xref: /minix/crypto/external/bsd/openssl/dist/apps/apps.c (revision 0a6a1f1d)
1 /* apps/apps.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 
112 #if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
113 /*
114  * On VMS, you need to define this to get the declaration of fileno().  The
115  * value 2 is to make sure no function defined in POSIX-2 is left undefined.
116  */
117 # define _POSIX_C_SOURCE 2
118 #endif
119 #include <stdio.h>
120 #include <stdlib.h>
121 #include <string.h>
122 #if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
123 # include <strings.h>
124 #endif
125 #include <sys/types.h>
126 #include <ctype.h>
127 #include <errno.h>
128 #include <assert.h>
129 #include <openssl/err.h>
130 #include <openssl/x509.h>
131 #include <openssl/x509v3.h>
132 #include <openssl/pem.h>
133 #include <openssl/pkcs12.h>
134 #include <openssl/ui.h>
135 #include <openssl/safestack.h>
136 #ifndef OPENSSL_NO_ENGINE
137 # include <openssl/engine.h>
138 #endif
139 #ifndef OPENSSL_NO_RSA
140 # include <openssl/rsa.h>
141 #endif
142 #include <openssl/bn.h>
143 #ifndef OPENSSL_NO_JPAKE
144 # include <openssl/jpake.h>
145 #endif
146 
147 #define NON_MAIN
148 #include "apps.h"
149 #undef NON_MAIN
150 
151 #ifdef _WIN32
152 static int WIN32_rename(const char *from, const char *to);
153 # define rename(from,to) WIN32_rename((from),(to))
154 #endif
155 
156 typedef struct {
157     const char *name;
158     unsigned long flag;
159     unsigned long mask;
160 } NAME_EX_TBL;
161 
162 static UI_METHOD *ui_method = NULL;
163 
164 static int set_table_opts(unsigned long *flags, const char *arg,
165                           const NAME_EX_TBL * in_tbl);
166 static int set_multi_opts(unsigned long *flags, const char *arg,
167                           const NAME_EX_TBL * in_tbl);
168 
169 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
170 /* Looks like this stuff is worth moving into separate function */
171 static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file,
172                                    const char *key_descrip, int format);
173 #endif
174 
175 int app_init(long mesgwin);
176 #ifdef undef                    /* never finished - probably never will be
177                                  * :-) */
args_from_file(char * file,int * argc,char ** argv[])178 int args_from_file(char *file, int *argc, char **argv[])
179 {
180     FILE *fp;
181     int num, i;
182     unsigned int len;
183     static char *buf = NULL;
184     static char **arg = NULL;
185     char *p;
186 
187     fp = fopen(file, "r");
188     if (fp == NULL)
189         return (0);
190 
191     if (fseek(fp, 0, SEEK_END) == 0)
192         len = ftell(fp), rewind(fp);
193     else
194         len = -1;
195     if (len <= 0) {
196         fclose(fp);
197         return (0);
198     }
199 
200     *argc = 0;
201     *argv = NULL;
202 
203     if (buf != NULL)
204         OPENSSL_free(buf);
205     buf = (char *)OPENSSL_malloc(len + 1);
206     if (buf == NULL)
207         return (0);
208 
209     len = fread(buf, 1, len, fp);
210     if (len <= 1)
211         return (0);
212     buf[len] = '\0';
213 
214     i = 0;
215     for (p = buf; *p; p++)
216         if (*p == '\n')
217             i++;
218     if (arg != NULL)
219         OPENSSL_free(arg);
220     arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2));
221 
222     *argv = arg;
223     num = 0;
224     p = buf;
225     for (;;) {
226         if (!*p)
227             break;
228         if (*p == '#') {        /* comment line */
229             while (*p && (*p != '\n'))
230                 p++;
231             continue;
232         }
233         /* else we have a line */
234         *(arg++) = p;
235         num++;
236         while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n')))
237             p++;
238         if (!*p)
239             break;
240         if (*p == '\n') {
241             *(p++) = '\0';
242             continue;
243         }
244         /* else it is a tab or space */
245         p++;
246         while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
247             p++;
248         if (!*p)
249             break;
250         if (*p == '\n') {
251             p++;
252             continue;
253         }
254         *(arg++) = p++;
255         num++;
256         while (*p && (*p != '\n'))
257             p++;
258         if (!*p)
259             break;
260         /* else *p == '\n' */
261         *(p++) = '\0';
262     }
263     *argc = num;
264     return (1);
265 }
266 #endif
267 
str2fmt(char * s)268 int str2fmt(char *s)
269 {
270     if (s == NULL)
271         return FORMAT_UNDEF;
272     if ((*s == 'D') || (*s == 'd'))
273         return (FORMAT_ASN1);
274     else if ((*s == 'T') || (*s == 't'))
275         return (FORMAT_TEXT);
276     else if ((*s == 'N') || (*s == 'n'))
277         return (FORMAT_NETSCAPE);
278     else if ((*s == 'S') || (*s == 's'))
279         return (FORMAT_SMIME);
280     else if ((*s == 'M') || (*s == 'm'))
281         return (FORMAT_MSBLOB);
282     else if ((*s == '1')
283              || (strcmp(s, "PKCS12") == 0) || (strcmp(s, "pkcs12") == 0)
284              || (strcmp(s, "P12") == 0) || (strcmp(s, "p12") == 0))
285         return (FORMAT_PKCS12);
286     else if ((*s == 'E') || (*s == 'e'))
287         return (FORMAT_ENGINE);
288     else if ((*s == 'P') || (*s == 'p')) {
289         if (s[1] == 'V' || s[1] == 'v')
290             return FORMAT_PVK;
291         else
292             return (FORMAT_PEM);
293     } else
294         return (FORMAT_UNDEF);
295 }
296 
297 #if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_NETWARE)
program_name(char * in,char * out,int size)298 void program_name(char *in, char *out, int size)
299 {
300     int i, n;
301     char *p = NULL;
302 
303     n = strlen(in);
304     /* find the last '/', '\' or ':' */
305     for (i = n - 1; i > 0; i--) {
306         if ((in[i] == '/') || (in[i] == '\\') || (in[i] == ':')) {
307             p = &(in[i + 1]);
308             break;
309         }
310     }
311     if (p == NULL)
312         p = in;
313     n = strlen(p);
314 
315 # if defined(OPENSSL_SYS_NETWARE)
316     /* strip off trailing .nlm if present. */
317     if ((n > 4) && (p[n - 4] == '.') &&
318         ((p[n - 3] == 'n') || (p[n - 3] == 'N')) &&
319         ((p[n - 2] == 'l') || (p[n - 2] == 'L')) &&
320         ((p[n - 1] == 'm') || (p[n - 1] == 'M')))
321         n -= 4;
322 # else
323     /* strip off trailing .exe if present. */
324     if ((n > 4) && (p[n - 4] == '.') &&
325         ((p[n - 3] == 'e') || (p[n - 3] == 'E')) &&
326         ((p[n - 2] == 'x') || (p[n - 2] == 'X')) &&
327         ((p[n - 1] == 'e') || (p[n - 1] == 'E')))
328         n -= 4;
329 # endif
330 
331     if (n > size - 1)
332         n = size - 1;
333 
334     for (i = 0; i < n; i++) {
335         if ((p[i] >= 'A') && (p[i] <= 'Z'))
336             out[i] = p[i] - 'A' + 'a';
337         else
338             out[i] = p[i];
339     }
340     out[n] = '\0';
341 }
342 #else
343 # ifdef OPENSSL_SYS_VMS
program_name(char * in,char * out,int size)344 void program_name(char *in, char *out, int size)
345 {
346     char *p = in, *q;
347     char *chars = ":]>";
348 
349     while (*chars != '\0') {
350         q = strrchr(p, *chars);
351         if (q > p)
352             p = q + 1;
353         chars++;
354     }
355 
356     q = strrchr(p, '.');
357     if (q == NULL)
358         q = p + strlen(p);
359     strncpy(out, p, size - 1);
360     if (q - p >= size) {
361         out[size - 1] = '\0';
362     } else {
363         out[q - p] = '\0';
364     }
365 }
366 # else
program_name(char * in,char * out,int size)367 void program_name(char *in, char *out, int size)
368 {
369     char *p;
370 
371     p = strrchr(in, '/');
372     if (p != NULL)
373         p++;
374     else
375         p = in;
376     BUF_strlcpy(out, p, size);
377 }
378 # endif
379 #endif
380 
chopup_args(ARGS * arg,char * buf,int * argc,char ** argv[])381 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
382 {
383     int num, i;
384     char *p;
385 
386     *argc = 0;
387     *argv = NULL;
388 
389     i = 0;
390     if (arg->count == 0) {
391         arg->count = 20;
392         arg->data = (char **)OPENSSL_malloc(sizeof(char *) * arg->count);
393         if (arg->data == NULL)
394             return 0;
395     }
396     for (i = 0; i < arg->count; i++)
397         arg->data[i] = NULL;
398 
399     num = 0;
400     p = buf;
401     for (;;) {
402         /* first scan over white space */
403         if (!*p)
404             break;
405         while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
406             p++;
407         if (!*p)
408             break;
409 
410         /* The start of something good :-) */
411         if (num >= arg->count) {
412             char **tmp_p;
413             int tlen = arg->count + 20;
414             tmp_p = (char **)OPENSSL_realloc(arg->data,
415                                              sizeof(char *) * tlen);
416             if (tmp_p == NULL)
417                 return 0;
418             arg->data = tmp_p;
419             arg->count = tlen;
420             /* initialize newly allocated data */
421             for (i = num; i < arg->count; i++)
422                 arg->data[i] = NULL;
423         }
424         arg->data[num++] = p;
425 
426         /* now look for the end of this */
427         if ((*p == '\'') || (*p == '\"')) { /* scan for closing quote */
428             i = *(p++);
429             arg->data[num - 1]++; /* jump over quote */
430             while (*p && (*p != i))
431                 p++;
432             *p = '\0';
433         } else {
434             while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n')))
435                 p++;
436 
437             if (*p == '\0')
438                 p--;
439             else
440                 *p = '\0';
441         }
442         p++;
443     }
444     *argc = num;
445     *argv = arg->data;
446     return (1);
447 }
448 
449 #ifndef APP_INIT
app_init(long mesgwin)450 int app_init(long mesgwin)
451 {
452     return (1);
453 }
454 #endif
455 
dump_cert_text(BIO * out,X509 * x)456 int dump_cert_text(BIO *out, X509 *x)
457 {
458     char *p;
459 
460     p = X509_NAME_oneline(X509_get_subject_name(x), NULL, 0);
461     BIO_puts(out, "subject=");
462     BIO_puts(out, p);
463     OPENSSL_free(p);
464 
465     p = X509_NAME_oneline(X509_get_issuer_name(x), NULL, 0);
466     BIO_puts(out, "\nissuer=");
467     BIO_puts(out, p);
468     BIO_puts(out, "\n");
469     OPENSSL_free(p);
470 
471     return 0;
472 }
473 
ui_open(UI * ui)474 static int ui_open(UI *ui)
475 {
476     return UI_method_get_opener(UI_OpenSSL())(ui);
477 }
478 
ui_read(UI * ui,UI_STRING * uis)479 static int ui_read(UI *ui, UI_STRING *uis)
480 {
481     if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
482         && UI_get0_user_data(ui)) {
483         switch (UI_get_string_type(uis)) {
484         case UIT_PROMPT:
485         case UIT_VERIFY:
486             {
487                 const char *password =
488                     ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
489                 if (password && password[0] != '\0') {
490                     UI_set_result(ui, uis, password);
491                     return 1;
492                 }
493             }
494         default:
495             break;
496         }
497     }
498     return UI_method_get_reader(UI_OpenSSL())(ui, uis);
499 }
500 
ui_write(UI * ui,UI_STRING * uis)501 static int ui_write(UI *ui, UI_STRING *uis)
502 {
503     if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
504         && UI_get0_user_data(ui)) {
505         switch (UI_get_string_type(uis)) {
506         case UIT_PROMPT:
507         case UIT_VERIFY:
508             {
509                 const char *password =
510                     ((PW_CB_DATA *)UI_get0_user_data(ui))->password;
511                 if (password && password[0] != '\0')
512                     return 1;
513             }
514         default:
515             break;
516         }
517     }
518     return UI_method_get_writer(UI_OpenSSL())(ui, uis);
519 }
520 
ui_close(UI * ui)521 static int ui_close(UI *ui)
522 {
523     return UI_method_get_closer(UI_OpenSSL())(ui);
524 }
525 
setup_ui_method(void)526 int setup_ui_method(void)
527 {
528     ui_method = UI_create_method("OpenSSL application user interface");
529     UI_method_set_opener(ui_method, ui_open);
530     UI_method_set_reader(ui_method, ui_read);
531     UI_method_set_writer(ui_method, ui_write);
532     UI_method_set_closer(ui_method, ui_close);
533     return 0;
534 }
535 
destroy_ui_method(void)536 void destroy_ui_method(void)
537 {
538     if (ui_method) {
539         UI_destroy_method(ui_method);
540         ui_method = NULL;
541     }
542 }
543 
password_callback(char * buf,int bufsiz,int verify,PW_CB_DATA * cb_tmp)544 int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
545 {
546     UI *ui = NULL;
547     int res = 0;
548     const char *prompt_info = NULL;
549     const char *password = NULL;
550     PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
551 
552     if (cb_data) {
553         if (cb_data->password)
554             password = cb_data->password;
555         if (cb_data->prompt_info)
556             prompt_info = cb_data->prompt_info;
557     }
558 
559     if (password) {
560         res = strlen(password);
561         if (res > bufsiz)
562             res = bufsiz;
563         memcpy(buf, password, res);
564         return res;
565     }
566 
567     ui = UI_new_method(ui_method);
568     if (ui) {
569         int ok = 0;
570         char *buff = NULL;
571         int ui_flags = 0;
572         char *prompt = NULL;
573 
574         prompt = UI_construct_prompt(ui, "pass phrase", prompt_info);
575         if (!prompt) {
576             BIO_printf(bio_err, "Out of memory\n");
577             UI_free(ui);
578             return 0;
579         }
580 
581         ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
582         UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
583 
584         if (ok >= 0)
585             ok = UI_add_input_string(ui, prompt, ui_flags, buf,
586                                      PW_MIN_LENGTH, bufsiz - 1);
587         if (ok >= 0 && verify) {
588             buff = (char *)OPENSSL_malloc(bufsiz);
589             if (!buff) {
590                 BIO_printf(bio_err, "Out of memory\n");
591                 UI_free(ui);
592                 OPENSSL_free(prompt);
593                 return 0;
594             }
595             ok = UI_add_verify_string(ui, prompt, ui_flags, buff,
596                                       PW_MIN_LENGTH, bufsiz - 1, buf);
597         }
598         if (ok >= 0)
599             do {
600                 ok = UI_process(ui);
601             }
602             while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
603 
604         if (buff) {
605             OPENSSL_cleanse(buff, (unsigned int)bufsiz);
606             OPENSSL_free(buff);
607         }
608 
609         if (ok >= 0)
610             res = strlen(buf);
611         if (ok == -1) {
612             BIO_printf(bio_err, "User interface error\n");
613             ERR_print_errors(bio_err);
614             OPENSSL_cleanse(buf, (unsigned int)bufsiz);
615             res = 0;
616         }
617         if (ok == -2) {
618             BIO_printf(bio_err, "aborted!\n");
619             OPENSSL_cleanse(buf, (unsigned int)bufsiz);
620             res = 0;
621         }
622         UI_free(ui);
623         OPENSSL_free(prompt);
624     }
625     return res;
626 }
627 
628 static char *app_get_pass(BIO *err, char *arg, int keepbio);
629 
app_passwd(BIO * err,char * arg1,char * arg2,char ** pass1,char ** pass2)630 int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
631 {
632     int same;
633     if (!arg2 || !arg1 || strcmp(arg1, arg2))
634         same = 0;
635     else
636         same = 1;
637     if (arg1) {
638         *pass1 = app_get_pass(err, arg1, same);
639         if (!*pass1)
640             return 0;
641     } else if (pass1)
642         *pass1 = NULL;
643     if (arg2) {
644         *pass2 = app_get_pass(err, arg2, same ? 2 : 0);
645         if (!*pass2)
646             return 0;
647     } else if (pass2)
648         *pass2 = NULL;
649     return 1;
650 }
651 
app_get_pass(BIO * err,char * arg,int keepbio)652 static char *app_get_pass(BIO *err, char *arg, int keepbio)
653 {
654     char *tmp, tpass[APP_PASS_LEN];
655     static BIO *pwdbio = NULL;
656     int i;
657     if (!strncmp(arg, "pass:", 5))
658         return BUF_strdup(arg + 5);
659     if (!strncmp(arg, "env:", 4)) {
660         tmp = getenv(arg + 4);
661         if (!tmp) {
662             BIO_printf(err, "Can't read environment variable %s\n", arg + 4);
663             return NULL;
664         }
665         return BUF_strdup(tmp);
666     }
667     if (!keepbio || !pwdbio) {
668         if (!strncmp(arg, "file:", 5)) {
669             pwdbio = BIO_new_file(arg + 5, "r");
670             if (!pwdbio) {
671                 BIO_printf(err, "Can't open file %s\n", arg + 5);
672                 return NULL;
673             }
674 #if !defined(_WIN32)
675             /*
676              * Under _WIN32, which covers even Win64 and CE, file
677              * descriptors referenced by BIO_s_fd are not inherited
678              * by child process and therefore below is not an option.
679              * It could have been an option if bss_fd.c was operating
680              * on real Windows descriptors, such as those obtained
681              * with CreateFile.
682              */
683         } else if (!strncmp(arg, "fd:", 3)) {
684             BIO *btmp;
685             i = atoi(arg + 3);
686             if (i >= 0)
687                 pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
688             if ((i < 0) || !pwdbio) {
689                 BIO_printf(err, "Can't access file descriptor %s\n", arg + 3);
690                 return NULL;
691             }
692             /*
693              * Can't do BIO_gets on an fd BIO so add a buffering BIO
694              */
695             btmp = BIO_new(BIO_f_buffer());
696             pwdbio = BIO_push(btmp, pwdbio);
697 #endif
698         } else if (!strcmp(arg, "stdin")) {
699             pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
700             if (!pwdbio) {
701                 BIO_printf(err, "Can't open BIO for stdin\n");
702                 return NULL;
703             }
704         } else {
705             BIO_printf(err, "Invalid password argument \"%s\"\n", arg);
706             return NULL;
707         }
708     }
709     i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
710     if (keepbio != 1) {
711         BIO_free_all(pwdbio);
712         pwdbio = NULL;
713     }
714     if (i <= 0) {
715         BIO_printf(err, "Error reading password from BIO\n");
716         return NULL;
717     }
718     tmp = strchr(tpass, '\n');
719     if (tmp)
720         *tmp = 0;
721     return BUF_strdup(tpass);
722 }
723 
add_oid_section(BIO * err,CONF * conf)724 int add_oid_section(BIO *err, CONF *conf)
725 {
726     char *p;
727     STACK_OF(CONF_VALUE) *sktmp;
728     CONF_VALUE *cnf;
729     int i;
730     if (!(p = NCONF_get_string(conf, NULL, "oid_section"))) {
731         ERR_clear_error();
732         return 1;
733     }
734     if (!(sktmp = NCONF_get_section(conf, p))) {
735         BIO_printf(err, "problem loading oid section %s\n", p);
736         return 0;
737     }
738     for (i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
739         cnf = sk_CONF_VALUE_value(sktmp, i);
740         if (OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
741             BIO_printf(err, "problem creating object %s=%s\n",
742                        cnf->name, cnf->value);
743             return 0;
744         }
745     }
746     return 1;
747 }
748 
load_pkcs12(BIO * err,BIO * in,const char * desc,pem_password_cb * pem_cb,void * cb_data,EVP_PKEY ** pkey,X509 ** cert,STACK_OF (X509)** ca)749 static int load_pkcs12(BIO *err, BIO *in, const char *desc,
750                        pem_password_cb *pem_cb, void *cb_data,
751                        EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
752 {
753     const char *pass;
754     char tpass[PEM_BUFSIZE];
755     int len, ret = 0;
756     PKCS12 *p12;
757     p12 = d2i_PKCS12_bio(in, NULL);
758     if (p12 == NULL) {
759         BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);
760         goto die;
761     }
762     /* See if an empty password will do */
763     if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
764         pass = "";
765     else {
766         if (!pem_cb)
767             pem_cb = (pem_password_cb *)password_callback;
768         len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
769         if (len < 0) {
770             BIO_printf(err, "Passpharse callback error for %s\n", desc);
771             goto die;
772         }
773         if (len < PEM_BUFSIZE)
774             tpass[len] = 0;
775         if (!PKCS12_verify_mac(p12, tpass, len)) {
776             BIO_printf(err,
777                        "Mac verify error (wrong password?) in PKCS12 file for %s\n",
778                        desc);
779             goto die;
780         }
781         pass = tpass;
782     }
783     ret = PKCS12_parse(p12, pass, pkey, cert, ca);
784  die:
785     if (p12)
786         PKCS12_free(p12);
787     return ret;
788 }
789 
load_cert(BIO * err,const char * file,int format,const char * pass,ENGINE * e,const char * cert_descrip)790 X509 *load_cert(BIO *err, const char *file, int format,
791                 const char *pass, ENGINE *e, const char *cert_descrip)
792 {
793     X509 *x = NULL;
794     BIO *cert;
795 
796     if ((cert = BIO_new(BIO_s_file())) == NULL) {
797         ERR_print_errors(err);
798         goto end;
799     }
800 
801     if (file == NULL) {
802 #ifdef _IONBF
803 # ifndef OPENSSL_NO_SETVBUF_IONBF
804         setvbuf(stdin, NULL, _IONBF, 0);
805 # endif                         /* ndef OPENSSL_NO_SETVBUF_IONBF */
806 #endif
807         BIO_set_fp(cert, stdin, BIO_NOCLOSE);
808     } else {
809         if (BIO_read_filename(cert, file) <= 0) {
810             BIO_printf(err, "Error opening %s %s\n", cert_descrip, file);
811             ERR_print_errors(err);
812             goto end;
813         }
814     }
815 
816     if (format == FORMAT_ASN1)
817         x = d2i_X509_bio(cert, NULL);
818     else if (format == FORMAT_NETSCAPE) {
819         NETSCAPE_X509 *nx;
820         nx = ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509), cert, NULL);
821         if (nx == NULL)
822             goto end;
823 
824         if ((strncmp(NETSCAPE_CERT_HDR, (char *)nx->header->data,
825                      nx->header->length) != 0)) {
826             NETSCAPE_X509_free(nx);
827             BIO_printf(err, "Error reading header on certificate\n");
828             goto end;
829         }
830         x = nx->cert;
831         nx->cert = NULL;
832         NETSCAPE_X509_free(nx);
833     } else if (format == FORMAT_PEM)
834         x = PEM_read_bio_X509_AUX(cert, NULL,
835                                   (pem_password_cb *)password_callback, NULL);
836     else if (format == FORMAT_PKCS12) {
837         if (!load_pkcs12(err, cert, cert_descrip, NULL, NULL, NULL, &x, NULL))
838             goto end;
839     } else {
840         BIO_printf(err, "bad input format specified for %s\n", cert_descrip);
841         goto end;
842     }
843  end:
844     if (x == NULL) {
845         BIO_printf(err, "unable to load certificate\n");
846         ERR_print_errors(err);
847     }
848     if (cert != NULL)
849         BIO_free(cert);
850     return (x);
851 }
852 
load_key(BIO * err,const char * file,int format,int maybe_stdin,const char * pass,ENGINE * e,const char * key_descrip)853 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
854                    const char *pass, ENGINE *e, const char *key_descrip)
855 {
856     BIO *key = NULL;
857     EVP_PKEY *pkey = NULL;
858     PW_CB_DATA cb_data;
859 
860     cb_data.password = pass;
861     cb_data.prompt_info = file;
862 
863     if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
864         BIO_printf(err, "no keyfile specified\n");
865         goto end;
866     }
867 #ifndef OPENSSL_NO_ENGINE
868     if (format == FORMAT_ENGINE) {
869         if (!e)
870             BIO_printf(err, "no engine specified\n");
871         else {
872             pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
873             if (!pkey) {
874                 BIO_printf(err, "cannot load %s from engine\n", key_descrip);
875                 ERR_print_errors(err);
876             }
877         }
878         goto end;
879     }
880 #endif
881     key = BIO_new(BIO_s_file());
882     if (key == NULL) {
883         ERR_print_errors(err);
884         goto end;
885     }
886     if (file == NULL && maybe_stdin) {
887 #ifdef _IONBF
888 # ifndef OPENSSL_NO_SETVBUF_IONBF
889         setvbuf(stdin, NULL, _IONBF, 0);
890 # endif                         /* ndef OPENSSL_NO_SETVBUF_IONBF */
891 #endif
892         BIO_set_fp(key, stdin, BIO_NOCLOSE);
893     } else if (BIO_read_filename(key, file) <= 0) {
894         BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
895         ERR_print_errors(err);
896         goto end;
897     }
898     if (format == FORMAT_ASN1) {
899         pkey = d2i_PrivateKey_bio(key, NULL);
900     } else if (format == FORMAT_PEM) {
901         pkey = PEM_read_bio_PrivateKey(key, NULL,
902                                        (pem_password_cb *)password_callback,
903                                        &cb_data);
904     }
905 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
906     else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
907         pkey = load_netscape_key(err, key, file, key_descrip, format);
908 #endif
909     else if (format == FORMAT_PKCS12) {
910         if (!load_pkcs12(err, key, key_descrip,
911                          (pem_password_cb *)password_callback, &cb_data,
912                          &pkey, NULL, NULL))
913             goto end;
914     }
915 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
916     else if (format == FORMAT_MSBLOB)
917         pkey = b2i_PrivateKey_bio(key);
918     else if (format == FORMAT_PVK)
919         pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
920                            &cb_data);
921 #endif
922     else {
923         BIO_printf(err, "bad input format specified for key file\n");
924         goto end;
925     }
926  end:
927     if (key != NULL)
928         BIO_free(key);
929     if (pkey == NULL) {
930         BIO_printf(err, "unable to load %s\n", key_descrip);
931         ERR_print_errors(err);
932     }
933     return (pkey);
934 }
935 
load_pubkey(BIO * err,const char * file,int format,int maybe_stdin,const char * pass,ENGINE * e,const char * key_descrip)936 EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
937                       const char *pass, ENGINE *e, const char *key_descrip)
938 {
939     BIO *key = NULL;
940     EVP_PKEY *pkey = NULL;
941     PW_CB_DATA cb_data;
942 
943     cb_data.password = pass;
944     cb_data.prompt_info = file;
945 
946     if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
947         BIO_printf(err, "no keyfile specified\n");
948         goto end;
949     }
950 #ifndef OPENSSL_NO_ENGINE
951     if (format == FORMAT_ENGINE) {
952         if (!e)
953             BIO_printf(bio_err, "no engine specified\n");
954         else
955             pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data);
956         goto end;
957     }
958 #endif
959     key = BIO_new(BIO_s_file());
960     if (key == NULL) {
961         ERR_print_errors(err);
962         goto end;
963     }
964     if (file == NULL && maybe_stdin) {
965 #ifdef _IONBF
966 # ifndef OPENSSL_NO_SETVBUF_IONBF
967         setvbuf(stdin, NULL, _IONBF, 0);
968 # endif                         /* ndef OPENSSL_NO_SETVBUF_IONBF */
969 #endif
970         BIO_set_fp(key, stdin, BIO_NOCLOSE);
971     } else if (BIO_read_filename(key, file) <= 0) {
972         BIO_printf(err, "Error opening %s %s\n", key_descrip, file);
973         ERR_print_errors(err);
974         goto end;
975     }
976     if (format == FORMAT_ASN1) {
977         pkey = d2i_PUBKEY_bio(key, NULL);
978     }
979 #ifndef OPENSSL_NO_RSA
980     else if (format == FORMAT_ASN1RSA) {
981         RSA *rsa;
982         rsa = d2i_RSAPublicKey_bio(key, NULL);
983         if (rsa) {
984             pkey = EVP_PKEY_new();
985             if (pkey)
986                 EVP_PKEY_set1_RSA(pkey, rsa);
987             RSA_free(rsa);
988         } else
989             pkey = NULL;
990     } else if (format == FORMAT_PEMRSA) {
991         RSA *rsa;
992         rsa = PEM_read_bio_RSAPublicKey(key, NULL,
993                                         (pem_password_cb *)password_callback,
994                                         &cb_data);
995         if (rsa) {
996             pkey = EVP_PKEY_new();
997             if (pkey)
998                 EVP_PKEY_set1_RSA(pkey, rsa);
999             RSA_free(rsa);
1000         } else
1001             pkey = NULL;
1002     }
1003 #endif
1004     else if (format == FORMAT_PEM) {
1005         pkey = PEM_read_bio_PUBKEY(key, NULL,
1006                                    (pem_password_cb *)password_callback,
1007                                    &cb_data);
1008     }
1009 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
1010     else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
1011         pkey = load_netscape_key(err, key, file, key_descrip, format);
1012 #endif
1013 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
1014     else if (format == FORMAT_MSBLOB)
1015         pkey = b2i_PublicKey_bio(key);
1016 #endif
1017     else {
1018         BIO_printf(err, "bad input format specified for key file\n");
1019         goto end;
1020     }
1021  end:
1022     if (key != NULL)
1023         BIO_free(key);
1024     if (pkey == NULL)
1025         BIO_printf(err, "unable to load %s\n", key_descrip);
1026     return (pkey);
1027 }
1028 
1029 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
load_netscape_key(BIO * err,BIO * key,const char * file,const char * key_descrip,int format)1030 static EVP_PKEY *load_netscape_key(BIO *err, BIO *key, const char *file,
1031                                    const char *key_descrip, int format)
1032 {
1033     EVP_PKEY *pkey;
1034     BUF_MEM *buf;
1035     RSA *rsa;
1036     const unsigned char *p;
1037     int size, i;
1038 
1039     buf = BUF_MEM_new();
1040     pkey = EVP_PKEY_new();
1041     size = 0;
1042     if (buf == NULL || pkey == NULL)
1043         goto error;
1044     for (;;) {
1045         if (!BUF_MEM_grow_clean(buf, size + 1024 * 10))
1046             goto error;
1047         i = BIO_read(key, &(buf->data[size]), 1024 * 10);
1048         size += i;
1049         if (i == 0)
1050             break;
1051         if (i < 0) {
1052             BIO_printf(err, "Error reading %s %s", key_descrip, file);
1053             goto error;
1054         }
1055     }
1056     p = (unsigned char *)buf->data;
1057     rsa = d2i_RSA_NET(NULL, &p, (long)size, NULL,
1058                       (format == FORMAT_IISSGC ? 1 : 0));
1059     if (rsa == NULL)
1060         goto error;
1061     BUF_MEM_free(buf);
1062     EVP_PKEY_set1_RSA(pkey, rsa);
1063     return pkey;
1064  error:
1065     BUF_MEM_free(buf);
1066     EVP_PKEY_free(pkey);
1067     return NULL;
1068 }
1069 #endif                          /* ndef OPENSSL_NO_RC4 */
1070 
load_certs_crls(BIO * err,const char * file,int format,const char * pass,ENGINE * e,const char * desc,STACK_OF (X509)** pcerts,STACK_OF (X509_CRL)** pcrls)1071 static int load_certs_crls(BIO *err, const char *file, int format,
1072                            const char *pass, ENGINE *e, const char *desc,
1073                            STACK_OF(X509) **pcerts,
1074                            STACK_OF(X509_CRL) **pcrls)
1075 {
1076     int i;
1077     BIO *bio;
1078     STACK_OF(X509_INFO) *xis = NULL;
1079     X509_INFO *xi;
1080     PW_CB_DATA cb_data;
1081     int rv = 0;
1082 
1083     cb_data.password = pass;
1084     cb_data.prompt_info = file;
1085 
1086     if (format != FORMAT_PEM) {
1087         BIO_printf(err, "bad input format specified for %s\n", desc);
1088         return 0;
1089     }
1090 
1091     if (file == NULL)
1092         bio = BIO_new_fp(stdin, BIO_NOCLOSE);
1093     else
1094         bio = BIO_new_file(file, "r");
1095 
1096     if (bio == NULL) {
1097         BIO_printf(err, "Error opening %s %s\n", desc, file ? file : "stdin");
1098         ERR_print_errors(err);
1099         return 0;
1100     }
1101 
1102     xis = PEM_X509_INFO_read_bio(bio, NULL,
1103                                  (pem_password_cb *)password_callback,
1104                                  &cb_data);
1105 
1106     BIO_free(bio);
1107 
1108     if (pcerts) {
1109         *pcerts = sk_X509_new_null();
1110         if (!*pcerts)
1111             goto end;
1112     }
1113 
1114     if (pcrls) {
1115         *pcrls = sk_X509_CRL_new_null();
1116         if (!*pcrls)
1117             goto end;
1118     }
1119 
1120     for (i = 0; i < sk_X509_INFO_num(xis); i++) {
1121         xi = sk_X509_INFO_value(xis, i);
1122         if (xi->x509 && pcerts) {
1123             if (!sk_X509_push(*pcerts, xi->x509))
1124                 goto end;
1125             xi->x509 = NULL;
1126         }
1127         if (xi->crl && pcrls) {
1128             if (!sk_X509_CRL_push(*pcrls, xi->crl))
1129                 goto end;
1130             xi->crl = NULL;
1131         }
1132     }
1133 
1134     if (pcerts && sk_X509_num(*pcerts) > 0)
1135         rv = 1;
1136 
1137     if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
1138         rv = 1;
1139 
1140  end:
1141 
1142     if (xis)
1143         sk_X509_INFO_pop_free(xis, X509_INFO_free);
1144 
1145     if (rv == 0) {
1146         if (pcerts) {
1147             sk_X509_pop_free(*pcerts, X509_free);
1148             *pcerts = NULL;
1149         }
1150         if (pcrls) {
1151             sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
1152             *pcrls = NULL;
1153         }
1154         BIO_printf(err, "unable to load %s\n",
1155                    pcerts ? "certificates" : "CRLs");
1156         ERR_print_errors(err);
1157     }
1158     return rv;
1159 }
1160 
STACK_OF(X509)1161 STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
1162                            const char *pass, ENGINE *e, const char *desc)
1163 {
1164     STACK_OF(X509) *certs;
1165     if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
1166         return NULL;
1167     return certs;
1168 }
1169 
STACK_OF(X509_CRL)1170 STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
1171                               const char *pass, ENGINE *e, const char *desc)
1172 {
1173     STACK_OF(X509_CRL) *crls;
1174     if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
1175         return NULL;
1176     return crls;
1177 }
1178 
1179 #define X509V3_EXT_UNKNOWN_MASK         (0xfL << 16)
1180 /* Return error for unknown extensions */
1181 #define X509V3_EXT_DEFAULT              0
1182 /* Print error for unknown extensions */
1183 #define X509V3_EXT_ERROR_UNKNOWN        (1L << 16)
1184 /* ASN1 parse unknown extensions */
1185 #define X509V3_EXT_PARSE_UNKNOWN        (2L << 16)
1186 /* BIO_dump unknown extensions */
1187 #define X509V3_EXT_DUMP_UNKNOWN         (3L << 16)
1188 
1189 #define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
1190                          X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
1191 
set_cert_ex(unsigned long * flags,const char * arg)1192 int set_cert_ex(unsigned long *flags, const char *arg)
1193 {
1194     static const NAME_EX_TBL cert_tbl[] = {
1195         {"compatible", X509_FLAG_COMPAT, 0xffffffffl},
1196         {"ca_default", X509_FLAG_CA, 0xffffffffl},
1197         {"no_header", X509_FLAG_NO_HEADER, 0},
1198         {"no_version", X509_FLAG_NO_VERSION, 0},
1199         {"no_serial", X509_FLAG_NO_SERIAL, 0},
1200         {"no_signame", X509_FLAG_NO_SIGNAME, 0},
1201         {"no_validity", X509_FLAG_NO_VALIDITY, 0},
1202         {"no_subject", X509_FLAG_NO_SUBJECT, 0},
1203         {"no_issuer", X509_FLAG_NO_ISSUER, 0},
1204         {"no_pubkey", X509_FLAG_NO_PUBKEY, 0},
1205         {"no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
1206         {"no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
1207         {"no_aux", X509_FLAG_NO_AUX, 0},
1208         {"no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
1209         {"ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
1210         {"ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
1211         {"ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
1212         {"ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
1213         {NULL, 0, 0}
1214     };
1215     return set_multi_opts(flags, arg, cert_tbl);
1216 }
1217 
set_name_ex(unsigned long * flags,const char * arg)1218 int set_name_ex(unsigned long *flags, const char *arg)
1219 {
1220     static const NAME_EX_TBL ex_tbl[] = {
1221         {"esc_2253", ASN1_STRFLGS_ESC_2253, 0},
1222         {"esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
1223         {"esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
1224         {"use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
1225         {"utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
1226         {"ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
1227         {"show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
1228         {"dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
1229         {"dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
1230         {"dump_der", ASN1_STRFLGS_DUMP_DER, 0},
1231         {"compat", XN_FLAG_COMPAT, 0xffffffffL},
1232         {"sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
1233         {"sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
1234         {"sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
1235         {"sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
1236         {"dn_rev", XN_FLAG_DN_REV, 0},
1237         {"nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
1238         {"sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
1239         {"lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
1240         {"align", XN_FLAG_FN_ALIGN, 0},
1241         {"oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
1242         {"space_eq", XN_FLAG_SPC_EQ, 0},
1243         {"dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
1244         {"RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
1245         {"oneline", XN_FLAG_ONELINE, 0xffffffffL},
1246         {"multiline", XN_FLAG_MULTILINE, 0xffffffffL},
1247         {"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
1248         {NULL, 0, 0}
1249     };
1250     return set_multi_opts(flags, arg, ex_tbl);
1251 }
1252 
set_ext_copy(int * copy_type,const char * arg)1253 int set_ext_copy(int *copy_type, const char *arg)
1254 {
1255     if (!strcasecmp(arg, "none"))
1256         *copy_type = EXT_COPY_NONE;
1257     else if (!strcasecmp(arg, "copy"))
1258         *copy_type = EXT_COPY_ADD;
1259     else if (!strcasecmp(arg, "copyall"))
1260         *copy_type = EXT_COPY_ALL;
1261     else
1262         return 0;
1263     return 1;
1264 }
1265 
copy_extensions(X509 * x,X509_REQ * req,int copy_type)1266 int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
1267 {
1268     STACK_OF(X509_EXTENSION) *exts = NULL;
1269     X509_EXTENSION *ext, *tmpext;
1270     ASN1_OBJECT *obj;
1271     int i, idx, ret = 0;
1272     if (!x || !req || (copy_type == EXT_COPY_NONE))
1273         return 1;
1274     exts = X509_REQ_get_extensions(req);
1275 
1276     for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
1277         ext = sk_X509_EXTENSION_value(exts, i);
1278         obj = X509_EXTENSION_get_object(ext);
1279         idx = X509_get_ext_by_OBJ(x, obj, -1);
1280         /* Does extension exist? */
1281         if (idx != -1) {
1282             /* If normal copy don't override existing extension */
1283             if (copy_type == EXT_COPY_ADD)
1284                 continue;
1285             /* Delete all extensions of same type */
1286             do {
1287                 tmpext = X509_get_ext(x, idx);
1288                 X509_delete_ext(x, idx);
1289                 X509_EXTENSION_free(tmpext);
1290                 idx = X509_get_ext_by_OBJ(x, obj, -1);
1291             } while (idx != -1);
1292         }
1293         if (!X509_add_ext(x, ext, -1))
1294             goto end;
1295     }
1296 
1297     ret = 1;
1298 
1299  end:
1300 
1301     sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
1302 
1303     return ret;
1304 }
1305 
set_multi_opts(unsigned long * flags,const char * arg,const NAME_EX_TBL * in_tbl)1306 static int set_multi_opts(unsigned long *flags, const char *arg,
1307                           const NAME_EX_TBL * in_tbl)
1308 {
1309     STACK_OF(CONF_VALUE) *vals;
1310     CONF_VALUE *val;
1311     int i, ret = 1;
1312     if (!arg)
1313         return 0;
1314     vals = X509V3_parse_list(arg);
1315     for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
1316         val = sk_CONF_VALUE_value(vals, i);
1317         if (!set_table_opts(flags, val->name, in_tbl))
1318             ret = 0;
1319     }
1320     sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
1321     return ret;
1322 }
1323 
set_table_opts(unsigned long * flags,const char * arg,const NAME_EX_TBL * in_tbl)1324 static int set_table_opts(unsigned long *flags, const char *arg,
1325                           const NAME_EX_TBL * in_tbl)
1326 {
1327     char c;
1328     const NAME_EX_TBL *ptbl;
1329     c = arg[0];
1330 
1331     if (c == '-') {
1332         c = 0;
1333         arg++;
1334     } else if (c == '+') {
1335         c = 1;
1336         arg++;
1337     } else
1338         c = 1;
1339 
1340     for (ptbl = in_tbl; ptbl->name; ptbl++) {
1341         if (!strcasecmp(arg, ptbl->name)) {
1342             *flags &= ~ptbl->mask;
1343             if (c)
1344                 *flags |= ptbl->flag;
1345             else
1346                 *flags &= ~ptbl->flag;
1347             return 1;
1348         }
1349     }
1350     return 0;
1351 }
1352 
print_name(BIO * out,const char * title,X509_NAME * nm,unsigned long lflags)1353 void print_name(BIO *out, const char *title, X509_NAME *nm,
1354                 unsigned long lflags)
1355 {
1356     char *buf;
1357     char mline = 0;
1358     int indent = 0;
1359 
1360     if (title)
1361         BIO_puts(out, title);
1362     if ((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
1363         mline = 1;
1364         indent = 4;
1365     }
1366     if (lflags == XN_FLAG_COMPAT) {
1367         buf = X509_NAME_oneline(nm, 0, 0);
1368         BIO_puts(out, buf);
1369         BIO_puts(out, "\n");
1370         OPENSSL_free(buf);
1371     } else {
1372         if (mline)
1373             BIO_puts(out, "\n");
1374         X509_NAME_print_ex(out, nm, indent, lflags);
1375         BIO_puts(out, "\n");
1376     }
1377 }
1378 
setup_verify(BIO * bp,char * CAfile,char * CApath)1379 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
1380 {
1381     X509_STORE *store;
1382     X509_LOOKUP *lookup;
1383     if (!(store = X509_STORE_new()))
1384         goto end;
1385     lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
1386     if (lookup == NULL)
1387         goto end;
1388     if (CAfile) {
1389         if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM)) {
1390             BIO_printf(bp, "Error loading file %s\n", CAfile);
1391             goto end;
1392         }
1393     } else
1394         X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
1395 
1396     lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
1397     if (lookup == NULL)
1398         goto end;
1399     if (CApath) {
1400         if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
1401             BIO_printf(bp, "Error loading directory %s\n", CApath);
1402             goto end;
1403         }
1404     } else
1405         X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
1406 
1407     ERR_clear_error();
1408     return store;
1409  end:
1410     X509_STORE_free(store);
1411     return NULL;
1412 }
1413 
1414 #ifndef OPENSSL_NO_ENGINE
1415 /* Try to load an engine in a shareable library */
try_load_engine(BIO * err,const char * engine,int debug)1416 static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
1417 {
1418     ENGINE *e = ENGINE_by_id("dynamic");
1419     if (e) {
1420         if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
1421             || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) {
1422             ENGINE_free(e);
1423             e = NULL;
1424         }
1425     }
1426     return e;
1427 }
1428 
setup_engine(BIO * err,const char * engine,int debug)1429 ENGINE *setup_engine(BIO *err, const char *engine, int debug)
1430 {
1431     ENGINE *e = NULL;
1432 
1433     if (engine) {
1434         if (strcmp(engine, "auto") == 0) {
1435             BIO_printf(err, "enabling auto ENGINE support\n");
1436             ENGINE_register_all_complete();
1437             return NULL;
1438         }
1439         if ((e = ENGINE_by_id(engine)) == NULL
1440             && (e = try_load_engine(err, engine, debug)) == NULL) {
1441             BIO_printf(err, "invalid engine \"%s\"\n", engine);
1442             ERR_print_errors(err);
1443             return NULL;
1444         }
1445         if (debug) {
1446             ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, err, 0);
1447         }
1448         ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
1449         if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
1450             BIO_printf(err, "can't use that engine\n");
1451             ERR_print_errors(err);
1452             ENGINE_free(e);
1453             return NULL;
1454         }
1455 
1456         BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
1457 
1458         /* Free our "structural" reference. */
1459         ENGINE_free(e);
1460     }
1461     return e;
1462 }
1463 #endif
1464 
load_config(BIO * err,CONF * cnf)1465 int load_config(BIO *err, CONF *cnf)
1466 {
1467     static int load_config_called = 0;
1468     if (load_config_called)
1469         return 1;
1470     load_config_called = 1;
1471     if (!cnf)
1472         cnf = config;
1473     if (!cnf)
1474         return 1;
1475 
1476     OPENSSL_load_builtin_modules();
1477 
1478     if (CONF_modules_load(cnf, NULL, 0) <= 0) {
1479         BIO_printf(err, "Error configuring OpenSSL\n");
1480         ERR_print_errors(err);
1481         return 0;
1482     }
1483     return 1;
1484 }
1485 
make_config_name()1486 char *make_config_name()
1487 {
1488     const char *t = X509_get_default_cert_area();
1489     size_t len;
1490     char *p;
1491 
1492     len = strlen(t) + strlen(OPENSSL_CONF) + 2;
1493     p = OPENSSL_malloc(len);
1494     if (p == NULL)
1495         return NULL;
1496     BUF_strlcpy(p, t, len);
1497 #ifndef OPENSSL_SYS_VMS
1498     BUF_strlcat(p, "/", len);
1499 #endif
1500     BUF_strlcat(p, OPENSSL_CONF, len);
1501 
1502     return p;
1503 }
1504 
index_serial_hash(const OPENSSL_CSTRING * a)1505 static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
1506 {
1507     const char *n;
1508 
1509     n = a[DB_serial];
1510     while (*n == '0')
1511         n++;
1512     return (lh_strhash(n));
1513 }
1514 
index_serial_cmp(const OPENSSL_CSTRING * a,const OPENSSL_CSTRING * b)1515 static int index_serial_cmp(const OPENSSL_CSTRING *a,
1516                             const OPENSSL_CSTRING *b)
1517 {
1518     const char *aa, *bb;
1519 
1520     for (aa = a[DB_serial]; *aa == '0'; aa++) ;
1521     for (bb = b[DB_serial]; *bb == '0'; bb++) ;
1522     return (strcmp(aa, bb));
1523 }
1524 
index_name_qual(char ** a)1525 static int index_name_qual(char **a)
1526 {
1527     return (a[0][0] == 'V');
1528 }
1529 
index_name_hash(const OPENSSL_CSTRING * a)1530 static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
1531 {
1532     return (lh_strhash(a[DB_name]));
1533 }
1534 
index_name_cmp(const OPENSSL_CSTRING * a,const OPENSSL_CSTRING * b)1535 int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
1536 {
1537     return (strcmp(a[DB_name], b[DB_name]));
1538 }
1539 
IMPLEMENT_LHASH_HASH_FN(index_serial,OPENSSL_CSTRING)1540 static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
1541 static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
1542 static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
1543 static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
1544 #undef BSIZE
1545 #define BSIZE 256
1546 BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
1547 {
1548     BIO *in = NULL;
1549     BIGNUM *ret = NULL;
1550     MS_STATIC char buf[1024];
1551     ASN1_INTEGER *ai = NULL;
1552 
1553     ai = ASN1_INTEGER_new();
1554     if (ai == NULL)
1555         goto err;
1556 
1557     if ((in = BIO_new(BIO_s_file())) == NULL) {
1558         ERR_print_errors(bio_err);
1559         goto err;
1560     }
1561 
1562     if (BIO_read_filename(in, serialfile) <= 0) {
1563         if (!create) {
1564             perror(serialfile);
1565             goto err;
1566         } else {
1567             ret = BN_new();
1568             if (ret == NULL || !rand_serial(ret, ai))
1569                 BIO_printf(bio_err, "Out of memory\n");
1570         }
1571     } else {
1572         if (!a2i_ASN1_INTEGER(in, ai, buf, 1024)) {
1573             BIO_printf(bio_err, "unable to load number from %s\n",
1574                        serialfile);
1575             goto err;
1576         }
1577         ret = ASN1_INTEGER_to_BN(ai, NULL);
1578         if (ret == NULL) {
1579             BIO_printf(bio_err,
1580                        "error converting number from bin to BIGNUM\n");
1581             goto err;
1582         }
1583     }
1584 
1585     if (ret && retai) {
1586         *retai = ai;
1587         ai = NULL;
1588     }
1589  err:
1590     if (in != NULL)
1591         BIO_free(in);
1592     if (ai != NULL)
1593         ASN1_INTEGER_free(ai);
1594     return (ret);
1595 }
1596 
save_serial(char * serialfile,char * suffix,BIGNUM * serial,ASN1_INTEGER ** retai)1597 int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
1598                 ASN1_INTEGER **retai)
1599 {
1600     char buf[1][BSIZE];
1601     BIO *out = NULL;
1602     int ret = 0;
1603     ASN1_INTEGER *ai = NULL;
1604     int j;
1605 
1606     if (suffix == NULL)
1607         j = strlen(serialfile);
1608     else
1609         j = strlen(serialfile) + strlen(suffix) + 1;
1610     if (j >= BSIZE) {
1611         BIO_printf(bio_err, "file name too long\n");
1612         goto err;
1613     }
1614 
1615     if (suffix == NULL)
1616         BUF_strlcpy(buf[0], serialfile, BSIZE);
1617     else {
1618 #ifndef OPENSSL_SYS_VMS
1619         j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
1620 #else
1621         j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
1622 #endif
1623     }
1624 #ifdef RL_DEBUG
1625     BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
1626 #endif
1627     out = BIO_new(BIO_s_file());
1628     if (out == NULL) {
1629         ERR_print_errors(bio_err);
1630         goto err;
1631     }
1632     if (BIO_write_filename(out, buf[0]) <= 0) {
1633         perror(serialfile);
1634         goto err;
1635     }
1636 
1637     if ((ai = BN_to_ASN1_INTEGER(serial, NULL)) == NULL) {
1638         BIO_printf(bio_err, "error converting serial to ASN.1 format\n");
1639         goto err;
1640     }
1641     i2a_ASN1_INTEGER(out, ai);
1642     BIO_puts(out, "\n");
1643     ret = 1;
1644     if (retai) {
1645         *retai = ai;
1646         ai = NULL;
1647     }
1648  err:
1649     if (out != NULL)
1650         BIO_free_all(out);
1651     if (ai != NULL)
1652         ASN1_INTEGER_free(ai);
1653     return (ret);
1654 }
1655 
rotate_serial(char * serialfile,char * new_suffix,char * old_suffix)1656 int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
1657 {
1658     char buf[5][BSIZE];
1659     int i, j;
1660 
1661     i = strlen(serialfile) + strlen(old_suffix);
1662     j = strlen(serialfile) + strlen(new_suffix);
1663     if (i > j)
1664         j = i;
1665     if (j + 1 >= BSIZE) {
1666         BIO_printf(bio_err, "file name too long\n");
1667         goto err;
1668     }
1669 #ifndef OPENSSL_SYS_VMS
1670     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
1671 #else
1672     j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
1673 #endif
1674 #ifndef OPENSSL_SYS_VMS
1675     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
1676 #else
1677     j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
1678 #endif
1679 #ifdef RL_DEBUG
1680     BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
1681                serialfile, buf[1]);
1682 #endif
1683     if (rename(serialfile, buf[1]) < 0 && errno != ENOENT
1684 #ifdef ENOTDIR
1685         && errno != ENOTDIR
1686 #endif
1687         ) {
1688         BIO_printf(bio_err,
1689                    "unable to rename %s to %s\n", serialfile, buf[1]);
1690         perror("reason");
1691         goto err;
1692     }
1693 #ifdef RL_DEBUG
1694     BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
1695                buf[0], serialfile);
1696 #endif
1697     if (rename(buf[0], serialfile) < 0) {
1698         BIO_printf(bio_err,
1699                    "unable to rename %s to %s\n", buf[0], serialfile);
1700         perror("reason");
1701         rename(buf[1], serialfile);
1702         goto err;
1703     }
1704     return 1;
1705  err:
1706     return 0;
1707 }
1708 
rand_serial(BIGNUM * b,ASN1_INTEGER * ai)1709 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
1710 {
1711     BIGNUM *btmp;
1712     int ret = 0;
1713     if (b)
1714         btmp = b;
1715     else
1716         btmp = BN_new();
1717 
1718     if (!btmp)
1719         return 0;
1720 
1721     if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
1722         goto error;
1723     if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
1724         goto error;
1725 
1726     ret = 1;
1727 
1728  error:
1729 
1730     if (!b)
1731         BN_free(btmp);
1732 
1733     return ret;
1734 }
1735 
load_index(char * dbfile,DB_ATTR * db_attr)1736 CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
1737 {
1738     CA_DB *retdb = NULL;
1739     TXT_DB *tmpdb = NULL;
1740     BIO *in = BIO_new(BIO_s_file());
1741     CONF *dbattr_conf = NULL;
1742     char buf[1][BSIZE];
1743     long errorline = -1;
1744 
1745     if (in == NULL) {
1746         ERR_print_errors(bio_err);
1747         goto err;
1748     }
1749     if (BIO_read_filename(in, dbfile) <= 0) {
1750         perror(dbfile);
1751         BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
1752         goto err;
1753     }
1754     if ((tmpdb = TXT_DB_read(in, DB_NUMBER)) == NULL)
1755         goto err;
1756 
1757 #ifndef OPENSSL_SYS_VMS
1758     BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
1759 #else
1760     BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile);
1761 #endif
1762     dbattr_conf = NCONF_new(NULL);
1763     if (NCONF_load(dbattr_conf, buf[0], &errorline) <= 0) {
1764         if (errorline > 0) {
1765             BIO_printf(bio_err,
1766                        "error on line %ld of db attribute file '%s'\n",
1767                        errorline, buf[0]);
1768             goto err;
1769         } else {
1770             NCONF_free(dbattr_conf);
1771             dbattr_conf = NULL;
1772         }
1773     }
1774 
1775     if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL) {
1776         fprintf(stderr, "Out of memory\n");
1777         goto err;
1778     }
1779 
1780     retdb->db = tmpdb;
1781     tmpdb = NULL;
1782     if (db_attr)
1783         retdb->attributes = *db_attr;
1784     else {
1785         retdb->attributes.unique_subject = 1;
1786     }
1787 
1788     if (dbattr_conf) {
1789         char *p = NCONF_get_string(dbattr_conf, NULL, "unique_subject");
1790         if (p) {
1791 #ifdef RL_DEBUG
1792             BIO_printf(bio_err,
1793                        "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
1794 #endif
1795             retdb->attributes.unique_subject = parse_yesno(p, 1);
1796         }
1797     }
1798 
1799  err:
1800     if (dbattr_conf)
1801         NCONF_free(dbattr_conf);
1802     if (tmpdb)
1803         TXT_DB_free(tmpdb);
1804     if (in)
1805         BIO_free_all(in);
1806     return retdb;
1807 }
1808 
index_index(CA_DB * db)1809 int index_index(CA_DB *db)
1810 {
1811     if (!TXT_DB_create_index(db->db, DB_serial, NULL,
1812                              LHASH_HASH_FN(index_serial),
1813                              LHASH_COMP_FN(index_serial))) {
1814         BIO_printf(bio_err,
1815                    "error creating serial number index:(%ld,%ld,%ld)\n",
1816                    db->db->error, db->db->arg1, db->db->arg2);
1817         return 0;
1818     }
1819 
1820     if (db->attributes.unique_subject
1821         && !TXT_DB_create_index(db->db, DB_name, index_name_qual,
1822                                 LHASH_HASH_FN(index_name),
1823                                 LHASH_COMP_FN(index_name))) {
1824         BIO_printf(bio_err, "error creating name index:(%ld,%ld,%ld)\n",
1825                    db->db->error, db->db->arg1, db->db->arg2);
1826         return 0;
1827     }
1828     return 1;
1829 }
1830 
save_index(const char * dbfile,const char * suffix,CA_DB * db)1831 int save_index(const char *dbfile, const char *suffix, CA_DB *db)
1832 {
1833     char buf[3][BSIZE];
1834     BIO *out = BIO_new(BIO_s_file());
1835     int j;
1836 
1837     if (out == NULL) {
1838         ERR_print_errors(bio_err);
1839         goto err;
1840     }
1841 
1842     j = strlen(dbfile) + strlen(suffix);
1843     if (j + 6 >= BSIZE) {
1844         BIO_printf(bio_err, "file name too long\n");
1845         goto err;
1846     }
1847 #ifndef OPENSSL_SYS_VMS
1848     j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
1849 #else
1850     j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
1851 #endif
1852 #ifndef OPENSSL_SYS_VMS
1853     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
1854 #else
1855     j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
1856 #endif
1857 #ifndef OPENSSL_SYS_VMS
1858     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
1859 #else
1860     j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
1861 #endif
1862 #ifdef RL_DEBUG
1863     BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
1864 #endif
1865     if (BIO_write_filename(out, buf[0]) <= 0) {
1866         perror(dbfile);
1867         BIO_printf(bio_err, "unable to open '%s'\n", dbfile);
1868         goto err;
1869     }
1870     j = TXT_DB_write(out, db->db);
1871     if (j <= 0)
1872         goto err;
1873 
1874     BIO_free(out);
1875 
1876     out = BIO_new(BIO_s_file());
1877 #ifdef RL_DEBUG
1878     BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
1879 #endif
1880     if (BIO_write_filename(out, buf[1]) <= 0) {
1881         perror(buf[2]);
1882         BIO_printf(bio_err, "unable to open '%s'\n", buf[2]);
1883         goto err;
1884     }
1885     BIO_printf(out, "unique_subject = %s\n",
1886                db->attributes.unique_subject ? "yes" : "no");
1887     BIO_free(out);
1888 
1889     return 1;
1890  err:
1891     return 0;
1892 }
1893 
rotate_index(const char * dbfile,const char * new_suffix,const char * old_suffix)1894 int rotate_index(const char *dbfile, const char *new_suffix,
1895                  const char *old_suffix)
1896 {
1897     char buf[5][BSIZE];
1898     int i, j;
1899 
1900     i = strlen(dbfile) + strlen(old_suffix);
1901     j = strlen(dbfile) + strlen(new_suffix);
1902     if (i > j)
1903         j = i;
1904     if (j + 6 >= BSIZE) {
1905         BIO_printf(bio_err, "file name too long\n");
1906         goto err;
1907     }
1908 #ifndef OPENSSL_SYS_VMS
1909     j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
1910 #else
1911     j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
1912 #endif
1913 #ifndef OPENSSL_SYS_VMS
1914     j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
1915 #else
1916     j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
1917 #endif
1918 #ifndef OPENSSL_SYS_VMS
1919     j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
1920 #else
1921     j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
1922 #endif
1923 #ifndef OPENSSL_SYS_VMS
1924     j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
1925 #else
1926     j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
1927 #endif
1928 #ifndef OPENSSL_SYS_VMS
1929     j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
1930 #else
1931     j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
1932 #endif
1933 #ifdef RL_DEBUG
1934     BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", dbfile, buf[1]);
1935 #endif
1936     if (rename(dbfile, buf[1]) < 0 && errno != ENOENT
1937 #ifdef ENOTDIR
1938         && errno != ENOTDIR
1939 #endif
1940         ) {
1941         BIO_printf(bio_err, "unable to rename %s to %s\n", dbfile, buf[1]);
1942         perror("reason");
1943         goto err;
1944     }
1945 #ifdef RL_DEBUG
1946     BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[0], dbfile);
1947 #endif
1948     if (rename(buf[0], dbfile) < 0) {
1949         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[0], dbfile);
1950         perror("reason");
1951         rename(buf[1], dbfile);
1952         goto err;
1953     }
1954 #ifdef RL_DEBUG
1955     BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[4], buf[3]);
1956 #endif
1957     if (rename(buf[4], buf[3]) < 0 && errno != ENOENT
1958 #ifdef ENOTDIR
1959         && errno != ENOTDIR
1960 #endif
1961         ) {
1962         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[4], buf[3]);
1963         perror("reason");
1964         rename(dbfile, buf[0]);
1965         rename(buf[1], dbfile);
1966         goto err;
1967     }
1968 #ifdef RL_DEBUG
1969     BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", buf[2], buf[4]);
1970 #endif
1971     if (rename(buf[2], buf[4]) < 0) {
1972         BIO_printf(bio_err, "unable to rename %s to %s\n", buf[2], buf[4]);
1973         perror("reason");
1974         rename(buf[3], buf[4]);
1975         rename(dbfile, buf[0]);
1976         rename(buf[1], dbfile);
1977         goto err;
1978     }
1979     return 1;
1980  err:
1981     return 0;
1982 }
1983 
free_index(CA_DB * db)1984 void free_index(CA_DB *db)
1985 {
1986     if (db) {
1987         if (db->db)
1988             TXT_DB_free(db->db);
1989         OPENSSL_free(db);
1990     }
1991 }
1992 
parse_yesno(const char * str,int def)1993 int parse_yesno(const char *str, int def)
1994 {
1995     int ret = def;
1996     if (str) {
1997         switch (*str) {
1998         case 'f':              /* false */
1999         case 'F':              /* FALSE */
2000         case 'n':              /* no */
2001         case 'N':              /* NO */
2002         case '0':              /* 0 */
2003             ret = 0;
2004             break;
2005         case 't':              /* true */
2006         case 'T':              /* TRUE */
2007         case 'y':              /* yes */
2008         case 'Y':              /* YES */
2009         case '1':              /* 1 */
2010             ret = 1;
2011             break;
2012         default:
2013             ret = def;
2014             break;
2015         }
2016     }
2017     return ret;
2018 }
2019 
2020 /*
2021  * subject is expected to be in the format /type0=value0/type1=value1/type2=...
2022  * where characters may be escaped by \
2023  */
parse_name(char * subject,long chtype,int multirdn)2024 X509_NAME *parse_name(char *subject, long chtype, int multirdn)
2025 {
2026     size_t buflen = strlen(subject) + 1; /* to copy the types and values
2027                                           * into. due to escaping, the copy
2028                                           * can only become shorter */
2029     char *buf = OPENSSL_malloc(buflen);
2030     size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
2031     char **ne_types = OPENSSL_malloc(max_ne * sizeof(char *));
2032     char **ne_values = OPENSSL_malloc(max_ne * sizeof(char *));
2033     int *mval = OPENSSL_malloc(max_ne * sizeof(int));
2034 
2035     char *sp = subject, *bp = buf;
2036     int i, ne_num = 0;
2037 
2038     X509_NAME *n = NULL;
2039     int nid;
2040 
2041     if (!buf || !ne_types || !ne_values || !mval) {
2042         BIO_printf(bio_err, "malloc error\n");
2043         goto error;
2044     }
2045 
2046     if (*subject != '/') {
2047         BIO_printf(bio_err, "Subject does not start with '/'.\n");
2048         goto error;
2049     }
2050     sp++;                       /* skip leading / */
2051 
2052     /* no multivalued RDN by default */
2053     mval[ne_num] = 0;
2054 
2055     while (*sp) {
2056         /* collect type */
2057         ne_types[ne_num] = bp;
2058         while (*sp) {
2059             if (*sp == '\\') {  /* is there anything to escape in the
2060                                  * type...? */
2061                 if (*++sp)
2062                     *bp++ = *sp++;
2063                 else {
2064                     BIO_printf(bio_err,
2065                                "escape character at end of string\n");
2066                     goto error;
2067                 }
2068             } else if (*sp == '=') {
2069                 sp++;
2070                 *bp++ = '\0';
2071                 break;
2072             } else
2073                 *bp++ = *sp++;
2074         }
2075         if (!*sp) {
2076             BIO_printf(bio_err,
2077                        "end of string encountered while processing type of subject name element #%d\n",
2078                        ne_num);
2079             goto error;
2080         }
2081         ne_values[ne_num] = bp;
2082         while (*sp) {
2083             if (*sp == '\\') {
2084                 if (*++sp)
2085                     *bp++ = *sp++;
2086                 else {
2087                     BIO_printf(bio_err,
2088                                "escape character at end of string\n");
2089                     goto error;
2090                 }
2091             } else if (*sp == '/') {
2092                 sp++;
2093                 /* no multivalued RDN by default */
2094                 mval[ne_num + 1] = 0;
2095                 break;
2096             } else if (*sp == '+' && multirdn) {
2097                 /*
2098                  * a not escaped + signals a mutlivalued RDN
2099                  */
2100                 sp++;
2101                 mval[ne_num + 1] = -1;
2102                 break;
2103             } else
2104                 *bp++ = *sp++;
2105         }
2106         *bp++ = '\0';
2107         ne_num++;
2108     }
2109 
2110     if (!(n = X509_NAME_new()))
2111         goto error;
2112 
2113     for (i = 0; i < ne_num; i++) {
2114         if ((nid = OBJ_txt2nid(ne_types[i])) == NID_undef) {
2115             BIO_printf(bio_err,
2116                        "Subject Attribute %s has no known NID, skipped\n",
2117                        ne_types[i]);
2118             continue;
2119         }
2120 
2121         if (!*ne_values[i]) {
2122             BIO_printf(bio_err,
2123                        "No value provided for Subject Attribute %s, skipped\n",
2124                        ne_types[i]);
2125             continue;
2126         }
2127 
2128         if (!X509_NAME_add_entry_by_NID
2129             (n, nid, chtype, (unsigned char *)ne_values[i], -1, -1, mval[i]))
2130             goto error;
2131     }
2132 
2133     OPENSSL_free(ne_values);
2134     OPENSSL_free(ne_types);
2135     OPENSSL_free(buf);
2136     OPENSSL_free(mval);
2137     return n;
2138 
2139  error:
2140     X509_NAME_free(n);
2141     if (ne_values)
2142         OPENSSL_free(ne_values);
2143     if (ne_types)
2144         OPENSSL_free(ne_types);
2145     if (mval)
2146         OPENSSL_free(mval);
2147     if (buf)
2148         OPENSSL_free(buf);
2149     return NULL;
2150 }
2151 
args_verify(char *** pargs,int * pargc,int * badarg,BIO * err,X509_VERIFY_PARAM ** pm)2152 int args_verify(char ***pargs, int *pargc,
2153                 int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
2154 {
2155     ASN1_OBJECT *otmp = NULL;
2156     unsigned long flags = 0;
2157     int i;
2158     int purpose = 0, depth = -1;
2159     char **oldargs = *pargs;
2160     char *arg = **pargs, *argn = (*pargs)[1];
2161     time_t at_time = 0;
2162     if (!strcmp(arg, "-policy")) {
2163         if (!argn)
2164             *badarg = 1;
2165         else {
2166             otmp = OBJ_txt2obj(argn, 0);
2167             if (!otmp) {
2168                 BIO_printf(err, "Invalid Policy \"%s\"\n", argn);
2169                 *badarg = 1;
2170             }
2171         }
2172         (*pargs)++;
2173     } else if (strcmp(arg, "-purpose") == 0) {
2174         X509_PURPOSE *xptmp;
2175         if (!argn)
2176             *badarg = 1;
2177         else {
2178             i = X509_PURPOSE_get_by_sname(argn);
2179             if (i < 0) {
2180                 BIO_printf(err, "unrecognized purpose\n");
2181                 *badarg = 1;
2182             } else {
2183                 xptmp = X509_PURPOSE_get0(i);
2184                 purpose = X509_PURPOSE_get_id(xptmp);
2185             }
2186         }
2187         (*pargs)++;
2188     } else if (strcmp(arg, "-verify_depth") == 0) {
2189         if (!argn)
2190             *badarg = 1;
2191         else {
2192             depth = atoi(argn);
2193             if (depth < 0) {
2194                 BIO_printf(err, "invalid depth\n");
2195                 *badarg = 1;
2196             }
2197         }
2198         (*pargs)++;
2199     } else if (strcmp(arg, "-attime") == 0) {
2200         if (!argn)
2201             *badarg = 1;
2202         else {
2203             long timestamp;
2204             /*
2205              * interpret the -attime argument as seconds since Epoch
2206              */
2207             if (sscanf(argn, "%li", &timestamp) != 1) {
2208                 BIO_printf(bio_err, "Error parsing timestamp %s\n", argn);
2209                 *badarg = 1;
2210             }
2211             /* on some platforms time_t may be a float */
2212             at_time = (time_t)timestamp;
2213         }
2214         (*pargs)++;
2215     } else if (!strcmp(arg, "-ignore_critical"))
2216         flags |= X509_V_FLAG_IGNORE_CRITICAL;
2217     else if (!strcmp(arg, "-issuer_checks"))
2218         flags |= X509_V_FLAG_CB_ISSUER_CHECK;
2219     else if (!strcmp(arg, "-crl_check"))
2220         flags |= X509_V_FLAG_CRL_CHECK;
2221     else if (!strcmp(arg, "-crl_check_all"))
2222         flags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
2223     else if (!strcmp(arg, "-policy_check"))
2224         flags |= X509_V_FLAG_POLICY_CHECK;
2225     else if (!strcmp(arg, "-explicit_policy"))
2226         flags |= X509_V_FLAG_EXPLICIT_POLICY;
2227     else if (!strcmp(arg, "-inhibit_any"))
2228         flags |= X509_V_FLAG_INHIBIT_ANY;
2229     else if (!strcmp(arg, "-inhibit_map"))
2230         flags |= X509_V_FLAG_INHIBIT_MAP;
2231     else if (!strcmp(arg, "-x509_strict"))
2232         flags |= X509_V_FLAG_X509_STRICT;
2233     else if (!strcmp(arg, "-extended_crl"))
2234         flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
2235     else if (!strcmp(arg, "-use_deltas"))
2236         flags |= X509_V_FLAG_USE_DELTAS;
2237     else if (!strcmp(arg, "-policy_print"))
2238         flags |= X509_V_FLAG_NOTIFY_POLICY;
2239     else if (!strcmp(arg, "-check_ss_sig"))
2240         flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
2241     else if (!strcmp(arg, "-no_alt_chains"))
2242         flags |= X509_V_FLAG_NO_ALT_CHAINS;
2243     else
2244         return 0;
2245 
2246     if (*badarg) {
2247         if (*pm)
2248             X509_VERIFY_PARAM_free(*pm);
2249         *pm = NULL;
2250         goto end;
2251     }
2252 
2253     if (!*pm && !(*pm = X509_VERIFY_PARAM_new())) {
2254         *badarg = 1;
2255         goto end;
2256     }
2257 
2258     if (otmp)
2259         X509_VERIFY_PARAM_add0_policy(*pm, otmp);
2260     if (flags)
2261         X509_VERIFY_PARAM_set_flags(*pm, flags);
2262 
2263     if (purpose)
2264         X509_VERIFY_PARAM_set_purpose(*pm, purpose);
2265 
2266     if (depth >= 0)
2267         X509_VERIFY_PARAM_set_depth(*pm, depth);
2268 
2269     if (at_time)
2270         X509_VERIFY_PARAM_set_time(*pm, at_time);
2271 
2272  end:
2273 
2274     (*pargs)++;
2275 
2276     if (pargc)
2277         *pargc -= *pargs - oldargs;
2278 
2279     return 1;
2280 
2281 }
2282 
2283 /*
2284  * Read whole contents of a BIO into an allocated memory buffer and return
2285  * it.
2286  */
2287 
bio_to_mem(unsigned char ** out,int maxlen,BIO * in)2288 int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
2289 {
2290     BIO *mem;
2291     int len, ret;
2292     unsigned char tbuf[1024];
2293     mem = BIO_new(BIO_s_mem());
2294     if (!mem)
2295         return -1;
2296     for (;;) {
2297         if ((maxlen != -1) && maxlen < 1024)
2298             len = maxlen;
2299         else
2300             len = 1024;
2301         len = BIO_read(in, tbuf, len);
2302         if (len <= 0)
2303             break;
2304         if (BIO_write(mem, tbuf, len) != len) {
2305             BIO_free(mem);
2306             return -1;
2307         }
2308         maxlen -= len;
2309 
2310         if (maxlen == 0)
2311             break;
2312     }
2313     ret = BIO_get_mem_data(mem, (char **)out);
2314     BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
2315     BIO_free(mem);
2316     return ret;
2317 }
2318 
pkey_ctrl_string(EVP_PKEY_CTX * ctx,char * value)2319 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
2320 {
2321     int rv;
2322     char *stmp, *vtmp = NULL;
2323     stmp = BUF_strdup(value);
2324     if (!stmp)
2325         return -1;
2326     vtmp = strchr(stmp, ':');
2327     if (vtmp) {
2328         *vtmp = 0;
2329         vtmp++;
2330     }
2331     rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
2332     OPENSSL_free(stmp);
2333     return rv;
2334 }
2335 
nodes_print(BIO * out,const char * name,STACK_OF (X509_POLICY_NODE)* nodes)2336 static void nodes_print(BIO *out, const char *name,
2337                         STACK_OF(X509_POLICY_NODE) *nodes)
2338 {
2339     X509_POLICY_NODE *node;
2340     int i;
2341     BIO_printf(out, "%s Policies:", name);
2342     if (nodes) {
2343         BIO_puts(out, "\n");
2344         for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
2345             node = sk_X509_POLICY_NODE_value(nodes, i);
2346             X509_POLICY_NODE_print(out, node, 2);
2347         }
2348     } else
2349         BIO_puts(out, " <empty>\n");
2350 }
2351 
policies_print(BIO * out,X509_STORE_CTX * ctx)2352 void policies_print(BIO *out, X509_STORE_CTX *ctx)
2353 {
2354     X509_POLICY_TREE *tree;
2355     int explicit_policy;
2356     int free_out = 0;
2357     if (out == NULL) {
2358         out = BIO_new_fp(stderr, BIO_NOCLOSE);
2359         free_out = 1;
2360     }
2361     tree = X509_STORE_CTX_get0_policy_tree(ctx);
2362     explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
2363 
2364     BIO_printf(out, "Require explicit Policy: %s\n",
2365                explicit_policy ? "True" : "False");
2366 
2367     nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
2368     nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
2369     if (free_out)
2370         BIO_free(out);
2371 }
2372 
2373 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
2374 
jpake_init(const char * us,const char * them,const char * secret)2375 static JPAKE_CTX *jpake_init(const char *us, const char *them,
2376                              const char *secret)
2377 {
2378     BIGNUM *p = NULL;
2379     BIGNUM *g = NULL;
2380     BIGNUM *q = NULL;
2381     BIGNUM *bnsecret = BN_new();
2382     JPAKE_CTX *ctx;
2383 
2384     /* Use a safe prime for p (that we found earlier) */
2385     BN_hex2bn(&p,
2386               "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
2387     g = BN_new();
2388     BN_set_word(g, 2);
2389     q = BN_new();
2390     BN_rshift1(q, p);
2391 
2392     BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
2393 
2394     ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
2395     BN_free(bnsecret);
2396     BN_free(q);
2397     BN_free(g);
2398     BN_free(p);
2399 
2400     return ctx;
2401 }
2402 
jpake_send_part(BIO * conn,const JPAKE_STEP_PART * p)2403 static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
2404 {
2405     BN_print(conn, p->gx);
2406     BIO_puts(conn, "\n");
2407     BN_print(conn, p->zkpx.gr);
2408     BIO_puts(conn, "\n");
2409     BN_print(conn, p->zkpx.b);
2410     BIO_puts(conn, "\n");
2411 }
2412 
jpake_send_step1(BIO * bconn,JPAKE_CTX * ctx)2413 static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
2414 {
2415     JPAKE_STEP1 s1;
2416 
2417     JPAKE_STEP1_init(&s1);
2418     JPAKE_STEP1_generate(&s1, ctx);
2419     jpake_send_part(bconn, &s1.p1);
2420     jpake_send_part(bconn, &s1.p2);
2421     (void)BIO_flush(bconn);
2422     JPAKE_STEP1_release(&s1);
2423 }
2424 
jpake_send_step2(BIO * bconn,JPAKE_CTX * ctx)2425 static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
2426 {
2427     JPAKE_STEP2 s2;
2428 
2429     JPAKE_STEP2_init(&s2);
2430     JPAKE_STEP2_generate(&s2, ctx);
2431     jpake_send_part(bconn, &s2);
2432     (void)BIO_flush(bconn);
2433     JPAKE_STEP2_release(&s2);
2434 }
2435 
jpake_send_step3a(BIO * bconn,JPAKE_CTX * ctx)2436 static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
2437 {
2438     JPAKE_STEP3A s3a;
2439 
2440     JPAKE_STEP3A_init(&s3a);
2441     JPAKE_STEP3A_generate(&s3a, ctx);
2442     BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
2443     (void)BIO_flush(bconn);
2444     JPAKE_STEP3A_release(&s3a);
2445 }
2446 
jpake_send_step3b(BIO * bconn,JPAKE_CTX * ctx)2447 static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
2448 {
2449     JPAKE_STEP3B s3b;
2450 
2451     JPAKE_STEP3B_init(&s3b);
2452     JPAKE_STEP3B_generate(&s3b, ctx);
2453     BIO_write(bconn, s3b.hk, sizeof s3b.hk);
2454     (void)BIO_flush(bconn);
2455     JPAKE_STEP3B_release(&s3b);
2456 }
2457 
readbn(BIGNUM ** bn,BIO * bconn)2458 static void readbn(BIGNUM **bn, BIO *bconn)
2459 {
2460     char buf[10240];
2461     int l;
2462 
2463     l = BIO_gets(bconn, buf, sizeof buf);
2464     assert(l > 0);
2465     assert(buf[l - 1] == '\n');
2466     buf[l - 1] = '\0';
2467     BN_hex2bn(bn, buf);
2468 }
2469 
jpake_receive_part(JPAKE_STEP_PART * p,BIO * bconn)2470 static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
2471 {
2472     readbn(&p->gx, bconn);
2473     readbn(&p->zkpx.gr, bconn);
2474     readbn(&p->zkpx.b, bconn);
2475 }
2476 
jpake_receive_step1(JPAKE_CTX * ctx,BIO * bconn)2477 static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
2478 {
2479     JPAKE_STEP1 s1;
2480 
2481     JPAKE_STEP1_init(&s1);
2482     jpake_receive_part(&s1.p1, bconn);
2483     jpake_receive_part(&s1.p2, bconn);
2484     if (!JPAKE_STEP1_process(ctx, &s1)) {
2485         ERR_print_errors(bio_err);
2486         exit(1);
2487     }
2488     JPAKE_STEP1_release(&s1);
2489 }
2490 
jpake_receive_step2(JPAKE_CTX * ctx,BIO * bconn)2491 static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
2492 {
2493     JPAKE_STEP2 s2;
2494 
2495     JPAKE_STEP2_init(&s2);
2496     jpake_receive_part(&s2, bconn);
2497     if (!JPAKE_STEP2_process(ctx, &s2)) {
2498         ERR_print_errors(bio_err);
2499         exit(1);
2500     }
2501     JPAKE_STEP2_release(&s2);
2502 }
2503 
jpake_receive_step3a(JPAKE_CTX * ctx,BIO * bconn)2504 static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
2505 {
2506     JPAKE_STEP3A s3a;
2507     int l;
2508 
2509     JPAKE_STEP3A_init(&s3a);
2510     l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
2511     assert(l == sizeof s3a.hhk);
2512     if (!JPAKE_STEP3A_process(ctx, &s3a)) {
2513         ERR_print_errors(bio_err);
2514         exit(1);
2515     }
2516     JPAKE_STEP3A_release(&s3a);
2517 }
2518 
jpake_receive_step3b(JPAKE_CTX * ctx,BIO * bconn)2519 static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
2520 {
2521     JPAKE_STEP3B s3b;
2522     int l;
2523 
2524     JPAKE_STEP3B_init(&s3b);
2525     l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
2526     assert(l == sizeof s3b.hk);
2527     if (!JPAKE_STEP3B_process(ctx, &s3b)) {
2528         ERR_print_errors(bio_err);
2529         exit(1);
2530     }
2531     JPAKE_STEP3B_release(&s3b);
2532 }
2533 
jpake_client_auth(BIO * out,BIO * conn,const char * secret)2534 void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
2535 {
2536     JPAKE_CTX *ctx;
2537     BIO *bconn;
2538 
2539     BIO_puts(out, "Authenticating with JPAKE\n");
2540 
2541     ctx = jpake_init("client", "server", secret);
2542 
2543     bconn = BIO_new(BIO_f_buffer());
2544     BIO_push(bconn, conn);
2545 
2546     jpake_send_step1(bconn, ctx);
2547     jpake_receive_step1(ctx, bconn);
2548     jpake_send_step2(bconn, ctx);
2549     jpake_receive_step2(ctx, bconn);
2550     jpake_send_step3a(bconn, ctx);
2551     jpake_receive_step3b(ctx, bconn);
2552 
2553     BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
2554 
2555     psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
2556 
2557     BIO_pop(bconn);
2558     BIO_free(bconn);
2559 
2560     JPAKE_CTX_free(ctx);
2561 }
2562 
jpake_server_auth(BIO * out,BIO * conn,const char * secret)2563 void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
2564 {
2565     JPAKE_CTX *ctx;
2566     BIO *bconn;
2567 
2568     BIO_puts(out, "Authenticating with JPAKE\n");
2569 
2570     ctx = jpake_init("server", "client", secret);
2571 
2572     bconn = BIO_new(BIO_f_buffer());
2573     BIO_push(bconn, conn);
2574 
2575     jpake_receive_step1(ctx, bconn);
2576     jpake_send_step1(bconn, ctx);
2577     jpake_receive_step2(ctx, bconn);
2578     jpake_send_step2(bconn, ctx);
2579     jpake_receive_step3a(ctx, bconn);
2580     jpake_send_step3b(bconn, ctx);
2581 
2582     BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
2583 
2584     psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
2585 
2586     BIO_pop(bconn);
2587     BIO_free(bconn);
2588 
2589     JPAKE_CTX_free(ctx);
2590 }
2591 
2592 #endif
2593 
2594 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2595 /*-
2596  * next_protos_parse parses a comma separated list of strings into a string
2597  * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
2598  *   outlen: (output) set to the length of the resulting buffer on success.
2599  *   err: (maybe NULL) on failure, an error message line is written to this BIO.
2600  *   in: a NUL termianted string like "abc,def,ghi"
2601  *
2602  *   returns: a malloced buffer or NULL on failure.
2603  */
next_protos_parse(unsigned short * outlen,const char * in)2604 unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
2605 {
2606     size_t len;
2607     unsigned char *out;
2608     size_t i, start = 0;
2609 
2610     len = strlen(in);
2611     if (len >= 65535)
2612         return NULL;
2613 
2614     out = OPENSSL_malloc(strlen(in) + 1);
2615     if (!out)
2616         return NULL;
2617 
2618     for (i = 0; i <= len; ++i) {
2619         if (i == len || in[i] == ',') {
2620             if (i - start > 255) {
2621                 OPENSSL_free(out);
2622                 return NULL;
2623             }
2624             out[start] = i - start;
2625             start = i + 1;
2626         } else
2627             out[i + 1] = in[i];
2628     }
2629 
2630     *outlen = len + 1;
2631     return out;
2632 }
2633 #endif                          /* !OPENSSL_NO_TLSEXT &&
2634                                  * !OPENSSL_NO_NEXTPROTONEG */
2635 
2636 /*
2637  * Platform-specific sections
2638  */
2639 #if defined(_WIN32)
2640 # ifdef fileno
2641 #  undef fileno
2642 #  define fileno(a) (int)_fileno(a)
2643 # endif
2644 
2645 # include <windows.h>
2646 # include <tchar.h>
2647 
WIN32_rename(const char * from,const char * to)2648 static int WIN32_rename(const char *from, const char *to)
2649 {
2650     TCHAR *tfrom = NULL, *tto;
2651     DWORD err;
2652     int ret = 0;
2653 
2654     if (sizeof(TCHAR) == 1) {
2655         tfrom = (TCHAR *)from;
2656         tto = (TCHAR *)to;
2657     } else {                    /* UNICODE path */
2658 
2659         size_t i, flen = strlen(from) + 1, tlen = strlen(to) + 1;
2660         tfrom = (TCHAR *)malloc(sizeof(TCHAR) * (flen + tlen));
2661         if (tfrom == NULL)
2662             goto err;
2663         tto = tfrom + flen;
2664 # if !defined(_WIN32_WCE) || _WIN32_WCE>=101
2665         if (!MultiByteToWideChar(CP_ACP, 0, from, flen, (WCHAR *)tfrom, flen))
2666 # endif
2667             for (i = 0; i < flen; i++)
2668                 tfrom[i] = (TCHAR)from[i];
2669 # if !defined(_WIN32_WCE) || _WIN32_WCE>=101
2670         if (!MultiByteToWideChar(CP_ACP, 0, to, tlen, (WCHAR *)tto, tlen))
2671 # endif
2672             for (i = 0; i < tlen; i++)
2673                 tto[i] = (TCHAR)to[i];
2674     }
2675 
2676     if (MoveFile(tfrom, tto))
2677         goto ok;
2678     err = GetLastError();
2679     if (err == ERROR_ALREADY_EXISTS || err == ERROR_FILE_EXISTS) {
2680         if (DeleteFile(tto) && MoveFile(tfrom, tto))
2681             goto ok;
2682         err = GetLastError();
2683     }
2684     if (err == ERROR_FILE_NOT_FOUND || err == ERROR_PATH_NOT_FOUND)
2685         errno = ENOENT;
2686     else if (err == ERROR_ACCESS_DENIED)
2687         errno = EACCES;
2688     else
2689         errno = EINVAL;         /* we could map more codes... */
2690  err:
2691     ret = -1;
2692  ok:
2693     if (tfrom != NULL && tfrom != (TCHAR *)from)
2694         free(tfrom);
2695     return ret;
2696 }
2697 #endif
2698 
2699 /* app_tminterval section */
2700 #if defined(_WIN32)
app_tminterval(int stop,int usertime)2701 double app_tminterval(int stop, int usertime)
2702 {
2703     FILETIME now;
2704     double ret = 0;
2705     static ULARGE_INTEGER tmstart;
2706     static int warning = 1;
2707 # ifdef _WIN32_WINNT
2708     static HANDLE proc = NULL;
2709 
2710     if (proc == NULL) {
2711         if (check_winnt())
2712             proc = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE,
2713                                GetCurrentProcessId());
2714         if (proc == NULL)
2715             proc = (HANDLE) - 1;
2716     }
2717 
2718     if (usertime && proc != (HANDLE) - 1) {
2719         FILETIME junk;
2720         GetProcessTimes(proc, &junk, &junk, &junk, &now);
2721     } else
2722 # endif
2723     {
2724         SYSTEMTIME systime;
2725 
2726         if (usertime && warning) {
2727             BIO_printf(bio_err, "To get meaningful results, run "
2728                        "this program on idle system.\n");
2729             warning = 0;
2730         }
2731         GetSystemTime(&systime);
2732         SystemTimeToFileTime(&systime, &now);
2733     }
2734 
2735     if (stop == TM_START) {
2736         tmstart.u.LowPart = now.dwLowDateTime;
2737         tmstart.u.HighPart = now.dwHighDateTime;
2738     } else {
2739         ULARGE_INTEGER tmstop;
2740 
2741         tmstop.u.LowPart = now.dwLowDateTime;
2742         tmstop.u.HighPart = now.dwHighDateTime;
2743 
2744         ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart) * 1e-7;
2745     }
2746 
2747     return (ret);
2748 }
2749 
2750 #elif defined(OPENSSL_SYS_NETWARE)
2751 # include <time.h>
2752 
app_tminterval(int stop,int usertime)2753 double app_tminterval(int stop, int usertime)
2754 {
2755     double ret = 0;
2756     static clock_t tmstart;
2757     static int warning = 1;
2758 
2759     if (usertime && warning) {
2760         BIO_printf(bio_err, "To get meaningful results, run "
2761                    "this program on idle system.\n");
2762         warning = 0;
2763     }
2764 
2765     if (stop == TM_START)
2766         tmstart = clock();
2767     else
2768         ret = (clock() - tmstart) / (double)CLOCKS_PER_SEC;
2769 
2770     return (ret);
2771 }
2772 
2773 #elif defined(OPENSSL_SYSTEM_VXWORKS)
2774 # include <time.h>
2775 
app_tminterval(int stop,int usertime)2776 double app_tminterval(int stop, int usertime)
2777 {
2778     double ret = 0;
2779 # ifdef CLOCK_REALTIME
2780     static struct timespec tmstart;
2781     struct timespec now;
2782 # else
2783     static unsigned long tmstart;
2784     unsigned long now;
2785 # endif
2786     static int warning = 1;
2787 
2788     if (usertime && warning) {
2789         BIO_printf(bio_err, "To get meaningful results, run "
2790                    "this program on idle system.\n");
2791         warning = 0;
2792     }
2793 # ifdef CLOCK_REALTIME
2794     clock_gettime(CLOCK_REALTIME, &now);
2795     if (stop == TM_START)
2796         tmstart = now;
2797     else
2798         ret = ((now.tv_sec + now.tv_nsec * 1e-9)
2799                - (tmstart.tv_sec + tmstart.tv_nsec * 1e-9));
2800 # else
2801     now = tickGet();
2802     if (stop == TM_START)
2803         tmstart = now;
2804     else
2805         ret = (now - tmstart) / (double)sysClkRateGet();
2806 # endif
2807     return (ret);
2808 }
2809 
2810 #elif defined(OPENSSL_SYSTEM_VMS)
2811 # include <time.h>
2812 # include <times.h>
2813 
app_tminterval(int stop,int usertime)2814 double app_tminterval(int stop, int usertime)
2815 {
2816     static clock_t tmstart;
2817     double ret = 0;
2818     clock_t now;
2819 # ifdef __TMS
2820     struct tms rus;
2821 
2822     now = times(&rus);
2823     if (usertime)
2824         now = rus.tms_utime;
2825 # else
2826     if (usertime)
2827         now = clock();          /* sum of user and kernel times */
2828     else {
2829         struct timeval tv;
2830         gettimeofday(&tv, NULL);
2831         now = (clock_t)((unsigned long long)tv.tv_sec * CLK_TCK +
2832                         (unsigned long long)tv.tv_usec * (1000000 / CLK_TCK)
2833             );
2834     }
2835 # endif
2836     if (stop == TM_START)
2837         tmstart = now;
2838     else
2839         ret = (now - tmstart) / (double)(CLK_TCK);
2840 
2841     return (ret);
2842 }
2843 
2844 #elif defined(_SC_CLK_TCK)      /* by means of unistd.h */
2845 # include <sys/times.h>
2846 
app_tminterval(int stop,int usertime)2847 double app_tminterval(int stop, int usertime)
2848 {
2849     double ret = 0;
2850     struct tms rus;
2851     clock_t now = times(&rus);
2852     static clock_t tmstart;
2853 
2854     if (usertime)
2855         now = rus.tms_utime;
2856 
2857     if (stop == TM_START)
2858         tmstart = now;
2859     else {
2860         long int tck = sysconf(_SC_CLK_TCK);
2861         ret = (now - tmstart) / (double)tck;
2862     }
2863 
2864     return (ret);
2865 }
2866 
2867 #else
2868 # include <sys/time.h>
2869 # include <sys/resource.h>
2870 
app_tminterval(int stop,int usertime)2871 double app_tminterval(int stop, int usertime)
2872 {
2873     double ret = 0;
2874     struct rusage rus;
2875     struct timeval now;
2876     static struct timeval tmstart;
2877 
2878     if (usertime)
2879         getrusage(RUSAGE_SELF, &rus), now = rus.ru_utime;
2880     else
2881         gettimeofday(&now, NULL);
2882 
2883     if (stop == TM_START)
2884         tmstart = now;
2885     else
2886         ret = ((now.tv_sec + now.tv_usec * 1e-6)
2887                - (tmstart.tv_sec + tmstart.tv_usec * 1e-6));
2888 
2889     return ret;
2890 }
2891 #endif
2892 
2893 /* app_isdir section */
2894 #ifdef _WIN32
app_isdir(const char * name)2895 int app_isdir(const char *name)
2896 {
2897     HANDLE hList;
2898     WIN32_FIND_DATA FileData;
2899 # if defined(UNICODE) || defined(_UNICODE)
2900     size_t i, len_0 = strlen(name) + 1;
2901 
2902     if (len_0 > sizeof(FileData.cFileName) / sizeof(FileData.cFileName[0]))
2903         return -1;
2904 
2905 #  if !defined(_WIN32_WCE) || _WIN32_WCE>=101
2906     if (!MultiByteToWideChar
2907         (CP_ACP, 0, name, len_0, FileData.cFileName, len_0))
2908 #  endif
2909         for (i = 0; i < len_0; i++)
2910             FileData.cFileName[i] = (WCHAR)name[i];
2911 
2912     hList = FindFirstFile(FileData.cFileName, &FileData);
2913 # else
2914     hList = FindFirstFile(name, &FileData);
2915 # endif
2916     if (hList == INVALID_HANDLE_VALUE)
2917         return -1;
2918     FindClose(hList);
2919     return ((FileData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0);
2920 }
2921 #else
2922 # include <sys/stat.h>
2923 # ifndef S_ISDIR
2924 #  if defined(_S_IFMT) && defined(_S_IFDIR)
2925 #   define S_ISDIR(a)   (((a) & _S_IFMT) == _S_IFDIR)
2926 #  else
2927 #   define S_ISDIR(a)   (((a) & S_IFMT) == S_IFDIR)
2928 #  endif
2929 # endif
2930 
app_isdir(const char * name)2931 int app_isdir(const char *name)
2932 {
2933 # if defined(S_ISDIR)
2934     struct stat st;
2935 
2936     if (stat(name, &st) == 0)
2937         return S_ISDIR(st.st_mode);
2938     else
2939         return -1;
2940 # else
2941     return -1;
2942 # endif
2943 }
2944 #endif
2945 
2946 /* raw_read|write section */
2947 #if defined(_WIN32) && defined(STD_INPUT_HANDLE)
raw_read_stdin(void * buf,int siz)2948 int raw_read_stdin(void *buf, int siz)
2949 {
2950     DWORD n;
2951     if (ReadFile(GetStdHandle(STD_INPUT_HANDLE), buf, siz, &n, NULL))
2952         return (n);
2953     else
2954         return (-1);
2955 }
2956 #else
raw_read_stdin(void * buf,int siz)2957 int raw_read_stdin(void *buf, int siz)
2958 {
2959     return read(fileno(stdin), buf, siz);
2960 }
2961 #endif
2962 
2963 #if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
raw_write_stdout(const void * buf,int siz)2964 int raw_write_stdout(const void *buf, int siz)
2965 {
2966     DWORD n;
2967     if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), buf, siz, &n, NULL))
2968         return (n);
2969     else
2970         return (-1);
2971 }
2972 #else
raw_write_stdout(const void * buf,int siz)2973 int raw_write_stdout(const void *buf, int siz)
2974 {
2975     return write(fileno(stdout), buf, siz);
2976 }
2977 #endif
2978