Merge OpenSSL 3.0.9
Migrate to OpenSSL 3.0 in advance of FreeBSD 14.0. OpenSSL 1.1.1 (the version we were previously using) will be EOL as of 2023-09-11. Most of the base system has already been updated for a seamless switch to OpenSSL 3.0. For many components we've added `-DOPENSSL_API_COMPAT=0x10100000L` to CFLAGS to specify the API version, which avoids deprecation warnings from OpenSSL 3.0. Changes have also been made to avoid OpenSSL APIs that were already deprecated in OpenSSL 1.1.1. The process of updating to contemporary APIs can continue after this merge. Additional changes are still required for libarchive and Kerberos- related libraries or tools; workarounds will immediately follow this commit. Fixes are in progress in the upstream projects and will be incorporated when those are next updated. There are some performance regressions in benchmarks (certain tests in `openssl speed`) and in some OpenSSL consumers in ports (e.g. haproxy). Investigation will continue for these. Netflix's testing showed no functional regression and a rather small, albeit statistically significant, increase in CPU consumption with OpenSSL 3.0. Thanks to ngie@ and des@ for updating base system components, to antoine@ and bofh@ for ports exp-runs and port fixes/workarounds, and to Netflix and everyone who tested prior to commit or contributed to this update in other ways. PR: 271615 PR: 271656 [exp-run] Relnotes: Yes Sponsored by: The FreeBSD Foundation
This commit is contained in:
commit
b077aed33b
@ -52,6 +52,54 @@
|
||||
# xargs -n1 | sort | uniq -d;
|
||||
# done
|
||||
|
||||
# 20230623: OpenSSL 3.0.9
|
||||
OLD_LIBS+=lib/libcrypto.so.111
|
||||
OLD_FILES+=usr/include/openssl/rand_drbg.h
|
||||
OLD_FILES+=usr/lib/engines/capi.so
|
||||
OLD_FILES+=usr/lib/engines/padlock.so
|
||||
OLD_LIBS+=usr/lib/libssl.so.111
|
||||
OLD_DIRS+=usr/lib/engines
|
||||
OLD_FILES+=usr/share/man/man1/list.1
|
||||
OLD_FILES+=usr/share/man/man1/openssl-tsget.1
|
||||
OLD_FILES+=usr/share/man/man3/ECDH_get_ex_data.3
|
||||
OLD_FILES+=usr/share/man/man3/ECDH_get_ex_new_index.3
|
||||
OLD_FILES+=usr/share/man/man3/ECDH_set_ex_data.3
|
||||
OLD_FILES+=usr/share/man/man3/ERR_GET_FUNC.3
|
||||
OLD_FILES+=usr/share/man/man3/EVP_PKEY_CTX_hkdf_mode.3
|
||||
OLD_FILES+=usr/share/man/man3/EVP_PKEY_set_alias_type.3
|
||||
OLD_FILES+=usr/share/man/man3/EVP_aes.3
|
||||
OLD_FILES+=usr/share/man/man3/EVP_aria.3
|
||||
OLD_FILES+=usr/share/man/man3/EVP_camellia.3
|
||||
OLD_FILES+=usr/share/man/man3/EVP_des.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_bytes.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_cleanup_entropy_fn.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_cleanup_nonce_fn.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_free.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_generate.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_get0_master.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_get0_private.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_get0_public.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_get_entropy_fn.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_get_ex_data.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_get_ex_new_index.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_get_nonce_fn.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_instantiate.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_new.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_reseed.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_secure_new.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_set.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_set_callbacks.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_set_defaults.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_set_ex_data.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_set_reseed_defaults.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_set_reseed_interval.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_set_reseed_time_interval.3
|
||||
OLD_FILES+=usr/share/man/man3/RAND_DRBG_uninstantiate.3
|
||||
OLD_FILES+=usr/share/man/man3/RSA_padding_add_SSLv23.3
|
||||
OLD_FILES+=usr/share/man/man3/RSA_padding_check_SSLv23.3
|
||||
OLD_FILES+=usr/share/man/man7/RAND_DRBG.7
|
||||
OLD_FILES+=usr/share/man/man7/scrypt.7
|
||||
|
||||
# 20230622: new clang import which bumps version from 15.0.7 to 16.0.1
|
||||
OLD_FILES+=usr/lib/clang/15.0.7/include/__clang_cuda_builtin_vars.h
|
||||
OLD_FILES+=usr/lib/clang/15.0.7/include/__clang_cuda_cmath.h
|
||||
|
@ -1,2 +0,0 @@
|
||||
Please https://www.openssl.org/community/thanks.html for the current
|
||||
acknowledgements.
|
6
crypto/openssl/ACKNOWLEDGEMENTS.md
Normal file
6
crypto/openssl/ACKNOWLEDGEMENTS.md
Normal file
@ -0,0 +1,6 @@
|
||||
Acknowlegements
|
||||
===============
|
||||
|
||||
Please see our [Thanks!][] page for the current acknowledgements.
|
||||
|
||||
[Thanks!]: https://www.openssl.org/community/thanks.html
|
@ -1,42 +0,0 @@
|
||||
# This is the list of OpenSSL authors for copyright purposes.
|
||||
#
|
||||
# This does not necessarily list everyone who has contributed code, since in
|
||||
# some cases, their employer may be the copyright holder. To see the full list
|
||||
# of contributors, see the revision history in source control.
|
||||
OpenSSL Software Services, Inc.
|
||||
OpenSSL Software Foundation, Inc.
|
||||
|
||||
# Individuals
|
||||
Andy Polyakov
|
||||
Ben Laurie
|
||||
Ben Kaduk
|
||||
Bernd Edlinger
|
||||
Bodo Möller
|
||||
David Benjamin
|
||||
David von Oheimb
|
||||
Dmitry Belyavskiy (Дмитрий Белявский)
|
||||
Emilia Käsper
|
||||
Eric Young
|
||||
Geoff Thorpe
|
||||
Holger Reif
|
||||
Kurt Roeckx
|
||||
Lutz Jänicke
|
||||
Mark J. Cox
|
||||
Matt Caswell
|
||||
Matthias St. Pierre
|
||||
Nicola Tuveri
|
||||
Nils Larsch
|
||||
Patrick Steuer
|
||||
Paul Dale
|
||||
Paul C. Sutton
|
||||
Paul Yang
|
||||
Ralf S. Engelschall
|
||||
Rich Salz
|
||||
Richard Levitte
|
||||
Shane Lontis
|
||||
Stephen Henson
|
||||
Steve Marquess
|
||||
Tim Hudson
|
||||
Tomáš Mráz
|
||||
Ulf Möller
|
||||
Viktor Dukhovni
|
51
crypto/openssl/AUTHORS.md
Normal file
51
crypto/openssl/AUTHORS.md
Normal file
@ -0,0 +1,51 @@
|
||||
Authors
|
||||
=======
|
||||
|
||||
This is the list of OpenSSL authors for copyright purposes.
|
||||
It does not necessarily list everyone who has contributed code,
|
||||
since in some cases, their employer may be the copyright holder.
|
||||
To see the full list of contributors, see the revision history in
|
||||
source control.
|
||||
|
||||
Groups
|
||||
------
|
||||
|
||||
* OpenSSL Software Services, Inc.
|
||||
* OpenSSL Software Foundation, Inc.
|
||||
|
||||
Individuals
|
||||
-----------
|
||||
|
||||
* Andy Polyakov
|
||||
* Ben Laurie
|
||||
* Ben Kaduk
|
||||
* Bernd Edlinger
|
||||
* Bodo Möller
|
||||
* David Benjamin
|
||||
* David von Oheimb
|
||||
* Dmitry Belyavskiy (Дмитрий Белявский)
|
||||
* Emilia Käsper
|
||||
* Eric Young
|
||||
* Geoff Thorpe
|
||||
* Holger Reif
|
||||
* Kurt Roeckx
|
||||
* Lutz Jänicke
|
||||
* Mark J. Cox
|
||||
* Matt Caswell
|
||||
* Matthias St. Pierre
|
||||
* Nicola Tuveri
|
||||
* Nils Larsch
|
||||
* Patrick Steuer
|
||||
* Paul Dale
|
||||
* Paul C. Sutton
|
||||
* Paul Yang
|
||||
* Ralf S. Engelschall
|
||||
* Rich Salz
|
||||
* Richard Levitte
|
||||
* Shane Lontis
|
||||
* Stephen Henson
|
||||
* Steve Marquess
|
||||
* Tim Hudson
|
||||
* Tomáš Mráz
|
||||
* Ulf Möller
|
||||
* Viktor Dukhovni
|
13962
crypto/openssl/CHANGES
13962
crypto/openssl/CHANGES
File diff suppressed because it is too large
Load Diff
19832
crypto/openssl/CHANGES.md
Normal file
19832
crypto/openssl/CHANGES.md
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,72 +0,0 @@
|
||||
HOW TO CONTRIBUTE TO OpenSSL
|
||||
----------------------------
|
||||
|
||||
(Please visit https://www.openssl.org/community/getting-started.html for
|
||||
other ideas about how to contribute.)
|
||||
|
||||
Development is done on GitHub, https://github.com/openssl/openssl.
|
||||
|
||||
To request new features or report bugs, please open an issue on GitHub
|
||||
|
||||
To submit a patch, please open a pull request on GitHub. If you are thinking
|
||||
of making a large contribution, open an issue for it before starting work,
|
||||
to get comments from the community. Someone may be already working on
|
||||
the same thing or there may be reasons why that feature isn't implemented.
|
||||
|
||||
To make it easier to review and accept your pull request, please follow these
|
||||
guidelines:
|
||||
|
||||
1. Anything other than a trivial contribution requires a Contributor
|
||||
License Agreement (CLA), giving us permission to use your code. See
|
||||
https://www.openssl.org/policies/cla.html for details. If your
|
||||
contribution is too small to require a CLA, put "CLA: trivial" on a
|
||||
line by itself in your commit message body.
|
||||
|
||||
2. All source files should start with the following text (with
|
||||
appropriate comment characters at the start of each line and the
|
||||
year(s) updated):
|
||||
|
||||
Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the OpenSSL license (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
in the file LICENSE in the source distribution or at
|
||||
https://www.openssl.org/source/license.html
|
||||
|
||||
3. Patches should be as current as possible; expect to have to rebase
|
||||
often. We do not accept merge commits, you will have to remove them
|
||||
(usually by rebasing) before it will be acceptable.
|
||||
|
||||
4. Patches should follow our coding style (see
|
||||
https://www.openssl.org/policies/codingstyle.html) and compile
|
||||
without warnings. Where gcc or clang is available you should use the
|
||||
--strict-warnings Configure option. OpenSSL compiles on many varied
|
||||
platforms: try to ensure you only use portable features. Clean builds via
|
||||
GitHub Actions and AppVeyor are required, and they are started automatically
|
||||
whenever a PR is created or updated.
|
||||
|
||||
5. When at all possible, patches should include tests. These can
|
||||
either be added to an existing test, or completely new. Please see
|
||||
test/README for information on the test framework.
|
||||
|
||||
6. New features or changed functionality must include
|
||||
documentation. Please look at the "pod" files in doc/man[1357] for
|
||||
examples of our style. Run "make doc-nits" to make sure that your
|
||||
documentation changes are clean.
|
||||
|
||||
7. For user visible changes (API changes, behaviour changes, ...),
|
||||
consider adding a note in CHANGES. This could be a summarising
|
||||
description of the change, and could explain the grander details.
|
||||
Have a look through existing entries for inspiration.
|
||||
Please note that this is NOT simply a copy of git-log one-liners.
|
||||
Also note that security fixes get an entry in CHANGES.
|
||||
This file helps users get more in depth information of what comes
|
||||
with a specific release without having to sift through the higher
|
||||
noise ratio in git-log.
|
||||
|
||||
8. For larger or more important user visible changes, as well as
|
||||
security fixes, please add a line in NEWS. On exception, it might be
|
||||
worth adding a multi-line entry (such as the entry that announces all
|
||||
the types that became opaque with OpenSSL 1.1.0).
|
||||
This file helps users get a very quick summary of what comes with a
|
||||
specific release, to see if an upgrade is worth the effort.
|
94
crypto/openssl/CONTRIBUTING.md
Normal file
94
crypto/openssl/CONTRIBUTING.md
Normal file
@ -0,0 +1,94 @@
|
||||
HOW TO CONTRIBUTE TO OpenSSL
|
||||
============================
|
||||
|
||||
Please visit our [Getting Started] page for other ideas about how to contribute.
|
||||
|
||||
[Getting Started]: <https://www.openssl.org/community/getting-started.html>
|
||||
|
||||
Development is done on GitHub in the [openssl/openssl] repository.
|
||||
|
||||
[openssl/openssl]: <https://github.com/openssl/openssl>
|
||||
|
||||
To request new features or report bugs, please open an issue on GitHub
|
||||
|
||||
To submit a patch, please open a pull request on GitHub. If you are thinking
|
||||
of making a large contribution, open an issue for it before starting work,
|
||||
to get comments from the community. Someone may be already working on
|
||||
the same thing or there may be reasons why that feature isn't implemented.
|
||||
|
||||
To make it easier to review and accept your pull request, please follow these
|
||||
guidelines:
|
||||
|
||||
1. Anything other than a trivial contribution requires a [Contributor
|
||||
License Agreement] (CLA), giving us permission to use your code.
|
||||
If your contribution is too small to require a CLA (e.g. fixing a spelling
|
||||
mistake), place the text "`CLA: trivial`" on a line by itself separated by
|
||||
an empty line from the rest of the commit message. It is not sufficient to
|
||||
only place the text in the GitHub pull request description.
|
||||
|
||||
[Contributor License Agreement]: <https://www.openssl.org/policies/cla.html>
|
||||
|
||||
To amend a missing "`CLA: trivial`" line after submission, do the following:
|
||||
|
||||
```
|
||||
git commit --amend
|
||||
[add the line, save and quit the editor]
|
||||
git push -f
|
||||
```
|
||||
|
||||
2. All source files should start with the following text (with
|
||||
appropriate comment characters at the start of each line and the
|
||||
year(s) updated):
|
||||
|
||||
```
|
||||
Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
|
||||
|
||||
Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
this file except in compliance with the License. You can obtain a copy
|
||||
in the file LICENSE in the source distribution or at
|
||||
https://www.openssl.org/source/license.html
|
||||
```
|
||||
|
||||
3. Patches should be as current as possible; expect to have to rebase
|
||||
often. We do not accept merge commits, you will have to remove them
|
||||
(usually by rebasing) before it will be acceptable.
|
||||
|
||||
4. Patches should follow our [coding style] and compile without warnings.
|
||||
Where `gcc` or `clang` is available you should use the
|
||||
`--strict-warnings` `Configure` option. OpenSSL compiles on many varied
|
||||
platforms: try to ensure you only use portable features. Clean builds via
|
||||
GitHub Actions and AppVeyor are required, and they are started automatically
|
||||
whenever a PR is created or updated.
|
||||
|
||||
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
|
||||
|
||||
5. When at all possible, patches should include tests. These can
|
||||
either be added to an existing test, or completely new. Please see
|
||||
[test/README.md](test/README.md) for information on the test framework.
|
||||
|
||||
6. New features or changed functionality must include
|
||||
documentation. Please look at the "pod" files in doc/man[1357] for
|
||||
examples of our style. Run "make doc-nits" to make sure that your
|
||||
documentation changes are clean.
|
||||
|
||||
7. For user visible changes (API changes, behaviour changes, ...),
|
||||
consider adding a note in [CHANGES.md](CHANGES.md).
|
||||
This could be a summarising description of the change, and could
|
||||
explain the grander details.
|
||||
Have a look through existing entries for inspiration.
|
||||
Please note that this is NOT simply a copy of git-log one-liners.
|
||||
Also note that security fixes get an entry in [CHANGES.md](CHANGES.md).
|
||||
This file helps users get more in depth information of what comes
|
||||
with a specific release without having to sift through the higher
|
||||
noise ratio in git-log.
|
||||
|
||||
8. For larger or more important user visible changes, as well as
|
||||
security fixes, please add a line in [NEWS.md](NEWS.md).
|
||||
On exception, it might be worth adding a multi-line entry (such as
|
||||
the entry that announces all the types that became opaque with
|
||||
OpenSSL 1.1.0).
|
||||
This file helps users get a very quick summary of what comes with a
|
||||
specific release, to see if an upgrade is worth the effort.
|
||||
|
||||
9. Guidelines how to integrate error output of new crypto library modules
|
||||
can be found in [crypto/err/README.md](crypto/err/README.md).
|
File diff suppressed because it is too large
Load Diff
@ -1,2 +0,0 @@
|
||||
The FAQ is now maintained on the web:
|
||||
https://www.openssl.org/docs/faq.html
|
6
crypto/openssl/FAQ.md
Normal file
6
crypto/openssl/FAQ.md
Normal file
@ -0,0 +1,6 @@
|
||||
Frequently Asked Questions (FAQ)
|
||||
================================
|
||||
|
||||
The [Frequently Asked Questions][FAQ] are now maintained on the OpenSSL homepage.
|
||||
|
||||
[FAQ]: https://www.openssl.org/docs/faq.html
|
33
crypto/openssl/HACKING.md
Normal file
33
crypto/openssl/HACKING.md
Normal file
@ -0,0 +1,33 @@
|
||||
MODIFYING OPENSSL SOURCE
|
||||
========================
|
||||
|
||||
This document describes the way to add custom modifications to OpenSSL sources.
|
||||
|
||||
If you are adding new public functions to the custom library build, you need to
|
||||
either add a prototype in one of the existing OpenSSL header files;
|
||||
or provide a new header file and edit
|
||||
[Configurations/unix-Makefile.tmpl](Configurations/unix-Makefile.tmpl)
|
||||
to pick up that file.
|
||||
|
||||
After that perform the following steps:
|
||||
|
||||
./Configure -Werror --strict-warnings [your-options]
|
||||
make update
|
||||
make
|
||||
make test
|
||||
|
||||
`make update` ensures that your functions declarations are added to
|
||||
`util/libcrypto.num` or `util/libssl.num`.
|
||||
If you plan to submit the changes you made to OpenSSL
|
||||
(see [CONTRIBUTING.md](CONTRIBUTING.md)), it's worth running:
|
||||
|
||||
make doc-nits
|
||||
|
||||
after running `make update` to ensure that documentation has correct format.
|
||||
|
||||
`make update` also generates files related to OIDs (in the `crypto/objects/`
|
||||
folder) and errors.
|
||||
If a merge error occurs in one of these generated files then the
|
||||
generated files need to be removed and regenerated using `make update`.
|
||||
To aid in this process the generated files can be committed separately
|
||||
so they can be removed easily.
|
File diff suppressed because it is too large
Load Diff
1817
crypto/openssl/INSTALL.md
Normal file
1817
crypto/openssl/INSTALL.md
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,125 +0,0 @@
|
||||
|
||||
LICENSE ISSUES
|
||||
==============
|
||||
|
||||
The OpenSSL toolkit stays under a double license, i.e. both the conditions of
|
||||
the OpenSSL License and the original SSLeay license apply to the toolkit.
|
||||
See below for the actual license texts.
|
||||
|
||||
OpenSSL License
|
||||
---------------
|
||||
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2019 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* openssl-core@openssl.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
Original SSLeay License
|
||||
-----------------------
|
||||
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
* This package is an SSL implementation written
|
||||
* by Eric Young (eay@cryptsoft.com).
|
||||
* The implementation was written so as to conform with Netscapes SSL.
|
||||
*
|
||||
* This library is free for commercial and non-commercial use as long as
|
||||
* the following conditions are aheared to. The following conditions
|
||||
* apply to all code found in this distribution, be it the RC4, RSA,
|
||||
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
||||
* included with this distribution is covered by the same copyright terms
|
||||
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
* Copyright remains Eric Young's, and as such any Copyright notices in
|
||||
* the code are not to be removed.
|
||||
* If this package is used in a product, Eric Young should be given attribution
|
||||
* as the author of the parts of the library used.
|
||||
* This can be in the form of a textual message at program startup or
|
||||
* in documentation (online or textual) provided with the package.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* "This product includes cryptographic software written by
|
||||
* Eric Young (eay@cryptsoft.com)"
|
||||
* The word 'cryptographic' can be left out if the rouines from the library
|
||||
* being used are not cryptographic related :-).
|
||||
* 4. If you include any Windows specific code (or a derivative thereof) from
|
||||
* the apps directory (application code) you must include an acknowledgement:
|
||||
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* The licence and distribution terms for any publically available version or
|
||||
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
||||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
177
crypto/openssl/LICENSE.txt
Normal file
177
crypto/openssl/LICENSE.txt
Normal file
@ -0,0 +1,177 @@
|
||||
|
||||
Apache License
|
||||
Version 2.0, January 2004
|
||||
https://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction,
|
||||
and distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by
|
||||
the copyright owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all
|
||||
other entities that control, are controlled by, or are under common
|
||||
control with that entity. For the purposes of this definition,
|
||||
"control" means (i) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or
|
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity
|
||||
exercising permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications,
|
||||
including but not limited to software source code, documentation
|
||||
source, and configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical
|
||||
transformation or translation of a Source form, including but
|
||||
not limited to compiled object code, generated documentation,
|
||||
and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or
|
||||
Object form, made available under the License, as indicated by a
|
||||
copyright notice that is included in or attached to the work
|
||||
(an example is provided in the Appendix below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object
|
||||
form, that is based on (or derived from) the Work and for which the
|
||||
editorial revisions, annotations, elaborations, or other modifications
|
||||
represent, as a whole, an original work of authorship. For the purposes
|
||||
of this License, Derivative Works shall not include works that remain
|
||||
separable from, or merely link (or bind by name) to the interfaces of,
|
||||
the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including
|
||||
the original version of the Work and any modifications or additions
|
||||
to that Work or Derivative Works thereof, that is intentionally
|
||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||
or by an individual or Legal Entity authorized to submit on behalf of
|
||||
the copyright owner. For the purposes of this definition, "submitted"
|
||||
means any form of electronic, verbal, or written communication sent
|
||||
to the Licensor or its representatives, including but not limited to
|
||||
communication on electronic mailing lists, source code control systems,
|
||||
and issue tracking systems that are managed by, or on behalf of, the
|
||||
Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise
|
||||
designated in writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||
on behalf of whom a Contribution has been received by Licensor and
|
||||
subsequently incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the
|
||||
Work and such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
(except as stated in this section) patent license to make, have made,
|
||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||
where such license applies only to those patent claims licensable
|
||||
by such Contributor that are necessarily infringed by their
|
||||
Contribution(s) alone or by combination of their Contribution(s)
|
||||
with the Work to which such Contribution(s) was submitted. If You
|
||||
institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||
or a Contribution incorporated within the Work constitutes direct
|
||||
or contributory patent infringement, then any patent licenses
|
||||
granted to You under this License for that Work shall terminate
|
||||
as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the
|
||||
Work or Derivative Works thereof in any medium, with or without
|
||||
modifications, and in Source or Object form, provided that You
|
||||
meet the following conditions:
|
||||
|
||||
(a) You must give any other recipients of the Work or
|
||||
Derivative Works a copy of this License; and
|
||||
|
||||
(b) You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and
|
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works
|
||||
that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work,
|
||||
excluding those notices that do not pertain to any part of
|
||||
the Derivative Works; and
|
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its
|
||||
distribution, then any Derivative Works that You distribute must
|
||||
include a readable copy of the attribution notices contained
|
||||
within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one
|
||||
of the following places: within a NOTICE text file distributed
|
||||
as part of the Derivative Works; within the Source form or
|
||||
documentation, if provided along with the Derivative Works; or,
|
||||
within a display generated by the Derivative Works, if and
|
||||
wherever such third-party notices normally appear. The contents
|
||||
of the NOTICE file are for informational purposes only and
|
||||
do not modify the License. You may add Your own attribution
|
||||
notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided
|
||||
that such additional attribution notices cannot be construed
|
||||
as modifying the License.
|
||||
|
||||
You may add Your own copyright statement to Your modifications and
|
||||
may provide additional or different license terms and conditions
|
||||
for use, reproduction, or distribution of Your modifications, or
|
||||
for any such Derivative Works as a whole, provided Your use,
|
||||
reproduction, and distribution of the Work otherwise complies with
|
||||
the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||
any Contribution intentionally submitted for inclusion in the Work
|
||||
by You to the Licensor shall be under the terms and conditions of
|
||||
this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify
|
||||
the terms of any separate license agreement you may have executed
|
||||
with Licensor regarding such Contributions.
|
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade
|
||||
names, trademarks, service marks, or product names of the Licensor,
|
||||
except as required for reasonable and customary use in describing the
|
||||
origin of the Work and reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||
agreed to in writing, Licensor provides the Work (and each
|
||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied, including, without limitation, any warranties or conditions
|
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||
appropriateness of using or redistributing the Work and assume any
|
||||
risks associated with Your exercise of permissions under this License.
|
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory,
|
||||
whether in tort (including negligence), contract, or otherwise,
|
||||
unless required by applicable law (such as deliberate and grossly
|
||||
negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special,
|
||||
incidental, or consequential damages of any character arising as a
|
||||
result of this License or out of the use or inability to use the
|
||||
Work (including but not limited to damages for loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all
|
||||
other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing
|
||||
the Work or Derivative Works thereof, You may choose to offer,
|
||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||
or other liability obligations and/or rights consistent with this
|
||||
License. However, in accepting such obligations, You may act only
|
||||
on Your own behalf and on Your sole responsibility, not on behalf
|
||||
of any other Contributor, and only if You agree to indemnify,
|
||||
defend, and hold each Contributor harmless for any liability
|
||||
incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
1054
crypto/openssl/NEWS
1054
crypto/openssl/NEWS
File diff suppressed because it is too large
Load Diff
1603
crypto/openssl/NEWS.md
Normal file
1603
crypto/openssl/NEWS.md
Normal file
File diff suppressed because it is too large
Load Diff
90
crypto/openssl/NOTES-ANDROID.md
Normal file
90
crypto/openssl/NOTES-ANDROID.md
Normal file
@ -0,0 +1,90 @@
|
||||
Notes for Android platforms
|
||||
===========================
|
||||
|
||||
Requirement details
|
||||
-------------------
|
||||
|
||||
Beside basic tools like perl and make you'll need to download the Android
|
||||
NDK. It's available for Linux, macOS and Windows, but only Linux
|
||||
version was actually tested. There is no reason to believe that macOS
|
||||
wouldn't work. And as for Windows, it's unclear which "shell" would be
|
||||
suitable, MSYS2 might have best chances. NDK version should play lesser
|
||||
role, the goal is to support a range of most recent versions.
|
||||
|
||||
Configuration
|
||||
-------------
|
||||
|
||||
Android is a cross-compiled target and you can't rely on `./Configure`
|
||||
to find out the configuration target for you. You have to name your
|
||||
target explicitly; there are `android-arm`, `android-arm64`, `android-mips`,
|
||||
`android-mip64`, `android-x86` and `android-x86_64` (`*MIPS` targets are no
|
||||
longer supported with NDK R20+).
|
||||
|
||||
Do not pass --cross-compile-prefix (as you might be tempted), as it
|
||||
will be "calculated" automatically based on chosen platform. However,
|
||||
you still need to know the prefix to extend your PATH, in order to
|
||||
invoke `$(CROSS_COMPILE)clang` [`*gcc` on NDK 19 and lower] and company.
|
||||
(`./Configure` will fail and give you a hint if you get it wrong.)
|
||||
|
||||
Apart from `PATH` adjustment you need to set `ANDROID_NDK_ROOT` environment
|
||||
to point at the `NDK` directory. If you're using a side-by-side NDK the path
|
||||
will look something like `/some/where/android-sdk/ndk/<ver>`, and for a
|
||||
standalone NDK the path will be something like `/some/where/android-ndk-<ver>`.
|
||||
Both variables are significant at both configuration and compilation times.
|
||||
The NDK customarily supports multiple Android API levels, e.g. `android-14`,
|
||||
`android-21`, etc. By default latest API level is chosen. If you need to target
|
||||
an older platform pass the argument `-D__ANDROID_API__=N` to `Configure`,
|
||||
with `N` being the numerical value of the target platform version. For example,
|
||||
to compile for Android 10 arm64 with a side-by-side NDK r20.0.5594570
|
||||
|
||||
export ANDROID_NDK_ROOT=/home/whoever/Android/android-sdk/ndk/20.0.5594570
|
||||
PATH=$ANDROID_NDK_ROOT/toolchains/llvm/prebuilt/linux-x86_64/bin:$ANDROID_NDK_ROOT/toolchains/arm-linux-androideabi-4.9/prebuilt/linux-x86_64/bin:$PATH
|
||||
./Configure android-arm64 -D__ANDROID_API__=29
|
||||
make
|
||||
|
||||
Older versions of the NDK have GCC under their common prebuilt tools
|
||||
directory, so the bin path will be slightly different. EG: to compile
|
||||
for ICS on ARM with NDK 10d:
|
||||
|
||||
export ANDROID_NDK_ROOT=/some/where/android-ndk-10d
|
||||
PATH=$ANDROID_NDK_ROOT/toolchains/arm-linux-androideabi-4.8/prebuilt/linux-x86_64/bin:$PATH
|
||||
./Configure android-arm -D__ANDROID_API__=14
|
||||
make
|
||||
|
||||
Caveat lector! Earlier OpenSSL versions relied on additional `CROSS_SYSROOT`
|
||||
variable set to `$ANDROID_NDK_ROOT/platforms/android-<api>/arch-<arch>` to
|
||||
appoint headers-n-libraries' location. It's still recognized in order
|
||||
to facilitate migration from older projects. However, since API level
|
||||
appears in `CROSS_SYSROOT` value, passing `-D__ANDROID_API__=N` can be in
|
||||
conflict, and mixing the two is therefore not supported. Migration to
|
||||
`CROSS_SYSROOT`-less setup is recommended.
|
||||
|
||||
One can engage clang by adjusting PATH to cover same NDK's clang. Just
|
||||
keep in mind that if you miss it, Configure will try to use gcc...
|
||||
Also, PATH would need even further adjustment to cover unprefixed, yet
|
||||
target-specific, ar and ranlib. It's possible that you don't need to
|
||||
bother, if binutils-multiarch is installed on your Linux system.
|
||||
|
||||
Another option is to create so called "standalone toolchain" tailored
|
||||
for single specific platform including Android API level, and assign its
|
||||
location to `ANDROID_NDK_ROOT`. In such case you have to pass matching
|
||||
target name to Configure and shouldn't use `-D__ANDROID_API__=N`. `PATH`
|
||||
adjustment becomes simpler, `$ANDROID_NDK_ROOT/bin:$PATH` suffices.
|
||||
|
||||
Running tests (on Linux)
|
||||
------------------------
|
||||
|
||||
This is not actually supported. Notes are meant rather as inspiration.
|
||||
|
||||
Even though build output targets alien system, it's possible to execute
|
||||
test suite on Linux system by employing qemu-user. The trick is static
|
||||
linking. Pass -static to Configure, then edit generated Makefile and
|
||||
remove occurrences of -ldl and -pie flags. You would also need to pick
|
||||
API version that comes with usable static libraries, 42/2=21 used to
|
||||
work. Once built, you should be able to
|
||||
|
||||
env EXE_SHELL=qemu-<arch> make test
|
||||
|
||||
If you need to pass additional flag to qemu, quotes are your friend, e.g.
|
||||
|
||||
env EXE_SHELL="qemu-mips64el -cpu MIPS64R6-generic" make test
|
46
crypto/openssl/NOTES-DJGPP.md
Normal file
46
crypto/openssl/NOTES-DJGPP.md
Normal file
@ -0,0 +1,46 @@
|
||||
Notes for the DOS platform with DJGPP
|
||||
=====================================
|
||||
|
||||
OpenSSL has been ported to DJGPP, a Unix look-alike 32-bit run-time
|
||||
environment for 16-bit DOS, but only with long filename support.
|
||||
If you wish to compile on native DOS with 8+3 filenames, you will
|
||||
have to tweak the installation yourself, including renaming files
|
||||
with illegal or duplicate names.
|
||||
|
||||
You should have a full DJGPP environment installed, including the
|
||||
latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
|
||||
requires that PERL and the PERL module `Text::Template` also be
|
||||
installed (see [NOTES-PERL.md](NOTES-PERL.md)).
|
||||
|
||||
All of these can be obtained from the usual DJGPP mirror sites or
|
||||
directly at <http://www.delorie.com/pub/djgpp>. For help on which
|
||||
files to download, see the DJGPP "ZIP PICKER" page at
|
||||
<http://www.delorie.com/djgpp/zip-picker.html>. You also need to have
|
||||
the WATT-32 networking package installed before you try to compile
|
||||
OpenSSL. This can be obtained from <http://www.watt-32.net/>.
|
||||
The Makefile assumes that the WATT-32 code is in the directory
|
||||
specified by the environment variable WATT_ROOT. If you have watt-32
|
||||
in directory `watt32` under your main DJGPP directory, specify
|
||||
`WATT_ROOT="/dev/env/DJDIR/watt32"`.
|
||||
|
||||
To compile OpenSSL, start your BASH shell, then configure for DJGPP by
|
||||
running `./Configure` with appropriate arguments:
|
||||
|
||||
./Configure no-threads --prefix=/dev/env/DJDIR DJGPP
|
||||
|
||||
And finally fire up `make`. You may run out of DPMI selectors when
|
||||
running in a DOS box under Windows. If so, just close the BASH
|
||||
shell, go back to Windows, and restart BASH. Then run `make` again.
|
||||
|
||||
RUN-TIME CAVEAT LECTOR
|
||||
--------------
|
||||
|
||||
Quoting FAQ:
|
||||
|
||||
"Cryptographic software needs a source of unpredictable data to work
|
||||
correctly. Many open source operating systems provide a "randomness
|
||||
device" (`/dev/urandom` or `/dev/random`) that serves this purpose."
|
||||
|
||||
As of version 0.9.7f DJGPP port checks upon `/dev/urandom$` for a 3rd
|
||||
party "randomness" DOS driver. One such driver, `NOISE.SYS`, can be
|
||||
obtained from <http://www.rahul.net/dkaufman/index.html>.
|
259
crypto/openssl/NOTES-NONSTOP.md
Normal file
259
crypto/openssl/NOTES-NONSTOP.md
Normal file
@ -0,0 +1,259 @@
|
||||
NOTES FOR THE HPE NONSTOP PLATFORM
|
||||
==============================
|
||||
|
||||
Requirement details
|
||||
-------------------
|
||||
|
||||
In addition to the requirements and instructions listed
|
||||
in [INSTALL.md](INSTALL.md), the following are required as well:
|
||||
|
||||
* The TNS/X platform supports hardware randomization.
|
||||
Specify the `--with-rand-seed=rdcpu` option to the `./Configure` script.
|
||||
This is recommended but not required. `egd` is supported at 3.0 but cannot
|
||||
be used if FIPS is selected.
|
||||
* The TNS/E platform does not support hardware randomization, so
|
||||
specify the `--with-rand-seed=egd` option to the `./Configure` script.
|
||||
|
||||
About c99 compiler
|
||||
------------------
|
||||
|
||||
The c99 compiler is required for building OpenSSL from source. While c11
|
||||
may work, it has not been broadly tested. c99 is the only compiler
|
||||
prerequisite needed to build OpenSSL 3.0 on this platform. You should also
|
||||
have the FLOSS package installed on your system. The ITUGLIB FLOSS package
|
||||
is the only FLOSS variant that has been broadly tested.
|
||||
|
||||
Threading Models
|
||||
----------------
|
||||
|
||||
OpenSSL can be built using unthreaded, POSIX User Threads (PUT), or Standard
|
||||
POSIX Threads (SPT). Select the following build configuration for each on
|
||||
the TNS/X (L-Series) platform:
|
||||
|
||||
* `nonstop-nsx` or default will select an unthreaded build.
|
||||
* `nonstop-nsx_put` selects the PUT build.
|
||||
* `nonstop-nsx_64_put` selects the 64 bit file length PUT build.
|
||||
* `nonstop-nsx_spt_floss` selects the SPT build with FLOSS. FLOSS is
|
||||
required for SPT builds because of a known hang when using SPT on its own.
|
||||
|
||||
### TNS/E Considerations
|
||||
|
||||
The TNS/E platform is build using the same set of builds specifying `nse`
|
||||
instead of `nsx` in the set above.
|
||||
|
||||
You cannot build for TNS/E for FIPS, so you must specify the `no-fips`
|
||||
option to `./Configure`.
|
||||
|
||||
Linking and Loading Considerations
|
||||
----------------------------------
|
||||
|
||||
Because of how the NonStop Common Runtime Environment (CRE) works, there are
|
||||
restrictions on how programs can link and load with OpenSSL libraries.
|
||||
On current NonStop platforms, programs cannot both statically link OpenSSL
|
||||
libraries and dynamically load OpenSSL shared libraries concurrently. If this
|
||||
is done, there is a high probability of encountering a SIGSEGV condition
|
||||
relating to `atexit()` processing when a shared library is unloaded and when
|
||||
the program terminates. This limitation applies to all OpenSSL shared library
|
||||
components.
|
||||
|
||||
A resolution to this situation is under investigation.
|
||||
|
||||
About Prefix and OpenSSLDir
|
||||
---------------------------
|
||||
|
||||
Because there are many potential builds that must co-exist on any given
|
||||
NonStop node, managing the location of your build distribution is crucial.
|
||||
Keep each destination separate and distinct. Mixing any mode described in
|
||||
this document can cause application instability. The recommended approach
|
||||
is to specify the OpenSSL version and threading model in your configuration
|
||||
options, and keeping your memory and float options consistent, for example:
|
||||
|
||||
* For 1.1 `--prefix=/usr/local-ssl1.1 --openssldir=/usr/local-ssl1.1/ssl`
|
||||
* For 1.1 PUT `--prefix=/usr/local-ssl1.1_put --openssldir=/usr/local-ssl1.1_put/ssl`
|
||||
|
||||
As of 3.0, the NonStop configurations use the multilib attribute to distinguish
|
||||
between different models:
|
||||
|
||||
* For 3.0 `--prefix=/usr/local-ssl3.0 --openssldir=/usr/local-ssl3.0/ssl`
|
||||
|
||||
The PUT model is placed in `${prefix}/lib-put` for 32-bit models and
|
||||
`${prefix}/lib64-put` for 64-bit models.
|
||||
|
||||
Use the `_RLD_LIB_PATH` environment variable in OSS to select the appropriate
|
||||
directory containing `libcrypto.so` and `libssl.so`. In GUARDIAN, use the
|
||||
`=_RLD_LIB_PATH` search define to locate the GUARDIAN subvolume where OpenSSL
|
||||
is installed.
|
||||
|
||||
Float Considerations
|
||||
--------------------
|
||||
|
||||
OpenSSL is built using IEEE Float mode by default. If you need a different
|
||||
IEEE mode, create a new configuration specifying `tfloat-x86-64` (for Tandem
|
||||
Float) or `nfloat-x86-64` (for Neutral Float).
|
||||
|
||||
Memory Models
|
||||
-------------
|
||||
|
||||
The current OpenSSL default memory model uses the default platform address
|
||||
model. If you need a different address model, you must specify the appropriate
|
||||
c99 options for compile (`CFLAGS`) and linkers (`LDFLAGS`).
|
||||
|
||||
Cross Compiling on Windows
|
||||
--------------------------
|
||||
|
||||
To configure and compile OpenSSL, you will need to set up a Cygwin environment.
|
||||
The Cygwin tools should include bash, make, and any other normal tools required
|
||||
for building programs.
|
||||
|
||||
Your `PATH` must include the bin directory for the c99 cross-compiler, as in:
|
||||
|
||||
export PATH=/cygdrive/c/Program\ Files\ \(x86\)/HPE\ NonStop/L16.05/usr/bin:$PATH
|
||||
|
||||
This should be set before Configure is run. For the c99 cross-compiler to work
|
||||
correctly, you also need the `COMP_ROOT` set, as in:
|
||||
|
||||
export COMP_ROOT="C:\Program Files (x86)\HPE NonStop\L16.05"
|
||||
|
||||
`COMP_ROOT` needs to be in Windows form.
|
||||
|
||||
`Configure` must specify the `no-makedepend` option otherwise errors will
|
||||
result when running the build because the c99 cross-compiler does not support
|
||||
the `gcc -MT` option. An example of a `Configure` command to be run from the
|
||||
OpenSSL directory is:
|
||||
|
||||
./Configure nonstop-nsx_64 no-makedepend --with-rand-seed=rdcpu
|
||||
|
||||
Do not forget to include any OpenSSL cross-compiling prefix and certificate
|
||||
options when creating your libraries.
|
||||
|
||||
The OpenSSL test suite will not run on your workstation. In order to verify the
|
||||
build, you will need to perform the build and test steps in OSS in your NonStop
|
||||
server. You can also build under gcc and run the test suite for Windows but that
|
||||
is not equivalent.
|
||||
|
||||
**Note:** In the event that you are attempting a FIPS-compliant cross-compile,
|
||||
be aware that signatures may not match between builds done under OSS and under
|
||||
cross-compiles as the compilers do not necessarily generate identical objects.
|
||||
Anything and everything to do with FIPS is outside the scope of this document.
|
||||
Refer to the FIPS security policy for more information.
|
||||
|
||||
The following build configurations have been successfully attempted at one
|
||||
point or another. If you are successful in your cross-compile efforts, please
|
||||
update this list:
|
||||
|
||||
- nonstop-nsx_64
|
||||
- nonstop-nsx_64_put
|
||||
|
||||
**Note:** Cross-compile builds for TNS/E have not been attempted, but should
|
||||
follow the same considerations as for TNS/X above. SPT builds generally require
|
||||
FLOSS, which is not available for workstation builds. As a result, SPT builds
|
||||
of OpenSSL cannot be cross-compiled.
|
||||
|
||||
Also see the NSDEE discussion below for more historical information.
|
||||
|
||||
Cross Compiling with NSDEE
|
||||
--------------------------
|
||||
|
||||
**Note:** None of these builds have been tested by the platform maintainer and
|
||||
are supplied for historical value. Please submit a Pull Request to OpenSSL
|
||||
should these need to be adjusted.
|
||||
|
||||
If you are attempting to build OpenSSL with NSDEE, you will need to specify
|
||||
the following variables. The following set of compiler defines are required:
|
||||
|
||||
# COMP_ROOT must be a full path for the build system (e.g. windows)
|
||||
COMP_ROOT=$(cygpath -w /path/to/comp_root)
|
||||
# CC must be executable by your shell
|
||||
CC=/path/to/c99
|
||||
|
||||
### Optional Build Variables
|
||||
|
||||
DBGFLAG="--debug"
|
||||
CIPHENABLES="enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-rc4"
|
||||
|
||||
### Internal Known TNS/X to TNS/E Cross Compile Variables
|
||||
|
||||
The following definition is required if you are building on TNS/X for TNS/E
|
||||
and have access to a TNS/E machine on your EXPAND network - with an example
|
||||
node named `\CS3`:
|
||||
|
||||
SYSTEMLIBS="-L/E/cs3/usr/local/lib"
|
||||
|
||||
Version Procedure (VPROC) Considerations
|
||||
----------------------------------------
|
||||
|
||||
If you require a VPROC entry for platform version identification, use the
|
||||
following variables:
|
||||
|
||||
### For Itanium
|
||||
|
||||
OPENSSL_VPROC_PREFIX=T0085H06
|
||||
|
||||
### For x86
|
||||
|
||||
OPENSSL_VPROC_PREFIX=T0085L01
|
||||
|
||||
### Common Definition
|
||||
|
||||
export OPENSSL_VPROC=${OPENSSL_VPROC_PREFIX}_$(
|
||||
. VERSION.dat
|
||||
if [ -n "$PRE_RELEASE_TAG" ]; then
|
||||
PRE_RELEASE_TAG="-$PRE_RELEASE_TAG"
|
||||
fi
|
||||
if [ -n "$BUILD_METADATA" ]; then
|
||||
BUILD_METADATA="+$BUILD_METADATA"
|
||||
fi
|
||||
echo "$MAJOR.$MINOR.$PATCH$PRE_RELEASE_TAG$BUILD_METADATA" |\
|
||||
sed -e 's/[-.+]/_/g'
|
||||
)
|
||||
|
||||
Example Configure Targets
|
||||
-------------------------
|
||||
|
||||
For OSS targets, the main DLL names will be `libssl.so` and `libcrypto.so`.
|
||||
For GUARDIAN targets, DLL names will be `ssl` and `crypto`. The following
|
||||
assumes that your PWD is set according to your installation standards.
|
||||
|
||||
./Configure nonstop-nsx --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_g --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_put --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_spt_floss --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_64 --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_64_put --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nsx_g_tandem --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=rdcpu ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
|
||||
./Configure nonstop-nse --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_g --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_put --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_spt_floss --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT" \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_64 --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_64_put --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl threads "-D_REENTRANT"
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
||||
./Configure nonstop-nse_g_tandem --prefix=${PWD} \
|
||||
--openssldir=${PWD}/ssl no-threads \
|
||||
--with-rand-seed=egd ${CIPHENABLES} ${DBGFLAG} ${SYSTEMLIBS}
|
127
crypto/openssl/NOTES-PERL.md
Normal file
127
crypto/openssl/NOTES-PERL.md
Normal file
@ -0,0 +1,127 @@
|
||||
Notes on Perl
|
||||
=============
|
||||
|
||||
- [General Notes](#general-notes)
|
||||
- [Perl on Windows](#perl-on-windows)
|
||||
- [Perl on VMS](#perl-on-vms)
|
||||
- [Perl on NonStop](#perl-on-nonstop)
|
||||
- [Required Perl modules](#required-perl-modules)
|
||||
- [Notes on installing a Perl module](#notes-on-installing-a-perl-module])
|
||||
|
||||
General Notes
|
||||
-------------
|
||||
|
||||
For our scripts, we rely quite a bit on Perl, and increasingly on
|
||||
some core Perl modules. These Perl modules are part of the Perl
|
||||
source, so if you build Perl on your own, you should be set.
|
||||
|
||||
However, if you install Perl as binary packages, the outcome might
|
||||
differ, and you may have to check that you do get the core modules
|
||||
installed properly. We do not claim to know them all, but experience
|
||||
has told us the following:
|
||||
|
||||
- on Linux distributions based on Debian, the package `perl` will
|
||||
install the core Perl modules as well, so you will be fine.
|
||||
- on Linux distributions based on RPMs, you will need to install
|
||||
`perl-core` rather than just `perl`.
|
||||
|
||||
You MUST have at least Perl version 5.10.0 installed. This minimum
|
||||
requirement is due to our use of regexp backslash sequence \R among
|
||||
other features that didn't exist in core Perl before that version.
|
||||
|
||||
Perl on Windows
|
||||
---------------
|
||||
|
||||
There are a number of build targets that can be viewed as "Windows".
|
||||
Indeed, there are `VC-*` configs targeting VisualStudio C, as well as
|
||||
MinGW and Cygwin. The key recommendation is to use a Perl installation
|
||||
that matches the build environment. For example, if you will build
|
||||
on Cygwin be sure to use the Cygwin package manager to install Perl.
|
||||
For MSYS builds use the MSYS provided Perl.
|
||||
For VC-* builds we recommend Strawberry Perl, from <http://strawberryperl.com>.
|
||||
An alternative is ActiveState Perl, from <http://www.activestate.com/ActivePerl>
|
||||
for which you may need to explicitly select the Perl module Win32/Console.pm
|
||||
available via <https://platform.activestate.com/ActiveState>.
|
||||
|
||||
Perl on VMS
|
||||
-----------
|
||||
|
||||
You will need to install Perl separately. One way to do so is to
|
||||
download the source from <http://perl.org/>, unpacking it, reading
|
||||
`README-VMS.md` and follow the instructions. Another way is to download a
|
||||
`.PCSI` file from <http://www.vmsperl.com/> and install it using the
|
||||
POLYCENTER install tool.
|
||||
|
||||
Perl on NonStop
|
||||
---------------
|
||||
|
||||
Perl is installed on HPE NonStop platforms as part of the Scripting Languages
|
||||
package T1203PAX file. The package is shipped as part of a NonStop RVU
|
||||
(Release Version Updates) package. Individual SPRs (Software Product Release)
|
||||
representing fixes can be obtained from the Scout website at
|
||||
<https://h22204.www2.hpe.com/NEP>. Follow the appropriate set of installation
|
||||
instructions for your operating system release as described in the
|
||||
Script Language User Guide available from the NonStop Technical Library.
|
||||
|
||||
Required Perl modules
|
||||
---------------------
|
||||
|
||||
We do our best to limit ourselves to core Perl modules to keep the
|
||||
requirements down. There are just a few exceptions.
|
||||
|
||||
* Text::Template this is required *for building*
|
||||
|
||||
To avoid unnecessary initial hurdles, we include a copy of this module
|
||||
in the source. It will work as a fallback if the module isn't already
|
||||
installed.
|
||||
|
||||
* `Test::More` this is required *for testing*
|
||||
|
||||
We require the minimum version to be 0.96, which appeared in Perl 5.13.4,
|
||||
because that version was the first to have all the features we're using.
|
||||
This module is required for testing only! If you don't plan on running
|
||||
the tests, you don't need to bother with this one.
|
||||
|
||||
Notes on installing a Perl module
|
||||
---------------------------------
|
||||
|
||||
There are a number of ways to install a perl module. In all
|
||||
descriptions below, `Text::Template` will serve as an example.
|
||||
|
||||
1. for Linux users, the easiest is to install with the use of your
|
||||
favorite package manager. Usually, all you need to do is search
|
||||
for the module name and to install the package that comes up.
|
||||
|
||||
On Debian based Linux distributions, it would go like this:
|
||||
|
||||
$ apt-cache search Text::Template
|
||||
...
|
||||
libtext-template-perl - perl module to process text templates
|
||||
$ sudo apt-get install libtext-template-perl
|
||||
|
||||
Perl modules in Debian based distributions use package names like
|
||||
the name of the module in question, with "lib" prepended and
|
||||
"-perl" appended.
|
||||
|
||||
2. Install using CPAN. This is very easy, but usually requires root
|
||||
access:
|
||||
|
||||
$ cpan -i Text::Template
|
||||
|
||||
Note that this runs all the tests that the module to be installed
|
||||
comes with. This is usually a smooth operation, but there are
|
||||
platforms where a failure is indicated even though the actual tests
|
||||
were successful. Should that happen, you can force an
|
||||
installation regardless (that should be safe since you've already
|
||||
seen the tests succeed!):
|
||||
|
||||
$ cpan -f -i Text::Template
|
||||
|
||||
Note: on VMS, you must quote any argument that contains upper case
|
||||
characters, so the lines above would be:
|
||||
|
||||
$ cpan -i "Text::Template"
|
||||
|
||||
and:
|
||||
|
||||
$ cpan -f -i "Text::Template"
|
@ -1,9 +1,8 @@
|
||||
Notes for UNIX-like platforms
|
||||
=============================
|
||||
|
||||
NOTES FOR UNIX LIKE PLATFORMS
|
||||
=============================
|
||||
|
||||
For Unix/POSIX runtime systems on Windows, please see NOTES.WIN.
|
||||
|
||||
For Unix/POSIX runtime systems on Windows,
|
||||
please see the [Notes for Windows platforms](NOTES-WINDOWS.md).
|
||||
|
||||
OpenSSL uses the compiler to link programs and shared libraries
|
||||
---------------------------------------------------------------
|
||||
@ -13,21 +12,20 @@
|
||||
objects. Because of this, any linking option that's given to the
|
||||
configuration scripts MUST be in a form that the compiler can accept.
|
||||
This varies between systems, where some have compilers that accept
|
||||
linker flags directly, while others take them in '-Wl,' form. You need
|
||||
linker flags directly, while others take them in `-Wl,` form. You need
|
||||
to read your compiler documentation to figure out what is acceptable,
|
||||
and ld(1) to figure out what linker options are available.
|
||||
|
||||
and `ld(1)` to figure out what linker options are available.
|
||||
|
||||
Shared libraries and installation in non-default locations
|
||||
----------------------------------------------------------
|
||||
|
||||
Every Unix system has its own set of default locations for shared
|
||||
libraries, such as /lib, /usr/lib or possibly /usr/local/lib. If
|
||||
libraries, such as `/lib`, `/usr/lib` or possibly `/usr/local/lib`. If
|
||||
libraries are installed in non-default locations, dynamically linked
|
||||
binaries will not find them and therefore fail to run, unless they get
|
||||
a bit of help from a defined runtime shared library search path.
|
||||
|
||||
For OpenSSL's application (the 'openssl' command), our configuration
|
||||
For OpenSSL's application (the `openssl` command), our configuration
|
||||
scripts do NOT generally set the runtime shared library search path for
|
||||
you. It's therefore advisable to set it explicitly when configuring,
|
||||
unless the libraries are to be installed in directories that you know
|
||||
@ -50,7 +48,8 @@
|
||||
|
||||
OpenSSL's configuration scripts recognise all these options and pass
|
||||
them to the Makefile that they build. (In fact, all arguments starting
|
||||
with '-Wl,' are recognised as linker options.)
|
||||
with `-Wl,` are recognised as linker options.)
|
||||
Please note that 'l' in '-Wl' is lowercase L and not 1.
|
||||
|
||||
Please do not use verbatim directories in your runtime shared library
|
||||
search path! Some OpenSSL config targets add an extra directory level
|
||||
@ -59,41 +58,40 @@
|
||||
used with the runtime shared library search path options, as shown in
|
||||
this example:
|
||||
|
||||
$ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
|
||||
$ ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
|
||||
'-Wl,-rpath,$(LIBRPATH)'
|
||||
|
||||
On modern ELF based systems, there are two runtime search paths tags to
|
||||
consider, DT_RPATH and DT_RUNPATH. Shared objects are searched for in
|
||||
consider, `DT_RPATH` and `DT_RUNPATH`. Shared objects are searched for in
|
||||
this order:
|
||||
|
||||
1. Using directories specified in DT_RPATH, unless DT_RUNPATH is
|
||||
also set.
|
||||
1. Using directories specified in DT_RPATH, unless DT_RUNPATH is also set.
|
||||
2. Using the environment variable LD_LIBRARY_PATH
|
||||
3. Using directories specified in DT_RUNPATH.
|
||||
4. Using system shared object caches and default directories.
|
||||
|
||||
This means that the values in the environment variable LD_LIBRARY_PATH
|
||||
won't matter if the library is found in the paths given by DT_RPATH
|
||||
(and DT_RUNPATH isn't set).
|
||||
This means that the values in the environment variable `LD_LIBRARY_PATH`
|
||||
won't matter if the library is found in the paths given by `DT_RPATH`
|
||||
(and `DT_RUNPATH` isn't set).
|
||||
|
||||
Exactly which of DT_RPATH or DT_RUNPATH is set by default appears to
|
||||
Exactly which of `DT_RPATH` or `DT_RUNPATH` is set by default appears to
|
||||
depend on the system. For example, according to documentation,
|
||||
DT_RPATH appears to be deprecated on Solaris in favor of DT_RUNPATH,
|
||||
while on Debian GNU/Linux, either can be set, and DT_RPATH is the
|
||||
`DT_RPATH` appears to be deprecated on Solaris in favor of `DT_RUNPATH`,
|
||||
while on Debian GNU/Linux, either can be set, and `DT_RPATH` is the
|
||||
default at the time of writing.
|
||||
|
||||
How to choose which runtime search path tag is to be set depends on
|
||||
your system, please refer to ld(1) for the exact information on your
|
||||
system. As an example, the way to ensure the DT_RUNPATH is set on
|
||||
system. As an example, the way to ensure the `DT_RUNPATH` is set on
|
||||
Debian GNU/Linux systems rather than DT_RPATH is to tell the linker to
|
||||
set new dtags, like this:
|
||||
|
||||
$ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
|
||||
$ ./Configure --prefix=/usr/local/ssl --openssldir=/usr/local/ssl \
|
||||
'-Wl,--enable-new-dtags,-rpath,$(LIBRPATH)'
|
||||
|
||||
It might be worth noting that some/most ELF systems implement support
|
||||
for runtime search path relative to the directory containing current
|
||||
executable, by interpreting $ORIGIN along with some other internal
|
||||
executable, by interpreting `$ORIGIN` along with some other internal
|
||||
variables. Consult your system documentation.
|
||||
|
||||
Linking your application
|
||||
@ -104,7 +102,7 @@
|
||||
The OpenSSL config options mentioned above might or might not have bearing
|
||||
on linking of the target application. "Might" means that under some
|
||||
circumstances it would be sufficient to link with OpenSSL shared library
|
||||
"naturally", i.e. with -L/whatever/path -lssl -lcrypto. But there are
|
||||
"naturally", i.e. with `-L/whatever/path -lssl -lcrypto`. But there are
|
||||
also cases when you'd have to explicitly specify runtime search path
|
||||
when linking your application. Consult your system documentation and use
|
||||
above section as inspiration...
|
||||
@ -114,4 +112,4 @@
|
||||
for shared libraries first and tend to remain "blind" to static OpenSSL
|
||||
libraries. Referring to system documentation would suffice, if not for
|
||||
a corner case. On AIX static libraries (in shared build) are named
|
||||
differently, add _a suffix to link with them, e.g. -lcrypto_a.
|
||||
differently, add `_a` suffix to link with them, e.g. `-lcrypto_a`.
|
72
crypto/openssl/NOTES-VALGRIND.md
Normal file
72
crypto/openssl/NOTES-VALGRIND.md
Normal file
@ -0,0 +1,72 @@
|
||||
Notes on Valgrind
|
||||
=================
|
||||
|
||||
Valgrind is a test harness that includes many tools such as memcheck,
|
||||
which is commonly used to check for memory leaks, etc. The default tool
|
||||
run by Valgrind is memcheck. There are other tools available, but this
|
||||
will focus on memcheck.
|
||||
|
||||
Valgrind runs programs in a virtual machine, this means OpenSSL unit
|
||||
tests run under Valgrind will take longer than normal.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
||||
1. Platform supported by Valgrind
|
||||
See <http://valgrind.org/info/platforms.html>
|
||||
2. Valgrind installed on the platform
|
||||
See <http://valgrind.org/downloads/current.html>
|
||||
3. OpenSSL compiled
|
||||
See [INSTALL.md](INSTALL.md)
|
||||
|
||||
Running Tests
|
||||
-------------
|
||||
|
||||
Test behavior can be modified by adjusting environment variables.
|
||||
|
||||
`EXE_SHELL`
|
||||
|
||||
This variable is used to specify the shell used to execute OpenSSL test
|
||||
programs. The default wrapper (`util/wrap.pl`) initializes the environment
|
||||
to allow programs to find shared libraries. The variable can be modified
|
||||
to specify a different executable environment.
|
||||
|
||||
EXE_SHELL=\
|
||||
"`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 --leak-check=full -q"
|
||||
|
||||
This will start up Valgrind with the default checker (`memcheck`).
|
||||
The `--error-exitcode=1` option specifies that Valgrind should exit with an
|
||||
error code of 1 when memory leaks occur.
|
||||
The `--leak-check=full` option specifies extensive memory checking.
|
||||
The `-q` option prints only error messages.
|
||||
Additional Valgrind options may be added to the `EXE_SHELL` variable.
|
||||
|
||||
`OPENSSL_ia32cap`
|
||||
|
||||
This variable controls the processor-specific code on Intel processors.
|
||||
By default, OpenSSL will attempt to figure out the capabilities of a
|
||||
processor, and use it to its fullest capability. This variable can be
|
||||
used to control what capabilities OpenSSL uses.
|
||||
|
||||
As of valgrind-3.15.0 on Linux/x86_64, instructions up to AVX2 are
|
||||
supported. Setting the following disables instructions beyond AVX2:
|
||||
|
||||
`OPENSSL_ia32cap=":0"`
|
||||
|
||||
This variable may need to be set to something different based on the
|
||||
processor and Valgrind version you are running tests on. More information
|
||||
may be found in [doc/man3/OPENSSL_ia32cap.pod](doc/man3/OPENSSL_ia32cap.pod).
|
||||
|
||||
Additional variables (such as `VERBOSE` and `TESTS`) are described in the
|
||||
file [test/README.md](test/README.md).
|
||||
|
||||
Example command line:
|
||||
|
||||
$ make test EXE_SHELL="`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 \
|
||||
--leak-check=full -q" OPENSSL_ia32cap=":0"
|
||||
|
||||
If an error occurs, you can then run the specific test via the `TESTS` variable
|
||||
with the `VERBOSE` or `VF` or `VFP` options to gather additional information.
|
||||
|
||||
$ make test VERBOSE=1 TESTS=test_test EXE_SHELL="`/bin/pwd`/util/wrap.pl \
|
||||
valgrind --error-exitcode=1 --leak-check=full -q" OPENSSL_ia32cap=":0"
|
132
crypto/openssl/NOTES-VMS.md
Normal file
132
crypto/openssl/NOTES-VMS.md
Normal file
@ -0,0 +1,132 @@
|
||||
Notes for the OpenVMS platform
|
||||
==============================
|
||||
|
||||
- [Requirement details](#requirement-details)
|
||||
- [About ANSI C compiler](#about-ansi-c-compiler)
|
||||
- [About ODS-5 directory names and Perl](#about-ods-5-directory-names-and-perl)
|
||||
- [About MMS and DCL](#about-mms-and-dcl)
|
||||
- [About debugging](#about-debugging)
|
||||
- [Checking the distribution](#checking-the-distribution)
|
||||
|
||||
Requirement details
|
||||
-------------------
|
||||
|
||||
In addition to the requirements and instructions listed
|
||||
in [INSTALL.md](INSTALL.md), this are required as well:
|
||||
|
||||
* At least ODS-5 disk organization for source and build.
|
||||
Installation can be done on any existing disk organization.
|
||||
|
||||
About ANSI C compiler
|
||||
---------------------
|
||||
|
||||
An ANSI C compiled is needed among other things. This means that
|
||||
VAX C is not and will not be supported.
|
||||
|
||||
We have only tested with DEC C (aka HP VMS C / VSI C) and require
|
||||
version 7.1 or later. Compiling with a different ANSI C compiler may
|
||||
require some work.
|
||||
|
||||
Please avoid using C RTL feature logical names `DECC$*` when building
|
||||
and testing OpenSSL. Most of all, they can be disruptive when
|
||||
running the tests, as they affect the Perl interpreter.
|
||||
|
||||
About ODS-5 directory names and Perl
|
||||
------------------------------------
|
||||
|
||||
It seems that the perl function canonpath() in the `File::Spec` module
|
||||
doesn't treat file specifications where the last directory name
|
||||
contains periods very well. Unfortunately, some versions of VMS tar
|
||||
will keep the periods in the OpenSSL source directory instead of
|
||||
converting them to underscore, thereby leaving your source in
|
||||
something like `[.openssl-1^.1^.0]`. This will lead to issues when
|
||||
configuring and building OpenSSL.
|
||||
|
||||
We have no replacement for Perl's canonpath(), so the best workaround
|
||||
for now is to rename the OpenSSL source directory, as follows (please
|
||||
adjust for the actual source directory name you have):
|
||||
|
||||
$ rename openssl-1^.1^.0.DIR openssl-1_1_0.DIR
|
||||
|
||||
About MMS and DCL
|
||||
-----------------
|
||||
|
||||
MMS has certain limitations when it comes to line length, and DCL has
|
||||
certain limitations when it comes to total command length. We do
|
||||
what we can to mitigate, but there is the possibility that it's not
|
||||
enough. Should you run into issues, a very simple solution is to set
|
||||
yourself up a few logical names for the directory trees you're going
|
||||
to use.
|
||||
|
||||
About debugging
|
||||
---------------
|
||||
|
||||
If you build for debugging, the default on VMS is that image
|
||||
activation starts the debugger automatically, giving you a debug
|
||||
prompt. Unfortunately, this disrupts all other uses, such as running
|
||||
test programs in the test framework.
|
||||
|
||||
Generally speaking, if you build for debugging, only use the programs
|
||||
directly for debugging. Do not try to use them from a script, such
|
||||
as running the test suite.
|
||||
|
||||
### The following is not available on Alpha
|
||||
|
||||
As a compromise, we're turning off the flag that makes the debugger
|
||||
start automatically. If there is a program that you need to debug,
|
||||
you need to turn that flag back on first, for example:
|
||||
|
||||
$ set image /flag=call_debug [.test]evp_test.exe
|
||||
|
||||
Then just run it and you will find yourself in a debugging session.
|
||||
When done, we recommend that you turn that flag back off:
|
||||
|
||||
$ set image /flag=nocall_debug [.test]evp_test.exe
|
||||
|
||||
About assembler acceleration
|
||||
----------------------------
|
||||
|
||||
OpenSSL has assembler acceleration for a number of BIGNUM and crypto
|
||||
routines. The VMS config targets tries to look for a selection of
|
||||
assemblers and will use what they find. If none of the assemblers are
|
||||
found, OpenSSL will be built as if `no-asm` was configured.
|
||||
|
||||
### For Itanium / IA64 / I64
|
||||
|
||||
- There is only one assembler, a port of Intel's `ias`, found in the
|
||||
HP Open Source Tools CD, available through [DECUSlib](http://www.decuslib.com).
|
||||
It's assumed to be set up as per the instructions, where `disk` and
|
||||
`dir` are expected to be adapted to local conditions:
|
||||
|
||||
$ ias :== $disk:[dir]iasi64.exe
|
||||
|
||||
Checking the distribution
|
||||
-------------------------
|
||||
|
||||
There have been reports of places where the distribution didn't quite
|
||||
get through, for example if you've copied the tree from a NFS-mounted
|
||||
Unix mount point.
|
||||
|
||||
The easiest way to check if everything got through as it should is to
|
||||
check that this file exists:
|
||||
|
||||
[.include.openssl]configuration^.h.in
|
||||
|
||||
The best way to get a correct distribution is to download the gzipped
|
||||
tar file from ftp://ftp.openssl.org/source/, use `GZIP -d` to uncompress
|
||||
it and `VMSTAR` to unpack the resulting tar file.
|
||||
|
||||
Gzip and VMSTAR are available here:
|
||||
|
||||
<http://antinode.info/dec/index.html#Software>
|
||||
|
||||
Should you need it, you can find UnZip for VMS here:
|
||||
|
||||
<http://www.info-zip.org/UnZip.html>
|
||||
|
||||
How the value of 'arch' is determined
|
||||
-------------------------------------
|
||||
|
||||
'arch' is mentioned in INSTALL. It's value is determined like this:
|
||||
|
||||
arch = f$edit( f$getsyi( "arch_name"), "upcase")
|
265
crypto/openssl/NOTES-WINDOWS.md
Normal file
265
crypto/openssl/NOTES-WINDOWS.md
Normal file
@ -0,0 +1,265 @@
|
||||
Notes for Windows platforms
|
||||
===========================
|
||||
|
||||
- [Native builds using Visual C++](#native-builds-using-visual-c++)
|
||||
- [Native builds using Embarcadero C++Builder](
|
||||
#native-builds-using-embarcadero-c++-builder)
|
||||
- [Native builds using MinGW](#native-builds-using-mingw)
|
||||
- [Linking native applications](#linking-native-applications)
|
||||
- [Hosted builds using Cygwin](#hosted-builds-using-cygwin)
|
||||
|
||||
There are various options to build and run OpenSSL on the Windows platforms.
|
||||
|
||||
"Native" OpenSSL uses the Windows APIs directly at run time.
|
||||
To build a native OpenSSL you can either use:
|
||||
|
||||
Microsoft Visual C++ (MSVC) C compiler on the command line
|
||||
or
|
||||
Embarcadero C++Builder
|
||||
or
|
||||
MinGW cross compiler
|
||||
run on the GNU-like development environment MSYS2
|
||||
or run on Linux or Cygwin
|
||||
|
||||
"Hosted" OpenSSL relies on an external POSIX compatibility layer
|
||||
for building (using GNU/Unix shell, compiler, and tools) and at run time.
|
||||
For this option you can use Cygwin.
|
||||
|
||||
Native builds using Visual C++
|
||||
==============================
|
||||
|
||||
The native builds using Visual C++ have a `VC-*` prefix.
|
||||
|
||||
Requirement details
|
||||
-------------------
|
||||
|
||||
In addition to the requirements and instructions listed in `INSTALL.md`,
|
||||
these are required as well:
|
||||
|
||||
### Perl
|
||||
|
||||
We recommend Strawberry Perl, available from <http://strawberryperl.com/>
|
||||
Please read NOTES.PERL for more information, including the use of CPAN.
|
||||
An alternative is ActiveState Perl, <https://www.activestate.com/ActivePerl>
|
||||
for which you may need to explicitly build the Perl module Win32/Console.pm
|
||||
via <https://platform.activestate.com/ActiveState> and then download it.
|
||||
|
||||
### Microsoft Visual C compiler.
|
||||
|
||||
Since these are proprietary and ever-changing we cannot test them all.
|
||||
Older versions may not work. Use a recent version wherever possible.
|
||||
|
||||
### Netwide Assembler (NASM)
|
||||
|
||||
NASM is the only supported assembler. It is available from <https://www.nasm.us>.
|
||||
|
||||
Quick start
|
||||
-----------
|
||||
|
||||
1. Install Perl
|
||||
|
||||
2. Install NASM
|
||||
|
||||
3. Make sure both Perl and NASM are on your %PATH%
|
||||
|
||||
4. Use Visual Studio Developer Command Prompt with administrative privileges,
|
||||
choosing one of its variants depending on the intended architecture.
|
||||
Or run `cmd` and execute `vcvarsall.bat` with one of the options `x86`,
|
||||
`x86_amd64`, `x86_arm`, `x86_arm64`, `amd64`, `amd64_x86`, `amd64_arm`,
|
||||
or `amd64_arm64`.
|
||||
This sets up the environment variables needed for `nmake.exe`, `cl.exe`,
|
||||
etc.
|
||||
See also
|
||||
<https://docs.microsoft.com/cpp/build/building-on-the-command-line>
|
||||
|
||||
5. From the root of the OpenSSL source directory enter
|
||||
- `perl Configure VC-WIN32` if you want 32-bit OpenSSL or
|
||||
- `perl Configure VC-WIN64A` if you want 64-bit OpenSSL or
|
||||
- `perl Configure VC-WIN64-ARM` if you want Windows on Arm (win-arm64)
|
||||
OpenSSL or
|
||||
- `perl Configure` to let Configure figure out the platform
|
||||
|
||||
6. `nmake`
|
||||
|
||||
7. `nmake test`
|
||||
|
||||
8. `nmake install`
|
||||
|
||||
For the full installation instructions, or if anything goes wrong at any stage,
|
||||
check the INSTALL.md file.
|
||||
|
||||
Installation directories
|
||||
------------------------
|
||||
|
||||
The default installation directories are derived from environment
|
||||
variables.
|
||||
|
||||
For VC-WIN32, the following defaults are use:
|
||||
|
||||
PREFIX: %ProgramFiles(x86)%\OpenSSL
|
||||
OPENSSLDIR: %CommonProgramFiles(x86)%\SSL
|
||||
|
||||
For VC-WIN64, the following defaults are use:
|
||||
|
||||
PREFIX: %ProgramW6432%\OpenSSL
|
||||
OPENSSLDIR: %CommonProgramW6432%\SSL
|
||||
|
||||
Should those environment variables not exist (on a pure Win32
|
||||
installation for examples), these fallbacks are used:
|
||||
|
||||
PREFIX: %ProgramFiles%\OpenSSL
|
||||
OPENSSLDIR: %CommonProgramFiles%\SSL
|
||||
|
||||
ALSO NOTE that those directories are usually write protected, even if
|
||||
your account is in the Administrators group. To work around that,
|
||||
start the command prompt by right-clicking on it and choosing "Run as
|
||||
Administrator" before running `nmake install`. The other solution
|
||||
is, of course, to choose a different set of directories by using
|
||||
`--prefix` and `--openssldir` when configuring.
|
||||
|
||||
Special notes for Universal Windows Platform builds, aka `VC-*-UWP`
|
||||
-------------------------------------------------------------------
|
||||
|
||||
- UWP targets only support building the static and dynamic libraries.
|
||||
|
||||
- You should define the platform type to `uwp` and the target arch via
|
||||
`vcvarsall.bat` before you compile. For example, if you want to build
|
||||
`arm64` builds, you should run `vcvarsall.bat x86_arm64 uwp`.
|
||||
|
||||
Native builds using Embarcadero C++Builder
|
||||
=========================================
|
||||
|
||||
This toolchain (a descendant of Turbo/Borland C++) is an alternative to MSVC.
|
||||
OpenSSL currently includes an experimental 32-bit configuration targeting the
|
||||
Clang-based compiler (`bcc32c.exe`) in v10.3.3 Community Edition.
|
||||
<https://www.embarcadero.com/products/cbuilder/starter>
|
||||
|
||||
1. Install Perl.
|
||||
|
||||
2. Open the RAD Studio Command Prompt.
|
||||
|
||||
3. Go to the root of the OpenSSL source directory and run:
|
||||
`perl Configure BC-32 --prefix=%CD%`
|
||||
|
||||
4. `make -N`
|
||||
|
||||
5. `make -N test`
|
||||
|
||||
6. Build your program against this OpenSSL:
|
||||
* Set your include search path to the "include" subdirectory of OpenSSL.
|
||||
* Set your library search path to the OpenSSL source directory.
|
||||
|
||||
Note that this is very experimental. Support for 64-bit and other Configure
|
||||
options is still pending.
|
||||
|
||||
Native builds using MinGW
|
||||
=========================
|
||||
|
||||
MinGW offers an alternative way to build native OpenSSL, by cross compilation.
|
||||
|
||||
* Usually the build is done on Windows in a GNU-like environment called MSYS2.
|
||||
|
||||
MSYS2 provides GNU tools, a Unix-like command prompt,
|
||||
and a UNIX compatibility layer for applications.
|
||||
However, in this context it is only used for building OpenSSL.
|
||||
The resulting OpenSSL does not rely on MSYS2 to run and is fully native.
|
||||
|
||||
Requirement details
|
||||
|
||||
- MSYS2 shell, from <https://www.msys2.org/>
|
||||
|
||||
- Perl, at least version 5.10.0, which usually comes pre-installed with MSYS2
|
||||
|
||||
- make, installed using `pacman -S make` into the MSYS2 environment
|
||||
|
||||
- MinGW[64] compiler: `mingw-w64-i686-gcc` and/or `mingw-w64-x86_64-gcc`.
|
||||
These compilers must be on your MSYS2 $PATH.
|
||||
A common error is to not have these on your $PATH.
|
||||
The MSYS2 version of gcc will not work correctly here.
|
||||
|
||||
In the MSYS2 shell do the configuration depending on the target architecture:
|
||||
|
||||
./Configure mingw ...
|
||||
|
||||
or
|
||||
|
||||
./Configure mingw64 ...
|
||||
|
||||
or
|
||||
|
||||
./Configure ...
|
||||
|
||||
for the default architecture.
|
||||
|
||||
Apart from that, follow the Unix / Linux instructions in `INSTALL.md`.
|
||||
|
||||
* It is also possible to build mingw[64] on Linux or Cygwin.
|
||||
|
||||
In this case configure with the corresponding `--cross-compile-prefix=`
|
||||
option. For example
|
||||
|
||||
./Configure mingw --cross-compile-prefix=i686-w64-mingw32- ...
|
||||
|
||||
or
|
||||
|
||||
./Configure mingw64 --cross-compile-prefix=x86_64-w64-mingw32- ...
|
||||
|
||||
This requires that you've installed the necessary add-on packages for
|
||||
mingw[64] cross compilation.
|
||||
|
||||
Linking native applications
|
||||
===========================
|
||||
|
||||
This section applies to all native builds.
|
||||
|
||||
If you link with static OpenSSL libraries then you're expected to
|
||||
additionally link your application with `WS2_32.LIB`, `GDI32.LIB`,
|
||||
`ADVAPI32.LIB`, `CRYPT32.LIB` and `USER32.LIB`. Those developing
|
||||
non-interactive service applications might feel concerned about
|
||||
linking with `GDI32.LIB` and `USER32.LIB`, as they are justly associated
|
||||
with interactive desktop, which is not available to service
|
||||
processes. The toolkit is designed to detect in which context it's
|
||||
currently executed, GUI, console app or service, and act accordingly,
|
||||
namely whether or not to actually make GUI calls. Additionally those
|
||||
who wish to `/DELAYLOAD:GDI32.DLL` and `/DELAYLOAD:USER32.DLL` and
|
||||
actually keep them off service process should consider implementing
|
||||
and exporting from .exe image in question own `_OPENSSL_isservice` not
|
||||
relying on `USER32.DLL`. E.g., on Windows Vista and later you could:
|
||||
|
||||
__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
|
||||
{
|
||||
DWORD sess;
|
||||
|
||||
if (ProcessIdToSessionId(GetCurrentProcessId(), &sess))
|
||||
return sess == 0;
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
If you link with OpenSSL .DLLs, then you're expected to include into
|
||||
your application code a small "shim" snippet, which provides
|
||||
the glue between the OpenSSL BIO layer and your compiler run-time.
|
||||
See also the OPENSSL_Applink manual page.
|
||||
|
||||
Hosted builds using Cygwin
|
||||
==========================
|
||||
|
||||
Cygwin implements a POSIX/Unix runtime system (`cygwin1.dll`) on top of the
|
||||
Windows subsystem and provides a Bash shell and GNU tools environment.
|
||||
Consequently, a build of OpenSSL with Cygwin is virtually identical to the
|
||||
Unix procedure.
|
||||
|
||||
To build OpenSSL using Cygwin, you need to:
|
||||
|
||||
* Install Cygwin, see <https://cygwin.com/>
|
||||
|
||||
* Install Cygwin Perl, at least version 5.10.0
|
||||
and ensure it is in the $PATH
|
||||
|
||||
* Run the Cygwin Bash shell
|
||||
|
||||
Apart from that, follow the Unix / Linux instructions in INSTALL.md.
|
||||
|
||||
NOTE: `make test` and normal file operations may fail in directories
|
||||
mounted as text (i.e. `mount -t c:\somewhere /home`) due to Cygwin
|
||||
stripping of carriage returns. To avoid this ensure that a binary
|
||||
mount is used, e.g. `mount -b c:\somewhere /home`.
|
@ -1,119 +0,0 @@
|
||||
TOC
|
||||
===
|
||||
|
||||
- Notes on Perl
|
||||
- Notes on Perl on Windows
|
||||
- Notes on Perl modules we use
|
||||
- Notes on installing a perl module
|
||||
|
||||
Notes on Perl
|
||||
-------------
|
||||
|
||||
For our scripts, we rely quite a bit on Perl, and increasingly on
|
||||
some core Perl modules. These Perl modules are part of the Perl
|
||||
source, so if you build Perl on your own, you should be set.
|
||||
|
||||
However, if you install Perl as binary packages, the outcome might
|
||||
differ, and you may have to check that you do get the core modules
|
||||
installed properly. We do not claim to know them all, but experience
|
||||
has told us the following:
|
||||
|
||||
- on Linux distributions based on Debian, the package 'perl' will
|
||||
install the core Perl modules as well, so you will be fine.
|
||||
- on Linux distributions based on RPMs, you will need to install
|
||||
'perl-core' rather than just 'perl'.
|
||||
|
||||
You MUST have at least Perl version 5.10.0 installed. This minimum
|
||||
requirement is due to our use of regexp backslash sequence \R among
|
||||
other features that didn't exist in core Perl before that version.
|
||||
|
||||
Notes on Perl on Windows
|
||||
------------------------
|
||||
|
||||
There are a number of build targets that can be viewed as "Windows".
|
||||
Indeed, there are VC-* configs targeting VisualStudio C, as well as
|
||||
MinGW and Cygwin. The key recommendation is to use "matching" Perl,
|
||||
one that matches build environment. For example, if you will build
|
||||
on Cygwin be sure to use the Cygwin package manager to install Perl.
|
||||
For MSYS builds use the MSYS provided Perl. For VC-* builds we
|
||||
recommend ActiveState Perl, available from
|
||||
http://www.activestate.com/ActivePerl.
|
||||
|
||||
Notes on Perl on VMS
|
||||
--------------------
|
||||
|
||||
You will need to install Perl separately. One way to do so is to
|
||||
download the source from http://perl.org/, unpacking it, reading
|
||||
README.vms and follow the instructions. Another way is to download a
|
||||
.PCSI file from http://www.vmsperl.com/ and install it using the
|
||||
POLYCENTER install tool.
|
||||
|
||||
Notes on Perl modules we use
|
||||
----------------------------
|
||||
|
||||
We make increasing use of Perl modules, and do our best to limit
|
||||
ourselves to core Perl modules to keep the requirements down. There
|
||||
are just a few exceptions:
|
||||
|
||||
Test::More We require the minimum version to be 0.96, which
|
||||
appeared in Perl 5.13.4, because that version was
|
||||
the first to have all the features we're using.
|
||||
This module is required for testing only! If you
|
||||
don't plan on running the tests, you don't need to
|
||||
bother with this one.
|
||||
|
||||
Text::Template This module is not part of the core Perl modules.
|
||||
As a matter of fact, the core Perl modules do not
|
||||
include any templating module to date.
|
||||
This module is absolutely needed, configuration
|
||||
depends on it.
|
||||
|
||||
To avoid unnecessary initial hurdles, we have bundled a copy of the
|
||||
following modules in our source. They will work as fallbacks if
|
||||
these modules aren't already installed on the system.
|
||||
|
||||
Text::Template
|
||||
|
||||
Notes on installing a perl module
|
||||
---------------------------------
|
||||
|
||||
There are a number of ways to install a perl module. In all
|
||||
descriptions below, Text::Template will serve as an example.
|
||||
|
||||
1. for Linux users, the easiest is to install with the use of your
|
||||
favorite package manager. Usually, all you need to do is search
|
||||
for the module name and to install the package that comes up.
|
||||
|
||||
On Debian based Linux distributions, it would go like this:
|
||||
|
||||
$ apt-cache search Text::Template
|
||||
...
|
||||
libtext-template-perl - perl module to process text templates
|
||||
$ sudo apt-get install libtext-template-perl
|
||||
|
||||
Perl modules in Debian based distributions use package names like
|
||||
the name of the module in question, with "lib" prepended and
|
||||
"-perl" appended.
|
||||
|
||||
2. Install using CPAN. This is very easy, but usually requires root
|
||||
access:
|
||||
|
||||
$ cpan -i Text::Template
|
||||
|
||||
Note that this runs all the tests that the module to be installed
|
||||
comes with. This is usually a smooth operation, but there are
|
||||
platforms where a failure is indicated even though the actual tests
|
||||
were successful. Should that happen, you can force an
|
||||
installation regardless (that should be safe since you've already
|
||||
seen the tests succeed!):
|
||||
|
||||
$ cpan -f -i Text::Template
|
||||
|
||||
Note: on VMS, you must quote any argument that contains uppercase
|
||||
characters, so the lines above would be:
|
||||
|
||||
$ cpan -i "Text::Template"
|
||||
|
||||
and:
|
||||
|
||||
$ cpan -f -i "Text::Template"
|
@ -1,93 +0,0 @@
|
||||
|
||||
OpenSSL 1.1.1u 30 May 2023
|
||||
|
||||
Copyright (c) 1998-2023 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
All rights reserved.
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
|
||||
The OpenSSL Project is a collaborative effort to develop a robust,
|
||||
commercial-grade, fully featured, and Open Source toolkit implementing the
|
||||
Transport Layer Security (TLS) protocols (including SSLv3) as well as a
|
||||
full-strength general purpose cryptographic library.
|
||||
|
||||
OpenSSL is descended from the SSLeay library developed by Eric A. Young
|
||||
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the
|
||||
OpenSSL license plus the SSLeay license), which means that you are free to
|
||||
get and use it for commercial and non-commercial purposes as long as you
|
||||
fulfill the conditions of both licenses.
|
||||
|
||||
OVERVIEW
|
||||
--------
|
||||
|
||||
The OpenSSL toolkit includes:
|
||||
|
||||
libssl (with platform specific naming):
|
||||
Provides the client and server-side implementations for SSLv3 and TLS.
|
||||
|
||||
libcrypto (with platform specific naming):
|
||||
Provides general cryptographic and X.509 support needed by SSL/TLS but
|
||||
not logically part of it.
|
||||
|
||||
openssl:
|
||||
A command line tool that can be used for:
|
||||
Creation of key parameters
|
||||
Creation of X.509 certificates, CSRs and CRLs
|
||||
Calculation of message digests
|
||||
Encryption and decryption
|
||||
SSL/TLS client and server tests
|
||||
Handling of S/MIME signed or encrypted mail
|
||||
And more...
|
||||
|
||||
INSTALLATION
|
||||
------------
|
||||
|
||||
See the appropriate file:
|
||||
INSTALL Linux, Unix, Windows, OpenVMS, ...
|
||||
NOTES.* INSTALL addendums for different platforms
|
||||
|
||||
SUPPORT
|
||||
-------
|
||||
|
||||
See the OpenSSL website www.openssl.org for details on how to obtain
|
||||
commercial technical support. Free community support is available through the
|
||||
openssl-users email list (see
|
||||
https://www.openssl.org/community/mailinglists.html for further details).
|
||||
|
||||
If you have any problems with OpenSSL then please take the following steps
|
||||
first:
|
||||
|
||||
- Download the latest version from the repository
|
||||
to see if the problem has already been addressed
|
||||
- Configure with no-asm
|
||||
- Remove compiler optimization flags
|
||||
|
||||
If you wish to report a bug then please include the following information
|
||||
and create an issue on GitHub:
|
||||
|
||||
- OpenSSL version: output of 'openssl version -a'
|
||||
- Configuration data: output of 'perl configdata.pm --dump'
|
||||
- OS Name, Version, Hardware platform
|
||||
- Compiler Details (name, version)
|
||||
- Application Details (name, version)
|
||||
- Problem Description (steps that will reproduce the problem, if known)
|
||||
- Stack Traceback (if the application dumps core)
|
||||
|
||||
Just because something doesn't work the way you expect does not mean it
|
||||
is necessarily a bug in OpenSSL. Use the openssl-users email list for this type
|
||||
of query.
|
||||
|
||||
HOW TO CONTRIBUTE TO OpenSSL
|
||||
----------------------------
|
||||
|
||||
See CONTRIBUTING
|
||||
|
||||
LEGALITIES
|
||||
----------
|
||||
|
||||
A number of nations restrict the use or export of cryptography. If you
|
||||
are potentially subject to such restrictions you should seek competent
|
||||
professional legal advice before attempting to develop or distribute
|
||||
cryptographic code.
|
316
crypto/openssl/README-ENGINES.md
Normal file
316
crypto/openssl/README-ENGINES.md
Normal file
@ -0,0 +1,316 @@
|
||||
Engines
|
||||
=======
|
||||
|
||||
Deprecation Note
|
||||
----------------
|
||||
|
||||
The ENGINE API was introduced in OpenSSL version 0.9.6 as a low level
|
||||
interface for adding alternative implementations of cryptographic
|
||||
primitives, most notably for integrating hardware crypto devices.
|
||||
|
||||
The ENGINE interface has its limitations and it has been superseeded
|
||||
by the [PROVIDER API](README-PROVIDERS.md), it is deprecated in OpenSSL
|
||||
version 3.0. The following documentation is retained as an aid for
|
||||
users who need to maintain or support existing ENGINE implementations.
|
||||
Support for new hardware devices or new algorithms should be added
|
||||
via providers, and existing engines should be converted to providers
|
||||
as soon as possible.
|
||||
|
||||
Built-in ENGINE implementations
|
||||
-------------------------------
|
||||
|
||||
There are currently built-in ENGINE implementations for the following
|
||||
crypto devices:
|
||||
|
||||
* Microsoft CryptoAPI
|
||||
* VIA Padlock
|
||||
* nCipher CHIL
|
||||
|
||||
In addition, dynamic binding to external ENGINE implementations is now
|
||||
provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE"
|
||||
section below for details.
|
||||
|
||||
At this stage, a number of things are still needed and are being worked on:
|
||||
|
||||
1. Integration of EVP support.
|
||||
2. Configuration support.
|
||||
3. Documentation!
|
||||
|
||||
Integration of EVP support
|
||||
--------------------------
|
||||
|
||||
With respect to EVP, this relates to support for ciphers and digests in
|
||||
the ENGINE model so that alternative implementations of existing
|
||||
algorithms/modes (or previously unimplemented ones) can be provided by
|
||||
ENGINE implementations.
|
||||
|
||||
Configuration support
|
||||
---------------------
|
||||
|
||||
Configuration support currently exists in the ENGINE API itself, in the
|
||||
form of "control commands". These allow an application to expose to the
|
||||
user/admin the set of commands and parameter types a given ENGINE
|
||||
implementation supports, and for an application to directly feed string
|
||||
based input to those ENGINEs, in the form of name-value pairs. This is an
|
||||
extensible way for ENGINEs to define their own "configuration" mechanisms
|
||||
that are specific to a given ENGINE (eg. for a particular hardware
|
||||
device) but that should be consistent across *all* OpenSSL-based
|
||||
applications when they use that ENGINE. Work is in progress (or at least
|
||||
in planning) for supporting these control commands from the CONF (or
|
||||
NCONF) code so that applications using OpenSSL's existing configuration
|
||||
file format can have ENGINE settings specified in much the same way.
|
||||
Presently however, applications must use the ENGINE API itself to provide
|
||||
such functionality. To see first hand the types of commands available
|
||||
with the various compiled-in ENGINEs (see further down for dynamic
|
||||
ENGINEs), use the "engine" openssl utility with full verbosity, i.e.:
|
||||
|
||||
openssl engine -vvvv
|
||||
|
||||
Documentation
|
||||
-------------
|
||||
|
||||
Documentation? Volunteers welcome! The source code is reasonably well
|
||||
self-documenting, but some summaries and usage instructions are needed -
|
||||
moreover, they are needed in the same POD format the existing OpenSSL
|
||||
documentation is provided in. Any complete or incomplete contributions
|
||||
would help make this happen.
|
||||
|
||||
STABILITY & BUG-REPORTS
|
||||
=======================
|
||||
|
||||
What already exists is fairly stable as far as it has been tested, but
|
||||
the test base has been a bit small most of the time. For the most part,
|
||||
the vendors of the devices these ENGINEs support have contributed to the
|
||||
development and/or testing of the implementations, and *usually* (with no
|
||||
guarantees) have experience in using the ENGINE support to drive their
|
||||
devices from common OpenSSL-based applications. Bugs and/or inexplicable
|
||||
behaviour in using a specific ENGINE implementation should be sent to the
|
||||
author of that implementation (if it is mentioned in the corresponding C
|
||||
file), and in the case of implementations for commercial hardware
|
||||
devices, also through whatever vendor support channels are available. If
|
||||
none of this is possible, or the problem seems to be something about the
|
||||
ENGINE API itself (ie. not necessarily specific to a particular ENGINE
|
||||
implementation) then you should mail complete details to the relevant
|
||||
OpenSSL mailing list. For a definition of "complete details", refer to
|
||||
the OpenSSL "README" file. As for which list to send it to:
|
||||
|
||||
* openssl-users: if you are *using* the ENGINE abstraction, either in an
|
||||
pre-compiled application or in your own application code.
|
||||
|
||||
* openssl-dev: if you are discussing problems with OpenSSL source code.
|
||||
|
||||
USAGE
|
||||
=====
|
||||
|
||||
The default "openssl" ENGINE is always chosen when performing crypto
|
||||
operations unless you specify otherwise. You must actively tell the
|
||||
openssl utility commands to use anything else through a new command line
|
||||
switch called "-engine". Also, if you want to use the ENGINE support in
|
||||
your own code to do something similar, you must likewise explicitly
|
||||
select the ENGINE implementation you want.
|
||||
|
||||
Depending on the type of hardware, system, and configuration, "settings"
|
||||
may need to be applied to an ENGINE for it to function as expected/hoped.
|
||||
The recommended way of doing this is for the application to support
|
||||
ENGINE "control commands" so that each ENGINE implementation can provide
|
||||
whatever configuration primitives it might require and the application
|
||||
can allow the user/admin (and thus the hardware vendor's support desk
|
||||
also) to provide any such input directly to the ENGINE implementation.
|
||||
This way, applications do not need to know anything specific to any
|
||||
device, they only need to provide the means to carry such user/admin
|
||||
input through to the ENGINE in question. Ie. this connects *you* (and
|
||||
your helpdesk) to the specific ENGINE implementation (and device), and
|
||||
allows application authors to not get buried in hassle supporting
|
||||
arbitrary devices they know (and care) nothing about.
|
||||
|
||||
A new "openssl" utility, "openssl engine", has been added in that allows
|
||||
for testing and examination of ENGINE implementations. Basic usage
|
||||
instructions are available by specifying the "-?" command line switch.
|
||||
|
||||
DYNAMIC ENGINES
|
||||
===============
|
||||
|
||||
The new "dynamic" ENGINE provides a low-overhead way to support ENGINE
|
||||
implementations that aren't pre-compiled and linked into OpenSSL-based
|
||||
applications. This could be because existing compiled-in implementations
|
||||
have known problems and you wish to use a newer version with an existing
|
||||
application. It could equally be because the application (or OpenSSL
|
||||
library) you are using simply doesn't have support for the ENGINE you
|
||||
wish to use, and the ENGINE provider (eg. hardware vendor) is providing
|
||||
you with a self-contained implementation in the form of a shared-library.
|
||||
The other use-case for "dynamic" is with applications that wish to
|
||||
maintain the smallest foot-print possible and so do not link in various
|
||||
ENGINE implementations from OpenSSL, but instead leaves you to provide
|
||||
them, if you want them, in the form of "dynamic"-loadable
|
||||
shared-libraries. It should be possible for hardware vendors to provide
|
||||
their own shared-libraries to support arbitrary hardware to work with
|
||||
applications based on OpenSSL 0.9.7 or later. If you're using an
|
||||
application based on 0.9.7 (or later) and the support you desire is only
|
||||
announced for versions later than the one you need, ask the vendor to
|
||||
backport their ENGINE to the version you need.
|
||||
|
||||
How does "dynamic" work?
|
||||
------------------------
|
||||
|
||||
The dynamic ENGINE has a special flag in its implementation such that
|
||||
every time application code asks for the 'dynamic' ENGINE, it in fact
|
||||
gets its own copy of it. As such, multi-threaded code (or code that
|
||||
multiplexes multiple uses of 'dynamic' in a single application in any
|
||||
way at all) does not get confused by 'dynamic' being used to do many
|
||||
independent things. Other ENGINEs typically don't do this so there is
|
||||
only ever 1 ENGINE structure of its type (and reference counts are used
|
||||
to keep order). The dynamic ENGINE itself provides absolutely no
|
||||
cryptographic functionality, and any attempt to "initialise" the ENGINE
|
||||
automatically fails. All it does provide are a few "control commands"
|
||||
that can be used to control how it will load an external ENGINE
|
||||
implementation from a shared-library. To see these control commands,
|
||||
use the command-line;
|
||||
|
||||
openssl engine -vvvv dynamic
|
||||
|
||||
The "SO_PATH" control command should be used to identify the
|
||||
shared-library that contains the ENGINE implementation, and "NO_VCHECK"
|
||||
might possibly be useful if there is a minor version conflict and you
|
||||
(or a vendor helpdesk) is convinced you can safely ignore it.
|
||||
"ID" is probably only needed if a shared-library implements
|
||||
multiple ENGINEs, but if you know the engine id you expect to be using,
|
||||
it doesn't hurt to specify it (and this provides a sanity check if
|
||||
nothing else). "LIST_ADD" is only required if you actually wish the
|
||||
loaded ENGINE to be discoverable by application code later on using the
|
||||
ENGINE's "id". For most applications, this isn't necessary - but some
|
||||
application authors may have nifty reasons for using it. The "LOAD"
|
||||
command is the only one that takes no parameters and is the command
|
||||
that uses the settings from any previous commands to actually *load*
|
||||
the shared-library ENGINE implementation. If this command succeeds, the
|
||||
(copy of the) 'dynamic' ENGINE will magically morph into the ENGINE
|
||||
that has been loaded from the shared-library. As such, any control
|
||||
commands supported by the loaded ENGINE could then be executed as per
|
||||
normal. Eg. if ENGINE "foo" is implemented in the shared-library
|
||||
"libfoo.so" and it supports some special control command "CMD_FOO", the
|
||||
following code would load and use it (NB: obviously this code has no
|
||||
error checking);
|
||||
|
||||
ENGINE *e = ENGINE_by_id("dynamic");
|
||||
ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
|
||||
ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
|
||||
ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
|
||||
ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
|
||||
|
||||
For testing, the "openssl engine" utility can be useful for this sort
|
||||
of thing. For example the above code excerpt would achieve much the
|
||||
same result as;
|
||||
|
||||
openssl engine dynamic \
|
||||
-pre SO_PATH:/lib/libfoo.so \
|
||||
-pre ID:foo \
|
||||
-pre LOAD \
|
||||
-pre "CMD_FOO:some input data"
|
||||
|
||||
Or to simply see the list of commands supported by the "foo" ENGINE;
|
||||
|
||||
openssl engine -vvvv dynamic \
|
||||
-pre SO_PATH:/lib/libfoo.so \
|
||||
-pre ID:foo \
|
||||
-pre LOAD
|
||||
|
||||
Applications that support the ENGINE API and more specifically, the
|
||||
"control commands" mechanism, will provide some way for you to pass
|
||||
such commands through to ENGINEs. As such, you would select "dynamic"
|
||||
as the ENGINE to use, and the parameters/commands you pass would
|
||||
control the *actual* ENGINE used. Each command is actually a name-value
|
||||
pair and the value can sometimes be omitted (eg. the "LOAD" command).
|
||||
Whilst the syntax demonstrated in "openssl engine" uses a colon to
|
||||
separate the command name from the value, applications may provide
|
||||
their own syntax for making that separation (eg. a win32 registry
|
||||
key-value pair may be used by some applications). The reason for the
|
||||
"-pre" syntax in the "openssl engine" utility is that some commands
|
||||
might be issued to an ENGINE *after* it has been initialised for use.
|
||||
Eg. if an ENGINE implementation requires a smart-card to be inserted
|
||||
during initialisation (or a PIN to be typed, or whatever), there may be
|
||||
a control command you can issue afterwards to "forget" the smart-card
|
||||
so that additional initialisation is no longer possible. In
|
||||
applications such as web-servers, where potentially volatile code may
|
||||
run on the same host system, this may provide some arguable security
|
||||
value. In such a case, the command would be passed to the ENGINE after
|
||||
it has been initialised for use, and so the "-post" switch would be
|
||||
used instead. Applications may provide a different syntax for
|
||||
supporting this distinction, and some may simply not provide it at all
|
||||
("-pre" is almost always what you're after, in reality).
|
||||
|
||||
How do I build a "dynamic" ENGINE?
|
||||
----------------------------------
|
||||
|
||||
This question is trickier - currently OpenSSL bundles various ENGINE
|
||||
implementations that are statically built in, and any application that
|
||||
calls the "ENGINE_load_builtin_engines()" function will automatically
|
||||
have all such ENGINEs available (and occupying memory). Applications
|
||||
that don't call that function have no ENGINEs available like that and
|
||||
would have to use "dynamic" to load any such ENGINE - but on the other
|
||||
hand such applications would only have the memory footprint of any
|
||||
ENGINEs explicitly loaded using user/admin provided control commands.
|
||||
The main advantage of not statically linking ENGINEs and only using
|
||||
"dynamic" for hardware support is that any installation using no
|
||||
"external" ENGINE suffers no unnecessary memory footprint from unused
|
||||
ENGINEs. Likewise, installations that do require an ENGINE incur the
|
||||
overheads from only *that* ENGINE once it has been loaded.
|
||||
|
||||
Sounds good? Maybe, but currently building an ENGINE implementation as
|
||||
a shared-library that can be loaded by "dynamic" isn't automated in
|
||||
OpenSSL's build process. It can be done manually quite easily however.
|
||||
Such a shared-library can either be built with any OpenSSL code it
|
||||
needs statically linked in, or it can link dynamically against OpenSSL
|
||||
if OpenSSL itself is built as a shared library. The instructions are
|
||||
the same in each case, but in the former (statically linked any
|
||||
dependencies on OpenSSL) you must ensure OpenSSL is built with
|
||||
position-independent code ("PIC"). The default OpenSSL compilation may
|
||||
already specify the relevant flags to do this, but you should consult
|
||||
with your compiler documentation if you are in any doubt.
|
||||
|
||||
This example will show building the "atalla" ENGINE in the
|
||||
crypto/engine/ directory as a shared-library for use via the "dynamic"
|
||||
ENGINE.
|
||||
|
||||
1. "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL
|
||||
source tree.
|
||||
|
||||
2. Recompile at least one source file so you can see all the compiler
|
||||
flags (and syntax) being used to build normally. Eg;
|
||||
|
||||
touch hw_atalla.c ; make
|
||||
|
||||
will rebuild "hw_atalla.o" using all such flags.
|
||||
|
||||
3. Manually enter the same compilation line to compile the
|
||||
"hw_atalla.c" file but with the following two changes;
|
||||
* add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches,
|
||||
* change the output file from "hw_atalla.o" to something new,
|
||||
eg. "tmp_atalla.o"
|
||||
|
||||
4. Link "tmp_atalla.o" into a shared-library using the top-level
|
||||
OpenSSL libraries to resolve any dependencies. The syntax for doing
|
||||
this depends heavily on your system/compiler and is a nightmare
|
||||
known well to anyone who has worked with shared-library portability
|
||||
before. 'gcc' on Linux, for example, would use the following syntax;
|
||||
|
||||
gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto
|
||||
|
||||
5. Test your shared library using "openssl engine" as explained in the
|
||||
previous section. Eg. from the top-level directory, you might try
|
||||
|
||||
apps/openssl engine -vvvv dynamic \
|
||||
-pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD
|
||||
|
||||
If the shared-library loads successfully, you will see both "-pre"
|
||||
commands marked as "SUCCESS" and the list of control commands
|
||||
displayed (because of "-vvvv") will be the control commands for the
|
||||
*atalla* ENGINE (ie. *not* the 'dynamic' ENGINE). You can also add
|
||||
the "-t" switch to the utility if you want it to try and initialise
|
||||
the atalla ENGINE for use to test any possible hardware/driver issues.
|
||||
|
||||
PROBLEMS
|
||||
========
|
||||
|
||||
It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32.
|
||||
A quick test done right before the release showed that trying "openssl speed
|
||||
-engine cswift" generated errors. If the DSO gets enabled, an attempt is made
|
||||
to write at memory address 0x00000002.
|
86
crypto/openssl/README-FIPS.md
Normal file
86
crypto/openssl/README-FIPS.md
Normal file
@ -0,0 +1,86 @@
|
||||
OpenSSL FIPS support
|
||||
====================
|
||||
|
||||
This release of OpenSSL includes a cryptographic module that can be
|
||||
FIPS 140-2 validated. The module is implemented as an OpenSSL provider.
|
||||
A provider is essentially a dynamically loadable module which implements
|
||||
cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file
|
||||
for further details.
|
||||
|
||||
A cryptographic module is only FIPS validated after it has gone through the complex
|
||||
FIPS 140 validation process. As this process takes a very long time, it is not
|
||||
possible to validate every minor release of OpenSSL.
|
||||
If you need a FIPS validated module then you must ONLY generate a FIPS provider
|
||||
using OpenSSL versions that have valid FIPS certificates. A FIPS certificate
|
||||
contains a link to a Security Policy, and you MUST follow the instructions
|
||||
in the Security Policy in order to be FIPS compliant.
|
||||
See <https://www.openssl.org/source/> for information related to OpenSSL
|
||||
FIPS certificates and Security Policies.
|
||||
|
||||
Newer OpenSSL Releases that include security or bug fixes can be used to build
|
||||
all other components (such as the core API's, TLS and the default, base and
|
||||
legacy providers) without any restrictions, but the FIPS provider must be built
|
||||
as specified in the Security Policy (normally with a different version of the
|
||||
source code).
|
||||
|
||||
The OpenSSL FIPS provider is a shared library called `fips.so` (on Unix), or
|
||||
resp. `fips.dll` (on Windows). The FIPS provider does not get built and
|
||||
installed automatically. To enable it, you need to configure OpenSSL using
|
||||
the `enable-fips` option.
|
||||
|
||||
Installing the FIPS module
|
||||
==========================
|
||||
|
||||
The following is only a guide.
|
||||
Please read the Security Policy for up to date installation instructions.
|
||||
|
||||
If the FIPS provider is enabled, it gets installed automatically during the
|
||||
normal installation process. Simply follow the normal procedure (configure,
|
||||
make, make test, make install) as described in the [INSTALL](INSTALL.md) file.
|
||||
|
||||
For example, on Unix the final command
|
||||
|
||||
$ make install
|
||||
|
||||
effectively executes the following install targets
|
||||
|
||||
$ make install_sw
|
||||
$ make install_ssldirs
|
||||
$ make install_docs
|
||||
$ make install_fips # for `enable-fips` only
|
||||
|
||||
The `install_fips` make target can also be invoked explicitly to install
|
||||
the FIPS provider independently, without installing the rest of OpenSSL.
|
||||
|
||||
The Installation of the FIPS provider consists of two steps. In the first step,
|
||||
the shared library is copied to its installed location, which by default is
|
||||
|
||||
/usr/local/lib/ossl-modules/fips.so on Unix, and
|
||||
C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll on Windows.
|
||||
|
||||
In the second step, the `openssl fipsinstall` command is executed, which completes
|
||||
the installation by doing the following two things:
|
||||
|
||||
- Runs the FIPS module self tests
|
||||
- Generates the so-called FIPS module configuration file containing information
|
||||
about the module such as the self test status, and the module checksum.
|
||||
|
||||
The FIPS module must have the self tests run, and the FIPS module config file
|
||||
output generated on every machine that it is to be used on. You must not copy
|
||||
the FIPS module config file output data from one machine to another.
|
||||
|
||||
On Unix the `openssl fipsinstall` command will be invoked as follows by default:
|
||||
|
||||
$ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
|
||||
|
||||
If you configured OpenSSL to be installed to a different location, the paths will
|
||||
vary accordingly. In the rare case that you need to install the fipsmodule.cnf
|
||||
to non-standard location, you can execute the `openssl fipsinstall` command manually.
|
||||
|
||||
Using the FIPS Module in applications
|
||||
=====================================
|
||||
|
||||
Documentation about using the FIPS module is available on the [fips_module(7)]
|
||||
manual page.
|
||||
|
||||
[fips_module(7)]: https://www.openssl.org/docs/man3.0/man7/fips_module.html
|
145
crypto/openssl/README-PROVIDERS.md
Normal file
145
crypto/openssl/README-PROVIDERS.md
Normal file
@ -0,0 +1,145 @@
|
||||
Providers
|
||||
=========
|
||||
|
||||
- [Standard Providers](#standard-providers)
|
||||
- [The Default Provider](#the-default-provider)
|
||||
- [The Legacy Provider](#the-legacy-provider)
|
||||
- [The FIPS Provider](#the-fips-provider)
|
||||
- [The Base Provider](#the-base-provider)
|
||||
- [The Null Provider](#the-null-provider)
|
||||
- [Loading Providers](#loading-providers)
|
||||
|
||||
Standard Providers
|
||||
==================
|
||||
|
||||
Providers are containers for algorithm implementations. Whenever a cryptographic
|
||||
algorithm is used via the high level APIs a provider is selected. It is that
|
||||
provider implementation that actually does the required work. There are five
|
||||
providers distributed with OpenSSL. In the future we expect third parties to
|
||||
distribute their own providers which can be added to OpenSSL dynamically.
|
||||
Documentation about writing providers is available on the [provider(7)]
|
||||
manual page.
|
||||
|
||||
[provider(7)]: https://www.openssl.org/docs/man3.0/man7/provider.html
|
||||
|
||||
The Default Provider
|
||||
--------------------
|
||||
|
||||
The default provider collects together all of the standard built-in OpenSSL
|
||||
algorithm implementations. If an application doesn't specify anything else
|
||||
explicitly (e.g. in the application or via config), then this is the provider
|
||||
that will be used. It is loaded automatically the first time that we try to
|
||||
get an algorithm from a provider if no other provider has been loaded yet.
|
||||
If another provider has already been loaded then it won't be loaded
|
||||
automatically. Therefore if you want to use it in conjunction with other
|
||||
providers then you must load it explicitly.
|
||||
|
||||
This is a "built-in" provider which means that it is compiled and linked
|
||||
into the libcrypto library and does not exist as a separate standalone module.
|
||||
|
||||
The Legacy Provider
|
||||
-------------------
|
||||
|
||||
The legacy provider is a collection of legacy algorithms that are either no
|
||||
longer in common use or considered insecure and strongly discouraged from use.
|
||||
However, some applications may need to use these algorithms for backwards
|
||||
compatibility reasons. This provider is **not** loaded by default.
|
||||
This may mean that some applications upgrading from earlier versions of OpenSSL
|
||||
may find that some algorithms are no longer available unless they load the
|
||||
legacy provider explicitly.
|
||||
|
||||
Algorithms in the legacy provider include MD2, MD4, MDC2, RMD160, CAST5,
|
||||
BF (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES).
|
||||
|
||||
The FIPS Provider
|
||||
-----------------
|
||||
|
||||
The FIPS provider contains a sub-set of the algorithm implementations available
|
||||
from the default provider, consisting of algorithms conforming to FIPS standards.
|
||||
It is intended that this provider will be FIPS140-2 validated.
|
||||
|
||||
In some cases there may be minor behavioural differences between algorithm
|
||||
implementations in this provider compared to the equivalent algorithm in the
|
||||
default provider. This is typically in order to conform to FIPS standards.
|
||||
|
||||
The Base Provider
|
||||
-----------------
|
||||
|
||||
The base provider contains a small sub-set of non-cryptographic algorithms
|
||||
available in the default provider. For example, it contains algorithms to
|
||||
serialize and deserialize keys to files. If you do not load the default
|
||||
provider then you should always load this one instead (in particular, if
|
||||
you are using the FIPS provider).
|
||||
|
||||
The Null Provider
|
||||
-----------------
|
||||
|
||||
The null provider is "built-in" to libcrypto and contains no algorithm
|
||||
implementations. In order to guarantee that the default provider is not
|
||||
automatically loaded, the null provider can be loaded instead.
|
||||
|
||||
This can be useful if you are using non-default library contexts and want
|
||||
to ensure that the default library context is never used unintentionally.
|
||||
|
||||
Loading Providers
|
||||
=================
|
||||
|
||||
Providers to be loaded can be specified in the OpenSSL config file.
|
||||
See the [config(5)] manual page for information about how to configure
|
||||
providers via the config file, and how to automatically activate them.
|
||||
|
||||
[config(5)]: https://www.openssl.org/docs/man3.0/man5/config.html
|
||||
|
||||
The following is a minimal config file example to load and activate both
|
||||
the legacy and the default provider in the default library context.
|
||||
|
||||
openssl_conf = openssl_init
|
||||
|
||||
[openssl_init]
|
||||
providers = provider_sect
|
||||
|
||||
[provider_sect]
|
||||
default = default_sect
|
||||
legacy = legacy_sect
|
||||
|
||||
[default_sect]
|
||||
activate = 1
|
||||
|
||||
[legacy_sect]
|
||||
activate = 1
|
||||
|
||||
It is also possible to load providers programmatically. For example you can
|
||||
load the legacy provider into the default library context as shown below.
|
||||
Note that once you have explicitly loaded a provider into the library context
|
||||
the default provider will no longer be automatically loaded. Therefore you will
|
||||
often also want to explicitly load the default provider, as is done here:
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <openssl/provider.h>
|
||||
|
||||
int main(void)
|
||||
{
|
||||
OSSL_PROVIDER *legacy;
|
||||
OSSL_PROVIDER *deflt;
|
||||
|
||||
/* Load Multiple providers into the default (NULL) library context */
|
||||
legacy = OSSL_PROVIDER_load(NULL, "legacy");
|
||||
if (legacy == NULL) {
|
||||
printf("Failed to load Legacy provider\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
deflt = OSSL_PROVIDER_load(NULL, "default");
|
||||
if (deflt == NULL) {
|
||||
printf("Failed to load Default provider\n");
|
||||
OSSL_PROVIDER_unload(legacy);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
/* Rest of application */
|
||||
|
||||
OSSL_PROVIDER_unload(legacy);
|
||||
OSSL_PROVIDER_unload(deflt);
|
||||
exit(EXIT_SUCCESS);
|
||||
}
|
@ -1,287 +0,0 @@
|
||||
ENGINE
|
||||
======
|
||||
|
||||
With OpenSSL 0.9.6, a new component was added to support alternative
|
||||
cryptography implementations, most commonly for interfacing with external
|
||||
crypto devices (eg. accelerator cards). This component is called ENGINE,
|
||||
and its presence in OpenSSL 0.9.6 (and subsequent bug-fix releases)
|
||||
caused a little confusion as 0.9.6** releases were rolled in two
|
||||
versions, a "standard" and an "engine" version. In development for 0.9.7,
|
||||
the ENGINE code has been merged into the main branch and will be present
|
||||
in the standard releases from 0.9.7 forwards.
|
||||
|
||||
There are currently built-in ENGINE implementations for the following
|
||||
crypto devices:
|
||||
|
||||
o Microsoft CryptoAPI
|
||||
o VIA Padlock
|
||||
o nCipher CHIL
|
||||
|
||||
In addition, dynamic binding to external ENGINE implementations is now
|
||||
provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE"
|
||||
section below for details.
|
||||
|
||||
At this stage, a number of things are still needed and are being worked on:
|
||||
|
||||
1 Integration of EVP support.
|
||||
2 Configuration support.
|
||||
3 Documentation!
|
||||
|
||||
1 With respect to EVP, this relates to support for ciphers and digests in
|
||||
the ENGINE model so that alternative implementations of existing
|
||||
algorithms/modes (or previously unimplemented ones) can be provided by
|
||||
ENGINE implementations.
|
||||
|
||||
2 Configuration support currently exists in the ENGINE API itself, in the
|
||||
form of "control commands". These allow an application to expose to the
|
||||
user/admin the set of commands and parameter types a given ENGINE
|
||||
implementation supports, and for an application to directly feed string
|
||||
based input to those ENGINEs, in the form of name-value pairs. This is an
|
||||
extensible way for ENGINEs to define their own "configuration" mechanisms
|
||||
that are specific to a given ENGINE (eg. for a particular hardware
|
||||
device) but that should be consistent across *all* OpenSSL-based
|
||||
applications when they use that ENGINE. Work is in progress (or at least
|
||||
in planning) for supporting these control commands from the CONF (or
|
||||
NCONF) code so that applications using OpenSSL's existing configuration
|
||||
file format can have ENGINE settings specified in much the same way.
|
||||
Presently however, applications must use the ENGINE API itself to provide
|
||||
such functionality. To see first hand the types of commands available
|
||||
with the various compiled-in ENGINEs (see further down for dynamic
|
||||
ENGINEs), use the "engine" openssl utility with full verbosity, ie;
|
||||
openssl engine -vvvv
|
||||
|
||||
3 Documentation? Volunteers welcome! The source code is reasonably well
|
||||
self-documenting, but some summaries and usage instructions are needed -
|
||||
moreover, they are needed in the same POD format the existing OpenSSL
|
||||
documentation is provided in. Any complete or incomplete contributions
|
||||
would help make this happen.
|
||||
|
||||
STABILITY & BUG-REPORTS
|
||||
=======================
|
||||
|
||||
What already exists is fairly stable as far as it has been tested, but
|
||||
the test base has been a bit small most of the time. For the most part,
|
||||
the vendors of the devices these ENGINEs support have contributed to the
|
||||
development and/or testing of the implementations, and *usually* (with no
|
||||
guarantees) have experience in using the ENGINE support to drive their
|
||||
devices from common OpenSSL-based applications. Bugs and/or inexplicable
|
||||
behaviour in using a specific ENGINE implementation should be sent to the
|
||||
author of that implementation (if it is mentioned in the corresponding C
|
||||
file), and in the case of implementations for commercial hardware
|
||||
devices, also through whatever vendor support channels are available. If
|
||||
none of this is possible, or the problem seems to be something about the
|
||||
ENGINE API itself (ie. not necessarily specific to a particular ENGINE
|
||||
implementation) then you should mail complete details to the relevant
|
||||
OpenSSL mailing list. For a definition of "complete details", refer to
|
||||
the OpenSSL "README" file. As for which list to send it to;
|
||||
|
||||
openssl-users: if you are *using* the ENGINE abstraction, either in an
|
||||
pre-compiled application or in your own application code.
|
||||
|
||||
openssl-dev: if you are discussing problems with OpenSSL source code.
|
||||
|
||||
USAGE
|
||||
=====
|
||||
|
||||
The default "openssl" ENGINE is always chosen when performing crypto
|
||||
operations unless you specify otherwise. You must actively tell the
|
||||
openssl utility commands to use anything else through a new command line
|
||||
switch called "-engine". Also, if you want to use the ENGINE support in
|
||||
your own code to do something similar, you must likewise explicitly
|
||||
select the ENGINE implementation you want.
|
||||
|
||||
Depending on the type of hardware, system, and configuration, "settings"
|
||||
may need to be applied to an ENGINE for it to function as expected/hoped.
|
||||
The recommended way of doing this is for the application to support
|
||||
ENGINE "control commands" so that each ENGINE implementation can provide
|
||||
whatever configuration primitives it might require and the application
|
||||
can allow the user/admin (and thus the hardware vendor's support desk
|
||||
also) to provide any such input directly to the ENGINE implementation.
|
||||
This way, applications do not need to know anything specific to any
|
||||
device, they only need to provide the means to carry such user/admin
|
||||
input through to the ENGINE in question. Ie. this connects *you* (and
|
||||
your helpdesk) to the specific ENGINE implementation (and device), and
|
||||
allows application authors to not get buried in hassle supporting
|
||||
arbitrary devices they know (and care) nothing about.
|
||||
|
||||
A new "openssl" utility, "openssl engine", has been added in that allows
|
||||
for testing and examination of ENGINE implementations. Basic usage
|
||||
instructions are available by specifying the "-?" command line switch.
|
||||
|
||||
DYNAMIC ENGINES
|
||||
===============
|
||||
|
||||
The new "dynamic" ENGINE provides a low-overhead way to support ENGINE
|
||||
implementations that aren't pre-compiled and linked into OpenSSL-based
|
||||
applications. This could be because existing compiled-in implementations
|
||||
have known problems and you wish to use a newer version with an existing
|
||||
application. It could equally be because the application (or OpenSSL
|
||||
library) you are using simply doesn't have support for the ENGINE you
|
||||
wish to use, and the ENGINE provider (eg. hardware vendor) is providing
|
||||
you with a self-contained implementation in the form of a shared-library.
|
||||
The other use-case for "dynamic" is with applications that wish to
|
||||
maintain the smallest foot-print possible and so do not link in various
|
||||
ENGINE implementations from OpenSSL, but instead leaves you to provide
|
||||
them, if you want them, in the form of "dynamic"-loadable
|
||||
shared-libraries. It should be possible for hardware vendors to provide
|
||||
their own shared-libraries to support arbitrary hardware to work with
|
||||
applications based on OpenSSL 0.9.7 or later. If you're using an
|
||||
application based on 0.9.7 (or later) and the support you desire is only
|
||||
announced for versions later than the one you need, ask the vendor to
|
||||
backport their ENGINE to the version you need.
|
||||
|
||||
How does "dynamic" work?
|
||||
------------------------
|
||||
The dynamic ENGINE has a special flag in its implementation such that
|
||||
every time application code asks for the 'dynamic' ENGINE, it in fact
|
||||
gets its own copy of it. As such, multi-threaded code (or code that
|
||||
multiplexes multiple uses of 'dynamic' in a single application in any
|
||||
way at all) does not get confused by 'dynamic' being used to do many
|
||||
independent things. Other ENGINEs typically don't do this so there is
|
||||
only ever 1 ENGINE structure of its type (and reference counts are used
|
||||
to keep order). The dynamic ENGINE itself provides absolutely no
|
||||
cryptographic functionality, and any attempt to "initialise" the ENGINE
|
||||
automatically fails. All it does provide are a few "control commands"
|
||||
that can be used to control how it will load an external ENGINE
|
||||
implementation from a shared-library. To see these control commands,
|
||||
use the command-line;
|
||||
|
||||
openssl engine -vvvv dynamic
|
||||
|
||||
The "SO_PATH" control command should be used to identify the
|
||||
shared-library that contains the ENGINE implementation, and "NO_VCHECK"
|
||||
might possibly be useful if there is a minor version conflict and you
|
||||
(or a vendor helpdesk) is convinced you can safely ignore it.
|
||||
"ID" is probably only needed if a shared-library implements
|
||||
multiple ENGINEs, but if you know the engine id you expect to be using,
|
||||
it doesn't hurt to specify it (and this provides a sanity check if
|
||||
nothing else). "LIST_ADD" is only required if you actually wish the
|
||||
loaded ENGINE to be discoverable by application code later on using the
|
||||
ENGINE's "id". For most applications, this isn't necessary - but some
|
||||
application authors may have nifty reasons for using it. The "LOAD"
|
||||
command is the only one that takes no parameters and is the command
|
||||
that uses the settings from any previous commands to actually *load*
|
||||
the shared-library ENGINE implementation. If this command succeeds, the
|
||||
(copy of the) 'dynamic' ENGINE will magically morph into the ENGINE
|
||||
that has been loaded from the shared-library. As such, any control
|
||||
commands supported by the loaded ENGINE could then be executed as per
|
||||
normal. Eg. if ENGINE "foo" is implemented in the shared-library
|
||||
"libfoo.so" and it supports some special control command "CMD_FOO", the
|
||||
following code would load and use it (NB: obviously this code has no
|
||||
error checking);
|
||||
|
||||
ENGINE *e = ENGINE_by_id("dynamic");
|
||||
ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
|
||||
ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
|
||||
ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
|
||||
ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
|
||||
|
||||
For testing, the "openssl engine" utility can be useful for this sort
|
||||
of thing. For example the above code excerpt would achieve much the
|
||||
same result as;
|
||||
|
||||
openssl engine dynamic \
|
||||
-pre SO_PATH:/lib/libfoo.so \
|
||||
-pre ID:foo \
|
||||
-pre LOAD \
|
||||
-pre "CMD_FOO:some input data"
|
||||
|
||||
Or to simply see the list of commands supported by the "foo" ENGINE;
|
||||
|
||||
openssl engine -vvvv dynamic \
|
||||
-pre SO_PATH:/lib/libfoo.so \
|
||||
-pre ID:foo \
|
||||
-pre LOAD
|
||||
|
||||
Applications that support the ENGINE API and more specifically, the
|
||||
"control commands" mechanism, will provide some way for you to pass
|
||||
such commands through to ENGINEs. As such, you would select "dynamic"
|
||||
as the ENGINE to use, and the parameters/commands you pass would
|
||||
control the *actual* ENGINE used. Each command is actually a name-value
|
||||
pair and the value can sometimes be omitted (eg. the "LOAD" command).
|
||||
Whilst the syntax demonstrated in "openssl engine" uses a colon to
|
||||
separate the command name from the value, applications may provide
|
||||
their own syntax for making that separation (eg. a win32 registry
|
||||
key-value pair may be used by some applications). The reason for the
|
||||
"-pre" syntax in the "openssl engine" utility is that some commands
|
||||
might be issued to an ENGINE *after* it has been initialised for use.
|
||||
Eg. if an ENGINE implementation requires a smart-card to be inserted
|
||||
during initialisation (or a PIN to be typed, or whatever), there may be
|
||||
a control command you can issue afterwards to "forget" the smart-card
|
||||
so that additional initialisation is no longer possible. In
|
||||
applications such as web-servers, where potentially volatile code may
|
||||
run on the same host system, this may provide some arguable security
|
||||
value. In such a case, the command would be passed to the ENGINE after
|
||||
it has been initialised for use, and so the "-post" switch would be
|
||||
used instead. Applications may provide a different syntax for
|
||||
supporting this distinction, and some may simply not provide it at all
|
||||
("-pre" is almost always what you're after, in reality).
|
||||
|
||||
How do I build a "dynamic" ENGINE?
|
||||
----------------------------------
|
||||
This question is trickier - currently OpenSSL bundles various ENGINE
|
||||
implementations that are statically built in, and any application that
|
||||
calls the "ENGINE_load_builtin_engines()" function will automatically
|
||||
have all such ENGINEs available (and occupying memory). Applications
|
||||
that don't call that function have no ENGINEs available like that and
|
||||
would have to use "dynamic" to load any such ENGINE - but on the other
|
||||
hand such applications would only have the memory footprint of any
|
||||
ENGINEs explicitly loaded using user/admin provided control commands.
|
||||
The main advantage of not statically linking ENGINEs and only using
|
||||
"dynamic" for hardware support is that any installation using no
|
||||
"external" ENGINE suffers no unnecessary memory footprint from unused
|
||||
ENGINEs. Likewise, installations that do require an ENGINE incur the
|
||||
overheads from only *that* ENGINE once it has been loaded.
|
||||
|
||||
Sounds good? Maybe, but currently building an ENGINE implementation as
|
||||
a shared-library that can be loaded by "dynamic" isn't automated in
|
||||
OpenSSL's build process. It can be done manually quite easily however.
|
||||
Such a shared-library can either be built with any OpenSSL code it
|
||||
needs statically linked in, or it can link dynamically against OpenSSL
|
||||
if OpenSSL itself is built as a shared library. The instructions are
|
||||
the same in each case, but in the former (statically linked any
|
||||
dependencies on OpenSSL) you must ensure OpenSSL is built with
|
||||
position-independent code ("PIC"). The default OpenSSL compilation may
|
||||
already specify the relevant flags to do this, but you should consult
|
||||
with your compiler documentation if you are in any doubt.
|
||||
|
||||
This example will show building the "atalla" ENGINE in the
|
||||
crypto/engine/ directory as a shared-library for use via the "dynamic"
|
||||
ENGINE.
|
||||
1) "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL
|
||||
source tree.
|
||||
2) Recompile at least one source file so you can see all the compiler
|
||||
flags (and syntax) being used to build normally. Eg;
|
||||
touch hw_atalla.c ; make
|
||||
will rebuild "hw_atalla.o" using all such flags.
|
||||
3) Manually enter the same compilation line to compile the
|
||||
"hw_atalla.c" file but with the following two changes;
|
||||
(a) add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches,
|
||||
(b) change the output file from "hw_atalla.o" to something new,
|
||||
eg. "tmp_atalla.o"
|
||||
4) Link "tmp_atalla.o" into a shared-library using the top-level
|
||||
OpenSSL libraries to resolve any dependencies. The syntax for doing
|
||||
this depends heavily on your system/compiler and is a nightmare
|
||||
known well to anyone who has worked with shared-library portability
|
||||
before. 'gcc' on Linux, for example, would use the following syntax;
|
||||
gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto
|
||||
5) Test your shared library using "openssl engine" as explained in the
|
||||
previous section. Eg. from the top-level directory, you might try;
|
||||
apps/openssl engine -vvvv dynamic \
|
||||
-pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD
|
||||
If the shared-library loads successfully, you will see both "-pre"
|
||||
commands marked as "SUCCESS" and the list of control commands
|
||||
displayed (because of "-vvvv") will be the control commands for the
|
||||
*atalla* ENGINE (ie. *not* the 'dynamic' ENGINE). You can also add
|
||||
the "-t" switch to the utility if you want it to try and initialise
|
||||
the atalla ENGINE for use to test any possible hardware/driver
|
||||
issues.
|
||||
|
||||
PROBLEMS
|
||||
========
|
||||
|
||||
It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32.
|
||||
A quick test done right before the release showed that trying "openssl speed
|
||||
-engine cswift" generated errors. If the DSO gets enabled, an attempt is made
|
||||
to write at memory address 0x00000002.
|
||||
|
@ -1 +0,0 @@
|
||||
This release does not support a FIPS 140-2 validated module.
|
224
crypto/openssl/README.md
Normal file
224
crypto/openssl/README.md
Normal file
@ -0,0 +1,224 @@
|
||||
Welcome to the OpenSSL Project
|
||||
==============================
|
||||
|
||||
[![openssl logo]][www.openssl.org]
|
||||
|
||||
[![github actions ci badge]][github actions ci]
|
||||
[![appveyor badge]][appveyor jobs]
|
||||
|
||||
OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit
|
||||
for the Transport Layer Security (TLS) protocol formerly known as the
|
||||
Secure Sockets Layer (SSL) protocol. The protocol implementation is based
|
||||
on a full-strength general purpose cryptographic library, which can also
|
||||
be used stand-alone.
|
||||
|
||||
OpenSSL is descended from the SSLeay library developed by Eric A. Young
|
||||
and Tim J. Hudson.
|
||||
|
||||
The official Home Page of the OpenSSL Project is [www.openssl.org].
|
||||
|
||||
Table of Contents
|
||||
=================
|
||||
|
||||
- [Overview](#overview)
|
||||
- [Download](#download)
|
||||
- [Build and Install](#build-and-install)
|
||||
- [Documentation](#documentation)
|
||||
- [License](#license)
|
||||
- [Support](#support)
|
||||
- [Contributing](#contributing)
|
||||
- [Legalities](#legalities)
|
||||
|
||||
Overview
|
||||
========
|
||||
|
||||
The OpenSSL toolkit includes:
|
||||
|
||||
- **libssl**
|
||||
an implementation of all TLS protocol versions up to TLSv1.3 ([RFC 8446]).
|
||||
|
||||
- **libcrypto**
|
||||
a full-strength general purpose cryptographic library. It constitutes the
|
||||
basis of the TLS implementation, but can also be used independently.
|
||||
|
||||
- **openssl**
|
||||
the OpenSSL command line tool, a swiss army knife for cryptographic tasks,
|
||||
testing and analyzing. It can be used for
|
||||
- creation of key parameters
|
||||
- creation of X.509 certificates, CSRs and CRLs
|
||||
- calculation of message digests
|
||||
- encryption and decryption
|
||||
- SSL/TLS client and server tests
|
||||
- handling of S/MIME signed or encrypted mail
|
||||
- and more...
|
||||
|
||||
Download
|
||||
========
|
||||
|
||||
For Production Use
|
||||
------------------
|
||||
|
||||
Source code tarballs of the official releases can be downloaded from
|
||||
[www.openssl.org/source](https://www.openssl.org/source).
|
||||
The OpenSSL project does not distribute the toolkit in binary form.
|
||||
|
||||
However, for a large variety of operating systems precompiled versions
|
||||
of the OpenSSL toolkit are available. In particular on Linux and other
|
||||
Unix operating systems it is normally recommended to link against the
|
||||
precompiled shared libraries provided by the distributor or vendor.
|
||||
|
||||
For Testing and Development
|
||||
---------------------------
|
||||
|
||||
Although testing and development could in theory also be done using
|
||||
the source tarballs, having a local copy of the git repository with
|
||||
the entire project history gives you much more insight into the
|
||||
code base.
|
||||
|
||||
The official OpenSSL Git Repository is located at [git.openssl.org].
|
||||
There is a GitHub mirror of the repository at [github.com/openssl/openssl],
|
||||
which is updated automatically from the former on every commit.
|
||||
|
||||
A local copy of the Git Repository can be obtained by cloning it from
|
||||
the original OpenSSL repository using
|
||||
|
||||
git clone git://git.openssl.org/openssl.git
|
||||
|
||||
or from the GitHub mirror using
|
||||
|
||||
git clone https://github.com/openssl/openssl.git
|
||||
|
||||
If you intend to contribute to OpenSSL, either to fix bugs or contribute
|
||||
new features, you need to fork the OpenSSL repository openssl/openssl on
|
||||
GitHub and clone your public fork instead.
|
||||
|
||||
git clone https://github.com/yourname/openssl.git
|
||||
|
||||
This is necessary, because all development of OpenSSL nowadays is done via
|
||||
GitHub pull requests. For more details, see [Contributing](#contributing).
|
||||
|
||||
Build and Install
|
||||
=================
|
||||
|
||||
After obtaining the Source, have a look at the [INSTALL](INSTALL.md) file for
|
||||
detailed instructions about building and installing OpenSSL. For some
|
||||
platforms, the installation instructions are amended by a platform specific
|
||||
document.
|
||||
|
||||
* [Notes for UNIX-like platforms](NOTES-UNIX.md)
|
||||
* [Notes for Android platforms](NOTES-ANDROID.md)
|
||||
* [Notes for Windows platforms](NOTES-WINDOWS.md)
|
||||
* [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md)
|
||||
* [Notes for the OpenVMS platform](NOTES-VMS.md)
|
||||
* [Notes on Perl](NOTES-PERL.md)
|
||||
* [Notes on Valgrind](NOTES-VALGRIND.md)
|
||||
|
||||
Specific notes on upgrading to OpenSSL 3.0 from previous versions can be found
|
||||
in the [migration_guide(7ossl)] manual page.
|
||||
|
||||
Documentation
|
||||
=============
|
||||
|
||||
Manual Pages
|
||||
------------
|
||||
|
||||
The manual pages for the master branch and all current stable releases are
|
||||
available online.
|
||||
|
||||
- [OpenSSL master](https://www.openssl.org/docs/manmaster)
|
||||
- [OpenSSL 3.0](https://www.openssl.org/docs/man3.0)
|
||||
- [OpenSSL 1.1.1](https://www.openssl.org/docs/man1.1.1)
|
||||
|
||||
Wiki
|
||||
----
|
||||
|
||||
There is a Wiki at [wiki.openssl.org] which is currently not very active.
|
||||
It contains a lot of useful information, not all of which is up to date.
|
||||
|
||||
License
|
||||
=======
|
||||
|
||||
OpenSSL is licensed under the Apache License 2.0, which means that
|
||||
you are free to get and use it for commercial and non-commercial
|
||||
purposes as long as you fulfill its conditions.
|
||||
|
||||
See the [LICENSE.txt](LICENSE.txt) file for more details.
|
||||
|
||||
Support
|
||||
=======
|
||||
|
||||
There are various ways to get in touch. The correct channel depends on
|
||||
your requirement. see the [SUPPORT](SUPPORT.md) file for more details.
|
||||
|
||||
Contributing
|
||||
============
|
||||
|
||||
If you are interested and willing to contribute to the OpenSSL project,
|
||||
please take a look at the [CONTRIBUTING](CONTRIBUTING.md) file.
|
||||
|
||||
Legalities
|
||||
==========
|
||||
|
||||
A number of nations restrict the use or export of cryptography. If you are
|
||||
potentially subject to such restrictions you should seek legal advice before
|
||||
attempting to develop or distribute cryptographic code.
|
||||
|
||||
Copyright
|
||||
=========
|
||||
|
||||
Copyright (c) 1998-2022 The OpenSSL Project
|
||||
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
||||
All rights reserved.
|
||||
|
||||
<!-- Links -->
|
||||
|
||||
[www.openssl.org]:
|
||||
<https://www.openssl.org>
|
||||
"OpenSSL Homepage"
|
||||
|
||||
[git.openssl.org]:
|
||||
<https://git.openssl.org>
|
||||
"OpenSSL Git Repository"
|
||||
|
||||
[git.openssl.org]:
|
||||
<https://git.openssl.org>
|
||||
"OpenSSL Git Repository"
|
||||
|
||||
[github.com/openssl/openssl]:
|
||||
<https://github.com/openssl/openssl>
|
||||
"OpenSSL GitHub Mirror"
|
||||
|
||||
[wiki.openssl.org]:
|
||||
<https://wiki.openssl.org>
|
||||
"OpenSSL Wiki"
|
||||
|
||||
[migration_guide(7ossl)]:
|
||||
<https://www.openssl.org/docs/man3.0/man7/migration_guide.html>
|
||||
"OpenSSL Migration Guide"
|
||||
|
||||
[RFC 8446]:
|
||||
<https://tools.ietf.org/html/rfc8446>
|
||||
|
||||
<!-- Logos and Badges -->
|
||||
|
||||
[openssl logo]:
|
||||
doc/images/openssl.svg
|
||||
"OpenSSL Logo"
|
||||
|
||||
[github actions ci badge]:
|
||||
<https://github.com/openssl/openssl/workflows/GitHub%20CI/badge.svg>
|
||||
"GitHub Actions CI Status"
|
||||
|
||||
[github actions ci]:
|
||||
<https://github.com/openssl/openssl/actions?query=workflow%3A%22GitHub+CI%22>
|
||||
"GitHub Actions CI"
|
||||
|
||||
[appveyor badge]:
|
||||
<https://ci.appveyor.com/api/projects/status/8e10o7xfrg73v98f/branch/master?svg=true>
|
||||
"AppVeyor Build Status"
|
||||
|
||||
[appveyor jobs]:
|
||||
<https://ci.appveyor.com/project/openssl/openssl/branch/master>
|
||||
"AppVeyor Jobs"
|
93
crypto/openssl/SUPPORT.md
Normal file
93
crypto/openssl/SUPPORT.md
Normal file
@ -0,0 +1,93 @@
|
||||
OpenSSL User Support resources
|
||||
==============================
|
||||
|
||||
See the <https://www.openssl.org/support/contracts.html> for details on how to
|
||||
obtain commercial technical support.
|
||||
|
||||
If you have general questions about using OpenSSL
|
||||
-------------------------------------------------
|
||||
|
||||
In this case the [openssl-users] mailing list is the right place for you.
|
||||
The list is not only watched by the OpenSSL team members, but also by many
|
||||
other OpenSSL users. Here you will most likely get the answer to your questions.
|
||||
An overview over the [mailing lists](#mailing-lists) can be found below.
|
||||
|
||||
If you think you found a Bug
|
||||
----------------------------
|
||||
|
||||
*NOTE: this section assumes that you want to report it or figure it out and
|
||||
fix it. What's written here is not to be taken as a recipe for how to get a
|
||||
working production installation*
|
||||
|
||||
If you have any problems with OpenSSL then please take the following steps
|
||||
first:
|
||||
|
||||
- Search the mailing lists and/or the GitHub issues to find out whether
|
||||
the problem has already been reported.
|
||||
- Download the latest version from the repository to see if the problem
|
||||
has already been addressed.
|
||||
- Configure without assembler support (`no-asm`) and check whether the
|
||||
problem persists.
|
||||
- Remove compiler optimization flags.
|
||||
|
||||
Please keep in mind: Just because something doesn't work the way you expect
|
||||
does not mean it is necessarily a bug in OpenSSL. If you are not sure,
|
||||
consider searching the mail archives and posting a question to the
|
||||
[openssl-users] mailing list first.
|
||||
|
||||
### Open an Issue
|
||||
|
||||
If you wish to report a bug, please open an [issue][github-issues] on GitHub
|
||||
and include the following information:
|
||||
|
||||
- OpenSSL version: output of `openssl version -a`
|
||||
- Configuration data: output of `perl configdata.pm --dump`
|
||||
- OS Name, Version, Hardware platform
|
||||
- Compiler Details (name, version)
|
||||
- Application Details (name, version)
|
||||
- Problem Description (steps that will reproduce the problem, if known)
|
||||
- Stack Traceback (if the application dumps core)
|
||||
|
||||
Not only errors in the software, also errors in the documentation, in
|
||||
particular the manual pages, can be reported as issues.
|
||||
|
||||
### Submit a Pull Request
|
||||
|
||||
The fastest way to get a bug fixed is to fix it yourself ;-). If you are
|
||||
experienced in programming and know how to fix the bug, you can open a
|
||||
pull request. The details are covered in the [Contributing][contributing] section.
|
||||
|
||||
Don't hesitate to open a pull request, even if it's only a small change
|
||||
like a grammatical or typographical error in the documentation.
|
||||
|
||||
Mailing Lists
|
||||
=============
|
||||
|
||||
The OpenSSL maintains a number of [mailing lists] for various purposes.
|
||||
The most important lists are:
|
||||
|
||||
- [openssl-users] for general questions about using the OpenSSL software
|
||||
and discussions between OpenSSL users.
|
||||
|
||||
- [openssl-announce] for official announcements to the OpenSSL community.
|
||||
|
||||
- [openssl-project] for discussion about the development roadmap
|
||||
and governance.
|
||||
|
||||
Only subscribers can post to [openssl-users] or [openssl-project]. The
|
||||
archives are made public, however. For more information, see the [mailing
|
||||
lists] page.
|
||||
|
||||
There was an [openssl-dev] list that has been discontinued since development
|
||||
is now taking place in the form of GitHub pull requests. Although not active
|
||||
anymore, the searchable archive may still contain useful information.
|
||||
|
||||
<!-- Links -->
|
||||
|
||||
[mailing lists]: https://www.openssl.org/community/mailinglists.html
|
||||
[openssl-users]: https://mta.openssl.org/mailman/listinfo/openssl-users
|
||||
[openssl-announce]: https://mta.openssl.org/mailman/listinfo/openssl-announce
|
||||
[openssl-project]: https://mta.openssl.org/mailman/listinfo/openssl-project
|
||||
[openssl-dev]: https://mta.openssl.org/mailman/listinfo/openssl-dev
|
||||
[github-issues]: https://github.com/openssl/openssl/issues/new/choose
|
||||
[contributing]: https://github.com/openssl/openssl/blob/master/CONTRIBUTING.md
|
7
crypto/openssl/VERSION.dat
Normal file
7
crypto/openssl/VERSION.dat
Normal file
@ -0,0 +1,7 @@
|
||||
MAJOR=3
|
||||
MINOR=0
|
||||
PATCH=9
|
||||
PRE_RELEASE_TAG=
|
||||
BUILD_METADATA=
|
||||
RELEASE_DATE="30 May 2023"
|
||||
SHLIB_VERSION=3
|
@ -1,7 +1,7 @@
|
||||
#!{- $config{HASHBANGPERL} -}
|
||||
# Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
# Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
#
|
||||
# Licensed under the OpenSSL license (the "License"). You may not use
|
||||
# Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
# this file except in compliance with the License. You can obtain a copy
|
||||
# in the file LICENSE in the source distribution or at
|
||||
# https://www.openssl.org/source/license.html
|
||||
@ -14,57 +14,63 @@
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
my $openssl = "openssl";
|
||||
if(defined $ENV{'OPENSSL'}) {
|
||||
$openssl = $ENV{'OPENSSL'};
|
||||
} else {
|
||||
$ENV{'OPENSSL'} = $openssl;
|
||||
}
|
||||
|
||||
my $verbose = 1;
|
||||
my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
|
||||
|
||||
my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || "";
|
||||
my $DAYS = "-days 365";
|
||||
my $CADAYS = "-days 1095"; # 3 years
|
||||
my $openssl = $ENV{'OPENSSL'} // "openssl";
|
||||
$ENV{'OPENSSL'} = $openssl;
|
||||
my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} // "";
|
||||
|
||||
# Command invocations.
|
||||
my $REQ = "$openssl req $OPENSSL_CONFIG";
|
||||
my $CA = "$openssl ca $OPENSSL_CONFIG";
|
||||
my $VERIFY = "$openssl verify";
|
||||
my $X509 = "$openssl x509";
|
||||
my $PKCS12 = "$openssl pkcs12";
|
||||
|
||||
# default openssl.cnf file has setup as per the following
|
||||
# Default values for various configuration settings.
|
||||
my $CATOP = "./demoCA";
|
||||
my $CAKEY = "cakey.pem";
|
||||
my $CAREQ = "careq.pem";
|
||||
my $CACERT = "cacert.pem";
|
||||
my $CACRL = "crl.pem";
|
||||
my $DIRMODE = 0777;
|
||||
|
||||
my $DAYS = "-days 365";
|
||||
my $CADAYS = "-days 1095"; # 3 years
|
||||
my $NEWKEY = "newkey.pem";
|
||||
my $NEWREQ = "newreq.pem";
|
||||
my $NEWCERT = "newcert.pem";
|
||||
my $NEWP12 = "newcert.p12";
|
||||
my $RET = 0;
|
||||
my $WHAT = shift @ARGV || "";
|
||||
my @OPENSSL_CMDS = ("req", "ca", "pkcs12", "x509", "verify");
|
||||
my %EXTRA = extra_args(\@ARGV, "-extra-");
|
||||
my $FILE;
|
||||
|
||||
sub extra_args {
|
||||
my ($args_ref, $arg_prefix) = @_;
|
||||
my %eargs = map {
|
||||
if ($_ < $#$args_ref) {
|
||||
my ($arg, $value) = splice(@$args_ref, $_, 2);
|
||||
$arg =~ s/$arg_prefix//;
|
||||
($arg, $value);
|
||||
} else {
|
||||
();
|
||||
# Commandline parsing
|
||||
my %EXTRA;
|
||||
my $WHAT = shift @ARGV || "";
|
||||
@ARGV = parse_extra(@ARGV);
|
||||
my $RET = 0;
|
||||
|
||||
# Split out "-extra-CMD value", and return new |@ARGV|. Fill in
|
||||
# |EXTRA{CMD}| with list of values.
|
||||
sub parse_extra
|
||||
{
|
||||
foreach ( @OPENSSL_CMDS ) {
|
||||
$EXTRA{$_} = '';
|
||||
}
|
||||
} reverse grep($$args_ref[$_] =~ /$arg_prefix/, 0..$#$args_ref);
|
||||
my %empty = map { ($_, "") } @OPENSSL_CMDS;
|
||||
return (%empty, %eargs);
|
||||
|
||||
my @result;
|
||||
while ( scalar(@_) > 0 ) {
|
||||
my $arg = shift;
|
||||
if ( $arg !~ m/-extra-([a-z0-9]+)/ ) {
|
||||
push @result, $arg;
|
||||
next;
|
||||
}
|
||||
$arg =~ s/-extra-//;
|
||||
die("Unknown \"-${arg}-extra\" option, exiting")
|
||||
unless scalar grep { $arg eq $_ } @OPENSSL_CMDS;
|
||||
$EXTRA{$arg} .= " " . shift;
|
||||
}
|
||||
return @result;
|
||||
}
|
||||
|
||||
|
||||
# See if reason for a CRL entry is valid; exit if not.
|
||||
sub crl_reason_ok
|
||||
{
|
||||
@ -113,19 +119,25 @@ sub run
|
||||
|
||||
|
||||
if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
|
||||
print STDERR "usage: CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd extra-params]\n";
|
||||
print STDERR " CA.pl -pkcs12 [-extra-pkcs12 extra-params] [certname]\n";
|
||||
print STDERR " CA.pl -verify [-extra-verify extra-params] certfile ...\n";
|
||||
print STDERR " CA.pl -revoke [-extra-ca extra-params] certfile [reason]\n";
|
||||
print STDERR <<EOF;
|
||||
Usage:
|
||||
CA.pl -newcert | -newreq | -newreq-nodes | -xsign | -sign | -signCA | -signcert | -crl | -newca [-extra-cmd parameter]
|
||||
CA.pl -pkcs12 [certname]
|
||||
CA.pl -verify certfile ...
|
||||
CA.pl -revoke certfile [reason]
|
||||
EOF
|
||||
exit 0;
|
||||
}
|
||||
|
||||
if ($WHAT eq '-newcert' ) {
|
||||
# create a certificate
|
||||
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS $EXTRA{req}");
|
||||
$RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS"
|
||||
. " $EXTRA{req}");
|
||||
print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-precert' ) {
|
||||
# create a pre-certificate
|
||||
$RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS");
|
||||
$RET = run("$REQ -x509 -precert -keyout $NEWKEY -out $NEWCERT $DAYS"
|
||||
. " $EXTRA{req}");
|
||||
print "Pre-cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
|
||||
} elsif ($WHAT =~ /^\-newreq(\-nodes)?$/ ) {
|
||||
# create a certificate request
|
||||
@ -133,11 +145,20 @@ if ($WHAT eq '-newcert' ) {
|
||||
print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-newca' ) {
|
||||
# create the directory hierarchy
|
||||
mkdir ${CATOP}, $DIRMODE;
|
||||
mkdir "${CATOP}/certs", $DIRMODE;
|
||||
mkdir "${CATOP}/crl", $DIRMODE ;
|
||||
mkdir "${CATOP}/newcerts", $DIRMODE;
|
||||
mkdir "${CATOP}/private", $DIRMODE;
|
||||
my @dirs = ( "${CATOP}", "${CATOP}/certs", "${CATOP}/crl",
|
||||
"${CATOP}/newcerts", "${CATOP}/private" );
|
||||
die "${CATOP}/index.txt exists.\nRemove old sub-tree to proceed,"
|
||||
if -f "${CATOP}/index.txt";
|
||||
die "${CATOP}/serial exists.\nRemove old sub-tree to proceed,"
|
||||
if -f "${CATOP}/serial";
|
||||
foreach my $d ( @dirs ) {
|
||||
if ( -d $d ) {
|
||||
warn "Directory $d exists" if -d $d;
|
||||
} else {
|
||||
mkdir $d or die "Can't mkdir $d, $!";
|
||||
}
|
||||
}
|
||||
|
||||
open OUT, ">${CATOP}/index.txt";
|
||||
close OUT;
|
||||
open OUT, ">${CATOP}/crlnumber";
|
||||
@ -145,6 +166,7 @@ if ($WHAT eq '-newcert' ) {
|
||||
close OUT;
|
||||
# ask user for existing CA certificate
|
||||
print "CA certificate filename (or enter to create)\n";
|
||||
my $FILE;
|
||||
$FILE = "" unless defined($FILE = <STDIN>);
|
||||
$FILE =~ s{\R$}{};
|
||||
if ($FILE ne "") {
|
||||
@ -152,43 +174,43 @@ if ($WHAT eq '-newcert' ) {
|
||||
copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
|
||||
} else {
|
||||
print "Making CA certificate ...\n";
|
||||
$RET = run("$REQ -new -keyout"
|
||||
. " ${CATOP}/private/$CAKEY"
|
||||
$RET = run("$REQ -new -keyout ${CATOP}/private/$CAKEY"
|
||||
. " -out ${CATOP}/$CAREQ $EXTRA{req}");
|
||||
$RET = run("$CA -create_serial"
|
||||
. " -out ${CATOP}/$CACERT $CADAYS -batch"
|
||||
. " -keyfile ${CATOP}/private/$CAKEY -selfsign"
|
||||
. " -extensions v3_ca $EXTRA{ca}"
|
||||
. " -infiles ${CATOP}/$CAREQ") if $RET == 0;
|
||||
. " -extensions v3_ca"
|
||||
. " -infiles ${CATOP}/$CAREQ $EXTRA{ca}") if $RET == 0;
|
||||
print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
|
||||
}
|
||||
} elsif ($WHAT eq '-pkcs12' ) {
|
||||
my $cname = $ARGV[0];
|
||||
$cname = "My Certificate" unless defined $cname;
|
||||
$RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
|
||||
. " -certfile ${CATOP}/$CACERT"
|
||||
. " -out $NEWP12"
|
||||
. " -certfile ${CATOP}/$CACERT -out $NEWP12"
|
||||
. " -export -name \"$cname\" $EXTRA{pkcs12}");
|
||||
print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-xsign' ) {
|
||||
$RET = run("$CA -policy policy_anything $EXTRA{ca} -infiles $NEWREQ");
|
||||
$RET = run("$CA -policy policy_anything -infiles $NEWREQ $EXTRA{ca}");
|
||||
} elsif ($WHAT eq '-sign' ) {
|
||||
$RET = run("$CA -policy policy_anything -out $NEWCERT $EXTRA{ca} -infiles $NEWREQ");
|
||||
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
||||
. " -infiles $NEWREQ $EXTRA{ca}");
|
||||
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-signCA' ) {
|
||||
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
||||
. " -extensions v3_ca $EXTRA{ca} -infiles $NEWREQ");
|
||||
. " -extensions v3_ca -infiles $NEWREQ $EXTRA{ca}");
|
||||
print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-signcert' ) {
|
||||
$RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
|
||||
. " -out tmp.pem $EXTRA{x509}");
|
||||
$RET = run("$CA -policy policy_anything -out $NEWCERT"
|
||||
. "$EXTRA{ca} -infiles tmp.pem") if $RET == 0;
|
||||
. "-infiles tmp.pem $EXTRA{ca}") if $RET == 0;
|
||||
print "Signed certificate is in $NEWCERT\n" if $RET == 0;
|
||||
} elsif ($WHAT eq '-verify' ) {
|
||||
my @files = @ARGV ? @ARGV : ( $NEWCERT );
|
||||
my $file;
|
||||
foreach $file (@files) {
|
||||
foreach my $file (@files) {
|
||||
# -CAfile quoted for VMS, since the C RTL downcases all unquoted
|
||||
# arguments to C programs
|
||||
my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file $EXTRA{verify}");
|
||||
$RET = $status if $status != 0;
|
||||
}
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -19,7 +19,7 @@
|
||||
#include <openssl/asn1t.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT,
|
||||
OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT,
|
||||
OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM,
|
||||
@ -27,27 +27,32 @@ typedef enum OPTION_choice {
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS asn1parse_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"oid", OPT_OID, '<', "file of extra oid definitions"},
|
||||
|
||||
OPT_SECTION("I/O"),
|
||||
{"inform", OPT_INFORM, 'F', "input format - one of DER PEM"},
|
||||
{"in", OPT_IN, '<', "input file"},
|
||||
{"out", OPT_OUT, '>', "output file (output format is always DER)"},
|
||||
{"i", OPT_INDENT, 0, "indents the output"},
|
||||
{"noout", OPT_NOOUT, 0, "do not produce any output"},
|
||||
{"offset", OPT_OFFSET, 'p', "offset into file"},
|
||||
{"length", OPT_LENGTH, 'p', "length of section in file"},
|
||||
{"oid", OPT_OID, '<', "file of extra oid definitions"},
|
||||
{"dump", OPT_DUMP, 0, "unknown data in hex form"},
|
||||
{"dlimit", OPT_DLIMIT, 'p',
|
||||
"dump the first arg bytes of unknown data in hex form"},
|
||||
{"strparse", OPT_STRPARSE, 'p',
|
||||
"offset; a series of these can be used to 'dig'"},
|
||||
{OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
|
||||
{"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
|
||||
{OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
|
||||
{"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
|
||||
{OPT_MORE_STR, 0, 0, "(-inform will be ignored)"},
|
||||
{"strictpem", OPT_STRICTPEM, 0,
|
||||
"do not attempt base64 decode outside PEM markers"},
|
||||
{"item", OPT_ITEM, 's', "item to parse and print"},
|
||||
{OPT_MORE_STR, 0, 0, "(-inform will be ignored)"},
|
||||
|
||||
OPT_SECTION("Formatting"),
|
||||
{"i", OPT_INDENT, 0, "indents the output"},
|
||||
{"dump", OPT_DUMP, 0, "unknown data in hex form"},
|
||||
{"dlimit", OPT_DLIMIT, 'p',
|
||||
"dump the first arg bytes of unknown data in hex form"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -152,6 +157,8 @@ int asn1parse_main(int argc, char **argv)
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
@ -1,79 +1,90 @@
|
||||
{- our @apps_openssl_src =
|
||||
qw(openssl.c
|
||||
asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c
|
||||
enc.c errstr.c
|
||||
genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c
|
||||
pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c
|
||||
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c
|
||||
verify.c version.c x509.c rehash.c storeutl.c);
|
||||
our @apps_lib_src =
|
||||
( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c),
|
||||
split(/\s+/, $target{apps_aux_src}) );
|
||||
our @apps_init_src = split(/\s+/, $target{apps_init_src});
|
||||
"" -}
|
||||
SUBDIRS=lib
|
||||
|
||||
# Program init source, that don't have direct linkage with the rest of the
|
||||
# source, and can therefore not be part of a library.
|
||||
IF[{- !$disabled{uplink} -}]
|
||||
$INITSRC=../ms/applink.c
|
||||
ENDIF
|
||||
IF[{- $config{target} =~ /^vms-/ -}]
|
||||
$INITSRC=vms_decc_init.c
|
||||
ENDIF
|
||||
|
||||
# Source for the 'openssl' program
|
||||
$OPENSSLSRC=\
|
||||
openssl.c \
|
||||
asn1parse.c ca.c ciphers.c crl.c crl2pkcs7.c dgst.c \
|
||||
enc.c errstr.c \
|
||||
genpkey.c kdf.c mac.c nseq.c passwd.c pkcs7.c \
|
||||
pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
|
||||
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
|
||||
spkac.c verify.c version.c x509.c rehash.c storeutl.c \
|
||||
list.c info.c fipsinstall.c pkcs12.c
|
||||
IF[{- !$disabled{'ec'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC ec.c ecparam.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ocsp'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC ocsp.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'srp'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC srp.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ts'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC ts.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'dh'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC dhparam.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'dsa'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC dsa.c dsaparam.c gendsa.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'engine'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC engine.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'rsa'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC rsa.c genrsa.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'deprecated-3.0'} -}]
|
||||
IF[{- !$disabled{'rsa'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC rsautl.c
|
||||
ENDIF
|
||||
ENDIF
|
||||
IF[{- !$disabled{'cms'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC cms.c
|
||||
ENDIF
|
||||
IF[{- !$disabled{'cmp'} -}]
|
||||
$OPENSSLSRC=$OPENSSLSRC cmp.c lib/cmp_mock_srv.c
|
||||
ENDIF
|
||||
|
||||
IF[{- !$disabled{apps} -}]
|
||||
LIBS_NO_INST=libapps.a
|
||||
SOURCE[libapps.a]={- join(" ", @apps_lib_src) -}
|
||||
INCLUDE[libapps.a]=.. ../include
|
||||
|
||||
PROGRAMS=openssl
|
||||
SOURCE[openssl]={- join(" ", @apps_init_src) -}
|
||||
SOURCE[openssl]={- join(" ", @apps_openssl_src) -}
|
||||
INCLUDE[openssl]=.. ../include
|
||||
SOURCE[openssl]=$INITSRC $OPENSSLSRC
|
||||
INCLUDE[openssl]=.. ../include include
|
||||
DEPEND[openssl]=libapps.a ../libssl
|
||||
IF[{- !$disabled{'des'} -}]
|
||||
SOURCE[openssl]=pkcs12.c
|
||||
DEPEND[pkcs12.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ec'} -}]
|
||||
SOURCE[openssl]=ec.c ecparam.c
|
||||
DEPEND[ec.o]=progs.h
|
||||
DEPEND[ecparam.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ocsp'} -}]
|
||||
SOURCE[openssl]=ocsp.c
|
||||
DEPEND[ocsp.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'srp'} -}]
|
||||
SOURCE[openssl]=srp.c
|
||||
DEPEND[srp.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'ts'} -}]
|
||||
SOURCE[openssl]=ts.c
|
||||
DEPEND[ts.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'dh'} -}]
|
||||
SOURCE[openssl]=dhparam.c
|
||||
DEPEND[dhparam.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'dsa'} -}]
|
||||
SOURCE[openssl]=dsa.c dsaparam.c gendsa.c
|
||||
DEPEND[dsa.o]=progs.h
|
||||
DEPEND[dsaparam.o]=progs.h
|
||||
DEPEND[gendsa.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'engine'} -}]
|
||||
SOURCE[openssl]=engine.c
|
||||
DEPEND[engine.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- !$disabled{'rsa'} -}]
|
||||
SOURCE[openssl]=rsa.c rsautl.c genrsa.c
|
||||
DEPEND[rsa.o]=progs.h
|
||||
DEPEND[rsautl.o]=progs.h
|
||||
DEPEND[genrsa.o]=progs.h
|
||||
ENDIF
|
||||
IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
|
||||
|
||||
# The nocheck attribute is picked up by progs.pl as a signal not to look
|
||||
# at that file; some systems may have locked it as the output file, and
|
||||
# therefore don't allow it to be read at the same time, making progs.pl
|
||||
# fail.
|
||||
SOURCE[openssl]{nocheck}=progs.c
|
||||
DEPEND[${OPENSSLSRC/.c/.o} progs.o]=progs.h
|
||||
GENERATE[progs.c]=progs.pl "-C" $(APPS_OPENSSL)
|
||||
GENERATE[progs.h]=progs.pl "-H" $(APPS_OPENSSL)
|
||||
# progs.pl tries to read all 'openssl' sources, including progs.c, so we make
|
||||
# sure things are generated in the correct order.
|
||||
DEPEND[progs.h]=progs.c
|
||||
# Because the files to look through may change (depends on $OPENSSLSRC),
|
||||
# always depend on a changed configuration.
|
||||
DEPEND[progs.c]=../configdata.pm
|
||||
|
||||
IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}]
|
||||
GENERATE[openssl.rc]=../util/mkrc.pl openssl
|
||||
SOURCE[openssl]=openssl.rc
|
||||
ENDIF
|
||||
|
||||
{- join("\n ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" }
|
||||
@apps_openssl_src) -}
|
||||
GENERATE[progs.h]=progs.pl $(APPS_OPENSSL)
|
||||
DEPEND[progs.h]=../configdata.pm
|
||||
|
||||
SCRIPTS=CA.pl tsget.pl
|
||||
SCRIPTS{misc}=CA.pl
|
||||
SOURCE[CA.pl]=CA.pl.in
|
||||
# linkname tells build files that a symbolic link or copy of this script
|
||||
# without extension must be installed as well. Unix or Unix lookalike only.
|
||||
SCRIPTS{misc,linkname=tsget}=tsget.pl
|
||||
SOURCE[tsget.pl]=tsget.in
|
||||
ENDIF
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -14,9 +14,10 @@
|
||||
#include "progs.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/ssl.h>
|
||||
#include "s_apps.h"
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_STDNAME,
|
||||
OPT_CONVERT,
|
||||
OPT_SSL3,
|
||||
@ -27,39 +28,50 @@ typedef enum OPTION_choice {
|
||||
OPT_PSK,
|
||||
OPT_SRP,
|
||||
OPT_CIPHERSUITES,
|
||||
OPT_V, OPT_UPPER_V, OPT_S
|
||||
OPT_V, OPT_UPPER_V, OPT_S, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS ciphers_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [cipher]\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
|
||||
{"V", OPT_UPPER_V, '-', "Even more verbose"},
|
||||
{"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
|
||||
{"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
|
||||
|
||||
OPT_SECTION("Cipher specification"),
|
||||
{"s", OPT_S, '-', "Only supported ciphers"},
|
||||
#ifndef OPENSSL_NO_SSL3
|
||||
{"ssl3", OPT_SSL3, '-', "SSL3 mode"},
|
||||
{"ssl3", OPT_SSL3, '-', "Ciphers compatible with SSL3"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1
|
||||
{"tls1", OPT_TLS1, '-', "TLS1 mode"},
|
||||
{"tls1", OPT_TLS1, '-', "Ciphers compatible with TLS1"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1_1
|
||||
{"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
|
||||
{"tls1_1", OPT_TLS1_1, '-', "Ciphers compatible with TLS1.1"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1_2
|
||||
{"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
|
||||
{"tls1_2", OPT_TLS1_2, '-', "Ciphers compatible with TLS1.2"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLS1_3
|
||||
{"tls1_3", OPT_TLS1_3, '-', "TLS1.3 mode"},
|
||||
{"tls1_3", OPT_TLS1_3, '-', "Ciphers compatible with TLS1.3"},
|
||||
#endif
|
||||
{"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
|
||||
#ifndef OPENSSL_NO_PSK
|
||||
{"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
|
||||
{"psk", OPT_PSK, '-', "Include ciphersuites requiring PSK"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
{"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"},
|
||||
{"srp", OPT_SRP, '-', "(deprecated) Include ciphersuites requiring SRP"},
|
||||
#endif
|
||||
{"convert", OPT_CONVERT, 's', "Convert standard name into OpenSSL name"},
|
||||
{"ciphersuites", OPT_CIPHERSUITES, 's',
|
||||
"Configure the TLSv1.3 ciphersuites to use"},
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"cipher", 0, 0, "Cipher string to decode (optional)"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -72,12 +84,6 @@ static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
static char *dummy_srp(SSL *ssl, void *arg)
|
||||
{
|
||||
return "";
|
||||
}
|
||||
#endif
|
||||
|
||||
int ciphers_main(int argc, char **argv)
|
||||
{
|
||||
@ -159,13 +165,18 @@ int ciphers_main(int argc, char **argv)
|
||||
case OPT_CIPHERSUITES:
|
||||
ciphersuites = opt_arg();
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Optional arg is cipher name. */
|
||||
argv = opt_rest();
|
||||
argc = opt_num_rest();
|
||||
|
||||
if (argc == 1)
|
||||
ciphers = *argv;
|
||||
ciphers = argv[0];
|
||||
else if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
@ -176,7 +187,7 @@ int ciphers_main(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
|
||||
ctx = SSL_CTX_new(meth);
|
||||
ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
|
||||
@ -190,7 +201,7 @@ int ciphers_main(int argc, char **argv)
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
if (srp)
|
||||
SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp);
|
||||
set_up_dummy_srp(ctx);
|
||||
#endif
|
||||
|
||||
if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites)) {
|
||||
@ -216,6 +227,10 @@ int ciphers_main(int argc, char **argv)
|
||||
if (!verbose) {
|
||||
for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
|
||||
const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
|
||||
|
||||
if (!ossl_assert(c != NULL))
|
||||
continue;
|
||||
|
||||
p = SSL_CIPHER_get_name(c);
|
||||
if (p == NULL)
|
||||
break;
|
||||
@ -231,6 +246,9 @@ int ciphers_main(int argc, char **argv)
|
||||
|
||||
c = sk_SSL_CIPHER_value(sk, i);
|
||||
|
||||
if (!ossl_assert(c != NULL))
|
||||
continue;
|
||||
|
||||
if (Verbose) {
|
||||
unsigned long id = SSL_CIPHER_get_id(c);
|
||||
int id0 = (int)(id >> 24);
|
||||
@ -248,7 +266,7 @@ int ciphers_main(int argc, char **argv)
|
||||
const char *nm = SSL_CIPHER_standard_name(c);
|
||||
if (nm == NULL)
|
||||
nm = "UNKNOWN";
|
||||
BIO_printf(bio_out, "%s - ", nm);
|
||||
BIO_printf(bio_out, "%-45s - ", nm);
|
||||
}
|
||||
BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf)));
|
||||
}
|
||||
|
3083
crypto/openssl/apps/cmp.c
Normal file
3083
crypto/openssl/apps/cmp.c
Normal file
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -19,22 +19,38 @@
|
||||
#include <openssl/pem.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
|
||||
OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
|
||||
OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE,
|
||||
OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD,
|
||||
OPT_NOOUT, OPT_NAMEOPT, OPT_MD
|
||||
OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
|
||||
OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_VERIFY, OPT_DATEOPT, OPT_TEXT, OPT_HASH,
|
||||
OPT_HASH_OLD, OPT_NOOUT, OPT_NAMEOPT, OPT_MD, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS crl_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format; default PEM"},
|
||||
{"verify", OPT_VERIFY, '-', "Verify CRL signature"},
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file - default stdin"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
|
||||
{"out", OPT_OUT, '>', "output file - default stdout"},
|
||||
{"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"},
|
||||
{"inform", OPT_INFORM, 'F', "CRL input format (DER or PEM); has no effect"},
|
||||
{"key", OPT_KEY, '<', "CRL signing Private key to use"},
|
||||
{"keyform", OPT_KEYFORM, 'F', "Private key file format (DER/PEM/P12); has no effect"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "output file - default stdout"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
|
||||
{"dateopt", OPT_DATEOPT, 's', "Datetime format used for printing. (rfc_822/iso_8601). Default is rfc_822."},
|
||||
{"text", OPT_TEXT, '-', "Print out a text format version"},
|
||||
{"hash", OPT_HASH, '-', "Print hash value"},
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
{"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
|
||||
#endif
|
||||
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
|
||||
{"", OPT_MD, '-', "Any supported digest"},
|
||||
|
||||
OPT_SECTION("CRL"),
|
||||
{"issuer", OPT_ISSUER, '-', "Print issuer DN"},
|
||||
{"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"},
|
||||
{"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"},
|
||||
@ -43,20 +59,18 @@ const OPTIONS crl_options[] = {
|
||||
{"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
|
||||
{"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" },
|
||||
{"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"},
|
||||
|
||||
OPT_SECTION("Certificate"),
|
||||
{"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
|
||||
{"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
|
||||
{"CAstore", OPT_CASTORE, ':', "Verify CRL using certificates in store URI"},
|
||||
{"no-CAfile", OPT_NOCAFILE, '-',
|
||||
"Do not load the default certificates file"},
|
||||
{"no-CApath", OPT_NOCAPATH, '-',
|
||||
"Do not load certificates from the default certificates directory"},
|
||||
{"verify", OPT_VERIFY, '-', "Verify CRL signature"},
|
||||
{"text", OPT_TEXT, '-', "Print out a text format version"},
|
||||
{"hash", OPT_HASH, '-', "Print hash value"},
|
||||
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
|
||||
{"", OPT_MD, '-', "Any supported digest"},
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
{"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
|
||||
#endif
|
||||
{"no-CAstore", OPT_NOCASTORE, '-',
|
||||
"Do not load certificates from the default certificates store"},
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -69,14 +83,16 @@ int crl_main(int argc, char **argv)
|
||||
X509_LOOKUP *lookup = NULL;
|
||||
X509_OBJECT *xobj = NULL;
|
||||
EVP_PKEY *pkey;
|
||||
const EVP_MD *digest = EVP_sha1();
|
||||
EVP_MD *digest = (EVP_MD *)EVP_sha1();
|
||||
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
|
||||
const char *CAfile = NULL, *CApath = NULL, *prog;
|
||||
char *digestname = NULL;
|
||||
const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL, *prog;
|
||||
OPTION_CHOICE o;
|
||||
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
|
||||
int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, keyformat = FORMAT_UNDEF;
|
||||
int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
|
||||
int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
|
||||
int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0, noCAstore = 0;
|
||||
unsigned long dateopt = ASN1_DTFLGS_RFC822;
|
||||
int i;
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
int hash_old = 0;
|
||||
@ -109,7 +125,7 @@ int crl_main(int argc, char **argv)
|
||||
outfile = opt_arg();
|
||||
break;
|
||||
case OPT_KEYFORM:
|
||||
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
|
||||
if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat))
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_KEY:
|
||||
@ -126,12 +142,19 @@ int crl_main(int argc, char **argv)
|
||||
CAfile = opt_arg();
|
||||
do_ver = 1;
|
||||
break;
|
||||
case OPT_CASTORE:
|
||||
CAstore = opt_arg();
|
||||
do_ver = 1;
|
||||
break;
|
||||
case OPT_NOCAPATH:
|
||||
noCApath = 1;
|
||||
break;
|
||||
case OPT_NOCAFILE:
|
||||
noCAfile = 1;
|
||||
break;
|
||||
case OPT_NOCASTORE:
|
||||
noCAstore = 1;
|
||||
break;
|
||||
case OPT_HASH_OLD:
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
hash_old = ++num;
|
||||
@ -140,6 +163,10 @@ int crl_main(int argc, char **argv)
|
||||
case OPT_VERIFY:
|
||||
do_ver = 1;
|
||||
break;
|
||||
case OPT_DATEOPT:
|
||||
if (!set_dateopt(&dateopt, opt_arg()))
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_TEXT:
|
||||
text = 1;
|
||||
break;
|
||||
@ -156,7 +183,7 @@ int crl_main(int argc, char **argv)
|
||||
nextupdate = ++num;
|
||||
break;
|
||||
case OPT_NOOUT:
|
||||
noout = ++num;
|
||||
noout = 1;
|
||||
break;
|
||||
case OPT_FINGERPRINT:
|
||||
fingerprint = ++num;
|
||||
@ -172,20 +199,31 @@ int crl_main(int argc, char **argv)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_MD:
|
||||
if (!opt_md(opt_unknown(), &digest))
|
||||
goto opthelp;
|
||||
digestname = opt_unknown();
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No remaining args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
x = load_crl(infile, informat);
|
||||
if (digestname != NULL) {
|
||||
if (!opt_md(digestname, &digest))
|
||||
goto opthelp;
|
||||
}
|
||||
x = load_crl(infile, informat, 1, "CRL");
|
||||
if (x == NULL)
|
||||
goto end;
|
||||
|
||||
if (do_ver) {
|
||||
if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
|
||||
if ((store = setup_verify(CAfile, noCAfile, CApath, noCApath,
|
||||
CAstore, noCAstore)) == NULL)
|
||||
goto end;
|
||||
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
||||
if (lookup == NULL)
|
||||
@ -204,7 +242,7 @@ int crl_main(int argc, char **argv)
|
||||
}
|
||||
pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj));
|
||||
X509_OBJECT_free(xobj);
|
||||
if (!pkey) {
|
||||
if (pkey == NULL) {
|
||||
BIO_printf(bio_err, "Error getting CRL issuer public key\n");
|
||||
goto end;
|
||||
}
|
||||
@ -218,17 +256,17 @@ int crl_main(int argc, char **argv)
|
||||
BIO_printf(bio_err, "verify OK\n");
|
||||
}
|
||||
|
||||
if (crldiff) {
|
||||
if (crldiff != NULL) {
|
||||
X509_CRL *newcrl, *delta;
|
||||
if (!keyfile) {
|
||||
BIO_puts(bio_err, "Missing CRL signing key\n");
|
||||
goto end;
|
||||
}
|
||||
newcrl = load_crl(crldiff, informat);
|
||||
newcrl = load_crl(crldiff, informat, 0, "other CRL");
|
||||
if (!newcrl)
|
||||
goto end;
|
||||
pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
|
||||
if (!pkey) {
|
||||
if (pkey == NULL) {
|
||||
X509_CRL_free(newcrl);
|
||||
goto end;
|
||||
}
|
||||
@ -254,39 +292,54 @@ int crl_main(int argc, char **argv)
|
||||
if (num) {
|
||||
for (i = 1; i <= num; i++) {
|
||||
if (issuer == i) {
|
||||
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
|
||||
get_nameopt());
|
||||
print_name(bio_out, "issuer=", X509_CRL_get_issuer(x));
|
||||
}
|
||||
if (crlnumber == i) {
|
||||
ASN1_INTEGER *crlnum;
|
||||
|
||||
crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
|
||||
BIO_printf(bio_out, "crlNumber=");
|
||||
if (crlnum) {
|
||||
BIO_puts(bio_out, "0x");
|
||||
i2a_ASN1_INTEGER(bio_out, crlnum);
|
||||
ASN1_INTEGER_free(crlnum);
|
||||
} else
|
||||
} else {
|
||||
BIO_puts(bio_out, "<NONE>");
|
||||
}
|
||||
BIO_printf(bio_out, "\n");
|
||||
}
|
||||
if (hash == i) {
|
||||
BIO_printf(bio_out, "%08lx\n",
|
||||
X509_NAME_hash(X509_CRL_get_issuer(x)));
|
||||
int ok;
|
||||
unsigned long hash_value =
|
||||
X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(),
|
||||
app_get0_propq(), &ok);
|
||||
|
||||
if (num > 1)
|
||||
BIO_printf(bio_out, "issuer name hash=");
|
||||
if (ok) {
|
||||
BIO_printf(bio_out, "%08lx\n", hash_value);
|
||||
} else {
|
||||
BIO_puts(bio_out, "<ERROR>");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
#ifndef OPENSSL_NO_MD5
|
||||
if (hash_old == i) {
|
||||
if (num > 1)
|
||||
BIO_printf(bio_out, "issuer name old hash=");
|
||||
BIO_printf(bio_out, "%08lx\n",
|
||||
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
|
||||
}
|
||||
#endif
|
||||
if (lastupdate == i) {
|
||||
BIO_printf(bio_out, "lastUpdate=");
|
||||
ASN1_TIME_print(bio_out, X509_CRL_get0_lastUpdate(x));
|
||||
ASN1_TIME_print_ex(bio_out, X509_CRL_get0_lastUpdate(x), dateopt);
|
||||
BIO_printf(bio_out, "\n");
|
||||
}
|
||||
if (nextupdate == i) {
|
||||
BIO_printf(bio_out, "nextUpdate=");
|
||||
if (X509_CRL_get0_nextUpdate(x))
|
||||
ASN1_TIME_print(bio_out, X509_CRL_get0_nextUpdate(x));
|
||||
ASN1_TIME_print_ex(bio_out, X509_CRL_get0_nextUpdate(x), dateopt);
|
||||
else
|
||||
BIO_printf(bio_out, "NONE");
|
||||
BIO_printf(bio_out, "\n");
|
||||
@ -301,7 +354,7 @@ int crl_main(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
BIO_printf(bio_out, "%s Fingerprint=",
|
||||
OBJ_nid2sn(EVP_MD_type(digest)));
|
||||
EVP_MD_get0_name(digest));
|
||||
for (j = 0; j < (int)n; j++) {
|
||||
BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
|
||||
? '\n' : ':');
|
||||
@ -335,6 +388,7 @@ int crl_main(int argc, char **argv)
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_free_all(out);
|
||||
EVP_MD_free(digest);
|
||||
X509_CRL_free(x);
|
||||
X509_STORE_CTX_free(ctx);
|
||||
X509_STORE_free(store);
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -22,19 +22,27 @@
|
||||
static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE,
|
||||
OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS crl2pkcs7_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
||||
{"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"},
|
||||
{"certfile", OPT_CERTFILE, '<',
|
||||
"File of chain of certs to a trusted CA; can be repeated"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -88,8 +96,14 @@ int crl2pkcs7_main(int argc, char **argv)
|
||||
if (!sk_OPENSSL_STRING_push(certflst, opt_arg()))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No remaining args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -24,7 +24,7 @@
|
||||
#undef BUFSIZE
|
||||
#define BUFSIZE 1024*8
|
||||
|
||||
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
||||
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
|
||||
EVP_PKEY *key, unsigned char *sigin, int siglen,
|
||||
const char *sig_name, const char *md_name,
|
||||
const char *file);
|
||||
@ -36,49 +36,58 @@ struct doall_dgst_digests {
|
||||
};
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_LIST,
|
||||
OPT_COMMON,
|
||||
OPT_LIST,
|
||||
OPT_C, OPT_R, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
|
||||
OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
|
||||
OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
|
||||
OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
|
||||
OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_XOFLEN,
|
||||
OPT_DIGEST,
|
||||
OPT_R_ENUM
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS dgst_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"},
|
||||
{OPT_HELP_STR, 1, '-',
|
||||
" file... files to digest (default is stdin)\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"list", OPT_LIST, '-', "List digests"},
|
||||
{"c", OPT_C, '-', "Print the digest with separating colons"},
|
||||
{"r", OPT_R, '-', "Print the digest in coreutils format"},
|
||||
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
{"sign", OPT_SIGN, 's', "Sign digest using private key"},
|
||||
{"verify", OPT_VERIFY, 's',
|
||||
"Verify a signature using public key"},
|
||||
{"prverify", OPT_PRVERIFY, 's',
|
||||
"Verify a signature using private key"},
|
||||
{"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
|
||||
{"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
|
||||
{"hex", OPT_HEX, '-', "Print as hex dump"},
|
||||
{"binary", OPT_BINARY, '-', "Print in binary form"},
|
||||
{"d", OPT_DEBUG, '-', "Print debug info"},
|
||||
{"debug", OPT_DEBUG, '-', "Print debug info"},
|
||||
{"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
|
||||
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
|
||||
{"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
|
||||
{"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
|
||||
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
|
||||
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
|
||||
{"", OPT_DIGEST, '-', "Any supported digest"},
|
||||
OPT_R_OPTIONS,
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
|
||||
{"engine_impl", OPT_ENGINE_IMPL, '-',
|
||||
"Also use engine given by -engine for digest operations"},
|
||||
#endif
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"c", OPT_C, '-', "Print the digest with separating colons"},
|
||||
{"r", OPT_R, '-', "Print the digest in coreutils format"},
|
||||
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
|
||||
{"keyform", OPT_KEYFORM, 'f', "Key file format (ENGINE, other values ignored)"},
|
||||
{"hex", OPT_HEX, '-', "Print as hex dump"},
|
||||
{"binary", OPT_BINARY, '-', "Print in binary form"},
|
||||
{"xoflen", OPT_XOFLEN, 'p', "Output length for XOF algorithms. To obtain the maximum security strength set this to 32 (or greater) for SHAKE128, and 64 (or greater) for SHAKE256"},
|
||||
{"d", OPT_DEBUG, '-', "Print debug info"},
|
||||
{"debug", OPT_DEBUG, '-', "Print debug info"},
|
||||
|
||||
OPT_SECTION("Signing"),
|
||||
{"sign", OPT_SIGN, 's', "Sign digest using private key"},
|
||||
{"verify", OPT_VERIFY, 's', "Verify a signature using public key"},
|
||||
{"prverify", OPT_PRVERIFY, 's', "Verify a signature using private key"},
|
||||
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
|
||||
{"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
|
||||
{"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
|
||||
{"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
|
||||
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
|
||||
{"", OPT_DIGEST, '-', "Any supported digest"},
|
||||
{"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
|
||||
"Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"file", 0, 0, "Files to digest (optional; default is stdin)"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -89,21 +98,24 @@ int dgst_main(int argc, char **argv)
|
||||
EVP_PKEY *sigkey = NULL;
|
||||
STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
|
||||
char *hmac_key = NULL;
|
||||
char *mac_name = NULL;
|
||||
char *mac_name = NULL, *digestname = NULL;
|
||||
char *passinarg = NULL, *passin = NULL;
|
||||
const EVP_MD *md = NULL, *m;
|
||||
EVP_MD *md = NULL;
|
||||
const char *outfile = NULL, *keyfile = NULL, *prog = NULL;
|
||||
const char *sigfile = NULL;
|
||||
const char *md_name = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0;
|
||||
int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
|
||||
int separator = 0, debug = 0, keyform = FORMAT_UNDEF, siglen = 0;
|
||||
int i, ret = EXIT_FAILURE, out_bin = -1, want_pub = 0, do_verify = 0;
|
||||
int xoflen = 0;
|
||||
unsigned char *buf = NULL, *sigbuf = NULL;
|
||||
int engine_impl = 0;
|
||||
struct doall_dgst_digests dec;
|
||||
|
||||
prog = opt_progname(argv[0]);
|
||||
buf = app_malloc(BUFSIZE, "I/O buffer");
|
||||
md = EVP_get_digestbyname(prog);
|
||||
md = (EVP_MD *)EVP_get_digestbyname(argv[0]);
|
||||
if (md != NULL)
|
||||
digestname = argv[0];
|
||||
|
||||
prog = opt_init(argc, argv, dgst_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
@ -115,7 +127,7 @@ int dgst_main(int argc, char **argv)
|
||||
goto end;
|
||||
case OPT_HELP:
|
||||
opt_help(dgst_options);
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
goto end;
|
||||
case OPT_LIST:
|
||||
BIO_printf(bio_out, "Supported digests:\n");
|
||||
@ -124,7 +136,7 @@ int dgst_main(int argc, char **argv)
|
||||
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
|
||||
show_digests, &dec);
|
||||
BIO_printf(bio_out, "\n");
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
goto end;
|
||||
case OPT_C:
|
||||
separator = 1;
|
||||
@ -172,6 +184,9 @@ int dgst_main(int argc, char **argv)
|
||||
case OPT_BINARY:
|
||||
out_bin = 1;
|
||||
break;
|
||||
case OPT_XOFLEN:
|
||||
xoflen = atoi(opt_arg());
|
||||
break;
|
||||
case OPT_DEBUG:
|
||||
debug = 1;
|
||||
break;
|
||||
@ -197,18 +212,29 @@ int dgst_main(int argc, char **argv)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_DIGEST:
|
||||
if (!opt_md(opt_unknown(), &m))
|
||||
goto opthelp;
|
||||
md = m;
|
||||
digestname = opt_unknown();
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Remaining args are files to digest. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
if (keyfile != NULL && argc > 1) {
|
||||
BIO_printf(bio_err, "%s: Can only sign or verify one file.\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
if (digestname != NULL) {
|
||||
if (!opt_md(digestname, &md))
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
if (do_verify && sigfile == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
@ -220,13 +246,11 @@ int dgst_main(int argc, char **argv)
|
||||
|
||||
in = BIO_new(BIO_s_file());
|
||||
bmd = BIO_new(BIO_f_md());
|
||||
if ((in == NULL) || (bmd == NULL)) {
|
||||
ERR_print_errors(bio_err);
|
||||
if (in == NULL || bmd == NULL)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (debug) {
|
||||
BIO_set_callback(in, BIO_debug_callback);
|
||||
BIO_set_callback_ex(in, BIO_debug_callback_ex);
|
||||
/* needed for windows 3.1 */
|
||||
BIO_set_callback_arg(in, (char *)bio_err);
|
||||
}
|
||||
@ -248,7 +272,7 @@ int dgst_main(int argc, char **argv)
|
||||
goto end;
|
||||
|
||||
if ((!(mac_name == NULL) + !(keyfile == NULL) + !(hmac_key == NULL)) > 1) {
|
||||
BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
|
||||
BIO_printf(bio_err, "MAC and signing key cannot both be specified\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
@ -256,16 +280,16 @@ int dgst_main(int argc, char **argv)
|
||||
int type;
|
||||
|
||||
if (want_pub)
|
||||
sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "key file");
|
||||
sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
|
||||
else
|
||||
sigkey = load_key(keyfile, keyform, 0, passin, e, "key file");
|
||||
sigkey = load_key(keyfile, keyform, 0, passin, e, "private key");
|
||||
if (sigkey == NULL) {
|
||||
/*
|
||||
* load_[pub]key() has already printed an appropriate message
|
||||
*/
|
||||
goto end;
|
||||
}
|
||||
type = EVP_PKEY_id(sigkey);
|
||||
type = EVP_PKEY_get_id(sigkey);
|
||||
if (type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448) {
|
||||
/*
|
||||
* We implement PureEdDSA for these which doesn't have a separate
|
||||
@ -278,36 +302,34 @@ int dgst_main(int argc, char **argv)
|
||||
|
||||
if (mac_name != NULL) {
|
||||
EVP_PKEY_CTX *mac_ctx = NULL;
|
||||
int r = 0;
|
||||
if (!init_gen_str(&mac_ctx, mac_name, impl, 0))
|
||||
goto mac_end;
|
||||
if (macopts != NULL) {
|
||||
char *macopt;
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) {
|
||||
macopt = sk_OPENSSL_STRING_value(macopts, i);
|
||||
if (pkey_ctrl_string(mac_ctx, macopt) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"MAC parameter error \"%s\"\n", macopt);
|
||||
ERR_print_errors(bio_err);
|
||||
goto mac_end;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) {
|
||||
BIO_puts(bio_err, "Error generating key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto mac_end;
|
||||
}
|
||||
r = 1;
|
||||
mac_end:
|
||||
EVP_PKEY_CTX_free(mac_ctx);
|
||||
if (r == 0)
|
||||
|
||||
if (!init_gen_str(&mac_ctx, mac_name, impl, 0, NULL, NULL))
|
||||
goto end;
|
||||
if (macopts != NULL) {
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) {
|
||||
char *macopt = sk_OPENSSL_STRING_value(macopts, i);
|
||||
|
||||
if (pkey_ctrl_string(mac_ctx, macopt) <= 0) {
|
||||
EVP_PKEY_CTX_free(mac_ctx);
|
||||
BIO_printf(bio_err, "MAC parameter error \"%s\"\n", macopt);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */);
|
||||
/* Verbose output would make external-tests gost-engine fail */
|
||||
EVP_PKEY_CTX_free(mac_ctx);
|
||||
}
|
||||
|
||||
if (hmac_key != NULL) {
|
||||
if (md == NULL) {
|
||||
md = (EVP_MD *)EVP_sha256();
|
||||
digestname = SN_sha256;
|
||||
}
|
||||
sigkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, impl,
|
||||
(unsigned char *)hmac_key, -1);
|
||||
(unsigned char *)hmac_key,
|
||||
strlen(hmac_key));
|
||||
if (sigkey == NULL)
|
||||
goto end;
|
||||
}
|
||||
@ -315,28 +337,37 @@ int dgst_main(int argc, char **argv)
|
||||
if (sigkey != NULL) {
|
||||
EVP_MD_CTX *mctx = NULL;
|
||||
EVP_PKEY_CTX *pctx = NULL;
|
||||
int r;
|
||||
int res;
|
||||
|
||||
if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
|
||||
BIO_printf(bio_err, "Error getting context\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
if (do_verify)
|
||||
r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
|
||||
if (impl == NULL)
|
||||
res = EVP_DigestVerifyInit_ex(mctx, &pctx, digestname,
|
||||
app_get0_libctx(),
|
||||
app_get0_propq(), sigkey, NULL);
|
||||
else
|
||||
r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
|
||||
if (!r) {
|
||||
res = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
|
||||
else
|
||||
if (impl == NULL)
|
||||
res = EVP_DigestSignInit_ex(mctx, &pctx, digestname,
|
||||
app_get0_libctx(),
|
||||
app_get0_propq(), sigkey, NULL);
|
||||
else
|
||||
res = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
|
||||
if (res == 0) {
|
||||
BIO_printf(bio_err, "Error setting context\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
if (sigopts != NULL) {
|
||||
char *sigopt;
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
|
||||
sigopt = sk_OPENSSL_STRING_value(sigopts, i);
|
||||
char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
|
||||
|
||||
if (pkey_ctrl_string(pctx, sigopt) <= 0) {
|
||||
BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Signature parameter error \"%s\"\n",
|
||||
sigopt);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
@ -347,32 +378,29 @@ int dgst_main(int argc, char **argv)
|
||||
EVP_MD_CTX *mctx = NULL;
|
||||
if (BIO_get_md_ctx(bmd, &mctx) <= 0) {
|
||||
BIO_printf(bio_err, "Error getting context\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
if (md == NULL)
|
||||
md = EVP_sha256();
|
||||
md = (EVP_MD *)EVP_sha256();
|
||||
if (!EVP_DigestInit_ex(mctx, md, impl)) {
|
||||
BIO_printf(bio_err, "Error setting digest\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (sigfile != NULL && sigkey != NULL) {
|
||||
BIO *sigbio = BIO_new_file(sigfile, "rb");
|
||||
|
||||
if (sigbio == NULL) {
|
||||
BIO_printf(bio_err, "Error opening signature file %s\n", sigfile);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
siglen = EVP_PKEY_size(sigkey);
|
||||
siglen = EVP_PKEY_get_size(sigkey);
|
||||
sigbuf = app_malloc(siglen, "signature buffer");
|
||||
siglen = BIO_read(sigbio, sigbuf, siglen);
|
||||
BIO_free(sigbio);
|
||||
if (siglen <= 0) {
|
||||
BIO_printf(bio_err, "Error reading signature file %s\n", sigfile);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
@ -380,48 +408,62 @@ int dgst_main(int argc, char **argv)
|
||||
|
||||
if (md == NULL) {
|
||||
EVP_MD_CTX *tctx;
|
||||
|
||||
BIO_get_md_ctx(bmd, &tctx);
|
||||
md = EVP_MD_CTX_md(tctx);
|
||||
md = EVP_MD_CTX_get1_md(tctx);
|
||||
}
|
||||
if (md != NULL)
|
||||
md_name = EVP_MD_get0_name(md);
|
||||
|
||||
if (xoflen > 0) {
|
||||
if (!(EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF)) {
|
||||
BIO_printf(bio_err, "Length can only be specified for XOF\n");
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* Signing using XOF is not supported by any algorithms currently since
|
||||
* each algorithm only calls EVP_DigestFinal_ex() in their sign_final
|
||||
* and verify_final methods.
|
||||
*/
|
||||
if (sigkey != NULL) {
|
||||
BIO_printf(bio_err, "Signing key cannot be specified for XOF\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (argc == 0) {
|
||||
BIO_set_fp(in, stdin, BIO_NOCLOSE);
|
||||
ret = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
|
||||
siglen, NULL, NULL, "stdin");
|
||||
ret = do_fp(out, buf, inp, separator, out_bin, xoflen, sigkey, sigbuf,
|
||||
siglen, NULL, md_name, "stdin");
|
||||
} else {
|
||||
const char *md_name = NULL, *sig_name = NULL;
|
||||
if (!out_bin) {
|
||||
if (sigkey != NULL) {
|
||||
const EVP_PKEY_ASN1_METHOD *ameth;
|
||||
ameth = EVP_PKEY_get0_asn1(sigkey);
|
||||
if (ameth)
|
||||
EVP_PKEY_asn1_get0_info(NULL, NULL,
|
||||
NULL, NULL, &sig_name, ameth);
|
||||
const char *sig_name = NULL;
|
||||
|
||||
if (out_bin == 0) {
|
||||
if (sigkey != NULL)
|
||||
sig_name = EVP_PKEY_get0_type_name(sigkey);
|
||||
}
|
||||
if (md != NULL)
|
||||
md_name = EVP_MD_name(md);
|
||||
}
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
for (i = 0; i < argc; i++) {
|
||||
int r;
|
||||
if (BIO_read_filename(in, argv[i]) <= 0) {
|
||||
perror(argv[i]);
|
||||
ret++;
|
||||
ret = EXIT_FAILURE;
|
||||
continue;
|
||||
} else {
|
||||
r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
|
||||
siglen, sig_name, md_name, argv[i]);
|
||||
if (do_fp(out, buf, inp, separator, out_bin, xoflen,
|
||||
sigkey, sigbuf, siglen, sig_name, md_name, argv[i]))
|
||||
ret = EXIT_FAILURE;
|
||||
}
|
||||
if (r)
|
||||
ret = r;
|
||||
(void)BIO_reset(bmd);
|
||||
}
|
||||
}
|
||||
end:
|
||||
if (ret != EXIT_SUCCESS)
|
||||
ERR_print_errors(bio_err);
|
||||
OPENSSL_clear_free(buf, BUFSIZE);
|
||||
BIO_free(in);
|
||||
OPENSSL_free(passin);
|
||||
BIO_free_all(out);
|
||||
EVP_MD_free(md);
|
||||
EVP_PKEY_free(sigkey);
|
||||
sk_OPENSSL_STRING_free(sigopts);
|
||||
sk_OPENSSL_STRING_free(macopts);
|
||||
@ -444,9 +486,12 @@ static void show_digests(const OBJ_NAME *name, void *arg)
|
||||
return;
|
||||
|
||||
/* Filter out message digests that we cannot use */
|
||||
md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq());
|
||||
if (md == NULL) {
|
||||
md = EVP_get_digestbyname(name->name);
|
||||
if (md == NULL)
|
||||
return;
|
||||
}
|
||||
|
||||
BIO_printf(dec->bio, "-%-25s", name->name);
|
||||
if (++dec->n == 3) {
|
||||
@ -496,20 +541,19 @@ static const char *newline_escape_filename(const char *file, int * backslash)
|
||||
}
|
||||
|
||||
|
||||
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
||||
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, int xoflen,
|
||||
EVP_PKEY *key, unsigned char *sigin, int siglen,
|
||||
const char *sig_name, const char *md_name,
|
||||
const char *file)
|
||||
{
|
||||
size_t len = BUFSIZE;
|
||||
int i, backslash = 0, ret = 1;
|
||||
unsigned char *sigbuf = NULL;
|
||||
int i, backslash = 0, ret = EXIT_FAILURE;
|
||||
unsigned char *allocated_buf = NULL;
|
||||
|
||||
while (BIO_pending(bp) || !BIO_eof(bp)) {
|
||||
i = BIO_read(bp, (char *)buf, BUFSIZE);
|
||||
if (i < 0) {
|
||||
BIO_printf(bio_err, "Read Error in %s\n", file);
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Read error in %s\n", file);
|
||||
goto end;
|
||||
}
|
||||
if (i == 0)
|
||||
@ -522,38 +566,53 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
||||
if (i > 0) {
|
||||
BIO_printf(out, "Verified OK\n");
|
||||
} else if (i == 0) {
|
||||
BIO_printf(out, "Verification Failure\n");
|
||||
BIO_printf(out, "Verification failure\n");
|
||||
goto end;
|
||||
} else {
|
||||
BIO_printf(bio_err, "Error Verifying Data\n");
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Error verifying data\n");
|
||||
goto end;
|
||||
}
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
goto end;
|
||||
}
|
||||
if (key != NULL) {
|
||||
EVP_MD_CTX *ctx;
|
||||
int pkey_len;
|
||||
size_t tmplen;
|
||||
|
||||
BIO_get_md_ctx(bp, &ctx);
|
||||
pkey_len = EVP_PKEY_size(key);
|
||||
if (pkey_len > BUFSIZE) {
|
||||
len = pkey_len;
|
||||
sigbuf = app_malloc(len, "Signature buffer");
|
||||
buf = sigbuf;
|
||||
if (!EVP_DigestSignFinal(ctx, NULL, &tmplen)) {
|
||||
BIO_printf(bio_err, "Error getting maximum length of signed data\n");
|
||||
goto end;
|
||||
}
|
||||
if (tmplen > BUFSIZE) {
|
||||
len = tmplen;
|
||||
allocated_buf = app_malloc(len, "Signature buffer");
|
||||
buf = allocated_buf;
|
||||
}
|
||||
if (!EVP_DigestSignFinal(ctx, buf, &len)) {
|
||||
BIO_printf(bio_err, "Error Signing Data\n");
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Error signing data\n");
|
||||
goto end;
|
||||
}
|
||||
} else if (xoflen > 0) {
|
||||
EVP_MD_CTX *ctx;
|
||||
|
||||
len = xoflen;
|
||||
if (len > BUFSIZE) {
|
||||
allocated_buf = app_malloc(len, "Digest buffer");
|
||||
buf = allocated_buf;
|
||||
}
|
||||
|
||||
BIO_get_md_ctx(bp, &ctx);
|
||||
|
||||
if (!EVP_DigestFinalXOF(ctx, buf, len)) {
|
||||
BIO_printf(bio_err, "Error Digesting Data\n");
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
len = BIO_gets(bp, (char *)buf, BUFSIZE);
|
||||
if ((int)len < 0) {
|
||||
ERR_print_errors(bio_err);
|
||||
if ((int)len < 0)
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (binout) {
|
||||
BIO_write(out, buf, len);
|
||||
@ -587,10 +646,10 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
|
||||
BIO_printf(out, "\n");
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
ret = EXIT_SUCCESS;
|
||||
end:
|
||||
if (sigbuf != NULL)
|
||||
OPENSSL_clear_free(sigbuf, len);
|
||||
if (allocated_buf != NULL)
|
||||
OPENSSL_clear_free(allocated_buf, len);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
@ -1,10 +0,0 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
|
||||
Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
|
||||
/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 1024-bit DH parameters from "Internet Key Exchange
|
||||
Protocol Version 2 (IKEv2)": https://tools.ietf.org/html/rfc5996
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
@ -1,14 +0,0 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 2048-bit DH parameters from "More Modular Exponential
|
||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
||||
https://tools.ietf.org/html/rfc3526
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
@ -1,19 +0,0 @@
|
||||
-----BEGIN DH PARAMETERS-----
|
||||
MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb
|
||||
IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft
|
||||
awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT
|
||||
mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh
|
||||
fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq
|
||||
5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM
|
||||
fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq
|
||||
ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI
|
||||
ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O
|
||||
+S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI
|
||||
HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI=
|
||||
-----END DH PARAMETERS-----
|
||||
|
||||
These are the 4096-bit DH parameters from "More Modular Exponential
|
||||
(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)":
|
||||
https://tools.ietf.org/html/rfc3526
|
||||
|
||||
See https://tools.ietf.org/html/rfc2412 for how they were generated.
|
@ -1,13 +1,14 @@
|
||||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
@ -17,61 +18,73 @@
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/dsa.h>
|
||||
#include <openssl/dh.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
# include <openssl/dsa.h>
|
||||
#endif
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/param_build.h>
|
||||
#include <openssl/encoder.h>
|
||||
#include <openssl/decoder.h>
|
||||
|
||||
#define DEFBITS 2048
|
||||
|
||||
static int dh_cb(int p, int n, BN_GENCB *cb);
|
||||
static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh);
|
||||
static int gendh_cb(EVP_PKEY_CTX *ctx);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
|
||||
OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
|
||||
OPT_DSAPARAM, OPT_C, OPT_2, OPT_5,
|
||||
OPT_R_ENUM
|
||||
OPT_DSAPARAM, OPT_2, OPT_3, OPT_5,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS dhparam_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"},
|
||||
{OPT_HELP_STR, 1, '-', "Valid options are:\n"},
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"check", OPT_CHECK, '-', "Check the DH parameters"},
|
||||
{"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't output any DH parameters"},
|
||||
OPT_R_OPTIONS,
|
||||
{"C", OPT_C, '-', "Print C code"},
|
||||
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
|
||||
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_DEPRECATED_3_0)
|
||||
{"dsaparam", OPT_DSAPARAM, '-',
|
||||
"Read or generate DSA parameters, convert to DH"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
|
||||
{"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't output any DH parameters"},
|
||||
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
|
||||
{"3", OPT_3, '-', "Generate parameters using 3 as the generator value"},
|
||||
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int dhparam_main(int argc, char **argv)
|
||||
{
|
||||
BIO *in = NULL, *out = NULL;
|
||||
DH *dh = NULL;
|
||||
EVP_PKEY *pkey = NULL, *tmppkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
ENGINE *e = NULL;
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
int dsaparam = 0;
|
||||
#endif
|
||||
int i, text = 0, C = 0, ret = 1, num = 0, g = 0;
|
||||
int text = 0, ret = 1, num = 0, g = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0;
|
||||
OPTION_CHOICE o;
|
||||
|
||||
@ -111,16 +124,14 @@ int dhparam_main(int argc, char **argv)
|
||||
text = 1;
|
||||
break;
|
||||
case OPT_DSAPARAM:
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
dsaparam = 1;
|
||||
#endif
|
||||
break;
|
||||
case OPT_C:
|
||||
C = 1;
|
||||
break;
|
||||
case OPT_2:
|
||||
g = 2;
|
||||
break;
|
||||
case OPT_3:
|
||||
g = 3;
|
||||
break;
|
||||
case OPT_5:
|
||||
g = 5;
|
||||
break;
|
||||
@ -131,24 +142,33 @@ int dhparam_main(int argc, char **argv)
|
||||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* One optional argument, bitsize to generate. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
|
||||
if (argv[0] != NULL && (!opt_int(argv[0], &num) || num <= 0))
|
||||
if (argc == 1) {
|
||||
if (!opt_int(argv[0], &num) || num <= 0)
|
||||
goto opthelp;
|
||||
} else if (argc != 0) {
|
||||
goto opthelp;
|
||||
}
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
if (g && !num)
|
||||
num = DEFBITS;
|
||||
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
if (dsaparam && g) {
|
||||
BIO_printf(bio_err,
|
||||
"generator may not be chosen for DSA parameters\n");
|
||||
"Error, generator may not be chosen for DSA parameters\n");
|
||||
goto end;
|
||||
}
|
||||
#endif
|
||||
|
||||
out = bio_open_default(outfile, 'w', outformat);
|
||||
if (out == NULL)
|
||||
@ -159,216 +179,238 @@ int dhparam_main(int argc, char **argv)
|
||||
g = 2;
|
||||
|
||||
if (num) {
|
||||
const char *alg = dsaparam ? "DSA" : "DH";
|
||||
|
||||
BN_GENCB *cb;
|
||||
cb = BN_GENCB_new();
|
||||
if (cb == NULL) {
|
||||
ERR_print_errors(bio_err);
|
||||
if (infile != NULL) {
|
||||
BIO_printf(bio_err, "Warning, input file %s ignored\n", infile);
|
||||
}
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), alg, app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, %s param generation context allocation failed\n",
|
||||
alg);
|
||||
goto end;
|
||||
}
|
||||
EVP_PKEY_CTX_set_cb(ctx, gendh_cb);
|
||||
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
|
||||
BIO_printf(bio_err,
|
||||
"Generating %s parameters, %d bit long %sprime\n",
|
||||
alg, num, dsaparam ? "" : "safe ");
|
||||
|
||||
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, unable to initialise %s parameters\n",
|
||||
alg);
|
||||
goto end;
|
||||
}
|
||||
|
||||
BN_GENCB_set(cb, dh_cb, bio_err);
|
||||
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
if (dsaparam) {
|
||||
DSA *dsa = DSA_new();
|
||||
|
||||
BIO_printf(bio_err,
|
||||
"Generating DSA parameters, %d bit long prime\n", num);
|
||||
if (dsa == NULL
|
||||
|| !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL,
|
||||
cb)) {
|
||||
DSA_free(dsa);
|
||||
BN_GENCB_free(cb);
|
||||
ERR_print_errors(bio_err);
|
||||
if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num) <= 0) {
|
||||
BIO_printf(bio_err, "Error, unable to set DSA prime length\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
dh = DSA_dup_DH(dsa);
|
||||
DSA_free(dsa);
|
||||
if (dh == NULL) {
|
||||
BN_GENCB_free(cb);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
dh = DH_new();
|
||||
BIO_printf(bio_err,
|
||||
"Generating DH parameters, %d bit long safe prime, generator %d\n",
|
||||
num, g);
|
||||
BIO_printf(bio_err, "This is going to take a long time\n");
|
||||
if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
|
||||
BN_GENCB_free(cb);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
BN_GENCB_free(cb);
|
||||
} else {
|
||||
if (EVP_PKEY_CTX_set_dh_paramgen_prime_len(ctx, num) <= 0) {
|
||||
BIO_printf(bio_err, "Error, unable to set DH prime length\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_CTX_set_dh_paramgen_generator(ctx, g) <= 0) {
|
||||
BIO_printf(bio_err, "Error, unable to set generator\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
tmppkey = app_paramgen(ctx, alg);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
ctx = NULL;
|
||||
if (dsaparam) {
|
||||
pkey = dsa_to_dh(tmppkey);
|
||||
if (pkey == NULL)
|
||||
goto end;
|
||||
EVP_PKEY_free(tmppkey);
|
||||
} else {
|
||||
pkey = tmppkey;
|
||||
}
|
||||
tmppkey = NULL;
|
||||
} else {
|
||||
OSSL_DECODER_CTX *decoderctx = NULL;
|
||||
const char *keytype = "DH";
|
||||
int done;
|
||||
|
||||
in = bio_open_default(infile, 'r', informat);
|
||||
if (in == NULL)
|
||||
goto end;
|
||||
|
||||
#ifndef OPENSSL_NO_DSA
|
||||
if (dsaparam) {
|
||||
DSA *dsa;
|
||||
|
||||
if (informat == FORMAT_ASN1)
|
||||
dsa = d2i_DSAparams_bio(in, NULL);
|
||||
else /* informat == FORMAT_PEM */
|
||||
dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
|
||||
|
||||
if (dsa == NULL) {
|
||||
BIO_printf(bio_err, "unable to load DSA parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
dh = DSA_dup_DH(dsa);
|
||||
DSA_free(dsa);
|
||||
if (dh == NULL) {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
if (informat == FORMAT_ASN1) {
|
||||
do {
|
||||
/*
|
||||
* We have no PEM header to determine what type of DH params it
|
||||
* is. We'll just try both.
|
||||
* We assume we're done unless we explicitly want to retry and set
|
||||
* this to 0 below.
|
||||
*/
|
||||
dh = d2i_DHparams_bio(in, NULL);
|
||||
/* BIO_reset() returns 0 for success for file BIOs only!!! */
|
||||
if (dh == NULL && BIO_reset(in) == 0)
|
||||
dh = d2i_DHxparams_bio(in, NULL);
|
||||
} else {
|
||||
/* informat == FORMAT_PEM */
|
||||
dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
|
||||
}
|
||||
done = 1;
|
||||
/*
|
||||
* We set NULL for the keytype to allow any key type. We don't know
|
||||
* if we're going to get DH or DHX (or DSA in the event of dsaparam).
|
||||
* We check that we got one of those key types afterwards.
|
||||
*/
|
||||
decoderctx
|
||||
= OSSL_DECODER_CTX_new_for_pkey(&tmppkey,
|
||||
(informat == FORMAT_ASN1)
|
||||
? "DER" : "PEM",
|
||||
NULL,
|
||||
(informat == FORMAT_ASN1)
|
||||
? keytype : NULL,
|
||||
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
|
||||
NULL, NULL);
|
||||
|
||||
if (dh == NULL) {
|
||||
BIO_printf(bio_err, "unable to load DH parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
if (decoderctx != NULL
|
||||
&& !OSSL_DECODER_from_bio(decoderctx, in)
|
||||
&& informat == FORMAT_ASN1
|
||||
&& strcmp(keytype, "DH") == 0) {
|
||||
/*
|
||||
* When reading DER we explicitly state the expected keytype
|
||||
* because, unlike PEM, there is no header to declare what
|
||||
* the contents of the DER file are. The decoders just try
|
||||
* and guess. Unfortunately with DHX key types they may guess
|
||||
* wrong and think we have a DSA keytype. Therefore we try
|
||||
* both DH and DHX sequentially.
|
||||
*/
|
||||
keytype = "DHX";
|
||||
/*
|
||||
* BIO_reset() returns 0 for success for file BIOs only!!!
|
||||
* This won't work for stdin (and never has done)
|
||||
*/
|
||||
if (BIO_reset(in) == 0)
|
||||
done = 0;
|
||||
}
|
||||
OSSL_DECODER_CTX_free(decoderctx);
|
||||
} while (!done);
|
||||
if (tmppkey == NULL) {
|
||||
BIO_printf(bio_err, "Error, unable to load parameters\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (dsaparam) {
|
||||
if (!EVP_PKEY_is_a(tmppkey, "DSA")) {
|
||||
BIO_printf(bio_err, "Error, unable to load DSA parameters\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = dsa_to_dh(tmppkey);
|
||||
if (pkey == NULL)
|
||||
goto end;
|
||||
} else {
|
||||
if (!EVP_PKEY_is_a(tmppkey, "DH")
|
||||
&& !EVP_PKEY_is_a(tmppkey, "DHX")) {
|
||||
BIO_printf(bio_err, "Error, unable to load DH parameters\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = tmppkey;
|
||||
tmppkey = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
/* dh != NULL */
|
||||
}
|
||||
|
||||
if (text) {
|
||||
DHparams_print(out, dh);
|
||||
}
|
||||
if (text)
|
||||
EVP_PKEY_print_params(out, pkey, 4, NULL);
|
||||
|
||||
if (check) {
|
||||
if (!DH_check(dh, &i)) {
|
||||
ERR_print_errors(bio_err);
|
||||
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "Error, failed to check DH parameters\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_param_check(ctx) <= 0) {
|
||||
BIO_printf(bio_err, "Error, invalid parameters generated\n");
|
||||
goto end;
|
||||
}
|
||||
if (i & DH_CHECK_P_NOT_PRIME)
|
||||
BIO_printf(bio_err, "WARNING: p value is not prime\n");
|
||||
if (i & DH_CHECK_P_NOT_SAFE_PRIME)
|
||||
BIO_printf(bio_err, "WARNING: p value is not a safe prime\n");
|
||||
if (i & DH_CHECK_Q_NOT_PRIME)
|
||||
BIO_printf(bio_err, "WARNING: q value is not a prime\n");
|
||||
if (i & DH_CHECK_INVALID_Q_VALUE)
|
||||
BIO_printf(bio_err, "WARNING: q value is invalid\n");
|
||||
if (i & DH_CHECK_INVALID_J_VALUE)
|
||||
BIO_printf(bio_err, "WARNING: j value is invalid\n");
|
||||
if (i & DH_UNABLE_TO_CHECK_GENERATOR)
|
||||
BIO_printf(bio_err,
|
||||
"WARNING: unable to check the generator value\n");
|
||||
if (i & DH_NOT_SUITABLE_GENERATOR)
|
||||
BIO_printf(bio_err, "WARNING: the g value is not a generator\n");
|
||||
if (i == 0)
|
||||
BIO_printf(bio_err, "DH parameters appear to be ok.\n");
|
||||
if (num != 0 && i != 0) {
|
||||
/*
|
||||
* We have generated parameters but DH_check() indicates they are
|
||||
* invalid! This should never happen!
|
||||
*/
|
||||
BIO_printf(bio_err, "ERROR: Invalid parameters generated\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (C) {
|
||||
unsigned char *data;
|
||||
int len, bits;
|
||||
const BIGNUM *pbn, *gbn;
|
||||
|
||||
len = DH_size(dh);
|
||||
bits = DH_bits(dh);
|
||||
DH_get0_pqg(dh, &pbn, NULL, &gbn);
|
||||
data = app_malloc(len, "print a BN");
|
||||
|
||||
BIO_printf(out, "static DH *get_dh%d(void)\n{\n", bits);
|
||||
print_bignum_var(out, pbn, "dhp", bits, data);
|
||||
print_bignum_var(out, gbn, "dhg", bits, data);
|
||||
BIO_printf(out, " DH *dh = DH_new();\n"
|
||||
" BIGNUM *p, *g;\n"
|
||||
"\n"
|
||||
" if (dh == NULL)\n"
|
||||
" return NULL;\n");
|
||||
BIO_printf(out, " p = BN_bin2bn(dhp_%d, sizeof(dhp_%d), NULL);\n",
|
||||
bits, bits);
|
||||
BIO_printf(out, " g = BN_bin2bn(dhg_%d, sizeof(dhg_%d), NULL);\n",
|
||||
bits, bits);
|
||||
BIO_printf(out, " if (p == NULL || g == NULL\n"
|
||||
" || !DH_set0_pqg(dh, p, NULL, g)) {\n"
|
||||
" DH_free(dh);\n"
|
||||
" BN_free(p);\n"
|
||||
" BN_free(g);\n"
|
||||
" return NULL;\n"
|
||||
" }\n");
|
||||
if (DH_get_length(dh) > 0)
|
||||
BIO_printf(out,
|
||||
" if (!DH_set_length(dh, %ld)) {\n"
|
||||
" DH_free(dh);\n"
|
||||
" return NULL;\n"
|
||||
" }\n", DH_get_length(dh));
|
||||
BIO_printf(out, " return dh;\n}\n");
|
||||
OPENSSL_free(data);
|
||||
}
|
||||
|
||||
if (!noout) {
|
||||
const BIGNUM *q;
|
||||
DH_get0_pqg(dh, NULL, &q, NULL);
|
||||
if (outformat == FORMAT_ASN1) {
|
||||
if (q != NULL)
|
||||
i = i2d_DHxparams_bio(out, dh);
|
||||
else
|
||||
i = i2d_DHparams_bio(out, dh);
|
||||
} else if (q != NULL) {
|
||||
i = PEM_write_bio_DHxparams(out, dh);
|
||||
} else {
|
||||
i = PEM_write_bio_DHparams(out, dh);
|
||||
}
|
||||
if (!i) {
|
||||
BIO_printf(bio_err, "unable to write DH parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
OSSL_ENCODER_CTX *ectx =
|
||||
OSSL_ENCODER_CTX_new_for_pkey(pkey,
|
||||
OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
|
||||
outformat == FORMAT_ASN1
|
||||
? "DER" : "PEM",
|
||||
NULL, NULL);
|
||||
|
||||
if (ectx == NULL || !OSSL_ENCODER_to_bio(ectx, out)) {
|
||||
OSSL_ENCODER_CTX_free(ectx);
|
||||
BIO_printf(bio_err, "Error, unable to write DH parameters\n");
|
||||
goto end;
|
||||
}
|
||||
OSSL_ENCODER_CTX_free(ectx);
|
||||
}
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_free(in);
|
||||
BIO_free_all(out);
|
||||
DH_free(dh);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_free(tmppkey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
release_engine(e);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int dh_cb(int p, int n, BN_GENCB *cb)
|
||||
/*
|
||||
* Historically we had the low level call DSA_dup_DH() to do this.
|
||||
* That is now deprecated with no replacement. Since we still need to do this
|
||||
* for backwards compatibility reasons, we do it "manually".
|
||||
*/
|
||||
static EVP_PKEY *dsa_to_dh(EVP_PKEY *dh)
|
||||
{
|
||||
OSSL_PARAM_BLD *tmpl = NULL;
|
||||
OSSL_PARAM *params = NULL;
|
||||
BIGNUM *bn_p = NULL, *bn_q = NULL, *bn_g = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
|
||||
if (!EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_P, &bn_p)
|
||||
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_Q, &bn_q)
|
||||
|| !EVP_PKEY_get_bn_param(dh, OSSL_PKEY_PARAM_FFC_G, &bn_g)) {
|
||||
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((tmpl = OSSL_PARAM_BLD_new()) == NULL
|
||||
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P,
|
||||
bn_p)
|
||||
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_Q,
|
||||
bn_q)
|
||||
|| !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G,
|
||||
bn_g)
|
||||
|| (params = OSSL_PARAM_BLD_to_param(tmpl)) == NULL) {
|
||||
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DHX", app_get0_propq());
|
||||
if (ctx == NULL
|
||||
|| EVP_PKEY_fromdata_init(ctx) <= 0
|
||||
|| EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEY_PARAMETERS, params) <= 0) {
|
||||
BIO_printf(bio_err, "Error, failed to set DH parameters\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
err:
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
OSSL_PARAM_free(params);
|
||||
OSSL_PARAM_BLD_free(tmpl);
|
||||
BN_free(bn_p);
|
||||
BN_free(bn_q);
|
||||
BN_free(bn_g);
|
||||
return pkey;
|
||||
}
|
||||
|
||||
static int gendh_cb(EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
||||
BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
|
||||
static const char symbols[] = ".+*\n";
|
||||
char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
|
||||
|
||||
BIO_write(BN_GENCB_get_arg(cb), &c, 1);
|
||||
(void)BIO_flush(BN_GENCB_get_arg(cb));
|
||||
BIO_write(b, &c, 1);
|
||||
(void)BIO_flush(b);
|
||||
return 1;
|
||||
}
|
||||
|
@ -1,13 +1,14 @@
|
||||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
@ -21,29 +22,29 @@
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/encoder.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
|
||||
#ifndef OPENSSL_NO_RC4
|
||||
# define DEFAULT_PVK_ENCR_STRENGTH 2
|
||||
#else
|
||||
# define DEFAULT_PVK_ENCR_STRENGTH 0
|
||||
#endif
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE,
|
||||
/* Do not change the order here; see case statements below */
|
||||
OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG,
|
||||
OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
|
||||
OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT
|
||||
OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT,
|
||||
OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS dsa_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"},
|
||||
{"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"},
|
||||
{"in", OPT_IN, 's', "Input key"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't print key out"},
|
||||
{"text", OPT_TEXT, '-', "Print the key in text"},
|
||||
{"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
#ifndef OPENSSL_NO_RC4
|
||||
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
|
||||
@ -53,24 +54,43 @@ const OPTIONS dsa_options[] = {
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, 's', "Input key"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/PVK); has no effect"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't print key out"},
|
||||
{"text", OPT_TEXT, '-', "Print the key in text"},
|
||||
{"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
|
||||
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int dsa_main(int argc, char **argv)
|
||||
{
|
||||
BIO *out = NULL;
|
||||
DSA *dsa = NULL;
|
||||
ENGINE *e = NULL;
|
||||
const EVP_CIPHER *enc = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_CIPHER *enc = NULL;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
|
||||
int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
|
||||
#ifndef OPENSSL_NO_RC4
|
||||
int pvk_encr = 2;
|
||||
#endif
|
||||
int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0;
|
||||
int modulus = 0, pubin = 0, pubout = 0, ret = 1;
|
||||
int pvk_encr = DEFAULT_PVK_ENCR_STRENGTH;
|
||||
int private = 0;
|
||||
const char *output_type = NULL, *ciphername = NULL;
|
||||
const char *output_structure = NULL;
|
||||
int selection = 0;
|
||||
OSSL_ENCODER_CTX *ectx = NULL;
|
||||
|
||||
prog = opt_init(argc, argv, dsa_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
@ -131,15 +151,24 @@ int dsa_main(int argc, char **argv)
|
||||
pubout = 1;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &enc))
|
||||
goto end;
|
||||
}
|
||||
private = pubin || pubout ? 0 : 1;
|
||||
if (text && !pubin)
|
||||
private = 1;
|
||||
@ -150,24 +179,20 @@ int dsa_main(int argc, char **argv)
|
||||
}
|
||||
|
||||
BIO_printf(bio_err, "read DSA key\n");
|
||||
{
|
||||
EVP_PKEY *pkey;
|
||||
|
||||
if (pubin)
|
||||
pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
|
||||
pkey = load_pubkey(infile, informat, 1, passin, e, "public key");
|
||||
else
|
||||
pkey = load_key(infile, informat, 1, passin, e, "Private Key");
|
||||
pkey = load_key(infile, informat, 1, passin, e, "private key");
|
||||
|
||||
if (pkey != NULL) {
|
||||
dsa = EVP_PKEY_get1_DSA(pkey);
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
}
|
||||
if (dsa == NULL) {
|
||||
if (pkey == NULL) {
|
||||
BIO_printf(bio_err, "unable to load Key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
if (!EVP_PKEY_is_a(pkey, "DSA")) {
|
||||
BIO_printf(bio_err, "Not a DSA key\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
out = bio_open_owner(outfile, outformat, private);
|
||||
if (out == NULL)
|
||||
@ -175,7 +200,8 @@ int dsa_main(int argc, char **argv)
|
||||
|
||||
if (text) {
|
||||
assert(pubin || private);
|
||||
if (!DSA_print(out, dsa, 0)) {
|
||||
if ((pubin && EVP_PKEY_print_public(out, pkey, 0, NULL) <= 0)
|
||||
|| (!pubin && EVP_PKEY_print_private(out, pkey, 0, NULL) <= 0)) {
|
||||
perror(outfile);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
@ -183,11 +209,16 @@ int dsa_main(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (modulus) {
|
||||
const BIGNUM *pub_key = NULL;
|
||||
DSA_get0_key(dsa, &pub_key, NULL);
|
||||
BIGNUM *pub_key = NULL;
|
||||
|
||||
if (!EVP_PKEY_get_bn_param(pkey, "pub", &pub_key)) {
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
BIO_printf(out, "Public Key=");
|
||||
BN_print(out, pub_key);
|
||||
BIO_printf(out, "\n");
|
||||
BN_free(pub_key);
|
||||
}
|
||||
|
||||
if (noout) {
|
||||
@ -196,63 +227,83 @@ int dsa_main(int argc, char **argv)
|
||||
}
|
||||
BIO_printf(bio_err, "writing DSA key\n");
|
||||
if (outformat == FORMAT_ASN1) {
|
||||
if (pubin || pubout) {
|
||||
i = i2d_DSA_PUBKEY_bio(out, dsa);
|
||||
} else {
|
||||
assert(private);
|
||||
i = i2d_DSAPrivateKey_bio(out, dsa);
|
||||
}
|
||||
output_type = "DER";
|
||||
} else if (outformat == FORMAT_PEM) {
|
||||
if (pubin || pubout) {
|
||||
i = PEM_write_bio_DSA_PUBKEY(out, dsa);
|
||||
} else {
|
||||
assert(private);
|
||||
i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
|
||||
NULL, 0, NULL, passout);
|
||||
}
|
||||
#ifndef OPENSSL_NO_RSA
|
||||
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
|
||||
EVP_PKEY *pk;
|
||||
pk = EVP_PKEY_new();
|
||||
if (pk == NULL)
|
||||
goto end;
|
||||
|
||||
EVP_PKEY_set1_DSA(pk, dsa);
|
||||
if (outformat == FORMAT_PVK) {
|
||||
output_type = "PEM";
|
||||
} else if (outformat == FORMAT_MSBLOB) {
|
||||
output_type = "MSBLOB";
|
||||
} else if (outformat == FORMAT_PVK) {
|
||||
if (pubin) {
|
||||
BIO_printf(bio_err, "PVK form impossible with public key input\n");
|
||||
EVP_PKEY_free(pk);
|
||||
goto end;
|
||||
}
|
||||
assert(private);
|
||||
# ifdef OPENSSL_NO_RC4
|
||||
BIO_printf(bio_err, "PVK format not supported\n");
|
||||
EVP_PKEY_free(pk);
|
||||
goto end;
|
||||
# else
|
||||
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
|
||||
# endif
|
||||
} else if (pubin || pubout) {
|
||||
i = i2b_PublicKey_bio(out, pk);
|
||||
} else {
|
||||
assert(private);
|
||||
i = i2b_PrivateKey_bio(out, pk);
|
||||
}
|
||||
EVP_PKEY_free(pk);
|
||||
#endif
|
||||
output_type = "PVK";
|
||||
} else {
|
||||
BIO_printf(bio_err, "bad output format specified for outfile\n");
|
||||
goto end;
|
||||
}
|
||||
if (i <= 0) {
|
||||
BIO_printf(bio_err, "unable to write private key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
|
||||
if (outformat == FORMAT_ASN1 || outformat == FORMAT_PEM) {
|
||||
if (pubout || pubin)
|
||||
output_structure = "SubjectPublicKeyInfo";
|
||||
else
|
||||
output_structure = "type-specific";
|
||||
}
|
||||
|
||||
/* Select what you want in the output */
|
||||
if (pubout || pubin) {
|
||||
selection = OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
|
||||
} else {
|
||||
assert(private);
|
||||
selection = (OSSL_KEYMGMT_SELECT_KEYPAIR
|
||||
| OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
|
||||
}
|
||||
|
||||
/* Perform the encoding */
|
||||
ectx = OSSL_ENCODER_CTX_new_for_pkey(pkey, selection, output_type,
|
||||
output_structure, NULL);
|
||||
if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) {
|
||||
BIO_printf(bio_err, "%s format not supported\n", output_type);
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* Passphrase setup */
|
||||
if (enc != NULL)
|
||||
OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(enc), NULL);
|
||||
|
||||
/* Default passphrase prompter */
|
||||
if (enc != NULL || outformat == FORMAT_PVK) {
|
||||
OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL);
|
||||
if (passout != NULL)
|
||||
/* When passout given, override the passphrase prompter */
|
||||
OSSL_ENCODER_CTX_set_passphrase(ectx,
|
||||
(const unsigned char *)passout,
|
||||
strlen(passout));
|
||||
}
|
||||
|
||||
/* PVK requires a bit more */
|
||||
if (outformat == FORMAT_PVK) {
|
||||
OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
|
||||
|
||||
params[0] = OSSL_PARAM_construct_int("encrypt-level", &pvk_encr);
|
||||
if (!OSSL_ENCODER_CTX_set_params(ectx, params)) {
|
||||
BIO_printf(bio_err, "invalid PVK encryption level\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (!OSSL_ENCODER_to_bio(ectx, out)) {
|
||||
BIO_printf(bio_err, "unable to write key\n");
|
||||
goto end;
|
||||
}
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
OSSL_ENCODER_CTX_free(ectx);
|
||||
BIO_free_all(out);
|
||||
DSA_free(dsa);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_CIPHER_free(enc);
|
||||
release_engine(e);
|
||||
OPENSSL_free(passin);
|
||||
OPENSSL_free(passout);
|
||||
|
@ -1,15 +1,17 @@
|
||||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include "apps.h"
|
||||
#include <time.h>
|
||||
#include <string.h>
|
||||
#include "apps.h"
|
||||
@ -21,39 +23,54 @@
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
static int dsa_cb(int p, int n, BN_GENCB *cb);
|
||||
static int verbose = 0;
|
||||
|
||||
static int gendsa_cb(EVP_PKEY_CTX *ctx);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
|
||||
OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_R_ENUM
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
|
||||
OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_VERBOSE,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS dsaparam_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [numbits]\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"text", OPT_TEXT, '-', "Print as text"},
|
||||
{"C", OPT_C, '-', "Output C code"},
|
||||
{"noout", OPT_NOOUT, '-', "No output"},
|
||||
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
|
||||
OPT_R_OPTIONS,
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
{"text", OPT_TEXT, '-', "Print as text"},
|
||||
{"noout", OPT_NOOUT, '-', "No output"},
|
||||
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
|
||||
{"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"numbits", 0, 0, "Number of bits if generating parameters (optional)"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int dsaparam_main(int argc, char **argv)
|
||||
{
|
||||
ENGINE *e = NULL;
|
||||
DSA *dsa = NULL;
|
||||
BIO *in = NULL, *out = NULL;
|
||||
BN_GENCB *cb = NULL;
|
||||
BIO *out = NULL;
|
||||
EVP_PKEY *params = NULL, *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
int numbits = -1, num = 0, genkey = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
|
||||
int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, noout = 0;
|
||||
int ret = 1, i, text = 0, private = 0;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
OPTION_CHOICE o;
|
||||
@ -90,9 +107,6 @@ int dsaparam_main(int argc, char **argv)
|
||||
case OPT_TEXT:
|
||||
text = 1;
|
||||
break;
|
||||
case OPT_C:
|
||||
C = 1;
|
||||
break;
|
||||
case OPT_GENKEY:
|
||||
genkey = 1;
|
||||
break;
|
||||
@ -100,29 +114,45 @@ int dsaparam_main(int argc, char **argv)
|
||||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_NOOUT:
|
||||
noout = 1;
|
||||
break;
|
||||
case OPT_VERBOSE:
|
||||
verbose = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* Optional arg is bitsize. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
|
||||
if (argc == 1) {
|
||||
if (!opt_int(argv[0], &num) || num < 0)
|
||||
goto opthelp;
|
||||
} else if (argc != 0) {
|
||||
goto opthelp;
|
||||
}
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
/* generate a key */
|
||||
numbits = num;
|
||||
}
|
||||
private = genkey ? 1 : 0;
|
||||
|
||||
in = bio_open_default(infile, 'r', informat);
|
||||
if (in == NULL)
|
||||
goto end;
|
||||
out = bio_open_owner(outfile, outformat, private);
|
||||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
ctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "DSA", app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, DSA parameter generation context allocation failed\n");
|
||||
goto end;
|
||||
}
|
||||
if (numbits > 0) {
|
||||
if (numbits > OPENSSL_DSA_MAX_MODULUS_BITS)
|
||||
BIO_printf(bio_err,
|
||||
@ -130,74 +160,34 @@ int dsaparam_main(int argc, char **argv)
|
||||
" Your key size is %d! Larger key size may behave not as expected.\n",
|
||||
OPENSSL_DSA_MAX_MODULUS_BITS, numbits);
|
||||
|
||||
cb = BN_GENCB_new();
|
||||
if (cb == NULL) {
|
||||
BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
|
||||
goto end;
|
||||
}
|
||||
BN_GENCB_set(cb, dsa_cb, bio_err);
|
||||
dsa = DSA_new();
|
||||
if (dsa == NULL) {
|
||||
BIO_printf(bio_err, "Error allocating DSA object\n");
|
||||
goto end;
|
||||
}
|
||||
EVP_PKEY_CTX_set_cb(ctx, gendsa_cb);
|
||||
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
|
||||
if (verbose) {
|
||||
BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
|
||||
num);
|
||||
BIO_printf(bio_err, "This could take some time\n");
|
||||
if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, cb)) {
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Error, DSA key generation failed\n");
|
||||
}
|
||||
if (EVP_PKEY_paramgen_init(ctx) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, DSA key generation paramgen init failed\n");
|
||||
goto end;
|
||||
}
|
||||
} else if (informat == FORMAT_ASN1) {
|
||||
dsa = d2i_DSAparams_bio(in, NULL);
|
||||
} else {
|
||||
dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
|
||||
if (EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, num) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, DSA key generation setting bit length failed\n");
|
||||
goto end;
|
||||
}
|
||||
if (dsa == NULL) {
|
||||
BIO_printf(bio_err, "unable to load DSA parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
params = app_paramgen(ctx, "DSA");
|
||||
} else {
|
||||
params = load_keyparams(infile, informat, 1, "DSA", "DSA parameters");
|
||||
}
|
||||
if (params == NULL) {
|
||||
/* Error message should already have been displayed */
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (text) {
|
||||
DSAparams_print(out, dsa);
|
||||
}
|
||||
|
||||
if (C) {
|
||||
const BIGNUM *p = NULL, *q = NULL, *g = NULL;
|
||||
unsigned char *data;
|
||||
int len, bits_p;
|
||||
|
||||
DSA_get0_pqg(dsa, &p, &q, &g);
|
||||
len = BN_num_bytes(p);
|
||||
bits_p = BN_num_bits(p);
|
||||
|
||||
data = app_malloc(len + 20, "BN space");
|
||||
|
||||
BIO_printf(bio_out, "static DSA *get_dsa%d(void)\n{\n", bits_p);
|
||||
print_bignum_var(bio_out, p, "dsap", bits_p, data);
|
||||
print_bignum_var(bio_out, q, "dsaq", bits_p, data);
|
||||
print_bignum_var(bio_out, g, "dsag", bits_p, data);
|
||||
BIO_printf(bio_out, " DSA *dsa = DSA_new();\n"
|
||||
" BIGNUM *p, *q, *g;\n"
|
||||
"\n");
|
||||
BIO_printf(bio_out, " if (dsa == NULL)\n"
|
||||
" return NULL;\n");
|
||||
BIO_printf(bio_out, " if (!DSA_set0_pqg(dsa, p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL),\n",
|
||||
bits_p, bits_p);
|
||||
BIO_printf(bio_out, " q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL),\n",
|
||||
bits_p, bits_p);
|
||||
BIO_printf(bio_out, " g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL))) {\n",
|
||||
bits_p, bits_p);
|
||||
BIO_printf(bio_out, " DSA_free(dsa);\n"
|
||||
" BN_free(p);\n"
|
||||
" BN_free(q);\n"
|
||||
" BN_free(g);\n"
|
||||
" return NULL;\n"
|
||||
" }\n"
|
||||
" return dsa;\n}\n");
|
||||
OPENSSL_free(data);
|
||||
EVP_PKEY_print_params(out, params, 0, NULL);
|
||||
}
|
||||
|
||||
if (outformat == FORMAT_ASN1 && genkey)
|
||||
@ -205,49 +195,62 @@ int dsaparam_main(int argc, char **argv)
|
||||
|
||||
if (!noout) {
|
||||
if (outformat == FORMAT_ASN1)
|
||||
i = i2d_DSAparams_bio(out, dsa);
|
||||
i = i2d_KeyParams_bio(out, params);
|
||||
else
|
||||
i = PEM_write_bio_DSAparams(out, dsa);
|
||||
i = PEM_write_bio_Parameters(out, params);
|
||||
if (!i) {
|
||||
BIO_printf(bio_err, "unable to write DSA parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_printf(bio_err, "Error, unable to write DSA parameters\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (genkey) {
|
||||
DSA *dsakey;
|
||||
|
||||
if ((dsakey = DSAparams_dup(dsa)) == NULL)
|
||||
goto end;
|
||||
if (!DSA_generate_key(dsakey)) {
|
||||
ERR_print_errors(bio_err);
|
||||
DSA_free(dsakey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params,
|
||||
app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, DSA key generation context allocation failed\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_keygen_init(ctx) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"Error, unable to initialise for key generation\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = app_keygen(ctx, "DSA", numbits, verbose);
|
||||
assert(private);
|
||||
if (outformat == FORMAT_ASN1)
|
||||
i = i2d_DSAPrivateKey_bio(out, dsakey);
|
||||
i = i2d_PrivateKey_bio(out, pkey);
|
||||
else
|
||||
i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL,
|
||||
NULL);
|
||||
DSA_free(dsakey);
|
||||
i = PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, NULL);
|
||||
}
|
||||
ret = 0;
|
||||
end:
|
||||
BN_GENCB_free(cb);
|
||||
BIO_free(in);
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_free_all(out);
|
||||
DSA_free(dsa);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_free(params);
|
||||
release_engine(e);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int dsa_cb(int p, int n, BN_GENCB *cb)
|
||||
static int gendsa_cb(EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
static const char symbols[] = ".+*\n";
|
||||
char c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
|
||||
int p;
|
||||
char c;
|
||||
BIO *b;
|
||||
|
||||
BIO_write(BN_GENCB_get_arg(cb), &c, 1);
|
||||
(void)BIO_flush(BN_GENCB_get_arg(cb));
|
||||
if (!verbose)
|
||||
return 1;
|
||||
|
||||
b = EVP_PKEY_CTX_get_app_data(ctx);
|
||||
p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
||||
c = (p >= 0 && (size_t)p < sizeof(symbols) - 1) ? symbols[p] : '?';
|
||||
|
||||
BIO_write(b, &c, 1);
|
||||
(void)BIO_flush(b);
|
||||
return 1;
|
||||
}
|
||||
|
@ -1,84 +1,84 @@
|
||||
/*
|
||||
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/encoder.h>
|
||||
#include <openssl/decoder.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/err.h>
|
||||
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
|
||||
static OPT_PAIR conv_forms[] = {
|
||||
{"compressed", POINT_CONVERSION_COMPRESSED},
|
||||
{"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
|
||||
{"hybrid", POINT_CONVERSION_HYBRID},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static OPT_PAIR param_enc[] = {
|
||||
{"named_curve", OPENSSL_EC_NAMED_CURVE},
|
||||
{"explicit", 0},
|
||||
{NULL}
|
||||
};
|
||||
#include "ec_common.h"
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
|
||||
OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
|
||||
OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER,
|
||||
OPT_NO_PUBLIC, OPT_CHECK
|
||||
OPT_NO_PUBLIC, OPT_CHECK, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS ec_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, 's', "Input file"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format - DER or PEM"},
|
||||
{"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
{"check", OPT_CHECK, '-', "check key consistency"},
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
{"param_enc", OPT_PARAM_ENC, 's',
|
||||
"Specifies the way the ec parameters are encoded"},
|
||||
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
|
||||
{"noout", OPT_NOOUT, '-', "Don't print key out"},
|
||||
{"text", OPT_TEXT, '-', "Print the key"},
|
||||
{"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
|
||||
{"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
|
||||
{"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
|
||||
{"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"},
|
||||
{"check", OPT_CHECK, '-', "check key consistency"},
|
||||
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
{"param_enc", OPT_PARAM_ENC, 's',
|
||||
"Specifies the way the ec parameters are encoded"},
|
||||
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int ec_main(int argc, char **argv)
|
||||
{
|
||||
BIO *in = NULL, *out = NULL;
|
||||
OSSL_ENCODER_CTX *ectx = NULL;
|
||||
OSSL_DECODER_CTX *dctx = NULL;
|
||||
EVP_PKEY_CTX *pctx = NULL;
|
||||
EVP_PKEY *eckey = NULL;
|
||||
BIO *out = NULL;
|
||||
ENGINE *e = NULL;
|
||||
EC_KEY *eckey = NULL;
|
||||
const EC_GROUP *group;
|
||||
const EVP_CIPHER *enc = NULL;
|
||||
point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
EVP_CIPHER *enc = NULL;
|
||||
char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
|
||||
char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
|
||||
int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
|
||||
int no_public = 0, check = 0;
|
||||
int informat = FORMAT_UNDEF, outformat = FORMAT_PEM, text = 0, noout = 0;
|
||||
int pubin = 0, pubout = 0, param_out = 0, ret = 1, private = 0;
|
||||
int check = 0;
|
||||
char *asn1_encoding = NULL;
|
||||
char *point_format = NULL;
|
||||
int no_public = 0;
|
||||
|
||||
prog = opt_init(argc, argv, ec_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
@ -131,20 +131,17 @@ int ec_main(int argc, char **argv)
|
||||
e = setup_engine(opt_arg(), 0);
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
goto opthelp;
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_CONV_FORM:
|
||||
if (!opt_pair(opt_arg(), conv_forms, &i))
|
||||
point_format = opt_arg();
|
||||
if (!opt_string(point_format, point_format_options))
|
||||
goto opthelp;
|
||||
new_form = 1;
|
||||
form = i;
|
||||
break;
|
||||
case OPT_PARAM_ENC:
|
||||
if (!opt_pair(opt_arg(), param_enc, &i))
|
||||
asn1_encoding = opt_arg();
|
||||
if (!opt_string(asn1_encoding, asn1_encoding_options))
|
||||
goto opthelp;
|
||||
new_asn1_flag = 1;
|
||||
asn1_flag = i;
|
||||
break;
|
||||
case OPT_NO_PUBLIC:
|
||||
no_public = 1;
|
||||
@ -152,12 +149,22 @@ int ec_main(int argc, char **argv)
|
||||
case OPT_CHECK:
|
||||
check = 1;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra arguments. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &enc))
|
||||
goto opthelp;
|
||||
}
|
||||
private = param_out || pubin || pubout ? 0 : 1;
|
||||
if (text && !pubin)
|
||||
private = 1;
|
||||
@ -167,37 +174,15 @@ int ec_main(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (informat != FORMAT_ENGINE) {
|
||||
in = bio_open_default(infile, 'r', informat);
|
||||
if (in == NULL)
|
||||
goto end;
|
||||
}
|
||||
|
||||
BIO_printf(bio_err, "read EC key\n");
|
||||
if (informat == FORMAT_ASN1) {
|
||||
|
||||
if (pubin)
|
||||
eckey = d2i_EC_PUBKEY_bio(in, NULL);
|
||||
eckey = load_pubkey(infile, informat, 1, passin, e, "public key");
|
||||
else
|
||||
eckey = d2i_ECPrivateKey_bio(in, NULL);
|
||||
} else if (informat == FORMAT_ENGINE) {
|
||||
EVP_PKEY *pkey;
|
||||
if (pubin)
|
||||
pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
|
||||
else
|
||||
pkey = load_key(infile, informat, 1, passin, e, "Private Key");
|
||||
if (pkey != NULL) {
|
||||
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
} else {
|
||||
if (pubin)
|
||||
eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL);
|
||||
else
|
||||
eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin);
|
||||
}
|
||||
eckey = load_key(infile, informat, 1, passin, e, "private key");
|
||||
|
||||
if (eckey == NULL) {
|
||||
BIO_printf(bio_err, "unable to load Key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
@ -205,74 +190,105 @@ int ec_main(int argc, char **argv)
|
||||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
group = EC_KEY_get0_group(eckey);
|
||||
if (point_format
|
||||
&& !EVP_PKEY_set_utf8_string_param(
|
||||
eckey, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
|
||||
point_format)) {
|
||||
BIO_printf(bio_err, "unable to set point conversion format\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (new_form)
|
||||
EC_KEY_set_conv_form(eckey, form);
|
||||
if (asn1_encoding != NULL
|
||||
&& !EVP_PKEY_set_utf8_string_param(
|
||||
eckey, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
|
||||
BIO_printf(bio_err, "unable to set asn1 encoding format\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (new_asn1_flag)
|
||||
EC_KEY_set_asn1_flag(eckey, asn1_flag);
|
||||
|
||||
if (no_public)
|
||||
EC_KEY_set_enc_flags(eckey, EC_PKEY_NO_PUBKEY);
|
||||
if (no_public) {
|
||||
if (!EVP_PKEY_set_int_param(eckey, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, 0)) {
|
||||
BIO_printf(bio_err, "unable to disable public key encoding\n");
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
if (!EVP_PKEY_set_int_param(eckey, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, 1)) {
|
||||
BIO_printf(bio_err, "unable to enable public key encoding\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (text) {
|
||||
assert(pubin || private);
|
||||
if (!EC_KEY_print(out, eckey, 0)) {
|
||||
perror(outfile);
|
||||
ERR_print_errors(bio_err);
|
||||
if ((pubin && EVP_PKEY_print_public(out, eckey, 0, NULL) <= 0)
|
||||
|| (!pubin && EVP_PKEY_print_private(out, eckey, 0, NULL) <= 0)) {
|
||||
BIO_printf(bio_err, "unable to print EC key\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (check) {
|
||||
if (EC_KEY_check_key(eckey) == 1) {
|
||||
BIO_printf(bio_err, "EC Key valid.\n");
|
||||
} else {
|
||||
BIO_printf(bio_err, "EC Key Invalid!\n");
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
}
|
||||
|
||||
if (noout) {
|
||||
ret = 0;
|
||||
pctx = EVP_PKEY_CTX_new_from_pkey(NULL, eckey, NULL);
|
||||
if (pctx == NULL) {
|
||||
BIO_printf(bio_err, "unable to check EC key\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_check(pctx) <= 0)
|
||||
BIO_printf(bio_err, "EC Key Invalid!\n");
|
||||
else
|
||||
BIO_printf(bio_err, "EC Key valid.\n");
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
|
||||
if (!noout) {
|
||||
int selection;
|
||||
const char *output_type = outformat == FORMAT_ASN1 ? "DER" : "PEM";
|
||||
const char *output_structure = "type-specific";
|
||||
|
||||
BIO_printf(bio_err, "writing EC key\n");
|
||||
if (outformat == FORMAT_ASN1) {
|
||||
if (param_out) {
|
||||
i = i2d_ECPKParameters_bio(out, group);
|
||||
selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
|
||||
} else if (pubin || pubout) {
|
||||
i = i2d_EC_PUBKEY_bio(out, eckey);
|
||||
selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS
|
||||
| OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
|
||||
output_structure = "SubjectPublicKeyInfo";
|
||||
} else {
|
||||
selection = OSSL_KEYMGMT_SELECT_ALL;
|
||||
assert(private);
|
||||
i = i2d_ECPrivateKey_bio(out, eckey);
|
||||
}
|
||||
} else {
|
||||
if (param_out) {
|
||||
i = PEM_write_bio_ECPKParameters(out, group);
|
||||
} else if (pubin || pubout) {
|
||||
i = PEM_write_bio_EC_PUBKEY(out, eckey);
|
||||
} else {
|
||||
assert(private);
|
||||
i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
|
||||
NULL, 0, NULL, passout);
|
||||
|
||||
ectx = OSSL_ENCODER_CTX_new_for_pkey(eckey, selection,
|
||||
output_type, output_structure,
|
||||
NULL);
|
||||
if (enc != NULL) {
|
||||
OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_get0_name(enc), NULL);
|
||||
/* Default passphrase prompter */
|
||||
OSSL_ENCODER_CTX_set_passphrase_ui(ectx, get_ui_method(), NULL);
|
||||
if (passout != NULL)
|
||||
/* When passout given, override the passphrase prompter */
|
||||
OSSL_ENCODER_CTX_set_passphrase(ectx,
|
||||
(const unsigned char *)passout,
|
||||
strlen(passout));
|
||||
}
|
||||
if (!OSSL_ENCODER_to_bio(ectx, out)) {
|
||||
BIO_printf(bio_err, "unable to write EC key\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (!i) {
|
||||
BIO_printf(bio_err, "unable to write private key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
} else {
|
||||
ret = 0;
|
||||
}
|
||||
end:
|
||||
BIO_free(in);
|
||||
end:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
BIO_free_all(out);
|
||||
EC_KEY_free(eckey);
|
||||
EVP_PKEY_free(eckey);
|
||||
EVP_CIPHER_free(enc);
|
||||
OSSL_ENCODER_CTX_free(ectx);
|
||||
OSSL_DECODER_CTX_free(dctx);
|
||||
EVP_PKEY_CTX_free(pctx);
|
||||
release_engine(e);
|
||||
OPENSSL_free(passin);
|
||||
OPENSSL_free(passout);
|
||||
if (passin != NULL)
|
||||
OPENSSL_clear_free(passin, strlen(passin));
|
||||
if (passout != NULL)
|
||||
OPENSSL_clear_free(passout, strlen(passout));
|
||||
return ret;
|
||||
}
|
||||
|
@ -1,92 +1,115 @@
|
||||
/*
|
||||
* Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2002-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
#include <string.h>
|
||||
#include <openssl/opensslconf.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/encoder.h>
|
||||
#include <openssl/decoder.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/core_dispatch.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/err.h>
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/ec.h>
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
#include "ec_common.h"
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
|
||||
OPT_COMMON,
|
||||
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
|
||||
OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
|
||||
OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE,
|
||||
OPT_R_ENUM
|
||||
OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE, OPT_CHECK_NAMED,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS ecparam_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
|
||||
{"in", OPT_IN, '<', "Input file - default stdin"},
|
||||
{"out", OPT_OUT, '>', "Output file - default stdout"},
|
||||
{"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
|
||||
{"C", OPT_C, '-', "Print a 'C' function creating the parameters"},
|
||||
{"check", OPT_CHECK, '-', "Validate the ec parameters"},
|
||||
{"list_curves", OPT_LIST_CURVES, '-',
|
||||
"Prints a list of all curve 'short names'"},
|
||||
{"no_seed", OPT_NO_SEED, '-',
|
||||
"If 'explicit' parameters are chosen do not use the seed"},
|
||||
{"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
|
||||
{"name", OPT_NAME, 's',
|
||||
"Use the ec parameters with specified 'short name'"},
|
||||
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
|
||||
{"param_enc", OPT_PARAM_ENC, 's',
|
||||
"Specifies the way the ec parameters are encoded"},
|
||||
{"genkey", OPT_GENKEY, '-', "Generate ec key"},
|
||||
OPT_R_OPTIONS,
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
{"genkey", OPT_GENKEY, '-', "Generate ec key"},
|
||||
{"in", OPT_IN, '<', "Input file - default stdin"},
|
||||
{"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
|
||||
{"out", OPT_OUT, '>', "Output file - default stdout"},
|
||||
{"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
|
||||
{"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
|
||||
{"param_enc", OPT_PARAM_ENC, 's',
|
||||
"Specifies the way the ec parameters are encoded"},
|
||||
|
||||
OPT_SECTION("Parameter"),
|
||||
{"check", OPT_CHECK, '-', "Validate the ec parameters"},
|
||||
{"check_named", OPT_CHECK_NAMED, '-',
|
||||
"Check that named EC curve parameters have not been modified"},
|
||||
{"no_seed", OPT_NO_SEED, '-',
|
||||
"If 'explicit' parameters are chosen do not use the seed"},
|
||||
{"name", OPT_NAME, 's',
|
||||
"Use the ec parameters with specified 'short name'"},
|
||||
{"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static OPT_PAIR forms[] = {
|
||||
{"compressed", POINT_CONVERSION_COMPRESSED},
|
||||
{"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
|
||||
{"hybrid", POINT_CONVERSION_HYBRID},
|
||||
{NULL}
|
||||
};
|
||||
static int list_builtin_curves(BIO *out)
|
||||
{
|
||||
int ret = 0;
|
||||
EC_builtin_curve *curves = NULL;
|
||||
size_t n, crv_len = EC_get_builtin_curves(NULL, 0);
|
||||
|
||||
static OPT_PAIR encodings[] = {
|
||||
{"named_curve", OPENSSL_EC_NAMED_CURVE},
|
||||
{"explicit", 0},
|
||||
{NULL}
|
||||
};
|
||||
curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
|
||||
if (!EC_get_builtin_curves(curves, crv_len))
|
||||
goto end;
|
||||
|
||||
for (n = 0; n < crv_len; n++) {
|
||||
const char *comment = curves[n].comment;
|
||||
const char *sname = OBJ_nid2sn(curves[n].nid);
|
||||
|
||||
if (comment == NULL)
|
||||
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
||||
if (sname == NULL)
|
||||
sname = "";
|
||||
|
||||
BIO_printf(out, " %-10s: ", sname);
|
||||
BIO_printf(out, "%s\n", comment);
|
||||
}
|
||||
ret = 1;
|
||||
end:
|
||||
OPENSSL_free(curves);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ecparam_main(int argc, char **argv)
|
||||
{
|
||||
EVP_PKEY_CTX *gctx_params = NULL, *gctx_key = NULL, *pctx = NULL;
|
||||
EVP_PKEY *params_key = NULL, *key = NULL;
|
||||
OSSL_ENCODER_CTX *ectx_key = NULL, *ectx_params = NULL;
|
||||
OSSL_DECODER_CTX *dctx_params = NULL;
|
||||
ENGINE *e = NULL;
|
||||
BIGNUM *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
|
||||
BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL;
|
||||
BIO *in = NULL, *out = NULL;
|
||||
EC_GROUP *group = NULL;
|
||||
point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
|
||||
BIO *out = NULL;
|
||||
char *curve_name = NULL;
|
||||
char *asn1_encoding = NULL;
|
||||
char *point_format = NULL;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
unsigned char *buffer = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
|
||||
int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0;
|
||||
int ret = 1, private = 0;
|
||||
int list_curves = 0, no_seed = 0, check = 0, new_form = 0;
|
||||
int text = 0, i, genkey = 0;
|
||||
int no_seed = 0, check = 0, check_named = 0, text = 0, genkey = 0;
|
||||
int list_curves = 0;
|
||||
|
||||
prog = opt_init(argc, argv, ecparam_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
@ -117,12 +140,12 @@ int ecparam_main(int argc, char **argv)
|
||||
case OPT_TEXT:
|
||||
text = 1;
|
||||
break;
|
||||
case OPT_C:
|
||||
C = 1;
|
||||
break;
|
||||
case OPT_CHECK:
|
||||
check = 1;
|
||||
break;
|
||||
case OPT_CHECK_NAMED:
|
||||
check_named = 1;
|
||||
break;
|
||||
case OPT_LIST_CURVES:
|
||||
list_curves = 1;
|
||||
break;
|
||||
@ -136,15 +159,14 @@ int ecparam_main(int argc, char **argv)
|
||||
curve_name = opt_arg();
|
||||
break;
|
||||
case OPT_CONV_FORM:
|
||||
if (!opt_pair(opt_arg(), forms, &new_form))
|
||||
point_format = opt_arg();
|
||||
if (!opt_string(point_format, point_format_options))
|
||||
goto opthelp;
|
||||
form = new_form;
|
||||
new_form = 1;
|
||||
break;
|
||||
case OPT_PARAM_ENC:
|
||||
if (!opt_pair(opt_arg(), encodings, &asn1_flag))
|
||||
asn1_encoding = opt_arg();
|
||||
if (!opt_string(asn1_encoding, asn1_encoding_options))
|
||||
goto opthelp;
|
||||
new_asn1_flag = 1;
|
||||
break;
|
||||
case OPT_GENKEY:
|
||||
genkey = 1;
|
||||
@ -153,292 +175,178 @@ int ecparam_main(int argc, char **argv)
|
||||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_ENGINE:
|
||||
e = setup_engine(opt_arg(), 0);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra args. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
private = genkey ? 1 : 0;
|
||||
|
||||
in = bio_open_default(infile, 'r', informat);
|
||||
if (in == NULL)
|
||||
goto end;
|
||||
out = bio_open_owner(outfile, outformat, private);
|
||||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
if (list_curves) {
|
||||
EC_builtin_curve *curves = NULL;
|
||||
size_t crv_len = EC_get_builtin_curves(NULL, 0);
|
||||
size_t n;
|
||||
|
||||
curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
|
||||
if (!EC_get_builtin_curves(curves, crv_len)) {
|
||||
OPENSSL_free(curves);
|
||||
goto end;
|
||||
}
|
||||
|
||||
for (n = 0; n < crv_len; n++) {
|
||||
const char *comment;
|
||||
const char *sname;
|
||||
comment = curves[n].comment;
|
||||
sname = OBJ_nid2sn(curves[n].nid);
|
||||
if (comment == NULL)
|
||||
comment = "CURVE DESCRIPTION NOT AVAILABLE";
|
||||
if (sname == NULL)
|
||||
sname = "";
|
||||
|
||||
BIO_printf(out, " %-10s: ", sname);
|
||||
BIO_printf(out, "%s\n", comment);
|
||||
}
|
||||
|
||||
OPENSSL_free(curves);
|
||||
if (list_builtin_curves(out))
|
||||
ret = 0;
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (curve_name != NULL) {
|
||||
int nid;
|
||||
OSSL_PARAM params[4];
|
||||
OSSL_PARAM *p = params;
|
||||
|
||||
/*
|
||||
* workaround for the SECG curve names secp192r1 and secp256r1 (which
|
||||
* are the same as the curves prime192v1 and prime256v1 defined in
|
||||
* X9.62)
|
||||
*/
|
||||
if (strcmp(curve_name, "secp192r1") == 0) {
|
||||
BIO_printf(bio_err, "using curve name prime192v1 "
|
||||
"instead of secp192r1\n");
|
||||
nid = NID_X9_62_prime192v1;
|
||||
BIO_printf(bio_err,
|
||||
"using curve name prime192v1 instead of secp192r1\n");
|
||||
curve_name = SN_X9_62_prime192v1;
|
||||
} else if (strcmp(curve_name, "secp256r1") == 0) {
|
||||
BIO_printf(bio_err, "using curve name prime256v1 "
|
||||
"instead of secp256r1\n");
|
||||
nid = NID_X9_62_prime256v1;
|
||||
BIO_printf(bio_err,
|
||||
"using curve name prime256v1 instead of secp256r1\n");
|
||||
curve_name = SN_X9_62_prime256v1;
|
||||
}
|
||||
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
curve_name, 0);
|
||||
if (asn1_encoding != NULL)
|
||||
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
|
||||
asn1_encoding, 0);
|
||||
if (point_format != NULL)
|
||||
*p++ = OSSL_PARAM_construct_utf8_string(
|
||||
OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
|
||||
point_format, 0);
|
||||
*p = OSSL_PARAM_construct_end();
|
||||
|
||||
if (OPENSSL_strcasecmp(curve_name, "SM2") == 0)
|
||||
gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "sm2",
|
||||
app_get0_propq());
|
||||
else
|
||||
gctx_params = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), "ec",
|
||||
app_get0_propq());
|
||||
if (gctx_params == NULL
|
||||
|| EVP_PKEY_keygen_init(gctx_params) <= 0
|
||||
|| EVP_PKEY_CTX_set_params(gctx_params, params) <= 0
|
||||
|| EVP_PKEY_keygen(gctx_params, ¶ms_key) <= 0) {
|
||||
BIO_printf(bio_err, "unable to generate key\n");
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
nid = OBJ_sn2nid(curve_name);
|
||||
}
|
||||
|
||||
if (nid == 0)
|
||||
nid = EC_curve_nist2nid(curve_name);
|
||||
|
||||
if (nid == 0) {
|
||||
BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name);
|
||||
params_key = load_keyparams(infile, informat, 1, "EC", "EC parameters");
|
||||
if (params_key == NULL || !EVP_PKEY_is_a(params_key, "EC"))
|
||||
goto end;
|
||||
if (point_format
|
||||
&& !EVP_PKEY_set_utf8_string_param(
|
||||
params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
|
||||
point_format)) {
|
||||
BIO_printf(bio_err, "unable to set point conversion format\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
group = EC_GROUP_new_by_curve_name(nid);
|
||||
if (group == NULL) {
|
||||
BIO_printf(bio_err, "unable to create curve (%s)\n", curve_name);
|
||||
if (asn1_encoding != NULL
|
||||
&& !EVP_PKEY_set_utf8_string_param(
|
||||
params_key, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
|
||||
BIO_printf(bio_err, "unable to set asn1 encoding format\n");
|
||||
goto end;
|
||||
}
|
||||
EC_GROUP_set_asn1_flag(group, asn1_flag);
|
||||
EC_GROUP_set_point_conversion_form(group, form);
|
||||
} else if (informat == FORMAT_ASN1) {
|
||||
group = d2i_ECPKParameters_bio(in, NULL);
|
||||
} else {
|
||||
group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
|
||||
}
|
||||
if (group == NULL) {
|
||||
BIO_printf(bio_err, "unable to load elliptic curve parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
|
||||
if (no_seed
|
||||
&& !EVP_PKEY_set_octet_string_param(params_key, OSSL_PKEY_PARAM_EC_SEED,
|
||||
NULL, 0)) {
|
||||
BIO_printf(bio_err, "unable to clear seed\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (new_form)
|
||||
EC_GROUP_set_point_conversion_form(group, form);
|
||||
|
||||
if (new_asn1_flag)
|
||||
EC_GROUP_set_asn1_flag(group, asn1_flag);
|
||||
|
||||
if (no_seed) {
|
||||
EC_GROUP_set_seed(group, NULL, 0);
|
||||
}
|
||||
|
||||
if (text) {
|
||||
if (!ECPKParameters_print(out, group, 0))
|
||||
if (text
|
||||
&& !EVP_PKEY_print_params(out, params_key, 0, NULL)) {
|
||||
BIO_printf(bio_err, "unable to print params\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (check) {
|
||||
if (check || check_named) {
|
||||
BIO_printf(bio_err, "checking elliptic curve parameters: ");
|
||||
if (!EC_GROUP_check(group, NULL)) {
|
||||
|
||||
if (check_named
|
||||
&& !EVP_PKEY_set_utf8_string_param(params_key,
|
||||
OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE,
|
||||
OSSL_PKEY_EC_GROUP_CHECK_NAMED)) {
|
||||
BIO_printf(bio_err, "unable to set check_type\n");
|
||||
goto end;
|
||||
}
|
||||
pctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
|
||||
app_get0_propq());
|
||||
if (pctx == NULL || EVP_PKEY_param_check(pctx) <= 0) {
|
||||
BIO_printf(bio_err, "failed\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
BIO_printf(bio_err, "ok\n");
|
||||
|
||||
}
|
||||
|
||||
if (C) {
|
||||
size_t buf_len = 0, tmp_len = 0;
|
||||
const EC_POINT *point;
|
||||
int is_prime, len = 0;
|
||||
const EC_METHOD *meth = EC_GROUP_method_of(group);
|
||||
|
||||
if ((ec_p = BN_new()) == NULL
|
||||
|| (ec_a = BN_new()) == NULL
|
||||
|| (ec_b = BN_new()) == NULL
|
||||
|| (ec_gen = BN_new()) == NULL
|
||||
|| (ec_order = BN_new()) == NULL
|
||||
|| (ec_cofactor = BN_new()) == NULL) {
|
||||
perror("Can't allocate BN");
|
||||
goto end;
|
||||
}
|
||||
|
||||
is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
|
||||
if (!is_prime) {
|
||||
BIO_printf(bio_err, "Can only handle X9.62 prime fields\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!EC_GROUP_get_curve(group, ec_p, ec_a, ec_b, NULL))
|
||||
goto end;
|
||||
|
||||
if ((point = EC_GROUP_get0_generator(group)) == NULL)
|
||||
goto end;
|
||||
if (!EC_POINT_point2bn(group, point,
|
||||
EC_GROUP_get_point_conversion_form(group),
|
||||
ec_gen, NULL))
|
||||
goto end;
|
||||
if (!EC_GROUP_get_order(group, ec_order, NULL))
|
||||
goto end;
|
||||
if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL))
|
||||
goto end;
|
||||
|
||||
if (!ec_p || !ec_a || !ec_b || !ec_gen || !ec_order || !ec_cofactor)
|
||||
goto end;
|
||||
|
||||
len = BN_num_bits(ec_order);
|
||||
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_p)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_a)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_b)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_gen)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_order)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len)
|
||||
buf_len = tmp_len;
|
||||
|
||||
buffer = app_malloc(buf_len, "BN buffer");
|
||||
|
||||
BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n{\n", len);
|
||||
print_bignum_var(out, ec_p, "ec_p", len, buffer);
|
||||
print_bignum_var(out, ec_a, "ec_a", len, buffer);
|
||||
print_bignum_var(out, ec_b, "ec_b", len, buffer);
|
||||
print_bignum_var(out, ec_gen, "ec_gen", len, buffer);
|
||||
print_bignum_var(out, ec_order, "ec_order", len, buffer);
|
||||
print_bignum_var(out, ec_cofactor, "ec_cofactor", len, buffer);
|
||||
BIO_printf(out, " int ok = 0;\n"
|
||||
" EC_GROUP *group = NULL;\n"
|
||||
" EC_POINT *point = NULL;\n"
|
||||
" BIGNUM *tmp_1 = NULL;\n"
|
||||
" BIGNUM *tmp_2 = NULL;\n"
|
||||
" BIGNUM *tmp_3 = NULL;\n"
|
||||
"\n");
|
||||
|
||||
BIO_printf(out, " if ((tmp_1 = BN_bin2bn(ec_p_%d, sizeof(ec_p_%d), NULL)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if ((tmp_2 = BN_bin2bn(ec_a_%d, sizeof(ec_a_%d), NULL)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if ((tmp_3 = BN_bin2bn(ec_b_%d, sizeof(ec_b_%d), NULL)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if ((group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)\n"
|
||||
" goto err;\n"
|
||||
"\n");
|
||||
BIO_printf(out, " /* build generator */\n");
|
||||
BIO_printf(out, " if ((tmp_1 = BN_bin2bn(ec_gen_%d, sizeof(ec_gen_%d), tmp_1)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " point = EC_POINT_bn2point(group, tmp_1, NULL, NULL);\n");
|
||||
BIO_printf(out, " if (point == NULL)\n"
|
||||
" goto err;\n");
|
||||
BIO_printf(out, " if ((tmp_2 = BN_bin2bn(ec_order_%d, sizeof(ec_order_%d), tmp_2)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if ((tmp_3 = BN_bin2bn(ec_cofactor_%d, sizeof(ec_cofactor_%d), tmp_3)) == NULL)\n"
|
||||
" goto err;\n", len, len);
|
||||
BIO_printf(out, " if (!EC_GROUP_set_generator(group, point, tmp_2, tmp_3))\n"
|
||||
" goto err;\n"
|
||||
"ok = 1;"
|
||||
"\n");
|
||||
BIO_printf(out, "err:\n"
|
||||
" BN_free(tmp_1);\n"
|
||||
" BN_free(tmp_2);\n"
|
||||
" BN_free(tmp_3);\n"
|
||||
" EC_POINT_free(point);\n"
|
||||
" if (!ok) {\n"
|
||||
" EC_GROUP_free(group);\n"
|
||||
" return NULL;\n"
|
||||
" }\n"
|
||||
" return (group);\n"
|
||||
"}\n");
|
||||
}
|
||||
|
||||
if (outformat == FORMAT_ASN1 && genkey)
|
||||
noout = 1;
|
||||
|
||||
if (!noout) {
|
||||
if (outformat == FORMAT_ASN1)
|
||||
i = i2d_ECPKParameters_bio(out, group);
|
||||
else
|
||||
i = PEM_write_bio_ECPKParameters(out, group);
|
||||
if (!i) {
|
||||
BIO_printf(bio_err, "unable to write elliptic "
|
||||
"curve parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ectx_params = OSSL_ENCODER_CTX_new_for_pkey(
|
||||
params_key, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
|
||||
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
|
||||
if (!OSSL_ENCODER_to_bio(ectx_params, out)) {
|
||||
BIO_printf(bio_err, "unable to write elliptic curve parameters\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if (genkey) {
|
||||
EC_KEY *eckey = EC_KEY_new();
|
||||
|
||||
if (eckey == NULL)
|
||||
goto end;
|
||||
|
||||
if (EC_KEY_set_group(eckey, group) == 0) {
|
||||
BIO_printf(bio_err, "unable to set group when generating key\n");
|
||||
EC_KEY_free(eckey);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (new_form)
|
||||
EC_KEY_set_conv_form(eckey, form);
|
||||
|
||||
if (!EC_KEY_generate_key(eckey)) {
|
||||
/*
|
||||
* NOTE: EC keygen does not normally need to pass in the param_key
|
||||
* for named curves. This can be achieved using:
|
||||
* gctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
|
||||
* EVP_PKEY_keygen_init(gctx);
|
||||
* EVP_PKEY_CTX_set_group_name(gctx, curvename);
|
||||
* EVP_PKEY_keygen(gctx, &key) <= 0)
|
||||
*/
|
||||
gctx_key = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), params_key,
|
||||
app_get0_propq());
|
||||
if (EVP_PKEY_keygen_init(gctx_key) <= 0
|
||||
|| EVP_PKEY_keygen(gctx_key, &key) <= 0) {
|
||||
BIO_printf(bio_err, "unable to generate key\n");
|
||||
EC_KEY_free(eckey);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
assert(private);
|
||||
if (outformat == FORMAT_ASN1)
|
||||
i = i2d_ECPrivateKey_bio(out, eckey);
|
||||
else
|
||||
i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
|
||||
NULL, 0, NULL, NULL);
|
||||
EC_KEY_free(eckey);
|
||||
ectx_key = OSSL_ENCODER_CTX_new_for_pkey(
|
||||
key, OSSL_KEYMGMT_SELECT_ALL,
|
||||
outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
|
||||
if (!OSSL_ENCODER_to_bio(ectx_key, out)) {
|
||||
BIO_printf(bio_err, "unable to write elliptic "
|
||||
"curve parameters\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
end:
|
||||
BN_free(ec_p);
|
||||
BN_free(ec_a);
|
||||
BN_free(ec_b);
|
||||
BN_free(ec_gen);
|
||||
BN_free(ec_order);
|
||||
BN_free(ec_cofactor);
|
||||
OPENSSL_free(buffer);
|
||||
EC_GROUP_free(group);
|
||||
end:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
release_engine(e);
|
||||
BIO_free(in);
|
||||
EVP_PKEY_free(params_key);
|
||||
EVP_PKEY_free(key);
|
||||
EVP_PKEY_CTX_free(pctx);
|
||||
EVP_PKEY_CTX_free(gctx_params);
|
||||
EVP_PKEY_CTX_free(gctx_key);
|
||||
OSSL_DECODER_CTX_free(dctx_params);
|
||||
OSSL_ENCODER_CTX_free(ectx_params);
|
||||
OSSL_ENCODER_CTX_free(ectx_key);
|
||||
BIO_free_all(out);
|
||||
return ret;
|
||||
}
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -30,6 +30,10 @@
|
||||
#define SIZE (512)
|
||||
#define BSIZE (8*1024)
|
||||
|
||||
#define PBKDF2_ITER_DEFAULT 10000
|
||||
#define STR(a) XSTR(a)
|
||||
#define XSTR(a) #a
|
||||
|
||||
static int set_hex(const char *in, unsigned char *out, int size);
|
||||
static void show_ciphers(const OBJ_NAME *name, void *bio_);
|
||||
|
||||
@ -39,53 +43,70 @@ struct doall_enc_ciphers {
|
||||
};
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_LIST,
|
||||
OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
|
||||
OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
|
||||
OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
|
||||
OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
|
||||
OPT_R_ENUM
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS enc_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"list", OPT_LIST, '-', "List ciphers"},
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
{"ciphers", OPT_LIST, '-', "Alias for -list"},
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"pass", OPT_PASS, 's', "Passphrase source"},
|
||||
#endif
|
||||
{"e", OPT_E, '-', "Encrypt"},
|
||||
{"d", OPT_D, '-', "Decrypt"},
|
||||
{"p", OPT_P, '-', "Print the iv/key"},
|
||||
{"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input file"},
|
||||
{"k", OPT_K, 's', "Passphrase"},
|
||||
{"kfile", OPT_KFILE, '<', "Read passphrase from file"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"pass", OPT_PASS, 's', "Passphrase source"},
|
||||
{"v", OPT_V, '-', "Verbose output"},
|
||||
{"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
|
||||
{"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
|
||||
{"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
|
||||
{"debug", OPT_DEBUG, '-', "Print debug info"},
|
||||
{"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"},
|
||||
{"base64", OPT_A, '-', "Same as option -a"},
|
||||
{"A", OPT_UPPER_A, '-',
|
||||
"Used with -[base64|a] to specify base64 buffer as a single line"},
|
||||
|
||||
OPT_SECTION("Encryption"),
|
||||
{"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
|
||||
{"salt", OPT_SALT, '-', "Use salt in the KDF (default)"},
|
||||
{"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"},
|
||||
{"debug", OPT_DEBUG, '-', "Print debug info"},
|
||||
|
||||
{"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
|
||||
{"k", OPT_K, 's', "Passphrase"},
|
||||
{"kfile", OPT_KFILE, '<', "Read passphrase from file"},
|
||||
{"K", OPT_UPPER_K, 's', "Raw key, in hex"},
|
||||
{"S", OPT_UPPER_S, 's', "Salt, in hex"},
|
||||
{"iv", OPT_IV, 's', "IV in hex"},
|
||||
{"md", OPT_MD, 's', "Use specified digest to create a key from the passphrase"},
|
||||
{"iter", OPT_ITER, 'p', "Specify the iteration count and force use of PBKDF2"},
|
||||
{"pbkdf2", OPT_PBKDF2, '-', "Use password-based key derivation function 2"},
|
||||
{"iter", OPT_ITER, 'p',
|
||||
"Specify the iteration count and force the use of PBKDF2"},
|
||||
{OPT_MORE_STR, 0, 0, "Default: " STR(PBKDF2_ITER_DEFAULT)},
|
||||
{"pbkdf2", OPT_PBKDF2, '-',
|
||||
"Use password-based key derivation function 2 (PBKDF2)"},
|
||||
{OPT_MORE_STR, 0, 0,
|
||||
"Use -iter to change the iteration count from " STR(PBKDF2_ITER_DEFAULT)},
|
||||
{"none", OPT_NONE, '-', "Don't encrypt"},
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
OPT_R_OPTIONS,
|
||||
#ifdef ZLIB
|
||||
{"z", OPT_Z, '-', "Compress or decompress encrypted data using zlib"},
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
{"", OPT_CIPHER, '-', "Any supported cipher"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -97,11 +118,13 @@ int enc_main(int argc, char **argv)
|
||||
BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
|
||||
NULL, *wbio = NULL;
|
||||
EVP_CIPHER_CTX *ctx = NULL;
|
||||
const EVP_CIPHER *cipher = NULL, *c;
|
||||
const EVP_MD *dgst = NULL;
|
||||
EVP_CIPHER *cipher = NULL;
|
||||
EVP_MD *dgst = NULL;
|
||||
const char *digestname = NULL;
|
||||
char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
|
||||
char *infile = NULL, *outfile = NULL, *prog;
|
||||
char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
|
||||
const char *ciphername = NULL;
|
||||
char mbuf[sizeof(magic) - 1];
|
||||
OPTION_CHOICE o;
|
||||
int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0;
|
||||
@ -119,21 +142,15 @@ int enc_main(int argc, char **argv)
|
||||
BIO *bzl = NULL;
|
||||
#endif
|
||||
|
||||
/* first check the program name */
|
||||
prog = opt_progname(argv[0]);
|
||||
if (strcmp(prog, "base64") == 0) {
|
||||
/* first check the command name */
|
||||
if (strcmp(argv[0], "base64") == 0)
|
||||
base64 = 1;
|
||||
#ifdef ZLIB
|
||||
} else if (strcmp(prog, "zlib") == 0) {
|
||||
else if (strcmp(argv[0], "zlib") == 0)
|
||||
do_zlib = 1;
|
||||
#endif
|
||||
} else {
|
||||
cipher = EVP_get_cipherbyname(prog);
|
||||
if (cipher == NULL && strcmp(prog, "enc") != 0) {
|
||||
BIO_printf(bio_err, "%s is not a known cipher\n", prog);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
else if (strcmp(argv[0], "enc") != 0)
|
||||
ciphername = argv[0];
|
||||
|
||||
prog = opt_init(argc, argv, enc_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
@ -252,23 +269,19 @@ int enc_main(int argc, char **argv)
|
||||
hiv = opt_arg();
|
||||
break;
|
||||
case OPT_MD:
|
||||
if (!opt_md(opt_arg(), &dgst))
|
||||
goto opthelp;
|
||||
digestname = opt_arg();
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &c))
|
||||
goto opthelp;
|
||||
cipher = c;
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_ITER:
|
||||
if (!opt_int(opt_arg(), &iter))
|
||||
goto opthelp;
|
||||
iter = opt_int_arg();
|
||||
pbkdf2 = 1;
|
||||
break;
|
||||
case OPT_PBKDF2:
|
||||
pbkdf2 = 1;
|
||||
if (iter == 0) /* do not overwrite a chosen value */
|
||||
iter = 10000;
|
||||
iter = PBKDF2_ITER_DEFAULT;
|
||||
break;
|
||||
case OPT_NONE:
|
||||
cipher = NULL;
|
||||
@ -277,25 +290,31 @@ int enc_main(int argc, char **argv)
|
||||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (opt_num_rest() != 0) {
|
||||
BIO_printf(bio_err, "Extra arguments given.\n");
|
||||
|
||||
/* No extra arguments. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
/* Get the cipher name, either from progname (if set) or flag. */
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &cipher))
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
|
||||
BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog);
|
||||
goto end;
|
||||
if (digestname != NULL) {
|
||||
if (!opt_md(digestname, &dgst))
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) {
|
||||
BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (dgst == NULL)
|
||||
dgst = EVP_sha256();
|
||||
dgst = (EVP_MD *)EVP_sha256();
|
||||
|
||||
if (iter == 0)
|
||||
iter = 1;
|
||||
@ -342,7 +361,7 @@ int enc_main(int argc, char **argv)
|
||||
char prompt[200];
|
||||
|
||||
BIO_snprintf(prompt, sizeof(prompt), "enter %s %s password:",
|
||||
OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
|
||||
EVP_CIPHER_get0_name(cipher),
|
||||
(enc) ? "encryption" : "decryption");
|
||||
strbuf[0] = '\0';
|
||||
i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
|
||||
@ -371,8 +390,8 @@ int enc_main(int argc, char **argv)
|
||||
goto end;
|
||||
|
||||
if (debug) {
|
||||
BIO_set_callback(in, BIO_debug_callback);
|
||||
BIO_set_callback(out, BIO_debug_callback);
|
||||
BIO_set_callback_ex(in, BIO_debug_callback_ex);
|
||||
BIO_set_callback_ex(out, BIO_debug_callback_ex);
|
||||
BIO_set_callback_arg(in, (char *)bio_err);
|
||||
BIO_set_callback_arg(out, (char *)bio_err);
|
||||
}
|
||||
@ -385,7 +404,7 @@ int enc_main(int argc, char **argv)
|
||||
if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
|
||||
goto end;
|
||||
if (debug) {
|
||||
BIO_set_callback(bzl, BIO_debug_callback);
|
||||
BIO_set_callback_ex(bzl, BIO_debug_callback_ex);
|
||||
BIO_set_callback_arg(bzl, (char *)bio_err);
|
||||
}
|
||||
if (enc)
|
||||
@ -399,7 +418,7 @@ int enc_main(int argc, char **argv)
|
||||
if ((b64 = BIO_new(BIO_f_base64())) == NULL)
|
||||
goto end;
|
||||
if (debug) {
|
||||
BIO_set_callback(b64, BIO_debug_callback);
|
||||
BIO_set_callback_ex(b64, BIO_debug_callback_ex);
|
||||
BIO_set_callback_arg(b64, (char *)bio_err);
|
||||
}
|
||||
if (olb64)
|
||||
@ -411,14 +430,11 @@ int enc_main(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (cipher != NULL) {
|
||||
if (str != NULL) { /* a passphrase is available */
|
||||
/*
|
||||
* Note that str is NULL if a key was passed on the command line, so
|
||||
* we get no salt in that case. Is this a bug?
|
||||
*/
|
||||
if (str != NULL) {
|
||||
/*
|
||||
* Salt handling: if encrypting generate a salt and write to
|
||||
* output BIO. If decrypting read salt from input BIO.
|
||||
* Salt handling: if encrypting generate a salt if not supplied,
|
||||
* and write to output BIO. If decrypting use salt from input BIO
|
||||
* if not given with args
|
||||
*/
|
||||
unsigned char *sptr;
|
||||
size_t str_len = strlen(str);
|
||||
@ -426,17 +442,19 @@ int enc_main(int argc, char **argv)
|
||||
if (nosalt) {
|
||||
sptr = NULL;
|
||||
} else {
|
||||
if (enc) {
|
||||
if (hsalt) {
|
||||
if (!set_hex(hsalt, salt, sizeof(salt))) {
|
||||
if (hsalt != NULL && !set_hex(hsalt, salt, sizeof(salt))) {
|
||||
BIO_printf(bio_err, "invalid hex salt value\n");
|
||||
goto end;
|
||||
}
|
||||
} else if (RAND_bytes(salt, sizeof(salt)) <= 0) {
|
||||
if (enc) { /* encryption */
|
||||
if (hsalt == NULL) {
|
||||
if (RAND_bytes(salt, sizeof(salt)) <= 0) {
|
||||
BIO_printf(bio_err, "RAND_bytes failed\n");
|
||||
goto end;
|
||||
}
|
||||
/*
|
||||
* If -P option then don't bother writing
|
||||
* If -P option then don't bother writing.
|
||||
* If salt is given, shouldn't either ?
|
||||
*/
|
||||
if ((printkey != 2)
|
||||
&& (BIO_write(wbio, magic,
|
||||
@ -447,16 +465,25 @@ int enc_main(int argc, char **argv)
|
||||
BIO_printf(bio_err, "error writing output file\n");
|
||||
goto end;
|
||||
}
|
||||
} else if (BIO_read(rbio, mbuf, sizeof(mbuf)) != sizeof(mbuf)
|
||||
|| BIO_read(rbio,
|
||||
(unsigned char *)salt,
|
||||
}
|
||||
} else { /* decryption */
|
||||
if (hsalt == NULL) {
|
||||
if (BIO_read(rbio, mbuf, sizeof(mbuf)) != sizeof(mbuf)) {
|
||||
BIO_printf(bio_err, "error reading input file\n");
|
||||
goto end;
|
||||
}
|
||||
if (memcmp(mbuf, magic, sizeof(mbuf)) == 0) { /* file IS salted */
|
||||
if (BIO_read(rbio, salt,
|
||||
sizeof(salt)) != sizeof(salt)) {
|
||||
BIO_printf(bio_err, "error reading input file\n");
|
||||
goto end;
|
||||
} else if (memcmp(mbuf, magic, sizeof(magic) - 1)) {
|
||||
}
|
||||
} else { /* file is NOT salted, NO salt available */
|
||||
BIO_printf(bio_err, "bad magic number\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
}
|
||||
sptr = salt;
|
||||
}
|
||||
|
||||
@ -466,8 +493,8 @@ int enc_main(int argc, char **argv)
|
||||
* concatenated into a temporary buffer
|
||||
*/
|
||||
unsigned char tmpkeyiv[EVP_MAX_KEY_LENGTH + EVP_MAX_IV_LENGTH];
|
||||
int iklen = EVP_CIPHER_key_length(cipher);
|
||||
int ivlen = EVP_CIPHER_iv_length(cipher);
|
||||
int iklen = EVP_CIPHER_get_key_length(cipher);
|
||||
int ivlen = EVP_CIPHER_get_iv_length(cipher);
|
||||
/* not needed if HASH_UPDATE() is fixed : */
|
||||
int islen = (sptr != NULL ? sizeof(salt) : 0);
|
||||
if (!PKCS5_PBKDF2_HMAC(str, str_len, sptr, islen,
|
||||
@ -499,7 +526,7 @@ int enc_main(int argc, char **argv)
|
||||
OPENSSL_cleanse(str, str_len);
|
||||
}
|
||||
if (hiv != NULL) {
|
||||
int siz = EVP_CIPHER_iv_length(cipher);
|
||||
int siz = EVP_CIPHER_get_iv_length(cipher);
|
||||
if (siz == 0) {
|
||||
BIO_printf(bio_err, "warning: iv not used by this cipher\n");
|
||||
} else if (!set_hex(hiv, iv, siz)) {
|
||||
@ -508,7 +535,7 @@ int enc_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
if ((hiv == NULL) && (str == NULL)
|
||||
&& EVP_CIPHER_iv_length(cipher) != 0) {
|
||||
&& EVP_CIPHER_get_iv_length(cipher) != 0) {
|
||||
/*
|
||||
* No IV was explicitly set and no IV was generated.
|
||||
* Hence the IV is undefined, making correct decryption impossible.
|
||||
@ -517,12 +544,12 @@ int enc_main(int argc, char **argv)
|
||||
goto end;
|
||||
}
|
||||
if (hkey != NULL) {
|
||||
if (!set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
|
||||
if (!set_hex(hkey, key, EVP_CIPHER_get_key_length(cipher))) {
|
||||
BIO_printf(bio_err, "invalid hex key value\n");
|
||||
goto end;
|
||||
}
|
||||
/* wiping secret data as we no longer need it */
|
||||
OPENSSL_cleanse(hkey, strlen(hkey));
|
||||
cleanse(hkey);
|
||||
}
|
||||
|
||||
if ((benc = BIO_new(BIO_f_cipher())) == NULL)
|
||||
@ -535,9 +562,9 @@ int enc_main(int argc, char **argv)
|
||||
|
||||
BIO_get_cipher_ctx(benc, &ctx);
|
||||
|
||||
if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
|
||||
if (!EVP_CipherInit_ex(ctx, cipher, e, NULL, NULL, enc)) {
|
||||
BIO_printf(bio_err, "Error setting cipher %s\n",
|
||||
EVP_CIPHER_name(cipher));
|
||||
EVP_CIPHER_get0_name(cipher));
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
@ -547,13 +574,13 @@ int enc_main(int argc, char **argv)
|
||||
|
||||
if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) {
|
||||
BIO_printf(bio_err, "Error setting cipher %s\n",
|
||||
EVP_CIPHER_name(cipher));
|
||||
EVP_CIPHER_get0_name(cipher));
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (debug) {
|
||||
BIO_set_callback(benc, BIO_debug_callback);
|
||||
BIO_set_callback_ex(benc, BIO_debug_callback_ex);
|
||||
BIO_set_callback_arg(benc, (char *)bio_err);
|
||||
}
|
||||
|
||||
@ -564,15 +591,15 @@ int enc_main(int argc, char **argv)
|
||||
printf("%02X", salt[i]);
|
||||
printf("\n");
|
||||
}
|
||||
if (EVP_CIPHER_key_length(cipher) > 0) {
|
||||
if (EVP_CIPHER_get_key_length(cipher) > 0) {
|
||||
printf("key=");
|
||||
for (i = 0; i < EVP_CIPHER_key_length(cipher); i++)
|
||||
for (i = 0; i < EVP_CIPHER_get_key_length(cipher); i++)
|
||||
printf("%02X", key[i]);
|
||||
printf("\n");
|
||||
}
|
||||
if (EVP_CIPHER_iv_length(cipher) > 0) {
|
||||
if (EVP_CIPHER_get_iv_length(cipher) > 0) {
|
||||
printf("iv =");
|
||||
for (i = 0; i < EVP_CIPHER_iv_length(cipher); i++)
|
||||
for (i = 0; i < EVP_CIPHER_get_iv_length(cipher); i++)
|
||||
printf("%02X", iv[i]);
|
||||
printf("\n");
|
||||
}
|
||||
@ -614,6 +641,8 @@ int enc_main(int argc, char **argv)
|
||||
BIO_free_all(out);
|
||||
BIO_free(benc);
|
||||
BIO_free(b64);
|
||||
EVP_MD_free(dgst);
|
||||
EVP_CIPHER_free(cipher);
|
||||
#ifdef ZLIB
|
||||
BIO_free(bzl);
|
||||
#endif
|
||||
@ -632,9 +661,9 @@ static void show_ciphers(const OBJ_NAME *name, void *arg)
|
||||
|
||||
/* Filter out ciphers that we cannot use */
|
||||
cipher = EVP_get_cipherbyname(name->name);
|
||||
if (cipher == NULL ||
|
||||
(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 ||
|
||||
EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)
|
||||
if (cipher == NULL
|
||||
|| (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0
|
||||
|| EVP_CIPHER_get_mode(cipher) == EVP_CIPH_XTS_MODE)
|
||||
return;
|
||||
|
||||
BIO_printf(dec->bio, "-%-25s", name->name);
|
||||
|
@ -1,13 +1,17 @@
|
||||
/*
|
||||
* Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/* We need to use some engine deprecated APIs */
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
#include <stdio.h>
|
||||
@ -19,27 +23,32 @@
|
||||
#include <openssl/store.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST,
|
||||
OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS engine_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"},
|
||||
{OPT_HELP_STR, 1, '-',
|
||||
" engine... Engines to load\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"t", OPT_T, '-', "Check that specified engine is available"},
|
||||
{"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
|
||||
{"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"v", OPT_V, '-', "List 'control commands' For each specified engine"},
|
||||
{"vv", OPT_VV, '-', "Also display each command's description"},
|
||||
{"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
|
||||
{"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
|
||||
{"c", OPT_C, '-', "List the capabilities of specified engine"},
|
||||
{"t", OPT_T, '-', "Check that specified engine is available"},
|
||||
{"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
|
||||
{"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
|
||||
{"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
|
||||
{OPT_MORE_STR, OPT_EOF, 1,
|
||||
"Commands are like \"SO_PATH:/lib/libdriver.so\""},
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"engine", 0, 0, "ID of engine(s) to load"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -351,7 +360,7 @@ int engine_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
/* Allow any trailing parameters as engine names. */
|
||||
/* Any remaining arguments are engine names. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
for ( ; *argv; argv++) {
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -22,8 +22,12 @@ typedef enum OPTION_choice {
|
||||
|
||||
const OPTIONS errstr_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"},
|
||||
{OPT_HELP_STR, 1, '-', " errnum Error number\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"errnum", 0, 0, "Error number(s) to decode"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -48,16 +52,19 @@ int errstr_main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
for (argv = opt_rest(); *argv; argv++) {
|
||||
if (sscanf(*argv, "%lx", &l) == 0) {
|
||||
ret++;
|
||||
} else {
|
||||
/* We're not really an SSL application so this won't auto-init, but
|
||||
/*
|
||||
* We're not really an SSL application so this won't auto-init, but
|
||||
* we're still interested in SSL error strings
|
||||
*/
|
||||
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
|
||||
| OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
|
||||
|
||||
/* All remaining arg are error code. */
|
||||
ret = 0;
|
||||
for (argv = opt_rest(); *argv != NULL; argv++) {
|
||||
if (sscanf(*argv, "%lx", &l) == 0) {
|
||||
ret++;
|
||||
} else {
|
||||
ERR_error_string_n(l, buf, sizeof(buf));
|
||||
BIO_printf(bio_out, "%s\n", buf);
|
||||
}
|
||||
|
590
crypto/openssl/apps/fipsinstall.c
Normal file
590
crypto/openssl/apps/fipsinstall.c
Normal file
@ -0,0 +1,590 @@
|
||||
/*
|
||||
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/fips_names.h>
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/self_test.h>
|
||||
#include <openssl/fipskey.h>
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
|
||||
#define BUFSIZE 4096
|
||||
|
||||
/* Configuration file values */
|
||||
#define VERSION_KEY "version"
|
||||
#define VERSION_VAL "1"
|
||||
#define INSTALL_STATUS_VAL "INSTALL_SELF_TEST_KATS_RUN"
|
||||
|
||||
static OSSL_CALLBACK self_test_events;
|
||||
static char *self_test_corrupt_desc = NULL;
|
||||
static char *self_test_corrupt_type = NULL;
|
||||
static int self_test_log = 1;
|
||||
static int quiet = 0;
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_COMMON,
|
||||
OPT_IN, OPT_OUT, OPT_MODULE,
|
||||
OPT_PROV_NAME, OPT_SECTION_NAME, OPT_MAC_NAME, OPT_MACOPT, OPT_VERIFY,
|
||||
OPT_NO_LOG, OPT_CORRUPT_DESC, OPT_CORRUPT_TYPE, OPT_QUIET, OPT_CONFIG,
|
||||
OPT_NO_CONDITIONAL_ERRORS,
|
||||
OPT_NO_SECURITY_CHECKS,
|
||||
OPT_SELF_TEST_ONLOAD
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS fipsinstall_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"verify", OPT_VERIFY, '-',
|
||||
"Verify a config file instead of generating one"},
|
||||
{"module", OPT_MODULE, '<', "File name of the provider module"},
|
||||
{"provider_name", OPT_PROV_NAME, 's', "FIPS provider name"},
|
||||
{"section_name", OPT_SECTION_NAME, 's',
|
||||
"FIPS Provider config section name (optional)"},
|
||||
{"no_conditional_errors", OPT_NO_CONDITIONAL_ERRORS, '-',
|
||||
"Disable the ability of the fips module to enter an error state if"
|
||||
" any conditional self tests fail"},
|
||||
{"no_security_checks", OPT_NO_SECURITY_CHECKS, '-',
|
||||
"Disable the run-time FIPS security checks in the module"},
|
||||
{"self_test_onload", OPT_SELF_TEST_ONLOAD, '-',
|
||||
"Forces self tests to always run on module load"},
|
||||
OPT_SECTION("Input"),
|
||||
{"in", OPT_IN, '<', "Input config file, used when verifying"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output config file, used when generating"},
|
||||
{"mac_name", OPT_MAC_NAME, 's', "MAC name"},
|
||||
{"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form. "
|
||||
"See 'PARAMETER NAMES' in the EVP_MAC_ docs"},
|
||||
{"noout", OPT_NO_LOG, '-', "Disable logging of self test events"},
|
||||
{"corrupt_desc", OPT_CORRUPT_DESC, 's', "Corrupt a self test by description"},
|
||||
{"corrupt_type", OPT_CORRUPT_TYPE, 's', "Corrupt a self test by type"},
|
||||
{"config", OPT_CONFIG, '<', "The parent config to verify"},
|
||||
{"quiet", OPT_QUIET, '-', "No messages, just exit status"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static int do_mac(EVP_MAC_CTX *ctx, unsigned char *tmp, BIO *in,
|
||||
unsigned char *out, size_t *out_len)
|
||||
{
|
||||
int ret = 0;
|
||||
int i;
|
||||
size_t outsz = *out_len;
|
||||
|
||||
if (!EVP_MAC_init(ctx, NULL, 0, NULL))
|
||||
goto err;
|
||||
if (EVP_MAC_CTX_get_mac_size(ctx) > outsz)
|
||||
goto end;
|
||||
while ((i = BIO_read(in, (char *)tmp, BUFSIZE)) != 0) {
|
||||
if (i < 0 || !EVP_MAC_update(ctx, tmp, i))
|
||||
goto err;
|
||||
}
|
||||
end:
|
||||
if (!EVP_MAC_final(ctx, out, out_len, outsz))
|
||||
goto err;
|
||||
ret = 1;
|
||||
err:
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int load_fips_prov_and_run_self_test(const char *prov_name)
|
||||
{
|
||||
int ret = 0;
|
||||
OSSL_PROVIDER *prov = NULL;
|
||||
|
||||
prov = OSSL_PROVIDER_load(NULL, prov_name);
|
||||
if (prov == NULL) {
|
||||
BIO_printf(bio_err, "Failed to load FIPS module\n");
|
||||
goto end;
|
||||
}
|
||||
ret = 1;
|
||||
end:
|
||||
OSSL_PROVIDER_unload(prov);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int print_mac(BIO *bio, const char *label, const unsigned char *mac,
|
||||
size_t len)
|
||||
{
|
||||
int ret;
|
||||
char *hexstr = NULL;
|
||||
|
||||
hexstr = OPENSSL_buf2hexstr(mac, (long)len);
|
||||
if (hexstr == NULL)
|
||||
return 0;
|
||||
ret = BIO_printf(bio, "%s = %s\n", label, hexstr);
|
||||
OPENSSL_free(hexstr);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int write_config_header(BIO *out, const char *prov_name,
|
||||
const char *section)
|
||||
{
|
||||
return BIO_printf(out, "openssl_conf = openssl_init\n\n")
|
||||
&& BIO_printf(out, "[openssl_init]\n")
|
||||
&& BIO_printf(out, "providers = provider_section\n\n")
|
||||
&& BIO_printf(out, "[provider_section]\n")
|
||||
&& BIO_printf(out, "%s = %s\n\n", prov_name, section);
|
||||
}
|
||||
|
||||
/*
|
||||
* Outputs a fips related config file that contains entries for the fips
|
||||
* module checksum, installation indicator checksum and the options
|
||||
* conditional_errors and security_checks.
|
||||
*
|
||||
* Returns 1 if the config file is written otherwise it returns 0 on error.
|
||||
*/
|
||||
static int write_config_fips_section(BIO *out, const char *section,
|
||||
unsigned char *module_mac,
|
||||
size_t module_mac_len,
|
||||
int conditional_errors,
|
||||
int security_checks,
|
||||
unsigned char *install_mac,
|
||||
size_t install_mac_len)
|
||||
{
|
||||
int ret = 0;
|
||||
|
||||
if (BIO_printf(out, "[%s]\n", section) <= 0
|
||||
|| BIO_printf(out, "activate = 1\n") <= 0
|
||||
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_VERSION,
|
||||
VERSION_VAL) <= 0
|
||||
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_CONDITIONAL_ERRORS,
|
||||
conditional_errors ? "1" : "0") <= 0
|
||||
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS,
|
||||
security_checks ? "1" : "0") <= 0
|
||||
|| !print_mac(out, OSSL_PROV_FIPS_PARAM_MODULE_MAC, module_mac,
|
||||
module_mac_len))
|
||||
goto end;
|
||||
|
||||
if (install_mac != NULL && install_mac_len > 0) {
|
||||
if (!print_mac(out, OSSL_PROV_FIPS_PARAM_INSTALL_MAC, install_mac,
|
||||
install_mac_len)
|
||||
|| BIO_printf(out, "%s = %s\n", OSSL_PROV_FIPS_PARAM_INSTALL_STATUS,
|
||||
INSTALL_STATUS_VAL) <= 0)
|
||||
goto end;
|
||||
}
|
||||
ret = 1;
|
||||
end:
|
||||
return ret;
|
||||
}
|
||||
|
||||
static CONF *generate_config_and_load(const char *prov_name,
|
||||
const char *section,
|
||||
unsigned char *module_mac,
|
||||
size_t module_mac_len,
|
||||
int conditional_errors,
|
||||
int security_checks)
|
||||
{
|
||||
BIO *mem_bio = NULL;
|
||||
CONF *conf = NULL;
|
||||
|
||||
mem_bio = BIO_new(BIO_s_mem());
|
||||
if (mem_bio == NULL)
|
||||
return 0;
|
||||
if (!write_config_header(mem_bio, prov_name, section)
|
||||
|| !write_config_fips_section(mem_bio, section,
|
||||
module_mac, module_mac_len,
|
||||
conditional_errors,
|
||||
security_checks,
|
||||
NULL, 0))
|
||||
goto end;
|
||||
|
||||
conf = app_load_config_bio(mem_bio, NULL);
|
||||
if (conf == NULL)
|
||||
goto end;
|
||||
|
||||
if (CONF_modules_load(conf, NULL, 0) <= 0)
|
||||
goto end;
|
||||
BIO_free(mem_bio);
|
||||
return conf;
|
||||
end:
|
||||
NCONF_free(conf);
|
||||
BIO_free(mem_bio);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static void free_config_and_unload(CONF *conf)
|
||||
{
|
||||
if (conf != NULL) {
|
||||
NCONF_free(conf);
|
||||
CONF_modules_unload(1);
|
||||
}
|
||||
}
|
||||
|
||||
static int verify_module_load(const char *parent_config_file)
|
||||
{
|
||||
return OSSL_LIB_CTX_load_config(NULL, parent_config_file);
|
||||
}
|
||||
|
||||
/*
|
||||
* Returns 1 if the config file entries match the passed in module_mac and
|
||||
* install_mac values, otherwise it returns 0.
|
||||
*/
|
||||
static int verify_config(const char *infile, const char *section,
|
||||
unsigned char *module_mac, size_t module_mac_len,
|
||||
unsigned char *install_mac, size_t install_mac_len)
|
||||
{
|
||||
int ret = 0;
|
||||
char *s = NULL;
|
||||
unsigned char *buf1 = NULL, *buf2 = NULL;
|
||||
long len;
|
||||
CONF *conf = NULL;
|
||||
|
||||
/* read in the existing values and check they match the saved values */
|
||||
conf = app_load_config(infile);
|
||||
if (conf == NULL)
|
||||
goto end;
|
||||
|
||||
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_VERSION);
|
||||
if (s == NULL || strcmp(s, VERSION_VAL) != 0) {
|
||||
BIO_printf(bio_err, "version not found\n");
|
||||
goto end;
|
||||
}
|
||||
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_MODULE_MAC);
|
||||
if (s == NULL) {
|
||||
BIO_printf(bio_err, "Module integrity MAC not found\n");
|
||||
goto end;
|
||||
}
|
||||
buf1 = OPENSSL_hexstr2buf(s, &len);
|
||||
if (buf1 == NULL
|
||||
|| (size_t)len != module_mac_len
|
||||
|| memcmp(module_mac, buf1, module_mac_len) != 0) {
|
||||
BIO_printf(bio_err, "Module integrity mismatch\n");
|
||||
goto end;
|
||||
}
|
||||
if (install_mac != NULL && install_mac_len > 0) {
|
||||
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_STATUS);
|
||||
if (s == NULL || strcmp(s, INSTALL_STATUS_VAL) != 0) {
|
||||
BIO_printf(bio_err, "install status not found\n");
|
||||
goto end;
|
||||
}
|
||||
s = NCONF_get_string(conf, section, OSSL_PROV_FIPS_PARAM_INSTALL_MAC);
|
||||
if (s == NULL) {
|
||||
BIO_printf(bio_err, "Install indicator MAC not found\n");
|
||||
goto end;
|
||||
}
|
||||
buf2 = OPENSSL_hexstr2buf(s, &len);
|
||||
if (buf2 == NULL
|
||||
|| (size_t)len != install_mac_len
|
||||
|| memcmp(install_mac, buf2, install_mac_len) != 0) {
|
||||
BIO_printf(bio_err, "Install indicator status mismatch\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
ret = 1;
|
||||
end:
|
||||
OPENSSL_free(buf1);
|
||||
OPENSSL_free(buf2);
|
||||
NCONF_free(conf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int fipsinstall_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1, verify = 0, gotkey = 0, gotdigest = 0, self_test_onload = 0;
|
||||
int enable_conditional_errors = 1, enable_security_checks = 1;
|
||||
const char *section_name = "fips_sect";
|
||||
const char *mac_name = "HMAC";
|
||||
const char *prov_name = "fips";
|
||||
BIO *module_bio = NULL, *mem_bio = NULL, *fout = NULL;
|
||||
char *in_fname = NULL, *out_fname = NULL, *prog;
|
||||
char *module_fname = NULL, *parent_config = NULL, *module_path = NULL;
|
||||
const char *tail;
|
||||
EVP_MAC_CTX *ctx = NULL, *ctx2 = NULL;
|
||||
STACK_OF(OPENSSL_STRING) *opts = NULL;
|
||||
OPTION_CHOICE o;
|
||||
unsigned char *read_buffer = NULL;
|
||||
unsigned char module_mac[EVP_MAX_MD_SIZE];
|
||||
size_t module_mac_len = EVP_MAX_MD_SIZE;
|
||||
unsigned char install_mac[EVP_MAX_MD_SIZE];
|
||||
size_t install_mac_len = EVP_MAX_MD_SIZE;
|
||||
EVP_MAC *mac = NULL;
|
||||
CONF *conf = NULL;
|
||||
|
||||
if ((opts = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||
goto end;
|
||||
|
||||
prog = opt_init(argc, argv, fipsinstall_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
case OPT_EOF:
|
||||
case OPT_ERR:
|
||||
opthelp:
|
||||
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
||||
goto cleanup;
|
||||
case OPT_HELP:
|
||||
opt_help(fipsinstall_options);
|
||||
ret = 0;
|
||||
goto end;
|
||||
case OPT_IN:
|
||||
in_fname = opt_arg();
|
||||
break;
|
||||
case OPT_OUT:
|
||||
out_fname = opt_arg();
|
||||
break;
|
||||
case OPT_NO_CONDITIONAL_ERRORS:
|
||||
enable_conditional_errors = 0;
|
||||
break;
|
||||
case OPT_NO_SECURITY_CHECKS:
|
||||
enable_security_checks = 0;
|
||||
break;
|
||||
case OPT_QUIET:
|
||||
quiet = 1;
|
||||
/* FALLTHROUGH */
|
||||
case OPT_NO_LOG:
|
||||
self_test_log = 0;
|
||||
break;
|
||||
case OPT_CORRUPT_DESC:
|
||||
self_test_corrupt_desc = opt_arg();
|
||||
break;
|
||||
case OPT_CORRUPT_TYPE:
|
||||
self_test_corrupt_type = opt_arg();
|
||||
break;
|
||||
case OPT_PROV_NAME:
|
||||
prov_name = opt_arg();
|
||||
break;
|
||||
case OPT_MODULE:
|
||||
module_fname = opt_arg();
|
||||
break;
|
||||
case OPT_SECTION_NAME:
|
||||
section_name = opt_arg();
|
||||
break;
|
||||
case OPT_MAC_NAME:
|
||||
mac_name = opt_arg();
|
||||
break;
|
||||
case OPT_CONFIG:
|
||||
parent_config = opt_arg();
|
||||
break;
|
||||
case OPT_MACOPT:
|
||||
if (!sk_OPENSSL_STRING_push(opts, opt_arg()))
|
||||
goto opthelp;
|
||||
if (strncmp(opt_arg(), "hexkey:", 7) == 0)
|
||||
gotkey = 1;
|
||||
else if (strncmp(opt_arg(), "digest:", 7) == 0)
|
||||
gotdigest = 1;
|
||||
break;
|
||||
case OPT_VERIFY:
|
||||
verify = 1;
|
||||
break;
|
||||
case OPT_SELF_TEST_ONLOAD:
|
||||
self_test_onload = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra arguments. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0 || (verify && in_fname == NULL))
|
||||
goto opthelp;
|
||||
|
||||
if (parent_config != NULL) {
|
||||
/* Test that a parent config can load the module */
|
||||
if (verify_module_load(parent_config)) {
|
||||
ret = OSSL_PROVIDER_available(NULL, prov_name) ? 0 : 1;
|
||||
if (!quiet)
|
||||
BIO_printf(bio_err, "FIPS provider is %s\n",
|
||||
ret == 0 ? "available" : " not available");
|
||||
}
|
||||
goto end;
|
||||
}
|
||||
if (module_fname == NULL)
|
||||
goto opthelp;
|
||||
|
||||
tail = opt_path_end(module_fname);
|
||||
if (tail != NULL) {
|
||||
module_path = OPENSSL_strdup(module_fname);
|
||||
if (module_path == NULL)
|
||||
goto end;
|
||||
module_path[tail - module_fname] = '\0';
|
||||
if (!OSSL_PROVIDER_set_default_search_path(NULL, module_path))
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (self_test_log
|
||||
|| self_test_corrupt_desc != NULL
|
||||
|| self_test_corrupt_type != NULL)
|
||||
OSSL_SELF_TEST_set_callback(NULL, self_test_events, NULL);
|
||||
|
||||
/* Use the default FIPS HMAC digest and key if not specified. */
|
||||
if (!gotdigest && !sk_OPENSSL_STRING_push(opts, "digest:SHA256"))
|
||||
goto end;
|
||||
if (!gotkey && !sk_OPENSSL_STRING_push(opts, "hexkey:" FIPS_KEY_STRING))
|
||||
goto end;
|
||||
|
||||
module_bio = bio_open_default(module_fname, 'r', FORMAT_BINARY);
|
||||
if (module_bio == NULL) {
|
||||
BIO_printf(bio_err, "Failed to open module file\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
read_buffer = app_malloc(BUFSIZE, "I/O buffer");
|
||||
if (read_buffer == NULL)
|
||||
goto end;
|
||||
|
||||
mac = EVP_MAC_fetch(app_get0_libctx(), mac_name, app_get0_propq());
|
||||
if (mac == NULL) {
|
||||
BIO_printf(bio_err, "Unable to get MAC of type %s\n", mac_name);
|
||||
goto end;
|
||||
}
|
||||
|
||||
ctx = EVP_MAC_CTX_new(mac);
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "Unable to create MAC CTX for module check\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (opts != NULL) {
|
||||
int ok = 1;
|
||||
OSSL_PARAM *params =
|
||||
app_params_new_from_opts(opts, EVP_MAC_settable_ctx_params(mac));
|
||||
|
||||
if (params == NULL)
|
||||
goto end;
|
||||
|
||||
if (!EVP_MAC_CTX_set_params(ctx, params)) {
|
||||
BIO_printf(bio_err, "MAC parameter error\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ok = 0;
|
||||
}
|
||||
app_params_free(params);
|
||||
if (!ok)
|
||||
goto end;
|
||||
}
|
||||
|
||||
ctx2 = EVP_MAC_CTX_dup(ctx);
|
||||
if (ctx2 == NULL) {
|
||||
BIO_printf(bio_err, "Unable to create MAC CTX for install indicator\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!do_mac(ctx, read_buffer, module_bio, module_mac, &module_mac_len))
|
||||
goto end;
|
||||
|
||||
if (self_test_onload == 0) {
|
||||
mem_bio = BIO_new_mem_buf((const void *)INSTALL_STATUS_VAL,
|
||||
strlen(INSTALL_STATUS_VAL));
|
||||
if (mem_bio == NULL) {
|
||||
BIO_printf(bio_err, "Unable to create memory BIO\n");
|
||||
goto end;
|
||||
}
|
||||
if (!do_mac(ctx2, read_buffer, mem_bio, install_mac, &install_mac_len))
|
||||
goto end;
|
||||
} else {
|
||||
install_mac_len = 0;
|
||||
}
|
||||
|
||||
if (verify) {
|
||||
if (!verify_config(in_fname, section_name, module_mac, module_mac_len,
|
||||
install_mac, install_mac_len))
|
||||
goto end;
|
||||
if (!quiet)
|
||||
BIO_printf(bio_err, "VERIFY PASSED\n");
|
||||
} else {
|
||||
|
||||
conf = generate_config_and_load(prov_name, section_name, module_mac,
|
||||
module_mac_len,
|
||||
enable_conditional_errors,
|
||||
enable_security_checks);
|
||||
if (conf == NULL)
|
||||
goto end;
|
||||
if (!load_fips_prov_and_run_self_test(prov_name))
|
||||
goto end;
|
||||
|
||||
fout =
|
||||
out_fname == NULL ? dup_bio_out(FORMAT_TEXT)
|
||||
: bio_open_default(out_fname, 'w', FORMAT_TEXT);
|
||||
if (fout == NULL) {
|
||||
BIO_printf(bio_err, "Failed to open file\n");
|
||||
goto end;
|
||||
}
|
||||
if (!write_config_fips_section(fout, section_name,
|
||||
module_mac, module_mac_len,
|
||||
enable_conditional_errors,
|
||||
enable_security_checks,
|
||||
install_mac, install_mac_len))
|
||||
goto end;
|
||||
if (!quiet)
|
||||
BIO_printf(bio_err, "INSTALL PASSED\n");
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret == 1) {
|
||||
if (!quiet)
|
||||
BIO_printf(bio_err, "%s FAILED\n", verify ? "VERIFY" : "INSTALL");
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
|
||||
cleanup:
|
||||
OPENSSL_free(module_path);
|
||||
BIO_free(fout);
|
||||
BIO_free(mem_bio);
|
||||
BIO_free(module_bio);
|
||||
sk_OPENSSL_STRING_free(opts);
|
||||
EVP_MAC_free(mac);
|
||||
EVP_MAC_CTX_free(ctx2);
|
||||
EVP_MAC_CTX_free(ctx);
|
||||
OPENSSL_free(read_buffer);
|
||||
free_config_and_unload(conf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int self_test_events(const OSSL_PARAM params[], void *arg)
|
||||
{
|
||||
const OSSL_PARAM *p = NULL;
|
||||
const char *phase = NULL, *type = NULL, *desc = NULL;
|
||||
int ret = 0;
|
||||
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_PHASE);
|
||||
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
||||
goto err;
|
||||
phase = (const char *)p->data;
|
||||
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_DESC);
|
||||
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
||||
goto err;
|
||||
desc = (const char *)p->data;
|
||||
|
||||
p = OSSL_PARAM_locate_const(params, OSSL_PROV_PARAM_SELF_TEST_TYPE);
|
||||
if (p == NULL || p->data_type != OSSL_PARAM_UTF8_STRING)
|
||||
goto err;
|
||||
type = (const char *)p->data;
|
||||
|
||||
if (self_test_log) {
|
||||
if (strcmp(phase, OSSL_SELF_TEST_PHASE_START) == 0)
|
||||
BIO_printf(bio_err, "%s : (%s) : ", desc, type);
|
||||
else if (strcmp(phase, OSSL_SELF_TEST_PHASE_PASS) == 0
|
||||
|| strcmp(phase, OSSL_SELF_TEST_PHASE_FAIL) == 0)
|
||||
BIO_printf(bio_err, "%s\n", phase);
|
||||
}
|
||||
/*
|
||||
* The self test code will internally corrupt the KAT test result if an
|
||||
* error is returned during the corrupt phase.
|
||||
*/
|
||||
if (strcmp(phase, OSSL_SELF_TEST_PHASE_CORRUPT) == 0
|
||||
&& (self_test_corrupt_desc != NULL
|
||||
|| self_test_corrupt_type != NULL)) {
|
||||
if (self_test_corrupt_desc != NULL
|
||||
&& strcmp(self_test_corrupt_desc, desc) != 0)
|
||||
goto end;
|
||||
if (self_test_corrupt_type != NULL
|
||||
&& strcmp(self_test_corrupt_type, type) != 0)
|
||||
goto end;
|
||||
BIO_printf(bio_err, "%s ", phase);
|
||||
goto err;
|
||||
}
|
||||
end:
|
||||
ret = 1;
|
||||
err:
|
||||
return ret;
|
||||
}
|
@ -1,13 +1,14 @@
|
||||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
@ -22,22 +23,30 @@
|
||||
#include <openssl/pem.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER,
|
||||
OPT_R_ENUM
|
||||
OPT_COMMON,
|
||||
OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER, OPT_VERBOSE,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS gendsa_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"},
|
||||
{OPT_HELP_STR, 1, '-', "Valid options are:\n"},
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] dsaparam-file\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"out", OPT_OUT, '>', "Output the key to the specified file"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
OPT_R_OPTIONS,
|
||||
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output the key to the specified file"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
|
||||
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"dsaparam-file", 0, 0, "File containing DSA parameters"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -45,13 +54,13 @@ int gendsa_main(int argc, char **argv)
|
||||
{
|
||||
ENGINE *e = NULL;
|
||||
BIO *out = NULL, *in = NULL;
|
||||
DSA *dsa = NULL;
|
||||
const EVP_CIPHER *enc = NULL;
|
||||
char *dsaparams = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_CIPHER *enc = NULL;
|
||||
char *dsaparams = NULL, *ciphername = NULL;
|
||||
char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
|
||||
OPTION_CHOICE o;
|
||||
int ret = 1, private = 0;
|
||||
const BIGNUM *p = NULL;
|
||||
int ret = 1, private = 0, verbose = 0, nbits;
|
||||
|
||||
prog = opt_init(argc, argv, gendsa_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
@ -78,55 +87,71 @@ int gendsa_main(int argc, char **argv)
|
||||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_VERBOSE:
|
||||
verbose = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* One argument, the params file. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
private = 1;
|
||||
|
||||
if (argc != 1)
|
||||
goto opthelp;
|
||||
dsaparams = *argv;
|
||||
dsaparams = argv[0];
|
||||
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &enc))
|
||||
goto end;
|
||||
}
|
||||
private = 1;
|
||||
|
||||
if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
|
||||
BIO_printf(bio_err, "Error getting password\n");
|
||||
goto end;
|
||||
}
|
||||
|
||||
in = bio_open_default(dsaparams, 'r', FORMAT_PEM);
|
||||
if (in == NULL)
|
||||
goto end2;
|
||||
|
||||
if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) {
|
||||
BIO_printf(bio_err, "unable to load DSA parameter file\n");
|
||||
goto end;
|
||||
}
|
||||
BIO_free(in);
|
||||
in = NULL;
|
||||
pkey = load_keyparams(dsaparams, FORMAT_UNDEF, 1, "DSA", "DSA parameters");
|
||||
|
||||
out = bio_open_owner(outfile, FORMAT_PEM, private);
|
||||
if (out == NULL)
|
||||
goto end2;
|
||||
|
||||
DSA_get0_pqg(dsa, &p, NULL, NULL);
|
||||
|
||||
if (BN_num_bits(p) > OPENSSL_DSA_MAX_MODULUS_BITS)
|
||||
nbits = EVP_PKEY_get_bits(pkey);
|
||||
if (nbits > OPENSSL_DSA_MAX_MODULUS_BITS)
|
||||
BIO_printf(bio_err,
|
||||
"Warning: It is not recommended to use more than %d bit for DSA keys.\n"
|
||||
" Your key size is %d! Larger key size may behave not as expected.\n",
|
||||
OPENSSL_DSA_MAX_MODULUS_BITS, BN_num_bits(p));
|
||||
OPENSSL_DSA_MAX_MODULUS_BITS, EVP_PKEY_get_bits(pkey));
|
||||
|
||||
BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
|
||||
if (!DSA_generate_key(dsa))
|
||||
ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "unable to create PKEY context\n");
|
||||
goto end;
|
||||
}
|
||||
EVP_PKEY_free(pkey);
|
||||
pkey = NULL;
|
||||
if (EVP_PKEY_keygen_init(ctx) <= 0) {
|
||||
BIO_printf(bio_err, "unable to set up for key generation\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = app_keygen(ctx, "DSA", nbits, verbose);
|
||||
|
||||
assert(private);
|
||||
if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
|
||||
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout)) {
|
||||
BIO_printf(bio_err, "unable to output generated key\n");
|
||||
goto end;
|
||||
}
|
||||
ret = 0;
|
||||
end:
|
||||
if (ret != 0)
|
||||
@ -134,7 +159,9 @@ int gendsa_main(int argc, char **argv)
|
||||
end2:
|
||||
BIO_free(in);
|
||||
BIO_free_all(out);
|
||||
DSA_free(dsa);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
EVP_CIPHER_free(enc);
|
||||
release_engine(e);
|
||||
OPENSSL_free(passout);
|
||||
return ret;
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -14,34 +14,44 @@
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
# include <openssl/engine.h>
|
||||
#endif
|
||||
|
||||
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e);
|
||||
static int quiet;
|
||||
|
||||
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
|
||||
OSSL_LIB_CTX *libctx, const char *propq);
|
||||
static int genpkey_cb(EVP_PKEY_CTX *ctx);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_COMMON,
|
||||
OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
|
||||
OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER
|
||||
OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER,
|
||||
OPT_QUIET, OPT_CONFIG,
|
||||
OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS genpkey_options[] = {
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
|
||||
{"pass", OPT_PASS, 's', "Output file pass phrase source"},
|
||||
{"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
|
||||
{"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
|
||||
{"pkeyopt", OPT_PKEYOPT, 's',
|
||||
"Set the public key algorithm option as opt:value"},
|
||||
{"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
|
||||
{"text", OPT_TEXT, '-', "Print the in text"},
|
||||
{"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
{"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
|
||||
{"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
|
||||
{"quiet", OPT_QUIET, '-', "Do not output status while generating keys"},
|
||||
{"pkeyopt", OPT_PKEYOPT, 's',
|
||||
"Set the public key algorithm option as opt:value"},
|
||||
OPT_CONFIG_OPTION,
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output file"},
|
||||
{"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
|
||||
{"pass", OPT_PASS, 's', "Output file pass phrase source"},
|
||||
{"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
|
||||
{"text", OPT_TEXT, '-', "Print the in text"},
|
||||
{"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
/* This is deliberately last. */
|
||||
{OPT_HELP_STR, 1, 1,
|
||||
"Order of options may be important! See the documentation.\n"},
|
||||
@ -50,17 +60,24 @@ const OPTIONS genpkey_options[] = {
|
||||
|
||||
int genpkey_main(int argc, char **argv)
|
||||
{
|
||||
CONF *conf = NULL;
|
||||
BIO *in = NULL, *out = NULL;
|
||||
ENGINE *e = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog;
|
||||
const EVP_CIPHER *cipher = NULL;
|
||||
char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog, *p;
|
||||
const char *ciphername = NULL, *paramfile = NULL, *algname = NULL;
|
||||
EVP_CIPHER *cipher = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
|
||||
int private = 0;
|
||||
int private = 0, i;
|
||||
OSSL_LIB_CTX *libctx = app_get0_libctx();
|
||||
STACK_OF(OPENSSL_STRING) *keyopt = NULL;
|
||||
|
||||
prog = opt_init(argc, argv, genpkey_options);
|
||||
keyopt = sk_OPENSSL_STRING_new_null();
|
||||
if (keyopt == NULL)
|
||||
goto end;
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
case OPT_EOF:
|
||||
@ -88,56 +105,70 @@ int genpkey_main(int argc, char **argv)
|
||||
case OPT_PARAMFILE:
|
||||
if (do_param == 1)
|
||||
goto opthelp;
|
||||
if (!init_keygen_file(&ctx, opt_arg(), e))
|
||||
goto end;
|
||||
paramfile = opt_arg();
|
||||
break;
|
||||
case OPT_ALGORITHM:
|
||||
if (!init_gen_str(&ctx, opt_arg(), e, do_param))
|
||||
goto end;
|
||||
algname = opt_arg();
|
||||
break;
|
||||
case OPT_PKEYOPT:
|
||||
if (ctx == NULL) {
|
||||
BIO_printf(bio_err, "%s: No keytype specified.\n", prog);
|
||||
goto opthelp;
|
||||
}
|
||||
if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Error setting %s parameter:\n",
|
||||
prog, opt_arg());
|
||||
ERR_print_errors(bio_err);
|
||||
if (!sk_OPENSSL_STRING_push(keyopt, opt_arg()))
|
||||
goto end;
|
||||
}
|
||||
break;
|
||||
case OPT_QUIET:
|
||||
quiet = 1;
|
||||
break;
|
||||
case OPT_GENPARAM:
|
||||
if (ctx != NULL)
|
||||
goto opthelp;
|
||||
do_param = 1;
|
||||
break;
|
||||
case OPT_TEXT:
|
||||
text = 1;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &cipher)
|
||||
|| do_param == 1)
|
||||
goto opthelp;
|
||||
if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE ||
|
||||
EVP_CIPHER_mode(cipher) == EVP_CIPH_CCM_MODE ||
|
||||
EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE ||
|
||||
EVP_CIPHER_mode(cipher) == EVP_CIPH_OCB_MODE) {
|
||||
BIO_printf(bio_err, "%s: cipher mode not supported\n", prog);
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_CONFIG:
|
||||
conf = app_load_config_modules(opt_arg());
|
||||
if (conf == NULL)
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/* No extra arguments. */
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
||||
private = do_param ? 0 : 1;
|
||||
|
||||
/* Fetch cipher, etc. */
|
||||
if (paramfile != NULL) {
|
||||
if (!init_keygen_file(&ctx, paramfile, e, libctx, app_get0_propq()))
|
||||
goto end;
|
||||
}
|
||||
if (algname != NULL) {
|
||||
if (!init_gen_str(&ctx, algname, e, do_param, libctx, app_get0_propq()))
|
||||
goto end;
|
||||
}
|
||||
if (ctx == NULL)
|
||||
goto opthelp;
|
||||
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(keyopt); i++) {
|
||||
p = sk_OPENSSL_STRING_value(keyopt, i);
|
||||
if (pkey_ctrl_string(ctx, p) <= 0) {
|
||||
BIO_printf(bio_err, "%s: Error setting %s parameter:\n", prog, p);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (ciphername != NULL)
|
||||
if (!opt_cipher(ciphername, &cipher) || do_param == 1)
|
||||
goto opthelp;
|
||||
|
||||
private = do_param ? 0 : 1;
|
||||
|
||||
if (!app_passwd(passarg, NULL, &pass, NULL)) {
|
||||
BIO_puts(bio_err, "Error getting password\n");
|
||||
goto end;
|
||||
@ -150,19 +181,8 @@ int genpkey_main(int argc, char **argv)
|
||||
EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
|
||||
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
|
||||
|
||||
if (do_param) {
|
||||
if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) {
|
||||
BIO_puts(bio_err, "Error generating parameters\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
|
||||
BIO_puts(bio_err, "Error generating key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
pkey = do_param ? app_paramgen(ctx, algname)
|
||||
: app_keygen(ctx, algname, 0, 0 /* not verbose */);
|
||||
|
||||
if (do_param) {
|
||||
rv = PEM_write_bio_Parameters(out, pkey);
|
||||
@ -181,7 +201,6 @@ int genpkey_main(int argc, char **argv)
|
||||
|
||||
if (rv <= 0) {
|
||||
BIO_puts(bio_err, "Error writing key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ret = 1;
|
||||
}
|
||||
|
||||
@ -193,22 +212,27 @@ int genpkey_main(int argc, char **argv)
|
||||
|
||||
if (rv <= 0) {
|
||||
BIO_puts(bio_err, "Error printing key\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ret = 1;
|
||||
}
|
||||
}
|
||||
|
||||
end:
|
||||
sk_OPENSSL_STRING_free(keyopt);
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
EVP_CIPHER_free(cipher);
|
||||
BIO_free_all(out);
|
||||
BIO_free(in);
|
||||
release_engine(e);
|
||||
OPENSSL_free(pass);
|
||||
NCONF_free(conf);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
|
||||
static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
|
||||
OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
BIO *pbio;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
@ -219,20 +243,23 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
|
||||
}
|
||||
|
||||
pbio = BIO_new_file(file, "r");
|
||||
if (!pbio) {
|
||||
if (pbio == NULL) {
|
||||
BIO_printf(bio_err, "Can't open parameter file %s\n", file);
|
||||
return 0;
|
||||
}
|
||||
|
||||
pkey = PEM_read_bio_Parameters(pbio, NULL);
|
||||
pkey = PEM_read_bio_Parameters_ex(pbio, NULL, libctx, propq);
|
||||
BIO_free(pbio);
|
||||
|
||||
if (!pkey) {
|
||||
if (pkey == NULL) {
|
||||
BIO_printf(bio_err, "Error reading parameter file %s\n", file);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (e != NULL)
|
||||
ctx = EVP_PKEY_CTX_new(pkey, e);
|
||||
else
|
||||
ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
if (EVP_PKEY_keygen_init(ctx) <= 0)
|
||||
@ -251,11 +278,10 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
|
||||
}
|
||||
|
||||
int init_gen_str(EVP_PKEY_CTX **pctx,
|
||||
const char *algname, ENGINE *e, int do_param)
|
||||
const char *algname, ENGINE *e, int do_param,
|
||||
OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
const EVP_PKEY_ASN1_METHOD *ameth;
|
||||
ENGINE *tmpeng = NULL;
|
||||
int pkey_id;
|
||||
|
||||
if (*pctx) {
|
||||
@ -263,27 +289,13 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
|
||||
return 0;
|
||||
}
|
||||
|
||||
ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if (!ameth && e)
|
||||
ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
|
||||
#endif
|
||||
|
||||
if (!ameth) {
|
||||
BIO_printf(bio_err, "Algorithm %s not found\n", algname);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ERR_clear_error();
|
||||
|
||||
EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE_finish(tmpeng);
|
||||
#endif
|
||||
pkey_id = get_legacy_pkey_id(libctx, algname, e);
|
||||
if (pkey_id != NID_undef)
|
||||
ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
|
||||
else
|
||||
ctx = EVP_PKEY_CTX_new_from_name(libctx, algname, propq);
|
||||
|
||||
if (!ctx)
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
if (do_param) {
|
||||
if (EVP_PKEY_paramgen_init(ctx) <= 0)
|
||||
@ -308,16 +320,22 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
char c = '*';
|
||||
BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
|
||||
int p;
|
||||
p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
||||
if (p == 0)
|
||||
|
||||
if (quiet)
|
||||
return 1;
|
||||
|
||||
switch (EVP_PKEY_CTX_get_keygen_info(ctx, 0)) {
|
||||
case 0:
|
||||
c = '.';
|
||||
if (p == 1)
|
||||
break;
|
||||
case 1:
|
||||
c = '+';
|
||||
if (p == 2)
|
||||
c = '*';
|
||||
if (p == 3)
|
||||
break;
|
||||
case 3:
|
||||
c = '\n';
|
||||
break;
|
||||
}
|
||||
|
||||
BIO_write(b, &c, 1);
|
||||
(void)BIO_flush(b);
|
||||
return 1;
|
||||
|
@ -1,13 +1,14 @@
|
||||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
@ -26,52 +27,72 @@
|
||||
#define DEFBITS 2048
|
||||
#define DEFPRIMES 2
|
||||
|
||||
static int genrsa_cb(int p, int n, BN_GENCB *cb);
|
||||
static int verbose = 0;
|
||||
|
||||
static int genrsa_cb(EVP_PKEY_CTX *ctx);
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_3, OPT_F4, OPT_ENGINE,
|
||||
OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES,
|
||||
OPT_R_ENUM
|
||||
OPT_COMMON,
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
OPT_3,
|
||||
#endif
|
||||
OPT_F4, OPT_ENGINE,
|
||||
OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE,
|
||||
OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS genrsa_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] numbits\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"3", OPT_3, '-', "Use 3 for the E value"},
|
||||
{"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
|
||||
{"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
|
||||
{"out", OPT_OUT, '>', "Output the key to specified file"},
|
||||
OPT_R_OPTIONS,
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
||||
#endif
|
||||
|
||||
OPT_SECTION("Input"),
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
{"3", OPT_3, '-', "(deprecated) Use 3 for the E value"},
|
||||
#endif
|
||||
{"F4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value"},
|
||||
{"f4", OPT_F4, '-', "Use the Fermat number F4 (0x10001) for the E value"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output the key to specified file"},
|
||||
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
|
||||
{"primes", OPT_PRIMES, 'p', "Specify number of primes"},
|
||||
{"verbose", OPT_VERBOSE, '-', "Verbose output"},
|
||||
{"traditional", OPT_TRADITIONAL, '-',
|
||||
"Use traditional format for private keys"},
|
||||
{"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
|
||||
|
||||
OPT_R_OPTIONS,
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"numbits", 0, 0, "Size of key in bits"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int genrsa_main(int argc, char **argv)
|
||||
{
|
||||
BN_GENCB *cb = BN_GENCB_new();
|
||||
PW_CB_DATA cb_data;
|
||||
ENGINE *eng = NULL;
|
||||
BIGNUM *bn = BN_new();
|
||||
BIO *out = NULL;
|
||||
const BIGNUM *e;
|
||||
RSA *rsa = NULL;
|
||||
const EVP_CIPHER *enc = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_CIPHER *enc = NULL;
|
||||
int ret = 1, num = DEFBITS, private = 0, primes = DEFPRIMES;
|
||||
unsigned long f4 = RSA_F4;
|
||||
char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
|
||||
char *prog, *hexe, *dece;
|
||||
char *prog, *hexe, *dece, *ciphername = NULL;
|
||||
OPTION_CHOICE o;
|
||||
int traditional = 0;
|
||||
|
||||
if (bn == NULL || cb == NULL)
|
||||
goto end;
|
||||
|
||||
BN_GENCB_set(cb, genrsa_cb, bio_err);
|
||||
|
||||
prog = opt_init(argc, argv, genrsa_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
@ -84,9 +105,11 @@ int genrsa_main(int argc, char **argv)
|
||||
ret = 0;
|
||||
opt_help(genrsa_options);
|
||||
goto end;
|
||||
#ifndef OPENSSL_NO_DEPRECATED_3_0
|
||||
case OPT_3:
|
||||
f4 = 3;
|
||||
f4 = RSA_3;
|
||||
break;
|
||||
#endif
|
||||
case OPT_F4:
|
||||
f4 = RSA_F4;
|
||||
break;
|
||||
@ -100,19 +123,29 @@ int genrsa_main(int argc, char **argv)
|
||||
if (!opt_rand(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto end;
|
||||
break;
|
||||
case OPT_PASSOUT:
|
||||
passoutarg = opt_arg();
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
goto end;
|
||||
ciphername = opt_unknown();
|
||||
break;
|
||||
case OPT_PRIMES:
|
||||
if (!opt_int(opt_arg(), &primes))
|
||||
goto end;
|
||||
primes = opt_int_arg();
|
||||
break;
|
||||
case OPT_VERBOSE:
|
||||
verbose = 1;
|
||||
break;
|
||||
case OPT_TRADITIONAL:
|
||||
traditional = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* One optional argument, the bitsize. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
|
||||
@ -129,7 +162,14 @@ int genrsa_main(int argc, char **argv)
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
if (!app_RAND_load())
|
||||
goto end;
|
||||
|
||||
private = 1;
|
||||
if (ciphername != NULL) {
|
||||
if (!opt_cipher(ciphername, &enc))
|
||||
goto end;
|
||||
}
|
||||
if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
|
||||
BIO_printf(bio_err, "Error getting password\n");
|
||||
goto end;
|
||||
@ -139,17 +179,40 @@ int genrsa_main(int argc, char **argv)
|
||||
if (out == NULL)
|
||||
goto end;
|
||||
|
||||
BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus (%d primes)\n",
|
||||
num, primes);
|
||||
rsa = eng ? RSA_new_method(eng) : RSA_new();
|
||||
if (rsa == NULL)
|
||||
if (!init_gen_str(&ctx, "RSA", eng, 0, app_get0_libctx(),
|
||||
app_get0_propq()))
|
||||
goto end;
|
||||
|
||||
if (!BN_set_word(bn, f4)
|
||||
|| !RSA_generate_multi_prime_key(rsa, num, primes, bn, cb))
|
||||
goto end;
|
||||
EVP_PKEY_CTX_set_cb(ctx, genrsa_cb);
|
||||
EVP_PKEY_CTX_set_app_data(ctx, bio_err);
|
||||
|
||||
RSA_get0_key(rsa, NULL, &e, NULL);
|
||||
if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, num) <= 0) {
|
||||
BIO_printf(bio_err, "Error setting RSA length\n");
|
||||
goto end;
|
||||
}
|
||||
if (!BN_set_word(bn, f4)) {
|
||||
BIO_printf(bio_err, "Error allocating RSA public exponent\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_CTX_set1_rsa_keygen_pubexp(ctx, bn) <= 0) {
|
||||
BIO_printf(bio_err, "Error setting RSA public exponent\n");
|
||||
goto end;
|
||||
}
|
||||
if (EVP_PKEY_CTX_set_rsa_keygen_primes(ctx, primes) <= 0) {
|
||||
BIO_printf(bio_err, "Error setting number of primes\n");
|
||||
goto end;
|
||||
}
|
||||
pkey = app_keygen(ctx, "RSA", num, verbose);
|
||||
|
||||
if (verbose) {
|
||||
BIGNUM *e = NULL;
|
||||
|
||||
/* Every RSA key has an 'e' */
|
||||
EVP_PKEY_get_bn_param(pkey, "e", &e);
|
||||
if (e == NULL) {
|
||||
BIO_printf(bio_err, "Error cannot access RSA e\n");
|
||||
goto end;
|
||||
}
|
||||
hexe = BN_bn2hex(e);
|
||||
dece = BN_bn2dec(e);
|
||||
if (hexe && dece) {
|
||||
@ -157,19 +220,24 @@ int genrsa_main(int argc, char **argv)
|
||||
}
|
||||
OPENSSL_free(hexe);
|
||||
OPENSSL_free(dece);
|
||||
cb_data.password = passout;
|
||||
cb_data.prompt_info = outfile;
|
||||
assert(private);
|
||||
if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
|
||||
(pem_password_cb *)password_callback,
|
||||
&cb_data))
|
||||
BN_free(e);
|
||||
}
|
||||
if (traditional) {
|
||||
if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
|
||||
NULL, passout))
|
||||
goto end;
|
||||
} else {
|
||||
if (!PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, passout))
|
||||
goto end;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
end:
|
||||
BN_free(bn);
|
||||
BN_GENCB_free(cb);
|
||||
RSA_free(rsa);
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_CIPHER_free(enc);
|
||||
BIO_free_all(out);
|
||||
release_engine(eng);
|
||||
OPENSSL_free(passout);
|
||||
@ -178,9 +246,14 @@ int genrsa_main(int argc, char **argv)
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int genrsa_cb(int p, int n, BN_GENCB *cb)
|
||||
static int genrsa_cb(EVP_PKEY_CTX *ctx)
|
||||
{
|
||||
char c = '*';
|
||||
BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
|
||||
int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
|
||||
|
||||
if (!verbose)
|
||||
return 1;
|
||||
|
||||
if (p == 0)
|
||||
c = '.';
|
||||
@ -190,7 +263,7 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb)
|
||||
c = '*';
|
||||
if (p == 3)
|
||||
c = '\n';
|
||||
BIO_write(BN_GENCB_get_arg(cb), &c, 1);
|
||||
(void)BIO_flush(BN_GENCB_get_arg(cb));
|
||||
BIO_write(b, &c, 1);
|
||||
(void)BIO_flush(b);
|
||||
return 1;
|
||||
}
|
||||
|
22
crypto/openssl/apps/include/__DECC_INCLUDE_EPILOGUE.H
Normal file
22
crypto/openssl/apps/include/__DECC_INCLUDE_EPILOGUE.H
Normal file
@ -0,0 +1,22 @@
|
||||
/*
|
||||
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* This file is only used by HP C/C++ on VMS, and is included automatically
|
||||
* after each header file from this directory
|
||||
*/
|
||||
|
||||
/*
|
||||
* The C++ compiler doesn't understand these pragmas, even though it
|
||||
* understands the corresponding command line qualifier.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
/* restore state. Must correspond to the save in __decc_include_prologue.h */
|
||||
# pragma names restore
|
||||
#endif
|
26
crypto/openssl/apps/include/__DECC_INCLUDE_PROLOGUE.H
Normal file
26
crypto/openssl/apps/include/__DECC_INCLUDE_PROLOGUE.H
Normal file
@ -0,0 +1,26 @@
|
||||
/*
|
||||
* Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* This file is only used by HP C/C++ on VMS, and is included automatically
|
||||
* after each header file from this directory
|
||||
*/
|
||||
|
||||
/*
|
||||
* The C++ compiler doesn't understand these pragmas, even though it
|
||||
* understands the corresponding command line qualifier.
|
||||
*/
|
||||
#ifndef __cplusplus
|
||||
/* save state */
|
||||
# pragma names save
|
||||
/* have the compiler shorten symbols larger than 31 chars to 23 chars
|
||||
* followed by a 8 hex char CRC
|
||||
*/
|
||||
# pragma names as_is,shortened
|
||||
#endif
|
20
crypto/openssl/apps/include/app_libctx.h
Normal file
20
crypto/openssl/apps/include/app_libctx.h
Normal file
@ -0,0 +1,20 @@
|
||||
/*
|
||||
* Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_LIBCTX_H
|
||||
# define OSSL_APPS_LIBCTX_H
|
||||
|
||||
# include <openssl/types.h>
|
||||
|
||||
OSSL_LIB_CTX *app_create_libctx(void);
|
||||
OSSL_LIB_CTX *app_get0_libctx(void);
|
||||
int app_set_propq(const char *arg);
|
||||
const char *app_get0_propq(void);
|
||||
|
||||
#endif
|
14
crypto/openssl/apps/include/app_params.h
Normal file
14
crypto/openssl/apps/include/app_params.h
Normal file
@ -0,0 +1,14 @@
|
||||
/*
|
||||
* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/core.h>
|
||||
|
||||
int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent);
|
||||
void print_param_value(const OSSL_PARAM *p, int indent);
|
||||
|
348
crypto/openssl/apps/include/apps.h
Normal file
348
crypto/openssl/apps/include/apps.h
Normal file
@ -0,0 +1,348 @@
|
||||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_H
|
||||
# define OSSL_APPS_H
|
||||
|
||||
# include "e_os.h" /* struct timeval for DTLS */
|
||||
# include "internal/nelem.h"
|
||||
# include "internal/sockets.h" /* for openssl_fdset() */
|
||||
# include "internal/cryptlib.h" /* ossl_assert() */
|
||||
# include <assert.h>
|
||||
|
||||
# include <stdarg.h>
|
||||
# include <sys/types.h>
|
||||
# ifndef OPENSSL_NO_POSIX_IO
|
||||
# include <sys/stat.h>
|
||||
# include <fcntl.h>
|
||||
# endif
|
||||
|
||||
# include <openssl/e_os2.h>
|
||||
# include <openssl/types.h>
|
||||
# include <openssl/bio.h>
|
||||
# include <openssl/x509.h>
|
||||
# include <openssl/conf.h>
|
||||
# include <openssl/txt_db.h>
|
||||
# include <openssl/engine.h>
|
||||
# include <openssl/ocsp.h>
|
||||
# include <openssl/http.h>
|
||||
# include <signal.h>
|
||||
# include "apps_ui.h"
|
||||
# include "opt.h"
|
||||
# include "fmt.h"
|
||||
# include "platform.h"
|
||||
# include "engine_loader.h"
|
||||
# include "app_libctx.h"
|
||||
|
||||
/*
|
||||
* quick macro when you need to pass an unsigned char instead of a char.
|
||||
* this is true for some implementations of the is*() functions, for
|
||||
* example.
|
||||
*/
|
||||
# define _UC(c) ((unsigned char)(c))
|
||||
|
||||
void app_RAND_load_conf(CONF *c, const char *section);
|
||||
int app_RAND_write(void);
|
||||
int app_RAND_load(void);
|
||||
|
||||
extern char *default_config_file; /* may be "" */
|
||||
extern BIO *bio_in;
|
||||
extern BIO *bio_out;
|
||||
extern BIO *bio_err;
|
||||
extern const unsigned char tls13_aes128gcmsha256_id[];
|
||||
extern const unsigned char tls13_aes256gcmsha384_id[];
|
||||
extern BIO_ADDR *ourpeer;
|
||||
|
||||
BIO *dup_bio_in(int format);
|
||||
BIO *dup_bio_out(int format);
|
||||
BIO *dup_bio_err(int format);
|
||||
BIO *bio_open_owner(const char *filename, int format, int private);
|
||||
BIO *bio_open_default(const char *filename, char mode, int format);
|
||||
BIO *bio_open_default_quiet(const char *filename, char mode, int format);
|
||||
CONF *app_load_config_bio(BIO *in, const char *filename);
|
||||
#define app_load_config(filename) app_load_config_internal(filename, 0)
|
||||
#define app_load_config_quiet(filename) app_load_config_internal(filename, 1)
|
||||
CONF *app_load_config_internal(const char *filename, int quiet);
|
||||
CONF *app_load_config_verbose(const char *filename, int verbose);
|
||||
int app_load_modules(const CONF *config);
|
||||
CONF *app_load_config_modules(const char *configfile);
|
||||
void unbuffer(FILE *fp);
|
||||
void wait_for_async(SSL *s);
|
||||
# if defined(OPENSSL_SYS_MSDOS)
|
||||
int has_stdin_waiting(void);
|
||||
# endif
|
||||
|
||||
void corrupt_signature(const ASN1_STRING *signature);
|
||||
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
int days);
|
||||
int set_crl_lastupdate(X509_CRL *crl, const char *lastupdate);
|
||||
int set_crl_nextupdate(X509_CRL *crl, const char *nextupdate,
|
||||
long days, long hours, long secs);
|
||||
|
||||
typedef struct args_st {
|
||||
int size;
|
||||
int argc;
|
||||
char **argv;
|
||||
} ARGS;
|
||||
|
||||
/* We need both wrap and the "real" function because libcrypto uses both. */
|
||||
int wrap_password_callback(char *buf, int bufsiz, int verify, void *cb_data);
|
||||
|
||||
int chopup_args(ARGS *arg, char *buf);
|
||||
void dump_cert_text(BIO *out, X509 *x);
|
||||
void print_name(BIO *out, const char *title, const X509_NAME *nm);
|
||||
void print_bignum_var(BIO *, const BIGNUM *, const char*,
|
||||
int, unsigned char *);
|
||||
void print_array(BIO *, const char *, int, const unsigned char *);
|
||||
int set_nameopt(const char *arg);
|
||||
unsigned long get_nameopt(void);
|
||||
int set_dateopt(unsigned long *dateopt, const char *arg);
|
||||
int set_cert_ex(unsigned long *flags, const char *arg);
|
||||
int set_name_ex(unsigned long *flags, const char *arg);
|
||||
int set_ext_copy(int *copy_type, const char *arg);
|
||||
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
|
||||
char *get_passwd(const char *pass, const char *desc);
|
||||
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
|
||||
int add_oid_section(CONF *conf);
|
||||
X509_REQ *load_csr(const char *file, int format, const char *desc);
|
||||
X509 *load_cert_pass(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, const char *desc);
|
||||
#define load_cert(uri, format, desc) load_cert_pass(uri, format, 1, NULL, desc)
|
||||
X509_CRL *load_crl(const char *uri, int format, int maybe_stdin,
|
||||
const char *desc);
|
||||
void cleanse(char *str);
|
||||
void clear_free(char *str);
|
||||
EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, ENGINE *e, const char *desc);
|
||||
EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, ENGINE *e, const char *desc);
|
||||
EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin,
|
||||
const char *keytype, const char *desc);
|
||||
EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin,
|
||||
const char *keytype, const char *desc,
|
||||
int suppress_decode_errors);
|
||||
char *next_item(char *opt); /* in list separated by comma and/or space */
|
||||
int load_cert_certs(const char *uri,
|
||||
X509 **pcert, STACK_OF(X509) **pcerts,
|
||||
int exclude_http, const char *pass, const char *desc,
|
||||
X509_VERIFY_PARAM *vpm);
|
||||
STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
|
||||
const char *desc, X509_VERIFY_PARAM *vpm);
|
||||
X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
|
||||
X509_VERIFY_PARAM *vpm);
|
||||
int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
|
||||
const char *pass, const char *desc);
|
||||
int load_crls(const char *uri, STACK_OF(X509_CRL) **crls,
|
||||
const char *pass, const char *desc);
|
||||
int load_key_certs_crls(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, const char *desc,
|
||||
EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
|
||||
EVP_PKEY **pparams,
|
||||
X509 **pcert, STACK_OF(X509) **pcerts,
|
||||
X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls);
|
||||
int load_key_cert_crl(const char *uri, int format, int maybe_stdin,
|
||||
const char *pass, const char *desc,
|
||||
EVP_PKEY **ppkey, EVP_PKEY **ppubkey,
|
||||
X509 **pcert, X509_CRL **pcrl);
|
||||
X509_STORE *setup_verify(const char *CAfile, int noCAfile,
|
||||
const char *CApath, int noCApath,
|
||||
const char *CAstore, int noCAstore);
|
||||
__owur int ctx_set_verify_locations(SSL_CTX *ctx,
|
||||
const char *CAfile, int noCAfile,
|
||||
const char *CApath, int noCApath,
|
||||
const char *CAstore, int noCAstore);
|
||||
|
||||
# ifndef OPENSSL_NO_CT
|
||||
|
||||
/*
|
||||
* Sets the file to load the Certificate Transparency log list from.
|
||||
* If path is NULL, loads from the default file path.
|
||||
* Returns 1 on success, 0 otherwise.
|
||||
*/
|
||||
__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
|
||||
|
||||
# endif
|
||||
|
||||
ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug);
|
||||
# define setup_engine(e, debug) setup_engine_methods(e, (unsigned int)-1, debug)
|
||||
void release_engine(ENGINE *e);
|
||||
int init_engine(ENGINE *e);
|
||||
int finish_engine(ENGINE *e);
|
||||
char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc);
|
||||
|
||||
int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e);
|
||||
const EVP_MD *get_digest_from_engine(const char *name);
|
||||
const EVP_CIPHER *get_cipher_from_engine(const char *name);
|
||||
|
||||
# ifndef OPENSSL_NO_OCSP
|
||||
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
|
||||
const char *port, const char *path,
|
||||
const char *proxy, const char *no_proxy,
|
||||
int use_ssl, STACK_OF(CONF_VALUE) *headers,
|
||||
int req_timeout);
|
||||
# endif
|
||||
|
||||
/* Functions defined in ca.c and also used in ocsp.c */
|
||||
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
|
||||
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
|
||||
|
||||
# define DB_type 0
|
||||
# define DB_exp_date 1
|
||||
# define DB_rev_date 2
|
||||
# define DB_serial 3 /* index - unique */
|
||||
# define DB_file 4
|
||||
# define DB_name 5 /* index - unique when active and not
|
||||
* disabled */
|
||||
# define DB_NUMBER 6
|
||||
|
||||
# define DB_TYPE_REV 'R' /* Revoked */
|
||||
# define DB_TYPE_EXP 'E' /* Expired */
|
||||
# define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
|
||||
# define DB_TYPE_SUSP 'S' /* Suspended */
|
||||
|
||||
typedef struct db_attr_st {
|
||||
int unique_subject;
|
||||
} DB_ATTR;
|
||||
typedef struct ca_db_st {
|
||||
DB_ATTR attributes;
|
||||
TXT_DB *db;
|
||||
char *dbfname;
|
||||
# ifndef OPENSSL_NO_POSIX_IO
|
||||
struct stat dbst;
|
||||
# endif
|
||||
} CA_DB;
|
||||
|
||||
void app_bail_out(char *fmt, ...);
|
||||
void *app_malloc(size_t sz, const char *what);
|
||||
|
||||
/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
|
||||
BIGNUM *load_serial(const char *serialfile, int *exists, int create,
|
||||
ASN1_INTEGER **retai);
|
||||
int save_serial(const char *serialfile, const char *suffix,
|
||||
const BIGNUM *serial, ASN1_INTEGER **retai);
|
||||
int rotate_serial(const char *serialfile, const char *new_suffix,
|
||||
const char *old_suffix);
|
||||
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
|
||||
|
||||
CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr);
|
||||
int index_index(CA_DB *db);
|
||||
int save_index(const char *dbfile, const char *suffix, CA_DB *db);
|
||||
int rotate_index(const char *dbfile, const char *new_suffix,
|
||||
const char *old_suffix);
|
||||
void free_index(CA_DB *db);
|
||||
# define index_name_cmp_noconst(a, b) \
|
||||
index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
|
||||
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
|
||||
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
|
||||
int parse_yesno(const char *str, int def);
|
||||
|
||||
X509_NAME *parse_name(const char *str, int chtype, int multirdn,
|
||||
const char *desc);
|
||||
void policies_print(X509_STORE_CTX *ctx);
|
||||
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
|
||||
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
|
||||
int x509_ctrl_string(X509 *x, const char *value);
|
||||
int x509_req_ctrl_string(X509_REQ *x, const char *value);
|
||||
int init_gen_str(EVP_PKEY_CTX **pctx,
|
||||
const char *algname, ENGINE *e, int do_param,
|
||||
OSSL_LIB_CTX *libctx, const char *propq);
|
||||
int do_X509_sign(X509 *x, EVP_PKEY *pkey, const char *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
|
||||
int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
|
||||
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const char *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
int do_X509_REQ_verify(X509_REQ *x, EVP_PKEY *pkey,
|
||||
STACK_OF(OPENSSL_STRING) *vfyopts);
|
||||
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const char *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
|
||||
extern char *psk_key;
|
||||
|
||||
|
||||
unsigned char *next_protos_parse(size_t *outlen, const char *in);
|
||||
|
||||
void print_cert_checks(BIO *bio, X509 *x,
|
||||
const char *checkhost,
|
||||
const char *checkemail, const char *checkip);
|
||||
|
||||
void store_setup_crl_download(X509_STORE *st);
|
||||
|
||||
typedef struct app_http_tls_info_st {
|
||||
const char *server;
|
||||
const char *port;
|
||||
int use_proxy;
|
||||
long timeout;
|
||||
SSL_CTX *ssl_ctx;
|
||||
} APP_HTTP_TLS_INFO;
|
||||
BIO *app_http_tls_cb(BIO *hbio, /* APP_HTTP_TLS_INFO */ void *arg,
|
||||
int connect, int detail);
|
||||
void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info);
|
||||
# ifndef OPENSSL_NO_SOCK
|
||||
ASN1_VALUE *app_http_get_asn1(const char *url, const char *proxy,
|
||||
const char *no_proxy, SSL_CTX *ssl_ctx,
|
||||
const STACK_OF(CONF_VALUE) *headers,
|
||||
long timeout, const char *expected_content_type,
|
||||
const ASN1_ITEM *it);
|
||||
ASN1_VALUE *app_http_post_asn1(const char *host, const char *port,
|
||||
const char *path, const char *proxy,
|
||||
const char *no_proxy, SSL_CTX *ctx,
|
||||
const STACK_OF(CONF_VALUE) *headers,
|
||||
const char *content_type,
|
||||
ASN1_VALUE *req, const ASN1_ITEM *req_it,
|
||||
const char *expected_content_type,
|
||||
long timeout, const ASN1_ITEM *rsp_it);
|
||||
# endif
|
||||
|
||||
# define EXT_COPY_NONE 0
|
||||
# define EXT_COPY_ADD 1
|
||||
# define EXT_COPY_ALL 2
|
||||
|
||||
# define NETSCAPE_CERT_HDR "certificate"
|
||||
|
||||
# define APP_PASS_LEN 1024
|
||||
|
||||
/*
|
||||
* IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
|
||||
* so that the first bit will never be one, so that the DER encoding
|
||||
* rules won't force a leading octet.
|
||||
*/
|
||||
# define SERIAL_RAND_BITS 159
|
||||
|
||||
int app_isdir(const char *);
|
||||
int app_access(const char *, int flag);
|
||||
int fileno_stdin(void);
|
||||
int fileno_stdout(void);
|
||||
int raw_read_stdin(void *, int);
|
||||
int raw_write_stdout(const void *, int);
|
||||
|
||||
# define TM_START 0
|
||||
# define TM_STOP 1
|
||||
double app_tminterval(int stop, int usertime);
|
||||
|
||||
void make_uppercase(char *string);
|
||||
|
||||
typedef struct verify_options_st {
|
||||
int depth;
|
||||
int quiet;
|
||||
int error;
|
||||
int return_error;
|
||||
} VERIFY_CB_ARGS;
|
||||
|
||||
extern VERIFY_CB_ARGS verify_args;
|
||||
|
||||
OSSL_PARAM *app_params_new_from_opts(STACK_OF(OPENSSL_STRING) *opts,
|
||||
const OSSL_PARAM *paramdefs);
|
||||
void app_params_free(OSSL_PARAM *params);
|
||||
int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name);
|
||||
void app_providers_cleanup(void);
|
||||
|
||||
EVP_PKEY *app_keygen(EVP_PKEY_CTX *ctx, const char *alg, int bits, int verbose);
|
||||
EVP_PKEY *app_paramgen(EVP_PKEY_CTX *ctx, const char *alg);
|
||||
|
||||
#endif
|
29
crypto/openssl/apps/include/apps_ui.h
Normal file
29
crypto/openssl/apps/include/apps_ui.h
Normal file
@ -0,0 +1,29 @@
|
||||
/*
|
||||
* Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_UI_H
|
||||
# define OSSL_APPS_UI_H
|
||||
|
||||
|
||||
# define PW_MIN_LENGTH 4
|
||||
typedef struct pw_cb_data {
|
||||
const void *password;
|
||||
const char *prompt_info;
|
||||
} PW_CB_DATA;
|
||||
|
||||
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
|
||||
|
||||
int setup_ui_method(void);
|
||||
void destroy_ui_method(void);
|
||||
int set_base_ui_method(const UI_METHOD *ui_method);
|
||||
const UI_METHOD *get_ui_method(void);
|
||||
|
||||
extern BIO *bio_err;
|
||||
|
||||
#endif
|
35
crypto/openssl/apps/include/cmp_mock_srv.h
Normal file
35
crypto/openssl/apps/include/cmp_mock_srv.h
Normal file
@ -0,0 +1,35 @@
|
||||
/*
|
||||
* Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright Siemens AG 2018-2020
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_CMP_MOCK_SRV_H
|
||||
# define OSSL_APPS_CMP_MOCK_SRV_H
|
||||
|
||||
# include <openssl/opensslconf.h>
|
||||
# ifndef OPENSSL_NO_CMP
|
||||
|
||||
# include <openssl/cmp.h>
|
||||
|
||||
OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx,
|
||||
const char *propq);
|
||||
void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);
|
||||
|
||||
int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);
|
||||
int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
STACK_OF(X509) *chain);
|
||||
int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
STACK_OF(X509) *caPubs);
|
||||
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
|
||||
int fail_info, const char *text);
|
||||
int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);
|
||||
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count);
|
||||
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec);
|
||||
|
||||
# endif /* !defined(OPENSSL_NO_CMP) */
|
||||
#endif /* !defined(OSSL_APPS_CMP_MOCK_SRV_H) */
|
23
crypto/openssl/apps/include/ec_common.h
Normal file
23
crypto/openssl/apps/include/ec_common.h
Normal file
@ -0,0 +1,23 @@
|
||||
/*
|
||||
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OPENSSL_NO_EC
|
||||
static const char *point_format_options[] = {
|
||||
"uncompressed",
|
||||
"compressed",
|
||||
"hybrid",
|
||||
NULL
|
||||
};
|
||||
|
||||
static const char *asn1_encoding_options[] = {
|
||||
"named_curve",
|
||||
"explicit",
|
||||
NULL
|
||||
};
|
||||
#endif
|
21
crypto/openssl/apps/include/engine_loader.h
Normal file
21
crypto/openssl/apps/include/engine_loader.h
Normal file
@ -0,0 +1,21 @@
|
||||
/*
|
||||
* Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
#ifndef HEADER_ENGINE_LOADER_H
|
||||
# define HEADER_ENGINE_LOADER_H
|
||||
|
||||
# include <openssl/store.h>
|
||||
|
||||
/* this is a private URI scheme */
|
||||
# define ENGINE_SCHEME "org.openssl.engine"
|
||||
# define ENGINE_SCHEME_COLON (ENGINE_SCHEME ":")
|
||||
|
||||
int setup_engine_loader(void);
|
||||
void destroy_engine_loader(void);
|
||||
|
||||
#endif
|
45
crypto/openssl/apps/include/fmt.h
Normal file
45
crypto/openssl/apps/include/fmt.h
Normal file
@ -0,0 +1,45 @@
|
||||
/*
|
||||
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* Options are shared by apps (see apps.h) and the test system
|
||||
* (see test/testutil.h').
|
||||
* In order to remove the dependency between apps and options, the following
|
||||
* shared fields have been moved into this file.
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_FMT_H
|
||||
#define OSSL_APPS_FMT_H
|
||||
|
||||
/*
|
||||
* On some platforms, it's important to distinguish between text and binary
|
||||
* files. On some, there might even be specific file formats for different
|
||||
* contents. The FORMAT_xxx macros are meant to express an intent with the
|
||||
* file being read or created.
|
||||
*/
|
||||
# define B_FORMAT_TEXT 0x8000
|
||||
# define FORMAT_UNDEF 0
|
||||
# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
|
||||
# define FORMAT_BINARY 2 /* Generic binary */
|
||||
# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
|
||||
# define FORMAT_ASN1 4 /* ASN.1/DER */
|
||||
# define FORMAT_PEM (5 | B_FORMAT_TEXT)
|
||||
# define FORMAT_PKCS12 6
|
||||
# define FORMAT_SMIME (7 | B_FORMAT_TEXT)
|
||||
# define FORMAT_ENGINE 8 /* Not really a file format */
|
||||
# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPublicKey format */
|
||||
# define FORMAT_ASN1RSA 10 /* DER RSAPublicKey format */
|
||||
# define FORMAT_MSBLOB 11 /* MS Key blob format */
|
||||
# define FORMAT_PVK 12 /* MS PVK file format */
|
||||
# define FORMAT_HTTP 13 /* Download using HTTP */
|
||||
# define FORMAT_NSS 14 /* NSS keylog format */
|
||||
|
||||
int FMT_istext(int format);
|
||||
|
||||
#endif /* OSSL_APPS_FMT_H_ */
|
44
crypto/openssl/apps/include/function.h
Normal file
44
crypto/openssl/apps/include/function.h
Normal file
@ -0,0 +1,44 @@
|
||||
/*
|
||||
* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_FUNCTION_H
|
||||
# define OSSL_APPS_FUNCTION_H
|
||||
|
||||
# include <openssl/lhash.h>
|
||||
# include "opt.h"
|
||||
|
||||
#define DEPRECATED_NO_ALTERNATIVE "unknown"
|
||||
|
||||
typedef enum FUNC_TYPE {
|
||||
FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
|
||||
FT_md_alg, FT_cipher_alg
|
||||
} FUNC_TYPE;
|
||||
|
||||
typedef struct function_st {
|
||||
FUNC_TYPE type;
|
||||
const char *name;
|
||||
int (*func)(int argc, char *argv[]);
|
||||
const OPTIONS *help;
|
||||
const char *deprecated_alternative;
|
||||
const char *deprecated_version;
|
||||
} FUNCTION;
|
||||
|
||||
DEFINE_LHASH_OF(FUNCTION);
|
||||
|
||||
/* Structure to hold the number of columns to be displayed and the
|
||||
* field width used to display them.
|
||||
*/
|
||||
typedef struct {
|
||||
int columns;
|
||||
int width;
|
||||
} DISPLAY_COLUMNS;
|
||||
|
||||
void calculate_columns(FUNCTION *functions, DISPLAY_COLUMNS *dc);
|
||||
|
||||
#endif
|
125
crypto/openssl/apps/include/http_server.h
Normal file
125
crypto/openssl/apps/include/http_server.h
Normal file
@ -0,0 +1,125 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_HTTP_SERVER_H
|
||||
# define OSSL_HTTP_SERVER_H
|
||||
|
||||
# include "apps.h"
|
||||
|
||||
# ifndef HAVE_FORK
|
||||
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
|
||||
# define HAVE_FORK 0
|
||||
# else
|
||||
# define HAVE_FORK 1
|
||||
# endif
|
||||
# endif
|
||||
|
||||
# if HAVE_FORK
|
||||
# undef NO_FORK
|
||||
# else
|
||||
# define NO_FORK
|
||||
# endif
|
||||
|
||||
# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
|
||||
&& !defined(OPENSSL_NO_POSIX_IO)
|
||||
# define HTTP_DAEMON
|
||||
# include <sys/types.h>
|
||||
# include <sys/wait.h>
|
||||
# include <syslog.h>
|
||||
# include <signal.h>
|
||||
# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
|
||||
# else
|
||||
# undef LOG_DEBUG
|
||||
# undef LOG_INFO
|
||||
# undef LOG_WARNING
|
||||
# undef LOG_ERR
|
||||
# define LOG_DEBUG 7
|
||||
# define LOG_INFO 6
|
||||
# define LOG_WARNING 4
|
||||
# define LOG_ERR 3
|
||||
# endif
|
||||
|
||||
/*-
|
||||
* Log a message to syslog if multi-threaded HTTP_DAEMON, else to bio_err
|
||||
* prog: the name of the current app
|
||||
* level: the severity of the message, e.g., LOG_ERR
|
||||
* fmt: message with potential extra parameters like with printf()
|
||||
* returns nothing
|
||||
*/
|
||||
void log_message(const char *prog, int level, const char *fmt, ...);
|
||||
|
||||
# ifndef OPENSSL_NO_SOCK
|
||||
/*-
|
||||
* Initialize an HTTP server by setting up its listening BIO
|
||||
* prog: the name of the current app
|
||||
* port: the port to listen on
|
||||
* returns a BIO for accepting requests, NULL on error
|
||||
*/
|
||||
BIO *http_server_init_bio(const char *prog, const char *port);
|
||||
|
||||
/*-
|
||||
* Accept an ASN.1-formatted HTTP request
|
||||
* it: the expected request ASN.1 type
|
||||
* preq: pointer to variable where to place the parsed request
|
||||
* ppath: pointer to variable where to place the request path, or NULL
|
||||
* pcbio: pointer to variable where to place the BIO for sending the response to
|
||||
* acbio: the listening bio (typically as returned by http_server_init_bio())
|
||||
* found_keep_alive: for returning flag if client requests persistent connection
|
||||
* prog: the name of the current app, for diagnostics only
|
||||
* port: the local port listening to, for diagnostics only
|
||||
* accept_get: whether to accept GET requests (in addition to POST requests)
|
||||
* timeout: connection timeout (in seconds), or 0 for none/infinite
|
||||
* returns 0 in case caller should retry, then *preq == *ppath == *pcbio == NULL
|
||||
* returns -1 on fatal error; also then holds *preq == *ppath == *pcbio == NULL
|
||||
* returns 1 otherwise. In this case it is guaranteed that *pcbio != NULL while
|
||||
* *ppath == NULL and *preq == NULL if and only if the request is invalid,
|
||||
* On return value 1 the caller is responsible for sending an HTTP response,
|
||||
* using http_server_send_asn1_resp() or http_server_send_status().
|
||||
* The caller must free any non-NULL *preq, *ppath, and *pcbio pointers.
|
||||
*/
|
||||
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
|
||||
char **ppath, BIO **pcbio, BIO *acbio,
|
||||
int *found_keep_alive,
|
||||
const char *prog, const char *port,
|
||||
int accept_get, int timeout);
|
||||
|
||||
/*-
|
||||
* Send an ASN.1-formatted HTTP response
|
||||
* cbio: destination BIO (typically as returned by http_server_get_asn1_req())
|
||||
* note: cbio should not do an encoding that changes the output length
|
||||
* keep_alive: grant persistent connnection
|
||||
* content_type: string identifying the type of the response
|
||||
* it: the response ASN.1 type
|
||||
* resp: the response to send
|
||||
* returns 1 on success, 0 on failure
|
||||
*/
|
||||
int http_server_send_asn1_resp(BIO *cbio, int keep_alive,
|
||||
const char *content_type,
|
||||
const ASN1_ITEM *it, const ASN1_VALUE *resp);
|
||||
|
||||
/*-
|
||||
* Send a trivial HTTP response, typically to report an error or OK
|
||||
* cbio: destination BIO (typically as returned by http_server_get_asn1_req())
|
||||
* status: the status code to send
|
||||
* reason: the corresponding human-readable string
|
||||
* returns 1 on success, 0 on failure
|
||||
*/
|
||||
int http_server_send_status(BIO *cbio, int status, const char *reason);
|
||||
|
||||
# endif
|
||||
|
||||
# ifdef HTTP_DAEMON
|
||||
extern int multi;
|
||||
extern int acfd;
|
||||
|
||||
void socket_timeout(int signum);
|
||||
void spawn_loop(const char *prog);
|
||||
# endif
|
||||
|
||||
#endif
|
17
crypto/openssl/apps/include/names.h
Normal file
17
crypto/openssl/apps/include/names.h
Normal file
@ -0,0 +1,17 @@
|
||||
/*
|
||||
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/safestack.h>
|
||||
|
||||
/* Standard comparing function for names */
|
||||
int name_cmp(const char * const *a, const char * const *b);
|
||||
/* collect_names is meant to be used with EVP_{type}_doall_names */
|
||||
void collect_names(const char *name, void *vdata);
|
||||
/* Sorts and prints a stack of names to |out| */
|
||||
void print_names(BIO *out, STACK_OF(OPENSSL_CSTRING) *names);
|
@ -1,92 +1,20 @@
|
||||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
#ifndef OSSL_APPS_OPT_H
|
||||
#define OSSL_APPS_OPT_H
|
||||
|
||||
#ifndef OSSL_APPS_H
|
||||
# define OSSL_APPS_H
|
||||
#include <sys/types.h>
|
||||
#include <openssl/e_os2.h>
|
||||
#include <openssl/types.h>
|
||||
#include <stdarg.h>
|
||||
|
||||
# include "e_os.h" /* struct timeval for DTLS */
|
||||
# include "internal/nelem.h"
|
||||
# include <assert.h>
|
||||
|
||||
# include <sys/types.h>
|
||||
# ifndef OPENSSL_NO_POSIX_IO
|
||||
# include <sys/stat.h>
|
||||
# include <fcntl.h>
|
||||
# endif
|
||||
|
||||
# include <openssl/e_os2.h>
|
||||
# include <openssl/ossl_typ.h>
|
||||
# include <openssl/bio.h>
|
||||
# include <openssl/x509.h>
|
||||
# include <openssl/conf.h>
|
||||
# include <openssl/txt_db.h>
|
||||
# include <openssl/engine.h>
|
||||
# include <openssl/ocsp.h>
|
||||
# include <signal.h>
|
||||
|
||||
# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
|
||||
# define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
|
||||
# else
|
||||
# define openssl_fdset(a,b) FD_SET(a, b)
|
||||
# endif
|
||||
|
||||
/*
|
||||
* quick macro when you need to pass an unsigned char instead of a char.
|
||||
* this is true for some implementations of the is*() functions, for
|
||||
* example.
|
||||
*/
|
||||
#define _UC(c) ((unsigned char)(c))
|
||||
|
||||
void app_RAND_load_conf(CONF *c, const char *section);
|
||||
void app_RAND_write(void);
|
||||
|
||||
extern char *default_config_file;
|
||||
extern BIO *bio_in;
|
||||
extern BIO *bio_out;
|
||||
extern BIO *bio_err;
|
||||
extern const unsigned char tls13_aes128gcmsha256_id[];
|
||||
extern const unsigned char tls13_aes256gcmsha384_id[];
|
||||
extern BIO_ADDR *ourpeer;
|
||||
|
||||
BIO_METHOD *apps_bf_prefix(void);
|
||||
/*
|
||||
* The control used to set the prefix with BIO_ctrl()
|
||||
* We make it high enough so the chance of ever clashing with the BIO library
|
||||
* remains unlikely for the foreseeable future and beyond.
|
||||
*/
|
||||
#define PREFIX_CTRL_SET_PREFIX (1 << 15)
|
||||
/*
|
||||
* apps_bf_prefix() returns a dynamically created BIO_METHOD, which we
|
||||
* need to destroy at some point. When created internally, it's stored
|
||||
* in an internal pointer which can be freed with the following function
|
||||
*/
|
||||
void destroy_prefix_method(void);
|
||||
|
||||
BIO *dup_bio_in(int format);
|
||||
BIO *dup_bio_out(int format);
|
||||
BIO *dup_bio_err(int format);
|
||||
BIO *bio_open_owner(const char *filename, int format, int private);
|
||||
BIO *bio_open_default(const char *filename, char mode, int format);
|
||||
BIO *bio_open_default_quiet(const char *filename, char mode, int format);
|
||||
CONF *app_load_config_bio(BIO *in, const char *filename);
|
||||
CONF *app_load_config(const char *filename);
|
||||
CONF *app_load_config_quiet(const char *filename);
|
||||
int app_load_modules(const CONF *config);
|
||||
void unbuffer(FILE *fp);
|
||||
void wait_for_async(SSL *s);
|
||||
# if defined(OPENSSL_SYS_MSDOS)
|
||||
int has_stdin_waiting(void);
|
||||
# endif
|
||||
|
||||
void corrupt_signature(const ASN1_STRING *signature);
|
||||
int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
int days);
|
||||
#define OPT_COMMON OPT_ERR = -1, OPT_EOF = 0, OPT_HELP
|
||||
|
||||
/*
|
||||
* Common verification options.
|
||||
@ -106,6 +34,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
OPT_V__LAST
|
||||
|
||||
# define OPT_V_OPTIONS \
|
||||
OPT_SECTION("Validation"), \
|
||||
{ "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
|
||||
{ "purpose", OPT_V_PURPOSE, 's', \
|
||||
"certificate chain purpose"}, \
|
||||
@ -198,15 +127,16 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
OPT_X__LAST
|
||||
|
||||
# define OPT_X_OPTIONS \
|
||||
OPT_SECTION("Extended certificate"), \
|
||||
{ "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
|
||||
{ "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
|
||||
{ "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
|
||||
{ "xchain_build", OPT_X_CHAIN_BUILD, '-', \
|
||||
"build certificate chain for the extended certificates"}, \
|
||||
{ "xcertform", OPT_X_CERTFORM, 'F', \
|
||||
"format of Extended certificate (PEM or DER) PEM default " }, \
|
||||
"format of Extended certificate (PEM/DER/P12); has no effect" }, \
|
||||
{ "xkeyform", OPT_X_KEYFORM, 'F', \
|
||||
"format of Extended certificate's key (PEM or DER) PEM default"}
|
||||
"format of Extended certificate's key (DER/PEM/P12); has no effect"}
|
||||
|
||||
# define OPT_X_CASES \
|
||||
OPT_X__FIRST: case OPT_X__LAST: break; \
|
||||
@ -225,16 +155,18 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
OPT_S__FIRST=3000, \
|
||||
OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
|
||||
OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
|
||||
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
|
||||
OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, \
|
||||
OPT_S_LEGACYCONN, \
|
||||
OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \
|
||||
OPT_S_PRIORITIZE_CHACHA, \
|
||||
OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
|
||||
OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
|
||||
OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
|
||||
OPT_S_MINPROTO, OPT_S_MAXPROTO, \
|
||||
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
|
||||
OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S_NO_ETM, OPT_S__LAST
|
||||
|
||||
# define OPT_S_OPTIONS \
|
||||
OPT_SECTION("TLS/SSL"), \
|
||||
{"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
|
||||
{"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
|
||||
{"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
|
||||
@ -248,6 +180,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
{"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
|
||||
{"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
|
||||
"Enable use of legacy renegotiation (dangerous)"}, \
|
||||
{"client_renegotiation", OPT_S_CLIENTRENEG, '-', \
|
||||
"Allow client-initiated renegotiation" }, \
|
||||
{"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
|
||||
"Disable all renegotiation."}, \
|
||||
{"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
|
||||
@ -282,7 +216,9 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
{"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
|
||||
"Perform all sorts of protocol violations for testing purposes"}, \
|
||||
{"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
|
||||
"Disable TLSv1.3 middlebox compat mode" }
|
||||
"Disable TLSv1.3 middlebox compat mode" }, \
|
||||
{"no_etm", OPT_S_NO_ETM, '-', \
|
||||
"Disable Encrypt-then-Mac extension"}
|
||||
|
||||
# define OPT_S_CASES \
|
||||
OPT_S__FIRST: case OPT_S__LAST: break; \
|
||||
@ -297,6 +233,7 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
case OPT_S_NOTICKET: \
|
||||
case OPT_S_SERVERPREF: \
|
||||
case OPT_S_LEGACYRENEG: \
|
||||
case OPT_S_CLIENTRENEG: \
|
||||
case OPT_S_LEGACYCONN: \
|
||||
case OPT_S_ONRESUMP: \
|
||||
case OPT_S_NOLEGACYCONN: \
|
||||
@ -315,7 +252,8 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
case OPT_S_MINPROTO: \
|
||||
case OPT_S_MAXPROTO: \
|
||||
case OPT_S_DEBUGBROKE: \
|
||||
case OPT_S_NO_MIDDLEBOX
|
||||
case OPT_S_NO_MIDDLEBOX: \
|
||||
case OPT_S_NO_ETM
|
||||
|
||||
#define IS_NO_PROT_FLAG(o) \
|
||||
(o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
|
||||
@ -328,18 +266,45 @@ int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
||||
OPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
|
||||
|
||||
# define OPT_R_OPTIONS \
|
||||
{"rand", OPT_R_RAND, 's', "Load the file(s) into the random number generator"}, \
|
||||
OPT_SECTION("Random state"), \
|
||||
{"rand", OPT_R_RAND, 's', "Load the given file(s) into the random number generator"}, \
|
||||
{"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"}
|
||||
|
||||
# define OPT_R_CASES \
|
||||
OPT_R__FIRST: case OPT_R__LAST: break; \
|
||||
case OPT_R_RAND: case OPT_R_WRITERAND
|
||||
|
||||
/*
|
||||
* Provider options.
|
||||
*/
|
||||
# define OPT_PROV_ENUM \
|
||||
OPT_PROV__FIRST=1600, \
|
||||
OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH, OPT_PROV_PROPQUERY, \
|
||||
OPT_PROV__LAST
|
||||
|
||||
# define OPT_CONFIG_OPTION \
|
||||
{ "config", OPT_CONFIG, '<', "Load a configuration file (this may load modules)" }
|
||||
|
||||
# define OPT_PROV_OPTIONS \
|
||||
OPT_SECTION("Provider"), \
|
||||
{ "provider-path", OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, \
|
||||
{ "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, \
|
||||
{ "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" }
|
||||
|
||||
# define OPT_PROV_CASES \
|
||||
OPT_PROV__FIRST: case OPT_PROV__LAST: break; \
|
||||
case OPT_PROV_PROVIDER: \
|
||||
case OPT_PROV_PROVIDER_PATH: \
|
||||
case OPT_PROV_PROPQUERY
|
||||
|
||||
/*
|
||||
* Option parsing.
|
||||
*/
|
||||
extern const char OPT_HELP_STR[];
|
||||
extern const char OPT_MORE_STR[];
|
||||
extern const char OPT_SECTION_STR[];
|
||||
extern const char OPT_PARAM_STR[];
|
||||
|
||||
typedef struct options_st {
|
||||
const char *name;
|
||||
int retval;
|
||||
@ -352,6 +317,9 @@ typedef struct options_st {
|
||||
int valtype;
|
||||
const char *helpstr;
|
||||
} OPTIONS;
|
||||
/* Special retval values: */
|
||||
#define OPT_PARAM 0 /* same as OPT_EOF usually defined in apps */
|
||||
#define OPT_DUP -2 /* marks duplicate occurrence of option in help output */
|
||||
|
||||
/*
|
||||
* A string/int pairing; widely use for option value lookup, hence the
|
||||
@ -381,255 +349,52 @@ typedef struct string_int_pair_st {
|
||||
OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \
|
||||
OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
|
||||
|
||||
char *opt_progname(const char *argv0);
|
||||
char *opt_getprog(void);
|
||||
/* Divide options into sections when displaying usage */
|
||||
#define OPT_SECTION(sec) { OPT_SECTION_STR, 1, '-', sec " options:\n" }
|
||||
#define OPT_PARAMETERS() { OPT_PARAM_STR, 1, '-', "Parameters:\n" }
|
||||
|
||||
const char *opt_path_end(const char *filename);
|
||||
char *opt_init(int ac, char **av, const OPTIONS * o);
|
||||
char *opt_progname(const char *argv0);
|
||||
char *opt_appname(const char *argv0);
|
||||
char *opt_getprog(void);
|
||||
void opt_help(const OPTIONS * list);
|
||||
|
||||
void opt_begin(void);
|
||||
int opt_next(void);
|
||||
int opt_format(const char *s, unsigned long flags, int *result);
|
||||
int opt_int(const char *arg, int *result);
|
||||
int opt_ulong(const char *arg, unsigned long *result);
|
||||
int opt_long(const char *arg, long *result);
|
||||
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
|
||||
defined(INTMAX_MAX) && defined(UINTMAX_MAX)
|
||||
int opt_imax(const char *arg, intmax_t *result);
|
||||
int opt_umax(const char *arg, uintmax_t *result);
|
||||
#else
|
||||
# define opt_imax opt_long
|
||||
# define opt_umax opt_ulong
|
||||
# define intmax_t long
|
||||
# define uintmax_t unsigned long
|
||||
#endif
|
||||
int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
|
||||
int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
|
||||
int opt_md(const char *name, const EVP_MD **mdp);
|
||||
char *opt_arg(void);
|
||||
char *opt_flag(void);
|
||||
char *opt_arg(void);
|
||||
char *opt_unknown(void);
|
||||
char **opt_rest(void);
|
||||
int opt_num_rest(void);
|
||||
int opt_cipher(const char *name, EVP_CIPHER **cipherp);
|
||||
int opt_cipher_any(const char *name, EVP_CIPHER **cipherp);
|
||||
int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp);
|
||||
int opt_md(const char *name, EVP_MD **mdp);
|
||||
int opt_md_silent(const char *name, EVP_MD **mdp);
|
||||
|
||||
int opt_int(const char *arg, int *result);
|
||||
int opt_int_arg(void);
|
||||
int opt_long(const char *arg, long *result);
|
||||
int opt_ulong(const char *arg, unsigned long *result);
|
||||
int opt_intmax(const char *arg, ossl_intmax_t *result);
|
||||
int opt_uintmax(const char *arg, ossl_uintmax_t *result);
|
||||
|
||||
int opt_isdir(const char *name);
|
||||
int opt_format(const char *s, unsigned long flags, int *result);
|
||||
void print_format_error(int format, unsigned long flags);
|
||||
int opt_printf_stderr(const char *fmt, ...);
|
||||
int opt_string(const char *name, const char **options);
|
||||
int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
|
||||
|
||||
int opt_verify(int i, X509_VERIFY_PARAM *vpm);
|
||||
int opt_rand(int i);
|
||||
void opt_help(const OPTIONS * list);
|
||||
int opt_format_error(const char *s, unsigned long flags);
|
||||
int opt_provider(int i);
|
||||
int opt_provider_option_given(void);
|
||||
|
||||
typedef struct args_st {
|
||||
int size;
|
||||
int argc;
|
||||
char **argv;
|
||||
} ARGS;
|
||||
char **opt_rest(void);
|
||||
int opt_num_rest(void);
|
||||
|
||||
/*
|
||||
* VMS C only for now, implemented in vms_decc_init.c
|
||||
* If other C compilers forget to terminate argv with NULL, this function
|
||||
* can be re-used.
|
||||
*/
|
||||
char **copy_argv(int *argc, char *argv[]);
|
||||
/*
|
||||
* Win32-specific argv initialization that splits OS-supplied UNICODE
|
||||
* command line string to array of UTF8-encoded strings.
|
||||
*/
|
||||
void win32_utf8argv(int *argc, char **argv[]);
|
||||
/* Returns non-zero if legacy paths are still available */
|
||||
int opt_legacy_okay(void);
|
||||
|
||||
|
||||
# define PW_MIN_LENGTH 4
|
||||
typedef struct pw_cb_data {
|
||||
const void *password;
|
||||
const char *prompt_info;
|
||||
} PW_CB_DATA;
|
||||
|
||||
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
|
||||
|
||||
int setup_ui_method(void);
|
||||
void destroy_ui_method(void);
|
||||
const UI_METHOD *get_ui_method(void);
|
||||
|
||||
int chopup_args(ARGS *arg, char *buf);
|
||||
int dump_cert_text(BIO *out, X509 *x);
|
||||
void print_name(BIO *out, const char *title, X509_NAME *nm,
|
||||
unsigned long lflags);
|
||||
void print_bignum_var(BIO *, const BIGNUM *, const char*,
|
||||
int, unsigned char *);
|
||||
void print_array(BIO *, const char *, int, const unsigned char *);
|
||||
int set_nameopt(const char *arg);
|
||||
unsigned long get_nameopt(void);
|
||||
int set_cert_ex(unsigned long *flags, const char *arg);
|
||||
int set_name_ex(unsigned long *flags, const char *arg);
|
||||
int set_ext_copy(int *copy_type, const char *arg);
|
||||
int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
|
||||
int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
|
||||
int add_oid_section(CONF *conf);
|
||||
X509 *load_cert(const char *file, int format, const char *cert_descrip);
|
||||
X509_CRL *load_crl(const char *infile, int format);
|
||||
EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
|
||||
const char *pass, ENGINE *e, const char *key_descrip);
|
||||
EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
|
||||
const char *pass, ENGINE *e, const char *key_descrip);
|
||||
int load_certs(const char *file, STACK_OF(X509) **certs, int format,
|
||||
const char *pass, const char *cert_descrip);
|
||||
int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
|
||||
const char *pass, const char *cert_descrip);
|
||||
X509_STORE *setup_verify(const char *CAfile, const char *CApath,
|
||||
int noCAfile, int noCApath);
|
||||
__owur int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
|
||||
const char *CApath, int noCAfile,
|
||||
int noCApath);
|
||||
|
||||
#ifndef OPENSSL_NO_CT
|
||||
|
||||
/*
|
||||
* Sets the file to load the Certificate Transparency log list from.
|
||||
* If path is NULL, loads from the default file path.
|
||||
* Returns 1 on success, 0 otherwise.
|
||||
*/
|
||||
__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
|
||||
|
||||
#endif
|
||||
|
||||
ENGINE *setup_engine(const char *engine, int debug);
|
||||
void release_engine(ENGINE *e);
|
||||
|
||||
# ifndef OPENSSL_NO_OCSP
|
||||
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
|
||||
const char *host, const char *path,
|
||||
const char *port, int use_ssl,
|
||||
STACK_OF(CONF_VALUE) *headers,
|
||||
int req_timeout);
|
||||
# endif
|
||||
|
||||
/* Functions defined in ca.c and also used in ocsp.c */
|
||||
int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
|
||||
ASN1_GENERALIZEDTIME **pinvtm, const char *str);
|
||||
|
||||
# define DB_type 0
|
||||
# define DB_exp_date 1
|
||||
# define DB_rev_date 2
|
||||
# define DB_serial 3 /* index - unique */
|
||||
# define DB_file 4
|
||||
# define DB_name 5 /* index - unique when active and not
|
||||
* disabled */
|
||||
# define DB_NUMBER 6
|
||||
|
||||
# define DB_TYPE_REV 'R' /* Revoked */
|
||||
# define DB_TYPE_EXP 'E' /* Expired */
|
||||
# define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
|
||||
# define DB_TYPE_SUSP 'S' /* Suspended */
|
||||
|
||||
typedef struct db_attr_st {
|
||||
int unique_subject;
|
||||
} DB_ATTR;
|
||||
typedef struct ca_db_st {
|
||||
DB_ATTR attributes;
|
||||
TXT_DB *db;
|
||||
char *dbfname;
|
||||
# ifndef OPENSSL_NO_POSIX_IO
|
||||
struct stat dbst;
|
||||
# endif
|
||||
} CA_DB;
|
||||
|
||||
void* app_malloc(int sz, const char *what);
|
||||
|
||||
/* load_serial, save_serial, and rotate_serial are also used for CRL numbers */
|
||||
BIGNUM *load_serial(const char *serialfile, int *exists, int create,
|
||||
ASN1_INTEGER **retai);
|
||||
int save_serial(const char *serialfile, const char *suffix,
|
||||
const BIGNUM *serial, ASN1_INTEGER **retai);
|
||||
int rotate_serial(const char *serialfile, const char *new_suffix,
|
||||
const char *old_suffix);
|
||||
int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
|
||||
CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr);
|
||||
int index_index(CA_DB *db);
|
||||
int save_index(const char *dbfile, const char *suffix, CA_DB *db);
|
||||
int rotate_index(const char *dbfile, const char *new_suffix,
|
||||
const char *old_suffix);
|
||||
void free_index(CA_DB *db);
|
||||
# define index_name_cmp_noconst(a, b) \
|
||||
index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
|
||||
(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
|
||||
int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
|
||||
int parse_yesno(const char *str, int def);
|
||||
|
||||
X509_NAME *parse_name(const char *str, long chtype, int multirdn);
|
||||
void policies_print(X509_STORE_CTX *ctx);
|
||||
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
|
||||
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
|
||||
int init_gen_str(EVP_PKEY_CTX **pctx,
|
||||
const char *algname, ENGINE *e, int do_param);
|
||||
int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
|
||||
STACK_OF(OPENSSL_STRING) *sigopts);
|
||||
|
||||
extern char *psk_key;
|
||||
|
||||
|
||||
unsigned char *next_protos_parse(size_t *outlen, const char *in);
|
||||
|
||||
void print_cert_checks(BIO *bio, X509 *x,
|
||||
const char *checkhost,
|
||||
const char *checkemail, const char *checkip);
|
||||
|
||||
void store_setup_crl_download(X509_STORE *st);
|
||||
|
||||
/* See OPT_FMT_xxx, above. */
|
||||
/* On some platforms, it's important to distinguish between text and binary
|
||||
* files. On some, there might even be specific file formats for different
|
||||
* contents. The FORMAT_xxx macros are meant to express an intent with the
|
||||
* file being read or created.
|
||||
*/
|
||||
# define B_FORMAT_TEXT 0x8000
|
||||
# define FORMAT_UNDEF 0
|
||||
# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
|
||||
# define FORMAT_BINARY 2 /* Generic binary */
|
||||
# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
|
||||
# define FORMAT_ASN1 4 /* ASN.1/DER */
|
||||
# define FORMAT_PEM (5 | B_FORMAT_TEXT)
|
||||
# define FORMAT_PKCS12 6
|
||||
# define FORMAT_SMIME (7 | B_FORMAT_TEXT)
|
||||
# define FORMAT_ENGINE 8 /* Not really a file format */
|
||||
# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPubicKey format */
|
||||
# define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */
|
||||
# define FORMAT_MSBLOB 11 /* MS Key blob format */
|
||||
# define FORMAT_PVK 12 /* MS PVK file format */
|
||||
# define FORMAT_HTTP 13 /* Download using HTTP */
|
||||
# define FORMAT_NSS 14 /* NSS keylog format */
|
||||
|
||||
# define EXT_COPY_NONE 0
|
||||
# define EXT_COPY_ADD 1
|
||||
# define EXT_COPY_ALL 2
|
||||
|
||||
# define NETSCAPE_CERT_HDR "certificate"
|
||||
|
||||
# define APP_PASS_LEN 1024
|
||||
|
||||
/*
|
||||
* IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
|
||||
* so that the first bit will never be one, so that the DER encoding
|
||||
* rules won't force a leading octet.
|
||||
*/
|
||||
# define SERIAL_RAND_BITS 159
|
||||
|
||||
int app_isdir(const char *);
|
||||
int app_access(const char *, int flag);
|
||||
int fileno_stdin(void);
|
||||
int fileno_stdout(void);
|
||||
int raw_read_stdin(void *, int);
|
||||
int raw_write_stdout(const void *, int);
|
||||
|
||||
# define TM_START 0
|
||||
# define TM_STOP 1
|
||||
double app_tminterval(int stop, int usertime);
|
||||
|
||||
void make_uppercase(char *string);
|
||||
|
||||
typedef struct verify_options_st {
|
||||
int depth;
|
||||
int quiet;
|
||||
int error;
|
||||
int return_error;
|
||||
} VERIFY_CB_ARGS;
|
||||
|
||||
extern VERIFY_CB_ARGS verify_args;
|
||||
|
||||
#endif
|
||||
#endif /* OSSL_APPS_OPT_H */
|
32
crypto/openssl/apps/include/platform.h
Normal file
32
crypto/openssl/apps/include/platform.h
Normal file
@ -0,0 +1,32 @@
|
||||
/*
|
||||
* Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_PLATFORM_H
|
||||
# define OSSL_APPS_PLATFORM_H
|
||||
|
||||
# include <openssl/e_os2.h>
|
||||
|
||||
# if defined(OPENSSL_SYS_VMS) && defined(__DECC)
|
||||
/*
|
||||
* VMS C only for now, implemented in vms_decc_init.c
|
||||
* If other C compilers forget to terminate argv with NULL, this function
|
||||
* can be re-used.
|
||||
*/
|
||||
char **copy_argv(int *argc, char *argv[]);
|
||||
# endif
|
||||
|
||||
# ifdef _WIN32
|
||||
/*
|
||||
* Win32-specific argv initialization that splits OS-supplied UNICODE
|
||||
* command line string to array of UTF8-encoded strings.
|
||||
*/
|
||||
void win32_utf8argv(int *argc, char **argv[]);
|
||||
# endif
|
||||
|
||||
#endif
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -10,11 +10,13 @@
|
||||
#include <openssl/opensslconf.h>
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
#include <openssl/srp.h>
|
||||
|
||||
#define PORT "4433"
|
||||
#define PROTOCOL "tcp"
|
||||
|
||||
typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
|
||||
int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
|
||||
int do_server(int *accept_sock, const char *host, const char *port,
|
||||
int family, int type, int protocol, do_server_cb cb,
|
||||
unsigned char *context, int naccept, BIO *bio_s_out);
|
||||
@ -32,9 +34,10 @@ int init_client(int *sock, const char *host, const char *port,
|
||||
const char *bindhost, const char *bindport,
|
||||
int family, int type, int protocol);
|
||||
int should_retry(int i);
|
||||
void do_ssl_shutdown(SSL *ssl);
|
||||
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret);
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
|
||||
int argi, long argl, int ret, size_t *processed);
|
||||
|
||||
void apps_ssl_info_callback(const SSL *s, int where, int ret);
|
||||
void msg_cb(int write_p, int version, int content_type, const void *buf,
|
||||
@ -69,9 +72,37 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
|
||||
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
|
||||
int crl_download);
|
||||
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
|
||||
const char *vfyCAfile, const char *chCApath,
|
||||
const char *chCAfile, STACK_OF(X509_CRL) *crls,
|
||||
const char *vfyCAfile, const char *vfyCAstore,
|
||||
const char *chCApath, const char *chCAfile,
|
||||
const char *chCAstore, STACK_OF(X509_CRL) *crls,
|
||||
int crl_download);
|
||||
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
|
||||
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
|
||||
void print_ca_names(BIO *bio, SSL *s);
|
||||
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
/* The client side SRP context that we pass to all SRP related callbacks */
|
||||
typedef struct srp_arg_st {
|
||||
char *srppassin;
|
||||
char *srplogin;
|
||||
int msg; /* copy from c_msg */
|
||||
int debug; /* copy from c_debug */
|
||||
int amp; /* allow more groups */
|
||||
int strength; /* minimal size for N */
|
||||
} SRP_ARG;
|
||||
|
||||
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
|
||||
int c_debug);
|
||||
void set_up_dummy_srp(SSL_CTX *ctx);
|
||||
|
||||
/* The server side SRP context that we pass to all SRP related callbacks */
|
||||
typedef struct srpsrvparm_st {
|
||||
char *login;
|
||||
SRP_VBASE *vb;
|
||||
SRP_user_pwd *user;
|
||||
} srpsrvparm;
|
||||
|
||||
int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
|
||||
char *srpuserseed, char *srp_verifier_file);
|
||||
void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out);
|
||||
#endif /* OPENSSL_NO_SRP */
|
31
crypto/openssl/apps/include/vms_term_sock.h
Normal file
31
crypto/openssl/apps/include/vms_term_sock.h
Normal file
@ -0,0 +1,31 @@
|
||||
/*
|
||||
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2016 VMS Software, Inc. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#ifndef OSSL_APPS_VMS_TERM_SOCK_H
|
||||
# define OSSL_APPS_VMS_TERM_SOCK_H
|
||||
|
||||
/*
|
||||
** Terminal Socket Function Codes
|
||||
*/
|
||||
# define TERM_SOCK_CREATE 1
|
||||
# define TERM_SOCK_DELETE 2
|
||||
|
||||
/*
|
||||
** Terminal Socket Status Codes
|
||||
*/
|
||||
# define TERM_SOCK_FAILURE 0
|
||||
# define TERM_SOCK_SUCCESS 1
|
||||
|
||||
/*
|
||||
** Terminal Socket Prototype
|
||||
*/
|
||||
int TerminalSocket (int FunctionCode, int *ReturnSocket);
|
||||
|
||||
#endif
|
104
crypto/openssl/apps/info.c
Normal file
104
crypto/openssl/apps/info.c
Normal file
@ -0,0 +1,104 @@
|
||||
/*
|
||||
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <openssl/crypto.h>
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_COMMON,
|
||||
OPT_CONFIGDIR, OPT_ENGINESDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP,
|
||||
OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS info_options[] = {
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"configdir", OPT_CONFIGDIR, '-', "Default configuration file directory"},
|
||||
{"enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory"},
|
||||
{"modulesdir", OPT_MODULESDIR, '-',
|
||||
"Default module directory (other than engine modules)"},
|
||||
{"dsoext", OPT_DSOEXT, '-', "Configured extension for modules"},
|
||||
{"dirnamesep", OPT_DIRNAMESEP, '-', "Directory-filename separator"},
|
||||
{"listsep", OPT_LISTSEP, '-', "List separator character"},
|
||||
{"seeds", OPT_SEEDS, '-', "Seed sources"},
|
||||
{"cpusettings", OPT_CPUSETTINGS, '-', "CPU settings info"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
int info_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1, dirty = 0, type = 0;
|
||||
char *prog;
|
||||
OPTION_CHOICE o;
|
||||
|
||||
prog = opt_init(argc, argv, info_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
default:
|
||||
opthelp:
|
||||
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
||||
goto end;
|
||||
case OPT_HELP:
|
||||
opt_help(info_options);
|
||||
ret = 0;
|
||||
goto end;
|
||||
case OPT_CONFIGDIR:
|
||||
type = OPENSSL_INFO_CONFIG_DIR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_ENGINESDIR:
|
||||
type = OPENSSL_INFO_ENGINES_DIR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_MODULESDIR:
|
||||
type = OPENSSL_INFO_MODULES_DIR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_DSOEXT:
|
||||
type = OPENSSL_INFO_DSO_EXTENSION;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_DIRNAMESEP:
|
||||
type = OPENSSL_INFO_DIR_FILENAME_SEPARATOR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_LISTSEP:
|
||||
type = OPENSSL_INFO_LIST_SEPARATOR;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_SEEDS:
|
||||
type = OPENSSL_INFO_SEED_SOURCE;
|
||||
dirty++;
|
||||
break;
|
||||
case OPT_CPUSETTINGS:
|
||||
type = OPENSSL_INFO_CPU_SETTINGS;
|
||||
dirty++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (opt_num_rest() != 0)
|
||||
goto opthelp;
|
||||
if (dirty > 1) {
|
||||
BIO_printf(bio_err, "%s: Only one item allowed\n", prog);
|
||||
goto opthelp;
|
||||
}
|
||||
if (dirty == 0) {
|
||||
BIO_printf(bio_err, "%s: No items chosen\n", prog);
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
BIO_printf(bio_out, "%s\n", OPENSSL_info(type));
|
||||
ret = 0;
|
||||
end:
|
||||
return ret;
|
||||
}
|
BIN
crypto/openssl/apps/insta.ca.crt
Normal file
BIN
crypto/openssl/apps/insta.ca.crt
Normal file
Binary file not shown.
211
crypto/openssl/apps/kdf.c
Normal file
211
crypto/openssl/apps/kdf.c
Normal file
@ -0,0 +1,211 @@
|
||||
/*
|
||||
* Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include "apps.h"
|
||||
#include "progs.h"
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/kdf.h>
|
||||
#include <openssl/params.h>
|
||||
|
||||
typedef enum OPTION_choice {
|
||||
OPT_COMMON,
|
||||
OPT_KDFOPT, OPT_BIN, OPT_KEYLEN, OPT_OUT,
|
||||
OPT_CIPHER, OPT_DIGEST, OPT_MAC,
|
||||
OPT_PROV_ENUM
|
||||
} OPTION_CHOICE;
|
||||
|
||||
const OPTIONS kdf_options[] = {
|
||||
{OPT_HELP_STR, 1, '-', "Usage: %s [options] kdf_name\n"},
|
||||
|
||||
OPT_SECTION("General"),
|
||||
{"help", OPT_HELP, '-', "Display this summary"},
|
||||
{"kdfopt", OPT_KDFOPT, 's', "KDF algorithm control parameters in n:v form"},
|
||||
{"cipher", OPT_CIPHER, 's', "Cipher"},
|
||||
{"digest", OPT_DIGEST, 's', "Digest"},
|
||||
{"mac", OPT_MAC, 's', "MAC"},
|
||||
{OPT_MORE_STR, 1, '-', "See 'Supported Controls' in the EVP_KDF_ docs\n"},
|
||||
{"keylen", OPT_KEYLEN, 's', "The size of the output derived key"},
|
||||
|
||||
OPT_SECTION("Output"),
|
||||
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
|
||||
{"binary", OPT_BIN, '-',
|
||||
"Output in binary format (default is hexadecimal)"},
|
||||
|
||||
OPT_PROV_OPTIONS,
|
||||
|
||||
OPT_PARAMETERS(),
|
||||
{"kdf_name", 0, 0, "Name of the KDF algorithm"},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
static char *alloc_kdf_algorithm_name(STACK_OF(OPENSSL_STRING) **optp,
|
||||
const char *name, const char *arg)
|
||||
{
|
||||
size_t len = strlen(name) + strlen(arg) + 2;
|
||||
char *res;
|
||||
|
||||
if (*optp == NULL)
|
||||
*optp = sk_OPENSSL_STRING_new_null();
|
||||
if (*optp == NULL)
|
||||
return NULL;
|
||||
|
||||
res = app_malloc(len, "algorithm name");
|
||||
BIO_snprintf(res, len, "%s:%s", name, arg);
|
||||
if (sk_OPENSSL_STRING_push(*optp, res))
|
||||
return res;
|
||||
OPENSSL_free(res);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int kdf_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1, out_bin = 0;
|
||||
OPTION_CHOICE o;
|
||||
STACK_OF(OPENSSL_STRING) *opts = NULL;
|
||||
char *prog, *hexout = NULL;
|
||||
const char *outfile = NULL;
|
||||
unsigned char *dkm_bytes = NULL;
|
||||
size_t dkm_len = 0;
|
||||
BIO *out = NULL;
|
||||
EVP_KDF *kdf = NULL;
|
||||
EVP_KDF_CTX *ctx = NULL;
|
||||
char *digest = NULL, *cipher = NULL, *mac = NULL;
|
||||
|
||||
prog = opt_init(argc, argv, kdf_options);
|
||||
while ((o = opt_next()) != OPT_EOF) {
|
||||
switch (o) {
|
||||
default:
|
||||
opthelp:
|
||||
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
||||
goto err;
|
||||
case OPT_HELP:
|
||||
opt_help(kdf_options);
|
||||
ret = 0;
|
||||
goto err;
|
||||
case OPT_BIN:
|
||||
out_bin = 1;
|
||||
break;
|
||||
case OPT_KEYLEN:
|
||||
dkm_len = (size_t)atoi(opt_arg());
|
||||
break;
|
||||
case OPT_OUT:
|
||||
outfile = opt_arg();
|
||||
break;
|
||||
case OPT_KDFOPT:
|
||||
if (opts == NULL)
|
||||
opts = sk_OPENSSL_STRING_new_null();
|
||||
if (opts == NULL || !sk_OPENSSL_STRING_push(opts, opt_arg()))
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_CIPHER:
|
||||
OPENSSL_free(cipher);
|
||||
cipher = alloc_kdf_algorithm_name(&opts, "cipher", opt_arg());
|
||||
if (cipher == NULL)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_DIGEST:
|
||||
OPENSSL_free(digest);
|
||||
digest = alloc_kdf_algorithm_name(&opts, "digest", opt_arg());
|
||||
if (digest == NULL)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_MAC:
|
||||
OPENSSL_free(mac);
|
||||
mac = alloc_kdf_algorithm_name(&opts, "mac", opt_arg());
|
||||
if (mac == NULL)
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_PROV_CASES:
|
||||
if (!opt_provider(o))
|
||||
goto err;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* One argument, the KDF name. */
|
||||
argc = opt_num_rest();
|
||||
argv = opt_rest();
|
||||
if (argc != 1)
|
||||
goto opthelp;
|
||||
|
||||
if ((kdf = EVP_KDF_fetch(app_get0_libctx(), argv[0],
|
||||
app_get0_propq())) == NULL) {
|
||||
BIO_printf(bio_err, "Invalid KDF name %s\n", argv[0]);
|
||||
goto opthelp;
|
||||
}
|
||||
|
||||
ctx = EVP_KDF_CTX_new(kdf);
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
|
||||
if (opts != NULL) {
|
||||
int ok = 1;
|
||||
OSSL_PARAM *params =
|
||||
app_params_new_from_opts(opts, EVP_KDF_settable_ctx_params(kdf));
|
||||
|
||||
if (params == NULL)
|
||||
goto err;
|
||||
|
||||
if (!EVP_KDF_CTX_set_params(ctx, params)) {
|
||||
BIO_printf(bio_err, "KDF parameter error\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ok = 0;
|
||||
}
|
||||
app_params_free(params);
|
||||
if (!ok)
|
||||
goto err;
|
||||
}
|
||||
|
||||
out = bio_open_default(outfile, 'w', out_bin ? FORMAT_BINARY : FORMAT_TEXT);
|
||||
if (out == NULL)
|
||||
goto err;
|
||||
|
||||
if (dkm_len <= 0) {
|
||||
BIO_printf(bio_err, "Invalid derived key length.\n");
|
||||
goto err;
|
||||
}
|
||||
dkm_bytes = app_malloc(dkm_len, "out buffer");
|
||||
if (dkm_bytes == NULL)
|
||||
goto err;
|
||||
|
||||
if (!EVP_KDF_derive(ctx, dkm_bytes, dkm_len, NULL)) {
|
||||
BIO_printf(bio_err, "EVP_KDF_derive failed\n");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (out_bin) {
|
||||
BIO_write(out, dkm_bytes, dkm_len);
|
||||
} else {
|
||||
hexout = OPENSSL_buf2hexstr(dkm_bytes, dkm_len);
|
||||
if (hexout == NULL) {
|
||||
BIO_printf(bio_err, "Memory allocation failure\n");
|
||||
goto err;
|
||||
}
|
||||
BIO_printf(out, "%s\n\n", hexout);
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
err:
|
||||
if (ret != 0)
|
||||
ERR_print_errors(bio_err);
|
||||
OPENSSL_clear_free(dkm_bytes, dkm_len);
|
||||
sk_OPENSSL_STRING_free(opts);
|
||||
EVP_KDF_free(kdf);
|
||||
EVP_KDF_CTX_free(ctx);
|
||||
BIO_free(out);
|
||||
OPENSSL_free(hexout);
|
||||
OPENSSL_free(cipher);
|
||||
OPENSSL_free(digest);
|
||||
OPENSSL_free(mac);
|
||||
return ret;
|
||||
}
|
48
crypto/openssl/apps/lib/app_libctx.c
Normal file
48
crypto/openssl/apps/lib/app_libctx.c
Normal file
@ -0,0 +1,48 @@
|
||||
/*
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
#include "app_libctx.h"
|
||||
#include "apps.h"
|
||||
|
||||
static OSSL_LIB_CTX *app_libctx = NULL;
|
||||
static const char *app_propq = NULL;
|
||||
|
||||
int app_set_propq(const char *arg)
|
||||
{
|
||||
app_propq = arg;
|
||||
return 1;
|
||||
}
|
||||
|
||||
const char *app_get0_propq(void)
|
||||
{
|
||||
return app_propq;
|
||||
}
|
||||
|
||||
OSSL_LIB_CTX *app_get0_libctx(void)
|
||||
{
|
||||
return app_libctx;
|
||||
}
|
||||
|
||||
OSSL_LIB_CTX *app_create_libctx(void)
|
||||
{
|
||||
/*
|
||||
* Load the NULL provider into the default library context and create a
|
||||
* library context which will then be used for any OPT_PROV options.
|
||||
*/
|
||||
if (app_libctx == NULL) {
|
||||
if (!app_provider_load(NULL, "null")) {
|
||||
opt_printf_stderr( "Failed to create null provider\n");
|
||||
return NULL;
|
||||
}
|
||||
app_libctx = OSSL_LIB_CTX_new();
|
||||
}
|
||||
if (app_libctx == NULL)
|
||||
opt_printf_stderr("Failed to create library context\n");
|
||||
return app_libctx;
|
||||
}
|
||||
|
132
crypto/openssl/apps/lib/app_params.c
Normal file
132
crypto/openssl/apps/lib/app_params.c
Normal file
@ -0,0 +1,132 @@
|
||||
/*
|
||||
* Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "apps.h"
|
||||
#include "app_params.h"
|
||||
|
||||
static int describe_param_type(char *buf, size_t bufsz, const OSSL_PARAM *param)
|
||||
{
|
||||
const char *type_mod = "";
|
||||
const char *type = NULL;
|
||||
int show_type_number = 0;
|
||||
int printed_len;
|
||||
|
||||
switch (param->data_type) {
|
||||
case OSSL_PARAM_UNSIGNED_INTEGER:
|
||||
type_mod = "unsigned ";
|
||||
/* FALLTHRU */
|
||||
case OSSL_PARAM_INTEGER:
|
||||
type = "integer";
|
||||
break;
|
||||
case OSSL_PARAM_UTF8_PTR:
|
||||
type_mod = "pointer to a ";
|
||||
/* FALLTHRU */
|
||||
case OSSL_PARAM_UTF8_STRING:
|
||||
type = "UTF8 encoded string";
|
||||
break;
|
||||
case OSSL_PARAM_OCTET_PTR:
|
||||
type_mod = "pointer to an ";
|
||||
/* FALLTHRU */
|
||||
case OSSL_PARAM_OCTET_STRING:
|
||||
type = "octet string";
|
||||
break;
|
||||
default:
|
||||
type = "unknown type";
|
||||
show_type_number = 1;
|
||||
break;
|
||||
}
|
||||
|
||||
printed_len = BIO_snprintf(buf, bufsz, "%s: ", param->key);
|
||||
if (printed_len > 0) {
|
||||
buf += printed_len;
|
||||
bufsz -= printed_len;
|
||||
}
|
||||
printed_len = BIO_snprintf(buf, bufsz, "%s%s", type_mod, type);
|
||||
if (printed_len > 0) {
|
||||
buf += printed_len;
|
||||
bufsz -= printed_len;
|
||||
}
|
||||
if (show_type_number) {
|
||||
printed_len = BIO_snprintf(buf, bufsz, " [%d]", param->data_type);
|
||||
if (printed_len > 0) {
|
||||
buf += printed_len;
|
||||
bufsz -= printed_len;
|
||||
}
|
||||
}
|
||||
if (param->data_size == 0)
|
||||
printed_len = BIO_snprintf(buf, bufsz, " (arbitrary size)");
|
||||
else
|
||||
printed_len = BIO_snprintf(buf, bufsz, " (max %zu bytes large)",
|
||||
param->data_size);
|
||||
if (printed_len > 0) {
|
||||
buf += printed_len;
|
||||
bufsz -= printed_len;
|
||||
}
|
||||
*buf = '\0';
|
||||
return 1;
|
||||
}
|
||||
|
||||
int print_param_types(const char *thing, const OSSL_PARAM *pdefs, int indent)
|
||||
{
|
||||
if (pdefs == NULL) {
|
||||
return 1;
|
||||
} else if (pdefs->key == NULL) {
|
||||
/*
|
||||
* An empty list? This shouldn't happen, but let's just make sure to
|
||||
* say something if there's a badly written provider...
|
||||
*/
|
||||
BIO_printf(bio_out, "%*sEmpty list of %s (!!!)\n", indent, "", thing);
|
||||
} else {
|
||||
BIO_printf(bio_out, "%*s%s:\n", indent, "", thing);
|
||||
for (; pdefs->key != NULL; pdefs++) {
|
||||
char buf[200]; /* This should be ample space */
|
||||
|
||||
describe_param_type(buf, sizeof(buf), pdefs);
|
||||
BIO_printf(bio_out, "%*s %s\n", indent, "", buf);
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void print_param_value(const OSSL_PARAM *p, int indent)
|
||||
{
|
||||
int64_t i;
|
||||
uint64_t u;
|
||||
|
||||
printf("%*s%s: ", indent, "", p->key);
|
||||
switch (p->data_type) {
|
||||
case OSSL_PARAM_UNSIGNED_INTEGER:
|
||||
if (OSSL_PARAM_get_uint64(p, &u))
|
||||
BIO_printf(bio_out, "%llu\n", (unsigned long long int)u);
|
||||
else
|
||||
BIO_printf(bio_out, "error getting value\n");
|
||||
break;
|
||||
case OSSL_PARAM_INTEGER:
|
||||
if (OSSL_PARAM_get_int64(p, &i))
|
||||
BIO_printf(bio_out, "%lld\n", (long long int)i);
|
||||
else
|
||||
BIO_printf(bio_out, "error getting value\n");
|
||||
break;
|
||||
case OSSL_PARAM_UTF8_PTR:
|
||||
BIO_printf(bio_out, "'%s'\n", *(char **)(p->data));
|
||||
break;
|
||||
case OSSL_PARAM_UTF8_STRING:
|
||||
BIO_printf(bio_out, "'%s'\n", (char *)p->data);
|
||||
break;
|
||||
case OSSL_PARAM_OCTET_PTR:
|
||||
case OSSL_PARAM_OCTET_STRING:
|
||||
BIO_printf(bio_out, "<%zu bytes>\n", p->data_size);
|
||||
break;
|
||||
default:
|
||||
BIO_printf(bio_out, "unknown type (%u) of %zu bytes\n",
|
||||
p->data_type, p->data_size);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
92
crypto/openssl/apps/lib/app_provider.c
Normal file
92
crypto/openssl/apps/lib/app_provider.c
Normal file
@ -0,0 +1,92 @@
|
||||
/*
|
||||
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "apps.h"
|
||||
#include <string.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/provider.h>
|
||||
#include <openssl/safestack.h>
|
||||
|
||||
/* Non-zero if any of the provider options have been seen */
|
||||
static int provider_option_given = 0;
|
||||
|
||||
DEFINE_STACK_OF(OSSL_PROVIDER)
|
||||
|
||||
/*
|
||||
* See comments in opt_verify for explanation of this.
|
||||
*/
|
||||
enum prov_range { OPT_PROV_ENUM };
|
||||
|
||||
static STACK_OF(OSSL_PROVIDER) *app_providers = NULL;
|
||||
|
||||
static void provider_free(OSSL_PROVIDER *prov)
|
||||
{
|
||||
OSSL_PROVIDER_unload(prov);
|
||||
}
|
||||
|
||||
int app_provider_load(OSSL_LIB_CTX *libctx, const char *provider_name)
|
||||
{
|
||||
OSSL_PROVIDER *prov;
|
||||
|
||||
prov = OSSL_PROVIDER_load(libctx, provider_name);
|
||||
if (prov == NULL) {
|
||||
opt_printf_stderr("%s: unable to load provider %s\n"
|
||||
"Hint: use -provider-path option or OPENSSL_MODULES environment variable.\n",
|
||||
opt_getprog(), provider_name);
|
||||
ERR_print_errors(bio_err);
|
||||
return 0;
|
||||
}
|
||||
if (app_providers == NULL)
|
||||
app_providers = sk_OSSL_PROVIDER_new_null();
|
||||
if (app_providers == NULL
|
||||
|| !sk_OSSL_PROVIDER_push(app_providers, prov)) {
|
||||
app_providers_cleanup();
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
void app_providers_cleanup(void)
|
||||
{
|
||||
sk_OSSL_PROVIDER_pop_free(app_providers, provider_free);
|
||||
app_providers = NULL;
|
||||
}
|
||||
|
||||
static int opt_provider_path(const char *path)
|
||||
{
|
||||
if (path != NULL && *path == '\0')
|
||||
path = NULL;
|
||||
return OSSL_PROVIDER_set_default_search_path(app_get0_libctx(), path);
|
||||
}
|
||||
|
||||
int opt_provider(int opt)
|
||||
{
|
||||
const int given = provider_option_given;
|
||||
|
||||
provider_option_given = 1;
|
||||
switch ((enum prov_range)opt) {
|
||||
case OPT_PROV__FIRST:
|
||||
case OPT_PROV__LAST:
|
||||
return 1;
|
||||
case OPT_PROV_PROVIDER:
|
||||
return app_provider_load(app_get0_libctx(), opt_arg());
|
||||
case OPT_PROV_PROVIDER_PATH:
|
||||
return opt_provider_path(opt_arg());
|
||||
case OPT_PROV_PROPQUERY:
|
||||
return app_set_propq(opt_arg());
|
||||
}
|
||||
/* Should never get here but if we do, undo what we did earlier */
|
||||
provider_option_given = given;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int opt_provider_option_given(void)
|
||||
{
|
||||
return provider_option_given;
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -14,6 +14,7 @@
|
||||
#include <openssl/conf.h>
|
||||
|
||||
static char *save_rand_file;
|
||||
static STACK_OF(OPENSSL_STRING) *randfiles;
|
||||
|
||||
void app_RAND_load_conf(CONF *c, const char *section)
|
||||
{
|
||||
@ -27,8 +28,14 @@ void app_RAND_load_conf(CONF *c, const char *section)
|
||||
BIO_printf(bio_err, "Can't load %s into RNG\n", randfile);
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
if (save_rand_file == NULL)
|
||||
if (save_rand_file == NULL) {
|
||||
save_rand_file = OPENSSL_strdup(randfile);
|
||||
/* If some internal memory errors have occurred */
|
||||
if (save_rand_file == NULL) {
|
||||
BIO_printf(bio_err, "Can't duplicate %s\n", randfile);
|
||||
ERR_print_errors(bio_err);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
static int loadfiles(char *name)
|
||||
@ -57,16 +64,34 @@ static int loadfiles(char *name)
|
||||
return ret;
|
||||
}
|
||||
|
||||
void app_RAND_write(void)
|
||||
int app_RAND_load(void)
|
||||
{
|
||||
char *p;
|
||||
int i, ret = 1;
|
||||
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(randfiles); i++) {
|
||||
p = sk_OPENSSL_STRING_value(randfiles, i);
|
||||
if (!loadfiles(p))
|
||||
ret = 0;
|
||||
}
|
||||
sk_OPENSSL_STRING_free(randfiles);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int app_RAND_write(void)
|
||||
{
|
||||
int ret = 1;
|
||||
|
||||
if (save_rand_file == NULL)
|
||||
return;
|
||||
return 1;
|
||||
if (RAND_write_file(save_rand_file) == -1) {
|
||||
BIO_printf(bio_err, "Cannot write random bytes:\n");
|
||||
ERR_print_errors(bio_err);
|
||||
ret = 0;
|
||||
}
|
||||
OPENSSL_free(save_rand_file);
|
||||
save_rand_file = NULL;
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
@ -82,11 +107,17 @@ int opt_rand(int opt)
|
||||
case OPT_R__LAST:
|
||||
break;
|
||||
case OPT_R_RAND:
|
||||
return loadfiles(opt_arg());
|
||||
if (randfiles == NULL
|
||||
&& (randfiles = sk_OPENSSL_STRING_new_null()) == NULL)
|
||||
return 0;
|
||||
if (!sk_OPENSSL_STRING_push(randfiles, opt_arg()))
|
||||
return 0;
|
||||
break;
|
||||
case OPT_R_WRITERAND:
|
||||
OPENSSL_free(save_rand_file);
|
||||
save_rand_file = OPENSSL_strdup(opt_arg());
|
||||
if (save_rand_file == NULL)
|
||||
return 0;
|
||||
break;
|
||||
}
|
||||
return 1;
|
137
crypto/openssl/apps/lib/app_x509.c
Normal file
137
crypto/openssl/apps/lib/app_x509.c
Normal file
@ -0,0 +1,137 @@
|
||||
/*
|
||||
* Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "apps.h"
|
||||
|
||||
/*
|
||||
* X509_ctrl_str() is sorely lacking in libcrypto, but is still needed to
|
||||
* allow the application to process verification options in a manner similar
|
||||
* to signature or other options that pass through EVP_PKEY_CTX_ctrl_str(),
|
||||
* for uniformity.
|
||||
*
|
||||
* As soon as more stuff is added, the code will need serious rework. For
|
||||
* the moment, it only handles the FIPS 196 / SM2 distinguishing ID.
|
||||
*/
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
static ASN1_OCTET_STRING *mk_octet_string(void *value, size_t value_n)
|
||||
{
|
||||
ASN1_OCTET_STRING *v = ASN1_OCTET_STRING_new();
|
||||
|
||||
if (v == NULL) {
|
||||
BIO_printf(bio_err, "error: allocation failed\n");
|
||||
} else if (!ASN1_OCTET_STRING_set(v, value, (int)value_n)) {
|
||||
ASN1_OCTET_STRING_free(v);
|
||||
v = NULL;
|
||||
}
|
||||
return v;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int x509_ctrl(void *object, int cmd, void *value, size_t value_n)
|
||||
{
|
||||
switch (cmd) {
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
case EVP_PKEY_CTRL_SET1_ID:
|
||||
{
|
||||
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
|
||||
|
||||
if (v == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"error: setting distinguishing ID in certificate failed\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
X509_set0_distinguishing_id(object, v);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return -2; /* typical EVP_PKEY return for "unsupported" */
|
||||
}
|
||||
|
||||
static int x509_req_ctrl(void *object, int cmd, void *value, size_t value_n)
|
||||
{
|
||||
switch (cmd) {
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
case EVP_PKEY_CTRL_SET1_ID:
|
||||
{
|
||||
ASN1_OCTET_STRING *v = mk_octet_string(value, value_n);
|
||||
|
||||
if (v == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"error: setting distinguishing ID in certificate signing request failed\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
X509_REQ_set0_distinguishing_id(object, v);
|
||||
return 1;
|
||||
}
|
||||
#endif
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return -2; /* typical EVP_PKEY return for "unsupported" */
|
||||
}
|
||||
|
||||
static int do_x509_ctrl_string(int (*ctrl)(void *object, int cmd,
|
||||
void *value, size_t value_n),
|
||||
void *object, const char *value)
|
||||
{
|
||||
int rv = 0;
|
||||
char *stmp, *vtmp = NULL;
|
||||
size_t vtmp_len = 0;
|
||||
int cmd = 0; /* Will get command values that make sense somehow */
|
||||
|
||||
stmp = OPENSSL_strdup(value);
|
||||
if (stmp == NULL)
|
||||
return -1;
|
||||
vtmp = strchr(stmp, ':');
|
||||
if (vtmp != NULL) {
|
||||
*vtmp = 0;
|
||||
vtmp++;
|
||||
vtmp_len = strlen(vtmp);
|
||||
}
|
||||
|
||||
if (strcmp(stmp, "distid") == 0) {
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
cmd = EVP_PKEY_CTRL_SET1_ID; /* ... except we put it in X509 */
|
||||
#endif
|
||||
} else if (strcmp(stmp, "hexdistid") == 0) {
|
||||
if (vtmp != NULL) {
|
||||
void *hexid;
|
||||
long hexid_len = 0;
|
||||
|
||||
hexid = OPENSSL_hexstr2buf((const char *)vtmp, &hexid_len);
|
||||
OPENSSL_free(stmp);
|
||||
stmp = vtmp = hexid;
|
||||
vtmp_len = (size_t)hexid_len;
|
||||
}
|
||||
#ifdef EVP_PKEY_CTRL_SET1_ID
|
||||
cmd = EVP_PKEY_CTRL_SET1_ID; /* ... except we put it in X509 */
|
||||
#endif
|
||||
}
|
||||
|
||||
rv = ctrl(object, cmd, vtmp, vtmp_len);
|
||||
|
||||
OPENSSL_free(stmp);
|
||||
return rv;
|
||||
}
|
||||
|
||||
int x509_ctrl_string(X509 *x, const char *value)
|
||||
{
|
||||
return do_x509_ctrl_string(x509_ctrl, x, value);
|
||||
}
|
||||
|
||||
int x509_req_ctrl_string(X509_REQ *x, const char *value)
|
||||
{
|
||||
return do_x509_ctrl_string(x509_req_ctrl, x, value);
|
||||
}
|
File diff suppressed because it is too large
Load Diff
223
crypto/openssl/apps/lib/apps_ui.c
Normal file
223
crypto/openssl/apps/lib/apps_ui.c
Normal file
@ -0,0 +1,223 @@
|
||||
/*
|
||||
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/ui.h>
|
||||
#include "apps_ui.h"
|
||||
|
||||
static UI_METHOD *ui_method = NULL;
|
||||
static const UI_METHOD *ui_base_method = NULL;
|
||||
|
||||
static int ui_open(UI *ui)
|
||||
{
|
||||
int (*opener)(UI *ui) = UI_method_get_opener(ui_base_method);
|
||||
|
||||
if (opener != NULL)
|
||||
return opener(ui);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ui_read(UI *ui, UI_STRING *uis)
|
||||
{
|
||||
int (*reader)(UI *ui, UI_STRING *uis) = NULL;
|
||||
|
||||
if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
|
||||
&& UI_get0_user_data(ui)) {
|
||||
switch (UI_get_string_type(uis)) {
|
||||
case UIT_PROMPT:
|
||||
case UIT_VERIFY:
|
||||
{
|
||||
const char *password =
|
||||
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
|
||||
|
||||
if (password != NULL) {
|
||||
UI_set_result(ui, uis, password);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case UIT_NONE:
|
||||
case UIT_BOOLEAN:
|
||||
case UIT_INFO:
|
||||
case UIT_ERROR:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
reader = UI_method_get_reader(ui_base_method);
|
||||
if (reader != NULL)
|
||||
return reader(ui, uis);
|
||||
/* Default to the empty password if we've got nothing better */
|
||||
UI_set_result(ui, uis, "");
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ui_write(UI *ui, UI_STRING *uis)
|
||||
{
|
||||
int (*writer)(UI *ui, UI_STRING *uis) = NULL;
|
||||
|
||||
if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
|
||||
&& UI_get0_user_data(ui)) {
|
||||
switch (UI_get_string_type(uis)) {
|
||||
case UIT_PROMPT:
|
||||
case UIT_VERIFY:
|
||||
{
|
||||
const char *password =
|
||||
((PW_CB_DATA *)UI_get0_user_data(ui))->password;
|
||||
|
||||
if (password != NULL)
|
||||
return 1;
|
||||
}
|
||||
break;
|
||||
case UIT_NONE:
|
||||
case UIT_BOOLEAN:
|
||||
case UIT_INFO:
|
||||
case UIT_ERROR:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
writer = UI_method_get_writer(ui_base_method);
|
||||
if (writer != NULL)
|
||||
return writer(ui, uis);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ui_close(UI *ui)
|
||||
{
|
||||
int (*closer)(UI *ui) = UI_method_get_closer(ui_base_method);
|
||||
|
||||
if (closer != NULL)
|
||||
return closer(ui);
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* object_name defaults to prompt_info from ui user data if present */
|
||||
static char *ui_prompt_construct(UI *ui, const char *phrase_desc,
|
||||
const char *object_name)
|
||||
{
|
||||
PW_CB_DATA *cb_data = (PW_CB_DATA *)UI_get0_user_data(ui);
|
||||
|
||||
if (phrase_desc == NULL)
|
||||
phrase_desc = "pass phrase";
|
||||
if (object_name == NULL && cb_data != NULL)
|
||||
object_name = cb_data->prompt_info;
|
||||
return UI_construct_prompt(NULL, phrase_desc, object_name);
|
||||
}
|
||||
|
||||
int set_base_ui_method(const UI_METHOD *ui_meth)
|
||||
{
|
||||
if (ui_meth == NULL)
|
||||
ui_meth = UI_null();
|
||||
ui_base_method = ui_meth;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int setup_ui_method(void)
|
||||
{
|
||||
ui_base_method = UI_null();
|
||||
#ifndef OPENSSL_NO_UI_CONSOLE
|
||||
ui_base_method = UI_OpenSSL();
|
||||
#endif
|
||||
ui_method = UI_create_method("OpenSSL application user interface");
|
||||
return ui_method != NULL
|
||||
&& 0 == UI_method_set_opener(ui_method, ui_open)
|
||||
&& 0 == UI_method_set_reader(ui_method, ui_read)
|
||||
&& 0 == UI_method_set_writer(ui_method, ui_write)
|
||||
&& 0 == UI_method_set_closer(ui_method, ui_close)
|
||||
&& 0 == UI_method_set_prompt_constructor(ui_method,
|
||||
ui_prompt_construct);
|
||||
}
|
||||
|
||||
void destroy_ui_method(void)
|
||||
{
|
||||
if (ui_method != NULL) {
|
||||
UI_destroy_method(ui_method);
|
||||
ui_method = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
const UI_METHOD *get_ui_method(void)
|
||||
{
|
||||
return ui_method;
|
||||
}
|
||||
|
||||
static void *ui_malloc(int sz, const char *what)
|
||||
{
|
||||
void *vp = OPENSSL_malloc(sz);
|
||||
|
||||
if (vp == NULL) {
|
||||
BIO_printf(bio_err, "Could not allocate %d bytes for %s\n", sz, what);
|
||||
ERR_print_errors(bio_err);
|
||||
exit(1);
|
||||
}
|
||||
return vp;
|
||||
}
|
||||
|
||||
int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data)
|
||||
{
|
||||
int res = 0;
|
||||
UI *ui;
|
||||
int ok = 0;
|
||||
char *buff = NULL;
|
||||
int ui_flags = 0;
|
||||
const char *prompt_info = NULL;
|
||||
char *prompt;
|
||||
|
||||
if ((ui = UI_new_method(ui_method)) == NULL)
|
||||
return 0;
|
||||
|
||||
if (cb_data != NULL && cb_data->prompt_info != NULL)
|
||||
prompt_info = cb_data->prompt_info;
|
||||
prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
|
||||
if (prompt == NULL) {
|
||||
BIO_printf(bio_err, "Out of memory\n");
|
||||
UI_free(ui);
|
||||
return 0;
|
||||
}
|
||||
|
||||
ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
|
||||
UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
|
||||
|
||||
/* We know that there is no previous user data to return to us */
|
||||
(void)UI_add_user_data(ui, cb_data);
|
||||
|
||||
ok = UI_add_input_string(ui, prompt, ui_flags, buf,
|
||||
PW_MIN_LENGTH, bufsiz - 1);
|
||||
|
||||
if (ok >= 0 && verify) {
|
||||
buff = ui_malloc(bufsiz, "password buffer");
|
||||
ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
|
||||
PW_MIN_LENGTH, bufsiz - 1, buf);
|
||||
}
|
||||
if (ok >= 0)
|
||||
do {
|
||||
ok = UI_process(ui);
|
||||
} while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
|
||||
|
||||
OPENSSL_clear_free(buff, (unsigned int)bufsiz);
|
||||
|
||||
if (ok >= 0)
|
||||
res = strlen(buf);
|
||||
if (ok == -1) {
|
||||
BIO_printf(bio_err, "User interface error\n");
|
||||
ERR_print_errors(bio_err);
|
||||
OPENSSL_cleanse(buf, (unsigned int)bufsiz);
|
||||
res = 0;
|
||||
}
|
||||
if (ok == -2) {
|
||||
BIO_printf(bio_err, "aborted!\n");
|
||||
OPENSSL_cleanse(buf, (unsigned int)bufsiz);
|
||||
res = 0;
|
||||
}
|
||||
UI_free(ui);
|
||||
OPENSSL_free(prompt);
|
||||
return res;
|
||||
}
|
23
crypto/openssl/apps/lib/build.info
Normal file
23
crypto/openssl/apps/lib/build.info
Normal file
@ -0,0 +1,23 @@
|
||||
# Auxiliary program source
|
||||
IF[{- $config{target} =~ /^(?:VC-|mingw|BC-)/ -}]
|
||||
# It's called 'init', but doesn't have much 'init' in it...
|
||||
$AUXLIBAPPSSRC=win32_init.c
|
||||
ENDIF
|
||||
IF[{- $config{target} =~ /^vms-/ -}]
|
||||
$AUXLIBAPPSSRC=vms_term_sock.c vms_decc_argv.c
|
||||
ENDIF
|
||||
|
||||
# Source for libapps
|
||||
$LIBAPPSSRC=apps.c apps_ui.c opt.c fmt.c s_cb.c s_socket.c app_rand.c \
|
||||
columns.c app_params.c names.c app_provider.c app_x509.c http_server.c \
|
||||
engine.c engine_loader.c app_libctx.c
|
||||
|
||||
IF[{- !$disabled{apps} -}]
|
||||
LIBS{noinst}=../libapps.a
|
||||
SOURCE[../libapps.a]=$LIBAPPSSRC $AUXLIBAPPSSRC
|
||||
INCLUDE[../libapps.a]=../.. ../../include ../include
|
||||
ENDIF
|
||||
|
||||
IF[{- !$disabled{srp} -}]
|
||||
SOURCE[../libapps.a]=tlssrp_depr.c
|
||||
ENDIF
|
452
crypto/openssl/apps/lib/cmp_mock_srv.c
Normal file
452
crypto/openssl/apps/lib/cmp_mock_srv.c
Normal file
@ -0,0 +1,452 @@
|
||||
/*
|
||||
* Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright Siemens AG 2018-2020
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or atf
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "apps.h"
|
||||
#include "cmp_mock_srv.h"
|
||||
|
||||
#include <openssl/cmp.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/cmperr.h>
|
||||
|
||||
/* the context for the CMP mock server */
|
||||
typedef struct
|
||||
{
|
||||
X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
|
||||
STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
|
||||
STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
|
||||
OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
|
||||
int sendError; /* send error response on given request type */
|
||||
OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
|
||||
int pollCount; /* number of polls before actual cert response */
|
||||
int curr_pollCount; /* number of polls so far for current request */
|
||||
int checkAfterTime; /* time the client should wait between polling */
|
||||
} mock_srv_ctx;
|
||||
|
||||
|
||||
static void mock_srv_ctx_free(mock_srv_ctx *ctx)
|
||||
{
|
||||
if (ctx == NULL)
|
||||
return;
|
||||
|
||||
OSSL_CMP_PKISI_free(ctx->statusOut);
|
||||
X509_free(ctx->certOut);
|
||||
sk_X509_pop_free(ctx->chainOut, X509_free);
|
||||
sk_X509_pop_free(ctx->caPubsOut, X509_free);
|
||||
OSSL_CMP_MSG_free(ctx->certReq);
|
||||
OPENSSL_free(ctx);
|
||||
}
|
||||
|
||||
static mock_srv_ctx *mock_srv_ctx_new(void)
|
||||
{
|
||||
mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
|
||||
|
||||
if (ctx == NULL)
|
||||
goto err;
|
||||
|
||||
if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
|
||||
goto err;
|
||||
|
||||
ctx->sendError = -1;
|
||||
|
||||
/* all other elements are initialized to 0 or NULL, respectively */
|
||||
return ctx;
|
||||
err:
|
||||
mock_srv_ctx_free(ctx);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (cert == NULL || X509_up_ref(cert)) {
|
||||
X509_free(ctx->certOut);
|
||||
ctx->certOut = cert;
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
STACK_OF(X509) *chain)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
STACK_OF(X509) *chain_copy = NULL;
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
|
||||
return 0;
|
||||
sk_X509_pop_free(ctx->chainOut, X509_free);
|
||||
ctx->chainOut = chain_copy;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
STACK_OF(X509) *caPubs)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
STACK_OF(X509) *caPubs_copy = NULL;
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
|
||||
return 0;
|
||||
sk_X509_pop_free(ctx->caPubsOut, X509_free);
|
||||
ctx->caPubsOut = caPubs_copy;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
|
||||
int fail_info, const char *text)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
OSSL_CMP_PKISI *si;
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
|
||||
return 0;
|
||||
OSSL_CMP_PKISI_free(ctx->statusOut);
|
||||
ctx->statusOut = si;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
/* might check bodytype, but this would require exporting all body types */
|
||||
ctx->sendError = bodytype;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (count < 0) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
|
||||
return 0;
|
||||
}
|
||||
ctx->pollCount = count;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
ctx->checkAfterTime = sec;
|
||||
return 1;
|
||||
}
|
||||
|
||||
static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *cert_req,
|
||||
ossl_unused int certReqId,
|
||||
const OSSL_CRMF_MSG *crm,
|
||||
const X509_REQ *p10cr,
|
||||
X509 **certOut,
|
||||
STACK_OF(X509) **chainOut,
|
||||
STACK_OF(X509) **caPubs)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
OSSL_CMP_PKISI *si = NULL;
|
||||
|
||||
if (ctx == NULL || cert_req == NULL
|
||||
|| certOut == NULL || chainOut == NULL || caPubs == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return NULL;
|
||||
}
|
||||
if (ctx->sendError == 1
|
||||
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(cert_req)) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
*certOut = NULL;
|
||||
*chainOut = NULL;
|
||||
*caPubs = NULL;
|
||||
|
||||
if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
|
||||
/* start polling */
|
||||
if (ctx->certReq != NULL) {
|
||||
/* already in polling mode */
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
|
||||
return NULL;
|
||||
}
|
||||
if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
|
||||
return NULL;
|
||||
return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
|
||||
}
|
||||
if (ctx->curr_pollCount >= ctx->pollCount)
|
||||
/* give final response after polling */
|
||||
ctx->curr_pollCount = 0;
|
||||
|
||||
if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
|
||||
&& crm != NULL && ctx->certOut != NULL) {
|
||||
const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
|
||||
const X509_NAME *issuer = X509_get_issuer_name(ctx->certOut);
|
||||
const ASN1_INTEGER *serial = X509_get0_serialNumber(ctx->certOut);
|
||||
|
||||
if (cid == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
|
||||
return NULL;
|
||||
}
|
||||
if (issuer != NULL
|
||||
&& X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
|
||||
return NULL;
|
||||
}
|
||||
if (serial != NULL
|
||||
&& ASN1_INTEGER_cmp(serial,
|
||||
OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
if (ctx->certOut != NULL
|
||||
&& (*certOut = X509_dup(ctx->certOut)) == NULL)
|
||||
goto err;
|
||||
if (ctx->chainOut != NULL
|
||||
&& (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
|
||||
goto err;
|
||||
if (ctx->caPubsOut != NULL
|
||||
&& (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
|
||||
goto err;
|
||||
if (ctx->statusOut != NULL
|
||||
&& (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
|
||||
goto err;
|
||||
return si;
|
||||
|
||||
err:
|
||||
X509_free(*certOut);
|
||||
*certOut = NULL;
|
||||
sk_X509_pop_free(*chainOut, X509_free);
|
||||
*chainOut = NULL;
|
||||
sk_X509_pop_free(*caPubs, X509_free);
|
||||
*caPubs = NULL;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *rr,
|
||||
const X509_NAME *issuer,
|
||||
const ASN1_INTEGER *serial)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL || rr == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return NULL;
|
||||
}
|
||||
if (ctx->certOut == NULL || ctx->sendError == 1
|
||||
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* Allow any RR derived from CSR, which may include subject and serial */
|
||||
if (issuer == NULL || serial == NULL)
|
||||
return OSSL_CMP_PKISI_dup(ctx->statusOut);
|
||||
|
||||
/* accept revocation only for the certificate we sent in ir/cr/kur */
|
||||
if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
|
||||
|| ASN1_INTEGER_cmp(serial,
|
||||
X509_get0_serialNumber(ctx->certOut)) != 0) {
|
||||
ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
|
||||
"wrong certificate to revoke");
|
||||
return NULL;
|
||||
}
|
||||
return OSSL_CMP_PKISI_dup(ctx->statusOut);
|
||||
}
|
||||
|
||||
static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *genm,
|
||||
const STACK_OF(OSSL_CMP_ITAV) *in,
|
||||
STACK_OF(OSSL_CMP_ITAV) **out)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (ctx->sendError == 1
|
||||
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
|
||||
|| sk_OSSL_CMP_ITAV_num(in) > 1) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
|
||||
OSSL_CMP_ITAV_free);
|
||||
return *out != NULL;
|
||||
}
|
||||
|
||||
static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
|
||||
const OSSL_CMP_PKISI *statusInfo,
|
||||
const ASN1_INTEGER *errorCode,
|
||||
const OSSL_CMP_PKIFREETEXT *errorDetails)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
char buf[OSSL_CMP_PKISI_BUFLEN];
|
||||
char *sibuf;
|
||||
int i;
|
||||
|
||||
if (ctx == NULL || error == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return;
|
||||
}
|
||||
|
||||
BIO_printf(bio_err, "mock server received error:\n");
|
||||
|
||||
if (statusInfo == NULL) {
|
||||
BIO_printf(bio_err, "pkiStatusInfo absent\n");
|
||||
} else {
|
||||
sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
|
||||
BIO_printf(bio_err, "pkiStatusInfo: %s\n",
|
||||
sibuf != NULL ? sibuf: "<invalid>");
|
||||
}
|
||||
|
||||
if (errorCode == NULL)
|
||||
BIO_printf(bio_err, "errorCode absent\n");
|
||||
else
|
||||
BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
|
||||
|
||||
if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
|
||||
BIO_printf(bio_err, "errorDetails absent\n");
|
||||
} else {
|
||||
BIO_printf(bio_err, "errorDetails: ");
|
||||
for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
|
||||
if (i > 0)
|
||||
BIO_printf(bio_err, ", ");
|
||||
BIO_printf(bio_err, "\"");
|
||||
ASN1_STRING_print(bio_err,
|
||||
sk_ASN1_UTF8STRING_value(errorDetails, i));
|
||||
BIO_printf(bio_err, "\"");
|
||||
}
|
||||
BIO_printf(bio_err, "\n");
|
||||
}
|
||||
}
|
||||
|
||||
static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *certConf,
|
||||
ossl_unused int certReqId,
|
||||
const ASN1_OCTET_STRING *certHash,
|
||||
const OSSL_CMP_PKISI *si)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
ASN1_OCTET_STRING *digest;
|
||||
|
||||
if (ctx == NULL || certConf == NULL || certHash == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (ctx->sendError == 1
|
||||
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
|
||||
|| ctx->certOut == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
|
||||
return 0;
|
||||
if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
|
||||
ASN1_OCTET_STRING_free(digest);
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
|
||||
return 0;
|
||||
}
|
||||
ASN1_OCTET_STRING_free(digest);
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
|
||||
const OSSL_CMP_MSG *pollReq,
|
||||
ossl_unused int certReqId,
|
||||
OSSL_CMP_MSG **certReq, int64_t *check_after)
|
||||
{
|
||||
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
|
||||
|
||||
if (ctx == NULL || pollReq == NULL
|
||||
|| certReq == NULL || check_after == NULL) {
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
||||
return 0;
|
||||
}
|
||||
if (ctx->sendError == 1
|
||||
|| ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
|
||||
*certReq = NULL;
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
|
||||
return 0;
|
||||
}
|
||||
if (ctx->certReq == NULL) {
|
||||
/* not currently in polling mode */
|
||||
*certReq = NULL;
|
||||
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (++ctx->curr_pollCount >= ctx->pollCount) {
|
||||
/* end polling */
|
||||
*certReq = ctx->certReq;
|
||||
ctx->certReq = NULL;
|
||||
*check_after = 0;
|
||||
} else {
|
||||
*certReq = NULL;
|
||||
*check_after = ctx->checkAfterTime;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
|
||||
{
|
||||
OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
|
||||
mock_srv_ctx *ctx = mock_srv_ctx_new();
|
||||
|
||||
if (srv_ctx != NULL && ctx != NULL
|
||||
&& OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
|
||||
process_rr, process_genm, process_error,
|
||||
process_certConf, process_pollReq))
|
||||
return srv_ctx;
|
||||
|
||||
mock_srv_ctx_free(ctx);
|
||||
OSSL_CMP_SRV_CTX_free(srv_ctx);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
|
||||
{
|
||||
if (srv_ctx != NULL)
|
||||
mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
|
||||
OSSL_CMP_SRV_CTX_free(srv_ctx);
|
||||
}
|
27
crypto/openssl/apps/lib/columns.c
Normal file
27
crypto/openssl/apps/lib/columns.c
Normal file
@ -0,0 +1,27 @@
|
||||
/*
|
||||
* Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "apps.h"
|
||||
#include "function.h"
|
||||
|
||||
void calculate_columns(FUNCTION *functions, DISPLAY_COLUMNS *dc)
|
||||
{
|
||||
FUNCTION *f;
|
||||
int len, maxlen = 0;
|
||||
|
||||
for (f = functions; f->name != NULL; ++f)
|
||||
if (f->type == FT_general || f->type == FT_md || f->type == FT_cipher)
|
||||
if ((len = strlen(f->name)) > maxlen)
|
||||
maxlen = len;
|
||||
|
||||
dc->width = maxlen + 2;
|
||||
dc->columns = (80 - 1) / dc->width;
|
||||
}
|
||||
|
193
crypto/openssl/apps/lib/engine.c
Normal file
193
crypto/openssl/apps/lib/engine.c
Normal file
@ -0,0 +1,193 @@
|
||||
/*
|
||||
* Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* Here is a set of wrappers for the ENGINE API, which are no-ops when the
|
||||
* ENGINE API is disabled / removed.
|
||||
* We need to suppress deprecation warnings to make this work.
|
||||
*/
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include <string.h> /* strcmp */
|
||||
|
||||
#include <openssl/types.h> /* Ensure we have the ENGINE type, regardless */
|
||||
#include <openssl/err.h>
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
# include <openssl/engine.h>
|
||||
#endif
|
||||
#include "apps.h"
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
/* Try to load an engine in a shareable library */
|
||||
static ENGINE *try_load_engine(const char *engine)
|
||||
{
|
||||
ENGINE *e = NULL;
|
||||
|
||||
if ((e = ENGINE_by_id("dynamic")) != NULL) {
|
||||
if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
|
||||
|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
|
||||
ENGINE_free(e);
|
||||
e = NULL;
|
||||
}
|
||||
}
|
||||
return e;
|
||||
}
|
||||
#endif
|
||||
|
||||
ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug)
|
||||
{
|
||||
ENGINE *e = NULL;
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if (id != NULL) {
|
||||
if (strcmp(id, "auto") == 0) {
|
||||
BIO_printf(bio_err, "Enabling auto ENGINE support\n");
|
||||
ENGINE_register_all_complete();
|
||||
return NULL;
|
||||
}
|
||||
if ((e = ENGINE_by_id(id)) == NULL
|
||||
&& (e = try_load_engine(id)) == NULL) {
|
||||
BIO_printf(bio_err, "Invalid engine \"%s\"\n", id);
|
||||
ERR_print_errors(bio_err);
|
||||
return NULL;
|
||||
}
|
||||
if (debug)
|
||||
(void)ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
|
||||
if (!ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0,
|
||||
(void *)get_ui_method(), 0, 1)
|
||||
|| !ENGINE_set_default(e, methods)) {
|
||||
BIO_printf(bio_err, "Cannot use engine \"%s\"\n", ENGINE_get_id(e));
|
||||
ERR_print_errors(bio_err);
|
||||
ENGINE_free(e);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
BIO_printf(bio_err, "Engine \"%s\" set.\n", ENGINE_get_id(e));
|
||||
}
|
||||
#endif
|
||||
return e;
|
||||
}
|
||||
|
||||
void release_engine(ENGINE *e)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
/* Free our "structural" reference. */
|
||||
ENGINE_free(e);
|
||||
#endif
|
||||
}
|
||||
|
||||
int init_engine(ENGINE *e)
|
||||
{
|
||||
int rv = 1;
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
rv = ENGINE_init(e);
|
||||
#endif
|
||||
return rv;
|
||||
}
|
||||
|
||||
int finish_engine(ENGINE *e)
|
||||
{
|
||||
int rv = 1;
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
rv = ENGINE_finish(e);
|
||||
#endif
|
||||
return rv;
|
||||
}
|
||||
|
||||
char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc)
|
||||
{
|
||||
char *new_uri = NULL;
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
if (e == NULL) {
|
||||
BIO_printf(bio_err, "No engine specified for loading %s\n", desc);
|
||||
} else if (key_id == NULL) {
|
||||
BIO_printf(bio_err, "No engine key id specified for loading %s\n", desc);
|
||||
} else {
|
||||
const char *engineid = ENGINE_get_id(e);
|
||||
size_t uri_sz =
|
||||
sizeof(ENGINE_SCHEME_COLON) - 1
|
||||
+ strlen(engineid)
|
||||
+ 1 /* : */
|
||||
+ strlen(key_id)
|
||||
+ 1 /* \0 */
|
||||
;
|
||||
|
||||
new_uri = OPENSSL_malloc(uri_sz);
|
||||
if (new_uri != NULL) {
|
||||
OPENSSL_strlcpy(new_uri, ENGINE_SCHEME_COLON, uri_sz);
|
||||
OPENSSL_strlcat(new_uri, engineid, uri_sz);
|
||||
OPENSSL_strlcat(new_uri, ":", uri_sz);
|
||||
OPENSSL_strlcat(new_uri, key_id, uri_sz);
|
||||
}
|
||||
}
|
||||
#else
|
||||
BIO_printf(bio_err, "Engines not supported for loading %s\n", desc);
|
||||
#endif
|
||||
return new_uri;
|
||||
}
|
||||
|
||||
int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e)
|
||||
{
|
||||
const EVP_PKEY_ASN1_METHOD *ameth;
|
||||
ENGINE *tmpeng = NULL;
|
||||
int pkey_id = NID_undef;
|
||||
|
||||
ERR_set_mark();
|
||||
ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
|
||||
|
||||
#if !defined(OPENSSL_NO_ENGINE)
|
||||
ENGINE_finish(tmpeng);
|
||||
|
||||
if (ameth == NULL && e != NULL)
|
||||
ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
|
||||
else
|
||||
#endif
|
||||
/* We're only interested if it comes from an ENGINE */
|
||||
if (tmpeng == NULL)
|
||||
ameth = NULL;
|
||||
|
||||
ERR_pop_to_mark();
|
||||
if (ameth == NULL)
|
||||
return NID_undef;
|
||||
|
||||
EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
|
||||
|
||||
return pkey_id;
|
||||
}
|
||||
|
||||
const EVP_MD *get_digest_from_engine(const char *name)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE *eng;
|
||||
|
||||
eng = ENGINE_get_digest_engine(OBJ_sn2nid(name));
|
||||
if (eng != NULL) {
|
||||
ENGINE_finish(eng);
|
||||
return EVP_get_digestbyname(name);
|
||||
}
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
||||
|
||||
const EVP_CIPHER *get_cipher_from_engine(const char *name)
|
||||
{
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE *eng;
|
||||
|
||||
eng = ENGINE_get_cipher_engine(OBJ_sn2nid(name));
|
||||
if (eng != NULL) {
|
||||
ENGINE_finish(eng);
|
||||
return EVP_get_cipherbyname(name);
|
||||
}
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
203
crypto/openssl/apps/lib/engine_loader.c
Normal file
203
crypto/openssl/apps/lib/engine_loader.c
Normal file
@ -0,0 +1,203 @@
|
||||
/*
|
||||
* Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/*
|
||||
* Here is an STORE loader for ENGINE backed keys. It relies on deprecated
|
||||
* functions, and therefore need to have deprecation warnings suppressed.
|
||||
* This file is not compiled at all in a '--api=3 no-deprecated' configuration.
|
||||
*/
|
||||
#define OPENSSL_SUPPRESS_DEPRECATED
|
||||
|
||||
#include "apps.h"
|
||||
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
|
||||
# include <stdarg.h>
|
||||
# include <string.h>
|
||||
# include <openssl/engine.h>
|
||||
# include <openssl/store.h>
|
||||
|
||||
/*
|
||||
* Support for legacy private engine keys via the 'org.openssl.engine:' scheme
|
||||
*
|
||||
* org.openssl.engine:{engineid}:{keyid}
|
||||
*
|
||||
* Note: we ONLY support ENGINE_load_private_key() and ENGINE_load_public_key()
|
||||
* Note 2: This scheme has a precedent in code in PKIX-SSH. for exactly
|
||||
* this sort of purpose.
|
||||
*/
|
||||
|
||||
/* Local definition of OSSL_STORE_LOADER_CTX */
|
||||
struct ossl_store_loader_ctx_st {
|
||||
ENGINE *e; /* Structural reference */
|
||||
char *keyid;
|
||||
int expected;
|
||||
int loaded; /* 0 = key not loaded yet, 1 = key loaded */
|
||||
};
|
||||
|
||||
static OSSL_STORE_LOADER_CTX *OSSL_STORE_LOADER_CTX_new(ENGINE *e, char *keyid)
|
||||
{
|
||||
OSSL_STORE_LOADER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
|
||||
|
||||
if (ctx != NULL) {
|
||||
ctx->e = e;
|
||||
ctx->keyid = keyid;
|
||||
}
|
||||
return ctx;
|
||||
}
|
||||
|
||||
static void OSSL_STORE_LOADER_CTX_free(OSSL_STORE_LOADER_CTX *ctx)
|
||||
{
|
||||
if (ctx != NULL) {
|
||||
ENGINE_free(ctx->e);
|
||||
OPENSSL_free(ctx->keyid);
|
||||
OPENSSL_free(ctx);
|
||||
}
|
||||
}
|
||||
|
||||
static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader,
|
||||
const char *uri,
|
||||
const UI_METHOD *ui_method,
|
||||
void *ui_data)
|
||||
{
|
||||
const char *p = uri, *q;
|
||||
ENGINE *e = NULL;
|
||||
char *keyid = NULL;
|
||||
OSSL_STORE_LOADER_CTX *ctx = NULL;
|
||||
|
||||
if (OPENSSL_strncasecmp(p, ENGINE_SCHEME_COLON, sizeof(ENGINE_SCHEME_COLON) - 1)
|
||||
!= 0)
|
||||
return NULL;
|
||||
p += sizeof(ENGINE_SCHEME_COLON) - 1;
|
||||
|
||||
/* Look for engine ID */
|
||||
q = strchr(p, ':');
|
||||
if (q != NULL /* There is both an engine ID and a key ID */
|
||||
&& p[0] != ':' /* The engine ID is at least one character */
|
||||
&& q[1] != '\0') { /* The key ID is at least one character */
|
||||
char engineid[256];
|
||||
size_t engineid_l = q - p;
|
||||
|
||||
strncpy(engineid, p, engineid_l);
|
||||
engineid[engineid_l] = '\0';
|
||||
e = ENGINE_by_id(engineid);
|
||||
|
||||
keyid = OPENSSL_strdup(q + 1);
|
||||
}
|
||||
|
||||
if (e != NULL && keyid != NULL)
|
||||
ctx = OSSL_STORE_LOADER_CTX_new(e, keyid);
|
||||
|
||||
if (ctx == NULL) {
|
||||
OPENSSL_free(keyid);
|
||||
ENGINE_free(e);
|
||||
}
|
||||
|
||||
return ctx;
|
||||
}
|
||||
|
||||
static int engine_expect(OSSL_STORE_LOADER_CTX *ctx, int expected)
|
||||
{
|
||||
if (expected == 0
|
||||
|| expected == OSSL_STORE_INFO_PUBKEY
|
||||
|| expected == OSSL_STORE_INFO_PKEY) {
|
||||
ctx->expected = expected;
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
static OSSL_STORE_INFO *engine_load(OSSL_STORE_LOADER_CTX *ctx,
|
||||
const UI_METHOD *ui_method, void *ui_data)
|
||||
{
|
||||
EVP_PKEY *pkey = NULL, *pubkey = NULL;
|
||||
OSSL_STORE_INFO *info = NULL;
|
||||
|
||||
if (ctx->loaded == 0) {
|
||||
if (ENGINE_init(ctx->e)) {
|
||||
if (ctx->expected == 0
|
||||
|| ctx->expected == OSSL_STORE_INFO_PKEY)
|
||||
pkey =
|
||||
ENGINE_load_private_key(ctx->e, ctx->keyid,
|
||||
(UI_METHOD *)ui_method, ui_data);
|
||||
if ((pkey == NULL && ctx->expected == 0)
|
||||
|| ctx->expected == OSSL_STORE_INFO_PUBKEY)
|
||||
pubkey =
|
||||
ENGINE_load_public_key(ctx->e, ctx->keyid,
|
||||
(UI_METHOD *)ui_method, ui_data);
|
||||
ENGINE_finish(ctx->e);
|
||||
}
|
||||
}
|
||||
|
||||
ctx->loaded = 1;
|
||||
|
||||
if (pubkey != NULL)
|
||||
info = OSSL_STORE_INFO_new_PUBKEY(pubkey);
|
||||
else if (pkey != NULL)
|
||||
info = OSSL_STORE_INFO_new_PKEY(pkey);
|
||||
if (info == NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
EVP_PKEY_free(pubkey);
|
||||
}
|
||||
return info;
|
||||
}
|
||||
|
||||
static int engine_eof(OSSL_STORE_LOADER_CTX *ctx)
|
||||
{
|
||||
return ctx->loaded != 0;
|
||||
}
|
||||
|
||||
static int engine_error(OSSL_STORE_LOADER_CTX *ctx)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int engine_close(OSSL_STORE_LOADER_CTX *ctx)
|
||||
{
|
||||
OSSL_STORE_LOADER_CTX_free(ctx);
|
||||
return 1;
|
||||
}
|
||||
|
||||
int setup_engine_loader(void)
|
||||
{
|
||||
OSSL_STORE_LOADER *loader = NULL;
|
||||
|
||||
if ((loader = OSSL_STORE_LOADER_new(NULL, ENGINE_SCHEME)) == NULL
|
||||
|| !OSSL_STORE_LOADER_set_open(loader, engine_open)
|
||||
|| !OSSL_STORE_LOADER_set_expect(loader, engine_expect)
|
||||
|| !OSSL_STORE_LOADER_set_load(loader, engine_load)
|
||||
|| !OSSL_STORE_LOADER_set_eof(loader, engine_eof)
|
||||
|| !OSSL_STORE_LOADER_set_error(loader, engine_error)
|
||||
|| !OSSL_STORE_LOADER_set_close(loader, engine_close)
|
||||
|| !OSSL_STORE_register_loader(loader)) {
|
||||
OSSL_STORE_LOADER_free(loader);
|
||||
loader = NULL;
|
||||
}
|
||||
|
||||
return loader != NULL;
|
||||
}
|
||||
|
||||
void destroy_engine_loader(void)
|
||||
{
|
||||
OSSL_STORE_LOADER *loader = OSSL_STORE_unregister_loader(ENGINE_SCHEME);
|
||||
OSSL_STORE_LOADER_free(loader);
|
||||
}
|
||||
|
||||
#else /* !OPENSSL_NO_ENGINE */
|
||||
|
||||
int setup_engine_loader(void)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
void destroy_engine_loader(void)
|
||||
{
|
||||
}
|
||||
|
||||
#endif
|
15
crypto/openssl/apps/lib/fmt.c
Normal file
15
crypto/openssl/apps/lib/fmt.c
Normal file
@ -0,0 +1,15 @@
|
||||
/*
|
||||
* Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include "fmt.h"
|
||||
|
||||
int FMT_istext(int format)
|
||||
{
|
||||
return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT;
|
||||
}
|
533
crypto/openssl/apps/lib/http_server.c
Normal file
533
crypto/openssl/apps/lib/http_server.c
Normal file
@ -0,0 +1,533 @@
|
||||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
/* Very basic HTTP server */
|
||||
|
||||
#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
|
||||
/*
|
||||
* On VMS, you need to define this to get the declaration of fileno(). The
|
||||
* value 2 is to make sure no function defined in POSIX-2 is left undefined.
|
||||
*/
|
||||
# define _POSIX_C_SOURCE 2
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
#include <ctype.h>
|
||||
#include "http_server.h"
|
||||
#include "internal/sockets.h"
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include "s_apps.h"
|
||||
|
||||
#if defined(__TANDEM)
|
||||
# if defined(OPENSSL_TANDEM_FLOSS)
|
||||
# include <floss.h(floss_fork)>
|
||||
# endif
|
||||
#endif
|
||||
|
||||
static int verbosity = LOG_INFO;
|
||||
|
||||
#define HTTP_PREFIX "HTTP/"
|
||||
#define HTTP_VERSION_PATT "1." /* allow 1.x */
|
||||
#define HTTP_PREFIX_VERSION HTTP_PREFIX""HTTP_VERSION_PATT
|
||||
#define HTTP_1_0 HTTP_PREFIX_VERSION"0" /* "HTTP/1.0" */
|
||||
|
||||
#ifdef HTTP_DAEMON
|
||||
|
||||
int multi = 0; /* run multiple responder processes */
|
||||
int acfd = (int) INVALID_SOCKET;
|
||||
|
||||
static int print_syslog(const char *str, size_t len, void *levPtr)
|
||||
{
|
||||
int level = *(int *)levPtr;
|
||||
int ilen = len > MAXERRLEN ? MAXERRLEN : len;
|
||||
|
||||
syslog(level, "%.*s", ilen, str);
|
||||
|
||||
return ilen;
|
||||
}
|
||||
#endif
|
||||
|
||||
void log_message(const char *prog, int level, const char *fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
if (verbosity < level)
|
||||
return;
|
||||
|
||||
va_start(ap, fmt);
|
||||
#ifdef HTTP_DAEMON
|
||||
if (multi) {
|
||||
char buf[1024];
|
||||
|
||||
if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0)
|
||||
syslog(level, "%s", buf);
|
||||
if (level <= LOG_ERR)
|
||||
ERR_print_errors_cb(print_syslog, &level);
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
BIO_printf(bio_err, "%s: ", prog);
|
||||
BIO_vprintf(bio_err, fmt, ap);
|
||||
BIO_printf(bio_err, "\n");
|
||||
(void)BIO_flush(bio_err);
|
||||
}
|
||||
va_end(ap);
|
||||
}
|
||||
|
||||
#ifdef HTTP_DAEMON
|
||||
void socket_timeout(int signum)
|
||||
{
|
||||
if (acfd != (int)INVALID_SOCKET)
|
||||
(void)shutdown(acfd, SHUT_RD);
|
||||
}
|
||||
|
||||
static void killall(int ret, pid_t *kidpids)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < multi; ++i)
|
||||
if (kidpids[i] != 0)
|
||||
(void)kill(kidpids[i], SIGTERM);
|
||||
OPENSSL_free(kidpids);
|
||||
ossl_sleep(1000);
|
||||
exit(ret);
|
||||
}
|
||||
|
||||
static int termsig = 0;
|
||||
|
||||
static void noteterm(int sig)
|
||||
{
|
||||
termsig = sig;
|
||||
}
|
||||
|
||||
/*
|
||||
* Loop spawning up to `multi` child processes, only child processes return
|
||||
* from this function. The parent process loops until receiving a termination
|
||||
* signal, kills extant children and exits without returning.
|
||||
*/
|
||||
void spawn_loop(const char *prog)
|
||||
{
|
||||
pid_t *kidpids = NULL;
|
||||
int status;
|
||||
int procs = 0;
|
||||
int i;
|
||||
|
||||
openlog(prog, LOG_PID, LOG_DAEMON);
|
||||
|
||||
if (setpgid(0, 0)) {
|
||||
syslog(LOG_ERR, "fatal: error detaching from parent process group: %s",
|
||||
strerror(errno));
|
||||
exit(1);
|
||||
}
|
||||
kidpids = app_malloc(multi * sizeof(*kidpids), "child PID array");
|
||||
for (i = 0; i < multi; ++i)
|
||||
kidpids[i] = 0;
|
||||
|
||||
signal(SIGINT, noteterm);
|
||||
signal(SIGTERM, noteterm);
|
||||
|
||||
while (termsig == 0) {
|
||||
pid_t fpid;
|
||||
|
||||
/*
|
||||
* Wait for a child to replace when we're at the limit.
|
||||
* Slow down if a child exited abnormally or waitpid() < 0
|
||||
*/
|
||||
while (termsig == 0 && procs >= multi) {
|
||||
if ((fpid = waitpid(-1, &status, 0)) > 0) {
|
||||
for (i = 0; i < procs; ++i) {
|
||||
if (kidpids[i] == fpid) {
|
||||
kidpids[i] = 0;
|
||||
--procs;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (i >= multi) {
|
||||
syslog(LOG_ERR, "fatal: internal error: "
|
||||
"no matching child slot for pid: %ld",
|
||||
(long) fpid);
|
||||
killall(1, kidpids);
|
||||
}
|
||||
if (status != 0) {
|
||||
if (WIFEXITED(status))
|
||||
syslog(LOG_WARNING, "child process: %ld, exit status: %d",
|
||||
(long)fpid, WEXITSTATUS(status));
|
||||
else if (WIFSIGNALED(status))
|
||||
syslog(LOG_WARNING, "child process: %ld, term signal %d%s",
|
||||
(long)fpid, WTERMSIG(status),
|
||||
# ifdef WCOREDUMP
|
||||
WCOREDUMP(status) ? " (core dumped)" :
|
||||
# endif
|
||||
"");
|
||||
ossl_sleep(1000);
|
||||
}
|
||||
break;
|
||||
} else if (errno != EINTR) {
|
||||
syslog(LOG_ERR, "fatal: waitpid(): %s", strerror(errno));
|
||||
killall(1, kidpids);
|
||||
}
|
||||
}
|
||||
if (termsig)
|
||||
break;
|
||||
|
||||
switch (fpid = fork()) {
|
||||
case -1: /* error */
|
||||
/* System critically low on memory, pause and try again later */
|
||||
ossl_sleep(30000);
|
||||
break;
|
||||
case 0: /* child */
|
||||
OPENSSL_free(kidpids);
|
||||
signal(SIGINT, SIG_DFL);
|
||||
signal(SIGTERM, SIG_DFL);
|
||||
if (termsig)
|
||||
_exit(0);
|
||||
if (RAND_poll() <= 0) {
|
||||
syslog(LOG_ERR, "fatal: RAND_poll() failed");
|
||||
_exit(1);
|
||||
}
|
||||
return;
|
||||
default: /* parent */
|
||||
for (i = 0; i < multi; ++i) {
|
||||
if (kidpids[i] == 0) {
|
||||
kidpids[i] = fpid;
|
||||
procs++;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (i >= multi) {
|
||||
syslog(LOG_ERR, "fatal: internal error: no free child slots");
|
||||
killall(1, kidpids);
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/* The loop above can only break on termsig */
|
||||
syslog(LOG_INFO, "terminating on signal: %d", termsig);
|
||||
killall(0, kidpids);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_SOCK
|
||||
BIO *http_server_init_bio(const char *prog, const char *port)
|
||||
{
|
||||
BIO *acbio = NULL, *bufbio;
|
||||
int asock;
|
||||
|
||||
bufbio = BIO_new(BIO_f_buffer());
|
||||
if (bufbio == NULL)
|
||||
goto err;
|
||||
acbio = BIO_new(BIO_s_accept());
|
||||
if (acbio == NULL
|
||||
|| BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0
|
||||
|| BIO_set_accept_port(acbio, port) < 0) {
|
||||
log_message(prog, LOG_ERR, "Error setting up accept BIO");
|
||||
goto err;
|
||||
}
|
||||
|
||||
BIO_set_accept_bios(acbio, bufbio);
|
||||
bufbio = NULL;
|
||||
if (BIO_do_accept(acbio) <= 0) {
|
||||
log_message(prog, LOG_ERR, "Error starting accept");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Report back what address and port are used */
|
||||
BIO_get_fd(acbio, &asock);
|
||||
if (!report_server_accept(bio_out, asock, 1, 1)) {
|
||||
log_message(prog, LOG_ERR, "Error printing ACCEPT string");
|
||||
goto err;
|
||||
}
|
||||
|
||||
return acbio;
|
||||
|
||||
err:
|
||||
BIO_free_all(acbio);
|
||||
BIO_free(bufbio);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Decode %xx URL-decoding in-place. Ignores malformed sequences.
|
||||
*/
|
||||
static int urldecode(char *p)
|
||||
{
|
||||
unsigned char *out = (unsigned char *)p;
|
||||
unsigned char *save = out;
|
||||
|
||||
for (; *p; p++) {
|
||||
if (*p != '%') {
|
||||
*out++ = *p;
|
||||
} else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) {
|
||||
/* Don't check, can't fail because of ixdigit() call. */
|
||||
*out++ = (OPENSSL_hexchar2int(p[1]) << 4)
|
||||
| OPENSSL_hexchar2int(p[2]);
|
||||
p += 2;
|
||||
} else {
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
*out = '\0';
|
||||
return (int)(out - save);
|
||||
}
|
||||
|
||||
/* if *pcbio != NULL, continue given connected session, else accept new */
|
||||
/* if found_keep_alive != NULL, return this way connection persistence state */
|
||||
int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
|
||||
char **ppath, BIO **pcbio, BIO *acbio,
|
||||
int *found_keep_alive,
|
||||
const char *prog, const char *port,
|
||||
int accept_get, int timeout)
|
||||
{
|
||||
BIO *cbio = *pcbio, *getbio = NULL, *b64 = NULL;
|
||||
int len;
|
||||
char reqbuf[2048], inbuf[2048];
|
||||
char *meth, *url, *end;
|
||||
ASN1_VALUE *req;
|
||||
int ret = 0;
|
||||
|
||||
*preq = NULL;
|
||||
if (ppath != NULL)
|
||||
*ppath = NULL;
|
||||
|
||||
if (cbio == NULL) {
|
||||
log_message(prog, LOG_DEBUG,
|
||||
"Awaiting new connection on port %s...", port);
|
||||
if (BIO_do_accept(acbio) <= 0)
|
||||
/* Connection loss before accept() is routine, ignore silently */
|
||||
return ret;
|
||||
|
||||
*pcbio = cbio = BIO_pop(acbio);
|
||||
} else {
|
||||
log_message(prog, LOG_DEBUG, "Awaiting next request...");
|
||||
}
|
||||
if (cbio == NULL) {
|
||||
/* Cannot call http_server_send_status(cbio, ...) */
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
# ifdef HTTP_DAEMON
|
||||
if (timeout > 0) {
|
||||
(void)BIO_get_fd(cbio, &acfd);
|
||||
alarm(timeout);
|
||||
}
|
||||
# endif
|
||||
|
||||
/* Read the request line. */
|
||||
len = BIO_gets(cbio, reqbuf, sizeof(reqbuf));
|
||||
if (len == 0)
|
||||
return ret;
|
||||
ret = 1;
|
||||
if (len < 0) {
|
||||
log_message(prog, LOG_WARNING, "Request line read error");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
if ((end = strchr(reqbuf, '\r')) != NULL
|
||||
|| (end = strchr(reqbuf, '\n')) != NULL)
|
||||
*end = '\0';
|
||||
log_message(prog, LOG_INFO, "Received request, 1st line: %s", reqbuf);
|
||||
|
||||
meth = reqbuf;
|
||||
url = meth + 3;
|
||||
if ((accept_get && strncmp(meth, "GET ", 4) == 0)
|
||||
|| (url++, strncmp(meth, "POST ", 5) == 0)) {
|
||||
static const char http_version_str[] = " "HTTP_PREFIX_VERSION;
|
||||
static const size_t http_version_str_len = sizeof(http_version_str) - 1;
|
||||
|
||||
/* Expecting (GET|POST) {sp} /URL {sp} HTTP/1.x */
|
||||
*(url++) = '\0';
|
||||
while (*url == ' ')
|
||||
url++;
|
||||
if (*url != '/') {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Invalid %s -- URL does not begin with '/': %s",
|
||||
meth, url);
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
url++;
|
||||
|
||||
/* Splice off the HTTP version identifier. */
|
||||
for (end = url; *end != '\0'; end++)
|
||||
if (*end == ' ')
|
||||
break;
|
||||
if (strncmp(end, http_version_str, http_version_str_len) != 0) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Invalid %s -- bad HTTP/version string: %s",
|
||||
meth, end + 1);
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
*end = '\0';
|
||||
/* above HTTP 1.0, connection persistence is the default */
|
||||
if (found_keep_alive != NULL)
|
||||
*found_keep_alive = end[http_version_str_len] > '0';
|
||||
|
||||
/*-
|
||||
* Skip "GET / HTTP..." requests often used by load-balancers.
|
||||
* 'url' was incremented above to point to the first byte *after*
|
||||
* the leading slash, so in case 'GET / ' it is now an empty string.
|
||||
*/
|
||||
if (strlen(meth) == 3 && url[0] == '\0') {
|
||||
(void)http_server_send_status(cbio, 200, "OK");
|
||||
goto out;
|
||||
}
|
||||
|
||||
len = urldecode(url);
|
||||
if (len < 0) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Invalid %s request -- bad URL encoding: %s",
|
||||
meth, url);
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
if (strlen(meth) == 3) { /* GET */
|
||||
if ((getbio = BIO_new_mem_buf(url, len)) == NULL
|
||||
|| (b64 = BIO_new(BIO_f_base64())) == NULL) {
|
||||
log_message(prog, LOG_ERR,
|
||||
"Could not allocate base64 bio with size = %d",
|
||||
len);
|
||||
goto fatal;
|
||||
}
|
||||
BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
|
||||
getbio = BIO_push(b64, getbio);
|
||||
}
|
||||
} else {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"HTTP request does not begin with %sPOST: %s",
|
||||
accept_get ? "GET or " : "", reqbuf);
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* chop any further/duplicate leading or trailing '/' */
|
||||
while (*url == '/')
|
||||
url++;
|
||||
while (end >= url + 2 && end[-2] == '/' && end[-1] == '/')
|
||||
end--;
|
||||
*end = '\0';
|
||||
|
||||
/* Read and skip past the headers. */
|
||||
for (;;) {
|
||||
char *key, *value, *line_end = NULL;
|
||||
|
||||
len = BIO_gets(cbio, inbuf, sizeof(inbuf));
|
||||
if (len <= 0) {
|
||||
log_message(prog, LOG_WARNING, "Error reading HTTP header");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
|
||||
if (inbuf[0] == '\r' || inbuf[0] == '\n')
|
||||
break;
|
||||
|
||||
key = inbuf;
|
||||
value = strchr(key, ':');
|
||||
if (value == NULL) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Error parsing HTTP header: missing ':'");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
*(value++) = '\0';
|
||||
while (*value == ' ')
|
||||
value++;
|
||||
line_end = strchr(value, '\r');
|
||||
if (line_end == NULL) {
|
||||
line_end = strchr(value, '\n');
|
||||
if (line_end == NULL) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Error parsing HTTP header: missing end of line");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
*line_end = '\0';
|
||||
/* https://tools.ietf.org/html/rfc7230#section-6.3 Persistence */
|
||||
if (found_keep_alive != NULL
|
||||
&& OPENSSL_strcasecmp(key, "Connection") == 0) {
|
||||
if (OPENSSL_strcasecmp(value, "keep-alive") == 0)
|
||||
*found_keep_alive = 1;
|
||||
else if (OPENSSL_strcasecmp(value, "close") == 0)
|
||||
*found_keep_alive = 0;
|
||||
}
|
||||
}
|
||||
|
||||
# ifdef HTTP_DAEMON
|
||||
/* Clear alarm before we close the client socket */
|
||||
alarm(0);
|
||||
timeout = 0;
|
||||
# endif
|
||||
|
||||
/* Try to read and parse request */
|
||||
req = ASN1_item_d2i_bio(it, getbio != NULL ? getbio : cbio, NULL);
|
||||
if (req == NULL) {
|
||||
log_message(prog, LOG_WARNING,
|
||||
"Error parsing DER-encoded request content");
|
||||
(void)http_server_send_status(cbio, 400, "Bad Request");
|
||||
} else if (ppath != NULL && (*ppath = OPENSSL_strdup(url)) == NULL) {
|
||||
log_message(prog, LOG_ERR,
|
||||
"Out of memory allocating %zu bytes", strlen(url) + 1);
|
||||
ASN1_item_free(req, it);
|
||||
goto fatal;
|
||||
}
|
||||
|
||||
*preq = req;
|
||||
|
||||
out:
|
||||
BIO_free_all(getbio);
|
||||
# ifdef HTTP_DAEMON
|
||||
if (timeout > 0)
|
||||
alarm(0);
|
||||
acfd = (int)INVALID_SOCKET;
|
||||
# endif
|
||||
return ret;
|
||||
|
||||
fatal:
|
||||
(void)http_server_send_status(cbio, 500, "Internal Server Error");
|
||||
if (ppath != NULL) {
|
||||
OPENSSL_free(*ppath);
|
||||
*ppath = NULL;
|
||||
}
|
||||
BIO_free_all(cbio);
|
||||
*pcbio = NULL;
|
||||
ret = -1;
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* assumes that cbio does not do an encoding that changes the output length */
|
||||
int http_server_send_asn1_resp(BIO *cbio, int keep_alive,
|
||||
const char *content_type,
|
||||
const ASN1_ITEM *it, const ASN1_VALUE *resp)
|
||||
{
|
||||
int ret = BIO_printf(cbio, HTTP_1_0" 200 OK\r\n%s"
|
||||
"Content-type: %s\r\n"
|
||||
"Content-Length: %d\r\n\r\n",
|
||||
keep_alive ? "Connection: keep-alive\r\n" : "",
|
||||
content_type,
|
||||
ASN1_item_i2d(resp, NULL, it)) > 0
|
||||
&& ASN1_item_i2d_bio(it, cbio, resp) > 0;
|
||||
|
||||
(void)BIO_flush(cbio);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int http_server_send_status(BIO *cbio, int status, const char *reason)
|
||||
{
|
||||
int ret = BIO_printf(cbio, HTTP_1_0" %d %s\r\n\r\n",
|
||||
/* This implicitly cancels keep-alive */
|
||||
status, reason) > 0;
|
||||
|
||||
(void)BIO_flush(cbio);
|
||||
return ret;
|
||||
}
|
||||
#endif
|
45
crypto/openssl/apps/lib/names.c
Normal file
45
crypto/openssl/apps/lib/names.c
Normal file
@ -0,0 +1,45 @@
|
||||
/*
|
||||
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/safestack.h>
|
||||
#include "names.h"
|
||||
#include "openssl/crypto.h"
|
||||
|
||||
int name_cmp(const char * const *a, const char * const *b)
|
||||
{
|
||||
return OPENSSL_strcasecmp(*a, *b);
|
||||
}
|
||||
|
||||
void collect_names(const char *name, void *vdata)
|
||||
{
|
||||
STACK_OF(OPENSSL_CSTRING) *names = vdata;
|
||||
|
||||
sk_OPENSSL_CSTRING_push(names, name);
|
||||
}
|
||||
|
||||
void print_names(BIO *out, STACK_OF(OPENSSL_CSTRING) *names)
|
||||
{
|
||||
int i = sk_OPENSSL_CSTRING_num(names);
|
||||
int j;
|
||||
|
||||
sk_OPENSSL_CSTRING_sort(names);
|
||||
if (i > 1)
|
||||
BIO_printf(out, "{ ");
|
||||
for (j = 0; j < i; j++) {
|
||||
const char *name = sk_OPENSSL_CSTRING_value(names, j);
|
||||
|
||||
if (j > 0)
|
||||
BIO_printf(out, ", ");
|
||||
BIO_printf(out, "%s", name);
|
||||
}
|
||||
if (i > 1)
|
||||
BIO_printf(out, " }");
|
||||
}
|
@ -1,27 +1,38 @@
|
||||
/*
|
||||
* Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
|
||||
* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
*/
|
||||
#include "apps.h"
|
||||
|
||||
/*
|
||||
* This file is also used by the test suite. Do not #include "apps.h".
|
||||
*/
|
||||
#include "opt.h"
|
||||
#include "fmt.h"
|
||||
#include "app_libctx.h"
|
||||
#include "internal/nelem.h"
|
||||
#include "internal/numbers.h"
|
||||
#include <string.h>
|
||||
#if !defined(OPENSSL_SYS_MSDOS)
|
||||
# include OPENSSL_UNISTD
|
||||
# include <unistd.h>
|
||||
#endif
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <errno.h>
|
||||
#include <ctype.h>
|
||||
#include <limits.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
||||
#define MAX_OPT_HELP_WIDTH 30
|
||||
const char OPT_HELP_STR[] = "--";
|
||||
const char OPT_MORE_STR[] = "---";
|
||||
const char OPT_HELP_STR[] = "-H";
|
||||
const char OPT_MORE_STR[] = "-M";
|
||||
const char OPT_SECTION_STR[] = "-S";
|
||||
const char OPT_PARAM_STR[] = "-P";
|
||||
|
||||
/* Our state */
|
||||
static char **argv;
|
||||
@ -38,18 +49,27 @@ static char prog[40];
|
||||
* Return the simple name of the program; removing various platform gunk.
|
||||
*/
|
||||
#if defined(OPENSSL_SYS_WIN32)
|
||||
|
||||
const char *opt_path_end(const char *filename)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
/* find the last '/', '\' or ':' */
|
||||
for (p = filename + strlen(filename); --p > filename; )
|
||||
if (*p == '/' || *p == '\\' || *p == ':') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
return p;
|
||||
}
|
||||
|
||||
char *opt_progname(const char *argv0)
|
||||
{
|
||||
size_t i, n;
|
||||
const char *p;
|
||||
char *q;
|
||||
|
||||
/* find the last '/', '\' or ':' */
|
||||
for (p = argv0 + strlen(argv0); --p > argv0;)
|
||||
if (*p == '/' || *p == '\\' || *p == ':') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
p = opt_path_end(argv0);
|
||||
|
||||
/* Strip off trailing nonsense. */
|
||||
n = strlen(p);
|
||||
@ -68,18 +88,27 @@ char *opt_progname(const char *argv0)
|
||||
|
||||
#elif defined(OPENSSL_SYS_VMS)
|
||||
|
||||
const char *opt_path_end(const char *filename)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
/* Find last special character sys:[foo.bar]openssl */
|
||||
for (p = filename + strlen(filename); --p > filename;)
|
||||
if (*p == ':' || *p == ']' || *p == '>') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
return p;
|
||||
}
|
||||
|
||||
char *opt_progname(const char *argv0)
|
||||
{
|
||||
const char *p, *q;
|
||||
|
||||
/* Find last special character sys:[foo.bar]openssl */
|
||||
for (p = argv0 + strlen(argv0); --p > argv0;)
|
||||
if (*p == ':' || *p == ']' || *p == '>') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
|
||||
p = opt_path_end(argv0);
|
||||
q = strrchr(p, '.');
|
||||
if (prog != p)
|
||||
strncpy(prog, p, sizeof(prog) - 1);
|
||||
prog[sizeof(prog) - 1] = '\0';
|
||||
if (q != NULL && q - p < sizeof(prog))
|
||||
@ -89,22 +118,40 @@ char *opt_progname(const char *argv0)
|
||||
|
||||
#else
|
||||
|
||||
char *opt_progname(const char *argv0)
|
||||
const char *opt_path_end(const char *filename)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
/* Could use strchr, but this is like the ones above. */
|
||||
for (p = argv0 + strlen(argv0); --p > argv0;)
|
||||
for (p = filename + strlen(filename); --p > filename;)
|
||||
if (*p == '/') {
|
||||
p++;
|
||||
break;
|
||||
}
|
||||
return p;
|
||||
}
|
||||
|
||||
char *opt_progname(const char *argv0)
|
||||
{
|
||||
const char *p;
|
||||
|
||||
p = opt_path_end(argv0);
|
||||
if (prog != p)
|
||||
strncpy(prog, p, sizeof(prog) - 1);
|
||||
prog[sizeof(prog) - 1] = '\0';
|
||||
return prog;
|
||||
}
|
||||
#endif
|
||||
|
||||
char *opt_appname(const char *argv0)
|
||||
{
|
||||
size_t len = strlen(prog);
|
||||
|
||||
if (argv0 != NULL)
|
||||
BIO_snprintf(prog + len, sizeof(prog) - len - 1, " %s", argv0);
|
||||
return prog;
|
||||
}
|
||||
|
||||
char *opt_getprog(void)
|
||||
{
|
||||
return prog;
|
||||
@ -116,32 +163,41 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
|
||||
/* Store state. */
|
||||
argc = ac;
|
||||
argv = av;
|
||||
opt_index = 1;
|
||||
opt_begin();
|
||||
opts = o;
|
||||
opt_progname(av[0]);
|
||||
unknown = NULL;
|
||||
|
||||
for (; o->name; ++o) {
|
||||
/* Make sure prog name is set for usage output */
|
||||
(void)opt_progname(argv[0]);
|
||||
|
||||
/* Check all options up until the PARAM marker (if present) */
|
||||
for (; o->name != NULL && o->name != OPT_PARAM_STR; ++o) {
|
||||
#ifndef NDEBUG
|
||||
const OPTIONS *next;
|
||||
int duplicated, i;
|
||||
#endif
|
||||
|
||||
if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR)
|
||||
if (o->name == OPT_HELP_STR
|
||||
|| o->name == OPT_MORE_STR
|
||||
|| o->name == OPT_SECTION_STR)
|
||||
continue;
|
||||
#ifndef NDEBUG
|
||||
i = o->valtype;
|
||||
|
||||
/* Make sure options are legit. */
|
||||
assert(o->name[0] != '-');
|
||||
assert(o->retval > 0);
|
||||
OPENSSL_assert(o->name[0] != '-');
|
||||
if (o->valtype == '.')
|
||||
OPENSSL_assert(o->retval == OPT_PARAM);
|
||||
else
|
||||
OPENSSL_assert(o->retval == OPT_DUP || o->retval > OPT_PARAM);
|
||||
switch (i) {
|
||||
case 0: case '-': case '/': case '<': case '>': case 'E': case 'F':
|
||||
case 0: case '-': case '.':
|
||||
case '/': case '<': case '>': case 'E': case 'F':
|
||||
case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's':
|
||||
case 'u': case 'c':
|
||||
case 'u': case 'c': case ':': case 'N':
|
||||
break;
|
||||
default:
|
||||
assert(0);
|
||||
OPENSSL_assert(0);
|
||||
}
|
||||
|
||||
/* Make sure there are no duplicates. */
|
||||
@ -149,14 +205,19 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
|
||||
/*
|
||||
* Some compilers inline strcmp and the assert string is too long.
|
||||
*/
|
||||
duplicated = strcmp(o->name, next->name) == 0;
|
||||
assert(!duplicated);
|
||||
duplicated = next->retval != OPT_DUP
|
||||
&& strcmp(o->name, next->name) == 0;
|
||||
if (duplicated) {
|
||||
opt_printf_stderr("%s: Internal error: duplicate option %s\n",
|
||||
prog, o->name);
|
||||
OPENSSL_assert(!duplicated);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
if (o->name[0] == '\0') {
|
||||
assert(unknown == NULL);
|
||||
OPENSSL_assert(unknown == NULL);
|
||||
unknown = o;
|
||||
assert(unknown->valtype == 0 || unknown->valtype == '-');
|
||||
OPENSSL_assert(unknown->valtype == 0 || unknown->valtype == '-');
|
||||
}
|
||||
}
|
||||
return prog;
|
||||
@ -176,19 +237,19 @@ static OPT_PAIR formats[] = {
|
||||
};
|
||||
|
||||
/* Print an error message about a failed format parse. */
|
||||
int opt_format_error(const char *s, unsigned long flags)
|
||||
static int opt_format_error(const char *s, unsigned long flags)
|
||||
{
|
||||
OPT_PAIR *ap;
|
||||
|
||||
if (flags == OPT_FMT_PEMDER) {
|
||||
BIO_printf(bio_err, "%s: Bad format \"%s\"; must be pem or der\n",
|
||||
opt_printf_stderr("%s: Bad format \"%s\"; must be pem or der\n",
|
||||
prog, s);
|
||||
} else {
|
||||
BIO_printf(bio_err, "%s: Bad format \"%s\"; must be one of:\n",
|
||||
opt_printf_stderr("%s: Bad format \"%s\"; must be one of:\n",
|
||||
prog, s);
|
||||
for (ap = formats; ap->name; ap++)
|
||||
if (flags & ap->retval)
|
||||
BIO_printf(bio_err, " %s\n", ap->name);
|
||||
opt_printf_stderr(" %s\n", ap->name);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
@ -198,6 +259,7 @@ int opt_format(const char *s, unsigned long flags, int *result)
|
||||
{
|
||||
switch (*s) {
|
||||
default:
|
||||
opt_printf_stderr("%s: Bad format \"%s\"\n", prog, s);
|
||||
return 0;
|
||||
case 'D':
|
||||
case 'd':
|
||||
@ -264,6 +326,7 @@ int opt_format(const char *s, unsigned long flags, int *result)
|
||||
return opt_format_error(s, flags);
|
||||
*result = FORMAT_PKCS12;
|
||||
} else {
|
||||
opt_printf_stderr("%s: Bad format \"%s\"\n", prog, s);
|
||||
return 0;
|
||||
}
|
||||
break;
|
||||
@ -271,28 +334,132 @@ int opt_format(const char *s, unsigned long flags, int *result)
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */
|
||||
int opt_cipher(const char *name, const EVP_CIPHER **cipherp)
|
||||
/* Return string representing the given format. */
|
||||
static const char *format2str(int format)
|
||||
{
|
||||
*cipherp = EVP_get_cipherbyname(name);
|
||||
if (*cipherp != NULL)
|
||||
switch (format) {
|
||||
default:
|
||||
return "(undefined)";
|
||||
case FORMAT_PEM:
|
||||
return "PEM";
|
||||
case FORMAT_ASN1:
|
||||
return "DER";
|
||||
case FORMAT_TEXT:
|
||||
return "TEXT";
|
||||
case FORMAT_NSS:
|
||||
return "NSS";
|
||||
case FORMAT_SMIME:
|
||||
return "SMIME";
|
||||
case FORMAT_MSBLOB:
|
||||
return "MSBLOB";
|
||||
case FORMAT_ENGINE:
|
||||
return "ENGINE";
|
||||
case FORMAT_HTTP:
|
||||
return "HTTP";
|
||||
case FORMAT_PKCS12:
|
||||
return "P12";
|
||||
case FORMAT_PVK:
|
||||
return "PVK";
|
||||
}
|
||||
}
|
||||
|
||||
/* Print an error message about unsuitable/unsupported format requested. */
|
||||
void print_format_error(int format, unsigned long flags)
|
||||
{
|
||||
(void)opt_format_error(format2str(format), flags);
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse a cipher name, put it in *cipherp after freeing what was there, if
|
||||
* cipherp is not NULL. Return 0 on failure, else 1.
|
||||
*/
|
||||
int opt_cipher_silent(const char *name, EVP_CIPHER **cipherp)
|
||||
{
|
||||
EVP_CIPHER *c;
|
||||
|
||||
ERR_set_mark();
|
||||
if ((c = EVP_CIPHER_fetch(app_get0_libctx(), name,
|
||||
app_get0_propq())) != NULL
|
||||
|| (opt_legacy_okay()
|
||||
&& (c = (EVP_CIPHER *)EVP_get_cipherbyname(name)) != NULL)) {
|
||||
ERR_pop_to_mark();
|
||||
if (cipherp != NULL) {
|
||||
EVP_CIPHER_free(*cipherp);
|
||||
*cipherp = c;
|
||||
} else {
|
||||
EVP_CIPHER_free(c);
|
||||
}
|
||||
return 1;
|
||||
BIO_printf(bio_err, "%s: Unrecognized flag %s\n", prog, name);
|
||||
}
|
||||
ERR_clear_last_mark();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int opt_cipher_any(const char *name, EVP_CIPHER **cipherp)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if ((ret = opt_cipher_silent(name, cipherp)) == 0)
|
||||
opt_printf_stderr("%s: Unknown cipher: %s\n", prog, name);
|
||||
return ret;
|
||||
}
|
||||
|
||||
int opt_cipher(const char *name, EVP_CIPHER **cipherp)
|
||||
{
|
||||
int mode, ret = 0;
|
||||
unsigned long int flags;
|
||||
EVP_CIPHER *c = NULL;
|
||||
|
||||
if (opt_cipher_any(name, &c)) {
|
||||
mode = EVP_CIPHER_get_mode(c);
|
||||
flags = EVP_CIPHER_get_flags(c);
|
||||
if (mode == EVP_CIPH_XTS_MODE) {
|
||||
opt_printf_stderr("%s XTS ciphers not supported\n", prog);
|
||||
} else if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
|
||||
opt_printf_stderr("%s: AEAD ciphers not supported\n", prog);
|
||||
} else {
|
||||
ret = 1;
|
||||
if (cipherp != NULL)
|
||||
*cipherp = c;
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1.
|
||||
*/
|
||||
int opt_md(const char *name, const EVP_MD **mdp)
|
||||
int opt_md_silent(const char *name, EVP_MD **mdp)
|
||||
{
|
||||
*mdp = EVP_get_digestbyname(name);
|
||||
if (*mdp != NULL)
|
||||
EVP_MD *md;
|
||||
|
||||
ERR_set_mark();
|
||||
if ((md = EVP_MD_fetch(app_get0_libctx(), name, app_get0_propq())) != NULL
|
||||
|| (opt_legacy_okay()
|
||||
&& (md = (EVP_MD *)EVP_get_digestbyname(name)) != NULL)) {
|
||||
ERR_pop_to_mark();
|
||||
if (mdp != NULL) {
|
||||
EVP_MD_free(*mdp);
|
||||
*mdp = md;
|
||||
} else {
|
||||
EVP_MD_free(md);
|
||||
}
|
||||
return 1;
|
||||
BIO_printf(bio_err, "%s: Unrecognized flag %s\n", prog, name);
|
||||
}
|
||||
ERR_clear_last_mark();
|
||||
return 0;
|
||||
}
|
||||
|
||||
int opt_md(const char *name, EVP_MD **mdp)
|
||||
{
|
||||
int ret;
|
||||
|
||||
if ((ret = opt_md_silent(name, mdp)) == 0)
|
||||
opt_printf_stderr("%s: Unknown option or message digest: %s\n", prog,
|
||||
name != NULL ? name : "\"\"");
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Look through a list of name/value pairs. */
|
||||
int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
|
||||
{
|
||||
@ -303,9 +470,23 @@ int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
|
||||
*result = pp->retval;
|
||||
return 1;
|
||||
}
|
||||
BIO_printf(bio_err, "%s: Value must be one of:\n", prog);
|
||||
opt_printf_stderr("%s: Value must be one of:\n", prog);
|
||||
for (pp = pairs; pp->name; pp++)
|
||||
BIO_printf(bio_err, "\t%s\n", pp->name);
|
||||
opt_printf_stderr("\t%s\n", pp->name);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* Look through a list of valid names */
|
||||
int opt_string(const char *name, const char **options)
|
||||
{
|
||||
const char **p;
|
||||
|
||||
for (p = options; *p != NULL; p++)
|
||||
if (strcmp(*p, name) == 0)
|
||||
return 1;
|
||||
opt_printf_stderr("%s: Value must be one of:\n", prog);
|
||||
for (p = options; *p != NULL; p++)
|
||||
opt_printf_stderr("\t%s\n", *p);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -318,13 +499,22 @@ int opt_int(const char *value, int *result)
|
||||
return 0;
|
||||
*result = (int)l;
|
||||
if (*result != l) {
|
||||
BIO_printf(bio_err, "%s: Value \"%s\" outside integer range\n",
|
||||
opt_printf_stderr("%s: Value \"%s\" outside integer range\n",
|
||||
prog, value);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Parse and return an integer, assuming range has been checked before. */
|
||||
int opt_int_arg(void)
|
||||
{
|
||||
int result = -1;
|
||||
|
||||
(void)opt_int(arg, &result);
|
||||
return result;
|
||||
}
|
||||
|
||||
static void opt_number_error(const char *v)
|
||||
{
|
||||
size_t i = 0;
|
||||
@ -339,13 +529,12 @@ static void opt_number_error(const char *v)
|
||||
|
||||
for (i = 0; i < OSSL_NELEM(b); i++) {
|
||||
if (strncmp(v, b[i].prefix, strlen(b[i].prefix)) == 0) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Can't parse \"%s\" as %s number\n",
|
||||
opt_printf_stderr("%s: Can't parse \"%s\" as %s number\n",
|
||||
prog, v, b[i].name);
|
||||
return;
|
||||
}
|
||||
}
|
||||
BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n", prog, v);
|
||||
opt_printf_stderr("%s: Can't parse \"%s\" as a number\n", prog, v);
|
||||
return;
|
||||
}
|
||||
|
||||
@ -372,10 +561,11 @@ int opt_long(const char *value, long *result)
|
||||
}
|
||||
|
||||
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
|
||||
defined(INTMAX_MAX) && defined(UINTMAX_MAX)
|
||||
defined(INTMAX_MAX) && defined(UINTMAX_MAX) && \
|
||||
!defined(OPENSSL_NO_INTTYPES_H)
|
||||
|
||||
/* Parse an intmax_t, put it into *result; return 0 on failure, else 1. */
|
||||
int opt_imax(const char *value, intmax_t *result)
|
||||
int opt_intmax(const char *value, ossl_intmax_t *result)
|
||||
{
|
||||
int oerrno = errno;
|
||||
intmax_t m;
|
||||
@ -385,19 +575,26 @@ int opt_imax(const char *value, intmax_t *result)
|
||||
m = strtoimax(value, &endp, 0);
|
||||
if (*endp
|
||||
|| endp == value
|
||||
|| ((m == INTMAX_MAX || m == INTMAX_MIN) && errno == ERANGE)
|
||||
|| ((m == INTMAX_MAX || m == INTMAX_MIN)
|
||||
&& errno == ERANGE)
|
||||
|| (m == 0 && errno != 0)) {
|
||||
opt_number_error(value);
|
||||
errno = oerrno;
|
||||
return 0;
|
||||
}
|
||||
*result = m;
|
||||
/* Ensure that the value in |m| is never too big for |*result| */
|
||||
if (sizeof(m) > sizeof(*result)
|
||||
&& (m < OSSL_INTMAX_MIN || m > OSSL_INTMAX_MAX)) {
|
||||
opt_number_error(value);
|
||||
return 0;
|
||||
}
|
||||
*result = (ossl_intmax_t)m;
|
||||
errno = oerrno;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Parse a uintmax_t, put it into *result; return 0 on failure, else 1. */
|
||||
int opt_umax(const char *value, uintmax_t *result)
|
||||
int opt_uintmax(const char *value, ossl_uintmax_t *result)
|
||||
{
|
||||
int oerrno = errno;
|
||||
uintmax_t m;
|
||||
@ -413,10 +610,37 @@ int opt_umax(const char *value, uintmax_t *result)
|
||||
errno = oerrno;
|
||||
return 0;
|
||||
}
|
||||
*result = m;
|
||||
/* Ensure that the value in |m| is never too big for |*result| */
|
||||
if (sizeof(m) > sizeof(*result)
|
||||
&& m > OSSL_UINTMAX_MAX) {
|
||||
opt_number_error(value);
|
||||
return 0;
|
||||
}
|
||||
*result = (ossl_intmax_t)m;
|
||||
errno = oerrno;
|
||||
return 1;
|
||||
}
|
||||
#else
|
||||
/* Fallback implementations based on long */
|
||||
int opt_intmax(const char *value, ossl_intmax_t *result)
|
||||
{
|
||||
long m;
|
||||
int ret;
|
||||
|
||||
if ((ret = opt_long(value, &m)))
|
||||
*result = m;
|
||||
return ret;
|
||||
}
|
||||
|
||||
int opt_uintmax(const char *value, ossl_uintmax_t *result)
|
||||
{
|
||||
unsigned long m;
|
||||
int ret;
|
||||
|
||||
if ((ret = opt_ulong(value, &m)))
|
||||
*result = m;
|
||||
return ret;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
@ -458,9 +682,9 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
||||
X509_PURPOSE *xptmp;
|
||||
const X509_VERIFY_PARAM *vtmp;
|
||||
|
||||
assert(vpm != NULL);
|
||||
assert(opt > OPT_V__FIRST);
|
||||
assert(opt < OPT_V__LAST);
|
||||
OPENSSL_assert(vpm != NULL);
|
||||
OPENSSL_assert(opt > OPT_V__FIRST);
|
||||
OPENSSL_assert(opt < OPT_V__LAST);
|
||||
|
||||
switch ((enum range)opt) {
|
||||
case OPT_V__FIRST:
|
||||
@ -469,7 +693,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
||||
case OPT_V_POLICY:
|
||||
otmp = OBJ_txt2obj(opt_arg(), 0);
|
||||
if (otmp == NULL) {
|
||||
BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg());
|
||||
opt_printf_stderr("%s: Invalid Policy %s\n", prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
X509_VERIFY_PARAM_add0_policy(vpm, otmp);
|
||||
@ -478,7 +702,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
||||
/* purpose name -> purpose index */
|
||||
i = X509_PURPOSE_get_by_sname(opt_arg());
|
||||
if (i < 0) {
|
||||
BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
|
||||
opt_printf_stderr("%s: Invalid purpose %s\n", prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -489,8 +713,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
||||
i = X509_PURPOSE_get_id(xptmp);
|
||||
|
||||
if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Internal error setting purpose %s\n",
|
||||
opt_printf_stderr("%s: Internal error setting purpose %s\n",
|
||||
prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
@ -498,7 +721,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
||||
case OPT_V_VERIFY_NAME:
|
||||
vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
|
||||
if (vtmp == NULL) {
|
||||
BIO_printf(bio_err, "%s: Invalid verify name %s\n",
|
||||
opt_printf_stderr("%s: Invalid verify name %s\n",
|
||||
prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
@ -515,10 +738,10 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
||||
X509_VERIFY_PARAM_set_auth_level(vpm, i);
|
||||
break;
|
||||
case OPT_V_ATTIME:
|
||||
if (!opt_imax(opt_arg(), &t))
|
||||
if (!opt_intmax(opt_arg(), &t))
|
||||
return 0;
|
||||
if (t != (time_t)t) {
|
||||
BIO_printf(bio_err, "%s: epoch time out of range %s\n",
|
||||
opt_printf_stderr("%s: epoch time out of range %s\n",
|
||||
prog, opt_arg());
|
||||
return 0;
|
||||
}
|
||||
@ -606,6 +829,13 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
|
||||
|
||||
}
|
||||
|
||||
void opt_begin(void)
|
||||
{
|
||||
opt_index = 1;
|
||||
arg = NULL;
|
||||
flag = NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse the next flag (and value if specified), return 0 if done, -1 on
|
||||
* error, otherwise the flag's retval.
|
||||
@ -645,14 +875,15 @@ int opt_next(void)
|
||||
*arg++ = '\0';
|
||||
for (o = opts; o->name; ++o) {
|
||||
/* If not this option, move on to the next one. */
|
||||
if (strcmp(p, o->name) != 0)
|
||||
if (!(strcmp(p, "h") == 0 && strcmp(o->name, "help") == 0)
|
||||
&& strcmp(p, o->name) != 0)
|
||||
continue;
|
||||
|
||||
/* If it doesn't take a value, make sure none was given. */
|
||||
if (o->valtype == 0 || o->valtype == '-') {
|
||||
if (arg) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Option -%s does not take a value\n", prog, p);
|
||||
opt_printf_stderr("%s: Option -%s does not take a value\n",
|
||||
prog, p);
|
||||
return -1;
|
||||
}
|
||||
return o->retval;
|
||||
@ -661,8 +892,8 @@ int opt_next(void)
|
||||
/* Want a value; get the next param if =foo not used. */
|
||||
if (arg == NULL) {
|
||||
if (argv[opt_index] == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Option -%s needs a value\n", prog, o->name);
|
||||
opt_printf_stderr("%s: Option -%s needs a value\n",
|
||||
prog, o->name);
|
||||
return -1;
|
||||
}
|
||||
arg = argv[opt_index++];
|
||||
@ -672,12 +903,16 @@ int opt_next(void)
|
||||
switch (o->valtype) {
|
||||
default:
|
||||
case 's':
|
||||
case ':':
|
||||
/* Just a string. */
|
||||
break;
|
||||
case '/':
|
||||
if (app_isdir(arg) > 0)
|
||||
case '.':
|
||||
/* Parameters */
|
||||
break;
|
||||
BIO_printf(bio_err, "%s: Not a directory: %s\n", prog, arg);
|
||||
case '/':
|
||||
if (opt_isdir(arg) > 0)
|
||||
break;
|
||||
opt_printf_stderr("%s: Not a directory: %s\n", prog, arg);
|
||||
return -1;
|
||||
case '<':
|
||||
/* Input file. */
|
||||
@ -687,45 +922,35 @@ int opt_next(void)
|
||||
break;
|
||||
case 'p':
|
||||
case 'n':
|
||||
if (!opt_int(arg, &ival)
|
||||
|| (o->valtype == 'p' && ival <= 0)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Non-positive number \"%s\" for -%s\n",
|
||||
case 'N':
|
||||
if (!opt_int(arg, &ival))
|
||||
return -1;
|
||||
if (o->valtype == 'p' && ival <= 0) {
|
||||
opt_printf_stderr("%s: Non-positive number \"%s\" for option -%s\n",
|
||||
prog, arg, o->name);
|
||||
return -1;
|
||||
}
|
||||
if (o->valtype == 'N' && ival < 0) {
|
||||
opt_printf_stderr("%s: Negative number \"%s\" for option -%s\n",
|
||||
prog, arg, o->name);
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'M':
|
||||
if (!opt_imax(arg, &imval)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
if (!opt_intmax(arg, &imval))
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'U':
|
||||
if (!opt_umax(arg, &umval)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
if (!opt_uintmax(arg, &umval))
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'l':
|
||||
if (!opt_long(arg, &lval)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
if (!opt_long(arg, &lval))
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'u':
|
||||
if (!opt_ulong(arg, &ulval)) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid number \"%s\" for -%s\n",
|
||||
prog, arg, o->name);
|
||||
if (!opt_ulong(arg, &ulval))
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
case 'c':
|
||||
case 'E':
|
||||
@ -737,8 +962,7 @@ int opt_next(void)
|
||||
o->valtype == 'F' ? OPT_FMT_PEMDER
|
||||
: OPT_FMT_ANY, &ival))
|
||||
break;
|
||||
BIO_printf(bio_err,
|
||||
"%s: Invalid format \"%s\" for -%s\n",
|
||||
opt_printf_stderr("%s: Invalid format \"%s\" for option -%s\n",
|
||||
prog, arg, o->name);
|
||||
return -1;
|
||||
}
|
||||
@ -750,7 +974,7 @@ int opt_next(void)
|
||||
dunno = p;
|
||||
return unknown->retval;
|
||||
}
|
||||
BIO_printf(bio_err, "%s: Option unknown option -%s\n", prog, p);
|
||||
opt_printf_stderr("%s: Unknown option: -%s\n", prog, p);
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -760,7 +984,7 @@ char *opt_arg(void)
|
||||
return arg;
|
||||
}
|
||||
|
||||
/* Return the most recent flag. */
|
||||
/* Return the most recent flag (option name including the preceding '-'). */
|
||||
char *opt_flag(void)
|
||||
{
|
||||
return flag;
|
||||
@ -796,6 +1020,8 @@ static const char *valtype2param(const OPTIONS *o)
|
||||
case 0:
|
||||
case '-':
|
||||
return "";
|
||||
case ':':
|
||||
return "uri";
|
||||
case 's':
|
||||
return "val";
|
||||
case '/':
|
||||
@ -820,21 +1046,75 @@ static const char *valtype2param(const OPTIONS *o)
|
||||
return "format";
|
||||
case 'M':
|
||||
return "intmax";
|
||||
case 'N':
|
||||
return "nonneg";
|
||||
case 'U':
|
||||
return "uintmax";
|
||||
}
|
||||
return "parm";
|
||||
}
|
||||
|
||||
static void opt_print(const OPTIONS *o, int doingparams, int width)
|
||||
{
|
||||
const char* help;
|
||||
char start[80 + 1];
|
||||
char *p;
|
||||
|
||||
help = o->helpstr ? o->helpstr : "(No additional info)";
|
||||
if (o->name == OPT_HELP_STR) {
|
||||
opt_printf_stderr(help, prog);
|
||||
return;
|
||||
}
|
||||
if (o->name == OPT_SECTION_STR) {
|
||||
opt_printf_stderr("\n");
|
||||
opt_printf_stderr(help, prog);
|
||||
return;
|
||||
}
|
||||
if (o->name == OPT_PARAM_STR) {
|
||||
opt_printf_stderr("\nParameters:\n");
|
||||
return;
|
||||
}
|
||||
|
||||
/* Pad out prefix */
|
||||
memset(start, ' ', sizeof(start) - 1);
|
||||
start[sizeof(start) - 1] = '\0';
|
||||
|
||||
if (o->name == OPT_MORE_STR) {
|
||||
/* Continuation of previous line; pad and print. */
|
||||
start[width] = '\0';
|
||||
opt_printf_stderr("%s %s\n", start, help);
|
||||
return;
|
||||
}
|
||||
|
||||
/* Build up the "-flag [param]" part. */
|
||||
p = start;
|
||||
*p++ = ' ';
|
||||
if (!doingparams)
|
||||
*p++ = '-';
|
||||
if (o->name[0])
|
||||
p += strlen(strcpy(p, o->name));
|
||||
else
|
||||
*p++ = '*';
|
||||
if (o->valtype != '-') {
|
||||
*p++ = ' ';
|
||||
p += strlen(strcpy(p, valtype2param(o)));
|
||||
}
|
||||
*p = ' ';
|
||||
if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) {
|
||||
*p = '\0';
|
||||
opt_printf_stderr("%s\n", start);
|
||||
memset(start, ' ', sizeof(start));
|
||||
}
|
||||
start[width] = '\0';
|
||||
opt_printf_stderr("%s %s\n", start, help);
|
||||
}
|
||||
|
||||
void opt_help(const OPTIONS *list)
|
||||
{
|
||||
const OPTIONS *o;
|
||||
int i;
|
||||
int i, sawparams = 0, width = 5;
|
||||
int standard_prolog;
|
||||
int width = 5;
|
||||
char start[80 + 1];
|
||||
char *p;
|
||||
const char *help;
|
||||
|
||||
/* Starts with its own help message? */
|
||||
standard_prolog = list[0].name != OPT_HELP_STR;
|
||||
@ -848,51 +1128,71 @@ void opt_help(const OPTIONS *list)
|
||||
i += 1 + strlen(valtype2param(o));
|
||||
if (i < MAX_OPT_HELP_WIDTH && i > width)
|
||||
width = i;
|
||||
assert(i < (int)sizeof(start));
|
||||
OPENSSL_assert(i < (int)sizeof(start));
|
||||
}
|
||||
|
||||
if (standard_prolog)
|
||||
BIO_printf(bio_err, "Usage: %s [options]\nValid options are:\n",
|
||||
prog);
|
||||
if (standard_prolog) {
|
||||
opt_printf_stderr("Usage: %s [options]\n", prog);
|
||||
if (list[0].name != OPT_SECTION_STR)
|
||||
opt_printf_stderr("Valid options are:\n", prog);
|
||||
}
|
||||
|
||||
/* Now let's print. */
|
||||
for (o = list; o->name; o++) {
|
||||
help = o->helpstr ? o->helpstr : "(No additional info)";
|
||||
if (o->name == OPT_HELP_STR) {
|
||||
BIO_printf(bio_err, help, prog);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Pad out prefix */
|
||||
memset(start, ' ', sizeof(start) - 1);
|
||||
start[sizeof(start) - 1] = '\0';
|
||||
|
||||
if (o->name == OPT_MORE_STR) {
|
||||
/* Continuation of previous line; pad and print. */
|
||||
start[width] = '\0';
|
||||
BIO_printf(bio_err, "%s %s\n", start, help);
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Build up the "-flag [param]" part. */
|
||||
p = start;
|
||||
*p++ = ' ';
|
||||
*p++ = '-';
|
||||
if (o->name[0])
|
||||
p += strlen(strcpy(p, o->name));
|
||||
else
|
||||
*p++ = '*';
|
||||
if (o->valtype != '-') {
|
||||
*p++ = ' ';
|
||||
p += strlen(strcpy(p, valtype2param(o)));
|
||||
}
|
||||
*p = ' ';
|
||||
if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) {
|
||||
*p = '\0';
|
||||
BIO_printf(bio_err, "%s\n", start);
|
||||
memset(start, ' ', sizeof(start));
|
||||
}
|
||||
start[width] = '\0';
|
||||
BIO_printf(bio_err, "%s %s\n", start, help);
|
||||
if (o->name == OPT_PARAM_STR)
|
||||
sawparams = 1;
|
||||
opt_print(o, sawparams, width);
|
||||
}
|
||||
}
|
||||
|
||||
/* opt_isdir section */
|
||||
#ifdef _WIN32
|
||||
# include <windows.h>
|
||||
int opt_isdir(const char *name)
|
||||
{
|
||||
DWORD attr;
|
||||
# if defined(UNICODE) || defined(_UNICODE)
|
||||
size_t i, len_0 = strlen(name) + 1;
|
||||
WCHAR tempname[MAX_PATH];
|
||||
|
||||
if (len_0 > MAX_PATH)
|
||||
return -1;
|
||||
|
||||
# if !defined(_WIN32_WCE) || _WIN32_WCE>=101
|
||||
if (!MultiByteToWideChar(CP_ACP, 0, name, len_0, tempname, MAX_PATH))
|
||||
# endif
|
||||
for (i = 0; i < len_0; i++)
|
||||
tempname[i] = (WCHAR)name[i];
|
||||
|
||||
attr = GetFileAttributes(tempname);
|
||||
# else
|
||||
attr = GetFileAttributes(name);
|
||||
# endif
|
||||
if (attr == INVALID_FILE_ATTRIBUTES)
|
||||
return -1;
|
||||
return ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0);
|
||||
}
|
||||
#else
|
||||
# include <sys/stat.h>
|
||||
# ifndef S_ISDIR
|
||||
# if defined(_S_IFMT) && defined(_S_IFDIR)
|
||||
# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
|
||||
# else
|
||||
# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
|
||||
# endif
|
||||
# endif
|
||||
|
||||
int opt_isdir(const char *name)
|
||||
{
|
||||
# if defined(S_ISDIR)
|
||||
struct stat st;
|
||||
|
||||
if (stat(name, &st) == 0)
|
||||
return S_ISDIR(st.st_mode);
|
||||
else
|
||||
return -1;
|
||||
# else
|
||||
return -1;
|
||||
# endif
|
||||
}
|
||||
#endif
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -12,6 +12,8 @@
|
||||
#include <stdlib.h>
|
||||
#include <string.h> /* for memcpy() and strcmp() */
|
||||
#include "apps.h"
|
||||
#include <openssl/core_names.h>
|
||||
#include <openssl/params.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/x509.h>
|
||||
@ -150,6 +152,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
|
||||
STACK_OF(X509) *chain, int build_chain)
|
||||
{
|
||||
int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0;
|
||||
|
||||
if (cert == NULL)
|
||||
return 1;
|
||||
if (SSL_CTX_use_certificate(ctx, cert) <= 0) {
|
||||
@ -194,7 +197,7 @@ static STRINT_PAIR cert_type_list[] = {
|
||||
{"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
|
||||
{"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
|
||||
{"GOST01 Sign", TLS_CT_GOST01_SIGN},
|
||||
{"GOST12 Sign", TLS_CT_GOST12_SIGN},
|
||||
{"GOST12 Sign", TLS_CT_GOST12_IANA_SIGN},
|
||||
{NULL}
|
||||
};
|
||||
|
||||
@ -203,6 +206,7 @@ static void ssl_print_client_cert_types(BIO *bio, SSL *s)
|
||||
const unsigned char *p;
|
||||
int i;
|
||||
int cert_type_num = SSL_get0_certificate_types(s, &p);
|
||||
|
||||
if (!cert_type_num)
|
||||
return;
|
||||
BIO_puts(bio, "Client Certificate Types: ");
|
||||
@ -258,6 +262,7 @@ static const char *get_sigtype(int nid)
|
||||
static int do_print_sigalgs(BIO *out, SSL *s, int shared)
|
||||
{
|
||||
int i, nsig, client;
|
||||
|
||||
client = SSL_is_server(s) ? 0 : 1;
|
||||
if (shared)
|
||||
nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL);
|
||||
@ -300,6 +305,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared)
|
||||
int ssl_print_sigalgs(BIO *out, SSL *s)
|
||||
{
|
||||
int nid;
|
||||
|
||||
if (!SSL_is_server(s))
|
||||
ssl_print_client_cert_types(out, s);
|
||||
do_print_sigalgs(out, s, 0);
|
||||
@ -316,6 +322,7 @@ int ssl_print_point_formats(BIO *out, SSL *s)
|
||||
{
|
||||
int i, nformats;
|
||||
const char *pformats;
|
||||
|
||||
nformats = SSL_get0_ec_point_formats(s, &pformats);
|
||||
if (nformats <= 0)
|
||||
return 1;
|
||||
@ -349,7 +356,6 @@ int ssl_print_point_formats(BIO *out, SSL *s)
|
||||
int ssl_print_groups(BIO *out, SSL *s, int noshared)
|
||||
{
|
||||
int i, ngroups, *groups, nid;
|
||||
const char *gname;
|
||||
|
||||
ngroups = SSL_get1_groups(s, NULL);
|
||||
if (ngroups <= 0)
|
||||
@ -357,39 +363,25 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared)
|
||||
groups = app_malloc(ngroups * sizeof(int), "groups to print");
|
||||
SSL_get1_groups(s, groups);
|
||||
|
||||
BIO_puts(out, "Supported Elliptic Groups: ");
|
||||
BIO_puts(out, "Supported groups: ");
|
||||
for (i = 0; i < ngroups; i++) {
|
||||
if (i)
|
||||
BIO_puts(out, ":");
|
||||
nid = groups[i];
|
||||
/* If unrecognised print out hex version */
|
||||
if (nid & TLSEXT_nid_unknown) {
|
||||
BIO_printf(out, "0x%04X", nid & 0xFFFF);
|
||||
} else {
|
||||
/* TODO(TLS1.3): Get group name here */
|
||||
/* Use NIST name for curve if it exists */
|
||||
gname = EC_curve_nid2nist(nid);
|
||||
if (gname == NULL)
|
||||
gname = OBJ_nid2sn(nid);
|
||||
BIO_printf(out, "%s", gname);
|
||||
}
|
||||
BIO_printf(out, "%s", SSL_group_to_name(s, nid));
|
||||
}
|
||||
OPENSSL_free(groups);
|
||||
if (noshared) {
|
||||
BIO_puts(out, "\n");
|
||||
return 1;
|
||||
}
|
||||
BIO_puts(out, "\nShared Elliptic groups: ");
|
||||
BIO_puts(out, "\nShared groups: ");
|
||||
ngroups = SSL_get_shared_group(s, -1);
|
||||
for (i = 0; i < ngroups; i++) {
|
||||
if (i)
|
||||
BIO_puts(out, ":");
|
||||
nid = SSL_get_shared_group(s, i);
|
||||
/* TODO(TLS1.3): Convert for DH groups */
|
||||
gname = EC_curve_nid2nist(nid);
|
||||
if (gname == NULL)
|
||||
gname = OBJ_nid2sn(nid);
|
||||
BIO_printf(out, "%s", gname);
|
||||
BIO_printf(out, "%s", SSL_group_to_name(s, nid));
|
||||
}
|
||||
if (ngroups == 0)
|
||||
BIO_puts(out, "NONE");
|
||||
@ -405,39 +397,37 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
|
||||
if (!SSL_get_peer_tmp_key(s, &key))
|
||||
return 1;
|
||||
BIO_puts(out, "Server Temp Key: ");
|
||||
switch (EVP_PKEY_id(key)) {
|
||||
switch (EVP_PKEY_get_id(key)) {
|
||||
case EVP_PKEY_RSA:
|
||||
BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
|
||||
BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_get_bits(key));
|
||||
break;
|
||||
|
||||
case EVP_PKEY_DH:
|
||||
BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
|
||||
BIO_printf(out, "DH, %d bits\n", EVP_PKEY_get_bits(key));
|
||||
break;
|
||||
#ifndef OPENSSL_NO_EC
|
||||
case EVP_PKEY_EC:
|
||||
{
|
||||
EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
|
||||
int nid;
|
||||
const char *cname;
|
||||
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
|
||||
EC_KEY_free(ec);
|
||||
cname = EC_curve_nid2nist(nid);
|
||||
if (cname == NULL)
|
||||
cname = OBJ_nid2sn(nid);
|
||||
BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key));
|
||||
char name[80];
|
||||
size_t name_len;
|
||||
|
||||
if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
name, sizeof(name), &name_len))
|
||||
strcpy(name, "?");
|
||||
BIO_printf(out, "ECDH, %s, %d bits\n", name, EVP_PKEY_get_bits(key));
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
BIO_printf(out, "%s, %d bits\n", OBJ_nid2sn(EVP_PKEY_id(key)),
|
||||
EVP_PKEY_bits(key));
|
||||
BIO_printf(out, "%s, %d bits\n", OBJ_nid2sn(EVP_PKEY_get_id(key)),
|
||||
EVP_PKEY_get_bits(key));
|
||||
}
|
||||
EVP_PKEY_free(key);
|
||||
return 1;
|
||||
}
|
||||
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
int argi, long argl, long ret)
|
||||
long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
|
||||
int argi, long argl, int ret, size_t *processed)
|
||||
{
|
||||
BIO *out;
|
||||
|
||||
@ -446,14 +436,23 @@ long bio_dump_callback(BIO *bio, int cmd, const char *argp,
|
||||
return ret;
|
||||
|
||||
if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
|
||||
BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
|
||||
(void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
|
||||
BIO_dump(out, argp, (int)ret);
|
||||
return ret;
|
||||
if (ret > 0 && processed != NULL) {
|
||||
BIO_printf(out, "read from %p [%p] (%zu bytes => %zu (0x%zX))\n",
|
||||
(void *)bio, (void *)argp, len, *processed, *processed);
|
||||
BIO_dump(out, argp, (int)*processed);
|
||||
} else {
|
||||
BIO_printf(out, "read from %p [%p] (%zu bytes => %d)\n",
|
||||
(void *)bio, (void *)argp, len, ret);
|
||||
}
|
||||
} else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
|
||||
BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
|
||||
(void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
|
||||
BIO_dump(out, argp, (int)ret);
|
||||
if (ret > 0 && processed != NULL) {
|
||||
BIO_printf(out, "write to %p [%p] (%zu bytes => %zu (0x%zX))\n",
|
||||
(void *)bio, (void *)argp, len, *processed, *processed);
|
||||
BIO_dump(out, argp, (int)*processed);
|
||||
} else {
|
||||
BIO_printf(out, "write to %p [%p] (%zu bytes => %d)\n",
|
||||
(void *)bio, (void *)argp, len, ret);
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
@ -569,8 +568,8 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
|
||||
{
|
||||
BIO *bio = arg;
|
||||
const char *str_write_p = write_p ? ">>>" : "<<<";
|
||||
const char *str_version = lookup(version, ssl_versions, "???");
|
||||
const char *str_content_type = "", *str_details1 = "", *str_details2 = "";
|
||||
char tmpbuf[128];
|
||||
const char *str_version, *str_content_type = "", *str_details1 = "", *str_details2 = "";
|
||||
const unsigned char* bp = buf;
|
||||
|
||||
if (version == SSL3_VERSION ||
|
||||
@ -579,11 +578,14 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
|
||||
version == TLS1_2_VERSION ||
|
||||
version == TLS1_3_VERSION ||
|
||||
version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
|
||||
str_version = lookup(version, ssl_versions, "???");
|
||||
switch (content_type) {
|
||||
case 20:
|
||||
case SSL3_RT_CHANGE_CIPHER_SPEC:
|
||||
/* type 20 */
|
||||
str_content_type = ", ChangeCipherSpec";
|
||||
break;
|
||||
case 21:
|
||||
case SSL3_RT_ALERT:
|
||||
/* type 21 */
|
||||
str_content_type = ", Alert";
|
||||
str_details1 = ", ???";
|
||||
if (len == 2) {
|
||||
@ -598,32 +600,32 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
|
||||
str_details2 = lookup((int)bp[1], alert_types, " ???");
|
||||
}
|
||||
break;
|
||||
case 22:
|
||||
case SSL3_RT_HANDSHAKE:
|
||||
/* type 22 */
|
||||
str_content_type = ", Handshake";
|
||||
str_details1 = "???";
|
||||
if (len > 0)
|
||||
str_details1 = lookup((int)bp[0], handshakes, "???");
|
||||
break;
|
||||
case 23:
|
||||
case SSL3_RT_APPLICATION_DATA:
|
||||
/* type 23 */
|
||||
str_content_type = ", ApplicationData";
|
||||
break;
|
||||
#ifndef OPENSSL_NO_HEARTBEATS
|
||||
case 24:
|
||||
str_details1 = ", Heartbeat";
|
||||
|
||||
if (len > 0) {
|
||||
switch (bp[0]) {
|
||||
case 1:
|
||||
str_details1 = ", HeartbeatRequest";
|
||||
case SSL3_RT_HEADER:
|
||||
/* type 256 */
|
||||
str_content_type = ", RecordHeader";
|
||||
break;
|
||||
case 2:
|
||||
str_details1 = ", HeartbeatResponse";
|
||||
case SSL3_RT_INNER_CONTENT_TYPE:
|
||||
/* type 257 */
|
||||
str_content_type = ", InnerContent";
|
||||
break;
|
||||
default:
|
||||
BIO_snprintf(tmpbuf, sizeof(tmpbuf)-1, ", Unknown (content_type=%d)", content_type);
|
||||
str_content_type = tmpbuf;
|
||||
}
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
} else {
|
||||
BIO_snprintf(tmpbuf, sizeof(tmpbuf)-1, "Not TLS data or unknown version (version=%d, content_type=%d)", version, content_type);
|
||||
str_version = tmpbuf;
|
||||
}
|
||||
|
||||
BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version,
|
||||
@ -663,7 +665,6 @@ static STRINT_PAIR tlsext_types[] = {
|
||||
{"SRP", TLSEXT_TYPE_srp},
|
||||
{"signature algorithms", TLSEXT_TYPE_signature_algorithms},
|
||||
{"use SRTP", TLSEXT_TYPE_use_srtp},
|
||||
{"heartbeat", TLSEXT_TYPE_heartbeat},
|
||||
{"session ticket", TLSEXT_TYPE_session_ticket},
|
||||
{"renegotiation info", TLSEXT_TYPE_renegotiate},
|
||||
{"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
|
||||
@ -750,13 +751,14 @@ void tlsext_cb(SSL *s, int client_server, int type,
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_NO_SOCK
|
||||
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
unsigned int *cookie_len)
|
||||
int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
size_t *cookie_len)
|
||||
{
|
||||
unsigned char *buffer;
|
||||
unsigned char *buffer = NULL;
|
||||
size_t length = 0;
|
||||
unsigned short port;
|
||||
BIO_ADDR *lpeer = NULL, *peer = NULL;
|
||||
int res = 0;
|
||||
|
||||
/* Initialize a random secret */
|
||||
if (!cookie_initialized) {
|
||||
@ -783,6 +785,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
/* Create buffer with peer's address and port */
|
||||
if (!BIO_ADDR_rawaddress(peer, NULL, &length)) {
|
||||
BIO_printf(bio_err, "Failed getting peer address\n");
|
||||
BIO_ADDR_free(lpeer);
|
||||
return 0;
|
||||
}
|
||||
OPENSSL_assert(length != 0);
|
||||
@ -793,26 +796,31 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
memcpy(buffer, &port, sizeof(port));
|
||||
BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL);
|
||||
|
||||
/* Calculate HMAC of buffer using the secret */
|
||||
HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
|
||||
buffer, length, cookie, cookie_len);
|
||||
|
||||
if (EVP_Q_mac(NULL, "HMAC", NULL, "SHA1", NULL,
|
||||
cookie_secret, COOKIE_SECRET_LENGTH, buffer, length,
|
||||
cookie, DTLS1_COOKIE_LENGTH, cookie_len) == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"Error calculating HMAC-SHA1 of buffer with secret\n");
|
||||
goto end;
|
||||
}
|
||||
res = 1;
|
||||
end:
|
||||
OPENSSL_free(buffer);
|
||||
BIO_ADDR_free(lpeer);
|
||||
|
||||
return 1;
|
||||
return res;
|
||||
}
|
||||
|
||||
int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
unsigned int cookie_len)
|
||||
int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
size_t cookie_len)
|
||||
{
|
||||
unsigned char result[EVP_MAX_MD_SIZE];
|
||||
unsigned int resultlength;
|
||||
size_t resultlength;
|
||||
|
||||
/* Note: we check cookie_initialized because if it's not,
|
||||
* it cannot be valid */
|
||||
if (cookie_initialized
|
||||
&& generate_cookie_callback(ssl, result, &resultlength)
|
||||
&& generate_stateless_cookie_callback(ssl, result, &resultlength)
|
||||
&& cookie_len == resultlength
|
||||
&& memcmp(result, cookie, resultlength) == 0)
|
||||
return 1;
|
||||
@ -820,21 +828,21 @@ int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
return 0;
|
||||
}
|
||||
|
||||
int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
size_t *cookie_len)
|
||||
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
|
||||
unsigned int *cookie_len)
|
||||
{
|
||||
unsigned int temp;
|
||||
int res = generate_cookie_callback(ssl, cookie, &temp);
|
||||
size_t temp = 0;
|
||||
int res = generate_stateless_cookie_callback(ssl, cookie, &temp);
|
||||
|
||||
if (res != 0)
|
||||
*cookie_len = temp;
|
||||
*cookie_len = (unsigned int)temp;
|
||||
return res;
|
||||
}
|
||||
|
||||
int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
size_t cookie_len)
|
||||
int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
|
||||
unsigned int cookie_len)
|
||||
{
|
||||
return verify_cookie_callback(ssl, cookie, cookie_len);
|
||||
return verify_stateless_cookie_callback(ssl, cookie, cookie_len);
|
||||
}
|
||||
|
||||
#endif
|
||||
@ -898,6 +906,7 @@ static int set_cert_cb(SSL *ssl, void *arg)
|
||||
SSL_EXCERT *exc = arg;
|
||||
#ifdef CERT_CB_TEST_RETRY
|
||||
static int retry_cnt;
|
||||
|
||||
if (retry_cnt < 5) {
|
||||
retry_cnt++;
|
||||
BIO_printf(bio_err,
|
||||
@ -996,6 +1005,7 @@ void ssl_excert_free(SSL_EXCERT *exc)
|
||||
int load_excert(SSL_EXCERT **pexc)
|
||||
{
|
||||
SSL_EXCERT *exc = *pexc;
|
||||
|
||||
if (exc == NULL)
|
||||
return 1;
|
||||
/* If nothing in list, free and set to NULL */
|
||||
@ -1015,16 +1025,15 @@ int load_excert(SSL_EXCERT **pexc)
|
||||
return 0;
|
||||
if (exc->keyfile != NULL) {
|
||||
exc->key = load_key(exc->keyfile, exc->keyform,
|
||||
0, NULL, NULL, "Server Key");
|
||||
0, NULL, NULL, "server key");
|
||||
} else {
|
||||
exc->key = load_key(exc->certfile, exc->certform,
|
||||
0, NULL, NULL, "Server Key");
|
||||
0, NULL, NULL, "server key");
|
||||
}
|
||||
if (exc->key == NULL)
|
||||
return 0;
|
||||
if (exc->chainfile != NULL) {
|
||||
if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL,
|
||||
"Server Chain"))
|
||||
if (!load_certs(exc->chainfile, 0, &exc->chain, NULL, "server chain"))
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@ -1080,11 +1089,11 @@ int args_excert(int opt, SSL_EXCERT **pexc)
|
||||
exc->build_chain = 1;
|
||||
break;
|
||||
case OPT_X_CERTFORM:
|
||||
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->certform))
|
||||
if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->certform))
|
||||
return 0;
|
||||
break;
|
||||
case OPT_X_KEYFORM:
|
||||
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->keyform))
|
||||
if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->keyform))
|
||||
return 0;
|
||||
break;
|
||||
}
|
||||
@ -1102,6 +1111,7 @@ static void print_raw_cipherlist(SSL *s)
|
||||
const unsigned char *rlist;
|
||||
static const unsigned char scsv_id[] = { 0, 0xFF };
|
||||
size_t i, rlistlen, num;
|
||||
|
||||
if (!SSL_is_server(s))
|
||||
return;
|
||||
num = SSL_get0_raw_cipherlist(s, NULL);
|
||||
@ -1210,7 +1220,7 @@ void print_ssl_summary(SSL *s)
|
||||
c = SSL_get_current_cipher(s);
|
||||
BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
|
||||
do_print_sigalgs(bio_err, s, 0);
|
||||
peer = SSL_get_peer_certificate(s);
|
||||
peer = SSL_get0_peer_certificate(s);
|
||||
if (peer != NULL) {
|
||||
int nid;
|
||||
|
||||
@ -1226,7 +1236,6 @@ void print_ssl_summary(SSL *s)
|
||||
} else {
|
||||
BIO_puts(bio_err, "No peer certificate\n");
|
||||
}
|
||||
X509_free(peer);
|
||||
#ifndef OPENSSL_NO_EC
|
||||
ssl_print_point_formats(bio_err, s);
|
||||
if (SSL_is_server(s))
|
||||
@ -1248,12 +1257,10 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
|
||||
for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
|
||||
const char *flag = sk_OPENSSL_STRING_value(str, i);
|
||||
const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
|
||||
|
||||
if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
|
||||
if (arg != NULL)
|
||||
BIO_printf(bio_err, "Error with command: \"%s %s\"\n",
|
||||
flag, arg);
|
||||
else
|
||||
BIO_printf(bio_err, "Error with command: \"%s\"\n", flag);
|
||||
BIO_printf(bio_err, "Call to SSL_CONF_cmd(%s, %s) failed\n",
|
||||
flag, arg == NULL ? "<NULL>" : arg);
|
||||
ERR_print_errors(bio_err);
|
||||
return 0;
|
||||
}
|
||||
@ -1269,17 +1276,20 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
|
||||
static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
|
||||
{
|
||||
X509_CRL *crl;
|
||||
int i;
|
||||
int i, ret = 1;
|
||||
|
||||
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
||||
crl = sk_X509_CRL_value(crls, i);
|
||||
X509_STORE_add_crl(st, crl);
|
||||
if (!X509_STORE_add_crl(st, crl))
|
||||
ret = 0;
|
||||
}
|
||||
return 1;
|
||||
return ret;
|
||||
}
|
||||
|
||||
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
|
||||
{
|
||||
X509_STORE *st;
|
||||
|
||||
st = SSL_CTX_get_cert_store(ctx);
|
||||
add_crls_store(st, crls);
|
||||
if (crl_download)
|
||||
@ -1289,27 +1299,38 @@ int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
|
||||
|
||||
int ssl_load_stores(SSL_CTX *ctx,
|
||||
const char *vfyCApath, const char *vfyCAfile,
|
||||
const char *vfyCAstore,
|
||||
const char *chCApath, const char *chCAfile,
|
||||
const char *chCAstore,
|
||||
STACK_OF(X509_CRL) *crls, int crl_download)
|
||||
{
|
||||
X509_STORE *vfy = NULL, *ch = NULL;
|
||||
int rv = 0;
|
||||
if (vfyCApath != NULL || vfyCAfile != NULL) {
|
||||
|
||||
if (vfyCApath != NULL || vfyCAfile != NULL || vfyCAstore != NULL) {
|
||||
vfy = X509_STORE_new();
|
||||
if (vfy == NULL)
|
||||
goto err;
|
||||
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
|
||||
if (vfyCAfile != NULL && !X509_STORE_load_file(vfy, vfyCAfile))
|
||||
goto err;
|
||||
if (vfyCApath != NULL && !X509_STORE_load_path(vfy, vfyCApath))
|
||||
goto err;
|
||||
if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
|
||||
goto err;
|
||||
add_crls_store(vfy, crls);
|
||||
SSL_CTX_set1_verify_cert_store(ctx, vfy);
|
||||
if (crl_download)
|
||||
store_setup_crl_download(vfy);
|
||||
}
|
||||
if (chCApath != NULL || chCAfile != NULL) {
|
||||
if (chCApath != NULL || chCAfile != NULL || chCAstore != NULL) {
|
||||
ch = X509_STORE_new();
|
||||
if (ch == NULL)
|
||||
goto err;
|
||||
if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
|
||||
if (chCAfile != NULL && !X509_STORE_load_file(ch, chCAfile))
|
||||
goto err;
|
||||
if (chCApath != NULL && !X509_STORE_load_path(ch, chCApath))
|
||||
goto err;
|
||||
if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
|
||||
goto err;
|
||||
SSL_CTX_set1_chain_cert_store(ctx, ch);
|
||||
}
|
||||
@ -1362,6 +1383,7 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
|
||||
int rv, show_bits = 1, cert_md = 0;
|
||||
const char *nm;
|
||||
int show_nm;
|
||||
|
||||
rv = sdb->old_cb(s, ctx, op, bits, nid, other, ex);
|
||||
if (rv == 1 && sdb->verbose < 2)
|
||||
return 1;
|
||||
@ -1410,27 +1432,26 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
|
||||
BIO_puts(sdb->out, cname);
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_DH
|
||||
case SSL_SECOP_OTHER_DH:
|
||||
{
|
||||
DH *dh = other;
|
||||
BIO_printf(sdb->out, "%d", DH_bits(dh));
|
||||
break;
|
||||
}
|
||||
#endif
|
||||
case SSL_SECOP_OTHER_CERT:
|
||||
{
|
||||
if (cert_md) {
|
||||
int sig_nid = X509_get_signature_nid(other);
|
||||
|
||||
BIO_puts(sdb->out, OBJ_nid2sn(sig_nid));
|
||||
} else {
|
||||
EVP_PKEY *pkey = X509_get0_pubkey(other);
|
||||
|
||||
if (pkey == NULL) {
|
||||
BIO_printf(sdb->out, "Public key missing");
|
||||
} else {
|
||||
const char *algname = "";
|
||||
|
||||
EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
|
||||
&algname, EVP_PKEY_get0_asn1(pkey));
|
||||
BIO_printf(sdb->out, "%s, bits=%d",
|
||||
algname, EVP_PKEY_bits(pkey));
|
||||
algname, EVP_PKEY_get_bits(pkey));
|
||||
}
|
||||
}
|
||||
break;
|
||||
}
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the OpenSSL license (the "License"). You may not use
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
* in the file LICENSE in the source distribution or at
|
||||
* https://www.openssl.org/source/license.html
|
||||
@ -26,12 +26,27 @@
|
||||
typedef unsigned int u_int;
|
||||
#endif
|
||||
|
||||
#ifdef _WIN32
|
||||
# include <process.h>
|
||||
|
||||
/* MSVC renamed some POSIX functions to have an underscore prefix. */
|
||||
# ifdef _MSC_VER
|
||||
# define getpid _getpid
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_SOCK
|
||||
|
||||
# include "apps.h"
|
||||
# include "s_apps.h"
|
||||
# include "internal/sockets.h"
|
||||
|
||||
# if defined(__TANDEM)
|
||||
# if defined(OPENSSL_TANDEM_FLOSS)
|
||||
# include <floss.h(floss_read)>
|
||||
# endif
|
||||
# endif
|
||||
|
||||
# include <openssl/bio.h>
|
||||
# include <openssl/err.h>
|
||||
|
||||
@ -160,7 +175,9 @@ int init_client(int *sock, const char *host, const char *port,
|
||||
if (*sock == INVALID_SOCKET) {
|
||||
if (bindaddr != NULL && !found) {
|
||||
BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
|
||||
#ifdef AF_INET6
|
||||
BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
|
||||
#endif
|
||||
BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 " :
|
||||
BIO_ADDRINFO_family(res) == AF_UNIX ? "unix " : "",
|
||||
bindhost != NULL ? bindhost : "",
|
||||
@ -183,6 +200,42 @@ int init_client(int *sock, const char *host, const char *port,
|
||||
return ret;
|
||||
}
|
||||
|
||||
int report_server_accept(BIO *out, int asock, int with_address, int with_pid)
|
||||
{
|
||||
int success = 1;
|
||||
|
||||
if (BIO_printf(out, "ACCEPT") <= 0)
|
||||
return 0;
|
||||
if (with_address) {
|
||||
union BIO_sock_info_u info;
|
||||
char *hostname = NULL;
|
||||
char *service = NULL;
|
||||
|
||||
if ((info.addr = BIO_ADDR_new()) != NULL
|
||||
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)
|
||||
&& (hostname = BIO_ADDR_hostname_string(info.addr, 1)) != NULL
|
||||
&& (service = BIO_ADDR_service_string(info.addr, 1)) != NULL) {
|
||||
success = BIO_printf(out,
|
||||
strchr(hostname, ':') == NULL
|
||||
? /* IPv4 */ " %s:%s"
|
||||
: /* IPv6 */ " [%s]:%s",
|
||||
hostname, service) > 0;
|
||||
} else {
|
||||
(void)BIO_printf(out, "unknown:error\n");
|
||||
success = 0;
|
||||
}
|
||||
OPENSSL_free(hostname);
|
||||
OPENSSL_free(service);
|
||||
BIO_ADDR_free(info.addr);
|
||||
}
|
||||
if (with_pid)
|
||||
success = success && BIO_printf(out, " PID=%d", getpid()) > 0;
|
||||
success = success && BIO_printf(out, "\n") > 0;
|
||||
(void)BIO_flush(out);
|
||||
|
||||
return success;
|
||||
}
|
||||
|
||||
/*
|
||||
* do_server - helper routine to perform a server operation
|
||||
* @accept_sock: pointer to storage of resulting socket.
|
||||
@ -239,6 +292,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
|
||||
sock_protocol = BIO_ADDRINFO_protocol(res);
|
||||
sock_address = BIO_ADDRINFO_address(res);
|
||||
next = BIO_ADDRINFO_next(res);
|
||||
#ifdef AF_INET6
|
||||
if (sock_family == AF_INET6)
|
||||
sock_options |= BIO_SOCK_V6_ONLY;
|
||||
if (next != NULL
|
||||
@ -257,6 +311,7 @@ int do_server(int *accept_sock, const char *host, const char *port,
|
||||
sock_options &= ~BIO_SOCK_V6_ONLY;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
asock = BIO_socket(sock_family, sock_type, sock_protocol, 0);
|
||||
if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) {
|
||||
@ -296,37 +351,11 @@ int do_server(int *accept_sock, const char *host, const char *port,
|
||||
BIO_ADDRINFO_free(res);
|
||||
res = NULL;
|
||||
|
||||
if (sock_port == 0) {
|
||||
/* dynamically allocated port, report which one */
|
||||
union BIO_sock_info_u info;
|
||||
char *hostname = NULL;
|
||||
char *service = NULL;
|
||||
int success = 0;
|
||||
|
||||
if ((info.addr = BIO_ADDR_new()) != NULL
|
||||
&& BIO_sock_info(asock, BIO_SOCK_INFO_ADDRESS, &info)
|
||||
&& (hostname = BIO_ADDR_hostname_string(info.addr, 1)) != NULL
|
||||
&& (service = BIO_ADDR_service_string(info.addr, 1)) != NULL
|
||||
&& BIO_printf(bio_s_out,
|
||||
strchr(hostname, ':') == NULL
|
||||
? /* IPv4 */ "ACCEPT %s:%s\n"
|
||||
: /* IPv6 */ "ACCEPT [%s]:%s\n",
|
||||
hostname, service) > 0)
|
||||
success = 1;
|
||||
|
||||
(void)BIO_flush(bio_s_out);
|
||||
OPENSSL_free(hostname);
|
||||
OPENSSL_free(service);
|
||||
BIO_ADDR_free(info.addr);
|
||||
if (!success) {
|
||||
if (!report_server_accept(bio_s_out, asock, sock_port == 0, 0)) {
|
||||
BIO_closesocket(asock);
|
||||
ERR_print_errors(bio_err);
|
||||
goto end;
|
||||
}
|
||||
} else {
|
||||
(void)BIO_printf(bio_s_out, "ACCEPT\n");
|
||||
(void)BIO_flush(bio_s_out);
|
||||
}
|
||||
|
||||
if (accept_sock != NULL)
|
||||
*accept_sock = asock;
|
||||
@ -402,4 +431,25 @@ int do_server(int *accept_sock, const char *host, const char *port,
|
||||
return ret;
|
||||
}
|
||||
|
||||
void do_ssl_shutdown(SSL *ssl)
|
||||
{
|
||||
int ret;
|
||||
|
||||
do {
|
||||
/* We only do unidirectional shutdown */
|
||||
ret = SSL_shutdown(ssl);
|
||||
if (ret < 0) {
|
||||
switch (SSL_get_error(ssl, ret)) {
|
||||
case SSL_ERROR_WANT_READ:
|
||||
case SSL_ERROR_WANT_WRITE:
|
||||
case SSL_ERROR_WANT_ASYNC:
|
||||
case SSL_ERROR_WANT_ASYNC_JOB:
|
||||
/* We just do busy waiting. Nothing clever */
|
||||
continue;
|
||||
}
|
||||
ret = 0;
|
||||
}
|
||||
} while (ret < 0);
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_NO_SOCK */
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user