aboutsummaryrefslogtreecommitdiffstats
path: root/apps
diff options
context:
space:
mode:
Diffstat (limited to 'apps')
-rw-r--r--apps/asn1pars.c14
-rw-r--r--apps/cms.c3
-rw-r--r--apps/enc.c4
-rw-r--r--apps/ocsp.c11
-rw-r--r--apps/s_cb.c106
-rw-r--r--apps/s_client.c2
-rw-r--r--apps/speed.c83
7 files changed, 155 insertions, 68 deletions
diff --git a/apps/asn1pars.c b/apps/asn1pars.c
index 62c70b9cc440..6c44df7de490 100644
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -170,17 +170,17 @@ int asn1parse_main(int argc, char **argv)
if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
goto end;
+ if ((buf = BUF_MEM_new()) == NULL)
+ goto end;
if (strictpem) {
- if (PEM_read_bio(in, &name, &header, &str, &num) !=
- 1) {
+ if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
BIO_printf(bio_err, "Error reading PEM file\n");
ERR_print_errors(bio_err);
goto end;
}
+ buf->data = (char *)str;
+ buf->length = buf->max = num;
} else {
-
- if ((buf = BUF_MEM_new()) == NULL)
- goto end;
if (!BUF_MEM_grow(buf, BUFSIZ * 8))
goto end; /* Pre-allocate :-) */
@@ -303,8 +303,6 @@ int asn1parse_main(int argc, char **argv)
BUF_MEM_free(buf);
OPENSSL_free(name);
OPENSSL_free(header);
- if (strictpem)
- OPENSSL_free(str);
ASN1_TYPE_free(at);
sk_OPENSSL_STRING_free(osk);
return ret;
diff --git a/apps/cms.c b/apps/cms.c
index e9d760c999b7..15edd67dbefd 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -1,5 +1,5 @@
/*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -636,6 +636,7 @@ int cms_main(int argc, char **argv)
goto opthelp;
}
} else if (!operation) {
+ BIO_printf(bio_err, "No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.\n");
goto opthelp;
}
diff --git a/apps/enc.c b/apps/enc.c
index 8e5a57d3e5d7..de33e57a5f49 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -500,7 +500,7 @@ int enc_main(int argc, char **argv)
if (hiv != NULL) {
int siz = EVP_CIPHER_iv_length(cipher);
if (siz == 0) {
- BIO_printf(bio_err, "warning: iv not use by this cipher\n");
+ BIO_printf(bio_err, "warning: iv not used by this cipher\n");
} else if (!set_hex(hiv, iv, siz)) {
BIO_printf(bio_err, "invalid hex iv value\n");
goto end;
diff --git a/apps/ocsp.c b/apps/ocsp.c
index e8aeb11cc51d..066a2e43af2b 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -641,8 +641,10 @@ redo_accept:
goto end;
}
- if (req != NULL && add_nonce)
- OCSP_request_add1_nonce(req, NULL, -1);
+ if (req != NULL && add_nonce) {
+ if (!OCSP_request_add1_nonce(req, NULL, -1))
+ goto end;
+ }
if (signfile != NULL) {
if (keyfile == NULL)
@@ -1245,7 +1247,10 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
goto end;
}
}
- OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags);
+ if (!OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags)) {
+ *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs);
+ goto end;
+ }
if (badsig) {
const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);
diff --git a/apps/s_cb.c b/apps/s_cb.c
index d0e332a7088a..520323c8b05c 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -683,6 +683,53 @@ static STRINT_PAIR tlsext_types[] = {
{NULL}
};
+/* from rfc8446 4.2.3. + gost (https://tools.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-04.html) */
+static STRINT_PAIR signature_tls13_scheme_list[] = {
+ {"rsa_pkcs1_sha1", 0x0201 /* TLSEXT_SIGALG_rsa_pkcs1_sha1 */},
+ {"ecdsa_sha1", 0x0203 /* TLSEXT_SIGALG_ecdsa_sha1 */},
+/* {"rsa_pkcs1_sha224", 0x0301 TLSEXT_SIGALG_rsa_pkcs1_sha224}, not in rfc8446 */
+/* {"ecdsa_sha224", 0x0303 TLSEXT_SIGALG_ecdsa_sha224} not in rfc8446 */
+ {"rsa_pkcs1_sha256", 0x0401 /* TLSEXT_SIGALG_rsa_pkcs1_sha256 */},
+ {"ecdsa_secp256r1_sha256", 0x0403 /* TLSEXT_SIGALG_ecdsa_secp256r1_sha256 */},
+ {"rsa_pkcs1_sha384", 0x0501 /* TLSEXT_SIGALG_rsa_pkcs1_sha384 */},
+ {"ecdsa_secp384r1_sha384", 0x0503 /* TLSEXT_SIGALG_ecdsa_secp384r1_sha384 */},
+ {"rsa_pkcs1_sha512", 0x0601 /* TLSEXT_SIGALG_rsa_pkcs1_sha512 */},
+ {"ecdsa_secp521r1_sha512", 0x0603 /* TLSEXT_SIGALG_ecdsa_secp521r1_sha512 */},
+ {"rsa_pss_rsae_sha256", 0x0804 /* TLSEXT_SIGALG_rsa_pss_rsae_sha256 */},
+ {"rsa_pss_rsae_sha384", 0x0805 /* TLSEXT_SIGALG_rsa_pss_rsae_sha384 */},
+ {"rsa_pss_rsae_sha512", 0x0806 /* TLSEXT_SIGALG_rsa_pss_rsae_sha512 */},
+ {"ed25519", 0x0807 /* TLSEXT_SIGALG_ed25519 */},
+ {"ed448", 0x0808 /* TLSEXT_SIGALG_ed448 */},
+ {"rsa_pss_pss_sha256", 0x0809 /* TLSEXT_SIGALG_rsa_pss_pss_sha256 */},
+ {"rsa_pss_pss_sha384", 0x080a /* TLSEXT_SIGALG_rsa_pss_pss_sha384 */},
+ {"rsa_pss_pss_sha512", 0x080b /* TLSEXT_SIGALG_rsa_pss_pss_sha512 */},
+ {"gostr34102001", 0xeded /* TLSEXT_SIGALG_gostr34102001_gostr3411 */},
+ {"gostr34102012_256", 0xeeee /* TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 */},
+ {"gostr34102012_512", 0xefef /* TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 */},
+ {NULL}
+};
+
+/* from rfc5246 7.4.1.4.1. */
+static STRINT_PAIR signature_tls12_alg_list[] = {
+ {"anonymous", TLSEXT_signature_anonymous /* 0 */},
+ {"RSA", TLSEXT_signature_rsa /* 1 */},
+ {"DSA", TLSEXT_signature_dsa /* 2 */},
+ {"ECDSA", TLSEXT_signature_ecdsa /* 3 */},
+ {NULL}
+};
+
+/* from rfc5246 7.4.1.4.1. */
+static STRINT_PAIR signature_tls12_hash_list[] = {
+ {"none", TLSEXT_hash_none /* 0 */},
+ {"MD5", TLSEXT_hash_md5 /* 1 */},
+ {"SHA1", TLSEXT_hash_sha1 /* 2 */},
+ {"SHA224", TLSEXT_hash_sha224 /* 3 */},
+ {"SHA256", TLSEXT_hash_sha256 /* 4 */},
+ {"SHA384", TLSEXT_hash_sha384 /* 5 */},
+ {"SHA512", TLSEXT_hash_sha512 /* 6 */},
+ {NULL}
+};
+
void tlsext_cb(SSL *s, int client_server, int type,
const unsigned char *data, int len, void *arg)
{
@@ -1282,9 +1329,9 @@ static STRINT_PAIR callback_types[] = {
{"Supported Curve", SSL_SECOP_CURVE_SUPPORTED},
{"Shared Curve", SSL_SECOP_CURVE_SHARED},
{"Check Curve", SSL_SECOP_CURVE_CHECK},
- {"Supported Signature Algorithm digest", SSL_SECOP_SIGALG_SUPPORTED},
- {"Shared Signature Algorithm digest", SSL_SECOP_SIGALG_SHARED},
- {"Check Signature Algorithm digest", SSL_SECOP_SIGALG_CHECK},
+ {"Supported Signature Algorithm", SSL_SECOP_SIGALG_SUPPORTED},
+ {"Shared Signature Algorithm", SSL_SECOP_SIGALG_SHARED},
+ {"Check Signature Algorithm", SSL_SECOP_SIGALG_CHECK},
{"Signature Algorithm mask", SSL_SECOP_SIGALG_MASK},
{"Certificate chain EE key", SSL_SECOP_EE_KEY},
{"Certificate chain CA key", SSL_SECOP_CA_KEY},
@@ -1304,29 +1351,37 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
security_debug_ex *sdb = ex;
int rv, show_bits = 1, cert_md = 0;
const char *nm;
+ int show_nm;
rv = sdb->old_cb(s, ctx, op, bits, nid, other, ex);
if (rv == 1 && sdb->verbose < 2)
return 1;
BIO_puts(sdb->out, "Security callback: ");
nm = lookup(op, callback_types, NULL);
+ show_nm = nm != NULL;
switch (op) {
case SSL_SECOP_TICKET:
case SSL_SECOP_COMPRESSION:
show_bits = 0;
- nm = NULL;
+ show_nm = 0;
break;
case SSL_SECOP_VERSION:
BIO_printf(sdb->out, "Version=%s", lookup(nid, ssl_versions, "???"));
show_bits = 0;
- nm = NULL;
+ show_nm = 0;
break;
case SSL_SECOP_CA_MD:
case SSL_SECOP_PEER_CA_MD:
cert_md = 1;
break;
+ case SSL_SECOP_SIGALG_SUPPORTED:
+ case SSL_SECOP_SIGALG_SHARED:
+ case SSL_SECOP_SIGALG_CHECK:
+ case SSL_SECOP_SIGALG_MASK:
+ show_nm = 0;
+ break;
}
- if (nm != NULL)
+ if (show_nm)
BIO_printf(sdb->out, "%s=", nm);
switch (op & SSL_SECOP_OTHER_TYPE) {
@@ -1373,27 +1428,28 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
{
const unsigned char *salg = other;
const char *sname = NULL;
- switch (salg[1]) {
- case TLSEXT_signature_anonymous:
- sname = "anonymous";
- break;
- case TLSEXT_signature_rsa:
- sname = "RSA";
- break;
- case TLSEXT_signature_dsa:
- sname = "DSA";
- break;
- case TLSEXT_signature_ecdsa:
- sname = "ECDSA";
- break;
- }
+ int raw_sig_code = (salg[0] << 8) + salg[1]; /* always big endian (msb, lsb) */
+ /* raw_sig_code: signature_scheme from tls1.3, or signature_and_hash from tls1.2 */
- BIO_puts(sdb->out, OBJ_nid2sn(nid));
- if (sname)
- BIO_printf(sdb->out, ", algorithm=%s", sname);
+ if (nm != NULL)
+ BIO_printf(sdb->out, "%s", nm);
else
- BIO_printf(sdb->out, ", algid=%d", salg[1]);
- break;
+ BIO_printf(sdb->out, "s_cb.c:security_callback_debug op=0x%x", op);
+
+ sname = lookup(raw_sig_code, signature_tls13_scheme_list, NULL);
+ if (sname != NULL) {
+ BIO_printf(sdb->out, " scheme=%s", sname);
+ } else {
+ int alg_code = salg[1];
+ int hash_code = salg[0];
+ const char *alg_str = lookup(alg_code, signature_tls12_alg_list, NULL);
+ const char *hash_str = lookup(hash_code, signature_tls12_hash_list, NULL);
+
+ if (alg_str != NULL && hash_str != NULL)
+ BIO_printf(sdb->out, " digest=%s, algorithm=%s", hash_str, alg_str);
+ else
+ BIO_printf(sdb->out, " scheme=unknown(0x%04x)", raw_sig_code);
+ }
}
}
diff --git a/apps/s_client.c b/apps/s_client.c
index 4dd6e2fef4e4..b85339a0b870 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -2253,7 +2253,7 @@ int s_client_main(int argc, char **argv)
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
}
- while (mbuf_len > 3 && mbuf[3] == '-');
+ while (mbuf_len > 3 && (!isdigit(mbuf[0]) || !isdigit(mbuf[1]) || !isdigit(mbuf[2]) || mbuf[3] != ' '));
(void)BIO_flush(fbio);
BIO_pop(fbio);
BIO_free(fbio);
diff --git a/apps/speed.c b/apps/speed.c
index 506737d05fc6..8d4b1695d851 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -489,30 +489,35 @@ static const OPT_PAIR rsa_choices[] = {
static double rsa_results[RSA_NUM][2]; /* 2 ops: sign then verify */
#endif /* OPENSSL_NO_RSA */
-#define R_EC_P160 0
-#define R_EC_P192 1
-#define R_EC_P224 2
-#define R_EC_P256 3
-#define R_EC_P384 4
-#define R_EC_P521 5
-#define R_EC_K163 6
-#define R_EC_K233 7
-#define R_EC_K283 8
-#define R_EC_K409 9
-#define R_EC_K571 10
-#define R_EC_B163 11
-#define R_EC_B233 12
-#define R_EC_B283 13
-#define R_EC_B409 14
-#define R_EC_B571 15
-#define R_EC_BRP256R1 16
-#define R_EC_BRP256T1 17
-#define R_EC_BRP384R1 18
-#define R_EC_BRP384T1 19
-#define R_EC_BRP512R1 20
-#define R_EC_BRP512T1 21
-#define R_EC_X25519 22
-#define R_EC_X448 23
+enum {
+ R_EC_P160,
+ R_EC_P192,
+ R_EC_P224,
+ R_EC_P256,
+ R_EC_P384,
+ R_EC_P521,
+#ifndef OPENSSL_NO_EC2M
+ R_EC_K163,
+ R_EC_K233,
+ R_EC_K283,
+ R_EC_K409,
+ R_EC_K571,
+ R_EC_B163,
+ R_EC_B233,
+ R_EC_B283,
+ R_EC_B409,
+ R_EC_B571,
+#endif
+ R_EC_BRP256R1,
+ R_EC_BRP256T1,
+ R_EC_BRP384R1,
+ R_EC_BRP384T1,
+ R_EC_BRP512R1,
+ R_EC_BRP512T1,
+ R_EC_X25519,
+ R_EC_X448
+};
+
#ifndef OPENSSL_NO_EC
static OPT_PAIR ecdsa_choices[] = {
{"ecdsap160", R_EC_P160},
@@ -521,6 +526,7 @@ static OPT_PAIR ecdsa_choices[] = {
{"ecdsap256", R_EC_P256},
{"ecdsap384", R_EC_P384},
{"ecdsap521", R_EC_P521},
+# ifndef OPENSSL_NO_EC2M
{"ecdsak163", R_EC_K163},
{"ecdsak233", R_EC_K233},
{"ecdsak283", R_EC_K283},
@@ -531,6 +537,7 @@ static OPT_PAIR ecdsa_choices[] = {
{"ecdsab283", R_EC_B283},
{"ecdsab409", R_EC_B409},
{"ecdsab571", R_EC_B571},
+# endif
{"ecdsabrp256r1", R_EC_BRP256R1},
{"ecdsabrp256t1", R_EC_BRP256T1},
{"ecdsabrp384r1", R_EC_BRP384R1},
@@ -549,6 +556,7 @@ static const OPT_PAIR ecdh_choices[] = {
{"ecdhp256", R_EC_P256},
{"ecdhp384", R_EC_P384},
{"ecdhp521", R_EC_P521},
+# ifndef OPENSSL_NO_EC2M
{"ecdhk163", R_EC_K163},
{"ecdhk233", R_EC_K233},
{"ecdhk283", R_EC_K283},
@@ -559,6 +567,7 @@ static const OPT_PAIR ecdh_choices[] = {
{"ecdhb283", R_EC_B283},
{"ecdhb409", R_EC_B409},
{"ecdhb571", R_EC_B571},
+# endif
{"ecdhbrp256r1", R_EC_BRP256R1},
{"ecdhbrp256t1", R_EC_BRP256T1},
{"ecdhbrp384r1", R_EC_BRP384R1},
@@ -1501,6 +1510,7 @@ int speed_main(int argc, char **argv)
{"nistp256", NID_X9_62_prime256v1, 256},
{"nistp384", NID_secp384r1, 384},
{"nistp521", NID_secp521r1, 521},
+# ifndef OPENSSL_NO_EC2M
/* Binary Curves */
{"nistk163", NID_sect163k1, 163},
{"nistk233", NID_sect233k1, 233},
@@ -1512,6 +1522,7 @@ int speed_main(int argc, char **argv)
{"nistb283", NID_sect283r1, 283},
{"nistb409", NID_sect409r1, 409},
{"nistb571", NID_sect571r1, 571},
+# endif
{"brainpoolP256r1", NID_brainpoolP256r1, 256},
{"brainpoolP256t1", NID_brainpoolP256t1, 256},
{"brainpoolP384r1", NID_brainpoolP384r1, 384},
@@ -2031,6 +2042,7 @@ int speed_main(int argc, char **argv)
}
}
}
+# ifndef OPENSSL_NO_EC2M
ecdsa_c[R_EC_K163][0] = count / 1000;
ecdsa_c[R_EC_K163][1] = count / 1000 / 2;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
@@ -2059,6 +2071,7 @@ int speed_main(int argc, char **argv)
}
}
}
+# endif
ecdh_c[R_EC_P160][0] = count / 1000;
for (i = R_EC_P192; i <= R_EC_P521; i++) {
@@ -2071,6 +2084,7 @@ int speed_main(int argc, char **argv)
}
}
}
+# ifndef OPENSSL_NO_EC2M
ecdh_c[R_EC_K163][0] = count / 1000;
for (i = R_EC_K233; i <= R_EC_K571; i++) {
ecdh_c[i][0] = ecdh_c[i - 1][0] / 2;
@@ -2093,6 +2107,7 @@ int speed_main(int argc, char **argv)
}
}
}
+# endif
/* repeated code good to factorize */
ecdh_c[R_EC_BRP256R1][0] = count / 1000;
for (i = R_EC_BRP384R1; i <= R_EC_BRP512R1; i += 2) {
@@ -2614,16 +2629,28 @@ int speed_main(int argc, char **argv)
for (k = 0; k < loopargs_len; k++) {
loopargs[k].ctx = EVP_CIPHER_CTX_new();
- EVP_CipherInit_ex(loopargs[k].ctx, evp_cipher, NULL, NULL,
- iv, decrypt ? 0 : 1);
+ if (loopargs[k].ctx == NULL) {
+ BIO_printf(bio_err, "\nEVP_CIPHER_CTX_new failure\n");
+ exit(1);
+ }
+ if (!EVP_CipherInit_ex(loopargs[k].ctx, evp_cipher, NULL,
+ NULL, iv, decrypt ? 0 : 1)) {
+ BIO_printf(bio_err, "\nEVP_CipherInit_ex failure\n");
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
EVP_CIPHER_CTX_set_padding(loopargs[k].ctx, 0);
keylen = EVP_CIPHER_CTX_key_length(loopargs[k].ctx);
loopargs[k].key = app_malloc(keylen, "evp_cipher key");
EVP_CIPHER_CTX_rand_key(loopargs[k].ctx, loopargs[k].key);
- EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL,
- loopargs[k].key, NULL, -1);
+ if (!EVP_CipherInit_ex(loopargs[k].ctx, NULL, NULL,
+ loopargs[k].key, NULL, -1)) {
+ BIO_printf(bio_err, "\nEVP_CipherInit_ex failure\n");
+ ERR_print_errors(bio_err);
+ exit(1);
+ }
OPENSSL_clear_free(loopargs[k].key, keylen);
}