1/* 2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS) 11/* 12 * On VMS, you need to define this to get the declaration of fileno(). The 13 * value 2 is to make sure no function defined in POSIX-2 is left undefined. 14 */ 15# define _POSIX_C_SOURCE 2 16#endif 17 18#include <stdio.h> 19#include <stdlib.h> 20#include <string.h> 21#include <sys/types.h> 22#ifndef OPENSSL_NO_POSIX_IO 23# include <sys/stat.h> 24# include <fcntl.h> 25#endif 26#include <ctype.h> 27#include <errno.h> 28#include <openssl/err.h> 29#include <openssl/x509.h> 30#include <openssl/x509v3.h> 31#include <openssl/pem.h> 32#include <openssl/pkcs12.h> 33#include <openssl/ui.h> 34#include <openssl/safestack.h> 35#ifndef OPENSSL_NO_ENGINE 36# include <openssl/engine.h> 37#endif 38#ifndef OPENSSL_NO_RSA 39# include <openssl/rsa.h> 40#endif 41#include <openssl/bn.h> 42#include <openssl/ssl.h> 43#include "apps.h" 44 45#ifdef _WIN32 46static int WIN32_rename(const char *from, const char *to); 47# define rename(from,to) WIN32_rename((from),(to)) 48#endif 49 50#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 51# include <conio.h> 52#endif 53 54#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32) 55# define _kbhit kbhit 56#endif 57 58typedef struct { 59 const char *name; 60 unsigned long flag; 61 unsigned long mask; 62} NAME_EX_TBL; 63 64static UI_METHOD *ui_method = NULL; 65static const UI_METHOD *ui_fallback_method = NULL; 66 67static int set_table_opts(unsigned long *flags, const char *arg, 68 const NAME_EX_TBL * in_tbl); 69static int set_multi_opts(unsigned long *flags, const char *arg, 70 const NAME_EX_TBL * in_tbl); 71 72int app_init(long mesgwin); 73 74int chopup_args(ARGS *arg, char *buf) 75{ 76 int quoted; 77 char c = '\0', *p = NULL; 78 79 arg->argc = 0; 80 if (arg->size == 0) { 81 arg->size = 20; 82 arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space"); 83 } 84 85 for (p = buf;;) { 86 /* Skip whitespace. */ 87 while (*p && isspace(_UC(*p))) 88 p++; 89 if (!*p) 90 break; 91 92 /* The start of something good :-) */ 93 if (arg->argc >= arg->size) { 94 char **tmp; 95 arg->size += 20; 96 tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size); 97 if (tmp == NULL) 98 return 0; 99 arg->argv = tmp; 100 } 101 quoted = *p == '\'' || *p == '"'; 102 if (quoted) 103 c = *p++; 104 arg->argv[arg->argc++] = p; 105 106 /* now look for the end of this */ 107 if (quoted) { 108 while (*p && *p != c) 109 p++; 110 *p++ = '\0'; 111 } else { 112 while (*p && !isspace(_UC(*p))) 113 p++; 114 if (*p) 115 *p++ = '\0'; 116 } 117 } 118 arg->argv[arg->argc] = NULL; 119 return 1; 120} 121 122#ifndef APP_INIT 123int app_init(long mesgwin) 124{ 125 return 1; 126} 127#endif 128 129int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile, 130 const char *CApath, int noCAfile, int noCApath) 131{ 132 if (CAfile == NULL && CApath == NULL) { 133 if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0) 134 return 0; 135 if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0) 136 return 0; 137 138 return 1; 139 } 140 return SSL_CTX_load_verify_locations(ctx, CAfile, CApath); 141} 142 143#ifndef OPENSSL_NO_CT 144 145int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path) 146{ 147 if (path == NULL) 148 return SSL_CTX_set_default_ctlog_list_file(ctx); 149 150 return SSL_CTX_set_ctlog_list_file(ctx, path); 151} 152 153#endif 154 155static unsigned long nmflag = 0; 156static char nmflag_set = 0; 157 158int set_nameopt(const char *arg) 159{ 160 int ret = set_name_ex(&nmflag, arg); 161 162 if (ret) 163 nmflag_set = 1; 164 165 return ret; 166} 167 168unsigned long get_nameopt(void) 169{ 170 return (nmflag_set) ? nmflag : XN_FLAG_ONELINE; 171} 172 173int dump_cert_text(BIO *out, X509 *x) 174{ 175 print_name(out, "subject=", X509_get_subject_name(x), get_nameopt()); 176 BIO_puts(out, "\n"); 177 print_name(out, "issuer=", X509_get_issuer_name(x), get_nameopt()); 178 BIO_puts(out, "\n"); 179 180 return 0; 181} 182 183static int ui_open(UI *ui) 184{ 185 int (*opener)(UI *ui) = UI_method_get_opener(ui_fallback_method); 186 187 if (opener) 188 return opener(ui); 189 return 1; 190} 191 192static int ui_read(UI *ui, UI_STRING *uis) 193{ 194 int (*reader)(UI *ui, UI_STRING *uis) = NULL; 195 196 if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD 197 && UI_get0_user_data(ui)) { 198 switch (UI_get_string_type(uis)) { 199 case UIT_PROMPT: 200 case UIT_VERIFY: 201 { 202 const char *password = 203 ((PW_CB_DATA *)UI_get0_user_data(ui))->password; 204 if (password && password[0] != '\0') { 205 UI_set_result(ui, uis, password); 206 return 1; 207 } 208 } 209 break; 210 case UIT_NONE: 211 case UIT_BOOLEAN: 212 case UIT_INFO: 213 case UIT_ERROR: 214 break; 215 } 216 } 217 218 reader = UI_method_get_reader(ui_fallback_method); 219 if (reader) 220 return reader(ui, uis); 221 return 1; 222} 223 224static int ui_write(UI *ui, UI_STRING *uis) 225{ 226 int (*writer)(UI *ui, UI_STRING *uis) = NULL; 227 228 if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD 229 && UI_get0_user_data(ui)) { 230 switch (UI_get_string_type(uis)) { 231 case UIT_PROMPT: 232 case UIT_VERIFY: 233 { 234 const char *password = 235 ((PW_CB_DATA *)UI_get0_user_data(ui))->password; 236 if (password && password[0] != '\0') 237 return 1; 238 } 239 break; 240 case UIT_NONE: 241 case UIT_BOOLEAN: 242 case UIT_INFO: 243 case UIT_ERROR: 244 break; 245 } 246 } 247 248 writer = UI_method_get_writer(ui_fallback_method); 249 if (writer) 250 return writer(ui, uis); 251 return 1; 252} 253 254static int ui_close(UI *ui) 255{ 256 int (*closer)(UI *ui) = UI_method_get_closer(ui_fallback_method); 257 258 if (closer) 259 return closer(ui); 260 return 1; 261} 262 263int setup_ui_method(void) 264{ 265 ui_fallback_method = UI_null(); 266#ifndef OPENSSL_NO_UI_CONSOLE 267 ui_fallback_method = UI_OpenSSL(); 268#endif 269 ui_method = UI_create_method("OpenSSL application user interface"); 270 UI_method_set_opener(ui_method, ui_open); 271 UI_method_set_reader(ui_method, ui_read); 272 UI_method_set_writer(ui_method, ui_write); 273 UI_method_set_closer(ui_method, ui_close); 274 return 0; 275} 276 277void destroy_ui_method(void) 278{ 279 if (ui_method) { 280 UI_destroy_method(ui_method); 281 ui_method = NULL; 282 } 283} 284 285const UI_METHOD *get_ui_method(void) 286{ 287 return ui_method; 288} 289 290int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) 291{ 292 int res = 0; 293 UI *ui = NULL; 294 PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp; 295 296 ui = UI_new_method(ui_method); 297 if (ui) { 298 int ok = 0; 299 char *buff = NULL; 300 int ui_flags = 0; 301 const char *prompt_info = NULL; 302 char *prompt; 303 304 if (cb_data != NULL && cb_data->prompt_info != NULL) 305 prompt_info = cb_data->prompt_info; 306 prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); 307 if (!prompt) { 308 BIO_printf(bio_err, "Out of memory\n"); 309 UI_free(ui); 310 return 0; 311 } 312 313 ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD; 314 UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0); 315 316 /* We know that there is no previous user data to return to us */ 317 (void)UI_add_user_data(ui, cb_data); 318 319 ok = UI_add_input_string(ui, prompt, ui_flags, buf, 320 PW_MIN_LENGTH, bufsiz - 1); 321 322 if (ok >= 0 && verify) { 323 buff = app_malloc(bufsiz, "password buffer"); 324 ok = UI_add_verify_string(ui, prompt, ui_flags, buff, 325 PW_MIN_LENGTH, bufsiz - 1, buf); 326 } 327 if (ok >= 0) 328 do { 329 ok = UI_process(ui); 330 } while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0)); 331 332 OPENSSL_clear_free(buff, (unsigned int)bufsiz); 333 334 if (ok >= 0) 335 res = strlen(buf); 336 if (ok == -1) { 337 BIO_printf(bio_err, "User interface error\n"); 338 ERR_print_errors(bio_err); 339 OPENSSL_cleanse(buf, (unsigned int)bufsiz); 340 res = 0; 341 } 342 if (ok == -2) { 343 BIO_printf(bio_err, "aborted!\n"); 344 OPENSSL_cleanse(buf, (unsigned int)bufsiz); 345 res = 0; 346 } 347 UI_free(ui); 348 OPENSSL_free(prompt); 349 } 350 return res; 351} 352 353static char *app_get_pass(const char *arg, int keepbio); 354 355int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2) 356{ 357 int same; 358 if (arg2 == NULL || arg1 == NULL || strcmp(arg1, arg2)) 359 same = 0; 360 else 361 same = 1; 362 if (arg1 != NULL) { 363 *pass1 = app_get_pass(arg1, same); 364 if (*pass1 == NULL) 365 return 0; 366 } else if (pass1 != NULL) { 367 *pass1 = NULL; 368 } 369 if (arg2 != NULL) { 370 *pass2 = app_get_pass(arg2, same ? 2 : 0); 371 if (*pass2 == NULL) 372 return 0; 373 } else if (pass2 != NULL) { 374 *pass2 = NULL; 375 } 376 return 1; 377} 378 379static char *app_get_pass(const char *arg, int keepbio) 380{ 381 char *tmp, tpass[APP_PASS_LEN]; 382 static BIO *pwdbio = NULL; 383 int i; 384 385 if (strncmp(arg, "pass:", 5) == 0) 386 return OPENSSL_strdup(arg + 5); 387 if (strncmp(arg, "env:", 4) == 0) { 388 tmp = getenv(arg + 4); 389 if (tmp == NULL) { 390 BIO_printf(bio_err, "Can't read environment variable %s\n", arg + 4); 391 return NULL; 392 } 393 return OPENSSL_strdup(tmp); 394 } 395 if (!keepbio || pwdbio == NULL) { 396 if (strncmp(arg, "file:", 5) == 0) { 397 pwdbio = BIO_new_file(arg + 5, "r"); 398 if (pwdbio == NULL) { 399 BIO_printf(bio_err, "Can't open file %s\n", arg + 5); 400 return NULL; 401 } 402#if !defined(_WIN32) 403 /* 404 * Under _WIN32, which covers even Win64 and CE, file 405 * descriptors referenced by BIO_s_fd are not inherited 406 * by child process and therefore below is not an option. 407 * It could have been an option if bss_fd.c was operating 408 * on real Windows descriptors, such as those obtained 409 * with CreateFile. 410 */ 411 } else if (strncmp(arg, "fd:", 3) == 0) { 412 BIO *btmp; 413 i = atoi(arg + 3); 414 if (i >= 0) 415 pwdbio = BIO_new_fd(i, BIO_NOCLOSE); 416 if ((i < 0) || !pwdbio) { 417 BIO_printf(bio_err, "Can't access file descriptor %s\n", arg + 3); 418 return NULL; 419 } 420 /* 421 * Can't do BIO_gets on an fd BIO so add a buffering BIO 422 */ 423 btmp = BIO_new(BIO_f_buffer()); 424 pwdbio = BIO_push(btmp, pwdbio); 425#endif 426 } else if (strcmp(arg, "stdin") == 0) { 427 pwdbio = dup_bio_in(FORMAT_TEXT); 428 if (!pwdbio) { 429 BIO_printf(bio_err, "Can't open BIO for stdin\n"); 430 return NULL; 431 } 432 } else { 433 BIO_printf(bio_err, "Invalid password argument \"%s\"\n", arg); 434 return NULL; 435 } 436 } 437 i = BIO_gets(pwdbio, tpass, APP_PASS_LEN); 438 if (keepbio != 1) { 439 BIO_free_all(pwdbio); 440 pwdbio = NULL; 441 } 442 if (i <= 0) { 443 BIO_printf(bio_err, "Error reading password from BIO\n"); 444 return NULL; 445 } 446 tmp = strchr(tpass, '\n'); 447 if (tmp != NULL) 448 *tmp = 0; 449 return OPENSSL_strdup(tpass); 450} 451 452CONF *app_load_config_bio(BIO *in, const char *filename) 453{ 454 long errorline = -1; 455 CONF *conf; 456 int i; 457 458 conf = NCONF_new(NULL); 459 i = NCONF_load_bio(conf, in, &errorline); 460 if (i > 0) 461 return conf; 462 463 if (errorline <= 0) { 464 BIO_printf(bio_err, "%s: Can't load ", opt_getprog()); 465 } else { 466 BIO_printf(bio_err, "%s: Error on line %ld of ", opt_getprog(), 467 errorline); 468 } 469 if (filename != NULL) 470 BIO_printf(bio_err, "config file \"%s\"\n", filename); 471 else 472 BIO_printf(bio_err, "config input"); 473 474 NCONF_free(conf); 475 return NULL; 476} 477 478CONF *app_load_config(const char *filename) 479{ 480 BIO *in; 481 CONF *conf; 482 483 in = bio_open_default(filename, 'r', FORMAT_TEXT); 484 if (in == NULL) 485 return NULL; 486 487 conf = app_load_config_bio(in, filename); 488 BIO_free(in); 489 return conf; 490} 491 492CONF *app_load_config_quiet(const char *filename) 493{ 494 BIO *in; 495 CONF *conf; 496 497 in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT); 498 if (in == NULL) 499 return NULL; 500 501 conf = app_load_config_bio(in, filename); 502 BIO_free(in); 503 return conf; 504} 505 506int app_load_modules(const CONF *config) 507{ 508 CONF *to_free = NULL; 509 510 if (config == NULL) 511 config = to_free = app_load_config_quiet(default_config_file); 512 if (config == NULL) 513 return 1; 514 515 if (CONF_modules_load(config, NULL, 0) <= 0) { 516 BIO_printf(bio_err, "Error configuring OpenSSL modules\n"); 517 ERR_print_errors(bio_err); 518 NCONF_free(to_free); 519 return 0; 520 } 521 NCONF_free(to_free); 522 return 1; 523} 524 525int add_oid_section(CONF *conf) 526{ 527 char *p; 528 STACK_OF(CONF_VALUE) *sktmp; 529 CONF_VALUE *cnf; 530 int i; 531 532 if ((p = NCONF_get_string(conf, NULL, "oid_section")) == NULL) { 533 ERR_clear_error(); 534 return 1; 535 } 536 if ((sktmp = NCONF_get_section(conf, p)) == NULL) { 537 BIO_printf(bio_err, "problem loading oid section %s\n", p); 538 return 0; 539 } 540 for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { 541 cnf = sk_CONF_VALUE_value(sktmp, i); 542 if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) { 543 BIO_printf(bio_err, "problem creating object %s=%s\n", 544 cnf->name, cnf->value); 545 return 0; 546 } 547 } 548 return 1; 549} 550 551static int load_pkcs12(BIO *in, const char *desc, 552 pem_password_cb *pem_cb, void *cb_data, 553 EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) 554{ 555 const char *pass; 556 char tpass[PEM_BUFSIZE]; 557 int len, ret = 0; 558 PKCS12 *p12; 559 p12 = d2i_PKCS12_bio(in, NULL); 560 if (p12 == NULL) { 561 BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc); 562 goto die; 563 } 564 /* See if an empty password will do */ 565 if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0)) { 566 pass = ""; 567 } else { 568 if (!pem_cb) 569 pem_cb = (pem_password_cb *)password_callback; 570 len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data); 571 if (len < 0) { 572 BIO_printf(bio_err, "Passphrase callback error for %s\n", desc); 573 goto die; 574 } 575 if (len < PEM_BUFSIZE) 576 tpass[len] = 0; 577 if (!PKCS12_verify_mac(p12, tpass, len)) { 578 BIO_printf(bio_err, 579 "Mac verify error (wrong password?) in PKCS12 file for %s\n", 580 desc); 581 goto die; 582 } 583 pass = tpass; 584 } 585 ret = PKCS12_parse(p12, pass, pkey, cert, ca); 586 die: 587 PKCS12_free(p12); 588 return ret; 589} 590 591#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) 592static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl) 593{ 594 char *host = NULL, *port = NULL, *path = NULL; 595 BIO *bio = NULL; 596 OCSP_REQ_CTX *rctx = NULL; 597 int use_ssl, rv = 0; 598 if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl)) 599 goto err; 600 if (use_ssl) { 601 BIO_puts(bio_err, "https not supported\n"); 602 goto err; 603 } 604 bio = BIO_new_connect(host); 605 if (!bio || !BIO_set_conn_port(bio, port)) 606 goto err; 607 rctx = OCSP_REQ_CTX_new(bio, 1024); 608 if (rctx == NULL) 609 goto err; 610 if (!OCSP_REQ_CTX_http(rctx, "GET", path)) 611 goto err; 612 if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host)) 613 goto err; 614 if (pcert) { 615 do { 616 rv = X509_http_nbio(rctx, pcert); 617 } while (rv == -1); 618 } else { 619 do { 620 rv = X509_CRL_http_nbio(rctx, pcrl); 621 } while (rv == -1); 622 } 623 624 err: 625 OPENSSL_free(host); 626 OPENSSL_free(path); 627 OPENSSL_free(port); 628 BIO_free_all(bio); 629 OCSP_REQ_CTX_free(rctx); 630 if (rv != 1) { 631 BIO_printf(bio_err, "Error loading %s from %s\n", 632 pcert ? "certificate" : "CRL", url); 633 ERR_print_errors(bio_err); 634 } 635 return rv; 636} 637#endif 638 639X509 *load_cert(const char *file, int format, const char *cert_descrip) 640{ 641 X509 *x = NULL; 642 BIO *cert; 643 644 if (format == FORMAT_HTTP) { 645#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) 646 load_cert_crl_http(file, &x, NULL); 647#endif 648 return x; 649 } 650 651 if (file == NULL) { 652 unbuffer(stdin); 653 cert = dup_bio_in(format); 654 } else { 655 cert = bio_open_default(file, 'r', format); 656 } 657 if (cert == NULL) 658 goto end; 659 660 if (format == FORMAT_ASN1) { 661 x = d2i_X509_bio(cert, NULL); 662 } else if (format == FORMAT_PEM) { 663 x = PEM_read_bio_X509_AUX(cert, NULL, 664 (pem_password_cb *)password_callback, NULL); 665 } else if (format == FORMAT_PKCS12) { 666 if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL)) 667 goto end; 668 } else { 669 BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip); 670 goto end; 671 } 672 end: 673 if (x == NULL) { 674 BIO_printf(bio_err, "unable to load certificate\n"); 675 ERR_print_errors(bio_err); 676 } 677 BIO_free(cert); 678 return x; 679} 680 681X509_CRL *load_crl(const char *infile, int format) 682{ 683 X509_CRL *x = NULL; 684 BIO *in = NULL; 685 686 if (format == FORMAT_HTTP) { 687#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) 688 load_cert_crl_http(infile, NULL, &x); 689#endif 690 return x; 691 } 692 693 in = bio_open_default(infile, 'r', format); 694 if (in == NULL) 695 goto end; 696 if (format == FORMAT_ASN1) { 697 x = d2i_X509_CRL_bio(in, NULL); 698 } else if (format == FORMAT_PEM) { 699 x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); 700 } else { 701 BIO_printf(bio_err, "bad input format specified for input crl\n"); 702 goto end; 703 } 704 if (x == NULL) { 705 BIO_printf(bio_err, "unable to load CRL\n"); 706 ERR_print_errors(bio_err); 707 goto end; 708 } 709 710 end: 711 BIO_free(in); 712 return x; 713} 714 715EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, 716 const char *pass, ENGINE *e, const char *key_descrip) 717{ 718 BIO *key = NULL; 719 EVP_PKEY *pkey = NULL; 720 PW_CB_DATA cb_data; 721 722 cb_data.password = pass; 723 cb_data.prompt_info = file; 724 725 if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { 726 BIO_printf(bio_err, "no keyfile specified\n"); 727 goto end; 728 } 729 if (format == FORMAT_ENGINE) { 730 if (e == NULL) { 731 BIO_printf(bio_err, "no engine specified\n"); 732 } else { 733#ifndef OPENSSL_NO_ENGINE 734 if (ENGINE_init(e)) { 735 pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); 736 ENGINE_finish(e); 737 } 738 if (pkey == NULL) { 739 BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); 740 ERR_print_errors(bio_err); 741 } 742#else 743 BIO_printf(bio_err, "engines not supported\n"); 744#endif 745 } 746 goto end; 747 } 748 if (file == NULL && maybe_stdin) { 749 unbuffer(stdin); 750 key = dup_bio_in(format); 751 } else { 752 key = bio_open_default(file, 'r', format); 753 } 754 if (key == NULL) 755 goto end; 756 if (format == FORMAT_ASN1) { 757 pkey = d2i_PrivateKey_bio(key, NULL); 758 } else if (format == FORMAT_PEM) { 759 pkey = PEM_read_bio_PrivateKey(key, NULL, 760 (pem_password_cb *)password_callback, 761 &cb_data); 762 } else if (format == FORMAT_PKCS12) { 763 if (!load_pkcs12(key, key_descrip, 764 (pem_password_cb *)password_callback, &cb_data, 765 &pkey, NULL, NULL)) 766 goto end; 767#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4) 768 } else if (format == FORMAT_MSBLOB) { 769 pkey = b2i_PrivateKey_bio(key); 770 } else if (format == FORMAT_PVK) { 771 pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback, 772 &cb_data); 773#endif 774 } else { 775 BIO_printf(bio_err, "bad input format specified for key file\n"); 776 goto end; 777 } 778 end: 779 BIO_free(key); 780 if (pkey == NULL) { 781 BIO_printf(bio_err, "unable to load %s\n", key_descrip); 782 ERR_print_errors(bio_err); 783 } 784 return pkey; 785} 786 787EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, 788 const char *pass, ENGINE *e, const char *key_descrip) 789{ 790 BIO *key = NULL; 791 EVP_PKEY *pkey = NULL; 792 PW_CB_DATA cb_data; 793 794 cb_data.password = pass; 795 cb_data.prompt_info = file; 796 797 if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { 798 BIO_printf(bio_err, "no keyfile specified\n"); 799 goto end; 800 } 801 if (format == FORMAT_ENGINE) { 802 if (e == NULL) { 803 BIO_printf(bio_err, "no engine specified\n"); 804 } else { 805#ifndef OPENSSL_NO_ENGINE 806 pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data); 807 if (pkey == NULL) { 808 BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); 809 ERR_print_errors(bio_err); 810 } 811#else 812 BIO_printf(bio_err, "engines not supported\n"); 813#endif 814 } 815 goto end; 816 } 817 if (file == NULL && maybe_stdin) { 818 unbuffer(stdin); 819 key = dup_bio_in(format); 820 } else { 821 key = bio_open_default(file, 'r', format); 822 } 823 if (key == NULL) 824 goto end; 825 if (format == FORMAT_ASN1) { 826 pkey = d2i_PUBKEY_bio(key, NULL); 827 } else if (format == FORMAT_ASN1RSA) { 828#ifndef OPENSSL_NO_RSA 829 RSA *rsa; 830 rsa = d2i_RSAPublicKey_bio(key, NULL); 831 if (rsa) { 832 pkey = EVP_PKEY_new(); 833 if (pkey != NULL) 834 EVP_PKEY_set1_RSA(pkey, rsa); 835 RSA_free(rsa); 836 } else 837#else 838 BIO_printf(bio_err, "RSA keys not supported\n"); 839#endif 840 pkey = NULL; 841 } else if (format == FORMAT_PEMRSA) { 842#ifndef OPENSSL_NO_RSA 843 RSA *rsa; 844 rsa = PEM_read_bio_RSAPublicKey(key, NULL, 845 (pem_password_cb *)password_callback, 846 &cb_data); 847 if (rsa != NULL) { 848 pkey = EVP_PKEY_new(); 849 if (pkey != NULL) 850 EVP_PKEY_set1_RSA(pkey, rsa); 851 RSA_free(rsa); 852 } else 853#else 854 BIO_printf(bio_err, "RSA keys not supported\n"); 855#endif 856 pkey = NULL; 857 } else if (format == FORMAT_PEM) { 858 pkey = PEM_read_bio_PUBKEY(key, NULL, 859 (pem_password_cb *)password_callback, 860 &cb_data); 861#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) 862 } else if (format == FORMAT_MSBLOB) { 863 pkey = b2i_PublicKey_bio(key); 864#endif 865 } 866 end: 867 BIO_free(key); 868 if (pkey == NULL) 869 BIO_printf(bio_err, "unable to load %s\n", key_descrip); 870 return pkey; 871} 872 873static int load_certs_crls(const char *file, int format, 874 const char *pass, const char *desc, 875 STACK_OF(X509) **pcerts, 876 STACK_OF(X509_CRL) **pcrls) 877{ 878 int i; 879 BIO *bio; 880 STACK_OF(X509_INFO) *xis = NULL; 881 X509_INFO *xi; 882 PW_CB_DATA cb_data; 883 int rv = 0; 884 885 cb_data.password = pass; 886 cb_data.prompt_info = file; 887 888 if (format != FORMAT_PEM) { 889 BIO_printf(bio_err, "bad input format specified for %s\n", desc); 890 return 0; 891 } 892 893 bio = bio_open_default(file, 'r', FORMAT_PEM); 894 if (bio == NULL) 895 return 0; 896 897 xis = PEM_X509_INFO_read_bio(bio, NULL, 898 (pem_password_cb *)password_callback, 899 &cb_data); 900 901 BIO_free(bio); 902 903 if (pcerts != NULL && *pcerts == NULL) { 904 *pcerts = sk_X509_new_null(); 905 if (*pcerts == NULL) 906 goto end; 907 } 908 909 if (pcrls != NULL && *pcrls == NULL) { 910 *pcrls = sk_X509_CRL_new_null(); 911 if (*pcrls == NULL) 912 goto end; 913 } 914 915 for (i = 0; i < sk_X509_INFO_num(xis); i++) { 916 xi = sk_X509_INFO_value(xis, i); 917 if (xi->x509 != NULL && pcerts != NULL) { 918 if (!sk_X509_push(*pcerts, xi->x509)) 919 goto end; 920 xi->x509 = NULL; 921 } 922 if (xi->crl != NULL && pcrls != NULL) { 923 if (!sk_X509_CRL_push(*pcrls, xi->crl)) 924 goto end; 925 xi->crl = NULL; 926 } 927 } 928 929 if (pcerts != NULL && sk_X509_num(*pcerts) > 0) 930 rv = 1; 931 932 if (pcrls != NULL && sk_X509_CRL_num(*pcrls) > 0) 933 rv = 1; 934 935 end: 936 937 sk_X509_INFO_pop_free(xis, X509_INFO_free); 938 939 if (rv == 0) { 940 if (pcerts != NULL) { 941 sk_X509_pop_free(*pcerts, X509_free); 942 *pcerts = NULL; 943 } 944 if (pcrls != NULL) { 945 sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); 946 *pcrls = NULL; 947 } 948 BIO_printf(bio_err, "unable to load %s\n", 949 pcerts ? "certificates" : "CRLs"); 950 ERR_print_errors(bio_err); 951 } 952 return rv; 953} 954 955void* app_malloc(int sz, const char *what) 956{ 957 void *vp = OPENSSL_malloc(sz); 958 959 if (vp == NULL) { 960 BIO_printf(bio_err, "%s: Could not allocate %d bytes for %s\n", 961 opt_getprog(), sz, what); 962 ERR_print_errors(bio_err); 963 exit(1); 964 } 965 return vp; 966} 967 968/* 969 * Initialize or extend, if *certs != NULL, a certificate stack. 970 */ 971int load_certs(const char *file, STACK_OF(X509) **certs, int format, 972 const char *pass, const char *desc) 973{ 974 return load_certs_crls(file, format, pass, desc, certs, NULL); 975} 976 977/* 978 * Initialize or extend, if *crls != NULL, a certificate stack. 979 */ 980int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, 981 const char *pass, const char *desc) 982{ 983 return load_certs_crls(file, format, pass, desc, NULL, crls); 984} 985 986#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) 987/* Return error for unknown extensions */ 988#define X509V3_EXT_DEFAULT 0 989/* Print error for unknown extensions */ 990#define X509V3_EXT_ERROR_UNKNOWN (1L << 16) 991/* ASN1 parse unknown extensions */ 992#define X509V3_EXT_PARSE_UNKNOWN (2L << 16) 993/* BIO_dump unknown extensions */ 994#define X509V3_EXT_DUMP_UNKNOWN (3L << 16) 995 996#define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \ 997 X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION) 998 999int set_cert_ex(unsigned long *flags, const char *arg) 1000{ 1001 static const NAME_EX_TBL cert_tbl[] = { 1002 {"compatible", X509_FLAG_COMPAT, 0xffffffffl}, 1003 {"ca_default", X509_FLAG_CA, 0xffffffffl}, 1004 {"no_header", X509_FLAG_NO_HEADER, 0}, 1005 {"no_version", X509_FLAG_NO_VERSION, 0}, 1006 {"no_serial", X509_FLAG_NO_SERIAL, 0}, 1007 {"no_signame", X509_FLAG_NO_SIGNAME, 0}, 1008 {"no_validity", X509_FLAG_NO_VALIDITY, 0}, 1009 {"no_subject", X509_FLAG_NO_SUBJECT, 0}, 1010 {"no_issuer", X509_FLAG_NO_ISSUER, 0}, 1011 {"no_pubkey", X509_FLAG_NO_PUBKEY, 0}, 1012 {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0}, 1013 {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0}, 1014 {"no_aux", X509_FLAG_NO_AUX, 0}, 1015 {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0}, 1016 {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK}, 1017 {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, 1018 {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, 1019 {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, 1020 {NULL, 0, 0} 1021 }; 1022 return set_multi_opts(flags, arg, cert_tbl); 1023} 1024 1025int set_name_ex(unsigned long *flags, const char *arg) 1026{ 1027 static const NAME_EX_TBL ex_tbl[] = { 1028 {"esc_2253", ASN1_STRFLGS_ESC_2253, 0}, 1029 {"esc_2254", ASN1_STRFLGS_ESC_2254, 0}, 1030 {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0}, 1031 {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0}, 1032 {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0}, 1033 {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0}, 1034 {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0}, 1035 {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0}, 1036 {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0}, 1037 {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0}, 1038 {"dump_der", ASN1_STRFLGS_DUMP_DER, 0}, 1039 {"compat", XN_FLAG_COMPAT, 0xffffffffL}, 1040 {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK}, 1041 {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK}, 1042 {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK}, 1043 {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK}, 1044 {"dn_rev", XN_FLAG_DN_REV, 0}, 1045 {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK}, 1046 {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK}, 1047 {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK}, 1048 {"align", XN_FLAG_FN_ALIGN, 0}, 1049 {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK}, 1050 {"space_eq", XN_FLAG_SPC_EQ, 0}, 1051 {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0}, 1052 {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL}, 1053 {"oneline", XN_FLAG_ONELINE, 0xffffffffL}, 1054 {"multiline", XN_FLAG_MULTILINE, 0xffffffffL}, 1055 {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL}, 1056 {NULL, 0, 0} 1057 }; 1058 if (set_multi_opts(flags, arg, ex_tbl) == 0) 1059 return 0; 1060 if (*flags != XN_FLAG_COMPAT 1061 && (*flags & XN_FLAG_SEP_MASK) == 0) 1062 *flags |= XN_FLAG_SEP_CPLUS_SPC; 1063 return 1; 1064} 1065 1066int set_ext_copy(int *copy_type, const char *arg) 1067{ 1068 if (strcasecmp(arg, "none") == 0) 1069 *copy_type = EXT_COPY_NONE; 1070 else if (strcasecmp(arg, "copy") == 0) 1071 *copy_type = EXT_COPY_ADD; 1072 else if (strcasecmp(arg, "copyall") == 0) 1073 *copy_type = EXT_COPY_ALL; 1074 else 1075 return 0; 1076 return 1; 1077} 1078 1079int copy_extensions(X509 *x, X509_REQ *req, int copy_type) 1080{ 1081 STACK_OF(X509_EXTENSION) *exts = NULL; 1082 X509_EXTENSION *ext, *tmpext; 1083 ASN1_OBJECT *obj; 1084 int i, idx, ret = 0; 1085 if (!x || !req || (copy_type == EXT_COPY_NONE)) 1086 return 1; 1087 exts = X509_REQ_get_extensions(req); 1088 1089 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { 1090 ext = sk_X509_EXTENSION_value(exts, i); 1091 obj = X509_EXTENSION_get_object(ext); 1092 idx = X509_get_ext_by_OBJ(x, obj, -1); 1093 /* Does extension exist? */ 1094 if (idx != -1) { 1095 /* If normal copy don't override existing extension */ 1096 if (copy_type == EXT_COPY_ADD) 1097 continue; 1098 /* Delete all extensions of same type */ 1099 do { 1100 tmpext = X509_get_ext(x, idx); 1101 X509_delete_ext(x, idx); 1102 X509_EXTENSION_free(tmpext); 1103 idx = X509_get_ext_by_OBJ(x, obj, -1); 1104 } while (idx != -1); 1105 } 1106 if (!X509_add_ext(x, ext, -1)) 1107 goto end; 1108 } 1109 1110 ret = 1; 1111 1112 end: 1113 1114 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); 1115 1116 return ret; 1117} 1118 1119static int set_multi_opts(unsigned long *flags, const char *arg, 1120 const NAME_EX_TBL * in_tbl) 1121{ 1122 STACK_OF(CONF_VALUE) *vals; 1123 CONF_VALUE *val; 1124 int i, ret = 1; 1125 if (!arg) 1126 return 0; 1127 vals = X509V3_parse_list(arg); 1128 for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { 1129 val = sk_CONF_VALUE_value(vals, i); 1130 if (!set_table_opts(flags, val->name, in_tbl)) 1131 ret = 0; 1132 } 1133 sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); 1134 return ret; 1135} 1136 1137static int set_table_opts(unsigned long *flags, const char *arg, 1138 const NAME_EX_TBL * in_tbl) 1139{ 1140 char c; 1141 const NAME_EX_TBL *ptbl; 1142 c = arg[0]; 1143 1144 if (c == '-') { 1145 c = 0; 1146 arg++; 1147 } else if (c == '+') { 1148 c = 1; 1149 arg++; 1150 } else { 1151 c = 1; 1152 } 1153 1154 for (ptbl = in_tbl; ptbl->name; ptbl++) { 1155 if (strcasecmp(arg, ptbl->name) == 0) { 1156 *flags &= ~ptbl->mask; 1157 if (c) 1158 *flags |= ptbl->flag; 1159 else 1160 *flags &= ~ptbl->flag; 1161 return 1; 1162 } 1163 } 1164 return 0; 1165} 1166 1167void print_name(BIO *out, const char *title, X509_NAME *nm, 1168 unsigned long lflags) 1169{ 1170 char *buf; 1171 char mline = 0; 1172 int indent = 0; 1173 1174 if (title) 1175 BIO_puts(out, title); 1176 if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { 1177 mline = 1; 1178 indent = 4; 1179 } 1180 if (lflags == XN_FLAG_COMPAT) { 1181 buf = X509_NAME_oneline(nm, 0, 0); 1182 BIO_puts(out, buf); 1183 BIO_puts(out, "\n"); 1184 OPENSSL_free(buf); 1185 } else { 1186 if (mline) 1187 BIO_puts(out, "\n"); 1188 X509_NAME_print_ex(out, nm, indent, lflags); 1189 BIO_puts(out, "\n"); 1190 } 1191} 1192 1193void print_bignum_var(BIO *out, const BIGNUM *in, const char *var, 1194 int len, unsigned char *buffer) 1195{ 1196 BIO_printf(out, " static unsigned char %s_%d[] = {", var, len); 1197 if (BN_is_zero(in)) { 1198 BIO_printf(out, "\n 0x00"); 1199 } else { 1200 int i, l; 1201 1202 l = BN_bn2bin(in, buffer); 1203 for (i = 0; i < l; i++) { 1204 BIO_printf(out, (i % 10) == 0 ? "\n " : " "); 1205 if (i < l - 1) 1206 BIO_printf(out, "0x%02X,", buffer[i]); 1207 else 1208 BIO_printf(out, "0x%02X", buffer[i]); 1209 } 1210 } 1211 BIO_printf(out, "\n };\n"); 1212} 1213 1214void print_array(BIO *out, const char* title, int len, const unsigned char* d) 1215{ 1216 int i; 1217 1218 BIO_printf(out, "unsigned char %s[%d] = {", title, len); 1219 for (i = 0; i < len; i++) { 1220 if ((i % 10) == 0) 1221 BIO_printf(out, "\n "); 1222 if (i < len - 1) 1223 BIO_printf(out, "0x%02X, ", d[i]); 1224 else 1225 BIO_printf(out, "0x%02X", d[i]); 1226 } 1227 BIO_printf(out, "\n};\n"); 1228} 1229 1230X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, int noCApath) 1231{ 1232 X509_STORE *store = X509_STORE_new(); 1233 X509_LOOKUP *lookup; 1234 1235 if (store == NULL) 1236 goto end; 1237 1238 if (CAfile != NULL || !noCAfile) { 1239 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); 1240 if (lookup == NULL) 1241 goto end; 1242 if (CAfile) { 1243 if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) { 1244 BIO_printf(bio_err, "Error loading file %s\n", CAfile); 1245 goto end; 1246 } 1247 } else { 1248 X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); 1249 } 1250 } 1251 1252 if (CApath != NULL || !noCApath) { 1253 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); 1254 if (lookup == NULL) 1255 goto end; 1256 if (CApath) { 1257 if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) { 1258 BIO_printf(bio_err, "Error loading directory %s\n", CApath); 1259 goto end; 1260 } 1261 } else { 1262 X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); 1263 } 1264 } 1265 1266 ERR_clear_error(); 1267 return store; 1268 end: 1269 X509_STORE_free(store); 1270 return NULL; 1271} 1272 1273#ifndef OPENSSL_NO_ENGINE 1274/* Try to load an engine in a shareable library */ 1275static ENGINE *try_load_engine(const char *engine) 1276{ 1277 ENGINE *e = ENGINE_by_id("dynamic"); 1278 if (e) { 1279 if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) 1280 || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) { 1281 ENGINE_free(e); 1282 e = NULL; 1283 } 1284 } 1285 return e; 1286} 1287#endif 1288 1289ENGINE *setup_engine(const char *engine, int debug) 1290{ 1291 ENGINE *e = NULL; 1292 1293#ifndef OPENSSL_NO_ENGINE 1294 if (engine != NULL) { 1295 if (strcmp(engine, "auto") == 0) { 1296 BIO_printf(bio_err, "enabling auto ENGINE support\n"); 1297 ENGINE_register_all_complete(); 1298 return NULL; 1299 } 1300 if ((e = ENGINE_by_id(engine)) == NULL 1301 && (e = try_load_engine(engine)) == NULL) { 1302 BIO_printf(bio_err, "invalid engine \"%s\"\n", engine); 1303 ERR_print_errors(bio_err); 1304 return NULL; 1305 } 1306 if (debug) { 1307 ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0); 1308 } 1309 ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1); 1310 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { 1311 BIO_printf(bio_err, "can't use that engine\n"); 1312 ERR_print_errors(bio_err); 1313 ENGINE_free(e); 1314 return NULL; 1315 } 1316 1317 BIO_printf(bio_err, "engine \"%s\" set.\n", ENGINE_get_id(e)); 1318 } 1319#endif 1320 return e; 1321} 1322 1323void release_engine(ENGINE *e) 1324{ 1325#ifndef OPENSSL_NO_ENGINE 1326 if (e != NULL) 1327 /* Free our "structural" reference. */ 1328 ENGINE_free(e); 1329#endif 1330} 1331 1332static unsigned long index_serial_hash(const OPENSSL_CSTRING *a) 1333{ 1334 const char *n; 1335 1336 n = a[DB_serial]; 1337 while (*n == '0') 1338 n++; 1339 return OPENSSL_LH_strhash(n); 1340} 1341 1342static int index_serial_cmp(const OPENSSL_CSTRING *a, 1343 const OPENSSL_CSTRING *b) 1344{ 1345 const char *aa, *bb; 1346 1347 for (aa = a[DB_serial]; *aa == '0'; aa++) ; 1348 for (bb = b[DB_serial]; *bb == '0'; bb++) ; 1349 return strcmp(aa, bb); 1350} 1351 1352static int index_name_qual(char **a) 1353{ 1354 return (a[0][0] == 'V'); 1355} 1356 1357static unsigned long index_name_hash(const OPENSSL_CSTRING *a) 1358{ 1359 return OPENSSL_LH_strhash(a[DB_name]); 1360} 1361 1362int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) 1363{ 1364 return strcmp(a[DB_name], b[DB_name]); 1365} 1366 1367static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING) 1368static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING) 1369static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING) 1370static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING) 1371#undef BSIZE 1372#define BSIZE 256 1373BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) 1374{ 1375 BIO *in = NULL; 1376 BIGNUM *ret = NULL; 1377 char buf[1024]; 1378 ASN1_INTEGER *ai = NULL; 1379 1380 ai = ASN1_INTEGER_new(); 1381 if (ai == NULL) 1382 goto err; 1383 1384 in = BIO_new_file(serialfile, "r"); 1385 if (in == NULL) { 1386 if (!create) { 1387 perror(serialfile); 1388 goto err; 1389 } 1390 ERR_clear_error(); 1391 ret = BN_new(); 1392 if (ret == NULL || !rand_serial(ret, ai)) 1393 BIO_printf(bio_err, "Out of memory\n"); 1394 } else { 1395 if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) { 1396 BIO_printf(bio_err, "unable to load number from %s\n", 1397 serialfile); 1398 goto err; 1399 } 1400 ret = ASN1_INTEGER_to_BN(ai, NULL); 1401 if (ret == NULL) { 1402 BIO_printf(bio_err, 1403 "error converting number from bin to BIGNUM\n"); 1404 goto err; 1405 } 1406 } 1407 1408 if (ret && retai) { 1409 *retai = ai; 1410 ai = NULL; 1411 } 1412 err: 1413 BIO_free(in); 1414 ASN1_INTEGER_free(ai); 1415 return ret; 1416} 1417 1418int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial, 1419 ASN1_INTEGER **retai) 1420{ 1421 char buf[1][BSIZE]; 1422 BIO *out = NULL; 1423 int ret = 0; 1424 ASN1_INTEGER *ai = NULL; 1425 int j; 1426 1427 if (suffix == NULL) 1428 j = strlen(serialfile); 1429 else 1430 j = strlen(serialfile) + strlen(suffix) + 1; 1431 if (j >= BSIZE) { 1432 BIO_printf(bio_err, "file name too long\n"); 1433 goto err; 1434 } 1435 1436 if (suffix == NULL) 1437 OPENSSL_strlcpy(buf[0], serialfile, BSIZE); 1438 else { 1439#ifndef OPENSSL_SYS_VMS 1440 j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, suffix); 1441#else 1442 j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, suffix); 1443#endif 1444 } 1445 out = BIO_new_file(buf[0], "w"); 1446 if (out == NULL) { 1447 ERR_print_errors(bio_err); 1448 goto err; 1449 } 1450 1451 if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) { 1452 BIO_printf(bio_err, "error converting serial to ASN.1 format\n"); 1453 goto err; 1454 } 1455 i2a_ASN1_INTEGER(out, ai); 1456 BIO_puts(out, "\n"); 1457 ret = 1; 1458 if (retai) { 1459 *retai = ai; 1460 ai = NULL; 1461 } 1462 err: 1463 BIO_free_all(out); 1464 ASN1_INTEGER_free(ai); 1465 return ret; 1466} 1467 1468int rotate_serial(const char *serialfile, const char *new_suffix, 1469 const char *old_suffix) 1470{ 1471 char buf[2][BSIZE]; 1472 int i, j; 1473 1474 i = strlen(serialfile) + strlen(old_suffix); 1475 j = strlen(serialfile) + strlen(new_suffix); 1476 if (i > j) 1477 j = i; 1478 if (j + 1 >= BSIZE) { 1479 BIO_printf(bio_err, "file name too long\n"); 1480 goto err; 1481 } 1482#ifndef OPENSSL_SYS_VMS 1483 j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, new_suffix); 1484 j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", serialfile, old_suffix); 1485#else 1486 j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, new_suffix); 1487 j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", serialfile, old_suffix); 1488#endif 1489 if (rename(serialfile, buf[1]) < 0 && errno != ENOENT 1490#ifdef ENOTDIR 1491 && errno != ENOTDIR 1492#endif 1493 ) { 1494 BIO_printf(bio_err, 1495 "unable to rename %s to %s\n", serialfile, buf[1]); 1496 perror("reason"); 1497 goto err; 1498 } 1499 if (rename(buf[0], serialfile) < 0) { 1500 BIO_printf(bio_err, 1501 "unable to rename %s to %s\n", buf[0], serialfile); 1502 perror("reason"); 1503 rename(buf[1], serialfile); 1504 goto err; 1505 } 1506 return 1; 1507 err: 1508 return 0; 1509} 1510 1511int rand_serial(BIGNUM *b, ASN1_INTEGER *ai) 1512{ 1513 BIGNUM *btmp; 1514 int ret = 0; 1515 1516 btmp = b == NULL ? BN_new() : b; 1517 if (btmp == NULL) 1518 return 0; 1519 1520 if (!BN_rand(btmp, SERIAL_RAND_BITS, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) 1521 goto error; 1522 if (ai && !BN_to_ASN1_INTEGER(btmp, ai)) 1523 goto error; 1524 1525 ret = 1; 1526 1527 error: 1528 1529 if (btmp != b) 1530 BN_free(btmp); 1531 1532 return ret; 1533} 1534 1535CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr) 1536{ 1537 CA_DB *retdb = NULL; 1538 TXT_DB *tmpdb = NULL; 1539 BIO *in; 1540 CONF *dbattr_conf = NULL; 1541 char buf[BSIZE]; 1542#ifndef OPENSSL_NO_POSIX_IO 1543 FILE *dbfp; 1544 struct stat dbst; 1545#endif 1546 1547 in = BIO_new_file(dbfile, "r"); 1548 if (in == NULL) { 1549 ERR_print_errors(bio_err); 1550 goto err; 1551 } 1552 1553#ifndef OPENSSL_NO_POSIX_IO 1554 BIO_get_fp(in, &dbfp); 1555 if (fstat(fileno(dbfp), &dbst) == -1) { 1556 SYSerr(SYS_F_FSTAT, errno); 1557 ERR_add_error_data(3, "fstat('", dbfile, "')"); 1558 ERR_print_errors(bio_err); 1559 goto err; 1560 } 1561#endif 1562 1563 if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL) 1564 goto err; 1565 1566#ifndef OPENSSL_SYS_VMS 1567 BIO_snprintf(buf, sizeof(buf), "%s.attr", dbfile); 1568#else 1569 BIO_snprintf(buf, sizeof(buf), "%s-attr", dbfile); 1570#endif 1571 dbattr_conf = app_load_config_quiet(buf); 1572 1573 retdb = app_malloc(sizeof(*retdb), "new DB"); 1574 retdb->db = tmpdb; 1575 tmpdb = NULL; 1576 if (db_attr) 1577 retdb->attributes = *db_attr; 1578 else { 1579 retdb->attributes.unique_subject = 1; 1580 } 1581 1582 if (dbattr_conf) { 1583 char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject"); 1584 if (p) { 1585 retdb->attributes.unique_subject = parse_yesno(p, 1); 1586 } 1587 } 1588 1589 retdb->dbfname = OPENSSL_strdup(dbfile); 1590#ifndef OPENSSL_NO_POSIX_IO 1591 retdb->dbst = dbst; 1592#endif 1593 1594 err: 1595 NCONF_free(dbattr_conf); 1596 TXT_DB_free(tmpdb); 1597 BIO_free_all(in); 1598 return retdb; 1599} 1600 1601/* 1602 * Returns > 0 on success, <= 0 on error 1603 */ 1604int index_index(CA_DB *db) 1605{ 1606 if (!TXT_DB_create_index(db->db, DB_serial, NULL, 1607 LHASH_HASH_FN(index_serial), 1608 LHASH_COMP_FN(index_serial))) { 1609 BIO_printf(bio_err, 1610 "error creating serial number index:(%ld,%ld,%ld)\n", 1611 db->db->error, db->db->arg1, db->db->arg2); 1612 return 0; 1613 } 1614 1615 if (db->attributes.unique_subject 1616 && !TXT_DB_create_index(db->db, DB_name, index_name_qual, 1617 LHASH_HASH_FN(index_name), 1618 LHASH_COMP_FN(index_name))) { 1619 BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n", 1620 db->db->error, db->db->arg1, db->db->arg2); 1621 return 0; 1622 } 1623 return 1; 1624} 1625 1626int save_index(const char *dbfile, const char *suffix, CA_DB *db) 1627{ 1628 char buf[3][BSIZE]; 1629 BIO *out; 1630 int j; 1631 1632 j = strlen(dbfile) + strlen(suffix); 1633 if (j + 6 >= BSIZE) { 1634 BIO_printf(bio_err, "file name too long\n"); 1635 goto err; 1636 } 1637#ifndef OPENSSL_SYS_VMS 1638 j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr", dbfile); 1639 j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.attr.%s", dbfile, suffix); 1640 j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, suffix); 1641#else 1642 j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr", dbfile); 1643 j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-attr-%s", dbfile, suffix); 1644 j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, suffix); 1645#endif 1646 out = BIO_new_file(buf[0], "w"); 1647 if (out == NULL) { 1648 perror(dbfile); 1649 BIO_printf(bio_err, "unable to open '%s'\n", dbfile); 1650 goto err; 1651 } 1652 j = TXT_DB_write(out, db->db); 1653 BIO_free(out); 1654 if (j <= 0) 1655 goto err; 1656 1657 out = BIO_new_file(buf[1], "w"); 1658 if (out == NULL) { 1659 perror(buf[2]); 1660 BIO_printf(bio_err, "unable to open '%s'\n", buf[2]); 1661 goto err; 1662 } 1663 BIO_printf(out, "unique_subject = %s\n", 1664 db->attributes.unique_subject ? "yes" : "no"); 1665 BIO_free(out); 1666 1667 return 1; 1668 err: 1669 return 0; 1670} 1671 1672int rotate_index(const char *dbfile, const char *new_suffix, 1673 const char *old_suffix) 1674{ 1675 char buf[5][BSIZE]; 1676 int i, j; 1677 1678 i = strlen(dbfile) + strlen(old_suffix); 1679 j = strlen(dbfile) + strlen(new_suffix); 1680 if (i > j) 1681 j = i; 1682 if (j + 6 >= BSIZE) { 1683 BIO_printf(bio_err, "file name too long\n"); 1684 goto err; 1685 } 1686#ifndef OPENSSL_SYS_VMS 1687 j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s.attr", dbfile); 1688 j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s.attr.%s", dbfile, old_suffix); 1689 j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr.%s", dbfile, new_suffix); 1690 j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", dbfile, old_suffix); 1691 j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, new_suffix); 1692#else 1693 j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s-attr", dbfile); 1694 j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s-attr-%s", dbfile, old_suffix); 1695 j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr-%s", dbfile, new_suffix); 1696 j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", dbfile, old_suffix); 1697 j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, new_suffix); 1698#endif 1699 if (rename(dbfile, buf[1]) < 0 && errno != ENOENT 1700#ifdef ENOTDIR 1701 && errno != ENOTDIR 1702#endif 1703 ) { 1704 BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]); 1705 perror("reason"); 1706 goto err; 1707 } 1708 if (rename(buf[0], dbfile) < 0) { 1709 BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile); 1710 perror("reason"); 1711 rename(buf[1], dbfile); 1712 goto err; 1713 } 1714 if (rename(buf[4], buf[3]) < 0 && errno != ENOENT 1715#ifdef ENOTDIR 1716 && errno != ENOTDIR 1717#endif 1718 ) { 1719 BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]); 1720 perror("reason"); 1721 rename(dbfile, buf[0]); 1722 rename(buf[1], dbfile); 1723 goto err; 1724 } 1725 if (rename(buf[2], buf[4]) < 0) { 1726 BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]); 1727 perror("reason"); 1728 rename(buf[3], buf[4]); 1729 rename(dbfile, buf[0]); 1730 rename(buf[1], dbfile); 1731 goto err; 1732 } 1733 return 1; 1734 err: 1735 return 0; 1736} 1737 1738void free_index(CA_DB *db) 1739{ 1740 if (db) { 1741 TXT_DB_free(db->db); 1742 OPENSSL_free(db->dbfname); 1743 OPENSSL_free(db); 1744 } 1745} 1746 1747int parse_yesno(const char *str, int def) 1748{ 1749 if (str) { 1750 switch (*str) { 1751 case 'f': /* false */ 1752 case 'F': /* FALSE */ 1753 case 'n': /* no */ 1754 case 'N': /* NO */ 1755 case '0': /* 0 */ 1756 return 0; 1757 case 't': /* true */ 1758 case 'T': /* TRUE */ 1759 case 'y': /* yes */ 1760 case 'Y': /* YES */ 1761 case '1': /* 1 */ 1762 return 1; 1763 } 1764 } 1765 return def; 1766} 1767 1768/* 1769 * name is expected to be in the format /type0=value0/type1=value1/type2=... 1770 * where characters may be escaped by \ 1771 */ 1772X509_NAME *parse_name(const char *cp, long chtype, int canmulti) 1773{ 1774 int nextismulti = 0; 1775 char *work; 1776 X509_NAME *n; 1777 1778 if (*cp++ != '/') { 1779 BIO_printf(bio_err, 1780 "name is expected to be in the format " 1781 "/type0=value0/type1=value1/type2=... where characters may " 1782 "be escaped by \\. This name is not in that format: '%s'\n", 1783 --cp); 1784 return NULL; 1785 } 1786 1787 n = X509_NAME_new(); 1788 if (n == NULL) 1789 return NULL; 1790 work = OPENSSL_strdup(cp); 1791 if (work == NULL) 1792 goto err; 1793 1794 while (*cp) { 1795 char *bp = work; 1796 char *typestr = bp; 1797 unsigned char *valstr; 1798 int nid; 1799 int ismulti = nextismulti; 1800 nextismulti = 0; 1801 1802 /* Collect the type */ 1803 while (*cp && *cp != '=') 1804 *bp++ = *cp++; 1805 if (*cp == '\0') { 1806 BIO_printf(bio_err, 1807 "%s: Hit end of string before finding the equals.\n", 1808 opt_getprog()); 1809 goto err; 1810 } 1811 *bp++ = '\0'; 1812 ++cp; 1813 1814 /* Collect the value. */ 1815 valstr = (unsigned char *)bp; 1816 for (; *cp && *cp != '/'; *bp++ = *cp++) { 1817 if (canmulti && *cp == '+') { 1818 nextismulti = 1; 1819 break; 1820 } 1821 if (*cp == '\\' && *++cp == '\0') { 1822 BIO_printf(bio_err, 1823 "%s: escape character at end of string\n", 1824 opt_getprog()); 1825 goto err; 1826 } 1827 } 1828 *bp++ = '\0'; 1829 1830 /* If not at EOS (must be + or /), move forward. */ 1831 if (*cp) 1832 ++cp; 1833 1834 /* Parse */ 1835 nid = OBJ_txt2nid(typestr); 1836 if (nid == NID_undef) { 1837 BIO_printf(bio_err, "%s: Skipping unknown attribute \"%s\"\n", 1838 opt_getprog(), typestr); 1839 continue; 1840 } 1841 if (*valstr == '\0') { 1842 BIO_printf(bio_err, 1843 "%s: No value provided for Subject Attribute %s, skipped\n", 1844 opt_getprog(), typestr); 1845 continue; 1846 } 1847 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, 1848 valstr, strlen((char *)valstr), 1849 -1, ismulti ? -1 : 0)) 1850 goto err; 1851 } 1852 1853 OPENSSL_free(work); 1854 return n; 1855 1856 err: 1857 X509_NAME_free(n); 1858 OPENSSL_free(work); 1859 return NULL; 1860} 1861 1862/* 1863 * Read whole contents of a BIO into an allocated memory buffer and return 1864 * it. 1865 */ 1866 1867int bio_to_mem(unsigned char **out, int maxlen, BIO *in) 1868{ 1869 BIO *mem; 1870 int len, ret; 1871 unsigned char tbuf[1024]; 1872 1873 mem = BIO_new(BIO_s_mem()); 1874 if (mem == NULL) 1875 return -1; 1876 for (;;) { 1877 if ((maxlen != -1) && maxlen < 1024) 1878 len = maxlen; 1879 else 1880 len = 1024; 1881 len = BIO_read(in, tbuf, len); 1882 if (len < 0) { 1883 BIO_free(mem); 1884 return -1; 1885 } 1886 if (len == 0) 1887 break; 1888 if (BIO_write(mem, tbuf, len) != len) { 1889 BIO_free(mem); 1890 return -1; 1891 } 1892 maxlen -= len; 1893 1894 if (maxlen == 0) 1895 break; 1896 } 1897 ret = BIO_get_mem_data(mem, (char **)out); 1898 BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY); 1899 BIO_free(mem); 1900 return ret; 1901} 1902 1903int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value) 1904{ 1905 int rv; 1906 char *stmp, *vtmp = NULL; 1907 stmp = OPENSSL_strdup(value); 1908 if (!stmp) 1909 return -1; 1910 vtmp = strchr(stmp, ':'); 1911 if (vtmp) { 1912 *vtmp = 0; 1913 vtmp++; 1914 } 1915 rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp); 1916 OPENSSL_free(stmp); 1917 return rv; 1918} 1919 1920static void nodes_print(const char *name, STACK_OF(X509_POLICY_NODE) *nodes) 1921{ 1922 X509_POLICY_NODE *node; 1923 int i; 1924 1925 BIO_printf(bio_err, "%s Policies:", name); 1926 if (nodes) { 1927 BIO_puts(bio_err, "\n"); 1928 for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { 1929 node = sk_X509_POLICY_NODE_value(nodes, i); 1930 X509_POLICY_NODE_print(bio_err, node, 2); 1931 } 1932 } else { 1933 BIO_puts(bio_err, " <empty>\n"); 1934 } 1935} 1936 1937void policies_print(X509_STORE_CTX *ctx) 1938{ 1939 X509_POLICY_TREE *tree; 1940 int explicit_policy; 1941 tree = X509_STORE_CTX_get0_policy_tree(ctx); 1942 explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx); 1943 1944 BIO_printf(bio_err, "Require explicit Policy: %s\n", 1945 explicit_policy ? "True" : "False"); 1946 1947 nodes_print("Authority", X509_policy_tree_get0_policies(tree)); 1948 nodes_print("User", X509_policy_tree_get0_user_policies(tree)); 1949} 1950 1951/*- 1952 * next_protos_parse parses a comma separated list of strings into a string 1953 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. 1954 * outlen: (output) set to the length of the resulting buffer on success. 1955 * err: (maybe NULL) on failure, an error message line is written to this BIO. 1956 * in: a NUL terminated string like "abc,def,ghi" 1957 * 1958 * returns: a malloc'd buffer or NULL on failure. 1959 */ 1960unsigned char *next_protos_parse(size_t *outlen, const char *in) 1961{ 1962 size_t len; 1963 unsigned char *out; 1964 size_t i, start = 0; 1965 size_t skipped = 0; 1966 1967 len = strlen(in); 1968 if (len == 0 || len >= 65535) 1969 return NULL; 1970 1971 out = app_malloc(len + 1, "NPN buffer"); 1972 for (i = 0; i <= len; ++i) { 1973 if (i == len || in[i] == ',') { 1974 /* 1975 * Zero-length ALPN elements are invalid on the wire, we could be 1976 * strict and reject the entire string, but just ignoring extra 1977 * commas seems harmless and more friendly. 1978 * 1979 * Every comma we skip in this way puts the input buffer another 1980 * byte ahead of the output buffer, so all stores into the output 1981 * buffer need to be decremented by the number commas skipped. 1982 */ 1983 if (i == start) { 1984 ++start; 1985 ++skipped; 1986 continue; 1987 } 1988 if (i - start > 255) { 1989 OPENSSL_free(out); 1990 return NULL; 1991 } 1992 out[start-skipped] = (unsigned char)(i - start); 1993 start = i + 1; 1994 } else { 1995 out[i + 1 - skipped] = in[i]; 1996 } 1997 } 1998 1999 if (len <= skipped) { 2000 OPENSSL_free(out); 2001 return NULL; 2002 } 2003 2004 *outlen = len + 1 - skipped; 2005 return out; 2006} 2007 2008void print_cert_checks(BIO *bio, X509 *x, 2009 const char *checkhost, 2010 const char *checkemail, const char *checkip) 2011{ 2012 if (x == NULL) 2013 return; 2014 if (checkhost) { 2015 BIO_printf(bio, "Hostname %s does%s match certificate\n", 2016 checkhost, 2017 X509_check_host(x, checkhost, 0, 0, NULL) == 1 2018 ? "" : " NOT"); 2019 } 2020 2021 if (checkemail) { 2022 BIO_printf(bio, "Email %s does%s match certificate\n", 2023 checkemail, X509_check_email(x, checkemail, 0, 0) 2024 ? "" : " NOT"); 2025 } 2026 2027 if (checkip) { 2028 BIO_printf(bio, "IP %s does%s match certificate\n", 2029 checkip, X509_check_ip_asc(x, checkip, 0) ? "" : " NOT"); 2030 } 2031} 2032 2033/* Get first http URL from a DIST_POINT structure */ 2034 2035static const char *get_dp_url(DIST_POINT *dp) 2036{ 2037 GENERAL_NAMES *gens; 2038 GENERAL_NAME *gen; 2039 int i, gtype; 2040 ASN1_STRING *uri; 2041 if (!dp->distpoint || dp->distpoint->type != 0) 2042 return NULL; 2043 gens = dp->distpoint->name.fullname; 2044 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { 2045 gen = sk_GENERAL_NAME_value(gens, i); 2046 uri = GENERAL_NAME_get0_value(gen, >ype); 2047 if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) { 2048 const char *uptr = (const char *)ASN1_STRING_get0_data(uri); 2049 if (strncmp(uptr, "http://", 7) == 0) 2050 return uptr; 2051 } 2052 } 2053 return NULL; 2054} 2055 2056/* 2057 * Look through a CRLDP structure and attempt to find an http URL to 2058 * downloads a CRL from. 2059 */ 2060 2061static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp) 2062{ 2063 int i; 2064 const char *urlptr = NULL; 2065 for (i = 0; i < sk_DIST_POINT_num(crldp); i++) { 2066 DIST_POINT *dp = sk_DIST_POINT_value(crldp, i); 2067 urlptr = get_dp_url(dp); 2068 if (urlptr) 2069 return load_crl(urlptr, FORMAT_HTTP); 2070 } 2071 return NULL; 2072} 2073 2074/* 2075 * Example of downloading CRLs from CRLDP: not usable for real world as it 2076 * always downloads, doesn't support non-blocking I/O and doesn't cache 2077 * anything. 2078 */ 2079 2080static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm) 2081{ 2082 X509 *x; 2083 STACK_OF(X509_CRL) *crls = NULL; 2084 X509_CRL *crl; 2085 STACK_OF(DIST_POINT) *crldp; 2086 2087 crls = sk_X509_CRL_new_null(); 2088 if (!crls) 2089 return NULL; 2090 x = X509_STORE_CTX_get_current_cert(ctx); 2091 crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); 2092 crl = load_crl_crldp(crldp); 2093 sk_DIST_POINT_pop_free(crldp, DIST_POINT_free); 2094 if (!crl) { 2095 sk_X509_CRL_free(crls); 2096 return NULL; 2097 } 2098 sk_X509_CRL_push(crls, crl); 2099 /* Try to download delta CRL */ 2100 crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL); 2101 crl = load_crl_crldp(crldp); 2102 sk_DIST_POINT_pop_free(crldp, DIST_POINT_free); 2103 if (crl) 2104 sk_X509_CRL_push(crls, crl); 2105 return crls; 2106} 2107 2108void store_setup_crl_download(X509_STORE *st) 2109{ 2110 X509_STORE_set_lookup_crls_cb(st, crls_http_cb); 2111} 2112 2113/* 2114 * Platform-specific sections 2115 */ 2116#if defined(_WIN32) 2117# ifdef fileno 2118# undef fileno 2119# define fileno(a) (int)_fileno(a) 2120# endif 2121 2122# include <windows.h> 2123# include <tchar.h> 2124 2125static int WIN32_rename(const char *from, const char *to) 2126{ 2127 TCHAR *tfrom = NULL, *tto; 2128 DWORD err; 2129 int ret = 0; 2130 2131 if (sizeof(TCHAR) == 1) { 2132 tfrom = (TCHAR *)from; 2133 tto = (TCHAR *)to; 2134 } else { /* UNICODE path */ 2135 2136 size_t i, flen = strlen(from) + 1, tlen = strlen(to) + 1; 2137 tfrom = malloc(sizeof(*tfrom) * (flen + tlen)); 2138 if (tfrom == NULL) 2139 goto err; 2140 tto = tfrom + flen; 2141# if !defined(_WIN32_WCE) || _WIN32_WCE>=101 2142 if (!MultiByteToWideChar(CP_ACP, 0, from, flen, (WCHAR *)tfrom, flen)) 2143# endif 2144 for (i = 0; i < flen; i++) 2145 tfrom[i] = (TCHAR)from[i]; 2146# if !defined(_WIN32_WCE) || _WIN32_WCE>=101 2147 if (!MultiByteToWideChar(CP_ACP, 0, to, tlen, (WCHAR *)tto, tlen)) 2148# endif 2149 for (i = 0; i < tlen; i++) 2150 tto[i] = (TCHAR)to[i]; 2151 } 2152 2153 if (MoveFile(tfrom, tto)) 2154 goto ok; 2155 err = GetLastError(); 2156 if (err == ERROR_ALREADY_EXISTS || err == ERROR_FILE_EXISTS) { 2157 if (DeleteFile(tto) && MoveFile(tfrom, tto)) 2158 goto ok; 2159 err = GetLastError(); 2160 } 2161 if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND) 2162 errno = ENOENT; 2163 else if (err == ERROR_ACCESS_DENIED) 2164 errno = EACCES; 2165 else 2166 errno = EINVAL; /* we could map more codes... */ 2167 err: 2168 ret = -1; 2169 ok: 2170 if (tfrom != NULL && tfrom != (TCHAR *)from) 2171 free(tfrom); 2172 return ret; 2173} 2174#endif 2175 2176/* app_tminterval section */ 2177#if defined(_WIN32) 2178double app_tminterval(int stop, int usertime) 2179{ 2180 FILETIME now; 2181 double ret = 0; 2182 static ULARGE_INTEGER tmstart; 2183 static int warning = 1; 2184# ifdef _WIN32_WINNT 2185 static HANDLE proc = NULL; 2186 2187 if (proc == NULL) { 2188 if (check_winnt()) 2189 proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, 2190 GetCurrentProcessId()); 2191 if (proc == NULL) 2192 proc = (HANDLE) - 1; 2193 } 2194 2195 if (usertime && proc != (HANDLE) - 1) { 2196 FILETIME junk; 2197 GetProcessTimes(proc, &junk, &junk, &junk, &now); 2198 } else 2199# endif 2200 { 2201 SYSTEMTIME systime; 2202 2203 if (usertime && warning) { 2204 BIO_printf(bio_err, "To get meaningful results, run " 2205 "this program on idle system.\n"); 2206 warning = 0; 2207 } 2208 GetSystemTime(&systime); 2209 SystemTimeToFileTime(&systime, &now); 2210 } 2211 2212 if (stop == TM_START) { 2213 tmstart.u.LowPart = now.dwLowDateTime; 2214 tmstart.u.HighPart = now.dwHighDateTime; 2215 } else { 2216 ULARGE_INTEGER tmstop; 2217 2218 tmstop.u.LowPart = now.dwLowDateTime; 2219 tmstop.u.HighPart = now.dwHighDateTime; 2220 2221 ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart) * 1e-7; 2222 } 2223 2224 return ret; 2225} 2226#elif defined(OPENSSL_SYS_VXWORKS) 2227# include <time.h> 2228 2229double app_tminterval(int stop, int usertime) 2230{ 2231 double ret = 0; 2232# ifdef CLOCK_REALTIME 2233 static struct timespec tmstart; 2234 struct timespec now; 2235# else 2236 static unsigned long tmstart; 2237 unsigned long now; 2238# endif 2239 static int warning = 1; 2240 2241 if (usertime && warning) { 2242 BIO_printf(bio_err, "To get meaningful results, run " 2243 "this program on idle system.\n"); 2244 warning = 0; 2245 } 2246# ifdef CLOCK_REALTIME 2247 clock_gettime(CLOCK_REALTIME, &now); 2248 if (stop == TM_START) 2249 tmstart = now; 2250 else 2251 ret = ((now.tv_sec + now.tv_nsec * 1e-9) 2252 - (tmstart.tv_sec + tmstart.tv_nsec * 1e-9)); 2253# else 2254 now = tickGet(); 2255 if (stop == TM_START) 2256 tmstart = now; 2257 else 2258 ret = (now - tmstart) / (double)sysClkRateGet(); 2259# endif 2260 return ret; 2261} 2262 2263#elif defined(OPENSSL_SYSTEM_VMS) 2264# include <time.h> 2265# include <times.h> 2266 2267double app_tminterval(int stop, int usertime) 2268{ 2269 static clock_t tmstart; 2270 double ret = 0; 2271 clock_t now; 2272# ifdef __TMS 2273 struct tms rus; 2274 2275 now = times(&rus); 2276 if (usertime) 2277 now = rus.tms_utime; 2278# else 2279 if (usertime) 2280 now = clock(); /* sum of user and kernel times */ 2281 else { 2282 struct timeval tv; 2283 gettimeofday(&tv, NULL); 2284 now = (clock_t)((unsigned long long)tv.tv_sec * CLK_TCK + 2285 (unsigned long long)tv.tv_usec * (1000000 / CLK_TCK) 2286 ); 2287 } 2288# endif 2289 if (stop == TM_START) 2290 tmstart = now; 2291 else 2292 ret = (now - tmstart) / (double)(CLK_TCK); 2293 2294 return ret; 2295} 2296 2297#elif defined(_SC_CLK_TCK) /* by means of unistd.h */ 2298# include <sys/times.h> 2299 2300double app_tminterval(int stop, int usertime) 2301{ 2302 double ret = 0; 2303 struct tms rus; 2304 clock_t now = times(&rus); 2305 static clock_t tmstart; 2306 2307 if (usertime) 2308 now = rus.tms_utime; 2309 2310 if (stop == TM_START) { 2311 tmstart = now; 2312 } else { 2313 long int tck = sysconf(_SC_CLK_TCK); 2314 ret = (now - tmstart) / (double)tck; 2315 } 2316 2317 return ret; 2318} 2319 2320#else 2321# include <sys/time.h> 2322# include <sys/resource.h> 2323 2324double app_tminterval(int stop, int usertime) 2325{ 2326 double ret = 0; 2327 struct rusage rus; 2328 struct timeval now; 2329 static struct timeval tmstart; 2330 2331 if (usertime) 2332 getrusage(RUSAGE_SELF, &rus), now = rus.ru_utime; 2333 else 2334 gettimeofday(&now, NULL); 2335 2336 if (stop == TM_START) 2337 tmstart = now; 2338 else 2339 ret = ((now.tv_sec + now.tv_usec * 1e-6) 2340 - (tmstart.tv_sec + tmstart.tv_usec * 1e-6)); 2341 2342 return ret; 2343} 2344#endif 2345 2346int app_access(const char* name, int flag) 2347{ 2348#ifdef _WIN32 2349 return _access(name, flag); 2350#else 2351 return access(name, flag); 2352#endif 2353} 2354 2355/* app_isdir section */ 2356#ifdef _WIN32 2357int app_isdir(const char *name) 2358{ 2359 DWORD attr; 2360# if defined(UNICODE) || defined(_UNICODE) 2361 size_t i, len_0 = strlen(name) + 1; 2362 WCHAR tempname[MAX_PATH]; 2363 2364 if (len_0 > MAX_PATH) 2365 return -1; 2366 2367# if !defined(_WIN32_WCE) || _WIN32_WCE>=101 2368 if (!MultiByteToWideChar(CP_ACP, 0, name, len_0, tempname, MAX_PATH)) 2369# endif 2370 for (i = 0; i < len_0; i++) 2371 tempname[i] = (WCHAR)name[i]; 2372 2373 attr = GetFileAttributes(tempname); 2374# else 2375 attr = GetFileAttributes(name); 2376# endif 2377 if (attr == INVALID_FILE_ATTRIBUTES) 2378 return -1; 2379 return ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0); 2380} 2381#else 2382# include <sys/stat.h> 2383# ifndef S_ISDIR 2384# if defined(_S_IFMT) && defined(_S_IFDIR) 2385# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) 2386# else 2387# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) 2388# endif 2389# endif 2390 2391int app_isdir(const char *name) 2392{ 2393# if defined(S_ISDIR) 2394 struct stat st; 2395 2396 if (stat(name, &st) == 0) 2397 return S_ISDIR(st.st_mode); 2398 else 2399 return -1; 2400# else 2401 return -1; 2402# endif 2403} 2404#endif 2405 2406/* raw_read|write section */ 2407#if defined(__VMS) 2408# include "vms_term_sock.h" 2409static int stdin_sock = -1; 2410 2411static void close_stdin_sock(void) 2412{ 2413 TerminalSocket (TERM_SOCK_DELETE, &stdin_sock); 2414} 2415 2416int fileno_stdin(void) 2417{ 2418 if (stdin_sock == -1) { 2419 TerminalSocket(TERM_SOCK_CREATE, &stdin_sock); 2420 atexit(close_stdin_sock); 2421 } 2422 2423 return stdin_sock; 2424} 2425#else 2426int fileno_stdin(void) 2427{ 2428 return fileno(stdin); 2429} 2430#endif 2431 2432int fileno_stdout(void) 2433{ 2434 return fileno(stdout); 2435} 2436 2437#if defined(_WIN32) && defined(STD_INPUT_HANDLE) 2438int raw_read_stdin(void *buf, int siz) 2439{ 2440 DWORD n; 2441 if (ReadFile(GetStdHandle(STD_INPUT_HANDLE), buf, siz, &n, NULL)) 2442 return n; 2443 else 2444 return -1; 2445} 2446#elif defined(__VMS) 2447# include <sys/socket.h> 2448 2449int raw_read_stdin(void *buf, int siz) 2450{ 2451 return recv(fileno_stdin(), buf, siz, 0); 2452} 2453#else 2454int raw_read_stdin(void *buf, int siz) 2455{ 2456 return read(fileno_stdin(), buf, siz); 2457} 2458#endif 2459 2460#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE) 2461int raw_write_stdout(const void *buf, int siz) 2462{ 2463 DWORD n; 2464 if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), buf, siz, &n, NULL)) 2465 return n; 2466 else 2467 return -1; 2468} 2469#else 2470int raw_write_stdout(const void *buf, int siz) 2471{ 2472 return write(fileno_stdout(), buf, siz); 2473} 2474#endif 2475 2476/* 2477 * Centralized handling if input and output files with format specification 2478 * The format is meant to show what the input and output is supposed to be, 2479 * and is therefore a show of intent more than anything else. However, it 2480 * does impact behavior on some platform, such as differentiating between 2481 * text and binary input/output on non-Unix platforms 2482 */ 2483static int istext(int format) 2484{ 2485 return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT; 2486} 2487 2488BIO *dup_bio_in(int format) 2489{ 2490 return BIO_new_fp(stdin, 2491 BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0)); 2492} 2493 2494static BIO_METHOD *prefix_method = NULL; 2495 2496BIO *dup_bio_out(int format) 2497{ 2498 BIO *b = BIO_new_fp(stdout, 2499 BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0)); 2500 void *prefix = NULL; 2501 2502#ifdef OPENSSL_SYS_VMS 2503 if (istext(format)) 2504 b = BIO_push(BIO_new(BIO_f_linebuffer()), b); 2505#endif 2506 2507 if (istext(format) && (prefix = getenv("HARNESS_OSSL_PREFIX")) != NULL) { 2508 if (prefix_method == NULL) 2509 prefix_method = apps_bf_prefix(); 2510 b = BIO_push(BIO_new(prefix_method), b); 2511 BIO_ctrl(b, PREFIX_CTRL_SET_PREFIX, 0, prefix); 2512 } 2513 2514 return b; 2515} 2516 2517BIO *dup_bio_err(int format) 2518{ 2519 BIO *b = BIO_new_fp(stderr, 2520 BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0)); 2521#ifdef OPENSSL_SYS_VMS 2522 if (istext(format)) 2523 b = BIO_push(BIO_new(BIO_f_linebuffer()), b); 2524#endif 2525 return b; 2526} 2527 2528void destroy_prefix_method(void) 2529{ 2530 BIO_meth_free(prefix_method); 2531 prefix_method = NULL; 2532} 2533 2534void unbuffer(FILE *fp) 2535{ 2536/* 2537 * On VMS, setbuf() will only take 32-bit pointers, and a compilation 2538 * with /POINTER_SIZE=64 will give off a MAYLOSEDATA2 warning here. 2539 * However, we trust that the C RTL will never give us a FILE pointer 2540 * above the first 4 GB of memory, so we simply turn off the warning 2541 * temporarily. 2542 */ 2543#if defined(OPENSSL_SYS_VMS) && defined(__DECC) 2544# pragma environment save 2545# pragma message disable maylosedata2 2546#endif 2547 setbuf(fp, NULL); 2548#if defined(OPENSSL_SYS_VMS) && defined(__DECC) 2549# pragma environment restore 2550#endif 2551} 2552 2553static const char *modestr(char mode, int format) 2554{ 2555 OPENSSL_assert(mode == 'a' || mode == 'r' || mode == 'w'); 2556 2557 switch (mode) { 2558 case 'a': 2559 return istext(format) ? "a" : "ab"; 2560 case 'r': 2561 return istext(format) ? "r" : "rb"; 2562 case 'w': 2563 return istext(format) ? "w" : "wb"; 2564 } 2565 /* The assert above should make sure we never reach this point */ 2566 return NULL; 2567} 2568 2569static const char *modeverb(char mode) 2570{ 2571 switch (mode) { 2572 case 'a': 2573 return "appending"; 2574 case 'r': 2575 return "reading"; 2576 case 'w': 2577 return "writing"; 2578 } 2579 return "(doing something)"; 2580} 2581 2582/* 2583 * Open a file for writing, owner-read-only. 2584 */ 2585BIO *bio_open_owner(const char *filename, int format, int private) 2586{ 2587 FILE *fp = NULL; 2588 BIO *b = NULL; 2589 int fd = -1, bflags, mode, textmode; 2590 2591 if (!private || filename == NULL || strcmp(filename, "-") == 0) 2592 return bio_open_default(filename, 'w', format); 2593 2594 mode = O_WRONLY; 2595#ifdef O_CREAT 2596 mode |= O_CREAT; 2597#endif 2598#ifdef O_TRUNC 2599 mode |= O_TRUNC; 2600#endif 2601 textmode = istext(format); 2602 if (!textmode) { 2603#ifdef O_BINARY 2604 mode |= O_BINARY; 2605#elif defined(_O_BINARY) 2606 mode |= _O_BINARY; 2607#endif 2608 } 2609 2610#ifdef OPENSSL_SYS_VMS 2611 /* VMS doesn't have O_BINARY, it just doesn't make sense. But, 2612 * it still needs to know that we're going binary, or fdopen() 2613 * will fail with "invalid argument"... so we tell VMS what the 2614 * context is. 2615 */ 2616 if (!textmode) 2617 fd = open(filename, mode, 0600, "ctx=bin"); 2618 else 2619#endif 2620 fd = open(filename, mode, 0600); 2621 if (fd < 0) 2622 goto err; 2623 fp = fdopen(fd, modestr('w', format)); 2624 if (fp == NULL) 2625 goto err; 2626 bflags = BIO_CLOSE; 2627 if (textmode) 2628 bflags |= BIO_FP_TEXT; 2629 b = BIO_new_fp(fp, bflags); 2630 if (b) 2631 return b; 2632 2633 err: 2634 BIO_printf(bio_err, "%s: Can't open \"%s\" for writing, %s\n", 2635 opt_getprog(), filename, strerror(errno)); 2636 ERR_print_errors(bio_err); 2637 /* If we have fp, then fdopen took over fd, so don't close both. */ 2638 if (fp) 2639 fclose(fp); 2640 else if (fd >= 0) 2641 close(fd); 2642 return NULL; 2643} 2644 2645static BIO *bio_open_default_(const char *filename, char mode, int format, 2646 int quiet) 2647{ 2648 BIO *ret; 2649 2650 if (filename == NULL || strcmp(filename, "-") == 0) { 2651 ret = mode == 'r' ? dup_bio_in(format) : dup_bio_out(format); 2652 if (quiet) { 2653 ERR_clear_error(); 2654 return ret; 2655 } 2656 if (ret != NULL) 2657 return ret; 2658 BIO_printf(bio_err, 2659 "Can't open %s, %s\n", 2660 mode == 'r' ? "stdin" : "stdout", strerror(errno)); 2661 } else { 2662 ret = BIO_new_file(filename, modestr(mode, format)); 2663 if (quiet) { 2664 ERR_clear_error(); 2665 return ret; 2666 } 2667 if (ret != NULL) 2668 return ret; 2669 BIO_printf(bio_err, 2670 "Can't open %s for %s, %s\n", 2671 filename, modeverb(mode), strerror(errno)); 2672 } 2673 ERR_print_errors(bio_err); 2674 return NULL; 2675} 2676 2677BIO *bio_open_default(const char *filename, char mode, int format) 2678{ 2679 return bio_open_default_(filename, mode, format, 0); 2680} 2681 2682BIO *bio_open_default_quiet(const char *filename, char mode, int format) 2683{ 2684 return bio_open_default_(filename, mode, format, 1); 2685} 2686 2687void wait_for_async(SSL *s) 2688{ 2689 /* On Windows select only works for sockets, so we simply don't wait */ 2690#ifndef OPENSSL_SYS_WINDOWS 2691 int width = 0; 2692 fd_set asyncfds; 2693 OSSL_ASYNC_FD *fds; 2694 size_t numfds; 2695 size_t i; 2696 2697 if (!SSL_get_all_async_fds(s, NULL, &numfds)) 2698 return; 2699 if (numfds == 0) 2700 return; 2701 fds = app_malloc(sizeof(OSSL_ASYNC_FD) * numfds, "allocate async fds"); 2702 if (!SSL_get_all_async_fds(s, fds, &numfds)) { 2703 OPENSSL_free(fds); 2704 return; 2705 } 2706 2707 FD_ZERO(&asyncfds); 2708 for (i = 0; i < numfds; i++) { 2709 if (width <= (int)fds[i]) 2710 width = (int)fds[i] + 1; 2711 openssl_fdset((int)fds[i], &asyncfds); 2712 } 2713 select(width, (void *)&asyncfds, NULL, NULL, NULL); 2714 OPENSSL_free(fds); 2715#endif 2716} 2717 2718/* if OPENSSL_SYS_WINDOWS is defined then so is OPENSSL_SYS_MSDOS */ 2719#if defined(OPENSSL_SYS_MSDOS) 2720int has_stdin_waiting(void) 2721{ 2722# if defined(OPENSSL_SYS_WINDOWS) 2723 HANDLE inhand = GetStdHandle(STD_INPUT_HANDLE); 2724 DWORD events = 0; 2725 INPUT_RECORD inputrec; 2726 DWORD insize = 1; 2727 BOOL peeked; 2728 2729 if (inhand == INVALID_HANDLE_VALUE) { 2730 return 0; 2731 } 2732 2733 peeked = PeekConsoleInput(inhand, &inputrec, insize, &events); 2734 if (!peeked) { 2735 /* Probably redirected input? _kbhit() does not work in this case */ 2736 if (!feof(stdin)) { 2737 return 1; 2738 } 2739 return 0; 2740 } 2741# endif 2742 return _kbhit(); 2743} 2744#endif 2745 2746/* Corrupt a signature by modifying final byte */ 2747void corrupt_signature(const ASN1_STRING *signature) 2748{ 2749 unsigned char *s = signature->data; 2750 s[signature->length - 1] ^= 0x1; 2751} 2752 2753int set_cert_times(X509 *x, const char *startdate, const char *enddate, 2754 int days) 2755{ 2756 if (startdate == NULL || strcmp(startdate, "today") == 0) { 2757 if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL) 2758 return 0; 2759 } else { 2760 if (!ASN1_TIME_set_string_X509(X509_getm_notBefore(x), startdate)) 2761 return 0; 2762 } 2763 if (enddate == NULL) { 2764 if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL) 2765 == NULL) 2766 return 0; 2767 } else if (!ASN1_TIME_set_string_X509(X509_getm_notAfter(x), enddate)) { 2768 return 0; 2769 } 2770 return 1; 2771} 2772 2773void make_uppercase(char *string) 2774{ 2775 int i; 2776 2777 for (i = 0; string[i] != '\0'; i++) 2778 string[i] = toupper((unsigned char)string[i]); 2779} 2780