code and the associated standard is no longer considered fit-for-purpose.
[Matt Caswell]
+ *) RT2547 was closed. When generating a private key, try to make the
+ output file readable only by the owner. This behavior change might
+ be noticeable when interacting with other software.
+
*) Added HTTP GET support to the ocsp command.
[Rich Salz]
#include <sys/types.h>
#include <ctype.h>
#include <errno.h>
-#include <assert.h>
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
# define HEADER_APPS_H
# include "e_os.h"
+# include <assert.h>
# include <openssl/bio.h>
# include <openssl/x509.h>
extern BIO *bio_err;
BIO *dup_bio_in(void);
BIO *dup_bio_out(void);
+BIO *bio_open_owner(const char *filename, const char *mode, int private);
BIO *bio_open_default(const char *filename, const char *mode);
BIO *bio_open_default_quiet(const char *filename, const char *mode);
CONF *app_load_config(const char *filename);
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
+ int private = 0;
prog = opt_init(argc, argv, dsa_options);
while ((o = opt_next()) != OPT_EOF) {
}
argc = opt_num_rest();
argv = opt_rest();
+ private = pubin || pubout ? 0 : 1;
+ if (text)
+ private = 1;
if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
}
- out = bio_open_default(outfile, "w");
+ out = bio_open_owner(outfile, "w", private);
if (out == NULL)
goto end;
- if (text)
+ if (text) {
+ assert(private);
if (!DSA_print(out, dsa, 0)) {
perror(outfile);
ERR_print_errors(bio_err);
goto end;
}
+ }
if (modulus) {
BIO_printf(out, "Public Key=");
if (outformat == FORMAT_ASN1) {
if (pubin || pubout)
i = i2d_DSA_PUBKEY_bio(out, dsa);
- else
+ else {
+ assert(private);
i = i2d_DSAPrivateKey_bio(out, dsa);
+ }
} else if (outformat == FORMAT_PEM) {
if (pubin || pubout)
i = PEM_write_bio_DSA_PUBKEY(out, dsa);
- else
+ else {
+ assert(private);
i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
NULL, 0, NULL, passout);
+ }
# if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
pk = EVP_PKEY_new();
EVP_PKEY_set1_DSA(pk, dsa);
- if (outformat == FORMAT_PVK)
+ if (outformat == FORMAT_PVK) {
+ assert(private);
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
+ }
else if (pubin || pubout)
i = i2b_PublicKey_bio(out, pk);
- else
+ else {
+ assert(private);
i = i2b_PrivateKey_bio(out, pk);
+ }
EVP_PKEY_free(pk);
# endif
} else {
#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
#ifndef OPENSSL_NO_DSA
-# include <assert.h>
# include <stdio.h>
# include <stdlib.h>
# include <time.h>
BIO *in = NULL, *out = NULL;
BN_GENCB *cb = NULL;
int numbits = -1, num = 0, genkey = 0, need_rand = 0, non_fips_allow = 0;
- int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0, ret =
- 1;
- int i, text = 0;
+ int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
+ int ret = 1, i, text = 0, private = 0;
# ifdef GENCB_TEST
int timebomb = 0;
# endif
numbits = num;
need_rand = 1;
}
+ private = genkey ? 1 : 0;
in = bio_open_default(infile, "r");
if (in == NULL)
goto end;
- out = bio_open_default(outfile, "w");
+ out = bio_open_owner(outfile, "w", private);
if (out == NULL)
goto end;
DSA_free(dsakey);
goto end;
}
+ assert(private);
if (outformat == FORMAT_ASN1)
i = i2d_DSAPrivateKey_bio(out, dsakey);
else
OPTION_CHOICE o;
int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
- int pubin = 0, pubout = 0, param_out = 0, i, ret = 1;
+ int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
prog = opt_init(argc, argv, ec_options);
while ((o = opt_next()) != OPT_EOF) {
}
argc = opt_num_rest();
argv = opt_rest();
+ private = param_out || pubin || pubout ? 0 : 1;
+ if (text)
+ private = 1;
if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
}
- out = bio_open_default(outfile, WB(outformat));
+ out = bio_open_owner(outfile, WB(outformat), private);
if (out == NULL)
goto end;
if (new_asn1_flag)
EC_KEY_set_asn1_flag(eckey, asn1_flag);
- if (text)
+ if (text) {
+ assert(private);
if (!EC_KEY_print(out, eckey, 0)) {
perror(outfile);
ERR_print_errors(bio_err);
goto end;
}
+ }
if (noout) {
ret = 0;
i = i2d_ECPKParameters_bio(out, group);
else if (pubin || pubout)
i = i2d_EC_PUBKEY_bio(out, eckey);
- else
+ else {
+ assert(private);
i = i2d_ECPrivateKey_bio(out, eckey);
+ }
} else {
if (param_out)
i = PEM_write_bio_ECPKParameters(out, group);
else if (pubin || pubout)
i = PEM_write_bio_EC_PUBKEY(out, eckey);
- else
+ else {
+ assert(private);
i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
NULL, 0, NULL, passout);
+ }
}
if (!i) {
#include <openssl/opensslconf.h>
#ifndef OPENSSL_NO_EC
-# include <assert.h>
# include <stdio.h>
# include <stdlib.h>
# include <time.h>
unsigned char *buffer = NULL;
OPTION_CHOICE o;
int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0;
- int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0, ret =
- 1;
+ int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
+ int ret = 1, private = 0;
int list_curves = 0, no_seed = 0, check = 0, new_form = 0;
int text = 0, i, need_rand = 0, genkey = 0;
}
argc = opt_num_rest();
argv = opt_rest();
+ private = genkey ? 1 : 0;
if (!app_load_modules(NULL))
goto end;
in = bio_open_default(infile, RB(informat));
if (in == NULL)
goto end;
- out = bio_open_default(outfile, WB(outformat));
+ out = bio_open_owner(outfile, WB(outformat), private);
if (out == NULL)
goto end;
EC_KEY_free(eckey);
goto end;
}
+ assert(private);
if (outformat == FORMAT_ASN1)
i = i2d_ECPrivateKey_bio(out, eckey);
else
char *inrand = NULL, *dsaparams = NULL;
char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
OPTION_CHOICE o;
- int ret = 1;
+ int ret = 1, private = 0;
prog = opt_init(argc, argv, gendsa_options);
while ((o = opt_next()) != OPT_EOF) {
}
argc = opt_num_rest();
argv = opt_rest();
+ private = 1;
if (argc != 1)
goto opthelp;
BIO_free(in);
in = NULL;
- out = bio_open_default(outfile, "w");
+ out = bio_open_owner(outfile, "w", private);
if (out == NULL)
goto end2;
app_RAND_write_file(NULL);
+ assert(private);
if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
goto end;
ret = 0;
const EVP_CIPHER *cipher = NULL;
OPTION_CHOICE o;
int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
+ int private = 0;
prog = opt_init(argc, argv, genpkey_options);
while ((o = opt_next()) != OPT_EOF) {
case OPT_OUT:
outfile = opt_arg();
break;
-
case OPT_PASS:
passarg = opt_arg();
break;
}
argc = opt_num_rest();
argv = opt_rest();
+ private = do_param ? 0 : 1;
if (ctx == NULL)
goto opthelp;
if (!app_load_modules(NULL))
goto end;
- out = bio_open_default(outfile, "wb");
+ out = bio_open_owner(outfile, "wb", private);
if (out == NULL)
goto end;
if (do_param)
rv = PEM_write_bio_Parameters(out, pkey);
- else if (outformat == FORMAT_PEM)
+ else if (outformat == FORMAT_PEM) {
+ assert(private);
rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass);
- else if (outformat == FORMAT_ASN1)
+ } else if (outformat == FORMAT_ASN1) {
+ assert(private);
rv = i2d_PrivateKey_bio(out, pkey);
- else {
+ } else {
BIO_printf(bio_err, "Bad format specified for key\n");
goto end;
}
int genrsa_main(int argc, char **argv)
{
BN_GENCB *cb = BN_GENCB_new();
+ PW_CB_DATA cb_data;
ENGINE *e = NULL;
BIGNUM *bn = BN_new();
BIO *out = NULL;
RSA *rsa = NULL;
const EVP_CIPHER *enc = NULL;
- int ret = 1, non_fips_allow = 0, num = DEFBITS;
+ int ret = 1, non_fips_allow = 0, num = DEFBITS, private = 0;
unsigned long f4 = RSA_F4;
char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
char *inrand = NULL, *prog, *hexe, *dece;
}
argc = opt_num_rest();
argv = opt_rest();
+ private = 1;
if (argv[0] && (!opt_int(argv[0], &num) || num <= 0))
goto end;
if (!app_load_modules(NULL))
goto end;
- out = bio_open_default(outfile, "w");
+ out = bio_open_owner(outfile, "w", private);
if (out == NULL)
goto end;
}
OPENSSL_free(hexe);
OPENSSL_free(dece);
- {
- PW_CB_DATA cb_data;
- cb_data.password = passout;
- cb_data.prompt_info = outfile;
- if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
- (pem_password_cb *)password_callback,
- &cb_data))
- goto end;
- }
+ cb_data.password = passout;
+ cb_data.prompt_info = outfile;
+ assert(private);
+ if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
+ (pem_password_cb *)password_callback,
+ &cb_data))
+ goto end;
ret = 0;
end:
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#endif
-/* needed for the _O_BINARY defs in the MS world */
-#define USE_SOCKETS
-#include "s_apps.h"
#include <openssl/err.h>
#ifdef OPENSSL_FIPS
# include <openssl/fips.h>
#endif
+#define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
+#include "s_apps.h"
+/* Needed to get the other O_xxx flags. */
+#ifdef OPENSSL_SYS_VMS
+# include <unixio.h>
+#endif
+#ifndef NO_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#ifndef OPENSSL_NO_POSIX_IO
+# include <sys/stat.h>
+# include <fcntl.h>
+#endif
#define INCLUDE_FUNCTION_TABLE
#include "apps.h"
setbuf(fp, NULL);
}
+/*
+ * Open a file for writing, owner-read-only.
+ */
+BIO *bio_open_owner(const char *filename, const char *modestr, int private)
+{
+ FILE *fp = NULL;
+ BIO *b = NULL;
+ int fd = -1, bflags, mode, binmode;
+
+ if (!private || filename == NULL || strcmp(filename, "-") == 0)
+ return bio_open_default(filename, modestr);
+
+ mode = O_WRONLY;
+#ifdef O_CREAT
+ mode |= O_CREAT;
+#endif
+#ifdef O_TRUNC
+ mode |= O_TRUNC;
+#endif
+ binmode = strchr(modestr, 'b') != NULL;
+ if (binmode) {
+#ifdef O_BINARY
+ mode |= O_BINARY;
+#elif defined(_O_BINARY)
+ mode |= _O_BINARY;
+#endif
+ }
+
+ fd = open(filename, mode, 0600);
+ if (fd < 0)
+ goto err;
+ fp = fdopen(fd, modestr);
+ if (fp == NULL)
+ goto err;
+ bflags = BIO_CLOSE;
+ if (!binmode)
+ bflags |= BIO_FP_TEXT;
+ b = BIO_new_fp(fp, bflags);
+ if (b)
+ return b;
+
+ err:
+ BIO_printf(bio_err, "%s: Can't open \"%s\" for writing, %s\n",
+ opt_getprog(), filename, strerror(errno));
+ ERR_print_errors(bio_err);
+ /* If we have fp, then fdopen took over fd, so don't close both. */
+ if (fp)
+ fclose(fp);
+ else if (fd >= 0)
+ close(fd);
+ return NULL;
+}
+
static BIO *bio_open_default_(const char *filename, const char *mode, int quiet)
{
BIO *ret;
ERR_print_errors(bio_err);
return NULL;
}
+
BIO *bio_open_default(const char *filename, const char *mode)
{
return bio_open_default_(filename, mode, 0);
}
+
BIO *bio_open_default_quiet(const char *filename, const char *mode)
{
return bio_open_default_(filename, mode, 1);
/* #define COMPILE_STANDALONE_TEST_DRIVER */
#include "apps.h"
-#include <assert.h>
#include <string.h>
#if !defined(OPENSSL_SYS_MSDOS)
# include OPENSSL_UNISTD
#if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1)
-# include <assert.h>
# include <string.h>
# include "apps.h"
int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
# endif
int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- int ret = 1, macver = 1, noprompt = 0, add_lmk = 0;
+ int ret = 1, macver = 1, noprompt = 0, add_lmk = 0, private = 0;
char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL;
char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL;
char *cpass = NULL, *mpass = NULL, *CApath = NULL, *CAfile = NULL;
}
argc = opt_num_rest();
argv = opt_rest();
+ private = 1;
if (passarg) {
if (export_cert)
in = bio_open_default(infile, "rb");
if (in == NULL)
goto end;
-
- out = bio_open_default(outfile, "wb");
+ out = bio_open_owner(outfile, "wb", private);
if (out == NULL)
goto end;
if (maciter != -1)
PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);
+ assert(private);
i2d_PKCS12_bio(out, p12);
ret = 0;
}
}
+ assert(private);
if (!dump_certs_keys_p12(out, p12, cpass, -1, options, passout, enc)) {
BIO_printf(bio_err, "Error outputting keys and certificates\n");
ERR_print_errors(bio_err);
OPTION_CHOICE o;
int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
+ int private = 0;
unsigned long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
prog = opt_init(argc, argv, pkcs8_options);
}
argc = opt_num_rest();
argv = opt_rest();
+ private = 1;
if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
in = bio_open_default(infile, "rb");
if (in == NULL)
goto end;
- out = bio_open_default(outfile, "wb");
+ out = bio_open_owner(outfile, "wb", private);
if (out == NULL)
goto end;
+
if (topk8) {
pkey = load_key(infile, informat, 1, passin, e, "key");
if (!pkey)
goto end;
}
if (nocrypt) {
+ assert(private);
if (outformat == FORMAT_PEM)
PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
else if (outformat == FORMAT_ASN1)
goto end;
}
app_RAND_write_file(NULL);
+ assert(private);
if (outformat == FORMAT_PEM)
PEM_write_bio_PKCS8(out, p8);
else if (outformat == FORMAT_ASN1)
}
}
+ assert(private);
if (outformat == FORMAT_PEM)
PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
else if (outformat == FORMAT_ASN1)
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM;
int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
+ int private = 0;
prog = opt_init(argc, argv, pkey_options);
while ((o = opt_next()) != OPT_EOF) {
}
argc = opt_num_rest();
argv = opt_rest();
+ private = !noout && !pubout ? 1 : 0;
+ if (text && !pubtext)
+ private = 1;
if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
if (!app_load_modules(NULL))
goto end;
- out = bio_open_default(outfile, "wb");
+ out = bio_open_owner(outfile, "wb", private);
if (out == NULL)
goto end;
if (!noout) {
if (outformat == FORMAT_PEM) {
+ assert(private);
if (pubout)
PEM_write_bio_PUBKEY(out, pkey);
else
PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout);
} else if (outformat == FORMAT_ASN1) {
+ assert(private);
if (pubout)
i2d_PUBKEY_bio(out, pkey);
else
if (text) {
if (pubtext)
EVP_PKEY_print_public(out, pkey, 0, NULL);
- else
+ else {
+ assert(private);
EVP_PKEY_print_private(out, pkey, 0, NULL);
+ }
}
ret = 0;
char *template = default_config_file, *keyout = NULL;
const char *keyalg = NULL;
OPTION_CHOICE o;
- int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose =
- 0, pkey_type = -1;
+ int ret = 1, x509 = 0, days = 30, i = 0, newreq = 0, verbose = 0;
+ int pkey_type = -1, private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyform = FORMAT_PEM;
int modulus = 0, multirdn = 0, verify = 0, noout = 0, text = 0;
int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
}
argc = opt_num_rest();
argv = opt_rest();
+ private = newreq && (pkey == NULL) ? 1 : 0;
if (!app_passwd(passargin, passargout, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
BIO_printf(bio_err, "writing new private key to stdout\n");
else
BIO_printf(bio_err, "writing new private key to '%s'\n", keyout);
- out = bio_open_default(keyout, "w");
+ out = bio_open_owner(keyout, "w", private);
if (out == NULL)
goto end;
i = 0;
loop:
+ assert(private);
if (!PEM_write_bio_PrivateKey(out, pkey, cipher,
NULL, 0, NULL, passout)) {
if ((ERR_GET_REASON(ERR_peek_error()) ==
const EVP_CIPHER *enc = NULL;
char *infile = NULL, *outfile = NULL, *prog;
char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
- int i;
+ int i, private = 0;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
int noout = 0, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
OPTION_CHOICE o;
}
argc = opt_num_rest();
argv = opt_rest();
+ private = text || (!pubout && !noout) ? 1 : 0;
if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
BIO_printf(bio_err, "Error getting passwords\n");
goto end;
}
- out = bio_open_default(outfile, "w");
+ out = bio_open_owner(outfile, "w", private);
if (out == NULL)
goto end;
- if (text)
+ if (text) {
+ assert(private);
if (!RSA_print(out, rsa, 0)) {
perror(outfile);
ERR_print_errors(bio_err);
goto end;
}
+ }
if (modulus) {
BIO_printf(out, "Modulus=");
i = i2d_RSAPublicKey_bio(out, rsa);
else
i = i2d_RSA_PUBKEY_bio(out, rsa);
- } else
+ } else {
+ assert(private);
i = i2d_RSAPrivateKey_bio(out, rsa);
+ }
}
# ifndef OPENSSL_NO_RC4
else if (outformat == FORMAT_NETSCAPE) {
int size = i2d_RSA_NET(rsa, NULL, NULL, 0);
save = p = app_malloc(size, "RSA i2d buffer");
+ assert(private);
i2d_RSA_NET(rsa, &p, NULL, 0);
BIO_write(out, (char *)save, size);
OPENSSL_free(save);
i = PEM_write_bio_RSAPublicKey(out, rsa);
else
i = PEM_write_bio_RSA_PUBKEY(out, rsa);
- } else
+ } else {
+ assert(private);
i = PEM_write_bio_RSAPrivateKey(out, rsa,
enc, NULL, 0, NULL, passout);
+ }
# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
else if (pubin || pubout)
i = i2b_PublicKey_bio(out, pk);
- else
+ else {
+ assert(private);
i = i2b_PrivateKey_bio(out, pk);
+ }
EVP_PKEY_free(pk);
# endif
} else {
/* callback functions used by s_client, s_server, and s_time */
#include <stdio.h>
#include <stdlib.h>
-#include <assert.h>
#include <string.h> /* for memcpy() and strcmp() */
#define USE_SOCKETS
#include "apps.h"
* OTHERWISE.
*/
-#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
* OTHERWISE.
*/
-#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
* [including the GNU Public Licence.]
*/
-#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
projects / oweals / openssl.git / commitdiff