1 | /*
|
---|
2 | * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
3 | *
|
---|
4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
5 | * this file except in compliance with the License. You can obtain a copy
|
---|
6 | * in the file LICENSE in the source distribution or at
|
---|
7 | * https://www.openssl.org/source/license.html
|
---|
8 | */
|
---|
9 |
|
---|
10 | #if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
|
---|
11 | /*
|
---|
12 | * On VMS, you need to define this to get the declaration of fileno(). The
|
---|
13 | * value 2 is to make sure no function defined in POSIX-2 is left undefined.
|
---|
14 | */
|
---|
15 | # define _POSIX_C_SOURCE 2
|
---|
16 | #endif
|
---|
17 |
|
---|
18 | #include <stdio.h>
|
---|
19 | #include <stdlib.h>
|
---|
20 | #include <string.h>
|
---|
21 | #ifndef NO_SYS_TYPES_H
|
---|
22 | # include <sys/types.h>
|
---|
23 | #endif
|
---|
24 | #ifndef OPENSSL_NO_POSIX_IO
|
---|
25 | # include <sys/stat.h>
|
---|
26 | # include <fcntl.h>
|
---|
27 | #endif
|
---|
28 | #include <ctype.h>
|
---|
29 | #include <errno.h>
|
---|
30 | #include <openssl/err.h>
|
---|
31 | #include <openssl/x509.h>
|
---|
32 | #include <openssl/x509v3.h>
|
---|
33 | #include <openssl/pem.h>
|
---|
34 | #include <openssl/pkcs12.h>
|
---|
35 | #include <openssl/ui.h>
|
---|
36 | #include <openssl/safestack.h>
|
---|
37 | #ifndef OPENSSL_NO_ENGINE
|
---|
38 | # include <openssl/engine.h>
|
---|
39 | #endif
|
---|
40 | #ifndef OPENSSL_NO_RSA
|
---|
41 | # include <openssl/rsa.h>
|
---|
42 | #endif
|
---|
43 | #include <openssl/bn.h>
|
---|
44 | #include <openssl/ssl.h>
|
---|
45 | #include "s_apps.h"
|
---|
46 | #include "apps.h"
|
---|
47 |
|
---|
48 | #ifdef _WIN32
|
---|
49 | static int WIN32_rename(const char *from, const char *to);
|
---|
50 | # define rename(from,to) WIN32_rename((from),(to))
|
---|
51 | #endif
|
---|
52 |
|
---|
53 | typedef struct {
|
---|
54 | const char *name;
|
---|
55 | unsigned long flag;
|
---|
56 | unsigned long mask;
|
---|
57 | } NAME_EX_TBL;
|
---|
58 |
|
---|
59 | #if !defined(OPENSSL_NO_UI) || !defined(OPENSSL_NO_ENGINE)
|
---|
60 | static UI_METHOD *ui_method = NULL;
|
---|
61 | #endif
|
---|
62 |
|
---|
63 | static int set_table_opts(unsigned long *flags, const char *arg,
|
---|
64 | const NAME_EX_TBL * in_tbl);
|
---|
65 | static int set_multi_opts(unsigned long *flags, const char *arg,
|
---|
66 | const NAME_EX_TBL * in_tbl);
|
---|
67 |
|
---|
68 | int app_init(long mesgwin);
|
---|
69 |
|
---|
70 | int chopup_args(ARGS *arg, char *buf)
|
---|
71 | {
|
---|
72 | int quoted;
|
---|
73 | char c = '\0', *p = NULL;
|
---|
74 |
|
---|
75 | arg->argc = 0;
|
---|
76 | if (arg->size == 0) {
|
---|
77 | arg->size = 20;
|
---|
78 | arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space");
|
---|
79 | }
|
---|
80 |
|
---|
81 | for (p = buf;;) {
|
---|
82 | /* Skip whitespace. */
|
---|
83 | while (*p && isspace(_UC(*p)))
|
---|
84 | p++;
|
---|
85 | if (!*p)
|
---|
86 | break;
|
---|
87 |
|
---|
88 | /* The start of something good :-) */
|
---|
89 | if (arg->argc >= arg->size) {
|
---|
90 | char **tmp;
|
---|
91 | arg->size += 20;
|
---|
92 | tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size);
|
---|
93 | if (tmp == NULL)
|
---|
94 | return 0;
|
---|
95 | arg->argv = tmp;
|
---|
96 | }
|
---|
97 | quoted = *p == '\'' || *p == '"';
|
---|
98 | if (quoted)
|
---|
99 | c = *p++;
|
---|
100 | arg->argv[arg->argc++] = p;
|
---|
101 |
|
---|
102 | /* now look for the end of this */
|
---|
103 | if (quoted) {
|
---|
104 | while (*p && *p != c)
|
---|
105 | p++;
|
---|
106 | *p++ = '\0';
|
---|
107 | } else {
|
---|
108 | while (*p && !isspace(_UC(*p)))
|
---|
109 | p++;
|
---|
110 | if (*p)
|
---|
111 | *p++ = '\0';
|
---|
112 | }
|
---|
113 | }
|
---|
114 | arg->argv[arg->argc] = NULL;
|
---|
115 | return (1);
|
---|
116 | }
|
---|
117 |
|
---|
118 | #ifndef APP_INIT
|
---|
119 | int app_init(long mesgwin)
|
---|
120 | {
|
---|
121 | return (1);
|
---|
122 | }
|
---|
123 | #endif
|
---|
124 |
|
---|
125 | int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
|
---|
126 | const char *CApath, int noCAfile, int noCApath)
|
---|
127 | {
|
---|
128 | if (CAfile == NULL && CApath == NULL) {
|
---|
129 | if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0)
|
---|
130 | return 0;
|
---|
131 | if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0)
|
---|
132 | return 0;
|
---|
133 |
|
---|
134 | return 1;
|
---|
135 | }
|
---|
136 | return SSL_CTX_load_verify_locations(ctx, CAfile, CApath);
|
---|
137 | }
|
---|
138 |
|
---|
139 | #ifndef OPENSSL_NO_CT
|
---|
140 |
|
---|
141 | int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path)
|
---|
142 | {
|
---|
143 | if (path == NULL) {
|
---|
144 | return SSL_CTX_set_default_ctlog_list_file(ctx);
|
---|
145 | }
|
---|
146 |
|
---|
147 | return SSL_CTX_set_ctlog_list_file(ctx, path);
|
---|
148 | }
|
---|
149 |
|
---|
150 | #endif
|
---|
151 |
|
---|
152 | int dump_cert_text(BIO *out, X509 *x)
|
---|
153 | {
|
---|
154 | char *p;
|
---|
155 |
|
---|
156 | p = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
|
---|
157 | BIO_puts(out, "subject=");
|
---|
158 | BIO_puts(out, p);
|
---|
159 | OPENSSL_free(p);
|
---|
160 |
|
---|
161 | p = X509_NAME_oneline(X509_get_issuer_name(x), NULL, 0);
|
---|
162 | BIO_puts(out, "\nissuer=");
|
---|
163 | BIO_puts(out, p);
|
---|
164 | BIO_puts(out, "\n");
|
---|
165 | OPENSSL_free(p);
|
---|
166 |
|
---|
167 | return 0;
|
---|
168 | }
|
---|
169 |
|
---|
170 | #ifndef OPENSSL_NO_UI
|
---|
171 | static int ui_open(UI *ui)
|
---|
172 | {
|
---|
173 | return UI_method_get_opener(UI_OpenSSL())(ui);
|
---|
174 | }
|
---|
175 |
|
---|
176 | static int ui_read(UI *ui, UI_STRING *uis)
|
---|
177 | {
|
---|
178 | if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
|
---|
179 | && UI_get0_user_data(ui)) {
|
---|
180 | switch (UI_get_string_type(uis)) {
|
---|
181 | case UIT_PROMPT:
|
---|
182 | case UIT_VERIFY:
|
---|
183 | {
|
---|
184 | const char *password =
|
---|
185 | ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
|
---|
186 | if (password && password[0] != '\0') {
|
---|
187 | UI_set_result(ui, uis, password);
|
---|
188 | return 1;
|
---|
189 | }
|
---|
190 | }
|
---|
191 | default:
|
---|
192 | break;
|
---|
193 | }
|
---|
194 | }
|
---|
195 | return UI_method_get_reader(UI_OpenSSL())(ui, uis);
|
---|
196 | }
|
---|
197 |
|
---|
198 | static int ui_write(UI *ui, UI_STRING *uis)
|
---|
199 | {
|
---|
200 | if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
|
---|
201 | && UI_get0_user_data(ui)) {
|
---|
202 | switch (UI_get_string_type(uis)) {
|
---|
203 | case UIT_PROMPT:
|
---|
204 | case UIT_VERIFY:
|
---|
205 | {
|
---|
206 | const char *password =
|
---|
207 | ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
|
---|
208 | if (password && password[0] != '\0')
|
---|
209 | return 1;
|
---|
210 | }
|
---|
211 | default:
|
---|
212 | break;
|
---|
213 | }
|
---|
214 | }
|
---|
215 | return UI_method_get_writer(UI_OpenSSL())(ui, uis);
|
---|
216 | }
|
---|
217 |
|
---|
218 | static int ui_close(UI *ui)
|
---|
219 | {
|
---|
220 | return UI_method_get_closer(UI_OpenSSL())(ui);
|
---|
221 | }
|
---|
222 |
|
---|
223 | int setup_ui_method(void)
|
---|
224 | {
|
---|
225 | ui_method = UI_create_method("OpenSSL application user interface");
|
---|
226 | UI_method_set_opener(ui_method, ui_open);
|
---|
227 | UI_method_set_reader(ui_method, ui_read);
|
---|
228 | UI_method_set_writer(ui_method, ui_write);
|
---|
229 | UI_method_set_closer(ui_method, ui_close);
|
---|
230 | return 0;
|
---|
231 | }
|
---|
232 |
|
---|
233 | void destroy_ui_method(void)
|
---|
234 | {
|
---|
235 | if (ui_method) {
|
---|
236 | UI_destroy_method(ui_method);
|
---|
237 | ui_method = NULL;
|
---|
238 | }
|
---|
239 | }
|
---|
240 | #endif
|
---|
241 |
|
---|
242 | int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
|
---|
243 | {
|
---|
244 | int res = 0;
|
---|
245 | #ifndef OPENSSL_NO_UI
|
---|
246 | UI *ui = NULL;
|
---|
247 | #endif
|
---|
248 | PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
|
---|
249 |
|
---|
250 | #ifdef OPENSSL_NO_UI
|
---|
251 | if (cb_data != NULL && cb_data->password != NULL) {
|
---|
252 | res = strlen(cb_data->password);
|
---|
253 | if (res > bufsiz)
|
---|
254 | res = bufsiz;
|
---|
255 | memcpy(buf, cb_data->password, res);
|
---|
256 | }
|
---|
257 | #else
|
---|
258 | ui = UI_new_method(ui_method);
|
---|
259 | if (ui) {
|
---|
260 | int ok = 0;
|
---|
261 | char *buff = NULL;
|
---|
262 | int ui_flags = 0;
|
---|
263 | const char *prompt_info = NULL;
|
---|
264 | char *prompt;
|
---|
265 |
|
---|
266 | if (cb_data != NULL && cb_data->prompt_info != NULL)
|
---|
267 | prompt_info = cb_data->prompt_info;
|
---|
268 | prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
|
---|
269 | if (!prompt) {
|
---|
270 | BIO_printf(bio_err, "Out of memory\n");
|
---|
271 | UI_free(ui);
|
---|
272 | return 0;
|
---|
273 | }
|
---|
274 |
|
---|
275 | ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
|
---|
276 | UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
|
---|
277 |
|
---|
278 | /* We know that there is no previous user data to return to us */
|
---|
279 | (void)UI_add_user_data(ui, cb_data);
|
---|
280 |
|
---|
281 | if (ok >= 0)
|
---|
282 | ok = UI_add_input_string(ui, prompt, ui_flags, buf,
|
---|
283 | PW_MIN_LENGTH, bufsiz - 1);
|
---|
284 | if (ok >= 0 && verify) {
|
---|
285 | buff = app_malloc(bufsiz, "password buffer");
|
---|
286 | ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
|
---|
287 | PW_MIN_LENGTH, bufsiz - 1, buf);
|
---|
288 | }
|
---|
289 | if (ok >= 0)
|
---|
290 | do {
|
---|
291 | ok = UI_process(ui);
|
---|
292 | }
|
---|
293 | while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
|
---|
294 |
|
---|
295 | OPENSSL_clear_free(buff, (unsigned int)bufsiz);
|
---|
296 |
|
---|
297 | if (ok >= 0)
|
---|
298 | res = strlen(buf);
|
---|
299 | if (ok == -1) {
|
---|
300 | BIO_printf(bio_err, "User interface error\n");
|
---|
301 | ERR_print_errors(bio_err);
|
---|
302 | OPENSSL_cleanse(buf, (unsigned int)bufsiz);
|
---|
303 | res = 0;
|
---|
304 | }
|
---|
305 | if (ok == -2) {
|
---|
306 | BIO_printf(bio_err, "aborted!\n");
|
---|
307 | OPENSSL_cleanse(buf, (unsigned int)bufsiz);
|
---|
308 | res = 0;
|
---|
309 | }
|
---|
310 | UI_free(ui);
|
---|
311 | OPENSSL_free(prompt);
|
---|
312 | }
|
---|
313 | #endif
|
---|
314 | return res;
|
---|
315 | }
|
---|
316 |
|
---|
317 | static char *app_get_pass(const char *arg, int keepbio);
|
---|
318 |
|
---|
319 | int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2)
|
---|
320 | {
|
---|
321 | int same;
|
---|
322 | if (!arg2 || !arg1 || strcmp(arg1, arg2))
|
---|
323 | same = 0;
|
---|
324 | else
|
---|
325 | same = 1;
|
---|
326 | if (arg1) {
|
---|
327 | *pass1 = app_get_pass(arg1, same);
|
---|
328 | if (!*pass1)
|
---|
329 | return 0;
|
---|
330 | } else if (pass1)
|
---|
331 | *pass1 = NULL;
|
---|
332 | if (arg2) {
|
---|
333 | *pass2 = app_get_pass(arg2, same ? 2 : 0);
|
---|
334 | if (!*pass2)
|
---|
335 | return 0;
|
---|
336 | } else if (pass2)
|
---|
337 | *pass2 = NULL;
|
---|
338 | return 1;
|
---|
339 | }
|
---|
340 |
|
---|
341 | static char *app_get_pass(const char *arg, int keepbio)
|
---|
342 | {
|
---|
343 | char *tmp, tpass[APP_PASS_LEN];
|
---|
344 | static BIO *pwdbio = NULL;
|
---|
345 | int i;
|
---|
346 |
|
---|
347 | if (strncmp(arg, "pass:", 5) == 0)
|
---|
348 | return OPENSSL_strdup(arg + 5);
|
---|
349 | if (strncmp(arg, "env:", 4) == 0) {
|
---|
350 | tmp = getenv(arg + 4);
|
---|
351 | if (!tmp) {
|
---|
352 | BIO_printf(bio_err, "Can't read environment variable %s\n", arg + 4);
|
---|
353 | return NULL;
|
---|
354 | }
|
---|
355 | return OPENSSL_strdup(tmp);
|
---|
356 | }
|
---|
357 | if (!keepbio || !pwdbio) {
|
---|
358 | if (strncmp(arg, "file:", 5) == 0) {
|
---|
359 | pwdbio = BIO_new_file(arg + 5, "r");
|
---|
360 | if (!pwdbio) {
|
---|
361 | BIO_printf(bio_err, "Can't open file %s\n", arg + 5);
|
---|
362 | return NULL;
|
---|
363 | }
|
---|
364 | #if !defined(_WIN32)
|
---|
365 | /*
|
---|
366 | * Under _WIN32, which covers even Win64 and CE, file
|
---|
367 | * descriptors referenced by BIO_s_fd are not inherited
|
---|
368 | * by child process and therefore below is not an option.
|
---|
369 | * It could have been an option if bss_fd.c was operating
|
---|
370 | * on real Windows descriptors, such as those obtained
|
---|
371 | * with CreateFile.
|
---|
372 | */
|
---|
373 | } else if (strncmp(arg, "fd:", 3) == 0) {
|
---|
374 | BIO *btmp;
|
---|
375 | i = atoi(arg + 3);
|
---|
376 | if (i >= 0)
|
---|
377 | pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
|
---|
378 | if ((i < 0) || !pwdbio) {
|
---|
379 | BIO_printf(bio_err, "Can't access file descriptor %s\n", arg + 3);
|
---|
380 | return NULL;
|
---|
381 | }
|
---|
382 | /*
|
---|
383 | * Can't do BIO_gets on an fd BIO so add a buffering BIO
|
---|
384 | */
|
---|
385 | btmp = BIO_new(BIO_f_buffer());
|
---|
386 | pwdbio = BIO_push(btmp, pwdbio);
|
---|
387 | #endif
|
---|
388 | } else if (strcmp(arg, "stdin") == 0) {
|
---|
389 | pwdbio = dup_bio_in(FORMAT_TEXT);
|
---|
390 | if (!pwdbio) {
|
---|
391 | BIO_printf(bio_err, "Can't open BIO for stdin\n");
|
---|
392 | return NULL;
|
---|
393 | }
|
---|
394 | } else {
|
---|
395 | BIO_printf(bio_err, "Invalid password argument \"%s\"\n", arg);
|
---|
396 | return NULL;
|
---|
397 | }
|
---|
398 | }
|
---|
399 | i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
|
---|
400 | if (keepbio != 1) {
|
---|
401 | BIO_free_all(pwdbio);
|
---|
402 | pwdbio = NULL;
|
---|
403 | }
|
---|
404 | if (i <= 0) {
|
---|
405 | BIO_printf(bio_err, "Error reading password from BIO\n");
|
---|
406 | return NULL;
|
---|
407 | }
|
---|
408 | tmp = strchr(tpass, '\n');
|
---|
409 | if (tmp)
|
---|
410 | *tmp = 0;
|
---|
411 | return OPENSSL_strdup(tpass);
|
---|
412 | }
|
---|
413 |
|
---|
414 | static CONF *app_load_config_(BIO *in, const char *filename)
|
---|
415 | {
|
---|
416 | long errorline = -1;
|
---|
417 | CONF *conf;
|
---|
418 | int i;
|
---|
419 |
|
---|
420 | conf = NCONF_new(NULL);
|
---|
421 | i = NCONF_load_bio(conf, in, &errorline);
|
---|
422 | if (i > 0)
|
---|
423 | return conf;
|
---|
424 |
|
---|
425 | if (errorline <= 0)
|
---|
426 | BIO_printf(bio_err, "%s: Can't load config file \"%s\"\n",
|
---|
427 | opt_getprog(), filename);
|
---|
428 | else
|
---|
429 | BIO_printf(bio_err, "%s: Error on line %ld of config file \"%s\"\n",
|
---|
430 | opt_getprog(), errorline, filename);
|
---|
431 | NCONF_free(conf);
|
---|
432 | return NULL;
|
---|
433 | }
|
---|
434 | CONF *app_load_config(const char *filename)
|
---|
435 | {
|
---|
436 | BIO *in;
|
---|
437 | CONF *conf;
|
---|
438 |
|
---|
439 | in = bio_open_default(filename, 'r', FORMAT_TEXT);
|
---|
440 | if (in == NULL)
|
---|
441 | return NULL;
|
---|
442 |
|
---|
443 | conf = app_load_config_(in, filename);
|
---|
444 | BIO_free(in);
|
---|
445 | return conf;
|
---|
446 | }
|
---|
447 | CONF *app_load_config_quiet(const char *filename)
|
---|
448 | {
|
---|
449 | BIO *in;
|
---|
450 | CONF *conf;
|
---|
451 |
|
---|
452 | in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT);
|
---|
453 | if (in == NULL)
|
---|
454 | return NULL;
|
---|
455 |
|
---|
456 | conf = app_load_config_(in, filename);
|
---|
457 | BIO_free(in);
|
---|
458 | return conf;
|
---|
459 | }
|
---|
460 |
|
---|
461 | int app_load_modules(const CONF *config)
|
---|
462 | {
|
---|
463 | CONF *to_free = NULL;
|
---|
464 |
|
---|
465 | if (config == NULL)
|
---|
466 | config = to_free = app_load_config_quiet(default_config_file);
|
---|
467 | if (config == NULL)
|
---|
468 | return 1;
|
---|
469 |
|
---|
470 | if (CONF_modules_load(config, NULL, 0) <= 0) {
|
---|
471 | BIO_printf(bio_err, "Error configuring OpenSSL modules\n");
|
---|
472 | ERR_print_errors(bio_err);
|
---|
473 | NCONF_free(to_free);
|
---|
474 | return 0;
|
---|
475 | }
|
---|
476 | NCONF_free(to_free);
|
---|
477 | return 1;
|
---|
478 | }
|
---|
479 |
|
---|
480 | int add_oid_section(CONF *conf)
|
---|
481 | {
|
---|
482 | char *p;
|
---|
483 | STACK_OF(CONF_VALUE) *sktmp;
|
---|
484 | CONF_VALUE *cnf;
|
---|
485 | int i;
|
---|
486 |
|
---|
487 | if ((p = NCONF_get_string(conf, NULL, "oid_section")) == NULL) {
|
---|
488 | ERR_clear_error();
|
---|
489 | return 1;
|
---|
490 | }
|
---|
491 | if ((sktmp = NCONF_get_section(conf, p)) == NULL) {
|
---|
492 | BIO_printf(bio_err, "problem loading oid section %s\n", p);
|
---|
493 | return 0;
|
---|
494 | }
|
---|
495 | for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
|
---|
496 | cnf = sk_CONF_VALUE_value(sktmp, i);
|
---|
497 | if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
|
---|
498 | BIO_printf(bio_err, "problem creating object %s=%s\n",
|
---|
499 | cnf->name, cnf->value);
|
---|
500 | return 0;
|
---|
501 | }
|
---|
502 | }
|
---|
503 | return 1;
|
---|
504 | }
|
---|
505 |
|
---|
506 | static int load_pkcs12(BIO *in, const char *desc,
|
---|
507 | pem_password_cb *pem_cb, void *cb_data,
|
---|
508 | EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
|
---|
509 | {
|
---|
510 | const char *pass;
|
---|
511 | char tpass[PEM_BUFSIZE];
|
---|
512 | int len, ret = 0;
|
---|
513 | PKCS12 *p12;
|
---|
514 | p12 = d2i_PKCS12_bio(in, NULL);
|
---|
515 | if (p12 == NULL) {
|
---|
516 | BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc);
|
---|
517 | goto die;
|
---|
518 | }
|
---|
519 | /* See if an empty password will do */
|
---|
520 | if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
|
---|
521 | pass = "";
|
---|
522 | else {
|
---|
523 | if (!pem_cb)
|
---|
524 | pem_cb = (pem_password_cb *)password_callback;
|
---|
525 | len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
|
---|
526 | if (len < 0) {
|
---|
527 | BIO_printf(bio_err, "Passphrase callback error for %s\n", desc);
|
---|
528 | goto die;
|
---|
529 | }
|
---|
530 | if (len < PEM_BUFSIZE)
|
---|
531 | tpass[len] = 0;
|
---|
532 | if (!PKCS12_verify_mac(p12, tpass, len)) {
|
---|
533 | BIO_printf(bio_err,
|
---|
534 | "Mac verify error (wrong password?) in PKCS12 file for %s\n",
|
---|
535 | desc);
|
---|
536 | goto die;
|
---|
537 | }
|
---|
538 | pass = tpass;
|
---|
539 | }
|
---|
540 | ret = PKCS12_parse(p12, pass, pkey, cert, ca);
|
---|
541 | die:
|
---|
542 | PKCS12_free(p12);
|
---|
543 | return ret;
|
---|
544 | }
|
---|
545 |
|
---|
546 | #if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
|
---|
547 | static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
|
---|
548 | {
|
---|
549 | char *host = NULL, *port = NULL, *path = NULL;
|
---|
550 | BIO *bio = NULL;
|
---|
551 | OCSP_REQ_CTX *rctx = NULL;
|
---|
552 | int use_ssl, rv = 0;
|
---|
553 | if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
|
---|
554 | goto err;
|
---|
555 | if (use_ssl) {
|
---|
556 | BIO_puts(bio_err, "https not supported\n");
|
---|
557 | goto err;
|
---|
558 | }
|
---|
559 | bio = BIO_new_connect(host);
|
---|
560 | if (!bio || !BIO_set_conn_port(bio, port))
|
---|
561 | goto err;
|
---|
562 | rctx = OCSP_REQ_CTX_new(bio, 1024);
|
---|
563 | if (rctx == NULL)
|
---|
564 | goto err;
|
---|
565 | if (!OCSP_REQ_CTX_http(rctx, "GET", path))
|
---|
566 | goto err;
|
---|
567 | if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
|
---|
568 | goto err;
|
---|
569 | if (pcert) {
|
---|
570 | do {
|
---|
571 | rv = X509_http_nbio(rctx, pcert);
|
---|
572 | } while (rv == -1);
|
---|
573 | } else {
|
---|
574 | do {
|
---|
575 | rv = X509_CRL_http_nbio(rctx, pcrl);
|
---|
576 | } while (rv == -1);
|
---|
577 | }
|
---|
578 |
|
---|
579 | err:
|
---|
580 | OPENSSL_free(host);
|
---|
581 | OPENSSL_free(path);
|
---|
582 | OPENSSL_free(port);
|
---|
583 | if (bio)
|
---|
584 | BIO_free_all(bio);
|
---|
585 | OCSP_REQ_CTX_free(rctx);
|
---|
586 | if (rv != 1) {
|
---|
587 | BIO_printf(bio_err, "Error loading %s from %s\n",
|
---|
588 | pcert ? "certificate" : "CRL", url);
|
---|
589 | ERR_print_errors(bio_err);
|
---|
590 | }
|
---|
591 | return rv;
|
---|
592 | }
|
---|
593 | #endif
|
---|
594 |
|
---|
595 | X509 *load_cert(const char *file, int format, const char *cert_descrip)
|
---|
596 | {
|
---|
597 | X509 *x = NULL;
|
---|
598 | BIO *cert;
|
---|
599 |
|
---|
600 | if (format == FORMAT_HTTP) {
|
---|
601 | #if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
|
---|
602 | load_cert_crl_http(file, &x, NULL);
|
---|
603 | #endif
|
---|
604 | return x;
|
---|
605 | }
|
---|
606 |
|
---|
607 | if (file == NULL) {
|
---|
608 | unbuffer(stdin);
|
---|
609 | cert = dup_bio_in(format);
|
---|
610 | } else
|
---|
611 | cert = bio_open_default(file, 'r', format);
|
---|
612 | if (cert == NULL)
|
---|
613 | goto end;
|
---|
614 |
|
---|
615 | if (format == FORMAT_ASN1)
|
---|
616 | x = d2i_X509_bio(cert, NULL);
|
---|
617 | else if (format == FORMAT_PEM)
|
---|
618 | x = PEM_read_bio_X509_AUX(cert, NULL,
|
---|
619 | (pem_password_cb *)password_callback, NULL);
|
---|
620 | else if (format == FORMAT_PKCS12) {
|
---|
621 | if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL))
|
---|
622 | goto end;
|
---|
623 | } else {
|
---|
624 | BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip);
|
---|
625 | goto end;
|
---|
626 | }
|
---|
627 | end:
|
---|
628 | if (x == NULL) {
|
---|
629 | BIO_printf(bio_err, "unable to load certificate\n");
|
---|
630 | ERR_print_errors(bio_err);
|
---|
631 | }
|
---|
632 | BIO_free(cert);
|
---|
633 | return (x);
|
---|
634 | }
|
---|
635 |
|
---|
636 | X509_CRL *load_crl(const char *infile, int format)
|
---|
637 | {
|
---|
638 | X509_CRL *x = NULL;
|
---|
639 | BIO *in = NULL;
|
---|
640 |
|
---|
641 | if (format == FORMAT_HTTP) {
|
---|
642 | #if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
|
---|
643 | load_cert_crl_http(infile, NULL, &x);
|
---|
644 | #endif
|
---|
645 | return x;
|
---|
646 | }
|
---|
647 |
|
---|
648 | in = bio_open_default(infile, 'r', format);
|
---|
649 | if (in == NULL)
|
---|
650 | goto end;
|
---|
651 | if (format == FORMAT_ASN1)
|
---|
652 | x = d2i_X509_CRL_bio(in, NULL);
|
---|
653 | else if (format == FORMAT_PEM)
|
---|
654 | x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
|
---|
655 | else {
|
---|
656 | BIO_printf(bio_err, "bad input format specified for input crl\n");
|
---|
657 | goto end;
|
---|
658 | }
|
---|
659 | if (x == NULL) {
|
---|
660 | BIO_printf(bio_err, "unable to load CRL\n");
|
---|
661 | ERR_print_errors(bio_err);
|
---|
662 | goto end;
|
---|
663 | }
|
---|
664 |
|
---|
665 | end:
|
---|
666 | BIO_free(in);
|
---|
667 | return (x);
|
---|
668 | }
|
---|
669 |
|
---|
670 | EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
|
---|
671 | const char *pass, ENGINE *e, const char *key_descrip)
|
---|
672 | {
|
---|
673 | BIO *key = NULL;
|
---|
674 | EVP_PKEY *pkey = NULL;
|
---|
675 | PW_CB_DATA cb_data;
|
---|
676 |
|
---|
677 | cb_data.password = pass;
|
---|
678 | cb_data.prompt_info = file;
|
---|
679 |
|
---|
680 | if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
|
---|
681 | BIO_printf(bio_err, "no keyfile specified\n");
|
---|
682 | goto end;
|
---|
683 | }
|
---|
684 | if (format == FORMAT_ENGINE) {
|
---|
685 | if (e == NULL)
|
---|
686 | BIO_printf(bio_err, "no engine specified\n");
|
---|
687 | else {
|
---|
688 | #ifndef OPENSSL_NO_ENGINE
|
---|
689 | if (ENGINE_init(e)) {
|
---|
690 | pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
|
---|
691 | ENGINE_finish(e);
|
---|
692 | }
|
---|
693 | if (pkey == NULL) {
|
---|
694 | BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
|
---|
695 | ERR_print_errors(bio_err);
|
---|
696 | }
|
---|
697 | #else
|
---|
698 | BIO_printf(bio_err, "engines not supported\n");
|
---|
699 | #endif
|
---|
700 | }
|
---|
701 | goto end;
|
---|
702 | }
|
---|
703 | if (file == NULL && maybe_stdin) {
|
---|
704 | unbuffer(stdin);
|
---|
705 | key = dup_bio_in(format);
|
---|
706 | } else
|
---|
707 | key = bio_open_default(file, 'r', format);
|
---|
708 | if (key == NULL)
|
---|
709 | goto end;
|
---|
710 | if (format == FORMAT_ASN1) {
|
---|
711 | pkey = d2i_PrivateKey_bio(key, NULL);
|
---|
712 | } else if (format == FORMAT_PEM) {
|
---|
713 | pkey = PEM_read_bio_PrivateKey(key, NULL,
|
---|
714 | (pem_password_cb *)password_callback,
|
---|
715 | &cb_data);
|
---|
716 | }
|
---|
717 | else if (format == FORMAT_PKCS12) {
|
---|
718 | if (!load_pkcs12(key, key_descrip,
|
---|
719 | (pem_password_cb *)password_callback, &cb_data,
|
---|
720 | &pkey, NULL, NULL))
|
---|
721 | goto end;
|
---|
722 | }
|
---|
723 | #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
|
---|
724 | else if (format == FORMAT_MSBLOB)
|
---|
725 | pkey = b2i_PrivateKey_bio(key);
|
---|
726 | else if (format == FORMAT_PVK)
|
---|
727 | pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
|
---|
728 | &cb_data);
|
---|
729 | #endif
|
---|
730 | else {
|
---|
731 | BIO_printf(bio_err, "bad input format specified for key file\n");
|
---|
732 | goto end;
|
---|
733 | }
|
---|
734 | end:
|
---|
735 | BIO_free(key);
|
---|
736 | if (pkey == NULL) {
|
---|
737 | BIO_printf(bio_err, "unable to load %s\n", key_descrip);
|
---|
738 | ERR_print_errors(bio_err);
|
---|
739 | }
|
---|
740 | return (pkey);
|
---|
741 | }
|
---|
742 |
|
---|
743 | EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
|
---|
744 | const char *pass, ENGINE *e, const char *key_descrip)
|
---|
745 | {
|
---|
746 | BIO *key = NULL;
|
---|
747 | EVP_PKEY *pkey = NULL;
|
---|
748 | PW_CB_DATA cb_data;
|
---|
749 |
|
---|
750 | cb_data.password = pass;
|
---|
751 | cb_data.prompt_info = file;
|
---|
752 |
|
---|
753 | if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
|
---|
754 | BIO_printf(bio_err, "no keyfile specified\n");
|
---|
755 | goto end;
|
---|
756 | }
|
---|
757 | if (format == FORMAT_ENGINE) {
|
---|
758 | if (e == NULL)
|
---|
759 | BIO_printf(bio_err, "no engine specified\n");
|
---|
760 | else {
|
---|
761 | #ifndef OPENSSL_NO_ENGINE
|
---|
762 | pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data);
|
---|
763 | if (pkey == NULL) {
|
---|
764 | BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
|
---|
765 | ERR_print_errors(bio_err);
|
---|
766 | }
|
---|
767 | #else
|
---|
768 | BIO_printf(bio_err, "engines not supported\n");
|
---|
769 | #endif
|
---|
770 | }
|
---|
771 | goto end;
|
---|
772 | }
|
---|
773 | if (file == NULL && maybe_stdin) {
|
---|
774 | unbuffer(stdin);
|
---|
775 | key = dup_bio_in(format);
|
---|
776 | } else
|
---|
777 | key = bio_open_default(file, 'r', format);
|
---|
778 | if (key == NULL)
|
---|
779 | goto end;
|
---|
780 | if (format == FORMAT_ASN1) {
|
---|
781 | pkey = d2i_PUBKEY_bio(key, NULL);
|
---|
782 | }
|
---|
783 | else if (format == FORMAT_ASN1RSA) {
|
---|
784 | #ifndef OPENSSL_NO_RSA
|
---|
785 | RSA *rsa;
|
---|
786 | rsa = d2i_RSAPublicKey_bio(key, NULL);
|
---|
787 | if (rsa) {
|
---|
788 | pkey = EVP_PKEY_new();
|
---|
789 | if (pkey != NULL)
|
---|
790 | EVP_PKEY_set1_RSA(pkey, rsa);
|
---|
791 | RSA_free(rsa);
|
---|
792 | } else
|
---|
793 | #else
|
---|
794 | BIO_printf(bio_err, "RSA keys not supported\n");
|
---|
795 | #endif
|
---|
796 | pkey = NULL;
|
---|
797 | } else if (format == FORMAT_PEMRSA) {
|
---|
798 | #ifndef OPENSSL_NO_RSA
|
---|
799 | RSA *rsa;
|
---|
800 | rsa = PEM_read_bio_RSAPublicKey(key, NULL,
|
---|
801 | (pem_password_cb *)password_callback,
|
---|
802 | &cb_data);
|
---|
803 | if (rsa != NULL) {
|
---|
804 | pkey = EVP_PKEY_new();
|
---|
805 | if (pkey != NULL)
|
---|
806 | EVP_PKEY_set1_RSA(pkey, rsa);
|
---|
807 | RSA_free(rsa);
|
---|
808 | } else
|
---|
809 | #else
|
---|
810 | BIO_printf(bio_err, "RSA keys not supported\n");
|
---|
811 | #endif
|
---|
812 | pkey = NULL;
|
---|
813 | }
|
---|
814 | else if (format == FORMAT_PEM) {
|
---|
815 | pkey = PEM_read_bio_PUBKEY(key, NULL,
|
---|
816 | (pem_password_cb *)password_callback,
|
---|
817 | &cb_data);
|
---|
818 | }
|
---|
819 | #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
|
---|
820 | else if (format == FORMAT_MSBLOB)
|
---|
821 | pkey = b2i_PublicKey_bio(key);
|
---|
822 | #endif
|
---|
823 | end:
|
---|
824 | BIO_free(key);
|
---|
825 | if (pkey == NULL)
|
---|
826 | BIO_printf(bio_err, "unable to load %s\n", key_descrip);
|
---|
827 | return (pkey);
|
---|
828 | }
|
---|
829 |
|
---|
830 | static int load_certs_crls(const char *file, int format,
|
---|
831 | const char *pass, const char *desc,
|
---|
832 | STACK_OF(X509) **pcerts,
|
---|
833 | STACK_OF(X509_CRL) **pcrls)
|
---|
834 | {
|
---|
835 | int i;
|
---|
836 | BIO *bio;
|
---|
837 | STACK_OF(X509_INFO) *xis = NULL;
|
---|
838 | X509_INFO *xi;
|
---|
839 | PW_CB_DATA cb_data;
|
---|
840 | int rv = 0;
|
---|
841 |
|
---|
842 | cb_data.password = pass;
|
---|
843 | cb_data.prompt_info = file;
|
---|
844 |
|
---|
845 | if (format != FORMAT_PEM) {
|
---|
846 | BIO_printf(bio_err, "bad input format specified for %s\n", desc);
|
---|
847 | return 0;
|
---|
848 | }
|
---|
849 |
|
---|
850 | bio = bio_open_default(file, 'r', FORMAT_PEM);
|
---|
851 | if (bio == NULL)
|
---|
852 | return 0;
|
---|
853 |
|
---|
854 | xis = PEM_X509_INFO_read_bio(bio, NULL,
|
---|
855 | (pem_password_cb *)password_callback,
|
---|
856 | &cb_data);
|
---|
857 |
|
---|
858 | BIO_free(bio);
|
---|
859 |
|
---|
860 | if (pcerts && *pcerts == NULL) {
|
---|
861 | *pcerts = sk_X509_new_null();
|
---|
862 | if (!*pcerts)
|
---|
863 | goto end;
|
---|
864 | }
|
---|
865 |
|
---|
866 | if (pcrls && *pcrls == NULL) {
|
---|
867 | *pcrls = sk_X509_CRL_new_null();
|
---|
868 | if (!*pcrls)
|
---|
869 | goto end;
|
---|
870 | }
|
---|
871 |
|
---|
872 | for (i = 0; i < sk_X509_INFO_num(xis); i++) {
|
---|
873 | xi = sk_X509_INFO_value(xis, i);
|
---|
874 | if (xi->x509 && pcerts) {
|
---|
875 | if (!sk_X509_push(*pcerts, xi->x509))
|
---|
876 | goto end;
|
---|
877 | xi->x509 = NULL;
|
---|
878 | }
|
---|
879 | if (xi->crl && pcrls) {
|
---|
880 | if (!sk_X509_CRL_push(*pcrls, xi->crl))
|
---|
881 | goto end;
|
---|
882 | xi->crl = NULL;
|
---|
883 | }
|
---|
884 | }
|
---|
885 |
|
---|
886 | if (pcerts && sk_X509_num(*pcerts) > 0)
|
---|
887 | rv = 1;
|
---|
888 |
|
---|
889 | if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
|
---|
890 | rv = 1;
|
---|
891 |
|
---|
892 | end:
|
---|
893 |
|
---|
894 | sk_X509_INFO_pop_free(xis, X509_INFO_free);
|
---|
895 |
|
---|
896 | if (rv == 0) {
|
---|
897 | if (pcerts) {
|
---|
898 | sk_X509_pop_free(*pcerts, X509_free);
|
---|
899 | *pcerts = NULL;
|
---|
900 | }
|
---|
901 | if (pcrls) {
|
---|
902 | sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
|
---|
903 | *pcrls = NULL;
|
---|
904 | }
|
---|
905 | BIO_printf(bio_err, "unable to load %s\n",
|
---|
906 | pcerts ? "certificates" : "CRLs");
|
---|
907 | ERR_print_errors(bio_err);
|
---|
908 | }
|
---|
909 | return rv;
|
---|
910 | }
|
---|
911 |
|
---|
912 | void* app_malloc(int sz, const char *what)
|
---|
913 | {
|
---|
914 | void *vp = OPENSSL_malloc(sz);
|
---|
915 |
|
---|
916 | if (vp == NULL) {
|
---|
917 | BIO_printf(bio_err, "%s: Could not allocate %d bytes for %s\n",
|
---|
918 | opt_getprog(), sz, what);
|
---|
919 | ERR_print_errors(bio_err);
|
---|
920 | exit(1);
|
---|
921 | }
|
---|
922 | return vp;
|
---|
923 | }
|
---|
924 |
|
---|
925 | /*
|
---|
926 | * Initialize or extend, if *certs != NULL, a certificate stack.
|
---|
927 | */
|
---|
928 | int load_certs(const char *file, STACK_OF(X509) **certs, int format,
|
---|
929 | const char *pass, const char *desc)
|
---|
930 | {
|
---|
931 | return load_certs_crls(file, format, pass, desc, certs, NULL);
|
---|
932 | }
|
---|
933 |
|
---|
934 | /*
|
---|
935 | * Initialize or extend, if *crls != NULL, a certificate stack.
|
---|
936 | */
|
---|
937 | int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
|
---|
938 | const char *pass, const char *desc)
|
---|
939 | {
|
---|
940 | return load_certs_crls(file, format, pass, desc, NULL, crls);
|
---|
941 | }
|
---|
942 |
|
---|
943 | #define X509V3_EXT_UNKNOWN_MASK (0xfL << 16)
|
---|
944 | /* Return error for unknown extensions */
|
---|
945 | #define X509V3_EXT_DEFAULT 0
|
---|
946 | /* Print error for unknown extensions */
|
---|
947 | #define X509V3_EXT_ERROR_UNKNOWN (1L << 16)
|
---|
948 | /* ASN1 parse unknown extensions */
|
---|
949 | #define X509V3_EXT_PARSE_UNKNOWN (2L << 16)
|
---|
950 | /* BIO_dump unknown extensions */
|
---|
951 | #define X509V3_EXT_DUMP_UNKNOWN (3L << 16)
|
---|
952 |
|
---|
953 | #define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
|
---|
954 | X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
|
---|
955 |
|
---|
956 | int set_cert_ex(unsigned long *flags, const char *arg)
|
---|
957 | {
|
---|
958 | static const NAME_EX_TBL cert_tbl[] = {
|
---|
959 | {"compatible", X509_FLAG_COMPAT, 0xffffffffl},
|
---|
960 | {"ca_default", X509_FLAG_CA, 0xffffffffl},
|
---|
961 | {"no_header", X509_FLAG_NO_HEADER, 0},
|
---|
962 | {"no_version", X509_FLAG_NO_VERSION, 0},
|
---|
963 | {"no_serial", X509_FLAG_NO_SERIAL, 0},
|
---|
964 | {"no_signame", X509_FLAG_NO_SIGNAME, 0},
|
---|
965 | {"no_validity", X509_FLAG_NO_VALIDITY, 0},
|
---|
966 | {"no_subject", X509_FLAG_NO_SUBJECT, 0},
|
---|
967 | {"no_issuer", X509_FLAG_NO_ISSUER, 0},
|
---|
968 | {"no_pubkey", X509_FLAG_NO_PUBKEY, 0},
|
---|
969 | {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
|
---|
970 | {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
|
---|
971 | {"no_aux", X509_FLAG_NO_AUX, 0},
|
---|
972 | {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
|
---|
973 | {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
|
---|
974 | {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
|
---|
975 | {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
|
---|
976 | {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
|
---|
977 | {NULL, 0, 0}
|
---|
978 | };
|
---|
979 | return set_multi_opts(flags, arg, cert_tbl);
|
---|
980 | }
|
---|
981 |
|
---|
982 | int set_name_ex(unsigned long *flags, const char *arg)
|
---|
983 | {
|
---|
984 | static const NAME_EX_TBL ex_tbl[] = {
|
---|
985 | {"esc_2253", ASN1_STRFLGS_ESC_2253, 0},
|
---|
986 | {"esc_2254", ASN1_STRFLGS_ESC_2254, 0},
|
---|
987 | {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
|
---|
988 | {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
|
---|
989 | {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
|
---|
990 | {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
|
---|
991 | {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
|
---|
992 | {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
|
---|
993 | {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
|
---|
994 | {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
|
---|
995 | {"dump_der", ASN1_STRFLGS_DUMP_DER, 0},
|
---|
996 | {"compat", XN_FLAG_COMPAT, 0xffffffffL},
|
---|
997 | {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
|
---|
998 | {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
|
---|
999 | {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
|
---|
1000 | {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
|
---|
1001 | {"dn_rev", XN_FLAG_DN_REV, 0},
|
---|
1002 | {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
|
---|
1003 | {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
|
---|
1004 | {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
|
---|
1005 | {"align", XN_FLAG_FN_ALIGN, 0},
|
---|
1006 | {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
|
---|
1007 | {"space_eq", XN_FLAG_SPC_EQ, 0},
|
---|
1008 | {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
|
---|
1009 | {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
|
---|
1010 | {"oneline", XN_FLAG_ONELINE, 0xffffffffL},
|
---|
1011 | {"multiline", XN_FLAG_MULTILINE, 0xffffffffL},
|
---|
1012 | {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
|
---|
1013 | {NULL, 0, 0}
|
---|
1014 | };
|
---|
1015 | if (set_multi_opts(flags, arg, ex_tbl) == 0)
|
---|
1016 | return 0;
|
---|
1017 | if ((*flags & XN_FLAG_SEP_MASK) == 0)
|
---|
1018 | *flags |= XN_FLAG_SEP_CPLUS_SPC;
|
---|
1019 | return 1;
|
---|
1020 | }
|
---|
1021 |
|
---|
1022 | int set_ext_copy(int *copy_type, const char *arg)
|
---|
1023 | {
|
---|
1024 | if (strcasecmp(arg, "none") == 0)
|
---|
1025 | *copy_type = EXT_COPY_NONE;
|
---|
1026 | else if (strcasecmp(arg, "copy") == 0)
|
---|
1027 | *copy_type = EXT_COPY_ADD;
|
---|
1028 | else if (strcasecmp(arg, "copyall") == 0)
|
---|
1029 | *copy_type = EXT_COPY_ALL;
|
---|
1030 | else
|
---|
1031 | return 0;
|
---|
1032 | return 1;
|
---|
1033 | }
|
---|
1034 |
|
---|
1035 | int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
|
---|
1036 | {
|
---|
1037 | STACK_OF(X509_EXTENSION) *exts = NULL;
|
---|
1038 | X509_EXTENSION *ext, *tmpext;
|
---|
1039 | ASN1_OBJECT *obj;
|
---|
1040 | int i, idx, ret = 0;
|
---|
1041 | if (!x || !req || (copy_type == EXT_COPY_NONE))
|
---|
1042 | return 1;
|
---|
1043 | exts = X509_REQ_get_extensions(req);
|
---|
1044 |
|
---|
1045 | for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
|
---|
1046 | ext = sk_X509_EXTENSION_value(exts, i);
|
---|
1047 | obj = X509_EXTENSION_get_object(ext);
|
---|
1048 | idx = X509_get_ext_by_OBJ(x, obj, -1);
|
---|
1049 | /* Does extension exist? */
|
---|
1050 | if (idx != -1) {
|
---|
1051 | /* If normal copy don't override existing extension */
|
---|
1052 | if (copy_type == EXT_COPY_ADD)
|
---|
1053 | continue;
|
---|
1054 | /* Delete all extensions of same type */
|
---|
1055 | do {
|
---|
1056 | tmpext = X509_get_ext(x, idx);
|
---|
1057 | X509_delete_ext(x, idx);
|
---|
1058 | X509_EXTENSION_free(tmpext);
|
---|
1059 | idx = X509_get_ext_by_OBJ(x, obj, -1);
|
---|
1060 | } while (idx != -1);
|
---|
1061 | }
|
---|
1062 | if (!X509_add_ext(x, ext, -1))
|
---|
1063 | goto end;
|
---|
1064 | }
|
---|
1065 |
|
---|
1066 | ret = 1;
|
---|
1067 |
|
---|
1068 | end:
|
---|
1069 |
|
---|
1070 | sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
|
---|
1071 |
|
---|
1072 | return ret;
|
---|
1073 | }
|
---|
1074 |
|
---|
1075 | static int set_multi_opts(unsigned long *flags, const char *arg,
|
---|
1076 | const NAME_EX_TBL * in_tbl)
|
---|
1077 | {
|
---|
1078 | STACK_OF(CONF_VALUE) *vals;
|
---|
1079 | CONF_VALUE *val;
|
---|
1080 | int i, ret = 1;
|
---|
1081 | if (!arg)
|
---|
1082 | return 0;
|
---|
1083 | vals = X509V3_parse_list(arg);
|
---|
1084 | for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
|
---|
1085 | val = sk_CONF_VALUE_value(vals, i);
|
---|
1086 | if (!set_table_opts(flags, val->name, in_tbl))
|
---|
1087 | ret = 0;
|
---|
1088 | }
|
---|
1089 | sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
|
---|
1090 | return ret;
|
---|
1091 | }
|
---|
1092 |
|
---|
1093 | static int set_table_opts(unsigned long *flags, const char *arg,
|
---|
1094 | const NAME_EX_TBL * in_tbl)
|
---|
1095 | {
|
---|
1096 | char c;
|
---|
1097 | const NAME_EX_TBL *ptbl;
|
---|
1098 | c = arg[0];
|
---|
1099 |
|
---|
1100 | if (c == '-') {
|
---|
1101 | c = 0;
|
---|
1102 | arg++;
|
---|
1103 | } else if (c == '+') {
|
---|
1104 | c = 1;
|
---|
1105 | arg++;
|
---|
1106 | } else
|
---|
1107 | c = 1;
|
---|
1108 |
|
---|
1109 | for (ptbl = in_tbl; ptbl->name; ptbl++) {
|
---|
1110 | if (strcasecmp(arg, ptbl->name) == 0) {
|
---|
1111 | *flags &= ~ptbl->mask;
|
---|
1112 | if (c)
|
---|
1113 | *flags |= ptbl->flag;
|
---|
1114 | else
|
---|
1115 | *flags &= ~ptbl->flag;
|
---|
1116 | return 1;
|
---|
1117 | }
|
---|
1118 | }
|
---|
1119 | return 0;
|
---|
1120 | }
|
---|
1121 |
|
---|
1122 | void print_name(BIO *out, const char *title, X509_NAME *nm,
|
---|
1123 | unsigned long lflags)
|
---|
1124 | {
|
---|
1125 | char *buf;
|
---|
1126 | char mline = 0;
|
---|
1127 | int indent = 0;
|
---|
1128 |
|
---|
1129 | if (title)
|
---|
1130 | BIO_puts(out, title);
|
---|
1131 | if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
|
---|
1132 | mline = 1;
|
---|
1133 | indent = 4;
|
---|
1134 | }
|
---|
1135 | if (lflags == XN_FLAG_COMPAT) {
|
---|
1136 | buf = X509_NAME_oneline(nm, 0, 0);
|
---|
1137 | BIO_puts(out, buf);
|
---|
1138 | BIO_puts(out, "\n");
|
---|
1139 | OPENSSL_free(buf);
|
---|
1140 | } else {
|
---|
1141 | if (mline)
|
---|
1142 | BIO_puts(out, "\n");
|
---|
1143 | X509_NAME_print_ex(out, nm, indent, lflags);
|
---|
1144 | BIO_puts(out, "\n");
|
---|
1145 | }
|
---|
1146 | }
|
---|
1147 |
|
---|
1148 | void print_bignum_var(BIO *out, const BIGNUM *in, const char *var,
|
---|
1149 | int len, unsigned char *buffer)
|
---|
1150 | {
|
---|
1151 | BIO_printf(out, " static unsigned char %s_%d[] = {", var, len);
|
---|
1152 | if (BN_is_zero(in))
|
---|
1153 | BIO_printf(out, "\n\t0x00");
|
---|
1154 | else {
|
---|
1155 | int i, l;
|
---|
1156 |
|
---|
1157 | l = BN_bn2bin(in, buffer);
|
---|
1158 | for (i = 0; i < l; i++) {
|
---|
1159 | if ((i % 10) == 0)
|
---|
1160 | BIO_printf(out, "\n\t");
|
---|
1161 | if (i < l - 1)
|
---|
1162 | BIO_printf(out, "0x%02X, ", buffer[i]);
|
---|
1163 | else
|
---|
1164 | BIO_printf(out, "0x%02X", buffer[i]);
|
---|
1165 | }
|
---|
1166 | }
|
---|
1167 | BIO_printf(out, "\n };\n");
|
---|
1168 | }
|
---|
1169 | void print_array(BIO *out, const char* title, int len, const unsigned char* d)
|
---|
1170 | {
|
---|
1171 | int i;
|
---|
1172 |
|
---|
1173 | BIO_printf(out, "unsigned char %s[%d] = {", title, len);
|
---|
1174 | for (i = 0; i < len; i++) {
|
---|
1175 | if ((i % 10) == 0)
|
---|
1176 | BIO_printf(out, "\n ");
|
---|
1177 | if (i < len - 1)
|
---|
1178 | BIO_printf(out, "0x%02X, ", d[i]);
|
---|
1179 | else
|
---|
1180 | BIO_printf(out, "0x%02X", d[i]);
|
---|
1181 | }
|
---|
1182 | BIO_printf(out, "\n};\n");
|
---|
1183 | }
|
---|
1184 |
|
---|
1185 | X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, int noCApath)
|
---|
1186 | {
|
---|
1187 | X509_STORE *store = X509_STORE_new();
|
---|
1188 | X509_LOOKUP *lookup;
|
---|
1189 |
|
---|
1190 | if (store == NULL)
|
---|
1191 | goto end;
|
---|
1192 |
|
---|
1193 | if (CAfile != NULL || !noCAfile) {
|
---|
1194 | lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
|
---|
1195 | if (lookup == NULL)
|
---|
1196 | goto end;
|
---|
1197 | if (CAfile) {
|
---|
1198 | if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
|
---|
1199 | BIO_printf(bio_err, "Error loading file %s\n", CAfile);
|
---|
1200 | goto end;
|
---|
1201 | }
|
---|
1202 | } else
|
---|
1203 | X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
|
---|
1204 | }
|
---|
1205 |
|
---|
1206 | if (CApath != NULL || !noCApath) {
|
---|
1207 | lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
|
---|
1208 | if (lookup == NULL)
|
---|
1209 | goto end;
|
---|
1210 | if (CApath) {
|
---|
1211 | if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
|
---|
1212 | BIO_printf(bio_err, "Error loading directory %s\n", CApath);
|
---|
1213 | goto end;
|
---|
1214 | }
|
---|
1215 | } else
|
---|
1216 | X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
|
---|
1217 | }
|
---|
1218 |
|
---|
1219 | ERR_clear_error();
|
---|
1220 | return store;
|
---|
1221 | end:
|
---|
1222 | X509_STORE_free(store);
|
---|
1223 | return NULL;
|
---|
1224 | }
|
---|
1225 |
|
---|
1226 | #ifndef OPENSSL_NO_ENGINE
|
---|
1227 | /* Try to load an engine in a shareable library */
|
---|
1228 | static ENGINE *try_load_engine(const char *engine)
|
---|
1229 | {
|
---|
1230 | ENGINE *e = ENGINE_by_id("dynamic");
|
---|
1231 | if (e) {
|
---|
1232 | if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
|
---|
1233 | || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
|
---|
1234 | ENGINE_free(e);
|
---|
1235 | e = NULL;
|
---|
1236 | }
|
---|
1237 | }
|
---|
1238 | return e;
|
---|
1239 | }
|
---|
1240 | #endif
|
---|
1241 |
|
---|
1242 | ENGINE *setup_engine(const char *engine, int debug)
|
---|
1243 | {
|
---|
1244 | ENGINE *e = NULL;
|
---|
1245 |
|
---|
1246 | #ifndef OPENSSL_NO_ENGINE
|
---|
1247 | if (engine) {
|
---|
1248 | if (strcmp(engine, "auto") == 0) {
|
---|
1249 | BIO_printf(bio_err, "enabling auto ENGINE support\n");
|
---|
1250 | ENGINE_register_all_complete();
|
---|
1251 | return NULL;
|
---|
1252 | }
|
---|
1253 | if ((e = ENGINE_by_id(engine)) == NULL
|
---|
1254 | && (e = try_load_engine(engine)) == NULL) {
|
---|
1255 | BIO_printf(bio_err, "invalid engine \"%s\"\n", engine);
|
---|
1256 | ERR_print_errors(bio_err);
|
---|
1257 | return NULL;
|
---|
1258 | }
|
---|
1259 | if (debug) {
|
---|
1260 | ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
|
---|
1261 | }
|
---|
1262 | ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
|
---|
1263 | if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
|
---|
1264 | BIO_printf(bio_err, "can't use that engine\n");
|
---|
1265 | ERR_print_errors(bio_err);
|
---|
1266 | ENGINE_free(e);
|
---|
1267 | return NULL;
|
---|
1268 | }
|
---|
1269 |
|
---|
1270 | BIO_printf(bio_err, "engine \"%s\" set.\n", ENGINE_get_id(e));
|
---|
1271 | }
|
---|
1272 | #endif
|
---|
1273 | return e;
|
---|
1274 | }
|
---|
1275 |
|
---|
1276 | void release_engine(ENGINE *e)
|
---|
1277 | {
|
---|
1278 | #ifndef OPENSSL_NO_ENGINE
|
---|
1279 | if (e != NULL)
|
---|
1280 | /* Free our "structural" reference. */
|
---|
1281 | ENGINE_free(e);
|
---|
1282 | #endif
|
---|
1283 | }
|
---|
1284 |
|
---|
1285 | static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
|
---|
1286 | {
|
---|
1287 | const char *n;
|
---|
1288 |
|
---|
1289 | n = a[DB_serial];
|
---|
1290 | while (*n == '0')
|
---|
1291 | n++;
|
---|
1292 | return OPENSSL_LH_strhash(n);
|
---|
1293 | }
|
---|
1294 |
|
---|
1295 | static int index_serial_cmp(const OPENSSL_CSTRING *a,
|
---|
1296 | const OPENSSL_CSTRING *b)
|
---|
1297 | {
|
---|
1298 | const char *aa, *bb;
|
---|
1299 |
|
---|
1300 | for (aa = a[DB_serial]; *aa == '0'; aa++) ;
|
---|
1301 | for (bb = b[DB_serial]; *bb == '0'; bb++) ;
|
---|
1302 | return (strcmp(aa, bb));
|
---|
1303 | }
|
---|
1304 |
|
---|
1305 | static int index_name_qual(char **a)
|
---|
1306 | {
|
---|
1307 | return (a[0][0] == 'V');
|
---|
1308 | }
|
---|
1309 |
|
---|
1310 | static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
|
---|
1311 | {
|
---|
1312 | return OPENSSL_LH_strhash(a[DB_name]);
|
---|
1313 | }
|
---|
1314 |
|
---|
1315 | int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
|
---|
1316 | {
|
---|
1317 | return (strcmp(a[DB_name], b[DB_name]));
|
---|
1318 | }
|
---|
1319 |
|
---|
1320 | static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
|
---|
1321 | static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
|
---|
1322 | static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
|
---|
1323 | static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
|
---|
1324 | #undef BSIZE
|
---|
1325 | #define BSIZE 256
|
---|
1326 | BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai)
|
---|
1327 | {
|
---|
1328 | BIO *in = NULL;
|
---|
1329 | BIGNUM *ret = NULL;
|
---|
1330 | char buf[1024];
|
---|
1331 | ASN1_INTEGER *ai = NULL;
|
---|
1332 |
|
---|
1333 | ai = ASN1_INTEGER_new();
|
---|
1334 | if (ai == NULL)
|
---|
1335 | goto err;
|
---|
1336 |
|
---|
1337 | in = BIO_new_file(serialfile, "r");
|
---|
1338 | if (in == NULL) {
|
---|
1339 | if (!create) {
|
---|
1340 | perror(serialfile);
|
---|
1341 | goto err;
|
---|
1342 | }
|
---|
1343 | ERR_clear_error();
|
---|
1344 | ret = BN_new();
|
---|
1345 | if (ret == NULL || !rand_serial(ret, ai))
|
---|
1346 | BIO_printf(bio_err, "Out of memory\n");
|
---|
1347 | } else {
|
---|
1348 | if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
|
---|
1349 | BIO_printf(bio_err, "unable to load number from %s\n",
|
---|
1350 | serialfile);
|
---|
1351 | goto err;
|
---|
1352 | }
|
---|
1353 | ret = ASN1_INTEGER_to_BN(ai, NULL);
|
---|
1354 | if (ret == NULL) {
|
---|
1355 | BIO_printf(bio_err,
|
---|
1356 | "error converting number from bin to BIGNUM\n");
|
---|
1357 | goto err;
|
---|
1358 | }
|
---|
1359 | }
|
---|
1360 |
|
---|
1361 | if (ret && retai) {
|
---|
1362 | *retai = ai;
|
---|
1363 | ai = NULL;
|
---|
1364 | }
|
---|
1365 | err:
|
---|
1366 | BIO_free(in);
|
---|
1367 | ASN1_INTEGER_free(ai);
|
---|
1368 | return (ret);
|
---|
1369 | }
|
---|
1370 |
|
---|
1371 | int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial,
|
---|
1372 | ASN1_INTEGER **retai)
|
---|
1373 | {
|
---|
1374 | char buf[1][BSIZE];
|
---|
1375 | BIO *out = NULL;
|
---|
1376 | int ret = 0;
|
---|
1377 | ASN1_INTEGER *ai = NULL;
|
---|
1378 | int j;
|
---|
1379 |
|
---|
1380 | if (suffix == NULL)
|
---|
1381 | j = strlen(serialfile);
|
---|
1382 | else
|
---|
1383 | j = strlen(serialfile) + strlen(suffix) + 1;
|
---|
1384 | if (j >= BSIZE) {
|
---|
1385 | BIO_printf(bio_err, "file name too long\n");
|
---|
1386 | goto err;
|
---|
1387 | }
|
---|
1388 |
|
---|
1389 | if (suffix == NULL)
|
---|
1390 | OPENSSL_strlcpy(buf[0], serialfile, BSIZE);
|
---|
1391 | else {
|
---|
1392 | #ifndef OPENSSL_SYS_VMS
|
---|
1393 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
|
---|
1394 | #else
|
---|
1395 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
|
---|
1396 | #endif
|
---|
1397 | }
|
---|
1398 | out = BIO_new_file(buf[0], "w");
|
---|
1399 | if (out == NULL) {
|
---|
1400 | ERR_print_errors(bio_err);
|
---|
1401 | goto err;
|
---|
1402 | }
|
---|
1403 |
|
---|
1404 | if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
|
---|
1405 | BIO_printf(bio_err, "error converting serial to ASN.1 format\n");
|
---|
1406 | goto err;
|
---|
1407 | }
|
---|
1408 | i2a_ASN1_INTEGER(out, ai);
|
---|
1409 | BIO_puts(out, "\n");
|
---|
1410 | ret = 1;
|
---|
1411 | if (retai) {
|
---|
1412 | *retai = ai;
|
---|
1413 | ai = NULL;
|
---|
1414 | }
|
---|
1415 | err:
|
---|
1416 | BIO_free_all(out);
|
---|
1417 | ASN1_INTEGER_free(ai);
|
---|
1418 | return (ret);
|
---|
1419 | }
|
---|
1420 |
|
---|
1421 | int rotate_serial(const char *serialfile, const char *new_suffix,
|
---|
1422 | const char *old_suffix)
|
---|
1423 | {
|
---|
1424 | char buf[2][BSIZE];
|
---|
1425 | int i, j;
|
---|
1426 |
|
---|
1427 | i = strlen(serialfile) + strlen(old_suffix);
|
---|
1428 | j = strlen(serialfile) + strlen(new_suffix);
|
---|
1429 | if (i > j)
|
---|
1430 | j = i;
|
---|
1431 | if (j + 1 >= BSIZE) {
|
---|
1432 | BIO_printf(bio_err, "file name too long\n");
|
---|
1433 | goto err;
|
---|
1434 | }
|
---|
1435 | #ifndef OPENSSL_SYS_VMS
|
---|
1436 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
|
---|
1437 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
|
---|
1438 | #else
|
---|
1439 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
|
---|
1440 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
|
---|
1441 | #endif
|
---|
1442 | if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
|
---|
1443 | #ifdef ENOTDIR
|
---|
1444 | && errno != ENOTDIR
|
---|
1445 | #endif
|
---|
1446 | ) {
|
---|
1447 | BIO_printf(bio_err,
|
---|
1448 | "unable to rename %s to %s\n", serialfile, buf[1]);
|
---|
1449 | perror("reason");
|
---|
1450 | goto err;
|
---|
1451 | }
|
---|
1452 | if (rename(buf[0], serialfile) < 0) {
|
---|
1453 | BIO_printf(bio_err,
|
---|
1454 | "unable to rename %s to %s\n", buf[0], serialfile);
|
---|
1455 | perror("reason");
|
---|
1456 | rename(buf[1], serialfile);
|
---|
1457 | goto err;
|
---|
1458 | }
|
---|
1459 | return 1;
|
---|
1460 | err:
|
---|
1461 | return 0;
|
---|
1462 | }
|
---|
1463 |
|
---|
1464 | int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
|
---|
1465 | {
|
---|
1466 | BIGNUM *btmp;
|
---|
1467 | int ret = 0;
|
---|
1468 |
|
---|
1469 | if (b)
|
---|
1470 | btmp = b;
|
---|
1471 | else
|
---|
1472 | btmp = BN_new();
|
---|
1473 |
|
---|
1474 | if (btmp == NULL)
|
---|
1475 | return 0;
|
---|
1476 |
|
---|
1477 | if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
|
---|
1478 | goto error;
|
---|
1479 | if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
|
---|
1480 | goto error;
|
---|
1481 |
|
---|
1482 | ret = 1;
|
---|
1483 |
|
---|
1484 | error:
|
---|
1485 |
|
---|
1486 | if (btmp != b)
|
---|
1487 | BN_free(btmp);
|
---|
1488 |
|
---|
1489 | return ret;
|
---|
1490 | }
|
---|
1491 |
|
---|
1492 | CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr)
|
---|
1493 | {
|
---|
1494 | CA_DB *retdb = NULL;
|
---|
1495 | TXT_DB *tmpdb = NULL;
|
---|
1496 | BIO *in;
|
---|
1497 | CONF *dbattr_conf = NULL;
|
---|
1498 | char buf[BSIZE];
|
---|
1499 |
|
---|
1500 | in = BIO_new_file(dbfile, "r");
|
---|
1501 | if (in == NULL) {
|
---|
1502 | ERR_print_errors(bio_err);
|
---|
1503 | goto err;
|
---|
1504 | }
|
---|
1505 | if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
|
---|
1506 | goto err;
|
---|
1507 |
|
---|
1508 | #ifndef OPENSSL_SYS_VMS
|
---|
1509 | BIO_snprintf(buf, sizeof buf, "%s.attr", dbfile);
|
---|
1510 | #else
|
---|
1511 | BIO_snprintf(buf, sizeof buf, "%s-attr", dbfile);
|
---|
1512 | #endif
|
---|
1513 | dbattr_conf = app_load_config(buf);
|
---|
1514 |
|
---|
1515 | retdb = app_malloc(sizeof(*retdb), "new DB");
|
---|
1516 | retdb->db = tmpdb;
|
---|
1517 | tmpdb = NULL;
|
---|
1518 | if (db_attr)
|
---|
1519 | retdb->attributes = *db_attr;
|
---|
1520 | else {
|
---|
1521 | retdb->attributes.unique_subject = 1;
|
---|
1522 | }
|
---|
1523 |
|
---|
1524 | if (dbattr_conf) {
|
---|
1525 | char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
|
---|
1526 | if (p) {
|
---|
1527 | retdb->attributes.unique_subject = parse_yesno(p, 1);
|
---|
1528 | }
|
---|
1529 | }
|
---|
1530 |
|
---|
1531 | err:
|
---|
1532 | NCONF_free(dbattr_conf);
|
---|
1533 | TXT_DB_free(tmpdb);
|
---|
1534 | BIO_free_all(in);
|
---|
1535 | return retdb;
|
---|
1536 | }
|
---|
1537 |
|
---|
1538 | int index_index(CA_DB *db)
|
---|
1539 | {
|
---|
1540 | if (!TXT_DB_create_index(db->db, DB_serial, NULL,
|
---|
1541 | LHASH_HASH_FN(index_serial),
|
---|
1542 | LHASH_COMP_FN(index_serial))) {
|
---|
1543 | BIO_printf(bio_err,
|
---|
1544 | "error creating serial number index:(%ld,%ld,%ld)\n",
|
---|
1545 | db->db->error, db->db->arg1, db->db->arg2);
|
---|
1546 | return 0;
|
---|
1547 | }
|
---|
1548 |
|
---|
1549 | if (db->attributes.unique_subject
|
---|
1550 | && !TXT_DB_create_index(db->db, DB_name, index_name_qual,
|
---|
1551 | LHASH_HASH_FN(index_name),
|
---|
1552 | LHASH_COMP_FN(index_name))) {
|
---|
1553 | BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
|
---|
1554 | db->db->error, db->db->arg1, db->db->arg2);
|
---|
1555 | return 0;
|
---|
1556 | }
|
---|
1557 | return 1;
|
---|
1558 | }
|
---|
1559 |
|
---|
1560 | int save_index(const char *dbfile, const char *suffix, CA_DB *db)
|
---|
1561 | {
|
---|
1562 | char buf[3][BSIZE];
|
---|
1563 | BIO *out;
|
---|
1564 | int j;
|
---|
1565 |
|
---|
1566 | j = strlen(dbfile) + strlen(suffix);
|
---|
1567 | if (j + 6 >= BSIZE) {
|
---|
1568 | BIO_printf(bio_err, "file name too long\n");
|
---|
1569 | goto err;
|
---|
1570 | }
|
---|
1571 | #ifndef OPENSSL_SYS_VMS
|
---|
1572 | j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
|
---|
1573 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
|
---|
1574 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
|
---|
1575 | #else
|
---|
1576 | j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
|
---|
1577 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
|
---|
1578 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
|
---|
1579 | #endif
|
---|
1580 | out = BIO_new_file(buf[0], "w");
|
---|
1581 | if (out == NULL) {
|
---|
1582 | perror(dbfile);
|
---|
1583 | BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
|
---|
1584 | goto err;
|
---|
1585 | }
|
---|
1586 | j = TXT_DB_write(out, db->db);
|
---|
1587 | BIO_free(out);
|
---|
1588 | if (j <= 0)
|
---|
1589 | goto err;
|
---|
1590 |
|
---|
1591 | out = BIO_new_file(buf[1], "w");
|
---|
1592 | if (out == NULL) {
|
---|
1593 | perror(buf[2]);
|
---|
1594 | BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
|
---|
1595 | goto err;
|
---|
1596 | }
|
---|
1597 | BIO_printf(out, "unique_subject = %s\n",
|
---|
1598 | db->attributes.unique_subject ? "yes" : "no");
|
---|
1599 | BIO_free(out);
|
---|
1600 |
|
---|
1601 | return 1;
|
---|
1602 | err:
|
---|
1603 | return 0;
|
---|
1604 | }
|
---|
1605 |
|
---|
1606 | int rotate_index(const char *dbfile, const char *new_suffix,
|
---|
1607 | const char *old_suffix)
|
---|
1608 | {
|
---|
1609 | char buf[5][BSIZE];
|
---|
1610 | int i, j;
|
---|
1611 |
|
---|
1612 | i = strlen(dbfile) + strlen(old_suffix);
|
---|
1613 | j = strlen(dbfile) + strlen(new_suffix);
|
---|
1614 | if (i > j)
|
---|
1615 | j = i;
|
---|
1616 | if (j + 6 >= BSIZE) {
|
---|
1617 | BIO_printf(bio_err, "file name too long\n");
|
---|
1618 | goto err;
|
---|
1619 | }
|
---|
1620 | #ifndef OPENSSL_SYS_VMS
|
---|
1621 | j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
|
---|
1622 | j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
|
---|
1623 | j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
|
---|
1624 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
|
---|
1625 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
|
---|
1626 | #else
|
---|
1627 | j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
|
---|
1628 | j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
|
---|
1629 | j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
|
---|
1630 | j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
|
---|
1631 | j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
|
---|
1632 | #endif
|
---|
1633 | if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
|
---|
1634 | #ifdef ENOTDIR
|
---|
1635 | && errno != ENOTDIR
|
---|
1636 | #endif
|
---|
1637 | ) {
|
---|
1638 | BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]);
|
---|
1639 | perror("reason");
|
---|
1640 | goto err;
|
---|
1641 | }
|
---|
1642 | if (rename(buf[0], dbfile) < 0) {
|
---|
1643 | BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
|
---|
1644 | perror("reason");
|
---|
1645 | rename(buf[1], dbfile);
|
---|
1646 | goto err;
|
---|
1647 | }
|
---|
1648 | if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
|
---|
1649 | #ifdef ENOTDIR
|
---|
1650 | && errno != ENOTDIR
|
---|
1651 | #endif
|
---|
1652 | ) {
|
---|
1653 | BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]);
|
---|
1654 | perror("reason");
|
---|
1655 | rename(dbfile, buf[0]);
|
---|
1656 | rename(buf[1], dbfile);
|
---|
1657 | goto err;
|
---|
1658 | }
|
---|
1659 | if (rename(buf[2], buf[4]) < 0) {
|
---|
1660 | BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
|
---|
1661 | perror("reason");
|
---|
1662 | rename(buf[3], buf[4]);
|
---|
1663 | rename(dbfile, buf[0]);
|
---|
1664 | rename(buf[1], dbfile);
|
---|
1665 | goto err;
|
---|
1666 | }
|
---|
1667 | return 1;
|
---|
1668 | err:
|
---|
1669 | return 0;
|
---|
1670 | }
|
---|
1671 |
|
---|
1672 | void free_index(CA_DB *db)
|
---|
1673 | {
|
---|
1674 | if (db) {
|
---|
1675 | TXT_DB_free(db->db);
|
---|
1676 | OPENSSL_free(db);
|
---|
1677 | }
|
---|
1678 | }
|
---|
1679 |
|
---|
1680 | int parse_yesno(const char *str, int def)
|
---|
1681 | {
|
---|
1682 | if (str) {
|
---|
1683 | switch (*str) {
|
---|
1684 | case 'f': /* false */
|
---|
1685 | case 'F': /* FALSE */
|
---|
1686 | case 'n': /* no */
|
---|
1687 | case 'N': /* NO */
|
---|
1688 | case '0': /* 0 */
|
---|
1689 | return 0;
|
---|
1690 | case 't': /* true */
|
---|
1691 | case 'T': /* TRUE */
|
---|
1692 | case 'y': /* yes */
|
---|
1693 | case 'Y': /* YES */
|
---|
1694 | case '1': /* 1 */
|
---|
1695 | return 1;
|
---|
1696 | }
|
---|
1697 | }
|
---|
1698 | return def;
|
---|
1699 | }
|
---|
1700 |
|
---|
1701 | /*
|
---|
1702 | * name is expected to be in the format /type0=value0/type1=value1/type2=...
|
---|
1703 | * where characters may be escaped by \
|
---|
1704 | */
|
---|
1705 | X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
|
---|
1706 | {
|
---|
1707 | int nextismulti = 0;
|
---|
1708 | char *work;
|
---|
1709 | X509_NAME *n;
|
---|
1710 |
|
---|
1711 | if (*cp++ != '/')
|
---|
1712 | return NULL;
|
---|
1713 |
|
---|
1714 | n = X509_NAME_new();
|
---|
1715 | if (n == NULL)
|
---|
1716 | return NULL;
|
---|
1717 | work = OPENSSL_strdup(cp);
|
---|
1718 | if (work == NULL)
|
---|
1719 | goto err;
|
---|
1720 |
|
---|
1721 | while (*cp) {
|
---|
1722 | char *bp = work;
|
---|
1723 | char *typestr = bp;
|
---|
1724 | unsigned char *valstr;
|
---|
1725 | int nid;
|
---|
1726 | int ismulti = nextismulti;
|
---|
1727 | nextismulti = 0;
|
---|
1728 |
|
---|
1729 | /* Collect the type */
|
---|
1730 | while (*cp && *cp != '=')
|
---|
1731 | *bp++ = *cp++;
|
---|
1732 | if (*cp == '\0') {
|
---|
1733 | BIO_printf(bio_err,
|
---|
1734 | "%s: Hit end of string before finding the equals.\n",
|
---|
1735 | opt_getprog());
|
---|
1736 | goto err;
|
---|
1737 | }
|
---|
1738 | *bp++ = '\0';
|
---|
1739 | ++cp;
|
---|
1740 |
|
---|
1741 | /* Collect the value. */
|
---|
1742 | valstr = (unsigned char *)bp;
|
---|
1743 | for (; *cp && *cp != '/'; *bp++ = *cp++) {
|
---|
1744 | if (canmulti && *cp == '+') {
|
---|
1745 | nextismulti = 1;
|
---|
1746 | break;
|
---|
1747 | }
|
---|
1748 | if (*cp == '\\' && *++cp == '\0') {
|
---|
1749 | BIO_printf(bio_err,
|
---|
1750 | "%s: escape character at end of string\n",
|
---|
1751 | opt_getprog());
|
---|
1752 | goto err;
|
---|
1753 | }
|
---|
1754 | }
|
---|
1755 | *bp++ = '\0';
|
---|
1756 |
|
---|
1757 | /* If not at EOS (must be + or /), move forward. */
|
---|
1758 | if (*cp)
|
---|
1759 | ++cp;
|
---|
1760 |
|
---|
1761 | /* Parse */
|
---|
1762 | nid = OBJ_txt2nid(typestr);
|
---|
1763 | if (nid == NID_undef) {
|
---|
1764 | BIO_printf(bio_err, "%s: Skipping unknown attribute \"%s\"\n",
|
---|
1765 | opt_getprog(), typestr);
|
---|
1766 | continue;
|
---|
1767 | }
|
---|
1768 | if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
|
---|
1769 | valstr, strlen((char *)valstr),
|
---|
1770 | -1, ismulti ? -1 : 0))
|
---|
1771 | goto err;
|
---|
1772 | }
|
---|
1773 |
|
---|
1774 | OPENSSL_free(work);
|
---|
1775 | return n;
|
---|
1776 |
|
---|
1777 | err:
|
---|
1778 | X509_NAME_free(n);
|
---|
1779 | OPENSSL_free(work);
|
---|
1780 | return NULL;
|
---|
1781 | }
|
---|
1782 |
|
---|
1783 | /*
|
---|
1784 | * Read whole contents of a BIO into an allocated memory buffer and return
|
---|
1785 | * it.
|
---|
1786 | */
|
---|
1787 |
|
---|
1788 | int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
|
---|
1789 | {
|
---|
1790 | BIO *mem;
|
---|
1791 | int len, ret;
|
---|
1792 | unsigned char tbuf[1024];
|
---|
1793 |
|
---|
1794 | mem = BIO_new(BIO_s_mem());
|
---|
1795 | if (mem == NULL)
|
---|
1796 | return -1;
|
---|
1797 | for (;;) {
|
---|
1798 | if ((maxlen != -1) && maxlen < 1024)
|
---|
1799 | len = maxlen;
|
---|
1800 | else
|
---|
1801 | len = 1024;
|
---|
1802 | len = BIO_read(in, tbuf, len);
|
---|
1803 | if (len < 0) {
|
---|
1804 | BIO_free(mem);
|
---|
1805 | return -1;
|
---|
1806 | }
|
---|
1807 | if (len == 0)
|
---|
1808 | break;
|
---|
1809 | if (BIO_write(mem, tbuf, len) != len) {
|
---|
1810 | BIO_free(mem);
|
---|
1811 | return -1;
|
---|
1812 | }
|
---|
1813 | maxlen -= len;
|
---|
1814 |
|
---|
1815 | if (maxlen == 0)
|
---|
1816 | break;
|
---|
1817 | }
|
---|
1818 | ret = BIO_get_mem_data(mem, (char **)out);
|
---|
1819 | BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
|
---|
1820 | BIO_free(mem);
|
---|
1821 | return ret;
|
---|
1822 | }
|
---|
1823 |
|
---|
1824 | int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
|
---|
1825 | {
|
---|
1826 | int rv;
|
---|
1827 | char *stmp, *vtmp = NULL;
|
---|
1828 | stmp = OPENSSL_strdup(value);
|
---|
1829 | if (!stmp)
|
---|
1830 | return -1;
|
---|
1831 | vtmp = strchr(stmp, ':');
|
---|
1832 | if (vtmp) {
|
---|
1833 | *vtmp = 0;
|
---|
1834 | vtmp++;
|
---|
1835 | }
|
---|
1836 | rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
|
---|
1837 | OPENSSL_free(stmp);
|
---|
1838 | return rv;
|
---|
1839 | }
|
---|
1840 |
|
---|
1841 | static void nodes_print(const char *name, STACK_OF(X509_POLICY_NODE) *nodes)
|
---|
1842 | {
|
---|
1843 | X509_POLICY_NODE *node;
|
---|
1844 | int i;
|
---|
1845 |
|
---|
1846 | BIO_printf(bio_err, "%s Policies:", name);
|
---|
1847 | if (nodes) {
|
---|
1848 | BIO_puts(bio_err, "\n");
|
---|
1849 | for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
|
---|
1850 | node = sk_X509_POLICY_NODE_value(nodes, i);
|
---|
1851 | X509_POLICY_NODE_print(bio_err, node, 2);
|
---|
1852 | }
|
---|
1853 | } else
|
---|
1854 | BIO_puts(bio_err, " <empty>\n");
|
---|
1855 | }
|
---|
1856 |
|
---|
1857 | void policies_print(X509_STORE_CTX *ctx)
|
---|
1858 | {
|
---|
1859 | X509_POLICY_TREE *tree;
|
---|
1860 | int explicit_policy;
|
---|
1861 | tree = X509_STORE_CTX_get0_policy_tree(ctx);
|
---|
1862 | explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
|
---|
1863 |
|
---|
1864 | BIO_printf(bio_err, "Require explicit Policy: %s\n",
|
---|
1865 | explicit_policy ? "True" : "False");
|
---|
1866 |
|
---|
1867 | nodes_print("Authority", X509_policy_tree_get0_policies(tree));
|
---|
1868 | nodes_print("User", X509_policy_tree_get0_user_policies(tree));
|
---|
1869 | }
|
---|
1870 |
|
---|
1871 | /*-
|
---|
1872 | * next_protos_parse parses a comma separated list of strings into a string
|
---|
1873 | * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
|
---|
1874 | * outlen: (output) set to the length of the resulting buffer on success.
|
---|
1875 | * err: (maybe NULL) on failure, an error message line is written to this BIO.
|
---|
1876 | * in: a NUL terminated string like "abc,def,ghi"
|
---|
1877 | *
|
---|
1878 | * returns: a malloc'd buffer or NULL on failure.
|
---|
1879 | */
|
---|
1880 | unsigned char *next_protos_parse(size_t *outlen, const char *in)
|
---|
1881 | {
|
---|
1882 | size_t len;
|
---|
1883 | unsigned char *out;
|
---|
1884 | size_t i, start = 0;
|
---|
1885 |
|
---|
1886 | len = strlen(in);
|
---|
1887 | if (len >= 65535)
|
---|
1888 | return NULL;
|
---|
1889 |
|
---|
1890 | out = app_malloc(strlen(in) + 1, "NPN buffer");
|
---|
1891 | for (i = 0; i <= len; ++i) {
|
---|
1892 | if (i == len || in[i] == ',') {
|
---|
1893 | if (i - start > 255) {
|
---|
1894 | OPENSSL_free(out);
|
---|
1895 | return NULL;
|
---|
1896 | }
|
---|
1897 | out[start] = i - start;
|
---|
1898 | start = i + 1;
|
---|
1899 | } else
|
---|
1900 | out[i + 1] = in[i];
|
---|
1901 | }
|
---|
1902 |
|
---|
1903 | *outlen = len + 1;
|
---|
1904 | return out;
|
---|
1905 | }
|
---|
1906 |
|
---|
1907 | void print_cert_checks(BIO *bio, X509 *x,
|
---|
1908 | const char *checkhost,
|
---|
1909 | const char *checkemail, const char *checkip)
|
---|
1910 | {
|
---|
1911 | if (x == NULL)
|
---|
1912 | return;
|
---|
1913 | if (checkhost) {
|
---|
1914 | BIO_printf(bio, "Hostname %s does%s match certificate\n",
|
---|
1915 | checkhost,
|
---|
1916 | X509_check_host(x, checkhost, 0, 0, NULL) == 1
|
---|
1917 | ? "" : " NOT");
|
---|
1918 | }
|
---|
1919 |
|
---|
1920 | if (checkemail) {
|
---|
1921 | BIO_printf(bio, "Email %s does%s match certificate\n",
|
---|
1922 | checkemail, X509_check_email(x, checkemail, 0, 0)
|
---|
1923 | ? "" : " NOT");
|
---|
1924 | }
|
---|
1925 |
|
---|
1926 | if (checkip) {
|
---|
1927 | BIO_printf(bio, "IP %s does%s match certificate\n",
|
---|
1928 | checkip, X509_check_ip_asc(x, checkip, 0) ? "" : " NOT");
|
---|
1929 | }
|
---|
1930 | }
|
---|
1931 |
|
---|
1932 | /* Get first http URL from a DIST_POINT structure */
|
---|
1933 |
|
---|
1934 | static const char *get_dp_url(DIST_POINT *dp)
|
---|
1935 | {
|
---|
1936 | GENERAL_NAMES *gens;
|
---|
1937 | GENERAL_NAME *gen;
|
---|
1938 | int i, gtype;
|
---|
1939 | ASN1_STRING *uri;
|
---|
1940 | if (!dp->distpoint || dp->distpoint->type != 0)
|
---|
1941 | return NULL;
|
---|
1942 | gens = dp->distpoint->name.fullname;
|
---|
1943 | for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
|
---|
1944 | gen = sk_GENERAL_NAME_value(gens, i);
|
---|
1945 | uri = GENERAL_NAME_get0_value(gen, >ype);
|
---|
1946 | if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
|
---|
1947 | const char *uptr = (const char *)ASN1_STRING_get0_data(uri);
|
---|
1948 | if (strncmp(uptr, "http://", 7) == 0)
|
---|
1949 | return uptr;
|
---|
1950 | }
|
---|
1951 | }
|
---|
1952 | return NULL;
|
---|
1953 | }
|
---|
1954 |
|
---|
1955 | /*
|
---|
1956 | * Look through a CRLDP structure and attempt to find an http URL to
|
---|
1957 | * downloads a CRL from.
|
---|
1958 | */
|
---|
1959 |
|
---|
1960 | static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
|
---|
1961 | {
|
---|
1962 | int i;
|
---|
1963 | const char *urlptr = NULL;
|
---|
1964 | for (i = 0; i < sk_DIST_POINT_num(crldp); i++) {
|
---|
1965 | DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
|
---|
1966 | urlptr = get_dp_url(dp);
|
---|
1967 | if (urlptr)
|
---|
1968 | return load_crl(urlptr, FORMAT_HTTP);
|
---|
1969 | }
|
---|
1970 | return NULL;
|
---|
1971 | }
|
---|
1972 |
|
---|
1973 | /*
|
---|
1974 | * Example of downloading CRLs from CRLDP: not usable for real world as it
|
---|
1975 | * always downloads, doesn't support non-blocking I/O and doesn't cache
|
---|
1976 | * anything.
|
---|
1977 | */
|
---|
1978 |
|
---|
1979 | static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
|
---|
1980 | {
|
---|
1981 | X509 *x;
|
---|
1982 | STACK_OF(X509_CRL) *crls = NULL;
|
---|
1983 | X509_CRL *crl;
|
---|
1984 | STACK_OF(DIST_POINT) *crldp;
|
---|
1985 |
|
---|
1986 | crls = sk_X509_CRL_new_null();
|
---|
1987 | if (!crls)
|
---|
1988 | return NULL;
|
---|
1989 | x = X509_STORE_CTX_get_current_cert(ctx);
|
---|
1990 | crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
|
---|
1991 | crl = load_crl_crldp(crldp);
|
---|
1992 | sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
|
---|
1993 | if (!crl) {
|
---|
1994 | sk_X509_CRL_free(crls);
|
---|
1995 | return NULL;
|
---|
1996 | }
|
---|
1997 | sk_X509_CRL_push(crls, crl);
|
---|
1998 | /* Try to download delta CRL */
|
---|
1999 | crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
|
---|
2000 | crl = load_crl_crldp(crldp);
|
---|
2001 | sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
|
---|
2002 | if (crl)
|
---|
2003 | sk_X509_CRL_push(crls, crl);
|
---|
2004 | return crls;
|
---|
2005 | }
|
---|
2006 |
|
---|
2007 | void store_setup_crl_download(X509_STORE *st)
|
---|
2008 | {
|
---|
2009 | X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
|
---|
2010 | }
|
---|
2011 |
|
---|
2012 | /*
|
---|
2013 | * Platform-specific sections
|
---|
2014 | */
|
---|
2015 | #if defined(_WIN32)
|
---|
2016 | # ifdef fileno
|
---|
2017 | # undef fileno
|
---|
2018 | # define fileno(a) (int)_fileno(a)
|
---|
2019 | # endif
|
---|
2020 |
|
---|
2021 | # include <windows.h>
|
---|
2022 | # include <tchar.h>
|
---|
2023 |
|
---|
2024 | static int WIN32_rename(const char *from, const char *to)
|
---|
2025 | {
|
---|
2026 | TCHAR *tfrom = NULL, *tto;
|
---|
2027 | DWORD err;
|
---|
2028 | int ret = 0;
|
---|
2029 |
|
---|
2030 | if (sizeof(TCHAR) == 1) {
|
---|
2031 | tfrom = (TCHAR *)from;
|
---|
2032 | tto = (TCHAR *)to;
|
---|
2033 | } else { /* UNICODE path */
|
---|
2034 |
|
---|
2035 | size_t i, flen = strlen(from) + 1, tlen = strlen(to) + 1;
|
---|
2036 | tfrom = malloc(sizeof(*tfrom) * (flen + tlen));
|
---|
2037 | if (tfrom == NULL)
|
---|
2038 | goto err;
|
---|
2039 | tto = tfrom + flen;
|
---|
2040 | # if !defined(_WIN32_WCE) || _WIN32_WCE>=101
|
---|
2041 | if (!MultiByteToWideChar(CP_ACP, 0, from, flen, (WCHAR *)tfrom, flen))
|
---|
2042 | # endif
|
---|
2043 | for (i = 0; i < flen; i++)
|
---|
2044 | tfrom[i] = (TCHAR)from[i];
|
---|
2045 | # if !defined(_WIN32_WCE) || _WIN32_WCE>=101
|
---|
2046 | if (!MultiByteToWideChar(CP_ACP, 0, to, tlen, (WCHAR *)tto, tlen))
|
---|
2047 | # endif
|
---|
2048 | for (i = 0; i < tlen; i++)
|
---|
2049 | tto[i] = (TCHAR)to[i];
|
---|
2050 | }
|
---|
2051 |
|
---|
2052 | if (MoveFile(tfrom, tto))
|
---|
2053 | goto ok;
|
---|
2054 | err = GetLastError();
|
---|
2055 | if (err == ERROR_ALREADY_EXISTS || err == ERROR_FILE_EXISTS) {
|
---|
2056 | if (DeleteFile(tto) && MoveFile(tfrom, tto))
|
---|
2057 | goto ok;
|
---|
2058 | err = GetLastError();
|
---|
2059 | }
|
---|
2060 | if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND)
|
---|
2061 | errno = ENOENT;
|
---|
2062 | else if (err == ERROR_ACCESS_DENIED)
|
---|
2063 | errno = EACCES;
|
---|
2064 | else
|
---|
2065 | errno = EINVAL; /* we could map more codes... */
|
---|
2066 | err:
|
---|
2067 | ret = -1;
|
---|
2068 | ok:
|
---|
2069 | if (tfrom != NULL && tfrom != (TCHAR *)from)
|
---|
2070 | free(tfrom);
|
---|
2071 | return ret;
|
---|
2072 | }
|
---|
2073 | #endif
|
---|
2074 |
|
---|
2075 | /* app_tminterval section */
|
---|
2076 | #if defined(_WIN32)
|
---|
2077 | double app_tminterval(int stop, int usertime)
|
---|
2078 | {
|
---|
2079 | FILETIME now;
|
---|
2080 | double ret = 0;
|
---|
2081 | static ULARGE_INTEGER tmstart;
|
---|
2082 | static int warning = 1;
|
---|
2083 | # ifdef _WIN32_WINNT
|
---|
2084 | static HANDLE proc = NULL;
|
---|
2085 |
|
---|
2086 | if (proc == NULL) {
|
---|
2087 | if (check_winnt())
|
---|
2088 | proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
|
---|
2089 | GetCurrentProcessId());
|
---|
2090 | if (proc == NULL)
|
---|
2091 | proc = (HANDLE) - 1;
|
---|
2092 | }
|
---|
2093 |
|
---|
2094 | if (usertime && proc != (HANDLE) - 1) {
|
---|
2095 | FILETIME junk;
|
---|
2096 | GetProcessTimes(proc, &junk, &junk, &junk, &now);
|
---|
2097 | } else
|
---|
2098 | # endif
|
---|
2099 | {
|
---|
2100 | SYSTEMTIME systime;
|
---|
2101 |
|
---|
2102 | if (usertime && warning) {
|
---|
2103 | BIO_printf(bio_err, "To get meaningful results, run "
|
---|
2104 | "this program on idle system.\n");
|
---|
2105 | warning = 0;
|
---|
2106 | }
|
---|
2107 | GetSystemTime(&systime);
|
---|
2108 | SystemTimeToFileTime(&systime, &now);
|
---|
2109 | }
|
---|
2110 |
|
---|
2111 | if (stop == TM_START) {
|
---|
2112 | tmstart.u.LowPart = now.dwLowDateTime;
|
---|
2113 | tmstart.u.HighPart = now.dwHighDateTime;
|
---|
2114 | } else {
|
---|
2115 | ULARGE_INTEGER tmstop;
|
---|
2116 |
|
---|
2117 | tmstop.u.LowPart = now.dwLowDateTime;
|
---|
2118 | tmstop.u.HighPart = now.dwHighDateTime;
|
---|
2119 |
|
---|
2120 | ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart) * 1e-7;
|
---|
2121 | }
|
---|
2122 |
|
---|
2123 | return (ret);
|
---|
2124 | }
|
---|
2125 | #elif defined(OPENSSL_SYSTEM_VXWORKS)
|
---|
2126 | # include <time.h>
|
---|
2127 |
|
---|
2128 | double app_tminterval(int stop, int usertime)
|
---|
2129 | {
|
---|
2130 | double ret = 0;
|
---|
2131 | # ifdef CLOCK_REALTIME
|
---|
2132 | static struct timespec tmstart;
|
---|
2133 | struct timespec now;
|
---|
2134 | # else
|
---|
2135 | static unsigned long tmstart;
|
---|
2136 | unsigned long now;
|
---|
2137 | # endif
|
---|
2138 | static int warning = 1;
|
---|
2139 |
|
---|
2140 | if (usertime && warning) {
|
---|
2141 | BIO_printf(bio_err, "To get meaningful results, run "
|
---|
2142 | "this program on idle system.\n");
|
---|
2143 | warning = 0;
|
---|
2144 | }
|
---|
2145 | # ifdef CLOCK_REALTIME
|
---|
2146 | clock_gettime(CLOCK_REALTIME, &now);
|
---|
2147 | if (stop == TM_START)
|
---|
2148 | tmstart = now;
|
---|
2149 | else
|
---|
2150 | ret = ((now.tv_sec + now.tv_nsec * 1e-9)
|
---|
2151 | - (tmstart.tv_sec + tmstart.tv_nsec * 1e-9));
|
---|
2152 | # else
|
---|
2153 | now = tickGet();
|
---|
2154 | if (stop == TM_START)
|
---|
2155 | tmstart = now;
|
---|
2156 | else
|
---|
2157 | ret = (now - tmstart) / (double)sysClkRateGet();
|
---|
2158 | # endif
|
---|
2159 | return (ret);
|
---|
2160 | }
|
---|
2161 |
|
---|
2162 | #elif defined(OPENSSL_SYSTEM_VMS)
|
---|
2163 | # include <time.h>
|
---|
2164 | # include <times.h>
|
---|
2165 |
|
---|
2166 | double app_tminterval(int stop, int usertime)
|
---|
2167 | {
|
---|
2168 | static clock_t tmstart;
|
---|
2169 | double ret = 0;
|
---|
2170 | clock_t now;
|
---|
2171 | # ifdef __TMS
|
---|
2172 | struct tms rus;
|
---|
2173 |
|
---|
2174 | now = times(&rus);
|
---|
2175 | if (usertime)
|
---|
2176 | now = rus.tms_utime;
|
---|
2177 | # else
|
---|
2178 | if (usertime)
|
---|
2179 | now = clock(); /* sum of user and kernel times */
|
---|
2180 | else {
|
---|
2181 | struct timeval tv;
|
---|
2182 | gettimeofday(&tv, NULL);
|
---|
2183 | now = (clock_t)((unsigned long long)tv.tv_sec * CLK_TCK +
|
---|
2184 | (unsigned long long)tv.tv_usec * (1000000 / CLK_TCK)
|
---|
2185 | );
|
---|
2186 | }
|
---|
2187 | # endif
|
---|
2188 | if (stop == TM_START)
|
---|
2189 | tmstart = now;
|
---|
2190 | else
|
---|
2191 | ret = (now - tmstart) / (double)(CLK_TCK);
|
---|
2192 |
|
---|
2193 | return (ret);
|
---|
2194 | }
|
---|
2195 |
|
---|
2196 | #elif defined(_SC_CLK_TCK) /* by means of unistd.h */
|
---|
2197 | # include <sys/times.h>
|
---|
2198 |
|
---|
2199 | double app_tminterval(int stop, int usertime)
|
---|
2200 | {
|
---|
2201 | double ret = 0;
|
---|
2202 | struct tms rus;
|
---|
2203 | clock_t now = times(&rus);
|
---|
2204 | static clock_t tmstart;
|
---|
2205 |
|
---|
2206 | if (usertime)
|
---|
2207 | now = rus.tms_utime;
|
---|
2208 |
|
---|
2209 | if (stop == TM_START)
|
---|
2210 | tmstart = now;
|
---|
2211 | else {
|
---|
2212 | long int tck = sysconf(_SC_CLK_TCK);
|
---|
2213 | ret = (now - tmstart) / (double)tck;
|
---|
2214 | }
|
---|
2215 |
|
---|
2216 | return (ret);
|
---|
2217 | }
|
---|
2218 |
|
---|
2219 | #else
|
---|
2220 | # include <sys/time.h>
|
---|
2221 | # include <sys/resource.h>
|
---|
2222 |
|
---|
2223 | double app_tminterval(int stop, int usertime)
|
---|
2224 | {
|
---|
2225 | double ret = 0;
|
---|
2226 | struct rusage rus;
|
---|
2227 | struct timeval now;
|
---|
2228 | static struct timeval tmstart;
|
---|
2229 |
|
---|
2230 | if (usertime)
|
---|
2231 | getrusage(RUSAGE_SELF, &rus), now = rus.ru_utime;
|
---|
2232 | else
|
---|
2233 | gettimeofday(&now, NULL);
|
---|
2234 |
|
---|
2235 | if (stop == TM_START)
|
---|
2236 | tmstart = now;
|
---|
2237 | else
|
---|
2238 | ret = ((now.tv_sec + now.tv_usec * 1e-6)
|
---|
2239 | - (tmstart.tv_sec + tmstart.tv_usec * 1e-6));
|
---|
2240 |
|
---|
2241 | return ret;
|
---|
2242 | }
|
---|
2243 | #endif
|
---|
2244 |
|
---|
2245 | int app_access(const char* name, int flag)
|
---|
2246 | {
|
---|
2247 | #ifdef _WIN32
|
---|
2248 | return _access(name, flag);
|
---|
2249 | #else
|
---|
2250 | return access(name, flag);
|
---|
2251 | #endif
|
---|
2252 | }
|
---|
2253 |
|
---|
2254 | /* app_isdir section */
|
---|
2255 | #ifdef _WIN32
|
---|
2256 | int app_isdir(const char *name)
|
---|
2257 | {
|
---|
2258 | HANDLE hList;
|
---|
2259 | WIN32_FIND_DATA FileData;
|
---|
2260 | # if defined(UNICODE) || defined(_UNICODE)
|
---|
2261 | size_t i, len_0 = strlen(name) + 1;
|
---|
2262 |
|
---|
2263 | if (len_0 > OSSL_NELEM(FileData.cFileName))
|
---|
2264 | return -1;
|
---|
2265 |
|
---|
2266 | # if !defined(_WIN32_WCE) || _WIN32_WCE>=101
|
---|
2267 | if (!MultiByteToWideChar
|
---|
2268 | (CP_ACP, 0, name, len_0, FileData.cFileName, len_0))
|
---|
2269 | # endif
|
---|
2270 | for (i = 0; i < len_0; i++)
|
---|
2271 | FileData.cFileName[i] = (WCHAR)name[i];
|
---|
2272 |
|
---|
2273 | hList = FindFirstFile(FileData.cFileName, &FileData);
|
---|
2274 | # else
|
---|
2275 | hList = FindFirstFile(name, &FileData);
|
---|
2276 | # endif
|
---|
2277 | if (hList == INVALID_HANDLE_VALUE)
|
---|
2278 | return -1;
|
---|
2279 | FindClose(hList);
|
---|
2280 | return ((FileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0);
|
---|
2281 | }
|
---|
2282 | #else
|
---|
2283 | # include <sys/stat.h>
|
---|
2284 | # ifndef S_ISDIR
|
---|
2285 | # if defined(_S_IFMT) && defined(_S_IFDIR)
|
---|
2286 | # define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
|
---|
2287 | # else
|
---|
2288 | # define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
|
---|
2289 | # endif
|
---|
2290 | # endif
|
---|
2291 |
|
---|
2292 | int app_isdir(const char *name)
|
---|
2293 | {
|
---|
2294 | # if defined(S_ISDIR)
|
---|
2295 | struct stat st;
|
---|
2296 |
|
---|
2297 | if (stat(name, &st) == 0)
|
---|
2298 | return S_ISDIR(st.st_mode);
|
---|
2299 | else
|
---|
2300 | return -1;
|
---|
2301 | # else
|
---|
2302 | return -1;
|
---|
2303 | # endif
|
---|
2304 | }
|
---|
2305 | #endif
|
---|
2306 |
|
---|
2307 | /* raw_read|write section */
|
---|
2308 | #if defined(__VMS)
|
---|
2309 | # include "vms_term_sock.h"
|
---|
2310 | static int stdin_sock = -1;
|
---|
2311 |
|
---|
2312 | static void close_stdin_sock(void)
|
---|
2313 | {
|
---|
2314 | TerminalSocket (TERM_SOCK_DELETE, &stdin_sock);
|
---|
2315 | }
|
---|
2316 |
|
---|
2317 | int fileno_stdin(void)
|
---|
2318 | {
|
---|
2319 | if (stdin_sock == -1) {
|
---|
2320 | TerminalSocket(TERM_SOCK_CREATE, &stdin_sock);
|
---|
2321 | atexit(close_stdin_sock);
|
---|
2322 | }
|
---|
2323 |
|
---|
2324 | return stdin_sock;
|
---|
2325 | }
|
---|
2326 | #else
|
---|
2327 | int fileno_stdin(void)
|
---|
2328 | {
|
---|
2329 | return fileno(stdin);
|
---|
2330 | }
|
---|
2331 | #endif
|
---|
2332 |
|
---|
2333 | int fileno_stdout(void)
|
---|
2334 | {
|
---|
2335 | return fileno(stdout);
|
---|
2336 | }
|
---|
2337 |
|
---|
2338 | #if defined(_WIN32) && defined(STD_INPUT_HANDLE)
|
---|
2339 | int raw_read_stdin(void *buf, int siz)
|
---|
2340 | {
|
---|
2341 | DWORD n;
|
---|
2342 | if (ReadFile(GetStdHandle(STD_INPUT_HANDLE), buf, siz, &n, NULL))
|
---|
2343 | return (n);
|
---|
2344 | else
|
---|
2345 | return (-1);
|
---|
2346 | }
|
---|
2347 | #elif defined(__VMS)
|
---|
2348 | #include <sys/socket.h>
|
---|
2349 |
|
---|
2350 | int raw_read_stdin(void *buf, int siz)
|
---|
2351 | {
|
---|
2352 | return recv(fileno_stdin(), buf, siz, 0);
|
---|
2353 | }
|
---|
2354 | #else
|
---|
2355 | int raw_read_stdin(void *buf, int siz)
|
---|
2356 | {
|
---|
2357 | return read(fileno_stdin(), buf, siz);
|
---|
2358 | }
|
---|
2359 | #endif
|
---|
2360 |
|
---|
2361 | #if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
|
---|
2362 | int raw_write_stdout(const void *buf, int siz)
|
---|
2363 | {
|
---|
2364 | DWORD n;
|
---|
2365 | if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), buf, siz, &n, NULL))
|
---|
2366 | return (n);
|
---|
2367 | else
|
---|
2368 | return (-1);
|
---|
2369 | }
|
---|
2370 | #else
|
---|
2371 | int raw_write_stdout(const void *buf, int siz)
|
---|
2372 | {
|
---|
2373 | return write(fileno_stdout(), buf, siz);
|
---|
2374 | }
|
---|
2375 | #endif
|
---|
2376 |
|
---|
2377 | /*
|
---|
2378 | * Centralized handling if input and output files with format specification
|
---|
2379 | * The format is meant to show what the input and output is supposed to be,
|
---|
2380 | * and is therefore a show of intent more than anything else. However, it
|
---|
2381 | * does impact behavior on some platform, such as differentiating between
|
---|
2382 | * text and binary input/output on non-Unix platforms
|
---|
2383 | */
|
---|
2384 | static int istext(int format)
|
---|
2385 | {
|
---|
2386 | return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT;
|
---|
2387 | }
|
---|
2388 |
|
---|
2389 | BIO *dup_bio_in(int format)
|
---|
2390 | {
|
---|
2391 | return BIO_new_fp(stdin,
|
---|
2392 | BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
|
---|
2393 | }
|
---|
2394 |
|
---|
2395 | BIO *dup_bio_out(int format)
|
---|
2396 | {
|
---|
2397 | BIO *b = BIO_new_fp(stdout,
|
---|
2398 | BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
|
---|
2399 | #ifdef OPENSSL_SYS_VMS
|
---|
2400 | if (istext(format))
|
---|
2401 | b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
|
---|
2402 | #endif
|
---|
2403 | return b;
|
---|
2404 | }
|
---|
2405 |
|
---|
2406 | BIO *dup_bio_err(int format)
|
---|
2407 | {
|
---|
2408 | BIO *b = BIO_new_fp(stderr,
|
---|
2409 | BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
|
---|
2410 | #ifdef OPENSSL_SYS_VMS
|
---|
2411 | if (istext(format))
|
---|
2412 | b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
|
---|
2413 | #endif
|
---|
2414 | return b;
|
---|
2415 | }
|
---|
2416 |
|
---|
2417 | void unbuffer(FILE *fp)
|
---|
2418 | {
|
---|
2419 | /*
|
---|
2420 | * On VMS, setbuf() will only take 32-bit pointers, and a compilation
|
---|
2421 | * with /POINTER_SIZE=64 will give off a MAYLOSEDATA2 warning here.
|
---|
2422 | * However, we trust that the C RTL will never give us a FILE pointer
|
---|
2423 | * above the first 4 GB of memory, so we simply turn off the warning
|
---|
2424 | * temporarily.
|
---|
2425 | */
|
---|
2426 | #if defined(OPENSSL_SYS_VMS) && defined(__DECC)
|
---|
2427 | # pragma environment save
|
---|
2428 | # pragma message disable maylosedata2
|
---|
2429 | #endif
|
---|
2430 | setbuf(fp, NULL);
|
---|
2431 | #if defined(OPENSSL_SYS_VMS) && defined(__DECC)
|
---|
2432 | # pragma environment restore
|
---|
2433 | #endif
|
---|
2434 | }
|
---|
2435 |
|
---|
2436 | static const char *modestr(char mode, int format)
|
---|
2437 | {
|
---|
2438 | OPENSSL_assert(mode == 'a' || mode == 'r' || mode == 'w');
|
---|
2439 |
|
---|
2440 | switch (mode) {
|
---|
2441 | case 'a':
|
---|
2442 | return istext(format) ? "a" : "ab";
|
---|
2443 | case 'r':
|
---|
2444 | return istext(format) ? "r" : "rb";
|
---|
2445 | case 'w':
|
---|
2446 | return istext(format) ? "w" : "wb";
|
---|
2447 | }
|
---|
2448 | /* The assert above should make sure we never reach this point */
|
---|
2449 | return NULL;
|
---|
2450 | }
|
---|
2451 |
|
---|
2452 | static const char *modeverb(char mode)
|
---|
2453 | {
|
---|
2454 | switch (mode) {
|
---|
2455 | case 'a':
|
---|
2456 | return "appending";
|
---|
2457 | case 'r':
|
---|
2458 | return "reading";
|
---|
2459 | case 'w':
|
---|
2460 | return "writing";
|
---|
2461 | }
|
---|
2462 | return "(doing something)";
|
---|
2463 | }
|
---|
2464 |
|
---|
2465 | /*
|
---|
2466 | * Open a file for writing, owner-read-only.
|
---|
2467 | */
|
---|
2468 | BIO *bio_open_owner(const char *filename, int format, int private)
|
---|
2469 | {
|
---|
2470 | FILE *fp = NULL;
|
---|
2471 | BIO *b = NULL;
|
---|
2472 | int fd = -1, bflags, mode, textmode;
|
---|
2473 |
|
---|
2474 | if (!private || filename == NULL || strcmp(filename, "-") == 0)
|
---|
2475 | return bio_open_default(filename, 'w', format);
|
---|
2476 |
|
---|
2477 | mode = O_WRONLY;
|
---|
2478 | #ifdef O_CREAT
|
---|
2479 | mode |= O_CREAT;
|
---|
2480 | #endif
|
---|
2481 | #ifdef O_TRUNC
|
---|
2482 | mode |= O_TRUNC;
|
---|
2483 | #endif
|
---|
2484 | textmode = istext(format);
|
---|
2485 | if (!textmode) {
|
---|
2486 | #ifdef O_BINARY
|
---|
2487 | mode |= O_BINARY;
|
---|
2488 | #elif defined(_O_BINARY)
|
---|
2489 | mode |= _O_BINARY;
|
---|
2490 | #endif
|
---|
2491 | }
|
---|
2492 |
|
---|
2493 | #ifdef OPENSSL_SYS_VMS
|
---|
2494 | /* VMS doesn't have O_BINARY, it just doesn't make sense. But,
|
---|
2495 | * it still needs to know that we're going binary, or fdopen()
|
---|
2496 | * will fail with "invalid argument"... so we tell VMS what the
|
---|
2497 | * context is.
|
---|
2498 | */
|
---|
2499 | if (!textmode)
|
---|
2500 | fd = open(filename, mode, 0600, "ctx=bin");
|
---|
2501 | else
|
---|
2502 | #endif
|
---|
2503 | fd = open(filename, mode, 0600);
|
---|
2504 | if (fd < 0)
|
---|
2505 | goto err;
|
---|
2506 | fp = fdopen(fd, modestr('w', format));
|
---|
2507 | if (fp == NULL)
|
---|
2508 | goto err;
|
---|
2509 | bflags = BIO_CLOSE;
|
---|
2510 | if (textmode)
|
---|
2511 | bflags |= BIO_FP_TEXT;
|
---|
2512 | b = BIO_new_fp(fp, bflags);
|
---|
2513 | if (b)
|
---|
2514 | return b;
|
---|
2515 |
|
---|
2516 | err:
|
---|
2517 | BIO_printf(bio_err, "%s: Can't open \"%s\" for writing, %s\n",
|
---|
2518 | opt_getprog(), filename, strerror(errno));
|
---|
2519 | ERR_print_errors(bio_err);
|
---|
2520 | /* If we have fp, then fdopen took over fd, so don't close both. */
|
---|
2521 | if (fp)
|
---|
2522 | fclose(fp);
|
---|
2523 | else if (fd >= 0)
|
---|
2524 | close(fd);
|
---|
2525 | return NULL;
|
---|
2526 | }
|
---|
2527 |
|
---|
2528 | static BIO *bio_open_default_(const char *filename, char mode, int format,
|
---|
2529 | int quiet)
|
---|
2530 | {
|
---|
2531 | BIO *ret;
|
---|
2532 |
|
---|
2533 | if (filename == NULL || strcmp(filename, "-") == 0) {
|
---|
2534 | ret = mode == 'r' ? dup_bio_in(format) : dup_bio_out(format);
|
---|
2535 | if (quiet) {
|
---|
2536 | ERR_clear_error();
|
---|
2537 | return ret;
|
---|
2538 | }
|
---|
2539 | if (ret != NULL)
|
---|
2540 | return ret;
|
---|
2541 | BIO_printf(bio_err,
|
---|
2542 | "Can't open %s, %s\n",
|
---|
2543 | mode == 'r' ? "stdin" : "stdout", strerror(errno));
|
---|
2544 | } else {
|
---|
2545 | ret = BIO_new_file(filename, modestr(mode, format));
|
---|
2546 | if (quiet) {
|
---|
2547 | ERR_clear_error();
|
---|
2548 | return ret;
|
---|
2549 | }
|
---|
2550 | if (ret != NULL)
|
---|
2551 | return ret;
|
---|
2552 | BIO_printf(bio_err,
|
---|
2553 | "Can't open %s for %s, %s\n",
|
---|
2554 | filename, modeverb(mode), strerror(errno));
|
---|
2555 | }
|
---|
2556 | ERR_print_errors(bio_err);
|
---|
2557 | return NULL;
|
---|
2558 | }
|
---|
2559 |
|
---|
2560 | BIO *bio_open_default(const char *filename, char mode, int format)
|
---|
2561 | {
|
---|
2562 | return bio_open_default_(filename, mode, format, 0);
|
---|
2563 | }
|
---|
2564 |
|
---|
2565 | BIO *bio_open_default_quiet(const char *filename, char mode, int format)
|
---|
2566 | {
|
---|
2567 | return bio_open_default_(filename, mode, format, 1);
|
---|
2568 | }
|
---|
2569 |
|
---|
2570 | void wait_for_async(SSL *s)
|
---|
2571 | {
|
---|
2572 | /* On Windows select only works for sockets, so we simply don't wait */
|
---|
2573 | #ifndef OPENSSL_SYS_WINDOWS
|
---|
2574 | int width = 0;
|
---|
2575 | fd_set asyncfds;
|
---|
2576 | OSSL_ASYNC_FD *fds;
|
---|
2577 | size_t numfds;
|
---|
2578 |
|
---|
2579 | if (!SSL_get_all_async_fds(s, NULL, &numfds))
|
---|
2580 | return;
|
---|
2581 | if (numfds == 0)
|
---|
2582 | return;
|
---|
2583 | fds = app_malloc(sizeof(OSSL_ASYNC_FD) * numfds, "allocate async fds");
|
---|
2584 | if (!SSL_get_all_async_fds(s, fds, &numfds)) {
|
---|
2585 | OPENSSL_free(fds);
|
---|
2586 | }
|
---|
2587 |
|
---|
2588 | FD_ZERO(&asyncfds);
|
---|
2589 | while (numfds > 0) {
|
---|
2590 | if (width <= (int)*fds)
|
---|
2591 | width = (int)*fds + 1;
|
---|
2592 | openssl_fdset((int)*fds, &asyncfds);
|
---|
2593 | numfds--;
|
---|
2594 | fds++;
|
---|
2595 | }
|
---|
2596 | select(width, (void *)&asyncfds, NULL, NULL, NULL);
|
---|
2597 | #endif
|
---|
2598 | }
|
---|
2599 |
|
---|
2600 | /* if OPENSSL_SYS_WINDOWS is defined then so is OPENSSL_SYS_MSDOS */
|
---|
2601 | #if defined(OPENSSL_SYS_MSDOS)
|
---|
2602 | int has_stdin_waiting(void)
|
---|
2603 | {
|
---|
2604 | # if defined(OPENSSL_SYS_WINDOWS)
|
---|
2605 | HANDLE inhand = GetStdHandle(STD_INPUT_HANDLE);
|
---|
2606 | DWORD events = 0;
|
---|
2607 | INPUT_RECORD inputrec;
|
---|
2608 | DWORD insize = 1;
|
---|
2609 | BOOL peeked;
|
---|
2610 |
|
---|
2611 | if (inhand == INVALID_HANDLE_VALUE) {
|
---|
2612 | return 0;
|
---|
2613 | }
|
---|
2614 |
|
---|
2615 | peeked = PeekConsoleInput(inhand, &inputrec, insize, &events);
|
---|
2616 | if (!peeked) {
|
---|
2617 | /* Probably redirected input? _kbhit() does not work in this case */
|
---|
2618 | if (!feof(stdin)) {
|
---|
2619 | return 1;
|
---|
2620 | }
|
---|
2621 | return 0;
|
---|
2622 | }
|
---|
2623 | # endif
|
---|
2624 | return _kbhit();
|
---|
2625 | }
|
---|
2626 | #endif
|
---|
2627 |
|
---|
2628 | /* Corrupt a signature by modifying final byte */
|
---|
2629 | void corrupt_signature(const ASN1_STRING *signature)
|
---|
2630 | {
|
---|
2631 | unsigned char *s = signature->data;
|
---|
2632 | s[signature->length - 1] ^= 0x1;
|
---|
2633 | }
|
---|
2634 |
|
---|
2635 | int set_cert_times(X509 *x, const char *startdate, const char *enddate,
|
---|
2636 | int days)
|
---|
2637 | {
|
---|
2638 | if (startdate == NULL || strcmp(startdate, "today") == 0) {
|
---|
2639 | if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL)
|
---|
2640 | return 0;
|
---|
2641 | } else {
|
---|
2642 | if (!ASN1_TIME_set_string(X509_getm_notBefore(x), startdate))
|
---|
2643 | return 0;
|
---|
2644 | }
|
---|
2645 | if (enddate == NULL) {
|
---|
2646 | if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL)
|
---|
2647 | == NULL)
|
---|
2648 | return 0;
|
---|
2649 | } else if (!ASN1_TIME_set_string(X509_getm_notAfter(x), enddate)) {
|
---|
2650 | return 0;
|
---|
2651 | }
|
---|
2652 | return 1;
|
---|
2653 | }
|
---|