apps.h 25 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634
  1. /*
  2. * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #ifndef HEADER_APPS_H
  10. # define HEADER_APPS_H
  11. # include "e_os.h" /* struct timeval for DTLS */
  12. # include "internal/nelem.h"
  13. # include <assert.h>
  14. # include <sys/types.h>
  15. # ifndef OPENSSL_NO_POSIX_IO
  16. # include <sys/stat.h>
  17. # include <fcntl.h>
  18. # endif
  19. # include <openssl/e_os2.h>
  20. # include <openssl/ossl_typ.h>
  21. # include <openssl/bio.h>
  22. # include <openssl/x509.h>
  23. # include <openssl/conf.h>
  24. # include <openssl/txt_db.h>
  25. # include <openssl/engine.h>
  26. # include <openssl/ocsp.h>
  27. # include <signal.h>
  28. # if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
  29. # define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
  30. # else
  31. # define openssl_fdset(a,b) FD_SET(a, b)
  32. # endif
  33. /*
  34. * quick macro when you need to pass an unsigned char instead of a char.
  35. * this is true for some implementations of the is*() functions, for
  36. * example.
  37. */
  38. #define _UC(c) ((unsigned char)(c))
  39. void app_RAND_load_conf(CONF *c, const char *section);
  40. void app_RAND_write(void);
  41. extern char *default_config_file;
  42. extern BIO *bio_in;
  43. extern BIO *bio_out;
  44. extern BIO *bio_err;
  45. extern const unsigned char tls13_aes128gcmsha256_id[];
  46. extern const unsigned char tls13_aes256gcmsha384_id[];
  47. extern BIO_ADDR *ourpeer;
  48. BIO_METHOD *apps_bf_prefix(void);
  49. /*
  50. * The control used to set the prefix with BIO_ctrl()
  51. * We make it high enough so the chance of ever clashing with the BIO library
  52. * remains unlikely for the foreseeable future and beyond.
  53. */
  54. #define PREFIX_CTRL_SET_PREFIX (1 << 15)
  55. /*
  56. * apps_bf_prefix() returns a dynamically created BIO_METHOD, which we
  57. * need to destroy at some point. When created internally, it's stored
  58. * in an internal pointer which can be freed with the following function
  59. */
  60. void destroy_prefix_method(void);
  61. BIO *dup_bio_in(int format);
  62. BIO *dup_bio_out(int format);
  63. BIO *dup_bio_err(int format);
  64. BIO *bio_open_owner(const char *filename, int format, int private);
  65. BIO *bio_open_default(const char *filename, char mode, int format);
  66. BIO *bio_open_default_quiet(const char *filename, char mode, int format);
  67. CONF *app_load_config_bio(BIO *in, const char *filename);
  68. CONF *app_load_config(const char *filename);
  69. CONF *app_load_config_quiet(const char *filename);
  70. int app_load_modules(const CONF *config);
  71. void unbuffer(FILE *fp);
  72. void wait_for_async(SSL *s);
  73. # if defined(OPENSSL_SYS_MSDOS)
  74. int has_stdin_waiting(void);
  75. # endif
  76. void corrupt_signature(const ASN1_STRING *signature);
  77. int set_cert_times(X509 *x, const char *startdate, const char *enddate,
  78. int days);
  79. /*
  80. * Common verification options.
  81. */
  82. # define OPT_V_ENUM \
  83. OPT_V__FIRST=2000, \
  84. OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
  85. OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
  86. OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
  87. OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
  88. OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
  89. OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
  90. OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
  91. OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
  92. OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
  93. OPT_V_VERIFY_AUTH_LEVEL, OPT_V_ALLOW_PROXY_CERTS, \
  94. OPT_V__LAST
  95. # define OPT_V_OPTIONS \
  96. { "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
  97. { "purpose", OPT_V_PURPOSE, 's', \
  98. "certificate chain purpose"}, \
  99. { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
  100. { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \
  101. "chain depth limit" }, \
  102. { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \
  103. "chain authentication security level" }, \
  104. { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
  105. { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
  106. "expected peer hostname" }, \
  107. { "verify_email", OPT_V_VERIFY_EMAIL, 's', \
  108. "expected peer email" }, \
  109. { "verify_ip", OPT_V_VERIFY_IP, 's', \
  110. "expected peer IP address" }, \
  111. { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
  112. "permit unhandled critical extensions"}, \
  113. { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
  114. { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
  115. { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
  116. { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"}, \
  117. { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
  118. "set policy variable require-explicit-policy"}, \
  119. { "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
  120. "set policy variable inhibit-any-policy"}, \
  121. { "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
  122. "set policy variable inhibit-policy-mapping"}, \
  123. { "x509_strict", OPT_V_X509_STRICT, '-', \
  124. "disable certificate compatibility work-arounds"}, \
  125. { "extended_crl", OPT_V_EXTENDED_CRL, '-', \
  126. "enable extended CRL features"}, \
  127. { "use_deltas", OPT_V_USE_DELTAS, '-', \
  128. "use delta CRLs"}, \
  129. { "policy_print", OPT_V_POLICY_PRINT, '-', \
  130. "print policy processing diagnostics"}, \
  131. { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
  132. "check root CA self-signatures"}, \
  133. { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
  134. "search trust store first (default)" }, \
  135. { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"}, \
  136. { "suiteB_128", OPT_V_SUITEB_128, '-', \
  137. "Suite B 128-bit mode allowing 192-bit algorithms"}, \
  138. { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
  139. { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
  140. "accept chains anchored by intermediate trust-store CAs"}, \
  141. { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
  142. { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, \
  143. { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" }
  144. # define OPT_V_CASES \
  145. OPT_V__FIRST: case OPT_V__LAST: break; \
  146. case OPT_V_POLICY: \
  147. case OPT_V_PURPOSE: \
  148. case OPT_V_VERIFY_NAME: \
  149. case OPT_V_VERIFY_DEPTH: \
  150. case OPT_V_VERIFY_AUTH_LEVEL: \
  151. case OPT_V_ATTIME: \
  152. case OPT_V_VERIFY_HOSTNAME: \
  153. case OPT_V_VERIFY_EMAIL: \
  154. case OPT_V_VERIFY_IP: \
  155. case OPT_V_IGNORE_CRITICAL: \
  156. case OPT_V_ISSUER_CHECKS: \
  157. case OPT_V_CRL_CHECK: \
  158. case OPT_V_CRL_CHECK_ALL: \
  159. case OPT_V_POLICY_CHECK: \
  160. case OPT_V_EXPLICIT_POLICY: \
  161. case OPT_V_INHIBIT_ANY: \
  162. case OPT_V_INHIBIT_MAP: \
  163. case OPT_V_X509_STRICT: \
  164. case OPT_V_EXTENDED_CRL: \
  165. case OPT_V_USE_DELTAS: \
  166. case OPT_V_POLICY_PRINT: \
  167. case OPT_V_CHECK_SS_SIG: \
  168. case OPT_V_TRUSTED_FIRST: \
  169. case OPT_V_SUITEB_128_ONLY: \
  170. case OPT_V_SUITEB_128: \
  171. case OPT_V_SUITEB_192: \
  172. case OPT_V_PARTIAL_CHAIN: \
  173. case OPT_V_NO_ALT_CHAINS: \
  174. case OPT_V_NO_CHECK_TIME: \
  175. case OPT_V_ALLOW_PROXY_CERTS
  176. /*
  177. * Common "extended validation" options.
  178. */
  179. # define OPT_X_ENUM \
  180. OPT_X__FIRST=1000, \
  181. OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
  182. OPT_X_CERTFORM, OPT_X_KEYFORM, \
  183. OPT_X__LAST
  184. # define OPT_X_OPTIONS \
  185. { "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
  186. { "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
  187. { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
  188. { "xchain_build", OPT_X_CHAIN_BUILD, '-', \
  189. "build certificate chain for the extended certificates"}, \
  190. { "xcertform", OPT_X_CERTFORM, 'F', \
  191. "format of Extended certificate (PEM or DER) PEM default " }, \
  192. { "xkeyform", OPT_X_KEYFORM, 'F', \
  193. "format of Extended certificate's key (PEM or DER) PEM default"}
  194. # define OPT_X_CASES \
  195. OPT_X__FIRST: case OPT_X__LAST: break; \
  196. case OPT_X_KEY: \
  197. case OPT_X_CERT: \
  198. case OPT_X_CHAIN: \
  199. case OPT_X_CHAIN_BUILD: \
  200. case OPT_X_CERTFORM: \
  201. case OPT_X_KEYFORM
  202. /*
  203. * Common SSL options.
  204. * Any changes here must be coordinated with ../ssl/ssl_conf.c
  205. */
  206. # define OPT_S_ENUM \
  207. OPT_S__FIRST=3000, \
  208. OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
  209. OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
  210. OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
  211. OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, \
  212. OPT_S_PRIORITIZE_CHACHA, \
  213. OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS, OPT_S_GROUPS, \
  214. OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, \
  215. OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP, \
  216. OPT_S_MINPROTO, OPT_S_MAXPROTO, \
  217. OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX, OPT_S__LAST
  218. # define OPT_S_OPTIONS \
  219. {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
  220. {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
  221. {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
  222. {"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
  223. {"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, \
  224. {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
  225. {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
  226. {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
  227. {"no_ticket", OPT_S_NOTICKET, '-', \
  228. "Disable use of TLS session tickets"}, \
  229. {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
  230. {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
  231. "Enable use of legacy renegotiation (dangerous)"}, \
  232. {"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', \
  233. "Disable all renegotiation."}, \
  234. {"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
  235. "Allow initial connection to servers that don't support RI"}, \
  236. {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
  237. "Disallow session resumption on renegotiation"}, \
  238. {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
  239. "Disallow initial connection to servers that don't support RI"}, \
  240. {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', \
  241. "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption"}, \
  242. {"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', \
  243. "Prioritize ChaCha ciphers when preferred by clients"}, \
  244. {"strict", OPT_S_STRICT, '-', \
  245. "Enforce strict certificate checks as per TLS standard"}, \
  246. {"sigalgs", OPT_S_SIGALGS, 's', \
  247. "Signature algorithms to support (colon-separated list)" }, \
  248. {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
  249. "Signature algorithms to support for client certificate" \
  250. " authentication (colon-separated list)" }, \
  251. {"groups", OPT_S_GROUPS, 's', \
  252. "Groups to advertise (colon-separated list)" }, \
  253. {"curves", OPT_S_CURVES, 's', \
  254. "Groups to advertise (colon-separated list)" }, \
  255. {"named_curve", OPT_S_NAMEDCURVE, 's', \
  256. "Elliptic curve used for ECDHE (server-side only)" }, \
  257. {"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used"}, \
  258. {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"}, \
  259. {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"}, \
  260. {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"}, \
  261. {"record_padding", OPT_S_RECORD_PADDING, 's', \
  262. "Block size to pad TLS 1.3 records to."}, \
  263. {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
  264. "Perform all sorts of protocol violations for testing purposes"}, \
  265. {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', \
  266. "Disable TLSv1.3 middlebox compat mode" }
  267. # define OPT_S_CASES \
  268. OPT_S__FIRST: case OPT_S__LAST: break; \
  269. case OPT_S_NOSSL3: \
  270. case OPT_S_NOTLS1: \
  271. case OPT_S_NOTLS1_1: \
  272. case OPT_S_NOTLS1_2: \
  273. case OPT_S_NOTLS1_3: \
  274. case OPT_S_BUGS: \
  275. case OPT_S_NO_COMP: \
  276. case OPT_S_COMP: \
  277. case OPT_S_NOTICKET: \
  278. case OPT_S_SERVERPREF: \
  279. case OPT_S_LEGACYRENEG: \
  280. case OPT_S_LEGACYCONN: \
  281. case OPT_S_ONRESUMP: \
  282. case OPT_S_NOLEGACYCONN: \
  283. case OPT_S_ALLOW_NO_DHE_KEX: \
  284. case OPT_S_PRIORITIZE_CHACHA: \
  285. case OPT_S_STRICT: \
  286. case OPT_S_SIGALGS: \
  287. case OPT_S_CLIENTSIGALGS: \
  288. case OPT_S_GROUPS: \
  289. case OPT_S_CURVES: \
  290. case OPT_S_NAMEDCURVE: \
  291. case OPT_S_CIPHER: \
  292. case OPT_S_CIPHERSUITES: \
  293. case OPT_S_RECORD_PADDING: \
  294. case OPT_S_NO_RENEGOTIATION: \
  295. case OPT_S_MINPROTO: \
  296. case OPT_S_MAXPROTO: \
  297. case OPT_S_DEBUGBROKE: \
  298. case OPT_S_NO_MIDDLEBOX
  299. #define IS_NO_PROT_FLAG(o) \
  300. (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
  301. || o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
  302. /*
  303. * Random state options.
  304. */
  305. # define OPT_R_ENUM \
  306. OPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST
  307. # define OPT_R_OPTIONS \
  308. {"rand", OPT_R_RAND, 's', "Load the file(s) into the random number generator"}, \
  309. {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"}
  310. # define OPT_R_CASES \
  311. OPT_R__FIRST: case OPT_R__LAST: break; \
  312. case OPT_R_RAND: case OPT_R_WRITERAND
  313. /*
  314. * Option parsing.
  315. */
  316. extern const char OPT_HELP_STR[];
  317. extern const char OPT_MORE_STR[];
  318. typedef struct options_st {
  319. const char *name;
  320. int retval;
  321. /*
  322. * value type: - no value (also the value zero), n number, p positive
  323. * number, u unsigned, l long, s string, < input file, > output file,
  324. * f any format, F der/pem format, E der/pem/engine format identifier.
  325. * l, n and u include zero; p does not.
  326. */
  327. int valtype;
  328. const char *helpstr;
  329. } OPTIONS;
  330. /*
  331. * A string/int pairing; widely use for option value lookup, hence the
  332. * name OPT_PAIR. But that name is misleading in s_cb.c, so we also use
  333. * the "generic" name STRINT_PAIR.
  334. */
  335. typedef struct string_int_pair_st {
  336. const char *name;
  337. int retval;
  338. } OPT_PAIR, STRINT_PAIR;
  339. /* Flags to pass into opt_format; see FORMAT_xxx, below. */
  340. # define OPT_FMT_PEMDER (1L << 1)
  341. # define OPT_FMT_PKCS12 (1L << 2)
  342. # define OPT_FMT_SMIME (1L << 3)
  343. # define OPT_FMT_ENGINE (1L << 4)
  344. # define OPT_FMT_MSBLOB (1L << 5)
  345. /* (1L << 6) was OPT_FMT_NETSCAPE, but wasn't used */
  346. # define OPT_FMT_NSS (1L << 7)
  347. # define OPT_FMT_TEXT (1L << 8)
  348. # define OPT_FMT_HTTP (1L << 9)
  349. # define OPT_FMT_PVK (1L << 10)
  350. # define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE)
  351. # define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME)
  352. # define OPT_FMT_ANY ( \
  353. OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
  354. OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \
  355. OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
  356. char *opt_progname(const char *argv0);
  357. char *opt_getprog(void);
  358. char *opt_init(int ac, char **av, const OPTIONS * o);
  359. int opt_next(void);
  360. int opt_format(const char *s, unsigned long flags, int *result);
  361. int opt_int(const char *arg, int *result);
  362. int opt_ulong(const char *arg, unsigned long *result);
  363. int opt_long(const char *arg, long *result);
  364. #if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
  365. defined(INTMAX_MAX) && defined(UINTMAX_MAX)
  366. int opt_imax(const char *arg, intmax_t *result);
  367. int opt_umax(const char *arg, uintmax_t *result);
  368. #else
  369. # define opt_imax opt_long
  370. # define opt_umax opt_ulong
  371. # define intmax_t long
  372. # define uintmax_t unsigned long
  373. #endif
  374. int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
  375. int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
  376. int opt_md(const char *name, const EVP_MD **mdp);
  377. char *opt_arg(void);
  378. char *opt_flag(void);
  379. char *opt_unknown(void);
  380. char **opt_rest(void);
  381. int opt_num_rest(void);
  382. int opt_verify(int i, X509_VERIFY_PARAM *vpm);
  383. int opt_rand(int i);
  384. void opt_help(const OPTIONS * list);
  385. int opt_format_error(const char *s, unsigned long flags);
  386. typedef struct args_st {
  387. int size;
  388. int argc;
  389. char **argv;
  390. } ARGS;
  391. /*
  392. * VMS C only for now, implemented in vms_decc_init.c
  393. * If other C compilers forget to terminate argv with NULL, this function
  394. * can be re-used.
  395. */
  396. char **copy_argv(int *argc, char *argv[]);
  397. /*
  398. * Win32-specific argv initialization that splits OS-supplied UNICODE
  399. * command line string to array of UTF8-encoded strings.
  400. */
  401. void win32_utf8argv(int *argc, char **argv[]);
  402. # define PW_MIN_LENGTH 4
  403. typedef struct pw_cb_data {
  404. const void *password;
  405. const char *prompt_info;
  406. } PW_CB_DATA;
  407. int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
  408. int setup_ui_method(void);
  409. void destroy_ui_method(void);
  410. const UI_METHOD *get_ui_method(void);
  411. int chopup_args(ARGS *arg, char *buf);
  412. # ifdef HEADER_X509_H
  413. int dump_cert_text(BIO *out, X509 *x);
  414. void print_name(BIO *out, const char *title, X509_NAME *nm,
  415. unsigned long lflags);
  416. # endif
  417. void print_bignum_var(BIO *, const BIGNUM *, const char*,
  418. int, unsigned char *);
  419. void print_array(BIO *, const char *, int, const unsigned char *);
  420. int set_nameopt(const char *arg);
  421. unsigned long get_nameopt(void);
  422. int set_cert_ex(unsigned long *flags, const char *arg);
  423. int set_name_ex(unsigned long *flags, const char *arg);
  424. int set_ext_copy(int *copy_type, const char *arg);
  425. int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
  426. int app_passwd(const char *arg1, const char *arg2, char **pass1, char **pass2);
  427. int add_oid_section(CONF *conf);
  428. X509 *load_cert(const char *file, int format, const char *cert_descrip);
  429. X509_CRL *load_crl(const char *infile, int format);
  430. EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
  431. const char *pass, ENGINE *e, const char *key_descrip);
  432. EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
  433. const char *pass, ENGINE *e, const char *key_descrip);
  434. int load_certs(const char *file, STACK_OF(X509) **certs, int format,
  435. const char *pass, const char *cert_descrip);
  436. int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
  437. const char *pass, const char *cert_descrip);
  438. X509_STORE *setup_verify(const char *CAfile, const char *CApath,
  439. int noCAfile, int noCApath);
  440. __owur int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
  441. const char *CApath, int noCAfile,
  442. int noCApath);
  443. #ifndef OPENSSL_NO_CT
  444. /*
  445. * Sets the file to load the Certificate Transparency log list from.
  446. * If path is NULL, loads from the default file path.
  447. * Returns 1 on success, 0 otherwise.
  448. */
  449. __owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path);
  450. #endif
  451. ENGINE *setup_engine(const char *engine, int debug);
  452. void release_engine(ENGINE *e);
  453. # ifndef OPENSSL_NO_OCSP
  454. OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
  455. const char *host, const char *path,
  456. const char *port, int use_ssl,
  457. STACK_OF(CONF_VALUE) *headers,
  458. int req_timeout);
  459. # endif
  460. /* Functions defined in ca.c and also used in ocsp.c */
  461. int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
  462. ASN1_GENERALIZEDTIME **pinvtm, const char *str);
  463. # define DB_type 0
  464. # define DB_exp_date 1
  465. # define DB_rev_date 2
  466. # define DB_serial 3 /* index - unique */
  467. # define DB_file 4
  468. # define DB_name 5 /* index - unique when active and not
  469. * disabled */
  470. # define DB_NUMBER 6
  471. # define DB_TYPE_REV 'R' /* Revoked */
  472. # define DB_TYPE_EXP 'E' /* Expired */
  473. # define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
  474. # define DB_TYPE_SUSP 'S' /* Suspended */
  475. typedef struct db_attr_st {
  476. int unique_subject;
  477. } DB_ATTR;
  478. typedef struct ca_db_st {
  479. DB_ATTR attributes;
  480. TXT_DB *db;
  481. char *dbfname;
  482. # ifndef OPENSSL_NO_POSIX_IO
  483. struct stat dbst;
  484. # endif
  485. } CA_DB;
  486. void* app_malloc(int sz, const char *what);
  487. BIGNUM *load_serial(const char *serialfile, int create, ASN1_INTEGER **retai);
  488. int save_serial(const char *serialfile, const char *suffix, const BIGNUM *serial,
  489. ASN1_INTEGER **retai);
  490. int rotate_serial(const char *serialfile, const char *new_suffix,
  491. const char *old_suffix);
  492. int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
  493. CA_DB *load_index(const char *dbfile, DB_ATTR *dbattr);
  494. int index_index(CA_DB *db);
  495. int save_index(const char *dbfile, const char *suffix, CA_DB *db);
  496. int rotate_index(const char *dbfile, const char *new_suffix,
  497. const char *old_suffix);
  498. void free_index(CA_DB *db);
  499. # define index_name_cmp_noconst(a, b) \
  500. index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
  501. (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
  502. int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
  503. int parse_yesno(const char *str, int def);
  504. X509_NAME *parse_name(const char *str, long chtype, int multirdn);
  505. void policies_print(X509_STORE_CTX *ctx);
  506. int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
  507. int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
  508. int init_gen_str(EVP_PKEY_CTX **pctx,
  509. const char *algname, ENGINE *e, int do_param);
  510. int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
  511. STACK_OF(OPENSSL_STRING) *sigopts);
  512. int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
  513. STACK_OF(OPENSSL_STRING) *sigopts);
  514. int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
  515. STACK_OF(OPENSSL_STRING) *sigopts);
  516. extern char *psk_key;
  517. unsigned char *next_protos_parse(size_t *outlen, const char *in);
  518. void print_cert_checks(BIO *bio, X509 *x,
  519. const char *checkhost,
  520. const char *checkemail, const char *checkip);
  521. void store_setup_crl_download(X509_STORE *st);
  522. /* See OPT_FMT_xxx, above. */
  523. /* On some platforms, it's important to distinguish between text and binary
  524. * files. On some, there might even be specific file formats for different
  525. * contents. The FORMAT_xxx macros are meant to express an intent with the
  526. * file being read or created.
  527. */
  528. # define B_FORMAT_TEXT 0x8000
  529. # define FORMAT_UNDEF 0
  530. # define FORMAT_TEXT (1 | B_FORMAT_TEXT) /* Generic text */
  531. # define FORMAT_BINARY 2 /* Generic binary */
  532. # define FORMAT_BASE64 (3 | B_FORMAT_TEXT) /* Base64 */
  533. # define FORMAT_ASN1 4 /* ASN.1/DER */
  534. # define FORMAT_PEM (5 | B_FORMAT_TEXT)
  535. # define FORMAT_PKCS12 6
  536. # define FORMAT_SMIME (7 | B_FORMAT_TEXT)
  537. # define FORMAT_ENGINE 8 /* Not really a file format */
  538. # define FORMAT_PEMRSA (9 | B_FORMAT_TEXT) /* PEM RSAPubicKey format */
  539. # define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */
  540. # define FORMAT_MSBLOB 11 /* MS Key blob format */
  541. # define FORMAT_PVK 12 /* MS PVK file format */
  542. # define FORMAT_HTTP 13 /* Download using HTTP */
  543. # define FORMAT_NSS 14 /* NSS keylog format */
  544. # define EXT_COPY_NONE 0
  545. # define EXT_COPY_ADD 1
  546. # define EXT_COPY_ALL 2
  547. # define NETSCAPE_CERT_HDR "certificate"
  548. # define APP_PASS_LEN 1024
  549. /*
  550. * IETF RFC 5280 says serial number must be <= 20 bytes. Use 159 bits
  551. * so that the first bit will never be one, so that the DER encoding
  552. * rules won't force a leading octet.
  553. */
  554. # define SERIAL_RAND_BITS 159
  555. int app_isdir(const char *);
  556. int app_access(const char *, int flag);
  557. int fileno_stdin(void);
  558. int fileno_stdout(void);
  559. int raw_read_stdin(void *, int);
  560. int raw_write_stdout(const void *, int);
  561. # define TM_START 0
  562. # define TM_STOP 1
  563. double app_tminterval(int stop, int usertime);
  564. void make_uppercase(char *string);
  565. typedef struct verify_options_st {
  566. int depth;
  567. int quiet;
  568. int error;
  569. int return_error;
  570. } VERIFY_CB_ARGS;
  571. extern VERIFY_CB_ARGS verify_args;
  572. #endif