aboutsummaryrefslogtreecommitdiffstats
path: root/apps
diff options
context:
space:
mode:
Diffstat (limited to 'apps')
-rwxr-xr-xapps/CA.pl3
-rw-r--r--apps/CA.pl.in3
-rw-r--r--apps/apps.c46
-rw-r--r--apps/apps.h2
-rw-r--r--apps/ca.c23
-rw-r--r--apps/dgst.c5
-rw-r--r--apps/enc.c2
-rw-r--r--apps/passwd.c4
-rw-r--r--apps/pkcs12.c83
-rw-r--r--apps/req.c14
-rw-r--r--apps/s_apps.h3
-rw-r--r--apps/s_cb.c9
-rw-r--r--apps/s_client.c92
-rw-r--r--apps/s_server.c76
-rw-r--r--apps/speed.c4
-rw-r--r--apps/srp.c2
-rw-r--r--apps/verify.c21
-rw-r--r--apps/x509.c6
18 files changed, 281 insertions, 117 deletions
diff --git a/apps/CA.pl b/apps/CA.pl
index a3965ecea96e..43c20b201c79 100755
--- a/apps/CA.pl
+++ b/apps/CA.pl
@@ -64,7 +64,7 @@ $RET = 0;
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
- print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
exit 0;
} elsif (/^-newcert$/) {
# create a certificate
@@ -186,4 +186,3 @@ while (<IN>) {
}
}
}
-
diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index c783a6e6a541..3bf4c99f3102 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -64,7 +64,7 @@ $RET = 0;
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
- print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
exit 0;
} elsif (/^-newcert$/) {
# create a certificate
@@ -186,4 +186,3 @@ while (<IN>) {
}
}
}
-
diff --git a/apps/apps.c b/apps/apps.c
index b1dd97038f7d..9fdc3e0097c5 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -215,7 +215,8 @@ int args_from_file(char *file, int *argc, char **argv[])
if (arg != NULL)
OPENSSL_free(arg);
arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2));
-
+ if (arg == NULL)
+ return 0;
*argv = arg;
num = 0;
p = buf;
@@ -2374,6 +2375,8 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_PARTIAL_CHAIN;
else if (!strcmp(arg, "-no_alt_chains"))
flags |= X509_V_FLAG_NO_ALT_CHAINS;
+ else if (!strcmp(arg, "-allow_proxy_certs"))
+ flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
else
return 0;
@@ -3195,6 +3198,36 @@ int app_isdir(const char *name)
#endif
/* raw_read|write section */
+#if defined(__VMS)
+# include "vms_term_sock.h"
+static int stdin_sock = -1;
+
+static void close_stdin_sock(void)
+{
+ TerminalSocket (TERM_SOCK_DELETE, &stdin_sock);
+}
+
+int fileno_stdin(void)
+{
+ if (stdin_sock == -1) {
+ TerminalSocket(TERM_SOCK_CREATE, &stdin_sock);
+ atexit(close_stdin_sock);
+ }
+
+ return stdin_sock;
+}
+#else
+int fileno_stdin(void)
+{
+ return fileno(stdin);
+}
+#endif
+
+int fileno_stdout(void)
+{
+ return fileno(stdout);
+}
+
#if defined(_WIN32) && defined(STD_INPUT_HANDLE)
int raw_read_stdin(void *buf, int siz)
{
@@ -3204,10 +3237,17 @@ int raw_read_stdin(void *buf, int siz)
else
return (-1);
}
+#elif defined(__VMS)
+#include <sys/socket.h>
+
+int raw_read_stdin(void *buf, int siz)
+{
+ return recv(fileno_stdin(), buf, siz, 0);
+}
#else
int raw_read_stdin(void *buf, int siz)
{
- return read(fileno(stdin), buf, siz);
+ return read(fileno_stdin(), buf, siz);
}
#endif
@@ -3223,6 +3263,6 @@ int raw_write_stdout(const void *buf, int siz)
#else
int raw_write_stdout(const void *buf, int siz)
{
- return write(fileno(stdout), buf, siz);
+ return write(fileno_stdout(), buf, siz);
}
#endif
diff --git a/apps/apps.h b/apps/apps.h
index 19bf5cc3337d..c6c3881f31e1 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -375,6 +375,8 @@ void store_setup_crl_download(X509_STORE *st);
# define SERIAL_RAND_BITS 64
int app_isdir(const char *);
+int fileno_stdin(void);
+int fileno_stdout(void);
int raw_read_stdin(void *, int);
int raw_write_stdout(const void *, int);
diff --git a/apps/ca.c b/apps/ca.c
index 0b66095b83b6..a0ec5838fa7c 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -2103,25 +2103,23 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto err;
/* We now just add it to the database */
- row[DB_type] = (char *)OPENSSL_malloc(2);
-
tm = X509_get_notAfter(ret);
- row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
- memcpy(row[DB_exp_date], tm->data, tm->length);
- row[DB_exp_date][tm->length] = '\0';
-
- row[DB_rev_date] = NULL;
-
- /* row[DB_serial] done already */
- row[DB_file] = (char *)OPENSSL_malloc(8);
+ row[DB_type] = OPENSSL_malloc(2);
+ row[DB_exp_date] = OPENSSL_malloc(tm->length + 1);
+ row[DB_rev_date] = OPENSSL_malloc(1);
+ row[DB_file] = OPENSSL_malloc(8);
row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
-
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+ (row[DB_rev_date] == NULL) ||
(row[DB_file] == NULL) || (row[DB_name] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto err;
}
- BUF_strlcpy(row[DB_file], "unknown", 8);
+
+ memcpy(row[DB_exp_date], tm->data, tm->length);
+ row[DB_exp_date][tm->length] = '\0';
+ row[DB_rev_date][0] = '\0';
+ strcpy(row[DB_file], "unknown");
row[DB_type][0] = 'V';
row[DB_type][1] = '\0';
@@ -2307,6 +2305,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,
j = NETSCAPE_SPKI_verify(spki, pktmp);
if (j <= 0) {
+ EVP_PKEY_free(pktmp);
BIO_printf(bio_err,
"signature verification failed on SPKAC public key\n");
goto err;
diff --git a/apps/dgst.c b/apps/dgst.c
index 95e5fa3fc7b7..26afcd7b30ba 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -243,6 +243,11 @@ int MAIN(int argc, char **argv)
argv++;
}
+ if (keyfile != NULL && argc > 1) {
+ BIO_printf(bio_err, "Can only sign or verify one file\n");
+ goto end;
+ }
+
if (do_verify && !sigfile) {
BIO_printf(bio_err,
"No signature to verify: use the -signature option\n");
diff --git a/apps/enc.c b/apps/enc.c
index 7b7c70b132d7..8e2ef27aca34 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -509,7 +509,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "invalid hex salt value\n");
goto end;
}
- } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
+ } else if (RAND_bytes(salt, sizeof salt) <= 0)
goto end;
/*
* If -P option then don't bother writing
diff --git a/apps/passwd.c b/apps/passwd.c
index 5ff53b5743c6..798a6d593616 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
if (*salt_malloc_p == NULL)
goto err;
}
- if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+ if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
goto err;
(*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
(*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
@@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
if (*salt_malloc_p == NULL)
goto err;
}
- if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+ if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
goto err;
for (i = 0; i < 8; i++)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index cbb75b7d5fe4..82182c29b86d 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -832,6 +832,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
EVP_PKEY *pkey;
PKCS8_PRIV_KEY_INFO *p8;
X509 *x509;
+ int ret = 0;
switch (M_PKCS12_bag_type(bag)) {
case NID_keyBag:
@@ -844,7 +845,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
if (!(pkey = EVP_PKCS82PKEY(p8)))
return 0;
print_attribs(out, p8->attributes, "Key Attributes");
- PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
+ ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
EVP_PKEY_free(pkey);
break;
@@ -864,7 +865,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
}
print_attribs(out, p8->attributes, "Key Attributes");
PKCS8_PRIV_KEY_INFO_free(p8);
- PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
+ ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
EVP_PKEY_free(pkey);
break;
@@ -884,7 +885,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
if (!(x509 = PKCS12_certbag2x509(bag)))
return 0;
dump_cert_text(out, x509);
- PEM_write_bio_X509(out, x509);
+ ret = PEM_write_bio_X509(out, x509);
X509_free(x509);
break;
@@ -902,7 +903,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
return 1;
break;
}
- return 1;
+ return ret;
}
/* Given a single certificate return a verified chain or NULL if error */
@@ -931,16 +932,70 @@ static int get_cert_chain(X509 *cert, X509_STORE *store,
int alg_print(BIO *x, X509_ALGOR *alg)
{
- PBEPARAM *pbe;
- const unsigned char *p;
- p = alg->parameter->value.sequence->data;
- pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
- if (!pbe)
- return 1;
- BIO_printf(bio_err, "%s, Iteration %ld\n",
- OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)),
- ASN1_INTEGER_get(pbe->iter));
- PBEPARAM_free(pbe);
+ int pbenid, aparamtype;
+ ASN1_OBJECT *aoid;
+ void *aparam;
+ PBEPARAM *pbe = NULL;
+
+ X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg);
+
+ pbenid = OBJ_obj2nid(aoid);
+
+ BIO_printf(x, "%s", OBJ_nid2ln(pbenid));
+
+ /*
+ * If PBE algorithm is PBES2 decode algorithm parameters
+ * for additional details.
+ */
+ if (pbenid == NID_pbes2) {
+ PBE2PARAM *pbe2 = NULL;
+ int encnid;
+ if (aparamtype == V_ASN1_SEQUENCE)
+ pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM));
+ if (pbe2 == NULL) {
+ BIO_puts(x, "<unsupported parameters>");
+ goto done;
+ }
+ X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc);
+ pbenid = OBJ_obj2nid(aoid);
+ X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption);
+ encnid = OBJ_obj2nid(aoid);
+ BIO_printf(x, ", %s, %s", OBJ_nid2ln(pbenid),
+ OBJ_nid2sn(encnid));
+ /* If KDF is PBKDF2 decode parameters */
+ if (pbenid == NID_id_pbkdf2) {
+ PBKDF2PARAM *kdf = NULL;
+ int prfnid;
+ if (aparamtype == V_ASN1_SEQUENCE)
+ kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM));
+ if (kdf == NULL) {
+ BIO_puts(x, "<unsupported parameters>");
+ goto done;
+ }
+
+ if (kdf->prf == NULL) {
+ prfnid = NID_hmacWithSHA1;
+ } else {
+ X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf);
+ prfnid = OBJ_obj2nid(aoid);
+ }
+ BIO_printf(x, ", Iteration %ld, PRF %s",
+ ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
+ PBKDF2PARAM_free(kdf);
+ }
+ PBE2PARAM_free(pbe2);
+ } else {
+ if (aparamtype == V_ASN1_SEQUENCE)
+ pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM));
+ if (pbe == NULL) {
+ BIO_puts(x, "<unsupported parameters>");
+ goto done;
+ }
+ BIO_printf(x, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter));
+ PBEPARAM_free(pbe);
+ }
+ done:
+ BIO_puts(x, "\n");
return 1;
}
diff --git a/apps/req.c b/apps/req.c
index e818bd2976d6..d1411c91bbb8 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -332,9 +332,10 @@ int MAIN(int argc, char **argv)
subject = 1;
else if (strcmp(*argv, "-text") == 0)
text = 1;
- else if (strcmp(*argv, "-x509") == 0)
+ else if (strcmp(*argv, "-x509") == 0) {
+ newreq = 1;
x509 = 1;
- else if (strcmp(*argv, "-asn1-kludge") == 0)
+ } else if (strcmp(*argv, "-asn1-kludge") == 0)
kludge = 1;
else if (strcmp(*argv, "-no-asn1-kludge") == 0)
kludge = 0;
@@ -756,7 +757,7 @@ int MAIN(int argc, char **argv)
}
}
- if (newreq || x509) {
+ if (newreq) {
if (pkey == NULL) {
BIO_printf(bio_err, "you need to specify a private key\n");
goto end;
@@ -1331,12 +1332,11 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
break;
}
#ifndef CHARSET_EBCDIC
- if (*p == '+')
+ if (*type == '+') {
#else
- if (*p == os_toascii['+'])
+ if (*type == os_toascii['+']) {
#endif
- {
- p++;
+ type++;
mval = -1;
} else
mval = 0;
diff --git a/apps/s_apps.h b/apps/s_apps.h
index 5b54bfdc4e1c..5ba1e1d6d86d 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -199,7 +199,8 @@ int load_excert(SSL_EXCERT **pexc, BIO *err);
void print_ssl_summary(BIO *bio, SSL *s);
#ifdef HEADER_SSL_H
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
- int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
+ int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr,
+ int *no_prot_opt);
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 5b5e711bf2eb..d1a99a7bd605 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1507,11 +1507,18 @@ void print_ssl_summary(BIO *bio, SSL *s)
}
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
- int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr)
+ int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr,
+ int *no_prot_opt)
{
char *arg = **pargs, *argn = (*pargs)[1];
int rv;
+ if (strcmp(arg, "-no_ssl2") == 0 || strcmp(arg, "-no_ssl3") == 0
+ || strcmp(arg, "-no_tls1") == 0 || strcmp(arg, "-no_tls1_1") == 0
+ || strcmp(arg, "-no_tls1_2") == 0) {
+ *no_prot_opt = 1;
+ }
+
/* Attempt to run SSL configuration command */
rv = SSL_CONF_cmd_argv(cctx, pargc, pargs);
/* If parameter not recognised just return */
diff --git a/apps/s_client.c b/apps/s_client.c
index 0c1102b9c36a..41a326fbb859 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -242,9 +242,9 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
unsigned char *psk,
unsigned int max_psk_len)
{
- unsigned int psk_len = 0;
int ret;
- BIGNUM *bn = NULL;
+ long key_len;
+ unsigned char *key;
if (c_debug)
BIO_printf(bio_c_out, "psk_client_cb\n");
@@ -265,32 +265,29 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
if (c_debug)
BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity,
ret);
- ret = BN_hex2bn(&bn, psk_key);
- if (!ret) {
- BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
+
+ /* convert the PSK key to binary */
+ key = string_to_hex(psk_key, &key_len);
+ if (key == NULL) {
+ BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
psk_key);
- if (bn)
- BN_free(bn);
return 0;
}
-
- if ((unsigned int)BN_num_bytes(bn) > max_psk_len) {
+ if ((unsigned long)key_len > (unsigned long)max_psk_len) {
BIO_printf(bio_err,
- "psk buffer of callback is too small (%d) for key (%d)\n",
- max_psk_len, BN_num_bytes(bn));
- BN_free(bn);
+ "psk buffer of callback is too small (%d) for key (%ld)\n",
+ max_psk_len, key_len);
+ OPENSSL_free(key);
return 0;
}
- psk_len = BN_bn2bin(bn, psk);
- BN_free(bn);
- if (psk_len == 0)
- goto out_err;
+ memcpy(psk, key, key_len);
+ OPENSSL_free(key);
if (c_debug)
- BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
+ BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len);
- return psk_len;
+ return key_len;
out_err:
if (c_debug)
BIO_printf(bio_err, "Error in PSK client callback\n");
@@ -747,6 +744,7 @@ int MAIN(int argc, char **argv)
int crl_format = FORMAT_PEM;
int crl_download = 0;
STACK_OF(X509_CRL) *crls = NULL;
+ int prot_opt = 0, no_prot_opt = 0;
meth = SSLv23_client_method();
@@ -850,7 +848,8 @@ int MAIN(int argc, char **argv)
if (badarg)
goto bad;
continue;
- } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) {
+ } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args,
+ &no_prot_opt)) {
if (badarg)
goto bad;
continue;
@@ -942,31 +941,42 @@ int MAIN(int argc, char **argv)
}
#endif
#ifndef OPENSSL_NO_SSL2
- else if (strcmp(*argv, "-ssl2") == 0)
+ else if (strcmp(*argv, "-ssl2") == 0) {
meth = SSLv2_client_method();
+ prot_opt++;
+ }
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
- else if (strcmp(*argv, "-ssl3") == 0)
+ else if (strcmp(*argv, "-ssl3") == 0) {
meth = SSLv3_client_method();
+ prot_opt++;
+ }
#endif
#ifndef OPENSSL_NO_TLS1
- else if (strcmp(*argv, "-tls1_2") == 0)
+ else if (strcmp(*argv, "-tls1_2") == 0) {
meth = TLSv1_2_client_method();
- else if (strcmp(*argv, "-tls1_1") == 0)
+ prot_opt++;
+ } else if (strcmp(*argv, "-tls1_1") == 0) {
meth = TLSv1_1_client_method();
- else if (strcmp(*argv, "-tls1") == 0)
+ prot_opt++;
+ } else if (strcmp(*argv, "-tls1") == 0) {
meth = TLSv1_client_method();
+ prot_opt++;
+ }
#endif
#ifndef OPENSSL_NO_DTLS1
else if (strcmp(*argv, "-dtls") == 0) {
meth = DTLS_client_method();
socket_type = SOCK_DGRAM;
+ prot_opt++;
} else if (strcmp(*argv, "-dtls1") == 0) {
meth = DTLSv1_client_method();
socket_type = SOCK_DGRAM;
+ prot_opt++;
} else if (strcmp(*argv, "-dtls1_2") == 0) {
meth = DTLSv1_2_client_method();
socket_type = SOCK_DGRAM;
+ prot_opt++;
} else if (strcmp(*argv, "-timeout") == 0)
enable_timeouts = 1;
else if (strcmp(*argv, "-mtu") == 0) {
@@ -1149,6 +1159,17 @@ int MAIN(int argc, char **argv)
}
#endif
+ if (prot_opt > 1) {
+ BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
+ goto end;
+ }
+
+ if (prot_opt == 1 && no_prot_opt) {
+ BIO_printf(bio_err, "Cannot supply both a protocol flag and "
+ "\"-no_<prot>\"\n");
+ goto end;
+ }
+
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
@@ -1540,7 +1561,10 @@ int MAIN(int argc, char **argv)
SSL_set_connect_state(con);
/* ok, lets connect */
- width = SSL_get_fd(con) + 1;
+ if (fileno_stdin() > SSL_get_fd(con))
+ width = fileno_stdin() + 1;
+ else
+ width = SSL_get_fd(con) + 1;
read_tty = 1;
write_tty = 0;
@@ -1723,9 +1747,11 @@ int MAIN(int argc, char **argv)
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
if (tty_on) {
if (read_tty)
- openssl_fdset(fileno(stdin), &readfds);
+ openssl_fdset(fileno_stdin(), &readfds);
+#if !defined(OPENSSL_SYS_VMS)
if (write_tty)
- openssl_fdset(fileno(stdout), &writefds);
+ openssl_fdset(fileno_stdout(), &writefds);
+#endif
}
if (read_ssl)
openssl_fdset(SSL_get_fd(con), &readfds);
@@ -1795,14 +1821,14 @@ int MAIN(int argc, char **argv)
/* Under BeOS-R5 the situation is similar to DOS */
i = 0;
stdin_set = 0;
- (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
+ (void)fcntl(fileno_stdin(), F_SETFL, O_NONBLOCK);
if (!write_tty) {
if (read_tty) {
tv.tv_sec = 1;
tv.tv_usec = 0;
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, &tv);
- if (read(fileno(stdin), sbuf, 0) >= 0)
+ if (read(fileno_stdin(), sbuf, 0) >= 0)
stdin_set = 1;
if (!i && (stdin_set != 1 || !read_tty))
continue;
@@ -1810,7 +1836,7 @@ int MAIN(int argc, char **argv)
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, timeoutp);
}
- (void)fcntl(fileno(stdin), F_SETFL, 0);
+ (void)fcntl(fileno_stdin(), F_SETFL, 0);
#else
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, timeoutp);
@@ -1886,11 +1912,11 @@ int MAIN(int argc, char **argv)
goto shut;
}
}
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) || defined(OPENSSL_SYS_VMS)
/* Assume Windows/DOS/BeOS can always write */
else if (!ssl_pending && write_tty)
#else
- else if (!ssl_pending && FD_ISSET(fileno(stdout), &writefds))
+ else if (!ssl_pending && FD_ISSET(fileno_stdout(), &writefds))
#endif
{
#ifdef CHARSET_EBCDIC
@@ -1988,7 +2014,7 @@ int MAIN(int argc, char **argv)
#elif defined(OPENSSL_SYS_BEOS_R5)
else if (stdin_set)
#else
- else if (FD_ISSET(fileno(stdin), &readfds))
+ else if (FD_ISSET(fileno_stdin(), &readfds))
#endif
{
if (crlf) {
diff --git a/apps/s_server.c b/apps/s_server.c
index 09c755b55cfe..857a70e3e4c5 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -353,9 +353,8 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
unsigned char *psk,
unsigned int max_psk_len)
{
- unsigned int psk_len = 0;
- int ret;
- BIGNUM *bn = NULL;
+ long key_len = 0;
+ unsigned char *key;
if (s_debug)
BIO_printf(bio_s_out, "psk_server_cb\n");
@@ -377,32 +376,26 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
BIO_printf(bio_s_out, "PSK client identity found\n");
/* convert the PSK key to binary */
- ret = BN_hex2bn(&bn, psk_key);
- if (!ret) {
- BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
+ key = string_to_hex(psk_key, &key_len);
+ if (key == NULL) {
+ BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
psk_key);
- if (bn)
- BN_free(bn);
return 0;
}
- if (BN_num_bytes(bn) > (int)max_psk_len) {
+ if (key_len > (int)max_psk_len) {
BIO_printf(bio_err,
- "psk buffer of callback is too small (%d) for key (%d)\n",
- max_psk_len, BN_num_bytes(bn));
- BN_free(bn);
+ "psk buffer of callback is too small (%d) for key (%ld)\n",
+ max_psk_len, key_len);
+ OPENSSL_free(key);
return 0;
}
- ret = BN_bn2bin(bn, psk);
- BN_free(bn);
-
- if (ret < 0)
- goto out_err;
- psk_len = (unsigned int)ret;
+ memcpy(psk, key, key_len);
+ OPENSSL_free(key);
if (s_debug)
- BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len);
- return psk_len;
+ BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len);
+ return key_len;
out_err:
if (s_debug)
BIO_printf(bio_err, "Error in PSK server callback\n");
@@ -1144,6 +1137,7 @@ int MAIN(int argc, char *argv[])
int crl_format = FORMAT_PEM;
int crl_download = 0;
STACK_OF(X509_CRL) *crls = NULL;
+ int prot_opt = 0, no_prot_opt = 0;
meth = SSLv23_server_method();
@@ -1307,7 +1301,8 @@ int MAIN(int argc, char *argv[])
if (badarg)
goto bad;
continue;
- } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) {
+ } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args,
+ &no_prot_opt)) {
if (badarg)
goto bad;
continue;
@@ -1451,32 +1446,40 @@ int MAIN(int argc, char *argv[])
else if (strcmp(*argv, "-ssl2") == 0) {
no_ecdhe = 1;
meth = SSLv2_server_method();
+ prot_opt++;
}
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
else if (strcmp(*argv, "-ssl3") == 0) {
meth = SSLv3_server_method();
+ prot_opt++;
}
#endif
#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv, "-tls1") == 0) {
meth = TLSv1_server_method();
+ prot_opt++;
} else if (strcmp(*argv, "-tls1_1") == 0) {
meth = TLSv1_1_server_method();
+ prot_opt++;
} else if (strcmp(*argv, "-tls1_2") == 0) {
meth = TLSv1_2_server_method();
+ prot_opt++;
}
#endif
#ifndef OPENSSL_NO_DTLS1
else if (strcmp(*argv, "-dtls") == 0) {
meth = DTLS_server_method();
socket_type = SOCK_DGRAM;
+ prot_opt++;
} else if (strcmp(*argv, "-dtls1") == 0) {
meth = DTLSv1_server_method();
socket_type = SOCK_DGRAM;
+ prot_opt++;
} else if (strcmp(*argv, "-dtls1_2") == 0) {
meth = DTLSv1_2_server_method();
socket_type = SOCK_DGRAM;
+ prot_opt++;
} else if (strcmp(*argv, "-timeout") == 0)
enable_timeouts = 1;
else if (strcmp(*argv, "-mtu") == 0) {
@@ -1586,6 +1589,17 @@ int MAIN(int argc, char *argv[])
}
#endif
+ if (prot_opt > 1) {
+ BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
+ goto end;
+ }
+
+ if (prot_opt == 1 && no_prot_opt) {
+ BIO_printf(bio_err, "Cannot supply both a protocol flag and "
+ "\"-no_<prot>\"\n");
+ goto end;
+ }
+
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
@@ -2293,7 +2307,10 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
}
#endif
- width = s + 1;
+ if (fileno_stdin() > s)
+ width = fileno_stdin() + 1;
+ else
+ width = s + 1;
for (;;) {
int read_from_terminal;
int read_from_sslcon;
@@ -2304,7 +2321,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
if (!read_from_sslcon) {
FD_ZERO(&readfds);
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5)
- openssl_fdset(fileno(stdin), &readfds);
+ openssl_fdset(fileno_stdin(), &readfds);
#endif
openssl_fdset(s, &readfds);
/*
@@ -2332,13 +2349,13 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
/* Under BeOS-R5 the situation is similar to DOS */
tv.tv_sec = 1;
tv.tv_usec = 0;
- (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
+ (void)fcntl(fileno_stdin(), F_SETFL, O_NONBLOCK);
i = select(width, (void *)&readfds, NULL, NULL, &tv);
- if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0))
+ if ((i < 0) || (!i && read(fileno_stdin(), buf, 0) < 0))
continue;
- if (read(fileno(stdin), buf, 0) >= 0)
+ if (read(fileno_stdin(), buf, 0) >= 0)
read_from_terminal = 1;
- (void)fcntl(fileno(stdin), F_SETFL, 0);
+ (void)fcntl(fileno_stdin(), F_SETFL, 0);
#else
if ((SSL_version(con) == DTLS1_VERSION) &&
DTLSv1_get_timeout(con, &timeout))
@@ -2355,7 +2372,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
if (i <= 0)
continue;
- if (FD_ISSET(fileno(stdin), &readfds))
+ if (FD_ISSET(fileno_stdin(), &readfds))
read_from_terminal = 1;
#endif
if (FD_ISSET(s, &readfds))
@@ -2382,6 +2399,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
assert(lf_num == 0);
} else
i = raw_read_stdin(buf, bufsize);
+
if (!s_quiet && !s_brief) {
if ((i <= 0) || (buf[0] == 'Q')) {
BIO_printf(bio_s_out, "DONE\n");
@@ -3371,7 +3389,7 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
{
unsigned int count = 0;
do {
- if (RAND_pseudo_bytes(id, *id_len) < 0)
+ if (RAND_bytes(id, *id_len) <= 0)
return 0;
/*
* Prefix the session_id with the required prefix. NB: If our prefix
diff --git a/apps/speed.c b/apps/speed.c
index 95adcc19cc15..b862868eacc7 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -2614,6 +2614,10 @@ static int do_multi(int multi)
static char sep[] = ":";
fds = malloc(multi * sizeof *fds);
+ if (fds == NULL) {
+ fprintf(stderr, "Out of memory in speed (do_multi)\n");
+ exit(1);
+ }
for (n = 0; n < multi; ++n) {
if (pipe(fd) == -1) {
fprintf(stderr, "pipe failure\n");
diff --git a/apps/srp.c b/apps/srp.c
index c0ff4171cabf..c75052f38dd4 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -765,4 +765,6 @@ int MAIN(int argc, char **argv)
OPENSSL_EXIT(ret);
}
+#else
+static void *dummy = &dummy;
#endif
diff --git a/apps/verify.c b/apps/verify.c
index 78e729fc890f..b5ae6b370e1e 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -115,43 +115,43 @@ int MAIN(int argc, char **argv)
if (argc >= 1) {
if (strcmp(*argv, "-CApath") == 0) {
if (argc-- < 1)
- goto end;
+ goto usage;
CApath = *(++argv);
} else if (strcmp(*argv, "-CAfile") == 0) {
if (argc-- < 1)
- goto end;
+ goto usage;
CAfile = *(++argv);
} else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
if (badarg)
- goto end;
+ goto usage;
continue;
} else if (strcmp(*argv, "-untrusted") == 0) {
if (argc-- < 1)
- goto end;
+ goto usage;
untfile = *(++argv);
} else if (strcmp(*argv, "-trusted") == 0) {
if (argc-- < 1)
- goto end;
+ goto usage;
trustfile = *(++argv);
} else if (strcmp(*argv, "-CRLfile") == 0) {
if (argc-- < 1)
- goto end;
+ goto usage;
crlfile = *(++argv);
} else if (strcmp(*argv, "-crl_download") == 0)
crl_download = 1;
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv, "-engine") == 0) {
if (--argc < 1)
- goto end;
+ goto usage;
engine = *(++argv);
}
#endif
else if (strcmp(*argv, "-help") == 0)
- goto end;
+ goto usage;
else if (strcmp(*argv, "-verbose") == 0)
v_verbose = 1;
else if (argv[0][0] == '-')
- goto end;
+ goto usage;
else
break;
argc--;
@@ -228,7 +228,7 @@ int MAIN(int argc, char **argv)
ret = -1;
}
- end:
+ usage:
if (ret == 1) {
BIO_printf(bio_err,
"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
@@ -247,6 +247,7 @@ int MAIN(int argc, char **argv)
X509_PURPOSE_get0_name(ptmp));
}
}
+ end:
if (vpm)
X509_VERIFY_PARAM_free(vpm);
if (cert_ctx != NULL)
diff --git a/apps/x509.c b/apps/x509.c
index 7c215bced001..17cb62da726d 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1105,6 +1105,10 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
EVP_PKEY *upkey;
upkey = X509_get_pubkey(xca);
+ if (upkey == NULL) {
+ BIO_printf(bio_err, "Error obtaining CA X509 public key\n");
+ goto end;
+ }
EVP_PKEY_copy_parameters(upkey, pkey);
EVP_PKEY_free(upkey);
@@ -1217,6 +1221,8 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
EVP_PKEY *pktmp;
pktmp = X509_get_pubkey(x);
+ if (pktmp == NULL)
+ goto err;
EVP_PKEY_copy_parameters(pktmp, pkey);
EVP_PKEY_save_parameters(pktmp, 1);
EVP_PKEY_free(pktmp);