=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/pkeyutl.c,v retrieving revision 1.18 retrieving revision 1.19 diff -c -r1.18 -r1.19 *** src/usr.bin/openssl/pkeyutl.c 2023/03/05 13:12:53 1.18 --- src/usr.bin/openssl/pkeyutl.c 2023/03/06 14:32:06 1.19 *************** *** 1,4 **** ! /* $OpenBSD: pkeyutl.c,v 1.18 2023/03/05 13:12:53 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ --- 1,4 ---- ! /* $OpenBSD: pkeyutl.c,v 1.19 2023/03/06 14:32:06 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ *************** *** 82,88 **** int pkey_op; int rev; char *sigfile; ! } pkeyutl_config; static void pkeyutl_usage(void); --- 82,88 ---- int pkey_op; int rev; char *sigfile; ! } cfg; static void pkeyutl_usage(void); *************** *** 101,148 **** .name = "asn1parse", .desc = "ASN.1 parse the output data", .type = OPTION_FLAG, ! .opt.flag = &pkeyutl_config.asn1parse, }, { .name = "certin", .desc = "Input is a certificate containing a public key", .type = OPTION_VALUE, .value = KEY_CERT, ! .opt.value = &pkeyutl_config.key_type, }, { .name = "decrypt", .desc = "Decrypt the input data using a private key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_DECRYPT, ! .opt.value = &pkeyutl_config.pkey_op, }, { .name = "derive", .desc = "Derive a shared secret using the peer key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_DERIVE, ! .opt.value = &pkeyutl_config.pkey_op, }, { .name = "encrypt", .desc = "Encrypt the input data using a public key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_ENCRYPT, ! .opt.value = &pkeyutl_config.pkey_op, }, { .name = "hexdump", .desc = "Hex dump the output data", .type = OPTION_FLAG, ! .opt.flag = &pkeyutl_config.hexdump, }, { .name = "in", .argname = "file", .desc = "Input file (default stdin)", .type = OPTION_ARG, ! .opt.arg = &pkeyutl_config.infile, }, { .name = "inkey", --- 101,148 ---- .name = "asn1parse", .desc = "ASN.1 parse the output data", .type = OPTION_FLAG, ! .opt.flag = &cfg.asn1parse, }, { .name = "certin", .desc = "Input is a certificate containing a public key", .type = OPTION_VALUE, .value = KEY_CERT, ! .opt.value = &cfg.key_type, }, { .name = "decrypt", .desc = "Decrypt the input data using a private key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_DECRYPT, ! .opt.value = &cfg.pkey_op, }, { .name = "derive", .desc = "Derive a shared secret using the peer key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_DERIVE, ! .opt.value = &cfg.pkey_op, }, { .name = "encrypt", .desc = "Encrypt the input data using a public key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_ENCRYPT, ! .opt.value = &cfg.pkey_op, }, { .name = "hexdump", .desc = "Hex dump the output data", .type = OPTION_FLAG, ! .opt.flag = &cfg.hexdump, }, { .name = "in", .argname = "file", .desc = "Input file (default stdin)", .type = OPTION_ARG, ! .opt.arg = &cfg.infile, }, { .name = "inkey", *************** *** 156,183 **** .argname = "fmt", .desc = "Input key format (DER or PEM (default))", .type = OPTION_ARG_FORMAT, ! .opt.value = &pkeyutl_config.keyform, }, { .name = "out", .argname = "file", .desc = "Output file (default stdout)", .type = OPTION_ARG, ! .opt.arg = &pkeyutl_config.outfile, }, { .name = "passin", .argname = "arg", .desc = "Key password source", .type = OPTION_ARG, ! .opt.arg = &pkeyutl_config.passargin, }, { .name = "peerform", .argname = "fmt", .desc = "Input key format (DER or PEM (default))", .type = OPTION_ARG_FORMAT, ! .opt.value = &pkeyutl_config.peerform, }, { .name = "peerkey", --- 156,183 ---- .argname = "fmt", .desc = "Input key format (DER or PEM (default))", .type = OPTION_ARG_FORMAT, ! .opt.value = &cfg.keyform, }, { .name = "out", .argname = "file", .desc = "Output file (default stdout)", .type = OPTION_ARG, ! .opt.arg = &cfg.outfile, }, { .name = "passin", .argname = "arg", .desc = "Key password source", .type = OPTION_ARG, ! .opt.arg = &cfg.passargin, }, { .name = "peerform", .argname = "fmt", .desc = "Input key format (DER or PEM (default))", .type = OPTION_ARG_FORMAT, ! .opt.value = &cfg.peerform, }, { .name = "peerkey", *************** *** 198,238 **** .desc = "Input is a public key", .type = OPTION_VALUE, .value = KEY_PUBKEY, ! .opt.value = &pkeyutl_config.key_type, }, { .name = "rev", .desc = "Reverse the input data", .type = OPTION_FLAG, ! .opt.flag = &pkeyutl_config.rev, }, { .name = "sigfile", .argname = "file", .desc = "Signature file (verify operation only)", .type = OPTION_ARG, ! .opt.arg = &pkeyutl_config.sigfile, }, { .name = "sign", .desc = "Sign the input data using private key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_SIGN, ! .opt.value = &pkeyutl_config.pkey_op, }, { .name = "verify", .desc = "Verify the input data using public key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_VERIFY, ! .opt.value = &pkeyutl_config.pkey_op, }, { .name = "verifyrecover", .desc = "Verify with public key, recover original data", .type = OPTION_VALUE, .value = EVP_PKEY_OP_VERIFYRECOVER, ! .opt.value = &pkeyutl_config.pkey_op, }, {NULL}, --- 198,238 ---- .desc = "Input is a public key", .type = OPTION_VALUE, .value = KEY_PUBKEY, ! .opt.value = &cfg.key_type, }, { .name = "rev", .desc = "Reverse the input data", .type = OPTION_FLAG, ! .opt.flag = &cfg.rev, }, { .name = "sigfile", .argname = "file", .desc = "Signature file (verify operation only)", .type = OPTION_ARG, ! .opt.arg = &cfg.sigfile, }, { .name = "sign", .desc = "Sign the input data using private key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_SIGN, ! .opt.value = &cfg.pkey_op, }, { .name = "verify", .desc = "Verify the input data using public key", .type = OPTION_VALUE, .value = EVP_PKEY_OP_VERIFY, ! .opt.value = &cfg.pkey_op, }, { .name = "verifyrecover", .desc = "Verify with public key, recover original data", .type = OPTION_VALUE, .value = EVP_PKEY_OP_VERIFYRECOVER, ! .opt.value = &cfg.pkey_op, }, {NULL}, *************** *** 268,303 **** exit(1); } ! memset(&pkeyutl_config, 0, sizeof(pkeyutl_config)); ! pkeyutl_config.pkey_op = EVP_PKEY_OP_SIGN; ! pkeyutl_config.key_type = KEY_PRIVKEY; ! pkeyutl_config.keyform = FORMAT_PEM; ! pkeyutl_config.peerform = FORMAT_PEM; ! pkeyutl_config.keysize = -1; if (options_parse(argc, argv, pkeyutl_options, NULL, NULL) != 0) { pkeyutl_usage(); goto end; } ! if (!pkeyutl_config.ctx) { pkeyutl_usage(); goto end; } ! if (pkeyutl_config.sigfile && ! (pkeyutl_config.pkey_op != EVP_PKEY_OP_VERIFY)) { BIO_puts(bio_err, "Signature file specified for non verify\n"); goto end; } ! if (!pkeyutl_config.sigfile && ! (pkeyutl_config.pkey_op == EVP_PKEY_OP_VERIFY)) { BIO_puts(bio_err, "No signature file specified for verify\n"); goto end; } ! if (pkeyutl_config.pkey_op != EVP_PKEY_OP_DERIVE) { ! if (pkeyutl_config.infile) { ! if (!(in = BIO_new_file(pkeyutl_config.infile, "rb"))) { BIO_puts(bio_err, "Error Opening Input File\n"); ERR_print_errors(bio_err); --- 268,303 ---- exit(1); } ! memset(&cfg, 0, sizeof(cfg)); ! cfg.pkey_op = EVP_PKEY_OP_SIGN; ! cfg.key_type = KEY_PRIVKEY; ! cfg.keyform = FORMAT_PEM; ! cfg.peerform = FORMAT_PEM; ! cfg.keysize = -1; if (options_parse(argc, argv, pkeyutl_options, NULL, NULL) != 0) { pkeyutl_usage(); goto end; } ! if (!cfg.ctx) { pkeyutl_usage(); goto end; } ! if (cfg.sigfile && ! (cfg.pkey_op != EVP_PKEY_OP_VERIFY)) { BIO_puts(bio_err, "Signature file specified for non verify\n"); goto end; } ! if (!cfg.sigfile && ! (cfg.pkey_op == EVP_PKEY_OP_VERIFY)) { BIO_puts(bio_err, "No signature file specified for verify\n"); goto end; } ! if (cfg.pkey_op != EVP_PKEY_OP_DERIVE) { ! if (cfg.infile) { ! if (!(in = BIO_new_file(cfg.infile, "rb"))) { BIO_puts(bio_err, "Error Opening Input File\n"); ERR_print_errors(bio_err); *************** *** 306,313 **** } else in = BIO_new_fp(stdin, BIO_NOCLOSE); } ! if (pkeyutl_config.outfile) { ! if (!(out = BIO_new_file(pkeyutl_config.outfile, "wb"))) { BIO_printf(bio_err, "Error Creating Output File\n"); ERR_print_errors(bio_err); goto end; --- 306,313 ---- } else in = BIO_new_fp(stdin, BIO_NOCLOSE); } ! if (cfg.outfile) { ! if (!(out = BIO_new_file(cfg.outfile, "wb"))) { BIO_printf(bio_err, "Error Creating Output File\n"); ERR_print_errors(bio_err); goto end; *************** *** 316,329 **** out = BIO_new_fp(stdout, BIO_NOCLOSE); } ! if (pkeyutl_config.sigfile) { ! BIO *sigbio = BIO_new_file(pkeyutl_config.sigfile, "rb"); if (!sigbio) { BIO_printf(bio_err, "Can't open signature file %s\n", ! pkeyutl_config.sigfile); goto end; } ! siglen = bio_to_mem(&sig, pkeyutl_config.keysize * 10, sigbio); BIO_free(sigbio); if (siglen <= 0) { BIO_printf(bio_err, "Error reading signature data\n"); --- 316,329 ---- out = BIO_new_fp(stdout, BIO_NOCLOSE); } ! if (cfg.sigfile) { ! BIO *sigbio = BIO_new_file(cfg.sigfile, "rb"); if (!sigbio) { BIO_printf(bio_err, "Can't open signature file %s\n", ! cfg.sigfile); goto end; } ! siglen = bio_to_mem(&sig, cfg.keysize * 10, sigbio); BIO_free(sigbio); if (siglen <= 0) { BIO_printf(bio_err, "Error reading signature data\n"); *************** *** 332,343 **** } if (in) { /* Read the input data */ ! buf_inlen = bio_to_mem(&buf_in, pkeyutl_config.keysize * 10, in); if (buf_inlen <= 0) { BIO_printf(bio_err, "Error reading input Data\n"); exit(1); } ! if (pkeyutl_config.rev) { size_t i; unsigned char ctmp; size_t l = (size_t) buf_inlen; --- 332,343 ---- } if (in) { /* Read the input data */ ! buf_inlen = bio_to_mem(&buf_in, cfg.keysize * 10, in); if (buf_inlen <= 0) { BIO_printf(bio_err, "Error reading input Data\n"); exit(1); } ! if (cfg.rev) { size_t i; unsigned char ctmp; size_t l = (size_t) buf_inlen; *************** *** 348,355 **** } } } ! if (pkeyutl_config.pkey_op == EVP_PKEY_OP_VERIFY) { ! rv = EVP_PKEY_verify(pkeyutl_config.ctx, sig, (size_t) siglen, buf_in, (size_t) buf_inlen); if (rv == 1) { BIO_puts(out, "Signature Verified Successfully\n"); --- 348,355 ---- } } } ! if (cfg.pkey_op == EVP_PKEY_OP_VERIFY) { ! rv = EVP_PKEY_verify(cfg.ctx, sig, (size_t) siglen, buf_in, (size_t) buf_inlen); if (rv == 1) { BIO_puts(out, "Signature Verified Successfully\n"); *************** *** 359,373 **** if (rv >= 0) goto end; } else { ! rv = do_keyop(pkeyutl_config.ctx, pkeyutl_config.pkey_op, NULL, (size_t *)&buf_outlen, buf_in, (size_t) buf_inlen); if (rv > 0) { buf_out = malloc(buf_outlen); if (!buf_out) rv = -1; else ! rv = do_keyop(pkeyutl_config.ctx, ! pkeyutl_config.pkey_op, buf_out, (size_t *) & buf_outlen, buf_in, (size_t) buf_inlen); } --- 359,373 ---- if (rv >= 0) goto end; } else { ! rv = do_keyop(cfg.ctx, cfg.pkey_op, NULL, (size_t *)&buf_outlen, buf_in, (size_t) buf_inlen); if (rv > 0) { buf_out = malloc(buf_outlen); if (!buf_out) rv = -1; else ! rv = do_keyop(cfg.ctx, ! cfg.pkey_op, buf_out, (size_t *) & buf_outlen, buf_in, (size_t) buf_inlen); } *************** *** 379,394 **** goto end; } ret = 0; ! if (pkeyutl_config.asn1parse) { if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) ERR_print_errors(bio_err); ! } else if (pkeyutl_config.hexdump) BIO_dump(out, (char *) buf_out, buf_outlen); else BIO_write(out, buf_out, buf_outlen); end: ! EVP_PKEY_CTX_free(pkeyutl_config.ctx); BIO_free(in); BIO_free_all(out); free(buf_in); --- 379,394 ---- goto end; } ret = 0; ! if (cfg.asn1parse) { if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1)) ERR_print_errors(bio_err); ! } else if (cfg.hexdump) BIO_dump(out, (char *) buf_out, buf_outlen); else BIO_write(out, buf_out, buf_outlen); end: ! EVP_PKEY_CTX_free(cfg.ctx); BIO_free(in); BIO_free_all(out); free(buf_in); *************** *** 406,437 **** int rv = -1; X509 *x; ! if (((pkeyutl_config.pkey_op == EVP_PKEY_OP_SIGN) ! || (pkeyutl_config.pkey_op == EVP_PKEY_OP_DECRYPT) ! || (pkeyutl_config.pkey_op == EVP_PKEY_OP_DERIVE)) ! && (pkeyutl_config.key_type != KEY_PRIVKEY)) { BIO_printf(bio_err, "A private key is needed for this operation\n"); goto end; } ! if (!app_passwd(bio_err, pkeyutl_config.passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } ! switch (pkeyutl_config.key_type) { case KEY_PRIVKEY: ! pkey = load_key(bio_err, keyfile, pkeyutl_config.keyform, 0, passin, "Private Key"); break; case KEY_PUBKEY: ! pkey = load_pubkey(bio_err, keyfile, pkeyutl_config.keyform, 0, NULL, "Public Key"); break; case KEY_CERT: ! x = load_cert(bio_err, keyfile, pkeyutl_config.keyform, NULL, "Certificate"); if (x) { pkey = X509_get_pubkey(x); --- 406,437 ---- int rv = -1; X509 *x; ! if (((cfg.pkey_op == EVP_PKEY_OP_SIGN) ! || (cfg.pkey_op == EVP_PKEY_OP_DECRYPT) ! || (cfg.pkey_op == EVP_PKEY_OP_DERIVE)) ! && (cfg.key_type != KEY_PRIVKEY)) { BIO_printf(bio_err, "A private key is needed for this operation\n"); goto end; } ! if (!app_passwd(bio_err, cfg.passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); goto end; } ! switch (cfg.key_type) { case KEY_PRIVKEY: ! pkey = load_key(bio_err, keyfile, cfg.keyform, 0, passin, "Private Key"); break; case KEY_PUBKEY: ! pkey = load_pubkey(bio_err, keyfile, cfg.keyform, 0, NULL, "Public Key"); break; case KEY_CERT: ! x = load_cert(bio_err, keyfile, cfg.keyform, NULL, "Certificate"); if (x) { pkey = X509_get_pubkey(x); *************** *** 440,492 **** break; } ! pkeyutl_config.keysize = EVP_PKEY_size(pkey); if (!pkey) goto end; ! pkeyutl_config.ctx = EVP_PKEY_CTX_new(pkey, NULL); EVP_PKEY_free(pkey); ! if (!pkeyutl_config.ctx) goto end; ! switch (pkeyutl_config.pkey_op) { case EVP_PKEY_OP_SIGN: ! rv = EVP_PKEY_sign_init(pkeyutl_config.ctx); break; case EVP_PKEY_OP_VERIFY: ! rv = EVP_PKEY_verify_init(pkeyutl_config.ctx); break; case EVP_PKEY_OP_VERIFYRECOVER: ! rv = EVP_PKEY_verify_recover_init(pkeyutl_config.ctx); break; case EVP_PKEY_OP_ENCRYPT: ! rv = EVP_PKEY_encrypt_init(pkeyutl_config.ctx); break; case EVP_PKEY_OP_DECRYPT: ! rv = EVP_PKEY_decrypt_init(pkeyutl_config.ctx); break; case EVP_PKEY_OP_DERIVE: ! rv = EVP_PKEY_derive_init(pkeyutl_config.ctx); break; } if (rv <= 0) { ! EVP_PKEY_CTX_free(pkeyutl_config.ctx); ! pkeyutl_config.ctx = NULL; } end: free(passin); ! if (!pkeyutl_config.ctx) { BIO_puts(bio_err, "Error initializing context\n"); ERR_print_errors(bio_err); return (1); --- 440,492 ---- break; } ! cfg.keysize = EVP_PKEY_size(pkey); if (!pkey) goto end; ! cfg.ctx = EVP_PKEY_CTX_new(pkey, NULL); EVP_PKEY_free(pkey); ! if (!cfg.ctx) goto end; ! switch (cfg.pkey_op) { case EVP_PKEY_OP_SIGN: ! rv = EVP_PKEY_sign_init(cfg.ctx); break; case EVP_PKEY_OP_VERIFY: ! rv = EVP_PKEY_verify_init(cfg.ctx); break; case EVP_PKEY_OP_VERIFYRECOVER: ! rv = EVP_PKEY_verify_recover_init(cfg.ctx); break; case EVP_PKEY_OP_ENCRYPT: ! rv = EVP_PKEY_encrypt_init(cfg.ctx); break; case EVP_PKEY_OP_DECRYPT: ! rv = EVP_PKEY_decrypt_init(cfg.ctx); break; case EVP_PKEY_OP_DERIVE: ! rv = EVP_PKEY_derive_init(cfg.ctx); break; } if (rv <= 0) { ! EVP_PKEY_CTX_free(cfg.ctx); ! cfg.ctx = NULL; } end: free(passin); ! if (!cfg.ctx) { BIO_puts(bio_err, "Error initializing context\n"); ERR_print_errors(bio_err); return (1); *************** *** 501,511 **** EVP_PKEY *peer = NULL; int ret; ! if (!pkeyutl_config.ctx) { BIO_puts(bio_err, "-peerkey command before -inkey\n"); return (1); } ! peer = load_pubkey(bio_err, file, pkeyutl_config.peerform, 0, NULL, "Peer Key"); if (!peer) { --- 501,511 ---- EVP_PKEY *peer = NULL; int ret; ! if (!cfg.ctx) { BIO_puts(bio_err, "-peerkey command before -inkey\n"); return (1); } ! peer = load_pubkey(bio_err, file, cfg.peerform, 0, NULL, "Peer Key"); if (!peer) { *************** *** 513,519 **** ERR_print_errors(bio_err); return (1); } ! ret = EVP_PKEY_derive_set_peer(pkeyutl_config.ctx, peer); EVP_PKEY_free(peer); if (ret <= 0) { --- 513,519 ---- ERR_print_errors(bio_err); return (1); } ! ret = EVP_PKEY_derive_set_peer(cfg.ctx, peer); EVP_PKEY_free(peer); if (ret <= 0) { *************** *** 527,536 **** static int pkeyutl_pkeyopt(char *pkeyopt) { ! if (!pkeyutl_config.ctx) { BIO_puts(bio_err, "-pkeyopt command before -inkey\n"); return (1); ! } else if (pkey_ctrl_string(pkeyutl_config.ctx, pkeyopt) <= 0) { BIO_puts(bio_err, "parameter setting error\n"); ERR_print_errors(bio_err); return (1); --- 527,536 ---- static int pkeyutl_pkeyopt(char *pkeyopt) { ! if (!cfg.ctx) { BIO_puts(bio_err, "-pkeyopt command before -inkey\n"); return (1); ! } else if (pkey_ctrl_string(cfg.ctx, pkeyopt) <= 0) { BIO_puts(bio_err, "parameter setting error\n"); ERR_print_errors(bio_err); return (1);