Home | History | Annotate | Download | only in apps
      1 /* apps/apps.c */
      2 /* Copyright (C) 1995-1998 Eric Young (eay (at) cryptsoft.com)
      3  * All rights reserved.
      4  *
      5  * This package is an SSL implementation written
      6  * by Eric Young (eay (at) cryptsoft.com).
      7  * The implementation was written so as to conform with Netscapes SSL.
      8  *
      9  * This library is free for commercial and non-commercial use as long as
     10  * the following conditions are aheared to.  The following conditions
     11  * apply to all code found in this distribution, be it the RC4, RSA,
     12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
     13  * included with this distribution is covered by the same copyright terms
     14  * except that the holder is Tim Hudson (tjh (at) cryptsoft.com).
     15  *
     16  * Copyright remains Eric Young's, and as such any Copyright notices in
     17  * the code are not to be removed.
     18  * If this package is used in a product, Eric Young should be given attribution
     19  * as the author of the parts of the library used.
     20  * This can be in the form of a textual message at program startup or
     21  * in documentation (online or textual) provided with the package.
     22  *
     23  * Redistribution and use in source and binary forms, with or without
     24  * modification, are permitted provided that the following conditions
     25  * are met:
     26  * 1. Redistributions of source code must retain the copyright
     27  *    notice, this list of conditions and the following disclaimer.
     28  * 2. Redistributions in binary form must reproduce the above copyright
     29  *    notice, this list of conditions and the following disclaimer in the
     30  *    documentation and/or other materials provided with the distribution.
     31  * 3. All advertising materials mentioning features or use of this software
     32  *    must display the following acknowledgement:
     33  *    "This product includes cryptographic software written by
     34  *     Eric Young (eay (at) cryptsoft.com)"
     35  *    The word 'cryptographic' can be left out if the rouines from the library
     36  *    being used are not cryptographic related :-).
     37  * 4. If you include any Windows specific code (or a derivative thereof) from
     38  *    the apps directory (application code) you must include an acknowledgement:
     39  *    "This product includes software written by Tim Hudson (tjh (at) cryptsoft.com)"
     40  *
     41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
     42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     51  * SUCH DAMAGE.
     52  *
     53  * The licence and distribution terms for any publically available version or
     54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
     55  * copied and put under another distribution licence
     56  * [including the GNU Public Licence.]
     57  */
     58 /* ====================================================================
     59  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
     60  *
     61  * Redistribution and use in source and binary forms, with or without
     62  * modification, are permitted provided that the following conditions
     63  * are met:
     64  *
     65  * 1. Redistributions of source code must retain the above copyright
     66  *    notice, this list of conditions and the following disclaimer.
     67  *
     68  * 2. Redistributions in binary form must reproduce the above copyright
     69  *    notice, this list of conditions and the following disclaimer in
     70  *    the documentation and/or other materials provided with the
     71  *    distribution.
     72  *
     73  * 3. All advertising materials mentioning features or use of this
     74  *    software must display the following acknowledgment:
     75  *    "This product includes software developed by the OpenSSL Project
     76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
     77  *
     78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     79  *    endorse or promote products derived from this software without
     80  *    prior written permission. For written permission, please contact
     81  *    openssl-core (at) openssl.org.
     82  *
     83  * 5. Products derived from this software may not be called "OpenSSL"
     84  *    nor may "OpenSSL" appear in their names without prior written
     85  *    permission of the OpenSSL Project.
     86  *
     87  * 6. Redistributions of any form whatsoever must retain the following
     88  *    acknowledgment:
     89  *    "This product includes software developed by the OpenSSL Project
     90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
     91  *
     92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    103  * OF THE POSSIBILITY OF SUCH DAMAGE.
    104  * ====================================================================
    105  *
    106  * This product includes cryptographic software written by Eric Young
    107  * (eay (at) cryptsoft.com).  This product includes software written by Tim
    108  * Hudson (tjh (at) cryptsoft.com).
    109  *
    110  */
    111 
    112 #ifndef _POSIX_C_SOURCE
    113 #define _POSIX_C_SOURCE 2	/* On VMS, you need to define this to get
    114 				   the declaration of fileno().  The value
    115 				   2 is to make sure no function defined
    116 				   in POSIX-2 is left undefined. */
    117 #endif
    118 #include <stdio.h>
    119 #include <stdlib.h>
    120 #include <string.h>
    121 #if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
    122 #include <strings.h>
    123 #endif
    124 #include <sys/types.h>
    125 #include <ctype.h>
    126 #include <errno.h>
    127 #include <assert.h>
    128 #include <openssl/err.h>
    129 #include <openssl/x509.h>
    130 #include <openssl/x509v3.h>
    131 #include <openssl/pem.h>
    132 #include <openssl/pkcs12.h>
    133 #include <openssl/ui.h>
    134 #include <openssl/safestack.h>
    135 #ifndef OPENSSL_NO_ENGINE
    136 #include <openssl/engine.h>
    137 #endif
    138 #ifndef OPENSSL_NO_RSA
    139 #include <openssl/rsa.h>
    140 #endif
    141 #include <openssl/bn.h>
    142 #ifndef OPENSSL_NO_JPAKE
    143 #include <openssl/jpake.h>
    144 #endif
    145 
    146 #define NON_MAIN
    147 #include "apps.h"
    148 #undef NON_MAIN
    149 
    150 #ifdef _WIN32
    151 static int WIN32_rename(const char *from, const char *to);
    152 #define rename(from,to) WIN32_rename((from),(to))
    153 #endif
    154 
    155 typedef struct {
    156 	const char *name;
    157 	unsigned long flag;
    158 	unsigned long mask;
    159 } NAME_EX_TBL;
    160 
    161 static UI_METHOD *ui_method = NULL;
    162 
    163 static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl);
    164 static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl);
    165 
    166 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
    167 /* Looks like this stuff is worth moving into separate function */
    168 static EVP_PKEY *
    169 load_netscape_key(BIO *err, BIO *key, const char *file,
    170 		const char *key_descrip, int format);
    171 #endif
    172 
    173 int app_init(long mesgwin);
    174 #ifdef undef /* never finished - probably never will be :-) */
    175 int args_from_file(char *file, int *argc, char **argv[])
    176 	{
    177 	FILE *fp;
    178 	int num,i;
    179 	unsigned int len;
    180 	static char *buf=NULL;
    181 	static char **arg=NULL;
    182 	char *p;
    183 
    184 	fp=fopen(file,"r");
    185 	if (fp == NULL)
    186 		return(0);
    187 
    188 	if (fseek(fp,0,SEEK_END)==0)
    189 		len=ftell(fp), rewind(fp);
    190 	else	len=-1;
    191 	if (len<=0)
    192 		{
    193 		fclose(fp);
    194 		return(0);
    195 		}
    196 
    197 	*argc=0;
    198 	*argv=NULL;
    199 
    200 	if (buf != NULL) OPENSSL_free(buf);
    201 	buf=(char *)OPENSSL_malloc(len+1);
    202 	if (buf == NULL) return(0);
    203 
    204 	len=fread(buf,1,len,fp);
    205 	if (len <= 1) return(0);
    206 	buf[len]='\0';
    207 
    208 	i=0;
    209 	for (p=buf; *p; p++)
    210 		if (*p == '\n') i++;
    211 	if (arg != NULL) OPENSSL_free(arg);
    212 	arg=(char **)OPENSSL_malloc(sizeof(char *)*(i*2));
    213 
    214 	*argv=arg;
    215 	num=0;
    216 	p=buf;
    217 	for (;;)
    218 		{
    219 		if (!*p) break;
    220 		if (*p == '#') /* comment line */
    221 			{
    222 			while (*p && (*p != '\n')) p++;
    223 			continue;
    224 			}
    225 		/* else we have a line */
    226 		*(arg++)=p;
    227 		num++;
    228 		while (*p && ((*p != ' ') && (*p != '\t') && (*p != '\n')))
    229 			p++;
    230 		if (!*p) break;
    231 		if (*p == '\n')
    232 			{
    233 			*(p++)='\0';
    234 			continue;
    235 			}
    236 		/* else it is a tab or space */
    237 		p++;
    238 		while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
    239 			p++;
    240 		if (!*p) break;
    241 		if (*p == '\n')
    242 			{
    243 			p++;
    244 			continue;
    245 			}
    246 		*(arg++)=p++;
    247 		num++;
    248 		while (*p && (*p != '\n')) p++;
    249 		if (!*p) break;
    250 		/* else *p == '\n' */
    251 		*(p++)='\0';
    252 		}
    253 	*argc=num;
    254 	return(1);
    255 	}
    256 #endif
    257 
    258 int str2fmt(char *s)
    259 	{
    260 	if (s == NULL)
    261 		return FORMAT_UNDEF;
    262 	if 	((*s == 'D') || (*s == 'd'))
    263 		return(FORMAT_ASN1);
    264 	else if ((*s == 'T') || (*s == 't'))
    265 		return(FORMAT_TEXT);
    266   	else if ((*s == 'N') || (*s == 'n'))
    267   		return(FORMAT_NETSCAPE);
    268   	else if ((*s == 'S') || (*s == 's'))
    269   		return(FORMAT_SMIME);
    270  	else if ((*s == 'M') || (*s == 'm'))
    271  		return(FORMAT_MSBLOB);
    272 	else if ((*s == '1')
    273 		|| (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)
    274 		|| (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))
    275 		return(FORMAT_PKCS12);
    276 	else if ((*s == 'E') || (*s == 'e'))
    277 		return(FORMAT_ENGINE);
    278 	else if ((*s == 'P') || (*s == 'p'))
    279  		{
    280  		if (s[1] == 'V' || s[1] == 'v')
    281  			return FORMAT_PVK;
    282  		else
    283   			return(FORMAT_PEM);
    284  		}
    285 	else
    286 		return(FORMAT_UNDEF);
    287 	}
    288 
    289 #if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16) || defined(OPENSSL_SYS_NETWARE)
    290 void program_name(char *in, char *out, int size)
    291 	{
    292 	int i,n;
    293 	char *p=NULL;
    294 
    295 	n=strlen(in);
    296 	/* find the last '/', '\' or ':' */
    297 	for (i=n-1; i>0; i--)
    298 		{
    299 		if ((in[i] == '/') || (in[i] == '\\') || (in[i] == ':'))
    300 			{
    301 			p= &(in[i+1]);
    302 			break;
    303 			}
    304 		}
    305 	if (p == NULL)
    306 		p=in;
    307 	n=strlen(p);
    308 
    309 #if defined(OPENSSL_SYS_NETWARE)
    310    /* strip off trailing .nlm if present. */
    311    if ((n > 4) && (p[n-4] == '.') &&
    312       ((p[n-3] == 'n') || (p[n-3] == 'N')) &&
    313       ((p[n-2] == 'l') || (p[n-2] == 'L')) &&
    314       ((p[n-1] == 'm') || (p[n-1] == 'M')))
    315       n-=4;
    316 #else
    317 	/* strip off trailing .exe if present. */
    318 	if ((n > 4) && (p[n-4] == '.') &&
    319 		((p[n-3] == 'e') || (p[n-3] == 'E')) &&
    320 		((p[n-2] == 'x') || (p[n-2] == 'X')) &&
    321 		((p[n-1] == 'e') || (p[n-1] == 'E')))
    322 		n-=4;
    323 #endif
    324 
    325 	if (n > size-1)
    326 		n=size-1;
    327 
    328 	for (i=0; i<n; i++)
    329 		{
    330 		if ((p[i] >= 'A') && (p[i] <= 'Z'))
    331 			out[i]=p[i]-'A'+'a';
    332 		else
    333 			out[i]=p[i];
    334 		}
    335 	out[n]='\0';
    336 	}
    337 #else
    338 #ifdef OPENSSL_SYS_VMS
    339 void program_name(char *in, char *out, int size)
    340 	{
    341 	char *p=in, *q;
    342 	char *chars=":]>";
    343 
    344 	while(*chars != '\0')
    345 		{
    346 		q=strrchr(p,*chars);
    347 		if (q > p)
    348 			p = q + 1;
    349 		chars++;
    350 		}
    351 
    352 	q=strrchr(p,'.');
    353 	if (q == NULL)
    354 		q = p + strlen(p);
    355 	strncpy(out,p,size-1);
    356 	if (q-p >= size)
    357 		{
    358 		out[size-1]='\0';
    359 		}
    360 	else
    361 		{
    362 		out[q-p]='\0';
    363 		}
    364 	}
    365 #else
    366 void program_name(char *in, char *out, int size)
    367 	{
    368 	char *p;
    369 
    370 	p=strrchr(in,'/');
    371 	if (p != NULL)
    372 		p++;
    373 	else
    374 		p=in;
    375 	BUF_strlcpy(out,p,size);
    376 	}
    377 #endif
    378 #endif
    379 
    380 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
    381 	{
    382 	int num,i;
    383 	char *p;
    384 
    385 	*argc=0;
    386 	*argv=NULL;
    387 
    388 	i=0;
    389 	if (arg->count == 0)
    390 		{
    391 		arg->count=20;
    392 		arg->data=(char **)OPENSSL_malloc(sizeof(char *)*arg->count);
    393 		}
    394 	for (i=0; i<arg->count; i++)
    395 		arg->data[i]=NULL;
    396 
    397 	num=0;
    398 	p=buf;
    399 	for (;;)
    400 		{
    401 		/* first scan over white space */
    402 		if (!*p) break;
    403 		while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\n')))
    404 			p++;
    405 		if (!*p) break;
    406 
    407 		/* The start of something good :-) */
    408 		if (num >= arg->count)
    409 			{
    410 			char **tmp_p;
    411 			int tlen = arg->count + 20;
    412 			tmp_p = (char **)OPENSSL_realloc(arg->data,
    413 				sizeof(char *)*tlen);
    414 			if (tmp_p == NULL)
    415 				return 0;
    416 			arg->data  = tmp_p;
    417 			arg->count = tlen;
    418 			/* initialize newly allocated data */
    419 			for (i = num; i < arg->count; i++)
    420 				arg->data[i] = NULL;
    421 			}
    422 		arg->data[num++]=p;
    423 
    424 		/* now look for the end of this */
    425 		if ((*p == '\'') || (*p == '\"')) /* scan for closing quote */
    426 			{
    427 			i= *(p++);
    428 			arg->data[num-1]++; /* jump over quote */
    429 			while (*p && (*p != i))
    430 				p++;
    431 			*p='\0';
    432 			}
    433 		else
    434 			{
    435 			while (*p && ((*p != ' ') &&
    436 				(*p != '\t') && (*p != '\n')))
    437 				p++;
    438 
    439 			if (*p == '\0')
    440 				p--;
    441 			else
    442 				*p='\0';
    443 			}
    444 		p++;
    445 		}
    446 	*argc=num;
    447 	*argv=arg->data;
    448 	return(1);
    449 	}
    450 
    451 #ifndef APP_INIT
    452 int app_init(long mesgwin)
    453 	{
    454 	return(1);
    455 	}
    456 #endif
    457 
    458 
    459 int dump_cert_text (BIO *out, X509 *x)
    460 {
    461 	char *p;
    462 
    463 	p=X509_NAME_oneline(X509_get_subject_name(x),NULL,0);
    464 	BIO_puts(out,"subject=");
    465 	BIO_puts(out,p);
    466 	OPENSSL_free(p);
    467 
    468 	p=X509_NAME_oneline(X509_get_issuer_name(x),NULL,0);
    469 	BIO_puts(out,"\nissuer=");
    470 	BIO_puts(out,p);
    471 	BIO_puts(out,"\n");
    472 	OPENSSL_free(p);
    473 
    474 	return 0;
    475 }
    476 
    477 static int ui_open(UI *ui)
    478 	{
    479 	return UI_method_get_opener(UI_OpenSSL())(ui);
    480 	}
    481 static int ui_read(UI *ui, UI_STRING *uis)
    482 	{
    483 	if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
    484 		&& UI_get0_user_data(ui))
    485 		{
    486 		switch(UI_get_string_type(uis))
    487 			{
    488 		case UIT_PROMPT:
    489 		case UIT_VERIFY:
    490 			{
    491 			const char *password =
    492 				((PW_CB_DATA *)UI_get0_user_data(ui))->password;
    493 			if (password && password[0] != '\0')
    494 				{
    495 				UI_set_result(ui, uis, password);
    496 				return 1;
    497 				}
    498 			}
    499 		default:
    500 			break;
    501 			}
    502 		}
    503 	return UI_method_get_reader(UI_OpenSSL())(ui, uis);
    504 	}
    505 static int ui_write(UI *ui, UI_STRING *uis)
    506 	{
    507 	if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
    508 		&& UI_get0_user_data(ui))
    509 		{
    510 		switch(UI_get_string_type(uis))
    511 			{
    512 		case UIT_PROMPT:
    513 		case UIT_VERIFY:
    514 			{
    515 			const char *password =
    516 				((PW_CB_DATA *)UI_get0_user_data(ui))->password;
    517 			if (password && password[0] != '\0')
    518 				return 1;
    519 			}
    520 		default:
    521 			break;
    522 			}
    523 		}
    524 	return UI_method_get_writer(UI_OpenSSL())(ui, uis);
    525 	}
    526 static int ui_close(UI *ui)
    527 	{
    528 	return UI_method_get_closer(UI_OpenSSL())(ui);
    529 	}
    530 int setup_ui_method(void)
    531 	{
    532 	ui_method = UI_create_method("OpenSSL application user interface");
    533 	UI_method_set_opener(ui_method, ui_open);
    534 	UI_method_set_reader(ui_method, ui_read);
    535 	UI_method_set_writer(ui_method, ui_write);
    536 	UI_method_set_closer(ui_method, ui_close);
    537 	return 0;
    538 	}
    539 void destroy_ui_method(void)
    540 	{
    541 	if(ui_method)
    542 		{
    543 		UI_destroy_method(ui_method);
    544 		ui_method = NULL;
    545 		}
    546 	}
    547 int password_callback(char *buf, int bufsiz, int verify,
    548 	PW_CB_DATA *cb_tmp)
    549 	{
    550 	UI *ui = NULL;
    551 	int res = 0;
    552 	const char *prompt_info = NULL;
    553 	const char *password = NULL;
    554 	PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
    555 
    556 	if (cb_data)
    557 		{
    558 		if (cb_data->password)
    559 			password = cb_data->password;
    560 		if (cb_data->prompt_info)
    561 			prompt_info = cb_data->prompt_info;
    562 		}
    563 
    564 	if (password)
    565 		{
    566 		res = strlen(password);
    567 		if (res > bufsiz)
    568 			res = bufsiz;
    569 		memcpy(buf, password, res);
    570 		return res;
    571 		}
    572 
    573 	ui = UI_new_method(ui_method);
    574 	if (ui)
    575 		{
    576 		int ok = 0;
    577 		char *buff = NULL;
    578 		int ui_flags = 0;
    579 		char *prompt = NULL;
    580 
    581 		prompt = UI_construct_prompt(ui, "pass phrase",
    582 			prompt_info);
    583 
    584 		ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
    585 		UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
    586 
    587 		if (ok >= 0)
    588 			ok = UI_add_input_string(ui,prompt,ui_flags,buf,
    589 				PW_MIN_LENGTH,BUFSIZ-1);
    590 		if (ok >= 0 && verify)
    591 			{
    592 			buff = (char *)OPENSSL_malloc(bufsiz);
    593 			ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
    594 				PW_MIN_LENGTH,BUFSIZ-1, buf);
    595 			}
    596 		if (ok >= 0)
    597 			do
    598 				{
    599 				ok = UI_process(ui);
    600 				}
    601 			while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
    602 
    603 		if (buff)
    604 			{
    605 			OPENSSL_cleanse(buff,(unsigned int)bufsiz);
    606 			OPENSSL_free(buff);
    607 			}
    608 
    609 		if (ok >= 0)
    610 			res = strlen(buf);
    611 		if (ok == -1)
    612 			{
    613 			BIO_printf(bio_err, "User interface error\n");
    614 			ERR_print_errors(bio_err);
    615 			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
    616 			res = 0;
    617 			}
    618 		if (ok == -2)
    619 			{
    620 			BIO_printf(bio_err,"aborted!\n");
    621 			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
    622 			res = 0;
    623 			}
    624 		UI_free(ui);
    625 		OPENSSL_free(prompt);
    626 		}
    627 	return res;
    628 	}
    629 
    630 static char *app_get_pass(BIO *err, char *arg, int keepbio);
    631 
    632 int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
    633 {
    634 	int same;
    635 	if(!arg2 || !arg1 || strcmp(arg1, arg2)) same = 0;
    636 	else same = 1;
    637 	if(arg1) {
    638 		*pass1 = app_get_pass(err, arg1, same);
    639 		if(!*pass1) return 0;
    640 	} else if(pass1) *pass1 = NULL;
    641 	if(arg2) {
    642 		*pass2 = app_get_pass(err, arg2, same ? 2 : 0);
    643 		if(!*pass2) return 0;
    644 	} else if(pass2) *pass2 = NULL;
    645 	return 1;
    646 }
    647 
    648 static char *app_get_pass(BIO *err, char *arg, int keepbio)
    649 {
    650 	char *tmp, tpass[APP_PASS_LEN];
    651 	static BIO *pwdbio = NULL;
    652 	int i;
    653 	if(!strncmp(arg, "pass:", 5)) return BUF_strdup(arg + 5);
    654 	if(!strncmp(arg, "env:", 4)) {
    655 		tmp = getenv(arg + 4);
    656 		if(!tmp) {
    657 			BIO_printf(err, "Can't read environment variable %s\n", arg + 4);
    658 			return NULL;
    659 		}
    660 		return BUF_strdup(tmp);
    661 	}
    662 	if(!keepbio || !pwdbio) {
    663 		if(!strncmp(arg, "file:", 5)) {
    664 			pwdbio = BIO_new_file(arg + 5, "r");
    665 			if(!pwdbio) {
    666 				BIO_printf(err, "Can't open file %s\n", arg + 5);
    667 				return NULL;
    668 			}
    669 #if !defined(_WIN32)
    670 		/*
    671 		 * Under _WIN32, which covers even Win64 and CE, file
    672 		 * descriptors referenced by BIO_s_fd are not inherited
    673 		 * by child process and therefore below is not an option.
    674 		 * It could have been an option if bss_fd.c was operating
    675 		 * on real Windows descriptors, such as those obtained
    676 		 * with CreateFile.
    677 		 */
    678 		} else if(!strncmp(arg, "fd:", 3)) {
    679 			BIO *btmp;
    680 			i = atoi(arg + 3);
    681 			if(i >= 0) pwdbio = BIO_new_fd(i, BIO_NOCLOSE);
    682 			if((i < 0) || !pwdbio) {
    683 				BIO_printf(err, "Can't access file descriptor %s\n", arg + 3);
    684 				return NULL;
    685 			}
    686 			/* Can't do BIO_gets on an fd BIO so add a buffering BIO */
    687 			btmp = BIO_new(BIO_f_buffer());
    688 			pwdbio = BIO_push(btmp, pwdbio);
    689 #endif
    690 		} else if(!strcmp(arg, "stdin")) {
    691 			pwdbio = BIO_new_fp(stdin, BIO_NOCLOSE);
    692 			if(!pwdbio) {
    693 				BIO_printf(err, "Can't open BIO for stdin\n");
    694 				return NULL;
    695 			}
    696 		} else {
    697 			BIO_printf(err, "Invalid password argument \"%s\"\n", arg);
    698 			return NULL;
    699 		}
    700 	}
    701 	i = BIO_gets(pwdbio, tpass, APP_PASS_LEN);
    702 	if(keepbio != 1) {
    703 		BIO_free_all(pwdbio);
    704 		pwdbio = NULL;
    705 	}
    706 	if(i <= 0) {
    707 		BIO_printf(err, "Error reading password from BIO\n");
    708 		return NULL;
    709 	}
    710 	tmp = strchr(tpass, '\n');
    711 	if(tmp) *tmp = 0;
    712 	return BUF_strdup(tpass);
    713 }
    714 
    715 int add_oid_section(BIO *err, CONF *conf)
    716 {
    717 	char *p;
    718 	STACK_OF(CONF_VALUE) *sktmp;
    719 	CONF_VALUE *cnf;
    720 	int i;
    721 	if(!(p=NCONF_get_string(conf,NULL,"oid_section")))
    722 		{
    723 		ERR_clear_error();
    724 		return 1;
    725 		}
    726 	if(!(sktmp = NCONF_get_section(conf, p))) {
    727 		BIO_printf(err, "problem loading oid section %s\n", p);
    728 		return 0;
    729 	}
    730 	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
    731 		cnf = sk_CONF_VALUE_value(sktmp, i);
    732 		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
    733 			BIO_printf(err, "problem creating object %s=%s\n",
    734 							 cnf->name, cnf->value);
    735 			return 0;
    736 		}
    737 	}
    738 	return 1;
    739 }
    740 
    741 static int load_pkcs12(BIO *err, BIO *in, const char *desc,
    742 		pem_password_cb *pem_cb,  void *cb_data,
    743 		EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca)
    744 	{
    745  	const char *pass;
    746 	char tpass[PEM_BUFSIZE];
    747 	int len, ret = 0;
    748 	PKCS12 *p12;
    749 	p12 = d2i_PKCS12_bio(in, NULL);
    750 	if (p12 == NULL)
    751 		{
    752 		BIO_printf(err, "Error loading PKCS12 file for %s\n", desc);
    753 		goto die;
    754 		}
    755 	/* See if an empty password will do */
    756 	if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0))
    757 		pass = "";
    758 	else
    759 		{
    760 		if (!pem_cb)
    761 			pem_cb = (pem_password_cb *)password_callback;
    762 		len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data);
    763 		if (len < 0)
    764 			{
    765 			BIO_printf(err, "Passpharse callback error for %s\n",
    766 					desc);
    767 			goto die;
    768 			}
    769 		if (len < PEM_BUFSIZE)
    770 			tpass[len] = 0;
    771 		if (!PKCS12_verify_mac(p12, tpass, len))
    772 			{
    773 			BIO_printf(err,
    774 	"Mac verify error (wrong password?) in PKCS12 file for %s\n", desc);
    775 			goto die;
    776 			}
    777 		pass = tpass;
    778 		}
    779 	ret = PKCS12_parse(p12, pass, pkey, cert, ca);
    780 	die:
    781 	if (p12)
    782 		PKCS12_free(p12);
    783 	return ret;
    784 	}
    785 
    786 X509 *load_cert(BIO *err, const char *file, int format,
    787 	const char *pass, ENGINE *e, const char *cert_descrip)
    788 	{
    789 	X509 *x=NULL;
    790 	BIO *cert;
    791 
    792 	if ((cert=BIO_new(BIO_s_file())) == NULL)
    793 		{
    794 		ERR_print_errors(err);
    795 		goto end;
    796 		}
    797 
    798 	if (file == NULL)
    799 		{
    800 #ifdef _IONBF
    801 # ifndef OPENSSL_NO_SETVBUF_IONBF
    802 		setvbuf(stdin, NULL, _IONBF, 0);
    803 # endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
    804 #endif
    805 		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
    806 		}
    807 	else
    808 		{
    809 		if (BIO_read_filename(cert,file) <= 0)
    810 			{
    811 			BIO_printf(err, "Error opening %s %s\n",
    812 				cert_descrip, file);
    813 			ERR_print_errors(err);
    814 			goto end;
    815 			}
    816 		}
    817 
    818 	if 	(format == FORMAT_ASN1)
    819 		x=d2i_X509_bio(cert,NULL);
    820 	else if (format == FORMAT_NETSCAPE)
    821 		{
    822 		NETSCAPE_X509 *nx;
    823 		nx=ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509),cert,NULL);
    824 		if (nx == NULL)
    825 				goto end;
    826 
    827 		if ((strncmp(NETSCAPE_CERT_HDR,(char *)nx->header->data,
    828 			nx->header->length) != 0))
    829 			{
    830 			NETSCAPE_X509_free(nx);
    831 			BIO_printf(err,"Error reading header on certificate\n");
    832 			goto end;
    833 			}
    834 		x=nx->cert;
    835 		nx->cert = NULL;
    836 		NETSCAPE_X509_free(nx);
    837 		}
    838 	else if (format == FORMAT_PEM)
    839 		x=PEM_read_bio_X509_AUX(cert,NULL,
    840 			(pem_password_cb *)password_callback, NULL);
    841 	else if (format == FORMAT_PKCS12)
    842 		{
    843 		if (!load_pkcs12(err, cert,cert_descrip, NULL, NULL,
    844 					NULL, &x, NULL))
    845 			goto end;
    846 		}
    847 	else	{
    848 		BIO_printf(err,"bad input format specified for %s\n",
    849 			cert_descrip);
    850 		goto end;
    851 		}
    852 end:
    853 	if (x == NULL)
    854 		{
    855 		BIO_printf(err,"unable to load certificate\n");
    856 		ERR_print_errors(err);
    857 		}
    858 	if (cert != NULL) BIO_free(cert);
    859 	return(x);
    860 	}
    861 
    862 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
    863 	const char *pass, ENGINE *e, const char *key_descrip)
    864 	{
    865 	BIO *key=NULL;
    866 	EVP_PKEY *pkey=NULL;
    867 	PW_CB_DATA cb_data;
    868 
    869 	cb_data.password = pass;
    870 	cb_data.prompt_info = file;
    871 
    872 	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
    873 		{
    874 		BIO_printf(err,"no keyfile specified\n");
    875 		goto end;
    876 		}
    877 #ifndef OPENSSL_NO_ENGINE
    878 	if (format == FORMAT_ENGINE)
    879 		{
    880 		if (!e)
    881 			BIO_printf(err,"no engine specified\n");
    882 		else
    883 			{
    884 			pkey = ENGINE_load_private_key(e, file,
    885 				ui_method, &cb_data);
    886 			if (!pkey)
    887 				{
    888 				BIO_printf(err,"cannot load %s from engine\n",key_descrip);
    889 				ERR_print_errors(err);
    890 				}
    891 			}
    892 		goto end;
    893 		}
    894 #endif
    895 	key=BIO_new(BIO_s_file());
    896 	if (key == NULL)
    897 		{
    898 		ERR_print_errors(err);
    899 		goto end;
    900 		}
    901 	if (file == NULL && maybe_stdin)
    902 		{
    903 #ifdef _IONBF
    904 # ifndef OPENSSL_NO_SETVBUF_IONBF
    905 		setvbuf(stdin, NULL, _IONBF, 0);
    906 # endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
    907 #endif
    908 		BIO_set_fp(key,stdin,BIO_NOCLOSE);
    909 		}
    910 	else
    911 		if (BIO_read_filename(key,file) <= 0)
    912 			{
    913 			BIO_printf(err, "Error opening %s %s\n",
    914 				key_descrip, file);
    915 			ERR_print_errors(err);
    916 			goto end;
    917 			}
    918 	if (format == FORMAT_ASN1)
    919 		{
    920 		pkey=d2i_PrivateKey_bio(key, NULL);
    921 		}
    922 	else if (format == FORMAT_PEM)
    923 		{
    924 		pkey=PEM_read_bio_PrivateKey(key,NULL,
    925 			(pem_password_cb *)password_callback, &cb_data);
    926 		}
    927 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
    928 	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
    929 		pkey = load_netscape_key(err, key, file, key_descrip, format);
    930 #endif
    931 	else if (format == FORMAT_PKCS12)
    932 		{
    933 		if (!load_pkcs12(err, key, key_descrip,
    934 				(pem_password_cb *)password_callback, &cb_data,
    935 				&pkey, NULL, NULL))
    936 			goto end;
    937 		}
    938 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA) && !defined (OPENSSL_NO_RC4)
    939 	else if (format == FORMAT_MSBLOB)
    940 		pkey = b2i_PrivateKey_bio(key);
    941 	else if (format == FORMAT_PVK)
    942 		pkey = b2i_PVK_bio(key, (pem_password_cb *)password_callback,
    943 								&cb_data);
    944 #endif
    945 	else
    946 		{
    947 		BIO_printf(err,"bad input format specified for key file\n");
    948 		goto end;
    949 		}
    950  end:
    951 	if (key != NULL) BIO_free(key);
    952 	if (pkey == NULL)
    953 		{
    954 		BIO_printf(err,"unable to load %s\n", key_descrip);
    955 		ERR_print_errors(err);
    956 		}
    957 	return(pkey);
    958 	}
    959 
    960 EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
    961 	const char *pass, ENGINE *e, const char *key_descrip)
    962 	{
    963 	BIO *key=NULL;
    964 	EVP_PKEY *pkey=NULL;
    965 	PW_CB_DATA cb_data;
    966 
    967 	cb_data.password = pass;
    968 	cb_data.prompt_info = file;
    969 
    970 	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
    971 		{
    972 		BIO_printf(err,"no keyfile specified\n");
    973 		goto end;
    974 		}
    975 #ifndef OPENSSL_NO_ENGINE
    976 	if (format == FORMAT_ENGINE)
    977 		{
    978 		if (!e)
    979 			BIO_printf(bio_err,"no engine specified\n");
    980 		else
    981 			pkey = ENGINE_load_public_key(e, file,
    982 				ui_method, &cb_data);
    983 		goto end;
    984 		}
    985 #endif
    986 	key=BIO_new(BIO_s_file());
    987 	if (key == NULL)
    988 		{
    989 		ERR_print_errors(err);
    990 		goto end;
    991 		}
    992 	if (file == NULL && maybe_stdin)
    993 		{
    994 #ifdef _IONBF
    995 # ifndef OPENSSL_NO_SETVBUF_IONBF
    996 		setvbuf(stdin, NULL, _IONBF, 0);
    997 # endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
    998 #endif
    999 		BIO_set_fp(key,stdin,BIO_NOCLOSE);
   1000 		}
   1001 	else
   1002 		if (BIO_read_filename(key,file) <= 0)
   1003 			{
   1004 			BIO_printf(err, "Error opening %s %s\n",
   1005 				key_descrip, file);
   1006 			ERR_print_errors(err);
   1007 			goto end;
   1008 		}
   1009 	if (format == FORMAT_ASN1)
   1010 		{
   1011 		pkey=d2i_PUBKEY_bio(key, NULL);
   1012 		}
   1013 #ifndef OPENSSL_NO_RSA
   1014 	else if (format == FORMAT_ASN1RSA)
   1015 		{
   1016 		RSA *rsa;
   1017 		rsa = d2i_RSAPublicKey_bio(key, NULL);
   1018 		if (rsa)
   1019 			{
   1020 			pkey = EVP_PKEY_new();
   1021 			if (pkey)
   1022 				EVP_PKEY_set1_RSA(pkey, rsa);
   1023 			RSA_free(rsa);
   1024 			}
   1025 		else
   1026 			pkey = NULL;
   1027 		}
   1028 	else if (format == FORMAT_PEMRSA)
   1029 		{
   1030 		RSA *rsa;
   1031 		rsa = PEM_read_bio_RSAPublicKey(key, NULL,
   1032 			(pem_password_cb *)password_callback, &cb_data);
   1033 		if (rsa)
   1034 			{
   1035 			pkey = EVP_PKEY_new();
   1036 			if (pkey)
   1037 				EVP_PKEY_set1_RSA(pkey, rsa);
   1038 			RSA_free(rsa);
   1039 			}
   1040 		else
   1041 			pkey = NULL;
   1042 		}
   1043 #endif
   1044 	else if (format == FORMAT_PEM)
   1045 		{
   1046 		pkey=PEM_read_bio_PUBKEY(key,NULL,
   1047 			(pem_password_cb *)password_callback, &cb_data);
   1048 		}
   1049 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
   1050 	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
   1051 		pkey = load_netscape_key(err, key, file, key_descrip, format);
   1052 #endif
   1053 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
   1054 	else if (format == FORMAT_MSBLOB)
   1055 		pkey = b2i_PublicKey_bio(key);
   1056 #endif
   1057 	else
   1058 		{
   1059 		BIO_printf(err,"bad input format specified for key file\n");
   1060 		goto end;
   1061 		}
   1062  end:
   1063 	if (key != NULL) BIO_free(key);
   1064 	if (pkey == NULL)
   1065 		BIO_printf(err,"unable to load %s\n", key_descrip);
   1066 	return(pkey);
   1067 	}
   1068 
   1069 #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
   1070 static EVP_PKEY *
   1071 load_netscape_key(BIO *err, BIO *key, const char *file,
   1072 		const char *key_descrip, int format)
   1073 	{
   1074 	EVP_PKEY *pkey;
   1075 	BUF_MEM *buf;
   1076 	RSA	*rsa;
   1077 	const unsigned char *p;
   1078 	int size, i;
   1079 
   1080 	buf=BUF_MEM_new();
   1081 	pkey = EVP_PKEY_new();
   1082 	size = 0;
   1083 	if (buf == NULL || pkey == NULL)
   1084 		goto error;
   1085 	for (;;)
   1086 		{
   1087 		if (!BUF_MEM_grow_clean(buf,size+1024*10))
   1088 			goto error;
   1089 		i = BIO_read(key, &(buf->data[size]), 1024*10);
   1090 		size += i;
   1091 		if (i == 0)
   1092 			break;
   1093 		if (i < 0)
   1094 			{
   1095 				BIO_printf(err, "Error reading %s %s",
   1096 					key_descrip, file);
   1097 				goto error;
   1098 			}
   1099 		}
   1100 	p=(unsigned char *)buf->data;
   1101 	rsa = d2i_RSA_NET(NULL,&p,(long)size,NULL,
   1102 		(format == FORMAT_IISSGC ? 1 : 0));
   1103 	if (rsa == NULL)
   1104 		goto error;
   1105 	BUF_MEM_free(buf);
   1106 	EVP_PKEY_set1_RSA(pkey, rsa);
   1107 	return pkey;
   1108 error:
   1109 	BUF_MEM_free(buf);
   1110 	EVP_PKEY_free(pkey);
   1111 	return NULL;
   1112 	}
   1113 #endif /* ndef OPENSSL_NO_RC4 */
   1114 
   1115 static int load_certs_crls(BIO *err, const char *file, int format,
   1116 	const char *pass, ENGINE *e, const char *desc,
   1117 	STACK_OF(X509) **pcerts, STACK_OF(X509_CRL) **pcrls)
   1118 	{
   1119 	int i;
   1120 	BIO *bio;
   1121 	STACK_OF(X509_INFO) *xis = NULL;
   1122 	X509_INFO *xi;
   1123 	PW_CB_DATA cb_data;
   1124 	int rv = 0;
   1125 
   1126 	cb_data.password = pass;
   1127 	cb_data.prompt_info = file;
   1128 
   1129 	if (format != FORMAT_PEM)
   1130 		{
   1131 		BIO_printf(err,"bad input format specified for %s\n", desc);
   1132 		return 0;
   1133 		}
   1134 
   1135 	if (file == NULL)
   1136 		bio = BIO_new_fp(stdin,BIO_NOCLOSE);
   1137 	else
   1138 		bio = BIO_new_file(file, "r");
   1139 
   1140 	if (bio == NULL)
   1141 		{
   1142 		BIO_printf(err, "Error opening %s %s\n",
   1143 				desc, file ? file : "stdin");
   1144 		ERR_print_errors(err);
   1145 		return 0;
   1146 		}
   1147 
   1148 	xis = PEM_X509_INFO_read_bio(bio, NULL,
   1149 				(pem_password_cb *)password_callback, &cb_data);
   1150 
   1151 	BIO_free(bio);
   1152 
   1153 	if (pcerts)
   1154 		{
   1155 		*pcerts = sk_X509_new_null();
   1156 		if (!*pcerts)
   1157 			goto end;
   1158 		}
   1159 
   1160 	if (pcrls)
   1161 		{
   1162 		*pcrls = sk_X509_CRL_new_null();
   1163 		if (!*pcrls)
   1164 			goto end;
   1165 		}
   1166 
   1167 	for(i = 0; i < sk_X509_INFO_num(xis); i++)
   1168 		{
   1169 		xi = sk_X509_INFO_value (xis, i);
   1170 		if (xi->x509 && pcerts)
   1171 			{
   1172 			if (!sk_X509_push(*pcerts, xi->x509))
   1173 				goto end;
   1174 			xi->x509 = NULL;
   1175 			}
   1176 		if (xi->crl && pcrls)
   1177 			{
   1178 			if (!sk_X509_CRL_push(*pcrls, xi->crl))
   1179 				goto end;
   1180 			xi->crl = NULL;
   1181 			}
   1182 		}
   1183 
   1184 	if (pcerts && sk_X509_num(*pcerts) > 0)
   1185 		rv = 1;
   1186 
   1187 	if (pcrls && sk_X509_CRL_num(*pcrls) > 0)
   1188 		rv = 1;
   1189 
   1190 	end:
   1191 
   1192 	if (xis)
   1193 		sk_X509_INFO_pop_free(xis, X509_INFO_free);
   1194 
   1195 	if (rv == 0)
   1196 		{
   1197 		if (pcerts)
   1198 			{
   1199 			sk_X509_pop_free(*pcerts, X509_free);
   1200 			*pcerts = NULL;
   1201 			}
   1202 		if (pcrls)
   1203 			{
   1204 			sk_X509_CRL_pop_free(*pcrls, X509_CRL_free);
   1205 			*pcrls = NULL;
   1206 			}
   1207 		BIO_printf(err,"unable to load %s\n",
   1208 				pcerts ? "certificates" : "CRLs");
   1209 		ERR_print_errors(err);
   1210 		}
   1211 	return rv;
   1212 	}
   1213 
   1214 STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
   1215 	const char *pass, ENGINE *e, const char *desc)
   1216 	{
   1217 	STACK_OF(X509) *certs;
   1218 	load_certs_crls(err, file, format, pass, e, desc, &certs, NULL);
   1219 	return certs;
   1220 	}
   1221 
   1222 STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
   1223 	const char *pass, ENGINE *e, const char *desc)
   1224 	{
   1225 	STACK_OF(X509_CRL) *crls;
   1226 	load_certs_crls(err, file, format, pass, e, desc, NULL, &crls);
   1227 	return crls;
   1228 	}
   1229 
   1230 #define X509V3_EXT_UNKNOWN_MASK		(0xfL << 16)
   1231 /* Return error for unknown extensions */
   1232 #define X509V3_EXT_DEFAULT		0
   1233 /* Print error for unknown extensions */
   1234 #define X509V3_EXT_ERROR_UNKNOWN	(1L << 16)
   1235 /* ASN1 parse unknown extensions */
   1236 #define X509V3_EXT_PARSE_UNKNOWN	(2L << 16)
   1237 /* BIO_dump unknown extensions */
   1238 #define X509V3_EXT_DUMP_UNKNOWN		(3L << 16)
   1239 
   1240 #define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
   1241 			 X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
   1242 
   1243 int set_cert_ex(unsigned long *flags, const char *arg)
   1244 {
   1245 	static const NAME_EX_TBL cert_tbl[] = {
   1246 		{ "compatible", X509_FLAG_COMPAT, 0xffffffffl},
   1247 		{ "ca_default", X509_FLAG_CA, 0xffffffffl},
   1248 		{ "no_header", X509_FLAG_NO_HEADER, 0},
   1249 		{ "no_version", X509_FLAG_NO_VERSION, 0},
   1250 		{ "no_serial", X509_FLAG_NO_SERIAL, 0},
   1251 		{ "no_signame", X509_FLAG_NO_SIGNAME, 0},
   1252 		{ "no_validity", X509_FLAG_NO_VALIDITY, 0},
   1253 		{ "no_subject", X509_FLAG_NO_SUBJECT, 0},
   1254 		{ "no_issuer", X509_FLAG_NO_ISSUER, 0},
   1255 		{ "no_pubkey", X509_FLAG_NO_PUBKEY, 0},
   1256 		{ "no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
   1257 		{ "no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
   1258 		{ "no_aux", X509_FLAG_NO_AUX, 0},
   1259 		{ "no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
   1260 		{ "ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
   1261 		{ "ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
   1262 		{ "ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
   1263 		{ "ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
   1264 		{ NULL, 0, 0}
   1265 	};
   1266 	return set_multi_opts(flags, arg, cert_tbl);
   1267 }
   1268 
   1269 int set_name_ex(unsigned long *flags, const char *arg)
   1270 {
   1271 	static const NAME_EX_TBL ex_tbl[] = {
   1272 		{ "esc_2253", ASN1_STRFLGS_ESC_2253, 0},
   1273 		{ "esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
   1274 		{ "esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
   1275 		{ "use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
   1276 		{ "utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
   1277 		{ "ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
   1278 		{ "show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
   1279 		{ "dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
   1280 		{ "dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
   1281 		{ "dump_der", ASN1_STRFLGS_DUMP_DER, 0},
   1282 		{ "compat", XN_FLAG_COMPAT, 0xffffffffL},
   1283 		{ "sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
   1284 		{ "sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
   1285 		{ "sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
   1286 		{ "sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
   1287 		{ "dn_rev", XN_FLAG_DN_REV, 0},
   1288 		{ "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
   1289 		{ "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
   1290 		{ "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
   1291 		{ "align", XN_FLAG_FN_ALIGN, 0},
   1292 		{ "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
   1293 		{ "space_eq", XN_FLAG_SPC_EQ, 0},
   1294 		{ "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
   1295 		{ "RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
   1296 		{ "oneline", XN_FLAG_ONELINE, 0xffffffffL},
   1297 		{ "multiline", XN_FLAG_MULTILINE, 0xffffffffL},
   1298 		{ "ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
   1299 		{ NULL, 0, 0}
   1300 	};
   1301 	return set_multi_opts(flags, arg, ex_tbl);
   1302 }
   1303 
   1304 int set_ext_copy(int *copy_type, const char *arg)
   1305 {
   1306 	if (!strcasecmp(arg, "none"))
   1307 		*copy_type = EXT_COPY_NONE;
   1308 	else if (!strcasecmp(arg, "copy"))
   1309 		*copy_type = EXT_COPY_ADD;
   1310 	else if (!strcasecmp(arg, "copyall"))
   1311 		*copy_type = EXT_COPY_ALL;
   1312 	else
   1313 		return 0;
   1314 	return 1;
   1315 }
   1316 
   1317 int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
   1318 {
   1319 	STACK_OF(X509_EXTENSION) *exts = NULL;
   1320 	X509_EXTENSION *ext, *tmpext;
   1321 	ASN1_OBJECT *obj;
   1322 	int i, idx, ret = 0;
   1323 	if (!x || !req || (copy_type == EXT_COPY_NONE))
   1324 		return 1;
   1325 	exts = X509_REQ_get_extensions(req);
   1326 
   1327 	for(i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
   1328 		ext = sk_X509_EXTENSION_value(exts, i);
   1329 		obj = X509_EXTENSION_get_object(ext);
   1330 		idx = X509_get_ext_by_OBJ(x, obj, -1);
   1331 		/* Does extension exist? */
   1332 		if (idx != -1) {
   1333 			/* If normal copy don't override existing extension */
   1334 			if (copy_type == EXT_COPY_ADD)
   1335 				continue;
   1336 			/* Delete all extensions of same type */
   1337 			do {
   1338 				tmpext = X509_get_ext(x, idx);
   1339 				X509_delete_ext(x, idx);
   1340 				X509_EXTENSION_free(tmpext);
   1341 				idx = X509_get_ext_by_OBJ(x, obj, -1);
   1342 			} while (idx != -1);
   1343 		}
   1344 		if (!X509_add_ext(x, ext, -1))
   1345 			goto end;
   1346 	}
   1347 
   1348 	ret = 1;
   1349 
   1350 	end:
   1351 
   1352 	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
   1353 
   1354 	return ret;
   1355 }
   1356 
   1357 
   1358 
   1359 
   1360 static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl)
   1361 {
   1362 	STACK_OF(CONF_VALUE) *vals;
   1363 	CONF_VALUE *val;
   1364 	int i, ret = 1;
   1365 	if(!arg) return 0;
   1366 	vals = X509V3_parse_list(arg);
   1367 	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
   1368 		val = sk_CONF_VALUE_value(vals, i);
   1369 		if (!set_table_opts(flags, val->name, in_tbl))
   1370 			ret = 0;
   1371 	}
   1372 	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
   1373 	return ret;
   1374 }
   1375 
   1376 static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl)
   1377 {
   1378 	char c;
   1379 	const NAME_EX_TBL *ptbl;
   1380 	c = arg[0];
   1381 
   1382 	if(c == '-') {
   1383 		c = 0;
   1384 		arg++;
   1385 	} else if (c == '+') {
   1386 		c = 1;
   1387 		arg++;
   1388 	} else c = 1;
   1389 
   1390 	for(ptbl = in_tbl; ptbl->name; ptbl++) {
   1391 		if(!strcasecmp(arg, ptbl->name)) {
   1392 			*flags &= ~ptbl->mask;
   1393 			if(c) *flags |= ptbl->flag;
   1394 			else *flags &= ~ptbl->flag;
   1395 			return 1;
   1396 		}
   1397 	}
   1398 	return 0;
   1399 }
   1400 
   1401 void print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags)
   1402 {
   1403 	char *buf;
   1404 	char mline = 0;
   1405 	int indent = 0;
   1406 
   1407 	if(title) BIO_puts(out, title);
   1408 	if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
   1409 		mline = 1;
   1410 		indent = 4;
   1411 	}
   1412 	if(lflags == XN_FLAG_COMPAT) {
   1413 		buf = X509_NAME_oneline(nm, 0, 0);
   1414 		BIO_puts(out, buf);
   1415 		BIO_puts(out, "\n");
   1416 		OPENSSL_free(buf);
   1417 	} else {
   1418 		if(mline) BIO_puts(out, "\n");
   1419 		X509_NAME_print_ex(out, nm, indent, lflags);
   1420 		BIO_puts(out, "\n");
   1421 	}
   1422 }
   1423 
   1424 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
   1425 {
   1426 	X509_STORE *store;
   1427 	X509_LOOKUP *lookup;
   1428 	if(!(store = X509_STORE_new())) goto end;
   1429 	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
   1430 	if (lookup == NULL) goto end;
   1431 	if (CAfile) {
   1432 		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
   1433 			BIO_printf(bp, "Error loading file %s\n", CAfile);
   1434 			goto end;
   1435 		}
   1436 	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
   1437 
   1438 	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
   1439 	if (lookup == NULL) goto end;
   1440 	if (CApath) {
   1441 		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
   1442 			BIO_printf(bp, "Error loading directory %s\n", CApath);
   1443 			goto end;
   1444 		}
   1445 	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
   1446 
   1447 	ERR_clear_error();
   1448 	return store;
   1449 	end:
   1450 	X509_STORE_free(store);
   1451 	return NULL;
   1452 }
   1453 
   1454 #ifndef OPENSSL_NO_ENGINE
   1455 /* Try to load an engine in a shareable library */
   1456 static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
   1457 	{
   1458 	ENGINE *e = ENGINE_by_id("dynamic");
   1459 	if (e)
   1460 		{
   1461 		if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
   1462 			|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
   1463 			{
   1464 			ENGINE_free(e);
   1465 			e = NULL;
   1466 			}
   1467 		}
   1468 	return e;
   1469 	}
   1470 
   1471 ENGINE *setup_engine(BIO *err, const char *engine, int debug)
   1472         {
   1473         ENGINE *e = NULL;
   1474 
   1475         if (engine)
   1476                 {
   1477 		if(strcmp(engine, "auto") == 0)
   1478 			{
   1479 			BIO_printf(err,"enabling auto ENGINE support\n");
   1480 			ENGINE_register_all_complete();
   1481 			return NULL;
   1482 			}
   1483 		if((e = ENGINE_by_id(engine)) == NULL
   1484 			&& (e = try_load_engine(err, engine, debug)) == NULL)
   1485 			{
   1486 			BIO_printf(err,"invalid engine \"%s\"\n", engine);
   1487 			ERR_print_errors(err);
   1488 			return NULL;
   1489 			}
   1490 		if (debug)
   1491 			{
   1492 			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
   1493 				0, err, 0);
   1494 			}
   1495                 ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
   1496 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
   1497 			{
   1498 			BIO_printf(err,"can't use that engine\n");
   1499 			ERR_print_errors(err);
   1500 			ENGINE_free(e);
   1501 			return NULL;
   1502 			}
   1503 
   1504 		BIO_printf(err,"engine \"%s\" set.\n", ENGINE_get_id(e));
   1505 
   1506 		/* Free our "structural" reference. */
   1507 		ENGINE_free(e);
   1508 		}
   1509         return e;
   1510         }
   1511 #endif
   1512 
   1513 int load_config(BIO *err, CONF *cnf)
   1514 	{
   1515 	static int load_config_called = 0;
   1516 	if (load_config_called)
   1517 		return 1;
   1518 	load_config_called = 1;
   1519 	if (!cnf)
   1520 		cnf = config;
   1521 	if (!cnf)
   1522 		return 1;
   1523 
   1524 	OPENSSL_load_builtin_modules();
   1525 
   1526 	if (CONF_modules_load(cnf, NULL, 0) <= 0)
   1527 		{
   1528 		BIO_printf(err, "Error configuring OpenSSL\n");
   1529 		ERR_print_errors(err);
   1530 		return 0;
   1531 		}
   1532 	return 1;
   1533 	}
   1534 
   1535 char *make_config_name()
   1536 	{
   1537 	const char *t=X509_get_default_cert_area();
   1538 	size_t len;
   1539 	char *p;
   1540 
   1541 	len=strlen(t)+strlen(OPENSSL_CONF)+2;
   1542 	p=OPENSSL_malloc(len);
   1543 	BUF_strlcpy(p,t,len);
   1544 #ifndef OPENSSL_SYS_VMS
   1545 	BUF_strlcat(p,"/",len);
   1546 #endif
   1547 	BUF_strlcat(p,OPENSSL_CONF,len);
   1548 
   1549 	return p;
   1550 	}
   1551 
   1552 static unsigned long index_serial_hash(const OPENSSL_CSTRING *a)
   1553 	{
   1554 	const char *n;
   1555 
   1556 	n=a[DB_serial];
   1557 	while (*n == '0') n++;
   1558 	return(lh_strhash(n));
   1559 	}
   1560 
   1561 static int index_serial_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
   1562 	{
   1563 	const char *aa,*bb;
   1564 
   1565 	for (aa=a[DB_serial]; *aa == '0'; aa++);
   1566 	for (bb=b[DB_serial]; *bb == '0'; bb++);
   1567 	return(strcmp(aa,bb));
   1568 	}
   1569 
   1570 static int index_name_qual(char **a)
   1571 	{ return(a[0][0] == 'V'); }
   1572 
   1573 static unsigned long index_name_hash(const OPENSSL_CSTRING *a)
   1574 	{ return(lh_strhash(a[DB_name])); }
   1575 
   1576 int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b)
   1577 	{ return(strcmp(a[DB_name], b[DB_name])); }
   1578 
   1579 static IMPLEMENT_LHASH_HASH_FN(index_serial, OPENSSL_CSTRING)
   1580 static IMPLEMENT_LHASH_COMP_FN(index_serial, OPENSSL_CSTRING)
   1581 static IMPLEMENT_LHASH_HASH_FN(index_name, OPENSSL_CSTRING)
   1582 static IMPLEMENT_LHASH_COMP_FN(index_name, OPENSSL_CSTRING)
   1583 
   1584 #undef BSIZE
   1585 #define BSIZE 256
   1586 
   1587 BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
   1588 	{
   1589 	BIO *in=NULL;
   1590 	BIGNUM *ret=NULL;
   1591 	MS_STATIC char buf[1024];
   1592 	ASN1_INTEGER *ai=NULL;
   1593 
   1594 	ai=ASN1_INTEGER_new();
   1595 	if (ai == NULL) goto err;
   1596 
   1597 	if ((in=BIO_new(BIO_s_file())) == NULL)
   1598 		{
   1599 		ERR_print_errors(bio_err);
   1600 		goto err;
   1601 		}
   1602 
   1603 	if (BIO_read_filename(in,serialfile) <= 0)
   1604 		{
   1605 		if (!create)
   1606 			{
   1607 			perror(serialfile);
   1608 			goto err;
   1609 			}
   1610 		else
   1611 			{
   1612 			ret=BN_new();
   1613 			if (ret == NULL || !rand_serial(ret, ai))
   1614 				BIO_printf(bio_err, "Out of memory\n");
   1615 			}
   1616 		}
   1617 	else
   1618 		{
   1619 		if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
   1620 			{
   1621 			BIO_printf(bio_err,"unable to load number from %s\n",
   1622 				serialfile);
   1623 			goto err;
   1624 			}
   1625 		ret=ASN1_INTEGER_to_BN(ai,NULL);
   1626 		if (ret == NULL)
   1627 			{
   1628 			BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
   1629 			goto err;
   1630 			}
   1631 		}
   1632 
   1633 	if (ret && retai)
   1634 		{
   1635 		*retai = ai;
   1636 		ai = NULL;
   1637 		}
   1638  err:
   1639 	if (in != NULL) BIO_free(in);
   1640 	if (ai != NULL) ASN1_INTEGER_free(ai);
   1641 	return(ret);
   1642 	}
   1643 
   1644 int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai)
   1645 	{
   1646 	char buf[1][BSIZE];
   1647 	BIO *out = NULL;
   1648 	int ret=0;
   1649 	ASN1_INTEGER *ai=NULL;
   1650 	int j;
   1651 
   1652 	if (suffix == NULL)
   1653 		j = strlen(serialfile);
   1654 	else
   1655 		j = strlen(serialfile) + strlen(suffix) + 1;
   1656 	if (j >= BSIZE)
   1657 		{
   1658 		BIO_printf(bio_err,"file name too long\n");
   1659 		goto err;
   1660 		}
   1661 
   1662 	if (suffix == NULL)
   1663 		BUF_strlcpy(buf[0], serialfile, BSIZE);
   1664 	else
   1665 		{
   1666 #ifndef OPENSSL_SYS_VMS
   1667 		j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
   1668 #else
   1669 		j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
   1670 #endif
   1671 		}
   1672 #ifdef RL_DEBUG
   1673 	BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
   1674 #endif
   1675 	out=BIO_new(BIO_s_file());
   1676 	if (out == NULL)
   1677 		{
   1678 		ERR_print_errors(bio_err);
   1679 		goto err;
   1680 		}
   1681 	if (BIO_write_filename(out,buf[0]) <= 0)
   1682 		{
   1683 		perror(serialfile);
   1684 		goto err;
   1685 		}
   1686 
   1687 	if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
   1688 		{
   1689 		BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
   1690 		goto err;
   1691 		}
   1692 	i2a_ASN1_INTEGER(out,ai);
   1693 	BIO_puts(out,"\n");
   1694 	ret=1;
   1695 	if (retai)
   1696 		{
   1697 		*retai = ai;
   1698 		ai = NULL;
   1699 		}
   1700 err:
   1701 	if (out != NULL) BIO_free_all(out);
   1702 	if (ai != NULL) ASN1_INTEGER_free(ai);
   1703 	return(ret);
   1704 	}
   1705 
   1706 int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
   1707 	{
   1708 	char buf[5][BSIZE];
   1709 	int i,j;
   1710 
   1711 	i = strlen(serialfile) + strlen(old_suffix);
   1712 	j = strlen(serialfile) + strlen(new_suffix);
   1713 	if (i > j) j = i;
   1714 	if (j + 1 >= BSIZE)
   1715 		{
   1716 		BIO_printf(bio_err,"file name too long\n");
   1717 		goto err;
   1718 		}
   1719 
   1720 #ifndef OPENSSL_SYS_VMS
   1721 	j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s",
   1722 		serialfile, new_suffix);
   1723 #else
   1724 	j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s",
   1725 		serialfile, new_suffix);
   1726 #endif
   1727 #ifndef OPENSSL_SYS_VMS
   1728 	j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s",
   1729 		serialfile, old_suffix);
   1730 #else
   1731 	j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s",
   1732 		serialfile, old_suffix);
   1733 #endif
   1734 #ifdef RL_DEBUG
   1735 	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
   1736 		serialfile, buf[1]);
   1737 #endif
   1738 	if (rename(serialfile,buf[1]) < 0 && errno != ENOENT
   1739 #ifdef ENOTDIR
   1740 			&& errno != ENOTDIR
   1741 #endif
   1742 	   )		{
   1743 			BIO_printf(bio_err,
   1744 				"unable to rename %s to %s\n",
   1745 				serialfile, buf[1]);
   1746 			perror("reason");
   1747 			goto err;
   1748 			}
   1749 #ifdef RL_DEBUG
   1750 	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
   1751 		buf[0],serialfile);
   1752 #endif
   1753 	if (rename(buf[0],serialfile) < 0)
   1754 		{
   1755 		BIO_printf(bio_err,
   1756 			"unable to rename %s to %s\n",
   1757 			buf[0],serialfile);
   1758 		perror("reason");
   1759 		rename(buf[1],serialfile);
   1760 		goto err;
   1761 		}
   1762 	return 1;
   1763  err:
   1764 	return 0;
   1765 	}
   1766 
   1767 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
   1768 	{
   1769 	BIGNUM *btmp;
   1770 	int ret = 0;
   1771 	if (b)
   1772 		btmp = b;
   1773 	else
   1774 		btmp = BN_new();
   1775 
   1776 	if (!btmp)
   1777 		return 0;
   1778 
   1779 	if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
   1780 		goto error;
   1781 	if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
   1782 		goto error;
   1783 
   1784 	ret = 1;
   1785 
   1786 	error:
   1787 
   1788 	if (!b)
   1789 		BN_free(btmp);
   1790 
   1791 	return ret;
   1792 	}
   1793 
   1794 CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
   1795 	{
   1796 	CA_DB *retdb = NULL;
   1797 	TXT_DB *tmpdb = NULL;
   1798 	BIO *in = BIO_new(BIO_s_file());
   1799 	CONF *dbattr_conf = NULL;
   1800 	char buf[1][BSIZE];
   1801 	long errorline= -1;
   1802 
   1803 	if (in == NULL)
   1804 		{
   1805 		ERR_print_errors(bio_err);
   1806 		goto err;
   1807 		}
   1808 	if (BIO_read_filename(in,dbfile) <= 0)
   1809 		{
   1810 		perror(dbfile);
   1811 		BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
   1812 		goto err;
   1813 		}
   1814 	if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL)
   1815 		goto err;
   1816 
   1817 #ifndef OPENSSL_SYS_VMS
   1818 	BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
   1819 #else
   1820 	BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile);
   1821 #endif
   1822 	dbattr_conf = NCONF_new(NULL);
   1823 	if (NCONF_load(dbattr_conf,buf[0],&errorline) <= 0)
   1824 		{
   1825 		if (errorline > 0)
   1826 			{
   1827 			BIO_printf(bio_err,
   1828 				"error on line %ld of db attribute file '%s'\n"
   1829 				,errorline,buf[0]);
   1830 			goto err;
   1831 			}
   1832 		else
   1833 			{
   1834 			NCONF_free(dbattr_conf);
   1835 			dbattr_conf = NULL;
   1836 			}
   1837 		}
   1838 
   1839 	if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL)
   1840 		{
   1841 		fprintf(stderr, "Out of memory\n");
   1842 		goto err;
   1843 		}
   1844 
   1845 	retdb->db = tmpdb;
   1846 	tmpdb = NULL;
   1847 	if (db_attr)
   1848 		retdb->attributes = *db_attr;
   1849 	else
   1850 		{
   1851 		retdb->attributes.unique_subject = 1;
   1852 		}
   1853 
   1854 	if (dbattr_conf)
   1855 		{
   1856 		char *p = NCONF_get_string(dbattr_conf,NULL,"unique_subject");
   1857 		if (p)
   1858 			{
   1859 #ifdef RL_DEBUG
   1860 			BIO_printf(bio_err, "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
   1861 #endif
   1862 			retdb->attributes.unique_subject = parse_yesno(p,1);
   1863 			}
   1864 		}
   1865 
   1866  err:
   1867 	if (dbattr_conf) NCONF_free(dbattr_conf);
   1868 	if (tmpdb) TXT_DB_free(tmpdb);
   1869 	if (in) BIO_free_all(in);
   1870 	return retdb;
   1871 	}
   1872 
   1873 int index_index(CA_DB *db)
   1874 	{
   1875 	if (!TXT_DB_create_index(db->db, DB_serial, NULL,
   1876 				LHASH_HASH_FN(index_serial),
   1877 				LHASH_COMP_FN(index_serial)))
   1878 		{
   1879 		BIO_printf(bio_err,
   1880 		  "error creating serial number index:(%ld,%ld,%ld)\n",
   1881 		  			db->db->error,db->db->arg1,db->db->arg2);
   1882 			return 0;
   1883 		}
   1884 
   1885 	if (db->attributes.unique_subject
   1886 		&& !TXT_DB_create_index(db->db, DB_name, index_name_qual,
   1887 			LHASH_HASH_FN(index_name),
   1888 			LHASH_COMP_FN(index_name)))
   1889 		{
   1890 		BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
   1891 			db->db->error,db->db->arg1,db->db->arg2);
   1892 		return 0;
   1893 		}
   1894 	return 1;
   1895 	}
   1896 
   1897 int save_index(const char *dbfile, const char *suffix, CA_DB *db)
   1898 	{
   1899 	char buf[3][BSIZE];
   1900 	BIO *out = BIO_new(BIO_s_file());
   1901 	int j;
   1902 
   1903 	if (out == NULL)
   1904 		{
   1905 		ERR_print_errors(bio_err);
   1906 		goto err;
   1907 		}
   1908 
   1909 	j = strlen(dbfile) + strlen(suffix);
   1910 	if (j + 6 >= BSIZE)
   1911 		{
   1912 		BIO_printf(bio_err,"file name too long\n");
   1913 		goto err;
   1914 		}
   1915 
   1916 #ifndef OPENSSL_SYS_VMS
   1917 	j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
   1918 #else
   1919 	j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
   1920 #endif
   1921 #ifndef OPENSSL_SYS_VMS
   1922 	j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
   1923 #else
   1924 	j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
   1925 #endif
   1926 #ifndef OPENSSL_SYS_VMS
   1927 	j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
   1928 #else
   1929 	j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
   1930 #endif
   1931 #ifdef RL_DEBUG
   1932 	BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
   1933 #endif
   1934 	if (BIO_write_filename(out,buf[0]) <= 0)
   1935 		{
   1936 		perror(dbfile);
   1937 		BIO_printf(bio_err,"unable to open '%s'\n", dbfile);
   1938 		goto err;
   1939 		}
   1940 	j=TXT_DB_write(out,db->db);
   1941 	if (j <= 0) goto err;
   1942 
   1943 	BIO_free(out);
   1944 
   1945 	out = BIO_new(BIO_s_file());
   1946 #ifdef RL_DEBUG
   1947 	BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
   1948 #endif
   1949 	if (BIO_write_filename(out,buf[1]) <= 0)
   1950 		{
   1951 		perror(buf[2]);
   1952 		BIO_printf(bio_err,"unable to open '%s'\n", buf[2]);
   1953 		goto err;
   1954 		}
   1955 	BIO_printf(out,"unique_subject = %s\n",
   1956 		db->attributes.unique_subject ? "yes" : "no");
   1957 	BIO_free(out);
   1958 
   1959 	return 1;
   1960  err:
   1961 	return 0;
   1962 	}
   1963 
   1964 int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix)
   1965 	{
   1966 	char buf[5][BSIZE];
   1967 	int i,j;
   1968 
   1969 	i = strlen(dbfile) + strlen(old_suffix);
   1970 	j = strlen(dbfile) + strlen(new_suffix);
   1971 	if (i > j) j = i;
   1972 	if (j + 6 >= BSIZE)
   1973 		{
   1974 		BIO_printf(bio_err,"file name too long\n");
   1975 		goto err;
   1976 		}
   1977 
   1978 #ifndef OPENSSL_SYS_VMS
   1979 	j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
   1980 #else
   1981 	j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
   1982 #endif
   1983 #ifndef OPENSSL_SYS_VMS
   1984 	j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s",
   1985 		dbfile, new_suffix);
   1986 #else
   1987 	j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s",
   1988 		dbfile, new_suffix);
   1989 #endif
   1990 #ifndef OPENSSL_SYS_VMS
   1991 	j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s",
   1992 		dbfile, new_suffix);
   1993 #else
   1994 	j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s",
   1995 		dbfile, new_suffix);
   1996 #endif
   1997 #ifndef OPENSSL_SYS_VMS
   1998 	j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s",
   1999 		dbfile, old_suffix);
   2000 #else
   2001 	j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s",
   2002 		dbfile, old_suffix);
   2003 #endif
   2004 #ifndef OPENSSL_SYS_VMS
   2005 	j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s",
   2006 		dbfile, old_suffix);
   2007 #else
   2008 	j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s",
   2009 		dbfile, old_suffix);
   2010 #endif
   2011 #ifdef RL_DEBUG
   2012 	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
   2013 		dbfile, buf[1]);
   2014 #endif
   2015 	if (rename(dbfile,buf[1]) < 0 && errno != ENOENT
   2016 #ifdef ENOTDIR
   2017 		&& errno != ENOTDIR
   2018 #endif
   2019 	   )		{
   2020 			BIO_printf(bio_err,
   2021 				"unable to rename %s to %s\n",
   2022 				dbfile, buf[1]);
   2023 			perror("reason");
   2024 			goto err;
   2025 			}
   2026 #ifdef RL_DEBUG
   2027 	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
   2028 		buf[0],dbfile);
   2029 #endif
   2030 	if (rename(buf[0],dbfile) < 0)
   2031 		{
   2032 		BIO_printf(bio_err,
   2033 			"unable to rename %s to %s\n",
   2034 			buf[0],dbfile);
   2035 		perror("reason");
   2036 		rename(buf[1],dbfile);
   2037 		goto err;
   2038 		}
   2039 #ifdef RL_DEBUG
   2040 	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
   2041 		buf[4],buf[3]);
   2042 #endif
   2043 	if (rename(buf[4],buf[3]) < 0 && errno != ENOENT
   2044 #ifdef ENOTDIR
   2045 		&& errno != ENOTDIR
   2046 #endif
   2047 	   )		{
   2048 			BIO_printf(bio_err,
   2049 				"unable to rename %s to %s\n",
   2050 				buf[4], buf[3]);
   2051 			perror("reason");
   2052 			rename(dbfile,buf[0]);
   2053 			rename(buf[1],dbfile);
   2054 			goto err;
   2055 			}
   2056 #ifdef RL_DEBUG
   2057 	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
   2058 		buf[2],buf[4]);
   2059 #endif
   2060 	if (rename(buf[2],buf[4]) < 0)
   2061 		{
   2062 		BIO_printf(bio_err,
   2063 			"unable to rename %s to %s\n",
   2064 			buf[2],buf[4]);
   2065 		perror("reason");
   2066 		rename(buf[3],buf[4]);
   2067 		rename(dbfile,buf[0]);
   2068 		rename(buf[1],dbfile);
   2069 		goto err;
   2070 		}
   2071 	return 1;
   2072  err:
   2073 	return 0;
   2074 	}
   2075 
   2076 void free_index(CA_DB *db)
   2077 	{
   2078 	if (db)
   2079 		{
   2080 		if (db->db) TXT_DB_free(db->db);
   2081 		OPENSSL_free(db);
   2082 		}
   2083 	}
   2084 
   2085 int parse_yesno(const char *str, int def)
   2086 	{
   2087 	int ret = def;
   2088 	if (str)
   2089 		{
   2090 		switch (*str)
   2091 			{
   2092 		case 'f': /* false */
   2093 		case 'F': /* FALSE */
   2094 		case 'n': /* no */
   2095 		case 'N': /* NO */
   2096 		case '0': /* 0 */
   2097 			ret = 0;
   2098 			break;
   2099 		case 't': /* true */
   2100 		case 'T': /* TRUE */
   2101 		case 'y': /* yes */
   2102 		case 'Y': /* YES */
   2103 		case '1': /* 1 */
   2104 			ret = 1;
   2105 			break;
   2106 		default:
   2107 			ret = def;
   2108 			break;
   2109 			}
   2110 		}
   2111 	return ret;
   2112 	}
   2113 
   2114 /*
   2115  * subject is expected to be in the format /type0=value0/type1=value1/type2=...
   2116  * where characters may be escaped by \
   2117  */
   2118 X509_NAME *parse_name(char *subject, long chtype, int multirdn)
   2119 	{
   2120 	size_t buflen = strlen(subject)+1; /* to copy the types and values into. due to escaping, the copy can only become shorter */
   2121 	char *buf = OPENSSL_malloc(buflen);
   2122 	size_t max_ne = buflen / 2 + 1; /* maximum number of name elements */
   2123 	char **ne_types = OPENSSL_malloc(max_ne * sizeof (char *));
   2124 	char **ne_values = OPENSSL_malloc(max_ne * sizeof (char *));
   2125 	int *mval = OPENSSL_malloc (max_ne * sizeof (int));
   2126 
   2127 	char *sp = subject, *bp = buf;
   2128 	int i, ne_num = 0;
   2129 
   2130 	X509_NAME *n = NULL;
   2131 	int nid;
   2132 
   2133 	if (!buf || !ne_types || !ne_values)
   2134 		{
   2135 		BIO_printf(bio_err, "malloc error\n");
   2136 		goto error;
   2137 		}
   2138 
   2139 	if (*subject != '/')
   2140 		{
   2141 		BIO_printf(bio_err, "Subject does not start with '/'.\n");
   2142 		goto error;
   2143 		}
   2144 	sp++; /* skip leading / */
   2145 
   2146 	/* no multivalued RDN by default */
   2147 	mval[ne_num] = 0;
   2148 
   2149 	while (*sp)
   2150 		{
   2151 		/* collect type */
   2152 		ne_types[ne_num] = bp;
   2153 		while (*sp)
   2154 			{
   2155 			if (*sp == '\\') /* is there anything to escape in the type...? */
   2156 				{
   2157 				if (*++sp)
   2158 					*bp++ = *sp++;
   2159 				else
   2160 					{
   2161 					BIO_printf(bio_err, "escape character at end of string\n");
   2162 					goto error;
   2163 					}
   2164 				}
   2165 			else if (*sp == '=')
   2166 				{
   2167 				sp++;
   2168 				*bp++ = '\0';
   2169 				break;
   2170 				}
   2171 			else
   2172 				*bp++ = *sp++;
   2173 			}
   2174 		if (!*sp)
   2175 			{
   2176 			BIO_printf(bio_err, "end of string encountered while processing type of subject name element #%d\n", ne_num);
   2177 			goto error;
   2178 			}
   2179 		ne_values[ne_num] = bp;
   2180 		while (*sp)
   2181 			{
   2182 			if (*sp == '\\')
   2183 				{
   2184 				if (*++sp)
   2185 					*bp++ = *sp++;
   2186 				else
   2187 					{
   2188 					BIO_printf(bio_err, "escape character at end of string\n");
   2189 					goto error;
   2190 					}
   2191 				}
   2192 			else if (*sp == '/')
   2193 				{
   2194 				sp++;
   2195 				/* no multivalued RDN by default */
   2196 				mval[ne_num+1] = 0;
   2197 				break;
   2198 				}
   2199 			else if (*sp == '+' && multirdn)
   2200 				{
   2201 				/* a not escaped + signals a mutlivalued RDN */
   2202 				sp++;
   2203 				mval[ne_num+1] = -1;
   2204 				break;
   2205 				}
   2206 			else
   2207 				*bp++ = *sp++;
   2208 			}
   2209 		*bp++ = '\0';
   2210 		ne_num++;
   2211 		}
   2212 
   2213 	if (!(n = X509_NAME_new()))
   2214 		goto error;
   2215 
   2216 	for (i = 0; i < ne_num; i++)
   2217 		{
   2218 		if ((nid=OBJ_txt2nid(ne_types[i])) == NID_undef)
   2219 			{
   2220 			BIO_printf(bio_err, "Subject Attribute %s has no known NID, skipped\n", ne_types[i]);
   2221 			continue;
   2222 			}
   2223 
   2224 		if (!*ne_values[i])
   2225 			{
   2226 			BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
   2227 			continue;
   2228 			}
   2229 
   2230 		if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,mval[i]))
   2231 			goto error;
   2232 		}
   2233 
   2234 	OPENSSL_free(ne_values);
   2235 	OPENSSL_free(ne_types);
   2236 	OPENSSL_free(buf);
   2237 	return n;
   2238 
   2239 error:
   2240 	X509_NAME_free(n);
   2241 	if (ne_values)
   2242 		OPENSSL_free(ne_values);
   2243 	if (ne_types)
   2244 		OPENSSL_free(ne_types);
   2245 	if (buf)
   2246 		OPENSSL_free(buf);
   2247 	return NULL;
   2248 }
   2249 
   2250 int args_verify(char ***pargs, int *pargc,
   2251 			int *badarg, BIO *err, X509_VERIFY_PARAM **pm)
   2252 	{
   2253 	ASN1_OBJECT *otmp = NULL;
   2254 	unsigned long flags = 0;
   2255 	int i;
   2256 	int purpose = 0, depth = -1;
   2257 	char **oldargs = *pargs;
   2258 	char *arg = **pargs, *argn = (*pargs)[1];
   2259 	if (!strcmp(arg, "-policy"))
   2260 		{
   2261 		if (!argn)
   2262 			*badarg = 1;
   2263 		else
   2264 			{
   2265 			otmp = OBJ_txt2obj(argn, 0);
   2266 			if (!otmp)
   2267 				{
   2268 				BIO_printf(err, "Invalid Policy \"%s\"\n",
   2269 									argn);
   2270 				*badarg = 1;
   2271 				}
   2272 			}
   2273 		(*pargs)++;
   2274 		}
   2275 	else if (strcmp(arg,"-purpose") == 0)
   2276 		{
   2277 		X509_PURPOSE *xptmp;
   2278 		if (!argn)
   2279 			*badarg = 1;
   2280 		else
   2281 			{
   2282 			i = X509_PURPOSE_get_by_sname(argn);
   2283 			if(i < 0)
   2284 				{
   2285 				BIO_printf(err, "unrecognized purpose\n");
   2286 				*badarg = 1;
   2287 				}
   2288 			else
   2289 				{
   2290 				xptmp = X509_PURPOSE_get0(i);
   2291 				purpose = X509_PURPOSE_get_id(xptmp);
   2292 				}
   2293 			}
   2294 		(*pargs)++;
   2295 		}
   2296 	else if (strcmp(arg,"-verify_depth") == 0)
   2297 		{
   2298 		if (!argn)
   2299 			*badarg = 1;
   2300 		else
   2301 			{
   2302 			depth = atoi(argn);
   2303 			if(depth < 0)
   2304 				{
   2305 				BIO_printf(err, "invalid depth\n");
   2306 				*badarg = 1;
   2307 				}
   2308 			}
   2309 		(*pargs)++;
   2310 		}
   2311 	else if (!strcmp(arg, "-ignore_critical"))
   2312 		flags |= X509_V_FLAG_IGNORE_CRITICAL;
   2313 	else if (!strcmp(arg, "-issuer_checks"))
   2314 		flags |= X509_V_FLAG_CB_ISSUER_CHECK;
   2315 	else if (!strcmp(arg, "-crl_check"))
   2316 		flags |=  X509_V_FLAG_CRL_CHECK;
   2317 	else if (!strcmp(arg, "-crl_check_all"))
   2318 		flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
   2319 	else if (!strcmp(arg, "-policy_check"))
   2320 		flags |= X509_V_FLAG_POLICY_CHECK;
   2321 	else if (!strcmp(arg, "-explicit_policy"))
   2322 		flags |= X509_V_FLAG_EXPLICIT_POLICY;
   2323 	else if (!strcmp(arg, "-inhibit_any"))
   2324 		flags |= X509_V_FLAG_INHIBIT_ANY;
   2325 	else if (!strcmp(arg, "-inhibit_map"))
   2326 		flags |= X509_V_FLAG_INHIBIT_MAP;
   2327 	else if (!strcmp(arg, "-x509_strict"))
   2328 		flags |= X509_V_FLAG_X509_STRICT;
   2329 	else if (!strcmp(arg, "-extended_crl"))
   2330 		flags |= X509_V_FLAG_EXTENDED_CRL_SUPPORT;
   2331 	else if (!strcmp(arg, "-use_deltas"))
   2332 		flags |= X509_V_FLAG_USE_DELTAS;
   2333 	else if (!strcmp(arg, "-policy_print"))
   2334 		flags |= X509_V_FLAG_NOTIFY_POLICY;
   2335 	else if (!strcmp(arg, "-check_ss_sig"))
   2336 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
   2337 	else
   2338 		return 0;
   2339 
   2340 	if (*badarg)
   2341 		{
   2342 		if (*pm)
   2343 			X509_VERIFY_PARAM_free(*pm);
   2344 		*pm = NULL;
   2345 		goto end;
   2346 		}
   2347 
   2348 	if (!*pm && !(*pm = X509_VERIFY_PARAM_new()))
   2349 		{
   2350 		*badarg = 1;
   2351 		goto end;
   2352 		}
   2353 
   2354 	if (otmp)
   2355 		X509_VERIFY_PARAM_add0_policy(*pm, otmp);
   2356 	if (flags)
   2357 		X509_VERIFY_PARAM_set_flags(*pm, flags);
   2358 
   2359 	if (purpose)
   2360 		X509_VERIFY_PARAM_set_purpose(*pm, purpose);
   2361 
   2362 	if (depth >= 0)
   2363 		X509_VERIFY_PARAM_set_depth(*pm, depth);
   2364 
   2365 	end:
   2366 
   2367 	(*pargs)++;
   2368 
   2369 	if (pargc)
   2370 		*pargc -= *pargs - oldargs;
   2371 
   2372 	return 1;
   2373 
   2374 	}
   2375 
   2376 /* Read whole contents of a BIO into an allocated memory buffer and
   2377  * return it.
   2378  */
   2379 
   2380 int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
   2381 	{
   2382 	BIO *mem;
   2383 	int len, ret;
   2384 	unsigned char tbuf[1024];
   2385 	mem = BIO_new(BIO_s_mem());
   2386 	if (!mem)
   2387 		return -1;
   2388 	for(;;)
   2389 		{
   2390 		if ((maxlen != -1) && maxlen < 1024)
   2391 			len = maxlen;
   2392 		else
   2393 			len = 1024;
   2394 		len = BIO_read(in, tbuf, len);
   2395 		if (len <= 0)
   2396 			break;
   2397 		if (BIO_write(mem, tbuf, len) != len)
   2398 			{
   2399 			BIO_free(mem);
   2400 			return -1;
   2401 			}
   2402 		maxlen -= len;
   2403 
   2404 		if (maxlen == 0)
   2405 			break;
   2406 		}
   2407 	ret = BIO_get_mem_data(mem, (char **)out);
   2408 	BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
   2409 	BIO_free(mem);
   2410 	return ret;
   2411 	}
   2412 
   2413 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
   2414 	{
   2415 	int rv;
   2416 	char *stmp, *vtmp = NULL;
   2417 	stmp = BUF_strdup(value);
   2418 	if (!stmp)
   2419 		return -1;
   2420 	vtmp = strchr(stmp, ':');
   2421 	if (vtmp)
   2422 		{
   2423 		*vtmp = 0;
   2424 		vtmp++;
   2425 		}
   2426 	rv = EVP_PKEY_CTX_ctrl_str(ctx, stmp, vtmp);
   2427 	OPENSSL_free(stmp);
   2428 	return rv;
   2429 	}
   2430 
   2431 static void nodes_print(BIO *out, const char *name,
   2432 	STACK_OF(X509_POLICY_NODE) *nodes)
   2433 	{
   2434 	X509_POLICY_NODE *node;
   2435 	int i;
   2436 	BIO_printf(out, "%s Policies:", name);
   2437 	if (nodes)
   2438 		{
   2439 		BIO_puts(out, "\n");
   2440 		for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++)
   2441 			{
   2442 			node = sk_X509_POLICY_NODE_value(nodes, i);
   2443 			X509_POLICY_NODE_print(out, node, 2);
   2444 			}
   2445 		}
   2446 	else
   2447 		BIO_puts(out, " <empty>\n");
   2448 	}
   2449 
   2450 void policies_print(BIO *out, X509_STORE_CTX *ctx)
   2451 	{
   2452 	X509_POLICY_TREE *tree;
   2453 	int explicit_policy;
   2454 	int free_out = 0;
   2455 	if (out == NULL)
   2456 		{
   2457 		out = BIO_new_fp(stderr, BIO_NOCLOSE);
   2458 		free_out = 1;
   2459 		}
   2460 	tree = X509_STORE_CTX_get0_policy_tree(ctx);
   2461 	explicit_policy = X509_STORE_CTX_get_explicit_policy(ctx);
   2462 
   2463 	BIO_printf(out, "Require explicit Policy: %s\n",
   2464 				explicit_policy ? "True" : "False");
   2465 
   2466 	nodes_print(out, "Authority", X509_policy_tree_get0_policies(tree));
   2467 	nodes_print(out, "User", X509_policy_tree_get0_user_policies(tree));
   2468 	if (free_out)
   2469 		BIO_free(out);
   2470 	}
   2471 
   2472 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
   2473 
   2474 static JPAKE_CTX *jpake_init(const char *us, const char *them,
   2475 							 const char *secret)
   2476 	{
   2477 	BIGNUM *p = NULL;
   2478 	BIGNUM *g = NULL;
   2479 	BIGNUM *q = NULL;
   2480 	BIGNUM *bnsecret = BN_new();
   2481 	JPAKE_CTX *ctx;
   2482 
   2483 	/* Use a safe prime for p (that we found earlier) */
   2484 	BN_hex2bn(&p, "F9E5B365665EA7A05A9C534502780FEE6F1AB5BD4F49947FD036DBD7E905269AF46EF28B0FC07487EE4F5D20FB3C0AF8E700F3A2FA3414970CBED44FEDFF80CE78D800F184BB82435D137AADA2C6C16523247930A63B85661D1FC817A51ACD96168E95898A1F83A79FFB529368AA7833ABD1B0C3AEDDB14D2E1A2F71D99F763F");
   2485 	g = BN_new();
   2486 	BN_set_word(g, 2);
   2487 	q = BN_new();
   2488 	BN_rshift1(q, p);
   2489 
   2490 	BN_bin2bn((const unsigned char *)secret, strlen(secret), bnsecret);
   2491 
   2492 	ctx = JPAKE_CTX_new(us, them, p, g, q, bnsecret);
   2493 	BN_free(bnsecret);
   2494 	BN_free(q);
   2495 	BN_free(g);
   2496 	BN_free(p);
   2497 
   2498 	return ctx;
   2499 	}
   2500 
   2501 static void jpake_send_part(BIO *conn, const JPAKE_STEP_PART *p)
   2502 	{
   2503 	BN_print(conn, p->gx);
   2504 	BIO_puts(conn, "\n");
   2505 	BN_print(conn, p->zkpx.gr);
   2506 	BIO_puts(conn, "\n");
   2507 	BN_print(conn, p->zkpx.b);
   2508 	BIO_puts(conn, "\n");
   2509 	}
   2510 
   2511 static void jpake_send_step1(BIO *bconn, JPAKE_CTX *ctx)
   2512 	{
   2513 	JPAKE_STEP1 s1;
   2514 
   2515 	JPAKE_STEP1_init(&s1);
   2516 	JPAKE_STEP1_generate(&s1, ctx);
   2517 	jpake_send_part(bconn, &s1.p1);
   2518 	jpake_send_part(bconn, &s1.p2);
   2519 	(void)BIO_flush(bconn);
   2520 	JPAKE_STEP1_release(&s1);
   2521 	}
   2522 
   2523 static void jpake_send_step2(BIO *bconn, JPAKE_CTX *ctx)
   2524 	{
   2525 	JPAKE_STEP2 s2;
   2526 
   2527 	JPAKE_STEP2_init(&s2);
   2528 	JPAKE_STEP2_generate(&s2, ctx);
   2529 	jpake_send_part(bconn, &s2);
   2530 	(void)BIO_flush(bconn);
   2531 	JPAKE_STEP2_release(&s2);
   2532 	}
   2533 
   2534 static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
   2535 	{
   2536 	JPAKE_STEP3A s3a;
   2537 
   2538 	JPAKE_STEP3A_init(&s3a);
   2539 	JPAKE_STEP3A_generate(&s3a, ctx);
   2540 	BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
   2541 	(void)BIO_flush(bconn);
   2542 	JPAKE_STEP3A_release(&s3a);
   2543 	}
   2544 
   2545 static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
   2546 	{
   2547 	JPAKE_STEP3B s3b;
   2548 
   2549 	JPAKE_STEP3B_init(&s3b);
   2550 	JPAKE_STEP3B_generate(&s3b, ctx);
   2551 	BIO_write(bconn, s3b.hk, sizeof s3b.hk);
   2552 	(void)BIO_flush(bconn);
   2553 	JPAKE_STEP3B_release(&s3b);
   2554 	}
   2555 
   2556 static void readbn(BIGNUM **bn, BIO *bconn)
   2557 	{
   2558 	char buf[10240];
   2559 	int l;
   2560 
   2561 	l = BIO_gets(bconn, buf, sizeof buf);
   2562 	assert(l > 0);
   2563 	assert(buf[l-1] == '\n');
   2564 	buf[l-1] = '\0';
   2565 	BN_hex2bn(bn, buf);
   2566 	}
   2567 
   2568 static void jpake_receive_part(JPAKE_STEP_PART *p, BIO *bconn)
   2569 	{
   2570 	readbn(&p->gx, bconn);
   2571 	readbn(&p->zkpx.gr, bconn);
   2572 	readbn(&p->zkpx.b, bconn);
   2573 	}
   2574 
   2575 static void jpake_receive_step1(JPAKE_CTX *ctx, BIO *bconn)
   2576 	{
   2577 	JPAKE_STEP1 s1;
   2578 
   2579 	JPAKE_STEP1_init(&s1);
   2580 	jpake_receive_part(&s1.p1, bconn);
   2581 	jpake_receive_part(&s1.p2, bconn);
   2582 	if(!JPAKE_STEP1_process(ctx, &s1))
   2583 		{
   2584 		ERR_print_errors(bio_err);
   2585 		exit(1);
   2586 		}
   2587 	JPAKE_STEP1_release(&s1);
   2588 	}
   2589 
   2590 static void jpake_receive_step2(JPAKE_CTX *ctx, BIO *bconn)
   2591 	{
   2592 	JPAKE_STEP2 s2;
   2593 
   2594 	JPAKE_STEP2_init(&s2);
   2595 	jpake_receive_part(&s2, bconn);
   2596 	if(!JPAKE_STEP2_process(ctx, &s2))
   2597 		{
   2598 		ERR_print_errors(bio_err);
   2599 		exit(1);
   2600 		}
   2601 	JPAKE_STEP2_release(&s2);
   2602 	}
   2603 
   2604 static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
   2605 	{
   2606 	JPAKE_STEP3A s3a;
   2607 	int l;
   2608 
   2609 	JPAKE_STEP3A_init(&s3a);
   2610 	l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
   2611 	assert(l == sizeof s3a.hhk);
   2612 	if(!JPAKE_STEP3A_process(ctx, &s3a))
   2613 		{
   2614 		ERR_print_errors(bio_err);
   2615 		exit(1);
   2616 		}
   2617 	JPAKE_STEP3A_release(&s3a);
   2618 	}
   2619 
   2620 static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
   2621 	{
   2622 	JPAKE_STEP3B s3b;
   2623 	int l;
   2624 
   2625 	JPAKE_STEP3B_init(&s3b);
   2626 	l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
   2627 	assert(l == sizeof s3b.hk);
   2628 	if(!JPAKE_STEP3B_process(ctx, &s3b))
   2629 		{
   2630 		ERR_print_errors(bio_err);
   2631 		exit(1);
   2632 		}
   2633 	JPAKE_STEP3B_release(&s3b);
   2634 	}
   2635 
   2636 void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
   2637 	{
   2638 	JPAKE_CTX *ctx;
   2639 	BIO *bconn;
   2640 
   2641 	BIO_puts(out, "Authenticating with JPAKE\n");
   2642 
   2643 	ctx = jpake_init("client", "server", secret);
   2644 
   2645 	bconn = BIO_new(BIO_f_buffer());
   2646 	BIO_push(bconn, conn);
   2647 
   2648 	jpake_send_step1(bconn, ctx);
   2649 	jpake_receive_step1(ctx, bconn);
   2650 	jpake_send_step2(bconn, ctx);
   2651 	jpake_receive_step2(ctx, bconn);
   2652 	jpake_send_step3a(bconn, ctx);
   2653 	jpake_receive_step3b(ctx, bconn);
   2654 
   2655 	BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
   2656 
   2657 	psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
   2658 
   2659 	BIO_pop(bconn);
   2660 	BIO_free(bconn);
   2661 
   2662 	JPAKE_CTX_free(ctx);
   2663 	}
   2664 
   2665 void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
   2666 	{
   2667 	JPAKE_CTX *ctx;
   2668 	BIO *bconn;
   2669 
   2670 	BIO_puts(out, "Authenticating with JPAKE\n");
   2671 
   2672 	ctx = jpake_init("server", "client", secret);
   2673 
   2674 	bconn = BIO_new(BIO_f_buffer());
   2675 	BIO_push(bconn, conn);
   2676 
   2677 	jpake_receive_step1(ctx, bconn);
   2678 	jpake_send_step1(bconn, ctx);
   2679 	jpake_receive_step2(ctx, bconn);
   2680 	jpake_send_step2(bconn, ctx);
   2681 	jpake_receive_step3a(ctx, bconn);
   2682 	jpake_send_step3b(bconn, ctx);
   2683 
   2684 	BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
   2685 
   2686 	psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
   2687 
   2688 	BIO_pop(bconn);
   2689 	BIO_free(bconn);
   2690 
   2691 	JPAKE_CTX_free(ctx);
   2692 	}
   2693 
   2694 #endif
   2695 
   2696 /*
   2697  * Platform-specific sections
   2698  */
   2699 #if defined(_WIN32)
   2700 # ifdef fileno
   2701 #  undef fileno
   2702 #  define fileno(a) (int)_fileno(a)
   2703 # endif
   2704 
   2705 # include <windows.h>
   2706 # include <tchar.h>
   2707 
   2708 static int WIN32_rename(const char *from, const char *to)
   2709 	{
   2710 	TCHAR  *tfrom=NULL,*tto;
   2711 	DWORD	err;
   2712 	int	ret=0;
   2713 
   2714 	if (sizeof(TCHAR) == 1)
   2715 		{
   2716 		tfrom = (TCHAR *)from;
   2717 		tto   = (TCHAR *)to;
   2718 		}
   2719 	else	/* UNICODE path */
   2720 		{
   2721 		size_t i,flen=strlen(from)+1,tlen=strlen(to)+1;
   2722 		tfrom = (TCHAR *)malloc(sizeof(TCHAR)*(flen+tlen));
   2723 		if (tfrom==NULL) goto err;
   2724 		tto=tfrom+flen;
   2725 #if !defined(_WIN32_WCE) || _WIN32_WCE>=101
   2726 		if (!MultiByteToWideChar(CP_ACP,0,from,flen,(WCHAR *)tfrom,flen))
   2727 #endif
   2728 			for (i=0;i<flen;i++)	tfrom[i]=(TCHAR)from[i];
   2729 #if !defined(_WIN32_WCE) || _WIN32_WCE>=101
   2730 		if (!MultiByteToWideChar(CP_ACP,0,to,  tlen,(WCHAR *)tto,  tlen))
   2731 #endif
   2732 			for (i=0;i<tlen;i++)	tto[i]  =(TCHAR)to[i];
   2733 		}
   2734 
   2735 	if (MoveFile(tfrom,tto))	goto ok;
   2736 	err=GetLastError();
   2737 	if (err==ERROR_ALREADY_EXISTS || err==ERROR_FILE_EXISTS)
   2738 		{
   2739 		if (DeleteFile(tto) && MoveFile(tfrom,tto))
   2740 			goto ok;
   2741 		err=GetLastError();
   2742 		}
   2743 	if (err==ERROR_FILE_NOT_FOUND || err==ERROR_PATH_NOT_FOUND)
   2744 		errno = ENOENT;
   2745 	else if (err==ERROR_ACCESS_DENIED)
   2746 		errno = EACCES;
   2747 	else
   2748 		errno = EINVAL;	/* we could map more codes... */
   2749 err:
   2750 	ret=-1;
   2751 ok:
   2752 	if (tfrom!=NULL && tfrom!=(TCHAR *)from)	free(tfrom);
   2753 	return ret;
   2754 	}
   2755 #endif
   2756 
   2757 /* app_tminterval section */
   2758 #if defined(_WIN32)
   2759 double app_tminterval(int stop,int usertime)
   2760 	{
   2761 	FILETIME		now;
   2762 	double			ret=0;
   2763 	static ULARGE_INTEGER	tmstart;
   2764 	static int		warning=1;
   2765 #ifdef _WIN32_WINNT
   2766 	static HANDLE		proc=NULL;
   2767 
   2768 	if (proc==NULL)
   2769 		{
   2770 		if (GetVersion() < 0x80000000)
   2771 			proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
   2772 						GetCurrentProcessId());
   2773 		if (proc==NULL) proc = (HANDLE)-1;
   2774 		}
   2775 
   2776 	if (usertime && proc!=(HANDLE)-1)
   2777 		{
   2778 		FILETIME junk;
   2779 		GetProcessTimes(proc,&junk,&junk,&junk,&now);
   2780 		}
   2781 	else
   2782 #endif
   2783 		{
   2784 		SYSTEMTIME systime;
   2785 
   2786 		if (usertime && warning)
   2787 			{
   2788 			BIO_printf(bio_err,"To get meaningful results, run "
   2789 					   "this program on idle system.\n");
   2790 			warning=0;
   2791 			}
   2792 		GetSystemTime(&systime);
   2793 		SystemTimeToFileTime(&systime,&now);
   2794 		}
   2795 
   2796 	if (stop==TM_START)
   2797 		{
   2798 		tmstart.u.LowPart  = now.dwLowDateTime;
   2799 		tmstart.u.HighPart = now.dwHighDateTime;
   2800 		}
   2801 	else	{
   2802 		ULARGE_INTEGER tmstop;
   2803 
   2804 		tmstop.u.LowPart   = now.dwLowDateTime;
   2805 		tmstop.u.HighPart  = now.dwHighDateTime;
   2806 
   2807 		ret = (__int64)(tmstop.QuadPart - tmstart.QuadPart)*1e-7;
   2808 		}
   2809 
   2810 	return (ret);
   2811 	}
   2812 
   2813 #elif defined(OPENSSL_SYS_NETWARE)
   2814 #include <time.h>
   2815 
   2816 double app_tminterval(int stop,int usertime)
   2817 	{
   2818 	double		ret=0;
   2819 	static clock_t	tmstart;
   2820 	static int	warning=1;
   2821 
   2822 	if (usertime && warning)
   2823 		{
   2824 		BIO_printf(bio_err,"To get meaningful results, run "
   2825 				   "this program on idle system.\n");
   2826 		warning=0;
   2827 		}
   2828 
   2829 	if (stop==TM_START)	tmstart = clock();
   2830 	else			ret     = (clock()-tmstart)/(double)CLOCKS_PER_SEC;
   2831 
   2832 	return (ret);
   2833 	}
   2834 
   2835 #elif defined(OPENSSL_SYSTEM_VXWORKS)
   2836 #include <time.h>
   2837 
   2838 double app_tminterval(int stop,int usertime)
   2839 	{
   2840 	double ret=0;
   2841 #ifdef CLOCK_REALTIME
   2842 	static struct timespec	tmstart;
   2843 	struct timespec		now;
   2844 #else
   2845 	static unsigned long	tmstart;
   2846 	unsigned long		now;
   2847 #endif
   2848 	static int warning=1;
   2849 
   2850 	if (usertime && warning)
   2851 		{
   2852 		BIO_printf(bio_err,"To get meaningful results, run "
   2853 				   "this program on idle system.\n");
   2854 		warning=0;
   2855 		}
   2856 
   2857 #ifdef CLOCK_REALTIME
   2858 	clock_gettime(CLOCK_REALTIME,&now);
   2859 	if (stop==TM_START)	tmstart = now;
   2860 	else	ret = ( (now.tv_sec+now.tv_nsec*1e-9)
   2861 			- (tmstart.tv_sec+tmstart.tv_nsec*1e-9) );
   2862 #else
   2863 	now = tickGet();
   2864 	if (stop==TM_START)	tmstart = now;
   2865 	else			ret = (now - tmstart)/(double)sysClkRateGet();
   2866 #endif
   2867 	return (ret);
   2868 	}
   2869 
   2870 #elif defined(OPENSSL_SYSTEM_VMS)
   2871 #include <time.h>
   2872 #include <times.h>
   2873 
   2874 double app_tminterval(int stop,int usertime)
   2875 	{
   2876 	static clock_t	tmstart;
   2877 	double		ret = 0;
   2878 	clock_t		now;
   2879 #ifdef __TMS
   2880 	struct tms	rus;
   2881 
   2882 	now = times(&rus);
   2883 	if (usertime)	now = rus.tms_utime;
   2884 #else
   2885 	if (usertime)
   2886 		now = clock(); /* sum of user and kernel times */
   2887 	else	{
   2888 		struct timeval tv;
   2889 		gettimeofday(&tv,NULL);
   2890 		now = (clock_t)(
   2891 			(unsigned long long)tv.tv_sec*CLK_TCK +
   2892 			(unsigned long long)tv.tv_usec*(1000000/CLK_TCK)
   2893 			);
   2894 		}
   2895 #endif
   2896 	if (stop==TM_START)	tmstart = now;
   2897 	else			ret = (now - tmstart)/(double)(CLK_TCK);
   2898 
   2899 	return (ret);
   2900 	}
   2901 
   2902 #elif defined(_SC_CLK_TCK)	/* by means of unistd.h */
   2903 #include <sys/times.h>
   2904 
   2905 double app_tminterval(int stop,int usertime)
   2906 	{
   2907 	double		ret = 0;
   2908 	struct tms	rus;
   2909 	clock_t		now = times(&rus);
   2910 	static clock_t	tmstart;
   2911 
   2912 	if (usertime)		now = rus.tms_utime;
   2913 
   2914 	if (stop==TM_START)	tmstart = now;
   2915 	else
   2916 		{
   2917 		long int tck = sysconf(_SC_CLK_TCK);
   2918 		ret = (now - tmstart)/(double)tck;
   2919 		}
   2920 
   2921 	return (ret);
   2922 	}
   2923 
   2924 #else
   2925 #include <sys/time.h>
   2926 #include <sys/resource.h>
   2927 
   2928 double app_tminterval(int stop,int usertime)
   2929 	{
   2930 	double		ret = 0;
   2931 	struct rusage	rus;
   2932 	struct timeval	now;
   2933 	static struct timeval tmstart;
   2934 
   2935 	if (usertime)		getrusage(RUSAGE_SELF,&rus), now = rus.ru_utime;
   2936 	else			gettimeofday(&now,NULL);
   2937 
   2938 	if (stop==TM_START)	tmstart = now;
   2939 	else			ret = ( (now.tv_sec+now.tv_usec*1e-6)
   2940 					- (tmstart.tv_sec+tmstart.tv_usec*1e-6) );
   2941 
   2942 	return ret;
   2943 	}
   2944 #endif
   2945 
   2946 /* app_isdir section */
   2947 #ifdef _WIN32
   2948 int app_isdir(const char *name)
   2949 	{
   2950 	HANDLE		hList;
   2951 	WIN32_FIND_DATA	FileData;
   2952 #if defined(UNICODE) || defined(_UNICODE)
   2953 	size_t i, len_0 = strlen(name)+1;
   2954 
   2955 	if (len_0 > sizeof(FileData.cFileName)/sizeof(FileData.cFileName[0]))
   2956 		return -1;
   2957 
   2958 #if !defined(_WIN32_WCE) || _WIN32_WCE>=101
   2959 	if (!MultiByteToWideChar(CP_ACP,0,name,len_0,FileData.cFileName,len_0))
   2960 #endif
   2961 		for (i=0;i<len_0;i++)
   2962 			FileData.cFileName[i] = (WCHAR)name[i];
   2963 
   2964 	hList = FindFirstFile(FileData.cFileName,&FileData);
   2965 #else
   2966 	hList = FindFirstFile(name,&FileData);
   2967 #endif
   2968 	if (hList == INVALID_HANDLE_VALUE)	return -1;
   2969 	FindClose(hList);
   2970 	return ((FileData.dwFileAttributes&FILE_ATTRIBUTE_DIRECTORY)!=0);
   2971 	}
   2972 #else
   2973 #include <sys/stat.h>
   2974 #ifndef S_ISDIR
   2975 # if defined(_S_IFMT) && defined(_S_IFDIR)
   2976 #  define S_ISDIR(a)   (((a) & _S_IFMT) == _S_IFDIR)
   2977 # else
   2978 #  define S_ISDIR(a)   (((a) & S_IFMT) == S_IFDIR)
   2979 # endif
   2980 #endif
   2981 
   2982 int app_isdir(const char *name)
   2983 	{
   2984 #if defined(S_ISDIR)
   2985 	struct stat st;
   2986 
   2987 	if (stat(name,&st)==0)	return S_ISDIR(st.st_mode);
   2988 	else			return -1;
   2989 #else
   2990 	return -1;
   2991 #endif
   2992 	}
   2993 #endif
   2994 
   2995 /* raw_read|write section */
   2996 #if defined(_WIN32) && defined(STD_INPUT_HANDLE)
   2997 int raw_read_stdin(void *buf,int siz)
   2998 	{
   2999 	DWORD n;
   3000 	if (ReadFile(GetStdHandle(STD_INPUT_HANDLE),buf,siz,&n,NULL))
   3001 		return (n);
   3002 	else	return (-1);
   3003 	}
   3004 #else
   3005 int raw_read_stdin(void *buf,int siz)
   3006 	{	return read(fileno(stdin),buf,siz);	}
   3007 #endif
   3008 
   3009 #if defined(_WIN32) && defined(STD_OUTPUT_HANDLE)
   3010 int raw_write_stdout(const void *buf,int siz)
   3011 	{
   3012 	DWORD n;
   3013 	if (WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),buf,siz,&n,NULL))
   3014 		return (n);
   3015 	else	return (-1);
   3016 	}
   3017 #else
   3018 int raw_write_stdout(const void *buf,int siz)
   3019 	{	return write(fileno(stdout),buf,siz);	}
   3020 #endif
   3021 
   3022 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
   3023 /* next_protos_parse parses a comma separated list of strings into a string
   3024  * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
   3025  *   outlen: (output) set to the length of the resulting buffer on success.
   3026  *   in: a NUL termianted string like "abc,def,ghi"
   3027  *
   3028  *   returns: a malloced buffer or NULL on failure.
   3029  */
   3030 unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
   3031 	{
   3032 	size_t len;
   3033 	unsigned char *out;
   3034 	size_t i, start = 0;
   3035 
   3036 	len = strlen(in);
   3037 	if (len >= 65535)
   3038 		return NULL;
   3039 
   3040 	out = OPENSSL_malloc(strlen(in) + 1);
   3041 	if (!out)
   3042 		return NULL;
   3043 
   3044 	for (i = 0; i <= len; ++i)
   3045 		{
   3046 		if (i == len || in[i] == ',')
   3047 			{
   3048 			if (i - start > 255)
   3049 				{
   3050 				OPENSSL_free(out);
   3051 				return NULL;
   3052 				}
   3053 			out[start] = i - start;
   3054 			start = i + 1;
   3055 			}
   3056 		else
   3057 			out[i+1] = in[i];
   3058 		}
   3059 
   3060 	*outlen = len + 1;
   3061 	return out;
   3062 	}
   3063 #endif  /* !OPENSSL_NO_TLSEXT && !OPENSSL_NO_NEXTPROTONEG */
   3064