From aa4d426b4d3527d7e166df1a05058c9a4a0f6683 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Fri, 30 Apr 2021 00:33:56 +0200 Subject: initial/final commit --- openssl-1.1.0h/apps/CA.pl.in | 196 ++ openssl-1.1.0h/apps/app_rand.c | 115 + openssl-1.1.0h/apps/apps.c | 2650 +++++++++++++++++ openssl-1.1.0h/apps/apps.h | 573 ++++ openssl-1.1.0h/apps/asn1pars.c | 330 ++ openssl-1.1.0h/apps/build.info | 28 + openssl-1.1.0h/apps/ca-cert.srl | 1 + openssl-1.1.0h/apps/ca-key.pem | 16 + openssl-1.1.0h/apps/ca-req.pem | 11 + openssl-1.1.0h/apps/ca.c | 2593 ++++++++++++++++ openssl-1.1.0h/apps/cert.pem | 11 + openssl-1.1.0h/apps/ciphers.c | 242 ++ openssl-1.1.0h/apps/client.pem | 52 + openssl-1.1.0h/apps/cms.c | 1298 ++++++++ openssl-1.1.0h/apps/crl.c | 347 +++ openssl-1.1.0h/apps/crl2p7.c | 216 ++ openssl-1.1.0h/apps/ct_log_list.cnf | 34 + openssl-1.1.0h/apps/demoCA/cacert.pem | 14 + openssl-1.1.0h/apps/demoCA/index.txt | 39 + openssl-1.1.0h/apps/demoCA/private/cakey.pem | 24 + openssl-1.1.0h/apps/demoCA/serial | 1 + openssl-1.1.0h/apps/demoSRP/srp_verifier.txt | 6 + openssl-1.1.0h/apps/demoSRP/srp_verifier.txt.attr | 1 + openssl-1.1.0h/apps/dgst.c | 480 +++ openssl-1.1.0h/apps/dh1024.pem | 10 + openssl-1.1.0h/apps/dh2048.pem | 14 + openssl-1.1.0h/apps/dh4096.pem | 19 + openssl-1.1.0h/apps/dhparam.c | 392 +++ openssl-1.1.0h/apps/dsa-ca.pem | 47 + openssl-1.1.0h/apps/dsa-pca.pem | 47 + openssl-1.1.0h/apps/dsa.c | 265 ++ openssl-1.1.0h/apps/dsa1024.pem | 9 + openssl-1.1.0h/apps/dsa512.pem | 6 + openssl-1.1.0h/apps/dsap.pem | 6 + openssl-1.1.0h/apps/dsaparam.c | 316 ++ openssl-1.1.0h/apps/ec.c | 281 ++ openssl-1.1.0h/apps/ecparam.c | 471 +++ openssl-1.1.0h/apps/enc.c | 623 ++++ openssl-1.1.0h/apps/engine.c | 446 +++ openssl-1.1.0h/apps/errstr.c | 67 + openssl-1.1.0h/apps/gendsa.c | 147 + openssl-1.1.0h/apps/genpkey.c | 314 ++ openssl-1.1.0h/apps/genrsa.c | 198 ++ openssl-1.1.0h/apps/nseq.c | 113 + openssl-1.1.0h/apps/ocsp.c | 1290 ++++++++ openssl-1.1.0h/apps/openssl-vms.cnf | 346 +++ openssl-1.1.0h/apps/openssl.c | 703 +++++ openssl-1.1.0h/apps/openssl.cnf | 346 +++ openssl-1.1.0h/apps/opt.c | 977 ++++++ openssl-1.1.0h/apps/passwd.c | 512 ++++ openssl-1.1.0h/apps/pca-cert.srl | 1 + openssl-1.1.0h/apps/pca-key.pem | 16 + openssl-1.1.0h/apps/pca-req.pem | 11 + openssl-1.1.0h/apps/pkcs12.c | 935 ++++++ openssl-1.1.0h/apps/pkcs7.c | 197 ++ openssl-1.1.0h/apps/pkcs8.c | 353 +++ openssl-1.1.0h/apps/pkey.c | 190 ++ openssl-1.1.0h/apps/pkeyparam.c | 104 + openssl-1.1.0h/apps/pkeyutl.c | 508 ++++ openssl-1.1.0h/apps/prime.c | 132 + openssl-1.1.0h/apps/privkey.pem | 16 + openssl-1.1.0h/apps/progs.pl | 164 + openssl-1.1.0h/apps/rand.c | 136 + openssl-1.1.0h/apps/rehash.c | 529 ++++ openssl-1.1.0h/apps/req.c | 1510 ++++++++++ openssl-1.1.0h/apps/req.pem | 11 + openssl-1.1.0h/apps/rsa.c | 310 ++ openssl-1.1.0h/apps/rsa8192.pem | 101 + openssl-1.1.0h/apps/rsautl.c | 278 ++ openssl-1.1.0h/apps/s1024key.pem | 15 + openssl-1.1.0h/apps/s1024req.pem | 11 + openssl-1.1.0h/apps/s512-key.pem | 9 + openssl-1.1.0h/apps/s512-req.pem | 8 + openssl-1.1.0h/apps/s_apps.h | 102 + openssl-1.1.0h/apps/s_cb.c | 1335 +++++++++ openssl-1.1.0h/apps/s_client.c | 2760 +++++++++++++++++ openssl-1.1.0h/apps/s_server.c | 3305 +++++++++++++++++++++ openssl-1.1.0h/apps/s_socket.c | 250 ++ openssl-1.1.0h/apps/s_time.c | 385 +++ openssl-1.1.0h/apps/server.pem | 52 + openssl-1.1.0h/apps/server.srl | 1 + openssl-1.1.0h/apps/server2.pem | 52 + openssl-1.1.0h/apps/sess_id.c | 190 ++ openssl-1.1.0h/apps/smime.c | 656 ++++ openssl-1.1.0h/apps/speed.c | 3149 ++++++++++++++++++++ openssl-1.1.0h/apps/spkac.c | 196 ++ openssl-1.1.0h/apps/srp.c | 613 ++++ openssl-1.1.0h/apps/testCA.pem | 8 + openssl-1.1.0h/apps/testdsa.h | 290 ++ openssl-1.1.0h/apps/testrsa.h | 1960 ++++++++++++ openssl-1.1.0h/apps/timeouts.h | 17 + openssl-1.1.0h/apps/ts.c | 995 +++++++ openssl-1.1.0h/apps/tsget.in | 200 ++ openssl-1.1.0h/apps/verify.c | 312 ++ openssl-1.1.0h/apps/version.c | 145 + openssl-1.1.0h/apps/vms_decc_init.c | 214 ++ openssl-1.1.0h/apps/vms_term_sock.c | 590 ++++ openssl-1.1.0h/apps/vms_term_sock.h | 30 + openssl-1.1.0h/apps/win32_init.c | 307 ++ openssl-1.1.0h/apps/x509.c | 1099 +++++++ 100 files changed, 42001 insertions(+) create mode 100644 openssl-1.1.0h/apps/CA.pl.in create mode 100644 openssl-1.1.0h/apps/app_rand.c create mode 100644 openssl-1.1.0h/apps/apps.c create mode 100644 openssl-1.1.0h/apps/apps.h create mode 100644 openssl-1.1.0h/apps/asn1pars.c create mode 100644 openssl-1.1.0h/apps/build.info create mode 100644 openssl-1.1.0h/apps/ca-cert.srl create mode 100644 openssl-1.1.0h/apps/ca-key.pem create mode 100644 openssl-1.1.0h/apps/ca-req.pem create mode 100644 openssl-1.1.0h/apps/ca.c create mode 100644 openssl-1.1.0h/apps/cert.pem create mode 100644 openssl-1.1.0h/apps/ciphers.c create mode 100644 openssl-1.1.0h/apps/client.pem create mode 100644 openssl-1.1.0h/apps/cms.c create mode 100644 openssl-1.1.0h/apps/crl.c create mode 100644 openssl-1.1.0h/apps/crl2p7.c create mode 100644 openssl-1.1.0h/apps/ct_log_list.cnf create mode 100644 openssl-1.1.0h/apps/demoCA/cacert.pem create mode 100644 openssl-1.1.0h/apps/demoCA/index.txt create mode 100644 openssl-1.1.0h/apps/demoCA/private/cakey.pem create mode 100644 openssl-1.1.0h/apps/demoCA/serial create mode 100644 openssl-1.1.0h/apps/demoSRP/srp_verifier.txt create mode 100644 openssl-1.1.0h/apps/demoSRP/srp_verifier.txt.attr create mode 100644 openssl-1.1.0h/apps/dgst.c create mode 100644 openssl-1.1.0h/apps/dh1024.pem create mode 100644 openssl-1.1.0h/apps/dh2048.pem create mode 100644 openssl-1.1.0h/apps/dh4096.pem create mode 100644 openssl-1.1.0h/apps/dhparam.c create mode 100644 openssl-1.1.0h/apps/dsa-ca.pem create mode 100644 openssl-1.1.0h/apps/dsa-pca.pem create mode 100644 openssl-1.1.0h/apps/dsa.c create mode 100644 openssl-1.1.0h/apps/dsa1024.pem create mode 100644 openssl-1.1.0h/apps/dsa512.pem create mode 100644 openssl-1.1.0h/apps/dsap.pem create mode 100644 openssl-1.1.0h/apps/dsaparam.c create mode 100644 openssl-1.1.0h/apps/ec.c create mode 100644 openssl-1.1.0h/apps/ecparam.c create mode 100644 openssl-1.1.0h/apps/enc.c create mode 100644 openssl-1.1.0h/apps/engine.c create mode 100644 openssl-1.1.0h/apps/errstr.c create mode 100644 openssl-1.1.0h/apps/gendsa.c create mode 100644 openssl-1.1.0h/apps/genpkey.c create mode 100644 openssl-1.1.0h/apps/genrsa.c create mode 100644 openssl-1.1.0h/apps/nseq.c create mode 100644 openssl-1.1.0h/apps/ocsp.c create mode 100644 openssl-1.1.0h/apps/openssl-vms.cnf create mode 100644 openssl-1.1.0h/apps/openssl.c create mode 100644 openssl-1.1.0h/apps/openssl.cnf create mode 100644 openssl-1.1.0h/apps/opt.c create mode 100644 openssl-1.1.0h/apps/passwd.c create mode 100644 openssl-1.1.0h/apps/pca-cert.srl create mode 100644 openssl-1.1.0h/apps/pca-key.pem create mode 100644 openssl-1.1.0h/apps/pca-req.pem create mode 100644 openssl-1.1.0h/apps/pkcs12.c create mode 100644 openssl-1.1.0h/apps/pkcs7.c create mode 100644 openssl-1.1.0h/apps/pkcs8.c create mode 100644 openssl-1.1.0h/apps/pkey.c create mode 100644 openssl-1.1.0h/apps/pkeyparam.c create mode 100644 openssl-1.1.0h/apps/pkeyutl.c create mode 100644 openssl-1.1.0h/apps/prime.c create mode 100644 openssl-1.1.0h/apps/privkey.pem create mode 100644 openssl-1.1.0h/apps/progs.pl create mode 100644 openssl-1.1.0h/apps/rand.c create mode 100644 openssl-1.1.0h/apps/rehash.c create mode 100644 openssl-1.1.0h/apps/req.c create mode 100644 openssl-1.1.0h/apps/req.pem create mode 100644 openssl-1.1.0h/apps/rsa.c create mode 100644 openssl-1.1.0h/apps/rsa8192.pem create mode 100644 openssl-1.1.0h/apps/rsautl.c create mode 100644 openssl-1.1.0h/apps/s1024key.pem create mode 100644 openssl-1.1.0h/apps/s1024req.pem create mode 100644 openssl-1.1.0h/apps/s512-key.pem create mode 100644 openssl-1.1.0h/apps/s512-req.pem create mode 100644 openssl-1.1.0h/apps/s_apps.h create mode 100644 openssl-1.1.0h/apps/s_cb.c create mode 100644 openssl-1.1.0h/apps/s_client.c create mode 100644 openssl-1.1.0h/apps/s_server.c create mode 100644 openssl-1.1.0h/apps/s_socket.c create mode 100644 openssl-1.1.0h/apps/s_time.c create mode 100644 openssl-1.1.0h/apps/server.pem create mode 100644 openssl-1.1.0h/apps/server.srl create mode 100644 openssl-1.1.0h/apps/server2.pem create mode 100644 openssl-1.1.0h/apps/sess_id.c create mode 100644 openssl-1.1.0h/apps/smime.c create mode 100644 openssl-1.1.0h/apps/speed.c create mode 100644 openssl-1.1.0h/apps/spkac.c create mode 100644 openssl-1.1.0h/apps/srp.c create mode 100644 openssl-1.1.0h/apps/testCA.pem create mode 100644 openssl-1.1.0h/apps/testdsa.h create mode 100644 openssl-1.1.0h/apps/testrsa.h create mode 100644 openssl-1.1.0h/apps/timeouts.h create mode 100644 openssl-1.1.0h/apps/ts.c create mode 100644 openssl-1.1.0h/apps/tsget.in create mode 100644 openssl-1.1.0h/apps/verify.c create mode 100644 openssl-1.1.0h/apps/version.c create mode 100644 openssl-1.1.0h/apps/vms_decc_init.c create mode 100644 openssl-1.1.0h/apps/vms_term_sock.c create mode 100644 openssl-1.1.0h/apps/vms_term_sock.h create mode 100644 openssl-1.1.0h/apps/win32_init.c create mode 100644 openssl-1.1.0h/apps/x509.c (limited to 'openssl-1.1.0h/apps') diff --git a/openssl-1.1.0h/apps/CA.pl.in b/openssl-1.1.0h/apps/CA.pl.in new file mode 100644 index 0000000..7277eec --- /dev/null +++ b/openssl-1.1.0h/apps/CA.pl.in @@ -0,0 +1,196 @@ +#!{- $config{hashbangperl} -} +# Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# +# Wrapper around the ca to make it easier to use +# +# {- join("\n# ", @autowarntext) -} + +use strict; +use warnings; + +my $openssl = "openssl"; +if(defined $ENV{'OPENSSL'}) { + $openssl = $ENV{'OPENSSL'}; +} else { + $ENV{'OPENSSL'} = $openssl; +} + +my $verbose = 1; + +my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || ""; +my $DAYS = "-days 365"; +my $CADAYS = "-days 1095"; # 3 years +my $REQ = "$openssl req $OPENSSL_CONFIG"; +my $CA = "$openssl ca $OPENSSL_CONFIG"; +my $VERIFY = "$openssl verify"; +my $X509 = "$openssl x509"; +my $PKCS12 = "$openssl pkcs12"; + +# default openssl.cnf file has setup as per the following +my $CATOP = "./demoCA"; +my $CAKEY = "cakey.pem"; +my $CAREQ = "careq.pem"; +my $CACERT = "cacert.pem"; +my $CACRL = "crl.pem"; +my $DIRMODE = 0777; + +my $NEWKEY = "newkey.pem"; +my $NEWREQ = "newreq.pem"; +my $NEWCERT = "newcert.pem"; +my $NEWP12 = "newcert.p12"; +my $RET = 0; +my $WHAT = shift @ARGV || ""; +my $FILE; + +# See if reason for a CRL entry is valid; exit if not. +sub crl_reason_ok +{ + my $r = shift; + + if ($r eq 'unspecified' || $r eq 'keyCompromise' + || $r eq 'CACompromise' || $r eq 'affiliationChanged' + || $r eq 'superseded' || $r eq 'cessationOfOperation' + || $r eq 'certificateHold' || $r eq 'removeFromCRL') { + return 1; + } + print STDERR "Invalid CRL reason; must be one of:\n"; + print STDERR " unspecified, keyCompromise, CACompromise,\n"; + print STDERR " affiliationChanged, superseded, cessationOfOperation\n"; + print STDERR " certificateHold, removeFromCRL"; + exit 1; +} + +# Copy a PEM-format file; return like exit status (zero means ok) +sub copy_pemfile +{ + my ($infile, $outfile, $bound) = @_; + my $found = 0; + + open IN, $infile || die "Cannot open $infile, $!"; + open OUT, ">$outfile" || die "Cannot write to $outfile, $!"; + while () { + $found = 1 if /^-----BEGIN.*$bound/; + print OUT $_ if $found; + $found = 2, last if /^-----END.*$bound/; + } + close IN; + close OUT; + return $found == 2 ? 0 : 1; +} + +# Wrapper around system; useful for debugging. Returns just the exit status +sub run +{ + my $cmd = shift; + print "====\n$cmd\n" if $verbose; + my $status = system($cmd); + print "==> $status\n====\n" if $verbose; + return $status >> 8; +} + + +if ( $WHAT =~ /^(-\?|-h|-help)$/ ) { + print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n"; + print STDERR " CA -pkcs12 [certname]\n"; + print STDERR " CA -crl|-revoke cert-filename [reason]\n"; + exit 0; +} +if ($WHAT eq '-newcert' ) { + # create a certificate + $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS"); + print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0; +} elsif ($WHAT eq '-newreq' ) { + # create a certificate request + $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS"); + print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0; +} elsif ($WHAT eq '-newreq-nodes' ) { + # create a certificate request + $RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS"); + print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0; +} elsif ($WHAT eq '-newca' ) { + # create the directory hierarchy + mkdir ${CATOP}, $DIRMODE; + mkdir "${CATOP}/certs", $DIRMODE; + mkdir "${CATOP}/crl", $DIRMODE ; + mkdir "${CATOP}/newcerts", $DIRMODE; + mkdir "${CATOP}/private", $DIRMODE; + open OUT, ">${CATOP}/index.txt"; + close OUT; + open OUT, ">${CATOP}/crlnumber"; + print OUT "01\n"; + close OUT; + # ask user for existing CA certificate + print "CA certificate filename (or enter to create)\n"; + $FILE = "" unless defined($FILE = ); + $FILE =~ s{\R$}{}; + if ($FILE ne "") { + copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE"); + copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE"); + } else { + print "Making CA certificate ...\n"; + $RET = run("$REQ -new -keyout" + . " ${CATOP}/private/$CAKEY" + . " -out ${CATOP}/$CAREQ"); + $RET = run("$CA -create_serial" + . " -out ${CATOP}/$CACERT $CADAYS -batch" + . " -keyfile ${CATOP}/private/$CAKEY -selfsign" + . " -extensions v3_ca" + . " -infiles ${CATOP}/$CAREQ") if $RET == 0; + print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0; + } +} elsif ($WHAT eq '-pkcs12' ) { + my $cname = $ARGV[0]; + $cname = "My Certificate" unless defined $cname; + $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY" + . " -certfile ${CATOP}/$CACERT" + . " -out $NEWP12" + . " -export -name \"$cname\""); + print "PKCS #12 file is in $NEWP12\n" if $RET == 0; +} elsif ($WHAT eq '-xsign' ) { + $RET = run("$CA -policy policy_anything -infiles $NEWREQ"); +} elsif ($WHAT eq '-sign' ) { + $RET = run("$CA -policy policy_anything -out $NEWCERT -infiles $NEWREQ"); + print "Signed certificate is in $NEWCERT\n" if $RET == 0; +} elsif ($WHAT eq '-signCA' ) { + $RET = run("$CA -policy policy_anything -out $NEWCERT" + . " -extensions v3_ca -infiles $NEWREQ"); + print "Signed CA certificate is in $NEWCERT\n" if $RET == 0; +} elsif ($WHAT eq '-signcert' ) { + $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ" + . " -out tmp.pem"); + $RET = run("$CA -policy policy_anything -out $NEWCERT" + . " -infiles tmp.pem") if $RET == 0; + print "Signed certificate is in $NEWCERT\n" if $RET == 0; +} elsif ($WHAT eq '-verify' ) { + my @files = @ARGV ? @ARGV : ( $NEWCERT ); + my $file; + foreach $file (@files) { + my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file"); + $RET = $status if $status != 0; + } +} elsif ($WHAT eq '-crl' ) { + $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL"); + print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0; +} elsif ($WHAT eq '-revoke' ) { + my $cname = $ARGV[0]; + if (!defined $cname) { + print "Certificate filename is required; reason optional.\n"; + exit 1; + } + my $reason = $ARGV[1]; + $reason = " -crl_reason $reason" + if defined $reason && crl_reason_ok($reason); + $RET = run("$CA -revoke \"$cname\"" . $reason); +} else { + print STDERR "Unknown arg \"$WHAT\"\n"; + print STDERR "Use -help for help.\n"; + exit 1; +} + +exit $RET; diff --git a/openssl-1.1.0h/apps/app_rand.c b/openssl-1.1.0h/apps/app_rand.c new file mode 100644 index 0000000..ff0771c --- /dev/null +++ b/openssl-1.1.0h/apps/app_rand.c @@ -0,0 +1,115 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "apps.h" +#include +#include + +static int seeded = 0; +static int egdsocket = 0; + +int app_RAND_load_file(const char *file, int dont_warn) +{ + int consider_randfile = (file == NULL); + char buffer[200]; + + if (file == NULL) + file = RAND_file_name(buffer, sizeof(buffer)); +#ifndef OPENSSL_NO_EGD + else if (RAND_egd(file) > 0) { + /* + * we try if the given filename is an EGD socket. if it is, we don't + * write anything back to the file. + */ + egdsocket = 1; + return 1; + } +#endif + if (file == NULL || !RAND_load_file(file, -1)) { + if (RAND_status() == 0) { + if (!dont_warn) { + BIO_printf(bio_err, "unable to load 'random state'\n"); + BIO_printf(bio_err, + "This means that the random number generator has not been seeded\n"); + BIO_printf(bio_err, "with much random data.\n"); + if (consider_randfile) { /* explanation does not apply when a + * file is explicitly named */ + BIO_printf(bio_err, + "Consider setting the RANDFILE environment variable to point at a file that\n"); + BIO_printf(bio_err, + "'random' data can be kept in (the file will be overwritten).\n"); + } + } + return 0; + } + } + seeded = 1; + return 1; +} + +long app_RAND_load_files(char *name) +{ + char *p, *n; + int last; + long tot = 0; +#ifndef OPENSSL_NO_EGD + int egd; +#endif + + for (;;) { + last = 0; + for (p = name; ((*p != '\0') && (*p != LIST_SEPARATOR_CHAR)); p++) ; + if (*p == '\0') + last = 1; + *p = '\0'; + n = name; + name = p + 1; + if (*n == '\0') + break; + +#ifndef OPENSSL_NO_EGD + egd = RAND_egd(n); + if (egd > 0) + tot += egd; + else +#endif + tot += RAND_load_file(n, -1); + if (last) + break; + } + if (tot > 512) + app_RAND_allow_write_file(); + return (tot); +} + +int app_RAND_write_file(const char *file) +{ + char buffer[200]; + + if (egdsocket || !seeded) + /* + * If we did not manage to read the seed file, we should not write a + * low-entropy seed file back -- it would suppress a crucial warning + * the next time we want to use it. + */ + return 0; + + if (file == NULL) + file = RAND_file_name(buffer, sizeof(buffer)); + if (file == NULL || !RAND_write_file(file)) { + BIO_printf(bio_err, "unable to write 'random state'\n"); + return 0; + } + return 1; +} + +void app_RAND_allow_write_file(void) +{ + seeded = 1; +} diff --git a/openssl-1.1.0h/apps/apps.c b/openssl-1.1.0h/apps/apps.c new file mode 100644 index 0000000..8703d0c --- /dev/null +++ b/openssl-1.1.0h/apps/apps.c @@ -0,0 +1,2650 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS) +/* + * On VMS, you need to define this to get the declaration of fileno(). The + * value 2 is to make sure no function defined in POSIX-2 is left undefined. + */ +# define _POSIX_C_SOURCE 2 +#endif + +#include +#include +#include +#include +#ifndef OPENSSL_NO_POSIX_IO +# include +# include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifndef OPENSSL_NO_ENGINE +# include +#endif +#ifndef OPENSSL_NO_RSA +# include +#endif +#include +#include +#include "s_apps.h" +#include "apps.h" + +#ifdef _WIN32 +static int WIN32_rename(const char *from, const char *to); +# define rename(from,to) WIN32_rename((from),(to)) +#endif + +typedef struct { + const char *name; + unsigned long flag; + unsigned long mask; +} NAME_EX_TBL; + +#if !defined(OPENSSL_NO_UI) || !defined(OPENSSL_NO_ENGINE) +static UI_METHOD *ui_method = NULL; +#endif + +static int set_table_opts(unsigned long *flags, const char *arg, + const NAME_EX_TBL * in_tbl); +static int set_multi_opts(unsigned long *flags, const char *arg, + const NAME_EX_TBL * in_tbl); + +int app_init(long mesgwin); + +int chopup_args(ARGS *arg, char *buf) +{ + int quoted; + char c = '\0', *p = NULL; + + arg->argc = 0; + if (arg->size == 0) { + arg->size = 20; + arg->argv = app_malloc(sizeof(*arg->argv) * arg->size, "argv space"); + } + + for (p = buf;;) { + /* Skip whitespace. */ + while (*p && isspace(_UC(*p))) + p++; + if (!*p) + break; + + /* The start of something good :-) */ + if (arg->argc >= arg->size) { + char **tmp; + arg->size += 20; + tmp = OPENSSL_realloc(arg->argv, sizeof(*arg->argv) * arg->size); + if (tmp == NULL) + return 0; + arg->argv = tmp; + } + quoted = *p == '\'' || *p == '"'; + if (quoted) + c = *p++; + arg->argv[arg->argc++] = p; + + /* now look for the end of this */ + if (quoted) { + while (*p && *p != c) + p++; + *p++ = '\0'; + } else { + while (*p && !isspace(_UC(*p))) + p++; + if (*p) + *p++ = '\0'; + } + } + arg->argv[arg->argc] = NULL; + return (1); +} + +#ifndef APP_INIT +int app_init(long mesgwin) +{ + return (1); +} +#endif + +int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath, int noCAfile, int noCApath) +{ + if (CAfile == NULL && CApath == NULL) { + if (!noCAfile && SSL_CTX_set_default_verify_file(ctx) <= 0) + return 0; + if (!noCApath && SSL_CTX_set_default_verify_dir(ctx) <= 0) + return 0; + + return 1; + } + return SSL_CTX_load_verify_locations(ctx, CAfile, CApath); +} + +#ifndef OPENSSL_NO_CT + +int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path) +{ + if (path == NULL) { + return SSL_CTX_set_default_ctlog_list_file(ctx); + } + + return SSL_CTX_set_ctlog_list_file(ctx, path); +} + +#endif + +int dump_cert_text(BIO *out, X509 *x) +{ + char *p; + + p = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0); + BIO_puts(out, "subject="); + BIO_puts(out, p); + OPENSSL_free(p); + + p = X509_NAME_oneline(X509_get_issuer_name(x), NULL, 0); + BIO_puts(out, "\nissuer="); + BIO_puts(out, p); + BIO_puts(out, "\n"); + OPENSSL_free(p); + + return 0; +} + +#ifndef OPENSSL_NO_UI +static int ui_open(UI *ui) +{ + return UI_method_get_opener(UI_OpenSSL())(ui); +} + +static int ui_read(UI *ui, UI_STRING *uis) +{ + if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD + && UI_get0_user_data(ui)) { + switch (UI_get_string_type(uis)) { + case UIT_PROMPT: + case UIT_VERIFY: + { + const char *password = + ((PW_CB_DATA *)UI_get0_user_data(ui))->password; + if (password && password[0] != '\0') { + UI_set_result(ui, uis, password); + return 1; + } + } + default: + break; + } + } + return UI_method_get_reader(UI_OpenSSL())(ui, uis); +} + +static int ui_write(UI *ui, UI_STRING *uis) +{ + if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD + && UI_get0_user_data(ui)) { + switch (UI_get_string_type(uis)) { + case UIT_PROMPT: + case UIT_VERIFY: + { + const char *password = + ((PW_CB_DATA *)UI_get0_user_data(ui))->password; + if (password && password[0] != '\0') + return 1; + } + default: + break; + } + } + return UI_method_get_writer(UI_OpenSSL())(ui, uis); +} + +static int ui_close(UI *ui) +{ + return UI_method_get_closer(UI_OpenSSL())(ui); +} + +int setup_ui_method(void) +{ + ui_method = UI_create_method("OpenSSL application user interface"); + UI_method_set_opener(ui_method, ui_open); + UI_method_set_reader(ui_method, ui_read); + UI_method_set_writer(ui_method, ui_write); + UI_method_set_closer(ui_method, ui_close); + return 0; +} + +void destroy_ui_method(void) +{ + if (ui_method) { + UI_destroy_method(ui_method); + ui_method = NULL; + } +} +#endif + +int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) +{ + int res = 0; +#ifndef OPENSSL_NO_UI + UI *ui = NULL; +#endif + PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp; + +#ifdef OPENSSL_NO_UI + if (cb_data != NULL && cb_data->password != NULL) { + res = strlen(cb_data->password); + if (res > bufsiz) + res = bufsiz; + memcpy(buf, cb_data->password, res); + } +#else + ui = UI_new_method(ui_method); + if (ui) { + int ok = 0; + char *buff = NULL; + int ui_flags = 0; + const char *prompt_info = NULL; + char *prompt; + + if (cb_data != NULL && cb_data->prompt_info != NULL) + prompt_info = cb_data->prompt_info; + prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); + if (!prompt) { + BIO_printf(bio_err, "Out of memory\n"); + UI_free(ui); + return 0; + } + + ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD; + UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0); + + /* We know that there is no previous user data to return to us */ + (void)UI_add_user_data(ui, cb_data); + + if (ok >= 0) + ok = UI_add_input_string(ui, prompt, ui_flags, buf, + PW_MIN_LENGTH, bufsiz - 1); + if (ok >= 0 && verify) { + buff = app_malloc(bufsiz, "password buffer"); + ok = UI_add_verify_string(ui, prompt, ui_flags, buff, + PW_MIN_LENGTH, bufsiz - 1, buf); + } + if (ok >= 0) + do { + ok = UI_process(ui); + } + while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0)); + + OPENSSL_clear_free(buff, (unsigned int)bufsiz); + + if (ok >= 0) + res = strlen(buf); + if (ok == -1) { + BIO_printf(bio_err, "User interface error\n"); + ERR_print_errors(bio_err); + OPENSSL_cleanse(buf, (unsigned int)bufsiz); + res = 0; + } + if (ok == -2) { + BIO_printf(bio_err, "aborted!\n"); + OPENSSL_cleanse(buf, (unsigned int)bufsiz); + res = 0; + } + UI_free(ui); + OPENSSL_free(prompt); + } +#endif + return res; +} + +static char *app_get_pass(const char *arg, int keepbio); + +int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2) +{ + int same; + if (!arg2 || !arg1 || strcmp(arg1, arg2)) + same = 0; + else + same = 1; + if (arg1) { + *pass1 = app_get_pass(arg1, same); + if (!*pass1) + return 0; + } else if (pass1) + *pass1 = NULL; + if (arg2) { + *pass2 = app_get_pass(arg2, same ? 2 : 0); + if (!*pass2) + return 0; + } else if (pass2) + *pass2 = NULL; + return 1; +} + +static char *app_get_pass(const char *arg, int keepbio) +{ + char *tmp, tpass[APP_PASS_LEN]; + static BIO *pwdbio = NULL; + int i; + + if (strncmp(arg, "pass:", 5) == 0) + return OPENSSL_strdup(arg + 5); + if (strncmp(arg, "env:", 4) == 0) { + tmp = getenv(arg + 4); + if (!tmp) { + BIO_printf(bio_err, "Can't read environment variable %s\n", arg + 4); + return NULL; + } + return OPENSSL_strdup(tmp); + } + if (!keepbio || !pwdbio) { + if (strncmp(arg, "file:", 5) == 0) { + pwdbio = BIO_new_file(arg + 5, "r"); + if (!pwdbio) { + BIO_printf(bio_err, "Can't open file %s\n", arg + 5); + return NULL; + } +#if !defined(_WIN32) + /* + * Under _WIN32, which covers even Win64 and CE, file + * descriptors referenced by BIO_s_fd are not inherited + * by child process and therefore below is not an option. + * It could have been an option if bss_fd.c was operating + * on real Windows descriptors, such as those obtained + * with CreateFile. + */ + } else if (strncmp(arg, "fd:", 3) == 0) { + BIO *btmp; + i = atoi(arg + 3); + if (i >= 0) + pwdbio = BIO_new_fd(i, BIO_NOCLOSE); + if ((i < 0) || !pwdbio) { + BIO_printf(bio_err, "Can't access file descriptor %s\n", arg + 3); + return NULL; + } + /* + * Can't do BIO_gets on an fd BIO so add a buffering BIO + */ + btmp = BIO_new(BIO_f_buffer()); + pwdbio = BIO_push(btmp, pwdbio); +#endif + } else if (strcmp(arg, "stdin") == 0) { + pwdbio = dup_bio_in(FORMAT_TEXT); + if (!pwdbio) { + BIO_printf(bio_err, "Can't open BIO for stdin\n"); + return NULL; + } + } else { + BIO_printf(bio_err, "Invalid password argument \"%s\"\n", arg); + return NULL; + } + } + i = BIO_gets(pwdbio, tpass, APP_PASS_LEN); + if (keepbio != 1) { + BIO_free_all(pwdbio); + pwdbio = NULL; + } + if (i <= 0) { + BIO_printf(bio_err, "Error reading password from BIO\n"); + return NULL; + } + tmp = strchr(tpass, '\n'); + if (tmp) + *tmp = 0; + return OPENSSL_strdup(tpass); +} + +static CONF *app_load_config_(BIO *in, const char *filename) +{ + long errorline = -1; + CONF *conf; + int i; + + conf = NCONF_new(NULL); + i = NCONF_load_bio(conf, in, &errorline); + if (i > 0) + return conf; + + if (errorline <= 0) + BIO_printf(bio_err, "%s: Can't load config file \"%s\"\n", + opt_getprog(), filename); + else + BIO_printf(bio_err, "%s: Error on line %ld of config file \"%s\"\n", + opt_getprog(), errorline, filename); + NCONF_free(conf); + return NULL; +} +CONF *app_load_config(const char *filename) +{ + BIO *in; + CONF *conf; + + in = bio_open_default(filename, 'r', FORMAT_TEXT); + if (in == NULL) + return NULL; + + conf = app_load_config_(in, filename); + BIO_free(in); + return conf; +} +CONF *app_load_config_quiet(const char *filename) +{ + BIO *in; + CONF *conf; + + in = bio_open_default_quiet(filename, 'r', FORMAT_TEXT); + if (in == NULL) + return NULL; + + conf = app_load_config_(in, filename); + BIO_free(in); + return conf; +} + +int app_load_modules(const CONF *config) +{ + CONF *to_free = NULL; + + if (config == NULL) + config = to_free = app_load_config_quiet(default_config_file); + if (config == NULL) + return 1; + + if (CONF_modules_load(config, NULL, 0) <= 0) { + BIO_printf(bio_err, "Error configuring OpenSSL modules\n"); + ERR_print_errors(bio_err); + NCONF_free(to_free); + return 0; + } + NCONF_free(to_free); + return 1; +} + +int add_oid_section(CONF *conf) +{ + char *p; + STACK_OF(CONF_VALUE) *sktmp; + CONF_VALUE *cnf; + int i; + + if ((p = NCONF_get_string(conf, NULL, "oid_section")) == NULL) { + ERR_clear_error(); + return 1; + } + if ((sktmp = NCONF_get_section(conf, p)) == NULL) { + BIO_printf(bio_err, "problem loading oid section %s\n", p); + return 0; + } + for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) { + cnf = sk_CONF_VALUE_value(sktmp, i); + if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) { + BIO_printf(bio_err, "problem creating object %s=%s\n", + cnf->name, cnf->value); + return 0; + } + } + return 1; +} + +static int load_pkcs12(BIO *in, const char *desc, + pem_password_cb *pem_cb, void *cb_data, + EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) +{ + const char *pass; + char tpass[PEM_BUFSIZE]; + int len, ret = 0; + PKCS12 *p12; + p12 = d2i_PKCS12_bio(in, NULL); + if (p12 == NULL) { + BIO_printf(bio_err, "Error loading PKCS12 file for %s\n", desc); + goto die; + } + /* See if an empty password will do */ + if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0)) + pass = ""; + else { + if (!pem_cb) + pem_cb = (pem_password_cb *)password_callback; + len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data); + if (len < 0) { + BIO_printf(bio_err, "Passphrase callback error for %s\n", desc); + goto die; + } + if (len < PEM_BUFSIZE) + tpass[len] = 0; + if (!PKCS12_verify_mac(p12, tpass, len)) { + BIO_printf(bio_err, + "Mac verify error (wrong password?) in PKCS12 file for %s\n", + desc); + goto die; + } + pass = tpass; + } + ret = PKCS12_parse(p12, pass, pkey, cert, ca); + die: + PKCS12_free(p12); + return ret; +} + +#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) +static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl) +{ + char *host = NULL, *port = NULL, *path = NULL; + BIO *bio = NULL; + OCSP_REQ_CTX *rctx = NULL; + int use_ssl, rv = 0; + if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl)) + goto err; + if (use_ssl) { + BIO_puts(bio_err, "https not supported\n"); + goto err; + } + bio = BIO_new_connect(host); + if (!bio || !BIO_set_conn_port(bio, port)) + goto err; + rctx = OCSP_REQ_CTX_new(bio, 1024); + if (rctx == NULL) + goto err; + if (!OCSP_REQ_CTX_http(rctx, "GET", path)) + goto err; + if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host)) + goto err; + if (pcert) { + do { + rv = X509_http_nbio(rctx, pcert); + } while (rv == -1); + } else { + do { + rv = X509_CRL_http_nbio(rctx, pcrl); + } while (rv == -1); + } + + err: + OPENSSL_free(host); + OPENSSL_free(path); + OPENSSL_free(port); + if (bio) + BIO_free_all(bio); + OCSP_REQ_CTX_free(rctx); + if (rv != 1) { + BIO_printf(bio_err, "Error loading %s from %s\n", + pcert ? "certificate" : "CRL", url); + ERR_print_errors(bio_err); + } + return rv; +} +#endif + +X509 *load_cert(const char *file, int format, const char *cert_descrip) +{ + X509 *x = NULL; + BIO *cert; + + if (format == FORMAT_HTTP) { +#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) + load_cert_crl_http(file, &x, NULL); +#endif + return x; + } + + if (file == NULL) { + unbuffer(stdin); + cert = dup_bio_in(format); + } else + cert = bio_open_default(file, 'r', format); + if (cert == NULL) + goto end; + + if (format == FORMAT_ASN1) + x = d2i_X509_bio(cert, NULL); + else if (format == FORMAT_PEM) + x = PEM_read_bio_X509_AUX(cert, NULL, + (pem_password_cb *)password_callback, NULL); + else if (format == FORMAT_PKCS12) { + if (!load_pkcs12(cert, cert_descrip, NULL, NULL, NULL, &x, NULL)) + goto end; + } else { + BIO_printf(bio_err, "bad input format specified for %s\n", cert_descrip); + goto end; + } + end: + if (x == NULL) { + BIO_printf(bio_err, "unable to load certificate\n"); + ERR_print_errors(bio_err); + } + BIO_free(cert); + return (x); +} + +X509_CRL *load_crl(const char *infile, int format) +{ + X509_CRL *x = NULL; + BIO *in = NULL; + + if (format == FORMAT_HTTP) { +#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK) + load_cert_crl_http(infile, NULL, &x); +#endif + return x; + } + + in = bio_open_default(infile, 'r', format); + if (in == NULL) + goto end; + if (format == FORMAT_ASN1) + x = d2i_X509_CRL_bio(in, NULL); + else if (format == FORMAT_PEM) + x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); + else { + BIO_printf(bio_err, "bad input format specified for input crl\n"); + goto end; + } + if (x == NULL) { + BIO_printf(bio_err, "unable to load CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + + end: + BIO_free(in); + return (x); +} + +EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, + const char *pass, ENGINE *e, const char *key_descrip) +{ + BIO *key = NULL; + EVP_PKEY *pkey = NULL; + PW_CB_DATA cb_data; + + cb_data.password = pass; + cb_data.prompt_info = file; + + if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { + BIO_printf(bio_err, "no keyfile specified\n"); + goto end; + } + if (format == FORMAT_ENGINE) { + if (e == NULL) + BIO_printf(bio_err, "no engine specified\n"); + else { +#ifndef OPENSSL_NO_ENGINE + if (ENGINE_init(e)) { + pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); + ENGINE_finish(e); + } + if (pkey == NULL) { + BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); + ERR_print_errors(bio_err); + } +#else + BIO_printf(bio_err, "engines not supported\n"); +#endif + } + goto end; + } + if (file == NULL && maybe_stdin) { + unbuffer(stdin); + key = dup_bio_in(format); + } else + key = bio_open_default(file, 'r', format); + if (key == NULL) + goto end; + if (format == FORMAT_ASN1) { + pkey = d2i_PrivateKey_bio(key, NULL); + } else if (format == FORMAT_PEM) { + pkey = PEM_read_bio_PrivateKey(key, NULL, + (pem_password_cb *)password_callback, + &cb_data); + } + else if (format == FORMAT_PKCS12) { + if (!load_pkcs12(key, key_descrip, + (pem_password_cb *)password_callback, &cb_data, + &pkey, NULL, NULL)) + goto end; + } +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4) + else if (format == FORMAT_MSBLOB) + pkey = b2i_PrivateKey_bio(key); + else if (format == FORMAT_PVK) + pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback, + &cb_data); +#endif + else { + BIO_printf(bio_err, "bad input format specified for key file\n"); + goto end; + } + end: + BIO_free(key); + if (pkey == NULL) { + BIO_printf(bio_err, "unable to load %s\n", key_descrip); + ERR_print_errors(bio_err); + } + return (pkey); +} + +EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, + const char *pass, ENGINE *e, const char *key_descrip) +{ + BIO *key = NULL; + EVP_PKEY *pkey = NULL; + PW_CB_DATA cb_data; + + cb_data.password = pass; + cb_data.prompt_info = file; + + if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) { + BIO_printf(bio_err, "no keyfile specified\n"); + goto end; + } + if (format == FORMAT_ENGINE) { + if (e == NULL) + BIO_printf(bio_err, "no engine specified\n"); + else { +#ifndef OPENSSL_NO_ENGINE + pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data); + if (pkey == NULL) { + BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip); + ERR_print_errors(bio_err); + } +#else + BIO_printf(bio_err, "engines not supported\n"); +#endif + } + goto end; + } + if (file == NULL && maybe_stdin) { + unbuffer(stdin); + key = dup_bio_in(format); + } else + key = bio_open_default(file, 'r', format); + if (key == NULL) + goto end; + if (format == FORMAT_ASN1) { + pkey = d2i_PUBKEY_bio(key, NULL); + } + else if (format == FORMAT_ASN1RSA) { +#ifndef OPENSSL_NO_RSA + RSA *rsa; + rsa = d2i_RSAPublicKey_bio(key, NULL); + if (rsa) { + pkey = EVP_PKEY_new(); + if (pkey != NULL) + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } else +#else + BIO_printf(bio_err, "RSA keys not supported\n"); +#endif + pkey = NULL; + } else if (format == FORMAT_PEMRSA) { +#ifndef OPENSSL_NO_RSA + RSA *rsa; + rsa = PEM_read_bio_RSAPublicKey(key, NULL, + (pem_password_cb *)password_callback, + &cb_data); + if (rsa != NULL) { + pkey = EVP_PKEY_new(); + if (pkey != NULL) + EVP_PKEY_set1_RSA(pkey, rsa); + RSA_free(rsa); + } else +#else + BIO_printf(bio_err, "RSA keys not supported\n"); +#endif + pkey = NULL; + } + else if (format == FORMAT_PEM) { + pkey = PEM_read_bio_PUBKEY(key, NULL, + (pem_password_cb *)password_callback, + &cb_data); + } +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) + else if (format == FORMAT_MSBLOB) + pkey = b2i_PublicKey_bio(key); +#endif + end: + BIO_free(key); + if (pkey == NULL) + BIO_printf(bio_err, "unable to load %s\n", key_descrip); + return (pkey); +} + +static int load_certs_crls(const char *file, int format, + const char *pass, const char *desc, + STACK_OF(X509) **pcerts, + STACK_OF(X509_CRL) **pcrls) +{ + int i; + BIO *bio; + STACK_OF(X509_INFO) *xis = NULL; + X509_INFO *xi; + PW_CB_DATA cb_data; + int rv = 0; + + cb_data.password = pass; + cb_data.prompt_info = file; + + if (format != FORMAT_PEM) { + BIO_printf(bio_err, "bad input format specified for %s\n", desc); + return 0; + } + + bio = bio_open_default(file, 'r', FORMAT_PEM); + if (bio == NULL) + return 0; + + xis = PEM_X509_INFO_read_bio(bio, NULL, + (pem_password_cb *)password_callback, + &cb_data); + + BIO_free(bio); + + if (pcerts && *pcerts == NULL) { + *pcerts = sk_X509_new_null(); + if (!*pcerts) + goto end; + } + + if (pcrls && *pcrls == NULL) { + *pcrls = sk_X509_CRL_new_null(); + if (!*pcrls) + goto end; + } + + for (i = 0; i < sk_X509_INFO_num(xis); i++) { + xi = sk_X509_INFO_value(xis, i); + if (xi->x509 && pcerts) { + if (!sk_X509_push(*pcerts, xi->x509)) + goto end; + xi->x509 = NULL; + } + if (xi->crl && pcrls) { + if (!sk_X509_CRL_push(*pcrls, xi->crl)) + goto end; + xi->crl = NULL; + } + } + + if (pcerts && sk_X509_num(*pcerts) > 0) + rv = 1; + + if (pcrls && sk_X509_CRL_num(*pcrls) > 0) + rv = 1; + + end: + + sk_X509_INFO_pop_free(xis, X509_INFO_free); + + if (rv == 0) { + if (pcerts) { + sk_X509_pop_free(*pcerts, X509_free); + *pcerts = NULL; + } + if (pcrls) { + sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); + *pcrls = NULL; + } + BIO_printf(bio_err, "unable to load %s\n", + pcerts ? "certificates" : "CRLs"); + ERR_print_errors(bio_err); + } + return rv; +} + +void* app_malloc(int sz, const char *what) +{ + void *vp = OPENSSL_malloc(sz); + + if (vp == NULL) { + BIO_printf(bio_err, "%s: Could not allocate %d bytes for %s\n", + opt_getprog(), sz, what); + ERR_print_errors(bio_err); + exit(1); + } + return vp; +} + +/* + * Initialize or extend, if *certs != NULL, a certificate stack. + */ +int load_certs(const char *file, STACK_OF(X509) **certs, int format, + const char *pass, const char *desc) +{ + return load_certs_crls(file, format, pass, desc, certs, NULL); +} + +/* + * Initialize or extend, if *crls != NULL, a certificate stack. + */ +int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, + const char *pass, const char *desc) +{ + return load_certs_crls(file, format, pass, desc, NULL, crls); +} + +#define X509V3_EXT_UNKNOWN_MASK (0xfL << 16) +/* Return error for unknown extensions */ +#define X509V3_EXT_DEFAULT 0 +/* Print error for unknown extensions */ +#define X509V3_EXT_ERROR_UNKNOWN (1L << 16) +/* ASN1 parse unknown extensions */ +#define X509V3_EXT_PARSE_UNKNOWN (2L << 16) +/* BIO_dump unknown extensions */ +#define X509V3_EXT_DUMP_UNKNOWN (3L << 16) + +#define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \ + X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION) + +int set_cert_ex(unsigned long *flags, const char *arg) +{ + static const NAME_EX_TBL cert_tbl[] = { + {"compatible", X509_FLAG_COMPAT, 0xffffffffl}, + {"ca_default", X509_FLAG_CA, 0xffffffffl}, + {"no_header", X509_FLAG_NO_HEADER, 0}, + {"no_version", X509_FLAG_NO_VERSION, 0}, + {"no_serial", X509_FLAG_NO_SERIAL, 0}, + {"no_signame", X509_FLAG_NO_SIGNAME, 0}, + {"no_validity", X509_FLAG_NO_VALIDITY, 0}, + {"no_subject", X509_FLAG_NO_SUBJECT, 0}, + {"no_issuer", X509_FLAG_NO_ISSUER, 0}, + {"no_pubkey", X509_FLAG_NO_PUBKEY, 0}, + {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0}, + {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0}, + {"no_aux", X509_FLAG_NO_AUX, 0}, + {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0}, + {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK}, + {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, + {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, + {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK}, + {NULL, 0, 0} + }; + return set_multi_opts(flags, arg, cert_tbl); +} + +int set_name_ex(unsigned long *flags, const char *arg) +{ + static const NAME_EX_TBL ex_tbl[] = { + {"esc_2253", ASN1_STRFLGS_ESC_2253, 0}, + {"esc_2254", ASN1_STRFLGS_ESC_2254, 0}, + {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0}, + {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0}, + {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0}, + {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0}, + {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0}, + {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0}, + {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0}, + {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0}, + {"dump_der", ASN1_STRFLGS_DUMP_DER, 0}, + {"compat", XN_FLAG_COMPAT, 0xffffffffL}, + {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK}, + {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK}, + {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK}, + {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK}, + {"dn_rev", XN_FLAG_DN_REV, 0}, + {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK}, + {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK}, + {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK}, + {"align", XN_FLAG_FN_ALIGN, 0}, + {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK}, + {"space_eq", XN_FLAG_SPC_EQ, 0}, + {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0}, + {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL}, + {"oneline", XN_FLAG_ONELINE, 0xffffffffL}, + {"multiline", XN_FLAG_MULTILINE, 0xffffffffL}, + {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL}, + {NULL, 0, 0} + }; + if (set_multi_opts(flags, arg, ex_tbl) == 0) + return 0; + if ((*flags & XN_FLAG_SEP_MASK) == 0) + *flags |= XN_FLAG_SEP_CPLUS_SPC; + return 1; +} + +int set_ext_copy(int *copy_type, const char *arg) +{ + if (strcasecmp(arg, "none") == 0) + *copy_type = EXT_COPY_NONE; + else if (strcasecmp(arg, "copy") == 0) + *copy_type = EXT_COPY_ADD; + else if (strcasecmp(arg, "copyall") == 0) + *copy_type = EXT_COPY_ALL; + else + return 0; + return 1; +} + +int copy_extensions(X509 *x, X509_REQ *req, int copy_type) +{ + STACK_OF(X509_EXTENSION) *exts = NULL; + X509_EXTENSION *ext, *tmpext; + ASN1_OBJECT *obj; + int i, idx, ret = 0; + if (!x || !req || (copy_type == EXT_COPY_NONE)) + return 1; + exts = X509_REQ_get_extensions(req); + + for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { + ext = sk_X509_EXTENSION_value(exts, i); + obj = X509_EXTENSION_get_object(ext); + idx = X509_get_ext_by_OBJ(x, obj, -1); + /* Does extension exist? */ + if (idx != -1) { + /* If normal copy don't override existing extension */ + if (copy_type == EXT_COPY_ADD) + continue; + /* Delete all extensions of same type */ + do { + tmpext = X509_get_ext(x, idx); + X509_delete_ext(x, idx); + X509_EXTENSION_free(tmpext); + idx = X509_get_ext_by_OBJ(x, obj, -1); + } while (idx != -1); + } + if (!X509_add_ext(x, ext, -1)) + goto end; + } + + ret = 1; + + end: + + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + + return ret; +} + +static int set_multi_opts(unsigned long *flags, const char *arg, + const NAME_EX_TBL * in_tbl) +{ + STACK_OF(CONF_VALUE) *vals; + CONF_VALUE *val; + int i, ret = 1; + if (!arg) + return 0; + vals = X509V3_parse_list(arg); + for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { + val = sk_CONF_VALUE_value(vals, i); + if (!set_table_opts(flags, val->name, in_tbl)) + ret = 0; + } + sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); + return ret; +} + +static int set_table_opts(unsigned long *flags, const char *arg, + const NAME_EX_TBL * in_tbl) +{ + char c; + const NAME_EX_TBL *ptbl; + c = arg[0]; + + if (c == '-') { + c = 0; + arg++; + } else if (c == '+') { + c = 1; + arg++; + } else + c = 1; + + for (ptbl = in_tbl; ptbl->name; ptbl++) { + if (strcasecmp(arg, ptbl->name) == 0) { + *flags &= ~ptbl->mask; + if (c) + *flags |= ptbl->flag; + else + *flags &= ~ptbl->flag; + return 1; + } + } + return 0; +} + +void print_name(BIO *out, const char *title, X509_NAME *nm, + unsigned long lflags) +{ + char *buf; + char mline = 0; + int indent = 0; + + if (title) + BIO_puts(out, title); + if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { + mline = 1; + indent = 4; + } + if (lflags == XN_FLAG_COMPAT) { + buf = X509_NAME_oneline(nm, 0, 0); + BIO_puts(out, buf); + BIO_puts(out, "\n"); + OPENSSL_free(buf); + } else { + if (mline) + BIO_puts(out, "\n"); + X509_NAME_print_ex(out, nm, indent, lflags); + BIO_puts(out, "\n"); + } +} + +void print_bignum_var(BIO *out, const BIGNUM *in, const char *var, + int len, unsigned char *buffer) +{ + BIO_printf(out, " static unsigned char %s_%d[] = {", var, len); + if (BN_is_zero(in)) + BIO_printf(out, "\n\t0x00"); + else { + int i, l; + + l = BN_bn2bin(in, buffer); + for (i = 0; i < l; i++) { + if ((i % 10) == 0) + BIO_printf(out, "\n\t"); + if (i < l - 1) + BIO_printf(out, "0x%02X, ", buffer[i]); + else + BIO_printf(out, "0x%02X", buffer[i]); + } + } + BIO_printf(out, "\n };\n"); +} +void print_array(BIO *out, const char* title, int len, const unsigned char* d) +{ + int i; + + BIO_printf(out, "unsigned char %s[%d] = {", title, len); + for (i = 0; i < len; i++) { + if ((i % 10) == 0) + BIO_printf(out, "\n "); + if (i < len - 1) + BIO_printf(out, "0x%02X, ", d[i]); + else + BIO_printf(out, "0x%02X", d[i]); + } + BIO_printf(out, "\n};\n"); +} + +X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, int noCApath) +{ + X509_STORE *store = X509_STORE_new(); + X509_LOOKUP *lookup; + + if (store == NULL) + goto end; + + if (CAfile != NULL || !noCAfile) { + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (lookup == NULL) + goto end; + if (CAfile) { + if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) { + BIO_printf(bio_err, "Error loading file %s\n", CAfile); + goto end; + } + } else + X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); + } + + if (CApath != NULL || !noCApath) { + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); + if (lookup == NULL) + goto end; + if (CApath) { + if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) { + BIO_printf(bio_err, "Error loading directory %s\n", CApath); + goto end; + } + } else + X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); + } + + ERR_clear_error(); + return store; + end: + X509_STORE_free(store); + return NULL; +} + +#ifndef OPENSSL_NO_ENGINE +/* Try to load an engine in a shareable library */ +static ENGINE *try_load_engine(const char *engine) +{ + ENGINE *e = ENGINE_by_id("dynamic"); + if (e) { + if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) + || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) { + ENGINE_free(e); + e = NULL; + } + } + return e; +} +#endif + +ENGINE *setup_engine(const char *engine, int debug) +{ + ENGINE *e = NULL; + +#ifndef OPENSSL_NO_ENGINE + if (engine) { + if (strcmp(engine, "auto") == 0) { + BIO_printf(bio_err, "enabling auto ENGINE support\n"); + ENGINE_register_all_complete(); + return NULL; + } + if ((e = ENGINE_by_id(engine)) == NULL + && (e = try_load_engine(engine)) == NULL) { + BIO_printf(bio_err, "invalid engine \"%s\"\n", engine); + ERR_print_errors(bio_err); + return NULL; + } + if (debug) { + ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0); + } + ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1); + if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { + BIO_printf(bio_err, "can't use that engine\n"); + ERR_print_errors(bio_err); + ENGINE_free(e); + return NULL; + } + + BIO_printf(bio_err, "engine \"%s\" set.\n", ENGINE_get_id(e)); + } +#endif + return e; +} + +void release_engine(ENGINE *e) +{ +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + /* Free our "structural" reference. */ + ENGINE_free(e); +#endif +} + +static unsigned long index_serial_hash(const OPENSSL_CSTRING *a) +{ + const char *n; + + n = a[DB_serial]; + while (*n == '0') + n++; + return OPENSSL_LH_strhash(n); +} + +static int index_serial_cmp(const OPENSSL_CSTRING *a, + const OPENSSL_CSTRING *b) +{ + const char *aa, *bb; + + for (aa = a[DB_serial]; *aa == '0'; aa++) ; + for (bb = b[DB_serial]; *bb == '0'; bb++) ; + return (strcmp(aa, bb)); +} + +static int index_name_qual(char **a) +{ + return (a[0][0] == 'V'); +} + +static unsigned long index_name_hash(const OPENSSL_CSTRING *a) +{ + return OPENSSL_LH_strhash(a[DB_name]); +} + +int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b) +{ + return (strcmp(a[DB_name], b[DB_name])); +} + +static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING) +static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING) +#undef BSIZE +#define BSIZE 256 +BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai) +{ + BIO *in = NULL; + BIGNUM *ret = NULL; + char buf[1024]; + ASN1_INTEGER *ai = NULL; + + ai = ASN1_INTEGER_new(); + if (ai == NULL) + goto err; + + in = BIO_new_file(serialfile, "r"); + if (in == NULL) { + if (!create) { + perror(serialfile); + goto err; + } + ERR_clear_error(); + ret = BN_new(); + if (ret == NULL || !rand_serial(ret, ai)) + BIO_printf(bio_err, "Out of memory\n"); + } else { + if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) { + BIO_printf(bio_err, "unable to load number from %s\n", + serialfile); + goto err; + } + ret = ASN1_INTEGER_to_BN(ai, NULL); + if (ret == NULL) { + BIO_printf(bio_err, + "error converting number from bin to BIGNUM\n"); + goto err; + } + } + + if (ret && retai) { + *retai = ai; + ai = NULL; + } + err: + BIO_free(in); + ASN1_INTEGER_free(ai); + return (ret); +} + +int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial, + ASN1_INTEGER **retai) +{ + char buf[1][BSIZE]; + BIO *out = NULL; + int ret = 0; + ASN1_INTEGER *ai = NULL; + int j; + + if (suffix == NULL) + j = strlen(serialfile); + else + j = strlen(serialfile) + strlen(suffix) + 1; + if (j >= BSIZE) { + BIO_printf(bio_err, "file name too long\n"); + goto err; + } + + if (suffix == NULL) + OPENSSL_strlcpy(buf[0], serialfile, BSIZE); + else { +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, suffix); +#else + j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, suffix); +#endif + } + out = BIO_new_file(buf[0], "w"); + if (out == NULL) { + ERR_print_errors(bio_err); + goto err; + } + + if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) { + BIO_printf(bio_err, "error converting serial to ASN.1 format\n"); + goto err; + } + i2a_ASN1_INTEGER(out, ai); + BIO_puts(out, "\n"); + ret = 1; + if (retai) { + *retai = ai; + ai = NULL; + } + err: + BIO_free_all(out); + ASN1_INTEGER_free(ai); + return (ret); +} + +int rotate_serial(const char *serialfile, const char *new_suffix, + const char *old_suffix) +{ + char buf[2][BSIZE]; + int i, j; + + i = strlen(serialfile) + strlen(old_suffix); + j = strlen(serialfile) + strlen(new_suffix); + if (i > j) + j = i; + if (j + 1 >= BSIZE) { + BIO_printf(bio_err, "file name too long\n"); + goto err; + } +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, new_suffix); + j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", serialfile, old_suffix); +#else + j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, new_suffix); + j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", serialfile, old_suffix); +#endif + if (rename(serialfile, buf[1]) < 0 && errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR +#endif + ) { + BIO_printf(bio_err, + "unable to rename %s to %s\n", serialfile, buf[1]); + perror("reason"); + goto err; + } + if (rename(buf[0], serialfile) < 0) { + BIO_printf(bio_err, + "unable to rename %s to %s\n", buf[0], serialfile); + perror("reason"); + rename(buf[1], serialfile); + goto err; + } + return 1; + err: + return 0; +} + +int rand_serial(BIGNUM *b, ASN1_INTEGER *ai) +{ + BIGNUM *btmp; + int ret = 0; + + if (b) + btmp = b; + else + btmp = BN_new(); + + if (btmp == NULL) + return 0; + + if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0)) + goto error; + if (ai && !BN_to_ASN1_INTEGER(btmp, ai)) + goto error; + + ret = 1; + + error: + + if (btmp != b) + BN_free(btmp); + + return ret; +} + +CA_DB *load_index(const char *dbfile, DB_ATTR *db_attr) +{ + CA_DB *retdb = NULL; + TXT_DB *tmpdb = NULL; + BIO *in; + CONF *dbattr_conf = NULL; + char buf[BSIZE]; + + in = BIO_new_file(dbfile, "r"); + if (in == NULL) { + ERR_print_errors(bio_err); + goto err; + } + if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL) + goto err; + +#ifndef OPENSSL_SYS_VMS + BIO_snprintf(buf, sizeof(buf), "%s.attr", dbfile); +#else + BIO_snprintf(buf, sizeof(buf), "%s-attr", dbfile); +#endif + dbattr_conf = app_load_config(buf); + + retdb = app_malloc(sizeof(*retdb), "new DB"); + retdb->db = tmpdb; + tmpdb = NULL; + if (db_attr) + retdb->attributes = *db_attr; + else { + retdb->attributes.unique_subject = 1; + } + + if (dbattr_conf) { + char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject"); + if (p) { + retdb->attributes.unique_subject = parse_yesno(p, 1); + } + } + + err: + NCONF_free(dbattr_conf); + TXT_DB_free(tmpdb); + BIO_free_all(in); + return retdb; +} + +int index_index(CA_DB *db) +{ + if (!TXT_DB_create_index(db->db, DB_serial, NULL, + LHASH_HASH_FN(index_serial), + LHASH_COMP_FN(index_serial))) { + BIO_printf(bio_err, + "error creating serial number index:(%ld,%ld,%ld)\n", + db->db->error, db->db->arg1, db->db->arg2); + return 0; + } + + if (db->attributes.unique_subject + && !TXT_DB_create_index(db->db, DB_name, index_name_qual, + LHASH_HASH_FN(index_name), + LHASH_COMP_FN(index_name))) { + BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n", + db->db->error, db->db->arg1, db->db->arg2); + return 0; + } + return 1; +} + +int save_index(const char *dbfile, const char *suffix, CA_DB *db) +{ + char buf[3][BSIZE]; + BIO *out; + int j; + + j = strlen(dbfile) + strlen(suffix); + if (j + 6 >= BSIZE) { + BIO_printf(bio_err, "file name too long\n"); + goto err; + } +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr", dbfile); + j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.attr.%s", dbfile, suffix); + j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, suffix); +#else + j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr", dbfile); + j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-attr-%s", dbfile, suffix); + j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, suffix); +#endif + out = BIO_new_file(buf[0], "w"); + if (out == NULL) { + perror(dbfile); + BIO_printf(bio_err, "unable to open '%s'\n", dbfile); + goto err; + } + j = TXT_DB_write(out, db->db); + BIO_free(out); + if (j <= 0) + goto err; + + out = BIO_new_file(buf[1], "w"); + if (out == NULL) { + perror(buf[2]); + BIO_printf(bio_err, "unable to open '%s'\n", buf[2]); + goto err; + } + BIO_printf(out, "unique_subject = %s\n", + db->attributes.unique_subject ? "yes" : "no"); + BIO_free(out); + + return 1; + err: + return 0; +} + +int rotate_index(const char *dbfile, const char *new_suffix, + const char *old_suffix) +{ + char buf[5][BSIZE]; + int i, j; + + i = strlen(dbfile) + strlen(old_suffix); + j = strlen(dbfile) + strlen(new_suffix); + if (i > j) + j = i; + if (j + 6 >= BSIZE) { + BIO_printf(bio_err, "file name too long\n"); + goto err; + } +#ifndef OPENSSL_SYS_VMS + j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s.attr", dbfile); + j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s.attr.%s", dbfile, old_suffix); + j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr.%s", dbfile, new_suffix); + j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", dbfile, old_suffix); + j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, new_suffix); +#else + j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s-attr", dbfile); + j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s-attr-%s", dbfile, old_suffix); + j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr-%s", dbfile, new_suffix); + j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", dbfile, old_suffix); + j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, new_suffix); +#endif + if (rename(dbfile, buf[1]) < 0 && errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR +#endif + ) { + BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]); + perror("reason"); + goto err; + } + if (rename(buf[0], dbfile) < 0) { + BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile); + perror("reason"); + rename(buf[1], dbfile); + goto err; + } + if (rename(buf[4], buf[3]) < 0 && errno != ENOENT +#ifdef ENOTDIR + && errno != ENOTDIR +#endif + ) { + BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]); + perror("reason"); + rename(dbfile, buf[0]); + rename(buf[1], dbfile); + goto err; + } + if (rename(buf[2], buf[4]) < 0) { + BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]); + perror("reason"); + rename(buf[3], buf[4]); + rename(dbfile, buf[0]); + rename(buf[1], dbfile); + goto err; + } + return 1; + err: + return 0; +} + +void free_index(CA_DB *db) +{ + if (db) { + TXT_DB_free(db->db); + OPENSSL_free(db); + } +} + +int parse_yesno(const char *str, int def) +{ + if (str) { + switch (*str) { + case 'f': /* false */ + case 'F': /* FALSE */ + case 'n': /* no */ + case 'N': /* NO */ + case '0': /* 0 */ + return 0; + case 't': /* true */ + case 'T': /* TRUE */ + case 'y': /* yes */ + case 'Y': /* YES */ + case '1': /* 1 */ + return 1; + } + } + return def; +} + +/* + * name is expected to be in the format /type0=value0/type1=value1/type2=... + * where characters may be escaped by \ + */ +X509_NAME *parse_name(const char *cp, long chtype, int canmulti) +{ + int nextismulti = 0; + char *work; + X509_NAME *n; + + if (*cp++ != '/') + return NULL; + + n = X509_NAME_new(); + if (n == NULL) + return NULL; + work = OPENSSL_strdup(cp); + if (work == NULL) + goto err; + + while (*cp) { + char *bp = work; + char *typestr = bp; + unsigned char *valstr; + int nid; + int ismulti = nextismulti; + nextismulti = 0; + + /* Collect the type */ + while (*cp && *cp != '=') + *bp++ = *cp++; + if (*cp == '\0') { + BIO_printf(bio_err, + "%s: Hit end of string before finding the equals.\n", + opt_getprog()); + goto err; + } + *bp++ = '\0'; + ++cp; + + /* Collect the value. */ + valstr = (unsigned char *)bp; + for (; *cp && *cp != '/'; *bp++ = *cp++) { + if (canmulti && *cp == '+') { + nextismulti = 1; + break; + } + if (*cp == '\\' && *++cp == '\0') { + BIO_printf(bio_err, + "%s: escape character at end of string\n", + opt_getprog()); + goto err; + } + } + *bp++ = '\0'; + + /* If not at EOS (must be + or /), move forward. */ + if (*cp) + ++cp; + + /* Parse */ + nid = OBJ_txt2nid(typestr); + if (nid == NID_undef) { + BIO_printf(bio_err, "%s: Skipping unknown attribute \"%s\"\n", + opt_getprog(), typestr); + continue; + } + if (!X509_NAME_add_entry_by_NID(n, nid, chtype, + valstr, strlen((char *)valstr), + -1, ismulti ? -1 : 0)) + goto err; + } + + OPENSSL_free(work); + return n; + + err: + X509_NAME_free(n); + OPENSSL_free(work); + return NULL; +} + +/* + * Read whole contents of a BIO into an allocated memory buffer and return + * it. + */ + +int bio_to_mem(unsigned char **out, int maxlen, BIO *in) +{ + BIO *mem; + int len, ret; + unsigned char tbuf[1024]; + + mem = BIO_new(BIO_s_mem()); + if (mem == NULL) + return -1; + for (;;) { + if ((maxlen != -1) && maxlen < 1024) + len = maxlen; + else + len = 1024; + len = BIO_read(in, tbuf, len); + if (len < 0) { + BIO_free(mem); + return -1; + } + if (len == 0) + break; + if (BIO_write(mem, tbuf, len) != len) { + BIO_free(mem); + return -1; + } + maxlen -= len; + + if (maxlen == 0) + break; + } + ret = BIO_get_mem_data(mem, (char **)out); + BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY); + BIO_free(mem); + return ret; +} + +int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value) +{ + int rv; + char *stmp, *vtmp = NULL; + stmp = OPENSSL_strdup(value); + if (!stmp) + return -1; + vtmp = strchr(stmp, ':'); + if (vtmp) { + *vtmp = 0; + vtmp++; + } + rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp); + OPENSSL_free(stmp); + return rv; +} + +static void nodes_print(const char *name, STACK_OF(X509_POLICY_NODE) *nodes) +{ + X509_POLICY_NODE *node; + int i; + + BIO_printf(bio_err, "%s Policies:", name); + if (nodes) { + BIO_puts(bio_err, "\n"); + for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { + node = sk_X509_POLICY_NODE_value(nodes, i); + X509_POLICY_NODE_print(bio_err, node, 2); + } + } else + BIO_puts(bio_err, " \n"); +} + +void policies_print(X509_STORE_CTX *ctx) +{ + X509_POLICY_TREE *tree; + int explicit_policy; + tree = X509_STORE_CTX_get0_policy_tree(ctx); + explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx); + + BIO_printf(bio_err, "Require explicit Policy: %s\n", + explicit_policy ? "True" : "False"); + + nodes_print("Authority", X509_policy_tree_get0_policies(tree)); + nodes_print("User", X509_policy_tree_get0_user_policies(tree)); +} + +/*- + * next_protos_parse parses a comma separated list of strings into a string + * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. + * outlen: (output) set to the length of the resulting buffer on success. + * err: (maybe NULL) on failure, an error message line is written to this BIO. + * in: a NUL terminated string like "abc,def,ghi" + * + * returns: a malloc'd buffer or NULL on failure. + */ +unsigned char *next_protos_parse(size_t *outlen, const char *in) +{ + size_t len; + unsigned char *out; + size_t i, start = 0; + + len = strlen(in); + if (len >= 65535) + return NULL; + + out = app_malloc(strlen(in) + 1, "NPN buffer"); + for (i = 0; i <= len; ++i) { + if (i == len || in[i] == ',') { + if (i - start > 255) { + OPENSSL_free(out); + return NULL; + } + out[start] = i - start; + start = i + 1; + } else + out[i + 1] = in[i]; + } + + *outlen = len + 1; + return out; +} + +void print_cert_checks(BIO *bio, X509 *x, + const char *checkhost, + const char *checkemail, const char *checkip) +{ + if (x == NULL) + return; + if (checkhost) { + BIO_printf(bio, "Hostname %s does%s match certificate\n", + checkhost, + X509_check_host(x, checkhost, 0, 0, NULL) == 1 + ? "" : " NOT"); + } + + if (checkemail) { + BIO_printf(bio, "Email %s does%s match certificate\n", + checkemail, X509_check_email(x, checkemail, 0, 0) + ? "" : " NOT"); + } + + if (checkip) { + BIO_printf(bio, "IP %s does%s match certificate\n", + checkip, X509_check_ip_asc(x, checkip, 0) ? "" : " NOT"); + } +} + +/* Get first http URL from a DIST_POINT structure */ + +static const char *get_dp_url(DIST_POINT *dp) +{ + GENERAL_NAMES *gens; + GENERAL_NAME *gen; + int i, gtype; + ASN1_STRING *uri; + if (!dp->distpoint || dp->distpoint->type != 0) + return NULL; + gens = dp->distpoint->name.fullname; + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { + gen = sk_GENERAL_NAME_value(gens, i); + uri = GENERAL_NAME_get0_value(gen, >ype); + if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) { + const char *uptr = (const char *)ASN1_STRING_get0_data(uri); + if (strncmp(uptr, "http://", 7) == 0) + return uptr; + } + } + return NULL; +} + +/* + * Look through a CRLDP structure and attempt to find an http URL to + * downloads a CRL from. + */ + +static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp) +{ + int i; + const char *urlptr = NULL; + for (i = 0; i < sk_DIST_POINT_num(crldp); i++) { + DIST_POINT *dp = sk_DIST_POINT_value(crldp, i); + urlptr = get_dp_url(dp); + if (urlptr) + return load_crl(urlptr, FORMAT_HTTP); + } + return NULL; +} + +/* + * Example of downloading CRLs from CRLDP: not usable for real world as it + * always downloads, doesn't support non-blocking I/O and doesn't cache + * anything. + */ + +static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm) +{ + X509 *x; + STACK_OF(X509_CRL) *crls = NULL; + X509_CRL *crl; + STACK_OF(DIST_POINT) *crldp; + + crls = sk_X509_CRL_new_null(); + if (!crls) + return NULL; + x = X509_STORE_CTX_get_current_cert(ctx); + crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL); + crl = load_crl_crldp(crldp); + sk_DIST_POINT_pop_free(crldp, DIST_POINT_free); + if (!crl) { + sk_X509_CRL_free(crls); + return NULL; + } + sk_X509_CRL_push(crls, crl); + /* Try to download delta CRL */ + crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL); + crl = load_crl_crldp(crldp); + sk_DIST_POINT_pop_free(crldp, DIST_POINT_free); + if (crl) + sk_X509_CRL_push(crls, crl); + return crls; +} + +void store_setup_crl_download(X509_STORE *st) +{ + X509_STORE_set_lookup_crls_cb(st, crls_http_cb); +} + +/* + * Platform-specific sections + */ +#if defined(_WIN32) +# ifdef fileno +# undef fileno +# define fileno(a) (int)_fileno(a) +# endif + +# include +# include + +static int WIN32_rename(const char *from, const char *to) +{ + TCHAR *tfrom = NULL, *tto; + DWORD err; + int ret = 0; + + if (sizeof(TCHAR) == 1) { + tfrom = (TCHAR *)from; + tto = (TCHAR *)to; + } else { /* UNICODE path */ + + size_t i, flen = strlen(from) + 1, tlen = strlen(to) + 1; + tfrom = malloc(sizeof(*tfrom) * (flen + tlen)); + if (tfrom == NULL) + goto err; + tto = tfrom + flen; +# if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP, 0, from, flen, (WCHAR *)tfrom, flen)) +# endif + for (i = 0; i < flen; i++) + tfrom[i] = (TCHAR)from[i]; +# if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP, 0, to, tlen, (WCHAR *)tto, tlen)) +# endif + for (i = 0; i < tlen; i++) + tto[i] = (TCHAR)to[i]; + } + + if (MoveFile(tfrom, tto)) + goto ok; + err = GetLastError(); + if (err == ERROR_ALREADY_EXISTS || err == ERROR_FILE_EXISTS) { + if (DeleteFile(tto) && MoveFile(tfrom, tto)) + goto ok; + err = GetLastError(); + } + if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND) + errno = ENOENT; + else if (err == ERROR_ACCESS_DENIED) + errno = EACCES; + else + errno = EINVAL; /* we could map more codes... */ + err: + ret = -1; + ok: + if (tfrom != NULL && tfrom != (TCHAR *)from) + free(tfrom); + return ret; +} +#endif + +/* app_tminterval section */ +#if defined(_WIN32) +double app_tminterval(int stop, int usertime) +{ + FILETIME now; + double ret = 0; + static ULARGE_INTEGER tmstart; + static int warning = 1; +# ifdef _WIN32_WINNT + static HANDLE proc = NULL; + + if (proc == NULL) { + if (check_winnt()) + proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, + GetCurrentProcessId()); + if (proc == NULL) + proc = (HANDLE) - 1; + } + + if (usertime && proc != (HANDLE) - 1) { + FILETIME junk; + GetProcessTimes(proc, &junk, &junk, &junk, &now); + } else +# endif + { + SYSTEMTIME systime; + + if (usertime && warning) { + BIO_printf(bio_err, "To get meaningful results, run " + "this program on idle system.\n"); + warning = 0; + } + GetSystemTime(&systime); + SystemTimeToFileTime(&systime, &now); + } + + if (stop == TM_START) { + tmstart.u.LowPart = now.dwLowDateTime; + tmstart.u.HighPart = now.dwHighDateTime; + } else { + ULARGE_INTEGER tmstop; + + tmstop.u.LowPart = now.dwLowDateTime; + tmstop.u.HighPart = now.dwHighDateTime; + + ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart) * 1e-7; + } + + return (ret); +} +#elif defined(OPENSSL_SYSTEM_VXWORKS) +# include + +double app_tminterval(int stop, int usertime) +{ + double ret = 0; +# ifdef CLOCK_REALTIME + static struct timespec tmstart; + struct timespec now; +# else + static unsigned long tmstart; + unsigned long now; +# endif + static int warning = 1; + + if (usertime && warning) { + BIO_printf(bio_err, "To get meaningful results, run " + "this program on idle system.\n"); + warning = 0; + } +# ifdef CLOCK_REALTIME + clock_gettime(CLOCK_REALTIME, &now); + if (stop == TM_START) + tmstart = now; + else + ret = ((now.tv_sec + now.tv_nsec * 1e-9) + - (tmstart.tv_sec + tmstart.tv_nsec * 1e-9)); +# else + now = tickGet(); + if (stop == TM_START) + tmstart = now; + else + ret = (now - tmstart) / (double)sysClkRateGet(); +# endif + return (ret); +} + +#elif defined(OPENSSL_SYSTEM_VMS) +# include +# include + +double app_tminterval(int stop, int usertime) +{ + static clock_t tmstart; + double ret = 0; + clock_t now; +# ifdef __TMS + struct tms rus; + + now = times(&rus); + if (usertime) + now = rus.tms_utime; +# else + if (usertime) + now = clock(); /* sum of user and kernel times */ + else { + struct timeval tv; + gettimeofday(&tv, NULL); + now = (clock_t)((unsigned long long)tv.tv_sec * CLK_TCK + + (unsigned long long)tv.tv_usec * (1000000 / CLK_TCK) + ); + } +# endif + if (stop == TM_START) + tmstart = now; + else + ret = (now - tmstart) / (double)(CLK_TCK); + + return (ret); +} + +#elif defined(_SC_CLK_TCK) /* by means of unistd.h */ +# include + +double app_tminterval(int stop, int usertime) +{ + double ret = 0; + struct tms rus; + clock_t now = times(&rus); + static clock_t tmstart; + + if (usertime) + now = rus.tms_utime; + + if (stop == TM_START) + tmstart = now; + else { + long int tck = sysconf(_SC_CLK_TCK); + ret = (now - tmstart) / (double)tck; + } + + return (ret); +} + +#else +# include +# include + +double app_tminterval(int stop, int usertime) +{ + double ret = 0; + struct rusage rus; + struct timeval now; + static struct timeval tmstart; + + if (usertime) + getrusage(RUSAGE_SELF, &rus), now = rus.ru_utime; + else + gettimeofday(&now, NULL); + + if (stop == TM_START) + tmstart = now; + else + ret = ((now.tv_sec + now.tv_usec * 1e-6) + - (tmstart.tv_sec + tmstart.tv_usec * 1e-6)); + + return ret; +} +#endif + +int app_access(const char* name, int flag) +{ +#ifdef _WIN32 + return _access(name, flag); +#else + return access(name, flag); +#endif +} + +/* app_isdir section */ +#ifdef _WIN32 +int app_isdir(const char *name) +{ + DWORD attr; +# if defined(UNICODE) || defined(_UNICODE) + size_t i, len_0 = strlen(name) + 1; + WCHAR tempname[MAX_PATH]; + + if (len_0 > MAX_PATH) + return -1; + +# if !defined(_WIN32_WCE) || _WIN32_WCE>=101 + if (!MultiByteToWideChar(CP_ACP, 0, name, len_0, tempname, MAX_PATH)) +# endif + for (i = 0; i < len_0; i++) + tempname[i] = (WCHAR)name[i]; + + attr = GetFileAttributes(tempname); +# else + attr = GetFileAttributes(name); +# endif + if (attr == INVALID_FILE_ATTRIBUTES) + return -1; + return ((attr & FILE_ATTRIBUTE_DIRECTORY) != 0); +} +#else +# include +# ifndef S_ISDIR +# if defined(_S_IFMT) && defined(_S_IFDIR) +# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) +# else +# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) +# endif +# endif + +int app_isdir(const char *name) +{ +# if defined(S_ISDIR) + struct stat st; + + if (stat(name, &st) == 0) + return S_ISDIR(st.st_mode); + else + return -1; +# else + return -1; +# endif +} +#endif + +/* raw_read|write section */ +#if defined(__VMS) +# include "vms_term_sock.h" +static int stdin_sock = -1; + +static void close_stdin_sock(void) +{ + TerminalSocket (TERM_SOCK_DELETE, &stdin_sock); +} + +int fileno_stdin(void) +{ + if (stdin_sock == -1) { + TerminalSocket(TERM_SOCK_CREATE, &stdin_sock); + atexit(close_stdin_sock); + } + + return stdin_sock; +} +#else +int fileno_stdin(void) +{ + return fileno(stdin); +} +#endif + +int fileno_stdout(void) +{ + return fileno(stdout); +} + +#if defined(_WIN32) && defined(STD_INPUT_HANDLE) +int raw_read_stdin(void *buf, int siz) +{ + DWORD n; + if (ReadFile(GetStdHandle(STD_INPUT_HANDLE), buf, siz, &n, NULL)) + return (n); + else + return (-1); +} +#elif defined(__VMS) +#include + +int raw_read_stdin(void *buf, int siz) +{ + return recv(fileno_stdin(), buf, siz, 0); +} +#else +int raw_read_stdin(void *buf, int siz) +{ + return read(fileno_stdin(), buf, siz); +} +#endif + +#if defined(_WIN32) && defined(STD_OUTPUT_HANDLE) +int raw_write_stdout(const void *buf, int siz) +{ + DWORD n; + if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), buf, siz, &n, NULL)) + return (n); + else + return (-1); +} +#else +int raw_write_stdout(const void *buf, int siz) +{ + return write(fileno_stdout(), buf, siz); +} +#endif + +/* + * Centralized handling if input and output files with format specification + * The format is meant to show what the input and output is supposed to be, + * and is therefore a show of intent more than anything else. However, it + * does impact behavior on some platform, such as differentiating between + * text and binary input/output on non-Unix platforms + */ +static int istext(int format) +{ + return (format & B_FORMAT_TEXT) == B_FORMAT_TEXT; +} + +BIO *dup_bio_in(int format) +{ + return BIO_new_fp(stdin, + BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0)); +} + +BIO *dup_bio_out(int format) +{ + BIO *b = BIO_new_fp(stdout, + BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0)); +#ifdef OPENSSL_SYS_VMS + if (istext(format)) + b = BIO_push(BIO_new(BIO_f_linebuffer()), b); +#endif + return b; +} + +BIO *dup_bio_err(int format) +{ + BIO *b = BIO_new_fp(stderr, + BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0)); +#ifdef OPENSSL_SYS_VMS + if (istext(format)) + b = BIO_push(BIO_new(BIO_f_linebuffer()), b); +#endif + return b; +} + +void unbuffer(FILE *fp) +{ +/* + * On VMS, setbuf() will only take 32-bit pointers, and a compilation + * with /POINTER_SIZE=64 will give off a MAYLOSEDATA2 warning here. + * However, we trust that the C RTL will never give us a FILE pointer + * above the first 4 GB of memory, so we simply turn off the warning + * temporarily. + */ +#if defined(OPENSSL_SYS_VMS) && defined(__DECC) +# pragma environment save +# pragma message disable maylosedata2 +#endif + setbuf(fp, NULL); +#if defined(OPENSSL_SYS_VMS) && defined(__DECC) +# pragma environment restore +#endif +} + +static const char *modestr(char mode, int format) +{ + OPENSSL_assert(mode == 'a' || mode == 'r' || mode == 'w'); + + switch (mode) { + case 'a': + return istext(format) ? "a" : "ab"; + case 'r': + return istext(format) ? "r" : "rb"; + case 'w': + return istext(format) ? "w" : "wb"; + } + /* The assert above should make sure we never reach this point */ + return NULL; +} + +static const char *modeverb(char mode) +{ + switch (mode) { + case 'a': + return "appending"; + case 'r': + return "reading"; + case 'w': + return "writing"; + } + return "(doing something)"; +} + +/* + * Open a file for writing, owner-read-only. + */ +BIO *bio_open_owner(const char *filename, int format, int private) +{ + FILE *fp = NULL; + BIO *b = NULL; + int fd = -1, bflags, mode, textmode; + + if (!private || filename == NULL || strcmp(filename, "-") == 0) + return bio_open_default(filename, 'w', format); + + mode = O_WRONLY; +#ifdef O_CREAT + mode |= O_CREAT; +#endif +#ifdef O_TRUNC + mode |= O_TRUNC; +#endif + textmode = istext(format); + if (!textmode) { +#ifdef O_BINARY + mode |= O_BINARY; +#elif defined(_O_BINARY) + mode |= _O_BINARY; +#endif + } + +#ifdef OPENSSL_SYS_VMS + /* VMS doesn't have O_BINARY, it just doesn't make sense. But, + * it still needs to know that we're going binary, or fdopen() + * will fail with "invalid argument"... so we tell VMS what the + * context is. + */ + if (!textmode) + fd = open(filename, mode, 0600, "ctx=bin"); + else +#endif + fd = open(filename, mode, 0600); + if (fd < 0) + goto err; + fp = fdopen(fd, modestr('w', format)); + if (fp == NULL) + goto err; + bflags = BIO_CLOSE; + if (textmode) + bflags |= BIO_FP_TEXT; + b = BIO_new_fp(fp, bflags); + if (b) + return b; + + err: + BIO_printf(bio_err, "%s: Can't open \"%s\" for writing, %s\n", + opt_getprog(), filename, strerror(errno)); + ERR_print_errors(bio_err); + /* If we have fp, then fdopen took over fd, so don't close both. */ + if (fp) + fclose(fp); + else if (fd >= 0) + close(fd); + return NULL; +} + +static BIO *bio_open_default_(const char *filename, char mode, int format, + int quiet) +{ + BIO *ret; + + if (filename == NULL || strcmp(filename, "-") == 0) { + ret = mode == 'r' ? dup_bio_in(format) : dup_bio_out(format); + if (quiet) { + ERR_clear_error(); + return ret; + } + if (ret != NULL) + return ret; + BIO_printf(bio_err, + "Can't open %s, %s\n", + mode == 'r' ? "stdin" : "stdout", strerror(errno)); + } else { + ret = BIO_new_file(filename, modestr(mode, format)); + if (quiet) { + ERR_clear_error(); + return ret; + } + if (ret != NULL) + return ret; + BIO_printf(bio_err, + "Can't open %s for %s, %s\n", + filename, modeverb(mode), strerror(errno)); + } + ERR_print_errors(bio_err); + return NULL; +} + +BIO *bio_open_default(const char *filename, char mode, int format) +{ + return bio_open_default_(filename, mode, format, 0); +} + +BIO *bio_open_default_quiet(const char *filename, char mode, int format) +{ + return bio_open_default_(filename, mode, format, 1); +} + +void wait_for_async(SSL *s) +{ + /* On Windows select only works for sockets, so we simply don't wait */ +#ifndef OPENSSL_SYS_WINDOWS + int width = 0; + fd_set asyncfds; + OSSL_ASYNC_FD *fds; + size_t numfds; + size_t i; + + if (!SSL_get_all_async_fds(s, NULL, &numfds)) + return; + if (numfds == 0) + return; + fds = app_malloc(sizeof(OSSL_ASYNC_FD) * numfds, "allocate async fds"); + if (!SSL_get_all_async_fds(s, fds, &numfds)) { + OPENSSL_free(fds); + return; + } + + FD_ZERO(&asyncfds); + for (i = 0; i < numfds; i++) { + if (width <= (int)fds[i]) + width = (int)fds[i] + 1; + openssl_fdset((int)fds[i], &asyncfds); + } + select(width, (void *)&asyncfds, NULL, NULL, NULL); + OPENSSL_free(fds); +#endif +} + +/* if OPENSSL_SYS_WINDOWS is defined then so is OPENSSL_SYS_MSDOS */ +#if defined(OPENSSL_SYS_MSDOS) +int has_stdin_waiting(void) +{ +# if defined(OPENSSL_SYS_WINDOWS) + HANDLE inhand = GetStdHandle(STD_INPUT_HANDLE); + DWORD events = 0; + INPUT_RECORD inputrec; + DWORD insize = 1; + BOOL peeked; + + if (inhand == INVALID_HANDLE_VALUE) { + return 0; + } + + peeked = PeekConsoleInput(inhand, &inputrec, insize, &events); + if (!peeked) { + /* Probably redirected input? _kbhit() does not work in this case */ + if (!feof(stdin)) { + return 1; + } + return 0; + } +# endif + return _kbhit(); +} +#endif + +/* Corrupt a signature by modifying final byte */ +void corrupt_signature(const ASN1_STRING *signature) +{ + unsigned char *s = signature->data; + s[signature->length - 1] ^= 0x1; +} + +int set_cert_times(X509 *x, const char *startdate, const char *enddate, + int days) +{ + if (startdate == NULL || strcmp(startdate, "today") == 0) { + if (X509_gmtime_adj(X509_getm_notBefore(x), 0) == NULL) + return 0; + } else { + if (!ASN1_TIME_set_string(X509_getm_notBefore(x), startdate)) + return 0; + } + if (enddate == NULL) { + if (X509_time_adj_ex(X509_getm_notAfter(x), days, 0, NULL) + == NULL) + return 0; + } else if (!ASN1_TIME_set_string(X509_getm_notAfter(x), enddate)) { + return 0; + } + return 1; +} diff --git a/openssl-1.1.0h/apps/apps.h b/openssl-1.1.0h/apps/apps.h new file mode 100644 index 0000000..f91faf8 --- /dev/null +++ b/openssl-1.1.0h/apps/apps.h @@ -0,0 +1,573 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_APPS_H +# define HEADER_APPS_H + +# include "e_os.h" +# if defined(__unix) || defined(__unix__) +# include /* struct timeval for DTLS */ +# endif +# include + +# include +# include +# include +# include +# include +# include +# include +# include +# include +# include + +# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE) +# define openssl_fdset(a,b) FD_SET((unsigned int)a, b) +# else +# define openssl_fdset(a,b) FD_SET(a, b) +# endif + +/* + * quick macro when you need to pass an unsigned char instead of a char. + * this is true for some implementations of the is*() functions, for + * example. + */ +#define _UC(c) ((unsigned char)(c)) + +int app_RAND_load_file(const char *file, int dont_warn); +int app_RAND_write_file(const char *file); +/* + * When `file' is NULL, use defaults. `bio_e' is for error messages. + */ +void app_RAND_allow_write_file(void); +long app_RAND_load_files(char *file); /* `file' is a list of files to read, + * separated by LIST_SEPARATOR_CHAR + * (see e_os.h). The string is + * destroyed! */ + +extern char *default_config_file; +extern BIO *bio_in; +extern BIO *bio_out; +extern BIO *bio_err; +BIO *dup_bio_in(int format); +BIO *dup_bio_out(int format); +BIO *dup_bio_err(int format); +BIO *bio_open_owner(const char *filename, int format, int private); +BIO *bio_open_default(const char *filename, char mode, int format); +BIO *bio_open_default_quiet(const char *filename, char mode, int format); +CONF *app_load_config(const char *filename); +CONF *app_load_config_quiet(const char *filename); +int app_load_modules(const CONF *config); +void unbuffer(FILE *fp); +void wait_for_async(SSL *s); +# if defined(OPENSSL_SYS_MSDOS) +int has_stdin_waiting(void); +# endif + +void corrupt_signature(const ASN1_STRING *signature); +int set_cert_times(X509 *x, const char *startdate, const char *enddate, + int days); + +/* + * Common verification options. + */ +# define OPT_V_ENUM \ + OPT_V__FIRST=2000, \ + OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \ + OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \ + OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \ + OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \ + OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \ + OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \ + OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \ + OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \ + OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \ + OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \ + OPT_V__LAST + +# define OPT_V_OPTIONS \ + { "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \ + { "purpose", OPT_V_PURPOSE, 's', \ + "certificate chain purpose"}, \ + { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \ + { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \ + "chain depth limit" }, \ + { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \ + "chain authentication security level" }, \ + { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \ + { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \ + "expected peer hostname" }, \ + { "verify_email", OPT_V_VERIFY_EMAIL, 's', \ + "expected peer email" }, \ + { "verify_ip", OPT_V_VERIFY_IP, 's', \ + "expected peer IP address" }, \ + { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \ + "permit unhandled critical extensions"}, \ + { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \ + { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \ + { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \ + { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"}, \ + { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \ + "set policy variable require-explicit-policy"}, \ + { "inhibit_any", OPT_V_INHIBIT_ANY, '-', \ + "set policy variable inhibit-any-policy"}, \ + { "inhibit_map", OPT_V_INHIBIT_MAP, '-', \ + "set policy variable inhibit-policy-mapping"}, \ + { "x509_strict", OPT_V_X509_STRICT, '-', \ + "disable certificate compatibility work-arounds"}, \ + { "extended_crl", OPT_V_EXTENDED_CRL, '-', \ + "enable extended CRL features"}, \ + { "use_deltas", OPT_V_USE_DELTAS, '-', \ + "use delta CRLs"}, \ + { "policy_print", OPT_V_POLICY_PRINT, '-', \ + "print policy processing diagnostics"}, \ + { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \ + "check root CA self-signatures"}, \ + { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \ + "search trust store first (default)" }, \ + { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"}, \ + { "suiteB_128", OPT_V_SUITEB_128, '-', \ + "Suite B 128-bit mode allowing 192-bit algorithms"}, \ + { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \ + { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \ + "accept chains anchored by intermediate trust-store CAs"}, \ + { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \ + { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \ + { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" } + +# define OPT_V_CASES \ + OPT_V__FIRST: case OPT_V__LAST: break; \ + case OPT_V_POLICY: \ + case OPT_V_PURPOSE: \ + case OPT_V_VERIFY_NAME: \ + case OPT_V_VERIFY_DEPTH: \ + case OPT_V_VERIFY_AUTH_LEVEL: \ + case OPT_V_ATTIME: \ + case OPT_V_VERIFY_HOSTNAME: \ + case OPT_V_VERIFY_EMAIL: \ + case OPT_V_VERIFY_IP: \ + case OPT_V_IGNORE_CRITICAL: \ + case OPT_V_ISSUER_CHECKS: \ + case OPT_V_CRL_CHECK: \ + case OPT_V_CRL_CHECK_ALL: \ + case OPT_V_POLICY_CHECK: \ + case OPT_V_EXPLICIT_POLICY: \ + case OPT_V_INHIBIT_ANY: \ + case OPT_V_INHIBIT_MAP: \ + case OPT_V_X509_STRICT: \ + case OPT_V_EXTENDED_CRL: \ + case OPT_V_USE_DELTAS: \ + case OPT_V_POLICY_PRINT: \ + case OPT_V_CHECK_SS_SIG: \ + case OPT_V_TRUSTED_FIRST: \ + case OPT_V_SUITEB_128_ONLY: \ + case OPT_V_SUITEB_128: \ + case OPT_V_SUITEB_192: \ + case OPT_V_PARTIAL_CHAIN: \ + case OPT_V_NO_ALT_CHAINS: \ + case OPT_V_NO_CHECK_TIME: \ + case OPT_V_ALLOW_PROXY_CERTS + +/* + * Common "extended"? options. + */ +# define OPT_X_ENUM \ + OPT_X__FIRST=1000, \ + OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \ + OPT_X_CERTFORM, OPT_X_KEYFORM, \ + OPT_X__LAST + +# define OPT_X_OPTIONS \ + { "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \ + { "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \ + { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \ + { "xchain_build", OPT_X_CHAIN_BUILD, '-', \ + "build certificate chain for the extended certificates"}, \ + { "xcertform", OPT_X_CERTFORM, 'F', \ + "format of Extended certificate (PEM or DER) PEM default " }, \ + { "xkeyform", OPT_X_KEYFORM, 'F', \ + "format of Extended certificate's key (PEM or DER) PEM default"} + +# define OPT_X_CASES \ + OPT_X__FIRST: case OPT_X__LAST: break; \ + case OPT_X_KEY: \ + case OPT_X_CERT: \ + case OPT_X_CHAIN: \ + case OPT_X_CHAIN_BUILD: \ + case OPT_X_CERTFORM: \ + case OPT_X_KEYFORM + +/* + * Common SSL options. + * Any changes here must be coordinated with ../ssl/ssl_conf.c + */ +# define OPT_S_ENUM \ + OPT_S__FIRST=3000, \ + OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \ + OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \ + OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \ + OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \ + OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \ + OPT_S_DEBUGBROKE, OPT_S_COMP, OPT_S_MINPROTO, OPT_S_MAXPROTO, \ + OPT_S_NO_RENEGOTIATION, OPT_S__LAST + +# define OPT_S_OPTIONS \ + {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \ + {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \ + {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \ + {"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \ + {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \ + {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \ + {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \ + {"no_ticket", OPT_S_NOTICKET, '-', \ + "Disable use of TLS session tickets"}, \ + {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \ + {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \ + "Enable use of legacy renegotiation (dangerous)"}, \ + {"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \ + "Disable all renegotiation."}, \ + {"legacy_server_connect", OPT_S_LEGACYCONN, '-', \ + "Allow initial connection to servers that don't support RI"}, \ + {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \ + "Disallow session resumption on renegotiation"}, \ + {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \ + "Disallow initial connection to servers that don't support RI"}, \ + {"strict", OPT_S_STRICT, '-', \ + "Enforce strict certificate checks as per TLS standard"}, \ + {"sigalgs", OPT_S_SIGALGS, 's', \ + "Signature algorithms to support (colon-separated list)" }, \ + {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \ + "Signature algorithms to support for client certificate" \ + " authentication (colon-separated list)" }, \ + {"curves", OPT_S_CURVES, 's', \ + "Elliptic curves to advertise (colon-separated list)" }, \ + {"named_curve", OPT_S_NAMEDCURVE, 's', \ + "Elliptic curve used for ECDHE (server-side only)" }, \ + {"cipher", OPT_S_CIPHER, 's', "Specify cipher list to be used"}, \ + {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \ + {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \ + {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \ + "Perform all sorts of protocol violations for testing purposes"} + +# define OPT_S_CASES \ + OPT_S__FIRST: case OPT_S__LAST: break; \ + case OPT_S_NOSSL3: \ + case OPT_S_NOTLS1: \ + case OPT_S_NOTLS1_1: \ + case OPT_S_NOTLS1_2: \ + case OPT_S_BUGS: \ + case OPT_S_NO_COMP: \ + case OPT_S_COMP: \ + case OPT_S_NOTICKET: \ + case OPT_S_SERVERPREF: \ + case OPT_S_LEGACYRENEG: \ + case OPT_S_LEGACYCONN: \ + case OPT_S_ONRESUMP: \ + case OPT_S_NOLEGACYCONN: \ + case OPT_S_STRICT: \ + case OPT_S_SIGALGS: \ + case OPT_S_CLIENTSIGALGS: \ + case OPT_S_CURVES: \ + case OPT_S_NAMEDCURVE: \ + case OPT_S_CIPHER: \ + case OPT_S_MINPROTO: \ + case OPT_S_MAXPROTO: \ + case OPT_S_NO_RENEGOTIATION: \ + case OPT_S_DEBUGBROKE + +#define IS_NO_PROT_FLAG(o) \ + (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \ + || o == OPT_S_NOTLS1_2) + +/* + * Option parsing. + */ +extern const char OPT_HELP_STR[]; +extern const char OPT_MORE_STR[]; +typedef struct options_st { + const char *name; + int retval; + /* + * value type: - no value (also the value zero), n number, p positive + * number, u unsigned, l long, s string, < input file, > output file, + * f any format, F der/pem format , E der/pem/engine format identifier. + * l, n and u include zero; p does not. + */ + int valtype; + const char *helpstr; +} OPTIONS; + +/* + * A string/int pairing; widely use for option value lookup, hence the + * name OPT_PAIR. But that name is misleading in s_cb.c, so we also use + * the "generic" name STRINT_PAIR. + */ +typedef struct string_int_pair_st { + const char *name; + int retval; +} OPT_PAIR, STRINT_PAIR; + +/* Flags to pass into opt_format; see FORMAT_xxx, below. */ +# define OPT_FMT_PEMDER (1L << 1) +# define OPT_FMT_PKCS12 (1L << 2) +# define OPT_FMT_SMIME (1L << 3) +# define OPT_FMT_ENGINE (1L << 4) +# define OPT_FMT_MSBLOB (1L << 5) +# define OPT_FMT_NETSCAPE (1L << 6) +# define OPT_FMT_NSS (1L << 7) +# define OPT_FMT_TEXT (1L << 8) +# define OPT_FMT_HTTP (1L << 9) +# define OPT_FMT_PVK (1L << 10) +# define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE) +# define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME) +# define OPT_FMT_ANY ( \ + OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \ + OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \ + OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) + +char *opt_progname(const char *argv0); +char *opt_getprog(void); +char *opt_init(int ac, char **av, const OPTIONS * o); +int opt_next(void); +int opt_format(const char *s, unsigned long flags, int *result); +int opt_int(const char *arg, int *result); +int opt_ulong(const char *arg, unsigned long *result); +int opt_long(const char *arg, long *result); +#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \ + defined(INTMAX_MAX) && defined(UINTMAX_MAX) +int opt_imax(const char *arg, intmax_t *result); +int opt_umax(const char *arg, uintmax_t *result); +#else +# define opt_imax opt_long +# define opt_umax opt_ulong +# define intmax_t long +# define uintmax_t unsigned long +#endif +int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result); +int opt_cipher(const char *name, const EVP_CIPHER **cipherp); +int opt_md(const char *name, const EVP_MD **mdp); +char *opt_arg(void); +char *opt_flag(void); +char *opt_unknown(void); +char *opt_reset(void); +char **opt_rest(void); +int opt_num_rest(void); +int opt_verify(int i, X509_VERIFY_PARAM *vpm); +void opt_help(const OPTIONS * list); +int opt_format_error(const char *s, unsigned long flags); + +typedef struct args_st { + int size; + int argc; + char **argv; +} ARGS; + +/* + * VMS C only for now, implemented in vms_decc_init.c + * If other C compilers forget to terminate argv with NULL, this function + * can be re-used. + */ +char **copy_argv(int *argc, char *argv[]); +/* + * Win32-specific argv initialization that splits OS-supplied UNICODE + * command line string to array of UTF8-encoded strings. + */ +void win32_utf8argv(int *argc, char **argv[]); + + +# define PW_MIN_LENGTH 4 +typedef struct pw_cb_data { + const void *password; + const char *prompt_info; +} PW_CB_DATA; + +int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data); + +int setup_ui_method(void); +void destroy_ui_method(void); + +int chopup_args(ARGS *arg, char *buf); +# ifdef HEADER_X509_H +int dump_cert_text(BIO *out, X509 *x); +void print_name(BIO *out, const char *title, X509_NAME *nm, + unsigned long lflags); +# endif +void print_bignum_var(BIO *, const BIGNUM *, const char*, + int, unsigned char *); +void print_array(BIO *, const char *, int, const unsigned char *); +int set_cert_ex(unsigned long *flags, const char *arg); +int set_name_ex(unsigned long *flags, const char *arg); +int set_ext_copy(int *copy_type, const char *arg); +int copy_extensions(X509 *x, X509_REQ *req, int copy_type); +int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2); +int add_oid_section(CONF *conf); +X509 *load_cert(const char *file, int format, const char *cert_descrip); +X509_CRL *load_crl(const char *infile, int format); +EVP_PKEY *load_key(const char *file, int format, int maybe_stdin, + const char *pass, ENGINE *e, const char *key_descrip); +EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin, + const char *pass, ENGINE *e, const char *key_descrip); +int load_certs(const char *file, STACK_OF(X509) **certs, int format, + const char *pass, const char *cert_descrip); +int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, + const char *pass, const char *cert_descrip); +X509_STORE *setup_verify(const char *CAfile, const char *CApath, + int noCAfile, int noCApath); +__owur int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath, int noCAfile, + int noCApath); + +#ifndef OPENSSL_NO_CT + +/* + * Sets the file to load the Certificate Transparency log list from. + * If path is NULL, loads from the default file path. + * Returns 1 on success, 0 otherwise. + */ +__owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path); + +#endif + +ENGINE *setup_engine(const char *engine, int debug); +void release_engine(ENGINE *e); + +# ifndef OPENSSL_NO_OCSP +OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, + const char *host, const char *path, + const char *port, int use_ssl, + STACK_OF(CONF_VALUE) *headers, + int req_timeout); +# endif + +/* Functions defined in ca.c and also used in ocsp.c */ +int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, + ASN1_GENERALIZEDTIME **pinvtm, const char *str); + +# define DB_type 0 +# define DB_exp_date 1 +# define DB_rev_date 2 +# define DB_serial 3 /* index - unique */ +# define DB_file 4 +# define DB_name 5 /* index - unique when active and not + * disabled */ +# define DB_NUMBER 6 + +# define DB_TYPE_REV 'R' +# define DB_TYPE_EXP 'E' +# define DB_TYPE_VAL 'V' + +typedef struct db_attr_st { + int unique_subject; +} DB_ATTR; +typedef struct ca_db_st { + DB_ATTR attributes; + TXT_DB *db; +} CA_DB; + +void* app_malloc(int sz, const char *what); +BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai); +int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial, + ASN1_INTEGER **retai); +int rotate_serial(const char *serialfile, const char *new_suffix, + const char *old_suffix); +int rand_serial(BIGNUM *b, ASN1_INTEGER *ai); +CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr); +int index_index(CA_DB *db); +int save_index(const char *dbfile, const char *suffix, CA_DB *db); +int rotate_index(const char *dbfile, const char *new_suffix, + const char *old_suffix); +void free_index(CA_DB *db); +# define index_name_cmp_noconst(a, b) \ + index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \ + (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b)) +int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b); +int parse_yesno(const char *str, int def); + +X509_NAME *parse_name(const char *str, long chtype, int multirdn); +int args_verify(char ***pargs, int *pargc, + int *badarg, X509_VERIFY_PARAM **pm); +void policies_print(X509_STORE_CTX *ctx); +int bio_to_mem(unsigned char **out, int maxlen, BIO *in); +int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value); +int init_gen_str(EVP_PKEY_CTX **pctx, + const char *algname, ENGINE *e, int do_param); +int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts); +int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts); +int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts); +# ifndef OPENSSL_NO_PSK +extern char *psk_key; +# endif + +unsigned char *next_protos_parse(size_t *outlen, const char *in); + +void print_cert_checks(BIO *bio, X509 *x, + const char *checkhost, + const char *checkemail, const char *checkip); + +void store_setup_crl_download(X509_STORE *st); + +/* See OPT_FMT_xxx, above. */ +/* On some platforms, it's important to distinguish between text and binary + * files. On some, there might even be specific file formats for different + * contents. The FORMAT_xxx macros are meant to express an intent with the + * file being read or created. + */ +# define B_FORMAT_TEXT 0x8000 +# define FORMAT_UNDEF 0 +# define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */ +# define FORMAT_BINARY 2 /* Generic binary */ +# define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */ +# define FORMAT_ASN1 4 /* ASN.1/DER */ +# define FORMAT_PEM (5 | B_FORMAT_TEXT) +# define FORMAT_PKCS12 6 +# define FORMAT_SMIME (7 | B_FORMAT_TEXT) +# define FORMAT_ENGINE 8 /* Not really a file format */ +# define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPubicKey format */ +# define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */ +# define FORMAT_MSBLOB 11 /* MS Key blob format */ +# define FORMAT_PVK 12 /* MS PVK file format */ +# define FORMAT_HTTP 13 /* Download using HTTP */ +# define FORMAT_NSS 14 /* NSS keylog format */ + +# define EXT_COPY_NONE 0 +# define EXT_COPY_ADD 1 +# define EXT_COPY_ALL 2 + +# define NETSCAPE_CERT_HDR "certificate" + +# define APP_PASS_LEN 1024 + +# define SERIAL_RAND_BITS 64 + +int app_isdir(const char *); +int app_access(const char *, int flag); +int fileno_stdin(void); +int fileno_stdout(void); +int raw_read_stdin(void *, int); +int raw_write_stdout(const void *, int); + +# define TM_START 0 +# define TM_STOP 1 +double app_tminterval(int stop, int usertime); + +typedef struct verify_options_st { + int depth; + int quiet; + int error; + int return_error; +} VERIFY_CB_ARGS; + +extern VERIFY_CB_ARGS verify_args; + +# include "progs.h" + +#endif diff --git a/openssl-1.1.0h/apps/asn1pars.c b/openssl-1.1.0h/apps/asn1pars.c new file mode 100644 index 0000000..1ac261c --- /dev/null +++ b/openssl-1.1.0h/apps/asn1pars.c @@ -0,0 +1,330 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * A nice addition from Dr Stephen Henson to add the + * -strparse option which parses nested binary structures + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT, + OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT, + OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM +} OPTION_CHOICE; + +OPTIONS asn1parse_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "input format - one of DER PEM"}, + {"in", OPT_IN, '<', "input file"}, + {"out", OPT_OUT, '>', "output file (output format is always DER)"}, + {"i", OPT_INDENT, 0, "indents the output"}, + {"noout", OPT_NOOUT, 0, "do not produce any output"}, + {"offset", OPT_OFFSET, 'p', "offset into file"}, + {"length", OPT_LENGTH, 'p', "length of section in file"}, + {"oid", OPT_OID, '<', "file of extra oid definitions"}, + {"dump", OPT_DUMP, 0, "unknown data in hex form"}, + {"dlimit", OPT_DLIMIT, 'p', + "dump the first arg bytes of unknown data in hex form"}, + {"strparse", OPT_STRPARSE, 's', + "offset; a series of these can be used to 'dig'"}, + {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"}, + {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"}, + {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"}, + {OPT_MORE_STR, 0, 0, "(-inform will be ignored)"}, + {"strictpem", OPT_STRICTPEM, 0, + "do not attempt base64 decode outside PEM markers"}, + {NULL} +}; + +static int do_generate(char *genstr, const char *genconf, BUF_MEM *buf); + +int asn1parse_main(int argc, char **argv) +{ + ASN1_TYPE *at = NULL; + BIO *in = NULL, *b64 = NULL, *derout = NULL; + BUF_MEM *buf = NULL; + STACK_OF(OPENSSL_STRING) *osk = NULL; + char *genstr = NULL, *genconf = NULL; + char *infile = NULL, *oidfile = NULL, *derfile = NULL; + unsigned char *str = NULL; + char *name = NULL, *header = NULL, *prog; + const unsigned char *ctmpbuf; + int indent = 0, noout = 0, dump = 0, strictpem = 0, informat = FORMAT_PEM; + int offset = 0, ret = 1, i, j; + long num, tmplen; + unsigned char *tmpbuf; + unsigned int length = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, asn1parse_options); + + if ((osk = sk_OPENSSL_STRING_new_null()) == NULL) { + BIO_printf(bio_err, "%s: Memory allocation failure\n", prog); + goto end; + } + + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(asn1parse_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + derfile = opt_arg(); + break; + case OPT_INDENT: + indent = 1; + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_OID: + oidfile = opt_arg(); + break; + case OPT_OFFSET: + offset = strtol(opt_arg(), NULL, 0); + break; + case OPT_LENGTH: + length = atoi(opt_arg()); + break; + case OPT_DUMP: + dump = -1; + break; + case OPT_DLIMIT: + dump = atoi(opt_arg()); + break; + case OPT_STRPARSE: + sk_OPENSSL_STRING_push(osk, opt_arg()); + break; + case OPT_GENSTR: + genstr = opt_arg(); + break; + case OPT_GENCONF: + genconf = opt_arg(); + break; + case OPT_STRICTPEM: + strictpem = 1; + informat = FORMAT_PEM; + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (oidfile != NULL) { + in = bio_open_default(oidfile, 'r', FORMAT_TEXT); + if (in == NULL) + goto end; + OBJ_create_objects(in); + BIO_free(in); + } + + if ((in = bio_open_default(infile, 'r', informat)) == NULL) + goto end; + + if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL) + goto end; + + if (strictpem) { + if (PEM_read_bio(in, &name, &header, &str, &num) != + 1) { + BIO_printf(bio_err, "Error reading PEM file\n"); + ERR_print_errors(bio_err); + goto end; + } + } else { + + if ((buf = BUF_MEM_new()) == NULL) + goto end; + if (!BUF_MEM_grow(buf, BUFSIZ * 8)) + goto end; /* Pre-allocate :-) */ + + if (genstr || genconf) { + num = do_generate(genstr, genconf, buf); + if (num < 0) { + ERR_print_errors(bio_err); + goto end; + } + } + + else { + + if (informat == FORMAT_PEM) { + BIO *tmp; + + if ((b64 = BIO_new(BIO_f_base64())) == NULL) + goto end; + BIO_push(b64, in); + tmp = in; + in = b64; + b64 = tmp; + } + + num = 0; + for (;;) { + if (!BUF_MEM_grow(buf, (int)num + BUFSIZ)) + goto end; + i = BIO_read(in, &(buf->data[num]), BUFSIZ); + if (i <= 0) + break; + num += i; + } + } + str = (unsigned char *)buf->data; + + } + + /* If any structs to parse go through in sequence */ + + if (sk_OPENSSL_STRING_num(osk)) { + tmpbuf = str; + tmplen = num; + for (i = 0; i < sk_OPENSSL_STRING_num(osk); i++) { + ASN1_TYPE *atmp; + int typ; + j = atoi(sk_OPENSSL_STRING_value(osk, i)); + if (j == 0) { + BIO_printf(bio_err, "'%s' is an invalid number\n", + sk_OPENSSL_STRING_value(osk, i)); + continue; + } + tmpbuf += j; + tmplen -= j; + atmp = at; + ctmpbuf = tmpbuf; + at = d2i_ASN1_TYPE(NULL, &ctmpbuf, tmplen); + ASN1_TYPE_free(atmp); + if (!at) { + BIO_printf(bio_err, "Error parsing structure\n"); + ERR_print_errors(bio_err); + goto end; + } + typ = ASN1_TYPE_get(at); + if ((typ == V_ASN1_OBJECT) + || (typ == V_ASN1_BOOLEAN) + || (typ == V_ASN1_NULL)) { + BIO_printf(bio_err, "Can't parse %s type\n", ASN1_tag2str(typ)); + ERR_print_errors(bio_err); + goto end; + } + /* hmm... this is a little evil but it works */ + tmpbuf = at->value.asn1_string->data; + tmplen = at->value.asn1_string->length; + } + str = tmpbuf; + num = tmplen; + } + + if (offset >= num) { + BIO_printf(bio_err, "Error: offset too large\n"); + goto end; + } + + num -= offset; + + if ((length == 0) || ((long)length > num)) + length = (unsigned int)num; + if (derout) { + if (BIO_write(derout, str + offset, length) != (int)length) { + BIO_printf(bio_err, "Error writing output\n"); + ERR_print_errors(bio_err); + goto end; + } + } + if (!noout && + !ASN1_parse_dump(bio_out, &(str[offset]), length, + indent, dump)) { + ERR_print_errors(bio_err); + goto end; + } + ret = 0; + end: + BIO_free(derout); + BIO_free(in); + BIO_free(b64); + if (ret != 0) + ERR_print_errors(bio_err); + BUF_MEM_free(buf); + OPENSSL_free(name); + OPENSSL_free(header); + if (strictpem) + OPENSSL_free(str); + ASN1_TYPE_free(at); + sk_OPENSSL_STRING_free(osk); + return (ret); +} + +static int do_generate(char *genstr, const char *genconf, BUF_MEM *buf) +{ + CONF *cnf = NULL; + int len; + unsigned char *p; + ASN1_TYPE *atyp = NULL; + + if (genconf) { + if ((cnf = app_load_config(genconf)) == NULL) + goto err; + if (!genstr) + genstr = NCONF_get_string(cnf, "default", "asn1"); + if (!genstr) { + BIO_printf(bio_err, "Can't find 'asn1' in '%s'\n", genconf); + goto err; + } + } + + atyp = ASN1_generate_nconf(genstr, cnf); + NCONF_free(cnf); + cnf = NULL; + + if (!atyp) + return -1; + + len = i2d_ASN1_TYPE(atyp, NULL); + + if (len <= 0) + goto err; + + if (!BUF_MEM_grow(buf, len)) + goto err; + + p = (unsigned char *)buf->data; + + i2d_ASN1_TYPE(atyp, &p); + + ASN1_TYPE_free(atyp); + return len; + + err: + NCONF_free(cnf); + ASN1_TYPE_free(atyp); + return -1; +} diff --git a/openssl-1.1.0h/apps/build.info b/openssl-1.1.0h/apps/build.info new file mode 100644 index 0000000..e2ddd2b --- /dev/null +++ b/openssl-1.1.0h/apps/build.info @@ -0,0 +1,28 @@ +{- our $tsget_name = $config{target} =~ /^(VC|vms)-/ ? "tsget.pl" : "tsget"; + our @apps_openssl_src = + ( qw(openssl.c + asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c + dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c + genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c + pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c + s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c + srp.c ts.c verify.c version.c x509.c rehash.c + apps.c opt.c s_cb.c s_socket.c + app_rand.c), + split(/\s+/, $target{apps_aux_src}) ); + "" -} +IF[{- !$disabled{apps} -}] + PROGRAMS=openssl + SOURCE[openssl]={- join(" ", @apps_openssl_src) -} + INCLUDE[openssl]=.. ../include + DEPEND[openssl]=../libssl + + {- join("\n ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" } + @apps_openssl_src) -} + GENERATE[progs.h]=progs.pl $(APPS_OPENSSL) + DEPEND[progs.h]=../configdata.pm + + SCRIPTS=CA.pl {- $tsget_name -} + SOURCE[CA.pl]=CA.pl.in + SOURCE[{- $tsget_name -}]=tsget.in +ENDIF diff --git a/openssl-1.1.0h/apps/ca-cert.srl b/openssl-1.1.0h/apps/ca-cert.srl new file mode 100644 index 0000000..2c7456e --- /dev/null +++ b/openssl-1.1.0h/apps/ca-cert.srl @@ -0,0 +1 @@ +07 diff --git a/openssl-1.1.0h/apps/ca-key.pem b/openssl-1.1.0h/apps/ca-key.pem new file mode 100644 index 0000000..4e74249 --- /dev/null +++ b/openssl-1.1.0h/apps/ca-key.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL4tQNyKy4U2zX6l +IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU +DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+ +vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAECgYA3j6sSg+5f9hnldUMzbPjTh8Sb +XsJlPrc6UFrmMBzGiUleXSpe9Dbla+x0XvQCN4pwMvAN4nnWp/f0Su5BV/9Y93nb +im5ijGNrfN9i6QrnqGCr+MMute+4E8HR2pCScX0mBLDDf40SmDvMzCaxtd21keyr +9DqHgInQZNEi6NKlkQJBAPCbUTFg6iQ6VTCQ8CsEf5q2xHhuTK23fJ999lvWVxN7 +QsvWb9RP9Ng34HVtvB7Pl6P7FyHLQYiDJhhvYR0L0+kCQQDKV/09Kt6Wjf5Omp1I +wd3A+tFnipdqnPw+qNHGjevv0hYiEIWQOYbx00zXgaX+WN/pzV9eeNN2XAxlNJ++ +dxcPAkBrzeuPKFFAcjKBVC+H1rgl5gYZv7Hzk+buv02G0H6rZ+sB0c7BXiHiTwbv +Fn/XfkP/YR14Ms3mEH0dLaphjU8hAkEAh3Ar/rRiN04mCcEuRFQXtaNtZSv8PA2G +Pf7MI2Y9pdHupLCAZlBLRjTUO2/5hu1AO4QPMPIZQSFN3rRBtMCL+wJAMp/m2hvI +TmtbMp/IrKGfma09e3yFiCmoNn7cHLJ7jLvXcacV2XNzpr9YHfBxiZo0g9FqZKvv +PZoQ5B2XJ7bhTQ== +-----END PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/ca-req.pem b/openssl-1.1.0h/apps/ca-req.pem new file mode 100644 index 0000000..84c6dbb --- /dev/null +++ b/openssl-1.1.0h/apps/ca-req.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBmzCCAQQCAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQx +GjAYBgNVBAoMEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDDBJUZXN0IENBICgx +MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4tQNyKy4U2zX6l +IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU +DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+ +vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQCo +2jE7J1SNV7kyRm9m8CoPw8xYsuVcVFxPheBymYp8BlO0/rSdYygRjobpYnLVRUPZ +pV792wzT1Rp4sXfZWO10lkFY4yi0pH2cdK2RX7qedibV1Xu9vt/yYANFBKVpA4dy +PRyTQwi3In1N8hdfddpYR8f5MIUYRe5poFMIJcf8JA== +-----END CERTIFICATE REQUEST----- diff --git a/openssl-1.1.0h/apps/ca.c b/openssl-1.1.0h/apps/ca.c new file mode 100644 index 0000000..d474a2b --- /dev/null +++ b/openssl-1.1.0h/apps/ca.c @@ -0,0 +1,2593 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* The PPKI stuff has been donated by Jeff Barber */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#ifndef W_OK +# ifdef OPENSSL_SYS_VMS +# if defined(__DECC) +# include +# else +# include +# endif +# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) +# include +# endif +#endif + +#include "apps.h" + +#ifndef W_OK +# define F_OK 0 +# define X_OK 1 +# define W_OK 2 +# define R_OK 4 +#endif + +#undef BSIZE +#define BSIZE 256 + +#define BASE_SECTION "ca" + +#define ENV_DEFAULT_CA "default_ca" + +#define STRING_MASK "string_mask" +#define UTF8_IN "utf8" + +#define ENV_NEW_CERTS_DIR "new_certs_dir" +#define ENV_CERTIFICATE "certificate" +#define ENV_SERIAL "serial" +#define ENV_CRLNUMBER "crlnumber" +#define ENV_PRIVATE_KEY "private_key" +#define ENV_DEFAULT_DAYS "default_days" +#define ENV_DEFAULT_STARTDATE "default_startdate" +#define ENV_DEFAULT_ENDDATE "default_enddate" +#define ENV_DEFAULT_CRL_DAYS "default_crl_days" +#define ENV_DEFAULT_CRL_HOURS "default_crl_hours" +#define ENV_DEFAULT_MD "default_md" +#define ENV_DEFAULT_EMAIL_DN "email_in_dn" +#define ENV_PRESERVE "preserve" +#define ENV_POLICY "policy" +#define ENV_EXTENSIONS "x509_extensions" +#define ENV_CRLEXT "crl_extensions" +#define ENV_MSIE_HACK "msie_hack" +#define ENV_NAMEOPT "name_opt" +#define ENV_CERTOPT "cert_opt" +#define ENV_EXTCOPY "copy_extensions" +#define ENV_UNIQUE_SUBJECT "unique_subject" + +#define ENV_DATABASE "database" + +/* Additional revocation information types */ + +#define REV_NONE 0 /* No additional information */ +#define REV_CRL_REASON 1 /* Value is CRL reason code */ +#define REV_HOLD 2 /* Value is hold instruction */ +#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */ +#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */ + +static char *lookup_conf(const CONF *conf, const char *group, const char *tag); + +static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, + BIGNUM *serial, const char *subj, unsigned long chtype, + int multirdn, int email_dn, const char *startdate, + const char *enddate, + long days, int batch, const char *ext_sect, CONF *conf, + int verbose, unsigned long certopt, unsigned long nameopt, + int default_op, int ext_copy, int selfsign); +static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, + BIGNUM *serial, const char *subj, unsigned long chtype, + int multirdn, int email_dn, const char *startdate, + const char *enddate, long days, int batch, const char *ext_sect, + CONF *conf, int verbose, unsigned long certopt, + unsigned long nameopt, int default_op, int ext_copy); +static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, + X509 *x509, const EVP_MD *dgst, + STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, + BIGNUM *serial, const char *subj, unsigned long chtype, + int multirdn, int email_dn, const char *startdate, + const char *enddate, long days, const char *ext_sect, CONF *conf, + int verbose, unsigned long certopt, + unsigned long nameopt, int default_op, int ext_copy); +static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext); +static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, + const char *subj, unsigned long chtype, int multirdn, + int email_dn, const char *startdate, const char *enddate, long days, + int batch, int verbose, X509_REQ *req, const char *ext_sect, + CONF *conf, unsigned long certopt, unsigned long nameopt, + int default_op, int ext_copy, int selfsign); +static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval); +static int get_certificate_status(const char *ser_status, CA_DB *db); +static int do_updatedb(CA_DB *db); +static int check_time_format(const char *str); +char *make_revocation_str(int rev_type, char *rev_arg); +int make_revoked(X509_REVOKED *rev, const char *str); +static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str); + +static CONF *extconf = NULL; +static int preserve = 0; +static int msie_hack = 0; + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8, + OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE, + OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN, + OPT_KEY, OPT_CERT, OPT_SELFSIGN, OPT_IN, OPT_OUT, OPT_OUTDIR, + OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN, + OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC, + OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID, + OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS, + OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, + OPT_CRL_CA_COMPROMISE +} OPTION_CHOICE; + +OPTIONS ca_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"verbose", OPT_VERBOSE, '-', "Verbose output during processing"}, + {"config", OPT_CONFIG, 's', "A config file"}, + {"name", OPT_NAME, 's', "The particular CA definition to use"}, + {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"}, + {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, + {"create_serial", OPT_CREATE_SERIAL, '-', + "If reading serial fails, create a new random serial"}, + {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', + "Enable support for multivalued RDNs"}, + {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"}, + {"enddate", OPT_ENDDATE, 's', + "YYMMDDHHMMSSZ cert notAfter (overrides -days)"}, + {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"}, + {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"}, + {"policy", OPT_POLICY, 's', "The CA 'policy' to support"}, + {"keyfile", OPT_KEYFILE, 's', "Private key"}, + {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"}, + {"cert", OPT_CERT, '<', "The CA cert"}, + {"selfsign", OPT_SELFSIGN, '-', + "Sign a cert with the key associated with it"}, + {"in", OPT_IN, '<', "The input PEM encoded cert request(s)"}, + {"out", OPT_OUT, '>', "Where to put the output file(s)"}, + {"outdir", OPT_OUTDIR, '/', "Where to put output cert"}, + {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"notext", OPT_NOTEXT, '-', "Do not print the generated certificate"}, + {"batch", OPT_BATCH, '-', "Don't ask questions"}, + {"preserveDN", OPT_PRESERVEDN, '-', "Don't re-order the DN"}, + {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, + {"gencrl", OPT_GENCRL, '-', "Generate a new CRL"}, + {"msie_hack", OPT_MSIE_HACK, '-', + "msie modifications to handle all those universal strings"}, + {"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"}, + {"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"}, + {"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"}, + {"infiles", OPT_INFILES, '-', "The last argument, requests to process"}, + {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"}, + {"spkac", OPT_SPKAC, '<', + "File contains DN and signed public key and challenge"}, + {"revoke", OPT_REVOKE, '<', "Revoke a cert (given in file)"}, + {"valid", OPT_VALID, 's', + "Add a Valid(not-revoked) DB entry about a cert (given in file)"}, + {"extensions", OPT_EXTENSIONS, 's', + "Extension section (override value in config file)"}, + {"extfile", OPT_EXTFILE, '<', + "Configuration file with X509v3 extensions to add"}, + {"status", OPT_STATUS, 's', "Shows cert status given the serial number"}, + {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"}, + {"crlexts", OPT_CRLEXTS, 's', + "CRL extension section (override value in config file)"}, + {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"}, + {"crl_hold", OPT_CRL_HOLD, 's', + "the hold instruction, an OID. Sets revocation reason to certificateHold"}, + {"crl_compromise", OPT_CRL_COMPROMISE, 's', + "sets compromise time to val and the revocation reason to keyCompromise"}, + {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's', + "sets compromise time to val and the revocation reason to CACompromise"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int ca_main(int argc, char **argv) +{ + CONF *conf = NULL; + ENGINE *e = NULL; + BIGNUM *crlnumber = NULL, *serial = NULL; + EVP_PKEY *pkey = NULL; + BIO *in = NULL, *out = NULL, *Sout = NULL; + ASN1_INTEGER *tmpser; + ASN1_TIME *tmptm; + CA_DB *db = NULL; + DB_ATTR db_attr; + STACK_OF(CONF_VALUE) *attribs = NULL; + STACK_OF(OPENSSL_STRING) *sigopts = NULL; + STACK_OF(X509) *cert_sk = NULL; + X509_CRL *crl = NULL; + const EVP_MD *dgst = NULL; + char *configfile = default_config_file, *section = NULL; + char *md = NULL, *policy = NULL, *keyfile = NULL; + char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL; + const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL; + const char *extensions = NULL, *extfile = NULL, *passinarg = NULL; + char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL; + const char *serialfile = NULL, *subj = NULL; + char *prog, *startdate = NULL, *enddate = NULL; + char *dbfile = NULL, *f, *randfile = NULL; + char buf[3][BSIZE]; + char *const *pp; + const char *p; + int create_ser = 0, free_key = 0, total = 0, total_done = 0; + int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE; + int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0; + int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0; + int i, j, rev_type = REV_NONE, selfsign = 0; + long crldays = 0, crlhours = 0, crlsec = 0, days = 0; + unsigned long chtype = MBSTRING_ASC, nameopt = 0, certopt = 0; + X509 *x509 = NULL, *x509p = NULL, *x = NULL; + X509_REVOKED *r = NULL; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, ca_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ca_options); + ret = 0; + goto end; + case OPT_IN: + req = 1; + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_VERBOSE: + verbose = 1; + break; + case OPT_CONFIG: + configfile = opt_arg(); + break; + case OPT_NAME: + section = opt_arg(); + break; + case OPT_SUBJ: + subj = opt_arg(); + /* preserve=1; */ + break; + case OPT_UTF8: + chtype = MBSTRING_UTF8; + break; + case OPT_CREATE_SERIAL: + create_ser = 1; + break; + case OPT_MULTIVALUE_RDN: + multirdn = 1; + break; + case OPT_STARTDATE: + startdate = opt_arg(); + break; + case OPT_ENDDATE: + enddate = opt_arg(); + break; + case OPT_DAYS: + days = atoi(opt_arg()); + break; + case OPT_MD: + md = opt_arg(); + break; + case OPT_POLICY: + policy = opt_arg(); + break; + case OPT_KEYFILE: + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyformat)) + goto opthelp; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_KEY: + key = opt_arg(); + break; + case OPT_CERT: + certfile = opt_arg(); + break; + case OPT_SELFSIGN: + selfsign = 1; + break; + case OPT_OUTDIR: + outdir = opt_arg(); + break; + case OPT_SIGOPT: + if (sigopts == NULL) + sigopts = sk_OPENSSL_STRING_new_null(); + if (sigopts == NULL + || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto end; + break; + case OPT_NOTEXT: + notext = 1; + break; + case OPT_BATCH: + batch = 1; + break; + case OPT_PRESERVEDN: + preserve = 1; + break; + case OPT_NOEMAILDN: + email_dn = 0; + break; + case OPT_GENCRL: + gencrl = 1; + break; + case OPT_MSIE_HACK: + msie_hack = 1; + break; + case OPT_CRLDAYS: + crldays = atol(opt_arg()); + break; + case OPT_CRLHOURS: + crlhours = atol(opt_arg()); + break; + case OPT_CRLSEC: + crlsec = atol(opt_arg()); + break; + case OPT_INFILES: + req = 1; + goto end_of_options; + case OPT_SS_CERT: + ss_cert_file = opt_arg(); + req = 1; + break; + case OPT_SPKAC: + spkac_file = opt_arg(); + req = 1; + break; + case OPT_REVOKE: + infile = opt_arg(); + dorevoke = 1; + break; + case OPT_VALID: + infile = opt_arg(); + dorevoke = 2; + break; + case OPT_EXTENSIONS: + extensions = opt_arg(); + break; + case OPT_EXTFILE: + extfile = opt_arg(); + break; + case OPT_STATUS: + ser_status = opt_arg(); + break; + case OPT_UPDATEDB: + doupdatedb = 1; + break; + case OPT_CRLEXTS: + crl_ext = opt_arg(); + break; + case OPT_CRL_REASON: + rev_arg = opt_arg(); + rev_type = REV_CRL_REASON; + break; + case OPT_CRL_HOLD: + rev_arg = opt_arg(); + rev_type = REV_HOLD; + break; + case OPT_CRL_COMPROMISE: + rev_arg = opt_arg(); + rev_type = REV_KEY_COMPROMISE; + break; + case OPT_CRL_CA_COMPROMISE: + rev_arg = opt_arg(); + rev_type = REV_CA_COMPROMISE; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + } + } +end_of_options: + argc = opt_num_rest(); + argv = opt_rest(); + + BIO_printf(bio_err, "Using configuration from %s\n", configfile); + + if ((conf = app_load_config(configfile)) == NULL) + goto end; + if (configfile != default_config_file && !app_load_modules(conf)) + goto end; + + /* Lets get the config section we are using */ + if (section == NULL + && (section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_CA)) == NULL) + goto end; + + p = NCONF_get_string(conf, NULL, "oid_file"); + if (p == NULL) + ERR_clear_error(); + if (p != NULL) { + BIO *oid_bio = BIO_new_file(p, "r"); + + if (oid_bio == NULL) { + ERR_clear_error(); + } else { + OBJ_create_objects(oid_bio); + BIO_free(oid_bio); + } + } + if (!add_oid_section(conf)) { + ERR_print_errors(bio_err); + goto end; + } + + randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE"); + if (randfile == NULL) + ERR_clear_error(); + app_RAND_load_file(randfile, 0); + + f = NCONF_get_string(conf, section, STRING_MASK); + if (!f) + ERR_clear_error(); + + if (f && !ASN1_STRING_set_default_mask_asc(f)) { + BIO_printf(bio_err, "Invalid global string mask setting %s\n", f); + goto end; + } + + if (chtype != MBSTRING_UTF8) { + f = NCONF_get_string(conf, section, UTF8_IN); + if (!f) + ERR_clear_error(); + else if (strcmp(f, "yes") == 0) + chtype = MBSTRING_UTF8; + } + + db_attr.unique_subject = 1; + p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT); + if (p) { + db_attr.unique_subject = parse_yesno(p, 1); + } else + ERR_clear_error(); + + /*****************************************************************/ + /* report status of cert with serial number given on command line */ + if (ser_status) { + dbfile = lookup_conf(conf, section, ENV_DATABASE); + if (dbfile == NULL) + goto end; + + db = load_index(dbfile, &db_attr); + if (db == NULL) + goto end; + + if (!index_index(db)) + goto end; + + if (get_certificate_status(ser_status, db) != 1) + BIO_printf(bio_err, "Error verifying serial %s!\n", ser_status); + goto end; + } + + /*****************************************************************/ + /* we definitely need a private key, so let's get it */ + + if (keyfile == NULL + && (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY)) == NULL) + goto end; + + if (!key) { + free_key = 1; + if (!app_passwd(passinarg, NULL, &key, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + } + pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key"); + if (key) + OPENSSL_cleanse(key, strlen(key)); + if (pkey == NULL) { + /* load_key() has already printed an appropriate message */ + goto end; + } + + /*****************************************************************/ + /* we need a certificate */ + if (!selfsign || spkac_file || ss_cert_file || gencrl) { + if (certfile == NULL + && (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL) + goto end; + + x509 = load_cert(certfile, FORMAT_PEM, "CA certificate"); + if (x509 == NULL) + goto end; + + if (!X509_check_private_key(x509, pkey)) { + BIO_printf(bio_err, + "CA certificate and CA private key do not match\n"); + goto end; + } + } + if (!selfsign) + x509p = x509; + + f = NCONF_get_string(conf, BASE_SECTION, ENV_PRESERVE); + if (f == NULL) + ERR_clear_error(); + if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) + preserve = 1; + f = NCONF_get_string(conf, BASE_SECTION, ENV_MSIE_HACK); + if (f == NULL) + ERR_clear_error(); + if ((f != NULL) && ((*f == 'y') || (*f == 'Y'))) + msie_hack = 1; + + f = NCONF_get_string(conf, section, ENV_NAMEOPT); + + if (f) { + if (!set_name_ex(&nameopt, f)) { + BIO_printf(bio_err, "Invalid name options: \"%s\"\n", f); + goto end; + } + default_op = 0; + } else { + nameopt = XN_FLAG_ONELINE; + ERR_clear_error(); + } + + f = NCONF_get_string(conf, section, ENV_CERTOPT); + + if (f) { + if (!set_cert_ex(&certopt, f)) { + BIO_printf(bio_err, "Invalid certificate options: \"%s\"\n", f); + goto end; + } + default_op = 0; + } else + ERR_clear_error(); + + f = NCONF_get_string(conf, section, ENV_EXTCOPY); + + if (f) { + if (!set_ext_copy(&ext_copy, f)) { + BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", f); + goto end; + } + } else + ERR_clear_error(); + + /*****************************************************************/ + /* lookup where to write new certificates */ + if ((outdir == NULL) && (req)) { + + outdir = NCONF_get_string(conf, section, ENV_NEW_CERTS_DIR); + if (outdir == NULL) { + BIO_printf(bio_err, + "there needs to be defined a directory for new certificate to be placed in\n"); + goto end; + } +#ifndef OPENSSL_SYS_VMS + /* + * outdir is a directory spec, but access() for VMS demands a + * filename. We could use the DEC C routine to convert the + * directory syntax to Unixly, and give that to app_isdir, + * but for now the fopen will catch the error if it's not a + * directory + */ + if (app_isdir(outdir) <= 0) { + BIO_printf(bio_err, "%s: %s is not a directory\n", prog, outdir); + perror(outdir); + goto end; + } +#endif + } + + /*****************************************************************/ + /* we need to load the database file */ + dbfile = lookup_conf(conf, section, ENV_DATABASE); + if (dbfile == NULL) + goto end; + + db = load_index(dbfile, &db_attr); + if (db == NULL) + goto end; + + /* Lets check some fields */ + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { + pp = sk_OPENSSL_PSTRING_value(db->db->data, i); + if ((pp[DB_type][0] != DB_TYPE_REV) && (pp[DB_rev_date][0] != '\0')) { + BIO_printf(bio_err, + "entry %d: not revoked yet, but has a revocation date\n", + i + 1); + goto end; + } + if ((pp[DB_type][0] == DB_TYPE_REV) && + !make_revoked(NULL, pp[DB_rev_date])) { + BIO_printf(bio_err, " in entry %d\n", i + 1); + goto end; + } + if (!check_time_format((char *)pp[DB_exp_date])) { + BIO_printf(bio_err, "entry %d: invalid expiry date\n", i + 1); + goto end; + } + p = pp[DB_serial]; + j = strlen(p); + if (*p == '-') { + p++; + j--; + } + if ((j & 1) || (j < 2)) { + BIO_printf(bio_err, "entry %d: bad serial number length (%d)\n", + i + 1, j); + goto end; + } + for ( ; *p; p++) { + if (!isxdigit(_UC(*p))) { + BIO_printf(bio_err, + "entry %d: bad char 0%o '%c' in serial number\n", + i + 1, *p, *p); + goto end; + } + } + } + if (verbose) { + TXT_DB_write(bio_out, db->db); + BIO_printf(bio_err, "%d entries loaded from the database\n", + sk_OPENSSL_PSTRING_num(db->db->data)); + BIO_printf(bio_err, "generating index\n"); + } + + if (!index_index(db)) + goto end; + + /*****************************************************************/ + /* Update the db file for expired certificates */ + if (doupdatedb) { + if (verbose) + BIO_printf(bio_err, "Updating %s ...\n", dbfile); + + i = do_updatedb(db); + if (i == -1) { + BIO_printf(bio_err, "Malloc failure\n"); + goto end; + } else if (i == 0) { + if (verbose) + BIO_printf(bio_err, "No entries found to mark expired\n"); + } else { + if (!save_index(dbfile, "new", db)) + goto end; + + if (!rotate_index(dbfile, "new", "old")) + goto end; + + if (verbose) + BIO_printf(bio_err, + "Done. %d entries marked as expired\n", i); + } + } + + /*****************************************************************/ + /* Read extensions config file */ + if (extfile) { + if ((extconf = app_load_config(extfile)) == NULL) { + ret = 1; + goto end; + } + + if (verbose) + BIO_printf(bio_err, "Successfully loaded extensions file %s\n", + extfile); + + /* We can have sections in the ext file */ + if (extensions == NULL) { + extensions = NCONF_get_string(extconf, "default", "extensions"); + if (extensions == NULL) + extensions = "default"; + } + } + + /*****************************************************************/ + if (req || gencrl) { + /* FIXME: Is it really always text? */ + Sout = bio_open_default(outfile, 'w', FORMAT_TEXT); + if (Sout == NULL) + goto end; + } + + if (md == NULL + && (md = lookup_conf(conf, section, ENV_DEFAULT_MD)) == NULL) + goto end; + + if (strcmp(md, "default") == 0) { + int def_nid; + if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) { + BIO_puts(bio_err, "no default digest\n"); + goto end; + } + md = (char *)OBJ_nid2sn(def_nid); + } + + if (!opt_md(md, &dgst)) { + goto end; + } + + if (req) { + if (email_dn == 1) { + char *tmp_email_dn = NULL; + + tmp_email_dn = NCONF_get_string(conf, section, ENV_DEFAULT_EMAIL_DN); + if (tmp_email_dn != NULL && strcmp(tmp_email_dn, "no") == 0) + email_dn = 0; + } + if (verbose) + BIO_printf(bio_err, "message digest is %s\n", + OBJ_nid2ln(EVP_MD_type(dgst))); + if (policy == NULL + && (policy = lookup_conf(conf, section, ENV_POLICY)) == NULL) + goto end; + + if (verbose) + BIO_printf(bio_err, "policy is %s\n", policy); + + serialfile = lookup_conf(conf, section, ENV_SERIAL); + if (serialfile == NULL) + goto end; + + if (!extconf) { + /* + * no '-extfile' option, so we look for extensions in the main + * configuration file + */ + if (!extensions) { + extensions = NCONF_get_string(conf, section, ENV_EXTENSIONS); + if (!extensions) + ERR_clear_error(); + } + if (extensions) { + /* Check syntax of file */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_nconf(&ctx, conf); + if (!X509V3_EXT_add_nconf(conf, &ctx, extensions, NULL)) { + BIO_printf(bio_err, + "Error Loading extension section %s\n", + extensions); + ret = 1; + goto end; + } + } + } + + if (startdate == NULL) { + startdate = NCONF_get_string(conf, section, + ENV_DEFAULT_STARTDATE); + if (startdate == NULL) + ERR_clear_error(); + } + if (startdate && !ASN1_TIME_set_string(NULL, startdate)) { + BIO_printf(bio_err, + "start date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); + goto end; + } + if (startdate == NULL) + startdate = "today"; + + if (enddate == NULL) { + enddate = NCONF_get_string(conf, section, ENV_DEFAULT_ENDDATE); + if (enddate == NULL) + ERR_clear_error(); + } + if (enddate && !ASN1_TIME_set_string(NULL, enddate)) { + BIO_printf(bio_err, + "end date is invalid, it should be YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ\n"); + goto end; + } + + if (days == 0) { + if (!NCONF_get_number(conf, section, ENV_DEFAULT_DAYS, &days)) + days = 0; + } + if (!enddate && (days == 0)) { + BIO_printf(bio_err, + "cannot lookup how many days to certify for\n"); + goto end; + } + + if ((serial = load_serial(serialfile, create_ser, NULL)) == NULL) { + BIO_printf(bio_err, "error while loading serial number\n"); + goto end; + } + if (verbose) { + if (BN_is_zero(serial)) + BIO_printf(bio_err, "next serial number is 00\n"); + else { + if ((f = BN_bn2hex(serial)) == NULL) + goto end; + BIO_printf(bio_err, "next serial number is %s\n", f); + OPENSSL_free(f); + } + } + + if ((attribs = NCONF_get_section(conf, policy)) == NULL) { + BIO_printf(bio_err, "unable to find 'section' for %s\n", policy); + goto end; + } + + if ((cert_sk = sk_X509_new_null()) == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + if (spkac_file != NULL) { + total++; + j = certify_spkac(&x, spkac_file, pkey, x509, dgst, sigopts, + attribs, db, serial, subj, chtype, multirdn, + email_dn, startdate, enddate, days, extensions, + conf, verbose, certopt, nameopt, default_op, + ext_copy); + if (j < 0) + goto end; + if (j > 0) { + total_done++; + BIO_printf(bio_err, "\n"); + if (!BN_add_word(serial, 1)) + goto end; + if (!sk_X509_push(cert_sk, x)) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + if (outfile) { + output_der = 1; + batch = 1; + } + } + } + if (ss_cert_file != NULL) { + total++; + j = certify_cert(&x, ss_cert_file, pkey, x509, dgst, sigopts, + attribs, + db, serial, subj, chtype, multirdn, email_dn, + startdate, enddate, days, batch, extensions, + conf, verbose, certopt, nameopt, default_op, + ext_copy); + if (j < 0) + goto end; + if (j > 0) { + total_done++; + BIO_printf(bio_err, "\n"); + if (!BN_add_word(serial, 1)) + goto end; + if (!sk_X509_push(cert_sk, x)) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + } + } + if (infile != NULL) { + total++; + j = certify(&x, infile, pkey, x509p, dgst, sigopts, attribs, db, + serial, subj, chtype, multirdn, email_dn, startdate, + enddate, days, batch, extensions, conf, verbose, + certopt, nameopt, default_op, ext_copy, selfsign); + if (j < 0) + goto end; + if (j > 0) { + total_done++; + BIO_printf(bio_err, "\n"); + if (!BN_add_word(serial, 1)) + goto end; + if (!sk_X509_push(cert_sk, x)) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + } + } + for (i = 0; i < argc; i++) { + total++; + j = certify(&x, argv[i], pkey, x509p, dgst, sigopts, attribs, db, + serial, subj, chtype, multirdn, email_dn, startdate, + enddate, days, batch, extensions, conf, verbose, + certopt, nameopt, default_op, ext_copy, selfsign); + if (j < 0) + goto end; + if (j > 0) { + total_done++; + BIO_printf(bio_err, "\n"); + if (!BN_add_word(serial, 1)) + goto end; + if (!sk_X509_push(cert_sk, x)) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + } + } + /* + * we have a stack of newly certified certificates and a data base + * and serial number that need updating + */ + + if (sk_X509_num(cert_sk) > 0) { + if (!batch) { + BIO_printf(bio_err, + "\n%d out of %d certificate requests certified, commit? [y/n]", + total_done, total); + (void)BIO_flush(bio_err); + buf[0][0] = '\0'; + if (!fgets(buf[0], 10, stdin)) { + BIO_printf(bio_err, + "CERTIFICATION CANCELED: I/O error\n"); + ret = 0; + goto end; + } + if ((buf[0][0] != 'y') && (buf[0][0] != 'Y')) { + BIO_printf(bio_err, "CERTIFICATION CANCELED\n"); + ret = 0; + goto end; + } + } + + BIO_printf(bio_err, "Write out database with %d new entries\n", + sk_X509_num(cert_sk)); + + if (!save_serial(serialfile, "new", serial, NULL)) + goto end; + + if (!save_index(dbfile, "new", db)) + goto end; + } + + if (verbose) + BIO_printf(bio_err, "writing new certificates\n"); + for (i = 0; i < sk_X509_num(cert_sk); i++) { + BIO *Cout = NULL; + X509 *xi = sk_X509_value(cert_sk, i); + ASN1_INTEGER *serialNumber = X509_get_serialNumber(xi); + int k; + char *n; + + j = ASN1_STRING_length(serialNumber); + p = (const char *)ASN1_STRING_get0_data(serialNumber); + + if (strlen(outdir) >= (size_t)(j ? BSIZE - j * 2 - 6 : BSIZE - 8)) { + BIO_printf(bio_err, "certificate file name too long\n"); + goto end; + } + + strcpy(buf[2], outdir); + +#ifndef OPENSSL_SYS_VMS + OPENSSL_strlcat(buf[2], "/", sizeof(buf[2])); +#endif + + n = (char *)&(buf[2][strlen(buf[2])]); + if (j > 0) { + for (k = 0; k < j; k++) { + if (n >= &(buf[2][sizeof(buf[2])])) + break; + BIO_snprintf(n, + &buf[2][0] + sizeof(buf[2]) - n, + "%02X", (unsigned char)*(p++)); + n += 2; + } + } else { + *(n++) = '0'; + *(n++) = '0'; + } + *(n++) = '.'; + *(n++) = 'p'; + *(n++) = 'e'; + *(n++) = 'm'; + *n = '\0'; + if (verbose) + BIO_printf(bio_err, "writing %s\n", buf[2]); + + Cout = BIO_new_file(buf[2], "w"); + if (Cout == NULL) { + perror(buf[2]); + goto end; + } + write_new_certificate(Cout, xi, 0, notext); + write_new_certificate(Sout, xi, output_der, notext); + BIO_free_all(Cout); + } + + if (sk_X509_num(cert_sk)) { + /* Rename the database and the serial file */ + if (!rotate_serial(serialfile, "new", "old")) + goto end; + + if (!rotate_index(dbfile, "new", "old")) + goto end; + + BIO_printf(bio_err, "Data Base Updated\n"); + } + } + + /*****************************************************************/ + if (gencrl) { + int crl_v2 = 0; + if (!crl_ext) { + crl_ext = NCONF_get_string(conf, section, ENV_CRLEXT); + if (!crl_ext) + ERR_clear_error(); + } + if (crl_ext) { + /* Check syntax of file */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_nconf(&ctx, conf); + if (!X509V3_EXT_add_nconf(conf, &ctx, crl_ext, NULL)) { + BIO_printf(bio_err, + "Error Loading CRL extension section %s\n", + crl_ext); + ret = 1; + goto end; + } + } + + if ((crlnumberfile = NCONF_get_string(conf, section, ENV_CRLNUMBER)) + != NULL) + if ((crlnumber = load_serial(crlnumberfile, 0, NULL)) == NULL) { + BIO_printf(bio_err, "error while loading CRL number\n"); + goto end; + } + + if (!crldays && !crlhours && !crlsec) { + if (!NCONF_get_number(conf, section, + ENV_DEFAULT_CRL_DAYS, &crldays)) + crldays = 0; + if (!NCONF_get_number(conf, section, + ENV_DEFAULT_CRL_HOURS, &crlhours)) + crlhours = 0; + ERR_clear_error(); + } + if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { + BIO_printf(bio_err, + "cannot lookup how long until the next CRL is issued\n"); + goto end; + } + + if (verbose) + BIO_printf(bio_err, "making CRL\n"); + if ((crl = X509_CRL_new()) == NULL) + goto end; + if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509))) + goto end; + + tmptm = ASN1_TIME_new(); + if (tmptm == NULL + || X509_gmtime_adj(tmptm, 0) == NULL + || !X509_CRL_set1_lastUpdate(crl, tmptm) + || X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec, + NULL) == NULL) { + BIO_puts(bio_err, "error setting CRL nextUpdate\n"); + ASN1_TIME_free(tmptm); + goto end; + } + X509_CRL_set1_nextUpdate(crl, tmptm); + + ASN1_TIME_free(tmptm); + + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { + pp = sk_OPENSSL_PSTRING_value(db->db->data, i); + if (pp[DB_type][0] == DB_TYPE_REV) { + if ((r = X509_REVOKED_new()) == NULL) + goto end; + j = make_revoked(r, pp[DB_rev_date]); + if (!j) + goto end; + if (j == 2) + crl_v2 = 1; + if (!BN_hex2bn(&serial, pp[DB_serial])) + goto end; + tmpser = BN_to_ASN1_INTEGER(serial, NULL); + BN_free(serial); + serial = NULL; + if (!tmpser) + goto end; + X509_REVOKED_set_serialNumber(r, tmpser); + ASN1_INTEGER_free(tmpser); + X509_CRL_add0_revoked(crl, r); + } + } + + /* + * sort the data so it will be written in serial number order + */ + X509_CRL_sort(crl); + + /* we now have a CRL */ + if (verbose) + BIO_printf(bio_err, "signing CRL\n"); + + /* Add any extensions asked for */ + + if (crl_ext || crlnumberfile != NULL) { + X509V3_CTX crlctx; + X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0); + X509V3_set_nconf(&crlctx, conf); + + if (crl_ext) + if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx, crl_ext, crl)) + goto end; + if (crlnumberfile != NULL) { + tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL); + if (!tmpser) + goto end; + X509_CRL_add1_ext_i2d(crl, NID_crl_number, tmpser, 0, 0); + ASN1_INTEGER_free(tmpser); + crl_v2 = 1; + if (!BN_add_word(crlnumber, 1)) + goto end; + } + } + if (crl_ext || crl_v2) { + if (!X509_CRL_set_version(crl, 1)) + goto end; /* version 2 CRL */ + } + + /* we have a CRL number that need updating */ + if (crlnumberfile != NULL) + if (!save_serial(crlnumberfile, "new", crlnumber, NULL)) + goto end; + + BN_free(crlnumber); + crlnumber = NULL; + + if (!do_X509_CRL_sign(crl, pkey, dgst, sigopts)) + goto end; + + PEM_write_bio_X509_CRL(Sout, crl); + + if (crlnumberfile != NULL) /* Rename the crlnumber file */ + if (!rotate_serial(crlnumberfile, "new", "old")) + goto end; + + } + /*****************************************************************/ + if (dorevoke) { + if (infile == NULL) { + BIO_printf(bio_err, "no input files\n"); + goto end; + } else { + X509 *revcert; + revcert = load_cert(infile, FORMAT_PEM, infile); + if (revcert == NULL) + goto end; + if (dorevoke == 2) + rev_type = -1; + j = do_revoke(revcert, db, rev_type, rev_arg); + if (j <= 0) + goto end; + X509_free(revcert); + + if (!save_index(dbfile, "new", db)) + goto end; + + if (!rotate_index(dbfile, "new", "old")) + goto end; + + BIO_printf(bio_err, "Data Base Updated\n"); + } + } + /*****************************************************************/ + ret = 0; + end: + BIO_free_all(Sout); + BIO_free_all(out); + BIO_free_all(in); + sk_X509_pop_free(cert_sk, X509_free); + + if (ret) + ERR_print_errors(bio_err); + app_RAND_write_file(randfile); + if (free_key) + OPENSSL_free(key); + BN_free(serial); + BN_free(crlnumber); + free_index(db); + sk_OPENSSL_STRING_free(sigopts); + EVP_PKEY_free(pkey); + X509_free(x509); + X509_CRL_free(crl); + NCONF_free(conf); + NCONF_free(extconf); + release_engine(e); + return (ret); +} + +static char *lookup_conf(const CONF *conf, const char *section, const char *tag) +{ + char *entry = NCONF_get_string(conf, section, tag); + if (entry == NULL) + BIO_printf(bio_err, "variable lookup failed for %s::%s\n", section, tag); + return entry; +} + +static int certify(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, + BIGNUM *serial, const char *subj, unsigned long chtype, + int multirdn, int email_dn, const char *startdate, + const char *enddate, + long days, int batch, const char *ext_sect, CONF *lconf, + int verbose, unsigned long certopt, unsigned long nameopt, + int default_op, int ext_copy, int selfsign) +{ + X509_REQ *req = NULL; + BIO *in = NULL; + EVP_PKEY *pktmp = NULL; + int ok = -1, i; + + in = BIO_new_file(infile, "r"); + if (in == NULL) { + ERR_print_errors(bio_err); + goto end; + } + if ((req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL)) == NULL) { + BIO_printf(bio_err, "Error reading certificate request in %s\n", + infile); + goto end; + } + if (verbose) + X509_REQ_print(bio_err, req); + + BIO_printf(bio_err, "Check that the request matches the signature\n"); + + if (selfsign && !X509_REQ_check_private_key(req, pkey)) { + BIO_printf(bio_err, + "Certificate request and CA private key do not match\n"); + ok = 0; + goto end; + } + if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) { + BIO_printf(bio_err, "error unpacking public key\n"); + goto end; + } + i = X509_REQ_verify(req, pktmp); + pktmp = NULL; + if (i < 0) { + ok = 0; + BIO_printf(bio_err, "Signature verification problems....\n"); + ERR_print_errors(bio_err); + goto end; + } + if (i == 0) { + ok = 0; + BIO_printf(bio_err, + "Signature did not match the certificate request\n"); + ERR_print_errors(bio_err); + goto end; + } else + BIO_printf(bio_err, "Signature ok\n"); + + ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, + chtype, multirdn, email_dn, startdate, enddate, days, batch, + verbose, req, ext_sect, lconf, certopt, nameopt, default_op, + ext_copy, selfsign); + + end: + X509_REQ_free(req); + BIO_free(in); + return (ok); +} + +static int certify_cert(X509 **xret, const char *infile, EVP_PKEY *pkey, X509 *x509, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, + BIGNUM *serial, const char *subj, unsigned long chtype, + int multirdn, int email_dn, const char *startdate, + const char *enddate, long days, int batch, const char *ext_sect, + CONF *lconf, int verbose, unsigned long certopt, + unsigned long nameopt, int default_op, int ext_copy) +{ + X509 *req = NULL; + X509_REQ *rreq = NULL; + EVP_PKEY *pktmp = NULL; + int ok = -1, i; + + if ((req = load_cert(infile, FORMAT_PEM, infile)) == NULL) + goto end; + if (verbose) + X509_print(bio_err, req); + + BIO_printf(bio_err, "Check that the request matches the signature\n"); + + if ((pktmp = X509_get0_pubkey(req)) == NULL) { + BIO_printf(bio_err, "error unpacking public key\n"); + goto end; + } + i = X509_verify(req, pktmp); + if (i < 0) { + ok = 0; + BIO_printf(bio_err, "Signature verification problems....\n"); + goto end; + } + if (i == 0) { + ok = 0; + BIO_printf(bio_err, "Signature did not match the certificate\n"); + goto end; + } else + BIO_printf(bio_err, "Signature ok\n"); + + if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL) + goto end; + + ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, + chtype, multirdn, email_dn, startdate, enddate, days, batch, + verbose, rreq, ext_sect, lconf, certopt, nameopt, default_op, + ext_copy, 0); + + end: + X509_REQ_free(rreq); + X509_free(req); + return (ok); +} + +static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, + const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, + const char *subj, unsigned long chtype, int multirdn, + int email_dn, const char *startdate, const char *enddate, long days, + int batch, int verbose, X509_REQ *req, const char *ext_sect, + CONF *lconf, unsigned long certopt, unsigned long nameopt, + int default_op, int ext_copy, int selfsign) +{ + X509_NAME *name = NULL, *CAname = NULL, *subject = NULL; + const ASN1_TIME *tm; + ASN1_STRING *str, *str2; + ASN1_OBJECT *obj; + X509 *ret = NULL; + X509_NAME_ENTRY *ne; + X509_NAME_ENTRY *tne, *push; + EVP_PKEY *pktmp; + int ok = -1, i, j, last, nid; + const char *p; + CONF_VALUE *cv; + OPENSSL_STRING row[DB_NUMBER]; + OPENSSL_STRING *irow = NULL; + OPENSSL_STRING *rrow = NULL; + char buf[25]; + + for (i = 0; i < DB_NUMBER; i++) + row[i] = NULL; + + if (subj) { + X509_NAME *n = parse_name(subj, chtype, multirdn); + + if (!n) { + ERR_print_errors(bio_err); + goto end; + } + X509_REQ_set_subject_name(req, n); + X509_NAME_free(n); + } + + if (default_op) + BIO_printf(bio_err, + "The Subject's Distinguished Name is as follows\n"); + + name = X509_REQ_get_subject_name(req); + for (i = 0; i < X509_NAME_entry_count(name); i++) { + ne = X509_NAME_get_entry(name, i); + str = X509_NAME_ENTRY_get_data(ne); + obj = X509_NAME_ENTRY_get_object(ne); + + if (msie_hack) { + /* assume all type should be strings */ + nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(ne)); + + if (str->type == V_ASN1_UNIVERSALSTRING) + ASN1_UNIVERSALSTRING_to_string(str); + + if ((str->type == V_ASN1_IA5STRING) && + (nid != NID_pkcs9_emailAddress)) + str->type = V_ASN1_T61STRING; + + if ((nid == NID_pkcs9_emailAddress) && + (str->type == V_ASN1_PRINTABLESTRING)) + str->type = V_ASN1_IA5STRING; + } + + /* If no EMAIL is wanted in the subject */ + if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && (!email_dn)) + continue; + + /* check some things */ + if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) && + (str->type != V_ASN1_IA5STRING)) { + BIO_printf(bio_err, + "\nemailAddress type needs to be of type IA5STRING\n"); + goto end; + } + if ((str->type != V_ASN1_BMPSTRING) + && (str->type != V_ASN1_UTF8STRING)) { + j = ASN1_PRINTABLE_type(str->data, str->length); + if (((j == V_ASN1_T61STRING) && + (str->type != V_ASN1_T61STRING)) || + ((j == V_ASN1_IA5STRING) && + (str->type == V_ASN1_PRINTABLESTRING))) { + BIO_printf(bio_err, + "\nThe string contains characters that are illegal for the ASN.1 type\n"); + goto end; + } + } + + if (default_op) + old_entry_print(obj, str); + } + + /* Ok, now we check the 'policy' stuff. */ + if ((subject = X509_NAME_new()) == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + + /* take a copy of the issuer name before we mess with it. */ + if (selfsign) + CAname = X509_NAME_dup(name); + else + CAname = X509_NAME_dup(X509_get_subject_name(x509)); + if (CAname == NULL) + goto end; + str = str2 = NULL; + + for (i = 0; i < sk_CONF_VALUE_num(policy); i++) { + cv = sk_CONF_VALUE_value(policy, i); /* get the object id */ + if ((j = OBJ_txt2nid(cv->name)) == NID_undef) { + BIO_printf(bio_err, + "%s:unknown object type in 'policy' configuration\n", + cv->name); + goto end; + } + obj = OBJ_nid2obj(j); + + last = -1; + for (;;) { + /* lookup the object in the supplied name list */ + j = X509_NAME_get_index_by_OBJ(name, obj, last); + if (j < 0) { + if (last != -1) + break; + tne = NULL; + } else { + tne = X509_NAME_get_entry(name, j); + } + last = j; + + /* depending on the 'policy', decide what to do. */ + push = NULL; + if (strcmp(cv->value, "optional") == 0) { + if (tne != NULL) + push = tne; + } else if (strcmp(cv->value, "supplied") == 0) { + if (tne == NULL) { + BIO_printf(bio_err, + "The %s field needed to be supplied and was missing\n", + cv->name); + goto end; + } else + push = tne; + } else if (strcmp(cv->value, "match") == 0) { + int last2; + + if (tne == NULL) { + BIO_printf(bio_err, + "The mandatory %s field was missing\n", + cv->name); + goto end; + } + + last2 = -1; + + again2: + j = X509_NAME_get_index_by_OBJ(CAname, obj, last2); + if ((j < 0) && (last2 == -1)) { + BIO_printf(bio_err, + "The %s field does not exist in the CA certificate,\n" + "the 'policy' is misconfigured\n", + cv->name); + goto end; + } + if (j >= 0) { + push = X509_NAME_get_entry(CAname, j); + str = X509_NAME_ENTRY_get_data(tne); + str2 = X509_NAME_ENTRY_get_data(push); + last2 = j; + if (ASN1_STRING_cmp(str, str2) != 0) + goto again2; + } + if (j < 0) { + BIO_printf(bio_err, + "The %s field is different between\n" + "CA certificate (%s) and the request (%s)\n", + cv->name, + ((str2 == NULL) ? "NULL" : (char *)str2->data), + ((str == NULL) ? "NULL" : (char *)str->data)); + goto end; + } + } else { + BIO_printf(bio_err, + "%s:invalid type in 'policy' configuration\n", + cv->value); + goto end; + } + + if (push != NULL) { + if (!X509_NAME_add_entry(subject, push, -1, 0)) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + } + if (j < 0) + break; + } + } + + if (preserve) { + X509_NAME_free(subject); + /* subject=X509_NAME_dup(X509_REQ_get_subject_name(req)); */ + subject = X509_NAME_dup(name); + if (subject == NULL) + goto end; + } + + /* We are now totally happy, lets make and sign the certificate */ + if (verbose) + BIO_printf(bio_err, + "Everything appears to be ok, creating and signing the certificate\n"); + + if ((ret = X509_new()) == NULL) + goto end; + +#ifdef X509_V3 + /* Make it an X509 v3 certificate. */ + if (!X509_set_version(ret, 2)) + goto end; +#endif + + if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL) + goto end; + if (selfsign) { + if (!X509_set_issuer_name(ret, subject)) + goto end; + } else { + if (!X509_set_issuer_name(ret, X509_get_subject_name(x509))) + goto end; + } + + if (!set_cert_times(ret, startdate, enddate, days)) + goto end; + + if (enddate != NULL) { + int tdays; + + if (!ASN1_TIME_diff(&tdays, NULL, NULL, X509_get0_notAfter(ret))) + goto end; + days = tdays; + } + + if (!X509_set_subject_name(ret, subject)) + goto end; + + pktmp = X509_REQ_get0_pubkey(req); + i = X509_set_pubkey(ret, pktmp); + if (!i) + goto end; + + /* Lets add the extensions, if there are any */ + if (ext_sect) { + X509V3_CTX ctx; + + /* Initialize the context structure */ + if (selfsign) + X509V3_set_ctx(&ctx, ret, ret, req, NULL, 0); + else + X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0); + + if (extconf) { + if (verbose) + BIO_printf(bio_err, "Extra configuration file found\n"); + + /* Use the extconf configuration db LHASH */ + X509V3_set_nconf(&ctx, extconf); + + /* Test the structure (needed?) */ + /* X509V3_set_ctx_test(&ctx); */ + + /* Adds exts contained in the configuration file */ + if (!X509V3_EXT_add_nconf(extconf, &ctx, ext_sect, ret)) { + BIO_printf(bio_err, + "ERROR: adding extensions in section %s\n", + ext_sect); + ERR_print_errors(bio_err); + goto end; + } + if (verbose) + BIO_printf(bio_err, + "Successfully added extensions from file.\n"); + } else if (ext_sect) { + /* We found extensions to be set from config file */ + X509V3_set_nconf(&ctx, lconf); + + if (!X509V3_EXT_add_nconf(lconf, &ctx, ext_sect, ret)) { + BIO_printf(bio_err, + "ERROR: adding extensions in section %s\n", + ext_sect); + ERR_print_errors(bio_err); + goto end; + } + + if (verbose) + BIO_printf(bio_err, + "Successfully added extensions from config\n"); + } + } + + /* Copy extensions from request (if any) */ + + if (!copy_extensions(ret, req, ext_copy)) { + BIO_printf(bio_err, "ERROR: adding extensions from request\n"); + ERR_print_errors(bio_err); + goto end; + } + + { + const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret); + + if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) + /* Make it an X509 v3 certificate. */ + if (!X509_set_version(ret, 2)) + goto end; + } + + if (verbose) + BIO_printf(bio_err, + "The subject name appears to be ok, checking data base for clashes\n"); + + /* Build the correct Subject if no e-mail is wanted in the subject. */ + if (!email_dn) { + X509_NAME_ENTRY *tmpne; + X509_NAME *dn_subject; + + /* + * Its best to dup the subject DN and then delete any email addresses + * because this retains its structure. + */ + if ((dn_subject = X509_NAME_dup(subject)) == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + while ((i = X509_NAME_get_index_by_NID(dn_subject, + NID_pkcs9_emailAddress, + -1)) >= 0) { + tmpne = X509_NAME_get_entry(dn_subject, i); + X509_NAME_delete_entry(dn_subject, i); + X509_NAME_ENTRY_free(tmpne); + } + + if (!X509_set_subject_name(ret, dn_subject)) { + X509_NAME_free(dn_subject); + goto end; + } + X509_NAME_free(dn_subject); + } + + row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); + if (row[DB_name] == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + + if (BN_is_zero(serial)) + row[DB_serial] = OPENSSL_strdup("00"); + else + row[DB_serial] = BN_bn2hex(serial); + if (row[DB_serial] == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + + if (row[DB_name][0] == '\0') { + /* + * An empty subject! We'll use the serial number instead. If + * unique_subject is in use then we don't want different entries with + * empty subjects matching each other. + */ + OPENSSL_free(row[DB_name]); + row[DB_name] = OPENSSL_strdup(row[DB_serial]); + if (row[DB_name] == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + } + + if (db->attributes.unique_subject) { + OPENSSL_STRING *crow = row; + + rrow = TXT_DB_get_by_index(db->db, DB_name, crow); + if (rrow != NULL) { + BIO_printf(bio_err, + "ERROR:There is already a certificate for %s\n", + row[DB_name]); + } + } + if (rrow == NULL) { + rrow = TXT_DB_get_by_index(db->db, DB_serial, row); + if (rrow != NULL) { + BIO_printf(bio_err, + "ERROR:Serial number %s has already been issued,\n", + row[DB_serial]); + BIO_printf(bio_err, + " check the database/serial_file for corruption\n"); + } + } + + if (rrow != NULL) { + BIO_printf(bio_err, "The matching entry has the following details\n"); + if (rrow[DB_type][0] == DB_TYPE_EXP) + p = "Expired"; + else if (rrow[DB_type][0] == DB_TYPE_REV) + p = "Revoked"; + else if (rrow[DB_type][0] == DB_TYPE_VAL) + p = "Valid"; + else + p = "\ninvalid type, Data base error\n"; + BIO_printf(bio_err, "Type :%s\n", p);; + if (rrow[DB_type][0] == DB_TYPE_REV) { + p = rrow[DB_exp_date]; + if (p == NULL) + p = "undef"; + BIO_printf(bio_err, "Was revoked on:%s\n", p); + } + p = rrow[DB_exp_date]; + if (p == NULL) + p = "undef"; + BIO_printf(bio_err, "Expires on :%s\n", p); + p = rrow[DB_serial]; + if (p == NULL) + p = "undef"; + BIO_printf(bio_err, "Serial Number :%s\n", p); + p = rrow[DB_file]; + if (p == NULL) + p = "undef"; + BIO_printf(bio_err, "File name :%s\n", p); + p = rrow[DB_name]; + if (p == NULL) + p = "undef"; + BIO_printf(bio_err, "Subject Name :%s\n", p); + ok = -1; /* This is now a 'bad' error. */ + goto end; + } + + if (!default_op) { + BIO_printf(bio_err, "Certificate Details:\n"); + /* + * Never print signature details because signature not present + */ + certopt |= X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_SIGNAME; + X509_print_ex(bio_err, ret, nameopt, certopt); + } + + BIO_printf(bio_err, "Certificate is to be certified until "); + ASN1_TIME_print(bio_err, X509_get0_notAfter(ret)); + if (days) + BIO_printf(bio_err, " (%ld days)", days); + BIO_printf(bio_err, "\n"); + + if (!batch) { + + BIO_printf(bio_err, "Sign the certificate? [y/n]:"); + (void)BIO_flush(bio_err); + buf[0] = '\0'; + if (!fgets(buf, sizeof(buf) - 1, stdin)) { + BIO_printf(bio_err, + "CERTIFICATE WILL NOT BE CERTIFIED: I/O error\n"); + ok = 0; + goto end; + } + if (!((buf[0] == 'y') || (buf[0] == 'Y'))) { + BIO_printf(bio_err, "CERTIFICATE WILL NOT BE CERTIFIED\n"); + ok = 0; + goto end; + } + } + + pktmp = X509_get0_pubkey(ret); + if (EVP_PKEY_missing_parameters(pktmp) && + !EVP_PKEY_missing_parameters(pkey)) + EVP_PKEY_copy_parameters(pktmp, pkey); + + if (!do_X509_sign(ret, pkey, dgst, sigopts)) + goto end; + + /* We now just add it to the database */ + row[DB_type] = OPENSSL_strdup("V"); + tm = X509_get0_notAfter(ret); + row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate"); + memcpy(row[DB_exp_date], tm->data, tm->length); + row[DB_exp_date][tm->length] = '\0'; + row[DB_rev_date] = NULL; + row[DB_file] = OPENSSL_strdup("unknown"); + if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || + (row[DB_file] == NULL) || (row[DB_name] == NULL)) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + + irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space"); + for (i = 0; i < DB_NUMBER; i++) + irow[i] = row[i]; + irow[DB_NUMBER] = NULL; + + if (!TXT_DB_insert(db->db, irow)) { + BIO_printf(bio_err, "failed to update database\n"); + BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); + goto end; + } + irow = NULL; + ok = 1; + end: + if (ok != 1) { + for (i = 0; i < DB_NUMBER; i++) + OPENSSL_free(row[i]); + } + OPENSSL_free(irow); + + X509_NAME_free(CAname); + X509_NAME_free(subject); + if (ok <= 0) + X509_free(ret); + else + *xret = ret; + return (ok); +} + +static void write_new_certificate(BIO *bp, X509 *x, int output_der, + int notext) +{ + + if (output_der) { + (void)i2d_X509_bio(bp, x); + return; + } + if (!notext) + X509_print(bp, x); + PEM_write_bio_X509(bp, x); +} + +static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey, + X509 *x509, const EVP_MD *dgst, + STACK_OF(OPENSSL_STRING) *sigopts, + STACK_OF(CONF_VALUE) *policy, CA_DB *db, + BIGNUM *serial, const char *subj, unsigned long chtype, + int multirdn, int email_dn, const char *startdate, + const char *enddate, long days, const char *ext_sect, + CONF *lconf, int verbose, unsigned long certopt, + unsigned long nameopt, int default_op, int ext_copy) +{ + STACK_OF(CONF_VALUE) *sk = NULL; + LHASH_OF(CONF_VALUE) *parms = NULL; + X509_REQ *req = NULL; + CONF_VALUE *cv = NULL; + NETSCAPE_SPKI *spki = NULL; + char *type, *buf; + EVP_PKEY *pktmp = NULL; + X509_NAME *n = NULL; + X509_NAME_ENTRY *ne = NULL; + int ok = -1, i, j; + long errline; + int nid; + + /* + * Load input file into a hash table. (This is just an easy + * way to read and parse the file, then put it into a convenient + * STACK format). + */ + parms = CONF_load(NULL, infile, &errline); + if (parms == NULL) { + BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile); + ERR_print_errors(bio_err); + goto end; + } + + sk = CONF_get_section(parms, "default"); + if (sk_CONF_VALUE_num(sk) == 0) { + BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); + goto end; + } + + /* + * Now create a dummy X509 request structure. We don't actually + * have an X509 request, but we have many of the components + * (a public key, various DN components). The idea is that we + * put these components into the right X509 request structure + * and we can use the same code as if you had a real X509 request. + */ + req = X509_REQ_new(); + if (req == NULL) { + ERR_print_errors(bio_err); + goto end; + } + + /* + * Build up the subject name set. + */ + n = X509_REQ_get_subject_name(req); + + for (i = 0;; i++) { + if (sk_CONF_VALUE_num(sk) <= i) + break; + + cv = sk_CONF_VALUE_value(sk, i); + type = cv->name; + /* + * Skip past any leading X. X: X, etc to allow for multiple instances + */ + for (buf = cv->name; *buf; buf++) + if ((*buf == ':') || (*buf == ',') || (*buf == '.')) { + buf++; + if (*buf) + type = buf; + break; + } + + buf = cv->value; + if ((nid = OBJ_txt2nid(type)) == NID_undef) { + if (strcmp(type, "SPKAC") == 0) { + spki = NETSCAPE_SPKI_b64_decode(cv->value, -1); + if (spki == NULL) { + BIO_printf(bio_err, + "unable to load Netscape SPKAC structure\n"); + ERR_print_errors(bio_err); + goto end; + } + } + continue; + } + + if (!X509_NAME_add_entry_by_NID(n, nid, chtype, + (unsigned char *)buf, -1, -1, 0)) + goto end; + } + if (spki == NULL) { + BIO_printf(bio_err, "Netscape SPKAC structure not found in %s\n", + infile); + goto end; + } + + /* + * Now extract the key from the SPKI structure. + */ + + BIO_printf(bio_err, + "Check that the SPKAC request matches the signature\n"); + + if ((pktmp = NETSCAPE_SPKI_get_pubkey(spki)) == NULL) { + BIO_printf(bio_err, "error unpacking SPKAC public key\n"); + goto end; + } + + j = NETSCAPE_SPKI_verify(spki, pktmp); + if (j <= 0) { + EVP_PKEY_free(pktmp); + BIO_printf(bio_err, + "signature verification failed on SPKAC public key\n"); + goto end; + } + BIO_printf(bio_err, "Signature ok\n"); + + X509_REQ_set_pubkey(req, pktmp); + EVP_PKEY_free(pktmp); + ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj, + chtype, multirdn, email_dn, startdate, enddate, days, 1, + verbose, req, ext_sect, lconf, certopt, nameopt, default_op, + ext_copy, 0); + end: + X509_REQ_free(req); + CONF_free(parms); + NETSCAPE_SPKI_free(spki); + X509_NAME_ENTRY_free(ne); + + return (ok); +} + +static int check_time_format(const char *str) +{ + return ASN1_TIME_set_string(NULL, str); +} + +static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) +{ + const ASN1_TIME *tm = NULL; + char *row[DB_NUMBER], **rrow, **irow; + char *rev_str = NULL; + BIGNUM *bn = NULL; + int ok = -1, i; + + for (i = 0; i < DB_NUMBER; i++) + row[i] = NULL; + row[DB_name] = X509_NAME_oneline(X509_get_subject_name(x509), NULL, 0); + bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509), NULL); + if (!bn) + goto end; + if (BN_is_zero(bn)) + row[DB_serial] = OPENSSL_strdup("00"); + else + row[DB_serial] = BN_bn2hex(bn); + BN_free(bn); + if (row[DB_name] != NULL && row[DB_name][0] == '\0') { + /* Entries with empty Subjects actually use the serial number instead */ + OPENSSL_free(row[DB_name]); + row[DB_name] = OPENSSL_strdup(row[DB_serial]); + } + if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + /* + * We have to lookup by serial number because name lookup skips revoked + * certs + */ + rrow = TXT_DB_get_by_index(db->db, DB_serial, row); + if (rrow == NULL) { + BIO_printf(bio_err, + "Adding Entry with serial number %s to DB for %s\n", + row[DB_serial], row[DB_name]); + + /* We now just add it to the database */ + row[DB_type] = OPENSSL_strdup("V"); + tm = X509_get0_notAfter(x509); + row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data"); + memcpy(row[DB_exp_date], tm->data, tm->length); + row[DB_exp_date][tm->length] = '\0'; + row[DB_rev_date] = NULL; + row[DB_file] = OPENSSL_strdup("unknown"); + + if (row[DB_type] == NULL || row[DB_file] == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + + irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr"); + for (i = 0; i < DB_NUMBER; i++) + irow[i] = row[i]; + irow[DB_NUMBER] = NULL; + + if (!TXT_DB_insert(db->db, irow)) { + BIO_printf(bio_err, "failed to update database\n"); + BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); + OPENSSL_free(irow); + goto end; + } + + for (i = 0; i < DB_NUMBER; i++) + row[i] = NULL; + + /* Revoke Certificate */ + if (type == -1) + ok = 1; + else + ok = do_revoke(x509, db, type, value); + + goto end; + + } else if (index_name_cmp_noconst(row, rrow)) { + BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]); + goto end; + } else if (type == -1) { + BIO_printf(bio_err, "ERROR:Already present, serial number %s\n", + row[DB_serial]); + goto end; + } else if (rrow[DB_type][0] == 'R') { + BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n", + row[DB_serial]); + goto end; + } else { + BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]); + rev_str = make_revocation_str(type, value); + if (!rev_str) { + BIO_printf(bio_err, "Error in revocation arguments\n"); + goto end; + } + rrow[DB_type][0] = 'R'; + rrow[DB_type][1] = '\0'; + rrow[DB_rev_date] = rev_str; + } + ok = 1; + end: + for (i = 0; i < DB_NUMBER; i++) + OPENSSL_free(row[i]); + return (ok); +} + +static int get_certificate_status(const char *serial, CA_DB *db) +{ + char *row[DB_NUMBER], **rrow; + int ok = -1, i; + size_t serial_len = strlen(serial); + + /* Free Resources */ + for (i = 0; i < DB_NUMBER; i++) + row[i] = NULL; + + /* Malloc needed char spaces */ + row[DB_serial] = app_malloc(serial_len + 2, "row serial#"); + + if (serial_len % 2) { + /* + * Set the first char to 0 + */ ; + row[DB_serial][0] = '0'; + + /* Copy String from serial to row[DB_serial] */ + memcpy(row[DB_serial] + 1, serial, serial_len); + row[DB_serial][serial_len + 1] = '\0'; + } else { + /* Copy String from serial to row[DB_serial] */ + memcpy(row[DB_serial], serial, serial_len); + row[DB_serial][serial_len] = '\0'; + } + + /* Make it Upper Case */ + for (i = 0; row[DB_serial][i] != '\0'; i++) + row[DB_serial][i] = toupper((unsigned char)row[DB_serial][i]); + + ok = 1; + + /* Search for the certificate */ + rrow = TXT_DB_get_by_index(db->db, DB_serial, row); + if (rrow == NULL) { + BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial]); + ok = -1; + goto end; + } else if (rrow[DB_type][0] == 'V') { + BIO_printf(bio_err, "%s=Valid (%c)\n", + row[DB_serial], rrow[DB_type][0]); + goto end; + } else if (rrow[DB_type][0] == 'R') { + BIO_printf(bio_err, "%s=Revoked (%c)\n", + row[DB_serial], rrow[DB_type][0]); + goto end; + } else if (rrow[DB_type][0] == 'E') { + BIO_printf(bio_err, "%s=Expired (%c)\n", + row[DB_serial], rrow[DB_type][0]); + goto end; + } else if (rrow[DB_type][0] == 'S') { + BIO_printf(bio_err, "%s=Suspended (%c)\n", + row[DB_serial], rrow[DB_type][0]); + goto end; + } else { + BIO_printf(bio_err, "%s=Unknown (%c).\n", + row[DB_serial], rrow[DB_type][0]); + ok = -1; + } + end: + for (i = 0; i < DB_NUMBER; i++) { + OPENSSL_free(row[i]); + } + return (ok); +} + +static int do_updatedb(CA_DB *db) +{ + ASN1_UTCTIME *a_tm = NULL; + int i, cnt = 0; + int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */ + char **rrow, *a_tm_s; + + a_tm = ASN1_UTCTIME_new(); + if (a_tm == NULL) + return -1; + + /* get actual time and make a string */ + if (X509_gmtime_adj(a_tm, 0) == NULL) { + ASN1_UTCTIME_free(a_tm); + return -1; + } + a_tm_s = app_malloc(a_tm->length + 1, "time string"); + + memcpy(a_tm_s, a_tm->data, a_tm->length); + a_tm_s[a_tm->length] = '\0'; + + if (strncmp(a_tm_s, "49", 2) <= 0) + a_y2k = 1; + else + a_y2k = 0; + + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { + rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); + + if (rrow[DB_type][0] == 'V') { + /* ignore entries that are not valid */ + if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) + db_y2k = 1; + else + db_y2k = 0; + + if (db_y2k == a_y2k) { + /* all on the same y2k side */ + if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) { + rrow[DB_type][0] = 'E'; + rrow[DB_type][1] = '\0'; + cnt++; + + BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); + } + } else if (db_y2k < a_y2k) { + rrow[DB_type][0] = 'E'; + rrow[DB_type][1] = '\0'; + cnt++; + + BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); + } + + } + } + + ASN1_UTCTIME_free(a_tm); + OPENSSL_free(a_tm_s); + return (cnt); +} + +static const char *crl_reasons[] = { + /* CRL reason strings */ + "unspecified", + "keyCompromise", + "CACompromise", + "affiliationChanged", + "superseded", + "cessationOfOperation", + "certificateHold", + "removeFromCRL", + /* Additional pseudo reasons */ + "holdInstruction", + "keyTime", + "CAkeyTime" +}; + +#define NUM_REASONS OSSL_NELEM(crl_reasons) + +/* + * Given revocation information convert to a DB string. The format of the + * string is: revtime[,reason,extra]. Where 'revtime' is the revocation time + * (the current time). 'reason' is the optional CRL reason and 'extra' is any + * additional argument + */ + +char *make_revocation_str(int rev_type, char *rev_arg) +{ + char *str; + const char *other = NULL; + const char *reason = NULL; + ASN1_OBJECT *otmp; + ASN1_UTCTIME *revtm = NULL; + int i; + switch (rev_type) { + case REV_NONE: + break; + + case REV_CRL_REASON: + for (i = 0; i < 8; i++) { + if (strcasecmp(rev_arg, crl_reasons[i]) == 0) { + reason = crl_reasons[i]; + break; + } + } + if (reason == NULL) { + BIO_printf(bio_err, "Unknown CRL reason %s\n", rev_arg); + return NULL; + } + break; + + case REV_HOLD: + /* Argument is an OID */ + + otmp = OBJ_txt2obj(rev_arg, 0); + ASN1_OBJECT_free(otmp); + + if (otmp == NULL) { + BIO_printf(bio_err, "Invalid object identifier %s\n", rev_arg); + return NULL; + } + + reason = "holdInstruction"; + other = rev_arg; + break; + + case REV_KEY_COMPROMISE: + case REV_CA_COMPROMISE: + + /* Argument is the key compromise time */ + if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) { + BIO_printf(bio_err, + "Invalid time format %s. Need YYYYMMDDHHMMSSZ\n", + rev_arg); + return NULL; + } + other = rev_arg; + if (rev_type == REV_KEY_COMPROMISE) + reason = "keyTime"; + else + reason = "CAkeyTime"; + + break; + + } + + revtm = X509_gmtime_adj(NULL, 0); + + if (!revtm) + return NULL; + + i = revtm->length + 1; + + if (reason) + i += strlen(reason) + 1; + if (other) + i += strlen(other) + 1; + + str = app_malloc(i, "revocation reason"); + OPENSSL_strlcpy(str, (char *)revtm->data, i); + if (reason) { + OPENSSL_strlcat(str, ",", i); + OPENSSL_strlcat(str, reason, i); + } + if (other) { + OPENSSL_strlcat(str, ",", i); + OPENSSL_strlcat(str, other, i); + } + ASN1_UTCTIME_free(revtm); + return str; +} + +/*- + * Convert revocation field to X509_REVOKED entry + * return code: + * 0 error + * 1 OK + * 2 OK and some extensions added (i.e. V2 CRL) + */ + +int make_revoked(X509_REVOKED *rev, const char *str) +{ + char *tmp = NULL; + int reason_code = -1; + int i, ret = 0; + ASN1_OBJECT *hold = NULL; + ASN1_GENERALIZEDTIME *comp_time = NULL; + ASN1_ENUMERATED *rtmp = NULL; + + ASN1_TIME *revDate = NULL; + + i = unpack_revinfo(&revDate, &reason_code, &hold, &comp_time, str); + + if (i == 0) + goto end; + + if (rev && !X509_REVOKED_set_revocationDate(rev, revDate)) + goto end; + + if (rev && (reason_code != OCSP_REVOKED_STATUS_NOSTATUS)) { + rtmp = ASN1_ENUMERATED_new(); + if (rtmp == NULL || !ASN1_ENUMERATED_set(rtmp, reason_code)) + goto end; + if (!X509_REVOKED_add1_ext_i2d(rev, NID_crl_reason, rtmp, 0, 0)) + goto end; + } + + if (rev && comp_time) { + if (!X509_REVOKED_add1_ext_i2d + (rev, NID_invalidity_date, comp_time, 0, 0)) + goto end; + } + if (rev && hold) { + if (!X509_REVOKED_add1_ext_i2d + (rev, NID_hold_instruction_code, hold, 0, 0)) + goto end; + } + + if (reason_code != OCSP_REVOKED_STATUS_NOSTATUS) + ret = 2; + else + ret = 1; + + end: + + OPENSSL_free(tmp); + ASN1_OBJECT_free(hold); + ASN1_GENERALIZEDTIME_free(comp_time); + ASN1_ENUMERATED_free(rtmp); + ASN1_TIME_free(revDate); + + return ret; +} + +static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str) +{ + char buf[25], *pbuf; + const char *p; + int j; + + j = i2a_ASN1_OBJECT(bio_err, obj); + pbuf = buf; + for (j = 22 - j; j > 0; j--) + *(pbuf++) = ' '; + *(pbuf++) = ':'; + *(pbuf++) = '\0'; + BIO_puts(bio_err, buf); + + if (str->type == V_ASN1_PRINTABLESTRING) + BIO_printf(bio_err, "PRINTABLE:'"); + else if (str->type == V_ASN1_T61STRING) + BIO_printf(bio_err, "T61STRING:'"); + else if (str->type == V_ASN1_IA5STRING) + BIO_printf(bio_err, "IA5STRING:'"); + else if (str->type == V_ASN1_UNIVERSALSTRING) + BIO_printf(bio_err, "UNIVERSALSTRING:'"); + else + BIO_printf(bio_err, "ASN.1 %2d:'", str->type); + + p = (const char *)str->data; + for (j = str->length; j > 0; j--) { + if ((*p >= ' ') && (*p <= '~')) + BIO_printf(bio_err, "%c", *p); + else if (*p & 0x80) + BIO_printf(bio_err, "\\0x%02X", *p); + else if ((unsigned char)*p == 0xf7) + BIO_printf(bio_err, "^?"); + else + BIO_printf(bio_err, "^%c", *p + '@'); + p++; + } + BIO_printf(bio_err, "'\n"); + return 1; +} + +int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, + ASN1_GENERALIZEDTIME **pinvtm, const char *str) +{ + char *tmp; + char *rtime_str, *reason_str = NULL, *arg_str = NULL, *p; + int reason_code = -1; + int ret = 0; + unsigned int i; + ASN1_OBJECT *hold = NULL; + ASN1_GENERALIZEDTIME *comp_time = NULL; + + tmp = OPENSSL_strdup(str); + if (!tmp) { + BIO_printf(bio_err, "memory allocation failure\n"); + goto end; + } + + p = strchr(tmp, ','); + + rtime_str = tmp; + + if (p) { + *p = '\0'; + p++; + reason_str = p; + p = strchr(p, ','); + if (p) { + *p = '\0'; + arg_str = p + 1; + } + } + + if (prevtm) { + *prevtm = ASN1_UTCTIME_new(); + if (*prevtm == NULL) { + BIO_printf(bio_err, "memory allocation failure\n"); + goto end; + } + if (!ASN1_UTCTIME_set_string(*prevtm, rtime_str)) { + BIO_printf(bio_err, "invalid revocation date %s\n", rtime_str); + goto end; + } + } + if (reason_str) { + for (i = 0; i < NUM_REASONS; i++) { + if (strcasecmp(reason_str, crl_reasons[i]) == 0) { + reason_code = i; + break; + } + } + if (reason_code == OCSP_REVOKED_STATUS_NOSTATUS) { + BIO_printf(bio_err, "invalid reason code %s\n", reason_str); + goto end; + } + + if (reason_code == 7) + reason_code = OCSP_REVOKED_STATUS_REMOVEFROMCRL; + else if (reason_code == 8) { /* Hold instruction */ + if (!arg_str) { + BIO_printf(bio_err, "missing hold instruction\n"); + goto end; + } + reason_code = OCSP_REVOKED_STATUS_CERTIFICATEHOLD; + hold = OBJ_txt2obj(arg_str, 0); + + if (!hold) { + BIO_printf(bio_err, "invalid object identifier %s\n", + arg_str); + goto end; + } + if (phold) + *phold = hold; + else + ASN1_OBJECT_free(hold); + } else if ((reason_code == 9) || (reason_code == 10)) { + if (!arg_str) { + BIO_printf(bio_err, "missing compromised time\n"); + goto end; + } + comp_time = ASN1_GENERALIZEDTIME_new(); + if (comp_time == NULL) { + BIO_printf(bio_err, "memory allocation failure\n"); + goto end; + } + if (!ASN1_GENERALIZEDTIME_set_string(comp_time, arg_str)) { + BIO_printf(bio_err, "invalid compromised time %s\n", arg_str); + goto end; + } + if (reason_code == 9) + reason_code = OCSP_REVOKED_STATUS_KEYCOMPROMISE; + else + reason_code = OCSP_REVOKED_STATUS_CACOMPROMISE; + } + } + + if (preason) + *preason = reason_code; + if (pinvtm) { + *pinvtm = comp_time; + comp_time = NULL; + } + + ret = 1; + + end: + + OPENSSL_free(tmp); + ASN1_GENERALIZEDTIME_free(comp_time); + + return ret; +} diff --git a/openssl-1.1.0h/apps/cert.pem b/openssl-1.1.0h/apps/cert.pem new file mode 100644 index 0000000..de4a77a --- /dev/null +++ b/openssl-1.1.0h/apps/cert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBoDCCAUoCAQAwDQYJKoZIhvcNAQEEBQAwYzELMAkGA1UEBhMCQVUxEzARBgNV +BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSMwIQYD +VQQDExpTZXJ2ZXIgdGVzdCBjZXJ0ICg1MTIgYml0KTAeFw05NzA5MDkwMzQxMjZa +Fw05NzEwMDkwMzQxMjZaMF4xCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0 +YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFzAVBgNVBAMT +DkVyaWMgdGhlIFlvdW5nMFEwCQYFKw4DAgwFAANEAAJBALVEqPODnpI4rShlY8S7 +tB713JNvabvn6Gned7zylwLLiXQAo/PAT6mfdWPTyCX9RlId/Aroh1ou893BA32Q +sggwDQYJKoZIhvcNAQEEBQADQQCU5SSgapJSdRXJoX+CpCvFy+JVh9HpSjCpSNKO +19raHv98hKAUJuP9HyM+SUsffO6mAIgitUaqW8/wDMePhEC3 +-----END CERTIFICATE----- diff --git a/openssl-1.1.0h/apps/ciphers.c b/openssl-1.1.0h/apps/ciphers.c new file mode 100644 index 0000000..e1b5b25 --- /dev/null +++ b/openssl-1.1.0h/apps/ciphers.c @@ -0,0 +1,242 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_STDNAME, + OPT_SSL3, + OPT_TLS1, + OPT_TLS1_1, + OPT_TLS1_2, + OPT_PSK, + OPT_SRP, + OPT_V, OPT_UPPER_V, OPT_S +} OPTION_CHOICE; + +OPTIONS ciphers_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"}, + {"V", OPT_UPPER_V, '-', "Even more verbose"}, + {"s", OPT_S, '-', "Only supported ciphers"}, +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "SSL3 mode"}, +#endif +#ifndef OPENSSL_NO_TLS1 + {"tls1", OPT_TLS1, '-', "TLS1 mode"}, +#endif +#ifndef OPENSSL_NO_TLS1_1 + {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"}, +#endif +#ifndef OPENSSL_NO_TLS1_2 + {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"}, +#endif +#ifndef OPENSSL_NO_SSL_TRACE + {"stdname", OPT_STDNAME, '-', "Show standard cipher names"}, +#endif +#ifndef OPENSSL_NO_PSK + {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"}, +#endif +#ifndef OPENSSL_NO_SRP + {"srp", OPT_SRP, '-', "include ciphersuites requiring SRP"}, +#endif + {NULL} +}; + +#ifndef OPENSSL_NO_PSK +static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity, + unsigned int max_identity_len, + unsigned char *psk, + unsigned int max_psk_len) +{ + return 0; +} +#endif +#ifndef OPENSSL_NO_SRP +static char *dummy_srp(SSL *ssl, void *arg) +{ + return ""; +} +#endif + +int ciphers_main(int argc, char **argv) +{ + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + STACK_OF(SSL_CIPHER) *sk = NULL; + const SSL_METHOD *meth = TLS_server_method(); + int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0; +#ifndef OPENSSL_NO_SSL_TRACE + int stdname = 0; +#endif +#ifndef OPENSSL_NO_PSK + int psk = 0; +#endif +#ifndef OPENSSL_NO_SRP + int srp = 0; +#endif + const char *p; + char *ciphers = NULL, *prog; + char buf[512]; + OPTION_CHOICE o; + int min_version = 0, max_version = 0; + + prog = opt_init(argc, argv, ciphers_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ciphers_options); + ret = 0; + goto end; + case OPT_V: + verbose = 1; + break; + case OPT_UPPER_V: + verbose = Verbose = 1; + break; + case OPT_S: + use_supported = 1; + break; + case OPT_STDNAME: +#ifndef OPENSSL_NO_SSL_TRACE + stdname = verbose = 1; +#endif + break; + case OPT_SSL3: + min_version = SSL3_VERSION; + max_version = SSL3_VERSION; + break; + case OPT_TLS1: + min_version = TLS1_VERSION; + max_version = TLS1_VERSION; + break; + case OPT_TLS1_1: + min_version = TLS1_1_VERSION; + max_version = TLS1_1_VERSION; + break; + case OPT_TLS1_2: + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; + break; + case OPT_PSK: +#ifndef OPENSSL_NO_PSK + psk = 1; +#endif + break; + case OPT_SRP: +#ifndef OPENSSL_NO_SRP + srp = 1; +#endif + break; + } + } + argv = opt_rest(); + argc = opt_num_rest(); + + if (argc == 1) + ciphers = *argv; + else if (argc != 0) + goto opthelp; + + ctx = SSL_CTX_new(meth); + if (ctx == NULL) + goto err; + if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0) + goto err; + if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0) + goto err; + +#ifndef OPENSSL_NO_PSK + if (psk) + SSL_CTX_set_psk_client_callback(ctx, dummy_psk); +#endif +#ifndef OPENSSL_NO_SRP + if (srp) + SSL_CTX_set_srp_client_pwd_callback(ctx, dummy_srp); +#endif + if (ciphers != NULL) { + if (!SSL_CTX_set_cipher_list(ctx, ciphers)) { + BIO_printf(bio_err, "Error in cipher list\n"); + goto err; + } + } + ssl = SSL_new(ctx); + if (ssl == NULL) + goto err; + + if (use_supported) + sk = SSL_get1_supported_ciphers(ssl); + else + sk = SSL_get_ciphers(ssl); + + if (!verbose) { + for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); + p = SSL_CIPHER_get_name(c); + if (p == NULL) + break; + if (i != 0) + BIO_printf(bio_out, ":"); + BIO_printf(bio_out, "%s", p); + } + BIO_printf(bio_out, "\n"); + } else { + + for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + const SSL_CIPHER *c; + + c = sk_SSL_CIPHER_value(sk, i); + + if (Verbose) { + unsigned long id = SSL_CIPHER_get_id(c); + int id0 = (int)(id >> 24); + int id1 = (int)((id >> 16) & 0xffL); + int id2 = (int)((id >> 8) & 0xffL); + int id3 = (int)(id & 0xffL); + + if ((id & 0xff000000L) == 0x03000000L) + BIO_printf(bio_out, " 0x%02X,0x%02X - ", id2, id3); /* SSL3 + * cipher */ + else + BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */ + } +#ifndef OPENSSL_NO_SSL_TRACE + if (stdname) { + const char *nm = SSL_CIPHER_standard_name(c); + if (nm == NULL) + nm = "UNKNOWN"; + BIO_printf(bio_out, "%s - ", nm); + } +#endif + BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof(buf))); + } + } + + ret = 0; + goto end; + err: + ERR_print_errors(bio_err); + end: + if (use_supported) + sk_SSL_CIPHER_free(sk); + SSL_CTX_free(ctx); + SSL_free(ssl); + return (ret); +} diff --git a/openssl-1.1.0h/apps/client.pem b/openssl-1.1.0h/apps/client.pem new file mode 100644 index 0000000..e7a47a7 --- /dev/null +++ b/openssl-1.1.0h/apps/client.pem @@ -0,0 +1,52 @@ +subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Client Cert +issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA +-----BEGIN CERTIFICATE----- +MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6yMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU +RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgQ2xpZW50IENlcnQw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ranbHRLcLVqN+0BzcZpY ++yOLqxzDWT1LD9eW1stC4NzXX9/DCtSIVyN7YIHdGLrIPr64IDdXXaMRzgZ2rOKs +lmHCAiFpO/ja99gGCJRxH0xwQatqAULfJVHeUhs7OEGOZc2nWifjqKvGfNTilP7D +nwi69ipQFq9oS19FmhwVHk2wg7KZGHI1qDyG04UrfCZMRitvS9+UVhPpIPjuiBi2 +x3/FZIpL5gXJvvFK6xHY63oq2asyzBATntBgnP4qJFWWcvRx24wF1PnZabxuVoL2 +bPnQ/KvONDrw3IdqkKhYNTul7jEcu3OlcZIMw+7DiaKJLAzKb/bBF5gm/pwW6As9 +AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI +AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW +BBSZHKyLoTh7Mb409Zn/mK1ceSDAjDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49 +hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAD0mL7PtPYgCEuDyOQSbLpeND5hVS +curxQdGnrJ6Acrhodb7E9ccATokeb0PLx6HBLQUicxhTZIQ9FbO43YkQcOU6C3BB +IlwskqmtN6+VmrQzNolHCDzvxNZs9lYL2VbGPGqVRyjZeHpoAlf9cQr8PgDb4d4b +vUx2KAhHQvV2nkmYvKyXcgnRuHggumF87mkxidriGAEFwH4qfOqetUg64WyxP7P2 +QLipm04SyQa7ONtIApfVXgHcE42Py4/f4arzCzMjKe3VyhGkS7nsT55X/fWgTaRm +CQPkO+H94P958WTvQDt77bQ+D3IvYaVvfil8n6HJMOJfFT0LJuSUbpSXJg== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEAtK2p2x0S3C1ajftAc3GaWPsji6scw1k9Sw/XltbLQuDc11/f +wwrUiFcje2CB3Ri6yD6+uCA3V12jEc4GdqzirJZhwgIhaTv42vfYBgiUcR9McEGr +agFC3yVR3lIbOzhBjmXNp1on46irxnzU4pT+w58IuvYqUBavaEtfRZocFR5NsIOy +mRhyNag8htOFK3wmTEYrb0vflFYT6SD47ogYtsd/xWSKS+YFyb7xSusR2Ot6Ktmr +MswQE57QYJz+KiRVlnL0cduMBdT52Wm8blaC9mz50PyrzjQ68NyHapCoWDU7pe4x +HLtzpXGSDMPuw4miiSwMym/2wReYJv6cFugLPQIDAQABAoIBAAZOyc9MhIwLSU4L +p4RgQvM4UVVe8/Id+3XTZ8NsXExJbWxXfIhiqGjaIfL8u4vsgRjcl+v1s/jo2/iT +KMab4o4D8gXD7UavQVDjtjb/ta79WL3SjRl2Uc9YjjMkyq6WmDNQeo2NKDdafCTB +1uzSJtLNipB8Z53ELPuHJhxX9QMHrMnuha49riQgXZ7buP9iQrHJFhImBjSzbxJx +L+TI6rkyLSf9Wi0Pd3L27Ob3QWNfNRYNSeTE+08eSRChkur5W0RuXAcuAICdQlCl +LBvWO/LmmvbzCqiDcgy/TliSb6CGGwgiNG7LJZmlkYNj8laGwalNlYZs3UrVv6NO +Br2loAECgYEA2kvCvPGj0Dg/6g7WhXDvAkEbcaL1tSeCxBbNH+6HS2UWMWvyTtCn +/bbD519QIdkvayy1QjEf32GV/UjUVmlULMLBcDy0DGjtL3+XpIhLKWDNxN1v1/ai +1oz23ZJCOgnk6K4qtFtlRS1XtynjA+rBetvYvLP9SKeFrnpzCgaA2r0CgYEA0+KX +1ACXDTNH5ySX3kMjSS9xdINf+OOw4CvPHFwbtc9aqk2HePlEsBTz5I/W3rKwXva3 +NqZ/bRqVVeZB/hHKFywgdUQk2Uc5z/S7Lw70/w1HubNTXGU06Ngb6zOFAo/o/TwZ +zTP1BMIKSOB6PAZPS3l+aLO4FRIRotfFhgRHOoECgYEAmiZbqt8cJaJDB/5YYDzC +mp3tSk6gIb936Q6M5VqkMYp9pIKsxhk0N8aDCnTU+kIK6SzWBpr3/d9Ecmqmfyq7 +5SvWO3KyVf0WWK9KH0abhOm2BKm2HBQvI0DB5u8sUx2/hsvOnjPYDISbZ11t0MtK +u35Zy89yMYcSsIYJjG/ROCUCgYEAgI2P9G5PNxEP5OtMwOsW84Y3Xat/hPAQFlI+ +HES+AzbFGWJkeT8zL2nm95tVkFP1sggZ7Kxjz3w7cpx7GX0NkbWSE9O+T51pNASV +tN1sQ3p5M+/a+cnlqgfEGJVvc7iAcXQPa3LEi5h2yPR49QYXAgG6cifn3dDSpmwn +SUI7PQECgYEApGCIIpSRPLAEHTGmP87RBL1smurhwmy2s/pghkvUkWehtxg0sGHh +kuaqDWcskogv+QC0sVdytiLSz8G0DwcEcsHK1Fkyb8A+ayiw6jWJDo2m9+IF4Fww +1Te6jFPYDESnbhq7+TLGgHGhtwcu5cnb4vSuYXGXKupZGzoLOBbv1Zw= +-----END RSA PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/cms.c b/openssl-1.1.0h/apps/cms.c new file mode 100644 index 0000000..640f92e --- /dev/null +++ b/openssl-1.1.0h/apps/cms.c @@ -0,0 +1,1298 @@ +/* + * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* CMS utility function */ + +#include +#include +#include "apps.h" + +#ifndef OPENSSL_NO_CMS + +# include +# include +# include +# include +# include +# include + +static int save_certs(char *signerfile, STACK_OF(X509) *signers); +static int cms_cb(int ok, X509_STORE_CTX *ctx); +static void receipt_request_print(CMS_ContentInfo *cms); +static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) + *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) + *rr_from); +static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, + STACK_OF(OPENSSL_STRING) *param); + +# define SMIME_OP 0x10 +# define SMIME_IP 0x20 +# define SMIME_SIGNERS 0x40 +# define SMIME_ENCRYPT (1 | SMIME_OP) +# define SMIME_DECRYPT (2 | SMIME_IP) +# define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) +# define SMIME_VERIFY (4 | SMIME_IP) +# define SMIME_CMSOUT (5 | SMIME_IP | SMIME_OP) +# define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) +# define SMIME_DATAOUT (7 | SMIME_IP) +# define SMIME_DATA_CREATE (8 | SMIME_OP) +# define SMIME_DIGEST_VERIFY (9 | SMIME_IP) +# define SMIME_DIGEST_CREATE (10 | SMIME_OP) +# define SMIME_UNCOMPRESS (11 | SMIME_IP) +# define SMIME_COMPRESS (12 | SMIME_OP) +# define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP) +# define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP) +# define SMIME_SIGN_RECEIPT (15 | SMIME_IP | SMIME_OP) +# define SMIME_VERIFY_RECEIPT (16 | SMIME_IP) + +static int verify_err = 0; + +typedef struct cms_key_param_st cms_key_param; + +struct cms_key_param_st { + int idx; + STACK_OF(OPENSSL_STRING) *param; + cms_key_param *next; +}; + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, + OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN, + OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, + OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, + OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, + OPT_ED_DECRYPT, OPT_ED_ENCRYPT, OPT_DEBUG_DECRYPT, OPT_TEXT, + OPT_ASCIICRLF, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCERTS, + OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_KEYID, + OPT_NOSIGS, OPT_NO_CONTENT_VERIFY, OPT_NO_ATTR_VERIFY, OPT_INDEF, + OPT_NOINDEF, OPT_CRLFEOL, OPT_NOOUT, OPT_RR_PRINT, + OPT_RR_ALL, OPT_RR_FIRST, OPT_RCTFORM, OPT_CERTFILE, OPT_CAFILE, + OPT_CAPATH, OPT_NOCAPATH, OPT_NOCAFILE,OPT_CONTENT, OPT_PRINT, + OPT_SECRETKEY, OPT_SECRETKEYID, OPT_PWRI_PASSWORD, OPT_ECONTENT_TYPE, + OPT_RAND, OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, + OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM, + OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP, + OPT_3DES_WRAP, OPT_ENGINE, + OPT_V_ENUM, + OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS cms_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, + {OPT_HELP_STR, 1, '-', + " cert.pem... recipient certs for encryption\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, + {"outform", OPT_OUTFORM, 'c', + "Output format SMIME (default), PEM or DER"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, + {"sign", OPT_SIGN, '-', "Sign message"}, + {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"}, + {"resign", OPT_RESIGN, '-', "Resign a signed message"}, + {"verify", OPT_VERIFY, '-', "Verify signed message"}, + {"verify_retcode", OPT_VERIFY_RETCODE, '-'}, + {"verify_receipt", OPT_VERIFY_RECEIPT, '<'}, + {"cmsout", OPT_CMSOUT, '-', "Output CMS structure"}, + {"data_out", OPT_DATA_OUT, '-'}, + {"data_create", OPT_DATA_CREATE, '-'}, + {"digest_verify", OPT_DIGEST_VERIFY, '-'}, + {"digest_create", OPT_DIGEST_CREATE, '-'}, + {"compress", OPT_COMPRESS, '-'}, + {"uncompress", OPT_UNCOMPRESS, '-'}, + {"EncryptedData_decrypt", OPT_ED_DECRYPT, '-'}, + {"EncryptedData_encrypt", OPT_ED_ENCRYPT, '-'}, + {"debug_decrypt", OPT_DEBUG_DECRYPT, '-'}, + {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, + {"asciicrlf", OPT_ASCIICRLF, '-'}, + {"nointern", OPT_NOINTERN, '-', + "Don't search certificates in message for signer"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, + {"nocerts", OPT_NOCERTS, '-', + "Don't include signers certificate when signing"}, + {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, + {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, + {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, + {"binary", OPT_BINARY, '-', "Don't translate message to text"}, + {"keyid", OPT_KEYID, '-', "Use subject key identifier"}, + {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, + {"no_content_verify", OPT_NO_CONTENT_VERIFY, '-'}, + {"no_attr_verify", OPT_NO_ATTR_VERIFY, '-'}, + {"stream", OPT_INDEF, '-', "Enable CMS streaming"}, + {"indef", OPT_INDEF, '-', "Same as -stream"}, + {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, + {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only" }, + {"noout", OPT_NOOUT, '-', "For the -cmsout operation do not output the parsed CMS structure"}, + {"receipt_request_print", OPT_RR_PRINT, '-', "Print CMS Receipt Request" }, + {"receipt_request_all", OPT_RR_ALL, '-'}, + {"receipt_request_first", OPT_RR_FIRST, '-'}, + {"rctform", OPT_RCTFORM, 'F', "Receipt file format"}, + {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"CApath", OPT_CAPATH, '/', "trusted certificates directory"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"content", OPT_CONTENT, '<', + "Supply or override content for detached signature"}, + {"print", OPT_PRINT, '-', + "For the -cmsout operation print out all fields of the CMS structure"}, + {"secretkey", OPT_SECRETKEY, 's'}, + {"secretkeyid", OPT_SECRETKEYID, 's'}, + {"pwri_password", OPT_PWRI_PASSWORD, 's'}, + {"econtent_type", OPT_ECONTENT_TYPE, 's'}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"to", OPT_TO, 's', "To address"}, + {"from", OPT_FROM, 's', "From address"}, + {"subject", OPT_SUBJECT, 's', "Subject"}, + {"signer", OPT_SIGNER, 's', "Signer certificate file"}, + {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"}, + {"certsout", OPT_CERTSOUT, '>', "Certificate output file"}, + {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, + {"inkey", OPT_INKEY, 's', + "Input private key (if not signer or recipient)"}, + {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, + {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"}, + {"receipt_request_from", OPT_RR_FROM, 's'}, + {"receipt_request_to", OPT_RR_TO, 's'}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, + OPT_V_OPTIONS, + {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"}, + {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"}, + {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"}, +# ifndef OPENSSL_NO_DES + {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"}, +# endif +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + {NULL} +}; + +int cms_main(int argc, char **argv) +{ + ASN1_OBJECT *econtent_type = NULL; + BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL; + CMS_ContentInfo *cms = NULL, *rcms = NULL; + CMS_ReceiptRequest *rr = NULL; + ENGINE *e = NULL; + EVP_PKEY *key = NULL; + const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL; + const EVP_MD *sign_md = NULL; + STACK_OF(OPENSSL_STRING) *rr_to = NULL, *rr_from = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; + STACK_OF(X509) *encerts = NULL, *other = NULL; + X509 *cert = NULL, *recip = NULL, *signer = NULL; + X509_STORE *store = NULL; + X509_VERIFY_PARAM *vpm = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile = NULL; + const char *CAfile = NULL, *CApath = NULL; + char *certsoutfile = NULL; + int noCAfile = 0, noCApath = 0; + char *infile = NULL, *outfile = NULL, *rctfile = NULL, *inrand = NULL; + char *passinarg = NULL, *passin = NULL, *signerfile = NULL, *recipfile = + NULL; + char *to = NULL, *from = NULL, *subject = NULL, *prog; + cms_key_param *key_first = NULL, *key_param = NULL; + int flags = CMS_DETACHED, noout = 0, print = 0, keyidx = -1, vpmtouched = + 0; + int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; + int need_rand = 0, operation = 0, ret = 1, rr_print = 0, rr_allorfirst = + -1; + int verify_retcode = 0, rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; + size_t secret_keylen = 0, secret_keyidlen = 0; + unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; + unsigned char *secret_key = NULL, *secret_keyid = NULL; + long ltmp; + const char *mime_eol = "\n"; + OPTION_CHOICE o; + + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; + + prog = opt_init(argc, argv, cms_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(cms_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENCRYPT: + operation = SMIME_ENCRYPT; + break; + case OPT_DECRYPT: + operation = SMIME_DECRYPT; + break; + case OPT_SIGN: + operation = SMIME_SIGN; + break; + case OPT_SIGN_RECEIPT: + operation = SMIME_SIGN_RECEIPT; + break; + case OPT_RESIGN: + operation = SMIME_RESIGN; + break; + case OPT_VERIFY: + operation = SMIME_VERIFY; + break; + case OPT_VERIFY_RETCODE: + verify_retcode = 1; + break; + case OPT_VERIFY_RECEIPT: + operation = SMIME_VERIFY_RECEIPT; + rctfile = opt_arg(); + break; + case OPT_CMSOUT: + operation = SMIME_CMSOUT; + break; + case OPT_DATA_OUT: + operation = SMIME_DATAOUT; + break; + case OPT_DATA_CREATE: + operation = SMIME_DATA_CREATE; + break; + case OPT_DIGEST_VERIFY: + operation = SMIME_DIGEST_VERIFY; + break; + case OPT_DIGEST_CREATE: + operation = SMIME_DIGEST_CREATE; + break; + case OPT_COMPRESS: + operation = SMIME_COMPRESS; + break; + case OPT_UNCOMPRESS: + operation = SMIME_UNCOMPRESS; + break; + case OPT_ED_DECRYPT: + operation = SMIME_ENCRYPTED_DECRYPT; + break; + case OPT_ED_ENCRYPT: + operation = SMIME_ENCRYPTED_ENCRYPT; + break; + case OPT_DEBUG_DECRYPT: + flags |= CMS_DEBUG_DECRYPT; + break; + case OPT_TEXT: + flags |= CMS_TEXT; + break; + case OPT_ASCIICRLF: + flags |= CMS_ASCIICRLF; + break; + case OPT_NOINTERN: + flags |= CMS_NOINTERN; + break; + case OPT_NOVERIFY: + flags |= CMS_NO_SIGNER_CERT_VERIFY; + break; + case OPT_NOCERTS: + flags |= CMS_NOCERTS; + break; + case OPT_NOATTR: + flags |= CMS_NOATTR; + break; + case OPT_NODETACH: + flags &= ~CMS_DETACHED; + break; + case OPT_NOSMIMECAP: + flags |= CMS_NOSMIMECAP; + break; + case OPT_BINARY: + flags |= CMS_BINARY; + break; + case OPT_KEYID: + flags |= CMS_USE_KEYID; + break; + case OPT_NOSIGS: + flags |= CMS_NOSIGS; + break; + case OPT_NO_CONTENT_VERIFY: + flags |= CMS_NO_CONTENT_VERIFY; + break; + case OPT_NO_ATTR_VERIFY: + flags |= CMS_NO_ATTR_VERIFY; + break; + case OPT_INDEF: + flags |= CMS_STREAM; + break; + case OPT_NOINDEF: + flags &= ~CMS_STREAM; + break; + case OPT_CRLFEOL: + mime_eol = "\r\n"; + flags |= CMS_CRLFEOL; + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_RR_PRINT: + rr_print = 1; + break; + case OPT_RR_ALL: + rr_allorfirst = 0; + break; + case OPT_RR_FIRST: + rr_allorfirst = 1; + break; + case OPT_RCTFORM: + if (rctformat == FORMAT_SMIME) + rcms = SMIME_read_CMS(rctin, NULL); + else if (rctformat == FORMAT_PEM) + rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); + else if (rctformat == FORMAT_ASN1) + if (!opt_format(opt_arg(), + OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat)) + goto opthelp; + break; + case OPT_CERTFILE: + certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_CONTENT: + contfile = opt_arg(); + break; + case OPT_RR_FROM: + if (rr_from == NULL + && (rr_from = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(rr_from, opt_arg()); + break; + case OPT_RR_TO: + if (rr_to == NULL + && (rr_to = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(rr_to, opt_arg()); + break; + case OPT_PRINT: + noout = print = 1; + break; + case OPT_SECRETKEY: + if (secret_key != NULL) { + BIO_printf(bio_err, "Invalid key (supplied twice) %s\n", + opt_arg()); + goto opthelp; + } + secret_key = OPENSSL_hexstr2buf(opt_arg(), <mp); + if (secret_key == NULL) { + BIO_printf(bio_err, "Invalid key %s\n", opt_arg()); + goto end; + } + secret_keylen = (size_t)ltmp; + break; + case OPT_SECRETKEYID: + if (secret_keyid != NULL) { + BIO_printf(bio_err, "Invalid id (supplied twice) %s\n", + opt_arg()); + goto opthelp; + } + secret_keyid = OPENSSL_hexstr2buf(opt_arg(), <mp); + if (secret_keyid == NULL) { + BIO_printf(bio_err, "Invalid id %s\n", opt_arg()); + goto opthelp; + } + secret_keyidlen = (size_t)ltmp; + break; + case OPT_PWRI_PASSWORD: + pwri_pass = (unsigned char *)opt_arg(); + break; + case OPT_ECONTENT_TYPE: + if (econtent_type != NULL) { + BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n", + opt_arg()); + goto opthelp; + } + econtent_type = OBJ_txt2obj(opt_arg(), 0); + if (econtent_type == NULL) { + BIO_printf(bio_err, "Invalid OID %s\n", opt_arg()); + goto opthelp; + } + break; + case OPT_RAND: + inrand = opt_arg(); + need_rand = 1; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_TO: + to = opt_arg(); + break; + case OPT_FROM: + from = opt_arg(); + break; + case OPT_SUBJECT: + subject = opt_arg(); + break; + case OPT_CERTSOUT: + certsoutfile = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_arg(), &sign_md)) + goto end; + break; + case OPT_SIGNER: + /* If previous -signer argument add signer to list */ + if (signerfile) { + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(sksigners, signerfile); + if (keyfile == NULL) + keyfile = signerfile; + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(skkeys, keyfile); + keyfile = NULL; + } + signerfile = opt_arg(); + break; + case OPT_INKEY: + /* If previous -inkey argument add signer to list */ + if (keyfile) { + if (signerfile == NULL) { + BIO_puts(bio_err, "Illegal -inkey without -signer\n"); + goto end; + } + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(sksigners, signerfile); + signerfile = NULL; + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(skkeys, keyfile); + } + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) + goto opthelp; + break; + case OPT_RECIP: + if (operation == SMIME_ENCRYPT) { + if (encerts == NULL && (encerts = sk_X509_new_null()) == NULL) + goto end; + cert = load_cert(opt_arg(), FORMAT_PEM, + "recipient certificate file"); + if (cert == NULL) + goto end; + sk_X509_push(encerts, cert); + cert = NULL; + } else + recipfile = opt_arg(); + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &cipher)) + goto end; + break; + case OPT_KEYOPT: + keyidx = -1; + if (operation == SMIME_ENCRYPT) { + if (encerts) + keyidx += sk_X509_num(encerts); + } else { + if (keyfile || signerfile) + keyidx++; + if (skkeys) + keyidx += sk_OPENSSL_STRING_num(skkeys); + } + if (keyidx < 0) { + BIO_printf(bio_err, "No key specified\n"); + goto opthelp; + } + if (key_param == NULL || key_param->idx != keyidx) { + cms_key_param *nparam; + nparam = app_malloc(sizeof(*nparam), "key param buffer"); + nparam->idx = keyidx; + if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + nparam->next = NULL; + if (key_first == NULL) + key_first = nparam; + else + key_param->next = nparam; + key_param = nparam; + } + sk_OPENSSL_STRING_push(key_param->param, opt_arg()); + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; + case OPT_3DES_WRAP: +# ifndef OPENSSL_NO_DES + wrap_cipher = EVP_des_ede3_wrap(); +# endif + break; + case OPT_AES128_WRAP: + wrap_cipher = EVP_aes_128_wrap(); + break; + case OPT_AES192_WRAP: + wrap_cipher = EVP_aes_192_wrap(); + break; + case OPT_AES256_WRAP: + wrap_cipher = EVP_aes_256_wrap(); + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (((rr_allorfirst != -1) || rr_from) && !rr_to) { + BIO_puts(bio_err, "No Signed Receipts Recipients\n"); + goto opthelp; + } + + if (!(operation & SMIME_SIGNERS) && (rr_to || rr_from)) { + BIO_puts(bio_err, "Signed receipts only allowed with -sign\n"); + goto opthelp; + } + if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { + BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); + goto opthelp; + } + + if (operation & SMIME_SIGNERS) { + if (keyfile && !signerfile) { + BIO_puts(bio_err, "Illegal -inkey without -signer\n"); + goto opthelp; + } + /* Check to see if any final signer needs to be appended */ + if (signerfile) { + if (!sksigners + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!keyfile) + keyfile = signerfile; + sk_OPENSSL_STRING_push(skkeys, keyfile); + } + if (!sksigners) { + BIO_printf(bio_err, "No signer certificate specified\n"); + goto opthelp; + } + signerfile = NULL; + keyfile = NULL; + need_rand = 1; + } + + else if (operation == SMIME_DECRYPT) { + if (!recipfile && !keyfile && !secret_key && !pwri_pass) { + BIO_printf(bio_err, + "No recipient certificate or key specified\n"); + goto opthelp; + } + } else if (operation == SMIME_ENCRYPT) { + if (*argv == NULL && !secret_key && !pwri_pass && !encerts) { + BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); + goto opthelp; + } + need_rand = 1; + } else if (!operation) + goto opthelp; + + if (!app_passwd(passinarg, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + if (need_rand) { + app_RAND_load_file(NULL, (inrand != NULL)); + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + } + + ret = 2; + + if (!(operation & SMIME_SIGNERS)) + flags &= ~CMS_DETACHED; + + if (!(operation & SMIME_OP)) { + if (flags & CMS_BINARY) + outformat = FORMAT_BINARY; + } + + if (!(operation & SMIME_IP)) { + if (flags & CMS_BINARY) + informat = FORMAT_BINARY; + } + + if (operation == SMIME_ENCRYPT) { + if (!cipher) { +# ifndef OPENSSL_NO_DES + cipher = EVP_des_ede3_cbc(); +# else + BIO_printf(bio_err, "No cipher selected\n"); + goto end; +# endif + } + + if (secret_key && !secret_keyid) { + BIO_printf(bio_err, "No secret key id\n"); + goto end; + } + + if (*argv && !encerts) + if ((encerts = sk_X509_new_null()) == NULL) + goto end; + while (*argv) { + if ((cert = load_cert(*argv, FORMAT_PEM, + "recipient certificate file")) == NULL) + goto end; + sk_X509_push(encerts, cert); + cert = NULL; + argv++; + } + } + + if (certfile) { + if (!load_certs(certfile, &other, FORMAT_PEM, NULL, + "certificate file")) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (recipfile && (operation == SMIME_DECRYPT)) { + if ((recip = load_cert(recipfile, FORMAT_PEM, + "recipient certificate file")) == NULL) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (operation == SMIME_SIGN_RECEIPT) { + if ((signer = load_cert(signerfile, FORMAT_PEM, + "receipt signer certificate file")) == NULL) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (operation == SMIME_DECRYPT) { + if (!keyfile) + keyfile = recipfile; + } else if ((operation == SMIME_SIGN) || (operation == SMIME_SIGN_RECEIPT)) { + if (!keyfile) + keyfile = signerfile; + } else + keyfile = NULL; + + if (keyfile) { + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); + if (!key) + goto end; + } + + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + + if (operation & SMIME_IP) { + if (informat == FORMAT_SMIME) + cms = SMIME_read_CMS(in, &indata); + else if (informat == FORMAT_PEM) + cms = PEM_read_bio_CMS(in, NULL, NULL, NULL); + else if (informat == FORMAT_ASN1) + cms = d2i_CMS_bio(in, NULL); + else { + BIO_printf(bio_err, "Bad input format for CMS file\n"); + goto end; + } + + if (!cms) { + BIO_printf(bio_err, "Error reading S/MIME message\n"); + goto end; + } + if (contfile) { + BIO_free(indata); + if ((indata = BIO_new_file(contfile, "rb")) == NULL) { + BIO_printf(bio_err, "Can't read content file %s\n", contfile); + goto end; + } + } + if (certsoutfile) { + STACK_OF(X509) *allcerts; + allcerts = CMS_get1_certs(cms); + if (!save_certs(certsoutfile, allcerts)) { + BIO_printf(bio_err, + "Error writing certs to %s\n", certsoutfile); + ret = 5; + goto end; + } + sk_X509_pop_free(allcerts, X509_free); + } + } + + if (rctfile) { + char *rctmode = (rctformat == FORMAT_ASN1) ? "rb" : "r"; + if ((rctin = BIO_new_file(rctfile, rctmode)) == NULL) { + BIO_printf(bio_err, "Can't open receipt file %s\n", rctfile); + goto end; + } + + if (rctformat == FORMAT_SMIME) + rcms = SMIME_read_CMS(rctin, NULL); + else if (rctformat == FORMAT_PEM) + rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL); + else if (rctformat == FORMAT_ASN1) + rcms = d2i_CMS_bio(rctin, NULL); + else { + BIO_printf(bio_err, "Bad input format for receipt\n"); + goto end; + } + + if (!rcms) { + BIO_printf(bio_err, "Error reading receipt\n"); + goto end; + } + } + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + + if ((operation == SMIME_VERIFY) || (operation == SMIME_VERIFY_RECEIPT)) { + if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) + goto end; + X509_STORE_set_verify_cb(store, cms_cb); + if (vpmtouched) + X509_STORE_set1_param(store, vpm); + } + + ret = 3; + + if (operation == SMIME_DATA_CREATE) { + cms = CMS_data_create(in, flags); + } else if (operation == SMIME_DIGEST_CREATE) { + cms = CMS_digest_create(in, sign_md, flags); + } else if (operation == SMIME_COMPRESS) { + cms = CMS_compress(in, -1, flags); + } else if (operation == SMIME_ENCRYPT) { + int i; + flags |= CMS_PARTIAL; + cms = CMS_encrypt(NULL, in, cipher, flags); + if (!cms) + goto end; + for (i = 0; i < sk_X509_num(encerts); i++) { + CMS_RecipientInfo *ri; + cms_key_param *kparam; + int tflags = flags; + X509 *x = sk_X509_value(encerts, i); + for (kparam = key_first; kparam; kparam = kparam->next) { + if (kparam->idx == i) { + tflags |= CMS_KEY_PARAM; + break; + } + } + ri = CMS_add1_recipient_cert(cms, x, tflags); + if (!ri) + goto end; + if (kparam) { + EVP_PKEY_CTX *pctx; + pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + if (!cms_set_pkey_param(pctx, kparam->param)) + goto end; + } + if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE + && wrap_cipher) { + EVP_CIPHER_CTX *wctx; + wctx = CMS_RecipientInfo_kari_get0_ctx(ri); + EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL); + } + } + + if (secret_key) { + if (!CMS_add0_recipient_key(cms, NID_undef, + secret_key, secret_keylen, + secret_keyid, secret_keyidlen, + NULL, NULL, NULL)) + goto end; + /* NULL these because call absorbs them */ + secret_key = NULL; + secret_keyid = NULL; + } + if (pwri_pass) { + pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass); + if (!pwri_tmp) + goto end; + if (!CMS_add0_recipient_password(cms, + -1, NID_undef, NID_undef, + pwri_tmp, -1, NULL)) + goto end; + pwri_tmp = NULL; + } + if (!(flags & CMS_STREAM)) { + if (!CMS_final(cms, in, NULL, flags)) + goto end; + } + } else if (operation == SMIME_ENCRYPTED_ENCRYPT) { + cms = CMS_EncryptedData_encrypt(in, cipher, + secret_key, secret_keylen, flags); + + } else if (operation == SMIME_SIGN_RECEIPT) { + CMS_ContentInfo *srcms = NULL; + STACK_OF(CMS_SignerInfo) *sis; + CMS_SignerInfo *si; + sis = CMS_get0_SignerInfos(cms); + if (!sis) + goto end; + si = sk_CMS_SignerInfo_value(sis, 0); + srcms = CMS_sign_receipt(si, signer, key, other, flags); + if (!srcms) + goto end; + CMS_ContentInfo_free(cms); + cms = srcms; + } else if (operation & SMIME_SIGNERS) { + int i; + /* + * If detached data content we enable streaming if S/MIME output + * format. + */ + if (operation == SMIME_SIGN) { + + if (flags & CMS_DETACHED) { + if (outformat == FORMAT_SMIME) + flags |= CMS_STREAM; + } + flags |= CMS_PARTIAL; + cms = CMS_sign(NULL, NULL, other, in, flags); + if (!cms) + goto end; + if (econtent_type) + CMS_set1_eContentType(cms, econtent_type); + + if (rr_to) { + rr = make_receipt_request(rr_to, rr_allorfirst, rr_from); + if (!rr) { + BIO_puts(bio_err, + "Signed Receipt Request Creation Error\n"); + goto end; + } + } + } else + flags |= CMS_REUSE_DIGEST; + for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { + CMS_SignerInfo *si; + cms_key_param *kparam; + int tflags = flags; + signerfile = sk_OPENSSL_STRING_value(sksigners, i); + keyfile = sk_OPENSSL_STRING_value(skkeys, i); + + signer = load_cert(signerfile, FORMAT_PEM, "signer certificate"); + if (!signer) { + ret = 2; + goto end; + } + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); + if (!key) { + ret = 2; + goto end; + } + for (kparam = key_first; kparam; kparam = kparam->next) { + if (kparam->idx == i) { + tflags |= CMS_KEY_PARAM; + break; + } + } + si = CMS_add1_signer(cms, signer, key, sign_md, tflags); + if (!si) + goto end; + if (kparam) { + EVP_PKEY_CTX *pctx; + pctx = CMS_SignerInfo_get0_pkey_ctx(si); + if (!cms_set_pkey_param(pctx, kparam->param)) + goto end; + } + if (rr && !CMS_add1_ReceiptRequest(si, rr)) + goto end; + X509_free(signer); + signer = NULL; + EVP_PKEY_free(key); + key = NULL; + } + /* If not streaming or resigning finalize structure */ + if ((operation == SMIME_SIGN) && !(flags & CMS_STREAM)) { + if (!CMS_final(cms, in, NULL, flags)) + goto end; + } + } + + if (!cms) { + BIO_printf(bio_err, "Error creating CMS structure\n"); + goto end; + } + + ret = 4; + if (operation == SMIME_DECRYPT) { + if (flags & CMS_DEBUG_DECRYPT) + CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); + + if (secret_key) { + if (!CMS_decrypt_set1_key(cms, + secret_key, secret_keylen, + secret_keyid, secret_keyidlen)) { + BIO_puts(bio_err, "Error decrypting CMS using secret key\n"); + goto end; + } + } + + if (key) { + if (!CMS_decrypt_set1_pkey(cms, key, recip)) { + BIO_puts(bio_err, "Error decrypting CMS using private key\n"); + goto end; + } + } + + if (pwri_pass) { + if (!CMS_decrypt_set1_password(cms, pwri_pass, -1)) { + BIO_puts(bio_err, "Error decrypting CMS using password\n"); + goto end; + } + } + + if (!CMS_decrypt(cms, NULL, NULL, indata, out, flags)) { + BIO_printf(bio_err, "Error decrypting CMS structure\n"); + goto end; + } + } else if (operation == SMIME_DATAOUT) { + if (!CMS_data(cms, out, flags)) + goto end; + } else if (operation == SMIME_UNCOMPRESS) { + if (!CMS_uncompress(cms, indata, out, flags)) + goto end; + } else if (operation == SMIME_DIGEST_VERIFY) { + if (CMS_digest_verify(cms, indata, out, flags) > 0) + BIO_printf(bio_err, "Verification successful\n"); + else { + BIO_printf(bio_err, "Verification failure\n"); + goto end; + } + } else if (operation == SMIME_ENCRYPTED_DECRYPT) { + if (!CMS_EncryptedData_decrypt(cms, secret_key, secret_keylen, + indata, out, flags)) + goto end; + } else if (operation == SMIME_VERIFY) { + if (CMS_verify(cms, other, store, indata, out, flags) > 0) + BIO_printf(bio_err, "Verification successful\n"); + else { + BIO_printf(bio_err, "Verification failure\n"); + if (verify_retcode) + ret = verify_err + 32; + goto end; + } + if (signerfile) { + STACK_OF(X509) *signers; + signers = CMS_get0_signers(cms); + if (!save_certs(signerfile, signers)) { + BIO_printf(bio_err, + "Error writing signers to %s\n", signerfile); + ret = 5; + goto end; + } + sk_X509_free(signers); + } + if (rr_print) + receipt_request_print(cms); + + } else if (operation == SMIME_VERIFY_RECEIPT) { + if (CMS_verify_receipt(rcms, cms, other, store, flags) > 0) + BIO_printf(bio_err, "Verification successful\n"); + else { + BIO_printf(bio_err, "Verification failure\n"); + goto end; + } + } else { + if (noout) { + if (print) + CMS_ContentInfo_print_ctx(out, cms, 0, NULL); + } else if (outformat == FORMAT_SMIME) { + if (to) + BIO_printf(out, "To: %s%s", to, mime_eol); + if (from) + BIO_printf(out, "From: %s%s", from, mime_eol); + if (subject) + BIO_printf(out, "Subject: %s%s", subject, mime_eol); + if (operation == SMIME_RESIGN) + ret = SMIME_write_CMS(out, cms, indata, flags); + else + ret = SMIME_write_CMS(out, cms, in, flags); + } else if (outformat == FORMAT_PEM) + ret = PEM_write_bio_CMS_stream(out, cms, in, flags); + else if (outformat == FORMAT_ASN1) + ret = i2d_CMS_bio_stream(out, cms, in, flags); + else { + BIO_printf(bio_err, "Bad output format for CMS file\n"); + goto end; + } + if (ret <= 0) { + ret = 6; + goto end; + } + } + ret = 0; + end: + if (ret) + ERR_print_errors(bio_err); + if (need_rand) + app_RAND_write_file(NULL); + sk_X509_pop_free(encerts, X509_free); + sk_X509_pop_free(other, X509_free); + X509_VERIFY_PARAM_free(vpm); + sk_OPENSSL_STRING_free(sksigners); + sk_OPENSSL_STRING_free(skkeys); + OPENSSL_free(secret_key); + OPENSSL_free(secret_keyid); + OPENSSL_free(pwri_tmp); + ASN1_OBJECT_free(econtent_type); + CMS_ReceiptRequest_free(rr); + sk_OPENSSL_STRING_free(rr_to); + sk_OPENSSL_STRING_free(rr_from); + for (key_param = key_first; key_param;) { + cms_key_param *tparam; + sk_OPENSSL_STRING_free(key_param->param); + tparam = key_param->next; + OPENSSL_free(key_param); + key_param = tparam; + } + X509_STORE_free(store); + X509_free(cert); + X509_free(recip); + X509_free(signer); + EVP_PKEY_free(key); + CMS_ContentInfo_free(cms); + CMS_ContentInfo_free(rcms); + release_engine(e); + BIO_free(rctin); + BIO_free(in); + BIO_free(indata); + BIO_free_all(out); + OPENSSL_free(passin); + return (ret); +} + +static int save_certs(char *signerfile, STACK_OF(X509) *signers) +{ + int i; + BIO *tmp; + if (!signerfile) + return 1; + tmp = BIO_new_file(signerfile, "w"); + if (!tmp) + return 0; + for (i = 0; i < sk_X509_num(signers); i++) + PEM_write_bio_X509(tmp, sk_X509_value(signers, i)); + BIO_free(tmp); + return 1; +} + +/* Minimal callback just to output policy info (if any) */ + +static int cms_cb(int ok, X509_STORE_CTX *ctx) +{ + int error; + + error = X509_STORE_CTX_get_error(ctx); + + verify_err = error; + + if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) + && ((error != X509_V_OK) || (ok != 2))) + return ok; + + policies_print(ctx); + + return ok; + +} + +static void gnames_stack_print(STACK_OF(GENERAL_NAMES) *gns) +{ + STACK_OF(GENERAL_NAME) *gens; + GENERAL_NAME *gen; + int i, j; + + for (i = 0; i < sk_GENERAL_NAMES_num(gns); i++) { + gens = sk_GENERAL_NAMES_value(gns, i); + for (j = 0; j < sk_GENERAL_NAME_num(gens); j++) { + gen = sk_GENERAL_NAME_value(gens, j); + BIO_puts(bio_err, " "); + GENERAL_NAME_print(bio_err, gen); + BIO_puts(bio_err, "\n"); + } + } + return; +} + +static void receipt_request_print(CMS_ContentInfo *cms) +{ + STACK_OF(CMS_SignerInfo) *sis; + CMS_SignerInfo *si; + CMS_ReceiptRequest *rr; + int allorfirst; + STACK_OF(GENERAL_NAMES) *rto, *rlist; + ASN1_STRING *scid; + int i, rv; + sis = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sis); i++) { + si = sk_CMS_SignerInfo_value(sis, i); + rv = CMS_get1_ReceiptRequest(si, &rr); + BIO_printf(bio_err, "Signer %d:\n", i + 1); + if (rv == 0) + BIO_puts(bio_err, " No Receipt Request\n"); + else if (rv < 0) { + BIO_puts(bio_err, " Receipt Request Parse Error\n"); + ERR_print_errors(bio_err); + } else { + const char *id; + int idlen; + CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst, + &rlist, &rto); + BIO_puts(bio_err, " Signed Content ID:\n"); + idlen = ASN1_STRING_length(scid); + id = (const char *)ASN1_STRING_get0_data(scid); + BIO_dump_indent(bio_err, id, idlen, 4); + BIO_puts(bio_err, " Receipts From"); + if (rlist) { + BIO_puts(bio_err, " List:\n"); + gnames_stack_print(rlist); + } else if (allorfirst == 1) + BIO_puts(bio_err, ": First Tier\n"); + else if (allorfirst == 0) + BIO_puts(bio_err, ": All\n"); + else + BIO_printf(bio_err, " Unknown (%d)\n", allorfirst); + BIO_puts(bio_err, " Receipts To:\n"); + gnames_stack_print(rto); + } + CMS_ReceiptRequest_free(rr); + } +} + +static STACK_OF(GENERAL_NAMES) *make_names_stack(STACK_OF(OPENSSL_STRING) *ns) +{ + int i; + STACK_OF(GENERAL_NAMES) *ret; + GENERAL_NAMES *gens = NULL; + GENERAL_NAME *gen = NULL; + ret = sk_GENERAL_NAMES_new_null(); + if (!ret) + goto err; + for (i = 0; i < sk_OPENSSL_STRING_num(ns); i++) { + char *str = sk_OPENSSL_STRING_value(ns, i); + gen = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_EMAIL, str, 0); + if (!gen) + goto err; + gens = GENERAL_NAMES_new(); + if (gens == NULL) + goto err; + if (!sk_GENERAL_NAME_push(gens, gen)) + goto err; + gen = NULL; + if (!sk_GENERAL_NAMES_push(ret, gens)) + goto err; + gens = NULL; + } + + return ret; + + err: + sk_GENERAL_NAMES_pop_free(ret, GENERAL_NAMES_free); + GENERAL_NAMES_free(gens); + GENERAL_NAME_free(gen); + return NULL; +} + +static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING) + *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING) + *rr_from) +{ + STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL; + CMS_ReceiptRequest *rr; + rct_to = make_names_stack(rr_to); + if (!rct_to) + goto err; + if (rr_from) { + rct_from = make_names_stack(rr_from); + if (!rct_from) + goto err; + } else + rct_from = NULL; + rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from, + rct_to); + return rr; + err: + sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free); + return NULL; +} + +static int cms_set_pkey_param(EVP_PKEY_CTX *pctx, + STACK_OF(OPENSSL_STRING) *param) +{ + char *keyopt; + int i; + if (sk_OPENSSL_STRING_num(param) <= 0) + return 1; + for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) { + keyopt = sk_OPENSSL_STRING_value(param, i); + if (pkey_ctrl_string(pctx, keyopt) <= 0) { + BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt); + ERR_print_errors(bio_err); + return 0; + } + } + return 1; +} + +#endif diff --git a/openssl-1.1.0h/apps/crl.c b/openssl-1.1.0h/apps/crl.c new file mode 100644 index 0000000..06b6e5b --- /dev/null +++ b/openssl-1.1.0h/apps/crl.c @@ -0,0 +1,347 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY, + OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT, + OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE, + OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD, + OPT_NOOUT, OPT_NAMEOPT, OPT_MD +} OPTION_CHOICE; + +OPTIONS crl_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format; default PEM"}, + {"in", OPT_IN, '<', "Input file - default stdin"}, + {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"}, + {"out", OPT_OUT, '>', "output file - default stdout"}, + {"keyform", OPT_KEYFORM, 'F', "Private key file format (PEM or ENGINE)"}, + {"key", OPT_KEY, '<', "CRL signing Private key to use"}, + {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, + {"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"}, + {"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"}, + {"noout", OPT_NOOUT, '-', "No CRL output"}, + {"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"}, + {"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"}, + {"badsig", OPT_BADSIG, '-', "Corrupt last byte of loaded CRL signature (for test)" }, + {"gendelta", OPT_GENDELTA, '<', "Other CRL to compare/diff to the Input one"}, + {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"}, + {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"verify", OPT_VERIFY, '-', "Verify CRL signature"}, + {"text", OPT_TEXT, '-', "Print out a text format version"}, + {"hash", OPT_HASH, '-', "Print hash value"}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"", OPT_MD, '-', "Any supported digest"}, +#ifndef OPENSSL_NO_MD5 + {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"}, +#endif + {NULL} +}; + +int crl_main(int argc, char **argv) +{ + X509_CRL *x = NULL; + BIO *out = NULL; + X509_STORE *store = NULL; + X509_STORE_CTX *ctx = NULL; + X509_LOOKUP *lookup = NULL; + X509_OBJECT *xobj = NULL; + EVP_PKEY *pkey; + const EVP_MD *digest = EVP_sha1(); + unsigned long nmflag = 0; + char nmflag_set = 0; + char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL; + const char *CAfile = NULL, *CApath = NULL, *prog; + OPTION_CHOICE o; + int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; + int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0; + int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0; + int i; +#ifndef OPENSSL_NO_MD5 + int hash_old = 0; +#endif + + prog = opt_init(argc, argv, crl_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(crl_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat)) + goto opthelp; + break; + case OPT_KEY: + keyfile = opt_arg(); + break; + case OPT_GENDELTA: + crldiff = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + do_ver = 1; + break; + case OPT_CAFILE: + CAfile = opt_arg(); + do_ver = 1; + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_HASH_OLD: +#ifndef OPENSSL_NO_MD5 + hash_old = ++num; +#endif + break; + case OPT_VERIFY: + do_ver = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_HASH: + hash = ++num; + break; + case OPT_ISSUER: + issuer = ++num; + break; + case OPT_LASTUPDATE: + lastupdate = ++num; + break; + case OPT_NEXTUPDATE: + nextupdate = ++num; + break; + case OPT_NOOUT: + noout = ++num; + break; + case OPT_FINGERPRINT: + fingerprint = ++num; + break; + case OPT_CRLNUMBER: + crlnumber = ++num; + break; + case OPT_BADSIG: + badsig = 1; + break; + case OPT_NAMEOPT: + nmflag_set = 1; + if (!set_name_ex(&nmflag, opt_arg())) + goto opthelp; + break; + case OPT_MD: + if (!opt_md(opt_unknown(), &digest)) + goto opthelp; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (!nmflag_set) + nmflag = XN_FLAG_ONELINE; + + x = load_crl(infile, informat); + if (x == NULL) + goto end; + + if (do_ver) { + if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) + goto end; + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if (lookup == NULL) + goto end; + ctx = X509_STORE_CTX_new(); + if (ctx == NULL || !X509_STORE_CTX_init(ctx, store, NULL, NULL)) { + BIO_printf(bio_err, "Error initialising X509 store\n"); + goto end; + } + + xobj = X509_STORE_CTX_get_obj_by_subject(ctx, X509_LU_X509, + X509_CRL_get_issuer(x)); + if (xobj == NULL) { + BIO_printf(bio_err, "Error getting CRL issuer certificate\n"); + goto end; + } + pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj)); + X509_OBJECT_free(xobj); + if (!pkey) { + BIO_printf(bio_err, "Error getting CRL issuer public key\n"); + goto end; + } + i = X509_CRL_verify(x, pkey); + EVP_PKEY_free(pkey); + if (i < 0) + goto end; + if (i == 0) + BIO_printf(bio_err, "verify failure\n"); + else + BIO_printf(bio_err, "verify OK\n"); + } + + if (crldiff) { + X509_CRL *newcrl, *delta; + if (!keyfile) { + BIO_puts(bio_err, "Missing CRL signing key\n"); + goto end; + } + newcrl = load_crl(crldiff, informat); + if (!newcrl) + goto end; + pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key"); + if (!pkey) { + X509_CRL_free(newcrl); + goto end; + } + delta = X509_CRL_diff(x, newcrl, pkey, digest, 0); + X509_CRL_free(newcrl); + EVP_PKEY_free(pkey); + if (delta) { + X509_CRL_free(x); + x = delta; + } else { + BIO_puts(bio_err, "Error creating delta CRL\n"); + goto end; + } + } + + if (badsig) { + const ASN1_BIT_STRING *sig; + + X509_CRL_get0_signature(x, &sig, NULL); + corrupt_signature(sig); + } + + if (num) { + for (i = 1; i <= num; i++) { + if (issuer == i) { + print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), + nmflag); + } + if (crlnumber == i) { + ASN1_INTEGER *crlnum; + crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL); + BIO_printf(bio_out, "crlNumber="); + if (crlnum) { + i2a_ASN1_INTEGER(bio_out, crlnum); + ASN1_INTEGER_free(crlnum); + } else + BIO_puts(bio_out, ""); + BIO_printf(bio_out, "\n"); + } + if (hash == i) { + BIO_printf(bio_out, "%08lx\n", + X509_NAME_hash(X509_CRL_get_issuer(x))); + } +#ifndef OPENSSL_NO_MD5 + if (hash_old == i) { + BIO_printf(bio_out, "%08lx\n", + X509_NAME_hash_old(X509_CRL_get_issuer(x))); + } +#endif + if (lastupdate == i) { + BIO_printf(bio_out, "lastUpdate="); + ASN1_TIME_print(bio_out, X509_CRL_get0_lastUpdate(x)); + BIO_printf(bio_out, "\n"); + } + if (nextupdate == i) { + BIO_printf(bio_out, "nextUpdate="); + if (X509_CRL_get0_nextUpdate(x)) + ASN1_TIME_print(bio_out, X509_CRL_get0_nextUpdate(x)); + else + BIO_printf(bio_out, "NONE"); + BIO_printf(bio_out, "\n"); + } + if (fingerprint == i) { + int j; + unsigned int n; + unsigned char md[EVP_MAX_MD_SIZE]; + + if (!X509_CRL_digest(x, digest, md, &n)) { + BIO_printf(bio_err, "out of memory\n"); + goto end; + } + BIO_printf(bio_out, "%s Fingerprint=", + OBJ_nid2sn(EVP_MD_type(digest))); + for (j = 0; j < (int)n; j++) { + BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n) + ? '\n' : ':'); + } + } + } + } + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + + if (text) + X509_CRL_print(out, x); + + if (noout) { + ret = 0; + goto end; + } + + if (outformat == FORMAT_ASN1) + i = (int)i2d_X509_CRL_bio(out, x); + else + i = PEM_write_bio_X509_CRL(out, x); + if (!i) { + BIO_printf(bio_err, "unable to write CRL\n"); + goto end; + } + ret = 0; + + end: + if (ret != 0) + ERR_print_errors(bio_err); + BIO_free_all(out); + X509_CRL_free(x); + X509_STORE_CTX_free(ctx); + X509_STORE_free(store); + return (ret); +} diff --git a/openssl-1.1.0h/apps/crl2p7.c b/openssl-1.1.0h/apps/crl2p7.c new file mode 100644 index 0000000..9c5f79f --- /dev/null +++ b/openssl-1.1.0h/apps/crl2p7.c @@ -0,0 +1,216 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include +#include + +static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE +} OPTION_CHOICE; + +OPTIONS crl2pkcs7_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"}, + {"certfile", OPT_CERTFILE, '<', + "File of chain of certs to a trusted CA; can be repeated"}, + {NULL} +}; + +int crl2pkcs7_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + PKCS7 *p7 = NULL; + PKCS7_SIGNED *p7s = NULL; + STACK_OF(OPENSSL_STRING) *certflst = NULL; + STACK_OF(X509) *cert_stack = NULL; + STACK_OF(X509_CRL) *crl_stack = NULL; + X509_CRL *crl = NULL; + char *infile = NULL, *outfile = NULL, *prog, *certfile; + int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl = + 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, crl2pkcs7_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(crl2pkcs7_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_NOCRL: + nocrl = 1; + break; + case OPT_CERTFILE: + if ((certflst == NULL) + && (certflst = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!sk_OPENSSL_STRING_push(certflst, opt_arg())) + goto end; + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (!nocrl) { + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + + if (informat == FORMAT_ASN1) + crl = d2i_X509_CRL_bio(in, NULL); + else if (informat == FORMAT_PEM) + crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); + if (crl == NULL) { + BIO_printf(bio_err, "unable to load CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + } + + if ((p7 = PKCS7_new()) == NULL) + goto end; + if ((p7s = PKCS7_SIGNED_new()) == NULL) + goto end; + p7->type = OBJ_nid2obj(NID_pkcs7_signed); + p7->d.sign = p7s; + p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data); + + if (!ASN1_INTEGER_set(p7s->version, 1)) + goto end; + if ((crl_stack = sk_X509_CRL_new_null()) == NULL) + goto end; + p7s->crl = crl_stack; + if (crl != NULL) { + sk_X509_CRL_push(crl_stack, crl); + crl = NULL; /* now part of p7 for OPENSSL_freeing */ + } + + if ((cert_stack = sk_X509_new_null()) == NULL) + goto end; + p7s->cert = cert_stack; + + if (certflst) + for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) { + certfile = sk_OPENSSL_STRING_value(certflst, i); + if (add_certs_from_file(cert_stack, certfile) < 0) { + BIO_printf(bio_err, "error loading certificates\n"); + ERR_print_errors(bio_err); + goto end; + } + } + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + + if (outformat == FORMAT_ASN1) + i = i2d_PKCS7_bio(out, p7); + else if (outformat == FORMAT_PEM) + i = PEM_write_bio_PKCS7(out, p7); + if (!i) { + BIO_printf(bio_err, "unable to write pkcs7 object\n"); + ERR_print_errors(bio_err); + goto end; + } + ret = 0; + end: + sk_OPENSSL_STRING_free(certflst); + BIO_free(in); + BIO_free_all(out); + PKCS7_free(p7); + X509_CRL_free(crl); + + return (ret); +} + +/*- + *---------------------------------------------------------------------- + * int add_certs_from_file + * + * Read a list of certificates to be checked from a file. + * + * Results: + * number of certs added if successful, -1 if not. + *---------------------------------------------------------------------- + */ +static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile) +{ + BIO *in = NULL; + int count = 0; + int ret = -1; + STACK_OF(X509_INFO) *sk = NULL; + X509_INFO *xi; + + in = BIO_new_file(certfile, "r"); + if (in == NULL) { + BIO_printf(bio_err, "error opening the file, %s\n", certfile); + goto end; + } + + /* This loads from a file, a stack of x509/crl/pkey sets */ + sk = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL); + if (sk == NULL) { + BIO_printf(bio_err, "error reading the file, %s\n", certfile); + goto end; + } + + /* scan over it and pull out the CRL's */ + while (sk_X509_INFO_num(sk)) { + xi = sk_X509_INFO_shift(sk); + if (xi->x509 != NULL) { + sk_X509_push(stack, xi->x509); + xi->x509 = NULL; + count++; + } + X509_INFO_free(xi); + } + + ret = count; + end: + /* never need to OPENSSL_free x */ + BIO_free(in); + sk_X509_INFO_free(sk); + return (ret); +} diff --git a/openssl-1.1.0h/apps/ct_log_list.cnf b/openssl-1.1.0h/apps/ct_log_list.cnf new file mode 100644 index 0000000..2434874 --- /dev/null +++ b/openssl-1.1.0h/apps/ct_log_list.cnf @@ -0,0 +1,34 @@ +enabled_logs=pilot,aviator,rocketeer,digicert,certly,izempe,symantec,venafi + +[pilot] +description = Google Pilot Log +key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfahLEimAoz2t01p3uMziiLOl/fHTDM0YDOhBRuiBARsV4UvxG2LdNgoIGLrtCzWE0J5APC2em4JlvR8EEEFMoA== + +[aviator] +description = Google Aviator log +key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE1/TMabLkDpCjiupacAlP7xNi0I1JYP8bQFAHDG1xhtolSY1l4QgNRzRrvSe8liE+NPWHdjGxfx3JhTsN9x8/6Q== + +[rocketeer] +description = Google Rocketeer log +key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIFsYyDzBi7MxCAC/oJBXK7dHjG+1aLCOkHjpoHPqTyghLpzA9BYbqvnV16mAw04vUjyYASVGJCUoI3ctBcJAeg== + +[digicert] +description = DigiCert Log Server +key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAkbFvhu7gkAW6MHSrBlpE1n4+HCFRkC5OLAjgqhkTH+/uzSfSl8ois8ZxAD2NgaTZe1M9akhYlrYkes4JECs6A== + +[certly] +description = Certly.IO log +key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAECyPLhWKYYUgEc+tUXfPQB4wtGS2MNvXrjwFCCnyYJifBtd2Sk7Cu+Js9DNhMTh35FftHaHu6ZrclnNBKwmbbSA== + +[izempe] +description = Izempe log +key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ2Q5DC3cUBj4IQCiDu0s6j51up+TZAkAEcQRF6tczw90rLWXkJMAW7jr9yc92bIKgV8vDXU4lDeZHvYHduDuvg== + +[symantec] +description = Symantec log +key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEluqsHEYMG1XcDfy1lCdGV0JwOmkY4r87xNuroPS2bMBTP01CEDPwWJePa75y9CrsHEKqAy8afig1dpkIPSEUhg== + +[venafi] +description = Venafi log +key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAolpIHxdSlTXLo1s6H1OCdpSj/4DyHDc8wLG9wVmLqy1lk9fz4ATVmm+/1iN2Nk8jmctUKK2MFUtlWXZBSpym97M7frGlSaQXUWyA3CqQUEuIJOmlEjKTBEiQAvpfDjCHjlV2Be4qTM6jamkJbiWtgnYPhJL6ONaGTiSPm7Byy57iaz/hbckldSOIoRhYBiMzeNoA0DiRZ9KmfSeXZ1rB8y8X5urSW+iBzf2SaOfzBvDpcoTuAaWx2DPazoOl28fP1hZ+kHUYvxbcMjttjauCFx+JII0dmuZNIwjfeG/GBb9frpSX219k1O4Wi6OEbHEr8at/XQ0y7gTikOxBn/s5wQIDAQAB + diff --git a/openssl-1.1.0h/apps/demoCA/cacert.pem b/openssl-1.1.0h/apps/demoCA/cacert.pem new file mode 100644 index 0000000..affbce3 --- /dev/null +++ b/openssl-1.1.0h/apps/demoCA/cacert.pem @@ -0,0 +1,14 @@ +subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server +issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA +-----BEGIN X509 CERTIFICATE----- + +MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV +BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz +MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM +RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV +BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3 +LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb +/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0 +DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn +IMs6ZOZB +-----END X509 CERTIFICATE----- diff --git a/openssl-1.1.0h/apps/demoCA/index.txt b/openssl-1.1.0h/apps/demoCA/index.txt new file mode 100644 index 0000000..2cdd252 --- /dev/null +++ b/openssl-1.1.0h/apps/demoCA/index.txt @@ -0,0 +1,39 @@ +R 980705233205Z 951009233205Z 01 certs/00000001 /CN=Eric Young +E 951009233205Z 02 certs/00000002 /CN=Duncan Young +R 980705233205Z 951201010000Z 03 certs/00000003 /CN=Tim Hudson +V 980705233205Z 04 certs/00000004 /CN=Eric Young4 +V 980705233205Z 05 certs/00000004 /CN=Eric Young5 +V 980705233205Z 06 certs/00000004 /CN=Eric Young6 +V 980705233205Z 07 certs/00000004 /CN=Eric Young7 +V 980705233205Z 08 certs/00000004 /CN=Eric Young8 +V 980705233205Z 09 certs/00000004 /CN=Eric Young9 +V 980705233205Z 0A certs/00000004 /CN=Eric YoungA +V 980705233205Z 0B certs/00000004 /CN=Eric YoungB +V 980705233205Z 0C certs/00000004 /CN=Eric YoungC +V 980705233205Z 0D certs/00000004 /CN=Eric YoungD +V 980705233205Z 0E certs/00000004 /CN=Eric YoungE +V 980705233205Z 0F certs/00000004 /CN=Eric YoungF +V 980705233205Z 10 certs/00000004 /CN=Eric Young10 +V 980705233205Z 11 certs/00000004 /CN=Eric Young11 +V 980705233205Z 12 certs/00000004 /CN=Eric Young12 +V 980705233205Z 13 certs/00000004 /CN=Eric Young13 +V 980705233205Z 14 certs/00000004 /CN=Eric Young14 +V 980705233205Z 15 certs/00000004 /CN=Eric Young15 +V 980705233205Z 16 certs/00000004 /CN=Eric Young16 +V 980705233205Z 17 certs/00000004 /CN=Eric Young17 +V 961206150305Z 010C unknown /C=AU/SP=QLD/O=Mincom Pty. Ltd./OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au +V 961206153245Z 010D unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=Eric Young/Email=eay@mincom.oz.au +V 970322074816Z 010E unknown /CN=Eric Young/Email=eay@mincom.oz.au +V 970322075152Z 010F unknown /CN=Eric Young +V 970322075906Z 0110 unknown /CN=Eric Youngg +V 970324092238Z 0111 unknown /C=AU/SP=Queensland/CN=Eric Young +V 970324221931Z 0112 unknown /CN=Fred +V 970324224934Z 0113 unknown /C=AU/CN=eay +V 971001005237Z 0114 unknown /C=AU/SP=QLD/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test +V 971001010331Z 0115 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test again - x509v3 +V 971001013945Z 0117 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=x509v3 test +V 971014225415Z 0118 unknown /C=AU/SP=Queensland/CN=test +V 971015004448Z 0119 unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test2 +V 971016035001Z 011A unknown /C=AU/SP=Queensland/O=Mincom Pty Ltd/OU=MTR/CN=test64 +V 971016080129Z 011B unknown /C=FR/O=ALCATEL/OU=Alcatel Mobile Phones/CN=bourque/Email=bourque@art.alcatel.fr +V 971016224000Z 011D unknown /L=Bedford/O=Cranfield University/OU=Computer Centre/CN=Peter R Lister/Email=P.Lister@cranfield.ac.uk diff --git a/openssl-1.1.0h/apps/demoCA/private/cakey.pem b/openssl-1.1.0h/apps/demoCA/private/cakey.pem new file mode 100644 index 0000000..48fb18c --- /dev/null +++ b/openssl-1.1.0h/apps/demoCA/private/cakey.pem @@ -0,0 +1,24 @@ +issuer= /C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=CA +subject=/C=AU/SOP=QLD/O=Mincom Pty. Ltd./OU=CS/CN=SSLeay demo server +-----BEGIN X509 CERTIFICATE----- + +MIIBgjCCASwCAQQwDQYJKoZIhvcNAQEEBQAwODELMAkGA1UEBhMCQVUxDDAKBgNV +BAgTA1FMRDEbMBkGA1UEAxMSU1NMZWF5L3JzYSB0ZXN0IENBMB4XDTk1MTAwOTIz +MzIwNVoXDTk4MDcwNTIzMzIwNVowYDELMAkGA1UEBhMCQVUxDDAKBgNVBAgTA1FM +RDEZMBcGA1UEChMQTWluY29tIFB0eS4gTHRkLjELMAkGA1UECxMCQ1MxGzAZBgNV +BAMTElNTTGVheSBkZW1vIHNlcnZlcjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3 +LCXcScWua0PFLkHBLm2VejqpA1F4RQ8q0VjRiPafjx/Z/aWH3ipdMVvuJGa/wFXb +/nDFLDlfWp+oCPwhBtVPAgMBAAEwDQYJKoZIhvcNAQEEBQADQQArNFsihWIjBzb0 +DCsU0BvL2bvSwJrPEqFlkDq3F4M6EGutL9axEcANWgbbEdAvNJD1dmEmoWny27Pn +IMs6ZOZB +-----END X509 CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- + +MIIBPAIBAAJBALcsJdxJxa5rQ8UuQcEubZV6OqkDUXhFDyrRWNGI9p+PH9n9pYfe +Kl0xW+4kZr/AVdv+cMUsOV9an6gI/CEG1U8CAwEAAQJAXJMBZ34ZXHd1vtgL/3hZ +hexKbVTx/djZO4imXO/dxPGRzG2ylYZpHmG32/T1kaHpZlCHoEPgHoSzmxYXfxjG +sQIhAPmZ/bQOjmRUHM/VM2X5zrjjM6z18R1P6l3ObFwt9FGdAiEAu943Yh9SqMRw +tL0xHGxKmM/YJueUw1gB6sLkETN71NsCIQCeT3RhoqXfrpXDoEcEU+gwzjI1bpxq +agiNTOLfqGoA5QIhAIQFYjgzONxex7FLrsKBm16N2SFl5pXsN9SpRqqL2n63AiEA +g9VNIQ3xwpw7og3IbONifeku+J9qGMGQJMKwSTwrFtI= +-----END RSA PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/demoCA/serial b/openssl-1.1.0h/apps/demoCA/serial new file mode 100644 index 0000000..69fa0ff --- /dev/null +++ b/openssl-1.1.0h/apps/demoCA/serial @@ -0,0 +1 @@ +011E diff --git a/openssl-1.1.0h/apps/demoSRP/srp_verifier.txt b/openssl-1.1.0h/apps/demoSRP/srp_verifier.txt new file mode 100644 index 0000000..ccae629 --- /dev/null +++ b/openssl-1.1.0h/apps/demoSRP/srp_verifier.txt @@ -0,0 +1,6 @@ +# This is a file that will be filled by the openssl srp routine. +# You can initialize the file with additional groups, these are +# records starting with a I followed by the g and N values and the id. +# The exact values ... you have to dig this out from the source of srp.c +# or srp_vfy.c +# The last value of an I is used as the default group for new users. diff --git a/openssl-1.1.0h/apps/demoSRP/srp_verifier.txt.attr b/openssl-1.1.0h/apps/demoSRP/srp_verifier.txt.attr new file mode 100644 index 0000000..8f7e63a --- /dev/null +++ b/openssl-1.1.0h/apps/demoSRP/srp_verifier.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/openssl-1.1.0h/apps/dgst.c b/openssl-1.1.0h/apps/dgst.c new file mode 100644 index 0000000..08182e2 --- /dev/null +++ b/openssl-1.1.0h/apps/dgst.c @@ -0,0 +1,480 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include +#include +#include + +#undef BUFSIZE +#define BUFSIZE 1024*8 + +int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, + EVP_PKEY *key, unsigned char *sigin, int siglen, + const char *sig_name, const char *md_name, + const char *file); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_C, OPT_R, OPT_RAND, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY, + OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL, + OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT, + OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, + OPT_DIGEST +} OPTION_CHOICE; + +OPTIONS dgst_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"}, + {OPT_HELP_STR, 1, '-', + " file... files to digest (default is stdin)\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"c", OPT_C, '-', "Print the digest with separating colons"}, + {"r", OPT_R, '-', "Print the digest in coreutils format"}, + {"rand", OPT_RAND, 's', + "Use file(s) containing random data to seed RNG or an EGD sock"}, + {"out", OPT_OUT, '>', "Output to filename rather than stdout"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"sign", OPT_SIGN, 's', "Sign digest using private key"}, + {"verify", OPT_VERIFY, 's', + "Verify a signature using public key"}, + {"prverify", OPT_PRVERIFY, 's', + "Verify a signature using private key"}, + {"signature", OPT_SIGNATURE, '<', "File with signature to verify"}, + {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"}, + {"hex", OPT_HEX, '-', "Print as hex dump"}, + {"binary", OPT_BINARY, '-', "Print in binary form"}, + {"d", OPT_DEBUG, '-', "Print debug info"}, + {"debug", OPT_DEBUG, '-', "Print debug info"}, + {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-', + "Compute HMAC with the key used in OpenSSL-FIPS fingerprint"}, + {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"}, + {"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"}, + {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"}, + {"", OPT_DIGEST, '-', "Any supported digest"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, + {"engine_impl", OPT_ENGINE_IMPL, '-', + "Also use engine given by -engine for digest operations"}, +#endif + {NULL} +}; + +int dgst_main(int argc, char **argv) +{ + BIO *in = NULL, *inp, *bmd = NULL, *out = NULL; + ENGINE *e = NULL, *impl = NULL; + EVP_PKEY *sigkey = NULL; + STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; + char *hmac_key = NULL; + char *mac_name = NULL; + char *passinarg = NULL, *passin = NULL; + const EVP_MD *md = NULL, *m; + const char *outfile = NULL, *keyfile = NULL, *prog = NULL; + const char *sigfile = NULL, *randfile = NULL; + OPTION_CHOICE o; + int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0; + int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0; + unsigned char *buf = NULL, *sigbuf = NULL; + int engine_impl = 0; + + prog = opt_progname(argv[0]); + buf = app_malloc(BUFSIZE, "I/O buffer"); + md = EVP_get_digestbyname(prog); + + prog = opt_init(argc, argv, dgst_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(dgst_options); + ret = 0; + goto end; + case OPT_C: + separator = 1; + break; + case OPT_R: + separator = 2; + break; + case OPT_RAND: + randfile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_SIGN: + keyfile = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_VERIFY: + keyfile = opt_arg(); + want_pub = do_verify = 1; + break; + case OPT_PRVERIFY: + keyfile = opt_arg(); + do_verify = 1; + break; + case OPT_SIGNATURE: + sigfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) + goto opthelp; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_ENGINE_IMPL: + engine_impl = 1; + break; + case OPT_HEX: + out_bin = 0; + break; + case OPT_BINARY: + out_bin = 1; + break; + case OPT_DEBUG: + debug = 1; + break; + case OPT_FIPS_FINGERPRINT: + hmac_key = "etaonrishdlcupfm"; + break; + case OPT_HMAC: + hmac_key = opt_arg(); + break; + case OPT_MAC: + mac_name = opt_arg(); + break; + case OPT_SIGOPT: + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto opthelp; + break; + case OPT_MACOPT: + if (!macopts) + macopts = sk_OPENSSL_STRING_new_null(); + if (!macopts || !sk_OPENSSL_STRING_push(macopts, opt_arg())) + goto opthelp; + break; + case OPT_DIGEST: + if (!opt_md(opt_unknown(), &m)) + goto opthelp; + md = m; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + if (keyfile != NULL && argc > 1) { + BIO_printf(bio_err, "%s: Can only sign or verify one file.\n", prog); + goto end; + } + + if (do_verify && !sigfile) { + BIO_printf(bio_err, + "No signature to verify: use the -signature option\n"); + goto end; + } + if (engine_impl) + impl = e; + + in = BIO_new(BIO_s_file()); + bmd = BIO_new(BIO_f_md()); + if ((in == NULL) || (bmd == NULL)) { + ERR_print_errors(bio_err); + goto end; + } + + if (debug) { + BIO_set_callback(in, BIO_debug_callback); + /* needed for windows 3.1 */ + BIO_set_callback_arg(in, (char *)bio_err); + } + + if (!app_passwd(passinarg, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + if (out_bin == -1) { + if (keyfile) + out_bin = 1; + else + out_bin = 0; + } + + if (randfile) + app_RAND_load_file(randfile, 0); + + out = bio_open_default(outfile, 'w', out_bin ? FORMAT_BINARY : FORMAT_TEXT); + if (out == NULL) + goto end; + + if ((! !mac_name + ! !keyfile + ! !hmac_key) > 1) { + BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n"); + goto end; + } + + if (keyfile) { + if (want_pub) + sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "key file"); + else + sigkey = load_key(keyfile, keyform, 0, passin, e, "key file"); + if (!sigkey) { + /* + * load_[pub]key() has already printed an appropriate message + */ + goto end; + } + } + + if (mac_name) { + EVP_PKEY_CTX *mac_ctx = NULL; + int r = 0; + if (!init_gen_str(&mac_ctx, mac_name, impl, 0)) + goto mac_end; + if (macopts) { + char *macopt; + for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) { + macopt = sk_OPENSSL_STRING_value(macopts, i); + if (pkey_ctrl_string(mac_ctx, macopt) <= 0) { + BIO_printf(bio_err, + "MAC parameter error \"%s\"\n", macopt); + ERR_print_errors(bio_err); + goto mac_end; + } + } + } + if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) { + BIO_puts(bio_err, "Error generating key\n"); + ERR_print_errors(bio_err); + goto mac_end; + } + r = 1; + mac_end: + EVP_PKEY_CTX_free(mac_ctx); + if (r == 0) + goto end; + } + + if (hmac_key) { + sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl, + (unsigned char *)hmac_key, -1); + if (!sigkey) + goto end; + } + + if (sigkey) { + EVP_MD_CTX *mctx = NULL; + EVP_PKEY_CTX *pctx = NULL; + int r; + if (!BIO_get_md_ctx(bmd, &mctx)) { + BIO_printf(bio_err, "Error getting context\n"); + ERR_print_errors(bio_err); + goto end; + } + if (do_verify) + r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey); + else + r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey); + if (!r) { + BIO_printf(bio_err, "Error setting context\n"); + ERR_print_errors(bio_err); + goto end; + } + if (sigopts) { + char *sigopt; + for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { + sigopt = sk_OPENSSL_STRING_value(sigopts, i); + if (pkey_ctrl_string(pctx, sigopt) <= 0) { + BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt); + ERR_print_errors(bio_err); + goto end; + } + } + } + } + /* we use md as a filter, reading from 'in' */ + else { + EVP_MD_CTX *mctx = NULL; + if (!BIO_get_md_ctx(bmd, &mctx)) { + BIO_printf(bio_err, "Error getting context\n"); + ERR_print_errors(bio_err); + goto end; + } + if (md == NULL) + md = EVP_sha256(); + if (!EVP_DigestInit_ex(mctx, md, impl)) { + BIO_printf(bio_err, "Error setting digest\n"); + ERR_print_errors(bio_err); + goto end; + } + } + + if (sigfile && sigkey) { + BIO *sigbio = BIO_new_file(sigfile, "rb"); + if (!sigbio) { + BIO_printf(bio_err, "Error opening signature file %s\n", sigfile); + ERR_print_errors(bio_err); + goto end; + } + siglen = EVP_PKEY_size(sigkey); + sigbuf = app_malloc(siglen, "signature buffer"); + siglen = BIO_read(sigbio, sigbuf, siglen); + BIO_free(sigbio); + if (siglen <= 0) { + BIO_printf(bio_err, "Error reading signature file %s\n", sigfile); + ERR_print_errors(bio_err); + goto end; + } + } + inp = BIO_push(bmd, in); + + if (md == NULL) { + EVP_MD_CTX *tctx; + BIO_get_md_ctx(bmd, &tctx); + md = EVP_MD_CTX_md(tctx); + } + + if (argc == 0) { + BIO_set_fp(in, stdin, BIO_NOCLOSE); + ret = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf, + siglen, NULL, NULL, "stdin"); + } else { + const char *md_name = NULL, *sig_name = NULL; + if (!out_bin) { + if (sigkey) { + const EVP_PKEY_ASN1_METHOD *ameth; + ameth = EVP_PKEY_get0_asn1(sigkey); + if (ameth) + EVP_PKEY_asn1_get0_info(NULL, NULL, + NULL, NULL, &sig_name, ameth); + } + if (md) + md_name = EVP_MD_name(md); + } + ret = 0; + for (i = 0; i < argc; i++) { + int r; + if (BIO_read_filename(in, argv[i]) <= 0) { + perror(argv[i]); + ret++; + continue; + } else + r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf, + siglen, sig_name, md_name, argv[i]); + if (r) + ret = r; + (void)BIO_reset(bmd); + } + } + end: + OPENSSL_clear_free(buf, BUFSIZE); + BIO_free(in); + OPENSSL_free(passin); + BIO_free_all(out); + EVP_PKEY_free(sigkey); + sk_OPENSSL_STRING_free(sigopts); + sk_OPENSSL_STRING_free(macopts); + OPENSSL_free(sigbuf); + BIO_free(bmd); + release_engine(e); + return (ret); +} + +int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, + EVP_PKEY *key, unsigned char *sigin, int siglen, + const char *sig_name, const char *md_name, + const char *file) +{ + size_t len; + int i; + + for (;;) { + i = BIO_read(bp, (char *)buf, BUFSIZE); + if (i < 0) { + BIO_printf(bio_err, "Read Error in %s\n", file); + ERR_print_errors(bio_err); + return 1; + } + if (i == 0) + break; + } + if (sigin) { + EVP_MD_CTX *ctx; + BIO_get_md_ctx(bp, &ctx); + i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen); + if (i > 0) + BIO_printf(out, "Verified OK\n"); + else if (i == 0) { + BIO_printf(out, "Verification Failure\n"); + return 1; + } else { + BIO_printf(bio_err, "Error Verifying Data\n"); + ERR_print_errors(bio_err); + return 1; + } + return 0; + } + if (key) { + EVP_MD_CTX *ctx; + BIO_get_md_ctx(bp, &ctx); + len = BUFSIZE; + if (!EVP_DigestSignFinal(ctx, buf, &len)) { + BIO_printf(bio_err, "Error Signing Data\n"); + ERR_print_errors(bio_err); + return 1; + } + } else { + len = BIO_gets(bp, (char *)buf, BUFSIZE); + if ((int)len < 0) { + ERR_print_errors(bio_err); + return 1; + } + } + + if (binout) + BIO_write(out, buf, len); + else if (sep == 2) { + for (i = 0; i < (int)len; i++) + BIO_printf(out, "%02x", buf[i]); + BIO_printf(out, " *%s\n", file); + } else { + if (sig_name) { + BIO_puts(out, sig_name); + if (md_name) + BIO_printf(out, "-%s", md_name); + BIO_printf(out, "(%s)= ", file); + } else if (md_name) + BIO_printf(out, "%s(%s)= ", md_name, file); + else + BIO_printf(out, "(%s)= ", file); + for (i = 0; i < (int)len; i++) { + if (sep && (i != 0)) + BIO_printf(out, ":"); + BIO_printf(out, "%02x", buf[i]); + } + BIO_printf(out, "\n"); + } + return 0; +} diff --git a/openssl-1.1.0h/apps/dh1024.pem b/openssl-1.1.0h/apps/dh1024.pem new file mode 100644 index 0000000..f1a5e18 --- /dev/null +++ b/openssl-1.1.0h/apps/dh1024.pem @@ -0,0 +1,10 @@ +-----BEGIN DH PARAMETERS----- +MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR +Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL +/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC +-----END DH PARAMETERS----- + +These are the 1024-bit DH parameters from "Internet Key Exchange +Protocol Version 2 (IKEv2)": https://tools.ietf.org/html/rfc5996 + +See https://tools.ietf.org/html/rfc2412 for how they were generated. diff --git a/openssl-1.1.0h/apps/dh2048.pem b/openssl-1.1.0h/apps/dh2048.pem new file mode 100644 index 0000000..e899f2e --- /dev/null +++ b/openssl-1.1.0h/apps/dh2048.pem @@ -0,0 +1,14 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg== +-----END DH PARAMETERS----- + +These are the 2048-bit DH parameters from "More Modular Exponential +(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": +https://tools.ietf.org/html/rfc3526 + +See https://tools.ietf.org/html/rfc2412 for how they were generated. diff --git a/openssl-1.1.0h/apps/dh4096.pem b/openssl-1.1.0h/apps/dh4096.pem new file mode 100644 index 0000000..adada2b --- /dev/null +++ b/openssl-1.1.0h/apps/dh4096.pem @@ -0,0 +1,19 @@ +-----BEGIN DH PARAMETERS----- +MIICCAKCAgEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb +IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft +awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT +mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh +fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq +5RXSJhiY+gUQFXKOWoqqxC2tMxcNBFB6M6hVIavfHLpk7PuFBFjb7wqK6nFXXQYM +fbOXD4Wm4eTHq/WujNsJM9cejJTgSiVhnc7j0iYa0u5r8S/6BtmKCGTYdgJzPshq +ZFIfKxgXeyAMu+EXV3phXWx3CYjAutlG4gjiT6B05asxQ9tb/OD9EI5LgtEgqSEI +ARpyPBKnh+bXiHGaEL26WyaZwycYavTiPBqUaDS2FQvaJYPpyirUTOjbu8LbBN6O ++S6O/BQfvsqmKHxZR05rwF2ZspZPoJDDoiM7oYZRW+ftH2EpcM7i16+4G912IXBI +HNAGkSfVsFqpk7TqmI2P3cGG/7fckKbAj030Nck0BjGZ//////////8CAQI= +-----END DH PARAMETERS----- + +These are the 4096-bit DH parameters from "More Modular Exponential +(MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)": +https://tools.ietf.org/html/rfc3526 + +See https://tools.ietf.org/html/rfc2412 for how they were generated. diff --git a/openssl-1.1.0h/apps/dhparam.c b/openssl-1.1.0h/apps/dhparam.c new file mode 100644 index 0000000..94322e3 --- /dev/null +++ b/openssl-1.1.0h/apps/dhparam.c @@ -0,0 +1,392 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_DH +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include +# include +# include + +# ifndef OPENSSL_NO_DSA +# include +# endif + +# define DEFBITS 2048 + +static int dh_cb(int p, int n, BN_GENCB *cb); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, + OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT, + OPT_RAND, OPT_DSAPARAM, OPT_C, OPT_2, OPT_5 +} OPTION_CHOICE; + +OPTIONS dhparam_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"inform", OPT_INFORM, 'F', "Input format, DER or PEM"}, + {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"}, + {"out", OPT_OUT, '>', "Output file"}, + {"check", OPT_CHECK, '-', "Check the DH parameters"}, + {"text", OPT_TEXT, '-', "Print a text form of the DH parameters"}, + {"noout", OPT_NOOUT, '-', "Don't output any DH parameters"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"C", OPT_C, '-', "Print C code"}, + {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"}, + {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"}, +# ifndef OPENSSL_NO_DSA + {"dsaparam", OPT_DSAPARAM, '-', + "Read or generate DSA parameters, convert to DH"}, +# endif +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + {NULL} +}; + +int dhparam_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + DH *dh = NULL; + char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL; + ENGINE *e = NULL; +#ifndef OPENSSL_NO_DSA + int dsaparam = 0; +#endif + int i, text = 0, C = 0, ret = 1, num = 0, g = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, dhparam_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(dhparam_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_CHECK: + check = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_DSAPARAM: +#ifndef OPENSSL_NO_DSA + dsaparam = 1; +#endif + break; + case OPT_C: + C = 1; + break; + case OPT_2: + g = 2; + break; + case OPT_5: + g = 5; + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_RAND: + inrand = opt_arg(); + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (argv[0] && (!opt_int(argv[0], &num) || num <= 0)) + goto end; + + if (g && !num) + num = DEFBITS; + +# ifndef OPENSSL_NO_DSA + if (dsaparam && g) { + BIO_printf(bio_err, + "generator may not be chosen for DSA parameters\n"); + goto end; + } +# endif + /* DH parameters */ + if (num && !g) + g = 2; + + if (num) { + + BN_GENCB *cb; + cb = BN_GENCB_new(); + if (cb == NULL) { + ERR_print_errors(bio_err); + goto end; + } + + BN_GENCB_set(cb, dh_cb, bio_err); + if (!app_RAND_load_file(NULL, 1) && inrand == NULL) { + BIO_printf(bio_err, + "warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + +# ifndef OPENSSL_NO_DSA + if (dsaparam) { + DSA *dsa = DSA_new(); + + BIO_printf(bio_err, + "Generating DSA parameters, %d bit long prime\n", num); + if (dsa == NULL + || !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, + cb)) { + DSA_free(dsa); + BN_GENCB_free(cb); + ERR_print_errors(bio_err); + goto end; + } + + dh = DSA_dup_DH(dsa); + DSA_free(dsa); + if (dh == NULL) { + BN_GENCB_free(cb); + ERR_print_errors(bio_err); + goto end; + } + } else +# endif + { + dh = DH_new(); + BIO_printf(bio_err, + "Generating DH parameters, %d bit long safe prime, generator %d\n", + num, g); + BIO_printf(bio_err, "This is going to take a long time\n"); + if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) { + BN_GENCB_free(cb); + ERR_print_errors(bio_err); + goto end; + } + } + + BN_GENCB_free(cb); + app_RAND_write_file(NULL); + } else { + + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + +# ifndef OPENSSL_NO_DSA + if (dsaparam) { + DSA *dsa; + + if (informat == FORMAT_ASN1) + dsa = d2i_DSAparams_bio(in, NULL); + else /* informat == FORMAT_PEM */ + dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL); + + if (dsa == NULL) { + BIO_printf(bio_err, "unable to load DSA parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + + dh = DSA_dup_DH(dsa); + DSA_free(dsa); + if (dh == NULL) { + ERR_print_errors(bio_err); + goto end; + } + } else +# endif + { + if (informat == FORMAT_ASN1) { + /* + * We have no PEM header to determine what type of DH params it + * is. We'll just try both. + */ + dh = d2i_DHparams_bio(in, NULL); + /* BIO_reset() returns 0 for success for file BIOs only!!! */ + if (dh == NULL && BIO_reset(in) == 0) + dh = d2i_DHxparams_bio(in, NULL); + } else { + /* informat == FORMAT_PEM */ + dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL); + } + + if (dh == NULL) { + BIO_printf(bio_err, "unable to load DH parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + } + + /* dh != NULL */ + } + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + + if (text) { + DHparams_print(out, dh); + } + + if (check) { + if (!DH_check(dh, &i)) { + ERR_print_errors(bio_err); + goto end; + } + if (i & DH_CHECK_P_NOT_PRIME) + BIO_printf(bio_err, "WARNING: p value is not prime\n"); + if (i & DH_CHECK_P_NOT_SAFE_PRIME) + BIO_printf(bio_err, "WARNING: p value is not a safe prime\n"); + if (i & DH_CHECK_Q_NOT_PRIME) + BIO_printf(bio_err, "WARNING: q value is not a prime\n"); + if (i & DH_CHECK_INVALID_Q_VALUE) + BIO_printf(bio_err, "WARNING: q value is invalid\n"); + if (i & DH_CHECK_INVALID_J_VALUE) + BIO_printf(bio_err, "WARNING: j value is invalid\n"); + if (i & DH_UNABLE_TO_CHECK_GENERATOR) + BIO_printf(bio_err, + "WARNING: unable to check the generator value\n"); + if (i & DH_NOT_SUITABLE_GENERATOR) + BIO_printf(bio_err, "WARNING: the g value is not a generator\n"); + if (i == 0) + BIO_printf(bio_err, "DH parameters appear to be ok.\n"); + if (num != 0 && i != 0) { + /* + * We have generated parameters but DH_check() indicates they are + * invalid! This should never happen! + */ + BIO_printf(bio_err, "ERROR: Invalid parameters generated\n"); + goto end; + } + } + if (C) { + unsigned char *data; + int len, bits; + const BIGNUM *pbn, *gbn; + + len = DH_size(dh); + bits = DH_bits(dh); + DH_get0_pqg(dh, &pbn, NULL, &gbn); + data = app_malloc(len, "print a BN"); + BIO_printf(out, "#ifndef HEADER_DH_H\n" + "# include \n" + "#endif\n" + "\n"); + BIO_printf(out, "DH *get_dh%d()\n{\n", bits); + print_bignum_var(out, pbn, "dhp", bits, data); + print_bignum_var(out, gbn, "dhg", bits, data); + BIO_printf(out, " DH *dh = DH_new();\n" + " BIGNUM *dhp_bn, *dhg_bn;\n" + "\n" + " if (dh == NULL)\n" + " return NULL;\n"); + BIO_printf(out, " dhp_bn = BN_bin2bn(dhp_%d, sizeof(dhp_%d), NULL);\n", + bits, bits); + BIO_printf(out, " dhg_bn = BN_bin2bn(dhg_%d, sizeof(dhg_%d), NULL);\n", + bits, bits); + BIO_printf(out, " if (dhp_bn == NULL || dhg_bn == NULL\n" + " || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {\n" + " DH_free(dh);\n" + " BN_free(dhp_bn);\n" + " BN_free(dhg_bn);\n" + " return NULL;\n" + " }\n"); + if (DH_get_length(dh) > 0) + BIO_printf(out, + " if (!DH_set_length(dh, %ld)) {\n" + " DH_free(dh);\n" + " }\n", DH_get_length(dh)); + BIO_printf(out, " return dh;\n}\n"); + OPENSSL_free(data); + } + + if (!noout) { + const BIGNUM *q; + DH_get0_pqg(dh, NULL, &q, NULL); + if (outformat == FORMAT_ASN1) { + if (q != NULL) + i = i2d_DHxparams_bio(out, dh); + else + i = i2d_DHparams_bio(out, dh); + } else if (q != NULL) + i = PEM_write_bio_DHxparams(out, dh); + else + i = PEM_write_bio_DHparams(out, dh); + if (!i) { + BIO_printf(bio_err, "unable to write DH parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + } + ret = 0; + end: + BIO_free(in); + BIO_free_all(out); + DH_free(dh); + release_engine(e); + return (ret); +} + +static int dh_cb(int p, int n, BN_GENCB *cb) +{ + char c = '*'; + + if (p == 0) + c = '.'; + if (p == 1) + c = '+'; + if (p == 2) + c = '*'; + if (p == 3) + c = '\n'; + BIO_write(BN_GENCB_get_arg(cb), &c, 1); + (void)BIO_flush(BN_GENCB_get_arg(cb)); + return 1; +} +#endif diff --git a/openssl-1.1.0h/apps/dsa-ca.pem b/openssl-1.1.0h/apps/dsa-ca.pem new file mode 100644 index 0000000..3ce8dc6 --- /dev/null +++ b/openssl-1.1.0h/apps/dsa-ca.pem @@ -0,0 +1,47 @@ +-----BEGIN DSA PRIVATE KEY----- +MIIBugIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ +PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel +u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH +Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso +hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu +SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y +Mu0OArgCgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuHvSLw9YUrJahcBHmbpvt4 +94lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUqAylOVFJJJXuirVJ+o+0T +tOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u3enxhqnDGQIUB78dhW77 +J6zsFbSEHaQGUmfSeoM= +-----END DSA PRIVATE KEY----- +-----BEGIN CERTIFICATE REQUEST----- +MIICVjCCAhMCAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx +ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAwwCQ0Ew +ggG2MIIBKwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9 +hpazFeBTLo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhu +zmaua4g2++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82A +EeRwlVtQzUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ +5WhvMONp4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeo +epEJnbbxTZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJ +bEEXlZLrAbVzpWp+2DLtDgK4A4GEAAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfs +i4e9IvD1hSslqFwEeZum+3j3iUXiALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj2 +5SoDKU5UUkkle6KtUn6j7RO04UMhMQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17 +ry7d6fGGqcMZoAAwCwYJYIZIAWUDBAMCAzAAMC0CFCp7rUwGJNtxK6Aqo6k6US+S +KP8sAhUAyfSi8Zs3QAvkJoFG0IMRaq8M03I= +-----END CERTIFICATE REQUEST----- +-----BEGIN CERTIFICATE----- +MIIDMDCCAuygAwIBAgIBAjALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR +BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5 +IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNDE0OVoYDzMwMTUwNTE2MjE0 +MTQ5WjBSMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE +CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDDAJDQTCCAbYwggEr +BgcqhkjOOAQBMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMu +j+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb7 +7Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DN +SQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh +5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFN +nFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusB +tXOlan7YMu0OArgDgYQAAoGAGqZZeoqs/V62RZZNhglXAfioocVpx+yLh70i8PWF +KyWoXAR5m6b7ePeJReIAucN1jzPr1yaH27rJOBqEBBLEDTA2moeJuPblKgMpTlRS +SSV7oq1SfqPtE7ThQyExAJfmGWWq4lzg+7XTkjpfUSzDwuvnWhykvXuvLt3p8Yap +wxmjUDBOMB0GA1UdDgQWBBTMZcORcBEVlqO/CD4pf4V6N1NM1zAfBgNVHSMEGDAW +gBTGjwJ33uvjSa20RNrMKWoGptOLdDAMBgNVHRMEBTADAQH/MAsGCWCGSAFlAwQD +AgMxADAuAhUA4V6MrHufG8R79E+AtVO02olPxK8CFQDkZyo/TWpavsUBRDJbCeD9 +jgjIkA== +-----END CERTIFICATE----- diff --git a/openssl-1.1.0h/apps/dsa-pca.pem b/openssl-1.1.0h/apps/dsa-pca.pem new file mode 100644 index 0000000..a51a06e --- /dev/null +++ b/openssl-1.1.0h/apps/dsa-pca.pem @@ -0,0 +1,47 @@ +-----BEGIN DSA PRIVATE KEY----- +MIIBvAIBAAKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQ +PnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtel +u+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcH +Me36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLso +hkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbu +SXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7Y +Mu0OArgCgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk +umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A +29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUCFQDNvrBz +6TicfImU7UFRn9h00j0lJQ== +-----END DSA PRIVATE KEY----- +-----BEGIN CERTIFICATE REQUEST----- +MIICWDCCAhUCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx +ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAwwDUENB +MIIBtzCCASsGByqGSM44BAEwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7F +PYaWsxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmI +bs5mrmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/N +gBHkcJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYl +meVobzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEn +qHqRCZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/Xk +CWxBF5WS6wG1c6Vqftgy7Q4CuAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYg +rB7o1kQxeDf34dDVRM9OZ8tkumz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQ +lNnKvbtlmMDULpqkZJD0bO7A29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgT +mvTPT2j9TPjq7RWgADALBglghkgBZQMEAwIDMAAwLQIVAPA6/jxCT1D2HgzE4iZR +AEup/C7YAhRPLTQvQnAiS5FRrA+8SwBLvDAsaw== +-----END CERTIFICATE REQUEST----- +-----BEGIN CERTIFICATE----- +MIIDMDCCAu6gAwIBAgIBATALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR +BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5 +IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNDE0OVoYDzMwMTUwNTE2MjE0 +MTQ5WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE +CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDDANQQ0EwggG3MIIB +KwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9hpazFeBT +Lo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhuzmaua4g2 +++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82AEeRwlVtQ +zUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ5WhvMONp +4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeoepEJnbbx +TZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJbEEXlZLr +AbVzpWp+2DLtDgK4A4GFAAKBgQCm7bkeQHVviAowhXtosY1IiSczNiCsHujWRDF4 +N/fh0NVEz05ny2S6bPq2X6JRw17kSjF2xhXUhdJ12M6LTws4uxmrsBCU2cq9u2WY +wNQumqRkkPRs7sDb2eKwl8rLVRGoAEvDkOB9w+HVkte2YN9SAm+aOBOa9M9PaP1M ++OrtFaNQME4wHQYDVR0OBBYEFMaPAnfe6+NJrbRE2swpagam04t0MB8GA1UdIwQY +MBaAFMaPAnfe6+NJrbRE2swpagam04t0MAwGA1UdEwQFMAMBAf8wCwYJYIZIAWUD +BAMCAy8AMCwCFFhdz4fzQo9BBF20U1CHldYTi/D7AhQydDnDMj21y+U1UhDZJrvh +lnt88g== +-----END CERTIFICATE----- diff --git a/openssl-1.1.0h/apps/dsa.c b/openssl-1.1.0h/apps/dsa.c new file mode 100644 index 0000000..8454b2e --- /dev/null +++ b/openssl-1.1.0h/apps/dsa.c @@ -0,0 +1,265 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_DSA +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include +# include +# include +# include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE, + /* Do not change the order here; see case statements below */ + OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG, + OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN, + OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT +} OPTION_CHOICE; + +OPTIONS dsa_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"}, + {"outform", OPT_OUTFORM, 'f', "Output format, DER PEM PVK"}, + {"in", OPT_IN, 's', "Input key"}, + {"out", OPT_OUT, '>', "Output file"}, + {"noout", OPT_NOOUT, '-', "Don't print key out"}, + {"text", OPT_TEXT, '-', "Print the key in text"}, + {"modulus", OPT_MODULUS, '-', "Print the DSA public value"}, + {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, + {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, +# ifndef OPENSSL_NO_RC4 + {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"}, + {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"}, + {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"}, +# endif +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + {NULL} +}; + +int dsa_main(int argc, char **argv) +{ + BIO *out = NULL; + DSA *dsa = NULL; + ENGINE *e = NULL; + const EVP_CIPHER *enc = NULL; + char *infile = NULL, *outfile = NULL, *prog; + char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; + OPTION_CHOICE o; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; + int i, modulus = 0, pubin = 0, pubout = 0, ret = 1; +# ifndef OPENSSL_NO_RC4 + int pvk_encr = 2; +# endif + int private = 0; + + prog = opt_init(argc, argv, dsa_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + ret = 0; + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(dsa_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_PVK_STRONG: /* pvk_encr:= 2 */ + case OPT_PVK_WEAK: /* pvk_encr:= 1 */ + case OPT_PVK_NONE: /* pvk_encr:= 0 */ +#ifndef OPENSSL_NO_RC4 + pvk_encr = (o - OPT_PVK_NONE); +#endif + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_MODULUS: + modulus = 1; + break; + case OPT_PUBIN: + pubin = 1; + break; + case OPT_PUBOUT: + pubout = 1; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto end; + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + private = pubin || pubout ? 0 : 1; + if (text && !pubin) + private = 1; + + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + + BIO_printf(bio_err, "read DSA key\n"); + { + EVP_PKEY *pkey; + + if (pubin) + pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key"); + else + pkey = load_key(infile, informat, 1, passin, e, "Private Key"); + + if (pkey) { + dsa = EVP_PKEY_get1_DSA(pkey); + EVP_PKEY_free(pkey); + } + } + if (dsa == NULL) { + BIO_printf(bio_err, "unable to load Key\n"); + ERR_print_errors(bio_err); + goto end; + } + + out = bio_open_owner(outfile, outformat, private); + if (out == NULL) + goto end; + + if (text) { + assert(pubin || private); + if (!DSA_print(out, dsa, 0)) { + perror(outfile); + ERR_print_errors(bio_err); + goto end; + } + } + + if (modulus) { + const BIGNUM *pub_key = NULL; + DSA_get0_key(dsa, &pub_key, NULL); + BIO_printf(out, "Public Key="); + BN_print(out, pub_key); + BIO_printf(out, "\n"); + } + + if (noout) { + ret = 0; + goto end; + } + BIO_printf(bio_err, "writing DSA key\n"); + if (outformat == FORMAT_ASN1) { + if (pubin || pubout) + i = i2d_DSA_PUBKEY_bio(out, dsa); + else { + assert(private); + i = i2d_DSAPrivateKey_bio(out, dsa); + } + } else if (outformat == FORMAT_PEM) { + if (pubin || pubout) + i = PEM_write_bio_DSA_PUBKEY(out, dsa); + else { + assert(private); + i = PEM_write_bio_DSAPrivateKey(out, dsa, enc, + NULL, 0, NULL, passout); + } +# ifndef OPENSSL_NO_RSA + } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { + EVP_PKEY *pk; + pk = EVP_PKEY_new(); + if (pk == NULL) + goto end; + + EVP_PKEY_set1_DSA(pk, dsa); + if (outformat == FORMAT_PVK) { + if (pubin) { + BIO_printf(bio_err, "PVK form impossible with public key input\n"); + EVP_PKEY_free(pk); + goto end; + } + assert(private); +# ifdef OPENSSL_NO_RC4 + BIO_printf(bio_err, "PVK format not supported\n"); + EVP_PKEY_free(pk); + goto end; +# else + i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); +# endif + } + else if (pubin || pubout) + i = i2b_PublicKey_bio(out, pk); + else { + assert(private); + i = i2b_PrivateKey_bio(out, pk); + } + EVP_PKEY_free(pk); +# endif + } else { + BIO_printf(bio_err, "bad output format specified for outfile\n"); + goto end; + } + if (i <= 0) { + BIO_printf(bio_err, "unable to write private key\n"); + ERR_print_errors(bio_err); + goto end; + } + ret = 0; + end: + BIO_free_all(out); + DSA_free(dsa); + release_engine(e); + OPENSSL_free(passin); + OPENSSL_free(passout); + return (ret); +} +#endif diff --git a/openssl-1.1.0h/apps/dsa1024.pem b/openssl-1.1.0h/apps/dsa1024.pem new file mode 100644 index 0000000..082dec3 --- /dev/null +++ b/openssl-1.1.0h/apps/dsa1024.pem @@ -0,0 +1,9 @@ +-----BEGIN DSA PARAMETERS----- +MIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMuj+BZgnOQPnUx +mUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb77Cjcwtelu+Us +OSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DNSQIVAPcHMe36 +bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh5bNdmLsohkj8 +3pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFNnFQPWAbuSXQH +zlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusBtXOlan7YMu0O +Arg= +-----END DSA PARAMETERS----- diff --git a/openssl-1.1.0h/apps/dsa512.pem b/openssl-1.1.0h/apps/dsa512.pem new file mode 100644 index 0000000..5f86d1a --- /dev/null +++ b/openssl-1.1.0h/apps/dsa512.pem @@ -0,0 +1,6 @@ +-----BEGIN DSA PARAMETERS----- +MIGdAkEAnRtpjibb8isRcBmG9hnI+BnyGFOURgbQYlAzSwI8UjADizv5X9EkBk97 +TLqqQJv9luQ3M7stWtdaEUBmonZ9MQIVAPtT71C0QJIxVoZTeuiLIppJ+3GPAkEA +gz6I5cWJc847bAFJv7PHnwrqRJHlMKrZvltftxDXibeOdPvPKR7rqCxUUbgQ3qDO +L8wka5B33qJoplISogOdIA== +-----END DSA PARAMETERS----- diff --git a/openssl-1.1.0h/apps/dsap.pem b/openssl-1.1.0h/apps/dsap.pem new file mode 100644 index 0000000..d4dfdb3 --- /dev/null +++ b/openssl-1.1.0h/apps/dsap.pem @@ -0,0 +1,6 @@ +-----BEGIN DSA PARAMETERS----- +MIGcAkEA+ZiKEvZmc9MtnaFZh4NiZ3oZS4J1PHvPrm9MXj5ntVheDPkdmBDTncya +GAJcMjwsyB/GvLDGd6yGCw/8eF+09wIVAK3VagOxGd/Q4Af5NbxR5FB7CXEjAkA2 +t/q7HgVLi0KeKvcDG8BRl3wuy7bCvpjgtWiJc/tpvcuzeuAayH89UofjAGueKjXD +ADiRffvSdhrNw5dkqdql +-----END DSA PARAMETERS----- diff --git a/openssl-1.1.0h/apps/dsaparam.c b/openssl-1.1.0h/apps/dsaparam.c new file mode 100644 index 0000000..5c3c8f8 --- /dev/null +++ b/openssl-1.1.0h/apps/dsaparam.c @@ -0,0 +1,316 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_DSA +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include +# include +# include + +# ifdef GENCB_TEST + +static int stop_keygen_flag = 0; + +static void timebomb_sigalarm(int foo) +{ + stop_keygen_flag = 1; +} + +# endif + +static int dsa_cb(int p, int n, BN_GENCB *cb); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, + OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_ENGINE, + OPT_TIMEBOMB +} OPTION_CHOICE; + +OPTIONS dsaparam_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"in", OPT_IN, '<', "Input file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"out", OPT_OUT, '>', "Output file"}, + {"text", OPT_TEXT, '-', "Print as text"}, + {"C", OPT_C, '-', "Output C code"}, + {"noout", OPT_NOOUT, '-', "No output"}, + {"genkey", OPT_GENKEY, '-', "Generate a DSA key"}, + {"rand", OPT_RAND, 's', "Files to use for random number input"}, +# ifdef GENCB_TEST + {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"}, +# endif +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, +# endif + {NULL} +}; + +int dsaparam_main(int argc, char **argv) +{ + ENGINE *e = NULL; + DSA *dsa = NULL; + BIO *in = NULL, *out = NULL; + BN_GENCB *cb = NULL; + int numbits = -1, num = 0, genkey = 0, need_rand = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0; + int ret = 1, i, text = 0, private = 0; +# ifdef GENCB_TEST + int timebomb = 0; +# endif + char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, dsaparam_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(dsaparam_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_TIMEBOMB: +# ifdef GENCB_TEST + timebomb = atoi(opt_arg()); + break; +# endif + case OPT_TEXT: + text = 1; + break; + case OPT_C: + C = 1; + break; + case OPT_GENKEY: + genkey = need_rand = 1; + break; + case OPT_RAND: + inrand = opt_arg(); + need_rand = 1; + break; + case OPT_NOOUT: + noout = 1; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (argc == 1) { + if (!opt_int(argv[0], &num) || num < 0) + goto end; + /* generate a key */ + numbits = num; + need_rand = 1; + } + private = genkey ? 1 : 0; + + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + out = bio_open_owner(outfile, outformat, private); + if (out == NULL) + goto end; + + if (need_rand) { + app_RAND_load_file(NULL, (inrand != NULL)); + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + } + + if (numbits > 0) { + cb = BN_GENCB_new(); + if (cb == NULL) { + BIO_printf(bio_err, "Error allocating BN_GENCB object\n"); + goto end; + } + BN_GENCB_set(cb, dsa_cb, bio_err); + assert(need_rand); + dsa = DSA_new(); + if (dsa == NULL) { + BIO_printf(bio_err, "Error allocating DSA object\n"); + goto end; + } + BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n", + num); + BIO_printf(bio_err, "This could take some time\n"); +# ifdef GENCB_TEST + if (timebomb > 0) { + struct sigaction act; + act.sa_handler = timebomb_sigalarm; + act.sa_flags = 0; + BIO_printf(bio_err, + "(though I'll stop it if not done within %d secs)\n", + timebomb); + if (sigaction(SIGALRM, &act, NULL) != 0) { + BIO_printf(bio_err, "Error, couldn't set SIGALRM handler\n"); + goto end; + } + alarm(timebomb); + } +# endif + if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, cb)) { +# ifdef GENCB_TEST + if (stop_keygen_flag) { + BIO_printf(bio_err, "DSA key generation time-stopped\n"); + /* This is an asked-for behaviour! */ + ret = 0; + goto end; + } +# endif + ERR_print_errors(bio_err); + BIO_printf(bio_err, "Error, DSA key generation failed\n"); + goto end; + } + } else if (informat == FORMAT_ASN1) + dsa = d2i_DSAparams_bio(in, NULL); + else + dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL); + if (dsa == NULL) { + BIO_printf(bio_err, "unable to load DSA parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + + if (text) { + DSAparams_print(out, dsa); + } + + if (C) { + const BIGNUM *p = NULL, *q = NULL, *g = NULL; + unsigned char *data; + int len, bits_p; + + DSA_get0_pqg(dsa, &p, &q, &g); + len = BN_num_bytes(p); + bits_p = BN_num_bits(p); + + data = app_malloc(len + 20, "BN space"); + + BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p); + print_bignum_var(bio_out, p, "dsap", len, data); + print_bignum_var(bio_out, q, "dsaq", len, data); + print_bignum_var(bio_out, g, "dsag", len, data); + BIO_printf(bio_out, " DSA *dsa = DSA_new();\n" + "\n"); + BIO_printf(bio_out, " if (dsa == NULL)\n" + " return NULL;\n"); + BIO_printf(bio_out, " dsa->p = BN_bin2bn(dsap_%d, sizeof(dsap_%d), NULL);\n", + bits_p, bits_p); + BIO_printf(bio_out, " dsa->q = BN_bin2bn(dsaq_%d, sizeof(dsaq_%d), NULL);\n", + bits_p, bits_p); + BIO_printf(bio_out, " dsa->g = BN_bin2bn(dsag_%d, sizeof(dsag_%d), NULL);\n", + bits_p, bits_p); + BIO_printf(bio_out, " if (!dsa->p || !dsa->q || !dsa->g) {\n" + " DSA_free(dsa);\n" + " return NULL;\n" + " }\n" + " return(dsa);\n}\n"); + OPENSSL_free(data); + } + + if (outformat == FORMAT_ASN1 && genkey) + noout = 1; + + if (!noout) { + if (outformat == FORMAT_ASN1) + i = i2d_DSAparams_bio(out, dsa); + else + i = PEM_write_bio_DSAparams(out, dsa); + if (!i) { + BIO_printf(bio_err, "unable to write DSA parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + } + if (genkey) { + DSA *dsakey; + + assert(need_rand); + if ((dsakey = DSAparams_dup(dsa)) == NULL) + goto end; + if (!DSA_generate_key(dsakey)) { + ERR_print_errors(bio_err); + DSA_free(dsakey); + goto end; + } + assert(private); + if (outformat == FORMAT_ASN1) + i = i2d_DSAPrivateKey_bio(out, dsakey); + else + i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL, + NULL); + DSA_free(dsakey); + } + if (need_rand) + app_RAND_write_file(NULL); + ret = 0; + end: + BN_GENCB_free(cb); + BIO_free(in); + BIO_free_all(out); + DSA_free(dsa); + release_engine(e); + return (ret); +} + +static int dsa_cb(int p, int n, BN_GENCB *cb) +{ + char c = '*'; + + if (p == 0) + c = '.'; + if (p == 1) + c = '+'; + if (p == 2) + c = '*'; + if (p == 3) + c = '\n'; + BIO_write(BN_GENCB_get_arg(cb), &c, 1); + (void)BIO_flush(BN_GENCB_get_arg(cb)); +# ifdef GENCB_TEST + if (stop_keygen_flag) + return 0; +# endif + return 1; +} +#endif diff --git a/openssl-1.1.0h/apps/ec.c b/openssl-1.1.0h/apps/ec.c new file mode 100644 index 0000000..2516c03 --- /dev/null +++ b/openssl-1.1.0h/apps/ec.c @@ -0,0 +1,281 @@ +/* + * Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_EC +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include + +static OPT_PAIR conv_forms[] = { + {"compressed", POINT_CONVERSION_COMPRESSED}, + {"uncompressed", POINT_CONVERSION_UNCOMPRESSED}, + {"hybrid", POINT_CONVERSION_HYBRID}, + {NULL} +}; + +static OPT_PAIR param_enc[] = { + {"named_curve", OPENSSL_EC_NAMED_CURVE}, + {"explicit", 0}, + {NULL} +}; + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT, + OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER, + OPT_NO_PUBLIC, OPT_CHECK +} OPTION_CHOICE; + +OPTIONS ec_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, 's', "Input file"}, + {"inform", OPT_INFORM, 'f', "Input format - DER or PEM"}, + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"noout", OPT_NOOUT, '-', "Don't print key out"}, + {"text", OPT_TEXT, '-', "Print the key"}, + {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"}, + {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, + {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, + {"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"}, + {"check", OPT_CHECK, '-', "check key consistency"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"param_enc", OPT_PARAM_ENC, 's', + "Specifies the way the ec parameters are encoded"}, + {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +int ec_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + ENGINE *e = NULL; + EC_KEY *eckey = NULL; + const EC_GROUP *group; + const EVP_CIPHER *enc = NULL; + point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; + char *infile = NULL, *outfile = NULL, *prog; + char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; + OPTION_CHOICE o; + int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; + int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0; + int no_public = 0, check = 0; + + prog = opt_init(argc, argv, ec_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ec_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_PARAM_OUT: + param_out = 1; + break; + case OPT_PUBIN: + pubin = 1; + break; + case OPT_PUBOUT: + pubout = 1; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto opthelp; + break; + case OPT_CONV_FORM: + if (!opt_pair(opt_arg(), conv_forms, &i)) + goto opthelp; + new_form = 1; + form = i; + break; + case OPT_PARAM_ENC: + if (!opt_pair(opt_arg(), param_enc, &i)) + goto opthelp; + new_asn1_flag = 1; + asn1_flag = i; + break; + case OPT_NO_PUBLIC: + no_public = 1; + break; + case OPT_CHECK: + check = 1; + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + private = param_out || pubin || pubout ? 0 : 1; + if (text && !pubin) + private = 1; + + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + + if (informat != FORMAT_ENGINE) { + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + } + + BIO_printf(bio_err, "read EC key\n"); + if (informat == FORMAT_ASN1) { + if (pubin) + eckey = d2i_EC_PUBKEY_bio(in, NULL); + else + eckey = d2i_ECPrivateKey_bio(in, NULL); + } else if (informat == FORMAT_ENGINE) { + EVP_PKEY *pkey; + if (pubin) + pkey = load_pubkey(infile, informat , 1, passin, e, "Public Key"); + else + pkey = load_key(infile, informat, 1, passin, e, "Private Key"); + if (pkey != NULL) { + eckey = EVP_PKEY_get1_EC_KEY(pkey); + EVP_PKEY_free(pkey); + } + } else { + if (pubin) + eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL); + else + eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin); + } + if (eckey == NULL) { + BIO_printf(bio_err, "unable to load Key\n"); + ERR_print_errors(bio_err); + goto end; + } + + out = bio_open_owner(outfile, outformat, private); + if (out == NULL) + goto end; + + group = EC_KEY_get0_group(eckey); + + if (new_form) + EC_KEY_set_conv_form(eckey, form); + + if (new_asn1_flag) + EC_KEY_set_asn1_flag(eckey, asn1_flag); + + if (no_public) + EC_KEY_set_enc_flags(eckey, EC_PKEY_NO_PUBKEY); + + if (text) { + assert(pubin || private); + if (!EC_KEY_print(out, eckey, 0)) { + perror(outfile); + ERR_print_errors(bio_err); + goto end; + } + } + + if (check) { + if (EC_KEY_check_key(eckey) == 1) { + BIO_printf(bio_err, "EC Key valid.\n"); + } else { + BIO_printf(bio_err, "EC Key Invalid!\n"); + ERR_print_errors(bio_err); + } + } + + if (noout) { + ret = 0; + goto end; + } + + BIO_printf(bio_err, "writing EC key\n"); + if (outformat == FORMAT_ASN1) { + if (param_out) + i = i2d_ECPKParameters_bio(out, group); + else if (pubin || pubout) + i = i2d_EC_PUBKEY_bio(out, eckey); + else { + assert(private); + i = i2d_ECPrivateKey_bio(out, eckey); + } + } else { + if (param_out) + i = PEM_write_bio_ECPKParameters(out, group); + else if (pubin || pubout) + i = PEM_write_bio_EC_PUBKEY(out, eckey); + else { + assert(private); + i = PEM_write_bio_ECPrivateKey(out, eckey, enc, + NULL, 0, NULL, passout); + } + } + + if (!i) { + BIO_printf(bio_err, "unable to write private key\n"); + ERR_print_errors(bio_err); + } else + ret = 0; + end: + BIO_free(in); + BIO_free_all(out); + EC_KEY_free(eckey); + release_engine(e); + OPENSSL_free(passin); + OPENSSL_free(passout); + return (ret); +} +#endif diff --git a/openssl-1.1.0h/apps/ecparam.c b/openssl-1.1.0h/apps/ecparam.c new file mode 100644 index 0000000..999f748 --- /dev/null +++ b/openssl-1.1.0h/apps/ecparam.c @@ -0,0 +1,471 @@ +/* + * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* ==================================================================== + * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. + * + * Portions of the attached software ("Contribution") are developed by + * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. + * + * The Contribution is licensed pursuant to the OpenSSL open source + * license provided above. + * + * The elliptic curve binary polynomial software is originally written by + * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. + * + */ + +#include +#ifdef OPENSSL_NO_EC +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include +# include +# include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, + OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME, + OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_RAND, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS ecparam_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"}, + {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"}, + {"in", OPT_IN, '<', "Input file - default stdin"}, + {"out", OPT_OUT, '>', "Output file - default stdout"}, + {"text", OPT_TEXT, '-', "Print the ec parameters in text form"}, + {"C", OPT_C, '-', "Print a 'C' function creating the parameters"}, + {"check", OPT_CHECK, '-', "Validate the ec parameters"}, + {"list_curves", OPT_LIST_CURVES, '-', + "Prints a list of all curve 'short names'"}, + {"no_seed", OPT_NO_SEED, '-', + "If 'explicit' parameters are chosen do not use the seed"}, + {"noout", OPT_NOOUT, '-', "Do not print the ec parameter"}, + {"name", OPT_NAME, 's', + "Use the ec parameters with specified 'short name'"}, + {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "}, + {"param_enc", OPT_PARAM_ENC, 's', + "Specifies the way the ec parameters are encoded"}, + {"genkey", OPT_GENKEY, '-', "Generate ec key"}, + {"rand", OPT_RAND, 's', "Files to use for random number input"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +static OPT_PAIR forms[] = { + {"compressed", POINT_CONVERSION_COMPRESSED}, + {"uncompressed", POINT_CONVERSION_UNCOMPRESSED}, + {"hybrid", POINT_CONVERSION_HYBRID}, + {NULL} +}; + +static OPT_PAIR encodings[] = { + {"named_curve", OPENSSL_EC_NAMED_CURVE}, + {"explicit", 0}, + {NULL} +}; + +int ecparam_main(int argc, char **argv) +{ + ENGINE *e = NULL; + BIGNUM *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL; + BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL; + BIO *in = NULL, *out = NULL; + EC_GROUP *group = NULL; + point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; + char *curve_name = NULL, *inrand = NULL; + char *infile = NULL, *outfile = NULL, *prog; + unsigned char *buffer = NULL; + OPTION_CHOICE o; + int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0; + int ret = 1, private = 0; + int list_curves = 0, no_seed = 0, check = 0, new_form = 0; + int text = 0, i, need_rand = 0, genkey = 0; + + prog = opt_init(argc, argv, ecparam_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ecparam_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_TEXT: + text = 1; + break; + case OPT_C: + C = 1; + break; + case OPT_CHECK: + check = 1; + break; + case OPT_LIST_CURVES: + list_curves = 1; + break; + case OPT_NO_SEED: + no_seed = 1; + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_NAME: + curve_name = opt_arg(); + break; + case OPT_CONV_FORM: + if (!opt_pair(opt_arg(), forms, &new_form)) + goto opthelp; + form = new_form; + new_form = 1; + break; + case OPT_PARAM_ENC: + if (!opt_pair(opt_arg(), encodings, &asn1_flag)) + goto opthelp; + new_asn1_flag = 1; + break; + case OPT_GENKEY: + genkey = need_rand = 1; + break; + case OPT_RAND: + inrand = opt_arg(); + need_rand = 1; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + private = genkey ? 1 : 0; + + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + out = bio_open_owner(outfile, outformat, private); + if (out == NULL) + goto end; + + if (list_curves) { + EC_builtin_curve *curves = NULL; + size_t crv_len = EC_get_builtin_curves(NULL, 0); + size_t n; + + curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves"); + if (!EC_get_builtin_curves(curves, crv_len)) { + OPENSSL_free(curves); + goto end; + } + + for (n = 0; n < crv_len; n++) { + const char *comment; + const char *sname; + comment = curves[n].comment; + sname = OBJ_nid2sn(curves[n].nid); + if (comment == NULL) + comment = "CURVE DESCRIPTION NOT AVAILABLE"; + if (sname == NULL) + sname = ""; + + BIO_printf(out, " %-10s: ", sname); + BIO_printf(out, "%s\n", comment); + } + + OPENSSL_free(curves); + ret = 0; + goto end; + } + + if (curve_name != NULL) { + int nid; + + /* + * workaround for the SECG curve names secp192r1 and secp256r1 (which + * are the same as the curves prime192v1 and prime256v1 defined in + * X9.62) + */ + if (strcmp(curve_name, "secp192r1") == 0) { + BIO_printf(bio_err, "using curve name prime192v1 " + "instead of secp192r1\n"); + nid = NID_X9_62_prime192v1; + } else if (strcmp(curve_name, "secp256r1") == 0) { + BIO_printf(bio_err, "using curve name prime256v1 " + "instead of secp256r1\n"); + nid = NID_X9_62_prime256v1; + } else + nid = OBJ_sn2nid(curve_name); + + if (nid == 0) + nid = EC_curve_nist2nid(curve_name); + + if (nid == 0) { + BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name); + goto end; + } + + group = EC_GROUP_new_by_curve_name(nid); + if (group == NULL) { + BIO_printf(bio_err, "unable to create curve (%s)\n", curve_name); + goto end; + } + EC_GROUP_set_asn1_flag(group, asn1_flag); + EC_GROUP_set_point_conversion_form(group, form); + } else if (informat == FORMAT_ASN1) + group = d2i_ECPKParameters_bio(in, NULL); + else + group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL); + if (group == NULL) { + BIO_printf(bio_err, "unable to load elliptic curve parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + + if (new_form) + EC_GROUP_set_point_conversion_form(group, form); + + if (new_asn1_flag) + EC_GROUP_set_asn1_flag(group, asn1_flag); + + if (no_seed) { + EC_GROUP_set_seed(group, NULL, 0); + } + + if (text) { + if (!ECPKParameters_print(out, group, 0)) + goto end; + } + + if (check) { + BIO_printf(bio_err, "checking elliptic curve parameters: "); + if (!EC_GROUP_check(group, NULL)) { + BIO_printf(bio_err, "failed\n"); + ERR_print_errors(bio_err); + goto end; + } + BIO_printf(bio_err, "ok\n"); + + } + + if (C) { + size_t buf_len = 0, tmp_len = 0; + const EC_POINT *point; + int is_prime, len = 0; + const EC_METHOD *meth = EC_GROUP_method_of(group); + + if ((ec_p = BN_new()) == NULL + || (ec_a = BN_new()) == NULL + || (ec_b = BN_new()) == NULL + || (ec_gen = BN_new()) == NULL + || (ec_order = BN_new()) == NULL + || (ec_cofactor = BN_new()) == NULL) { + perror("Can't allocate BN"); + goto end; + } + + is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field); + if (!is_prime) { + BIO_printf(bio_err, "Can only handle X9.62 prime fields\n"); + goto end; + } + + if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a, ec_b, NULL)) + goto end; + + if ((point = EC_GROUP_get0_generator(group)) == NULL) + goto end; + if (!EC_POINT_point2bn(group, point, + EC_GROUP_get_point_conversion_form(group), + ec_gen, NULL)) + goto end; + if (!EC_GROUP_get_order(group, ec_order, NULL)) + goto end; + if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL)) + goto end; + + if (!ec_p || !ec_a || !ec_b || !ec_gen || !ec_order || !ec_cofactor) + goto end; + + len = BN_num_bits(ec_order); + + if ((tmp_len = (size_t)BN_num_bytes(ec_p)) > buf_len) + buf_len = tmp_len; + if ((tmp_len = (size_t)BN_num_bytes(ec_a)) > buf_len) + buf_len = tmp_len; + if ((tmp_len = (size_t)BN_num_bytes(ec_b)) > buf_len) + buf_len = tmp_len; + if ((tmp_len = (size_t)BN_num_bytes(ec_gen)) > buf_len) + buf_len = tmp_len; + if ((tmp_len = (size_t)BN_num_bytes(ec_order)) > buf_len) + buf_len = tmp_len; + if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len) + buf_len = tmp_len; + + buffer = app_malloc(buf_len, "BN buffer"); + + BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n{\n", len); + print_bignum_var(out, ec_p, "ec_p", len, buffer); + print_bignum_var(out, ec_a, "ec_a", len, buffer); + print_bignum_var(out, ec_b, "ec_b", len, buffer); + print_bignum_var(out, ec_gen, "ec_gen", len, buffer); + print_bignum_var(out, ec_order, "ec_order", len, buffer); + print_bignum_var(out, ec_cofactor, "ec_cofactor", len, buffer); + BIO_printf(out, " int ok = 0;\n" + " EC_GROUP *group = NULL;\n" + " EC_POINT *point = NULL;\n" + " BIGNUM *tmp_1 = NULL;\n" + " BIGNUM *tmp_2 = NULL;\n" + " BIGNUM *tmp_3 = NULL;\n" + "\n"); + + BIO_printf(out, " if ((tmp_1 = BN_bin2bn(ec_p_%d, sizeof(ec_p_%d), NULL)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if ((tmp_2 = BN_bin2bn(ec_a_%d, sizeof(ec_a_%d), NULL)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if ((tmp_3 = BN_bin2bn(ec_b_%d, sizeof(ec_b_%d), NULL)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if ((group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)\n" + " goto err;\n" + "\n"); + BIO_printf(out, " /* build generator */\n"); + BIO_printf(out, " if ((tmp_1 = BN_bin2bn(ec_gen_%d, sizeof(ec_gen_%d), tmp_1)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " point = EC_POINT_bn2point(group, tmp_1, NULL, NULL);\n"); + BIO_printf(out, " if (point == NULL)\n" + " goto err;\n"); + BIO_printf(out, " if ((tmp_2 = BN_bin2bn(ec_order_%d, sizeof(ec_order_%d), tmp_2)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if ((tmp_3 = BN_bin2bn(ec_cofactor_%d, sizeof(ec_cofactor_%d), tmp_3)) == NULL)\n" + " goto err;\n", len, len); + BIO_printf(out, " if (!EC_GROUP_set_generator(group, point, tmp_2, tmp_3))\n" + " goto err;\n" + "ok = 1;" + "\n"); + BIO_printf(out, "err:\n" + " BN_free(tmp_1);\n" + " BN_free(tmp_2);\n" + " BN_free(tmp_3);\n" + " EC_POINT_free(point);\n" + " if (!ok) {\n" + " EC_GROUP_free(group);\n" + " return NULL;\n" + " }\n" + " return (group);\n" + "}\n"); + } + + if (outformat == FORMAT_ASN1 && genkey) + noout = 1; + + if (!noout) { + if (outformat == FORMAT_ASN1) + i = i2d_ECPKParameters_bio(out, group); + else + i = PEM_write_bio_ECPKParameters(out, group); + if (!i) { + BIO_printf(bio_err, "unable to write elliptic " + "curve parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + } + + if (need_rand) { + app_RAND_load_file(NULL, (inrand != NULL)); + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + } + + if (genkey) { + EC_KEY *eckey = EC_KEY_new(); + + if (eckey == NULL) + goto end; + + assert(need_rand); + + if (EC_KEY_set_group(eckey, group) == 0) { + BIO_printf(bio_err, "unable to set group when generating key\n"); + EC_KEY_free(eckey); + ERR_print_errors(bio_err); + goto end; + } + + if (new_form) + EC_KEY_set_conv_form(eckey, form); + + if (!EC_KEY_generate_key(eckey)) { + BIO_printf(bio_err, "unable to generate key\n"); + EC_KEY_free(eckey); + ERR_print_errors(bio_err); + goto end; + } + assert(private); + if (outformat == FORMAT_ASN1) + i = i2d_ECPrivateKey_bio(out, eckey); + else + i = PEM_write_bio_ECPrivateKey(out, eckey, NULL, + NULL, 0, NULL, NULL); + EC_KEY_free(eckey); + } + + if (need_rand) + app_RAND_write_file(NULL); + + ret = 0; + end: + BN_free(ec_p); + BN_free(ec_a); + BN_free(ec_b); + BN_free(ec_gen); + BN_free(ec_order); + BN_free(ec_cofactor); + OPENSSL_free(buffer); + EC_GROUP_free(group); + release_engine(e); + BIO_free(in); + BIO_free_all(out); + return (ret); +} + +#endif diff --git a/openssl-1.1.0h/apps/enc.c b/openssl-1.1.0h/apps/enc.c new file mode 100644 index 0000000..df55381 --- /dev/null +++ b/openssl-1.1.0h/apps/enc.c @@ -0,0 +1,623 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include +#include +#include +#ifndef OPENSSL_NO_COMP +# include +#endif +#include + +#undef SIZE +#undef BSIZE +#define SIZE (512) +#define BSIZE (8*1024) + +static int set_hex(char *in, unsigned char *out, int size); +static void show_ciphers(const OBJ_NAME *name, void *bio_); + +struct doall_enc_ciphers { + BIO *bio; + int n; +}; + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_LIST, + OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V, + OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A, + OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE, + OPT_UPPER_S, OPT_IV, OPT_MD, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS enc_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"ciphers", OPT_LIST, '-', "List ciphers"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"pass", OPT_PASS, 's', "Passphrase source"}, + {"e", OPT_E, '-', "Encrypt"}, + {"d", OPT_D, '-', "Decrypt"}, + {"p", OPT_P, '-', "Print the iv/key"}, + {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"}, + {"v", OPT_V, '-', "Verbose output"}, + {"nopad", OPT_NOPAD, '-', "Disable standard block padding"}, + {"salt", OPT_SALT, '-', "Use salt in the KDF (default)"}, + {"nosalt", OPT_NOSALT, '-', "Do not use salt in the KDF"}, + {"debug", OPT_DEBUG, '-', "Print debug info"}, + {"a", OPT_A, '-', "Base64 encode/decode, depending on encryption flag"}, + {"base64", OPT_A, '-', "Same as option -a"}, + {"A", OPT_UPPER_A, '-', + "Used with -[base64|a] to specify base64 buffer as a single line"}, + {"bufsize", OPT_BUFSIZE, 's', "Buffer size"}, + {"k", OPT_K, 's', "Passphrase"}, + {"kfile", OPT_KFILE, '<', "Read passphrase from file"}, + {"K", OPT_UPPER_K, 's', "Raw key, in hex"}, + {"S", OPT_UPPER_S, 's', "Salt, in hex"}, + {"iv", OPT_IV, 's', "IV in hex"}, + {"md", OPT_MD, 's', "Use specified digest to create a key from the passphrase"}, + {"none", OPT_NONE, '-', "Don't encrypt"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, +#ifdef ZLIB + {"z", OPT_Z, '-', "Use zlib as the 'encryption'"}, +#endif +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int enc_main(int argc, char **argv) +{ + static char buf[128]; + static const char magic[] = "Salted__"; + ENGINE *e = NULL; + BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = + NULL, *wbio = NULL; + EVP_CIPHER_CTX *ctx = NULL; + const EVP_CIPHER *cipher = NULL, *c; + const EVP_MD *dgst = NULL; + char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p; + char *infile = NULL, *outfile = NULL, *prog; + char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL; + char mbuf[sizeof(magic) - 1]; + OPTION_CHOICE o; + int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0; + int enc = 1, printkey = 0, i, k; + int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY; + int ret = 1, inl, nopad = 0; + unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; + unsigned char *buff = NULL, salt[PKCS5_SALT_LEN]; + long n; + struct doall_enc_ciphers dec; +#ifdef ZLIB + int do_zlib = 0; + BIO *bzl = NULL; +#endif + + /* first check the program name */ + prog = opt_progname(argv[0]); + if (strcmp(prog, "base64") == 0) + base64 = 1; +#ifdef ZLIB + else if (strcmp(prog, "zlib") == 0) + do_zlib = 1; +#endif + else { + cipher = EVP_get_cipherbyname(prog); + if (cipher == NULL && strcmp(prog, "enc") != 0) { + BIO_printf(bio_err, "%s is not a known cipher\n", prog); + goto end; + } + } + + prog = opt_init(argc, argv, enc_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(enc_options); + ret = 0; + goto end; + case OPT_LIST: + BIO_printf(bio_out, "Supported ciphers:\n"); + dec.bio = bio_out; + dec.n = 0; + OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, + show_ciphers, &dec); + BIO_printf(bio_out, "\n"); + ret = 0; + goto end; + case OPT_E: + enc = 1; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASS: + passarg = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_D: + enc = 0; + break; + case OPT_P: + printkey = 1; + break; + case OPT_V: + verbose = 1; + break; + case OPT_NOPAD: + nopad = 1; + break; + case OPT_SALT: + nosalt = 0; + break; + case OPT_NOSALT: + nosalt = 1; + break; + case OPT_DEBUG: + debug = 1; + break; + case OPT_UPPER_P: + printkey = 2; + break; + case OPT_UPPER_A: + olb64 = 1; + break; + case OPT_A: + base64 = 1; + break; + case OPT_Z: +#ifdef ZLIB + do_zlib = 1; +#endif + break; + case OPT_BUFSIZE: + p = opt_arg(); + i = (int)strlen(p) - 1; + k = i >= 1 && p[i] == 'k'; + if (k) + p[i] = '\0'; + if (!opt_long(opt_arg(), &n) + || n < 0 || (k && n >= LONG_MAX / 1024)) + goto opthelp; + if (k) + n *= 1024; + bsize = (int)n; + break; + case OPT_K: + str = opt_arg(); + break; + case OPT_KFILE: + in = bio_open_default(opt_arg(), 'r', FORMAT_TEXT); + if (in == NULL) + goto opthelp; + i = BIO_gets(in, buf, sizeof(buf)); + BIO_free(in); + in = NULL; + if (i <= 0) { + BIO_printf(bio_err, + "%s Can't read key from %s\n", prog, opt_arg()); + goto opthelp; + } + while (--i > 0 && (buf[i] == '\r' || buf[i] == '\n')) + buf[i] = '\0'; + if (i <= 0) { + BIO_printf(bio_err, "%s: zero length password\n", prog); + goto opthelp; + } + str = buf; + break; + case OPT_UPPER_K: + hkey = opt_arg(); + break; + case OPT_UPPER_S: + hsalt = opt_arg(); + break; + case OPT_IV: + hiv = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_arg(), &dgst)) + goto opthelp; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &c)) + goto opthelp; + cipher = c; + break; + case OPT_NONE: + cipher = NULL; + break; + } + } + if (opt_num_rest() != 0) { + BIO_printf(bio_err, "Extra arguments given.\n"); + goto opthelp; + } + + if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { + BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog); + goto end; + } + + if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) { + BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog); + goto end; + } + + if (dgst == NULL) + dgst = EVP_sha256(); + + /* It must be large enough for a base64 encoded line */ + if (base64 && bsize < 80) + bsize = 80; + if (verbose) + BIO_printf(bio_err, "bufsize=%d\n", bsize); + +#ifdef ZLIB + if (!do_zlib) +#endif + if (base64) { + if (enc) + outformat = FORMAT_BASE64; + else + informat = FORMAT_BASE64; + } + + strbuf = app_malloc(SIZE, "strbuf"); + buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer"); + + if (infile == NULL) { + in = dup_bio_in(informat); + } else + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + + if (!str && passarg) { + if (!app_passwd(passarg, NULL, &pass, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + str = pass; + } + + if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) { + if (1) { +#ifndef OPENSSL_NO_UI + for (;;) { + char prompt[200]; + + BIO_snprintf(prompt, sizeof(prompt), "enter %s %s password:", + OBJ_nid2ln(EVP_CIPHER_nid(cipher)), + (enc) ? "encryption" : "decryption"); + strbuf[0] = '\0'; + i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc); + if (i == 0) { + if (strbuf[0] == '\0') { + ret = 1; + goto end; + } + str = strbuf; + break; + } + if (i < 0) { + BIO_printf(bio_err, "bad password read\n"); + goto end; + } + } + } else { +#endif + BIO_printf(bio_err, "password required\n"); + goto end; + } + } + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + + if (debug) { + BIO_set_callback(in, BIO_debug_callback); + BIO_set_callback(out, BIO_debug_callback); + BIO_set_callback_arg(in, (char *)bio_err); + BIO_set_callback_arg(out, (char *)bio_err); + } + + rbio = in; + wbio = out; + +#ifdef ZLIB + if (do_zlib) { + if ((bzl = BIO_new(BIO_f_zlib())) == NULL) + goto end; + if (debug) { + BIO_set_callback(bzl, BIO_debug_callback); + BIO_set_callback_arg(bzl, (char *)bio_err); + } + if (enc) + wbio = BIO_push(bzl, wbio); + else + rbio = BIO_push(bzl, rbio); + } +#endif + + if (base64) { + if ((b64 = BIO_new(BIO_f_base64())) == NULL) + goto end; + if (debug) { + BIO_set_callback(b64, BIO_debug_callback); + BIO_set_callback_arg(b64, (char *)bio_err); + } + if (olb64) + BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); + if (enc) + wbio = BIO_push(b64, wbio); + else + rbio = BIO_push(b64, rbio); + } + + if (cipher != NULL) { + /* + * Note that str is NULL if a key was passed on the command line, so + * we get no salt in that case. Is this a bug? + */ + if (str != NULL) { + /* + * Salt handling: if encrypting generate a salt and write to + * output BIO. If decrypting read salt from input BIO. + */ + unsigned char *sptr; + size_t str_len = strlen(str); + + if (nosalt) + sptr = NULL; + else { + if (enc) { + if (hsalt) { + if (!set_hex(hsalt, salt, sizeof(salt))) { + BIO_printf(bio_err, "invalid hex salt value\n"); + goto end; + } + } else if (RAND_bytes(salt, sizeof(salt)) <= 0) + goto end; + /* + * If -P option then don't bother writing + */ + if ((printkey != 2) + && (BIO_write(wbio, magic, + sizeof(magic) - 1) != sizeof(magic) - 1 + || BIO_write(wbio, + (char *)salt, + sizeof(salt)) != sizeof(salt))) { + BIO_printf(bio_err, "error writing output file\n"); + goto end; + } + } else if (BIO_read(rbio, mbuf, sizeof(mbuf)) != sizeof(mbuf) + || BIO_read(rbio, + (unsigned char *)salt, + sizeof(salt)) != sizeof(salt)) { + BIO_printf(bio_err, "error reading input file\n"); + goto end; + } else if (memcmp(mbuf, magic, sizeof(magic) - 1)) { + BIO_printf(bio_err, "bad magic number\n"); + goto end; + } + + sptr = salt; + } + + if (!EVP_BytesToKey(cipher, dgst, sptr, + (unsigned char *)str, + str_len, 1, key, iv)) { + BIO_printf(bio_err, "EVP_BytesToKey failed\n"); + goto end; + } + /* + * zero the complete buffer or the string passed from the command + * line bug picked up by Larry J. Hughes Jr. + */ + if (str == strbuf) + OPENSSL_cleanse(str, SIZE); + else + OPENSSL_cleanse(str, str_len); + } + if (hiv != NULL) { + int siz = EVP_CIPHER_iv_length(cipher); + if (siz == 0) { + BIO_printf(bio_err, "warning: iv not use by this cipher\n"); + } else if (!set_hex(hiv, iv, sizeof(iv))) { + BIO_printf(bio_err, "invalid hex iv value\n"); + goto end; + } + } + if ((hiv == NULL) && (str == NULL) + && EVP_CIPHER_iv_length(cipher) != 0) { + /* + * No IV was explicitly set and no IV was generated during + * EVP_BytesToKey. Hence the IV is undefined, making correct + * decryption impossible. + */ + BIO_printf(bio_err, "iv undefined\n"); + goto end; + } + if ((hkey != NULL) && !set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) { + BIO_printf(bio_err, "invalid hex key value\n"); + goto end; + } + + if ((benc = BIO_new(BIO_f_cipher())) == NULL) + goto end; + + /* + * Since we may be changing parameters work on the encryption context + * rather than calling BIO_set_cipher(). + */ + + BIO_get_cipher_ctx(benc, &ctx); + + if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) { + BIO_printf(bio_err, "Error setting cipher %s\n", + EVP_CIPHER_name(cipher)); + ERR_print_errors(bio_err); + goto end; + } + + if (nopad) + EVP_CIPHER_CTX_set_padding(ctx, 0); + + if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) { + BIO_printf(bio_err, "Error setting cipher %s\n", + EVP_CIPHER_name(cipher)); + ERR_print_errors(bio_err); + goto end; + } + + if (debug) { + BIO_set_callback(benc, BIO_debug_callback); + BIO_set_callback_arg(benc, (char *)bio_err); + } + + if (printkey) { + if (!nosalt) { + printf("salt="); + for (i = 0; i < (int)sizeof(salt); i++) + printf("%02X", salt[i]); + printf("\n"); + } + if (EVP_CIPHER_key_length(cipher) > 0) { + printf("key="); + for (i = 0; i < EVP_CIPHER_key_length(cipher); i++) + printf("%02X", key[i]); + printf("\n"); + } + if (EVP_CIPHER_iv_length(cipher) > 0) { + printf("iv ="); + for (i = 0; i < EVP_CIPHER_iv_length(cipher); i++) + printf("%02X", iv[i]); + printf("\n"); + } + if (printkey == 2) { + ret = 0; + goto end; + } + } + } + + /* Only encrypt/decrypt as we write the file */ + if (benc != NULL) + wbio = BIO_push(benc, wbio); + + for (;;) { + inl = BIO_read(rbio, (char *)buff, bsize); + if (inl <= 0) + break; + if (BIO_write(wbio, (char *)buff, inl) != inl) { + BIO_printf(bio_err, "error writing output file\n"); + goto end; + } + } + if (!BIO_flush(wbio)) { + BIO_printf(bio_err, "bad decrypt\n"); + goto end; + } + + ret = 0; + if (verbose) { + BIO_printf(bio_err, "bytes read :%8"BIO_PRI64"u\n", BIO_number_read(in)); + BIO_printf(bio_err, "bytes written:%8"BIO_PRI64"u\n", BIO_number_written(out)); + } + end: + ERR_print_errors(bio_err); + OPENSSL_free(strbuf); + OPENSSL_free(buff); + BIO_free(in); + BIO_free_all(out); + BIO_free(benc); + BIO_free(b64); +#ifdef ZLIB + BIO_free(bzl); +#endif + release_engine(e); + OPENSSL_free(pass); + return (ret); +} + +static void show_ciphers(const OBJ_NAME *name, void *arg) +{ + struct doall_enc_ciphers *dec = (struct doall_enc_ciphers *)arg; + const EVP_CIPHER *cipher; + + if (!islower((unsigned char)*name->name)) + return; + + /* Filter out ciphers that we cannot use */ + cipher = EVP_get_cipherbyname(name->name); + if (cipher == NULL || + (EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0 || + EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE) + return; + + BIO_printf(dec->bio, "-%-25s", name->name); + if (++dec->n == 3) { + BIO_printf(dec->bio, "\n"); + dec->n = 0; + } else + BIO_printf(dec->bio, " "); +} + +static int set_hex(char *in, unsigned char *out, int size) +{ + int i, n; + unsigned char j; + + n = strlen(in); + if (n > (size * 2)) { + BIO_printf(bio_err, "hex string is too long\n"); + return (0); + } + memset(out, 0, size); + for (i = 0; i < n; i++) { + j = (unsigned char)*in; + *(in++) = '\0'; + if (j == 0) + break; + if (!isxdigit(j)) { + BIO_printf(bio_err, "non-hex digit\n"); + return (0); + } + j = (unsigned char)OPENSSL_hexchar2int(j); + if (i & 1) + out[i / 2] |= j; + else + out[i / 2] = (j << 4); + } + return (1); +} diff --git a/openssl-1.1.0h/apps/engine.c b/openssl-1.1.0h/apps/engine.c new file mode 100644 index 0000000..4eeb642 --- /dev/null +++ b/openssl-1.1.0h/apps/engine.c @@ -0,0 +1,446 @@ +/* + * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_ENGINE +NON_EMPTY_TRANSLATION_UNIT +#else + +# include "apps.h" +# include +# include +# include +# include +# include +# include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST, + OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV +} OPTION_CHOICE; + +OPTIONS engine_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"}, + {OPT_HELP_STR, 1, '-', + " engine... Engines to load\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"v", OPT_V, '-', "List 'control commands' For each specified engine"}, + {"vv", OPT_VV, '-', "Also display each command's description"}, + {"vvv", OPT_VVV, '-', "Also add the input flags for each command"}, + {"vvvv", OPT_VVVV, '-', "Also show internal input flags"}, + {"c", OPT_C, '-', "List the capabilities of specified engine"}, + {"t", OPT_T, '-', "Check that specified engine is available"}, + {"tt", OPT_TT, '-', "Display error trace for unavailable engines"}, + {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"}, + {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"}, + {OPT_MORE_STR, OPT_EOF, 1, + "Commands are like \"SO_PATH:/lib/libdriver.so\""}, + {NULL} +}; + +static int append_buf(char **buf, int *size, const char *s) +{ + if (*buf == NULL) { + *size = 256; + *buf = app_malloc(*size, "engine buffer"); + **buf = '\0'; + } + + if (strlen(*buf) + strlen(s) >= (unsigned int)*size) { + char *tmp; + *size += 256; + tmp = OPENSSL_realloc(*buf, *size); + if (tmp == NULL) { + OPENSSL_free(*buf); + *buf = NULL; + return 0; + } + *buf = tmp; + } + + if (**buf != '\0') + OPENSSL_strlcat(*buf, ", ", *size); + OPENSSL_strlcat(*buf, s, *size); + + return 1; +} + +static int util_flags(BIO *out, unsigned int flags, const char *indent) +{ + int started = 0, err = 0; + /* Indent before displaying input flags */ + BIO_printf(out, "%s%s(input flags): ", indent, indent); + if (flags == 0) { + BIO_printf(out, "\n"); + return 1; + } + /* + * If the object is internal, mark it in a way that shows instead of + * having it part of all the other flags, even if it really is. + */ + if (flags & ENGINE_CMD_FLAG_INTERNAL) { + BIO_printf(out, "[Internal] "); + } + + if (flags & ENGINE_CMD_FLAG_NUMERIC) { + BIO_printf(out, "NUMERIC"); + started = 1; + } + /* + * Now we check that no combinations of the mutually exclusive NUMERIC, + * STRING, and NO_INPUT flags have been used. Future flags that can be + * OR'd together with these would need to added after these to preserve + * the testing logic. + */ + if (flags & ENGINE_CMD_FLAG_STRING) { + if (started) { + BIO_printf(out, "|"); + err = 1; + } + BIO_printf(out, "STRING"); + started = 1; + } + if (flags & ENGINE_CMD_FLAG_NO_INPUT) { + if (started) { + BIO_printf(out, "|"); + err = 1; + } + BIO_printf(out, "NO_INPUT"); + started = 1; + } + /* Check for unknown flags */ + flags = flags & ~ENGINE_CMD_FLAG_NUMERIC & + ~ENGINE_CMD_FLAG_STRING & + ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL; + if (flags) { + if (started) + BIO_printf(out, "|"); + BIO_printf(out, "<0x%04X>", flags); + } + if (err) + BIO_printf(out, " "); + BIO_printf(out, "\n"); + return 1; +} + +static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent) +{ + static const int line_wrap = 78; + int num; + int ret = 0; + char *name = NULL; + char *desc = NULL; + int flags; + int xpos = 0; + STACK_OF(OPENSSL_STRING) *cmds = NULL; + if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) || + ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE, + 0, NULL, NULL)) <= 0)) { + return 1; + } + + cmds = sk_OPENSSL_STRING_new_null(); + if (!cmds) + goto err; + + do { + int len; + /* Get the command input flags */ + if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num, + NULL, NULL)) < 0) + goto err; + if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) { + /* Get the command name */ + if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num, + NULL, NULL)) <= 0) + goto err; + name = app_malloc(len + 1, "name buffer"); + if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name, + NULL) <= 0) + goto err; + /* Get the command description */ + if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num, + NULL, NULL)) < 0) + goto err; + if (len > 0) { + desc = app_malloc(len + 1, "description buffer"); + if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc, + NULL) <= 0) + goto err; + } + /* Now decide on the output */ + if (xpos == 0) + /* Do an indent */ + xpos = BIO_puts(out, indent); + else + /* Otherwise prepend a ", " */ + xpos += BIO_printf(out, ", "); + if (verbose == 1) { + /* + * We're just listing names, comma-delimited + */ + if ((xpos > (int)strlen(indent)) && + (xpos + (int)strlen(name) > line_wrap)) { + BIO_printf(out, "\n"); + xpos = BIO_puts(out, indent); + } + xpos += BIO_printf(out, "%s", name); + } else { + /* We're listing names plus descriptions */ + BIO_printf(out, "%s: %s\n", name, + (desc == NULL) ? "" : desc); + /* ... and sometimes input flags */ + if ((verbose >= 3) && !util_flags(out, flags, indent)) + goto err; + xpos = 0; + } + } + OPENSSL_free(name); + name = NULL; + OPENSSL_free(desc); + desc = NULL; + /* Move to the next command */ + num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE, num, NULL, NULL); + } while (num > 0); + if (xpos > 0) + BIO_printf(out, "\n"); + ret = 1; + err: + sk_OPENSSL_STRING_free(cmds); + OPENSSL_free(name); + OPENSSL_free(desc); + return ret; +} + +static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds, + BIO *out, const char *indent) +{ + int loop, res, num = sk_OPENSSL_STRING_num(cmds); + + if (num < 0) { + BIO_printf(out, "[Error]: internal stack error\n"); + return; + } + for (loop = 0; loop < num; loop++) { + char buf[256]; + const char *cmd, *arg; + cmd = sk_OPENSSL_STRING_value(cmds, loop); + res = 1; /* assume success */ + /* Check if this command has no ":arg" */ + if ((arg = strstr(cmd, ":")) == NULL) { + if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0)) + res = 0; + } else { + if ((int)(arg - cmd) > 254) { + BIO_printf(out, "[Error]: command name too long\n"); + return; + } + memcpy(buf, cmd, (int)(arg - cmd)); + buf[arg - cmd] = '\0'; + arg++; /* Move past the ":" */ + /* Call the command with the argument */ + if (!ENGINE_ctrl_cmd_string(e, buf, arg, 0)) + res = 0; + } + if (res) + BIO_printf(out, "[Success]: %s\n", cmd); + else { + BIO_printf(out, "[Failure]: %s\n", cmd); + ERR_print_errors(out); + } + } +} + +int engine_main(int argc, char **argv) +{ + int ret = 1, i; + int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0; + ENGINE *e; + STACK_OF(OPENSSL_CSTRING) *engines = sk_OPENSSL_CSTRING_new_null(); + STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null(); + STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null(); + BIO *out; + const char *indent = " "; + OPTION_CHOICE o; + char *prog; + char *argv1; + + out = dup_bio_out(FORMAT_TEXT); + if (engines == NULL || pre_cmds == NULL || post_cmds == NULL) + goto end; + + /* Remember the original command name, parse/skip any leading engine + * names, and then setup to parse the rest of the line as flags. */ + prog = argv[0]; + while ((argv1 = argv[1]) != NULL && *argv1 != '-') { + sk_OPENSSL_CSTRING_push(engines, argv1); + argc--; + argv++; + } + argv[0] = prog; + opt_init(argc, argv, engine_options); + + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(engine_options); + ret = 0; + goto end; + case OPT_VVVV: + case OPT_VVV: + case OPT_VV: + case OPT_V: + /* Convert to an integer from one to four. */ + i = (int)(o - OPT_V) + 1; + if (verbose < i) + verbose = i; + break; + case OPT_C: + list_cap = 1; + break; + case OPT_TT: + test_avail_noise++; + /* fall thru */ + case OPT_T: + test_avail++; + break; + case OPT_PRE: + sk_OPENSSL_STRING_push(pre_cmds, opt_arg()); + break; + case OPT_POST: + sk_OPENSSL_STRING_push(post_cmds, opt_arg()); + break; + } + } + + /* Allow any trailing parameters as engine names. */ + argc = opt_num_rest(); + argv = opt_rest(); + for ( ; *argv; argv++) { + if (**argv == '-') { + BIO_printf(bio_err, "%s: Cannot mix flags and engine names.\n", + prog); + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + } + sk_OPENSSL_CSTRING_push(engines, *argv); + } + + if (sk_OPENSSL_CSTRING_num(engines) == 0) { + for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) { + sk_OPENSSL_CSTRING_push(engines, ENGINE_get_id(e)); + } + } + + ret = 0; + for (i = 0; i < sk_OPENSSL_CSTRING_num(engines); i++) { + const char *id = sk_OPENSSL_CSTRING_value(engines, i); + if ((e = ENGINE_by_id(id)) != NULL) { + const char *name = ENGINE_get_name(e); + /* + * Do "id" first, then "name". Easier to auto-parse. + */ + BIO_printf(out, "(%s) %s\n", id, name); + util_do_cmds(e, pre_cmds, out, indent); + if (strcmp(ENGINE_get_id(e), id) != 0) { + BIO_printf(out, "Loaded: (%s) %s\n", + ENGINE_get_id(e), ENGINE_get_name(e)); + } + if (list_cap) { + int cap_size = 256; + char *cap_buf = NULL; + int k, n; + const int *nids; + ENGINE_CIPHERS_PTR fn_c; + ENGINE_DIGESTS_PTR fn_d; + ENGINE_PKEY_METHS_PTR fn_pk; + + if (ENGINE_get_RSA(e) != NULL + && !append_buf(&cap_buf, &cap_size, "RSA")) + goto end; + if (ENGINE_get_DSA(e) != NULL + && !append_buf(&cap_buf, &cap_size, "DSA")) + goto end; + if (ENGINE_get_DH(e) != NULL + && !append_buf(&cap_buf, &cap_size, "DH")) + goto end; + if (ENGINE_get_RAND(e) != NULL + && !append_buf(&cap_buf, &cap_size, "RAND")) + goto end; + + fn_c = ENGINE_get_ciphers(e); + if (!fn_c) + goto skip_ciphers; + n = fn_c(e, NULL, &nids, 0); + for (k = 0; k < n; ++k) + if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k]))) + goto end; + + skip_ciphers: + fn_d = ENGINE_get_digests(e); + if (!fn_d) + goto skip_digests; + n = fn_d(e, NULL, &nids, 0); + for (k = 0; k < n; ++k) + if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k]))) + goto end; + + skip_digests: + fn_pk = ENGINE_get_pkey_meths(e); + if (!fn_pk) + goto skip_pmeths; + n = fn_pk(e, NULL, &nids, 0); + for (k = 0; k < n; ++k) + if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k]))) + goto end; + skip_pmeths: + if (cap_buf && (*cap_buf != '\0')) + BIO_printf(out, " [%s]\n", cap_buf); + + OPENSSL_free(cap_buf); + } + if (test_avail) { + BIO_printf(out, "%s", indent); + if (ENGINE_init(e)) { + BIO_printf(out, "[ available ]\n"); + util_do_cmds(e, post_cmds, out, indent); + ENGINE_finish(e); + } else { + BIO_printf(out, "[ unavailable ]\n"); + if (test_avail_noise) + ERR_print_errors_fp(stdout); + ERR_clear_error(); + } + } + if ((verbose > 0) && !util_verbose(e, verbose, out, indent)) + goto end; + ENGINE_free(e); + } else { + ERR_print_errors(bio_err); + /* because exit codes above 127 have special meaning on Unix */ + if (++ret > 127) + ret = 127; + } + } + + end: + + ERR_print_errors(bio_err); + sk_OPENSSL_CSTRING_free(engines); + sk_OPENSSL_STRING_free(pre_cmds); + sk_OPENSSL_STRING_free(post_cmds); + BIO_free_all(out); + return (ret); +} +#endif diff --git a/openssl-1.1.0h/apps/errstr.c b/openssl-1.1.0h/apps/errstr.c new file mode 100644 index 0000000..79d83ee --- /dev/null +++ b/openssl-1.1.0h/apps/errstr.c @@ -0,0 +1,67 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP +} OPTION_CHOICE; + +OPTIONS errstr_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"}, + {OPT_HELP_STR, 1, '-', " errnum Error number\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {NULL} +}; + +int errstr_main(int argc, char **argv) +{ + OPTION_CHOICE o; + char buf[256], *prog; + int ret = 1; + unsigned long l; + + prog = opt_init(argc, argv, errstr_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(errstr_options); + ret = 0; + goto end; + } + } + + ret = 0; + for (argv = opt_rest(); *argv; argv++) { + if (sscanf(*argv, "%lx", &l) == 0) + ret++; + else { + /* We're not really an SSL application so this won't auto-init, but + * we're still interested in SSL error strings + */ + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS + | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_error_string_n(l, buf, sizeof(buf)); + BIO_printf(bio_out, "%s\n", buf); + } + } + end: + return (ret); +} diff --git a/openssl-1.1.0h/apps/gendsa.c b/openssl-1.1.0h/apps/gendsa.c new file mode 100644 index 0000000..bdef022 --- /dev/null +++ b/openssl-1.1.0h/apps/gendsa.c @@ -0,0 +1,147 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_DSA +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include +# include +# include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_RAND, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS gendsa_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"out", OPT_OUT, '>', "Output the key to the specified file"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +int gendsa_main(int argc, char **argv) +{ + ENGINE *e = NULL; + BIO *out = NULL, *in = NULL; + DSA *dsa = NULL; + const EVP_CIPHER *enc = NULL; + char *inrand = NULL, *dsaparams = NULL; + char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog; + OPTION_CHOICE o; + int ret = 1, private = 0; + const BIGNUM *p = NULL; + + prog = opt_init(argc, argv, gendsa_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(gendsa_options); + goto end; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto end; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + private = 1; + + if (argc != 1) + goto opthelp; + dsaparams = *argv; + + if (!app_passwd(NULL, passoutarg, NULL, &passout)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + in = bio_open_default(dsaparams, 'r', FORMAT_PEM); + if (in == NULL) + goto end2; + + if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) { + BIO_printf(bio_err, "unable to load DSA parameter file\n"); + goto end; + } + BIO_free(in); + in = NULL; + + out = bio_open_owner(outfile, FORMAT_PEM, private); + if (out == NULL) + goto end2; + + if (!app_RAND_load_file(NULL, 1) && inrand == NULL) { + BIO_printf(bio_err, + "warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + + DSA_get0_pqg(dsa, &p, NULL, NULL); + BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p)); + if (!DSA_generate_key(dsa)) + goto end; + + app_RAND_write_file(NULL); + + assert(private); + if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout)) + goto end; + ret = 0; + end: + if (ret != 0) + ERR_print_errors(bio_err); + end2: + BIO_free(in); + BIO_free_all(out); + DSA_free(dsa); + release_engine(e); + OPENSSL_free(passout); + return (ret); +} +#endif diff --git a/openssl-1.1.0h/apps/genpkey.c b/openssl-1.1.0h/apps/genpkey.c new file mode 100644 index 0000000..9e37977 --- /dev/null +++ b/openssl-1.1.0h/apps/genpkey.c @@ -0,0 +1,314 @@ +/* + * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "apps.h" +#include +#include +#include +#ifndef OPENSSL_NO_ENGINE +# include +#endif + +static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e); +static int genpkey_cb(EVP_PKEY_CTX *ctx); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE, + OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS genpkey_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"}, + {"pass", OPT_PASS, 's', "Output file pass phrase source"}, + {"paramfile", OPT_PARAMFILE, '<', "Parameters file"}, + {"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"}, + {"pkeyopt", OPT_PKEYOPT, 's', + "Set the public key algorithm option as opt:value"}, + {"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"}, + {"text", OPT_TEXT, '-', "Print the in text"}, + {"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + /* This is deliberately last. */ + {OPT_HELP_STR, 1, 1, + "Order of options may be important! See the documentation.\n"}, + {NULL} +}; + +int genpkey_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + ENGINE *e = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog; + const EVP_CIPHER *cipher = NULL; + OPTION_CHOICE o; + int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0; + int private = 0; + + prog = opt_init(argc, argv, genpkey_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(genpkey_options); + goto end; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASS: + passarg = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_PARAMFILE: + if (do_param == 1) + goto opthelp; + if (!init_keygen_file(&ctx, opt_arg(), e)) + goto end; + break; + case OPT_ALGORITHM: + if (!init_gen_str(&ctx, opt_arg(), e, do_param)) + goto end; + break; + case OPT_PKEYOPT: + if (ctx == NULL) { + BIO_printf(bio_err, "%s: No keytype specified.\n", prog); + goto opthelp; + } + if (pkey_ctrl_string(ctx, opt_arg()) <= 0) { + BIO_printf(bio_err, + "%s: Error setting %s parameter:\n", + prog, opt_arg()); + ERR_print_errors(bio_err); + goto end; + } + break; + case OPT_GENPARAM: + if (ctx != NULL) + goto opthelp; + do_param = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &cipher) + || do_param == 1) + goto opthelp; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + private = do_param ? 0 : 1; + + if (ctx == NULL) + goto opthelp; + + if (!app_passwd(passarg, NULL, &pass, NULL)) { + BIO_puts(bio_err, "Error getting password\n"); + goto end; + } + + out = bio_open_owner(outfile, outformat, private); + if (out == NULL) + goto end; + + EVP_PKEY_CTX_set_cb(ctx, genpkey_cb); + EVP_PKEY_CTX_set_app_data(ctx, bio_err); + + if (do_param) { + if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) { + BIO_puts(bio_err, "Error generating parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + } else { + if (EVP_PKEY_keygen(ctx, &pkey) <= 0) { + BIO_puts(bio_err, "Error generating key\n"); + ERR_print_errors(bio_err); + goto end; + } + } + + if (do_param) + rv = PEM_write_bio_Parameters(out, pkey); + else if (outformat == FORMAT_PEM) { + assert(private); + rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass); + } else if (outformat == FORMAT_ASN1) { + assert(private); + rv = i2d_PrivateKey_bio(out, pkey); + } else { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + + if (rv <= 0) { + BIO_puts(bio_err, "Error writing key\n"); + ERR_print_errors(bio_err); + } + + if (text) { + if (do_param) + rv = EVP_PKEY_print_params(out, pkey, 0, NULL); + else + rv = EVP_PKEY_print_private(out, pkey, 0, NULL); + + if (rv <= 0) { + BIO_puts(bio_err, "Error printing key\n"); + ERR_print_errors(bio_err); + } + } + + ret = 0; + + end: + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(ctx); + BIO_free_all(out); + BIO_free(in); + release_engine(e); + OPENSSL_free(pass); + return ret; +} + +static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e) +{ + BIO *pbio; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + if (*pctx) { + BIO_puts(bio_err, "Parameters already set!\n"); + return 0; + } + + pbio = BIO_new_file(file, "r"); + if (!pbio) { + BIO_printf(bio_err, "Can't open parameter file %s\n", file); + return 0; + } + + pkey = PEM_read_bio_Parameters(pbio, NULL); + BIO_free(pbio); + + if (!pkey) { + BIO_printf(bio_err, "Error reading parameter file %s\n", file); + return 0; + } + + ctx = EVP_PKEY_CTX_new(pkey, e); + if (ctx == NULL) + goto err; + if (EVP_PKEY_keygen_init(ctx) <= 0) + goto err; + EVP_PKEY_free(pkey); + *pctx = ctx; + return 1; + + err: + BIO_puts(bio_err, "Error initializing context\n"); + ERR_print_errors(bio_err); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); + return 0; + +} + +int init_gen_str(EVP_PKEY_CTX **pctx, + const char *algname, ENGINE *e, int do_param) +{ + EVP_PKEY_CTX *ctx = NULL; + const EVP_PKEY_ASN1_METHOD *ameth; + ENGINE *tmpeng = NULL; + int pkey_id; + + if (*pctx) { + BIO_puts(bio_err, "Algorithm already set!\n"); + return 0; + } + + ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1); + +#ifndef OPENSSL_NO_ENGINE + if (!ameth && e) + ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1); +#endif + + if (!ameth) { + BIO_printf(bio_err, "Algorithm %s not found\n", algname); + return 0; + } + + ERR_clear_error(); + + EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); +#ifndef OPENSSL_NO_ENGINE + ENGINE_finish(tmpeng); +#endif + ctx = EVP_PKEY_CTX_new_id(pkey_id, e); + + if (!ctx) + goto err; + if (do_param) { + if (EVP_PKEY_paramgen_init(ctx) <= 0) + goto err; + } else { + if (EVP_PKEY_keygen_init(ctx) <= 0) + goto err; + } + + *pctx = ctx; + return 1; + + err: + BIO_printf(bio_err, "Error initializing %s context\n", algname); + ERR_print_errors(bio_err); + EVP_PKEY_CTX_free(ctx); + return 0; + +} + +static int genpkey_cb(EVP_PKEY_CTX *ctx) +{ + char c = '*'; + BIO *b = EVP_PKEY_CTX_get_app_data(ctx); + int p; + p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); + if (p == 0) + c = '.'; + if (p == 1) + c = '+'; + if (p == 2) + c = '*'; + if (p == 3) + c = '\n'; + BIO_write(b, &c, 1); + (void)BIO_flush(b); + return 1; +} diff --git a/openssl-1.1.0h/apps/genrsa.c b/openssl-1.1.0h/apps/genrsa.c new file mode 100644 index 0000000..19bc753 --- /dev/null +++ b/openssl-1.1.0h/apps/genrsa.c @@ -0,0 +1,198 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_RSA +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include +# include +# include +# include +# include + +# define DEFBITS 2048 + +static int genrsa_cb(int p, int n, BN_GENCB *cb); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_3, OPT_F4, OPT_ENGINE, + OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS genrsa_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"3", OPT_3, '-', "Use 3 for the E value"}, + {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, + {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"}, + {"out", OPT_OUT, 's', "Output the key to specified file"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +int genrsa_main(int argc, char **argv) +{ + BN_GENCB *cb = BN_GENCB_new(); + PW_CB_DATA cb_data; + ENGINE *eng = NULL; + BIGNUM *bn = BN_new(); + BIO *out = NULL; + const BIGNUM *e; + RSA *rsa = NULL; + const EVP_CIPHER *enc = NULL; + int ret = 1, num = DEFBITS, private = 0; + unsigned long f4 = RSA_F4; + char *outfile = NULL, *passoutarg = NULL, *passout = NULL; + char *inrand = NULL, *prog, *hexe, *dece; + OPTION_CHOICE o; + + if (bn == NULL || cb == NULL) + goto end; + + BN_GENCB_set(cb, genrsa_cb, bio_err); + + prog = opt_init(argc, argv, genrsa_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(genrsa_options); + goto end; + case OPT_3: + f4 = 3; + break; + case OPT_F4: + f4 = RSA_F4; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + eng = setup_engine(opt_arg(), 0); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto end; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (argc == 1) { + if (!opt_int(argv[0], &num) || num <= 0) + goto end; + } else if (argc > 0) { + BIO_printf(bio_err, "Extra arguments given.\n"); + goto opthelp; + } + + private = 1; + if (!app_passwd(NULL, passoutarg, NULL, &passout)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + out = bio_open_owner(outfile, FORMAT_PEM, private); + if (out == NULL) + goto end; + + if (!app_RAND_load_file(NULL, 1) && inrand == NULL + && !RAND_status()) { + BIO_printf(bio_err, + "warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + + BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n", + num); + rsa = eng ? RSA_new_method(eng) : RSA_new(); + if (rsa == NULL) + goto end; + + if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb)) + goto end; + + app_RAND_write_file(NULL); + + RSA_get0_key(rsa, NULL, &e, NULL); + hexe = BN_bn2hex(e); + dece = BN_bn2dec(e); + if (hexe && dece) { + BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe); + } + OPENSSL_free(hexe); + OPENSSL_free(dece); + cb_data.password = passout; + cb_data.prompt_info = outfile; + assert(private); + if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0, + (pem_password_cb *)password_callback, + &cb_data)) + goto end; + + ret = 0; + end: + BN_free(bn); + BN_GENCB_free(cb); + RSA_free(rsa); + BIO_free_all(out); + release_engine(eng); + OPENSSL_free(passout); + if (ret != 0) + ERR_print_errors(bio_err); + return (ret); +} + +static int genrsa_cb(int p, int n, BN_GENCB *cb) +{ + char c = '*'; + + if (p == 0) + c = '.'; + if (p == 1) + c = '+'; + if (p == 2) + c = '*'; + if (p == 3) + c = '\n'; + BIO_write(BN_GENCB_get_arg(cb), &c, 1); + (void)BIO_flush(BN_GENCB_get_arg(cb)); + return 1; +} +#endif diff --git a/openssl-1.1.0h/apps/nseq.c b/openssl-1.1.0h/apps/nseq.c new file mode 100644 index 0000000..018d5eb --- /dev/null +++ b/openssl-1.1.0h/apps/nseq.c @@ -0,0 +1,113 @@ +/* + * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "apps.h" +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_TOSEQ, OPT_IN, OPT_OUT +} OPTION_CHOICE; + +OPTIONS nseq_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {NULL} +}; + +int nseq_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + X509 *x509 = NULL; + NETSCAPE_CERT_SEQUENCE *seq = NULL; + OPTION_CHOICE o; + int toseq = 0, ret = 1, i; + char *infile = NULL, *outfile = NULL, *prog; + + prog = opt_init(argc, argv, nseq_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(nseq_options); + goto end; + case OPT_TOSEQ: + toseq = 1; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + in = bio_open_default(infile, 'r', FORMAT_PEM); + if (in == NULL) + goto end; + out = bio_open_default(outfile, 'w', FORMAT_PEM); + if (out == NULL) + goto end; + + if (toseq) { + seq = NETSCAPE_CERT_SEQUENCE_new(); + if (seq == NULL) + goto end; + seq->certs = sk_X509_new_null(); + if (seq->certs == NULL) + goto end; + while ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL))) + sk_X509_push(seq->certs, x509); + + if (!sk_X509_num(seq->certs)) { + BIO_printf(bio_err, "%s: Error reading certs file %s\n", + prog, infile); + ERR_print_errors(bio_err); + goto end; + } + PEM_write_bio_NETSCAPE_CERT_SEQUENCE(out, seq); + ret = 0; + goto end; + } + + seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL); + if (seq == NULL) { + BIO_printf(bio_err, "%s: Error reading sequence file %s\n", + prog, infile); + ERR_print_errors(bio_err); + goto end; + } + + for (i = 0; i < sk_X509_num(seq->certs); i++) { + x509 = sk_X509_value(seq->certs, i); + dump_cert_text(out, x509); + PEM_write_bio_X509(out, x509); + } + ret = 0; + end: + BIO_free(in); + BIO_free_all(out); + NETSCAPE_CERT_SEQUENCE_free(seq); + + return (ret); +} diff --git a/openssl-1.1.0h/apps/ocsp.c b/openssl-1.1.0h/apps/ocsp.c new file mode 100644 index 0000000..4b53334 --- /dev/null +++ b/openssl-1.1.0h/apps/ocsp.c @@ -0,0 +1,1290 @@ +/* + * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +#ifdef OPENSSL_NO_OCSP +NON_EMPTY_TRANSLATION_UNIT +#else +# ifdef OPENSSL_SYS_VMS +# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined + * on OpenVMS */ +# endif + +# define USE_SOCKETS + +# include +# include +# include +# include +# include + +/* Needs to be included before the openssl headers */ +# include "apps.h" +# include +# include +# include +# include +# include +# include +# include + +# if defined(NETWARE_CLIB) +# ifdef NETWARE_BSDSOCK +# include +# include +# else +# include +# endif +# elif defined(NETWARE_LIBC) +# ifdef NETWARE_BSDSOCK +# include +# else +# include +# endif +# endif + +/* Maximum leeway in validity period: default 5 minutes */ +# define MAX_VALIDITY_PERIOD (5 * 60) + +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, + const EVP_MD *cert_id_md, X509 *issuer, + STACK_OF(OCSP_CERTID) *ids); +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, + const EVP_MD *cert_id_md, X509 *issuer, + STACK_OF(OCSP_CERTID) *ids); +static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, + STACK_OF(OPENSSL_STRING) *names, + STACK_OF(OCSP_CERTID) *ids, long nsec, + long maxage); +static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, + CA_DB *db, X509 *ca, X509 *rcert, + EVP_PKEY *rkey, const EVP_MD *md, + STACK_OF(X509) *rother, unsigned long flags, + int nmin, int ndays, int badsig); + +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); +static BIO *init_responder(const char *port); +static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio); +static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp); + +# ifndef OPENSSL_NO_SOCK +static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, + const char *path, + const STACK_OF(CONF_VALUE) *headers, + OCSP_REQUEST *req, int req_timeout); +# endif + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT, + OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE, + OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS, + OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN, + OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, + OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, + OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, + OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH, + OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, + OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, + OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, + OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_HEADER, + OPT_V_ENUM, + OPT_MD +} OPTION_CHOICE; + +OPTIONS ocsp_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"out", OPT_OUTFILE, '>', "Output filename"}, + {"timeout", OPT_TIMEOUT, 'p', + "Connection timeout (in seconds) to the OCSP responder"}, + {"url", OPT_URL, 's', "Responder URL"}, + {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"}, + {"port", OPT_PORT, 'p', "Port to run responder on"}, + {"ignore_err", OPT_IGNORE_ERR, '-', + "Ignore Error response from OCSP responder, and retry "}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"}, + {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"}, + {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"}, + {"resp_no_certs", OPT_RESP_NO_CERTS, '-', + "Don't include any certificates in response"}, + {"resp_key_id", OPT_RESP_KEY_ID, '-', + "Identify response by signing certificate key ID"}, + {"no_certs", OPT_NO_CERTS, '-', + "Don't include any certificates in signed request"}, + {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', + "Don't check signature on response"}, + {"no_cert_verify", OPT_NO_CERT_VERIFY, '-', + "Don't check signing certificate"}, + {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"}, + {"no_cert_checks", OPT_NO_CERT_CHECKS, '-', + "Don't do additional checks on signing certificate"}, + {"no_explicit", OPT_NO_EXPLICIT, '-', + "Do not explicitly check the chain, just verify the root"}, + {"trust_other", OPT_TRUST_OTHER, '-', + "Don't verify additional certificates"}, + {"no_intern", OPT_NO_INTERN, '-', + "Don't search certificates contained in response for signer"}, + {"badsig", OPT_BADSIG, '-', + "Corrupt last byte of loaded OSCP response signature (for test)"}, + {"text", OPT_TEXT, '-', "Print text form of request and response"}, + {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, + {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, + {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"}, + {"respin", OPT_RESPIN, 's', "File with the DER-encoded response"}, + {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"}, + {"VAfile", OPT_VAFILE, '<', "Validator certificates file"}, + {"sign_other", OPT_SIGN_OTHER, '<', + "Additional certificates to include in signed request"}, + {"verify_other", OPT_VERIFY_OTHER, '<', + "Additional certificates to search for signer"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"validity_period", OPT_VALIDITY_PERIOD, 'u', + "Maximum validity discrepancy in seconds"}, + {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, + {"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"}, + {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"}, + {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"}, + {"path", OPT_PATH, 's', "Path to use in OCSP request"}, + {"issuer", OPT_ISSUER, '<', "Issuer certificate"}, + {"cert", OPT_CERT, '<', "Certificate to check"}, + {"serial", OPT_SERIAL, 's', "Serial number to check"}, + {"index", OPT_INDEX, '<', "Certificate status index file"}, + {"CA", OPT_CA, '<', "CA certificate"}, + {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"}, + {"nrequest", OPT_REQUEST, 'p', + "Number of requests to accept (default unlimited)"}, + {"ndays", OPT_NDAYS, 'p', "Number of days before next update"}, + {"rsigner", OPT_RSIGNER, '<', + "Responder certificate to sign responses with"}, + {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"}, + {"rother", OPT_ROTHER, '<', "Other certificates to include in response"}, + {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"}, + {"header", OPT_HEADER, 's', "key=value header to add"}, + {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"}, + OPT_V_OPTIONS, + {NULL} +}; + +int ocsp_main(int argc, char **argv) +{ + BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL; + const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; + int trailing_md = 0; + CA_DB *rdb = NULL; + EVP_PKEY *key = NULL, *rkey = NULL; + OCSP_BASICRESP *bs = NULL; + OCSP_REQUEST *req = NULL; + OCSP_RESPONSE *resp = NULL; + STACK_OF(CONF_VALUE) *headers = NULL; + STACK_OF(OCSP_CERTID) *ids = NULL; + STACK_OF(OPENSSL_STRING) *reqnames = NULL; + STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; + STACK_OF(X509) *issuers = NULL; + X509 *issuer = NULL, *cert = NULL, *rca_cert = NULL; + X509 *signer = NULL, *rsigner = NULL; + X509_STORE *store = NULL; + X509_VERIFY_PARAM *vpm = NULL; + const char *CAfile = NULL, *CApath = NULL; + char *header, *value; + char *host = NULL, *port = NULL, *path = "/", *outfile = NULL; + char *rca_filename = NULL, *reqin = NULL, *respin = NULL; + char *reqout = NULL, *respout = NULL, *ridx_filename = NULL; + char *rsignfile = NULL, *rkeyfile = NULL; + char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; + char *signfile = NULL, *keyfile = NULL; + char *thost = NULL, *tport = NULL, *tpath = NULL; + int noCAfile = 0, noCApath = 0; + int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1; + int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1; + int req_text = 0, resp_text = 0, ret = 1; +#ifndef OPENSSL_NO_SOCK + int req_timeout = -1; +#endif + long nsec = MAX_VALIDITY_PERIOD, maxage = -1; + unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; + OPTION_CHOICE o; + char *prog; + + reqnames = sk_OPENSSL_STRING_new_null(); + if (!reqnames) + goto end; + ids = sk_OCSP_CERTID_new_null(); + if (!ids) + goto end; + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; + + prog = opt_init(argc, argv, ocsp_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + ret = 0; + opt_help(ocsp_options); + goto end; + case OPT_OUTFILE: + outfile = opt_arg(); + break; + case OPT_TIMEOUT: +#ifndef OPENSSL_NO_SOCK + req_timeout = atoi(opt_arg()); +#endif + break; + case OPT_URL: + OPENSSL_free(thost); + OPENSSL_free(tport); + OPENSSL_free(tpath); + thost = tport = tpath = NULL; + if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) { + BIO_printf(bio_err, "%s Error parsing URL\n", prog); + goto end; + } + thost = host; + tport = port; + tpath = path; + break; + case OPT_HOST: + host = opt_arg(); + break; + case OPT_PORT: + port = opt_arg(); + break; + case OPT_IGNORE_ERR: + ignore_err = 1; + break; + case OPT_NOVERIFY: + noverify = 1; + break; + case OPT_NONCE: + add_nonce = 2; + break; + case OPT_NO_NONCE: + add_nonce = 0; + break; + case OPT_RESP_NO_CERTS: + rflags |= OCSP_NOCERTS; + break; + case OPT_RESP_KEY_ID: + rflags |= OCSP_RESPID_KEY; + break; + case OPT_NO_CERTS: + sign_flags |= OCSP_NOCERTS; + break; + case OPT_NO_SIGNATURE_VERIFY: + verify_flags |= OCSP_NOSIGS; + break; + case OPT_NO_CERT_VERIFY: + verify_flags |= OCSP_NOVERIFY; + break; + case OPT_NO_CHAIN: + verify_flags |= OCSP_NOCHAIN; + break; + case OPT_NO_CERT_CHECKS: + verify_flags |= OCSP_NOCHECKS; + break; + case OPT_NO_EXPLICIT: + verify_flags |= OCSP_NOEXPLICIT; + break; + case OPT_TRUST_OTHER: + verify_flags |= OCSP_TRUSTOTHER; + break; + case OPT_NO_INTERN: + verify_flags |= OCSP_NOINTERN; + break; + case OPT_BADSIG: + badsig = 1; + break; + case OPT_TEXT: + req_text = resp_text = 1; + break; + case OPT_REQ_TEXT: + req_text = 1; + break; + case OPT_RESP_TEXT: + resp_text = 1; + break; + case OPT_REQIN: + reqin = opt_arg(); + break; + case OPT_RESPIN: + respin = opt_arg(); + break; + case OPT_SIGNER: + signfile = opt_arg(); + break; + case OPT_VAFILE: + verify_certfile = opt_arg(); + verify_flags |= OCSP_TRUSTOTHER; + break; + case OPT_SIGN_OTHER: + sign_certfile = opt_arg(); + break; + case OPT_VERIFY_OTHER: + verify_certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; + case OPT_VALIDITY_PERIOD: + opt_long(opt_arg(), &nsec); + break; + case OPT_STATUS_AGE: + opt_long(opt_arg(), &maxage); + break; + case OPT_SIGNKEY: + keyfile = opt_arg(); + break; + case OPT_REQOUT: + reqout = opt_arg(); + break; + case OPT_RESPOUT: + respout = opt_arg(); + break; + case OPT_PATH: + path = opt_arg(); + break; + case OPT_ISSUER: + issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate"); + if (issuer == NULL) + goto end; + if (issuers == NULL) { + if ((issuers = sk_X509_new_null()) == NULL) + goto end; + } + sk_X509_push(issuers, issuer); + break; + case OPT_CERT: + X509_free(cert); + cert = load_cert(opt_arg(), FORMAT_PEM, "certificate"); + if (cert == NULL) + goto end; + if (cert_id_md == NULL) + cert_id_md = EVP_sha1(); + if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) + goto end; + if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) + goto end; + trailing_md = 0; + break; + case OPT_SERIAL: + if (cert_id_md == NULL) + cert_id_md = EVP_sha1(); + if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids)) + goto end; + if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) + goto end; + trailing_md = 0; + break; + case OPT_INDEX: + ridx_filename = opt_arg(); + break; + case OPT_CA: + rca_filename = opt_arg(); + break; + case OPT_NMIN: + opt_int(opt_arg(), &nmin); + if (ndays == -1) + ndays = 0; + break; + case OPT_REQUEST: + opt_int(opt_arg(), &accept_count); + break; + case OPT_NDAYS: + ndays = atoi(opt_arg()); + break; + case OPT_RSIGNER: + rsignfile = opt_arg(); + break; + case OPT_RKEY: + rkeyfile = opt_arg(); + break; + case OPT_ROTHER: + rcertfile = opt_arg(); + break; + case OPT_RMD: /* Response MessageDigest */ + if (!opt_md(opt_arg(), &rsign_md)) + goto end; + break; + case OPT_HEADER: + header = opt_arg(); + value = strchr(header, '='); + if (value == NULL) { + BIO_printf(bio_err, "Missing = in header key=value\n"); + goto opthelp; + } + *value++ = '\0'; + if (!X509V3_add_value(header, value, &headers)) + goto end; + break; + case OPT_MD: + if (trailing_md) { + BIO_printf(bio_err, + "%s: Digest must be before -cert or -serial\n", + prog); + goto opthelp; + } + if (!opt_md(opt_unknown(), &cert_id_md)) + goto opthelp; + trailing_md = 1; + break; + } + } + + if (trailing_md) { + BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", + prog); + goto opthelp; + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + /* Have we anything to do? */ + if (!req && !reqin && !respin && !(port && ridx_filename)) + goto opthelp; + + out = bio_open_default(outfile, 'w', FORMAT_TEXT); + if (out == NULL) + goto end; + + if (!req && (add_nonce != 2)) + add_nonce = 0; + + if (!req && reqin) { + derbio = bio_open_default(reqin, 'r', FORMAT_ASN1); + if (derbio == NULL) + goto end; + req = d2i_OCSP_REQUEST_bio(derbio, NULL); + BIO_free(derbio); + if (!req) { + BIO_printf(bio_err, "Error reading OCSP request\n"); + goto end; + } + } + + if (!req && port) { + acbio = init_responder(port); + if (!acbio) + goto end; + } + + if (rsignfile) { + if (!rkeyfile) + rkeyfile = rsignfile; + rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate"); + if (!rsigner) { + BIO_printf(bio_err, "Error loading responder certificate\n"); + goto end; + } + rca_cert = load_cert(rca_filename, FORMAT_PEM, "CA certificate"); + if (rcertfile) { + if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, + "responder other certificates")) + goto end; + } + rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL, + "responder private key"); + if (!rkey) + goto end; + } + if (acbio) + BIO_printf(bio_err, "Waiting for OCSP client connections...\n"); + + redo_accept: + + if (acbio) { + if (!do_responder(&req, &cbio, acbio)) + goto end; + if (!req) { + resp = + OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, + NULL); + send_ocsp_response(cbio, resp); + goto done_resp; + } + } + + if (!req && (signfile || reqout || host || add_nonce || ridx_filename)) { + BIO_printf(bio_err, "Need an OCSP request for this operation!\n"); + goto end; + } + + if (req && add_nonce) + OCSP_request_add1_nonce(req, NULL, -1); + + if (signfile) { + if (!keyfile) + keyfile = signfile; + signer = load_cert(signfile, FORMAT_PEM, "signer certificate"); + if (!signer) { + BIO_printf(bio_err, "Error loading signer certificate\n"); + goto end; + } + if (sign_certfile) { + if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, + "signer certificates")) + goto end; + } + key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL, + "signer private key"); + if (!key) + goto end; + + if (!OCSP_request_sign + (req, signer, key, NULL, sign_other, sign_flags)) { + BIO_printf(bio_err, "Error signing OCSP request\n"); + goto end; + } + } + + if (req_text && req) + OCSP_REQUEST_print(out, req, 0); + + if (reqout) { + derbio = bio_open_default(reqout, 'w', FORMAT_ASN1); + if (derbio == NULL) + goto end; + i2d_OCSP_REQUEST_bio(derbio, req); + BIO_free(derbio); + } + + if (ridx_filename && (!rkey || !rsigner || !rca_cert)) { + BIO_printf(bio_err, + "Need a responder certificate, key and CA for this operation!\n"); + goto end; + } + + if (ridx_filename && !rdb) { + rdb = load_index(ridx_filename, NULL); + if (!rdb) + goto end; + if (!index_index(rdb)) + goto end; + } + + if (rdb) { + make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, + rsign_md, rother, rflags, nmin, ndays, badsig); + if (cbio) + send_ocsp_response(cbio, resp); + } else if (host) { +# ifndef OPENSSL_NO_SOCK + resp = process_responder(req, host, path, + port, use_ssl, headers, req_timeout); + if (!resp) + goto end; +# else + BIO_printf(bio_err, + "Error creating connect BIO - sockets not supported.\n"); + goto end; +# endif + } else if (respin) { + derbio = bio_open_default(respin, 'r', FORMAT_ASN1); + if (derbio == NULL) + goto end; + resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); + BIO_free(derbio); + if (!resp) { + BIO_printf(bio_err, "Error reading OCSP response\n"); + goto end; + } + } else { + ret = 0; + goto end; + } + + done_resp: + + if (respout) { + derbio = bio_open_default(respout, 'w', FORMAT_ASN1); + if (derbio == NULL) + goto end; + i2d_OCSP_RESPONSE_bio(derbio, resp); + BIO_free(derbio); + } + + i = OCSP_response_status(resp); + if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { + BIO_printf(out, "Responder Error: %s (%d)\n", + OCSP_response_status_str(i), i); + if (ignore_err) + goto redo_accept; + ret = 0; + goto end; + } + + if (resp_text) + OCSP_RESPONSE_print(out, resp, 0); + + /* If running as responder don't verify our own response */ + if (cbio) { + /* If not unlimited, see if we took all we should. */ + if (accept_count != -1 && --accept_count <= 0) { + ret = 0; + goto end; + } + BIO_free_all(cbio); + cbio = NULL; + OCSP_REQUEST_free(req); + req = NULL; + OCSP_RESPONSE_free(resp); + resp = NULL; + goto redo_accept; + } + if (ridx_filename) { + ret = 0; + goto end; + } + + if (!store) { + store = setup_verify(CAfile, CApath, noCAfile, noCApath); + if (!store) + goto end; + } + if (vpmtouched) + X509_STORE_set1_param(store, vpm); + if (verify_certfile) { + if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, + "validator certificate")) + goto end; + } + + bs = OCSP_response_get1_basic(resp); + if (!bs) { + BIO_printf(bio_err, "Error parsing response\n"); + goto end; + } + + ret = 0; + + if (!noverify) { + if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) { + if (i == -1) + BIO_printf(bio_err, "WARNING: no nonce in response\n"); + else { + BIO_printf(bio_err, "Nonce Verify error\n"); + ret = 1; + goto end; + } + } + + i = OCSP_basic_verify(bs, verify_other, store, verify_flags); + if (i <= 0 && issuers) { + i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER); + if (i > 0) + ERR_clear_error(); + } + if (i <= 0) { + BIO_printf(bio_err, "Response Verify Failure\n"); + ERR_print_errors(bio_err); + ret = 1; + } else + BIO_printf(bio_err, "Response verify OK\n"); + + } + + print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage); + + end: + ERR_print_errors(bio_err); + X509_free(signer); + X509_STORE_free(store); + X509_VERIFY_PARAM_free(vpm); + EVP_PKEY_free(key); + EVP_PKEY_free(rkey); + X509_free(cert); + sk_X509_pop_free(issuers, X509_free); + X509_free(rsigner); + X509_free(rca_cert); + free_index(rdb); + BIO_free_all(cbio); + BIO_free_all(acbio); + BIO_free(out); + OCSP_REQUEST_free(req); + OCSP_RESPONSE_free(resp); + OCSP_BASICRESP_free(bs); + sk_OPENSSL_STRING_free(reqnames); + sk_OCSP_CERTID_free(ids); + sk_X509_pop_free(sign_other, X509_free); + sk_X509_pop_free(verify_other, X509_free); + sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); + OPENSSL_free(thost); + OPENSSL_free(tport); + OPENSSL_free(tpath); + + return (ret); +} + +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, + const EVP_MD *cert_id_md, X509 *issuer, + STACK_OF(OCSP_CERTID) *ids) +{ + OCSP_CERTID *id; + if (!issuer) { + BIO_printf(bio_err, "No issuer certificate specified\n"); + return 0; + } + if (*req == NULL) + *req = OCSP_REQUEST_new(); + if (*req == NULL) + goto err; + id = OCSP_cert_to_id(cert_id_md, cert, issuer); + if (!id || !sk_OCSP_CERTID_push(ids, id)) + goto err; + if (!OCSP_request_add0_id(*req, id)) + goto err; + return 1; + + err: + BIO_printf(bio_err, "Error Creating OCSP request\n"); + return 0; +} + +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, + const EVP_MD *cert_id_md, X509 *issuer, + STACK_OF(OCSP_CERTID) *ids) +{ + OCSP_CERTID *id; + X509_NAME *iname; + ASN1_BIT_STRING *ikey; + ASN1_INTEGER *sno; + if (!issuer) { + BIO_printf(bio_err, "No issuer certificate specified\n"); + return 0; + } + if (*req == NULL) + *req = OCSP_REQUEST_new(); + if (*req == NULL) + goto err; + iname = X509_get_subject_name(issuer); + ikey = X509_get0_pubkey_bitstr(issuer); + sno = s2i_ASN1_INTEGER(NULL, serial); + if (!sno) { + BIO_printf(bio_err, "Error converting serial number %s\n", serial); + return 0; + } + id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); + ASN1_INTEGER_free(sno); + if (id == NULL || !sk_OCSP_CERTID_push(ids, id)) + goto err; + if (!OCSP_request_add0_id(*req, id)) + goto err; + return 1; + + err: + BIO_printf(bio_err, "Error Creating OCSP request\n"); + return 0; +} + +static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, + STACK_OF(OPENSSL_STRING) *names, + STACK_OF(OCSP_CERTID) *ids, long nsec, + long maxage) +{ + OCSP_CERTID *id; + const char *name; + int i, status, reason; + ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; + + if (!bs || !req || !sk_OPENSSL_STRING_num(names) + || !sk_OCSP_CERTID_num(ids)) + return; + + for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { + id = sk_OCSP_CERTID_value(ids, i); + name = sk_OPENSSL_STRING_value(names, i); + BIO_printf(out, "%s: ", name); + + if (!OCSP_resp_find_status(bs, id, &status, &reason, + &rev, &thisupd, &nextupd)) { + BIO_puts(out, "ERROR: No Status found.\n"); + continue; + } + + /* + * Check validity: if invalid write to output BIO so we know which + * response this refers to. + */ + if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) { + BIO_puts(out, "WARNING: Status times invalid.\n"); + ERR_print_errors(out); + } + BIO_printf(out, "%s\n", OCSP_cert_status_str(status)); + + BIO_puts(out, "\tThis Update: "); + ASN1_GENERALIZEDTIME_print(out, thisupd); + BIO_puts(out, "\n"); + + if (nextupd) { + BIO_puts(out, "\tNext Update: "); + ASN1_GENERALIZEDTIME_print(out, nextupd); + BIO_puts(out, "\n"); + } + + if (status != V_OCSP_CERTSTATUS_REVOKED) + continue; + + if (reason != -1) + BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason)); + + BIO_puts(out, "\tRevocation Time: "); + ASN1_GENERALIZEDTIME_print(out, rev); + BIO_puts(out, "\n"); + } +} + +static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, + CA_DB *db, X509 *ca, X509 *rcert, + EVP_PKEY *rkey, const EVP_MD *rmd, + STACK_OF(X509) *rother, unsigned long flags, + int nmin, int ndays, int badsig) +{ + ASN1_TIME *thisupd = NULL, *nextupd = NULL; + OCSP_CERTID *cid, *ca_id = NULL; + OCSP_BASICRESP *bs = NULL; + int i, id_count; + + id_count = OCSP_request_onereq_count(req); + + if (id_count <= 0) { + *resp = + OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); + goto end; + } + + bs = OCSP_BASICRESP_new(); + thisupd = X509_gmtime_adj(NULL, 0); + if (ndays != -1) + nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL); + + /* Examine each certificate id in the request */ + for (i = 0; i < id_count; i++) { + OCSP_ONEREQ *one; + ASN1_INTEGER *serial; + char **inf; + ASN1_OBJECT *cert_id_md_oid; + const EVP_MD *cert_id_md; + one = OCSP_request_onereq_get0(req, i); + cid = OCSP_onereq_get0_id(one); + + OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid); + + cert_id_md = EVP_get_digestbyobj(cert_id_md_oid); + if (!cert_id_md) { + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, + NULL); + goto end; + } + OCSP_CERTID_free(ca_id); + ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca); + + /* Is this request about our CA? */ + if (OCSP_id_issuer_cmp(ca_id, cid)) { + OCSP_basic_add1_status(bs, cid, + V_OCSP_CERTSTATUS_UNKNOWN, + 0, NULL, thisupd, nextupd); + continue; + } + OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); + inf = lookup_serial(db, serial); + if (!inf) + OCSP_basic_add1_status(bs, cid, + V_OCSP_CERTSTATUS_UNKNOWN, + 0, NULL, thisupd, nextupd); + else if (inf[DB_type][0] == DB_TYPE_VAL) + OCSP_basic_add1_status(bs, cid, + V_OCSP_CERTSTATUS_GOOD, + 0, NULL, thisupd, nextupd); + else if (inf[DB_type][0] == DB_TYPE_REV) { + ASN1_OBJECT *inst = NULL; + ASN1_TIME *revtm = NULL; + ASN1_GENERALIZEDTIME *invtm = NULL; + OCSP_SINGLERESP *single; + int reason = -1; + unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]); + single = OCSP_basic_add1_status(bs, cid, + V_OCSP_CERTSTATUS_REVOKED, + reason, revtm, thisupd, nextupd); + if (invtm) + OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, + invtm, 0, 0); + else if (inst) + OCSP_SINGLERESP_add1_ext_i2d(single, + NID_hold_instruction_code, inst, + 0, 0); + ASN1_OBJECT_free(inst); + ASN1_TIME_free(revtm); + ASN1_GENERALIZEDTIME_free(invtm); + } + } + + OCSP_copy_nonce(bs, req); + + OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags); + + if (badsig) { + const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs); + corrupt_signature(sig); + } + + *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); + + end: + ASN1_TIME_free(thisupd); + ASN1_TIME_free(nextupd); + OCSP_CERTID_free(ca_id); + OCSP_BASICRESP_free(bs); +} + +static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) +{ + int i; + BIGNUM *bn = NULL; + char *itmp, *row[DB_NUMBER], **rrow; + for (i = 0; i < DB_NUMBER; i++) + row[i] = NULL; + bn = ASN1_INTEGER_to_BN(ser, NULL); + OPENSSL_assert(bn); /* FIXME: should report an error at this + * point and abort */ + if (BN_is_zero(bn)) + itmp = OPENSSL_strdup("00"); + else + itmp = BN_bn2hex(bn); + row[DB_serial] = itmp; + BN_free(bn); + rrow = TXT_DB_get_by_index(db->db, DB_serial, row); + OPENSSL_free(itmp); + return rrow; +} + +/* Quick and dirty OCSP server: read in and parse input request */ + +static BIO *init_responder(const char *port) +{ +# ifdef OPENSSL_NO_SOCK + BIO_printf(bio_err, + "Error setting up accept BIO - sockets not supported.\n"); + return NULL; +# else + BIO *acbio = NULL, *bufbio = NULL; + + bufbio = BIO_new(BIO_f_buffer()); + if (bufbio == NULL) + goto err; + acbio = BIO_new(BIO_s_accept()); + if (acbio == NULL + || BIO_set_bind_mode(acbio, BIO_BIND_REUSEADDR) < 0 + || BIO_set_accept_port(acbio, port) < 0) { + BIO_printf(bio_err, "Error setting up accept BIO\n"); + ERR_print_errors(bio_err); + goto err; + } + + BIO_set_accept_bios(acbio, bufbio); + bufbio = NULL; + if (BIO_do_accept(acbio) <= 0) { + BIO_printf(bio_err, "Error starting accept\n"); + ERR_print_errors(bio_err); + goto err; + } + + return acbio; + + err: + BIO_free_all(acbio); + BIO_free(bufbio); + return NULL; +# endif +} + +# ifndef OPENSSL_NO_SOCK +/* + * Decode %xx URL-decoding in-place. Ignores mal-formed sequences. + */ +static int urldecode(char *p) +{ + unsigned char *out = (unsigned char *)p; + unsigned char *save = out; + + for (; *p; p++) { + if (*p != '%') + *out++ = *p; + else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) { + /* Don't check, can't fail because of ixdigit() call. */ + *out++ = (OPENSSL_hexchar2int(p[1]) << 4) + | OPENSSL_hexchar2int(p[2]); + p += 2; + } + else + return -1; + } + *out = '\0'; + return (int)(out - save); +} +# endif + +static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio) +{ +# ifdef OPENSSL_NO_SOCK + return 0; +# else + int len; + OCSP_REQUEST *req = NULL; + char inbuf[2048], reqbuf[2048]; + char *p, *q; + BIO *cbio = NULL, *getbio = NULL, *b64 = NULL; + + if (BIO_do_accept(acbio) <= 0) { + BIO_printf(bio_err, "Error accepting connection\n"); + ERR_print_errors(bio_err); + return 0; + } + + cbio = BIO_pop(acbio); + *pcbio = cbio; + + /* Read the request line. */ + len = BIO_gets(cbio, reqbuf, sizeof(reqbuf)); + if (len <= 0) + return 1; + if (strncmp(reqbuf, "GET ", 4) == 0) { + /* Expecting GET {sp} /URL {sp} HTTP/1.x */ + for (p = reqbuf + 4; *p == ' '; ++p) + continue; + if (*p != '/') { + BIO_printf(bio_err, "Invalid request -- bad URL\n"); + return 1; + } + p++; + + /* Splice off the HTTP version identifier. */ + for (q = p; *q; q++) + if (*q == ' ') + break; + if (strncmp(q, " HTTP/1.", 8) != 0) { + BIO_printf(bio_err, "Invalid request -- bad HTTP vesion\n"); + return 1; + } + *q = '\0'; + len = urldecode(p); + if (len <= 0) { + BIO_printf(bio_err, "Invalid request -- bad URL encoding\n"); + return 1; + } + if ((getbio = BIO_new_mem_buf(p, len)) == NULL + || (b64 = BIO_new(BIO_f_base64())) == NULL) { + BIO_printf(bio_err, "Could not allocate memory\n"); + ERR_print_errors(bio_err); + return 1; + } + BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL); + getbio = BIO_push(b64, getbio); + } else if (strncmp(reqbuf, "POST ", 5) != 0) { + BIO_printf(bio_err, "Invalid request -- bad HTTP verb\n"); + return 1; + } + + /* Read and skip past the headers. */ + for (;;) { + len = BIO_gets(cbio, inbuf, sizeof(inbuf)); + if (len <= 0) + return 1; + if ((inbuf[0] == '\r') || (inbuf[0] == '\n')) + break; + } + + /* Try to read OCSP request */ + if (getbio) { + req = d2i_OCSP_REQUEST_bio(getbio, NULL); + BIO_free_all(getbio); + } else + req = d2i_OCSP_REQUEST_bio(cbio, NULL); + + if (!req) { + BIO_printf(bio_err, "Error parsing OCSP request\n"); + ERR_print_errors(bio_err); + } + + *preq = req; + + return 1; +# endif +} + +static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp) +{ + char http_resp[] = + "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n" + "Content-Length: %d\r\n\r\n"; + if (!cbio) + return 0; + BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL)); + i2d_OCSP_RESPONSE_bio(cbio, resp); + (void)BIO_flush(cbio); + return 1; +} + +# ifndef OPENSSL_NO_SOCK +static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, + const char *path, + const STACK_OF(CONF_VALUE) *headers, + OCSP_REQUEST *req, int req_timeout) +{ + int fd; + int rv; + int i; + int add_host = 1; + OCSP_REQ_CTX *ctx = NULL; + OCSP_RESPONSE *rsp = NULL; + fd_set confds; + struct timeval tv; + + if (req_timeout != -1) + BIO_set_nbio(cbio, 1); + + rv = BIO_do_connect(cbio); + + if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio))) { + BIO_puts(bio_err, "Error connecting BIO\n"); + return NULL; + } + + if (BIO_get_fd(cbio, &fd) < 0) { + BIO_puts(bio_err, "Can't get connection fd\n"); + goto err; + } + + if (req_timeout != -1 && rv <= 0) { + FD_ZERO(&confds); + openssl_fdset(fd, &confds); + tv.tv_usec = 0; + tv.tv_sec = req_timeout; + rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); + if (rv == 0) { + BIO_puts(bio_err, "Timeout on connect\n"); + return NULL; + } + } + + ctx = OCSP_sendreq_new(cbio, path, NULL, -1); + if (ctx == NULL) + return NULL; + + for (i = 0; i < sk_CONF_VALUE_num(headers); i++) { + CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i); + if (add_host == 1 && strcasecmp("host", hdr->name) == 0) + add_host = 0; + if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value)) + goto err; + } + + if (add_host == 1 && OCSP_REQ_CTX_add1_header(ctx, "Host", host) == 0) + goto err; + + if (!OCSP_REQ_CTX_set1_req(ctx, req)) + goto err; + + for (;;) { + rv = OCSP_sendreq_nbio(&rsp, ctx); + if (rv != -1) + break; + if (req_timeout == -1) + continue; + FD_ZERO(&confds); + openssl_fdset(fd, &confds); + tv.tv_usec = 0; + tv.tv_sec = req_timeout; + if (BIO_should_read(cbio)) + rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv); + else if (BIO_should_write(cbio)) + rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv); + else { + BIO_puts(bio_err, "Unexpected retry condition\n"); + goto err; + } + if (rv == 0) { + BIO_puts(bio_err, "Timeout on request\n"); + break; + } + if (rv == -1) { + BIO_puts(bio_err, "Select error\n"); + break; + } + + } + err: + OCSP_REQ_CTX_free(ctx); + + return rsp; +} + +OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, + const char *host, const char *path, + const char *port, int use_ssl, + STACK_OF(CONF_VALUE) *headers, + int req_timeout) +{ + BIO *cbio = NULL; + SSL_CTX *ctx = NULL; + OCSP_RESPONSE *resp = NULL; + + cbio = BIO_new_connect(host); + if (!cbio) { + BIO_printf(bio_err, "Error creating connect BIO\n"); + goto end; + } + if (port) + BIO_set_conn_port(cbio, port); + if (use_ssl == 1) { + BIO *sbio; + ctx = SSL_CTX_new(TLS_client_method()); + if (ctx == NULL) { + BIO_printf(bio_err, "Error creating SSL context.\n"); + goto end; + } + SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); + sbio = BIO_new_ssl(ctx, 1); + cbio = BIO_push(sbio, cbio); + } + + resp = query_responder(cbio, host, path, headers, req, req_timeout); + if (!resp) + BIO_printf(bio_err, "Error querying OCSP responder\n"); + end: + BIO_free_all(cbio); + SSL_CTX_free(ctx); + return resp; +} +# endif + +#endif diff --git a/openssl-1.1.0h/apps/openssl-vms.cnf b/openssl-1.1.0h/apps/openssl-vms.cnf new file mode 100644 index 0000000..0092a65 --- /dev/null +++ b/openssl-1.1.0h/apps/openssl-vms.cnf @@ -0,0 +1,346 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = sys\$disk:[.demoCA # Where everything is kept +certs = $dir.certs] # Where the issued certs are kept +crl_dir = $dir.crl] # Where the issued crl are kept +database = $dir]index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir.newcerts] # default place for new certs. + +certificate = $dir]cacert.pem # The CA certificate +serial = $dir]serial. # The current serial number +crlnumber = $dir]crlnumber. # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir]crl.pem # The current CRL +private_key = $dir.private]cakey.pem# The private key +RANDFILE = $dir.private].rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This is required for TSA certificates. +# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = sys\$disk:[.demoCA # TSA root directory +serial = $dir]tsaserial. # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir.cacert.pem] # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha256 # Signing digest to use. (Optional) +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) diff --git a/openssl-1.1.0h/apps/openssl.c b/openssl-1.1.0h/apps/openssl.c new file mode 100644 index 0000000..2607694 --- /dev/null +++ b/openssl-1.1.0h/apps/openssl.c @@ -0,0 +1,703 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifndef OPENSSL_NO_ENGINE +# include +#endif +#include +#ifdef OPENSSL_FIPS +# include +#endif +#define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */ +#include "s_apps.h" +/* Needed to get the other O_xxx flags. */ +#ifdef OPENSSL_SYS_VMS +# include +#endif +#define INCLUDE_FUNCTION_TABLE +#include "apps.h" + + +#ifdef OPENSSL_NO_CAMELLIA +# define FORMAT "%-15s" +# define COLUMNS 5 +#else +# define FORMAT "%-18s" +# define COLUMNS 4 +#endif + +/* Special sentinel to exit the program. */ +#define EXIT_THE_PROGRAM (-1) + +/* + * The LHASH callbacks ("hash" & "cmp") have been replaced by functions with + * the base prototypes (we cast each variable inside the function to the + * required type of "FUNCTION*"). This removes the necessity for + * macro-generated wrapper functions. + */ +static LHASH_OF(FUNCTION) *prog_init(void); +static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]); +static void list_pkey(void); +static void list_type(FUNC_TYPE ft); +static void list_disabled(void); +char *default_config_file = NULL; + +BIO *bio_in = NULL; +BIO *bio_out = NULL; +BIO *bio_err = NULL; + +static int apps_startup() +{ +#ifdef SIGPIPE + signal(SIGPIPE, SIG_IGN); +#endif + + /* Set non-default library initialisation settings */ + if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN + | OPENSSL_INIT_LOAD_CONFIG, NULL)) + return 0; + +#ifndef OPENSSL_NO_UI + setup_ui_method(); +#endif + + return 1; +} + +static void apps_shutdown() +{ +#ifndef OPENSSL_NO_UI + destroy_ui_method(); +#endif +} + +static char *make_config_name() +{ + const char *t; + size_t len; + char *p; + + if ((t = getenv("OPENSSL_CONF")) != NULL) + return OPENSSL_strdup(t); + + t = X509_get_default_cert_area(); + len = strlen(t) + 1 + strlen(OPENSSL_CONF) + 1; + p = app_malloc(len, "config filename buffer"); + strcpy(p, t); +#ifndef OPENSSL_SYS_VMS + strcat(p, "/"); +#endif + strcat(p, OPENSSL_CONF); + + return p; +} + +int main(int argc, char *argv[]) +{ + FUNCTION f, *fp; + LHASH_OF(FUNCTION) *prog = NULL; + char **copied_argv = NULL; + char *p, *pname; + char buf[1024]; + const char *prompt; + ARGS arg; + int first, n, i, ret = 0; + + arg.argv = NULL; + arg.size = 0; + + /* Set up some of the environment. */ + default_config_file = make_config_name(); + bio_in = dup_bio_in(FORMAT_TEXT); + bio_out = dup_bio_out(FORMAT_TEXT); + bio_err = dup_bio_err(FORMAT_TEXT); + +#if defined(OPENSSL_SYS_VMS) && defined(__DECC) + copied_argv = argv = copy_argv(&argc, argv); +#elif defined(_WIN32) + /* + * Replace argv[] with UTF-8 encoded strings. + */ + win32_utf8argv(&argc, &argv); +#endif + + p = getenv("OPENSSL_DEBUG_MEMORY"); + if (p != NULL && strcmp(p, "on") == 0) + CRYPTO_set_mem_debug(1); + CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); + + if (getenv("OPENSSL_FIPS")) { +#ifdef OPENSSL_FIPS + if (!FIPS_mode_set(1)) { + ERR_print_errors(bio_err); + return 1; + } +#else + BIO_printf(bio_err, "FIPS mode not supported.\n"); + return 1; +#endif + } + + if (!apps_startup()) { + BIO_printf(bio_err, + "FATAL: Startup failure (dev note: apps_startup() failed)\n"); + ERR_print_errors(bio_err); + ret = 1; + goto end; + } + + prog = prog_init(); + pname = opt_progname(argv[0]); + + /* first check the program name */ + f.name = pname; + fp = lh_FUNCTION_retrieve(prog, &f); + if (fp != NULL) { + argv[0] = pname; + ret = fp->func(argc, argv); + goto end; + } + + /* If there is stuff on the command line, run with that. */ + if (argc != 1) { + argc--; + argv++; + ret = do_cmd(prog, argc, argv); + if (ret < 0) + ret = 0; + goto end; + } + + /* ok, lets enter interactive mode */ + for (;;) { + ret = 0; + /* Read a line, continue reading if line ends with \ */ + for (p = buf, n = sizeof(buf), i = 0, first = 1; n > 0; first = 0) { + prompt = first ? "OpenSSL> " : "> "; + p[0] = '\0'; +#ifndef READLINE + fputs(prompt, stdout); + fflush(stdout); + if (!fgets(p, n, stdin)) + goto end; + if (p[0] == '\0') + goto end; + i = strlen(p); + if (i <= 1) + break; + if (p[i - 2] != '\\') + break; + i -= 2; + p += i; + n -= i; +#else + { + extern char *readline(const char *); + extern void add_history(const char *cp); + char *text; + + text = readline(prompt); + if (text == NULL) + goto end; + i = strlen(text); + if (i == 0 || i > n) + break; + if (text[i - 1] != '\\') { + p += strlen(strcpy(p, text)); + free(text); + add_history(buf); + break; + } + + text[i - 1] = '\0'; + p += strlen(strcpy(p, text)); + free(text); + n -= i; + } +#endif + } + + if (!chopup_args(&arg, buf)) { + BIO_printf(bio_err, "Can't parse (no memory?)\n"); + break; + } + + ret = do_cmd(prog, arg.argc, arg.argv); + if (ret == EXIT_THE_PROGRAM) { + ret = 0; + goto end; + } + if (ret != 0) + BIO_printf(bio_err, "error in %s\n", arg.argv[0]); + (void)BIO_flush(bio_out); + (void)BIO_flush(bio_err); + } + ret = 1; + end: + OPENSSL_free(copied_argv); + OPENSSL_free(default_config_file); + lh_FUNCTION_free(prog); + OPENSSL_free(arg.argv); + + BIO_free(bio_in); + BIO_free_all(bio_out); + apps_shutdown(); +#ifndef OPENSSL_NO_CRYPTO_MDEBUG + if (CRYPTO_mem_leaks(bio_err) <= 0) + ret = 1; +#endif + BIO_free(bio_err); + EXIT(ret); +} + +OPTIONS exit_options[] = { + {NULL} +}; + +static void list_cipher_fn(const EVP_CIPHER *c, + const char *from, const char *to, void *arg) +{ + if (c) + BIO_printf(arg, "%s\n", EVP_CIPHER_name(c)); + else { + if (!from) + from = ""; + if (!to) + to = ""; + BIO_printf(arg, "%s => %s\n", from, to); + } +} + +static void list_md_fn(const EVP_MD *m, + const char *from, const char *to, void *arg) +{ + if (m) + BIO_printf(arg, "%s\n", EVP_MD_name(m)); + else { + if (!from) + from = ""; + if (!to) + to = ""; + BIO_printf((BIO *)arg, "%s => %s\n", from, to); + } +} + +/* Unified enum for help and list commands. */ +typedef enum HELPLIST_CHOICE { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_COMMANDS, OPT_DIGEST_COMMANDS, + OPT_DIGEST_ALGORITHMS, OPT_CIPHER_COMMANDS, OPT_CIPHER_ALGORITHMS, + OPT_PK_ALGORITHMS, OPT_DISABLED +} HELPLIST_CHOICE; + +OPTIONS list_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"commands", OPT_COMMANDS, '-', "List of standard commands"}, + {"digest-commands", OPT_DIGEST_COMMANDS, '-', + "List of message digest commands"}, + {"digest-algorithms", OPT_DIGEST_ALGORITHMS, '-', + "List of message digest algorithms"}, + {"cipher-commands", OPT_CIPHER_COMMANDS, '-', "List of cipher commands"}, + {"cipher-algorithms", OPT_CIPHER_ALGORITHMS, '-', + "List of cipher algorithms"}, + {"public-key-algorithms", OPT_PK_ALGORITHMS, '-', + "List of public key algorithms"}, + {"disabled", OPT_DISABLED, '-', + "List of disabled features"}, + {NULL} +}; + +int list_main(int argc, char **argv) +{ + char *prog; + HELPLIST_CHOICE o; + int done = 0; + + prog = opt_init(argc, argv, list_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: /* Never hit, but suppresses warning */ + case OPT_ERR: +opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + return 1; + case OPT_HELP: + opt_help(list_options); + break; + case OPT_COMMANDS: + list_type(FT_general); + break; + case OPT_DIGEST_COMMANDS: + list_type(FT_md); + break; + case OPT_DIGEST_ALGORITHMS: + EVP_MD_do_all_sorted(list_md_fn, bio_out); + break; + case OPT_CIPHER_COMMANDS: + list_type(FT_cipher); + break; + case OPT_CIPHER_ALGORITHMS: + EVP_CIPHER_do_all_sorted(list_cipher_fn, bio_out); + break; + case OPT_PK_ALGORITHMS: + list_pkey(); + break; + case OPT_DISABLED: + list_disabled(); + break; + } + done = 1; + } + if (opt_num_rest() != 0) { + BIO_printf(bio_err, "Extra arguments given.\n"); + goto opthelp; + } + + if (!done) + goto opthelp; + + return 0; +} + +OPTIONS help_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {NULL} +}; + +int help_main(int argc, char **argv) +{ + FUNCTION *fp; + int i, nl; + FUNC_TYPE tp; + char *prog; + HELPLIST_CHOICE o; + + prog = opt_init(argc, argv, help_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + default: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + return 1; + case OPT_HELP: + opt_help(help_options); + return 0; + } + } + + if (opt_num_rest() != 0) { + BIO_printf(bio_err, "Usage: %s\n", prog); + return 1; + } + + BIO_printf(bio_err, "\nStandard commands"); + i = 0; + tp = FT_none; + for (fp = functions; fp->name != NULL; fp++) { + nl = 0; + if (((i++) % COLUMNS) == 0) { + BIO_printf(bio_err, "\n"); + nl = 1; + } + if (fp->type != tp) { + tp = fp->type; + if (!nl) + BIO_printf(bio_err, "\n"); + if (tp == FT_md) { + i = 1; + BIO_printf(bio_err, + "\nMessage Digest commands (see the `dgst' command for more details)\n"); + } else if (tp == FT_cipher) { + i = 1; + BIO_printf(bio_err, + "\nCipher commands (see the `enc' command for more details)\n"); + } + } + BIO_printf(bio_err, FORMAT, fp->name); + } + BIO_printf(bio_err, "\n\n"); + return 0; +} + +int exit_main(int argc, char **argv) +{ + return EXIT_THE_PROGRAM; +} + +static void list_type(FUNC_TYPE ft) +{ + FUNCTION *fp; + int i = 0; + + for (fp = functions; fp->name != NULL; fp++) + if (fp->type == ft) { + if ((i++ % COLUMNS) == 0) + BIO_printf(bio_out, "\n"); + BIO_printf(bio_out, FORMAT, fp->name); + } + BIO_printf(bio_out, "\n"); +} + +static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]) +{ + FUNCTION f, *fp; + + if (argc <= 0 || argv[0] == NULL) + return (0); + f.name = argv[0]; + fp = lh_FUNCTION_retrieve(prog, &f); + if (fp == NULL) { + if (EVP_get_digestbyname(argv[0])) { + f.type = FT_md; + f.func = dgst_main; + fp = &f; + } else if (EVP_get_cipherbyname(argv[0])) { + f.type = FT_cipher; + f.func = enc_main; + fp = &f; + } + } + if (fp != NULL) { + return (fp->func(argc, argv)); + } + if ((strncmp(argv[0], "no-", 3)) == 0) { + /* + * User is asking if foo is unsupported, by trying to "run" the + * no-foo command. Strange. + */ + f.name = argv[0] + 3; + if (lh_FUNCTION_retrieve(prog, &f) == NULL) { + BIO_printf(bio_out, "%s\n", argv[0]); + return (0); + } + BIO_printf(bio_out, "%s\n", argv[0] + 3); + return 1; + } + if (strcmp(argv[0], "quit") == 0 || strcmp(argv[0], "q") == 0 || + strcmp(argv[0], "exit") == 0 || strcmp(argv[0], "bye") == 0) + /* Special value to mean "exit the program. */ + return EXIT_THE_PROGRAM; + + BIO_printf(bio_err, "Invalid command '%s'; type \"help\" for a list.\n", + argv[0]); + return (1); +} + +static void list_pkey(void) +{ + int i; + + for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) { + const EVP_PKEY_ASN1_METHOD *ameth; + int pkey_id, pkey_base_id, pkey_flags; + const char *pinfo, *pem_str; + ameth = EVP_PKEY_asn1_get0(i); + EVP_PKEY_asn1_get0_info(&pkey_id, &pkey_base_id, &pkey_flags, + &pinfo, &pem_str, ameth); + if (pkey_flags & ASN1_PKEY_ALIAS) { + BIO_printf(bio_out, "Name: %s\n", OBJ_nid2ln(pkey_id)); + BIO_printf(bio_out, "\tAlias for: %s\n", + OBJ_nid2ln(pkey_base_id)); + } else { + BIO_printf(bio_out, "Name: %s\n", pinfo); + BIO_printf(bio_out, "\tType: %s Algorithm\n", + pkey_flags & ASN1_PKEY_DYNAMIC ? + "External" : "Builtin"); + BIO_printf(bio_out, "\tOID: %s\n", OBJ_nid2ln(pkey_id)); + if (pem_str == NULL) + pem_str = "(none)"; + BIO_printf(bio_out, "\tPEM string: %s\n", pem_str); + } + + } +} + +static int function_cmp(const FUNCTION * a, const FUNCTION * b) +{ + return strncmp(a->name, b->name, 8); +} + +static unsigned long function_hash(const FUNCTION * a) +{ + return OPENSSL_LH_strhash(a->name); +} + +static int SortFnByName(const void *_f1, const void *_f2) +{ + const FUNCTION *f1 = _f1; + const FUNCTION *f2 = _f2; + + if (f1->type != f2->type) + return f1->type - f2->type; + return strcmp(f1->name, f2->name); +} + +static void list_disabled(void) +{ + BIO_puts(bio_out, "Disabled algorithms:\n"); +#ifdef OPENSSL_NO_BF + BIO_puts(bio_out, "BF\n"); +#endif +#ifdef OPENSSL_NO_BLAKE2 + BIO_puts(bio_out, "BLAKE2\n"); +#endif +#ifdef OPENSSL_NO_CAMELLIA + BIO_puts(bio_out, "CAMELLIA\n"); +#endif +#ifdef OPENSSL_NO_CAST + BIO_puts(bio_out, "CAST\n"); +#endif +#ifdef OPENSSL_NO_CMAC + BIO_puts(bio_out, "CMAC\n"); +#endif +#ifdef OPENSSL_NO_CMS + BIO_puts(bio_out, "CMS\n"); +#endif +#ifdef OPENSSL_NO_COMP + BIO_puts(bio_out, "COMP\n"); +#endif +#ifdef OPENSSL_NO_DES + BIO_puts(bio_out, "DES\n"); +#endif +#ifdef OPENSSL_NO_DGRAM + BIO_puts(bio_out, "DGRAM\n"); +#endif +#ifdef OPENSSL_NO_DH + BIO_puts(bio_out, "DH\n"); +#endif +#ifdef OPENSSL_NO_DSA + BIO_puts(bio_out, "DSA\n"); +#endif +#if defined(OPENSSL_NO_DTLS) + BIO_puts(bio_out, "DTLS\n"); +#endif +#if defined(OPENSSL_NO_DTLS1) + BIO_puts(bio_out, "DTLS1\n"); +#endif +#if defined(OPENSSL_NO_DTLS1_2) + BIO_puts(bio_out, "DTLS1_2\n"); +#endif +#ifdef OPENSSL_NO_EC + BIO_puts(bio_out, "EC\n"); +#endif +#ifdef OPENSSL_NO_EC2M + BIO_puts(bio_out, "EC2M\n"); +#endif +#ifdef OPENSSL_NO_ENGINE + BIO_puts(bio_out, "ENGINE\n"); +#endif +#ifdef OPENSSL_NO_GOST + BIO_puts(bio_out, "GOST\n"); +#endif +#ifdef OPENSSL_NO_HEARTBEATS + BIO_puts(bio_out, "HEARTBEATS\n"); +#endif +#ifdef OPENSSL_NO_IDEA + BIO_puts(bio_out, "IDEA\n"); +#endif +#ifdef OPENSSL_NO_MD2 + BIO_puts(bio_out, "MD2\n"); +#endif +#ifdef OPENSSL_NO_MD4 + BIO_puts(bio_out, "MD4\n"); +#endif +#ifdef OPENSSL_NO_MD5 + BIO_puts(bio_out, "MD5\n"); +#endif +#ifdef OPENSSL_NO_MDC2 + BIO_puts(bio_out, "MDC2\n"); +#endif +#ifdef OPENSSL_NO_OCB + BIO_puts(bio_out, "OCB\n"); +#endif +#ifdef OPENSSL_NO_OCSP + BIO_puts(bio_out, "OCSP\n"); +#endif +#ifdef OPENSSL_NO_PSK + BIO_puts(bio_out, "PSK\n"); +#endif +#ifdef OPENSSL_NO_RC2 + BIO_puts(bio_out, "RC2\n"); +#endif +#ifdef OPENSSL_NO_RC4 + BIO_puts(bio_out, "RC4\n"); +#endif +#ifdef OPENSSL_NO_RC5 + BIO_puts(bio_out, "RC5\n"); +#endif +#ifdef OPENSSL_NO_RMD160 + BIO_puts(bio_out, "RMD160\n"); +#endif +#ifdef OPENSSL_NO_RSA + BIO_puts(bio_out, "RSA\n"); +#endif +#ifdef OPENSSL_NO_SCRYPT + BIO_puts(bio_out, "SCRYPT\n"); +#endif +#ifdef OPENSSL_NO_SCTP + BIO_puts(bio_out, "SCTP\n"); +#endif +#ifdef OPENSSL_NO_SEED + BIO_puts(bio_out, "SEED\n"); +#endif +#ifdef OPENSSL_NO_SOCK + BIO_puts(bio_out, "SOCK\n"); +#endif +#ifdef OPENSSL_NO_SRP + BIO_puts(bio_out, "SRP\n"); +#endif +#ifdef OPENSSL_NO_SRTP + BIO_puts(bio_out, "SRTP\n"); +#endif +#ifdef OPENSSL_NO_SSL3 + BIO_puts(bio_out, "SSL3\n"); +#endif +#ifdef OPENSSL_NO_TLS1 + BIO_puts(bio_out, "TLS1\n"); +#endif +#ifdef OPENSSL_NO_TLS1_1 + BIO_puts(bio_out, "TLS1_1\n"); +#endif +#ifdef OPENSSL_NO_TLS1_2 + BIO_puts(bio_out, "TLS1_2\n"); +#endif +#ifdef OPENSSL_NO_WHIRLPOOL + BIO_puts(bio_out, "WHIRLPOOL\n"); +#endif +#ifndef ZLIB + BIO_puts(bio_out, "ZLIB\n"); +#endif +} + +static LHASH_OF(FUNCTION) *prog_init(void) +{ + LHASH_OF(FUNCTION) *ret; + FUNCTION *f; + size_t i; + + /* Sort alphabetically within category. For nicer help displays. */ + for (i = 0, f = functions; f->name != NULL; ++f, ++i) ; + qsort(functions, i, sizeof(*functions), SortFnByName); + + if ((ret = lh_FUNCTION_new(function_hash, function_cmp)) == NULL) + return (NULL); + + for (f = functions; f->name != NULL; f++) + (void)lh_FUNCTION_insert(ret, f); + return (ret); +} diff --git a/openssl-1.1.0h/apps/openssl.cnf b/openssl-1.1.0h/apps/openssl.cnf new file mode 100644 index 0000000..b3e7444 --- /dev/null +++ b/openssl-1.1.0h/apps/openssl.cnf @@ -0,0 +1,346 @@ +# +# OpenSSL example configuration file. +# This is mostly being used for generation of certificate requests. +# + +# This definition stops the following lines choking if HOME isn't +# defined. +HOME = . +RANDFILE = $ENV::HOME/.rnd + +# Extra OBJECT IDENTIFIER info: +#oid_file = $ENV::HOME/.oid +oid_section = new_oids + +# To use this configuration file with the "-extfile" option of the +# "openssl x509" utility, name here the section containing the +# X.509v3 extensions to use: +# extensions = +# (Alternatively, use a configuration file that has only +# X.509v3 extensions in its main [= default] section.) + +[ new_oids ] + +# We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +# Add a simple OID like this: +# testoid1=1.2.3.4 +# Or use config file substitution like this: +# testoid2=${testoid1}.5.6 + +# Policies used by the TSA examples. +tsa_policy1 = 1.2.3.4.1 +tsa_policy2 = 1.2.3.4.5.6 +tsa_policy3 = 1.2.3.4.5.7 + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = ./demoCA # Where everything is kept +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +#unique_subject = no # Set to 'no' to allow creation of + # several certs with same subject. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/cacert.pem # The CA certificate +serial = $dir/serial # The current serial number +crlnumber = $dir/crlnumber # the current crl number + # must be commented out to leave a V1 CRL +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/cakey.pem# The private key +RANDFILE = $dir/private/.rand # private random number file + +x509_extensions = usr_cert # The extensions to add to the cert + +# Comment out the following two lines for the "traditional" +# (and highly broken) format. +name_opt = ca_default # Subject Name options +cert_opt = ca_default # Certificate field options + +# Extension copying option: use with caution. +# copy_extensions = copy + +# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs +# so this is commented out by default to leave a V1 CRL. +# crlnumber must also be commented out to leave a V1 CRL. +# crl_extensions = crl_ext + +default_days = 365 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = default # use public key default MD +preserve = no # keep passed DN ordering + +# A few difference way of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_match + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +# For the 'anything' policy +# At this point in time, you must list all acceptable 'object' +# types. +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### +[ req ] +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert + +# Passwords for private keys if not present they will be prompted for +# input_password = secret +# output_password = secret + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString (PKIX recommendation before 2004) +# utf8only: only UTF8Strings (PKIX recommendation after 2004). +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings. +string_mask = utf8only + +# req_extensions = v3_req # The extensions to add to a certificate request + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = AU +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = Some-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +# we can do this but it is not needed normally :-) +#1.organizationName = Second Organization Name (eg, company) +#1.organizationName_default = World Wide Web Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) +#organizationalUnitName_default = + +commonName = Common Name (e.g. server FQDN or YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +# SET-ex3 = SET extension number 3 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + +unstructuredName = An optional company name + +[ usr_cert ] + +# These extensions are added when 'ca' signs a request. + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This is required for TSA certificates. +# extendedKeyUsage = critical,timeStamping + +[ v3_req ] + +# Extensions to add to a certificate request + +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +[ v3_ca ] + + +# Extensions for a typical CA + + +# PKIX recommendation. + +subjectKeyIdentifier=hash + +authorityKeyIdentifier=keyid:always,issuer + +basicConstraints = critical,CA:true + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# keyUsage = cRLSign, keyCertSign + +# Some might want this also +# nsCertType = sslCA, emailCA + +# Include email address in subject alt name: another PKIX recommendation +# subjectAltName=email:copy +# Copy issuer details +# issuerAltName=issuer:copy + +# DER hex encoding of an extension: beware experts only! +# obj=DER:02:03 +# Where 'obj' is a standard or added object +# You can even override a supported extension: +# basicConstraints= critical, DER:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always + +[ proxy_cert_ext ] +# These extensions should be added when creating a proxy certificate + +# This goes against PKIX guidelines but some CAs do it and some software +# requires this to avoid interpreting an end user certificate as a CA. + +basicConstraints=CA:FALSE + +# Here are some examples of the usage of nsCertType. If it is omitted +# the certificate can be used for anything *except* object signing. + +# This is OK for an SSL server. +# nsCertType = server + +# For an object signing certificate this would be used. +# nsCertType = objsign + +# For normal client use this is typical +# nsCertType = client, email + +# and for everything including object signing: +# nsCertType = client, email, objsign + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer + +# This stuff is for subjectAltName and issuerAltname. +# Import the email address. +# subjectAltName=email:copy +# An alternative to produce certificates that aren't +# deprecated according to PKIX. +# subjectAltName=email:move + +# Copy subject details +# issuerAltName=issuer:copy + +#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem +#nsBaseUrl +#nsRevocationUrl +#nsRenewalUrl +#nsCaPolicyUrl +#nsSslServerName + +# This really needs to be in place for it to be a proxy certificate. +proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo + +#################################################################### +[ tsa ] + +default_tsa = tsa_config1 # the default TSA section + +[ tsa_config1 ] + +# These are used by the TSA reply generation only. +dir = ./demoCA # TSA root directory +serial = $dir/tsaserial # The current serial number (mandatory) +crypto_device = builtin # OpenSSL engine to use for signing +signer_cert = $dir/tsacert.pem # The TSA signing certificate + # (optional) +certs = $dir/cacert.pem # Certificate chain to include in reply + # (optional) +signer_key = $dir/private/tsakey.pem # The TSA private key (optional) +signer_digest = sha256 # Signing digest to use. (Optional) +default_policy = tsa_policy1 # Policy if request did not specify it + # (optional) +other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) +digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) +accuracy = secs:1, millisecs:500, microsecs:100 # (optional) +clock_precision_digits = 0 # number of digits after dot. (optional) +ordering = yes # Is ordering defined for timestamps? + # (optional, default: no) +tsa_name = yes # Must the TSA name be included in the reply? + # (optional, default: no) +ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) diff --git a/openssl-1.1.0h/apps/opt.c b/openssl-1.1.0h/apps/opt.c new file mode 100644 index 0000000..6e40f64 --- /dev/null +++ b/openssl-1.1.0h/apps/opt.c @@ -0,0 +1,977 @@ +/* + * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* #define COMPILE_STANDALONE_TEST_DRIVER */ +#include "apps.h" +#include +#if !defined(OPENSSL_SYS_MSDOS) +# include OPENSSL_UNISTD +#endif + +#include +#include +#include +#include +#include +#include + +#define MAX_OPT_HELP_WIDTH 30 +const char OPT_HELP_STR[] = "--"; +const char OPT_MORE_STR[] = "---"; + +/* Our state */ +static char **argv; +static int argc; +static int opt_index; +static char *arg; +static char *flag; +static char *dunno; +static const OPTIONS *unknown; +static const OPTIONS *opts; +static char prog[40]; + +/* + * Return the simple name of the program; removing various platform gunk. + */ +#if defined(OPENSSL_SYS_WIN32) +char *opt_progname(const char *argv0) +{ + size_t i, n; + const char *p; + char *q; + + /* find the last '/', '\' or ':' */ + for (p = argv0 + strlen(argv0); --p > argv0;) + if (*p == '/' || *p == '\\' || *p == ':') { + p++; + break; + } + + /* Strip off trailing nonsense. */ + n = strlen(p); + if (n > 4 && + (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0)) + n -= 4; + + /* Copy over the name, in lowercase. */ + if (n > sizeof(prog) - 1) + n = sizeof(prog) - 1; + for (q = prog, i = 0; i < n; i++, p++) + *q++ = tolower((unsigned char)*p); + *q = '\0'; + return prog; +} + +#elif defined(OPENSSL_SYS_VMS) + +char *opt_progname(const char *argv0) +{ + const char *p, *q; + + /* Find last special character sys:[foo.bar]openssl */ + for (p = argv0 + strlen(argv0); --p > argv0;) + if (*p == ':' || *p == ']' || *p == '>') { + p++; + break; + } + + q = strrchr(p, '.'); + strncpy(prog, p, sizeof(prog) - 1); + prog[sizeof(prog) - 1] = '\0'; + if (q != NULL && q - p < sizeof(prog)) + prog[q - p] = '\0'; + return prog; +} + +#else + +char *opt_progname(const char *argv0) +{ + const char *p; + + /* Could use strchr, but this is like the ones above. */ + for (p = argv0 + strlen(argv0); --p > argv0;) + if (*p == '/') { + p++; + break; + } + strncpy(prog, p, sizeof(prog) - 1); + prog[sizeof(prog) - 1] = '\0'; + return prog; +} +#endif + +char *opt_getprog(void) +{ + return prog; +} + +/* Set up the arg parsing. */ +char *opt_init(int ac, char **av, const OPTIONS *o) +{ + /* Store state. */ + argc = ac; + argv = av; + opt_index = 1; + opts = o; + opt_progname(av[0]); + unknown = NULL; + + for (; o->name; ++o) { +#ifndef NDEBUG + const OPTIONS *next; + int duplicated, i; +#endif + + if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR) + continue; +#ifndef NDEBUG + i = o->valtype; + + /* Make sure options are legit. */ + assert(o->name[0] != '-'); + assert(o->retval > 0); + switch (i) { + case 0: case '-': case '/': case '<': case '>': case 'E': case 'F': + case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's': + case 'u': case 'c': + break; + default: + assert(0); + } + + /* Make sure there are no duplicates. */ + for (next = o + 1; next->name; ++next) { + /* + * Some compilers inline strcmp and the assert string is too long. + */ + duplicated = strcmp(o->name, next->name) == 0; + assert(!duplicated); + } +#endif + if (o->name[0] == '\0') { + assert(unknown == NULL); + unknown = o; + assert(unknown->valtype == 0 || unknown->valtype == '-'); + } + } + return prog; +} + +static OPT_PAIR formats[] = { + {"PEM/DER", OPT_FMT_PEMDER}, + {"pkcs12", OPT_FMT_PKCS12}, + {"smime", OPT_FMT_SMIME}, + {"engine", OPT_FMT_ENGINE}, + {"msblob", OPT_FMT_MSBLOB}, + {"netscape", OPT_FMT_NETSCAPE}, + {"nss", OPT_FMT_NSS}, + {"text", OPT_FMT_TEXT}, + {"http", OPT_FMT_HTTP}, + {"pvk", OPT_FMT_PVK}, + {NULL} +}; + +/* Print an error message about a failed format parse. */ +int opt_format_error(const char *s, unsigned long flags) +{ + OPT_PAIR *ap; + + if (flags == OPT_FMT_PEMDER) + BIO_printf(bio_err, "%s: Bad format \"%s\"; must be pem or der\n", + prog, s); + else { + BIO_printf(bio_err, "%s: Bad format \"%s\"; must be one of:\n", + prog, s); + for (ap = formats; ap->name; ap++) + if (flags & ap->retval) + BIO_printf(bio_err, " %s\n", ap->name); + } + return 0; +} + +/* Parse a format string, put it into *result; return 0 on failure, else 1. */ +int opt_format(const char *s, unsigned long flags, int *result) +{ + switch (*s) { + default: + return 0; + case 'D': + case 'd': + if ((flags & OPT_FMT_PEMDER) == 0) + return opt_format_error(s, flags); + *result = FORMAT_ASN1; + break; + case 'T': + case 't': + if ((flags & OPT_FMT_TEXT) == 0) + return opt_format_error(s, flags); + *result = FORMAT_TEXT; + break; + case 'N': + case 'n': + if ((flags & OPT_FMT_NSS) == 0) + return opt_format_error(s, flags); + if (strcmp(s, "NSS") != 0 && strcmp(s, "nss") != 0) + return opt_format_error(s, flags); + *result = FORMAT_NSS; + break; + case 'S': + case 's': + if ((flags & OPT_FMT_SMIME) == 0) + return opt_format_error(s, flags); + *result = FORMAT_SMIME; + break; + case 'M': + case 'm': + if ((flags & OPT_FMT_MSBLOB) == 0) + return opt_format_error(s, flags); + *result = FORMAT_MSBLOB; + break; + case 'E': + case 'e': + if ((flags & OPT_FMT_ENGINE) == 0) + return opt_format_error(s, flags); + *result = FORMAT_ENGINE; + break; + case 'H': + case 'h': + if ((flags & OPT_FMT_HTTP) == 0) + return opt_format_error(s, flags); + *result = FORMAT_HTTP; + break; + case '1': + if ((flags & OPT_FMT_PKCS12) == 0) + return opt_format_error(s, flags); + *result = FORMAT_PKCS12; + break; + case 'P': + case 'p': + if (s[1] == '\0' || strcmp(s, "PEM") == 0 || strcmp(s, "pem") == 0) { + if ((flags & OPT_FMT_PEMDER) == 0) + return opt_format_error(s, flags); + *result = FORMAT_PEM; + } else if (strcmp(s, "PVK") == 0 || strcmp(s, "pvk") == 0) { + if ((flags & OPT_FMT_PVK) == 0) + return opt_format_error(s, flags); + *result = FORMAT_PVK; + } else if (strcmp(s, "P12") == 0 || strcmp(s, "p12") == 0 + || strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) { + if ((flags & OPT_FMT_PKCS12) == 0) + return opt_format_error(s, flags); + *result = FORMAT_PKCS12; + } else + return 0; + break; + } + return 1; +} + +/* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */ +int opt_cipher(const char *name, const EVP_CIPHER **cipherp) +{ + *cipherp = EVP_get_cipherbyname(name); + if (*cipherp) + return 1; + BIO_printf(bio_err, "%s: Unknown cipher %s\n", prog, name); + return 0; +} + +/* + * Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1. + */ +int opt_md(const char *name, const EVP_MD **mdp) +{ + *mdp = EVP_get_digestbyname(name); + if (*mdp) + return 1; + BIO_printf(bio_err, "%s: Unknown digest %s\n", prog, name); + return 0; +} + +/* Look through a list of name/value pairs. */ +int opt_pair(const char *name, const OPT_PAIR* pairs, int *result) +{ + const OPT_PAIR *pp; + + for (pp = pairs; pp->name; pp++) + if (strcmp(pp->name, name) == 0) { + *result = pp->retval; + return 1; + } + BIO_printf(bio_err, "%s: Value must be one of:\n", prog); + for (pp = pairs; pp->name; pp++) + BIO_printf(bio_err, "\t%s\n", pp->name); + return 0; +} + +/* Parse an int, put it into *result; return 0 on failure, else 1. */ +int opt_int(const char *value, int *result) +{ + long l; + + if (!opt_long(value, &l)) + return 0; + *result = (int)l; + if (*result != l) { + BIO_printf(bio_err, "%s: Value \"%s\" outside integer range\n", + prog, value); + return 0; + } + return 1; +} + +/* Parse a long, put it into *result; return 0 on failure, else 1. */ +int opt_long(const char *value, long *result) +{ + int oerrno = errno; + long l; + char *endp; + + errno = 0; + l = strtol(value, &endp, 0); + if (*endp + || endp == value + || ((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE) + || (l == 0 && errno != 0)) { + BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n", + prog, value); + errno = oerrno; + return 0; + } + *result = l; + errno = oerrno; + return 1; +} + +#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \ + defined(INTMAX_MAX) && defined(UINTMAX_MAX) + +/* Parse an intmax_t, put it into *result; return 0 on failure, else 1. */ +int opt_imax(const char *value, intmax_t *result) +{ + int oerrno = errno; + intmax_t m; + char *endp; + + errno = 0; + m = strtoimax(value, &endp, 0); + if (*endp + || endp == value + || ((m == INTMAX_MAX || m == INTMAX_MIN) && errno == ERANGE) + || (m == 0 && errno != 0)) { + BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n", + prog, value); + errno = oerrno; + return 0; + } + *result = m; + errno = oerrno; + return 1; +} + +/* Parse a uintmax_t, put it into *result; return 0 on failure, else 1. */ +int opt_umax(const char *value, uintmax_t *result) +{ + int oerrno = errno; + uintmax_t m; + char *endp; + + errno = 0; + m = strtoumax(value, &endp, 0); + if (*endp + || endp == value + || (m == UINTMAX_MAX && errno == ERANGE) + || (m == 0 && errno != 0)) { + BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n", + prog, value); + errno = oerrno; + return 0; + } + *result = m; + errno = oerrno; + return 1; +} +#endif + +/* + * Parse an unsigned long, put it into *result; return 0 on failure, else 1. + */ +int opt_ulong(const char *value, unsigned long *result) +{ + int oerrno = errno; + char *endptr; + unsigned long l; + + errno = 0; + l = strtoul(value, &endptr, 0); + if (*endptr + || endptr == value + || ((l == ULONG_MAX) && errno == ERANGE) + || (l == 0 && errno != 0)) { + BIO_printf(bio_err, "%s: Can't parse \"%s\" as an unsigned number\n", + prog, value); + errno = oerrno; + return 0; + } + *result = l; + errno = oerrno; + return 1; +} + +/* + * We pass opt as an int but cast it to "enum range" so that all the + * items in the OPT_V_ENUM enumeration are caught; this makes -Wswitch + * in gcc do the right thing. + */ +enum range { OPT_V_ENUM }; + +int opt_verify(int opt, X509_VERIFY_PARAM *vpm) +{ + int i; + ossl_intmax_t t = 0; + ASN1_OBJECT *otmp; + X509_PURPOSE *xptmp; + const X509_VERIFY_PARAM *vtmp; + + assert(vpm != NULL); + assert(opt > OPT_V__FIRST); + assert(opt < OPT_V__LAST); + + switch ((enum range)opt) { + case OPT_V__FIRST: + case OPT_V__LAST: + return 0; + case OPT_V_POLICY: + otmp = OBJ_txt2obj(opt_arg(), 0); + if (otmp == NULL) { + BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg()); + return 0; + } + X509_VERIFY_PARAM_add0_policy(vpm, otmp); + break; + case OPT_V_PURPOSE: + /* purpose name -> purpose index */ + i = X509_PURPOSE_get_by_sname(opt_arg()); + if (i < 0) { + BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg()); + return 0; + } + + /* purpose index -> purpose object */ + xptmp = X509_PURPOSE_get0(i); + + /* purpose object -> purpose value */ + i = X509_PURPOSE_get_id(xptmp); + + if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) { + BIO_printf(bio_err, + "%s: Internal error setting purpose %s\n", + prog, opt_arg()); + return 0; + } + break; + case OPT_V_VERIFY_NAME: + vtmp = X509_VERIFY_PARAM_lookup(opt_arg()); + if (vtmp == NULL) { + BIO_printf(bio_err, "%s: Invalid verify name %s\n", + prog, opt_arg()); + return 0; + } + X509_VERIFY_PARAM_set1(vpm, vtmp); + break; + case OPT_V_VERIFY_DEPTH: + i = atoi(opt_arg()); + if (i >= 0) + X509_VERIFY_PARAM_set_depth(vpm, i); + break; + case OPT_V_VERIFY_AUTH_LEVEL: + i = atoi(opt_arg()); + if (i >= 0) + X509_VERIFY_PARAM_set_auth_level(vpm, i); + break; + case OPT_V_ATTIME: + if (!opt_imax(opt_arg(), &t)) + return 0; + if (t != (time_t)t) { + BIO_printf(bio_err, "%s: epoch time out of range %s\n", + prog, opt_arg()); + return 0; + } + X509_VERIFY_PARAM_set_time(vpm, (time_t)t); + break; + case OPT_V_VERIFY_HOSTNAME: + if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0)) + return 0; + break; + case OPT_V_VERIFY_EMAIL: + if (!X509_VERIFY_PARAM_set1_email(vpm, opt_arg(), 0)) + return 0; + break; + case OPT_V_VERIFY_IP: + if (!X509_VERIFY_PARAM_set1_ip_asc(vpm, opt_arg())) + return 0; + break; + case OPT_V_IGNORE_CRITICAL: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL); + break; + case OPT_V_ISSUER_CHECKS: + /* NOP, deprecated */ + break; + case OPT_V_CRL_CHECK: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK); + break; + case OPT_V_CRL_CHECK_ALL: + X509_VERIFY_PARAM_set_flags(vpm, + X509_V_FLAG_CRL_CHECK | + X509_V_FLAG_CRL_CHECK_ALL); + break; + case OPT_V_POLICY_CHECK: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK); + break; + case OPT_V_EXPLICIT_POLICY: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXPLICIT_POLICY); + break; + case OPT_V_INHIBIT_ANY: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_ANY); + break; + case OPT_V_INHIBIT_MAP: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_MAP); + break; + case OPT_V_X509_STRICT: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_X509_STRICT); + break; + case OPT_V_EXTENDED_CRL: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXTENDED_CRL_SUPPORT); + break; + case OPT_V_USE_DELTAS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_DELTAS); + break; + case OPT_V_POLICY_PRINT: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NOTIFY_POLICY); + break; + case OPT_V_CHECK_SS_SIG: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CHECK_SS_SIGNATURE); + break; + case OPT_V_TRUSTED_FIRST: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_TRUSTED_FIRST); + break; + case OPT_V_SUITEB_128_ONLY: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS_ONLY); + break; + case OPT_V_SUITEB_128: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS); + break; + case OPT_V_SUITEB_192: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_192_LOS); + break; + case OPT_V_PARTIAL_CHAIN: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN); + break; + case OPT_V_NO_ALT_CHAINS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS); + break; + case OPT_V_NO_CHECK_TIME: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME); + break; + case OPT_V_ALLOW_PROXY_CERTS: + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_ALLOW_PROXY_CERTS); + break; + } + return 1; + +} + +/* + * Parse the next flag (and value if specified), return 0 if done, -1 on + * error, otherwise the flag's retval. + */ +int opt_next(void) +{ + char *p; + const OPTIONS *o; + int ival; + long lval; + unsigned long ulval; + ossl_intmax_t imval; + ossl_uintmax_t umval; + + /* Look at current arg; at end of the list? */ + arg = NULL; + p = argv[opt_index]; + if (p == NULL) + return 0; + + /* If word doesn't start with a -, we're done. */ + if (*p != '-') + return 0; + + /* Hit "--" ? We're done. */ + opt_index++; + if (strcmp(p, "--") == 0) + return 0; + + /* Allow -nnn and --nnn */ + if (*++p == '-') + p++; + flag = p - 1; + + /* If we have --flag=foo, snip it off */ + if ((arg = strchr(p, '=')) != NULL) + *arg++ = '\0'; + for (o = opts; o->name; ++o) { + /* If not this option, move on to the next one. */ + if (strcmp(p, o->name) != 0) + continue; + + /* If it doesn't take a value, make sure none was given. */ + if (o->valtype == 0 || o->valtype == '-') { + if (arg) { + BIO_printf(bio_err, + "%s: Option -%s does not take a value\n", prog, p); + return -1; + } + return o->retval; + } + + /* Want a value; get the next param if =foo not used. */ + if (arg == NULL) { + if (argv[opt_index] == NULL) { + BIO_printf(bio_err, + "%s: Option -%s needs a value\n", prog, o->name); + return -1; + } + arg = argv[opt_index++]; + } + + /* Syntax-check value. */ + switch (o->valtype) { + default: + case 's': + /* Just a string. */ + break; + case '/': + if (app_isdir(arg) >= 0) + break; + BIO_printf(bio_err, "%s: Not a directory: %s\n", prog, arg); + return -1; + case '<': + /* Input file. */ + if (strcmp(arg, "-") == 0 || app_access(arg, R_OK) >= 0) + break; + BIO_printf(bio_err, + "%s: Cannot open input file %s, %s\n", + prog, arg, strerror(errno)); + return -1; + case '>': + /* Output file. */ + if (strcmp(arg, "-") == 0 || app_access(arg, W_OK) >= 0 || errno == ENOENT) + break; + BIO_printf(bio_err, + "%s: Cannot open output file %s, %s\n", + prog, arg, strerror(errno)); + return -1; + case 'p': + case 'n': + if (!opt_int(arg, &ival) + || (o->valtype == 'p' && ival <= 0)) { + BIO_printf(bio_err, + "%s: Non-positive number \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + } + break; + case 'M': + if (!opt_imax(arg, &imval)) { + BIO_printf(bio_err, + "%s: Invalid number \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + } + break; + case 'U': + if (!opt_umax(arg, &umval)) { + BIO_printf(bio_err, + "%s: Invalid number \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + } + break; + case 'l': + if (!opt_long(arg, &lval)) { + BIO_printf(bio_err, + "%s: Invalid number \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + } + break; + case 'u': + if (!opt_ulong(arg, &ulval)) { + BIO_printf(bio_err, + "%s: Invalid number \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + } + break; + case 'c': + case 'E': + case 'F': + case 'f': + if (opt_format(arg, + o->valtype == 'c' ? OPT_FMT_PDS : + o->valtype == 'E' ? OPT_FMT_PDE : + o->valtype == 'F' ? OPT_FMT_PEMDER + : OPT_FMT_ANY, &ival)) + break; + BIO_printf(bio_err, + "%s: Invalid format \"%s\" for -%s\n", + prog, arg, o->name); + return -1; + } + + /* Return the flag value. */ + return o->retval; + } + if (unknown != NULL) { + dunno = p; + return unknown->retval; + } + BIO_printf(bio_err, "%s: Option unknown option -%s\n", prog, p); + return -1; +} + +/* Return the most recent flag parameter. */ +char *opt_arg(void) +{ + return arg; +} + +/* Return the most recent flag. */ +char *opt_flag(void) +{ + return flag; +} + +/* Return the unknown option. */ +char *opt_unknown(void) +{ + return dunno; +} + +/* Return the rest of the arguments after parsing flags. */ +char **opt_rest(void) +{ + return &argv[opt_index]; +} + +/* How many items in remaining args? */ +int opt_num_rest(void) +{ + int i = 0; + char **pp; + + for (pp = opt_rest(); *pp; pp++, i++) + continue; + return i; +} + +/* Return a string describing the parameter type. */ +static const char *valtype2param(const OPTIONS *o) +{ + switch (o->valtype) { + case 0: + case '-': + return ""; + case 's': + return "val"; + case '/': + return "dir"; + case '<': + return "infile"; + case '>': + return "outfile"; + case 'p': + return "+int"; + case 'n': + return "int"; + case 'l': + return "long"; + case 'u': + return "ulong"; + case 'E': + return "PEM|DER|ENGINE"; + case 'F': + return "PEM|DER"; + case 'f': + return "format"; + case 'M': + return "intmax"; + case 'U': + return "uintmax"; + } + return "parm"; +} + +void opt_help(const OPTIONS *list) +{ + const OPTIONS *o; + int i; + int standard_prolog; + int width = 5; + char start[80 + 1]; + char *p; + const char *help; + + /* Starts with its own help message? */ + standard_prolog = list[0].name != OPT_HELP_STR; + + /* Find the widest help. */ + for (o = list; o->name; o++) { + if (o->name == OPT_MORE_STR) + continue; + i = 2 + (int)strlen(o->name); + if (o->valtype != '-') + i += 1 + strlen(valtype2param(o)); + if (i < MAX_OPT_HELP_WIDTH && i > width) + width = i; + assert(i < (int)sizeof(start)); + } + + if (standard_prolog) + BIO_printf(bio_err, "Usage: %s [options]\nValid options are:\n", + prog); + + /* Now let's print. */ + for (o = list; o->name; o++) { + help = o->helpstr ? o->helpstr : "(No additional info)"; + if (o->name == OPT_HELP_STR) { + BIO_printf(bio_err, help, prog); + continue; + } + + /* Pad out prefix */ + memset(start, ' ', sizeof(start) - 1); + start[sizeof(start) - 1] = '\0'; + + if (o->name == OPT_MORE_STR) { + /* Continuation of previous line; pad and print. */ + start[width] = '\0'; + BIO_printf(bio_err, "%s %s\n", start, help); + continue; + } + + /* Build up the "-flag [param]" part. */ + p = start; + *p++ = ' '; + *p++ = '-'; + if (o->name[0]) + p += strlen(strcpy(p, o->name)); + else + *p++ = '*'; + if (o->valtype != '-') { + *p++ = ' '; + p += strlen(strcpy(p, valtype2param(o))); + } + *p = ' '; + if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) { + *p = '\0'; + BIO_printf(bio_err, "%s\n", start); + memset(start, ' ', sizeof(start)); + } + start[width] = '\0'; + BIO_printf(bio_err, "%s %s\n", start, help); + } +} + +#ifdef COMPILE_STANDALONE_TEST_DRIVER +# include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_IN, OPT_INFORM, OPT_OUT, OPT_COUNT, OPT_U, OPT_FLAG, + OPT_STR, OPT_NOTUSED +} OPTION_CHOICE; + +static OPTIONS options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s flags\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "input file"}, + {OPT_MORE_STR, 1, '-', "more detail about input"}, + {"inform", OPT_INFORM, 'f', "input file format; defaults to pem"}, + {"out", OPT_OUT, '>', "output file"}, + {"count", OPT_COUNT, 'p', "a counter greater than zero"}, + {"u", OPT_U, 'u', "an unsigned number"}, + {"flag", OPT_FLAG, 0, "just some flag"}, + {"str", OPT_STR, 's', "the magic word"}, + {"areallyverylongoption", OPT_HELP, '-', "long way for help"}, + {NULL} +}; + +BIO *bio_err; + +int app_isdir(const char *name) +{ + struct stat sb; + + return name != NULL && stat(name, &sb) >= 0 && S_ISDIR(sb.st_mode); +} + +int main(int ac, char **av) +{ + OPTION_CHOICE o; + char **rest; + char *prog; + + bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); + + prog = opt_init(ac, av, options); + while ((o = opt_next()) != OPT_EOF) { + switch (c) { + case OPT_NOTUSED: + case OPT_EOF: + case OPT_ERR: + printf("%s: Usage error; try -help.\n", prog); + return 1; + case OPT_HELP: + opt_help(options); + return 0; + case OPT_IN: + printf("in %s\n", opt_arg()); + break; + case OPT_INFORM: + printf("inform %s\n", opt_arg()); + break; + case OPT_OUT: + printf("out %s\n", opt_arg()); + break; + case OPT_COUNT: + printf("count %s\n", opt_arg()); + break; + case OPT_U: + printf("u %s\n", opt_arg()); + break; + case OPT_FLAG: + printf("flag\n"); + break; + case OPT_STR: + printf("str %s\n", opt_arg()); + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + printf("args = %d\n", argc); + if (argc) + while (*argv) + printf(" %s\n", *argv++); + return 0; +} +#endif diff --git a/openssl-1.1.0h/apps/passwd.c b/openssl-1.1.0h/apps/passwd.c new file mode 100644 index 0000000..f2b0d9a --- /dev/null +++ b/openssl-1.1.0h/apps/passwd.c @@ -0,0 +1,512 @@ +/* + * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#if defined OPENSSL_NO_MD5 || defined CHARSET_EBCDIC +# define NO_MD5CRYPT_1 +#endif + +#if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1) + +# include + +# include "apps.h" + +# include +# include +# include +# include +# ifndef OPENSSL_NO_DES +# include +# endif +# ifndef NO_MD5CRYPT_1 +# include +# endif + +static unsigned const char cov_2char[64] = { + /* from crypto/des/fcrypt.c */ + 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, + 0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44, + 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, + 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, + 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, + 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, + 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, + 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A +}; + +static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, + char *passwd, BIO *out, int quiet, int table, + int reverse, size_t pw_maxlen, int usecrypt, int use1, + int useapr1); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_IN, + OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1, + OPT_1, OPT_CRYPT, OPT_SALT, OPT_STDIN +} OPTION_CHOICE; + +OPTIONS passwd_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Read passwords from file"}, + {"noverify", OPT_NOVERIFY, '-', + "Never verify when reading password from terminal"}, + {"quiet", OPT_QUIET, '-', "No warnings"}, + {"table", OPT_TABLE, '-', "Format output as table"}, + {"reverse", OPT_REVERSE, '-', "Switch table columns"}, + {"salt", OPT_SALT, 's', "Use provided salt"}, + {"stdin", OPT_STDIN, '-', "Read passwords from stdin"}, +# ifndef NO_MD5CRYPT_1 + {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"}, + {"1", OPT_1, '-', "MD5-based password algorithm"}, +# endif +# ifndef OPENSSL_NO_DES + {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"}, +# endif + {NULL} +}; + +int passwd_main(int argc, char **argv) +{ + BIO *in = NULL; + char *infile = NULL, *salt = NULL, *passwd = NULL, **passwds = NULL; + char *salt_malloc = NULL, *passwd_malloc = NULL, *prog; + OPTION_CHOICE o; + int in_stdin = 0, pw_source_defined = 0; +# ifndef OPENSSL_NO_UI + int in_noverify = 0; +# endif + int passed_salt = 0, quiet = 0, table = 0, reverse = 0; + int ret = 1, usecrypt = 0, use1 = 0, useapr1 = 0; + size_t passwd_malloc_size = 0, pw_maxlen = 256; + + prog = opt_init(argc, argv, passwd_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(passwd_options); + ret = 0; + goto end; + case OPT_IN: + if (pw_source_defined) + goto opthelp; + infile = opt_arg(); + pw_source_defined = 1; + break; + case OPT_NOVERIFY: +# ifndef OPENSSL_NO_UI + in_noverify = 1; +# endif + break; + case OPT_QUIET: + quiet = 1; + break; + case OPT_TABLE: + table = 1; + break; + case OPT_REVERSE: + reverse = 1; + break; + case OPT_1: + use1 = 1; + break; + case OPT_APR1: + useapr1 = 1; + break; + case OPT_CRYPT: + usecrypt = 1; + break; + case OPT_SALT: + passed_salt = 1; + salt = opt_arg(); + break; + case OPT_STDIN: + if (pw_source_defined) + goto opthelp; + in_stdin = 1; + pw_source_defined = 1; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (*argv) { + if (pw_source_defined) + goto opthelp; + pw_source_defined = 1; + passwds = argv; + } + + if (!usecrypt && !use1 && !useapr1) { + /* use default */ + usecrypt = 1; + } + if (usecrypt + use1 + useapr1 > 1) { + /* conflict */ + goto opthelp; + } + +# ifdef OPENSSL_NO_DES + if (usecrypt) + goto opthelp; +# endif +# ifdef NO_MD5CRYPT_1 + if (use1 || useapr1) + goto opthelp; +# endif + + if (infile != NULL && in_stdin) { + BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog); + goto end; + } + + if (infile != NULL || in_stdin) { + /* + * If in_stdin is true, we know that infile is NULL, and that + * bio_open_default() will give us back an alias for stdin. + */ + in = bio_open_default(infile, 'r', FORMAT_TEXT); + if (in == NULL) + goto end; + } + + if (usecrypt) + pw_maxlen = 8; + else if (use1 || useapr1) + pw_maxlen = 256; /* arbitrary limit, should be enough for most + * passwords */ + + if (passwds == NULL) { + /* no passwords on the command line */ + + passwd_malloc_size = pw_maxlen + 2; + /* longer than necessary so that we can warn about truncation */ + passwd = passwd_malloc = + app_malloc(passwd_malloc_size, "password buffer"); + } + + if ((in == NULL) && (passwds == NULL)) { + /* + * we use the following method to make sure what + * in the 'else' section is always compiled, to + * avoid rot of not-frequently-used code. + */ + if (1) { +# ifndef OPENSSL_NO_UI + /* build a null-terminated list */ + static char *passwds_static[2] = { NULL, NULL }; + + passwds = passwds_static; + if (in == NULL) { + if (EVP_read_pw_string + (passwd_malloc, passwd_malloc_size, "Password: ", + !(passed_salt || in_noverify)) != 0) + goto end; + } + passwds[0] = passwd_malloc; + } else { +# endif + BIO_printf(bio_err, "password required\n"); + goto end; + } + } + + if (in == NULL) { + assert(passwds != NULL); + assert(*passwds != NULL); + + do { /* loop over list of passwords */ + passwd = *passwds++; + if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out, + quiet, table, reverse, pw_maxlen, usecrypt, use1, + useapr1)) + goto end; + } while (*passwds != NULL); + } else { + /* in != NULL */ + int done; + + assert(passwd != NULL); + do { + int r = BIO_gets(in, passwd, pw_maxlen + 1); + if (r > 0) { + char *c = (strchr(passwd, '\n')); + if (c != NULL) { + *c = 0; /* truncate at newline */ + } else { + /* ignore rest of line */ + char trash[BUFSIZ]; + do + r = BIO_gets(in, trash, sizeof(trash)); + while ((r > 0) && (!strchr(trash, '\n'))); + } + + if (!do_passwd + (passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet, + table, reverse, pw_maxlen, usecrypt, use1, useapr1)) + goto end; + } + done = (r <= 0); + } while (!done); + } + ret = 0; + + end: + ERR_print_errors(bio_err); + OPENSSL_free(salt_malloc); + OPENSSL_free(passwd_malloc); + BIO_free(in); + return (ret); +} + +# ifndef NO_MD5CRYPT_1 +/* + * MD5-based password algorithm (should probably be available as a library + * function; then the static buffer would not be acceptable). For magic + * string "1", this should be compatible to the MD5-based BSD password + * algorithm. For 'magic' string "apr1", this is compatible to the MD5-based + * Apache password algorithm. (Apparently, the Apache password algorithm is + * identical except that the 'magic' string was changed -- the laziest + * application of the NIH principle I've ever encountered.) + */ +static char *md5crypt(const char *passwd, const char *magic, const char *salt) +{ + /* "$apr1$..salt..$.......md5hash..........\0" */ + static char out_buf[6 + 9 + 24 + 2]; + unsigned char buf[MD5_DIGEST_LENGTH]; + char *salt_out; + int n; + unsigned int i; + EVP_MD_CTX *md = NULL, *md2 = NULL; + size_t passwd_len, salt_len, magic_len; + + passwd_len = strlen(passwd); + out_buf[0] = '$'; + out_buf[1] = 0; + magic_len = strlen(magic); + + if (magic_len > 4) /* assert it's "1" or "apr1" */ + return NULL; + + OPENSSL_strlcat(out_buf, magic, sizeof(out_buf)); + OPENSSL_strlcat(out_buf, "$", sizeof(out_buf)); + OPENSSL_strlcat(out_buf, salt, sizeof(out_buf)); + + if (strlen(out_buf) > 6 + 8) /* assert "$apr1$..salt.." */ + return NULL; + + salt_out = out_buf + 2 + magic_len; + salt_len = strlen(salt_out); + + if (salt_len > 8) + return NULL; + + md = EVP_MD_CTX_new(); + if (md == NULL + || !EVP_DigestInit_ex(md, EVP_md5(), NULL) + || !EVP_DigestUpdate(md, passwd, passwd_len) + || !EVP_DigestUpdate(md, "$", 1) + || !EVP_DigestUpdate(md, magic, magic_len) + || !EVP_DigestUpdate(md, "$", 1) + || !EVP_DigestUpdate(md, salt_out, salt_len)) + goto err; + + md2 = EVP_MD_CTX_new(); + if (md2 == NULL + || !EVP_DigestInit_ex(md2, EVP_md5(), NULL) + || !EVP_DigestUpdate(md2, passwd, passwd_len) + || !EVP_DigestUpdate(md2, salt_out, salt_len) + || !EVP_DigestUpdate(md2, passwd, passwd_len) + || !EVP_DigestFinal_ex(md2, buf, NULL)) + goto err; + + for (i = passwd_len; i > sizeof(buf); i -= sizeof(buf)) { + if (!EVP_DigestUpdate(md, buf, sizeof(buf))) + goto err; + } + if (!EVP_DigestUpdate(md, buf, i)) + goto err; + + n = passwd_len; + while (n) { + if (!EVP_DigestUpdate(md, (n & 1) ? "\0" : passwd, 1)) + goto err; + n >>= 1; + } + if (!EVP_DigestFinal_ex(md, buf, NULL)) + return NULL; + + for (i = 0; i < 1000; i++) { + if (!EVP_DigestInit_ex(md2, EVP_md5(), NULL)) + goto err; + if (!EVP_DigestUpdate(md2, + (i & 1) ? (unsigned const char *)passwd : buf, + (i & 1) ? passwd_len : sizeof(buf))) + goto err; + if (i % 3) { + if (!EVP_DigestUpdate(md2, salt_out, salt_len)) + goto err; + } + if (i % 7) { + if (!EVP_DigestUpdate(md2, passwd, passwd_len)) + goto err; + } + if (!EVP_DigestUpdate(md2, + (i & 1) ? buf : (unsigned const char *)passwd, + (i & 1) ? sizeof(buf) : passwd_len)) + goto err; + if (!EVP_DigestFinal_ex(md2, buf, NULL)) + goto err; + } + EVP_MD_CTX_free(md2); + EVP_MD_CTX_free(md); + md2 = NULL; + md = NULL; + + { + /* transform buf into output string */ + unsigned char buf_perm[sizeof(buf)]; + int dest, source; + char *output; + + /* silly output permutation */ + for (dest = 0, source = 0; dest < 14; + dest++, source = (source + 6) % 17) + buf_perm[dest] = buf[source]; + buf_perm[14] = buf[5]; + buf_perm[15] = buf[11]; +# ifndef PEDANTIC /* Unfortunately, this generates a "no + * effect" warning */ + assert(16 == sizeof(buf_perm)); +# endif + + output = salt_out + salt_len; + assert(output == out_buf + strlen(out_buf)); + + *output++ = '$'; + + for (i = 0; i < 15; i += 3) { + *output++ = cov_2char[buf_perm[i + 2] & 0x3f]; + *output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) | + (buf_perm[i + 2] >> 6)]; + *output++ = cov_2char[((buf_perm[i] & 3) << 4) | + (buf_perm[i + 1] >> 4)]; + *output++ = cov_2char[buf_perm[i] >> 2]; + } + assert(i == 15); + *output++ = cov_2char[buf_perm[i] & 0x3f]; + *output++ = cov_2char[buf_perm[i] >> 6]; + *output = 0; + assert(strlen(out_buf) < sizeof(out_buf)); + } + + return out_buf; + + err: + EVP_MD_CTX_free(md2); + EVP_MD_CTX_free(md); + return NULL; +} +# endif + +static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p, + char *passwd, BIO *out, int quiet, int table, + int reverse, size_t pw_maxlen, int usecrypt, int use1, + int useapr1) +{ + char *hash = NULL; + + assert(salt_p != NULL); + assert(salt_malloc_p != NULL); + + /* first make sure we have a salt */ + if (!passed_salt) { +# ifndef OPENSSL_NO_DES + if (usecrypt) { + if (*salt_malloc_p == NULL) + *salt_p = *salt_malloc_p = app_malloc(3, "salt buffer"); + if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0) + goto end; + (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */ + (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */ + (*salt_p)[2] = 0; +# ifdef CHARSET_EBCDIC + ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert back + * to ASCII */ +# endif + } +# endif /* !OPENSSL_NO_DES */ + +# ifndef NO_MD5CRYPT_1 + if (use1 || useapr1) { + int i; + + if (*salt_malloc_p == NULL) + *salt_p = *salt_malloc_p = app_malloc(9, "salt buffer"); + if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0) + goto end; + + for (i = 0; i < 8; i++) + (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */ + (*salt_p)[8] = 0; + } +# endif /* !NO_MD5CRYPT_1 */ + } + + assert(*salt_p != NULL); + + /* truncate password if necessary */ + if ((strlen(passwd) > pw_maxlen)) { + if (!quiet) + /* + * XXX: really we should know how to print a size_t, not cast it + */ + BIO_printf(bio_err, + "Warning: truncating password to %u characters\n", + (unsigned)pw_maxlen); + passwd[pw_maxlen] = 0; + } + assert(strlen(passwd) <= pw_maxlen); + + /* now compute password hash */ +# ifndef OPENSSL_NO_DES + if (usecrypt) + hash = DES_crypt(passwd, *salt_p); +# endif +# ifndef NO_MD5CRYPT_1 + if (use1 || useapr1) + hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p); +# endif + assert(hash != NULL); + + if (table && !reverse) + BIO_printf(out, "%s\t%s\n", passwd, hash); + else if (table && reverse) + BIO_printf(out, "%s\t%s\n", hash, passwd); + else + BIO_printf(out, "%s\n", hash); + return 1; + + end: + return 0; +} +#else + +int passwd_main(int argc, char **argv) +{ + BIO_printf(bio_err, "Program not available.\n"); + return (1); +} +#endif diff --git a/openssl-1.1.0h/apps/pca-cert.srl b/openssl-1.1.0h/apps/pca-cert.srl new file mode 100644 index 0000000..2c7456e --- /dev/null +++ b/openssl-1.1.0h/apps/pca-cert.srl @@ -0,0 +1 @@ +07 diff --git a/openssl-1.1.0h/apps/pca-key.pem b/openssl-1.1.0h/apps/pca-key.pem new file mode 100644 index 0000000..c6ad0e9 --- /dev/null +++ b/openssl-1.1.0h/apps/pca-key.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALYYjjtpLs/lfkPF +xAFZ4V3He5mZFbsEakK9bA2fQaryreRwyfhbXbDJHyBV+c4xI5fbmmVd2t/us4k4 +rMhGsBtL89SqCEHhPJpLFywiQVmJTAjANYrWkZK5uR/++YmZyzuLfPHLButuK6cF +GKXw3NNToxjYooMf0mad2rPX3cKTAgMBAAECgYBvrJ+Nz/Pli9jjt2V9bqHH4Y7r +o/avuwVv6Ltbn0+mhy4d6w3yQhYzVSTBr/iDe59YglUt1WFl8/4nKZrNOIzHJlav +Sw4hd3fYBHxbT+DgZMQ9ikjHECWRdDffrnlTLsSJAcxnpMJBPe3dKCRDMUrqWUvB +IIKaxyqmXJms5Y/wAQJBAPFL9NMKJcWBftMKXCasxsV0ZGjgqHGZODYjtGFN9jJO +6AbZrxfCcapTWG4RCC2o/EDEMN8aArEhfdrYY3lhXGsCQQDBMRzFevkD7SYXTw5G +NA/gJOAsFMYbt7tebcCRsHT7t3ymVfO2QwK7ZF0f/SYvi7cMAPraHvO7s3kFdGTB +kDx5AkAHBICASsFCdzurA5gef9PgFjx9WFtNwnkCChPK6KuKVwUkfdw7wqnvnDDs +Mo6cVVfQwmPxeR4u7JxuavCprQ01AkEAp5ZGAh1J9Jj9CQ1AMbAp8WOrvzGKJTM9 +641Dll4/LLif/d7j2kDJFuvaSMyeGnKVqGkVMq/U+QeYPR4Z5TuM6QJAWK05qFed +wYgTZyVN0MY53ZOMAIWwjz0cr24TvDfmsZqIvguGL616GKQZKdKDZQyQHg+dCzqJ +HgIoacuFDKz5CA== +-----END PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/pca-req.pem b/openssl-1.1.0h/apps/pca-req.pem new file mode 100644 index 0000000..5a8c5cb --- /dev/null +++ b/openssl-1.1.0h/apps/pca-req.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBnDCCAQUCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQx +GjAYBgNVBAoMEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDDBNUZXN0IFBDQSAo +MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2GI47aS7P5X5D +xcQBWeFdx3uZmRW7BGpCvWwNn0Gq8q3kcMn4W12wyR8gVfnOMSOX25plXdrf7rOJ +OKzIRrAbS/PUqghB4TyaSxcsIkFZiUwIwDWK1pGSubkf/vmJmcs7i3zxywbrbiun +BRil8NzTU6MY2KKDH9Jmndqz193CkwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEA +eJdCB0nHnFK0hek4biAxX0GuJXkknuUy46NKEhv3GBwt4gtO29bfkbQTGOsBBKNs +KptlnkItscOXY+0lSva9K3XlwD9do7k2IZFtXJVayZVw1GcKybIY0l7B6kcSxG7T +f3CsO+ifdrsJKtyoZNs96lBMrtXyGybt3mgQNdZauQU= +-----END CERTIFICATE REQUEST----- diff --git a/openssl-1.1.0h/apps/pkcs12.c b/openssl-1.1.0h/apps/pkcs12.c new file mode 100644 index 0000000..85f649d --- /dev/null +++ b/openssl-1.1.0h/apps/pkcs12.c @@ -0,0 +1,935 @@ +/* + * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#if defined(OPENSSL_NO_DES) +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include + +# define NOKEYS 0x1 +# define NOCERTS 0x2 +# define INFO 0x4 +# define CLCERTS 0x8 +# define CACERTS 0x10 + +static int get_cert_chain(X509 *cert, X509_STORE *store, + STACK_OF(X509) **chain); +int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, + const char *pass, int passlen, int options, + char *pempass, const EVP_CIPHER *enc); +int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags, + const char *pass, int passlen, int options, + char *pempass, const EVP_CIPHER *enc); +int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags, + const char *pass, int passlen, + int options, char *pempass, const EVP_CIPHER *enc); +int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, + const char *name); +void hex_prin(BIO *out, unsigned char *buf, int len); +static int alg_print(const X509_ALGOR *alg); +int cert_load(BIO *in, STACK_OF(X509) *sk); +static int set_pbe(int *ppbe, const char *str); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS, + OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER, + OPT_DESCERT, OPT_EXPORT, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, + OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, + OPT_RAND, OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME, + OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, + OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS pkcs12_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, + {"keyex", OPT_KEYEX, '-', "Set MS key exchange type"}, + {"keysig", OPT_KEYSIG, '-', "Set MS key signature type"}, + {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"}, + {"clcerts", OPT_CLCERTS, '-', "Only output client certificates"}, + {"cacerts", OPT_CACERTS, '-', "Only output CA certificates"}, + {"noout", OPT_NOOUT, '-', "Don't output anything, just verify"}, + {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"}, + {"chain", OPT_CHAIN, '-', "Add certificate chain"}, + {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"}, + {"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"}, +# ifndef OPENSSL_NO_RC2 + {"descert", OPT_DESCERT, '-', + "Encrypt output with 3DES (default RC2-40)"}, + {"certpbe", OPT_CERTPBE, 's', + "Certificate PBE algorithm (default RC2-40)"}, +# else + {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"}, + {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"}, +# endif + {"export", OPT_EXPORT, '-', "Output PKCS12 file"}, + {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"}, + {"maciter", OPT_MACITER, '-', "Use MAC iteration"}, + {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"}, + {"nomac", OPT_NOMAC, '-', "Don't generate MAC"}, + {"LMK", OPT_LMK, '-', + "Add local machine keyset attribute to private key"}, + {"nodes", OPT_NODES, '-', "Don't encrypt private keys"}, + {"macalg", OPT_MACALG, 's', + "Digest algorithm used in MAC (default SHA1)"}, + {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"inkey", OPT_INKEY, 's', "Private key if not infile"}, + {"certfile", OPT_CERTFILE, '<', "Load certs from file"}, + {"name", OPT_NAME, 's', "Use name as friendly name"}, + {"CSP", OPT_CSP, 's', "Microsoft CSP name"}, + {"caname", OPT_CANAME, 's', + "Use name as CA friendly name (can be repeated)"}, + {"in", OPT_IN, '<', "Input filename"}, + {"out", OPT_OUT, '>', "Output filename"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"password", OPT_PASSWORD, 's', "Set import/export password source"}, + {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"}, + {"CAfile", OPT_CAFILE, '<', "PEM-format file of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +int pkcs12_main(int argc, char **argv) +{ + char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; + char *name = NULL, *csp_name = NULL; + char pass[2048] = "", macpass[2048] = ""; + int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; + int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; +# ifndef OPENSSL_NO_RC2 + int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; +# else + int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +# endif + int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + int ret = 1, macver = 1, add_lmk = 0, private = 0; + int noprompt = 0; + char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; + char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL; + char *cpass = NULL, *mpass = NULL, *badpass = NULL; + const char *CApath = NULL, *CAfile = NULL, *prog; + int noCApath = 0, noCAfile = 0; + ENGINE *e = NULL; + BIO *in = NULL, *out = NULL; + PKCS12 *p12 = NULL; + STACK_OF(OPENSSL_STRING) *canames = NULL; + const EVP_CIPHER *enc = EVP_des_ede3_cbc(); + OPTION_CHOICE o; + + prog = opt_init(argc, argv, pkcs12_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkcs12_options); + ret = 0; + goto end; + case OPT_NOKEYS: + options |= NOKEYS; + break; + case OPT_KEYEX: + keytype = KEY_EX; + break; + case OPT_KEYSIG: + keytype = KEY_SIG; + break; + case OPT_NOCERTS: + options |= NOCERTS; + break; + case OPT_CLCERTS: + options |= CLCERTS; + break; + case OPT_CACERTS: + options |= CACERTS; + break; + case OPT_NOOUT: + options |= (NOKEYS | NOCERTS); + break; + case OPT_INFO: + options |= INFO; + break; + case OPT_CHAIN: + chain = 1; + break; + case OPT_TWOPASS: + twopass = 1; + break; + case OPT_NOMACVER: + macver = 0; + break; + case OPT_DESCERT: + cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + break; + case OPT_EXPORT: + export_cert = 1; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto opthelp; + break; + case OPT_NOITER: + iter = 1; + break; + case OPT_MACITER: + maciter = PKCS12_DEFAULT_ITER; + break; + case OPT_NOMACITER: + maciter = 1; + break; + case OPT_NOMAC: + maciter = -1; + break; + case OPT_MACALG: + macalg = opt_arg(); + break; + case OPT_NODES: + enc = NULL; + break; + case OPT_CERTPBE: + if (!set_pbe(&cert_pbe, opt_arg())) + goto opthelp; + break; + case OPT_KEYPBE: + if (!set_pbe(&key_pbe, opt_arg())) + goto opthelp; + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_INKEY: + keyname = opt_arg(); + break; + case OPT_CERTFILE: + certfile = opt_arg(); + break; + case OPT_NAME: + name = opt_arg(); + break; + case OPT_LMK: + add_lmk = 1; + break; + case OPT_CSP: + csp_name = opt_arg(); + break; + case OPT_CANAME: + if (canames == NULL + && (canames = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(canames, opt_arg()); + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_PASSWORD: + passarg = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + private = 1; + + if (passarg) { + if (export_cert) + passoutarg = passarg; + else + passinarg = passarg; + } + + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + + if (!cpass) { + if (export_cert) + cpass = passout; + else + cpass = passin; + } + + if (cpass) { + mpass = cpass; + noprompt = 1; + } else { + cpass = pass; + mpass = macpass; + } + + if (export_cert || inrand) { + app_RAND_load_file(NULL, (inrand != NULL)); + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + } + + if (twopass) { + if (1) { +#ifndef OPENSSL_NO_UI + if (EVP_read_pw_string + (macpass, sizeof(macpass), "Enter MAC Password:", export_cert)) { + BIO_printf(bio_err, "Can't read Password\n"); + goto end; + } + } else { +#endif + BIO_printf(bio_err, "Unsupported option -twopass\n"); + goto end; + } + } + + if (export_cert) { + EVP_PKEY *key = NULL; + X509 *ucert = NULL, *x = NULL; + STACK_OF(X509) *certs = NULL; + const EVP_MD *macmd = NULL; + unsigned char *catmp = NULL; + int i; + + if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { + BIO_printf(bio_err, "Nothing to do!\n"); + goto export_end; + } + + if (options & NOCERTS) + chain = 0; + + if (!(options & NOKEYS)) { + key = load_key(keyname ? keyname : infile, + FORMAT_PEM, 1, passin, e, "private key"); + if (!key) + goto export_end; + } + + /* Load in all certs in input file */ + if (!(options & NOCERTS)) { + if (!load_certs(infile, &certs, FORMAT_PEM, NULL, + "certificates")) + goto export_end; + + if (key) { + /* Look for matching private key */ + for (i = 0; i < sk_X509_num(certs); i++) { + x = sk_X509_value(certs, i); + if (X509_check_private_key(x, key)) { + ucert = x; + /* Zero keyid and alias */ + X509_keyid_set1(ucert, NULL, 0); + X509_alias_set1(ucert, NULL, 0); + /* Remove from list */ + (void)sk_X509_delete(certs, i); + break; + } + } + if (!ucert) { + BIO_printf(bio_err, + "No certificate matches private key\n"); + goto export_end; + } + } + + } + + /* Add any more certificates asked for */ + if (certfile) { + if (!load_certs(certfile, &certs, FORMAT_PEM, NULL, + "certificates from certfile")) + goto export_end; + } + + /* If chaining get chain from user cert */ + if (chain) { + int vret; + STACK_OF(X509) *chain2; + X509_STORE *store; + if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) + == NULL) + goto export_end; + + vret = get_cert_chain(ucert, store, &chain2); + X509_STORE_free(store); + + if (vret == X509_V_OK) { + /* Exclude verified certificate */ + for (i = 1; i < sk_X509_num(chain2); i++) + sk_X509_push(certs, sk_X509_value(chain2, i)); + /* Free first certificate */ + X509_free(sk_X509_value(chain2, 0)); + sk_X509_free(chain2); + } else { + if (vret != X509_V_ERR_UNSPECIFIED) + BIO_printf(bio_err, "Error %s getting chain.\n", + X509_verify_cert_error_string(vret)); + else + ERR_print_errors(bio_err); + goto export_end; + } + } + + /* Add any CA names */ + + for (i = 0; i < sk_OPENSSL_STRING_num(canames); i++) { + catmp = (unsigned char *)sk_OPENSSL_STRING_value(canames, i); + X509_alias_set1(sk_X509_value(certs, i), catmp, -1); + } + + if (csp_name && key) + EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name, + MBSTRING_ASC, (unsigned char *)csp_name, + -1); + + if (add_lmk && key) + EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1); + + if (!noprompt) { + if (1) { +#ifndef OPENSSL_NO_UI + if (EVP_read_pw_string(pass, sizeof(pass), "Enter Export Password:", + 1)) { + BIO_printf(bio_err, "Can't read Password\n"); + goto export_end; + } + } else { +#endif + BIO_printf(bio_err, "Password required\n"); + goto export_end; + } + } + + if (!twopass) + OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); + + p12 = PKCS12_create(cpass, name, key, ucert, certs, + key_pbe, cert_pbe, iter, -1, keytype); + + if (!p12) { + ERR_print_errors(bio_err); + goto export_end; + } + + if (macalg) { + if (!opt_md(macalg, &macmd)) + goto opthelp; + } + + if (maciter != -1) + PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); + + assert(private); + + out = bio_open_owner(outfile, FORMAT_PKCS12, private); + if (out == NULL) + goto end; + + i2d_PKCS12_bio(out, p12); + + ret = 0; + + export_end: + + EVP_PKEY_free(key); + sk_X509_pop_free(certs, X509_free); + X509_free(ucert); + + goto end; + + } + + in = bio_open_default(infile, 'r', FORMAT_PKCS12); + if (in == NULL) + goto end; + out = bio_open_owner(outfile, FORMAT_PEM, private); + if (out == NULL) + goto end; + + if ((p12 = d2i_PKCS12_bio(in, NULL)) == NULL) { + ERR_print_errors(bio_err); + goto end; + } + + if (!noprompt) { + if (1) { +#ifndef OPENSSL_NO_UI + if (EVP_read_pw_string(pass, sizeof(pass), "Enter Import Password:", + 0)) { + BIO_printf(bio_err, "Can't read Password\n"); + goto end; + } + } else { +#endif + BIO_printf(bio_err, "Password required\n"); + goto end; + } + } + + if (!twopass) + OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); + + if ((options & INFO) && PKCS12_mac_present(p12)) { + const ASN1_INTEGER *tmaciter; + const X509_ALGOR *macalgid; + const ASN1_OBJECT *macobj; + PKCS12_get0_mac(NULL, &macalgid, NULL, &tmaciter, p12); + X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); + BIO_puts(bio_err, "MAC:"); + i2a_ASN1_OBJECT(bio_err, macobj); + BIO_printf(bio_err, " Iteration %ld\n", + tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L); + } + if (macver) { + /* If we enter empty password try no password first */ + if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { + /* If mac and crypto pass the same set it to NULL too */ + if (!twopass) + cpass = NULL; + } else if (!PKCS12_verify_mac(p12, mpass, -1)) { + /* + * May be UTF8 from previous version of OpenSSL: + * convert to a UTF8 form which will translate + * to the same Unicode password. + */ + unsigned char *utmp; + int utmplen; + utmp = OPENSSL_asc2uni(mpass, -1, NULL, &utmplen); + if (utmp == NULL) + goto end; + badpass = OPENSSL_uni2utf8(utmp, utmplen); + OPENSSL_free(utmp); + if (!PKCS12_verify_mac(p12, badpass, -1)) { + BIO_printf(bio_err, "Mac verify error: invalid password?\n"); + ERR_print_errors(bio_err); + goto end; + } else { + BIO_printf(bio_err, "Warning: using broken algorithm\n"); + if (!twopass) + cpass = badpass; + } + } + } + + assert(private); + if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) { + BIO_printf(bio_err, "Error outputting keys and certificates\n"); + ERR_print_errors(bio_err); + goto end; + } + ret = 0; + end: + PKCS12_free(p12); + if (export_cert || inrand) + app_RAND_write_file(NULL); + release_engine(e); + BIO_free(in); + BIO_free_all(out); + sk_OPENSSL_STRING_free(canames); + OPENSSL_free(badpass); + OPENSSL_free(passin); + OPENSSL_free(passout); + return (ret); +} + +int dump_certs_keys_p12(BIO *out, const PKCS12 *p12, const char *pass, + int passlen, int options, char *pempass, + const EVP_CIPHER *enc) +{ + STACK_OF(PKCS7) *asafes = NULL; + STACK_OF(PKCS12_SAFEBAG) *bags; + int i, bagnid; + int ret = 0; + PKCS7 *p7; + + if ((asafes = PKCS12_unpack_authsafes(p12)) == NULL) + return 0; + for (i = 0; i < sk_PKCS7_num(asafes); i++) { + p7 = sk_PKCS7_value(asafes, i); + bagnid = OBJ_obj2nid(p7->type); + if (bagnid == NID_pkcs7_data) { + bags = PKCS12_unpack_p7data(p7); + if (options & INFO) + BIO_printf(bio_err, "PKCS7 Data\n"); + } else if (bagnid == NID_pkcs7_encrypted) { + if (options & INFO) { + BIO_printf(bio_err, "PKCS7 Encrypted data: "); + alg_print(p7->d.encrypted->enc_data->algorithm); + } + bags = PKCS12_unpack_p7encdata(p7, pass, passlen); + } else + continue; + if (!bags) + goto err; + if (!dump_certs_pkeys_bags(out, bags, pass, passlen, + options, pempass, enc)) { + sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); + goto err; + } + sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); + bags = NULL; + } + ret = 1; + + err: + sk_PKCS7_pop_free(asafes, PKCS7_free); + return ret; +} + +int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags, + const char *pass, int passlen, int options, + char *pempass, const EVP_CIPHER *enc) +{ + int i; + for (i = 0; i < sk_PKCS12_SAFEBAG_num(bags); i++) { + if (!dump_certs_pkeys_bag(out, + sk_PKCS12_SAFEBAG_value(bags, i), + pass, passlen, options, pempass, enc)) + return 0; + } + return 1; +} + +int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bag, + const char *pass, int passlen, int options, + char *pempass, const EVP_CIPHER *enc) +{ + EVP_PKEY *pkey; + PKCS8_PRIV_KEY_INFO *p8; + const PKCS8_PRIV_KEY_INFO *p8c; + X509 *x509; + const STACK_OF(X509_ATTRIBUTE) *attrs; + int ret = 0; + + attrs = PKCS12_SAFEBAG_get0_attrs(bag); + + switch (PKCS12_SAFEBAG_get_nid(bag)) { + case NID_keyBag: + if (options & INFO) + BIO_printf(bio_err, "Key bag\n"); + if (options & NOKEYS) + return 1; + print_attribs(out, attrs, "Bag Attributes"); + p8c = PKCS12_SAFEBAG_get0_p8inf(bag); + if ((pkey = EVP_PKCS82PKEY(p8c)) == NULL) + return 0; + print_attribs(out, PKCS8_pkey_get0_attrs(p8c), "Key Attributes"); + ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); + EVP_PKEY_free(pkey); + break; + + case NID_pkcs8ShroudedKeyBag: + if (options & INFO) { + const X509_SIG *tp8; + const X509_ALGOR *tp8alg; + + BIO_printf(bio_err, "Shrouded Keybag: "); + tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag); + X509_SIG_get0(tp8, &tp8alg, NULL); + alg_print(tp8alg); + } + if (options & NOKEYS) + return 1; + print_attribs(out, attrs, "Bag Attributes"); + if ((p8 = PKCS12_decrypt_skey(bag, pass, passlen)) == NULL) + return 0; + if ((pkey = EVP_PKCS82PKEY(p8)) == NULL) { + PKCS8_PRIV_KEY_INFO_free(p8); + return 0; + } + print_attribs(out, PKCS8_pkey_get0_attrs(p8), "Key Attributes"); + PKCS8_PRIV_KEY_INFO_free(p8); + ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); + EVP_PKEY_free(pkey); + break; + + case NID_certBag: + if (options & INFO) + BIO_printf(bio_err, "Certificate bag\n"); + if (options & NOCERTS) + return 1; + if (PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)) { + if (options & CACERTS) + return 1; + } else if (options & CLCERTS) + return 1; + print_attribs(out, attrs, "Bag Attributes"); + if (PKCS12_SAFEBAG_get_bag_nid(bag) != NID_x509Certificate) + return 1; + if ((x509 = PKCS12_SAFEBAG_get1_cert(bag)) == NULL) + return 0; + dump_cert_text(out, x509); + ret = PEM_write_bio_X509(out, x509); + X509_free(x509); + break; + + case NID_safeContentsBag: + if (options & INFO) + BIO_printf(bio_err, "Safe Contents bag\n"); + print_attribs(out, attrs, "Bag Attributes"); + return dump_certs_pkeys_bags(out, PKCS12_SAFEBAG_get0_safes(bag), + pass, passlen, options, pempass, enc); + + default: + BIO_printf(bio_err, "Warning unsupported bag type: "); + i2a_ASN1_OBJECT(bio_err, PKCS12_SAFEBAG_get0_type(bag)); + BIO_printf(bio_err, "\n"); + return 1; + } + return ret; +} + +/* Given a single certificate return a verified chain or NULL if error */ + +static int get_cert_chain(X509 *cert, X509_STORE *store, + STACK_OF(X509) **chain) +{ + X509_STORE_CTX *store_ctx = NULL; + STACK_OF(X509) *chn = NULL; + int i = 0; + + store_ctx = X509_STORE_CTX_new(); + if (store_ctx == NULL) { + i = X509_V_ERR_UNSPECIFIED; + goto end; + } + if (!X509_STORE_CTX_init(store_ctx, store, cert, NULL)) { + i = X509_V_ERR_UNSPECIFIED; + goto end; + } + + + if (X509_verify_cert(store_ctx) > 0) + chn = X509_STORE_CTX_get1_chain(store_ctx); + else if ((i = X509_STORE_CTX_get_error(store_ctx)) == 0) + i = X509_V_ERR_UNSPECIFIED; + +end: + X509_STORE_CTX_free(store_ctx); + *chain = chn; + return i; +} + +static int alg_print(const X509_ALGOR *alg) +{ + int pbenid, aparamtype; + const ASN1_OBJECT *aoid; + const void *aparam; + PBEPARAM *pbe = NULL; + + X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg); + + pbenid = OBJ_obj2nid(aoid); + + BIO_printf(bio_err, "%s", OBJ_nid2ln(pbenid)); + + /* + * If PBE algorithm is PBES2 decode algorithm parameters + * for additional details. + */ + if (pbenid == NID_pbes2) { + PBE2PARAM *pbe2 = NULL; + int encnid; + if (aparamtype == V_ASN1_SEQUENCE) + pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM)); + if (pbe2 == NULL) { + BIO_puts(bio_err, ""); + goto done; + } + X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc); + pbenid = OBJ_obj2nid(aoid); + X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption); + encnid = OBJ_obj2nid(aoid); + BIO_printf(bio_err, ", %s, %s", OBJ_nid2ln(pbenid), + OBJ_nid2sn(encnid)); + /* If KDF is PBKDF2 decode parameters */ + if (pbenid == NID_id_pbkdf2) { + PBKDF2PARAM *kdf = NULL; + int prfnid; + if (aparamtype == V_ASN1_SEQUENCE) + kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM)); + if (kdf == NULL) { + BIO_puts(bio_err, ""); + goto done; + } + + if (kdf->prf == NULL) { + prfnid = NID_hmacWithSHA1; + } else { + X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf); + prfnid = OBJ_obj2nid(aoid); + } + BIO_printf(bio_err, ", Iteration %ld, PRF %s", + ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid)); + PBKDF2PARAM_free(kdf); + } + PBE2PARAM_free(pbe2); + } else { + if (aparamtype == V_ASN1_SEQUENCE) + pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM)); + if (pbe == NULL) { + BIO_puts(bio_err, ""); + goto done; + } + BIO_printf(bio_err, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter)); + PBEPARAM_free(pbe); + } + done: + BIO_puts(bio_err, "\n"); + return 1; +} + +/* Load all certificates from a given file */ + +int cert_load(BIO *in, STACK_OF(X509) *sk) +{ + int ret; + X509 *cert; + ret = 0; + while ((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) { + ret = 1; + sk_X509_push(sk, cert); + } + if (ret) + ERR_clear_error(); + return ret; +} + +/* Generalised attribute print: handle PKCS#8 and bag attributes */ + +int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst, + const char *name) +{ + X509_ATTRIBUTE *attr; + ASN1_TYPE *av; + char *value; + int i, attr_nid; + if (!attrlst) { + BIO_printf(out, "%s: \n", name); + return 1; + } + if (!sk_X509_ATTRIBUTE_num(attrlst)) { + BIO_printf(out, "%s: \n", name); + return 1; + } + BIO_printf(out, "%s\n", name); + for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) { + ASN1_OBJECT *attr_obj; + attr = sk_X509_ATTRIBUTE_value(attrlst, i); + attr_obj = X509_ATTRIBUTE_get0_object(attr); + attr_nid = OBJ_obj2nid(attr_obj); + BIO_printf(out, " "); + if (attr_nid == NID_undef) { + i2a_ASN1_OBJECT(out, attr_obj); + BIO_printf(out, ": "); + } else + BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid)); + + if (X509_ATTRIBUTE_count(attr)) { + av = X509_ATTRIBUTE_get0_type(attr, 0); + switch (av->type) { + case V_ASN1_BMPSTRING: + value = OPENSSL_uni2asc(av->value.bmpstring->data, + av->value.bmpstring->length); + BIO_printf(out, "%s\n", value); + OPENSSL_free(value); + break; + + case V_ASN1_OCTET_STRING: + hex_prin(out, av->value.octet_string->data, + av->value.octet_string->length); + BIO_printf(out, "\n"); + break; + + case V_ASN1_BIT_STRING: + hex_prin(out, av->value.bit_string->data, + av->value.bit_string->length); + BIO_printf(out, "\n"); + break; + + default: + BIO_printf(out, "\n", av->type); + break; + } + } else + BIO_printf(out, "\n"); + } + return 1; +} + +void hex_prin(BIO *out, unsigned char *buf, int len) +{ + int i; + for (i = 0; i < len; i++) + BIO_printf(out, "%02X ", buf[i]); +} + +static int set_pbe(int *ppbe, const char *str) +{ + if (!str) + return 0; + if (strcmp(str, "NONE") == 0) { + *ppbe = -1; + return 1; + } + *ppbe = OBJ_txt2nid(str); + if (*ppbe == NID_undef) { + BIO_printf(bio_err, "Unknown PBE algorithm %s\n", str); + return 0; + } + return 1; +} + +#endif diff --git a/openssl-1.1.0h/apps/pkcs7.c b/openssl-1.1.0h/apps/pkcs7.c new file mode 100644 index 0000000..209e30d --- /dev/null +++ b/openssl-1.1.0h/apps/pkcs7.c @@ -0,0 +1,197 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT, + OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS pkcs7_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"in", OPT_IN, '<', "Input file"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"out", OPT_OUT, '>', "Output file"}, + {"noout", OPT_NOOUT, '-', "Don't output encoded data"}, + {"text", OPT_TEXT, '-', "Print full details of certificates"}, + {"print", OPT_PRINT, '-', "Print out all fields of the PKCS7 structure"}, + {"print_certs", OPT_PRINT_CERTS, '-', + "Print_certs print any certs or crl in the input"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int pkcs7_main(int argc, char **argv) +{ + ENGINE *e = NULL; + PKCS7 *p7 = NULL; + BIO *in = NULL, *out = NULL; + int informat = FORMAT_PEM, outformat = FORMAT_PEM; + char *infile = NULL, *outfile = NULL, *prog; + int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, pkcs7_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkcs7_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_PRINT: + p7_print = 1; + break; + case OPT_PRINT_CERTS: + print_certs = 1; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + + if (informat == FORMAT_ASN1) + p7 = d2i_PKCS7_bio(in, NULL); + else + p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); + if (p7 == NULL) { + BIO_printf(bio_err, "unable to load PKCS7 object\n"); + ERR_print_errors(bio_err); + goto end; + } + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + + if (p7_print) + PKCS7_print_ctx(out, p7, 0, NULL); + + if (print_certs) { + STACK_OF(X509) *certs = NULL; + STACK_OF(X509_CRL) *crls = NULL; + + i = OBJ_obj2nid(p7->type); + switch (i) { + case NID_pkcs7_signed: + if (p7->d.sign != NULL) { + certs = p7->d.sign->cert; + crls = p7->d.sign->crl; + } + break; + case NID_pkcs7_signedAndEnveloped: + if (p7->d.signed_and_enveloped != NULL) { + certs = p7->d.signed_and_enveloped->cert; + crls = p7->d.signed_and_enveloped->crl; + } + break; + default: + break; + } + + if (certs != NULL) { + X509 *x; + + for (i = 0; i < sk_X509_num(certs); i++) { + x = sk_X509_value(certs, i); + if (text) + X509_print(out, x); + else + dump_cert_text(out, x); + + if (!noout) + PEM_write_bio_X509(out, x); + BIO_puts(out, "\n"); + } + } + if (crls != NULL) { + X509_CRL *crl; + + for (i = 0; i < sk_X509_CRL_num(crls); i++) { + crl = sk_X509_CRL_value(crls, i); + + X509_CRL_print(out, crl); + + if (!noout) + PEM_write_bio_X509_CRL(out, crl); + BIO_puts(out, "\n"); + } + } + + ret = 0; + goto end; + } + + if (!noout) { + if (outformat == FORMAT_ASN1) + i = i2d_PKCS7_bio(out, p7); + else + i = PEM_write_bio_PKCS7(out, p7); + + if (!i) { + BIO_printf(bio_err, "unable to write pkcs7 object\n"); + ERR_print_errors(bio_err); + goto end; + } + } + ret = 0; + end: + PKCS7_free(p7); + release_engine(e); + BIO_free(in); + BIO_free_all(out); + return (ret); +} diff --git a/openssl-1.1.0h/apps/pkcs8.c b/openssl-1.1.0h/apps/pkcs8.c new file mode 100644 index 0000000..0874370 --- /dev/null +++ b/openssl-1.1.0h/apps/pkcs8.c @@ -0,0 +1,353 @@ +/* + * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, +#ifndef OPENSSL_NO_SCRYPT + OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P, +#endif + OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT, + OPT_TRADITIONAL +} OPTION_CHOICE; + +OPTIONS pkcs8_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"}, + {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"}, + {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"}, + {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"}, + {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"}, + {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"}, + {"v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0"}, + {"iter", OPT_ITER, 'p', "Specify the iteration count"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"traditional", OPT_TRADITIONAL, '-', "use traditional format private key"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif +#ifndef OPENSSL_NO_SCRYPT + {"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"}, + {"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"}, + {"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"}, + {"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"}, +#endif + {NULL} +}; + +int pkcs8_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + ENGINE *e = NULL; + EVP_PKEY *pkey = NULL; + PKCS8_PRIV_KEY_INFO *p8inf = NULL; + X509_SIG *p8 = NULL; + const EVP_CIPHER *cipher = NULL; + char *infile = NULL, *outfile = NULL; + char *passinarg = NULL, *passoutarg = NULL, *prog; +#ifndef OPENSSL_NO_UI + char pass[APP_PASS_LEN]; +#endif + char *passin = NULL, *passout = NULL, *p8pass = NULL; + OPTION_CHOICE o; + int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1; + int private = 0, traditional = 0; +#ifndef OPENSSL_NO_SCRYPT + long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0; +#endif + + prog = opt_init(argc, argv, pkcs8_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkcs8_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_TOPK8: + topk8 = 1; + break; + case OPT_NOITER: + iter = 1; + break; + case OPT_NOCRYPT: + nocrypt = 1; + break; + case OPT_TRADITIONAL: + traditional = 1; + break; + case OPT_V2: + if (!opt_cipher(opt_arg(), &cipher)) + goto opthelp; + break; + case OPT_V1: + pbe_nid = OBJ_txt2nid(opt_arg()); + if (pbe_nid == NID_undef) { + BIO_printf(bio_err, + "%s: Unknown PBE algorithm %s\n", prog, opt_arg()); + goto opthelp; + } + break; + case OPT_V2PRF: + pbe_nid = OBJ_txt2nid(opt_arg()); + if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) { + BIO_printf(bio_err, + "%s: Unknown PRF algorithm %s\n", prog, opt_arg()); + goto opthelp; + } + if (cipher == NULL) + cipher = EVP_aes_256_cbc(); + break; + case OPT_ITER: + if (!opt_int(opt_arg(), &iter)) + goto opthelp; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; +#ifndef OPENSSL_NO_SCRYPT + case OPT_SCRYPT: + scrypt_N = 16384; + scrypt_r = 8; + scrypt_p = 1; + if (cipher == NULL) + cipher = EVP_aes_256_cbc(); + break; + case OPT_SCRYPT_N: + if (!opt_long(opt_arg(), &scrypt_N) || scrypt_N <= 0) + goto opthelp; + break; + case OPT_SCRYPT_R: + if (!opt_long(opt_arg(), &scrypt_r) || scrypt_r <= 0) + goto opthelp; + break; + case OPT_SCRYPT_P: + if (!opt_long(opt_arg(), &scrypt_p) || scrypt_p <= 0) + goto opthelp; + break; +#endif + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + private = 1; + + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + + if ((pbe_nid == -1) && cipher == NULL) + cipher = EVP_aes_256_cbc(); + + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + out = bio_open_owner(outfile, outformat, private); + if (out == NULL) + goto end; + + if (topk8) { + pkey = load_key(infile, informat, 1, passin, e, "key"); + if (!pkey) + goto end; + if ((p8inf = EVP_PKEY2PKCS8(pkey)) == NULL) { + BIO_printf(bio_err, "Error converting key\n"); + ERR_print_errors(bio_err); + goto end; + } + if (nocrypt) { + assert(private); + if (outformat == FORMAT_PEM) + PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf); + else if (outformat == FORMAT_ASN1) + i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + } else { + X509_ALGOR *pbe; + if (cipher) { +#ifndef OPENSSL_NO_SCRYPT + if (scrypt_N && scrypt_r && scrypt_p) + pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL, + scrypt_N, scrypt_r, scrypt_p); + else +#endif + pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL, + pbe_nid); + } else { + pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, 0); + } + if (pbe == NULL) { + BIO_printf(bio_err, "Error setting PBE algorithm\n"); + ERR_print_errors(bio_err); + goto end; + } + if (passout) + p8pass = passout; + else if (1) { +#ifndef OPENSSL_NO_UI + p8pass = pass; + if (EVP_read_pw_string + (pass, sizeof(pass), "Enter Encryption Password:", 1)) { + X509_ALGOR_free(pbe); + goto end; + } + } else { +#endif + BIO_printf(bio_err, "Password required\n"); + goto end; + } + app_RAND_load_file(NULL, 0); + p8 = PKCS8_set0_pbe(p8pass, strlen(p8pass), p8inf, pbe); + if (p8 == NULL) { + X509_ALGOR_free(pbe); + BIO_printf(bio_err, "Error encrypting key\n"); + ERR_print_errors(bio_err); + goto end; + } + app_RAND_write_file(NULL); + assert(private); + if (outformat == FORMAT_PEM) + PEM_write_bio_PKCS8(out, p8); + else if (outformat == FORMAT_ASN1) + i2d_PKCS8_bio(out, p8); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + } + + ret = 0; + goto end; + } + + if (nocrypt) { + if (informat == FORMAT_PEM) + p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL); + else if (informat == FORMAT_ASN1) + p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + } else { + if (informat == FORMAT_PEM) + p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL); + else if (informat == FORMAT_ASN1) + p8 = d2i_PKCS8_bio(in, NULL); + else { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + + if (!p8) { + BIO_printf(bio_err, "Error reading key\n"); + ERR_print_errors(bio_err); + goto end; + } + if (passin) + p8pass = passin; + else if (1) { +#ifndef OPENSSL_NO_UI + p8pass = pass; + if (EVP_read_pw_string(pass, sizeof(pass), "Enter Password:", 0)) { + BIO_printf(bio_err, "Can't read Password\n"); + goto end; + } + } else { +#endif + BIO_printf(bio_err, "Password required\n"); + goto end; + } + p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass)); + } + + if (!p8inf) { + BIO_printf(bio_err, "Error decrypting key\n"); + ERR_print_errors(bio_err); + goto end; + } + + if ((pkey = EVP_PKCS82PKEY(p8inf)) == NULL) { + BIO_printf(bio_err, "Error converting key\n"); + ERR_print_errors(bio_err); + goto end; + } + + assert(private); + if (outformat == FORMAT_PEM) { + if (traditional) + PEM_write_bio_PrivateKey_traditional(out, pkey, NULL, NULL, 0, + NULL, passout); + else + PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout); + } else if (outformat == FORMAT_ASN1) { + i2d_PrivateKey_bio(out, pkey); + } else { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + ret = 0; + + end: + X509_SIG_free(p8); + PKCS8_PRIV_KEY_INFO_free(p8inf); + EVP_PKEY_free(pkey); + release_engine(e); + BIO_free_all(out); + BIO_free(in); + OPENSSL_free(passin); + OPENSSL_free(passout); + + return ret; +} diff --git a/openssl-1.1.0h/apps/pkey.c b/openssl-1.1.0h/apps/pkey.c new file mode 100644 index 0000000..ad1a3b1 --- /dev/null +++ b/openssl-1.1.0h/apps/pkey.c @@ -0,0 +1,190 @@ +/* + * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "apps.h" +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, + OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB, + OPT_TEXT, OPT_NOOUT, OPT_MD, OPT_TRADITIONAL +} OPTION_CHOICE; + +OPTIONS pkey_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'f', "Input format (DER or PEM)"}, + {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"in", OPT_IN, 's', "Input key"}, + {"out", OPT_OUT, '>', "Output file"}, + {"pubin", OPT_PUBIN, '-', + "Read public key from input (default is private key)"}, + {"pubout", OPT_PUBOUT, '-', "Output public key, not private"}, + {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"}, + {"text", OPT_TEXT, '-', "Output in plaintext as well"}, + {"noout", OPT_NOOUT, '-', "Don't output the key"}, + {"", OPT_MD, '-', "Any supported cipher"}, + {"traditional", OPT_TRADITIONAL, '-', + "Use traditional format for private keys"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int pkey_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + ENGINE *e = NULL; + EVP_PKEY *pkey = NULL; + const EVP_CIPHER *cipher = NULL; + char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL; + char *passinarg = NULL, *passoutarg = NULL, *prog; + OPTION_CHOICE o; + int informat = FORMAT_PEM, outformat = FORMAT_PEM; + int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1; + int private = 0, traditional = 0; + + prog = opt_init(argc, argv, pkey_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkey_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PUBIN: + pubin = pubout = pubtext = 1; + break; + case OPT_PUBOUT: + pubout = 1; + break; + case OPT_TEXT_PUB: + pubtext = text = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_TRADITIONAL: + traditional = 1; + break; + case OPT_MD: + if (!opt_cipher(opt_unknown(), &cipher)) + goto opthelp; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + private = !noout && !pubout ? 1 : 0; + if (text && !pubtext) + private = 1; + + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + + out = bio_open_owner(outfile, outformat, private); + if (out == NULL) + goto end; + + if (pubin) + pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key"); + else + pkey = load_key(infile, informat, 1, passin, e, "key"); + if (!pkey) + goto end; + + if (!noout) { + if (outformat == FORMAT_PEM) { + if (pubout) + PEM_write_bio_PUBKEY(out, pkey); + else { + assert(private); + if (traditional) + PEM_write_bio_PrivateKey_traditional(out, pkey, cipher, + NULL, 0, NULL, + passout); + else + PEM_write_bio_PrivateKey(out, pkey, cipher, + NULL, 0, NULL, passout); + } + } else if (outformat == FORMAT_ASN1) { + if (pubout) + i2d_PUBKEY_bio(out, pkey); + else { + assert(private); + i2d_PrivateKey_bio(out, pkey); + } + } else { + BIO_printf(bio_err, "Bad format specified for key\n"); + goto end; + } + + } + + if (text) { + if (pubtext) + EVP_PKEY_print_public(out, pkey, 0, NULL); + else { + assert(private); + EVP_PKEY_print_private(out, pkey, 0, NULL); + } + } + + ret = 0; + + end: + EVP_PKEY_free(pkey); + release_engine(e); + BIO_free_all(out); + BIO_free(in); + OPENSSL_free(passin); + OPENSSL_free(passout); + + return ret; +} diff --git a/openssl-1.1.0h/apps/pkeyparam.c b/openssl-1.1.0h/apps/pkeyparam.c new file mode 100644 index 0000000..0a1b2d1 --- /dev/null +++ b/openssl-1.1.0h/apps/pkeyparam.c @@ -0,0 +1,104 @@ +/* + * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "apps.h" +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS pkeyparam_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"text", OPT_TEXT, '-', "Print parameters as text"}, + {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int pkeyparam_main(int argc, char **argv) +{ + ENGINE *e = NULL; + BIO *in = NULL, *out = NULL; + EVP_PKEY *pkey = NULL; + int text = 0, noout = 0, ret = 1; + OPTION_CHOICE o; + char *infile = NULL, *outfile = NULL, *prog; + + prog = opt_init(argc, argv, pkeyparam_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkeyparam_options); + ret = 0; + goto end; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_TEXT: + text = 1; + break; + case OPT_NOOUT: + noout = 1; + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + in = bio_open_default(infile, 'r', FORMAT_PEM); + if (in == NULL) + goto end; + out = bio_open_default(outfile, 'w', FORMAT_PEM); + if (out == NULL) + goto end; + pkey = PEM_read_bio_Parameters(in, NULL); + if (!pkey) { + BIO_printf(bio_err, "Error reading parameters\n"); + ERR_print_errors(bio_err); + goto end; + } + + if (!noout) + PEM_write_bio_Parameters(out, pkey); + + if (text) + EVP_PKEY_print_params(out, pkey, 0, NULL); + + ret = 0; + + end: + EVP_PKEY_free(pkey); + release_engine(e); + BIO_free_all(out); + BIO_free(in); + + return ret; +} diff --git a/openssl-1.1.0h/apps/pkeyutl.c b/openssl-1.1.0h/apps/pkeyutl.c new file mode 100644 index 0000000..bbb1274 --- /dev/null +++ b/openssl-1.1.0h/apps/pkeyutl.c @@ -0,0 +1,508 @@ +/* + * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "apps.h" +#include +#include +#include +#include + +#define KEY_NONE 0 +#define KEY_PRIVKEY 1 +#define KEY_PUBKEY 2 +#define KEY_CERT 3 + +static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, + const char *keyfile, int keyform, int key_type, + char *passinarg, int pkey_op, ENGINE *e, + const int impl); + +static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, + ENGINE *e); + +static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, + unsigned char *out, size_t *poutlen, + const unsigned char *in, size_t inlen); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT, + OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN, + OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT, + OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN, + OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_KDF, OPT_KDFLEN +} OPTION_CHOICE; + +OPTIONS pkeyutl_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file - default stdin"}, + {"out", OPT_OUT, '>', "Output file - default stdout"}, + {"pubin", OPT_PUBIN, '-', "Input is a public key"}, + {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"}, + {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"}, + {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, + {"sign", OPT_SIGN, '-', "Sign input data with private key"}, + {"verify", OPT_VERIFY, '-', "Verify with public key"}, + {"verifyrecover", OPT_VERIFYRECOVER, '-', + "Verify with public key, recover original data"}, + {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"}, + {"derive", OPT_DERIVE, '-', "Derive shared secret"}, + {"kdf", OPT_KDF, 's', "Use KDF algorithm"}, + {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"}, + {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"}, + {"inkey", OPT_INKEY, 's', "Input private key file"}, + {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"}, + {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"}, + {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, + {"engine_impl", OPT_ENGINE_IMPL, '-', + "Also use engine given by -engine for crypto operations"}, +#endif + {NULL} +}; + +int pkeyutl_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + ENGINE *e = NULL; + EVP_PKEY_CTX *ctx = NULL; + char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL; + char hexdump = 0, asn1parse = 0, rev = 0, *prog; + unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; + OPTION_CHOICE o; + int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform = FORMAT_PEM; + int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; + int engine_impl = 0; + int ret = 1, rv = -1; + size_t buf_outlen; + const char *inkey = NULL; + const char *peerkey = NULL; + const char *kdfalg = NULL; + int kdflen = 0; + STACK_OF(OPENSSL_STRING) *pkeyopts = NULL; + + prog = opt_init(argc, argv, pkeyutl_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(pkeyutl_options); + ret = 0; + goto end; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_SIGFILE: + sigfile = opt_arg(); + break; + case OPT_ENGINE_IMPL: + engine_impl = 1; + break; + case OPT_INKEY: + inkey = opt_arg(); + break; + case OPT_PEERKEY: + peerkey = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PEERFORM: + if (!opt_format(opt_arg(), OPT_FMT_PDE, &peerform)) + goto opthelp; + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyform)) + goto opthelp; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_PUBIN: + key_type = KEY_PUBKEY; + break; + case OPT_CERTIN: + key_type = KEY_CERT; + break; + case OPT_ASN1PARSE: + asn1parse = 1; + break; + case OPT_HEXDUMP: + hexdump = 1; + break; + case OPT_SIGN: + pkey_op = EVP_PKEY_OP_SIGN; + break; + case OPT_VERIFY: + pkey_op = EVP_PKEY_OP_VERIFY; + break; + case OPT_VERIFYRECOVER: + pkey_op = EVP_PKEY_OP_VERIFYRECOVER; + break; + case OPT_ENCRYPT: + pkey_op = EVP_PKEY_OP_ENCRYPT; + break; + case OPT_DECRYPT: + pkey_op = EVP_PKEY_OP_DECRYPT; + break; + case OPT_DERIVE: + pkey_op = EVP_PKEY_OP_DERIVE; + break; + case OPT_KDF: + pkey_op = EVP_PKEY_OP_DERIVE; + key_type = KEY_NONE; + kdfalg = opt_arg(); + break; + case OPT_KDFLEN: + kdflen = atoi(opt_arg()); + break; + case OPT_REV: + rev = 1; + break; + case OPT_PKEYOPT: + if ((pkeyopts == NULL && + (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) || + sk_OPENSSL_STRING_push(pkeyopts, opt_arg()) == 0) { + BIO_puts(bio_err, "out of memory\n"); + goto end; + } + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (kdfalg != NULL) { + if (kdflen == 0) { + BIO_printf(bio_err, + "%s: no KDF length given (-kdflen parameter).\n", prog); + goto opthelp; + } + } else if (inkey == NULL) { + BIO_printf(bio_err, + "%s: no private key given (-inkey parameter).\n", prog); + goto opthelp; + } else if (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE) { + BIO_printf(bio_err, + "%s: no peer key given (-peerkey parameter).\n", prog); + goto opthelp; + } + ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type, + passinarg, pkey_op, e, engine_impl); + if (ctx == NULL) { + BIO_printf(bio_err, "%s: Error initializing context\n", prog); + ERR_print_errors(bio_err); + goto end; + } + if (peerkey != NULL && !setup_peer(ctx, peerform, peerkey, e)) { + BIO_printf(bio_err, "%s: Error setting up peer key\n", prog); + ERR_print_errors(bio_err); + goto end; + } + if (pkeyopts != NULL) { + int num = sk_OPENSSL_STRING_num(pkeyopts); + int i; + + for (i = 0; i < num; ++i) { + const char *opt = sk_OPENSSL_STRING_value(pkeyopts, i); + + if (pkey_ctrl_string(ctx, opt) <= 0) { + BIO_printf(bio_err, "%s: Can't set parameter \"%s\":\n", + prog, opt); + ERR_print_errors(bio_err); + goto end; + } + } + } + + if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) { + BIO_printf(bio_err, + "%s: Signature file specified for non verify\n", prog); + goto end; + } + + if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) { + BIO_printf(bio_err, + "%s: No signature file specified for verify\n", prog); + goto end; + } + +/* FIXME: seed PRNG only if needed */ + app_RAND_load_file(NULL, 0); + + if (pkey_op != EVP_PKEY_OP_DERIVE) { + in = bio_open_default(infile, 'r', FORMAT_BINARY); + if (in == NULL) + goto end; + } + out = bio_open_default(outfile, 'w', FORMAT_BINARY); + if (out == NULL) + goto end; + + if (sigfile) { + BIO *sigbio = BIO_new_file(sigfile, "rb"); + if (!sigbio) { + BIO_printf(bio_err, "Can't open signature file %s\n", sigfile); + goto end; + } + siglen = bio_to_mem(&sig, keysize * 10, sigbio); + BIO_free(sigbio); + if (siglen < 0) { + BIO_printf(bio_err, "Error reading signature data\n"); + goto end; + } + } + + if (in) { + /* Read the input data */ + buf_inlen = bio_to_mem(&buf_in, keysize * 10, in); + if (buf_inlen < 0) { + BIO_printf(bio_err, "Error reading input Data\n"); + exit(1); + } + if (rev) { + size_t i; + unsigned char ctmp; + size_t l = (size_t)buf_inlen; + for (i = 0; i < l / 2; i++) { + ctmp = buf_in[i]; + buf_in[i] = buf_in[l - 1 - i]; + buf_in[l - 1 - i] = ctmp; + } + } + } + + if (pkey_op == EVP_PKEY_OP_VERIFY) { + rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen, + buf_in, (size_t)buf_inlen); + if (rv == 1) { + BIO_puts(out, "Signature Verified Successfully\n"); + ret = 0; + } else + BIO_puts(out, "Signature Verification Failure\n"); + goto end; + } + if (kdflen != 0) { + buf_outlen = kdflen; + rv = 1; + } else { + rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, + buf_in, (size_t)buf_inlen); + } + if (rv > 0 && buf_outlen != 0) { + buf_out = app_malloc(buf_outlen, "buffer output"); + rv = do_keyop(ctx, pkey_op, + buf_out, (size_t *)&buf_outlen, + buf_in, (size_t)buf_inlen); + } + if (rv <= 0) { + if (pkey_op != EVP_PKEY_OP_DERIVE) { + BIO_puts(bio_err, "Public Key operation error\n"); + } else { + BIO_puts(bio_err, "Key derivation failed\n"); + } + ERR_print_errors(bio_err); + goto end; + } + ret = 0; + + if (asn1parse) { + if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) + ERR_print_errors(bio_err); + } else if (hexdump) + BIO_dump(out, (char *)buf_out, buf_outlen); + else + BIO_write(out, buf_out, buf_outlen); + + end: + EVP_PKEY_CTX_free(ctx); + release_engine(e); + BIO_free(in); + BIO_free_all(out); + OPENSSL_free(buf_in); + OPENSSL_free(buf_out); + OPENSSL_free(sig); + sk_OPENSSL_STRING_free(pkeyopts); + return ret; +} + +static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, + const char *keyfile, int keyform, int key_type, + char *passinarg, int pkey_op, ENGINE *e, + const int engine_impl) +{ + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; + ENGINE *impl = NULL; + char *passin = NULL; + int rv = -1; + X509 *x; + if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT) + || (pkey_op == EVP_PKEY_OP_DERIVE)) + && (key_type != KEY_PRIVKEY && kdfalg == NULL)) { + BIO_printf(bio_err, "A private key is needed for this operation\n"); + goto end; + } + if (!app_passwd(passinarg, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + switch (key_type) { + case KEY_PRIVKEY: + pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); + break; + + case KEY_PUBKEY: + pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key"); + break; + + case KEY_CERT: + x = load_cert(keyfile, keyform, "Certificate"); + if (x) { + pkey = X509_get_pubkey(x); + X509_free(x); + } + break; + + case KEY_NONE: + break; + + } + +#ifndef OPENSSL_NO_ENGINE + if (engine_impl) + impl = e; +#endif + + if (kdfalg) { + int kdfnid = OBJ_sn2nid(kdfalg); + + if (kdfnid == NID_undef) { + kdfnid = OBJ_ln2nid(kdfalg); + if (kdfnid == NID_undef) { + BIO_printf(bio_err, "The given KDF \"%s\" is unknown.\n", + kdfalg); + goto end; + } + } + ctx = EVP_PKEY_CTX_new_id(kdfnid, impl); + } else { + if (pkey == NULL) + goto end; + *pkeysize = EVP_PKEY_size(pkey); + ctx = EVP_PKEY_CTX_new(pkey, impl); + EVP_PKEY_free(pkey); + } + + if (ctx == NULL) + goto end; + + switch (pkey_op) { + case EVP_PKEY_OP_SIGN: + rv = EVP_PKEY_sign_init(ctx); + break; + + case EVP_PKEY_OP_VERIFY: + rv = EVP_PKEY_verify_init(ctx); + break; + + case EVP_PKEY_OP_VERIFYRECOVER: + rv = EVP_PKEY_verify_recover_init(ctx); + break; + + case EVP_PKEY_OP_ENCRYPT: + rv = EVP_PKEY_encrypt_init(ctx); + break; + + case EVP_PKEY_OP_DECRYPT: + rv = EVP_PKEY_decrypt_init(ctx); + break; + + case EVP_PKEY_OP_DERIVE: + rv = EVP_PKEY_derive_init(ctx); + break; + } + + if (rv <= 0) { + EVP_PKEY_CTX_free(ctx); + ctx = NULL; + } + + end: + OPENSSL_free(passin); + return ctx; + +} + +static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, + ENGINE *e) +{ + EVP_PKEY *peer = NULL; + ENGINE *engine = NULL; + int ret; + + if (peerform == FORMAT_ENGINE) + engine = e; + peer = load_pubkey(file, peerform, 0, NULL, engine, "Peer Key"); + if (!peer) { + BIO_printf(bio_err, "Error reading peer key %s\n", file); + ERR_print_errors(bio_err); + return 0; + } + + ret = EVP_PKEY_derive_set_peer(ctx, peer); + + EVP_PKEY_free(peer); + if (ret <= 0) + ERR_print_errors(bio_err); + return ret; +} + +static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, + unsigned char *out, size_t *poutlen, + const unsigned char *in, size_t inlen) +{ + int rv = 0; + switch (pkey_op) { + case EVP_PKEY_OP_VERIFYRECOVER: + rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen); + break; + + case EVP_PKEY_OP_SIGN: + rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen); + break; + + case EVP_PKEY_OP_ENCRYPT: + rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen); + break; + + case EVP_PKEY_OP_DECRYPT: + rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen); + break; + + case EVP_PKEY_OP_DERIVE: + rv = EVP_PKEY_derive(ctx, out, poutlen); + break; + + } + return rv; +} diff --git a/openssl-1.1.0h/apps/prime.c b/openssl-1.1.0h/apps/prime.c new file mode 100644 index 0000000..c12463d --- /dev/null +++ b/openssl-1.1.0h/apps/prime.c @@ -0,0 +1,132 @@ +/* + * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +#include "apps.h" +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS +} OPTION_CHOICE; + +OPTIONS prime_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"}, + {OPT_HELP_STR, 1, '-', + " number Number to check for primality\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"hex", OPT_HEX, '-', "Hex output"}, + {"generate", OPT_GENERATE, '-', "Generate a prime"}, + {"bits", OPT_BITS, 'p', "Size of number in bits"}, + {"safe", OPT_SAFE, '-', + "When used with -generate, generate a safe prime"}, + {"checks", OPT_CHECKS, 'p', "Number of checks"}, + {NULL} +}; + +int prime_main(int argc, char **argv) +{ + BIGNUM *bn = NULL; + int hex = 0, checks = 20, generate = 0, bits = 0, safe = 0, ret = 1; + char *prog; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, prime_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(prime_options); + ret = 0; + goto end; + case OPT_HEX: + hex = 1; + break; + case OPT_GENERATE: + generate = 1; + break; + case OPT_BITS: + bits = atoi(opt_arg()); + break; + case OPT_SAFE: + safe = 1; + break; + case OPT_CHECKS: + checks = atoi(opt_arg()); + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (generate) { + if (argc != 0) { + BIO_printf(bio_err, "Extra arguments given.\n"); + goto opthelp; + } + } else if (argc == 0) { + BIO_printf(bio_err, "%s: No prime specified\n", prog); + goto opthelp; + } + + if (generate) { + char *s; + + if (!bits) { + BIO_printf(bio_err, "Specify the number of bits.\n"); + goto end; + } + bn = BN_new(); + if (bn == NULL) { + BIO_printf(bio_err, "Out of memory.\n"); + goto end; + } + if (!BN_generate_prime_ex(bn, bits, safe, NULL, NULL, NULL)) { + BIO_printf(bio_err, "Failed to generate prime.\n"); + goto end; + } + s = hex ? BN_bn2hex(bn) : BN_bn2dec(bn); + if (s == NULL) { + BIO_printf(bio_err, "Out of memory.\n"); + goto end; + } + BIO_printf(bio_out, "%s\n", s); + OPENSSL_free(s); + } else { + for ( ; *argv; argv++) { + int r; + + if (hex) + r = BN_hex2bn(&bn, argv[0]); + else + r = BN_dec2bn(&bn, argv[0]); + + if(!r) { + BIO_printf(bio_err, "Failed to process value (%s)\n", argv[0]); + goto end; + } + + BN_print(bio_out, bn); + BIO_printf(bio_out, " (%s) %s prime\n", + argv[0], + BN_is_prime_ex(bn, checks, NULL, NULL) + ? "is" : "is not"); + } + } + + ret = 0; + end: + BN_free(bn); + return ret; +} diff --git a/openssl-1.1.0h/apps/privkey.pem b/openssl-1.1.0h/apps/privkey.pem new file mode 100644 index 0000000..02f3498 --- /dev/null +++ b/openssl-1.1.0h/apps/privkey.pem @@ -0,0 +1,16 @@ +-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMo7DFNMqywUA1O/ +qvWqCOm6rGrUAcR+dKsSXw6y2qiKO7APDDyotc0b4Mxwqjga98npex2RBIwUoCGJ +iEmMXo/a8RbXVUZ+ZwcAX7PC+XeXVC5qoajaBBkd2MvYmib/2PqnNrgvhHsUL5dO +xhC7cRqxLM/g45k3Yyw+nGa+WkTdAgMBAAECgYBMBT5w4dVG0I8foGFnz+9hzWab +Ee9IKjE5TcKmB93ilXQyjrWO5+zPmbc7ou6aAKk9IaPCTY1kCyzW7pho7Xdt+RFq +TgVXGZZfqtixO7f2/5oqZAkd00eOn9ZrhBpVMu4yXbbDvhDyFe4/oy0HGDjRUhxa +Lf6ZlBuTherxm4eFkQJBAPBQwRs9UtqaMAQlagA9pV5UsQjV1WT4IxDURMPfXgCd +ETNkB6pP0SmxQm5xhv9N2HY1UtoWpug9s0OU5IJB15sCQQDXbfbjiujNbuOxCFNw +68JZaCFVdNovyOWORkpenQLNEjVkmTCS9OayK09ADEYtsdpUGKeF+2EYBNkFr5px +CajnAkBMYI4PNz1HBuwt1SpMa0tMoMQnV7bbwVV7usskKbC5pzHZUHhzM6z5gEHp +0iEisT4Ty7zKXZqsgzefSgoaMAzzAkEAoCIaUhtwXzwdPfvNYnOs3J6doJMimECB ++lbfcyLM8TimvadtRt+KGEg/OYGmLNM2UiqdY+duzdbUpvhYGcwvYwJAQvaoi9z2 +CkiwSs/PFrLaNlfLJmXRsUBzmiWYoh6+IQJJorEXz7ewI72ee9RBO4s746cgUFwH +Ri+qO+HhZFUBqQ== +-----END PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/progs.pl b/openssl-1.1.0h/apps/progs.pl new file mode 100644 index 0000000..0d3b446 --- /dev/null +++ b/openssl-1.1.0h/apps/progs.pl @@ -0,0 +1,164 @@ +#! /usr/bin/env perl +# Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +# Generate progs.h file by looking for command mains in list of C files +# passed on the command line. + +use strict; +use warnings; +use lib '.'; +use configdata qw/@disablables %unified_info/; + +my %commands = (); +my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; + +my $apps_openssl = shift @ARGV; +# because the program apps/openssl has object files as sources, and +# they then have the corresponding C files as source, we need to chain +# the lookups in %unified_info +my @openssl_source = + map { @{$unified_info{sources}->{$_}} } + @{$unified_info{sources}->{$apps_openssl}}; + +foreach my $filename (@openssl_source) { + open F, $filename or die "Couldn't open $filename: $!\n"; + foreach (grep /$cmdre/, ) { + my @foo = /$cmdre/; + $commands{$1} = 1; + } + close F; +} + +@ARGV = sort keys %commands; + +print <<'EOF'; +/* + * WARNING: do not edit! + * Generated by apps/progs.pl + * + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +typedef enum FUNC_TYPE { + FT_none, FT_general, FT_md, FT_cipher, FT_pkey, + FT_md_alg, FT_cipher_alg +} FUNC_TYPE; + +typedef struct function_st { + FUNC_TYPE type; + const char *name; + int (*func)(int argc, char *argv[]); + const OPTIONS *help; +} FUNCTION; + +DEFINE_LHASH_OF(FUNCTION); + +EOF + +foreach (@ARGV) { + printf "extern int %s_main(int argc, char *argv[]);\n", $_; +} + +print "\n"; + +foreach (@ARGV) { + printf "extern OPTIONS %s_options[];\n", $_; +} + +print "\n#ifdef INCLUDE_FUNCTION_TABLE\n"; +print "static FUNCTION functions[] = {\n"; +my %cmd_disabler = ( + ciphers => "sock", + genrsa => "rsa", + rsautl => "rsa", + gendsa => "dsa", + dsaparam => "dsa", + gendh => "dh", + dhparam => "dh", + ecparam => "ec", + pkcs12 => "des", + ); +foreach my $cmd (@ARGV) { + my $str=" { FT_general, \"$cmd\", ${cmd}_main, ${cmd}_options },\n"; + if ($cmd =~ /^s_/) { + print "#ifndef OPENSSL_NO_SOCK\n${str}#endif\n"; + } elsif (grep { $cmd eq $_ } @disablables) { + print "#ifndef OPENSSL_NO_".uc($cmd)."\n${str}#endif\n"; + } elsif (my $disabler = $cmd_disabler{$cmd}) { + print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n"; + } else { + print $str; + } +} + +my %md_disabler = ( + blake2b512 => "blake2", + blake2s256 => "blake2", + ); +foreach my $cmd ( + "md2", "md4", "md5", + "gost", + "sha1", "sha224", "sha256", "sha384", "sha512", + "mdc2", "rmd160", "blake2b512", "blake2s256" +) { + my $str = " { FT_md, \"".$cmd."\", dgst_main},\n"; + if (grep { $cmd eq $_ } @disablables) { + print "#ifndef OPENSSL_NO_".uc($cmd)."\n${str}#endif\n"; + } elsif (my $disabler = $md_disabler{$cmd}) { + print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n"; + } else { + print $str; + } +} + +my %cipher_disabler = ( + des3 => "des", + desx => "des", + cast5 => "cast", + ); +foreach my $cmd ( + "aes-128-cbc", "aes-128-ecb", + "aes-192-cbc", "aes-192-ecb", + "aes-256-cbc", "aes-256-ecb", + "camellia-128-cbc", "camellia-128-ecb", + "camellia-192-cbc", "camellia-192-ecb", + "camellia-256-cbc", "camellia-256-ecb", + "base64", "zlib", + "des", "des3", "desx", "idea", "seed", "rc4", "rc4-40", + "rc2", "bf", "cast", "rc5", + "des-ecb", "des-ede", "des-ede3", + "des-cbc", "des-ede-cbc","des-ede3-cbc", + "des-cfb", "des-ede-cfb","des-ede3-cfb", + "des-ofb", "des-ede-ofb","des-ede3-ofb", + "idea-cbc","idea-ecb", "idea-cfb", "idea-ofb", + "seed-cbc","seed-ecb", "seed-cfb", "seed-ofb", + "rc2-cbc", "rc2-ecb", "rc2-cfb","rc2-ofb", "rc2-64-cbc", "rc2-40-cbc", + "bf-cbc", "bf-ecb", "bf-cfb", "bf-ofb", + "cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb", + "cast-cbc", "rc5-cbc", "rc5-ecb", "rc5-cfb", "rc5-ofb" +) { + my $str=" { FT_cipher, \"$cmd\", enc_main, enc_options },\n"; + (my $algo= $cmd) =~ s/-.*//g; + if ($cmd eq "zlib") { + print "#ifdef ZLIB\n${str}#endif\n"; + } elsif (grep { $algo eq $_ } @disablables) { + print "#ifndef OPENSSL_NO_".uc($algo)."\n${str}#endif\n"; + } elsif (my $disabler = $cipher_disabler{$algo}) { + print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n"; + } else { + print $str; + } +} + +print " { 0, NULL, NULL}\n};\n"; +print "#endif\n"; diff --git a/openssl-1.1.0h/apps/rand.c b/openssl-1.1.0h/apps/rand.c new file mode 100644 index 0000000..b3ec70a --- /dev/null +++ b/openssl-1.1.0h/apps/rand.c @@ -0,0 +1,136 @@ +/* + * Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "apps.h" + +#include +#include +#include + +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_OUT, OPT_ENGINE, OPT_RAND, OPT_BASE64, OPT_HEX +} OPTION_CHOICE; + +OPTIONS rand_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [flags] num\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"out", OPT_OUT, '>', "Output file"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"base64", OPT_BASE64, '-', "Base64 encode output"}, + {"hex", OPT_HEX, '-', "Hex encode output"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int rand_main(int argc, char **argv) +{ + ENGINE *e = NULL; + BIO *out = NULL; + char *inrand = NULL, *outfile = NULL, *prog; + OPTION_CHOICE o; + int format = FORMAT_BINARY, i, num = -1, r, ret = 1; + + prog = opt_init(argc, argv, rand_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(rand_options); + ret = 0; + goto end; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_BASE64: + format = FORMAT_BASE64; + break; + case OPT_HEX: + format = FORMAT_TEXT; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + if (argc == 1) { + if (!opt_int(argv[0], &num) || num <= 0) + goto end; + } else if (argc > 0) { + BIO_printf(bio_err, "Extra arguments given.\n"); + goto opthelp; + } + + app_RAND_load_file(NULL, (inrand != NULL)); + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + + out = bio_open_default(outfile, 'w', format); + if (out == NULL) + goto end; + + if (format == FORMAT_BASE64) { + BIO *b64 = BIO_new(BIO_f_base64()); + if (b64 == NULL) + goto end; + out = BIO_push(b64, out); + } + + while (num > 0) { + unsigned char buf[4096]; + int chunk; + + chunk = num; + if (chunk > (int)sizeof(buf)) + chunk = sizeof(buf); + r = RAND_bytes(buf, chunk); + if (r <= 0) + goto end; + if (format != FORMAT_TEXT) { + if (BIO_write(out, buf, chunk) != chunk) + goto end; + } else { + for (i = 0; i < chunk; i++) + if (BIO_printf(out, "%02x", buf[i]) != 2) + goto end; + } + num -= chunk; + } + if (format == FORMAT_TEXT) + BIO_puts(out, "\n"); + if (BIO_flush(out) <= 0 || !app_RAND_write_file(NULL)) + goto end; + + ret = 0; + + end: + if (ret != 0) + ERR_print_errors(bio_err); + release_engine(e); + BIO_free_all(out); + return (ret); +} diff --git a/openssl-1.1.0h/apps/rehash.c b/openssl-1.1.0h/apps/rehash.c new file mode 100644 index 0000000..273ad74 --- /dev/null +++ b/openssl-1.1.0h/apps/rehash.c @@ -0,0 +1,529 @@ +/* + * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * C implementation based on the original Perl and shell versions + * + * Copyright (c) 2013-2014 Timo Teräs + */ + +#include "apps.h" + +#if defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) || \ + (defined(__VMS) && defined(__DECC) && __CRTL_VER >= 80300000) +# include +# include +# include +# include +# include +# include +# include + +/* + * Make sure that the processing of symbol names is treated the same as when + * libcrypto is built. This is done automatically for public headers (see + * include/openssl/__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H), + * but not for internal headers. + */ +# ifdef __VMS +# pragma names save +# pragma names as_is,shortened +# endif + +# include "internal/o_dir.h" + +# ifdef __VMS +# pragma names restore +# endif + +# include +# include +# include + + +# ifndef PATH_MAX +# define PATH_MAX 4096 +# endif +# ifndef NAME_MAX +# define NAME_MAX 255 +# endif +# define MAX_COLLISIONS 256 + +typedef struct hentry_st { + struct hentry_st *next; + char *filename; + unsigned short old_id; + unsigned char need_symlink; + unsigned char digest[EVP_MAX_MD_SIZE]; +} HENTRY; + +typedef struct bucket_st { + struct bucket_st *next; + HENTRY *first_entry, *last_entry; + unsigned int hash; + unsigned short type; + unsigned short num_needed; +} BUCKET; + +enum Type { + /* Keep in sync with |suffixes|, below. */ + TYPE_CERT=0, TYPE_CRL=1 +}; + +enum Hash { + HASH_OLD, HASH_NEW, HASH_BOTH +}; + + +static int evpmdsize; +static const EVP_MD *evpmd; +static int remove_links = 1; +static int verbose = 0; +static BUCKET *hash_table[257]; + +static const char *suffixes[] = { "", "r" }; +static const char *extensions[] = { "pem", "crt", "cer", "crl" }; + + +static void bit_set(unsigned char *set, unsigned int bit) +{ + set[bit >> 3] |= 1 << (bit & 0x7); +} + +static int bit_isset(unsigned char *set, unsigned int bit) +{ + return set[bit >> 3] & (1 << (bit & 0x7)); +} + + +/* + * Process an entry; return number of errors. + */ +static int add_entry(enum Type type, unsigned int hash, const char *filename, + const unsigned char *digest, int need_symlink, + unsigned short old_id) +{ + static BUCKET nilbucket; + static HENTRY nilhentry; + BUCKET *bp; + HENTRY *ep, *found = NULL; + unsigned int ndx = (type + hash) % OSSL_NELEM(hash_table); + + for (bp = hash_table[ndx]; bp; bp = bp->next) + if (bp->type == type && bp->hash == hash) + break; + if (bp == NULL) { + bp = app_malloc(sizeof(*bp), "hash bucket"); + *bp = nilbucket; + bp->next = hash_table[ndx]; + bp->type = type; + bp->hash = hash; + hash_table[ndx] = bp; + } + + for (ep = bp->first_entry; ep; ep = ep->next) { + if (digest && memcmp(digest, ep->digest, evpmdsize) == 0) { + BIO_printf(bio_err, + "%s: skipping duplicate %s in %s\n", opt_getprog(), + type == TYPE_CERT ? "certificate" : "CRL", filename); + return 1; + } + if (strcmp(filename, ep->filename) == 0) { + found = ep; + if (digest == NULL) + break; + } + } + ep = found; + if (ep == NULL) { + if (bp->num_needed >= MAX_COLLISIONS) { + BIO_printf(bio_err, + "%s: hash table overflow for %s\n", + opt_getprog(), filename); + return 1; + } + ep = app_malloc(sizeof(*ep), "collision bucket"); + *ep = nilhentry; + ep->old_id = ~0; + ep->filename = OPENSSL_strdup(filename); + if (bp->last_entry) + bp->last_entry->next = ep; + if (bp->first_entry == NULL) + bp->first_entry = ep; + bp->last_entry = ep; + } + + if (old_id < ep->old_id) + ep->old_id = old_id; + if (need_symlink && !ep->need_symlink) { + ep->need_symlink = 1; + bp->num_needed++; + memcpy(ep->digest, digest, evpmdsize); + } + return 0; +} + +/* + * Check if a symlink goes to the right spot; return 0 if okay. + * This can be -1 if bad filename, or an error count. + */ +static int handle_symlink(const char *filename, const char *fullpath) +{ + unsigned int hash = 0; + int i, type, id; + unsigned char ch; + char linktarget[PATH_MAX], *endptr; + ossl_ssize_t n; + + for (i = 0; i < 8; i++) { + ch = filename[i]; + if (!isxdigit(ch)) + return -1; + hash <<= 4; + hash += OPENSSL_hexchar2int(ch); + } + if (filename[i++] != '.') + return -1; + for (type = OSSL_NELEM(suffixes) - 1; type > 0; type--) { + const char *suffix = suffixes[type]; + if (strncasecmp(suffix, &filename[i], strlen(suffix)) == 0) + break; + } + i += strlen(suffixes[type]); + + id = strtoul(&filename[i], &endptr, 10); + if (*endptr != '\0') + return -1; + + n = readlink(fullpath, linktarget, sizeof(linktarget)); + if (n < 0 || n >= (int)sizeof(linktarget)) + return -1; + linktarget[n] = 0; + + return add_entry(type, hash, linktarget, NULL, 0, id); +} + +/* + * process a file, return number of errors. + */ +static int do_file(const char *filename, const char *fullpath, enum Hash h) +{ + STACK_OF (X509_INFO) *inf = NULL; + X509_INFO *x; + X509_NAME *name = NULL; + BIO *b; + const char *ext; + unsigned char digest[EVP_MAX_MD_SIZE]; + int type, errs = 0; + size_t i; + + /* Does it end with a recognized extension? */ + if ((ext = strrchr(filename, '.')) == NULL) + goto end; + for (i = 0; i < OSSL_NELEM(extensions); i++) { + if (strcasecmp(extensions[i], ext + 1) == 0) + break; + } + if (i >= OSSL_NELEM(extensions)) + goto end; + + /* Does it have X.509 data in it? */ + if ((b = BIO_new_file(fullpath, "r")) == NULL) { + BIO_printf(bio_err, "%s: skipping %s, cannot open file\n", + opt_getprog(), filename); + errs++; + goto end; + } + inf = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL); + BIO_free(b); + if (inf == NULL) + goto end; + + if (sk_X509_INFO_num(inf) != 1) { + BIO_printf(bio_err, + "%s: skipping %s," + "it does not contain exactly one certificate or CRL\n", + opt_getprog(), filename); + /* This is not an error. */ + goto end; + } + x = sk_X509_INFO_value(inf, 0); + if (x->x509) { + type = TYPE_CERT; + name = X509_get_subject_name(x->x509); + X509_digest(x->x509, evpmd, digest, NULL); + } else if (x->crl) { + type = TYPE_CRL; + name = X509_CRL_get_issuer(x->crl); + X509_CRL_digest(x->crl, evpmd, digest, NULL); + } else { + ++errs; + goto end; + } + if (name) { + if ((h == HASH_NEW) || (h == HASH_BOTH)) + errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0); + if ((h == HASH_OLD) || (h == HASH_BOTH)) + errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0); + } + +end: + sk_X509_INFO_pop_free(inf, X509_INFO_free); + return errs; +} + +static void str_free(char *s) +{ + OPENSSL_free(s); +} + +static int ends_with_dirsep(const char *path) +{ + if (*path != '\0') + path += strlen(path) - 1; +# if defined __VMS + if (*path == ']' || *path == '>' || *path == ':') + return 1; +# elif defined _WIN32 + if (*path == '\\') + return 1; +# endif + return *path == '/'; +} + +static int massage_filename(char *name) +{ +# ifdef __VMS + char *p = strchr(name, ';'); + char *q = p; + + if (q != NULL) { + for (q++; *q != '\0'; q++) { + if (!isdigit((unsigned char)*q)) + return 1; + } + } + + *p = '\0'; +# endif + return 1; +} + +/* + * Process a directory; return number of errors found. + */ +static int do_dir(const char *dirname, enum Hash h) +{ + BUCKET *bp, *nextbp; + HENTRY *ep, *nextep; + OPENSSL_DIR_CTX *d = NULL; + struct stat st; + unsigned char idmask[MAX_COLLISIONS / 8]; + int n, numfiles, nextid, buflen, errs = 0; + size_t i; + const char *pathsep; + const char *filename; + char *buf, *copy; + STACK_OF(OPENSSL_STRING) *files = NULL; + + if (app_access(dirname, W_OK) < 0) { + BIO_printf(bio_err, "Skipping %s, can't write\n", dirname); + return 1; + } + buflen = strlen(dirname); + pathsep = (buflen && !ends_with_dirsep(dirname)) ? "/": ""; + buflen += NAME_MAX + 1 + 1; + buf = app_malloc(buflen, "filename buffer"); + + if (verbose) + BIO_printf(bio_out, "Doing %s\n", dirname); + + if ((files = sk_OPENSSL_STRING_new_null()) == NULL) { + BIO_printf(bio_err, "Skipping %s, out of memory\n", dirname); + exit(1); + } + while ((filename = OPENSSL_DIR_read(&d, dirname)) != NULL) { + if ((copy = strdup(filename)) == NULL + || !massage_filename(copy) + || sk_OPENSSL_STRING_push(files, copy) == 0) { + BIO_puts(bio_err, "out of memory\n"); + exit(1); + } + } + OPENSSL_DIR_end(&d); + sk_OPENSSL_STRING_sort(files); + + numfiles = sk_OPENSSL_STRING_num(files); + for (n = 0; n < numfiles; ++n) { + filename = sk_OPENSSL_STRING_value(files, n); + if (BIO_snprintf(buf, buflen, "%s%s%s", + dirname, pathsep, filename) >= buflen) + continue; + if (lstat(buf, &st) < 0) + continue; + if (S_ISLNK(st.st_mode) && handle_symlink(filename, buf) == 0) + continue; + errs += do_file(filename, buf, h); + } + sk_OPENSSL_STRING_pop_free(files, str_free); + + for (i = 0; i < OSSL_NELEM(hash_table); i++) { + for (bp = hash_table[i]; bp; bp = nextbp) { + nextbp = bp->next; + nextid = 0; + memset(idmask, 0, (bp->num_needed + 7) / 8); + for (ep = bp->first_entry; ep; ep = ep->next) + if (ep->old_id < bp->num_needed) + bit_set(idmask, ep->old_id); + + for (ep = bp->first_entry; ep; ep = nextep) { + nextep = ep->next; + if (ep->old_id < bp->num_needed) { + /* Link exists, and is used as-is */ + BIO_snprintf(buf, buflen, "%08x.%s%d", bp->hash, + suffixes[bp->type], ep->old_id); + if (verbose) + BIO_printf(bio_out, "link %s -> %s\n", + ep->filename, buf); + } else if (ep->need_symlink) { + /* New link needed (it may replace something) */ + while (bit_isset(idmask, nextid)) + nextid++; + + BIO_snprintf(buf, buflen, "%s%s%n%08x.%s%d", + dirname, pathsep, &n, bp->hash, + suffixes[bp->type], nextid); + if (verbose) + BIO_printf(bio_out, "link %s -> %s\n", + ep->filename, &buf[n]); + if (unlink(buf) < 0 && errno != ENOENT) { + BIO_printf(bio_err, + "%s: Can't unlink %s, %s\n", + opt_getprog(), buf, strerror(errno)); + errs++; + } + if (symlink(ep->filename, buf) < 0) { + BIO_printf(bio_err, + "%s: Can't symlink %s, %s\n", + opt_getprog(), ep->filename, + strerror(errno)); + errs++; + } + bit_set(idmask, nextid); + } else if (remove_links) { + /* Link to be deleted */ + BIO_snprintf(buf, buflen, "%s%s%n%08x.%s%d", + dirname, pathsep, &n, bp->hash, + suffixes[bp->type], ep->old_id); + if (verbose) + BIO_printf(bio_out, "unlink %s\n", + &buf[n]); + if (unlink(buf) < 0 && errno != ENOENT) { + BIO_printf(bio_err, + "%s: Can't unlink %s, %s\n", + opt_getprog(), buf, strerror(errno)); + errs++; + } + } + OPENSSL_free(ep->filename); + OPENSSL_free(ep); + } + OPENSSL_free(bp); + } + hash_table[i] = NULL; + } + + OPENSSL_free(buf); + return errs; +} + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE +} OPTION_CHOICE; + +OPTIONS rehash_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert-directory...]\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"h", OPT_HELP, '-', "Display this summary"}, + {"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"}, + {"old", OPT_OLD, '-', "Use old-style hash to generate links"}, + {"n", OPT_N, '-', "Do not remove existing links"}, + {"v", OPT_VERBOSE, '-', "Verbose output"}, + {NULL} +}; + + +int rehash_main(int argc, char **argv) +{ + const char *env, *prog; + char *e, *m; + int errs = 0; + OPTION_CHOICE o; + enum Hash h = HASH_NEW; + + prog = opt_init(argc, argv, rehash_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(rehash_options); + goto end; + case OPT_COMPAT: + h = HASH_BOTH; + break; + case OPT_OLD: + h = HASH_OLD; + break; + case OPT_N: + remove_links = 0; + break; + case OPT_VERBOSE: + verbose = 1; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + evpmd = EVP_sha1(); + evpmdsize = EVP_MD_size(evpmd); + + if (*argv) { + while (*argv) + errs += do_dir(*argv++, h); + } else if ((env = getenv("SSL_CERT_DIR")) != NULL) { + m = OPENSSL_strdup(env); + for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":")) + errs += do_dir(e, h); + OPENSSL_free(m); + } else { + errs += do_dir("/etc/ssl/certs", h); + } + + end: + return errs; +} + +#else +OPTIONS rehash_options[] = { + {NULL} +}; + +int rehash_main(int argc, char **argv) +{ + BIO_printf(bio_err, "Not available; use c_rehash script\n"); + return (1); +} + +#endif /* defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) */ diff --git a/openssl-1.1.0h/apps/req.c b/openssl-1.1.0h/apps/req.c new file mode 100644 index 0000000..2a21569 --- /dev/null +++ b/openssl-1.1.0h/apps/req.c @@ -0,0 +1,1510 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifndef OPENSSL_NO_RSA +# include +#endif +#ifndef OPENSSL_NO_DSA +# include +#endif + +#define SECTION "req" + +#define BITS "default_bits" +#define KEYFILE "default_keyfile" +#define PROMPT "prompt" +#define DISTINGUISHED_NAME "distinguished_name" +#define ATTRIBUTES "attributes" +#define V3_EXTENSIONS "x509_extensions" +#define REQ_EXTENSIONS "req_extensions" +#define STRING_MASK "string_mask" +#define UTF8_IN "utf8" + +#define DEFAULT_KEY_LENGTH 2048 +#define MIN_KEY_LENGTH 512 + +static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn, + int attribs, unsigned long chtype); +static int build_subject(X509_REQ *req, const char *subj, unsigned long chtype, + int multirdn); +static int prompt_info(X509_REQ *req, + STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, + STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, + int attribs, unsigned long chtype); +static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *sk, + STACK_OF(CONF_VALUE) *attr, int attribs, + unsigned long chtype); +static int add_attribute_object(X509_REQ *req, char *text, const char *def, + char *value, int nid, int n_min, int n_max, + unsigned long chtype); +static int add_DN_object(X509_NAME *n, char *text, const char *def, + char *value, int nid, int n_min, int n_max, + unsigned long chtype, int mval); +static int genpkey_cb(EVP_PKEY_CTX *ctx); +static int req_check_len(int len, int n_min, int n_max); +static int check_end(const char *str, const char *end); +static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, + int *pkey_type, long *pkeylen, + char **palgnam, ENGINE *keygen_engine); +static CONF *req_conf = NULL; +static int batch = 0; + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY, + OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT, + OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_RAND, OPT_NEWKEY, + OPT_PKEYOPT, OPT_SIGOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, + OPT_VERIFY, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8, + OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509, + OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_EXTENSIONS, + OPT_REQEXTS, OPT_MD +} OPTION_CHOICE; + +OPTIONS req_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"}, + {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"key", OPT_KEY, 's', "Private key to use"}, + {"keyform", OPT_KEYFORM, 'f', "Key file format"}, + {"pubkey", OPT_PUBKEY, '-', "Output public key"}, + {"new", OPT_NEW, '-', "New request"}, + {"config", OPT_CONFIG, '<', "Request template file"}, + {"keyout", OPT_KEYOUT, '>', "File to send the key to"}, + {"passin", OPT_PASSIN, 's', "Private key password source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"newkey", OPT_NEWKEY, 's', "Specify as type:bits"}, + {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, + {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"batch", OPT_BATCH, '-', + "Do not ask anything during request generation"}, + {"newhdr", OPT_NEWHDR, '-', "Output \"NEW\" in the header lines"}, + {"modulus", OPT_MODULUS, '-', "RSA modulus"}, + {"verify", OPT_VERIFY, '-', "Verify signature on REQ"}, + {"nodes", OPT_NODES, '-', "Don't encrypt the output key"}, + {"noout", OPT_NOOUT, '-', "Do not output REQ"}, + {"verbose", OPT_VERBOSE, '-', "Verbose output"}, + {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"reqopt", OPT_REQOPT, 's', "Various request text options"}, + {"text", OPT_TEXT, '-', "Text form of request"}, + {"x509", OPT_X509, '-', + "Output a x509 structure instead of a cert request"}, + {OPT_MORE_STR, 1, 1, "(Required by some CA's)"}, + {"subj", OPT_SUBJ, 's', "Set or modify request subject"}, + {"subject", OPT_SUBJECT, '-', "Output the request's subject"}, + {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-', + "Enable support for multivalued RDNs"}, + {"days", OPT_DAYS, 'p', "Number of days cert is valid for"}, + {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, + {"extensions", OPT_EXTENSIONS, 's', + "Cert extension section (override value in config file)"}, + {"reqexts", OPT_REQEXTS, 's', + "Request extension section (override value in config file)"}, + {"", OPT_MD, '-', "Any supported digest"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, + {"keygen_engine", OPT_KEYGEN_ENGINE, 's', + "Specify engine to be used for key generation operations"}, +#endif + {NULL} +}; + +int req_main(int argc, char **argv) +{ + ASN1_INTEGER *serial = NULL; + BIO *in = NULL, *out = NULL; + ENGINE *e = NULL, *gen_eng = NULL; + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *genctx = NULL; + STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL; + X509 *x509ss = NULL; + X509_REQ *req = NULL; + const EVP_CIPHER *cipher = NULL; + const EVP_MD *md_alg = NULL, *digest = NULL; + char *extensions = NULL, *infile = NULL; + char *outfile = NULL, *keyfile = NULL, *inrand = NULL; + char *keyalgstr = NULL, *p, *prog, *passargin = NULL, *passargout = NULL; + char *passin = NULL, *passout = NULL; + char *nofree_passin = NULL, *nofree_passout = NULL; + char *req_exts = NULL, *subj = NULL; + char *template = default_config_file, *keyout = NULL; + const char *keyalg = NULL; + OPTION_CHOICE o; + int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose = 0; + int pkey_type = -1, private = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM; + int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0; + int nodes = 0, newhdr = 0, subject = 0, pubkey = 0; + long newkey = -1; + unsigned long chtype = MBSTRING_ASC, nmflag = 0, reqflag = 0; + char nmflag_set = 0; + +#ifndef OPENSSL_NO_DES + cipher = EVP_des_ede3_cbc(); +#endif + + prog = opt_init(argc, argv, req_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(req_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) + goto opthelp; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_KEYGEN_ENGINE: +#ifndef OPENSSL_NO_ENGINE + gen_eng = ENGINE_by_id(opt_arg()); + if (gen_eng == NULL) { + BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); + goto opthelp; + } +#endif + break; + case OPT_KEY: + keyfile = opt_arg(); + break; + case OPT_PUBKEY: + pubkey = 1; + break; + case OPT_NEW: + newreq = 1; + break; + case OPT_CONFIG: + template = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_KEYOUT: + keyout = opt_arg(); + break; + case OPT_PASSIN: + passargin = opt_arg(); + break; + case OPT_PASSOUT: + passargout = opt_arg(); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_NEWKEY: + keyalg = opt_arg(); + newreq = 1; + break; + case OPT_PKEYOPT: + if (!pkeyopts) + pkeyopts = sk_OPENSSL_STRING_new_null(); + if (!pkeyopts || !sk_OPENSSL_STRING_push(pkeyopts, opt_arg())) + goto opthelp; + break; + case OPT_SIGOPT: + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto opthelp; + break; + case OPT_BATCH: + batch = 1; + break; + case OPT_NEWHDR: + newhdr = 1; + break; + case OPT_MODULUS: + modulus = 1; + break; + case OPT_VERIFY: + verify = 1; + break; + case OPT_NODES: + nodes = 1; + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_VERBOSE: + verbose = 1; + break; + case OPT_UTF8: + chtype = MBSTRING_UTF8; + break; + case OPT_NAMEOPT: + nmflag_set = 1; + if (!set_name_ex(&nmflag, opt_arg())) + goto opthelp; + break; + case OPT_REQOPT: + if (!set_cert_ex(&reqflag, opt_arg())) + goto opthelp; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_X509: + x509 = 1; + break; + case OPT_DAYS: + days = atoi(opt_arg()); + break; + case OPT_SET_SERIAL: + if (serial != NULL) { + BIO_printf(bio_err, "Serial number supplied twice\n"); + goto opthelp; + } + serial = s2i_ASN1_INTEGER(NULL, opt_arg()); + if (serial == NULL) + goto opthelp; + break; + case OPT_SUBJECT: + subject = 1; + break; + case OPT_SUBJ: + subj = opt_arg(); + break; + case OPT_MULTIVALUE_RDN: + multirdn = 1; + break; + case OPT_EXTENSIONS: + extensions = opt_arg(); + break; + case OPT_REQEXTS: + req_exts = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_unknown(), &md_alg)) + goto opthelp; + digest = md_alg; + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (x509 && infile == NULL) + newreq = 1; + + if (!nmflag_set) + nmflag = XN_FLAG_ONELINE; + + /* TODO: simplify this as pkey is still always NULL here */ + private = newreq && (pkey == NULL) ? 1 : 0; + + if (!app_passwd(passargin, passargout, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + + if (verbose) + BIO_printf(bio_err, "Using configuration from %s\n", template); + req_conf = app_load_config(template); + if (template != default_config_file && !app_load_modules(req_conf)) + goto end; + + if (req_conf != NULL) { + p = NCONF_get_string(req_conf, NULL, "oid_file"); + if (p == NULL) + ERR_clear_error(); + if (p != NULL) { + BIO *oid_bio; + + oid_bio = BIO_new_file(p, "r"); + if (oid_bio == NULL) { + /*- + BIO_printf(bio_err,"problems opening %s for extra oid's\n",p); + ERR_print_errors(bio_err); + */ + } else { + OBJ_create_objects(oid_bio); + BIO_free(oid_bio); + } + } + } + if (!add_oid_section(req_conf)) + goto end; + + if (md_alg == NULL) { + p = NCONF_get_string(req_conf, SECTION, "default_md"); + if (p == NULL) + ERR_clear_error(); + else { + if (!opt_md(p, &md_alg)) + goto opthelp; + digest = md_alg; + } + } + + if (!extensions) { + extensions = NCONF_get_string(req_conf, SECTION, V3_EXTENSIONS); + if (!extensions) + ERR_clear_error(); + } + if (extensions) { + /* Check syntax of file */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_nconf(&ctx, req_conf); + if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) { + BIO_printf(bio_err, + "Error Loading extension section %s\n", extensions); + goto end; + } + } + + if (passin == NULL) { + passin = nofree_passin = + NCONF_get_string(req_conf, SECTION, "input_password"); + if (passin == NULL) + ERR_clear_error(); + } + + if (passout == NULL) { + passout = nofree_passout = + NCONF_get_string(req_conf, SECTION, "output_password"); + if (passout == NULL) + ERR_clear_error(); + } + + p = NCONF_get_string(req_conf, SECTION, STRING_MASK); + if (!p) + ERR_clear_error(); + + if (p && !ASN1_STRING_set_default_mask_asc(p)) { + BIO_printf(bio_err, "Invalid global string mask setting %s\n", p); + goto end; + } + + if (chtype != MBSTRING_UTF8) { + p = NCONF_get_string(req_conf, SECTION, UTF8_IN); + if (!p) + ERR_clear_error(); + else if (strcmp(p, "yes") == 0) + chtype = MBSTRING_UTF8; + } + + if (!req_exts) { + req_exts = NCONF_get_string(req_conf, SECTION, REQ_EXTENSIONS); + if (!req_exts) + ERR_clear_error(); + } + if (req_exts) { + /* Check syntax of file */ + X509V3_CTX ctx; + X509V3_set_ctx_test(&ctx); + X509V3_set_nconf(&ctx, req_conf); + if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) { + BIO_printf(bio_err, + "Error Loading request extension section %s\n", + req_exts); + goto end; + } + } + + if (keyfile != NULL) { + pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key"); + if (!pkey) { + /* load_key() has already printed an appropriate message */ + goto end; + } else { + char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE"); + if (randfile == NULL) + ERR_clear_error(); + app_RAND_load_file(randfile, 0); + } + } + + if (newreq && (pkey == NULL)) { + char *randfile = NCONF_get_string(req_conf, SECTION, "RANDFILE"); + if (randfile == NULL) + ERR_clear_error(); + app_RAND_load_file(randfile, 0); + if (inrand) + app_RAND_load_files(inrand); + + if (!NCONF_get_number(req_conf, SECTION, BITS, &newkey)) { + newkey = DEFAULT_KEY_LENGTH; + } + + if (keyalg) { + genctx = set_keygen_ctx(keyalg, &pkey_type, &newkey, + &keyalgstr, gen_eng); + if (!genctx) + goto end; + } + + if (newkey < MIN_KEY_LENGTH + && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { + BIO_printf(bio_err, "private key length is too short,\n"); + BIO_printf(bio_err, "it needs to be at least %d bits, not %ld\n", + MIN_KEY_LENGTH, newkey); + goto end; + } + + if (!genctx) { + genctx = set_keygen_ctx(NULL, &pkey_type, &newkey, + &keyalgstr, gen_eng); + if (!genctx) + goto end; + } + + if (pkeyopts) { + char *genopt; + for (i = 0; i < sk_OPENSSL_STRING_num(pkeyopts); i++) { + genopt = sk_OPENSSL_STRING_value(pkeyopts, i); + if (pkey_ctrl_string(genctx, genopt) <= 0) { + BIO_printf(bio_err, "parameter error \"%s\"\n", genopt); + ERR_print_errors(bio_err); + goto end; + } + } + } + + if (pkey_type == EVP_PKEY_EC) { + BIO_printf(bio_err, "Generating an EC private key\n"); + } else { + BIO_printf(bio_err, "Generating a %ld bit %s private key\n", + newkey, keyalgstr); + } + + EVP_PKEY_CTX_set_cb(genctx, genpkey_cb); + EVP_PKEY_CTX_set_app_data(genctx, bio_err); + + if (EVP_PKEY_keygen(genctx, &pkey) <= 0) { + BIO_puts(bio_err, "Error Generating Key\n"); + goto end; + } + + EVP_PKEY_CTX_free(genctx); + genctx = NULL; + + app_RAND_write_file(randfile); + + if (keyout == NULL) { + keyout = NCONF_get_string(req_conf, SECTION, KEYFILE); + if (keyout == NULL) + ERR_clear_error(); + } + + if (keyout == NULL) + BIO_printf(bio_err, "writing new private key to stdout\n"); + else + BIO_printf(bio_err, "writing new private key to '%s'\n", keyout); + out = bio_open_owner(keyout, outformat, private); + if (out == NULL) + goto end; + + p = NCONF_get_string(req_conf, SECTION, "encrypt_rsa_key"); + if (p == NULL) { + ERR_clear_error(); + p = NCONF_get_string(req_conf, SECTION, "encrypt_key"); + if (p == NULL) + ERR_clear_error(); + } + if ((p != NULL) && (strcmp(p, "no") == 0)) + cipher = NULL; + if (nodes) + cipher = NULL; + + i = 0; + loop: + assert(private); + if (!PEM_write_bio_PrivateKey(out, pkey, cipher, + NULL, 0, NULL, passout)) { + if ((ERR_GET_REASON(ERR_peek_error()) == + PEM_R_PROBLEMS_GETTING_PASSWORD) && (i < 3)) { + ERR_clear_error(); + i++; + goto loop; + } + goto end; + } + BIO_free(out); + out = NULL; + BIO_printf(bio_err, "-----\n"); + } + + if (!newreq) { + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + + if (informat == FORMAT_ASN1) + req = d2i_X509_REQ_bio(in, NULL); + else + req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); + if (req == NULL) { + BIO_printf(bio_err, "unable to load X509 request\n"); + goto end; + } + } + + if (newreq || x509) { + if (pkey == NULL) { + BIO_printf(bio_err, "you need to specify a private key\n"); + goto end; + } + + if (req == NULL) { + req = X509_REQ_new(); + if (req == NULL) { + goto end; + } + + i = make_REQ(req, pkey, subj, multirdn, !x509, chtype); + subj = NULL; /* done processing '-subj' option */ + if (!i) { + BIO_printf(bio_err, "problems making Certificate Request\n"); + goto end; + } + } + if (x509) { + EVP_PKEY *tmppkey; + X509V3_CTX ext_ctx; + if ((x509ss = X509_new()) == NULL) + goto end; + + /* Set version to V3 */ + if (extensions && !X509_set_version(x509ss, 2)) + goto end; + if (serial) { + if (!X509_set_serialNumber(x509ss, serial)) + goto end; + } else { + if (!rand_serial(NULL, X509_get_serialNumber(x509ss))) + goto end; + } + + if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) + goto end; + if (!set_cert_times(x509ss, NULL, NULL, days)) + goto end; + if (!X509_set_subject_name + (x509ss, X509_REQ_get_subject_name(req))) + goto end; + tmppkey = X509_REQ_get0_pubkey(req); + if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey)) + goto end; + + /* Set up V3 context struct */ + + X509V3_set_ctx(&ext_ctx, x509ss, x509ss, NULL, NULL, 0); + X509V3_set_nconf(&ext_ctx, req_conf); + + /* Add extensions */ + if (extensions && !X509V3_EXT_add_nconf(req_conf, + &ext_ctx, extensions, + x509ss)) { + BIO_printf(bio_err, "Error Loading extension section %s\n", + extensions); + goto end; + } + + i = do_X509_sign(x509ss, pkey, digest, sigopts); + if (!i) { + ERR_print_errors(bio_err); + goto end; + } + } else { + X509V3_CTX ext_ctx; + + /* Set up V3 context struct */ + + X509V3_set_ctx(&ext_ctx, NULL, NULL, req, NULL, 0); + X509V3_set_nconf(&ext_ctx, req_conf); + + /* Add extensions */ + if (req_exts && !X509V3_EXT_REQ_add_nconf(req_conf, + &ext_ctx, req_exts, + req)) { + BIO_printf(bio_err, "Error Loading extension section %s\n", + req_exts); + goto end; + } + i = do_X509_REQ_sign(req, pkey, digest, sigopts); + if (!i) { + ERR_print_errors(bio_err); + goto end; + } + } + } + + if (subj && x509) { + BIO_printf(bio_err, "Cannot modify certificate subject\n"); + goto end; + } + + if (subj && !x509) { + if (verbose) { + BIO_printf(bio_err, "Modifying Request's Subject\n"); + print_name(bio_err, "old subject=", + X509_REQ_get_subject_name(req), nmflag); + } + + if (build_subject(req, subj, chtype, multirdn) == 0) { + BIO_printf(bio_err, "ERROR: cannot modify subject\n"); + ret = 1; + goto end; + } + + if (verbose) { + print_name(bio_err, "new subject=", + X509_REQ_get_subject_name(req), nmflag); + } + } + + if (verify && !x509) { + EVP_PKEY *tpubkey = pkey; + + if (tpubkey == NULL) { + tpubkey = X509_REQ_get0_pubkey(req); + if (tpubkey == NULL) + goto end; + } + + i = X509_REQ_verify(req, tpubkey); + + if (i < 0) { + goto end; + } else if (i == 0) { + BIO_printf(bio_err, "verify failure\n"); + ERR_print_errors(bio_err); + } else /* if (i > 0) */ + BIO_printf(bio_err, "verify OK\n"); + } + + if (noout && !text && !modulus && !subject && !pubkey) { + ret = 0; + goto end; + } + + out = bio_open_default(outfile, + keyout != NULL && outfile != NULL && + strcmp(keyout, outfile) == 0 ? 'a' : 'w', + outformat); + if (out == NULL) + goto end; + + if (pubkey) { + EVP_PKEY *tpubkey = X509_REQ_get0_pubkey(req); + + if (tpubkey == NULL) { + BIO_printf(bio_err, "Error getting public key\n"); + ERR_print_errors(bio_err); + goto end; + } + PEM_write_bio_PUBKEY(out, tpubkey); + } + + if (text) { + if (x509) + X509_print_ex(out, x509ss, nmflag, reqflag); + else + X509_REQ_print_ex(out, req, nmflag, reqflag); + } + + if (subject) { + if (x509) + print_name(out, "subject=", X509_get_subject_name(x509ss), + nmflag); + else + print_name(out, "subject=", X509_REQ_get_subject_name(req), + nmflag); + } + + if (modulus) { + EVP_PKEY *tpubkey; + + if (x509) + tpubkey = X509_get0_pubkey(x509ss); + else + tpubkey = X509_REQ_get0_pubkey(req); + if (tpubkey == NULL) { + fprintf(stdout, "Modulus=unavailable\n"); + goto end; + } + fprintf(stdout, "Modulus="); +#ifndef OPENSSL_NO_RSA + if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) { + const BIGNUM *n; + RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL); + BN_print(out, n); + } else +#endif + fprintf(stdout, "Wrong Algorithm type"); + fprintf(stdout, "\n"); + } + + if (!noout && !x509) { + if (outformat == FORMAT_ASN1) + i = i2d_X509_REQ_bio(out, req); + else if (newhdr) + i = PEM_write_bio_X509_REQ_NEW(out, req); + else + i = PEM_write_bio_X509_REQ(out, req); + if (!i) { + BIO_printf(bio_err, "unable to write X509 request\n"); + goto end; + } + } + if (!noout && x509 && (x509ss != NULL)) { + if (outformat == FORMAT_ASN1) + i = i2d_X509_bio(out, x509ss); + else + i = PEM_write_bio_X509(out, x509ss); + if (!i) { + BIO_printf(bio_err, "unable to write X509 certificate\n"); + goto end; + } + } + ret = 0; + end: + if (ret) { + ERR_print_errors(bio_err); + } + NCONF_free(req_conf); + BIO_free(in); + BIO_free_all(out); + EVP_PKEY_free(pkey); + EVP_PKEY_CTX_free(genctx); + sk_OPENSSL_STRING_free(pkeyopts); + sk_OPENSSL_STRING_free(sigopts); +#ifndef OPENSSL_NO_ENGINE + ENGINE_free(gen_eng); +#endif + OPENSSL_free(keyalgstr); + X509_REQ_free(req); + X509_free(x509ss); + ASN1_INTEGER_free(serial); + release_engine(e); + if (passin != nofree_passin) + OPENSSL_free(passin); + if (passout != nofree_passout) + OPENSSL_free(passout); + return (ret); +} + +static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *subj, int multirdn, + int attribs, unsigned long chtype) +{ + int ret = 0, i; + char no_prompt = 0; + STACK_OF(CONF_VALUE) *dn_sk, *attr_sk = NULL; + char *tmp, *dn_sect, *attr_sect; + + tmp = NCONF_get_string(req_conf, SECTION, PROMPT); + if (tmp == NULL) + ERR_clear_error(); + if ((tmp != NULL) && strcmp(tmp, "no") == 0) + no_prompt = 1; + + dn_sect = NCONF_get_string(req_conf, SECTION, DISTINGUISHED_NAME); + if (dn_sect == NULL) { + BIO_printf(bio_err, "unable to find '%s' in config\n", + DISTINGUISHED_NAME); + goto err; + } + dn_sk = NCONF_get_section(req_conf, dn_sect); + if (dn_sk == NULL) { + BIO_printf(bio_err, "unable to get '%s' section\n", dn_sect); + goto err; + } + + attr_sect = NCONF_get_string(req_conf, SECTION, ATTRIBUTES); + if (attr_sect == NULL) { + ERR_clear_error(); + attr_sk = NULL; + } else { + attr_sk = NCONF_get_section(req_conf, attr_sect); + if (attr_sk == NULL) { + BIO_printf(bio_err, "unable to get '%s' section\n", attr_sect); + goto err; + } + } + + /* setup version number */ + if (!X509_REQ_set_version(req, 0L)) + goto err; /* version 1 */ + + if (subj) + i = build_subject(req, subj, chtype, multirdn); + else if (no_prompt) + i = auto_info(req, dn_sk, attr_sk, attribs, chtype); + else + i = prompt_info(req, dn_sk, dn_sect, attr_sk, attr_sect, attribs, + chtype); + if (!i) + goto err; + + if (!X509_REQ_set_pubkey(req, pkey)) + goto err; + + ret = 1; + err: + return (ret); +} + +/* + * subject is expected to be in the format /type0=value0/type1=value1/type2=... + * where characters may be escaped by \ + */ +static int build_subject(X509_REQ *req, const char *subject, unsigned long chtype, + int multirdn) +{ + X509_NAME *n; + + if ((n = parse_name(subject, chtype, multirdn)) == NULL) + return 0; + + if (!X509_REQ_set_subject_name(req, n)) { + X509_NAME_free(n); + return 0; + } + X509_NAME_free(n); + return 1; +} + +static int prompt_info(X509_REQ *req, + STACK_OF(CONF_VALUE) *dn_sk, const char *dn_sect, + STACK_OF(CONF_VALUE) *attr_sk, const char *attr_sect, + int attribs, unsigned long chtype) +{ + int i; + char *p, *q; + char buf[100]; + int nid, mval; + long n_min, n_max; + char *type, *value; + const char *def; + CONF_VALUE *v; + X509_NAME *subj; + subj = X509_REQ_get_subject_name(req); + + if (!batch) { + BIO_printf(bio_err, + "You are about to be asked to enter information that will be incorporated\n"); + BIO_printf(bio_err, "into your certificate request.\n"); + BIO_printf(bio_err, + "What you are about to enter is what is called a Distinguished Name or a DN.\n"); + BIO_printf(bio_err, + "There are quite a few fields but you can leave some blank\n"); + BIO_printf(bio_err, + "For some fields there will be a default value,\n"); + BIO_printf(bio_err, + "If you enter '.', the field will be left blank.\n"); + BIO_printf(bio_err, "-----\n"); + } + + if (sk_CONF_VALUE_num(dn_sk)) { + i = -1; + start:for (;;) { + i++; + if (sk_CONF_VALUE_num(dn_sk) <= i) + break; + + v = sk_CONF_VALUE_value(dn_sk, i); + p = q = NULL; + type = v->name; + if (!check_end(type, "_min") || !check_end(type, "_max") || + !check_end(type, "_default") || !check_end(type, "_value")) + continue; + /* + * Skip past any leading X. X: X, etc to allow for multiple + * instances + */ + for (p = v->name; *p; p++) + if ((*p == ':') || (*p == ',') || (*p == '.')) { + p++; + if (*p) + type = p; + break; + } + if (*type == '+') { + mval = -1; + type++; + } else + mval = 0; + /* If OBJ not recognised ignore it */ + if ((nid = OBJ_txt2nid(type)) == NID_undef) + goto start; + if (BIO_snprintf(buf, sizeof(buf), "%s_default", v->name) + >= (int)sizeof(buf)) { + BIO_printf(bio_err, "Name '%s' too long\n", v->name); + return 0; + } + + if ((def = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { + ERR_clear_error(); + def = ""; + } + + BIO_snprintf(buf, sizeof(buf), "%s_value", v->name); + if ((value = NCONF_get_string(req_conf, dn_sect, buf)) == NULL) { + ERR_clear_error(); + value = NULL; + } + + BIO_snprintf(buf, sizeof(buf), "%s_min", v->name); + if (!NCONF_get_number(req_conf, dn_sect, buf, &n_min)) { + ERR_clear_error(); + n_min = -1; + } + + BIO_snprintf(buf, sizeof(buf), "%s_max", v->name); + if (!NCONF_get_number(req_conf, dn_sect, buf, &n_max)) { + ERR_clear_error(); + n_max = -1; + } + + if (!add_DN_object(subj, v->value, def, value, nid, + n_min, n_max, chtype, mval)) + return 0; + } + if (X509_NAME_entry_count(subj) == 0) { + BIO_printf(bio_err, + "error, no objects specified in config file\n"); + return 0; + } + + if (attribs) { + if ((attr_sk != NULL) && (sk_CONF_VALUE_num(attr_sk) > 0) + && (!batch)) { + BIO_printf(bio_err, + "\nPlease enter the following 'extra' attributes\n"); + BIO_printf(bio_err, + "to be sent with your certificate request\n"); + } + + i = -1; + start2: for (;;) { + i++; + if ((attr_sk == NULL) || (sk_CONF_VALUE_num(attr_sk) <= i)) + break; + + v = sk_CONF_VALUE_value(attr_sk, i); + type = v->name; + if ((nid = OBJ_txt2nid(type)) == NID_undef) + goto start2; + + if (BIO_snprintf(buf, sizeof(buf), "%s_default", type) + >= (int)sizeof(buf)) { + BIO_printf(bio_err, "Name '%s' too long\n", v->name); + return 0; + } + + if ((def = NCONF_get_string(req_conf, attr_sect, buf)) + == NULL) { + ERR_clear_error(); + def = ""; + } + + BIO_snprintf(buf, sizeof(buf), "%s_value", type); + if ((value = NCONF_get_string(req_conf, attr_sect, buf)) + == NULL) { + ERR_clear_error(); + value = NULL; + } + + BIO_snprintf(buf, sizeof(buf), "%s_min", type); + if (!NCONF_get_number(req_conf, attr_sect, buf, &n_min)) { + ERR_clear_error(); + n_min = -1; + } + + BIO_snprintf(buf, sizeof(buf), "%s_max", type); + if (!NCONF_get_number(req_conf, attr_sect, buf, &n_max)) { + ERR_clear_error(); + n_max = -1; + } + + if (!add_attribute_object(req, + v->value, def, value, nid, n_min, + n_max, chtype)) + return 0; + } + } + } else { + BIO_printf(bio_err, "No template, please set one up.\n"); + return 0; + } + + return 1; + +} + +static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk, + STACK_OF(CONF_VALUE) *attr_sk, int attribs, + unsigned long chtype) +{ + int i, spec_char, plus_char; + char *p, *q; + char *type; + CONF_VALUE *v; + X509_NAME *subj; + + subj = X509_REQ_get_subject_name(req); + + for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) { + int mval; + v = sk_CONF_VALUE_value(dn_sk, i); + p = q = NULL; + type = v->name; + /* + * Skip past any leading X. X: X, etc to allow for multiple instances + */ + for (p = v->name; *p; p++) { +#ifndef CHARSET_EBCDIC + spec_char = ((*p == ':') || (*p == ',') || (*p == '.')); +#else + spec_char = ((*p == os_toascii[':']) || (*p == os_toascii[',']) + || (*p == os_toascii['.'])); +#endif + if (spec_char) { + p++; + if (*p) + type = p; + break; + } + } +#ifndef CHARSET_EBCDIC + plus_char = (*type == '+'); +#else + plus_char = (*type == os_toascii['+']); +#endif + if (plus_char) { + type++; + mval = -1; + } else + mval = 0; + if (!X509_NAME_add_entry_by_txt(subj, type, chtype, + (unsigned char *)v->value, -1, -1, + mval)) + return 0; + + } + + if (!X509_NAME_entry_count(subj)) { + BIO_printf(bio_err, "error, no objects specified in config file\n"); + return 0; + } + if (attribs) { + for (i = 0; i < sk_CONF_VALUE_num(attr_sk); i++) { + v = sk_CONF_VALUE_value(attr_sk, i); + if (!X509_REQ_add1_attr_by_txt(req, v->name, chtype, + (unsigned char *)v->value, -1)) + return 0; + } + } + return 1; +} + +static int add_DN_object(X509_NAME *n, char *text, const char *def, + char *value, int nid, int n_min, int n_max, + unsigned long chtype, int mval) +{ + int i, ret = 0; + char buf[1024]; + start: + if (!batch) + BIO_printf(bio_err, "%s [%s]:", text, def); + (void)BIO_flush(bio_err); + if (value != NULL) { + OPENSSL_strlcpy(buf, value, sizeof(buf)); + OPENSSL_strlcat(buf, "\n", sizeof(buf)); + BIO_printf(bio_err, "%s\n", value); + } else { + buf[0] = '\0'; + if (!batch) { + if (!fgets(buf, sizeof(buf), stdin)) + return 0; + } else { + buf[0] = '\n'; + buf[1] = '\0'; + } + } + + if (buf[0] == '\0') + return (0); + else if (buf[0] == '\n') { + if ((def == NULL) || (def[0] == '\0')) + return (1); + OPENSSL_strlcpy(buf, def, sizeof(buf)); + OPENSSL_strlcat(buf, "\n", sizeof(buf)); + } else if ((buf[0] == '.') && (buf[1] == '\n')) + return (1); + + i = strlen(buf); + if (buf[i - 1] != '\n') { + BIO_printf(bio_err, "weird input :-(\n"); + return (0); + } + buf[--i] = '\0'; +#ifdef CHARSET_EBCDIC + ebcdic2ascii(buf, buf, i); +#endif + if (!req_check_len(i, n_min, n_max)) { + if (batch || value) + return 0; + goto start; + } + + if (!X509_NAME_add_entry_by_NID(n, nid, chtype, + (unsigned char *)buf, -1, -1, mval)) + goto err; + ret = 1; + err: + return (ret); +} + +static int add_attribute_object(X509_REQ *req, char *text, const char *def, + char *value, int nid, int n_min, + int n_max, unsigned long chtype) +{ + int i; + static char buf[1024]; + + start: + if (!batch) + BIO_printf(bio_err, "%s [%s]:", text, def); + (void)BIO_flush(bio_err); + if (value != NULL) { + OPENSSL_strlcpy(buf, value, sizeof(buf)); + OPENSSL_strlcat(buf, "\n", sizeof(buf)); + BIO_printf(bio_err, "%s\n", value); + } else { + buf[0] = '\0'; + if (!batch) { + if (!fgets(buf, sizeof(buf), stdin)) + return 0; + } else { + buf[0] = '\n'; + buf[1] = '\0'; + } + } + + if (buf[0] == '\0') + return (0); + else if (buf[0] == '\n') { + if ((def == NULL) || (def[0] == '\0')) + return (1); + OPENSSL_strlcpy(buf, def, sizeof(buf)); + OPENSSL_strlcat(buf, "\n", sizeof(buf)); + } else if ((buf[0] == '.') && (buf[1] == '\n')) + return (1); + + i = strlen(buf); + if (buf[i - 1] != '\n') { + BIO_printf(bio_err, "weird input :-(\n"); + return (0); + } + buf[--i] = '\0'; +#ifdef CHARSET_EBCDIC + ebcdic2ascii(buf, buf, i); +#endif + if (!req_check_len(i, n_min, n_max)) { + if (batch || value) + return 0; + goto start; + } + + if (!X509_REQ_add1_attr_by_NID(req, nid, chtype, + (unsigned char *)buf, -1)) { + BIO_printf(bio_err, "Error adding attribute\n"); + ERR_print_errors(bio_err); + goto err; + } + + return (1); + err: + return (0); +} + +static int req_check_len(int len, int n_min, int n_max) +{ + if ((n_min > 0) && (len < n_min)) { + BIO_printf(bio_err, + "string is too short, it needs to be at least %d bytes long\n", + n_min); + return (0); + } + if ((n_max >= 0) && (len > n_max)) { + BIO_printf(bio_err, + "string is too long, it needs to be no more than %d bytes long\n", + n_max); + return (0); + } + return (1); +} + +/* Check if the end of a string matches 'end' */ +static int check_end(const char *str, const char *end) +{ + int elen, slen; + const char *tmp; + elen = strlen(end); + slen = strlen(str); + if (elen > slen) + return 1; + tmp = str + slen - elen; + return strcmp(tmp, end); +} + +static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, + int *pkey_type, long *pkeylen, + char **palgnam, ENGINE *keygen_engine) +{ + EVP_PKEY_CTX *gctx = NULL; + EVP_PKEY *param = NULL; + long keylen = -1; + BIO *pbio = NULL; + const char *paramfile = NULL; + + if (gstr == NULL) { + *pkey_type = EVP_PKEY_RSA; + keylen = *pkeylen; + } else if (gstr[0] >= '0' && gstr[0] <= '9') { + *pkey_type = EVP_PKEY_RSA; + keylen = atol(gstr); + *pkeylen = keylen; + } else if (strncmp(gstr, "param:", 6) == 0) + paramfile = gstr + 6; + else { + const char *p = strchr(gstr, ':'); + int len; + ENGINE *tmpeng; + const EVP_PKEY_ASN1_METHOD *ameth; + + if (p) + len = p - gstr; + else + len = strlen(gstr); + /* + * The lookup of a the string will cover all engines so keep a note + * of the implementation. + */ + + ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len); + + if (!ameth) { + BIO_printf(bio_err, "Unknown algorithm %.*s\n", len, gstr); + return NULL; + } + + EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL, ameth); +#ifndef OPENSSL_NO_ENGINE + ENGINE_finish(tmpeng); +#endif + if (*pkey_type == EVP_PKEY_RSA) { + if (p) { + keylen = atol(p + 1); + *pkeylen = keylen; + } else + keylen = *pkeylen; + } else if (p) + paramfile = p + 1; + } + + if (paramfile) { + pbio = BIO_new_file(paramfile, "r"); + if (!pbio) { + BIO_printf(bio_err, "Can't open parameter file %s\n", paramfile); + return NULL; + } + param = PEM_read_bio_Parameters(pbio, NULL); + + if (!param) { + X509 *x; + (void)BIO_reset(pbio); + x = PEM_read_bio_X509(pbio, NULL, NULL, NULL); + if (x) { + param = X509_get_pubkey(x); + X509_free(x); + } + } + + BIO_free(pbio); + + if (!param) { + BIO_printf(bio_err, "Error reading parameter file %s\n", paramfile); + return NULL; + } + if (*pkey_type == -1) + *pkey_type = EVP_PKEY_id(param); + else if (*pkey_type != EVP_PKEY_base_id(param)) { + BIO_printf(bio_err, "Key Type does not match parameters\n"); + EVP_PKEY_free(param); + return NULL; + } + } + + if (palgnam) { + const EVP_PKEY_ASN1_METHOD *ameth; + ENGINE *tmpeng; + const char *anam; + ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type); + if (!ameth) { + BIO_puts(bio_err, "Internal error: can't find key algorithm\n"); + return NULL; + } + EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth); + *palgnam = OPENSSL_strdup(anam); +#ifndef OPENSSL_NO_ENGINE + ENGINE_finish(tmpeng); +#endif + } + + if (param) { + gctx = EVP_PKEY_CTX_new(param, keygen_engine); + *pkeylen = EVP_PKEY_bits(param); + EVP_PKEY_free(param); + } else + gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine); + + if (gctx == NULL) { + BIO_puts(bio_err, "Error allocating keygen context\n"); + ERR_print_errors(bio_err); + return NULL; + } + + if (EVP_PKEY_keygen_init(gctx) <= 0) { + BIO_puts(bio_err, "Error initializing keygen context\n"); + ERR_print_errors(bio_err); + EVP_PKEY_CTX_free(gctx); + return NULL; + } +#ifndef OPENSSL_NO_RSA + if ((*pkey_type == EVP_PKEY_RSA) && (keylen != -1)) { + if (EVP_PKEY_CTX_set_rsa_keygen_bits(gctx, keylen) <= 0) { + BIO_puts(bio_err, "Error setting RSA keysize\n"); + ERR_print_errors(bio_err); + EVP_PKEY_CTX_free(gctx); + return NULL; + } + } +#endif + + return gctx; +} + +static int genpkey_cb(EVP_PKEY_CTX *ctx) +{ + char c = '*'; + BIO *b = EVP_PKEY_CTX_get_app_data(ctx); + int p; + p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); + if (p == 0) + c = '.'; + if (p == 1) + c = '+'; + if (p == 2) + c = '*'; + if (p == 3) + c = '\n'; + BIO_write(b, &c, 1); + (void)BIO_flush(b); + return 1; +} + +static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, + const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) +{ + EVP_PKEY_CTX *pkctx = NULL; + int i; + + if (ctx == NULL) + return 0; + if (!EVP_DigestSignInit(ctx, &pkctx, md, NULL, pkey)) + return 0; + for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { + char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); + if (pkey_ctrl_string(pkctx, sigopt) <= 0) { + BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt); + ERR_print_errors(bio_err); + return 0; + } + } + return 1; +} + +int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts) +{ + int rv; + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + + rv = do_sign_init(mctx, pkey, md, sigopts); + if (rv > 0) + rv = X509_sign_ctx(x, mctx); + EVP_MD_CTX_free(mctx); + return rv > 0 ? 1 : 0; +} + +int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts) +{ + int rv; + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + rv = do_sign_init(mctx, pkey, md, sigopts); + if (rv > 0) + rv = X509_REQ_sign_ctx(x, mctx); + EVP_MD_CTX_free(mctx); + return rv > 0 ? 1 : 0; +} + +int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md, + STACK_OF(OPENSSL_STRING) *sigopts) +{ + int rv; + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + rv = do_sign_init(mctx, pkey, md, sigopts); + if (rv > 0) + rv = X509_CRL_sign_ctx(x, mctx); + EVP_MD_CTX_free(mctx); + return rv > 0 ? 1 : 0; +} diff --git a/openssl-1.1.0h/apps/req.pem b/openssl-1.1.0h/apps/req.pem new file mode 100644 index 0000000..5537df6 --- /dev/null +++ b/openssl-1.1.0h/apps/req.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBlzCCAVcCAQAwXjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx +ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEXMBUGA1UEAxMORXJp +YyB0aGUgWW91bmcwge8wgaYGBSsOAwIMMIGcAkEA+ZiKEvZmc9MtnaFZh4NiZ3oZ +S4J1PHvPrm9MXj5ntVheDPkdmBDTncyaGAJcMjwsyB/GvLDGd6yGCw/8eF+09wIV +AK3VagOxGd/Q4Af5NbxR5FB7CXEjAkA2t/q7HgVLi0KeKvcDG8BRl3wuy7bCvpjg +tWiJc/tpvcuzeuAayH89UofjAGueKjXDADiRffvSdhrNw5dkqdqlA0QAAkEAtUSo +84OekjitKGVjxLu0HvXck29pu+foad53vPKXAsuJdACj88BPqZ91Y9PIJf1GUh38 +CuiHWi7z3cEDfZCyCKAAMAkGBSsOAwIbBQADLwAwLAIUTg8amKVBE9oqC5B75dDQ +Chy3LdQCFHKodGEj3LjuTzdm/RTe2KZL9Uzf +-----END CERTIFICATE REQUEST----- diff --git a/openssl-1.1.0h/apps/rsa.c b/openssl-1.1.0h/apps/rsa.c new file mode 100644 index 0000000..8b15fcb --- /dev/null +++ b/openssl-1.1.0h/apps/rsa.c @@ -0,0 +1,310 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_RSA +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include +# include +# include +# include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_PUBIN, OPT_PUBOUT, OPT_PASSOUT, OPT_PASSIN, + OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT, + /* Do not change the order here; see case statements below */ + OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG, + OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER +} OPTION_CHOICE; + +OPTIONS rsa_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"}, + {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"}, + {"in", OPT_IN, 's', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, + {"pubout", OPT_PUBOUT, '-', "Output a public key"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"}, + {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"}, + {"noout", OPT_NOOUT, '-', "Don't print key out"}, + {"text", OPT_TEXT, '-', "Print the key in text"}, + {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, + {"check", OPT_CHECK, '-', "Verify key consistency"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, +# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4) + {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"}, + {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"}, + {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"}, +# endif +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +int rsa_main(int argc, char **argv) +{ + ENGINE *e = NULL; + BIO *out = NULL; + RSA *rsa = NULL; + const EVP_CIPHER *enc = NULL; + char *infile = NULL, *outfile = NULL, *prog; + char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL; + int i, private = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0; + int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1; +# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4) + int pvk_encr = 2; +# endif + OPTION_CHOICE o; + + prog = opt_init(argc, argv, rsa_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(rsa_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_PUBIN: + pubin = 1; + break; + case OPT_PUBOUT: + pubout = 1; + break; + case OPT_RSAPUBKEY_IN: + pubin = 2; + break; + case OPT_RSAPUBKEY_OUT: + pubout = 2; + break; + case OPT_PVK_STRONG: /* pvk_encr:= 2 */ + case OPT_PVK_WEAK: /* pvk_encr:= 1 */ + case OPT_PVK_NONE: /* pvk_encr:= 0 */ +# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4) + pvk_encr = (o - OPT_PVK_NONE); +# endif + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_MODULUS: + modulus = 1; + break; + case OPT_CHECK: + check = 1; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &enc)) + goto opthelp; + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + private = (text && !pubin) || (!pubout && !noout) ? 1 : 0; + + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + if (check && pubin) { + BIO_printf(bio_err, "Only private keys can be checked\n"); + goto end; + } + + { + EVP_PKEY *pkey; + + if (pubin) { + int tmpformat = -1; + if (pubin == 2) { + if (informat == FORMAT_PEM) + tmpformat = FORMAT_PEMRSA; + else if (informat == FORMAT_ASN1) + tmpformat = FORMAT_ASN1RSA; + } else + tmpformat = informat; + + pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key"); + } else + pkey = load_key(infile, informat, 1, passin, e, "Private Key"); + + if (pkey != NULL) + rsa = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_free(pkey); + } + + if (rsa == NULL) { + ERR_print_errors(bio_err); + goto end; + } + + out = bio_open_owner(outfile, outformat, private); + if (out == NULL) + goto end; + + if (text) { + assert(pubin || private); + if (!RSA_print(out, rsa, 0)) { + perror(outfile); + ERR_print_errors(bio_err); + goto end; + } + } + + if (modulus) { + const BIGNUM *n; + RSA_get0_key(rsa, &n, NULL, NULL); + BIO_printf(out, "Modulus="); + BN_print(out, n); + BIO_printf(out, "\n"); + } + + if (check) { + int r = RSA_check_key_ex(rsa, NULL); + + if (r == 1) + BIO_printf(out, "RSA key ok\n"); + else if (r == 0) { + unsigned long err; + + while ((err = ERR_peek_error()) != 0 && + ERR_GET_LIB(err) == ERR_LIB_RSA && + ERR_GET_FUNC(err) == RSA_F_RSA_CHECK_KEY_EX && + ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE) { + BIO_printf(out, "RSA key error: %s\n", + ERR_reason_error_string(err)); + ERR_get_error(); /* remove e from error stack */ + } + } else if (r == -1) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (noout) { + ret = 0; + goto end; + } + BIO_printf(bio_err, "writing RSA key\n"); + if (outformat == FORMAT_ASN1) { + if (pubout || pubin) { + if (pubout == 2) + i = i2d_RSAPublicKey_bio(out, rsa); + else + i = i2d_RSA_PUBKEY_bio(out, rsa); + } else { + assert(private); + i = i2d_RSAPrivateKey_bio(out, rsa); + } + } + else if (outformat == FORMAT_PEM) { + if (pubout || pubin) { + if (pubout == 2) + i = PEM_write_bio_RSAPublicKey(out, rsa); + else + i = PEM_write_bio_RSA_PUBKEY(out, rsa); + } else { + assert(private); + i = PEM_write_bio_RSAPrivateKey(out, rsa, + enc, NULL, 0, NULL, passout); + } +# ifndef OPENSSL_NO_DSA + } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { + EVP_PKEY *pk; + pk = EVP_PKEY_new(); + EVP_PKEY_set1_RSA(pk, rsa); + if (outformat == FORMAT_PVK) { + if (pubin) { + BIO_printf(bio_err, "PVK form impossible with public key input\n"); + EVP_PKEY_free(pk); + goto end; + } + assert(private); +# ifdef OPENSSL_NO_RC4 + BIO_printf(bio_err, "PVK format not supported\n"); + EVP_PKEY_free(pk); + goto end; +# else + i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); +# endif + } else if (pubin || pubout) { + i = i2b_PublicKey_bio(out, pk); + } else { + assert(private); + i = i2b_PrivateKey_bio(out, pk); + } + EVP_PKEY_free(pk); +# endif + } else { + BIO_printf(bio_err, "bad output format specified for outfile\n"); + goto end; + } + if (i <= 0) { + BIO_printf(bio_err, "unable to write key\n"); + ERR_print_errors(bio_err); + } else + ret = 0; + end: + release_engine(e); + BIO_free_all(out); + RSA_free(rsa); + OPENSSL_free(passin); + OPENSSL_free(passout); + return (ret); +} +#endif diff --git a/openssl-1.1.0h/apps/rsa8192.pem b/openssl-1.1.0h/apps/rsa8192.pem new file mode 100644 index 0000000..946a6e5 --- /dev/null +++ b/openssl-1.1.0h/apps/rsa8192.pem @@ -0,0 +1,101 @@ +-----BEGIN RSA PRIVATE KEY----- + +MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ +ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF +MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY +55/A20XL7tlV2opEfwhy3uVlveQBM0DnZ3MUQfrk+lRRNWv7yE4ScbOfER9fjvOm +yJc3ZbOa3e+AMGGU9OqJ/fyOl0SGYyP2k23omy/idBV4uOs8QWdnAvq8UOzDdua3 +tuf5Tn17XBurPJ8juwyPBNispkwwn8BjxAZVPhwUIcxFBg339IxJ9cW0WdVy4nNA +LWo/8Ahlf+kZNnFNGCPFytU9gGMLMhab9w/rLrwa9qNe4L8Fmu1JxONn1WfhMOKE +aFmycf2olJsYLgUIGYZrjnYu0p/7P3yhTOv8JIhmK+SzmA/I0xiQoF84rpaQzH2d +PvxICOA9oQSowou0gLuBSZWm6LiXirg1DZCziU46v33ErQlWM1dSyNaUSzihcV59 +mVD0nmzboXH75lGiyiZlp8cLbozzoCwvk9rYqpUGSBzbAy0ECCpabGpzO2Ug+oDi +71e5z4WMpeoR4IS8MaOG/GsJnwaXhiB/gNYfK+8pRADVk5StEAZDE2alSuCbDs0z +d9zYr4/em5T9VZsLetxRE7pm/Es9yELuViz8/Tm0/8MVdmNYc/xZU1t6qYYFdyQ2 +wlGDTiNPsjR8yXCkmBjKwqnuleu1X6LaZu3VPhEkXGcyFAquQUkSiMv0Yu74qAe0 +bQ2v+jjZzP6AM9LUo89cW4Kd8SGD96BdNlAVPNMXoBcIOsZBwsOtETBd4KAyvkXE +Ob17u+PLl4UPnSxm9ypKZunUNFRPxtKUyjySYnvlGL+kTjAXrIrZwKJqIn0uhnfa +Ck3o7bU6yVMK22ODxy2/Vi3E0P6k5JLwnrF0VIOBqGhts66qo6mWDP8l6MZHARFd +pU+nofssVmr8tLKmMmjYGMM5GmKIXRNBs0ksTwFnKRs9AmpE5owC8tTSVdTAkGuS +os7QwLvyvNzq7BGJiVr0Iy3Dhsl1vzR35acNOrCsDl3DcCQONKJ2sVXV4pD3dBah +mG3sR/jHgjasffJJ35uiGoAua9dbT7HG/+D0z1SHYaVqH8zO4VZSOnGJh/P9rtxx +cckFDbiag/JMWig2lbnCjebTtp/BcUsK3TNaDOb7vb0LvbAeRJadd1EFu6PSlH3K +LykSUPm4UedvUU3cWjqkSY5lITFJkVaIYOv/EljYtK7p7kFZFTaEwMAWxgsXU3pQ +tTzVmq1gZ4vXPwcUq0zK50Frq0F7SQc21ZsunwIDAQABAoIEADuQAkDEpBausJsS +PgL1RXuzECPJJJCBxTE+2qx0FoY4hJICCWTORHGmU8nGPE3Ht0wBiNDsULw6KXl9 +psmzYW6D3qRbpdQebky6fu/KZ5H0XTyGpJGomaXELH5hkwo2gdKB805LSXB+m7p0 +9o96kSdMkpBLVGtf5iZ8W4rY2LsZmlI9f7taQHSLVt/M8HTz1mTnBRU92QO3zZW6 +xVa+OrWaFl18u3ZeIaSh2X40tBK68cqstXVD0r2OWuXNKobcQeJW8/XABzBShZ0c +ihL0lzyqiN4uXrLu+Nbr22b+FU2OODy6dGk3U6/69NvI4piMCPlHsfhHOnFjd1ZW +RIVywyUlCtLNdcn11CchuRro+0J3c2Ba+i9Cl9r3qzT11xFEGF8/XLyUBBCB+uGf +1dR/xJQhCA7cXWWLXyI/semxcvTaGpImP6kiIl1MAjHjXZTSdvyw4JmfXyYGhSjI +P0mw3Xn7FXxJ/os9gOfNKz2nZHjr0q4sgWRYO+4vllkeL0GteZrg4oVaVpmZb7LH +77afhodLylhijlEtV5skfkPujbBLQk6E5Ez3U/huEt2NLg6guADmwxMxfBRliZO4 +4Ex/td4cuggpEj3FGJV74qRvdvj/MF/uF7IxC/3WapPIsFBFH4zrJsUYt6u3L68I +/KC/bfioDeUR/8ANw1DNh+UsnPV3GJIwDkIJKdppi2uXPahJyJQQ8Inps53nn8Gg +GifS+HnOXNgMoKOJnZ9IDGjXpfjIs8dJNrGfDHF0mH30N2WARq2v/a3cNUC+f8Bq +HSKQ9YrZopktMunsut8u7ZYbTmjIqJpXCaM0CCrSlzSMTDHFSj2tzLk6+qnxeGxB +ZwIdShbdeK+0ETG91lE1e9RPQs/uXQP9+uCHJV0YpqQcA6pkCLYJfYpoSMu/Bafy +AgfVZz6l5tyEnV0wCcbopsQShc1k9xtTbYNF1h9AQHknj6zeDW4iZMvmVeh3RovT +52OA2R8oLyauF+QaG6x2wUjEx13SJlaBarJZ4seZIOJ+a8+oNzKsbgokXc2cyC9p +5FAZz1OsOb68o93qD1Xvl7bY97fq2q55L7G1XHPPLtZE5lGiLGDtnAuwY8UPrdpr +7Mv2yIxB7xVGurXyHb5PvusR88XED6HMPfLBG/55ENHTal7G5mRix+IWSBAIkxA5 +KZ0j8r5Ng4+wELZhqFQai39799bIAyiV6CEz4kyDXlo0kSSexp8o4iz5sPq5vp6h +cCb7rdRw7uRnbXrHmXahxoB+ibXaurgV/6B2yurrU/UFoxEp2sHp8LXZGfF6ztY1 +dMhSQAACK2vGy5yNagbkTHLgVaHicG5zavJBqzCE+lbPlCqhOUQPdOIwvjHNjdS/ +DL3WV/ECggIBAMbW65wPk/i43nSyeZeYwcHtR1SUJqDXavYfBPC0VRhKz+7DVMFw +Nwnocn6gITABc445W1yl7U3uww+LGuDlSlFnd8WuiXpVYud9/jeNu6Mu4wvNsnWr +f4f4ua8CcS03GmqmcbROD2Z6by1AblCZ2UL1kv9cUX1FLVjPP1ESAGKoePt3BmZQ +J1uJfK8HilNT8dcUlj/5CBi2uHxttDhoG0sxXE/SVsG9OD/Pjme0mj7gdzc6Ztd+ +TALuvpNQR4pRzfo5XWDZBcEYntcEE3PxYJB1+vnZ8509ew5/yLHTbLjFxIcx71zY +fhH0gM36Sz7mz37r0+E/QkRkc5bVIDC4LDnWmjpAde6QUx0d218ShNx6sJo4kt5c +Dd7tEVx8nuX8AIZYgwsOb382anLyFRkkmEdK3gRvwQ6SWR36Ez5L7/mHWODpLAX5 +mVBKSG4/ccFbc633/g0xHw0Nwajir/klckdakuYPlwF0yAxJSKDLhmNctDhRmxjC +YP+fISkl5oTvFRzJH6HEyNu8M3ybRvmpPIjM5J5JpnB2IYbohYBR+T6/97C1DKrd +mzL5PjlrWm0c1/d7LlDoP65fOShDMmj2zCiBAHHOM0Alokx+v5LmMd8NJumZIwGJ +Rt5OpeMOhowz6j1AjYxYgV7PmJL6Ovpfb775od/aLaUbbwHz2uWIvfF7AoICAQCw +c7NaO7oJVLJClhYw6OCvjT6oqtgNVWaennnDiJgzY9lv5HEgV0MAG0eYuB3hvj+w +Y1P9DJxP1D+R+cshYrAFg8yU/3kaYVNI0Bl3ygX0eW1b/0HZTdocs+8kM/9PZQDR +WrKQoU5lHvqRt99dXlD4NWGI2YQtzdZ8iet9QLqnjwRZabgE96mF01qKisMnFcsh +KjT7ieheU4J15TZj/mdZRNK126d7e3q/rNj73e5EJ9tkYLcolSr4gpknUMJULSEi +JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo +yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ +kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9 +DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN +22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU +ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz +D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP +PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8 +dUrYmHNEUJfHl4T1ESgkX1vkcpVFeQFruZDjk7EP3+1sgvpSroGTZkVBRFsTXbQZ +FuCv0Pgt1TKG+zGmklxhj3TsiRy8MEjWAxBUp++ftZJnZNI4feDGnfEx7tLwVhAg +6DWSiWDO6hgQpvOLwX5lu+0x9itc1MQsnDO/OqIDnBAJDN5k7cVVkfKlqbVjxgpz +eqUJs3yAd81f44kDQTCB4ahYocgeIGsrOqd/WoGL1EEPPo/O9wQP7VtlIRt8UwuG +bS18+a4sBUfAa56xYu/pnPo7YcubsgZfcSIujzFQqMpVTClJRnOnEuJ4J1+PXzRz +XAO9fs4VJ+CMEmgAyonUz4Xadxulnknlw//sO9VKgM69oFHCDHL/XamAAbqAdwvf +7R/+uy+Ol7romC0wMhb6SsIZazrvvH2mNtduAKZ638nAP1x/WbQp+6iVG7yJok7w +82Q7tO7baOePTXh12Rrt4mNPor0HLYxhra4GFgfqkumJ2Mz0esuZAozxJXFOq8ly +beo9CVtXP5zbT6qNpeNismX6PLICaev8t+1iOZSE56WSLtefuuj/cOVrTMNDz1Rr +pUkEVV2zjUSjlcScM538A9iL2QKCAgBLbBk0r6T0ihRsK9UucMxhnYEz/Vq+UEu9 +70Vi1AciqEJv9nh4d3Q3HnH7EHANZxG4Jqzm1DYYVUQa9GfkTFeq88xFv/GW2hUM +YY8RSfRDrIeXNEOETCe37x2AHw25dRXlZtw+wARPau91y9+Y/FCl18NqCHfcUEin +ERjsf/eI2bPlODAlR2tZvZ7M60VBdqpN8cmV3zvI3e88z43xLfQlDyr1+v7a5Evy +lEJnXlSTI2o+vKxtl103vjMSwA1gh63K90gBVsJWXQDZueOzi8mB9UqNRfcMmOEe +4YHttTXPxeu0x+4cCRfam9zKShsVFgI28vRQ/ijl6qmbQ5gV8wqf18GV1j1L4z0P +lP6iVynDA4MMrug/w9DqPsHsfK0pwekeETfSj4y0xVXyjWZBfHG2ZBrS6mDTf+RG +LC4sJgR0hjdILLnUqIX7PzuhieBHRrjBcopwvcryVWRHnI7kslAS0+yHjiWc5oW3 +x5mtlum4HzelNYuD9cAE/95P6CeSMfp9CyIE/KSX4VvsRm6gQVkoQRKMxnQIFQ3w +O5gl1l88vhjoo2HxYScgCp70BsDwiUNTqIR3NM+ZBHYFweVf3Gwz5LzHZT2rEZtD +6VXRP75Q/2wOLnqCO4bK4BUs6sqxcQZmOldruPkPynrY0oPfHHExjxZDvQu4/r80 +Ls3n0L8yvQKCAgEAnYWS6EikwaQNpJEfiUnOlglgFz4EE1eVkrDbBY4J3oPU+doz +DrqmsvgpSZIAfd2MUbkN4pOMsMTjbeIYWDnZDa1RoctKs3FhwFPHwAjQpznab4mn +Bp81FMHM40qyb0NaNuFRwghdXvoQvBBX1p8oEnFzDRvTiuS/vTPTA8KDY8IeRp8R +oGzKHpfziNwq/URpqj7pwi9odNjGZvR2IwYw9jCLPIqaEbMoSOdI0mg4MoYyqP4q +nm7d4wqSDwrYxiXZ6f3nYpkhEY1lb0Wbksp1ig8sKSF4nDZRGK1RSfE+6gjBp94H +X/Wog6Zb6NC9ZpusTiDLvuIUXcyUJvmHiWjSNqiTv8jurlwEsgSwhziEQfqLrtdV +QI3PRMolBkD1iCk+HFE53r05LMf1bp3r4MS+naaQrLbIrl1kgDNGwVdgS+SCM7Bg +TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c +46C6SaWI0TD9B11nJbHGTYN3Si9n0EBgoDJEXUKeh3km9O47dgvkSug4WzhYsvrE +rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv +I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8= +-----END RSA PRIVATE KEY----- + diff --git a/openssl-1.1.0h/apps/rsautl.c b/openssl-1.1.0h/apps/rsautl.c new file mode 100644 index 0000000..d527bf4 --- /dev/null +++ b/openssl-1.1.0h/apps/rsautl.c @@ -0,0 +1,278 @@ +/* + * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_RSA +NON_EMPTY_TRANSLATION_UNIT +#else + +# include "apps.h" +# include +# include +# include +# include + +# define RSA_SIGN 1 +# define RSA_VERIFY 2 +# define RSA_ENCRYPT 3 +# define RSA_DECRYPT 4 + +# define KEY_PRIVKEY 1 +# define KEY_PUBKEY 2 +# define KEY_CERT 3 + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP, + OPT_RAW, OPT_OAEP, OPT_SSL, OPT_PKCS, OPT_X931, + OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT, + OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM +} OPTION_CHOICE; + +OPTIONS rsautl_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"inkey", OPT_INKEY, 's', "Input key"}, + {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"}, + {"pubin", OPT_PUBIN, '-', "Input is an RSA public"}, + {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"}, + {"ssl", OPT_SSL, '-', "Use SSL v2 padding"}, + {"raw", OPT_RAW, '-', "Use no padding"}, + {"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"}, + {"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"}, + {"sign", OPT_SIGN, '-', "Sign with private key"}, + {"verify", OPT_VERIFY, '-', "Verify with public key"}, + {"asn1parse", OPT_ASN1PARSE, '-', + "Run output through asn1parse; useful with -verify"}, + {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, + {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"}, + {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +int rsautl_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL; + ENGINE *e = NULL; + EVP_PKEY *pkey = NULL; + RSA *rsa = NULL; + X509 *x; + char *infile = NULL, *outfile = NULL, *keyfile = NULL; + char *passinarg = NULL, *passin = NULL, *prog; + char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY; + unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING; + int rsa_inlen, keyformat = FORMAT_PEM, keysize, ret = 1; + int rsa_outlen = 0, hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, rsautl_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(rsautl_options); + ret = 0; + goto end; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_ASN1PARSE: + asn1parse = 1; + break; + case OPT_HEXDUMP: + hexdump = 1; + break; + case OPT_RAW: + pad = RSA_NO_PADDING; + break; + case OPT_OAEP: + pad = RSA_PKCS1_OAEP_PADDING; + break; + case OPT_SSL: + pad = RSA_SSLV23_PADDING; + break; + case OPT_PKCS: + pad = RSA_PKCS1_PADDING; + break; + case OPT_X931: + pad = RSA_X931_PADDING; + break; + case OPT_SIGN: + rsa_mode = RSA_SIGN; + need_priv = 1; + break; + case OPT_VERIFY: + rsa_mode = RSA_VERIFY; + break; + case OPT_REV: + rev = 1; + break; + case OPT_ENCRYPT: + rsa_mode = RSA_ENCRYPT; + break; + case OPT_DECRYPT: + rsa_mode = RSA_DECRYPT; + need_priv = 1; + break; + case OPT_PUBIN: + key_type = KEY_PUBKEY; + break; + case OPT_CERTIN: + key_type = KEY_CERT; + break; + case OPT_INKEY: + keyfile = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (need_priv && (key_type != KEY_PRIVKEY)) { + BIO_printf(bio_err, "A private key is needed for this operation\n"); + goto end; + } + + if (!app_passwd(passinarg, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + +/* FIXME: seed PRNG only if needed */ + app_RAND_load_file(NULL, 0); + + switch (key_type) { + case KEY_PRIVKEY: + pkey = load_key(keyfile, keyformat, 0, passin, e, "Private Key"); + break; + + case KEY_PUBKEY: + pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "Public Key"); + break; + + case KEY_CERT: + x = load_cert(keyfile, keyformat, "Certificate"); + if (x) { + pkey = X509_get_pubkey(x); + X509_free(x); + } + break; + } + + if (!pkey) { + return 1; + } + + rsa = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_free(pkey); + + if (!rsa) { + BIO_printf(bio_err, "Error getting RSA key\n"); + ERR_print_errors(bio_err); + goto end; + } + + in = bio_open_default(infile, 'r', FORMAT_BINARY); + if (in == NULL) + goto end; + out = bio_open_default(outfile, 'w', FORMAT_BINARY); + if (out == NULL) + goto end; + + keysize = RSA_size(rsa); + + rsa_in = app_malloc(keysize * 2, "hold rsa key"); + rsa_out = app_malloc(keysize, "output rsa key"); + + /* Read the input data */ + rsa_inlen = BIO_read(in, rsa_in, keysize * 2); + if (rsa_inlen < 0) { + BIO_printf(bio_err, "Error reading input Data\n"); + goto end; + } + if (rev) { + int i; + unsigned char ctmp; + for (i = 0; i < rsa_inlen / 2; i++) { + ctmp = rsa_in[i]; + rsa_in[i] = rsa_in[rsa_inlen - 1 - i]; + rsa_in[rsa_inlen - 1 - i] = ctmp; + } + } + switch (rsa_mode) { + + case RSA_VERIFY: + rsa_outlen = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad); + break; + + case RSA_SIGN: + rsa_outlen = + RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad); + break; + + case RSA_ENCRYPT: + rsa_outlen = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad); + break; + + case RSA_DECRYPT: + rsa_outlen = + RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad); + break; + } + + if (rsa_outlen < 0) { + BIO_printf(bio_err, "RSA operation error\n"); + ERR_print_errors(bio_err); + goto end; + } + ret = 0; + if (asn1parse) { + if (!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) { + ERR_print_errors(bio_err); + } + } else if (hexdump) + BIO_dump(out, (char *)rsa_out, rsa_outlen); + else + BIO_write(out, rsa_out, rsa_outlen); + end: + RSA_free(rsa); + release_engine(e); + BIO_free(in); + BIO_free_all(out); + OPENSSL_free(rsa_in); + OPENSSL_free(rsa_out); + OPENSSL_free(passin); + return ret; +} +#endif diff --git a/openssl-1.1.0h/apps/s1024key.pem b/openssl-1.1.0h/apps/s1024key.pem new file mode 100644 index 0000000..19e0403 --- /dev/null +++ b/openssl-1.1.0h/apps/s1024key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXgIBAAKBgQCzEfU8E+ZGTGtHXV5XhvM2Lg32fXUIjydXb34BGVPX6oN7+aNV +S9eWayvW/+9/vUb0aCqilJrpFesgItV2T8VhhjOE++XUz46uNpcMU7wHMEAXUufP +pztpFm8ZEk2tFKvadkSSoN8lb11juvZVkSkPlB65pFhSe4QKSp6J4HrkYwIDAQAB +AoGBAKy8jvb0Lzby8q11yNLf7+78wCVdYi7ugMHcYA1JVFK8+zb1WfSm44FLQo/0 +dSChAjgz36TTexeLODPYxleJndjVcOMVzsLJjSM8dLpXsTS4FCeMbhw2s2u+xqKY +bbPWfk+HOTyJjfnkcC5Nbg44eOmruq0gSmBeUXVM5UntlTnxAkEA7TGCA3h7kx5E +Bl4zl2pc3gPAGt+dyfk5Po9mGJUUXhF5p2zueGmYWW74TmOWB1kzt4QRdYMzFePq +zfDNXEa1CwJBAMFErdY0xp0UJ13WwBbUTk8rujqQdHtjw0klhpbuKkjxu2hN0wwM +6p0D9qxF7JHaghqVRI0fAW/EE0OzdHMR9QkCQQDNR26dMFXKsoPu+vItljj/UEGf +QG7gERiQ4yxaFBPHgdpGo0kT31eh9x9hQGDkxTe0GNG/YSgCRvm8+C3TMcKXAkBD +dhGn36wkUFCddMSAM4NSJ1VN8/Z0y5HzCmI8dM3VwGtGMUQlxKxwOl30LEQzdS5M +0SWojNYXiT2gOBfBwtbhAkEAhafl5QEOIgUz+XazS/IlZ8goNKdDVfYgK3mHHjvv +nY5G+AuGebdNkXJr4KSWxDcN+C2i47zuj4QXA16MAOandA== +-----END RSA PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/s1024req.pem b/openssl-1.1.0h/apps/s1024req.pem new file mode 100644 index 0000000..bb75e7e --- /dev/null +++ b/openssl-1.1.0h/apps/s1024req.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBojCCAQsCAQAwZDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx +GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMSQwIgYDVQQDExtTZXJ2ZXIgdGVz +dCBjZXJ0ICgxMDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALMR +9TwT5kZMa0ddXleG8zYuDfZ9dQiPJ1dvfgEZU9fqg3v5o1VL15ZrK9b/73+9RvRo +KqKUmukV6yAi1XZPxWGGM4T75dTPjq42lwxTvAcwQBdS58+nO2kWbxkSTa0Uq9p2 +RJKg3yVvXWO69lWRKQ+UHrmkWFJ7hApKnongeuRjAgMBAAEwDQYJKoZIhvcNAQEE +BQADgYEAStHlk4pBbwiNeQ2/PKTPPXzITYC8Gn0XMbrU94e/6JIKiO7aArq9Espq +nrBSvC14dHcNl6NNvnkEKdQ7hAkcACfBbnOXA/oQvMBd4GD78cH3k0jVDoVUEjil +frLfWlckW6WzpTktt0ZPDdAjJCmKVh0ABHimi7Bo9FC3wIGIe5M= +-----END CERTIFICATE REQUEST----- diff --git a/openssl-1.1.0h/apps/s512-key.pem b/openssl-1.1.0h/apps/s512-key.pem new file mode 100644 index 0000000..0e3ff2d --- /dev/null +++ b/openssl-1.1.0h/apps/s512-key.pem @@ -0,0 +1,9 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD +TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu +OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj +gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz +rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b +PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA +vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU= +-----END RSA PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/s512-req.pem b/openssl-1.1.0h/apps/s512-req.pem new file mode 100644 index 0000000..ea314be --- /dev/null +++ b/openssl-1.1.0h/apps/s512-req.pem @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBGzCBxgIBADBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEa +MBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0 +IGNlcnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8S +MVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8E +y2//Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAANBAAB+uQi+qwn6qRSHB8EUTvsm +5TNTHzYDeN39nyIbZNX2s0se3Srn2Bxft5YCwD3moFZ9QoyDHxE0h6qLX5yjD+8= +-----END CERTIFICATE REQUEST----- diff --git a/openssl-1.1.0h/apps/s_apps.h b/openssl-1.1.0h/apps/s_apps.h new file mode 100644 index 0000000..c47932b --- /dev/null +++ b/openssl-1.1.0h/apps/s_apps.h @@ -0,0 +1,102 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) +# include +#endif + +#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32) +# define _kbhit kbhit +#endif + +#if defined(OPENSSL_SYS_VMS) && !defined(FD_SET) +/* + * VAX C does not defined fd_set and friends, but it's actually quite simple + */ +/* These definitions are borrowed from SOCKETSHR. /Richard Levitte */ +# define MAX_NOFILE 32 +# define NBBY 8 /* number of bits in a byte */ + +# ifndef FD_SETSIZE +# define FD_SETSIZE MAX_NOFILE +# endif /* FD_SETSIZE */ + +/* How many things we'll allow select to use. 0 if unlimited */ +# define MAXSELFD MAX_NOFILE +typedef int fd_mask; /* int here! VMS prototypes int, not long */ +# define NFDBITS (sizeof(fd_mask) * NBBY)/* bits per mask (power of 2!) */ +# define NFDSHIFT 5 /* Shift based on above */ + +typedef fd_mask fd_set; +# define FD_SET(n, p) (*(p) |= (1 << ((n) % NFDBITS))) +# define FD_CLR(n, p) (*(p) &= ~(1 << ((n) % NFDBITS))) +# define FD_ISSET(n, p) (*(p) & (1 << ((n) % NFDBITS))) +# define FD_ZERO(p) memset((p), 0, sizeof(*(p))) +#endif + +#define PORT "4433" +#define PROTOCOL "tcp" + +typedef int (*do_server_cb)(int s, int stype, unsigned char *context); +int do_server(int *accept_sock, const char *host, const char *port, + int family, int type, + do_server_cb cb, + unsigned char *context, int naccept); +#ifdef HEADER_X509_H +int verify_callback(int ok, X509_STORE_CTX *ctx); +#endif +#ifdef HEADER_SSL_H +int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file); +int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, + STACK_OF(X509) *chain, int build_chain); +int ssl_print_sigalgs(BIO *out, SSL *s); +int ssl_print_point_formats(BIO *out, SSL *s); +int ssl_print_curves(BIO *out, SSL *s, int noshared); +#endif +int ssl_print_tmp_key(BIO *out, SSL *s); +int init_client(int *sock, const char *host, const char *port, + int family, int type); +int should_retry(int i); + +long bio_dump_callback(BIO *bio, int cmd, const char *argp, + int argi, long argl, long ret); + +#ifdef HEADER_SSL_H +void apps_ssl_info_callback(const SSL *s, int where, int ret); +void msg_cb(int write_p, int version, int content_type, const void *buf, + size_t len, SSL *ssl, void *arg); +void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data, + int len, void *arg); +#endif + +int generate_cookie_callback(SSL *ssl, unsigned char *cookie, + unsigned int *cookie_len); +int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, + unsigned int cookie_len); + +typedef struct ssl_excert_st SSL_EXCERT; + +void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc); +void ssl_excert_free(SSL_EXCERT *exc); +int args_excert(int option, SSL_EXCERT **pexc); +int load_excert(SSL_EXCERT **pexc); +void print_verify_detail(SSL *s, BIO *bio); +void print_ssl_summary(SSL *s); +#ifdef HEADER_SSL_H +int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx); +int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, + int crl_download); +int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath, + const char *vfyCAfile, const char *chCApath, + const char *chCAfile, STACK_OF(X509_CRL) *crls, + int crl_download); +void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose); +#endif diff --git a/openssl-1.1.0h/apps/s_cb.c b/openssl-1.1.0h/apps/s_cb.c new file mode 100644 index 0000000..afa3065 --- /dev/null +++ b/openssl-1.1.0h/apps/s_cb.c @@ -0,0 +1,1335 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* callback functions used by s_client, s_server, and s_time */ +#include +#include +#include /* for memcpy() and strcmp() */ +#define USE_SOCKETS +#include "apps.h" +#undef USE_SOCKETS +#include +#include +#include +#include +#include +#ifndef OPENSSL_NO_DH +# include +#endif +#include "s_apps.h" + +#define COOKIE_SECRET_LENGTH 16 + +VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 }; + +#ifndef OPENSSL_NO_SOCK +static unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; +static int cookie_initialized = 0; +#endif + +static const char *lookup(int val, const STRINT_PAIR* list, const char* def) +{ + for ( ; list->name; ++list) + if (list->retval == val) + return list->name; + return def; +} + +int verify_callback(int ok, X509_STORE_CTX *ctx) +{ + X509 *err_cert; + int err, depth; + + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + + if (!verify_args.quiet || !ok) { + BIO_printf(bio_err, "depth=%d ", depth); + if (err_cert) { + X509_NAME_print_ex(bio_err, + X509_get_subject_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + } else + BIO_puts(bio_err, "\n"); + } + if (!ok) { + BIO_printf(bio_err, "verify error:num=%d:%s\n", err, + X509_verify_cert_error_string(err)); + if (verify_args.depth >= depth) { + if (!verify_args.return_error) + ok = 1; + verify_args.error = err; + } else { + ok = 0; + verify_args.error = X509_V_ERR_CERT_CHAIN_TOO_LONG; + } + } + switch (err) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + BIO_puts(bio_err, "issuer= "); + X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + BIO_printf(bio_err, "notBefore="); + ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert)); + BIO_printf(bio_err, "\n"); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + BIO_printf(bio_err, "notAfter="); + ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert)); + BIO_printf(bio_err, "\n"); + break; + case X509_V_ERR_NO_EXPLICIT_POLICY: + if (!verify_args.quiet) + policies_print(ctx); + break; + } + if (err == X509_V_OK && ok == 2 && !verify_args.quiet) + policies_print(ctx); + if (ok && !verify_args.quiet) + BIO_printf(bio_err, "verify return:%d\n", ok); + return (ok); +} + +int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) +{ + if (cert_file != NULL) { + if (SSL_CTX_use_certificate_file(ctx, cert_file, + SSL_FILETYPE_PEM) <= 0) { + BIO_printf(bio_err, "unable to get certificate from '%s'\n", + cert_file); + ERR_print_errors(bio_err); + return (0); + } + if (key_file == NULL) + key_file = cert_file; + if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) { + BIO_printf(bio_err, "unable to get private key from '%s'\n", + key_file); + ERR_print_errors(bio_err); + return (0); + } + + /* + * If we are using DSA, we can copy the parameters from the private + * key + */ + + /* + * Now we know that a key and cert have been set against the SSL + * context + */ + if (!SSL_CTX_check_private_key(ctx)) { + BIO_printf(bio_err, + "Private key does not match the certificate public key\n"); + return (0); + } + } + return (1); +} + +int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, + STACK_OF(X509) *chain, int build_chain) +{ + int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0; + if (cert == NULL) + return 1; + if (SSL_CTX_use_certificate(ctx, cert) <= 0) { + BIO_printf(bio_err, "error setting certificate\n"); + ERR_print_errors(bio_err); + return 0; + } + + if (SSL_CTX_use_PrivateKey(ctx, key) <= 0) { + BIO_printf(bio_err, "error setting private key\n"); + ERR_print_errors(bio_err); + return 0; + } + + /* + * Now we know that a key and cert have been set against the SSL context + */ + if (!SSL_CTX_check_private_key(ctx)) { + BIO_printf(bio_err, + "Private key does not match the certificate public key\n"); + return 0; + } + if (chain && !SSL_CTX_set1_chain(ctx, chain)) { + BIO_printf(bio_err, "error setting certificate chain\n"); + ERR_print_errors(bio_err); + return 0; + } + if (build_chain && !SSL_CTX_build_cert_chain(ctx, chflags)) { + BIO_printf(bio_err, "error building certificate chain\n"); + ERR_print_errors(bio_err); + return 0; + } + return 1; +} + +static STRINT_PAIR cert_type_list[] = { + {"RSA sign", TLS_CT_RSA_SIGN}, + {"DSA sign", TLS_CT_DSS_SIGN}, + {"RSA fixed DH", TLS_CT_RSA_FIXED_DH}, + {"DSS fixed DH", TLS_CT_DSS_FIXED_DH}, + {"ECDSA sign", TLS_CT_ECDSA_SIGN}, + {"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH}, + {"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH}, + {"GOST01 Sign", TLS_CT_GOST01_SIGN}, + {NULL} +}; + +static void ssl_print_client_cert_types(BIO *bio, SSL *s) +{ + const unsigned char *p; + int i; + int cert_type_num = SSL_get0_certificate_types(s, &p); + if (!cert_type_num) + return; + BIO_puts(bio, "Client Certificate Types: "); + for (i = 0; i < cert_type_num; i++) { + unsigned char cert_type = p[i]; + const char *cname = lookup((int)cert_type, cert_type_list, NULL); + + if (i) + BIO_puts(bio, ", "); + if (cname) + BIO_puts(bio, cname); + else + BIO_printf(bio, "UNKNOWN (%d),", cert_type); + } + BIO_puts(bio, "\n"); +} + +static int do_print_sigalgs(BIO *out, SSL *s, int shared) +{ + int i, nsig, client; + client = SSL_is_server(s) ? 0 : 1; + if (shared) + nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL); + else + nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL); + if (nsig == 0) + return 1; + + if (shared) + BIO_puts(out, "Shared "); + + if (client) + BIO_puts(out, "Requested "); + BIO_puts(out, "Signature Algorithms: "); + for (i = 0; i < nsig; i++) { + int hash_nid, sign_nid; + unsigned char rhash, rsign; + const char *sstr = NULL; + if (shared) + SSL_get_shared_sigalgs(s, i, &sign_nid, &hash_nid, NULL, + &rsign, &rhash); + else + SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash); + if (i) + BIO_puts(out, ":"); + if (sign_nid == EVP_PKEY_RSA) + sstr = "RSA"; + else if (sign_nid == EVP_PKEY_DSA) + sstr = "DSA"; + else if (sign_nid == EVP_PKEY_EC) + sstr = "ECDSA"; + if (sstr) + BIO_printf(out, "%s+", sstr); + else + BIO_printf(out, "0x%02X+", (int)rsign); + if (hash_nid != NID_undef) + BIO_printf(out, "%s", OBJ_nid2sn(hash_nid)); + else + BIO_printf(out, "0x%02X", (int)rhash); + } + BIO_puts(out, "\n"); + return 1; +} + +int ssl_print_sigalgs(BIO *out, SSL *s) +{ + int mdnid; + if (!SSL_is_server(s)) + ssl_print_client_cert_types(out, s); + do_print_sigalgs(out, s, 0); + do_print_sigalgs(out, s, 1); + if (SSL_get_peer_signature_nid(s, &mdnid)) + BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid)); + return 1; +} + +#ifndef OPENSSL_NO_EC +int ssl_print_point_formats(BIO *out, SSL *s) +{ + int i, nformats; + const char *pformats; + nformats = SSL_get0_ec_point_formats(s, &pformats); + if (nformats <= 0) + return 1; + BIO_puts(out, "Supported Elliptic Curve Point Formats: "); + for (i = 0; i < nformats; i++, pformats++) { + if (i) + BIO_puts(out, ":"); + switch (*pformats) { + case TLSEXT_ECPOINTFORMAT_uncompressed: + BIO_puts(out, "uncompressed"); + break; + + case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime: + BIO_puts(out, "ansiX962_compressed_prime"); + break; + + case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2: + BIO_puts(out, "ansiX962_compressed_char2"); + break; + + default: + BIO_printf(out, "unknown(%d)", (int)*pformats); + break; + + } + } + BIO_puts(out, "\n"); + return 1; +} + +int ssl_print_curves(BIO *out, SSL *s, int noshared) +{ + int i, ncurves, *curves, nid; + const char *cname; + + ncurves = SSL_get1_curves(s, NULL); + if (ncurves <= 0) + return 1; + curves = app_malloc(ncurves * sizeof(int), "curves to print"); + SSL_get1_curves(s, curves); + + BIO_puts(out, "Supported Elliptic Curves: "); + for (i = 0; i < ncurves; i++) { + if (i) + BIO_puts(out, ":"); + nid = curves[i]; + /* If unrecognised print out hex version */ + if (nid & TLSEXT_nid_unknown) + BIO_printf(out, "0x%04X", nid & 0xFFFF); + else { + /* Use NIST name for curve if it exists */ + cname = EC_curve_nid2nist(nid); + if (!cname) + cname = OBJ_nid2sn(nid); + BIO_printf(out, "%s", cname); + } + } + OPENSSL_free(curves); + if (noshared) { + BIO_puts(out, "\n"); + return 1; + } + BIO_puts(out, "\nShared Elliptic curves: "); + ncurves = SSL_get_shared_curve(s, -1); + for (i = 0; i < ncurves; i++) { + if (i) + BIO_puts(out, ":"); + nid = SSL_get_shared_curve(s, i); + cname = EC_curve_nid2nist(nid); + if (!cname) + cname = OBJ_nid2sn(nid); + BIO_printf(out, "%s", cname); + } + if (ncurves == 0) + BIO_puts(out, "NONE"); + BIO_puts(out, "\n"); + return 1; +} +#endif +int ssl_print_tmp_key(BIO *out, SSL *s) +{ + EVP_PKEY *key; + if (!SSL_get_server_tmp_key(s, &key)) + return 1; + BIO_puts(out, "Server Temp Key: "); + switch (EVP_PKEY_id(key)) { + case EVP_PKEY_RSA: + BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key)); + break; + + case EVP_PKEY_DH: + BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key)); + break; +#ifndef OPENSSL_NO_EC + case EVP_PKEY_EC: + { + EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key); + int nid; + const char *cname; + nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); + EC_KEY_free(ec); + cname = EC_curve_nid2nist(nid); + if (!cname) + cname = OBJ_nid2sn(nid); + BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key)); + } + break; +#endif + default: + BIO_printf(out, "%s, %d bits\n", OBJ_nid2sn(EVP_PKEY_id(key)), + EVP_PKEY_bits(key)); + } + EVP_PKEY_free(key); + return 1; +} + +long bio_dump_callback(BIO *bio, int cmd, const char *argp, + int argi, long argl, long ret) +{ + BIO *out; + + out = (BIO *)BIO_get_callback_arg(bio); + if (out == NULL) + return (ret); + + if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) { + BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n", + (void *)bio, (void *)argp, (unsigned long)argi, ret, ret); + BIO_dump(out, argp, (int)ret); + return (ret); + } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) { + BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n", + (void *)bio, (void *)argp, (unsigned long)argi, ret, ret); + BIO_dump(out, argp, (int)ret); + } + return (ret); +} + +void apps_ssl_info_callback(const SSL *s, int where, int ret) +{ + const char *str; + int w; + + w = where & ~SSL_ST_MASK; + + if (w & SSL_ST_CONNECT) + str = "SSL_connect"; + else if (w & SSL_ST_ACCEPT) + str = "SSL_accept"; + else + str = "undefined"; + + if (where & SSL_CB_LOOP) { + BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s)); + } else if (where & SSL_CB_ALERT) { + str = (where & SSL_CB_READ) ? "read" : "write"; + BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n", + str, + SSL_alert_type_string_long(ret), + SSL_alert_desc_string_long(ret)); + } else if (where & SSL_CB_EXIT) { + if (ret == 0) + BIO_printf(bio_err, "%s:failed in %s\n", + str, SSL_state_string_long(s)); + else if (ret < 0) { + BIO_printf(bio_err, "%s:error in %s\n", + str, SSL_state_string_long(s)); + } + } +} + +static STRINT_PAIR ssl_versions[] = { + {"SSL 3.0", SSL3_VERSION}, + {"TLS 1.0", TLS1_VERSION}, + {"TLS 1.1", TLS1_1_VERSION}, + {"TLS 1.2", TLS1_2_VERSION}, + {"DTLS 1.0", DTLS1_VERSION}, + {"DTLS 1.0 (bad)", DTLS1_BAD_VER}, + {NULL} +}; +static STRINT_PAIR alert_types[] = { + {" close_notify", 0}, + {" unexpected_message", 10}, + {" bad_record_mac", 20}, + {" decryption_failed", 21}, + {" record_overflow", 22}, + {" decompression_failure", 30}, + {" handshake_failure", 40}, + {" bad_certificate", 42}, + {" unsupported_certificate", 43}, + {" certificate_revoked", 44}, + {" certificate_expired", 45}, + {" certificate_unknown", 46}, + {" illegal_parameter", 47}, + {" unknown_ca", 48}, + {" access_denied", 49}, + {" decode_error", 50}, + {" decrypt_error", 51}, + {" export_restriction", 60}, + {" protocol_version", 70}, + {" insufficient_security", 71}, + {" internal_error", 80}, + {" user_canceled", 90}, + {" no_renegotiation", 100}, + {" unsupported_extension", 110}, + {" certificate_unobtainable", 111}, + {" unrecognized_name", 112}, + {" bad_certificate_status_response", 113}, + {" bad_certificate_hash_value", 114}, + {" unknown_psk_identity", 115}, + {NULL} +}; + +static STRINT_PAIR handshakes[] = { + {", HelloRequest", 0}, + {", ClientHello", 1}, + {", ServerHello", 2}, + {", HelloVerifyRequest", 3}, + {", NewSessionTicket", 4}, + {", Certificate", 11}, + {", ServerKeyExchange", 12}, + {", CertificateRequest", 13}, + {", ServerHelloDone", 14}, + {", CertificateVerify", 15}, + {", ClientKeyExchange", 16}, + {", Finished", 20}, + {", CertificateUrl", 21}, + {", CertificateStatus", 22}, + {", SupplementalData", 23}, + {NULL} +}; + +void msg_cb(int write_p, int version, int content_type, const void *buf, + size_t len, SSL *ssl, void *arg) +{ + BIO *bio = arg; + const char *str_write_p = write_p ? ">>>" : "<<<"; + const char *str_version = lookup(version, ssl_versions, "???"); + const char *str_content_type = "", *str_details1 = "", *str_details2 = ""; + const unsigned char* bp = buf; + + if (version == SSL3_VERSION || + version == TLS1_VERSION || + version == TLS1_1_VERSION || + version == TLS1_2_VERSION || + version == DTLS1_VERSION || version == DTLS1_BAD_VER) { + switch (content_type) { + case 20: + str_content_type = "ChangeCipherSpec"; + break; + case 21: + str_content_type = "Alert"; + str_details1 = ", ???"; + if (len == 2) { + switch (bp[0]) { + case 1: + str_details1 = ", warning"; + break; + case 2: + str_details1 = ", fatal"; + break; + } + str_details2 = lookup((int)bp[1], alert_types, " ???"); + } + break; + case 22: + str_content_type = "Handshake"; + str_details1 = "???"; + if (len > 0) + str_details1 = lookup((int)bp[0], handshakes, "???"); + break; + case 23: + str_content_type = "ApplicationData"; + break; +#ifndef OPENSSL_NO_HEARTBEATS + case 24: + str_details1 = ", Heartbeat"; + + if (len > 0) { + switch (bp[0]) { + case 1: + str_details1 = ", HeartbeatRequest"; + break; + case 2: + str_details1 = ", HeartbeatResponse"; + break; + } + } + break; +#endif + } + } + + BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version, + str_content_type, (unsigned long)len, str_details1, + str_details2); + + if (len > 0) { + size_t num, i; + + BIO_printf(bio, " "); + num = len; + for (i = 0; i < num; i++) { + if (i % 16 == 0 && i > 0) + BIO_printf(bio, "\n "); + BIO_printf(bio, " %02x", ((const unsigned char *)buf)[i]); + } + if (i < len) + BIO_printf(bio, " ..."); + BIO_printf(bio, "\n"); + } + (void)BIO_flush(bio); +} + +static STRINT_PAIR tlsext_types[] = { + {"server name", TLSEXT_TYPE_server_name}, + {"max fragment length", TLSEXT_TYPE_max_fragment_length}, + {"client certificate URL", TLSEXT_TYPE_client_certificate_url}, + {"trusted CA keys", TLSEXT_TYPE_trusted_ca_keys}, + {"truncated HMAC", TLSEXT_TYPE_truncated_hmac}, + {"status request", TLSEXT_TYPE_status_request}, + {"user mapping", TLSEXT_TYPE_user_mapping}, + {"client authz", TLSEXT_TYPE_client_authz}, + {"server authz", TLSEXT_TYPE_server_authz}, + {"cert type", TLSEXT_TYPE_cert_type}, + {"elliptic curves", TLSEXT_TYPE_elliptic_curves}, + {"EC point formats", TLSEXT_TYPE_ec_point_formats}, + {"SRP", TLSEXT_TYPE_srp}, + {"signature algorithms", TLSEXT_TYPE_signature_algorithms}, + {"use SRTP", TLSEXT_TYPE_use_srtp}, + {"heartbeat", TLSEXT_TYPE_heartbeat}, + {"session ticket", TLSEXT_TYPE_session_ticket}, + {"renegotiation info", TLSEXT_TYPE_renegotiate}, + {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp}, + {"TLS padding", TLSEXT_TYPE_padding}, +#ifdef TLSEXT_TYPE_next_proto_neg + {"next protocol", TLSEXT_TYPE_next_proto_neg}, +#endif +#ifdef TLSEXT_TYPE_encrypt_then_mac + {"encrypt-then-mac", TLSEXT_TYPE_encrypt_then_mac}, +#endif +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + {"application layer protocol negotiation", + TLSEXT_TYPE_application_layer_protocol_negotiation}, +#endif +#ifdef TLSEXT_TYPE_extended_master_secret + {"extended master secret", TLSEXT_TYPE_extended_master_secret}, +#endif + {NULL} +}; + +void tlsext_cb(SSL *s, int client_server, int type, + const unsigned char *data, int len, void *arg) +{ + BIO *bio = arg; + const char *extname = lookup(type, tlsext_types, "unknown"); + + BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n", + client_server ? "server" : "client", extname, type, len); + BIO_dump(bio, (const char *)data, len); + (void)BIO_flush(bio); +} + +#ifndef OPENSSL_NO_SOCK +int generate_cookie_callback(SSL *ssl, unsigned char *cookie, + unsigned int *cookie_len) +{ + unsigned char *buffer; + size_t length; + unsigned short port; + BIO_ADDR *peer = NULL; + + /* Initialize a random secret */ + if (!cookie_initialized) { + if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0) { + BIO_printf(bio_err, "error setting random cookie secret\n"); + return 0; + } + cookie_initialized = 1; + } + + peer = BIO_ADDR_new(); + if (peer == NULL) { + BIO_printf(bio_err, "memory full\n"); + return 0; + } + + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer); + + /* Create buffer with peer's address and port */ + BIO_ADDR_rawaddress(peer, NULL, &length); + OPENSSL_assert(length != 0); + port = BIO_ADDR_rawport(peer); + length += sizeof(port); + buffer = app_malloc(length, "cookie generate buffer"); + + memcpy(buffer, &port, sizeof(port)); + BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL); + + /* Calculate HMAC of buffer using the secret */ + HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, + buffer, length, cookie, cookie_len); + + OPENSSL_free(buffer); + BIO_ADDR_free(peer); + + return 1; +} + +int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, + unsigned int cookie_len) +{ + unsigned char result[EVP_MAX_MD_SIZE]; + unsigned int resultlength; + + /* Note: we check cookie_initialized because if it's not, + * it cannot be valid */ + if (cookie_initialized + && generate_cookie_callback(ssl, result, &resultlength) + && cookie_len == resultlength + && memcmp(result, cookie, resultlength) == 0) + return 1; + + return 0; +} +#endif + +/* + * Example of extended certificate handling. Where the standard support of + * one certificate per algorithm is not sufficient an application can decide + * which certificate(s) to use at runtime based on whatever criteria it deems + * appropriate. + */ + +/* Linked list of certificates, keys and chains */ +struct ssl_excert_st { + int certform; + const char *certfile; + int keyform; + const char *keyfile; + const char *chainfile; + X509 *cert; + EVP_PKEY *key; + STACK_OF(X509) *chain; + int build_chain; + struct ssl_excert_st *next, *prev; +}; + +static STRINT_PAIR chain_flags[] = { + {"Overall Validity", CERT_PKEY_VALID}, + {"Sign with EE key", CERT_PKEY_SIGN}, + {"EE signature", CERT_PKEY_EE_SIGNATURE}, + {"CA signature", CERT_PKEY_CA_SIGNATURE}, + {"EE key parameters", CERT_PKEY_EE_PARAM}, + {"CA key parameters", CERT_PKEY_CA_PARAM}, + {"Explicitly sign with EE key", CERT_PKEY_EXPLICIT_SIGN}, + {"Issuer Name", CERT_PKEY_ISSUER_NAME}, + {"Certificate Type", CERT_PKEY_CERT_TYPE}, + {NULL} +}; + +static void print_chain_flags(SSL *s, int flags) +{ + STRINT_PAIR *pp; + + for (pp = chain_flags; pp->name; ++pp) + BIO_printf(bio_err, "\t%s: %s\n", + pp->name, + (flags & pp->retval) ? "OK" : "NOT OK"); + BIO_printf(bio_err, "\tSuite B: "); + if (SSL_set_cert_flags(s, 0) & SSL_CERT_FLAG_SUITEB_128_LOS) + BIO_puts(bio_err, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n"); + else + BIO_printf(bio_err, "not tested\n"); +} + +/* + * Very basic selection callback: just use any certificate chain reported as + * valid. More sophisticated could prioritise according to local policy. + */ +static int set_cert_cb(SSL *ssl, void *arg) +{ + int i, rv; + SSL_EXCERT *exc = arg; +#ifdef CERT_CB_TEST_RETRY + static int retry_cnt; + if (retry_cnt < 5) { + retry_cnt++; + BIO_printf(bio_err, + "Certificate callback retry test: count %d\n", + retry_cnt); + return -1; + } +#endif + SSL_certs_clear(ssl); + + if (!exc) + return 1; + + /* + * Go to end of list and traverse backwards since we prepend newer + * entries this retains the original order. + */ + while (exc->next) + exc = exc->next; + + i = 0; + + while (exc) { + i++; + rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain); + BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i); + X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0, + XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + print_chain_flags(ssl, rv); + if (rv & CERT_PKEY_VALID) { + if (!SSL_use_certificate(ssl, exc->cert) + || !SSL_use_PrivateKey(ssl, exc->key)) { + return 0; + } + /* + * NB: we wouldn't normally do this as it is not efficient + * building chains on each connection better to cache the chain + * in advance. + */ + if (exc->build_chain) { + if (!SSL_build_cert_chain(ssl, 0)) + return 0; + } else if (exc->chain) + SSL_set1_chain(ssl, exc->chain); + } + exc = exc->prev; + } + return 1; +} + +void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc) +{ + SSL_CTX_set_cert_cb(ctx, set_cert_cb, exc); +} + +static int ssl_excert_prepend(SSL_EXCERT **pexc) +{ + SSL_EXCERT *exc = app_malloc(sizeof(*exc), "prepend cert"); + + memset(exc, 0, sizeof(*exc)); + + exc->next = *pexc; + *pexc = exc; + + if (exc->next) { + exc->certform = exc->next->certform; + exc->keyform = exc->next->keyform; + exc->next->prev = exc; + } else { + exc->certform = FORMAT_PEM; + exc->keyform = FORMAT_PEM; + } + return 1; + +} + +void ssl_excert_free(SSL_EXCERT *exc) +{ + SSL_EXCERT *curr; + + if (!exc) + return; + while (exc) { + X509_free(exc->cert); + EVP_PKEY_free(exc->key); + sk_X509_pop_free(exc->chain, X509_free); + curr = exc; + exc = exc->next; + OPENSSL_free(curr); + } +} + +int load_excert(SSL_EXCERT **pexc) +{ + SSL_EXCERT *exc = *pexc; + if (!exc) + return 1; + /* If nothing in list, free and set to NULL */ + if (!exc->certfile && !exc->next) { + ssl_excert_free(exc); + *pexc = NULL; + return 1; + } + for (; exc; exc = exc->next) { + if (!exc->certfile) { + BIO_printf(bio_err, "Missing filename\n"); + return 0; + } + exc->cert = load_cert(exc->certfile, exc->certform, + "Server Certificate"); + if (!exc->cert) + return 0; + if (exc->keyfile) { + exc->key = load_key(exc->keyfile, exc->keyform, + 0, NULL, NULL, "Server Key"); + } else { + exc->key = load_key(exc->certfile, exc->certform, + 0, NULL, NULL, "Server Key"); + } + if (!exc->key) + return 0; + if (exc->chainfile) { + if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL, + "Server Chain")) + return 0; + } + } + return 1; +} + +enum range { OPT_X_ENUM }; + +int args_excert(int opt, SSL_EXCERT **pexc) +{ + SSL_EXCERT *exc = *pexc; + + assert(opt > OPT_X__FIRST); + assert(opt < OPT_X__LAST); + + if (exc == NULL) { + if (!ssl_excert_prepend(&exc)) { + BIO_printf(bio_err, " %s: Error initialising xcert\n", + opt_getprog()); + goto err; + } + *pexc = exc; + } + + switch ((enum range)opt) { + case OPT_X__FIRST: + case OPT_X__LAST: + return 0; + case OPT_X_CERT: + if (exc->certfile && !ssl_excert_prepend(&exc)) { + BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog()); + goto err; + } + *pexc = exc; + exc->certfile = opt_arg(); + break; + case OPT_X_KEY: + if (exc->keyfile) { + BIO_printf(bio_err, "%s: Key already specified\n", opt_getprog()); + goto err; + } + exc->keyfile = opt_arg(); + break; + case OPT_X_CHAIN: + if (exc->chainfile) { + BIO_printf(bio_err, "%s: Chain already specified\n", + opt_getprog()); + goto err; + } + exc->chainfile = opt_arg(); + break; + case OPT_X_CHAIN_BUILD: + exc->build_chain = 1; + break; + case OPT_X_CERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->certform)) + return 0; + break; + case OPT_X_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->keyform)) + return 0; + break; + } + return 1; + + err: + ERR_print_errors(bio_err); + ssl_excert_free(exc); + *pexc = NULL; + return 0; +} + +static void print_raw_cipherlist(SSL *s) +{ + const unsigned char *rlist; + static const unsigned char scsv_id[] = { 0, 0xFF }; + size_t i, rlistlen, num; + if (!SSL_is_server(s)) + return; + num = SSL_get0_raw_cipherlist(s, NULL); + OPENSSL_assert(num == 2); + rlistlen = SSL_get0_raw_cipherlist(s, &rlist); + BIO_puts(bio_err, "Client cipher list: "); + for (i = 0; i < rlistlen; i += num, rlist += num) { + const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist); + if (i) + BIO_puts(bio_err, ":"); + if (c) + BIO_puts(bio_err, SSL_CIPHER_get_name(c)); + else if (!memcmp(rlist, scsv_id, num)) + BIO_puts(bio_err, "SCSV"); + else { + size_t j; + BIO_puts(bio_err, "0x"); + for (j = 0; j < num; j++) + BIO_printf(bio_err, "%02X", rlist[j]); + } + } + BIO_puts(bio_err, "\n"); +} + +/* + * Hex encoder for TLSA RRdata, not ':' delimited. + */ +static char *hexencode(const unsigned char *data, size_t len) +{ + static const char *hex = "0123456789abcdef"; + char *out; + char *cp; + size_t outlen = 2 * len + 1; + int ilen = (int) outlen; + + if (outlen < len || ilen < 0 || outlen != (size_t)ilen) { + BIO_printf(bio_err, "%s: %"BIO_PRI64"u-byte buffer too large to hexencode\n", + opt_getprog(), (uint64_t)len); + exit(1); + } + cp = out = app_malloc(ilen, "TLSA hex data buffer"); + + while (len-- > 0) { + *cp++ = hex[(*data >> 4) & 0x0f]; + *cp++ = hex[*data++ & 0x0f]; + } + *cp = '\0'; + return out; +} + +void print_verify_detail(SSL *s, BIO *bio) +{ + int mdpth; + EVP_PKEY *mspki; + long verify_err = SSL_get_verify_result(s); + + if (verify_err == X509_V_OK) { + const char *peername = SSL_get0_peername(s); + + BIO_printf(bio, "Verification: OK\n"); + if (peername != NULL) + BIO_printf(bio, "Verified peername: %s\n", peername); + } else { + const char *reason = X509_verify_cert_error_string(verify_err); + + BIO_printf(bio, "Verification error: %s\n", reason); + } + + if ((mdpth = SSL_get0_dane_authority(s, NULL, &mspki)) >= 0) { + uint8_t usage, selector, mtype; + const unsigned char *data = NULL; + size_t dlen = 0; + char *hexdata; + + mdpth = SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, &data, &dlen); + + /* + * The TLSA data field can be quite long when it is a certificate, + * public key or even a SHA2-512 digest. Because the initial octets of + * ASN.1 certificates and public keys contain mostly boilerplate OIDs + * and lengths, we show the last 12 bytes of the data instead, as these + * are more likely to distinguish distinct TLSA records. + */ +#define TLSA_TAIL_SIZE 12 + if (dlen > TLSA_TAIL_SIZE) + hexdata = hexencode(data + dlen - TLSA_TAIL_SIZE, TLSA_TAIL_SIZE); + else + hexdata = hexencode(data, dlen); + BIO_printf(bio, "DANE TLSA %d %d %d %s%s %s at depth %d\n", + usage, selector, mtype, + (dlen > TLSA_TAIL_SIZE) ? "..." : "", hexdata, + (mspki != NULL) ? "signed the certificate" : + mdpth ? "matched TA certificate" : "matched EE certificate", + mdpth); + OPENSSL_free(hexdata); + } +} + +void print_ssl_summary(SSL *s) +{ + const SSL_CIPHER *c; + X509 *peer; + /* const char *pnam = SSL_is_server(s) ? "client" : "server"; */ + + BIO_printf(bio_err, "Protocol version: %s\n", SSL_get_version(s)); + print_raw_cipherlist(s); + c = SSL_get_current_cipher(s); + BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); + do_print_sigalgs(bio_err, s, 0); + peer = SSL_get_peer_certificate(s); + if (peer) { + int nid; + + BIO_puts(bio_err, "Peer certificate: "); + X509_NAME_print_ex(bio_err, X509_get_subject_name(peer), + 0, XN_FLAG_ONELINE); + BIO_puts(bio_err, "\n"); + if (SSL_get_peer_signature_nid(s, &nid)) + BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid)); + print_verify_detail(s, bio_err); + } else + BIO_puts(bio_err, "No peer certificate\n"); + X509_free(peer); +#ifndef OPENSSL_NO_EC + ssl_print_point_formats(bio_err, s); + if (SSL_is_server(s)) + ssl_print_curves(bio_err, s, 1); + else + ssl_print_tmp_key(bio_err, s); +#else + if (!SSL_is_server(s)) + ssl_print_tmp_key(bio_err, s); +#endif +} + +int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, + SSL_CTX *ctx) +{ + int i; + + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); + for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) { + const char *flag = sk_OPENSSL_STRING_value(str, i); + const char *arg = sk_OPENSSL_STRING_value(str, i + 1); + if (SSL_CONF_cmd(cctx, flag, arg) <= 0) { + if (arg) + BIO_printf(bio_err, "Error with command: \"%s %s\"\n", + flag, arg); + else + BIO_printf(bio_err, "Error with command: \"%s\"\n", flag); + ERR_print_errors(bio_err); + return 0; + } + } + if (!SSL_CONF_CTX_finish(cctx)) { + BIO_puts(bio_err, "Error finishing context\n"); + ERR_print_errors(bio_err); + return 0; + } + return 1; +} + +static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls) +{ + X509_CRL *crl; + int i; + for (i = 0; i < sk_X509_CRL_num(crls); i++) { + crl = sk_X509_CRL_value(crls, i); + X509_STORE_add_crl(st, crl); + } + return 1; +} + +int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download) +{ + X509_STORE *st; + st = SSL_CTX_get_cert_store(ctx); + add_crls_store(st, crls); + if (crl_download) + store_setup_crl_download(st); + return 1; +} + +int ssl_load_stores(SSL_CTX *ctx, + const char *vfyCApath, const char *vfyCAfile, + const char *chCApath, const char *chCAfile, + STACK_OF(X509_CRL) *crls, int crl_download) +{ + X509_STORE *vfy = NULL, *ch = NULL; + int rv = 0; + if (vfyCApath != NULL || vfyCAfile != NULL) { + vfy = X509_STORE_new(); + if (vfy == NULL) + goto err; + if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) + goto err; + add_crls_store(vfy, crls); + SSL_CTX_set1_verify_cert_store(ctx, vfy); + if (crl_download) + store_setup_crl_download(vfy); + } + if (chCApath != NULL || chCAfile != NULL) { + ch = X509_STORE_new(); + if (ch == NULL) + goto err; + if (!X509_STORE_load_locations(ch, chCAfile, chCApath)) + goto err; + SSL_CTX_set1_chain_cert_store(ctx, ch); + } + rv = 1; + err: + X509_STORE_free(vfy); + X509_STORE_free(ch); + return rv; +} + +/* Verbose print out of security callback */ + +typedef struct { + BIO *out; + int verbose; + int (*old_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex); +} security_debug_ex; + +static STRINT_PAIR callback_types[] = { + {"Supported Ciphersuite", SSL_SECOP_CIPHER_SUPPORTED}, + {"Shared Ciphersuite", SSL_SECOP_CIPHER_SHARED}, + {"Check Ciphersuite", SSL_SECOP_CIPHER_CHECK}, +#ifndef OPENSSL_NO_DH + {"Temp DH key bits", SSL_SECOP_TMP_DH}, +#endif + {"Supported Curve", SSL_SECOP_CURVE_SUPPORTED}, + {"Shared Curve", SSL_SECOP_CURVE_SHARED}, + {"Check Curve", SSL_SECOP_CURVE_CHECK}, + {"Supported Signature Algorithm digest", SSL_SECOP_SIGALG_SUPPORTED}, + {"Shared Signature Algorithm digest", SSL_SECOP_SIGALG_SHARED}, + {"Check Signature Algorithm digest", SSL_SECOP_SIGALG_CHECK}, + {"Signature Algorithm mask", SSL_SECOP_SIGALG_MASK}, + {"Certificate chain EE key", SSL_SECOP_EE_KEY}, + {"Certificate chain CA key", SSL_SECOP_CA_KEY}, + {"Peer Chain EE key", SSL_SECOP_PEER_EE_KEY}, + {"Peer Chain CA key", SSL_SECOP_PEER_CA_KEY}, + {"Certificate chain CA digest", SSL_SECOP_CA_MD}, + {"Peer chain CA digest", SSL_SECOP_PEER_CA_MD}, + {"SSL compression", SSL_SECOP_COMPRESSION}, + {"Session ticket", SSL_SECOP_TICKET}, + {NULL} +}; + +static int security_callback_debug(const SSL *s, const SSL_CTX *ctx, + int op, int bits, int nid, + void *other, void *ex) +{ + security_debug_ex *sdb = ex; + int rv, show_bits = 1, cert_md = 0; + const char *nm; + rv = sdb->old_cb(s, ctx, op, bits, nid, other, ex); + if (rv == 1 && sdb->verbose < 2) + return 1; + BIO_puts(sdb->out, "Security callback: "); + + nm = lookup(op, callback_types, NULL); + switch (op) { + case SSL_SECOP_TICKET: + case SSL_SECOP_COMPRESSION: + show_bits = 0; + nm = NULL; + break; + case SSL_SECOP_VERSION: + BIO_printf(sdb->out, "Version=%s", lookup(nid, ssl_versions, "???")); + show_bits = 0; + nm = NULL; + break; + case SSL_SECOP_CA_MD: + case SSL_SECOP_PEER_CA_MD: + cert_md = 1; + break; + } + if (nm) + BIO_printf(sdb->out, "%s=", nm); + + switch (op & SSL_SECOP_OTHER_TYPE) { + + case SSL_SECOP_OTHER_CIPHER: + BIO_puts(sdb->out, SSL_CIPHER_get_name(other)); + break; + +#ifndef OPENSSL_NO_EC + case SSL_SECOP_OTHER_CURVE: + { + const char *cname; + cname = EC_curve_nid2nist(nid); + if (cname == NULL) + cname = OBJ_nid2sn(nid); + BIO_puts(sdb->out, cname); + } + break; +#endif +#ifndef OPENSSL_NO_DH + case SSL_SECOP_OTHER_DH: + { + DH *dh = other; + BIO_printf(sdb->out, "%d", DH_bits(dh)); + break; + } +#endif + case SSL_SECOP_OTHER_CERT: + { + if (cert_md) { + int sig_nid = X509_get_signature_nid(other); + BIO_puts(sdb->out, OBJ_nid2sn(sig_nid)); + } else { + EVP_PKEY *pkey = X509_get0_pubkey(other); + const char *algname = ""; + EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, + &algname, EVP_PKEY_get0_asn1(pkey)); + BIO_printf(sdb->out, "%s, bits=%d", + algname, EVP_PKEY_bits(pkey)); + } + break; + } + case SSL_SECOP_OTHER_SIGALG: + { + const unsigned char *salg = other; + const char *sname = NULL; + switch (salg[1]) { + case TLSEXT_signature_anonymous: + sname = "anonymous"; + break; + case TLSEXT_signature_rsa: + sname = "RSA"; + break; + case TLSEXT_signature_dsa: + sname = "DSA"; + break; + case TLSEXT_signature_ecdsa: + sname = "ECDSA"; + break; + } + + BIO_puts(sdb->out, OBJ_nid2sn(nid)); + if (sname) + BIO_printf(sdb->out, ", algorithm=%s", sname); + else + BIO_printf(sdb->out, ", algid=%d", salg[1]); + break; + } + + } + + if (show_bits) + BIO_printf(sdb->out, ", security bits=%d", bits); + BIO_printf(sdb->out, ": %s\n", rv ? "yes" : "no"); + return rv; +} + +void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose) +{ + static security_debug_ex sdb; + + sdb.out = bio_err; + sdb.verbose = verbose; + sdb.old_cb = SSL_CTX_get_security_callback(ctx); + SSL_CTX_set_security_callback(ctx, security_callback_debug); + SSL_CTX_set0_security_ex_data(ctx, &sdb); +} diff --git a/openssl-1.1.0h/apps/s_client.c b/openssl-1.1.0h/apps/s_client.c new file mode 100644 index 0000000..fb89f0c --- /dev/null +++ b/openssl-1.1.0h/apps/s_client.c @@ -0,0 +1,2760 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ + +#include +#include +#include +#include +#include +#include + +#ifndef OPENSSL_NO_SOCK + +/* + * With IPv6, it looks like Digital has mixed up the proper order of + * recursive header file inclusion, resulting in the compiler complaining + * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is + * needed to have fileno() declared correctly... So let's define u_int + */ +#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) +# define __U_INT +typedef unsigned int u_int; +#endif + +#define USE_SOCKETS +#include "apps.h" +#include +#include +#include +#include +#include +#include +#include +#include +#ifndef OPENSSL_NO_SRP +# include +#endif +#ifndef OPENSSL_NO_CT +# include +#endif +#include "s_apps.h" +#include "timeouts.h" + +#if defined(__has_feature) +# if __has_feature(memory_sanitizer) +# include +# endif +#endif + +#undef BUFSIZZ +#define BUFSIZZ 1024*8 +#define S_CLIENT_IRC_READ_TIMEOUT 8 + +static char *prog; +static int c_debug = 0; +static int c_showcerts = 0; +static char *keymatexportlabel = NULL; +static int keymatexportlen = 20; +static BIO *bio_c_out = NULL; +static int c_quiet = 0; + +static void print_stuff(BIO *berr, SSL *con, int full); +#ifndef OPENSSL_NO_OCSP +static int ocsp_resp_cb(SSL *s, void *arg); +#endif + +static int saved_errno; + +static void save_errno(void) +{ + saved_errno = errno; + errno = 0; +} + +static int restore_errno(void) +{ + int ret = errno; + errno = saved_errno; + return ret; +} + +static void do_ssl_shutdown(SSL *ssl) +{ + int ret; + + do { + /* We only do unidirectional shutdown */ + ret = SSL_shutdown(ssl); + if (ret < 0) { + switch (SSL_get_error(ssl, ret)) { + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_WRITE: + case SSL_ERROR_WANT_ASYNC: + case SSL_ERROR_WANT_ASYNC_JOB: + /* We just do busy waiting. Nothing clever */ + continue; + } + ret = 0; + } + } while (ret < 0); +} + +#ifndef OPENSSL_NO_PSK +/* Default PSK identity and key */ +static char *psk_identity = "Client_identity"; +/* + * char *psk_key=NULL; by default PSK is not used + */ + +static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, + unsigned int max_identity_len, + unsigned char *psk, + unsigned int max_psk_len) +{ + int ret; + long key_len; + unsigned char *key; + + if (c_debug) + BIO_printf(bio_c_out, "psk_client_cb\n"); + if (!hint) { + /* no ServerKeyExchange message */ + if (c_debug) + BIO_printf(bio_c_out, + "NULL received PSK identity hint, continuing anyway\n"); + } else if (c_debug) + BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint); + + /* + * lookup PSK identity and PSK key based on the given identity hint here + */ + ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity); + if (ret < 0 || (unsigned int)ret > max_identity_len) + goto out_err; + if (c_debug) + BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, + ret); + + /* convert the PSK key to binary */ + key = OPENSSL_hexstr2buf(psk_key, &key_len); + if (key == NULL) { + BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n", + psk_key); + return 0; + } + if (max_psk_len > INT_MAX || key_len > (long)max_psk_len) { + BIO_printf(bio_err, + "psk buffer of callback is too small (%d) for key (%ld)\n", + max_psk_len, key_len); + OPENSSL_free(key); + return 0; + } + + memcpy(psk, key, key_len); + OPENSSL_free(key); + + if (c_debug) + BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len); + + return key_len; + out_err: + if (c_debug) + BIO_printf(bio_err, "Error in PSK client callback\n"); + return 0; +} +#endif + +/* This is a context that we pass to callbacks */ +typedef struct tlsextctx_st { + BIO *biodebug; + int ack; +} tlsextctx; + +static int ssl_servername_cb(SSL *s, int *ad, void *arg) +{ + tlsextctx *p = (tlsextctx *) arg; + const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); + if (SSL_get_servername_type(s) != -1) + p->ack = !SSL_session_reused(s) && hn != NULL; + else + BIO_printf(bio_err, "Can't use SSL_get_servername\n"); + + return SSL_TLSEXT_ERR_OK; +} + +#ifndef OPENSSL_NO_SRP + +/* This is a context that we pass to all callbacks */ +typedef struct srp_arg_st { + char *srppassin; + char *srplogin; + int msg; /* copy from c_msg */ + int debug; /* copy from c_debug */ + int amp; /* allow more groups */ + int strength; /* minimal size for N */ +} SRP_ARG; + +# define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 + +static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g) +{ + BN_CTX *bn_ctx = BN_CTX_new(); + BIGNUM *p = BN_new(); + BIGNUM *r = BN_new(); + int ret = + g != NULL && N != NULL && bn_ctx != NULL && BN_is_odd(N) && + BN_is_prime_ex(N, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) == 1 && + p != NULL && BN_rshift1(p, N) && + /* p = (N-1)/2 */ + BN_is_prime_ex(p, SRP_NUMBER_ITERATIONS_FOR_PRIME, bn_ctx, NULL) == 1 && + r != NULL && + /* verify g^((N-1)/2) == -1 (mod N) */ + BN_mod_exp(r, g, p, N, bn_ctx) && + BN_add_word(r, 1) && BN_cmp(r, N) == 0; + + BN_free(r); + BN_free(p); + BN_CTX_free(bn_ctx); + return ret; +} + +/*- + * This callback is used here for two purposes: + * - extended debugging + * - making some primality tests for unknown groups + * The callback is only called for a non default group. + * + * An application does not need the call back at all if + * only the standard groups are used. In real life situations, + * client and server already share well known groups, + * thus there is no need to verify them. + * Furthermore, in case that a server actually proposes a group that + * is not one of those defined in RFC 5054, it is more appropriate + * to add the group to a static list and then compare since + * primality tests are rather cpu consuming. + */ + +static int ssl_srp_verify_param_cb(SSL *s, void *arg) +{ + SRP_ARG *srp_arg = (SRP_ARG *)arg; + BIGNUM *N = NULL, *g = NULL; + + if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL)) + return 0; + if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) { + BIO_printf(bio_err, "SRP parameters:\n"); + BIO_printf(bio_err, "\tN="); + BN_print(bio_err, N); + BIO_printf(bio_err, "\n\tg="); + BN_print(bio_err, g); + BIO_printf(bio_err, "\n"); + } + + if (SRP_check_known_gN_param(g, N)) + return 1; + + if (srp_arg->amp == 1) { + if (srp_arg->debug) + BIO_printf(bio_err, + "SRP param N and g are not known params, going to check deeper.\n"); + + /* + * The srp_moregroups is a real debugging feature. Implementors + * should rather add the value to the known ones. The minimal size + * has already been tested. + */ + if (BN_num_bits(g) <= BN_BITS && srp_Verify_N_and_g(N, g)) + return 1; + } + BIO_printf(bio_err, "SRP param N and g rejected.\n"); + return 0; +} + +# define PWD_STRLEN 1024 + +static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) +{ + SRP_ARG *srp_arg = (SRP_ARG *)arg; + char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer"); + PW_CB_DATA cb_tmp; + int l; + + cb_tmp.password = (char *)srp_arg->srppassin; + cb_tmp.prompt_info = "SRP user"; + if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) { + BIO_printf(bio_err, "Can't read Password\n"); + OPENSSL_free(pass); + return NULL; + } + *(pass + l) = '\0'; + + return pass; +} + +#endif + +static char *srtp_profiles = NULL; + +#ifndef OPENSSL_NO_NEXTPROTONEG +/* This the context that we pass to next_proto_cb */ +typedef struct tlsextnextprotoctx_st { + unsigned char *data; + size_t len; + int status; +} tlsextnextprotoctx; + +static tlsextnextprotoctx next_proto; + +static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, + void *arg) +{ + tlsextnextprotoctx *ctx = arg; + + if (!c_quiet) { + /* We can assume that |in| is syntactically valid. */ + unsigned i; + BIO_printf(bio_c_out, "Protocols advertised by server: "); + for (i = 0; i < inlen;) { + if (i) + BIO_write(bio_c_out, ", ", 2); + BIO_write(bio_c_out, &in[i + 1], in[i]); + i += in[i] + 1; + } + BIO_write(bio_c_out, "\n", 1); + } + + ctx->status = + SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); + return SSL_TLSEXT_ERR_OK; +} +#endif /* ndef OPENSSL_NO_NEXTPROTONEG */ + +static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, size_t inlen, + int *al, void *arg) +{ + char pem_name[100]; + unsigned char ext_buf[4 + 65536]; + + /* Reconstruct the type/len fields prior to extension data */ + ext_buf[0] = ext_type >> 8; + ext_buf[1] = ext_type & 0xFF; + ext_buf[2] = inlen >> 8; + ext_buf[3] = inlen & 0xFF; + memcpy(ext_buf + 4, in, inlen); + + BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d", + ext_type); + PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen); + return 1; +} + +/* + * Hex decoder that tolerates optional whitespace. Returns number of bytes + * produced, advances inptr to end of input string. + */ +static ossl_ssize_t hexdecode(const char **inptr, void *result) +{ + unsigned char **out = (unsigned char **)result; + const char *in = *inptr; + unsigned char *ret = app_malloc(strlen(in) / 2, "hexdecode"); + unsigned char *cp = ret; + uint8_t byte; + int nibble = 0; + + if (ret == NULL) + return -1; + + for (byte = 0; *in; ++in) { + int x; + + if (isspace(_UC(*in))) + continue; + x = OPENSSL_hexchar2int(*in); + if (x < 0) { + OPENSSL_free(ret); + return 0; + } + byte |= (char)x; + if ((nibble ^= 1) == 0) { + *cp++ = byte; + byte = 0; + } else { + byte <<= 4; + } + } + if (nibble != 0) { + OPENSSL_free(ret); + return 0; + } + *inptr = in; + + return cp - (*out = ret); +} + +/* + * Decode unsigned 0..255, returns 1 on success, <= 0 on failure. Advances + * inptr to next field skipping leading whitespace. + */ +static ossl_ssize_t checked_uint8(const char **inptr, void *out) +{ + uint8_t *result = (uint8_t *)out; + const char *in = *inptr; + char *endp; + long v; + int e; + + save_errno(); + v = strtol(in, &endp, 10); + e = restore_errno(); + + if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) || + endp == in || !isspace(_UC(*endp)) || + v != (*result = (uint8_t) v)) { + return -1; + } + for (in = endp; isspace(_UC(*in)); ++in) + continue; + + *inptr = in; + return 1; +} + +struct tlsa_field { + void *var; + const char *name; + ossl_ssize_t (*parser)(const char **, void *); +}; + +static int tlsa_import_rr(SSL *con, const char *rrdata) +{ + /* Not necessary to re-init these values; the "parsers" do that. */ + static uint8_t usage; + static uint8_t selector; + static uint8_t mtype; + static unsigned char *data; + static struct tlsa_field tlsa_fields[] = { + { &usage, "usage", checked_uint8 }, + { &selector, "selector", checked_uint8 }, + { &mtype, "mtype", checked_uint8 }, + { &data, "data", hexdecode }, + { NULL, } + }; + struct tlsa_field *f; + int ret; + const char *cp = rrdata; + ossl_ssize_t len = 0; + + for (f = tlsa_fields; f->var; ++f) { + /* Returns number of bytes produced, advances cp to next field */ + if ((len = f->parser(&cp, f->var)) <= 0) { + BIO_printf(bio_err, "%s: warning: bad TLSA %s field in: %s\n", + prog, f->name, rrdata); + return 0; + } + } + /* The data field is last, so len is its length */ + ret = SSL_dane_tlsa_add(con, usage, selector, mtype, data, len); + OPENSSL_free(data); + + if (ret == 0) { + ERR_print_errors(bio_err); + BIO_printf(bio_err, "%s: warning: unusable TLSA rrdata: %s\n", + prog, rrdata); + return 0; + } + if (ret < 0) { + ERR_print_errors(bio_err); + BIO_printf(bio_err, "%s: warning: error loading TLSA rrdata: %s\n", + prog, rrdata); + return 0; + } + return ret; +} + +static int tlsa_import_rrset(SSL *con, STACK_OF(OPENSSL_STRING) *rrset) +{ + int num = sk_OPENSSL_STRING_num(rrset); + int count = 0; + int i; + + for (i = 0; i < num; ++i) { + char *rrdata = sk_OPENSSL_STRING_value(rrset, i); + if (tlsa_import_rr(con, rrdata) > 0) + ++count; + } + return count > 0; +} + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, + OPT_XMPPHOST, OPT_VERIFY, + OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN, + OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, + OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO, + OPT_SSL_CLIENT_ENGINE, OPT_RAND, OPT_IGN_EOF, OPT_NO_IGN_EOF, + OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG, + OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG, + OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE, +#ifndef OPENSSL_NO_PSK + OPT_PSK_IDENTITY, OPT_PSK, +#endif +#ifndef OPENSSL_NO_SRP + OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, OPT_SRP_LATEUSER, + OPT_SRP_MOREGROUPS, +#endif + OPT_SSL3, OPT_SSL_CONFIG, + OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, + OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS, + OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, + OPT_VERIFYCAPATH, + OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, + OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN, + OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, + OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST, + OPT_ASYNC, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF, + OPT_V_ENUM, + OPT_X_ENUM, + OPT_S_ENUM, + OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN, +#ifndef OPENSSL_NO_CT + OPT_CT, OPT_NOCT, OPT_CTLOG_FILE, +#endif + OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME +} OPTION_CHOICE; + +OPTIONS s_client_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"host", OPT_HOST, 's', "Use -connect instead"}, + {"port", OPT_PORT, 'p', "Use -connect instead"}, + {"connect", OPT_CONNECT, 's', + "TCP/IP where to connect (default is :" PORT ")"}, + {"proxy", OPT_PROXY, 's', + "Connect to via specified proxy to the real server"}, +#ifdef AF_UNIX + {"unix", OPT_UNIX, 's', "Connect over the specified Unix-domain socket"}, +#endif + {"4", OPT_4, '-', "Use IPv4 only"}, +#ifdef AF_INET6 + {"6", OPT_6, '-', "Use IPv6 only"}, +#endif + {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"}, + {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"}, + {"certform", OPT_CERTFORM, 'F', + "Certificate format (PEM or DER) PEM default"}, + {"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"}, + {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"}, + {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"}, + {"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's', + "DANE TLSA rrdata presentation form"}, + {"dane_ee_no_namechecks", OPT_DANE_EE_NO_NAME, '-', + "Disable name checks when matching DANE-EE(3) TLSA records"}, + {"reconnect", OPT_RECONNECT, '-', + "Drop and re-make the connection with the same Session-ID"}, + {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"}, + {"debug", OPT_DEBUG, '-', "Extra output"}, + {"msg", OPT_MSG, '-', "Show protocol messages"}, + {"msgfile", OPT_MSGFILE, '>', + "File to send output of -msg or -trace, instead of stdout"}, + {"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"}, + {"state", OPT_STATE, '-', "Print the ssl states"}, + {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"}, + {"quiet", OPT_QUIET, '-', "No s_client output"}, + {"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"}, + {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"}, + {"starttls", OPT_STARTTLS, 's', + "Use the appropriate STARTTLS command before starting TLS"}, + {"xmpphost", OPT_XMPPHOST, 's', + "Host to use with \"-starttls xmpp[-server]\""}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"}, + {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"}, + {"use_srtp", OPT_USE_SRTP, 's', + "Offer SRTP key management with a colon-separated profile list"}, + {"keymatexport", OPT_KEYMATEXPORT, 's', + "Export keying material using label"}, + {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', + "Export len bytes of keying material (default 20)"}, + {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"}, + {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""}, + {"CRL", OPT_CRL, '<', "CRL file to use"}, + {"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"}, + {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"}, + {"verify_return_error", OPT_VERIFY_RET_ERROR, '-', + "Close connection on verification error"}, + {"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"}, + {"brief", OPT_BRIEF, '-', + "Restrict output to brief summary of connection parameters"}, + {"prexit", OPT_PREXIT, '-', + "Print session information when the program exits"}, + {"security_debug", OPT_SECURITY_DEBUG, '-', + "Enable security debug messages"}, + {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-', + "Output more security debug output"}, + {"cert_chain", OPT_CERT_CHAIN, '<', + "Certificate chain file (in PEM format)"}, + {"chainCApath", OPT_CHAINCAPATH, '/', + "Use dir as certificate store path to build CA certificate chain"}, + {"verifyCApath", OPT_VERIFYCAPATH, '/', + "Use dir as certificate store path to verify CA certificate"}, + {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, + {"chainCAfile", OPT_CHAINCAFILE, '<', + "CA file for certificate chain (PEM format)"}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<', + "CA file for certificate verification (PEM format)"}, + {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"}, + {"servername", OPT_SERVERNAME, 's', + "Set TLS extension servername in ClientHello"}, + {"tlsextdebug", OPT_TLSEXTDEBUG, '-', + "Hex dump of all TLS extensions received"}, +#ifndef OPENSSL_NO_OCSP + {"status", OPT_STATUS, '-', "Request certificate status from server"}, +#endif + {"serverinfo", OPT_SERVERINFO, 's', + "types Send empty ClientHello extensions (comma-separated numbers)"}, + {"alpn", OPT_ALPN, 's', + "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, + {"async", OPT_ASYNC, '-', "Support asynchronous operation"}, + {"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"}, + {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n', + "Size used to split data for encrypt pipelines"}, + {"max_pipelines", OPT_MAX_PIPELINES, 'n', + "Maximum number of encrypt/decrypt pipelines to be used"}, + {"read_buf", OPT_READ_BUF, 'n', + "Default read buffer size to be used for connections"}, + OPT_S_OPTIONS, + OPT_V_OPTIONS, + OPT_X_OPTIONS, +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, +#endif +#ifndef OPENSSL_NO_TLS1 + {"tls1", OPT_TLS1, '-', "Just use TLSv1"}, +#endif +#ifndef OPENSSL_NO_TLS1_1 + {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"}, +#endif +#ifndef OPENSSL_NO_TLS1_2 + {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"}, +#endif +#ifndef OPENSSL_NO_DTLS + {"dtls", OPT_DTLS, '-', "Use any version of DTLS"}, + {"timeout", OPT_TIMEOUT, '-', + "Enable send/receive timeout on DTLS connections"}, + {"mtu", OPT_MTU, 'p', "Set the link layer MTU"}, +#endif +#ifndef OPENSSL_NO_DTLS1 + {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, +#endif +#ifndef OPENSSL_NO_DTLS1_2 + {"dtls1_2", OPT_DTLS1_2, '-', "Just use DTLSv1.2"}, +#endif +#ifndef OPENSSL_NO_SSL_TRACE + {"trace", OPT_TRACE, '-', "Show trace output of protocol messages"}, +#endif +#ifdef WATT32 + {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"}, +#endif + {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, +#ifndef OPENSSL_NO_PSK + {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"}, + {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, +#endif +#ifndef OPENSSL_NO_SRP + {"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"}, + {"srppass", OPT_SRPPASS, 's', "Password for 'user'"}, + {"srp_lateuser", OPT_SRP_LATEUSER, '-', + "SRP username into second ClientHello message"}, + {"srp_moregroups", OPT_SRP_MOREGROUPS, '-', + "Tolerate other than the known g N values."}, + {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal length in bits for N"}, +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG + {"nextprotoneg", OPT_NEXTPROTONEG, 's', + "Enable NPN extension, considering named protocols supported (comma-separated list)"}, +#endif +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, + {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's', + "Specify engine to be used for client certificate operations"}, +#endif +#ifndef OPENSSL_NO_CT + {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"}, + {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"}, + {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"}, +#endif + {NULL, OPT_EOF, 0x00, NULL} +}; + +typedef enum PROTOCOL_choice { + PROTO_OFF, + PROTO_SMTP, + PROTO_POP3, + PROTO_IMAP, + PROTO_FTP, + PROTO_TELNET, + PROTO_XMPP, + PROTO_XMPP_SERVER, + PROTO_CONNECT, + PROTO_IRC +} PROTOCOL_CHOICE; + +static const OPT_PAIR services[] = { + {"smtp", PROTO_SMTP}, + {"pop3", PROTO_POP3}, + {"imap", PROTO_IMAP}, + {"ftp", PROTO_FTP}, + {"xmpp", PROTO_XMPP}, + {"xmpp-server", PROTO_XMPP_SERVER}, + {"telnet", PROTO_TELNET}, + {"irc", PROTO_IRC}, + {NULL, 0} +}; + +#define IS_INET_FLAG(o) \ + (o == OPT_4 || o == OPT_6 || o == OPT_HOST || o == OPT_PORT || o == OPT_CONNECT) +#define IS_UNIX_FLAG(o) (o == OPT_UNIX) + +#define IS_PROT_FLAG(o) \ + (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \ + || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2) + +/* Free |*dest| and optionally set it to a copy of |source|. */ +static void freeandcopy(char **dest, const char *source) +{ + OPENSSL_free(*dest); + *dest = NULL; + if (source != NULL) + *dest = OPENSSL_strdup(source); +} + +int s_client_main(int argc, char **argv) +{ + BIO *sbio; + EVP_PKEY *key = NULL; + SSL *con = NULL; + SSL_CTX *ctx = NULL; + STACK_OF(X509) *chain = NULL; + X509 *cert = NULL; + X509_VERIFY_PARAM *vpm = NULL; + SSL_EXCERT *exc = NULL; + SSL_CONF_CTX *cctx = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + char *dane_tlsa_domain = NULL; + STACK_OF(OPENSSL_STRING) *dane_tlsa_rrset = NULL; + int dane_ee_no_name = 0; + STACK_OF(X509_CRL) *crls = NULL; + const SSL_METHOD *meth = TLS_client_method(); + const char *CApath = NULL, *CAfile = NULL; + char *cbuf = NULL, *sbuf = NULL; + char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL; + char *cert_file = NULL, *key_file = NULL, *chain_file = NULL; + char *chCApath = NULL, *chCAfile = NULL, *host = NULL; + char *port = OPENSSL_strdup(PORT); + char *inrand = NULL; + char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; + char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p; + char *xmpphost = NULL; + const char *ehlo = "mail.example.com"; + struct timeval timeout, *timeoutp; + fd_set readfds, writefds; + int noCApath = 0, noCAfile = 0; + int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM; + int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0; + int prexit = 0; + int sdebug = 0; + int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0; + int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0; + int sbuf_len, sbuf_off, cmdletters = 1; + int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM; + int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0; + int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) + int at_eof = 0; +#endif + int read_buf_len = 0; + int fallback_scsv = 0; + long randamt = 0; + OPTION_CHOICE o; +#ifndef OPENSSL_NO_DTLS + int enable_timeouts = 0; + long socket_mtu = 0; +#endif +#ifndef OPENSSL_NO_ENGINE + ENGINE *ssl_client_engine = NULL; +#endif + ENGINE *e = NULL; +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) + struct timeval tv; +#endif + char *servername = NULL; + const char *alpn_in = NULL; + tlsextctx tlsextcbp = { NULL, 0 }; + const char *ssl_config = NULL; +#define MAX_SI_TYPES 100 + unsigned short serverinfo_types[MAX_SI_TYPES]; + int serverinfo_count = 0, start = 0, len; +#ifndef OPENSSL_NO_NEXTPROTONEG + const char *next_proto_neg_in = NULL; +#endif +#ifndef OPENSSL_NO_SRP + char *srppass = NULL; + int srp_lateuser = 0; + SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 }; +#endif +#ifndef OPENSSL_NO_CT + char *ctlog_file = NULL; + int ct_validation = 0; +#endif + int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0; + int async = 0; + unsigned int split_send_fragment = 0; + unsigned int max_pipelines = 0; + enum { use_inet, use_unix, use_unknown } connect_type = use_unknown; + int count4or6 = 0; + int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0; + int c_tlsextdebug = 0; +#ifndef OPENSSL_NO_OCSP + int c_status_req = 0; +#endif + BIO *bio_c_msg = NULL; + + FD_ZERO(&readfds); + FD_ZERO(&writefds); +/* Known false-positive of MemorySanitizer. */ +#if defined(__has_feature) +# if __has_feature(memory_sanitizer) + __msan_unpoison(&readfds, sizeof(readfds)); + __msan_unpoison(&writefds, sizeof(writefds)); +# endif +#endif + + prog = opt_progname(argv[0]); + c_quiet = 0; + c_debug = 0; + c_showcerts = 0; + c_nbio = 0; + vpm = X509_VERIFY_PARAM_new(); + cctx = SSL_CONF_CTX_new(); + + if (vpm == NULL || cctx == NULL) { + BIO_printf(bio_err, "%s: out of memory\n", prog); + goto end; + } + + cbuf = app_malloc(BUFSIZZ, "cbuf"); + sbuf = app_malloc(BUFSIZZ, "sbuf"); + mbuf = app_malloc(BUFSIZZ, "mbuf"); + + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT | SSL_CONF_FLAG_CMDLINE); + + prog = opt_init(argc, argv, s_client_options); + while ((o = opt_next()) != OPT_EOF) { + /* Check for intermixing flags. */ + if (connect_type == use_unix && IS_INET_FLAG(o)) { + BIO_printf(bio_err, + "%s: Intermixed protocol flags (unix and internet domains)\n", + prog); + goto end; + } + if (connect_type == use_inet && IS_UNIX_FLAG(o)) { + BIO_printf(bio_err, + "%s: Intermixed protocol flags (internet and unix domains)\n", + prog); + goto end; + } + + if (IS_PROT_FLAG(o) && ++prot_opt > 1) { + BIO_printf(bio_err, "Cannot supply multiple protocol flags\n"); + goto end; + } + if (IS_NO_PROT_FLAG(o)) + no_prot_opt++; + if (prot_opt == 1 && no_prot_opt) { + BIO_printf(bio_err, + "Cannot supply both a protocol flag and '-no_'\n"); + goto end; + } + + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(s_client_options); + ret = 0; + goto end; + case OPT_4: + connect_type = use_inet; + socket_family = AF_INET; + count4or6++; + break; +#ifdef AF_INET6 + case OPT_6: + connect_type = use_inet; + socket_family = AF_INET6; + count4or6++; + break; +#endif + case OPT_HOST: + connect_type = use_inet; + freeandcopy(&host, opt_arg()); + break; + case OPT_PORT: + connect_type = use_inet; + freeandcopy(&port, opt_arg()); + break; + case OPT_CONNECT: + connect_type = use_inet; + freeandcopy(&connectstr, opt_arg()); + break; + case OPT_PROXY: + proxystr = opt_arg(); + starttls_proto = PROTO_CONNECT; + break; +#ifdef AF_UNIX + case OPT_UNIX: + connect_type = use_unix; + socket_family = AF_UNIX; + freeandcopy(&host, opt_arg()); + break; +#endif + case OPT_XMPPHOST: + xmpphost = opt_arg(); + break; + case OPT_SMTPHOST: + ehlo = opt_arg(); + break; + case OPT_VERIFY: + verify = SSL_VERIFY_PEER; + verify_args.depth = atoi(opt_arg()); + if (!c_quiet) + BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth); + break; + case OPT_CERT: + cert_file = opt_arg(); + break; + case OPT_CRL: + crl_file = opt_arg(); + break; + case OPT_CRL_DOWNLOAD: + crl_download = 1; + break; + case OPT_SESS_OUT: + sess_out = opt_arg(); + break; + case OPT_SESS_IN: + sess_in = opt_arg(); + break; + case OPT_CERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &cert_format)) + goto opthelp; + break; + case OPT_CRLFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format)) + goto opthelp; + break; + case OPT_VERIFY_RET_ERROR: + verify_args.return_error = 1; + break; + case OPT_VERIFY_QUIET: + verify_args.quiet = 1; + break; + case OPT_BRIEF: + c_brief = verify_args.quiet = c_quiet = 1; + break; + case OPT_S_CASES: + if (ssl_args == NULL) + ssl_args = sk_OPENSSL_STRING_new_null(); + if (ssl_args == NULL + || !sk_OPENSSL_STRING_push(ssl_args, opt_flag()) + || !sk_OPENSSL_STRING_push(ssl_args, opt_arg())) { + BIO_printf(bio_err, "%s: Memory allocation failure\n", prog); + goto end; + } + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; + case OPT_X_CASES: + if (!args_excert(o, &exc)) + goto end; + break; + case OPT_PREXIT: + prexit = 1; + break; + case OPT_CRLF: + crlf = 1; + break; + case OPT_QUIET: + c_quiet = c_ign_eof = 1; + break; + case OPT_NBIO: + c_nbio = 1; + break; + case OPT_NOCMDS: + cmdletters = 0; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 1); + break; + case OPT_SSL_CLIENT_ENGINE: +#ifndef OPENSSL_NO_ENGINE + ssl_client_engine = ENGINE_by_id(opt_arg()); + if (ssl_client_engine == NULL) { + BIO_printf(bio_err, "Error getting client auth engine\n"); + goto opthelp; + } +#endif + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_IGN_EOF: + c_ign_eof = 1; + break; + case OPT_NO_IGN_EOF: + c_ign_eof = 0; + break; + case OPT_DEBUG: + c_debug = 1; + break; + case OPT_TLSEXTDEBUG: + c_tlsextdebug = 1; + break; + case OPT_STATUS: +#ifndef OPENSSL_NO_OCSP + c_status_req = 1; +#endif + break; + case OPT_WDEBUG: +#ifdef WATT32 + dbug_init(); +#endif + break; + case OPT_MSG: + c_msg = 1; + break; + case OPT_MSGFILE: + bio_c_msg = BIO_new_file(opt_arg(), "w"); + break; + case OPT_TRACE: +#ifndef OPENSSL_NO_SSL_TRACE + c_msg = 2; +#endif + break; + case OPT_SECURITY_DEBUG: + sdebug = 1; + break; + case OPT_SECURITY_DEBUG_VERBOSE: + sdebug = 2; + break; + case OPT_SHOWCERTS: + c_showcerts = 1; + break; + case OPT_NBIO_TEST: + nbio_test = 1; + break; + case OPT_STATE: + state = 1; + break; +#ifndef OPENSSL_NO_PSK + case OPT_PSK_IDENTITY: + psk_identity = opt_arg(); + break; + case OPT_PSK: + for (p = psk_key = opt_arg(); *p; p++) { + if (isxdigit(_UC(*p))) + continue; + BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key); + goto end; + } + break; +#endif +#ifndef OPENSSL_NO_SRP + case OPT_SRPUSER: + srp_arg.srplogin = opt_arg(); + if (min_version < TLS1_VERSION) + min_version = TLS1_VERSION; + break; + case OPT_SRPPASS: + srppass = opt_arg(); + if (min_version < TLS1_VERSION) + min_version = TLS1_VERSION; + break; + case OPT_SRP_STRENGTH: + srp_arg.strength = atoi(opt_arg()); + BIO_printf(bio_err, "SRP minimal length for N is %d\n", + srp_arg.strength); + if (min_version < TLS1_VERSION) + min_version = TLS1_VERSION; + break; + case OPT_SRP_LATEUSER: + srp_lateuser = 1; + if (min_version < TLS1_VERSION) + min_version = TLS1_VERSION; + break; + case OPT_SRP_MOREGROUPS: + srp_arg.amp = 1; + if (min_version < TLS1_VERSION) + min_version = TLS1_VERSION; + break; +#endif + case OPT_SSL_CONFIG: + ssl_config = opt_arg(); + break; + case OPT_SSL3: + min_version = SSL3_VERSION; + max_version = SSL3_VERSION; + break; + case OPT_TLS1_2: + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; + break; + case OPT_TLS1_1: + min_version = TLS1_1_VERSION; + max_version = TLS1_1_VERSION; + break; + case OPT_TLS1: + min_version = TLS1_VERSION; + max_version = TLS1_VERSION; + break; + case OPT_DTLS: +#ifndef OPENSSL_NO_DTLS + meth = DTLS_client_method(); + socket_type = SOCK_DGRAM; +#endif + break; + case OPT_DTLS1: +#ifndef OPENSSL_NO_DTLS1 + meth = DTLS_client_method(); + min_version = DTLS1_VERSION; + max_version = DTLS1_VERSION; + socket_type = SOCK_DGRAM; +#endif + break; + case OPT_DTLS1_2: +#ifndef OPENSSL_NO_DTLS1_2 + meth = DTLS_client_method(); + min_version = DTLS1_2_VERSION; + max_version = DTLS1_2_VERSION; + socket_type = SOCK_DGRAM; +#endif + break; + case OPT_TIMEOUT: +#ifndef OPENSSL_NO_DTLS + enable_timeouts = 1; +#endif + break; + case OPT_MTU: +#ifndef OPENSSL_NO_DTLS + socket_mtu = atol(opt_arg()); +#endif + break; + case OPT_FALLBACKSCSV: + fallback_scsv = 1; + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format)) + goto opthelp; + break; + case OPT_PASS: + passarg = opt_arg(); + break; + case OPT_CERT_CHAIN: + chain_file = opt_arg(); + break; + case OPT_KEY: + key_file = opt_arg(); + break; + case OPT_RECONNECT: + reconnect = 5; + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_CHAINCAPATH: + chCApath = opt_arg(); + break; + case OPT_VERIFYCAPATH: + vfyCApath = opt_arg(); + break; + case OPT_BUILD_CHAIN: + build_chain = 1; + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; +#ifndef OPENSSL_NO_CT + case OPT_NOCT: + ct_validation = 0; + break; + case OPT_CT: + ct_validation = 1; + break; + case OPT_CTLOG_FILE: + ctlog_file = opt_arg(); + break; +#endif + case OPT_CHAINCAFILE: + chCAfile = opt_arg(); + break; + case OPT_VERIFYCAFILE: + vfyCAfile = opt_arg(); + break; + case OPT_DANE_TLSA_DOMAIN: + dane_tlsa_domain = opt_arg(); + break; + case OPT_DANE_TLSA_RRDATA: + if (dane_tlsa_rrset == NULL) + dane_tlsa_rrset = sk_OPENSSL_STRING_new_null(); + if (dane_tlsa_rrset == NULL || + !sk_OPENSSL_STRING_push(dane_tlsa_rrset, opt_arg())) { + BIO_printf(bio_err, "%s: Memory allocation failure\n", prog); + goto end; + } + break; + case OPT_DANE_EE_NO_NAME: + dane_ee_no_name = 1; + break; + case OPT_NEXTPROTONEG: +#ifndef OPENSSL_NO_NEXTPROTONEG + next_proto_neg_in = opt_arg(); +#endif + break; + case OPT_ALPN: + alpn_in = opt_arg(); + break; + case OPT_SERVERINFO: + p = opt_arg(); + len = strlen(p); + for (start = 0, i = 0; i <= len; ++i) { + if (i == len || p[i] == ',') { + serverinfo_types[serverinfo_count] = atoi(p + start); + if (++serverinfo_count == MAX_SI_TYPES) + break; + start = i + 1; + } + } + break; + case OPT_STARTTLS: + if (!opt_pair(opt_arg(), services, &starttls_proto)) + goto end; + break; + case OPT_SERVERNAME: + servername = opt_arg(); + break; + case OPT_USE_SRTP: + srtp_profiles = opt_arg(); + break; + case OPT_KEYMATEXPORT: + keymatexportlabel = opt_arg(); + break; + case OPT_KEYMATEXPORTLEN: + keymatexportlen = atoi(opt_arg()); + break; + case OPT_ASYNC: + async = 1; + break; + case OPT_SPLIT_SEND_FRAG: + split_send_fragment = atoi(opt_arg()); + if (split_send_fragment == 0) { + /* + * Not allowed - set to a deliberately bad value so we get an + * error message below + */ + split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1; + } + break; + case OPT_MAX_PIPELINES: + max_pipelines = atoi(opt_arg()); + break; + case OPT_READ_BUF: + read_buf_len = atoi(opt_arg()); + break; + } + } + if (count4or6 >= 2) { + BIO_printf(bio_err, "%s: Can't use both -4 and -6\n", prog); + goto opthelp; + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (proxystr) { + int res; + char *tmp_host = host, *tmp_port = port; + if (connectstr == NULL) { + BIO_printf(bio_err, "%s: -proxy requires use of -connect\n", prog); + goto opthelp; + } + res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST); + if (tmp_host != host) + OPENSSL_free(tmp_host); + if (tmp_port != port) + OPENSSL_free(tmp_port); + if (!res) { + BIO_printf(bio_err, + "%s: -proxy argument malformed or ambiguous\n", prog); + goto end; + } + } else { + int res = 1; + char *tmp_host = host, *tmp_port = port; + if (connectstr != NULL) + res = BIO_parse_hostserv(connectstr, &host, &port, + BIO_PARSE_PRIO_HOST); + if (tmp_host != host) + OPENSSL_free(tmp_host); + if (tmp_port != port) + OPENSSL_free(tmp_port); + if (!res) { + BIO_printf(bio_err, + "%s: -connect argument malformed or ambiguous\n", + prog); + goto end; + } + } + +#ifdef AF_UNIX + if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) { + BIO_printf(bio_err, + "Can't use unix sockets and datagrams together\n"); + goto end; + } +#endif + + if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { + BIO_printf(bio_err, "Bad split send fragment size\n"); + goto end; + } + + if (max_pipelines > SSL_MAX_PIPELINES) { + BIO_printf(bio_err, "Bad max pipelines value\n"); + goto end; + } + +#if !defined(OPENSSL_NO_NEXTPROTONEG) + next_proto.status = -1; + if (next_proto_neg_in) { + next_proto.data = + next_protos_parse(&next_proto.len, next_proto_neg_in); + if (next_proto.data == NULL) { + BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n"); + goto end; + } + } else + next_proto.data = NULL; +#endif + + if (!app_passwd(passarg, NULL, &pass, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + if (key_file == NULL) + key_file = cert_file; + + if (key_file) { + key = load_key(key_file, key_format, 0, pass, e, + "client certificate private key file"); + if (key == NULL) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (cert_file) { + cert = load_cert(cert_file, cert_format, "client certificate file"); + if (cert == NULL) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (chain_file) { + if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL, + "client certificate chain")) + goto end; + } + + if (crl_file) { + X509_CRL *crl; + crl = load_crl(crl_file, crl_format); + if (crl == NULL) { + BIO_puts(bio_err, "Error loading CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + crls = sk_X509_CRL_new_null(); + if (crls == NULL || !sk_X509_CRL_push(crls, crl)) { + BIO_puts(bio_err, "Error adding CRL\n"); + ERR_print_errors(bio_err); + X509_CRL_free(crl); + goto end; + } + } + + if (!load_excert(&exc)) + goto end; + + if (!app_RAND_load_file(NULL, 1) && inrand == NULL + && !RAND_status()) { + BIO_printf(bio_err, + "warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) { + randamt = app_RAND_load_files(inrand); + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", randamt); + } + + if (bio_c_out == NULL) { + if (c_quiet && !c_debug) { + bio_c_out = BIO_new(BIO_s_null()); + if (c_msg && !bio_c_msg) + bio_c_msg = dup_bio_out(FORMAT_TEXT); + } else if (bio_c_out == NULL) + bio_c_out = dup_bio_out(FORMAT_TEXT); + } +#ifndef OPENSSL_NO_SRP + if (!app_passwd(srppass, NULL, &srp_arg.srppassin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } +#endif + + ctx = SSL_CTX_new(meth); + if (ctx == NULL) { + ERR_print_errors(bio_err); + goto end; + } + + if (sdebug) + ssl_ctx_security_debug(ctx, sdebug); + + if (!config_ctx(cctx, ssl_args, ctx)) + goto end; + + if (ssl_config) { + if (SSL_CTX_config(ctx, ssl_config) == 0) { + BIO_printf(bio_err, "Error using configuration \"%s\"\n", + ssl_config); + ERR_print_errors(bio_err); + goto end; + } + } + + if (min_version != 0 + && SSL_CTX_set_min_proto_version(ctx, min_version) == 0) + goto end; + if (max_version != 0 + && SSL_CTX_set_max_proto_version(ctx, max_version) == 0) + goto end; + + if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { + BIO_printf(bio_err, "Error setting verify params\n"); + ERR_print_errors(bio_err); + goto end; + } + + if (async) { + SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC); + } + if (split_send_fragment > 0) { + SSL_CTX_set_split_send_fragment(ctx, split_send_fragment); + } + if (max_pipelines > 0) { + SSL_CTX_set_max_pipelines(ctx, max_pipelines); + } + + if (read_buf_len > 0) { + SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len); + } + + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, + crls, crl_download)) { + BIO_printf(bio_err, "Error loading store locations\n"); + ERR_print_errors(bio_err); + goto end; + } +#ifndef OPENSSL_NO_ENGINE + if (ssl_client_engine) { + if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) { + BIO_puts(bio_err, "Error setting client auth engine\n"); + ERR_print_errors(bio_err); + ENGINE_free(ssl_client_engine); + goto end; + } + ENGINE_free(ssl_client_engine); + } +#endif + +#ifndef OPENSSL_NO_PSK + if (psk_key != NULL) { + if (c_debug) + BIO_printf(bio_c_out, "PSK key given, setting client callback\n"); + SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); + } +#endif +#ifndef OPENSSL_NO_SRTP + if (srtp_profiles != NULL) { + /* Returns 0 on success! */ + if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) { + BIO_printf(bio_err, "Error setting SRTP profile\n"); + ERR_print_errors(bio_err); + goto end; + } + } +#endif + + if (exc) + ssl_ctx_set_excert(ctx, exc); + +#if !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto.data) + SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); +#endif + if (alpn_in) { + size_t alpn_len; + unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); + + if (alpn == NULL) { + BIO_printf(bio_err, "Error parsing -alpn argument\n"); + goto end; + } + /* Returns 0 on success! */ + if (SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len) != 0) { + BIO_printf(bio_err, "Error setting ALPN\n"); + goto end; + } + OPENSSL_free(alpn); + } + + for (i = 0; i < serverinfo_count; i++) { + if (!SSL_CTX_add_client_custom_ext(ctx, + serverinfo_types[i], + NULL, NULL, NULL, + serverinfo_cli_parse_cb, NULL)) { + BIO_printf(bio_err, + "Warning: Unable to add custom extension %u, skipping\n", + serverinfo_types[i]); + } + } + + if (state) + SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); + +#ifndef OPENSSL_NO_CT + /* Enable SCT processing, without early connection termination */ + if (ct_validation && + !SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_PERMISSIVE)) { + ERR_print_errors(bio_err); + goto end; + } + + if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) { + if (ct_validation) { + ERR_print_errors(bio_err); + goto end; + } + + /* + * If CT validation is not enabled, the log list isn't needed so don't + * show errors or abort. We try to load it regardless because then we + * can show the names of the logs any SCTs came from (SCTs may be seen + * even with validation disabled). + */ + ERR_clear_error(); + } +#endif + + SSL_CTX_set_verify(ctx, verify, verify_callback); + + if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) { + ERR_print_errors(bio_err); + goto end; + } + + ssl_ctx_add_crls(ctx, crls, crl_download); + + if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain)) + goto end; + + if (servername != NULL) { + tlsextcbp.biodebug = bio_err; + SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); + SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); + } +# ifndef OPENSSL_NO_SRP + if (srp_arg.srplogin) { + if (!srp_lateuser && !SSL_CTX_set_srp_username(ctx, srp_arg.srplogin)) { + BIO_printf(bio_err, "Unable to set SRP username\n"); + goto end; + } + srp_arg.msg = c_msg; + srp_arg.debug = c_debug; + SSL_CTX_set_srp_cb_arg(ctx, &srp_arg); + SSL_CTX_set_srp_client_pwd_callback(ctx, ssl_give_srp_client_pwd_cb); + SSL_CTX_set_srp_strength(ctx, srp_arg.strength); + if (c_msg || c_debug || srp_arg.amp == 0) + SSL_CTX_set_srp_verify_param_callback(ctx, + ssl_srp_verify_param_cb); + } +# endif + + if (dane_tlsa_domain != NULL) { + if (SSL_CTX_dane_enable(ctx) <= 0) { + BIO_printf(bio_err, + "%s: Error enabling DANE TLSA authentication.\n", + prog); + ERR_print_errors(bio_err); + goto end; + } + } + + con = SSL_new(ctx); + if (sess_in) { + SSL_SESSION *sess; + BIO *stmp = BIO_new_file(sess_in, "r"); + if (!stmp) { + BIO_printf(bio_err, "Can't open session file %s\n", sess_in); + ERR_print_errors(bio_err); + goto end; + } + sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); + BIO_free(stmp); + if (!sess) { + BIO_printf(bio_err, "Can't open session file %s\n", sess_in); + ERR_print_errors(bio_err); + goto end; + } + if (!SSL_set_session(con, sess)) { + BIO_printf(bio_err, "Can't set session\n"); + ERR_print_errors(bio_err); + goto end; + } + SSL_SESSION_free(sess); + } + + if (fallback_scsv) + SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); + + if (servername != NULL) { + if (!SSL_set_tlsext_host_name(con, servername)) { + BIO_printf(bio_err, "Unable to set TLS servername extension.\n"); + ERR_print_errors(bio_err); + goto end; + } + } + + if (dane_tlsa_domain != NULL) { + if (SSL_dane_enable(con, dane_tlsa_domain) <= 0) { + BIO_printf(bio_err, "%s: Error enabling DANE TLSA " + "authentication.\n", prog); + ERR_print_errors(bio_err); + goto end; + } + if (dane_tlsa_rrset == NULL) { + BIO_printf(bio_err, "%s: DANE TLSA authentication requires at " + "least one -dane_tlsa_rrdata option.\n", prog); + goto end; + } + if (tlsa_import_rrset(con, dane_tlsa_rrset) <= 0) { + BIO_printf(bio_err, "%s: Failed to import any TLSA " + "records.\n", prog); + goto end; + } + if (dane_ee_no_name) + SSL_dane_set_flags(con, DANE_FLAG_NO_DANE_EE_NAMECHECKS); + } else if (dane_tlsa_rrset != NULL) { + BIO_printf(bio_err, "%s: DANE TLSA authentication requires the " + "-dane_tlsa_domain option.\n", prog); + goto end; + } + + re_start: + if (init_client(&s, host, port, socket_family, socket_type) == 0) { + BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error()); + BIO_closesocket(s); + goto end; + } + BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s); + + if (c_nbio) { + if (!BIO_socket_nbio(s, 1)) { + ERR_print_errors(bio_err); + goto end; + } + BIO_printf(bio_c_out, "Turned on non blocking io\n"); + } +#ifndef OPENSSL_NO_DTLS + if (socket_type == SOCK_DGRAM) { + union BIO_sock_info_u peer_info; + + sbio = BIO_new_dgram(s, BIO_NOCLOSE); + if ((peer_info.addr = BIO_ADDR_new()) == NULL) { + BIO_printf(bio_err, "memory allocation failure\n"); + BIO_closesocket(s); + goto end; + } + if (!BIO_sock_info(s, BIO_SOCK_INFO_ADDRESS, &peer_info)) { + BIO_printf(bio_err, "getsockname:errno=%d\n", + get_last_socket_error()); + BIO_ADDR_free(peer_info.addr); + BIO_closesocket(s); + goto end; + } + + (void)BIO_ctrl_set_connected(sbio, peer_info.addr); + BIO_ADDR_free(peer_info.addr); + peer_info.addr = NULL; + + if (enable_timeouts) { + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_RCV_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); + + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_SND_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); + } + + if (socket_mtu) { + if (socket_mtu < DTLS_get_link_min_mtu(con)) { + BIO_printf(bio_err, "MTU too small. Must be at least %ld\n", + DTLS_get_link_min_mtu(con)); + BIO_free(sbio); + goto shut; + } + SSL_set_options(con, SSL_OP_NO_QUERY_MTU); + if (!DTLS_set_link_mtu(con, socket_mtu)) { + BIO_printf(bio_err, "Failed to set MTU\n"); + BIO_free(sbio); + goto shut; + } + } else + /* want to do MTU discovery */ + BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); + } else +#endif /* OPENSSL_NO_DTLS */ + sbio = BIO_new_socket(s, BIO_NOCLOSE); + + if (nbio_test) { + BIO *test; + + test = BIO_new(BIO_f_nbio_test()); + sbio = BIO_push(test, sbio); + } + + if (c_debug) { + BIO_set_callback(sbio, bio_dump_callback); + BIO_set_callback_arg(sbio, (char *)bio_c_out); + } + if (c_msg) { +#ifndef OPENSSL_NO_SSL_TRACE + if (c_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out); + } + + if (c_tlsextdebug) { + SSL_set_tlsext_debug_callback(con, tlsext_cb); + SSL_set_tlsext_debug_arg(con, bio_c_out); + } +#ifndef OPENSSL_NO_OCSP + if (c_status_req) { + SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); + SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); + SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); + } +#endif + + SSL_set_bio(con, sbio, sbio); + SSL_set_connect_state(con); + + /* ok, lets connect */ + if (fileno_stdin() > SSL_get_fd(con)) + width = fileno_stdin() + 1; + else + width = SSL_get_fd(con) + 1; + + read_tty = 1; + write_tty = 0; + tty_on = 0; + read_ssl = 1; + write_ssl = 1; + + cbuf_len = 0; + cbuf_off = 0; + sbuf_len = 0; + sbuf_off = 0; + + switch ((PROTOCOL_CHOICE) starttls_proto) { + case PROTO_OFF: + break; + case PROTO_SMTP: + { + /* + * This is an ugly hack that does a lot of assumptions. We do + * have to handle multi-line responses which may come in a single + * packet or not. We therefore have to use BIO_gets() which does + * need a buffering BIO. So during the initial chitchat we do + * push a buffering BIO into the chain that is removed again + * later on to not disturb the rest of the s_client operation. + */ + int foundit = 0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from SMTP */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + } + while (mbuf_len > 3 && mbuf[3] == '-'); + BIO_printf(fbio, "EHLO %s\r\n", ehlo); + (void)BIO_flush(fbio); + /* wait for multi-line response to end EHLO SMTP response */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + if (strstr(mbuf, "STARTTLS")) + foundit = 1; + } + while (mbuf_len > 3 && mbuf[3] == '-'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't find starttls in server response," + " trying anyway...\n"); + BIO_printf(sbio, "STARTTLS\r\n"); + BIO_read(sbio, sbuf, BUFSIZZ); + } + break; + case PROTO_POP3: + { + BIO_read(sbio, mbuf, BUFSIZZ); + BIO_printf(sbio, "STLS\r\n"); + mbuf_len = BIO_read(sbio, sbuf, BUFSIZZ); + if (mbuf_len < 0) { + BIO_printf(bio_err, "BIO_read failed\n"); + goto end; + } + } + break; + case PROTO_IMAP: + { + int foundit = 0; + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + BIO_gets(fbio, mbuf, BUFSIZZ); + /* STARTTLS command requires CAPABILITY... */ + BIO_printf(fbio, ". CAPABILITY\r\n"); + (void)BIO_flush(fbio); + /* wait for multi-line CAPABILITY response */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + if (strstr(mbuf, "STARTTLS")) + foundit = 1; + } + while (mbuf_len > 3 && mbuf[0] != '.'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) + BIO_printf(bio_err, + "didn't find STARTTLS in server response," + " trying anyway...\n"); + BIO_printf(sbio, ". STARTTLS\r\n"); + BIO_read(sbio, sbuf, BUFSIZZ); + } + break; + case PROTO_FTP: + { + BIO *fbio = BIO_new(BIO_f_buffer()); + BIO_push(fbio, sbio); + /* wait for multi-line response to end from FTP */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + } + while (mbuf_len > 3 && mbuf[3] == '-'); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + BIO_printf(sbio, "AUTH TLS\r\n"); + BIO_read(sbio, sbuf, BUFSIZZ); + } + break; + case PROTO_XMPP: + case PROTO_XMPP_SERVER: + { + int seen = 0; + BIO_printf(sbio, "", + starttls_proto == PROTO_XMPP ? "client" : "server", + xmpphost ? xmpphost : host); + seen = BIO_read(sbio, mbuf, BUFSIZZ); + mbuf[seen] = 0; + while (!strstr + (mbuf, ""); + seen = BIO_read(sbio, sbuf, BUFSIZZ); + sbuf[seen] = 0; + if (!strstr(sbuf, " 2); + } + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (foundit != success) { + goto shut; + } + } + break; + case PROTO_IRC: + { + int numeric; + BIO *fbio = BIO_new(BIO_f_buffer()); + + BIO_push(fbio, sbio); + BIO_printf(fbio, "STARTTLS\r\n"); + (void)BIO_flush(fbio); + width = SSL_get_fd(con) + 1; + + do { + numeric = 0; + + FD_ZERO(&readfds); + openssl_fdset(SSL_get_fd(con), &readfds); + timeout.tv_sec = S_CLIENT_IRC_READ_TIMEOUT; + timeout.tv_usec = 0; + /* + * If the IRCd doesn't respond within + * S_CLIENT_IRC_READ_TIMEOUT seconds, assume + * it doesn't support STARTTLS. Many IRCds + * will not give _any_ sort of response to a + * STARTTLS command when it's not supported. + */ + if (!BIO_get_buffer_num_lines(fbio) + && !BIO_pending(fbio) + && !BIO_pending(sbio) + && select(width, (void *)&readfds, NULL, NULL, + &timeout) < 1) { + BIO_printf(bio_err, + "Timeout waiting for response (%d seconds).\n", + S_CLIENT_IRC_READ_TIMEOUT); + break; + } + + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + if (mbuf_len < 1 || sscanf(mbuf, "%*s %d", &numeric) != 1) + break; + /* :example.net 451 STARTTLS :You have not registered */ + /* :example.net 421 STARTTLS :Unknown command */ + if ((numeric == 451 || numeric == 421) + && strstr(mbuf, "STARTTLS") != NULL) { + BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf); + break; + } + if (numeric == 691) { + BIO_printf(bio_err, "STARTTLS negotiation failed: "); + ERR_print_errors(bio_err); + break; + } + } while (numeric != 670); + + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (numeric != 670) { + BIO_printf(bio_err, "Server does not support STARTTLS.\n"); + ret = 1; + goto shut; + } + } + } + + for (;;) { + FD_ZERO(&readfds); + FD_ZERO(&writefds); + + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + + if (SSL_in_init(con) && !SSL_total_renegotiations(con)) { + in_init = 1; + tty_on = 0; + } else { + tty_on = 1; + if (in_init) { + in_init = 0; + + if (sess_out) { + BIO *stmp = BIO_new_file(sess_out, "w"); + if (stmp) { + PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con)); + BIO_free(stmp); + } else + BIO_printf(bio_err, "Error writing session file %s\n", + sess_out); + } + if (c_brief) { + BIO_puts(bio_err, "CONNECTION ESTABLISHED\n"); + print_ssl_summary(con); + } + + print_stuff(bio_c_out, con, full_log); + if (full_log > 0) + full_log--; + + if (starttls_proto) { + BIO_write(bio_err, mbuf, mbuf_len); + /* We don't need to know any more */ + if (!reconnect) + starttls_proto = PROTO_OFF; + } + + if (reconnect) { + reconnect--; + BIO_printf(bio_c_out, + "drop connection and then reconnect\n"); + do_ssl_shutdown(con); + SSL_set_connect_state(con); + BIO_closesocket(SSL_get_fd(con)); + goto re_start; + } + } + } + + ssl_pending = read_ssl && SSL_has_pending(con); + + if (!ssl_pending) { +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) + if (tty_on) { + /* + * Note that select() returns when read _would not block_, + * and EOF satisfies that. To avoid a CPU-hogging loop, + * set the flag so we exit. + */ + if (read_tty && !at_eof) + openssl_fdset(fileno_stdin(), &readfds); +#if !defined(OPENSSL_SYS_VMS) + if (write_tty) + openssl_fdset(fileno_stdout(), &writefds); +#endif + } + if (read_ssl) + openssl_fdset(SSL_get_fd(con), &readfds); + if (write_ssl) + openssl_fdset(SSL_get_fd(con), &writefds); +#else + if (!tty_on || !write_tty) { + if (read_ssl) + openssl_fdset(SSL_get_fd(con), &readfds); + if (write_ssl) + openssl_fdset(SSL_get_fd(con), &writefds); + } +#endif + + /* + * Note: under VMS with SOCKETSHR the second parameter is + * currently of type (int *) whereas under other systems it is + * (void *) if you don't have a cast it will choke the compiler: + * if you do have a cast then you can either go for (int *) or + * (void *). + */ +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) + /* + * Under Windows/DOS we make the assumption that we can always + * write to the tty: therefore if we need to write to the tty we + * just fall through. Otherwise we timeout the select every + * second and see if there are any keypresses. Note: this is a + * hack, in a proper Windows application we wouldn't do this. + */ + i = 0; + if (!write_tty) { + if (read_tty) { + tv.tv_sec = 1; + tv.tv_usec = 0; + i = select(width, (void *)&readfds, (void *)&writefds, + NULL, &tv); + if (!i && (!has_stdin_waiting() || !read_tty)) + continue; + } else + i = select(width, (void *)&readfds, (void *)&writefds, + NULL, timeoutp); + } +#else + i = select(width, (void *)&readfds, (void *)&writefds, + NULL, timeoutp); +#endif + if (i < 0) { + BIO_printf(bio_err, "bad select %d\n", + get_last_socket_error()); + goto shut; + /* goto end; */ + } + } + + if ((SSL_version(con) == DTLS1_VERSION) + && DTLSv1_handle_timeout(con) > 0) { + BIO_printf(bio_err, "TIMEOUT occurred\n"); + } + + if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)) { + k = SSL_write(con, &(cbuf[cbuf_off]), (unsigned int)cbuf_len); + switch (SSL_get_error(con, k)) { + case SSL_ERROR_NONE: + cbuf_off += k; + cbuf_len -= k; + if (k <= 0) + goto end; + /* we have done a write(con,NULL,0); */ + if (cbuf_len <= 0) { + read_tty = 1; + write_ssl = 0; + } else { /* if (cbuf_len > 0) */ + + read_tty = 0; + write_ssl = 1; + } + break; + case SSL_ERROR_WANT_WRITE: + BIO_printf(bio_c_out, "write W BLOCK\n"); + write_ssl = 1; + read_tty = 0; + break; + case SSL_ERROR_WANT_ASYNC: + BIO_printf(bio_c_out, "write A BLOCK\n"); + wait_for_async(con); + write_ssl = 1; + read_tty = 0; + break; + case SSL_ERROR_WANT_READ: + BIO_printf(bio_c_out, "write R BLOCK\n"); + write_tty = 0; + read_ssl = 1; + write_ssl = 0; + break; + case SSL_ERROR_WANT_X509_LOOKUP: + BIO_printf(bio_c_out, "write X BLOCK\n"); + break; + case SSL_ERROR_ZERO_RETURN: + if (cbuf_len != 0) { + BIO_printf(bio_c_out, "shutdown\n"); + ret = 0; + goto shut; + } else { + read_tty = 1; + write_ssl = 0; + break; + } + + case SSL_ERROR_SYSCALL: + if ((k != 0) || (cbuf_len != 0)) { + BIO_printf(bio_err, "write:errno=%d\n", + get_last_socket_error()); + goto shut; + } else { + read_tty = 1; + write_ssl = 0; + } + break; + case SSL_ERROR_WANT_ASYNC_JOB: + /* This shouldn't ever happen in s_client - treat as an error */ + case SSL_ERROR_SSL: + ERR_print_errors(bio_err); + goto shut; + } + } +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VMS) + /* Assume Windows/DOS/BeOS can always write */ + else if (!ssl_pending && write_tty) +#else + else if (!ssl_pending && FD_ISSET(fileno_stdout(), &writefds)) +#endif + { +#ifdef CHARSET_EBCDIC + ascii2ebcdic(&(sbuf[sbuf_off]), &(sbuf[sbuf_off]), sbuf_len); +#endif + i = raw_write_stdout(&(sbuf[sbuf_off]), sbuf_len); + + if (i <= 0) { + BIO_printf(bio_c_out, "DONE\n"); + ret = 0; + goto shut; + /* goto end; */ + } + + sbuf_len -= i;; + sbuf_off += i; + if (sbuf_len <= 0) { + read_ssl = 1; + write_tty = 0; + } + } else if (ssl_pending || FD_ISSET(SSL_get_fd(con), &readfds)) { +#ifdef RENEG + { + static int iiii; + if (++iiii == 52) { + SSL_renegotiate(con); + iiii = 0; + } + } +#endif + k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ ); + + switch (SSL_get_error(con, k)) { + case SSL_ERROR_NONE: + if (k <= 0) + goto end; + sbuf_off = 0; + sbuf_len = k; + + read_ssl = 0; + write_tty = 1; + break; + case SSL_ERROR_WANT_ASYNC: + BIO_printf(bio_c_out, "read A BLOCK\n"); + wait_for_async(con); + write_tty = 0; + read_ssl = 1; + if ((read_tty == 0) && (write_ssl == 0)) + write_ssl = 1; + break; + case SSL_ERROR_WANT_WRITE: + BIO_printf(bio_c_out, "read W BLOCK\n"); + write_ssl = 1; + read_tty = 0; + break; + case SSL_ERROR_WANT_READ: + BIO_printf(bio_c_out, "read R BLOCK\n"); + write_tty = 0; + read_ssl = 1; + if ((read_tty == 0) && (write_ssl == 0)) + write_ssl = 1; + break; + case SSL_ERROR_WANT_X509_LOOKUP: + BIO_printf(bio_c_out, "read X BLOCK\n"); + break; + case SSL_ERROR_SYSCALL: + ret = get_last_socket_error(); + if (c_brief) + BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n"); + else + BIO_printf(bio_err, "read:errno=%d\n", ret); + goto shut; + case SSL_ERROR_ZERO_RETURN: + BIO_printf(bio_c_out, "closed\n"); + ret = 0; + goto shut; + case SSL_ERROR_WANT_ASYNC_JOB: + /* This shouldn't ever happen in s_client. Treat as an error */ + case SSL_ERROR_SSL: + ERR_print_errors(bio_err); + goto shut; + /* break; */ + } + } +/* OPENSSL_SYS_MSDOS includes OPENSSL_SYS_WINDOWS */ +#if defined(OPENSSL_SYS_MSDOS) + else if (has_stdin_waiting()) +#else + else if (FD_ISSET(fileno_stdin(), &readfds)) +#endif + { + if (crlf) { + int j, lf_num; + + i = raw_read_stdin(cbuf, BUFSIZZ / 2); + lf_num = 0; + /* both loops are skipped when i <= 0 */ + for (j = 0; j < i; j++) + if (cbuf[j] == '\n') + lf_num++; + for (j = i - 1; j >= 0; j--) { + cbuf[j + lf_num] = cbuf[j]; + if (cbuf[j] == '\n') { + lf_num--; + i++; + cbuf[j + lf_num] = '\r'; + } + } + assert(lf_num == 0); + } else + i = raw_read_stdin(cbuf, BUFSIZZ); +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) + if (i == 0) + at_eof = 1; +#endif + + if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q' && cmdletters))) { + BIO_printf(bio_err, "DONE\n"); + ret = 0; + goto shut; + } + + if ((!c_ign_eof) && (cbuf[0] == 'R' && cmdletters)) { + BIO_printf(bio_err, "RENEGOTIATING\n"); + SSL_renegotiate(con); + cbuf_len = 0; + } +#ifndef OPENSSL_NO_HEARTBEATS + else if ((!c_ign_eof) && (cbuf[0] == 'B' && cmdletters)) { + BIO_printf(bio_err, "HEARTBEATING\n"); + SSL_heartbeat(con); + cbuf_len = 0; + } +#endif + else { + cbuf_len = i; + cbuf_off = 0; +#ifdef CHARSET_EBCDIC + ebcdic2ascii(cbuf, cbuf, i); +#endif + } + + write_ssl = 1; + read_tty = 0; + } + } + + ret = 0; + shut: + if (in_init) + print_stuff(bio_c_out, con, full_log); + do_ssl_shutdown(con); + + /* + * Give the socket time to send its last data before we close it. + * No amount of setting SO_LINGER etc on the socket seems to persuade + * Windows to send the data before closing the socket...but sleeping + * for a short time seems to do it (units in ms) + * TODO: Find a better way to do this + */ +#if defined(OPENSSL_SYS_WINDOWS) + Sleep(50); +#elif defined(OPENSSL_SYS_CYGWIN) + usleep(50000); +#endif + + /* + * If we ended with an alert being sent, but still with data in the + * network buffer to be read, then calling BIO_closesocket() will + * result in a TCP-RST being sent. On some platforms (notably + * Windows) then this will result in the peer immediately abandoning + * the connection including any buffered alert data before it has + * had a chance to be read. Shutting down the sending side first, + * and then closing the socket sends TCP-FIN first followed by + * TCP-RST. This seems to allow the peer to read the alert data. + */ + shutdown(SSL_get_fd(con), 1); /* SHUT_WR */ + BIO_closesocket(SSL_get_fd(con)); + end: + if (con != NULL) { + if (prexit != 0) + print_stuff(bio_c_out, con, 1); + SSL_free(con); + } +#if !defined(OPENSSL_NO_NEXTPROTONEG) + OPENSSL_free(next_proto.data); +#endif + SSL_CTX_free(ctx); + X509_free(cert); + sk_X509_CRL_pop_free(crls, X509_CRL_free); + EVP_PKEY_free(key); + sk_X509_pop_free(chain, X509_free); + OPENSSL_free(pass); +#ifndef OPENSSL_NO_SRP + OPENSSL_free(srp_arg.srppassin); +#endif + OPENSSL_free(connectstr); + OPENSSL_free(host); + OPENSSL_free(port); + X509_VERIFY_PARAM_free(vpm); + ssl_excert_free(exc); + sk_OPENSSL_STRING_free(ssl_args); + sk_OPENSSL_STRING_free(dane_tlsa_rrset); + SSL_CONF_CTX_free(cctx); + OPENSSL_clear_free(cbuf, BUFSIZZ); + OPENSSL_clear_free(sbuf, BUFSIZZ); + OPENSSL_clear_free(mbuf, BUFSIZZ); + release_engine(e); + BIO_free(bio_c_out); + bio_c_out = NULL; + BIO_free(bio_c_msg); + bio_c_msg = NULL; + return (ret); +} + +static void print_stuff(BIO *bio, SSL *s, int full) +{ + X509 *peer = NULL; + char buf[BUFSIZ]; + STACK_OF(X509) *sk; + STACK_OF(X509_NAME) *sk2; + const SSL_CIPHER *c; + X509_NAME *xn; + int i; +#ifndef OPENSSL_NO_COMP + const COMP_METHOD *comp, *expansion; +#endif + unsigned char *exportedkeymat; +#ifndef OPENSSL_NO_CT + const SSL_CTX *ctx = SSL_get_SSL_CTX(s); +#endif + + if (full) { + int got_a_chain = 0; + + sk = SSL_get_peer_cert_chain(s); + if (sk != NULL) { + got_a_chain = 1; + + BIO_printf(bio, "---\nCertificate chain\n"); + for (i = 0; i < sk_X509_num(sk); i++) { + X509_NAME_oneline(X509_get_subject_name(sk_X509_value(sk, i)), + buf, sizeof(buf)); + BIO_printf(bio, "%2d s:%s\n", i, buf); + X509_NAME_oneline(X509_get_issuer_name(sk_X509_value(sk, i)), + buf, sizeof(buf)); + BIO_printf(bio, " i:%s\n", buf); + if (c_showcerts) + PEM_write_bio_X509(bio, sk_X509_value(sk, i)); + } + } + + BIO_printf(bio, "---\n"); + peer = SSL_get_peer_certificate(s); + if (peer != NULL) { + BIO_printf(bio, "Server certificate\n"); + + /* Redundant if we showed the whole chain */ + if (!(c_showcerts && got_a_chain)) + PEM_write_bio_X509(bio, peer); + X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof(buf)); + BIO_printf(bio, "subject=%s\n", buf); + X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof(buf)); + BIO_printf(bio, "issuer=%s\n", buf); + } else + BIO_printf(bio, "no peer certificate available\n"); + + sk2 = SSL_get_client_CA_list(s); + if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) { + BIO_printf(bio, "---\nAcceptable client certificate CA names\n"); + for (i = 0; i < sk_X509_NAME_num(sk2); i++) { + xn = sk_X509_NAME_value(sk2, i); + X509_NAME_oneline(xn, buf, sizeof(buf)); + BIO_write(bio, buf, strlen(buf)); + BIO_write(bio, "\n", 1); + } + } else { + BIO_printf(bio, "---\nNo client certificate CA names sent\n"); + } + + ssl_print_sigalgs(bio, s); + ssl_print_tmp_key(bio, s); + +#ifndef OPENSSL_NO_CT + /* + * When the SSL session is anonymous, or resumed via an abbreviated + * handshake, no SCTs are provided as part of the handshake. While in + * a resumed session SCTs may be present in the session's certificate, + * no callbacks are invoked to revalidate these, and in any case that + * set of SCTs may be incomplete. Thus it makes little sense to + * attempt to display SCTs from a resumed session's certificate, and of + * course none are associated with an anonymous peer. + */ + if (peer != NULL && !SSL_session_reused(s) && SSL_ct_is_enabled(s)) { + const STACK_OF(SCT) *scts = SSL_get0_peer_scts(s); + int sct_count = scts != NULL ? sk_SCT_num(scts) : 0; + + BIO_printf(bio, "---\nSCTs present (%i)\n", sct_count); + if (sct_count > 0) { + const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx); + + BIO_printf(bio, "---\n"); + for (i = 0; i < sct_count; ++i) { + SCT *sct = sk_SCT_value(scts, i); + + BIO_printf(bio, "SCT validation status: %s\n", + SCT_validation_status_string(sct)); + SCT_print(sct, bio, 0, log_store); + if (i < sct_count - 1) + BIO_printf(bio, "\n---\n"); + } + BIO_printf(bio, "\n"); + } + } +#endif + + BIO_printf(bio, + "---\nSSL handshake has read %"BIO_PRI64"u" + " bytes and written %"BIO_PRI64"u bytes\n", + BIO_number_read(SSL_get_rbio(s)), + BIO_number_written(SSL_get_wbio(s))); + } + print_verify_detail(s, bio); + BIO_printf(bio, (SSL_session_reused(s) ? "---\nReused, " : "---\nNew, ")); + c = SSL_get_current_cipher(s); + BIO_printf(bio, "%s, Cipher is %s\n", + SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c)); + if (peer != NULL) { + EVP_PKEY *pktmp; + + pktmp = X509_get0_pubkey(peer); + BIO_printf(bio, "Server public key is %d bit\n", + EVP_PKEY_bits(pktmp)); + } + BIO_printf(bio, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); +#ifndef OPENSSL_NO_COMP + comp = SSL_get_current_compression(s); + expansion = SSL_get_current_expansion(s); + BIO_printf(bio, "Compression: %s\n", + comp ? SSL_COMP_get_name(comp) : "NONE"); + BIO_printf(bio, "Expansion: %s\n", + expansion ? SSL_COMP_get_name(expansion) : "NONE"); +#endif + +#ifdef SSL_DEBUG + { + /* Print out local port of connection: useful for debugging */ + int sock; + union BIO_sock_info_u info; + + sock = SSL_get_fd(s); + if ((info.addr = BIO_ADDR_new()) != NULL + && BIO_sock_info(sock, BIO_SOCK_INFO_ADDRESS, &info)) { + BIO_printf(bio_c_out, "LOCAL PORT is %u\n", + ntohs(BIO_ADDR_rawport(info.addr))); + } + BIO_ADDR_free(info.addr); + } +#endif + +#if !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto.status != -1) { + const unsigned char *proto; + unsigned int proto_len; + SSL_get0_next_proto_negotiated(s, &proto, &proto_len); + BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); + BIO_write(bio, proto, proto_len); + BIO_write(bio, "\n", 1); + } +#endif + { + const unsigned char *proto; + unsigned int proto_len; + SSL_get0_alpn_selected(s, &proto, &proto_len); + if (proto_len > 0) { + BIO_printf(bio, "ALPN protocol: "); + BIO_write(bio, proto, proto_len); + BIO_write(bio, "\n", 1); + } else + BIO_printf(bio, "No ALPN negotiated\n"); + } + +#ifndef OPENSSL_NO_SRTP + { + SRTP_PROTECTION_PROFILE *srtp_profile = + SSL_get_selected_srtp_profile(s); + + if (srtp_profile) + BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n", + srtp_profile->name); + } +#endif + + SSL_SESSION_print(bio, SSL_get_session(s)); + if (SSL_get_session(s) != NULL && keymatexportlabel != NULL) { + BIO_printf(bio, "Keying material exporter:\n"); + BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); + BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); + exportedkeymat = app_malloc(keymatexportlen, "export key"); + if (!SSL_export_keying_material(s, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0)) { + BIO_printf(bio, " Error\n"); + } else { + BIO_printf(bio, " Keying material: "); + for (i = 0; i < keymatexportlen; i++) + BIO_printf(bio, "%02X", exportedkeymat[i]); + BIO_printf(bio, "\n"); + } + OPENSSL_free(exportedkeymat); + } + BIO_printf(bio, "---\n"); + X509_free(peer); + /* flush, or debugging output gets mixed with http response */ + (void)BIO_flush(bio); +} + +# ifndef OPENSSL_NO_OCSP +static int ocsp_resp_cb(SSL *s, void *arg) +{ + const unsigned char *p; + int len; + OCSP_RESPONSE *rsp; + len = SSL_get_tlsext_status_ocsp_resp(s, &p); + BIO_puts(arg, "OCSP response: "); + if (!p) { + BIO_puts(arg, "no response sent\n"); + return 1; + } + rsp = d2i_OCSP_RESPONSE(NULL, &p, len); + if (!rsp) { + BIO_puts(arg, "response parse error\n"); + BIO_dump_indent(arg, (char *)p, len, 4); + return 0; + } + BIO_puts(arg, "\n======================================\n"); + OCSP_RESPONSE_print(arg, rsp, 0); + BIO_puts(arg, "======================================\n"); + OCSP_RESPONSE_free(rsp); + return 1; +} +# endif + +#endif /* OPENSSL_NO_SOCK */ diff --git a/openssl-1.1.0h/apps/s_server.c b/openssl-1.1.0h/apps/s_server.c new file mode 100644 index 0000000..31c90fd --- /dev/null +++ b/openssl-1.1.0h/apps/s_server.c @@ -0,0 +1,3305 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* ==================================================================== + * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. + * ECC cipher suite support in OpenSSL originally developed by + * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. + */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ + +#include +#include +#include +#include +#if defined(_WIN32) +/* Included before async.h to avoid some warnings */ +# include +#endif + +#include +#include +#include + +#ifndef OPENSSL_NO_SOCK + +/* + * With IPv6, it looks like Digital has mixed up the proper order of + * recursive header file inclusion, resulting in the compiler complaining + * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is + * needed to have fileno() declared correctly... So let's define u_int + */ +#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) +# define __U_INT +typedef unsigned int u_int; +#endif + +#include +#include +#define USE_SOCKETS +#include "apps.h" +#include +#include +#include +#include +#include +#include +#ifndef OPENSSL_NO_DH +# include +#endif +#ifndef OPENSSL_NO_RSA +# include +#endif +#ifndef OPENSSL_NO_SRP +# include +#endif +#include "s_apps.h" +#include "timeouts.h" +#ifdef CHARSET_EBCDIC +#include +#endif + +static int not_resumable_sess_cb(SSL *s, int is_forward_secure); +static int sv_body(int s, int stype, unsigned char *context); +static int www_body(int s, int stype, unsigned char *context); +static int rev_body(int s, int stype, unsigned char *context); +static void close_accept_socket(void); +static int init_ssl_connection(SSL *s); +static void print_stats(BIO *bp, SSL_CTX *ctx); +static int generate_session_id(const SSL *ssl, unsigned char *id, + unsigned int *id_len); +static void init_session_cache_ctx(SSL_CTX *sctx); +static void free_sessions(void); +#ifndef OPENSSL_NO_DH +static DH *load_dh_param(const char *dhfile); +#endif + +static const int bufsize = 16 * 1024; +static int accept_socket = -1; + +#define TEST_CERT "server.pem" +#define TEST_CERT2 "server2.pem" + +static int s_nbio = 0; +static int s_nbio_test = 0; +static int s_crlf = 0; +static SSL_CTX *ctx = NULL; +static SSL_CTX *ctx2 = NULL; +static int www = 0; + +static BIO *bio_s_out = NULL; +static BIO *bio_s_msg = NULL; +static int s_debug = 0; +static int s_tlsextdebug = 0; +static int s_msg = 0; +static int s_quiet = 0; +static int s_ign_eof = 0; +static int s_brief = 0; + +static char *keymatexportlabel = NULL; +static int keymatexportlen = 20; + +static int async = 0; + +static const char *session_id_prefix = NULL; + +#ifndef OPENSSL_NO_DTLS +static int enable_timeouts = 0; +static long socket_mtu; +#endif + +/* + * We define this but make it always be 0 in no-dtls builds to simplify the + * code. + */ +static int dtlslisten = 0; + +#ifndef OPENSSL_NO_PSK +static const char psk_identity[] = "Client_identity"; +char *psk_key = NULL; /* by default PSK is not used */ + +static unsigned int psk_server_cb(SSL *ssl, const char *identity, + unsigned char *psk, + unsigned int max_psk_len) +{ + long key_len = 0; + unsigned char *key; + + if (s_debug) + BIO_printf(bio_s_out, "psk_server_cb\n"); + if (!identity) { + BIO_printf(bio_err, "Error: client did not send PSK identity\n"); + goto out_err; + } + if (s_debug) + BIO_printf(bio_s_out, "identity_len=%d identity=%s\n", + (int)strlen(identity), identity); + + /* here we could lookup the given identity e.g. from a database */ + if (strcmp(identity, psk_identity) != 0) { + BIO_printf(bio_s_out, "PSK error: client identity not found" + " (got '%s' expected '%s')\n", identity, psk_identity); + goto out_err; + } + if (s_debug) + BIO_printf(bio_s_out, "PSK client identity found\n"); + + /* convert the PSK key to binary */ + key = OPENSSL_hexstr2buf(psk_key, &key_len); + if (key == NULL) { + BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n", + psk_key); + return 0; + } + if (key_len > (int)max_psk_len) { + BIO_printf(bio_err, + "psk buffer of callback is too small (%d) for key (%ld)\n", + max_psk_len, key_len); + OPENSSL_free(key); + return 0; + } + + memcpy(psk, key, key_len); + OPENSSL_free(key); + + if (s_debug) + BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len); + return key_len; + out_err: + if (s_debug) + BIO_printf(bio_err, "Error in PSK server callback\n"); + (void)BIO_flush(bio_err); + (void)BIO_flush(bio_s_out); + return 0; +} +#endif + +#ifndef OPENSSL_NO_SRP +/* This is a context that we pass to callbacks */ +typedef struct srpsrvparm_st { + char *login; + SRP_VBASE *vb; + SRP_user_pwd *user; +} srpsrvparm; + +/* + * This callback pretends to require some asynchronous logic in order to + * obtain a verifier. When the callback is called for a new connection we + * return with a negative value. This will provoke the accept etc to return + * with an LOOKUP_X509. The main logic of the reinvokes the suspended call + * (which would normally occur after a worker has finished) and we set the + * user parameters. + */ +static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) +{ + srpsrvparm *p = (srpsrvparm *) arg; + int ret = SSL3_AL_FATAL; + + if (p->login == NULL && p->user == NULL) { + p->login = SSL_get_srp_username(s); + BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); + return (-1); + } + + if (p->user == NULL) { + BIO_printf(bio_err, "User %s doesn't exist\n", p->login); + goto err; + } + + if (SSL_set_srp_server_param + (s, p->user->N, p->user->g, p->user->s, p->user->v, + p->user->info) < 0) { + *ad = SSL_AD_INTERNAL_ERROR; + goto err; + } + BIO_printf(bio_err, + "SRP parameters set: username = \"%s\" info=\"%s\" \n", + p->login, p->user->info); + ret = SSL_ERROR_NONE; + + err: + SRP_user_pwd_free(p->user); + p->user = NULL; + p->login = NULL; + return ret; +} + +#endif + +static int local_argc = 0; +static char **local_argv; + +#ifdef CHARSET_EBCDIC +static int ebcdic_new(BIO *bi); +static int ebcdic_free(BIO *a); +static int ebcdic_read(BIO *b, char *out, int outl); +static int ebcdic_write(BIO *b, const char *in, int inl); +static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr); +static int ebcdic_gets(BIO *bp, char *buf, int size); +static int ebcdic_puts(BIO *bp, const char *str); + +# define BIO_TYPE_EBCDIC_FILTER (18|0x0200) +static BIO_METHOD *methods_ebcdic = NULL; + +/* This struct is "unwarranted chumminess with the compiler." */ +typedef struct { + size_t alloced; + char buff[1]; +} EBCDIC_OUTBUFF; + +static const BIO_METHOD *BIO_f_ebcdic_filter() +{ + if (methods_ebcdic == NULL) { + methods_ebcdic = BIO_meth_new(BIO_TYPE_EBCDIC_FILTER, + "EBCDIC/ASCII filter"); + if (methods_ebcdic == NULL + || !BIO_meth_set_write(methods_ebcdic, ebcdic_write) + || !BIO_meth_set_read(methods_ebcdic, ebcdic_read) + || !BIO_meth_set_puts(methods_ebcdic, ebcdic_puts) + || !BIO_meth_set_gets(methods_ebcdic, ebcdic_gets) + || !BIO_meth_set_ctrl(methods_ebcdic, ebcdic_ctrl) + || !BIO_meth_set_create(methods_ebcdic, ebcdic_new) + || !BIO_meth_set_destroy(methods_ebcdic, ebcdic_free)) + return NULL; + } + return methods_ebcdic; +} + +static int ebcdic_new(BIO *bi) +{ + EBCDIC_OUTBUFF *wbuf; + + wbuf = app_malloc(sizeof(*wbuf) + 1024, "ebcdic wbuf"); + wbuf->alloced = 1024; + wbuf->buff[0] = '\0'; + + BIO_set_data(bi, wbuf); + BIO_set_init(bi, 1); + return 1; +} + +static int ebcdic_free(BIO *a) +{ + EBCDIC_OUTBUFF *wbuf; + + if (a == NULL) + return 0; + wbuf = BIO_get_data(a); + OPENSSL_free(wbuf); + BIO_set_data(a, NULL); + BIO_set_init(a, 0); + + return 1; +} + +static int ebcdic_read(BIO *b, char *out, int outl) +{ + int ret = 0; + BIO *next = BIO_next(b); + + if (out == NULL || outl == 0) + return (0); + if (next == NULL) + return (0); + + ret = BIO_read(next, out, outl); + if (ret > 0) + ascii2ebcdic(out, out, ret); + return ret; +} + +static int ebcdic_write(BIO *b, const char *in, int inl) +{ + EBCDIC_OUTBUFF *wbuf; + BIO *next = BIO_next(b); + int ret = 0; + int num; + + if ((in == NULL) || (inl <= 0)) + return (0); + if (next == NULL) + return 0; + + wbuf = (EBCDIC_OUTBUFF *) BIO_get_data(b); + + if (inl > (num = wbuf->alloced)) { + num = num + num; /* double the size */ + if (num < inl) + num = inl; + OPENSSL_free(wbuf); + wbuf = app_malloc(sizeof(*wbuf) + num, "grow ebcdic wbuf"); + + wbuf->alloced = num; + wbuf->buff[0] = '\0'; + + BIO_set_data(b, wbuf); + } + + ebcdic2ascii(wbuf->buff, in, inl); + + ret = BIO_write(next, wbuf->buff, inl); + + return (ret); +} + +static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr) +{ + long ret; + BIO *next = BIO_next(b); + + if (next == NULL) + return (0); + switch (cmd) { + case BIO_CTRL_DUP: + ret = 0L; + break; + default: + ret = BIO_ctrl(next, cmd, num, ptr); + break; + } + return (ret); +} + +static int ebcdic_gets(BIO *bp, char *buf, int size) +{ + int i, ret = 0; + BIO *next = BIO_next(bp); + + if (next == NULL) + return 0; +/* return(BIO_gets(bp->next_bio,buf,size));*/ + for (i = 0; i < size - 1; ++i) { + ret = ebcdic_read(bp, &buf[i], 1); + if (ret <= 0) + break; + else if (buf[i] == '\n') { + ++i; + break; + } + } + if (i < size) + buf[i] = '\0'; + return (ret < 0 && i == 0) ? ret : i; +} + +static int ebcdic_puts(BIO *bp, const char *str) +{ + if (BIO_next(bp) == NULL) + return 0; + return ebcdic_write(bp, str, strlen(str)); +} +#endif + +/* This is a context that we pass to callbacks */ +typedef struct tlsextctx_st { + char *servername; + BIO *biodebug; + int extension_error; +} tlsextctx; + +static int ssl_servername_cb(SSL *s, int *ad, void *arg) +{ + tlsextctx *p = (tlsextctx *) arg; + const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); + if (servername && p->biodebug) + BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n", + servername); + + if (!p->servername) + return SSL_TLSEXT_ERR_NOACK; + + if (servername) { + if (strcasecmp(servername, p->servername)) + return p->extension_error; + if (ctx2) { + BIO_printf(p->biodebug, "Switching server context.\n"); + SSL_set_SSL_CTX(s, ctx2); + } + } + return SSL_TLSEXT_ERR_OK; +} + +/* Structure passed to cert status callback */ +typedef struct tlsextstatusctx_st { + /* Default responder to use */ + char *host, *path, *port; + int use_ssl; + int timeout; + int verbose; +} tlsextstatusctx; + +static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 }; + +#ifndef OPENSSL_NO_OCSP +/* + * Certificate Status callback. This is called when a client includes a + * certificate status request extension. This is a simplified version. It + * examines certificates each time and makes one OCSP responder query for + * each request. A full version would store details such as the OCSP + * certificate IDs and minimise the number of OCSP responses by caching them + * until they were considered "expired". + */ + +static int cert_status_cb(SSL *s, void *arg) +{ + tlsextstatusctx *srctx = arg; + char *host = NULL, *port = NULL, *path = NULL; + int use_ssl; + unsigned char *rspder = NULL; + int rspderlen; + STACK_OF(OPENSSL_STRING) *aia = NULL; + X509 *x = NULL; + X509_STORE_CTX *inctx = NULL; + X509_OBJECT *obj; + OCSP_REQUEST *req = NULL; + OCSP_RESPONSE *resp = NULL; + OCSP_CERTID *id = NULL; + STACK_OF(X509_EXTENSION) *exts; + int ret = SSL_TLSEXT_ERR_NOACK; + int i; + + if (srctx->verbose) + BIO_puts(bio_err, "cert_status: callback called\n"); + /* Build up OCSP query from server certificate */ + x = SSL_get_certificate(s); + aia = X509_get1_ocsp(x); + if (aia) { + if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), + &host, &port, &path, &use_ssl)) { + BIO_puts(bio_err, "cert_status: can't parse AIA URL\n"); + goto err; + } + if (srctx->verbose) + BIO_printf(bio_err, "cert_status: AIA URL: %s\n", + sk_OPENSSL_STRING_value(aia, 0)); + } else { + if (!srctx->host) { + BIO_puts(bio_err, + "cert_status: no AIA and no default responder URL\n"); + goto done; + } + host = srctx->host; + path = srctx->path; + port = srctx->port; + use_ssl = srctx->use_ssl; + } + + inctx = X509_STORE_CTX_new(); + if (inctx == NULL) + goto err; + if (!X509_STORE_CTX_init(inctx, + SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), + NULL, NULL)) + goto err; + obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509, + X509_get_issuer_name(x)); + if (obj == NULL) { + BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n"); + goto done; + } + id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj)); + X509_OBJECT_free(obj); + if (!id) + goto err; + req = OCSP_REQUEST_new(); + if (req == NULL) + goto err; + if (!OCSP_request_add0_id(req, id)) + goto err; + id = NULL; + /* Add any extensions to the request */ + SSL_get_tlsext_status_exts(s, &exts); + for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) { + X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); + if (!OCSP_REQUEST_add_ext(req, ext, -1)) + goto err; + } + resp = process_responder(req, host, path, port, use_ssl, NULL, + srctx->timeout); + if (!resp) { + BIO_puts(bio_err, "cert_status: error querying responder\n"); + goto done; + } + rspderlen = i2d_OCSP_RESPONSE(resp, &rspder); + if (rspderlen <= 0) + goto err; + SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen); + if (srctx->verbose) { + BIO_puts(bio_err, "cert_status: ocsp response sent:\n"); + OCSP_RESPONSE_print(bio_err, resp, 2); + } + ret = SSL_TLSEXT_ERR_OK; + goto done; + + err: + ret = SSL_TLSEXT_ERR_ALERT_FATAL; + done: + if (ret != SSL_TLSEXT_ERR_OK) + ERR_print_errors(bio_err); + if (aia) { + OPENSSL_free(host); + OPENSSL_free(path); + OPENSSL_free(port); + X509_email_free(aia); + } + OCSP_CERTID_free(id); + OCSP_REQUEST_free(req); + OCSP_RESPONSE_free(resp); + X509_STORE_CTX_free(inctx); + return ret; +} +#endif + +#ifndef OPENSSL_NO_NEXTPROTONEG +/* This is the context that we pass to next_proto_cb */ +typedef struct tlsextnextprotoctx_st { + unsigned char *data; + size_t len; +} tlsextnextprotoctx; + +static int next_proto_cb(SSL *s, const unsigned char **data, + unsigned int *len, void *arg) +{ + tlsextnextprotoctx *next_proto = arg; + + *data = next_proto->data; + *len = next_proto->len; + + return SSL_TLSEXT_ERR_OK; +} +#endif /* ndef OPENSSL_NO_NEXTPROTONEG */ + +/* This the context that we pass to alpn_cb */ +typedef struct tlsextalpnctx_st { + unsigned char *data; + size_t len; +} tlsextalpnctx; + +static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, void *arg) +{ + tlsextalpnctx *alpn_ctx = arg; + + if (!s_quiet) { + /* We can assume that |in| is syntactically valid. */ + unsigned int i; + BIO_printf(bio_s_out, "ALPN protocols advertised by the client: "); + for (i = 0; i < inlen;) { + if (i) + BIO_write(bio_s_out, ", ", 2); + BIO_write(bio_s_out, &in[i + 1], in[i]); + i += in[i] + 1; + } + BIO_write(bio_s_out, "\n", 1); + } + + if (SSL_select_next_proto + ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in, + inlen) != OPENSSL_NPN_NEGOTIATED) { + return SSL_TLSEXT_ERR_NOACK; + } + + if (!s_quiet) { + BIO_printf(bio_s_out, "ALPN protocols selected: "); + BIO_write(bio_s_out, *out, *outlen); + BIO_write(bio_s_out, "\n", 1); + } + + return SSL_TLSEXT_ERR_OK; +} + +static int not_resumable_sess_cb(SSL *s, int is_forward_secure) +{ + /* disable resumption for sessions with forward secure ciphers */ + return is_forward_secure; +} + +#ifndef OPENSSL_NO_SRP +static srpsrvparm srp_callback_parm; +#endif +#ifndef OPENSSL_NO_SRTP +static char *srtp_profiles = NULL; +#endif + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE, + OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT, + OPT_VERIFY, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL, + OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM, + OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT, + OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT, + OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE, + OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, + OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, + OPT_VERIFYCAFILE, OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, + OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, + OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, + OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, + OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, + OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE, + OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, + OPT_SSL_CONFIG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF, + OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, + OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, + OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, + OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, + OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, + OPT_S_ENUM, + OPT_V_ENUM, + OPT_X_ENUM +} OPTION_CHOICE; + +OPTIONS s_server_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"port", OPT_PORT, 'p', + "TCP/IP port to listen on for connections (default is " PORT ")"}, + {"accept", OPT_ACCEPT, 's', + "TCP/IP optional host and port to listen on for connections (default is *:" PORT ")"}, +#ifdef AF_UNIX + {"unix", OPT_UNIX, 's', "Unix domain socket to accept on"}, +#endif + {"4", OPT_4, '-', "Use IPv4 only"}, + {"6", OPT_6, '-', "Use IPv6 only"}, +#ifdef AF_UNIX + {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"}, +#endif + {"context", OPT_CONTEXT, 's', "Set session ID context"}, + {"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"}, + {"Verify", OPT_UPPER_V_VERIFY, 'n', + "Turn on peer certificate verification, must have a cert"}, + {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT}, + {"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"}, + {"serverinfo", OPT_SERVERINFO, 's', + "PEM serverinfo file for certificate"}, + {"certform", OPT_CERTFORM, 'F', + "Certificate format (PEM or DER) PEM default"}, + {"key", OPT_KEY, 's', + "Private Key if not in -cert; default is " TEST_CERT}, + {"keyform", OPT_KEYFORM, 'f', + "Key format (PEM, DER or ENGINE) PEM default"}, + {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, + {"dcert", OPT_DCERT, '<', + "Second certificate file to use (usually for DSA)"}, + {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"}, + {"dcertform", OPT_DCERTFORM, 'F', + "Second certificate format (PEM or DER) PEM default"}, + {"dkey", OPT_DKEY, '<', + "Second private key file to use (usually for DSA)"}, + {"dkeyform", OPT_DKEYFORM, 'F', + "Second key format (PEM, DER or ENGINE) PEM default"}, + {"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"}, + {"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"}, + {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"}, + {"debug", OPT_DEBUG, '-', "Print more output"}, + {"msg", OPT_MSG, '-', "Show protocol messages"}, + {"msgfile", OPT_MSGFILE, '>', + "File to send output of -msg or -trace, instead of stdout"}, + {"state", OPT_STATE, '-', "Print the SSL states"}, + {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"}, + {"quiet", OPT_QUIET, '-', "No server output"}, + {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-', + "Disable caching and tickets if ephemeral (EC)DH is used"}, + {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"}, + {"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"}, + {"servername", OPT_SERVERNAME, 's', + "Servername for HostName TLS extension"}, + {"servername_fatal", OPT_SERVERNAME_FATAL, '-', + "mismatch send fatal alert (default warning alert)"}, + {"cert2", OPT_CERT2, '<', + "Certificate file to use for servername; default is" TEST_CERT2}, + {"key2", OPT_KEY2, '<', + "-Private Key file to use for servername if not in -cert2"}, + {"tlsextdebug", OPT_TLSEXTDEBUG, '-', + "Hex dump of all TLS extensions received"}, + {"HTTP", OPT_HTTP, '-', "Like -WWW but ./path includes HTTP headers"}, + {"id_prefix", OPT_ID_PREFIX, 's', + "Generate SSL/TLS session IDs prefixed by arg"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"keymatexport", OPT_KEYMATEXPORT, 's', + "Export keying material using label"}, + {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', + "Export len bytes of keying material (default 20)"}, + {"CRL", OPT_CRL, '<', "CRL file to use"}, + {"crl_download", OPT_CRL_DOWNLOAD, '-', + "Download CRL from distribution points"}, + {"cert_chain", OPT_CERT_CHAIN, '<', + "certificate chain file in PEM format"}, + {"dcert_chain", OPT_DCERT_CHAIN, '<', + "second certificate chain file in PEM format"}, + {"chainCApath", OPT_CHAINCAPATH, '/', + "use dir as certificate store path to build CA certificate chain"}, + {"verifyCApath", OPT_VERIFYCAPATH, '/', + "use dir as certificate store path to verify CA certificate"}, + {"no_cache", OPT_NO_CACHE, '-', "Disable session cache"}, + {"ext_cache", OPT_EXT_CACHE, '-', + "Disable internal cache, setup and use external cache"}, + {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"}, + {"verify_return_error", OPT_VERIFY_RET_ERROR, '-', + "Close connection on verification error"}, + {"verify_quiet", OPT_VERIFY_QUIET, '-', + "No verify output except verify errors"}, + {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, + {"chainCAfile", OPT_CHAINCAFILE, '<', + "CA file for certificate chain (PEM format)"}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<', + "CA file for certificate verification (PEM format)"}, + {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"}, + {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"}, +#ifndef OPENSSL_NO_OCSP + {"status", OPT_STATUS, '-', "Request certificate status from server"}, + {"status_verbose", OPT_STATUS_VERBOSE, '-', + "Print more output in certificate status callback"}, + {"status_timeout", OPT_STATUS_TIMEOUT, 'n', + "Status request responder timeout"}, + {"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"}, +#endif +#ifndef OPENSSL_NO_SSL_TRACE + {"trace", OPT_TRACE, '-', "trace protocol messages"}, +#endif + {"security_debug", OPT_SECURITY_DEBUG, '-', + "Print output from SSL/TLS security framework"}, + {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-', + "Print more output from SSL/TLS security framework"}, + {"brief", OPT_BRIEF, '-', + "Restrict output to brief summary of connection parameters"}, + {"rev", OPT_REV, '-', + "act as a simple test server which just sends back with the received text reversed"}, + {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"}, + {"ssl_config", OPT_SSL_CONFIG, 's', + "Configure SSL_CTX using the configuration 'val'"}, + {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n', + "Size used to split data for encrypt pipelines"}, + {"max_pipelines", OPT_MAX_PIPELINES, 'n', + "Maximum number of encrypt/decrypt pipelines to be used"}, + {"read_buf", OPT_READ_BUF, 'n', + "Default read buffer size to be used for connections"}, + OPT_S_OPTIONS, + OPT_V_OPTIONS, + OPT_X_OPTIONS, + {"nbio", OPT_NBIO, '-', "Use non-blocking IO"}, +#ifndef OPENSSL_NO_PSK + {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"}, + {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, +#endif +#ifndef OPENSSL_NO_SRP + {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, + {"srpuserseed", OPT_SRPUSERSEED, 's', + "A seed string for a default user salt"}, +#endif +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"}, +#endif +#ifndef OPENSSL_NO_TLS1 + {"tls1", OPT_TLS1, '-', "Just talk TLSv1"}, +#endif +#ifndef OPENSSL_NO_TLS1_1 + {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"}, +#endif +#ifndef OPENSSL_NO_TLS1_2 + {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, +#endif +#ifndef OPENSSL_NO_DTLS + {"dtls", OPT_DTLS, '-', "Use any DTLS version"}, + {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, + {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, + {"listen", OPT_LISTEN, '-', + "Listen for a DTLS ClientHello with a cookie and then connect"}, +#endif +#ifndef OPENSSL_NO_DTLS1 + {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, +#endif +#ifndef OPENSSL_NO_DTLS1_2 + {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, +#endif +#ifndef OPENSSL_NO_DH + {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, +#endif +#ifndef OPENSSL_NO_NEXTPROTONEG + {"nextprotoneg", OPT_NEXTPROTONEG, 's', + "Set the advertised protocols for the NPN extension (comma-separated list)"}, +#endif +#ifndef OPENSSL_NO_SRTP + {"use_srtp", OPT_SRTP_PROFILES, 's', + "Offer SRTP key management with a colon-separated profile list"}, +#endif + {"alpn", OPT_ALPN, 's', + "Set the advertised protocols for the ALPN extension (comma-separated list)"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL, OPT_EOF, 0, NULL} +}; + +#define IS_PROT_FLAG(o) \ + (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \ + || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2) + +int s_server_main(int argc, char *argv[]) +{ + ENGINE *engine = NULL; + EVP_PKEY *s_key = NULL, *s_dkey = NULL; + SSL_CONF_CTX *cctx = NULL; + const SSL_METHOD *meth = TLS_server_method(); + SSL_EXCERT *exc = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL; + STACK_OF(X509_CRL) *crls = NULL; + X509 *s_cert = NULL, *s_dcert = NULL; + X509_VERIFY_PARAM *vpm = NULL; + const char *CApath = NULL, *CAfile = NULL, *chCApath = NULL, *chCAfile = NULL; + char *dpassarg = NULL, *dpass = NULL, *inrand = NULL; + char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; + char *crl_file = NULL, *prog; +#ifdef AF_UNIX + int unlink_unix_path = 0; +#endif + do_server_cb server_cb; + int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0; +#ifndef OPENSSL_NO_DH + char *dhfile = NULL; + int no_dhe = 0; +#endif + int nocert = 0, ret = 1; + int noCApath = 0, noCAfile = 0; + int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; + int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; + int rev = 0, naccept = -1, sdebug = 0; + int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM; + int state = 0, crl_format = FORMAT_PEM, crl_download = 0; + char *host = NULL; + char *port = BUF_strdup(PORT); + unsigned char *context = NULL; + OPTION_CHOICE o; + EVP_PKEY *s_key2 = NULL; + X509 *s_cert2 = NULL; + tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING }; + const char *ssl_config = NULL; + int read_buf_len = 0; +#ifndef OPENSSL_NO_NEXTPROTONEG + const char *next_proto_neg_in = NULL; + tlsextnextprotoctx next_proto = { NULL, 0 }; +#endif + const char *alpn_in = NULL; + tlsextalpnctx alpn_ctx = { NULL, 0 }; +#ifndef OPENSSL_NO_PSK + /* by default do not send a PSK identity hint */ + char *psk_identity_hint = NULL; + char *p; +#endif +#ifndef OPENSSL_NO_SRP + char *srpuserseed = NULL; + char *srp_verifier_file = NULL; +#endif + int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0; + int s_server_verify = SSL_VERIFY_NONE; + int s_server_session_id_context = 1; /* anything will do */ + const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL; + const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; + char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL; +#ifndef OPENSSL_NO_OCSP + int s_tlsextstatus = 0; +#endif + int no_resume_ephemeral = 0; + unsigned int split_send_fragment = 0, max_pipelines = 0; + const char *s_serverinfo_file = NULL; + + /* Init of few remaining global variables */ + local_argc = argc; + local_argv = argv; + + ctx = ctx2 = NULL; + s_nbio = s_nbio_test = 0; + www = 0; + bio_s_out = NULL; + s_debug = 0; + s_msg = 0; + s_quiet = 0; + s_brief = 0; + async = 0; + + cctx = SSL_CONF_CTX_new(); + vpm = X509_VERIFY_PARAM_new(); + if (cctx == NULL || vpm == NULL) + goto end; + SSL_CONF_CTX_set_flags(cctx, + SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CMDLINE); + + prog = opt_init(argc, argv, s_server_options); + while ((o = opt_next()) != OPT_EOF) { + if (IS_PROT_FLAG(o) && ++prot_opt > 1) { + BIO_printf(bio_err, "Cannot supply multiple protocol flags\n"); + goto end; + } + if (IS_NO_PROT_FLAG(o)) + no_prot_opt++; + if (prot_opt == 1 && no_prot_opt) { + BIO_printf(bio_err, + "Cannot supply both a protocol flag and '-no_'\n"); + goto end; + } + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(s_server_options); + ret = 0; + goto end; + + case OPT_4: +#ifdef AF_UNIX + if (socket_family == AF_UNIX) { + OPENSSL_free(host); host = NULL; + OPENSSL_free(port); port = NULL; + } +#endif + socket_family = AF_INET; + break; + case OPT_6: + if (1) { +#ifdef AF_INET6 +#ifdef AF_UNIX + if (socket_family == AF_UNIX) { + OPENSSL_free(host); host = NULL; + OPENSSL_free(port); port = NULL; + } +#endif + socket_family = AF_INET6; + } else { +#endif + BIO_printf(bio_err, "%s: IPv6 domain sockets unsupported\n", prog); + goto end; + } + break; + case OPT_PORT: +#ifdef AF_UNIX + if (socket_family == AF_UNIX) { + socket_family = AF_UNSPEC; + } +#endif + OPENSSL_free(port); port = NULL; + OPENSSL_free(host); host = NULL; + if (BIO_parse_hostserv(opt_arg(), NULL, &port, BIO_PARSE_PRIO_SERV) < 1) { + BIO_printf(bio_err, + "%s: -port argument malformed or ambiguous\n", + port); + goto end; + } + break; + case OPT_ACCEPT: +#ifdef AF_UNIX + if (socket_family == AF_UNIX) { + socket_family = AF_UNSPEC; + } +#endif + OPENSSL_free(port); port = NULL; + OPENSSL_free(host); host = NULL; + if (BIO_parse_hostserv(opt_arg(), &host, &port, BIO_PARSE_PRIO_SERV) < 1) { + BIO_printf(bio_err, + "%s: -accept argument malformed or ambiguous\n", + port); + goto end; + } + break; +#ifdef AF_UNIX + case OPT_UNIX: + socket_family = AF_UNIX; + OPENSSL_free(host); host = BUF_strdup(opt_arg()); + OPENSSL_free(port); port = NULL; + break; + case OPT_UNLINK: + unlink_unix_path = 1; + break; +#endif + case OPT_NACCEPT: + naccept = atol(opt_arg()); + break; + case OPT_VERIFY: + s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE; + verify_args.depth = atoi(opt_arg()); + if (!s_quiet) + BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth); + break; + case OPT_UPPER_V_VERIFY: + s_server_verify = + SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | + SSL_VERIFY_CLIENT_ONCE; + verify_args.depth = atoi(opt_arg()); + if (!s_quiet) + BIO_printf(bio_err, + "verify depth is %d, must return a certificate\n", + verify_args.depth); + break; + case OPT_CONTEXT: + context = (unsigned char *)opt_arg(); + break; + case OPT_CERT: + s_cert_file = opt_arg(); + break; + case OPT_CRL: + crl_file = opt_arg(); + break; + case OPT_CRL_DOWNLOAD: + crl_download = 1; + break; + case OPT_SERVERINFO: + s_serverinfo_file = opt_arg(); + break; + case OPT_CERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format)) + goto opthelp; + break; + case OPT_KEY: + s_key_file = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format)) + goto opthelp; + break; + case OPT_PASS: + passarg = opt_arg(); + break; + case OPT_CERT_CHAIN: + s_chain_file = opt_arg(); + break; + case OPT_DHPARAM: +#ifndef OPENSSL_NO_DH + dhfile = opt_arg(); +#endif + break; + case OPT_DCERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format)) + goto opthelp; + break; + case OPT_DCERT: + s_dcert_file = opt_arg(); + break; + case OPT_DKEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dkey_format)) + goto opthelp; + break; + case OPT_DPASS: + dpassarg = opt_arg(); + break; + case OPT_DKEY: + s_dkey_file = opt_arg(); + break; + case OPT_DCERT_CHAIN: + s_dchain_file = opt_arg(); + break; + case OPT_NOCERT: + nocert = 1; + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_CHAINCAPATH: + chCApath = opt_arg(); + break; + case OPT_VERIFYCAPATH: + vfyCApath = opt_arg(); + break; + case OPT_NO_CACHE: + no_cache = 1; + break; + case OPT_EXT_CACHE: + ext_cache = 1; + break; + case OPT_CRLFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format)) + goto opthelp; + break; + case OPT_S_CASES: + if (ssl_args == NULL) + ssl_args = sk_OPENSSL_STRING_new_null(); + if (ssl_args == NULL + || !sk_OPENSSL_STRING_push(ssl_args, opt_flag()) + || !sk_OPENSSL_STRING_push(ssl_args, opt_arg())) { + BIO_printf(bio_err, "%s: Memory allocation failure\n", prog); + goto end; + } + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; + case OPT_X_CASES: + if (!args_excert(o, &exc)) + goto end; + break; + case OPT_VERIFY_RET_ERROR: + verify_args.return_error = 1; + break; + case OPT_VERIFY_QUIET: + verify_args.quiet = 1; + break; + case OPT_BUILD_CHAIN: + build_chain = 1; + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_CHAINCAFILE: + chCAfile = opt_arg(); + break; + case OPT_VERIFYCAFILE: + vfyCAfile = opt_arg(); + break; + case OPT_NBIO: + s_nbio = 1; + break; + case OPT_NBIO_TEST: + s_nbio = s_nbio_test = 1; + break; + case OPT_IGN_EOF: + s_ign_eof = 1; + break; + case OPT_NO_IGN_EOF: + s_ign_eof = 0; + break; + case OPT_DEBUG: + s_debug = 1; + break; + case OPT_TLSEXTDEBUG: + s_tlsextdebug = 1; + break; + case OPT_STATUS: +#ifndef OPENSSL_NO_OCSP + s_tlsextstatus = 1; +#endif + break; + case OPT_STATUS_VERBOSE: +#ifndef OPENSSL_NO_OCSP + s_tlsextstatus = tlscstatp.verbose = 1; +#endif + break; + case OPT_STATUS_TIMEOUT: +#ifndef OPENSSL_NO_OCSP + s_tlsextstatus = 1; + tlscstatp.timeout = atoi(opt_arg()); +#endif + break; + case OPT_STATUS_URL: +#ifndef OPENSSL_NO_OCSP + s_tlsextstatus = 1; + if (!OCSP_parse_url(opt_arg(), + &tlscstatp.host, + &tlscstatp.port, + &tlscstatp.path, &tlscstatp.use_ssl)) { + BIO_printf(bio_err, "Error parsing URL\n"); + goto end; + } +#endif + break; + case OPT_MSG: + s_msg = 1; + break; + case OPT_MSGFILE: + bio_s_msg = BIO_new_file(opt_arg(), "w"); + break; + case OPT_TRACE: +#ifndef OPENSSL_NO_SSL_TRACE + s_msg = 2; +#endif + break; + case OPT_SECURITY_DEBUG: + sdebug = 1; + break; + case OPT_SECURITY_DEBUG_VERBOSE: + sdebug = 2; + break; + case OPT_STATE: + state = 1; + break; + case OPT_CRLF: + s_crlf = 1; + break; + case OPT_QUIET: + s_quiet = 1; + break; + case OPT_BRIEF: + s_quiet = s_brief = verify_args.quiet = 1; + break; + case OPT_NO_DHE: +#ifndef OPENSSL_NO_DH + no_dhe = 1; +#endif + break; + case OPT_NO_RESUME_EPHEMERAL: + no_resume_ephemeral = 1; + break; + case OPT_PSK_HINT: +#ifndef OPENSSL_NO_PSK + psk_identity_hint = opt_arg(); +#endif + break; + case OPT_PSK: +#ifndef OPENSSL_NO_PSK + for (p = psk_key = opt_arg(); *p; p++) { + if (isxdigit(_UC(*p))) + continue; + BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); + goto end; + } +#endif + break; + case OPT_SRPVFILE: +#ifndef OPENSSL_NO_SRP + srp_verifier_file = opt_arg(); + if (min_version < TLS1_VERSION) + min_version = TLS1_VERSION; +#endif + break; + case OPT_SRPUSERSEED: +#ifndef OPENSSL_NO_SRP + srpuserseed = opt_arg(); + if (min_version < TLS1_VERSION) + min_version = TLS1_VERSION; +#endif + break; + case OPT_REV: + rev = 1; + break; + case OPT_WWW: + www = 1; + break; + case OPT_UPPER_WWW: + www = 2; + break; + case OPT_HTTP: + www = 3; + break; + case OPT_SSL_CONFIG: + ssl_config = opt_arg(); + break; + case OPT_SSL3: + min_version = SSL3_VERSION; + max_version = SSL3_VERSION; + break; + case OPT_TLS1_2: + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; + break; + case OPT_TLS1_1: + min_version = TLS1_1_VERSION; + max_version = TLS1_1_VERSION; + break; + case OPT_TLS1: + min_version = TLS1_VERSION; + max_version = TLS1_VERSION; + break; + case OPT_DTLS: +#ifndef OPENSSL_NO_DTLS + meth = DTLS_server_method(); + socket_type = SOCK_DGRAM; +#endif + break; + case OPT_DTLS1: +#ifndef OPENSSL_NO_DTLS + meth = DTLS_server_method(); + min_version = DTLS1_VERSION; + max_version = DTLS1_VERSION; + socket_type = SOCK_DGRAM; +#endif + break; + case OPT_DTLS1_2: +#ifndef OPENSSL_NO_DTLS + meth = DTLS_server_method(); + min_version = DTLS1_2_VERSION; + max_version = DTLS1_2_VERSION; + socket_type = SOCK_DGRAM; +#endif + break; + case OPT_TIMEOUT: +#ifndef OPENSSL_NO_DTLS + enable_timeouts = 1; +#endif + break; + case OPT_MTU: +#ifndef OPENSSL_NO_DTLS + socket_mtu = atol(opt_arg()); +#endif + break; + case OPT_LISTEN: +#ifndef OPENSSL_NO_DTLS + dtlslisten = 1; +#endif + break; + case OPT_ID_PREFIX: + session_id_prefix = opt_arg(); + break; + case OPT_ENGINE: + engine = setup_engine(opt_arg(), 1); + break; + case OPT_RAND: + inrand = opt_arg(); + break; + case OPT_SERVERNAME: + tlsextcbp.servername = opt_arg(); + break; + case OPT_SERVERNAME_FATAL: + tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; + break; + case OPT_CERT2: + s_cert_file2 = opt_arg(); + break; + case OPT_KEY2: + s_key_file2 = opt_arg(); + break; + case OPT_NEXTPROTONEG: +# ifndef OPENSSL_NO_NEXTPROTONEG + next_proto_neg_in = opt_arg(); +#endif + break; + case OPT_ALPN: + alpn_in = opt_arg(); + break; + case OPT_SRTP_PROFILES: +#ifndef OPENSSL_NO_SRTP + srtp_profiles = opt_arg(); +#endif + break; + case OPT_KEYMATEXPORT: + keymatexportlabel = opt_arg(); + break; + case OPT_KEYMATEXPORTLEN: + keymatexportlen = atoi(opt_arg()); + break; + case OPT_ASYNC: + async = 1; + break; + case OPT_SPLIT_SEND_FRAG: + split_send_fragment = atoi(opt_arg()); + if (split_send_fragment == 0) { + /* + * Not allowed - set to a deliberately bad value so we get an + * error message below + */ + split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1; + } + break; + case OPT_MAX_PIPELINES: + max_pipelines = atoi(opt_arg()); + break; + case OPT_READ_BUF: + read_buf_len = atoi(opt_arg()); + break; + + } + } + argc = opt_num_rest(); + argv = opt_rest(); + +#ifndef OPENSSL_NO_DTLS + if (www && socket_type == SOCK_DGRAM) { + BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n"); + goto end; + } + + if (dtlslisten && socket_type != SOCK_DGRAM) { + BIO_printf(bio_err, "Can only use -listen with DTLS\n"); + goto end; + } +#endif + +#ifdef AF_UNIX + if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) { + BIO_printf(bio_err, + "Can't use unix sockets and datagrams together\n"); + goto end; + } +#endif + + if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) { + BIO_printf(bio_err, "Bad split send fragment size\n"); + goto end; + } + + if (max_pipelines > SSL_MAX_PIPELINES) { + BIO_printf(bio_err, "Bad max pipelines value\n"); + goto end; + } + + if (!app_passwd(passarg, dpassarg, &pass, &dpass)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + if (s_key_file == NULL) + s_key_file = s_cert_file; + + if (s_key_file2 == NULL) + s_key_file2 = s_cert_file2; + + if (!load_excert(&exc)) + goto end; + + if (nocert == 0) { + s_key = load_key(s_key_file, s_key_format, 0, pass, engine, + "server certificate private key file"); + if (!s_key) { + ERR_print_errors(bio_err); + goto end; + } + + s_cert = load_cert(s_cert_file, s_cert_format, + "server certificate file"); + + if (!s_cert) { + ERR_print_errors(bio_err); + goto end; + } + if (s_chain_file) { + if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, + "server certificate chain")) + goto end; + } + + if (tlsextcbp.servername) { + s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine, + "second server certificate private key file"); + if (!s_key2) { + ERR_print_errors(bio_err); + goto end; + } + + s_cert2 = load_cert(s_cert_file2, s_cert_format, + "second server certificate file"); + + if (!s_cert2) { + ERR_print_errors(bio_err); + goto end; + } + } + } +#if !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto_neg_in) { + next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in); + if (next_proto.data == NULL) + goto end; + } +#endif + alpn_ctx.data = NULL; + if (alpn_in) { + alpn_ctx.data = next_protos_parse(&alpn_ctx.len, alpn_in); + if (alpn_ctx.data == NULL) + goto end; + } + + if (crl_file) { + X509_CRL *crl; + crl = load_crl(crl_file, crl_format); + if (!crl) { + BIO_puts(bio_err, "Error loading CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + crls = sk_X509_CRL_new_null(); + if (!crls || !sk_X509_CRL_push(crls, crl)) { + BIO_puts(bio_err, "Error adding CRL\n"); + ERR_print_errors(bio_err); + X509_CRL_free(crl); + goto end; + } + } + + if (s_dcert_file) { + + if (s_dkey_file == NULL) + s_dkey_file = s_dcert_file; + + s_dkey = load_key(s_dkey_file, s_dkey_format, + 0, dpass, engine, "second certificate private key file"); + if (!s_dkey) { + ERR_print_errors(bio_err); + goto end; + } + + s_dcert = load_cert(s_dcert_file, s_dcert_format, + "second server certificate file"); + + if (!s_dcert) { + ERR_print_errors(bio_err); + goto end; + } + if (s_dchain_file) { + if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, + "second server certificate chain")) + goto end; + } + + } + + if (!app_RAND_load_file(NULL, 1) && inrand == NULL + && !RAND_status()) { + BIO_printf(bio_err, + "warning, not much extra random data, consider using the -rand option\n"); + } + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + + if (bio_s_out == NULL) { + if (s_quiet && !s_debug) { + bio_s_out = BIO_new(BIO_s_null()); + if (s_msg && !bio_s_msg) + bio_s_msg = dup_bio_out(FORMAT_TEXT); + } else { + if (bio_s_out == NULL) + bio_s_out = dup_bio_out(FORMAT_TEXT); + } + } +#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) + if (nocert) +#endif + { + s_cert_file = NULL; + s_key_file = NULL; + s_dcert_file = NULL; + s_dkey_file = NULL; + s_cert_file2 = NULL; + s_key_file2 = NULL; + } + + ctx = SSL_CTX_new(meth); + if (ctx == NULL) { + ERR_print_errors(bio_err); + goto end; + } + if (sdebug) + ssl_ctx_security_debug(ctx, sdebug); + + if (!config_ctx(cctx, ssl_args, ctx)) + goto end; + + if (ssl_config) { + if (SSL_CTX_config(ctx, ssl_config) == 0) { + BIO_printf(bio_err, "Error using configuration \"%s\"\n", + ssl_config); + ERR_print_errors(bio_err); + goto end; + } + } + if (min_version != 0 + && SSL_CTX_set_min_proto_version(ctx, min_version) == 0) + goto end; + if (max_version != 0 + && SSL_CTX_set_max_proto_version(ctx, max_version) == 0) + goto end; + + if (session_id_prefix) { + if (strlen(session_id_prefix) >= 32) + BIO_printf(bio_err, + "warning: id_prefix is too long, only one new session will be possible\n"); + if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) { + BIO_printf(bio_err, "error setting 'id_prefix'\n"); + ERR_print_errors(bio_err); + goto end; + } + BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix); + } + SSL_CTX_set_quiet_shutdown(ctx, 1); + if (exc) + ssl_ctx_set_excert(ctx, exc); + + if (state) + SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); + if (no_cache) + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + else if (ext_cache) + init_session_cache_ctx(ctx); + else + SSL_CTX_sess_set_cache_size(ctx, 128); + + if (async) { + SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC); + } + if (split_send_fragment > 0) { + SSL_CTX_set_split_send_fragment(ctx, split_send_fragment); + } + if (max_pipelines > 0) { + SSL_CTX_set_max_pipelines(ctx, max_pipelines); + } + + if (read_buf_len > 0) { + SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len); + } +#ifndef OPENSSL_NO_SRTP + if (srtp_profiles != NULL) { + /* Returns 0 on success! */ + if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) { + BIO_printf(bio_err, "Error setting SRTP profile\n"); + ERR_print_errors(bio_err); + goto end; + } + } +#endif + + if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) { + ERR_print_errors(bio_err); + goto end; + } + if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { + BIO_printf(bio_err, "Error setting verify params\n"); + ERR_print_errors(bio_err); + goto end; + } + + ssl_ctx_add_crls(ctx, crls, 0); + + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, + crls, crl_download)) { + BIO_printf(bio_err, "Error loading store locations\n"); + ERR_print_errors(bio_err); + goto end; + } + + if (s_cert2) { + ctx2 = SSL_CTX_new(meth); + if (ctx2 == NULL) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (ctx2) { + BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); + + if (sdebug) + ssl_ctx_security_debug(ctx, sdebug); + + if (session_id_prefix) { + if (strlen(session_id_prefix) >= 32) + BIO_printf(bio_err, + "warning: id_prefix is too long, only one new session will be possible\n"); + if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) { + BIO_printf(bio_err, "error setting 'id_prefix'\n"); + ERR_print_errors(bio_err); + goto end; + } + BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix); + } + SSL_CTX_set_quiet_shutdown(ctx2, 1); + if (exc) + ssl_ctx_set_excert(ctx2, exc); + + if (state) + SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback); + + if (no_cache) + SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF); + else if (ext_cache) + init_session_cache_ctx(ctx2); + else + SSL_CTX_sess_set_cache_size(ctx2, 128); + + if (async) + SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC); + + if (!ctx_set_verify_locations(ctx2, CAfile, CApath, noCAfile, + noCApath)) { + ERR_print_errors(bio_err); + goto end; + } + if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) { + BIO_printf(bio_err, "Error setting verify params\n"); + ERR_print_errors(bio_err); + goto end; + } + + ssl_ctx_add_crls(ctx2, crls, 0); + if (!config_ctx(cctx, ssl_args, ctx2)) + goto end; + } +#ifndef OPENSSL_NO_NEXTPROTONEG + if (next_proto.data) + SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, + &next_proto); +#endif + if (alpn_ctx.data) + SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); + +#ifndef OPENSSL_NO_DH + if (!no_dhe) { + DH *dh = NULL; + + if (dhfile) + dh = load_dh_param(dhfile); + else if (s_cert_file) + dh = load_dh_param(s_cert_file); + + if (dh != NULL) { + BIO_printf(bio_s_out, "Setting temp DH parameters\n"); + } else { + BIO_printf(bio_s_out, "Using default temp DH parameters\n"); + } + (void)BIO_flush(bio_s_out); + + if (dh == NULL) + SSL_CTX_set_dh_auto(ctx, 1); + else if (!SSL_CTX_set_tmp_dh(ctx, dh)) { + BIO_puts(bio_err, "Error setting temp DH parameters\n"); + ERR_print_errors(bio_err); + DH_free(dh); + goto end; + } + + if (ctx2) { + if (!dhfile) { + DH *dh2 = load_dh_param(s_cert_file2); + if (dh2 != NULL) { + BIO_printf(bio_s_out, "Setting temp DH parameters\n"); + (void)BIO_flush(bio_s_out); + + DH_free(dh); + dh = dh2; + } + } + if (dh == NULL) + SSL_CTX_set_dh_auto(ctx2, 1); + else if (!SSL_CTX_set_tmp_dh(ctx2, dh)) { + BIO_puts(bio_err, "Error setting temp DH parameters\n"); + ERR_print_errors(bio_err); + DH_free(dh); + goto end; + } + } + DH_free(dh); + } +#endif + + if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) + goto end; + + if (s_serverinfo_file != NULL + && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) { + ERR_print_errors(bio_err); + goto end; + } + + if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain)) + goto end; + + if (s_dcert != NULL) { + if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain)) + goto end; + } + + if (no_resume_ephemeral) { + SSL_CTX_set_not_resumable_session_callback(ctx, + not_resumable_sess_cb); + + if (ctx2) + SSL_CTX_set_not_resumable_session_callback(ctx2, + not_resumable_sess_cb); + } +#ifndef OPENSSL_NO_PSK + if (psk_key != NULL) { + if (s_debug) + BIO_printf(bio_s_out, "PSK key given, setting server callback\n"); + SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); + } + + if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) { + BIO_printf(bio_err, "error setting PSK identity hint to context\n"); + ERR_print_errors(bio_err); + goto end; + } +#endif + + SSL_CTX_set_verify(ctx, s_server_verify, verify_callback); + if (!SSL_CTX_set_session_id_context(ctx, + (void *)&s_server_session_id_context, + sizeof(s_server_session_id_context))) { + BIO_printf(bio_err, "error setting session id context\n"); + ERR_print_errors(bio_err); + goto end; + } + + /* Set DTLS cookie generation and verification callbacks */ + SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); + SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); + + if (ctx2) { + SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); + if (!SSL_CTX_set_session_id_context(ctx2, + (void *)&s_server_session_id_context, + sizeof(s_server_session_id_context))) { + BIO_printf(bio_err, "error setting session id context\n"); + ERR_print_errors(bio_err); + goto end; + } + tlsextcbp.biodebug = bio_s_out; + SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb); + SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp); + SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); + SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); + } + +#ifndef OPENSSL_NO_SRP + if (srp_verifier_file != NULL) { + srp_callback_parm.vb = SRP_VBASE_new(srpuserseed); + srp_callback_parm.user = NULL; + srp_callback_parm.login = NULL; + if ((ret = + SRP_VBASE_init(srp_callback_parm.vb, + srp_verifier_file)) != SRP_NO_ERROR) { + BIO_printf(bio_err, + "Cannot initialize SRP verifier file \"%s\":ret=%d\n", + srp_verifier_file, ret); + goto end; + } + SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback); + SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm); + SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb); + } else +#endif + if (CAfile != NULL) { + SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); + + if (ctx2) + SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); + } +#ifndef OPENSSL_NO_OCSP + if (s_tlsextstatus) { + SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); + SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); + if (ctx2) { + SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb); + SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp); + } + } +#endif + + BIO_printf(bio_s_out, "ACCEPT\n"); + (void)BIO_flush(bio_s_out); + if (rev) + server_cb = rev_body; + else if (www) + server_cb = www_body; + else + server_cb = sv_body; +#ifdef AF_UNIX + if (socket_family == AF_UNIX + && unlink_unix_path) + unlink(host); +#endif + do_server(&accept_socket, host, port, socket_family, socket_type, + server_cb, context, naccept); + print_stats(bio_s_out, ctx); + ret = 0; + end: + SSL_CTX_free(ctx); + X509_free(s_cert); + sk_X509_CRL_pop_free(crls, X509_CRL_free); + X509_free(s_dcert); + EVP_PKEY_free(s_key); + EVP_PKEY_free(s_dkey); + sk_X509_pop_free(s_chain, X509_free); + sk_X509_pop_free(s_dchain, X509_free); + OPENSSL_free(pass); + OPENSSL_free(dpass); + OPENSSL_free(host); + OPENSSL_free(port); + X509_VERIFY_PARAM_free(vpm); + free_sessions(); + OPENSSL_free(tlscstatp.host); + OPENSSL_free(tlscstatp.port); + OPENSSL_free(tlscstatp.path); + SSL_CTX_free(ctx2); + X509_free(s_cert2); + EVP_PKEY_free(s_key2); +#ifndef OPENSSL_NO_NEXTPROTONEG + OPENSSL_free(next_proto.data); +#endif + OPENSSL_free(alpn_ctx.data); + ssl_excert_free(exc); + sk_OPENSSL_STRING_free(ssl_args); + SSL_CONF_CTX_free(cctx); + release_engine(engine); + BIO_free(bio_s_out); + bio_s_out = NULL; + BIO_free(bio_s_msg); + bio_s_msg = NULL; +#ifdef CHARSET_EBCDIC + BIO_meth_free(methods_ebcdic); +#endif + return (ret); +} + +static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) +{ + BIO_printf(bio, "%4ld items in the session cache\n", + SSL_CTX_sess_number(ssl_ctx)); + BIO_printf(bio, "%4ld client connects (SSL_connect())\n", + SSL_CTX_sess_connect(ssl_ctx)); + BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n", + SSL_CTX_sess_connect_renegotiate(ssl_ctx)); + BIO_printf(bio, "%4ld client connects that finished\n", + SSL_CTX_sess_connect_good(ssl_ctx)); + BIO_printf(bio, "%4ld server accepts (SSL_accept())\n", + SSL_CTX_sess_accept(ssl_ctx)); + BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n", + SSL_CTX_sess_accept_renegotiate(ssl_ctx)); + BIO_printf(bio, "%4ld server accepts that finished\n", + SSL_CTX_sess_accept_good(ssl_ctx)); + BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx)); + BIO_printf(bio, "%4ld session cache misses\n", + SSL_CTX_sess_misses(ssl_ctx)); + BIO_printf(bio, "%4ld session cache timeouts\n", + SSL_CTX_sess_timeouts(ssl_ctx)); + BIO_printf(bio, "%4ld callback cache hits\n", + SSL_CTX_sess_cb_hits(ssl_ctx)); + BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n", + SSL_CTX_sess_cache_full(ssl_ctx), + SSL_CTX_sess_get_cache_size(ssl_ctx)); +} + +static int sv_body(int s, int stype, unsigned char *context) +{ + char *buf = NULL; + fd_set readfds; + int ret = 1, width; + int k, i; + unsigned long l; + SSL *con = NULL; + BIO *sbio; + struct timeval timeout; +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) + struct timeval tv; +#else + struct timeval *timeoutp; +#endif + + buf = app_malloc(bufsize, "server buffer"); + if (s_nbio) { + if (!BIO_socket_nbio(s, 1)) + ERR_print_errors(bio_err); + else if (!s_quiet) + BIO_printf(bio_err, "Turned on non blocking io\n"); + } + + if (con == NULL) { + con = SSL_new(ctx); + + if (s_tlsextdebug) { + SSL_set_tlsext_debug_callback(con, tlsext_cb); + SSL_set_tlsext_debug_arg(con, bio_s_out); + } + + if (context + && !SSL_set_session_id_context(con, + context, strlen((char *)context))) { + BIO_printf(bio_err, "Error setting session id context\n"); + ret = -1; + goto err; + } + } + if (!SSL_clear(con)) { + BIO_printf(bio_err, "Error clearing SSL connection\n"); + ret = -1; + goto err; + } +#ifndef OPENSSL_NO_DTLS + if (stype == SOCK_DGRAM) { + + sbio = BIO_new_dgram(s, BIO_NOCLOSE); + + if (enable_timeouts) { + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_RCV_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); + + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_SND_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); + } + + if (socket_mtu) { + if (socket_mtu < DTLS_get_link_min_mtu(con)) { + BIO_printf(bio_err, "MTU too small. Must be at least %ld\n", + DTLS_get_link_min_mtu(con)); + ret = -1; + BIO_free(sbio); + goto err; + } + SSL_set_options(con, SSL_OP_NO_QUERY_MTU); + if (!DTLS_set_link_mtu(con, socket_mtu)) { + BIO_printf(bio_err, "Failed to set MTU\n"); + ret = -1; + BIO_free(sbio); + goto err; + } + } else + /* want to do MTU discovery */ + BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); + + /* turn on cookie exchange */ + SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE); + } else +#endif + sbio = BIO_new_socket(s, BIO_NOCLOSE); + + if (s_nbio_test) { + BIO *test; + + test = BIO_new(BIO_f_nbio_test()); + sbio = BIO_push(test, sbio); + } + + SSL_set_bio(con, sbio, sbio); + SSL_set_accept_state(con); + /* SSL_set_fd(con,s); */ + + if (s_debug) { + BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); + BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out); + } + if (s_msg) { +#ifndef OPENSSL_NO_SSL_TRACE + if (s_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); + } + + if (s_tlsextdebug) { + SSL_set_tlsext_debug_callback(con, tlsext_cb); + SSL_set_tlsext_debug_arg(con, bio_s_out); + } + + if (fileno_stdin() > s) + width = fileno_stdin() + 1; + else + width = s + 1; + for (;;) { + int read_from_terminal; + int read_from_sslcon; + + read_from_terminal = 0; + read_from_sslcon = SSL_has_pending(con) + || (async && SSL_waiting_for_async(con)); + + if (!read_from_sslcon) { + FD_ZERO(&readfds); +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) + openssl_fdset(fileno_stdin(), &readfds); +#endif + openssl_fdset(s, &readfds); + /* + * Note: under VMS with SOCKETSHR the second parameter is + * currently of type (int *) whereas under other systems it is + * (void *) if you don't have a cast it will choke the compiler: + * if you do have a cast then you can either go for (int *) or + * (void *). + */ +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) + /* + * Under DOS (non-djgpp) and Windows we can't select on stdin: + * only on sockets. As a workaround we timeout the select every + * second and check for any keypress. In a proper Windows + * application we wouldn't do this because it is inefficient. + */ + tv.tv_sec = 1; + tv.tv_usec = 0; + i = select(width, (void *)&readfds, NULL, NULL, &tv); + if (has_stdin_waiting()) + read_from_terminal = 1; + if ((i < 0) || (!i && !read_from_terminal)) + continue; +#else + if ((SSL_version(con) == DTLS1_VERSION) && + DTLSv1_get_timeout(con, &timeout)) + timeoutp = &timeout; + else + timeoutp = NULL; + + i = select(width, (void *)&readfds, NULL, NULL, timeoutp); + + if ((SSL_version(con) == DTLS1_VERSION) + && DTLSv1_handle_timeout(con) > 0) { + BIO_printf(bio_err, "TIMEOUT occurred\n"); + } + + if (i <= 0) + continue; + if (FD_ISSET(fileno_stdin(), &readfds)) + read_from_terminal = 1; +#endif + if (FD_ISSET(s, &readfds)) + read_from_sslcon = 1; + } + if (read_from_terminal) { + if (s_crlf) { + int j, lf_num; + + i = raw_read_stdin(buf, bufsize / 2); + lf_num = 0; + /* both loops are skipped when i <= 0 */ + for (j = 0; j < i; j++) + if (buf[j] == '\n') + lf_num++; + for (j = i - 1; j >= 0; j--) { + buf[j + lf_num] = buf[j]; + if (buf[j] == '\n') { + lf_num--; + i++; + buf[j + lf_num] = '\r'; + } + } + assert(lf_num == 0); + } else + i = raw_read_stdin(buf, bufsize); + + if (!s_quiet && !s_brief) { + if ((i <= 0) || (buf[0] == 'Q')) { + BIO_printf(bio_s_out, "DONE\n"); + (void)BIO_flush(bio_s_out); + BIO_closesocket(s); + close_accept_socket(); + ret = -11; + goto err; + } + if ((i <= 0) || (buf[0] == 'q')) { + BIO_printf(bio_s_out, "DONE\n"); + (void)BIO_flush(bio_s_out); + if (SSL_version(con) != DTLS1_VERSION) + BIO_closesocket(s); + /* + * close_accept_socket(); ret= -11; + */ + goto err; + } +#ifndef OPENSSL_NO_HEARTBEATS + if ((buf[0] == 'B') && ((buf[1] == '\n') || (buf[1] == '\r'))) { + BIO_printf(bio_err, "HEARTBEATING\n"); + SSL_heartbeat(con); + i = 0; + continue; + } +#endif + if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) { + SSL_renegotiate(con); + i = SSL_do_handshake(con); + printf("SSL_do_handshake -> %d\n", i); + i = 0; /* 13; */ + continue; + /* + * strcpy(buf,"server side RE-NEGOTIATE\n"); + */ + } + if ((buf[0] == 'R') && ((buf[1] == '\n') || (buf[1] == '\r'))) { + SSL_set_verify(con, + SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, + NULL); + SSL_renegotiate(con); + i = SSL_do_handshake(con); + printf("SSL_do_handshake -> %d\n", i); + i = 0; /* 13; */ + continue; + /* + * strcpy(buf,"server side RE-NEGOTIATE asking for client + * cert\n"); + */ + } + if (buf[0] == 'P') { + static const char *str = "Lets print some clear text\n"; + BIO_write(SSL_get_wbio(con), str, strlen(str)); + } + if (buf[0] == 'S') { + print_stats(bio_s_out, SSL_get_SSL_CTX(con)); + } + } +#ifdef CHARSET_EBCDIC + ebcdic2ascii(buf, buf, i); +#endif + l = k = 0; + for (;;) { + /* should do a select for the write */ +#ifdef RENEG + static count = 0; + if (++count == 100) { + count = 0; + SSL_renegotiate(con); + } +#endif + k = SSL_write(con, &(buf[l]), (unsigned int)i); +#ifndef OPENSSL_NO_SRP + while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during write\n"); + SRP_user_pwd_free(srp_callback_parm.user); + srp_callback_parm.user = + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + k = SSL_write(con, &(buf[l]), (unsigned int)i); + } +#endif + switch (SSL_get_error(con, k)) { + case SSL_ERROR_NONE: + break; + case SSL_ERROR_WANT_ASYNC: + BIO_printf(bio_s_out, "Write BLOCK (Async)\n"); + (void)BIO_flush(bio_s_out); + wait_for_async(con); + break; + case SSL_ERROR_WANT_WRITE: + case SSL_ERROR_WANT_READ: + case SSL_ERROR_WANT_X509_LOOKUP: + BIO_printf(bio_s_out, "Write BLOCK\n"); + (void)BIO_flush(bio_s_out); + break; + case SSL_ERROR_WANT_ASYNC_JOB: + /* + * This shouldn't ever happen in s_server. Treat as an error + */ + case SSL_ERROR_SYSCALL: + case SSL_ERROR_SSL: + BIO_printf(bio_s_out, "ERROR\n"); + (void)BIO_flush(bio_s_out); + ERR_print_errors(bio_err); + ret = 1; + goto err; + /* break; */ + case SSL_ERROR_ZERO_RETURN: + BIO_printf(bio_s_out, "DONE\n"); + (void)BIO_flush(bio_s_out); + ret = 1; + goto err; + } + if (k > 0) { + l += k; + i -= k; + } + if (i <= 0) + break; + } + } + if (read_from_sslcon) { + /* + * init_ssl_connection handles all async events itself so if we're + * waiting for async then we shouldn't go back into + * init_ssl_connection + */ + if ((!async || !SSL_waiting_for_async(con)) + && !SSL_is_init_finished(con)) { + i = init_ssl_connection(con); + + if (i < 0) { + ret = 0; + goto err; + } else if (i == 0) { + ret = 1; + goto err; + } + } else { + again: + i = SSL_read(con, (char *)buf, bufsize); +#ifndef OPENSSL_NO_SRP + while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + SRP_user_pwd_free(srp_callback_parm.user); + srp_callback_parm.user = + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + i = SSL_read(con, (char *)buf, bufsize); + } +#endif + switch (SSL_get_error(con, i)) { + case SSL_ERROR_NONE: +#ifdef CHARSET_EBCDIC + ascii2ebcdic(buf, buf, i); +#endif + raw_write_stdout(buf, (unsigned int)i); + (void)BIO_flush(bio_s_out); + if (SSL_has_pending(con)) + goto again; + break; + case SSL_ERROR_WANT_ASYNC: + BIO_printf(bio_s_out, "Read BLOCK (Async)\n"); + (void)BIO_flush(bio_s_out); + wait_for_async(con); + break; + case SSL_ERROR_WANT_WRITE: + case SSL_ERROR_WANT_READ: + BIO_printf(bio_s_out, "Read BLOCK\n"); + (void)BIO_flush(bio_s_out); + break; + case SSL_ERROR_WANT_ASYNC_JOB: + /* + * This shouldn't ever happen in s_server. Treat as an error + */ + case SSL_ERROR_SYSCALL: + case SSL_ERROR_SSL: + BIO_printf(bio_s_out, "ERROR\n"); + (void)BIO_flush(bio_s_out); + ERR_print_errors(bio_err); + ret = 1; + goto err; + case SSL_ERROR_ZERO_RETURN: + BIO_printf(bio_s_out, "DONE\n"); + (void)BIO_flush(bio_s_out); + ret = 1; + goto err; + } + } + } + } + err: + if (con != NULL) { + BIO_printf(bio_s_out, "shutting down SSL\n"); + SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); + SSL_free(con); + } + BIO_printf(bio_s_out, "CONNECTION CLOSED\n"); + OPENSSL_clear_free(buf, bufsize); + if (ret >= 0) + BIO_printf(bio_s_out, "ACCEPT\n"); + (void)BIO_flush(bio_s_out); + return (ret); +} + +static void close_accept_socket(void) +{ + BIO_printf(bio_err, "shutdown accept socket\n"); + if (accept_socket >= 0) { + BIO_closesocket(accept_socket); + } +} + +static int init_ssl_connection(SSL *con) +{ + int i; + const char *str; + X509 *peer; + long verify_err; + char buf[BUFSIZ]; +#if !defined(OPENSSL_NO_NEXTPROTONEG) + const unsigned char *next_proto_neg; + unsigned next_proto_neg_len; +#endif + unsigned char *exportedkeymat; + int retry = 0; + +#ifndef OPENSSL_NO_DTLS + if (dtlslisten) { + BIO_ADDR *client = NULL; + + if ((client = BIO_ADDR_new()) == NULL) { + BIO_printf(bio_err, "ERROR - memory\n"); + return 0; + } + i = DTLSv1_listen(con, client); + if (i > 0) { + BIO *wbio; + int fd = -1; + + wbio = SSL_get_wbio(con); + if (wbio) { + BIO_get_fd(wbio, &fd); + } + + if (!wbio || BIO_connect(fd, client, 0) == 0) { + BIO_printf(bio_err, "ERROR - unable to connect\n"); + BIO_ADDR_free(client); + return 0; + } + BIO_ADDR_free(client); + dtlslisten = 0; + i = SSL_accept(con); + } else { + BIO_ADDR_free(client); + } + } else +#endif + + do { + i = SSL_accept(con); + + if (i <= 0) + retry = BIO_sock_should_retry(i); +#ifdef CERT_CB_TEST_RETRY + { + while (i <= 0 + && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP + && SSL_get_state(con) == TLS_ST_SR_CLNT_HELLO) { + BIO_printf(bio_err, + "LOOKUP from certificate callback during accept\n"); + i = SSL_accept(con); + if (i <= 0) + retry = BIO_sock_should_retry(i); + } + } +#endif + +#ifndef OPENSSL_NO_SRP + while (i <= 0 + && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP during accept %s\n", + srp_callback_parm.login); + SRP_user_pwd_free(srp_callback_parm.user); + srp_callback_parm.user = + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + i = SSL_accept(con); + if (i <= 0) + retry = BIO_sock_should_retry(i); + } +#endif + } while (i < 0 && SSL_waiting_for_async(con)); + + if (i <= 0) { + if ((dtlslisten && i == 0) + || (!dtlslisten && retry)) { + BIO_printf(bio_s_out, "DELAY\n"); + return (1); + } + + BIO_printf(bio_err, "ERROR\n"); + + verify_err = SSL_get_verify_result(con); + if (verify_err != X509_V_OK) { + BIO_printf(bio_err, "verify error:%s\n", + X509_verify_cert_error_string(verify_err)); + } + /* Always print any error messages */ + ERR_print_errors(bio_err); + return (0); + } + + if (s_brief) + print_ssl_summary(con); + + PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con)); + + peer = SSL_get_peer_certificate(con); + if (peer != NULL) { + BIO_printf(bio_s_out, "Client certificate\n"); + PEM_write_bio_X509(bio_s_out, peer); + X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof(buf)); + BIO_printf(bio_s_out, "subject=%s\n", buf); + X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof(buf)); + BIO_printf(bio_s_out, "issuer=%s\n", buf); + X509_free(peer); + peer = NULL; + } + + if (SSL_get_shared_ciphers(con, buf, sizeof(buf)) != NULL) + BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf); + str = SSL_CIPHER_get_name(SSL_get_current_cipher(con)); + ssl_print_sigalgs(bio_s_out, con); +#ifndef OPENSSL_NO_EC + ssl_print_point_formats(bio_s_out, con); + ssl_print_curves(bio_s_out, con, 0); +#endif + BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)"); + +#if !defined(OPENSSL_NO_NEXTPROTONEG) + SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); + if (next_proto_neg) { + BIO_printf(bio_s_out, "NEXTPROTO is "); + BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len); + BIO_printf(bio_s_out, "\n"); + } +#endif +#ifndef OPENSSL_NO_SRTP + { + SRTP_PROTECTION_PROFILE *srtp_profile + = SSL_get_selected_srtp_profile(con); + + if (srtp_profile) + BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n", + srtp_profile->name); + } +#endif + if (SSL_session_reused(con)) + BIO_printf(bio_s_out, "Reused session-id\n"); + BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); + if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION)) + BIO_printf(bio_s_out, "Renegotiation is DISABLED\n"); + + if (keymatexportlabel != NULL) { + BIO_printf(bio_s_out, "Keying material exporter:\n"); + BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); + BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen); + exportedkeymat = app_malloc(keymatexportlen, "export key"); + if (!SSL_export_keying_material(con, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0)) { + BIO_printf(bio_s_out, " Error\n"); + } else { + BIO_printf(bio_s_out, " Keying material: "); + for (i = 0; i < keymatexportlen; i++) + BIO_printf(bio_s_out, "%02X", exportedkeymat[i]); + BIO_printf(bio_s_out, "\n"); + } + OPENSSL_free(exportedkeymat); + } + + (void)BIO_flush(bio_s_out); + return (1); +} + +#ifndef OPENSSL_NO_DH +static DH *load_dh_param(const char *dhfile) +{ + DH *ret = NULL; + BIO *bio; + + if ((bio = BIO_new_file(dhfile, "r")) == NULL) + goto err; + ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); + err: + BIO_free(bio); + return (ret); +} +#endif + +static int www_body(int s, int stype, unsigned char *context) +{ + char *buf = NULL; + int ret = 1; + int i, j, k, dot; + SSL *con; + const SSL_CIPHER *c; + BIO *io, *ssl_bio, *sbio; +#ifdef RENEG + int total_bytes = 0; +#endif + int width; + fd_set readfds; + + /* Set width for a select call if needed */ + width = s + 1; + + buf = app_malloc(bufsize, "server www buffer"); + io = BIO_new(BIO_f_buffer()); + ssl_bio = BIO_new(BIO_f_ssl()); + if ((io == NULL) || (ssl_bio == NULL)) + goto err; + + if (s_nbio) { + if (!BIO_socket_nbio(s, 1)) + ERR_print_errors(bio_err); + else if (!s_quiet) + BIO_printf(bio_err, "Turned on non blocking io\n"); + } + + /* lets make the output buffer a reasonable size */ + if (!BIO_set_write_buffer_size(io, bufsize)) + goto err; + + if ((con = SSL_new(ctx)) == NULL) + goto err; + + if (s_tlsextdebug) { + SSL_set_tlsext_debug_callback(con, tlsext_cb); + SSL_set_tlsext_debug_arg(con, bio_s_out); + } + + if (context + && !SSL_set_session_id_context(con, context, + strlen((char *)context))) + goto err; + + sbio = BIO_new_socket(s, BIO_NOCLOSE); + if (s_nbio_test) { + BIO *test; + + test = BIO_new(BIO_f_nbio_test()); + sbio = BIO_push(test, sbio); + } + SSL_set_bio(con, sbio, sbio); + SSL_set_accept_state(con); + + /* SSL_set_fd(con,s); */ + BIO_set_ssl(ssl_bio, con, BIO_CLOSE); + BIO_push(io, ssl_bio); +#ifdef CHARSET_EBCDIC + io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io); +#endif + + if (s_debug) { + BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); + BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out); + } + if (s_msg) { +#ifndef OPENSSL_NO_SSL_TRACE + if (s_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); + } + + for (;;) { + i = BIO_gets(io, buf, bufsize - 1); + if (i < 0) { /* error */ + if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) { + if (!s_quiet) + ERR_print_errors(bio_err); + goto err; + } else { + BIO_printf(bio_s_out, "read R BLOCK\n"); +#ifndef OPENSSL_NO_SRP + if (BIO_should_io_special(io) + && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + SRP_user_pwd_free(srp_callback_parm.user); + srp_callback_parm.user = + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + continue; + } +#endif +#if !defined(OPENSSL_SYS_MSDOS) + sleep(1); +#endif + continue; + } + } else if (i == 0) { /* end of input */ + ret = 1; + goto end; + } + + /* else we have data */ + if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) || + ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) { + char *p; + X509 *peer = NULL; + STACK_OF(SSL_CIPHER) *sk; + static const char *space = " "; + + if (www == 1 && strncmp("GET /reneg", buf, 10) == 0) { + if (strncmp("GET /renegcert", buf, 14) == 0) + SSL_set_verify(con, + SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, + NULL); + i = SSL_renegotiate(con); + BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i); + /* Send the HelloRequest */ + i = SSL_do_handshake(con); + if (i <= 0) { + BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n", + SSL_get_error(con, i)); + ERR_print_errors(bio_err); + goto err; + } + /* Wait for a ClientHello to come back */ + FD_ZERO(&readfds); + openssl_fdset(s, &readfds); + i = select(width, (void *)&readfds, NULL, NULL, NULL); + if (i <= 0 || !FD_ISSET(s, &readfds)) { + BIO_printf(bio_s_out, + "Error waiting for client response\n"); + ERR_print_errors(bio_err); + goto err; + } + /* + * We're not actually expecting any data here and we ignore + * any that is sent. This is just to force the handshake that + * we're expecting to come from the client. If they haven't + * sent one there's not much we can do. + */ + BIO_gets(io, buf, bufsize - 1); + } + + BIO_puts(io, + "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); + BIO_puts(io, "\n"); + BIO_puts(io, "
\n");
+            /* BIO_puts(io, OpenSSL_version(OPENSSL_VERSION)); */
+            BIO_puts(io, "\n");
+            for (i = 0; i < local_argc; i++) {
+                const char *myp;
+                for (myp = local_argv[i]; *myp; myp++)
+                    switch (*myp) {
+                    case '<':
+                        BIO_puts(io, "<");
+                        break;
+                    case '>':
+                        BIO_puts(io, ">");
+                        break;
+                    case '&':
+                        BIO_puts(io, "&");
+                        break;
+                    default:
+                        BIO_write(io, myp, 1);
+                        break;
+                    }
+                BIO_write(io, " ", 1);
+            }
+            BIO_puts(io, "\n");
+
+            BIO_printf(io,
+                       "Secure Renegotiation IS%s supported\n",
+                       SSL_get_secure_renegotiation_support(con) ?
+                       "" : " NOT");
+
+            /*
+             * The following is evil and should not really be done
+             */
+            BIO_printf(io, "Ciphers supported in s_server binary\n");
+            sk = SSL_get_ciphers(con);
+            j = sk_SSL_CIPHER_num(sk);
+            for (i = 0; i < j; i++) {
+                c = sk_SSL_CIPHER_value(sk, i);
+                BIO_printf(io, "%-11s:%-25s ",
+                           SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
+                if ((((i + 1) % 2) == 0) && (i + 1 != j))
+                    BIO_puts(io, "\n");
+            }
+            BIO_puts(io, "\n");
+            p = SSL_get_shared_ciphers(con, buf, bufsize);
+            if (p != NULL) {
+                BIO_printf(io,
+                           "---\nCiphers common between both SSL end points:\n");
+                j = i = 0;
+                while (*p) {
+                    if (*p == ':') {
+                        BIO_write(io, space, 26 - j);
+                        i++;
+                        j = 0;
+                        BIO_write(io, ((i % 3) ? " " : "\n"), 1);
+                    } else {
+                        BIO_write(io, p, 1);
+                        j++;
+                    }
+                    p++;
+                }
+                BIO_puts(io, "\n");
+            }
+            ssl_print_sigalgs(io, con);
+#ifndef OPENSSL_NO_EC
+            ssl_print_curves(io, con, 0);
+#endif
+            BIO_printf(io, (SSL_session_reused(con)
+                            ? "---\nReused, " : "---\nNew, "));
+            c = SSL_get_current_cipher(con);
+            BIO_printf(io, "%s, Cipher is %s\n",
+                       SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
+            SSL_SESSION_print(io, SSL_get_session(con));
+            BIO_printf(io, "---\n");
+            print_stats(io, SSL_get_SSL_CTX(con));
+            BIO_printf(io, "---\n");
+            peer = SSL_get_peer_certificate(con);
+            if (peer != NULL) {
+                BIO_printf(io, "Client certificate\n");
+                X509_print(io, peer);
+                PEM_write_bio_X509(io, peer);
+                X509_free(peer);
+                peer = NULL;
+            } else {
+                BIO_puts(io, "no client certificate available\n");
+            }
+            BIO_puts(io, "
\r\n\r\n"); + break; + } else if ((www == 2 || www == 3) + && (strncmp("GET /", buf, 5) == 0)) { + BIO *file; + char *p, *e; + static const char *text = + "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"; + + /* skip the '/' */ + p = &(buf[5]); + + dot = 1; + for (e = p; *e != '\0'; e++) { + if (e[0] == ' ') + break; + + switch (dot) { + case 1: + dot = (e[0] == '.') ? 2 : 0; + break; + case 2: + dot = (e[0] == '.') ? 3 : 0; + break; + case 3: + dot = (e[0] == '/') ? -1 : 0; + break; + } + if (dot == 0) + dot = (e[0] == '/') ? 1 : 0; + } + dot = (dot == 3) || (dot == -1); /* filename contains ".." + * component */ + + if (*e == '\0') { + BIO_puts(io, text); + BIO_printf(io, "'%s' is an invalid file name\r\n", p); + break; + } + *e = '\0'; + + if (dot) { + BIO_puts(io, text); + BIO_printf(io, "'%s' contains '..' reference\r\n", p); + break; + } + + if (*p == '/') { + BIO_puts(io, text); + BIO_printf(io, "'%s' is an invalid path\r\n", p); + break; + } + + /* if a directory, do the index thang */ + if (app_isdir(p) > 0) { + BIO_puts(io, text); + BIO_printf(io, "'%s' is a directory\r\n", p); + break; + } + + if ((file = BIO_new_file(p, "r")) == NULL) { + BIO_puts(io, text); + BIO_printf(io, "Error opening '%s'\r\n", p); + ERR_print_errors(io); + break; + } + + if (!s_quiet) + BIO_printf(bio_err, "FILE:%s\n", p); + + if (www == 2) { + i = strlen(p); + if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) || + ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) || + ((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0))) + BIO_puts(io, + "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); + else + BIO_puts(io, + "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"); + } + /* send the file */ + for (;;) { + i = BIO_read(file, buf, bufsize); + if (i <= 0) + break; + +#ifdef RENEG + total_bytes += i; + BIO_printf(bio_err, "%d\n", i); + if (total_bytes > 3 * 1024) { + total_bytes = 0; + BIO_printf(bio_err, "RENEGOTIATE\n"); + SSL_renegotiate(con); + } +#endif + + for (j = 0; j < i;) { +#ifdef RENEG + static count = 0; + if (++count == 13) { + SSL_renegotiate(con); + } +#endif + k = BIO_write(io, &(buf[j]), i - j); + if (k <= 0) { + if (!BIO_should_retry(io) + && !SSL_waiting_for_async(con)) + goto write_error; + else { + BIO_printf(bio_s_out, "rwrite W BLOCK\n"); + } + } else { + j += k; + } + } + } + write_error: + BIO_free(file); + break; + } + } + + for (;;) { + i = (int)BIO_flush(io); + if (i <= 0) { + if (!BIO_should_retry(io)) + break; + } else + break; + } + end: + /* make sure we re-use sessions */ + SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); + + err: + if (ret >= 0) + BIO_printf(bio_s_out, "ACCEPT\n"); + OPENSSL_free(buf); + BIO_free_all(io); + return (ret); +} + +static int rev_body(int s, int stype, unsigned char *context) +{ + char *buf = NULL; + int i; + int ret = 1; + SSL *con; + BIO *io, *ssl_bio, *sbio; + + buf = app_malloc(bufsize, "server rev buffer"); + io = BIO_new(BIO_f_buffer()); + ssl_bio = BIO_new(BIO_f_ssl()); + if ((io == NULL) || (ssl_bio == NULL)) + goto err; + + /* lets make the output buffer a reasonable size */ + if (!BIO_set_write_buffer_size(io, bufsize)) + goto err; + + if ((con = SSL_new(ctx)) == NULL) + goto err; + + if (s_tlsextdebug) { + SSL_set_tlsext_debug_callback(con, tlsext_cb); + SSL_set_tlsext_debug_arg(con, bio_s_out); + } + if (context + && !SSL_set_session_id_context(con, context, + strlen((char *)context))) { + ERR_print_errors(bio_err); + goto err; + } + + sbio = BIO_new_socket(s, BIO_NOCLOSE); + SSL_set_bio(con, sbio, sbio); + SSL_set_accept_state(con); + + BIO_set_ssl(ssl_bio, con, BIO_CLOSE); + BIO_push(io, ssl_bio); +#ifdef CHARSET_EBCDIC + io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io); +#endif + + if (s_debug) { + BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); + BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out); + } + if (s_msg) { +#ifndef OPENSSL_NO_SSL_TRACE + if (s_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); + } + + for (;;) { + i = BIO_do_handshake(io); + if (i > 0) + break; + if (!BIO_should_retry(io)) { + BIO_puts(bio_err, "CONNECTION FAILURE\n"); + ERR_print_errors(bio_err); + goto end; + } +#ifndef OPENSSL_NO_SRP + if (BIO_should_io_special(io) + && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during accept\n"); + SRP_user_pwd_free(srp_callback_parm.user); + srp_callback_parm.user = + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + continue; + } +#endif + } + BIO_printf(bio_err, "CONNECTION ESTABLISHED\n"); + print_ssl_summary(con); + + for (;;) { + i = BIO_gets(io, buf, bufsize - 1); + if (i < 0) { /* error */ + if (!BIO_should_retry(io)) { + if (!s_quiet) + ERR_print_errors(bio_err); + goto err; + } else { + BIO_printf(bio_s_out, "read R BLOCK\n"); +#ifndef OPENSSL_NO_SRP + if (BIO_should_io_special(io) + && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + SRP_user_pwd_free(srp_callback_parm.user); + srp_callback_parm.user = + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + continue; + } +#endif +#if !defined(OPENSSL_SYS_MSDOS) + sleep(1); +#endif + continue; + } + } else if (i == 0) { /* end of input */ + ret = 1; + BIO_printf(bio_err, "CONNECTION CLOSED\n"); + goto end; + } else { + char *p = buf + i - 1; + while (i && (*p == '\n' || *p == '\r')) { + p--; + i--; + } + if (!s_ign_eof && (i == 5) && (strncmp(buf, "CLOSE", 5) == 0)) { + ret = 1; + BIO_printf(bio_err, "CONNECTION CLOSED\n"); + goto end; + } + BUF_reverse((unsigned char *)buf, NULL, i); + buf[i] = '\n'; + BIO_write(io, buf, i + 1); + for (;;) { + i = BIO_flush(io); + if (i > 0) + break; + if (!BIO_should_retry(io)) + goto end; + } + } + } + end: + /* make sure we re-use sessions */ + SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); + + err: + + OPENSSL_free(buf); + BIO_free_all(io); + return (ret); +} + +#define MAX_SESSION_ID_ATTEMPTS 10 +static int generate_session_id(const SSL *ssl, unsigned char *id, + unsigned int *id_len) +{ + unsigned int count = 0; + do { + if (RAND_bytes(id, *id_len) <= 0) + return 0; + /* + * Prefix the session_id with the required prefix. NB: If our prefix + * is too long, clip it - but there will be worse effects anyway, eg. + * the server could only possibly create 1 session ID (ie. the + * prefix!) so all future session negotiations will fail due to + * conflicts. + */ + memcpy(id, session_id_prefix, + (strlen(session_id_prefix) < *id_len) ? + strlen(session_id_prefix) : *id_len); + } + while (SSL_has_matching_session_id(ssl, id, *id_len) && + (++count < MAX_SESSION_ID_ATTEMPTS)); + if (count >= MAX_SESSION_ID_ATTEMPTS) + return 0; + return 1; +} + +/* + * By default s_server uses an in-memory cache which caches SSL_SESSION + * structures without any serialisation. This hides some bugs which only + * become apparent in deployed servers. By implementing a basic external + * session cache some issues can be debugged using s_server. + */ + +typedef struct simple_ssl_session_st { + unsigned char *id; + unsigned int idlen; + unsigned char *der; + int derlen; + struct simple_ssl_session_st *next; +} simple_ssl_session; + +static simple_ssl_session *first = NULL; + +static int add_session(SSL *ssl, SSL_SESSION *session) +{ + simple_ssl_session *sess = app_malloc(sizeof(*sess), "get session"); + unsigned char *p; + + SSL_SESSION_get_id(session, &sess->idlen); + sess->derlen = i2d_SSL_SESSION(session, NULL); + if (sess->derlen < 0) { + BIO_printf(bio_err, "Error encoding session\n"); + OPENSSL_free(sess); + return 0; + } + + sess->id = OPENSSL_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen); + sess->der = app_malloc(sess->derlen, "get session buffer"); + if (!sess->id) { + BIO_printf(bio_err, "Out of memory adding to external cache\n"); + OPENSSL_free(sess->id); + OPENSSL_free(sess->der); + OPENSSL_free(sess); + return 0; + } + p = sess->der; + + /* Assume it still works. */ + if (i2d_SSL_SESSION(session, &p) != sess->derlen) { + BIO_printf(bio_err, "Unexpected session encoding length\n"); + OPENSSL_free(sess->id); + OPENSSL_free(sess->der); + OPENSSL_free(sess); + return 0; + } + + sess->next = first; + first = sess; + BIO_printf(bio_err, "New session added to external cache\n"); + return 0; +} + +static SSL_SESSION *get_session(SSL *ssl, const unsigned char *id, int idlen, + int *do_copy) +{ + simple_ssl_session *sess; + *do_copy = 0; + for (sess = first; sess; sess = sess->next) { + if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen)) { + const unsigned char *p = sess->der; + BIO_printf(bio_err, "Lookup session: cache hit\n"); + return d2i_SSL_SESSION(NULL, &p, sess->derlen); + } + } + BIO_printf(bio_err, "Lookup session: cache miss\n"); + return NULL; +} + +static void del_session(SSL_CTX *sctx, SSL_SESSION *session) +{ + simple_ssl_session *sess, *prev = NULL; + const unsigned char *id; + unsigned int idlen; + id = SSL_SESSION_get_id(session, &idlen); + for (sess = first; sess; sess = sess->next) { + if (idlen == sess->idlen && !memcmp(sess->id, id, idlen)) { + if (prev) + prev->next = sess->next; + else + first = sess->next; + OPENSSL_free(sess->id); + OPENSSL_free(sess->der); + OPENSSL_free(sess); + return; + } + prev = sess; + } +} + +static void init_session_cache_ctx(SSL_CTX *sctx) +{ + SSL_CTX_set_session_cache_mode(sctx, + SSL_SESS_CACHE_NO_INTERNAL | + SSL_SESS_CACHE_SERVER); + SSL_CTX_sess_set_new_cb(sctx, add_session); + SSL_CTX_sess_set_get_cb(sctx, get_session); + SSL_CTX_sess_set_remove_cb(sctx, del_session); +} + +static void free_sessions(void) +{ + simple_ssl_session *sess, *tsess; + for (sess = first; sess;) { + OPENSSL_free(sess->id); + OPENSSL_free(sess->der); + tsess = sess; + sess = sess->next; + OPENSSL_free(tsess); + } + first = NULL; +} + +#endif /* OPENSSL_NO_SOCK */ diff --git a/openssl-1.1.0h/apps/s_socket.c b/openssl-1.1.0h/apps/s_socket.c new file mode 100644 index 0000000..458aa86 --- /dev/null +++ b/openssl-1.1.0h/apps/s_socket.c @@ -0,0 +1,250 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* socket-related functions used by s_client and s_server */ +#include +#include +#include +#include +#include +#include + +/* + * With IPv6, it looks like Digital has mixed up the proper order of + * recursive header file inclusion, resulting in the compiler complaining + * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is + * needed to have fileno() declared correctly... So let's define u_int + */ +#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) +# define __U_INT +typedef unsigned int u_int; +#endif + +#ifndef OPENSSL_NO_SOCK + +# define USE_SOCKETS +# include "apps.h" +# undef USE_SOCKETS +# include "s_apps.h" + +# include +# include + +/* + * init_client - helper routine to set up socket communication + * @sock: pointer to storage of resulting socket. + * @host: the host name or path (for AF_UNIX) to connect to. + * @port: the port to connect to (ignored for AF_UNIX). + * @family: desired socket family, may be AF_INET, AF_INET6, AF_UNIX or + * AF_UNSPEC + * @type: socket type, must be SOCK_STREAM or SOCK_DGRAM + * + * This will create a socket and use it to connect to a host:port, or if + * family == AF_UNIX, to the path found in host. + * + * If the host has more than one address, it will try them one by one until + * a successful connection is established. The resulting socket will be + * found in *sock on success, it will be given INVALID_SOCKET otherwise. + * + * Returns 1 on success, 0 on failure. + */ +int init_client(int *sock, const char *host, const char *port, + int family, int type) +{ + BIO_ADDRINFO *res = NULL; + const BIO_ADDRINFO *ai = NULL; + int ret; + + if (!BIO_sock_init()) + return 0; + + ret = BIO_lookup(host, port, BIO_LOOKUP_CLIENT, family, type, &res); + if (ret == 0) { + ERR_print_errors(bio_err); + return 0; + } + + ret = 0; + for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) { + /* Admittedly, these checks are quite paranoid, we should not get + * anything in the BIO_ADDRINFO chain that we haven't + * asked for. */ + OPENSSL_assert((family == AF_UNSPEC + || family == BIO_ADDRINFO_family(ai)) + && (type == 0 || type == BIO_ADDRINFO_socktype(ai))); + + *sock = BIO_socket(BIO_ADDRINFO_family(ai), BIO_ADDRINFO_socktype(ai), + BIO_ADDRINFO_protocol(ai), 0); + if (*sock == INVALID_SOCKET) { + /* Maybe the kernel doesn't support the socket family, even if + * BIO_lookup() added it in the returned result... + */ + continue; + } + if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai), 0)) { + BIO_closesocket(*sock); + *sock = INVALID_SOCKET; + continue; + } + + /* Success, don't try any more addresses */ + break; + } + + if (*sock == INVALID_SOCKET) { + ERR_print_errors(bio_err); + } else { + /* Remove any stale errors from previous connection attempts */ + ERR_clear_error(); + ret = 1; + } + BIO_ADDRINFO_free(res); + return ret; +} + +/* + * do_server - helper routine to perform a server operation + * @accept_sock: pointer to storage of resulting socket. + * @host: the host name or path (for AF_UNIX) to connect to. + * @port: the port to connect to (ignored for AF_UNIX). + * @family: desired socket family, may be AF_INET, AF_INET6, AF_UNIX or + * AF_UNSPEC + * @type: socket type, must be SOCK_STREAM or SOCK_DGRAM + * @cb: pointer to a function that receives the accepted socket and + * should perform the communication with the connecting client. + * @context: pointer to memory that's passed verbatim to the cb function. + * @naccept: number of times an incoming connect should be accepted. If -1, + * unlimited number. + * + * This will create a socket and use it to listen to a host:port, or if + * family == AF_UNIX, to the path found in host, then start accepting + * incoming connections and run cb on the resulting socket. + * + * 0 on failure, something other on success. + */ +int do_server(int *accept_sock, const char *host, const char *port, + int family, int type, do_server_cb cb, + unsigned char *context, int naccept) +{ + int asock = 0; + int sock; + int i; + BIO_ADDRINFO *res = NULL; + const BIO_ADDRINFO *next; + int sock_family, sock_type, sock_protocol; + const BIO_ADDR *sock_address; + int sock_options = BIO_SOCK_REUSEADDR; + int ret = 0; + + if (!BIO_sock_init()) + return 0; + + if (!BIO_lookup(host, port, BIO_LOOKUP_SERVER, family, type, &res)) { + ERR_print_errors(bio_err); + return 0; + } + + /* Admittedly, these checks are quite paranoid, we should not get + * anything in the BIO_ADDRINFO chain that we haven't asked for */ + OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res)) + && (type == 0 || type == BIO_ADDRINFO_socktype(res))); + + sock_family = BIO_ADDRINFO_family(res); + sock_type = BIO_ADDRINFO_socktype(res); + sock_protocol = BIO_ADDRINFO_protocol(res); + sock_address = BIO_ADDRINFO_address(res); + next = BIO_ADDRINFO_next(res); + if (sock_family == AF_INET6) + sock_options |= BIO_SOCK_V6_ONLY; + if (next != NULL + && BIO_ADDRINFO_socktype(next) == sock_type + && BIO_ADDRINFO_protocol(next) == sock_protocol) { + if (sock_family == AF_INET + && BIO_ADDRINFO_family(next) == AF_INET6) { + sock_family = AF_INET6; + sock_address = BIO_ADDRINFO_address(next); + } else if (sock_family == AF_INET6 + && BIO_ADDRINFO_family(next) == AF_INET) { + sock_options &= ~BIO_SOCK_V6_ONLY; + } + } + + asock = BIO_socket(sock_family, sock_type, sock_protocol, 0); + if (asock == INVALID_SOCKET + || !BIO_listen(asock, sock_address, sock_options)) { + BIO_ADDRINFO_free(res); + ERR_print_errors(bio_err); + if (asock != INVALID_SOCKET) + BIO_closesocket(asock); + goto end; + } + + BIO_ADDRINFO_free(res); + res = NULL; + + if (accept_sock != NULL) + *accept_sock = asock; + for (;;) { + if (type == SOCK_STREAM) { + do { + sock = BIO_accept_ex(asock, NULL, 0); + } while (sock < 0 && BIO_sock_should_retry(sock)); + if (sock < 0) { + ERR_print_errors(bio_err); + BIO_closesocket(asock); + break; + } + i = (*cb)(sock, type, context); + + /* + * Give the socket time to send its last data before we close it. + * No amount of setting SO_LINGER etc on the socket seems to + * persuade Windows to send the data before closing the socket... + * but sleeping for a short time seems to do it (units in ms) + * TODO: Find a better way to do this + */ +#if defined(OPENSSL_SYS_WINDOWS) + Sleep(50); +#elif defined(OPENSSL_SYS_CYGWIN) + usleep(50000); +#endif + + /* + * If we ended with an alert being sent, but still with data in the + * network buffer to be read, then calling BIO_closesocket() will + * result in a TCP-RST being sent. On some platforms (notably + * Windows) then this will result in the peer immediately abandoning + * the connection including any buffered alert data before it has + * had a chance to be read. Shutting down the sending side first, + * and then closing the socket sends TCP-FIN first followed by + * TCP-RST. This seems to allow the peer to read the alert data. + */ + shutdown(sock, 1); /* SHUT_WR */ + BIO_closesocket(sock); + } else { + i = (*cb)(asock, type, context); + } + + if (naccept != -1) + naccept--; + if (i < 0 || naccept == 0) { + BIO_closesocket(asock); + ret = i; + break; + } + } + end: +# ifdef AF_UNIX + if (family == AF_UNIX) + unlink(host); +# endif + return ret; +} + +#endif /* OPENSSL_NO_SOCK */ diff --git a/openssl-1.1.0h/apps/s_time.c b/openssl-1.1.0h/apps/s_time.c new file mode 100644 index 0000000..dc0ec4a --- /dev/null +++ b/openssl-1.1.0h/apps/s_time.c @@ -0,0 +1,385 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include + +#include + +#ifndef OPENSSL_NO_SOCK + +#define USE_SOCKETS +#include "apps.h" +#include +#include +#include +#include "s_apps.h" +#include +#if !defined(OPENSSL_SYS_MSDOS) +# include OPENSSL_UNISTD +#endif + +#define SSL_CONNECT_NAME "localhost:4433" + +#define SECONDS 30 +#define SECONDSSTR "30" + +static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx); + +static const char fmt_http_get_cmd[] = "GET %s HTTP/1.0\r\n\r\n"; + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_CONNECT, OPT_CIPHER, OPT_CERT, OPT_KEY, OPT_CAPATH, + OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS, + OPT_VERIFY, OPT_TIME, OPT_SSL3, + OPT_WWW +} OPTION_CHOICE; + +OPTIONS s_time_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"connect", OPT_CONNECT, 's', + "Where to connect as post:port (default is " SSL_CONNECT_NAME ")"}, + {"cipher", OPT_CIPHER, 's', "Cipher to use, see 'openssl ciphers'"}, + {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"}, + {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"new", OPT_NEW, '-', "Just time new connections"}, + {"reuse", OPT_REUSE, '-', "Just time connection reuse"}, + {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"}, + {"verify", OPT_VERIFY, 'p', + "Turn on peer certificate verification, set depth"}, + {"time", OPT_TIME, 'p', "Seconds to collect data, default " SECONDSSTR}, + {"www", OPT_WWW, 's', "Fetch specified page from the site"}, +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, +#endif + {NULL} +}; + +#define START 0 +#define STOP 1 + +static double tm_Time_F(int s) +{ + return app_tminterval(s, 1); +} + +int s_time_main(int argc, char **argv) +{ + char buf[1024 * 8]; + SSL *scon = NULL; + SSL_CTX *ctx = NULL; + const SSL_METHOD *meth = NULL; + char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *www_path = NULL; + char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog; + double totalTime = 0.0; + int noCApath = 0, noCAfile = 0; + int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs = 0; + long bytes_read = 0, finishtime = 0; + OPTION_CHOICE o; + int max_version = 0, ver, buf_len; + size_t buf_size; + + meth = TLS_client_method(); + + prog = opt_init(argc, argv, s_time_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(s_time_options); + ret = 0; + goto end; + case OPT_CONNECT: + host = opt_arg(); + break; + case OPT_REUSE: + perform = 2; + break; + case OPT_NEW: + perform = 1; + break; + case OPT_VERIFY: + if (!opt_int(opt_arg(), &verify_args.depth)) + goto opthelp; + BIO_printf(bio_err, "%s: verify depth is %d\n", + prog, verify_args.depth); + break; + case OPT_CERT: + certfile = opt_arg(); + break; + case OPT_KEY: + keyfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_CIPHER: + cipher = opt_arg(); + break; + case OPT_BUGS: + st_bugs = 1; + break; + case OPT_TIME: + if (!opt_int(opt_arg(), &maxtime)) + goto opthelp; + break; + case OPT_WWW: + www_path = opt_arg(); + buf_size = strlen(www_path) + sizeof(fmt_http_get_cmd) - 2; /* 2 is for %s */ + if (buf_size > sizeof(buf)) { + BIO_printf(bio_err, "%s: -www option is too long\n", prog); + goto end; + } + break; + case OPT_SSL3: + max_version = SSL3_VERSION; + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (cipher == NULL) + cipher = getenv("SSL_CIPHER"); + if (cipher == NULL) + BIO_printf(bio_err, "No CIPHER specified\n"); + + if ((ctx = SSL_CTX_new(meth)) == NULL) + goto end; + + SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_quiet_shutdown(ctx, 1); + if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0) + goto end; + + if (st_bugs) + SSL_CTX_set_options(ctx, SSL_OP_ALL); + if (cipher != NULL && !SSL_CTX_set_cipher_list(ctx, cipher)) + goto end; + if (!set_cert_stuff(ctx, certfile, keyfile)) + goto end; + + if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) { + ERR_print_errors(bio_err); + goto end; + } + if (!(perform & 1)) + goto next; + printf("Collecting connection statistics for %d seconds\n", maxtime); + + /* Loop and time how long it takes to make connections */ + + bytes_read = 0; + finishtime = (long)time(NULL) + maxtime; + tm_Time_F(START); + for (;;) { + if (finishtime < (long)time(NULL)) + break; + + if ((scon = doConnection(NULL, host, ctx)) == NULL) + goto end; + + if (www_path != NULL) { + buf_len = BIO_snprintf(buf, sizeof(buf), + fmt_http_get_cmd, www_path); + if (SSL_write(scon, buf, buf_len) <= 0) + goto end; + while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) + bytes_read += i; + } + SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); + BIO_closesocket(SSL_get_fd(scon)); + + nConn += 1; + if (SSL_session_reused(scon)) + ver = 'r'; + else { + ver = SSL_version(scon); + if (ver == TLS1_VERSION) + ver = 't'; + else if (ver == SSL3_VERSION) + ver = '3'; + else + ver = '*'; + } + fputc(ver, stdout); + fflush(stdout); + + SSL_free(scon); + scon = NULL; + } + totalTime += tm_Time_F(STOP); /* Add the time for this iteration */ + + i = (int)((long)time(NULL) - finishtime + maxtime); + printf + ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", + nConn, totalTime, ((double)nConn / totalTime), bytes_read); + printf + ("%d connections in %ld real seconds, %ld bytes read per connection\n", + nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn); + + /* + * Now loop and time connections using the same session id over and over + */ + + next: + if (!(perform & 2)) + goto end; + printf("\n\nNow timing with session id reuse.\n"); + + /* Get an SSL object so we can reuse the session id */ + if ((scon = doConnection(NULL, host, ctx)) == NULL) { + BIO_printf(bio_err, "Unable to get connection\n"); + goto end; + } + + if (www_path != NULL) { + buf_len = BIO_snprintf(buf, sizeof(buf), + fmt_http_get_cmd, www_path); + if (SSL_write(scon, buf, buf_len) <= 0) + goto end; + while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) + continue; + } + SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); + BIO_closesocket(SSL_get_fd(scon)); + + nConn = 0; + totalTime = 0.0; + + finishtime = (long)time(NULL) + maxtime; + + printf("starting\n"); + bytes_read = 0; + tm_Time_F(START); + + for (;;) { + if (finishtime < (long)time(NULL)) + break; + + if ((doConnection(scon, host, ctx)) == NULL) + goto end; + + if (www_path) { + BIO_snprintf(buf, sizeof(buf), "GET %s HTTP/1.0\r\n\r\n", + www_path); + if (SSL_write(scon, buf, strlen(buf)) <= 0) + goto end; + while ((i = SSL_read(scon, buf, sizeof(buf))) > 0) + bytes_read += i; + } + SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); + BIO_closesocket(SSL_get_fd(scon)); + + nConn += 1; + if (SSL_session_reused(scon)) + ver = 'r'; + else { + ver = SSL_version(scon); + if (ver == TLS1_VERSION) + ver = 't'; + else if (ver == SSL3_VERSION) + ver = '3'; + else + ver = '*'; + } + fputc(ver, stdout); + fflush(stdout); + } + totalTime += tm_Time_F(STOP); /* Add the time for this iteration */ + + printf + ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", + nConn, totalTime, ((double)nConn / totalTime), bytes_read); + printf + ("%d connections in %ld real seconds, %ld bytes read per connection\n", + nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn); + + ret = 0; + + end: + SSL_free(scon); + SSL_CTX_free(ctx); + return (ret); +} + +/*- + * doConnection - make a connection + */ +static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx) +{ + BIO *conn; + SSL *serverCon; + int i; + + if ((conn = BIO_new(BIO_s_connect())) == NULL) + return NULL; + + BIO_set_conn_hostname(conn, host); + BIO_set_conn_mode(conn, BIO_SOCK_NODELAY); + + if (scon == NULL) + serverCon = SSL_new(ctx); + else { + serverCon = scon; + SSL_set_connect_state(serverCon); + } + + SSL_set_bio(serverCon, conn, conn); + + /* ok, lets connect */ + i = SSL_connect(serverCon); + if (i <= 0) { + BIO_printf(bio_err, "ERROR\n"); + if (verify_args.error != X509_V_OK) + BIO_printf(bio_err, "verify error:%s\n", + X509_verify_cert_error_string(verify_args.error)); + else + ERR_print_errors(bio_err); + if (scon == NULL) + SSL_free(serverCon); + return NULL; + } + +#if defined(SOL_SOCKET) && defined(SO_LINGER) + { + struct linger no_linger; + + no_linger.l_onoff = 1; + no_linger.l_linger = 0; + (void) setsockopt(SSL_get_fd(serverCon), SOL_SOCKET, SO_LINGER, + (char*)&no_linger, sizeof(no_linger)); + } +#endif + + return serverCon; +} +#endif /* OPENSSL_NO_SOCK */ diff --git a/openssl-1.1.0h/apps/server.pem b/openssl-1.1.0h/apps/server.pem new file mode 100644 index 0000000..d0fc265 --- /dev/null +++ b/openssl-1.1.0h/apps/server.pem @@ -0,0 +1,52 @@ +subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert +issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA +-----BEGIN CERTIFICATE----- +MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU +RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ +KCLTuf7g3uQ4zu4iHOmRO5TQci+HhVlLZrHF9XqFXcIP0y4pWDbMSGuiorUmzmfi +R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv +vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7 +TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU +41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R +AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI +AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW +BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49 +hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK +WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp +yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7 +vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds +xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t +JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv +h4VZS2axxfV6hV3CD9MuKVg2zEhroqK1Js5n4ke230nSP/qiELfCl0R+hzRtbfKL +tFUr1iHeU0uQ6v3q+Tg1K/Tmmg72uxKrhyHDL7z0BriPjhAHJ5XlQsvR1RCMkqzu +D9wjSInJxpMMIgLndOclAKv4D1wQtYU7ZpTw+01XBlUhIiXb86qpYL9NqnnRq5JI +uhmOEuxo2ca63+xaHNhD/udSyc8C0Md/yX6wlONTRFgLLv0pdLUGm1xEjfsydaQ6 +qGd7hzIKUI3hohNKJa/mHLElv7SZolPTogK/EQIDAQABAoIBAADq9FwNtuE5IRQn +zGtO4q7Y5uCzZ8GDNYr9RKp+P2cbuWDbvVAecYq2NV9QoIiWJOAYZKklOvekIju3 +r0UZLA0PRiIrTg6NrESx3JrjWDK8QNlUO7CPTZ39/K+FrmMkV9lem9yxjJjyC34D +AQB+YRTx+l14HppjdxNwHjAVQpIx/uO2F5xAMuk32+3K+pq9CZUtrofe1q4Agj9R +5s8mSy9pbRo9kW9wl5xdEotz1LivFOEiqPUJTUq5J5PeMKao3vdK726XI4Z455Nm +W2/MA0YV0ug2FYinHcZdvKM6dimH8GLfa3X8xKRfzjGjTiMSwsdjgMa4awY3tEHH +674jhAECgYEA/zqMrc0zsbNk83sjgaYIug5kzEpN4ic020rSZsmQxSCerJTgNhmg +utKSCt0Re09Jt3LqG48msahX8ycqDsHNvlEGPQSbMu9IYeO3Wr3fAm75GEtFWePY +BhM73I7gkRt4s8bUiUepMG/wY45c5tRF23xi8foReHFFe9MDzh8fJFECgYEA9EFX +4qAik1pOJGNei9BMwmx0I0gfVEIgu0tzeVqT45vcxbxr7RkTEaDoAG6PlbWP6D9a +WQNLp4gsgRM90ZXOJ4up5DsAWDluvaF4/omabMA+MJJ5kGZ0gCj5rbZbKqUws7x8 +bp+6iBfUPJUbcqNqFmi/08Yt7vrDnMnyMw2A/sECgYEAiiuRMxnuzVm34hQcsbhH +6ymVqf7j0PW2qK0F4H1ocT9qhzWFd+RB3kHWrCjnqODQoI6GbGr/4JepHUpre1ex +4UEN5oSS3G0ru0rC3U4C59dZ5KwDHFm7ffZ1pr52ljfQDUsrjjIMRtuiwNK2OoRa +WSsqiaL+SDzSB+nBmpnAizECgYBdt/y6rerWUx4MhDwwtTnel7JwHyo2MDFS6/5g +n8qC2Lj6/fMDRE22w+CA2esp7EJNQJGv+b27iFpbJEDh+/Lf5YzIT4MwVskQ5bYB +JFcmRxUVmf4e09D7o705U/DjCgMH09iCsbLmqQ38ONIRSHZaJtMDtNTHD1yi+jF+ +OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX +xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK +UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ== +-----END RSA PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/server.srl b/openssl-1.1.0h/apps/server.srl new file mode 100644 index 0000000..8a0f05e --- /dev/null +++ b/openssl-1.1.0h/apps/server.srl @@ -0,0 +1 @@ +01 diff --git a/openssl-1.1.0h/apps/server2.pem b/openssl-1.1.0h/apps/server2.pem new file mode 100644 index 0000000..a3927cf --- /dev/null +++ b/openssl-1.1.0h/apps/server2.pem @@ -0,0 +1,52 @@ +subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert #2 +issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA +-----BEGIN CERTIFICATE----- +MIID6jCCAtKgAwIBAgIJALnu1NlVpZ60MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV +BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT +VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt +ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZzELMAkG +A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU +RVNUSU5HIFBVUlBPU0VTIE9OTFkxHDAaBgNVBAMME1Rlc3QgU2VydmVyIENlcnQg +IzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrdi7j9yctG+L4EjBy +gjPmEqZzOJEQba26MoQGzglU7e5Xf59Rb/hgVQuKAoiZe7/R8rK4zJ4W7iXdXw0L +qBpyG8B5aGKeI32w+A9TcBApoXXL2CrYQEQjZwUIpLlYBIi2NkJj3nVkq5dgl1gO +ALiQ+W8jg3kzg5Ec9rimp9r93N8wsSL3awsafurmYCvOf7leHaMP1WJ/zDRGUNHG +/WtDjXc8ZUG1+6EXU9Jc2Fs+2Omf7fcN0l00AK/wPg8OaNS0rKyGq9JdIT9FRGV1 +bXe/rx58FaE5CItdwCSYhJvF/O95LWQoxJXye5bCFLmvDTEyVq9FMSCptfsmbXjE +ZGsXAgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJ +YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud +DgQWBBR52UaWWTKzZGDH/X4mWNcuqeQVazAfBgNVHSMEGDAWgBQ2w2yI55X+sL3s +zj49hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEANBW+XYLlHBqVY/31ie+3gRlS +LPfy4SIqn0t3RJjagT29MXprblBO2cbMO8VGjkQdKGpmMXjxbht2arOOUXRHX4n/ +XTyn/QHEf0bcwIITMReO3DZUPAEw8hSjn9xEOM0IRVOCP+mH5fi74QzzQaZVCyYg +5VtLKdww/+sc0nCbKl2KWgDluriH0nfVx95qgW3mg9dhXRr0zmf1w2zkBHYpARYL +Dew6Z8EE4tS3HJu8/qM6meWzNtrfonQ3eiiMxjZBxzV46jchBwa2z9XYhP6AmpPb +oeTSzcQNbWsxaGYzWo46oLDUZmJOwSBawbS31bZNMCoPIY6ukoesCzFSsUKZww== +-----END CERTIFICATE----- +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA63Yu4/cnLRvi+BIwcoIz5hKmcziREG2tujKEBs4JVO3uV3+f +UW/4YFULigKImXu/0fKyuMyeFu4l3V8NC6gachvAeWhiniN9sPgPU3AQKaF1y9gq +2EBEI2cFCKS5WASItjZCY951ZKuXYJdYDgC4kPlvI4N5M4ORHPa4pqfa/dzfMLEi +92sLGn7q5mArzn+5Xh2jD9Vif8w0RlDRxv1rQ413PGVBtfuhF1PSXNhbPtjpn+33 +DdJdNACv8D4PDmjUtKyshqvSXSE/RURldW13v68efBWhOQiLXcAkmISbxfzveS1k +KMSV8nuWwhS5rw0xMlavRTEgqbX7Jm14xGRrFwIDAQABAoIBAHLsTPihIfLnYIE5 +x4GsQQ5zXeBw5ITDM37ktwHnQDC+rIzyUl1aLD1AZRBoKinXd4lOTqLZ4/NHKx4A +DYr58mZtWyUmqLOMmQVuHXTZBlp7XtYuXMMNovQwjQlp9LicBeoBU6gQ5PVMtubD +F4xGF89Sn0cTHW3iMkqTtQ5KcR1j57OcJO0FEb1vPvk2MXI5ZyAatUYE7YacbEzd +rg02uIwx3FqNSkuSI79uz4hMdV5TPtuhxx9nTwj9aLUhXFeZ0mn2PVgVzEnnMoJb ++znlsZDgzDlJqdaD744YGWh8Z3OEssB35KfzFcdOeO6yH8lmv2Zfznk7pNPT7LTb +Lae9VgkCgYEA92p1qnAB3NtJtNcaW53i0S5WJgS1hxWKvUDx3lTB9s8X9fHpqL1a +E94fDfWzp/hax6FefUKIvBOukPLQ6bYjTMiFoOHzVirghAIuIUoMI5VtLhwD1hKs +Lr7l/dptMgKb1nZHyXoKHRBthsy3K4+udsPi8TzMvYElgEqyQIe/Rk0CgYEA86GL +8HC6zLszzKERDPBxrboRmoFvVUCTQDhsfj1M8aR3nQ8V5LkdIJc7Wqm/Ggfk9QRf +rJ8M2WUMlU5CNnCn/KCrKzCNZIReze3fV+HnKdbcXGLvgbHPrhnz8yYehUFG+RGq +bVyDWRU94T38izy2s5qMYrMJWZEYyXncSPbfcPMCgYAtaXfxcZ+V5xYPQFARMtiX +5nZfggvDoJuXgx0h3tK/N2HBfcaSdzbaYLG4gTmZggc/jwnl2dl5E++9oSPhUdIG +3ONSFUbxsOsGr9PBvnKd8WZZyUCXAVRjPBzAzF+whzQNWCZy/5htnz9LN7YDI9s0 +5113Q96cheDZPFydZY0hHQKBgQDVbEhNukM5xCiNcu+f2SaMnLp9EjQ4h5g3IvaP +5B16daw/Dw8LzcohWboqIxeAsze0GD/D1ZUJAEd0qBjC3g+a9BjefervCjKOzXng +38mEUm+6EwVjJSQcjSmycEs+Sr/kwr/8i5WYvU32+jk4tFgMoC+o6tQe/Uesf68k +z/dPVwKBgGbF7Vv1/3SmhlOy+zYyvJ0CrWtKxH9QP6tLIEgEpd8x7YTSuCH94yok +kToMXYA3sWNPt22GbRDZ+rcp4c7HkDx6I6vpdP9aQEwJTp0EPy0sgWr2XwYmreIQ +NFmkk8Itn9EY2R9VBaP7GLv5kvwxDdLAnmwGmzVtbmaVdxCaBwUk +-----END RSA PRIVATE KEY----- diff --git a/openssl-1.1.0h/apps/sess_id.c b/openssl-1.1.0h/apps/sess_id.c new file mode 100644 index 0000000..2b63e69 --- /dev/null +++ b/openssl-1.1.0h/apps/sess_id.c @@ -0,0 +1,190 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, + OPT_TEXT, OPT_CERT, OPT_NOOUT, OPT_CONTEXT +} OPTION_CHOICE; + +OPTIONS sess_id_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"}, + {"outform", OPT_OUTFORM, 'f', + "Output format - default PEM (PEM, DER or NSS)"}, + {"in", OPT_IN, 's', "Input file - default stdin"}, + {"out", OPT_OUT, 's', "Output file - default stdout"}, + {"text", OPT_TEXT, '-', "Print ssl session id details"}, + {"cert", OPT_CERT, '-', "Output certificate "}, + {"noout", OPT_NOOUT, '-', "Don't output the encoded session info"}, + {"context", OPT_CONTEXT, 's', "Set the session ID context"}, + {NULL} +}; + +static SSL_SESSION *load_sess_id(char *file, int format); + +int sess_id_main(int argc, char **argv) +{ + SSL_SESSION *x = NULL; + X509 *peer = NULL; + BIO *out = NULL; + char *infile = NULL, *outfile = NULL, *context = NULL, *prog; + int informat = FORMAT_PEM, outformat = FORMAT_PEM; + int cert = 0, noout = 0, text = 0, ret = 1, i, num = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, sess_id_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(sess_id_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) + goto opthelp; + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER | OPT_FMT_NSS, + &outformat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_TEXT: + text = ++num; + break; + case OPT_CERT: + cert = ++num; + break; + case OPT_NOOUT: + noout = ++num; + break; + case OPT_CONTEXT: + context = opt_arg(); + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + x = load_sess_id(infile, informat); + if (x == NULL) { + goto end; + } + peer = SSL_SESSION_get0_peer(x); + + if (context) { + size_t ctx_len = strlen(context); + if (ctx_len > SSL_MAX_SID_CTX_LENGTH) { + BIO_printf(bio_err, "Context too long\n"); + goto end; + } + if (!SSL_SESSION_set1_id_context(x, (unsigned char *)context, + ctx_len)) { + BIO_printf(bio_err, "Error setting id context\n"); + goto end; + } + } + + if (!noout || text) { + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + } + + if (text) { + SSL_SESSION_print(out, x); + + if (cert) { + if (peer == NULL) + BIO_puts(out, "No certificate present\n"); + else + X509_print(out, peer); + } + } + + if (!noout && !cert) { + if (outformat == FORMAT_ASN1) + i = i2d_SSL_SESSION_bio(out, x); + else if (outformat == FORMAT_PEM) + i = PEM_write_bio_SSL_SESSION(out, x); + else if (outformat == FORMAT_NSS) + i = SSL_SESSION_print_keylog(out, x); + else { + BIO_printf(bio_err, "bad output format specified for outfile\n"); + goto end; + } + if (!i) { + BIO_printf(bio_err, "unable to write SSL_SESSION\n"); + goto end; + } + } else if (!noout && (peer != NULL)) { /* just print the certificate */ + if (outformat == FORMAT_ASN1) + i = (int)i2d_X509_bio(out, peer); + else if (outformat == FORMAT_PEM) + i = PEM_write_bio_X509(out, peer); + else { + BIO_printf(bio_err, "bad output format specified for outfile\n"); + goto end; + } + if (!i) { + BIO_printf(bio_err, "unable to write X509\n"); + goto end; + } + } + ret = 0; + end: + BIO_free_all(out); + SSL_SESSION_free(x); + return (ret); +} + +static SSL_SESSION *load_sess_id(char *infile, int format) +{ + SSL_SESSION *x = NULL; + BIO *in = NULL; + + in = bio_open_default(infile, 'r', format); + if (in == NULL) + goto end; + if (format == FORMAT_ASN1) + x = d2i_SSL_SESSION_bio(in, NULL); + else + x = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL); + if (x == NULL) { + BIO_printf(bio_err, "unable to load SSL_SESSION\n"); + ERR_print_errors(bio_err); + goto end; + } + + end: + BIO_free(in); + return (x); +} diff --git a/openssl-1.1.0h/apps/smime.c b/openssl-1.1.0h/apps/smime.c new file mode 100644 index 0000000..e18d7de --- /dev/null +++ b/openssl-1.1.0h/apps/smime.c @@ -0,0 +1,656 @@ +/* + * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* S/MIME utility function */ + +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include + +static int save_certs(char *signerfile, STACK_OF(X509) *signers); +static int smime_cb(int ok, X509_STORE_CTX *ctx); + +#define SMIME_OP 0x10 +#define SMIME_IP 0x20 +#define SMIME_SIGNERS 0x40 +#define SMIME_ENCRYPT (1 | SMIME_OP) +#define SMIME_DECRYPT (2 | SMIME_IP) +#define SMIME_SIGN (3 | SMIME_OP | SMIME_SIGNERS) +#define SMIME_VERIFY (4 | SMIME_IP) +#define SMIME_PK7OUT (5 | SMIME_IP | SMIME_OP) +#define SMIME_RESIGN (6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS) + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENCRYPT, OPT_DECRYPT, OPT_SIGN, OPT_RESIGN, OPT_VERIFY, + OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN, + OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, + OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF, + OPT_CRLFEOL, OPT_RAND, OPT_ENGINE, OPT_PASSIN, + OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD, + OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE, + OPT_V_ENUM, + OPT_CAPATH, OPT_NOCAFILE, OPT_NOCAPATH, OPT_IN, OPT_INFORM, OPT_OUT, + OPT_OUTFORM, OPT_CONTENT +} OPTION_CHOICE; + +OPTIONS smime_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, + {OPT_HELP_STR, 1, '-', + " cert.pem... recipient certs for encryption\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"encrypt", OPT_ENCRYPT, '-', "Encrypt message"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt encrypted message"}, + {"sign", OPT_SIGN, '-', "Sign message"}, + {"verify", OPT_VERIFY, '-', "Verify signed message"}, + {"pk7out", OPT_PK7OUT, '-', "Output PKCS#7 structure"}, + {"nointern", OPT_NOINTERN, '-', + "Don't search certificates in message for signer"}, + {"nosigs", OPT_NOSIGS, '-', "Don't verify message signature"}, + {"noverify", OPT_NOVERIFY, '-', "Don't verify signers certificate"}, + {"nocerts", OPT_NOCERTS, '-', + "Don't include signers certificate when signing"}, + {"nodetach", OPT_NODETACH, '-', "Use opaque signing"}, + {"noattr", OPT_NOATTR, '-', "Don't include any signed attributes"}, + {"binary", OPT_BINARY, '-', "Don't translate message to text"}, + {"certfile", OPT_CERTFILE, '<', "Other certificates file"}, + {"signer", OPT_SIGNER, 's', "Signer certificate file"}, + {"recip", OPT_RECIP, '<', "Recipient certificate file for decryption"}, + {"in", OPT_IN, '<', "Input file"}, + {"inform", OPT_INFORM, 'c', "Input format SMIME (default), PEM or DER"}, + {"inkey", OPT_INKEY, 's', + "Input private key (if not signer or recipient)"}, + {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"}, + {"out", OPT_OUT, '>', "Output file"}, + {"outform", OPT_OUTFORM, 'c', + "Output format SMIME (default), PEM or DER"}, + {"content", OPT_CONTENT, '<', + "Supply or override content for detached signature"}, + {"to", OPT_TO, 's', "To address"}, + {"from", OPT_FROM, 's', "From address"}, + {"subject", OPT_SUBJECT, 's', "Subject"}, + {"text", OPT_TEXT, '-', "Include or delete text MIME headers"}, + {"CApath", OPT_CAPATH, '/', "Trusted certificates directory"}, + {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"resign", OPT_RESIGN, '-', "Resign a signed message"}, + {"nochain", OPT_NOCHAIN, '-', + "set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" }, + {"nosmimecap", OPT_NOSMIMECAP, '-', "Omit the SMIMECapabilities attribute"}, + {"stream", OPT_STREAM, '-', "Enable CMS streaming" }, + {"indef", OPT_INDEF, '-', "Same as -stream" }, + {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, + {"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"md", OPT_MD, 's', "Digest algorithm to use when signing or resigning"}, + {"", OPT_CIPHER, '-', "Any supported cipher"}, + OPT_V_OPTIONS, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int smime_main(int argc, char **argv) +{ + BIO *in = NULL, *out = NULL, *indata = NULL; + EVP_PKEY *key = NULL; + PKCS7 *p7 = NULL; + STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL; + STACK_OF(X509) *encerts = NULL, *other = NULL; + X509 *cert = NULL, *recip = NULL, *signer = NULL; + X509_STORE *store = NULL; + X509_VERIFY_PARAM *vpm = NULL; + const EVP_CIPHER *cipher = NULL; + const EVP_MD *sign_md = NULL; + const char *CAfile = NULL, *CApath = NULL, *prog = NULL; + char *certfile = NULL, *keyfile = NULL, *contfile = NULL, *inrand = NULL; + char *infile = NULL, *outfile = NULL, *signerfile = NULL, *recipfile = + NULL; + char *passinarg = NULL, *passin = NULL, *to = NULL, *from = + NULL, *subject = NULL; + OPTION_CHOICE o; + int noCApath = 0, noCAfile = 0; + int flags = PKCS7_DETACHED, operation = 0, ret = 0, need_rand = 0, indef = + 0; + int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = + FORMAT_PEM; + int vpmtouched = 0, rv = 0; + ENGINE *e = NULL; + const char *mime_eol = "\n"; + + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + return 1; + + prog = opt_init(argc, argv, smime_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(smime_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_PDS, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PDS, &outformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_ENCRYPT: + operation = SMIME_ENCRYPT; + break; + case OPT_DECRYPT: + operation = SMIME_DECRYPT; + break; + case OPT_SIGN: + operation = SMIME_SIGN; + break; + case OPT_RESIGN: + operation = SMIME_RESIGN; + break; + case OPT_VERIFY: + operation = SMIME_VERIFY; + break; + case OPT_PK7OUT: + operation = SMIME_PK7OUT; + break; + case OPT_TEXT: + flags |= PKCS7_TEXT; + break; + case OPT_NOINTERN: + flags |= PKCS7_NOINTERN; + break; + case OPT_NOVERIFY: + flags |= PKCS7_NOVERIFY; + break; + case OPT_NOCHAIN: + flags |= PKCS7_NOCHAIN; + break; + case OPT_NOCERTS: + flags |= PKCS7_NOCERTS; + break; + case OPT_NOATTR: + flags |= PKCS7_NOATTR; + break; + case OPT_NODETACH: + flags &= ~PKCS7_DETACHED; + break; + case OPT_NOSMIMECAP: + flags |= PKCS7_NOSMIMECAP; + break; + case OPT_BINARY: + flags |= PKCS7_BINARY; + break; + case OPT_NOSIGS: + flags |= PKCS7_NOSIGS; + break; + case OPT_STREAM: + case OPT_INDEF: + indef = 1; + break; + case OPT_NOINDEF: + indef = 0; + break; + case OPT_CRLFEOL: + flags |= PKCS7_CRLFEOL; + mime_eol = "\r\n"; + break; + case OPT_RAND: + inrand = opt_arg(); + need_rand = 1; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_TO: + to = opt_arg(); + break; + case OPT_FROM: + from = opt_arg(); + break; + case OPT_SUBJECT: + subject = opt_arg(); + break; + case OPT_SIGNER: + /* If previous -signer argument add signer to list */ + if (signerfile) { + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(sksigners, signerfile); + if (keyfile == NULL) + keyfile = signerfile; + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(skkeys, keyfile); + keyfile = NULL; + } + signerfile = opt_arg(); + break; + case OPT_RECIP: + recipfile = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_arg(), &sign_md)) + goto opthelp; + break; + case OPT_CIPHER: + if (!opt_cipher(opt_unknown(), &cipher)) + goto opthelp; + break; + case OPT_INKEY: + /* If previous -inkey argument add signer to list */ + if (keyfile) { + if (signerfile == NULL) { + BIO_printf(bio_err, + "%s: Must have -signer before -inkey\n", prog); + goto opthelp; + } + if (sksigners == NULL + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(sksigners, signerfile); + signerfile = NULL; + if (skkeys == NULL + && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(skkeys, keyfile); + } + keyfile = opt_arg(); + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) + goto opthelp; + break; + case OPT_CERTFILE: + certfile = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_CONTENT: + contfile = opt_arg(); + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto opthelp; + vpmtouched++; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (!(operation & SMIME_SIGNERS) && (skkeys || sksigners)) { + BIO_puts(bio_err, "Multiple signers or keys not allowed\n"); + goto opthelp; + } + + if (operation & SMIME_SIGNERS) { + /* Check to see if any final signer needs to be appended */ + if (keyfile && !signerfile) { + BIO_puts(bio_err, "Illegal -inkey without -signer\n"); + goto opthelp; + } + if (signerfile) { + if (!sksigners + && (sksigners = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + sk_OPENSSL_STRING_push(sksigners, signerfile); + if (!skkeys && (skkeys = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + if (!keyfile) + keyfile = signerfile; + sk_OPENSSL_STRING_push(skkeys, keyfile); + } + if (!sksigners) { + BIO_printf(bio_err, "No signer certificate specified\n"); + goto opthelp; + } + signerfile = NULL; + keyfile = NULL; + need_rand = 1; + } else if (operation == SMIME_DECRYPT) { + if (!recipfile && !keyfile) { + BIO_printf(bio_err, + "No recipient certificate or key specified\n"); + goto opthelp; + } + } else if (operation == SMIME_ENCRYPT) { + if (argc == 0) { + BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n"); + goto opthelp; + } + need_rand = 1; + } else if (!operation) + goto opthelp; + + if (!app_passwd(passinarg, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + if (need_rand) { + app_RAND_load_file(NULL, (inrand != NULL)); + if (inrand != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(inrand)); + } + + ret = 2; + + if (!(operation & SMIME_SIGNERS)) + flags &= ~PKCS7_DETACHED; + + if (!(operation & SMIME_OP)) { + if (flags & PKCS7_BINARY) + outformat = FORMAT_BINARY; + } + + if (!(operation & SMIME_IP)) { + if (flags & PKCS7_BINARY) + informat = FORMAT_BINARY; + } + + if (operation == SMIME_ENCRYPT) { + if (!cipher) { +#ifndef OPENSSL_NO_DES + cipher = EVP_des_ede3_cbc(); +#else + BIO_printf(bio_err, "No cipher selected\n"); + goto end; +#endif + } + encerts = sk_X509_new_null(); + if (!encerts) + goto end; + while (*argv) { + cert = load_cert(*argv, FORMAT_PEM, + "recipient certificate file"); + if (cert == NULL) + goto end; + sk_X509_push(encerts, cert); + cert = NULL; + argv++; + } + } + + if (certfile) { + if (!load_certs(certfile, &other, FORMAT_PEM, NULL, + "certificate file")) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (recipfile && (operation == SMIME_DECRYPT)) { + if ((recip = load_cert(recipfile, FORMAT_PEM, + "recipient certificate file")) == NULL) { + ERR_print_errors(bio_err); + goto end; + } + } + + if (operation == SMIME_DECRYPT) { + if (!keyfile) + keyfile = recipfile; + } else if (operation == SMIME_SIGN) { + if (!keyfile) + keyfile = signerfile; + } else + keyfile = NULL; + + if (keyfile) { + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); + if (!key) + goto end; + } + + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + + if (operation & SMIME_IP) { + if (informat == FORMAT_SMIME) + p7 = SMIME_read_PKCS7(in, &indata); + else if (informat == FORMAT_PEM) + p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL); + else if (informat == FORMAT_ASN1) + p7 = d2i_PKCS7_bio(in, NULL); + else { + BIO_printf(bio_err, "Bad input format for PKCS#7 file\n"); + goto end; + } + + if (!p7) { + BIO_printf(bio_err, "Error reading S/MIME message\n"); + goto end; + } + if (contfile) { + BIO_free(indata); + if ((indata = BIO_new_file(contfile, "rb")) == NULL) { + BIO_printf(bio_err, "Can't read content file %s\n", contfile); + goto end; + } + } + } + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + + if (operation == SMIME_VERIFY) { + if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) + goto end; + X509_STORE_set_verify_cb(store, smime_cb); + if (vpmtouched) + X509_STORE_set1_param(store, vpm); + } + + ret = 3; + + if (operation == SMIME_ENCRYPT) { + if (indef) + flags |= PKCS7_STREAM; + p7 = PKCS7_encrypt(encerts, in, cipher, flags); + } else if (operation & SMIME_SIGNERS) { + int i; + /* + * If detached data content we only enable streaming if S/MIME output + * format. + */ + if (operation == SMIME_SIGN) { + if (flags & PKCS7_DETACHED) { + if (outformat == FORMAT_SMIME) + flags |= PKCS7_STREAM; + } else if (indef) + flags |= PKCS7_STREAM; + flags |= PKCS7_PARTIAL; + p7 = PKCS7_sign(NULL, NULL, other, in, flags); + if (!p7) + goto end; + if (flags & PKCS7_NOCERTS) { + for (i = 0; i < sk_X509_num(other); i++) { + X509 *x = sk_X509_value(other, i); + PKCS7_add_certificate(p7, x); + } + } + } else + flags |= PKCS7_REUSE_DIGEST; + for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) { + signerfile = sk_OPENSSL_STRING_value(sksigners, i); + keyfile = sk_OPENSSL_STRING_value(skkeys, i); + signer = load_cert(signerfile, FORMAT_PEM, + "signer certificate"); + if (!signer) + goto end; + key = load_key(keyfile, keyform, 0, passin, e, "signing key file"); + if (!key) + goto end; + if (!PKCS7_sign_add_signer(p7, signer, key, sign_md, flags)) + goto end; + X509_free(signer); + signer = NULL; + EVP_PKEY_free(key); + key = NULL; + } + /* If not streaming or resigning finalize structure */ + if ((operation == SMIME_SIGN) && !(flags & PKCS7_STREAM)) { + if (!PKCS7_final(p7, in, flags)) + goto end; + } + } + + if (!p7) { + BIO_printf(bio_err, "Error creating PKCS#7 structure\n"); + goto end; + } + + ret = 4; + if (operation == SMIME_DECRYPT) { + if (!PKCS7_decrypt(p7, key, recip, out, flags)) { + BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n"); + goto end; + } + } else if (operation == SMIME_VERIFY) { + STACK_OF(X509) *signers; + if (PKCS7_verify(p7, other, store, indata, out, flags)) + BIO_printf(bio_err, "Verification successful\n"); + else { + BIO_printf(bio_err, "Verification failure\n"); + goto end; + } + signers = PKCS7_get0_signers(p7, other, flags); + if (!save_certs(signerfile, signers)) { + BIO_printf(bio_err, "Error writing signers to %s\n", signerfile); + ret = 5; + goto end; + } + sk_X509_free(signers); + } else if (operation == SMIME_PK7OUT) + PEM_write_bio_PKCS7(out, p7); + else { + if (to) + BIO_printf(out, "To: %s%s", to, mime_eol); + if (from) + BIO_printf(out, "From: %s%s", from, mime_eol); + if (subject) + BIO_printf(out, "Subject: %s%s", subject, mime_eol); + if (outformat == FORMAT_SMIME) { + if (operation == SMIME_RESIGN) + rv = SMIME_write_PKCS7(out, p7, indata, flags); + else + rv = SMIME_write_PKCS7(out, p7, in, flags); + } else if (outformat == FORMAT_PEM) + rv = PEM_write_bio_PKCS7_stream(out, p7, in, flags); + else if (outformat == FORMAT_ASN1) + rv = i2d_PKCS7_bio_stream(out, p7, in, flags); + else { + BIO_printf(bio_err, "Bad output format for PKCS#7 file\n"); + goto end; + } + if (rv == 0) { + BIO_printf(bio_err, "Error writing output\n"); + ret = 3; + goto end; + } + } + ret = 0; + end: + if (need_rand) + app_RAND_write_file(NULL); + if (ret) + ERR_print_errors(bio_err); + sk_X509_pop_free(encerts, X509_free); + sk_X509_pop_free(other, X509_free); + X509_VERIFY_PARAM_free(vpm); + sk_OPENSSL_STRING_free(sksigners); + sk_OPENSSL_STRING_free(skkeys); + X509_STORE_free(store); + X509_free(cert); + X509_free(recip); + X509_free(signer); + EVP_PKEY_free(key); + PKCS7_free(p7); + release_engine(e); + BIO_free(in); + BIO_free(indata); + BIO_free_all(out); + OPENSSL_free(passin); + return (ret); +} + +static int save_certs(char *signerfile, STACK_OF(X509) *signers) +{ + int i; + BIO *tmp; + if (!signerfile) + return 1; + tmp = BIO_new_file(signerfile, "w"); + if (!tmp) + return 0; + for (i = 0; i < sk_X509_num(signers); i++) + PEM_write_bio_X509(tmp, sk_X509_value(signers, i)); + BIO_free(tmp); + return 1; +} + +/* Minimal callback just to output policy info (if any) */ + +static int smime_cb(int ok, X509_STORE_CTX *ctx) +{ + int error; + + error = X509_STORE_CTX_get_error(ctx); + + if ((error != X509_V_ERR_NO_EXPLICIT_POLICY) + && ((error != X509_V_OK) || (ok != 2))) + return ok; + + policies_print(ctx); + + return ok; + +} diff --git a/openssl-1.1.0h/apps/speed.c b/openssl-1.1.0h/apps/speed.c new file mode 100644 index 0000000..b0a7b6e --- /dev/null +++ b/openssl-1.1.0h/apps/speed.c @@ -0,0 +1,3149 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* ==================================================================== + * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. + * + * Portions of the attached software ("Contribution") are developed by + * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. + * + * The Contribution is licensed pursuant to the OpenSSL open source + * license provided above. + * + * The ECDH and ECDSA speed test software is originally written by + * Sumit Gupta of Sun Microsystems Laboratories. + * + */ + +#undef SECONDS +#define SECONDS 3 +#define PRIME_SECONDS 10 +#define RSA_SECONDS 10 +#define DSA_SECONDS 10 +#define ECDSA_SECONDS 10 +#define ECDH_SECONDS 10 + +#include +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include +#include +#if !defined(OPENSSL_SYS_MSDOS) +# include OPENSSL_UNISTD +#endif + +#if defined(_WIN32) +# include +#endif + +#include +#ifndef OPENSSL_NO_DES +# include +#endif +#include +#ifndef OPENSSL_NO_CAMELLIA +# include +#endif +#ifndef OPENSSL_NO_MD2 +# include +#endif +#ifndef OPENSSL_NO_MDC2 +# include +#endif +#ifndef OPENSSL_NO_MD4 +# include +#endif +#ifndef OPENSSL_NO_MD5 +# include +#endif +#include +#include +#ifndef OPENSSL_NO_RMD160 +# include +#endif +#ifndef OPENSSL_NO_WHIRLPOOL +# include +#endif +#ifndef OPENSSL_NO_RC4 +# include +#endif +#ifndef OPENSSL_NO_RC5 +# include +#endif +#ifndef OPENSSL_NO_RC2 +# include +#endif +#ifndef OPENSSL_NO_IDEA +# include +#endif +#ifndef OPENSSL_NO_SEED +# include +#endif +#ifndef OPENSSL_NO_BF +# include +#endif +#ifndef OPENSSL_NO_CAST +# include +#endif +#ifndef OPENSSL_NO_RSA +# include +# include "./testrsa.h" +#endif +#include +#ifndef OPENSSL_NO_DSA +# include +# include "./testdsa.h" +#endif +#ifndef OPENSSL_NO_EC +# include +#endif +#include + +#ifndef HAVE_FORK +# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) +# define HAVE_FORK 0 +# else +# define HAVE_FORK 1 +# endif +#endif + +#if HAVE_FORK +# undef NO_FORK +#else +# define NO_FORK +#endif + +#undef BUFSIZE +#define BUFSIZE (1024*16+1) +#define MAX_MISALIGNMENT 63 + +#define ALGOR_NUM 30 +#define SIZE_NUM 6 +#define PRIME_NUM 3 +#define RSA_NUM 7 +#define DSA_NUM 3 + +#define EC_NUM 17 +#define MAX_ECDH_SIZE 256 +#define MISALIGN 64 + +static volatile int run = 0; + +static int mr = 0; +static int usertime = 1; + +typedef void *(*kdf_fn) ( + const void *in, size_t inlen, void *out, size_t *xoutlen); + +typedef struct loopargs_st { + ASYNC_JOB *inprogress_job; + ASYNC_WAIT_CTX *wait_ctx; + unsigned char *buf; + unsigned char *buf2; + unsigned char *buf_malloc; + unsigned char *buf2_malloc; + unsigned int siglen; +#ifndef OPENSSL_NO_RSA + RSA *rsa_key[RSA_NUM]; +#endif +#ifndef OPENSSL_NO_DSA + DSA *dsa_key[DSA_NUM]; +#endif +#ifndef OPENSSL_NO_EC + EC_KEY *ecdsa[EC_NUM]; + EC_KEY *ecdh_a[EC_NUM]; + EC_KEY *ecdh_b[EC_NUM]; + unsigned char *secret_a; + unsigned char *secret_b; + size_t outlen; + kdf_fn kdf; +#endif + EVP_CIPHER_CTX *ctx; + HMAC_CTX *hctx; + GCM128_CONTEXT *gcm_ctx; +} loopargs_t; + +#ifndef OPENSSL_NO_MD2 +static int EVP_Digest_MD2_loop(void *args); +#endif + +#ifndef OPENSSL_NO_MDC2 +static int EVP_Digest_MDC2_loop(void *args); +#endif +#ifndef OPENSSL_NO_MD4 +static int EVP_Digest_MD4_loop(void *args); +#endif +#ifndef OPENSSL_NO_MD5 +static int MD5_loop(void *args); +static int HMAC_loop(void *args); +#endif +static int SHA1_loop(void *args); +static int SHA256_loop(void *args); +static int SHA512_loop(void *args); +#ifndef OPENSSL_NO_WHIRLPOOL +static int WHIRLPOOL_loop(void *args); +#endif +#ifndef OPENSSL_NO_RMD160 +static int EVP_Digest_RMD160_loop(void *args); +#endif +#ifndef OPENSSL_NO_RC4 +static int RC4_loop(void *args); +#endif +#ifndef OPENSSL_NO_DES +static int DES_ncbc_encrypt_loop(void *args); +static int DES_ede3_cbc_encrypt_loop(void *args); +#endif +static int AES_cbc_128_encrypt_loop(void *args); +static int AES_cbc_192_encrypt_loop(void *args); +static int AES_ige_128_encrypt_loop(void *args); +static int AES_cbc_256_encrypt_loop(void *args); +static int AES_ige_192_encrypt_loop(void *args); +static int AES_ige_256_encrypt_loop(void *args); +static int CRYPTO_gcm128_aad_loop(void *args); +static int EVP_Update_loop(void *args); +static int EVP_Digest_loop(void *args); +#ifndef OPENSSL_NO_RSA +static int RSA_sign_loop(void *args); +static int RSA_verify_loop(void *args); +#endif +#ifndef OPENSSL_NO_DSA +static int DSA_sign_loop(void *args); +static int DSA_verify_loop(void *args); +#endif +#ifndef OPENSSL_NO_EC +static int ECDSA_sign_loop(void *args); +static int ECDSA_verify_loop(void *args); +static int ECDH_compute_key_loop(void *args); +#endif +static int run_benchmark(int async_jobs, int (*loop_function)(void *), loopargs_t *loopargs); + +static double Time_F(int s); +static void print_message(const char *s, long num, int length); +static void pkey_print_message(const char *str, const char *str2, + long num, int bits, int sec); +static void print_result(int alg, int run_no, int count, double time_used); +#ifndef NO_FORK +static int do_multi(int multi); +#endif + +static const char *names[ALGOR_NUM] = { + "md2", "mdc2", "md4", "md5", "hmac(md5)", "sha1", "rmd160", "rc4", + "des cbc", "des ede3", "idea cbc", "seed cbc", + "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc", + "aes-128 cbc", "aes-192 cbc", "aes-256 cbc", + "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc", + "evp", "sha256", "sha512", "whirlpool", + "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash" +}; + +static double results[ALGOR_NUM][SIZE_NUM]; + +static const int lengths[SIZE_NUM] = { + 16, 64, 256, 1024, 8 * 1024, 16 * 1024 +}; + +#ifndef OPENSSL_NO_RSA +static double rsa_results[RSA_NUM][2]; +#endif +#ifndef OPENSSL_NO_DSA +static double dsa_results[DSA_NUM][2]; +#endif +#ifndef OPENSSL_NO_EC +static double ecdsa_results[EC_NUM][2]; +static double ecdh_results[EC_NUM][1]; +#endif + +#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) +static const char rnd_seed[] = + "string to make the random number generator think it has entropy"; +#endif + +#ifdef SIGALRM +# if defined(__STDC__) || defined(sgi) || defined(_AIX) +# define SIGRETTYPE void +# else +# define SIGRETTYPE int +# endif + +static SIGRETTYPE sig_done(int sig); +static SIGRETTYPE sig_done(int sig) +{ + signal(SIGALRM, sig_done); + run = 0; +} +#endif + +#define START 0 +#define STOP 1 + +#if defined(_WIN32) + +# if !defined(SIGALRM) +# define SIGALRM +# endif +static unsigned int lapse; +static volatile unsigned int schlock; +static void alarm_win32(unsigned int secs) +{ + lapse = secs * 1000; +} + +# define alarm alarm_win32 + +static DWORD WINAPI sleepy(VOID * arg) +{ + schlock = 1; + Sleep(lapse); + run = 0; + return 0; +} + +static double Time_F(int s) +{ + double ret; + static HANDLE thr; + + if (s == START) { + schlock = 0; + thr = CreateThread(NULL, 4096, sleepy, NULL, 0, NULL); + if (thr == NULL) { + DWORD err = GetLastError(); + BIO_printf(bio_err, "unable to CreateThread (%lu)", err); + ExitProcess(err); + } + while (!schlock) + Sleep(0); /* scheduler spinlock */ + ret = app_tminterval(s, usertime); + } else { + ret = app_tminterval(s, usertime); + if (run) + TerminateThread(thr, 0); + CloseHandle(thr); + } + + return ret; +} +#else + +static double Time_F(int s) +{ + double ret = app_tminterval(s, usertime); + if (s == STOP) + alarm(0); + return ret; +} +#endif + +static void multiblock_speed(const EVP_CIPHER *evp_cipher); + +static int found(const char *name, const OPT_PAIR *pairs, int *result) +{ + for (; pairs->name; pairs++) + if (strcmp(name, pairs->name) == 0) { + *result = pairs->retval; + return 1; + } + return 0; +} + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ELAPSED, OPT_EVP, OPT_DECRYPT, OPT_ENGINE, OPT_MULTI, + OPT_MR, OPT_MB, OPT_MISALIGN, OPT_ASYNCJOBS +} OPTION_CHOICE; + +OPTIONS speed_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] ciphers...\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"evp", OPT_EVP, 's', "Use specified EVP cipher"}, + {"decrypt", OPT_DECRYPT, '-', + "Time decryption instead of encryption (only EVP)"}, + {"mr", OPT_MR, '-', "Produce machine readable output"}, + {"mb", OPT_MB, '-', + "Enable (tls1.1) multi-block mode on evp_cipher requested with -evp"}, + {"misalign", OPT_MISALIGN, 'n', "Amount to mis-align buffers"}, + {"elapsed", OPT_ELAPSED, '-', + "Measure time in real time instead of CPU user time"}, +#ifndef NO_FORK + {"multi", OPT_MULTI, 'p', "Run benchmarks in parallel"}, +#endif +#ifndef OPENSSL_NO_ASYNC + {"async_jobs", OPT_ASYNCJOBS, 'p', + "Enable async mode and start pnum jobs"}, +#endif +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL}, +}; + +#define D_MD2 0 +#define D_MDC2 1 +#define D_MD4 2 +#define D_MD5 3 +#define D_HMAC 4 +#define D_SHA1 5 +#define D_RMD160 6 +#define D_RC4 7 +#define D_CBC_DES 8 +#define D_EDE3_DES 9 +#define D_CBC_IDEA 10 +#define D_CBC_SEED 11 +#define D_CBC_RC2 12 +#define D_CBC_RC5 13 +#define D_CBC_BF 14 +#define D_CBC_CAST 15 +#define D_CBC_128_AES 16 +#define D_CBC_192_AES 17 +#define D_CBC_256_AES 18 +#define D_CBC_128_CML 19 +#define D_CBC_192_CML 20 +#define D_CBC_256_CML 21 +#define D_EVP 22 +#define D_SHA256 23 +#define D_SHA512 24 +#define D_WHIRLPOOL 25 +#define D_IGE_128_AES 26 +#define D_IGE_192_AES 27 +#define D_IGE_256_AES 28 +#define D_GHASH 29 +static OPT_PAIR doit_choices[] = { +#ifndef OPENSSL_NO_MD2 + {"md2", D_MD2}, +#endif +#ifndef OPENSSL_NO_MDC2 + {"mdc2", D_MDC2}, +#endif +#ifndef OPENSSL_NO_MD4 + {"md4", D_MD4}, +#endif +#ifndef OPENSSL_NO_MD5 + {"md5", D_MD5}, + {"hmac", D_HMAC}, +#endif + {"sha1", D_SHA1}, + {"sha256", D_SHA256}, + {"sha512", D_SHA512}, +#ifndef OPENSSL_NO_WHIRLPOOL + {"whirlpool", D_WHIRLPOOL}, +#endif +#ifndef OPENSSL_NO_RMD160 + {"ripemd", D_RMD160}, + {"rmd160", D_RMD160}, + {"ripemd160", D_RMD160}, +#endif +#ifndef OPENSSL_NO_RC4 + {"rc4", D_RC4}, +#endif +#ifndef OPENSSL_NO_DES + {"des-cbc", D_CBC_DES}, + {"des-ede3", D_EDE3_DES}, +#endif + {"aes-128-cbc", D_CBC_128_AES}, + {"aes-192-cbc", D_CBC_192_AES}, + {"aes-256-cbc", D_CBC_256_AES}, + {"aes-128-ige", D_IGE_128_AES}, + {"aes-192-ige", D_IGE_192_AES}, + {"aes-256-ige", D_IGE_256_AES}, +#ifndef OPENSSL_NO_RC2 + {"rc2-cbc", D_CBC_RC2}, + {"rc2", D_CBC_RC2}, +#endif +#ifndef OPENSSL_NO_RC5 + {"rc5-cbc", D_CBC_RC5}, + {"rc5", D_CBC_RC5}, +#endif +#ifndef OPENSSL_NO_IDEA + {"idea-cbc", D_CBC_IDEA}, + {"idea", D_CBC_IDEA}, +#endif +#ifndef OPENSSL_NO_SEED + {"seed-cbc", D_CBC_SEED}, + {"seed", D_CBC_SEED}, +#endif +#ifndef OPENSSL_NO_BF + {"bf-cbc", D_CBC_BF}, + {"blowfish", D_CBC_BF}, + {"bf", D_CBC_BF}, +#endif +#ifndef OPENSSL_NO_CAST + {"cast-cbc", D_CBC_CAST}, + {"cast", D_CBC_CAST}, + {"cast5", D_CBC_CAST}, +#endif + {"ghash", D_GHASH}, + {NULL} +}; + +#ifndef OPENSSL_NO_DSA +# define R_DSA_512 0 +# define R_DSA_1024 1 +# define R_DSA_2048 2 +static OPT_PAIR dsa_choices[] = { + {"dsa512", R_DSA_512}, + {"dsa1024", R_DSA_1024}, + {"dsa2048", R_DSA_2048}, + {NULL}, +}; +#endif + +#define R_RSA_512 0 +#define R_RSA_1024 1 +#define R_RSA_2048 2 +#define R_RSA_3072 3 +#define R_RSA_4096 4 +#define R_RSA_7680 5 +#define R_RSA_15360 6 +static OPT_PAIR rsa_choices[] = { + {"rsa512", R_RSA_512}, + {"rsa1024", R_RSA_1024}, + {"rsa2048", R_RSA_2048}, + {"rsa3072", R_RSA_3072}, + {"rsa4096", R_RSA_4096}, + {"rsa7680", R_RSA_7680}, + {"rsa15360", R_RSA_15360}, + {NULL} +}; + +#define R_EC_P160 0 +#define R_EC_P192 1 +#define R_EC_P224 2 +#define R_EC_P256 3 +#define R_EC_P384 4 +#define R_EC_P521 5 +#define R_EC_K163 6 +#define R_EC_K233 7 +#define R_EC_K283 8 +#define R_EC_K409 9 +#define R_EC_K571 10 +#define R_EC_B163 11 +#define R_EC_B233 12 +#define R_EC_B283 13 +#define R_EC_B409 14 +#define R_EC_B571 15 +#define R_EC_X25519 16 +#ifndef OPENSSL_NO_EC +static OPT_PAIR ecdsa_choices[] = { + {"ecdsap160", R_EC_P160}, + {"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, + {"ecdsap521", R_EC_P521}, + {"ecdsak163", R_EC_K163}, + {"ecdsak233", R_EC_K233}, + {"ecdsak283", R_EC_K283}, + {"ecdsak409", R_EC_K409}, + {"ecdsak571", R_EC_K571}, + {"ecdsab163", R_EC_B163}, + {"ecdsab233", R_EC_B233}, + {"ecdsab283", R_EC_B283}, + {"ecdsab409", R_EC_B409}, + {"ecdsab571", R_EC_B571}, + {NULL} +}; + +static OPT_PAIR ecdh_choices[] = { + {"ecdhp160", R_EC_P160}, + {"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + {"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, + {"ecdhp521", R_EC_P521}, + {"ecdhk163", R_EC_K163}, + {"ecdhk233", R_EC_K233}, + {"ecdhk283", R_EC_K283}, + {"ecdhk409", R_EC_K409}, + {"ecdhk571", R_EC_K571}, + {"ecdhb163", R_EC_B163}, + {"ecdhb233", R_EC_B233}, + {"ecdhb283", R_EC_B283}, + {"ecdhb409", R_EC_B409}, + {"ecdhb571", R_EC_B571}, + {"ecdhx25519", R_EC_X25519}, + {NULL} +}; +#endif + +#ifndef SIGALRM +# define COND(d) (count < (d)) +# define COUNT(d) (d) +#else +# define COND(unused_cond) (run && count<0x7fffffff) +# define COUNT(d) (count) +#endif /* SIGALRM */ + +static int testnum; + +/* Nb of iterations to do per algorithm and key-size */ +static long c[ALGOR_NUM][SIZE_NUM]; + +#ifndef OPENSSL_NO_MD2 +static int EVP_Digest_MD2_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char md2[MD2_DIGEST_LENGTH]; + int count; + + for (count = 0; COND(c[D_MD2][testnum]); count++) { + if (!EVP_Digest(buf, (size_t)lengths[testnum], md2, NULL, EVP_md2(), + NULL)) + return -1; + } + return count; +} +#endif + +#ifndef OPENSSL_NO_MDC2 +static int EVP_Digest_MDC2_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char mdc2[MDC2_DIGEST_LENGTH]; + int count; + + for (count = 0; COND(c[D_MDC2][testnum]); count++) { + if (!EVP_Digest(buf, (size_t)lengths[testnum], mdc2, NULL, EVP_mdc2(), + NULL)) + return -1; + } + return count; +} +#endif + +#ifndef OPENSSL_NO_MD4 +static int EVP_Digest_MD4_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char md4[MD4_DIGEST_LENGTH]; + int count; + + for (count = 0; COND(c[D_MD4][testnum]); count++) { + if (!EVP_Digest(buf, (size_t)lengths[testnum], md4, NULL, EVP_md4(), + NULL)) + return -1; + } + return count; +} +#endif + +#ifndef OPENSSL_NO_MD5 +static int MD5_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char md5[MD5_DIGEST_LENGTH]; + int count; + for (count = 0; COND(c[D_MD5][testnum]); count++) + MD5(buf, lengths[testnum], md5); + return count; +} + +static int HMAC_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + HMAC_CTX *hctx = tempargs->hctx; + unsigned char hmac[MD5_DIGEST_LENGTH]; + int count; + + for (count = 0; COND(c[D_HMAC][testnum]); count++) { + HMAC_Init_ex(hctx, NULL, 0, NULL, NULL); + HMAC_Update(hctx, buf, lengths[testnum]); + HMAC_Final(hctx, hmac, NULL); + } + return count; +} +#endif + +static int SHA1_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char sha[SHA_DIGEST_LENGTH]; + int count; + for (count = 0; COND(c[D_SHA1][testnum]); count++) + SHA1(buf, lengths[testnum], sha); + return count; +} + +static int SHA256_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char sha256[SHA256_DIGEST_LENGTH]; + int count; + for (count = 0; COND(c[D_SHA256][testnum]); count++) + SHA256(buf, lengths[testnum], sha256); + return count; +} + +static int SHA512_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char sha512[SHA512_DIGEST_LENGTH]; + int count; + for (count = 0; COND(c[D_SHA512][testnum]); count++) + SHA512(buf, lengths[testnum], sha512); + return count; +} + +#ifndef OPENSSL_NO_WHIRLPOOL +static int WHIRLPOOL_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH]; + int count; + for (count = 0; COND(c[D_WHIRLPOOL][testnum]); count++) + WHIRLPOOL(buf, lengths[testnum], whirlpool); + return count; +} +#endif + +#ifndef OPENSSL_NO_RMD160 +static int EVP_Digest_RMD160_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char rmd160[RIPEMD160_DIGEST_LENGTH]; + int count; + for (count = 0; COND(c[D_RMD160][testnum]); count++) { + if (!EVP_Digest(buf, (size_t)lengths[testnum], &(rmd160[0]), + NULL, EVP_ripemd160(), NULL)) + return -1; + } + return count; +} +#endif + +#ifndef OPENSSL_NO_RC4 +static RC4_KEY rc4_ks; +static int RC4_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + int count; + for (count = 0; COND(c[D_RC4][testnum]); count++) + RC4(&rc4_ks, (size_t)lengths[testnum], buf, buf); + return count; +} +#endif + +#ifndef OPENSSL_NO_DES +static unsigned char DES_iv[8]; +static DES_key_schedule sch; +static DES_key_schedule sch2; +static DES_key_schedule sch3; +static int DES_ncbc_encrypt_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + int count; + for (count = 0; COND(c[D_CBC_DES][testnum]); count++) + DES_ncbc_encrypt(buf, buf, lengths[testnum], &sch, + &DES_iv, DES_ENCRYPT); + return count; +} + +static int DES_ede3_cbc_encrypt_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + int count; + for (count = 0; COND(c[D_EDE3_DES][testnum]); count++) + DES_ede3_cbc_encrypt(buf, buf, lengths[testnum], + &sch, &sch2, &sch3, + &DES_iv, DES_ENCRYPT); + return count; +} +#endif + +#define MAX_BLOCK_SIZE 128 + +static unsigned char iv[2 * MAX_BLOCK_SIZE / 8]; +static AES_KEY aes_ks1, aes_ks2, aes_ks3; +static int AES_cbc_128_encrypt_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + int count; + for (count = 0; COND(c[D_CBC_128_AES][testnum]); count++) + AES_cbc_encrypt(buf, buf, + (size_t)lengths[testnum], &aes_ks1, + iv, AES_ENCRYPT); + return count; +} + +static int AES_cbc_192_encrypt_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + int count; + for (count = 0; COND(c[D_CBC_192_AES][testnum]); count++) + AES_cbc_encrypt(buf, buf, + (size_t)lengths[testnum], &aes_ks2, + iv, AES_ENCRYPT); + return count; +} + +static int AES_cbc_256_encrypt_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + int count; + for (count = 0; COND(c[D_CBC_256_AES][testnum]); count++) + AES_cbc_encrypt(buf, buf, + (size_t)lengths[testnum], &aes_ks3, + iv, AES_ENCRYPT); + return count; +} + +static int AES_ige_128_encrypt_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char *buf2 = tempargs->buf2; + int count; + for (count = 0; COND(c[D_IGE_128_AES][testnum]); count++) + AES_ige_encrypt(buf, buf2, + (size_t)lengths[testnum], &aes_ks1, + iv, AES_ENCRYPT); + return count; +} + +static int AES_ige_192_encrypt_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char *buf2 = tempargs->buf2; + int count; + for (count = 0; COND(c[D_IGE_192_AES][testnum]); count++) + AES_ige_encrypt(buf, buf2, + (size_t)lengths[testnum], &aes_ks2, + iv, AES_ENCRYPT); + return count; +} + +static int AES_ige_256_encrypt_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char *buf2 = tempargs->buf2; + int count; + for (count = 0; COND(c[D_IGE_256_AES][testnum]); count++) + AES_ige_encrypt(buf, buf2, + (size_t)lengths[testnum], &aes_ks3, + iv, AES_ENCRYPT); + return count; +} + +static int CRYPTO_gcm128_aad_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + GCM128_CONTEXT *gcm_ctx = tempargs->gcm_ctx; + int count; + for (count = 0; COND(c[D_GHASH][testnum]); count++) + CRYPTO_gcm128_aad(gcm_ctx, buf, lengths[testnum]); + return count; +} + +static long save_count = 0; +static int decrypt = 0; +static int EVP_Update_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + EVP_CIPHER_CTX *ctx = tempargs->ctx; + int outl, count; +#ifndef SIGALRM + int nb_iter = save_count * 4 * lengths[0] / lengths[testnum]; +#endif + if (decrypt) + for (count = 0; COND(nb_iter); count++) + EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); + else + for (count = 0; COND(nb_iter); count++) + EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[testnum]); + if (decrypt) + EVP_DecryptFinal_ex(ctx, buf, &outl); + else + EVP_EncryptFinal_ex(ctx, buf, &outl); + return count; +} + +static const EVP_MD *evp_md = NULL; +static int EVP_Digest_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char md[EVP_MAX_MD_SIZE]; + int count; +#ifndef SIGALRM + int nb_iter = save_count * 4 * lengths[0] / lengths[testnum]; +#endif + + for (count = 0; COND(nb_iter); count++) { + if (!EVP_Digest(buf, lengths[testnum], md, NULL, evp_md, NULL)) + return -1; + } + return count; +} + +#ifndef OPENSSL_NO_RSA +static long rsa_c[RSA_NUM][2]; /* # RSA iteration test */ + +static int RSA_sign_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char *buf2 = tempargs->buf2; + unsigned int *rsa_num = &tempargs->siglen; + RSA **rsa_key = tempargs->rsa_key; + int ret, count; + for (count = 0; COND(rsa_c[testnum][0]); count++) { + ret = RSA_sign(NID_md5_sha1, buf, 36, buf2, rsa_num, rsa_key[testnum]); + if (ret == 0) { + BIO_printf(bio_err, "RSA sign failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } + } + return count; +} + +static int RSA_verify_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char *buf2 = tempargs->buf2; + unsigned int rsa_num = tempargs->siglen; + RSA **rsa_key = tempargs->rsa_key; + int ret, count; + for (count = 0; COND(rsa_c[testnum][1]); count++) { + ret = RSA_verify(NID_md5_sha1, buf, 36, buf2, rsa_num, rsa_key[testnum]); + if (ret <= 0) { + BIO_printf(bio_err, "RSA verify failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } + } + return count; +} +#endif + +#ifndef OPENSSL_NO_DSA +static long dsa_c[DSA_NUM][2]; +static int DSA_sign_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char *buf2 = tempargs->buf2; + DSA **dsa_key = tempargs->dsa_key; + unsigned int *siglen = &tempargs->siglen; + int ret, count; + for (count = 0; COND(dsa_c[testnum][0]); count++) { + ret = DSA_sign(0, buf, 20, buf2, siglen, dsa_key[testnum]); + if (ret == 0) { + BIO_printf(bio_err, "DSA sign failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } + } + return count; +} + +static int DSA_verify_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + unsigned char *buf2 = tempargs->buf2; + DSA **dsa_key = tempargs->dsa_key; + unsigned int siglen = tempargs->siglen; + int ret, count; + for (count = 0; COND(dsa_c[testnum][1]); count++) { + ret = DSA_verify(0, buf, 20, buf2, siglen, dsa_key[testnum]); + if (ret <= 0) { + BIO_printf(bio_err, "DSA verify failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } + } + return count; +} +#endif + +#ifndef OPENSSL_NO_EC +static long ecdsa_c[EC_NUM][2]; +static int ECDSA_sign_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + EC_KEY **ecdsa = tempargs->ecdsa; + unsigned char *ecdsasig = tempargs->buf2; + unsigned int *ecdsasiglen = &tempargs->siglen; + int ret, count; + for (count = 0; COND(ecdsa_c[testnum][0]); count++) { + ret = ECDSA_sign(0, buf, 20, + ecdsasig, ecdsasiglen, ecdsa[testnum]); + if (ret == 0) { + BIO_printf(bio_err, "ECDSA sign failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } + } + return count; +} + +static int ECDSA_verify_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + unsigned char *buf = tempargs->buf; + EC_KEY **ecdsa = tempargs->ecdsa; + unsigned char *ecdsasig = tempargs->buf2; + unsigned int ecdsasiglen = tempargs->siglen; + int ret, count; + for (count = 0; COND(ecdsa_c[testnum][1]); count++) { + ret = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, + ecdsa[testnum]); + if (ret != 1) { + BIO_printf(bio_err, "ECDSA verify failure\n"); + ERR_print_errors(bio_err); + count = -1; + break; + } + } + return count; +} + +/* ******************************************************************** */ +static long ecdh_c[EC_NUM][1]; + +static int ECDH_compute_key_loop(void *args) +{ + loopargs_t *tempargs = *(loopargs_t **)args; + EC_KEY **ecdh_a = tempargs->ecdh_a; + EC_KEY **ecdh_b = tempargs->ecdh_b; + unsigned char *secret_a = tempargs->secret_a; + int count; + size_t outlen = tempargs->outlen; + kdf_fn kdf = tempargs->kdf; + + for (count = 0; COND(ecdh_c[testnum][0]); count++) { + ECDH_compute_key(secret_a, outlen, + EC_KEY_get0_public_key(ecdh_b[testnum]), + ecdh_a[testnum], kdf); + } + return count; +} + +static const size_t KDF1_SHA1_len = 20; +static void *KDF1_SHA1(const void *in, size_t inlen, void *out, + size_t *outlen) +{ + if (*outlen < SHA_DIGEST_LENGTH) + return NULL; + *outlen = SHA_DIGEST_LENGTH; + return SHA1(in, inlen, out); +} +#endif /* OPENSSL_NO_EC */ + +static int run_benchmark(int async_jobs, + int (*loop_function)(void *), loopargs_t *loopargs) +{ + int job_op_count = 0; + int total_op_count = 0; + int num_inprogress = 0; + int error = 0, i = 0, ret = 0; + OSSL_ASYNC_FD job_fd = 0; + size_t num_job_fds = 0; + + run = 1; + + if (async_jobs == 0) { + return loop_function((void *)&loopargs); + } + + for (i = 0; i < async_jobs && !error; i++) { + loopargs_t *looparg_item = loopargs + i; + + /* Copy pointer content (looparg_t item address) into async context */ + ret = ASYNC_start_job(&loopargs[i].inprogress_job, loopargs[i].wait_ctx, + &job_op_count, loop_function, + (void *)&looparg_item, sizeof(looparg_item)); + switch (ret) { + case ASYNC_PAUSE: + ++num_inprogress; + break; + case ASYNC_FINISH: + if (job_op_count == -1) { + error = 1; + } else { + total_op_count += job_op_count; + } + break; + case ASYNC_NO_JOBS: + case ASYNC_ERR: + BIO_printf(bio_err, "Failure in the job\n"); + ERR_print_errors(bio_err); + error = 1; + break; + } + } + + while (num_inprogress > 0) { +#if defined(OPENSSL_SYS_WINDOWS) + DWORD avail = 0; +#elif defined(OPENSSL_SYS_UNIX) + int select_result = 0; + OSSL_ASYNC_FD max_fd = 0; + fd_set waitfdset; + + FD_ZERO(&waitfdset); + + for (i = 0; i < async_jobs && num_inprogress > 0; i++) { + if (loopargs[i].inprogress_job == NULL) + continue; + + if (!ASYNC_WAIT_CTX_get_all_fds(loopargs[i].wait_ctx, NULL, &num_job_fds) + || num_job_fds > 1) { + BIO_printf(bio_err, "Too many fds in ASYNC_WAIT_CTX\n"); + ERR_print_errors(bio_err); + error = 1; + break; + } + ASYNC_WAIT_CTX_get_all_fds(loopargs[i].wait_ctx, &job_fd, &num_job_fds); + FD_SET(job_fd, &waitfdset); + if (job_fd > max_fd) + max_fd = job_fd; + } + + if (max_fd >= (OSSL_ASYNC_FD)FD_SETSIZE) { + BIO_printf(bio_err, + "Error: max_fd (%d) must be smaller than FD_SETSIZE (%d). " + "Decrease the value of async_jobs\n", + max_fd, FD_SETSIZE); + ERR_print_errors(bio_err); + error = 1; + break; + } + + select_result = select(max_fd + 1, &waitfdset, NULL, NULL, NULL); + if (select_result == -1 && errno == EINTR) + continue; + + if (select_result == -1) { + BIO_printf(bio_err, "Failure in the select\n"); + ERR_print_errors(bio_err); + error = 1; + break; + } + + if (select_result == 0) + continue; +#endif + + for (i = 0; i < async_jobs; i++) { + if (loopargs[i].inprogress_job == NULL) + continue; + + if (!ASYNC_WAIT_CTX_get_all_fds(loopargs[i].wait_ctx, NULL, &num_job_fds) + || num_job_fds > 1) { + BIO_printf(bio_err, "Too many fds in ASYNC_WAIT_CTX\n"); + ERR_print_errors(bio_err); + error = 1; + break; + } + ASYNC_WAIT_CTX_get_all_fds(loopargs[i].wait_ctx, &job_fd, &num_job_fds); + +#if defined(OPENSSL_SYS_UNIX) + if (num_job_fds == 1 && !FD_ISSET(job_fd, &waitfdset)) + continue; +#elif defined(OPENSSL_SYS_WINDOWS) + if (num_job_fds == 1 + && !PeekNamedPipe(job_fd, NULL, 0, NULL, &avail, NULL) + && avail > 0) + continue; +#endif + + ret = ASYNC_start_job(&loopargs[i].inprogress_job, + loopargs[i].wait_ctx, &job_op_count, loop_function, + (void *)(loopargs + i), sizeof(loopargs_t)); + switch (ret) { + case ASYNC_PAUSE: + break; + case ASYNC_FINISH: + if (job_op_count == -1) { + error = 1; + } else { + total_op_count += job_op_count; + } + --num_inprogress; + loopargs[i].inprogress_job = NULL; + break; + case ASYNC_NO_JOBS: + case ASYNC_ERR: + --num_inprogress; + loopargs[i].inprogress_job = NULL; + BIO_printf(bio_err, "Failure in the job\n"); + ERR_print_errors(bio_err); + error = 1; + break; + } + } + } + + return error ? -1 : total_op_count; +} + +int speed_main(int argc, char **argv) +{ + ENGINE *e = NULL; + loopargs_t *loopargs = NULL; + int async_init = 0; + int loopargs_len = 0; + char *prog; + const char *engine_id = NULL; + const EVP_CIPHER *evp_cipher = NULL; + double d = 0.0; + OPTION_CHOICE o; + int multiblock = 0, pr_header = 0; + int doit[ALGOR_NUM] = { 0 }; + int ret = 1, i, k, misalign = 0; + long count = 0; +#ifndef NO_FORK + int multi = 0; +#endif + unsigned int async_jobs = 0; +#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) \ + || !defined(OPENSSL_NO_EC) + long rsa_count = 1; +#endif + size_t loop; + + /* What follows are the buffers and key material. */ +#ifndef OPENSSL_NO_RC5 + RC5_32_KEY rc5_ks; +#endif +#ifndef OPENSSL_NO_RC2 + RC2_KEY rc2_ks; +#endif +#ifndef OPENSSL_NO_IDEA + IDEA_KEY_SCHEDULE idea_ks; +#endif +#ifndef OPENSSL_NO_SEED + SEED_KEY_SCHEDULE seed_ks; +#endif +#ifndef OPENSSL_NO_BF + BF_KEY bf_ks; +#endif +#ifndef OPENSSL_NO_CAST + CAST_KEY cast_ks; +#endif + static const unsigned char key16[16] = { + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 + }; + static const unsigned char key24[24] = { + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, + 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 + }; + static const unsigned char key32[32] = { + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, + 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, + 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56 + }; +#ifndef OPENSSL_NO_CAMELLIA + static const unsigned char ckey24[24] = { + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, + 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 + }; + static const unsigned char ckey32[32] = { + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, + 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, + 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56 + }; + CAMELLIA_KEY camellia_ks1, camellia_ks2, camellia_ks3; +#endif +#ifndef OPENSSL_NO_DES + static DES_cblock key = { + 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0 + }; + static DES_cblock key2 = { + 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12 + }; + static DES_cblock key3 = { + 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34 + }; +#endif +#ifndef OPENSSL_NO_RSA + static const unsigned int rsa_bits[RSA_NUM] = { + 512, 1024, 2048, 3072, 4096, 7680, 15360 + }; + static const unsigned char *rsa_data[RSA_NUM] = { + test512, test1024, test2048, test3072, test4096, test7680, test15360 + }; + static const int rsa_data_length[RSA_NUM] = { + sizeof(test512), sizeof(test1024), + sizeof(test2048), sizeof(test3072), + sizeof(test4096), sizeof(test7680), + sizeof(test15360) + }; + int rsa_doit[RSA_NUM] = { 0 }; +#endif +#ifndef OPENSSL_NO_DSA + static const unsigned int dsa_bits[DSA_NUM] = { 512, 1024, 2048 }; + int dsa_doit[DSA_NUM] = { 0 }; +#endif +#ifndef OPENSSL_NO_EC + /* + * We only test over the following curves as they are representative, To + * add tests over more curves, simply add the curve NID and curve name to + * the following arrays and increase the EC_NUM value accordingly. + */ + static const unsigned int test_curves[EC_NUM] = { + /* Prime Curves */ + NID_secp160r1, NID_X9_62_prime192v1, NID_secp224r1, + NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, + /* Binary Curves */ + NID_sect163k1, NID_sect233k1, NID_sect283k1, + NID_sect409k1, NID_sect571k1, NID_sect163r2, + NID_sect233r1, NID_sect283r1, NID_sect409r1, + NID_sect571r1, + /* Other */ + NID_X25519 + }; + static const char *test_curves_names[EC_NUM] = { + /* Prime Curves */ + "secp160r1", "nistp192", "nistp224", + "nistp256", "nistp384", "nistp521", + /* Binary Curves */ + "nistk163", "nistk233", "nistk283", + "nistk409", "nistk571", "nistb163", + "nistb233", "nistb283", "nistb409", + "nistb571", + /* Other */ + "X25519" + }; + static const int test_curves_bits[EC_NUM] = { + 160, 192, 224, + 256, 384, 521, + 163, 233, 283, + 409, 571, 163, + 233, 283, 409, + 571, 253 /* X25519 */ + }; + + int ecdsa_doit[EC_NUM] = { 0 }; + int ecdh_doit[EC_NUM] = { 0 }; +#endif /* ndef OPENSSL_NO_EC */ + + prog = opt_init(argc, argv, speed_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opterr: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(speed_options); + ret = 0; + goto end; + case OPT_ELAPSED: + usertime = 0; + break; + case OPT_EVP: + evp_md = NULL; + evp_cipher = EVP_get_cipherbyname(opt_arg()); + if (evp_cipher == NULL) + evp_md = EVP_get_digestbyname(opt_arg()); + if (evp_cipher == NULL && evp_md == NULL) { + BIO_printf(bio_err, + "%s: %s is an unknown cipher or digest\n", + prog, opt_arg()); + goto end; + } + doit[D_EVP] = 1; + break; + case OPT_DECRYPT: + decrypt = 1; + break; + case OPT_ENGINE: + /* + * In a forked execution, an engine might need to be + * initialised by each child process, not by the parent. + * So store the name here and run setup_engine() later on. + */ + engine_id = opt_arg(); + break; + case OPT_MULTI: +#ifndef NO_FORK + multi = atoi(opt_arg()); +#endif + break; + case OPT_ASYNCJOBS: +#ifndef OPENSSL_NO_ASYNC + async_jobs = atoi(opt_arg()); + if (!ASYNC_is_capable()) { + BIO_printf(bio_err, + "%s: async_jobs specified but async not supported\n", + prog); + goto opterr; + } + if (async_jobs > 99999) { + BIO_printf(bio_err, + "%s: too many async_jobs\n", + prog); + goto opterr; + } +#endif + break; + case OPT_MISALIGN: + if (!opt_int(opt_arg(), &misalign)) + goto end; + if (misalign > MISALIGN) { + BIO_printf(bio_err, + "%s: Maximum offset is %d\n", prog, MISALIGN); + goto opterr; + } + break; + case OPT_MR: + mr = 1; + break; + case OPT_MB: + multiblock = 1; +#ifdef OPENSSL_NO_MULTIBLOCK + BIO_printf(bio_err, + "%s: -mb specified but multi-block support is disabled\n", + prog); + goto end; +#endif + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + /* Remaining arguments are algorithms. */ + for ( ; *argv; argv++) { + if (found(*argv, doit_choices, &i)) { + doit[i] = 1; + continue; + } +#ifndef OPENSSL_NO_DES + if (strcmp(*argv, "des") == 0) { + doit[D_CBC_DES] = doit[D_EDE3_DES] = 1; + continue; + } +#endif + if (strcmp(*argv, "sha") == 0) { + doit[D_SHA1] = doit[D_SHA256] = doit[D_SHA512] = 1; + continue; + } +#ifndef OPENSSL_NO_RSA + if (strcmp(*argv, "openssl") == 0) + continue; + if (strcmp(*argv, "rsa") == 0) { + rsa_doit[R_RSA_512] = rsa_doit[R_RSA_1024] = + rsa_doit[R_RSA_2048] = rsa_doit[R_RSA_3072] = + rsa_doit[R_RSA_4096] = rsa_doit[R_RSA_7680] = + rsa_doit[R_RSA_15360] = 1; + continue; + } + if (found(*argv, rsa_choices, &i)) { + rsa_doit[i] = 1; + continue; + } +#endif +#ifndef OPENSSL_NO_DSA + if (strcmp(*argv, "dsa") == 0) { + dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] = + dsa_doit[R_DSA_2048] = 1; + continue; + } + if (found(*argv, dsa_choices, &i)) { + dsa_doit[i] = 2; + continue; + } +#endif + if (strcmp(*argv, "aes") == 0) { + doit[D_CBC_128_AES] = doit[D_CBC_192_AES] = + doit[D_CBC_256_AES] = 1; + continue; + } +#ifndef OPENSSL_NO_CAMELLIA + if (strcmp(*argv, "camellia") == 0) { + doit[D_CBC_128_CML] = doit[D_CBC_192_CML] = + doit[D_CBC_256_CML] = 1; + continue; + } +#endif +#ifndef OPENSSL_NO_EC + if (strcmp(*argv, "ecdsa") == 0) { + for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++) + ecdsa_doit[ecdsa_choices[loop].retval] = 1; + continue; + } + if (found(*argv, ecdsa_choices, &i)) { + ecdsa_doit[i] = 2; + continue; + } + if (strcmp(*argv, "ecdh") == 0) { + for (loop = 0; loop < OSSL_NELEM(ecdh_choices); loop++) + ecdh_doit[ecdh_choices[loop].retval] = 1; + continue; + } + if (found(*argv, ecdh_choices, &i)) { + ecdh_doit[i] = 2; + continue; + } +#endif + BIO_printf(bio_err, "%s: Unknown algorithm %s\n", prog, *argv); + goto end; + } + + /* Initialize the job pool if async mode is enabled */ + if (async_jobs > 0) { + async_init = ASYNC_init_thread(async_jobs, async_jobs); + if (!async_init) { + BIO_printf(bio_err, "Error creating the ASYNC job pool\n"); + goto end; + } + } + + loopargs_len = (async_jobs == 0 ? 1 : async_jobs); + loopargs = app_malloc(loopargs_len * sizeof(loopargs_t), "array of loopargs"); + memset(loopargs, 0, loopargs_len * sizeof(loopargs_t)); + + for (i = 0; i < loopargs_len; i++) { + if (async_jobs > 0) { + loopargs[i].wait_ctx = ASYNC_WAIT_CTX_new(); + if (loopargs[i].wait_ctx == NULL) { + BIO_printf(bio_err, "Error creating the ASYNC_WAIT_CTX\n"); + goto end; + } + } + + loopargs[i].buf_malloc = app_malloc((int)BUFSIZE + MAX_MISALIGNMENT + 1, "input buffer"); + loopargs[i].buf2_malloc = app_malloc((int)BUFSIZE + MAX_MISALIGNMENT + 1, "input buffer"); + /* Align the start of buffers on a 64 byte boundary */ + loopargs[i].buf = loopargs[i].buf_malloc + misalign; + loopargs[i].buf2 = loopargs[i].buf2_malloc + misalign; +#ifndef OPENSSL_NO_EC + loopargs[i].secret_a = app_malloc(MAX_ECDH_SIZE, "ECDH secret a"); + loopargs[i].secret_b = app_malloc(MAX_ECDH_SIZE, "ECDH secret b"); +#endif + } + +#ifndef NO_FORK + if (multi && do_multi(multi)) + goto show_res; +#endif + + /* Initialize the engine after the fork */ + e = setup_engine(engine_id, 0); + + /* No parameters; turn on everything. */ + if ((argc == 0) && !doit[D_EVP]) { + for (i = 0; i < ALGOR_NUM; i++) + if (i != D_EVP) + doit[i] = 1; +#ifndef OPENSSL_NO_RSA + for (i = 0; i < RSA_NUM; i++) + rsa_doit[i] = 1; +#endif +#ifndef OPENSSL_NO_DSA + for (i = 0; i < DSA_NUM; i++) + dsa_doit[i] = 1; +#endif +#ifndef OPENSSL_NO_EC + for (loop = 0; loop < OSSL_NELEM(ecdsa_choices); loop++) + ecdsa_doit[ecdsa_choices[loop].retval] = 1; + for (loop = 0; loop < OSSL_NELEM(ecdh_choices); loop++) + ecdh_doit[ecdh_choices[loop].retval] = 1; +#endif + } + for (i = 0; i < ALGOR_NUM; i++) + if (doit[i]) + pr_header++; + + if (usertime == 0 && !mr) + BIO_printf(bio_err, + "You have chosen to measure elapsed time " + "instead of user CPU time.\n"); + +#ifndef OPENSSL_NO_RSA + for (i = 0; i < loopargs_len; i++) { + for (k = 0; k < RSA_NUM; k++) { + const unsigned char *p; + + p = rsa_data[k]; + loopargs[i].rsa_key[k] = d2i_RSAPrivateKey(NULL, &p, rsa_data_length[k]); + if (loopargs[i].rsa_key[k] == NULL) { + BIO_printf(bio_err, "internal error loading RSA key number %d\n", + k); + goto end; + } + } + } +#endif +#ifndef OPENSSL_NO_DSA + for (i = 0; i < loopargs_len; i++) { + loopargs[i].dsa_key[0] = get_dsa512(); + loopargs[i].dsa_key[1] = get_dsa1024(); + loopargs[i].dsa_key[2] = get_dsa2048(); + } +#endif +#ifndef OPENSSL_NO_DES + DES_set_key_unchecked(&key, &sch); + DES_set_key_unchecked(&key2, &sch2); + DES_set_key_unchecked(&key3, &sch3); +#endif + AES_set_encrypt_key(key16, 128, &aes_ks1); + AES_set_encrypt_key(key24, 192, &aes_ks2); + AES_set_encrypt_key(key32, 256, &aes_ks3); +#ifndef OPENSSL_NO_CAMELLIA + Camellia_set_key(key16, 128, &camellia_ks1); + Camellia_set_key(ckey24, 192, &camellia_ks2); + Camellia_set_key(ckey32, 256, &camellia_ks3); +#endif +#ifndef OPENSSL_NO_IDEA + IDEA_set_encrypt_key(key16, &idea_ks); +#endif +#ifndef OPENSSL_NO_SEED + SEED_set_key(key16, &seed_ks); +#endif +#ifndef OPENSSL_NO_RC4 + RC4_set_key(&rc4_ks, 16, key16); +#endif +#ifndef OPENSSL_NO_RC2 + RC2_set_key(&rc2_ks, 16, key16, 128); +#endif +#ifndef OPENSSL_NO_RC5 + RC5_32_set_key(&rc5_ks, 16, key16, 12); +#endif +#ifndef OPENSSL_NO_BF + BF_set_key(&bf_ks, 16, key16); +#endif +#ifndef OPENSSL_NO_CAST + CAST_set_key(&cast_ks, 16, key16); +#endif +#ifndef SIGALRM +# ifndef OPENSSL_NO_DES + BIO_printf(bio_err, "First we calculate the approximate speed ...\n"); + count = 10; + do { + long it; + count *= 2; + Time_F(START); + for (it = count; it; it--) + DES_ecb_encrypt((DES_cblock *)loopargs[0].buf, + (DES_cblock *)loopargs[0].buf, &sch, DES_ENCRYPT); + d = Time_F(STOP); + } while (d < 3); + save_count = count; + c[D_MD2][0] = count / 10; + c[D_MDC2][0] = count / 10; + c[D_MD4][0] = count; + c[D_MD5][0] = count; + c[D_HMAC][0] = count; + c[D_SHA1][0] = count; + c[D_RMD160][0] = count; + c[D_RC4][0] = count * 5; + c[D_CBC_DES][0] = count; + c[D_EDE3_DES][0] = count / 3; + c[D_CBC_IDEA][0] = count; + c[D_CBC_SEED][0] = count; + c[D_CBC_RC2][0] = count; + c[D_CBC_RC5][0] = count; + c[D_CBC_BF][0] = count; + c[D_CBC_CAST][0] = count; + c[D_CBC_128_AES][0] = count; + c[D_CBC_192_AES][0] = count; + c[D_CBC_256_AES][0] = count; + c[D_CBC_128_CML][0] = count; + c[D_CBC_192_CML][0] = count; + c[D_CBC_256_CML][0] = count; + c[D_SHA256][0] = count; + c[D_SHA512][0] = count; + c[D_WHIRLPOOL][0] = count; + c[D_IGE_128_AES][0] = count; + c[D_IGE_192_AES][0] = count; + c[D_IGE_256_AES][0] = count; + c[D_GHASH][0] = count; + + for (i = 1; i < SIZE_NUM; i++) { + long l0, l1; + + l0 = (long)lengths[0]; + l1 = (long)lengths[i]; + + c[D_MD2][i] = c[D_MD2][0] * 4 * l0 / l1; + c[D_MDC2][i] = c[D_MDC2][0] * 4 * l0 / l1; + c[D_MD4][i] = c[D_MD4][0] * 4 * l0 / l1; + c[D_MD5][i] = c[D_MD5][0] * 4 * l0 / l1; + c[D_HMAC][i] = c[D_HMAC][0] * 4 * l0 / l1; + c[D_SHA1][i] = c[D_SHA1][0] * 4 * l0 / l1; + c[D_RMD160][i] = c[D_RMD160][0] * 4 * l0 / l1; + c[D_SHA256][i] = c[D_SHA256][0] * 4 * l0 / l1; + c[D_SHA512][i] = c[D_SHA512][0] * 4 * l0 / l1; + c[D_WHIRLPOOL][i] = c[D_WHIRLPOOL][0] * 4 * l0 / l1; + c[D_GHASH][i] = c[D_GHASH][0] * 4 * l0 / l1; + + l0 = (long)lengths[i - 1]; + + c[D_RC4][i] = c[D_RC4][i - 1] * l0 / l1; + c[D_CBC_DES][i] = c[D_CBC_DES][i - 1] * l0 / l1; + c[D_EDE3_DES][i] = c[D_EDE3_DES][i - 1] * l0 / l1; + c[D_CBC_IDEA][i] = c[D_CBC_IDEA][i - 1] * l0 / l1; + c[D_CBC_SEED][i] = c[D_CBC_SEED][i - 1] * l0 / l1; + c[D_CBC_RC2][i] = c[D_CBC_RC2][i - 1] * l0 / l1; + c[D_CBC_RC5][i] = c[D_CBC_RC5][i - 1] * l0 / l1; + c[D_CBC_BF][i] = c[D_CBC_BF][i - 1] * l0 / l1; + c[D_CBC_CAST][i] = c[D_CBC_CAST][i - 1] * l0 / l1; + c[D_CBC_128_AES][i] = c[D_CBC_128_AES][i - 1] * l0 / l1; + c[D_CBC_192_AES][i] = c[D_CBC_192_AES][i - 1] * l0 / l1; + c[D_CBC_256_AES][i] = c[D_CBC_256_AES][i - 1] * l0 / l1; + c[D_CBC_128_CML][i] = c[D_CBC_128_CML][i - 1] * l0 / l1; + c[D_CBC_192_CML][i] = c[D_CBC_192_CML][i - 1] * l0 / l1; + c[D_CBC_256_CML][i] = c[D_CBC_256_CML][i - 1] * l0 / l1; + c[D_IGE_128_AES][i] = c[D_IGE_128_AES][i - 1] * l0 / l1; + c[D_IGE_192_AES][i] = c[D_IGE_192_AES][i - 1] * l0 / l1; + c[D_IGE_256_AES][i] = c[D_IGE_256_AES][i - 1] * l0 / l1; + } + +# ifndef OPENSSL_NO_RSA + rsa_c[R_RSA_512][0] = count / 2000; + rsa_c[R_RSA_512][1] = count / 400; + for (i = 1; i < RSA_NUM; i++) { + rsa_c[i][0] = rsa_c[i - 1][0] / 8; + rsa_c[i][1] = rsa_c[i - 1][1] / 4; + if (rsa_doit[i] <= 1 && rsa_c[i][0] == 0) + rsa_doit[i] = 0; + else { + if (rsa_c[i][0] == 0) { + rsa_c[i][0] = 1; /* Set minimum iteration Nb to 1. */ + rsa_c[i][1] = 20; + } + } + } +# endif + +# ifndef OPENSSL_NO_DSA + dsa_c[R_DSA_512][0] = count / 1000; + dsa_c[R_DSA_512][1] = count / 1000 / 2; + for (i = 1; i < DSA_NUM; i++) { + dsa_c[i][0] = dsa_c[i - 1][0] / 4; + dsa_c[i][1] = dsa_c[i - 1][1] / 4; + if (dsa_doit[i] <= 1 && dsa_c[i][0] == 0) + dsa_doit[i] = 0; + else { + if (dsa_c[i][0] == 0) { + dsa_c[i][0] = 1; /* Set minimum iteration Nb to 1. */ + dsa_c[i][1] = 1; + } + } + } +# endif + +# ifndef OPENSSL_NO_EC + ecdsa_c[R_EC_P160][0] = count / 1000; + ecdsa_c[R_EC_P160][1] = count / 1000 / 2; + for (i = R_EC_P192; i <= R_EC_P521; i++) { + ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; + ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; + if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) + ecdsa_doit[i] = 0; + else { + if (ecdsa_c[i][0] == 0) { + ecdsa_c[i][0] = 1; + ecdsa_c[i][1] = 1; + } + } + } + ecdsa_c[R_EC_K163][0] = count / 1000; + ecdsa_c[R_EC_K163][1] = count / 1000 / 2; + for (i = R_EC_K233; i <= R_EC_K571; i++) { + ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; + ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; + if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) + ecdsa_doit[i] = 0; + else { + if (ecdsa_c[i][0] == 0) { + ecdsa_c[i][0] = 1; + ecdsa_c[i][1] = 1; + } + } + } + ecdsa_c[R_EC_B163][0] = count / 1000; + ecdsa_c[R_EC_B163][1] = count / 1000 / 2; + for (i = R_EC_B233; i <= R_EC_B571; i++) { + ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; + ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; + if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) + ecdsa_doit[i] = 0; + else { + if (ecdsa_c[i][0] == 0) { + ecdsa_c[i][0] = 1; + ecdsa_c[i][1] = 1; + } + } + } + + ecdh_c[R_EC_P160][0] = count / 1000; + for (i = R_EC_P192; i <= R_EC_P521; i++) { + ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; + if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) + ecdh_doit[i] = 0; + else { + if (ecdh_c[i][0] == 0) { + ecdh_c[i][0] = 1; + } + } + } + ecdh_c[R_EC_K163][0] = count / 1000; + for (i = R_EC_K233; i <= R_EC_K571; i++) { + ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; + if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) + ecdh_doit[i] = 0; + else { + if (ecdh_c[i][0] == 0) { + ecdh_c[i][0] = 1; + } + } + } + ecdh_c[R_EC_B163][0] = count / 1000; + for (i = R_EC_B233; i <= R_EC_B571; i++) { + ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; + if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) + ecdh_doit[i] = 0; + else { + if (ecdh_c[i][0] == 0) { + ecdh_c[i][0] = 1; + } + } + } +# endif + +# else +/* not worth fixing */ +# error "You cannot disable DES on systems without SIGALRM." +# endif /* OPENSSL_NO_DES */ +#else +# ifndef _WIN32 + signal(SIGALRM, sig_done); +# endif +#endif /* SIGALRM */ + +#ifndef OPENSSL_NO_MD2 + if (doit[D_MD2]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_MD2], c[D_MD2][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, EVP_Digest_MD2_loop, loopargs); + d = Time_F(STOP); + print_result(D_MD2, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_MDC2 + if (doit[D_MDC2]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_MDC2], c[D_MDC2][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, EVP_Digest_MDC2_loop, loopargs); + d = Time_F(STOP); + print_result(D_MDC2, testnum, count, d); + } + } +#endif + +#ifndef OPENSSL_NO_MD4 + if (doit[D_MD4]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_MD4], c[D_MD4][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, EVP_Digest_MD4_loop, loopargs); + d = Time_F(STOP); + print_result(D_MD4, testnum, count, d); + } + } +#endif + +#ifndef OPENSSL_NO_MD5 + if (doit[D_MD5]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_MD5], c[D_MD5][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, MD5_loop, loopargs); + d = Time_F(STOP); + print_result(D_MD5, testnum, count, d); + } + } + + if (doit[D_HMAC]) { + static const char hmac_key[] = "This is a key..."; + int len = strlen(hmac_key); + + for (i = 0; i < loopargs_len; i++) { + loopargs[i].hctx = HMAC_CTX_new(); + if (loopargs[i].hctx == NULL) { + BIO_printf(bio_err, "HMAC malloc failure, exiting..."); + exit(1); + } + + HMAC_Init_ex(loopargs[i].hctx, hmac_key, len, EVP_md5(), NULL); + } + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_HMAC], c[D_HMAC][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, HMAC_loop, loopargs); + d = Time_F(STOP); + print_result(D_HMAC, testnum, count, d); + } + for (i = 0; i < loopargs_len; i++) { + HMAC_CTX_free(loopargs[i].hctx); + } + } +#endif + if (doit[D_SHA1]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_SHA1], c[D_SHA1][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, SHA1_loop, loopargs); + d = Time_F(STOP); + print_result(D_SHA1, testnum, count, d); + } + } + if (doit[D_SHA256]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_SHA256], c[D_SHA256][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, SHA256_loop, loopargs); + d = Time_F(STOP); + print_result(D_SHA256, testnum, count, d); + } + } + if (doit[D_SHA512]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_SHA512], c[D_SHA512][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, SHA512_loop, loopargs); + d = Time_F(STOP); + print_result(D_SHA512, testnum, count, d); + } + } + +#ifndef OPENSSL_NO_WHIRLPOOL + if (doit[D_WHIRLPOOL]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_WHIRLPOOL], c[D_WHIRLPOOL][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, WHIRLPOOL_loop, loopargs); + d = Time_F(STOP); + print_result(D_WHIRLPOOL, testnum, count, d); + } + } +#endif + +#ifndef OPENSSL_NO_RMD160 + if (doit[D_RMD160]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_RMD160], c[D_RMD160][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, EVP_Digest_RMD160_loop, loopargs); + d = Time_F(STOP); + print_result(D_RMD160, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_RC4 + if (doit[D_RC4]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_RC4], c[D_RC4][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, RC4_loop, loopargs); + d = Time_F(STOP); + print_result(D_RC4, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_DES + if (doit[D_CBC_DES]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_CBC_DES], c[D_CBC_DES][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, DES_ncbc_encrypt_loop, loopargs); + d = Time_F(STOP); + print_result(D_CBC_DES, testnum, count, d); + } + } + + if (doit[D_EDE3_DES]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_EDE3_DES], c[D_EDE3_DES][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, DES_ede3_cbc_encrypt_loop, loopargs); + d = Time_F(STOP); + print_result(D_EDE3_DES, testnum, count, d); + } + } +#endif + + if (doit[D_CBC_128_AES]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_CBC_128_AES], c[D_CBC_128_AES][testnum], + lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, AES_cbc_128_encrypt_loop, loopargs); + d = Time_F(STOP); + print_result(D_CBC_128_AES, testnum, count, d); + } + } + if (doit[D_CBC_192_AES]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_CBC_192_AES], c[D_CBC_192_AES][testnum], + lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, AES_cbc_192_encrypt_loop, loopargs); + d = Time_F(STOP); + print_result(D_CBC_192_AES, testnum, count, d); + } + } + if (doit[D_CBC_256_AES]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_CBC_256_AES], c[D_CBC_256_AES][testnum], + lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, AES_cbc_256_encrypt_loop, loopargs); + d = Time_F(STOP); + print_result(D_CBC_256_AES, testnum, count, d); + } + } + + if (doit[D_IGE_128_AES]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][testnum], + lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, AES_ige_128_encrypt_loop, loopargs); + d = Time_F(STOP); + print_result(D_IGE_128_AES, testnum, count, d); + } + } + if (doit[D_IGE_192_AES]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_IGE_192_AES], c[D_IGE_192_AES][testnum], + lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, AES_ige_192_encrypt_loop, loopargs); + d = Time_F(STOP); + print_result(D_IGE_192_AES, testnum, count, d); + } + } + if (doit[D_IGE_256_AES]) { + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_IGE_256_AES], c[D_IGE_256_AES][testnum], + lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, AES_ige_256_encrypt_loop, loopargs); + d = Time_F(STOP); + print_result(D_IGE_256_AES, testnum, count, d); + } + } + if (doit[D_GHASH]) { + for (i = 0; i < loopargs_len; i++) { + loopargs[i].gcm_ctx = CRYPTO_gcm128_new(&aes_ks1, (block128_f) AES_encrypt); + CRYPTO_gcm128_setiv(loopargs[i].gcm_ctx, (unsigned char *)"0123456789ab", 12); + } + + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + print_message(names[D_GHASH], c[D_GHASH][testnum], lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, CRYPTO_gcm128_aad_loop, loopargs); + d = Time_F(STOP); + print_result(D_GHASH, testnum, count, d); + } + for (i = 0; i < loopargs_len; i++) + CRYPTO_gcm128_release(loopargs[i].gcm_ctx); + } + +#ifndef OPENSSL_NO_CAMELLIA + if (doit[D_CBC_128_CML]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_128_CML]); + doit[D_CBC_128_CML] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_128_CML], c[D_CBC_128_CML][testnum], + lengths[testnum]); + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_128_CML][testnum]); count++) + Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &camellia_ks1, + iv, CAMELLIA_ENCRYPT); + d = Time_F(STOP); + print_result(D_CBC_128_CML, testnum, count, d); + } + } + if (doit[D_CBC_192_CML]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_192_CML]); + doit[D_CBC_192_CML] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_192_CML], c[D_CBC_192_CML][testnum], + lengths[testnum]); + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported, exiting..."); + exit(1); + } + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_192_CML][testnum]); count++) + Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &camellia_ks2, + iv, CAMELLIA_ENCRYPT); + d = Time_F(STOP); + print_result(D_CBC_192_CML, testnum, count, d); + } + } + if (doit[D_CBC_256_CML]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_256_CML]); + doit[D_CBC_256_CML] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_256_CML], c[D_CBC_256_CML][testnum], + lengths[testnum]); + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_256_CML][testnum]); count++) + Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &camellia_ks3, + iv, CAMELLIA_ENCRYPT); + d = Time_F(STOP); + print_result(D_CBC_256_CML, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_IDEA + if (doit[D_CBC_IDEA]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_IDEA]); + doit[D_CBC_IDEA] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_IDEA], c[D_CBC_IDEA][testnum], lengths[testnum]); + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_IDEA][testnum]); count++) + IDEA_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &idea_ks, + iv, IDEA_ENCRYPT); + d = Time_F(STOP); + print_result(D_CBC_IDEA, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_SEED + if (doit[D_CBC_SEED]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_SEED]); + doit[D_CBC_SEED] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_SEED], c[D_CBC_SEED][testnum], lengths[testnum]); + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_SEED][testnum]); count++) + SEED_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &seed_ks, iv, 1); + d = Time_F(STOP); + print_result(D_CBC_SEED, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_RC2 + if (doit[D_CBC_RC2]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_RC2]); + doit[D_CBC_RC2] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_RC2], c[D_CBC_RC2][testnum], lengths[testnum]); + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported, exiting..."); + exit(1); + } + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_RC2][testnum]); count++) + RC2_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &rc2_ks, + iv, RC2_ENCRYPT); + d = Time_F(STOP); + print_result(D_CBC_RC2, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_RC5 + if (doit[D_CBC_RC5]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_RC5]); + doit[D_CBC_RC5] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_RC5], c[D_CBC_RC5][testnum], lengths[testnum]); + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported, exiting..."); + exit(1); + } + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_RC5][testnum]); count++) + RC5_32_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &rc5_ks, + iv, RC5_ENCRYPT); + d = Time_F(STOP); + print_result(D_CBC_RC5, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_BF + if (doit[D_CBC_BF]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_BF]); + doit[D_CBC_BF] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_BF], c[D_CBC_BF][testnum], lengths[testnum]); + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_BF][testnum]); count++) + BF_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &bf_ks, + iv, BF_ENCRYPT); + d = Time_F(STOP); + print_result(D_CBC_BF, testnum, count, d); + } + } +#endif +#ifndef OPENSSL_NO_CAST + if (doit[D_CBC_CAST]) { + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported with %s\n", + names[D_CBC_CAST]); + doit[D_CBC_CAST] = 0; + } + for (testnum = 0; testnum < SIZE_NUM && async_init == 0; testnum++) { + print_message(names[D_CBC_CAST], c[D_CBC_CAST][testnum], lengths[testnum]); + Time_F(START); + for (count = 0, run = 1; COND(c[D_CBC_CAST][testnum]); count++) + CAST_cbc_encrypt(loopargs[0].buf, loopargs[0].buf, + (size_t)lengths[testnum], &cast_ks, + iv, CAST_ENCRYPT); + d = Time_F(STOP); + print_result(D_CBC_CAST, testnum, count, d); + } + } +#endif + + if (doit[D_EVP]) { + if (multiblock && evp_cipher) { + if (! + (EVP_CIPHER_flags(evp_cipher) & + EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) { + BIO_printf(bio_err, "%s is not multi-block capable\n", + OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher))); + goto end; + } + if (async_jobs > 0) { + BIO_printf(bio_err, "Async mode is not supported, exiting..."); + exit(1); + } + multiblock_speed(evp_cipher); + ret = 0; + goto end; + } + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + if (evp_cipher) { + + names[D_EVP] = OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher)); + /* + * -O3 -fschedule-insns messes up an optimization here! + * names[D_EVP] somehow becomes NULL + */ + print_message(names[D_EVP], save_count, lengths[testnum]); + + for (k = 0; k < loopargs_len; k++) { + loopargs[k].ctx = EVP_CIPHER_CTX_new(); + if (decrypt) + EVP_DecryptInit_ex(loopargs[k].ctx, evp_cipher, NULL, key16, iv); + else + EVP_EncryptInit_ex(loopargs[k].ctx, evp_cipher, NULL, key16, iv); + EVP_CIPHER_CTX_set_padding(loopargs[k].ctx, 0); + } + + Time_F(START); + count = run_benchmark(async_jobs, EVP_Update_loop, loopargs); + d = Time_F(STOP); + for (k = 0; k < loopargs_len; k++) { + EVP_CIPHER_CTX_free(loopargs[k].ctx); + } + } + if (evp_md) { + names[D_EVP] = OBJ_nid2ln(EVP_MD_type(evp_md)); + print_message(names[D_EVP], save_count, lengths[testnum]); + Time_F(START); + count = run_benchmark(async_jobs, EVP_Digest_loop, loopargs); + d = Time_F(STOP); + } + print_result(D_EVP, testnum, count, d); + } + } + + for (i = 0; i < loopargs_len; i++) + RAND_bytes(loopargs[i].buf, 36); + +#ifndef OPENSSL_NO_RSA + for (testnum = 0; testnum < RSA_NUM; testnum++) { + int st = 0; + if (!rsa_doit[testnum]) + continue; + for (i = 0; i < loopargs_len; i++) { + st = RSA_sign(NID_md5_sha1, loopargs[i].buf, 36, loopargs[i].buf2, + &loopargs[i].siglen, loopargs[i].rsa_key[testnum]); + if (st == 0) + break; + } + if (st == 0) { + BIO_printf(bio_err, + "RSA sign failure. No RSA sign will be done.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + pkey_print_message("private", "rsa", + rsa_c[testnum][0], rsa_bits[testnum], RSA_SECONDS); + /* RSA_blinding_on(rsa_key[testnum],NULL); */ + Time_F(START); + count = run_benchmark(async_jobs, RSA_sign_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R1:%ld:%d:%.2f\n" + : "%ld %d bit private RSA's in %.2fs\n", + count, rsa_bits[testnum], d); + rsa_results[testnum][0] = d / (double)count; + rsa_count = count; + } + + for (i = 0; i < loopargs_len; i++) { + st = RSA_verify(NID_md5_sha1, loopargs[i].buf, 36, loopargs[i].buf2, + loopargs[i].siglen, loopargs[i].rsa_key[testnum]); + if (st <= 0) + break; + } + if (st <= 0) { + BIO_printf(bio_err, + "RSA verify failure. No RSA verify will be done.\n"); + ERR_print_errors(bio_err); + rsa_doit[testnum] = 0; + } else { + pkey_print_message("public", "rsa", + rsa_c[testnum][1], rsa_bits[testnum], RSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, RSA_verify_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R2:%ld:%d:%.2f\n" + : "%ld %d bit public RSA's in %.2fs\n", + count, rsa_bits[testnum], d); + rsa_results[testnum][1] = d / (double)count; + } + + if (rsa_count <= 1) { + /* if longer than 10s, don't do any more */ + for (testnum++; testnum < RSA_NUM; testnum++) + rsa_doit[testnum] = 0; + } + } +#endif /* OPENSSL_NO_RSA */ + + for (i = 0; i < loopargs_len; i++) + RAND_bytes(loopargs[i].buf, 36); + +#ifndef OPENSSL_NO_DSA + if (RAND_status() != 1) { + RAND_seed(rnd_seed, sizeof(rnd_seed)); + } + for (testnum = 0; testnum < DSA_NUM; testnum++) { + int st = 0; + if (!dsa_doit[testnum]) + continue; + + /* DSA_generate_key(dsa_key[testnum]); */ + /* DSA_sign_setup(dsa_key[testnum],NULL); */ + for (i = 0; i < loopargs_len; i++) { + st = DSA_sign(0, loopargs[i].buf, 20, loopargs[i].buf2, + &loopargs[i].siglen, loopargs[i].dsa_key[testnum]); + if (st == 0) + break; + } + if (st == 0) { + BIO_printf(bio_err, + "DSA sign failure. No DSA sign will be done.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + pkey_print_message("sign", "dsa", + dsa_c[testnum][0], dsa_bits[testnum], DSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, DSA_sign_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R3:%ld:%d:%.2f\n" + : "%ld %d bit DSA signs in %.2fs\n", + count, dsa_bits[testnum], d); + dsa_results[testnum][0] = d / (double)count; + rsa_count = count; + } + + for (i = 0; i < loopargs_len; i++) { + st = DSA_verify(0, loopargs[i].buf, 20, loopargs[i].buf2, + loopargs[i].siglen, loopargs[i].dsa_key[testnum]); + if (st <= 0) + break; + } + if (st <= 0) { + BIO_printf(bio_err, + "DSA verify failure. No DSA verify will be done.\n"); + ERR_print_errors(bio_err); + dsa_doit[testnum] = 0; + } else { + pkey_print_message("verify", "dsa", + dsa_c[testnum][1], dsa_bits[testnum], DSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, DSA_verify_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R4:%ld:%d:%.2f\n" + : "%ld %d bit DSA verify in %.2fs\n", + count, dsa_bits[testnum], d); + dsa_results[testnum][1] = d / (double)count; + } + + if (rsa_count <= 1) { + /* if longer than 10s, don't do any more */ + for (testnum++; testnum < DSA_NUM; testnum++) + dsa_doit[testnum] = 0; + } + } +#endif /* OPENSSL_NO_DSA */ + +#ifndef OPENSSL_NO_EC + if (RAND_status() != 1) { + RAND_seed(rnd_seed, sizeof(rnd_seed)); + } + for (testnum = 0; testnum < EC_NUM; testnum++) { + int st = 1; + + if (!ecdsa_doit[testnum]) + continue; /* Ignore Curve */ + for (i = 0; i < loopargs_len; i++) { + loopargs[i].ecdsa[testnum] = EC_KEY_new_by_curve_name(test_curves[testnum]); + if (loopargs[i].ecdsa[testnum] == NULL) { + st = 0; + break; + } + } + if (st == 0) { + BIO_printf(bio_err, "ECDSA failure.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + for (i = 0; i < loopargs_len; i++) { + EC_KEY_precompute_mult(loopargs[i].ecdsa[testnum], NULL); + /* Perform ECDSA signature test */ + EC_KEY_generate_key(loopargs[i].ecdsa[testnum]); + st = ECDSA_sign(0, loopargs[i].buf, 20, loopargs[i].buf2, + &loopargs[i].siglen, loopargs[i].ecdsa[testnum]); + if (st == 0) + break; + } + if (st == 0) { + BIO_printf(bio_err, + "ECDSA sign failure. No ECDSA sign will be done.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + pkey_print_message("sign", "ecdsa", + ecdsa_c[testnum][0], + test_curves_bits[testnum], ECDSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, ECDSA_sign_loop, loopargs); + d = Time_F(STOP); + + BIO_printf(bio_err, + mr ? "+R5:%ld:%d:%.2f\n" : + "%ld %d bit ECDSA signs in %.2fs \n", + count, test_curves_bits[testnum], d); + ecdsa_results[testnum][0] = d / (double)count; + rsa_count = count; + } + + /* Perform ECDSA verification test */ + for (i = 0; i < loopargs_len; i++) { + st = ECDSA_verify(0, loopargs[i].buf, 20, loopargs[i].buf2, + loopargs[i].siglen, loopargs[i].ecdsa[testnum]); + if (st != 1) + break; + } + if (st != 1) { + BIO_printf(bio_err, + "ECDSA verify failure. No ECDSA verify will be done.\n"); + ERR_print_errors(bio_err); + ecdsa_doit[testnum] = 0; + } else { + pkey_print_message("verify", "ecdsa", + ecdsa_c[testnum][1], + test_curves_bits[testnum], ECDSA_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, ECDSA_verify_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R6:%ld:%d:%.2f\n" + : "%ld %d bit ECDSA verify in %.2fs\n", + count, test_curves_bits[testnum], d); + ecdsa_results[testnum][1] = d / (double)count; + } + + if (rsa_count <= 1) { + /* if longer than 10s, don't do any more */ + for (testnum++; testnum < EC_NUM; testnum++) + ecdsa_doit[testnum] = 0; + } + } + } + + if (RAND_status() != 1) { + RAND_seed(rnd_seed, sizeof(rnd_seed)); + } + for (testnum = 0; testnum < EC_NUM; testnum++) { + int ecdh_checks = 1; + + if (!ecdh_doit[testnum]) + continue; + for (i = 0; i < loopargs_len; i++) { + loopargs[i].ecdh_a[testnum] = EC_KEY_new_by_curve_name(test_curves[testnum]); + loopargs[i].ecdh_b[testnum] = EC_KEY_new_by_curve_name(test_curves[testnum]); + if (loopargs[i].ecdh_a[testnum] == NULL || + loopargs[i].ecdh_b[testnum] == NULL) { + ecdh_checks = 0; + break; + } + } + if (ecdh_checks == 0) { + BIO_printf(bio_err, "ECDH failure.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + } else { + for (i = 0; i < loopargs_len; i++) { + /* generate two ECDH key pairs */ + if (!EC_KEY_generate_key(loopargs[i].ecdh_a[testnum]) || + !EC_KEY_generate_key(loopargs[i].ecdh_b[testnum])) { + BIO_printf(bio_err, "ECDH key generation failure.\n"); + ERR_print_errors(bio_err); + ecdh_checks = 0; + rsa_count = 1; + } else { + int secret_size_a, secret_size_b; + /* + * If field size is not more than 24 octets, then use SHA-1 + * hash of result; otherwise, use result (see section 4.8 of + * draft-ietf-tls-ecc-03.txt). + */ + int field_size = EC_GROUP_get_degree( + EC_KEY_get0_group(loopargs[i].ecdh_a[testnum])); + + if (field_size <= 24 * 8) { /* 192 bits */ + loopargs[i].outlen = KDF1_SHA1_len; + loopargs[i].kdf = KDF1_SHA1; + } else { + loopargs[i].outlen = (field_size + 7) / 8; + loopargs[i].kdf = NULL; + } + secret_size_a = + ECDH_compute_key(loopargs[i].secret_a, loopargs[i].outlen, + EC_KEY_get0_public_key(loopargs[i].ecdh_b[testnum]), + loopargs[i].ecdh_a[testnum], loopargs[i].kdf); + secret_size_b = + ECDH_compute_key(loopargs[i].secret_b, loopargs[i].outlen, + EC_KEY_get0_public_key(loopargs[i].ecdh_a[testnum]), + loopargs[i].ecdh_b[testnum], loopargs[i].kdf); + if (secret_size_a != secret_size_b) + ecdh_checks = 0; + else + ecdh_checks = 1; + + for (k = 0; k < secret_size_a && ecdh_checks == 1; k++) { + if (loopargs[i].secret_a[k] != loopargs[i].secret_b[k]) + ecdh_checks = 0; + } + + if (ecdh_checks == 0) { + BIO_printf(bio_err, "ECDH computations don't match.\n"); + ERR_print_errors(bio_err); + rsa_count = 1; + break; + } + } + } + if (ecdh_checks != 0) { + pkey_print_message("", "ecdh", + ecdh_c[testnum][0], + test_curves_bits[testnum], ECDH_SECONDS); + Time_F(START); + count = run_benchmark(async_jobs, ECDH_compute_key_loop, loopargs); + d = Time_F(STOP); + BIO_printf(bio_err, + mr ? "+R7:%ld:%d:%.2f\n" : + "%ld %d-bit ECDH ops in %.2fs\n", count, + test_curves_bits[testnum], d); + ecdh_results[testnum][0] = d / (double)count; + rsa_count = count; + } + } + + if (rsa_count <= 1) { + /* if longer than 10s, don't do any more */ + for (testnum++; testnum < EC_NUM; testnum++) + ecdh_doit[testnum] = 0; + } + } +#endif /* OPENSSL_NO_EC */ +#ifndef NO_FORK + show_res: +#endif + if (!mr) { + printf("%s\n", OpenSSL_version(OPENSSL_VERSION)); + printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON)); + printf("options:"); + printf("%s ", BN_options()); +#ifndef OPENSSL_NO_MD2 + printf("%s ", MD2_options()); +#endif +#ifndef OPENSSL_NO_RC4 + printf("%s ", RC4_options()); +#endif +#ifndef OPENSSL_NO_DES + printf("%s ", DES_options()); +#endif + printf("%s ", AES_options()); +#ifndef OPENSSL_NO_IDEA + printf("%s ", IDEA_options()); +#endif +#ifndef OPENSSL_NO_BF + printf("%s ", BF_options()); +#endif + printf("\n%s\n", OpenSSL_version(OPENSSL_CFLAGS)); + } + + if (pr_header) { + if (mr) + printf("+H"); + else { + printf + ("The 'numbers' are in 1000s of bytes per second processed.\n"); + printf("type "); + } + for (testnum = 0; testnum < SIZE_NUM; testnum++) + printf(mr ? ":%d" : "%7d bytes", lengths[testnum]); + printf("\n"); + } + + for (k = 0; k < ALGOR_NUM; k++) { + if (!doit[k]) + continue; + if (mr) + printf("+F:%d:%s", k, names[k]); + else + printf("%-13s", names[k]); + for (testnum = 0; testnum < SIZE_NUM; testnum++) { + if (results[k][testnum] > 10000 && !mr) + printf(" %11.2fk", results[k][testnum] / 1e3); + else + printf(mr ? ":%.2f" : " %11.2f ", results[k][testnum]); + } + printf("\n"); + } +#ifndef OPENSSL_NO_RSA + testnum = 1; + for (k = 0; k < RSA_NUM; k++) { + if (!rsa_doit[k]) + continue; + if (testnum && !mr) { + printf("%18ssign verify sign/s verify/s\n", " "); + testnum = 0; + } + if (mr) + printf("+F2:%u:%u:%f:%f\n", + k, rsa_bits[k], rsa_results[k][0], rsa_results[k][1]); + else + printf("rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n", + rsa_bits[k], rsa_results[k][0], rsa_results[k][1], + 1.0 / rsa_results[k][0], 1.0 / rsa_results[k][1]); + } +#endif +#ifndef OPENSSL_NO_DSA + testnum = 1; + for (k = 0; k < DSA_NUM; k++) { + if (!dsa_doit[k]) + continue; + if (testnum && !mr) { + printf("%18ssign verify sign/s verify/s\n", " "); + testnum = 0; + } + if (mr) + printf("+F3:%u:%u:%f:%f\n", + k, dsa_bits[k], dsa_results[k][0], dsa_results[k][1]); + else + printf("dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n", + dsa_bits[k], dsa_results[k][0], dsa_results[k][1], + 1.0 / dsa_results[k][0], 1.0 / dsa_results[k][1]); + } +#endif +#ifndef OPENSSL_NO_EC + testnum = 1; + for (k = 0; k < EC_NUM; k++) { + if (!ecdsa_doit[k]) + continue; + if (testnum && !mr) { + printf("%30ssign verify sign/s verify/s\n", " "); + testnum = 0; + } + + if (mr) + printf("+F4:%u:%u:%f:%f\n", + k, test_curves_bits[k], + ecdsa_results[k][0], ecdsa_results[k][1]); + else + printf("%4u bit ecdsa (%s) %8.4fs %8.4fs %8.1f %8.1f\n", + test_curves_bits[k], + test_curves_names[k], + ecdsa_results[k][0], ecdsa_results[k][1], + 1.0 / ecdsa_results[k][0], 1.0 / ecdsa_results[k][1]); + } + + testnum = 1; + for (k = 0; k < EC_NUM; k++) { + if (!ecdh_doit[k]) + continue; + if (testnum && !mr) { + printf("%30sop op/s\n", " "); + testnum = 0; + } + if (mr) + printf("+F5:%u:%u:%f:%f\n", + k, test_curves_bits[k], + ecdh_results[k][0], 1.0 / ecdh_results[k][0]); + + else + printf("%4u bit ecdh (%s) %8.4fs %8.1f\n", + test_curves_bits[k], + test_curves_names[k], + ecdh_results[k][0], 1.0 / ecdh_results[k][0]); + } +#endif + + ret = 0; + + end: + ERR_print_errors(bio_err); + for (i = 0; i < loopargs_len; i++) { + OPENSSL_free(loopargs[i].buf_malloc); + OPENSSL_free(loopargs[i].buf2_malloc); + +#ifndef OPENSSL_NO_RSA + for (k = 0; k < RSA_NUM; k++) + RSA_free(loopargs[i].rsa_key[k]); +#endif +#ifndef OPENSSL_NO_DSA + for (k = 0; k < DSA_NUM; k++) + DSA_free(loopargs[i].dsa_key[k]); +#endif +#ifndef OPENSSL_NO_EC + for (k = 0; k < EC_NUM; k++) { + EC_KEY_free(loopargs[i].ecdsa[k]); + EC_KEY_free(loopargs[i].ecdh_a[k]); + EC_KEY_free(loopargs[i].ecdh_b[k]); + } + OPENSSL_free(loopargs[i].secret_a); + OPENSSL_free(loopargs[i].secret_b); +#endif + } + + if (async_jobs > 0) { + for (i = 0; i < loopargs_len; i++) + ASYNC_WAIT_CTX_free(loopargs[i].wait_ctx); + } + + if (async_init) { + ASYNC_cleanup_thread(); + } + OPENSSL_free(loopargs); + release_engine(e); + return (ret); +} + +static void print_message(const char *s, long num, int length) +{ +#ifdef SIGALRM + BIO_printf(bio_err, + mr ? "+DT:%s:%d:%d\n" + : "Doing %s for %ds on %d size blocks: ", s, SECONDS, length); + (void)BIO_flush(bio_err); + alarm(SECONDS); +#else + BIO_printf(bio_err, + mr ? "+DN:%s:%ld:%d\n" + : "Doing %s %ld times on %d size blocks: ", s, num, length); + (void)BIO_flush(bio_err); +#endif +} + +static void pkey_print_message(const char *str, const char *str2, long num, + int bits, int tm) +{ +#ifdef SIGALRM + BIO_printf(bio_err, + mr ? "+DTP:%d:%s:%s:%d\n" + : "Doing %d bit %s %s's for %ds: ", bits, str, str2, tm); + (void)BIO_flush(bio_err); + alarm(tm); +#else + BIO_printf(bio_err, + mr ? "+DNP:%ld:%d:%s:%s\n" + : "Doing %ld %d bit %s %s's: ", num, bits, str, str2); + (void)BIO_flush(bio_err); +#endif +} + +static void print_result(int alg, int run_no, int count, double time_used) +{ + if (count == -1) { + BIO_puts(bio_err, "EVP error!\n"); + exit(1); + } + BIO_printf(bio_err, + mr ? "+R:%d:%s:%f\n" + : "%d %s's in %.2fs\n", count, names[alg], time_used); + results[alg][run_no] = ((double)count) / time_used * lengths[run_no]; +} + +#ifndef NO_FORK +static char *sstrsep(char **string, const char *delim) +{ + char isdelim[256]; + char *token = *string; + + if (**string == 0) + return NULL; + + memset(isdelim, 0, sizeof(isdelim)); + isdelim[0] = 1; + + while (*delim) { + isdelim[(unsigned char)(*delim)] = 1; + delim++; + } + + while (!isdelim[(unsigned char)(**string)]) { + (*string)++; + } + + if (**string) { + **string = 0; + (*string)++; + } + + return token; +} + +static int do_multi(int multi) +{ + int n; + int fd[2]; + int *fds; + static char sep[] = ":"; + + fds = malloc(sizeof(*fds) * multi); + for (n = 0; n < multi; ++n) { + if (pipe(fd) == -1) { + BIO_printf(bio_err, "pipe failure\n"); + exit(1); + } + fflush(stdout); + (void)BIO_flush(bio_err); + if (fork()) { + close(fd[1]); + fds[n] = fd[0]; + } else { + close(fd[0]); + close(1); + if (dup(fd[1]) == -1) { + BIO_printf(bio_err, "dup failed\n"); + exit(1); + } + close(fd[1]); + mr = 1; + usertime = 0; + free(fds); + return 0; + } + printf("Forked child %d\n", n); + } + + /* for now, assume the pipe is long enough to take all the output */ + for (n = 0; n < multi; ++n) { + FILE *f; + char buf[1024]; + char *p; + + f = fdopen(fds[n], "r"); + while (fgets(buf, sizeof(buf), f)) { + p = strchr(buf, '\n'); + if (p) + *p = '\0'; + if (buf[0] != '+') { + BIO_printf(bio_err, "Don't understand line '%s' from child %d\n", + buf, n); + continue; + } + printf("Got: %s from %d\n", buf, n); + if (strncmp(buf, "+F:", 3) == 0) { + int alg; + int j; + + p = buf + 3; + alg = atoi(sstrsep(&p, sep)); + sstrsep(&p, sep); + for (j = 0; j < SIZE_NUM; ++j) + results[alg][j] += atof(sstrsep(&p, sep)); + } else if (strncmp(buf, "+F2:", 4) == 0) { + int k; + double d; + + p = buf + 4; + k = atoi(sstrsep(&p, sep)); + sstrsep(&p, sep); + + d = atof(sstrsep(&p, sep)); + if (n) + rsa_results[k][0] = 1 / (1 / rsa_results[k][0] + 1 / d); + else + rsa_results[k][0] = d; + + d = atof(sstrsep(&p, sep)); + if (n) + rsa_results[k][1] = 1 / (1 / rsa_results[k][1] + 1 / d); + else + rsa_results[k][1] = d; + } +# ifndef OPENSSL_NO_DSA + else if (strncmp(buf, "+F3:", 4) == 0) { + int k; + double d; + + p = buf + 4; + k = atoi(sstrsep(&p, sep)); + sstrsep(&p, sep); + + d = atof(sstrsep(&p, sep)); + if (n) + dsa_results[k][0] = 1 / (1 / dsa_results[k][0] + 1 / d); + else + dsa_results[k][0] = d; + + d = atof(sstrsep(&p, sep)); + if (n) + dsa_results[k][1] = 1 / (1 / dsa_results[k][1] + 1 / d); + else + dsa_results[k][1] = d; + } +# endif +# ifndef OPENSSL_NO_EC + else if (strncmp(buf, "+F4:", 4) == 0) { + int k; + double d; + + p = buf + 4; + k = atoi(sstrsep(&p, sep)); + sstrsep(&p, sep); + + d = atof(sstrsep(&p, sep)); + if (n) + ecdsa_results[k][0] = + 1 / (1 / ecdsa_results[k][0] + 1 / d); + else + ecdsa_results[k][0] = d; + + d = atof(sstrsep(&p, sep)); + if (n) + ecdsa_results[k][1] = + 1 / (1 / ecdsa_results[k][1] + 1 / d); + else + ecdsa_results[k][1] = d; + } else if (strncmp(buf, "+F5:", 4) == 0) { + int k; + double d; + + p = buf + 4; + k = atoi(sstrsep(&p, sep)); + sstrsep(&p, sep); + + d = atof(sstrsep(&p, sep)); + if (n) + ecdh_results[k][0] = 1 / (1 / ecdh_results[k][0] + 1 / d); + else + ecdh_results[k][0] = d; + + } +# endif + + else if (strncmp(buf, "+H:", 3) == 0) { + ; + } else + BIO_printf(bio_err, "Unknown type '%s' from child %d\n", buf, n); + } + + fclose(f); + } + free(fds); + return 1; +} +#endif + +static void multiblock_speed(const EVP_CIPHER *evp_cipher) +{ + static int mblengths[] = + { 8 * 1024, 2 * 8 * 1024, 4 * 8 * 1024, 8 * 8 * 1024, 8 * 16 * 1024 }; + int j, count, num = OSSL_NELEM(mblengths); + const char *alg_name; + unsigned char *inp, *out, no_key[32], no_iv[16]; + EVP_CIPHER_CTX *ctx; + double d = 0.0; + + inp = app_malloc(mblengths[num - 1], "multiblock input buffer"); + out = app_malloc(mblengths[num - 1] + 1024, "multiblock output buffer"); + ctx = EVP_CIPHER_CTX_new(); + EVP_EncryptInit_ex(ctx, evp_cipher, NULL, no_key, no_iv); + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_MAC_KEY, sizeof(no_key), + no_key); + alg_name = OBJ_nid2ln(EVP_CIPHER_nid(evp_cipher)); + + for (j = 0; j < num; j++) { + print_message(alg_name, 0, mblengths[j]); + Time_F(START); + for (count = 0, run = 1; run && count < 0x7fffffff; count++) { + unsigned char aad[EVP_AEAD_TLS1_AAD_LEN]; + EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param; + size_t len = mblengths[j]; + int packlen; + + memset(aad, 0, 8); /* avoid uninitialized values */ + aad[8] = 23; /* SSL3_RT_APPLICATION_DATA */ + aad[9] = 3; /* version */ + aad[10] = 2; + aad[11] = 0; /* length */ + aad[12] = 0; + mb_param.out = NULL; + mb_param.inp = aad; + mb_param.len = len; + mb_param.interleave = 8; + + packlen = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_TLS1_1_MULTIBLOCK_AAD, + sizeof(mb_param), &mb_param); + + if (packlen > 0) { + mb_param.out = out; + mb_param.inp = inp; + mb_param.len = len; + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT, + sizeof(mb_param), &mb_param); + } else { + int pad; + + RAND_bytes(out, 16); + len += 16; + aad[11] = len >> 8; + aad[12] = len; + pad = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_TLS1_AAD, + EVP_AEAD_TLS1_AAD_LEN, aad); + EVP_Cipher(ctx, out, inp, len + pad); + } + } + d = Time_F(STOP); + BIO_printf(bio_err, mr ? "+R:%d:%s:%f\n" + : "%d %s's in %.2fs\n", count, "evp", d); + results[D_EVP][j] = ((double)count) / d * mblengths[j]; + } + + if (mr) { + fprintf(stdout, "+H"); + for (j = 0; j < num; j++) + fprintf(stdout, ":%d", mblengths[j]); + fprintf(stdout, "\n"); + fprintf(stdout, "+F:%d:%s", D_EVP, alg_name); + for (j = 0; j < num; j++) + fprintf(stdout, ":%.2f", results[D_EVP][j]); + fprintf(stdout, "\n"); + } else { + fprintf(stdout, + "The 'numbers' are in 1000s of bytes per second processed.\n"); + fprintf(stdout, "type "); + for (j = 0; j < num; j++) + fprintf(stdout, "%7d bytes", mblengths[j]); + fprintf(stdout, "\n"); + fprintf(stdout, "%-24s", alg_name); + + for (j = 0; j < num; j++) { + if (results[D_EVP][j] > 10000) + fprintf(stdout, " %11.2fk", results[D_EVP][j] / 1e3); + else + fprintf(stdout, " %11.2f ", results[D_EVP][j]); + } + fprintf(stdout, "\n"); + } + + OPENSSL_free(inp); + OPENSSL_free(out); + EVP_CIPHER_CTX_free(ctx); +} diff --git a/openssl-1.1.0h/apps/spkac.c b/openssl-1.1.0h/apps/spkac.c new file mode 100644 index 0000000..3449067 --- /dev/null +++ b/openssl-1.1.0h/apps/spkac.c @@ -0,0 +1,196 @@ +/* + * Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include +#include +#include + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT, + OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC, + OPT_SPKSECT +} OPTION_CHOICE; + +OPTIONS spkac_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"in", OPT_IN, '<', "Input file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"key", OPT_KEY, '<', "Create SPKAC using private key"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"challenge", OPT_CHALLENGE, 's', "Challenge string"}, + {"spkac", OPT_SPKAC, 's', "Alternative SPKAC name"}, + {"noout", OPT_NOOUT, '-', "Don't print SPKAC"}, + {"pubkey", OPT_PUBKEY, '-', "Output public key"}, + {"verify", OPT_VERIFY, '-', "Verify SPKAC signature"}, + {"spksect", OPT_SPKSECT, 's', + "Specify the name of an SPKAC-dedicated section of configuration"}, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int spkac_main(int argc, char **argv) +{ + BIO *out = NULL; + CONF *conf = NULL; + ENGINE *e = NULL; + EVP_PKEY *pkey = NULL; + NETSCAPE_SPKI *spki = NULL; + char *challenge = NULL, *keyfile = NULL; + char *infile = NULL, *outfile = NULL, *passinarg = NULL, *passin = NULL; + char *spkstr = NULL, *prog; + const char *spkac = "SPKAC", *spksect = "default"; + int i, ret = 1, verify = 0, noout = 0, pubkey = 0; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, spkac_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(spkac_options); + ret = 0; + goto end; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_NOOUT: + noout = 1; + break; + case OPT_PUBKEY: + pubkey = 1; + break; + case OPT_VERIFY: + verify = 1; + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_KEY: + keyfile = opt_arg(); + break; + case OPT_CHALLENGE: + challenge = opt_arg(); + break; + case OPT_SPKAC: + spkac = opt_arg(); + break; + case OPT_SPKSECT: + spksect = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + } + } + argc = opt_num_rest(); + if (argc != 0) + goto opthelp; + + if (!app_passwd(passinarg, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + if (keyfile != NULL) { + pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL, + FORMAT_PEM, 1, passin, e, "private key"); + if (pkey == NULL) + goto end; + spki = NETSCAPE_SPKI_new(); + if (spki == NULL) + goto end; + if (challenge != NULL) + ASN1_STRING_set(spki->spkac->challenge, + challenge, (int)strlen(challenge)); + NETSCAPE_SPKI_set_pubkey(spki, pkey); + NETSCAPE_SPKI_sign(spki, pkey, EVP_md5()); + spkstr = NETSCAPE_SPKI_b64_encode(spki); + if (spkstr == NULL) + goto end; + + out = bio_open_default(outfile, 'w', FORMAT_TEXT); + if (out == NULL) { + OPENSSL_free(spkstr); + goto end; + } + BIO_printf(out, "SPKAC=%s\n", spkstr); + OPENSSL_free(spkstr); + ret = 0; + goto end; + } + + if ((conf = app_load_config(infile)) == NULL) + goto end; + + spkstr = NCONF_get_string(conf, spksect, spkac); + + if (spkstr == NULL) { + BIO_printf(bio_err, "Can't find SPKAC called \"%s\"\n", spkac); + ERR_print_errors(bio_err); + goto end; + } + + spki = NETSCAPE_SPKI_b64_decode(spkstr, -1); + + if (spki == NULL) { + BIO_printf(bio_err, "Error loading SPKAC\n"); + ERR_print_errors(bio_err); + goto end; + } + + out = bio_open_default(outfile, 'w', FORMAT_TEXT); + if (out == NULL) + goto end; + + if (!noout) + NETSCAPE_SPKI_print(out, spki); + pkey = NETSCAPE_SPKI_get_pubkey(spki); + if (verify) { + i = NETSCAPE_SPKI_verify(spki, pkey); + if (i > 0) { + BIO_printf(bio_err, "Signature OK\n"); + } else { + BIO_printf(bio_err, "Signature Failure\n"); + ERR_print_errors(bio_err); + goto end; + } + } + if (pubkey) + PEM_write_bio_PUBKEY(out, pkey); + + ret = 0; + + end: + NCONF_free(conf); + NETSCAPE_SPKI_free(spki); + BIO_free_all(out); + EVP_PKEY_free(pkey); + release_engine(e); + OPENSSL_free(passin); + return (ret); +} diff --git a/openssl-1.1.0h/apps/srp.c b/openssl-1.1.0h/apps/srp.c new file mode 100644 index 0000000..0ead68e --- /dev/null +++ b/openssl-1.1.0h/apps/srp.c @@ -0,0 +1,613 @@ +/* + * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_SRP +NON_EMPTY_TRANSLATION_UNIT +#else + +# include +# include +# include +# include +# include +# include +# include +# include +# include +# include "apps.h" + +# define BASE_SECTION "srp" +# define CONFIG_FILE "openssl.cnf" + +# define ENV_RANDFILE "RANDFILE" + +# define ENV_DATABASE "srpvfile" +# define ENV_DEFAULT_SRP "default_srp" + +static int get_index(CA_DB *db, char *id, char type) +{ + char **pp; + int i; + if (id == NULL) + return -1; + if (type == DB_SRP_INDEX) { + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { + pp = sk_OPENSSL_PSTRING_value(db->db->data, i); + if (pp[DB_srptype][0] == DB_SRP_INDEX + && strcmp(id, pp[DB_srpid]) == 0) + return i; + } + } else { + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { + pp = sk_OPENSSL_PSTRING_value(db->db->data, i); + + if (pp[DB_srptype][0] != DB_SRP_INDEX + && strcmp(id, pp[DB_srpid]) == 0) + return i; + } + } + + return -1; +} + +static void print_entry(CA_DB *db, int indx, int verbose, char *s) +{ + if (indx >= 0 && verbose) { + int j; + char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx); + BIO_printf(bio_err, "%s \"%s\"\n", s, pp[DB_srpid]); + for (j = 0; j < DB_NUMBER; j++) { + BIO_printf(bio_err, " %d = \"%s\"\n", j, pp[j]); + } + } +} + +static void print_index(CA_DB *db, int indexindex, int verbose) +{ + print_entry(db, indexindex, verbose, "g N entry"); +} + +static void print_user(CA_DB *db, int userindex, int verbose) +{ + if (verbose > 0) { + char **pp = sk_OPENSSL_PSTRING_value(db->db->data, userindex); + + if (pp[DB_srptype][0] != 'I') { + print_entry(db, userindex, verbose, "User entry"); + print_entry(db, get_index(db, pp[DB_srpgN], 'I'), verbose, + "g N entry"); + } + + } +} + +static int update_index(CA_DB *db, char **row) +{ + char **irow; + int i; + + irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row pointers"); + for (i = 0; i < DB_NUMBER; i++) + irow[i] = row[i]; + irow[DB_NUMBER] = NULL; + + if (!TXT_DB_insert(db->db, irow)) { + BIO_printf(bio_err, "failed to update srpvfile\n"); + BIO_printf(bio_err, "TXT_DB error number %ld\n", db->db->error); + OPENSSL_free(irow); + return 0; + } + return 1; +} + +static char *lookup_conf(const CONF *conf, const char *section, const char *tag) +{ + char *entry = NCONF_get_string(conf, section, tag); + if (entry == NULL) + BIO_printf(bio_err, "variable lookup failed for %s::%s\n", section, tag); + return entry; +} + +static char *srp_verify_user(const char *user, const char *srp_verifier, + char *srp_usersalt, const char *g, const char *N, + const char *passin, int verbose) +{ + char password[1025]; + PW_CB_DATA cb_tmp; + char *verifier = NULL; + char *gNid = NULL; + int len; + + cb_tmp.prompt_info = user; + cb_tmp.password = passin; + + len = password_callback(password, sizeof(password)-1, 0, &cb_tmp); + if (len > 0) { + password[len] = 0; + if (verbose) + BIO_printf(bio_err, + "Validating\n user=\"%s\"\n srp_verifier=\"%s\"\n srp_usersalt=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", + user, srp_verifier, srp_usersalt, g, N); + if (verbose > 1) + BIO_printf(bio_err, "Pass %s\n", password); + + OPENSSL_assert(srp_usersalt != NULL); + if (!(gNid = SRP_create_verifier(user, password, &srp_usersalt, + &verifier, N, g)) ) { + BIO_printf(bio_err, "Internal error validating SRP verifier\n"); + } else { + if (strcmp(verifier, srp_verifier)) + gNid = NULL; + OPENSSL_free(verifier); + } + OPENSSL_cleanse(password, len); + } + return gNid; +} + +static char *srp_create_user(char *user, char **srp_verifier, + char **srp_usersalt, char *g, char *N, + char *passout, int verbose) +{ + char password[1025]; + PW_CB_DATA cb_tmp; + char *gNid = NULL; + char *salt = NULL; + int len; + cb_tmp.prompt_info = user; + cb_tmp.password = passout; + + len = password_callback(password, sizeof(password)-1, 1, &cb_tmp); + if (len > 0) { + password[len] = 0; + if (verbose) + BIO_printf(bio_err, "Creating\n user=\"%s\"\n g=\"%s\"\n N=\"%s\"\n", + user, g, N); + if (!(gNid = SRP_create_verifier(user, password, &salt, + srp_verifier, N, g)) ) { + BIO_printf(bio_err, "Internal error creating SRP verifier\n"); + } else { + *srp_usersalt = salt; + } + OPENSSL_cleanse(password, len); + if (verbose > 1) + BIO_printf(bio_err, "gNid=%s salt =\"%s\"\n verifier =\"%s\"\n", + gNid, salt, *srp_verifier); + + } + return gNid; +} + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SRPVFILE, OPT_ADD, + OPT_DELETE, OPT_MODIFY, OPT_LIST, OPT_GN, OPT_USERINFO, + OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE +} OPTION_CHOICE; + +OPTIONS srp_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"verbose", OPT_VERBOSE, '-', "Talk a lot while doing things"}, + {"config", OPT_CONFIG, '<', "A config file"}, + {"name", OPT_NAME, 's', "The particular srp definition to use"}, + {"srpvfile", OPT_SRPVFILE, '<', "The srp verifier file name"}, + {"add", OPT_ADD, '-', "Add a user and srp verifier"}, + {"modify", OPT_MODIFY, '-', + "Modify the srp verifier of an existing user"}, + {"delete", OPT_DELETE, '-', "Delete user from verifier file"}, + {"list", OPT_LIST, '-', "List users"}, + {"gn", OPT_GN, 's', "Set g and N values to be used for new verifier"}, + {"userinfo", OPT_USERINFO, 's', "Additional info to be set for user"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {NULL} +}; + +int srp_main(int argc, char **argv) +{ + ENGINE *e = NULL; + CA_DB *db = NULL; + CONF *conf = NULL; + int gNindex = -1, maxgN = -1, ret = 1, errors = 0, verbose = 0, i; + int doupdatedb = 0, mode = OPT_ERR; + char *user = NULL, *passinarg = NULL, *passoutarg = NULL; + char *passin = NULL, *passout = NULL, *gN = NULL, *userinfo = NULL; + char *randfile = NULL, *section = NULL; + char **gNrow = NULL, *configfile = NULL; + char *srpvfile = NULL, **pp, *prog; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, srp_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(srp_options); + ret = 0; + goto end; + case OPT_VERBOSE: + verbose++; + break; + case OPT_CONFIG: + configfile = opt_arg(); + break; + case OPT_NAME: + section = opt_arg(); + break; + case OPT_SRPVFILE: + srpvfile = opt_arg(); + break; + case OPT_ADD: + case OPT_DELETE: + case OPT_MODIFY: + case OPT_LIST: + if (mode != OPT_ERR) { + BIO_printf(bio_err, + "%s: Only one of -add/-delete/-modify/-list\n", + prog); + goto opthelp; + } + mode = o; + break; + case OPT_GN: + gN = opt_arg(); + break; + case OPT_USERINFO: + userinfo = opt_arg(); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_PASSOUT: + passoutarg = opt_arg(); + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + + if (srpvfile && configfile) { + BIO_printf(bio_err, + "-srpvfile and -configfile cannot be specified together.\n"); + goto end; + } + if (mode == OPT_ERR) { + BIO_printf(bio_err, + "Exactly one of the options -add, -delete, -modify -list must be specified.\n"); + goto opthelp; + } + if (mode == OPT_DELETE || mode == OPT_MODIFY || mode == OPT_ADD) { + if (argc == 0) { + BIO_printf(bio_err, "Need at least one user.\n"); + goto opthelp; + } + user = *argv++; + } + if ((passinarg || passoutarg) && argc != 1) { + BIO_printf(bio_err, + "-passin, -passout arguments only valid with one user.\n"); + goto opthelp; + } + + if (!app_passwd(passinarg, passoutarg, &passin, &passout)) { + BIO_printf(bio_err, "Error getting passwords\n"); + goto end; + } + + if (!srpvfile) { + if (!configfile) + configfile = default_config_file; + + if (verbose) + BIO_printf(bio_err, "Using configuration from %s\n", + configfile); + conf = app_load_config(configfile); + if (conf == NULL) + goto end; + if (configfile != default_config_file && !app_load_modules(conf)) + goto end; + + /* Lets get the config section we are using */ + if (section == NULL) { + if (verbose) + BIO_printf(bio_err, + "trying to read " ENV_DEFAULT_SRP + " in " BASE_SECTION "\n"); + + section = lookup_conf(conf, BASE_SECTION, ENV_DEFAULT_SRP); + if (section == NULL) + goto end; + } + + if (randfile == NULL) + randfile = NCONF_get_string(conf, BASE_SECTION, "RANDFILE"); + + if (verbose) + BIO_printf(bio_err, + "trying to read " ENV_DATABASE " in section \"%s\"\n", + section); + + srpvfile = lookup_conf(conf, section, ENV_DATABASE); + if (srpvfile == NULL) + goto end; + } + if (randfile == NULL) + ERR_clear_error(); + else + app_RAND_load_file(randfile, 0); + + if (verbose) + BIO_printf(bio_err, "Trying to read SRP verifier file \"%s\"\n", + srpvfile); + + db = load_index(srpvfile, NULL); + if (db == NULL) + goto end; + + /* Lets check some fields */ + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { + pp = sk_OPENSSL_PSTRING_value(db->db->data, i); + + if (pp[DB_srptype][0] == DB_SRP_INDEX) { + maxgN = i; + if ((gNindex < 0) && (gN != NULL) && strcmp(gN, pp[DB_srpid]) == 0) + gNindex = i; + + print_index(db, i, verbose > 1); + } + } + + if (verbose) + BIO_printf(bio_err, "Database initialised\n"); + + if (gNindex >= 0) { + gNrow = sk_OPENSSL_PSTRING_value(db->db->data, gNindex); + print_entry(db, gNindex, verbose > 1, "Default g and N"); + } else if (maxgN > 0 && !SRP_get_default_gN(gN)) { + BIO_printf(bio_err, "No g and N value for index \"%s\"\n", gN); + goto end; + } else { + if (verbose) + BIO_printf(bio_err, "Database has no g N information.\n"); + gNrow = NULL; + } + + if (verbose > 1) + BIO_printf(bio_err, "Starting user processing\n"); + + while (mode == OPT_LIST || user != NULL) { + int userindex = -1; + + if (user != NULL && verbose > 1) + BIO_printf(bio_err, "Processing user \"%s\"\n", user); + if ((userindex = get_index(db, user, 'U')) >= 0) { + print_user(db, userindex, (verbose > 0) || mode == OPT_LIST); + } + + if (mode == OPT_LIST) { + if (user == NULL) { + BIO_printf(bio_err, "List all users\n"); + + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { + print_user(db, i, 1); + } + } else if (userindex < 0) { + BIO_printf(bio_err, + "user \"%s\" does not exist, ignored. t\n", user); + errors++; + } + } else if (mode == OPT_ADD) { + if (userindex >= 0) { + /* reactivation of a new user */ + char **row = + sk_OPENSSL_PSTRING_value(db->db->data, userindex); + BIO_printf(bio_err, "user \"%s\" reactivated.\n", user); + row[DB_srptype][0] = 'V'; + + doupdatedb = 1; + } else { + char *row[DB_NUMBER]; + char *gNid; + row[DB_srpverifier] = NULL; + row[DB_srpsalt] = NULL; + row[DB_srpinfo] = NULL; + if (! + (gNid = + srp_create_user(user, &(row[DB_srpverifier]), + &(row[DB_srpsalt]), + gNrow ? gNrow[DB_srpsalt] : gN, + gNrow ? gNrow[DB_srpverifier] : NULL, + passout, verbose))) { + BIO_printf(bio_err, + "Cannot create srp verifier for user \"%s\", operation abandoned .\n", + user); + errors++; + goto end; + } + row[DB_srpid] = OPENSSL_strdup(user); + row[DB_srptype] = OPENSSL_strdup("v"); + row[DB_srpgN] = OPENSSL_strdup(gNid); + + if ((row[DB_srpid] == NULL) + || (row[DB_srpgN] == NULL) + || (row[DB_srptype] == NULL) + || (row[DB_srpverifier] == NULL) + || (row[DB_srpsalt] == NULL) + || (userinfo + && ((row[DB_srpinfo] = OPENSSL_strdup(userinfo)) == NULL)) + || !update_index(db, row)) { + OPENSSL_free(row[DB_srpid]); + OPENSSL_free(row[DB_srpgN]); + OPENSSL_free(row[DB_srpinfo]); + OPENSSL_free(row[DB_srptype]); + OPENSSL_free(row[DB_srpverifier]); + OPENSSL_free(row[DB_srpsalt]); + goto end; + } + doupdatedb = 1; + } + } else if (mode == OPT_MODIFY) { + if (userindex < 0) { + BIO_printf(bio_err, + "user \"%s\" does not exist, operation ignored.\n", + user); + errors++; + } else { + + char **row = + sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char type = row[DB_srptype][0]; + if (type == 'v') { + BIO_printf(bio_err, + "user \"%s\" already updated, operation ignored.\n", + user); + errors++; + } else { + char *gNid; + + if (row[DB_srptype][0] == 'V') { + int user_gN; + char **irow = NULL; + if (verbose) + BIO_printf(bio_err, + "Verifying password for user \"%s\"\n", + user); + if ((user_gN = + get_index(db, row[DB_srpgN], DB_SRP_INDEX)) >= 0) + irow = + sk_OPENSSL_PSTRING_value(db->db->data, + userindex); + + if (!srp_verify_user + (user, row[DB_srpverifier], row[DB_srpsalt], + irow ? irow[DB_srpsalt] : row[DB_srpgN], + irow ? irow[DB_srpverifier] : NULL, passin, + verbose)) { + BIO_printf(bio_err, + "Invalid password for user \"%s\", operation abandoned.\n", + user); + errors++; + goto end; + } + } + if (verbose) + BIO_printf(bio_err, "Password for user \"%s\" ok.\n", + user); + + if (! + (gNid = + srp_create_user(user, &(row[DB_srpverifier]), + &(row[DB_srpsalt]), + gNrow ? gNrow[DB_srpsalt] : NULL, + gNrow ? gNrow[DB_srpverifier] : NULL, + passout, verbose))) { + BIO_printf(bio_err, + "Cannot create srp verifier for user \"%s\", operation abandoned.\n", + user); + errors++; + goto end; + } + + row[DB_srptype][0] = 'v'; + row[DB_srpgN] = OPENSSL_strdup(gNid); + + if (row[DB_srpid] == NULL + || row[DB_srpgN] == NULL + || row[DB_srptype] == NULL + || row[DB_srpverifier] == NULL + || row[DB_srpsalt] == NULL + || (userinfo + && ((row[DB_srpinfo] = OPENSSL_strdup(userinfo)) + == NULL))) + goto end; + + doupdatedb = 1; + } + } + } else if (mode == OPT_DELETE) { + if (userindex < 0) { + BIO_printf(bio_err, + "user \"%s\" does not exist, operation ignored. t\n", + user); + errors++; + } else { + char **xpp = sk_OPENSSL_PSTRING_value(db->db->data, userindex); + + BIO_printf(bio_err, "user \"%s\" revoked. t\n", user); + xpp[DB_srptype][0] = 'R'; + doupdatedb = 1; + } + } + user = *argv++; + if (user == NULL) { + /* no more processing in any mode if no users left */ + break; + } + } + + if (verbose) + BIO_printf(bio_err, "User procession done.\n"); + + if (doupdatedb) { + /* Lets check some fields */ + for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { + pp = sk_OPENSSL_PSTRING_value(db->db->data, i); + + if (pp[DB_srptype][0] == 'v') { + pp[DB_srptype][0] = 'V'; + print_user(db, i, verbose); + } + } + + if (verbose) + BIO_printf(bio_err, "Trying to update srpvfile.\n"); + if (!save_index(srpvfile, "new", db)) + goto end; + + if (verbose) + BIO_printf(bio_err, "Temporary srpvfile created.\n"); + if (!rotate_index(srpvfile, "new", "old")) + goto end; + + if (verbose) + BIO_printf(bio_err, "srpvfile updated.\n"); + } + + ret = (errors != 0); + end: + if (errors != 0) + if (verbose) + BIO_printf(bio_err, "User errors %d.\n", errors); + + if (verbose) + BIO_printf(bio_err, "SRP terminating with code %d.\n", ret); + + OPENSSL_free(passin); + OPENSSL_free(passout); + if (ret) + ERR_print_errors(bio_err); + if (randfile) + app_RAND_write_file(randfile); + NCONF_free(conf); + free_index(db); + release_engine(e); + return (ret); +} +#endif diff --git a/openssl-1.1.0h/apps/testCA.pem b/openssl-1.1.0h/apps/testCA.pem new file mode 100644 index 0000000..dcb710a --- /dev/null +++ b/openssl-1.1.0h/apps/testCA.pem @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBBzCBsgIBADBNMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEX +MBUGA1UEChMOTWluY29tIFB0eSBMdGQxEDAOBgNVBAMTB1RFU1QgQ0EwXDANBgkq +hkiG9w0BAQEFAANLADBIAkEAzW9brgA8efT2ODB+NrsflJZj3KKqKsm4OrXTRqfL +VETj1ws/zCXl42XJAxdWQMCP0liKfc9Ut4xi1qCVI7N07wIDAQABoAAwDQYJKoZI +hvcNAQEEBQADQQBjZZ42Det9Uw0AFwJy4ufUEy5Cv74pxBp5SZnljgHY+Az0Hs2S +uNkIegr2ITX5azKi9nOkg9ZmsmGG13FIjiC/ +-----END CERTIFICATE REQUEST----- diff --git a/openssl-1.1.0h/apps/testdsa.h b/openssl-1.1.0h/apps/testdsa.h new file mode 100644 index 0000000..1e4502a --- /dev/null +++ b/openssl-1.1.0h/apps/testdsa.h @@ -0,0 +1,290 @@ +/* + * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* used by speed.c */ +DSA *get_dsa512(void); +DSA *get_dsa1024(void); +DSA *get_dsa2048(void); + +static unsigned char dsa512_priv[] = { + 0x65, 0xe5, 0xc7, 0x38, 0x60, 0x24, 0xb5, 0x89, 0xd4, 0x9c, 0xeb, 0x4c, + 0x9c, 0x1d, 0x7a, 0x22, 0xbd, 0xd1, 0xc2, 0xd2, +}; + +static unsigned char dsa512_pub[] = { + 0x00, 0x95, 0xa7, 0x0d, 0xec, 0x93, 0x68, 0xba, 0x5f, 0xf7, 0x5f, 0x07, + 0xf2, 0x3b, 0xad, 0x6b, 0x01, 0xdc, 0xbe, 0xec, 0xde, 0x04, 0x7a, 0x3a, + 0x27, 0xb3, 0xec, 0x49, 0xfd, 0x08, 0x43, 0x3d, 0x7e, 0xa8, 0x2c, 0x5e, + 0x7b, 0xbb, 0xfc, 0xf4, 0x6e, 0xeb, 0x6c, 0xb0, 0x6e, 0xf8, 0x02, 0x12, + 0x8c, 0x38, 0x5d, 0x83, 0x56, 0x7d, 0xee, 0x53, 0x05, 0x3e, 0x24, 0x84, + 0xbe, 0xba, 0x0a, 0x6b, 0xc8, +}; + +static unsigned char dsa512_p[] = { + 0x9D, 0x1B, 0x69, 0x8E, 0x26, 0xDB, 0xF2, 0x2B, 0x11, 0x70, 0x19, 0x86, + 0xF6, 0x19, 0xC8, 0xF8, 0x19, 0xF2, 0x18, 0x53, 0x94, 0x46, 0x06, 0xD0, + 0x62, 0x50, 0x33, 0x4B, 0x02, 0x3C, 0x52, 0x30, 0x03, 0x8B, 0x3B, 0xF9, + 0x5F, 0xD1, 0x24, 0x06, 0x4F, 0x7B, 0x4C, 0xBA, 0xAA, 0x40, 0x9B, 0xFD, + 0x96, 0xE4, 0x37, 0x33, 0xBB, 0x2D, 0x5A, 0xD7, 0x5A, 0x11, 0x40, 0x66, + 0xA2, 0x76, 0x7D, 0x31, +}; + +static unsigned char dsa512_q[] = { + 0xFB, 0x53, 0xEF, 0x50, 0xB4, 0x40, 0x92, 0x31, 0x56, 0x86, 0x53, 0x7A, + 0xE8, 0x8B, 0x22, 0x9A, 0x49, 0xFB, 0x71, 0x8F, +}; + +static unsigned char dsa512_g[] = { + 0x83, 0x3E, 0x88, 0xE5, 0xC5, 0x89, 0x73, 0xCE, 0x3B, 0x6C, 0x01, 0x49, + 0xBF, 0xB3, 0xC7, 0x9F, 0x0A, 0xEA, 0x44, 0x91, 0xE5, 0x30, 0xAA, 0xD9, + 0xBE, 0x5B, 0x5F, 0xB7, 0x10, 0xD7, 0x89, 0xB7, 0x8E, 0x74, 0xFB, 0xCF, + 0x29, 0x1E, 0xEB, 0xA8, 0x2C, 0x54, 0x51, 0xB8, 0x10, 0xDE, 0xA0, 0xCE, + 0x2F, 0xCC, 0x24, 0x6B, 0x90, 0x77, 0xDE, 0xA2, 0x68, 0xA6, 0x52, 0x12, + 0xA2, 0x03, 0x9D, 0x20, +}; + +DSA *get_dsa512() +{ + DSA *dsa; + BIGNUM *priv_key, *pub_key, *p, *q, *g; + + if ((dsa = DSA_new()) == NULL) + return (NULL); + priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL); + pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL); + p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL); + q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL); + g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL); + if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL) + || (g == NULL)) { + goto err; + } + if (!DSA_set0_pqg(dsa, p, q, g)) + goto err; + p = q = g = NULL; + + if (!DSA_set0_key(dsa, pub_key, priv_key)) + goto err; + + return dsa; + err: + DSA_free(dsa); + BN_free(priv_key); + BN_free(pub_key); + BN_free(p); + BN_free(q); + BN_free(g); + return NULL; +} + +static unsigned char dsa1024_priv[] = { + 0x7d, 0x21, 0xda, 0xbb, 0x62, 0x15, 0x47, 0x36, 0x07, 0x67, 0x12, 0xe8, + 0x8c, 0xaa, 0x1c, 0xcd, 0x38, 0x12, 0x61, 0x18, +}; + +static unsigned char dsa1024_pub[] = { + 0x3c, 0x4e, 0x9c, 0x2a, 0x7f, 0x16, 0xc1, 0x25, 0xeb, 0xac, 0x78, 0x63, + 0x90, 0x14, 0x8c, 0x8b, 0xf4, 0x68, 0x43, 0x3c, 0x2d, 0xee, 0x65, 0x50, + 0x7d, 0x9c, 0x8f, 0x8c, 0x8a, 0x51, 0xd6, 0x11, 0x2b, 0x99, 0xaf, 0x1e, + 0x90, 0x97, 0xb5, 0xd3, 0xa6, 0x20, 0x25, 0xd6, 0xfe, 0x43, 0x02, 0xd5, + 0x91, 0x7d, 0xa7, 0x8c, 0xdb, 0xc9, 0x85, 0xa3, 0x36, 0x48, 0xf7, 0x68, + 0xaa, 0x60, 0xb1, 0xf7, 0x05, 0x68, 0x3a, 0xa3, 0x3f, 0xd3, 0x19, 0x82, + 0xd8, 0x82, 0x7a, 0x77, 0xfb, 0xef, 0xf4, 0x15, 0x0a, 0xeb, 0x06, 0x04, + 0x7f, 0x53, 0x07, 0x0c, 0xbc, 0xcb, 0x2d, 0x83, 0xdb, 0x3e, 0xd1, 0x28, + 0xa5, 0xa1, 0x31, 0xe0, 0x67, 0xfa, 0x50, 0xde, 0x9b, 0x07, 0x83, 0x7e, + 0x2c, 0x0b, 0xc3, 0x13, 0x50, 0x61, 0xe5, 0xad, 0xbd, 0x36, 0xb8, 0x97, + 0x4e, 0x40, 0x7d, 0xe8, 0x83, 0x0d, 0xbc, 0x4b +}; + +static unsigned char dsa1024_p[] = { + 0xA7, 0x3F, 0x6E, 0x85, 0xBF, 0x41, 0x6A, 0x29, 0x7D, 0xF0, 0x9F, 0x47, + 0x19, 0x30, 0x90, 0x9A, 0x09, 0x1D, 0xDA, 0x6A, 0x33, 0x1E, 0xC5, 0x3D, + 0x86, 0x96, 0xB3, 0x15, 0xE0, 0x53, 0x2E, 0x8F, 0xE0, 0x59, 0x82, 0x73, + 0x90, 0x3E, 0x75, 0x31, 0x99, 0x47, 0x7A, 0x52, 0xFB, 0x85, 0xE4, 0xD9, + 0xA6, 0x7B, 0x38, 0x9B, 0x68, 0x8A, 0x84, 0x9B, 0x87, 0xC6, 0x1E, 0xB5, + 0x7E, 0x86, 0x4B, 0x53, 0x5B, 0x59, 0xCF, 0x71, 0x65, 0x19, 0x88, 0x6E, + 0xCE, 0x66, 0xAE, 0x6B, 0x88, 0x36, 0xFB, 0xEC, 0x28, 0xDC, 0xC2, 0xD7, + 0xA5, 0xBB, 0xE5, 0x2C, 0x39, 0x26, 0x4B, 0xDA, 0x9A, 0x70, 0x18, 0x95, + 0x37, 0x95, 0x10, 0x56, 0x23, 0xF6, 0x15, 0xED, 0xBA, 0x04, 0x5E, 0xDE, + 0x39, 0x4F, 0xFD, 0xB7, 0x43, 0x1F, 0xB5, 0xA4, 0x65, 0x6F, 0xCD, 0x80, + 0x11, 0xE4, 0x70, 0x95, 0x5B, 0x50, 0xCD, 0x49, +}; + +static unsigned char dsa1024_q[] = { + 0xF7, 0x07, 0x31, 0xED, 0xFA, 0x6C, 0x06, 0x03, 0xD5, 0x85, 0x8A, 0x1C, + 0xAC, 0x9C, 0x65, 0xE7, 0x50, 0x66, 0x65, 0x6F, +}; + +static unsigned char dsa1024_g[] = { + 0x4D, 0xDF, 0x4C, 0x03, 0xA6, 0x91, 0x8A, 0xF5, 0x19, 0x6F, 0x50, 0x46, + 0x25, 0x99, 0xE5, 0x68, 0x6F, 0x30, 0xE3, 0x69, 0xE1, 0xE5, 0xB3, 0x5D, + 0x98, 0xBB, 0x28, 0x86, 0x48, 0xFC, 0xDE, 0x99, 0x04, 0x3F, 0x5F, 0x88, + 0x0C, 0x9C, 0x73, 0x24, 0x0D, 0x20, 0x5D, 0xB9, 0x2A, 0x9A, 0x3F, 0x18, + 0x96, 0x27, 0xE4, 0x62, 0x87, 0xC1, 0x7B, 0x74, 0x62, 0x53, 0xFC, 0x61, + 0x27, 0xA8, 0x7A, 0x91, 0x09, 0x9D, 0xB6, 0xF1, 0x4D, 0x9C, 0x54, 0x0F, + 0x58, 0x06, 0xEE, 0x49, 0x74, 0x07, 0xCE, 0x55, 0x7E, 0x23, 0xCE, 0x16, + 0xF6, 0xCA, 0xDC, 0x5A, 0x61, 0x01, 0x7E, 0xC9, 0x71, 0xB5, 0x4D, 0xF6, + 0xDC, 0x34, 0x29, 0x87, 0x68, 0xF6, 0x5E, 0x20, 0x93, 0xB3, 0xDB, 0xF5, + 0xE4, 0x09, 0x6C, 0x41, 0x17, 0x95, 0x92, 0xEB, 0x01, 0xB5, 0x73, 0xA5, + 0x6A, 0x7E, 0xD8, 0x32, 0xED, 0x0E, 0x02, 0xB8, +}; + +DSA *get_dsa1024() +{ + DSA *dsa; + BIGNUM *priv_key, *pub_key, *p, *q, *g; + + if ((dsa = DSA_new()) == NULL) + return (NULL); + priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL); + pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL); + p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL); + q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL); + g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL); + if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL) + || (g == NULL)) { + goto err; + } + if (!DSA_set0_pqg(dsa, p, q, g)) + goto err; + p = q = g = NULL; + + if (!DSA_set0_key(dsa, pub_key, priv_key)) + goto err; + + return dsa; + err: + DSA_free(dsa); + BN_free(priv_key); + BN_free(pub_key); + BN_free(p); + BN_free(q); + BN_free(g); + return NULL; +} + +static unsigned char dsa2048_priv[] = { + 0x32, 0x67, 0x92, 0xf6, 0xc4, 0xe2, 0xe2, 0xe8, 0xa0, 0x8b, 0x6b, 0x45, + 0x0c, 0x8a, 0x76, 0xb0, 0xee, 0xcf, 0x91, 0xa7, +}; + +static unsigned char dsa2048_pub[] = { + 0x17, 0x8f, 0xa8, 0x11, 0x84, 0x92, 0xec, 0x83, 0x47, 0xc7, 0x6a, 0xb0, + 0x92, 0xaf, 0x5a, 0x20, 0x37, 0xa3, 0x64, 0x79, 0xd2, 0xd0, 0x3d, 0xcd, + 0xe0, 0x61, 0x88, 0x88, 0x21, 0xcc, 0x74, 0x5d, 0xce, 0x4c, 0x51, 0x47, + 0xf0, 0xc5, 0x5c, 0x4c, 0x82, 0x7a, 0xaf, 0x72, 0xad, 0xb9, 0xe0, 0x53, + 0xf2, 0x78, 0xb7, 0xf0, 0xb5, 0x48, 0x7f, 0x8a, 0x3a, 0x18, 0xd1, 0x9f, + 0x8b, 0x7d, 0xa5, 0x47, 0xb7, 0x95, 0xab, 0x98, 0xf8, 0x7b, 0x74, 0x50, + 0x56, 0x8e, 0x57, 0xf0, 0xee, 0xf5, 0xb7, 0xba, 0xab, 0x85, 0x86, 0xf9, + 0x2b, 0xef, 0x41, 0x56, 0xa0, 0xa4, 0x9f, 0xb7, 0x38, 0x00, 0x46, 0x0a, + 0xa6, 0xf1, 0xfc, 0x1f, 0xd8, 0x4e, 0x85, 0x44, 0x92, 0x43, 0x21, 0x5d, + 0x6e, 0xcc, 0xc2, 0xcb, 0x26, 0x31, 0x0d, 0x21, 0xc4, 0xbd, 0x8d, 0x24, + 0xbc, 0xd9, 0x18, 0x19, 0xd7, 0xdc, 0xf1, 0xe7, 0x93, 0x50, 0x48, 0x03, + 0x2c, 0xae, 0x2e, 0xe7, 0x49, 0x88, 0x5f, 0x93, 0x57, 0x27, 0x99, 0x36, + 0xb4, 0x20, 0xab, 0xfc, 0xa7, 0x2b, 0xf2, 0xd9, 0x98, 0xd7, 0xd4, 0x34, + 0x9d, 0x96, 0x50, 0x58, 0x9a, 0xea, 0x54, 0xf3, 0xee, 0xf5, 0x63, 0x14, + 0xee, 0x85, 0x83, 0x74, 0x76, 0xe1, 0x52, 0x95, 0xc3, 0xf7, 0xeb, 0x04, + 0x04, 0x7b, 0xa7, 0x28, 0x1b, 0xcc, 0xea, 0x4a, 0x4e, 0x84, 0xda, 0xd8, + 0x9c, 0x79, 0xd8, 0x9b, 0x66, 0x89, 0x2f, 0xcf, 0xac, 0xd7, 0x79, 0xf9, + 0xa9, 0xd8, 0x45, 0x13, 0x78, 0xb9, 0x00, 0x14, 0xc9, 0x7e, 0x22, 0x51, + 0x86, 0x67, 0xb0, 0x9f, 0x26, 0x11, 0x23, 0xc8, 0x38, 0xd7, 0x70, 0x1d, + 0x15, 0x8e, 0x4d, 0x4f, 0x95, 0x97, 0x40, 0xa1, 0xc2, 0x7e, 0x01, 0x18, + 0x72, 0xf4, 0x10, 0xe6, 0x8d, 0x52, 0x16, 0x7f, 0xf2, 0xc9, 0xf8, 0x33, + 0x8b, 0x33, 0xb7, 0xce, +}; + +static unsigned char dsa2048_p[] = { + 0xA0, 0x25, 0xFA, 0xAD, 0xF4, 0x8E, 0xB9, 0xE5, 0x99, 0xF3, 0x5D, 0x6F, + 0x4F, 0x83, 0x34, 0xE2, 0x7E, 0xCF, 0x6F, 0xBF, 0x30, 0xAF, 0x6F, 0x81, + 0xEB, 0xF8, 0xC4, 0x13, 0xD9, 0xA0, 0x5D, 0x8B, 0x5C, 0x8E, 0xDC, 0xC2, + 0x1D, 0x0B, 0x41, 0x32, 0xB0, 0x1F, 0xFE, 0xEF, 0x0C, 0xC2, 0xA2, 0x7E, + 0x68, 0x5C, 0x28, 0x21, 0xE9, 0xF5, 0xB1, 0x58, 0x12, 0x63, 0x4C, 0x19, + 0x4E, 0xFF, 0x02, 0x4B, 0x92, 0xED, 0xD2, 0x07, 0x11, 0x4D, 0x8C, 0x58, + 0x16, 0x5C, 0x55, 0x8E, 0xAD, 0xA3, 0x67, 0x7D, 0xB9, 0x86, 0x6E, 0x0B, + 0xE6, 0x54, 0x6F, 0x40, 0xAE, 0x0E, 0x67, 0x4C, 0xF9, 0x12, 0x5B, 0x3C, + 0x08, 0x7A, 0xF7, 0xFC, 0x67, 0x86, 0x69, 0xE7, 0x0A, 0x94, 0x40, 0xBF, + 0x8B, 0x76, 0xFE, 0x26, 0xD1, 0xF2, 0xA1, 0x1A, 0x84, 0xA1, 0x43, 0x56, + 0x28, 0xBC, 0x9A, 0x5F, 0xD7, 0x3B, 0x69, 0x89, 0x8A, 0x36, 0x2C, 0x51, + 0xDF, 0x12, 0x77, 0x2F, 0x57, 0x7B, 0xA0, 0xAA, 0xDD, 0x7F, 0xA1, 0x62, + 0x3B, 0x40, 0x7B, 0x68, 0x1A, 0x8F, 0x0D, 0x38, 0xBB, 0x21, 0x5D, 0x18, + 0xFC, 0x0F, 0x46, 0xF7, 0xA3, 0xB0, 0x1D, 0x23, 0xC3, 0xD2, 0xC7, 0x72, + 0x51, 0x18, 0xDF, 0x46, 0x95, 0x79, 0xD9, 0xBD, 0xB5, 0x19, 0x02, 0x2C, + 0x87, 0xDC, 0xE7, 0x57, 0x82, 0x7E, 0xF1, 0x8B, 0x06, 0x3D, 0x00, 0xA5, + 0x7B, 0x6B, 0x26, 0x27, 0x91, 0x0F, 0x6A, 0x77, 0xE4, 0xD5, 0x04, 0xE4, + 0x12, 0x2C, 0x42, 0xFF, 0xD2, 0x88, 0xBB, 0xD3, 0x92, 0xA0, 0xF9, 0xC8, + 0x51, 0x64, 0x14, 0x5C, 0xD8, 0xF9, 0x6C, 0x47, 0x82, 0xB4, 0x1C, 0x7F, + 0x09, 0xB8, 0xF0, 0x25, 0x83, 0x1D, 0x3F, 0x3F, 0x05, 0xB3, 0x21, 0x0A, + 0x5D, 0xA7, 0xD8, 0x54, 0xC3, 0x65, 0x7D, 0xC3, 0xB0, 0x1D, 0xBF, 0xAE, + 0xF8, 0x68, 0xCF, 0x9B, +}; + +static unsigned char dsa2048_q[] = { + 0x97, 0xE7, 0x33, 0x4D, 0xD3, 0x94, 0x3E, 0x0B, 0xDB, 0x62, 0x74, 0xC6, + 0xA1, 0x08, 0xDD, 0x19, 0xA3, 0x75, 0x17, 0x1B, +}; + +static unsigned char dsa2048_g[] = { + 0x2C, 0x78, 0x16, 0x59, 0x34, 0x63, 0xF4, 0xF3, 0x92, 0xFC, 0xB5, 0xA5, + 0x4F, 0x13, 0xDE, 0x2F, 0x1C, 0xA4, 0x3C, 0xAE, 0xAD, 0x38, 0x3F, 0x7E, + 0x90, 0xBF, 0x96, 0xA6, 0xAE, 0x25, 0x90, 0x72, 0xF5, 0x8E, 0x80, 0x0C, + 0x39, 0x1C, 0xD9, 0xEC, 0xBA, 0x90, 0x5B, 0x3A, 0xE8, 0x58, 0x6C, 0x9E, + 0x30, 0x42, 0x37, 0x02, 0x31, 0x82, 0xBC, 0x6A, 0xDF, 0x6A, 0x09, 0x29, + 0xE3, 0xC0, 0x46, 0xD1, 0xCB, 0x85, 0xEC, 0x0C, 0x30, 0x5E, 0xEA, 0xC8, + 0x39, 0x8E, 0x22, 0x9F, 0x22, 0x10, 0xD2, 0x34, 0x61, 0x68, 0x37, 0x3D, + 0x2E, 0x4A, 0x5B, 0x9A, 0xF5, 0xC1, 0x48, 0xC6, 0xF6, 0xDC, 0x63, 0x1A, + 0xD3, 0x96, 0x64, 0xBA, 0x34, 0xC9, 0xD1, 0xA0, 0xD1, 0xAE, 0x6C, 0x2F, + 0x48, 0x17, 0x93, 0x14, 0x43, 0xED, 0xF0, 0x21, 0x30, 0x19, 0xC3, 0x1B, + 0x5F, 0xDE, 0xA3, 0xF0, 0x70, 0x78, 0x18, 0xE1, 0xA8, 0xE4, 0xEE, 0x2E, + 0x00, 0xA5, 0xE4, 0xB3, 0x17, 0xC8, 0x0C, 0x7D, 0x6E, 0x42, 0xDC, 0xB7, + 0x46, 0x00, 0x36, 0x4D, 0xD4, 0x46, 0xAA, 0x3D, 0x3C, 0x46, 0x89, 0x40, + 0xBF, 0x1D, 0x84, 0x77, 0x0A, 0x75, 0xF3, 0x87, 0x1D, 0x08, 0x4C, 0xA6, + 0xD1, 0xA9, 0x1C, 0x1E, 0x12, 0x1E, 0xE1, 0xC7, 0x30, 0x28, 0x76, 0xA5, + 0x7F, 0x6C, 0x85, 0x96, 0x2B, 0x6F, 0xDB, 0x80, 0x66, 0x26, 0xAE, 0xF5, + 0x93, 0xC7, 0x8E, 0xAE, 0x9A, 0xED, 0xE4, 0xCA, 0x04, 0xEA, 0x3B, 0x72, + 0xEF, 0xDC, 0x87, 0xED, 0x0D, 0xA5, 0x4C, 0x4A, 0xDD, 0x71, 0x22, 0x64, + 0x59, 0x69, 0x4E, 0x8E, 0xBF, 0x43, 0xDC, 0xAB, 0x8E, 0x66, 0xBB, 0x01, + 0xB6, 0xF4, 0xE7, 0xFD, 0xD2, 0xAD, 0x9F, 0x36, 0xC1, 0xA0, 0x29, 0x99, + 0xD1, 0x96, 0x70, 0x59, 0x06, 0x78, 0x35, 0xBD, 0x65, 0x55, 0x52, 0x9E, + 0xF8, 0xB2, 0xE5, 0x38, +}; + +DSA *get_dsa2048() +{ + DSA *dsa; + BIGNUM *priv_key, *pub_key, *p, *q, *g; + + if ((dsa = DSA_new()) == NULL) + return (NULL); + priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL); + pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL); + p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL); + q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL); + g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL); + if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL) + || (g == NULL)) { + goto err; + } + if (!DSA_set0_pqg(dsa, p, q, g)) + goto err; + p = q = g = NULL; + + if (!DSA_set0_key(dsa, pub_key, priv_key)) + goto err; + + return dsa; + err: + DSA_free(dsa); + BN_free(priv_key); + BN_free(pub_key); + BN_free(p); + BN_free(q); + BN_free(g); + return NULL; +} + diff --git a/openssl-1.1.0h/apps/testrsa.h b/openssl-1.1.0h/apps/testrsa.h new file mode 100644 index 0000000..1350ce5 --- /dev/null +++ b/openssl-1.1.0h/apps/testrsa.h @@ -0,0 +1,1960 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +static unsigned char test512[] = { + 0x30, 0x82, 0x01, 0x3a, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00, + 0xd6, 0x33, 0xb9, 0xc8, 0xfb, 0x4f, 0x3c, 0x7d, 0xc0, 0x01, + 0x86, 0xd0, 0xe7, 0xa0, 0x55, 0xf2, 0x95, 0x93, 0xcc, 0x4f, + 0xb7, 0x5b, 0x67, 0x5b, 0x94, 0x68, 0xc9, 0x34, 0x15, 0xde, + 0xa5, 0x2e, 0x1c, 0x33, 0xc2, 0x6e, 0xfc, 0x34, 0x5e, 0x71, + 0x13, 0xb7, 0xd6, 0xee, 0xd8, 0xa5, 0x65, 0x05, 0x72, 0x87, + 0xa8, 0xb0, 0x77, 0xfe, 0x57, 0xf5, 0xfc, 0x5f, 0x55, 0x83, + 0x87, 0xdd, 0x57, 0x49, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, + 0x41, 0x00, 0xa7, 0xf7, 0x91, 0xc5, 0x0f, 0x84, 0x57, 0xdc, + 0x07, 0xf7, 0x6a, 0x7f, 0x60, 0x52, 0xb3, 0x72, 0xf1, 0x66, + 0x1f, 0x7d, 0x97, 0x3b, 0x9e, 0xb6, 0x0a, 0x8f, 0x8c, 0xcf, + 0x42, 0x23, 0x00, 0x04, 0xd4, 0x28, 0x0e, 0x1c, 0x90, 0xc4, + 0x11, 0x25, 0x25, 0xa5, 0x93, 0xa5, 0x2f, 0x70, 0x02, 0xdf, + 0x81, 0x9c, 0x49, 0x03, 0xa0, 0xf8, 0x6d, 0x54, 0x2e, 0x26, + 0xde, 0xaa, 0x85, 0x59, 0xa8, 0x31, 0x02, 0x21, 0x00, 0xeb, + 0x47, 0xd7, 0x3b, 0xf6, 0xc3, 0xdd, 0x5a, 0x46, 0xc5, 0xb9, + 0x2b, 0x9a, 0xa0, 0x09, 0x8f, 0xa6, 0xfb, 0xf3, 0x78, 0x7a, + 0x33, 0x70, 0x9d, 0x0f, 0x42, 0x6b, 0x13, 0x68, 0x24, 0xd3, + 0x15, 0x02, 0x21, 0x00, 0xe9, 0x10, 0xb0, 0xb3, 0x0d, 0xe2, + 0x82, 0x68, 0x77, 0x8a, 0x6e, 0x7c, 0xda, 0xbc, 0x3e, 0x53, + 0x83, 0xfb, 0xd6, 0x22, 0xe7, 0xb5, 0xae, 0x6e, 0x80, 0xda, + 0x00, 0x55, 0x97, 0xc1, 0xd0, 0x65, 0x02, 0x20, 0x4c, 0xf8, + 0x73, 0xb1, 0x6a, 0x49, 0x29, 0x61, 0x1f, 0x46, 0x10, 0x0d, + 0xf3, 0xc7, 0xe7, 0x58, 0xd7, 0x88, 0x15, 0x5e, 0x94, 0x9b, + 0xbf, 0x7b, 0xa2, 0x42, 0x58, 0x45, 0x41, 0x0c, 0xcb, 0x01, + 0x02, 0x20, 0x12, 0x11, 0xba, 0x31, 0x57, 0x9d, 0x3d, 0x11, + 0x0e, 0x5b, 0x8c, 0x2f, 0x5f, 0xe2, 0x02, 0x4f, 0x05, 0x47, + 0x8c, 0x15, 0x8e, 0xb3, 0x56, 0x3f, 0xb8, 0xfb, 0xad, 0xd4, + 0xf4, 0xfc, 0x10, 0xc5, 0x02, 0x20, 0x18, 0xa1, 0x29, 0x99, + 0x5b, 0xd9, 0xc8, 0xd4, 0xfc, 0x49, 0x7a, 0x2a, 0x21, 0x2c, + 0x49, 0xe4, 0x4f, 0xeb, 0xef, 0x51, 0xf1, 0xab, 0x6d, 0xfb, + 0x4b, 0x14, 0xe9, 0x4b, 0x52, 0xb5, 0x82, 0x2c, +}; + +static unsigned char test1024[] = { + 0x30, 0x82, 0x02, 0x5c, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, + 0x00, 0xdc, 0x98, 0x43, 0xe8, 0x3d, 0x43, 0x5b, 0xe4, 0x05, + 0xcd, 0xd0, 0xa9, 0x3e, 0xcb, 0x83, 0x75, 0xf6, 0xb5, 0xa5, + 0x9f, 0x6b, 0xe9, 0x34, 0x41, 0x29, 0x18, 0xfa, 0x6a, 0x55, + 0x4d, 0x70, 0xfc, 0xec, 0xae, 0x87, 0x38, 0x0a, 0x20, 0xa9, + 0xc0, 0x45, 0x77, 0x6e, 0x57, 0x60, 0x57, 0xf4, 0xed, 0x96, + 0x22, 0xcb, 0x8f, 0xe1, 0x33, 0x3a, 0x17, 0x1f, 0xed, 0x37, + 0xa5, 0x6f, 0xeb, 0xa6, 0xbc, 0x12, 0x80, 0x1d, 0x53, 0xbd, + 0x70, 0xeb, 0x21, 0x76, 0x3e, 0xc9, 0x2f, 0x1a, 0x45, 0x24, + 0x82, 0xff, 0xcd, 0x59, 0x32, 0x06, 0x2e, 0x12, 0x3b, 0x23, + 0x78, 0xed, 0x12, 0x3d, 0xe0, 0x8d, 0xf9, 0x67, 0x4f, 0x37, + 0x4e, 0x47, 0x02, 0x4c, 0x2d, 0xc0, 0x4f, 0x1f, 0xb3, 0x94, + 0xe1, 0x41, 0x2e, 0x2d, 0x90, 0x10, 0xfc, 0x82, 0x91, 0x8b, + 0x0f, 0x22, 0xd4, 0xf2, 0xfc, 0x2c, 0xab, 0x53, 0x55, 0x02, + 0x03, 0x01, 0x00, 0x01, 0x02, 0x81, 0x80, 0x2b, 0xcc, 0x3f, + 0x8f, 0x58, 0xba, 0x8b, 0x00, 0x16, 0xf6, 0xea, 0x3a, 0xf0, + 0x30, 0xd0, 0x05, 0x17, 0xda, 0xb0, 0xeb, 0x9a, 0x2d, 0x4f, + 0x26, 0xb0, 0xd6, 0x38, 0xc1, 0xeb, 0xf5, 0xd8, 0x3d, 0x1f, + 0x70, 0xf7, 0x7f, 0xf4, 0xe2, 0xcf, 0x51, 0x51, 0x79, 0x88, + 0xfa, 0xe8, 0x32, 0x0e, 0x7b, 0x2d, 0x97, 0xf2, 0xfa, 0xba, + 0x27, 0xc5, 0x9c, 0xd9, 0xc5, 0xeb, 0x8a, 0x79, 0x52, 0x3c, + 0x64, 0x34, 0x7d, 0xc2, 0xcf, 0x28, 0xc7, 0x4e, 0xd5, 0x43, + 0x0b, 0xd1, 0xa6, 0xca, 0x6d, 0x03, 0x2d, 0x72, 0x23, 0xbc, + 0x6d, 0x05, 0xfa, 0x16, 0x09, 0x2f, 0x2e, 0x5c, 0xb6, 0xee, + 0x74, 0xdd, 0xd2, 0x48, 0x8e, 0x36, 0x0c, 0x06, 0x3d, 0x4d, + 0xe5, 0x10, 0x82, 0xeb, 0x6a, 0xf3, 0x4b, 0x9f, 0xd6, 0xed, + 0x11, 0xb1, 0x6e, 0xec, 0xf4, 0xfe, 0x8e, 0x75, 0x94, 0x20, + 0x2f, 0xcb, 0xac, 0x46, 0xf1, 0x02, 0x41, 0x00, 0xf9, 0x8c, + 0xa3, 0x85, 0xb1, 0xdd, 0x29, 0xaf, 0x65, 0xc1, 0x33, 0xf3, + 0x95, 0xc5, 0x52, 0x68, 0x0b, 0xd4, 0xf1, 0xe5, 0x0e, 0x02, + 0x9f, 0x4f, 0xfa, 0x77, 0xdc, 0x46, 0x9e, 0xc7, 0xa6, 0xe4, + 0x16, 0x29, 0xda, 0xb0, 0x07, 0xcf, 0x5b, 0xa9, 0x12, 0x8a, + 0xdd, 0x63, 0x0a, 0xde, 0x2e, 0x8c, 0x66, 0x8b, 0x8c, 0xdc, + 0x19, 0xa3, 0x7e, 0xf4, 0x3b, 0xd0, 0x1a, 0x8c, 0xa4, 0xc2, + 0xe1, 0xd3, 0x02, 0x41, 0x00, 0xe2, 0x4c, 0x05, 0xf2, 0x04, + 0x86, 0x4e, 0x61, 0x43, 0xdb, 0xb0, 0xb9, 0x96, 0x86, 0x52, + 0x2c, 0xca, 0x8d, 0x7b, 0xab, 0x0b, 0x13, 0x0d, 0x7e, 0x38, + 0x5b, 0xe2, 0x2e, 0x7b, 0x0e, 0xe7, 0x19, 0x99, 0x38, 0xe7, + 0xf2, 0x21, 0xbd, 0x85, 0x85, 0xe3, 0xfd, 0x28, 0x77, 0x20, + 0x31, 0x71, 0x2c, 0xd0, 0xff, 0xfb, 0x2e, 0xaf, 0x85, 0xb4, + 0x86, 0xca, 0xf3, 0xbb, 0xca, 0xaa, 0x0f, 0x95, 0x37, 0x02, + 0x40, 0x0e, 0x41, 0x9a, 0x95, 0xe8, 0xb3, 0x59, 0xce, 0x4b, + 0x61, 0xde, 0x35, 0xec, 0x38, 0x79, 0x9c, 0xb8, 0x10, 0x52, + 0x41, 0x63, 0xab, 0x82, 0xae, 0x6f, 0x00, 0xa9, 0xf4, 0xde, + 0xdd, 0x49, 0x0b, 0x7e, 0xb8, 0xa5, 0x65, 0xa9, 0x0c, 0x8f, + 0x8f, 0xf9, 0x1f, 0x35, 0xc6, 0x92, 0xb8, 0x5e, 0xb0, 0x66, + 0xab, 0x52, 0x40, 0xc0, 0xb6, 0x36, 0x6a, 0x7d, 0x80, 0x46, + 0x04, 0x02, 0xe5, 0x9f, 0x41, 0x02, 0x41, 0x00, 0xc0, 0xad, + 0xcc, 0x4e, 0x21, 0xee, 0x1d, 0x24, 0x91, 0xfb, 0xa7, 0x80, + 0x8d, 0x9a, 0xb6, 0xb3, 0x2e, 0x8f, 0xc2, 0xe1, 0x82, 0xdf, + 0x69, 0x18, 0xb4, 0x71, 0xff, 0xa6, 0x65, 0xde, 0xed, 0x84, + 0x8d, 0x42, 0xb7, 0xb3, 0x21, 0x69, 0x56, 0x1c, 0x07, 0x60, + 0x51, 0x29, 0x04, 0xff, 0x34, 0x06, 0xdd, 0xb9, 0x67, 0x2c, + 0x7c, 0x04, 0x93, 0x0e, 0x46, 0x15, 0xbb, 0x2a, 0xb7, 0x1b, + 0xe7, 0x87, 0x02, 0x40, 0x78, 0xda, 0x5d, 0x07, 0x51, 0x0c, + 0x16, 0x7a, 0x9f, 0x29, 0x20, 0x84, 0x0d, 0x42, 0xfa, 0xd7, + 0x00, 0xd8, 0x77, 0x7e, 0xb0, 0xb0, 0x6b, 0xd6, 0x5b, 0x53, + 0xb8, 0x9b, 0x7a, 0xcd, 0xc7, 0x2b, 0xb8, 0x6a, 0x63, 0xa9, + 0xfb, 0x6f, 0xa4, 0x72, 0xbf, 0x4c, 0x5d, 0x00, 0x14, 0xba, + 0xfa, 0x59, 0x88, 0xed, 0xe4, 0xe0, 0x8c, 0xa2, 0xec, 0x14, + 0x7e, 0x2d, 0xe2, 0xf0, 0x46, 0x49, 0x95, 0x45, +}; + +static unsigned char test2048[] = { + 0x30, 0x82, 0x04, 0xa3, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xc0, 0xc0, 0xce, 0x3e, 0x3c, 0x53, 0x67, 0x3f, + 0x4f, 0xc5, 0x2f, 0xa4, 0xc2, 0x5a, 0x2f, 0x58, 0xfd, 0x27, + 0x52, 0x6a, 0xe8, 0xcf, 0x4a, 0x73, 0x47, 0x8d, 0x25, 0x0f, + 0x5f, 0x03, 0x26, 0x78, 0xef, 0xf0, 0x22, 0x12, 0xd3, 0xde, + 0x47, 0xb2, 0x1c, 0x0b, 0x38, 0x63, 0x1a, 0x6c, 0x85, 0x7a, + 0x80, 0xc6, 0x8f, 0xa0, 0x41, 0xaf, 0x62, 0xc4, 0x67, 0x32, + 0x88, 0xf8, 0xa6, 0x9c, 0xf5, 0x23, 0x1d, 0xe4, 0xac, 0x3f, + 0x29, 0xf9, 0xec, 0xe1, 0x8b, 0x26, 0x03, 0x2c, 0xb2, 0xab, + 0xf3, 0x7d, 0xb5, 0xca, 0x49, 0xc0, 0x8f, 0x1c, 0xdf, 0x33, + 0x3a, 0x60, 0xda, 0x3c, 0xb0, 0x16, 0xf8, 0xa9, 0x12, 0x8f, + 0x64, 0xac, 0x23, 0x0c, 0x69, 0x64, 0x97, 0x5d, 0x99, 0xd4, + 0x09, 0x83, 0x9b, 0x61, 0xd3, 0xac, 0xf0, 0xde, 0xdd, 0x5e, + 0x9f, 0x44, 0x94, 0xdb, 0x3a, 0x4d, 0x97, 0xe8, 0x52, 0x29, + 0xf7, 0xdb, 0x94, 0x07, 0x45, 0x90, 0x78, 0x1e, 0x31, 0x0b, + 0x80, 0xf7, 0x57, 0xad, 0x1c, 0x79, 0xc5, 0xcb, 0x32, 0xb0, + 0xce, 0xcd, 0x74, 0xb3, 0xe2, 0x94, 0xc5, 0x78, 0x2f, 0x34, + 0x1a, 0x45, 0xf7, 0x8c, 0x52, 0xa5, 0xbc, 0x8d, 0xec, 0xd1, + 0x2f, 0x31, 0x3b, 0xf0, 0x49, 0x59, 0x5e, 0x88, 0x9d, 0x15, + 0x92, 0x35, 0x32, 0xc1, 0xe7, 0x61, 0xec, 0x50, 0x48, 0x7c, + 0xba, 0x05, 0xf9, 0xf8, 0xf8, 0xa7, 0x8c, 0x83, 0xe8, 0x66, + 0x5b, 0xeb, 0xfe, 0xd8, 0x4f, 0xdd, 0x6d, 0x36, 0xc0, 0xb2, + 0x90, 0x0f, 0xb8, 0x52, 0xf9, 0x04, 0x9b, 0x40, 0x2c, 0x27, + 0xd6, 0x36, 0x8e, 0xc2, 0x1b, 0x44, 0xf3, 0x92, 0xd5, 0x15, + 0x9e, 0x9a, 0xbc, 0xf3, 0x7d, 0x03, 0xd7, 0x02, 0x14, 0x20, + 0xe9, 0x10, 0x92, 0xfd, 0xf9, 0xfc, 0x8f, 0xe5, 0x18, 0xe1, + 0x95, 0xcc, 0x9e, 0x60, 0xa6, 0xfa, 0x38, 0x4d, 0x02, 0x03, + 0x01, 0x00, 0x01, 0x02, 0x82, 0x01, 0x00, 0x00, 0xc3, 0xc3, + 0x0d, 0xb4, 0x27, 0x90, 0x8d, 0x4b, 0xbf, 0xb8, 0x84, 0xaa, + 0xd0, 0xb8, 0xc7, 0x5d, 0x99, 0xbe, 0x55, 0xf6, 0x3e, 0x7c, + 0x49, 0x20, 0xcb, 0x8a, 0x8e, 0x19, 0x0e, 0x66, 0x24, 0xac, + 0xaf, 0x03, 0x33, 0x97, 0xeb, 0x95, 0xd5, 0x3b, 0x0f, 0x40, + 0x56, 0x04, 0x50, 0xd1, 0xe6, 0xbe, 0x84, 0x0b, 0x25, 0xd3, + 0x9c, 0xe2, 0x83, 0x6c, 0xf5, 0x62, 0x5d, 0xba, 0x2b, 0x7d, + 0x3d, 0x7a, 0x6c, 0xe1, 0xd2, 0x0e, 0x54, 0x93, 0x80, 0x01, + 0x91, 0x51, 0x09, 0xe8, 0x5b, 0x8e, 0x47, 0xbd, 0x64, 0xe4, + 0x0e, 0x03, 0x83, 0x55, 0xcf, 0x5a, 0x37, 0xf0, 0x25, 0xb5, + 0x7d, 0x21, 0xd7, 0x69, 0xdf, 0x6f, 0xc2, 0xcf, 0x10, 0xc9, + 0x8a, 0x40, 0x9f, 0x7a, 0x70, 0xc0, 0xe8, 0xe8, 0xc0, 0xe6, + 0x9a, 0x15, 0x0a, 0x8d, 0x4e, 0x46, 0xcb, 0x7a, 0xdb, 0xb3, + 0xcb, 0x83, 0x02, 0xc4, 0xf0, 0xab, 0xeb, 0x02, 0x01, 0x0e, + 0x23, 0xfc, 0x1d, 0xc4, 0xbd, 0xd4, 0xaa, 0x5d, 0x31, 0x46, + 0x99, 0xce, 0x9e, 0xf8, 0x04, 0x75, 0x10, 0x67, 0xc4, 0x53, + 0x47, 0x44, 0xfa, 0xc2, 0x25, 0x73, 0x7e, 0xd0, 0x8e, 0x59, + 0xd1, 0xb2, 0x5a, 0xf4, 0xc7, 0x18, 0x92, 0x2f, 0x39, 0xab, + 0xcd, 0xa3, 0xb5, 0xc2, 0xb9, 0xc7, 0xb9, 0x1b, 0x9f, 0x48, + 0xfa, 0x13, 0xc6, 0x98, 0x4d, 0xca, 0x84, 0x9c, 0x06, 0xca, + 0xe7, 0x89, 0x01, 0x04, 0xc4, 0x6c, 0xfd, 0x29, 0x59, 0x35, + 0xe7, 0xf3, 0xdd, 0xce, 0x64, 0x59, 0xbf, 0x21, 0x13, 0xa9, + 0x9f, 0x0e, 0xc5, 0xff, 0xbd, 0x33, 0x00, 0xec, 0xac, 0x6b, + 0x11, 0xef, 0x51, 0x5e, 0xad, 0x07, 0x15, 0xde, 0xb8, 0x5f, + 0xc6, 0xb9, 0xa3, 0x22, 0x65, 0x46, 0x83, 0x14, 0xdf, 0xd0, + 0xf1, 0x44, 0x8a, 0xe1, 0x9c, 0x23, 0x33, 0xb4, 0x97, 0x33, + 0xe6, 0x6b, 0x81, 0x02, 0x81, 0x81, 0x00, 0xec, 0x12, 0xa7, + 0x59, 0x74, 0x6a, 0xde, 0x3e, 0xad, 0xd8, 0x36, 0x80, 0x50, + 0xa2, 0xd5, 0x21, 0x81, 0x07, 0xf1, 0xd0, 0x91, 0xf2, 0x6c, + 0x12, 0x2f, 0x9d, 0x1a, 0x26, 0xf8, 0x30, 0x65, 0xdf, 0xe8, + 0xc0, 0x9b, 0x6a, 0x30, 0x98, 0x82, 0x87, 0xec, 0xa2, 0x56, + 0x87, 0x62, 0x6f, 0xe7, 0x9f, 0xf6, 0x56, 0xe6, 0x71, 0x8f, + 0x49, 0x86, 0x93, 0x5a, 0x4d, 0x34, 0x58, 0xfe, 0xd9, 0x04, + 0x13, 0xaf, 0x79, 0xb7, 0xad, 0x11, 0xd1, 0x30, 0x9a, 0x14, + 0x06, 0xa0, 0xfa, 0xb7, 0x55, 0xdc, 0x6c, 0x5a, 0x4c, 0x2c, + 0x59, 0x56, 0xf6, 0xe8, 0x9d, 0xaf, 0x0a, 0x78, 0x99, 0x06, + 0x06, 0x9e, 0xe7, 0x9c, 0x51, 0x55, 0x43, 0xfc, 0x3b, 0x6c, + 0x0b, 0xbf, 0x2d, 0x41, 0xa7, 0xaf, 0xb7, 0xe0, 0xe8, 0x28, + 0x18, 0xb4, 0x13, 0xd1, 0xe6, 0x97, 0xd0, 0x9f, 0x6a, 0x80, + 0xca, 0xdd, 0x1a, 0x7e, 0x15, 0x02, 0x81, 0x81, 0x00, 0xd1, + 0x06, 0x0c, 0x1f, 0xe3, 0xd0, 0xab, 0xd6, 0xca, 0x7c, 0xbc, + 0x7d, 0x13, 0x35, 0xce, 0x27, 0xcd, 0xd8, 0x49, 0x51, 0x63, + 0x64, 0x0f, 0xca, 0x06, 0x12, 0xfc, 0x07, 0x3e, 0xaf, 0x61, + 0x6d, 0xe2, 0x53, 0x39, 0x27, 0xae, 0xc3, 0x11, 0x9e, 0x94, + 0x01, 0x4f, 0xe3, 0xf3, 0x67, 0xf9, 0x77, 0xf9, 0xe7, 0x95, + 0x3a, 0x6f, 0xe2, 0x20, 0x73, 0x3e, 0xa4, 0x7a, 0x28, 0xd4, + 0x61, 0x97, 0xf6, 0x17, 0xa0, 0x23, 0x10, 0x2b, 0xce, 0x84, + 0x57, 0x7e, 0x25, 0x1f, 0xf4, 0xa8, 0x54, 0xd2, 0x65, 0x94, + 0xcc, 0x95, 0x0a, 0xab, 0x30, 0xc1, 0x59, 0x1f, 0x61, 0x8e, + 0xb9, 0x6b, 0xd7, 0x4e, 0xb9, 0x83, 0x43, 0x79, 0x85, 0x11, + 0xbc, 0x0f, 0xae, 0x25, 0x20, 0x05, 0xbc, 0xd2, 0x48, 0xa1, + 0x68, 0x09, 0x84, 0xf6, 0x12, 0x9a, 0x66, 0xb9, 0x2b, 0xbb, + 0x76, 0x03, 0x17, 0x46, 0x4e, 0x97, 0x59, 0x02, 0x81, 0x80, + 0x09, 0x4c, 0xfa, 0xd6, 0xe5, 0x65, 0x48, 0x78, 0x43, 0xb5, + 0x1f, 0x00, 0x93, 0x2c, 0xb7, 0x24, 0xe8, 0xc6, 0x7d, 0x5a, + 0x70, 0x45, 0x92, 0xc8, 0x6c, 0xa3, 0xcd, 0xe1, 0xf7, 0x29, + 0x40, 0xfa, 0x3f, 0x5b, 0x47, 0x44, 0x39, 0xc1, 0xe8, 0x72, + 0x9e, 0x7a, 0x0e, 0xda, 0xaa, 0xa0, 0x2a, 0x09, 0xfd, 0x54, + 0x93, 0x23, 0xaa, 0x37, 0x85, 0x5b, 0xcc, 0xd4, 0xf9, 0xd8, + 0xff, 0xc1, 0x61, 0x0d, 0xbd, 0x7e, 0x18, 0x24, 0x73, 0x6d, + 0x40, 0x72, 0xf1, 0x93, 0x09, 0x48, 0x97, 0x6c, 0x84, 0x90, + 0xa8, 0x46, 0x14, 0x01, 0x39, 0x11, 0xe5, 0x3c, 0x41, 0x27, + 0x32, 0x75, 0x24, 0xed, 0xa1, 0xd9, 0x12, 0x29, 0x8a, 0x28, + 0x71, 0x89, 0x8d, 0xca, 0x30, 0xb0, 0x01, 0xc4, 0x2f, 0x82, + 0x19, 0x14, 0x4c, 0x70, 0x1c, 0xb8, 0x23, 0x2e, 0xe8, 0x90, + 0x49, 0x97, 0x92, 0x97, 0x6b, 0x7a, 0x9d, 0xb9, 0x02, 0x81, + 0x80, 0x0f, 0x0e, 0xa1, 0x76, 0xf6, 0xa1, 0x44, 0x8f, 0xaf, + 0x7c, 0x76, 0xd3, 0x87, 0xbb, 0xbb, 0x83, 0x10, 0x88, 0x01, + 0x18, 0x14, 0xd1, 0xd3, 0x75, 0x59, 0x24, 0xaa, 0xf5, 0x16, + 0xa5, 0xe9, 0x9d, 0xd1, 0xcc, 0xee, 0xf4, 0x15, 0xd9, 0xc5, + 0x7e, 0x27, 0xe9, 0x44, 0x49, 0x06, 0x72, 0xb9, 0xfc, 0xd3, + 0x8a, 0xc4, 0x2c, 0x36, 0x7d, 0x12, 0x9b, 0x5a, 0xaa, 0xdc, + 0x85, 0xee, 0x6e, 0xad, 0x54, 0xb3, 0xf4, 0xfc, 0x31, 0xa1, + 0x06, 0x3a, 0x70, 0x57, 0x0c, 0xf3, 0x95, 0x5b, 0x3e, 0xe8, + 0xfd, 0x1a, 0x4f, 0xf6, 0x78, 0x93, 0x46, 0x6a, 0xd7, 0x31, + 0xb4, 0x84, 0x64, 0x85, 0x09, 0x38, 0x89, 0x92, 0x94, 0x1c, + 0xbf, 0xe2, 0x3c, 0x2a, 0xe0, 0xff, 0x99, 0xa3, 0xf0, 0x2b, + 0x31, 0xc2, 0x36, 0xcd, 0x60, 0xbf, 0x9d, 0x2d, 0x74, 0x32, + 0xe8, 0x9c, 0x93, 0x6e, 0xbb, 0x91, 0x7b, 0xfd, 0xd9, 0x02, + 0x81, 0x81, 0x00, 0xa2, 0x71, 0x25, 0x38, 0xeb, 0x2a, 0xe9, + 0x37, 0xcd, 0xfe, 0x44, 0xce, 0x90, 0x3f, 0x52, 0x87, 0x84, + 0x52, 0x1b, 0xae, 0x8d, 0x22, 0x94, 0xce, 0x38, 0xe6, 0x04, + 0x88, 0x76, 0x85, 0x9a, 0xd3, 0x14, 0x09, 0xe5, 0x69, 0x9a, + 0xff, 0x58, 0x92, 0x02, 0x6a, 0x7d, 0x7c, 0x1e, 0x2c, 0xfd, + 0xa8, 0xca, 0x32, 0x14, 0x4f, 0x0d, 0x84, 0x0d, 0x37, 0x43, + 0xbf, 0xe4, 0x5d, 0x12, 0xc8, 0x24, 0x91, 0x27, 0x8d, 0x46, + 0xd9, 0x54, 0x53, 0xe7, 0x62, 0x71, 0xa8, 0x2b, 0x71, 0x41, + 0x8d, 0x75, 0xf8, 0x3a, 0xa0, 0x61, 0x29, 0x46, 0xa6, 0xe5, + 0x82, 0xfa, 0x3a, 0xd9, 0x08, 0xfa, 0xfc, 0x63, 0xfd, 0x6b, + 0x30, 0xbc, 0xf4, 0x4e, 0x9e, 0x8c, 0x25, 0x0c, 0xb6, 0x55, + 0xe7, 0x3c, 0xd4, 0x4e, 0x0b, 0xfd, 0x8b, 0xc3, 0x0e, 0x1d, + 0x9c, 0x44, 0x57, 0x8f, 0x1f, 0x86, 0xf7, 0xd5, 0x1b, 0xe4, + 0x95, +}; + +static unsigned char test3072[] = { + 0x30, 0x82, 0x06, 0xe3, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, + 0x81, 0x00, 0xbc, 0x3b, 0x23, 0xc0, 0x33, 0xa7, 0x8b, 0xaa, + 0xca, 0xa3, 0x8c, 0x94, 0xf2, 0x4c, 0x52, 0x08, 0x85, 0x80, + 0xfc, 0x36, 0x15, 0xfa, 0x03, 0x06, 0xb6, 0xd6, 0x3f, 0x60, + 0x8a, 0x89, 0x0d, 0xba, 0x1a, 0x51, 0x0b, 0x12, 0xea, 0x71, + 0x77, 0xf6, 0x3a, 0x30, 0x21, 0x3d, 0x24, 0xf8, 0x2e, 0xd0, + 0x17, 0x3a, 0x85, 0x94, 0x25, 0x42, 0x89, 0xff, 0x6a, 0x68, + 0xdf, 0x1f, 0x86, 0xae, 0xa5, 0xbb, 0x9a, 0x79, 0xf6, 0x69, + 0x94, 0xfe, 0xde, 0xfe, 0xce, 0x1b, 0x2e, 0xae, 0x1d, 0x91, + 0xcb, 0xb9, 0xf1, 0x2d, 0xd8, 0x00, 0x82, 0x51, 0x8e, 0xf9, + 0xfd, 0xac, 0xf1, 0x0e, 0x7f, 0xb7, 0x95, 0x85, 0x35, 0xf9, + 0xcb, 0xbe, 0x5f, 0xd3, 0x58, 0xe3, 0xa1, 0x54, 0x9e, 0x30, + 0xb1, 0x8d, 0x01, 0x97, 0x82, 0x06, 0x8e, 0x77, 0xfb, 0xce, + 0x50, 0x2f, 0xbf, 0xf1, 0xff, 0x57, 0x0a, 0x42, 0x03, 0xfd, + 0x0e, 0xba, 0x1e, 0xca, 0x85, 0xc1, 0x9b, 0xa5, 0x9d, 0x09, + 0x0e, 0xe9, 0xbb, 0xc5, 0x73, 0x47, 0x0d, 0x39, 0x3c, 0x64, + 0x06, 0x9a, 0x79, 0x3f, 0x50, 0x87, 0x9c, 0x18, 0x2d, 0x62, + 0x01, 0xfc, 0xed, 0xc1, 0x58, 0x28, 0x21, 0x94, 0x1e, 0xf9, + 0x2d, 0x96, 0x4f, 0xd0, 0xbc, 0xf1, 0xe0, 0x8a, 0xfa, 0x4d, + 0xb6, 0x78, 0x4a, 0xde, 0x17, 0x59, 0xb0, 0x22, 0xa0, 0x9a, + 0xd3, 0x70, 0xb6, 0xc2, 0xbe, 0xbc, 0x96, 0xca, 0x41, 0x5f, + 0x58, 0x4e, 0xce, 0xef, 0x64, 0x45, 0xdd, 0x3f, 0x81, 0x92, + 0xcc, 0x40, 0x79, 0xfc, 0x19, 0xe2, 0xbc, 0x77, 0x2f, 0x43, + 0xfb, 0x8e, 0xad, 0x82, 0x4a, 0x0b, 0xb1, 0xbc, 0x09, 0x8a, + 0x80, 0xc3, 0x0f, 0xef, 0xd2, 0x06, 0xd3, 0x4b, 0x0c, 0x7f, + 0xae, 0x60, 0x3f, 0x2e, 0x52, 0xb4, 0xe4, 0xc2, 0x5c, 0xa6, + 0x71, 0xc0, 0x13, 0x9c, 0xca, 0xa6, 0x0d, 0x13, 0xd7, 0xb7, + 0x14, 0x94, 0x3f, 0x0d, 0x8b, 0x06, 0x70, 0x2f, 0x15, 0x82, + 0x8d, 0x47, 0x45, 0xa6, 0x00, 0x8a, 0x14, 0x91, 0xde, 0x2f, + 0x50, 0x17, 0xe3, 0x1d, 0x34, 0x29, 0x8c, 0xe4, 0x57, 0x74, + 0x2a, 0x3a, 0x82, 0x65, 0x26, 0xf7, 0x8d, 0xcc, 0x1b, 0x8f, + 0xaf, 0xe5, 0x85, 0xe5, 0xbe, 0x85, 0xd6, 0xb7, 0x04, 0xe8, + 0xf5, 0xd4, 0x74, 0xe2, 0x54, 0x14, 0xdd, 0x58, 0xcf, 0x1f, + 0x11, 0x8a, 0x9f, 0x82, 0xa2, 0x01, 0xf9, 0xc2, 0xdf, 0x7b, + 0x84, 0xb1, 0xd8, 0x5b, 0x70, 0xbb, 0x24, 0xe7, 0xd0, 0x2a, + 0x75, 0x3d, 0x55, 0xac, 0x45, 0xe9, 0xab, 0xc6, 0x84, 0x8a, + 0xe7, 0x6d, 0x26, 0x12, 0x89, 0xb5, 0x67, 0xe8, 0x46, 0x9d, + 0x46, 0x1a, 0xfa, 0x2d, 0xc0, 0x5b, 0x60, 0x46, 0x8b, 0xb7, + 0x32, 0x03, 0xff, 0x75, 0xee, 0x9f, 0x3c, 0xdd, 0xb6, 0x35, + 0x4e, 0x82, 0xbd, 0x99, 0x73, 0x51, 0x02, 0x03, 0x01, 0x00, + 0x01, 0x02, 0x82, 0x01, 0x80, 0x42, 0xee, 0xa4, 0x9f, 0xcb, + 0xbe, 0x60, 0x23, 0xb3, 0x3a, 0xc4, 0xda, 0x91, 0xee, 0x21, + 0x9d, 0x76, 0x1b, 0x8f, 0x93, 0x8b, 0xed, 0x02, 0xf6, 0x78, + 0x3d, 0x66, 0xfb, 0xe5, 0x47, 0x26, 0xe2, 0x6e, 0x49, 0x33, + 0x2e, 0xde, 0xbe, 0xca, 0x71, 0x7b, 0xef, 0x71, 0x62, 0x54, + 0xab, 0x0b, 0xba, 0x63, 0x08, 0x24, 0x47, 0xb1, 0x98, 0x1f, + 0x89, 0xfb, 0x44, 0x9f, 0x52, 0x8e, 0x89, 0xbb, 0xd5, 0x21, + 0xf1, 0x0c, 0x76, 0x2e, 0xcd, 0x12, 0x6e, 0x78, 0xcb, 0xa1, + 0xa5, 0xb8, 0x4e, 0x07, 0xab, 0x6e, 0xdf, 0x66, 0x57, 0x87, + 0xff, 0x88, 0x5f, 0xcc, 0x9c, 0x9a, 0x7b, 0x15, 0x5f, 0x2a, + 0x83, 0xdb, 0xd5, 0x9f, 0x65, 0x6a, 0x9d, 0xb4, 0x95, 0xfc, + 0xe0, 0x22, 0x00, 0x1e, 0xa2, 0x8d, 0x56, 0x5a, 0x9e, 0x0a, + 0x3b, 0x10, 0x07, 0x24, 0xec, 0x55, 0xcc, 0xaf, 0x87, 0x3b, + 0xd6, 0x8d, 0xa4, 0x86, 0x80, 0x18, 0x42, 0xdb, 0x9d, 0x24, + 0xc3, 0x97, 0x3b, 0x89, 0x5a, 0x03, 0xb3, 0x0a, 0x72, 0xd1, + 0x78, 0xf0, 0xc8, 0x80, 0xb0, 0x9d, 0x3c, 0xae, 0x5e, 0x0a, + 0x5b, 0x6e, 0x87, 0xd3, 0x3d, 0x25, 0x2e, 0x03, 0x33, 0x01, + 0xfd, 0xb1, 0xa5, 0xd9, 0x58, 0x01, 0xb9, 0xaf, 0xf6, 0x32, + 0x6a, 0x38, 0xe7, 0x39, 0x63, 0x3c, 0xfc, 0x0c, 0x41, 0x90, + 0x28, 0x40, 0x03, 0xcd, 0xfb, 0xde, 0x80, 0x74, 0x21, 0xaa, + 0xae, 0x58, 0xe9, 0x97, 0x18, 0x85, 0x58, 0x3d, 0x2b, 0xd6, + 0x61, 0xf6, 0xe8, 0xbc, 0x6d, 0x2a, 0xf3, 0xb8, 0xea, 0x8c, + 0x64, 0x44, 0xc6, 0xd3, 0x9f, 0x00, 0x7b, 0xb2, 0x52, 0x18, + 0x11, 0x04, 0x96, 0xb7, 0x05, 0xbb, 0xc2, 0x38, 0x5b, 0xa7, + 0x0a, 0x84, 0xb6, 0x4f, 0x02, 0x63, 0xa4, 0x57, 0x00, 0xe3, + 0xde, 0xe4, 0xf2, 0xb3, 0x55, 0xd9, 0x00, 0xa9, 0xd2, 0x5c, + 0x69, 0x9f, 0xe5, 0x80, 0x4f, 0x23, 0x7c, 0xd9, 0xa7, 0x77, + 0x4a, 0xbb, 0x09, 0x6d, 0x45, 0x02, 0xcf, 0x32, 0x90, 0xfd, + 0x10, 0xb6, 0xb3, 0x93, 0xd9, 0x3b, 0x1d, 0x57, 0x66, 0xb5, + 0xb3, 0xb1, 0x6e, 0x53, 0x5f, 0x04, 0x60, 0x29, 0xcd, 0xe8, + 0xb8, 0xab, 0x62, 0x82, 0x33, 0x40, 0xc7, 0xf8, 0x64, 0x60, + 0x0e, 0xab, 0x06, 0x3e, 0xa0, 0xa3, 0x62, 0x11, 0x3f, 0x67, + 0x5d, 0x24, 0x9e, 0x60, 0x29, 0xdc, 0x4c, 0xd5, 0x13, 0xee, + 0x3d, 0xb7, 0x84, 0x93, 0x27, 0xb5, 0x6a, 0xf9, 0xf0, 0xdd, + 0x50, 0xac, 0x46, 0x3c, 0xe6, 0xd5, 0xec, 0xf7, 0xb7, 0x9f, + 0x23, 0x39, 0x9c, 0x88, 0x8c, 0x5a, 0x62, 0x3f, 0x8d, 0x4a, + 0xd7, 0xeb, 0x5e, 0x1e, 0x49, 0xf8, 0xa9, 0x53, 0x11, 0x75, + 0xd0, 0x43, 0x1e, 0xc7, 0x29, 0x22, 0x80, 0x1f, 0xc5, 0x83, + 0x8d, 0x20, 0x04, 0x87, 0x7f, 0x57, 0x8c, 0xf5, 0xa1, 0x02, + 0x81, 0xc1, 0x00, 0xf7, 0xaa, 0xf5, 0xa5, 0x00, 0xdb, 0xd6, + 0x11, 0xfc, 0x07, 0x6d, 0x22, 0x24, 0x2b, 0x4b, 0xc5, 0x67, + 0x0f, 0x37, 0xa5, 0xdb, 0x8f, 0x38, 0xe2, 0x05, 0x43, 0x9a, + 0x44, 0x05, 0x3f, 0xa9, 0xac, 0x4c, 0x98, 0x3c, 0x72, 0x38, + 0xc3, 0x89, 0x33, 0x58, 0x73, 0x51, 0xcc, 0x5d, 0x2f, 0x8f, + 0x6d, 0x3f, 0xa1, 0x22, 0x9e, 0xfb, 0x9a, 0xb4, 0xb8, 0x79, + 0x95, 0xaf, 0x83, 0xcf, 0x5a, 0xb7, 0x14, 0x14, 0x0c, 0x51, + 0x8a, 0x11, 0xe6, 0xd6, 0x21, 0x1e, 0x17, 0x13, 0xd3, 0x69, + 0x7a, 0x3a, 0xd5, 0xaf, 0x3f, 0xb8, 0x25, 0x01, 0xcb, 0x2b, + 0xe6, 0xfc, 0x03, 0xd8, 0xd4, 0xf7, 0x20, 0xe0, 0x21, 0xef, + 0x1a, 0xca, 0x61, 0xeb, 0x8e, 0x96, 0x45, 0x8e, 0x5c, 0xe6, + 0x81, 0x0b, 0x2d, 0x05, 0x32, 0xf9, 0x41, 0x62, 0xb4, 0x33, + 0x98, 0x10, 0x3a, 0xcd, 0xf0, 0x7a, 0x8b, 0x1a, 0x48, 0xd7, + 0x3b, 0x01, 0xf5, 0x18, 0x65, 0x8f, 0x3c, 0xc2, 0x31, 0x3b, + 0xd3, 0xa7, 0x17, 0x5f, 0x7c, 0x0c, 0xe7, 0x25, 0x18, 0x5a, + 0x08, 0xe1, 0x09, 0x89, 0x13, 0xa7, 0xc5, 0x12, 0xab, 0x88, + 0x30, 0xcd, 0x06, 0xf9, 0xba, 0x6f, 0xca, 0x9c, 0x8a, 0xda, + 0x3e, 0x53, 0x90, 0xd7, 0x16, 0x2e, 0xfc, 0xbc, 0xad, 0xd6, + 0x3d, 0xc0, 0x66, 0x4c, 0x02, 0x3d, 0x31, 0xfd, 0x6c, 0xdb, + 0x1c, 0xdf, 0x96, 0x33, 0x23, 0x02, 0x81, 0xc1, 0x00, 0xc2, + 0x90, 0x47, 0xc4, 0xfb, 0x59, 0xf0, 0xc5, 0x14, 0x75, 0x29, + 0xfa, 0x77, 0xa1, 0x8d, 0xd4, 0x90, 0xa1, 0x0d, 0x3f, 0x16, + 0x88, 0xe3, 0x4c, 0x8f, 0x8f, 0x18, 0x8c, 0x9c, 0x8a, 0xd5, + 0xa7, 0x41, 0x99, 0xf3, 0x80, 0x8e, 0xb1, 0xb8, 0x63, 0xd8, + 0x3f, 0x95, 0xd0, 0xd0, 0x2b, 0xf5, 0xe6, 0x93, 0xe8, 0xfe, + 0xd0, 0x73, 0xd5, 0xbd, 0xb4, 0xee, 0x51, 0x19, 0x6a, 0x10, + 0xca, 0xc8, 0xba, 0xa4, 0x4d, 0x84, 0x54, 0x38, 0x17, 0xb5, + 0xd0, 0xa8, 0x75, 0x22, 0xc5, 0x1b, 0x61, 0xa6, 0x51, 0x88, + 0x63, 0xf0, 0x4f, 0xd1, 0x88, 0xd9, 0x16, 0x49, 0x30, 0xe1, + 0xa8, 0x47, 0xc9, 0x30, 0x1d, 0x5c, 0x75, 0xd8, 0x89, 0xb6, + 0x1d, 0x45, 0xd8, 0x0f, 0x94, 0x89, 0xb3, 0xe4, 0x51, 0xfa, + 0x21, 0xff, 0x6f, 0xb6, 0x30, 0x6f, 0x33, 0x24, 0xbc, 0x09, + 0x98, 0xe9, 0x20, 0x02, 0x0b, 0xde, 0xff, 0xc5, 0x06, 0xb6, + 0x28, 0xa3, 0xa1, 0x07, 0xe8, 0xe1, 0xd2, 0xc2, 0xf1, 0xd1, + 0x23, 0x6b, 0x4c, 0x3a, 0xae, 0x85, 0xec, 0xf9, 0xff, 0xa7, + 0x9b, 0x25, 0xb8, 0x95, 0x1d, 0xa8, 0x14, 0x81, 0x4f, 0x79, + 0x4f, 0xd6, 0x39, 0x5d, 0xe6, 0x5f, 0xd2, 0x34, 0x54, 0x8b, + 0x1e, 0x40, 0x4c, 0x15, 0x5a, 0x45, 0xce, 0x0c, 0xb0, 0xdf, + 0xa1, 0x17, 0xb8, 0xb0, 0x6a, 0x82, 0xa5, 0x97, 0x92, 0x70, + 0xfb, 0x02, 0x81, 0xc0, 0x77, 0x46, 0x44, 0x2b, 0x04, 0xf0, + 0xda, 0x75, 0xaa, 0xd4, 0xc0, 0xc0, 0x32, 0x7f, 0x0f, 0x6c, + 0xb0, 0x27, 0x69, 0xfb, 0x5c, 0x73, 0xeb, 0x47, 0x1e, 0x95, + 0xe2, 0x13, 0x64, 0x1b, 0xb6, 0xd1, 0x1d, 0xca, 0x2b, 0x42, + 0x2f, 0x08, 0x2c, 0x69, 0x27, 0xed, 0xd1, 0xb5, 0x04, 0x23, + 0xc5, 0x85, 0x2d, 0xa1, 0xa2, 0x94, 0xc2, 0x43, 0x4d, 0x49, + 0x92, 0x74, 0x7e, 0x24, 0x92, 0x95, 0xf3, 0x99, 0x9d, 0xd6, + 0x18, 0xe6, 0xcf, 0x9c, 0x45, 0xff, 0x89, 0x08, 0x40, 0x2a, + 0x0e, 0xa0, 0x28, 0xf9, 0x83, 0xfe, 0xc1, 0xe6, 0x40, 0xa8, + 0xe2, 0x29, 0xc9, 0xb0, 0xe8, 0x9a, 0x17, 0xb2, 0x23, 0x7e, + 0xf4, 0x32, 0x08, 0xc9, 0x83, 0xb2, 0x15, 0xb8, 0xc5, 0xc9, + 0x03, 0xd1, 0x9d, 0xda, 0x3e, 0xa8, 0xbf, 0xd5, 0xb7, 0x7d, + 0x65, 0x63, 0x94, 0x5d, 0x5d, 0x94, 0xb4, 0xcf, 0x8d, 0x07, + 0x0b, 0x70, 0x85, 0x8e, 0xce, 0x03, 0x0b, 0x2a, 0x8d, 0xb3, + 0x3c, 0x46, 0xc0, 0x2f, 0xc7, 0x72, 0x6c, 0x9c, 0x5d, 0x07, + 0x0f, 0x45, 0x3b, 0x6b, 0x66, 0x32, 0xab, 0x17, 0x83, 0xd8, + 0x4c, 0x2c, 0x84, 0x71, 0x19, 0x8f, 0xaa, 0x0a, 0xff, 0xbc, + 0xf7, 0x42, 0x10, 0xe8, 0xae, 0x4d, 0x26, 0xaf, 0xdd, 0x06, + 0x33, 0x29, 0x66, 0x21, 0x5d, 0xf5, 0xae, 0x17, 0x07, 0x1f, + 0x87, 0x9e, 0xae, 0x27, 0x1d, 0xd5, 0x02, 0x81, 0xc0, 0x56, + 0x17, 0x4f, 0x9a, 0x8a, 0xf9, 0xde, 0x3e, 0xe6, 0x71, 0x7d, + 0x94, 0xb5, 0xb0, 0xc7, 0xb8, 0x62, 0x12, 0xd1, 0x70, 0xb4, + 0x00, 0xf8, 0x4a, 0xdd, 0x4f, 0x1d, 0x36, 0xc2, 0xe1, 0xef, + 0xee, 0x25, 0x6a, 0x00, 0xc4, 0x46, 0xdf, 0xbe, 0xce, 0x77, + 0x56, 0x93, 0x6d, 0x25, 0x5f, 0xfe, 0x5b, 0xfb, 0xe0, 0xe2, + 0x37, 0xcc, 0xb9, 0xac, 0x4a, 0xce, 0x15, 0x16, 0xa0, 0xc7, + 0x33, 0x63, 0xa4, 0xaa, 0xa5, 0x1e, 0x43, 0xc1, 0xda, 0x43, + 0xfa, 0x43, 0x40, 0x29, 0x95, 0x7c, 0x2b, 0x36, 0x53, 0xe7, + 0x7d, 0x09, 0x4d, 0xd8, 0x52, 0xac, 0x74, 0x5f, 0x08, 0x81, + 0x21, 0x5c, 0x3a, 0x5a, 0xce, 0xf3, 0x25, 0xb6, 0x1e, 0x21, + 0x76, 0x4c, 0x7c, 0x71, 0x50, 0x71, 0xaa, 0x27, 0x02, 0x5b, + 0x23, 0x06, 0x0b, 0x21, 0x5b, 0xc7, 0x28, 0xa3, 0x3d, 0x8d, + 0x25, 0x9b, 0x2a, 0x2d, 0x9d, 0xa1, 0x1c, 0x1d, 0xcb, 0x7d, + 0x78, 0xf8, 0x06, 0x7e, 0x20, 0x7f, 0x24, 0x2a, 0x5c, 0xa4, + 0x04, 0xff, 0x2a, 0x68, 0xe0, 0xe6, 0xa3, 0xd8, 0x6f, 0x56, + 0x73, 0xa1, 0x3a, 0x4e, 0xc9, 0x23, 0xa1, 0x87, 0x22, 0x6a, + 0x74, 0x78, 0x3f, 0x44, 0x1c, 0x77, 0x13, 0xe5, 0x51, 0xef, + 0x89, 0x00, 0x3c, 0x6a, 0x4a, 0x5a, 0x8e, 0xf5, 0x30, 0xa2, + 0x93, 0x7e, 0x92, 0x9b, 0x85, 0x55, 0xaf, 0xfe, 0x24, 0xaf, + 0x57, 0x02, 0x81, 0xc1, 0x00, 0xa4, 0xc2, 0x6a, 0x59, 0x45, + 0xea, 0x71, 0x7d, 0x4c, 0xaf, 0xaf, 0xd6, 0x55, 0x97, 0x73, + 0xc5, 0xa1, 0x3c, 0xf6, 0x59, 0x23, 0xb6, 0x1f, 0x5e, 0x9c, + 0x96, 0x0f, 0x97, 0x66, 0x82, 0x91, 0x48, 0x36, 0x70, 0x02, + 0x67, 0xde, 0x34, 0xa6, 0x95, 0x7b, 0x51, 0x43, 0x66, 0xa4, + 0x16, 0x45, 0x59, 0x12, 0xdb, 0x35, 0x19, 0x4b, 0xbf, 0x1d, + 0xab, 0xf3, 0x3f, 0xb4, 0xb4, 0x6f, 0x66, 0xb0, 0x67, 0xc6, + 0x77, 0x2c, 0x46, 0xa8, 0x03, 0x64, 0x9a, 0x13, 0x9d, 0x40, + 0x22, 0x56, 0x76, 0x1a, 0x7c, 0x1e, 0xe2, 0xda, 0x7f, 0x09, + 0xcf, 0x10, 0xe3, 0xf2, 0xf4, 0x2a, 0x3b, 0x46, 0xc7, 0x61, + 0x9b, 0xef, 0x4a, 0x18, 0x60, 0x8c, 0x32, 0x71, 0xb9, 0xdd, + 0xac, 0xa0, 0xc6, 0x8d, 0x3f, 0xab, 0xc3, 0x21, 0x2c, 0xeb, + 0x91, 0x8f, 0xc7, 0x43, 0x0d, 0x0c, 0x67, 0x9e, 0xab, 0xe6, + 0x8d, 0xb6, 0x2d, 0x41, 0xca, 0x43, 0xd8, 0xcb, 0x30, 0xfb, + 0x3b, 0x40, 0x0d, 0x10, 0x9b, 0xb1, 0x55, 0x93, 0x73, 0x8b, + 0x60, 0xef, 0xc0, 0xee, 0xc0, 0xa6, 0x7a, 0x79, 0x90, 0xfd, + 0x4c, 0x25, 0xd4, 0x4f, 0x67, 0xbe, 0xf7, 0x86, 0x3c, 0x5d, + 0x2b, 0x7d, 0x97, 0x3d, 0xa2, 0x91, 0xa5, 0x06, 0x69, 0xf6, + 0x7a, 0xb8, 0x77, 0xe6, 0x70, 0xa9, 0xd8, 0x86, 0x4b, 0xa6, + 0xcf, 0x67, 0x1d, 0x33, 0xcf, 0xfe, 0x3e +}; + +static unsigned char test4096[] = { + 0x30, 0x82, 0x09, 0x29, 0x02, 0x01, 0x00, 0x02, 0x82, 0x02, + 0x01, 0x00, 0xc0, 0x71, 0xac, 0x1a, 0x13, 0x88, 0x82, 0x43, + 0x3b, 0x51, 0x57, 0x71, 0x8d, 0xb6, 0x2b, 0x82, 0x65, 0x21, + 0x53, 0x5f, 0x28, 0x29, 0x4f, 0x8d, 0x7c, 0x8a, 0xb9, 0x44, + 0xb3, 0x28, 0x41, 0x4f, 0xd3, 0xfa, 0x6a, 0xf8, 0xb9, 0x28, + 0x50, 0x39, 0x67, 0x53, 0x2c, 0x3c, 0xd7, 0xcb, 0x96, 0x41, + 0x40, 0x32, 0xbb, 0xeb, 0x70, 0xae, 0x1f, 0xb0, 0x65, 0xf7, + 0x3a, 0xd9, 0x22, 0xfd, 0x10, 0xae, 0xbd, 0x02, 0xe2, 0xdd, + 0xf3, 0xc2, 0x79, 0x3c, 0xc6, 0xfc, 0x75, 0xbb, 0xaf, 0x4e, + 0x3a, 0x36, 0xc2, 0x4f, 0xea, 0x25, 0xdf, 0x13, 0x16, 0x4b, + 0x20, 0xfe, 0x4b, 0x69, 0x16, 0xc4, 0x7f, 0x1a, 0x43, 0xa6, + 0x17, 0x1b, 0xb9, 0x0a, 0xf3, 0x09, 0x86, 0x28, 0x89, 0xcf, + 0x2c, 0xd0, 0xd4, 0x81, 0xaf, 0xc6, 0x6d, 0xe6, 0x21, 0x8d, + 0xee, 0xef, 0xea, 0xdc, 0xb7, 0xc6, 0x3b, 0x63, 0x9f, 0x0e, + 0xad, 0x89, 0x78, 0x23, 0x18, 0xbf, 0x70, 0x7e, 0x84, 0xe0, + 0x37, 0xec, 0xdb, 0x8e, 0x9c, 0x3e, 0x6a, 0x19, 0xcc, 0x99, + 0x72, 0xe6, 0xb5, 0x7d, 0x6d, 0xfa, 0xe5, 0xd3, 0xe4, 0x90, + 0xb5, 0xb2, 0xb2, 0x12, 0x70, 0x4e, 0xca, 0xf8, 0x10, 0xf8, + 0xa3, 0x14, 0xc2, 0x48, 0x19, 0xeb, 0x60, 0x99, 0xbb, 0x2a, + 0x1f, 0xb1, 0x7a, 0xb1, 0x3d, 0x24, 0xfb, 0xa0, 0x29, 0xda, + 0xbd, 0x1b, 0xd7, 0xa4, 0xbf, 0xef, 0x60, 0x2d, 0x22, 0xca, + 0x65, 0x98, 0xf1, 0xc4, 0xe1, 0xc9, 0x02, 0x6b, 0x16, 0x28, + 0x2f, 0xa1, 0xaa, 0x79, 0x00, 0xda, 0xdc, 0x7c, 0x43, 0xf7, + 0x42, 0x3c, 0xa0, 0xef, 0x68, 0xf7, 0xdf, 0xb9, 0x69, 0xfb, + 0x8e, 0x01, 0xed, 0x01, 0x42, 0xb5, 0x4e, 0x57, 0xa6, 0x26, + 0xb8, 0xd0, 0x7b, 0x56, 0x6d, 0x03, 0xc6, 0x40, 0x8c, 0x8c, + 0x2a, 0x55, 0xd7, 0x9c, 0x35, 0x00, 0x94, 0x93, 0xec, 0x03, + 0xeb, 0x22, 0xef, 0x77, 0xbb, 0x79, 0x13, 0x3f, 0x15, 0xa1, + 0x8f, 0xca, 0xdf, 0xfd, 0xd3, 0xb8, 0xe1, 0xd4, 0xcc, 0x09, + 0x3f, 0x3c, 0x2c, 0xdb, 0xd1, 0x49, 0x7f, 0x38, 0x07, 0x83, + 0x6d, 0xeb, 0x08, 0x66, 0xe9, 0x06, 0x44, 0x12, 0xac, 0x95, + 0x22, 0x90, 0x23, 0x67, 0xd4, 0x08, 0xcc, 0xf4, 0xb7, 0xdc, + 0xcc, 0x87, 0xd4, 0xac, 0x69, 0x35, 0x4c, 0xb5, 0x39, 0x36, + 0xcd, 0xa4, 0xd2, 0x95, 0xca, 0x0d, 0xc5, 0xda, 0xc2, 0xc5, + 0x22, 0x32, 0x28, 0x08, 0xe3, 0xd2, 0x8b, 0x38, 0x30, 0xdc, + 0x8c, 0x75, 0x4f, 0x6a, 0xec, 0x7a, 0xac, 0x16, 0x3e, 0xa8, + 0xd4, 0x6a, 0x45, 0xe1, 0xa8, 0x4f, 0x2e, 0x80, 0x34, 0xaa, + 0x54, 0x1b, 0x02, 0x95, 0x7d, 0x8a, 0x6d, 0xcc, 0x79, 0xca, + 0xf2, 0xa4, 0x2e, 0x8d, 0xfb, 0xfe, 0x15, 0x51, 0x10, 0x0e, + 0x4d, 0x88, 0xb1, 0xc7, 0xf4, 0x79, 0xdb, 0xf0, 0xb4, 0x56, + 0x44, 0x37, 0xca, 0x5a, 0xc1, 0x8c, 0x48, 0xac, 0xae, 0x48, + 0x80, 0x83, 0x01, 0x3f, 0xde, 0xd9, 0xd3, 0x2c, 0x51, 0x46, + 0xb1, 0x41, 0xb6, 0xc6, 0x91, 0x72, 0xf9, 0x83, 0x55, 0x1b, + 0x8c, 0xba, 0xf3, 0x73, 0xe5, 0x2c, 0x74, 0x50, 0x3a, 0xbe, + 0xc5, 0x2f, 0xa7, 0xb2, 0x6d, 0x8c, 0x9e, 0x13, 0x77, 0xa3, + 0x13, 0xcd, 0x6d, 0x8c, 0x45, 0xe1, 0xfc, 0x0b, 0xb7, 0x69, + 0xe9, 0x27, 0xbc, 0x65, 0xc3, 0xfa, 0x9b, 0xd0, 0xef, 0xfe, + 0xe8, 0x1f, 0xb3, 0x5e, 0x34, 0xf4, 0x8c, 0xea, 0xfc, 0xd3, + 0x81, 0xbf, 0x3d, 0x30, 0xb2, 0xb4, 0x01, 0xe8, 0x43, 0x0f, + 0xba, 0x02, 0x23, 0x42, 0x76, 0x82, 0x31, 0x73, 0x91, 0xed, + 0x07, 0x46, 0x61, 0x0d, 0x39, 0x83, 0x40, 0xce, 0x7a, 0xd4, + 0xdb, 0x80, 0x2c, 0x1f, 0x0d, 0xd1, 0x34, 0xd4, 0x92, 0xe3, + 0xd4, 0xf1, 0xc2, 0x01, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, + 0x82, 0x02, 0x01, 0x00, 0x97, 0x6c, 0xda, 0x6e, 0xea, 0x4f, + 0xcf, 0xaf, 0xf7, 0x4c, 0xd9, 0xf1, 0x90, 0x00, 0x77, 0xdb, + 0xf2, 0x97, 0x76, 0x72, 0xb9, 0xb7, 0x47, 0xd1, 0x9c, 0xdd, + 0xcb, 0x4a, 0x33, 0x6e, 0xc9, 0x75, 0x76, 0xe6, 0xe4, 0xa5, + 0x31, 0x8c, 0x77, 0x13, 0xb4, 0x29, 0xcd, 0xf5, 0x52, 0x17, + 0xef, 0xf3, 0x08, 0x00, 0xe3, 0xbd, 0x2e, 0xbc, 0xd4, 0x52, + 0x88, 0xe9, 0x30, 0x75, 0x0b, 0x02, 0xf5, 0xcd, 0x89, 0x0c, + 0x6c, 0x57, 0x19, 0x27, 0x3d, 0x1e, 0x85, 0xb4, 0xc1, 0x2f, + 0x1d, 0x92, 0x00, 0x5c, 0x76, 0x29, 0x4b, 0xa4, 0xe1, 0x12, + 0xb3, 0xc8, 0x09, 0xfe, 0x0e, 0x78, 0x72, 0x61, 0xcb, 0x61, + 0x6f, 0x39, 0x91, 0x95, 0x4e, 0xd5, 0x3e, 0xc7, 0x8f, 0xb8, + 0xf6, 0x36, 0xfe, 0x9c, 0x93, 0x9a, 0x38, 0x25, 0x7a, 0xf4, + 0x4a, 0x12, 0xd4, 0xa0, 0x13, 0xbd, 0xf9, 0x1d, 0x12, 0x3e, + 0x21, 0x39, 0xfb, 0x72, 0xe0, 0x05, 0x3d, 0xc3, 0xe5, 0x50, + 0xa8, 0x5d, 0x85, 0xa3, 0xea, 0x5f, 0x1c, 0xb2, 0x3f, 0xea, + 0x6d, 0x03, 0x91, 0x55, 0xd8, 0x19, 0x0a, 0x21, 0x12, 0x16, + 0xd9, 0x12, 0xc4, 0xe6, 0x07, 0x18, 0x5b, 0x26, 0xa4, 0xae, + 0xed, 0x2b, 0xb7, 0xa6, 0xed, 0xf8, 0xad, 0xec, 0x77, 0xe6, + 0x7f, 0x4f, 0x76, 0x00, 0xc0, 0xfa, 0x15, 0x92, 0xb4, 0x2c, + 0x22, 0xc2, 0xeb, 0x6a, 0xad, 0x14, 0x05, 0xb2, 0xe5, 0x8a, + 0x9e, 0x85, 0x83, 0xcc, 0x04, 0xf1, 0x56, 0x78, 0x44, 0x5e, + 0xde, 0xe0, 0x60, 0x1a, 0x65, 0x79, 0x31, 0x23, 0x05, 0xbb, + 0x01, 0xff, 0xdd, 0x2e, 0xb7, 0xb3, 0xaa, 0x74, 0xe0, 0xa5, + 0x94, 0xaf, 0x4b, 0xde, 0x58, 0x0f, 0x55, 0xde, 0x33, 0xf6, + 0xe3, 0xd6, 0x34, 0x36, 0x57, 0xd6, 0x79, 0x91, 0x2e, 0xbe, + 0x3b, 0xd9, 0x4e, 0xb6, 0x9d, 0x21, 0x5c, 0xd3, 0x48, 0x14, + 0x7f, 0x4a, 0xc4, 0x60, 0xa9, 0x29, 0xf8, 0x53, 0x7f, 0x88, + 0x11, 0x2d, 0xb5, 0xc5, 0x2d, 0x6f, 0xee, 0x85, 0x0b, 0xf7, + 0x8d, 0x9a, 0xbe, 0xb0, 0x42, 0xf2, 0x2e, 0x71, 0xaf, 0x19, + 0x31, 0x6d, 0xec, 0xcd, 0x6f, 0x2b, 0x23, 0xdf, 0xb4, 0x40, + 0xaf, 0x2c, 0x0a, 0xc3, 0x1b, 0x7d, 0x7d, 0x03, 0x1d, 0x4b, + 0xf3, 0xb5, 0xe0, 0x85, 0xd8, 0xdf, 0x91, 0x6b, 0x0a, 0x69, + 0xf7, 0xf2, 0x69, 0x66, 0x5b, 0xf1, 0xcf, 0x46, 0x7d, 0xe9, + 0x70, 0xfa, 0x6d, 0x7e, 0x75, 0x4e, 0xa9, 0x77, 0xe6, 0x8c, + 0x02, 0xf7, 0x14, 0x4d, 0xa5, 0x41, 0x8f, 0x3f, 0xc1, 0x62, + 0x1e, 0x71, 0x5e, 0x38, 0xb4, 0xd6, 0xe6, 0xe1, 0x4b, 0xc2, + 0x2c, 0x30, 0x83, 0x81, 0x6f, 0x49, 0x2e, 0x96, 0xe6, 0xc9, + 0x9a, 0xf7, 0x5d, 0x09, 0xa0, 0x55, 0x02, 0xa5, 0x3a, 0x25, + 0x23, 0xd0, 0x92, 0xc3, 0xa3, 0xe3, 0x0e, 0x12, 0x2f, 0x4d, + 0xef, 0xf3, 0x55, 0x5a, 0xbe, 0xe6, 0x19, 0x86, 0x31, 0xab, + 0x75, 0x9a, 0xd3, 0xf0, 0x2c, 0xc5, 0x41, 0x92, 0xd9, 0x1f, + 0x5f, 0x11, 0x8c, 0x75, 0x1c, 0x63, 0xd0, 0x02, 0x80, 0x2c, + 0x68, 0xcb, 0x93, 0xfb, 0x51, 0x73, 0x49, 0xb4, 0x60, 0xda, + 0xe2, 0x26, 0xaf, 0xa9, 0x46, 0x12, 0xb8, 0xec, 0x50, 0xdd, + 0x12, 0x06, 0x5f, 0xce, 0x59, 0xe6, 0xf6, 0x1c, 0xe0, 0x54, + 0x10, 0xad, 0xf6, 0xcd, 0x98, 0xcc, 0x0f, 0xfb, 0xcb, 0x41, + 0x14, 0x9d, 0xed, 0xe4, 0xb4, 0x74, 0x5f, 0x09, 0x60, 0xc7, + 0x12, 0xf6, 0x7b, 0x3c, 0x8f, 0xa7, 0x20, 0xbc, 0xe4, 0xb1, + 0xef, 0xeb, 0xa4, 0x93, 0xc5, 0x06, 0xca, 0x9a, 0x27, 0x9d, + 0x87, 0xf3, 0xde, 0xca, 0xe5, 0xe7, 0xf6, 0x1c, 0x01, 0x65, + 0x5b, 0xfb, 0x19, 0x79, 0x6e, 0x08, 0x26, 0xc5, 0xc8, 0x28, + 0x0e, 0xb6, 0x3b, 0x07, 0x08, 0xc1, 0x02, 0x82, 0x01, 0x01, + 0x00, 0xe8, 0x1c, 0x73, 0xa6, 0xb8, 0xe0, 0x0e, 0x6d, 0x8d, + 0x1b, 0xb9, 0x53, 0xed, 0x58, 0x94, 0xe6, 0x1d, 0x60, 0x14, + 0x5c, 0x76, 0x43, 0xc4, 0x58, 0x19, 0xc4, 0x24, 0xe8, 0xbc, + 0x1b, 0x3b, 0x0b, 0x13, 0x24, 0x45, 0x54, 0x0e, 0xcc, 0x37, + 0xf0, 0xe0, 0x63, 0x7d, 0xc3, 0xf7, 0xfb, 0x81, 0x74, 0x81, + 0xc4, 0x0f, 0x1a, 0x21, 0x48, 0xaf, 0xce, 0xc1, 0xc4, 0x94, + 0x18, 0x06, 0x44, 0x8d, 0xd3, 0xd2, 0x22, 0x2d, 0x2d, 0x3e, + 0x5a, 0x31, 0xdc, 0x95, 0x8e, 0xf4, 0x41, 0xfc, 0x58, 0xc9, + 0x40, 0x92, 0x17, 0x5f, 0xe3, 0xda, 0xac, 0x9e, 0x3f, 0x1c, + 0x2a, 0x6b, 0x58, 0x5f, 0x48, 0x78, 0x20, 0xb1, 0xaf, 0x24, + 0x9b, 0x3c, 0x20, 0x8b, 0x93, 0x25, 0x9e, 0xe6, 0x6b, 0xbc, + 0x13, 0x42, 0x14, 0x6c, 0x36, 0x31, 0xff, 0x7a, 0xd1, 0xc1, + 0x1a, 0x26, 0x14, 0x7f, 0xa9, 0x76, 0xa7, 0x0c, 0xf8, 0xcc, + 0xed, 0x07, 0x6a, 0xd2, 0xdf, 0x62, 0xee, 0x0a, 0x7c, 0x84, + 0xcb, 0x49, 0x90, 0xb2, 0x03, 0x0d, 0xa2, 0x82, 0x06, 0x77, + 0xf1, 0xcd, 0x67, 0xf2, 0x47, 0x21, 0x02, 0x3f, 0x43, 0x21, + 0xf0, 0x46, 0x30, 0x62, 0x51, 0x72, 0xb1, 0xe7, 0x48, 0xc6, + 0x67, 0x12, 0xcd, 0x9e, 0xd6, 0x15, 0xe5, 0x21, 0xed, 0xfa, + 0x8f, 0x30, 0xa6, 0x41, 0xfe, 0xb6, 0xfa, 0x8f, 0x34, 0x14, + 0x19, 0xe8, 0x11, 0xf7, 0xa5, 0x77, 0x3e, 0xb7, 0xf9, 0x39, + 0x07, 0x8c, 0x67, 0x2a, 0xab, 0x7b, 0x08, 0xf8, 0xb0, 0x06, + 0xa8, 0xea, 0x2f, 0x8f, 0xfa, 0xcc, 0xcc, 0x40, 0xce, 0xf3, + 0x70, 0x4f, 0x3f, 0x7f, 0xe2, 0x0c, 0xea, 0x76, 0x4a, 0x35, + 0x4e, 0x47, 0xad, 0x2b, 0xa7, 0x97, 0x5d, 0x74, 0x43, 0x97, + 0x90, 0xd2, 0xfb, 0xd9, 0xf9, 0x96, 0x01, 0x33, 0x05, 0xed, + 0x7b, 0x03, 0x05, 0xad, 0xf8, 0x49, 0x03, 0x02, 0x82, 0x01, + 0x01, 0x00, 0xd4, 0x40, 0x17, 0x66, 0x10, 0x92, 0x95, 0xc8, + 0xec, 0x62, 0xa9, 0x7a, 0xcb, 0x93, 0x8e, 0xe6, 0x53, 0xd4, + 0x80, 0x48, 0x27, 0x4b, 0x41, 0xce, 0x61, 0xdf, 0xbf, 0x94, + 0xa4, 0x3d, 0x71, 0x03, 0x0b, 0xed, 0x25, 0x71, 0x98, 0xa4, + 0xd6, 0xd5, 0x4a, 0x57, 0xf5, 0x6c, 0x1b, 0xda, 0x21, 0x7d, + 0x35, 0x45, 0xb3, 0xf3, 0x6a, 0xd9, 0xd3, 0x43, 0xe8, 0x5c, + 0x54, 0x1c, 0x83, 0x1b, 0xb4, 0x5f, 0xf2, 0x97, 0x24, 0x2e, + 0xdc, 0x40, 0xde, 0x92, 0x23, 0x59, 0x8e, 0xbc, 0xd2, 0xa1, + 0xf2, 0xe0, 0x4c, 0xdd, 0x0b, 0xd1, 0xe7, 0xae, 0x65, 0xbc, + 0xb5, 0xf5, 0x5b, 0x98, 0xe9, 0xd7, 0xc2, 0xb7, 0x0e, 0x55, + 0x71, 0x0e, 0x3c, 0x0a, 0x24, 0x6b, 0xa6, 0xe6, 0x14, 0x61, + 0x11, 0xfd, 0x33, 0x42, 0x99, 0x2b, 0x84, 0x77, 0x74, 0x92, + 0x91, 0xf5, 0x79, 0x79, 0xcf, 0xad, 0x8e, 0x04, 0xef, 0x80, + 0x1e, 0x57, 0xf4, 0x14, 0xf5, 0x35, 0x09, 0x74, 0xb2, 0x13, + 0x71, 0x58, 0x6b, 0xea, 0x32, 0x5d, 0xf3, 0xd3, 0x76, 0x48, + 0x39, 0x10, 0x23, 0x84, 0x9d, 0xbe, 0x92, 0x77, 0x4a, 0xed, + 0x70, 0x3e, 0x1a, 0xa2, 0x6c, 0xb3, 0x81, 0x00, 0xc3, 0xc9, + 0xe4, 0x52, 0xc8, 0x24, 0x88, 0x0c, 0x41, 0xad, 0x87, 0x5a, + 0xea, 0xa3, 0x7a, 0x85, 0x1c, 0x5e, 0x31, 0x7f, 0xc3, 0x35, + 0xc6, 0xfa, 0x10, 0xc8, 0x75, 0x10, 0xc4, 0x96, 0x99, 0xe7, + 0xfe, 0x01, 0xb4, 0x74, 0xdb, 0xb4, 0x11, 0xc3, 0xc8, 0x8c, + 0xf6, 0xf7, 0x3b, 0x66, 0x50, 0xfc, 0xdb, 0xeb, 0xca, 0x47, + 0x85, 0x89, 0xe1, 0x65, 0xd9, 0x62, 0x34, 0x3c, 0x70, 0xd8, + 0x2e, 0xb4, 0x2f, 0x65, 0x3c, 0x4a, 0xa6, 0x2a, 0xe7, 0xc7, + 0xd8, 0x41, 0x8f, 0x8a, 0x43, 0xbf, 0x42, 0xf2, 0x4d, 0xbc, + 0xfc, 0x9e, 0x27, 0x95, 0xfb, 0x75, 0xff, 0xab, 0x02, 0x82, + 0x01, 0x00, 0x41, 0x2f, 0x44, 0x57, 0x6d, 0x12, 0x17, 0x5b, + 0x32, 0xc6, 0xb7, 0x6c, 0x57, 0x7a, 0x8a, 0x0e, 0x79, 0xef, + 0x72, 0xa8, 0x68, 0xda, 0x2d, 0x38, 0xe4, 0xbb, 0x8d, 0xf6, + 0x02, 0x65, 0xcf, 0x56, 0x13, 0xe1, 0x1a, 0xcb, 0x39, 0x80, + 0xa6, 0xb1, 0x32, 0x03, 0x1e, 0xdd, 0xbb, 0x35, 0xd9, 0xac, + 0x43, 0x89, 0x31, 0x08, 0x90, 0x92, 0x5e, 0x35, 0x3d, 0x7b, + 0x9c, 0x6f, 0x86, 0xcb, 0x17, 0xdd, 0x85, 0xe4, 0xed, 0x35, + 0x08, 0x8e, 0xc1, 0xf4, 0x05, 0xd8, 0x68, 0xc6, 0x63, 0x3c, + 0xf7, 0xff, 0xf7, 0x47, 0x33, 0x39, 0xc5, 0x3e, 0xb7, 0x0e, + 0x58, 0x35, 0x9d, 0x81, 0xea, 0xf8, 0x6a, 0x2c, 0x1c, 0x5a, + 0x68, 0x78, 0x64, 0x11, 0x6b, 0xc1, 0x3e, 0x4e, 0x7a, 0xbd, + 0x84, 0xcb, 0x0f, 0xc2, 0xb6, 0x85, 0x1d, 0xd3, 0x76, 0xc5, + 0x93, 0x6a, 0x69, 0x89, 0x56, 0x34, 0xdc, 0x4a, 0x9b, 0xbc, + 0xff, 0xa8, 0x0d, 0x6e, 0x35, 0x9c, 0x60, 0xa7, 0x23, 0x30, + 0xc7, 0x06, 0x64, 0x39, 0x8b, 0x94, 0x89, 0xee, 0xba, 0x7f, + 0x60, 0x8d, 0xfa, 0xb6, 0x97, 0x76, 0xdc, 0x51, 0x4a, 0x3c, + 0xeb, 0x3a, 0x14, 0x2c, 0x20, 0x60, 0x69, 0x4a, 0x86, 0xfe, + 0x8c, 0x21, 0x84, 0x49, 0x54, 0xb3, 0x20, 0xe1, 0x01, 0x7f, + 0x58, 0xdf, 0x7f, 0xb5, 0x21, 0x51, 0x8c, 0x47, 0x9f, 0x91, + 0xeb, 0x97, 0x3e, 0xf2, 0x54, 0xcf, 0x16, 0x46, 0xf9, 0xd9, + 0xb6, 0xe7, 0x64, 0xc9, 0xd0, 0x54, 0xea, 0x2f, 0xa1, 0xcf, + 0xa5, 0x7f, 0x28, 0x8d, 0x84, 0xec, 0xd5, 0x39, 0x03, 0x76, + 0x5b, 0x2d, 0x8e, 0x43, 0xf2, 0x01, 0x24, 0xc9, 0x6f, 0xc0, + 0xf5, 0x69, 0x6f, 0x7d, 0xb5, 0x85, 0xd2, 0x5f, 0x7f, 0x78, + 0x40, 0x07, 0x7f, 0x09, 0x15, 0xb5, 0x1f, 0x28, 0x65, 0x10, + 0xe4, 0x19, 0xa8, 0xc6, 0x9e, 0x8d, 0xdc, 0xcb, 0x02, 0x82, + 0x01, 0x00, 0x13, 0x01, 0xee, 0x56, 0x80, 0x93, 0x70, 0x00, + 0x7f, 0x52, 0xd2, 0x94, 0xa1, 0x98, 0x84, 0x4a, 0x92, 0x25, + 0x4c, 0x9b, 0xa9, 0x91, 0x2e, 0xc2, 0x79, 0xb7, 0x5c, 0xe3, + 0xc5, 0xd5, 0x8e, 0xc2, 0x54, 0x16, 0x17, 0xad, 0x55, 0x9b, + 0x25, 0x76, 0x12, 0x63, 0x50, 0x22, 0x2f, 0x58, 0x58, 0x79, + 0x6b, 0x04, 0xe3, 0xf9, 0x9f, 0x8f, 0x04, 0x41, 0x67, 0x94, + 0xa5, 0x1f, 0xac, 0x8a, 0x15, 0x9c, 0x26, 0x10, 0x6c, 0xf8, + 0x19, 0x57, 0x61, 0xd7, 0x3a, 0x7d, 0x31, 0xb0, 0x2d, 0x38, + 0xbd, 0x94, 0x62, 0xad, 0xc4, 0xfa, 0x36, 0x42, 0x42, 0xf0, + 0x24, 0x67, 0x65, 0x9d, 0x8b, 0x0b, 0x7c, 0x6f, 0x82, 0x44, + 0x1a, 0x8c, 0xc8, 0xc9, 0xab, 0xbb, 0x4c, 0x45, 0xfc, 0x7b, + 0x38, 0xee, 0x30, 0xe1, 0xfc, 0xef, 0x8d, 0xbc, 0x58, 0xdf, + 0x2b, 0x5d, 0x0d, 0x54, 0xe0, 0x49, 0x4d, 0x97, 0x99, 0x8f, + 0x22, 0xa8, 0x83, 0xbe, 0x40, 0xbb, 0x50, 0x2e, 0x78, 0x28, + 0x0f, 0x95, 0x78, 0x8c, 0x8f, 0x98, 0x24, 0x56, 0xc2, 0x97, + 0xf3, 0x2c, 0x43, 0xd2, 0x03, 0x82, 0x66, 0x81, 0x72, 0x5f, + 0x53, 0x16, 0xec, 0xb1, 0xb1, 0x04, 0x5e, 0x40, 0x20, 0x48, + 0x7b, 0x3f, 0x02, 0x97, 0x6a, 0xeb, 0x96, 0x12, 0x21, 0x35, + 0xfe, 0x1f, 0x47, 0xc0, 0x95, 0xea, 0xc5, 0x8a, 0x08, 0x84, + 0x4f, 0x5e, 0x63, 0x94, 0x60, 0x0f, 0x71, 0x5b, 0x7f, 0x4a, + 0xec, 0x4f, 0x60, 0xc6, 0xba, 0x4a, 0x24, 0xf1, 0x20, 0x8b, + 0xa7, 0x2e, 0x3a, 0xce, 0x8d, 0xe0, 0x27, 0x1d, 0xb5, 0x8e, + 0xb4, 0x21, 0xc5, 0xe2, 0xa6, 0x16, 0x0a, 0x51, 0x83, 0x55, + 0x88, 0xd1, 0x30, 0x11, 0x63, 0xd5, 0xd7, 0x8d, 0xae, 0x16, + 0x12, 0x82, 0xc4, 0x85, 0x00, 0x4e, 0x27, 0x83, 0xa5, 0x7c, + 0x90, 0x2e, 0xe5, 0xa2, 0xa3, 0xd3, 0x4c, 0x63, 0x02, 0x82, + 0x01, 0x01, 0x00, 0x86, 0x08, 0x98, 0x98, 0xa5, 0x00, 0x05, + 0x39, 0x77, 0xd9, 0x66, 0xb3, 0xcf, 0xca, 0xa0, 0x71, 0xb3, + 0x50, 0xce, 0x3d, 0xb1, 0x93, 0x95, 0x35, 0xc4, 0xd4, 0x2e, + 0x90, 0xdf, 0x0f, 0xfc, 0x60, 0xc1, 0x94, 0x68, 0x61, 0x43, + 0xca, 0x9a, 0x23, 0x4a, 0x1e, 0x45, 0x72, 0x99, 0xb5, 0x1e, + 0x61, 0x8d, 0x77, 0x0f, 0xa0, 0xbb, 0xd7, 0x77, 0xb4, 0x2a, + 0x15, 0x11, 0x88, 0x2d, 0xb3, 0x56, 0x61, 0x5e, 0x6a, 0xed, + 0xa4, 0x46, 0x4a, 0x3f, 0x50, 0x11, 0xd6, 0xba, 0xb6, 0xd7, + 0x95, 0x65, 0x53, 0xc3, 0xa1, 0x8f, 0xe0, 0xa3, 0xf5, 0x1c, + 0xfd, 0xaf, 0x6e, 0x43, 0xd7, 0x17, 0xa7, 0xd3, 0x81, 0x1b, + 0xa4, 0xdf, 0xe0, 0x97, 0x8a, 0x46, 0x03, 0xd3, 0x46, 0x0e, + 0x83, 0x48, 0x4e, 0xd2, 0x02, 0xcb, 0xc0, 0xad, 0x79, 0x95, + 0x8c, 0x96, 0xba, 0x40, 0x34, 0x11, 0x71, 0x5e, 0xe9, 0x11, + 0xf9, 0xc5, 0x4a, 0x5e, 0x91, 0x9d, 0xf5, 0x92, 0x4f, 0xeb, + 0xc6, 0x70, 0x02, 0x2d, 0x3d, 0x04, 0xaa, 0xe9, 0x3a, 0x8e, + 0xd5, 0xa8, 0xad, 0xf7, 0xce, 0x0d, 0x16, 0xb2, 0xec, 0x0a, + 0x9c, 0xf5, 0x94, 0x39, 0xb9, 0x8a, 0xfc, 0x1e, 0xf9, 0xcc, + 0xf2, 0x5f, 0x21, 0x31, 0x74, 0x72, 0x6b, 0x64, 0xae, 0x35, + 0x61, 0x8d, 0x0d, 0xcb, 0xe7, 0xda, 0x39, 0xca, 0xf3, 0x21, + 0x66, 0x0b, 0x95, 0xd7, 0x0a, 0x7c, 0xca, 0xa1, 0xa9, 0x5a, + 0xe8, 0xac, 0xe0, 0x71, 0x54, 0xaf, 0x28, 0xcf, 0xd5, 0x70, + 0x89, 0xe0, 0xf3, 0x9e, 0x43, 0x6c, 0x8d, 0x7b, 0x99, 0x01, + 0x68, 0x4d, 0xa1, 0x45, 0x46, 0x0c, 0x43, 0xbc, 0xcc, 0x2c, + 0xdd, 0xc5, 0x46, 0xc8, 0x4e, 0x0e, 0xbe, 0xed, 0xb9, 0x26, + 0xab, 0x2e, 0xdb, 0xeb, 0x8f, 0xff, 0xdb, 0xb0, 0xc6, 0x55, + 0xaf, 0xf8, 0x2a, 0x91, 0x9d, 0x50, 0x44, 0x21, 0x17, +}; + +static unsigned char test7680[] = { + 0x30, 0x82, 0x11, 0x09, 0x02, 0x01, 0x00, 0x02, 0x82, 0x03, + 0xc1, 0x00, 0xe3, 0x27, 0x46, 0x99, 0xb5, 0x17, 0xab, 0xfa, + 0x65, 0x05, 0x7a, 0x06, 0x81, 0x14, 0xce, 0x43, 0x21, 0x49, + 0x0f, 0x08, 0xf1, 0x70, 0xb4, 0xc1, 0x10, 0xd1, 0x87, 0xf8, + 0x29, 0x91, 0x36, 0x66, 0x2d, 0xbe, 0x7b, 0x1d, 0xa2, 0x0b, + 0x20, 0x38, 0xd9, 0x8e, 0x78, 0x27, 0xcf, 0xb5, 0x45, 0x58, + 0x3d, 0xf4, 0xda, 0xf0, 0xdc, 0x21, 0x17, 0x52, 0xcd, 0x68, + 0xe2, 0x81, 0xac, 0x88, 0x61, 0x10, 0xbc, 0xb0, 0x7f, 0xe4, + 0xf3, 0x78, 0xb7, 0x28, 0x6c, 0x5f, 0x5c, 0xc2, 0x8d, 0x3d, + 0xb0, 0x87, 0x41, 0x15, 0x2e, 0x09, 0x5f, 0xea, 0x06, 0x7f, + 0xe9, 0x35, 0x18, 0x90, 0x50, 0xad, 0xf6, 0xb9, 0xfd, 0x33, + 0x02, 0x1a, 0x99, 0x9e, 0xa5, 0x7d, 0x2c, 0x3b, 0x24, 0xe7, + 0x31, 0x35, 0x73, 0x9a, 0xb0, 0xfe, 0x03, 0xfc, 0xc6, 0x98, + 0x78, 0xd9, 0x66, 0x95, 0xa5, 0x12, 0xbc, 0x1e, 0x82, 0xbc, + 0xf1, 0xc5, 0x31, 0xcd, 0xa6, 0xb1, 0x0c, 0x02, 0xbf, 0x7f, + 0xb7, 0xaf, 0x5f, 0xd6, 0xed, 0xf7, 0xc1, 0x59, 0x86, 0x3a, + 0x35, 0x95, 0x54, 0x21, 0x8d, 0x6a, 0xb3, 0xd1, 0x2b, 0x71, + 0xf5, 0xf1, 0x66, 0x00, 0xb1, 0x88, 0xee, 0x3b, 0xa4, 0x41, + 0x52, 0x1a, 0xf5, 0x0e, 0x32, 0xb6, 0xbf, 0x52, 0xab, 0x51, + 0x55, 0x91, 0x32, 0x4f, 0xaf, 0x91, 0xac, 0xf7, 0xff, 0x8e, + 0x3b, 0x2b, 0x61, 0xe9, 0x6d, 0x1d, 0x68, 0x80, 0x90, 0x79, + 0x34, 0x96, 0xca, 0x49, 0x43, 0x7c, 0x89, 0x4e, 0x5e, 0x31, + 0xb5, 0xce, 0x01, 0x9b, 0x09, 0xaf, 0x92, 0x06, 0x24, 0xe7, + 0x22, 0x35, 0xcc, 0xa2, 0x0b, 0xfb, 0x5b, 0x87, 0x65, 0x71, + 0xff, 0x64, 0x3e, 0xf9, 0xe8, 0x33, 0xa0, 0xc3, 0x4e, 0xb2, + 0x41, 0x98, 0x54, 0xeb, 0x13, 0x99, 0xfb, 0x32, 0x78, 0x7e, + 0xda, 0x4f, 0xd3, 0x46, 0x6a, 0xb5, 0x78, 0x81, 0x3f, 0x04, + 0x13, 0x5f, 0x67, 0xaf, 0x88, 0xa5, 0x9e, 0x0d, 0xc5, 0xf3, + 0xe7, 0x4c, 0x51, 0xf5, 0x51, 0x4a, 0xa4, 0x58, 0x64, 0xd9, + 0xa2, 0x32, 0x54, 0x36, 0xce, 0x38, 0xd8, 0xc2, 0x0e, 0x0d, + 0x60, 0x8e, 0x32, 0x7f, 0x90, 0x8a, 0xbc, 0x88, 0xbe, 0x6a, + 0xc0, 0x47, 0x0f, 0x02, 0x41, 0xff, 0x3b, 0x7e, 0xc5, 0xa6, + 0x33, 0x1d, 0x19, 0xd1, 0xd5, 0x67, 0x6c, 0xbf, 0x16, 0xb0, + 0x7e, 0x80, 0x10, 0xbf, 0x7f, 0xdd, 0xd0, 0xf4, 0xc3, 0x94, + 0x2c, 0x9a, 0x2c, 0xda, 0x69, 0x4e, 0xd6, 0x7b, 0x40, 0x4d, + 0x2a, 0x27, 0xcb, 0x5a, 0xe5, 0x2d, 0x3f, 0x7d, 0x51, 0x9d, + 0x9f, 0x70, 0xde, 0x50, 0xb1, 0xd3, 0xd2, 0x38, 0x4d, 0x1c, + 0xca, 0xc2, 0x1e, 0x80, 0xd0, 0x36, 0x82, 0x04, 0xe6, 0x17, + 0x79, 0x9f, 0x2e, 0xc9, 0xed, 0x2b, 0xd5, 0x1b, 0xfa, 0x7d, + 0x1a, 0x80, 0xb5, 0x0e, 0x2f, 0x05, 0xbe, 0x4a, 0x1b, 0xfe, + 0x0a, 0xad, 0x01, 0xde, 0x91, 0xc8, 0xf9, 0x81, 0xbe, 0xc7, + 0xaf, 0xe7, 0x87, 0xed, 0x9d, 0xb8, 0x6c, 0xad, 0x65, 0xed, + 0x5e, 0xd3, 0x67, 0x8c, 0x62, 0x3a, 0xe7, 0xfd, 0x67, 0xe0, + 0xbb, 0x57, 0xaf, 0x56, 0xeb, 0x4a, 0x58, 0x6e, 0xad, 0xf2, + 0xbe, 0xc3, 0x70, 0x29, 0xf8, 0xeb, 0x68, 0x45, 0xa0, 0xbd, + 0xcd, 0xa5, 0xb4, 0xd9, 0x01, 0xb7, 0x44, 0xeb, 0x97, 0xf3, + 0x0c, 0x56, 0xe4, 0x26, 0xd0, 0xa5, 0xb1, 0xa3, 0x49, 0x6e, + 0x88, 0xf2, 0x22, 0xe2, 0x7b, 0x58, 0x3a, 0xd9, 0x52, 0xa4, + 0xb1, 0x4c, 0x5c, 0x7c, 0xf0, 0x88, 0x7b, 0x9f, 0x06, 0xe9, + 0x32, 0x4e, 0xf2, 0x64, 0x83, 0x8b, 0xa2, 0xea, 0x1d, 0x25, + 0xf1, 0x8d, 0x16, 0x8b, 0xe0, 0xab, 0xd2, 0xe9, 0xe4, 0x6b, + 0x7d, 0x76, 0x98, 0x22, 0x53, 0x31, 0x6b, 0xcc, 0xf1, 0xe5, + 0x1d, 0xd7, 0xa5, 0xb0, 0xea, 0x6b, 0x38, 0x14, 0x0c, 0x06, + 0x10, 0x27, 0xd8, 0x33, 0xf3, 0x9a, 0xae, 0x94, 0xdd, 0x0b, + 0xb4, 0x6d, 0xe5, 0x91, 0xdd, 0xf1, 0x0f, 0x27, 0xa4, 0x94, + 0x55, 0xf0, 0xde, 0x07, 0x29, 0xe6, 0x3f, 0x26, 0x19, 0xa1, + 0xdd, 0xd1, 0x06, 0x99, 0xda, 0x54, 0x23, 0x3c, 0xf5, 0x5c, + 0x2e, 0x96, 0xa9, 0x21, 0x23, 0x25, 0x2e, 0x6f, 0xf1, 0xf9, + 0x11, 0x54, 0xe5, 0x7b, 0xb9, 0x1f, 0x11, 0xe2, 0x9e, 0x6b, + 0x61, 0x8b, 0xa3, 0x8b, 0xc1, 0x20, 0x9b, 0xfb, 0x51, 0xef, + 0xbb, 0xb9, 0xf6, 0xaf, 0x66, 0xb3, 0x2c, 0x25, 0xef, 0x76, + 0xcb, 0xbf, 0x7a, 0x93, 0x2f, 0xe1, 0x17, 0x56, 0xc1, 0x00, + 0x33, 0xb5, 0xd9, 0x91, 0x05, 0x31, 0xcc, 0x72, 0xcd, 0x4a, + 0x93, 0x9a, 0xe3, 0x21, 0x42, 0x9e, 0xb8, 0x4e, 0x6c, 0x27, + 0x93, 0xf0, 0x7f, 0x22, 0xdb, 0xe5, 0xb3, 0xa3, 0xf7, 0xe7, + 0x80, 0xbb, 0x91, 0xca, 0xf7, 0xe8, 0x52, 0xb8, 0x11, 0x64, + 0x66, 0x25, 0x94, 0xf8, 0x6f, 0x0b, 0x3b, 0xb7, 0xff, 0x80, + 0x9e, 0x36, 0xe9, 0x88, 0x2e, 0xab, 0x05, 0xbf, 0x99, 0x9f, + 0x2b, 0x4f, 0xc6, 0xb1, 0x13, 0x5b, 0x06, 0xff, 0x0a, 0x7b, + 0xbc, 0x7f, 0x07, 0xa0, 0x35, 0xc2, 0x2d, 0x44, 0x3e, 0xad, + 0x44, 0xcb, 0x47, 0x18, 0x26, 0x71, 0x7b, 0x17, 0xc9, 0x6d, + 0xb5, 0x4b, 0xcf, 0xdf, 0x14, 0x2c, 0x6c, 0xdf, 0x21, 0xce, + 0x93, 0x49, 0x34, 0x69, 0x49, 0xfd, 0x3e, 0x71, 0x5b, 0xfa, + 0x07, 0xc5, 0x7e, 0x5e, 0x54, 0x1a, 0x3c, 0xa6, 0x29, 0xb5, + 0xbf, 0x0d, 0xf1, 0xc6, 0xa4, 0x61, 0xd6, 0x17, 0x1d, 0xf0, + 0xa2, 0x78, 0x8f, 0xbc, 0x7e, 0x0c, 0xb4, 0xf0, 0x1e, 0x05, + 0xea, 0xb5, 0xad, 0x68, 0x95, 0x0b, 0x27, 0xb4, 0x29, 0x7c, + 0x70, 0x2a, 0x9a, 0x0a, 0x39, 0xd4, 0x76, 0xb7, 0x72, 0x30, + 0x5e, 0xae, 0x9c, 0x4a, 0x55, 0xc7, 0x46, 0xd7, 0x5f, 0xbe, + 0x10, 0x61, 0x25, 0x18, 0x7a, 0x9f, 0xd3, 0x05, 0x3d, 0x6f, + 0x9a, 0x1e, 0xec, 0x2b, 0x03, 0xe0, 0x49, 0x6a, 0x9c, 0xd6, + 0xdb, 0xc2, 0xa1, 0xe1, 0x0a, 0xbb, 0x31, 0x42, 0xc8, 0x43, + 0x4e, 0x7c, 0xa9, 0x7c, 0x60, 0xea, 0xbe, 0xf1, 0x8b, 0xe8, + 0xb2, 0x90, 0x83, 0x14, 0x21, 0xe4, 0xb3, 0x0d, 0x7c, 0x63, + 0x3c, 0x98, 0x55, 0xc6, 0x44, 0xa6, 0xa8, 0x1e, 0x42, 0xb7, + 0x89, 0xa8, 0xbd, 0xb8, 0x34, 0x3d, 0x09, 0x80, 0x99, 0x73, + 0x9f, 0xaf, 0x17, 0x56, 0xf2, 0x73, 0x3e, 0x1e, 0x6e, 0xe9, + 0x18, 0xa0, 0x5b, 0x69, 0xce, 0xfd, 0x3d, 0x77, 0x81, 0x95, + 0x3b, 0xf1, 0xde, 0x26, 0xe9, 0x27, 0xef, 0x92, 0x2a, 0x97, + 0xdc, 0x95, 0xa5, 0xa3, 0xb0, 0xfb, 0x96, 0x89, 0x4f, 0xe6, + 0xc1, 0x42, 0x0b, 0xfd, 0xb4, 0x6d, 0x0a, 0x9f, 0x9b, 0x31, + 0xd8, 0x21, 0x38, 0x8a, 0xee, 0xb6, 0x5c, 0x12, 0xa8, 0xb4, + 0x07, 0x79, 0x41, 0xa7, 0x7f, 0x13, 0x74, 0xad, 0x0b, 0xee, + 0x28, 0x52, 0xac, 0x2f, 0x4d, 0x30, 0x1c, 0xc5, 0xa6, 0xa5, + 0x61, 0x42, 0xbd, 0xe1, 0x4f, 0xd3, 0xec, 0x66, 0xf2, 0x63, + 0xf4, 0x93, 0xdb, 0x35, 0x2d, 0x3b, 0x71, 0x25, 0x09, 0xde, + 0xda, 0x46, 0xda, 0xe2, 0xa7, 0xa3, 0xdf, 0xcd, 0xbf, 0x58, + 0x05, 0x25, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x03, + 0xc0, 0x5f, 0xd5, 0x15, 0x1b, 0x09, 0xe4, 0xa7, 0xc0, 0xa6, + 0xd8, 0x0d, 0xa8, 0x2a, 0xd3, 0x1d, 0x46, 0x03, 0x07, 0xf0, + 0x98, 0xe4, 0x4b, 0x99, 0x66, 0x8e, 0x72, 0xe7, 0xbb, 0x51, + 0xc6, 0x1a, 0xbe, 0x36, 0xf4, 0x52, 0xba, 0xa8, 0xbf, 0xaa, + 0xe3, 0x71, 0x1d, 0x83, 0x21, 0xc0, 0xa6, 0x88, 0x4f, 0xf7, + 0x2b, 0x93, 0x26, 0xe4, 0xa7, 0xed, 0x50, 0x18, 0xaa, 0xf4, + 0x4c, 0xa2, 0xfe, 0x92, 0x7c, 0xde, 0x2e, 0x54, 0x76, 0xc2, + 0x25, 0x1e, 0x98, 0xa6, 0x48, 0x01, 0x39, 0x6f, 0x1f, 0x24, + 0x97, 0x9b, 0x64, 0x95, 0x1c, 0x8d, 0x63, 0x8d, 0x44, 0x6f, + 0x9d, 0xdf, 0xf4, 0x1a, 0xa5, 0x9a, 0x1e, 0xd3, 0x6c, 0xae, + 0xa9, 0x8c, 0x3f, 0xfb, 0x2f, 0x78, 0xf6, 0xa6, 0xd6, 0x06, + 0xd3, 0xb7, 0x26, 0xff, 0x1e, 0xdb, 0x8d, 0xcc, 0x37, 0x4d, + 0x5c, 0xe2, 0xc3, 0xa5, 0x75, 0xe6, 0xf9, 0xb4, 0x4c, 0x84, + 0x6f, 0x9e, 0x58, 0x55, 0xc8, 0x01, 0xfa, 0x32, 0xd2, 0x6e, + 0x2b, 0x45, 0xf2, 0xc6, 0x48, 0xad, 0x40, 0xd8, 0xb9, 0x3c, + 0x1b, 0xf8, 0xf7, 0x82, 0xd3, 0x0e, 0x73, 0xe3, 0xb1, 0x5b, + 0x82, 0x71, 0x77, 0x3f, 0x6f, 0x36, 0x9a, 0xe0, 0xec, 0x51, + 0xf8, 0x5f, 0x84, 0x92, 0xee, 0xb8, 0x7e, 0xe7, 0x1a, 0x14, + 0x50, 0x82, 0x7a, 0x4d, 0xe6, 0xd6, 0xa3, 0x76, 0x24, 0x8a, + 0x5f, 0xfe, 0x19, 0xdd, 0xd7, 0xf7, 0x5b, 0xae, 0x18, 0x04, + 0x90, 0xcd, 0x5c, 0xe5, 0x64, 0xe8, 0x04, 0xb1, 0x06, 0xa5, + 0xdd, 0xf8, 0x9d, 0x71, 0x13, 0xaa, 0x36, 0x7f, 0x61, 0x27, + 0xf4, 0xac, 0x95, 0x7d, 0x1a, 0x99, 0x7d, 0xe0, 0xd5, 0x9c, + 0x5a, 0xad, 0x9a, 0xff, 0x54, 0xb0, 0xb1, 0x55, 0x45, 0x2d, + 0x19, 0x58, 0x52, 0x28, 0xdd, 0xe0, 0xb5, 0x65, 0x52, 0x97, + 0x45, 0xf0, 0x2b, 0x98, 0x1f, 0x61, 0x6c, 0x9d, 0xaa, 0x59, + 0x85, 0xf9, 0x97, 0x7b, 0xbd, 0xeb, 0x95, 0x81, 0xfb, 0x29, + 0x8c, 0xf0, 0x52, 0xdf, 0xed, 0xee, 0xb2, 0x00, 0x32, 0x35, + 0x14, 0xa8, 0xa4, 0xca, 0x91, 0xff, 0x18, 0xb7, 0x96, 0xfb, + 0x32, 0x62, 0xa9, 0xa0, 0xd0, 0x77, 0x43, 0xf5, 0x99, 0xd1, + 0xee, 0xe8, 0xad, 0x1a, 0x2c, 0xd4, 0xeb, 0xe1, 0xf5, 0x01, + 0x41, 0x78, 0xc0, 0x27, 0x19, 0x50, 0x2e, 0xba, 0x22, 0xd1, + 0xeb, 0xb3, 0xa5, 0x27, 0x0b, 0xec, 0xf9, 0x26, 0x7e, 0x1f, + 0xe7, 0x17, 0x9f, 0x39, 0xa8, 0x72, 0x22, 0x63, 0x79, 0x6a, + 0x9c, 0x89, 0x55, 0x9a, 0xb4, 0x61, 0x41, 0xbc, 0xaa, 0x14, + 0x37, 0x29, 0x03, 0xc0, 0x52, 0x4e, 0x31, 0x44, 0x8f, 0x2e, + 0x17, 0x81, 0x88, 0xf4, 0xce, 0xda, 0x41, 0xb8, 0xd5, 0x14, + 0x91, 0x8c, 0xca, 0xd2, 0x0d, 0x99, 0x06, 0x09, 0xc2, 0xb7, + 0xe8, 0xae, 0xfa, 0x01, 0xea, 0x99, 0x62, 0x68, 0xb6, 0xdf, + 0xc8, 0x27, 0xae, 0xbf, 0xb0, 0x9b, 0x5b, 0x1a, 0xa2, 0xe2, + 0x5a, 0x7a, 0xe5, 0x4b, 0x92, 0x1f, 0xff, 0x73, 0xae, 0x16, + 0x40, 0x78, 0x42, 0x28, 0xbb, 0x13, 0x5e, 0xbc, 0x71, 0x7a, + 0x78, 0x3e, 0xd8, 0x1b, 0xc2, 0x2c, 0xd6, 0xdc, 0xfa, 0x39, + 0x72, 0xf8, 0xa2, 0x2c, 0x8b, 0x1c, 0x5d, 0xab, 0xb8, 0x07, + 0xc7, 0xae, 0x29, 0x93, 0x68, 0xbf, 0x61, 0xe9, 0xa4, 0x37, + 0x83, 0x7d, 0x13, 0xc7, 0x18, 0xf0, 0x7d, 0xa4, 0x20, 0x47, + 0x14, 0x68, 0x95, 0x46, 0x56, 0x6d, 0xd5, 0x7b, 0xe1, 0x51, + 0x8f, 0x96, 0xc1, 0x7b, 0x35, 0x09, 0x7a, 0x89, 0x0e, 0xdf, + 0x12, 0xd5, 0xe1, 0x9c, 0x2a, 0x94, 0x95, 0x43, 0x93, 0x48, + 0xa6, 0x23, 0xe6, 0xd8, 0xf2, 0xb8, 0x0e, 0xba, 0x6d, 0x61, + 0x03, 0xaf, 0x40, 0x63, 0x2b, 0x2f, 0xee, 0x61, 0x4c, 0xc4, + 0x70, 0x3d, 0x78, 0xc1, 0x4f, 0x8e, 0x0b, 0x9b, 0x06, 0x35, + 0x6d, 0x6d, 0x83, 0x37, 0xbb, 0x39, 0x7d, 0x7f, 0x33, 0x93, + 0xc4, 0xeb, 0x8e, 0xfc, 0xda, 0xf0, 0x54, 0xfe, 0x1d, 0xc4, + 0xd3, 0x83, 0x99, 0xdf, 0x65, 0xee, 0x00, 0x7d, 0x86, 0x27, + 0xd4, 0x3a, 0x6b, 0xe6, 0x82, 0x8e, 0x58, 0x2d, 0x03, 0x38, + 0xef, 0x6c, 0x82, 0x87, 0x18, 0x3b, 0x47, 0xe7, 0xbc, 0xe1, + 0x58, 0x70, 0x4d, 0x46, 0x96, 0x34, 0x60, 0x96, 0x15, 0x09, + 0x3c, 0x84, 0x40, 0xaf, 0x80, 0x32, 0x75, 0xc7, 0x23, 0x6c, + 0xfb, 0x1d, 0x57, 0x73, 0x19, 0x09, 0xe8, 0x1a, 0x4c, 0x02, + 0x5c, 0x7e, 0x4e, 0xbe, 0x75, 0xf8, 0x73, 0xff, 0x2d, 0x54, + 0x19, 0x55, 0xf5, 0xf4, 0x1b, 0xc9, 0xbc, 0xc2, 0x19, 0xcb, + 0xb7, 0x4e, 0x6a, 0x0d, 0xff, 0xca, 0x7d, 0xd0, 0x88, 0x91, + 0x8b, 0x9b, 0x21, 0xa4, 0xa2, 0x43, 0x0d, 0xbc, 0x9e, 0x73, + 0x7d, 0x54, 0x7d, 0x95, 0xcc, 0x63, 0x5e, 0xc1, 0xb8, 0xe6, + 0x27, 0xff, 0x20, 0x07, 0xe8, 0x6e, 0x7e, 0xf2, 0x0f, 0x5a, + 0x09, 0xef, 0xe5, 0x4d, 0x80, 0x39, 0x95, 0xd5, 0xf4, 0xee, + 0x3b, 0xca, 0x7c, 0x73, 0xf8, 0x39, 0x5a, 0xc1, 0x1d, 0x7d, + 0x94, 0x72, 0x32, 0xad, 0x58, 0xe2, 0xfc, 0x71, 0x6e, 0x66, + 0xaa, 0xa1, 0x59, 0xd6, 0xac, 0xab, 0xbe, 0x8c, 0x53, 0x99, + 0xcd, 0xe8, 0x2d, 0xb5, 0xb3, 0x46, 0x58, 0x2e, 0x16, 0xd7, + 0x4d, 0x8b, 0x7d, 0x4a, 0xb1, 0x4c, 0x85, 0x91, 0x1b, 0x57, + 0x54, 0xf8, 0x14, 0x59, 0xdb, 0xc4, 0x2c, 0x9c, 0x08, 0x6d, + 0x3d, 0xd7, 0xf6, 0xa6, 0xe6, 0xb3, 0x2a, 0xe7, 0x29, 0x1c, + 0xab, 0xb4, 0xed, 0x13, 0x19, 0xf8, 0xb6, 0x60, 0x92, 0x44, + 0x53, 0xd4, 0xa9, 0x7e, 0xba, 0x21, 0xa2, 0xdc, 0x6e, 0xa5, + 0x5e, 0x53, 0x59, 0x3c, 0x52, 0x61, 0x7b, 0x5f, 0x19, 0xad, + 0xc8, 0x6d, 0x68, 0x8d, 0x7a, 0xc9, 0xd6, 0xef, 0xeb, 0x67, + 0x4f, 0xca, 0xe7, 0xf6, 0x29, 0x36, 0x97, 0xfb, 0x3e, 0x37, + 0x95, 0x85, 0x71, 0x70, 0xf6, 0x63, 0x86, 0x2a, 0x29, 0xd7, + 0x9a, 0x96, 0x76, 0xa7, 0x47, 0x98, 0x4e, 0x06, 0x31, 0xaf, + 0xf3, 0x4f, 0x2a, 0x65, 0x90, 0x6a, 0x4b, 0x8e, 0x43, 0x79, + 0xe2, 0xdd, 0xce, 0x08, 0x1c, 0x01, 0xec, 0x38, 0x41, 0xdd, + 0x19, 0xd8, 0xf3, 0x36, 0x03, 0x35, 0x03, 0xaf, 0x1c, 0x45, + 0x3c, 0xac, 0x13, 0xaa, 0x36, 0x16, 0x48, 0x77, 0xb3, 0xbe, + 0xa3, 0xb3, 0x9d, 0x7f, 0x20, 0xca, 0x74, 0x65, 0xac, 0x93, + 0xa7, 0x54, 0xad, 0xc8, 0x68, 0x0e, 0xf8, 0x44, 0x1f, 0xad, + 0x2c, 0xb7, 0x9a, 0x9a, 0x07, 0xe5, 0xcd, 0x87, 0xe0, 0x14, + 0xb5, 0xaf, 0xd3, 0xd7, 0xcf, 0x13, 0x9f, 0x3b, 0xbd, 0xfe, + 0x29, 0x0b, 0x72, 0xf5, 0x4c, 0x54, 0x94, 0xc7, 0x66, 0xec, + 0xa8, 0x41, 0x96, 0x3d, 0x17, 0xed, 0x19, 0xc0, 0x82, 0x3e, + 0x5f, 0x9a, 0x91, 0xfe, 0xd1, 0x2f, 0xb8, 0x94, 0xaa, 0x58, + 0x68, 0x95, 0x31, 0x87, 0x57, 0x9a, 0x75, 0x94, 0x4d, 0x38, + 0x7d, 0x56, 0x82, 0x81, 0x9c, 0xb9, 0x34, 0x2b, 0xe7, 0x40, + 0xd9, 0x3c, 0x77, 0x5b, 0x95, 0x51, 0x06, 0x11, 0x41, 0xe3, + 0x8b, 0xb7, 0x32, 0xeb, 0xe1, 0x05, 0x1b, 0x10, 0xa8, 0x0e, + 0xa1, 0x02, 0x82, 0x01, 0xe1, 0x00, 0xfa, 0x38, 0x34, 0xfe, + 0x55, 0x87, 0x71, 0x62, 0x47, 0x00, 0x33, 0x64, 0x67, 0x70, + 0x79, 0x76, 0xdf, 0xfe, 0xc3, 0x28, 0x38, 0xdf, 0x90, 0xd4, + 0xc0, 0xee, 0x98, 0xbf, 0x9d, 0x9b, 0x85, 0xd8, 0x61, 0x65, + 0xa5, 0x70, 0xf5, 0xd2, 0x2c, 0xbf, 0x2f, 0xb5, 0x55, 0x79, + 0x92, 0x13, 0xba, 0x4d, 0x3c, 0x39, 0xbf, 0xd5, 0x31, 0x13, + 0x7a, 0x31, 0xf4, 0x8b, 0xce, 0xf8, 0xd0, 0xd3, 0x9b, 0xe2, + 0xee, 0x31, 0xdb, 0xba, 0xcc, 0x1a, 0xba, 0x1c, 0x8d, 0xee, + 0xea, 0xcb, 0xd3, 0x5a, 0xad, 0x87, 0xd6, 0xf9, 0x15, 0x2f, + 0x6e, 0x00, 0x06, 0x74, 0x25, 0x8d, 0xff, 0xc8, 0xa6, 0x11, + 0x1c, 0xe8, 0x16, 0x1a, 0xde, 0x53, 0x05, 0xb9, 0x53, 0x55, + 0x28, 0x83, 0x3d, 0xbe, 0x61, 0x0c, 0xc4, 0x98, 0x7d, 0xf6, + 0xec, 0x36, 0xc3, 0xe5, 0xe7, 0x1d, 0x14, 0x64, 0xcb, 0x0d, + 0x62, 0x5d, 0x7a, 0xcd, 0x88, 0xfc, 0x66, 0x4e, 0xf9, 0x36, + 0x47, 0x95, 0x18, 0x3a, 0x48, 0x2a, 0xff, 0x62, 0x8f, 0x6c, + 0xe2, 0xc2, 0xe9, 0xd3, 0x6a, 0x45, 0x5c, 0xf5, 0x89, 0x53, + 0x5c, 0xbe, 0xcf, 0xad, 0x87, 0x22, 0x9c, 0x31, 0x48, 0xdb, + 0xd8, 0xe4, 0xe5, 0x38, 0xae, 0xc2, 0xb0, 0xd2, 0xba, 0xb7, + 0x30, 0x53, 0x2d, 0xb1, 0x35, 0xf1, 0x58, 0x0f, 0x8a, 0x06, + 0x51, 0x76, 0xb9, 0x2c, 0x32, 0xe0, 0xd1, 0xaa, 0x82, 0x34, + 0x69, 0x71, 0x1c, 0x5f, 0x35, 0xa8, 0x9d, 0x11, 0xac, 0x13, + 0xdb, 0x7b, 0xf6, 0x93, 0xe3, 0xb9, 0xbd, 0xd9, 0xb2, 0x86, + 0xff, 0x61, 0x88, 0x2b, 0x72, 0x5c, 0x84, 0xe1, 0x0c, 0x72, + 0xab, 0x44, 0xff, 0x23, 0x13, 0xaf, 0xd1, 0x5a, 0xd3, 0xea, + 0x73, 0xfe, 0xd5, 0xa4, 0x7d, 0x9e, 0x4e, 0xac, 0x03, 0x93, + 0x72, 0x14, 0x2d, 0x96, 0x6f, 0xee, 0xb4, 0xcd, 0x4e, 0xab, + 0xea, 0x71, 0x93, 0x81, 0xe0, 0x3d, 0xcd, 0x61, 0x96, 0x25, + 0x76, 0xbd, 0xc4, 0xb5, 0xdd, 0x7c, 0xf1, 0xb9, 0xe1, 0x2c, + 0x58, 0x1b, 0xa4, 0x46, 0x4b, 0x12, 0x57, 0x58, 0xaa, 0x3a, + 0xae, 0x89, 0xa3, 0xb3, 0xcf, 0x1f, 0x8d, 0x67, 0xdf, 0x6d, + 0x7e, 0x8e, 0xfa, 0xc5, 0x09, 0x73, 0x46, 0x56, 0x55, 0x90, + 0xeb, 0x77, 0x4e, 0x16, 0x4f, 0x68, 0x7b, 0x1f, 0x61, 0x23, + 0xec, 0xa9, 0x71, 0x30, 0x33, 0x25, 0xc7, 0x4e, 0x26, 0x2e, + 0x4e, 0x2b, 0xc2, 0x64, 0x5f, 0xf5, 0x8f, 0x7a, 0x4b, 0x1c, + 0x06, 0xb3, 0x91, 0xf6, 0x9b, 0x51, 0xb7, 0xb0, 0x64, 0x72, + 0x04, 0xe5, 0xfa, 0x14, 0x2f, 0xed, 0x61, 0x29, 0x03, 0x73, + 0x19, 0x15, 0x6e, 0x2c, 0x8b, 0x0e, 0xec, 0x4d, 0xf1, 0xe3, + 0x6f, 0x58, 0x7c, 0xc9, 0x48, 0x67, 0x3f, 0x51, 0xb5, 0xb7, + 0x26, 0x46, 0xa7, 0x25, 0x79, 0x55, 0xfe, 0x3a, 0x44, 0xb4, + 0x44, 0xfc, 0xb8, 0x14, 0x34, 0x47, 0xd7, 0xa3, 0x0e, 0x76, + 0xe7, 0x83, 0x9a, 0x02, 0xc3, 0xcf, 0x2b, 0xd9, 0x83, 0x93, + 0xd5, 0xee, 0x99, 0x74, 0x45, 0x62, 0x23, 0xa6, 0x02, 0xc9, + 0xc0, 0x10, 0x70, 0x0a, 0x99, 0x29, 0x0c, 0x79, 0x04, 0x4c, + 0x77, 0x21, 0x96, 0xf0, 0xa5, 0x17, 0x22, 0xbe, 0xab, 0x9b, + 0xd7, 0x42, 0xd3, 0xe9, 0xc0, 0x42, 0x44, 0x7d, 0x9d, 0xc9, + 0x3d, 0xf9, 0x36, 0x97, 0x1b, 0x75, 0x52, 0x8f, 0xe9, 0xb9, + 0x8c, 0xa7, 0x64, 0x19, 0x5b, 0x5d, 0x60, 0xb4, 0x42, 0x95, + 0xc9, 0xdb, 0x82, 0x03, 0xc6, 0xb0, 0x28, 0x72, 0x64, 0x03, + 0x41, 0x4d, 0x8f, 0xc6, 0xd0, 0xcd, 0x02, 0x82, 0x01, 0xe1, + 0x00, 0xe8, 0x66, 0xa7, 0xf9, 0x0f, 0x5a, 0x21, 0xfc, 0x88, + 0x4e, 0x91, 0xd5, 0x4a, 0xf0, 0xf4, 0x32, 0xe5, 0x0d, 0xf3, + 0x06, 0x95, 0xd0, 0x4e, 0x47, 0x0c, 0x04, 0x66, 0x77, 0xfd, + 0xb8, 0x93, 0x0d, 0xff, 0x8f, 0x97, 0xa0, 0x4a, 0x36, 0x37, + 0xa6, 0x5e, 0x95, 0x79, 0xc8, 0xb2, 0x21, 0x98, 0x81, 0xf1, + 0xb8, 0xf4, 0x52, 0xaf, 0x3c, 0x8c, 0x86, 0x85, 0x55, 0x56, + 0xfc, 0x90, 0xe3, 0x32, 0x50, 0x7c, 0x54, 0x07, 0x9e, 0xed, + 0xfc, 0xd4, 0xb9, 0x5c, 0x98, 0x22, 0xfb, 0x72, 0xd7, 0x83, + 0xf0, 0xd1, 0x61, 0x10, 0xbd, 0x68, 0x5d, 0x72, 0xc1, 0xce, + 0x92, 0x43, 0x77, 0x9f, 0xb8, 0x8d, 0x8e, 0xf2, 0xe3, 0x62, + 0x4a, 0x93, 0x03, 0xd3, 0xd9, 0x01, 0xa8, 0x99, 0x6f, 0xa3, + 0x4c, 0x6d, 0x7a, 0xf2, 0x9e, 0x8e, 0x6b, 0xbc, 0xe4, 0x9d, + 0x8e, 0xe7, 0x25, 0x86, 0xa4, 0xa9, 0xc2, 0xef, 0xdf, 0xbb, + 0x6e, 0x3d, 0x4b, 0x57, 0x95, 0x81, 0x6f, 0x68, 0x3f, 0x19, + 0xa8, 0xff, 0x5a, 0x08, 0x7a, 0xe4, 0x4c, 0x4e, 0xb4, 0xea, + 0xf4, 0xc8, 0x2f, 0xef, 0x8c, 0x5e, 0xcd, 0x62, 0x1c, 0x8c, + 0x93, 0x60, 0x5d, 0xa3, 0x11, 0x64, 0x0b, 0xeb, 0x6d, 0x21, + 0xbc, 0x3a, 0x5b, 0x5c, 0x0c, 0xa7, 0x8a, 0xc6, 0xa8, 0xe1, + 0x48, 0x81, 0x01, 0xb5, 0x65, 0xab, 0x2e, 0xbe, 0x38, 0x94, + 0xf7, 0xa6, 0x33, 0xc1, 0x6e, 0x0b, 0x88, 0x38, 0xe7, 0x1b, + 0x04, 0x9a, 0x10, 0x2d, 0x1d, 0x3f, 0x5f, 0x5f, 0xc8, 0xef, + 0xcd, 0xc5, 0x16, 0xdc, 0x84, 0xc0, 0x66, 0xe0, 0xa3, 0xfc, + 0xfa, 0x96, 0xc7, 0xb7, 0xec, 0x4f, 0x40, 0x0a, 0xc5, 0xbe, + 0x6d, 0x39, 0x4a, 0x7e, 0x91, 0x4f, 0xe1, 0x03, 0xd2, 0x39, + 0xbc, 0x87, 0x69, 0xa1, 0xf0, 0x6d, 0x11, 0xf5, 0xb4, 0x9d, + 0xae, 0x76, 0x6b, 0xc6, 0xbf, 0xe4, 0x47, 0xbc, 0x4d, 0x13, + 0x88, 0xa8, 0x83, 0xf5, 0xae, 0x1d, 0xfb, 0x4d, 0x4c, 0x44, + 0x03, 0xd8, 0xa4, 0x2e, 0x4d, 0xf8, 0x5f, 0x45, 0x94, 0x58, + 0xd7, 0xd9, 0x4b, 0x47, 0xd8, 0xfc, 0x35, 0x05, 0xed, 0xb4, + 0xb6, 0xc2, 0x36, 0x2e, 0xba, 0xd2, 0x7a, 0xba, 0x69, 0x34, + 0xbf, 0xf1, 0xa1, 0x5e, 0x17, 0x71, 0x89, 0xd3, 0x54, 0x57, + 0x05, 0x2b, 0x82, 0xe3, 0x0a, 0x64, 0x5c, 0x3b, 0x8c, 0x6b, + 0xc7, 0x10, 0x8a, 0xb5, 0xd3, 0xd7, 0x90, 0xeb, 0xdb, 0x1d, + 0xa0, 0xbf, 0x6b, 0xea, 0xcd, 0x31, 0x7a, 0x8d, 0x64, 0xcc, + 0x58, 0xc0, 0x07, 0xa4, 0x6e, 0x14, 0x0b, 0xf3, 0xea, 0x3e, + 0x87, 0x9f, 0x7c, 0xb8, 0x1c, 0x22, 0x26, 0x8a, 0x7d, 0x90, + 0xdd, 0x57, 0x28, 0x38, 0xcc, 0x0e, 0x71, 0x92, 0x89, 0xee, + 0x79, 0x88, 0xbc, 0x05, 0x21, 0xda, 0x42, 0x92, 0x52, 0x66, + 0xac, 0x4a, 0xe5, 0xf5, 0x6e, 0x47, 0xd5, 0xba, 0x37, 0xd3, + 0x7c, 0x89, 0xd4, 0xd8, 0x6f, 0xde, 0x63, 0x44, 0xb5, 0x88, + 0xdd, 0xb1, 0x30, 0xb4, 0x6d, 0xcd, 0xbf, 0xc8, 0x34, 0x27, + 0x59, 0x7d, 0x79, 0xdc, 0x96, 0x5b, 0x8e, 0xc0, 0x87, 0xc0, + 0x4e, 0x40, 0x07, 0x13, 0x91, 0x6b, 0x3a, 0x12, 0x03, 0x64, + 0x70, 0xaf, 0x80, 0x24, 0x1c, 0x5c, 0xfb, 0xf5, 0xc0, 0x74, + 0x5e, 0xaf, 0x06, 0x18, 0x04, 0x67, 0x4a, 0xbd, 0xac, 0xd7, + 0xca, 0xbe, 0x4e, 0xa1, 0x19, 0x48, 0x7d, 0xa6, 0x59, 0xf6, + 0x1a, 0x62, 0x50, 0x53, 0x46, 0xa4, 0x5b, 0x9c, 0x5a, 0xfd, + 0x89, 0x9d, 0xd4, 0xde, 0xf4, 0xa7, 0x3d, 0x88, 0x73, 0xa5, + 0xb9, 0x02, 0x82, 0x01, 0xe1, 0x00, 0xe7, 0x70, 0x59, 0xc3, + 0xed, 0xc4, 0x6b, 0xa1, 0xa5, 0x5e, 0x90, 0x2a, 0x8c, 0x6a, + 0xc2, 0x4e, 0xab, 0xfc, 0xee, 0xf2, 0x23, 0x38, 0xd6, 0xb3, + 0x93, 0x08, 0x9e, 0x0c, 0x8e, 0x71, 0x2d, 0xa9, 0xe8, 0xdc, + 0xa5, 0xdc, 0x07, 0xe3, 0xb1, 0x33, 0xdd, 0xa2, 0xf2, 0x3e, + 0x92, 0x58, 0xe0, 0xf7, 0x53, 0x7f, 0x6e, 0xea, 0x78, 0x8c, + 0x35, 0x78, 0x43, 0x63, 0x95, 0xbb, 0x1b, 0x1c, 0xbf, 0x91, + 0x75, 0x14, 0x74, 0xd3, 0x20, 0xba, 0x8f, 0xee, 0x9d, 0x71, + 0xa1, 0x87, 0x8a, 0x24, 0xd3, 0x61, 0x53, 0xfb, 0xec, 0x16, + 0x84, 0xbe, 0x4d, 0x39, 0xdd, 0x0a, 0xac, 0xce, 0x20, 0x9c, + 0xaf, 0x8a, 0x13, 0xf8, 0x22, 0x2f, 0xd4, 0x99, 0x88, 0x74, + 0xba, 0x16, 0x3a, 0x63, 0xff, 0x4c, 0x5a, 0x03, 0x5a, 0x6f, + 0xac, 0x29, 0x33, 0xa5, 0x50, 0xd1, 0xda, 0xed, 0x27, 0xcb, + 0x67, 0x72, 0x63, 0x85, 0xfc, 0xf0, 0xc8, 0x88, 0xbf, 0x85, + 0xef, 0x4b, 0xfe, 0xae, 0xd9, 0xd5, 0xbb, 0x86, 0xa4, 0x76, + 0xe8, 0x7f, 0xb4, 0xdb, 0xb1, 0xee, 0x1a, 0x7f, 0x99, 0xd7, + 0x9b, 0x6f, 0x7a, 0x94, 0x5c, 0xec, 0x2c, 0x60, 0x81, 0xad, + 0xa7, 0xbe, 0x80, 0x2e, 0x9f, 0xa6, 0xc0, 0xfb, 0x09, 0x6d, + 0x2b, 0xab, 0xa4, 0x15, 0xc7, 0x79, 0x46, 0x24, 0x89, 0x5c, + 0x32, 0xb9, 0x87, 0xa9, 0x54, 0x1e, 0x12, 0x90, 0x8e, 0x02, + 0x80, 0x8c, 0xf8, 0xdb, 0x2f, 0xbc, 0x98, 0x1b, 0xa2, 0x78, + 0x73, 0x89, 0x03, 0x97, 0xe3, 0x09, 0x08, 0x8b, 0x75, 0xcf, + 0xdc, 0x23, 0x90, 0x59, 0xef, 0x5b, 0x98, 0x24, 0xb8, 0xe8, + 0xcf, 0x75, 0xf0, 0x2f, 0xb7, 0xa3, 0xe6, 0x17, 0x06, 0xf0, + 0x52, 0xfe, 0x21, 0x0a, 0x16, 0x8e, 0xf8, 0xe1, 0xae, 0x25, + 0x11, 0x5d, 0x8c, 0x95, 0x1b, 0x4f, 0x45, 0xb8, 0xa8, 0xcd, + 0xe6, 0xf9, 0xca, 0xa0, 0x54, 0x93, 0x95, 0x86, 0x6f, 0xe4, + 0x93, 0x22, 0x0f, 0xf2, 0xcf, 0xbd, 0x23, 0xb0, 0xf4, 0x8f, + 0x99, 0xa7, 0x67, 0x99, 0x05, 0x13, 0x1f, 0xeb, 0x88, 0xf8, + 0xe2, 0x3b, 0xb9, 0x49, 0x35, 0x89, 0x4f, 0xb8, 0x06, 0x37, + 0x36, 0xda, 0x75, 0x25, 0x0f, 0x0a, 0xaa, 0xc2, 0x6c, 0x3e, + 0xb1, 0x2d, 0x16, 0xf3, 0x17, 0xdb, 0xe2, 0x16, 0x32, 0x39, + 0x92, 0x4b, 0x5f, 0xc0, 0x5f, 0x6e, 0xd0, 0x1c, 0x7e, 0xc0, + 0x51, 0xd9, 0xb3, 0xe2, 0x37, 0xc7, 0xe0, 0x40, 0x13, 0x7d, + 0x06, 0xcd, 0xcd, 0x72, 0xb6, 0x53, 0x2d, 0x7e, 0x60, 0x49, + 0xfe, 0x31, 0xe1, 0xd0, 0x0e, 0x4c, 0x98, 0x93, 0xe0, 0xf6, + 0xf2, 0xfa, 0x99, 0x7f, 0x65, 0xd8, 0x15, 0xc6, 0x3a, 0xb8, + 0x4d, 0x63, 0x21, 0x78, 0xe4, 0x19, 0x6b, 0xbd, 0xde, 0x40, + 0x5b, 0x8c, 0xfa, 0x49, 0x75, 0x23, 0x8f, 0x14, 0xc2, 0x3b, + 0xa3, 0x9b, 0xc5, 0x80, 0x1a, 0xa3, 0x60, 0xd7, 0x17, 0x27, + 0xf0, 0x18, 0x0f, 0xba, 0x02, 0xf7, 0x7a, 0xed, 0xa4, 0x00, + 0x77, 0xde, 0x4b, 0xdd, 0xf9, 0xd7, 0x3e, 0x75, 0xed, 0x1a, + 0x43, 0x26, 0x71, 0x1b, 0xbc, 0x72, 0xf5, 0x70, 0x72, 0x03, + 0x70, 0x25, 0x87, 0x81, 0x6a, 0x92, 0x2d, 0xb7, 0x02, 0xf0, + 0x10, 0x79, 0x65, 0x9d, 0x4e, 0x11, 0x7d, 0x5c, 0x5b, 0x37, + 0xaa, 0xb4, 0xfa, 0x43, 0x66, 0x48, 0x6c, 0x67, 0x64, 0x9e, + 0x15, 0x75, 0x36, 0xe7, 0x25, 0x55, 0x07, 0x7f, 0x74, 0x1f, + 0x2c, 0x28, 0x76, 0xe7, 0x9b, 0x3d, 0x91, 0x0b, 0xcd, 0x6a, + 0x1d, 0x5a, 0xea, 0x63, 0xd0, 0xf9, 0x02, 0x82, 0x01, 0xe0, + 0x3e, 0x31, 0xf2, 0xf4, 0x29, 0x92, 0xa2, 0x93, 0xd5, 0xda, + 0xc9, 0x16, 0x7e, 0xf6, 0xdb, 0x33, 0x9f, 0xaf, 0x4b, 0x01, + 0xd1, 0x28, 0x2d, 0x3a, 0xc0, 0x51, 0x91, 0x26, 0xbd, 0xa5, + 0x1e, 0xdd, 0xd9, 0x2e, 0x11, 0x93, 0x19, 0x29, 0x47, 0x5d, + 0x63, 0xe4, 0xb6, 0xf1, 0xea, 0x12, 0x29, 0xa1, 0x65, 0x12, + 0x6d, 0x78, 0x8f, 0x63, 0x31, 0xec, 0x72, 0x54, 0x73, 0x72, + 0x26, 0x48, 0x57, 0x57, 0xc8, 0xde, 0x28, 0x27, 0xf5, 0x62, + 0xfb, 0x7f, 0x1b, 0xf3, 0xaf, 0x31, 0x01, 0xfc, 0x01, 0x58, + 0x7a, 0x80, 0x72, 0x9d, 0x6e, 0x07, 0xcc, 0x45, 0x67, 0xc6, + 0x26, 0xfe, 0x25, 0xa5, 0x9b, 0x64, 0xcd, 0x45, 0xe3, 0x31, + 0x38, 0x05, 0x07, 0x36, 0x05, 0x46, 0x9c, 0xc1, 0x8e, 0xbf, + 0x4e, 0x71, 0x5f, 0xea, 0xe5, 0x0c, 0x9a, 0x41, 0xc8, 0x94, + 0xcc, 0xf1, 0x73, 0x06, 0x30, 0x54, 0x76, 0x23, 0xb7, 0x22, + 0x7a, 0x8e, 0xe6, 0x42, 0xa1, 0xa0, 0x32, 0x12, 0xe9, 0x08, + 0x1c, 0x46, 0x79, 0x0c, 0x82, 0x7a, 0x95, 0x79, 0xbf, 0x83, + 0x80, 0xeb, 0xab, 0x3d, 0x32, 0xc5, 0xde, 0x62, 0xeb, 0x90, + 0x29, 0x73, 0x05, 0xc8, 0x0a, 0xb1, 0x51, 0xf1, 0x23, 0xdd, + 0x1e, 0xf5, 0x02, 0x3e, 0x74, 0xbc, 0x24, 0x0c, 0x60, 0x36, + 0x2a, 0x28, 0x4d, 0xe6, 0x86, 0x98, 0x7c, 0xd9, 0xe1, 0xac, + 0x21, 0x33, 0xaa, 0xa9, 0x8b, 0xb6, 0x8a, 0x1b, 0xf7, 0x54, + 0x14, 0xf3, 0x0d, 0x4f, 0xcd, 0x7c, 0xf5, 0xc2, 0x6d, 0xc2, + 0xf0, 0xe2, 0xfc, 0x63, 0x1e, 0xa6, 0xa9, 0xa9, 0xd9, 0x73, + 0x2a, 0xd5, 0x0a, 0x38, 0xd8, 0xc0, 0xb7, 0xe1, 0x51, 0xe4, + 0x23, 0x37, 0xf7, 0x85, 0x66, 0x0e, 0x3f, 0x1a, 0x8c, 0xcf, + 0x12, 0xa2, 0x47, 0x6f, 0x73, 0x91, 0x21, 0xe3, 0x93, 0x6b, + 0x74, 0x4f, 0xc5, 0xa1, 0xe7, 0x32, 0xf7, 0x86, 0xdd, 0x1a, + 0x6e, 0x96, 0xda, 0x32, 0x1d, 0xdd, 0xfa, 0x42, 0xd5, 0xd4, + 0xfd, 0xae, 0x7a, 0xa1, 0xed, 0x3d, 0x79, 0xfe, 0x88, 0x84, + 0x43, 0xa7, 0xec, 0xf3, 0x7a, 0x13, 0xaa, 0xa1, 0x82, 0x02, + 0x83, 0x19, 0x43, 0x0a, 0x46, 0x78, 0x07, 0xd9, 0x4d, 0xff, + 0xac, 0x67, 0xd6, 0x29, 0x89, 0xfe, 0x2b, 0xab, 0x5f, 0x9a, + 0x87, 0x99, 0x80, 0xaf, 0x70, 0x4a, 0x6a, 0xb9, 0x5a, 0xc2, + 0xac, 0x7f, 0xa2, 0xc7, 0xad, 0xe2, 0x1f, 0xec, 0xc5, 0x12, + 0x17, 0x08, 0x87, 0x8f, 0x20, 0x95, 0xbe, 0xaf, 0x62, 0x2c, + 0xc2, 0x3f, 0x89, 0x56, 0xd8, 0x50, 0x96, 0x97, 0x72, 0xe2, + 0x92, 0xe1, 0x2a, 0xd8, 0x84, 0x9f, 0x31, 0xe3, 0x06, 0xd8, + 0xe5, 0x91, 0x63, 0x19, 0xe1, 0x27, 0xad, 0xe2, 0xf2, 0x0a, + 0x5e, 0x78, 0x8b, 0x1b, 0x13, 0x31, 0x4b, 0xbd, 0x77, 0xb2, + 0xd6, 0x5c, 0x92, 0x81, 0x50, 0x02, 0x37, 0xd2, 0xe6, 0xeb, + 0x66, 0x6b, 0xaa, 0xfc, 0xcd, 0x54, 0x5d, 0xb8, 0x03, 0x87, + 0xe8, 0xfa, 0xb2, 0xde, 0xcb, 0xf8, 0x6e, 0x58, 0xde, 0xcb, + 0x09, 0x54, 0x8a, 0x9f, 0x46, 0xa3, 0x7e, 0x8d, 0x15, 0xff, + 0x1b, 0x0d, 0x89, 0xc4, 0x1a, 0x21, 0x31, 0x5e, 0xed, 0x0b, + 0x67, 0x3c, 0x70, 0xed, 0x92, 0x48, 0xef, 0xec, 0xf0, 0x77, + 0xc2, 0x79, 0x6c, 0x06, 0x09, 0xaa, 0xab, 0xf6, 0x4c, 0xcd, + 0xfa, 0x7e, 0x4a, 0x88, 0xdc, 0xa8, 0x9b, 0xd3, 0x69, 0x94, + 0x88, 0x09, 0x1d, 0x30, 0x43, 0x9e, 0x2c, 0xcb, 0x01, 0x1d, + 0x4a, 0x3b, 0x04, 0xec, 0x0e, 0xb1, 0xde, 0x09, 0xad, 0x29, + 0x02, 0x82, 0x01, 0xe1, 0x00, 0x9f, 0x02, 0x13, 0x7a, 0xd0, + 0xa9, 0x8a, 0x7a, 0xa0, 0x05, 0xbb, 0x44, 0x6f, 0xaf, 0xf7, + 0xe3, 0xd4, 0x35, 0xef, 0x73, 0x39, 0xd5, 0xe0, 0xa2, 0x0f, + 0x1a, 0x25, 0xa8, 0xf7, 0xc2, 0xa5, 0xec, 0x57, 0xf8, 0x0d, + 0x2a, 0xb6, 0x64, 0x03, 0x8c, 0x22, 0x0f, 0xe7, 0x98, 0xa1, + 0x12, 0xfe, 0x24, 0xef, 0x61, 0x28, 0x9f, 0xa7, 0x22, 0x6b, + 0x6d, 0xab, 0x8d, 0x7d, 0x2a, 0x8b, 0xae, 0x8b, 0xfd, 0xcb, + 0xd5, 0x0b, 0x79, 0x1b, 0x89, 0xcb, 0x5b, 0x7a, 0x8c, 0xdc, + 0xe8, 0x8d, 0xdd, 0x35, 0x9f, 0x06, 0x69, 0x64, 0x12, 0xeb, + 0x46, 0x79, 0xdf, 0x82, 0x2c, 0x89, 0x75, 0x9e, 0x7a, 0xec, + 0xad, 0xe5, 0x88, 0x31, 0xfa, 0x86, 0x93, 0xca, 0xf1, 0x2d, + 0x9b, 0x62, 0x5a, 0xe9, 0x43, 0x09, 0xf3, 0x8c, 0xe5, 0xc7, + 0xc0, 0xce, 0x86, 0xe7, 0xdb, 0xc7, 0x4d, 0x27, 0xd5, 0xee, + 0x76, 0xce, 0x35, 0x30, 0x47, 0xef, 0x00, 0x1b, 0x69, 0x9a, + 0x3f, 0xa5, 0x2a, 0xc9, 0x07, 0xab, 0x99, 0xba, 0x2a, 0xe7, + 0xfb, 0xa9, 0x4e, 0xb9, 0xae, 0x2c, 0x50, 0xfc, 0x35, 0x49, + 0xe6, 0x97, 0x78, 0x3c, 0xb1, 0x59, 0xd7, 0x1d, 0x4e, 0x4e, + 0xea, 0xde, 0xa0, 0xd0, 0xc4, 0x1d, 0xb1, 0xd3, 0x53, 0x1e, + 0xf9, 0xbf, 0xb3, 0x6a, 0x17, 0xb4, 0xda, 0xcc, 0x27, 0x19, + 0xc6, 0x35, 0xe8, 0x28, 0xd3, 0xe3, 0x76, 0x3a, 0xdc, 0xd0, + 0x75, 0xc8, 0xb4, 0x6c, 0xbe, 0x84, 0x2a, 0x45, 0xd1, 0x43, + 0x22, 0x54, 0xd7, 0xc5, 0xd0, 0xd7, 0x73, 0x35, 0x6b, 0xa8, + 0xfa, 0xad, 0x60, 0xc0, 0x64, 0xc1, 0x58, 0x89, 0x09, 0x81, + 0x0a, 0x0b, 0xea, 0x33, 0x91, 0xb0, 0xef, 0x53, 0x50, 0x41, + 0xae, 0xd9, 0xee, 0xbe, 0x9e, 0xf0, 0x0b, 0xa0, 0x7c, 0xbf, + 0x3f, 0xc9, 0x4b, 0xe0, 0x48, 0xd8, 0x10, 0xd5, 0x2e, 0xce, + 0xf0, 0x7c, 0xd8, 0x05, 0xde, 0x09, 0x7e, 0x8c, 0x63, 0x4c, + 0xdb, 0x8b, 0x91, 0xcd, 0x7f, 0xb6, 0x6b, 0xad, 0xce, 0xb1, + 0x17, 0x6c, 0xf7, 0x08, 0x0d, 0x7c, 0xda, 0x4f, 0x0a, 0x07, + 0xd0, 0xae, 0x72, 0x3c, 0x67, 0x4a, 0x44, 0x54, 0x47, 0xce, + 0xe1, 0x17, 0x07, 0x12, 0xde, 0x52, 0xef, 0xef, 0x4c, 0x2b, + 0x42, 0x7d, 0x09, 0x80, 0x36, 0x34, 0xdc, 0x45, 0x6f, 0xb0, + 0x2d, 0xab, 0xa0, 0x0c, 0x58, 0xae, 0x35, 0xd3, 0x9b, 0x37, + 0xc1, 0x1d, 0xeb, 0xfe, 0xc3, 0x04, 0xc9, 0x1d, 0xe7, 0x3d, + 0x16, 0x64, 0xed, 0xf5, 0xe8, 0xdf, 0x99, 0xa4, 0xfb, 0xad, + 0x79, 0x88, 0xd5, 0x8c, 0x62, 0x33, 0x9e, 0x35, 0xa6, 0x7f, + 0x9d, 0xb6, 0x1a, 0x40, 0x6d, 0xc3, 0x89, 0x5d, 0x7b, 0xe2, + 0xc8, 0xd3, 0x16, 0x13, 0x07, 0x9a, 0x38, 0x22, 0x33, 0x03, + 0xac, 0x70, 0x3e, 0xce, 0x32, 0x56, 0x0b, 0x58, 0x56, 0xb8, + 0xe9, 0xd8, 0x42, 0x35, 0x6c, 0xb9, 0x02, 0xb3, 0x64, 0xeb, + 0xaa, 0x09, 0x3f, 0xac, 0x66, 0x08, 0xb4, 0x5f, 0x3e, 0xb4, + 0xec, 0x39, 0xb1, 0x99, 0xe4, 0x5d, 0x1d, 0x32, 0x14, 0xc1, + 0x48, 0x8f, 0x6c, 0x65, 0x87, 0x34, 0x50, 0xa4, 0xf4, 0x9b, + 0x5b, 0x2e, 0xb5, 0x79, 0x0d, 0x11, 0x62, 0xa4, 0x35, 0x9c, + 0x6f, 0x92, 0xd0, 0x68, 0x07, 0xdd, 0x69, 0x85, 0x48, 0xe3, + 0x5d, 0x10, 0x34, 0xaf, 0xea, 0x41, 0x72, 0x5a, 0x71, 0x00, + 0xf8, 0xe6, 0x47, 0x7f, 0xa0, 0x6f, 0x91, 0x96, 0x40, 0x00, + 0x40, 0x70, 0xfb, 0x63, 0xcf, 0xc9, 0x36, 0x04, 0x1c, 0x3b, + 0x11, 0x08, 0x29, 0x81, 0x9f +}; + +static unsigned char test15360[] = { + 0x30, 0x82, 0x21, 0xe8, 0x02, 0x01, 0x00, 0x02, 0x82, 0x07, + 0x81, 0x00, 0xad, 0x3f, 0xaa, 0xdc, 0x8c, 0x85, 0xcb, 0x60, + 0xd2, 0xf5, 0x30, 0xa1, 0x0f, 0x26, 0xec, 0xdf, 0xfc, 0x91, + 0x39, 0xbd, 0x3e, 0x8f, 0x99, 0x64, 0x1e, 0x51, 0xd2, 0x27, + 0x5e, 0x76, 0xcd, 0x86, 0x33, 0x07, 0xf9, 0xbd, 0x3b, 0x06, + 0xc3, 0x3c, 0x85, 0xcb, 0x7e, 0x91, 0x14, 0xb0, 0x0b, 0x77, + 0x22, 0x30, 0x71, 0xb8, 0xbb, 0x74, 0x30, 0x33, 0x35, 0x56, + 0x34, 0x47, 0x10, 0x8f, 0x88, 0xe2, 0x6f, 0xdc, 0x3b, 0xe9, + 0x58, 0x9d, 0x0c, 0xdc, 0x8f, 0x70, 0x41, 0x7a, 0x12, 0xd2, + 0x9a, 0x35, 0xbe, 0x0a, 0x57, 0x13, 0x0c, 0xe9, 0xbf, 0x77, + 0x54, 0x00, 0x74, 0xb7, 0x1a, 0x3e, 0xa7, 0xe9, 0xb6, 0xe7, + 0x4f, 0x1e, 0xa4, 0xc0, 0x7c, 0x4c, 0x66, 0xc5, 0xce, 0xad, + 0x96, 0x1b, 0xe2, 0x1a, 0xf1, 0x3d, 0x8b, 0x50, 0xcf, 0xe2, + 0x15, 0x21, 0x6d, 0x83, 0x95, 0x00, 0xee, 0x97, 0xc4, 0xae, + 0xc9, 0x38, 0x62, 0x6c, 0xb2, 0xe7, 0x7f, 0x15, 0x0a, 0xab, + 0x86, 0xb9, 0xd9, 0x8a, 0xf8, 0xeb, 0x88, 0x5d, 0xdc, 0x0c, + 0x1e, 0xc5, 0xe6, 0xa1, 0x7b, 0xbf, 0xf1, 0x02, 0xe3, 0xad, + 0xf8, 0xed, 0x17, 0x9f, 0x83, 0x11, 0x31, 0x3b, 0xad, 0xb4, + 0xf9, 0x8d, 0x1d, 0x56, 0x9b, 0xac, 0x68, 0x55, 0x0a, 0x74, + 0x20, 0xee, 0x57, 0xe7, 0x1c, 0x6d, 0x05, 0xa1, 0x4e, 0xa5, + 0x11, 0x99, 0xb4, 0x86, 0xdb, 0x58, 0xe7, 0xf6, 0xb6, 0x4f, + 0x92, 0x58, 0x57, 0x9b, 0x74, 0x04, 0xe5, 0xd1, 0x1d, 0x7c, + 0x4b, 0xb8, 0x1f, 0x5d, 0x0e, 0x93, 0xee, 0x44, 0x18, 0xb6, + 0x58, 0x0e, 0xa1, 0x0b, 0x8e, 0x2e, 0x99, 0x4c, 0x72, 0x91, + 0xfa, 0xfa, 0xe2, 0x22, 0x05, 0x5d, 0x2b, 0x2d, 0xd8, 0x60, + 0xd5, 0x1b, 0x08, 0x56, 0x2b, 0xb5, 0x21, 0xdb, 0x1a, 0xe6, + 0xa8, 0x39, 0xa2, 0xf4, 0x58, 0xcb, 0xd2, 0xf9, 0xce, 0xc0, + 0x1e, 0x1b, 0xf9, 0xa7, 0x37, 0xca, 0xa3, 0x77, 0x6e, 0xb1, + 0xaf, 0x33, 0xb5, 0x6d, 0x5f, 0x33, 0x2e, 0x1a, 0x34, 0xdb, + 0x42, 0xbe, 0x5f, 0xf9, 0x09, 0xb7, 0x9f, 0xd4, 0x09, 0xfb, + 0x87, 0x13, 0x3c, 0xe2, 0x27, 0xb8, 0xf3, 0x1d, 0x7e, 0x92, + 0xdd, 0x87, 0x86, 0x55, 0x69, 0x9b, 0x55, 0xcd, 0xef, 0x7a, + 0x71, 0x5d, 0x81, 0x3a, 0xd9, 0xf7, 0x7f, 0xde, 0xe0, 0x92, + 0xd9, 0x78, 0x0f, 0x1d, 0x43, 0xb1, 0x1e, 0x29, 0xc1, 0x49, + 0xb6, 0x5e, 0x85, 0x83, 0xd9, 0x04, 0xfd, 0x79, 0xd8, 0x47, + 0x03, 0x2e, 0x85, 0x19, 0xfd, 0x63, 0xe7, 0xa4, 0x8b, 0xc0, + 0x94, 0x0e, 0xb7, 0x54, 0x97, 0xd6, 0x44, 0x5d, 0x63, 0x12, + 0xff, 0xdd, 0xde, 0x2c, 0x00, 0x0e, 0xc9, 0xca, 0x7e, 0xa2, + 0x65, 0x25, 0xb0, 0x1d, 0xa9, 0x20, 0x4f, 0xdd, 0xea, 0x3a, + 0xb5, 0xe8, 0x0f, 0xf3, 0xb2, 0xb7, 0x00, 0x4a, 0xe8, 0xa4, + 0x83, 0x49, 0xbd, 0x78, 0xdf, 0xac, 0x2c, 0x37, 0x81, 0xb3, + 0xf3, 0xb7, 0x13, 0x93, 0x3e, 0xb2, 0x79, 0x55, 0xf2, 0xd8, + 0x9c, 0xf7, 0xf2, 0xf1, 0xd5, 0x6c, 0x9c, 0xff, 0xec, 0xf4, + 0xea, 0x08, 0x3c, 0x65, 0x35, 0xb7, 0x09, 0x03, 0x6d, 0x99, + 0x1d, 0x5b, 0x73, 0x06, 0x61, 0xb4, 0xf0, 0xc5, 0xdb, 0x3e, + 0xe0, 0x1d, 0xa8, 0x5b, 0x7a, 0x5b, 0x5b, 0x9c, 0x11, 0x75, + 0x83, 0x1d, 0xf4, 0x73, 0x27, 0xf3, 0x79, 0xf2, 0x82, 0xd6, + 0x28, 0x45, 0x58, 0x23, 0x6c, 0x29, 0xd3, 0x50, 0x51, 0x1b, + 0x38, 0xef, 0x89, 0x90, 0x84, 0xa2, 0x4c, 0x35, 0x7b, 0x30, + 0x5e, 0xbd, 0x1a, 0xd5, 0xdf, 0xcd, 0xcd, 0x74, 0x3f, 0x2e, + 0x01, 0xea, 0x33, 0x07, 0x74, 0xfb, 0x86, 0x75, 0x20, 0x0e, + 0x4f, 0xbf, 0x65, 0xd4, 0x15, 0x19, 0x6f, 0x8d, 0x37, 0xcd, + 0xb6, 0x6f, 0x50, 0x9d, 0x5e, 0x04, 0x81, 0x7d, 0xec, 0xd6, + 0xbb, 0x40, 0x1b, 0xe0, 0xf5, 0xd5, 0x86, 0x26, 0xc5, 0x41, + 0x84, 0x0e, 0x3e, 0x73, 0xb7, 0xa4, 0xbe, 0x2a, 0xfe, 0xd7, + 0xe4, 0x4d, 0x5c, 0x2d, 0x6a, 0x04, 0xe6, 0xdd, 0x28, 0xa0, + 0x75, 0x4c, 0xe0, 0x23, 0x2c, 0xad, 0xec, 0xaa, 0x72, 0xfd, + 0x03, 0xc0, 0x65, 0xfa, 0xc4, 0x3c, 0x25, 0x10, 0xae, 0x3f, + 0x09, 0x96, 0x4e, 0xff, 0xfe, 0xc7, 0xe4, 0x9e, 0xec, 0xb5, + 0x6e, 0xec, 0xf3, 0x7a, 0x83, 0x7a, 0x8b, 0xbb, 0x91, 0x8d, + 0xab, 0x3c, 0x4d, 0x7f, 0x34, 0x77, 0xbe, 0x0c, 0x87, 0xf2, + 0xc3, 0xd6, 0xcb, 0xcc, 0xfa, 0x1e, 0xaf, 0x21, 0x24, 0xe9, + 0xaa, 0x89, 0x61, 0x0c, 0x7a, 0x1c, 0x7d, 0x00, 0x87, 0x69, + 0x30, 0xa0, 0xb4, 0x3b, 0x96, 0x1c, 0x00, 0x14, 0x07, 0xb8, + 0x3f, 0x59, 0x62, 0x3a, 0x3f, 0xfb, 0x68, 0xb8, 0x81, 0x7d, + 0x4a, 0x9d, 0x1c, 0xa2, 0x07, 0xa3, 0xb1, 0x42, 0x7b, 0xfa, + 0x9b, 0xbc, 0x94, 0x30, 0x7e, 0xea, 0xe7, 0x40, 0x7e, 0xd4, + 0x0f, 0x33, 0x3b, 0x57, 0xda, 0x8b, 0x6d, 0x64, 0xd5, 0xe4, + 0x91, 0x83, 0xf0, 0x3d, 0xae, 0x8b, 0x91, 0xf0, 0xcd, 0xb1, + 0xa0, 0xe0, 0x0d, 0xe1, 0xbb, 0x22, 0x78, 0x1f, 0x3a, 0xe5, + 0x53, 0x28, 0xf0, 0x35, 0xae, 0x71, 0xe6, 0xfd, 0x63, 0xb2, + 0x9c, 0x3f, 0xdd, 0x95, 0x7b, 0xc4, 0xe9, 0x2f, 0xd9, 0x93, + 0x3a, 0x10, 0x42, 0x1c, 0x90, 0xab, 0xfb, 0xd3, 0x02, 0xe9, + 0x59, 0xbc, 0x53, 0x7e, 0xf3, 0xe1, 0x52, 0x15, 0xa6, 0x58, + 0x9e, 0xc1, 0xa6, 0x0e, 0x2e, 0x35, 0x07, 0x3a, 0xc3, 0x1f, + 0xaa, 0x58, 0xe7, 0xc6, 0x33, 0x6a, 0x39, 0x4b, 0x21, 0x15, + 0x3d, 0x92, 0x4e, 0x5e, 0xf9, 0x01, 0xd6, 0x0f, 0x28, 0x61, + 0x15, 0xdf, 0xed, 0x6f, 0x75, 0xc4, 0x8f, 0xcb, 0x16, 0x55, + 0x09, 0xc7, 0x24, 0xb2, 0x0c, 0x49, 0x25, 0x8d, 0x5e, 0xf1, + 0x0e, 0xe0, 0xe2, 0xc4, 0xcc, 0x1f, 0x4e, 0x60, 0x5c, 0x5e, + 0xc6, 0x7f, 0x68, 0x7f, 0xdb, 0x1a, 0x01, 0x67, 0x07, 0xb1, + 0x56, 0x93, 0xf2, 0x26, 0x81, 0xc0, 0x33, 0xb8, 0x48, 0xf9, + 0x2c, 0x5c, 0x18, 0x29, 0xed, 0xe0, 0x6c, 0xa0, 0xac, 0xd2, + 0x90, 0x4b, 0x52, 0x87, 0xbb, 0xb5, 0x05, 0xd8, 0x56, 0xc5, + 0xb8, 0x8f, 0x3f, 0x49, 0x52, 0x9a, 0xa2, 0xd0, 0x40, 0x80, + 0x5b, 0x16, 0x15, 0xbc, 0x74, 0x8e, 0x00, 0x10, 0xaf, 0xfb, + 0x6d, 0xba, 0xcb, 0xbc, 0xe6, 0x13, 0x75, 0xce, 0x27, 0xae, + 0x85, 0x57, 0x6c, 0xc0, 0x8a, 0x84, 0x6f, 0x34, 0x16, 0xd4, + 0x35, 0xd2, 0xcc, 0x55, 0x00, 0xc1, 0xd8, 0x28, 0x2c, 0x9c, + 0x84, 0x78, 0xbf, 0xf0, 0x3b, 0x0d, 0x9f, 0x81, 0xd4, 0xef, + 0x99, 0x77, 0x53, 0xd2, 0x8e, 0x43, 0x52, 0xf0, 0x32, 0x7e, + 0xba, 0xbf, 0xb6, 0x0e, 0x9d, 0x9b, 0x00, 0xd0, 0x50, 0x55, + 0x67, 0x5a, 0x2c, 0x8b, 0x9b, 0x29, 0xfb, 0x41, 0x74, 0x4c, + 0xb7, 0xd8, 0x98, 0xa2, 0xfb, 0x73, 0x07, 0x96, 0xef, 0xcd, + 0x47, 0x13, 0x1d, 0xe2, 0xb1, 0xac, 0xf3, 0xcf, 0x47, 0x98, + 0x7b, 0x6f, 0xf6, 0x32, 0x44, 0x41, 0x78, 0x09, 0x8e, 0x64, + 0x0c, 0xbf, 0xe2, 0x0f, 0x8c, 0x44, 0x2f, 0x4e, 0x55, 0xe0, + 0xc6, 0xfd, 0x05, 0x74, 0x18, 0x1a, 0xb9, 0xfa, 0xcb, 0xd3, + 0xfa, 0x69, 0x50, 0x63, 0xce, 0x2b, 0xef, 0x92, 0x0f, 0x11, + 0xd4, 0x9b, 0x53, 0x6c, 0xed, 0xc5, 0x0b, 0x7c, 0xbd, 0xa1, + 0x5d, 0xdf, 0xab, 0xcf, 0xaa, 0x83, 0x5e, 0xa8, 0xc5, 0xfe, + 0x91, 0x2b, 0x23, 0x1f, 0x39, 0x3d, 0x71, 0x74, 0xbf, 0xa2, + 0xf1, 0xda, 0x2f, 0x29, 0x02, 0x9b, 0xea, 0x48, 0x2c, 0xaf, + 0xe7, 0xa9, 0xf5, 0x68, 0xab, 0x8f, 0x18, 0xb9, 0x7b, 0x28, + 0xf0, 0x92, 0xfb, 0x07, 0xd7, 0xbd, 0x43, 0xcd, 0x7f, 0xfc, + 0xb9, 0x5f, 0x24, 0xf8, 0x48, 0x2e, 0xbe, 0x42, 0x87, 0x80, + 0x38, 0x78, 0x9e, 0x8c, 0x52, 0x6d, 0xfa, 0x2e, 0x46, 0x35, + 0x7a, 0x59, 0x88, 0xb9, 0x3e, 0xcb, 0x79, 0xb4, 0x8a, 0x9e, + 0xd5, 0xd0, 0x30, 0x8c, 0xb2, 0x0c, 0x9d, 0x8d, 0x2d, 0x64, + 0x0b, 0xf6, 0xeb, 0xf1, 0xde, 0xea, 0x74, 0xfc, 0xbc, 0x01, + 0x18, 0x48, 0x4e, 0x35, 0x02, 0x83, 0x01, 0xb2, 0x50, 0xa0, + 0x44, 0x19, 0x30, 0x00, 0x12, 0x4a, 0xa0, 0x6d, 0x6b, 0x8b, + 0xf1, 0xce, 0xda, 0x2e, 0x16, 0x35, 0x52, 0x26, 0xf9, 0xbe, + 0xb1, 0x37, 0xfc, 0x0a, 0x8b, 0x6f, 0x06, 0x11, 0x7b, 0xf7, + 0xa8, 0x40, 0xbd, 0x8d, 0x94, 0xa4, 0xa2, 0xe0, 0xb6, 0xdf, + 0x62, 0xc0, 0x6f, 0xb3, 0x5d, 0x84, 0xb9, 0xaa, 0x2f, 0xc1, + 0x3b, 0xcb, 0x20, 0xc6, 0x68, 0x69, 0x15, 0x74, 0xbc, 0xdb, + 0x43, 0x9c, 0x4a, 0xfc, 0x72, 0xc1, 0xf5, 0x87, 0x80, 0xe8, + 0x6c, 0xd5, 0xc1, 0x2e, 0x34, 0x5e, 0x96, 0x76, 0x08, 0x3e, + 0x45, 0xe4, 0xa0, 0x4a, 0x7a, 0xc1, 0x67, 0x38, 0xf2, 0x31, + 0x1f, 0x7b, 0x0f, 0x54, 0xbd, 0x0d, 0x1f, 0x9e, 0x8e, 0x99, + 0x8b, 0x58, 0xd9, 0x94, 0x87, 0xaa, 0x8b, 0x82, 0x5d, 0x5e, + 0xe8, 0x50, 0xf4, 0xf2, 0xc7, 0xe9, 0x85, 0x6b, 0xd2, 0xef, + 0x13, 0xc1, 0xed, 0x57, 0x2a, 0xc5, 0xd6, 0x5d, 0xa4, 0x3b, + 0x29, 0xba, 0xab, 0x1b, 0xaa, 0x21, 0x41, 0xe9, 0xdc, 0x47, + 0x88, 0xef, 0x0c, 0xfc, 0xb2, 0xdc, 0xf7, 0xdb, 0x55, 0x4d, + 0x70, 0xc7, 0xe2, 0x8a, 0x8a, 0xe1, 0xde, 0xcf, 0xe5, 0xca, + 0x23, 0x36, 0x29, 0xe5, 0xfc, 0x54, 0x66, 0xda, 0xe9, 0xab, + 0x58, 0x20, 0xb2, 0x8e, 0xb2, 0x7d, 0x5d, 0xb8, 0xc7, 0x6c, + 0x48, 0x53, 0x2b, 0x47, 0xe0, 0x12, 0x00, 0x0e, 0xfe, 0xa5, + 0x93, 0x34, 0xf9, 0x3e, 0xa6, 0x3f, 0x56, 0xaa, 0x43, 0x65, + 0xbb, 0x5a, 0x70, 0x3e, 0x62, 0xac, 0x3f, 0x5b, 0x90, 0x02, + 0x50, 0x5d, 0x05, 0xa8, 0xd5, 0x67, 0x1a, 0x62, 0xec, 0xd4, + 0xde, 0x29, 0x04, 0xac, 0x6d, 0x15, 0x5d, 0xa0, 0xec, 0xf2, + 0x57, 0x13, 0x0e, 0x17, 0x96, 0x0c, 0x32, 0x6a, 0xc5, 0xe0, + 0xa8, 0xff, 0x85, 0xa4, 0xa3, 0xe3, 0x0e, 0x35, 0x5d, 0xd1, + 0x28, 0x84, 0xaa, 0xc4, 0x84, 0xcd, 0x25, 0x63, 0x85, 0x82, + 0x3e, 0x12, 0x30, 0x17, 0x57, 0x45, 0xb8, 0xb4, 0x34, 0x01, + 0x3a, 0xa2, 0x77, 0x61, 0xc8, 0x3d, 0x1f, 0xc5, 0x0e, 0x4a, + 0xbb, 0xf6, 0xa0, 0x5d, 0x79, 0x4b, 0xc8, 0xf3, 0x9c, 0x87, + 0x05, 0x2f, 0xea, 0x25, 0x28, 0x91, 0x69, 0x77, 0x7c, 0xba, + 0xea, 0x4a, 0x75, 0x2e, 0x2b, 0x17, 0x83, 0x50, 0x32, 0x43, + 0x4f, 0xcd, 0xf1, 0x77, 0xb1, 0x22, 0x0a, 0x8b, 0x69, 0x58, + 0x09, 0x35, 0x07, 0x6d, 0x61, 0x4a, 0x8d, 0x18, 0x65, 0x6e, + 0x9b, 0x62, 0x07, 0xd0, 0x6a, 0x92, 0x39, 0x05, 0x80, 0x14, + 0xfa, 0x1c, 0x93, 0x84, 0x0c, 0xb5, 0x8c, 0x41, 0x91, 0x4e, + 0x48, 0xf0, 0xf2, 0xba, 0x1d, 0x73, 0x2f, 0x1e, 0xa1, 0x55, + 0xc3, 0x02, 0x8c, 0xb1, 0xf2, 0x37, 0xa6, 0x9a, 0x6b, 0xcd, + 0x45, 0x2e, 0x08, 0x90, 0x26, 0x63, 0x91, 0xff, 0x22, 0x5e, + 0xcd, 0xae, 0x9b, 0x19, 0x1e, 0x10, 0x62, 0x4e, 0x1f, 0x2d, + 0x81, 0x69, 0x4f, 0x41, 0xe5, 0x94, 0xff, 0x7e, 0xcc, 0x15, + 0x36, 0x1e, 0x29, 0x59, 0x37, 0xe7, 0x64, 0x40, 0x17, 0x1a, + 0x32, 0xba, 0x01, 0x26, 0x30, 0x80, 0x60, 0x07, 0x86, 0x6e, + 0xd4, 0xb3, 0xe2, 0x44, 0x16, 0x33, 0xf2, 0x4c, 0x84, 0x0e, + 0xb1, 0x4a, 0xc7, 0x92, 0xa6, 0xa3, 0x42, 0x36, 0x05, 0x3e, + 0x74, 0xa8, 0xb1, 0xc5, 0x63, 0x59, 0x0d, 0x1e, 0x36, 0x45, + 0x2b, 0x36, 0x5e, 0xca, 0xab, 0x97, 0x49, 0xd3, 0xab, 0xae, + 0x63, 0x0a, 0xd1, 0x03, 0x57, 0x88, 0xa4, 0xa4, 0x3c, 0xda, + 0x15, 0x49, 0x1a, 0x5d, 0xe6, 0x5e, 0xb9, 0x82, 0x23, 0xc0, + 0x83, 0x96, 0xfe, 0x38, 0x0b, 0x80, 0x0e, 0xde, 0x22, 0xeb, + 0x5d, 0xe4, 0x56, 0x32, 0xbe, 0xe0, 0xc0, 0x6e, 0x69, 0x63, + 0x27, 0x4e, 0x00, 0x58, 0x80, 0x70, 0xd9, 0xcc, 0x4e, 0xae, + 0x6c, 0x5e, 0x6a, 0x43, 0x81, 0xfd, 0x45, 0xb2, 0xa4, 0x6c, + 0xf0, 0x9c, 0x66, 0x5c, 0x7d, 0x5c, 0x78, 0x55, 0x33, 0x4b, + 0x3c, 0x3b, 0x1d, 0x18, 0x58, 0x79, 0x6a, 0x02, 0xec, 0xce, + 0x53, 0x69, 0xc0, 0x17, 0xed, 0x57, 0xaf, 0x71, 0x5b, 0x42, + 0x1b, 0x49, 0xd8, 0xe8, 0x96, 0x80, 0xb6, 0x48, 0x1b, 0x7c, + 0xf8, 0x74, 0x1c, 0xb1, 0xc4, 0x10, 0xb7, 0xf4, 0x97, 0x7e, + 0x6b, 0x8f, 0x54, 0xba, 0x37, 0xb9, 0x35, 0x9e, 0x7b, 0x17, + 0x16, 0x9b, 0x89, 0x39, 0xae, 0x4f, 0x2e, 0x18, 0x65, 0xb4, + 0x76, 0x20, 0x9a, 0x58, 0xe2, 0x57, 0x6e, 0x1c, 0x3f, 0x8e, + 0x9a, 0xbb, 0xd8, 0xfc, 0x4c, 0xd6, 0x2d, 0xc1, 0xa6, 0x46, + 0xac, 0x13, 0x1e, 0xa7, 0xf7, 0x1d, 0x28, 0x3a, 0xf4, 0xd6, + 0x48, 0xfb, 0xe5, 0xb3, 0x84, 0x94, 0x47, 0x92, 0xae, 0x9a, + 0x58, 0xc5, 0xac, 0x23, 0x1b, 0xb5, 0xcd, 0x96, 0xd2, 0x5e, + 0xb2, 0x41, 0xfc, 0x9a, 0xae, 0x19, 0xf1, 0x7b, 0x4b, 0x53, + 0x1b, 0xfa, 0xa5, 0x0c, 0x49, 0x6d, 0xff, 0xf4, 0x51, 0x88, + 0x19, 0x04, 0xd9, 0x85, 0x8e, 0xe2, 0x3a, 0x62, 0x31, 0x5c, + 0x6e, 0xe8, 0x4d, 0x04, 0x1d, 0xd8, 0xc2, 0x7b, 0x51, 0xe7, + 0x59, 0xbc, 0x85, 0x5c, 0xc4, 0xcc, 0xad, 0xcb, 0x93, 0x69, + 0x18, 0xe4, 0x71, 0x9e, 0x63, 0x33, 0x99, 0xb6, 0x3b, 0x23, + 0x11, 0x17, 0x7a, 0x3d, 0x6f, 0xb9, 0x6b, 0xf1, 0xf2, 0xa7, + 0x03, 0xfd, 0xf0, 0xcd, 0x5b, 0xb5, 0xda, 0x9a, 0xd9, 0x95, + 0x02, 0x76, 0xd8, 0x38, 0xd3, 0xbd, 0xa0, 0x4a, 0x9a, 0xab, + 0x70, 0xde, 0xc6, 0xf9, 0xa5, 0x19, 0x9c, 0xc4, 0xf9, 0x07, + 0x4d, 0xea, 0x15, 0xc2, 0x91, 0x4d, 0x54, 0xa9, 0x2c, 0xca, + 0xdf, 0xaa, 0xd1, 0xc4, 0xc0, 0x18, 0x77, 0x28, 0x2a, 0x2c, + 0xc3, 0x7c, 0x26, 0xbd, 0xd8, 0x0d, 0x51, 0xa1, 0x4d, 0xad, + 0x76, 0x76, 0xaa, 0xa9, 0x45, 0x82, 0x4f, 0x76, 0xfb, 0x1a, + 0xd3, 0x71, 0x3c, 0x55, 0xa2, 0x5c, 0xe0, 0xd6, 0xda, 0x35, + 0xbe, 0x25, 0x23, 0x26, 0x51, 0xc6, 0xb4, 0xf3, 0x3e, 0x2c, + 0x54, 0x09, 0xc7, 0x6f, 0xa5, 0x08, 0x81, 0xba, 0x75, 0xda, + 0xcb, 0x4d, 0x05, 0xdd, 0xca, 0x93, 0x48, 0x30, 0xe8, 0x4a, + 0x1f, 0xfd, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x07, + 0x80, 0x25, 0x2f, 0xbc, 0x49, 0xf8, 0xb3, 0xa3, 0x32, 0xd6, + 0x35, 0x20, 0xca, 0x01, 0x49, 0x96, 0xa0, 0x81, 0x42, 0xde, + 0xc4, 0xdb, 0x0f, 0xd1, 0x99, 0xe6, 0xd4, 0x23, 0x2a, 0xa6, + 0x21, 0x13, 0xfe, 0x51, 0x27, 0xce, 0x18, 0x2a, 0xfa, 0x49, + 0x9f, 0xcd, 0x0c, 0x1f, 0xcf, 0x9e, 0x44, 0x27, 0x41, 0xdc, + 0x09, 0xcf, 0xef, 0x19, 0xf5, 0x57, 0x7f, 0x36, 0x5c, 0x99, + 0x7e, 0x03, 0x74, 0xfb, 0xa9, 0xb6, 0xde, 0xeb, 0xd1, 0x2b, + 0x5f, 0x12, 0x6a, 0xa9, 0x33, 0x2c, 0x2a, 0xba, 0xad, 0x8f, + 0xc2, 0x27, 0x57, 0x6a, 0xd7, 0x40, 0xf7, 0x4f, 0x4c, 0x9a, + 0xb0, 0x3a, 0x5d, 0x2e, 0xf9, 0xf1, 0xea, 0xbd, 0x82, 0xaa, + 0xbd, 0xe6, 0x19, 0x16, 0xd5, 0x03, 0x5e, 0x43, 0xfd, 0x88, + 0x71, 0xd5, 0xb7, 0x78, 0xbe, 0x80, 0x0f, 0xc9, 0x7f, 0x3a, + 0x8f, 0xe1, 0x44, 0xd4, 0x0f, 0xce, 0x26, 0xaf, 0x65, 0xe0, + 0xf5, 0x04, 0x53, 0x56, 0x97, 0x4f, 0xf4, 0xc1, 0x44, 0x8d, + 0xf7, 0x88, 0x55, 0x47, 0x16, 0xaf, 0x3f, 0x8e, 0x42, 0xdf, + 0xbc, 0x14, 0xc3, 0xe6, 0x9f, 0x0d, 0x69, 0x54, 0x5b, 0x7c, + 0x49, 0xcf, 0xbf, 0x42, 0x4f, 0xc7, 0x64, 0x8a, 0xe5, 0x84, + 0x87, 0x20, 0x9b, 0xfd, 0x70, 0x25, 0x38, 0xd3, 0xb4, 0x97, + 0x78, 0xf1, 0x4f, 0x3f, 0x0f, 0xbb, 0x9c, 0xa3, 0x17, 0xd5, + 0x4e, 0x4b, 0xac, 0x82, 0x9a, 0x73, 0xb7, 0xc5, 0xec, 0x10, + 0x7a, 0x7b, 0xdb, 0x77, 0x2c, 0xb1, 0xf3, 0x8f, 0xc3, 0xa5, + 0x31, 0x11, 0x32, 0x55, 0x35, 0xb5, 0x77, 0xd2, 0x62, 0x19, + 0x46, 0x92, 0x94, 0xbb, 0x61, 0x0f, 0x30, 0x94, 0x8a, 0xf6, + 0xf7, 0x30, 0xe0, 0xa2, 0x8c, 0x1b, 0xff, 0x8c, 0x29, 0x44, + 0xb4, 0xb7, 0xb6, 0x5f, 0x4d, 0x52, 0xc6, 0x07, 0xe1, 0x28, + 0x8c, 0xae, 0x88, 0x8a, 0x22, 0xbd, 0xd7, 0x36, 0xe4, 0x8f, + 0xd1, 0xeb, 0x65, 0x54, 0x19, 0x5f, 0xba, 0xfb, 0xfc, 0x91, + 0xa1, 0xa4, 0xb8, 0xa4, 0x2d, 0x85, 0x20, 0xc4, 0xe5, 0xa7, + 0x4e, 0xdb, 0xa4, 0xc5, 0xcc, 0x2f, 0x37, 0x41, 0x29, 0x47, + 0x15, 0xff, 0x04, 0x80, 0x08, 0x37, 0xce, 0xc5, 0xe3, 0x5a, + 0x3f, 0x83, 0xbb, 0x03, 0x9e, 0xfe, 0xec, 0xe4, 0x11, 0x41, + 0x12, 0x13, 0xf2, 0x00, 0xe5, 0x1a, 0x02, 0x49, 0xeb, 0xdb, + 0x57, 0xe4, 0xce, 0xa0, 0x3f, 0xfd, 0x3c, 0x73, 0x2b, 0x92, + 0x44, 0x79, 0x9e, 0x12, 0x4f, 0xfa, 0xe4, 0x53, 0x62, 0xf2, + 0xb0, 0xe2, 0x8a, 0xf0, 0x93, 0xa8, 0x1d, 0xee, 0x8d, 0x58, + 0x7a, 0x4c, 0x29, 0x91, 0x29, 0xc1, 0xa4, 0xd5, 0xe6, 0x37, + 0x1b, 0x75, 0x5b, 0xb6, 0x6b, 0x76, 0x2e, 0xcb, 0xbd, 0xa9, + 0xbe, 0x4c, 0x2e, 0x21, 0xa6, 0x38, 0xde, 0x66, 0x2f, 0x51, + 0xea, 0x4c, 0xba, 0x3f, 0x4a, 0xfe, 0x7a, 0x15, 0xb3, 0x72, + 0x26, 0xba, 0xcf, 0x9e, 0x1b, 0x03, 0xa6, 0xaa, 0x65, 0x68, + 0xd3, 0x8c, 0x15, 0x17, 0xe9, 0x11, 0x18, 0x3c, 0xb6, 0xf8, + 0x02, 0x54, 0x98, 0x49, 0xfa, 0x35, 0x3c, 0xcd, 0xac, 0xc8, + 0x2b, 0x1a, 0x63, 0x93, 0x03, 0x05, 0xa1, 0x41, 0xbe, 0x12, + 0xca, 0x15, 0x47, 0x72, 0x63, 0x77, 0x26, 0xd0, 0xe7, 0x8f, + 0x0d, 0x6e, 0x9c, 0xac, 0x07, 0xbe, 0x03, 0x22, 0xd0, 0x39, + 0x63, 0x8d, 0x9b, 0xc6, 0x20, 0x81, 0xb5, 0x67, 0x15, 0xf6, + 0xb0, 0xe3, 0xb9, 0x3e, 0xb7, 0x3f, 0x8f, 0x46, 0xc9, 0x74, + 0x10, 0x1e, 0x53, 0xf1, 0xd4, 0x30, 0x4d, 0x6e, 0x72, 0xb4, + 0x73, 0x1c, 0xb6, 0x79, 0x82, 0x60, 0x2e, 0x2a, 0x7d, 0x82, + 0x95, 0xb5, 0x7c, 0x4d, 0x44, 0xcb, 0xd8, 0x8a, 0x17, 0xe8, + 0x50, 0x29, 0xd8, 0x3a, 0xeb, 0x29, 0xc1, 0x83, 0x0f, 0xd9, + 0xaf, 0xcc, 0xfa, 0xea, 0x3a, 0x47, 0x5d, 0x33, 0x1f, 0xe8, + 0x33, 0x5b, 0x88, 0x8e, 0xdb, 0xd5, 0x1e, 0xaf, 0x4a, 0x5f, + 0xc0, 0xfa, 0xf0, 0xb5, 0xa3, 0x5b, 0xda, 0x38, 0xb7, 0x38, + 0x5e, 0xce, 0x81, 0x44, 0xf7, 0x66, 0x62, 0x64, 0x1d, 0x04, + 0xf0, 0x8a, 0x4f, 0xa2, 0x80, 0x76, 0x83, 0x23, 0x89, 0x61, + 0x6b, 0xc3, 0xb7, 0xee, 0xb5, 0x06, 0x33, 0xad, 0x63, 0x04, + 0x78, 0xc9, 0xde, 0x32, 0xde, 0xcf, 0x18, 0xb9, 0xb0, 0x3b, + 0xee, 0x0a, 0x58, 0xea, 0xad, 0xbc, 0x1e, 0x77, 0xa0, 0x93, + 0xf7, 0xae, 0x9e, 0xb6, 0x31, 0x59, 0x8e, 0xb1, 0x03, 0x8f, + 0xbb, 0xa4, 0x25, 0x0c, 0x2e, 0xd7, 0xe2, 0x62, 0x5c, 0xf1, + 0x68, 0xe9, 0x76, 0xd7, 0x23, 0x14, 0x45, 0xaf, 0xcb, 0x09, + 0x50, 0x05, 0x3f, 0xa0, 0xf9, 0xc3, 0x9e, 0x89, 0x05, 0xa8, + 0x3b, 0x54, 0x55, 0x32, 0x74, 0x91, 0x46, 0xc1, 0x2c, 0x96, + 0x7e, 0x60, 0xad, 0xfa, 0xbb, 0xcd, 0x09, 0x7b, 0x39, 0x10, + 0x82, 0x8a, 0xc0, 0x5a, 0x0d, 0xab, 0xb3, 0x71, 0x45, 0xad, + 0x39, 0x8e, 0xec, 0x4d, 0x91, 0x8d, 0xda, 0x8d, 0xfa, 0xb0, + 0xad, 0x44, 0x3c, 0xc9, 0x21, 0x56, 0x22, 0xfc, 0xd3, 0xba, + 0xb7, 0x3c, 0xe3, 0x8d, 0xda, 0x59, 0x34, 0x42, 0xdd, 0x04, + 0x5b, 0x8e, 0x2b, 0xc7, 0x94, 0xd5, 0x42, 0xe0, 0x4a, 0x6f, + 0x35, 0x5a, 0x27, 0x82, 0xd8, 0x82, 0x40, 0xee, 0x0f, 0xa6, + 0xef, 0xe4, 0x70, 0xe3, 0x30, 0xb7, 0x2d, 0xd4, 0xbb, 0x27, + 0xb2, 0xbf, 0xad, 0x49, 0x45, 0xbc, 0xeb, 0xbe, 0xb7, 0xd8, + 0xe3, 0xb1, 0xf3, 0xeb, 0x41, 0x20, 0x9b, 0x21, 0x54, 0xc3, + 0xa8, 0xaf, 0x9f, 0x20, 0x5c, 0x15, 0x8e, 0x25, 0xbc, 0xbc, + 0x69, 0x91, 0xfe, 0xda, 0xad, 0xe5, 0x37, 0x7d, 0xb0, 0x51, + 0x14, 0xae, 0x8f, 0x35, 0x15, 0x0a, 0xd4, 0x49, 0xa7, 0xd9, + 0x20, 0x70, 0xa4, 0xf2, 0xf4, 0x24, 0x66, 0x52, 0xd1, 0xa5, + 0x22, 0xea, 0x29, 0xd9, 0xb2, 0x82, 0x8d, 0x36, 0x66, 0x75, + 0x6e, 0xd5, 0x8c, 0x54, 0x08, 0x21, 0xf2, 0xee, 0x78, 0xc7, + 0x1f, 0x9c, 0x63, 0x5d, 0x88, 0x56, 0xd1, 0xa0, 0x80, 0x33, + 0x60, 0x55, 0x23, 0x72, 0xd6, 0xb0, 0x1a, 0x50, 0xde, 0x25, + 0x70, 0xb5, 0x77, 0x42, 0xf8, 0x19, 0x18, 0x15, 0x8f, 0xfd, + 0x0c, 0x6a, 0x46, 0x1f, 0xbf, 0xe7, 0x60, 0x91, 0xe7, 0xbb, + 0x25, 0x63, 0x66, 0xff, 0x11, 0x97, 0xbb, 0xfd, 0x3a, 0x17, + 0x94, 0x77, 0xb4, 0xc5, 0x21, 0xba, 0x30, 0x94, 0xdd, 0xe5, + 0xeb, 0x1d, 0x01, 0xba, 0xf9, 0xb0, 0x30, 0xdb, 0x11, 0x93, + 0xb7, 0xfa, 0x79, 0xe8, 0x5e, 0xb3, 0x39, 0xf4, 0x51, 0x68, + 0x31, 0xce, 0xe9, 0x0e, 0x93, 0xde, 0xff, 0xec, 0x27, 0xbd, + 0xa6, 0x1a, 0x4c, 0xe0, 0x92, 0x5c, 0xd4, 0x07, 0xd2, 0xa1, + 0xdd, 0x12, 0x83, 0xd2, 0x9a, 0x79, 0xb3, 0x3c, 0xfb, 0x07, + 0xe3, 0x18, 0x1a, 0xa3, 0x24, 0x80, 0xb4, 0xcc, 0xf4, 0xc6, + 0xa5, 0x6c, 0x25, 0xd7, 0x99, 0x1a, 0x30, 0xf0, 0xa9, 0xfc, + 0x2e, 0x83, 0x44, 0xac, 0x64, 0x76, 0x34, 0xb0, 0xa6, 0x6f, + 0x20, 0x5a, 0x14, 0xf2, 0x07, 0xa7, 0x6f, 0x4d, 0xab, 0xf5, + 0xfc, 0x9d, 0xd6, 0x3e, 0x82, 0x48, 0x31, 0x25, 0x47, 0xc9, + 0x0e, 0x1d, 0xdb, 0x98, 0x91, 0x56, 0xf5, 0xfe, 0x66, 0x8d, + 0x48, 0xf0, 0x4c, 0x6c, 0x2c, 0x96, 0x54, 0x43, 0xec, 0x76, + 0xf2, 0xe1, 0x76, 0x68, 0xc8, 0xe1, 0xde, 0x0d, 0x8e, 0x6f, + 0xfc, 0x15, 0xd5, 0x93, 0x92, 0xfe, 0xca, 0x9b, 0x30, 0x61, + 0x03, 0x0b, 0xca, 0x99, 0x2f, 0xd3, 0x15, 0xe9, 0x66, 0x81, + 0xbd, 0x56, 0x17, 0x14, 0x4a, 0x2e, 0xf1, 0x34, 0x84, 0x55, + 0x9d, 0xc0, 0x2b, 0xa7, 0x4a, 0xee, 0xf1, 0x7c, 0x67, 0xc7, + 0xf3, 0x08, 0x1e, 0x6d, 0x6b, 0x5b, 0xcc, 0x81, 0x91, 0x5c, + 0x94, 0x1a, 0x80, 0xda, 0x3a, 0xce, 0x36, 0x05, 0xb0, 0x7a, + 0xe8, 0xd0, 0xb4, 0x57, 0x9c, 0xf9, 0xea, 0xf3, 0x26, 0x1d, + 0xcb, 0xf8, 0xdd, 0x65, 0xaf, 0xf7, 0xcd, 0xf7, 0xa1, 0x3d, + 0xfc, 0x9a, 0x3b, 0x08, 0xb9, 0xfa, 0x3c, 0x16, 0x49, 0x4a, + 0xf1, 0xba, 0x4d, 0x31, 0xdd, 0x5e, 0x4f, 0x3d, 0x66, 0x22, + 0x1b, 0x08, 0x91, 0x7d, 0xc6, 0xaf, 0x15, 0x07, 0x3c, 0xa1, + 0xf7, 0x07, 0xfd, 0x3e, 0x90, 0xbb, 0x6f, 0x7a, 0xe9, 0xe1, + 0x2f, 0xb9, 0xee, 0x91, 0x8e, 0x18, 0xcc, 0x8d, 0x1d, 0x22, + 0xa0, 0xa0, 0x28, 0x25, 0xfc, 0xd4, 0x94, 0xd3, 0xaa, 0xcf, + 0xce, 0xd0, 0x85, 0x82, 0x6f, 0x20, 0x9f, 0x55, 0x0e, 0xe5, + 0x72, 0x0d, 0x17, 0x3e, 0x34, 0xc7, 0x2c, 0x0a, 0x14, 0x45, + 0x27, 0xe2, 0xc7, 0x2f, 0x86, 0xa1, 0x55, 0x3e, 0x78, 0x03, + 0xe9, 0x78, 0x2e, 0xd3, 0x99, 0xee, 0xa0, 0x14, 0xf8, 0xe3, + 0x6c, 0xeb, 0x3f, 0x9a, 0xf3, 0x15, 0xce, 0xd5, 0x76, 0xf6, + 0x3a, 0x86, 0x30, 0x76, 0xf9, 0x88, 0x30, 0xf5, 0x4a, 0x50, + 0x58, 0x80, 0xe9, 0xd9, 0xd4, 0xb9, 0x34, 0x42, 0xa6, 0x4e, + 0x9c, 0x1a, 0x07, 0x16, 0x9e, 0xee, 0xe4, 0x88, 0x04, 0x8e, + 0xa8, 0xe7, 0xcd, 0xe8, 0x47, 0x1e, 0x54, 0x45, 0xd2, 0x65, + 0xd8, 0xee, 0x4b, 0xbd, 0xd0, 0x85, 0xaa, 0xfb, 0x06, 0x53, + 0x91, 0x7e, 0xe0, 0x59, 0x20, 0x57, 0x6a, 0xee, 0xd8, 0x9f, + 0x77, 0x7f, 0xd7, 0x40, 0x63, 0xbb, 0x21, 0x75, 0x76, 0x11, + 0x27, 0xcf, 0x05, 0xbb, 0x41, 0x30, 0x98, 0xbf, 0xdc, 0x5f, + 0xc6, 0xa4, 0x1e, 0x30, 0xa1, 0x53, 0xd4, 0x36, 0x7f, 0x2e, + 0x86, 0xd7, 0xd9, 0x95, 0x29, 0xd5, 0x46, 0x18, 0x60, 0x27, + 0xe4, 0x6f, 0xcb, 0xf4, 0xe2, 0xfe, 0xff, 0x3e, 0xff, 0x15, + 0xc6, 0xf2, 0x31, 0xf9, 0x2a, 0xc8, 0x05, 0x4e, 0x7c, 0x2e, + 0x92, 0xc8, 0x41, 0x4f, 0x9e, 0x23, 0x21, 0x4d, 0x74, 0xf8, + 0xc3, 0x44, 0x39, 0xc2, 0x69, 0x4b, 0x2e, 0x76, 0x5e, 0x44, + 0x12, 0x65, 0x31, 0x98, 0xbe, 0x0a, 0x10, 0x11, 0x12, 0x2c, + 0x67, 0x3d, 0x85, 0x2e, 0xd3, 0x97, 0x54, 0x1e, 0xb6, 0xad, + 0xd9, 0x45, 0x11, 0x53, 0x04, 0x7c, 0x3f, 0xf4, 0xc9, 0xac, + 0x82, 0x1b, 0x84, 0xf4, 0x20, 0x6b, 0xf1, 0xf5, 0x72, 0x04, + 0x24, 0xc1, 0xd3, 0x42, 0x43, 0x52, 0x9d, 0x2d, 0xd3, 0x89, + 0x8e, 0xd8, 0x28, 0xb9, 0xa2, 0xb4, 0xed, 0xbc, 0x76, 0x87, + 0x55, 0x67, 0x39, 0xd9, 0xb7, 0x20, 0x6a, 0xec, 0xec, 0xb8, + 0x14, 0x51, 0x91, 0xb9, 0x96, 0x0f, 0x7a, 0x3a, 0x12, 0xde, + 0x14, 0x3b, 0x83, 0xcf, 0x41, 0x5b, 0x5d, 0xff, 0x33, 0x68, + 0xdb, 0x53, 0x64, 0x93, 0xb1, 0xc3, 0x8a, 0x46, 0xa8, 0x44, + 0x9c, 0x14, 0x12, 0x6c, 0x92, 0x6f, 0xae, 0xc3, 0x45, 0xb2, + 0xa1, 0x67, 0x81, 0x3c, 0x22, 0x47, 0xfd, 0xa4, 0x7a, 0x79, + 0xa8, 0x0a, 0xfb, 0x7a, 0x91, 0x6e, 0xe9, 0x53, 0xec, 0x98, + 0x82, 0x57, 0xad, 0x05, 0x38, 0x55, 0xc1, 0xce, 0x3a, 0x04, + 0x4d, 0x12, 0x72, 0x37, 0x4a, 0x36, 0x54, 0x3f, 0x67, 0x8a, + 0xee, 0xd9, 0xf3, 0x80, 0xd5, 0xd7, 0xb8, 0xfc, 0x6e, 0x4f, + 0x60, 0x2b, 0x5a, 0xa4, 0xc5, 0x05, 0xdb, 0xe5, 0x09, 0xe3, + 0xeb, 0xa2, 0x51, 0x33, 0x30, 0x96, 0x46, 0x01, 0x26, 0x8f, + 0x38, 0xc9, 0x97, 0x32, 0x2d, 0xb4, 0x59, 0x15, 0x15, 0x38, + 0x66, 0x66, 0xfe, 0xcb, 0xee, 0xc1, 0xf6, 0x4e, 0xb7, 0xdf, + 0x7b, 0x63, 0xe6, 0x3f, 0xe0, 0x1c, 0x97, 0xed, 0x86, 0xf3, + 0xd2, 0xad, 0x42, 0x29, 0x20, 0x28, 0xa6, 0x59, 0x58, 0x7d, + 0x8f, 0x5c, 0x43, 0x07, 0xd1, 0x7e, 0x83, 0xba, 0x9c, 0x1b, + 0xfe, 0x17, 0x9e, 0xc8, 0x09, 0x63, 0x9a, 0x2d, 0x61, 0x33, + 0x51, 0x46, 0x01, 0xa8, 0xe9, 0x43, 0x1e, 0x4e, 0xfe, 0x61, + 0x1a, 0x28, 0x11, 0x65, 0x70, 0x43, 0x9f, 0xfc, 0x21, 0x1d, + 0x76, 0x7b, 0x40, 0x08, 0x18, 0xd3, 0xe8, 0xc2, 0xe3, 0x8c, + 0xe7, 0x27, 0xc2, 0xec, 0xb0, 0x08, 0x3e, 0x6b, 0x8f, 0x77, + 0x6d, 0x9e, 0xa6, 0xab, 0xce, 0x9a, 0xf8, 0x8f, 0x77, 0xb3, + 0xf4, 0xe8, 0x8b, 0xe7, 0xd9, 0xa1, 0x95, 0x40, 0x6b, 0xca, + 0x21, 0x98, 0xff, 0xdc, 0xdc, 0x96, 0xc3, 0x08, 0x81, 0x72, + 0x9a, 0xdd, 0xe2, 0xcf, 0x95, 0x99, 0xa6, 0xa3, 0x5e, 0x9e, + 0x25, 0x60, 0xa3, 0xc3, 0x39, 0xf7, 0x54, 0x6c, 0xf2, 0x75, + 0xa9, 0x38, 0x12, 0x38, 0x4d, 0x42, 0xe8, 0xec, 0x13, 0x25, + 0xa0, 0xf8, 0x04, 0xb8, 0xf6, 0x66, 0x0b, 0x56, 0xe1, 0xfb, + 0x26, 0x03, 0xe6, 0xa5, 0xf1, 0x4d, 0x7f, 0xa5, 0x9d, 0x58, + 0x71, 0xd8, 0xc7, 0x6a, 0xbe, 0xdc, 0x90, 0x89, 0xb1, 0x36, + 0xb4, 0xb6, 0xb4, 0xbb, 0xaf, 0x6e, 0x43, 0x10, 0xa6, 0xea, + 0xee, 0x12, 0xcb, 0x08, 0x2c, 0x4e, 0x66, 0xf0, 0x1f, 0xf4, + 0xbf, 0xd3, 0xeb, 0x63, 0x48, 0xd0, 0xbe, 0x8a, 0xed, 0x24, + 0xdb, 0x0f, 0x23, 0x1d, 0x2e, 0x30, 0x97, 0x0f, 0xd8, 0xc6, + 0x3b, 0x04, 0x2f, 0x33, 0x78, 0x20, 0x6e, 0xb1, 0x33, 0x03, + 0x27, 0xac, 0x0a, 0x37, 0x15, 0x31, 0xef, 0x4d, 0x43, 0xcc, + 0xa0, 0x49, 0x80, 0xe3, 0x8c, 0xc0, 0xf3, 0xf7, 0x2d, 0x37, + 0x1d, 0xd3, 0x90, 0x5f, 0xad, 0x31, 0xb5, 0x95, 0x17, 0x69, + 0x4b, 0xec, 0x84, 0x9d, 0x2b, 0x8d, 0xdd, 0x9b, 0x58, 0x04, + 0xba, 0x28, 0x0e, 0x28, 0xc1, 0x54, 0x6c, 0xb0, 0x25, 0x0c, + 0x4f, 0x98, 0x47, 0xf7, 0x93, 0xc2, 0xae, 0x2f, 0x6d, 0x29, + 0x9c, 0x3d, 0xe3, 0xb5, 0xe3, 0x28, 0x43, 0x14, 0xe6, 0x92, + 0x4c, 0x79, 0x90, 0x59, 0x75, 0x77, 0x56, 0x43, 0xda, 0xac, + 0xa9, 0x42, 0xd7, 0xca, 0x95, 0x73, 0x26, 0x54, 0x1f, 0x3a, + 0x8a, 0x37, 0x64, 0xd7, 0xcf, 0xe1, 0x31, 0xf7, 0x40, 0x59, + 0xfd, 0xff, 0xea, 0x72, 0xfd, 0xc4, 0xde, 0xe3, 0x4d, 0x8a, + 0xf5, 0x80, 0xc0, 0x61, 0x21, 0xbd, 0xbd, 0x8e, 0x42, 0xd5, + 0x4c, 0xe4, 0xf4, 0x78, 0x31, 0xca, 0xf1, 0xec, 0x7c, 0x7b, + 0x85, 0x6a, 0x05, 0x54, 0xbe, 0x38, 0x54, 0x2f, 0x1f, 0xda, + 0x9f, 0x98, 0xe2, 0x79, 0xd7, 0x42, 0xca, 0xba, 0x85, 0x21, + 0xe2, 0xcb, 0x2b, 0xae, 0x4a, 0x4e, 0x35, 0xfb, 0xcf, 0x3d, + 0xc5, 0xae, 0x27, 0x30, 0xa9, 0x45, 0xe6, 0x3b, 0x43, 0x3e, + 0x35, 0xe3, 0xf2, 0x0d, 0x53, 0x32, 0x2b, 0xf6, 0xe6, 0xc7, + 0xd5, 0x02, 0x82, 0x03, 0xc1, 0x00, 0xd4, 0x04, 0x9b, 0xef, + 0x5d, 0x58, 0xb0, 0xa3, 0xaa, 0xd2, 0xab, 0x53, 0x65, 0x99, + 0x03, 0x49, 0x48, 0x4d, 0xf5, 0xdf, 0x5d, 0x16, 0x14, 0x11, + 0x60, 0x45, 0x1b, 0xff, 0x4a, 0x60, 0x2b, 0x37, 0x63, 0xf6, + 0xa7, 0x8a, 0xa8, 0xff, 0x08, 0x97, 0x08, 0xfc, 0xbb, 0xb3, + 0x20, 0xa3, 0xcd, 0xd9, 0x58, 0xdb, 0x16, 0x1b, 0x88, 0x02, + 0x1e, 0x0f, 0x43, 0x9b, 0x16, 0x7e, 0xbe, 0xb1, 0x9c, 0x13, + 0x10, 0xdc, 0xa1, 0x56, 0xff, 0xa3, 0xff, 0x5e, 0x69, 0x30, + 0xee, 0x7e, 0x76, 0x5f, 0x84, 0x94, 0xeb, 0x8f, 0x58, 0xf8, + 0xcf, 0xbb, 0x99, 0x6e, 0xf0, 0xd8, 0x32, 0xf6, 0xce, 0x48, + 0x6f, 0x7c, 0xc8, 0x8f, 0xd3, 0x86, 0x22, 0x49, 0x9f, 0xde, + 0x11, 0x05, 0xa4, 0xdc, 0x92, 0xfb, 0x0f, 0xfa, 0x09, 0x4d, + 0x17, 0x1a, 0xe2, 0x76, 0x67, 0x40, 0xa9, 0x5b, 0x1b, 0x54, + 0x66, 0x48, 0xf7, 0xc3, 0x59, 0xd4, 0xcf, 0x55, 0xd0, 0x7f, + 0x3b, 0xb0, 0xa2, 0xd8, 0xec, 0xb7, 0x88, 0xe7, 0xb0, 0x30, + 0x72, 0x42, 0x65, 0xe2, 0x91, 0xa7, 0x9b, 0xf6, 0x07, 0x45, + 0x52, 0x51, 0xaa, 0xbe, 0x32, 0x35, 0xe4, 0x88, 0x23, 0xe7, + 0xcb, 0x3c, 0x1c, 0xfb, 0x0b, 0x96, 0xd5, 0xb3, 0x92, 0x86, + 0x79, 0x5b, 0x47, 0x93, 0xd6, 0xbd, 0xc7, 0x21, 0x17, 0xd0, + 0xc9, 0xc7, 0x69, 0x84, 0x80, 0x98, 0xaf, 0x2c, 0x63, 0xd1, + 0xef, 0x6e, 0xca, 0x84, 0x30, 0x32, 0x83, 0x2d, 0x49, 0xbb, + 0x1f, 0x2a, 0xfe, 0x40, 0x7c, 0x03, 0xd4, 0x45, 0xdc, 0xfe, + 0x94, 0xf9, 0xe4, 0x36, 0x47, 0xfa, 0x7e, 0x2e, 0x93, 0x03, + 0xf8, 0x15, 0xf9, 0xce, 0xc3, 0x5b, 0x76, 0x10, 0xec, 0x89, + 0x8c, 0xce, 0x25, 0xa5, 0x77, 0x9a, 0xc5, 0x1e, 0xdd, 0x07, + 0x1b, 0x5b, 0xac, 0x6f, 0xdb, 0x94, 0x85, 0xdf, 0x02, 0x22, + 0xd1, 0xa9, 0x01, 0x8e, 0x63, 0xa1, 0xee, 0x94, 0x9c, 0xdb, + 0xb4, 0x1a, 0x43, 0xe1, 0x1f, 0x4e, 0x2f, 0x68, 0x50, 0x0c, + 0x2f, 0x5b, 0xc5, 0x1b, 0xe1, 0x8d, 0x4b, 0xe0, 0x63, 0x8d, + 0x7a, 0x30, 0xbe, 0xb7, 0x2e, 0x02, 0xc6, 0x02, 0xac, 0xa8, + 0xb8, 0x65, 0xc6, 0x28, 0xee, 0xe4, 0xec, 0x99, 0xa1, 0x9a, + 0xfd, 0x1f, 0xb5, 0x85, 0x7a, 0x94, 0x16, 0xe2, 0xe7, 0x74, + 0x06, 0x54, 0x1b, 0xd0, 0xaf, 0x58, 0x4e, 0x50, 0x7e, 0xd6, + 0xe4, 0x31, 0xd2, 0x0c, 0xd7, 0x9d, 0xe2, 0x00, 0x30, 0xbe, + 0x26, 0x30, 0x48, 0x99, 0x98, 0x58, 0x54, 0x5a, 0xc4, 0x0a, + 0x6c, 0xa1, 0x06, 0xe9, 0x38, 0xe6, 0x79, 0x39, 0x00, 0x9e, + 0xb6, 0xe3, 0xf7, 0x01, 0xcf, 0x2f, 0x82, 0x5e, 0xc3, 0x21, + 0x1b, 0x79, 0x93, 0xb5, 0xe4, 0x39, 0x9d, 0x32, 0x9d, 0x72, + 0xa4, 0xa8, 0xc9, 0x90, 0xce, 0xaf, 0xc0, 0x00, 0xad, 0x20, + 0x87, 0x26, 0xc7, 0xd3, 0x5f, 0x2e, 0xf0, 0x5e, 0xf8, 0x8b, + 0x85, 0xa3, 0xc6, 0x66, 0xd8, 0x2f, 0x86, 0xfe, 0x7d, 0x8d, + 0x22, 0xa5, 0x6d, 0x68, 0x3e, 0x87, 0x6e, 0xf7, 0xf1, 0xf0, + 0x07, 0xc4, 0xe3, 0xf1, 0x84, 0xc4, 0x93, 0x42, 0x06, 0x20, + 0x80, 0x64, 0xb3, 0x52, 0x5c, 0xa5, 0xcf, 0xee, 0xfe, 0xa4, + 0x09, 0x41, 0xbe, 0xaa, 0x78, 0x52, 0x76, 0x3f, 0xf7, 0xe8, + 0xa1, 0x6b, 0x0a, 0xbc, 0x22, 0xbe, 0xdf, 0x72, 0x7b, 0xea, + 0x90, 0x43, 0xee, 0xc2, 0x0b, 0x26, 0xdc, 0x02, 0x26, 0xa7, + 0x50, 0x04, 0x7a, 0x06, 0x91, 0xae, 0x93, 0xd5, 0xd2, 0xc9, + 0xa1, 0xe1, 0xfc, 0xb9, 0x8c, 0x94, 0xca, 0xa8, 0x1c, 0x2c, + 0x57, 0x97, 0x3e, 0x50, 0xed, 0x93, 0x45, 0x7a, 0x2c, 0x59, + 0x7b, 0x34, 0x8f, 0xcd, 0xd6, 0x17, 0x93, 0xd8, 0xde, 0xe8, + 0xb0, 0x9e, 0x27, 0x15, 0xc5, 0xbb, 0xa5, 0xbb, 0xc2, 0x30, + 0x9b, 0xc7, 0x27, 0x02, 0x18, 0xd8, 0xdb, 0xa4, 0x84, 0x37, + 0x64, 0xf7, 0xf7, 0xf1, 0xc8, 0x86, 0x4c, 0x64, 0x97, 0x08, + 0xe9, 0x4e, 0x0e, 0xb6, 0x92, 0xe9, 0x4c, 0x7b, 0x7f, 0xe1, + 0xcc, 0xa0, 0x71, 0xa7, 0x34, 0x48, 0x46, 0xbb, 0x37, 0xce, + 0xb0, 0x4d, 0x39, 0xa8, 0x0e, 0xab, 0xf6, 0x2f, 0x7c, 0x88, + 0xae, 0xcf, 0x90, 0xc6, 0x01, 0xd3, 0x5b, 0x37, 0xe9, 0xb1, + 0x28, 0x42, 0x14, 0xbf, 0x59, 0x35, 0x04, 0xab, 0x46, 0x6e, + 0xa8, 0x29, 0xe2, 0x7a, 0x77, 0x0e, 0x07, 0x67, 0xe4, 0x2b, + 0x03, 0xd2, 0x02, 0x36, 0x16, 0xd7, 0x81, 0x5d, 0x38, 0x9c, + 0x68, 0x9c, 0xf5, 0x9e, 0x49, 0x7d, 0x99, 0xfd, 0xcd, 0x1d, + 0xd2, 0xdf, 0x3c, 0x36, 0x19, 0x85, 0xaa, 0xb1, 0x30, 0x7a, + 0x21, 0xb1, 0x83, 0x16, 0xcf, 0xd1, 0x75, 0xa5, 0x9d, 0xd7, + 0xc1, 0x60, 0xa8, 0xdb, 0x1e, 0xb9, 0x3e, 0x9c, 0x12, 0x42, + 0xe8, 0x47, 0x49, 0x18, 0x9f, 0x5c, 0x12, 0xd1, 0x69, 0xd5, + 0x7d, 0xa8, 0x3c, 0xda, 0x35, 0x8a, 0x6c, 0x63, 0xb8, 0x62, + 0x8a, 0x61, 0xfa, 0xf2, 0x61, 0x11, 0x1e, 0xb6, 0xf3, 0x5c, + 0x62, 0x9d, 0xa7, 0x62, 0x0c, 0x87, 0x93, 0xe2, 0x23, 0x6c, + 0x3d, 0xa9, 0x2c, 0x4b, 0xd5, 0x7f, 0xfe, 0x72, 0x27, 0x36, + 0x06, 0xcb, 0x65, 0x38, 0xef, 0x13, 0x57, 0x6a, 0xc9, 0xc6, + 0x4f, 0x51, 0xd0, 0x90, 0x06, 0xa0, 0x23, 0x65, 0x95, 0xce, + 0x16, 0x8f, 0x8d, 0xb2, 0xf9, 0x7f, 0x3c, 0x2c, 0x30, 0x5a, + 0x38, 0xf1, 0x62, 0x79, 0x4b, 0xe5, 0xd7, 0x0a, 0x3f, 0x83, + 0x5f, 0x46, 0x26, 0x97, 0xb7, 0x08, 0x8c, 0x5b, 0xb8, 0x02, + 0x28, 0xf2, 0x4d, 0xdf, 0x93, 0x97, 0xc5, 0x94, 0x4b, 0x0e, + 0x42, 0xc3, 0x35, 0x91, 0x6b, 0x69, 0x61, 0x76, 0x7f, 0x94, + 0xcf, 0x0b, 0x81, 0x33, 0xff, 0xf3, 0x0c, 0xc7, 0x01, 0x94, + 0x94, 0xa9, 0xed, 0xcd, 0x4b, 0xc8, 0xcb, 0x91, 0xf9, 0x7a, + 0x47, 0xcd, 0x79, 0x3c, 0xa6, 0xde, 0x52, 0xd2, 0x47, 0x5c, + 0x10, 0x62, 0xbb, 0xe5, 0x32, 0xde, 0x83, 0xcf, 0xa8, 0x52, + 0xb3, 0xe7, 0xf9, 0xec, 0x17, 0x34, 0xbf, 0x33, 0x5d, 0xb2, + 0x4e, 0x56, 0xf7, 0x29, 0xd9, 0x5c, 0x1b, 0x83, 0x01, 0xbb, + 0xb9, 0x2b, 0x95, 0x52, 0x08, 0xab, 0xa4, 0x51, 0x03, 0xa1, + 0xfb, 0x6a, 0x50, 0xcd, 0xa8, 0x9d, 0x95, 0x6f, 0x7e, 0xb1, + 0x80, 0x1e, 0x9d, 0x81, 0x01, 0x26, 0x41, 0x78, 0x36, 0x3c, + 0x8a, 0x44, 0xf4, 0x98, 0x88, 0x1c, 0x5d, 0x06, 0xd3, 0xd2, + 0xb2, 0x58, 0x7d, 0xa1, 0x45, 0x1b, 0xbf, 0x8c, 0xf6, 0x6a, + 0xfa, 0xfd, 0x08, 0x29, 0x3e, 0x91, 0x57, 0xf1, 0x3d, 0x20, + 0xed, 0x49, 0x6e, 0x9c, 0x46, 0xd5, 0x08, 0x8d, 0x9b, 0xf8, + 0xef, 0xa3, 0x3a, 0x98, 0xcb, 0xb4, 0xcb, 0x5b, 0x30, 0x25, + 0x20, 0xcc, 0x04, 0xa1, 0xeb, 0xeb, 0xee, 0x1b, 0x36, 0x85, + 0xc1, 0x93, 0x16, 0x5a, 0x31, 0xdf, 0xd6, 0x0e, 0x73, 0x9e, + 0x63, 0x6e, 0x96, 0x90, 0x54, 0xd2, 0xc2, 0x53, 0x69, 0x93, + 0xd5, 0x54, 0xca, 0xd8, 0x84, 0xf7, 0x8f, 0x9a, 0xd1, 0x80, + 0x0d, 0x57, 0xa8, 0x26, 0xbe, 0x45, 0x64, 0xd5, 0x2b, 0xbb, + 0x45, 0xb5, 0x08, 0xb9, 0x37, 0x57, 0x02, 0x82, 0x03, 0xc1, + 0x00, 0xd1, 0x30, 0x2e, 0xb7, 0x9b, 0xe7, 0x5d, 0x13, 0x74, + 0x1f, 0x52, 0xf2, 0x02, 0x18, 0xe9, 0x07, 0x87, 0x9e, 0xed, + 0xde, 0x83, 0x92, 0xcf, 0x73, 0x61, 0x21, 0xc4, 0x62, 0x30, + 0x6c, 0xa2, 0x36, 0xbd, 0xe2, 0xc5, 0x19, 0xf6, 0xdf, 0x51, + 0x7b, 0xca, 0xd4, 0xe4, 0x51, 0x83, 0x49, 0x27, 0xdd, 0xbd, + 0xb0, 0x10, 0x79, 0x39, 0xdd, 0x0e, 0x3d, 0x65, 0xad, 0x6d, + 0xa3, 0x95, 0x52, 0x85, 0xdb, 0x18, 0x94, 0x60, 0xaa, 0xc0, + 0xc8, 0x8b, 0xdb, 0xfe, 0xf9, 0xf0, 0x86, 0xf9, 0x33, 0x8a, + 0xd7, 0xbe, 0x8d, 0x43, 0x83, 0x4d, 0xe4, 0x17, 0x2b, 0x46, + 0x54, 0x44, 0x1b, 0xbe, 0x52, 0x64, 0x47, 0x02, 0x6c, 0x4a, + 0x64, 0xb4, 0x3f, 0x21, 0x2f, 0xbb, 0xe3, 0x72, 0x7c, 0x26, + 0x14, 0xdf, 0x80, 0x50, 0xd4, 0x94, 0xe9, 0xc6, 0x7d, 0x71, + 0xd8, 0xaf, 0xfb, 0x74, 0x36, 0x33, 0xbe, 0x58, 0x63, 0xad, + 0xcb, 0xdf, 0xc0, 0x73, 0x9e, 0x19, 0xb0, 0x65, 0xe1, 0xd1, + 0x10, 0x44, 0xf1, 0xf0, 0x08, 0xa3, 0x09, 0x25, 0xeb, 0xd5, + 0xcb, 0xdd, 0x98, 0xdd, 0xbc, 0x09, 0x2c, 0xef, 0xc1, 0x8d, + 0x43, 0x15, 0x41, 0xc2, 0xa1, 0x84, 0x37, 0x70, 0x5a, 0xd5, + 0xf5, 0xb2, 0x6a, 0x1f, 0xbb, 0xcc, 0x30, 0xb9, 0xd9, 0xc7, + 0x36, 0x21, 0xf3, 0x69, 0x3e, 0x91, 0x38, 0x4d, 0xa5, 0xc4, + 0xf7, 0x84, 0x90, 0x34, 0x0e, 0x47, 0x7e, 0x26, 0xf2, 0x98, + 0x25, 0x26, 0xda, 0xf0, 0x4e, 0x55, 0xea, 0x4d, 0x9b, 0x8a, + 0x4a, 0xe1, 0x1f, 0xa0, 0x07, 0x90, 0x9e, 0x59, 0x64, 0xae, + 0xd9, 0xd6, 0x7e, 0x72, 0xa1, 0xc4, 0xea, 0x7d, 0xbd, 0x1f, + 0x7d, 0x2b, 0xd9, 0x2c, 0xdc, 0x8b, 0xc0, 0xda, 0x52, 0x0c, + 0xd1, 0xd0, 0x56, 0xb7, 0x93, 0xc7, 0x26, 0x79, 0x71, 0xd0, + 0x0d, 0xae, 0xaa, 0xa7, 0xe4, 0xc1, 0x59, 0x27, 0x68, 0x97, + 0x9a, 0xff, 0x3d, 0x36, 0x07, 0x55, 0x77, 0x07, 0x97, 0x69, + 0xf3, 0x99, 0x91, 0x3f, 0x63, 0xfd, 0x70, 0x8c, 0xa1, 0xeb, + 0xc5, 0x21, 0xa3, 0xfe, 0x99, 0x96, 0x11, 0x37, 0xb9, 0xe6, + 0x93, 0xf8, 0xd0, 0xb1, 0xa3, 0x57, 0x7a, 0xa8, 0x63, 0xdd, + 0x09, 0x56, 0xb0, 0x3b, 0xa6, 0x59, 0xc7, 0x89, 0x54, 0x16, + 0xe9, 0x2d, 0x78, 0x7d, 0xaf, 0x4e, 0x0a, 0x5b, 0x62, 0x3b, + 0x0b, 0xcb, 0x24, 0x89, 0x4e, 0x1c, 0x3d, 0xe1, 0xbd, 0x5a, + 0x3e, 0xc5, 0xfd, 0x15, 0x3d, 0x08, 0x38, 0x33, 0x5e, 0x37, + 0x4c, 0xe3, 0xe3, 0xe9, 0xc4, 0x1d, 0x2b, 0xd4, 0x58, 0x25, + 0x58, 0x23, 0x8e, 0xc6, 0x83, 0x9a, 0xf3, 0x9a, 0x78, 0xe9, + 0xa7, 0xca, 0xd7, 0xdd, 0x89, 0x20, 0x6e, 0x02, 0xea, 0x6b, + 0x37, 0x74, 0xda, 0xa0, 0xc2, 0x5a, 0x2b, 0x80, 0x1c, 0x28, + 0x91, 0x0d, 0x50, 0x64, 0xf0, 0x12, 0xe7, 0xc4, 0x7e, 0xdd, + 0x28, 0x3b, 0x26, 0x9a, 0xf4, 0x39, 0x56, 0xa4, 0x72, 0x4d, + 0xcb, 0x67, 0x3c, 0x68, 0xb2, 0x6f, 0xf0, 0xd0, 0x15, 0x90, + 0xc8, 0x08, 0xbb, 0x0b, 0x08, 0x6b, 0x8a, 0xde, 0x41, 0x57, + 0xbc, 0x63, 0x0e, 0x00, 0x8d, 0xf8, 0xdd, 0x93, 0xce, 0x58, + 0x7b, 0xa8, 0xb9, 0x64, 0x26, 0x06, 0xe7, 0x71, 0x23, 0x0f, + 0x41, 0xf1, 0xb7, 0xae, 0x59, 0x2e, 0xd0, 0x73, 0xc5, 0xd9, + 0xdc, 0x0e, 0x1c, 0x02, 0x58, 0x69, 0xb3, 0x15, 0x6d, 0x96, + 0x2b, 0xdb, 0x7b, 0x3b, 0x6c, 0x38, 0x32, 0x6b, 0xd8, 0x08, + 0xb2, 0xbd, 0xa7, 0x49, 0x43, 0xeb, 0x90, 0x42, 0x70, 0xc5, + 0xba, 0xcd, 0x4a, 0x44, 0x8f, 0x83, 0x0d, 0x17, 0x51, 0x5a, + 0x95, 0xa2, 0x57, 0x9a, 0x16, 0x19, 0x91, 0xbb, 0x90, 0x5c, + 0x2a, 0x16, 0xe8, 0x26, 0x10, 0x3c, 0xb7, 0x10, 0x5c, 0xf8, + 0xc5, 0x15, 0x2b, 0x70, 0x75, 0x69, 0xba, 0x7b, 0x3d, 0x0b, + 0x57, 0xac, 0x39, 0x12, 0x2e, 0xd6, 0xd9, 0x13, 0x74, 0x8e, + 0xa8, 0x0b, 0x17, 0xe1, 0x03, 0x7a, 0xba, 0x1d, 0x07, 0x91, + 0x8c, 0x2a, 0x3a, 0x8d, 0xe0, 0x2a, 0x94, 0xd4, 0x16, 0x35, + 0x64, 0x8b, 0x92, 0x2c, 0x2f, 0xa4, 0x18, 0xfe, 0x3f, 0x02, + 0x19, 0x8c, 0xb9, 0xeb, 0xaf, 0x01, 0x06, 0xa8, 0x37, 0x7f, + 0xe2, 0x44, 0x10, 0xce, 0xeb, 0x8d, 0xd0, 0x73, 0xc4, 0x1e, + 0x3d, 0x2c, 0xaf, 0x77, 0xb2, 0xef, 0xe5, 0x95, 0x8b, 0xdf, + 0x02, 0xfc, 0x93, 0xb8, 0xa9, 0x27, 0x88, 0x1d, 0x1d, 0x82, + 0x9f, 0xb6, 0xe4, 0x12, 0x05, 0x79, 0xb6, 0x1c, 0x41, 0x0d, + 0xc1, 0x53, 0x49, 0x8f, 0x3d, 0xc9, 0xad, 0x84, 0xcb, 0x0b, + 0x88, 0x7e, 0xfe, 0x73, 0x59, 0x21, 0x64, 0xc5, 0x50, 0x53, + 0xdc, 0x98, 0xc6, 0x43, 0xb8, 0xf5, 0xc3, 0xa1, 0xf5, 0xb2, + 0xd8, 0x86, 0xe9, 0xae, 0x98, 0xf9, 0x3b, 0x99, 0xc0, 0xe7, + 0xd7, 0x4a, 0xed, 0xac, 0x89, 0x84, 0xb0, 0x8e, 0xd3, 0xab, + 0xec, 0x03, 0x02, 0x12, 0x4b, 0x44, 0x17, 0x4d, 0x98, 0x26, + 0x1e, 0x51, 0xc5, 0xbb, 0xcd, 0xdc, 0x50, 0xab, 0x83, 0x37, + 0x49, 0x90, 0x1e, 0x34, 0xad, 0x81, 0x22, 0x6c, 0xe4, 0xdd, + 0x19, 0x01, 0x09, 0x25, 0x2d, 0x9e, 0x52, 0x90, 0x72, 0xa1, + 0x68, 0x3d, 0x0c, 0x49, 0x99, 0x19, 0x75, 0x5a, 0xca, 0x08, + 0x69, 0xa1, 0xd2, 0x88, 0x8c, 0xea, 0xcf, 0x9c, 0xbc, 0x23, + 0xad, 0x3f, 0xb9, 0xfc, 0xb9, 0x30, 0x0d, 0xd6, 0xd9, 0x65, + 0x0c, 0x7e, 0x99, 0x68, 0x35, 0x26, 0x07, 0xd1, 0x55, 0xbf, + 0x8e, 0xde, 0xe7, 0xe7, 0x01, 0xcb, 0xca, 0x0a, 0x39, 0x2e, + 0xcc, 0x19, 0xec, 0x77, 0xf3, 0xab, 0xb2, 0xe6, 0x0e, 0x54, + 0x06, 0x01, 0x50, 0x77, 0xd3, 0x61, 0x36, 0x05, 0x90, 0xe4, + 0xd8, 0xc4, 0x1d, 0xf5, 0xc7, 0xfa, 0x65, 0xf0, 0x46, 0x6a, + 0x5f, 0xa7, 0xc3, 0x8c, 0x6f, 0x04, 0x7f, 0xcf, 0x97, 0xb9, + 0x68, 0x92, 0x31, 0x09, 0x02, 0x9f, 0x22, 0xc9, 0xf8, 0xe6, + 0x7e, 0xa8, 0x95, 0x5b, 0x6b, 0xfe, 0x9c, 0x4e, 0x63, 0x2d, + 0x8c, 0x1a, 0x4c, 0x8b, 0x14, 0x79, 0x08, 0xd5, 0x96, 0x76, + 0xd1, 0xb4, 0x2f, 0xae, 0x5d, 0x91, 0x88, 0x7c, 0xdd, 0xd2, + 0x06, 0x86, 0xcf, 0x0a, 0x83, 0x6f, 0xda, 0xca, 0x71, 0x7c, + 0xe7, 0xe5, 0x34, 0xa8, 0x9a, 0x53, 0x8d, 0xa5, 0xaa, 0x5d, + 0xb5, 0x17, 0x81, 0x34, 0x6f, 0xbe, 0xbb, 0xb6, 0x58, 0x22, + 0x90, 0x80, 0xf6, 0x9c, 0x1c, 0xb0, 0x79, 0x8f, 0x92, 0x5b, + 0x7d, 0x1c, 0x71, 0x5f, 0xb4, 0x87, 0x36, 0xbe, 0x81, 0x8d, + 0x4a, 0xfc, 0x28, 0x72, 0x81, 0xaf, 0x5f, 0xbd, 0x5f, 0x99, + 0xe3, 0xc9, 0x37, 0xb0, 0x6e, 0xad, 0x70, 0x96, 0xfa, 0xe3, + 0x99, 0xf7, 0x08, 0x14, 0x21, 0x21, 0xb7, 0x1a, 0xaa, 0xe8, + 0x07, 0xb6, 0xfd, 0xa3, 0x7a, 0x2d, 0x93, 0x64, 0x8f, 0x89, + 0x2c, 0x71, 0x49, 0x71, 0xb8, 0x45, 0xca, 0xe0, 0x7c, 0x00, + 0x8d, 0xbd, 0xb8, 0x1c, 0x3a, 0x94, 0xa2, 0xa7, 0x6d, 0x0a, + 0x2e, 0x84, 0xaf, 0xbd, 0xab, 0x05, 0x95, 0x64, 0x8b, 0x05, + 0xc8, 0xc9, 0x4e, 0xea, 0xb5, 0x96, 0x4a, 0x47, 0xdd, 0xf2, + 0xcb, 0x02, 0x82, 0x03, 0xc0, 0x59, 0xb3, 0xd9, 0x85, 0xdc, + 0xa8, 0xb9, 0x93, 0x85, 0xa2, 0xbc, 0x79, 0xfc, 0x72, 0x50, + 0xc1, 0xa0, 0xa5, 0xdb, 0x71, 0x35, 0xa1, 0x31, 0xbc, 0x68, + 0x4e, 0xd5, 0x19, 0x9e, 0x0e, 0x32, 0x3a, 0xad, 0x40, 0x9e, + 0x82, 0x3c, 0x1e, 0x2b, 0x34, 0x3b, 0xc9, 0x32, 0x61, 0x07, + 0x5e, 0x46, 0xa9, 0xbe, 0xbe, 0x73, 0x0c, 0x12, 0xef, 0x52, + 0x68, 0x82, 0xe2, 0x0b, 0x12, 0x74, 0xfc, 0x10, 0x5c, 0xc0, + 0xb5, 0x98, 0x4d, 0x86, 0xbb, 0x8c, 0x40, 0x15, 0xa1, 0x6e, + 0x46, 0x73, 0x2e, 0xd6, 0x99, 0x6b, 0x50, 0xab, 0x04, 0x1a, + 0x5f, 0xf4, 0xfa, 0xcb, 0x4b, 0xad, 0xc4, 0x5e, 0x62, 0xa7, + 0x48, 0xd4, 0x52, 0x85, 0xdc, 0x2a, 0x85, 0x9b, 0xee, 0x08, + 0xa5, 0xaa, 0xaa, 0xe8, 0x44, 0xf0, 0xed, 0x89, 0x21, 0xe4, + 0xb4, 0xab, 0x3c, 0x0d, 0x53, 0x7e, 0x53, 0xdd, 0xac, 0x47, + 0xda, 0x77, 0x79, 0x5f, 0x78, 0x7a, 0x80, 0x84, 0x46, 0x50, + 0xaa, 0xdb, 0x3b, 0x8c, 0x6b, 0xda, 0xb0, 0xac, 0x0a, 0xd3, + 0x4c, 0xe4, 0x6e, 0x87, 0xd1, 0xb2, 0x5a, 0xd5, 0x98, 0xae, + 0xcb, 0x7e, 0xc2, 0x19, 0xdc, 0x53, 0x64, 0x86, 0x4c, 0x7b, + 0xe0, 0x63, 0x22, 0x94, 0x34, 0xad, 0x15, 0xdc, 0xd8, 0xa8, + 0x5f, 0xc6, 0x58, 0xf6, 0x72, 0x34, 0xdd, 0xfb, 0x85, 0x8a, + 0xd9, 0xa3, 0xfb, 0x3b, 0xad, 0x5d, 0xf0, 0x1a, 0x0b, 0xa8, + 0x91, 0xe7, 0x7d, 0x26, 0x27, 0x38, 0xf8, 0xe0, 0x49, 0x1b, + 0x56, 0xc5, 0x5b, 0xe3, 0x1c, 0x7b, 0xa3, 0x53, 0x6d, 0x22, + 0xfa, 0xd7, 0x63, 0x5f, 0xf0, 0xcb, 0x92, 0x49, 0x01, 0x54, + 0xe5, 0x77, 0x5b, 0xd3, 0xab, 0xce, 0xb8, 0x3a, 0x5b, 0xb8, + 0x07, 0x40, 0x46, 0x51, 0xe4, 0x59, 0xa2, 0x45, 0x41, 0xcc, + 0x81, 0x6c, 0xe3, 0xa6, 0xb3, 0xa0, 0x30, 0x4a, 0x67, 0x10, + 0xed, 0xc0, 0x8a, 0xcd, 0xfc, 0xa5, 0x44, 0x9b, 0x59, 0x19, + 0x4a, 0x43, 0x8d, 0xec, 0x00, 0xd8, 0x6d, 0xf9, 0xf0, 0x2d, + 0xd9, 0x55, 0xfc, 0x05, 0xe2, 0x12, 0x48, 0x4d, 0xd6, 0x7d, + 0xec, 0x41, 0xc4, 0x9e, 0xe2, 0xed, 0x84, 0x14, 0x29, 0x0e, + 0x5b, 0x81, 0x0b, 0xb0, 0x87, 0x8a, 0xd3, 0x35, 0x5c, 0xad, + 0xdb, 0xcc, 0xa1, 0x3c, 0xcb, 0x8b, 0x23, 0x55, 0x69, 0xf1, + 0x83, 0x84, 0x81, 0x36, 0xae, 0xd5, 0xf3, 0x98, 0xb6, 0xb2, + 0xb5, 0xa1, 0x79, 0x6d, 0x80, 0x8f, 0x2e, 0x25, 0x71, 0x4e, + 0x16, 0xff, 0xa0, 0x7c, 0xa4, 0x62, 0x8c, 0x44, 0x85, 0x64, + 0x90, 0x7c, 0xac, 0x10, 0x36, 0xf2, 0xf2, 0xfb, 0x20, 0x2b, + 0xa1, 0x27, 0xd0, 0xcc, 0x27, 0xfd, 0xb0, 0xba, 0x3e, 0x37, + 0xb1, 0xa8, 0x9d, 0x3c, 0x82, 0x63, 0xd0, 0x16, 0x6d, 0x7a, + 0xdd, 0x2e, 0xea, 0xe5, 0x87, 0xd6, 0x64, 0x72, 0xdb, 0x60, + 0x53, 0x38, 0x18, 0x66, 0x1d, 0x25, 0xf6, 0x08, 0x92, 0x7f, + 0x68, 0x5b, 0x79, 0x07, 0xde, 0x93, 0xee, 0xf8, 0x8f, 0xce, + 0x28, 0xcf, 0xb1, 0x5b, 0x43, 0x51, 0xdf, 0xf5, 0xac, 0xe8, + 0x9c, 0x95, 0x14, 0x8a, 0x67, 0xe1, 0x25, 0xfe, 0x11, 0xa2, + 0x40, 0xf8, 0xdd, 0xcf, 0xf5, 0x17, 0x94, 0xb6, 0x88, 0x10, + 0xa2, 0x90, 0x58, 0xef, 0xaf, 0x73, 0xf8, 0x7c, 0x9b, 0x20, + 0x30, 0x79, 0xca, 0x3f, 0xa9, 0x22, 0x40, 0xfd, 0xcc, 0xb0, + 0x5d, 0x0d, 0x97, 0x6b, 0xc0, 0x75, 0x35, 0x33, 0xc5, 0x76, + 0x45, 0x6e, 0x9b, 0x78, 0xe7, 0xb4, 0x04, 0xb3, 0xba, 0x3b, + 0x93, 0xb1, 0xa9, 0x8f, 0xa1, 0x24, 0x5d, 0x1c, 0x0e, 0x66, + 0xc0, 0xc6, 0xcc, 0xd6, 0xb7, 0x88, 0x9d, 0xb8, 0x45, 0xe3, + 0xaa, 0xc9, 0x6c, 0xfd, 0x37, 0xdc, 0x85, 0xd5, 0x49, 0xfd, + 0xef, 0xeb, 0xf9, 0x7a, 0x3f, 0x7a, 0x4f, 0x86, 0x49, 0xaa, + 0x9f, 0x08, 0x12, 0x0b, 0x11, 0x35, 0x5c, 0xd5, 0xd3, 0xda, + 0x14, 0x50, 0x03, 0x2c, 0x24, 0x26, 0x0e, 0x29, 0x18, 0xcc, + 0x1d, 0x0a, 0x7c, 0x94, 0x8b, 0xc0, 0xa0, 0x3f, 0xea, 0xf8, + 0xf8, 0xa9, 0x1d, 0x65, 0x31, 0x6f, 0x3b, 0xa6, 0xd0, 0xfc, + 0x26, 0xb0, 0x4e, 0x3a, 0x66, 0xe7, 0x32, 0x10, 0x2e, 0x84, + 0x47, 0xad, 0xa9, 0x18, 0xfc, 0xa3, 0x8b, 0x74, 0x84, 0x4f, + 0xd4, 0x25, 0x93, 0x0f, 0xdb, 0x2e, 0xae, 0x88, 0x8e, 0x28, + 0xf8, 0x0f, 0xaa, 0x60, 0xd4, 0xbe, 0xad, 0x66, 0x0c, 0x0d, + 0x01, 0xbd, 0x8d, 0xc4, 0xfc, 0x48, 0xef, 0x78, 0x14, 0x34, + 0xee, 0xb3, 0xbc, 0xd4, 0xbb, 0x1f, 0x7c, 0x12, 0x5c, 0x9b, + 0xeb, 0x77, 0x3e, 0x2c, 0x6e, 0x31, 0x59, 0xe6, 0x78, 0xc5, + 0xe8, 0xa4, 0xdd, 0xf1, 0xef, 0x5d, 0x27, 0x45, 0x31, 0x13, + 0xd0, 0x21, 0xa1, 0x13, 0xce, 0xac, 0x7e, 0xbb, 0xfb, 0x32, + 0xeb, 0x76, 0x31, 0xc4, 0xba, 0xdf, 0xfb, 0x5a, 0x1b, 0xc9, + 0x9e, 0x74, 0xa0, 0x9e, 0x26, 0x82, 0xd5, 0x6e, 0x1d, 0xc3, + 0x0e, 0xd1, 0x6d, 0xdb, 0x43, 0xb3, 0x0b, 0x14, 0xcb, 0xf1, + 0xad, 0x62, 0x34, 0x49, 0xb8, 0xd3, 0x08, 0xca, 0x93, 0xf1, + 0x42, 0xb2, 0x4b, 0x23, 0x79, 0x93, 0xde, 0x18, 0x58, 0xf3, + 0x66, 0xfa, 0xdc, 0xab, 0xca, 0x33, 0x22, 0x2b, 0x5c, 0x8c, + 0x12, 0xc1, 0x7b, 0x2e, 0x52, 0x72, 0xa7, 0x78, 0x4a, 0x49, + 0xa1, 0x53, 0x02, 0x76, 0x2d, 0x2e, 0xf8, 0x43, 0x3c, 0xe8, + 0xfa, 0xb7, 0xff, 0x39, 0xed, 0x74, 0x9e, 0x11, 0x61, 0x33, + 0xde, 0x2a, 0x55, 0xe6, 0x4a, 0xe7, 0x97, 0xa6, 0xb2, 0xc3, + 0x40, 0x41, 0x52, 0x66, 0xcf, 0xbf, 0xf8, 0x8e, 0x08, 0xea, + 0x96, 0x4d, 0x03, 0xc9, 0xbe, 0x3c, 0x4e, 0x36, 0x8c, 0x6f, + 0x4d, 0x1e, 0xcd, 0x31, 0x6d, 0x53, 0xea, 0x9e, 0xf0, 0x8e, + 0x35, 0x97, 0x37, 0x54, 0xe9, 0x0f, 0xb8, 0x23, 0x25, 0x69, + 0x5b, 0xb5, 0xff, 0xc3, 0x5a, 0x2d, 0x10, 0x6a, 0xc0, 0xb8, + 0xee, 0x0d, 0x31, 0x5b, 0xe4, 0x69, 0x40, 0x62, 0xa7, 0x1b, + 0x16, 0xfa, 0xd6, 0xb8, 0xba, 0xc8, 0x6a, 0xa3, 0x29, 0xdd, + 0x9b, 0x4d, 0xd7, 0x96, 0xef, 0x31, 0x74, 0xac, 0x37, 0x10, + 0x91, 0x30, 0x0c, 0x15, 0x3f, 0x09, 0xb6, 0x7d, 0x22, 0xfb, + 0x8c, 0x6f, 0xc3, 0x93, 0xa3, 0x98, 0xa6, 0x23, 0xa4, 0x55, + 0xe0, 0x9e, 0x23, 0x06, 0xa9, 0x78, 0xe9, 0xb3, 0x88, 0xc9, + 0xb7, 0x83, 0x05, 0x46, 0x11, 0x3a, 0x0a, 0xb9, 0x74, 0x5b, + 0xa0, 0xb5, 0x06, 0x96, 0x86, 0xb6, 0xf4, 0x9d, 0x0d, 0x86, + 0x43, 0xa8, 0x40, 0x4b, 0x08, 0x93, 0x7c, 0xad, 0xb0, 0x50, + 0xb4, 0xd0, 0xe7, 0xad, 0xd0, 0x54, 0x5e, 0x15, 0xaf, 0xad, + 0x34, 0x12, 0x86, 0xb3, 0x29, 0x3b, 0x20, 0xc9, 0xad, 0xeb, + 0xc2, 0x65, 0xf3, 0x5c, 0x2d, 0xe5, 0xff, 0xfd, 0x81, 0x79, + 0xf5, 0x11, 0x6f, 0xf7, 0xca, 0x0c, 0x76, 0xf0, 0xd4, 0x02, + 0x9d, 0xb7, 0x76, 0x39, 0x6d, 0x32, 0x6a, 0xb8, 0x30, 0xa4, + 0x01, 0xcc, 0x10, 0xef, 0xb1, 0x0e, 0x41, 0x22, 0x82, 0x5b, + 0x22, 0xcb, 0x32, 0x19, 0x2e, 0xa3, 0x0a, 0xce, 0x05, 0xdd, + 0xe8, 0x4a, 0x58, 0x92, 0xe1, 0x02, 0x82, 0x03, 0xc0, 0x22, + 0x0f, 0x95, 0x5b, 0xc2, 0x1f, 0xde, 0xf0, 0xde, 0xf4, 0x86, + 0xbd, 0xef, 0x07, 0x7d, 0x52, 0x03, 0x8c, 0x26, 0x31, 0x17, + 0xfd, 0x5c, 0x97, 0xed, 0xd5, 0xe0, 0xb3, 0x18, 0x2d, 0x68, + 0x10, 0x3f, 0xc4, 0xdf, 0xd1, 0x05, 0x78, 0x81, 0x3d, 0x05, + 0xde, 0xba, 0x3a, 0x67, 0x85, 0x0e, 0xdf, 0xb5, 0x16, 0x28, + 0xe8, 0x84, 0x3a, 0x71, 0x2a, 0x20, 0x17, 0x28, 0x05, 0xfd, + 0xb7, 0x4d, 0x22, 0x4a, 0x93, 0x46, 0x56, 0x27, 0x43, 0xc0, + 0x3a, 0x16, 0xff, 0x3d, 0x61, 0xcc, 0xcb, 0xce, 0xac, 0xa8, + 0x53, 0x3a, 0x0d, 0xf4, 0x2d, 0xd2, 0x73, 0xf2, 0x64, 0xa0, + 0x1e, 0x60, 0x53, 0xec, 0x0d, 0xff, 0xe0, 0x00, 0x10, 0xfb, + 0xa4, 0x57, 0xd3, 0xfc, 0xe4, 0xe0, 0xec, 0x44, 0x0b, 0x1c, + 0x05, 0x39, 0xa4, 0x13, 0x87, 0x29, 0x11, 0x9d, 0xea, 0xe9, + 0x64, 0xa9, 0x1c, 0x76, 0x3a, 0x65, 0x0b, 0xfd, 0xed, 0x77, + 0x46, 0x4f, 0xcd, 0x0b, 0x63, 0xc4, 0x83, 0x0b, 0x56, 0x79, + 0xd3, 0x67, 0x01, 0x11, 0x02, 0xd9, 0x50, 0xd8, 0x23, 0xf4, + 0xb6, 0x02, 0x4c, 0xae, 0xb5, 0xc9, 0x68, 0x1b, 0x87, 0x33, + 0xbb, 0xdc, 0x64, 0x0e, 0x32, 0x34, 0xb2, 0x25, 0xaa, 0x76, + 0xdd, 0x7e, 0xc3, 0x46, 0x51, 0x1c, 0xc1, 0xd0, 0x05, 0x09, + 0x6c, 0x27, 0xd3, 0xcf, 0x33, 0x7a, 0xb9, 0x26, 0x24, 0x23, + 0x4a, 0x93, 0x9f, 0x4b, 0x96, 0xc7, 0xe2, 0xb2, 0x51, 0x42, + 0x4d, 0x5d, 0xd9, 0x73, 0x75, 0xce, 0x23, 0x28, 0x56, 0x5e, + 0xe7, 0x96, 0x58, 0x04, 0xfd, 0x33, 0x93, 0x08, 0x41, 0x62, + 0x02, 0x7e, 0xc9, 0xc6, 0x55, 0x64, 0x19, 0xda, 0x39, 0xb8, + 0x5d, 0x09, 0x47, 0xf3, 0xdd, 0x77, 0xee, 0xea, 0x35, 0x73, + 0x95, 0xdb, 0x18, 0x4d, 0xd1, 0xfe, 0xee, 0x40, 0x31, 0x2a, + 0x22, 0x91, 0x69, 0xd6, 0xed, 0x9c, 0x54, 0x14, 0x73, 0x61, + 0x61, 0xe7, 0x1d, 0x34, 0x96, 0x47, 0xff, 0x28, 0x7a, 0x48, + 0xa3, 0xf4, 0xcd, 0x64, 0x23, 0xe2, 0x52, 0x2f, 0x20, 0x8f, + 0x04, 0xb3, 0xdc, 0xf0, 0x29, 0x67, 0x88, 0x76, 0x79, 0xdb, + 0x86, 0xa7, 0x95, 0xf0, 0x15, 0x81, 0xbb, 0x98, 0xee, 0xff, + 0x55, 0x7c, 0xb0, 0xee, 0x67, 0x65, 0xfd, 0xf2, 0x29, 0x0f, + 0x85, 0x51, 0xf9, 0xac, 0x5c, 0x55, 0x5a, 0xde, 0x40, 0x62, + 0x58, 0x55, 0x9f, 0x09, 0x4c, 0x2e, 0x28, 0x75, 0xbc, 0x48, + 0xe2, 0x97, 0x85, 0xb3, 0x83, 0xeb, 0x21, 0x49, 0x21, 0xd4, + 0xed, 0x74, 0x4f, 0xc1, 0x6c, 0x34, 0x8c, 0x11, 0xb0, 0x93, + 0x41, 0x99, 0x23, 0x2e, 0xa4, 0xc1, 0x9f, 0x34, 0x74, 0x64, + 0xbb, 0xd7, 0x4f, 0x8f, 0x9f, 0x3a, 0x0c, 0x4f, 0x5e, 0xdd, + 0x41, 0x07, 0xf1, 0xfd, 0x5a, 0x9d, 0xe6, 0x77, 0xd8, 0x7e, + 0x71, 0x7b, 0xad, 0xf7, 0x76, 0x13, 0x71, 0x90, 0xb3, 0x0f, + 0x46, 0x8e, 0xee, 0x7b, 0x33, 0x97, 0x5d, 0x21, 0x3b, 0xa0, + 0x58, 0x9e, 0xb7, 0x87, 0x30, 0x8f, 0xc1, 0x23, 0x2c, 0xde, + 0xf7, 0x0d, 0xa9, 0xd6, 0x50, 0xeb, 0x35, 0x7a, 0x82, 0xab, + 0x22, 0x49, 0x86, 0xd4, 0x61, 0xc7, 0xc2, 0x4e, 0x77, 0xfc, + 0x16, 0x0b, 0xaf, 0x81, 0x6a, 0x47, 0xea, 0xac, 0x7e, 0x51, + 0x4c, 0x56, 0x30, 0x21, 0x46, 0x41, 0xc3, 0x92, 0x60, 0x99, + 0x4f, 0x88, 0x36, 0x3b, 0x27, 0xb4, 0xb2, 0x7e, 0x44, 0x2f, + 0xdd, 0x95, 0xe4, 0x5e, 0x16, 0x1f, 0xa7, 0x32, 0x6b, 0x60, + 0x24, 0x0f, 0xf2, 0xe6, 0x35, 0x3c, 0x0c, 0x3e, 0xb5, 0xd6, + 0xdd, 0x63, 0xe2, 0x76, 0x35, 0x38, 0x79, 0xbf, 0xa5, 0x23, + 0xa4, 0xdd, 0xeb, 0x01, 0x48, 0xd0, 0x60, 0x86, 0x11, 0x38, + 0x5f, 0x9e, 0x6b, 0x00, 0x67, 0xd2, 0x5b, 0x41, 0x0a, 0x5e, + 0x13, 0x0f, 0xa1, 0x9e, 0x90, 0x85, 0xa6, 0x7f, 0xe5, 0x4b, + 0x9e, 0x93, 0x4e, 0x5b, 0x1f, 0x47, 0x62, 0xb0, 0x23, 0xbe, + 0x82, 0xa9, 0xd9, 0xb6, 0x2e, 0xfd, 0xb1, 0x10, 0xca, 0xe0, + 0xc9, 0x5d, 0xf6, 0x85, 0x18, 0x6c, 0x9c, 0x1d, 0x1f, 0x7c, + 0xf6, 0x55, 0x09, 0x80, 0xcf, 0xac, 0xfe, 0x37, 0x6a, 0x4f, + 0x96, 0xaa, 0x40, 0x79, 0x8b, 0x4a, 0xf2, 0x96, 0x79, 0x12, + 0x1a, 0x26, 0x87, 0x06, 0x35, 0x4d, 0xd4, 0x3e, 0x14, 0x39, + 0xe5, 0x6c, 0x39, 0x0f, 0x84, 0xb3, 0x5f, 0xed, 0xf4, 0xff, + 0x89, 0x52, 0x05, 0x00, 0xf1, 0xd1, 0xc3, 0xcf, 0x54, 0x10, + 0x24, 0x7c, 0xa6, 0xb5, 0x95, 0xa8, 0x6e, 0x13, 0x3e, 0x4a, + 0x40, 0x6c, 0xf9, 0x63, 0x90, 0x44, 0x52, 0x07, 0x53, 0xb7, + 0x51, 0xd9, 0x18, 0x47, 0x2e, 0xb0, 0x4e, 0x0f, 0x09, 0x99, + 0x3a, 0x97, 0x26, 0x53, 0xa6, 0x02, 0x06, 0x0e, 0x93, 0xe1, + 0x0b, 0xc5, 0xa9, 0x14, 0xd3, 0xd6, 0x8a, 0x29, 0x75, 0xcd, + 0xb6, 0x7b, 0x64, 0x7c, 0xdd, 0x7e, 0xb4, 0x0a, 0x87, 0x48, + 0x4a, 0x1b, 0x0e, 0x74, 0x4c, 0xd3, 0x0e, 0x96, 0x0e, 0x53, + 0xc4, 0x3d, 0x7b, 0x1c, 0x87, 0x6a, 0x15, 0xd8, 0x77, 0xba, + 0xe6, 0xa0, 0x2f, 0x2c, 0x1a, 0x9d, 0xde, 0x79, 0xfd, 0xab, + 0x44, 0x80, 0xf0, 0x37, 0x9a, 0x3b, 0xf8, 0xde, 0x3d, 0x29, + 0xcb, 0x89, 0x64, 0x4b, 0x57, 0xe7, 0x6b, 0x84, 0x09, 0x27, + 0x17, 0x2f, 0xb2, 0xba, 0x3d, 0x09, 0xc9, 0x3c, 0x89, 0xe6, + 0x19, 0x73, 0x83, 0xf7, 0xc6, 0x19, 0x18, 0x96, 0xb2, 0x7d, + 0x1e, 0x9f, 0x70, 0x1f, 0xfc, 0x1f, 0xe2, 0xb5, 0x69, 0x1e, + 0xf4, 0x65, 0x91, 0xce, 0x4b, 0xdc, 0x74, 0x49, 0x21, 0x64, + 0x8b, 0x33, 0x50, 0xd2, 0xc1, 0x33, 0x62, 0x5b, 0xde, 0x0a, + 0x72, 0xbe, 0xc0, 0x05, 0x51, 0x15, 0x80, 0xed, 0x32, 0x3a, + 0x64, 0xa2, 0x73, 0x68, 0x5b, 0x16, 0xcf, 0x70, 0x5c, 0x98, + 0xe5, 0x67, 0x45, 0x60, 0x57, 0x2b, 0x47, 0x0a, 0x22, 0x73, + 0xc3, 0x56, 0x33, 0x3e, 0x14, 0x1d, 0x0c, 0xd1, 0x03, 0x08, + 0x92, 0x21, 0x2b, 0xa9, 0x6e, 0x6b, 0xf9, 0x0c, 0x1e, 0x86, + 0xdd, 0xb5, 0xbb, 0xa4, 0xa5, 0x82, 0x99, 0x98, 0x49, 0x36, + 0xec, 0x98, 0x98, 0x95, 0xac, 0xc2, 0xa0, 0x1f, 0xa5, 0x7e, + 0x67, 0xd1, 0xcf, 0x6a, 0xf4, 0x16, 0x08, 0x7a, 0x8d, 0x0b, + 0xae, 0x12, 0x51, 0xe6, 0x8e, 0xe6, 0xcd, 0xa1, 0xaa, 0x6d, + 0xe4, 0x54, 0xd4, 0x69, 0x1b, 0x09, 0x6a, 0xba, 0x5e, 0x0b, + 0x11, 0x9c, 0x83, 0xb3, 0x5c, 0x67, 0xbb, 0x2d, 0xf8, 0x66, + 0x1c, 0x33, 0xb8, 0x22, 0x58, 0x10, 0x96, 0xe9, 0x99, 0xaf, + 0x0b, 0x2a, 0xf1, 0xe0, 0xcb, 0x56, 0xfb, 0x6d, 0x04, 0x40, + 0xec, 0x37, 0x67, 0x1e, 0x08, 0x7a, 0x1c, 0xe9, 0xd8, 0x54, + 0xf7, 0xd4, 0xc7, 0x3c, 0x45, 0x23, 0x2b, 0x76, 0xd2, 0x62, + 0xc2, 0x53, 0xce, 0xfe, 0x02, 0xc4, 0xd9, 0xf6, 0x3c, 0xed, + 0x49, 0x47, 0x21, 0xf9, 0x03, 0x3a, 0xa0, 0x16, 0x3a, 0xfe, + 0x0c, 0x2f, 0x54, 0x7e, 0x85, 0x29, 0x7b, 0xc0, 0xaf, 0xa8, + 0x5d, 0x31, 0x25, 0xda, 0xa7, 0xe3, 0x92, 0x1b, 0x64, 0x01, + 0x1b, 0x3f, 0x6e, 0x47, 0xc5, 0x5a, 0x84, 0x52, 0x17, 0x02, + 0x82, 0x03, 0xc1, 0x00, 0x81, 0x99, 0x2e, 0x72, 0x41, 0x6e, + 0x86, 0xeb, 0x6f, 0x42, 0xd1, 0x38, 0x6e, 0xaa, 0x1a, 0xd5, + 0x0a, 0xad, 0x51, 0xb1, 0xce, 0xd6, 0x35, 0xbe, 0x34, 0xd8, + 0xc1, 0xe4, 0x5f, 0xdf, 0x2e, 0xe4, 0x90, 0xf2, 0x61, 0x21, + 0x46, 0xc6, 0xfe, 0xab, 0x0f, 0x6c, 0x97, 0x78, 0xcd, 0x55, + 0x86, 0x83, 0x61, 0x99, 0x49, 0x14, 0x86, 0xc6, 0x86, 0xf1, + 0x41, 0x66, 0xc9, 0x39, 0x52, 0x99, 0x49, 0x07, 0xd6, 0x9d, + 0xb7, 0x40, 0x34, 0x5f, 0xe7, 0x3a, 0xfa, 0x95, 0xeb, 0xa1, + 0x03, 0xb7, 0x52, 0x71, 0x93, 0x30, 0x0b, 0x51, 0x58, 0x82, + 0x07, 0x2f, 0x44, 0xa9, 0x4f, 0x9b, 0x1b, 0xf3, 0xd6, 0x21, + 0x3d, 0x68, 0xef, 0x3f, 0xaf, 0xc2, 0x6f, 0xa0, 0xd5, 0x2b, + 0xb8, 0x73, 0x84, 0x67, 0x36, 0x8b, 0xa4, 0x25, 0xe0, 0x86, + 0xd9, 0x14, 0x5c, 0x6c, 0xd8, 0x61, 0xe1, 0x0a, 0x6c, 0xaf, + 0xbb, 0x9c, 0xf6, 0x74, 0xca, 0x5a, 0x04, 0xac, 0x85, 0xc1, + 0x1b, 0x4d, 0xf2, 0x07, 0xb6, 0x1e, 0x97, 0x7b, 0x75, 0xdf, + 0x9b, 0x8a, 0x31, 0xc6, 0x90, 0xd5, 0x8d, 0x39, 0xc2, 0x54, + 0xf4, 0xe2, 0x83, 0x57, 0x12, 0x19, 0xf5, 0xb2, 0xd2, 0x53, + 0x81, 0x6d, 0xf0, 0x09, 0xc9, 0x80, 0x8b, 0x07, 0x7c, 0x59, + 0xcd, 0x78, 0x00, 0xd6, 0x44, 0x7f, 0xe4, 0xdb, 0x77, 0x02, + 0x00, 0x25, 0x79, 0x91, 0xc9, 0xde, 0xd0, 0xed, 0x3f, 0xfc, + 0x37, 0x36, 0xea, 0xf0, 0x56, 0x50, 0xe7, 0x38, 0xca, 0xe1, + 0x67, 0x12, 0x96, 0x55, 0x3e, 0xff, 0x97, 0xe5, 0xa7, 0x03, + 0x5b, 0x72, 0x80, 0xd6, 0xa5, 0x23, 0x39, 0x78, 0x07, 0xc8, + 0x83, 0x19, 0x74, 0xfb, 0x79, 0xc2, 0x9e, 0xbd, 0xf9, 0xaf, + 0x09, 0x0f, 0xbd, 0x3d, 0x34, 0xe8, 0x44, 0x89, 0xb1, 0xf1, + 0x2b, 0xa5, 0xff, 0x22, 0xc9, 0x47, 0xe2, 0x31, 0xb5, 0x6b, + 0x8a, 0x65, 0x5f, 0x81, 0x5f, 0x89, 0xb0, 0x03, 0x5d, 0x53, + 0x0e, 0xdd, 0xfb, 0xe5, 0x70, 0xaa, 0xd2, 0x37, 0x4d, 0xa1, + 0x7c, 0xf2, 0xe4, 0x7f, 0xf1, 0x4a, 0xaf, 0x12, 0xd1, 0x83, + 0xdc, 0xb2, 0x9e, 0xc1, 0x95, 0x3d, 0x04, 0x9f, 0xa3, 0xad, + 0xcc, 0x78, 0x14, 0x9a, 0xf9, 0x58, 0x39, 0x08, 0x15, 0xda, + 0x1b, 0x94, 0x50, 0x2d, 0x44, 0xc0, 0x23, 0x1c, 0x36, 0x5f, + 0x16, 0x08, 0xa3, 0xdf, 0x9e, 0x4f, 0xbb, 0x07, 0xcd, 0xe3, + 0x8c, 0xbf, 0xf1, 0xc3, 0x3e, 0x98, 0xf8, 0x49, 0x79, 0x58, + 0xc9, 0x0f, 0x47, 0xc0, 0xab, 0x2f, 0x21, 0x63, 0xf6, 0xe6, + 0xfe, 0x8a, 0xea, 0xbc, 0x32, 0x63, 0xca, 0x75, 0xf8, 0xa4, + 0x1b, 0x6c, 0xfe, 0x9a, 0x6e, 0x68, 0x1f, 0x48, 0x59, 0xfb, + 0x34, 0x43, 0x10, 0xd5, 0x0d, 0x80, 0x54, 0xcb, 0x67, 0x21, + 0xc7, 0x13, 0x85, 0x38, 0x0c, 0xf9, 0x40, 0x2e, 0x2e, 0x4a, + 0x05, 0x9e, 0x51, 0xae, 0xdd, 0xba, 0x23, 0x83, 0x66, 0x2a, + 0xbf, 0x7f, 0xca, 0x9c, 0x6c, 0x2d, 0x6b, 0x7d, 0x68, 0x52, + 0x81, 0x56, 0x2f, 0xea, 0xf9, 0xe7, 0xf1, 0x55, 0x16, 0xfc, + 0x29, 0xe2, 0xa5, 0x1e, 0x0a, 0x06, 0xe0, 0x85, 0x4e, 0xa6, + 0x5d, 0x20, 0x9d, 0x2b, 0xa2, 0xad, 0xaa, 0xd6, 0x9b, 0xd2, + 0x98, 0x29, 0x45, 0x5c, 0x55, 0xc0, 0x91, 0xa2, 0x65, 0xcd, + 0xac, 0xc6, 0x1a, 0x53, 0xa1, 0x46, 0x13, 0xf9, 0xfe, 0x1a, + 0xf6, 0xdf, 0xa5, 0x1a, 0x58, 0x7c, 0x81, 0x2e, 0x46, 0x46, + 0xf7, 0x2f, 0xd6, 0xaa, 0x21, 0xb0, 0x0e, 0x7e, 0xac, 0xb8, + 0xc6, 0x76, 0x62, 0x82, 0x3b, 0x0a, 0x36, 0xbe, 0x97, 0x16, + 0xd5, 0x79, 0x55, 0x15, 0x64, 0x2a, 0xbe, 0x19, 0x4e, 0x93, + 0x3b, 0x44, 0x7c, 0xe2, 0xfc, 0x18, 0x4e, 0x83, 0x37, 0xfb, + 0x26, 0x78, 0x6d, 0x24, 0x6b, 0x48, 0x21, 0x67, 0xde, 0xf5, + 0x00, 0x22, 0x9a, 0xec, 0x40, 0x16, 0x96, 0x8a, 0x3f, 0xd5, + 0xa6, 0x5e, 0x03, 0x84, 0xbb, 0x15, 0x4d, 0x55, 0x71, 0x00, + 0x90, 0xc2, 0x96, 0x25, 0x01, 0xab, 0xe6, 0x47, 0x44, 0x6f, + 0xf9, 0x53, 0x80, 0x2b, 0xa8, 0x83, 0xc8, 0x14, 0x77, 0x13, + 0x00, 0x66, 0xee, 0x7e, 0x7a, 0xa0, 0x28, 0x65, 0xf3, 0x31, + 0xb6, 0xac, 0xd7, 0x87, 0x84, 0x29, 0xed, 0x5b, 0xcd, 0x74, + 0xc0, 0x89, 0x51, 0x11, 0x9a, 0xd5, 0x7b, 0xe0, 0x9c, 0xd0, + 0x8d, 0x72, 0xe3, 0x77, 0xda, 0x0a, 0xc2, 0xdc, 0x6f, 0xad, + 0x49, 0x03, 0xfa, 0xe6, 0x7e, 0xa6, 0x24, 0x32, 0xe6, 0x8f, + 0xd9, 0x70, 0xfa, 0x59, 0x70, 0xa9, 0xa3, 0x08, 0x7d, 0x89, + 0xc4, 0x96, 0x61, 0xc2, 0xf5, 0xe5, 0xb5, 0x3b, 0x0d, 0xec, + 0xb8, 0x9c, 0xee, 0x09, 0x77, 0x27, 0xbd, 0x35, 0x66, 0x90, + 0x9e, 0x46, 0xf7, 0xbd, 0xa6, 0xc5, 0x31, 0xd4, 0x6a, 0x52, + 0x17, 0x5d, 0x0a, 0x0e, 0x2c, 0x34, 0x7a, 0x6a, 0x21, 0xac, + 0x42, 0xf0, 0x31, 0xde, 0x48, 0xe0, 0x27, 0xd0, 0x79, 0xc9, + 0x06, 0x94, 0x7b, 0x51, 0x4b, 0x5b, 0x02, 0x6a, 0x19, 0xba, + 0x71, 0x45, 0x9c, 0xdf, 0xe6, 0x30, 0x9e, 0xaa, 0xad, 0xa1, + 0x87, 0xf6, 0x37, 0xde, 0xa2, 0x97, 0x68, 0x20, 0x2d, 0x5a, + 0xdc, 0xdd, 0x91, 0x63, 0x5f, 0x79, 0xda, 0x99, 0x20, 0x3a, + 0x4b, 0xe5, 0x43, 0x0e, 0x12, 0x70, 0x57, 0x91, 0xfa, 0xee, + 0xc4, 0xb6, 0xb6, 0xb1, 0xf1, 0x06, 0xbd, 0xcf, 0x8d, 0x2a, + 0x05, 0xc0, 0x07, 0x23, 0x84, 0x85, 0xef, 0x9c, 0xbb, 0x6f, + 0x5f, 0x4a, 0x9a, 0x27, 0x9f, 0x9f, 0x32, 0x97, 0xe8, 0x24, + 0xb9, 0x64, 0x2c, 0x39, 0xff, 0x2f, 0x4b, 0xc4, 0x7e, 0x65, + 0xfe, 0xbb, 0x5c, 0xa0, 0xb2, 0x6e, 0xc4, 0xb6, 0x93, 0x2b, + 0x51, 0x9e, 0x2e, 0x1f, 0xd8, 0xcf, 0x60, 0xe0, 0x75, 0x15, + 0xf9, 0xa0, 0x67, 0x99, 0x88, 0x2b, 0x76, 0xce, 0x41, 0x42, + 0x10, 0x29, 0x89, 0xbf, 0xca, 0xb7, 0x61, 0x08, 0x94, 0xee, + 0xa0, 0xb3, 0x3a, 0x09, 0xc5, 0x6f, 0x04, 0xf9, 0x1b, 0xb5, + 0x64, 0x99, 0x08, 0xe4, 0xcc, 0xce, 0xdf, 0x71, 0x65, 0x8a, + 0x6d, 0x62, 0xde, 0x76, 0x1d, 0x6d, 0x6b, 0x78, 0x22, 0x32, + 0x63, 0xdd, 0x53, 0x7d, 0xec, 0xed, 0x9d, 0x82, 0xa9, 0x2c, + 0x5c, 0x8a, 0x17, 0xdd, 0x85, 0xf9, 0xd2, 0xac, 0x6e, 0x98, + 0x60, 0x2e, 0x08, 0xd4, 0x06, 0x76, 0xf4, 0x97, 0xca, 0xb1, + 0x72, 0x50, 0x5b, 0x83, 0xea, 0xbb, 0x39, 0x0f, 0x18, 0xb3, + 0xb8, 0x03, 0xee, 0x7c, 0x84, 0xa9, 0x69, 0xcd, 0x1d, 0xbd, + 0xe2, 0xb7, 0xce, 0xe2, 0x6f, 0x03, 0x49, 0x52, 0x67, 0xa0, + 0x1b, 0x23, 0x43, 0x92, 0x2c, 0x7c, 0x3b, 0x65, 0xe8, 0x61, + 0x99, 0xde, 0xb5, 0xf1, 0x63, 0x73, 0x92, 0x6c, 0x70, 0x8b, + 0x83, 0x10, 0xb4, 0x06, 0x2c, 0x99, 0x12, 0x73, 0xec, 0x87, + 0x92, 0x09, 0x67, 0x96, 0xd6, 0x9c, 0x9f, 0x35, 0x48, 0x48, + 0x3b, 0x44, 0x00, 0x73, 0x1c, 0x59, 0xeb, 0x81, 0x7b, 0xd1, + 0xda, 0x76, 0xcf, 0xc2, 0x4d, 0xf1, 0xa2, 0x5b, 0x2f, 0x5f, + 0x91, 0x29, 0x6e, 0x08, 0x37, 0xd6, 0xaa, 0xd2, 0xf8, 0x4f, + 0x5e, 0x00, 0x16, 0x52 +}; diff --git a/openssl-1.1.0h/apps/timeouts.h b/openssl-1.1.0h/apps/timeouts.h new file mode 100644 index 0000000..e023b0a --- /dev/null +++ b/openssl-1.1.0h/apps/timeouts.h @@ -0,0 +1,17 @@ +/* + * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef INCLUDED_TIMEOUTS_H +# define INCLUDED_TIMEOUTS_H + +/* numbers in us */ +# define DGRAM_RCV_TIMEOUT 250000 +# define DGRAM_SND_TIMEOUT 250000 + +#endif /* ! INCLUDED_TIMEOUTS_H */ diff --git a/openssl-1.1.0h/apps/ts.c b/openssl-1.1.0h/apps/ts.c new file mode 100644 index 0000000..0e07c08 --- /dev/null +++ b/openssl-1.1.0h/apps/ts.c @@ -0,0 +1,995 @@ +/* + * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#ifdef OPENSSL_NO_TS +NON_EMPTY_TRANSLATION_UNIT +#else +# include +# include +# include +# include "apps.h" +# include +# include +# include +# include +# include +# include + +/* Request nonce length, in bits (must be a multiple of 8). */ +# define NONCE_LENGTH 64 + +/* Name of config entry that defines the OID file. */ +# define ENV_OID_FILE "oid_file" + +/* Is |EXACTLY_ONE| of three pointers set? */ +# define EXACTLY_ONE(a, b, c) \ + (( a && !b && !c) || \ + ( b && !a && !c) || \ + ( c && !a && !b)) + +static ASN1_OBJECT *txt2obj(const char *oid); +static CONF *load_config_file(const char *configfile); + +/* Query related functions. */ +static int query_command(const char *data, const char *digest, + const EVP_MD *md, const char *policy, int no_nonce, + int cert, const char *in, const char *out, int text); +static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md, + const char *policy, int no_nonce, int cert); +static int create_digest(BIO *input, const char *digest, + const EVP_MD *md, unsigned char **md_value); +static ASN1_INTEGER *create_nonce(int bits); + +/* Reply related functions. */ +static int reply_command(CONF *conf, const char *section, const char *engine, + const char *queryfile, const char *passin, const char *inkey, + const EVP_MD *md, const char *signer, const char *chain, + const char *policy, const char *in, int token_in, + const char *out, int token_out, int text); +static TS_RESP *read_PKCS7(BIO *in_bio); +static TS_RESP *create_response(CONF *conf, const char *section, const char *engine, + const char *queryfile, const char *passin, + const char *inkey, const EVP_MD *md, const char *signer, + const char *chain, const char *policy); +static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data); +static ASN1_INTEGER *next_serial(const char *serialfile); +static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial); + +/* Verify related functions. */ +static int verify_command(const char *data, const char *digest, const char *queryfile, + const char *in, int token_in, + const char *CApath, const char *CAfile, const char *untrusted, + X509_VERIFY_PARAM *vpm); +static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest, + const char *queryfile, + const char *CApath, const char *CAfile, + const char *untrusted, + X509_VERIFY_PARAM *vpm); +static X509_STORE *create_cert_store(const char *CApath, const char *CAfile, + X509_VERIFY_PARAM *vpm); +static int verify_cb(int ok, X509_STORE_CTX *ctx); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA, + OPT_DIGEST, OPT_RAND, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT, + OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT, + OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER, + OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_UNTRUSTED, + OPT_MD, OPT_V_ENUM +} OPTION_CHOICE; + +OPTIONS ts_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"config", OPT_CONFIG, '<', "Configuration file"}, + {"section", OPT_SECTION, 's', "Section to use within config file"}, + {"query", OPT_QUERY, '-', "Generate a TS query"}, + {"data", OPT_DATA, '<', "File to hash"}, + {"digest", OPT_DIGEST, 's', "Digest (as a hex string)"}, + {"rand", OPT_RAND, 's', + "Load the file(s) into the random number generator"}, + {"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"}, + {"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"}, + {"cert", OPT_CERT, '-', "Put cert request into query"}, + {"in", OPT_IN, '<', "Input file"}, + {"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"}, + {"out", OPT_OUT, '>', "Output file"}, + {"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"}, + {"text", OPT_TEXT, '-', "Output text (not DER)"}, + {"reply", OPT_REPLY, '-', "Generate a TS reply"}, + {"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"}, + {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, + {"inkey", OPT_INKEY, 's', "File with private key for reply"}, + {"signer", OPT_SIGNER, 's', "Signer certificate file"}, + {"chain", OPT_CHAIN, '<', "File with signer CA chain"}, + {"verify", OPT_VERIFY, '-', "Verify a TS response"}, + {"CApath", OPT_CAPATH, '/', "Path to trusted CA files"}, + {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"}, + {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"}, + {"", OPT_MD, '-', "Any supported digest"}, +# ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +# endif + {OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"}, + OPT_V_OPTIONS, + {OPT_HELP_STR, 1, '-', "\n"}, + {NULL} +}; + +/* + * This command is so complex, special help is needed. + */ +static char* opt_helplist[] = { + "Typical uses:", + "ts -query [-rand file...] [-config file] [-data file]", + " [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]", + " [-in file] [-out file] [-text]", + " or", + "ts -reply [-config file] [-section tsa_section]", + " [-queryfile file] [-passin password]", + " [-signer tsa_cert.pem] [-inkey private_key.pem]", + " [-chain certs_file.pem] [-tspolicy oid]", + " [-in file] [-token_in] [-out file] [-token_out]", +# ifndef OPENSSL_NO_ENGINE + " [-text] [-engine id]", +# else + " [-text]", +# endif + " or", + "ts -verify -CApath dir -CAfile file.pem -untrusted file.pem", + " [-data file] [-digest hexstring]", + " [-queryfile file] -in file [-token_in]", + " [[options specific to 'ts -verify']]", + NULL, +}; + +int ts_main(int argc, char **argv) +{ + CONF *conf = NULL; + const char *CAfile = NULL, *untrusted = NULL, *prog; + const char *configfile = default_config_file, *engine = NULL; + const char *section = NULL; + char **helpp; + char *password = NULL; + char *data = NULL, *digest = NULL, *rnd = NULL, *policy = NULL; + char *in = NULL, *out = NULL, *queryfile = NULL, *passin = NULL; + char *inkey = NULL, *signer = NULL, *chain = NULL, *CApath = NULL; + const EVP_MD *md = NULL; + OPTION_CHOICE o, mode = OPT_ERR; + int ret = 1, no_nonce = 0, cert = 0, text = 0; + int vpmtouched = 0; + X509_VERIFY_PARAM *vpm = NULL; + /* Input is ContentInfo instead of TimeStampResp. */ + int token_in = 0; + /* Output is ContentInfo instead of TimeStampResp. */ + int token_out = 0; + + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + goto end; + + prog = opt_init(argc, argv, ts_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(ts_options); + for (helpp = opt_helplist; *helpp; ++helpp) + BIO_printf(bio_err, "%s\n", *helpp); + ret = 0; + goto end; + case OPT_CONFIG: + configfile = opt_arg(); + break; + case OPT_SECTION: + section = opt_arg(); + break; + case OPT_QUERY: + case OPT_REPLY: + case OPT_VERIFY: + if (mode != OPT_ERR) + goto opthelp; + mode = o; + break; + case OPT_DATA: + data = opt_arg(); + break; + case OPT_DIGEST: + digest = opt_arg(); + break; + case OPT_RAND: + rnd = opt_arg(); + break; + case OPT_TSPOLICY: + policy = opt_arg(); + break; + case OPT_NO_NONCE: + no_nonce = 1; + break; + case OPT_CERT: + cert = 1; + break; + case OPT_IN: + in = opt_arg(); + break; + case OPT_TOKEN_IN: + token_in = 1; + break; + case OPT_OUT: + out = opt_arg(); + break; + case OPT_TOKEN_OUT: + token_out = 1; + break; + case OPT_TEXT: + text = 1; + break; + case OPT_QUERYFILE: + queryfile = opt_arg(); + break; + case OPT_PASSIN: + passin = opt_arg(); + break; + case OPT_INKEY: + inkey = opt_arg(); + break; + case OPT_SIGNER: + signer = opt_arg(); + break; + case OPT_CHAIN: + chain = opt_arg(); + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_UNTRUSTED: + untrusted = opt_arg(); + break; + case OPT_ENGINE: + engine = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_unknown(), &md)) + goto opthelp; + break; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; + } + } + if (mode == OPT_ERR || opt_num_rest() != 0) + goto opthelp; + + /* Seed the random number generator if it is going to be used. */ + if (mode == OPT_QUERY && !no_nonce) { + if (!app_RAND_load_file(NULL, 1) && rnd == NULL) + BIO_printf(bio_err, "warning, not much extra random " + "data, consider using the -rand option\n"); + if (rnd != NULL) + BIO_printf(bio_err, "%ld semi-random bytes loaded\n", + app_RAND_load_files(rnd)); + } + + if (mode == OPT_REPLY && passin && + !app_passwd(passin, NULL, &password, NULL)) { + BIO_printf(bio_err, "Error getting password.\n"); + goto end; + } + + conf = load_config_file(configfile); + if (configfile != default_config_file && !app_load_modules(conf)) + goto end; + + /* Check parameter consistency and execute the appropriate function. */ + switch (mode) { + default: + case OPT_ERR: + goto opthelp; + case OPT_QUERY: + if (vpmtouched) + goto opthelp; + if ((data != NULL) && (digest != NULL)) + goto opthelp; + ret = !query_command(data, digest, md, policy, no_nonce, cert, + in, out, text); + break; + case OPT_REPLY: + if (vpmtouched) + goto opthelp; + if ((in != NULL) && (queryfile != NULL)) + goto opthelp; + if (in == NULL) { + if ((conf == NULL) || (token_in != 0)) + goto opthelp; + } + ret = !reply_command(conf, section, engine, queryfile, + password, inkey, md, signer, chain, policy, + in, token_in, out, token_out, text); + break; + case OPT_VERIFY: + if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest)) + goto opthelp; + ret = !verify_command(data, digest, queryfile, in, token_in, + CApath, CAfile, untrusted, + vpmtouched ? vpm : NULL); + } + + end: + X509_VERIFY_PARAM_free(vpm); + app_RAND_write_file(NULL); + NCONF_free(conf); + OPENSSL_free(password); + return (ret); +} + +/* + * Configuration file-related function definitions. + */ + +static ASN1_OBJECT *txt2obj(const char *oid) +{ + ASN1_OBJECT *oid_obj = NULL; + + if ((oid_obj = OBJ_txt2obj(oid, 0)) == NULL) + BIO_printf(bio_err, "cannot convert %s to OID\n", oid); + + return oid_obj; +} + +static CONF *load_config_file(const char *configfile) +{ + CONF *conf = app_load_config(configfile); + + if (conf != NULL) { + const char *p; + + BIO_printf(bio_err, "Using configuration from %s\n", configfile); + p = NCONF_get_string(conf, NULL, ENV_OID_FILE); + if (p != NULL) { + BIO *oid_bio = BIO_new_file(p, "r"); + if (!oid_bio) + ERR_print_errors(bio_err); + else { + OBJ_create_objects(oid_bio); + BIO_free_all(oid_bio); + } + } else + ERR_clear_error(); + if (!add_oid_section(conf)) + ERR_print_errors(bio_err); + } + return conf; +} + +/* + * Query-related method definitions. + */ +static int query_command(const char *data, const char *digest, const EVP_MD *md, + const char *policy, int no_nonce, + int cert, const char *in, const char *out, int text) +{ + int ret = 0; + TS_REQ *query = NULL; + BIO *in_bio = NULL; + BIO *data_bio = NULL; + BIO *out_bio = NULL; + + /* Build query object. */ + if (in != NULL) { + if ((in_bio = bio_open_default(in, 'r', FORMAT_ASN1)) == NULL) + goto end; + query = d2i_TS_REQ_bio(in_bio, NULL); + } else { + if (digest == NULL + && (data_bio = bio_open_default(data, 'r', FORMAT_ASN1)) == NULL) + goto end; + query = create_query(data_bio, digest, md, policy, no_nonce, cert); + } + if (query == NULL) + goto end; + + if (text) { + if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL) + goto end; + if (!TS_REQ_print_bio(out_bio, query)) + goto end; + } else { + if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL) + goto end; + if (!i2d_TS_REQ_bio(out_bio, query)) + goto end; + } + + ret = 1; + + end: + ERR_print_errors(bio_err); + BIO_free_all(in_bio); + BIO_free_all(data_bio); + BIO_free_all(out_bio); + TS_REQ_free(query); + return ret; +} + +static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md, + const char *policy, int no_nonce, int cert) +{ + int ret = 0; + TS_REQ *ts_req = NULL; + int len; + TS_MSG_IMPRINT *msg_imprint = NULL; + X509_ALGOR *algo = NULL; + unsigned char *data = NULL; + ASN1_OBJECT *policy_obj = NULL; + ASN1_INTEGER *nonce_asn1 = NULL; + + if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL) + goto err; + if ((ts_req = TS_REQ_new()) == NULL) + goto err; + if (!TS_REQ_set_version(ts_req, 1)) + goto err; + if ((msg_imprint = TS_MSG_IMPRINT_new()) == NULL) + goto err; + if ((algo = X509_ALGOR_new()) == NULL) + goto err; + if ((algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))) == NULL) + goto err; + if ((algo->parameter = ASN1_TYPE_new()) == NULL) + goto err; + algo->parameter->type = V_ASN1_NULL; + if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo)) + goto err; + if ((len = create_digest(data_bio, digest, md, &data)) == 0) + goto err; + if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len)) + goto err; + if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint)) + goto err; + if (policy && (policy_obj = txt2obj(policy)) == NULL) + goto err; + if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj)) + goto err; + + /* Setting nonce if requested. */ + if (!no_nonce && (nonce_asn1 = create_nonce(NONCE_LENGTH)) == NULL) + goto err; + if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1)) + goto err; + if (!TS_REQ_set_cert_req(ts_req, cert)) + goto err; + + ret = 1; + err: + if (!ret) { + TS_REQ_free(ts_req); + ts_req = NULL; + BIO_printf(bio_err, "could not create query\n"); + ERR_print_errors(bio_err); + } + TS_MSG_IMPRINT_free(msg_imprint); + X509_ALGOR_free(algo); + OPENSSL_free(data); + ASN1_OBJECT_free(policy_obj); + ASN1_INTEGER_free(nonce_asn1); + return ts_req; +} + +static int create_digest(BIO *input, const char *digest, const EVP_MD *md, + unsigned char **md_value) +{ + int md_value_len; + int rv = 0; + EVP_MD_CTX *md_ctx = NULL; + + md_value_len = EVP_MD_size(md); + if (md_value_len < 0) + return 0; + + if (input) { + unsigned char buffer[4096]; + int length; + + md_ctx = EVP_MD_CTX_new(); + if (md_ctx == NULL) + return 0; + *md_value = app_malloc(md_value_len, "digest buffer"); + if (!EVP_DigestInit(md_ctx, md)) + goto err; + while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) { + if (!EVP_DigestUpdate(md_ctx, buffer, length)) + goto err; + } + if (!EVP_DigestFinal(md_ctx, *md_value, NULL)) + goto err; + md_value_len = EVP_MD_size(md); + } else { + long digest_len; + *md_value = OPENSSL_hexstr2buf(digest, &digest_len); + if (!*md_value || md_value_len != digest_len) { + OPENSSL_free(*md_value); + *md_value = NULL; + BIO_printf(bio_err, "bad digest, %d bytes " + "must be specified\n", md_value_len); + return 0; + } + } + rv = md_value_len; + err: + EVP_MD_CTX_free(md_ctx); + return rv; +} + +static ASN1_INTEGER *create_nonce(int bits) +{ + unsigned char buf[20]; + ASN1_INTEGER *nonce = NULL; + int len = (bits - 1) / 8 + 1; + int i; + + if (len > (int)sizeof(buf)) + goto err; + if (RAND_bytes(buf, len) <= 0) + goto err; + + /* Find the first non-zero byte and creating ASN1_INTEGER object. */ + for (i = 0; i < len && !buf[i]; ++i) + continue; + if ((nonce = ASN1_INTEGER_new()) == NULL) + goto err; + OPENSSL_free(nonce->data); + nonce->length = len - i; + nonce->data = app_malloc(nonce->length + 1, "nonce buffer"); + memcpy(nonce->data, buf + i, nonce->length); + return nonce; + + err: + BIO_printf(bio_err, "could not create nonce\n"); + ASN1_INTEGER_free(nonce); + return NULL; +} + +/* + * Reply-related method definitions. + */ + +static int reply_command(CONF *conf, const char *section, const char *engine, + const char *queryfile, const char *passin, const char *inkey, + const EVP_MD *md, const char *signer, const char *chain, + const char *policy, const char *in, int token_in, + const char *out, int token_out, int text) +{ + int ret = 0; + TS_RESP *response = NULL; + BIO *in_bio = NULL; + BIO *query_bio = NULL; + BIO *inkey_bio = NULL; + BIO *signer_bio = NULL; + BIO *out_bio = NULL; + + if (in != NULL) { + if ((in_bio = BIO_new_file(in, "rb")) == NULL) + goto end; + if (token_in) { + response = read_PKCS7(in_bio); + } else { + response = d2i_TS_RESP_bio(in_bio, NULL); + } + } else { + response = create_response(conf, section, engine, queryfile, + passin, inkey, md, signer, chain, policy); + if (response) + BIO_printf(bio_err, "Response has been generated.\n"); + else + BIO_printf(bio_err, "Response is not generated.\n"); + } + if (response == NULL) + goto end; + + /* Write response. */ + if (text) { + if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL) + goto end; + if (token_out) { + TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); + if (!TS_TST_INFO_print_bio(out_bio, tst_info)) + goto end; + } else { + if (!TS_RESP_print_bio(out_bio, response)) + goto end; + } + } else { + if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL) + goto end; + if (token_out) { + PKCS7 *token = TS_RESP_get_token(response); + if (!i2d_PKCS7_bio(out_bio, token)) + goto end; + } else { + if (!i2d_TS_RESP_bio(out_bio, response)) + goto end; + } + } + + ret = 1; + + end: + ERR_print_errors(bio_err); + BIO_free_all(in_bio); + BIO_free_all(query_bio); + BIO_free_all(inkey_bio); + BIO_free_all(signer_bio); + BIO_free_all(out_bio); + TS_RESP_free(response); + return ret; +} + +/* Reads a PKCS7 token and adds default 'granted' status info to it. */ +static TS_RESP *read_PKCS7(BIO *in_bio) +{ + int ret = 0; + PKCS7 *token = NULL; + TS_TST_INFO *tst_info = NULL; + TS_RESP *resp = NULL; + TS_STATUS_INFO *si = NULL; + + if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL) + goto end; + if ((tst_info = PKCS7_to_TS_TST_INFO(token)) == NULL) + goto end; + if ((resp = TS_RESP_new()) == NULL) + goto end; + if ((si = TS_STATUS_INFO_new()) == NULL) + goto end; + if (!TS_STATUS_INFO_set_status(si, TS_STATUS_GRANTED)) + goto end; + if (!TS_RESP_set_status_info(resp, si)) + goto end; + TS_RESP_set_tst_info(resp, token, tst_info); + token = NULL; /* Ownership is lost. */ + tst_info = NULL; /* Ownership is lost. */ + ret = 1; + + end: + PKCS7_free(token); + TS_TST_INFO_free(tst_info); + if (!ret) { + TS_RESP_free(resp); + resp = NULL; + } + TS_STATUS_INFO_free(si); + return resp; +} + +static TS_RESP *create_response(CONF *conf, const char *section, const char *engine, + const char *queryfile, const char *passin, + const char *inkey, const EVP_MD *md, const char *signer, + const char *chain, const char *policy) +{ + int ret = 0; + TS_RESP *response = NULL; + BIO *query_bio = NULL; + TS_RESP_CTX *resp_ctx = NULL; + + if ((query_bio = BIO_new_file(queryfile, "rb")) == NULL) + goto end; + if ((section = TS_CONF_get_tsa_section(conf, section)) == NULL) + goto end; + if ((resp_ctx = TS_RESP_CTX_new()) == NULL) + goto end; + if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx)) + goto end; +# ifndef OPENSSL_NO_ENGINE + if (!TS_CONF_set_crypto_device(conf, section, engine)) + goto end; +# endif + if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx)) + goto end; + if (!TS_CONF_set_certs(conf, section, chain, resp_ctx)) + goto end; + if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx)) + goto end; + + if (md) { + if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md)) + goto end; + } else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) { + goto end; + } + + if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx)) + goto end; + if (!TS_CONF_set_policies(conf, section, resp_ctx)) + goto end; + if (!TS_CONF_set_digests(conf, section, resp_ctx)) + goto end; + if (!TS_CONF_set_accuracy(conf, section, resp_ctx)) + goto end; + if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx)) + goto end; + if (!TS_CONF_set_ordering(conf, section, resp_ctx)) + goto end; + if (!TS_CONF_set_tsa_name(conf, section, resp_ctx)) + goto end; + if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx)) + goto end; + if ((response = TS_RESP_create_response(resp_ctx, query_bio)) == NULL) + goto end; + ret = 1; + + end: + if (!ret) { + TS_RESP_free(response); + response = NULL; + } + TS_RESP_CTX_free(resp_ctx); + BIO_free_all(query_bio); + return response; +} + +static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data) +{ + const char *serial_file = (const char *)data; + ASN1_INTEGER *serial = next_serial(serial_file); + + if (!serial) { + TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, + "Error during serial number " + "generation."); + TS_RESP_CTX_add_failure_info(ctx, TS_INFO_ADD_INFO_NOT_AVAILABLE); + } else + save_ts_serial(serial_file, serial); + + return serial; +} + +static ASN1_INTEGER *next_serial(const char *serialfile) +{ + int ret = 0; + BIO *in = NULL; + ASN1_INTEGER *serial = NULL; + BIGNUM *bn = NULL; + + if ((serial = ASN1_INTEGER_new()) == NULL) + goto err; + + if ((in = BIO_new_file(serialfile, "r")) == NULL) { + ERR_clear_error(); + BIO_printf(bio_err, "Warning: could not open file %s for " + "reading, using serial number: 1\n", serialfile); + if (!ASN1_INTEGER_set(serial, 1)) + goto err; + } else { + char buf[1024]; + if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) { + BIO_printf(bio_err, "unable to load number from %s\n", + serialfile); + goto err; + } + if ((bn = ASN1_INTEGER_to_BN(serial, NULL)) == NULL) + goto err; + ASN1_INTEGER_free(serial); + serial = NULL; + if (!BN_add_word(bn, 1)) + goto err; + if ((serial = BN_to_ASN1_INTEGER(bn, NULL)) == NULL) + goto err; + } + ret = 1; + + err: + if (!ret) { + ASN1_INTEGER_free(serial); + serial = NULL; + } + BIO_free_all(in); + BN_free(bn); + return serial; +} + +static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial) +{ + int ret = 0; + BIO *out = NULL; + + if ((out = BIO_new_file(serialfile, "w")) == NULL) + goto err; + if (i2a_ASN1_INTEGER(out, serial) <= 0) + goto err; + if (BIO_puts(out, "\n") <= 0) + goto err; + ret = 1; + err: + if (!ret) + BIO_printf(bio_err, "could not save serial number to %s\n", + serialfile); + BIO_free_all(out); + return ret; +} + + +/* + * Verify-related method definitions. + */ + +static int verify_command(const char *data, const char *digest, const char *queryfile, + const char *in, int token_in, + const char *CApath, const char *CAfile, const char *untrusted, + X509_VERIFY_PARAM *vpm) +{ + BIO *in_bio = NULL; + PKCS7 *token = NULL; + TS_RESP *response = NULL; + TS_VERIFY_CTX *verify_ctx = NULL; + int ret = 0; + + if ((in_bio = BIO_new_file(in, "rb")) == NULL) + goto end; + if (token_in) { + if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL) + goto end; + } else { + if ((response = d2i_TS_RESP_bio(in_bio, NULL)) == NULL) + goto end; + } + + if ((verify_ctx = create_verify_ctx(data, digest, queryfile, + CApath, CAfile, untrusted, + vpm)) == NULL) + goto end; + + ret = token_in + ? TS_RESP_verify_token(verify_ctx, token) + : TS_RESP_verify_response(verify_ctx, response); + + end: + printf("Verification: "); + if (ret) + printf("OK\n"); + else { + printf("FAILED\n"); + ERR_print_errors(bio_err); + } + + BIO_free_all(in_bio); + PKCS7_free(token); + TS_RESP_free(response); + TS_VERIFY_CTX_free(verify_ctx); + return ret; +} + +static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest, + const char *queryfile, + const char *CApath, const char *CAfile, + const char *untrusted, + X509_VERIFY_PARAM *vpm) +{ + TS_VERIFY_CTX *ctx = NULL; + BIO *input = NULL; + TS_REQ *request = NULL; + int ret = 0; + int f = 0; + + if (data != NULL || digest != NULL) { + if ((ctx = TS_VERIFY_CTX_new()) == NULL) + goto err; + f = TS_VFY_VERSION | TS_VFY_SIGNER; + if (data != NULL) { + BIO *out = NULL; + + f |= TS_VFY_DATA; + if ((out = BIO_new_file(data, "rb")) == NULL) + goto err; + if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) { + BIO_free_all(out); + goto err; + } + } else if (digest != NULL) { + long imprint_len; + unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len); + f |= TS_VFY_IMPRINT; + if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) { + BIO_printf(bio_err, "invalid digest string\n"); + goto err; + } + } + + } else if (queryfile != NULL) { + if ((input = BIO_new_file(queryfile, "rb")) == NULL) + goto err; + if ((request = d2i_TS_REQ_bio(input, NULL)) == NULL) + goto err; + if ((ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)) == NULL) + goto err; + } else + return NULL; + + /* Add the signature verification flag and arguments. */ + TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE); + + /* Initialising the X509_STORE object. */ + if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile, vpm)) + == NULL) + goto err; + + /* Loading untrusted certificates. */ + if (untrusted + && TS_VERIFY_CTS_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL) + goto err; + ret = 1; + + err: + if (!ret) { + TS_VERIFY_CTX_free(ctx); + ctx = NULL; + } + BIO_free_all(input); + TS_REQ_free(request); + return ctx; +} + +static X509_STORE *create_cert_store(const char *CApath, const char *CAfile, + X509_VERIFY_PARAM *vpm) +{ + X509_STORE *cert_ctx = NULL; + X509_LOOKUP *lookup = NULL; + int i; + + cert_ctx = X509_STORE_new(); + X509_STORE_set_verify_cb(cert_ctx, verify_cb); + if (CApath != NULL) { + lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); + if (lookup == NULL) { + BIO_printf(bio_err, "memory allocation failure\n"); + goto err; + } + i = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM); + if (!i) { + BIO_printf(bio_err, "Error loading directory %s\n", CApath); + goto err; + } + } + + if (CAfile != NULL) { + lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); + if (lookup == NULL) { + BIO_printf(bio_err, "memory allocation failure\n"); + goto err; + } + i = X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM); + if (!i) { + BIO_printf(bio_err, "Error loading file %s\n", CAfile); + goto err; + } + } + + if (vpm != NULL) + X509_STORE_set1_param(cert_ctx, vpm); + + return cert_ctx; + + err: + X509_STORE_free(cert_ctx); + return NULL; +} + +static int verify_cb(int ok, X509_STORE_CTX *ctx) +{ + return ok; +} +#endif /* ndef OPENSSL_NO_TS */ diff --git a/openssl-1.1.0h/apps/tsget.in b/openssl-1.1.0h/apps/tsget.in new file mode 100644 index 0000000..c6193e5 --- /dev/null +++ b/openssl-1.1.0h/apps/tsget.in @@ -0,0 +1,200 @@ +#!{- $config{hashbangperl} -} +# Copyright (c) 2002 The OpenTSA Project. All rights reserved. +# Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use IO::Handle; +use Getopt::Std; +use File::Basename; +use WWW::Curl::Easy; + +use vars qw(%options); + +# Callback for reading the body. +sub read_body { + my ($maxlength, $state) = @_; + my $return_data = ""; + my $data_len = length ${$state->{data}}; + if ($state->{bytes} < $data_len) { + $data_len = $data_len - $state->{bytes}; + $data_len = $maxlength if $data_len > $maxlength; + $return_data = substr ${$state->{data}}, $state->{bytes}, $data_len; + $state->{bytes} += $data_len; + } + return $return_data; +} + +# Callback for writing the body into a variable. +sub write_body { + my ($data, $pointer) = @_; + ${$pointer} .= $data; + return length($data); +} + +# Initialise a new Curl object. +sub create_curl { + my $url = shift; + + # Create Curl object. + my $curl = WWW::Curl::Easy::new(); + + # Error-handling related options. + $curl->setopt(CURLOPT_VERBOSE, 1) if $options{d}; + $curl->setopt(CURLOPT_FAILONERROR, 1); + $curl->setopt(CURLOPT_USERAGENT, + "OpenTSA tsget.pl/openssl-{- $config{version} -}"); + + # Options for POST method. + $curl->setopt(CURLOPT_UPLOAD, 1); + $curl->setopt(CURLOPT_CUSTOMREQUEST, "POST"); + $curl->setopt(CURLOPT_HTTPHEADER, + ["Content-Type: application/timestamp-query", + "Accept: application/timestamp-reply,application/timestamp-response"]); + $curl->setopt(CURLOPT_READFUNCTION, \&read_body); + $curl->setopt(CURLOPT_HEADERFUNCTION, sub { return length($_[0]); }); + + # Options for getting the result. + $curl->setopt(CURLOPT_WRITEFUNCTION, \&write_body); + + # SSL related options. + $curl->setopt(CURLOPT_SSLKEYTYPE, "PEM"); + $curl->setopt(CURLOPT_SSL_VERIFYPEER, 1); # Verify server's certificate. + $curl->setopt(CURLOPT_SSL_VERIFYHOST, 2); # Check server's CN. + $curl->setopt(CURLOPT_SSLKEY, $options{k}) if defined($options{k}); + $curl->setopt(CURLOPT_SSLKEYPASSWD, $options{p}) if defined($options{p}); + $curl->setopt(CURLOPT_SSLCERT, $options{c}) if defined($options{c}); + $curl->setopt(CURLOPT_CAINFO, $options{C}) if defined($options{C}); + $curl->setopt(CURLOPT_CAPATH, $options{P}) if defined($options{P}); + $curl->setopt(CURLOPT_RANDOM_FILE, $options{r}) if defined($options{r}); + $curl->setopt(CURLOPT_EGDSOCKET, $options{g}) if defined($options{g}); + + # Setting destination. + $curl->setopt(CURLOPT_URL, $url); + + return $curl; +} + +# Send a request and returns the body back. +sub get_timestamp { + my $curl = shift; + my $body = shift; + my $ts_body; + local $::error_buf; + + # Error-handling related options. + $curl->setopt(CURLOPT_ERRORBUFFER, "::error_buf"); + + # Options for POST method. + $curl->setopt(CURLOPT_INFILE, {data => $body, bytes => 0}); + $curl->setopt(CURLOPT_INFILESIZE, length(${$body})); + + # Options for getting the result. + $curl->setopt(CURLOPT_FILE, \$ts_body); + + # Send the request... + my $error_code = $curl->perform(); + my $error_string; + if ($error_code != 0) { + my $http_code = $curl->getinfo(CURLINFO_HTTP_CODE); + $error_string = "could not get timestamp"; + $error_string .= ", http code: $http_code" unless $http_code == 0; + $error_string .= ", curl code: $error_code"; + $error_string .= " ($::error_buf)" if defined($::error_buf); + } else { + my $ct = $curl->getinfo(CURLINFO_CONTENT_TYPE); + if (lc($ct) ne "application/timestamp-reply" + && lc($ct) ne "application/timestamp-response") { + $error_string = "unexpected content type returned: $ct"; + } + } + return ($ts_body, $error_string); + +} + +# Print usage information and exists. +sub usage { + + print STDERR "usage: $0 -h [-e ] [-o ] "; + print STDERR "[-v] [-d] [-k ] [-p ] "; + print STDERR "[-c ] [-C ] [-P ] "; + print STDERR "[-r ] [-g ] []...\n"; + exit 1; +} + +# ---------------------------------------------------------------------- +# Main program +# ---------------------------------------------------------------------- + +# Getting command-line options (default comes from TSGET environment variable). +my $getopt_arg = "h:e:o:vdk:p:c:C:P:r:g:"; +if (exists $ENV{TSGET}) { + my @old_argv = @ARGV; + @ARGV = split /\s+/, $ENV{TSGET}; + getopts($getopt_arg, \%options) or usage; + @ARGV = @old_argv; +} +getopts($getopt_arg, \%options) or usage; + +# Checking argument consistency. +if (!exists($options{h}) || (@ARGV == 0 && !exists($options{o})) + || (@ARGV > 1 && exists($options{o}))) { + print STDERR "Inconsistent command line options.\n"; + usage; +} +# Setting defaults. +@ARGV = ("-") unless @ARGV != 0; +$options{e} = ".tsr" unless defined($options{e}); + +# Processing requests. +my $curl = create_curl $options{h}; +undef $/; # For reading whole files. +REQUEST: foreach (@ARGV) { + my $input = $_; + my ($base, $path) = fileparse($input, '\.[^.]*'); + my $output_base = $base . $options{e}; + my $output = defined($options{o}) ? $options{o} : $path . $output_base; + + STDERR->printflush("$input: ") if $options{v}; + # Read request. + my $body; + if ($input eq "-") { + # Read the request from STDIN; + $body = ; + } else { + # Read the request from file. + open INPUT, "<" . $input + or warn("$input: could not open input file: $!\n"), next REQUEST; + $body = ; + close INPUT + or warn("$input: could not close input file: $!\n"), next REQUEST; + } + + # Send request. + STDERR->printflush("sending request") if $options{v}; + + my ($ts_body, $error) = get_timestamp $curl, \$body; + if (defined($error)) { + die "$input: fatal error: $error\n"; + } + STDERR->printflush(", reply received") if $options{v}; + + # Write response. + if ($output eq "-") { + # Write to STDOUT. + print $ts_body; + } else { + # Write to file. + open OUTPUT, ">", $output + or warn("$output: could not open output file: $!\n"), next REQUEST; + print OUTPUT $ts_body; + close OUTPUT + or warn("$output: could not close output file: $!\n"), next REQUEST; + } + STDERR->printflush(", $output written.\n") if $options{v}; +} +$curl->cleanup(); diff --git a/openssl-1.1.0h/apps/verify.c b/openssl-1.1.0h/apps/verify.c new file mode 100644 index 0000000..0925ee6 --- /dev/null +++ b/openssl-1.1.0h/apps/verify.c @@ -0,0 +1,312 @@ +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include + +static int cb(int ok, X509_STORE_CTX *ctx); +static int check(X509_STORE *ctx, const char *file, + STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, + STACK_OF(X509_CRL) *crls, int show_chain); +static int v_verbose = 0, vflags = 0; + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, + OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN, + OPT_V_ENUM, + OPT_VERBOSE +} OPTION_CHOICE; + +OPTIONS verify_options[] = { + {OPT_HELP_STR, 1, '-', "Usage: %s [options] cert.pem...\n"}, + {OPT_HELP_STR, 1, '-', "Valid options are:\n"}, + {"help", OPT_HELP, '-', "Display this summary"}, + {"verbose", OPT_VERBOSE, '-', + "Print extra information about the operations being performed."}, + {"CApath", OPT_CAPATH, '/', "A directory of trusted certificates"}, + {"CAfile", OPT_CAFILE, '<', "A file of trusted certificates"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, + {"untrusted", OPT_UNTRUSTED, '<', "A file of untrusted certificates"}, + {"trusted", OPT_TRUSTED, '<', "A file of trusted certificates"}, + {"CRLfile", OPT_CRLFILE, '<', + "File containing one or more CRL's (in PEM format) to load"}, + {"crl_download", OPT_CRL_DOWNLOAD, '-', + "Attempt to download CRL information for this certificate"}, + {"show_chain", OPT_SHOW_CHAIN, '-', + "Display information about the certificate chain"}, + OPT_V_OPTIONS, +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int verify_main(int argc, char **argv) +{ + ENGINE *e = NULL; + STACK_OF(X509) *untrusted = NULL, *trusted = NULL; + STACK_OF(X509_CRL) *crls = NULL; + X509_STORE *store = NULL; + X509_VERIFY_PARAM *vpm = NULL; + const char *prog, *CApath = NULL, *CAfile = NULL; + int noCApath = 0, noCAfile = 0; + int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1; + OPTION_CHOICE o; + + if ((vpm = X509_VERIFY_PARAM_new()) == NULL) + goto end; + + prog = opt_init(argc, argv, verify_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(verify_options); + BIO_printf(bio_err, "Recognized usages:\n"); + for (i = 0; i < X509_PURPOSE_get_count(); i++) { + X509_PURPOSE *ptmp; + ptmp = X509_PURPOSE_get0(i); + BIO_printf(bio_err, "\t%-10s\t%s\n", + X509_PURPOSE_get0_sname(ptmp), + X509_PURPOSE_get0_name(ptmp)); + } + + BIO_printf(bio_err, "Recognized verify names:\n"); + for (i = 0; i < X509_VERIFY_PARAM_get_count(); i++) { + const X509_VERIFY_PARAM *vptmp; + vptmp = X509_VERIFY_PARAM_get0(i); + BIO_printf(bio_err, "\t%-10s\n", + X509_VERIFY_PARAM_get0_name(vptmp)); + } + ret = 0; + goto end; + case OPT_V_CASES: + if (!opt_verify(o, vpm)) + goto end; + vpmtouched++; + break; + case OPT_CAPATH: + CApath = opt_arg(); + break; + case OPT_CAFILE: + CAfile = opt_arg(); + break; + case OPT_NOCAPATH: + noCApath = 1; + break; + case OPT_NOCAFILE: + noCAfile = 1; + break; + case OPT_UNTRUSTED: + /* Zero or more times */ + if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL, + "untrusted certificates")) + goto end; + break; + case OPT_TRUSTED: + /* Zero or more times */ + noCAfile = 1; + noCApath = 1; + if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL, + "trusted certificates")) + goto end; + break; + case OPT_CRLFILE: + /* Zero or more times */ + if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL, + "other CRLs")) + goto end; + break; + case OPT_CRL_DOWNLOAD: + crl_download = 1; + break; + case OPT_ENGINE: + if ((e = setup_engine(opt_arg(), 0)) == NULL) { + /* Failure message already displayed */ + goto end; + } + break; + case OPT_SHOW_CHAIN: + show_chain = 1; + break; + case OPT_VERBOSE: + v_verbose = 1; + break; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + if (trusted != NULL && (CAfile || CApath)) { + BIO_printf(bio_err, + "%s: Cannot use -trusted with -CAfile or -CApath\n", + prog); + goto end; + } + + if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL) + goto end; + X509_STORE_set_verify_cb(store, cb); + + if (vpmtouched) + X509_STORE_set1_param(store, vpm); + + ERR_clear_error(); + + if (crl_download) + store_setup_crl_download(store); + + ret = 0; + if (argc < 1) { + if (check(store, NULL, untrusted, trusted, crls, show_chain) != 1) + ret = -1; + } else { + for (i = 0; i < argc; i++) + if (check(store, argv[i], untrusted, trusted, crls, + show_chain) != 1) + ret = -1; + } + + end: + X509_VERIFY_PARAM_free(vpm); + X509_STORE_free(store); + sk_X509_pop_free(untrusted, X509_free); + sk_X509_pop_free(trusted, X509_free); + sk_X509_CRL_pop_free(crls, X509_CRL_free); + release_engine(e); + return (ret < 0 ? 2 : ret); +} + +static int check(X509_STORE *ctx, const char *file, + STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, + STACK_OF(X509_CRL) *crls, int show_chain) +{ + X509 *x = NULL; + int i = 0, ret = 0; + X509_STORE_CTX *csc; + STACK_OF(X509) *chain = NULL; + int num_untrusted; + + x = load_cert(file, FORMAT_PEM, "certificate file"); + if (x == NULL) + goto end; + + csc = X509_STORE_CTX_new(); + if (csc == NULL) { + printf("error %s: X.509 store context allocation failed\n", + (file == NULL) ? "stdin" : file); + goto end; + } + + X509_STORE_set_flags(ctx, vflags); + if (!X509_STORE_CTX_init(csc, ctx, x, uchain)) { + printf("error %s: X.509 store context initialization failed\n", + (file == NULL) ? "stdin" : file); + goto end; + } + if (tchain) + X509_STORE_CTX_set0_trusted_stack(csc, tchain); + if (crls) + X509_STORE_CTX_set0_crls(csc, crls); + i = X509_verify_cert(csc); + if (i > 0 && X509_STORE_CTX_get_error(csc) == X509_V_OK) { + printf("%s: OK\n", (file == NULL) ? "stdin" : file); + ret = 1; + if (show_chain) { + int j; + + chain = X509_STORE_CTX_get1_chain(csc); + num_untrusted = X509_STORE_CTX_get_num_untrusted(csc); + printf("Chain:\n"); + for (j = 0; j < sk_X509_num(chain); j++) { + X509 *cert = sk_X509_value(chain, j); + printf("depth=%d: ", j); + X509_NAME_print_ex_fp(stdout, + X509_get_subject_name(cert), + 0, XN_FLAG_ONELINE); + if (j < num_untrusted) + printf(" (untrusted)"); + printf("\n"); + } + sk_X509_pop_free(chain, X509_free); + } + } else { + printf("error %s: verification failed\n", (file == NULL) ? "stdin" : file); + } + X509_STORE_CTX_free(csc); + + end: + if (i <= 0) + ERR_print_errors(bio_err); + X509_free(x); + + return ret; +} + +static int cb(int ok, X509_STORE_CTX *ctx) +{ + int cert_error = X509_STORE_CTX_get_error(ctx); + X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); + + if (!ok) { + if (current_cert) { + X509_NAME_print_ex(bio_err, + X509_get_subject_name(current_cert), + 0, XN_FLAG_ONELINE); + BIO_printf(bio_err, "\n"); + } + BIO_printf(bio_err, "%serror %d at %d depth lookup: %s\n", + X509_STORE_CTX_get0_parent_ctx(ctx) ? "[CRL path] " : "", + cert_error, + X509_STORE_CTX_get_error_depth(ctx), + X509_verify_cert_error_string(cert_error)); + switch (cert_error) { + case X509_V_ERR_NO_EXPLICIT_POLICY: + policies_print(ctx); + /* fall thru */ + case X509_V_ERR_CERT_HAS_EXPIRED: + + /* + * since we are just checking the certificates, it is ok if they + * are self signed. But we should still warn the user. + */ + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + /* Continue after extension errors too */ + case X509_V_ERR_INVALID_CA: + case X509_V_ERR_INVALID_NON_CA: + case X509_V_ERR_PATH_LENGTH_EXCEEDED: + case X509_V_ERR_INVALID_PURPOSE: + case X509_V_ERR_CRL_HAS_EXPIRED: + case X509_V_ERR_CRL_NOT_YET_VALID: + case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: + ok = 1; + } + + return ok; + + } + if (cert_error == X509_V_OK && ok == 2) + policies_print(ctx); + if (!v_verbose) + ERR_clear_error(); + return (ok); +} diff --git a/openssl-1.1.0h/apps/version.c b/openssl-1.1.0h/apps/version.c new file mode 100644 index 0000000..2f8be36 --- /dev/null +++ b/openssl-1.1.0h/apps/version.c @@ -0,0 +1,145 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#ifndef OPENSSL_NO_MD2 +# include +#endif +#ifndef OPENSSL_NO_RC4 +# include +#endif +#ifndef OPENSSL_NO_DES +# include +#endif +#ifndef OPENSSL_NO_IDEA +# include +#endif +#ifndef OPENSSL_NO_BF +# include +#endif + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_B, OPT_D, OPT_E, OPT_F, OPT_O, OPT_P, OPT_V, OPT_A +} OPTION_CHOICE; + +OPTIONS version_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"a", OPT_A, '-', "Show all data"}, + {"b", OPT_B, '-', "Show build date"}, + {"d", OPT_D, '-', "Show configuration directory"}, + {"e", OPT_E, '-', "Show engines directory"}, + {"f", OPT_F, '-', "Show compiler flags used"}, + {"o", OPT_O, '-', "Show some internal datatype options"}, + {"p", OPT_P, '-', "Show target build platform"}, + {"v", OPT_V, '-', "Show library version"}, + {NULL} +}; + +int version_main(int argc, char **argv) +{ + int ret = 1, dirty = 0; + int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0; + int engdir = 0; + char *prog; + OPTION_CHOICE o; + + prog = opt_init(argc, argv, version_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: +opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(version_options); + ret = 0; + goto end; + case OPT_B: + dirty = date = 1; + break; + case OPT_D: + dirty = dir = 1; + break; + case OPT_E: + dirty = engdir = 1; + break; + case OPT_F: + dirty = cflags = 1; + break; + case OPT_O: + dirty = options = 1; + break; + case OPT_P: + dirty = platform = 1; + break; + case OPT_V: + dirty = version = 1; + break; + case OPT_A: + options = cflags = version = date = platform = dir = engdir = 1; + break; + } + } + if (opt_num_rest() != 0) { + BIO_printf(bio_err, "Extra parameters given.\n"); + goto opthelp; + } + if (!dirty) + version = 1; + + if (version) { + if (OpenSSL_version_num() == OPENSSL_VERSION_NUMBER) { + printf("%s\n", OpenSSL_version(OPENSSL_VERSION)); + } else { + printf("%s (Library: %s)\n", + OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION)); + } + } + if (date) + printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON)); + if (platform) + printf("%s\n", OpenSSL_version(OPENSSL_PLATFORM)); + if (options) { + printf("options: "); + printf("%s ", BN_options()); +#ifndef OPENSSL_NO_MD2 + printf("%s ", MD2_options()); +#endif +#ifndef OPENSSL_NO_RC4 + printf("%s ", RC4_options()); +#endif +#ifndef OPENSSL_NO_DES + printf("%s ", DES_options()); +#endif +#ifndef OPENSSL_NO_IDEA + printf("%s ", IDEA_options()); +#endif +#ifndef OPENSSL_NO_BF + printf("%s ", BF_options()); +#endif + printf("\n"); + } + if (cflags) + printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS)); + if (dir) + printf("%s\n", OpenSSL_version(OPENSSL_DIR)); + if (engdir) + printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR)); + ret = 0; + end: + return (ret); +} diff --git a/openssl-1.1.0h/apps/vms_decc_init.c b/openssl-1.1.0h/apps/vms_decc_init.c new file mode 100644 index 0000000..f83f716 --- /dev/null +++ b/openssl-1.1.0h/apps/vms_decc_init.c @@ -0,0 +1,214 @@ +/* + * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#if defined( __VMS) && !defined( OPENSSL_NO_DECC_INIT) && \ + defined( __DECC) && !defined( __VAX) && (__CRTL_VER >= 70301000) +# define USE_DECC_INIT 1 +#endif + +#ifdef USE_DECC_INIT + +/* + * ---------------------------------------------------------------------- + * decc_init() On non-VAX systems, uses LIB$INITIALIZE to set a collection + * of C RTL features without using the DECC$* logical name method. + * ---------------------------------------------------------------------- + */ + +# include +# include +# include + +# include "apps.h" + +/* Global storage. */ + +/* Flag to sense if decc_init() was called. */ + +int decc_init_done = -1; + +/* Structure to hold a DECC$* feature name and its desired value. */ + +typedef struct { + char *name; + int value; +} decc_feat_t; + +/* + * Array of DECC$* feature names and their desired values. Note: + * DECC$ARGV_PARSE_STYLE is the urgent one. + */ + +decc_feat_t decc_feat_array[] = { + /* Preserve command-line case with SET PROCESS/PARSE_STYLE=EXTENDED */ + {"DECC$ARGV_PARSE_STYLE", 1}, + + /* Preserve case for file names on ODS5 disks. */ + {"DECC$EFS_CASE_PRESERVE", 1}, + + /* + * Enable multiple dots (and most characters) in ODS5 file names, while + * preserving VMS-ness of ";version". + */ + {"DECC$EFS_CHARSET", 1}, + + /* List terminator. */ + {(char *)NULL, 0} +}; + + +char **copy_argv(int *argc, char *argv[]) +{ + /*- + * The note below is for historical purpose. On VMS now we always + * copy argv "safely." + * + * 2011-03-22 SMS. + * If we have 32-bit pointers everywhere, then we're safe, and + * we bypass this mess, as on non-VMS systems. + * Problem 1: Compaq/HP C before V7.3 always used 32-bit + * pointers for argv[]. + * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers + * everywhere else, we always allocate and use a 64-bit + * duplicate of argv[]. + * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed + * to NULL-terminate a 64-bit argv[]. (As this was written, the + * compiler ECO was available only on IA64.) + * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a + * 64-bit argv[argc] for NULL, and, if necessary, use a + * (properly) NULL-terminated (64-bit) duplicate of argv[]. + * The same code is used in either case to duplicate argv[]. + * Some of these decisions could be handled in preprocessing, + * but the code tends to get even uglier, and the penalty for + * deciding at compile- or run-time is tiny. + */ + + int i, count = *argc; + char **newargv = app_malloc(sizeof(*newargv) * (count + 1), "argv copy"); + + for (i = 0; i < count; i++) + newargv[i] = argv[i]; + newargv[i] = NULL; + *argc = i; + return newargv; +} + +/* LIB$INITIALIZE initialization function. */ + +static void decc_init(void) +{ + char *openssl_debug_decc_init; + int verbose = 0; + int feat_index; + int feat_value; + int feat_value_max; + int feat_value_min; + int i; + int sts; + + /* Get debug option. */ + openssl_debug_decc_init = getenv("OPENSSL_DEBUG_DECC_INIT"); + if (openssl_debug_decc_init != NULL) { + verbose = strtol(openssl_debug_decc_init, NULL, 10); + if (verbose <= 0) { + verbose = 1; + } + } + + /* Set the global flag to indicate that LIB$INITIALIZE worked. */ + decc_init_done = 1; + + /* Loop through all items in the decc_feat_array[]. */ + + for (i = 0; decc_feat_array[i].name != NULL; i++) { + /* Get the feature index. */ + feat_index = decc$feature_get_index(decc_feat_array[i].name); + if (feat_index >= 0) { + /* Valid item. Collect its properties. */ + feat_value = decc$feature_get_value(feat_index, 1); + feat_value_min = decc$feature_get_value(feat_index, 2); + feat_value_max = decc$feature_get_value(feat_index, 3); + + /* Check the validity of our desired value. */ + if ((decc_feat_array[i].value >= feat_value_min) && + (decc_feat_array[i].value <= feat_value_max)) { + /* Valid value. Set it if necessary. */ + if (feat_value != decc_feat_array[i].value) { + sts = decc$feature_set_value(feat_index, + 1, decc_feat_array[i].value); + + if (verbose > 1) { + fprintf(stderr, " %s = %d, sts = %d.\n", + decc_feat_array[i].name, + decc_feat_array[i].value, sts); + } + } + } else { + /* Invalid DECC feature value. */ + fprintf(stderr, + " INVALID DECC$FEATURE VALUE, %d: %d <= %s <= %d.\n", + feat_value, + feat_value_min, decc_feat_array[i].name, + feat_value_max); + } + } else { + /* Invalid DECC feature name. */ + fprintf(stderr, + " UNKNOWN DECC$FEATURE: %s.\n", decc_feat_array[i].name); + } + } + + if (verbose > 0) { + fprintf(stderr, " DECC_INIT complete.\n"); + } +} + +/* Get "decc_init()" into a valid, loaded LIB$INITIALIZE PSECT. */ + +# pragma nostandard + +/* + * Establish the LIB$INITIALIZE PSECTs, with proper alignment and other + * attributes. Note that "nopic" is significant only on VAX. + */ +# pragma extern_model save + +# if __INITIAL_POINTER_SIZE == 64 +# define PSECT_ALIGN 3 +# else +# define PSECT_ALIGN 2 +# endif + +# pragma extern_model strict_refdef "LIB$INITIALIZ" PSECT_ALIGN, nopic, nowrt +const int spare[8] = { 0 }; + +# pragma extern_model strict_refdef "LIB$INITIALIZE" PSECT_ALIGN, nopic, nowrt +void (*const x_decc_init) () = decc_init; + +# pragma extern_model restore + +/* Fake reference to ensure loading the LIB$INITIALIZE PSECT. */ + +# pragma extern_model save + +int LIB$INITIALIZE(void); + +# pragma extern_model strict_refdef +int dmy_lib$initialize = (int)LIB$INITIALIZE; + +# pragma extern_model restore + +# pragma standard + +#else /* def USE_DECC_INIT */ + +/* Dummy code to avoid a %CC-W-EMPTYFILE complaint. */ +int decc_init_dummy(void); + +#endif /* def USE_DECC_INIT */ diff --git a/openssl-1.1.0h/apps/vms_term_sock.c b/openssl-1.1.0h/apps/vms_term_sock.c new file mode 100644 index 0000000..bc0c173 --- /dev/null +++ b/openssl-1.1.0h/apps/vms_term_sock.c @@ -0,0 +1,590 @@ +/* + * Copyright 2016 VMS Software, Inc. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifdef __VMS +# define OPENSSL_SYS_VMS +# pragma message disable DOLLARID + + +# include + +# if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS) +/* + * On VMS, you need to define this to get the declaration of fileno(). The + * value 2 is to make sure no function defined in POSIX-2 is left undefined. + */ +# define _POSIX_C_SOURCE 2 +# endif + +# include + +# undef _POSIX_C_SOURCE + +# include +# include +# include +# include +# include +# include +# include +# include +# include +# ifdef __alpha +# include +# else +typedef struct _iosb { /* Copied from IOSBDEF.H for Alpha */ +# pragma __nomember_alignment + __union { + __struct { + unsigned short int iosb$w_status; /* Final I/O status */ + __union { + __struct { /* 16-bit byte count variant */ + unsigned short int iosb$w_bcnt; /* 16-bit byte count */ + __union { + unsigned int iosb$l_dev_depend; /* 32-bit device dependent info */ + unsigned int iosb$l_pid; /* 32-bit pid */ + } iosb$r_l; + } iosb$r_bcnt_16; + __struct { /* 32-bit byte count variant */ + unsigned int iosb$l_bcnt; /* 32-bit byte count (unaligned) */ + unsigned short int iosb$w_dev_depend_high; /* 16-bit device dependent info */ + } iosb$r_bcnt_32; + } iosb$r_devdepend; + } iosb$r_io_64; + __struct { + __union { + unsigned int iosb$l_getxxi_status; /* Final GETxxI status */ + unsigned int iosb$l_reg_status; /* Final $Registry status */ + } iosb$r_l_status; + unsigned int iosb$l_reserved; /* Reserved field */ + } iosb$r_get_64; + } iosb$r_io_get; +} IOSB; + +# if !defined(__VAXC) +# define iosb$w_status iosb$r_io_get.iosb$r_io_64.iosb$w_status +# define iosb$w_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$w_bcnt +# define iosb$r_l iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_16.iosb$r_l +# define iosb$l_dev_depend iosb$r_l.iosb$l_dev_depend +# define iosb$l_pid iosb$r_l.iosb$l_pid +# define iosb$l_bcnt iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$l_bcnt +# define iosb$w_dev_depend_high iosb$r_io_get.iosb$r_io_64.iosb$r_devdepend.iosb$r_bcnt_32.iosb$w_dev_depend_high +# define iosb$l_getxxi_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_getxxi_status +# define iosb$l_reg_status iosb$r_io_get.iosb$r_get_64.iosb$r_l_status.iosb$l_reg_status +# endif /* #if !defined(__VAXC) */ + +# endif /* End of IOSBDEF */ + +# include +# include +# include +# include +# include +# include + +# include "vms_term_sock.h" + +# ifdef __alpha +static struct _iosb TerminalDeviceIosb; +# else +IOSB TerminalDeviceIosb; +# endif + +static char TerminalDeviceBuff[255 + 2]; +static int TerminalSocketPair[2] = {0, 0}; +static unsigned short TerminalDeviceChan = 0; + +static int CreateSocketPair (int, int, int, int *); +static void SocketPairTimeoutAst (int); +static int TerminalDeviceAst (int); +static void LogMessage (char *, ...); + +/* +** Socket Pair Timeout Value (must be 0-59 seconds) +*/ +# define SOCKET_PAIR_TIMEOUT_VALUE 20 + +/* +** Socket Pair Timeout Block which is passed to timeout AST +*/ +typedef struct _SocketPairTimeoutBlock { + unsigned short SockChan1; + unsigned short SockChan2; +} SPTB; + +# ifdef TERM_SOCK_TEST + +/*----------------------------------------------------------------------------*/ +/* */ +/*----------------------------------------------------------------------------*/ +int main (int argc, char *argv[], char *envp[]) +{ + char TermBuff[80]; + int TermSock, + status, + len; + + LogMessage ("Enter 'q' or 'Q' to quit ..."); + while (strcasecmp (TermBuff, "Q")) { + /* + ** Create the terminal socket + */ + status = TerminalSocket (TERM_SOCK_CREATE, &TermSock); + if (status != TERM_SOCK_SUCCESS) + exit (1); + + /* + ** Process the terminal input + */ + LogMessage ("Waiting on terminal I/O ...\n"); + len = recv (TermSock, TermBuff, sizeof(TermBuff), 0) ; + TermBuff[len] = '\0'; + LogMessage ("Received terminal I/O [%s]", TermBuff); + + /* + ** Delete the terminal socket + */ + status = TerminalSocket (TERM_SOCK_DELETE, &TermSock); + if (status != TERM_SOCK_SUCCESS) + exit (1); + } + + return 1; + +} +# endif + +/*----------------------------------------------------------------------------*/ +/* */ +/*----------------------------------------------------------------------------*/ +int TerminalSocket (int FunctionCode, int *ReturnSocket) +{ + int status; + $DESCRIPTOR (TerminalDeviceDesc, "SYS$COMMAND"); + + /* + ** Process the requested function code + */ + switch (FunctionCode) { + case TERM_SOCK_CREATE: + /* + ** Create a socket pair + */ + status = CreateSocketPair (AF_INET, SOCK_STREAM, 0, TerminalSocketPair); + if (status == -1) { + LogMessage ("TerminalSocket: CreateSocketPair () - %08X", status); + if (TerminalSocketPair[0]) + close (TerminalSocketPair[0]); + if (TerminalSocketPair[1]) + close (TerminalSocketPair[1]); + return (TERM_SOCK_FAILURE); + } + + /* + ** Assign a channel to the terminal device + */ + status = sys$assign (&TerminalDeviceDesc, + &TerminalDeviceChan, + 0, 0, 0); + if (! (status & 1)) { + LogMessage ("TerminalSocket: SYS$ASSIGN () - %08X", status); + close (TerminalSocketPair[0]); + close (TerminalSocketPair[1]); + return (TERM_SOCK_FAILURE); + } + + /* + ** Queue an async IO to the terminal device + */ + status = sys$qio (EFN$C_ENF, + TerminalDeviceChan, + IO$_READVBLK, + &TerminalDeviceIosb, + TerminalDeviceAst, + 0, + TerminalDeviceBuff, + sizeof(TerminalDeviceBuff) - 2, + 0, 0, 0, 0); + if (! (status & 1)) { + LogMessage ("TerminalSocket: SYS$QIO () - %08X", status); + close (TerminalSocketPair[0]); + close (TerminalSocketPair[1]); + return (TERM_SOCK_FAILURE); + } + + /* + ** Return the input side of the socket pair + */ + *ReturnSocket = TerminalSocketPair[1]; + break; + + case TERM_SOCK_DELETE: + /* + ** Cancel any pending IO on the terminal channel + */ + status = sys$cancel (TerminalDeviceChan); + if (! (status & 1)) { + LogMessage ("TerminalSocket: SYS$CANCEL () - %08X", status); + close (TerminalSocketPair[0]); + close (TerminalSocketPair[1]); + return (TERM_SOCK_FAILURE); + } + + /* + ** Deassign the terminal channel + */ + status = sys$dassgn (TerminalDeviceChan); + if (! (status & 1)) { + LogMessage ("TerminalSocket: SYS$DASSGN () - %08X", status); + close (TerminalSocketPair[0]); + close (TerminalSocketPair[1]); + return (TERM_SOCK_FAILURE); + } + + /* + ** Close the terminal socket pair + */ + close (TerminalSocketPair[0]); + close (TerminalSocketPair[1]); + + /* + ** Return the initialized socket + */ + *ReturnSocket = 0; + break; + + default: + /* + ** Invalid function code + */ + LogMessage ("TerminalSocket: Invalid Function Code - %d", FunctionCode); + return (TERM_SOCK_FAILURE); + break; + } + + /* + ** Return success + */ + return (TERM_SOCK_SUCCESS); + +} + +/*----------------------------------------------------------------------------*/ +/* */ +/*----------------------------------------------------------------------------*/ +static int CreateSocketPair (int SocketFamily, + int SocketType, + int SocketProtocol, + int *SocketPair) +{ + struct dsc$descriptor AscTimeDesc = {0, DSC$K_DTYPE_T, DSC$K_CLASS_S, NULL}; + static const char* LocalHostAddr = {"127.0.0.1"}; + unsigned short TcpAcceptChan = 0, + TcpDeviceChan = 0; + unsigned long BinTimeBuff[2]; + struct sockaddr_in sin; + char AscTimeBuff[32]; + short LocalHostPort; + int status; + unsigned int slen; + +# ifdef __alpha + struct _iosb iosb; +# else + IOSB iosb; +# endif + + int SockDesc1 = 0, + SockDesc2 = 0; + SPTB sptb; + $DESCRIPTOR (TcpDeviceDesc, "TCPIP$DEVICE"); + + /* + ** Create a socket + */ + SockDesc1 = socket (SocketFamily, SocketType, 0); + if (SockDesc1 < 0) { + LogMessage ("CreateSocketPair: socket () - %d", errno); + return (-1); + } + + /* + ** Initialize the socket information + */ + slen = sizeof(sin); + memset ((char *) &sin, 0, slen); + sin.sin_family = SocketFamily; + sin.sin_addr.s_addr = inet_addr (LocalHostAddr); + sin.sin_port = 0; + + /* + ** Bind the socket to the local IP + */ + status = bind (SockDesc1, (struct sockaddr *) &sin, slen); + if (status < 0) { + LogMessage ("CreateSocketPair: bind () - %d", errno); + close (SockDesc1); + return (-1); + } + + /* + ** Get the socket name so we can save the port number + */ + status = getsockname (SockDesc1, (struct sockaddr *) &sin, &slen); + if (status < 0) { + LogMessage ("CreateSocketPair: getsockname () - %d", errno); + close (SockDesc1); + return (-1); + } else + LocalHostPort = sin.sin_port; + + /* + ** Setup a listen for the socket + */ + listen (SockDesc1, 5); + + /* + ** Get the binary (64-bit) time of the specified timeout value + */ + sprintf (AscTimeBuff, "0 0:0:%02d.00", SOCKET_PAIR_TIMEOUT_VALUE); + AscTimeDesc.dsc$w_length = strlen (AscTimeBuff); + AscTimeDesc.dsc$a_pointer = AscTimeBuff; + status = sys$bintim (&AscTimeDesc, BinTimeBuff); + if (! (status & 1)) { + LogMessage ("CreateSocketPair: SYS$BINTIM () - %08X", status); + close (SockDesc1); + return (-1); + } + + /* + ** Assign another channel to the TCP/IP device for the accept. + ** This is the channel that ends up being connected to. + */ + status = sys$assign (&TcpDeviceDesc, &TcpDeviceChan, 0, 0, 0); + if (! (status & 1)) { + LogMessage ("CreateSocketPair: SYS$ASSIGN () - %08X", status); + close (SockDesc1); + return (-1); + } + + /* + ** Get the channel of the first socket for the accept + */ + TcpAcceptChan = decc$get_sdc (SockDesc1); + + /* + ** Perform the accept using $QIO so we can do this asynchronously + */ + status = sys$qio (EFN$C_ENF, + TcpAcceptChan, + IO$_ACCESS | IO$M_ACCEPT, + &iosb, + 0, 0, 0, 0, 0, + &TcpDeviceChan, + 0, 0); + if (! (status & 1)) { + LogMessage ("CreateSocketPair: SYS$QIO () - %08X", status); + close (SockDesc1); + sys$dassgn (TcpDeviceChan); + return (-1); + } + + /* + ** Create the second socket to do the connect + */ + SockDesc2 = socket (SocketFamily, SocketType, 0); + if (SockDesc2 < 0) { + LogMessage ("CreateSocketPair: socket () - %d", errno); + sys$cancel (TcpAcceptChan); + close (SockDesc1); + sys$dassgn (TcpDeviceChan); + return (-1) ; + } + + /* + ** Setup the Socket Pair Timeout Block + */ + sptb.SockChan1 = TcpAcceptChan; + sptb.SockChan2 = decc$get_sdc (SockDesc2); + + /* + ** Before we block on the connect, set a timer that can cancel I/O on our + ** two sockets if it never connects. + */ + status = sys$setimr (EFN$C_ENF, + BinTimeBuff, + SocketPairTimeoutAst, + &sptb, + 0); + if (! (status & 1)) { + LogMessage ("CreateSocketPair: SYS$SETIMR () - %08X", status); + sys$cancel (TcpAcceptChan); + close (SockDesc1); + close (SockDesc2); + sys$dassgn (TcpDeviceChan); + return (-1); + } + + /* + ** Now issue the connect + */ + memset ((char *) &sin, 0, sizeof(sin)) ; + sin.sin_family = SocketFamily; + sin.sin_addr.s_addr = inet_addr (LocalHostAddr) ; + sin.sin_port = LocalHostPort ; + + status = connect (SockDesc2, (struct sockaddr *) &sin, sizeof(sin)); + if (status < 0 ) { + LogMessage ("CreateSocketPair: connect () - %d", errno); + sys$cantim (&sptb, 0); + sys$cancel (TcpAcceptChan); + close (SockDesc1); + close (SockDesc2); + sys$dassgn (TcpDeviceChan); + return (-1); + } + + /* + ** Wait for the asynch $QIO to finish. Note that if the I/O was aborted + ** (SS$_ABORT), then we probably canceled it from the AST routine - so log + ** a timeout. + */ + status = sys$synch (EFN$C_ENF, &iosb); + if (! (iosb.iosb$w_status & 1)) { + if (iosb.iosb$w_status == SS$_ABORT) + LogMessage ("CreateSocketPair: SYS$QIO(iosb) timeout"); + else { + LogMessage ("CreateSocketPair: SYS$QIO(iosb) - %d", + iosb.iosb$w_status); + sys$cantim (&sptb, 0); + } + close (SockDesc1); + close (SockDesc2); + sys$dassgn (TcpDeviceChan); + return (-1); + } + + /* + ** Here we're successfully connected, so cancel the timer, convert the + ** I/O channel to a socket fd, close the listener socket and return the + ** connected pair. + */ + sys$cantim (&sptb, 0); + + close (SockDesc1) ; + SocketPair[0] = SockDesc2 ; + SocketPair[1] = socket_fd (TcpDeviceChan); + + return (0) ; + +} + +/*----------------------------------------------------------------------------*/ +/* */ +/*----------------------------------------------------------------------------*/ +static void SocketPairTimeoutAst (int astparm) +{ + SPTB *sptb = (SPTB *) astparm; + + sys$cancel (sptb->SockChan2); /* Cancel the connect() */ + sys$cancel (sptb->SockChan1); /* Cancel the accept() */ + + return; + +} + +/*----------------------------------------------------------------------------*/ +/* */ +/*----------------------------------------------------------------------------*/ +static int TerminalDeviceAst (int astparm) +{ + int status; + + /* + ** Terminate the terminal buffer + */ + TerminalDeviceBuff[TerminalDeviceIosb.iosb$w_bcnt] = '\0'; + strcat (TerminalDeviceBuff, "\n"); + + /* + ** Send the data read from the terminal device throught the socket pair + */ + send (TerminalSocketPair[0], TerminalDeviceBuff, + TerminalDeviceIosb.iosb$w_bcnt + 1, 0); + + /* + ** Queue another async IO to the terminal device + */ + status = sys$qio (EFN$C_ENF, + TerminalDeviceChan, + IO$_READVBLK, + &TerminalDeviceIosb, + TerminalDeviceAst, + 0, + TerminalDeviceBuff, + sizeof(TerminalDeviceBuff) - 1, + 0, 0, 0, 0); + + /* + ** Return status + */ + return status; + +} + +/*----------------------------------------------------------------------------*/ +/* */ +/*----------------------------------------------------------------------------*/ +static void LogMessage (char *msg, ...) +{ + char *Month[] = {"Jan", "Feb", "Mar", "Apr", "May", "Jun", + "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}; + static unsigned int pid = 0; + va_list args; + time_t CurTime; + struct tm *LocTime; + char MsgBuff[256]; + + /* + ** Get the process pid + */ + if (pid == 0) + pid = getpid (); + + /* + ** Convert the current time into local time + */ + CurTime = time (NULL); + LocTime = localtime (&CurTime); + + /* + ** Format the message buffer + */ + sprintf (MsgBuff, "%02d-%s-%04d %02d:%02d:%02d [%08X] %s\n", + LocTime->tm_mday, Month[LocTime->tm_mon], + (LocTime->tm_year + 1900), LocTime->tm_hour, LocTime->tm_min, + LocTime->tm_sec, pid, msg); + + /* + ** Get any variable arguments and add them to the print of the message + ** buffer + */ + va_start (args, msg); + vfprintf (stderr, MsgBuff, args); + va_end (args); + + /* + ** Flush standard error output + */ + fsync (fileno (stderr)); + + return; + +} +#endif diff --git a/openssl-1.1.0h/apps/vms_term_sock.h b/openssl-1.1.0h/apps/vms_term_sock.h new file mode 100644 index 0000000..662fa0a --- /dev/null +++ b/openssl-1.1.0h/apps/vms_term_sock.h @@ -0,0 +1,30 @@ +/* + * Copyright 2016 VMS Software, Inc. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef TERM_SOCK_H +# define TERM_SOCK_H + +/* +** Terminal Socket Function Codes +*/ +# define TERM_SOCK_CREATE 1 +# define TERM_SOCK_DELETE 2 + +/* +** Terminal Socket Status Codes +*/ +# define TERM_SOCK_FAILURE 0 +# define TERM_SOCK_SUCCESS 1 + +/* +** Terminal Socket Prototype +*/ +int TerminalSocket (int FunctionCode, int *ReturnSocket); + +#endif diff --git a/openssl-1.1.0h/apps/win32_init.c b/openssl-1.1.0h/apps/win32_init.c new file mode 100644 index 0000000..ebe92bc --- /dev/null +++ b/openssl-1.1.0h/apps/win32_init.c @@ -0,0 +1,307 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include + +#if defined(CP_UTF8) + +static UINT saved_cp; +static int newargc; +static char **newargv; + +static void cleanup(void) +{ + int i; + + SetConsoleOutputCP(saved_cp); + + for (i = 0; i < newargc; i++) + free(newargv[i]); + + free(newargv); +} + +/* + * Incrementally [re]allocate newargv and keep it NULL-terminated. + */ +static int validate_argv(int argc) +{ + static int size = 0; + + if (argc >= size) { + char **ptr; + + while (argc >= size) + size += 64; + + ptr = realloc(newargv, size * sizeof(newargv[0])); + if (ptr == NULL) + return 0; + + (newargv = ptr)[argc] = NULL; + } else { + newargv[argc] = NULL; + } + + return 1; +} + +static int process_glob(WCHAR *wstr, int wlen) +{ + int i, slash, udlen; + WCHAR saved_char; + WIN32_FIND_DATAW data; + HANDLE h; + + /* + * Note that we support wildcard characters only in filename part + * of the path, and not in directories. Windows users are used to + * this, that's why recursive glob processing is not implemented. + */ + /* + * Start by looking for last slash or backslash, ... + */ + for (slash = 0, i = 0; i < wlen; i++) + if (wstr[i] == L'/' || wstr[i] == L'\\') + slash = i + 1; + /* + * ... then look for asterisk or question mark in the file name. + */ + for (i = slash; i < wlen; i++) + if (wstr[i] == L'*' || wstr[i] == L'?') + break; + + if (i == wlen) + return 0; /* definitely not a glob */ + + saved_char = wstr[wlen]; + wstr[wlen] = L'\0'; + h = FindFirstFileW(wstr, &data); + wstr[wlen] = saved_char; + if (h == INVALID_HANDLE_VALUE) + return 0; /* not a valid glob, just pass... */ + + if (slash) + udlen = WideCharToMultiByte(CP_UTF8, 0, wstr, slash, + NULL, 0, NULL, NULL); + else + udlen = 0; + + do { + int uflen; + char *arg; + + /* + * skip over . and .. + */ + if (data.cFileName[0] == L'.') { + if ((data.cFileName[1] == L'\0') || + (data.cFileName[1] == L'.' && data.cFileName[2] == L'\0')) + continue; + } + + if (!validate_argv(newargc + 1)) + break; + + /* + * -1 below means "scan for trailing '\0' *and* count it", + * so that |uflen| covers even trailing '\0'. + */ + uflen = WideCharToMultiByte(CP_UTF8, 0, data.cFileName, -1, + NULL, 0, NULL, NULL); + + arg = malloc(udlen + uflen); + if (arg == NULL) + break; + + if (udlen) + WideCharToMultiByte(CP_UTF8, 0, wstr, slash, + arg, udlen, NULL, NULL); + + WideCharToMultiByte(CP_UTF8, 0, data.cFileName, -1, + arg + udlen, uflen, NULL, NULL); + + newargv[newargc++] = arg; + } while (FindNextFileW(h, &data)); + + CloseHandle(h); + + return 1; +} + +void win32_utf8argv(int *argc, char **argv[]) +{ + const WCHAR *wcmdline; + WCHAR *warg, *wend, *p; + int wlen, ulen, valid = 1; + char *arg; + + if (GetEnvironmentVariableW(L"OPENSSL_WIN32_UTF8", NULL, 0) == 0) + return; + + newargc = 0; + newargv = NULL; + if (!validate_argv(newargc)) + return; + + wcmdline = GetCommandLineW(); + if (wcmdline == NULL) return; + + /* + * make a copy of the command line, since we might have to modify it... + */ + wlen = wcslen(wcmdline); + p = _alloca((wlen + 1) * sizeof(WCHAR)); + wcscpy(p, wcmdline); + + while (*p != L'\0') { + int in_quote = 0; + + if (*p == L' ' || *p == L'\t') { + p++; /* skip over white spaces */ + continue; + } + + /* + * Note: because we may need to fiddle with the number of backslashes, + * the argument string is copied into itself. This is safe because + * the number of characters will never expand. + */ + warg = wend = p; + while (*p != L'\0' + && (in_quote || (*p != L' ' && *p != L'\t'))) { + switch (*p) { + case L'\\': + /* + * Microsoft documentation on how backslashes are treated + * is: + * + * + Backslashes are interpreted literally, unless they + * immediately precede a double quotation mark. + * + If an even number of backslashes is followed by a double + * quotation mark, one backslash is placed in the argv array + * for every pair of backslashes, and the double quotation + * mark is interpreted as a string delimiter. + * + If an odd number of backslashes is followed by a double + * quotation mark, one backslash is placed in the argv array + * for every pair of backslashes, and the double quotation + * mark is "escaped" by the remaining backslash, causing a + * literal double quotation mark (") to be placed in argv. + * + * Ref: https://msdn.microsoft.com/en-us/library/17w5ykft.aspx + * + * Though referred page doesn't mention it, multiple qouble + * quotes are also special. Pair of double quotes in quoted + * string is counted as single double quote. + */ + { + const WCHAR *q = p; + int i; + + while (*p == L'\\') + p++; + + if (*p == L'"') { + int i; + + for (i = (p - q) / 2; i > 0; i--) + *wend++ = L'\\'; + + /* + * if odd amount of backslashes before the quote, + * said quote is part of the argument, not a delimiter + */ + if ((p - q) % 2 == 1) + *wend++ = *p++; + } else { + for (i = p - q; i > 0; i--) + *wend++ = L'\\'; + } + } + break; + case L'"': + /* + * Without the preceding backslash (or when preceded with an + * even number of backslashes), the double quote is a simple + * string delimiter and just slightly change the parsing state + */ + if (in_quote && p[1] == L'"') + *wend++ = *p++; + else + in_quote = !in_quote; + p++; + break; + default: + /* + * Any other non-delimiter character is just taken verbatim + */ + *wend++ = *p++; + } + } + + wlen = wend - warg; + + if (wlen == 0 || !process_glob(warg, wlen)) { + if (!validate_argv(newargc + 1)) { + valid = 0; + break; + } + + ulen = 0; + if (wlen > 0) { + ulen = WideCharToMultiByte(CP_UTF8, 0, warg, wlen, + NULL, 0, NULL, NULL); + if (ulen <= 0) + continue; + } + + arg = malloc(ulen + 1); + if (arg == NULL) { + valid = 0; + break; + } + + if (wlen > 0) + WideCharToMultiByte(CP_UTF8, 0, warg, wlen, + arg, ulen, NULL, NULL); + arg[ulen] = '\0'; + + newargv[newargc++] = arg; + } + } + + if (valid) { + saved_cp = GetConsoleOutputCP(); + SetConsoleOutputCP(CP_UTF8); + + *argc = newargc; + *argv = newargv; + + atexit(cleanup); + } else if (newargv != NULL) { + int i; + + for (i = 0; i < newargc; i++) + free(newargv[i]); + + free(newargv); + + newargc = 0; + newargv = NULL; + } + + return; +} +#else +void win32_utf8argv(int &argc, char **argv[]) +{ return; } +#endif diff --git a/openssl-1.1.0h/apps/x509.c b/openssl-1.1.0h/apps/x509.c new file mode 100644 index 0000000..7a66ea6 --- /dev/null +++ b/openssl-1.1.0h/apps/x509.c @@ -0,0 +1,1099 @@ +/* + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include "apps.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifndef OPENSSL_NO_RSA +# include +#endif +#ifndef OPENSSL_NO_DSA +# include +#endif + +#undef POSTFIX +#define POSTFIX ".srl" +#define DEF_DAYS 30 + +static int callb(int ok, X509_STORE_CTX *ctx); +static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, + const EVP_MD *digest, CONF *conf, const char *section); +static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, + X509 *x, X509 *xca, EVP_PKEY *pkey, + STACK_OF(OPENSSL_STRING) *sigopts, const char *serialfile, + int create, int days, int clrext, CONF *conf, + const char *section, ASN1_INTEGER *sno, int reqfile); +static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt); + +typedef enum OPTION_choice { + OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, + OPT_INFORM, OPT_OUTFORM, OPT_KEYFORM, OPT_REQ, OPT_CAFORM, + OPT_CAKEYFORM, OPT_SIGOPT, OPT_DAYS, OPT_PASSIN, OPT_EXTFILE, + OPT_EXTENSIONS, OPT_IN, OPT_OUT, OPT_SIGNKEY, OPT_CA, + OPT_CAKEY, OPT_CASERIAL, OPT_SET_SERIAL, OPT_FORCE_PUBKEY, + OPT_ADDTRUST, OPT_ADDREJECT, OPT_SETALIAS, OPT_CERTOPT, OPT_NAMEOPT, + OPT_C, OPT_EMAIL, OPT_OCSP_URI, OPT_SERIAL, OPT_NEXT_SERIAL, + OPT_MODULUS, OPT_PUBKEY, OPT_X509TOREQ, OPT_TEXT, OPT_HASH, + OPT_ISSUER_HASH, OPT_SUBJECT, OPT_ISSUER, OPT_FINGERPRINT, OPT_DATES, + OPT_PURPOSE, OPT_STARTDATE, OPT_ENDDATE, OPT_CHECKEND, OPT_CHECKHOST, + OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST, + OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, + OPT_SUBJECT_HASH_OLD, + OPT_ISSUER_HASH_OLD, + OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT +} OPTION_CHOICE; + +OPTIONS x509_options[] = { + {"help", OPT_HELP, '-', "Display this summary"}, + {"inform", OPT_INFORM, 'f', + "Input format - default PEM (one of DER, NET or PEM)"}, + {"in", OPT_IN, '<', "Input file - default stdin"}, + {"outform", OPT_OUTFORM, 'f', + "Output format - default PEM (one of DER, NET or PEM)"}, + {"out", OPT_OUT, '>', "Output file - default stdout"}, + {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"}, + {"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"}, + {"serial", OPT_SERIAL, '-', "Print serial number value"}, + {"subject_hash", OPT_HASH, '-', "Print subject hash value"}, + {"issuer_hash", OPT_ISSUER_HASH, '-', "Print issuer hash value"}, + {"hash", OPT_HASH, '-', "Synonym for -subject_hash"}, + {"subject", OPT_SUBJECT, '-', "Print subject DN"}, + {"issuer", OPT_ISSUER, '-', "Print issuer DN"}, + {"email", OPT_EMAIL, '-', "Print email address(es)"}, + {"startdate", OPT_STARTDATE, '-', "Set notBefore field"}, + {"enddate", OPT_ENDDATE, '-', "Set notAfter field"}, + {"purpose", OPT_PURPOSE, '-', "Print out certificate purposes"}, + {"dates", OPT_DATES, '-', "Both Before and After dates"}, + {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"}, + {"pubkey", OPT_PUBKEY, '-', "Output the public key"}, + {"fingerprint", OPT_FINGERPRINT, '-', + "Print the certificate fingerprint"}, + {"alias", OPT_ALIAS, '-', "Output certificate alias"}, + {"noout", OPT_NOOUT, '-', "No output, just status"}, + {"nocert", OPT_NOCERT, '-', "No certificate output"}, + {"ocspid", OPT_OCSPID, '-', + "Print OCSP hash values for the subject name and public key"}, + {"ocsp_uri", OPT_OCSP_URI, '-', "Print OCSP Responder URL(s)"}, + {"trustout", OPT_TRUSTOUT, '-', "Output a trusted certificate"}, + {"clrtrust", OPT_CLRTRUST, '-', "Clear all trusted purposes"}, + {"clrext", OPT_CLREXT, '-', "Clear all certificate extensions"}, + {"addtrust", OPT_ADDTRUST, 's', "Trust certificate for a given purpose"}, + {"addreject", OPT_ADDREJECT, 's', + "Reject certificate for a given purpose"}, + {"setalias", OPT_SETALIAS, 's', "Set certificate alias"}, + {"days", OPT_DAYS, 'n', + "How long till expiry of a signed certificate - def 30 days"}, + {"checkend", OPT_CHECKEND, 'M', + "Check whether the cert expires in the next arg seconds"}, + {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"}, + {"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"}, + {"x509toreq", OPT_X509TOREQ, '-', + "Output a certification request object"}, + {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"}, + {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"}, + {"CAkey", OPT_CAKEY, 's', + "The CA key, must be PEM format; if not in CAfile"}, + {"CAcreateserial", OPT_CACREATESERIAL, '-', + "Create serial number file if it does not exist"}, + {"CAserial", OPT_CASERIAL, 's', "Serial file"}, + {"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"}, + {"text", OPT_TEXT, '-', "Print the certificate in text form"}, + {"C", OPT_C, '-', "Print out C code forms"}, + {"extfile", OPT_EXTFILE, '<', "File with X509V3 extensions to add"}, + {"extensions", OPT_EXTENSIONS, 's', "Section from config file to use"}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, + {"certopt", OPT_CERTOPT, 's', "Various certificate text options"}, + {"checkhost", OPT_CHECKHOST, 's', "Check certificate matches host"}, + {"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"}, + {"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"}, + {"CAform", OPT_CAFORM, 'F', "CA format - default PEM"}, + {"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"}, + {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"}, + {"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"}, + {"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"}, + {"clrreject", OPT_CLRREJECT, '-', + "Clears all the prohibited or rejected uses of the certificate"}, + {"badsig", OPT_BADSIG, '-', "Corrupt last byte of certificate signature (for test)"}, + {"", OPT_MD, '-', "Any supported digest"}, +#ifndef OPENSSL_NO_MD5 + {"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-', + "Print old-style (MD5) issuer hash value"}, + {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-', + "Print old-style (MD5) subject hash value"}, +#endif +#ifndef OPENSSL_NO_ENGINE + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, +#endif + {NULL} +}; + +int x509_main(int argc, char **argv) +{ + ASN1_INTEGER *sno = NULL; + ASN1_OBJECT *objtmp = NULL; + BIO *out = NULL; + CONF *extconf = NULL; + EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL; + STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL; + STACK_OF(OPENSSL_STRING) *sigopts = NULL; + X509 *x = NULL, *xca = NULL; + X509_REQ *req = NULL, *rq = NULL; + X509_STORE *ctx = NULL; + const EVP_MD *digest = NULL; + char *CAkeyfile = NULL, *CAserial = NULL, *fkeyfile = NULL, *alias = NULL; + char *checkhost = NULL, *checkemail = NULL, *checkip = NULL; + char *extsect = NULL, *extfile = NULL, *passin = NULL, *passinarg = NULL; + char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL; + char buf[256], *prog; + int x509req = 0, days = DEF_DAYS, modulus = 0, pubkey = 0, pprint = 0; + int C = 0, CAformat = FORMAT_PEM, CAkeyformat = FORMAT_PEM; + int fingerprint = 0, reqfile = 0, need_rand = 0, checkend = 0; + int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM; + int next_serial = 0, subject_hash = 0, issuer_hash = 0, ocspid = 0; + int noout = 0, sign_flag = 0, CA_flag = 0, CA_createserial = 0, email = 0; + int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0; + int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0; + int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0; + int enddate = 0; + time_t checkoffset = 0; + unsigned long nmflag = 0, certflag = 0; + char nmflag_set = 0; + OPTION_CHOICE o; + ENGINE *e = NULL; +#ifndef OPENSSL_NO_MD5 + int subject_hash_old = 0, issuer_hash_old = 0; +#endif + + ctx = X509_STORE_new(); + if (ctx == NULL) + goto end; + X509_STORE_set_verify_cb(ctx, callb); + + prog = opt_init(argc, argv, x509_options); + while ((o = opt_next()) != OPT_EOF) { + switch (o) { + case OPT_EOF: + case OPT_ERR: + opthelp: + BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); + goto end; + case OPT_HELP: + opt_help(x509_options); + ret = 0; + goto end; + case OPT_INFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) + goto opthelp; + break; + case OPT_IN: + infile = opt_arg(); + break; + case OPT_OUTFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat)) + goto opthelp; + break; + case OPT_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat)) + goto opthelp; + break; + case OPT_CAFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAformat)) + goto opthelp; + break; + case OPT_CAKEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat)) + goto opthelp; + break; + case OPT_OUT: + outfile = opt_arg(); + break; + case OPT_REQ: + reqfile = need_rand = 1; + break; + + case OPT_SIGOPT: + if (!sigopts) + sigopts = sk_OPENSSL_STRING_new_null(); + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg())) + goto opthelp; + break; + case OPT_DAYS: + days = atoi(opt_arg()); + break; + case OPT_PASSIN: + passinarg = opt_arg(); + break; + case OPT_EXTFILE: + extfile = opt_arg(); + break; + case OPT_EXTENSIONS: + extsect = opt_arg(); + break; + case OPT_SIGNKEY: + keyfile = opt_arg(); + sign_flag = ++num; + need_rand = 1; + break; + case OPT_CA: + CAfile = opt_arg(); + CA_flag = ++num; + need_rand = 1; + break; + case OPT_CAKEY: + CAkeyfile = opt_arg(); + break; + case OPT_CASERIAL: + CAserial = opt_arg(); + break; + case OPT_SET_SERIAL: + if (sno != NULL) { + BIO_printf(bio_err, "Serial number supplied twice\n"); + goto opthelp; + } + if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL) + goto opthelp; + break; + case OPT_FORCE_PUBKEY: + fkeyfile = opt_arg(); + break; + case OPT_ADDTRUST: + if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { + BIO_printf(bio_err, + "%s: Invalid trust object value %s\n", + prog, opt_arg()); + goto opthelp; + } + if (trust == NULL && (trust = sk_ASN1_OBJECT_new_null()) == NULL) + goto end; + sk_ASN1_OBJECT_push(trust, objtmp); + objtmp = NULL; + trustout = 1; + break; + case OPT_ADDREJECT: + if ((objtmp = OBJ_txt2obj(opt_arg(), 0)) == NULL) { + BIO_printf(bio_err, + "%s: Invalid reject object value %s\n", + prog, opt_arg()); + goto opthelp; + } + if (reject == NULL + && (reject = sk_ASN1_OBJECT_new_null()) == NULL) + goto end; + sk_ASN1_OBJECT_push(reject, objtmp); + objtmp = NULL; + trustout = 1; + break; + case OPT_SETALIAS: + alias = opt_arg(); + trustout = 1; + break; + case OPT_CERTOPT: + if (!set_cert_ex(&certflag, opt_arg())) + goto opthelp; + break; + case OPT_NAMEOPT: + nmflag_set = 1; + if (!set_name_ex(&nmflag, opt_arg())) + goto opthelp; + break; + case OPT_ENGINE: + e = setup_engine(opt_arg(), 0); + break; + case OPT_C: + C = ++num; + break; + case OPT_EMAIL: + email = ++num; + break; + case OPT_OCSP_URI: + ocsp_uri = ++num; + break; + case OPT_SERIAL: + serial = ++num; + break; + case OPT_NEXT_SERIAL: + next_serial = ++num; + break; + case OPT_MODULUS: + modulus = ++num; + break; + case OPT_PUBKEY: + pubkey = ++num; + break; + case OPT_X509TOREQ: + x509req = ++num; + break; + case OPT_TEXT: + text = ++num; + break; + case OPT_SUBJECT: + subject = ++num; + break; + case OPT_ISSUER: + issuer = ++num; + break; + case OPT_FINGERPRINT: + fingerprint = ++num; + break; + case OPT_HASH: + subject_hash = ++num; + break; + case OPT_ISSUER_HASH: + issuer_hash = ++num; + break; + case OPT_PURPOSE: + pprint = ++num; + break; + case OPT_STARTDATE: + startdate = ++num; + break; + case OPT_ENDDATE: + enddate = ++num; + break; + case OPT_NOOUT: + noout = ++num; + break; + case OPT_NOCERT: + nocert = 1; + break; + case OPT_TRUSTOUT: + trustout = 1; + break; + case OPT_CLRTRUST: + clrtrust = ++num; + break; + case OPT_CLRREJECT: + clrreject = ++num; + break; + case OPT_ALIAS: + aliasout = ++num; + break; + case OPT_CACREATESERIAL: + CA_createserial = ++num; + break; + case OPT_CLREXT: + clrext = 1; + break; + case OPT_OCSPID: + ocspid = ++num; + break; + case OPT_BADSIG: + badsig = 1; + break; +#ifndef OPENSSL_NO_MD5 + case OPT_SUBJECT_HASH_OLD: + subject_hash_old = ++num; + break; + case OPT_ISSUER_HASH_OLD: + issuer_hash_old = ++num; + break; +#else + case OPT_SUBJECT_HASH_OLD: + case OPT_ISSUER_HASH_OLD: + break; +#endif + case OPT_DATES: + startdate = ++num; + enddate = ++num; + break; + case OPT_CHECKEND: + checkend = 1; + { + intmax_t temp = 0; + if (!opt_imax(opt_arg(), &temp)) + goto opthelp; + checkoffset = (time_t)temp; + if ((intmax_t)checkoffset != temp) { + BIO_printf(bio_err, "%s: checkend time out of range %s\n", + prog, opt_arg()); + goto opthelp; + } + } + break; + case OPT_CHECKHOST: + checkhost = opt_arg(); + break; + case OPT_CHECKEMAIL: + checkemail = opt_arg(); + break; + case OPT_CHECKIP: + checkip = opt_arg(); + break; + case OPT_MD: + if (!opt_md(opt_unknown(), &digest)) + goto opthelp; + } + } + argc = opt_num_rest(); + argv = opt_rest(); + if (argc != 0) { + BIO_printf(bio_err, "%s: Unknown parameter %s\n", prog, argv[0]); + goto opthelp; + } + + if (!nmflag_set) + nmflag = XN_FLAG_ONELINE; + + if (need_rand) + app_RAND_load_file(NULL, 0); + + if (!app_passwd(passinarg, NULL, &passin, NULL)) { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + if (!X509_STORE_set_default_paths(ctx)) { + ERR_print_errors(bio_err); + goto end; + } + + if (fkeyfile) { + fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key"); + if (fkey == NULL) + goto end; + } + + if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) { + CAkeyfile = CAfile; + } else if ((CA_flag) && (CAkeyfile == NULL)) { + BIO_printf(bio_err, + "need to specify a CAkey if using the CA command\n"); + goto end; + } + + if (extfile) { + X509V3_CTX ctx2; + if ((extconf = app_load_config(extfile)) == NULL) + goto end; + if (!extsect) { + extsect = NCONF_get_string(extconf, "default", "extensions"); + if (!extsect) { + ERR_clear_error(); + extsect = "default"; + } + } + X509V3_set_ctx_test(&ctx2); + X509V3_set_nconf(&ctx2, extconf); + if (!X509V3_EXT_add_nconf(extconf, &ctx2, extsect, NULL)) { + BIO_printf(bio_err, + "Error Loading extension section %s\n", extsect); + ERR_print_errors(bio_err); + goto end; + } + } + + if (reqfile) { + EVP_PKEY *pkey; + BIO *in; + + if (!sign_flag && !CA_flag) { + BIO_printf(bio_err, "We need a private key to sign with\n"); + goto end; + } + in = bio_open_default(infile, 'r', informat); + if (in == NULL) + goto end; + req = PEM_read_bio_X509_REQ(in, NULL, NULL, NULL); + BIO_free(in); + + if (req == NULL) { + ERR_print_errors(bio_err); + goto end; + } + + if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) { + BIO_printf(bio_err, "error unpacking public key\n"); + goto end; + } + i = X509_REQ_verify(req, pkey); + if (i < 0) { + BIO_printf(bio_err, "Signature verification error\n"); + ERR_print_errors(bio_err); + goto end; + } + if (i == 0) { + BIO_printf(bio_err, + "Signature did not match the certificate request\n"); + goto end; + } else + BIO_printf(bio_err, "Signature ok\n"); + + print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), + nmflag); + + if ((x = X509_new()) == NULL) + goto end; + + if (sno == NULL) { + sno = ASN1_INTEGER_new(); + if (sno == NULL || !rand_serial(NULL, sno)) + goto end; + if (!X509_set_serialNumber(x, sno)) + goto end; + ASN1_INTEGER_free(sno); + sno = NULL; + } else if (!X509_set_serialNumber(x, sno)) + goto end; + + if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req))) + goto end; + if (!X509_set_subject_name(x, X509_REQ_get_subject_name(req))) + goto end; + if (!set_cert_times(x, NULL, NULL, days)) + goto end; + + if (fkey) + X509_set_pubkey(x, fkey); + else { + pkey = X509_REQ_get0_pubkey(req); + X509_set_pubkey(x, pkey); + } + } else + x = load_cert(infile, informat, "Certificate"); + + if (x == NULL) + goto end; + if (CA_flag) { + xca = load_cert(CAfile, CAformat, "CA Certificate"); + if (xca == NULL) + goto end; + } + + out = bio_open_default(outfile, 'w', outformat); + if (out == NULL) + goto end; + + if (!noout || text || next_serial) + OBJ_create("2.99999.3", "SET.ex3", "SET x509v3 extension 3"); + + if (alias) + X509_alias_set1(x, (unsigned char *)alias, -1); + + if (clrtrust) + X509_trust_clear(x); + if (clrreject) + X509_reject_clear(x); + + if (trust) { + for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++) { + objtmp = sk_ASN1_OBJECT_value(trust, i); + X509_add1_trust_object(x, objtmp); + } + objtmp = NULL; + } + + if (reject) { + for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++) { + objtmp = sk_ASN1_OBJECT_value(reject, i); + X509_add1_reject_object(x, objtmp); + } + objtmp = NULL; + } + + if (badsig) { + const ASN1_BIT_STRING *signature; + + X509_get0_signature(&signature, NULL, x); + corrupt_signature(signature); + } + + if (num) { + for (i = 1; i <= num; i++) { + if (issuer == i) { + print_name(out, "issuer=", X509_get_issuer_name(x), nmflag); + } else if (subject == i) { + print_name(out, "subject=", + X509_get_subject_name(x), nmflag); + } else if (serial == i) { + BIO_printf(out, "serial="); + i2a_ASN1_INTEGER(out, X509_get_serialNumber(x)); + BIO_printf(out, "\n"); + } else if (next_serial == i) { + ASN1_INTEGER *ser = X509_get_serialNumber(x); + BIGNUM *bnser = ASN1_INTEGER_to_BN(ser, NULL); + + if (!bnser) + goto end; + if (!BN_add_word(bnser, 1)) + goto end; + ser = BN_to_ASN1_INTEGER(bnser, NULL); + if (!ser) + goto end; + BN_free(bnser); + i2a_ASN1_INTEGER(out, ser); + ASN1_INTEGER_free(ser); + BIO_puts(out, "\n"); + } else if ((email == i) || (ocsp_uri == i)) { + int j; + STACK_OF(OPENSSL_STRING) *emlst; + if (email == i) + emlst = X509_get1_email(x); + else + emlst = X509_get1_ocsp(x); + for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) + BIO_printf(out, "%s\n", + sk_OPENSSL_STRING_value(emlst, j)); + X509_email_free(emlst); + } else if (aliasout == i) { + unsigned char *alstr; + alstr = X509_alias_get0(x, NULL); + if (alstr) + BIO_printf(out, "%s\n", alstr); + else + BIO_puts(out, "\n"); + } else if (subject_hash == i) { + BIO_printf(out, "%08lx\n", X509_subject_name_hash(x)); + } +#ifndef OPENSSL_NO_MD5 + else if (subject_hash_old == i) { + BIO_printf(out, "%08lx\n", X509_subject_name_hash_old(x)); + } +#endif + else if (issuer_hash == i) { + BIO_printf(out, "%08lx\n", X509_issuer_name_hash(x)); + } +#ifndef OPENSSL_NO_MD5 + else if (issuer_hash_old == i) { + BIO_printf(out, "%08lx\n", X509_issuer_name_hash_old(x)); + } +#endif + else if (pprint == i) { + X509_PURPOSE *ptmp; + int j; + BIO_printf(out, "Certificate purposes:\n"); + for (j = 0; j < X509_PURPOSE_get_count(); j++) { + ptmp = X509_PURPOSE_get0(j); + purpose_print(out, x, ptmp); + } + } else if (modulus == i) { + EVP_PKEY *pkey; + + pkey = X509_get0_pubkey(x); + if (pkey == NULL) { + BIO_printf(bio_err, "Modulus=unavailable\n"); + ERR_print_errors(bio_err); + goto end; + } + BIO_printf(out, "Modulus="); +#ifndef OPENSSL_NO_RSA + if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { + const BIGNUM *n; + RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &n, NULL, NULL); + BN_print(out, n); + } else +#endif +#ifndef OPENSSL_NO_DSA + if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) { + const BIGNUM *dsapub = NULL; + DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL); + BN_print(out, dsapub); + } else +#endif + { + BIO_printf(out, "Wrong Algorithm type"); + } + BIO_printf(out, "\n"); + } else if (pubkey == i) { + EVP_PKEY *pkey; + + pkey = X509_get0_pubkey(x); + if (pkey == NULL) { + BIO_printf(bio_err, "Error getting public key\n"); + ERR_print_errors(bio_err); + goto end; + } + PEM_write_bio_PUBKEY(out, pkey); + } else if (C == i) { + unsigned char *d; + char *m; + int len; + + X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf)); + BIO_printf(out, "/*\n" + " * Subject: %s\n", buf); + + X509_NAME_oneline(X509_get_issuer_name(x), buf, sizeof(buf)); + BIO_printf(out, " * Issuer: %s\n" + " */\n", buf); + + len = i2d_X509(x, NULL); + m = app_malloc(len, "x509 name buffer"); + d = (unsigned char *)m; + len = i2d_X509_NAME(X509_get_subject_name(x), &d); + print_array(out, "the_subject_name", len, (unsigned char *)m); + d = (unsigned char *)m; + len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &d); + print_array(out, "the_public_key", len, (unsigned char *)m); + d = (unsigned char *)m; + len = i2d_X509(x, &d); + print_array(out, "the_certificate", len, (unsigned char *)m); + OPENSSL_free(m); + } else if (text == i) { + X509_print_ex(out, x, nmflag, certflag); + } else if (startdate == i) { + BIO_puts(out, "notBefore="); + ASN1_TIME_print(out, X509_get0_notBefore(x)); + BIO_puts(out, "\n"); + } else if (enddate == i) { + BIO_puts(out, "notAfter="); + ASN1_TIME_print(out, X509_get0_notAfter(x)); + BIO_puts(out, "\n"); + } else if (fingerprint == i) { + int j; + unsigned int n; + unsigned char md[EVP_MAX_MD_SIZE]; + const EVP_MD *fdig = digest; + + if (!fdig) + fdig = EVP_sha1(); + + if (!X509_digest(x, fdig, md, &n)) { + BIO_printf(bio_err, "out of memory\n"); + goto end; + } + BIO_printf(out, "%s Fingerprint=", + OBJ_nid2sn(EVP_MD_type(fdig))); + for (j = 0; j < (int)n; j++) { + BIO_printf(out, "%02X%c", md[j], (j + 1 == (int)n) + ? '\n' : ':'); + } + } + + /* should be in the library */ + else if ((sign_flag == i) && (x509req == 0)) { + BIO_printf(bio_err, "Getting Private key\n"); + if (Upkey == NULL) { + Upkey = load_key(keyfile, keyformat, 0, + passin, e, "Private key"); + if (Upkey == NULL) + goto end; + } + + assert(need_rand); + if (!sign(x, Upkey, days, clrext, digest, extconf, extsect)) + goto end; + } else if (CA_flag == i) { + BIO_printf(bio_err, "Getting CA Private Key\n"); + if (CAkeyfile != NULL) { + CApkey = load_key(CAkeyfile, CAkeyformat, + 0, passin, e, "CA Private Key"); + if (CApkey == NULL) + goto end; + } + + assert(need_rand); + if (!x509_certify(ctx, CAfile, digest, x, xca, + CApkey, sigopts, + CAserial, CA_createserial, days, clrext, + extconf, extsect, sno, reqfile)) + goto end; + } else if (x509req == i) { + EVP_PKEY *pk; + + BIO_printf(bio_err, "Getting request Private Key\n"); + if (keyfile == NULL) { + BIO_printf(bio_err, "no request key file specified\n"); + goto end; + } else { + pk = load_key(keyfile, keyformat, 0, + passin, e, "request key"); + if (pk == NULL) + goto end; + } + + BIO_printf(bio_err, "Generating certificate request\n"); + + rq = X509_to_X509_REQ(x, pk, digest); + EVP_PKEY_free(pk); + if (rq == NULL) { + ERR_print_errors(bio_err); + goto end; + } + if (!noout) { + X509_REQ_print(out, rq); + PEM_write_bio_X509_REQ(out, rq); + } + noout = 1; + } else if (ocspid == i) { + X509_ocspid_print(out, x); + } + } + } + + if (checkend) { + time_t tcheck = time(NULL) + checkoffset; + + if (X509_cmp_time(X509_get0_notAfter(x), &tcheck) < 0) { + BIO_printf(out, "Certificate will expire\n"); + ret = 1; + } else { + BIO_printf(out, "Certificate will not expire\n"); + ret = 0; + } + goto end; + } + + print_cert_checks(out, x, checkhost, checkemail, checkip); + + if (noout || nocert) { + ret = 0; + goto end; + } + + if (outformat == FORMAT_ASN1) + i = i2d_X509_bio(out, x); + else if (outformat == FORMAT_PEM) { + if (trustout) + i = PEM_write_bio_X509_AUX(out, x); + else + i = PEM_write_bio_X509(out, x); + } else { + BIO_printf(bio_err, "bad output format specified for outfile\n"); + goto end; + } + if (!i) { + BIO_printf(bio_err, "unable to write certificate\n"); + ERR_print_errors(bio_err); + goto end; + } + ret = 0; + end: + if (need_rand) + app_RAND_write_file(NULL); + NCONF_free(extconf); + BIO_free_all(out); + X509_STORE_free(ctx); + X509_REQ_free(req); + X509_free(x); + X509_free(xca); + EVP_PKEY_free(Upkey); + EVP_PKEY_free(CApkey); + EVP_PKEY_free(fkey); + sk_OPENSSL_STRING_free(sigopts); + X509_REQ_free(rq); + ASN1_INTEGER_free(sno); + sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free); + sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free); + ASN1_OBJECT_free(objtmp); + release_engine(e); + OPENSSL_free(passin); + return (ret); +} + +static ASN1_INTEGER *x509_load_serial(const char *CAfile, const char *serialfile, + int create) +{ + char *buf = NULL, *p; + ASN1_INTEGER *bs = NULL; + BIGNUM *serial = NULL; + size_t len; + + len = ((serialfile == NULL) + ? (strlen(CAfile) + strlen(POSTFIX) + 1) + : (strlen(serialfile))) + 1; + buf = app_malloc(len, "serial# buffer"); + if (serialfile == NULL) { + OPENSSL_strlcpy(buf, CAfile, len); + for (p = buf; *p; p++) + if (*p == '.') { + *p = '\0'; + break; + } + OPENSSL_strlcat(buf, POSTFIX, len); + } else + OPENSSL_strlcpy(buf, serialfile, len); + + serial = load_serial(buf, create, NULL); + if (serial == NULL) + goto end; + + if (!BN_add_word(serial, 1)) { + BIO_printf(bio_err, "add_word failure\n"); + goto end; + } + + if (!save_serial(buf, NULL, serial, &bs)) + goto end; + + end: + OPENSSL_free(buf); + BN_free(serial); + return bs; +} + +static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *digest, + X509 *x, X509 *xca, EVP_PKEY *pkey, + STACK_OF(OPENSSL_STRING) *sigopts, + const char *serialfile, int create, + int days, int clrext, CONF *conf, const char *section, + ASN1_INTEGER *sno, int reqfile) +{ + int ret = 0; + ASN1_INTEGER *bs = NULL; + X509_STORE_CTX *xsc = NULL; + EVP_PKEY *upkey; + + upkey = X509_get0_pubkey(xca); + if (upkey == NULL) { + BIO_printf(bio_err, "Error obtaining CA X509 public key\n"); + goto end; + } + EVP_PKEY_copy_parameters(upkey, pkey); + + xsc = X509_STORE_CTX_new(); + if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) { + BIO_printf(bio_err, "Error initialising X509 store\n"); + goto end; + } + if (sno) + bs = sno; + else if ((bs = x509_load_serial(CAfile, serialfile, create)) == NULL) + goto end; + + /* + * NOTE: this certificate can/should be self signed, unless it was a + * certificate request in which case it is not. + */ + X509_STORE_CTX_set_cert(xsc, x); + X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE); + if (!reqfile && X509_verify_cert(xsc) <= 0) + goto end; + + if (!X509_check_private_key(xca, pkey)) { + BIO_printf(bio_err, + "CA certificate and CA private key do not match\n"); + goto end; + } + + if (!X509_set_issuer_name(x, X509_get_subject_name(xca))) + goto end; + if (!X509_set_serialNumber(x, bs)) + goto end; + + if (!set_cert_times(x, NULL, NULL, days)) + goto end; + + if (clrext) { + while (X509_get_ext_count(x) > 0) + X509_delete_ext(x, 0); + } + + if (conf) { + X509V3_CTX ctx2; + X509_set_version(x, 2); /* version 3 certificate */ + X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0); + X509V3_set_nconf(&ctx2, conf); + if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x)) + goto end; + } + + if (!do_X509_sign(x, pkey, digest, sigopts)) + goto end; + ret = 1; + end: + X509_STORE_CTX_free(xsc); + if (!ret) + ERR_print_errors(bio_err); + if (!sno) + ASN1_INTEGER_free(bs); + return ret; +} + +static int callb(int ok, X509_STORE_CTX *ctx) +{ + int err; + X509 *err_cert; + + /* + * it is ok to use a self signed certificate This case will catch both + * the initial ok == 0 and the final ok == 1 calls to this function + */ + err = X509_STORE_CTX_get_error(ctx); + if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) + return 1; + + /* + * BAD we should have gotten an error. Normally if everything worked + * X509_STORE_CTX_get_error(ctx) will still be set to + * DEPTH_ZERO_SELF_.... + */ + if (ok) { + BIO_printf(bio_err, + "error with certificate to be certified - should be self signed\n"); + return 0; + } else { + err_cert = X509_STORE_CTX_get_current_cert(ctx); + print_name(bio_err, NULL, X509_get_subject_name(err_cert), 0); + BIO_printf(bio_err, + "error with certificate - error %d at depth %d\n%s\n", err, + X509_STORE_CTX_get_error_depth(ctx), + X509_verify_cert_error_string(err)); + return 1; + } +} + +/* self sign */ +static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, + const EVP_MD *digest, CONF *conf, const char *section) +{ + + if (!X509_set_issuer_name(x, X509_get_subject_name(x))) + goto err; + if (!set_cert_times(x, NULL, NULL, days)) + goto err; + if (!X509_set_pubkey(x, pkey)) + goto err; + if (clrext) { + while (X509_get_ext_count(x) > 0) + X509_delete_ext(x, 0); + } + if (conf) { + X509V3_CTX ctx; + X509_set_version(x, 2); /* version 3 certificate */ + X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0); + X509V3_set_nconf(&ctx, conf); + if (!X509V3_EXT_add_nconf(conf, &ctx, section, x)) + goto err; + } + if (!X509_sign(x, pkey, digest)) + goto err; + return 1; + err: + ERR_print_errors(bio_err); + return 0; +} + +static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt) +{ + int id, i, idret; + const char *pname; + id = X509_PURPOSE_get_id(pt); + pname = X509_PURPOSE_get0_name(pt); + for (i = 0; i < 2; i++) { + idret = X509_check_purpose(cert, id, i); + BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); + if (idret == 1) + BIO_printf(bio, "Yes\n"); + else if (idret == 0) + BIO_printf(bio, "No\n"); + else + BIO_printf(bio, "Yes (WARNING code=%d)\n", idret); + } + return 1; +} -- cgit v1.2.3