PR: 2908

[oweals/openssl.git] / apps / apps.c

diff --git a/apps/apps.c b/apps/apps.c
index f6b3ac56676d83dbad8963fe34c2c4a7e6d46736..a4b77e13e3ad47458b644b8e8d14da3af5fd66da 100644 (file)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -130,7 +130,9 @@
 #include <openssl/rsa.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_JPAKE
 #include <openssl/jpake.h>
+#endif
 
 #define NON_MAIN
 #include "apps.h"
@@ -349,13 +351,12 @@ void program_name(char *in, char *out, int size)
 
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
        {
-       int num,len,i;
+       int num,i;
        char *p;
 
        *argc=0;
        *argv=NULL;
 
-       len=strlen(buf);
        i=0;
        if (arg->count == 0)
                {
@@ -864,10 +865,17 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        if (format == FORMAT_ENGINE)
                {
                if (!e)
-                       BIO_printf(bio_err,"no engine specified\n");
+                       BIO_printf(err,"no engine specified\n");
                else
+                       {
                        pkey = ENGINE_load_private_key(e, file,
                                ui_method, &cb_data);
+                       if (!pkey) 
+                               {
+                               BIO_printf(err,"cannot load %s from engine\n",key_descrip);
+                               ERR_print_errors(err);
+                               }       
+                       }
                goto end;
                }
 #endif
@@ -917,8 +925,11 @@ EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
                }
  end:
        if (key != NULL) BIO_free(key);
-       if (pkey == NULL)
+       if (pkey == NULL) 
+               {
                BIO_printf(err,"unable to load %s\n", key_descrip);
+               ERR_print_errors(err);
+               }       
        return(pkey);
        }
 
@@ -2259,6 +2270,8 @@ int args_verify(char ***pargs, int *pargc,
                flags |= X509_V_FLAG_X509_STRICT;
        else if (!strcmp(arg, "-policy_print"))
                flags |= X509_V_FLAG_NOTIFY_POLICY;
+       else if (!strcmp(arg, "-check_ss_sig"))
+               flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
        else
                return 0;
 
@@ -2336,6 +2349,8 @@ void policies_print(BIO *out, X509_STORE_CTX *ctx)
                BIO_free(out);
        }
 
+#ifndef OPENSSL_NO_JPAKE
+
 static JPAKE_CTX *jpake_init(const char *us, const char *them,
                                                         const char *secret)
        {
@@ -2424,7 +2439,7 @@ static void readbn(BIGNUM **bn, BIO *bconn)
        int l;
 
        l = BIO_gets(bconn, buf, sizeof buf);
-       assert(l >= 0);
+       assert(l > 0);
        assert(buf[l-1] == '\n');
        buf[l-1] = '\0';
        BN_hex2bn(bn, buf);
@@ -2517,7 +2532,14 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
        jpake_send_step3a(bconn, ctx);
        jpake_receive_step3b(ctx, bconn);
 
-       BIO_puts(out, "JPAKE authentication succeeded\n");
+       /*
+        * The problem is that you must use the derived key in the
+        * session key or you are subject to man-in-the-middle
+        * attacks.
+        */
+       BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+                " be MitMed. See the version in HEAD for how to do it"
+                " properly)\n");
 
        BIO_pop(bconn);
        BIO_free(bconn);
@@ -2542,8 +2564,17 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
        jpake_receive_step3a(ctx, bconn);
        jpake_send_step3b(bconn, ctx);
 
-       BIO_puts(out, "JPAKE authentication succeeded\n");
+       /*
+        * The problem is that you must use the derived key in the
+        * session key or you are subject to man-in-the-middle
+        * attacks.
+        */
+       BIO_puts(out, "JPAKE authentication succeeded (N.B. This version can"
+                " be MitMed. See the version in HEAD for how to do it"
+                " properly)\n");
 
        BIO_pop(bconn);
        BIO_free(bconn);
        }
+
+#endif