mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-25 11:03:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

Remove really old demo's

Browse Source 
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Rich Salz 2016-03-07 14:55:44 -05:00 committed by Rich Salz
parent 691064c47f
commit ec59112a82
60 changed files with 0 additions and 11367 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
demos/easy_tls/Makefile.in
View File

@ -1,124 +0,0 @@
# Makefile for easy-tls example application (rudimentary client and server)
# $Id: Makefile,v 1.2 2001/09/18 09:15:40 bodo Exp $
SOLARIS_CFLAGS=-Wall -pedantic -g -O2
SOLARIS_LIBS=-lxnet
LINUX_CFLAGS=-Wall -pedantic -g -O2
LINUX_LIBS=
auto-all:
case `uname -s` in \
SunOS) echo Using SunOS configuration; \
make SYSCFLAGS="$(SOLARIS_CFLAGS)" SYSLIBS="$(SOLARIS_LIBS)" all;; \
Linux) echo Using Linux configuration; \
make SYSCFLAGS="$(LINUX_CFLAGS)" SYSLIBS="$(LINUX_LIBS)" all;; \
*) echo "unknown system"; exit 1;; \
esac
all: test TAGS
# For adapting this Makefile to a different system, only the following
# definitions should need customizing:
OPENSSLDIR=../..
CC=gcc
SYSCFLAGS=whatever
SYSLIBS=whatever
#############################################################################
#
# SSLeay/OpenSSL imports
#
# OPENSSLDIR (set above) can be either the directory where OpenSSL is
# installed or the directory where it was compiled.
# We rely on having a new OpenSSL release where include files
# have names like <openssl/ssl.h> (not just <ssl.h>).
OPENSSLINCLUDES=-I$(OPENSSLDIR)/include
# libcrypto.a and libssl.a are directly in $(OPENSSLDIR) if this is
# the compile directory, or in $(OPENSSLDIR)/lib if we use an installed
# library. With the following definition, we can handle either case.
OPENSSLLIBS=-L$(OPENSSLDIR) -L$(OPENSSLDIR)/lib -lssl -lcrypto
#############################################################################
#
# Stuff for handling the source files
#
SOURCES=easy-tls.c test.c
HEADERS=easy-tls.h test.h
DOCSandEXAMPLESetc=Makefile cert.pem cacerts.pem
EVERYTHING=$(SOURCES) $(HEADERS) $(DOCSandEXAMPLESetc)
ls: ls-l
ls-l:
ls -l $(EVERYTHING)
# For RCS:
tag:
-rcs -n_`date +%y%m%d`: $(EVERYTHING)
rcs -nMYTAG $(EVERYTHING)
rcs -nMYTAG: $(EVERYTHING)
diff:
-rcsdiff -rMYTAG -u $(EVERYTHING)
today:
-rcsdiff -r_`date +%y%m%d` -u $(EVERYTHING)
ident:
for a in $(EVERYTHING); do ident $$a; done
# Distribution .tar:
easy-tls.tar.gz: $(EVERYTHING)
tar cvf - $(EVERYTHING) | \
gzip -9 > easy-tls.tar.gz
# Working .tar:
tls.tgz: $(EVERYTHING)
tar cfv - `find . -type f -a ! -name '*.tgz' -a ! -name '*.tar.gz'` | \
gzip -9 > tls.tgz
# For emacs:
etags: TAGS
TAGS: $(SOURCES) $(HEADERS)
-etags $(SOURCES) $(HEADERS)
#############################################################################
#
# Compilation
#
# The following definitions are system dependent (and hence defined
# at the beginning of this Makefile, where they are more easily found):
### CC=gcc
### SYSCFLAGS=-Wall -pedantic -g -O2
### SYSLIBS=-lxnet
EXTRACFLAGS=-DTLS_APP=\"test.h\"
# EXTRACFLAGS=-DTLS_APP=\"test.h\" -DDEBUG_TLS
#
# The rest shouldn't need to be touched.
#
LDFLAGS=$(SYSLIBS) $(OPENSSLLIBS)
INCLUDES=$(OPENSSLINCLUDES)
CFLAGS=$(SYSCFLAGS) $(EXTRACFLAGS) $(INCLUDES)
OBJS=easy-tls.o test.o
clean:
@rm -f test
@rm -f TAGS
@rm -f *.o
@rm -f core
test: $(OBJS)
$(CC) $(OBJS) $(LDFLAGS) -o test
test.o: $(HEADERS)
easy-tls.o: $(HEADERS)
# DO NOT DELETE THIS LINE -- make depend depends on it.

65
demos/easy_tls/README
View File

@ -1,65 +0,0 @@
easy_tls - generic SSL/TLS proxy
========
(... and example for non-blocking SSL/TLS I/O multiplexing.)
easy_tls.c, easy_tls.h:
Small generic SSL/TLS proxy library: With a few function calls,
an application socket will be replaced by a pipe handled by a
separate SSL/TLS proxy process. This allows easily adding
SSL/TLS support to many programs not originally designed for it.
[Actually easy_tls.c is not a proper library: Customization
requires defining preprocessor macros while compiling it.
This is quite confusing, so I'll probably change it.]
These files may be used under the OpenSSL license.
test.c, test.h, Makefile, cert.pem, cacerts.pem:
Rudimentary example program using the easy_tls library, and
example key and certificates for it. Usage examples:
$ ./test 8443 # create server listening at port 8443
$ ./test 127.0.0.1 8443 # create client, connect to port 8443
# at IP address 127.0.0.1
'test' will not automatically do SSL/TLS, or even read or write
data -- it must be told to do so on input lines starting
with a command letter. 'W' means write a line, 'R' means
read a line, 'C' means close the connection, 'T' means
start an SSL/TLS proxy. E.g. (user input tagged with '*'):
* R
<<< 220 mail.example.net
* WSTARTTLS
>>> STARTTLS
* R
<<< 220 Ready to start TLS
* T
test_process_init(fd = 3, client_p = 1, apparg = (nil))
+++ `E:self signed certificate in certificate chain'
+++ `<... certificate info ...>'
* WHELO localhost
>>> HELO localhost
R
<<< 250 mail.example.net
You can even do SSL/TLS over SSL/TLS over SSL/TLS ... by using
'T' multiple times. I have no idea why you would want to though.
This code is rather old. When I find time I will update anything that
should be changed, and improve code comments. To compile the sample
program 'test' on platforms other then Linux or Solaris, you will have
to edit the Makefile.
As noted above, easy_tls.c will be changed to become a library one
day, which means that future revisions will not be fully compatible to
the current version.
Bodo Möller <bodo@openssl.org>

18
demos/easy_tls/cacerts.pem
View File

@ -1,18 +0,0 @@
$Id: cacerts.pem,v 1.1 2001/09/17 19:06:57 bodo Exp $
issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-----BEGIN CERTIFICATE-----
MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
-----END CERTIFICATE-----

31
demos/easy_tls/cert.pem
View File

@ -1,31 +0,0 @@
$Id: cert.pem,v 1.1 2001/09/17 19:06:57 bodo Exp $
Example certificate and key.
-----BEGIN CERTIFICATE-----
MIIB1jCCAT8CAQEwDQYJKoZIhvcNAQEEBQAwRTELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDAeFw05OTA1MDEwMTI2MzVaFw05OTA1MzEwMTI2MzVaMCIxCzAJBgNVBAYTAkRF
MRMwEQYDVQQDEwpUZXN0c2VydmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQD6I3oDKiexwwlkzjar69AIFnVUaG85LtCege2R+CtIDlkQYw68/8MbT3ou0pdF
AcL9IGiYY3Y0SHM9PqF00RO1MCtNpqTnF3ScLpbmggGjKilmWYn2ai7emdjMjXVL
tzWW2xGgIGATWQN32KgfJng4jXi1UjEiyLhkw0Zf1I/ggwIDAQABMA0GCSqGSIb3
DQEBBAUAA4GBAMgM+sbAk8DfjSfa+Rf2gcGXmbrvZAzKzC+5RU3kaq/NyxIXAGco
9dZjozzWfN/xuGup5boFk+KrP+xdgsaqGHsyzlgEoqz4ekqLjQeVbnoj339hVFU9
MhPi6JULPxjXKumjfX2LLNkikW5puz8Df3UiX0EiaJvd7EwP8J75tiUT
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD6I3oDKiexwwlkzjar69AIFnVUaG85LtCege2R+CtIDlkQYw68
/8MbT3ou0pdFAcL9IGiYY3Y0SHM9PqF00RO1MCtNpqTnF3ScLpbmggGjKilmWYn2
ai7emdjMjXVLtzWW2xGgIGATWQN32KgfJng4jXi1UjEiyLhkw0Zf1I/ggwIDAQAB
AoGANST8c1etf1MU19oIO5aqaE19OCXIG7oakNLCCtVTPMfvnE+vffBJH7BPIUuU
4BBzwRv1nQrkvk72TPjVjOAu81B1SStKQueun2flVuYxp9NyupNWCBley4QdohlP
I92ml2tzTSPmNIoA6jdGyNzFcGchapRRmejsC39F1RUbHQECQQD9KX81Wt8ZOrri
dWiEXja1L3X8Bkb9vvUjVMQDTJJPxBJjehC6eurgE6PP6SJD5p/f3RHPCcLr8tSM
D4P/OpKhAkEA/PFNlhIZUDKK6aTvG2mn7qQ5phbadOoyN1Js3ttWG5OMOZ6b/QlC
Wvp84h44506BIlv+Tg2YAI0AdBUrf7oEowJAM4joAVd/ROaEtqbJ4PBA2L9RmD06
5FqkEk4mHLnQqvYx/BgUIbH18ClvVlqSBBqFfw/EmU3WZSuogt6Bs0ocIQJBAOxB
AoPiYcxbeQ5kZIVJOXaX49SzUdaUDNVJYrEBUzsspHQJJo/Avz606kJVkjbSR6Ft
JWmIHuqcyMikIV4KxFsCQQCU2evoVjVsqkkbHi7W28f73PGBsyu0KIwlK7nu4h08
Daf7TAI+A6jW/WRUsJ6dFhUYi7/Jvkcdrlnbgm2fxziX
-----END RSA PRIVATE KEY-----

1293
demos/easy_tls/easy-tls.c
View File

File diff suppressed because it is too large Load Diff

59
demos/easy_tls/easy-tls.h
View File

@ -1,59 +0,0 @@
/* */
/*-
* easy-tls.h -- generic TLS proxy.
* $Id: easy-tls.h,v 1.1 2001/09/17 19:06:59 bodo Exp $
*/
/*
* (c) Copyright 1999 Bodo Moeller. All rights reserved.
*/
#ifndef HEADER_TLS_H
# define HEADER_TLS_H
# ifndef HEADER_SSL_H
typedef struct ssl_ctx_st SSL_CTX;
# endif
# define TLS_INFO_SIZE 512 /* max. # of bytes written to infofd */
void tls_set_dhe1024(int i, void *apparg);
/*
* Generate DHE parameters: i >= 0 deterministic (i selects seed), i < 0
* random (may take a while). tls_create_ctx calls this with random
* non-negative i if the application has never called it.
*/
void tls_rand_seed(void);
int tls_rand_seed_from_file(const char *filename, size_t n, void *apparg);
void tls_rand_seed_from_memory(const void *buf, size_t n);
struct tls_create_ctx_args {
int client_p;
const char *certificate_file;
const char *key_file;
const char *ca_file;
int verify_depth;
int fail_unless_verified;
};
struct tls_create_ctx_args tls_create_ctx_defaultargs(void);
/*
* struct tls_create_ctx_args is similar to a conventional argument list, but
* it can provide default values and allows for future extension.
*/
SSL_CTX *tls_create_ctx(struct tls_create_ctx_args, void *apparg);
struct tls_start_proxy_args {
int fd;
int client_p;
SSL_CTX *ctx;
pid_t *pid;
int *infofd;
};
struct tls_start_proxy_args tls_start_proxy_defaultargs(void);
/*
* tls_start_proxy return value *MUST* be checked! 0 means ok, otherwise
* we've probably run out of some resources.
*/
int tls_start_proxy(struct tls_start_proxy_args, void *apparg);
#endif

247
demos/easy_tls/test.c
View File

@ -1,247 +0,0 @@
/* $Id: test.c,v 1.1 2001/09/17 19:06:59 bodo Exp $ */
#define L_PORT 9999
#define C_PORT 443
#include <arpa/inet.h>
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>
#include "test.h"
#include "easy-tls.h"
void test_process_init(int fd, int client_p, void *apparg)
{
fprintf(stderr,
"test_process_init(fd = %d, client_p = %d, apparg = %p)\n", fd,
client_p, apparg);
}
void test_errflush(int child_p, char *errbuf, size_t num, void *apparg)
{
fputs(errbuf, stderr);
}
int main(int argc, char *argv[])
{
int s, fd, r;
FILE *conn_in;
FILE *conn_out;
char buf[256];
SSL_CTX *ctx;
int client_p = 0;
int port;
int tls = 0;
char infobuf[TLS_INFO_SIZE + 1];
if (argc > 1 && argv[1][0] == '-') {
fputs("Usage: test [port] -- server\n"
" test num.num.num.num [port] -- client\n", stderr);
exit(1);
}
if (argc > 1) {
if (strchr(argv[1], '.')) {
client_p = 1;
}
}
fputs(client_p ? "Client\n" : "Server\n", stderr);
{
struct tls_create_ctx_args a = tls_create_ctx_defaultargs();
a.client_p = client_p;
a.certificate_file = "cert.pem";
a.key_file = "cert.pem";
a.ca_file = "cacerts.pem";
ctx = tls_create_ctx(a, NULL);
if (ctx == NULL)
exit(1);
}
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (s == -1) {
perror("socket");
exit(1);
}
if (client_p) {
struct sockaddr_in addr;
size_t addr_len = sizeof addr;
addr.sin_family = AF_INET;
assert(argc > 1);
if (argc > 2)
sscanf(argv[2], "%d", &port);
else
port = C_PORT;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = inet_addr(argv[1]);
r = connect(s, &addr, addr_len);
if (r != 0) {
perror("connect");
exit(1);
}
fd = s;
fprintf(stderr, "Connect (fd = %d).\n", fd);
} else {
/* server */
{
int i = 1;
r = setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&i, sizeof i);
if (r == -1) {
perror("setsockopt");
exit(1);
}
}
{
struct sockaddr_in addr;
size_t addr_len = sizeof addr;
if (argc > 1)
sscanf(argv[1], "%d", &port);
else
port = L_PORT;
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr.s_addr = INADDR_ANY;
r = bind(s, &addr, addr_len);
if (r != 0) {
perror("bind");
exit(1);
}
}
r = listen(s, 1);
if (r == -1) {
perror("listen");
exit(1);
}
fprintf(stderr, "Listening at port %i.\n", port);
fd = accept(s, NULL, 0);
if (fd == -1) {
perror("accept");
exit(1);
}
fprintf(stderr, "Accept (fd = %d).\n", fd);
}
conn_in = fdopen(fd, "r");
if (conn_in == NULL) {
perror("fdopen");
exit(1);
}
conn_out = fdopen(fd, "w");
if (conn_out == NULL) {
perror("fdopen");
exit(1);
}
setvbuf(conn_in, NULL, _IOLBF, 256);
setvbuf(conn_out, NULL, _IOLBF, 256);
while (fgets(buf, sizeof buf, stdin) != NULL) {
if (buf[0] == 'W') {
fprintf(conn_out, "%.*s\r\n", (int)(strlen(buf + 1) - 1),
buf + 1);
fprintf(stderr, ">>> %.*s\n", (int)(strlen(buf + 1) - 1),
buf + 1);
} else if (buf[0] == 'C') {
fprintf(stderr, "Closing.\n");
fclose(conn_in);
fclose(conn_out);
exit(0);
} else if (buf[0] == 'R') {
int lines = 0;
sscanf(buf + 1, "%d", &lines);
do {
if (fgets(buf, sizeof buf, conn_in) == NULL) {
if (ferror(conn_in)) {
fprintf(stderr, "ERROR\n");
exit(1);
}
fprintf(stderr, "CLOSED\n");
return 0;
}
fprintf(stderr, "<<< %s", buf);
} while (--lines > 0);
} else if (buf[0] == 'T') {
int infofd;
tls++;
{
struct tls_start_proxy_args a = tls_start_proxy_defaultargs();
a.fd = fd;
a.client_p = client_p;
a.ctx = ctx;
a.infofd = &infofd;
r = tls_start_proxy(a, NULL);
}
assert(r != 1);
if (r != 0) {
fprintf(stderr, "tls_start_proxy failed: %d\n", r);
switch (r) {
case -1:
fputs("socketpair", stderr);
break;
case 2:
fputs("FD_SETSIZE exceeded", stderr);
break;
case -3:
fputs("pipe", stderr);
break;
case -4:
fputs("fork", stderr);
break;
case -5:
fputs("dup2", stderr);
break;
default:
fputs("?", stderr);
}
if (r < 0)
perror("");
else
fputc('\n', stderr);
exit(1);
}
r = read(infofd, infobuf, sizeof infobuf - 1);
if (r > 0) {
const char *info = infobuf;
const char *eol;
infobuf[r] = '\0';
while ((eol = strchr(info, '\n')) != NULL) {
fprintf(stderr, "+++ `%.*s'\n", eol - info, info);
info = eol + 1;
}
close(infofd);
}
} else {
fprintf(stderr, "W... write line to network\n"
"R[n] read line (n lines) from network\n"
"C close\n"
"T start %sTLS proxy\n", tls ? "another " : "");
}
}
return 0;
}

9
demos/easy_tls/test.h
View File

@ -1,9 +0,0 @@
/* $Id: test.h,v 1.1 2001/09/17 19:07:00 bodo Exp $ */
void test_process_init(int fd, int client_p, void *apparg);
#define TLS_APP_PROCESS_INIT test_process_init
#undef TLS_CUMULATE_ERRORS
void test_errflush(int child_p, char *errbuf, size_t num, void *apparg);
#define TLS_APP_ERRFLUSH test_errflush

93
demos/engines/cluster_labs/Makefile.in
View File

@ -1,93 +0,0 @@
LIBNAME= libclabs
SRC= hw_cluster_labs.c
OBJ= hw_cluster_labs.o
HEADER= hw_cluster_labs.h
CC= gcc
PIC= -fPIC
CFLAGS= -g -I../../../include $(PIC) -DENGINE_DYNAMIC_SUPPORT -DFLAT_INC
AR= ar r
RANLIB= ranlib
LIB= $(LIBNAME).a
SHLIB= $(LIBNAME).so
all:
@echo 'Please choose a system to build on:'
@echo ''
@echo 'tru64: Tru64 Unix, Digital Unix, Digital OSF/1'
@echo 'solaris: Solaris'
@echo 'irix: IRIX'
@echo 'hpux32: 32-bit HP/UX'
@echo 'hpux64: 64-bit HP/UX'
@echo 'aix: AIX'
@echo 'gnu: Generic GNU-based system (gcc and GNU ld)'
@echo ''
generate:
perl ../../../util/mkerr.pl -conf hw_cluster_labs.ec \
-nostatic -staticloader -write hw_cluster_labs.c
gnu: $(SHLIB).gnu
tru64: $(SHLIB).tru64
solaris: $(SHLIB).solaris
irix: $(SHLIB).irix
hpux32: $(SHLIB).hpux32
hpux64: $(SHLIB).hpux64
aix: $(SHLIB).aix
$(LIB): $(OBJ)
$(AR) $(LIB) $(OBJ)
- $(RANLIB) $(LIB)
LINK_SO= \
ld -r -o $(LIBNAME).o $$ALLSYMSFLAGS $(LIB) && \
(nm -Pg $(LIBNAME).o | grep ' [BDT] ' | cut -f1 -d' ' > $(LIBNAME).exp; \
$$SHAREDCMD $$SHAREDFLAGS -o $(SHLIB) $(LIBNAME).o -L ../../.. -lcrypto -lc)
$(SHLIB).gnu: $(LIB)
ALLSYMSFLAGS='--whole-archive' \
SHAREDFLAGS='-shared -Wl,-soname=$(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).gnu
$(SHLIB).tru64: $(LIB)
ALLSYMSFLAGS='-all' \
SHAREDFLAGS='-shared' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).tru64
$(SHLIB).solaris: $(LIB)
ALLSYMSFLAGS='-z allextract' \
SHAREDFLAGS='-G -h $(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).solaris
$(SHLIB).irix: $(LIB)
ALLSYMSFLAGS='-all' \
SHAREDFLAGS='-shared -Wl,-soname,$(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).irix
$(SHLIB).hpux32: $(LIB)
ALLSYMSFLAGS='-Fl' \
SHAREDFLAGS='+vnocompatwarnings -b -z +s +h $(SHLIB)' \
SHAREDCMD='/usr/ccs/bin/ld'; \
$(LINK_SO)
touch $(SHLIB).hpux32
$(SHLIB).hpux64: $(LIB)
ALLSYMSFLAGS='+forceload' \
SHAREDFLAGS='-b -z +h $(SHLIB)' \
SHAREDCMD='/usr/ccs/bin/ld'; \
$(LINK_SO)
touch $(SHLIB).hpux64
$(SHLIB).aix: $(LIB)
ALLSYMSFLAGS='-bnogc' \
SHAREDFLAGS='-G -bE:$(LIBNAME).exp -bM:SRE' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).aix
depend:
# DO NOT DELETE THIS LINE -- make depend depends on it.

33
demos/engines/cluster_labs/cluster_labs.h
View File

@ -1,33 +0,0 @@
typedef int cl_engine_init(void);
typedef int cl_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *cgx);
typedef int cl_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
const BIGNUM *q, const BIGNUM *dmp1,
const BIGNUM *dmq1, const BIGNUM *iqmp,
BN_CTX *ctx);
typedef int cl_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
typedef int cl_rsa_pub_enc(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
typedef int cl_rsa_pub_dec(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
typedef int cl_rsa_priv_enc(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
typedef int cl_rsa_priv_dec(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
typedef int cl_rand_bytes(unsigned char *buf, int num);
typedef DSA_SIG *cl_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa);
typedef int cl_dsa_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
static const char *CLUSTER_LABS_LIB_NAME = "cluster_labs";
static const char *CLUSTER_LABS_F1 = "hw_engine_init";
static const char *CLUSTER_LABS_F2 = "hw_mod_exp";
static const char *CLUSTER_LABS_F3 = "hw_mod_exp_crt";
static const char *CLUSTER_LABS_F4 = "hw_rsa_mod_exp";
static const char *CLUSTER_LABS_F5 = "hw_rsa_priv_enc";
static const char *CLUSTER_LABS_F6 = "hw_rsa_priv_dec";
static const char *CLUSTER_LABS_F7 = "hw_rsa_pub_enc";
static const char *CLUSTER_LABS_F8 = "hw_rsa_pub_dec";
static const char *CLUSTER_LABS_F20 = "hw_rand_bytes";
static const char *CLUSTER_LABS_F30 = "hw_dsa_sign";
static const char *CLUSTER_LABS_F31 = "hw_dsa_verify";

684
demos/engines/cluster_labs/hw_cluster_labs.c
View File

@ -1,684 +0,0 @@
/*
* Written by Jan Tschirschwitz (jan.tschirschwitz@cluster-labs.com for the
* OpenSSL project 2000.
*/
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#define MSC_VER /* only used cryptic.h */
#include <stdio.h>
#include <openssl/crypto.h>
#include <openssl/dso.h>
#include <openssl/des.h>
#include <openssl/engine.h>
#ifndef NO_HW
# ifndef NO_HW_CLUSTER_LABS
# ifdef FLAT_INC
# include "cluster_labs.h"
# else
# include "vendor_defns/cluster_labs.h"
# endif
# define CL_LIB_NAME "cluster_labs engine"
# include "hw_cluster_labs_err.c"
static int cluster_labs_destroy(ENGINE *e);
static int cluster_labs_init(ENGINE *e);
static int cluster_labs_finish(ENGINE *e);
static int cluster_labs_ctrl(ENGINE *e, int cmd, long i, void *p,
void (*f) ());
/* BIGNUM stuff */
/* This function is aliased to mod_exp (with the mont stuff dropped). */
static int cluster_labs_mod_exp_mont(BIGNUM *r, const BIGNUM *a,
const BIGNUM *p, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *m_ctx);
/* RSA stuff */
# ifndef OPENSSL_NO_RSA
static int cluster_labs_rsa_pub_enc(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
static int cluster_labs_rsa_pub_dec(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
static int cluster_labs_rsa_priv_enc(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding);
static int cluster_labs_rsa_priv_dec(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding);
static int cluster_labs_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
# endif
/* DSA stuff */
# ifndef OPENSSL_NO_DSA
static DSA_SIG *cluster_labs_dsa_sign(const unsigned char *dgst, int dlen,
DSA *dsa);
static int cluster_labs_dsa_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa);
static int cluster_labs_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *in_mont);
static int cluster_labs_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
const BIGNUM *p, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *m_ctx);
# endif
/* DH stuff */
# ifndef OPENSSL_NO_DH
/* This function is alised to mod_exp (with the DH and mont dropped). */
static int cluster_labs_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
const BIGNUM *p, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *m_ctx);
# endif
/* RANDOM stuff */
static int cluster_labs_rand_bytes(unsigned char *buf, int num);
/* The definitions for control commands specific to this engine */
# define CLUSTER_LABS_CMD_SO_PATH ENGINE_CMD_BASE
static const ENGINE_CMD_DEFN cluster_labs_cmd_defns[] = {
{CLUSTER_LABS_CMD_SO_PATH,
"SO_PATH",
"Specifies the path to the 'cluster labs' shared library",
ENGINE_CMD_FLAG_STRING},
{0, NULL, NULL, 0}
};
/* Our internal RSA_METHOD that we provide pointers to */
# ifndef OPENSSL_NO_RSA
static RSA_METHOD cluster_labs_rsa = {
"Cluster Labs RSA method",
cluster_labs_rsa_pub_enc, /* rsa_pub_enc */
cluster_labs_rsa_pub_dec, /* rsa_pub_dec */
cluster_labs_rsa_priv_enc, /* rsa_priv_enc */
cluster_labs_rsa_priv_dec, /* rsa_priv_dec */
cluster_labs_rsa_mod_exp, /* rsa_mod_exp */
cluster_labs_mod_exp_mont, /* bn_mod_exp */
NULL, /* init */
NULL, /* finish */
0, /* flags */
NULL, /* apps_data */
NULL, /* rsa_sign */
NULL /* rsa_verify */
};
# endif
/* Our internal DSA_METHOD that we provide pointers to */
# ifndef OPENSSL_NO_DSA
static DSA_METHOD cluster_labs_dsa = {
"Cluster Labs DSA method",
cluster_labs_dsa_sign, /* dsa_do_sign */
NULL, /* dsa_sign_setup */
cluster_labs_dsa_verify, /* dsa_do_verify */
cluster_labs_dsa_mod_exp, /* dsa_mod_exp */
cluster_labs_mod_exp_dsa, /* bn_mod_exp */
NULL, /* init */
NULL, /* finish */
0, /* flags */
NULL /* app_data */
};
# endif
/* Our internal DH_METHOD that we provide pointers to */
# ifndef OPENSSL_NO_DH
static DH_METHOD cluster_labs_dh = {
"Cluster Labs DH method",
NULL, /* generate key */
NULL, /* compute key */
cluster_labs_mod_exp_dh, /* bn_mod_exp */
NULL, /* init */
NULL, /* finish */
0, /* flags */
NULL /* app_data */
};
# endif
static RAND_METHOD cluster_labs_rand = {
/* "Cluster Labs RAND method", */
NULL, /* seed */
cluster_labs_rand_bytes, /* bytes */
NULL, /* cleanup */
NULL, /* add */
cluster_labs_rand_bytes, /* pseudorand */
NULL, /* status */
};
static const char *engine_cluster_labs_id = "cluster_labs";
static const char *engine_cluster_labs_name =
"Cluster Labs hardware engine support";
/* engine implementation */
/* ---------------------*/
static int bind_helper(ENGINE *e)
{
if (!ENGINE_set_id(e, engine_cluster_labs_id) ||
!ENGINE_set_name(e, engine_cluster_labs_name) ||
# ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &cluster_labs_rsa) ||
# endif
# ifndef OPENSSL_NO_DSA
!ENGINE_set_DSA(e, &cluster_labs_dsa) ||
# endif
# ifndef OPENSSL_NO_DH
!ENGINE_set_DH(e, &cluster_labs_dh) ||
# endif
!ENGINE_set_RAND(e, &cluster_labs_rand) ||
!ENGINE_set_destroy_function(e, cluster_labs_destroy) ||
!ENGINE_set_init_function(e, cluster_labs_init) ||
!ENGINE_set_finish_function(e, cluster_labs_finish) ||
!ENGINE_set_ctrl_function(e, cluster_labs_ctrl) ||
!ENGINE_set_cmd_defns(e, cluster_labs_cmd_defns))
return 0;
/* Ensure the error handling is set up */
ERR_load_CL_strings();
return 1;
}
# ifndef ENGINE_DYNAMIC_SUPPORT
static ENGINE *engine_cluster_labs(void)
{
ENGINE *ret = ENGINE_new();
if (!ret)
return NULL;
if (!bind_helper(ret)) {
ENGINE_free(ret);
return NULL;
}
return ret;
}
# ifdef ENGINE_DYNAMIC_SUPPORT
static
# endif
void ENGINE_load_cluster_labs(void)
{
ENGINE *cluster_labs = engine_cluster_labs();
if (!cluster_labs)
return;
ENGINE_add(cluster_labs);
ENGINE_free(cluster_labs);
ERR_clear_error();
}
# endif /* !ENGINE_DYNAMIC_SUPPORT */
static int cluster_labs_destroy(ENGINE *e)
{
ERR_unload_CL_strings();
return 1;
}
/*
* This is a process-global DSO handle used for loading and unloading the
* Cluster Labs library. NB: This is only set (or unset) during an init() or
* finish() call (reference counts permitting) and they're operating with
* global locks, so this should be thread-safe implicitly.
*/
static DSO *cluster_labs_dso = NULL;
/*
* These are the function pointers that are (un)set when the library has
* successfully (un)loaded.
*/
static cl_engine_init *p_cl_engine_init = NULL;
static cl_mod_exp *p_cl_mod_exp = NULL;
static cl_mod_exp_crt *p_cl_mod_exp_crt = NULL;
static cl_rsa_mod_exp *p_cl_rsa_mod_exp = NULL;
static cl_rsa_priv_enc *p_cl_rsa_priv_enc = NULL;
static cl_rsa_priv_dec *p_cl_rsa_priv_dec = NULL;
static cl_rsa_pub_enc *p_cl_rsa_pub_enc = NULL;
static cl_rsa_pub_dec *p_cl_rsa_pub_dec = NULL;
static cl_rand_bytes *p_cl_rand_bytes = NULL;
static cl_dsa_sign *p_cl_dsa_sign = NULL;
static cl_dsa_verify *p_cl_dsa_verify = NULL;
int cluster_labs_init(ENGINE *e)
{
cl_engine_init *p1;
cl_mod_exp *p2;
cl_mod_exp_crt *p3;
cl_rsa_mod_exp *p4;
cl_rsa_priv_enc *p5;
cl_rsa_priv_dec *p6;
cl_rsa_pub_enc *p7;
cl_rsa_pub_dec *p8;
cl_rand_bytes *p20;
cl_dsa_sign *p30;
cl_dsa_verify *p31;
/* engine already loaded */
if (cluster_labs_dso != NULL) {
CLerr(CL_F_CLUSTER_LABS_INIT, CL_R_ALREADY_LOADED);
goto err;
}
/* try to load engine */
cluster_labs_dso = DSO_load(NULL, CLUSTER_LABS_LIB_NAME, NULL, 0);
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_INIT, CL_R_DSO_FAILURE);
goto err;
}
/* bind functions */
#define BINDIT(t, name) (t *)DSO_bind_func(cluster_labs_dso, name)
if ((p1 = (cl_engine_init, CLUSTER_LABS_F1)) == NULL
|| (p2 = BINDIT(cl_mod_exp, CLUSTER_LABS_F2)) == NULL
|| (p3 = BINDIT(cl_mod_exp_crt, CLUSTER_LABS_F3)) == NULL
|| (p4 = BINDIT(cl_rsa_mod_exp, CLUSTER_LABS_F4)) == NULL
|| (p5 = BINDIT(cl_rsa_priv_enc, CLUSTER_LABS_F5)) == NULL
|| (p6 = BINDIT(cl_rsa_priv_dec, CLUSTER_LABS_F6)) == NULL
|| (p7 = BINDIT(cl_rsa_pub_enc, CLUSTER_LABS_F7)) == NULL
|| (p8 = BINDIT(cl_rsa_pub_dec, CLUSTER_LABS_F8)) == NULL
|| (p20 = BINDIT(cl_rand_bytes, CLUSTER_LABS_F20)) == NULL
|| (p30 = BINDIT(cl_dsa_sign, CLUSTER_LABS_F30)) == NULL
|| (p31 = BINDIT(cl_dsa_verify, CLUSTER_LABS_F31)) == NULL) {
CLerr(CL_F_CLUSTER_LABS_INIT, CL_R_DSO_FAILURE);
goto err;
}
/* copy function pointers */
p_cl_engine_init = p1;
p_cl_mod_exp = p2;
p_cl_mod_exp_crt = p3;
p_cl_rsa_mod_exp = p4;
p_cl_rsa_priv_enc = p5;
p_cl_rsa_priv_dec = p6;
p_cl_rsa_pub_enc = p7;
p_cl_rsa_pub_dec = p8;
p_cl_rand_bytes = p20;
p_cl_dsa_sign = p30;
p_cl_dsa_verify = p31;
/* cluster labs engine init */
if (p_cl_engine_init() == 0) {
CLerr(CL_F_CLUSTER_LABS_INIT, CL_R_INIT_FAILED);
goto err;
}
return (1);
err:
/* reset all pointers */
DSO_free(cluster_labs_dso);
cluster_labs_dso = NULL;
p_cl_engine_init = NULL;
p_cl_mod_exp = NULL;
p_cl_mod_exp_crt = NULL;
p_cl_rsa_mod_exp = NULL;
p_cl_rsa_priv_enc = NULL;
p_cl_rsa_priv_dec = NULL;
p_cl_rsa_pub_enc = NULL;
p_cl_rsa_pub_dec = NULL;
p_cl_rand_bytes = NULL;
p_cl_dsa_sign = NULL;
p_cl_dsa_verify = NULL;
return (0);
}
static int cluster_labs_finish(ENGINE *e)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_FINISH, CL_R_NOT_LOADED);
return 0;
}
if (!DSO_free(cluster_labs_dso)) {
CLerr(CL_F_CLUSTER_LABS_FINISH, CL_R_DSO_FAILURE);
return 0;
}
cluster_labs_dso = NULL;
p_cl_engine_init = NULL;
p_cl_mod_exp = NULL;
p_cl_rsa_mod_exp = NULL;
p_cl_mod_exp_crt = NULL;
p_cl_rsa_priv_enc = NULL;
p_cl_rsa_priv_dec = NULL;
p_cl_rsa_pub_enc = NULL;
p_cl_rsa_pub_dec = NULL;
p_cl_rand_bytes = NULL;
p_cl_dsa_sign = NULL;
p_cl_dsa_verify = NULL;
return (1);
}
static int cluster_labs_ctrl(ENGINE *e, int cmd, long i, void *p,
void (*f) ())
{
int initialised = ((cluster_labs_dso == NULL) ? 0 : 1);
switch (cmd) {
case CLUSTER_LABS_CMD_SO_PATH:
if (p == NULL) {
CLerr(CL_F_CLUSTER_LABS_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (initialised) {
CLerr(CL_F_CLUSTER_LABS_CTRL, CL_R_ALREADY_LOADED);
return 0;
}
CLUSTER_LABS_LIB_NAME = (const char *)p;
return 1;
default:
break;
}
CLerr(CL_F_CLUSTER_LABS_CTRL, CL_R_COMMAND_NOT_IMPLEMENTED);
return 0;
}
static int cluster_labs_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_MOD_EXP, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_mod_exp == NULL) {
CLerr(CL_F_CLUSTER_LABS_MOD_EXP, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_mod_exp(r, a, p, m, ctx);
}
static int cluster_labs_mod_exp_crt(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
const BIGNUM *q, const BIGNUM *dmp1,
const BIGNUM *dmq1, const BIGNUM *iqmp,
BN_CTX *ctx)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_MOD_EXP_CRT, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_mod_exp_crt == NULL) {
CLerr(CL_F_CLUSTER_LABS_MOD_EXP_CRT, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_mod_exp_crt(r, a, p, q, dmp1, dmq1, iqmp, ctx);
}
static int cluster_labs_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_MOD_EXP, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_rsa_mod_exp == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_MOD_EXP, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_rsa_mod_exp(r0, I, rsa);
}
static DSA_SIG *cluster_labs_dsa_sign(const unsigned char *dgst, int dlen,
DSA *dsa)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_DSA_SIGN, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_dsa_sign == NULL) {
CLerr(CL_F_CLUSTER_LABS_DSA_SIGN, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_dsa_sign(dgst, dlen, dsa);
}
static int cluster_labs_dsa_verify(const unsigned char *dgst, int dgst_len,
DSA_SIG *sig, DSA *dsa)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_DSA_VERIFY, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_dsa_verify == NULL) {
CLerr(CL_F_CLUSTER_LABS_DSA_VERIFY, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_dsa_verify(dgst, dgst_len, sig, dsa);
}
static int cluster_labs_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
BIGNUM *p1, BIGNUM *a2, BIGNUM *p2,
BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *in_mont)
{
BIGNUM t;
int status = 0;
BN_init(&t);
/* let rr = a1 ^ p1 mod m */
if (!cluster_labs_mod_exp(rr, a1, p1, m, ctx))
goto end;
/* let t = a2 ^ p2 mod m */
if (!cluster_labs_mod_exp(&t, a2, p2, m, ctx))
goto end;
/* let rr = rr * t mod m */
if (!BN_mod_mul(rr, rr, &t, m, ctx))
goto end;
status = 1;
end:
BN_free(&t);
return (1);
}
static int cluster_labs_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
const BIGNUM *p, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
return cluster_labs_mod_exp(r, a, p, m, ctx);
}
/* This function is aliased to mod_exp (with the mont stuff dropped). */
static int cluster_labs_mod_exp_mont(BIGNUM *r, const BIGNUM *a,
const BIGNUM *p, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
return cluster_labs_mod_exp(r, a, p, m, ctx);
}
/* This function is aliased to mod_exp (with the dh and mont dropped). */
static int cluster_labs_mod_exp_dh(const DH *dh, BIGNUM *r, const BIGNUM *a,
const BIGNUM *p, const BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
return cluster_labs_mod_exp(r, a, p, m, ctx);
}
static int cluster_labs_rsa_pub_enc(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_PUB_ENC, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_rsa_priv_enc == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_PUB_ENC, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_rsa_pub_enc(flen, from, to, rsa, padding);
}
static int cluster_labs_rsa_pub_dec(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_PUB_DEC, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_rsa_priv_enc == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_PUB_DEC, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_rsa_pub_dec(flen, from, to, rsa, padding);
}
static int cluster_labs_rsa_priv_enc(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_PRIV_ENC, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_rsa_priv_enc == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_PRIV_ENC, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_rsa_priv_enc(flen, from, to, rsa, padding);
}
static int cluster_labs_rsa_priv_dec(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_PRIV_DEC, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_rsa_priv_dec == NULL) {
CLerr(CL_F_CLUSTER_LABS_RSA_PRIV_DEC, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_rsa_priv_dec(flen, from, to, rsa, padding);
}
/************************************************************************************
* Symmetric algorithms
************************************************************************************/
/* this will be come soon! */
/************************************************************************************
* Random generator
************************************************************************************/
static int cluster_labs_rand_bytes(unsigned char *buf, int num)
{
if (cluster_labs_dso == NULL) {
CLerr(CL_F_CLUSTER_LABS_RAND_BYTES, CL_R_NOT_LOADED);
return 0;
}
if (p_cl_mod_exp_crt == NULL) {
CLerr(CL_F_CLUSTER_LABS_RAND_BYTES, CL_R_FUNCTION_NOT_BINDED);
return 0;
}
return p_cl_rand_bytes(buf, num);
}
/*
* This stuff is needed if this ENGINE is being compiled into a
* self-contained shared-library.
*/
# ifdef ENGINE_DYNAMIC_SUPPORT
static int bind_fn(ENGINE *e, const char *id)
{
fprintf(stderr, "bind_fn CLUSTER_LABS\n");
if (id && (strcmp(id, engine_cluster_labs_id) != 0)) {
fprintf(stderr, "bind_fn return(0) first\n");
return 0;
}
if (!bind_helper(e)) {
fprintf(stderr, "bind_fn return(1) first\n");
return 0;
}
fprintf(stderr, "bind_fn return(1)\n");
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
# endif /* ENGINE_DYNAMIC_SUPPORT */
# endif /* !NO_HW_CLUSTER_LABS */
#endif /* !NO_HW */

8
demos/engines/cluster_labs/hw_cluster_labs.ec
View File

@ -1,8 +0,0 @@
# configuration file for util/mkerr.pl
#
# use like this:
#
# perl ../../../util/mkerr.pl -conf hw_cluster_labs.ec \
# -nostatic -staticloader -write *.c
L CL hw_cluster_labs_err.h hw_cluster_labs_err.c

151
demos/engines/cluster_labs/hw_cluster_labs_err.c
View File

@ -1,151 +0,0 @@
/* ====================================================================
* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/*
* NOTE: this file was auto generated by the mkerr.pl script: any changes
* made to it will be overwritten when the script next updates this file,
* only reason strings will be preserved.
*/
#include <stdio.h>
#include <openssl/err.h>
#include "hw_cluster_labs_err.h"
/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA CL_str_functs[] = {
{ERR_PACK(0, CL_F_CLUSTER_LABS_CTRL, 0), "CLUSTER_LABS_CTRL"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_DSA_SIGN, 0), "CLUSTER_LABS_DSA_SIGN"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_DSA_VERIFY, 0), "CLUSTER_LABS_DSA_VERIFY"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_FINISH, 0), "CLUSTER_LABS_FINISH"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_INIT, 0), "CLUSTER_LABS_INIT"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_MOD_EXP, 0), "CLUSTER_LABS_MOD_EXP"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_MOD_EXP_CRT, 0),
"CLUSTER_LABS_MOD_EXP_CRT"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_RAND_BYTES, 0), "CLUSTER_LABS_RAND_BYTES"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_RSA_MOD_EXP, 0),
"CLUSTER_LABS_RSA_MOD_EXP"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_RSA_PRIV_DEC, 0),
"CLUSTER_LABS_RSA_PRIV_DEC"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_RSA_PRIV_ENC, 0),
"CLUSTER_LABS_RSA_PRIV_ENC"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_RSA_PUB_DEC, 0),
"CLUSTER_LABS_RSA_PUB_DEC"},
{ERR_PACK(0, CL_F_CLUSTER_LABS_RSA_PUB_ENC, 0),
"CLUSTER_LABS_RSA_PUB_ENC"},
{0, NULL}
};
static ERR_STRING_DATA CL_str_reasons[] = {
{CL_R_ALREADY_LOADED, "already loaded"},
{CL_R_COMMAND_NOT_IMPLEMENTED, "command not implemented"},
{CL_R_DSO_FAILURE, "dso failure"},
{CL_R_FUNCTION_NOT_BINDED, "function not binded"},
{CL_R_INIT_FAILED, "init failed"},
{CL_R_NOT_LOADED, "not loaded"},
{0, NULL}
};
#endif
#ifdef CL_LIB_NAME
static ERR_STRING_DATA CL_lib_name[] = {
{0, CL_LIB_NAME},
{0, NULL}
};
#endif
static int CL_lib_error_code = 0;
static int CL_error_init = 1;
static void ERR_load_CL_strings(void)
{
if (CL_lib_error_code == 0)
CL_lib_error_code = ERR_get_next_error_library();
if (CL_error_init) {
CL_error_init = 0;
#ifndef OPENSSL_NO_ERR
ERR_load_strings(CL_lib_error_code, CL_str_functs);
ERR_load_strings(CL_lib_error_code, CL_str_reasons);
#endif
#ifdef CL_LIB_NAME
CL_lib_name->error = ERR_PACK(CL_lib_error_code, 0, 0);
ERR_load_strings(0, CL_lib_name);
#endif
}
}
static void ERR_unload_CL_strings(void)
{
if (CL_error_init == 0) {
#ifndef OPENSSL_NO_ERR
ERR_unload_strings(CL_lib_error_code, CL_str_functs);
ERR_unload_strings(CL_lib_error_code, CL_str_reasons);
#endif
#ifdef CL_LIB_NAME
ERR_unload_strings(0, CL_lib_name);
#endif
CL_error_init = 1;
}
}
static void ERR_CL_error(int function, int reason, char *file, int line)
{
if (CL_lib_error_code == 0)
CL_lib_error_code = ERR_get_next_error_library();
ERR_PUT_error(CL_lib_error_code, function, reason, file, line);
}

100
demos/engines/cluster_labs/hw_cluster_labs_err.h
View File

@ -1,100 +0,0 @@
/* ====================================================================
* Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef HEADER_CL_ERR_H
# define HEADER_CL_ERR_H
#ifdef __cplusplus
extern "C" {
#endif
/* BEGIN ERROR CODES */
/*
* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
static void ERR_load_CL_strings(void);
static void ERR_unload_CL_strings(void);
static void ERR_CL_error(int function, int reason, char *file, int line);
# define CLerr(f,r) ERR_CL_error((f),(r),OPENSSL_FILE,OPENSSL_LINE)
/* Error codes for the CL functions. */
/* Function codes. */
# define CL_F_CLUSTER_LABS_CTRL 100
# define CL_F_CLUSTER_LABS_DSA_SIGN 101
# define CL_F_CLUSTER_LABS_DSA_VERIFY 102
# define CL_F_CLUSTER_LABS_FINISH 103
# define CL_F_CLUSTER_LABS_INIT 104
# define CL_F_CLUSTER_LABS_MOD_EXP 105
# define CL_F_CLUSTER_LABS_MOD_EXP_CRT 106
# define CL_F_CLUSTER_LABS_RAND_BYTES 107
# define CL_F_CLUSTER_LABS_RSA_MOD_EXP 108
# define CL_F_CLUSTER_LABS_RSA_PRIV_DEC 109
# define CL_F_CLUSTER_LABS_RSA_PRIV_ENC 110
# define CL_F_CLUSTER_LABS_RSA_PUB_DEC 111
# define CL_F_CLUSTER_LABS_RSA_PUB_ENC 112
/* Reason codes. */
# define CL_R_ALREADY_LOADED 100
# define CL_R_COMMAND_NOT_IMPLEMENTED 101
# define CL_R_DSO_FAILURE 102
# define CL_R_FUNCTION_NOT_BINDED 103
# define CL_R_INIT_FAILED 104
# define CL_R_NOT_LOADED 105
#ifdef __cplusplus
}
#endif
#endif

93
demos/engines/ibmca/Makefile.in
View File

@ -1,93 +0,0 @@
LIBNAME= libibmca
SRC= hw_ibmca.c
OBJ= hw_ibmca.o
HEADER= hw_ibmca.h
CC= gcc
PIC= -fPIC
CFLAGS= -g -I../../../include $(PIC) -DENGINE_DYNAMIC_SUPPORT -DFLAT_INC
AR= ar r
RANLIB= ranlib
LIB= $(LIBNAME).a
SHLIB= $(LIBNAME).so
all:
@echo 'Please choose a system to build on:'
@echo ''
@echo 'tru64: Tru64 Unix, Digital Unix, Digital OSF/1'
@echo 'solaris: Solaris'
@echo 'irix: IRIX'
@echo 'hpux32: 32-bit HP/UX'
@echo 'hpux64: 64-bit HP/UX'
@echo 'aix: AIX'
@echo 'gnu: Generic GNU-based system (gcc and GNU ld)'
@echo ''
generate:
perl ../../../util/mkerr.pl -conf hw_ibmca.ec \
-nostatic -staticloader -write hw_ibmca.c
gnu: $(SHLIB).gnu
tru64: $(SHLIB).tru64
solaris: $(SHLIB).solaris
irix: $(SHLIB).irix
hpux32: $(SHLIB).hpux32
hpux64: $(SHLIB).hpux64
aix: $(SHLIB).aix
$(LIB): $(OBJ)
$(AR) $(LIB) $(OBJ)
- $(RANLIB) $(LIB)
LINK_SO= \
ld -r -o $(LIBNAME).o $$ALLSYMSFLAGS $(LIB) && \
(nm -Pg $(LIBNAME).o | grep ' [BDT] ' | cut -f1 -d' ' > $(LIBNAME).exp; \
$$SHAREDCMD $$SHAREDFLAGS -o $(SHLIB) $(LIBNAME).o -L ../../.. -lcrypto -lc)
$(SHLIB).gnu: $(LIB)
ALLSYMSFLAGS='--whole-archive' \
SHAREDFLAGS='-shared -Wl,-soname=$(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).gnu
$(SHLIB).tru64: $(LIB)
ALLSYMSFLAGS='-all' \
SHAREDFLAGS='-shared' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).tru64
$(SHLIB).solaris: $(LIB)
ALLSYMSFLAGS='-z allextract' \
SHAREDFLAGS='-G -h $(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).solaris
$(SHLIB).irix: $(LIB)
ALLSYMSFLAGS='-all' \
SHAREDFLAGS='-shared -Wl,-soname,$(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).irix
$(SHLIB).hpux32: $(LIB)
ALLSYMSFLAGS='-Fl' \
SHAREDFLAGS='+vnocompatwarnings -b -z +s +h $(SHLIB)' \
SHAREDCMD='/usr/ccs/bin/ld'; \
$(LINK_SO)
touch $(SHLIB).hpux32
$(SHLIB).hpux64: $(LIB)
ALLSYMSFLAGS='+forceload' \
SHAREDFLAGS='-b -z +h $(SHLIB)' \
SHAREDCMD='/usr/ccs/bin/ld'; \
$(LINK_SO)
touch $(SHLIB).hpux64
$(SHLIB).aix: $(LIB)
ALLSYMSFLAGS='-bnogc' \
SHAREDFLAGS='-G -bE:$(LIBNAME).exp -bM:SRE' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).aix
depend:
# DO NOT DELETE THIS LINE -- make depend depends on it.

896
demos/engines/ibmca/hw_ibmca.c
View File

@ -1,896 +0,0 @@
/*
* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project
* 2000.
*/
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/* (C) COPYRIGHT International Business Machines Corp. 2001 */
#include <stdio.h>
#include <openssl/crypto.h>
#include <openssl/dso.h>
#include <openssl/engine.h>
#ifndef OPENSSL_NO_HW
# ifndef OPENSSL_NO_HW_IBMCA
# ifdef FLAT_INC
# include "ica_openssl_api.h"
# else
# include "vendor_defns/ica_openssl_api.h"
# endif
# define IBMCA_LIB_NAME "ibmca engine"
# include "hw_ibmca_err.c"
static int ibmca_destroy(ENGINE *e);
static int ibmca_init(ENGINE *e);
static int ibmca_finish(ENGINE *e);
static int ibmca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) ());
static const char *IBMCA_F1 = "icaOpenAdapter";
static const char *IBMCA_F2 = "icaCloseAdapter";
static const char *IBMCA_F3 = "icaRsaModExpo";
static const char *IBMCA_F4 = "icaRandomNumberGenerate";
static const char *IBMCA_F5 = "icaRsaCrt";
ICA_ADAPTER_HANDLE handle = 0;
/* BIGNUM stuff */
static int ibmca_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx);
static int ibmca_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *q, const BIGNUM *dmp1,
const BIGNUM *dmq1, const BIGNUM *iqmp,
BN_CTX *ctx);
# ifndef OPENSSL_NO_RSA
/* RSA stuff */
static int ibmca_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
# endif
/* This function is aliased to mod_exp (with the mont stuff dropped). */
static int ibmca_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *m_ctx);
# ifndef OPENSSL_NO_DSA
/* DSA stuff */
static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *in_mont);
static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *m_ctx);
# endif
# ifndef OPENSSL_NO_DH
/* DH stuff */
/* This function is alised to mod_exp (with the DH and mont dropped). */
static int ibmca_mod_exp_dh(const DH *dh, BIGNUM *r,
const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
# endif
/* RAND stuff */
static int ibmca_rand_bytes(unsigned char *buf, int num);
static int ibmca_rand_status(void);
/* WJH - check for more commands, like in nuron */
/* The definitions for control commands specific to this engine */
# define IBMCA_CMD_SO_PATH ENGINE_CMD_BASE
static const ENGINE_CMD_DEFN ibmca_cmd_defns[] = {
{IBMCA_CMD_SO_PATH,
"SO_PATH",
"Specifies the path to the 'atasi' shared library",
ENGINE_CMD_FLAG_STRING},
{0, NULL, NULL, 0}
};
# ifndef OPENSSL_NO_RSA
/* Our internal RSA_METHOD that we provide pointers to */
static RSA_METHOD ibmca_rsa = {
"Ibmca RSA method",
NULL,
NULL,
NULL,
NULL,
ibmca_rsa_mod_exp,
ibmca_mod_exp_mont,
NULL,
NULL,
0,
NULL,
NULL,
NULL
};
# endif
# ifndef OPENSSL_NO_DSA
/* Our internal DSA_METHOD that we provide pointers to */
static DSA_METHOD ibmca_dsa = {
"Ibmca DSA method",
NULL, /* dsa_do_sign */
NULL, /* dsa_sign_setup */
NULL, /* dsa_do_verify */
ibmca_dsa_mod_exp, /* dsa_mod_exp */
ibmca_mod_exp_dsa, /* bn_mod_exp */
NULL, /* init */
NULL, /* finish */
0, /* flags */
NULL /* app_data */
};
# endif
# ifndef OPENSSL_NO_DH
/* Our internal DH_METHOD that we provide pointers to */
static DH_METHOD ibmca_dh = {
"Ibmca DH method",
NULL,
NULL,
ibmca_mod_exp_dh,
NULL,
NULL,
0,
NULL
};
# endif
static RAND_METHOD ibmca_rand = {
/* "IBMCA RAND method", */
NULL,
ibmca_rand_bytes,
NULL,
NULL,
ibmca_rand_bytes,
ibmca_rand_status,
};
/* Constants used when creating the ENGINE */
static const char *engine_ibmca_id = "ibmca";
static const char *engine_ibmca_name = "Ibmca hardware engine support";
/*
* This internal function is used by ENGINE_ibmca() and possibly by the
* "dynamic" ENGINE support too
*/
static int bind_helper(ENGINE *e)
{
# ifndef OPENSSL_NO_RSA
const RSA_METHOD *meth1;
# endif
# ifndef OPENSSL_NO_DSA
const DSA_METHOD *meth2;
# endif
# ifndef OPENSSL_NO_DH
const DH_METHOD *meth3;
# endif
if (!ENGINE_set_id(e, engine_ibmca_id) ||
!ENGINE_set_name(e, engine_ibmca_name) ||
# ifndef OPENSSL_NO_RSA
!ENGINE_set_RSA(e, &ibmca_rsa) ||
# endif
# ifndef OPENSSL_NO_DSA
!ENGINE_set_DSA(e, &ibmca_dsa) ||
# endif
# ifndef OPENSSL_NO_DH
!ENGINE_set_DH(e, &ibmca_dh) ||
# endif
!ENGINE_set_RAND(e, &ibmca_rand) ||
!ENGINE_set_destroy_function(e, ibmca_destroy) ||
!ENGINE_set_init_function(e, ibmca_init) ||
!ENGINE_set_finish_function(e, ibmca_finish) ||
!ENGINE_set_ctrl_function(e, ibmca_ctrl) ||
!ENGINE_set_cmd_defns(e, ibmca_cmd_defns))
return 0;
# ifndef OPENSSL_NO_RSA
/*
* We know that the "PKCS1_OpenSSL()" functions hook properly to the
* ibmca-specific mod_exp and mod_exp_crt so we use those functions. NB:
* We don't use ENGINE_openssl() or anything "more generic" because
* something like the RSAref code may not hook properly, and if you own
* one of these cards then you have the right to do RSA operations on it
* anyway!
*/
meth1 = RSA_PKCS1_OpenSSL();
ibmca_rsa.rsa_pub_enc = meth1->rsa_pub_enc;
ibmca_rsa.rsa_pub_dec = meth1->rsa_pub_dec;
ibmca_rsa.rsa_priv_enc = meth1->rsa_priv_enc;
ibmca_rsa.rsa_priv_dec = meth1->rsa_priv_dec;
# endif
# ifndef OPENSSL_NO_DSA
/*
* Use the DSA_OpenSSL() method and just hook the mod_exp-ish bits.
*/
meth2 = DSA_OpenSSL();
ibmca_dsa.dsa_do_sign = meth2->dsa_do_sign;
ibmca_dsa.dsa_sign_setup = meth2->dsa_sign_setup;
ibmca_dsa.dsa_do_verify = meth2->dsa_do_verify;
# endif
# ifndef OPENSSL_NO_DH
/* Much the same for Diffie-Hellman */
meth3 = DH_OpenSSL();
ibmca_dh.generate_key = meth3->generate_key;
ibmca_dh.compute_key = meth3->compute_key;
# endif
/* Ensure the ibmca error handling is set up */
ERR_load_IBMCA_strings();
return 1;
}
static ENGINE *engine_ibmca(void)
{
ENGINE *ret = ENGINE_new();
if (!ret)
return NULL;
if (!bind_helper(ret)) {
ENGINE_free(ret);
return NULL;
}
return ret;
}
# ifdef ENGINE_DYNAMIC_SUPPORT
static
# endif
void ENGINE_load_ibmca(void)
{
/* Copied from eng_[openssl|dyn].c */
ENGINE *toadd = engine_ibmca();
if (!toadd)
return;
ENGINE_add(toadd);
ENGINE_free(toadd);
ERR_clear_error();
}
/* Destructor (complements the "ENGINE_ibmca()" constructor) */
static int ibmca_destroy(ENGINE *e)
{
/*
* Unload the ibmca error strings so any error state including our functs
* or reasons won't lead to a segfault (they simply get displayed without
* corresponding string data because none will be found).
*/
ERR_unload_IBMCA_strings();
return 1;
}
/*
* This is a process-global DSO handle used for loading and unloading the
* Ibmca library. NB: This is only set (or unset) during an init() or
* finish() call (reference counts permitting) and they're operating with
* global locks, so this should be thread-safe implicitly.
*/
static DSO *ibmca_dso = NULL;
/*
* These are the function pointers that are (un)set when the library has
* successfully (un)loaded.
*/
static unsigned int (ICA_CALL * p_icaOpenAdapter) ();
static unsigned int (ICA_CALL * p_icaCloseAdapter) ();
static unsigned int (ICA_CALL * p_icaRsaModExpo) ();
static unsigned int (ICA_CALL * p_icaRandomNumberGenerate) ();
static unsigned int (ICA_CALL * p_icaRsaCrt) ();
/* utility function to obtain a context */
static int get_context(ICA_ADAPTER_HANDLE * p_handle)
{
unsigned int status = 0;
status = p_icaOpenAdapter(0, p_handle);
if (status != 0)
return 0;
return 1;
}
/* similarly to release one. */
static void release_context(ICA_ADAPTER_HANDLE handle)
{
p_icaCloseAdapter(handle);
}
/* (de)initialisation functions. */
static int ibmca_init(ENGINE *e)
{
void (*p1) ();
void (*p2) ();
void (*p3) ();
void (*p4) ();
void (*p5) ();
if (ibmca_dso != NULL) {
IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_ALREADY_LOADED);
goto err;
}
/*
* Attempt to load libatasi.so/atasi.dll/whatever. Needs to be changed
* unfortunately because the Ibmca drivers don't have standard library
* names that can be platform-translated well.
*/
/*
* TODO: Work out how to actually map to the names the Ibmca drivers
* really use - for now a symbollic link needs to be created on the host
* system from libatasi.so to atasi.so on unix variants.
*/
/* WJH XXX check name translation */
ibmca_dso = DSO_load(NULL, IBMCA_LIBNAME, NULL,
/*
* DSO_FLAG_NAME_TRANSLATION
*/ 0);
if (ibmca_dso == NULL) {
IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_DSO_FAILURE);
goto err;
}
if ((p1 = DSO_bind_func(ibmca_dso, IBMCA_F1)) == NULL
|| (p2 = DSO_bind_func(ibmca_dso, IBMCA_F2)) == NULL
|| (p3 = DSO_bind_func(ibmca_dso, IBMCA_F3)) == NULL
|| (p4 = DSO_bind_func(ibmca_dso, IBMCA_F4)) == NULL
|| (p5 = DSO_bind_func(ibmca_dso, IBMCA_F5)) == NULL) {
IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_DSO_FAILURE);
goto err;
}
/* Copy the pointers */
p_icaOpenAdapter = (unsigned int (ICA_CALL *) ())p1;
p_icaCloseAdapter = (unsigned int (ICA_CALL *) ())p2;
p_icaRsaModExpo = (unsigned int (ICA_CALL *) ())p3;
p_icaRandomNumberGenerate = (unsigned int (ICA_CALL *) ())p4;
p_icaRsaCrt = (unsigned int (ICA_CALL *) ())p5;
if (!get_context(&handle)) {
IBMCAerr(IBMCA_F_IBMCA_INIT, IBMCA_R_UNIT_FAILURE);
goto err;
}
return 1;
err:
DSO_free(ibmca_dso);
p_icaOpenAdapter = NULL;
p_icaCloseAdapter = NULL;
p_icaRsaModExpo = NULL;
p_icaRandomNumberGenerate = NULL;
return 0;
}
static int ibmca_finish(ENGINE *e)
{
if (ibmca_dso == NULL) {
IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_NOT_LOADED);
return 0;
}
release_context(handle);
if (!DSO_free(ibmca_dso)) {
IBMCAerr(IBMCA_F_IBMCA_FINISH, IBMCA_R_DSO_FAILURE);
return 0;
}
ibmca_dso = NULL;
return 1;
}
static int ibmca_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f) ())
{
int initialised = ((ibmca_dso == NULL) ? 0 : 1);
switch (cmd) {
case IBMCA_CMD_SO_PATH:
if (p == NULL) {
IBMCAerr(IBMCA_F_IBMCA_CTRL, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (initialised) {
IBMCAerr(IBMCA_F_IBMCA_CTRL, IBMCA_R_ALREADY_LOADED);
return 0;
}
IBMCA_LIBNAME = (const char *)p;
return 1;
default:
break;
}
IBMCAerr(IBMCA_F_IBMCA_CTRL, IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED);
return 0;
}
static int ibmca_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx)
{
/*
* I need somewhere to store temporary serialised values for use with the
* Ibmca API calls. A neat cheat - I'll use BIGNUMs from the BN_CTX but
* access their arrays directly as byte arrays <grin>. This way I don't
* have to clean anything up.
*/
BIGNUM *argument = NULL;
BIGNUM *result = NULL;
BIGNUM *key = NULL;
int to_return;
int inLen, outLen, tmpLen;
ICA_KEY_RSA_MODEXPO *publKey = NULL;
unsigned int rc;
to_return = 0; /* expect failure */
if (!ibmca_dso) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_NOT_LOADED);
goto err;
}
/* Prepare the params */
BN_CTX_start(ctx);
argument = BN_CTX_get(ctx);
result = BN_CTX_get(ctx);
key = BN_CTX_get(ctx);
if (!argument || !result || !key) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_BN_CTX_FULL);
goto err;
}
if (!bn_wexpand(argument, m->top) || !bn_wexpand(result, m->top) ||
!bn_wexpand(key, sizeof(*publKey) / BN_BYTES)) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_BN_EXPAND_FAIL);
goto err;
}
publKey = (ICA_KEY_RSA_MODEXPO *)key->d;
if (publKey == NULL) {
goto err;
}
memset(publKey, 0, sizeof(*publKey));
publKey->keyType = CORRECT_ENDIANNESS(ME_KEY_TYPE);
publKey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_MODEXPO));
publKey->expOffset = (char *)publKey->keyRecord - (char *)publKey;
/*
* A quirk of the card: the exponent length has to be the same as the
* modulus (key) length
*/
outLen = BN_num_bytes(m);
/* check for modulus length SAB*/
if (outLen > 256) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_MEXP_LENGTH_TO_LARGE);
goto err;
}
/* check for modulus length SAB*/
publKey->expLength = publKey->nLength = outLen;
/*
* SAB Check for underflow condition the size of the exponent is less
* than the size of the parameter then we have a big problem and will
* underflow the keyRecord buffer. Bad stuff could happen then
*/
if (outLen < BN_num_bytes(p)) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_UNDERFLOW_KEYRECORD);
goto err;
}
/* SAB End check for underflow */
BN_bn2bin(p, &publKey->keyRecord[publKey->expLength - BN_num_bytes(p)]);
BN_bn2bin(m, &publKey->keyRecord[publKey->expLength]);
publKey->modulusBitLength = CORRECT_ENDIANNESS(publKey->nLength * 8);
publKey->nOffset = CORRECT_ENDIANNESS(publKey->expOffset +
publKey->expLength);
publKey->expOffset = CORRECT_ENDIANNESS((char *)publKey->keyRecord -
(char *)publKey);
tmpLen = outLen;
publKey->expLength = publKey->nLength = CORRECT_ENDIANNESS(tmpLen);
/* Prepare the argument */
memset(argument->d, 0, outLen);
BN_bn2bin(a, (unsigned char *)argument->d + outLen - BN_num_bytes(a));
inLen = outLen;
/* Perform the operation */
if ((rc = p_icaRsaModExpo(handle, inLen, (unsigned char *)argument->d,
publKey, &outLen, (unsigned char *)result->d))
!= 0) {
printf("rc = %d\n", rc);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP, IBMCA_R_REQUEST_FAILED);
goto err;
}
/* Convert the response */
BN_bin2bn((unsigned char *)result->d, outLen, r);
to_return = 1;
err:
BN_CTX_end(ctx);
return to_return;
}
# ifndef OPENSSL_NO_RSA
static int ibmca_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
{
BN_CTX *ctx;
int to_return = 0;
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if (!rsa->p || !rsa->q || !rsa->dmp1 || !rsa->dmq1 || !rsa->iqmp) {
if (!rsa->d || !rsa->n) {
IBMCAerr(IBMCA_F_IBMCA_RSA_MOD_EXP,
IBMCA_R_MISSING_KEY_COMPONENTS);
goto err;
}
to_return = ibmca_mod_exp(r0, I, rsa->d, rsa->n, ctx);
} else {
to_return = ibmca_mod_exp_crt(r0, I, rsa->p, rsa->q, rsa->dmp1,
rsa->dmq1, rsa->iqmp, ctx);
}
err:
BN_CTX_free(ctx);
return to_return;
}
# endif
/* Ein kleines chinesisches "Restessen" */
static int ibmca_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *q, const BIGNUM *dmp1,
const BIGNUM *dmq1, const BIGNUM *iqmp,
BN_CTX *ctx)
{
BIGNUM *argument = NULL;
BIGNUM *result = NULL;
BIGNUM *key = NULL;
int to_return = 0; /* expect failure */
char *pkey = NULL;
ICA_KEY_RSA_CRT *privKey = NULL;
int inLen, outLen;
int rc;
unsigned int offset, pSize, qSize;
/* SAB New variables */
unsigned int keyRecordSize;
unsigned int pbytes = BN_num_bytes(p);
unsigned int qbytes = BN_num_bytes(q);
unsigned int dmp1bytes = BN_num_bytes(dmp1);
unsigned int dmq1bytes = BN_num_bytes(dmq1);
unsigned int iqmpbytes = BN_num_bytes(iqmp);
/* Prepare the params */
BN_CTX_start(ctx);
argument = BN_CTX_get(ctx);
result = BN_CTX_get(ctx);
key = BN_CTX_get(ctx);
if (!argument || !result || !key) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_BN_CTX_FULL);
goto err;
}
if (!bn_wexpand(argument, p->top + q->top) ||
!bn_wexpand(result, p->top + q->top) ||
!bn_wexpand(key, sizeof(*privKey) / BN_BYTES)) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_BN_EXPAND_FAIL);
goto err;
}
privKey = (ICA_KEY_RSA_CRT *)key->d;
/*
* SAB Add check for total size in bytes of the parms does not exceed the
* buffer space we have do this first
*/
keyRecordSize = pbytes + qbytes + dmp1bytes + dmq1bytes + iqmpbytes;
if (keyRecordSize > sizeof(privKey->keyRecord)) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
if ((qbytes + dmq1bytes) > 256) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
if (pbytes + dmp1bytes > 256) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
/* end SAB additions */
memset(privKey, 0, sizeof(*privKey));
privKey->keyType = CORRECT_ENDIANNESS(CRT_KEY_TYPE);
privKey->keyLength = CORRECT_ENDIANNESS(sizeof(ICA_KEY_RSA_CRT));
privKey->modulusBitLength = CORRECT_ENDIANNESS(BN_num_bytes(q) * 2 * 8);
/*
* p,dp & qInv are 1 QWORD Larger
*/
privKey->pLength = CORRECT_ENDIANNESS(BN_num_bytes(p) + 8);
privKey->qLength = CORRECT_ENDIANNESS(BN_num_bytes(q));
privKey->dpLength = CORRECT_ENDIANNESS(BN_num_bytes(dmp1) + 8);
privKey->dqLength = CORRECT_ENDIANNESS(BN_num_bytes(dmq1));
privKey->qInvLength = CORRECT_ENDIANNESS(BN_num_bytes(iqmp) + 8);
offset = (char *)privKey->keyRecord - (char *)privKey;
qSize = BN_num_bytes(q);
pSize = qSize + 8; /* 1 QWORD larger */
/*
* SAB probably aittle redundant, but we'll verify that each of the
* components which make up a key record sent ot the card does not exceed
* the space that is allocated for it. this handles the case where even
* if the total length does not exceed keyrecord zied, if the operands are
* funny sized they could cause potential side affects on either the card
* or the result
*/
if ((pbytes > pSize) || (dmp1bytes > pSize) ||
(iqmpbytes > pSize) || (qbytes > qSize) || (dmq1bytes > qSize)) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_OPERANDS_TO_LARGE);
goto err;
}
privKey->dpOffset = CORRECT_ENDIANNESS(offset);
offset += pSize;
privKey->dqOffset = CORRECT_ENDIANNESS(offset);
offset += qSize;
privKey->pOffset = CORRECT_ENDIANNESS(offset);
offset += pSize;
privKey->qOffset = CORRECT_ENDIANNESS(offset);
offset += qSize;
privKey->qInvOffset = CORRECT_ENDIANNESS(offset);
pkey = (char *)privKey->keyRecord;
/* SAB first check that we don;t under flow the buffer */
if (pSize < pbytes) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_UNDERFLOW_CONDITION);
goto err;
}
/* pkey += pSize - BN_num_bytes(p); WROING this should be dmp1) */
pkey += pSize - BN_num_bytes(dmp1);
BN_bn2bin(dmp1, pkey);
pkey += BN_num_bytes(dmp1); /* move the pointer */
BN_bn2bin(dmq1, pkey); /* Copy over dmq1 */
pkey += qSize; /* move pointer */
/* set up for zero padding of next field */
pkey += pSize - BN_num_bytes(p);
BN_bn2bin(p, pkey);
/* increment pointer by number of bytes moved */
pkey += BN_num_bytes(p);
BN_bn2bin(q, pkey);
pkey += qSize; /* move the pointer */
pkey += pSize - BN_num_bytes(iqmp); /* Adjust for padding */
BN_bn2bin(iqmp, pkey);
/* Prepare the argument and response */
/*
* Correct endianess is used because the fields were converted above
*/
outLen = CORRECT_ENDIANNESS(privKey->qLength) * 2;
if (outLen > 256) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_OUTLEN_TO_LARGE);
goto err;
}
/* SAB check for underflow here on the argeument */
if (outLen < BN_num_bytes(a)) {
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_UNDERFLOW_CONDITION);
goto err;
}
BN_bn2bin(a, (unsigned char *)argument->d + outLen - BN_num_bytes(a));
inLen = outLen;
memset(result->d, 0, outLen);
/* Perform the operation */
if ((rc = p_icaRsaCrt(handle, inLen, (unsigned char *)argument->d,
privKey, &outLen, (unsigned char *)result->d)) != 0)
{
printf("rc = %d\n", rc);
IBMCAerr(IBMCA_F_IBMCA_MOD_EXP_CRT, IBMCA_R_REQUEST_FAILED);
goto err;
}
/* Convert the response */
BN_bin2bn((unsigned char *)result->d, outLen, r);
to_return = 1;
err:
BN_CTX_end(ctx);
return to_return;
}
# ifndef OPENSSL_NO_DSA
/*
* This code was liberated and adapted from the commented-out code in
* dsa_ossl.c. Because of the unoptimised form of the Ibmca acceleration (it
* doesn't have a CRT form for RSA), this function means that an Ibmca system
* running with a DSA server certificate can handshake around 5 or 6 times
* faster/more than an equivalent system running with RSA. Just check out the
* "signs" statistics from the RSA and DSA parts of "openssl speed -engine
* ibmca dsa1024 rsa1024".
*/
static int ibmca_dsa_mod_exp(DSA *dsa, BIGNUM *rr, BIGNUM *a1,
BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, BIGNUM *m,
BN_CTX *ctx, BN_MONT_CTX *in_mont)
{
BIGNUM t;
int to_return = 0;
BN_init(&t);
/* let rr = a1 ^ p1 mod m */
if (!ibmca_mod_exp(rr, a1, p1, m, ctx))
goto end;
/* let t = a2 ^ p2 mod m */
if (!ibmca_mod_exp(&t, a2, p2, m, ctx))
goto end;
/* let rr = rr * t mod m */
if (!BN_mod_mul(rr, rr, &t, m, ctx))
goto end;
to_return = 1;
end:
BN_free(&t);
return to_return;
}
static int ibmca_mod_exp_dsa(DSA *dsa, BIGNUM *r, BIGNUM *a,
const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *m_ctx)
{
return ibmca_mod_exp(r, a, p, m, ctx);
}
# endif
/* This function is aliased to mod_exp (with the mont stuff dropped). */
static int ibmca_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx,
BN_MONT_CTX *m_ctx)
{
return ibmca_mod_exp(r, a, p, m, ctx);
}
# ifndef OPENSSL_NO_DH
/* This function is aliased to mod_exp (with the dh and mont dropped). */
static int ibmca_mod_exp_dh(DH const *dh, BIGNUM *r,
const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
return ibmca_mod_exp(r, a, p, m, ctx);
}
# endif
/* Random bytes are good */
static int ibmca_rand_bytes(unsigned char *buf, int num)
{
int to_return = 0; /* assume failure */
unsigned int ret;
if (handle == 0) {
IBMCAerr(IBMCA_F_IBMCA_RAND_BYTES, IBMCA_R_NOT_INITIALISED);
goto err;
}
ret = p_icaRandomNumberGenerate(handle, num, buf);
if (ret < 0) {
IBMCAerr(IBMCA_F_IBMCA_RAND_BYTES, IBMCA_R_REQUEST_FAILED);
goto err;
}
to_return = 1;
err:
return to_return;
}
static int ibmca_rand_status(void)
{
return 1;
}
/*
* This stuff is needed if this ENGINE is being compiled into a
* self-contained shared-library.
*/
# ifdef ENGINE_DYNAMIC_SUPPORT
static int bind_fn(ENGINE *e, const char *id)
{
if (id && (strcmp(id, engine_ibmca_id) != 0)) /* WJH XXX */
return 0;
if (!bind_helper(e))
return 0;
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_fn)
# endif /* ENGINE_DYNAMIC_SUPPORT */
# endif /* !OPENSSL_NO_HW_IBMCA */
#endif /* !OPENSSL_NO_HW */

8
demos/engines/ibmca/hw_ibmca.ec
View File

@ -1,8 +0,0 @@
# configuration file for util/mkerr.pl
#
# use like this:
#
# perl ../../../util/mkerr.pl -conf hw_ibmca.ec \
# -nostatic -staticloader -write *.c
L IBMCA hw_ibmca_err.h hw_ibmca_err.c

148
demos/engines/ibmca/hw_ibmca_err.c
View File

@ -1,148 +0,0 @@
/* ====================================================================
* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/*
* NOTE: this file was auto generated by the mkerr.pl script: any changes
* made to it will be overwritten when the script next updates this file,
* only reason strings will be preserved.
*/
#include <stdio.h>
#include <openssl/err.h>
#include "hw_ibmca_err.h"
/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA IBMCA_str_functs[] = {
{ERR_PACK(0, IBMCA_F_IBMCA_CTRL, 0), "IBMCA_CTRL"},
{ERR_PACK(0, IBMCA_F_IBMCA_FINISH, 0), "IBMCA_FINISH"},
{ERR_PACK(0, IBMCA_F_IBMCA_INIT, 0), "IBMCA_INIT"},
{ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP, 0), "IBMCA_MOD_EXP"},
{ERR_PACK(0, IBMCA_F_IBMCA_MOD_EXP_CRT, 0), "IBMCA_MOD_EXP_CRT"},
{ERR_PACK(0, IBMCA_F_IBMCA_RAND_BYTES, 0), "IBMCA_RAND_BYTES"},
{ERR_PACK(0, IBMCA_F_IBMCA_RSA_MOD_EXP, 0), "IBMCA_RSA_MOD_EXP"},
{0, NULL}
};
static ERR_STRING_DATA IBMCA_str_reasons[] = {
{IBMCA_R_ALREADY_LOADED, "already loaded"},
{IBMCA_R_BN_CTX_FULL, "bn ctx full"},
{IBMCA_R_BN_EXPAND_FAIL, "bn expand fail"},
{IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctrl command not implemented"},
{IBMCA_R_DSO_FAILURE, "dso failure"},
{IBMCA_R_MEXP_LENGTH_TO_LARGE, "mexp length to large"},
{IBMCA_R_MISSING_KEY_COMPONENTS, "missing key components"},
{IBMCA_R_NOT_INITIALISED, "not initialised"},
{IBMCA_R_NOT_LOADED, "not loaded"},
{IBMCA_R_OPERANDS_TO_LARGE, "operands to large"},
{IBMCA_R_OUTLEN_TO_LARGE, "outlen to large"},
{IBMCA_R_REQUEST_FAILED, "request failed"},
{IBMCA_R_UNDERFLOW_CONDITION, "underflow condition"},
{IBMCA_R_UNDERFLOW_KEYRECORD, "underflow keyrecord"},
{IBMCA_R_UNIT_FAILURE, "unit failure"},
{0, NULL}
};
#endif
#ifdef IBMCA_LIB_NAME
static ERR_STRING_DATA IBMCA_lib_name[] = {
{0, IBMCA_LIB_NAME},
{0, NULL}
};
#endif
static int IBMCA_lib_error_code = 0;
static int IBMCA_error_init = 1;
static void ERR_load_IBMCA_strings(void)
{
if (IBMCA_lib_error_code == 0)
IBMCA_lib_error_code = ERR_get_next_error_library();
if (IBMCA_error_init) {
IBMCA_error_init = 0;
#ifndef OPENSSL_NO_ERR
ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_functs);
ERR_load_strings(IBMCA_lib_error_code, IBMCA_str_reasons);
#endif
#ifdef IBMCA_LIB_NAME
IBMCA_lib_name->error = ERR_PACK(IBMCA_lib_error_code, 0, 0);
ERR_load_strings(0, IBMCA_lib_name);
#endif
}
}
static void ERR_unload_IBMCA_strings(void)
{
if (IBMCA_error_init == 0) {
#ifndef OPENSSL_NO_ERR
ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_functs);
ERR_unload_strings(IBMCA_lib_error_code, IBMCA_str_reasons);
#endif
#ifdef IBMCA_LIB_NAME
ERR_unload_strings(0, IBMCA_lib_name);
#endif
IBMCA_error_init = 1;
}
}
static void ERR_IBMCA_error(int function, int reason, char *file, int line)
{
if (IBMCA_lib_error_code == 0)
IBMCA_lib_error_code = ERR_get_next_error_library();
ERR_PUT_error(IBMCA_lib_error_code, function, reason, file, line);
}

103
demos/engines/ibmca/hw_ibmca_err.h
View File

@ -1,103 +0,0 @@
/* ====================================================================
* Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef HEADER_IBMCA_ERR_H
# define HEADER_IBMCA_ERR_H
#ifdef __cplusplus
extern "C" {
#endif
/* BEGIN ERROR CODES */
/*
* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
static void ERR_load_IBMCA_strings(void);
static void ERR_unload_IBMCA_strings(void);
static void ERR_IBMCA_error(int function, int reason, char *file, int line);
# define IBMCAerr(f,r) ERR_IBMCA_error((f),(r),OPENSSL_FILE,OPENSSL_LINE)
/* Error codes for the IBMCA functions. */
/* Function codes. */
# define IBMCA_F_IBMCA_CTRL 100
# define IBMCA_F_IBMCA_FINISH 101
# define IBMCA_F_IBMCA_INIT 102
# define IBMCA_F_IBMCA_MOD_EXP 103
# define IBMCA_F_IBMCA_MOD_EXP_CRT 104
# define IBMCA_F_IBMCA_RAND_BYTES 105
# define IBMCA_F_IBMCA_RSA_MOD_EXP 106
/* Reason codes. */
# define IBMCA_R_ALREADY_LOADED 100
# define IBMCA_R_BN_CTX_FULL 101
# define IBMCA_R_BN_EXPAND_FAIL 102
# define IBMCA_R_CTRL_COMMAND_NOT_IMPLEMENTED 103
# define IBMCA_R_DSO_FAILURE 104
# define IBMCA_R_MEXP_LENGTH_TO_LARGE 105
# define IBMCA_R_MISSING_KEY_COMPONENTS 106
# define IBMCA_R_NOT_INITIALISED 107
# define IBMCA_R_NOT_LOADED 108
# define IBMCA_R_OPERANDS_TO_LARGE 109
# define IBMCA_R_OUTLEN_TO_LARGE 110
# define IBMCA_R_REQUEST_FAILED 111
# define IBMCA_R_UNDERFLOW_CONDITION 112
# define IBMCA_R_UNDERFLOW_KEYRECORD 113
# define IBMCA_R_UNIT_FAILURE 114
#ifdef __cplusplus
}
#endif
#endif

183
demos/engines/ibmca/ica_openssl_api.h
View File

@ -1,183 +0,0 @@
#ifndef __ICA_OPENSSL_API_H__
# define __ICA_OPENSSL_API_H__
/**
** abstract data types for API
**/
# define ICA_ADAPTER_HANDLE int
# if defined(linux) || defined (_AIX)
# define ICA_CALL
# endif
# if defined(WIN32) || defined(_WIN32)
# define ICA_CALL __stdcall
# endif
/* -----------------------------------------------*
| RSA defines and typedefs |
*------------------------------------------------*/
/*
* All data elements of the RSA key are in big-endian format
* Modulus-Exponent form of key
*
*/
# define MAX_EXP_SIZE 256
# define MAX_MODULUS_SIZE 256
# define MAX_MODEXP_SIZE (MAX_EXP_SIZE + MAX_MODULUS_SIZE)
# define MAX_OPERAND_SIZE MAX_EXP_SIZE
typedef unsigned char ICA_KEY_RSA_MODEXPO_REC[MAX_MODEXP_SIZE];
/*
* All data elements of the RSA key are in big-endian format
* Chinese Remainder Thereom(CRT) form of key
* Used only for Decrypt, the encrypt form is typically Modulus-Exponent
*
*/
# define MAX_BP_SIZE 136
# define MAX_BQ_SIZE 128
# define MAX_NP_SIZE 136
# define MAX_NQ_SIZE 128
# define MAX_QINV_SIZE 136
# define MAX_RSACRT_SIZE (MAX_BP_SIZE+MAX_BQ_SIZE+MAX_NP_SIZE+MAX_NQ_SIZE+MAX_QINV_SIZE)
# define RSA_GEN_OPERAND_MAX 256/* bytes */
typedef unsigned char ICA_KEY_RSA_CRT_REC[MAX_RSACRT_SIZE];
/* -----------------------------------------------*
| RSA key token types |
*------------------------------------------------*/
# define RSA_PUBLIC_MODULUS_EXPONENT 3
# define RSA_PKCS_PRIVATE_CHINESE_REMAINDER 6
# define KEYTYPE_MODEXPO 1
# define KEYTYPE_PKCSCRT 2
/* -----------------------------------------------*
| RSA Key Token format |
*------------------------------------------------*/
/*-
* NOTE: All the fields in the ICA_KEY_RSA_MODEXPO structure
* (lengths, offsets, exponents, modulus, etc.) are
* stored in big-endian format
*/
typedef struct _ICA_KEY_RSA_MODEXPO {
unsigned int keyType; /* RSA key type. */
unsigned int keyLength; /* Total length of the token. */
unsigned int modulusBitLength; /* Modulus n bit length. */
/* -- Start of the data length. */
unsigned int nLength; /* Modulus n = p * q */
unsigned int expLength; /* exponent (public or private) */
/* e = 1/d * mod(p-1)(q-1) */
/* -- Start of the data offsets */
unsigned int nOffset; /* Modulus n . */
unsigned int expOffset; /* exponent (public or private) */
unsigned char reserved[112]; /* reserved area */
/* -- Start of the variable -- */
/* -- length token data. -- */
ICA_KEY_RSA_MODEXPO_REC keyRecord;
} ICA_KEY_RSA_MODEXPO;
# define SZ_HEADER_MODEXPO (sizeof(ICA_KEY_RSA_MODEXPO) - sizeof(ICA_KEY_RSA_MODEXPO_REC))
/*-
* NOTE: All the fields in the ICA_KEY_RSA_CRT structure
* (lengths, offsets, exponents, modulus, etc.) are
* stored in big-endian format
*/
typedef struct _ICA_KEY_RSA_CRT {
unsigned int keyType; /* RSA key type. */
unsigned int keyLength; /* Total length of the token. */
unsigned int modulusBitLength; /* Modulus n bit length. */
/* -- Start of the data length. */
# if _AIX
unsigned int nLength; /* Modulus n = p * q */
# endif
unsigned int pLength; /* Prime number p . */
unsigned int qLength; /* Prime number q . */
unsigned int dpLength; /* dp = d * mod(p-1) . */
unsigned int dqLength; /* dq = d * mod(q-1) . */
unsigned int qInvLength; /* PKCS: qInv = Ap/q */
/* -- Start of the data offsets */
# if _AIX
unsigned int nOffset; /* Modulus n . */
# endif
unsigned int pOffset; /* Prime number p . */
unsigned int qOffset; /* Prime number q . */
unsigned int dpOffset; /* dp . */
unsigned int dqOffset; /* dq . */
unsigned int qInvOffset; /* qInv for PKCS */
# if _AIX
unsigned char reserved[80]; /* reserved area */
# else
unsigned char reserved[88]; /* reserved area */
# endif
/* -- Start of the variable -- */
/* -- length token data. -- */
ICA_KEY_RSA_CRT_REC keyRecord;
} ICA_KEY_RSA_CRT;
# define SZ_HEADER_CRT (sizeof(ICA_KEY_RSA_CRT) - sizeof(ICA_KEY_RSA_CRT_REC))
unsigned int
icaOpenAdapter(unsigned int adapterId, ICA_ADAPTER_HANDLE * pAdapterHandle);
unsigned int icaCloseAdapter(ICA_ADAPTER_HANDLE adapterHandle);
unsigned int
icaRsaModExpo(ICA_ADAPTER_HANDLE hAdapterHandle,
unsigned int inputDataLength,
unsigned char *pInputData,
ICA_KEY_RSA_MODEXPO *pKeyModExpo,
unsigned int *pOutputDataLength, unsigned char *pOutputData);
unsigned int
icaRsaCrt(ICA_ADAPTER_HANDLE hAdapterHandle,
unsigned int inputDataLength,
unsigned char *pInputData,
ICA_KEY_RSA_CRT *pKeyCrt,
unsigned int *pOutputDataLength, unsigned char *pOutputData);
unsigned int
icaRandomNumberGenerate(ICA_ADAPTER_HANDLE hAdapterHandle,
unsigned int outputDataLength,
unsigned char *pOutputData);
/*
* Specific macros and definitions to not have IFDEF;s all over the main code
*/
# if (_AIX)
static const char *IBMCA_LIBNAME = "/lib/libica.a(shr.o)";
# elif (WIN32)
static const char *IBMCA_LIBNAME = "cryptica";
# else
static const char *IBMCA_LIBNAME = "ica";
# endif
# if (WIN32)
/*
* The ICA_KEY_RSA_MODEXPO & ICA_KEY_RSA_CRT lengths and offsets must be in
* big-endian format.
*
*/
# define CORRECT_ENDIANNESS(b) ( \
(((unsigned long) (b) & 0x000000ff) << 24) | \
(((unsigned long) (b) & 0x0000ff00) << 8) | \
(((unsigned long) (b) & 0x00ff0000) >> 8) | \
(((unsigned long) (b) & 0xff000000) >> 24) \
)
# define CRT_KEY_TYPE RSA_PKCS_PRIVATE_CHINESE_REMAINDER
# define ME_KEY_TYPE RSA_PUBLIC_MODULUS_EXPONENT
# else
# define CORRECT_ENDIANNESS(b) (b)
# define CRT_KEY_TYPE KEYTYPE_PKCSCRT
# define ME_KEY_TYPE KEYTYPE_MODEXPO
# endif
#endif /* __ICA_OPENSSL_API_H__ */

114
demos/engines/rsaref/Makefile.in
View File

@ -1,114 +0,0 @@
LIBNAME= librsaref
SRC= rsaref.c
OBJ= rsaref.o
HEADER= rsaref.h
CC= gcc
PIC= -fPIC
CFLAGS= -g -I../../../include $(PIC) -DENGINE_DYNAMIC_SUPPORT
AR= ar r
RANLIB= ranlib
LIB= $(LIBNAME).a
SHLIB= $(LIBNAME).so
all:
@echo 'Please choose a system to build on:'
@echo ''
@echo 'tru64: Tru64 Unix, Digital Unix, Digital OSF/1'
@echo 'solaris: Solaris'
@echo 'irix: IRIX'
@echo 'hpux32: 32-bit HP/UX'
@echo 'hpux64: 64-bit HP/UX'
@echo 'aix: AIX'
@echo 'gnu: Generic GNU-based system (gcc and GNU ld)'
@echo ''
FORCE.install:
install: FORCE.install
cd install; \
make -f unix/makefile CFLAGS='-I. -DPROTOTYPES=1 -O -c' RSAREFLIB=librsaref.a librsaref.a
generate:
perl ../../../util/mkerr.pl -conf rsaref.ec \
-nostatic -staticloader -write rsaref.c
darwin: install $(SHLIB).darwin
cygwin: install $(SHLIB).cygwin
gnu: install $(SHLIB).gnu
alpha-osf1: install $(SHLIB).alpha-osf1
tru64: install $(SHLIB).tru64
solaris: install $(SHLIB).solaris
irix: install $(SHLIB).irix
hpux32: install $(SHLIB).hpux32
hpux64: install $(SHLIB).hpux64
aix: install $(SHLIB).aix
reliantunix: install $(SHLIB).reliantunix
$(LIB): $(OBJ)
$(AR) $(LIB) $(OBJ)
- $(RANLIB) $(LIB)
LINK_SO= \
ld -r -o $(LIBNAME).o $$ALLSYMSFLAGS $(LIB) install/librsaref.a && \
(nm -Pg $(LIBNAME).o | grep ' [BDT] ' | cut -f1 -d' ' > $(LIBNAME).exp; \
$$SHAREDCMD $$SHAREDFLAGS -o $(SHLIB) $(LIBNAME).o -L ../../.. -lcrypto -lc)
$(SHLIB).darwin: $(LIB) install/librsaref.a
ALLSYMSFLAGS='-all_load' \
SHAREDFLAGS='-dynamiclib -install_name $(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).darwin
$(SHLIB).cygwin: $(LIB) install/librsaref.a
ALLSYMSFLAGS='--whole-archive' \
SHAREDFLAGS='-shared -Wl,-Bsymbolic -Wl,--out-implib,$(LIBNAME).dll.a' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).cygwin
$(SHLIB).gnu: $(LIB) install/librsaref.a
ALLSYMSFLAGS='--whole-archive' \
SHAREDFLAGS='-shared -Wl,-soname=$(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).gnu
$(SHLIB).tru64: $(LIB) install/librsaref.a
ALLSYMSFLAGS='-all' \
SHAREDFLAGS='-shared' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).tru64
$(SHLIB).solaris: $(LIB) install/librsaref.a
ALLSYMSFLAGS='-z allextract' \
SHAREDFLAGS='-G -h $(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).solaris
$(SHLIB).irix: $(LIB) install/librsaref.a
ALLSYMSFLAGS='-all' \
SHAREDFLAGS='-shared -Wl,-soname,$(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).irix
$(SHLIB).hpux32: $(LIB) install/librsaref.a
ALLSYMSFLAGS='-Fl' \
SHAREDFLAGS='+vnocompatwarnings -b -z +s +h $(SHLIB)' \
SHAREDCMD='/usr/ccs/bin/ld'; \
$(LINK_SO)
touch $(SHLIB).hpux32
$(SHLIB).hpux64: $(LIB) install/librsaref.a
ALLSYMSFLAGS='+forceload' \
SHAREDFLAGS='-b -z +h $(SHLIB)' \
SHAREDCMD='/usr/ccs/bin/ld'; \
$(LINK_SO)
touch $(SHLIB).hpux64
$(SHLIB).aix: $(LIB) install/librsaref.a
ALLSYMSFLAGS='-bnogc' \
SHAREDFLAGS='-G -bE:$(LIBNAME).exp -bM:SRE' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).aix
depend:
# DO NOT DELETE THIS LINE -- make depend depends on it.

22
demos/engines/rsaref/README
View File

@ -1,22 +0,0 @@
librsaref.so is a demonstration dynamic engine that does RSA
operations using the old RSAref 2.0 implementation.
To make proper use of this engine, you must download RSAref 2.0
(search the web for rsaref.tar.Z for example) and unpack it in this
directory, so you'll end up having the subdirectories "install" and
"source" among others.
To build, do the following:
make
This will list a number of available targets to choose from. Most of
them are architecture-specific. The exception is "gnu" which is to be
used on systems where GNU ld and gcc have been installed in such a way
that gcc uses GNU ld to link together programs and shared libraries.
The make file assumes you use gcc. To change that, just reassign CC:
make CC=cc
The result is librsaref.so, which you can copy to any place you wish.

105
demos/engines/rsaref/build.com
View File

@ -1,105 +0,0 @@
$! BUILD.COM -- Building procedure for the RSAref engine
$
$ if f$search("source.dir") .eqs. "" -
.or. f$search("install.dir") .eqs. ""
$ then
$ write sys$error "RSAref 2.0 hasn't been properly extracted."
$ exit
$ endif
$
$ if (f$getsyi("cpu").lt.128)
$ then
$ arch := vax
$ else
$ arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
$ if (arch .eqs. "") then arch = "UNK"
$ endif
$
$ _save_default = f$environment("default")
$ set default [.install]
$ files := desc,digit,md2c,md5c,nn,prime,-
rsa,r_encode,r_dh,r_enhanc,r_keygen,r_random,-
r_stdlib
$ delete rsaref.olb;*
$ library/create/object rsaref.olb
$ files_i = 0
$ rsaref_loop:
$ files_e = f$edit(f$element(files_i,",",files),"trim")
$ files_i = files_i + 1
$ if files_e .eqs. "," then goto rsaref_loop_end
$ cc/include=([-.source],[])/define=PROTOTYPES=1/object=[]'files_e'.obj -
[-.source]'files_e'.c
$ library/replace/object rsaref.olb 'files_e'.obj
$ goto rsaref_loop
$ rsaref_loop_end:
$
$ set default [-]
$ define/user openssl [---.include.openssl]
$ cc/define=ENGINE_DYNAMIC_SUPPORT rsaref.c
$
$ if arch .eqs. "VAX"
$ then
$ macro/object=rsaref_vec.obj sys$input:
;
; Transfer vector for VAX shareable image
;
.TITLE librsaref
;
; Define macro to assist in building transfer vector entries. Each entry
; should take no more than 8 bytes.
;
.MACRO FTRANSFER_ENTRY routine
.ALIGN QUAD
.TRANSFER routine
.MASK routine
JMP routine+2
.ENDM FTRANSFER_ENTRY
;
; Place entries in own program section.
;
.PSECT $$LIBRSAREF,QUAD,PIC,USR,CON,REL,LCL,SHR,EXE,RD,NOWRT
LIBRSAREF_xfer:
FTRANSFER_ENTRY bind_engine
FTRANSFER_ENTRY v_check
;
; Allocate extra storage at end of vector to allow for expansion.
;
.BLKB 512-<.-LIBRSAREF_xfer> ; 1 page.
.END
$ link/share=librsaref.exe sys$input:/option
!
! Ensure transfer vector is at beginning of image
!
CLUSTER=FIRST
COLLECT=FIRST,$$LIBRSAREF
!
! make psects nonshareable so image can be installed.
!
PSECT_ATTR=$CHAR_STRING_CONSTANTS,NOWRT
[]rsaref_vec.obj
[]rsaref.obj
[.install]rsaref.olb/lib
[---.vax.exe.crypto]libcrypto.olb/lib
$ else
$ if arch_name .eqs. "ALPHA"
$ then
$ link/share=librsaref.exe sys$input:/option
[]rsaref.obj
[.install]rsaref.olb/lib
[---.alpha.exe.crypto]libcrypto.olb/lib
symbol_vector=(bind_engine=procedure,v_check=procedure)
$ else
$ if arch_name .eqs. "IA64"
$ then
$ link /shareable=librsaref.exe sys$input: /options
[]rsaref.obj
[.install]rsaref.olb/lib
[---.ia64.exe.crypto]libcrypto.olb/lib
symbol_vector=(bind_engine=procedure,v_check=procedure)
$ endif
$ endif
$ endif
$
$ set default '_save_default'

658
demos/engines/rsaref/rsaref.c
View File

@ -1,658 +0,0 @@
/*
* Demo of how to construct your own engine and using it. The basis of this
* engine is RSAref, an old reference of the RSA algorithm which can still be
* found a little here and there.
*/
#include <stdio.h>
#include <string.h>
#include "./source/global.h"
#include "./source/rsaref.h"
#include "./source/rsa.h"
#include "./source/des.h"
#include <openssl/err.h>
#define OPENSSL_NO_MD2
#define OPENSSL_NO_MD5
#include <openssl/evp.h>
#include <openssl/bn.h>
#include <openssl/engine.h>
#define RSAREF_LIB_NAME "rsaref engine"
#include "rsaref_err.c"
/*****************************************************************************
*** Function declarations and global variable definitions ***
*****************************************************************************/
/*****************************************************************************
* Constants used when creating the ENGINE
**/
static const char *engine_rsaref_id = "rsaref";
static const char *engine_rsaref_name = "RSAref engine support";
/*****************************************************************************
* Functions to handle the engine
**/
static int rsaref_destroy(ENGINE *e);
static int rsaref_init(ENGINE *e);
static int rsaref_finish(ENGINE *e);
/*****************************************************************************
* Engine commands
**/
static const ENGINE_CMD_DEFN rsaref_cmd_defns[] = {
{0, NULL, NULL, 0}
};
/*****************************************************************************
* RSA functions
**/
static int rsaref_private_decrypt(int len, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
static int rsaref_private_encrypt(int len, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
static int rsaref_public_encrypt(int len, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
static int rsaref_public_decrypt(int len, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding);
static int bnref_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
static int rsaref_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa);
/*****************************************************************************
* Our RSA method
**/
static RSA_METHOD rsaref_rsa = {
"RSAref PKCS#1 RSA",
rsaref_public_encrypt,
rsaref_public_decrypt,
rsaref_private_encrypt,
rsaref_private_decrypt,
rsaref_mod_exp,
bnref_mod_exp,
NULL,
NULL,
0,
NULL,
NULL,
NULL
};
/*****************************************************************************
* Symetric cipher and digest function registrars
**/
static int rsaref_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
const int **nids, int nid);
static int rsaref_digests(ENGINE *e, const EVP_MD **digest,
const int **nids, int nid);
static int rsaref_cipher_nids[] =
{ NID_des_cbc, NID_des_ede3_cbc, NID_desx_cbc, 0 };
static int rsaref_digest_nids[] = { NID_md2, NID_md5, 0 };
/*****************************************************************************
* DES functions
**/
static int cipher_des_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc);
static int cipher_des_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl);
static int cipher_des_cbc_clean(EVP_CIPHER_CTX *);
static int cipher_des_ede3_cbc_init(EVP_CIPHER_CTX *ctx,
const unsigned char *key,
const unsigned char *iv, int enc);
static int cipher_des_ede3_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in,
unsigned int inl);
static int cipher_des_ede3_cbc_clean(EVP_CIPHER_CTX *);
static int cipher_desx_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc);
static int cipher_desx_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl);
static int cipher_desx_cbc_clean(EVP_CIPHER_CTX *);
/*****************************************************************************
* Our DES ciphers
**/
static const EVP_CIPHER cipher_des_cbc = {
NID_des_cbc,
8, 8, 8,
0 | EVP_CIPH_CBC_MODE,
cipher_des_cbc_init,
cipher_des_cbc_code,
cipher_des_cbc_clean,
sizeof(DES_CBC_CTX),
NULL,
NULL,
NULL,
NULL
};
static const EVP_CIPHER cipher_des_ede3_cbc = {
NID_des_ede3_cbc,
8, 24, 8,
0 | EVP_CIPH_CBC_MODE,
cipher_des_ede3_cbc_init,
cipher_des_ede3_cbc_code,
cipher_des_ede3_cbc_clean,
sizeof(DES3_CBC_CTX),
NULL,
NULL,
NULL,
NULL
};
static const EVP_CIPHER cipher_desx_cbc = {
NID_desx_cbc,
8, 24, 8,
0 | EVP_CIPH_CBC_MODE,
cipher_desx_cbc_init,
cipher_desx_cbc_code,
cipher_desx_cbc_clean,
sizeof(DESX_CBC_CTX),
NULL,
NULL,
NULL,
NULL
};
/*****************************************************************************
* MD functions
**/
static int digest_md2_init(EVP_MD_CTX *ctx);
static int digest_md2_update(EVP_MD_CTX *ctx, const void *data,
unsigned long count);
static int digest_md2_final(EVP_MD_CTX *ctx, unsigned char *md);
static int digest_md5_init(EVP_MD_CTX *ctx);
static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
unsigned long count);
static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md);
/*****************************************************************************
* Our MD digests
**/
static const EVP_MD digest_md2 = {
NID_md2,
NID_md2WithRSAEncryption,
16,
0,
digest_md2_init,
digest_md2_update,
digest_md2_final,
NULL,
NULL,
EVP_PKEY_RSA_method,
16,
sizeof(MD2_CTX)
};
static const EVP_MD digest_md5 = {
NID_md5,
NID_md5WithRSAEncryption,
16,
0,
digest_md5_init,
digest_md5_update,
digest_md5_final,
NULL,
NULL,
EVP_PKEY_RSA_method,
64,
sizeof(MD5_CTX)
};
/*****************************************************************************
*** Function definitions ***
*****************************************************************************/
/*****************************************************************************
* Functions to handle the engine
**/
static int bind_rsaref(ENGINE *e)
{
const RSA_METHOD *meth1;
if (!ENGINE_set_id(e, engine_rsaref_id)
|| !ENGINE_set_name(e, engine_rsaref_name)
|| !ENGINE_set_RSA(e, &rsaref_rsa)
|| !ENGINE_set_ciphers(e, rsaref_ciphers)
|| !ENGINE_set_digests(e, rsaref_digests)
|| !ENGINE_set_destroy_function(e, rsaref_destroy)
|| !ENGINE_set_init_function(e, rsaref_init)
|| !ENGINE_set_finish_function(e, rsaref_finish)
/* || !ENGINE_set_ctrl_function(e, rsaref_ctrl) */
/*
* || !ENGINE_set_cmd_defns(e, rsaref_cmd_defns)
*/ )
return 0;
/* Ensure the rsaref error handling is set up */
ERR_load_RSAREF_strings();
return 1;
}
#ifdef ENGINE_DYNAMIC_SUPPORT
static int bind_helper(ENGINE *e, const char *id)
{
if (id && (strcmp(id, engine_rsaref_id) != 0))
return 0;
if (!bind_rsaref(e))
return 0;
return 1;
}
IMPLEMENT_DYNAMIC_CHECK_FN()
IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
#else
static ENGINE *engine_rsaref(void)
{
ENGINE *ret = ENGINE_new();
if (!ret)
return NULL;
if (!bind_rsaref(ret)) {
ENGINE_free(ret);
return NULL;
}
return ret;
}
void ENGINE_load_rsaref(void)
{
/* Copied from eng_[openssl|dyn].c */
ENGINE *toadd = engine_rsaref();
if (!toadd)
return;
ENGINE_add(toadd);
ENGINE_free(toadd);
ERR_clear_error();
}
#endif
/* Initiator which is only present to make sure this engine looks available */
static int rsaref_init(ENGINE *e)
{
return 1;
}
/* Finisher which is only present to make sure this engine looks available */
static int rsaref_finish(ENGINE *e)
{
return 1;
}
/* Destructor (complements the "ENGINE_ncipher()" constructor) */
static int rsaref_destroy(ENGINE *e)
{
ERR_unload_RSAREF_strings();
return 1;
}
/*****************************************************************************
* RSA functions
**/
static int rsaref_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa)
{
RSAREFerr(RSAREF_F_RSAREF_MOD_EXP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return (0);
}
static int bnref_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx)
{
RSAREFerr(RSAREF_F_BNREF_MOD_EXP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
return (0);
}
/* unsigned char *to: [max] */
static int RSAref_bn2bin(BIGNUM *from, unsigned char *to, int max)
{
int i;
i = BN_num_bytes(from);
if (i > max) {
RSAREFerr(RSAREF_F_RSAREF_BN2BIN, RSAREF_R_LEN);
return (0);
}
memset(to, 0, (unsigned int)max);
if (!BN_bn2bin(from, &(to[max - i])))
return (0);
return (1);
}
static int RSAref_Public_eay2ref(RSA *from, R_RSA_PUBLIC_KEY * to)
{
to->bits = BN_num_bits(from->n);
if (!RSAref_bn2bin(from->n, to->modulus, MAX_RSA_MODULUS_LEN))
return (0);
if (!RSAref_bn2bin(from->e, to->exponent, MAX_RSA_MODULUS_LEN))
return (0);
return (1);
}
static int RSAref_Private_eay2ref(RSA *from, R_RSA_PRIVATE_KEY * to)
{
to->bits = BN_num_bits(from->n);
if (!RSAref_bn2bin(from->n, to->modulus, MAX_RSA_MODULUS_LEN))
return (0);
if (!RSAref_bn2bin(from->e, to->publicExponent, MAX_RSA_MODULUS_LEN))
return (0);
if (!RSAref_bn2bin(from->d, to->exponent, MAX_RSA_MODULUS_LEN))
return (0);
if (!RSAref_bn2bin(from->p, to->prime[0], MAX_RSA_PRIME_LEN))
return (0);
if (!RSAref_bn2bin(from->q, to->prime[1], MAX_RSA_PRIME_LEN))
return (0);
if (!RSAref_bn2bin(from->dmp1, to->primeExponent[0], MAX_RSA_PRIME_LEN))
return (0);
if (!RSAref_bn2bin(from->dmq1, to->primeExponent[1], MAX_RSA_PRIME_LEN))
return (0);
if (!RSAref_bn2bin(from->iqmp, to->coefficient, MAX_RSA_PRIME_LEN))
return (0);
return (1);
}
static int rsaref_private_decrypt(int len, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
int i, outlen = -1;
R_RSA_PRIVATE_KEY RSAkey;
if (!RSAref_Private_eay2ref(rsa, &RSAkey))
goto err;
if ((i =
RSAPrivateDecrypt(to, (unsigned int *)&outlen, (unsigned char *)from,
len, &RSAkey)) != 0) {
RSAREFerr(RSAREF_F_RSAREF_PRIVATE_DECRYPT, i);
outlen = -1;
}
err:
memset(&RSAkey, 0, sizeof(RSAkey));
return (outlen);
}
static int rsaref_private_encrypt(int len, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
int i, outlen = -1;
R_RSA_PRIVATE_KEY RSAkey;
if (padding != RSA_PKCS1_PADDING) {
RSAREFerr(RSAREF_F_RSAREF_PRIVATE_ENCRYPT,
RSA_R_UNKNOWN_PADDING_TYPE);
goto err;
}
if (!RSAref_Private_eay2ref(rsa, &RSAkey))
goto err;
if ((i =
RSAPrivateEncrypt(to, (unsigned int *)&outlen, (unsigned char *)from,
len, &RSAkey)) != 0) {
RSAREFerr(RSAREF_F_RSAREF_PRIVATE_ENCRYPT, i);
outlen = -1;
}
err:
memset(&RSAkey, 0, sizeof(RSAkey));
return (outlen);
}
static int rsaref_public_decrypt(int len, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
int i, outlen = -1;
R_RSA_PUBLIC_KEY RSAkey;
if (!RSAref_Public_eay2ref(rsa, &RSAkey))
goto err;
if ((i =
RSAPublicDecrypt(to, (unsigned int *)&outlen, (unsigned char *)from,
len, &RSAkey)) != 0) {
RSAREFerr(RSAREF_F_RSAREF_PUBLIC_DECRYPT, i);
outlen = -1;
}
err:
memset(&RSAkey, 0, sizeof(RSAkey));
return (outlen);
}
static int rsaref_public_encrypt(int len, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
int outlen = -1;
int i;
R_RSA_PUBLIC_KEY RSAkey;
R_RANDOM_STRUCT rnd;
unsigned char buf[16];
if (padding != RSA_PKCS1_PADDING && padding != RSA_SSLV23_PADDING) {
RSAREFerr(RSAREF_F_RSAREF_PUBLIC_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
goto err;
}
R_RandomInit(&rnd);
R_GetRandomBytesNeeded((unsigned int *)&i, &rnd);
while (i > 0) {
if (RAND_bytes(buf, 16) <= 0)
goto err;
R_RandomUpdate(&rnd, buf, (unsigned int)((i > 16) ? 16 : i));
i -= 16;
}
if (!RSAref_Public_eay2ref(rsa, &RSAkey))
goto err;
if ((i =
RSAPublicEncrypt(to, (unsigned int *)&outlen, (unsigned char *)from,
len, &RSAkey, &rnd)) != 0) {
RSAREFerr(RSAREF_F_RSAREF_PUBLIC_ENCRYPT, i);
outlen = -1;
goto err;
}
err:
memset(&RSAkey, 0, sizeof(RSAkey));
R_RandomFinal(&rnd);
memset(&rnd, 0, sizeof(rnd));
return (outlen);
}
/*****************************************************************************
* Symetric cipher and digest function registrars
**/
static int rsaref_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
const int **nids, int nid)
{
int ok = 1;
if (!cipher) {
/* We are returning a list of supported nids */
*nids = rsaref_cipher_nids;
return (sizeof(rsaref_cipher_nids) -
1) / sizeof(rsaref_cipher_nids[0]);
}
/* We are being asked for a specific cipher */
switch (nid) {
case NID_des_cbc:
*cipher = &cipher_des_cbc;
break;
case NID_des_ede3_cbc:
*cipher = &cipher_des_ede3_cbc;
break;
case NID_desx_cbc:
*cipher = &cipher_desx_cbc;
break;
default:
ok = 0;
*cipher = NULL;
break;
}
return ok;
}
static int rsaref_digests(ENGINE *e, const EVP_MD **digest,
const int **nids, int nid)
{
int ok = 1;
if (!digest) {
/* We are returning a list of supported nids */
*nids = rsaref_digest_nids;
return (sizeof(rsaref_digest_nids) -
1) / sizeof(rsaref_digest_nids[0]);
}
/* We are being asked for a specific digest */
switch (nid) {
case NID_md2:
*digest = &digest_md2;
break;
case NID_md5:
*digest = &digest_md5;
break;
default:
ok = 0;
*digest = NULL;
break;
}
return ok;
}
/*****************************************************************************
* DES functions
**/
#undef data
#define data(ctx) ((DES_CBC_CTX *)(ctx)->cipher_data)
static int cipher_des_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
DES_CBCInit(data(ctx), (unsigned char *)key, (unsigned char *)iv, enc);
return 1;
}
static int cipher_des_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
int ret = DES_CBCUpdate(data(ctx), out, (unsigned char *)in, inl);
switch (ret) {
case RE_LEN:
RSAREFerr(RSAREF_F_CIPHER_DES_CBC_CODE,
RSAREF_R_LENGTH_NOT_BLOCK_ALIGNED);
break;
case 0:
break;
default:
RSAREFerr(RSAREF_F_CIPHER_DES_CBC_CODE, RSAREF_R_UNKNOWN_FAULT);
}
return !ret;
}
static int cipher_des_cbc_clean(EVP_CIPHER_CTX *ctx)
{
memset(data(ctx), 0, ctx->cipher->ctx_size);
return 1;
}
#undef data
#define data(ctx) ((DES3_CBC_CTX *)(ctx)->cipher_data)
static int cipher_des_ede3_cbc_init(EVP_CIPHER_CTX *ctx,
const unsigned char *key,
const unsigned char *iv, int enc)
{
DES3_CBCInit(data(ctx), (unsigned char *)key, (unsigned char *)iv, enc);
return 1;
}
static int cipher_des_ede3_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
int ret = DES3_CBCUpdate(data(ctx), out, (unsigned char *)in, inl);
switch (ret) {
case RE_LEN:
RSAREFerr(RSAREF_F_CIPHER_DES_CBC_CODE,
RSAREF_R_LENGTH_NOT_BLOCK_ALIGNED);
break;
case 0:
break;
default:
RSAREFerr(RSAREF_F_CIPHER_DES_CBC_CODE, RSAREF_R_UNKNOWN_FAULT);
}
return !ret;
}
static int cipher_des_ede3_cbc_clean(EVP_CIPHER_CTX *ctx)
{
memset(data(ctx), 0, ctx->cipher->ctx_size);
return 1;
}
#undef data
#define data(ctx) ((DESX_CBC_CTX *)(ctx)->cipher_data)
static int cipher_desx_cbc_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
DESX_CBCInit(data(ctx), (unsigned char *)key, (unsigned char *)iv, enc);
return 1;
}
static int cipher_desx_cbc_code(EVP_CIPHER_CTX *ctx, unsigned char *out,
const unsigned char *in, unsigned int inl)
{
int ret = DESX_CBCUpdate(data(ctx), out, (unsigned char *)in, inl);
switch (ret) {
case RE_LEN:
RSAREFerr(RSAREF_F_CIPHER_DES_CBC_CODE,
RSAREF_R_LENGTH_NOT_BLOCK_ALIGNED);
break;
case 0:
break;
default:
RSAREFerr(RSAREF_F_CIPHER_DES_CBC_CODE, RSAREF_R_UNKNOWN_FAULT);
}
return !ret;
}
static int cipher_desx_cbc_clean(EVP_CIPHER_CTX *ctx)
{
memset(data(ctx), 0, ctx->cipher->ctx_size);
return 1;
}
/*****************************************************************************
* MD functions
**/
#undef data
#define data(ctx) ((MD2_CTX *)(ctx)->md_data)
static int digest_md2_init(EVP_MD_CTX *ctx)
{
MD2Init(data(ctx));
return 1;
}
static int digest_md2_update(EVP_MD_CTX *ctx, const void *data,
unsigned long count)
{
MD2Update(data(ctx), (unsigned char *)data, (unsigned int)count);
return 1;
}
static int digest_md2_final(EVP_MD_CTX *ctx, unsigned char *md)
{
MD2Final(md, data(ctx));
return 1;
}
#undef data
#define data(ctx) ((MD5_CTX *)(ctx)->md_data)
static int digest_md5_init(EVP_MD_CTX *ctx)
{
MD5Init(data(ctx));
return 1;
}
static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
unsigned long count)
{
MD5Update(data(ctx), (unsigned char *)data, (unsigned int)count);
return 1;
}
static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md)
{
MD5Final(md, data(ctx));
return 1;
}

8
demos/engines/rsaref/rsaref.ec
View File

@ -1,8 +0,0 @@
# configuration file for util/mkerr.pl
#
# use like this:
#
# perl ../../../util/mkerr.pl -conf rsaref.ec \
# -nostatic -staticloader -write *.c
L RSAREF rsaref_err.h rsaref_err.c

157
demos/engines/rsaref/rsaref_err.c
View File

@ -1,157 +0,0 @@
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/*
* NOTE: this file was auto generated by the mkerr.pl script: any changes
* made to it will be overwritten when the script next updates this file,
* only reason strings will be preserved.
*/
#include <stdio.h>
#include <openssl/err.h>
#include "rsaref_err.h"
/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA RSAREF_str_functs[] = {
{ERR_PACK(0, RSAREF_F_BNREF_MOD_EXP, 0), "BNREF_MOD_EXP"},
{ERR_PACK(0, RSAREF_F_CIPHER_DES_CBC_CODE, 0), "CIPHER_DES_CBC_CODE"},
{ERR_PACK(0, RSAREF_F_RSAREF_BN2BIN, 0), "RSAREF_BN2BIN"},
{ERR_PACK(0, RSAREF_F_RSAREF_MOD_EXP, 0), "RSAREF_MOD_EXP"},
{ERR_PACK(0, RSAREF_F_RSAREF_PRIVATE_DECRYPT, 0),
"RSAREF_PRIVATE_DECRYPT"},
{ERR_PACK(0, RSAREF_F_RSAREF_PRIVATE_ENCRYPT, 0),
"RSAREF_PRIVATE_ENCRYPT"},
{ERR_PACK(0, RSAREF_F_RSAREF_PUBLIC_DECRYPT, 0), "RSAREF_PUBLIC_DECRYPT"},
{ERR_PACK(0, RSAREF_F_RSAREF_PUBLIC_ENCRYPT, 0), "RSAREF_PUBLIC_ENCRYPT"},
{ERR_PACK(0, RSAREF_F_RSA_BN2BIN, 0), "RSA_BN2BIN"},
{ERR_PACK(0, RSAREF_F_RSA_PRIVATE_DECRYPT, 0), "RSA_PRIVATE_DECRYPT"},
{ERR_PACK(0, RSAREF_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_PRIVATE_ENCRYPT"},
{ERR_PACK(0, RSAREF_F_RSA_PUBLIC_DECRYPT, 0), "RSA_PUBLIC_DECRYPT"},
{ERR_PACK(0, RSAREF_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_PUBLIC_ENCRYPT"},
{0, NULL}
};
static ERR_STRING_DATA RSAREF_str_reasons[] = {
{RSAREF_R_CONTENT_ENCODING, "content encoding"},
{RSAREF_R_DATA, "data"},
{RSAREF_R_DIGEST_ALGORITHM, "digest algorithm"},
{RSAREF_R_ENCODING, "encoding"},
{RSAREF_R_ENCRYPTION_ALGORITHM, "encryption algorithm"},
{RSAREF_R_KEY, "key"},
{RSAREF_R_KEY_ENCODING, "key encoding"},
{RSAREF_R_LEN, "len"},
{RSAREF_R_LENGTH_NOT_BLOCK_ALIGNED, "length not block aligned"},
{RSAREF_R_MODULUS_LEN, "modulus len"},
{RSAREF_R_NEED_RANDOM, "need random"},
{RSAREF_R_PRIVATE_KEY, "private key"},
{RSAREF_R_PUBLIC_KEY, "public key"},
{RSAREF_R_SIGNATURE, "signature"},
{RSAREF_R_SIGNATURE_ENCODING, "signature encoding"},
{RSAREF_R_UNKNOWN_FAULT, "unknown fault"},
{0, NULL}
};
#endif
#ifdef RSAREF_LIB_NAME
static ERR_STRING_DATA RSAREF_lib_name[] = {
{0, RSAREF_LIB_NAME},
{0, NULL}
};
#endif
static int RSAREF_lib_error_code = 0;
static int RSAREF_error_init = 1;
static void ERR_load_RSAREF_strings(void)
{
if (RSAREF_lib_error_code == 0)
RSAREF_lib_error_code = ERR_get_next_error_library();
if (RSAREF_error_init) {
RSAREF_error_init = 0;
#ifndef OPENSSL_NO_ERR
ERR_load_strings(RSAREF_lib_error_code, RSAREF_str_functs);
ERR_load_strings(RSAREF_lib_error_code, RSAREF_str_reasons);
#endif
#ifdef RSAREF_LIB_NAME
RSAREF_lib_name->error = ERR_PACK(RSAREF_lib_error_code, 0, 0);
ERR_load_strings(0, RSAREF_lib_name);
#endif
}
}
static void ERR_unload_RSAREF_strings(void)
{
if (RSAREF_error_init == 0) {
#ifndef OPENSSL_NO_ERR
ERR_unload_strings(RSAREF_lib_error_code, RSAREF_str_functs);
ERR_unload_strings(RSAREF_lib_error_code, RSAREF_str_reasons);
#endif
#ifdef RSAREF_LIB_NAME
ERR_unload_strings(0, RSAREF_lib_name);
#endif
RSAREF_error_init = 1;
}
}
static void ERR_RSAREF_error(int function, int reason, char *file, int line)
{
if (RSAREF_lib_error_code == 0)
RSAREF_lib_error_code = ERR_get_next_error_library();
ERR_PUT_error(RSAREF_lib_error_code, function, reason, file, line);
}

109
demos/engines/rsaref/rsaref_err.h
View File

@ -1,109 +0,0 @@
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef HEADER_RSAREF_ERR_H
# define HEADER_RSAREF_ERR_H
#ifdef __cplusplus
extern "C" {
#endif
/* BEGIN ERROR CODES */
/*
* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
static void ERR_load_RSAREF_strings(void);
static void ERR_unload_RSAREF_strings(void);
static void ERR_RSAREF_error(int function, int reason, char *file, int line);
# define RSAREFerr(f,r) ERR_RSAREF_error((f),(r),OPENSSL_FILE,OPENSSL_LINE)
/* Error codes for the RSAREF functions. */
/* Function codes. */
# define RSAREF_F_BNREF_MOD_EXP 100
# define RSAREF_F_CIPHER_DES_CBC_CODE 112
# define RSAREF_F_RSAREF_BN2BIN 101
# define RSAREF_F_RSAREF_MOD_EXP 102
# define RSAREF_F_RSAREF_PRIVATE_DECRYPT 103
# define RSAREF_F_RSAREF_PRIVATE_ENCRYPT 104
# define RSAREF_F_RSAREF_PUBLIC_DECRYPT 105
# define RSAREF_F_RSAREF_PUBLIC_ENCRYPT 106
# define RSAREF_F_RSA_BN2BIN 107
# define RSAREF_F_RSA_PRIVATE_DECRYPT 108
# define RSAREF_F_RSA_PRIVATE_ENCRYPT 109
# define RSAREF_F_RSA_PUBLIC_DECRYPT 110
# define RSAREF_F_RSA_PUBLIC_ENCRYPT 111
/* Reason codes. */
# define RSAREF_R_CONTENT_ENCODING 100
# define RSAREF_R_DATA 101
# define RSAREF_R_DIGEST_ALGORITHM 102
# define RSAREF_R_ENCODING 103
# define RSAREF_R_ENCRYPTION_ALGORITHM 104
# define RSAREF_R_KEY 105
# define RSAREF_R_KEY_ENCODING 106
# define RSAREF_R_LEN 107
# define RSAREF_R_LENGTH_NOT_BLOCK_ALIGNED 114
# define RSAREF_R_MODULUS_LEN 108
# define RSAREF_R_NEED_RANDOM 109
# define RSAREF_R_PRIVATE_KEY 110
# define RSAREF_R_PUBLIC_KEY 111
# define RSAREF_R_SIGNATURE 112
# define RSAREF_R_SIGNATURE_ENCODING 113
# define RSAREF_R_UNKNOWN_FAULT 115
#ifdef __cplusplus
}
#endif
#endif

93
demos/engines/zencod/Makefile.in
View File

@ -1,93 +0,0 @@
LIBNAME= libzencod
SRC= hw_zencod.c
OBJ= hw_zencod.o
HEADER= hw_zencod.h
CC= gcc
PIC= -fPIC
CFLAGS= -g -I../../../include $(PIC) -DENGINE_DYNAMIC_SUPPORT -DFLAT_INC
AR= ar r
RANLIB= ranlib
LIB= $(LIBNAME).a
SHLIB= $(LIBNAME).so
all:
@echo 'Please choose a system to build on:'
@echo ''
@echo 'tru64: Tru64 Unix, Digital Unix, Digital OSF/1'
@echo 'solaris: Solaris'
@echo 'irix: IRIX'
@echo 'hpux32: 32-bit HP/UX'
@echo 'hpux64: 64-bit HP/UX'
@echo 'aix: AIX'
@echo 'gnu: Generic GNU-based system (gcc and GNU ld)'
@echo ''
generate:
perl ../../../util/mkerr.pl -conf hw_zencod.ec \
-nostatic -staticloader -write hw_zencod.c
gnu: $(SHLIB).gnu
tru64: $(SHLIB).tru64
solaris: $(SHLIB).solaris
irix: $(SHLIB).irix
hpux32: $(SHLIB).hpux32
hpux64: $(SHLIB).hpux64
aix: $(SHLIB).aix
$(LIB): $(OBJ)
$(AR) $(LIB) $(OBJ)
- $(RANLIB) $(LIB)
LINK_SO= \
ld -r -o $(LIBNAME).o $$ALLSYMSFLAGS $(LIB) && \
(nm -Pg $(LIBNAME).o | grep ' [BDT] ' | cut -f1 -d' ' > $(LIBNAME).exp; \
$$SHAREDCMD $$SHAREDFLAGS -o $(SHLIB) $(LIBNAME).o -L ../../.. -lcrypto -lc)
$(SHLIB).gnu: $(LIB)
ALLSYMSFLAGS='--whole-archive' \
SHAREDFLAGS='-shared -Wl,-soname=$(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).gnu
$(SHLIB).tru64: $(LIB)
ALLSYMSFLAGS='-all' \
SHAREDFLAGS='-shared' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).tru64
$(SHLIB).solaris: $(LIB)
ALLSYMSFLAGS='-z allextract' \
SHAREDFLAGS='-G -h $(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).solaris
$(SHLIB).irix: $(LIB)
ALLSYMSFLAGS='-all' \
SHAREDFLAGS='-shared -Wl,-soname,$(SHLIB)' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).irix
$(SHLIB).hpux32: $(LIB)
ALLSYMSFLAGS='-Fl' \
SHAREDFLAGS='+vnocompatwarnings -b -z +s +h $(SHLIB)' \
SHAREDCMD='/usr/ccs/bin/ld'; \
$(LINK_SO)
touch $(SHLIB).hpux32
$(SHLIB).hpux64: $(LIB)
ALLSYMSFLAGS='+forceload' \
SHAREDFLAGS='-b -z +h $(SHLIB)' \
SHAREDCMD='/usr/ccs/bin/ld'; \
$(LINK_SO)
touch $(SHLIB).hpux64
$(SHLIB).aix: $(LIB)
ALLSYMSFLAGS='-bnogc' \
SHAREDFLAGS='-G -bE:$(LIBNAME).exp -bM:SRE' \
SHAREDCMD='$(CC)'; \
$(LINK_SO)
touch $(SHLIB).aix
depend:
# DO NOT DELETE THIS LINE -- make depend depends on it.

1785
demos/engines/zencod/hw_zencod.c
View File

File diff suppressed because it is too large Load Diff

8
demos/engines/zencod/hw_zencod.ec
View File

@ -1,8 +0,0 @@
# configuration file for util/mkerr.pl
#
# use like this:
#
# perl ../../../util/mkerr.pl -conf hw_zencod.ec \
# -nostatic -staticloader -write *.c
L ZENCOD hw_zencod_err.h hw_zencod_err.c

158
demos/engines/zencod/hw_zencod.h
View File

@ -1,158 +0,0 @@
/* ====================================================================
* Written by Donnat Frederic (frederic.donnat@zencod.com) from ZENCOD
* for "zencod" ENGINE integration in OpenSSL project.
*/
#ifndef _HW_ZENCOD_H_
# define _HW_ZENCOD_H_
# include <stdio.h>
# ifdef __cplusplus
extern "C" {
# endif /* __cplusplus */
# define ZENBRIDGE_MAX_KEYSIZE_RSA 2048
# define ZENBRIDGE_MAX_KEYSIZE_RSA_CRT 1024
# define ZENBRIDGE_MAX_KEYSIZE_DSA_SIGN 1024
# define ZENBRIDGE_MAX_KEYSIZE_DSA_VRFY 1024
/* Library version computation */
# define ZENBRIDGE_VERSION_MAJOR(x) (((x) >> 16) | 0xff)
# define ZENBRIDGE_VERSION_MINOR(x) (((x) >> 8) | 0xff)
# define ZENBRIDGE_VERSION_PATCH(x) (((x) >> 0) | 0xff)
# define ZENBRIDGE_VERSION(x, y, z) ((x) << 16 | (y) << 8 | (z))
/*
* Memory type
*/
typedef struct zencod_number_s {
unsigned long len;
unsigned char *data;
} zen_nb_t;
# define KEY zen_nb_t
/*
* Misc
*/
typedef int t_zencod_lib_version(void);
typedef int t_zencod_hw_version(void);
typedef int t_zencod_test(void);
typedef int t_zencod_dump_key(FILE *stream, char *msg, KEY * key);
/*
* Key management tools
*/
typedef KEY *t_zencod_new_number(unsigned long len, unsigned char *data);
typedef int t_zencod_init_number(KEY * n, unsigned long len,
unsigned char *data);
typedef unsigned long t_zencod_bytes2bits(unsigned char *n,
unsigned long bytes);
typedef unsigned long t_zencod_bits2bytes(unsigned long bits);
/*
* RSA API
*/
/* Compute modular exponential : y = x**e | n */
typedef int t_zencod_rsa_mod_exp(KEY * y, KEY * x, KEY * n, KEY * e);
/*
* Compute modular exponential : y1 = (x | p)**edp | p, y2 = (x | p)**edp
* | p, y = y2 + (qinv * (y1 - y2) | p) * q
*/
typedef int t_zencod_rsa_mod_exp_crt(KEY * y, KEY * x, KEY * p, KEY * q,
KEY * edp, KEY * edq, KEY * qinv);
/*
* DSA API
*/
typedef int t_zencod_dsa_do_sign(unsigned int hash, KEY * data,
KEY * random, KEY * p, KEY * q, KEY * g,
KEY * x, KEY * r, KEY * s);
typedef int t_zencod_dsa_do_verify(unsigned int hash, KEY * data, KEY * p,
KEY * q, KEY * g, KEY * y, KEY * r,
KEY * s, KEY * v);
/*
* DH API
*/
/* Key generation : compute public value y = g**x | n */
typedef int t_zencod_dh_generate_key(KEY * y, KEY * x, KEY * g, KEY * n,
int gen_x);
typedef int t_zencod_dh_compute_key(KEY * k, KEY * y, KEY * x, KEY * n);
/*
* RNG API
*/
# define ZENBRIDGE_RNG_DIRECT 0
# define ZENBRIDGE_RNG_SHA1 1
typedef int t_zencod_rand_bytes(KEY * rand, unsigned int flags);
/*
* Math API
*/
typedef int t_zencod_math_mod_exp(KEY * r, KEY * a, KEY * e, KEY * n);
/*
* Symetric API
*/
/* Define a data structure for digests operations */
typedef struct ZEN_data_st {
unsigned int HashBufferSize;
unsigned char *HashBuffer;
} ZEN_MD_DATA;
/*
* Functions for Digest (MD5, SHA1) stuff
*/
/* output : output data buffer */
/* input : input data buffer */
/* algo : hash algorithm, MD5 or SHA1 */
/*-
* typedef int t_zencod_hash ( KEY *output, const KEY *input, int algo ) ;
* typedef int t_zencod_sha_hash ( KEY *output, const KEY *input, int algo ) ;
*/
/* For now separate this stuff that mad it easier to test */
typedef int t_zencod_md5_init(ZEN_MD_DATA *data);
typedef int t_zencod_md5_update(ZEN_MD_DATA *data, const KEY * input);
typedef int t_zencod_md5_do_final(ZEN_MD_DATA *data, KEY * output);
typedef int t_zencod_sha1_init(ZEN_MD_DATA *data);
typedef int t_zencod_sha1_update(ZEN_MD_DATA *data, const KEY * input);
typedef int t_zencod_sha1_do_final(ZEN_MD_DATA *data, KEY * output);
/*
* Functions for Cipher (RC4, DES, 3DES) stuff
*/
/* output : output data buffer */
/* input : input data buffer */
/* key : rc4 key data */
/* index_1 : value of index x from RC4 key structure */
/* index_2 : value of index y from RC4 key structure */
/*
* Be careful : RC4 key should be expanded before calling this method
* (Should we provide an expand function ??)
*/
typedef int t_zencod_rc4_cipher(KEY * output, const KEY * input,
const KEY * key, unsigned char *index_1,
unsigned char *index_2, int mode);
/* output : output data buffer */
/* input : input data buffer */
/* key_1 : des first key data */
/* key_2 : des second key data */
/* key_3 : des third key data */
/* iv : initial vector */
/* mode : xdes mode (encrypt or decrypt) */
/* Be careful : In DES mode key_1 = key_2 = key_3 (as far as i can see !!) */
typedef int t_zencod_xdes_cipher(KEY * output, const KEY * input,
const KEY * key_1, const KEY * key_2,
const KEY * key_3, const KEY * iv,
int mode);
# undef KEY
# ifdef __cplusplus
}
# endif /* __cplusplus */
#endif /* !_HW_ZENCOD_H_ */

146
demos/engines/zencod/hw_zencod_err.c
View File

@ -1,146 +0,0 @@
/* ====================================================================
* Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/*
* NOTE: this file was auto generated by the mkerr.pl script: any changes
* made to it will be overwritten when the script next updates this file,
* only reason strings will be preserved.
*/
#include <stdio.h>
#include <openssl/err.h>
#include "hw_zencod_err.h"
/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
static ERR_STRING_DATA ZENCOD_str_functs[] = {
{ERR_PACK(0, ZENCOD_F_ZENCOD_BN_MOD_EXP, 0), "ZENCOD_BN_MOD_EXP"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_CTRL, 0), "ZENCOD_CTRL"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_DH_COMPUTE, 0), "ZENCOD_DH_COMPUTE"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_DH_GENERATE, 0), "ZENCOD_DH_GENERATE"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_DSA_DO_SIGN, 0), "ZENCOD_DSA_DO_SIGN"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_DSA_DO_VERIFY, 0), "ZENCOD_DSA_DO_VERIFY"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_FINISH, 0), "ZENCOD_FINISH"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_INIT, 0), "ZENCOD_INIT"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_RAND, 0), "ZENCOD_RAND"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_RSA_MOD_EXP, 0), "ZENCOD_RSA_MOD_EXP"},
{ERR_PACK(0, ZENCOD_F_ZENCOD_RSA_MOD_EXP_CRT, 0),
"ZENCOD_RSA_MOD_EXP_CRT"},
{0, NULL}
};
static ERR_STRING_DATA ZENCOD_str_reasons[] = {
{ZENCOD_R_ALREADY_LOADED, "already loaded"},
{ZENCOD_R_BAD_KEY_COMPONENTS, "bad key components"},
{ZENCOD_R_BN_EXPAND_FAIL, "bn expand fail"},
{ZENCOD_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctrl command not implemented"},
{ZENCOD_R_DSO_FAILURE, "dso failure"},
{ZENCOD_R_NOT_LOADED, "not loaded"},
{ZENCOD_R_REQUEST_FAILED, "request failed"},
{ZENCOD_R_UNIT_FAILURE, "unit failure"},
{0, NULL}
};
#endif
#ifdef ZENCOD_LIB_NAME
static ERR_STRING_DATA ZENCOD_lib_name[] = {
{0, ZENCOD_LIB_NAME},
{0, NULL}
};
#endif
static int ZENCOD_lib_error_code = 0;
static int ZENCOD_error_init = 1;
static void ERR_load_ZENCOD_strings(void)
{
if (ZENCOD_lib_error_code == 0)
ZENCOD_lib_error_code = ERR_get_next_error_library();
if (ZENCOD_error_init) {
ZENCOD_error_init = 0;
#ifndef OPENSSL_NO_ERR
ERR_load_strings(ZENCOD_lib_error_code, ZENCOD_str_functs);
ERR_load_strings(ZENCOD_lib_error_code, ZENCOD_str_reasons);
#endif
#ifdef ZENCOD_LIB_NAME
ZENCOD_lib_name->error = ERR_PACK(ZENCOD_lib_error_code, 0, 0);
ERR_load_strings(0, ZENCOD_lib_name);
#endif
}
}
static void ERR_unload_ZENCOD_strings(void)
{
if (ZENCOD_error_init == 0) {
#ifndef OPENSSL_NO_ERR
ERR_unload_strings(ZENCOD_lib_error_code, ZENCOD_str_functs);
ERR_unload_strings(ZENCOD_lib_error_code, ZENCOD_str_reasons);
#endif
#ifdef ZENCOD_LIB_NAME
ERR_unload_strings(0, ZENCOD_lib_name);
#endif
ZENCOD_error_init = 1;
}
}
static void ERR_ZENCOD_error(int function, int reason, char *file, int line)
{
if (ZENCOD_lib_error_code == 0)
ZENCOD_lib_error_code = ERR_get_next_error_library();
ERR_PUT_error(ZENCOD_lib_error_code, function, reason, file, line);
}

100
demos/engines/zencod/hw_zencod_err.h
View File

@ -1,100 +0,0 @@
/* ====================================================================
* Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef HEADER_ZENCOD_ERR_H
# define HEADER_ZENCOD_ERR_H
#ifdef __cplusplus
extern "C" {
#endif
/* BEGIN ERROR CODES */
/*
* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
static void ERR_load_ZENCOD_strings(void);
static void ERR_unload_ZENCOD_strings(void);
static void ERR_ZENCOD_error(int function, int reason, char *file, int line);
# define ZENCODerr(f,r) ERR_ZENCOD_error((f),(r),OPENSSL_FILE,OPENSSL_LINE)
/* Error codes for the ZENCOD functions. */
/* Function codes. */
# define ZENCOD_F_ZENCOD_BN_MOD_EXP 100
# define ZENCOD_F_ZENCOD_CTRL 101
# define ZENCOD_F_ZENCOD_DH_COMPUTE 102
# define ZENCOD_F_ZENCOD_DH_GENERATE 103
# define ZENCOD_F_ZENCOD_DSA_DO_SIGN 104
# define ZENCOD_F_ZENCOD_DSA_DO_VERIFY 105
# define ZENCOD_F_ZENCOD_FINISH 106
# define ZENCOD_F_ZENCOD_INIT 107
# define ZENCOD_F_ZENCOD_RAND 108
# define ZENCOD_F_ZENCOD_RSA_MOD_EXP 109
# define ZENCOD_F_ZENCOD_RSA_MOD_EXP_CRT 110
/* Reason codes. */
# define ZENCOD_R_ALREADY_LOADED 100
# define ZENCOD_R_BAD_KEY_COMPONENTS 101
# define ZENCOD_R_BN_EXPAND_FAIL 102
# define ZENCOD_R_CTRL_COMMAND_NOT_IMPLEMENTED 103
# define ZENCOD_R_DSO_FAILURE 104
# define ZENCOD_R_NOT_LOADED 105
# define ZENCOD_R_REQUEST_FAILED 106
# define ZENCOD_R_UNIT_FAILURE 107
#ifdef __cplusplus
}
#endif
#endif

9
demos/privkey.pem
View File

@ -1,9 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAN+FmbxmHVOp/RxtpMGz0DvQEBz1sDktHp19hIoMSu0YZift5MAu
4xAEJYvWVCshDiyOTWsUBXwZkrkt87FyctkCAwEAAQJAG/vxBGpQb6IPo1iC0RF/
F430BnwoBPCGLbeCOXpSgx5X+19vuTSdEqMgeNB6+aNb+XY/7mvVfCjyD6WZ0oxs
JQIhAPO+uL9cP40lFs62pdL3QSWsh3VNDByvOtr9LpeaxBm/AiEA6sKVfXsDQ5hd
SHt9U61r2r8Lcxmzi9Kw6JNqjMmzqWcCIQCKoRy+aZ8Tjdas9yDVHh+FZ90bEBkl
b1xQFNOdEj8aTQIhAOJWrO6INYNsWTPS6+hLYZtLamyUsQj0H+B8kNQge/mtAiEA
nBfvUl243qbqN8gF7Az1u33uc9FsPVvQPiBzLxZ4ixw=
-----END RSA PRIVATE KEY-----

169
demos/selfsign.c
View File

@ -1,169 +0,0 @@
/* NOCW */
/* cc -o ssdemo -I../include selfsign.c ../libcrypto.a */
#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
int mkit(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
int main()
{
BIO *bio_err;
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
CRYPTO_set_mem_debug(1);
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
mkit(&x509, &pkey, 512, 0, 365);
RSA_print_fp(stdout, pkey->pkey.rsa, 0);
X509_print_fp(stdout, x509);
PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL);
PEM_write_X509(stdout, x509);
X509_free(x509);
EVP_PKEY_free(pkey);
#ifdef CUSTOM_EXT
/* Only needed if we add objects or custom extensions */
X509V3_EXT_cleanup();
OBJ_cleanup();
#endif
CRYPTO_mem_leaks(bio_err);
BIO_free(bio_err);
return (0);
}
static void callback(p, n, arg)
int p;
int n;
void *arg;
{
char c = 'B';
if (p == 0)
c = '.';
if (p == 1)
c = '+';
if (p == 2)
c = '*';
if (p == 3)
c = '\n';
fputc(c, stderr);
}
int mkit(x509p, pkeyp, bits, serial, days)
X509 **x509p;
EVP_PKEY **pkeyp;
int bits;
int serial;
int days;
{
X509 *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name = NULL;
X509_NAME_ENTRY *ne = NULL;
X509_EXTENSION *ex = NULL;
if ((pkeyp == NULL) || (*pkeyp == NULL)) {
if ((pk = EVP_PKEY_new()) == NULL) {
abort();
return (0);
}
} else
pk = *pkeyp;
if ((x509p == NULL) || (*x509p == NULL)) {
if ((x = X509_new()) == NULL)
goto err;
} else
x = *x509p;
rsa = RSA_generate_key(bits, RSA_F4, callback, NULL);
if (!EVP_PKEY_assign_RSA(pk, rsa)) {
abort();
goto err;
}
rsa = NULL;
X509_set_version(x, 3);
ASN1_INTEGER_set(X509_get_serialNumber(x), serial);
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days);
X509_set_pubkey(x, pk);
name = X509_get_subject_name(x);
/*
* This function creates and adds the entry, working out the correct
* string type and performing checks on its length. Normally we'd check
* the return value for errors...
*/
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, "UK", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN",
MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
X509_set_issuer_name(x, name);
/*
* Add extension using V3 code: we can set the config file as NULL
* because we wont reference any other sections. We can also set the
* context to NULL because none of these extensions below will need to
* access it.
*/
ex = X509V3_EXT_conf_nid(NULL, NULL, NID_netscape_cert_type, "server");
X509_add_ext(x, ex, -1);
X509_EXTENSION_free(ex);
ex = X509V3_EXT_conf_nid(NULL, NULL, NID_netscape_comment,
"example comment extension");
X509_add_ext(x, ex, -1);
X509_EXTENSION_free(ex);
ex = X509V3_EXT_conf_nid(NULL, NULL, NID_netscape_ssl_server_name,
"www.openssl.org");
X509_add_ext(x, ex, -1);
X509_EXTENSION_free(ex);
#ifdef ADD_CA_CONSTRAINT
/* might want something like this too.... */
ex = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,
"critical,CA:TRUE");
X509_add_ext(x, ex, -1);
X509_EXTENSION_free(ex);
#endif
#ifdef ADD_A_CUSTOM_EXTENSION
/* Maybe even add our own extension based on existing */
{
int nid;
nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
ex = X509V3_EXT_conf_nid(NULL, NULL, nid, "example comment alias");
X509_add_ext(x, ex, -1);
X509_EXTENSION_free(ex);
}
#endif
if (!X509_sign(x, pk, EVP_md5()))
goto err;
*x509p = x;
*pkeyp = pk;
return (1);
err:
return (0);
}

16
demos/sign/Makefile.in
View File

@ -1,16 +0,0 @@
CC=cc
CFLAGS= -g -I../../include -Wall
LIBS= -L../.. -lcrypto
EXAMPLES=sign
all: $(EXAMPLES)
sign: sign.o
$(CC) -o sign sign.o $(LIBS)
clean:
rm -f $(EXAMPLES) *.o
test: all
./sign
# DO NOT DELETE THIS LINE -- make depend depends on it.

14
demos/sign/cert.pem
View File

@ -1,14 +0,0 @@
-----BEGIN CERTIFICATE-----
MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD
VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv
bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy
dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X
DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw
EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l
dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT
EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw
L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN
BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX
9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=
-----END CERTIFICATE-----

9
demos/sign/key.pem
View File

@ -1,9 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ
2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF
oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr
8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc
a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7
WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA
6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=
-----END RSA PRIVATE KEY-----

158
demos/sign/sig.txt
View File

@ -1,158 +0,0 @@
From ssl-lists-owner@mincom.com Mon Sep 30 02:37:40 1996
Received: from cygnus.mincom.oz.au by orb.mincom.oz.au with SMTP id AA11782
(5.65c/IDA-1.4.4 for eay); Mon, 30 Sep 1996 11:46:21 +1000
Received: (from daemon@localhost) by cygnus.mincom.oz.au (8.7.5/8.7.3) id LAA18980 for ssl-users-outgoing; Mon, 30 Sep 1996 11:44:56 +1000 (EST)
Received: from minbne.mincom.oz.au (minbne.mincom.oz.au [192.55.196.247]) by cygnus.mincom.oz.au (8.7.5/8.7.3) with SMTP id LAA18962 for <ssl-users@listserv.mincom.oz.au>; Mon, 30 Sep 1996 11:44:51 +1000 (EST)
Received: by minbne.mincom.oz.au id AA22230
(5.65c/IDA-1.4.4 for ssl-users@listserv.mincom.oz.au); Mon, 30 Sep 1996 11:38:41 +1000
Received: from brutus.neuronio.pt (brutus.neuronio.pt [193.126.253.2]) by bunyip.cc.uq.oz.au (8.7.6/8.7.3) with SMTP id LAA15824 for <ssl-users@mincom.com>; Mon, 30 Sep 1996 11:40:07 +1000
Received: (from sampo@localhost) by brutus.neuronio.pt (8.6.11/8.6.11) id BAA08729; Mon, 30 Sep 1996 01:37:40 +0100
Date: Mon, 30 Sep 1996 01:37:40 +0100
Message-Id: <199609300037.BAA08729@brutus.neuronio.pt>
From: Sampo Kellomaki <sampo@neuronio.pt>
To: ssl-users@mincom.com
Cc: sampo@brutus.neuronio.pt
Subject: Signing with envelope routines
Sender: ssl-lists-owner@mincom.com
Precedence: bulk
Status: RO
X-Status: D
I have been trying to figure out how to produce signatures with EVP_
routines. I seem to be able to read in private key and sign some
data ok, but I can't figure out how I am supposed to read in
public key so that I could verify my signature. I use self signed
certificate.
I figured I should use
EVP_PKEY* pkey = PEM_ASN1_read(d2i_PrivateKey, PEM_STRING_EVP_PKEY,
fp, NULL, NULL);
to read in private key and this seems to work Ok.
However when I try analogous
EVP_PKEY* pkey = PEM_ASN1_read(d2i_PublicKey, PEM_STRING_X509,
fp, NULL, NULL);
the program fails with
error:0D09508D:asn1 encoding routines:D2I_PUBLICKEY:unknown public key type:d2i_pu.c:93
error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_lib.c:232
I figured that the second argument to PEM_ASN1_read should match the
name in my PEM encoded object, hence PEM_STRING_X509.
PEM_STRING_EVP_PKEY seems to be somehow magical
because it matches whatever private key there happens to be. I could
not find a similar constant to use with getting the certificate, however.
Is my approach of using PEM_ASN1_read correct? What should I pass in
as name? Can I use normal (or even self signed) X509 certificate for
verifying the signature?
When will SSLeay documentation be written ;-)? If I would contribute
comments to the code, would Eric take time to review them and include
them in distribution?
I'm using SSLeay-0.6.4. My program is included below along with the
key and cert that I use.
--Sampo
-----------------------------------
/* sign-it.cpp - Simple test app using SSLeay envelopes to sign data
29.9.1996, Sampo Kellomaki <sampo@iki.fi> */
#include <stdio.h>
#include "rsa.h"
#include "evp.h"
#include "objects.h"
#include "x509.h"
#include "err.h"
#include "pem.h"
#include "ssl.h"
void main ()
{
int err;
int sig_len;
unsigned char sig_buf [4096];
const char certfile[] = "plain-cert.pem";
const char keyfile[] = "plain-key.pem";
const char data[] = "I owe you...";
EVP_MD_CTX md_ctx;
EVP_PKEY* pkey;
FILE* fp;
SSL_load_error_strings();
/* Read private key */
fp = fopen (keyfile, "r"); if (fp == NULL) exit (1);
pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey,
PEM_STRING_EVP_PKEY,
fp,
NULL, NULL);
if (pkey == NULL) { ERR_print_errors_fp (stderr); exit (1); }
fclose (fp);
/* Do the signature */
EVP_SignInit (&md_ctx, EVP_md5());
EVP_SignUpdate (&md_ctx, data, strlen(data));
sig_len = sizeof(sig_buf);
err = EVP_SignFinal (&md_ctx,
sig_buf,
&sig_len,
pkey);
if (err != 1) { ERR_print_errors_fp (stderr); exit (1); }
EVP_PKEY_free (pkey);
/* Read public key */
fp = fopen (certfile, "r"); if (fp == NULL) exit (1);
pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PublicKey,
PEM_STRING_X509,
fp,
NULL, NULL);
if (pkey == NULL) { ERR_print_errors_fp (stderr); exit (1); }
fclose (fp);
/* Verify the signature */
EVP_VerifyInit (&md_ctx, EVP_md5());
EVP_VerifyUpdate (&md_ctx, data, strlen((char*)data));
err = EVP_VerifyFinal (&md_ctx,
sig_buf,
sig_len,
pkey);
if (err != 1) { ERR_print_errors_fp (stderr); exit (1); }
EVP_PKEY_free (pkey);
printf ("Signature Verified Ok.\n");
}
/* EOF */
--------------- plain-cert.pem -----------------
-----BEGIN CERTIFICATE-----
MIICLDCCAdYCAQAwDQYJKoZIhvcNAQEEBQAwgaAxCzAJBgNVBAYTAlBUMRMwEQYD
VQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5ldXJv
bmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMTEmJy
dXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZpMB4X
DTk2MDkwNTAzNDI0M1oXDTk2MTAwNTAzNDI0M1owgaAxCzAJBgNVBAYTAlBUMRMw
EQYDVQQIEwpRdWVlbnNsYW5kMQ8wDQYDVQQHEwZMaXNib2ExFzAVBgNVBAoTDk5l
dXJvbmlvLCBMZGEuMRgwFgYDVQQLEw9EZXNlbnZvbHZpbWVudG8xGzAZBgNVBAMT
EmJydXR1cy5uZXVyb25pby5wdDEbMBkGCSqGSIb3DQEJARYMc2FtcG9AaWtpLmZp
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNw
L4lYKbpzzlmC5beaQXeQ2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAATAN
BgkqhkiG9w0BAQQFAANBAFqPEKFjk6T6CKTHvaQeEAsX0/8YHPHqH/9AnhSjrwuX
9EBc0n6bVGhN7XaXd6sJ7dym9sbsWxb+pJdurnkxjx4=
-----END CERTIFICATE-----
---------------- plain-key.pem -----------------
-----BEGIN RSA PRIVATE KEY-----
MIIBPAIBAAJBAL7+aty3S1iBA/+yxjxv4q1MUTd1kjNwL4lYKbpzzlmC5beaQXeQ
2RmGMTXU+mDvuqItjVHOK3DvPK7lTcSGftUCAwEAAQJBALjkK+jc2+iihI98riEF
oudmkNziSRTYjnwjx8mCoAjPWviB3c742eO3FG4/soi1jD9A5alihEOXfUzloenr
8IECIQD3B5+0l+68BA/6d76iUNqAAV8djGTzvxnCxycnxPQydQIhAMXt4trUI3nc
a+U8YL2HPFA3gmhBsSICbq2OptOCnM7hAiEA6Xi3JIQECob8YwkRj29DU3/4WYD7
WLPgsQpwo1GuSpECICGsnWH5oaeD9t9jbFoSfhJvv0IZmxdcLpRcpslpeWBBAiEA
6/5B8J0GHdJq89FHwEG/H2eVVUYu5y/aD6sgcm+0Avg=
-----END RSA PRIVATE KEY-----
------------------------------------------------

159
demos/sign/sign.c
View File

@ -1,159 +0,0 @@
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
/*
* sign-it.cpp - Simple test app using EVP envelopes to sign data
* 29.9.1996, Sampo Kellomaki <sampo@iki.fi>
*/
/* converted to C - eay :-) */
/*
* reformated a bit and converted to use the more common functions: this was
* initially written at the dawn of time :-) - Steve.
*/
#include <stdio.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
int main()
{
int err;
int sig_len;
unsigned char sig_buf[4096];
static char certfile[] = "cert.pem";
static char keyfile[] = "key.pem";
static char data[] = "I owe you...";
EVP_MD_CTX md_ctx;
EVP_PKEY *pkey;
FILE *fp;
X509 *x509;
/*
* Just load the crypto library error strings, SSL_load_error_strings()
* loads the crypto AND the SSL ones
*/
/* SSL_load_error_strings(); */
ERR_load_crypto_strings();
/* Read private key */
fp = fopen(keyfile, "r");
if (fp == NULL)
exit(1);
pkey = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
fclose(fp);
if (pkey == NULL) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Do the signature */
EVP_SignInit(&md_ctx, EVP_sha1());
EVP_SignUpdate(&md_ctx, data, strlen(data));
sig_len = sizeof(sig_buf);
err = EVP_SignFinal(&md_ctx, sig_buf, &sig_len, pkey);
if (err != 1) {
ERR_print_errors_fp(stderr);
exit(1);
}
EVP_PKEY_free(pkey);
/* Read public key */
fp = fopen(certfile, "r");
if (fp == NULL)
exit(1);
x509 = PEM_read_X509(fp, NULL, NULL, NULL);
fclose(fp);
if (x509 == NULL) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Get public key - eay */
pkey = X509_get_pubkey(x509);
if (pkey == NULL) {
ERR_print_errors_fp(stderr);
exit(1);
}
/* Verify the signature */
EVP_VerifyInit(&md_ctx, EVP_sha1());
EVP_VerifyUpdate(&md_ctx, data, strlen((char *)data));
err = EVP_VerifyFinal(&md_ctx, sig_buf, sig_len, pkey);
EVP_PKEY_free(pkey);
if (err != 1) {
ERR_print_errors_fp(stderr);
exit(1);
}
printf("Signature Verified Ok.\n");
return (0);
}

170
demos/sign/sign.txt
View File

@ -1,170 +0,0 @@
From ssl-lists-owner@mincom.com Mon Sep 30 22:43:15 1996
Received: from cygnus.mincom.oz.au by orb.mincom.oz.au with SMTP id AA12802
(5.65c/IDA-1.4.4 for eay); Mon, 30 Sep 1996 12:45:43 +1000
Received: (from daemon@localhost) by cygnus.mincom.oz.au (8.7.5/8.7.3) id MAA25922 for ssl-users-outgoing; Mon, 30 Sep 1996 12:43:43 +1000 (EST)
Received: from orb.mincom.oz.au (eay@orb.mincom.oz.au [192.55.197.1]) by cygnus.mincom.oz.au (8.7.5/8.7.3) with SMTP id MAA25900 for <ssl-users@listserv.mincom.oz.au>; Mon, 30 Sep 1996 12:43:39 +1000 (EST)
Received: by orb.mincom.oz.au id AA12688
(5.65c/IDA-1.4.4 for ssl-users@listserv.mincom.oz.au); Mon, 30 Sep 1996 12:43:16 +1000
Date: Mon, 30 Sep 1996 12:43:15 +1000 (EST)
From: Eric Young <eay@mincom.com>
X-Sender: eay@orb
To: Sampo Kellomaki <sampo@neuronio.pt>
Cc: ssl-users@mincom.com, sampo@brutus.neuronio.pt
Subject: Re: Signing with envelope routines
In-Reply-To: <199609300037.BAA08729@brutus.neuronio.pt>
Message-Id: <Pine.SOL.3.91.960930121504.11800Y-100000@orb>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: ssl-lists-owner@mincom.com
Precedence: bulk
Status: O
X-Status:
On Mon, 30 Sep 1996, Sampo Kellomaki wrote:
> I have been trying to figure out how to produce signatures with EVP_
> routines. I seem to be able to read in private key and sign some
> data ok, but I can't figure out how I am supposed to read in
> public key so that I could verify my signature. I use self signed
> certificate.
hmm... a rather poorly documented are of the library at this point in time.
> I figured I should use
> EVP_PKEY* pkey = PEM_ASN1_read(d2i_PrivateKey, PEM_STRING_EVP_PKEY,
> fp, NULL, NULL);
> to read in private key and this seems to work Ok.
>
> However when I try analogous
> EVP_PKEY* pkey = PEM_ASN1_read(d2i_PublicKey, PEM_STRING_X509,
> fp, NULL, NULL);
What you should do is
X509 *x509=PEM_read_X509(fp,NULL,NULL);
/* which is the same as PEM_ASN1_read(d2i_X509,PEM_STRING_X509,fp,
* NULL,NULL); */
Then
EVP_PKEY *pkey=X509_extract_key(x509);
There is also a X509_REQ_extract_key(req);
which gets the public key from a certificate request.
I re-worked quite a bit of this when I cleaned up the dependancy on
RSA as the private key.
> I figured that the second argument to PEM_ASN1_read should match the
> name in my PEM encoded object, hence PEM_STRING_X509.
> PEM_STRING_EVP_PKEY seems to be somehow magical
> because it matches whatever private key there happens to be. I could
> not find a similar constant to use with getting the certificate, however.
:-), PEM_STRING_EVP_PKEY is 'magical' :-). In theory I should be using a
standard such as PKCS#8 to store the private key so that the type is
encoded in the asn.1 encoding of the object.
> Is my approach of using PEM_ASN1_read correct? What should I pass in
> as name? Can I use normal (or even self signed) X509 certificate for
> verifying the signature?
The actual public key is kept in the certificate, so basically you have
to load the certificate and then 'unpack' the public key from the
certificate.
> When will SSLeay documentation be written ;-)? If I would contribute
> comments to the code, would Eric take time to review them and include
> them in distribution?
:-) After SSLv3 and PKCS#7 :-). I actually started doing a function list
but what I really need to do is do quite a few 'this is how you do xyz'
type documents. I suppose the current method is to post to ssl-users and
I'll respond :-).
I'll add a 'demo' directory for the next release, I've appended a
modified version of your program that works, you were very close :-).
eric
/* sign-it.cpp - Simple test app using SSLeay envelopes to sign data
29.9.1996, Sampo Kellomaki <sampo@iki.fi> */
/* converted to C - eay :-) */
#include <stdio.h>
#include "rsa.h"
#include "evp.h"
#include "objects.h"
#include "x509.h"
#include "err.h"
#include "pem.h"
#include "ssl.h"
void main ()
{
int err;
int sig_len;
unsigned char sig_buf [4096];
static char certfile[] = "plain-cert.pem";
static char keyfile[] = "plain-key.pem";
static char data[] = "I owe you...";
EVP_MD_CTX md_ctx;
EVP_PKEY * pkey;
FILE * fp;
X509 * x509;
/* Just load the crypto library error strings,
* SSL_load_error_strings() loads the crypto AND the SSL ones */
/* SSL_load_error_strings();*/
ERR_load_crypto_strings();
/* Read private key */
fp = fopen (keyfile, "r"); if (fp == NULL) exit (1);
pkey = (EVP_PKEY*)PEM_ASN1_read ((char *(*)())d2i_PrivateKey,
PEM_STRING_EVP_PKEY,
fp,
NULL, NULL);
if (pkey == NULL) { ERR_print_errors_fp (stderr); exit (1); }
fclose (fp);
/* Do the signature */
EVP_SignInit (&md_ctx, EVP_md5());
EVP_SignUpdate (&md_ctx, data, strlen(data));
sig_len = sizeof(sig_buf);
err = EVP_SignFinal (&md_ctx,
sig_buf,
&sig_len,
pkey);
if (err != 1) { ERR_print_errors_fp (stderr); exit (1); }
EVP_PKEY_free (pkey);
/* Read public key */
fp = fopen (certfile, "r"); if (fp == NULL) exit (1);
x509 = (X509 *)PEM_ASN1_read ((char *(*)())d2i_X509,
PEM_STRING_X509,
fp, NULL, NULL);
if (x509 == NULL) { ERR_print_errors_fp (stderr); exit (1); }
fclose (fp);
/* Get public key - eay */
pkey=X509_extract_key(x509);
if (pkey == NULL) { ERR_print_errors_fp (stderr); exit (1); }
/* Verify the signature */
EVP_VerifyInit (&md_ctx, EVP_md5());
EVP_VerifyUpdate (&md_ctx, data, strlen((char*)data));
err = EVP_VerifyFinal (&md_ctx,
sig_buf,
sig_len,
pkey);
if (err != 1) { ERR_print_errors_fp (stderr); exit (1); }
EVP_PKEY_free (pkey);
printf ("Signature Verified Ok.\n");
}

171
demos/spkigen.c
View File

@ -1,171 +0,0 @@
/* NOCW */
/*-
* demos/spkigen.c
* 18-Mar-1997 - eay - A quick hack :-)
* version 1.1, it would probably help to save or load the
* private key :-)
*/
#include <stdio.h>
#include <stdlib.h>
#include <openssl/err.h>
#include <openssl/asn1.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
/*
* The following two don't exist in SSLeay but they are in here as examples
*/
#define PEM_write_SPKI(fp,x) \
PEM_ASN1_write((int (*)())i2d_NETSCAPE_SPKI,"SPKI",fp,\
(char *)x,NULL,NULL,0,NULL)
int SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey);
/* These are defined in the next version of SSLeay */
int EVP_PKEY_assign(EVP_PKEY *pkey, int type, char *key);
#define RSA_F4 0x10001
#define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
(char *)(rsa))
int main(argc, argv)
int argc;
char *argv[];
{
RSA *rsa = NULL;
NETSCAPE_SPKI *spki = NULL;
EVP_PKEY *pkey = NULL;
char buf[128];
int ok = 0, i;
FILE *fp;
pkey = EVP_PKEY_new();
if (argc < 2) {
/*
* Generate an RSA key, the random state should have been seeded with
* lots of calls to RAND_seed(....)
*/
fprintf(stderr, "generating RSA key, could take some time...\n");
if ((rsa = RSA_generate_key(512, RSA_F4, NULL)) == NULL)
goto err;
} else {
if ((fp = fopen(argv[1], "r")) == NULL) {
perror(argv[1]);
goto err;
}
if ((rsa = PEM_read_RSAPrivateKey(fp, NULL, NULL)) == NULL)
goto err;
fclose(fp);
}
if (!EVP_PKEY_assign_RSA(pkey, rsa))
goto err;
rsa = NULL;
/* lets make the spki and set the public key and challenge */
if ((spki = NETSCAPE_SPKI_new()) == NULL)
goto err;
if (!SPKI_set_pubkey(spki, pkey))
goto err;
fprintf(stderr, "please enter challenge string:");
fflush(stderr);
buf[0] = '\0';
fgets(buf, sizeof buf, stdin);
i = strlen(buf);
if (i > 0)
buf[--i] = '\0';
if (!ASN1_STRING_set((ASN1_STRING *)spki->spkac->challenge, buf, i))
goto err;
if (!NETSCAPE_SPKI_sign(spki, pkey, EVP_md5()))
goto err;
PEM_write_SPKI(stdout, spki);
if (argc < 2)
PEM_write_RSAPrivateKey(stdout, pkey->pkey.rsa, NULL, NULL, 0, NULL);
ok = 1;
err:
if (!ok) {
fprintf(stderr, "something bad happened....");
ERR_print_errors_fp(stderr);
}
NETSCAPE_SPKI_free(spki);
EVP_PKEY_free(pkey);
exit(!ok);
}
/* This function is in the next version of SSLeay */
int EVP_PKEY_assign(pkey, type, key)
EVP_PKEY *pkey;
int type;
char *key;
{
if (pkey == NULL)
return (0);
if (pkey->pkey.ptr != NULL) {
if (pkey->type == EVP_PKEY_RSA)
RSA_free(pkey->pkey.rsa);
/* else memory leak */
}
pkey->type = type;
pkey->pkey.ptr = key;
return (1);
}
/*
* While I have a X509_set_pubkey() and X509_REQ_set_pubkey(),
* SPKI_set_pubkey() does not currently exist so here is a version of it. The
* next SSLeay release will probably have X509_set_pubkey(),
* X509_REQ_set_pubkey() and NETSCAPE_SPKI_set_pubkey() as macros calling the
* same function
*/
int SPKI_set_pubkey(x, pkey)
NETSCAPE_SPKI *x;
EVP_PKEY *pkey;
{
int ok = 0;
X509_PUBKEY *pk;
X509_ALGOR *a;
ASN1_OBJECT *o;
unsigned char *s, *p;
int i;
if (x == NULL)
return (0);
if ((pk = X509_PUBKEY_new()) == NULL)
goto err;
a = pk->algor;
/* set the algorithm id */
if ((o = OBJ_nid2obj(pkey->type)) == NULL)
goto err;
ASN1_OBJECT_free(a->algorithm);
a->algorithm = o;
/* Set the parameter list */
if ((a->parameter == NULL) || (a->parameter->type != V_ASN1_NULL)) {
ASN1_TYPE_free(a->parameter);
a->parameter = ASN1_TYPE_new();
a->parameter->type = V_ASN1_NULL;
}
i = i2d_PublicKey(pkey, NULL);
if ((s = (unsigned char *)malloc(i + 1)) == NULL)
goto err;
p = s;
i2d_PublicKey(pkey, &p);
if (!ASN1_BIT_STRING_set(pk->public_key, s, i))
goto err;
free(s);
X509_PUBKEY_free(x->spkac->pubkey);
x->spkac->pubkey = pk;
pk = NULL;
ok = 1;
err:
X509_PUBKEY_free(pk);
return (ok);
}

108
demos/ssl/cli.cpp
View File

@ -1,108 +0,0 @@
/* cli.cpp - Minimal ssleay client for Unix
30.9.1996, Sampo Kellomaki <sampo@iki.fi> */
/* mangled to work with OpenSSL 0.9.2b
Simplified to be even more minimal
12/98 - 4/99 Wade Scholine <wades@mail.cybg.com> */
#include <stdio.h>
#include <memory.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define CHK_NULL(x) if ((x)==NULL) exit (1)
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
void main ()
{
int err;
int sd;
struct sockaddr_in sa;
SSL_CTX* ctx;
SSL* ssl;
X509* server_cert;
char* str;
char buf [4096];
SSL_METHOD *meth;
OpenSSL_add_ssl_algorithms();
meth = TLS_client_method();
SSL_load_error_strings();
ctx = SSL_CTX_new (meth); CHK_NULL(ctx);
/* ----------------------------------------------- */
/* Create a socket and connect to server using normal socket calls. */
sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(sd, "socket");
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = inet_addr ("127.0.0.1"); /* Server IP */
sa.sin_port = htons (1111); /* Server Port number */
err = connect(sd, (struct sockaddr*) &sa,
sizeof(sa)); CHK_ERR(err, "connect");
/* ----------------------------------------------- */
/* Now we have TCP conncetion. Start SSL negotiation. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_connect (ssl); CHK_SSL(err);
/* Following two steps are optional and not required for
data exchange to be successful. */
/* Get the cipher - opt */
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get server's certificate (note: beware of dynamic allocation) - opt */
server_cert = SSL_get_peer_certificate (ssl); CHK_NULL(server_cert);
printf ("Server certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (server_cert),0,0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (server_cert),0,0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (server_cert);
/* --------------------------------------------------- */
/* DATA EXCHANGE - Send a message and receive a reply. */
err = SSL_write (ssl, "Hello World!", strlen("Hello World!")); CHK_SSL(err);
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
buf[err] = '\0';
printf ("Got %d chars:'%s'\n", err, buf);
SSL_shutdown (ssl); /* send SSL/TLS close_notify */
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
/* EOF - cli.cpp */

98
demos/ssl/inetdsrv.cpp
View File

@ -1,98 +0,0 @@
/* inetdserv.cpp - Minimal ssleay server for Unix inetd.conf
* 30.9.1996, Sampo Kellomaki <sampo@iki.fi>
* From /etc/inetd.conf:
* 1111 stream tcp nowait sampo /usr/users/sampo/demo/inetdserv inetdserv
*/
#include <stdio.h>
#include <errno.h>
#include "rsa.h"
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#define HOME "/usr/users/sampo/demo/"
#define CERTF HOME "plain-cert.pem"
#define KEYF HOME "plain-key.pem"
#define CHK_NULL(x) if ((x)==NULL) exit (1)
#define CHK_ERR(err,s) if ((err)==-1) \
{ fprintf(log, "%s %d\n", (s), errno); exit(1); }
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(log); exit(2); }
void main ()
{
int err;
SSL_CTX* ctx;
SSL* ssl;
X509* client_cert;
char* str;
char buf [4096];
FILE* log;
log = fopen ("/dev/console", "a"); CHK_NULL(log);
fprintf (log, "inetdserv %ld\n", (long)getpid());
SSL_load_error_strings();
ctx = SSL_CTX_new (); CHK_NULL(ctx);
err = SSL_CTX_use_RSAPrivateKey_file (ctx, KEYF, SSL_FILETYPE_PEM);
CHK_SSL (err);
err = SSL_CTX_use_certificate_file (ctx, CERTF, SSL_FILETYPE_PEM);
CHK_SSL (err);
/* inetd has already opened the TCP connection, so we can get right
down to business. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, fileno(stdin));
err = SSL_accept (ssl); CHK_SSL(err);
/* Get the cipher - opt */
fprintf (log, "SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt */
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
fprintf (log, "Client certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (client_cert));
CHK_NULL(str);
fprintf (log, "\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert));
CHK_NULL(str);
fprintf (log, "\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (client_cert);
} else
fprintf (log, "Client doe not have certificate.\n");
/* ------------------------------------------------- */
/* DATA EXCHANGE: Receive message and send reply */
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
buf[err] = '\0';
fprintf (log, "Got %d chars:'%s'\n", err, buf);
err = SSL_write (ssl, "Loud and clear.", strlen("Loud and clear."));
CHK_SSL(err);
/* Clean up. */
fclose (log);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
/* EOF - inetdserv.cpp */

152
demos/ssl/serv.cpp
View File

@ -1,152 +0,0 @@
/* serv.cpp - Minimal ssleay server for Unix
30.9.1996, Sampo Kellomaki <sampo@iki.fi> */
/* mangled to work with OpenSSL 0.9.2b
Simplified to be even more minimal
12/98 - 4/99 Wade Scholine <wades@mail.cybg.com> */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <memory.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/rsa.h>
#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
/* define HOME to be dir for key and cert files... */
#define HOME "./"
/* Make these what you want for cert & key files */
#define CERTF HOME "foo-cert.pem"
#define KEYF HOME "foo-cert.pem"
#define CHK_NULL(x) if ((x)==NULL) exit (1)
#define CHK_ERR(err,s) if ((err)==-1) { perror(s); exit(1); }
#define CHK_SSL(err) if ((err)==-1) { ERR_print_errors_fp(stderr); exit(2); }
void main ()
{
int err;
int listen_sd;
int sd;
struct sockaddr_in sa_serv;
struct sockaddr_in sa_cli;
size_t client_len;
SSL_CTX* ctx;
SSL* ssl;
X509* client_cert;
char* str;
char buf [4096];
SSL_METHOD *meth;
/* SSL preliminaries. We keep the certificate and key with the context. */
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
meth = TLS_server_method();
ctx = SSL_CTX_new (meth);
if (!ctx) {
ERR_print_errors_fp(stderr);
exit(2);
}
if (SSL_CTX_use_certificate_file(ctx, CERTF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(3);
}
if (SSL_CTX_use_PrivateKey_file(ctx, KEYF, SSL_FILETYPE_PEM) <= 0) {
ERR_print_errors_fp(stderr);
exit(4);
}
if (!SSL_CTX_check_private_key(ctx)) {
fprintf(stderr,"Private key does not match the certificate public key\n");
exit(5);
}
/* ----------------------------------------------- */
/* Prepare TCP socket for receiving connections */
listen_sd = socket (AF_INET, SOCK_STREAM, 0); CHK_ERR(listen_sd, "socket");
memset(&sa_serv, 0, sizeof(sa_serv));
sa_serv.sin_family = AF_INET;
sa_serv.sin_addr.s_addr = INADDR_ANY;
sa_serv.sin_port = htons (1111); /* Server Port number */
err = bind(listen_sd, (struct sockaddr*) &sa_serv,
sizeof (sa_serv)); CHK_ERR(err, "bind");
/* Receive a TCP connection. */
err = listen (listen_sd, 5); CHK_ERR(err, "listen");
client_len = sizeof(sa_cli);
sd = accept (listen_sd, (struct sockaddr*) &sa_cli, &client_len);
CHK_ERR(sd, "accept");
close (listen_sd);
printf ("Connection from %lx, port %x\n",
sa_cli.sin_addr.s_addr, sa_cli.sin_port);
/* ----------------------------------------------- */
/* TCP connection is ready. Do server side SSL. */
ssl = SSL_new (ctx); CHK_NULL(ssl);
SSL_set_fd (ssl, sd);
err = SSL_accept (ssl); CHK_SSL(err);
/* Get the cipher - opt */
printf ("SSL connection using %s\n", SSL_get_cipher (ssl));
/* Get client's certificate (note: beware of dynamic allocation) - opt */
client_cert = SSL_get_peer_certificate (ssl);
if (client_cert != NULL) {
printf ("Client certificate:\n");
str = X509_NAME_oneline (X509_get_subject_name (client_cert), 0, 0);
CHK_NULL(str);
printf ("\t subject: %s\n", str);
OPENSSL_free (str);
str = X509_NAME_oneline (X509_get_issuer_name (client_cert), 0, 0);
CHK_NULL(str);
printf ("\t issuer: %s\n", str);
OPENSSL_free (str);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
X509_free (client_cert);
} else
printf ("Client does not have certificate.\n");
/* DATA EXCHANGE - Receive message and send reply. */
err = SSL_read (ssl, buf, sizeof(buf) - 1); CHK_SSL(err);
buf[err] = '\0';
printf ("Got %d chars:'%s'\n", err, buf);
err = SSL_write (ssl, "I hear you.", strlen("I hear you.")); CHK_SSL(err);
/* Clean up. */
close (sd);
SSL_free (ssl);
SSL_CTX_free (ctx);
}
/* EOF - serv.cpp */

98
demos/ssltest-ecc/ECC-RSAcertgen.sh
View File

@ -1,98 +0,0 @@
#!/bin/sh
# For a list of supported curves, use "apps/openssl ecparam -list_curves".
# Path to the openssl distribution
OPENSSL_DIR=../..
# Path to the openssl program
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
# Option to find configuration file
OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
# Directory where certificates are stored
CERTS_DIR=./Certs
# Directory where private key files are stored
KEYS_DIR=$CERTS_DIR
# Directory where combo files (containing a certificate and corresponding
# private key together) are stored
COMBO_DIR=$CERTS_DIR
# cat command
CAT=/bin/cat
# rm command
RM=/bin/rm
# mkdir command
MKDIR=/bin/mkdir
# The certificate will expire these many days after the issue date.
DAYS=1500
TEST_CA_FILE=rsa1024TestCA
TEST_SERVER_CURVE=sect163r1
TEST_SERVER_FILE=sect163r1-rsaTestServer
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (sect163r1 key signed with RSA)"
TEST_CLIENT_CURVE=sect163r1
TEST_CLIENT_FILE=sect163r1-rsaTestClient
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (sect163r1 key signed with RSA)"
# Generating an EC certificate involves the following main steps
# 1. Generating curve parameters (if needed)
# 2. Generating a certificate request
# 3. Signing the certificate request
# 4. [Optional] One can combine the cert and private key into a single
# file and also delete the certificate request
$MKDIR -p $CERTS_DIR
$MKDIR -p $KEYS_DIR
$MKDIR -p $COMBO_DIR
echo "GENERATING A TEST SERVER CERTIFICATE (ECC key signed with RSA)"
echo "=============================================================="
$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
-newkey ec:$TEST_SERVER_CURVE.pem -new \
-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
$OPENSSL_CMD x509 -req -days $DAYS \
-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
# Display the certificate
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
# Place the certificate and key in a common file
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
> $COMBO_DIR/$TEST_SERVER_FILE.pem
$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
# Remove the cert request file (no longer needed)
$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
echo "GENERATING A TEST CLIENT CERTIFICATE (ECC key signed with RSA)"
echo "=============================================================="
$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
-newkey ec:$TEST_CLIENT_CURVE.pem -new \
-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
$OPENSSL_CMD x509 -req -days $DAYS \
-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
# Display the certificate
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
# Place the certificate and key in a common file
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
> $COMBO_DIR/$TEST_CLIENT_FILE.pem
$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
# Remove the cert request file (no longer needed)
$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

164
demos/ssltest-ecc/ECCcertgen.sh
View File

@ -1,164 +0,0 @@
#!/bin/sh
# For a list of supported curves, use "apps/openssl ecparam -list_curves".
# Path to the openssl distribution
OPENSSL_DIR=../..
# Path to the openssl program
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
# Option to find configuration file
OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
# Directory where certificates are stored
CERTS_DIR=./Certs
# Directory where private key files are stored
KEYS_DIR=$CERTS_DIR
# Directory where combo files (containing a certificate and corresponding
# private key together) are stored
COMBO_DIR=$CERTS_DIR
# cat command
CAT=/bin/cat
# rm command
RM=/bin/rm
# mkdir command
MKDIR=/bin/mkdir
# The certificate will expire these many days after the issue date.
DAYS=1500
TEST_CA_CURVE=secp160r1
TEST_CA_FILE=secp160r1TestCA
TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (Elliptic curve secp160r1)"
TEST_SERVER_CURVE=secp160r2
TEST_SERVER_FILE=secp160r2TestServer
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (Elliptic curve secp160r2)"
TEST_CLIENT_CURVE=secp160r2
TEST_CLIENT_FILE=secp160r2TestClient
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (Elliptic curve secp160r2)"
# Generating an EC certificate involves the following main steps
# 1. Generating curve parameters (if needed)
# 2. Generating a certificate request
# 3. Signing the certificate request
# 4. [Optional] One can combine the cert and private key into a single
# file and also delete the certificate request
$MKDIR -p $CERTS_DIR
$MKDIR -p $KEYS_DIR
$MKDIR -p $COMBO_DIR
echo "Generating self-signed CA certificate (on curve $TEST_CA_CURVE)"
echo "==============================================================="
$OPENSSL_CMD ecparam -name $TEST_CA_CURVE -out $TEST_CA_CURVE.pem
# Generate a new certificate request in $TEST_CA_FILE.req.pem. A
# new ecdsa (actually ECC) key pair is generated on the parameters in
# $TEST_CA_CURVE.pem and the private key is saved in $TEST_CA_FILE.key.pem
# WARNING: By using the -nodes option, we force the private key to be
# stored in the clear (rather than encrypted with a password).
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
-keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
-newkey ec:$TEST_CA_CURVE.pem -new \
-out $CERTS_DIR/$TEST_CA_FILE.req.pem
# Sign the certificate request in $TEST_CA_FILE.req.pem using the
# private key in $TEST_CA_FILE.key.pem and include the CA extension.
# Make the certificate valid for 1500 days from the time of signing.
# The certificate is written into $TEST_CA_FILE.cert.pem
$OPENSSL_CMD x509 -req -days $DAYS \
-in $CERTS_DIR/$TEST_CA_FILE.req.pem \
-extfile $OPENSSL_DIR/apps/openssl.cnf \
-extensions v3_ca \
-signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
-out $CERTS_DIR/$TEST_CA_FILE.cert.pem
# Display the certificate
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
# Place the certificate and key in a common file
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
> $COMBO_DIR/$TEST_CA_FILE.pem
$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
# Remove the cert request file (no longer needed)
$RM $CERTS_DIR/$TEST_CA_FILE.req.pem
echo "GENERATING A TEST SERVER CERTIFICATE (on elliptic curve $TEST_SERVER_CURVE)"
echo "=========================================================================="
# Generate parameters for curve $TEST_SERVER_CURVE, if needed
$OPENSSL_CMD ecparam -name $TEST_SERVER_CURVE -out $TEST_SERVER_CURVE.pem
# Generate a new certificate request in $TEST_SERVER_FILE.req.pem. A
# new ecdsa (actually ECC) key pair is generated on the parameters in
# $TEST_SERVER_CURVE.pem and the private key is saved in
# $TEST_SERVER_FILE.key.pem
# WARNING: By using the -nodes option, we force the private key to be
# stored in the clear (rather than encrypted with a password).
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
-newkey ec:$TEST_SERVER_CURVE.pem -new \
-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
# Sign the certificate request in $TEST_SERVER_FILE.req.pem using the
# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
# file for this CA, create one. Make the certificate valid for $DAYS days
# from the time of signing. The certificate is written into
# $TEST_SERVER_FILE.cert.pem
$OPENSSL_CMD x509 -req -days $DAYS \
-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
# Display the certificate
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
# Place the certificate and key in a common file
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
> $COMBO_DIR/$TEST_SERVER_FILE.pem
$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
# Remove the cert request file (no longer needed)
$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
echo "GENERATING A TEST CLIENT CERTIFICATE (on elliptic curve $TEST_CLIENT_CURVE)"
echo "=========================================================================="
# Generate parameters for curve $TEST_CLIENT_CURVE, if needed
$OPENSSL_CMD ecparam -name $TEST_CLIENT_CURVE -out $TEST_CLIENT_CURVE.pem
# Generate a new certificate request in $TEST_CLIENT_FILE.req.pem. A
# new ecdsa (actually ECC) key pair is generated on the parameters in
# $TEST_CLIENT_CURVE.pem and the private key is saved in
# $TEST_CLIENT_FILE.key.pem
# WARNING: By using the -nodes option, we force the private key to be
# stored in the clear (rather than encrypted with a password).
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
-newkey ec:$TEST_CLIENT_CURVE.pem -new \
-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
# Sign the certificate request in $TEST_CLIENT_FILE.req.pem using the
# CA certificate in $TEST_CA_FILE.cert.pem and the CA private key in
# $TEST_CA_FILE.key.pem. Since we do not have an existing serial number
# file for this CA, create one. Make the certificate valid for $DAYS days
# from the time of signing. The certificate is written into
# $TEST_CLIENT_FILE.cert.pem
$OPENSSL_CMD x509 -req -days $DAYS \
-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
# Display the certificate
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
# Place the certificate and key in a common file
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
> $COMBO_DIR/$TEST_CLIENT_FILE.pem
$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
# Remove the cert request file (no longer needed)
$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

15
demos/ssltest-ecc/README
View File

@ -1,15 +0,0 @@
Scripts for using ECC ciphersuites with test/testssl
(these ciphersuites are described in the Internet Draft available at
http://www.ietf.org/internet-drafts/draft-ietf-tls-ecc-03.txt).
Use ECCcertgen.sh, RSAcertgen.sh, ECC-RSAcertgen.sh to generate
root, client and server certs of the following types:
ECC certs signed with ECDSA
RSA certs signed with RSA
ECC certs signed with RSA
Afterwards, you can use ssltest.sh to run the various tests;
specify one of the following options:
aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa

121
demos/ssltest-ecc/RSAcertgen.sh
View File

@ -1,121 +0,0 @@
#!/bin/sh
# For a list of supported curves, use "apps/openssl ecparam -list_curves".
# Path to the openssl distribution
OPENSSL_DIR=../..
# Path to the openssl program
OPENSSL_CMD=$OPENSSL_DIR/apps/openssl
# Option to find configuration file
OPENSSL_CNF="-config $OPENSSL_DIR/apps/openssl.cnf"
# Directory where certificates are stored
CERTS_DIR=./Certs
# Directory where private key files are stored
KEYS_DIR=$CERTS_DIR
# Directory where combo files (containing a certificate and corresponding
# private key together) are stored
COMBO_DIR=$CERTS_DIR
# cat command
CAT=/bin/cat
# rm command
RM=/bin/rm
# mkdir command
MKDIR=/bin/mkdir
# The certificate will expire these many days after the issue date.
DAYS=1500
TEST_CA_FILE=rsa1024TestCA
TEST_CA_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test CA (1024 bit RSA)"
TEST_SERVER_FILE=rsa1024TestServer
TEST_SERVER_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Server (1024 bit RSA)"
TEST_CLIENT_FILE=rsa1024TestClient
TEST_CLIENT_DN="/C=US/ST=CA/L=Mountain View/O=Sun Microsystems, Inc./OU=Sun Microsystems Laboratories/CN=Test Client (1024 bit RSA)"
# Generating an EC certificate involves the following main steps
# 1. Generating curve parameters (if needed)
# 2. Generating a certificate request
# 3. Signing the certificate request
# 4. [Optional] One can combine the cert and private key into a single
# file and also delete the certificate request
$MKDIR -p $CERTS_DIR
$MKDIR -p $KEYS_DIR
$MKDIR -p $COMBO_DIR
echo "Generating self-signed CA certificate (RSA)"
echo "==========================================="
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CA_DN" \
-keyout $KEYS_DIR/$TEST_CA_FILE.key.pem \
-newkey rsa:1024 -new \
-out $CERTS_DIR/$TEST_CA_FILE.req.pem
$OPENSSL_CMD x509 -req -days $DAYS \
-in $CERTS_DIR/$TEST_CA_FILE.req.pem \
-extfile $OPENSSL_DIR/apps/openssl.cnf \
-extensions v3_ca \
-signkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
-out $CERTS_DIR/$TEST_CA_FILE.cert.pem
# Display the certificate
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -text
# Place the certificate and key in a common file
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CA_FILE.cert.pem -issuer -subject \
> $COMBO_DIR/$TEST_CA_FILE.pem
$CAT $KEYS_DIR/$TEST_CA_FILE.key.pem >> $COMBO_DIR/$TEST_CA_FILE.pem
# Remove the cert request file (no longer needed)
$RM $CERTS_DIR/$TEST_CA_FILE.req.pem
echo "GENERATING A TEST SERVER CERTIFICATE (RSA)"
echo "=========================================="
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_SERVER_DN" \
-keyout $KEYS_DIR/$TEST_SERVER_FILE.key.pem \
-newkey rsa:1024 -new \
-out $CERTS_DIR/$TEST_SERVER_FILE.req.pem
$OPENSSL_CMD x509 -req -days $DAYS \
-in $CERTS_DIR/$TEST_SERVER_FILE.req.pem \
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
-out $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -CAcreateserial
# Display the certificate
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -text
# Place the certificate and key in a common file
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_SERVER_FILE.cert.pem -issuer -subject \
> $COMBO_DIR/$TEST_SERVER_FILE.pem
$CAT $KEYS_DIR/$TEST_SERVER_FILE.key.pem >> $COMBO_DIR/$TEST_SERVER_FILE.pem
# Remove the cert request file (no longer needed)
$RM $CERTS_DIR/$TEST_SERVER_FILE.req.pem
echo "GENERATING A TEST CLIENT CERTIFICATE (RSA)"
echo "=========================================="
$OPENSSL_CMD req $OPENSSL_CNF -nodes -subj "$TEST_CLIENT_DN" \
-keyout $KEYS_DIR/$TEST_CLIENT_FILE.key.pem \
-newkey rsa:1024 -new \
-out $CERTS_DIR/$TEST_CLIENT_FILE.req.pem
$OPENSSL_CMD x509 -req -days $DAYS \
-in $CERTS_DIR/$TEST_CLIENT_FILE.req.pem \
-CA $CERTS_DIR/$TEST_CA_FILE.cert.pem \
-CAkey $KEYS_DIR/$TEST_CA_FILE.key.pem \
-out $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -CAcreateserial
# Display the certificate
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -text
# Place the certificate and key in a common file
$OPENSSL_CMD x509 -in $CERTS_DIR/$TEST_CLIENT_FILE.cert.pem -issuer -subject \
> $COMBO_DIR/$TEST_CLIENT_FILE.pem
$CAT $KEYS_DIR/$TEST_CLIENT_FILE.key.pem >> $COMBO_DIR/$TEST_CLIENT_FILE.pem
# Remove the cert request file (no longer needed)
$RM $CERTS_DIR/$TEST_CLIENT_FILE.req.pem

188
demos/ssltest-ecc/ssltest.sh
View File

@ -1,188 +0,0 @@
#! /bin/sh
# Tests ECC cipher suites using ssltest. Requires one argument which could
# be aecdh or ecdh-ecdsa or ecdhe-ecdsa or ecdh-rsa or ecdhe-rsa.
# A second optional argument can be one of ssl2 ssl3 or tls1
if [ "$1" = "" ]; then
(echo "Usage: $0 test [ protocol ]"
echo " where test is one of aecdh, ecdh-ecdsa, ecdhe-ecdsa, ecdh-rsa, ecdhe-rsa"
echo " and protocol (optional) is one of ssl2, ssl3, tls1"
echo "Run RSAcertgen.sh, ECC-RSAcertgen.sh, ECCcertgen.sh first."
) >&2
exit 1
fi
OPENSSL_DIR=../..
CERTS_DIR=./Certs
SSLTEST=$OPENSSL_DIR/test/ssltest
# SSL protocol version to test (one of ssl2 ssl3 or tls1)"
SSLVERSION=
# These don't really require any certificates
AECDH_CIPHER_LIST="AECDH-AES256-SHA AECDH-AES128-SHA AECDH-DES-CBC3-SHA AECDH-RC4-SHA AECDH-NULL-SHA"
# These require ECC certificates signed with ECDSA
# The EC public key must be authorized for key agreement.
ECDH_ECDSA_CIPHER_LIST="ECDH-ECDSA-AES256-SHA ECDH-ECDSA-AES128-SHA ECDH-ECDSA-DES-CBC3-SHA ECDH-ECDSA-RC4-SHA ECDH-ECDSA-NULL-SHA"
# These require ECC certificates.
# The EC public key must be authorized for digital signature.
ECDHE_ECDSA_CIPHER_LIST="ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-NULL-SHA"
# These require ECC certificates signed with RSA.
# The EC public key must be authorized for key agreement.
ECDH_RSA_CIPHER_LIST="ECDH-RSA-AES256-SHA ECDH-RSA-AES128-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-RC4-SHA ECDH-RSA-NULL-SHA"
# These require RSA certificates.
# The RSA public key must be authorized for digital signature.
ECDHE_RSA_CIPHER_LIST="ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-NULL-SHA"
# List of Elliptic curves over which we wish to test generation of
# ephemeral ECDH keys when using AECDH or ECDHE ciphers
# NOTE: secp192r1 = prime192v1 and secp256r1 = prime256v1
#ELLIPTIC_CURVE_LIST="secp112r1 sect113r2 secp128r1 sect131r1 secp160k1 sect163r2 wap-wsg-idm-ecid-wtls7 c2pnb163v3 c2pnb176v3 c2tnb191v3 secp192r1 prime192v3 sect193r2 secp224r1 wap-wsg-idm-ecid-wtls10 sect239k1 prime239v2 secp256r1 prime256v1 sect283k1 secp384r1 sect409r1 secp521r1 sect571r1"
ELLIPTIC_CURVE_LIST="sect163k1 sect163r1 sect163r2 sect193r1 sect193r2 sect233k1 sect233r1 sect239k1 sect283k1 sect283r1 sect409k1 sect409r1 sect571k1 sect571r1 secp160k1 secp160r1 secp160r2 secp192k1 prime192v1 secp224k1 secp224r1 secp256k1 prime256v1 secp384r1 secp521r1"
DEFAULT_CURVE="sect163r2"
if [ "$2" = "" ]; then
if [ "$SSL_VERSION" = "" ]; then
SSL_VERSION=""
else
SSL_VERSION="-$SSL_VERSION"
fi
else
SSL_VERSION="-$2"
fi
#==============================================================
# Anonymous cipher suites do not require key or certificate files
# but ssltest expects a cert file and complains if it can't
# open the default one.
SERVER_PEM=$OPENSSL_DIR/apps/server.pem
if [ "$1" = "aecdh" ]; then
for cipher in $AECDH_CIPHER_LIST
do
echo "Testing $cipher"
$SSLTEST $SSL_VERSION -cert $SERVER_PEM -cipher $cipher
done
#--------------------------------------------------------------
for curve in $ELLIPTIC_CURVE_LIST
do
echo "Testing AECDH-NULL-SHA (with $curve)"
$SSLTEST $SSL_VERSION -cert $SERVER_PEM \
-named_curve $curve -cipher AECDH-NULL-SHA
done
for curve in $ELLIPTIC_CURVE_LIST
do
echo "Testing AECDH-RC4-SHA (with $curve)"
$SSLTEST $SSL_VERSION -cert $SERVER_PEM \
-named_curve $curve -cipher AECDH-RC4-SHA
done
fi
#==============================================================
# Both ECDH-ECDSA and ECDHE-ECDSA cipher suites require
# the server to have an ECC certificate signed with ECDSA.
CA_PEM=$CERTS_DIR/secp160r1TestCA.pem
SERVER_PEM=$CERTS_DIR/secp160r2TestServer.pem
CLIENT_PEM=$CERTS_DIR/secp160r2TestClient.pem
if [ "$1" = "ecdh-ecdsa" ]; then
for cipher in $ECDH_ECDSA_CIPHER_LIST
do
echo "Testing $cipher (with server authentication)"
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-cipher $cipher
echo "Testing $cipher (with server and client authentication)"
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-c_cert $CLIENT_PEM -client_auth \
-cipher $cipher
done
fi
#==============================================================
if [ "$1" = "ecdhe-ecdsa" ]; then
for cipher in $ECDHE_ECDSA_CIPHER_LIST
do
echo "Testing $cipher (with server authentication)"
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-cipher $cipher -named_curve $DEFAULT_CURVE
echo "Testing $cipher (with server and client authentication)"
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-c_cert $CLIENT_PEM -client_auth \
-cipher $cipher -named_curve $DEFAULT_CURVE
done
#--------------------------------------------------------------
for curve in $ELLIPTIC_CURVE_LIST
do
echo "Testing ECDHE-ECDSA-AES128-SHA (2-way auth with $curve)"
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-c_cert $CLIENT_PEM -client_auth \
-cipher ECDHE-ECDSA-AES128-SHA -named_curve $curve
done
fi
#==============================================================
# ECDH-RSA cipher suites require the server to have an ECC
# certificate signed with RSA.
CA_PEM=$CERTS_DIR/rsa1024TestCA.pem
SERVER_PEM=$CERTS_DIR/sect163r1-rsaTestServer.pem
CLIENT_PEM=$CERTS_DIR/sect163r1-rsaTestClient.pem
if [ "$1" = "ecdh-rsa" ]; then
for cipher in $ECDH_RSA_CIPHER_LIST
do
echo "Testing $cipher (with server authentication)"
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-cipher $cipher
echo "Testing $cipher (with server and client authentication)"
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-c_cert $CLIENT_PEM -client_auth \
-cipher $cipher
done
fi
#==============================================================
# ECDHE-RSA cipher suites require the server to have an RSA cert.
CA_PEM=$CERTS_DIR/rsa1024TestCA.pem
SERVER_PEM=$CERTS_DIR/rsa1024TestServer.pem
CLIENT_PEM=$CERTS_DIR/rsa1024TestClient.pem
if [ "$1" = "ecdhe-rsa" ]; then
for cipher in $ECDHE_RSA_CIPHER_LIST
do
echo "Testing $cipher (with server authentication)"
echo $SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-cipher $cipher -named_curve $DEFAULT_CURVE
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-cipher $cipher -named_curve $DEFAULT_CURVE
echo "Testing $cipher (with server and client authentication)"
$SSLTEST $SSL_VERSION -CAfile $CA_PEM \
-cert $SERVER_PEM -server_auth \
-c_cert $CLIENT_PEM -client_auth \
-cipher $cipher -named_curve $DEFAULT_CURVE
done
fi
#==============================================================

10
demos/state_machine/Makefile.in
View File

@ -1,10 +0,0 @@
CFLAGS=-I../../include -Wall -Werror -g
all: state_machine
state_machine: state_machine.o
$(CC) -o state_machine state_machine.o -L../.. -lssl -lcrypto
test: state_machine
./state_machine 10000 ../../apps/server.pem ../../apps/server.pem
# DO NOT DELETE THIS LINE -- make depend depends on it.

405
demos/state_machine/state_machine.c
View File

@ -1,405 +0,0 @@
/* ====================================================================
* Copyright (c) 2000 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
/*
* Nuron, a leader in hardware encryption technology, generously
* sponsored the development of this demo by Ben Laurie.
*
* See http://www.nuron.com/.
*/
/*
* the aim of this demo is to provide a fully working state-machine
* style SSL implementation, i.e. one where the main loop acquires
* some data, then converts it from or to SSL by feeding it into the
* SSL state machine. It then does any I/O required by the state machine
* and loops.
*
* In order to keep things as simple as possible, this implementation
* listens on a TCP socket, which it expects to get an SSL connection
* on (for example, from s_client) and from then on writes decrypted
* data to stdout and encrypts anything arriving on stdin. Verbose
* commentary is written to stderr.
*
* This implementation acts as a server, but it can also be done for a client. */
#include <openssl/ssl.h>
#include <assert.h>
#include <unistd.h>
#include <string.h>
#include <openssl/err.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
/*
* die_unless is intended to work like assert, except that it happens always,
* even if NDEBUG is defined. Use assert as a stopgap.
*/
#define die_unless(x) assert(x)
typedef struct {
SSL_CTX *pCtx;
BIO *pbioRead;
BIO *pbioWrite;
SSL *pSSL;
} SSLStateMachine;
void SSLStateMachine_print_error(SSLStateMachine * pMachine,
const char *szErr)
{
unsigned long l;
fprintf(stderr, "%s\n", szErr);
while ((l = ERR_get_error())) {
char buf[1024];
ERR_error_string_n(l, buf, sizeof buf);
fprintf(stderr, "Error %lx: %s\n", l, buf);
}
}
SSLStateMachine *SSLStateMachine_new(const char *szCertificateFile,
const char *szKeyFile)
{
SSLStateMachine *pMachine = malloc(sizeof(*pMachine));
int n;
die_unless(pMachine);
pMachine->pCtx = SSL_CTX_new(TLS_server_method());
die_unless(pMachine->pCtx);
n = SSL_CTX_use_certificate_file(pMachine->pCtx, szCertificateFile,
SSL_FILETYPE_PEM);
die_unless(n > 0);
n = SSL_CTX_use_PrivateKey_file(pMachine->pCtx, szKeyFile,
SSL_FILETYPE_PEM);
die_unless(n > 0);
pMachine->pSSL = SSL_new(pMachine->pCtx);
die_unless(pMachine->pSSL);
pMachine->pbioRead = BIO_new(BIO_s_mem());
pMachine->pbioWrite = BIO_new(BIO_s_mem());
SSL_set_bio(pMachine->pSSL, pMachine->pbioRead, pMachine->pbioWrite);
SSL_set_accept_state(pMachine->pSSL);
return pMachine;
}
void SSLStateMachine_read_inject(SSLStateMachine * pMachine,
const unsigned char *aucBuf, int nBuf)
{
int n = BIO_write(pMachine->pbioRead, aucBuf, nBuf);
/*
* If it turns out this assert fails, then buffer the data here and just
* feed it in in churn instead. Seems to me that it should be guaranteed
* to succeed, though.
*/
assert(n == nBuf);
fprintf(stderr, "%d bytes of encrypted data fed to state machine\n", n);
}
int SSLStateMachine_read_extract(SSLStateMachine * pMachine,
unsigned char *aucBuf, int nBuf)
{
int n;
if (!SSL_is_init_finished(pMachine->pSSL)) {
fprintf(stderr, "Doing SSL_accept\n");
n = SSL_accept(pMachine->pSSL);
if (n == 0)
fprintf(stderr, "SSL_accept returned zero\n");
if (n < 0) {
int err;
if ((err =
SSL_get_error(pMachine->pSSL, n)) == SSL_ERROR_WANT_READ) {
fprintf(stderr, "SSL_accept wants more data\n");
return 0;
}
SSLStateMachine_print_error(pMachine, "SSL_accept error");
exit(7);
}
return 0;
}
n = SSL_read(pMachine->pSSL, aucBuf, nBuf);
if (n < 0) {
int err = SSL_get_error(pMachine->pSSL, n);
if (err == SSL_ERROR_WANT_READ) {
fprintf(stderr, "SSL_read wants more data\n");
return 0;
}
SSLStateMachine_print_error(pMachine, "SSL_read error");
exit(8);
}
fprintf(stderr, "%d bytes of decrypted data read from state machine\n",
n);
return n;
}
int SSLStateMachine_write_can_extract(SSLStateMachine * pMachine)
{
int n = BIO_pending(pMachine->pbioWrite);
if (n)
fprintf(stderr, "There is encrypted data available to write\n");
else
fprintf(stderr, "There is no encrypted data available to write\n");
return n;
}
int SSLStateMachine_write_extract(SSLStateMachine * pMachine,
unsigned char *aucBuf, int nBuf)
{
int n;
n = BIO_read(pMachine->pbioWrite, aucBuf, nBuf);
fprintf(stderr, "%d bytes of encrypted data read from state machine\n",
n);
return n;
}
void SSLStateMachine_write_inject(SSLStateMachine * pMachine,
const unsigned char *aucBuf, int nBuf)
{
int n = SSL_write(pMachine->pSSL, aucBuf, nBuf);
/*
* If it turns out this assert fails, then buffer the data here and just
* feed it in in churn instead. Seems to me that it should be guaranteed
* to succeed, though.
*/
assert(n == nBuf);
fprintf(stderr, "%d bytes of unencrypted data fed to state machine\n", n);
}
int OpenSocket(int nPort)
{
int nSocket;
struct sockaddr_in saServer;
struct sockaddr_in saClient;
int one = 1;
int nSize;
int nFD;
int nLen;
nSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (nSocket < 0) {
perror("socket");
exit(1);
}
if (setsockopt
(nSocket, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof one) < 0) {
perror("setsockopt");
exit(2);
}
memset(&saServer, 0, sizeof(saServer));
saServer.sin_family = AF_INET;
saServer.sin_port = htons(nPort);
nSize = sizeof saServer;
if (bind(nSocket, (struct sockaddr *)&saServer, nSize) < 0) {
perror("bind");
exit(3);
}
if (listen(nSocket, 512) < 0) {
perror("listen");
exit(4);
}
nLen = sizeof saClient;
nFD = accept(nSocket, (struct sockaddr *)&saClient, &nLen);
if (nFD < 0) {
perror("accept");
exit(5);
}
fprintf(stderr, "Incoming accepted on port %d\n", nPort);
return nFD;
}
int main(int argc, char **argv)
{
SSLStateMachine *pMachine;
int nPort;
int nFD;
const char *szCertificateFile;
const char *szKeyFile;
char rbuf[1];
int nrbuf = 0;
if (argc != 4) {
fprintf(stderr, "%s <port> <certificate file> <key file>\n", argv[0]);
exit(6);
}
nPort = atoi(argv[1]);
szCertificateFile = argv[2];
szKeyFile = argv[3];
OpenSSL_add_ssl_algorithms();
SSL_load_error_strings();
nFD = OpenSocket(nPort);
pMachine = SSLStateMachine_new(szCertificateFile, szKeyFile);
for (;;) {
fd_set rfds, wfds;
unsigned char buf[1024];
int n;
FD_ZERO(&rfds);
FD_ZERO(&wfds);
/* Select socket for input */
FD_SET(nFD, &rfds);
/* check whether there's decrypted data */
if (!nrbuf)
nrbuf = SSLStateMachine_read_extract(pMachine, rbuf, 1);
/* if there's decrypted data, check whether we can write it */
if (nrbuf)
FD_SET(1, &wfds);
/* Select socket for output */
if (SSLStateMachine_write_can_extract(pMachine))
FD_SET(nFD, &wfds);
/* Select stdin for input */
FD_SET(0, &rfds);
/* Wait for something to do something */
n = select(nFD + 1, &rfds, &wfds, NULL, NULL);
assert(n > 0);
/* Socket is ready for input */
if (FD_ISSET(nFD, &rfds)) {
n = read(nFD, buf, sizeof buf);
if (n == 0) {
fprintf(stderr, "Got EOF on socket\n");
exit(0);
}
assert(n > 0);
SSLStateMachine_read_inject(pMachine, buf, n);
}
/* stdout is ready for output (and hence we have some to send it) */
if (FD_ISSET(1, &wfds)) {
assert(nrbuf == 1);
buf[0] = rbuf[0];
nrbuf = 0;
n = SSLStateMachine_read_extract(pMachine, buf + 1,
sizeof buf - 1);
if (n < 0) {
SSLStateMachine_print_error(pMachine, "read extract failed");
break;
}
assert(n >= 0);
++n;
if (n > 0) { /* FIXME: has to be true now */
int w;
w = write(1, buf, n);
/* FIXME: we should push back any unwritten data */
assert(w == n);
}
}
/*
* Socket is ready for output (and therefore we have output to send)
*/
if (FD_ISSET(nFD, &wfds)) {
int w;
n = SSLStateMachine_write_extract(pMachine, buf, sizeof buf);
assert(n > 0);
w = write(nFD, buf, n);
/* FIXME: we should push back any unwritten data */
assert(w == n);
}
/* Stdin is ready for input */
if (FD_ISSET(0, &rfds)) {
n = read(0, buf, sizeof buf);
if (n == 0) {
fprintf(stderr, "Got EOF on stdin\n");
exit(0);
}
assert(n > 0);
SSLStateMachine_write_inject(pMachine, buf, n);
}
}
/* not reached */
return 0;
}

7
demos/threads/README
View File

@ -1,7 +0,0 @@
This shows how to set up the OpenSSL callbacks for use in
multi-threaded programs.
Two implementations, one for Win32 native and one for pthreads, are provided
in th-lock.c A test program is in mttest.c
Build scripts are in pthread.sh and win32.bat

773
demos/threads/mttest.c
View File

@ -1,773 +0,0 @@
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef LINUX
# include <typedefs.h>
#endif
#ifdef OPENSSL_SYS_WIN32
# include <windows.h>
#endif
#ifdef PTHREADS
# include <pthread.h>
#endif
#include <openssl/lhash.h>
#include <openssl/crypto.h>
#include <openssl/buffer.h>
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#define TEST_SERVER_CERT "../../apps/server.pem"
#define TEST_CLIENT_CERT "../../apps/client.pem"
#define MAX_THREAD_NUMBER 100
int verify_callback(int ok, X509_STORE_CTX *xs);
void thread_setup(void);
void thread_cleanup(void);
void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx);
void win32_locking_callback(int mode, int type, const char *file, int line);
void pthreads_locking_callback(int mode, int type, const char *file, int line);
void irix_thread_id(CRYPTO_THREADID *tid);
void pthreads_thread_id(CRYPTO_THREADID *tid);
BIO *bio_err = NULL;
BIO *bio_stdout = NULL;
static char *cipher = NULL;
int verbose = 0;
#ifdef FIONBIO
static int s_nbio = 0;
#endif
int thread_number = 10;
int number_of_loops = 10;
int reconnect = 0;
int cache_stats = 0;
static const char rnd_seed[] =
"string to make the random number generator think it has entropy";
int doit(char *ctx[4]);
static void print_stats(BIO *bio, SSL_CTX *ctx)
{
BIO_printf(bio, "%4ld items in the session cache\n",
SSL_CTX_sess_number(ctx));
BIO_printf(bio, "%4d client connects (SSL_connect())\n",
SSL_CTX_sess_connect(ctx));
BIO_printf(bio, "%4d client connects that finished\n",
SSL_CTX_sess_connect_good(ctx));
BIO_printf(bio, "%4d server connects (SSL_accept())\n",
SSL_CTX_sess_accept(ctx));
BIO_printf(bio, "%4d server connects that finished\n",
SSL_CTX_sess_accept_good(ctx));
BIO_printf(bio, "%4d session cache hits\n", SSL_CTX_sess_hits(ctx));
BIO_printf(bio, "%4d session cache misses\n", SSL_CTX_sess_misses(ctx));
BIO_printf(bio, "%4d session cache timeouts\n", SSL_CTX_sess_timeouts(ctx));
}
static void sv_usage(void)
{
BIO_printf(bio_err, "usage: ssltest [args ...]\n");
BIO_printf(bio_err, "\n");
BIO_printf(bio_err, " -server_auth - check server certificate\n");
BIO_printf(bio_err, " -client_auth - do client authentication\n");
BIO_printf(bio_err, " -v - more output\n");
BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err, " -threads arg - number of threads\n");
BIO_printf(bio_err, " -loops arg - number of 'connections', per thread\n");
BIO_printf(bio_err, " -reconnect - reuse session-id's\n");
BIO_printf(bio_err, " -stats - server session-id cache stats\n");
BIO_printf(bio_err, " -cert arg - server certificate/key\n");
BIO_printf(bio_err, " -ccert arg - client certificate/key\n");
BIO_printf(bio_err, " -ssl3 - just SSLv3n\n");
}
int main(int argc, char *argv[])
{
char *CApath = NULL, *CAfile = NULL;
int badop = 0;
int ret = 1;
int client_auth = 0;
int server_auth = 0;
SSL_CTX *s_ctx = NULL;
SSL_CTX *c_ctx = NULL;
char *scert = TEST_SERVER_CERT;
char *ccert = TEST_CLIENT_CERT;
const SSL_METHOD *ssl_method = TLS_method();
RAND_seed(rnd_seed, sizeof rnd_seed);
if (bio_err == NULL)
bio_err = BIO_new_fd(2, BIO_NOCLOSE);
if (bio_stdout == NULL)
bio_stdout = BIO_new_fd(1, BIO_NOCLOSE);
argc--;
argv++;
while (argc >= 1) {
if (strcmp(*argv, "-server_auth") == 0)
server_auth = 1;
else if (strcmp(*argv, "-client_auth") == 0)
client_auth = 1;
else if (strcmp(*argv, "-reconnect") == 0)
reconnect = 1;
else if (strcmp(*argv, "-stats") == 0)
cache_stats = 1;
else if (strcmp(*argv, "-ssl3") == 0)
ssl_method = SSLv3_method();
else if (strcmp(*argv, "-CApath") == 0) {
if (--argc < 1)
goto bad;
CApath = *(++argv);
} else if (strcmp(*argv, "-CAfile") == 0) {
if (--argc < 1)
goto bad;
CAfile = *(++argv);
} else if (strcmp(*argv, "-cert") == 0) {
if (--argc < 1)
goto bad;
scert = *(++argv);
} else if (strcmp(*argv, "-ccert") == 0) {
if (--argc < 1)
goto bad;
ccert = *(++argv);
} else if (strcmp(*argv, "-threads") == 0) {
if (--argc < 1)
goto bad;
thread_number = atoi(*(++argv));
if (thread_number == 0)
thread_number = 1;
if (thread_number > MAX_THREAD_NUMBER)
thread_number = MAX_THREAD_NUMBER;
} else if (strcmp(*argv, "-loops") == 0) {
if (--argc < 1)
goto bad;
number_of_loops = atoi(*(++argv));
if (number_of_loops == 0)
number_of_loops = 1;
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badop = 1;
break;
}
argc--;
argv++;
}
if (badop) {
bad:
sv_usage();
goto end;
}
if (cipher == NULL && OPENSSL_issetugid() == 0)
cipher = getenv("SSL_CIPHER");
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
c_ctx = SSL_CTX_new(ssl_method);
s_ctx = SSL_CTX_new(ssl_method);
if ((c_ctx == NULL) || (s_ctx == NULL)) {
ERR_print_errors(bio_err);
goto end;
}
SSL_CTX_set_session_cache_mode(s_ctx,
SSL_SESS_CACHE_NO_AUTO_CLEAR |
SSL_SESS_CACHE_SERVER);
SSL_CTX_set_session_cache_mode(c_ctx,
SSL_SESS_CACHE_NO_AUTO_CLEAR |
SSL_SESS_CACHE_SERVER);
if (!SSL_CTX_use_certificate_file(s_ctx, scert, SSL_FILETYPE_PEM)) {
BIO_printf(bio_err, "SSL_CTX_use_certificate_file (%s)\n", scert);
ERR_print_errors(bio_err);
goto end;
} else
if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx, scert, SSL_FILETYPE_PEM)) {
BIO_printf(bio_err, "SSL_CTX_use_RSAPrivateKey_file (%s)\n", scert);
ERR_print_errors(bio_err);
goto end;
}
if (client_auth) {
SSL_CTX_use_certificate_file(c_ctx, ccert, SSL_FILETYPE_PEM);
SSL_CTX_use_RSAPrivateKey_file(c_ctx, ccert, SSL_FILETYPE_PEM);
}
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(c_ctx))) {
BIO_printf(bio_err, "SSL_load_verify_locations\n");
ERR_print_errors(bio_err);
goto end;
}
if (client_auth) {
BIO_printf(bio_err, "client authentication\n");
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
}
if (server_auth) {
BIO_printf(bio_err, "server authentication\n");
SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
}
thread_setup();
do_threads(s_ctx, c_ctx);
thread_cleanup();
end:
if (c_ctx != NULL) {
BIO_printf(bio_err, "Client SSL_CTX stats then free it\n");
print_stats(bio_err, c_ctx);
SSL_CTX_free(c_ctx);
}
if (s_ctx != NULL) {
BIO_printf(bio_err, "Server SSL_CTX stats then free it\n");
print_stats(bio_err, s_ctx);
if (cache_stats) {
BIO_printf(bio_err, "-----\n");
lh_SSL_SESSION_stats_bio(SSL_CTX_sessions(s_ctx), bio_err);
BIO_printf(bio_err, "-----\n");
/*- lh_SSL_SESSION_node_stats_bio(SSL_CTX_sessions(s_ctx),bio_err);
BIO_printf(bio_err,"-----\n"); */
lh_SSL_SESSION_node_usage_stats_bio(SSL_CTX_sessions(s_ctx), bio_err);
BIO_printf(bio_err, "-----\n");
}
SSL_CTX_free(s_ctx);
BIO_printf(bio_err, "done free\n");
}
exit(ret);
return (0);
}
#define W_READ 1
#define W_WRITE 2
#define C_DONE 1
#define S_DONE 2
int ndoit(SSL_CTX *ssl_ctx[2])
{
int i;
int ret;
char *ctx[4];
CRYPTO_THREADID thread_id;
ctx[0] = (char *)ssl_ctx[0];
ctx[1] = (char *)ssl_ctx[1];
if (reconnect) {
ctx[2] = (char *)SSL_new(ssl_ctx[0]);
ctx[3] = (char *)SSL_new(ssl_ctx[1]);
} else {
ctx[2] = NULL;
ctx[3] = NULL;
}
CRYPTO_THREADID_current(&thread_id);
BIO_printf(bio_stdout, "started thread %lu\n",
CRYPTO_THREADID_hash(&thread_id));
for (i = 0; i < number_of_loops; i++) {
/*- BIO_printf(bio_err,"%4d %2d ctx->ref (%3d,%3d)\n",
CRYPTO_THREADID_hash(&thread_id),i,
ssl_ctx[0]->references,
ssl_ctx[1]->references); */
/* pthread_delay_np(&tm); */
ret = doit(ctx);
if (ret != 0) {
BIO_printf(bio_stdout, "error[%d] %lu - %d\n",
i, CRYPTO_THREADID_hash(&thread_id), ret);
return (ret);
}
}
BIO_printf(bio_stdout, "DONE %lu\n", CRYPTO_THREADID_hash(&thread_id));
if (reconnect) {
SSL_free((SSL *)ctx[2]);
SSL_free((SSL *)ctx[3]);
}
return (0);
}
int doit(char *ctx[4])
{
SSL_CTX *s_ctx, *c_ctx;
static char cbuf[200], sbuf[200];
SSL *c_ssl = NULL;
SSL *s_ssl = NULL;
BIO *c_to_s = NULL;
BIO *s_to_c = NULL;
BIO *c_bio = NULL;
BIO *s_bio = NULL;
int c_r, c_w, s_r, s_w;
int c_want, s_want;
int i;
int done = 0;
int c_write, s_write;
int do_server = 0, do_client = 0;
s_ctx = (SSL_CTX *)ctx[0];
c_ctx = (SSL_CTX *)ctx[1];
if (ctx[2] != NULL)
s_ssl = (SSL *)ctx[2];
else
s_ssl = SSL_new(s_ctx);
if (ctx[3] != NULL)
c_ssl = (SSL *)ctx[3];
else
c_ssl = SSL_new(c_ctx);
if ((s_ssl == NULL) || (c_ssl == NULL))
goto err;
c_to_s = BIO_new(BIO_s_mem());
s_to_c = BIO_new(BIO_s_mem());
if ((s_to_c == NULL) || (c_to_s == NULL))
goto err;
c_bio = BIO_new(BIO_f_ssl());
s_bio = BIO_new(BIO_f_ssl());
if ((c_bio == NULL) || (s_bio == NULL))
goto err;
SSL_set_connect_state(c_ssl);
SSL_set_bio(c_ssl, s_to_c, c_to_s);
BIO_set_ssl(c_bio, c_ssl, (ctx[2] == NULL) ? BIO_CLOSE : BIO_NOCLOSE);
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl, c_to_s, s_to_c);
BIO_set_ssl(s_bio, s_ssl, (ctx[3] == NULL) ? BIO_CLOSE : BIO_NOCLOSE);
c_r = 0;
s_r = 1;
c_w = 1;
s_w = 0;
c_want = W_WRITE;
s_want = 0;
c_write = 1, s_write = 0;
/* We can always do writes */
for (;;) {
do_server = 0;
do_client = 0;
i = (int)BIO_pending(s_bio);
if ((i && s_r) || s_w)
do_server = 1;
i = (int)BIO_pending(c_bio);
if ((i && c_r) || c_w)
do_client = 1;
if (do_server && verbose) {
if (SSL_in_init(s_ssl))
BIO_printf(bio_stdout, "server waiting in SSL_accept - %s\n",
SSL_state_string_long(s_ssl));
else if (s_write)
BIO_printf(bio_stdout, "server:SSL_write()\n");
else
BIO_printf(bio_stdout, "server:SSL_read()\n");
}
if (do_client && verbose) {
if (SSL_in_init(c_ssl))
BIO_printf(bio_stdout, "client waiting in SSL_connect - %s\n",
SSL_state_string_long(c_ssl));
else if (c_write)
BIO_printf(bio_stdout, "client:SSL_write()\n");
else
BIO_printf(bio_stdout, "client:SSL_read()\n");
}
if (!do_client && !do_server) {
BIO_printf(bio_stdout, "ERROR IN STARTUP\n");
break;
}
if (do_client && !(done & C_DONE)) {
if (c_write) {
i = BIO_write(c_bio, "hello from client\n", 18);
if (i < 0) {
c_r = 0;
c_w = 0;
if (BIO_should_retry(c_bio)) {
if (BIO_should_read(c_bio))
c_r = 1;
if (BIO_should_write(c_bio))
c_w = 1;
} else {
BIO_printf(bio_err, "ERROR in CLIENT\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
BIO_printf(bio_err, "SSL CLIENT STARTUP FAILED\n");
return (1);
} else {
/* ok */
c_write = 0;
}
} else {
i = BIO_read(c_bio, cbuf, 100);
if (i < 0) {
c_r = 0;
c_w = 0;
if (BIO_should_retry(c_bio)) {
if (BIO_should_read(c_bio))
c_r = 1;
if (BIO_should_write(c_bio))
c_w = 1;
} else {
BIO_printf(bio_err, "ERROR in CLIENT\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
BIO_printf(bio_err, "SSL CLIENT STARTUP FAILED\n");
return (1);
} else {
done |= C_DONE;
}
}
}
if (do_server && !(done & S_DONE)) {
if (!s_write) {
i = BIO_read(s_bio, sbuf, 100);
if (i < 0) {
s_r = 0;
s_w = 0;
if (BIO_should_retry(s_bio)) {
if (BIO_should_read(s_bio))
s_r = 1;
if (BIO_should_write(s_bio))
s_w = 1;
} else {
BIO_printf(bio_err, "ERROR in SERVER\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
BIO_printf(bio_err, "SSL SERVER STARTUP FAILED\n");
return (1);
} else {
s_write = 1;
s_w = 1;
}
} else {
i = BIO_write(s_bio, "hello from server\n", 18);
if (i < 0) {
s_r = 0;
s_w = 0;
if (BIO_should_retry(s_bio)) {
if (BIO_should_read(s_bio))
s_r = 1;
if (BIO_should_write(s_bio))
s_w = 1;
} else {
BIO_printf(bio_err, "ERROR in SERVER\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
BIO_printf(bio_err, "SSL SERVER STARTUP FAILED\n");
return (1);
} else {
s_write = 0;
s_r = 1;
done |= S_DONE;
}
}
}
if ((done & S_DONE) && (done & C_DONE))
break;
}
SSL_set_shutdown(c_ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
SSL_set_shutdown(s_ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
err:
#if 0
/*
* We have to set the BIO's to NULL otherwise they will be free()ed
* twice. Once when th s_ssl is SSL_free()ed and again when c_ssl is
* SSL_free()ed. This is a hack required because s_ssl and c_ssl are
* sharing the same BIO structure and SSL_set_bio() and SSL_free()
* automatically BIO_free non NULL entries. You should not normally do
* this or be required to do this
*/
if (s_ssl != NULL) {
s_ssl->rbio = NULL;
s_ssl->wbio = NULL;
}
if (c_ssl != NULL) {
c_ssl->rbio = NULL;
c_ssl->wbio = NULL;
}
/* The SSL's are optionally freed in the following calls */
BIO_free(c_to_s);
BIO_free(s_to_c);
#endif
BIO_free(c_bio);
BIO_free(s_bio);
return (0);
}
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
char *s, buf[256];
if (verbose) {
s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
buf, 256);
if (s != NULL) {
if (ok)
BIO_printf(bio_err, "depth=%d %s\n", ctx->error_depth, buf);
else
BIO_printf(bio_err, "depth=%d error=%d %s\n",
ctx->error_depth, ctx->error, buf);
}
}
return (ok);
}
#define THREAD_STACK_SIZE (16*1024)
#ifdef OPENSSL_SYS_WIN32
static HANDLE *lock_cs;
void thread_setup(void)
{
int i;
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE));
for (i = 0; i < CRYPTO_num_locks(); i++) {
lock_cs[i] = CreateMutex(NULL, FALSE, NULL);
}
CRYPTO_set_locking_callback((void (*)(int, int, char *, int))
win32_locking_callback);
/* id callback defined */
}
void thread_cleanup(void)
{
int i;
CRYPTO_set_locking_callback(NULL);
for (i = 0; i < CRYPTO_num_locks(); i++)
CloseHandle(lock_cs[i]);
OPENSSL_free(lock_cs);
}
void win32_locking_callback(int mode, int type, const char *file, int line)
{
if (mode & CRYPTO_LOCK) {
WaitForSingleObject(lock_cs[type], INFINITE);
} else {
ReleaseMutex(lock_cs[type]);
}
}
void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
{
double ret;
SSL_CTX *ssl_ctx[2];
DWORD thread_id[MAX_THREAD_NUMBER];
HANDLE thread_handle[MAX_THREAD_NUMBER];
int i;
SYSTEMTIME start, end;
ssl_ctx[0] = s_ctx;
ssl_ctx[1] = c_ctx;
GetSystemTime(&start);
for (i = 0; i < thread_number; i++) {
thread_handle[i] = CreateThread(NULL,
THREAD_STACK_SIZE,
(LPTHREAD_START_ROUTINE) ndoit,
(void *)ssl_ctx, 0L, &(thread_id[i]));
}
BIO_printf(bio_stdout, "reaping\n");
for (i = 0; i < thread_number; i += 50) {
int j;
j = (thread_number < (i + 50)) ? (thread_number - i) : 50;
if (WaitForMultipleObjects(j,
(CONST HANDLE *) & (thread_handle[i]),
TRUE, INFINITE)
== WAIT_FAILED) {
BIO_printf(bio_err, "WaitForMultipleObjects failed:%d\n",
GetLastError());
exit(1);
}
}
GetSystemTime(&end);
if (start.wDayOfWeek > end.wDayOfWeek)
end.wDayOfWeek += 7;
ret = (end.wDayOfWeek - start.wDayOfWeek) * 24;
ret = (ret + end.wHour - start.wHour) * 60;
ret = (ret + end.wMinute - start.wMinute) * 60;
ret = (ret + end.wSecond - start.wSecond);
ret += (end.wMilliseconds - start.wMilliseconds) / 1000.0;
BIO_printf(bio_stdout, "win32 threads done - %.3f seconds\n", ret);
}
#endif /* OPENSSL_SYS_WIN32 */
#ifdef PTHREADS
static pthread_mutex_t *lock_cs;
static long *lock_count;
void thread_setup(void)
{
int i;
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
for (i = 0; i < CRYPTO_num_locks(); i++) {
lock_count[i] = 0;
pthread_mutex_init(&(lock_cs[i]), NULL);
}
CRYPTO_THREADID_set_callback(pthreads_thread_id);
CRYPTO_set_locking_callback(pthreads_locking_callback);
}
void thread_cleanup(void)
{
int i;
CRYPTO_set_locking_callback(NULL);
BIO_printf(bio_err, "cleanup\n");
for (i = 0; i < CRYPTO_num_locks(); i++) {
pthread_mutex_destroy(&(lock_cs[i]));
BIO_printf(bio_err, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
}
OPENSSL_free(lock_cs);
OPENSSL_free(lock_count);
BIO_printf(bio_err, "done cleanup\n");
}
void pthreads_locking_callback(int mode, int type, const char *file, int line)
{
if (mode & CRYPTO_LOCK) {
pthread_mutex_lock(&(lock_cs[type]));
lock_count[type]++;
} else {
pthread_mutex_unlock(&(lock_cs[type]));
}
}
void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx)
{
SSL_CTX *ssl_ctx[2];
pthread_t thread_ctx[MAX_THREAD_NUMBER];
int i;
ssl_ctx[0] = s_ctx;
ssl_ctx[1] = c_ctx;
for (i = 0; i < thread_number; i++) {
pthread_create(&(thread_ctx[i]), NULL,
(void *(*)())ndoit, (void *)ssl_ctx);
}
BIO_printf(bio_stdout, "reaping\n");
for (i = 0; i < thread_number; i++) {
pthread_join(thread_ctx[i], NULL);
}
#if 0 /* We can't currently find out the reference amount */
BIO_printf(bio_stdout, "pthreads threads done (%d,%d)\n",
s_ctx->references, c_ctx->references);
#else
BIO_printf(bio_stdout, "pthreads threads done\n");
#endif
}
void pthreads_thread_id(CRYPTO_THREADID *tid)
{
CRYPTO_THREADID_set_numeric(tid, (unsigned long)pthread_self());
}
#endif /* PTHREADS */

6
demos/threads/pthread.sh
View File

@ -1,6 +0,0 @@
#!/bin/sh
#
# build using pthreads where it's already built into the system
#
/bin/rm -f mttest
gcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto -lpthread -ldl

194
demos/threads/th-lock.c
View File

@ -1,194 +0,0 @@
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#ifdef LINUX
# include <typedefs.h>
#endif
#ifdef OPENSSL_SYS_WIN32
# include <windows.h>
#endif
#ifdef PTHREADS
# include <pthread.h>
#endif
#include <openssl/lhash.h>
#include <openssl/crypto.h>
#include <openssl/buffer.h>
#include "../../e_os.h"
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
void CRYPTO_thread_setup(void);
void CRYPTO_thread_cleanup(void);
static void win32_locking_callback(int mode, int type, char *file, int line);
static void pthreads_locking_callback(int mode, int type, char *file, int line);
static unsigned long pthreads_thread_id(void);
/*-
* usage:
* CRYPTO_thread_setup();
* application code
* CRYPTO_thread_cleanup();
*/
#ifdef OPENSSL_SYS_WIN32
static HANDLE *lock_cs;
void CRYPTO_thread_setup(void)
{
int i;
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE));
if (!lock_cs) {
/* Nothing we can do about this...void function! */
return;
}
for (i = 0; i < CRYPTO_num_locks(); i++) {
lock_cs[i] = CreateMutex(NULL, FALSE, NULL);
}
CRYPTO_set_locking_callback((void (*)(int, int, char *, int))
win32_locking_callback);
/* id callback defined */
return (1);
}
static void CRYPTO_thread_cleanup(void)
{
int i;
CRYPTO_set_locking_callback(NULL);
for (i = 0; i < CRYPTO_num_locks(); i++)
CloseHandle(lock_cs[i]);
OPENSSL_free(lock_cs);
}
void win32_locking_callback(int mode, int type, char *file, int line)
{
if (mode & CRYPTO_LOCK) {
WaitForSingleObject(lock_cs[type], INFINITE);
} else {
ReleaseMutex(lock_cs[type]);
}
}
#endif /* OPENSSL_SYS_WIN32 */
/* Linux and a few others */
#ifdef PTHREADS
static pthread_mutex_t *lock_cs;
static long *lock_count;
void CRYPTO_thread_setup(void)
{
int i;
lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t));
lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
if (!lock_cs || !lock_count) {
/* Nothing we can do about this...void function! */
OPENSSL_free(lock_cs);
OPENSSL_free(lock_count);
return;
}
for (i = 0; i < CRYPTO_num_locks(); i++) {
lock_count[i] = 0;
pthread_mutex_init(&(lock_cs[i]), NULL);
}
CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
}
void thread_cleanup(void)
{
int i;
CRYPTO_set_locking_callback(NULL);
for (i = 0; i < CRYPTO_num_locks(); i++) {
pthread_mutex_destroy(&(lock_cs[i]));
}
OPENSSL_free(lock_cs);
OPENSSL_free(lock_count);
}
void pthreads_locking_callback(int mode, int type, char *file, int line)
{
if (mode & CRYPTO_LOCK) {
pthread_mutex_lock(&(lock_cs[type]));
lock_count[type]++;
} else {
pthread_mutex_unlock(&(lock_cs[type]));
}
}
unsigned long pthreads_thread_id(void)
{
unsigned long ret;
ret = (unsigned long)pthread_self();
return (ret);
}
#endif /* PTHREADS */

4
demos/threads/win32.bat
View File

@ -1,4 +0,0 @@
del mttest.exe
cl /O2 -DWIN32 /MD -I..\..\out mttest.c /Femttest ..\..\out\ssleay32.lib ..\..\out\libeay32.lib

3
demos/x509/README
View File

@ -1,3 +0,0 @@
This directory contains examples of how to construct
various X509 structures. Certificates, certificate requests
and CRLs.

169
demos/x509/mkcert.c
View File

@ -1,169 +0,0 @@
/*
* Certificate creation. Demonstrates some certificate related operations.
*/
#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#endif
int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
int add_ext(X509 *cert, int nid, char *value);
int main(int argc, char **argv)
{
BIO *bio_err;
X509 *x509 = NULL;
EVP_PKEY *pkey = NULL;
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
mkcert(&x509, &pkey, 512, 0, 365);
RSA_print_fp(stdout, pkey->pkey.rsa, 0);
X509_print_fp(stdout, x509);
PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL);
PEM_write_X509(stdout, x509);
X509_free(x509);
EVP_PKEY_free(pkey);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
CRYPTO_mem_leaks(bio_err);
BIO_free(bio_err);
return (0);
}
static void callback(int p, int n, void *arg)
{
char c = 'B';
if (p == 0)
c = '.';
if (p == 1)
c = '+';
if (p == 2)
c = '*';
if (p == 3)
c = '\n';
fputc(c, stderr);
}
int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days)
{
X509 *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name = NULL;
if ((pkeyp == NULL) || (*pkeyp == NULL)) {
if ((pk = EVP_PKEY_new()) == NULL) {
abort();
return (0);
}
} else
pk = *pkeyp;
if ((x509p == NULL) || (*x509p == NULL)) {
if ((x = X509_new()) == NULL)
goto err;
} else
x = *x509p;
rsa = RSA_generate_key(bits, RSA_F4, callback, NULL);
if (!EVP_PKEY_assign_RSA(pk, rsa)) {
abort();
goto err;
}
rsa = NULL;
X509_set_version(x, 2);
ASN1_INTEGER_set(X509_get_serialNumber(x), serial);
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days);
X509_set_pubkey(x, pk);
name = X509_get_subject_name(x);
/*
* This function creates and adds the entry, working out the correct
* string type and performing checks on its length. Normally we'd check
* the return value for errors...
*/
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, "UK", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN",
MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
/*
* Its self signed so set the issuer name to be the same as the subject.
*/
X509_set_issuer_name(x, name);
/* Add various extensions: standard extensions */
add_ext(x, NID_basic_constraints, "critical,CA:TRUE");
add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign");
add_ext(x, NID_subject_key_identifier, "hash");
/* Some Netscape specific extensions */
add_ext(x, NID_netscape_cert_type, "sslCA");
add_ext(x, NID_netscape_comment, "example comment extension");
#ifdef CUSTOM_EXT
/* Maybe even add our own extension based on existing */
{
int nid;
nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
add_ext(x, nid, "example comment alias");
}
#endif
if (!X509_sign(x, pk, EVP_sha1()))
goto err;
*x509p = x;
*pkeyp = pk;
return (1);
err:
return (0);
}
/*
* Add extension using V3 code: we can set the config file as NULL because we
* wont reference any other sections.
*/
int add_ext(X509 *cert, int nid, char *value)
{
X509_EXTENSION *ex;
X509V3_CTX ctx;
/* This sets the 'context' of the extensions. */
/* No configuration database */
X509V3_set_ctx_nodb(&ctx);
/*
* Issuer and subject certs: both the target since it is self signed, no
* request and no CRL
*/
X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
if (!ex)
return 0;
X509_add_ext(cert, ex, -1);
X509_EXTENSION_free(ex);
return 1;
}

168
demos/x509/mkreq.c
View File

@ -1,168 +0,0 @@
/*
* Certificate request creation. Demonstrates some request related
* operations.
*/
#include <stdio.h>
#include <stdlib.h>
#include <openssl/pem.h>
#include <openssl/conf.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#ifndef OPENSSL_NO_ENGINE
# include <openssl/engine.h>
#endif
int mkreq(X509_REQ **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days);
int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value);
int main(int argc, char **argv)
{
BIO *bio_err;
X509_REQ *req = NULL;
EVP_PKEY *pkey = NULL;
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
mkreq(&req, &pkey, 512, 0, 365);
RSA_print_fp(stdout, pkey->pkey.rsa, 0);
X509_REQ_print_fp(stdout, req);
PEM_write_X509_REQ(stdout, req);
X509_REQ_free(req);
EVP_PKEY_free(pkey);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
CRYPTO_mem_leaks(bio_err);
BIO_free(bio_err);
return (0);
}
static void callback(int p, int n, void *arg)
{
char c = 'B';
if (p == 0)
c = '.';
if (p == 1)
c = '+';
if (p == 2)
c = '*';
if (p == 3)
c = '\n';
fputc(c, stderr);
}
int mkreq(X509_REQ **req, EVP_PKEY **pkeyp, int bits, int serial, int days)
{
X509_REQ *x;
EVP_PKEY *pk;
RSA *rsa;
X509_NAME *name = NULL;
STACK_OF(X509_EXTENSION) *exts = NULL;
if ((pk = EVP_PKEY_new()) == NULL)
goto err;
if ((x = X509_REQ_new()) == NULL)
goto err;
rsa = RSA_generate_key(bits, RSA_F4, callback, NULL);
if (!EVP_PKEY_assign_RSA(pk, rsa))
goto err;
rsa = NULL;
X509_REQ_set_pubkey(x, pk);
name = X509_REQ_get_subject_name(x);
/*
* This function creates and adds the entry, working out the correct
* string type and performing checks on its length. Normally we'd check
* the return value for errors...
*/
X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, "UK", -1, -1, 0);
X509_NAME_add_entry_by_txt(name, "CN",
MBSTRING_ASC, "OpenSSL Group", -1, -1, 0);
#ifdef REQUEST_EXTENSIONS
/*
* Certificate requests can contain extensions, which can be used to
* indicate the extensions the requestor would like added to their
* certificate. CAs might ignore them however or even choke if they are
* present.
*/
/*
* For request extensions they are all packed in a single attribute. We
* save them in a STACK and add them all at once later...
*/
exts = sk_X509_EXTENSION_new_null();
/* Standard extenions */
add_ext(exts, NID_key_usage, "critical,digitalSignature,keyEncipherment");
/*
* This is a typical use for request extensions: requesting a value for
* subject alternative name.
*/
add_ext(exts, NID_subject_alt_name, "email:steve@openssl.org");
/* Some Netscape specific extensions */
add_ext(exts, NID_netscape_cert_type, "client,email");
# ifdef CUSTOM_EXT
/* Maybe even add our own extension based on existing */
{
int nid;
nid = OBJ_create("1.2.3.4", "MyAlias", "My Test Alias Extension");
X509V3_EXT_add_alias(nid, NID_netscape_comment);
add_ext(x, nid, "example comment alias");
}
# endif
/* Now we've created the extensions we add them to the request */
X509_REQ_add_extensions(x, exts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
#endif
if (!X509_REQ_sign(x, pk, EVP_sha1()))
goto err;
*req = x;
*pkeyp = pk;
return (1);
err:
return (0);
}
/*
* Add extension using V3 code: we can set the config file as NULL because we
* wont reference any other sections.
*/
int add_ext(STACK_OF(X509_EXTENSION) *sk, int nid, char *value)
{
X509_EXTENSION *ex;
ex = X509V3_EXT_conf_nid(NULL, NULL, nid, value);
if (!ex)
return 0;
sk_X509_EXTENSION_push(sk, ex);
return 1;
}