[331] | 1 | /*
|
---|
| 2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
|
---|
| 11 | /*
|
---|
| 12 | * On VMS, you need to define this to get the declaration of fileno(). The
|
---|
| 13 | * value 2 is to make sure no function defined in POSIX-2 is left undefined.
|
---|
| 14 | */
|
---|
| 15 | # define _POSIX_C_SOURCE 2
|
---|
| 16 | #endif
|
---|
| 17 |
|
---|
| 18 | #include <stdio.h>
|
---|
| 19 | #include <stdlib.h>
|
---|
| 20 | #include <string.h>
|
---|
| 21 | #ifndef NO_SYS_TYPES_H
|
---|
| 22 | # include <sys/types.h>
|
---|
| 23 | #endif
|
---|
| 24 | #ifndef OPENSSL_NO_POSIX_IO
|
---|
| 25 | # include <sys/stat.h>
|
---|
| 26 | # include <fcntl.h>
|
---|
| 27 | #endif
|
---|
| 28 | #include <ctype.h>
|
---|
| 29 | #include <errno.h>
|
---|
| 30 | #include <openssl/err.h>
|
---|
| 31 | #include <openssl/x509.h>
|
---|
| 32 | #include <openssl/x509v3.h>
|
---|
| 33 | #include <openssl/pem.h>
|
---|
| 34 | #include <openssl/pkcs12.h>
|
---|
| 35 | #include <openssl/ui.h>
|
---|
| 36 | #include <openssl/safestack.h>
|
---|
| 37 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 38 | # include <openssl/engine.h>
|
---|
| 39 | #endif
|
---|
| 40 | #ifndef OPENSSL_NO_RSA
|
---|
| 41 | # include <openssl/rsa.h>
|
---|
| 42 | #endif
|
---|
| 43 | #include <openssl/bn.h>
|
---|
| 44 | #include <openssl/ssl.h>
|
---|
| 45 | #include "s_apps.h"
|
---|
| 46 | #include "apps.h"
|
---|
| 47 |
|
---|
| 48 | #ifdef _WIN32
|
---|
| 49 | static int WIN32_rename(const char *from, const char *to);
|
---|
| 50 | # define rename(from,to) WIN32_rename((from),(to))
|
---|
| 51 | #endif
|
---|
| 52 |
|
---|
| 53 | typedef struct {
|
---|
| 54 | const char *name;
|
---|
| 55 | unsigned long flag;
|
---|
| 56 | unsigned long mask;
|
---|
| 57 | } NAME_EX_TBL;
|
---|
| 58 |
|
---|
| 59 | #if !defined(OPENSSL_NO_UI) || !defined(OPENSSL_NO_ENGINE)
|
---|
| 60 | static UI_METHOD *ui_method = NULL;
|
---|
| 61 | #endif
|
---|
| 62 |
|
---|
| 63 | static int set_table_opts(unsigned long *flags, const char *arg,
|
---|
| 64 | const NAME_EX_TBL * in_tbl);
|
---|
| 65 | static int set_multi_opts(unsigned long *flags, const char *arg,
|
---|
| 66 | const NAME_EX_TBL * in_tbl);
|
---|
| 67 |
|
---|
| 68 | int app_init(long mesgwin);
|
---|
| 69 |
|
---|
| 70 | int chopup_args(ARGS *arg, char *buf)
|
---|
| 71 | {
|
---|
| 72 | int quoted;
|
---|
| 73 | char c = '\0', *p = NULL;
|
---|
| 74 |
|
---|
| 75 | arg->argc = 0;
|
---|
| 76 | if (arg->size == 0) {
|
---|
| 77 | arg->size = 20;
|
---|
| 78 | arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space");
|
---|
| 79 | }
|
---|
| 80 |
|
---|
| 81 | for (p = buf;;) {
|
---|
| 82 | /* Skip whitespace. */
|
---|
| 83 | while (*p && isspace(_UC(*p)))
|
---|
| 84 | p++;
|
---|
| 85 | if (!*p)
|
---|
| 86 | break;
|
---|
| 87 |
|
---|
| 88 | /* The start of something good :-) */
|
---|
| 89 | if (arg->argc >= arg->size) {
|
---|
| 90 | char **tmp;
|
---|
| 91 | arg->size += 20;
|
---|
| 92 | tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size);
|
---|
| 93 | if (tmp == NULL)
|
---|
| 94 | return 0;
|
---|
| 95 | arg->argv = tmp;
|
---|
| 96 | }
|
---|
| 97 | quoted = *p == '\'' || *p == '"';
|
---|
| 98 | if (quoted)
|
---|
| 99 | c = *p++;
|
---|
| 100 | arg->argv[arg->argc++] = p;
|
---|
| 101 |
|
---|
| 102 | /* now look for the end of this */
|
---|
| 103 | if (quoted) {
|
---|
| 104 | while (*p && *p != c)
|
---|
| 105 | p++;
|
---|
| 106 | *p++ = '\0';
|
---|
| 107 | } else {
|
---|
| 108 | while (*p && !isspace(_UC(*p)))
|
---|
| 109 | p++;
|
---|
| 110 | if (*p)
|
---|
| 111 | *p++ = '\0';
|
---|
| 112 | }
|
---|
| 113 | }
|
---|
| 114 | arg->argv[arg->argc] = NULL;
|
---|
| 115 | return (1);
|
---|
| 116 | }
|
---|
| 117 |
|
---|
| 118 | #ifndef APP_INIT
|
---|
| 119 | int app_init(long mesgwin)
|
---|
| 120 | {
|
---|
| 121 | return (1);
|
---|
| 122 | }
|
---|
| 123 | #endif
|
---|
| 124 |
|
---|
| 125 | int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
|
---|
| 126 | const char *CApath, int noCAfile, int noCApath)
|
---|
| 127 | {
|
---|
| 128 | if (CAfile == NULL && CApath == NULL) {
|
---|
| 129 | if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0)
|
---|
| 130 | return 0;
|
---|
| 131 | if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0)
|
---|
| 132 | return 0;
|
---|
| 133 |
|
---|
| 134 | return 1;
|
---|
| 135 | }
|
---|
| 136 | return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
|
---|
| 137 | }
|
---|
| 138 |
|
---|
| 139 | #ifndef OPENSSL_NO_CT
|
---|
| 140 |
|
---|
| 141 | int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
|
---|
| 142 | {
|
---|
| 143 | if (path == NULL) {
|
---|
| 144 | return SSL_CTX_set_default_ctlog_list_file(ctx);
|
---|
| 145 | }
|
---|
| 146 |
|
---|
| 147 | return SSL_CTX_set_ctlog_list_file(ctx, path);
|
---|
| 148 | }
|
---|
| 149 |
|
---|
| 150 | #endif
|
---|
| 151 |
|
---|
| 152 | int dump_cert_text(BIO *out, X509 *x)
|
---|
| 153 | {
|
---|
| 154 | char *p;
|
---|
| 155 |
|
---|
| 156 | p = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
|
---|
| 157 | BIO_puts(out, "subject=");
|
---|
| 158 | BIO_puts(out, p);
|
---|
| 159 | OPENSSL_free(p);
|
---|
| 160 |
|
---|
| 161 | p = X509_NAME_oneline(X509_get_issuer_name(x), NULL, 0);
|
---|
| 162 | BIO_puts(out, "\nissuer=");
|
---|
| 163 | BIO_puts(out, p);
|
---|
| 164 | BIO_puts(out, "\n");
|
---|
| 165 | OPENSSL_free(p);
|
---|
| 166 |
|
---|
| 167 | return 0;
|
---|
| 168 | }
|
---|
| 169 |
|
---|
| 170 | #ifndef OPENSSL_NO_UI
|
---|
| 171 | static int ui_open(UI *ui)
|
---|
| 172 | {
|
---|
| 173 | return UI_method_get_opener(UI_OpenSSL())(ui);
|
---|
| 174 | }
|
---|
| 175 |
|
---|
| 176 | static int ui_read(UI *ui, UI_STRING *uis)
|
---|
| 177 | {
|
---|
| 178 | if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
|
---|
| 179 | && UI_get0_user_data(ui)) {
|
---|
| 180 | switch (UI_get_string_type(uis)) {
|
---|
| 181 | case UIT_PROMPT:
|
---|
| 182 | case UIT_VERIFY:
|
---|
| 183 | {
|
---|
| 184 | const char *password =
|
---|
| 185 | ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
|
---|
| 186 | if (password && password[0] != '\0') {
|
---|
| 187 | UI_set_result(ui, uis, password);
|
---|
| 188 | return 1;
|
---|
| 189 | }
|
---|
| 190 | }
|
---|
| 191 | default:
|
---|
| 192 | break;
|
---|
| 193 | }
|
---|
| 194 | }
|
---|
| 195 | return UI_method_get_reader(UI_OpenSSL())(ui, uis);
|
---|
| 196 | }
|
---|
| 197 |
|
---|
| 198 | static int ui_write(UI *ui, UI_STRING *uis)
|
---|
| 199 | {
|
---|
| 200 | if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
|
---|
| 201 | && UI_get0_user_data(ui)) {
|
---|
| 202 | switch (UI_get_string_type(uis)) {
|
---|
| 203 | case UIT_PROMPT:
|
---|
| 204 | case UIT_VERIFY:
|
---|
| 205 | {
|
---|
| 206 | const char *password =
|
---|
| 207 | ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
|
---|
| 208 | if (password && password[0] != '\0')
|
---|
| 209 | return 1;
|
---|
| 210 | }
|
---|
| 211 | default:
|
---|
| 212 | break;
|
---|
| 213 | }
|
---|
| 214 | }
|
---|
| 215 | return UI_method_get_writer(UI_OpenSSL())(ui, uis);
|
---|
| 216 | }
|
---|
| 217 |
|
---|
| 218 | static int ui_close(UI *ui)
|
---|
| 219 | {
|
---|
| 220 | return UI_method_get_closer(UI_OpenSSL())(ui);
|
---|
| 221 | }
|
---|
| 222 |
|
---|
| 223 | int setup_ui_method(void)
|
---|
| 224 | {
|
---|
| 225 | ui_method = UI_create_method("OpenSSL application user interface");
|
---|
| 226 | UI_method_set_opener(ui_method, ui_open);
|
---|
| 227 | UI_method_set_reader(ui_method, ui_read);
|
---|
| 228 | UI_method_set_writer(ui_method, ui_write);
|
---|
| 229 | UI_method_set_closer(ui_method, ui_close);
|
---|
| 230 | return 0;
|
---|
| 231 | }
|
---|
| 232 |
|
---|
| 233 | void destroy_ui_method(void)
|
---|
| 234 | {
|
---|
| 235 | if (ui_method) {
|
---|
| 236 | UI_destroy_method(ui_method);
|
---|
| 237 | ui_method = NULL;
|
---|
| 238 | }
|
---|
| 239 | }
|
---|
| 240 | #endif
|
---|
| 241 |
|
---|
| 242 | int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
|
---|
| 243 | {
|
---|
| 244 | int res = 0;
|
---|
| 245 | #ifndef OPENSSL_NO_UI
|
---|
| 246 | UI *ui = NULL;
|
---|
| 247 | #endif
|
---|
| 248 | PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
|
---|
| 249 |
|
---|
| 250 | #ifdef OPENSSL_NO_UI
|
---|
| 251 | if (cb_data != NULL && cb_data->password != NULL) {
|
---|
| 252 | res = strlen(cb_data->password);
|
---|
| 253 | if (res > bufsiz)
|
---|
| 254 | res = bufsiz;
|
---|
| 255 | memcpy(buf, cb_data->password, res);
|
---|
| 256 | }
|
---|
| 257 | #else
|
---|
| 258 | ui = UI_new_method(ui_method);
|
---|
| 259 | if (ui) {
|
---|
| 260 | int ok = 0;
|
---|
| 261 | char *buff = NULL;
|
---|
| 262 | int ui_flags = 0;
|
---|
| 263 | const char *prompt_info = NULL;
|
---|
| 264 | char *prompt;
|
---|
| 265 |
|
---|
| 266 | if (cb_data != NULL && cb_data->prompt_info != NULL)
|
---|
| 267 | prompt_info = cb_data->prompt_info;
|
---|
| 268 | prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
|
---|
| 269 | if (!prompt) {
|
---|
| 270 | BIO_printf(bio_err, "Out of memory\n");
|
---|
| 271 | UI_free(ui);
|
---|
| 272 | return 0;
|
---|
| 273 | }
|
---|
| 274 |
|
---|
| 275 | ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
|
---|
| 276 | UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
|
---|
| 277 |
|
---|
| 278 | /* We know that there is no previous user data to return to us */
|
---|
| 279 | (void)UI_add_user_data(ui, cb_data);
|
---|
| 280 |
|
---|
| 281 | if (ok >= 0)
|
---|
| 282 | ok = UI_add_input_string(ui, prompt, ui_flags, buf,
|
---|
| 283 | PW_MIN_LENGTH, bufsiz - 1);
|
---|
| 284 | if (ok >= 0 && verify) {
|
---|
| 285 | buff = app_malloc(bufsiz, "password buffer");
|
---|
| 286 | ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
|
---|
| 287 | PW_MIN_LENGTH, bufsiz - 1, buf);
|
---|
| 288 | }
|
---|
| 289 | if (ok >= 0)
|
---|
| 290 | do {
|
---|
| 291 | ok = UI_process(ui);
|
---|
| 292 | }
|
---|
| 293 | while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
|
---|
| 294 |
|
---|
| 295 | OPENSSL_clear_free(buff, (unsigned int)bufsiz);
|
---|
| 296 |
|
---|
| 297 | if (ok >= 0)
|
---|
| 298 | res = strlen(buf);
|
---|
| 299 | if (ok == -1) {
|
---|
| 300 | BIO_printf(bio_err, "User interface error\n");
|
---|
| 301 | ERR_print_errors(bio_err);
|
---|
| 302 | OPENSSL_cleanse(buf, (unsigned int)bufsiz);
|
---|
| 303 | res = 0;
|
---|
| 304 | }
|
---|
| 305 | if (ok == -2) {
|
---|
| 306 | BIO_printf(bio_err, "aborted!\n");
|
---|
| 307 | OPENSSL_cleanse(buf, (unsigned int)bufsiz);
|
---|
| 308 | res = 0;
|
---|
| 309 | }
|
---|
| 310 | UI_free(ui);
|
---|
| 311 | OPENSSL_free(prompt);
|
---|
| 312 | }
|
---|
| 313 | #endif
|
---|
| 314 | return res;
|
---|
| 315 | }
|
---|
| 316 |
|
---|
| 317 | static char *app_get_pass(const char *arg, int keepbio);
|
---|
| 318 |
|
---|
| 319 | int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2)
|
---|
| 320 | {
|
---|
| 321 | int same;
|
---|
| 322 | if (!arg2 || !arg1 || strcmp(arg1, arg2))
|
---|
| 323 | same = 0;
|
---|
| 324 | else
|
---|
| 325 | same = 1;
|
---|
| 326 | if (arg1) {
|
---|
| 327 | *pass1 = app_get_pass(arg1, same);
|
---|
| 328 | if (!*pass1)
|
---|
| 329 | return 0;
|
---|
| 330 | } else if (pass1)
|
---|
| 331 | *pass1 = NULL;
|
---|
| 332 | if (arg2) {
|
---|
| 333 | *pass2 = app_get_pass(arg2, same ? 2 : 0);
|
---|
| 334 | if (!*pass2)
|
---|
| 335 | return 0;
|
---|
| 336 | } else if (pass2)
|
---|
| 337 | *pass2 = NULL;
|
---|
| 338 | return 1;
|
---|
| 339 | }
|
---|
| 340 |
|
---|
| 341 | static char *app_get_pass(const char *arg, int keepbio)
|
---|
| 342 | {
|
---|
| 343 | char *tmp, tpass[APP_PASS_LEN];
|
---|
| 344 | static BIO *pwdbio = NULL;
|
---|
| 345 | int i;
|
---|
| 346 |
|
---|
| 347 | if (strncmp(arg, "pass:", 5) == 0)
|
---|
| 348 | return OPENSSL_strdup(arg + 5);
|
---|
| 349 | if (strncmp(arg, "env:", 4) == 0) {
|
---|
| 350 | tmp = getenv(arg + 4);
|
---|
| 351 | if (!tmp) {
|
---|
| 352 | BIO_printf(bio_err, "Can't read environment variable %s\n", arg + 4);
|
---|
| 353 | return NULL;
|
---|
| 354 | }
|
---|
| 355 | return OPENSSL_strdup(tmp);
|
---|
| 356 | }
|
---|
| 357 | if (!keepbio || !pwdbio) {
|
---|
| 358 | if (strncmp(arg, "file:", 5) == 0) {
|
---|
| 359 | pwdbio = BIO_new_file(arg + 5, "r");
|
---|
| 360 | if (!pwdbio) {
|
---|
| 361 | BIO_printf(bio_err, "Can't open file %s\n", arg + 5);
|
---|
| 362 | return NULL;
|
---|
| 363 | }
|
---|
| 364 | #if !defined(_WIN32)
|
---|
| 365 | /*
|
---|
| 366 | * Under _WIN32, which covers even Win64 and CE, file
|
---|
| 367 | * descriptors referenced by BIO_s_fd are not inherited
|
---|
| 368 | * by child process and therefore below is not an option.
|
---|
| 369 | * It could have been an option if bss_fd.c was operating
|
---|
| 370 | * on real Windows descriptors, such as those obtained
|
---|
| 371 | * with CreateFile.
|
---|
| 372 | */
|
---|
| 373 | } else if (strncmp(arg, "fd:", 3) == 0) {
|
---|
| 374 | BIO *btmp;
|
---|
| 375 | i = atoi(arg + 3);
|
---|
| 376 | if (i >= 0)
|
---|
| 377 | pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
|
---|
| 378 | if ((i < 0) || !pwdbio) {
|
---|
| 379 | BIO_printf(bio_err, "Can't access file descriptor %s\n", arg + 3);
|
---|
| 380 | return NULL;
|
---|
| 381 | }
|
---|
| 382 | /*
|
---|
| 383 | * Can't do BIO_gets on an fd BIO so add a buffering BIO
|
---|
| 384 | */
|
---|
| 385 | btmp = BIO_new(BIO_f_buffer());
|
---|
| 386 | pwdbio = BIO_push(btmp, pwdbio);
|
---|
| 387 | #endif
|
---|
| 388 | } else if (strcmp(arg, "stdin") == 0) {
|
---|
| 389 | pwdbio = dup_bio_in(FORMAT_TEXT);
|
---|
| 390 | if (!pwdbio) {
|
---|
| 391 | BIO_printf(bio_err, "Can't open BIO for stdin\n");
|
---|
| 392 | return NULL;
|
---|
| 393 | }
|
---|
| 394 | } else {
|
---|
| 395 | BIO_printf(bio_err, "Invalid password argument \"%s\"\n", arg);
|
---|
| 396 | return NULL;
|
---|
| 397 | }
|
---|
| 398 | }
|
---|
| 399 | i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
|
---|
| 400 | if (keepbio != 1) {
|
---|
| 401 | BIO_free_all(pwdbio);
|
---|
| 402 | pwdbio = NULL;
|
---|
| 403 | }
|
---|
| 404 | if (i <= 0) {
|
---|
| 405 | BIO_printf(bio_err, "Error reading password from BIO\n");
|
---|
| 406 | return NULL;
|
---|
| 407 | }
|
---|
| 408 | tmp = strchr(tpass, '\n');
|
---|
| 409 | if (tmp)
|
---|
| 410 | *tmp = 0;
|
---|
| 411 | return OPENSSL_strdup(tpass);
|
---|
| 412 | }
|
---|
| 413 |
|
---|
| 414 | static CONF *app_load_config_(BIO *in, const char *filename)
|
---|
| 415 | {
|
---|
| 416 | long errorline = -1;
|
---|
| 417 | CONF *conf;
|
---|
| 418 | int i;
|
---|
| 419 |
|
---|
| 420 | conf = NCONF_new(NULL);
|
---|
| 421 | i = NCONF_load_bio(conf, in, &errorline);
|
---|
| 422 | if (i > 0)
|
---|
| 423 | return conf;
|
---|
| 424 |
|
---|
| 425 | if (errorline <= 0)
|
---|
| 426 | BIO_printf(bio_err, "%s: Can't load config file \"%s\"\n",
|
---|
| 427 | opt_getprog(), filename);
|
---|
| 428 | else
|
---|
| 429 | BIO_printf(bio_err, "%s: Error on line %ld of config file \"%s\"\n",
|
---|
| 430 | opt_getprog(), errorline, filename);
|
---|
| 431 | NCONF_free(conf);
|
---|
| 432 | return NULL;
|
---|
| 433 | }
|
---|
| 434 | CONF *app_load_config(const char *filename)
|
---|
| 435 | {
|
---|
| 436 | BIO *in;
|
---|
| 437 | CONF *conf;
|
---|
| 438 |
|
---|
| 439 | in = bio_open_default(filename, 'r', FORMAT_TEXT);
|
---|
| 440 | if (in == NULL)
|
---|
| 441 | return NULL;
|
---|
| 442 |
|
---|
| 443 | conf = app_load_config_(in, filename);
|
---|
| 444 | BIO_free(in);
|
---|
| 445 | return conf;
|
---|
| 446 | }
|
---|
| 447 | CONF *app_load_config_quiet(const char *filename)
|
---|
| 448 | {
|
---|
| 449 | BIO *in;
|
---|
| 450 | CONF *conf;
|
---|
| 451 |
|
---|
| 452 | in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT);
|
---|
| 453 | if (in == NULL)
|
---|
| 454 | return NULL;
|
---|
| 455 |
|
---|
| 456 | conf = app_load_config_(in, filename);
|
---|
| 457 | BIO_free(in);
|
---|
| 458 | return conf;
|
---|
| 459 | }
|
---|
| 460 |
|
---|
| 461 | int app_load_modules(const CONF *config)
|
---|
| 462 | {
|
---|
| 463 | CONF *to_free = NULL;
|
---|
| 464 |
|
---|
| 465 | if (config == NULL)
|
---|
| 466 | config = to_free = app_load_config_quiet(default_config_file);
|
---|
| 467 | if (config == NULL)
|
---|
| 468 | return 1;
|
---|
| 469 |
|
---|
| 470 | if (CONF_modules_load(config, NULL, 0) <= 0) {
|
---|
| 471 | BIO_printf(bio_err, "Error configuring OpenSSL modules\n");
|
---|
| 472 | ERR_print_errors(bio_err);
|
---|
| 473 | NCONF_free(to_free);
|
---|
| 474 | return 0;
|
---|
| 475 | }
|
---|
| 476 | NCONF_free(to_free);
|
---|
| 477 | return 1;
|
---|
| 478 | }
|
---|
| 479 |
|
---|
| 480 | int add_oid_section(CONF *conf)
|
---|
| 481 | {
|
---|
| 482 | char *p;
|
---|
| 483 | STACK_OF(CONF_VALUE) *sktmp;
|
---|
| 484 | CONF_VALUE *cnf;
|
---|
| 485 | int i;
|
---|
| 486 |
|
---|
| 487 | if ((p = NCONF_get_string(conf, NULL, "oid_section")) == NULL) {
|
---|
| 488 | ERR_clear_error();
|
---|
| 489 | return 1;
|
---|
| 490 | }
|
---|
| 491 | if ((sktmp = NCONF_get_section(conf, p)) == NULL) {
|
---|
| 492 | BIO_printf(bio_err, "problem loading oid section %s\n", p);
|
---|
| 493 | return 0;
|
---|
| 494 | }
|
---|
| 495 | for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
|
---|
| 496 | cnf = sk_CONF_VALUE_value(sktmp, i);
|
---|
| 497 | if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
|
---|
| 498 | BIO_printf(bio_err, "problem creating object %s=%s\n",
|
---|
| 499 | cnf->name, cnf->value);
|
---|
| 500 | return 0;
|
---|
| 501 | }
|
---|
| 502 | }
|
---|
| 503 | return 1;
|
---|
| 504 | }
|
---|
| 505 |
|
---|
| 506 | static int load_pkcs12(BIO *in, const char *desc,
|
---|
| 507 | pem_password_cb *pem_cb, void *cb_data,
|
---|
| 508 | EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
|
---|
| 509 | {
|
---|
| 510 | const char *pass;
|
---|
| 511 | char tpass[PEM_BUFSIZE];
|
---|
| 512 | int len, ret = 0;
|
---|
| 513 | PKCS12 *p12;
|
---|
| 514 | p12 = d2i_PKCS12_bio(in, NULL);
|
---|
| 515 | if (p12 == NULL) {
|
---|
| 516 | BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc);
|
---|
| 517 | goto die;
|
---|
| 518 | }
|
---|
| 519 | /* See if an empty password will do */
|
---|
| 520 | if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
|
---|
| 521 | pass = "";
|
---|
| 522 | else {
|
---|
| 523 | if (!pem_cb)
|
---|
| 524 | pem_cb = (pem_password_cb *)password_callback;
|
---|
| 525 | len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
|
---|
| 526 | if (len < 0) {
|
---|
| 527 | BIO_printf(bio_err, "Passphrase callback error for %s\n", desc);
|
---|
| 528 | goto die;
|
---|
| 529 | }
|
---|
| 530 | if (len < PEM_BUFSIZE)
|
---|
| 531 | tpass[len] = 0;
|
---|
| 532 | if (!PKCS12_verify_mac(p12, tpass, len)) {
|
---|
| 533 | BIO_printf(bio_err,
|
---|
| 534 | "Mac verify error (wrong password?) in PKCS12 file for %s\n",
|
---|
| 535 | desc);
|
---|
| 536 | goto die;
|
---|
| 537 | }
|
---|
| 538 | pass = tpass;
|
---|
| 539 | }
|
---|
| 540 | ret = PKCS12_parse(p12, pass, pkey, cert, ca);
|
---|
| 541 | die:
|
---|
| 542 | PKCS12_free(p12);
|
---|
| 543 | return ret;
|
---|
| 544 | }
|
---|
| 545 |
|
---|
| 546 | #if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
|
---|
| 547 | static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
|
---|
| 548 | {
|
---|
| 549 | char *host = NULL, *port = NULL, *path = NULL;
|
---|
| 550 | BIO *bio = NULL;
|
---|
| 551 | OCSP_REQ_CTX *rctx = NULL;
|
---|
| 552 | int use_ssl, rv = 0;
|
---|
| 553 | if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
|
---|
| 554 | goto err;
|
---|
| 555 | if (use_ssl) {
|
---|
| 556 | BIO_puts(bio_err, "https not supported\n");
|
---|
| 557 | goto err;
|
---|
| 558 | }
|
---|
| 559 | bio = BIO_new_connect(host);
|
---|
| 560 | if (!bio || !BIO_set_conn_port(bio, port))
|
---|
| 561 | goto err;
|
---|
| 562 | rctx = OCSP_REQ_CTX_new(bio, 1024);
|
---|
| 563 | if (rctx == NULL)
|
---|
| 564 | goto err;
|
---|
| 565 | if (!OCSP_REQ_CTX_http(rctx, "GET", path))
|
---|
| 566 | goto err;
|
---|
| 567 | if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
|
---|
| 568 | goto err;
|
---|
| 569 | if (pcert) {
|
---|
| 570 | do {
|
---|
| 571 | rv = X509_http_nbio(rctx, pcert);
|
---|
| 572 | } while (rv == -1);
|
---|
| 573 | } else {
|
---|
| 574 | do {
|
---|
| 575 | rv = X509_CRL_http_nbio(rctx, pcrl);
|
---|
| 576 | } while (rv == -1);
|
---|
| 577 | }
|
---|
| 578 |
|
---|
| 579 | err:
|
---|
| 580 | OPENSSL_free(host);
|
---|
| 581 | OPENSSL_free(path);
|
---|
| 582 | OPENSSL_free(port);
|
---|
| 583 | if (bio)
|
---|
| 584 | BIO_free_all(bio);
|
---|
| 585 | OCSP_REQ_CTX_free(rctx);
|
---|
| 586 | if (rv != 1) {
|
---|
| 587 | BIO_printf(bio_err, "Error loading %s from %s\n",
|
---|
| 588 | pcert ? "certificate" : "CRL", url);
|
---|
| 589 | ERR_print_errors(bio_err);
|
---|
| 590 | }
|
---|
| 591 | return rv;
|
---|
| 592 | }
|
---|
| 593 | #endif
|
---|
| 594 |
|
---|
| 595 | X509 *load_cert(const char *file, int format, const char *cert_descrip)
|
---|
| 596 | {
|
---|
| 597 | X509 *x = NULL;
|
---|
| 598 | BIO *cert;
|
---|
| 599 |
|
---|
| 600 | if (format == FORMAT_HTTP) {
|
---|
| 601 | #if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
|
---|
| 602 | load_cert_crl_http(file, &x, NULL);
|
---|
| 603 | #endif
|
---|
| 604 | return x;
|
---|
| 605 | }
|
---|
| 606 |
|
---|
| 607 | if (file == NULL) {
|
---|
| 608 | unbuffer(stdin);
|
---|
| 609 | cert = dup_bio_in(format);
|
---|
| 610 | } else
|
---|
| 611 | cert = bio_open_default(file, 'r', format);
|
---|
| 612 | if (cert == NULL)
|
---|
| 613 | goto end;
|
---|
| 614 |
|
---|
| 615 | if (format == FORMAT_ASN1)
|
---|
| 616 | x = d2i_X509_bio(cert, NULL);
|
---|
| 617 | else if (format == FORMAT_PEM)
|
---|
| 618 | x = PEM_read_bio_X509_AUX(cert, NULL,
|
---|
| 619 | (pem_password_cb *)password_callback, NULL);
|
---|
| 620 | else if (format == FORMAT_PKCS12) {
|
---|
| 621 | if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL))
|
---|
| 622 | goto end;
|
---|
| 623 | } else {
|
---|
| 624 | BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip);
|
---|
| 625 | goto end;
|
---|
| 626 | }
|
---|
| 627 | end:
|
---|
| 628 | if (x == NULL) {
|
---|
| 629 | BIO_printf(bio_err, "unable to load certificate\n");
|
---|
| 630 | ERR_print_errors(bio_err);
|
---|
| 631 | }
|
---|
| 632 | BIO_free(cert);
|
---|
| 633 | return (x);
|
---|
| 634 | }
|
---|
| 635 |
|
---|
| 636 | X509_CRL *load_crl(const char *infile, int format)
|
---|
| 637 | {
|
---|
| 638 | X509_CRL *x = NULL;
|
---|
| 639 | BIO *in = NULL;
|
---|
| 640 |
|
---|
| 641 | if (format == FORMAT_HTTP) {
|
---|
| 642 | #if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
|
---|
| 643 | load_cert_crl_http(infile, NULL, &x);
|
---|
| 644 | #endif
|
---|
| 645 | return x;
|
---|
| 646 | }
|
---|
| 647 |
|
---|
| 648 | in = bio_open_default(infile, 'r', format);
|
---|
| 649 | if (in == NULL)
|
---|
| 650 | goto end;
|
---|
| 651 | if (format == FORMAT_ASN1)
|
---|
| 652 | x = d2i_X509_CRL_bio(in, NULL);
|
---|
| 653 | else if (format == FORMAT_PEM)
|
---|
| 654 | x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
|
---|
| 655 | else {
|
---|
| 656 | BIO_printf(bio_err, "bad input format specified for input crl\n");
|
---|
| 657 | goto end;
|
---|
| 658 | }
|
---|
| 659 | if (x == NULL) {
|
---|
| 660 | BIO_printf(bio_err, "unable to load CRL\n");
|
---|
| 661 | ERR_print_errors(bio_err);
|
---|
| 662 | goto end;
|
---|
| 663 | }
|
---|
| 664 |
|
---|
| 665 | end:
|
---|
| 666 | BIO_free(in);
|
---|
| 667 | return (x);
|
---|
| 668 | }
|
---|
| 669 |
|
---|
| 670 | EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
|
---|
| 671 | const char *pass, ENGINE *e, const char *key_descrip)
|
---|
| 672 | {
|
---|
| 673 | BIO *key = NULL;
|
---|
| 674 | EVP_PKEY *pkey = NULL;
|
---|
| 675 | PW_CB_DATA cb_data;
|
---|
| 676 |
|
---|
| 677 | cb_data.password = pass;
|
---|
| 678 | cb_data.prompt_info = file;
|
---|
| 679 |
|
---|
| 680 | if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
|
---|
| 681 | BIO_printf(bio_err, "no keyfile specified\n");
|
---|
| 682 | goto end;
|
---|
| 683 | }
|
---|
| 684 | if (format == FORMAT_ENGINE) {
|
---|
| 685 | if (e == NULL)
|
---|
| 686 | BIO_printf(bio_err, "no engine specified\n");
|
---|
| 687 | else {
|
---|
| 688 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 689 | if (ENGINE_init(e)) {
|
---|
| 690 | pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
|
---|
| 691 | ENGINE_finish(e);
|
---|
| 692 | }
|
---|
| 693 | if (pkey == NULL) {
|
---|
| 694 | BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
|
---|
| 695 | ERR_print_errors(bio_err);
|
---|
| 696 | }
|
---|
| 697 | #else
|
---|
| 698 | BIO_printf(bio_err, "engines not supported\n");
|
---|
| 699 | #endif
|
---|
| 700 | }
|
---|
| 701 | goto end;
|
---|
| 702 | }
|
---|
| 703 | if (file == NULL && maybe_stdin) {
|
---|
| 704 | unbuffer(stdin);
|
---|
| 705 | key = dup_bio_in(format);
|
---|
| 706 | } else
|
---|
| 707 | key = bio_open_default(file, 'r', format);
|
---|
| 708 | if (key == NULL)
|
---|
| 709 | goto end;
|
---|
| 710 | if (format == FORMAT_ASN1) {
|
---|
| 711 | pkey = d2i_PrivateKey_bio(key, NULL);
|
---|
| 712 | } else if (format == FORMAT_PEM) {
|
---|
| 713 | pkey = PEM_read_bio_PrivateKey(key, NULL,
|
---|
| 714 | (pem_password_cb *)password_callback,
|
---|
| 715 | &cb_data);
|
---|
| 716 | }
|
---|
| 717 | else if (format == FORMAT_PKCS12) {
|
---|
| 718 | if (!load_pkcs12(key, key_descrip,
|
---|
| 719 | (pem_password_cb *)password_callback, &cb_data,
|
---|
| 720 | &pkey, NULL, NULL))
|
---|
| 721 | goto end;
|
---|
| 722 | }
|
---|
| 723 | #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
|
---|
| 724 | else if (format == FORMAT_MSBLOB)
|
---|
| 725 | pkey = b2i_PrivateKey_bio(key);
|
---|
| 726 | else if (format == FORMAT_PVK)
|
---|
| 727 | pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
|
---|
| 728 | &cb_data);
|
---|
| 729 | #endif
|
---|
| 730 | else {
|
---|
| 731 | BIO_printf(bio_err, "bad input format specified for key file\n");
|
---|
| 732 | goto end;
|
---|
| 733 | }
|
---|
| 734 | end:
|
---|
| 735 | BIO_free(key);
|
---|
| 736 | if (pkey == NULL) {
|
---|
| 737 | BIO_printf(bio_err, "unable to load %s\n", key_descrip);
|
---|
| 738 | ERR_print_errors(bio_err);
|
---|
| 739 | }
|
---|
| 740 | return (pkey);
|
---|
| 741 | }
|
---|
| 742 |
|
---|
| 743 | EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
|
---|
| 744 | const char *pass, ENGINE *e, const char *key_descrip)
|
---|
| 745 | {
|
---|
| 746 | BIO *key = NULL;
|
---|
| 747 | EVP_PKEY *pkey = NULL;
|
---|
| 748 | PW_CB_DATA cb_data;
|
---|
| 749 |
|
---|
| 750 | cb_data.password = pass;
|
---|
| 751 | cb_data.prompt_info = file;
|
---|
| 752 |
|
---|
| 753 | if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
|
---|
| 754 | BIO_printf(bio_err, "no keyfile specified\n");
|
---|
| 755 | goto end;
|
---|
| 756 | }
|
---|
| 757 | if (format == FORMAT_ENGINE) {
|
---|
| 758 | if (e == NULL)
|
---|
| 759 | BIO_printf(bio_err, "no engine specified\n");
|
---|
| 760 | else {
|
---|
| 761 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 762 | pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data);
|
---|
| 763 | if (pkey == NULL) {
|
---|
| 764 | BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
|
---|
| 765 | ERR_print_errors(bio_err);
|
---|
| 766 | }
|
---|
| 767 | #else
|
---|
| 768 | BIO_printf(bio_err, "engines not supported\n");
|
---|
| 769 | #endif
|
---|
| 770 | }
|
---|
| 771 | goto end;
|
---|
| 772 | }
|
---|
| 773 | if (file == NULL && maybe_stdin) {
|
---|
| 774 | unbuffer(stdin);
|
---|
| 775 | key = dup_bio_in(format);
|
---|
| 776 | } else
|
---|
| 777 | key = bio_open_default(file, 'r', format);
|
---|
| 778 | if (key == NULL)
|
---|
| 779 | goto end;
|
---|
| 780 | if (format == FORMAT_ASN1) {
|
---|
| 781 | pkey = d2i_PUBKEY_bio(key, NULL);
|
---|
| 782 | }
|
---|
| 783 | else if (format == FORMAT_ASN1RSA) {
|
---|
| 784 | #ifndef OPENSSL_NO_RSA
|
---|
| 785 | RSA *rsa;
|
---|
| 786 | rsa = d2i_RSAPublicKey_bio(key, NULL);
|
---|
| 787 | if (rsa) {
|
---|
| 788 | pkey = EVP_PKEY_new();
|
---|
| 789 | if (pkey != NULL)
|
---|
| 790 | EVP_PKEY_set1_RSA(pkey, rsa);
|
---|
| 791 | RSA_free(rsa);
|
---|
| 792 | } else
|
---|
| 793 | #else
|
---|
| 794 | BIO_printf(bio_err, "RSA keys not supported\n");
|
---|
| 795 | #endif
|
---|
| 796 | pkey = NULL;
|
---|
| 797 | } else if (format == FORMAT_PEMRSA) {
|
---|
| 798 | #ifndef OPENSSL_NO_RSA
|
---|
| 799 | RSA *rsa;
|
---|
| 800 | rsa = PEM_read_bio_RSAPublicKey(key, NULL,
|
---|
| 801 | (pem_password_cb *)password_callback,
|
---|
| 802 | &cb_data);
|
---|
| 803 | if (rsa != NULL) {
|
---|
| 804 | pkey = EVP_PKEY_new();
|
---|
| 805 | if (pkey != NULL)
|
---|
| 806 | EVP_PKEY_set1_RSA(pkey, rsa);
|
---|
| 807 | RSA_free(rsa);
|
---|
| 808 | } else
|
---|
| 809 | #else
|
---|
| 810 | BIO_printf(bio_err, "RSA keys not supported\n");
|
---|
| 811 | #endif
|
---|
| 812 | pkey = NULL;
|
---|
| 813 | }
|
---|
| 814 | else if (format == FORMAT_PEM) {
|
---|
| 815 | pkey = PEM_read_bio_PUBKEY(key, NULL,
|
---|
| 816 | (pem_password_cb *)password_callback,
|
---|
| 817 | &cb_data);
|
---|
| 818 | }
|
---|
| 819 | #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
|
---|
| 820 | else if (format == FORMAT_MSBLOB)
|
---|
| 821 | pkey = b2i_PublicKey_bio(key);
|
---|
| 822 | #endif
|
---|
| 823 | end:
|
---|
| 824 | BIO_free(key);
|
---|
| 825 | if (pkey == NULL)
|
---|
| 826 | BIO_printf(bio_err, "unable to load %s\n", key_descrip);
|
---|
| 827 | return (pkey);
|
---|
| 828 | }
|
---|
| 829 |
|
---|
| 830 | static int load_certs_crls(const char *file, int format,
|
---|
| 831 | const char *pass, const char *desc,
|
---|
| 832 | STACK_OF(X509) **pcerts,
|
---|
| 833 | STACK_OF(X509_CRL) **pcrls)
|
---|
| 834 | {
|
---|
| 835 | int i;
|
---|
| 836 | BIO *bio;
|
---|
| 837 | STACK_OF(X509_INFO) *xis = NULL;
|
---|
| 838 | X509_INFO *xi;
|
---|
| 839 | PW_CB_DATA cb_data;
|
---|
| 840 | int rv = 0;
|
---|
| 841 |
|
---|
| 842 | cb_data.password = pass;
|
---|
| 843 | cb_data.prompt_info = file;
|
---|
| 844 |
|
---|
| 845 | if (format != FORMAT_PEM) {
|
---|
| 846 | BIO_printf(bio_err, "bad input format specified for %s\n", desc);
|
---|
| 847 | return 0;
|
---|
| 848 | }
|
---|
| 849 |
|
---|
| 850 | bio = bio_open_default(file, 'r', FORMAT_PEM);
|
---|
| 851 | if (bio == NULL)
|
---|
| 852 | return 0;
|
---|
| 853 |
|
---|
| 854 | xis = PEM_X509_INFO_read_bio(bio, NULL,
|
---|
| 855 | (pem_password_cb *)password_callback,
|
---|
| 856 | &cb_data);
|
---|
| 857 |
|
---|
| 858 | BIO_free(bio);
|
---|
| 859 |
|
---|
| 860 | if (pcerts && *pcerts == NULL) {
|
---|
| 861 | *pcerts = sk_X509_new_null();
|
---|
| 862 | if (!*pcerts)
|
---|
| 863 | goto end;
|
---|
| 864 | }
|
---|
| 865 |
|
---|
| 866 | if (pcrls && *pcrls == NULL) {
|
---|
| 867 | *pcrls = sk_X509_CRL_new_null();
|
---|
| 868 | if (!*pcrls)
|
---|
| 869 | goto end;
|
---|
| 870 | }
|
---|
| 871 |
|
---|
| 872 | for (i = 0; i < sk_X509_INFO_num(xis); i++) {
|
---|
| 873 | xi = sk_X509_INFO_value(xis, i);
|
---|
| 874 | if (xi->x509 && pcerts) {
|
---|
| 875 | if (!sk_X509_push(*pcerts, xi->x509))
|
---|
| 876 | goto end;
|
---|
| 877 | xi->x509 = NULL;
|
---|
| 878 | }
|
---|
| 879 | if (xi->crl && pcrls) {
|
---|
| 880 | if (!sk_X509_CRL_push(*pcrls, xi->crl))
|
---|
| 881 | goto end;
|
---|
| 882 | xi->crl = NULL;
|
---|
| 883 | }
|
---|
| 884 | }
|
---|
| 885 |
|
---|
| 886 | if (pcerts && sk_X509_num(*pcerts) > 0)
|
---|
| 887 | rv = 1;
|
---|
| 888 |
|
---|
| 889 | if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
|
---|
| 890 | rv = 1;
|
---|
| 891 |
|
---|
| 892 | end:
|
---|
| 893 |
|
---|
| 894 | sk_X509_INFO_pop_free(xis, X509_INFO_free);
|
---|
| 895 |
|
---|
| 896 | if (rv == 0) {
|
---|
| 897 | if (pcerts) {
|
---|
| 898 | sk_X509_pop_free(*pcerts, X509_free);
|
---|
| 899 | *pcerts = NULL;
|
---|
| 900 | }
|
---|
| 901 | if (pcrls) {
|
---|
| 902 | sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
|
---|
| 903 | *pcrls = NULL;
|
---|
| 904 | }
|
---|
| 905 | BIO_printf(bio_err, "unable to load %s\n",
|
---|
| 906 | pcerts ? "certificates" : "CRLs");
|
---|
| 907 | ERR_print_errors(bio_err);
|
---|
| 908 | }
|
---|
| 909 | return rv;
|
---|
| 910 | }
|
---|
| 911 |
|
---|
| 912 | void* app_malloc(int sz, const char *what)
|
---|
| 913 | {
|
---|
| 914 | void *vp = OPENSSL_malloc(sz);
|
---|
| 915 |
|
---|
| 916 | if (vp == NULL) {
|
---|
| 917 | BIO_printf(bio_err, "%s: Could not allocate %d bytes for %s\n",
|
---|
| 918 | opt_getprog(), sz, what);
|
---|
| 919 | ERR_print_errors(bio_err);
|
---|
| 920 | exit(1);
|
---|
| 921 | }
|
---|
| 922 | return vp;
|
---|
| 923 | }
|
---|
| 924 |
|
---|
| 925 | /*
|
---|
| 926 | * Initialize or extend, if *certs != NULL, a certificate stack.
|
---|
| 927 | */
|
---|
| 928 | int load_certs(const char *file, STACK_OF(X509) **certs, int format,
|
---|
| 929 | const char *pass, const char *desc)
|
---|
| 930 | {
|
---|
| 931 | return load_certs_crls(file, format, pass, desc, certs, NULL);
|
---|
| 932 | }
|
---|
| 933 |
|
---|
| 934 | /*
|
---|
| 935 | * Initialize or extend, if *crls != NULL, a certificate stack.
|
---|
| 936 | */
|
---|
| 937 | int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
|
---|
| 938 | const char *pass, const char *desc)
|
---|
| 939 | {
|
---|
| 940 | return load_certs_crls(file, format, pass, desc, NULL, crls);
|
---|
| 941 | }
|
---|
| 942 |
|
---|
| 943 | #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
|
---|
| 944 | /* Return error for unknown extensions */
|
---|
| 945 | #define X509V3_EXT_DEFAULT 0
|
---|
| 946 | /* Print error for unknown extensions */
|
---|
| 947 | #define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
|
---|
| 948 | /* ASN1 parse unknown extensions */
|
---|
| 949 | #define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
|
---|
| 950 | /* BIO_dump unknown extensions */
|
---|
| 951 | #define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
|
---|
| 952 |
|
---|
| 953 | #define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
|
---|
| 954 | X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
|
---|
| 955 |
|
---|
| 956 | int set_cert_ex(unsigned long *flags, const char *arg)
|
---|
| 957 | {
|
---|
| 958 | static const NAME_EX_TBL cert_tbl[] = {
|
---|
| 959 | {"compatible", X509_FLAG_COMPAT, 0xffffffffl},
|
---|
| 960 | {"ca_default", X509_FLAG_CA, 0xffffffffl},
|
---|
| 961 | {"no_header", X509_FLAG_NO_HEADER, 0},
|
---|
| 962 | {"no_version", X509_FLAG_NO_VERSION, 0},
|
---|
| 963 | {"no_serial", X509_FLAG_NO_SERIAL, 0},
|
---|
| 964 | {"no_signame", X509_FLAG_NO_SIGNAME, 0},
|
---|
| 965 | {"no_validity", X509_FLAG_NO_VALIDITY, 0},
|
---|
| 966 | {"no_subject", X509_FLAG_NO_SUBJECT, 0},
|
---|
| 967 | {"no_issuer", X509_FLAG_NO_ISSUER, 0},
|
---|
| 968 | {"no_pubkey", X509_FLAG_NO_PUBKEY, 0},
|
---|
| 969 | {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
|
---|
| 970 | {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
|
---|
| 971 | {"no_aux", X509_FLAG_NO_AUX, 0},
|
---|
| 972 | {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
|
---|
| 973 | {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
|
---|
| 974 | {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
|
---|
| 975 | {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
|
---|
| 976 | {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
|
---|
| 977 | {NULL, 0, 0}
|
---|
| 978 | };
|
---|
| 979 | return set_multi_opts(flags, arg, cert_tbl);
|
---|
| 980 | }
|
---|
| 981 |
|
---|
| 982 | int set_name_ex(unsigned long *flags, const char *arg)
|
---|
| 983 | {
|
---|
| 984 | static const NAME_EX_TBL ex_tbl[] = {
|
---|
| 985 | {"esc_2253", ASN1_STRFLGS_ESC_2253, 0},
|
---|
| 986 | {"esc_2254", ASN1_STRFLGS_ESC_2254, 0},
|
---|
| 987 | {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
|
---|
| 988 | {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
|
---|
| 989 | {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
|
---|
| 990 | {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
|
---|
| 991 | {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
|
---|
| 992 | {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
|
---|
| 993 | {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
|
---|
| 994 | {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
|
---|
| 995 | {"dump_der", ASN1_STRFLGS_DUMP_DER, 0},
|
---|
| 996 | {"compat", XN_FLAG_COMPAT, 0xffffffffL},
|
---|
| 997 | {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
|
---|
| 998 | {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
|
---|
| 999 | {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
|
---|
| 1000 | {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
|
---|
| 1001 | {"dn_rev", XN_FLAG_DN_REV, 0},
|
---|
| 1002 | {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
|
---|
| 1003 | {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
|
---|
| 1004 | {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
|
---|
| 1005 | {"align", XN_FLAG_FN_ALIGN, 0},
|
---|
| 1006 | {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
|
---|
| 1007 | {"space_eq", XN_FLAG_SPC_EQ, 0},
|
---|
| 1008 | {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
|
---|
| 1009 | {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
|
---|
| 1010 | {"oneline", XN_FLAG_ONELINE, 0xffffffffL},
|
---|
| 1011 | {"multiline", XN_FLAG_MULTILINE, 0xffffffffL},
|
---|
| 1012 | {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
|
---|
| 1013 | {NULL, 0, 0}
|
---|
| 1014 | };
|
---|
| 1015 | if (set_multi_opts(flags, arg, ex_tbl) == 0)
|
---|
| 1016 | return 0;
|
---|
| 1017 | if ((*flags & XN_FLAG_SEP_MASK) == 0)
|
---|
| 1018 | *flags |= XN_FLAG_SEP_CPLUS_SPC;
|
---|
| 1019 | return 1;
|
---|
| 1020 | }
|
---|
| 1021 |
|
---|
| 1022 | int set_ext_copy(int *copy_type, const char *arg)
|
---|
| 1023 | {
|
---|
| 1024 | if (strcasecmp(arg, "none") == 0)
|
---|
| 1025 | *copy_type = EXT_COPY_NONE;
|
---|
| 1026 | else if (strcasecmp(arg, "copy") == 0)
|
---|
| 1027 | *copy_type = EXT_COPY_ADD;
|
---|
| 1028 | else if (strcasecmp(arg, "copyall") == 0)
|
---|
| 1029 | *copy_type = EXT_COPY_ALL;
|
---|
| 1030 | else
|
---|
| 1031 | return 0;
|
---|
| 1032 | return 1;
|
---|
| 1033 | }
|
---|
| 1034 |
|
---|
| 1035 | int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
|
---|
| 1036 | {
|
---|
| 1037 | STACK_OF(X509_EXTENSION) *exts = NULL;
|
---|
| 1038 | X509_EXTENSION *ext, *tmpext;
|
---|
| 1039 | ASN1_OBJECT *obj;
|
---|
| 1040 | int i, idx, ret = 0;
|
---|
| 1041 | if (!x || !req || (copy_type == EXT_COPY_NONE))
|
---|
| 1042 | return 1;
|
---|
| 1043 | exts = X509_REQ_get_extensions(req);
|
---|
| 1044 |
|
---|
| 1045 | for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
|
---|
| 1046 | ext = sk_X509_EXTENSION_value(exts, i);
|
---|
| 1047 | obj = X509_EXTENSION_get_object(ext);
|
---|
| 1048 | idx = X509_get_ext_by_OBJ(x, obj, -1);
|
---|
| 1049 | /* Does extension exist? */
|
---|
| 1050 | if (idx != -1) {
|
---|
| 1051 | /* If normal copy don't override existing extension */
|
---|
| 1052 | if (copy_type == EXT_COPY_ADD)
|
---|
| 1053 | continue;
|
---|
| 1054 | /* Delete all extensions of same type */
|
---|
| 1055 | do {
|
---|
| 1056 | tmpext = X509_get_ext(x, idx);
|
---|
| 1057 | X509_delete_ext(x, idx);
|
---|
| 1058 | X509_EXTENSION_free(tmpext);
|
---|
| 1059 | idx = X509_get_ext_by_OBJ(x, obj, -1);
|
---|
| 1060 | } while (idx != -1);
|
---|
| 1061 | }
|
---|
| 1062 | if (!X509_add_ext(x, ext, -1))
|
---|
| 1063 | goto end;
|
---|
| 1064 | }
|
---|
| 1065 |
|
---|
| 1066 | ret = 1;
|
---|
| 1067 |
|
---|
| 1068 | end:
|
---|
| 1069 |
|
---|
| 1070 | sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
|
---|
| 1071 |
|
---|
| 1072 | return ret;
|
---|
| 1073 | }
|
---|
| 1074 |
|
---|
| 1075 | static int set_multi_opts(unsigned long *flags, const char *arg,
|
---|
| 1076 | const NAME_EX_TBL * in_tbl)
|
---|
| 1077 | {
|
---|
| 1078 | STACK_OF(CONF_VALUE) *vals;
|
---|
| 1079 | CONF_VALUE *val;
|
---|
| 1080 | int i, ret = 1;
|
---|
| 1081 | if (!arg)
|
---|
| 1082 | return 0;
|
---|
| 1083 | vals = X509V3_parse_list(arg);
|
---|
| 1084 | for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
|
---|
| 1085 | val = sk_CONF_VALUE_value(vals, i);
|
---|
| 1086 | if (!set_table_opts(flags, val->name, in_tbl))
|
---|
| 1087 | ret = 0;
|
---|
| 1088 | }
|
---|
| 1089 | sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
|
---|
| 1090 | return ret;
|
---|
| 1091 | }
|
---|
| 1092 |
|
---|
| 1093 | static int set_table_opts(unsigned long *flags, const char *arg,
|
---|
| 1094 | const NAME_EX_TBL * in_tbl)
|
---|
| 1095 | {
|
---|
| 1096 | char c;
|
---|
| 1097 | const NAME_EX_TBL *ptbl;
|
---|
| 1098 | c = arg[0];
|
---|
| 1099 |
|
---|
| 1100 | if (c == '-') {
|
---|
| 1101 | c = 0;
|
---|
| 1102 | arg++;
|
---|
| 1103 | } else if (c == '+') {
|
---|
| 1104 | c = 1;
|
---|
| 1105 | arg++;
|
---|
| 1106 | } else
|
---|
| 1107 | c = 1;
|
---|
| 1108 |
|
---|
| 1109 | for (ptbl = in_tbl; ptbl->name; ptbl++) {
|
---|
| 1110 | if (strcasecmp(arg, ptbl->name) == 0) {
|
---|
| 1111 | *flags &= ~ptbl->mask;
|
---|
| 1112 | if (c)
|
---|
| 1113 | *flags |= ptbl->flag;
|
---|
| 1114 | else
|
---|
| 1115 | *flags &= ~ptbl->flag;
|
---|
| 1116 | return 1;
|
---|
| 1117 | }
|
---|
| 1118 | }
|
---|
| 1119 | return 0;
|
---|
| 1120 | }
|
---|
| 1121 |
|
---|
| 1122 | void print_name(BIO *out, const char *title, X509_NAME *nm,
|
---|
| 1123 | unsigned long lflags)
|
---|
| 1124 | {
|
---|
| 1125 | char *buf;
|
---|
| 1126 | char mline = 0;
|
---|
| 1127 | int indent = 0;
|
---|
| 1128 |
|
---|
| 1129 | if (title)
|
---|
| 1130 | BIO_puts(out, title);
|
---|
| 1131 | if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
|
---|
| 1132 | mline = 1;
|
---|
| 1133 | indent = 4;
|
---|
| 1134 | }
|
---|
| 1135 | if (lflags == XN_FLAG_COMPAT) {
|
---|
| 1136 | buf = X509_NAME_oneline(nm, 0, 0);
|
---|
| 1137 | BIO_puts(out, buf);
|
---|
| 1138 | BIO_puts(out, "\n");
|
---|
| 1139 | OPENSSL_free(buf);
|
---|
| 1140 | } else {
|
---|
| 1141 | if (mline)
|
---|
| 1142 | BIO_puts(out, "\n");
|
---|
| 1143 | X509_NAME_print_ex(out, nm, indent, lflags);
|
---|
| 1144 | BIO_puts(out, "\n");
|
---|
| 1145 | }
|
---|
| 1146 | }
|
---|
| 1147 |
|
---|
| 1148 | void print_bignum_var(BIO *out, const BIGNUM *in, const char *var,
|
---|
| 1149 | int len, unsigned char *buffer)
|
---|
| 1150 | {
|
---|
| 1151 | BIO_printf(out, " static unsigned char %s_%d[] = {", var, len);
|
---|
| 1152 | if (BN_is_zero(in))
|
---|
| 1153 | BIO_printf(out, "\n\t0x00");
|
---|
| 1154 | else {
|
---|
| 1155 | int i, l;
|
---|
| 1156 |
|
---|
| 1157 | l = BN_bn2bin(in, buffer);
|
---|
| 1158 | for (i = 0; i < l; i++) {
|
---|
| 1159 | if ((i % 10) == 0)
|
---|
| 1160 | BIO_printf(out, "\n\t");
|
---|
| 1161 | if (i < l - 1)
|
---|
| 1162 | BIO_printf(out, "0x%02X, ", buffer[i]);
|
---|
| 1163 | else
|
---|
| 1164 | BIO_printf(out, "0x%02X", buffer[i]);
|
---|
| 1165 | }
|
---|
| 1166 | }
|
---|
| 1167 | BIO_printf(out, "\n };\n");
|
---|
| 1168 | }
|
---|
| 1169 | void print_array(BIO *out, const char* title, int len, const unsigned char* d)
|
---|
| 1170 | {
|
---|
| 1171 | int i;
|
---|
| 1172 |
|
---|
| 1173 | BIO_printf(out, "unsigned char %s[%d] = {", title, len);
|
---|
| 1174 | for (i = 0; i < len; i++) {
|
---|
| 1175 | if ((i % 10) == 0)
|
---|
| 1176 | BIO_printf(out, "\n ");
|
---|
| 1177 | if (i < len - 1)
|
---|
| 1178 | BIO_printf(out, "0x%02X, ", d[i]);
|
---|
| 1179 | else
|
---|
| 1180 | BIO_printf(out, "0x%02X", d[i]);
|
---|
| 1181 | }
|
---|
| 1182 | BIO_printf(out, "\n};\n");
|
---|
| 1183 | }
|
---|
| 1184 |
|
---|
| 1185 | X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, int noCApath)
|
---|
| 1186 | {
|
---|
| 1187 | X509_STORE *store = X509_STORE_new();
|
---|
| 1188 | X509_LOOKUP *lookup;
|
---|
| 1189 |
|
---|
| 1190 | if (store == NULL)
|
---|
| 1191 | goto end;
|
---|
| 1192 |
|
---|
| 1193 | if (CAfile != NULL || !noCAfile) {
|
---|
| 1194 | lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
---|
| 1195 | if (lookup == NULL)
|
---|
| 1196 | goto end;
|
---|
| 1197 | if (CAfile) {
|
---|
| 1198 | if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
|
---|
| 1199 | BIO_printf(bio_err, "Error loading file %s\n", CAfile);
|
---|
| 1200 | goto end;
|
---|
| 1201 | }
|
---|
| 1202 | } else
|
---|
| 1203 | X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
|
---|
| 1204 | }
|
---|
| 1205 |
|
---|
| 1206 | if (CApath != NULL || !noCApath) {
|
---|
| 1207 | lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
|
---|
| 1208 | if (lookup == NULL)
|
---|
| 1209 | goto end;
|
---|
| 1210 | if (CApath) {
|
---|
| 1211 | if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
|
---|
| 1212 | BIO_printf(bio_err, "Error loading directory %s\n", CApath);
|
---|
| 1213 | goto end;
|
---|
| 1214 | }
|
---|
| 1215 | } else
|
---|
| 1216 | X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
|
---|
| 1217 | }
|
---|
| 1218 |
|
---|
| 1219 | ERR_clear_error();
|
---|
| 1220 | return store;
|
---|
| 1221 | end:
|
---|
| 1222 | X509_STORE_free(store);
|
---|
| 1223 | return NULL;
|
---|
| 1224 | }
|
---|
| 1225 |
|
---|
| 1226 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 1227 | /* Try to load an engine in a shareable library */
|
---|
| 1228 | static ENGINE *try_load_engine(const char *engine)
|
---|
| 1229 | {
|
---|
| 1230 | ENGINE *e = ENGINE_by_id("dynamic");
|
---|
| 1231 | if (e) {
|
---|
| 1232 | if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
|
---|
| 1233 | || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
|
---|
| 1234 | ENGINE_free(e);
|
---|
| 1235 | e = NULL;
|
---|
| 1236 | }
|
---|
| 1237 | }
|
---|
| 1238 | return e;
|
---|
| 1239 | }
|
---|
| 1240 | #endif
|
---|
| 1241 |
|
---|
| 1242 | ENGINE *setup_engine(const char *engine, int debug)
|
---|
| 1243 | {
|
---|
| 1244 | ENGINE *e = NULL;
|
---|
| 1245 |
|
---|
| 1246 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 1247 | if (engine) {
|
---|
| 1248 | if (strcmp(engine, "auto") == 0) {
|
---|
| 1249 | BIO_printf(bio_err, "enabling auto ENGINE support\n");
|
---|
| 1250 | ENGINE_register_all_complete();
|
---|
| 1251 | return NULL;
|
---|
| 1252 | }
|
---|
| 1253 | if ((e = ENGINE_by_id(engine)) == NULL
|
---|
| 1254 | && (e = try_load_engine(engine)) == NULL) {
|
---|
| 1255 | BIO_printf(bio_err, "invalid engine \"%s\"\n", engine);
|
---|
| 1256 | ERR_print_errors(bio_err);
|
---|
| 1257 | return NULL;
|
---|
| 1258 | }
|
---|
| 1259 | if (debug) {
|
---|
| 1260 | ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
|
---|
| 1261 | }
|
---|
| 1262 | ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
|
---|
| 1263 | if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
|
---|
| 1264 | BIO_printf(bio_err, "can't use that engine\n");
|
---|
| 1265 | ERR_print_errors(bio_err);
|
---|
| 1266 | ENGINE_free(e);
|
---|
| 1267 | return NULL;
|
---|
| 1268 | }
|
---|
| 1269 |
|
---|
| 1270 | BIO_printf(bio_err, "engine \"%s\" set.\n", ENGINE_get_id(e));
|
---|
| 1271 | }
|
---|
| 1272 | #endif
|
---|
| 1273 | return e;
|
---|
| 1274 | }
|
---|
| 1275 |
|
---|
| 1276 | void release_engine(ENGINE *e)
|
---|
| 1277 | {
|
---|
| 1278 | #ifndef OPENSSL_NO_ENGINE
|
---|
| 1279 | if (e != NULL)
|
---|
| 1280 | /* Free our "structural" reference. */
|
---|
| 1281 | ENGINE_free(e);
|
---|
| 1282 | #endif
|
---|
| 1283 | }
|
---|
| 1284 |
|
---|
| 1285 | static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
|
---|
| 1286 | {
|
---|
| 1287 | const char *n;
|
---|
| 1288 |
|
---|
| 1289 | n = a[DB_serial];
|
---|
| 1290 | while (*n == '0')
|
---|
| 1291 | n++;
|
---|
| 1292 | return OPENSSL_LH_strhash(n);
|
---|
| 1293 | }
|
---|
| 1294 |
|
---|
| 1295 | static int index_serial_cmp(const OPENSSL_CSTRING *a,
|
---|
| 1296 | const OPENSSL_CSTRING *b)
|
---|
| 1297 | {
|
---|
| 1298 | const char *aa, *bb;
|
---|
| 1299 |
|
---|
| 1300 | for (aa = a[DB_serial]; *aa == '0'; aa++) ;
|
---|
| 1301 | for (bb = b[DB_serial]; *bb == '0'; bb++) ;
|
---|
| 1302 | return (strcmp(aa, bb));
|
---|
| 1303 | }
|
---|
| 1304 |
|
---|
| 1305 | static int index_name_qual(char **a)
|
---|
| 1306 | {
|
---|
| 1307 | return (a[0][0] == 'V');
|
---|
| 1308 | }
|
---|
| 1309 |
|
---|
| 1310 | static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
|
---|
| 1311 | {
|
---|
| 1312 | return OPENSSL_LH_strhash(a[DB_name]);
|
---|
| 1313 | }
|
---|
| 1314 |
|
---|
| 1315 | int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
|
---|
| 1316 | {
|
---|
| 1317 | return (strcmp(a[DB_name], b[DB_name]));
|
---|
| 1318 | }
|
---|
| 1319 |
|
---|
| 1320 | static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
|
---|
| 1321 | static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
|
---|
| 1322 | static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
|
---|
| 1323 | static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
|
---|
| 1324 | #undef BSIZE
|
---|
| 1325 | #define BSIZE 256
|
---|
| 1326 | BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
|
---|
| 1327 | {
|
---|
| 1328 | BIO *in = NULL;
|
---|
| 1329 | BIGNUM *ret = NULL;
|
---|
| 1330 | char buf[1024];
|
---|
| 1331 | ASN1_INTEGER *ai = NULL;
|
---|
| 1332 |
|
---|
| 1333 | ai = ASN1_INTEGER_new();
|
---|
| 1334 | if (ai == NULL)
|
---|
| 1335 | goto err;
|
---|
| 1336 |
|
---|
| 1337 | in = BIO_new_file(serialfile, "r");
|
---|
| 1338 | if (in == NULL) {
|
---|
| 1339 | if (!create) {
|
---|
| 1340 | perror(serialfile);
|
---|
| 1341 | goto err;
|
---|
| 1342 | }
|
---|
| 1343 | ERR_clear_error();
|
---|
| 1344 | ret = BN_new();
|
---|
| 1345 | if (ret == NULL || !rand_serial(ret, ai))
|
---|
| 1346 | BIO_printf(bio_err, "Out of memory\n");
|
---|
| 1347 | } else {
|
---|
| 1348 | if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
|
---|
| 1349 | BIO_printf(bio_err, "unable to load number from %s\n",
|
---|
| 1350 | serialfile);
|
---|
| 1351 | goto err;
|
---|
| 1352 | }
|
---|
| 1353 | ret = ASN1_INTEGER_to_BN(ai, NULL);
|
---|
| 1354 | if (ret == NULL) {
|
---|
| 1355 | BIO_printf(bio_err,
|
---|
| 1356 | "error converting number from bin to BIGNUM\n");
|
---|
| 1357 | goto err;
|
---|
| 1358 | }
|
---|
| 1359 | }
|
---|
| 1360 |
|
---|
| 1361 | if (ret && retai) {
|
---|
| 1362 | *retai = ai;
|
---|
| 1363 | ai = NULL;
|
---|
| 1364 | }
|
---|
| 1365 | err:
|
---|
| 1366 | BIO_free(in);
|
---|
| 1367 | ASN1_INTEGER_free(ai);
|
---|
| 1368 | return (ret);
|
---|
| 1369 | }
|
---|
| 1370 |
|
---|
| 1371 | int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial,
|
---|
| 1372 | ASN1_INTEGER **retai)
|
---|
| 1373 | {
|
---|
| 1374 | char buf[1][BSIZE];
|
---|
| 1375 | BIO *out = NULL;
|
---|
| 1376 | int ret = 0;
|
---|
| 1377 | ASN1_INTEGER *ai = NULL;
|
---|
| 1378 | int j;
|
---|
| 1379 |
|
---|
| 1380 | if (suffix == NULL)
|
---|
| 1381 | j = strlen(serialfile);
|
---|
| 1382 | else
|
---|
| 1383 | j = strlen(serialfile) + strlen(suffix) + 1;
|
---|
| 1384 | if (j >= BSIZE) {
|
---|
| 1385 | BIO_printf(bio_err, "file name too long\n");
|
---|
| 1386 | goto err;
|
---|
| 1387 | }
|
---|
| 1388 |
|
---|
| 1389 | if (suffix == NULL)
|
---|
| 1390 | OPENSSL_strlcpy(buf[0], serialfile, BSIZE);
|
---|
| 1391 | else {
|
---|
| 1392 | #ifndef OPENSSL_SYS_VMS
|
---|
| 1393 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
|
---|
| 1394 | #else
|
---|
| 1395 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
|
---|
| 1396 | #endif
|
---|
| 1397 | }
|
---|
| 1398 | out = BIO_new_file(buf[0], "w");
|
---|
| 1399 | if (out == NULL) {
|
---|
| 1400 | ERR_print_errors(bio_err);
|
---|
| 1401 | goto err;
|
---|
| 1402 | }
|
---|
| 1403 |
|
---|
| 1404 | if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
|
---|
| 1405 | BIO_printf(bio_err, "error converting serial to ASN.1 format\n");
|
---|
| 1406 | goto err;
|
---|
| 1407 | }
|
---|
| 1408 | i2a_ASN1_INTEGER(out, ai);
|
---|
| 1409 | BIO_puts(out, "\n");
|
---|
| 1410 | ret = 1;
|
---|
| 1411 | if (retai) {
|
---|
| 1412 | *retai = ai;
|
---|
| 1413 | ai = NULL;
|
---|
| 1414 | }
|
---|
| 1415 | err:
|
---|
| 1416 | BIO_free_all(out);
|
---|
| 1417 | ASN1_INTEGER_free(ai);
|
---|
| 1418 | return (ret);
|
---|
| 1419 | }
|
---|
| 1420 |
|
---|
| 1421 | int rotate_serial(const char *serialfile, const char *new_suffix,
|
---|
| 1422 | const char *old_suffix)
|
---|
| 1423 | {
|
---|
| 1424 | char buf[2][BSIZE];
|
---|
| 1425 | int i, j;
|
---|
| 1426 |
|
---|
| 1427 | i = strlen(serialfile) + strlen(old_suffix);
|
---|
| 1428 | j = strlen(serialfile) + strlen(new_suffix);
|
---|
| 1429 | if (i > j)
|
---|
| 1430 | j = i;
|
---|
| 1431 | if (j + 1 >= BSIZE) {
|
---|
| 1432 | BIO_printf(bio_err, "file name too long\n");
|
---|
| 1433 | goto err;
|
---|
| 1434 | }
|
---|
| 1435 | #ifndef OPENSSL_SYS_VMS
|
---|
| 1436 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
|
---|
| 1437 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
|
---|
| 1438 | #else
|
---|
| 1439 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
|
---|
| 1440 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
|
---|
| 1441 | #endif
|
---|
| 1442 | if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
|
---|
| 1443 | #ifdef ENOTDIR
|
---|
| 1444 | && errno != ENOTDIR
|
---|
| 1445 | #endif
|
---|
| 1446 | ) {
|
---|
| 1447 | BIO_printf(bio_err,
|
---|
| 1448 | "unable to rename %s to %s\n", serialfile, buf[1]);
|
---|
| 1449 | perror("reason");
|
---|
| 1450 | goto err;
|
---|
| 1451 | }
|
---|
| 1452 | if (rename(buf[0], serialfile) < 0) {
|
---|
| 1453 | BIO_printf(bio_err,
|
---|
| 1454 | "unable to rename %s to %s\n", buf[0], serialfile);
|
---|
| 1455 | perror("reason");
|
---|
| 1456 | rename(buf[1], serialfile);
|
---|
| 1457 | goto err;
|
---|
| 1458 | }
|
---|
| 1459 | return 1;
|
---|
| 1460 | err:
|
---|
| 1461 | return 0;
|
---|
| 1462 | }
|
---|
| 1463 |
|
---|
| 1464 | int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
|
---|
| 1465 | {
|
---|
| 1466 | BIGNUM *btmp;
|
---|
| 1467 | int ret = 0;
|
---|
| 1468 |
|
---|
| 1469 | if (b)
|
---|
| 1470 | btmp = b;
|
---|
| 1471 | else
|
---|
| 1472 | btmp = BN_new();
|
---|
| 1473 |
|
---|
| 1474 | if (btmp == NULL)
|
---|
| 1475 | return 0;
|
---|
| 1476 |
|
---|
| 1477 | if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
|
---|
| 1478 | goto error;
|
---|
| 1479 | if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
|
---|
| 1480 | goto error;
|
---|
| 1481 |
|
---|
| 1482 | ret = 1;
|
---|
| 1483 |
|
---|
| 1484 | error:
|
---|
| 1485 |
|
---|
| 1486 | if (btmp != b)
|
---|
| 1487 | BN_free(btmp);
|
---|
| 1488 |
|
---|
| 1489 | return ret;
|
---|
| 1490 | }
|
---|
| 1491 |
|
---|
| 1492 | CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
|
---|
| 1493 | {
|
---|
| 1494 | CA_DB *retdb = NULL;
|
---|
| 1495 | TXT_DB *tmpdb = NULL;
|
---|
| 1496 | BIO *in;
|
---|
| 1497 | CONF *dbattr_conf = NULL;
|
---|
| 1498 | char buf[BSIZE];
|
---|
| 1499 |
|
---|
| 1500 | in = BIO_new_file(dbfile, "r");
|
---|
| 1501 | if (in == NULL) {
|
---|
| 1502 | ERR_print_errors(bio_err);
|
---|
| 1503 | goto err;
|
---|
| 1504 | }
|
---|
| 1505 | if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
|
---|
| 1506 | goto err;
|
---|
| 1507 |
|
---|
| 1508 | #ifndef OPENSSL_SYS_VMS
|
---|
| 1509 | BIO_snprintf(buf, sizeof buf, "%s.attr", dbfile);
|
---|
| 1510 | #else
|
---|
| 1511 | BIO_snprintf(buf, sizeof buf, "%s-attr", dbfile);
|
---|
| 1512 | #endif
|
---|
| 1513 | dbattr_conf = app_load_config(buf);
|
---|
| 1514 |
|
---|
| 1515 | retdb = app_malloc(sizeof(*retdb), "new DB");
|
---|
| 1516 | retdb->db = tmpdb;
|
---|
| 1517 | tmpdb = NULL;
|
---|
| 1518 | if (db_attr)
|
---|
| 1519 | retdb->attributes = *db_attr;
|
---|
| 1520 | else {
|
---|
| 1521 | retdb->attributes.unique_subject = 1;
|
---|
| 1522 | }
|
---|
| 1523 |
|
---|
| 1524 | if (dbattr_conf) {
|
---|
| 1525 | char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
|
---|
| 1526 | if (p) {
|
---|
| 1527 | retdb->attributes.unique_subject = parse_yesno(p, 1);
|
---|
| 1528 | }
|
---|
| 1529 | }
|
---|
| 1530 |
|
---|
| 1531 | err:
|
---|
| 1532 | NCONF_free(dbattr_conf);
|
---|
| 1533 | TXT_DB_free(tmpdb);
|
---|
| 1534 | BIO_free_all(in);
|
---|
| 1535 | return retdb;
|
---|
| 1536 | }
|
---|
| 1537 |
|
---|
| 1538 | int index_index(CA_DB *db)
|
---|
| 1539 | {
|
---|
| 1540 | if (!TXT_DB_create_index(db->db, DB_serial, NULL,
|
---|
| 1541 | LHASH_HASH_FN(index_serial),
|
---|
| 1542 | LHASH_COMP_FN(index_serial))) {
|
---|
| 1543 | BIO_printf(bio_err,
|
---|
| 1544 | "error creating serial number index:(%ld,%ld,%ld)\n",
|
---|
| 1545 | db->db->error, db->db->arg1, db->db->arg2);
|
---|
| 1546 | return 0;
|
---|
| 1547 | }
|
---|
| 1548 |
|
---|
| 1549 | if (db->attributes.unique_subject
|
---|
| 1550 | && !TXT_DB_create_index(db->db, DB_name, index_name_qual,
|
---|
| 1551 | LHASH_HASH_FN(index_name),
|
---|
| 1552 | LHASH_COMP_FN(index_name))) {
|
---|
| 1553 | BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
|
---|
| 1554 | db->db->error, db->db->arg1, db->db->arg2);
|
---|
| 1555 | return 0;
|
---|
| 1556 | }
|
---|
| 1557 | return 1;
|
---|
| 1558 | }
|
---|
| 1559 |
|
---|
| 1560 | int save_index(const char *dbfile, const char *suffix, CA_DB *db)
|
---|
| 1561 | {
|
---|
| 1562 | char buf[3][BSIZE];
|
---|
| 1563 | BIO *out;
|
---|
| 1564 | int j;
|
---|
| 1565 |
|
---|
| 1566 | j = strlen(dbfile) + strlen(suffix);
|
---|
| 1567 | if (j + 6 >= BSIZE) {
|
---|
| 1568 | BIO_printf(bio_err, "file name too long\n");
|
---|
| 1569 | goto err;
|
---|
| 1570 | }
|
---|
| 1571 | #ifndef OPENSSL_SYS_VMS
|
---|
| 1572 | j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
|
---|
| 1573 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
|
---|
| 1574 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
|
---|
| 1575 | #else
|
---|
| 1576 | j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
|
---|
| 1577 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
|
---|
| 1578 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
|
---|
| 1579 | #endif
|
---|
| 1580 | out = BIO_new_file(buf[0], "w");
|
---|
| 1581 | if (out == NULL) {
|
---|
| 1582 | perror(dbfile);
|
---|
| 1583 | BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
|
---|
| 1584 | goto err;
|
---|
| 1585 | }
|
---|
| 1586 | j = TXT_DB_write(out, db->db);
|
---|
| 1587 | BIO_free(out);
|
---|
| 1588 | if (j <= 0)
|
---|
| 1589 | goto err;
|
---|
| 1590 |
|
---|
| 1591 | out = BIO_new_file(buf[1], "w");
|
---|
| 1592 | if (out == NULL) {
|
---|
| 1593 | perror(buf[2]);
|
---|
| 1594 | BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
|
---|
| 1595 | goto err;
|
---|
| 1596 | }
|
---|
| 1597 | BIO_printf(out, "unique_subject = %s\n",
|
---|
| 1598 | db->attributes.unique_subject ? "yes" : "no");
|
---|
| 1599 | BIO_free(out);
|
---|
| 1600 |
|
---|
| 1601 | return 1;
|
---|
| 1602 | err:
|
---|
| 1603 | return 0;
|
---|
| 1604 | }
|
---|
| 1605 |
|
---|
| 1606 | int rotate_index(const char *dbfile, const char *new_suffix,
|
---|
| 1607 | const char *old_suffix)
|
---|
| 1608 | {
|
---|
| 1609 | char buf[5][BSIZE];
|
---|
| 1610 | int i, j;
|
---|
| 1611 |
|
---|
| 1612 | i = strlen(dbfile) + strlen(old_suffix);
|
---|
| 1613 | j = strlen(dbfile) + strlen(new_suffix);
|
---|
| 1614 | if (i > j)
|
---|
| 1615 | j = i;
|
---|
| 1616 | if (j + 6 >= BSIZE) {
|
---|
| 1617 | BIO_printf(bio_err, "file name too long\n");
|
---|
| 1618 | goto err;
|
---|
| 1619 | }
|
---|
| 1620 | #ifndef OPENSSL_SYS_VMS
|
---|
| 1621 | j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
|
---|
| 1622 | j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
|
---|
| 1623 | j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
|
---|
| 1624 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
|
---|
| 1625 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
|
---|
| 1626 | #else
|
---|
| 1627 | j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
|
---|
| 1628 | j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
|
---|
| 1629 | j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
|
---|
| 1630 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
|
---|
| 1631 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
|
---|
| 1632 | #endif
|
---|
| 1633 | if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
|
---|
| 1634 | #ifdef ENOTDIR
|
---|
| 1635 | && errno != ENOTDIR
|
---|
| 1636 | #endif
|
---|
| 1637 | ) {
|
---|
| 1638 | BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]);
|
---|
| 1639 | perror("reason");
|
---|
| 1640 | goto err;
|
---|
| 1641 | }
|
---|
| 1642 | if (rename(buf[0], dbfile) < 0) {
|
---|
| 1643 | BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
|
---|
| 1644 | perror("reason");
|
---|
| 1645 | rename(buf[1], dbfile);
|
---|
| 1646 | goto err;
|
---|
| 1647 | }
|
---|
| 1648 | if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
|
---|
| 1649 | #ifdef ENOTDIR
|
---|
| 1650 | && errno != ENOTDIR
|
---|
| 1651 | #endif
|
---|
| 1652 | ) {
|
---|
| 1653 | BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]);
|
---|
| 1654 | perror("reason");
|
---|
| 1655 | rename(dbfile, buf[0]);
|
---|
| 1656 | rename(buf[1], dbfile);
|
---|
| 1657 | goto err;
|
---|
| 1658 | }
|
---|
| 1659 | if (rename(buf[2], buf[4]) < 0) {
|
---|
| 1660 | BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
|
---|
| 1661 | perror("reason");
|
---|
| 1662 | rename(buf[3], buf[4]);
|
---|
| 1663 | rename(dbfile, buf[0]);
|
---|
| 1664 | rename(buf[1], dbfile);
|
---|
| 1665 | goto err;
|
---|
| 1666 | }
|
---|
| 1667 | return 1;
|
---|
| 1668 | err:
|
---|
| 1669 | return 0;
|
---|
| 1670 | }
|
---|
| 1671 |
|
---|
| 1672 | void free_index(CA_DB *db)
|
---|
| 1673 | {
|
---|
| 1674 | if (db) {
|
---|
| 1675 | TXT_DB_free(db->db);
|
---|
| 1676 | OPENSSL_free(db);
|
---|
| 1677 | }
|
---|
| 1678 | }
|
---|
| 1679 |
|
---|
| 1680 | int parse_yesno(const char *str, int def)
|
---|
| 1681 | {
|
---|
| 1682 | if (str) {
|
---|
| 1683 | switch (*str) {
|
---|
| 1684 | case 'f': /* false */
|
---|
| 1685 | case 'F': /* FALSE */
|
---|
| 1686 | case 'n': /* no */
|
---|
| 1687 | case 'N': /* NO */
|
---|
| 1688 | case '0': /* 0 */
|
---|
| 1689 | return 0;
|
---|
| 1690 | case 't': /* true */
|
---|
| 1691 | case 'T': /* TRUE */
|
---|
| 1692 | case 'y': /* yes */
|
---|
| 1693 | case 'Y': /* YES */
|
---|
| 1694 | case '1': /* 1 */
|
---|
| 1695 | return 1;
|
---|
| 1696 | }
|
---|
| 1697 | }
|
---|
| 1698 | return def;
|
---|
| 1699 | }
|
---|
| 1700 |
|
---|
| 1701 | /*
|
---|
| 1702 | * name is expected to be in the format /type0=value0/type1=value1/type2=...
|
---|
| 1703 | * where characters may be escaped by \
|
---|
| 1704 | */
|
---|
| 1705 | X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
|
---|
| 1706 | {
|
---|
| 1707 | int nextismulti = 0;
|
---|
| 1708 | char *work;
|
---|
| 1709 | X509_NAME *n;
|
---|
| 1710 |
|
---|
| 1711 | if (*cp++ != '/')
|
---|
| 1712 | return NULL;
|
---|
| 1713 |
|
---|
| 1714 | n = X509_NAME_new();
|
---|
| 1715 | if (n == NULL)
|
---|
| 1716 | return NULL;
|
---|
| 1717 | work = OPENSSL_strdup(cp);
|
---|
| 1718 | if (work == NULL)
|
---|
| 1719 | goto err;
|
---|
| 1720 |
|
---|
| 1721 | while (*cp) {
|
---|
| 1722 | char *bp = work;
|
---|
| 1723 | char *typestr = bp;
|
---|
| 1724 | unsigned char *valstr;
|
---|
| 1725 | int nid;
|
---|
| 1726 | int ismulti = nextismulti;
|
---|
| 1727 | nextismulti = 0;
|
---|
| 1728 |
|
---|
| 1729 | /* Collect the type */
|
---|
| 1730 | while (*cp && *cp != '=')
|
---|
| 1731 | *bp++ = *cp++;
|
---|
| 1732 | if (*cp == '\0') {
|
---|
| 1733 | BIO_printf(bio_err,
|
---|
| 1734 | "%s: Hit end of string before finding the equals.\n",
|
---|
| 1735 | opt_getprog());
|
---|
| 1736 | goto err;
|
---|
| 1737 | }
|
---|
| 1738 | *bp++ = '\0';
|
---|
| 1739 | ++cp;
|
---|
| 1740 |
|
---|
| 1741 | /* Collect the value. */
|
---|
| 1742 | valstr = (unsigned char *)bp;
|
---|
| 1743 | for (; *cp && *cp != '/'; *bp++ = *cp++) {
|
---|
| 1744 | if (canmulti && *cp == '+') {
|
---|
| 1745 | nextismulti = 1;
|
---|
| 1746 | break;
|
---|
| 1747 | }
|
---|
| 1748 | if (*cp == '\\' && *++cp == '\0') {
|
---|
| 1749 | BIO_printf(bio_err,
|
---|
| 1750 | "%s: escape character at end of string\n",
|
---|
| 1751 | opt_getprog());
|
---|
| 1752 | goto err;
|
---|
| 1753 | }
|
---|
| 1754 | }
|
---|
| 1755 | *bp++ = '\0';
|
---|
| 1756 |
|
---|
| 1757 | /* If not at EOS (must be + or /), move forward. */
|
---|
| 1758 | if (*cp)
|
---|
| 1759 | ++cp;
|
---|
| 1760 |
|
---|
| 1761 | /* Parse */
|
---|
| 1762 | nid = OBJ_txt2nid(typestr);
|
---|
| 1763 | if (nid == NID_undef) {
|
---|
| 1764 | BIO_printf(bio_err, "%s: Skipping unknown attribute \"%s\"\n",
|
---|
| 1765 | opt_getprog(), typestr);
|
---|
| 1766 | continue;
|
---|
| 1767 | }
|
---|
| 1768 | if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
|
---|
| 1769 | valstr, strlen((char *)valstr),
|
---|
| 1770 | -1, ismulti ? -1 : 0))
|
---|
| 1771 | goto err;
|
---|
| 1772 | }
|
---|
| 1773 |
|
---|
| 1774 | OPENSSL_free(work);
|
---|
| 1775 | return n;
|
---|
| 1776 |
|
---|
| 1777 | err:
|
---|
| 1778 | X509_NAME_free(n);
|
---|
| 1779 | OPENSSL_free(work);
|
---|
| 1780 | return NULL;
|
---|
| 1781 | }
|
---|
| 1782 |
|
---|
| 1783 | /*
|
---|
| 1784 | * Read whole contents of a BIO into an allocated memory buffer and return
|
---|
| 1785 | * it.
|
---|
| 1786 | */
|
---|
| 1787 |
|
---|
| 1788 | int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
|
---|
| 1789 | {
|
---|
| 1790 | BIO *mem;
|
---|
| 1791 | int len, ret;
|
---|
| 1792 | unsigned char tbuf[1024];
|
---|
| 1793 |
|
---|
| 1794 | mem = BIO_new(BIO_s_mem());
|
---|
| 1795 | if (mem == NULL)
|
---|
| 1796 | return -1;
|
---|
| 1797 | for (;;) {
|
---|
| 1798 | if ((maxlen != -1) && maxlen < 1024)
|
---|
| 1799 | len = maxlen;
|
---|
| 1800 | else
|
---|
| 1801 | len = 1024;
|
---|
| 1802 | len = BIO_read(in, tbuf, len);
|
---|
| 1803 | if (len < 0) {
|
---|
| 1804 | BIO_free(mem);
|
---|
| 1805 | return -1;
|
---|
| 1806 | }
|
---|
| 1807 | if (len == 0)
|
---|
| 1808 | break;
|
---|
| 1809 | if (BIO_write(mem, tbuf, len) != len) {
|
---|
| 1810 | BIO_free(mem);
|
---|
| 1811 | return -1;
|
---|
| 1812 | }
|
---|
| 1813 | maxlen -= len;
|
---|
| 1814 |
|
---|
| 1815 | if (maxlen == 0)
|
---|
| 1816 | break;
|
---|
| 1817 | }
|
---|
| 1818 | ret = BIO_get_mem_data(mem, (char **)out);
|
---|
| 1819 | BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
|
---|
| 1820 | BIO_free(mem);
|
---|
| 1821 | return ret;
|
---|
| 1822 | }
|
---|
| 1823 |
|
---|
| 1824 | int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
|
---|
| 1825 | {
|
---|
| 1826 | int rv;
|
---|
| 1827 | char *stmp, *vtmp = NULL;
|
---|
| 1828 | stmp = OPENSSL_strdup(value);
|
---|
| 1829 | if (!stmp)
|
---|
| 1830 | return -1;
|
---|
| 1831 | vtmp = strchr(stmp, ':');
|
---|
| 1832 | if (vtmp) {
|
---|
| 1833 | *vtmp = 0;
|
---|
| 1834 | vtmp++;
|
---|
| 1835 | }
|
---|
| 1836 | rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
|
---|
| 1837 | OPENSSL_free(stmp);
|
---|
| 1838 | return rv;
|
---|
| 1839 | }
|
---|
| 1840 |
|
---|
| 1841 | static void nodes_print(const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
|
---|
| 1842 | {
|
---|
| 1843 | X509_POLICY_NODE *node;
|
---|
| 1844 | int i;
|
---|
| 1845 |
|
---|
| 1846 | BIO_printf(bio_err, "%s Policies:", name);
|
---|
| 1847 | if (nodes) {
|
---|
| 1848 | BIO_puts(bio_err, "\n");
|
---|
| 1849 | for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
|
---|
| 1850 | node = sk_X509_POLICY_NODE_value(nodes, i);
|
---|
| 1851 | X509_POLICY_NODE_print(bio_err, node, 2);
|
---|
| 1852 | }
|
---|
| 1853 | } else
|
---|
| 1854 | BIO_puts(bio_err, " <empty>\n");
|
---|
| 1855 | }
|
---|
| 1856 |
|
---|
| 1857 | void policies_print(X509_STORE_CTX *ctx)
|
---|
| 1858 | {
|
---|
| 1859 | X509_POLICY_TREE *tree;
|
---|
| 1860 | int explicit_policy;
|
---|
| 1861 | tree = X509_STORE_CTX_get0_policy_tree(ctx);
|
---|
| 1862 | explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
|
---|
| 1863 |
|
---|
| 1864 | BIO_printf(bio_err, "Require explicit Policy: %s\n",
|
---|
| 1865 | explicit_policy ? "True" : "False");
|
---|
| 1866 |
|
---|
| 1867 | nodes_print("Authority", X509_policy_tree_get0_policies(tree));
|
---|
| 1868 | nodes_print("User", X509_policy_tree_get0_user_policies(tree));
|
---|
| 1869 | }
|
---|
| 1870 |
|
---|
| 1871 | /*-
|
---|
| 1872 | * next_protos_parse parses a comma separated list of strings into a string
|
---|
| 1873 | * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
|
---|
| 1874 | * outlen: (output) set to the length of the resulting buffer on success.
|
---|
| 1875 | * err: (maybe NULL) on failure, an error message line is written to this BIO.
|
---|
| 1876 | * in: a NUL terminated string like "abc,def,ghi"
|
---|
| 1877 | *
|
---|
| 1878 | * returns: a malloc'd buffer or NULL on failure.
|
---|
| 1879 | */
|
---|
| 1880 | unsigned char *next_protos_parse(size_t *outlen, const char *in)
|
---|
| 1881 | {
|
---|
| 1882 | size_t len;
|
---|
| 1883 | unsigned char *out;
|
---|
| 1884 | size_t i, start = 0;
|
---|
| 1885 |
|
---|
| 1886 | len = strlen(in);
|
---|
| 1887 | if (len >= 65535)
|
---|
| 1888 | return NULL;
|
---|
| 1889 |
|
---|
| 1890 | out = app_malloc(strlen(in) + 1, "NPN buffer");
|
---|
| 1891 | for (i = 0; i <= len; ++i) {
|
---|
| 1892 | if (i == len || in[i] == ',') {
|
---|
| 1893 | if (i - start > 255) {
|
---|
| 1894 | OPENSSL_free(out);
|
---|
| 1895 | return NULL;
|
---|
| 1896 | }
|
---|
| 1897 | out[start] = i - start;
|
---|
| 1898 | start = i + 1;
|
---|
| 1899 | } else
|
---|
| 1900 | out[i + 1] = in[i];
|
---|
| 1901 | }
|
---|
| 1902 |
|
---|
| 1903 | *outlen = len + 1;
|
---|
| 1904 | return out;
|
---|
| 1905 | }
|
---|
| 1906 |
|
---|
| 1907 | void print_cert_checks(BIO *bio, X509 *x,
|
---|
| 1908 | const char *checkhost,
|
---|
| 1909 | const char *checkemail, const char *checkip)
|
---|
| 1910 | {
|
---|
| 1911 | if (x == NULL)
|
---|
| 1912 | return;
|
---|
| 1913 | if (checkhost) {
|
---|
| 1914 | BIO_printf(bio, "Hostname %s does%s match certificate\n",
|
---|
| 1915 | checkhost,
|
---|
| 1916 | X509_check_host(x, checkhost, 0, 0, NULL) == 1
|
---|
| 1917 | ? "" : " NOT");
|
---|
| 1918 | }
|
---|
| 1919 |
|
---|
| 1920 | if (checkemail) {
|
---|
| 1921 | BIO_printf(bio, "Email %s does%s match certificate\n",
|
---|
| 1922 | checkemail, X509_check_email(x, checkemail, 0, 0)
|
---|
| 1923 | ? "" : " NOT");
|
---|
| 1924 | }
|
---|
| 1925 |
|
---|
| 1926 | if (checkip) {
|
---|
| 1927 | BIO_printf(bio, "IP %s does%s match certificate\n",
|
---|
| 1928 | checkip, X509_check_ip_asc(x, checkip, 0) ? "" : " NOT");
|
---|
| 1929 | }
|
---|
| 1930 | }
|
---|
| 1931 |
|
---|
| 1932 | /* Get first http URL from a DIST_POINT structure */
|
---|
| 1933 |
|
---|
| 1934 | static const char *get_dp_url(DIST_POINT *dp)
|
---|
| 1935 | {
|
---|
| 1936 | GENERAL_NAMES *gens;
|
---|
| 1937 | GENERAL_NAME *gen;
|
---|
| 1938 | int i, gtype;
|
---|
| 1939 | ASN1_STRING *uri;
|
---|
| 1940 | if (!dp->distpoint || dp->distpoint->type != 0)
|
---|
| 1941 | return NULL;
|
---|
| 1942 | gens = dp->distpoint->name.fullname;
|
---|
| 1943 | for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
---|
| 1944 | gen = sk_GENERAL_NAME_value(gens, i);
|
---|
| 1945 | uri = GENERAL_NAME_get0_value(gen, >ype);
|
---|
| 1946 | if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
|
---|
| 1947 | const char *uptr = (const char *)ASN1_STRING_get0_data(uri);
|
---|
| 1948 | if (strncmp(uptr, "http://", 7) == 0)
|
---|
| 1949 | return uptr;
|
---|
| 1950 | }
|
---|
| 1951 | }
|
---|
| 1952 | return NULL;
|
---|
| 1953 | }
|
---|
| 1954 |
|
---|
| 1955 | /*
|
---|
| 1956 | * Look through a CRLDP structure and attempt to find an http URL to
|
---|
| 1957 | * downloads a CRL from.
|
---|
| 1958 | */
|
---|
| 1959 |
|
---|
| 1960 | static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
|
---|
| 1961 | {
|
---|
| 1962 | int i;
|
---|
| 1963 | const char *urlptr = NULL;
|
---|
| 1964 | for (i = 0; i < sk_DIST_POINT_num(crldp); i++) {
|
---|
| 1965 | DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
|
---|
| 1966 | urlptr = get_dp_url(dp);
|
---|
| 1967 | if (urlptr)
|
---|
| 1968 | return load_crl(urlptr, FORMAT_HTTP);
|
---|
| 1969 | }
|
---|
| 1970 | return NULL;
|
---|
| 1971 | }
|
---|
| 1972 |
|
---|
| 1973 | /*
|
---|
| 1974 | * Example of downloading CRLs from CRLDP: not usable for real world as it
|
---|
| 1975 | * always downloads, doesn't support non-blocking I/O and doesn't cache
|
---|
| 1976 | * anything.
|
---|
| 1977 | */
|
---|
| 1978 |
|
---|
| 1979 | static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
|
---|
| 1980 | {
|
---|
| 1981 | X509 *x;
|
---|
| 1982 | STACK_OF(X509_CRL) *crls = NULL;
|
---|
| 1983 | X509_CRL *crl;
|
---|
| 1984 | STACK_OF(DIST_POINT) *crldp;
|
---|
| 1985 |
|
---|
| 1986 | crls = sk_X509_CRL_new_null();
|
---|
| 1987 | if (!crls)
|
---|
| 1988 | return NULL;
|
---|
| 1989 | x = X509_STORE_CTX_get_current_cert(ctx);
|
---|
| 1990 | crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
|
---|
| 1991 | crl = load_crl_crldp(crldp);
|
---|
| 1992 | sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
|
---|
| 1993 | if (!crl) {
|
---|
| 1994 | sk_X509_CRL_free(crls);
|
---|
| 1995 | return NULL;
|
---|
| 1996 | }
|
---|
| 1997 | sk_X509_CRL_push(crls, crl);
|
---|
| 1998 | /* Try to download delta CRL */
|
---|
| 1999 | crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
|
---|
| 2000 | crl = load_crl_crldp(crldp);
|
---|
| 2001 | sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
|
---|
| 2002 | if (crl)
|
---|
| 2003 | sk_X509_CRL_push(crls, crl);
|
---|
| 2004 | return crls;
|
---|
| 2005 | }
|
---|
| 2006 |
|
---|
| 2007 | void store_setup_crl_download(X509_STORE *st)
|
---|
| 2008 | {
|
---|
| 2009 | X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
|
---|
| 2010 | }
|
---|
| 2011 |
|
---|
| 2012 | /*
|
---|
| 2013 | * Platform-specific sections
|
---|
| 2014 | */
|
---|
| 2015 | #if defined(_WIN32)
|
---|
| 2016 | # ifdef fileno
|
---|
| 2017 | # undef fileno
|
---|
| 2018 | # define fileno(a) (int)_fileno(a)
|
---|
| 2019 | # endif
|
---|
| 2020 |
|
---|
| 2021 | # include <windows.h>
|
---|
| 2022 | # include <tchar.h>
|
---|
| 2023 |
|
---|
| 2024 | static int WIN32_rename(const char *from, const char *to)
|
---|
| 2025 | {
|
---|
| 2026 | TCHAR *tfrom = NULL, *tto;
|
---|
| 2027 | DWORD err;
|
---|
| 2028 | int ret = 0;
|
---|
| 2029 |
|
---|
| 2030 | if (sizeof(TCHAR) == 1) {
|
---|
| 2031 | tfrom = (TCHAR *)from;
|
---|
| 2032 | tto = (TCHAR *)to;
|
---|
| 2033 | } else { /* UNICODE path */
|
---|
| 2034 |
|
---|
| 2035 | size_t i, flen = strlen(from) + 1, tlen = strlen(to) + 1;
|
---|
| 2036 | tfrom = malloc(sizeof(*tfrom) * (flen + tlen));
|
---|
| 2037 | if (tfrom == NULL)
|
---|
| 2038 | goto err;
|
---|
| 2039 | tto = tfrom + flen;
|
---|
| 2040 | # if !defined(_WIN32_WCE) || _WIN32_WCE>=101
|
---|
| 2041 | if (!MultiByteToWideChar(CP_ACP, 0, from, flen, (WCHAR *)tfrom, flen))
|
---|
| 2042 | # endif
|
---|
| 2043 | for (i = 0; i < flen; i++)
|
---|
| 2044 | tfrom[i] = (TCHAR)from[i];
|
---|
| 2045 | # if !defined(_WIN32_WCE) || _WIN32_WCE>=101
|
---|
| 2046 | if (!MultiByteToWideChar(CP_ACP, 0, to, tlen, (WCHAR *)tto, tlen))
|
---|
| 2047 | # endif
|
---|
| 2048 | for (i = 0; i < tlen; i++)
|
---|
| 2049 | tto[i] = (TCHAR)to[i];
|
---|
| 2050 | }
|
---|
| 2051 |
|
---|
| 2052 | if (MoveFile(tfrom, tto))
|
---|
| 2053 | goto ok;
|
---|
| 2054 | err = GetLastError();
|
---|
| 2055 | if (err == ERROR_ALREADY_EXISTS || err == ERROR_FILE_EXISTS) {
|
---|
| 2056 | if (DeleteFile(tto) && MoveFile(tfrom, tto))
|
---|
| 2057 | goto ok;
|
---|
| 2058 | err = GetLastError();
|
---|
| 2059 | }
|
---|
| 2060 | if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND)
|
---|
| 2061 | errno = ENOENT;
|
---|
| 2062 | else if (err == ERROR_ACCESS_DENIED)
|
---|
| 2063 | errno = EACCES;
|
---|
| 2064 | else
|
---|
| 2065 | errno = EINVAL; /* we could map more codes... */
|
---|
| 2066 | err:
|
---|
| 2067 | ret = -1;
|
---|
| 2068 | ok:
|
---|
| 2069 | if (tfrom != NULL && tfrom != (TCHAR *)from)
|
---|
| 2070 | free(tfrom);
|
---|
| 2071 | return ret;
|
---|
| 2072 | }
|
---|
| 2073 | #endif
|
---|
| 2074 |
|
---|
| 2075 | /* app_tminterval section */
|
---|
| 2076 | #if defined(_WIN32)
|
---|
| 2077 | double app_tminterval(int stop, int usertime)
|
---|
| 2078 | {
|
---|
| 2079 | FILETIME now;
|
---|
| 2080 | double ret = 0;
|
---|
| 2081 | static ULARGE_INTEGER tmstart;
|
---|
| 2082 | static int warning = 1;
|
---|
| 2083 | # ifdef _WIN32_WINNT
|
---|
| 2084 | static HANDLE proc = NULL;
|
---|
| 2085 |
|
---|
| 2086 | if (proc == NULL) {
|
---|
| 2087 | if (check_winnt())
|
---|
| 2088 | proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
|
---|
| 2089 | GetCurrentProcessId());
|
---|
| 2090 | if (proc == NULL)
|
---|
| 2091 | proc = (HANDLE) - 1;
|
---|
| 2092 | }
|
---|
| 2093 |
|
---|
| 2094 | if (usertime && proc != (HANDLE) - 1) {
|
---|
| 2095 | FILETIME junk;
|
---|
| 2096 | GetProcessTimes(proc, &junk, &junk, &junk, &now);
|
---|
| 2097 | } else
|
---|
| 2098 | # endif
|
---|
| 2099 | {
|
---|
| 2100 | SYSTEMTIME systime;
|
---|
| 2101 |
|
---|
| 2102 | if (usertime && warning) {
|
---|
| 2103 | BIO_printf(bio_err, "To get meaningful results, run "
|
---|
| 2104 | "this program on idle system.\n");
|
---|
| 2105 | warning = 0;
|
---|
| 2106 | }
|
---|
| 2107 | GetSystemTime(&systime);
|
---|
| 2108 | SystemTimeToFileTime(&systime, &now);
|
---|
| 2109 | }
|
---|
| 2110 |
|
---|
| 2111 | if (stop == TM_START) {
|
---|
| 2112 | tmstart.u.LowPart = now.dwLowDateTime;
|
---|
| 2113 | tmstart.u.HighPart = now.dwHighDateTime;
|
---|
| 2114 | } else {
|
---|
| 2115 | ULARGE_INTEGER tmstop;
|
---|
| 2116 |
|
---|
| 2117 | tmstop.u.LowPart = now.dwLowDateTime;
|
---|
| 2118 | tmstop.u.HighPart = now.dwHighDateTime;
|
---|
| 2119 |
|
---|
| 2120 | ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart) * 1e-7;
|
---|
| 2121 | }
|
---|
| 2122 |
|
---|
| 2123 | return (ret);
|
---|
| 2124 | }
|
---|
| 2125 | #elif defined(OPENSSL_SYSTEM_VXWORKS)
|
---|
| 2126 | # include <time.h>
|
---|
| 2127 |
|
---|
| 2128 | double app_tminterval(int stop, int usertime)
|
---|
| 2129 | {
|
---|
| 2130 | double ret = 0;
|
---|
| 2131 | # ifdef CLOCK_REALTIME
|
---|
| 2132 | static struct timespec tmstart;
|
---|
| 2133 | struct timespec now;
|
---|
| 2134 | # else
|
---|
| 2135 | static unsigned long tmstart;
|
---|
| 2136 | unsigned long now;
|
---|
| 2137 | # endif
|
---|
| 2138 | static int warning = 1;
|
---|
| 2139 |
|
---|
| 2140 | if (usertime && warning) {
|
---|
| 2141 | BIO_printf(bio_err, "To get meaningful results, run "
|
---|
| 2142 | "this program on idle system.\n");
|
---|
| 2143 | warning = 0;
|
---|
| 2144 | }
|
---|
| 2145 | # ifdef CLOCK_REALTIME
|
---|
| 2146 | clock_gettime(CLOCK_REALTIME, &now);
|
---|
| 2147 | if (stop == TM_START)
|
---|
| 2148 | tmstart = now;
|
---|
| 2149 | else
|
---|
| 2150 | ret = ((now.tv_sec + now.tv_nsec * 1e-9)
|
---|
| 2151 | - (tmstart.tv_sec + tmstart.tv_nsec * 1e-9));
|
---|
| 2152 | # else
|
---|
| 2153 | now = tickGet();
|
---|
| 2154 | if (stop == TM_START)
|
---|
| 2155 | tmstart = now;
|
---|
| 2156 | else
|
---|
| 2157 | ret = (now - tmstart) / (double)sysClkRateGet();
|
---|
| 2158 | # endif
|
---|
| 2159 | return (ret);
|
---|
| 2160 | }
|
---|
| 2161 |
|
---|
| 2162 | #elif defined(OPENSSL_SYSTEM_VMS)
|
---|
| 2163 | # include <time.h>
|
---|
| 2164 | # include <times.h>
|
---|
| 2165 |
|
---|
| 2166 | double app_tminterval(int stop, int usertime)
|
---|
| 2167 | {
|
---|
| 2168 | static clock_t tmstart;
|
---|
| 2169 | double ret = 0;
|
---|
| 2170 | clock_t now;
|
---|
| 2171 | # ifdef __TMS
|
---|
| 2172 | struct tms rus;
|
---|
| 2173 |
|
---|
| 2174 | now = times(&rus);
|
---|
| 2175 | if (usertime)
|
---|
| 2176 | now = rus.tms_utime;
|
---|
| 2177 | # else
|
---|
| 2178 | if (usertime)
|
---|
| 2179 | now = clock(); /* sum of user and kernel times */
|
---|
| 2180 | else {
|
---|
| 2181 | struct timeval tv;
|
---|
| 2182 | gettimeofday(&tv, NULL);
|
---|
| 2183 | now = (clock_t)((unsigned long long)tv.tv_sec * CLK_TCK +
|
---|
| 2184 | (unsigned long long)tv.tv_usec * (1000000 / CLK_TCK)
|
---|
| 2185 | );
|
---|
| 2186 | }
|
---|
| 2187 | # endif
|
---|
| 2188 | if (stop == TM_START)
|
---|
| 2189 | tmstart = now;
|
---|
| 2190 | else
|
---|
| 2191 | ret = (now - tmstart) / (double)(CLK_TCK);
|
---|
| 2192 |
|
---|
| 2193 | return (ret);
|
---|
| 2194 | }
|
---|
| 2195 |
|
---|
| 2196 | #elif defined(_SC_CLK_TCK) /* by means of unistd.h */
|
---|
| 2197 | # include <sys/times.h>
|
---|
| 2198 |
|
---|
| 2199 | double app_tminterval(int stop, int usertime)
|
---|
| 2200 | {
|
---|
| 2201 | double ret = 0;
|
---|
| 2202 | struct tms rus;
|
---|
| 2203 | clock_t now = times(&rus);
|
---|
| 2204 | static clock_t tmstart;
|
---|
| 2205 |
|
---|
| 2206 | if (usertime)
|
---|
| 2207 | now = rus.tms_utime;
|
---|
| 2208 |
|
---|
| 2209 | if (stop == TM_START)
|
---|
| 2210 | tmstart = now;
|
---|
| 2211 | else {
|
---|
| 2212 | long int tck = sysconf(_SC_CLK_TCK);
|
---|
| 2213 | ret = (now - tmstart) / (double)tck;
|
---|
| 2214 | }
|
---|
| 2215 |
|
---|
| 2216 | return (ret);
|
---|
| 2217 | }
|
---|
| 2218 |
|
---|
| 2219 | #else
|
---|
| 2220 | # include <sys/time.h>
|
---|
| 2221 | # include <sys/resource.h>
|
---|
| 2222 |
|
---|
| 2223 | double app_tminterval(int stop, int usertime)
|
---|
| 2224 | {
|
---|
| 2225 | double ret = 0;
|
---|
| 2226 | struct rusage rus;
|
---|
| 2227 | struct timeval now;
|
---|
| 2228 | static struct timeval tmstart;
|
---|
| 2229 |
|
---|
| 2230 | if (usertime)
|
---|
| 2231 | getrusage(RUSAGE_SELF, &rus), now = rus.ru_utime;
|
---|
| 2232 | else
|
---|
| 2233 | gettimeofday(&now, NULL);
|
---|
| 2234 |
|
---|
| 2235 | if (stop == TM_START)
|
---|
| 2236 | tmstart = now;
|
---|
| 2237 | else
|
---|
| 2238 | ret = ((now.tv_sec + now.tv_usec * 1e-6)
|
---|
| 2239 | - (tmstart.tv_sec + tmstart.tv_usec * 1e-6));
|
---|
| 2240 |
|
---|
| 2241 | return ret;
|
---|
| 2242 | }
|
---|
| 2243 | #endif
|
---|
| 2244 |
|
---|
| 2245 | int app_access(const char* name, int flag)
|
---|
| 2246 | {
|
---|
| 2247 | #ifdef _WIN32
|
---|
| 2248 | return _access(name, flag);
|
---|
| 2249 | #else
|
---|
| 2250 | return access(name, flag);
|
---|
| 2251 | #endif
|
---|
| 2252 | }
|
---|
| 2253 |
|
---|
| 2254 | /* app_isdir section */
|
---|
| 2255 | #ifdef _WIN32
|
---|
| 2256 | int app_isdir(const char *name)
|
---|
| 2257 | {
|
---|
| 2258 | HANDLE hList;
|
---|
| 2259 | WIN32_FIND_DATA FileData;
|
---|
| 2260 | # if defined(UNICODE) || defined(_UNICODE)
|
---|
| 2261 | size_t i, len_0 = strlen(name) + 1;
|
---|
| 2262 |
|
---|
| 2263 | if (len_0 > OSSL_NELEM(FileData.cFileName))
|
---|
| 2264 | return -1;
|
---|
| 2265 |
|
---|
| 2266 | # if !defined(_WIN32_WCE) || _WIN32_WCE>=101
|
---|
| 2267 | if (!MultiByteToWideChar
|
---|
| 2268 | (CP_ACP, 0, name, len_0, FileData.cFileName, len_0))
|
---|
| 2269 | # endif
|
---|
| 2270 | for (i = 0; i < len_0; i++)
|
---|
| 2271 | FileData.cFileName[i] = (WCHAR)name[i];
|
---|
| 2272 |
|
---|
| 2273 | hList = FindFirstFile(FileData.cFileName, &FileData);
|
---|
| 2274 | # else
|
---|
| 2275 | hList = FindFirstFile(name, &FileData);
|
---|
| 2276 | # endif
|
---|
| 2277 | if (hList == INVALID_HANDLE_VALUE)
|
---|
| 2278 | return -1;
|
---|
| 2279 | FindClose(hList);
|
---|
| 2280 | return ((FileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0);
|
---|
| 2281 | }
|
---|
| 2282 | #else
|
---|
| 2283 | # include <sys/stat.h>
|
---|
| 2284 | # ifndef S_ISDIR
|
---|
| 2285 | # if defined(_S_IFMT) && defined(_S_IFDIR)
|
---|
| 2286 | # define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
|
---|
| 2287 | # else
|
---|
| 2288 | # define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
|
---|
| 2289 | # endif
|
---|
| 2290 | # endif
|
---|
| 2291 |
|
---|
| 2292 | int app_isdir(const char *name)
|
---|
| 2293 | {
|
---|
| 2294 | # if defined(S_ISDIR)
|
---|
| 2295 | struct stat st;
|
---|
| 2296 |
|
---|
| 2297 | if (stat(name, &st) == 0)
|
---|
| 2298 | return S_ISDIR(st.st_mode);
|
---|
| 2299 | else
|
---|
| 2300 | return -1;
|
---|
| 2301 | # else
|
---|
| 2302 | return -1;
|
---|
| 2303 | # endif
|
---|
| 2304 | }
|
---|
| 2305 | #endif
|
---|
| 2306 |
|
---|
| 2307 | /* raw_read|write section */
|
---|
| 2308 | #if defined(__VMS)
|
---|
| 2309 | # include "vms_term_sock.h"
|
---|
| 2310 | static int stdin_sock = -1;
|
---|
| 2311 |
|
---|
| 2312 | static void close_stdin_sock(void)
|
---|
| 2313 | {
|
---|
| 2314 | TerminalSocket (TERM_SOCK_DELETE, &stdin_sock);
|
---|
| 2315 | }
|
---|
| 2316 |
|
---|
| 2317 | int fileno_stdin(void)
|
---|
| 2318 | {
|
---|
| 2319 | if (stdin_sock == -1) {
|
---|
| 2320 | TerminalSocket(TERM_SOCK_CREATE, &stdin_sock);
|
---|
| 2321 | atexit(close_stdin_sock);
|
---|
| 2322 | }
|
---|
| 2323 |
|
---|
| 2324 | return stdin_sock;
|
---|
| 2325 | }
|
---|
| 2326 | #else
|
---|
| 2327 | int fileno_stdin(void)
|
---|
| 2328 | {
|
---|
| 2329 | return fileno(stdin);
|
---|
| 2330 | }
|
---|
| 2331 | #endif
|
---|
| 2332 |
|
---|
| 2333 | int fileno_stdout(void)
|
---|
| 2334 | {
|
---|
| 2335 | return fileno(stdout);
|
---|
| 2336 | }
|
---|
| 2337 |
|
---|
| 2338 | #if defined(_WIN32) && defined(STD_INPUT_HANDLE)
|
---|
| 2339 | int raw_read_stdin(void *buf, int siz)
|
---|
| 2340 | {
|
---|
| 2341 | DWORD n;
|
---|
| 2342 | if (ReadFile(GetStdHandle(STD_INPUT_HANDLE), buf, siz, &n, NULL))
|
---|
| 2343 | return (n);
|
---|
| 2344 | else
|
---|
| 2345 | return (-1);
|
---|
| 2346 | }
|
---|
| 2347 | #elif defined(__VMS)
|
---|
| 2348 | #include <sys/socket.h>
|
---|
| 2349 |
|
---|
| 2350 | int raw_read_stdin(void *buf, int siz)
|
---|
| 2351 | {
|
---|
| 2352 | return recv(fileno_stdin(), buf, siz, 0);
|
---|
| 2353 | }
|
---|
| 2354 | #else
|
---|
| 2355 | int raw_read_stdin(void *buf, int siz)
|
---|
| 2356 | {
|
---|
| 2357 | return read(fileno_stdin(), buf, siz);
|
---|
| 2358 | }
|
---|
| 2359 | #endif
|
---|
| 2360 |
|
---|
| 2361 | #if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
|
---|
| 2362 | int raw_write_stdout(const void *buf, int siz)
|
---|
| 2363 | {
|
---|
| 2364 | DWORD n;
|
---|
| 2365 | if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), buf, siz, &n, NULL))
|
---|
| 2366 | return (n);
|
---|
| 2367 | else
|
---|
| 2368 | return (-1);
|
---|
| 2369 | }
|
---|
| 2370 | #else
|
---|
| 2371 | int raw_write_stdout(const void *buf, int siz)
|
---|
| 2372 | {
|
---|
| 2373 | return write(fileno_stdout(), buf, siz);
|
---|
| 2374 | }
|
---|
| 2375 | #endif
|
---|
| 2376 |
|
---|
| 2377 | /*
|
---|
| 2378 | * Centralized handling if input and output files with format specification
|
---|
| 2379 | * The format is meant to show what the input and output is supposed to be,
|
---|
| 2380 | * and is therefore a show of intent more than anything else. However, it
|
---|
| 2381 | * does impact behavior on some platform, such as differentiating between
|
---|
| 2382 | * text and binary input/output on non-Unix platforms
|
---|
| 2383 | */
|
---|
| 2384 | static int istext(int format)
|
---|
| 2385 | {
|
---|
| 2386 | return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT;
|
---|
| 2387 | }
|
---|
| 2388 |
|
---|
| 2389 | BIO *dup_bio_in(int format)
|
---|
| 2390 | {
|
---|
| 2391 | return BIO_new_fp(stdin,
|
---|
| 2392 | BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
|
---|
| 2393 | }
|
---|
| 2394 |
|
---|
| 2395 | BIO *dup_bio_out(int format)
|
---|
| 2396 | {
|
---|
| 2397 | BIO *b = BIO_new_fp(stdout,
|
---|
| 2398 | BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
|
---|
| 2399 | #ifdef OPENSSL_SYS_VMS
|
---|
| 2400 | if (istext(format))
|
---|
| 2401 | b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
|
---|
| 2402 | #endif
|
---|
| 2403 | return b;
|
---|
| 2404 | }
|
---|
| 2405 |
|
---|
| 2406 | BIO *dup_bio_err(int format)
|
---|
| 2407 | {
|
---|
| 2408 | BIO *b = BIO_new_fp(stderr,
|
---|
| 2409 | BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
|
---|
| 2410 | #ifdef OPENSSL_SYS_VMS
|
---|
| 2411 | if (istext(format))
|
---|
| 2412 | b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
|
---|
| 2413 | #endif
|
---|
| 2414 | return b;
|
---|
| 2415 | }
|
---|
| 2416 |
|
---|
| 2417 | void unbuffer(FILE *fp)
|
---|
| 2418 | {
|
---|
| 2419 | /*
|
---|
| 2420 | * On VMS, setbuf() will only take 32-bit pointers, and a compilation
|
---|
| 2421 | * with /POINTER_SIZE=64 will give off a MAYLOSEDATA2 warning here.
|
---|
| 2422 | * However, we trust that the C RTL will never give us a FILE pointer
|
---|
| 2423 | * above the first 4 GB of memory, so we simply turn off the warning
|
---|
| 2424 | * temporarily.
|
---|
| 2425 | */
|
---|
| 2426 | #if defined(OPENSSL_SYS_VMS) && defined(__DECC)
|
---|
| 2427 | # pragma environment save
|
---|
| 2428 | # pragma message disable maylosedata2
|
---|
| 2429 | #endif
|
---|
| 2430 | setbuf(fp, NULL);
|
---|
| 2431 | #if defined(OPENSSL_SYS_VMS) && defined(__DECC)
|
---|
| 2432 | # pragma environment restore
|
---|
| 2433 | #endif
|
---|
| 2434 | }
|
---|
| 2435 |
|
---|
| 2436 | static const char *modestr(char mode, int format)
|
---|
| 2437 | {
|
---|
| 2438 | OPENSSL_assert(mode == 'a' || mode == 'r' || mode == 'w');
|
---|
| 2439 |
|
---|
| 2440 | switch (mode) {
|
---|
| 2441 | case 'a':
|
---|
| 2442 | return istext(format) ? "a" : "ab";
|
---|
| 2443 | case 'r':
|
---|
| 2444 | return istext(format) ? "r" : "rb";
|
---|
| 2445 | case 'w':
|
---|
| 2446 | return istext(format) ? "w" : "wb";
|
---|
| 2447 | }
|
---|
| 2448 | /* The assert above should make sure we never reach this point */
|
---|
| 2449 | return NULL;
|
---|
| 2450 | }
|
---|
| 2451 |
|
---|
| 2452 | static const char *modeverb(char mode)
|
---|
| 2453 | {
|
---|
| 2454 | switch (mode) {
|
---|
| 2455 | case 'a':
|
---|
| 2456 | return "appending";
|
---|
| 2457 | case 'r':
|
---|
| 2458 | return "reading";
|
---|
| 2459 | case 'w':
|
---|
| 2460 | return "writing";
|
---|
| 2461 | }
|
---|
| 2462 | return "(doing something)";
|
---|
| 2463 | }
|
---|
| 2464 |
|
---|
| 2465 | /*
|
---|
| 2466 | * Open a file for writing, owner-read-only.
|
---|
| 2467 | */
|
---|
| 2468 | BIO *bio_open_owner(const char *filename, int format, int private)
|
---|
| 2469 | {
|
---|
| 2470 | FILE *fp = NULL;
|
---|
| 2471 | BIO *b = NULL;
|
---|
| 2472 | int fd = -1, bflags, mode, textmode;
|
---|
| 2473 |
|
---|
| 2474 | if (!private || filename == NULL || strcmp(filename, "-") == 0)
|
---|
| 2475 | return bio_open_default(filename, 'w', format);
|
---|
| 2476 |
|
---|
| 2477 | mode = O_WRONLY;
|
---|
| 2478 | #ifdef O_CREAT
|
---|
| 2479 | mode |= O_CREAT;
|
---|
| 2480 | #endif
|
---|
| 2481 | #ifdef O_TRUNC
|
---|
| 2482 | mode |= O_TRUNC;
|
---|
| 2483 | #endif
|
---|
| 2484 | textmode = istext(format);
|
---|
| 2485 | if (!textmode) {
|
---|
| 2486 | #ifdef O_BINARY
|
---|
| 2487 | mode |= O_BINARY;
|
---|
| 2488 | #elif defined(_O_BINARY)
|
---|
| 2489 | mode |= _O_BINARY;
|
---|
| 2490 | #endif
|
---|
| 2491 | }
|
---|
| 2492 |
|
---|
| 2493 | #ifdef OPENSSL_SYS_VMS
|
---|
| 2494 | /* VMS doesn't have O_BINARY, it just doesn't make sense. But,
|
---|
| 2495 | * it still needs to know that we're going binary, or fdopen()
|
---|
| 2496 | * will fail with "invalid argument"... so we tell VMS what the
|
---|
| 2497 | * context is.
|
---|
| 2498 | */
|
---|
| 2499 | if (!textmode)
|
---|
| 2500 | fd = open(filename, mode, 0600, "ctx=bin");
|
---|
| 2501 | else
|
---|
| 2502 | #endif
|
---|
| 2503 | fd = open(filename, mode, 0600);
|
---|
| 2504 | if (fd < 0)
|
---|
| 2505 | goto err;
|
---|
| 2506 | fp = fdopen(fd, modestr('w', format));
|
---|
| 2507 | if (fp == NULL)
|
---|
| 2508 | goto err;
|
---|
| 2509 | bflags = BIO_CLOSE;
|
---|
| 2510 | if (textmode)
|
---|
| 2511 | bflags |= BIO_FP_TEXT;
|
---|
| 2512 | b = BIO_new_fp(fp, bflags);
|
---|
| 2513 | if (b)
|
---|
| 2514 | return b;
|
---|
| 2515 |
|
---|
| 2516 | err:
|
---|
| 2517 | BIO_printf(bio_err, "%s: Can't open \"%s\" for writing, %s\n",
|
---|
| 2518 | opt_getprog(), filename, strerror(errno));
|
---|
| 2519 | ERR_print_errors(bio_err);
|
---|
| 2520 | /* If we have fp, then fdopen took over fd, so don't close both. */
|
---|
| 2521 | if (fp)
|
---|
| 2522 | fclose(fp);
|
---|
| 2523 | else if (fd >= 0)
|
---|
| 2524 | close(fd);
|
---|
| 2525 | return NULL;
|
---|
| 2526 | }
|
---|
| 2527 |
|
---|
| 2528 | static BIO *bio_open_default_(const char *filename, char mode, int format,
|
---|
| 2529 | int quiet)
|
---|
| 2530 | {
|
---|
| 2531 | BIO *ret;
|
---|
| 2532 |
|
---|
| 2533 | if (filename == NULL || strcmp(filename, "-") == 0) {
|
---|
| 2534 | ret = mode == 'r' ? dup_bio_in(format) : dup_bio_out(format);
|
---|
| 2535 | if (quiet) {
|
---|
| 2536 | ERR_clear_error();
|
---|
| 2537 | return ret;
|
---|
| 2538 | }
|
---|
| 2539 | if (ret != NULL)
|
---|
| 2540 | return ret;
|
---|
| 2541 | BIO_printf(bio_err,
|
---|
| 2542 | "Can't open %s, %s\n",
|
---|
| 2543 | mode == 'r' ? "stdin" : "stdout", strerror(errno));
|
---|
| 2544 | } else {
|
---|
| 2545 | ret = BIO_new_file(filename, modestr(mode, format));
|
---|
| 2546 | if (quiet) {
|
---|
| 2547 | ERR_clear_error();
|
---|
| 2548 | return ret;
|
---|
| 2549 | }
|
---|
| 2550 | if (ret != NULL)
|
---|
| 2551 | return ret;
|
---|
| 2552 | BIO_printf(bio_err,
|
---|
| 2553 | "Can't open %s for %s, %s\n",
|
---|
| 2554 | filename, modeverb(mode), strerror(errno));
|
---|
| 2555 | }
|
---|
| 2556 | ERR_print_errors(bio_err);
|
---|
| 2557 | return NULL;
|
---|
| 2558 | }
|
---|
| 2559 |
|
---|
| 2560 | BIO *bio_open_default(const char *filename, char mode, int format)
|
---|
| 2561 | {
|
---|
| 2562 | return bio_open_default_(filename, mode, format, 0);
|
---|
| 2563 | }
|
---|
| 2564 |
|
---|
| 2565 | BIO *bio_open_default_quiet(const char *filename, char mode, int format)
|
---|
| 2566 | {
|
---|
| 2567 | return bio_open_default_(filename, mode, format, 1);
|
---|
| 2568 | }
|
---|
| 2569 |
|
---|
| 2570 | void wait_for_async(SSL *s)
|
---|
| 2571 | {
|
---|
| 2572 | /* On Windows select only works for sockets, so we simply don't wait */
|
---|
| 2573 | #ifndef OPENSSL_SYS_WINDOWS
|
---|
| 2574 | int width = 0;
|
---|
| 2575 | fd_set asyncfds;
|
---|
| 2576 | OSSL_ASYNC_FD *fds;
|
---|
| 2577 | size_t numfds;
|
---|
| 2578 |
|
---|
| 2579 | if (!SSL_get_all_async_fds(s, NULL, &numfds))
|
---|
| 2580 | return;
|
---|
| 2581 | if (numfds == 0)
|
---|
| 2582 | return;
|
---|
| 2583 | fds = app_malloc(sizeof(OSSL_ASYNC_FD) * numfds, "allocate async fds");
|
---|
| 2584 | if (!SSL_get_all_async_fds(s, fds, &numfds)) {
|
---|
| 2585 | OPENSSL_free(fds);
|
---|
| 2586 | }
|
---|
| 2587 |
|
---|
| 2588 | FD_ZERO(&asyncfds);
|
---|
| 2589 | while (numfds > 0) {
|
---|
| 2590 | if (width <= (int)*fds)
|
---|
| 2591 | width = (int)*fds + 1;
|
---|
| 2592 | openssl_fdset((int)*fds, &asyncfds);
|
---|
| 2593 | numfds--;
|
---|
| 2594 | fds++;
|
---|
| 2595 | }
|
---|
| 2596 | select(width, (void *)&asyncfds, NULL, NULL, NULL);
|
---|
| 2597 | #endif
|
---|
| 2598 | }
|
---|
| 2599 |
|
---|
| 2600 | /* if OPENSSL_SYS_WINDOWS is defined then so is OPENSSL_SYS_MSDOS */
|
---|
| 2601 | #if defined(OPENSSL_SYS_MSDOS)
|
---|
| 2602 | int has_stdin_waiting(void)
|
---|
| 2603 | {
|
---|
| 2604 | # if defined(OPENSSL_SYS_WINDOWS)
|
---|
| 2605 | HANDLE inhand = GetStdHandle(STD_INPUT_HANDLE);
|
---|
| 2606 | DWORD events = 0;
|
---|
| 2607 | INPUT_RECORD inputrec;
|
---|
| 2608 | DWORD insize = 1;
|
---|
| 2609 | BOOL peeked;
|
---|
| 2610 |
|
---|
| 2611 | if (inhand == INVALID_HANDLE_VALUE) {
|
---|
| 2612 | return 0;
|
---|
| 2613 | }
|
---|
| 2614 |
|
---|
| 2615 | peeked = PeekConsoleInput(inhand, &inputrec, insize, &events);
|
---|
| 2616 | if (!peeked) {
|
---|
| 2617 | /* Probably redirected input? _kbhit() does not work in this case */
|
---|
| 2618 | if (!feof(stdin)) {
|
---|
| 2619 | return 1;
|
---|
| 2620 | }
|
---|
| 2621 | return 0;
|
---|
| 2622 | }
|
---|
| 2623 | # endif
|
---|
| 2624 | return _kbhit();
|
---|
| 2625 | }
|
---|
| 2626 | #endif
|
---|
| 2627 |
|
---|
| 2628 | /* Corrupt a signature by modifying final byte */
|
---|
| 2629 | void corrupt_signature(const ASN1_STRING *signature)
|
---|
| 2630 | {
|
---|
| 2631 | unsigned char *s = signature->data;
|
---|
| 2632 | s[signature->length - 1] ^= 0x1;
|
---|
| 2633 | }
|
---|
| 2634 |
|
---|
| 2635 | int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
---|
| 2636 | int days)
|
---|
| 2637 | {
|
---|
| 2638 | if (startdate == NULL || strcmp(startdate, "today") == 0) {
|
---|
| 2639 | if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL)
|
---|
| 2640 | return 0;
|
---|
| 2641 | } else {
|
---|
| 2642 | if (!ASN1_TIME_set_string(X509_getm_notBefore(x), startdate))
|
---|
| 2643 | return 0;
|
---|
| 2644 | }
|
---|
| 2645 | if (enddate == NULL) {
|
---|
| 2646 | if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL)
|
---|
| 2647 | == NULL)
|
---|
| 2648 | return 0;
|
---|
| 2649 | } else if (!ASN1_TIME_set_string(X509_getm_notAfter(x), enddate)) {
|
---|
| 2650 | return 0;
|
---|
| 2651 | }
|
---|
| 2652 | return 1;
|
---|
| 2653 | }
|
---|