
Import OpenSSL 3.0.0-alpha7
schwabe committed Oct 30, 2020
1 parent 373d1ee commit 2d16af8
Showing 897 changed files with 49,071 additions and 25,431 deletions.
3 changes: 0 additions & 3 deletions apps/asn1pars.c
Expand Up @@ -18,9 +18,6 @@
#include <openssl/pem.h>
#include <openssl/asn1t.h>

DEFINE_STACK_OF(ASN1_OBJECT)
DEFINE_STACK_OF_STRING()

typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT,
2 changes: 1 addition & 1 deletion apps/build.info
Expand Up @@ -18,7 +18,7 @@ $OPENSSLSRC=\
pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
spkac.c verify.c version.c x509.c rehash.c storeutl.c \
list.c info.c provider.c fipsinstall.c
list.c info.c fipsinstall.c
IF[{- !$disabled{'des'} -}]
$OPENSSLSRC=$OPENSSLSRC pkcs12.c
ENDIF
111 changes: 60 additions & 51 deletions apps/ca.c
Expand Up @@ -26,19 +26,14 @@
#ifndef W_OK
# ifdef OPENSSL_SYS_VMS
# include <unistd.h>
# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS)
# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_TANDEM)
# include <sys/file.h>
# endif
#endif

#include "apps.h"
#include "progs.h"

DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(X509_EXTENSION)
DEFINE_STACK_OF(CONF_VALUE)
DEFINE_STACK_OF_STRING()

#ifndef W_OK
# define F_OK 0
# define W_OK 2
Expand Down Expand Up @@ -106,7 +101,7 @@ static int certify(X509 **xret, const char *infile, int informat,
int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign);
static int certify_cert(X509 **xret, const char *infile, int informat,
EVP_PKEY *pkey, X509 *x509,
const char *passin, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
Expand Down Expand Up @@ -155,7 +150,8 @@ typedef enum OPTION_choice {
OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
OPT_IN, OPT_INFORM, OPT_OUT, OPT_OUTDIR, OPT_VFYOPT,
OPT_SIGOPT, OPT_NOTEXT, OPT_BATCH, OPT_PRESERVEDN, OPT_NOEMAILDN,
OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
OPT_GENCRL, OPT_MSIE_HACK, OPT_CRL_LASTUPDATE, OPT_CRL_NEXTUPDATE,
OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
OPT_RAND_SERIAL,
Expand Down Expand Up @@ -200,7 +196,7 @@ const OPTIONS ca_options[] = {
{"rand_serial", OPT_RAND_SERIAL, '-',
"Always create a random serial; do not store it"},
{"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
"Enable support for multivalued RDNs"},
"Deprecated; multi-valued RDNs support is always on."},
{"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
{"enddate", OPT_ENDDATE, 's',
"YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
Expand All @@ -214,17 +210,17 @@ const OPTIONS ca_options[] = {

OPT_SECTION("Signing"),
{"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
{"keyfile", OPT_KEYFILE, 's', "Private key"},
{"keyfile", OPT_KEYFILE, 's', "The CA private key"},
{"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
{"passin", OPT_PASSIN, 's', "Key and cert input file pass phrase source"},
{"key", OPT_KEY, 's', "Key to decrypt key or cert files. Better use -passin"},
{"cert", OPT_CERT, '<', "The CA cert"},
{"certform", OPT_CERTFORM, 'F',
"certificate input format (DER/PEM/P12); has no effect"},
"Certificate input format (DER/PEM/P12); has no effect"},
{"selfsign", OPT_SELFSIGN, '-',
"Sign a cert with the key associated with it"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"vfyopt", OPT_SIGOPT, 's', "Verification parameter in n:v form"},
{"vfyopt", OPT_VFYOPT, 's', "Verification parameter in n:v form"},

OPT_SECTION("Revocation"),
{"gencrl", OPT_GENCRL, '-', "Generate a new CRL"},
Expand All @@ -241,6 +237,10 @@ const OPTIONS ca_options[] = {
"sets compromise time to val and the revocation reason to keyCompromise"},
{"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's',
"sets compromise time to val and the revocation reason to CACompromise"},
{"crl_lastupdate", OPT_CRL_LASTUPDATE, 's',
"Sets the CRL lastUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"},
{"crl_nextupdate", OPT_CRL_NEXTUPDATE, 's',
"Sets the CRL nextUpdate time to val (YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ)"},
{"crldays", OPT_CRLDAYS, 'p', "Days until the next CRL is due"},
{"crlhours", OPT_CRLHOURS, 'p', "Hours until the next CRL is due"},
{"crlsec", OPT_CRLSEC, 'p', "Seconds until the next CRL is due"},
Expand All @@ -262,7 +262,6 @@ int ca_main(int argc, char **argv)
EVP_PKEY *pkey = NULL;
BIO *in = NULL, *out = NULL, *Sout = NULL;
ASN1_INTEGER *tmpser;
ASN1_TIME *tmptm;
CA_DB *db = NULL;
DB_ATTR db_attr;
STACK_OF(CONF_VALUE) *attribs = NULL;
Expand All @@ -272,10 +271,11 @@ int ca_main(int argc, char **argv)
const EVP_MD *dgst = NULL;
char *configfile = default_config_file, *section = NULL;
char *md = NULL, *policy = NULL, *keyfile = NULL;
char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL, *key = NULL;
char *certfile = NULL, *crl_ext = NULL, *crlnumberfile = NULL;
int certformat = FORMAT_PEM, informat = FORMAT_PEM;
const char *infile = NULL, *spkac_file = NULL, *ss_cert_file = NULL;
const char *extensions = NULL, *extfile = NULL, *passinarg = NULL;
char *passin = NULL;
char *outdir = NULL, *outfile = NULL, *rev_arg = NULL, *ser_status = NULL;
const char *serialfile = NULL, *subj = NULL;
char *prog, *startdate = NULL, *enddate = NULL;
Expand All @@ -285,11 +285,12 @@ int ca_main(int argc, char **argv)
char *const *pp;
const char *p;
size_t outdirlen = 0;
int create_ser = 0, free_key = 0, total = 0, total_done = 0;
int create_ser = 0, free_passin = 0, total = 0, total_done = 0;
int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
int keyformat = FORMAT_PEM, multirdn = 1, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
int rand_ser = 0, i, j, selfsign = 0, def_nid, def_ret;
char *crl_lastupdate = NULL, *crl_nextupdate = NULL;
long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
unsigned long chtype = MBSTRING_ASC, certopt = 0;
X509 *x509 = NULL, *x509p = NULL, *x = NULL;
Expand Down Expand Up @@ -343,7 +344,7 @@ int ca_main(int argc, char **argv)
create_ser = 1;
break;
case OPT_MULTIVALUE_RDN:
multirdn = 1;
/* obsolete */
break;
case OPT_STARTDATE:
startdate = opt_arg();
Expand Down Expand Up @@ -379,7 +380,7 @@ int ca_main(int argc, char **argv)
goto end;
break;
case OPT_KEY:
key = opt_arg();
passin = opt_arg();
break;
case OPT_CERT:
certfile = opt_arg();
Expand Down Expand Up @@ -424,6 +425,12 @@ int ca_main(int argc, char **argv)
case OPT_MSIE_HACK:
msie_hack = 1;
break;
case OPT_CRL_LASTUPDATE:
crl_lastupdate = opt_arg();
break;
case OPT_CRL_NEXTUPDATE:
crl_nextupdate = opt_arg();
break;
case OPT_CRLDAYS:
crldays = atol(opt_arg());
break;
Expand Down Expand Up @@ -565,15 +572,14 @@ int ca_main(int argc, char **argv)
&& (keyfile = lookup_conf(conf, section, ENV_PRIVATE_KEY)) == NULL)
goto end;

if (key == NULL) {
free_key = 1;
if (!app_passwd(passinarg, NULL, &key, NULL)) {
if (passin == NULL) {
free_passin = 1;
if (!app_passwd(passinarg, NULL, &passin, NULL)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
}
pkey = load_key(keyfile, keyformat, 0, key, e, "CA private key");
cleanse(key);
pkey = load_key(keyfile, keyformat, 0, passin, e, "CA private key");
if (pkey == NULL)
/* load_key() has already printed an appropriate message */
goto end;
Expand All @@ -585,7 +591,7 @@ int ca_main(int argc, char **argv)
&& (certfile = lookup_conf(conf, section, ENV_CERTIFICATE)) == NULL)
goto end;

x509 = load_cert(certfile, certformat, "CA certificate");
x509 = load_cert_pass(certfile, certformat, passin, "CA certificate");
if (x509 == NULL)
goto end;

Expand Down Expand Up @@ -940,8 +946,8 @@ int ca_main(int argc, char **argv)
}
if (ss_cert_file != NULL) {
total++;
j = certify_cert(&x, ss_cert_file, certformat, pkey, x509, dgst,
sigopts, vfyopts, attribs,
j = certify_cert(&x, ss_cert_file, certformat, passin, pkey,
x509, dgst, sigopts, vfyopts, attribs,
db, serial, subj, chtype, multirdn, email_dn,
startdate, enddate, days, batch, extensions,
conf, verbose, certopt, get_nameopt(), default_op,
Expand Down Expand Up @@ -1146,7 +1152,8 @@ int ca_main(int argc, char **argv)
crlhours = 0;
ERR_clear_error();
}
if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
if ((crl_nextupdate == NULL) &&
(crldays == 0) && (crlhours == 0) && (crlsec == 0)) {
BIO_printf(bio_err,
"cannot lookup how long until the next CRL is issued\n");
goto end;
Expand All @@ -1159,19 +1166,18 @@ int ca_main(int argc, char **argv)
if (!X509_CRL_set_issuer_name(crl, X509_get_subject_name(x509)))
goto end;

tmptm = ASN1_TIME_new();
if (tmptm == NULL
|| X509_gmtime_adj(tmptm, 0) == NULL
|| !X509_CRL_set1_lastUpdate(crl, tmptm)
|| X509_time_adj_ex(tmptm, crldays, crlhours * 60 * 60 + crlsec,
NULL) == NULL) {
BIO_puts(bio_err, "error setting CRL nextUpdate\n");
ASN1_TIME_free(tmptm);
if (!set_crl_lastupdate(crl, crl_lastupdate)) {
BIO_puts(bio_err, "error setting CRL lastUpdate\n");
ret = 1;
goto end;
}
X509_CRL_set1_nextUpdate(crl, tmptm);

ASN1_TIME_free(tmptm);
if (!set_crl_nextupdate(crl, crl_nextupdate,
crldays, crlhours, crlsec)) {
BIO_puts(bio_err, "error setting CRL nextUpdate\n");
ret = 1;
goto end;
}

for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
Expand Down Expand Up @@ -1262,7 +1268,9 @@ int ca_main(int argc, char **argv)
goto end;
} else {
X509 *revcert;
revcert = load_cert(infile, certformat, infile);

revcert = load_cert_pass(infile, certformat, passin,
"certificate to be revoked");
if (revcert == NULL)
goto end;
if (dorevoke == 2)
Expand Down Expand Up @@ -1291,8 +1299,9 @@ int ca_main(int argc, char **argv)
BIO_free_all(in);
sk_X509_pop_free(cert_sk, X509_free);

if (free_key)
OPENSSL_free(key);
cleanse(passin);
if (free_passin)
OPENSSL_free(passin);
BN_free(serial);
BN_free(crlnumber);
free_index(db);
Expand Down Expand Up @@ -1379,7 +1388,7 @@ static int certify(X509 **xret, const char *infile, int informat,
}

static int certify_cert(X509 **xret, const char *infile, int certformat,
EVP_PKEY *pkey, X509 *x509,
const char *passin, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst,
STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(OPENSSL_STRING) *vfyopts,
Expand All @@ -1390,23 +1399,23 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
CONF *lconf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy)
{
X509 *req = NULL;
X509 *template_cert = NULL;
X509_REQ *rreq = NULL;
EVP_PKEY *pktmp = NULL;
int ok = -1, i;

if ((req = load_cert(infile, certformat, infile)) == NULL)
if ((template_cert = load_cert_pass(infile, certformat, passin, "template certificate")) == NULL)
goto end;
if (verbose)
X509_print(bio_err, req);
X509_print(bio_err, template_cert);

BIO_printf(bio_err, "Check that the request matches the signature\n");

if ((pktmp = X509_get0_pubkey(req)) == NULL) {
if ((pktmp = X509_get0_pubkey(template_cert)) == NULL) {
BIO_printf(bio_err, "error unpacking public key\n");
goto end;
}
i = do_X509_verify(req, pktmp, vfyopts);
i = do_X509_verify(template_cert, pktmp, vfyopts);
if (i < 0) {
ok = 0;
BIO_printf(bio_err, "Signature verification problems....\n");
Expand All @@ -1420,7 +1429,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
BIO_printf(bio_err, "Signature ok\n");
}

if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL)
if ((rreq = X509_to_X509_REQ(template_cert, NULL, NULL)) == NULL)
goto end;

ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
Expand All @@ -1430,7 +1439,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,

end:
X509_REQ_free(rreq);
X509_free(req);
X509_free(template_cert);
return ok;
}

Expand Down Expand Up @@ -1643,7 +1652,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
BIO_printf(bio_err,
"Everything appears to be ok, creating and signing the certificate\n");

if ((ret = X509_new_with_libctx(app_get0_libctx(), app_get0_propq())) == NULL)
if ((ret = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
goto end;

#ifdef X509_V3
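Review bot: The pass phrase now outlives the CA key load: the removed `cleanse(key)` ran right after `load_key()`, whereas on the new side `passin` stays in memory from `pkey = load_key(keyfile, keyformat, 0, passin, e, "CA private key");` until the `cleanse(passin);` at `end:`, because it is reused by `load_cert_pass()` for the CA cert, the `-ss_cert` template and the certificate to be revoked. That is a deliberate trade-off, but nothing at the load site says so; a comment above the `load_key()` call such as `/* passin is kept until end: it is also needed for the CA cert, -ss_cert and -revoke inputs */` would keep a later cleanup from re-introducing the early cleanse and breaking those loads. When `-key` is used, `passin = opt_arg();` makes `passin` point into argv, so the cleanse at `end:` scrubs the argument in place, which matches the old `cleanse(key)` behaviour and is presumably intended. In `certify_cert` the line `if ((template_cert = load_cert_pass(infile, certformat, passin, "template certificate")) == NULL)` runs well past the 80-column width the surrounding code keeps to; wrapping the argument list as the neighbouring calls do would match the file's style. Both `ca_main` and `certify_cert` start and end outside the hunks shown.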
2 changes: 0 additions & 2 deletions apps/ciphers.c
Expand Up @@ -15,8 +15,6 @@
#include <openssl/err.h>
#include <openssl/ssl.h>

DEFINE_STACK_OF_CONST(SSL_CIPHER)

typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_STDNAME,
