Prepare for 1.1.0-pre2 release

Reviewed-by: Matt Caswell <matt@openssl.org>

.gitignore

@@ -5,15 +5,16 @@
 # editor artefacts
 *.swp
 .#*
-#*#
+\#*#
 *~
+/.dir-locals.el
 
 # Top level excludes
-/Makefile.bak
+/Makefile.orig
 /Makefile
 /MINFO
+/TABLE
 /*.a
-/include
 /*.pc
 /rehash.time
 /inc.*
@@ -21,22 +22,14 @@
 /out.*
 /tmp.*
 
-# Most *.c files under test/ are symlinks
-/test/*.c
-# Apart from these
-!/test/asn1test.c
-!/test/methtest.c
-!/test/dummytest.c
-!/test/igetest.c
-!/test/r160test.c
-!/test/fips_algvs.c
-!/test/testutil.c
+**/Makefile
 
 /test/*.ss
 /test/*.srl
 /test/.rnd
 /test/test*.pem
 /test/newkey.pem
+/test/*.log
 
 # Certificate symbolic links
 *.0
@@ -52,23 +45,11 @@
 
 # Auto generated assembly language source files
 *.s
-!/crypto/bn/asm/pa-risc2.s
-!/crypto/bn/asm/pa-risc2W.s
-crypto/aes/asm/a_win32.asm
-crypto/bf/asm/b_win32.asm
-crypto/bn/asm/bn_win32.asm
-crypto/bn/asm/co_win32.asm
-crypto/bn/asm/mt_win32.asm
-crypto/cast/asm/c_win32.asm
-crypto/cpu_win32.asm
-crypto/des/asm/d_win32.asm
-crypto/des/asm/y_win32.asm
-crypto/md5/asm/m5_win32.asm
-crypto/rc4/asm/r4_win32.asm
-crypto/rc5/asm/r5_win32.asm
-crypto/ripemd/asm/rm_win32.asm
-crypto/sha/asm/s1_win32.asm
-crypto/sha/asm/sha512-sse2.asm
+!/crypto/*/asm/*.s
+/crypto/arm*.S
+/crypto/*/*.S
+*.asm
+!/crypto/*/asm/*.asm
 
 # Executables
 /apps/openssl
@@ -88,13 +69,14 @@ crypto/sha/asm/sha512-sse2.asm
 *.so*
 *.dylib*
 *.dll*
+*.exe
 # Exceptions
 !/test/bctest
 !/crypto/des/times/486-50.sol
 
 # Misc auto generated files
+include/openssl/opensslconf.h
 /tools/c_rehash
-/test/evptests.txt
 lib
 Makefile.save
 *.bak
@@ -102,10 +84,16 @@ tags
 TAGS
 cscope.out
 *.d
+crypto.map
+ssl.map
 
 # Windows
+/tmp32
+/tmp32.dbg
 /tmp32dll
 /tmp32dll.dbg
+/out32
+/out32.dbg
 /out32dll
 /out32dll.dbg
 /inc32
@@ -116,3 +104,29 @@ ms/nt.mak
 ms/ntdll.mak
 ms/ssleay32.def
 ms/version32.rc
+
+# Files created on other branches that are not held in git, and are not
+# needed on this branch
+include/openssl/asn1_mac.h
+include/openssl/des_old.h
+include/openssl/fips.h
+include/openssl/fips_rand.h
+include/openssl/krb5_asn.h
+include/openssl/kssl.h
+include/openssl/pq_compat.h
+include/openssl/ssl23.h
+include/openssl/tmdiff.h
+include/openssl/ui_compat.h
+test/fips_aesavs.c
+test/fips_desmovs.c
+test/fips_dsatest.c
+test/fips_dssvs.c
+test/fips_hmactest.c
+test/fips_randtest.c
+test/fips_rngvs.c
+test/fips_rsagtest.c
+test/fips_rsastest.c
+test/fips_rsavtest.c
+test/fips_shatest.c
+test/fips_test_suite.c
+test/shatest.c

.travis-create-release.sh

@@ -0,0 +1,10 @@
+#! /bin/sh
+
+# $1 is expected to be $TRAVIS_OS_NAME
+
+if [ "$1" == osx ]; then
+    make -f Makefile.in \
+	 DISTTARVARS="NAME=_srcdist TAR_COMMAND='\$\$(TAR) \$\$(TARFLAGS) -s \"|^|\$\$(NAME)/|\" -T \$\$(TARFILE).list -cvf -' TARFLAGS='-n' TARFILE=_srcdist.tar" SHELL='sh -vx' dist
+else
+    make -f Makefile.in DISTTARVARS='TARFILE=_srcdist.tar NAME=_srcdist' SHELL='sh -v' dist
+fi

.travis.yml

@@ -0,0 +1,96 @@
+language: c
+
+addons:
+    apt:
+        packages:
+            - clang-3.6
+            - gcc-5
+            - binutils-mingw-w64
+            - gcc-mingw-w64
+            - wine
+        sources:
+            - llvm-toolchain-precise-3.6
+            - ubuntu-toolchain-r-test
+
+os:
+    - linux
+    - osx
+
+compiler:
+    - clang
+    - clang-3.6
+    - gcc
+    - gcc-5
+    - i686-w64-mingw32-gcc
+    - x86_64-w64-mingw32-gcc
+
+env:
+    - CONFIG_OPTS=""
+    - CONFIG_OPTS="shared"
+    - CONFIG_OPTS="no-asm"
+    - CONFIG_OPTS="--debug --strict-warnings"
+
+matrix:
+    include:
+        - os: linux
+          compiler: clang-3.6
+          env: CONFIG_OPTS="-fsanitize=address"
+        - os: linux
+          compiler: clang-3.6
+          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
+        - os: linux
+          compiler: gcc-5
+          env: CONFIG_OPTS="-fsanitize=address"
+        - os: linux
+          compiler: gcc-5
+          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
+    exclude:
+        - os: osx
+          compiler: clang-3.6
+        - os: osx
+          compiler: gcc-5
+        - os: osx
+          compiler: i686-w64-mingw32-gcc
+        - os: osx
+          compiler: x86_64-w64-mingw32-gcc
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="shared"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="shared"
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="no-asm"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="no-asm"
+    allow_failures:
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="--debug --strict-warnings"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="--debug --strict-warnings"
+
+before_script:
+    - sh .travis-create-release.sh $TRAVIS_OS_NAME
+    - tar -xvzf _srcdist.tar.gz
+    - cd _srcdist
+    - if [ "$CC" == i686-w64-mingw32-gcc ]; then
+          export CROSS_COMPILE=${CC%%gcc}; unset CC;
+          ./Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
+      elif [ "$CC" == x86_64-w64-mingw32-gcc ]; then
+          export CROSS_COMPILE=${CC%%gcc}; unset CC;
+          ./Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
+      else
+          ./config $CONFIG_OPTS;
+      fi
+    - cd ..
+
+script:
+    - cd _srcdist
+    - make
+    - if [ -n "$CROSS_COMPILE" ]; then
+          export EXE_SHELL="wine" WINEPREFIX=`pwd`;
+      fi
+    - make test
+    - cd ..
+
+notifications:
+    email:
+        - openssl-commits@openssl.org

ACKNOWLEDGEMENTS

@@ -0,0 +1,2 @@
+Please https://www.openssl.org/community/thanks.html for the current
+acknowledgements.

ACKNOWLEDGMENTS

@@ -1,30 +0,0 @@
-The OpenSSL project depends on volunteer efforts and financial support from
-the end user community. That support comes in the form of donations and paid
-sponsorships, software support contracts, paid consulting services
-and commissioned software development.
-
-Since all these activities support the continued development and improvement
-of OpenSSL we consider all these clients and customers as sponsors of the
-OpenSSL project.
-
-We would like to identify and thank the following such sponsors for their past
-or current significant support of the OpenSSL project:
-
-Major support:
-
-	Qualys		http://www.qualys.com/
-
-Very significant support:
-
-	OpenGear:	http://www.opengear.com/
-
-Significant support:
-
-	PSW Group:	http://www.psw.net/
-	Acano Ltd.	http://acano.com/
-
-Please note that we ask permission to identify sponsors and that some sponsors
-we consider eligible for inclusion here have requested to remain anonymous.
-
-Additional sponsorship or financial support is always welcome: for more
-information please contact the OpenSSL Software Foundation.

CHANGES.SSLeay

@@ -1,968 +0,0 @@
-This file contains the changes for the SSLeay library up to version
-0.9.0b. For later changes, see the file "CHANGES".
-
-  SSLeay CHANGES
-  ______________
-
-Changes between 0.8.x and 0.9.0b
-
-10-Apr-1998
-
-I said the next version would go out at easter, and so it shall.
-I expect a 0.9.1 will follow with portability fixes in the next few weeks.
-
-This is a quick, meet the deadline.  Look to ssl-users for comments on what
-is new etc.
-
-eric (about to go bushwalking for the 4 day easter break :-)
-
-16-Mar-98
-    - Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
-    - Lots and lots of changes
-
-29-Jan-98
-    - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
-      Goetz Babin-Ebell <babinebell@trustcenter.de>.
-    - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
-      TLS1_VERSION.
-
-7-Jan-98
-    - Finally reworked the cipher string to ciphers again, so it
-      works correctly
-    - All the app_data stuff is now ex_data with function calls to access.
-      The index is supplied by a function and 'methods' can be setup
-      for the types that are called on XXX_new/XXX_free.  This lets
-      applications get notified on creation and destruction.  Some of
-      the RSA methods could be implemented this way and I may do so.
-    - Oh yes, SSL under perl5 is working at the basic level.
-
-15-Dec-97
-    - Warning - the gethostbyname cache is not fully thread safe,
-      but it should work well enough.
-    - Major internal reworking of the app_data stuff.  More functions
-      but if you were accessing ->app_data directly, things will
-      stop working.
-    - The perlv5 stuff is working.  Currently on message digests,
-      ciphers and the bignum library.
-
-9-Dec-97
-    - Modified re-negotiation so that server initated re-neg
-      will cause a SSL_read() to return -1 should retry.
-      The danger otherwise was that the server and the
-      client could end up both trying to read when using non-blocking
-      sockets.
-
-4-Dec-97
-    - Lots of small changes
-    - Fix for binaray mode in Windows for the FILE BIO, thanks to
-      Bob Denny <rdenny@dc3.com>
-
-17-Nov-97
-    - Quite a few internal cleanups, (removal of errno, and using macros
-      defined in e_os.h).
-    - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
-      the automactic naming out output files was being stuffed up.
-
-29-Oct-97
-    - The Cast5 cipher has been added.  MD5 and SHA-1 are now in assember
-      for x86.
-
-21-Oct-97
-    - Fixed a bug in the BIO_gethostbyname() cache.
-
-15-Oct-97
-    - cbc mode for blowfish/des/3des is now in assember.  Blowfish asm
-      has also been improved.  At this point in time, on the pentium,
-      md5 is %80 faster, the unoptimesed sha-1 is %79 faster,
-      des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc
-      is %62 faster.
-
-12-Oct-97
-    - MEM_BUF_grow() has been fixed so that it always sets the buf->length
-      to the value we are 'growing' to.  Think of MEM_BUF_grow() as the
-      way to set the length value correctly.
-
-10-Oct-97
-    - I now hash for certificate lookup on the raw DER encoded RDN (md5).
-      This breaks things again :-(.  This is efficent since I cache
-      the DER encoding of the RDN.
-    - The text DN now puts in the numeric OID instead of UNKNOWN.
-    - req can now process arbitary OIDs in the config file.
-    - I've been implementing md5 in x86 asm, much faster :-).
-    - Started sha1 in x86 asm, needs more work.
-    - Quite a few speedups in the BN stuff.  RSA public operation
-      has been made faster by caching the BN_MONT_CTX structure.
-      The calulating of the Ai where A*Ai === 1 mod m was rather
-      expensive.  Basically a 40-50% speedup on public operations.
-      The RSA speedup is now 15% on pentiums and %20 on pentium
-      pro.
-
-30-Sep-97
-    - After doing some profiling, I added x86 adm for bn_add_words(),
-      which just adds 2 arrays of longs together.  A %10 speedup
-      for 512 and 1024 bit RSA on the pentium pro.
-
-29-Sep-97
-    - Converted the x86 bignum assembler to us the perl scripts
-      for generation.
-
-23-Sep-97
-    - If SSL_set_session() is passed a NULL session, it now clears the
-      current session-id.
-
-22-Sep-97
-    - Added a '-ss_cert file' to apps/ca.c.  This will sign selfsigned
-      certificates.
-    - Bug in crypto/evp/encode.c where by decoding of 65 base64
-      encoded lines, one line at a time (via a memory BIO) would report
-      EOF after the first line was decoded.
-    - Fix in X509_find_by_issuer_and_serial() from
-      Dr Stephen Henson <shenson@bigfoot.com>
-
-19-Sep-97
-    - NO_FP_API and NO_STDIO added.
-    - Put in sh config command.  It auto runs Configure with the correct
-      parameters.
-
-18-Sep-97
-    - Fix x509.c so if a DSA cert has different parameters to its parent,
-      they are left in place.  Not tested yet.
-
-16-Sep-97
-    - ssl_create_cipher_list() had some bugs, fixes from
-      Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
-    - Fixed a bug in the Base64 BIO, where it would return 1 instead
-      of -1 when end of input was encountered but should retry.
-      Basically a Base64/Memory BIO interaction problem.
-    - Added a HMAC set of functions in preporarion for TLS work.
-
-15-Sep-97
-    - Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
-    - Prime generation spead up %25 (512 bit prime, pentium pro linux)
-      by using montgomery multiplication in the prime number test.
-
-11-Sep-97
-    - Ugly bug in ssl3_write_bytes().  Basically if application land
-      does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
-      did not check the size and tried to copy the entire buffer.
-      This would tend to cause memory overwrites since SSLv3 has
-      a maximum packet size of 16k.  If your program uses
-      buffers <= 16k, you would probably never see this problem.
-    - Fixed a few errors that were cause by malloc() not returning
-      0 initialised memory..
-    - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
-      SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
-      since this flags stops SSLeay being able to handle client
-      cert requests correctly.
-
-08-Sep-97
-    - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added.  When switched
-      on, the SSL server routines will not use a SSL_SESSION that is
-      held in it's cache.  This in intended to be used with the session-id
-      callbacks so that while the session-ids are still stored in the
-      cache, the decision to use them and how to look them up can be
-      done by the callbacks.  The are the 'new', 'get' and 'remove'
-      callbacks.  This can be used to determine the session-id
-      to use depending on information like which port/host the connection
-      is coming from.  Since the are also SSL_SESSION_set_app_data() and
-      SSL_SESSION_get_app_data() functions, the application can hold
-      information against the session-id as well.
-
-03-Sep-97
-    - Added lookup of CRLs to the by_dir method,
-      X509_load_crl_file() also added.  Basically it means you can
-      lookup CRLs via the same system used to lookup certificates.
-    - Changed things so that the X509_NAME structure can contain
-      ASN.1 BIT_STRINGS which is required for the unique
-      identifier OID.
-    - Fixed some problems with the auto flushing of the session-id
-      cache.  It was not occuring on the server side.
-
-02-Sep-97
-    - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
-      which is the maximum number of entries allowed in the
-      session-id cache.  This is enforced with a simple FIFO list.
-      The default size is 20*1024 entries which is rather large :-).
-      The Timeout code is still always operating.
-
-01-Sep-97
-    - Added an argument to all the 'generate private key/prime`
-      callbacks.  It is the last parameter so this should not
-      break existing code but it is needed for C++.
-    - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
-      BIO.  This lets the BIO read and write base64 encoded data
-      without inserting or looking for '\n' characters.  The '-A'
-      flag turns this on when using apps/enc.c.
-    - RSA_NO_PADDING added to help BSAFE functionality.  This is a
-      very dangerous thing to use, since RSA private key
-      operations without random padding bytes (as PKCS#1 adds) can
-      be attacked such that the private key can be revealed.
-    - ASN.1 bug and rc2-40-cbc and rc4-40 added by
-      Dr Stephen Henson <shenson@bigfoot.com>
-
-31-Aug-97 (stuff added while I was away)    
-    - Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
-    - RSA_flags() added allowing bypass of pub/priv match check
-      in ssl/ssl_rsa.c - Tim Hudson.
-    - A few minor bugs.
-
-SSLeay 0.8.1 released.
-
-19-Jul-97
-    - Server side initated dynamic renegotiation is broken.  I will fix
-      it when I get back from holidays.
-
-15-Jul-97
-    - Quite a few small changes.
-    - INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>
-
-09-Jul-97
-    - Added 2 new values to the SSL info callback.
-      SSL_CB_START which is passed when the SSL protocol is started
-      and SSL_CB_DONE when it has finished sucsessfully.
-
-08-Jul-97
-    - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c
-      that related to DSA public/private keys.
-    - Added all the relevent PEM and normal IO functions to support
-      reading and writing RSAPublic keys.
-    - Changed makefiles to use ${AR} instead of 'ar r'
-
-07-Jul-97
-    - Error in ERR_remove_state() that would leave a dangling reference
-      to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
-    - s_client now prints the X509_NAMEs passed from the server
-      when requesting a client cert.
-    - Added a ssl->type, which is one of SSL_ST_CONNECT or
-      SSL_ST_ACCEPT.  I had to add it so I could tell if I was
-      a connect or an accept after the handshake had finished.
-    - SSL_get_client_CA_list(SSL *s) now returns the CA names
-      passed by the server if called by a client side SSL.
-
-05-Jul-97
-    - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
-      0, not -1 :-(  Fix from Tim Hudson (tjh@cryptsoft.com).
-
-04-Jul-97
-    - Fixed some things in X509_NAME_add_entry(), thanks to
-      Matthew Donald <matthew@world.net>.
-    - I had a look at the cipher section and though that it was a
-      bit confused, so I've changed it.
-    - I was not setting up the RC4-64-MD5 cipher correctly.  It is
-      a MS special that appears in exported MS Money.
-    - Error in all my DH ciphers.  Section 7.6.7.3 of the SSLv3
-      spec.  I was missing the two byte length header for the
-      ClientDiffieHellmanPublic value.  This is a packet sent from
-      the client to the server.  The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
-      option will enable SSLeay server side SSLv3 accept either
-      the correct or my 080 packet format.
-    - Fixed a few typos in crypto/pem.org.
-
-02-Jul-97
-    - Alias mapping for EVP_get_(digest|cipher)byname is now
-      performed before a lookup for actual cipher.  This means
-      that an alias can be used to 're-direct' a cipher or a
-      digest.
-    - ASN1_read_bio() had a bug that only showed up when using a
-      memory BIO.  When EOF is reached in the memory BIO, it is
-      reported as a -1 with BIO_should_retry() set to true.
-
-01-Jul-97
-    - Fixed an error in X509_verify_cert() caused by my
-      miss-understanding how 'do { contine } while(0);' works.
-      Thanks to Emil Sit <sit@mit.edu> for educating me :-)
-
-30-Jun-97
-    - Base64 decoding error.  If the last data line did not end with
-      a '=', sometimes extra data would be returned.
-    - Another 'cut and paste' bug in x509.c related to setting up the
-      STDout BIO.
-
-27-Jun-97
-    - apps/ciphers.c was not printing due to an editing error.
-    - Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for
-      a library build error in util/mk1mf.pl
-
-26-Jun-97
-    - Still did not have the auto 'experimental' code removal
-      script correct.
-    - A few header tweaks for Watcom 11.0 under Win32 from
-      Rolf Lindemann <Lindemann@maz-hh.de>
-    - 0 length OCTET_STRING bug in asn1_parse
-    - A minor fix with an non-existent function in the MS .def files.
-    - A few changes to the PKCS7 stuff.
-
-25-Jun-97
-    SSLeay 0.8.0 finally it gets released.
-
-24-Jun-97
-    Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
-    use a temporary RSA key.  This is experimental and needs some more work.
-    Fixed a few Win16 build problems.
-
-23-Jun-97
-    SSLv3 bug. I was not doing the 'lookup' of the CERT structure
-    correctly. I was taking the SSL->ctx->default_cert when I should
-    have been using SSL->cert. The bug was in ssl/s3_srvr.c
-
-20-Jun-97
-    X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the
-    rest of the library. Even though I had the code required to do
-    it correctly, apps/req.c was doing the wrong thing.  I have fixed
-    and tested everything.
-
-    Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.
-
-19-Jun-97
-    Fixed a bug in the SSLv2 server side first packet handling. When
-    using the non-blocking test BIO, the ssl->s2->first_packet flag
-    was being reset when a would-block failure occurred when reading
-    the first 5 bytes of the first packet. This caused the checking
-    logic to run at the wrong time and cause an error.
-
-    Fixed a problem with specifying cipher. If RC4-MD5 were used,
-    only the SSLv3 version would be picked up.  Now this will pick
-    up both SSLv2 and SSLv3 versions. This required changing the
-    SSL_CIPHER->mask values so that they only mask the ciphers,
-    digests, authentication, export type and key-exchange algorithms.
-
-    I found that when a SSLv23 session is established, a reused
-    session, of type SSLv3 was attempting to write the SSLv2 
-    ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char 
-    method has been modified so it will only write out cipher which
-    that method knows about.  
-
-
- Changes between 0.8.0 and 0.8.1
-
-  *) Mostly bug fixes. 
-     There is an Ephemeral DH cipher problem which is fixed.
-
- SSLeay 0.8.0
-
-This version of SSLeay has quite a lot of things different from the
-previous version.
-
-Basically check all callback parameters, I will be producing documentation
-about how to use things in th future.  Currently I'm just getting 080 out
-the door.  Please not that there are several ways to do everything, and
-most of the applications in the apps directory are hybrids, some using old
-methods and some using new methods.
-
-Have a look in demos/bio for some very simple programs and
-apps/s_client.c and apps/s_server.c for some more advanced versions.
-Notes are definitly needed but they are a week or so away.
-
-Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
----
-Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
-get those people that want to move to using the new code base off to
-a quick start.
-
-Note that Eric has tidied up a lot of the areas of the API that were
-less than desirable and renamed quite a few things (as he had to break
-the API in lots of places anyrate). There are a whole pile of additional
-functions for making dealing with (and creating) certificates a lot
-cleaner.
-
-01-Jul-97
-Tim Hudson
-tjh@cryptsoft.com
-
----8<---
-
-To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
-use something like the following (assuming you #include "crypto.h" which
-is something that you really should be doing).
-
-#if SSLEAY_VERSION_NUMBER >= 0x0800
-#define SSLEAY8
-#endif
-
-buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
-            too if you are working with BIO internal stuff (as distinct
-        from simply using the interface in an opaque manner)
-
-#include "bio.h"    - required along with "buffer.h" if you write
-              your own BIO routines as the buffer and bio
-              stuff that was intermixed has been separated
-              out 
-            
-envelope.h -> evp.h  (which should have been done ages ago)
-
-Initialisation ... don't forget these or you end up with code that
-is missing the bits required to do useful things (like ciphers):
-
-SSLeay_add_ssl_algorithms()
-(probably also want SSL_load_error_strings() too but you should have
- already had that call in place)
-
-SSL_CTX_new()   - requires an extra method parameter
-              SSL_CTX_new(SSLv23_method()) 
-              SSL_CTX_new(SSLv2_method()) 
-              SSL_CTX_new(SSLv3_method()) 
-
-          OR to only have the server or the client code
-              SSL_CTX_new(SSLv23_server_method()) 
-              SSL_CTX_new(SSLv2_server_method()) 
-              SSL_CTX_new(SSLv3_server_method()) 
-          or  
-              SSL_CTX_new(SSLv23_client_method()) 
-              SSL_CTX_new(SSLv2_client_method()) 
-              SSL_CTX_new(SSLv3_client_method()) 
-
-SSL_set_default_verify_paths() ... renamed to the more appropriate
-SSL_CTX_set_default_verify_paths()
-
-If you want to use client certificates then you have to add in a bit
-of extra stuff in that a SSLv3 server sends a list of those CAs that
-it will accept certificates from ... so you have to provide a list to
-SSLeay otherwise certain browsers will not send client certs.
-
-SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
-
-
-X509_NAME_oneline(X)    -> X509_NAME_oneline(X,NULL,0)  
-               or provide a buffer and size to copy the
-               result into
-
-X509_add_cert ->  X509_STORE_add_cert (and you might want to read the
-          notes on X509_NAME structure changes too)
-
-
-VERIFICATION CODE
-=================
-
-The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
-more accurately reflect things.
-
-The verification callback args are now packaged differently so that
-extra fields for verification can be added easily in future without
-having to break things by adding extra parameters each release :-)
-
-X509_cert_verify_error_string -> X509_verify_cert_error_string
-
-
-BIO INTERNALS
-=============
-
-Eric has fixed things so that extra flags can be introduced in
-the BIO layer in future without having to play with all the BIO
-modules by adding in some macros.
-
-The ugly stuff using 
-    b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
-becomes
-    BIO_clear_retry_flags(b)
-
-    b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
-becomes
-    BIO_set_retry_read(b)
-
-Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
-
-
-
-OTHER THINGS
-============
-
-X509_NAME has been altered so that it isn't just a STACK ... the STACK
-is now in the "entries" field ... and there are a pile of nice functions
-for getting at the details in a much cleaner manner.
-
-SSL_CTX has been altered ... "cert" is no longer a direct member of this
-structure ... things are now down under "cert_store" (see x509_vfy.h) and
-things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
-If your code "knows" about this level of detail then it will need some 
-surgery.
-
-If you depending on the incorrect spelling of a number of the error codes
-then you will have to change your code as these have been fixed.
-
-ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
-has been all along so this makes things clearer.
-ify_cert_error_string(ctx->error));
-
-SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
-            and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
-
-
-
- Changes between 0.7.x and 0.8.0
-  
-  *) There have been lots of changes, mostly the addition of SSLv3.
-     There have been many additions from people and amongst
-     others, C2Net has assisted greatly.
- 
- Changes between 0.7.x and 0.7.x
-
-  *) Internal development version only
-
-SSLeay 0.6.6 13-Jan-1997
-
-The main additions are
-
-- assember for x86 DES improvments.
-  From 191,000 per second on a pentium 100, I now get 281,000.  The inner
-  loop and the IP/FP modifications are from
-  Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>.  Many thanks for his
-  contribution.
-- The 'DES macros' introduced in 0.6.5 now have 3 types.
-  DES_PTR1, DES_PTR2 and 'normal'.  As per before, des_opts reports which
-  is best and there is a summery of mine in crypto/des/options.txt
-- A few bug fixes.
-- Added blowfish.  It is not used by SSL but all the other stuff that
-  deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes.
-  There are 3 options for optimising Blowfish.  BF_PTR, BF_PTR2 and 'normal'.
-  BF_PTR2 is pentium/x86 specific.  The correct option is setup in
-  the 'Configure' script.
-- There is now a 'get client certificate' callback which can be
-  'non-blocking'.  If more details are required, let me know.  It will
-  documented more in SSLv3 when I finish it.
-- Bug fixes from 0.6.5 including the infamous 'ca' bug.  The 'make test'
-  now tests the ca program.
-- Lots of little things modified and tweaked.
-
- SSLeay 0.6.5
-
-After quite some time (3 months), the new release.  I have been very busy
-for the last few months and so this is mostly bug fixes and improvments.
-
-The main additions are
-
-- assember for x86 DES.  For all those gcc based systems, this is a big
-  improvement.  From 117,000 DES operation a second on a pentium 100,
-  I now get 191,000.  I have also reworked the C version so it
-  now gives 148,000 DESs per second.  
-- As mentioned above, the inner DES macros now have some more variant that
-  sometimes help, sometimes hinder performance.  There are now 3 options
-  DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling)
-  and DES_RISC (a more register intensive version of the inner macro).
-  The crypto/des/des_opts.c program, when compiled and run, will give
-  an indication of the correct options to use.
-- The BIO stuff has been improved.  Read doc/bio.doc.  There are now
-  modules for encryption and base64 encoding and a BIO_printf() function.
-- The CA program will accept simple one line X509v3 extensions in the
-  ssleay.cnf file.  Have a look at the example.  Currently this just
-  puts the text into the certificate as an OCTET_STRING so currently
-  the more advanced X509v3 data types are not handled but this is enough
-  for the netscape extensions.
-- There is the start of a nicer higher level interface to the X509
-  strucutre.
-- Quite a lot of bug fixes.
-- CRYPTO_malloc_init()  (or CRYPTO_set_mem_functions()) can be used
-  to define the malloc(), free() and realloc() routines to use
-  (look in crypto/crypto.h).  This is mostly needed for Windows NT/95 when
-  using DLLs and mixing CRT libraries.
-
-In general, read the 'VERSION' file for changes and be aware that some of
-the new stuff may not have been tested quite enough yet, so don't just plonk
-in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break.
-
-SSLeay 0.6.4 30/08/96 eay
-
-I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3,
-Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-).
-
-The main changes in this release
-
-- Thread safe.  have a read of doc/threads.doc and play in the mt directory.
-  For anyone using 0.6.3 with threads, I found 2 major errors so consider
-  moving to 0.6.4.  I have a test program that builds under NT and
-  solaris.
-- The get session-id callback has changed.  Have a read of doc/callback.doc.
-- The X509_cert_verify callback (the SSL_verify callback) now
-  has another argument.  Have a read of doc/callback.doc
-- 'ca -preserve', sign without re-ordering the DN.  Not tested much.
-- VMS support.
-- Compile time memory leak detection can now be built into SSLeay.
-  Read doc/memory.doc
-- CONF routines now understand '\', '\n', '\r' etc.  What this means is that
-  the  SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines.
-- 'ssleay ciphers' added, lists the default cipher list for SSLeay.
-- RC2 key setup is now compatable with Netscape.
-- Modifed server side of SSL implementation, big performance difference when
-      using session-id reuse.
-
-0.6.3
-
-Bug fixes and the addition of some nice stuff to the 'ca' program.
-Have a read of doc/ns-ca.doc for how hit has been modified so
-it can be driven from a CGI script.  The CGI script is not provided,
-but that is just being left as an excersize for the reader :-).
-
-0.6.2
-
-This is most bug fixes and functionality improvements.
-
-Additions are
-- More thread debugging patches, the thread stuff is still being
-  tested, but for those keep to play with stuff, have a look in
-  crypto/cryptlib.c.  The application needs to define 1 (or optionaly
-  a second) callback that is used to implement locking.  Compiling
-  with LOCK_DEBUG spits out lots of locking crud :-).
-  This is what I'm currently working on.
-- SSL_CTX_set_default_passwd_cb() can be used to define the callback
-  function used in the SSL*_file() functions used to load keys.  I was
-  always of the opinion that people should call
-  PEM_read_RSAPrivateKey() and pass the callback they want to use, but
-  it appears they just want to use the SSL_*_file() function() :-(.
-- 'enc' now has a -kfile so a key can be read from a file.  This is
-  mostly used so that the passwd does not appear when using 'ps',
-  which appears imposible to stop under solaris.
-- X509v3 certificates now work correctly.  I even have more examples
-  in my tests :-).  There is now a X509_EXTENSION type that is used in
-  X509v3 certificates and CRLv2.
-- Fixed that signature type error :-(
-- Fixed quite a few potential memory leaks and problems when reusing
-  X509, CRL and REQ structures.
-- EVP_set_pw_prompt() now sets the library wide default password
-  prompt.
-- The 'pkcs7' command will now, given the -print_certs flag, output in
-  pem format, all certificates and CRL contained within.  This is more
-  of a pre-emtive thing for the new verisign distribution method.  I
-  should also note, that this also gives and example in code, of how
-  to do this :-), or for that matter, what is involved in going the
-  other way (list of certs and crl -> pkcs7).
-- Added RSA's DESX to the DES library.  It is also available via the
-  EVP_desx_cbc() method and via 'enc desx'. 
-
-SSLeay 0.6.1
-
-The main functional changes since 0.6.0 are as follows
-- Bad news, the Microsoft 060 DLL's are not compatable, but the good news is
-  that from now on, I'll keep the .def numbers the same so they will be.
-- RSA private key operations are about 2 times faster that 0.6.0
-- The SSL_CTX now has more fields so default values can be put against
-  it.  When an SSL structure is created, these default values are used
-  but can be overwritten.  There are defaults for cipher, certificate,
-  private key, verify mode and callback.  This means SSL session
-  creation can now be
-  ssl=SSL_new()
-  SSL_set_fd(ssl,sock);
-  SSL_accept(ssl)
-  ....
-  All the other uglyness with having to keep a global copy of the
-  private key and certificate/verify mode in the server is now gone.
-- ssl/ssltest.c - one process talking SSL to its self for testing.
-- Storage of Session-id's can be controled via a session_cache_mode
-  flag.  There is also now an automatic default flushing of 
-  old session-id's.
-- The X509_cert_verify() function now has another parameter, this
-  should not effect most people but it now means that the reason for
-  the failure to verify is now available via SSL_get_verify_result(ssl).
-  You don't have to use a global variable.
-- SSL_get_app_data() and SSL_set_app_data() can be used to keep some
-  application data against the SSL structure.  It is upto the application
-  to free the data.  I don't use it, but it is available.
-- SSL_CTX_set_cert_verify_callback() can be used to specify a
-  verify callback function that completly replaces my certificate
-  verification code.  Xcert should be able to use this :-).
-  The callback is of the form int app_verify_callback(arg,ssl,cert).
-  This needs to be documented more.
-- I have started playing with shared library builds, have a look in
-  the shlib directory.  It is very simple.  If you need a numbered
-  list of functions, have a look at misc/crypto.num and misc/ssl.num.
-- There is some stuff to do locking to make the library thread safe.
-  I have only started this stuff and have not finished.  If anyone is
-  keen to do so, please send me the patches when finished.
-
-So I have finally made most of the additions to the SSL interface that
-I thought were needed.
-
-There will probably be a pause before I make any non-bug/documentation
-related changes to SSLeay since I'm feeling like a bit of a break.
-
-eric - 12 Jul 1996
-I saw recently a comment by some-one that we now seem to be entering
-the age of perpetual Beta software.
-Pioneered by packages like linux but refined to an art form by
-netscape.
-
-I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-).
-
-There are quite a large number of sections that are 'works in
-progress' in this package.  I will also list the major changes and
-what files you should read.
-
-BIO - this is the new IO structure being used everywhere in SSLeay.  I
-started out developing this because of microsoft, I wanted a mechanism
-to callback to the application for all IO, so Windows 3.1 DLL
-perversion could be hidden from me and the 15 different ways to write
-to a file under NT would also not be dictated by me at library build
-time.  What the 'package' is is an API for a data structure containing
-functions.  IO interfaces can be written to conform to the
-specification.  This in not intended to hide the underlying data type
-from the application, but to hide it from SSLeay :-).
-I have only really finished testing the FILE * and socket/fd modules.
-There are also 'filter' BIO's.  Currently I have only implemented
-message digests, and it is in use in the dgst application.  This
-functionality will allow base64/encrypto/buffering modules to be
-'push' into a BIO without it affecting the semantics.  I'm also
-working on an SSL BIO which will hide the SSL_accept()/SLL_connet()
-from an event loop which uses the interface.
-It is also possible to 'attach' callbacks to a BIO so they get called
-before and after each operation, alowing extensive debug output
-to be generated (try running dgst with -d).
-
-Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few
-functions that used to take FILE *, now take BIO *.
-The wrappers are easy to write
-
-function_fp(fp,x)
-FILE *fp;
-    {
-    BIO *b;
-    int ret;
-
-    if ((b=BIO_new(BIO_s_file())) == NULL) error.....
-    BIO_set_fp(b,fp,BIO_NOCLOSE);
-    ret=function_bio(b,x);
-    BIO_free(b);
-    return(ret);
-    }
-Remember, there are no functions that take FILE * in SSLeay when
-compiled for Windows 3.1 DLL's.
-
---
-I have added a general EVP_PKEY type that can hold a public/private
-key.  This is now what is used by the EVP_ functions and is passed
-around internally.  I still have not done the PKCS#8 stuff, but
-X509_PKEY is defined and waiting :-)
-
---
-For a full function name listings, have a look at ms/crypt32.def and
-ms/ssl32.def.  These are auto-generated but are complete.
-Things like ASN1_INTEGER_get() have been added and are in here if you
-look.  I have renamed a few things, again, have a look through the
-function list and you will probably find what you are after.  I intend
-to at least put a one line descrition for each one.....
-
---
-Microsoft - thats what this release is about, read the MICROSOFT file.
-
---
-Multi-threading support.  I have started hunting through the code and
-flaging where things need to be done.  In a state of work but high on
-the list.
-
---
-For random numbers, edit e_os.h and set DEVRANDOM (it's near the top)
-be be you random data device, otherwise 'RFILE' in e_os.h
-will be used, in your home directory.  It will be updated
-periodically.  The environment variable RANDFILE will override this
-choice and read/write to that file instead.  DEVRANDOM is used in
-conjunction to the RFILE/RANDFILE.  If you wish to 'seed' the random
-number generator, pick on one of these files.
-
---
-
-The list of things to read and do
-
-dgst -d
-s_client -state (this uses a callback placed in the SSL state loop and
-        will be used else-where to help debug/monitor what
-        is happening.)
-
-doc/why.doc
-doc/bio.doc <- hmmm, needs lots of work.
-doc/bss_file.doc <- one that is working :-)
-doc/session.doc <- it has changed
-doc/speed.doc
- also play with ssleay version -a.  I have now added a SSLeay()
- function that returns a version number, eg 0600 for this release
- which is primarily to be used to check DLL version against the
- application.
-util/*  Quite a few will not interest people, but some may, like
- mk1mf.pl, mkdef.pl,
-util/do_ms.sh
-
-try
-cc -Iinclude -Icrypto -c crypto/crypto.c
-cc -Iinclude -Issl -c ssl/ssl.c
-You have just built the SSLeay libraries as 2 object files :-)
-
-Have a general rummage around in the bin stall directory and look at
-what is in there, like CA.sh and c_rehash
-
-There are lots more things but it is 12:30am on a Friday night and I'm
-heading home :-).
-
-eric 22-Jun-1996
-This version has quite a few major bug fixes and improvements.  It DOES NOT
-do SSLv3 yet.
-
-The main things changed
-- A Few days ago I added the s_mult application to ssleay which is
-  a demo of an SSL server running in an event loop type thing.
-  It supports non-blocking IO, I have finally gotten it right, SSL_accept()
-  can operate in non-blocking IO mode, look at the code to see how :-).
-  Have a read of doc/s_mult as well.  This program leaks memory and
-  file descriptors everywhere but I have not cleaned it up yet.
-  This is a demo of how to do non-blocking IO.
-- The SSL session management has been 'worked over' and there is now
-  quite an expansive set of functions to manipulate them.  Have a read of
-  doc/session.doc for some-things I quickly whipped up about how it now works.
-  This assume you know the SSLv2 protocol :-)
-- I can now read/write the netscape certificate format, use the
-  -inform/-outform  'net' options to the x509 command.  I have not put support
-  for this type in the other demo programs, but it would be easy to add.
-- asn1parse and 'enc' have been modified so that when reading base64
-  encoded files (pem format), they do not require '-----BEGIN' header lines.
-  The 'enc' program had a buffering bug fixed, it can be used as a general
-  base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d'
-  respecivly.  Leaving out the '-a' flag in this case makes the 'enc' command
-  into a form of 'cat'.
-- The 'x509' and 'req' programs have been fixed and modified a little so
-  that they generate self-signed certificates correctly.  The test
-  script actually generates a 'CA' certificate and then 'signs' a
-  'user' certificate.  Have a look at this shell script (test/sstest)
-  to see how things work, it tests most possible combinations of what can
-  be done.
-- The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name
-  of SSL_set_cipher_list() is now the correct API (stops confusion :-).
-  If this function is used in the client, only the specified ciphers can
-  be used, with preference given to the order the ciphers were listed.
-  For the server, if this is used, only the specified ciphers will be used
-  to accept connections.  If this 'option' is not used, a default set of
-  ciphers will be used.  The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this
-  list for all ciphers started against the SSL_CTX.  So the order is
-  SSL cipher_list, if not present, SSL_CTX cipher list, if not
-  present, then the library default.
-  What this means is that normally ciphers like
-  NULL-MD5 will never be used.  The only way this cipher can be used
-  for both ends to specify to use it.
-  To enable or disable ciphers in the library at build time, modify the
-  first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c.
-  This file also contains the 'pref_cipher' list which is the default
-  cipher preference order.
-- I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net'
-  options work.  They should, and they enable loading and writing the
-  netscape rsa private key format.  I will be re-working this section of
-  SSLeay for the next version.  What is currently in place is a quick and
-  dirty hack.
-- I've re-written parts of the bignum library.  This gives speedups
-  for all platforms.  I now provide assembler for use under Windows NT.
-  I have not tested the Windows 3.1 assembler but it is quite simple code.
-  This gives RSAprivate_key operation encryption times of 0.047s (512bit key)
-  and 0.230s (1024bit key) on a pentium 100 which I consider reasonable.
-  Basically the times available under linux/solaris x86 can be achieve under
-  Windows NT.  I still don't know how these times compare to RSA's BSAFE
-  library but I have been emailing with people and with their help, I should
-  be able to get my library's quite a bit faster still (more algorithm changes).
-  The object file crypto/bn/asm/x86-32.obj should be used when linking
-  under NT.
-- 'make makefile.one' in the top directory will generate a single makefile
-  called 'makefile.one'  This makefile contains no perl references and
-  will build the SSLeay library into the 'tmp' and 'out' directories.
-  util/mk1mf.pl >makefile.one is how this makefile is
-  generated.  The mk1mf.pl command take several option to generate the
-  makefile for use with cc, gcc, Visual C++ and Borland C++.  This is
-  still under development.  I have only build .lib's for NT and MSDOS
-  I will be working on this more.  I still need to play with the
-  correct compiler setups for these compilers and add some more stuff but
-  basically if you just want to compile the library
-  on a 'non-unix' platform, this is a very very good file to start with :-).
-  Have a look in the 'microsoft' directory for my current makefiles.
-  I have not yet modified things to link with sockets under Windows NT.
-  You guys should be able to do this since this is actually outside of the
-  SSLeay scope :-).  I will be doing it for myself soon.
-  util/mk1mf.pl takes quite a few options including no-rc, rsaref  and no-sock
-  to build without RC2/RC4, to require RSAref for linking, and to
-  build with no socket code.
-
-- Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher
-  that was posted to sci.crypt has been added to the library and SSL.
-  I take the view that if RC2 is going to be included in a standard,
-  I'll include the cipher to make my package complete.
-  There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers
-  at compile time.  I have not tested this recently but it should all work
-  and if you are in the USA and don't want RSA threatening to sue you,
-  you could probably remove the RC4/RC2 code inside these sections.
-  I may in the future include a perl script that does this code
-  removal automatically for those in the USA :-).
-- I have removed all references to sed in the makefiles.  So basically,
-  the development environment requires perl and sh.  The build environment
-  does not (use the makefile.one makefile).
-  The Configure script still requires perl, this will probably stay that way
-  since I have perl for Windows NT :-).
-
-eric (03-May-1996)
-
-PS Have a look in the VERSION file for more details on the changes and
-   bug fixes.
-I have fixed a few bugs, added alpha and x86 assembler and generally cleaned
-things up.  This version will be quite stable, mostly because I'm on
-holidays until 10-March-1996.  For any problems in the interum, send email
-to Tim Hudson <tjh@mincom.oz.au>.
-
-SSLeay 0.5.0
-
-12-12-95
-This is going out before it should really be released.
-
-I leave for 11 weeks holidays on the 22-12-95 and so I either sit on
-this for 11 weeks or get things out.  It is still going to change a
-lot in the next week so if you do grab this version, please test and
-give me feed back ASAP, inculuding questions on how to do things with
-the library.  This will prompt me to write documentation so I don't
-have to answer the same question again :-).
-
-This 'pre' release version is for people who are interested in the
-library.  The applications will have to be changed to use
-the new version of the SSL interface.  I intend to finish more
-documentation before I leave but until then, look at the programs in
-the apps directory.  As far as code goes, it is much much nicer than
-the old version.
-
-The current library works, has no memory leaks (as far as I can tell)
-and is far more bug free that 0.4.5d.  There are no global variable of
-consequence (I believe) and I will produce some documentation that
-tell where to look for those people that do want to do multi-threaded
-stuff.
-
-There should be more documentation.  Have a look in the
-doc directory.  I'll be adding more before I leave, it is a start
-by mostly documents the crypto library.  Tim Hudson will update
-the web page ASAP.  The spelling and grammar are crap but
-it is better than nothing :-)
-
-Reasons to start playing with version 0.5.0
-- All the programs in the apps directory build into one ssleay binary.
-- There is a new version of the 'req' program that generates certificate
-  requests, there is even documentation for this one :-)
-- There is a demo certification authorithy program.  Currently it will
-  look at the simple database and update it.  It will generate CRL from
-  the data base.  You need to edit the database by hand to revoke a
-  certificate, it is my aim to use perl5/Tk but I don't have time to do
-  this right now.  It will generate the certificates but the management
-  scripts still need to be written.  This is not a hard task.
-- Things have been cleaned up a lot.
-- Have a look at the enc and dgst programs in the apps directory.
-- It supports v3 of x509 certiticates.
-
-
-Major things missing.
-- I have been working on (and thinging about) the distributed x509
-  hierachy problem.  I have not had time to put my solution in place.
-  It will have to wait until I come back.
-- I have not put in CRL checking in the certificate verification but
-  it would not be hard to do.  I was waiting until I could generate my
-  own CRL (which has only been in the last week) and I don't have time
-  to put it in correctly.
-- Montgomery multiplication need to be implemented.  I know the
-  algorithm, just ran out of time.
-- PKCS#7.  I can load and write the DER version.  I need to re-work
-  things to support BER (if that means nothing, read the ASN1 spec :-).
-- Testing of the higher level digital envelope routines.  I have not
-  played with the *_seal() and *_open() type functions.  They are
-  written but need testing.  The *_sign() and *_verify() functions are
-  rock solid. 
-- PEM.  Doing this and PKCS#7 have been dependant on the distributed
-  x509 heirachy problem.  I started implementing my ideas, got
-  distracted writing a CA program and then ran out of time.  I provide
-  the functionality of RSAref at least.
-- Re work the asm. code for the x86.  I've changed by low level bignum
-  interface again, so I really need to tweak the x86 stuff.  gcc is
-  good enough for the other boxes.
-

CONTRIBUTING

@@ -0,0 +1,38 @@
+HOW TO CONTRIBUTE TO OpenSSL
+----------------------------
+
+Development is coordinated on the openssl-dev mailing list (see
+http://www.openssl.org for information on subscribing). If you
+would like to submit a patch, send it to rt@openssl.org with
+the string "[PATCH]" in the subject. Please be sure to include a
+textual explanation of what your patch does.
+
+You can also make GitHub pull requests. If you do this, please also send
+mail to rt@openssl.org with a brief description and a link to the PR so
+that we can more easily keep track of it.
+
+If you are unsure as to whether a feature will be useful for the general
+OpenSSL community please discuss it on the openssl-dev mailing list first.
+Someone may be already working on the same thing or there may be a good
+reason as to why that feature isn't implemented.
+
+Patches should be as up to date as possible, preferably relative to the
+current Git or the last snapshot. They should follow our coding style
+(see https://www.openssl.org/policies/codingstyle.html) and compile without
+warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
+platforms: try to ensure you only use portable features.
+
+Our preferred format for patch files is "git format-patch" output. For example
+to provide a patch file containing the last commit in your local git repository
+use the following command:
+
+# git format-patch --stdout HEAD^ >mydiffs.patch
+
+Another method of creating an acceptable patch file without using git is as
+follows:
+
+# cd openssl-work
+# [your changes]
+# ./Configure dist; make clean
+# cd ..
+# diff -ur openssl-orig openssl-work > mydiffs.patch

Configurations/90-team.conf

@@ -0,0 +1,123 @@
+## -*- mode: perl; -*-
+## Build configuration targets for openssl-team members
+##
+## If you edit this file, run this command before committing
+##	make -f Makefile.in TABLE
+## This file is interpolated by the Configure script.
+
+%targets = (
+    "purify" => {
+        cc               => "purify gcc",
+        cflags           => "-g -DPURIFY -Wall",
+        thread_cflag     => "(unknown)",
+        lflags           => "-lsocket -lnsl",
+    },
+    "debug" => {
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
+        thread_cflag     => "(unknown)",
+        lflags           => "-lefence",
+    },
+    "debug-erbridge" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_ldflag    => "-m64",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+        multilib         => "64",
+    },
+    "debug-linux-pentium" => {
+        inherit_from     => [ "x86_elf_asm" ],
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        dso_scheme       => "dlfcn",
+    },
+    "debug-linux-ppro" => {
+        inherit_from     => [ "x86_elf_asm" ],
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        dso_scheme       => "dlfcn",
+    },
+    "debug-linux-elf-noefence" => {
+        inherit_from     => [ "x86_elf_asm" ],
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -march=i486 -Wall",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-linux-ia32-aes" => {
+        cc               => "gcc",
+        cflags           => "-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        cpuid_obj        => "x86cpuid.o",
+        bn_obj           => "bn-586.o co-586.o x86-mont.o",
+        des_obj          => "des-586.o crypt586.o",
+        aes_obj          => "aes_x86core.o aes_cbc.o aesni-x86.o",
+        bf_obj           => "bf-586.o",
+        md5_obj          => "md5-586.o",
+        sha1_obj         => "sha1-586.o sha256-586.o sha512-586.o",
+        cast_obj         => "cast-586.o",
+        rc4_obj          => "rc4-586.o",
+        rmd160_obj       => "rmd-586.o",
+        rc5_obj          => "rc5-586.o",
+        wp_obj           => "wp_block.o wp-mmx.o",
+        modes_obj        => "ghash-x86.o",
+        engines_obj      => "e_padlock-x86.o",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "dist" => {
+        cc               => "cc",
+        cflags           => "-O",
+        thread_cflag     => "(unknown)",
+    },
+    "debug-test-64-clang" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "clang",
+        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+        thread_cflag     => "${BSDthreads}",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "bsd-gcc-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "darwin64-debug-test-64-clang" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "clang",
+        cflags           => "-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+        thread_cflag     => "${BSDthreads}",
+        sys_id           => "MACOSX",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "macosx",
+        dso_scheme       => "dlfcn",
+        shared_target    => "darwin-shared",
+        shared_cflag     => "-fPIC -fno-common",
+        shared_ldflag    => "-arch x86_64 -dynamiclib",
+        shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+    },
+);

Configurations/99-personal-ben.conf

@@ -0,0 +1,95 @@
+## -*- mode: perl; -*-
+## Personal configuration targets
+##
+## If you edit this file, run this command before committing
+##	make -f Makefile.in TABLE
+## This file is interpolated by the Configure script.
+
+%targets = (
+    "debug-ben" => {
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -O2 -pipe",
+        thread_cflag     => "(unknown)",
+    },
+    "debug-ben-openbsd" => {
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
+        thread_cflag     => "(unknown)",
+    },
+    "debug-ben-openbsd-debug" => {
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
+        thread_cflag     => "(unknown)",
+    },
+    "debug-ben-debug" => {
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DOPENSSL_NO_HW_PADLOCK -g3 -O2 -pipe",
+        thread_cflag     => "(unknown)",
+    },
+    "debug-ben-debug-64" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+        thread_cflag     => "${BSDthreads}",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "bsd-gcc-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-ben-debug-64-clang" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "clang",
+        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
+        thread_cflag     => "${BSDthreads}",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "bsd-gcc-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-ben-debug-64-noopt" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
+        thread_cflag     => "${BSDthreads}",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "bsd-gcc-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-ben-macos" => {
+        cc               => "cc",
+        cflags           => "$gcc_devteam_warn -DOPENSSL_NO_ASM -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -DL_ENDIAN -g3 -pipe",
+        thread_cflag     => "(unknown)",
+    },
+    "debug-ben-no-opt" => {
+        cc               => "gcc",
+        cflags           => " -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -Werror -DL_ENDIAN -Wall -g3",
+        thread_cflag     => "(unknown)",
+    },
+    "debug-ben-strict" => {
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
+        thread_cflag     => "(unknown)",
+    },
+    "debug-ben-darwin64" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "cc",
+        cflags           => "$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
+        thread_cflag     => "-D_REENTRANT",
+        sys_id           => "MACOSX",
+        lflags           => "-Wl,-search_paths_first%",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "macosx",
+        dso_scheme       => "dlfcn",
+        shared_target    => "darwin-shared",
+        shared_cflag     => "-fPIC -fno-common",
+        shared_ldflag    => "-arch x86_64 -dynamiclib",
+        shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+    },
+);

Configurations/99-personal-bodo.conf

@@ -0,0 +1,24 @@
+## -*- mode: perl; -*-
+## Personal configuration targets
+##
+## If you edit this file, run this command before committing
+##	make -f Makefile.in TABLE
+## This file is interpolated by the Configure script.
+
+%targets = (
+    "debug-bodo" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_ldflag    => "-m64",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+        multilib         => "64",
+    },
+);

Configurations/99-personal-geoff.conf

@@ -0,0 +1,33 @@
+## -*- mode: perl; -*-
+## Personal configuration targets
+##
+## If you edit this file, run this command before committing
+##	make -f Makefile.in TABLE
+## This file is interpolated by the Configure script.
+
+%targets = (
+    "debug-geoff32" => {
+        inherit_from     => [ "no_asm_filler" ],
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-geoff64" => {
+        inherit_from     => [ "no_asm_filler" ],
+        cc               => "gcc",
+        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+);

Configurations/99-personal-levitte.conf

@@ -0,0 +1,60 @@
+## -*- mode: perl; -*-
+## Personal configuration targets
+##
+## If you edit this file, run this command before committing
+##	make -f Makefile.in TABLE
+## This file is interpolated by the Configure script.
+
+%targets = (
+    "levitte-linux-elf" => {
+        inherit_from     => [ "x86_elf_asm" ],
+        cc               => "gcc",
+        cflags           => "-DL_ENDIAN -Wall",
+        debug_cflags     => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -ggdb -g3",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-levitte-linux-noasm" => {
+        inherit_from     => [ "no_asm_filler" ],
+        cc               => "gcc",
+        cflags           => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-levitte-linux-elf-extreme" => {
+        inherit_from     => [ "x86_elf_asm" ],
+        cc               => "gcc",
+        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DENGINE_CONF_DEBUG -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-levitte-linux-noasm-extreme" => {
+        inherit_from     => [ "no_asm_filler" ],
+        cc               => "gcc",
+        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
+        perlasm_scheme   => "void",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+);

Configurations/99-personal-rse.conf

@@ -0,0 +1,16 @@
+## -*- mode: perl; -*-
+## Personal configuration targets
+##
+## If you edit this file, run this command before committing
+##	make -f Makefile.in TABLE
+## This file is interpolated by the Configure script.
+
+%targets = (
+    "debug-rse" => {
+        inherit_from     => [ "x86_elf_asm" ],
+        cc               => "cc",
+        cflags           => "-DL_ENDIAN -pipe -O -g -ggdb3 -Wall",
+        thread_cflag     => "(unknown)",
+        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+    },
+);

Configurations/99-personal-steve.conf

@@ -0,0 +1,50 @@
+## -*- mode: perl; -*-
+## Personal configuration targets
+##
+## If you edit this file, run this command before committing
+##	make -f Makefile.in TABLE
+## This file is interpolated by the Configure script.
+
+%targets = (
+    "debug-steve64" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_ldflag    => "-m64",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-steve32" => {
+        inherit_from     => [ "x86_elf_asm" ],
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-rdynamic -ldl",
+        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_ldflag    => "-m32",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "debug-steve-opt" => {
+        inherit_from     => [ "x86_64_asm" ],
+        cc               => "gcc",
+        cflags           => "$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
+        thread_cflag     => "-D_REENTRANT",
+        lflags           => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        perlasm_scheme   => "elf",
+        dso_scheme       => "dlfcn",
+        shared_target    => "linux-shared",
+        shared_cflag     => "-fPIC",
+        shared_ldflag    => "-m64",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+);

GitConfigure

@@ -2,7 +2,7 @@
 
 BRANCH=`git rev-parse --abbrev-ref HEAD`
 
-./Configure $@ no-symlinks
+./Configure $@
 make files
 util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
 MAKE=make

INSTALL

@@ -12,7 +12,7 @@
  To install OpenSSL, you will need:
 
   * make
-  * Perl 5
+  * Perl 5 with core modules (see 'Note on Perl' further down)
   * an ANSI C compiler
   * a development environment in form of development libraries and C
     header files
@@ -141,7 +141,7 @@
      generic configurations "cc" or "gcc" should usually work on 32 bit
      systems.
 
-     Configure creates the file Makefile.ssl from Makefile.org and
+     Configure creates the file Makefile.ssl from Makefile.in and
      defines various macros in crypto/opensslconf.h (generated from
      crypto/opensslconf.h.in).
 
@@ -158,10 +158,10 @@
      standard headers).  If it is a problem with OpenSSL itself, please
      report the problem to <openssl-bugs@openssl.org> (note that your
      message will be recorded in the request tracker publicly readable
-     via http://www.openssl.org/support/rt.html and will be forwarded to a
-     public mailing list). Include the output of "make report" in your message.
-     Please check out the request tracker. Maybe the bug was already
-     reported or has already been fixed.
+     at https://www.openssl.org/community/index.html#bugs and will be
+     forwarded to a public mailing list). Include the output of "make
+     report" in your message.  Please check out the request tracker. Maybe
+     the bug was already reported or has already been fixed.
 
      [If you encounter assembler error messages, try the "no-asm"
      configuration option as an immediate fix.]
@@ -173,14 +173,38 @@
 
        $ make test
 
-     If a test fails, look at the output.  There may be reasons for
-     the failure that isn't a problem in OpenSSL itself (like a missing
-     or malfunctioning bc).  If it is a problem with OpenSSL itself,
-     try removing any compiler optimization flags from the CFLAG line
-     in Makefile.ssl and run "make clean; make". Please send a bug
-     report to <openssl-bugs@openssl.org>, including the output of
-     "make report" in order to be added to the request tracker at
-     http://www.openssl.org/support/rt.html.
+     If some tests fail, look at the output.  There may be reasons for
+     the failure that isn't a problem in OpenSSL itself (like a
+     malfunction with Perl).  You may want increased verbosity, that
+     can be accomplished like this:
+
+       $ HARNESS_VERBOSE=yes make test
+
+     Also, you will find logs for all commands the tests have executed
+     in logs, test/test_*.log, one for each individual test.
+
+     If you want to run just one or a few specific tests, you can use
+     the make variable TESTS to specify them, like this:
+
+       $ make TESTS='test_rsa test_dsa' test
+
+     And of course, you can combine:
+       
+       $ HARNESS_VERBOSE=yes make TESTS='test_rsa test_dsa' test
+
+     You can find the list of available tests like this:
+
+       $ make list-tests
+
+     If you find a problem with OpenSSL itself, try removing any
+     compiler optimization flags from the CFLAG line in Makefile and
+     run "make clean; make".
+
+     Please send a bug report to <openssl-bugs@openssl.org>, and when
+     you do, please run the following and include the output in your
+     report:
+
+       $ make report
 
   4. If everything tests ok, install OpenSSL with
 
@@ -286,6 +310,26 @@
      with names of the form <foo.h>.
 
 
+ Note on Perl
+ ------------
+
+ For our scripts, we rely quite a bit on Perl, and increasingly on
+ some core Perl modules.  These Perl modules are part of the Perl
+ source, so if you build Perl on your own, you should be set.
+
+ However, if you install Perl as binary packages, the outcome might
+ differ, and you may have to check that you do get the core modules
+ installed properly.  We do not claim to know them all, but experience
+ has told us the following:
+
+ - on Linux distributions based on Debian, the package 'perl' will
+   install the core Perl modules as well, so you will be fine.
+ - on Linux distributions based on RPMs, you will need to install
+   'perl-core' rather than just 'perl'.
+
+ It is highly recommended that you have at least Perl version 5.12
+ installed.
+
  Note on multi-threading
  -----------------------
 
@@ -346,7 +390,7 @@
 		rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
 		echo $F '->' $OPENSSL_SOURCE/$F
 	done
-	make -f Makefile.org clean
+	make -f Makefile.in clean
 
  OPENSSL_SOURCE is an environment variable that contains the absolute (this
  is important!) path to the OpenSSL source tree.

INSTALL.VMS

@@ -25,6 +25,8 @@ Requirements:
 
 To build and install OpenSSL, you will need:
 
+ * Perl 5 with core modules.  If you don't want to build it yourself,
+   we suggest you look here: http://sourceforge.net/projects/vmsperlkit/files/
  * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
    [Note: OpenSSL has only been tested with DEC C.  Compiling with 
     a different ANSI C compiler may require some work]
@@ -83,7 +85,6 @@ directory.  The syntax is the following:
       RSAREF    Just build the "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB" library.
       CRYPTO    Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
       SSL       Just build the "[.xxx.EXE.SSL]LIBSSL.OLB" library.
-      SSL_TASK  Just build the "[.xxx.EXE.SSL]SSL_TASK.EXE" program.
       TEST      Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
       APPS      Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
 
@@ -130,15 +131,23 @@ Currently, the logical names supported are:
       OPENSSL_NO_ASM    with value YES, the assembler parts of OpenSSL will
                         not be used.  Instead, plain C implementations are
                         used.  This is good to try if something doesn't work.
-      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm
-                        will not be implemented.  Supported algorithms to
-                        do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
-                        SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
-                        SSL3.  So, for example, having the logical name
-                        OPENSSL_NO_RSA with the value YES means that the
-                        LIBCRYPTO.OLB library will not contain an RSA
-                        implementation.
-
+      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm,
+                        protocol or other routine will not be implemented if
+                        disabling it is supported.  Supported algorithms to
+                        do this with are: AES, BF, CAMELLIA, CAST, CMS, COMP,
+                        DES, DGRAM, DH, DSA, EC, EC2M, ECDH, ECDSA, ENGINE,
+                        ERR, GOST, HEARTBEATS, HMAC, IDEA, MD2, MD4,
+                        MD5, OCB, OCSP, PSK, RC2, RC4, RC5, RMD160, RSA, SCTP,
+                        SEED, SOCK, SRP, SRTP, WHIRLPOOL.  So, for
+                        example, having the logical name OPENSSL_NO_RSA with
+                        the value YES means that the LIBCRYPTO.OLB library
+                        will not contain an RSA implementation.
+      OPENSSL_EXPERIMENTAL_'alg'
+                        with value YES, the corresponding experimental
+                        algorithm is enabled.  Note that is also requires
+                        the application using this to define the C macro
+                        OPENSSL_EXPERIMENTAL_'alg'.  Supported algorithms
+                        to do this with are: JPAKE, STORE.
 
 Test:
 =====

Makefile.in

@@ -26,14 +26,14 @@ HERE=.
 INSTALL_PREFIX=
 INSTALLTOP=/usr/local/ssl
 
-# Do not edit this manually. Use Configure --openssldir=DIR do change this!
+# Do not edit this manually. Use Configure --openssldir=DIR to change this!
 OPENSSLDIR=/usr/local/ssl
 
 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
 # NO_RC2  - Define to build without the RC2 algorithm
 # THREADS - Define when building with threads, you will probably also need any
-#           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
+#           system defines as well, i.e. _REENTRANT for Solaris 2.[34]
 # TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
 # TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
 # LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
@@ -46,7 +46,6 @@ OPENSSLDIR=/usr/local/ssl
 # LOCK_DEBUG - turns on lots of lock debug output :-)
 # REF_CHECK - turn on some xyz_free() assertions.
 # REF_PRINT - prints some stuff on structure free.
-# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
 # MFUNC - Make all Malloc/Free/Realloc calls call
 #       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
 #       call application defined callbacks via CRYPTO_set_mem_functions()
@@ -104,12 +103,10 @@ WP_ASM_OBJ=
 CMLL_ENC=
 MODES_ASM_OBJ=
 ENGINES_ASM_OBJ=
+CHACHA_ENC= chacha_enc.o
+POLY1305_ASM_OBJ=
 PERLASM_SCHEME=
 
-# KRB5 stuff
-KRB5_INCLUDES=
-LIBKRB5=
-
 # Zlib stuff
 ZLIB_INCLUDE=
 LIBZLIB=
@@ -137,16 +134,17 @@ BASEADDR=
 DIRS=   crypto ssl engines apps test tools
 ENGDIRS= ccgost
 SHLIBDIRS= crypto ssl
+INSTALL_SUBS= engines apps tools
 
 # dirs in crypto to build
 SDIRS=  \
 	objects \
-	md2 md4 md5 sha mdc2 hmac ripemd whrlpool \
-	des aes rc2 rc4 rc5 idea bf cast camellia seed modes \
-	bn ec rsa dsa ecdsa dh ecdh dso engine \
+	md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 \
+	des aes rc2 rc4 rc5 idea bf cast camellia seed chacha modes \
+	bn ec rsa dsa dh dso engine \
 	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-	cms pqueue ts jpake srp store cmac
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui \
+	cms pqueue ts jpake srp store cmac ct async
 # keep in mind that the above list is adjusted by ./Configure
 # according to no-xxx arguments...
 
@@ -165,9 +163,6 @@ HTMLDIR=$(OPENSSLDIR)/html
 SHELL=/bin/sh
 
 TOP=    .
-ONEDIRS=out tmp
-EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
-WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
@@ -178,9 +173,7 @@ SHARED_LDFLAGS=
 GENERAL=        Makefile
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
-TARFILE=        $(NAME).tar
-WTARFILE=       $(NAME)-win.tar
-EXHEADER=       e_os2.h
+TARFILE=        ../$(NAME).tar
 HEADER=         e_os.h
 
 # Directories created on install if they don't exist.
@@ -194,7 +187,7 @@ INSTALLDIRS=	\
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
 
-all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
+all: Makefile build_all
 
 # as we stick to -e, CLEARENV ensures that local variables in lower
 # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
@@ -205,14 +198,16 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
 		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
 		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
-		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
+		$${HEADER+HEADER}				\
 		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
 		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
 		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS}	\
 		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
 		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
 
-BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
+# LC_ALL=C ensures that error [and other] messages are delivered in
+# same language for uniform treatment.
+BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
@@ -223,10 +218,9 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
-		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
+		DEPFLAG='$(DEPFLAG)'                    	\
 		MAKEDEPPROG='$(MAKEDEPPROG)'			\
 		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
-		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
@@ -242,10 +236,11 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
 		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
+		CHACHA_ENC='$(CHACHA_ENC)'			\
+		POLY1305_ASM_OBJ='$(POLY1305_ASM_OBJ)'		\
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
 		FIPSLIBDIR='${FIPSLIBDIR}'			\
 		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
-		FIPS_EX_OBJ='${FIPS_EX_OBJ}'	\
 		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
@@ -277,94 +272,14 @@ BUILD_ONE_CMD=\
 reflect:
 	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 
-FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
-	../crypto/aes/aes_ecb.o \
-	../crypto/aes/aes_ofb.o \
-	../crypto/bn/bn_add.o \
-	../crypto/bn/bn_blind.o \
-	../crypto/bn/bn_ctx.o \
-	../crypto/bn/bn_div.o \
-	../crypto/bn/bn_exp2.o \
-	../crypto/bn/bn_exp.o \
-	../crypto/bn/bn_gcd.o \
-	../crypto/bn/bn_gf2m.o \
-	../crypto/bn/bn_lib.o \
-	../crypto/bn/bn_mod.o \
-	../crypto/bn/bn_mont.o \
-	../crypto/bn/bn_mul.o \
-	../crypto/bn/bn_nist.o \
-	../crypto/bn/bn_prime.o \
-	../crypto/bn/bn_rand.o \
-	../crypto/bn/bn_recp.o \
-	../crypto/bn/bn_shift.o \
-	../crypto/bn/bn_sqr.o \
-	../crypto/bn/bn_word.o \
-	../crypto/bn/bn_x931p.o \
-	../crypto/buffer/buf_str.o \
-	../crypto/cmac/cmac.o \
-	../crypto/cryptlib.o \
-	../crypto/des/cfb64ede.o \
-	../crypto/des/cfb64enc.o \
-	../crypto/des/cfb_enc.o \
-	../crypto/des/ecb3_enc.o \
-	../crypto/des/ofb64ede.o \
-	../crypto/des/fcrypt.o \
-	../crypto/des/set_key.o \
-	../crypto/dh/dh_check.o \
-	../crypto/dh/dh_gen.o \
-	../crypto/dh/dh_key.o \
-	../crypto/dsa/dsa_gen.o \
-	../crypto/dsa/dsa_key.o \
-	../crypto/dsa/dsa_ossl.o \
-	../crypto/ec/ec_curve.o \
-	../crypto/ec/ec_cvt.o \
-	../crypto/ec/ec_key.o \
-	../crypto/ec/ec_lib.o \
-	../crypto/ec/ecp_mont.o \
-	../crypto/ec/ec_mult.o \
-	../crypto/ec/ecp_nist.o \
-	../crypto/ec/ecp_smpl.o \
-	../crypto/ec/ec2_mult.o \
-	../crypto/ec/ec2_smpl.o \
-	../crypto/ecdh/ech_key.o \
-	../crypto/ecdh/ech_ossl.o \
-	../crypto/ecdsa/ecs_ossl.o \
-	../crypto/evp/e_aes.o \
-	../crypto/evp/e_des3.o \
-	../crypto/evp/e_null.o \
-	../crypto/evp/m_sha1.o \
-	../crypto/evp/m_dss1.o \
-	../crypto/evp/m_dss.o \
-	../crypto/evp/m_ecdsa.o \
-	../crypto/hmac/hmac.o \
-	../crypto/modes/cbc128.o \
-	../crypto/modes/ccm128.o \
-	../crypto/modes/cfb128.o \
-	../crypto/modes/ctr128.o \
-	../crypto/modes/gcm128.o \
-	../crypto/modes/ofb128.o \
-	../crypto/modes/xts128.o \
-	../crypto/rsa/rsa_eay.o \
-	../crypto/rsa/rsa_gen.o \
-	../crypto/rsa/rsa_crpt.o \
-	../crypto/rsa/rsa_none.o \
-	../crypto/rsa/rsa_oaep.o \
-	../crypto/rsa/rsa_pk1.o \
-	../crypto/rsa/rsa_pss.o \
-	../crypto/rsa/rsa_ssl.o \
-	../crypto/rsa/rsa_x931.o \
-	../crypto/rsa/rsa_x931g.o \
-	../crypto/sha/sha1dgst.o \
-	../crypto/sha/sha256.o \
-	../crypto/sha/sha512.o \
-	../crypto/thr_id.o \
-	../crypto/uid.o
-
 sub_all: build_all
 
 build_all: build_libs build_apps build_tests build_tools
 
-build_libs: build_crypto build_ssl build_engines
+build_libs: build_libcrypto build_libssl openssl.pc
+
+build_libcrypto: build_crypto build_engines libcrypto.pc
+build_libssl: build_ssl libssl.pc
 
 build_crypto:
 	@dir=crypto; target=all; $(BUILD_ONE_CMD)
@@ -431,9 +346,6 @@ build-shared: do_$(SHLIB_TARGET) link-shared
 
 do_$(SHLIB_TARGET):
 	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
-		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
-			libs="$(LIBKRB5) $$libs"; \
-		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
@@ -454,7 +366,7 @@ libcrypto.pc: Makefile
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lcrypto'; \
 	    echo 'Libs.private: $(EX_LIBS)'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
 
 libssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -468,7 +380,7 @@ libssl.pc: Makefile
 	    echo 'Requires.private: libcrypto'; \
 	    echo 'Libs: -L$${libdir} -lssl'; \
 	    echo 'Libs.private: $(EX_LIBS)'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+	    echo 'Cflags: -I$${includedir}' ) > libssl.pc
 
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -481,8 +393,8 @@ openssl.pc: Makefile
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: libssl libcrypto' ) > openssl.pc
 
-Makefile: Makefile.org Configure config
-	@echo "Makefile is older than Makefile.org, Configure or config."
+Makefile: Makefile.in Configure config
+	@echo "Makefile is older than Makefile.in, Configure or config."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
 	@false
 
@@ -490,17 +402,13 @@ libclean:
 	rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
 
 clean:	libclean
-	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
+	rm -f */*/*.o */*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
 	rm -rf *.bak certs/.0
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
 	rm -f $(LIBS) tags TAGS
 	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
-	@set -e; for i in $(ONEDIRS) ;\
-	do \
-	rm -fr $$i/*; \
-	done
 
 makefile.one: files
 	$(PERL) util/mk1mf.pl >makefile.one; \
@@ -510,11 +418,6 @@ files:
 	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
 	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
 
-links:
-	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
-	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
-	@set -e; target=links; $(RECURSIVE_BUILD_CMD)
-
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
@@ -523,26 +426,39 @@ dclean:
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 
 rehash: rehash.time
-rehash.time: certs apps
+rehash.time: certs build_apps
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
 		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
 		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
-		OPENSSL_DEBUG_MEMORY=on; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		$(PERL) tools/c_rehash certs/demo) && \
+		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
+		$$OPENSSL rehash certs/demo \
+		|| $(PERL) tools/c_rehash certs/demo) && \
 		touch rehash.time; \
 	else :; fi
 
 test:   tests
 
+test_ordinals:
+	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals
+
 tests: rehash
 	@(cd test && echo "testing..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
-	OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
+	@if [ -z "$(CROSS_COMPILE)" ]; then \
+		OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a; \
+	fi
+
+list-tests:
+	@(cd test && \
+	        $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. list-tests)
 
 report:
 	@$(PERL) util/selftest.pl
 
+update: errors util/libeay.num util/ssleay.num TABLE test_ordinals
+	@set -e; target=update; $(RECURSIVE_BUILD_CMD)
+
 depend:
 	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
 
@@ -552,7 +468,7 @@ lint:
 tags TAGS: FORCE
 	rm -f TAGS tags
 	-ctags -R .
-	-etags -R .
+	-etags `find . -name '*.[ch]' -o -name '*.pm'`
 
 FORCE:
 
@@ -560,9 +476,7 @@ errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
-
-stacks:
-	$(PERL) util/mkstack.pl -write
+	(cd crypto/ct; $(MAKE) PERL=$(PERL) errors)
 
 util/libeay.num::
 	$(PERL) util/mkdef.pl crypto update
@@ -570,60 +484,43 @@ util/libeay.num::
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
 
-crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
-	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
-crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
-	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
-crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num
-	$(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h
-
-apps/openssl-vms.cnf: apps/openssl.cnf
-	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
-
-crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
-	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
-
-
-TABLE: Configure
+TABLE: Configure Configurations/*.conf
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 
-update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
-
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
-tar:
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
+	                       --owner 0 --group 0 \
+			       --transform 's|^|$(NAME)/|' \
+			       -cvf -
+
+$(TARFILE).list:
+	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
+	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
+	       \! -name '*test' \! -name '.#*' \! -name '*~' \!	-type l \
+	    | sort > $(TARFILE).list
+
+tar: $(TARFILE).list
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
-	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
-	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
-	tardy --user_number=0  --user_name=openssl \
-	      --group_number=0 --group_name=openssl \
-	      --prefix=openssl-$(VERSION) - |\
-	gzip --best >../$(TARFILE).gz; \
-	rm -f ../$(TARFILE).list; \
-	ls -l ../$(TARFILE).gz
+	$(TAR_COMMAND) | gzip --best > $(TARFILE).gz
+	rm -f $(TARFILE).list
+	ls -l $(TARFILE).gz
 
-tar-snap:
-	@$(TAR) $(TARFLAGS) -cvf - \
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
-	tardy --user_number=0  --user_name=openssl \
-	      --group_number=0 --group_name=openssl \
-	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
-	ls -l ../$(TARFILE)
+tar-snap: $(TARFILE).list
+	$(TAR_COMMAND) > $(TARFILE)
+	rm -f $(TARFILE).list
+	ls -l $(TARFILE)
 
 dist:   
 	$(PERL) Configure dist
-	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='$(SDIRS)' clean
-	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
-
-dist_pem_h:
-	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
+	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
 
 install: all install_docs install_sw
 
@@ -631,12 +528,11 @@ uninstall: uninstall_sw uninstall_docs
 
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALLDIRS)
-	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
-	do \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	@set -e; for i in include/openssl/*.h; do \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$$i; \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$$i ); \
 	done;
-	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+	@set -e; target=install; for dir in $(INSTALL_SUBS); do $(BUILD_CMD); done
 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
 	do \
 		if [ -f "$$i" ]; then \
@@ -684,8 +580,6 @@ install_sw:
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
 			echo '  $(INSTALLTOP)'; \
-			echo ''; \
-			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
 	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig

Makefile.shared

@@ -170,6 +170,17 @@ link_a.gnu:
 link_app.gnu:
 	@ $(DO_GNU_APP); $(LINK_APP)
 
+link_a.linux-shared:
+	@if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then echo libname is $(LIBNAME); sleep 2; $(DO_GNU_SO); else \
+	$(PERL) util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+	$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS='-Wl,--whole-archive,--version-script=$(LIBNAME).map'; \
+	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; $(LINK_SO_A)
+
 link_o.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
@@ -566,7 +577,7 @@ symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:
 
 # Compatibility targets
 link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
-link_a.bsd-gcc-shared link_a.linux-shared link_a.gnu-shared: link_a.gnu
+link_a.bsd-gcc-shared link_a.gnu-shared: link_a.gnu
 link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu
 symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu
 link_o.bsd-shared: link_o.bsd

NEWS

@@ -5,7 +5,74 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.2 [in beta]:
+  Major changes between OpenSSL 1.0.2e and OpenSSL 1.1.0 [in pre-release]
+
+      o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
+      o Support for extended master secret
+      o CCM ciphersuites
+      o Reworked test suite, now based on perl, Test::Harness and Test::More
+      o Varous libcrypto structures made opaque including: BIGNUM, EVP_MD,
+        EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
+      o libssl internal structures made opaque
+      o SSLv2 support removed
+      o Kerberos ciphersuite support removed
+      o RC4 removed from DEFAULT ciphersuites in libssl
+      o 40 and 56 bit cipher support removed from libssl
+      o All public header files moved to include/openssl, no more symlinking
+      o SSL/TLS state machine, version negotiation and record layer rewritten
+      o EC revision: now operations use new EC_KEY_METHOD.
+      o Support for OCB mode added to libcrypto
+      o Support for asynchronous crypto operations added to libcrypto and libssl
+      o Deprecated interfaces can now be disabled at build time either
+        relative to the latest relate via the "no-deprecated" Configure
+        argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
+      o Application software can be compiled with -DOPENSSL_API_COMPAT=version
+        to ensure that features deprecated before that version are not exposed.
+      o Support for RFC6698/RFC7671 DANE TLSA peer authentication
+
+  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
+
+      o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
+      o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
+      o X509_ATTRIBUTE memory leak (CVE-2015-3195)
+      o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
+      o In DSA_generate_parameters_ex, if the provided seed is too short,
+        return an error
+
+  Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
+
+      o Alternate chains certificate forgery (CVE-2015-1793)
+      o Race condition handling PSK identify hint (CVE-2015-3196)
+
+  Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
+
+      o Fix HMAC ABI incompatibility
+
+  Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
+
+      o Malformed ECParameters causes infinite loop (CVE-2015-1788)
+      o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
+      o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
+      o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
+      o Race condition handling NewSessionTicket (CVE-2015-1791)
+
+  Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
+
+      o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
+      o Multiblock corrupted pointer fix (CVE-2015-0290)
+      o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
+      o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
+      o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
+      o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
+      o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
+      o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
+      o Empty CKE with client auth and DHE fix (CVE-2015-1787)
+      o Handshake with unseeded PRNG fix (CVE-2015-0285)
+      o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
+      o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
+      o Removed the export ciphers from the DEFAULT ciphers
+
+  Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
 
       o Suite B support for TLS 1.2 and DTLS 1.2
       o Support for DTLS 1.2
@@ -16,6 +83,21 @@
       o ALPN support.
       o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
 
+  Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
+
+      o Build fixes for the Windows and OpenVMS platforms
+
+  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
+
+      o Fix for CVE-2014-3571
+      o Fix for CVE-2015-0206
+      o Fix for CVE-2014-3569
+      o Fix for CVE-2014-3572
+      o Fix for CVE-2015-0204
+      o Fix for CVE-2015-0205
+      o Fix for CVE-2014-8275
+      o Fix for CVE-2014-3570
+
   Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
 
       o Fix for CVE-2014-3513
@@ -39,6 +121,7 @@
 
       o Fix for CVE-2014-0224
       o Fix for CVE-2014-0221
+      o Fix for CVE-2014-0198
       o Fix for CVE-2014-0195
       o Fix for CVE-2014-3470
       o Fix for CVE-2010-5298
@@ -98,23 +181,6 @@
       o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
       o SRP support.
 
-  Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014]
-
-      o Fix for DTLS retransmission bug CVE-2013-6450
-
-  Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]:
-
-      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
-      o Fix OCSP bad key DoS attack CVE-2013-0166
-
-  Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]:
-
-      o Fix DTLS record length checking bug CVE-2012-2333
-
-  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]:
-
-      o Fix for ASN1 overflow bug CVE-2012-2110
-
   Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
 
       o Fix for CMS/PKCS#7 MMA CVE-2012-0884
@@ -187,72 +253,6 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
-  Major changes between OpenSSL 0.9.8y and OpenSSL 0.9.8za [5 Jun 2014]:
-
-      o Fix for CVE-2014-0224
-      o Fix for CVE-2014-0221
-      o Fix for CVE-2014-0195
-      o Fix for CVE-2014-3470
-      o Fix for CVE-2014-0076
-      o Fix for CVE-2010-5298
-      o Fix to TLS alert handling.
-
-  Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]:
-
-      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
-      o Fix OCSP bad key DoS attack CVE-2013-0166
-
-  Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]:
-
-      o Fix DTLS record length checking bug CVE-2012-2333
-
-  Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]:
-
-      o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
-
-  Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]:
-
-      o Fix for ASN1 overflow bug CVE-2012-2110
-
-  Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]:
-
-      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
-      o Corrected fix for CVE-2011-4619
-      o Various DTLS fixes.
-
-  Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]:
-
-      o Fix for DTLS DoS issue CVE-2012-0050
-
-  Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]:
-
-      o Fix for DTLS plaintext recovery attack CVE-2011-4108
-      o Fix policy check double free error CVE-2011-4109
-      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
-      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
-      o Check for malformed RFC3779 data CVE-2011-4577
-
-  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]:
-
-      o Fix for security issue CVE-2011-0014
-
-  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]:
-
-      o Fix for security issue CVE-2010-4180
-      o Fix for CVE-2010-4252
-
-  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]:
-
-      o Fix for security issue CVE-2010-3864.
-
-  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
-
-      o Fix for security issue CVE-2010-0742.
-      o Various DTLS fixes.
-      o Recognise SHA2 certificates if only SSL algorithms added.
-      o Fix for no-rc4 compilation.
-      o Chil ENGINE unload workaround.
-
   Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
 
       o CFB cipher definition fixes.

PROBLEMS

@@ -47,7 +47,7 @@ While running tests, running a parallell make is a bad idea.  Many test
 scripts use the same name for output and input files, which means different
 will interfere with each other and lead to test failure.
 
-The solution is simple for now: don't run parallell make when testing.
+The solution is simple for now: don't run parallel make when testing.
 
 
 * Bugs in gcc triggered

README

@@ -1,7 +1,7 @@
 
- OpenSSL 1.1.0-dev
+ OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016
 
- Copyright (c) 1998-2011 The OpenSSL Project
+ Copyright (c) 1998-2016 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
@@ -10,17 +10,17 @@
 
  The OpenSSL Project is a collaborative effort to develop a robust,
  commercial-grade, fully featured, and Open Source toolkit implementing the
- Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
- protocols as well as a full-strength general purpose cryptography library.
- The project is managed by a worldwide community of volunteers that use the
- Internet to communicate, plan, and develop the OpenSSL toolkit and its
- related documentation.
+ Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
+ well as a full-strength general purpose cryptograpic library. The project is
+ managed by a worldwide community of volunteers that use the Internet to
+ communicate, plan, and develop the OpenSSL toolkit and its related
+ documentation.
 
- OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
+ OpenSSL is descended from the SSLeay library developed by Eric A. Young
  and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
- OpenSSL license plus the SSLeay license) situation, which basically means
- that you are free to get and use it for commercial and non-commercial
- purposes as long as you fulfill the conditions of both licenses.
+ OpenSSL license plus the SSLeay license), which means that you are free to
+ get and use it for commercial and non-commercial purposes as long as you
+ fulfill the conditions of both licenses.
 
  OVERVIEW
  --------
@@ -28,90 +28,39 @@
  The OpenSSL toolkit includes:
 
  libssl.a:
-     Implementation of SSLv2, SSLv3, TLSv1 and the required code to support
-     both SSLv2, SSLv3 and TLSv1 in the one server and client.
+     Provides the client and server-side implementations for SSLv3 and TLS.
 
  libcrypto.a:
-     General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not
-     actually logically part of it. It includes routines for the following:
-
-     Ciphers
-        libdes - EAY's libdes DES encryption package which was floating
-                 around the net for a few years, and was then relicensed by
-                 him as part of SSLeay.  It includes 15 'modes/variations'
-                 of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb;
-                 pcbc and a more general form of cfb and ofb) including desx
-                 in cbc mode, a fast crypt(3), and routines to read
-                 passwords from the keyboard.
-        RC4 encryption,
-        RC2 encryption      - 4 different modes, ecb, cbc, cfb and ofb.
-        Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
-        IDEA encryption     - 4 different modes, ecb, cbc, cfb and ofb.
-
-     Digests
-        MD5 and MD2 message digest algorithms, fast implementations,
-        SHA (SHA-0) and SHA-1 message digest algorithms,
-        MDC2 message digest. A DES based hash that is popular on smart cards.
-
-     Public Key
-        RSA encryption/decryption/generation.
-            There is no limit on the number of bits.
-        DSA encryption/decryption/generation.
-            There is no limit on the number of bits.
-        Diffie-Hellman key-exchange/key generation.
-            There is no limit on the number of bits.
-
-     X.509v3 certificates
-        X509 encoding/decoding into/from binary ASN1 and a PEM
-             based ASCII-binary encoding which supports encryption with a
-             private key.  Program to generate RSA and DSA certificate
-             requests and to generate RSA and DSA certificates.
-
-     Systems
-        The normal digital envelope routines and base64 encoding.  Higher
-        level access to ciphers and digests by name.  New ciphers can be
-        loaded at run time.  The BIO io system which is a simple non-blocking
-        IO abstraction.  Current methods supported are file descriptors,
-        sockets, socket accept, socket connect, memory buffer, buffering, SSL
-        client/server, file pointer, encryption, digest, non-blocking testing
-        and null.
-
-     Data structures
-        A dynamically growing hashing system
-        A simple stack.
-        A Configuration loader that uses a format similar to MS .ini files.
+     Provides general cryptographic and X.509 support needed by SSL/TLS but
+     not logically part of it.
 
  openssl:
      A command line tool that can be used for:
-        Creation of RSA, DH and DSA key parameters
+        Creation of key parameters
         Creation of X.509 certificates, CSRs and CRLs
-        Calculation of Message Digests
-        Encryption and Decryption with Ciphers
-        SSL/TLS Client and Server Tests
+        Calculation of message digests
+        Encryption and decryption
+        SSL/TLS client and server tests
         Handling of S/MIME signed or encrypted mail
+        And more...
 
  INSTALLATION
  ------------
 
- To install this package under a Unix derivative, read the INSTALL file.  For
- a Win32 platform, read the INSTALL.W32 file.  For OpenVMS systems, read
- INSTALL.VMS.
-
- Read the documentation in the doc/ directory.  It is quite rough, but it
- lists the functions; you will probably have to look at the code to work out
- how to use them. Look at the example programs.
-
- PROBLEMS
- --------
-
- For some platforms, there are some known problems that may affect the user
- or application author.  We try to collect those in doc/PROBLEMS, with current
- thoughts on how they should be solved in a future of OpenSSL.
+ See the appropriate file:
+        INSTALL         Linux, Unix, etc.
+        INSTALL.DJGPP   DOS platform with DJGPP
+        INSTALL.NW      Netware
+        INSTALL.OS2     OS/2
+        INSTALL.VMS     VMS
+        INSTALL.W32     Windows (32bit)
+        INSTALL.W64     Windows (64bit)
+        INSTALL.WCE     Windows CE
 
  SUPPORT
  -------
 
- See the OpenSSL website www.openssl.org for details of how to obtain
+ See the OpenSSL website www.openssl.org for details on how to obtain
  commercial technical support.
 
  If you have any problems with OpenSSL then please take the following steps
@@ -137,56 +86,34 @@
 
  Email the report to:
 
-    openssl-bugs@openssl.org
+    rt@openssl.org
 
- Note that the request tracker should NOT be used for general assistance
- or support queries. Just because something doesn't work the way you expect
- does not mean it is necessarily a bug in OpenSSL.
+ In order to avoid spam, this is a moderated mailing list, and it might
+ take a day for the ticket to show up.  (We also scan posts to make sure
+ that security disclosures aren't publically posted by mistake.) Mail
+ to this address is recorded in the public RT (request tracker) database
+ (see https://www.openssl.org/community/index.html#bugs for details) and
+ also forwarded the public openssl-dev mailing list.  Confidential mail
+ may be sent to openssl-security@openssl.org (PGP key available from the
+ key servers).
 
- Note that mail to openssl-bugs@openssl.org is recorded in the public
- request tracker database (see https://www.openssl.org/support/rt.html
- for details) and also forwarded to a public mailing list. Confidential
- mail may be sent to openssl-security@openssl.org (PGP key available from
- the key servers).
+ Please do NOT use this for general assistance or support queries.
+ Just because something doesn't work the way you expect does not mean it
+ is necessarily a bug in OpenSSL.
+
+ You can also make GitHub pull requests. If you do this, please also send
+ mail to rt@openssl.org with a link to the PR so that we can more easily
+ keep track of it.
 
  HOW TO CONTRIBUTE TO OpenSSL
  ----------------------------
 
- Development is coordinated on the openssl-dev mailing list (see
- http://www.openssl.org for information on subscribing). If you
- would like to submit a patch, send it to openssl-bugs@openssl.org with
- the string "[PATCH]" in the subject. Please be sure to include a
- textual explanation of what your patch does.
+ See CONTRIBUTING
 
- If you are unsure as to whether a feature will be useful for the general
- OpenSSL community please discuss it on the openssl-dev mailing list first.
- Someone may be already working on the same thing or there may be a good
- reason as to why that feature isn't implemented.
-
- Patches should be as up to date as possible, preferably relative to the
- current Git or the last snapshot. They should follow the coding style of
- OpenSSL and compile without warnings. Some of the core team developer targets
- can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
- compiles on many varied platforms: try to ensure you only use portable
- features.
-
- Note: For legal reasons, contributions from the US can be accepted only
- if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
- (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
- please take some time to look at
-    http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
- and
-    http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
- for the details. If "your encryption source code is too large to serve as
- an email attachment", they are glad to receive it by fax instead; hope you
- have a cheap long-distance plan.
-
- Our preferred format for changes is "diff -u" output. You might
- generate it like this:
-
- # cd openssl-work
- # [your changes]
- # ./Configure dist; make clean
- # cd ..
- # diff -ur openssl-orig openssl-work > mydiffs.patch
+ LEGALITIES
+ ----------
 
+ A number of nations, in particular the U.S., restrict the use or export
+ of cryptography. If you are potentially subject to such restrictions
+ you should seek competent professional legal advice before attempting to
+ develop or distribute cryptographic code.

README.ASN1

@@ -1,187 +0,0 @@
-
-OpenSSL ASN1 Revision
-=====================
-
-This document describes some of the issues relating to the new ASN1 code.
-
-Previous OpenSSL ASN1 problems
-=============================
-
-OK why did the OpenSSL ASN1 code need revising in the first place? Well
-there are lots of reasons some of which are included below...
-
-1. The code is difficult to read and write. For every single ASN1 structure
-(e.g. SEQUENCE) four functions need to be written for new, free, encode and
-decode operations. This is a very painful and error prone operation. Very few
-people have ever written any OpenSSL ASN1 and those that have usually wish
-they hadn't.
-
-2. Partly because of 1. the code is bloated and takes up a disproportionate
-amount of space. The SEQUENCE encoder is particularly bad: it essentially
-contains two copies of the same operation, one to compute the SEQUENCE length
-and the other to encode it.
-
-3. The code is memory based: that is it expects to be able to read the whole
-structure from memory. This is fine for small structures but if you have a
-(say) 1Gb PKCS#7 signedData structure it isn't such a good idea...
-
-4. The code for the ASN1 IMPLICIT tag is evil. It is handled by temporarily
-changing the tag to the expected one, attempting to read it, then changing it
-back again. This means that decode buffers have to be writable even though they
-are ultimately unchanged. This gets in the way of constification.
-
-5. The handling of EXPLICIT isn't much better. It adds a chunk of code into 
-the decoder and encoder for every EXPLICIT tag.
-
-6. APPLICATION and PRIVATE tags aren't even supported at all.
-
-7. Even IMPLICIT isn't complete: there is no support for implicitly tagged
-types that are not OPTIONAL.
-
-8. Much of the code assumes that a tag will fit in a single octet. This is
-only true if the tag is 30 or less (mercifully tags over 30 are rare).
-
-9. The ASN1 CHOICE type has to be largely handled manually, there aren't any
-macros that properly support it.
-
-10. Encoders have no concept of OPTIONAL and have no error checking. If the
-passed structure contains a NULL in a mandatory field it will not be encoded,
-resulting in an invalid structure.
-
-11. It is tricky to add ASN1 encoders and decoders to external applications.
-
-Template model
-==============
-
-One of the major problems with revision is the sheer volume of the ASN1 code.
-Attempts to change (for example) the IMPLICIT behaviour would result in a
-modification of *every* single decode function. 
-
-I decided to adopt a template based approach. I'm using the term 'template'
-in a manner similar to SNACC templates: it has nothing to do with C++
-templates.
-
-A template is a description of an ASN1 module as several constant C structures.
-It describes in a machine readable way exactly how the ASN1 structure should
-behave. If this template contains enough detail then it is possible to write
-versions of new, free, encode, decode (and possibly others operations) that
-operate on templates.
-
-Instead of having to write code to handle each operation only a single
-template needs to be written. If new operations are needed (such as a 'print'
-operation) only a single new template based function needs to be written 
-which will then automatically handle all existing templates.
-
-Plans for revision
-==================
-
-The revision will consist of the following steps. Other than the first two
-these can be handled in any order.
- 
-o Design and write template new, free, encode and decode operations, initially
-memory based. *DONE*
-
-o Convert existing ASN1 code to template form. *IN PROGRESS*
-
-o Convert an existing ASN1 compiler (probably SNACC) to output templates
-in OpenSSL form.
-
-o Add support for BIO based ASN1 encoders and decoders to handle large
-structures, initially blocking I/O.
-
-o Add support for non blocking I/O: this is quite a bit harder than blocking
-I/O.
-
-o Add new ASN1 structures, such as OCSP, CRMF, S/MIME v3 (CMS), attribute
-certificates etc etc.
-
-Description of major changes
-============================
-
-The BOOLEAN type now takes three values. 0xff is TRUE, 0 is FALSE and -1 is
-absent. The meaning of absent depends on the context. If for example the
-boolean type is DEFAULT FALSE (as in the case of the critical flag for
-certificate extensions) then -1 is FALSE, if DEFAULT TRUE then -1 is TRUE.
-Usually the value will only ever be read via an API which will hide this from
-an application.
-
-There is an evil bug in the old ASN1 code that mishandles OPTIONAL with
-SEQUENCE OF or SET OF. These are both implemented as a STACK structure. The
-old code would omit the structure if the STACK was NULL (which is fine) or if
-it had zero elements (which is NOT OK). This causes problems because an empty
-SEQUENCE OF or SET OF will result in an empty STACK when it is decoded but when
-it is encoded it will be omitted resulting in different encodings. The new code
-only omits the encoding if the STACK is NULL, if it contains zero elements it
-is encoded and empty. There is an additional problem though: because an empty
-STACK was omitted, sometimes the corresponding *_new() function would
-initialize the STACK to empty so an application could immediately use it, if
-this is done with the new code (i.e. a NULL) it wont work. Therefore a new
-STACK should be allocated first. One instance of this is the X509_CRL list of
-revoked certificates: a helper function X509_CRL_add0_revoked() has been added
-for this purpose.
-
-The X509_ATTRIBUTE structure used to have an element called 'set' which took
-the value 1 if the attribute value was a SET OF or 0 if it was a single. Due
-to the behaviour of CHOICE in the new code this has been changed to a field
-called 'single' which is 0 for a SET OF and 1 for single. The old field has
-been deleted to deliberately break source compatibility. Since this structure
-is normally accessed via higher level functions this shouldn't break too much.
-
-The X509_REQ_INFO certificate request info structure no longer has a field
-called 'req_kludge'. This used to be set to 1 if the attributes field was
-(incorrectly) omitted. You can check to see if the field is omitted now by
-checking if the attributes field is NULL. Similarly if you need to omit
-the field then free attributes and set it to NULL.
-
-The top level 'detached' field in the PKCS7 structure is no longer set when
-a PKCS#7 structure is read in. PKCS7_is_detached() should be called instead.
-The behaviour of PKCS7_get_detached() is unaffected.
-
-The values of 'type' in the GENERAL_NAME structure have changed. This is
-because the old code use the ASN1 initial octet as the selector. The new
-code uses the index in the ASN1_CHOICE template.
-
-The DIST_POINT_NAME structure has changed to be a true CHOICE type.
-
-typedef struct DIST_POINT_NAME_st {
-int type;
-union {
-	STACK_OF(GENERAL_NAME) *fullname;
-	STACK_OF(X509_NAME_ENTRY) *relativename;
-} name;
-} DIST_POINT_NAME;
-
-This means that name.fullname or name.relativename should be set
-and type reflects the option. That is if name.fullname is set then
-type is 0 and if name.relativename is set type is 1.
-
-With the old code using the i2d functions would typically involve:
-
-unsigned char *buf, *p;
-int len;
-/* Find length of encoding */
-len = i2d_SOMETHING(x, NULL);
-/* Allocate buffer */
-buf = OPENSSL_malloc(len);
-if(buf == NULL) {
-	/* Malloc error */
-}
-/* Use temp variable because &p gets updated to point to end of
- * encoding.
- */
-p = buf;
-i2d_SOMETHING(x, &p);
-
-
-Using the new i2d you can also do:
-
-unsigned char *buf = NULL;
-int len;
-len = i2d_SOMETHING(x, &buf);
-if(len < 0) {
-	/* Malloc error */
-}
-
-and it will automatically allocate and populate a buffer with the
-encoding. After this call 'buf' will point to the start of the
-encoding which is len bytes long.

README.FIPS

@@ -1,130 +1 @@
-Preliminary status and build information for FIPS module v2.0
-
-NB: if you are cross compiling you now need to use the latest "incore" script
-this can be found at util/incore in the tarballs.
-
-If you have any object files from a previous build do:
-
-make clean
-
-To build the module do:
-
-./config fipscanisteronly
-make
-
-Build should complete without errors.
-
-Build test utilities:
-
-make build_tests
-
-Run test suite:
-
-test/fips_test_suite
-
-again should complete without errors.
-
-Run test vectors: 
-
-1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
-   only the fips-2.0 testvector files are usable for complete tests.
-
-2. Extract the files to a suitable directory.
-
-3. Run the test vector perl script, for example:
-
-   cd fips
-   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
-
-4. It should say "passed all tests" at the end. Report full details of any
-   failures.
-
-If you wish to use the older 1.2.x testvectors (for example those from 2007)
-you need the command line switch --disable-v2 to fipsalgtest.pl
-
-Examine the external symbols in fips/fipscanister.o they should all begin
-with FIPS or fips. One way to check with GNU nm is:
-
-	nm -g --defined-only fips/fipscanister.o | grep -v -i fips
-
-If you get *any* output at all from this test (i.e. symbols not starting with
-fips or FIPS) please report it.
-
-Restricted tarball tests.
-
-The validated module will have its own tarball containing sufficient code to
-build fipscanister.o and the associated algorithm tests. You can create a
-similar tarball yourself for testing purposes using the commands below.
-
-Standard restricted tarball:
-
-make -f Makefile.fips dist
-
-Prime field field only ECC tarball:
-
-make NOEC2M=1 -f Makefile.fips dist
-
-Once you've created the tarball extract into a fresh directory and do:
-
-./config
-make
-
-You can then run the algorithm tests as above. This build automatically uses
-fipscanisterbuild and no-ec2m as appropriate.
-
-FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
-
-At least initially the test module and FIPS capable OpenSSL may change and
-by out of sync. You are advised to check for any changes and pull the latest
-source from CVS if you have problems. See anon CVS and rsync instructions at:
-
-http://www.openssl.org/source/repos.html
-
-Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/
-
-If required set the environment variable FIPSDIR to an appropriate location
-to install the test module. If cross compiling set other environment
-variables too.
-
-In this restricted tarball on a Linux or U*ix like system run:
-
-./config
-make
-make install
-
-On Windows from a VC++ environment do:
-
-ms\do_fips
-
-This will build and install the test module and some associated files.
-
-Now download the latest version of the OpenSSL 1.0.1 branch from either a
-snapshot or preferably CVS. For Linux do:
-
-./config fips [other args]
-make
-
-For Windows:
-
-perl Configure VC-WIN32 fips [other args]
-ms\do_nasm
-nmake -f ms\ntdll.mak
-
-(or ms\nt.mak for a static build).
-
-Where [other args] can be any other arguments you use for an OpenSSL build
-such as "shared" or "zlib".
-
-This will build the fips capable OpenSSL and link it to the test module. You
-can now try linking and testing applications against the FIPS capable OpenSSL.
-
-Please report any problems to either the openssl-dev mailing list or directly
-to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
-reports.
-
-Known issues:
-
-Code needs extensively reviewing to ensure it builds correctly on 
-supported platforms and is compliant with FIPS 140-2.
-The "FIPS capable OpenSSL" is still largely untested, it builds and runs
-some simple tests OK on some systems but needs far more "real world" testing.
+This release does not support a FIPS 140-2 validated module.

VMS/mkshared.com

@@ -1,476 +0,0 @@
-$! MKSHARED.COM -- Create shareable images.
-$!
-$! P1: "64" for 64-bit pointers.
-$!
-$! P2: Zlib object library path (optional).
-$!
-$! Input:	[.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
-$!		[.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
-$!		[.CRYPTO.xxx]OPENSSLCONF.H
-$! Output:	[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
-$!		[.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
-$!
-$! So far, tests have only been made on VMS for Alpha.  VAX will come in time.
-$! ===========================================================================
-$!
-$! Announce/identify.
-$!
-$ proc = f$environment( "procedure")
-$ write sys$output "@@@ "+ -
-   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
-$!
-$! Save the original default device:[directory].
-$!
-$ def_orig = f$environment( "default")
-$ on error then goto tidy
-$ on control_c then goto tidy
-$!
-$! SET DEFAULT to the main kit directory.
-$!
-$ proc = f$environment("procedure")
-$ proc = f$parse( "A.;", proc)- "A.;"
-$ set default 'proc'
-$ set default [-]
-$!
-$! ----- Prepare info for processing: version number and file info
-$ gosub read_version_info
-$ if libver .eqs. ""
-$ then
-$   write sys$error "ERROR: Couldn't find any library version info..."
-$   go to tidy:
-$ endif
-$
-$ if (f$getsyi("cpu") .lt. 128)
-$ then
-$   arch_vax = 1
-$   arch = "VAX"
-$ else
-$   arch_vax = 0
-$   arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$   if (arch .eqs. "") then arch = "UNK"
-$ endif
-$!
-$ archd = arch
-$ lib32 = "32"
-$ shr = "SHR32"
-$!
-$ if (p1 .nes. "")
-$ then
-$   if (p1 .eqs. "64")
-$   then
-$     archd = arch+ "_64"
-$     lib32 = ""
-$     shr = "SHR"
-$   else
-$     if (p1 .nes. "32")
-$     then
-$       write sys$output "Second argument invalid."
-$       write sys$output "It should be "32", "64", or nothing."
-$       exit
-$     endif
-$   endif
-$ endif
-$!
-$! ----- Prepare info for processing: disabled algorithms info
-$ gosub read_disabled_algorithms_info
-$!
-$ ZLIB = p2
-$ zlib_lib = ""
-$ if (ZLIB .nes. "")
-$ then
-$   file2 = f$parse( ZLIB, "libz.olb", , , "syntax_only")
-$   if (f$search( file2) .eqs. "")
-$   then
-$     write sys$output ""
-$     write sys$output "The Option ", ZLIB, " Is Invalid."
-$     write sys$output "    Can't find library: ''file2'"
-$     write sys$output ""
-$     goto tidy
-$   endif
-$   zlib_lib = ", ''file2' /library"
-$ endif
-$!
-$ if (arch_vax)
-$ then
-$   libtit = "CRYPTO_TRANSFER_VECTOR"
-$   libid  = "Crypto"
-$   libnum = "[.UTIL]LIBEAY.NUM"
-$   libdir = "[.''ARCHD'.EXE.CRYPTO]"
-$   libmar = "''libdir'SSL_LIBCRYPTO_''shr'.MAR"
-$   libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
-$   libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
-$   libobj = "''libdir'SSL_LIBCRYPTO_''shr'.OBJ"
-$   libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
-$   libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
-$   libref = ""
-$   libvec = "LIBCRYPTO"
-$   if f$search( libolb) .nes. "" then gosub create_vax_shr
-$   libtit = "SSL_TRANSFER_VECTOR"
-$   libid  = "SSL"
-$   libnum = "[.UTIL]SSLEAY.NUM"
-$   libdir = "[.''ARCHD'.EXE.SSL]"
-$   libmar = "''libdir'SSL_LIBSSL_''shr'.MAR"
-$   libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
-$   libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
-$   libobj = "''libdir'SSL_LIBSSL_''shr'.OBJ"
-$   libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
-$   libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
-$   libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
-$   libvec = "LIBSSL"
-$   if f$search( libolb) .nes. "" then gosub create_vax_shr
-$ else
-$   libid  = "Crypto"
-$   libnum = "[.UTIL]LIBEAY.NUM"
-$   libdir = "[.''ARCHD'.EXE.CRYPTO]"
-$   libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
-$   libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
-$   libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
-$   libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
-$   libref = ""
-$   if f$search( libolb) .nes. "" then gosub create_nonvax_shr
-$   libid  = "SSL"
-$   libnum = "[.UTIL]SSLEAY.NUM"
-$   libdir = "[.''ARCHD'.EXE.SSL]"
-$   libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
-$   libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
-$   libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
-$   libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
-$   libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
-$   if f$search( libolb) .nes. "" then gosub create_nonvax_shr
-$ endif
-$!
-$ tidy:
-$!
-$! Close any open files.
-$!
-$ if (f$trnlnm( "libnum", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
-   close libnum
-$!
-$ if (f$trnlnm( "mar", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
-   close mar
-$!
-$ if (f$trnlnm( "opt", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
-   close opt
-$!
-$ if (f$trnlnm( "vf", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
-   close vf
-$!
-$! Restore the original default device:[directory].
-$!
-$ set default 'def_orig'
-$ exit
-$
-$! ----- Subroutines to build the shareable libraries
-$! For each supported architecture, there's a main shareable library
-$! creator, which is called from the main code above.
-$! The creator will define a number of variables to tell the next levels of
-$! subroutines what routines to use to write to the option files, call the
-$! main processor, read_func_num, and when that is done, it will write version
-$! data at the end of the .opt file, close it, and link the library.
-$!
-$! read_func_num reads through a .num file and calls the writer routine for
-$! each line.  It's also responsible for checking that order is properly kept
-$! in the .num file, check that each line applies to VMS and the architecture,
-$! and to fill in "holes" with dummy entries.
-$!
-$! The creator routines depend on the following variables:
-$! libnum	The name of the .num file to use as input
-$! libolb	The name of the object library to build from
-$! libid	The identification string of the shareable library
-$! libopt	The name of the .opt file to write
-$! libtit	The title of the assembler transfer vector file (VAX only)
-$! libmar	The name of the assembler transfer vector file (VAX only)
-$! libmap	The name of the map file to write
-$! libgoal	The name of the shareable library to write
-$! libref	The name of a shareable library to link in
-$!
-$! read_func_num depends on the following variables from the creator:
-$! libwriter	The name of the writer routine to call for each .num file line
-$! -----
-$
-$! ----- Subroutines for non-VAX
-$! -----
-$! The creator routine
-$ create_nonvax_shr:
-$   open /write opt 'libopt'
-$   write opt "identification=""",libid," ",libverstr,""""
-$   write opt libolb, " /library"
-$   if libref .nes. "" then write opt libref,"/SHARE"
-$   write opt "SYMBOL_VECTOR=(-"
-$   libfirstentry := true
-$   libwrch   := opt
-$   libwriter := write_nonvax_transfer_entry
-$   textcount = 0
-$   gosub read_func_num
-$   write opt ")"
-$   write opt "GSMATCH=",libvmatch,",",libver
-$   close opt
-$   link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
-     'zlib_lib'
-$   return
-$
-$! The record writer routine
-$ write_nonvax_transfer_entry:
-$   if libentry .eqs. ".dummy" then return
-$   if info_kind .eqs. "VARIABLE"
-$   then
-$     pr:=DATA
-$   else
-$     pr:=PROCEDURE
-$   endif
-$   textcount_this = f$length(pr) + f$length(libentry) + 5
-$   if textcount + textcount_this .gt. 1024
-$   then
-$     write opt ")"
-$     write opt "SYMBOL_VECTOR=(-"
-$     textcount = 16
-$     libfirstentry := true
-$   endif
-$   if libfirstentry
-$   then
-$     write 'libwrch' "    ",libentry,"=",pr," -"
-$   else
-$     write 'libwrch' "    ,",libentry,"=",pr," -"
-$   endif
-$   libfirstentry := false
-$   textcount = textcount + textcount_this
-$   return
-$
-$! ----- Subroutines for VAX
-$! -----
-$! The creator routine
-$ create_vax_shr:
-$   open /write mar 'libmar'
-$   type sys$input:/out=mar:
-;
-; Transfer vector for VAX shareable image
-;
-$   write mar "	.TITLE ",libtit
-$   write mar "	.IDENT /",libid,"/"
-$   type sys$input:/out=mar:
-;
-; Define macro to assist in building transfer vector entries.  Each entry
-; should take no more than 8 bytes.
-;
-	.MACRO FTRANSFER_ENTRY routine
-	.ALIGN QUAD
-	.TRANSFER routine
-	.MASK	routine
-	JMP	routine+2
-	.ENDM FTRANSFER_ENTRY
-;
-; Place entries in own program section.
-;
-$   write mar "	.PSECT $$",libvec,",QUAD,PIC,USR,CON,REL,LCL,SHR,EXE,RD,NOWRT"
-$   write mar libvec,"_xfer:"
-$   libwrch   := mar
-$   libwriter := write_vax_ftransfer_entry
-$   gosub read_func_num
-$   type sys$input:/out=mar:
-;
-; Allocate extra storage at end of vector to allow for expansion.
-;
-$   write mar "	.BLKB 32768-<.-",libvec,"_xfer>	; 64 pages total."
-$!   libwriter := write_vax_vtransfer_entry
-$!   gosub read_func_num
-$   write mar "	.END"
-$   close mar
-$   open /write opt 'libopt'
-$   write opt "identification=""",libid," ",libverstr,""""
-$   write opt libobj
-$   write opt libolb, " /library"
-$   if libref .nes. "" then write opt libref,"/SHARE"
-$   type sys$input:/out=opt:
-!
-! Ensure transfer vector is at beginning of image
-!
-CLUSTER=FIRST
-$   write opt "COLLECT=FIRST,$$",libvec
-$   write opt "GSMATCH=",libvmatch,",",libver
-$   type sys$input:/out=opt:
-!
-! make psects nonshareable so image can be installed.
-!
-PSECT_ATTR=$CHAR_STRING_CONSTANTS,NOWRT
-$   libwrch   := opt
-$   libwriter := write_vax_psect_attr
-$   gosub read_func_num
-$   close opt
-$   macro/obj='libobj' 'libmar'
-$   link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
-     'zlib_lib'
-$   return
-$
-$! The record writer routine for VAX functions
-$ write_vax_ftransfer_entry:
-$   if info_kind .nes. "FUNCTION" then return
-$   if libentry .eqs ".dummy"
-$   then
-$     write 'libwrch' "	.BLKB 8" ! Dummy is zeroes...
-$   else
-$     write 'libwrch' "	FTRANSFER_ENTRY ",libentry
-$   endif
-$   return
-$! The record writer routine for VAX variables (should never happen!)
-$ write_vax_psect_attr:
-$   if info_kind .nes. "VARIABLE" then return
-$   if libentry .eqs ".dummy" then return
-$   write 'libwrch' "PSECT_ATTR=",libentry,",NOSHR"
-$   return
-$
-$! ----- Common subroutines
-$! -----
-$! The .num file reader.  This one has great responsibility.
-$ read_func_num:
-$   open /read libnum 'libnum'
-$   goto read_nums
-$
-$ read_nums:
-$   libentrynum=0
-$   liblastentry:=false
-$   entrycount=0
-$   loop:
-$     read /end=loop_end /err=loop_end libnum line
-$     lin = f$edit( line, "COMPRESS,TRIM")
-$!    Skip a "#" comment line.
-$     if (f$extract( 0, 1, lin) .eqs. "#") then goto loop
-$     entrynum = f$int(f$element( 1, " ", lin))
-$     entryinfo = f$element( 2, " ", lin)
-$     curentry = f$element( 0, " ", lin)
-$     info_exist = f$element( 0, ":", entryinfo)
-$     info_platforms = ","+ f$element(1, ":", entryinfo)+ ","
-$     info_kind = f$element( 2, ":", entryinfo)
-$     info_algorithms = ","+ f$element( 3, ":", entryinfo)+ ","
-$     if info_exist .eqs. "NOEXIST" then goto loop
-$     truesum = 0
-$     falsesum = 0
-$     negatives = 1
-$     plat_i = 0
-$     loop1:
-$       plat_entry = f$element( plat_i, ",", info_platforms)
-$       plat_i = plat_i + 1
-$       if plat_entry .eqs. "" then goto loop1
-$       if plat_entry .nes. ","
-$       then
-$         if f$extract(0,1,plat_entry) .nes. "!" then negatives = 0
-$         if (arch_vax)
-$         then
-$           if plat_entry .eqs. "EXPORT_VAR_AS_FUNCTION" then -
-$             truesum = truesum + 1
-$           if plat_entry .eqs. "!EXPORT_VAR_AS_FUNCTION" then -
-$             falsesum = falsesum + 1
-$         endif
-$!
-$         if ((plat_entry .eqs. "VMS") .or. -
-            ((plat_entry .eqs. "ZLIB") .and. (ZLIB .nes. "")) .or. -
-            (arch_vax .and. (plat_entry .eqs. "VMSVAX"))) then -
-            truesum = truesum + 1
-$!
-$         if ((plat_entry .eqs. "!VMS") .or. -
-            (arch_vax .and. (plat_entry .eqs. "!VMSVAX"))) then -
-            falsesum = falsesum + 1
-$!
-$	  goto loop1
-$       endif
-$     endloop1:
-$!DEBUG!$     if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
-$!DEBUG!$     then
-$!DEBUG!$       write sys$output line
-$!DEBUG!$       write sys$output "        truesum = ",truesum,-
-$!DEBUG!		", negatives = ",negatives,", falsesum = ",falsesum
-$!DEBUG!$     endif
-$     if falsesum .ne. 0 then goto loop
-$     if truesum+negatives .eq. 0 then goto loop
-$     alg_i = 0
-$     loop2:
-$       alg_entry = f$element(alg_i,",",info_algorithms)
-$	alg_i = alg_i + 1
-$       if alg_entry .eqs. "" then goto loop2
-$       if alg_entry .nes. ","
-$       then
-$	  if disabled_algorithms - ("," + alg_entry + ",") .nes disabled_algorithms then goto loop
-$         if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
-$	  goto loop2
-$       endif
-$     endloop2:
-$     if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
-$     then
-$!DEBUG!$     write sys$output curentry," ; ",entrynum," ; ",entryinfo
-$     endif
-$   redo:
-$     next:=loop
-$     tolibentry=curentry
-$     if libentrynum .ne. entrynum
-$     then
-$       entrycount=entrycount+1
-$       if entrycount .lt. entrynum
-$       then
-$!DEBUG!$         write sys$output "Info: entrycount: ''entrycount', entrynum: ''entrynum' => 0"
-$         tolibentry=".dummy"
-$         next:=redo
-$       endif
-$       if entrycount .gt. entrynum
-$       then
-$         write sys$error "Decreasing library entry numbers!  Can't continue"
-$         write sys$error """",line,""""
-$         close libnum
-$         return
-$       endif
-$       libentry=tolibentry
-$!DEBUG!$       write sys$output entrycount," ",libentry," ",entryinfo
-$       if libentry .nes. "" .and. libwriter .nes. "" then gosub 'libwriter'
-$     else
-$       write sys$error "Info: ""''curentry'"" is an alias for ""''libentry'"".  Overriding..."
-$     endif
-$     libentrynum=entrycount
-$     goto 'next'
-$   loop_end:
-$   close libnum
-$   return
-$
-$! The version number reader
-$ read_version_info:
-$   libver = ""
-$   open /read vf [.CRYPTO]OPENSSLV.H
-$   loop_rvi:
-$     read/err=endloop_rvi/end=endloop_rvi vf rvi_line
-$     if rvi_line - "SHLIB_VERSION_NUMBER """ .eqs. rvi_line then -
-	goto loop_rvi
-$     libverstr = f$element(1,"""",rvi_line)
-$     libvmajor = f$element(0,".",libverstr)
-$     libvminor = f$element(1,".",libverstr)
-$     libvedit = f$element(2,".",libverstr)
-$     libvpatch = f$cvui(0,8,f$extract(1,1,libvedit)+"@")-f$cvui(0,8,"@")
-$     libvedit = f$extract(0,1,libvedit)
-$     libver = f$string(f$int(libvmajor)*100)+","+-
-	f$string(f$int(libvminor)*100+f$int(libvedit)*10+f$int(libvpatch))
-$     if libvmajor .eqs. "0"
-$     then
-$       libvmatch = "EQUAL"
-$     else
-$       ! Starting with the 1.0 release, backward compatibility should be
-$       ! kept, so switch over to the following
-$       libvmatch = "LEQUAL"
-$     endif
-$   endloop_rvi:
-$   close vf
-$   return
-$
-$! The disabled algorithms reader
-$ read_disabled_algorithms_info:
-$   disabled_algorithms = ","
-$   open /read cf [.CRYPTO.'ARCH']OPENSSLCONF.H
-$   loop_rci:
-$     read/err=endloop_rci/end=endloop_rci cf rci_line
-$     rci_line = f$edit(rci_line,"TRIM,COMPRESS")
-$     rci_ei = 0
-$     if f$extract(0,9,rci_line) .eqs. "# define " then rci_ei = 2
-$     if f$extract(0,8,rci_line) .eqs. "#define " then rci_ei = 1
-$     if rci_ei .eq. 0 then goto loop_rci
-$     rci_e = f$element(rci_ei," ",rci_line)
-$     if f$extract(0,11,rci_e) .nes. "OPENSSL_NO_" then goto loop_rci
-$     disabled_algorithms = disabled_algorithms + f$extract(11,999,rci_e) + ","
-$     goto loop_rci
-$   endloop_rci:
-$   close cf
-$   return

apps/CA.com

@@ -10,29 +10,14 @@ $! At the end of that grab newreq.pem and newcert.pem (one has the key
 $! and the other the certificate) and cat them together and that is what
 $! you want/need ... I'll make even this a little cleaner later.
 $!
-$!
-$! 12-Jan-96 tjh    Added more things ... including CA -signcert which
-$!                  converts a certificate to a request and then signs it.
-$! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
-$!                 environment variable so this can be driven from
-$!                 a script.
-$! 25-Jul-96 eay    Cleaned up filenames some more.
-$! 11-Jun-96 eay    Fixed a few filename missmatches.
-$! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
-$! 18-Apr-96 tjh    Original hacking
-$!
-$! Tim Hudson
-$! tjh@cryptsoft.com
-$!
-$!
-$! default ssleay.cnf file has setup as per the following
+$! default openssl.cnf file has setup as per the following
 $! demoCA ... where everything is stored
 $
-$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
+$ IF F$TYPE(OPENSSL_CONFIG) .EQS. "" THEN OPENSSL_CONFIG := SSLLIB:OPENSSL.CNF
 $
 $ DAYS   = "-days 365"
-$ REQ    = openssl + " req " + SSLEAY_CONFIG
-$ CA     = openssl + " ca " + SSLEAY_CONFIG
+$ REQ    = openssl + " req " + OPENSSL_CONFIG
+$ CA     = openssl + " ca " + OPENSSL_CONFIG
 $ VERIFY = openssl + " verify"
 $ X509   = openssl + " x509"
 $ PKCS12 = openssl + " pkcs12"

apps/CA.pl.in

@@ -1,197 +1,189 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
 #
-# CA - wrapper around ca to make it easier to use
-#
-# CA -newca ... will setup the right stuff
-# CA -newreq[-nodes] ... will generate a certificate request 
-# CA -sign ... will sign the generated request and output 
+# Wrapper around the ca to make it easier to use
+# Edit CA.pl.in not CA.pl!
 
-# default openssl.cnf file has setup as per the following
-# demoCA ... where everything is stored
 
-my $openssl;
-if(defined $ENV{OPENSSL}) {
-	$openssl = $ENV{OPENSSL};
+use strict;
+use warnings;
+
+my $openssl = "openssl";
+if(defined $ENV{'OPENSSL'}) {
+    $openssl = $ENV{'OPENSSL'};
 } else {
-	$openssl = "openssl";
-	$ENV{OPENSSL} = $openssl;
+    $ENV{'OPENSSL'} = $openssl;
 }
 
-$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
-$DAYS="-days 365";	# 1 year
-$CADAYS="-days 1095";	# 3 years
-$REQ="$openssl req $SSLEAY_CONFIG";
-$CA="$openssl ca $SSLEAY_CONFIG";
-$VERIFY="$openssl verify";
-$X509="$openssl x509";
-$PKCS12="$openssl pkcs12";
+my $verbose = 1;
 
-$CATOP="./demoCA";
-$CAKEY="cakey.pem";
-$CAREQ="careq.pem";
-$CACERT="cacert.pem";
-$CACRL="crl.pem";
+my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"};
+my $DAYS = "-days 365";
+my $CADAYS = "-days 1095";	# 3 years
+my $REQ = "$openssl req $OPENSSL_CONFIG";
+my $CA = "$openssl ca $OPENSSL_CONFIG";
+my $VERIFY = "$openssl verify";
+my $X509 = "$openssl x509";
+my $PKCS12 = "$openssl pkcs12";
 
-$DIRMODE = 0777;
+# default openssl.cnf file has setup as per the following
+my $CATOP = "./demoCA";
+my $CAKEY = "cakey.pem";
+my $CAREQ = "careq.pem";
+my $CACERT = "cacert.pem";
+my $CACRL = "crl.pem";
+my $DIRMODE = 0777;
 
-$RET = 0;
+my $NEWKEY = "newkey.pem";
+my $NEWREQ = "newreq.pem";
+my $NEWCERT = "newcert.pem";
+my $NEWP12 = "newcert.p12";
+my $RET = 0;
+my $WHAT = shift @ARGV;
+my $FILE;
 
-foreach (@ARGV) {
-	if ( /^(-\?|-h|-help)$/ ) {
-	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
-	    print STDERR "       CA -crl|-revoke cert-filename [reason]\n";
-	    exit 0;
-	} elsif (/^-newcert$/) {
-	    # create a certificate
-	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
-	    $RET=$?;
-	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
-	} elsif (/^-newreq$/) {
-	    # create a certificate request
-	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
-	    $RET=$?;
-	    print "Request is in newreq.pem, private key is in newkey.pem\n";
-	} elsif (/^-newreq-nodes$/) {
-	    # create a certificate request
-	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
-	    $RET=$?;
-	    print "Request is in newreq.pem, private key is in newkey.pem\n";
-	} elsif (/^-newca$/) {
-		# if explicitly asked for or it doesn't exist then setup the
-		# directory structure that Eric likes to manage things 
-	    $NEW="1";
-	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
-		# create the directory hierarchy
-		mkdir $CATOP, $DIRMODE;
-		mkdir "${CATOP}/certs", $DIRMODE;
-		mkdir "${CATOP}/crl", $DIRMODE ;
-		mkdir "${CATOP}/newcerts", $DIRMODE;
-		mkdir "${CATOP}/private", $DIRMODE;
-		open OUT, ">${CATOP}/index.txt";
-		close OUT;
-		open OUT, ">${CATOP}/crlnumber";
-		print OUT "01\n";
-		close OUT;
-	    }
-	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
-		print "CA certificate filename (or enter to create)\n";
-		$FILE = <STDIN>;
+# See if reason for a CRL entry is valid; exit if not.
+sub crl_reason_ok
+{
+    my $r = shift;
 
-		chop $FILE;
+    if ($r eq 'unspecified' || $r eq 'keyCompromise'
+        || $r eq 'CACompromise' || $r eq 'affiliationChanged'
+        || $r eq 'superseded' || $r eq 'cessationOfOperation'
+        || $r eq 'certificateHold' || $r eq 'removeFromCRL') {
+        return 1;
+    }
+    print STDERR "Invalid CRL reason; must be one of:\n";
+    print STDERR "    unspecified, keyCompromise, CACompromise,\n";
+    print STDERR "    affiliationChanged, superseded, cessationOfOperation\n";
+    print STDERR "    certificateHold, removeFromCRL";
+    exit 1;
+}
 
-		# ask user for existing CA certificate
-		if ($FILE) {
-		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
-		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
-		    $RET=$?;
-		} else {
-		    print "Making CA certificate ...\n";
-		    system ("$REQ -new -keyout " .
-			"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
-		    system ("$CA -create_serial " .
-			"-out ${CATOP}/$CACERT $CADAYS -batch " . 
-			"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
-			"-extensions v3_ca " .
-			"-infiles ${CATOP}/$CAREQ ");
-		    $RET=$?;
-		}
-	    }
-	} elsif (/^-pkcs12$/) {
-	    my $cname = $ARGV[1];
-	    $cname = "My Certificate" unless defined $cname;
-	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
-			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
-			"-export -name \"$cname\"");
-	    $RET=$?;
-	    print "PKCS #12 file is in newcert.p12\n";
-	    exit $RET;
-	} elsif (/^-xsign$/) {
-	    system ("$CA -policy policy_anything -infiles newreq.pem");
-	    $RET=$?;
-	} elsif (/^(-sign|-signreq)$/) {
-	    system ("$CA -policy policy_anything -out newcert.pem " .
-							"-infiles newreq.pem");
-	    $RET=$?;
-	    print "Signed certificate is in newcert.pem\n";
-	} elsif (/^(-signCA)$/) {
-	    system ("$CA -policy policy_anything -out newcert.pem " .
-					"-extensions v3_ca -infiles newreq.pem");
-	    $RET=$?;
-	    print "Signed CA certificate is in newcert.pem\n";
-	} elsif (/^-signcert$/) {
-	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
-								"-out tmp.pem");
-	    system ("$CA -policy policy_anything -out newcert.pem " .
-							"-infiles tmp.pem");
-	    $RET = $?;
-	    print "Signed certificate is in newcert.pem\n";
-	} elsif (/^-verify$/) {
-	    if (shift) {
-		foreach $j (@ARGV) {
-		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
-		    $RET=$? if ($? != 0);
-		}
-		exit $RET;
-	    } else {
-		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
-		    $RET=$?;
-		    exit $RET;
-	    }
-	} elsif (/^-crl$/) {
-		system ("$CA -gencrl -out $CATOP/crl/$CACRL");
-		$RET=$?;
-		print "Generated CRL is in $CATOP/crl/$CACRL\n" if (!$RET);
-	} elsif (/^-revoke$/) {
-		my $cname = $ARGV[1];
-		if (!defined $cname) {
-			print "Certificate filename is required; reason optional.\n";
-			exit 1;
-		}
-		my $reason = $ARGV[2];
-		$reason = " -crl_reason $reason"
-			if defined $reason && crl_reason_ok($reason);
-		my $cmd = "$CA -revoke \"$cname\"".$reason;
-		system ($cmd);
-		$RET=$?;
-		exit $RET;
-	} else {
-	    print STDERR "Unknown arg $_\n";
-	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
-	    print STDERR "       CA -crl|-revoke cert-filename [reason]\n";
-	    exit 1;
-	}
+# Copy a PEM-format file; return like exit status (zero means ok)
+sub copy_pemfile
+{
+    my ($infile, $outfile, $bound) = @_;
+    my $found = 0;
+
+    open IN, $infile || die "Cannot open $infile, $!";
+    open OUT, ">$outfile" || die "Cannot write to $outfile, $!";
+    while (<IN>) {
+        $found = 1 if /^-----BEGIN.*$bound/;
+        print OUT $_ if $found;
+        $found = 2, last if /^-----END.*$bound/;
+    }
+    close IN;
+    close OUT;
+    return $found == 2 ? 0 : 1;
+}
+
+# Wrapper around system; useful for debugging.  Returns just the exit status
+sub run
+{
+    my $cmd = shift;
+    print "====\n$cmd\n" if $verbose;
+    my $status = system($cmd);
+    print "==> $status\n====\n" if $verbose;
+    return $status >> 8;
+}
+
+
+if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
+    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+    print STDERR "       CA -pkcs12 [certname]\n";
+    print STDERR "       CA -crl|-revoke cert-filename [reason]\n";
+    exit 0;
+}
+if ($WHAT eq '-newcert' ) {
+    # create a certificate
+    $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS");
+    print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT eq '-newreq' ) {
+    # create a certificate request
+    $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS");
+    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT eq '-newreq-nodes' ) {
+    # create a certificate request
+    $RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS");
+    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
+} elsif ($WHAT eq '-newca' ) {
+    # create the directory hierarchy
+    mkdir ${CATOP}, $DIRMODE;
+    mkdir "${CATOP}/certs", $DIRMODE;
+    mkdir "${CATOP}/crl", $DIRMODE ;
+    mkdir "${CATOP}/newcerts", $DIRMODE;
+    mkdir "${CATOP}/private", $DIRMODE;
+    open OUT, ">${CATOP}/index.txt";
+    close OUT;
+    open OUT, ">${CATOP}/crlnumber";
+    print OUT "01\n";
+    close OUT;
+    # ask user for existing CA certificate
+    print "CA certificate filename (or enter to create)\n";
+    $FILE = <STDIN>;
+    chop $FILE if $FILE;
+    if ($FILE) {
+        copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+        copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+    } else {
+        print "Making CA certificate ...\n";
+        $RET = run("$REQ -new -keyout"
+                . " ${CATOP}/private/$CAKEY"
+                . " -out ${CATOP}/$CAREQ");
+        $RET = run("$CA -create_serial"
+                . " -out ${CATOP}/$CACERT $CADAYS -batch"
+                . " -keyfile ${CATOP}/private/$CAKEY -selfsign"
+                . " -extensions v3_ca"
+                . " -infiles ${CATOP}/$CAREQ") if $RET == 0;
+        print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
+    }
+} elsif ($WHAT eq '-pkcs12' ) {
+    my $cname = $ARGV[1];
+    $cname = "My Certificate" unless defined $cname;
+    $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
+            . " -certfile ${CATOP}/$CACERT"
+            . " -out $NEWP12"
+            . " -export -name \"$cname\"");
+    print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
+} elsif ($WHAT eq '-xsign' ) {
+    $RET = run("$CA -policy policy_anything -infiles $NEWREQ");
+} elsif ($WHAT eq '-sign' ) {
+    $RET = run("$CA -policy policy_anything -out $NEWCERT -infiles $NEWREQ");
+    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
+} elsif ($WHAT eq '-signCA' ) {
+    $RET = run("$CA -policy policy_anything -out $NEWCERT"
+            . " -extensions v3_ca -infiles $NEWREQ");
+    print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
+} elsif ($WHAT eq '-signcert' ) {
+    $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
+            . " -out tmp.pem");
+    $RET = run("$CA -policy policy_anything -out $NEWCERT"
+            . " -infiles tmp.pem") if $RET == 0;
+    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
+} elsif ($WHAT eq '-verify' ) {
+    my @files = @ARGV ? @ARGV : ( $NEWCERT );
+    my $file;
+    foreach $file (@files) {
+        my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file");
+        $RET = $status if $status != 0;
+    }
+} elsif ($WHAT eq '-crl' ) {
+    $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL");
+    print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
+} elsif ($WHAT eq '-revoke' ) {
+    my $cname = $ARGV[1];
+    if (!defined $cname) {
+        print "Certificate filename is required; reason optional.\n";
+        exit 1;
+    }
+    my $reason = $ARGV[2];
+    $reason = " -crl_reason $reason"
+        if defined $reason && crl_reason_ok($reason);
+    $RET = run("$CA -revoke \"$cname\"" . $reason);
+} else {
+    print STDERR "Unknown arg \"$WHAT\"\n";
+    print STDERR "Use -help for help.\n";
+    exit 1;
 }
 
 exit $RET;
-
-sub crl_reason_ok {
-	my ($r) = shift;
-	if ($r eq 'unspecified' || $r eq 'keyCompromise' ||
-	$r eq 'CACompromise' || $r eq 'affiliationChanged' ||
-	$r eq 'superseded' || $r eq 'cessationOfOperation' ||
-	$r eq 'certificateHold' || $r eq 'removeFromCRL') {
-		return 1;
-	}
-	print STDERR "Invalid CRL reason; must be one of:\n";
-	print STDERR "    unspecified, keyCompromise, CACompromise,\n";
-	print STDERR "    affiliationChanged, superseded, cessationOfOperation\n";
-	print STDERR "    certificateHold, removeFromCRL";
-	exit 1;
-}
-
-sub cp_pem {
-my ($infile, $outfile, $bound) = @_;
-open IN, $infile;
-open OUT, ">$outfile";
-my $flag = 0;
-while (<IN>) {
-	$flag = 1 if (/^-----BEGIN.*$bound/) ;
-	print OUT $_ if ($flag);
-	if (/^-----END.*$bound/) {
-		close IN;
-		close OUT;
-		return;
-	}
-}
-}
-

apps/CA.sh

@@ -1,198 +0,0 @@
-#!/bin/sh
-#
-# CA - wrapper around ca to make it easier to use ... basically ca requires
-#      some setup stuff to be done before you can use it and this makes
-#      things easier between now and when Eric is convinced to fix it :-)
-#
-# CA -newca ... will setup the right stuff
-# CA -newreq ... will generate a certificate request
-# CA -sign ... will sign the generated request and output
-#
-# At the end of that grab newreq.pem and newcert.pem (one has the key
-# and the other the certificate) and cat them together and that is what
-# you want/need ... I'll make even this a little cleaner later.
-#
-#
-# 12-Jan-96 tjh    Added more things ... including CA -signcert which
-#                  converts a certificate to a request and then signs it.
-# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
-#                  environment variable so this can be driven from
-#                  a script.
-# 25-Jul-96 eay    Cleaned up filenames some more.
-# 11-Jun-96 eay    Fixed a few filename missmatches.
-# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
-# 18-Apr-96 tjh    Original hacking
-#
-# Tim Hudson
-# tjh@cryptsoft.com
-#
-
-# default openssl.cnf file has setup as per the following
-# demoCA ... where everything is stored
-cp_pem() {
-    infile=$1
-    outfile=$2
-    bound=$3
-    flag=0
-    exec <$infile;
-    while read line; do
-	if [ $flag -eq 1 ]; then
-		echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
-		if [ $? -eq 0 ] ; then
-			echo $line >>$outfile
-			break
-		else
-			echo $line >>$outfile
-		fi
-	fi
-
-	echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
-	if [ $? -eq 0 ]; then
-		echo $line >$outfile
-		flag=1
-	fi
-    done
-}
-
-usage() {
- echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
-}
-
-if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
-
-if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year
-CADAYS="-days 1095"	# 3 years
-REQ="$OPENSSL req $SSLEAY_CONFIG"
-CA="$OPENSSL ca $SSLEAY_CONFIG"
-VERIFY="$OPENSSL verify"
-X509="$OPENSSL x509"
-PKCS12="openssl pkcs12"
-
-if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
-CAKEY=./cakey.pem
-CAREQ=./careq.pem
-CACERT=./cacert.pem
-
-RET=0
-
-while [ "$1" != "" ] ; do
-case $1 in
--\?|-h|-help)
-    usage
-    exit 0
-    ;;
--newcert)
-    # create a certificate
-    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
-    RET=$?
-    echo "Certificate is in newcert.pem, private key is in newkey.pem"
-    ;;
--newreq)
-    # create a certificate request
-    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
-    RET=$?
-    echo "Request is in newreq.pem, private key is in newkey.pem"
-    ;;
--newreq-nodes) 
-    # create a certificate request
-    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
-    RET=$?
-    echo "Request (and private key) is in newreq.pem"
-    ;;
--newca)
-    # if explicitly asked for or it doesn't exist then setup the directory
-    # structure that Eric likes to manage things
-    NEW="1"
-    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
-	# create the directory hierarchy
-	mkdir -p ${CATOP}
-	mkdir -p ${CATOP}/certs
-	mkdir -p ${CATOP}/crl
-	mkdir -p ${CATOP}/newcerts
-	mkdir -p ${CATOP}/private
-	touch ${CATOP}/index.txt
-    fi
-    if [ ! -f ${CATOP}/private/$CAKEY ]; then
-	echo "CA certificate filename (or enter to create)"
-	read FILE
-
-	# ask user for existing CA certificate
-	if [ "$FILE" ]; then
-	    cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
-	    cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
-	    RET=$?
-	    if [ ! -f "${CATOP}/serial" ]; then
-		$X509 -in ${CATOP}/$CACERT -noout -next_serial \
-		      -out ${CATOP}/serial
-	    fi
-	else
-	    echo "Making CA certificate ..."
-	    $REQ -new -keyout ${CATOP}/private/$CAKEY \
-			   -out ${CATOP}/$CAREQ
-	    $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
-			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
-			   -extensions v3_ca \
-			   -infiles ${CATOP}/$CAREQ
-	    RET=$?
-	fi
-    fi
-    ;;
--xsign)
-    $CA -policy policy_anything -infiles newreq.pem
-    RET=$?
-    ;;
--pkcs12)
-    if [ -z "$2" ] ; then
-	CNAME="My Certificate"
-    else
-	CNAME="$2"
-    fi
-    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
-	    -out newcert.p12 -export -name "$CNAME"
-    RET=$?
-    exit $RET
-    ;;
--sign|-signreq)
-    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
-    RET=$?
-    cat newcert.pem
-    echo "Signed certificate is in newcert.pem"
-    ;;
--signCA)
-    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
-    RET=$?
-    echo "Signed CA certificate is in newcert.pem"
-    ;;
--signcert)
-    echo "Cert passphrase will be requested twice - bug?"
-    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
-    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
-    RET=$?
-    cat newcert.pem
-    echo "Signed certificate is in newcert.pem"
-    ;;
--verify)
-    shift
-    if [ -z "$1" ]; then
-	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
-	    RET=$?
-    else
-	for j
-	do
-	    $VERIFY -CAfile $CATOP/$CACERT $j
-	    if [ $? != 0 ]; then
-		    RET=$?
-	    fi
-	done
-    fi
-    exit $RET
-    ;;
-*)
-    echo "Unknown arg $i" >&2
-    usage
-    exit 1
-    ;;
-esac
-shift
-done
-exit $RET

apps/Makefile.in

@@ -0,0 +1,154 @@
+#
+#  apps/Makefile
+#
+
+DIR=		apps
+TOP=		..
+CC=		cc
+INCLUDES=	-I$(TOP) -I../crypto -I../include
+CFLAG=		-g -static -Wswitch
+MAKEFILE=	Makefile
+PERL=		perl
+RM=		rm -f
+
+PEX_LIBS=
+EX_LIBS= 
+EXE_EXT= 
+
+SHLIB_TARGET=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile makeapps.com install.com
+
+DLIBCRYPTO=../libcrypto.a
+DLIBSSL=../libssl.a
+LIBCRYPTO=-L.. -lcrypto
+LIBSSL=-L.. -lssl
+
+SCRIPTS=CA.pl tsget
+EXE= openssl$(EXE_EXT)
+
+COMMANDS= \
+	asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \
+	dsa.o dsaparam.o ec.o ecparam.o enc.o engine.o errstr.o gendsa.o \
+	genpkey.o genrsa.o nseq.o ocsp.o passwd.o pkcs12.o pkcs7.o pkcs8.o \
+	pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o \
+	s_client.o s_server.o s_time.o sess_id.o smime.o speed.o spkac.o \
+	srp.o ts.o verify.o version.o x509.o rehash.o
+
+EXTRA_OBJ=apps.o opt.o s_cb.o s_socket.o
+EXTRA_SRC=apps.c opt.c s_cb.c s_socket.c
+RAND_OBJ=app_rand.o
+RAND_SRC=app_rand.c
+
+OBJ	= $(COMMANDS)
+
+SRC	= \
+	asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
+	dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
+	genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
+	pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
+	s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
+	srp.c ts.c verify.c version.c x509.c
+
+EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ)
+EXE_SRC = openssl.c $(SRC) $(EXTRA_SRC) $(RAND_SRC)
+
+HEADER=	apps.h progs.h s_apps.h \
+	testdsa.h testrsa.h timeouts.h
+
+ALL=    $(GENERAL) $(EXE_SRC) $(HEADER)
+
+top:
+	@(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	exe
+
+exe:	$(EXE)
+
+openssl-vms.cnf: openssl.cnf
+	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@set -e; for i in $(EXE); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	 done;
+	@set -e; for i in $(SCRIPTS); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+	 mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	 done
+	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+
+uninstall:
+	@set -e; for i in $(EXE); \
+	do  \
+		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+	done;
+	@set -e; for i in $(SCRIPTS); \
+	do  \
+		echo $(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
+		$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
+	done
+	$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+
+tags:
+	ctags $(EXE_SRC) $(HEADER)
+
+tests:
+
+lint:
+	echo nope >fluff
+
+update: openssl-vms.cnf local_depend
+
+depend: local_depend
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
+local_depend:
+	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC)
+
+dclean:
+	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
+	mv -f Makefile.new $(MAKEFILE)
+
+clean:
+	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
+	rm -f req
+
+$(DLIBSSL):
+	(cd ..; $(MAKE) build_libssl)
+
+$(DLIBCRYPTO):
+	(cd ..; $(MAKE) build_libcrypto)
+
+$(EXE): progs.h $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL)
+	$(RM) $(EXE)
+	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
+		shlib_target="$(SHLIB_TARGET)"; \
+	fi; \
+	LIBRARIES="$(LIBSSL) $(LIBCRYPTO)" ; \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=$(EXE) OBJECTS="$(EXE_OBJ)" \
+		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
+		link_app.$${shlib_target}
+
+progs.h: progs.pl Makefile
+	$(RM) progs.h
+	$(PERL) progs.pl $(COMMANDS) >progs.h
+	$(RM) openssl.o
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.

apps/app_rand.c

@@ -1,4 +1,3 @@
-/* apps/app_rand.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -109,25 +108,20 @@
  *
  */
 
-#define NON_MAIN
 #include "apps.h"
-#undef NON_MAIN
 #include <openssl/bio.h>
 #include <openssl/rand.h>
 
 static int seeded = 0;
 static int egdsocket = 0;
 
-int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
+int app_RAND_load_file(const char *file, int dont_warn)
 {
     int consider_randfile = (file == NULL);
     char buffer[200];
 
 #ifdef OPENSSL_SYS_WINDOWS
-    BIO_printf(bio_e, "Loading 'screen' into random state -");
-    BIO_flush(bio_e);
     RAND_screen();
-    BIO_printf(bio_e, " done\n");
 #endif
 
     if (file == NULL)
@@ -143,15 +137,15 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
     if (file == NULL || !RAND_load_file(file, -1)) {
         if (RAND_status() == 0) {
             if (!dont_warn) {
-                BIO_printf(bio_e, "unable to load 'random state'\n");
-                BIO_printf(bio_e,
+                BIO_printf(bio_err, "unable to load 'random state'\n");
+                BIO_printf(bio_err,
                            "This means that the random number generator has not been seeded\n");
-                BIO_printf(bio_e, "with much random data.\n");
+                BIO_printf(bio_err, "with much random data.\n");
                 if (consider_randfile) { /* explanation does not apply when a
                                           * file is explicitly named */
-                    BIO_printf(bio_e,
+                    BIO_printf(bio_err,
                                "Consider setting the RANDFILE environment variable to point at a file that\n");
-                    BIO_printf(bio_e,
+                    BIO_printf(bio_err,
                                "'random' data can be kept in (the file will be overwritten).\n");
                 }
             }
@@ -193,7 +187,7 @@ long app_RAND_load_files(char *name)
     return (tot);
 }
 
-int app_RAND_write_file(const char *file, BIO *bio_e)
+int app_RAND_write_file(const char *file)
 {
     char buffer[200];
 
@@ -208,7 +202,7 @@ int app_RAND_write_file(const char *file, BIO *bio_e)
     if (file == NULL)
         file = RAND_file_name(buffer, sizeof buffer);
     if (file == NULL || !RAND_write_file(file)) {
-        BIO_printf(bio_e, "unable to write 'random state'\n");
+        BIO_printf(bio_err, "unable to write 'random state'\n");
         return 0;
     }
     return 1;

apps/apps.h

@@ -113,7 +113,10 @@
 # define HEADER_APPS_H
 
 # include "e_os.h"
+# include <assert.h>
 
+# include <openssl/e_os2.h>
+# include <openssl/ossl_typ.h>
 # include <openssl/bio.h>
 # include <openssl/x509.h>
 # include <openssl/lhash.h>
@@ -126,9 +129,18 @@
 #  include <openssl/ocsp.h>
 # endif
 # include <openssl/ossl_typ.h>
+# ifndef OPENSSL_SYS_NETWARE
+#  include <signal.h>
+# endif
 
-int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
-int app_RAND_write_file(const char *file, BIO *bio_e);
+# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
+#  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
+# else
+#  define openssl_fdset(a,b) FD_SET(a, b)
+# endif
+
+int app_RAND_load_file(const char *file, int dont_warn);
+int app_RAND_write_file(const char *file);
 /*
  * When `file' is NULL, use defaults. `bio_e' is for error messages.
  */
@@ -138,82 +150,264 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
                                        * (see e_os.h).  The string is
                                        * destroyed! */
 
-# ifndef MONOLITH
-
-#  define MAIN(a,v)       main(a,v)
-
-#  ifndef NON_MAIN
-CONF *config = NULL;
-BIO *bio_err = NULL;
-#  else
-extern CONF *config;
-extern BIO *bio_err;
-#  endif
-
-# else
-
-#  define MAIN(a,v)       PROG(a,v)
-extern CONF *config;
 extern char *default_config_file;
+extern BIO *bio_in;
+extern BIO *bio_out;
 extern BIO *bio_err;
+BIO *dup_bio_in(int format);
+BIO *dup_bio_out(int format);
+BIO *bio_open_owner(const char *filename, int format, int private);
+BIO *bio_open_default(const char *filename, char mode, int format);
+BIO *bio_open_default_quiet(const char *filename, char mode, int format);
+CONF *app_load_config(const char *filename);
+CONF *app_load_config_quiet(const char *filename);
+int app_load_modules(const CONF *config);
+void unbuffer(FILE *fp);
+void wait_for_async(SSL *s);
 
-# endif
+/*
+ * Common verification options.
+ */
+# define OPT_V_ENUM \
+        OPT_V__FIRST=2000, \
+        OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
+        OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
+        OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
+        OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
+        OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
+        OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
+        OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
+        OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
+        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
+        OPT_V__LAST
 
-# ifndef OPENSSL_SYS_NETWARE
-#  include <signal.h>
-# endif
+# define OPT_V_OPTIONS \
+        { "policy", OPT_V_POLICY, 's' }, \
+        { "purpose", OPT_V_PURPOSE, 's' }, \
+        { "verify_name", OPT_V_VERIFY_NAME, 's' }, \
+        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p' }, \
+        { "attime", OPT_V_ATTIME, 'M' }, \
+        { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's' }, \
+        { "verify_email", OPT_V_VERIFY_EMAIL, 's' }, \
+        { "verify_ip", OPT_V_VERIFY_IP, 's' }, \
+        { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-' }, \
+        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-' }, \
+        { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
+        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
+        { "policy_check", OPT_V_POLICY_CHECK, '-' }, \
+        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-' }, \
+        { "inhibit_any", OPT_V_INHIBIT_ANY, '-' }, \
+        { "inhibit_map", OPT_V_INHIBIT_MAP, '-' }, \
+        { "x509_strict", OPT_V_X509_STRICT, '-' }, \
+        { "extended_crl", OPT_V_EXTENDED_CRL, '-' }, \
+        { "use_deltas", OPT_V_USE_DELTAS, '-' }, \
+        { "policy_print", OPT_V_POLICY_PRINT, '-' }, \
+        { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-' }, \
+        { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "Use locally-trusted CA's first in building chain" }, \
+        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-' }, \
+        { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
+        { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
+        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
+        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
 
-# ifdef SIGPIPE
-#  define do_pipe_sig()   signal(SIGPIPE,SIG_IGN)
-# else
-#  define do_pipe_sig()
-# endif
+# define OPT_V_CASES \
+        OPT_V__FIRST: case OPT_V__LAST: break; \
+        case OPT_V_POLICY: \
+        case OPT_V_PURPOSE: \
+        case OPT_V_VERIFY_NAME: \
+        case OPT_V_VERIFY_DEPTH: \
+        case OPT_V_ATTIME: \
+        case OPT_V_VERIFY_HOSTNAME: \
+        case OPT_V_VERIFY_EMAIL: \
+        case OPT_V_VERIFY_IP: \
+        case OPT_V_IGNORE_CRITICAL: \
+        case OPT_V_ISSUER_CHECKS: \
+        case OPT_V_CRL_CHECK: \
+        case OPT_V_CRL_CHECK_ALL: \
+        case OPT_V_POLICY_CHECK: \
+        case OPT_V_EXPLICIT_POLICY: \
+        case OPT_V_INHIBIT_ANY: \
+        case OPT_V_INHIBIT_MAP: \
+        case OPT_V_X509_STRICT: \
+        case OPT_V_EXTENDED_CRL: \
+        case OPT_V_USE_DELTAS: \
+        case OPT_V_POLICY_PRINT: \
+        case OPT_V_CHECK_SS_SIG: \
+        case OPT_V_TRUSTED_FIRST: \
+        case OPT_V_SUITEB_128_ONLY: \
+        case OPT_V_SUITEB_128: \
+        case OPT_V_SUITEB_192: \
+        case OPT_V_PARTIAL_CHAIN: \
+        case OPT_V_NO_ALT_CHAINS: \
+        case OPT_V_NO_CHECK_TIME
 
-# ifdef OPENSSL_NO_COMP
-#  define zlib_cleanup()
-# else
-#  define zlib_cleanup() COMP_zlib_cleanup()
-# endif
+/*
+ * Common "extended"? options.
+ */
+# define OPT_X_ENUM \
+        OPT_X__FIRST=1000, \
+        OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
+        OPT_X_CERTFORM, OPT_X_KEYFORM, \
+        OPT_X__LAST
 
-# if defined(MONOLITH) && !defined(OPENSSL_C)
-#  define apps_startup() \
-                do_pipe_sig()
-#  define apps_shutdown()
-# else
-#  ifndef OPENSSL_NO_ENGINE
-#   define apps_startup() \
-                        do { do_pipe_sig(); CRYPTO_malloc_init(); \
-                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
-                        ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
-#   define apps_shutdown() \
-                        do { CONF_modules_unload(1); destroy_ui_method(); \
-                        OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
-                        CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
-                        RAND_cleanup(); \
-                        ERR_free_strings(); zlib_cleanup();} while(0)
-#  else
-#   define apps_startup() \
-                        do { do_pipe_sig(); CRYPTO_malloc_init(); \
-                        ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
-                        setup_ui_method(); } while(0)
-#   define apps_shutdown() \
-                        do { CONF_modules_unload(1); destroy_ui_method(); \
-                        OBJ_cleanup(); EVP_cleanup(); \
-                        CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
-                        RAND_cleanup(); \
-                        ERR_free_strings(); zlib_cleanup(); } while(0)
-#  endif
-# endif
+# define OPT_X_OPTIONS \
+        { "xkey", OPT_X_KEY, '<' }, \
+        { "xcert", OPT_X_CERT, '<' }, \
+        { "xchain", OPT_X_CHAIN, '<' }, \
+        { "xchain_build", OPT_X_CHAIN_BUILD, '-' }, \
+        { "xcertform", OPT_X_CERTFORM, 'F' }, \
+        { "xkeyform", OPT_X_KEYFORM, 'F' }
 
-# if defined(OPENSSL_SYSNAME_WIN32) || defined(OPENSSL_SYSNAME_WINCE)
-#  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
-# else
-#  define openssl_fdset(a,b) FD_SET(a, b)
-# endif
+# define OPT_X_CASES \
+        OPT_X__FIRST: case OPT_X__LAST: break; \
+        case OPT_X_KEY: \
+        case OPT_X_CERT: \
+        case OPT_X_CHAIN: \
+        case OPT_X_CHAIN_BUILD: \
+        case OPT_X_CERTFORM: \
+        case OPT_X_KEYFORM
+
+/*
+ * Common SSL options.
+ * Any changes here must be coordinated with ../ssl/ssl_conf.c
+ */
+# define OPT_S_ENUM \
+        OPT_S__FIRST=3000, \
+        OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
+        OPT_S_BUGS, OPT_S_NOCOMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
+        OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
+        OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
+        OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
+        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \
+        OPT_S__LAST
+
+# define OPT_S_OPTIONS \
+        {"no_ssl3", OPT_S_NOSSL3, '-' }, \
+        {"no_tls1", OPT_S_NOTLS1, '-' }, \
+        {"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
+        {"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
+        {"bugs", OPT_S_BUGS, '-' }, \
+        {"no_comp", OPT_S_NOCOMP, '-', "Don't use SSL/TLS-level compression" }, \
+        {"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
+        {"no_ticket", OPT_S_NOTICKET, '-' }, \
+        {"serverpref", OPT_S_SERVERPREF, '-' }, \
+        {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-' }, \
+        {"legacy_server_connect", OPT_S_LEGACYCONN, '-' }, \
+        {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-' }, \
+        {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-' }, \
+        {"strict", OPT_S_STRICT, '-' }, \
+        {"sigalgs", OPT_S_SIGALGS, 's', \
+            "Signature algorithms to support (colon-separated list)" }, \
+        {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
+            "Signature algorithms to support for client certificate" \
+            " authentication (colon-separated list)" }, \
+        {"curves", OPT_S_CURVES, 's', \
+            "Elliptic curves to advertise (colon-separated list)" }, \
+        {"named_curve", OPT_S_NAMEDCURVE, 's', \
+            "Elliptic curve used for ECDHE (server-side only)" }, \
+        {"cipher", OPT_S_CIPHER, 's', }, \
+        {"dhparam", OPT_S_DHPARAM, '<' }, \
+        {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-' }
+
+# define OPT_S_CASES \
+        OPT_S__FIRST: case OPT_S__LAST: break; \
+        case OPT_S_NOSSL3: \
+        case OPT_S_NOTLS1: \
+        case OPT_S_NOTLS1_1: \
+        case OPT_S_NOTLS1_2: \
+        case OPT_S_BUGS: \
+        case OPT_S_NOCOMP: \
+        case OPT_S_ECDHSINGLE: \
+        case OPT_S_NOTICKET: \
+        case OPT_S_SERVERPREF: \
+        case OPT_S_LEGACYRENEG: \
+        case OPT_S_LEGACYCONN: \
+        case OPT_S_ONRESUMP: \
+        case OPT_S_NOLEGACYCONN: \
+        case OPT_S_STRICT: \
+        case OPT_S_SIGALGS: \
+        case OPT_S_CLIENTSIGALGS: \
+        case OPT_S_CURVES: \
+        case OPT_S_NAMEDCURVE: \
+        case OPT_S_CIPHER: \
+        case OPT_S_DHPARAM: \
+        case OPT_S_DEBUGBROKE
+
+/*
+ * Option parsing.
+ */
+extern const char OPT_HELP_STR[];
+extern const char OPT_MORE_STR[];
+typedef struct options_st {
+    const char *name;
+    int retval;
+    /*
+     * value type: - no value (also the value zero), n number, p positive
+     * number, u unsigned, s string, < input file, > output file, f der/pem
+     * format, F any format identifier.  n and u include zero; p does not.
+     */
+    int valtype;
+    const char *helpstr;
+} OPTIONS;
+
+/*
+ * A string/int pairing; widely use for option value lookup, hence the
+ * name OPT_PAIR. But that name is misleading in s_cb.c, so we also use
+ * the "generic" name STRINT_PAIR.
+ */
+typedef struct string_int_pair_st {
+    const char *name;
+    int retval;
+} OPT_PAIR, STRINT_PAIR;
+
+/* Flags to pass into opt_format; see FORMAT_xxx, below. */
+# define OPT_FMT_PEMDER          (1L <<  1)
+# define OPT_FMT_PKCS12          (1L <<  2)
+# define OPT_FMT_SMIME           (1L <<  3)
+# define OPT_FMT_ENGINE          (1L <<  4)
+# define OPT_FMT_MSBLOB          (1L <<  5)
+# define OPT_FMT_NETSCAPE        (1L <<  6)
+# define OPT_FMT_NSS             (1L <<  7)
+# define OPT_FMT_TEXT            (1L <<  8)
+# define OPT_FMT_HTTP            (1L <<  9)
+# define OPT_FMT_PVK             (1L << 10)
+# define OPT_FMT_ANY     ( \
+        OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
+        OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \
+        OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
+
+char *opt_progname(const char *argv0);
+char *opt_getprog(void);
+char *opt_init(int ac, char **av, const OPTIONS * o);
+int opt_next();
+int opt_format(const char *s, unsigned long flags, int *result);
+int opt_int(const char *arg, int *result);
+int opt_ulong(const char *arg, unsigned long *result);
+int opt_long(const char *arg, long *result);
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
+    defined(INTMAX_MAX) && defined(UINTMAX_MAX)
+int opt_imax(const char *arg, intmax_t *result);
+int opt_umax(const char *arg, uintmax_t *result);
+#endif
+int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
+int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
+int opt_md(const char *name, const EVP_MD **mdp);
+char *opt_arg(void);
+char *opt_flag(void);
+char *opt_unknown(void);
+char *opt_reset(void);
+char **opt_rest(void);
+int opt_num_rest(void);
+int opt_verify(int i, X509_VERIFY_PARAM *vpm);
+void opt_help(const OPTIONS * list);
+int opt_format_error(const char *s, unsigned long flags);
+int opt_next(void);
 
 typedef struct args_st {
-    char **data;
-    int count;
+    int size;
+    int argc;
+    char **argv;
 } ARGS;
 
 # define PW_MIN_LENGTH 4
@@ -227,53 +421,51 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
 int setup_ui_method(void);
 void destroy_ui_method(void);
 
-int should_retry(int i);
-int args_from_file(char *file, int *argc, char **argv[]);
-int str2fmt(char *s);
-void program_name(char *in, char *out, int size);
-int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[]);
+int chopup_args(ARGS *arg, char *buf);
 # ifdef HEADER_X509_H
 int dump_cert_text(BIO *out, X509 *x);
 void print_name(BIO *out, const char *title, X509_NAME *nm,
                 unsigned long lflags);
 # endif
+void print_bignum_var(BIO *, BIGNUM *, const char*, int, unsigned char *);
+void print_array(BIO *, const char *, int, const unsigned char *);
 int set_cert_ex(unsigned long *flags, const char *arg);
 int set_name_ex(unsigned long *flags, const char *arg);
 int set_ext_copy(int *copy_type, const char *arg);
 int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
-int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
-int add_oid_section(BIO *err, CONF *conf);
-X509 *load_cert(BIO *err, const char *file, int format,
+int app_passwd(char *arg1, char *arg2, char **pass1, char **pass2);
+int add_oid_section(CONF *conf);
+X509 *load_cert(const char *file, int format,
                 const char *pass, ENGINE *e, const char *cert_descrip);
 X509_CRL *load_crl(const char *infile, int format);
-int load_cert_crl_http(const char *url, BIO *err,
-                       X509 **pcert, X509_CRL **pcrl);
-EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
+int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl);
+EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
                    const char *pass, ENGINE *e, const char *key_descrip);
-EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
+EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                       const char *pass, ENGINE *e, const char *key_descrip);
-STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
+STACK_OF(X509) *load_certs(const char *file, int format,
                            const char *pass, ENGINE *e,
                            const char *cert_descrip);
-STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
+STACK_OF(X509_CRL) *load_crls(const char *file, int format,
                               const char *pass, ENGINE *e,
                               const char *cert_descrip);
-X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
-# ifndef OPENSSL_NO_ENGINE
-ENGINE *setup_engine(BIO *err, const char *engine, int debug);
+X509_STORE *setup_verify(char *CAfile, char *CApath,
+                         int noCAfile, int noCApath);
+int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
+                             const char *CApath, int noCAfile, int noCApath);
+# ifdef OPENSSL_NO_ENGINE
+#  define setup_engine(engine, debug) NULL
+# else
+ENGINE *setup_engine(const char *engine, int debug);
 # endif
-
 # ifndef OPENSSL_NO_OCSP
-OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
                                  const char *host, const char *path,
                                  const char *port, int use_ssl,
-                                 const STACK_OF(CONF_VALUE) *headers,
+                                 STACK_OF(CONF_VALUE) *headers,
                                  int req_timeout);
 # endif
 
-int load_config(BIO *err, CONF *cnf);
-char *make_config_name(void);
-
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
                    ASN1_GENERALIZEDTIME **pinvtm, const char *str);
@@ -299,6 +491,7 @@ typedef struct ca_db_st {
     TXT_DB *db;
 } CA_DB;
 
+void* app_malloc(int sz, const char *what);
 BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
 int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
                 ASN1_INTEGER **retai);
@@ -316,19 +509,19 @@ void free_index(CA_DB *db);
 int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
 int parse_yesno(const char *str, int def);
 
-X509_NAME *parse_name(char *str, long chtype, int multirdn);
+X509_NAME *parse_name(const char *str, long chtype, int multirdn);
 int args_verify(char ***pargs, int *pargc,
-                int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
-void policies_print(BIO *out, X509_STORE_CTX *ctx);
+                int *badarg, X509_VERIFY_PARAM **pm);
+void policies_print(X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
-int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
+int init_gen_str(EVP_PKEY_CTX **pctx,
                  const char *algname, ENGINE *e, int do_param);
-int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
                  STACK_OF(OPENSSL_STRING) *sigopts);
-int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
                      STACK_OF(OPENSSL_STRING) *sigopts);
-int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
                      STACK_OF(OPENSSL_STRING) *sigopts);
 # ifndef OPENSSL_NO_PSK
 extern char *psk_key;
@@ -338,9 +531,7 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 # endif
 
-# ifndef OPENSSL_NO_TLSEXT
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
-# endif                         /* ndef OPENSSL_NO_TLSEXT */
 
 void print_cert_checks(BIO *bio, X509 *x,
                        const char *checkhost,
@@ -348,22 +539,28 @@ void print_cert_checks(BIO *bio, X509 *x,
 
 void store_setup_crl_download(X509_STORE *st);
 
+/* See OPT_FMT_xxx, above. */
+/* On some platforms, it's important to distinguish between text and binary
+ * files.  On some, there might even be specific file formats for different
+ * contents.  The FORMAT_xxx macros are meant to express an intent with the
+ * file being read or created.
+ */
+# define B_FORMAT_TEXT   0x8000
 # define FORMAT_UNDEF    0
-# define FORMAT_ASN1     1
-# define FORMAT_TEXT     2
-# define FORMAT_PEM      3
-# define FORMAT_NETSCAPE 4
-# define FORMAT_PKCS12   5
-# define FORMAT_SMIME    6
-# define FORMAT_ENGINE   7
-# define FORMAT_IISSGC   8      /* XXX this stupid macro helps us to avoid
-                                 * adding yet another param to load_*key() */
-# define FORMAT_PEMRSA   9      /* PEM RSAPubicKey format */
-# define FORMAT_ASN1RSA  10     /* DER RSAPubicKey format */
-# define FORMAT_MSBLOB   11     /* MS Key blob format */
-# define FORMAT_PVK      12     /* MS PVK file format */
-# define FORMAT_HTTP     13     /* Download using HTTP */
-# define FORMAT_NSS      14     /* NSS keylog format */
+# define FORMAT_TEXT    (1 | B_FORMAT_TEXT)     /* Generic text */
+# define FORMAT_BINARY   2                      /* Generic binary */
+# define FORMAT_BASE64  (3 | B_FORMAT_TEXT)     /* Base64 */
+# define FORMAT_ASN1     4                      /* ASN.1/DER */
+# define FORMAT_PEM     (5 | B_FORMAT_TEXT)
+# define FORMAT_PKCS12   6
+# define FORMAT_SMIME   (7 | B_FORMAT_TEXT)
+# define FORMAT_ENGINE   8                      /* Not really a file format */
+# define FORMAT_PEMRSA  (9 | B_FORMAT_TEXT)     /* PEM RSAPubicKey format */
+# define FORMAT_ASN1RSA  10                     /* DER RSAPubicKey format */
+# define FORMAT_MSBLOB   11                     /* MS Key blob format */
+# define FORMAT_PVK      12                     /* MS PVK file format */
+# define FORMAT_HTTP     13                     /* Download using HTTP */
+# define FORMAT_NSS      14                     /* NSS keylog format */
 
 # define EXT_COPY_NONE   0
 # define EXT_COPY_ADD    1
@@ -375,7 +572,9 @@ void store_setup_crl_download(X509_STORE *st);
 
 # define SERIAL_RAND_BITS        64
 
+int app_hex(char);
 int app_isdir(const char *);
+int app_access(const char *, int flag);
 int raw_read_stdin(void *, int);
 int raw_write_stdout(const void *, int);
 
@@ -383,6 +582,12 @@ int raw_write_stdout(const void *, int);
 # define TM_STOP         1
 double app_tminterval(int stop, int usertime);
 
-# define OPENSSL_NO_SSL_INTERN
+/* this is an accident waiting to happen (-Wshadow is your friend) */
+extern int verify_depth;
+extern int verify_quiet;
+extern int verify_error;
+extern int verify_return_error;
+
+# include "progs.h"
 
 #endif

apps/asn1pars.c

@@ -1,4 +1,3 @@
-/* apps/asn1pars.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -70,190 +69,136 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 
-/*-
- * -inform arg  - input format - default PEM (DER or PEM)
- * -in arg      - input file - default stdin
- * -i           - indent the details by depth
- * -offset      - where in the file to start
- * -length      - how many bytes to use
- * -oid file    - extra oid description file
- */
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT,
+    OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT,
+    OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM
+} OPTION_CHOICE;
 
-#undef PROG
-#define PROG    asn1parse_main
+OPTIONS asn1parse_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "input format - one of DER PEM"},
+    {"in", OPT_IN, '<', "input file"},
+    {"out", OPT_OUT, '>', "output file (output format is always DER)"},
+    {"i", OPT_INDENT, 0, "entries"},
+    {"noout", OPT_NOOUT, 0, "don't produce any output"},
+    {"offset", OPT_OFFSET, 'p', "offset into file"},
+    {"length", OPT_LENGTH, 'p', "length of section in file"},
+    {"oid", OPT_OID, '<', "file of extra oid definitions"},
+    {"dump", OPT_DUMP, 0, "unknown data in hex form"},
+    {"dlimit", OPT_DLIMIT, 'p',
+     "dump the first arg bytes of unknown data in hex form"},
+    {"strparse", OPT_STRPARSE, 's',
+     "offset; a series of these can be used to 'dig'"},
+    {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
+    {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
+    {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
+    {OPT_MORE_STR, 0, 0, "(-inform  will be ignored)"},
+    {"strictpem", OPT_STRICTPEM, 0,
+     "do not attempt base64 decode outside PEM markers"},
+    {NULL}
+};
 
-int MAIN(int, char **);
+static int do_generate(char *genstr, char *genconf, BUF_MEM *buf);
 
-static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf);
-
-int MAIN(int argc, char **argv)
+int asn1parse_main(int argc, char **argv)
 {
-    int i, badops = 0, offset = 0, ret = 1, j;
-    unsigned int length = 0;
-    long num, tmplen;
-    BIO *in = NULL, *out = NULL, *b64 = NULL, *derout = NULL;
-    int informat, indent = 0, noout = 0, dump = 0, strictpem = 0;
-    char *infile = NULL, *str = NULL, *prog, *oidfile = NULL, *derfile =
-        NULL, *name = NULL, *header = NULL;
-    char *genstr = NULL, *genconf = NULL;
-    unsigned char *tmpbuf;
-    const unsigned char *ctmpbuf;
+    ASN1_TYPE *at = NULL;
+    BIO *in = NULL, *b64 = NULL, *derout = NULL;
     BUF_MEM *buf = NULL;
     STACK_OF(OPENSSL_STRING) *osk = NULL;
-    ASN1_TYPE *at = NULL;
+    char *genstr = NULL, *genconf = NULL;
+    char *infile = NULL, *str = NULL, *oidfile = NULL, *derfile = NULL;
+    char *name = NULL, *header = NULL, *prog;
+    const unsigned char *ctmpbuf;
+    int indent = 0, noout = 0, dump = 0, strictpem = 0, informat = FORMAT_PEM;
+    int offset = 0, ret = 1, i, j;
+    long num, tmplen;
+    unsigned char *tmpbuf;
+    unsigned int length = 0;
+    OPTION_CHOICE o;
 
-    informat = FORMAT_PEM;
+    prog = opt_init(argc, argv, asn1parse_options);
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    prog = argv[0];
-    argc--;
-    argv++;
     if ((osk = sk_OPENSSL_STRING_new_null()) == NULL) {
-        BIO_printf(bio_err, "Memory allocation failure\n");
+        BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
         goto end;
     }
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            derfile = *(++argv);
-        } else if (strcmp(*argv, "-i") == 0) {
+
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(asn1parse_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            derfile = opt_arg();
+            break;
+        case OPT_INDENT:
             indent = 1;
-        } else if (strcmp(*argv, "-noout") == 0)
+            break;
+        case OPT_NOOUT:
             noout = 1;
-        else if (strcmp(*argv, "-oid") == 0) {
-            if (--argc < 1)
-                goto bad;
-            oidfile = *(++argv);
-        } else if (strcmp(*argv, "-offset") == 0) {
-            if (--argc < 1)
-                goto bad;
-            offset = atoi(*(++argv));
-        } else if (strcmp(*argv, "-length") == 0) {
-            if (--argc < 1)
-                goto bad;
-            length = atoi(*(++argv));
-            if (length == 0)
-                goto bad;
-        } else if (strcmp(*argv, "-dump") == 0) {
+            break;
+        case OPT_OID:
+            oidfile = opt_arg();
+            break;
+        case OPT_OFFSET:
+            offset = strtol(opt_arg(), NULL, 0);
+            break;
+        case OPT_LENGTH:
+            length = atoi(opt_arg());
+            break;
+        case OPT_DUMP:
             dump = -1;
-        } else if (strcmp(*argv, "-dlimit") == 0) {
-            if (--argc < 1)
-                goto bad;
-            dump = atoi(*(++argv));
-            if (dump <= 0)
-                goto bad;
-        } else if (strcmp(*argv, "-strparse") == 0) {
-            if (--argc < 1)
-                goto bad;
-            sk_OPENSSL_STRING_push(osk, *(++argv));
-        } else if (strcmp(*argv, "-genstr") == 0) {
-            if (--argc < 1)
-                goto bad;
-            genstr = *(++argv);
-        } else if (strcmp(*argv, "-genconf") == 0) {
-            if (--argc < 1)
-                goto bad;
-            genconf = *(++argv);
-        } else if (strcmp(*argv, "-strictpem") == 0) {
+            break;
+        case OPT_DLIMIT:
+            dump = atoi(opt_arg());
+            break;
+        case OPT_STRPARSE:
+            sk_OPENSSL_STRING_push(osk, opt_arg());
+            break;
+        case OPT_GENSTR:
+            genstr = opt_arg();
+            break;
+        case OPT_GENCONF:
+            genconf = opt_arg();
+            break;
+        case OPT_STRICTPEM:
             strictpem = 1;
             informat = FORMAT_PEM;
-        } else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
             break;
         }
-        argc--;
-        argv++;
     }
-
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] <infile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg   input format - one of DER PEM\n");
-        BIO_printf(bio_err, " -in arg       input file\n");
-        BIO_printf(bio_err,
-                   " -out arg      output file (output format is always DER\n");
-        BIO_printf(bio_err, " -noout arg    don't produce any output\n");
-        BIO_printf(bio_err, " -offset arg   offset into file\n");
-        BIO_printf(bio_err, " -length arg   length of section in file\n");
-        BIO_printf(bio_err, " -i            indent entries\n");
-        BIO_printf(bio_err, " -dump         dump unknown data in hex form\n");
-        BIO_printf(bio_err,
-                   " -dlimit arg   dump the first arg bytes of unknown data in hex form\n");
-        BIO_printf(bio_err, " -oid file     file of extra oid definitions\n");
-        BIO_printf(bio_err, " -strparse offset\n");
-        BIO_printf(bio_err,
-                   "               a series of these can be used to 'dig' into multiple\n");
-        BIO_printf(bio_err, "               ASN1 blob wrappings\n");
-        BIO_printf(bio_err,
-                   " -genstr str   string to generate ASN1 structure from\n");
-        BIO_printf(bio_err,
-                   " -genconf file file to generate ASN1 structure from\n");
-        BIO_printf(bio_err,
-                   " -strictpem    do not attempt base64 decode outside PEM markers (-inform \n");
-        BIO_printf(bio_err, "               will be ignored)\n");
-        goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-    BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
-#ifdef OPENSSL_SYS_VMS
-    {
-        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-        out = BIO_push(tmpbio, out);
-    }
-#endif
+    argc = opt_num_rest();
+    argv = opt_rest();
 
     if (oidfile != NULL) {
-        if (BIO_read_filename(in, oidfile) <= 0) {
-            BIO_printf(bio_err, "problems opening %s\n", oidfile);
-            ERR_print_errors(bio_err);
+        in = bio_open_default(oidfile, 'r', FORMAT_TEXT);
+        if (in == NULL)
             goto end;
-        }
         OBJ_create_objects(in);
+        BIO_free(in);
     }
 
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0) {
-            perror(infile);
-            goto end;
-        }
-    }
+    if ((in = bio_open_default(infile, 'r', informat)) == NULL)
+        goto end;
 
-    if (derfile) {
-        if (!(derout = BIO_new_file(derfile, "wb"))) {
-            BIO_printf(bio_err, "problems opening %s\n", derfile);
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-    }
+    if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
+        goto end;
 
     if (strictpem) {
         if (PEM_read_bio(in, &name, &header, (unsigned char **)&str, &num) !=
@@ -270,7 +215,7 @@ int MAIN(int argc, char **argv)
             goto end;           /* Pre-allocate :-) */
 
         if (genstr || genconf) {
-            num = do_generate(bio_err, genstr, genconf, buf);
+            num = do_generate(genstr, genconf, buf);
             if (num < 0) {
                 ERR_print_errors(bio_err);
                 goto end;
@@ -331,9 +276,9 @@ int MAIN(int argc, char **argv)
             }
             typ = ASN1_TYPE_get(at);
             if ((typ == V_ASN1_OBJECT)
+                || (typ == V_ASN1_BOOLEAN)
                 || (typ == V_ASN1_NULL)) {
-                BIO_printf(bio_err, "Can't parse %s type\n",
-                           typ == V_ASN1_NULL ? "NULL" : "OBJECT");
+                BIO_printf(bio_err, "Can't parse %s type\n", ASN1_tag2str(typ));
                 ERR_print_errors(bio_err);
                 goto end;
             }
@@ -362,7 +307,7 @@ int MAIN(int argc, char **argv)
         }
     }
     if (!noout &&
-        !ASN1_parse_dump(out, (unsigned char *)&(str[offset]), length,
+        !ASN1_parse_dump(bio_out, (unsigned char *)&(str[offset]), length,
                          indent, dump)) {
         ERR_print_errors(bio_err);
         goto end;
@@ -370,47 +315,35 @@ int MAIN(int argc, char **argv)
     ret = 0;
  end:
     BIO_free(derout);
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (b64 != NULL)
-        BIO_free(b64);
+    BIO_free(in);
+    BIO_free(b64);
     if (ret != 0)
         ERR_print_errors(bio_err);
-    if (buf != NULL)
-        BUF_MEM_free(buf);
-    if (name != NULL)
-        OPENSSL_free(name);
-    if (header != NULL)
-        OPENSSL_free(header);
-    if (strictpem && str != NULL)
+    BUF_MEM_free(buf);
+    OPENSSL_free(name);
+    OPENSSL_free(header);
+    if (strictpem)
         OPENSSL_free(str);
-    if (at != NULL)
-        ASN1_TYPE_free(at);
-    if (osk != NULL)
-        sk_OPENSSL_STRING_free(osk);
+    ASN1_TYPE_free(at);
+    sk_OPENSSL_STRING_free(osk);
     OBJ_cleanup();
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    return (ret);
 }
 
-static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
+static int do_generate(char *genstr, char *genconf, BUF_MEM *buf)
 {
     CONF *cnf = NULL;
     int len;
-    long errline;
     unsigned char *p;
     ASN1_TYPE *atyp = NULL;
 
     if (genconf) {
-        cnf = NCONF_new(NULL);
-        if (!NCONF_load(cnf, genconf, &errline))
-            goto conferr;
+        if ((cnf = app_load_config(genconf)) == NULL)
+            goto err;
         if (!genstr)
             genstr = NCONF_get_string(cnf, "default", "asn1");
         if (!genstr) {
-            BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
+            BIO_printf(bio_err, "Can't find 'asn1' in '%s'\n", genconf);
             goto err;
         }
     }
@@ -437,18 +370,8 @@ static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
     ASN1_TYPE_free(atyp);
     return len;
 
- conferr:
-
-    if (errline > 0)
-        BIO_printf(bio, "Error on line %ld of config file '%s'\n",
-                   errline, genconf);
-    else
-        BIO_printf(bio, "Error loading config file '%s'\n", genconf);
-
  err:
     NCONF_free(cnf);
     ASN1_TYPE_free(atyp);
-
     return -1;
-
 }

apps/ca-key.pem

@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
-gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
-2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
-AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
-hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
-J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
-HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
-21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
-nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
-MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
-pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
-KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
-XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL4tQNyKy4U2zX6l
+IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU
+DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+
+vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAECgYA3j6sSg+5f9hnldUMzbPjTh8Sb
+XsJlPrc6UFrmMBzGiUleXSpe9Dbla+x0XvQCN4pwMvAN4nnWp/f0Su5BV/9Y93nb
+im5ijGNrfN9i6QrnqGCr+MMute+4E8HR2pCScX0mBLDDf40SmDvMzCaxtd21keyr
+9DqHgInQZNEi6NKlkQJBAPCbUTFg6iQ6VTCQ8CsEf5q2xHhuTK23fJ999lvWVxN7
+QsvWb9RP9Ng34HVtvB7Pl6P7FyHLQYiDJhhvYR0L0+kCQQDKV/09Kt6Wjf5Omp1I
+wd3A+tFnipdqnPw+qNHGjevv0hYiEIWQOYbx00zXgaX+WN/pzV9eeNN2XAxlNJ++
+dxcPAkBrzeuPKFFAcjKBVC+H1rgl5gYZv7Hzk+buv02G0H6rZ+sB0c7BXiHiTwbv
+Fn/XfkP/YR14Ms3mEH0dLaphjU8hAkEAh3Ar/rRiN04mCcEuRFQXtaNtZSv8PA2G
+Pf7MI2Y9pdHupLCAZlBLRjTUO2/5hu1AO4QPMPIZQSFN3rRBtMCL+wJAMp/m2hvI
+TmtbMp/IrKGfma09e3yFiCmoNn7cHLJ7jLvXcacV2XNzpr9YHfBxiZo0g9FqZKvv
+PZoQ5B2XJ7bhTQ==
+-----END PRIVATE KEY-----

apps/ca-req.pem

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBmTCCAQICAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
-GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgx
-MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgy
-bTsZDCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/d
-FXSv1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUe
-cQU2mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAKlk7
-cxu9gCJN3/iQFyJXQ6YphaiQAT5VBXTx9ftRrQIjA3vxlDzPWGDy+V5Tqa7h8PtR
-5Bn00JShII2zf0hjyjKils6x/UkWmjEiwSiFp4hR70iE8XwSNEHY2P6j6nQEIpgW
-kbfgmmUqk7dl2V+ossTJ80B8SBpEhrn81V/cHxA=
+MIIBmzCCAQQCAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQx
+GjAYBgNVBAoMEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDDBJUZXN0IENBICgx
+MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4tQNyKy4U2zX6l
+IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU
+DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+
+vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQCo
+2jE7J1SNV7kyRm9m8CoPw8xYsuVcVFxPheBymYp8BlO0/rSdYygRjobpYnLVRUPZ
+pV792wzT1Rp4sXfZWO10lkFY4yi0pH2cdK2RX7qedibV1Xu9vt/yYANFBKVpA4dy
+PRyTQwi3In1N8hdfddpYR8f5MIUYRe5poFMIJcf8JA==
 -----END CERTIFICATE REQUEST-----

apps/ciphers.c

@@ -1,4 +1,3 @@
-/* apps/ciphers.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,97 +62,127 @@
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 
-#undef PROG
-#define PROG    ciphers_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_STDNAME,
+    OPT_SSL3,
+    OPT_TLS1,
+    OPT_TLS1_1,
+    OPT_TLS1_2,
+    OPT_PSK,
+    OPT_V, OPT_UPPER_V, OPT_S
+} OPTION_CHOICE;
 
-static const char *ciphers_usage[] = {
-    "usage: ciphers args\n",
-    " -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
-    " -V          - even more verbose\n",
-    " -ssl3       - SSL3 mode\n",
-    " -tls1       - TLS1 mode\n",
-    NULL
+OPTIONS ciphers_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
+    {"V", OPT_UPPER_V, '-', "Even more verbose"},
+    {"s", OPT_S, '-', "Only supported ciphers"},
+    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
+    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
+    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
+#ifndef OPENSSL_NO_SSL_TRACE
+    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
+#endif
+#ifndef OPENSSL_NO_SSL3
+    {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
+#endif
+#ifndef OPENSSL_NO_PSK
+    {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
+#endif
+    {NULL}
 };
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+#ifndef OPENSSL_NO_PSK
+static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
+                              unsigned int max_identity_len,
+                              unsigned char *psk,
+                              unsigned int max_psk_len)
 {
-    int ret = 1, i;
-    int verbose = 0, Verbose = 0;
-    int use_supported = 0;
+    return 0;
+}
+#endif
+
+int ciphers_main(int argc, char **argv)
+{
+    SSL_CTX *ctx = NULL;
+    SSL *ssl = NULL;
+    STACK_OF(SSL_CIPHER) *sk = NULL;
+    const SSL_METHOD *meth = TLS_server_method();
+    int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0;
 #ifndef OPENSSL_NO_SSL_TRACE
     int stdname = 0;
 #endif
-    const char **pp;
-    const char *p;
-    int badops = 0;
-    SSL_CTX *ctx = NULL;
-    SSL *ssl = NULL;
-    char *ciphers = NULL;
-    const SSL_METHOD *meth = NULL;
-    STACK_OF(SSL_CIPHER) *sk = NULL;
-    char buf[512];
-    BIO *STDout = NULL;
-
-    meth = SSLv23_server_method();
-
-    apps_startup();
-
-    if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-    STDout = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-    {
-        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-        STDout = BIO_push(tmpbio, STDout);
-    }
+#ifndef OPENSSL_NO_PSK
+    int psk = 0;
 #endif
-    if (!load_config(bio_err, NULL))
-        goto end;
+    const char *p;
+    char *ciphers = NULL, *prog;
+    char buf[512];
+    OPTION_CHOICE o;
 
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-v") == 0)
+    prog = opt_init(argc, argv, ciphers_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(ciphers_options);
+            ret = 0;
+            goto end;
+        case OPT_V:
             verbose = 1;
-        else if (strcmp(*argv, "-V") == 0)
+            break;
+        case OPT_UPPER_V:
             verbose = Verbose = 1;
-        else if (strcmp(*argv, "-s") == 0)
+            break;
+        case OPT_S:
             use_supported = 1;
+            break;
+        case OPT_STDNAME:
 #ifndef OPENSSL_NO_SSL_TRACE
-        else if (strcmp(*argv, "-stdname") == 0)
             stdname = verbose = 1;
 #endif
+            break;
+        case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
-        else if (strcmp(*argv, "-ssl3") == 0)
             meth = SSLv3_client_method();
 #endif
-#ifndef OPENSSL_NO_TLS1
-        else if (strcmp(*argv, "-tls1") == 0)
-            meth = TLSv1_client_method();
-#endif
-        else if ((strncmp(*argv, "-h", 2) == 0) || (strcmp(*argv, "-?") == 0)) {
-            badops = 1;
             break;
-        } else {
-            ciphers = *argv;
+        case OPT_TLS1:
+            meth = TLSv1_client_method();
+            break;
+        case OPT_TLS1_1:
+            meth = TLSv1_1_client_method();
+            break;
+        case OPT_TLS1_2:
+            meth = TLSv1_2_client_method();
+            break;
+        case OPT_PSK:
+#ifndef OPENSSL_NO_PSK
+            psk = 1;
+#endif
+            break;
         }
-        argc--;
-        argv++;
     }
+    argv = opt_rest();
+    argc = opt_num_rest();
 
-    if (badops) {
-        for (pp = ciphers_usage; (*pp != NULL); pp++)
-            BIO_printf(bio_err, "%s", *pp);
-        goto end;
-    }
-
-    OpenSSL_add_ssl_algorithms();
+    if (argc == 1)
+        ciphers = *argv;
+    else if (argc != 0)
+        goto opthelp;
 
     ctx = SSL_CTX_new(meth);
     if (ctx == NULL)
         goto err;
+#ifndef OPENSSL_NO_PSK
+    if (psk)
+        SSL_CTX_set_psk_client_callback(ctx, dummy_psk);
+#endif
     if (ciphers != NULL) {
         if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
             BIO_printf(bio_err, "Error in cipher list\n");
@@ -171,19 +200,19 @@ int MAIN(int argc, char **argv)
 
     if (!verbose) {
         for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-            SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
+            const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
             p = SSL_CIPHER_get_name(c);
             if (p == NULL)
                 break;
             if (i != 0)
-                BIO_printf(STDout, ":");
-            BIO_printf(STDout, "%s", p);
+                BIO_printf(bio_out, ":");
+            BIO_printf(bio_out, "%s", p);
         }
-        BIO_printf(STDout, "\n");
-    } else {                    /* verbose */
+        BIO_printf(bio_out, "\n");
+    } else {
 
         for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-            SSL_CIPHER *c;
+            const SSL_CIPHER *c;
 
             c = sk_SSL_CIPHER_value(sk, i);
 
@@ -194,43 +223,32 @@ int MAIN(int argc, char **argv)
                 int id2 = (int)((id >> 8) & 0xffL);
                 int id3 = (int)(id & 0xffL);
 
-                if ((id & 0xff000000L) == 0x03000000L) {
-                    /* SSL3 cipher */
-                    BIO_printf(STDout, "          0x%02X,0x%02X - ", id2,
-                               id3);
-                } else {
-                    /* whatever */
-                    BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0,
-                               id1, id2, id3);
-                }
+                if ((id & 0xff000000L) == 0x03000000L)
+                    BIO_printf(bio_out, "          0x%02X,0x%02X - ", id2, id3); /* SSL3
+                                                                                  * cipher */
+                else
+                    BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
             }
 #ifndef OPENSSL_NO_SSL_TRACE
             if (stdname) {
                 const char *nm = SSL_CIPHER_standard_name(c);
                 if (nm == NULL)
                     nm = "UNKNOWN";
-                BIO_printf(STDout, "%s - ", nm);
+                BIO_printf(bio_out, "%s - ", nm);
             }
 #endif
-            BIO_puts(STDout, SSL_CIPHER_description(c, buf, sizeof buf));
+            BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof buf));
         }
     }
 
     ret = 0;
-    if (0) {
+    goto end;
  err:
-        SSL_load_error_strings();
-        ERR_print_errors(bio_err);
-    }
+    ERR_print_errors(bio_err);
  end:
-    if (use_supported && sk)
+    if (use_supported)
         sk_SSL_CIPHER_free(sk);
-    if (ctx != NULL)
-        SSL_CTX_free(ctx);
-    if (ssl != NULL)
-        SSL_free(ssl);
-    if (STDout != NULL)
-        BIO_free_all(STDout);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    SSL_CTX_free(ctx);
+    SSL_free(ssl);
+    return (ret);
 }

apps/crl.c

@@ -1,4 +1,3 @@
-/* apps/crl.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -66,208 +65,183 @@
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
 
-#undef PROG
-#define PROG    crl_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
+    OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
+    OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE,
+    OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD,
+    OPT_NOOUT, OPT_NAMEOPT, OPT_MD
+} OPTION_CHOICE;
 
-#undef POSTFIX
-#define POSTFIX ".rvk"
-
-static const char *crl_usage[] = {
-    "usage: crl args\n",
-    "\n",
-    " -inform arg     - input format - default PEM (DER or PEM)\n",
-    " -outform arg    - output format - default PEM\n",
-    " -text           - print out a text format version\n",
-    " -in arg         - input file - default stdin\n",
-    " -out arg        - output file - default stdout\n",
-    " -hash           - print hash value\n",
+OPTIONS crl_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format; default PEM"},
+    {"in", OPT_IN, '<', "Input file - default stdin"},
+    {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
+    {"out", OPT_OUT, '>', "output file - default stdout"},
+    {"keyform", OPT_KEYFORM, 'F'},
+    {"key", OPT_KEY, '<'},
+    {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
+    {"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"},
+    {"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"},
+    {"noout", OPT_NOOUT, '-', "No CRL output"},
+    {"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"},
+    {"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
+    {"badsig", OPT_BADSIG, '-'},
+    {"gendelta", OPT_GENDELTA, '<'},
+    {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
+    {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
+    {"verify", OPT_VERIFY, '-'},
+    {"text", OPT_TEXT, '-', "Print out a text format version"},
+    {"hash", OPT_HASH, '-', "Print hash value"},
+    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
+    {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_MD5
-    " -hash_old       - print old-style (MD5) hash value\n",
+    {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
 #endif
-    " -fingerprint    - print the crl fingerprint\n",
-    " -issuer         - print issuer DN\n",
-    " -lastupdate     - lastUpdate field\n",
-    " -nextupdate     - nextUpdate field\n",
-    " -crlnumber      - print CRL number\n",
-    " -noout          - no CRL output\n",
-    " -CAfile  name   - verify CRL using certificates in file \"name\"\n",
-    " -CApath  dir    - verify CRL using certificates in \"dir\"\n",
-    " -nameopt arg    - various certificate name options\n",
-    NULL
+    {NULL}
 };
 
-static BIO *bio_out = NULL;
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+int crl_main(int argc, char **argv)
 {
-    unsigned long nmflag = 0;
     X509_CRL *x = NULL;
-    char *CAfile = NULL, *CApath = NULL;
-    int ret = 1, i, num, badops = 0, badsig = 0;
     BIO *out = NULL;
-    int informat, outformat, keyformat;
-    char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
-    int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout =
-        0, text = 0;
-#ifndef OPENSSL_NO_MD5
-    int hash_old = 0;
-#endif
-    int fingerprint = 0, crlnumber = 0;
-    const char **pp;
     X509_STORE *store = NULL;
     X509_STORE_CTX ctx;
     X509_LOOKUP *lookup = NULL;
     X509_OBJECT xobj;
     EVP_PKEY *pkey;
-    int do_ver = 0;
-    const EVP_MD *md_alg, *digest = EVP_sha1();
-
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    if (bio_out == NULL)
-        if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
-            BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-            {
-                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-                bio_out = BIO_push(tmpbio, bio_out);
-            }
-#endif
-        }
-
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-    keyformat = FORMAT_PEM;
-
-    argc--;
-    argv++;
-    num = 0;
-    while (argc >= 1) {
-#ifdef undef
-        if (strcmp(*argv, "-p") == 0) {
-            if (--argc < 1)
-                goto bad;
-            if (!args_from_file(++argv, Nargc, Nargv)) {
-                goto end;
-            }
-        */}
-#endif
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-gendelta") == 0) {
-            if (--argc < 1)
-                goto bad;
-            crldiff = *(++argv);
-        } else if (strcmp(*argv, "-key") == 0) {
-            if (--argc < 1)
-                goto bad;
-            keyfile = *(++argv);
-        } else if (strcmp(*argv, "-keyform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            keyformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-CApath") == 0) {
-            if (--argc < 1)
-                goto bad;
-            CApath = *(++argv);
-            do_ver = 1;
-        } else if (strcmp(*argv, "-CAfile") == 0) {
-            if (--argc < 1)
-                goto bad;
-            CAfile = *(++argv);
-            do_ver = 1;
-        } else if (strcmp(*argv, "-verify") == 0)
-            do_ver = 1;
-        else if (strcmp(*argv, "-text") == 0)
-            text = 1;
-        else if (strcmp(*argv, "-hash") == 0)
-            hash = ++num;
+    const EVP_MD *digest = EVP_sha1();
+    unsigned long nmflag = 0;
+    char nmflag_set = 0;
+    char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
+    char *CAfile = NULL, *CApath = NULL, *prog;
+    OPTION_CHOICE o;
+    int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
+    int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
+    int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
+    int i;
+#ifndef OPENSSL_NO_MD5
+    int hash_old = 0;
+#endif
+
+    prog = opt_init(argc, argv, crl_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(crl_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_KEYFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
+                goto opthelp;
+            break;
+        case OPT_KEY:
+            keyfile = opt_arg();
+            break;
+        case OPT_GENDELTA:
+            crldiff = opt_arg();
+            break;
+        case OPT_CAPATH:
+            CApath = opt_arg();
+            do_ver = 1;
+            break;
+        case OPT_CAFILE:
+            CAfile = opt_arg();
+            do_ver = 1;
+            break;
+        case OPT_NOCAPATH:
+            noCApath =  1;
+            break;
+        case OPT_NOCAFILE:
+            noCAfile =  1;
+            break;
+        case OPT_HASH_OLD:
 #ifndef OPENSSL_NO_MD5
-        else if (strcmp(*argv, "-hash_old") == 0)
             hash_old = ++num;
 #endif
-        else if (strcmp(*argv, "-nameopt") == 0) {
-            if (--argc < 1)
-                goto bad;
-            if (!set_name_ex(&nmflag, *(++argv)))
-                goto bad;
-        } else if (strcmp(*argv, "-issuer") == 0)
-            issuer = ++num;
-        else if (strcmp(*argv, "-lastupdate") == 0)
-            lastupdate = ++num;
-        else if (strcmp(*argv, "-nextupdate") == 0)
-            nextupdate = ++num;
-        else if (strcmp(*argv, "-noout") == 0)
-            noout = ++num;
-        else if (strcmp(*argv, "-fingerprint") == 0)
-            fingerprint = ++num;
-        else if (strcmp(*argv, "-crlnumber") == 0)
-            crlnumber = ++num;
-        else if (strcmp(*argv, "-badsig") == 0)
-            badsig = 1;
-        else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
-            /* ok */
-            digest = md_alg;
-        } else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
             break;
+        case OPT_VERIFY:
+            do_ver = 1;
+            break;
+        case OPT_TEXT:
+            text = 1;
+            break;
+        case OPT_HASH:
+            hash = ++num;
+            break;
+        case OPT_ISSUER:
+            issuer = ++num;
+            break;
+        case OPT_LASTUPDATE:
+            lastupdate = ++num;
+            break;
+        case OPT_NEXTUPDATE:
+            nextupdate = ++num;
+            break;
+        case OPT_NOOUT:
+            noout = ++num;
+            break;
+        case OPT_FINGERPRINT:
+            fingerprint = ++num;
+            break;
+        case OPT_CRLNUMBER:
+            crlnumber = ++num;
+            break;
+        case OPT_BADSIG:
+            badsig = 1;
+            break;
+        case OPT_NAMEOPT:
+            nmflag_set = 1;
+            if (!set_name_ex(&nmflag, opt_arg()))
+                goto opthelp;
+            break;
+        case OPT_MD:
+            if (!opt_md(opt_unknown(), &digest))
+                goto opthelp;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    if (badops) {
- bad:
-        for (pp = crl_usage; (*pp != NULL); pp++)
-            BIO_printf(bio_err, "%s", *pp);
-        goto end;
-    }
+    if (!nmflag_set)
+        nmflag = XN_FLAG_ONELINE;
 
-    ERR_load_crypto_strings();
     x = load_crl(infile, informat);
-    if (x == NULL) {
+    if (x == NULL)
         goto end;
-    }
 
     if (do_ver) {
-        store = X509_STORE_new();
+        if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
+            goto end;
         lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
         if (lookup == NULL)
             goto end;
-        if (!X509_LOOKUP_load_file(lookup, CAfile, X509_FILETYPE_PEM))
-            X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
-
-        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
-        if (lookup == NULL)
-            goto end;
-        if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM))
-            X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
-        ERR_clear_error();
-
         if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
             BIO_printf(bio_err, "Error initialising X509 store\n");
             goto end;
@@ -279,14 +253,13 @@ int MAIN(int argc, char **argv)
             BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
             goto end;
         }
-        pkey = X509_get_pubkey(xobj.data.x509);
+        pkey = X509_get0_pubkey(xobj.data.x509);
         X509_OBJECT_free_contents(&xobj);
         if (!pkey) {
             BIO_printf(bio_err, "Error getting CRL issuer public key\n");
             goto end;
         }
         i = X509_CRL_verify(x, pkey);
-        EVP_PKEY_free(pkey);
         if (i < 0)
             goto end;
         if (i == 0)
@@ -304,8 +277,7 @@ int MAIN(int argc, char **argv)
         newcrl = load_crl(crldiff, informat);
         if (!newcrl)
             goto end;
-        pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
-                        "CRL signing key");
+        pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
         if (!pkey) {
             X509_CRL_free(newcrl);
             goto end;
@@ -380,27 +352,9 @@ int MAIN(int argc, char **argv)
             }
         }
     }
-
-    out = BIO_new(BIO_s_file());
-    if (out == NULL) {
-        ERR_print_errors(bio_err);
+    out = bio_open_default(outfile, 'w', outformat);
+    if (out == NULL)
         goto end;
-    }
-
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
 
     if (text)
         X509_CRL_print(out, x);
@@ -410,33 +364,32 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (badsig)
-        x->signature->data[x->signature->length - 1] ^= 0x1;
+    if (badsig) {
+        ASN1_BIT_STRING *sig;
+        unsigned char *psig;
+        X509_CRL_get0_signature(&sig, NULL, x);
+        psig = ASN1_STRING_data(sig);
+        psig[ASN1_STRING_length(sig) - 1] ^= 0x1;
+    }
 
     if (outformat == FORMAT_ASN1)
         i = (int)i2d_X509_CRL_bio(out, x);
-    else if (outformat == FORMAT_PEM)
+    else
         i = PEM_write_bio_X509_CRL(out, x);
-    else {
-        BIO_printf(bio_err, "bad output format specified for outfile\n");
-        goto end;
-    }
     if (!i) {
         BIO_printf(bio_err, "unable to write CRL\n");
         goto end;
     }
     ret = 0;
+
  end:
     if (ret != 0)
         ERR_print_errors(bio_err);
     BIO_free_all(out);
-    BIO_free_all(bio_out);
-    bio_out = NULL;
     X509_CRL_free(x);
     if (store) {
         X509_STORE_CTX_cleanup(&ctx);
         X509_STORE_free(store);
     }
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    return (ret);
 }

apps/crl2p7.c

@@ -1,4 +1,3 @@
-/* apps/crl2p7.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -74,129 +73,90 @@
 #include <openssl/objects.h>
 
 static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
-#undef PROG
-#define PROG    crl2pkcs7_main
 
-/*-
- * -inform arg  - input format - default PEM (DER or PEM)
- * -outform arg - output format - default PEM
- * -in arg      - input file - default stdin
- * -out arg     - output file - default stdout
- */
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS crl2pkcs7_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"},
+    {"certfile", OPT_CERTFILE, '<',
+     "File of chain of certs to a trusted CA; can be repeated"},
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int crl2pkcs7_main(int argc, char **argv)
 {
-    int i, badops = 0;
     BIO *in = NULL, *out = NULL;
-    int informat, outformat;
-    char *infile, *outfile, *prog, *certfile;
     PKCS7 *p7 = NULL;
     PKCS7_SIGNED *p7s = NULL;
-    X509_CRL *crl = NULL;
     STACK_OF(OPENSSL_STRING) *certflst = NULL;
-    STACK_OF(X509_CRL) *crl_stack = NULL;
     STACK_OF(X509) *cert_stack = NULL;
-    int ret = 1, nocrl = 0;
+    STACK_OF(X509_CRL) *crl_stack = NULL;
+    X509_CRL *crl = NULL;
+    char *infile = NULL, *outfile = NULL, *prog, *certfile;
+    int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl =
+        0;
+    OPTION_CHOICE o;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    infile = NULL;
-    outfile = NULL;
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-nocrl") == 0) {
+    prog = opt_init(argc, argv, crl2pkcs7_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(crl2pkcs7_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_NOCRL:
             nocrl = 1;
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-certfile") == 0) {
-            if (--argc < 1)
-                goto bad;
-            if (!certflst)
-                certflst = sk_OPENSSL_STRING_new_null();
-            if (!certflst)
+            break;
+        case OPT_CERTFILE:
+            if ((certflst == NULL)
+                && (certflst = sk_OPENSSL_STRING_new_null()) == NULL)
                 goto end;
-            if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
+            if (!sk_OPENSSL_STRING_push(certflst, opt_arg())) {
                 sk_OPENSSL_STRING_free(certflst);
                 goto end;
             }
-        } else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
             break;
         }
-        argc--;
-        argv++;
-    }
-
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg    input format - DER or PEM\n");
-        BIO_printf(bio_err, " -outform arg   output format - DER or PEM\n");
-        BIO_printf(bio_err, " -in arg        input file\n");
-        BIO_printf(bio_err, " -out arg       output file\n");
-        BIO_printf(bio_err,
-                   " -certfile arg  certificates file of chain to a trusted CA\n");
-        BIO_printf(bio_err, "                (can be used more than once)\n");
-        BIO_printf(bio_err,
-                   " -nocrl         no crl to load, just certs from '-certfile'\n");
-        ret = 1;
-        goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
-        goto end;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
     if (!nocrl) {
-        if (infile == NULL)
-            BIO_set_fp(in, stdin, BIO_NOCLOSE);
-        else {
-            if (BIO_read_filename(in, infile) <= 0) {
-                perror(infile);
-                goto end;
-            }
-        }
+        in = bio_open_default(infile, 'r', informat);
+        if (in == NULL)
+            goto end;
 
         if (informat == FORMAT_ASN1)
             crl = d2i_X509_CRL_bio(in, NULL);
         else if (informat == FORMAT_PEM)
             crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
-        else {
-            BIO_printf(bio_err, "bad input format specified for input crl\n");
-            goto end;
-        }
         if (crl == NULL) {
             BIO_printf(bio_err, "unable to load CRL\n");
             ERR_print_errors(bio_err);
@@ -238,29 +198,14 @@ int MAIN(int argc, char **argv)
 
     sk_OPENSSL_STRING_free(certflst);
 
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
+    out = bio_open_default(outfile, 'w', outformat);
+    if (out == NULL)
+        goto end;
 
     if (outformat == FORMAT_ASN1)
         i = i2d_PKCS7_bio(out, p7);
     else if (outformat == FORMAT_PEM)
         i = PEM_write_bio_PKCS7(out, p7);
-    else {
-        BIO_printf(bio_err, "bad output format specified for outfile\n");
-        goto end;
-    }
     if (!i) {
         BIO_printf(bio_err, "unable to write pkcs7 object\n");
         ERR_print_errors(bio_err);
@@ -268,17 +213,12 @@ int MAIN(int argc, char **argv)
     }
     ret = 0;
  end:
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (p7 != NULL)
-        PKCS7_free(p7);
-    if (crl != NULL)
-        X509_CRL_free(crl);
+    BIO_free(in);
+    BIO_free_all(out);
+    PKCS7_free(p7);
+    X509_CRL_free(crl);
 
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    return (ret);
 }
 
 /*-
@@ -299,8 +239,8 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
     STACK_OF(X509_INFO) *sk = NULL;
     X509_INFO *xi;
 
-    in = BIO_new(BIO_s_file());
-    if ((in == NULL) || (BIO_read_filename(in, certfile) <= 0)) {
+    in = BIO_new_file(certfile, "r");
+    if (in == NULL) {
         BIO_printf(bio_err, "error opening the file, %s\n", certfile);
         goto end;
     }
@@ -326,9 +266,7 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
     ret = count;
  end:
     /* never need to OPENSSL_free x */
-    if (in != NULL)
-        BIO_free(in);
-    if (sk != NULL)
-        sk_X509_INFO_free(sk);
+    BIO_free(in);
+    sk_X509_INFO_free(sk);
     return (ret);
 }

apps/dgst.c

@@ -1,4 +1,3 @@
-/* apps/dgst.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -71,244 +70,193 @@
 #undef BUFSIZE
 #define BUFSIZE 1024*8
 
-#undef PROG
-#define PROG    dgst_main
-
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
           EVP_PKEY *key, unsigned char *sigin, int siglen,
           const char *sig_name, const char *md_name,
           const char *file, BIO *bmd);
 
-static void list_md_fn(const EVP_MD *m,
-                       const char *from, const char *to, void *arg)
-{
-    const char *mname;
-    /* Skip aliases */
-    if (!m)
-        return;
-    mname = OBJ_nid2ln(EVP_MD_type(m));
-    /* Skip shortnames */
-    if (strcmp(from, mname))
-        return;
-    /* Skip clones */
-    if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
-        return;
-    if (strchr(mname, ' '))
-        mname = EVP_MD_name(m);
-    BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
-               mname, mname);
-}
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_C, OPT_R, OPT_RAND, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
+    OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
+    OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
+    OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
+    OPT_DIGEST
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
-{
-    ENGINE *e = NULL, *impl = NULL;
-    unsigned char *buf = NULL;
-    int i, err = 1;
-    const EVP_MD *md = NULL, *m;
-    BIO *in = NULL, *inp;
-    BIO *bmd = NULL;
-    BIO *out = NULL;
-#define PROG_NAME_SIZE  39
-    char pname[PROG_NAME_SIZE + 1];
-    int separator = 0;
-    int debug = 0;
-    int keyform = FORMAT_PEM;
-    const char *outfile = NULL, *keyfile = NULL;
-    const char *sigfile = NULL, *randfile = NULL;
-    int out_bin = -1, want_pub = 0, do_verify = 0;
-    EVP_PKEY *sigkey = NULL;
-    unsigned char *sigbuf = NULL;
-    int siglen = 0;
-    char *passargin = NULL, *passin = NULL;
+OPTIONS dgst_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"},
+    {OPT_HELP_STR, 1, '-',
+        "  file... files to digest (default is stdin)\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"c", OPT_C, '-', "Print the digest with separating colons"},
+    {"r", OPT_R, '-', "Print the digest in coreutils format"},
+    {"rand", OPT_RAND, 's'},
+    {"out", OPT_OUT, '>', "Output to filename rather than stdout"},
+    {"passin", OPT_PASSIN, 's'},
+    {"sign", OPT_SIGN, '<', "Sign digest using private key in file"},
+    {"verify", OPT_VERIFY, '<',
+     "Verify a signature using public key in file"},
+    {"prverify", OPT_PRVERIFY, '<',
+     "Verify a signature using private key in file"},
+    {"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
+    {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
+    {"hex", OPT_HEX, '-', "Print as hex dump"},
+    {"binary", OPT_BINARY, '-', "Print in binary form"},
+    {"d", OPT_DEBUG, '-', "Print debug info"},
+    {"debug", OPT_DEBUG, '-'},
+    {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-'},
+    {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
+    {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"},
+    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
+    {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
+    {"", OPT_DIGEST, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-    int engine_impl = 0;
+    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+    {"engine_impl", OPT_ENGINE_IMPL, '-'},
 #endif
+    {NULL}
+};
+
+int dgst_main(int argc, char **argv)
+{
+    BIO *in = NULL, *inp, *bmd = NULL, *out = NULL;
+    ENGINE *e = NULL, *impl = NULL;
+    EVP_PKEY *sigkey = NULL;
+    STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
     char *hmac_key = NULL;
     char *mac_name = NULL;
-    int non_fips_allow = 0;
-    STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
+    char *passinarg = NULL, *passin = NULL;
+    const EVP_MD *md = NULL, *m;
+    const char *outfile = NULL, *keyfile = NULL, *prog = NULL;
+    const char *sigfile = NULL, *randfile = NULL;
+    OPTION_CHOICE o;
+    int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0;
+    int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
+    unsigned char *buf = NULL, *sigbuf = NULL;
+    int engine_impl = 0;
 
-    apps_startup();
+    prog = opt_progname(argv[0]);
+    buf = app_malloc(BUFSIZE, "I/O buffer");
+    md = EVP_get_digestbyname(prog);
 
-    if ((buf = (unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) {
-        BIO_printf(bio_err, "out of memory\n");
-        goto end;
-    }
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    /* first check the program name */
-    program_name(argv[0], pname, sizeof pname);
-
-    md = EVP_get_digestbyname(pname);
-
-    argc--;
-    argv++;
-    while (argc > 0) {
-        if ((*argv)[0] != '-')
-            break;
-        if (strcmp(*argv, "-c") == 0)
+    prog = opt_init(argc, argv, dgst_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(dgst_options);
+            ret = 0;
+            goto end;
+        case OPT_C:
             separator = 1;
-        else if (strcmp(*argv, "-r") == 0)
+            break;
+        case OPT_R:
             separator = 2;
-        else if (strcmp(*argv, "-rand") == 0) {
-            if (--argc < 1)
-                break;
-            randfile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                break;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-sign") == 0) {
-            if (--argc < 1)
-                break;
-            keyfile = *(++argv);
-        } else if (!strcmp(*argv, "-passin")) {
-            if (--argc < 1)
-                break;
-            passargin = *++argv;
-        } else if (strcmp(*argv, "-verify") == 0) {
-            if (--argc < 1)
-                break;
-            keyfile = *(++argv);
-            want_pub = 1;
+            break;
+        case OPT_RAND:
+            randfile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_SIGN:
+            keyfile = opt_arg();
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
+        case OPT_VERIFY:
+            keyfile = opt_arg();
+            want_pub = do_verify = 1;
+            break;
+        case OPT_PRVERIFY:
+            keyfile = opt_arg();
             do_verify = 1;
-        } else if (strcmp(*argv, "-prverify") == 0) {
-            if (--argc < 1)
-                break;
-            keyfile = *(++argv);
-            do_verify = 1;
-        } else if (strcmp(*argv, "-signature") == 0) {
-            if (--argc < 1)
-                break;
-            sigfile = *(++argv);
-        } else if (strcmp(*argv, "-keyform") == 0) {
-            if (--argc < 1)
-                break;
-            keyform = str2fmt(*(++argv));
-        }
-#ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                break;
-            engine = *(++argv);
-            e = setup_engine(bio_err, engine, 0);
-        } else if (strcmp(*argv, "-engine_impl") == 0)
+            break;
+        case OPT_SIGNATURE:
+            sigfile = opt_arg();
+            break;
+        case OPT_KEYFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
+                goto opthelp;
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_ENGINE_IMPL:
             engine_impl = 1;
-#endif
-        else if (strcmp(*argv, "-hex") == 0)
+            break;
+        case OPT_HEX:
             out_bin = 0;
-        else if (strcmp(*argv, "-binary") == 0)
+            break;
+        case OPT_BINARY:
             out_bin = 1;
-        else if (strcmp(*argv, "-d") == 0)
+            break;
+        case OPT_DEBUG:
             debug = 1;
-        else if (!strcmp(*argv, "-fips-fingerprint"))
+            break;
+        case OPT_FIPS_FINGERPRINT:
             hmac_key = "etaonrishdlcupfm";
-        else if (strcmp(*argv, "-non-fips-allow") == 0)
-            non_fips_allow = 1;
-        else if (!strcmp(*argv, "-hmac")) {
-            if (--argc < 1)
-                break;
-            hmac_key = *++argv;
-        } else if (!strcmp(*argv, "-mac")) {
-            if (--argc < 1)
-                break;
-            mac_name = *++argv;
-        } else if (strcmp(*argv, "-sigopt") == 0) {
-            if (--argc < 1)
-                break;
+            break;
+        case OPT_HMAC:
+            hmac_key = opt_arg();
+            break;
+        case OPT_MAC:
+            mac_name = opt_arg();
+            break;
+        case OPT_SIGOPT:
             if (!sigopts)
                 sigopts = sk_OPENSSL_STRING_new_null();
-            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
-                break;
-        } else if (strcmp(*argv, "-macopt") == 0) {
-            if (--argc < 1)
-                break;
+            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
+                goto opthelp;
+            break;
+        case OPT_MACOPT:
             if (!macopts)
                 macopts = sk_OPENSSL_STRING_new_null();
-            if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
-                break;
-        } else if ((m = EVP_get_digestbyname(&((*argv)[1]))) != NULL)
-            md = m;
-        else
+            if (!macopts || !sk_OPENSSL_STRING_push(macopts, opt_arg()))
+                goto opthelp;
             break;
-        argc--;
-        argv++;
+        case OPT_DIGEST:
+            if (!opt_md(opt_unknown(), &m))
+                goto opthelp;
+            md = m;
+            break;
+        }
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
     if (do_verify && !sigfile) {
         BIO_printf(bio_err,
                    "No signature to verify: use the -signature option\n");
         goto end;
     }
-
-    if ((argc > 0) && (argv[0][0] == '-')) { /* bad option */
-        BIO_printf(bio_err, "unknown option '%s'\n", *argv);
-        BIO_printf(bio_err, "options are\n");
-        BIO_printf(bio_err,
-                   "-c              to output the digest with separating colons\n");
-        BIO_printf(bio_err,
-                   "-r              to output the digest in coreutils format\n");
-        BIO_printf(bio_err, "-d              to output debug info\n");
-        BIO_printf(bio_err, "-hex            output as hex dump\n");
-        BIO_printf(bio_err, "-binary         output in binary form\n");
-        BIO_printf(bio_err, "-hmac arg       set the HMAC key to arg\n");
-        BIO_printf(bio_err, "-non-fips-allow allow use of non FIPS digest\n");
-        BIO_printf(bio_err,
-                   "-sign   file    sign digest using private key in file\n");
-        BIO_printf(bio_err,
-                   "-verify file    verify a signature using public key in file\n");
-        BIO_printf(bio_err,
-                   "-prverify file  verify a signature using private key in file\n");
-        BIO_printf(bio_err,
-                   "-keyform arg    key file format (PEM or ENGINE)\n");
-        BIO_printf(bio_err,
-                   "-out filename   output to filename rather than stdout\n");
-        BIO_printf(bio_err, "-signature file signature to verify\n");
-        BIO_printf(bio_err, "-sigopt nm:v    signature parameter\n");
-        BIO_printf(bio_err, "-hmac key       create hashed MAC with key\n");
-        BIO_printf(bio_err,
-                   "-mac algorithm  create MAC (not neccessarily HMAC)\n");
-        BIO_printf(bio_err,
-                   "-macopt nm:v    MAC algorithm parameters or key\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   "-engine e       use engine e, possibly a hardware device.\n");
-#endif
-
-        EVP_MD_do_all_sorted(list_md_fn, bio_err);
-        goto end;
-    }
-#ifndef OPENSSL_NO_ENGINE
     if (engine_impl)
         impl = e;
-#endif
 
     in = BIO_new(BIO_s_file());
     bmd = BIO_new(BIO_f_md());
+    if ((in == NULL) || (bmd == NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+
     if (debug) {
         BIO_set_callback(in, BIO_debug_callback);
         /* needed for windows 3.1 */
         BIO_set_callback_arg(in, (char *)bio_err);
     }
 
-    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
         BIO_printf(bio_err, "Error getting password\n");
         goto end;
     }
 
-    if ((in == NULL) || (bmd == NULL)) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
     if (out_bin == -1) {
         if (keyfile)
             out_bin = 1;
@@ -317,29 +265,12 @@ int MAIN(int argc, char **argv)
     }
 
     if (randfile)
-        app_RAND_load_file(randfile, bio_err, 0);
+        app_RAND_load_file(randfile, 0);
 
-    if (outfile) {
-        if (out_bin)
-            out = BIO_new_file(outfile, "wb");
-        else
-            out = BIO_new_file(outfile, "w");
-    } else {
-        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    }
-
-    if (!out) {
-        BIO_printf(bio_err, "Error opening output file %s\n",
-                   outfile ? outfile : "(stdout)");
-        ERR_print_errors(bio_err);
+    out = bio_open_default(outfile, 'w', out_bin ? FORMAT_BINARY : FORMAT_TEXT);
+    if (out == NULL)
         goto end;
-    }
+
     if ((! !mac_name + ! !keyfile + ! !hmac_key) > 1) {
         BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
         goto end;
@@ -347,11 +278,9 @@ int MAIN(int argc, char **argv)
 
     if (keyfile) {
         if (want_pub)
-            sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
-                                 e, "key file");
+            sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "key file");
         else
-            sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
-                              e, "key file");
+            sigkey = load_key(keyfile, keyform, 0, passin, e, "key file");
         if (!sigkey) {
             /*
              * load_[pub]key() has already printed an appropriate message
@@ -363,7 +292,7 @@ int MAIN(int argc, char **argv)
     if (mac_name) {
         EVP_PKEY_CTX *mac_ctx = NULL;
         int r = 0;
-        if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0))
+        if (!init_gen_str(&mac_ctx, mac_name, impl, 0))
             goto mac_end;
         if (macopts) {
             char *macopt;
@@ -384,18 +313,11 @@ int MAIN(int argc, char **argv)
         }
         r = 1;
  mac_end:
-        if (mac_ctx)
-            EVP_PKEY_CTX_free(mac_ctx);
+        EVP_PKEY_CTX_free(mac_ctx);
         if (r == 0)
             goto end;
     }
 
-    if (non_fips_allow) {
-        EVP_MD_CTX *md_ctx;
-        BIO_get_md_ctx(bmd, &md_ctx);
-        EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-    }
-
     if (hmac_key) {
         sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
                                       (unsigned char *)hmac_key, -1);
@@ -442,24 +364,23 @@ int MAIN(int argc, char **argv)
             goto end;
         }
         if (md == NULL)
-            md = EVP_md5();
+            md = EVP_sha256();
         if (!EVP_DigestInit_ex(mctx, md, impl)) {
-            BIO_printf(bio_err, "Error setting digest %s\n", pname);
+            BIO_printf(bio_err, "Error setting digest\n");
             ERR_print_errors(bio_err);
             goto end;
         }
     }
 
     if (sigfile && sigkey) {
-        BIO *sigbio;
-        sigbio = BIO_new_file(sigfile, "rb");
-        siglen = EVP_PKEY_size(sigkey);
-        sigbuf = OPENSSL_malloc(siglen);
+        BIO *sigbio = BIO_new_file(sigfile, "rb");
         if (!sigbio) {
             BIO_printf(bio_err, "Error opening signature file %s\n", sigfile);
             ERR_print_errors(bio_err);
             goto end;
         }
+        siglen = EVP_PKEY_size(sigkey);
+        sigbuf = app_malloc(siglen, "signature buffer");
         siglen = BIO_read(sigbio, sigbuf, siglen);
         BIO_free(sigbio);
         if (siglen <= 0) {
@@ -478,7 +399,7 @@ int MAIN(int argc, char **argv)
 
     if (argc == 0) {
         BIO_set_fp(in, stdin, BIO_NOCLOSE);
-        err = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
+        ret = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
                     siglen, NULL, NULL, "stdin", bmd);
     } else {
         const char *md_name = NULL, *sig_name = NULL;
@@ -493,42 +414,32 @@ int MAIN(int argc, char **argv)
             if (md)
                 md_name = EVP_MD_name(md);
         }
-        err = 0;
+        ret = 0;
         for (i = 0; i < argc; i++) {
             int r;
             if (BIO_read_filename(in, argv[i]) <= 0) {
                 perror(argv[i]);
-                err++;
+                ret++;
                 continue;
             } else
                 r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
                           siglen, sig_name, md_name, argv[i], bmd);
             if (r)
-                err = r;
+                ret = r;
             (void)BIO_reset(bmd);
         }
     }
  end:
-    if (buf != NULL) {
-        OPENSSL_cleanse(buf, BUFSIZE);
-        OPENSSL_free(buf);
-    }
-    if (in != NULL)
-        BIO_free(in);
-    if (passin)
-        OPENSSL_free(passin);
+    OPENSSL_clear_free(buf, BUFSIZE);
+    BIO_free(in);
+    OPENSSL_free(passin);
     BIO_free_all(out);
     EVP_PKEY_free(sigkey);
-    if (sigopts)
-        sk_OPENSSL_STRING_free(sigopts);
-    if (macopts)
-        sk_OPENSSL_STRING_free(macopts);
-    if (sigbuf)
-        OPENSSL_free(sigbuf);
-    if (bmd != NULL)
-        BIO_free(bmd);
-    apps_shutdown();
-    OPENSSL_EXIT(err);
+    sk_OPENSSL_STRING_free(sigopts);
+    sk_OPENSSL_STRING_free(macopts);
+    OPENSSL_free(sigbuf);
+    BIO_free(bmd);
+    return (ret);
 }
 
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,

apps/dh.c

@@ -1,337 +0,0 @@
-/* apps/dh.c */
-/* obsoleted by dhparam.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
-#ifndef OPENSSL_NO_DH
-# include <stdio.h>
-# include <stdlib.h>
-# include <time.h>
-# include <string.h>
-# include "apps.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/dh.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-
-# undef PROG
-# define PROG    dh_main
-
-/*-
- * -inform arg  - input format - default PEM (DER or PEM)
- * -outform arg - output format - default PEM
- * -in arg      - input file - default stdin
- * -out arg     - output file - default stdout
- * -check       - check the parameters are ok
- * -noout
- * -text
- * -C
- */
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
-{
-    DH *dh = NULL;
-    int i, badops = 0, text = 0;
-    BIO *in = NULL, *out = NULL;
-    int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
-    char *infile, *outfile, *prog;
-# ifndef OPENSSL_NO_ENGINE
-    char *engine;
-# endif
-
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-# ifndef OPENSSL_NO_ENGINE
-    engine = NULL;
-# endif
-    infile = NULL;
-    outfile = NULL;
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        }
-# ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-# endif
-        else if (strcmp(*argv, "-check") == 0)
-            check = 1;
-        else if (strcmp(*argv, "-text") == 0)
-            text = 1;
-        else if (strcmp(*argv, "-C") == 0)
-            C = 1;
-        else if (strcmp(*argv, "-noout") == 0)
-            noout = 1;
-        else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
-            break;
-        }
-        argc--;
-        argv++;
-    }
-
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg   input format - one of DER PEM\n");
-        BIO_printf(bio_err,
-                   " -outform arg  output format - one of DER PEM\n");
-        BIO_printf(bio_err, " -in arg       input file\n");
-        BIO_printf(bio_err, " -out arg      output file\n");
-        BIO_printf(bio_err, " -check        check the DH parameters\n");
-        BIO_printf(bio_err,
-                   " -text         print a text form of the DH parameters\n");
-        BIO_printf(bio_err, " -C            Output C code\n");
-        BIO_printf(bio_err, " -noout        no output\n");
-# ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e     use engine e, possibly a hardware device.\n");
-# endif
-        goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-# ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-# endif
-
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0) {
-            perror(infile);
-            goto end;
-        }
-    }
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
-
-    if (informat == FORMAT_ASN1)
-        dh = d2i_DHparams_bio(in, NULL);
-    else if (informat == FORMAT_PEM)
-        dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
-    else {
-        BIO_printf(bio_err, "bad input format specified\n");
-        goto end;
-    }
-    if (dh == NULL) {
-        BIO_printf(bio_err, "unable to load DH parameters\n");
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
-    if (text) {
-        DHparams_print(out, dh);
-# ifdef undef
-        printf("p=");
-        BN_print(stdout, dh->p);
-        printf("\ng=");
-        BN_print(stdout, dh->g);
-        printf("\n");
-        if (dh->length != 0)
-            printf("recommended private length=%ld\n", dh->length);
-# endif
-    }
-
-    if (check) {
-        if (!DH_check(dh, &i)) {
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-        if (i & DH_CHECK_P_NOT_PRIME)
-            printf("p value is not prime\n");
-        if (i & DH_CHECK_P_NOT_SAFE_PRIME)
-            printf("p value is not a safe prime\n");
-        if (i & DH_UNABLE_TO_CHECK_GENERATOR)
-            printf("unable to check the generator value\n");
-        if (i & DH_NOT_SUITABLE_GENERATOR)
-            printf("the g value is not a generator\n");
-        if (i == 0)
-            printf("DH parameters appear to be ok.\n");
-    }
-    if (C) {
-        unsigned char *data;
-        int len, l, bits;
-
-        len = BN_num_bytes(dh->p);
-        bits = BN_num_bits(dh->p);
-        data = (unsigned char *)OPENSSL_malloc(len);
-        if (data == NULL) {
-            perror("OPENSSL_malloc");
-            goto end;
-        }
-        l = BN_bn2bin(dh->p, data);
-        printf("static unsigned char dh%d_p[]={", bits);
-        for (i = 0; i < l; i++) {
-            if ((i % 12) == 0)
-                printf("\n\t");
-            printf("0x%02X,", data[i]);
-        }
-        printf("\n\t};\n");
-
-        l = BN_bn2bin(dh->g, data);
-        printf("static unsigned char dh%d_g[]={", bits);
-        for (i = 0; i < l; i++) {
-            if ((i % 12) == 0)
-                printf("\n\t");
-            printf("0x%02X,", data[i]);
-        }
-        printf("\n\t};\n\n");
-
-        printf("DH *get_dh%d()\n\t{\n", bits);
-        printf("\tDH *dh;\n\n");
-        printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
-        printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
-               bits, bits);
-        printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
-               bits, bits);
-        printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
-        printf("\t\treturn(NULL);\n");
-        printf("\treturn(dh);\n\t}\n");
-        OPENSSL_free(data);
-    }
-
-    if (!noout) {
-        if (outformat == FORMAT_ASN1)
-            i = i2d_DHparams_bio(out, dh);
-        else if (outformat == FORMAT_PEM)
-            i = PEM_write_bio_DHparams(out, dh);
-        else {
-            BIO_printf(bio_err, "bad output format specified for outfile\n");
-            goto end;
-        }
-        if (!i) {
-            BIO_printf(bio_err, "unable to write DH parameters\n");
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-    }
-    ret = 0;
- end:
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (dh != NULL)
-        DH_free(dh);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
-}
-#else                           /* !OPENSSL_NO_DH */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
-#endif

apps/dh512.pem

@@ -1,9 +0,0 @@
------BEGIN DH PARAMETERS-----
-MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
-XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
------END DH PARAMETERS-----
-
-These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
-(http://www.skip-vpn.org/spec/numbers.html).
-See there for how they were generated.
-Note that g is not a generator, but this is not a problem since p is a safe prime.

apps/dhparam.c

@@ -1,4 +1,3 @@
-/* apps/dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -127,182 +126,138 @@
 #  include <openssl/dsa.h>
 # endif
 
-# undef PROG
-# define PROG    dhparam_main
-
 # define DEFBITS 2048
 
-/*-
- * -inform arg  - input format - default PEM (DER or PEM)
- * -outform arg - output format - default PEM
- * -in arg      - input file - default stdin
- * -out arg     - output file - default stdout
- * -dsaparam  - read or generate DSA parameters, convert to DH
- * -check       - check the parameters are ok
- * -noout
- * -text
- * -C
- */
-
 static int dh_cb(int p, int n, BN_GENCB *cb);
 
-int MAIN(int, char **);
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
+    OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
+    OPT_RAND, OPT_DSAPARAM, OPT_C, OPT_2, OPT_5
+} OPTION_CHOICE;
 
-int MAIN(int argc, char **argv)
+OPTIONS dhparam_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"},
+    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
+    {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"check", OPT_CHECK, '-', "Check the DH parameters"},
+    {"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
+    {"noout", OPT_NOOUT, '-'},
+    {"rand", OPT_RAND, 's',
+     "Load the file(s) into the random number generator"},
+    {"C", OPT_C, '-', "Print C code"},
+    {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
+    {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
+# ifndef OPENSSL_NO_DSA
+    {"dsaparam", OPT_DSAPARAM, '-',
+     "Read or generate DSA parameters, convert to DH"},
+# endif
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+# endif
+    {NULL}
+};
+
+int dhparam_main(int argc, char **argv)
 {
-    DH *dh = NULL;
-    int i, badops = 0, text = 0;
-# ifndef OPENSSL_NO_DSA
-    int dsaparam = 0;
-# endif
     BIO *in = NULL, *out = NULL;
-    int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
-    char *infile, *outfile, *prog;
-    char *inrand = NULL;
-# ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-# endif
-    int num = 0, g = 0;
+    DH *dh = NULL;
+    char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL;
+    int dsaparam = 0, i, text = 0, C = 0, ret = 1, num = 0, g = 0;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0;
+    OPTION_CHOICE o;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    infile = NULL;
-    outfile = NULL;
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        }
-# ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-# endif
-        else if (strcmp(*argv, "-check") == 0)
+    prog = opt_init(argc, argv, dhparam_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(dhparam_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
+            break;
+        case OPT_CHECK:
             check = 1;
-        else if (strcmp(*argv, "-text") == 0)
+            break;
+        case OPT_TEXT:
             text = 1;
-# ifndef OPENSSL_NO_DSA
-        else if (strcmp(*argv, "-dsaparam") == 0)
+            break;
+        case OPT_DSAPARAM:
             dsaparam = 1;
-# endif
-        else if (strcmp(*argv, "-C") == 0)
+            break;
+        case OPT_C:
             C = 1;
-        else if (strcmp(*argv, "-noout") == 0)
-            noout = 1;
-        else if (strcmp(*argv, "-2") == 0)
+            break;
+        case OPT_2:
             g = 2;
-        else if (strcmp(*argv, "-5") == 0)
+            break;
+        case OPT_5:
             g = 5;
-        else if (strcmp(*argv, "-rand") == 0) {
-            if (--argc < 1)
-                goto bad;
-            inrand = *(++argv);
-        } else if (((sscanf(*argv, "%d", &num) == 0) || (num <= 0)))
-            goto bad;
-        argv++;
-        argc--;
+            break;
+        case OPT_NOOUT:
+            noout = 1;
+            break;
+        case OPT_RAND:
+            inrand = opt_arg();
+            break;
+        }
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] [numbits]\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg   input format - one of DER PEM\n");
-        BIO_printf(bio_err,
-                   " -outform arg  output format - one of DER PEM\n");
-        BIO_printf(bio_err, " -in arg       input file\n");
-        BIO_printf(bio_err, " -out arg      output file\n");
-# ifndef OPENSSL_NO_DSA
-        BIO_printf(bio_err,
-                   " -dsaparam     read or generate DSA parameters, convert to DH\n");
-# endif
-        BIO_printf(bio_err, " -check        check the DH parameters\n");
-        BIO_printf(bio_err,
-                   " -text         print a text form of the DH parameters\n");
-        BIO_printf(bio_err, " -C            Output C code\n");
-        BIO_printf(bio_err,
-                   " -2            generate parameters using  2 as the generator value\n");
-        BIO_printf(bio_err,
-                   " -5            generate parameters using  5 as the generator value\n");
-        BIO_printf(bio_err,
-                   " numbits       number of bits in to generate (default 2048)\n");
-# ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e     use engine e, possibly a hardware device.\n");
-# endif
-        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
-                   LIST_SEPARATOR_CHAR);
-        BIO_printf(bio_err,
-                   "               - load the file (or the files in the directory) into\n");
-        BIO_printf(bio_err, "               the random number generator\n");
-        BIO_printf(bio_err, " -noout        no output\n");
+    if (argv[0] && (!opt_int(argv[0], &num) || num <= 0))
         goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-# ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-# endif
 
     if (g && !num)
         num = DEFBITS;
 
 # ifndef OPENSSL_NO_DSA
-    if (dsaparam) {
-        if (g) {
-            BIO_printf(bio_err,
-                       "generator may not be chosen for DSA parameters\n");
-            goto end;
-        }
-    } else
-# endif
-    {
-        /* DH parameters */
-        if (num && !g)
-            g = 2;
+    if (dsaparam && g) {
+        BIO_printf(bio_err,
+                   "generator may not be chosen for DSA parameters\n");
+        goto end;
     }
+# endif
+    /* DH parameters */
+    if (num && !g)
+        g = 2;
 
     if (num) {
 
         BN_GENCB *cb;
         cb = BN_GENCB_new();
-        if (!cb) {
+        if (cb == NULL) {
             ERR_print_errors(bio_err);
             goto end;
         }
 
         BN_GENCB_set(cb, dh_cb, bio_err);
-        if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
+        if (!app_RAND_load_file(NULL, 1) && inrand == NULL) {
             BIO_printf(bio_err,
                        "warning, not much extra random data, consider using the -rand option\n");
         }
@@ -316,11 +271,10 @@ int MAIN(int argc, char **argv)
 
             BIO_printf(bio_err,
                        "Generating DSA parameters, %d bit long prime\n", num);
-            if (!dsa
+            if (dsa == NULL
                 || !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL,
                                                cb)) {
-                if (dsa)
-                    DSA_free(dsa);
+                DSA_free(dsa);
                 BN_GENCB_free(cb);
                 ERR_print_errors(bio_err);
                 goto end;
@@ -341,7 +295,7 @@ int MAIN(int argc, char **argv)
                        "Generating DH parameters, %d bit long safe prime, generator %d\n",
                        num, g);
             BIO_printf(bio_err, "This is going to take a long time\n");
-            if (!dh || !DH_generate_parameters_ex(dh, num, g, cb)) {
+            if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
                 BN_GENCB_free(cb);
                 ERR_print_errors(bio_err);
                 goto end;
@@ -349,27 +303,13 @@ int MAIN(int argc, char **argv)
         }
 
         BN_GENCB_free(cb);
-        app_RAND_write_file(NULL, bio_err);
+        app_RAND_write_file(NULL);
     } else {
 
-        in = BIO_new(BIO_s_file());
-        if (in == NULL) {
-            ERR_print_errors(bio_err);
+        in = bio_open_default(infile, 'r', informat);
+        if (in == NULL)
             goto end;
-        }
-        if (infile == NULL)
-            BIO_set_fp(in, stdin, BIO_NOCLOSE);
-        else {
-            if (BIO_read_filename(in, infile) <= 0) {
-                perror(infile);
-                goto end;
-            }
-        }
 
-        if (informat != FORMAT_ASN1 && informat != FORMAT_PEM) {
-            BIO_printf(bio_err, "bad input format specified\n");
-            goto end;
-        }
 # ifndef OPENSSL_NO_DSA
         if (dsaparam) {
             DSA *dsa;
@@ -409,25 +349,9 @@ int MAIN(int argc, char **argv)
         /* dh != NULL */
     }
 
-    out = BIO_new(BIO_s_file());
-    if (out == NULL) {
-        ERR_print_errors(bio_err);
+    out = bio_open_default(outfile, 'w', outformat);
+    if (out == NULL)
         goto end;
-    }
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
 
     if (text) {
         DHparams_print(out, dh);
@@ -451,63 +375,44 @@ int MAIN(int argc, char **argv)
     }
     if (C) {
         unsigned char *data;
-        int len, l, bits;
+        int len, bits;
 
         len = BN_num_bytes(dh->p);
         bits = BN_num_bits(dh->p);
-        data = (unsigned char *)OPENSSL_malloc(len);
-        if (data == NULL) {
-            perror("OPENSSL_malloc");
-            goto end;
-        }
-        printf("#ifndef HEADER_DH_H\n"
-               "#include <openssl/dh.h>\n" "#endif\n");
-        printf("DH *get_dh%d()\n\t{\n", bits);
-
-        l = BN_bn2bin(dh->p, data);
-        printf("\tstatic unsigned char dh%d_p[]={", bits);
-        for (i = 0; i < l; i++) {
-            if ((i % 12) == 0)
-                printf("\n\t\t");
-            printf("0x%02X,", data[i]);
-        }
-        printf("\n\t\t};\n");
-
-        l = BN_bn2bin(dh->g, data);
-        printf("\tstatic unsigned char dh%d_g[]={", bits);
-        for (i = 0; i < l; i++) {
-            if ((i % 12) == 0)
-                printf("\n\t\t");
-            printf("0x%02X,", data[i]);
-        }
-        printf("\n\t\t};\n");
-
-        printf("\tDH *dh;\n\n");
-        printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
-        printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
+        data = app_malloc(len, "print a BN");
+        BIO_printf(out, "#ifndef HEADER_DH_H\n"
+                        "# include <openssl/dh.h>\n"
+                        "#endif\n"
+                        "\n");
+        BIO_printf(out, "DH *get_dh%d()\n{\n", bits);
+        print_bignum_var(out, dh->p, "dhp", bits, data);
+        print_bignum_var(out, dh->g, "dhg", bits, data);
+        BIO_printf(out, "    DH *dh = DN_new();\n"
+                        "\n"
+                        "    if (dh == NULL)\n"
+                        "        return NULL;\n");
+        BIO_printf(out, "    dh->p = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n",
                bits, bits);
-        printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
+        BIO_printf(out, "    dh->g = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n",
                bits, bits);
-        printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
-        printf("\t\t{ DH_free(dh); return(NULL); }\n");
+        BIO_printf(out, "    if (!dh->p || !dh->g) {\n"
+                        "        DH_free(dh);\n"
+                        "        return NULL;\n"
+                        "    }\n");
         if (dh->length)
-            printf("\tdh->length = %ld;\n", dh->length);
-        printf("\treturn(dh);\n\t}\n");
+            BIO_printf(out,
+                        "    dh->length = %ld;\n", dh->length);
+        BIO_printf(out, "    return dh;\n}\n");
         OPENSSL_free(data);
     }
 
     if (!noout) {
         if (outformat == FORMAT_ASN1)
             i = i2d_DHparams_bio(out, dh);
-        else if (outformat == FORMAT_PEM) {
-            if (dh->q)
-                i = PEM_write_bio_DHxparams(out, dh);
-            else
-                i = PEM_write_bio_DHparams(out, dh);
-        } else {
-            BIO_printf(bio_err, "bad output format specified for outfile\n");
-            goto end;
-        }
+        else if (dh->q)
+            i = PEM_write_bio_DHxparams(out, dh);
+        else
+            i = PEM_write_bio_DHparams(out, dh);
         if (!i) {
             BIO_printf(bio_err, "unable to write DH parameters\n");
             ERR_print_errors(bio_err);
@@ -516,17 +421,12 @@ int MAIN(int argc, char **argv)
     }
     ret = 0;
  end:
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (dh != NULL)
-        DH_free(dh);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    BIO_free(in);
+    BIO_free_all(out);
+    DH_free(dh);
+    return (ret);
 }
 
-/* dh_cb is identical to dsa_cb in apps/dsaparam.c */
 static int dh_cb(int p, int n, BN_GENCB *cb)
 {
     char c = '*';

apps/dsa-ca.pem

@@ -11,30 +11,37 @@ tOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u3enxhqnDGQIUB78dhW77
 J6zsFbSEHaQGUmfSeoM=
 -----END DSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE REQUEST-----
-MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
-ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
-sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
-rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
-cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
-bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
-CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
-F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
-vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
-AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
-3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
-AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
+MIICVjCCAhMCAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAwwCQ0Ew
+ggG2MIIBKwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9
+hpazFeBTLo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhu
+zmaua4g2++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82A
+EeRwlVtQzUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ
+5WhvMONp4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeo
+epEJnbbxTZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJ
+bEEXlZLrAbVzpWp+2DLtDgK4A4GEAAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfs
+i4e9IvD1hSslqFwEeZum+3j3iUXiALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj2
+5SoDKU5UUkkle6KtUn6j7RO04UMhMQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17
+ry7d6fGGqcMZoAAwCwYJYIZIAWUDBAMCAzAAMC0CFCp7rUwGJNtxK6Aqo6k6US+S
+KP8sAhUAyfSi8Zs3QAvkJoFG0IMRaq8M03I=
 -----END CERTIFICATE REQUEST-----
 -----BEGIN CERTIFICATE-----
-MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
-CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
-CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
-AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
-ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
-MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
-MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
-C1Q=
+MIIDMDCCAuygAwIBAgIBAjALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNDE0OVoYDzMwMTUwNTE2MjE0
+MTQ5WjBSMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDDAJDQTCCAbYwggEr
+BgcqhkjOOAQBMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMu
+j+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb7
+7Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DN
+SQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh
+5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFN
+nFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusB
+tXOlan7YMu0OArgDgYQAAoGAGqZZeoqs/V62RZZNhglXAfioocVpx+yLh70i8PWF
+KyWoXAR5m6b7ePeJReIAucN1jzPr1yaH27rJOBqEBBLEDTA2moeJuPblKgMpTlRS
+SSV7oq1SfqPtE7ThQyExAJfmGWWq4lzg+7XTkjpfUSzDwuvnWhykvXuvLt3p8Yap
+wxmjUDBOMB0GA1UdDgQWBBTMZcORcBEVlqO/CD4pf4V6N1NM1zAfBgNVHSMEGDAW
+gBTGjwJ33uvjSa20RNrMKWoGptOLdDAMBgNVHRMEBTADAQH/MAsGCWCGSAFlAwQD
+AgMxADAuAhUA4V6MrHufG8R79E+AtVO02olPxK8CFQDkZyo/TWpavsUBRDJbCeD9
+jgjIkA==
 -----END CERTIFICATE-----
-

apps/dsa-pca.pem

@@ -11,36 +11,37 @@ umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
 6TicfImU7UFRn9h00j0lJQ==
 -----END DSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE REQUEST-----
-MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
-MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
-lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
-Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
-5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
-aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
-kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
-QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
-6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
-yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
-z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
-nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
+MIICWDCCAhUCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAwwDUENB
+MIIBtzCCASsGByqGSM44BAEwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7F
+PYaWsxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmI
+bs5mrmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/N
+gBHkcJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYl
+meVobzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEn
+qHqRCZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/Xk
+CWxBF5WS6wG1c6Vqftgy7Q4CuAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYg
+rB7o1kQxeDf34dDVRM9OZ8tkumz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQ
+lNnKvbtlmMDULpqkZJD0bO7A29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgT
+mvTPT2j9TPjq7RWgADALBglghkgBZQMEAwIDMAAwLQIVAPA6/jxCT1D2HgzE4iZR
+AEup/C7YAhRPLTQvQnAiS5FRrA+8SwBLvDAsaw==
 -----END CERTIFICATE REQUEST-----
 -----BEGIN CERTIFICATE-----
-MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
-CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
-CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
-ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
-R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
-JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
-BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
-mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
-VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
-uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
-umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
-29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
-AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
-5rKUjNBhSg==
+MIIDMDCCAu6gAwIBAgIBATALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNDE0OVoYDzMwMTUwNTE2MjE0
+MTQ5WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDDANQQ0EwggG3MIIB
+KwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9hpazFeBT
+Lo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhuzmaua4g2
+++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82AEeRwlVtQ
+zUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ5WhvMONp
+4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeoepEJnbbx
+TZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJbEEXlZLr
+AbVzpWp+2DLtDgK4A4GFAAKBgQCm7bkeQHVviAowhXtosY1IiSczNiCsHujWRDF4
+N/fh0NVEz05ny2S6bPq2X6JRw17kSjF2xhXUhdJ12M6LTws4uxmrsBCU2cq9u2WY
+wNQumqRkkPRs7sDb2eKwl8rLVRGoAEvDkOB9w+HVkte2YN9SAm+aOBOa9M9PaP1M
++OrtFaNQME4wHQYDVR0OBBYEFMaPAnfe6+NJrbRE2swpagam04t0MB8GA1UdIwQY
+MBaAFMaPAnfe6+NJrbRE2swpagam04t0MAwGA1UdEwQFMAMBAf8wCwYJYIZIAWUD
+BAMCAy8AMCwCFFhdz4fzQo9BBF20U1CHldYTi/D7AhQydDnDMj21y+U1UhDZJrvh
+lnt88g==
 -----END CERTIFICATE-----
-

apps/dsa.c

@@ -1,4 +1,3 @@
-/* apps/dsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -71,210 +70,146 @@
 # include <openssl/pem.h>
 # include <openssl/bn.h>
 
-# undef PROG
-# define PROG    dsa_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
+    OPT_ENGINE, OPT_PVK_STRONG, OPT_PVK_WEAK,
+    OPT_PVK_NONE, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
+    OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT
+} OPTION_CHOICE;
 
-/*-
- * -inform arg  - input format - default PEM (one of DER, NET or PEM)
- * -outform arg - output format - default PEM
- * -in arg      - input file - default stdin
- * -out arg     - output file - default stdout
- * -des         - encrypt output if PEM format with DES in cbc mode
- * -des3        - encrypt output if PEM format
- * -idea        - encrypt output if PEM format
- * -aes128      - encrypt output if PEM format
- * -aes192      - encrypt output if PEM format
- * -aes256      - encrypt output if PEM format
- * -camellia128 - encrypt output if PEM format
- * -camellia192 - encrypt output if PEM format
- * -camellia256 - encrypt output if PEM format
- * -seed        - encrypt output if PEM format
- * -text        - print a text version
- * -modulus     - print the DSA public key
- */
+OPTIONS dsa_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format, DER PEM PVK"},
+    {"outform", OPT_OUTFORM, 'F', "Output format, DER PEM PVK"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"noout", OPT_NOOUT, '-', "Don't print key out"},
+    {"text", OPT_TEXT, '-', "Print the key in text"},
+    {"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
+    {"pubin", OPT_PUBIN, '-'},
+    {"pubout", OPT_PUBOUT, '-'},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+    {"", OPT_CIPHER, '-', "Any supported cipher"},
+# ifndef OPENSSL_NO_RC4
+    {"pvk-strong", OPT_PVK_STRONG, '-'},
+    {"pvk-weak", OPT_PVK_WEAK, '-'},
+    {"pvk-none", OPT_PVK_NONE, '-'},
+# endif
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+# endif
+    {NULL}
+};
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+int dsa_main(int argc, char **argv)
 {
-    ENGINE *e = NULL;
-    int ret = 1;
+    BIO *out = NULL;
     DSA *dsa = NULL;
-    int i, badops = 0;
+    ENGINE *e = NULL;
     const EVP_CIPHER *enc = NULL;
-    BIO *in = NULL, *out = NULL;
-    int informat, outformat, text = 0, noout = 0;
-    int pubin = 0, pubout = 0;
-    char *infile, *outfile, *prog;
-# ifndef OPENSSL_NO_ENGINE
-    char *engine;
-# endif
-    char *passargin = NULL, *passargout = NULL;
-    char *passin = NULL, *passout = NULL;
-    int modulus = 0;
+    char *infile = NULL, *outfile = NULL, *prog;
+    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
+    OPTION_CHOICE o;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
+    int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
+    int private = 0;
 
-    int pvk_encr = 2;
-
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-# ifndef OPENSSL_NO_ENGINE
-    engine = NULL;
-# endif
-    infile = NULL;
-    outfile = NULL;
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-passin") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passargin = *(++argv);
-        } else if (strcmp(*argv, "-passout") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passargout = *(++argv);
-        }
-# ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-# endif
-        else if (strcmp(*argv, "-pvk-strong") == 0)
+    prog = opt_init(argc, argv, dsa_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            ret = 0;
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(dsa_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format
+                (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &informat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format
+                (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
+        case OPT_PASSOUT:
+            passoutarg = opt_arg();
+            break;
+#ifndef OPENSSL_NO_RC4
+        case OPT_PVK_STRONG:
             pvk_encr = 2;
-        else if (strcmp(*argv, "-pvk-weak") == 0)
+            break;
+        case OPT_PVK_WEAK:
             pvk_encr = 1;
-        else if (strcmp(*argv, "-pvk-none") == 0)
+            break;
+        case OPT_PVK_NONE:
             pvk_encr = 0;
-        else if (strcmp(*argv, "-noout") == 0)
+            break;
+#else
+        case OPT_PVK_STRONG:
+        case OPT_PVK_WEAK:
+        case OPT_PVK_NONE:
+            break;
+#endif
+        case OPT_NOOUT:
             noout = 1;
-        else if (strcmp(*argv, "-text") == 0)
+            break;
+        case OPT_TEXT:
             text = 1;
-        else if (strcmp(*argv, "-modulus") == 0)
+            break;
+        case OPT_MODULUS:
             modulus = 1;
-        else if (strcmp(*argv, "-pubin") == 0)
+            break;
+        case OPT_PUBIN:
             pubin = 1;
-        else if (strcmp(*argv, "-pubout") == 0)
+            break;
+        case OPT_PUBOUT:
             pubout = 1;
-        else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
+            break;
+        case OPT_CIPHER:
+            if (!opt_cipher(opt_unknown(), &enc))
+                goto end;
             break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = pubin || pubout ? 0 : 1;
+    if (text && !pubin)
+        private = 1;
 
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg     input format - DER or PEM\n");
-        BIO_printf(bio_err, " -outform arg    output format - DER or PEM\n");
-        BIO_printf(bio_err, " -in arg         input file\n");
-        BIO_printf(bio_err,
-                   " -passin arg     input file pass phrase source\n");
-        BIO_printf(bio_err, " -out arg        output file\n");
-        BIO_printf(bio_err,
-                   " -passout arg    output file pass phrase source\n");
-# ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e       use engine e, possibly a hardware device.\n");
-# endif
-        BIO_printf(bio_err,
-                   " -des            encrypt PEM output with cbc des\n");
-        BIO_printf(bio_err,
-                   " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
-# ifndef OPENSSL_NO_IDEA
-        BIO_printf(bio_err,
-                   " -idea           encrypt PEM output with cbc idea\n");
-# endif
-# ifndef OPENSSL_NO_AES
-        BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc aes\n");
-# endif
-# ifndef OPENSSL_NO_CAMELLIA
-        BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc camellia\n");
-# endif
-# ifndef OPENSSL_NO_SEED
-        BIO_printf(bio_err,
-                   " -seed           encrypt PEM output with cbc seed\n");
-# endif
-        BIO_printf(bio_err, " -text           print the key in text\n");
-        BIO_printf(bio_err, " -noout          don't print key out\n");
-        BIO_printf(bio_err, " -modulus        print the DSA public value\n");
-        goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-# ifndef OPENSSL_NO_ENGINE
-    e = setup_engine(bio_err, engine, 0);
-# endif
-
-    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
         BIO_printf(bio_err, "Error getting passwords\n");
         goto end;
     }
 
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0) {
-            perror(infile);
-            goto end;
-        }
-    }
-
     BIO_printf(bio_err, "read DSA key\n");
-
     {
         EVP_PKEY *pkey;
 
         if (pubin)
-            pkey = load_pubkey(bio_err, infile, informat, 1,
-                               passin, e, "Public Key");
+            pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
         else
-            pkey = load_key(bio_err, infile, informat, 1,
-                            passin, e, "Private Key");
+            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
 
         if (pkey) {
             dsa = EVP_PKEY_get1_DSA(pkey);
@@ -287,59 +222,65 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
 
-    if (text)
+    if (text) {
+        assert(pubin || private);
         if (!DSA_print(out, dsa, 0)) {
             perror(outfile);
             ERR_print_errors(bio_err);
             goto end;
         }
-
-    if (modulus) {
-        fprintf(stdout, "Public Key=");
-        BN_print(out, dsa->pub_key);
-        fprintf(stdout, "\n");
     }
 
-    if (noout)
+    if (modulus) {
+        BIO_printf(out, "Public Key=");
+        BN_print(out, dsa->pub_key);
+        BIO_printf(out, "\n");
+    }
+
+    if (noout) {
+        ret = 0;
         goto end;
+    }
     BIO_printf(bio_err, "writing DSA key\n");
     if (outformat == FORMAT_ASN1) {
         if (pubin || pubout)
             i = i2d_DSA_PUBKEY_bio(out, dsa);
-        else
+        else {
+            assert(private);
             i = i2d_DSAPrivateKey_bio(out, dsa);
+        }
     } else if (outformat == FORMAT_PEM) {
         if (pubin || pubout)
             i = PEM_write_bio_DSA_PUBKEY(out, dsa);
-        else
+        else {
+            assert(private);
             i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
                                             NULL, 0, NULL, passout);
+        }
 # if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
     } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
         EVP_PKEY *pk;
         pk = EVP_PKEY_new();
         EVP_PKEY_set1_DSA(pk, dsa);
-        if (outformat == FORMAT_PVK)
+        if (outformat == FORMAT_PVK) {
+            if (pubin) {
+                BIO_printf(bio_err, "PVK form impossible with public key input\n");
+                EVP_PKEY_free(pk);
+                goto end;
+            }
+            assert(private);
             i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
+        }
         else if (pubin || pubout)
             i = i2b_PublicKey_bio(out, pk);
-        else
+        else {
+            assert(private);
             i = i2b_PrivateKey_bio(out, pk);
+        }
         EVP_PKEY_free(pk);
 # endif
     } else {
@@ -349,21 +290,15 @@ int MAIN(int argc, char **argv)
     if (i <= 0) {
         BIO_printf(bio_err, "unable to write private key\n");
         ERR_print_errors(bio_err);
-    } else
-        ret = 0;
+        goto end;
+    }
+    ret = 0;
  end:
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (dsa != NULL)
-        DSA_free(dsa);
-    if (passin)
-        OPENSSL_free(passin);
-    if (passout)
-        OPENSSL_free(passout);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    BIO_free_all(out);
+    DSA_free(dsa);
+    OPENSSL_free(passin);
+    OPENSSL_free(passout);
+    return (ret);
 }
 #else                           /* !OPENSSL_NO_DSA */
 

apps/dsaparam.c

@@ -1,4 +1,3 @@
-/* apps/dsaparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,7 +58,6 @@
 #include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
 
 #ifndef OPENSSL_NO_DSA
-# include <assert.h>
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -72,24 +70,6 @@
 # include <openssl/x509.h>
 # include <openssl/pem.h>
 
-# undef PROG
-# define PROG    dsaparam_main
-
-/*-
- * -inform arg  - input format - default PEM (DER or PEM)
- * -outform arg - output format - default PEM
- * -in arg      - input file - default stdin
- * -out arg     - output file - default stdout
- * -noout
- * -text
- * -C
- * -noout
- * -genkey
- *  #ifdef GENCB_TEST
- * -timebomb n  - interrupt keygen after <n> seconds
- *  #endif
- */
-
 # ifdef GENCB_TEST
 
 static int stop_keygen_flag = 0;
@@ -103,169 +83,120 @@ static void timebomb_sigalarm(int foo)
 
 static int dsa_cb(int p, int n, BN_GENCB *cb);
 
-int MAIN(int, char **);
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
+    OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_ENGINE,
+    OPT_TIMEBOMB
+} OPTION_CHOICE;
 
-int MAIN(int argc, char **argv)
+OPTIONS dsaparam_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"text", OPT_TEXT, '-', "Print as text"},
+    {"C", OPT_C, '-', "Output C code"},
+    {"noout", OPT_NOOUT, '-', "No output"},
+    {"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
+    {"rand", OPT_RAND, 's', "Files to use for random number input"},
+# ifdef GENCB_TEST
+    {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"},
+# endif
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+# endif
+    {NULL}
+};
+
+int dsaparam_main(int argc, char **argv)
 {
     DSA *dsa = NULL;
-    int i, badops = 0, text = 0;
     BIO *in = NULL, *out = NULL;
-    int informat, outformat, noout = 0, C = 0, ret = 1;
-    char *infile, *outfile, *prog, *inrand = NULL;
-    int numbits = -1, num, genkey = 0;
-    int need_rand = 0;
-    int non_fips_allow = 0;
     BN_GENCB *cb = NULL;
-# ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-# endif
+    int numbits = -1, num = 0, genkey = 0, need_rand = 0;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
+    int ret = 1, i, text = 0, private = 0;
 # ifdef GENCB_TEST
     int timebomb = 0;
 # endif
+    char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL;
+    OPTION_CHOICE o;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    infile = NULL;
-    outfile = NULL;
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        }
-# ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-# endif
+    prog = opt_init(argc, argv, dsaparam_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(dsaparam_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
+            break;
+        case OPT_TIMEBOMB:
 # ifdef GENCB_TEST
-        else if (strcmp(*argv, "-timebomb") == 0) {
-            if (--argc < 1)
-                goto bad;
-            timebomb = atoi(*(++argv));
-        }
+            timebomb = atoi(opt_arg());
+            break;
 # endif
-        else if (strcmp(*argv, "-text") == 0)
+        case OPT_TEXT:
             text = 1;
-        else if (strcmp(*argv, "-C") == 0)
+            break;
+        case OPT_C:
             C = 1;
-        else if (strcmp(*argv, "-genkey") == 0) {
-            genkey = 1;
+            break;
+        case OPT_GENKEY:
+            genkey = need_rand = 1;
+            break;
+        case OPT_RAND:
+            inrand = opt_arg();
             need_rand = 1;
-        } else if (strcmp(*argv, "-rand") == 0) {
-            if (--argc < 1)
-                goto bad;
-            inrand = *(++argv);
-            need_rand = 1;
-        } else if (strcmp(*argv, "-noout") == 0)
+            break;
+        case OPT_NOOUT:
             noout = 1;
-        else if (strcmp(*argv, "-non-fips-allow") == 0)
-            non_fips_allow = 1;
-        else if (sscanf(*argv, "%d", &num) == 1) {
-            /* generate a key */
-            numbits = num;
-            need_rand = 1;
-        } else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
             break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] [bits] <infile >outfile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg   input format - DER or PEM\n");
-        BIO_printf(bio_err, " -outform arg  output format - DER or PEM\n");
-        BIO_printf(bio_err, " -in arg       input file\n");
-        BIO_printf(bio_err, " -out arg      output file\n");
-        BIO_printf(bio_err, " -text         print as text\n");
-        BIO_printf(bio_err, " -C            Output C code\n");
-        BIO_printf(bio_err, " -noout        no output\n");
-        BIO_printf(bio_err, " -genkey       generate a DSA key\n");
-        BIO_printf(bio_err,
-                   " -rand         files to use for random number input\n");
-# ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e     use engine e, possibly a hardware device.\n");
-# endif
-# ifdef GENCB_TEST
-        BIO_printf(bio_err,
-                   " -timebomb n   interrupt keygen after <n> seconds\n");
-# endif
-        BIO_printf(bio_err,
-                   " number        number of bits to use for generating private key\n");
-        goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0) {
-            perror(infile);
+    if (argc == 1) {
+        if (!opt_int(argv[0], &num) || num < 0)
             goto end;
-        }
-    }
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
+        /* generate a key */
+        numbits = num;
+        need_rand = 1;
     }
+    private = genkey ? 1 : 0;
 
-# ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-# endif
+    in = bio_open_default(infile, 'r', informat);
+    if (in == NULL)
+        goto end;
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
 
     if (need_rand) {
-        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        app_RAND_load_file(NULL, (inrand != NULL));
         if (inrand != NULL)
             BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                        app_RAND_load_files(inrand));
@@ -273,19 +204,17 @@ int MAIN(int argc, char **argv)
 
     if (numbits > 0) {
         cb = BN_GENCB_new();
-        if (!cb) {
+        if (cb == NULL) {
             BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
             goto end;
         }
         BN_GENCB_set(cb, dsa_cb, bio_err);
         assert(need_rand);
         dsa = DSA_new();
-        if (!dsa) {
+        if (dsa == NULL) {
             BIO_printf(bio_err, "Error allocating DSA object\n");
             goto end;
         }
-        if (non_fips_allow)
-            dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
         BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
                    num);
         BIO_printf(bio_err, "This could take some time\n");
@@ -319,12 +248,8 @@ int MAIN(int argc, char **argv)
         }
     } else if (informat == FORMAT_ASN1)
         dsa = d2i_DSAparams_bio(in, NULL);
-    else if (informat == FORMAT_PEM)
+    else
         dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
-    else {
-        BIO_printf(bio_err, "bad input format specified\n");
-        goto end;
-    }
     if (dsa == NULL) {
         BIO_printf(bio_err, "unable to load DSA parameters\n");
         ERR_print_errors(bio_err);
@@ -336,67 +261,36 @@ int MAIN(int argc, char **argv)
     }
 
     if (C) {
-        unsigned char *data;
-        int l, len, bits_p;
+        int len = BN_num_bytes(dsa->p);
+        int bits_p = BN_num_bits(dsa->p);
+        unsigned char *data = app_malloc(len + 20, "BN space");
 
-        len = BN_num_bytes(dsa->p);
-        bits_p = BN_num_bits(dsa->p);
-        data = (unsigned char *)OPENSSL_malloc(len + 20);
-        if (data == NULL) {
-            perror("OPENSSL_malloc");
-            goto end;
-        }
-        l = BN_bn2bin(dsa->p, data);
-        printf("static unsigned char dsa%d_p[]={", bits_p);
-        for (i = 0; i < l; i++) {
-            if ((i % 12) == 0)
-                printf("\n\t");
-            printf("0x%02X,", data[i]);
-        }
-        printf("\n\t};\n");
-
-        l = BN_bn2bin(dsa->q, data);
-        printf("static unsigned char dsa%d_q[]={", bits_p);
-        for (i = 0; i < l; i++) {
-            if ((i % 12) == 0)
-                printf("\n\t");
-            printf("0x%02X,", data[i]);
-        }
-        printf("\n\t};\n");
-
-        l = BN_bn2bin(dsa->g, data);
-        printf("static unsigned char dsa%d_g[]={", bits_p);
-        for (i = 0; i < l; i++) {
-            if ((i % 12) == 0)
-                printf("\n\t");
-            printf("0x%02X,", data[i]);
-        }
-        printf("\n\t};\n\n");
-
-        printf("DSA *get_dsa%d()\n\t{\n", bits_p);
-        printf("\tDSA *dsa;\n\n");
-        printf("\tif ((dsa=DSA_new()) == NULL) return(NULL);\n");
-        printf("\tdsa->p=BN_bin2bn(dsa%d_p,sizeof(dsa%d_p),NULL);\n",
+        BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p);
+        print_bignum_var(bio_out, dsa->p, "dsap", len, data);
+        print_bignum_var(bio_out, dsa->q, "dsaq", len, data);
+        print_bignum_var(bio_out, dsa->g, "dsag", len, data);
+        BIO_printf(bio_out, "    DSA *dsa = DSA_new();\n"
+                            "\n");
+        BIO_printf(bio_out, "    if (dsa == NULL)\n"
+                            "        return NULL;\n");
+        BIO_printf(bio_out, "    dsa->p = BN_bin2bn(dsap_%d, sizeof (dsap_%d), NULL);\n",
                bits_p, bits_p);
-        printf("\tdsa->q=BN_bin2bn(dsa%d_q,sizeof(dsa%d_q),NULL);\n",
+        BIO_printf(bio_out, "    dsa->q = BN_bin2bn(dsaq_%d, sizeof (dsaq_%d), NULL);\n",
                bits_p, bits_p);
-        printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
+        BIO_printf(bio_out, "    dsa->g = BN_bin2bn(dsag_%d, sizeof (dsag_%d), NULL);\n",
                bits_p, bits_p);
-        printf
-            ("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
-        printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
-        printf("\treturn(dsa);\n\t}\n");
+        BIO_printf(bio_out, "    if (!dsa->p || !dsa->q || !dsa->g) {\n"
+                            "        DSA_free(dsa);\n"
+                            "        return NULL;\n"
+                            "    }\n"
+                            "    return(dsa);\n}\n");
     }
 
     if (!noout) {
         if (outformat == FORMAT_ASN1)
             i = i2d_DSAparams_bio(out, dsa);
-        else if (outformat == FORMAT_PEM)
+        else
             i = PEM_write_bio_DSAparams(out, dsa);
-        else {
-            BIO_printf(bio_err, "bad output format specified for outfile\n");
-            goto end;
-        }
         if (!i) {
             BIO_printf(bio_err, "unable to write DSA parameters\n");
             ERR_print_errors(bio_err);
@@ -409,39 +303,28 @@ int MAIN(int argc, char **argv)
         assert(need_rand);
         if ((dsakey = DSAparams_dup(dsa)) == NULL)
             goto end;
-        if (non_fips_allow)
-            dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW;
         if (!DSA_generate_key(dsakey)) {
             ERR_print_errors(bio_err);
             DSA_free(dsakey);
             goto end;
         }
+        assert(private);
         if (outformat == FORMAT_ASN1)
             i = i2d_DSAPrivateKey_bio(out, dsakey);
-        else if (outformat == FORMAT_PEM)
+        else
             i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL,
                                             NULL);
-        else {
-            BIO_printf(bio_err, "bad output format specified for outfile\n");
-            DSA_free(dsakey);
-            goto end;
-        }
         DSA_free(dsakey);
     }
     if (need_rand)
-        app_RAND_write_file(NULL, bio_err);
+        app_RAND_write_file(NULL);
     ret = 0;
  end:
-    if (cb != NULL)
-        BN_GENCB_free(cb);
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (dsa != NULL)
-        DSA_free(dsa);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    BN_GENCB_free(cb);
+    BIO_free(in);
+    BIO_free_all(out);
+    DSA_free(dsa);
+    return (ret);
 }
 
 static int dsa_cb(int p, int n, BN_GENCB *cb)

apps/ec.c

@@ -1,4 +1,3 @@
-/* apps/ec.c */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -67,198 +66,145 @@
 # include <openssl/evp.h>
 # include <openssl/pem.h>
 
-# undef PROG
-# define PROG    ec_main
+static OPT_PAIR conv_forms[] = {
+    {"compressed", POINT_CONVERSION_COMPRESSED},
+    {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
+    {"hybrid", POINT_CONVERSION_HYBRID},
+    {NULL}
+};
 
-/*-
- * -inform arg    - input format - default PEM (one of DER, NET or PEM)
- * -outform arg   - output format - default PEM
- * -in arg        - input file - default stdin
- * -out arg       - output file - default stdout
- * -des           - encrypt output if PEM format with DES in cbc mode
- * -text          - print a text version
- * -param_out     - print the elliptic curve parameters
- * -conv_form arg - specifies the point encoding form
- * -param_enc arg - specifies the parameter encoding
- */
+static OPT_PAIR param_enc[] = {
+    {"named_curve", OPENSSL_EC_NAMED_CURVE},
+    {"explicit", 0},
+    {NULL}
+};
 
-int MAIN(int, char **);
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
+    OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
+    OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER
+} OPTION_CHOICE;
 
-int MAIN(int argc, char **argv)
+OPTIONS ec_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+    {"noout", OPT_NOOUT, '-', "Don't print key out"},
+    {"text", OPT_TEXT, '-', "Print the key"},
+    {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
+    {"pubin", OPT_PUBIN, '-'},
+    {"pubout", OPT_PUBOUT, '-'},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+    {"param_enc", OPT_PARAM_ENC, 's',
+     "Specifies the way the ec parameters are encoded"},
+    {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
+    {"", OPT_CIPHER, '-', "Any supported cipher"},
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+    {NULL}
+};
+
+int ec_main(int argc, char **argv)
 {
-    int ret = 1;
+    BIO *in = NULL, *out = NULL;
     EC_KEY *eckey = NULL;
     const EC_GROUP *group;
-    int i, badops = 0;
     const EVP_CIPHER *enc = NULL;
-    BIO *in = NULL, *out = NULL;
-    int informat, outformat, text = 0, noout = 0;
-    int pubin = 0, pubout = 0, param_out = 0;
-    char *infile, *outfile, *prog, *engine;
-    char *passargin = NULL, *passargout = NULL;
-    char *passin = NULL, *passout = NULL;
     point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
-    int new_form = 0;
-    int asn1_flag = OPENSSL_EC_NAMED_CURVE;
-    int new_asn1_flag = 0;
+    char *infile = NULL, *outfile = NULL, *prog;
+    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
+    OPTION_CHOICE o;
+    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
+    int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    engine = NULL;
-    infile = NULL;
-    outfile = NULL;
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-passin") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passargin = *(++argv);
-        } else if (strcmp(*argv, "-passout") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passargout = *(++argv);
-        } else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        } else if (strcmp(*argv, "-noout") == 0)
+    prog = opt_init(argc, argv, ec_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(ec_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_NOOUT:
             noout = 1;
-        else if (strcmp(*argv, "-text") == 0)
+            break;
+        case OPT_TEXT:
             text = 1;
-        else if (strcmp(*argv, "-conv_form") == 0) {
-            if (--argc < 1)
-                goto bad;
-            ++argv;
-            new_form = 1;
-            if (strcmp(*argv, "compressed") == 0)
-                form = POINT_CONVERSION_COMPRESSED;
-            else if (strcmp(*argv, "uncompressed") == 0)
-                form = POINT_CONVERSION_UNCOMPRESSED;
-            else if (strcmp(*argv, "hybrid") == 0)
-                form = POINT_CONVERSION_HYBRID;
-            else
-                goto bad;
-        } else if (strcmp(*argv, "-param_enc") == 0) {
-            if (--argc < 1)
-                goto bad;
-            ++argv;
-            new_asn1_flag = 1;
-            if (strcmp(*argv, "named_curve") == 0)
-                asn1_flag = OPENSSL_EC_NAMED_CURVE;
-            else if (strcmp(*argv, "explicit") == 0)
-                asn1_flag = 0;
-            else
-                goto bad;
-        } else if (strcmp(*argv, "-param_out") == 0)
+            break;
+        case OPT_PARAM_OUT:
             param_out = 1;
-        else if (strcmp(*argv, "-pubin") == 0)
+            break;
+        case OPT_PUBIN:
             pubin = 1;
-        else if (strcmp(*argv, "-pubout") == 0)
+            break;
+        case OPT_PUBOUT:
             pubout = 1;
-        else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
+        case OPT_PASSOUT:
+            passoutarg = opt_arg();
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
+            break;
+        case OPT_CIPHER:
+            if (!opt_cipher(opt_unknown(), &enc))
+                goto opthelp;
+            break;
+        case OPT_CONV_FORM:
+            if (!opt_pair(opt_arg(), conv_forms, &i))
+                goto opthelp;
+            new_form = 1;
+            form = i;
+            break;
+        case OPT_PARAM_ENC:
+            if (!opt_pair(opt_arg(), param_enc, &i))
+                goto opthelp;
+            new_asn1_flag = 1;
+            asn1_flag = i;
             break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = param_out || pubin || pubout ? 0 : 1;
+    if (text && !pubin)
+        private = 1;
 
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg     input format - "
-                   "DER or PEM\n");
-        BIO_printf(bio_err, " -outform arg    output format - "
-                   "DER or PEM\n");
-        BIO_printf(bio_err, " -in arg         input file\n");
-        BIO_printf(bio_err, " -passin arg     input file pass "
-                   "phrase source\n");
-        BIO_printf(bio_err, " -out arg        output file\n");
-        BIO_printf(bio_err, " -passout arg    output file pass "
-                   "phrase source\n");
-        BIO_printf(bio_err, " -engine e       use engine e, "
-                   "possibly a hardware device.\n");
-        BIO_printf(bio_err, " -des            encrypt PEM output, "
-                   "instead of 'des' every other \n"
-                   "                 cipher "
-                   "supported by OpenSSL can be used\n");
-        BIO_printf(bio_err, " -text           print the key\n");
-        BIO_printf(bio_err, " -noout          don't print key out\n");
-        BIO_printf(bio_err, " -param_out      print the elliptic "
-                   "curve parameters\n");
-        BIO_printf(bio_err, " -conv_form arg  specifies the "
-                   "point conversion form \n");
-        BIO_printf(bio_err, "                 possible values:"
-                   " compressed\n");
-        BIO_printf(bio_err, "                                 "
-                   " uncompressed (default)\n");
-        BIO_printf(bio_err, "                                  " " hybrid\n");
-        BIO_printf(bio_err, " -param_enc arg  specifies the way"
-                   " the ec parameters are encoded\n");
-        BIO_printf(bio_err, "                 in the asn1 der " "encoding\n");
-        BIO_printf(bio_err, "                 possible values:"
-                   " named_curve (default)\n");
-        BIO_printf(bio_err, "                                  "
-                   "explicit\n");
-        goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-# ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-# endif
-
-    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
         BIO_printf(bio_err, "Error getting passwords\n");
         goto end;
     }
 
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
+    in = bio_open_default(infile, 'r', informat);
+    if (in == NULL)
         goto end;
-    }
-
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0) {
-            perror(infile);
-            goto end;
-        }
-    }
 
     BIO_printf(bio_err, "read EC key\n");
     if (informat == FORMAT_ASN1) {
@@ -266,14 +212,11 @@ int MAIN(int argc, char **argv)
             eckey = d2i_EC_PUBKEY_bio(in, NULL);
         else
             eckey = d2i_ECPrivateKey_bio(in, NULL);
-    } else if (informat == FORMAT_PEM) {
+    } else {
         if (pubin)
             eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL);
         else
             eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin);
-    } else {
-        BIO_printf(bio_err, "bad input format specified for key\n");
-        goto end;
     }
     if (eckey == NULL) {
         BIO_printf(bio_err, "unable to load Key\n");
@@ -281,20 +224,9 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
 
     group = EC_KEY_get0_group(eckey);
 
@@ -304,12 +236,14 @@ int MAIN(int argc, char **argv)
     if (new_asn1_flag)
         EC_KEY_set_asn1_flag(eckey, asn1_flag);
 
-    if (text)
+    if (text) {
+        assert(pubin || private);
         if (!EC_KEY_print(out, eckey, 0)) {
             perror(outfile);
             ERR_print_errors(bio_err);
             goto end;
         }
+    }
 
     if (noout) {
         ret = 0;
@@ -322,19 +256,20 @@ int MAIN(int argc, char **argv)
             i = i2d_ECPKParameters_bio(out, group);
         else if (pubin || pubout)
             i = i2d_EC_PUBKEY_bio(out, eckey);
-        else
+        else {
+            assert(private);
             i = i2d_ECPrivateKey_bio(out, eckey);
-    } else if (outformat == FORMAT_PEM) {
+        }
+    } else {
         if (param_out)
             i = PEM_write_bio_ECPKParameters(out, group);
         else if (pubin || pubout)
             i = PEM_write_bio_EC_PUBKEY(out, eckey);
-        else
+        else {
+            assert(private);
             i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
                                            NULL, 0, NULL, passout);
-    } else {
-        BIO_printf(bio_err, "bad output format specified for " "outfile\n");
-        goto end;
+        }
     }
 
     if (!i) {
@@ -343,18 +278,12 @@ int MAIN(int argc, char **argv)
     } else
         ret = 0;
  end:
-    if (in)
-        BIO_free(in);
-    if (out)
-        BIO_free_all(out);
-    if (eckey)
-        EC_KEY_free(eckey);
-    if (passin)
-        OPENSSL_free(passin);
-    if (passout)
-        OPENSSL_free(passout);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    BIO_free(in);
+    BIO_free_all(out);
+    EC_KEY_free(eckey);
+    OPENSSL_free(passin);
+    OPENSSL_free(passout);
+    return (ret);
 }
 #else                           /* !OPENSSL_NO_EC */
 

apps/ecparam.c

@@ -1,4 +1,3 @@
-/* apps/ecparam.c */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -71,7 +70,6 @@
 
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_EC
-# include <assert.h>
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -84,249 +82,157 @@
 # include <openssl/x509.h>
 # include <openssl/pem.h>
 
-# undef PROG
-# define PROG    ecparam_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
+    OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
+    OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_RAND, OPT_ENGINE
+} OPTION_CHOICE;
 
-/*-
- * -inform arg      - input format - default PEM (DER or PEM)
- * -outform arg     - output format - default PEM
- * -in  arg         - input file  - default stdin
- * -out arg         - output file - default stdout
- * -noout           - do not print the ec parameter
- * -text            - print the ec parameters in text form
- * -check           - validate the ec parameters
- * -C               - print a 'C' function creating the parameters
- * -name arg        - use the ec parameters with 'short name' name
- * -list_curves     - prints a list of all currently available curve 'short names'
- * -conv_form arg   - specifies the point conversion form
- *                  - possible values: compressed
- *                                     uncompressed (default)
- *                                     hybrid
- * -param_enc arg   - specifies the way the ec parameters are encoded
- *                    in the asn1 der encoding
- *                    possible values: named_curve (default)
- *                                     explicit
- * -no_seed         - if 'explicit' parameters are chosen do not use the seed
- * -genkey          - generate ec key
- * -rand file       - files to use for random number input
- * -engine e        - use engine e, possibly a hardware device
- */
+OPTIONS ecparam_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
+    {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
+    {"in", OPT_IN, '<', "Input file  - default stdin"},
+    {"out", OPT_OUT, '>', "Output file - default stdout"},
+    {"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
+    {"C", OPT_C, '-', "Print a 'C' function creating the parameters"},
+    {"check", OPT_CHECK, '-', "Validate the ec parameters"},
+    {"list_curves", OPT_LIST_CURVES, '-',
+     "Prints a list of all curve 'short names'"},
+    {"no_seed", OPT_NO_SEED, '-',
+     "If 'explicit' parameters are chosen do not use the seed"},
+    {"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
+    {"name", OPT_NAME, 's',
+     "Use the ec parameters with specified 'short name'"},
+    {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
+    {"param_enc", OPT_PARAM_ENC, 's',
+     "Specifies the way the ec parameters are encoded"},
+    {"genkey", OPT_GENKEY, '-', "Generate ec key"},
+    {"rand", OPT_RAND, 's', "Files to use for random number input"},
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+    {NULL}
+};
 
-static int ecparam_print_var(BIO *, BIGNUM *, const char *, int,
-                             unsigned char *);
+static OPT_PAIR forms[] = {
+    {"compressed", POINT_CONVERSION_COMPRESSED},
+    {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
+    {"hybrid", POINT_CONVERSION_HYBRID},
+    {NULL}
+};
 
-int MAIN(int, char **);
+static OPT_PAIR encodings[] = {
+    {"named_curve", OPENSSL_EC_NAMED_CURVE},
+    {"explicit", 0},
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int ecparam_main(int argc, char **argv)
 {
+    BIGNUM *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
+    BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL;
+    BIO *in = NULL, *out = NULL;
     EC_GROUP *group = NULL;
     point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
-    int new_form = 0;
-    int asn1_flag = OPENSSL_EC_NAMED_CURVE;
-    int new_asn1_flag = 0;
     char *curve_name = NULL, *inrand = NULL;
-    int list_curves = 0, no_seed = 0, check = 0,
-        badops = 0, text = 0, i, need_rand = 0, genkey = 0;
     char *infile = NULL, *outfile = NULL, *prog;
-    BIO *in = NULL, *out = NULL;
-    int informat, outformat, noout = 0, C = 0, ret = 1;
-    char *engine = NULL;
-
-    BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
-        *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
     unsigned char *buffer = NULL;
+    OPTION_CHOICE o;
+    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
+    int ret = 1, private = 0;
+    int list_curves = 0, no_seed = 0, check = 0, new_form = 0;
+    int text = 0, i, need_rand = 0, genkey = 0;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-text") == 0)
+    prog = opt_init(argc, argv, ecparam_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(ecparam_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_TEXT:
             text = 1;
-        else if (strcmp(*argv, "-C") == 0)
+            break;
+        case OPT_C:
             C = 1;
-        else if (strcmp(*argv, "-check") == 0)
+            break;
+        case OPT_CHECK:
             check = 1;
-        else if (strcmp(*argv, "-name") == 0) {
-            if (--argc < 1)
-                goto bad;
-            curve_name = *(++argv);
-        } else if (strcmp(*argv, "-list_curves") == 0)
+            break;
+        case OPT_LIST_CURVES:
             list_curves = 1;
-        else if (strcmp(*argv, "-conv_form") == 0) {
-            if (--argc < 1)
-                goto bad;
-            ++argv;
-            new_form = 1;
-            if (strcmp(*argv, "compressed") == 0)
-                form = POINT_CONVERSION_COMPRESSED;
-            else if (strcmp(*argv, "uncompressed") == 0)
-                form = POINT_CONVERSION_UNCOMPRESSED;
-            else if (strcmp(*argv, "hybrid") == 0)
-                form = POINT_CONVERSION_HYBRID;
-            else
-                goto bad;
-        } else if (strcmp(*argv, "-param_enc") == 0) {
-            if (--argc < 1)
-                goto bad;
-            ++argv;
-            new_asn1_flag = 1;
-            if (strcmp(*argv, "named_curve") == 0)
-                asn1_flag = OPENSSL_EC_NAMED_CURVE;
-            else if (strcmp(*argv, "explicit") == 0)
-                asn1_flag = 0;
-            else
-                goto bad;
-        } else if (strcmp(*argv, "-no_seed") == 0)
+            break;
+        case OPT_NO_SEED:
             no_seed = 1;
-        else if (strcmp(*argv, "-noout") == 0)
+            break;
+        case OPT_NOOUT:
             noout = 1;
-        else if (strcmp(*argv, "-genkey") == 0) {
-            genkey = 1;
+            break;
+        case OPT_NAME:
+            curve_name = opt_arg();
+            break;
+        case OPT_CONV_FORM:
+            if (!opt_pair(opt_arg(), forms, &new_form))
+                goto opthelp;
+            form = new_form;
+            new_form = 1;
+            break;
+        case OPT_PARAM_ENC:
+            if (!opt_pair(opt_arg(), encodings, &asn1_flag))
+                goto opthelp;
+            new_asn1_flag = 1;
+            break;
+        case OPT_GENKEY:
+            genkey = need_rand = 1;
+            break;
+        case OPT_RAND:
+            inrand = opt_arg();
             need_rand = 1;
-        } else if (strcmp(*argv, "-rand") == 0) {
-            if (--argc < 1)
-                goto bad;
-            inrand = *(++argv);
-            need_rand = 1;
-        } else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        } else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
             break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = genkey ? 1 : 0;
 
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg       input format - "
-                   "default PEM (DER or PEM)\n");
-        BIO_printf(bio_err, " -outform arg      output format - "
-                   "default PEM\n");
-        BIO_printf(bio_err, " -in  arg          input file  - "
-                   "default stdin\n");
-        BIO_printf(bio_err, " -out arg          output file - "
-                   "default stdout\n");
-        BIO_printf(bio_err, " -noout            do not print the "
-                   "ec parameter\n");
-        BIO_printf(bio_err, " -text             print the ec "
-                   "parameters in text form\n");
-        BIO_printf(bio_err, " -check            validate the ec "
-                   "parameters\n");
-        BIO_printf(bio_err, " -C                print a 'C' "
-                   "function creating the parameters\n");
-        BIO_printf(bio_err, " -name arg         use the "
-                   "ec parameters with 'short name' name\n");
-        BIO_printf(bio_err, " -list_curves      prints a list of "
-                   "all currently available curve 'short names'\n");
-        BIO_printf(bio_err, " -conv_form arg    specifies the "
-                   "point conversion form \n");
-        BIO_printf(bio_err, "                   possible values:"
-                   " compressed\n");
-        BIO_printf(bio_err, "                                   "
-                   " uncompressed (default)\n");
-        BIO_printf(bio_err, "                                   "
-                   " hybrid\n");
-        BIO_printf(bio_err, " -param_enc arg    specifies the way"
-                   " the ec parameters are encoded\n");
-        BIO_printf(bio_err, "                   in the asn1 der "
-                   "encoding\n");
-        BIO_printf(bio_err, "                   possible values:"
-                   " named_curve (default)\n");
-        BIO_printf(bio_err, "                                   "
-                   " explicit\n");
-        BIO_printf(bio_err, " -no_seed          if 'explicit'"
-                   " parameters are chosen do not" " use the seed\n");
-        BIO_printf(bio_err, " -genkey           generate ec" " key\n");
-        BIO_printf(bio_err, " -rand file        files to use for"
-                   " random number input\n");
-        BIO_printf(bio_err, " -engine e         use engine e, "
-                   "possibly a hardware device\n");
+    in = bio_open_default(infile, 'r', informat);
+    if (in == NULL)
         goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
         goto end;
-    }
-
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0) {
-            perror(infile);
-            goto end;
-        }
-    }
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
-
-# ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-# endif
 
     if (list_curves) {
         EC_builtin_curve *curves = NULL;
-        size_t crv_len = 0;
-        size_t n = 0;
-
-        crv_len = EC_get_builtin_curves(NULL, 0);
-
-        curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len));
-
-        if (curves == NULL)
-            goto end;
+        size_t crv_len = EC_get_builtin_curves(NULL, 0);
+        size_t n;
 
+        curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
         if (!EC_get_builtin_curves(curves, crv_len)) {
             OPENSSL_free(curves);
             goto end;
@@ -359,11 +265,11 @@ int MAIN(int argc, char **argv)
          * are the same as the curves prime192v1 and prime256v1 defined in
          * X9.62)
          */
-        if (!strcmp(curve_name, "secp192r1")) {
+        if (strcmp(curve_name, "secp192r1") == 0) {
             BIO_printf(bio_err, "using curve name prime192v1 "
                        "instead of secp192r1\n");
             nid = NID_X9_62_prime192v1;
-        } else if (!strcmp(curve_name, "secp256r1")) {
+        } else if (strcmp(curve_name, "secp256r1") == 0) {
             BIO_printf(bio_err, "using curve name prime256v1 "
                        "instead of secp256r1\n");
             nid = NID_X9_62_prime256v1;
@@ -385,15 +291,10 @@ int MAIN(int argc, char **argv)
         }
         EC_GROUP_set_asn1_flag(group, asn1_flag);
         EC_GROUP_set_point_conversion_form(group, form);
-    } else if (informat == FORMAT_ASN1) {
+    } else if (informat == FORMAT_ASN1)
         group = d2i_ECPKParameters_bio(in, NULL);
-    } else if (informat == FORMAT_PEM) {
+    else
         group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
-    } else {
-        BIO_printf(bio_err, "bad input format specified\n");
-        goto end;
-    }
-
     if (group == NULL) {
         BIO_printf(bio_err, "unable to load elliptic curve parameters\n");
         ERR_print_errors(bio_err);
@@ -416,14 +317,13 @@ int MAIN(int argc, char **argv)
     }
 
     if (check) {
-        if (group == NULL)
-            BIO_printf(bio_err, "no elliptic curve parameters\n");
         BIO_printf(bio_err, "checking elliptic curve parameters: ");
         if (!EC_GROUP_check(group, NULL)) {
             BIO_printf(bio_err, "failed\n");
             ERR_print_errors(bio_err);
-        } else
-            BIO_printf(bio_err, "ok\n");
+            goto end;
+        }
+        BIO_printf(bio_err, "ok\n");
 
     }
 
@@ -433,24 +333,25 @@ int MAIN(int argc, char **argv)
         int is_prime, len = 0;
         const EC_METHOD *meth = EC_GROUP_method_of(group);
 
-        if ((ec_p = BN_new()) == NULL || (ec_a = BN_new()) == NULL ||
-            (ec_b = BN_new()) == NULL || (ec_gen = BN_new()) == NULL ||
-            (ec_order = BN_new()) == NULL ||
-            (ec_cofactor = BN_new()) == NULL) {
-            perror("OPENSSL_malloc");
+        if ((ec_p = BN_new()) == NULL
+                || (ec_a = BN_new()) == NULL
+                || (ec_b = BN_new()) == NULL
+                || (ec_gen = BN_new()) == NULL
+                || (ec_order = BN_new()) == NULL
+                || (ec_cofactor = BN_new()) == NULL) {
+            perror("Can't allocate BN");
             goto end;
         }
 
         is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
-
-        if (is_prime) {
-            if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a, ec_b, NULL))
-                goto end;
-        } else {
-            /* TODO */
+        if (!is_prime) {
+            BIO_printf(bio_err, "Can only handle X9.62 prime fields\n");
             goto end;
         }
 
+        if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a, ec_b, NULL))
+            goto end;
+
         if ((point = EC_GROUP_get0_generator(group)) == NULL)
             goto end;
         if (!EC_POINT_point2bn(group, point,
@@ -480,84 +381,64 @@ int MAIN(int argc, char **argv)
         if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len)
             buf_len = tmp_len;
 
-        buffer = (unsigned char *)OPENSSL_malloc(buf_len);
+        buffer = app_malloc(buf_len, "BN buffer");
 
-        if (buffer == NULL) {
-            perror("OPENSSL_malloc");
-            goto end;
-        }
+        BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n{\n", len);
+        print_bignum_var(out, ec_p, "ec_p", len, buffer);
+        print_bignum_var(out, ec_a, "ec_a", len, buffer);
+        print_bignum_var(out, ec_b, "ec_b", len, buffer);
+        print_bignum_var(out, ec_gen, "ec_gen", len, buffer);
+        print_bignum_var(out, ec_order, "ec_order", len, buffer);
+        print_bignum_var(out, ec_cofactor, "ec_cofactor", len, buffer);
+        BIO_printf(out, "    int ok = 0;\n"
+                        "    EC_GROUP *group = NULL;\n"
+                        "    EC_POINT *point = NULL;\n"
+                        "    BIGNUM *tmp_1 = NULL;\n"
+                        "    BIGNUM *tmp_2 = NULL;\n"
+                        "    BIGNUM *tmp_3 = NULL;\n"
+                        "\n");
 
-        ecparam_print_var(out, ec_p, "ec_p", len, buffer);
-        ecparam_print_var(out, ec_a, "ec_a", len, buffer);
-        ecparam_print_var(out, ec_b, "ec_b", len, buffer);
-        ecparam_print_var(out, ec_gen, "ec_gen", len, buffer);
-        ecparam_print_var(out, ec_order, "ec_order", len, buffer);
-        ecparam_print_var(out, ec_cofactor, "ec_cofactor", len, buffer);
-
-        BIO_printf(out, "\n\n");
-
-        BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n\t{\n", len);
-        BIO_printf(out, "\tint ok=0;\n");
-        BIO_printf(out, "\tEC_GROUP *group = NULL;\n");
-        BIO_printf(out, "\tEC_POINT *point = NULL;\n");
-        BIO_printf(out, "\tBIGNUM   *tmp_1 = NULL, *tmp_2 = NULL, "
-                   "*tmp_3 = NULL;\n\n");
-        BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_p_%d, "
-                   "sizeof(ec_p_%d), NULL)) == NULL)\n\t\t"
-                   "goto err;\n", len, len);
-        BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_a_%d, "
-                   "sizeof(ec_a_%d), NULL)) == NULL)\n\t\t"
-                   "goto err;\n", len, len);
-        BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_b_%d, "
-                   "sizeof(ec_b_%d), NULL)) == NULL)\n\t\t"
-                   "goto err;\n", len, len);
-        if (is_prime) {
-            BIO_printf(out, "\tif ((group = EC_GROUP_new_curve_"
-                       "GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)"
-                       "\n\t\tgoto err;\n\n");
-        } else {
-            /* TODO */
-            goto end;
-        }
-        BIO_printf(out, "\t/* build generator */\n");
-        BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_gen_%d, "
-                   "sizeof(ec_gen_%d), tmp_1)) == NULL)"
-                   "\n\t\tgoto err;\n", len, len);
-        BIO_printf(out, "\tpoint = EC_POINT_bn2point(group, tmp_1, "
-                   "NULL, NULL);\n");
-        BIO_printf(out, "\tif (point == NULL)\n\t\tgoto err;\n");
-        BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_order_%d, "
-                   "sizeof(ec_order_%d), tmp_2)) == NULL)"
-                   "\n\t\tgoto err;\n", len, len);
-        BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_cofactor_%d, "
-                   "sizeof(ec_cofactor_%d), tmp_3)) == NULL)"
-                   "\n\t\tgoto err;\n", len, len);
-        BIO_printf(out, "\tif (!EC_GROUP_set_generator(group, point,"
-                   " tmp_2, tmp_3))\n\t\tgoto err;\n");
-        BIO_printf(out, "\n\tok=1;\n");
-        BIO_printf(out, "err:\n");
-        BIO_printf(out, "\tif (tmp_1)\n\t\tBN_free(tmp_1);\n");
-        BIO_printf(out, "\tif (tmp_2)\n\t\tBN_free(tmp_2);\n");
-        BIO_printf(out, "\tif (tmp_3)\n\t\tBN_free(tmp_3);\n");
-        BIO_printf(out, "\tif (point)\n\t\tEC_POINT_free(point);\n");
-        BIO_printf(out, "\tif (!ok)\n");
-        BIO_printf(out, "\t\t{\n");
-        BIO_printf(out, "\t\tEC_GROUP_free(group);\n");
-        BIO_printf(out, "\t\tgroup = NULL;\n");
-        BIO_printf(out, "\t\t}\n");
-        BIO_printf(out, "\treturn(group);\n\t}\n");
+        BIO_printf(out, "    if ((tmp_1 = BN_bin2bn(ec_p_%d, sizeof (ec_p_%d), NULL)) == NULL)\n"
+                        "        goto err;\n", len, len);
+        BIO_printf(out, "    if ((tmp_2 = BN_bin2bn(ec_a_%d, sizeof (ec_a_%d), NULL)) == NULL)\n"
+                        "        goto err;\n", len, len);
+        BIO_printf(out, "    if ((tmp_3 = BN_bin2bn(ec_b_%d, sizeof (ec_b_%d), NULL)) == NULL)\n"
+                        "        goto err;\n", len, len);
+        BIO_printf(out, "    if ((group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)\n"
+                        "        goto err;\n"
+                        "\n");
+        BIO_printf(out, "    /* build generator */\n");
+        BIO_printf(out, "    if ((tmp_1 = BN_bin2bn(ec_gen_%d, sizeof (ec_gen_%d), tmp_1)) == NULL)\n"
+                        "        goto err;\n", len, len);
+        BIO_printf(out, "    point = EC_POINT_bn2point(group, tmp_1, NULL, NULL);\n");
+        BIO_printf(out, "    if (point == NULL)\n"
+                        "        goto err;\n");
+        BIO_printf(out, "    if ((tmp_2 = BN_bin2bn(ec_order_%d, sizeof (ec_order_%d), tmp_2)) == NULL)\n"
+                        "        goto err;\n", len, len);
+        BIO_printf(out, "    if ((tmp_3 = BN_bin2bn(ec_cofactor_%d, sizeof (ec_cofactor_%d), tmp_3)) == NULL)\n"
+                        "        goto err;\n", len, len);
+        BIO_printf(out, "    if (!EC_GROUP_set_generator(group, point, tmp_2, tmp_3))\n"
+                        "        goto err;\n"
+                        "ok = 1;"
+                        "\n");
+        BIO_printf(out, "err:\n"
+                        "    BN_free(tmp_1);\n"
+                        "    BN_free(tmp_2);\n"
+                        "    BN_free(tmp_3);\n"
+                        "    EC_POINT_free(point);\n"
+                        "    if (!ok) {\n"
+                        "        EC_GROUP_free(group);\n"
+                        "        return NULL;\n"
+                        "    }\n"
+                        "    return (group);\n"
+                        "}\n");
     }
 
     if (!noout) {
         if (outformat == FORMAT_ASN1)
             i = i2d_ECPKParameters_bio(out, group);
-        else if (outformat == FORMAT_PEM)
+        else
             i = PEM_write_bio_ECPKParameters(out, group);
-        else {
-            BIO_printf(bio_err, "bad output format specified for"
-                       " outfile\n");
-            goto end;
-        }
         if (!i) {
             BIO_printf(bio_err, "unable to write elliptic "
                        "curve parameters\n");
@@ -567,7 +448,7 @@ int MAIN(int argc, char **argv)
     }
 
     if (need_rand) {
-        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+        app_RAND_load_file(NULL, (inrand != NULL));
         if (inrand != NULL)
             BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                        app_RAND_load_files(inrand));
@@ -588,71 +469,33 @@ int MAIN(int argc, char **argv)
             EC_KEY_free(eckey);
             goto end;
         }
+        assert(private);
         if (outformat == FORMAT_ASN1)
             i = i2d_ECPrivateKey_bio(out, eckey);
-        else if (outformat == FORMAT_PEM)
+        else
             i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
                                            NULL, 0, NULL, NULL);
-        else {
-            BIO_printf(bio_err, "bad output format specified "
-                       "for outfile\n");
-            EC_KEY_free(eckey);
-            goto end;
-        }
         EC_KEY_free(eckey);
     }
 
     if (need_rand)
-        app_RAND_write_file(NULL, bio_err);
+        app_RAND_write_file(NULL);
 
     ret = 0;
  end:
-    if (ec_p)
-        BN_free(ec_p);
-    if (ec_a)
-        BN_free(ec_a);
-    if (ec_b)
-        BN_free(ec_b);
-    if (ec_gen)
-        BN_free(ec_gen);
-    if (ec_order)
-        BN_free(ec_order);
-    if (ec_cofactor)
-        BN_free(ec_cofactor);
-    if (buffer)
-        OPENSSL_free(buffer);
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (group != NULL)
-        EC_GROUP_free(group);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    BN_free(ec_p);
+    BN_free(ec_a);
+    BN_free(ec_b);
+    BN_free(ec_gen);
+    BN_free(ec_order);
+    BN_free(ec_cofactor);
+    OPENSSL_free(buffer);
+    BIO_free(in);
+    BIO_free_all(out);
+    EC_GROUP_free(group);
+    return (ret);
 }
 
-static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var,
-                             int len, unsigned char *buffer)
-{
-    BIO_printf(out, "static unsigned char %s_%d[] = {", var, len);
-    if (BN_is_zero(in))
-        BIO_printf(out, "\n\t0x00");
-    else {
-        int i, l;
-
-        l = BN_bn2bin(in, buffer);
-        for (i = 0; i < l - 1; i++) {
-            if ((i % 12) == 0)
-                BIO_printf(out, "\n\t");
-            BIO_printf(out, "0x%02X,", buffer[i]);
-        }
-        if ((i % 12) == 0)
-            BIO_printf(out, "\n\t");
-        BIO_printf(out, "0x%02X", buffer[i]);
-    }
-    BIO_printf(out, "\n\t};\n\n");
-    return 1;
-}
 #else                           /* !OPENSSL_NO_EC */
 
 # if PEDANTIC

apps/enc.c

@@ -1,4 +1,3 @@
-/* apps/enc.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,6 +58,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -72,322 +72,256 @@
 #endif
 #include <ctype.h>
 
-int set_hex(char *in, unsigned char *out, int size);
 #undef SIZE
 #undef BSIZE
-#undef PROG
-
 #define SIZE    (512)
 #define BSIZE   (8*1024)
-#define PROG    enc_main
 
-static void show_ciphers(const OBJ_NAME *name, void *bio_)
-{
-    BIO *bio = bio_;
-    static int n;
-
-    if (!islower((unsigned char)*name->name))
-        return;
-
-    BIO_printf(bio, "-%-25s", name->name);
-    if (++n == 3) {
-        BIO_printf(bio, "\n");
-        n = 0;
-    } else
-        BIO_printf(bio, " ");
-}
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+static int set_hex(char *in, unsigned char *out, int size);
+static void show_ciphers(const OBJ_NAME *name, void *bio_);
+
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
+    OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
+    OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
+    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_CIPHER
+} OPTION_CHOICE;
+
+OPTIONS enc_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"pass", OPT_PASS, 's', "Passphrase source"},
+    {"e", OPT_E, '-', "Encrypt"},
+    {"d", OPT_D, '-', "Decrypt"},
+    {"p", OPT_P, '-', "Print the iv/key"},
+    {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
+    {"v", OPT_V, '-'},
+    {"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
+    {"salt", OPT_SALT, '-'},
+    {"nosalt", OPT_NOSALT, '-'},
+    {"debug", OPT_DEBUG, '-'},
+    {"A", OPT_UPPER_A, '-'},
+    {"a", OPT_A, '-', "base64 encode/decode, depending on encryption flag"},
+    {"base64", OPT_A, '-', "Base64 output as a single line"},
+    {"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
+    {"k", OPT_K, 's', "Passphrase"},
+    {"kfile", OPT_KFILE, '<', "Fead passphrase from file"},
+    {"K", OPT_UPPER_K, 's', "Raw key, in hex"},
+    {"S", OPT_UPPER_S, 's', "Salt, in hex"},
+    {"iv", OPT_IV, 's', "IV in hex"},
+    {"md", OPT_MD, 's', "Use specified digest to create key from passphrase"},
+    {"none", OPT_NONE, '-', "Don't encrypt"},
+    {"", OPT_CIPHER, '-', "Any supported cipher"},
+#ifdef ZLIB
+    {"z", OPT_Z, '-', "Use zlib as the 'encryption'"},
+#endif
+#ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+    {NULL}
+};
+
+int enc_main(int argc, char **argv)
 {
+    static char buf[128];
     static const char magic[] = "Salted__";
+    BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
+        NULL, *wbio = NULL;
+    EVP_CIPHER_CTX *ctx = NULL;
+    const EVP_CIPHER *cipher = NULL, *c;
+    const EVP_MD *dgst = NULL;
+    char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
+    char *infile = NULL, *outfile = NULL, *prog;
+    char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
     char mbuf[sizeof magic - 1];
-    char *strbuf = NULL;
-    unsigned char *buff = NULL, *bufsize = NULL;
-    int bsize = BSIZE, verbose = 0;
-    int ret = 1, inl;
-    int nopad = 0;
+    OPTION_CHOICE o;
+    int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0;
+    int enc = 1, printkey = 0, i, k;
+    int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY;
+    int ret = 1, inl, nopad = 0;
     unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
-    unsigned char salt[PKCS5_SALT_LEN];
-    char *str = NULL, *passarg = NULL, *pass = NULL;
-    char *hkey = NULL, *hiv = NULL, *hsalt = NULL;
-    char *md = NULL;
-    int enc = 1, printkey = 0, i, base64 = 0;
+    unsigned char *buff = NULL, salt[PKCS5_SALT_LEN];
+    long n;
 #ifdef ZLIB
     int do_zlib = 0;
     BIO *bzl = NULL;
 #endif
-    int debug = 0, olb64 = 0, nosalt = 0;
-    const EVP_CIPHER *cipher = NULL, *c;
-    EVP_CIPHER_CTX *ctx = NULL;
-    char *inf = NULL, *outf = NULL;
-    BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
-        NULL, *wbio = NULL;
-#define PROG_NAME_SIZE  39
-    char pname[PROG_NAME_SIZE + 1];
-#ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-#endif
-    const EVP_MD *dgst = NULL;
-    int non_fips_allow = 0;
-
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
 
     /* first check the program name */
-    program_name(argv[0], pname, sizeof pname);
-    if (strcmp(pname, "base64") == 0)
+    prog = opt_progname(argv[0]);
+    if (strcmp(prog, "base64") == 0)
         base64 = 1;
 #ifdef ZLIB
-    if (strcmp(pname, "zlib") == 0)
+    else if (strcmp(prog, "zlib") == 0)
         do_zlib = 1;
 #endif
-
-    cipher = EVP_get_cipherbyname(pname);
-#ifdef ZLIB
-    if (!do_zlib && !base64 && (cipher == NULL)
-        && (strcmp(pname, "enc") != 0))
-#else
-    if (!base64 && (cipher == NULL) && (strcmp(pname, "enc") != 0))
-#endif
-    {
-        BIO_printf(bio_err, "%s is an unknown cipher\n", pname);
-        goto bad;
+    else {
+        cipher = EVP_get_cipherbyname(prog);
+        if (cipher == NULL && strcmp(prog, "enc") != 0) {
+            BIO_printf(bio_err, "%s is not a known cipher\n", prog);
+            goto end;
+        }
     }
 
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-e") == 0)
-            enc = 1;
-        else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            inf = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outf = *(++argv);
-        } else if (strcmp(*argv, "-pass") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passarg = *(++argv);
-        }
-#ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-#endif
-        else if (strcmp(*argv, "-d") == 0)
-            enc = 0;
-        else if (strcmp(*argv, "-p") == 0)
-            printkey = 1;
-        else if (strcmp(*argv, "-v") == 0)
-            verbose = 1;
-        else if (strcmp(*argv, "-nopad") == 0)
-            nopad = 1;
-        else if (strcmp(*argv, "-salt") == 0)
-            nosalt = 0;
-        else if (strcmp(*argv, "-nosalt") == 0)
-            nosalt = 1;
-        else if (strcmp(*argv, "-debug") == 0)
-            debug = 1;
-        else if (strcmp(*argv, "-P") == 0)
-            printkey = 2;
-        else if (strcmp(*argv, "-A") == 0)
-            olb64 = 1;
-        else if (strcmp(*argv, "-a") == 0)
-            base64 = 1;
-        else if (strcmp(*argv, "-base64") == 0)
-            base64 = 1;
-#ifdef ZLIB
-        else if (strcmp(*argv, "-z") == 0)
-            do_zlib = 1;
-#endif
-        else if (strcmp(*argv, "-bufsize") == 0) {
-            if (--argc < 1)
-                goto bad;
-            bufsize = (unsigned char *)*(++argv);
-        } else if (strcmp(*argv, "-k") == 0) {
-            if (--argc < 1)
-                goto bad;
-            str = *(++argv);
-        } else if (strcmp(*argv, "-kfile") == 0) {
-            static char buf[128];
-            FILE *infile;
-            char *file;
-
-            if (--argc < 1)
-                goto bad;
-            file = *(++argv);
-            infile = fopen(file, "r");
-            if (infile == NULL) {
-                BIO_printf(bio_err, "unable to read key from '%s'\n", file);
-                goto bad;
-            }
-            buf[0] = '\0';
-            if (!fgets(buf, sizeof buf, infile)) {
-                BIO_printf(bio_err, "unable to read key from '%s'\n", file);
-                goto bad;
-            }
-            fclose(infile);
-            i = strlen(buf);
-            if ((i > 0) && ((buf[i - 1] == '\n') || (buf[i - 1] == '\r')))
-                buf[--i] = '\0';
-            if ((i > 0) && ((buf[i - 1] == '\n') || (buf[i - 1] == '\r')))
-                buf[--i] = '\0';
-            if (i < 1) {
-                BIO_printf(bio_err, "zero length password\n");
-                goto bad;
-            }
-            str = buf;
-        } else if (strcmp(*argv, "-K") == 0) {
-            if (--argc < 1)
-                goto bad;
-            hkey = *(++argv);
-        } else if (strcmp(*argv, "-S") == 0) {
-            if (--argc < 1)
-                goto bad;
-            hsalt = *(++argv);
-        } else if (strcmp(*argv, "-iv") == 0) {
-            if (--argc < 1)
-                goto bad;
-            hiv = *(++argv);
-        } else if (strcmp(*argv, "-md") == 0) {
-            if (--argc < 1)
-                goto bad;
-            md = *(++argv);
-        } else if (strcmp(*argv, "-non-fips-allow") == 0)
-            non_fips_allow = 1;
-        else if ((argv[0][0] == '-') &&
-                 ((c = EVP_get_cipherbyname(&(argv[0][1]))) != NULL)) {
-            cipher = c;
-        } else if (strcmp(*argv, "-none") == 0)
-            cipher = NULL;
-        else {
-            BIO_printf(bio_err, "unknown option '%s'\n", *argv);
- bad:
-            BIO_printf(bio_err, "options are\n");
-            BIO_printf(bio_err, "%-14s input file\n", "-in <file>");
-            BIO_printf(bio_err, "%-14s output file\n", "-out <file>");
-            BIO_printf(bio_err, "%-14s pass phrase source\n", "-pass <arg>");
-            BIO_printf(bio_err, "%-14s encrypt\n", "-e");
-            BIO_printf(bio_err, "%-14s decrypt\n", "-d");
-            BIO_printf(bio_err,
-                       "%-14s base64 encode/decode, depending on encryption flag\n",
-                       "-a/-base64");
-            BIO_printf(bio_err, "%-14s passphrase is the next argument\n",
-                       "-k");
-            BIO_printf(bio_err,
-                       "%-14s passphrase is the first line of the file argument\n",
-                       "-kfile");
-            BIO_printf(bio_err,
-                       "%-14s the next argument is the md to use to create a key\n",
-                       "-md");
-            BIO_printf(bio_err,
-                       "%-14s   from a passphrase.  One of md2, md5, sha or sha1\n",
-                       "");
-            BIO_printf(bio_err, "%-14s salt in hex is the next argument\n",
-                       "-S");
-            BIO_printf(bio_err, "%-14s key/iv in hex is the next argument\n",
-                       "-K/-iv");
-            BIO_printf(bio_err, "%-14s print the iv/key (then exit if -P)\n",
-                       "-[pP]");
-            BIO_printf(bio_err, "%-14s buffer size\n", "-bufsize <n>");
-            BIO_printf(bio_err, "%-14s disable standard block padding\n",
-                       "-nopad");
-#ifndef OPENSSL_NO_ENGINE
-            BIO_printf(bio_err,
-                       "%-14s use engine e, possibly a hardware device.\n",
-                       "-engine e");
-#endif
-
+    prog = opt_init(argc, argv, enc_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(enc_options);
+            ret = 0;
             BIO_printf(bio_err, "Cipher Types\n");
             OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
                                    show_ciphers, bio_err);
             BIO_printf(bio_err, "\n");
-
             goto end;
-        }
-        argc--;
-        argv++;
-    }
-
-#ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
+        case OPT_E:
+            enc = 1;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_PASS:
+            passarg = opt_arg();
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
+            break;
+        case OPT_D:
+            enc = 0;
+            break;
+        case OPT_P:
+            printkey = 1;
+            break;
+        case OPT_V:
+            verbose = 1;
+            break;
+        case OPT_NOPAD:
+            nopad = 1;
+            break;
+        case OPT_SALT:
+            nosalt = 0;
+            break;
+        case OPT_NOSALT:
+            nosalt = 1;
+            break;
+        case OPT_DEBUG:
+            debug = 1;
+            break;
+        case OPT_UPPER_P:
+            printkey = 2;
+            break;
+        case OPT_UPPER_A:
+            olb64 = 1;
+            break;
+        case OPT_A:
+            base64 = 1;
+            break;
+        case OPT_Z:
+#ifdef ZLIB
+            do_zlib = 1;
 #endif
+            break;
+        case OPT_BUFSIZE:
+            p = opt_arg();
+            i = (int)strlen(p) - 1;
+            k = i >= 1 && p[i] == 'k';
+            if (k)
+                p[i] = '\0';
+            if (!opt_long(opt_arg(), &n)
+                    || n < 0 || (k && n >= LONG_MAX / 1024))
+                goto opthelp;
+            if (k)
+                n *= 1024;
+            bsize = (int)n;
+            break;
+        case OPT_K:
+            str = opt_arg();
+            break;
+        case OPT_KFILE:
+            in = bio_open_default(opt_arg(), 'r', FORMAT_TEXT);
+            if (in == NULL)
+                goto opthelp;
+            i = BIO_gets(in, buf, sizeof buf);
+            BIO_free(in);
+            in = NULL;
+            if (i <= 0) {
+                BIO_printf(bio_err,
+                           "%s Can't read key from %s\n", prog, opt_arg());
+                goto opthelp;
+            }
+            while (--i > 0 && (buf[i] == '\r' || buf[i] == '\n'))
+                buf[i] = '\0';
+            if (i <= 0) {
+                BIO_printf(bio_err, "%s: zero length password\n", prog);
+                goto opthelp;
+            }
+            str = buf;
+            break;
+        case OPT_UPPER_K:
+            hkey = opt_arg();
+            break;
+        case OPT_UPPER_S:
+            hsalt = opt_arg();
+            break;
+        case OPT_IV:
+            hiv = opt_arg();
+            break;
+        case OPT_MD:
+            if (!opt_md(opt_arg(), &dgst))
+                goto opthelp;
+            break;
+        case OPT_CIPHER:
+            if (!opt_cipher(opt_unknown(), &c))
+                goto opthelp;
+            cipher = c;
+            break;
+        case OPT_NONE:
+            cipher = NULL;
+            break;
+        }
+    }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
     if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
-        BIO_printf(bio_err,
-                   "AEAD ciphers not supported by the enc utility\n");
+        BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog);
         goto end;
     }
 
     if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) {
-        BIO_printf(bio_err,
-                   "Ciphers in XTS mode are not supported by the enc utility\n");
+        BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog);
         goto end;
     }
 
-    if (md && (dgst = EVP_get_digestbyname(md)) == NULL) {
-        BIO_printf(bio_err, "%s is an unsupported message digest type\n", md);
-        goto end;
+    if (dgst == NULL)
+        dgst = EVP_sha256();
+
+    /* It must be large enough for a base64 encoded line */
+    if (base64 && bsize < 80)
+        bsize = 80;
+    if (verbose)
+        BIO_printf(bio_err, "bufsize=%d\n", bsize);
+
+    if (base64) {
+        if (enc)
+            outformat = FORMAT_BASE64;
+        else
+            informat = FORMAT_BASE64;
     }
 
-    if (dgst == NULL) {
-        dgst = EVP_md5();
-    }
+    strbuf = app_malloc(SIZE, "strbuf");
+    buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");
 
-    if (bufsize != NULL) {
-        unsigned long n;
-
-        for (n = 0; *bufsize; bufsize++) {
-            i = *bufsize;
-            if ((i <= '9') && (i >= '0'))
-                n = n * 10 + i - '0';
-            else if (i == 'k') {
-                n *= 1024;
-                bufsize++;
-                break;
-            }
-        }
-        if (*bufsize != '\0') {
-            BIO_printf(bio_err, "invalid 'bufsize' specified.\n");
-            goto end;
-        }
-
-        /* It must be large enough for a base64 encoded line */
-        if (base64 && n < 80)
-            n = 80;
-
-        bsize = (int)n;
-        if (verbose)
-            BIO_printf(bio_err, "bufsize=%d\n", bsize);
-    }
-
-    strbuf = OPENSSL_malloc(SIZE);
-    buff = (unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize));
-    if ((buff == NULL) || (strbuf == NULL)) {
-        BIO_printf(bio_err, "OPENSSL_malloc failure %ld\n",
-                   (long)EVP_ENCODE_LENGTH(bsize));
-        goto end;
-    }
-
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
     if (debug) {
         BIO_set_callback(in, BIO_debug_callback);
         BIO_set_callback(out, BIO_debug_callback);
@@ -395,21 +329,16 @@ int MAIN(int argc, char **argv)
         BIO_set_callback_arg(out, (char *)bio_err);
     }
 
-    if (inf == NULL) {
-#ifndef OPENSSL_NO_SETVBUF_IONBF
-        if (bufsize != NULL)
-            setvbuf(stdin, (char *)NULL, _IONBF, 0);
-#endif                          /* ndef OPENSSL_NO_SETVBUF_IONBF */
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    } else {
-        if (BIO_read_filename(in, inf) <= 0) {
-            perror(inf);
-            goto end;
-        }
-    }
+    if (infile == NULL) {
+        unbuffer(stdin);
+        in = dup_bio_in(informat);
+    } else
+        in = bio_open_default(infile, 'r', informat);
+    if (in == NULL)
+        goto end;
 
     if (!str && passarg) {
-        if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
+        if (!app_passwd(passarg, NULL, &pass, NULL)) {
             BIO_printf(bio_err, "Error getting password\n");
             goto end;
         }
@@ -418,13 +347,13 @@ int MAIN(int argc, char **argv)
 
     if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) {
         for (;;) {
-            char buf[200];
+            char prompt[200];
 
-            BIO_snprintf(buf, sizeof buf, "enter %s %s password:",
+            BIO_snprintf(prompt, sizeof prompt, "enter %s %s password:",
                          OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
                          (enc) ? "encryption" : "decryption");
             strbuf[0] = '\0';
-            i = EVP_read_pw_string((char *)strbuf, SIZE, buf, enc);
+            i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
             if (i == 0) {
                 if (strbuf[0] == '\0') {
                     ret = 1;
@@ -440,30 +369,14 @@ int MAIN(int argc, char **argv)
         }
     }
 
-    if (outf == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-#ifndef OPENSSL_NO_SETVBUF_IONBF
-        if (bufsize != NULL)
-            setvbuf(stdout, (char *)NULL, _IONBF, 0);
-#endif                          /* ndef OPENSSL_NO_SETVBUF_IONBF */
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    } else {
-        if (BIO_write_filename(out, outf) <= 0) {
-            perror(outf);
-            goto end;
-        }
-    }
+    out = bio_open_default(outfile, 'w', outformat);
+    if (out == NULL)
+        goto end;
 
     rbio = in;
     wbio = out;
 
 #ifdef ZLIB
-
     if (do_zlib) {
         if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
             goto end;
@@ -509,7 +422,7 @@ int MAIN(int argc, char **argv)
                             BIO_printf(bio_err, "invalid hex salt value\n");
                             goto end;
                         }
-                    } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
+                    } else if (RAND_bytes(salt, sizeof salt) <= 0)
                         goto end;
                     /*
                      * If -P option then don't bother writing
@@ -552,9 +465,14 @@ int MAIN(int argc, char **argv)
             else
                 OPENSSL_cleanse(str, strlen(str));
         }
-        if ((hiv != NULL) && !set_hex(hiv, iv, sizeof iv)) {
-            BIO_printf(bio_err, "invalid hex iv value\n");
-            goto end;
+        if (hiv != NULL) {
+            int siz = EVP_CIPHER_iv_length(cipher);
+            if (siz == 0) {
+                BIO_printf(bio_err, "warning: iv not use by this cipher\n");
+            } else if (!set_hex(hiv, iv, sizeof iv)) {
+                BIO_printf(bio_err, "invalid hex iv value\n");
+                goto end;
+            }
         }
         if ((hiv == NULL) && (str == NULL)
             && EVP_CIPHER_iv_length(cipher) != 0) {
@@ -566,7 +484,7 @@ int MAIN(int argc, char **argv)
             BIO_printf(bio_err, "iv undefined\n");
             goto end;
         }
-        if ((hkey != NULL) && !set_hex(hkey, key, sizeof key)) {
+        if ((hkey != NULL) && !set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
             BIO_printf(bio_err, "invalid hex key value\n");
             goto end;
         }
@@ -581,9 +499,6 @@ int MAIN(int argc, char **argv)
 
         BIO_get_cipher_ctx(benc, &ctx);
 
-        if (non_fips_allow)
-            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
-
         if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
             BIO_printf(bio_err, "Error setting cipher %s\n",
                        EVP_CIPHER_name(cipher));
@@ -613,15 +528,15 @@ int MAIN(int argc, char **argv)
                     printf("%02X", salt[i]);
                 printf("\n");
             }
-            if (cipher->key_len > 0) {
+            if (EVP_CIPHER_key_length(cipher) > 0) {
                 printf("key=");
-                for (i = 0; i < cipher->key_len; i++)
+                for (i = 0; i < EVP_CIPHER_key_length(cipher); i++)
                     printf("%02X", key[i]);
                 printf("\n");
             }
-            if (cipher->iv_len > 0) {
+            if (EVP_CIPHER_iv_length(cipher) > 0) {
                 printf("iv =");
-                for (i = 0; i < cipher->iv_len; i++)
+                for (i = 0; i < EVP_CIPHER_iv_length(cipher); i++)
                     printf("%02X", iv[i]);
                 printf("\n");
             }
@@ -652,34 +567,41 @@ int MAIN(int argc, char **argv)
 
     ret = 0;
     if (verbose) {
-        BIO_printf(bio_err, "bytes read   :%8ld\n", BIO_number_read(in));
-        BIO_printf(bio_err, "bytes written:%8ld\n", BIO_number_written(out));
+        BIO_printf(bio_err, "bytes read   :%8"PRIu64"\n", BIO_number_read(in));
+        BIO_printf(bio_err, "bytes written:%8"PRIu64"\n", BIO_number_written(out));
     }
  end:
     ERR_print_errors(bio_err);
-    if (strbuf != NULL)
-        OPENSSL_free(strbuf);
-    if (buff != NULL)
-        OPENSSL_free(buff);
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (benc != NULL)
-        BIO_free(benc);
-    if (b64 != NULL)
-        BIO_free(b64);
+    OPENSSL_free(strbuf);
+    OPENSSL_free(buff);
+    BIO_free(in);
+    BIO_free_all(out);
+    BIO_free(benc);
+    BIO_free(b64);
 #ifdef ZLIB
-    if (bzl != NULL)
-        BIO_free(bzl);
+    BIO_free(bzl);
 #endif
-    if (pass)
-        OPENSSL_free(pass);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    OPENSSL_free(pass);
+    return (ret);
 }
 
-int set_hex(char *in, unsigned char *out, int size)
+static void show_ciphers(const OBJ_NAME *name, void *bio_)
+{
+    BIO *bio = bio_;
+    static int n;
+
+    if (!islower((unsigned char)*name->name))
+        return;
+
+    BIO_printf(bio, "-%-25s", name->name);
+    if (++n == 3) {
+        BIO_printf(bio, "\n");
+        n = 0;
+    } else
+        BIO_printf(bio, " ");
+}
+
+static int set_hex(char *in, unsigned char *out, int size)
 {
     int i, n;
     unsigned char j;
@@ -695,16 +617,11 @@ int set_hex(char *in, unsigned char *out, int size)
         *(in++) = '\0';
         if (j == 0)
             break;
-        if ((j >= '0') && (j <= '9'))
-            j -= '0';
-        else if ((j >= 'A') && (j <= 'F'))
-            j = j - 'A' + 10;
-        else if ((j >= 'a') && (j <= 'f'))
-            j = j - 'a' + 10;
-        else {
+        if (!isxdigit(j)) {
             BIO_printf(bio_err, "non-hex digit\n");
             return (0);
         }
+        j = (unsigned char)app_hex(j);
         if (i & 1)
             out[i / 2] |= j;
         else

apps/engine.c

@@ -1,4 +1,3 @@
-/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */
 /*
  * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project
  * 2000.
@@ -66,27 +65,26 @@
 # include <openssl/engine.h>
 # include <openssl/ssl.h>
 
-# undef PROG
-# define PROG    engine_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST,
+    OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV
+} OPTION_CHOICE;
 
-static const char *engine_usage[] = {
-    "usage: engine opts [engine ...]\n",
-    " -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
-    "               -vv will additionally display each command's description\n",
-    "               -vvv will also add the input flags for each command\n",
-    "               -vvvv will also show internal input flags\n",
-    " -c          - for each engine, also list the capabilities\n",
-    " -t[t]       - for each engine, check that they are really available\n",
-    "               -tt will display error trace for unavailable engines\n",
-    " -pre <cmd>  - runs command 'cmd' against the ENGINE before any attempts\n",
-    "               to load it (if -t is used)\n",
-    " -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
-    "               (only used if -t is also provided)\n",
-    " NB: -pre and -post will be applied to all ENGINEs supplied on the command\n",
-    " line, or all supported ENGINEs if none are specified.\n",
-    " Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n",
-    " argument \"/lib/libdriver.so\".\n",
-    NULL
+OPTIONS engine_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
+    {"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
+    {"vv", OPT_VV, '-', "Also display each command's description"},
+    {"v", OPT_V, '-', "For each engine, list its 'control commands'"},
+    {"c", OPT_C, '-', "List the capabilities of each engine"},
+    {"t", OPT_T, '-', "Check that each engine is available"},
+    {"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
+    {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
+    {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
+    {OPT_MORE_STR, OPT_EOF, 1,
+     "Commands are like \"SO_PATH:/lib/libdriver.so\""},
+    {NULL}
 };
 
 static void identity(char *ptr)
@@ -96,19 +94,12 @@ static void identity(char *ptr)
 
 static int append_buf(char **buf, const char *s, int *size, int step)
 {
-    int l = strlen(s);
-
     if (*buf == NULL) {
         *size = step;
-        *buf = OPENSSL_malloc(*size);
-        if (*buf == NULL)
-            return 0;
+        *buf = app_malloc(*size, "engine buffer");
         **buf = '\0';
     }
 
-    if (**buf != '\0')
-        l += 2;                 /* ", " */
-
     if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
         *size += step;
         *buf = OPENSSL_realloc(*buf, *size);
@@ -118,19 +109,19 @@ static int append_buf(char **buf, const char *s, int *size, int step)
         return 0;
 
     if (**buf != '\0')
-        BUF_strlcat(*buf, ", ", *size);
-    BUF_strlcat(*buf, s, *size);
+        OPENSSL_strlcat(*buf, ", ", *size);
+    OPENSSL_strlcat(*buf, s, *size);
 
     return 1;
 }
 
-static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)
+static int util_flags(BIO *out, unsigned int flags, const char *indent)
 {
     int started = 0, err = 0;
     /* Indent before displaying input flags */
-    BIO_printf(bio_out, "%s%s(input flags): ", indent, indent);
+    BIO_printf(out, "%s%s(input flags): ", indent, indent);
     if (flags == 0) {
-        BIO_printf(bio_out, "<no flags>\n");
+        BIO_printf(out, "<no flags>\n");
         return 1;
     }
     /*
@@ -138,11 +129,11 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)
      * having it part of all the other flags, even if it really is.
      */
     if (flags & ENGINE_CMD_FLAG_INTERNAL) {
-        BIO_printf(bio_out, "[Internal] ");
+        BIO_printf(out, "[Internal] ");
     }
 
     if (flags & ENGINE_CMD_FLAG_NUMERIC) {
-        BIO_printf(bio_out, "NUMERIC");
+        BIO_printf(out, "NUMERIC");
         started = 1;
     }
     /*
@@ -153,18 +144,18 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)
      */
     if (flags & ENGINE_CMD_FLAG_STRING) {
         if (started) {
-            BIO_printf(bio_out, "|");
+            BIO_printf(out, "|");
             err = 1;
         }
-        BIO_printf(bio_out, "STRING");
+        BIO_printf(out, "STRING");
         started = 1;
     }
     if (flags & ENGINE_CMD_FLAG_NO_INPUT) {
         if (started) {
-            BIO_printf(bio_out, "|");
+            BIO_printf(out, "|");
             err = 1;
         }
-        BIO_printf(bio_out, "NO_INPUT");
+        BIO_printf(out, "NO_INPUT");
         started = 1;
     }
     /* Check for unknown flags */
@@ -173,17 +164,16 @@ static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)
         ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL;
     if (flags) {
         if (started)
-            BIO_printf(bio_out, "|");
-        BIO_printf(bio_out, "<0x%04X>", flags);
+            BIO_printf(out, "|");
+        BIO_printf(out, "<0x%04X>", flags);
     }
     if (err)
-        BIO_printf(bio_out, "  <illegal flags!>");
-    BIO_printf(bio_out, "\n");
+        BIO_printf(out, "  <illegal flags!>");
+    BIO_printf(out, "\n");
     return 1;
 }
 
-static int util_verbose(ENGINE *e, int verbose, BIO *bio_out,
-                        const char *indent)
+static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
 {
     static const int line_wrap = 78;
     int num;
@@ -196,16 +186,13 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out,
     if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
         ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
                             0, NULL, NULL)) <= 0)) {
-# if 0
-        BIO_printf(bio_out, "%s<no control commands>\n", indent);
-# endif
         return 1;
     }
 
     cmds = sk_OPENSSL_STRING_new_null();
-
     if (!cmds)
         goto err;
+
     do {
         int len;
         /* Get the command input flags */
@@ -217,8 +204,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out,
             if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
                                    NULL, NULL)) <= 0)
                 goto err;
-            if ((name = OPENSSL_malloc(len + 1)) == NULL)
-                goto err;
+            name = app_malloc(len + 1, "name buffer");
             if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
                             NULL) <= 0)
                 goto err;
@@ -227,8 +213,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out,
                                    NULL, NULL)) < 0)
                 goto err;
             if (len > 0) {
-                if ((desc = OPENSSL_malloc(len + 1)) == NULL)
-                    goto err;
+                desc = app_malloc(len + 1, "description buffer");
                 if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
                                 NULL) <= 0)
                     goto err;
@@ -236,59 +221,54 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out,
             /* Now decide on the output */
             if (xpos == 0)
                 /* Do an indent */
-                xpos = BIO_puts(bio_out, indent);
+                xpos = BIO_puts(out, indent);
             else
                 /* Otherwise prepend a ", " */
-                xpos += BIO_printf(bio_out, ", ");
+                xpos += BIO_printf(out, ", ");
             if (verbose == 1) {
                 /*
                  * We're just listing names, comma-delimited
                  */
                 if ((xpos > (int)strlen(indent)) &&
                     (xpos + (int)strlen(name) > line_wrap)) {
-                    BIO_printf(bio_out, "\n");
-                    xpos = BIO_puts(bio_out, indent);
+                    BIO_printf(out, "\n");
+                    xpos = BIO_puts(out, indent);
                 }
-                xpos += BIO_printf(bio_out, "%s", name);
+                xpos += BIO_printf(out, "%s", name);
             } else {
                 /* We're listing names plus descriptions */
-                BIO_printf(bio_out, "%s: %s\n", name,
+                BIO_printf(out, "%s: %s\n", name,
                            (desc == NULL) ? "<no description>" : desc);
                 /* ... and sometimes input flags */
-                if ((verbose >= 3) && !util_flags(bio_out, flags, indent))
+                if ((verbose >= 3) && !util_flags(out, flags, indent))
                     goto err;
                 xpos = 0;
             }
         }
         OPENSSL_free(name);
         name = NULL;
-        if (desc) {
-            OPENSSL_free(desc);
-            desc = NULL;
-        }
+        OPENSSL_free(desc);
+        desc = NULL;
         /* Move to the next command */
         num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE, num, NULL, NULL);
     } while (num > 0);
     if (xpos > 0)
-        BIO_printf(bio_out, "\n");
+        BIO_printf(out, "\n");
     ret = 1;
  err:
-    if (cmds)
-        sk_OPENSSL_STRING_pop_free(cmds, identity);
-    if (name)
-        OPENSSL_free(name);
-    if (desc)
-        OPENSSL_free(desc);
+    sk_OPENSSL_STRING_pop_free(cmds, identity);
+    OPENSSL_free(name);
+    OPENSSL_free(desc);
     return ret;
 }
 
 static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
-                         BIO *bio_out, const char *indent)
+                         BIO *out, const char *indent)
 {
     int loop, res, num = sk_OPENSSL_STRING_num(cmds);
 
     if (num < 0) {
-        BIO_printf(bio_out, "[Error]: internal stack error\n");
+        BIO_printf(out, "[Error]: internal stack error\n");
         return;
     }
     for (loop = 0; loop < num; loop++) {
@@ -302,7 +282,7 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
                 res = 0;
         } else {
             if ((int)(arg - cmd) > 254) {
-                BIO_printf(bio_out, "[Error]: command name too long\n");
+                BIO_printf(out, "[Error]: command name too long\n");
                 return;
             }
             memcpy(buf, cmd, (int)(arg - cmd));
@@ -313,90 +293,70 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
                 res = 0;
         }
         if (res)
-            BIO_printf(bio_out, "[Success]: %s\n", cmd);
+            BIO_printf(out, "[Success]: %s\n", cmd);
         else {
-            BIO_printf(bio_out, "[Failure]: %s\n", cmd);
-            ERR_print_errors(bio_out);
+            BIO_printf(out, "[Failure]: %s\n", cmd);
+            ERR_print_errors(out);
         }
     }
 }
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+int engine_main(int argc, char **argv)
 {
     int ret = 1, i;
-    const char **pp;
     int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0;
     ENGINE *e;
     STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null();
     STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null();
     STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null();
-    int badops = 1;
-    BIO *bio_out = NULL;
+    BIO *out;
     const char *indent = "     ";
+    OPTION_CHOICE o;
+    char *prog;
 
-    apps_startup();
-    SSL_load_error_strings();
-
-    if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
-    if (!load_config(bio_err, NULL))
+    out = dup_bio_out(FORMAT_TEXT);
+    prog = opt_init(argc, argv, engine_options);
+    if (!engines || !pre_cmds || !post_cmds)
         goto end;
-    bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-    {
-        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-        bio_out = BIO_push(tmpbio, bio_out);
-    }
-# endif
-
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strncmp(*argv, "-v", 2) == 0) {
-            if (strspn(*argv + 1, "v") < strlen(*argv + 1))
-                goto skip_arg_loop;
-            if ((verbose = strlen(*argv + 1)) > 4)
-                goto skip_arg_loop;
-        } else if (strcmp(*argv, "-c") == 0)
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(engine_options);
+            ret = 0;
+            goto end;
+        case OPT_VVVV:
+        case OPT_VVV:
+        case OPT_VV:
+        case OPT_V:
+            /* Convert to an integer from one to four. */
+            i = (int)(o - OPT_V) + 1;
+            if (verbose < i)
+                verbose = i;
+            break;
+        case OPT_C:
             list_cap = 1;
-        else if (strncmp(*argv, "-t", 2) == 0) {
-            test_avail = 1;
-            if (strspn(*argv + 1, "t") < strlen(*argv + 1))
-                goto skip_arg_loop;
-            if ((test_avail_noise = strlen(*argv + 1) - 1) > 1)
-                goto skip_arg_loop;
-        } else if (strcmp(*argv, "-pre") == 0) {
-            argc--;
-            argv++;
-            if (argc == 0)
-                goto skip_arg_loop;
-            sk_OPENSSL_STRING_push(pre_cmds, *argv);
-        } else if (strcmp(*argv, "-post") == 0) {
-            argc--;
-            argv++;
-            if (argc == 0)
-                goto skip_arg_loop;
-            sk_OPENSSL_STRING_push(post_cmds, *argv);
-        } else if ((strncmp(*argv, "-h", 2) == 0) ||
-                   (strcmp(*argv, "-?") == 0))
-            goto skip_arg_loop;
-        else
-            sk_OPENSSL_STRING_push(engines, *argv);
-        argc--;
-        argv++;
-    }
-    /* Looks like everything went OK */
-    badops = 0;
- skip_arg_loop:
-
-    if (badops) {
-        for (pp = engine_usage; (*pp != NULL); pp++)
-            BIO_printf(bio_err, "%s", *pp);
-        goto end;
+            break;
+        case OPT_TT:
+            test_avail_noise++;
+        case OPT_T:
+            test_avail++;
+            break;
+        case OPT_PRE:
+            sk_OPENSSL_STRING_push(pre_cmds, opt_arg());
+            break;
+        case OPT_POST:
+            sk_OPENSSL_STRING_push(post_cmds, opt_arg());
+            break;
+        }
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    for ( ; *argv; argv++)
+        sk_OPENSSL_STRING_push(engines, *argv);
 
     if (sk_OPENSSL_STRING_num(engines) == 0) {
         for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
@@ -411,10 +371,10 @@ int MAIN(int argc, char **argv)
             /*
              * Do "id" first, then "name". Easier to auto-parse.
              */
-            BIO_printf(bio_out, "(%s) %s\n", id, name);
-            util_do_cmds(e, pre_cmds, bio_out, indent);
+            BIO_printf(out, "(%s) %s\n", id, name);
+            util_do_cmds(e, pre_cmds, out, indent);
             if (strcmp(ENGINE_get_id(e), id) != 0) {
-                BIO_printf(bio_out, "Loaded: (%s) %s\n",
+                BIO_printf(out, "Loaded: (%s) %s\n",
                            ENGINE_get_id(e), ENGINE_get_name(e));
             }
             if (list_cap) {
@@ -469,24 +429,24 @@ int MAIN(int argc, char **argv)
                         goto end;
  skip_pmeths:
                 if (cap_buf && (*cap_buf != '\0'))
-                    BIO_printf(bio_out, " [%s]\n", cap_buf);
+                    BIO_printf(out, " [%s]\n", cap_buf);
 
                 OPENSSL_free(cap_buf);
             }
             if (test_avail) {
-                BIO_printf(bio_out, "%s", indent);
+                BIO_printf(out, "%s", indent);
                 if (ENGINE_init(e)) {
-                    BIO_printf(bio_out, "[ available ]\n");
-                    util_do_cmds(e, post_cmds, bio_out, indent);
+                    BIO_printf(out, "[ available ]\n");
+                    util_do_cmds(e, post_cmds, out, indent);
                     ENGINE_finish(e);
                 } else {
-                    BIO_printf(bio_out, "[ unavailable ]\n");
+                    BIO_printf(out, "[ unavailable ]\n");
                     if (test_avail_noise)
                         ERR_print_errors_fp(stdout);
                     ERR_clear_error();
                 }
             }
-            if ((verbose > 0) && !util_verbose(e, verbose, bio_out, indent))
+            if ((verbose > 0) && !util_verbose(e, verbose, out, indent))
                 goto end;
             ENGINE_free(e);
         } else
@@ -500,10 +460,8 @@ int MAIN(int argc, char **argv)
     sk_OPENSSL_STRING_pop_free(engines, identity);
     sk_OPENSSL_STRING_pop_free(pre_cmds, identity);
     sk_OPENSSL_STRING_pop_free(post_cmds, identity);
-    if (bio_out != NULL)
-        BIO_free_all(bio_out);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    BIO_free_all(out);
+    return (ret);
 }
 #else
 

apps/errstr.c

@@ -1,4 +1,3 @@
-/* apps/errstr.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,57 +64,60 @@
 #include <openssl/err.h>
 #include <openssl/ssl.h>
 
-#undef PROG
-#define PROG    errstr_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_STATS
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS errstr_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"},
+    {OPT_HELP_STR, 1, '-', "  errnum  Error number\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"stats", OPT_STATS, '-',
+     "Print internal hashtable statistics (long!)"},
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int errstr_main(int argc, char **argv)
 {
-    int i, ret = 0;
-    char buf[256];
+    OPTION_CHOICE o;
+    char buf[256], *prog;
+    int ret = 1;
     unsigned long l;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    SSL_load_error_strings();
-
-    if ((argc > 1) && (strcmp(argv[1], "-stats") == 0)) {
-        BIO *out = NULL;
-
-        out = BIO_new(BIO_s_file());
-        if ((out != NULL) && BIO_set_fp(out, stdout, BIO_NOCLOSE)) {
-#ifdef OPENSSL_SYS_VMS
-            {
-                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-                out = BIO_push(tmpbio, out);
-            }
-#endif
-            lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(), out);
-            lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), out);
+    prog = opt_init(argc, argv, errstr_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(errstr_options);
+            ret = 0;
+            goto end;
+        case OPT_STATS:
+            lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(),
+                                              bio_out);
+            lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), bio_out);
             lh_ERR_STRING_DATA_node_usage_stats_bio(ERR_get_string_table(),
-                                                    out);
+                                                    bio_out);
+            ret = 0;
+            goto end;
         }
-        if (out != NULL)
-            BIO_free_all(out);
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    for (i = 1; i < argc; i++) {
-        if (sscanf(argv[i], "%lx", &l)) {
-            ERR_error_string_n(l, buf, sizeof buf);
-            printf("%s\n", buf);
-        } else {
-            printf("%s: bad error code\n", argv[i]);
-            printf("usage: errstr [-stats] <errno> ...\n");
+    ret = 0;
+    for (argv = opt_rest(); *argv; argv++) {
+        if (!opt_ulong(*argv, &l))
             ret++;
+        else {
+            ERR_error_string_n(l, buf, sizeof buf);
+            BIO_printf(bio_out, "%s\n", buf);
         }
     }
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+ end:
+    return (ret);
 }

apps/gendh.c

@@ -1,245 +0,0 @@
-/* apps/gendh.c */
-/* obsoleted by dhparam.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <openssl/opensslconf.h>
-
-#ifndef OPENSSL_NO_DH
-# include <stdio.h>
-# include <string.h>
-# include <sys/types.h>
-# include <sys/stat.h>
-# include "apps.h"
-# include <openssl/bio.h>
-# include <openssl/rand.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/dh.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-
-# define DEFBITS 2048
-# undef PROG
-# define PROG gendh_main
-
-static int dh_cb(int p, int n, BN_GENCB *cb);
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
-{
-    BN_GENCB *cb = NULL;
-    DH *dh = NULL;
-    int ret = 1, num = DEFBITS;
-    int g = 2;
-    char *outfile = NULL;
-    char *inrand = NULL;
-# ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-# endif
-    BIO *out = NULL;
-
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    cb = BN_GENCB_new();
-    if (!cb)
-        goto end;
-
-    BN_GENCB_set(cb, dh_cb, bio_err);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    argv++;
-    argc--;
-    for (;;) {
-        if (argc <= 0)
-            break;
-        if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-2") == 0)
-            g = 2;
-/*-     else if (strcmp(*argv,"-3") == 0)
-                g=3; */
-        else if (strcmp(*argv, "-5") == 0)
-            g = 5;
-# ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-# endif
-        else if (strcmp(*argv, "-rand") == 0) {
-            if (--argc < 1)
-                goto bad;
-            inrand = *(++argv);
-        } else
-            break;
-        argv++;
-        argc--;
-    }
-    if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) {
- bad:
-        BIO_printf(bio_err, "usage: gendh [args] [numbits]\n");
-        BIO_printf(bio_err, " -out file - output the key to 'file\n");
-        BIO_printf(bio_err, " -2        - use 2 as the generator value\n");
-        /*
-         * BIO_printf(bio_err," -3 - use 3 as the generator value\n");
-         */
-        BIO_printf(bio_err, " -5        - use 5 as the generator value\n");
-# ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e - use engine e, possibly a hardware device.\n");
-# endif
-        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
-                   LIST_SEPARATOR_CHAR);
-        BIO_printf(bio_err,
-                   "           - load the file (or the files in the directory) into\n");
-        BIO_printf(bio_err, "             the random number generator\n");
-        goto end;
-    }
-# ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-# endif
-
-    out = BIO_new(BIO_s_file());
-    if (out == NULL) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
-
-    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
-        BIO_printf(bio_err,
-                   "warning, not much extra random data, consider using the -rand option\n");
-    }
-    if (inrand != NULL)
-        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
-                   app_RAND_load_files(inrand));
-
-    BIO_printf(bio_err,
-               "Generating DH parameters, %d bit long safe prime, generator %d\n",
-               num, g);
-    BIO_printf(bio_err, "This is going to take a long time\n");
-
-    if (((dh = DH_new()) == NULL)
-        || !DH_generate_parameters_ex(dh, num, g, cb))
-        goto end;
-
-    app_RAND_write_file(NULL, bio_err);
-
-    if (!PEM_write_bio_DHparams(out, dh))
-        goto end;
-    ret = 0;
- end:
-    if (ret != 0)
-        ERR_print_errors(bio_err);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (dh != NULL)
-        DH_free(dh);
-    if (cb != NULL)
-        BN_GENCB_free(cb);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
-}
-
-static int dh_cb(int p, int n, BN_GENCB *cb)
-{
-    char c = '*';
-
-    if (p == 0)
-        c = '.';
-    if (p == 1)
-        c = '+';
-    if (p == 2)
-        c = '*';
-    if (p == 3)
-        c = '\n';
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
-    return 1;
-}
-#else                           /* !OPENSSL_NO_DH */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
-#endif

apps/gendsa.c

@@ -1,4 +1,3 @@
-/* apps/gendsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -70,156 +69,82 @@
 # include <openssl/x509.h>
 # include <openssl/pem.h>
 
-# define DEFBITS 512
-# undef PROG
-# define PROG gendsa_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_RAND, OPT_CIPHER
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS gendsa_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"},
+    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"out", OPT_OUT, '>', "Output the key to the specified file"},
+    {"passout", OPT_PASSOUT, 's'},
+    {"rand", OPT_RAND, 's',
+     "Load the file(s) into the random number generator"},
+    {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int gendsa_main(int argc, char **argv)
 {
-    DSA *dsa = NULL;
-    int ret = 1;
-    char *outfile = NULL;
-    char *inrand = NULL, *dsaparams = NULL;
-    char *passargout = NULL, *passout = NULL;
     BIO *out = NULL, *in = NULL;
+    DSA *dsa = NULL;
     const EVP_CIPHER *enc = NULL;
-# ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-# endif
+    char *inrand = NULL, *dsaparams = NULL;
+    char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
+    OPTION_CHOICE o;
+    int ret = 1, private = 0;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    argv++;
-    argc--;
-    for (;;) {
-        if (argc <= 0)
+    prog = opt_init(argc, argv, gendsa_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            ret = 0;
+            opt_help(gendsa_options);
+            goto end;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_PASSOUT:
+            passoutarg = opt_arg();
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
+            break;
+        case OPT_RAND:
+            inrand = opt_arg();
+            break;
+        case OPT_CIPHER:
+            if (!opt_cipher(opt_unknown(), &enc))
+                goto end;
             break;
-        if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-passout") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passargout = *(++argv);
         }
-# ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-# endif
-        else if (strcmp(*argv, "-rand") == 0) {
-            if (--argc < 1)
-                goto bad;
-            inrand = *(++argv);
-        } else if (strcmp(*argv, "-") == 0)
-            goto bad;
-# ifndef OPENSSL_NO_DES
-        else if (strcmp(*argv, "-des") == 0)
-            enc = EVP_des_cbc();
-        else if (strcmp(*argv, "-des3") == 0)
-            enc = EVP_des_ede3_cbc();
-# endif
-# ifndef OPENSSL_NO_IDEA
-        else if (strcmp(*argv, "-idea") == 0)
-            enc = EVP_idea_cbc();
-# endif
-# ifndef OPENSSL_NO_SEED
-        else if (strcmp(*argv, "-seed") == 0)
-            enc = EVP_seed_cbc();
-# endif
-# ifndef OPENSSL_NO_AES
-        else if (strcmp(*argv, "-aes128") == 0)
-            enc = EVP_aes_128_cbc();
-        else if (strcmp(*argv, "-aes192") == 0)
-            enc = EVP_aes_192_cbc();
-        else if (strcmp(*argv, "-aes256") == 0)
-            enc = EVP_aes_256_cbc();
-# endif
-# ifndef OPENSSL_NO_CAMELLIA
-        else if (strcmp(*argv, "-camellia128") == 0)
-            enc = EVP_camellia_128_cbc();
-        else if (strcmp(*argv, "-camellia192") == 0)
-            enc = EVP_camellia_192_cbc();
-        else if (strcmp(*argv, "-camellia256") == 0)
-            enc = EVP_camellia_256_cbc();
-# endif
-        else if (**argv != '-' && dsaparams == NULL) {
-            dsaparams = *argv;
-        } else
-            goto bad;
-        argv++;
-        argc--;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = 1;
 
-    if (dsaparams == NULL) {
- bad:
-        BIO_printf(bio_err, "usage: gendsa [args] dsaparam-file\n");
-        BIO_printf(bio_err, " -out file - output the key to 'file'\n");
-# ifndef OPENSSL_NO_DES
-        BIO_printf(bio_err,
-                   " -des      - encrypt the generated key with DES in cbc mode\n");
-        BIO_printf(bio_err,
-                   " -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
-# endif
-# ifndef OPENSSL_NO_IDEA
-        BIO_printf(bio_err,
-                   " -idea     - encrypt the generated key with IDEA in cbc mode\n");
-# endif
-# ifndef OPENSSL_NO_SEED
-        BIO_printf(bio_err, " -seed\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc seed\n");
-# endif
-# ifndef OPENSSL_NO_AES
-        BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc aes\n");
-# endif
-# ifndef OPENSSL_NO_CAMELLIA
-        BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc camellia\n");
-# endif
-# ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e - use engine e, possibly a hardware device.\n");
-# endif
-        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
-                   LIST_SEPARATOR_CHAR);
-        BIO_printf(bio_err,
-                   "           - load the file (or the files in the directory) into\n");
-        BIO_printf(bio_err, "             the random number generator\n");
-        BIO_printf(bio_err, " dsaparam-file\n");
-        BIO_printf(bio_err,
-                   "           - a DSA parameter file as generated by the dsaparam command\n");
-        goto end;
-    }
-# ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-# endif
+    if (argc != 1)
+        goto opthelp;
+    dsaparams = *argv;
 
-    if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+    if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
         BIO_printf(bio_err, "Error getting password\n");
         goto end;
     }
 
-    in = BIO_new(BIO_s_file());
-    if (!(BIO_read_filename(in, dsaparams))) {
-        perror(dsaparams);
-        goto end;
-    }
+    in = bio_open_default(dsaparams, 'r', FORMAT_PEM);
+    if (in == NULL)
+        goto end2;
 
     if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) {
         BIO_printf(bio_err, "unable to load DSA parameter file\n");
@@ -228,26 +153,11 @@ int MAIN(int argc, char **argv)
     BIO_free(in);
     in = NULL;
 
-    out = BIO_new(BIO_s_file());
+    out = bio_open_owner(outfile, FORMAT_PEM, private);
     if (out == NULL)
-        goto end;
+        goto end2;
 
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
-
-    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL) {
+    if (!app_RAND_load_file(NULL, 1) && inrand == NULL) {
         BIO_printf(bio_err,
                    "warning, not much extra random data, consider using the -rand option\n");
     }
@@ -259,24 +169,21 @@ int MAIN(int argc, char **argv)
     if (!DSA_generate_key(dsa))
         goto end;
 
-    app_RAND_write_file(NULL, bio_err);
+    app_RAND_write_file(NULL);
 
+    assert(private);
     if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
         goto end;
     ret = 0;
  end:
     if (ret != 0)
         ERR_print_errors(bio_err);
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    if (dsa != NULL)
-        DSA_free(dsa);
-    if (passout)
-        OPENSSL_free(passout);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+ end2:
+    BIO_free(in);
+    BIO_free_all(out);
+    DSA_free(dsa);
+    OPENSSL_free(passout);
+    return (ret);
 }
 #else                           /* !OPENSSL_NO_DSA */
 

apps/genpkey.c

@@ -1,4 +1,3 @@
-/* apps/genpkey.c */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 2006
@@ -66,159 +65,125 @@
 # include <openssl/engine.h>
 #endif
 
-static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
-                            const char *file, ENGINE *e);
+static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e);
 static int genpkey_cb(EVP_PKEY_CTX *ctx);
 
-#define PROG genpkey_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
+    OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS genpkey_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
+    {"pass", OPT_PASS, 's', "Output file pass phrase source"},
+    {"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
+    {"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
+    {"pkeyopt", OPT_PKEYOPT, 's',
+     "Set the public key algorithm option as opt:value"},
+    {"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
+    {"text", OPT_TEXT, '-', "Print the in text"},
+    {"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
+#ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+    /* This is deliberately last. */
+    {OPT_HELP_STR, 1, 1,
+     "Order of options may be important!  See the documentation.\n"},
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int genpkey_main(int argc, char **argv)
 {
-    ENGINE *e = NULL;
-    char **args, *outfile = NULL;
-    char *passarg = NULL;
     BIO *in = NULL, *out = NULL;
-    const EVP_CIPHER *cipher = NULL;
-    int outformat;
-    int text = 0;
+    ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
-    char *pass = NULL;
-    int badarg = 0;
-    int ret = 1, rv;
+    char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog;
+    const EVP_CIPHER *cipher = NULL;
+    OPTION_CHOICE o;
+    int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
+    int private = 0;
 
-    int do_param = 0;
-
-    if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    outformat = FORMAT_PEM;
-
-    ERR_load_crypto_strings();
-    OpenSSL_add_all_algorithms();
-    args = argv + 1;
-    while (!badarg && *args && *args[0] == '-') {
-        if (!strcmp(*args, "-outform")) {
-            if (args[1]) {
-                args++;
-                outformat = str2fmt(*args);
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-pass")) {
-            if (!args[1])
-                goto bad;
-            passarg = *(++args);
-        }
-#ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*args, "-engine") == 0) {
-            if (!args[1])
-                goto bad;
-            e = setup_engine(bio_err, *(++args), 0);
-        }
-#endif
-        else if (!strcmp(*args, "-paramfile")) {
-            if (!args[1])
-                goto bad;
-            args++;
+    prog = opt_init(argc, argv, genpkey_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            ret = 0;
+            opt_help(genpkey_options);
+            goto end;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_PASS:
+            passarg = opt_arg();
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_PARAMFILE:
             if (do_param == 1)
-                goto bad;
-            if (!init_keygen_file(bio_err, &ctx, *args, e))
+                goto opthelp;
+            if (!init_keygen_file(&ctx, opt_arg(), e))
                 goto end;
-        } else if (!strcmp(*args, "-out")) {
-            if (args[1]) {
-                args++;
-                outfile = *args;
-            } else
-                badarg = 1;
-        } else if (strcmp(*args, "-algorithm") == 0) {
-            if (!args[1])
-                goto bad;
-            if (!init_gen_str(bio_err, &ctx, *(++args), e, do_param))
+            break;
+        case OPT_ALGORITHM:
+            if (!init_gen_str(&ctx, opt_arg(), e, do_param))
                 goto end;
-        } else if (strcmp(*args, "-pkeyopt") == 0) {
-            if (!args[1])
-                goto bad;
-            if (!ctx) {
-                BIO_puts(bio_err, "No keytype specified\n");
-                goto bad;
-            } else if (pkey_ctrl_string(ctx, *(++args)) <= 0) {
-                BIO_puts(bio_err, "parameter setting error\n");
+            break;
+        case OPT_PKEYOPT:
+            if (ctx == NULL) {
+                BIO_printf(bio_err, "%s: No keytype specified.\n", prog);
+                goto opthelp;
+            }
+            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
+                BIO_printf(bio_err,
+                           "%s: Error setting %s parameter:\n",
+                           prog, opt_arg());
                 ERR_print_errors(bio_err);
                 goto end;
             }
-        } else if (strcmp(*args, "-genparam") == 0) {
-            if (ctx)
-                goto bad;
+            break;
+        case OPT_GENPARAM:
+            if (ctx != NULL)
+                goto opthelp;
             do_param = 1;
-        } else if (strcmp(*args, "-text") == 0)
+            break;
+        case OPT_TEXT:
             text = 1;
-        else {
-            cipher = EVP_get_cipherbyname(*args + 1);
-            if (!cipher) {
-                BIO_printf(bio_err, "Unknown cipher %s\n", *args + 1);
-                badarg = 1;
-            }
-            if (do_param == 1)
-                badarg = 1;
+            break;
+        case OPT_CIPHER:
+            if (!opt_cipher(opt_unknown(), &cipher)
+                || do_param == 1)
+                goto opthelp;
         }
-        args++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = do_param ? 0 : 1;
 
-    if (!ctx)
-        badarg = 1;
+    if (ctx == NULL)
+        goto opthelp;
 
-    if (badarg) {
- bad:
-        BIO_printf(bio_err, "Usage: genpkey [options]\n");
-        BIO_printf(bio_err, "where options may be\n");
-        BIO_printf(bio_err, "-out file          output file\n");
-        BIO_printf(bio_err,
-                   "-outform X         output format (DER or PEM)\n");
-        BIO_printf(bio_err,
-                   "-pass arg          output file pass phrase source\n");
-        BIO_printf(bio_err,
-                   "-<cipher>          use cipher <cipher> to encrypt the key\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   "-engine e          use engine e, possibly a hardware device.\n");
-#endif
-        BIO_printf(bio_err, "-paramfile file    parameters file\n");
-        BIO_printf(bio_err, "-algorithm alg     the public key algorithm\n");
-        BIO_printf(bio_err,
-                   "-pkeyopt opt:value set the public key algorithm option <opt>\n"
-                   "                   to value <value>\n");
-        BIO_printf(bio_err,
-                   "-genparam          generate parameters, not key\n");
-        BIO_printf(bio_err, "-text              print the in text\n");
-        BIO_printf(bio_err,
-                   "NB: options order may be important!  See the manual page.\n");
-        goto end;
-    }
-
-    if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
+    if (!app_passwd(passarg, NULL, &pass, NULL)) {
         BIO_puts(bio_err, "Error getting password\n");
         goto end;
     }
 
-    if (outfile) {
-        if (!(out = BIO_new_file(outfile, "wb"))) {
-            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
-            goto end;
-        }
-    } else {
-        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    }
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
 
     EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
     EVP_PKEY_CTX_set_app_data(ctx, bio_err);
@@ -239,11 +204,13 @@ int MAIN(int argc, char **argv)
 
     if (do_param)
         rv = PEM_write_bio_Parameters(out, pkey);
-    else if (outformat == FORMAT_PEM)
+    else if (outformat == FORMAT_PEM) {
+        assert(private);
         rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass);
-    else if (outformat == FORMAT_ASN1)
+    } else if (outformat == FORMAT_ASN1) {
+        assert(private);
         rv = i2d_PrivateKey_bio(out, pkey);
-    else {
+    } else {
         BIO_printf(bio_err, "Bad format specified for key\n");
         goto end;
     }
@@ -268,33 +235,28 @@ int MAIN(int argc, char **argv)
     ret = 0;
 
  end:
-    if (pkey)
-        EVP_PKEY_free(pkey);
-    if (ctx)
-        EVP_PKEY_CTX_free(ctx);
-    if (out)
-        BIO_free_all(out);
+    EVP_PKEY_free(pkey);
+    EVP_PKEY_CTX_free(ctx);
+    BIO_free_all(out);
     BIO_free(in);
-    if (pass)
-        OPENSSL_free(pass);
+    OPENSSL_free(pass);
 
     return ret;
 }
 
-static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
-                            const char *file, ENGINE *e)
+static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
 {
     BIO *pbio;
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
     if (*pctx) {
-        BIO_puts(err, "Parameters already set!\n");
+        BIO_puts(bio_err, "Parameters already set!\n");
         return 0;
     }
 
     pbio = BIO_new_file(file, "r");
     if (!pbio) {
-        BIO_printf(err, "Can't open parameter file %s\n", file);
+        BIO_printf(bio_err, "Can't open parameter file %s\n", file);
         return 0;
     }
 
@@ -307,7 +269,7 @@ static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
     }
 
     ctx = EVP_PKEY_CTX_new(pkey, e);
-    if (!ctx)
+    if (ctx == NULL)
         goto err;
     if (EVP_PKEY_keygen_init(ctx) <= 0)
         goto err;
@@ -316,17 +278,15 @@ static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
     return 1;
 
  err:
-    BIO_puts(err, "Error initializing context\n");
-    ERR_print_errors(err);
-    if (ctx)
-        EVP_PKEY_CTX_free(ctx);
-    if (pkey)
-        EVP_PKEY_free(pkey);
+    BIO_puts(bio_err, "Error initializing context\n");
+    ERR_print_errors(bio_err);
+    EVP_PKEY_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
     return 0;
 
 }
 
-int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
+int init_gen_str(EVP_PKEY_CTX **pctx,
                  const char *algname, ENGINE *e, int do_param)
 {
     EVP_PKEY_CTX *ctx = NULL;
@@ -335,7 +295,7 @@ int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
     int pkey_id;
 
     if (*pctx) {
-        BIO_puts(err, "Algorithm already set!\n");
+        BIO_puts(bio_err, "Algorithm already set!\n");
         return 0;
     }
 
@@ -374,10 +334,9 @@ int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
     return 1;
 
  err:
-    BIO_printf(err, "Error initializing %s context\n", algname);
-    ERR_print_errors(err);
-    if (ctx)
-        EVP_PKEY_CTX_free(ctx);
+    BIO_printf(bio_err, "Error initializing %s context\n", algname);
+    ERR_print_errors(bio_err);
+    EVP_PKEY_CTX_free(ctx);
     return 0;
 
 }

apps/genrsa.c

@@ -1,4 +1,3 @@
-/* apps/genrsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -74,192 +73,103 @@
 # include <openssl/rand.h>
 
 # define DEFBITS 2048
-# undef PROG
-# define PROG genrsa_main
 
 static int genrsa_cb(int p, int n, BN_GENCB *cb);
 
-int MAIN(int, char **);
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_3, OPT_F4, OPT_ENGINE,
+    OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER
+} OPTION_CHOICE;
 
-int MAIN(int argc, char **argv)
+OPTIONS genrsa_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"3", OPT_3, '-', "Use 3 for the E value"},
+    {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
+    {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
+    {"out", OPT_OUT, 's', "Output the key to specified file"},
+    {"rand", OPT_RAND, 's',
+     "Load the file(s) into the random number generator"},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+    {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+    {NULL}
+};
+
+int genrsa_main(int argc, char **argv)
 {
-    BN_GENCB *cb = NULL;
-# ifndef OPENSSL_NO_ENGINE
+    BN_GENCB *cb = BN_GENCB_new();
+    PW_CB_DATA cb_data;
     ENGINE *e = NULL;
-# endif
-    int ret = 1;
-    int non_fips_allow = 0;
-    int num = DEFBITS;
-    const EVP_CIPHER *enc = NULL;
-    unsigned long f4 = RSA_F4;
-    char *outfile = NULL;
-    char *passargout = NULL, *passout = NULL;
-    char *hexe, *dece;
-# ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-# endif
-    char *inrand = NULL;
-    BIO *out = NULL;
     BIGNUM *bn = BN_new();
+    BIO *out = NULL;
     RSA *rsa = NULL;
-    if (!bn)
-        goto err;
+    const EVP_CIPHER *enc = NULL;
+    int ret = 1, num = DEFBITS, private = 0;
+    unsigned long f4 = RSA_F4;
+    char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
+    char *inrand = NULL, *prog, *hexe, *dece;
+    OPTION_CHOICE o;
 
-    cb = BN_GENCB_new();
-    if (!cb)
-        goto err;
-
-    apps_startup();
+    if (bn == NULL || cb == NULL)
+        goto end;
 
     BN_GENCB_set(cb, genrsa_cb, bio_err);
 
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto err;
-    if ((out = BIO_new(BIO_s_file())) == NULL) {
-        BIO_printf(bio_err, "unable to create BIO for output\n");
-        goto err;
-    }
-
-    argv++;
-    argc--;
-    for (;;) {
-        if (argc <= 0)
-            break;
-        if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-3") == 0)
+    prog = opt_init(argc, argv, genrsa_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            ret = 0;
+            opt_help(genrsa_options);
+            goto end;
+        case OPT_3:
             f4 = 3;
-        else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
-            f4 = RSA_F4;
-# ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-# endif
-        else if (strcmp(*argv, "-rand") == 0) {
-            if (--argc < 1)
-                goto bad;
-            inrand = *(++argv);
-        }
-# ifndef OPENSSL_NO_DES
-        else if (strcmp(*argv, "-des") == 0)
-            enc = EVP_des_cbc();
-        else if (strcmp(*argv, "-des3") == 0)
-            enc = EVP_des_ede3_cbc();
-# endif
-# ifndef OPENSSL_NO_IDEA
-        else if (strcmp(*argv, "-idea") == 0)
-            enc = EVP_idea_cbc();
-# endif
-# ifndef OPENSSL_NO_SEED
-        else if (strcmp(*argv, "-seed") == 0)
-            enc = EVP_seed_cbc();
-# endif
-# ifndef OPENSSL_NO_AES
-        else if (strcmp(*argv, "-aes128") == 0)
-            enc = EVP_aes_128_cbc();
-        else if (strcmp(*argv, "-aes192") == 0)
-            enc = EVP_aes_192_cbc();
-        else if (strcmp(*argv, "-aes256") == 0)
-            enc = EVP_aes_256_cbc();
-# endif
-# ifndef OPENSSL_NO_CAMELLIA
-        else if (strcmp(*argv, "-camellia128") == 0)
-            enc = EVP_camellia_128_cbc();
-        else if (strcmp(*argv, "-camellia192") == 0)
-            enc = EVP_camellia_192_cbc();
-        else if (strcmp(*argv, "-camellia256") == 0)
-            enc = EVP_camellia_256_cbc();
-# endif
-        else if (strcmp(*argv, "-passout") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passargout = *(++argv);
-        } else if (strcmp(*argv, "-non-fips-allow") == 0)
-            non_fips_allow = 1;
-        else
             break;
-        argv++;
-        argc--;
-    }
-    if ((argc >= 1) && ((sscanf(*argv, "%d", &num) == 0) || (num < 0))) {
- bad:
-        BIO_printf(bio_err, "usage: genrsa [args] [numbits]\n");
-        BIO_printf(bio_err,
-                   " -des            encrypt the generated key with DES in cbc mode\n");
-        BIO_printf(bio_err,
-                   " -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
-# ifndef OPENSSL_NO_IDEA
-        BIO_printf(bio_err,
-                   " -idea           encrypt the generated key with IDEA in cbc mode\n");
-# endif
-# ifndef OPENSSL_NO_SEED
-        BIO_printf(bio_err, " -seed\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc seed\n");
-# endif
-# ifndef OPENSSL_NO_AES
-        BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc aes\n");
-# endif
-# ifndef OPENSSL_NO_CAMELLIA
-        BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc camellia\n");
-# endif
-        BIO_printf(bio_err, " -out file       output the key to 'file\n");
-        BIO_printf(bio_err,
-                   " -passout arg    output file pass phrase source\n");
-        BIO_printf(bio_err,
-                   " -f4             use F4 (0x10001) for the E value\n");
-        BIO_printf(bio_err, " -3              use 3 for the E value\n");
-# ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e       use engine e, possibly a hardware device.\n");
-# endif
-        BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
-                   LIST_SEPARATOR_CHAR);
-        BIO_printf(bio_err,
-                   "                 load the file (or the files in the directory) into\n");
-        BIO_printf(bio_err, "                 the random number generator\n");
-        goto err;
+        case OPT_F4:
+            f4 = RSA_F4;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_RAND:
+            inrand = opt_arg();
+            break;
+        case OPT_PASSOUT:
+            passoutarg = opt_arg();
+            break;
+        case OPT_CIPHER:
+            if (!opt_cipher(opt_unknown(), &enc))
+                goto end;
+            break;
+        }
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = 1;
 
-    ERR_load_crypto_strings();
+    if (argv[0] && (!opt_int(argv[0], &num) || num <= 0))
+        goto end;
 
-    if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+    if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
         BIO_printf(bio_err, "Error getting password\n");
-        goto err;
-    }
-# ifndef OPENSSL_NO_ENGINE
-    e = setup_engine(bio_err, engine, 0);
-# endif
-
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto err;
-        }
+        goto end;
     }
 
-    if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+    out = bio_open_owner(outfile, FORMAT_PEM, private);
+    if (out == NULL)
+        goto end;
+
+    if (!app_RAND_load_file(NULL, 1) && inrand == NULL
         && !RAND_status()) {
         BIO_printf(bio_err,
                    "warning, not much extra random data, consider using the -rand option\n");
@@ -270,57 +180,40 @@ int MAIN(int argc, char **argv)
 
     BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
                num);
-# ifdef OPENSSL_NO_ENGINE
-    rsa = RSA_new();
-# else
-    rsa = RSA_new_method(e);
-# endif
-    if (!rsa)
-        goto err;
-
-    if (non_fips_allow)
-        rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
+    rsa = e ? RSA_new_method(e) : RSA_new();
+    if (rsa == NULL)
+        goto end;
 
     if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb))
-        goto err;
+        goto end;
 
-    app_RAND_write_file(NULL, bio_err);
+    app_RAND_write_file(NULL);
 
     hexe = BN_bn2hex(rsa->e);
     dece = BN_bn2dec(rsa->e);
     if (hexe && dece) {
         BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
     }
-    if (hexe)
-        OPENSSL_free(hexe);
-    if (dece)
-        OPENSSL_free(dece);
-    {
-        PW_CB_DATA cb_data;
-        cb_data.password = passout;
-        cb_data.prompt_info = outfile;
-        if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
-                                         (pem_password_cb *)password_callback,
-                                         &cb_data))
-            goto err;
-    }
+    OPENSSL_free(hexe);
+    OPENSSL_free(dece);
+    cb_data.password = passout;
+    cb_data.prompt_info = outfile;
+    assert(private);
+    if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
+                                     (pem_password_cb *)password_callback,
+                                     &cb_data))
+        goto end;
 
     ret = 0;
- err:
-    if (bn)
-        BN_free(bn);
-    if (cb)
-        BN_GENCB_free(cb);
-    if (rsa)
-        RSA_free(rsa);
-    if (out)
-        BIO_free_all(out);
-    if (passout)
-        OPENSSL_free(passout);
+ end:
+    BN_free(bn);
+    BN_GENCB_free(cb);
+    RSA_free(rsa);
+    BIO_free_all(out);
+    OPENSSL_free(passout);
     if (ret != 0)
         ERR_print_errors(bio_err);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    return (ret);
 }
 
 static int genrsa_cb(int p, int n, BN_GENCB *cb)

apps/makeapps.com

@@ -178,7 +178,7 @@ $! NOTE: Some might think this list ugly.  However, it's made this way to
 $! reflect the E_OBJ variable in Makefile as closely as possible, thereby
 $! making it fairly easy to verify that the lists are the same.
 $!
-$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+-
+$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DHPARAM,ENC,PASSWD,ERRSTR,"+-
 	     	"CA,PKCS7,CRL2P7,CRL,"+-
 	      	"RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+-
 	      	"X509,GENRSA,GENDSA,GENPKEY,S_SERVER,S_CLIENT,SPEED,"+-

apps/nseq.c

@@ -1,4 +1,3 @@
-/* nseq.c */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 1999.
@@ -63,84 +62,73 @@
 #include <openssl/pem.h>
 #include <openssl/err.h>
 
-#undef PROG
-#define PROG nseq_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_TOSEQ, OPT_IN, OPT_OUT
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS nseq_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int nseq_main(int argc, char **argv)
 {
-    char **args, *infile = NULL, *outfile = NULL;
     BIO *in = NULL, *out = NULL;
-    int toseq = 0;
     X509 *x509 = NULL;
     NETSCAPE_CERT_SEQUENCE *seq = NULL;
-    int i, ret = 1;
-    int badarg = 0;
-    if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-    ERR_load_crypto_strings();
-    args = argv + 1;
-    while (!badarg && *args && *args[0] == '-') {
-        if (!strcmp(*args, "-toseq"))
+    OPTION_CHOICE o;
+    int toseq = 0, ret = 1, i;
+    char *infile = NULL, *outfile = NULL, *prog;
+
+    prog = opt_init(argc, argv, nseq_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            ret = 0;
+            opt_help(nseq_options);
+            goto end;
+        case OPT_TOSEQ:
             toseq = 1;
-        else if (!strcmp(*args, "-in")) {
-            if (args[1]) {
-                args++;
-                infile = *args;
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-out")) {
-            if (args[1]) {
-                args++;
-                outfile = *args;
-            } else
-                badarg = 1;
-        } else
-            badarg = 1;
-        args++;
-    }
-
-    if (badarg) {
-        BIO_printf(bio_err, "Netscape certificate sequence utility\n");
-        BIO_printf(bio_err, "Usage nseq [options]\n");
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, "-in file  input file\n");
-        BIO_printf(bio_err, "-out file output file\n");
-        BIO_printf(bio_err, "-toseq    output NS Sequence file\n");
-        OPENSSL_EXIT(1);
-    }
-
-    if (infile) {
-        if (!(in = BIO_new_file(infile, "r"))) {
-            BIO_printf(bio_err, "Can't open input file %s\n", infile);
-            goto end;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
         }
-    } else
-        in = BIO_new_fp(stdin, BIO_NOCLOSE);
-
-    if (outfile) {
-        if (!(out = BIO_new_file(outfile, "w"))) {
-            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
-            goto end;
-        }
-    } else {
-        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+
+    in = bio_open_default(infile, 'r', FORMAT_PEM);
+    if (in == NULL)
+        goto end;
+    out = bio_open_default(outfile, 'w', FORMAT_PEM);
+    if (out == NULL)
+        goto end;
+
     if (toseq) {
         seq = NETSCAPE_CERT_SEQUENCE_new();
+        if (seq == NULL)
+            goto end;
         seq->certs = sk_X509_new_null();
+        if (seq->certs == NULL)
+            goto end;
         while ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
             sk_X509_push(seq->certs, x509);
 
         if (!sk_X509_num(seq->certs)) {
-            BIO_printf(bio_err, "Error reading certs file %s\n", infile);
+            BIO_printf(bio_err, "%s: Error reading certs file %s\n",
+                       prog, infile);
             ERR_print_errors(bio_err);
             goto end;
         }
@@ -149,8 +137,10 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) {
-        BIO_printf(bio_err, "Error reading sequence file %s\n", infile);
+    seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL);
+    if (seq == NULL) {
+        BIO_printf(bio_err, "%s: Error reading sequence file %s\n",
+                   prog, infile);
         ERR_print_errors(bio_err);
         goto end;
     }
@@ -166,5 +156,5 @@ int MAIN(int argc, char **argv)
     BIO_free_all(out);
     NETSCAPE_CERT_SEQUENCE_free(seq);
 
-    OPENSSL_EXIT(ret);
+    return (ret);
 }

apps/oid.cnf

@@ -1,6 +0,0 @@
-2.99999.1       SET.ex1         SET x509v3 extension 1
-2.99999.2       SET.ex2         SET x509v3 extension 2
-2.99999.3       SET.ex3         SET x509v3 extension 3
-2.99999.4       SET.ex4         SET x509v3 extension 4
-2.99999.5       SET.ex5         SET x509v3 extension 5
-2.99999.6       SET.ex6         SET x509v3 extension 6

apps/openssl-vms.cnf

@@ -335,11 +335,12 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir.cacert.pem]	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
 
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?

apps/openssl.cnf

@@ -335,11 +335,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-
+signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?

apps/opt.c

@@ -0,0 +1,990 @@
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
+
+/* #define COMPILE_STANDALONE_TEST_DRIVER  */
+#include "apps.h"
+#include <string.h>
+#if !defined(OPENSSL_SYS_MSDOS)
+# include OPENSSL_UNISTD
+#endif
+
+#include <stdlib.h>
+#include <errno.h>
+#include <ctype.h>
+#include <limits.h>
+#include <openssl/bio.h>
+
+#define MAX_OPT_HELP_WIDTH 30
+const char OPT_HELP_STR[] = "--";
+const char OPT_MORE_STR[] = "---";
+
+/* Our state */
+static char **argv;
+static int argc;
+static int opt_index;
+static char *arg;
+static char *flag;
+static char *dunno;
+static const OPTIONS *unknown;
+static const OPTIONS *opts;
+static char prog[40];
+
+#if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L || \
+    !defined(INTMAX_MAX) && !defined(UINTMAX_MAX)
+#define opt_imax opt_long
+#define opt_umax opt_ulong
+#endif
+
+/*
+ * Return the simple name of the program; removing various platform gunk.
+ */
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_NETWARE)
+char *opt_progname(const char *argv0)
+{
+    size_t i, n;
+    const char *p;
+    char *q;
+
+    /* find the last '/', '\' or ':' */
+    for (p = argv0 + strlen(argv0); --p > argv0;)
+        if (*p == '/' || *p == '\\' || *p == ':') {
+            p++;
+            break;
+        }
+
+    /* Strip off trailing nonsense. */
+    n = strlen(p);
+    if (n > 4 &&
+        (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
+        n -= 4;
+#if defined(OPENSSL_SYS_NETWARE)
+    if (n > 4 &&
+        (strcmp(&p[n - 4], ".nlm") == 0 || strcmp(&p[n - 4], ".NLM") == 0))
+        n -= 4;
+#endif
+
+    /* Copy over the name, in lowercase. */
+    if (n > sizeof prog - 1)
+        n = sizeof prog - 1;
+    for (q = prog, i = 0; i < n; i++, p++)
+        *q++ = isupper(*p) ? tolower(*p) : *p;
+    *q = '\0';
+    return prog;
+}
+
+#elif defined(OPENSSL_SYS_VMS)
+
+char *opt_progname(const char *argv0)
+{
+    const char *p, *q;
+
+    /* Find last special charcter sys:[foo.bar]openssl */
+    for (p = argv0 + strlen(argv0); --p > argv0;)
+        if (*p == ':' || *p == ']' || *p == '>') {
+            p++;
+            break;
+        }
+
+    q = strrchr(p, '.');
+    strncpy(prog, p, sizeof prog - 1);
+    prog[sizeof prog - 1] = '\0';
+    if (q != NULL && q - p < sizeof prog)
+        prog[q - p] = '\0';
+    return prog;
+}
+
+#else
+
+char *opt_progname(const char *argv0)
+{
+    const char *p;
+
+    /* Could use strchr, but this is like the ones above. */
+    for (p = argv0 + strlen(argv0); --p > argv0;)
+        if (*p == '/') {
+            p++;
+            break;
+        }
+    strncpy(prog, p, sizeof prog - 1);
+    prog[sizeof prog - 1] = '\0';
+    return prog;
+}
+#endif
+
+char *opt_getprog(void)
+{
+    return prog;
+}
+
+/* Set up the arg parsing. */
+char *opt_init(int ac, char **av, const OPTIONS *o)
+{
+    /* Store state. */
+    argc = ac;
+    argv = av;
+    opt_index = 1;
+    opts = o;
+    opt_progname(av[0]);
+    unknown = NULL;
+
+    for (; o->name; ++o) {
+        const OPTIONS *next;
+#ifndef NDEBUG
+        int duplicated, i;
+#endif
+
+        if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR)
+            continue;
+#ifndef NDEBUG
+        i = o->valtype;
+
+        /* Make sure options are legit. */
+        assert(o->name[0] != '-');
+        assert(o->retval > 0);
+        switch (i) {
+        case   0: case '-': case '/': case '<': case '>': case 'F': case 'M':
+        case 'L': case 'U': case 'f': case 'n': case 'p': case 's': case 'u':
+            break;
+        default:
+            assert(0);
+        }
+
+        /* Make sure there are no duplicates. */
+        for (next = o + 1; next->name; ++next) {
+            /*
+             * Some compilers inline strcmp and the assert string is too long.
+             */
+            duplicated = strcmp(o->name, next->name) == 0;
+            assert(!duplicated);
+        }
+#endif
+        if (o->name[0] == '\0') {
+            assert(unknown == NULL);
+            unknown = o;
+            assert(unknown->valtype == 0 || unknown->valtype == '-');
+        }
+    }
+    return prog;
+}
+
+static OPT_PAIR formats[] = {
+    {"PEM/DER", OPT_FMT_PEMDER},
+    {"pkcs12", OPT_FMT_PKCS12},
+    {"smime", OPT_FMT_SMIME},
+    {"engine", OPT_FMT_ENGINE},
+    {"msblob", OPT_FMT_MSBLOB},
+    {"netscape", OPT_FMT_NETSCAPE},
+    {"nss", OPT_FMT_NSS},
+    {"text", OPT_FMT_TEXT},
+    {"http", OPT_FMT_HTTP},
+    {"pvk", OPT_FMT_PVK},
+    {NULL}
+};
+
+/* Print an error message about a failed format parse. */
+int opt_format_error(const char *s, unsigned long flags)
+{
+    OPT_PAIR *ap;
+
+    if (flags == OPT_FMT_PEMDER)
+        BIO_printf(bio_err, "%s: Bad format \"%s\"; must be pem or der\n",
+                   prog, s);
+    else {
+        BIO_printf(bio_err, "%s: Bad format \"%s\"; must be one of:\n",
+                   prog, s);
+        for (ap = formats; ap->name; ap++)
+            if (flags & ap->retval)
+                BIO_printf(bio_err, "   %s\n", ap->name);
+    }
+    return 0;
+}
+
+/* Parse a format string, put it into *result; return 0 on failure, else 1. */
+int opt_format(const char *s, unsigned long flags, int *result)
+{
+    switch (*s) {
+    default:
+        return 0;
+    case 'D':
+    case 'd':
+        if ((flags & OPT_FMT_PEMDER) == 0)
+            return opt_format_error(s, flags);
+        *result = FORMAT_ASN1;
+        break;
+    case 'T':
+    case 't':
+        if ((flags & OPT_FMT_TEXT) == 0)
+            return opt_format_error(s, flags);
+        *result = FORMAT_TEXT;
+        break;
+    case 'N':
+    case 'n':
+        if ((flags & OPT_FMT_NSS) == 0)
+            return opt_format_error(s, flags);
+        if (strcmp(s, "NSS") != 0 && strcmp(s, "nss") != 0)
+            return opt_format_error(s, flags);
+        *result = FORMAT_NSS;
+        break;
+    case 'S':
+    case 's':
+        if ((flags & OPT_FMT_SMIME) == 0)
+            return opt_format_error(s, flags);
+        *result = FORMAT_SMIME;
+        break;
+    case 'M':
+    case 'm':
+        if ((flags & OPT_FMT_MSBLOB) == 0)
+            return opt_format_error(s, flags);
+        *result = FORMAT_MSBLOB;
+        break;
+    case 'E':
+    case 'e':
+        if ((flags & OPT_FMT_ENGINE) == 0)
+            return opt_format_error(s, flags);
+        *result = FORMAT_ENGINE;
+        break;
+    case 'H':
+    case 'h':
+        if ((flags & OPT_FMT_HTTP) == 0)
+            return opt_format_error(s, flags);
+        *result = FORMAT_HTTP;
+        break;
+    case '1':
+        if ((flags & OPT_FMT_PKCS12) == 0)
+            return opt_format_error(s, flags);
+        *result = FORMAT_PKCS12;
+        break;
+    case 'P':
+    case 'p':
+        if (s[1] == '\0' || strcmp(s, "PEM") == 0 || strcmp(s, "pem") == 0) {
+            if ((flags & OPT_FMT_PEMDER) == 0)
+                return opt_format_error(s, flags);
+            *result = FORMAT_PEM;
+        } else if (strcmp(s, "PVK") == 0 || strcmp(s, "pvk") == 0) {
+            if ((flags & OPT_FMT_PVK) == 0)
+                return opt_format_error(s, flags);
+            *result = FORMAT_PVK;
+        } else if (strcmp(s, "P12") == 0 || strcmp(s, "p12") == 0
+                   || strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) {
+            if ((flags & OPT_FMT_PKCS12) == 0)
+                return opt_format_error(s, flags);
+            *result = FORMAT_PKCS12;
+        } else
+            return 0;
+        break;
+    }
+    return 1;
+}
+
+/* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */
+int opt_cipher(const char *name, const EVP_CIPHER **cipherp)
+{
+    *cipherp = EVP_get_cipherbyname(name);
+    if (*cipherp)
+        return 1;
+    BIO_printf(bio_err, "%s: Unknown cipher %s\n", prog, name);
+    return 0;
+}
+
+/*
+ * Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1.
+ */
+int opt_md(const char *name, const EVP_MD **mdp)
+{
+    *mdp = EVP_get_digestbyname(name);
+    if (*mdp)
+        return 1;
+    BIO_printf(bio_err, "%s: Unknown digest %s\n", prog, name);
+    return 0;
+}
+
+/* Look through a list of name/value pairs. */
+int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
+{
+    const OPT_PAIR *pp;
+
+    for (pp = pairs; pp->name; pp++)
+        if (strcmp(pp->name, name) == 0) {
+            *result = pp->retval;
+            return 1;
+        }
+    BIO_printf(bio_err, "%s: Value must be one of:\n", prog);
+    for (pp = pairs; pp->name; pp++)
+        BIO_printf(bio_err, "\t%s\n", pp->name);
+    return 0;
+}
+
+/* Parse an int, put it into *result; return 0 on failure, else 1. */
+int opt_int(const char *value, int *result)
+{
+    long l;
+
+    if (!opt_long(value, &l))
+        return 0;
+    *result = (int)l;
+    if (*result != l) {
+        BIO_printf(bio_err, "%s: Value \"%s\" outside integer range\n",
+                   prog, value);
+        return 0;
+    }
+    return 1;
+}
+
+/* Parse a long, put it into *result; return 0 on failure, else 1. */
+int opt_long(const char *value, long *result)
+{
+    int oerrno = errno;
+    long l;
+    char *endp;
+
+    l = strtol(value, &endp, 0);
+    if (*endp
+            || endp == value
+            || ((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE)
+            || (l == 0 && errno != 0)) {
+        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
+                   prog, value);
+        errno = oerrno;
+        return 0;
+    }
+    *result = l;
+    errno = oerrno;
+    return 1;
+}
+
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
+    defined(INTMAX_MAX) && defined(UINTMAX_MAX)
+
+/* Parse an intmax_t, put it into *result; return 0 on failure, else 1. */
+int opt_imax(const char *value, intmax_t *result)
+{
+    int oerrno = errno;
+    intmax_t m;
+    char *endp;
+
+    m = strtoimax(value, &endp, 0);
+    if (*endp
+            || endp == value
+            || ((m == INTMAX_MAX || m == INTMAX_MIN) && errno == ERANGE)
+            || (m == 0 && errno != 0)) {
+        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
+                   prog, value);
+        errno = oerrno;
+        return 0;
+    }
+    *result = m;
+    errno = oerrno;
+    return 1;
+}
+
+/* Parse a uintmax_t, put it into *result; return 0 on failure, else 1. */
+int opt_umax(const char *value, uintmax_t *result)
+{
+    int oerrno = errno;
+    uintmax_t m;
+    char *endp;
+
+    m = strtoumax(value, &endp, 0);
+    if (*endp
+            || endp == value
+            || (m == UINTMAX_MAX && errno == ERANGE)
+            || (m == 0 && errno != 0)) {
+        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
+                   prog, value);
+        errno = oerrno;
+        return 0;
+    }
+    *result = m;
+    errno = oerrno;
+    return 1;
+}
+#endif
+
+/*
+ * Parse an unsigned long, put it into *result; return 0 on failure, else 1.
+ */
+int opt_ulong(const char *value, unsigned long *result)
+{
+    int oerrno = errno;
+    char *endptr;
+    unsigned long l;
+
+    l = strtoul(value, &endptr, 0);
+    if (*endptr
+            || endptr == value
+            || ((l == ULONG_MAX) && errno == ERANGE)
+            || (l == 0 && errno != 0)) {
+        BIO_printf(bio_err, "%s: Can't parse \"%s\" as an unsigned number\n",
+                   prog, value);
+        errno = oerrno;
+        return 0;
+    }
+    *result = l;
+    errno = oerrno;
+    return 1;
+}
+
+/*
+ * We pass opt as an int but cast it to "enum range" so that all the
+ * items in the OPT_V_ENUM enumeration are caught; this makes -Wswitch
+ * in gcc do the right thing.
+ */
+enum range { OPT_V_ENUM };
+
+int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
+{
+    int i;
+    ossl_intmax_t t = 0;
+    ASN1_OBJECT *otmp;
+    X509_PURPOSE *xptmp;
+    const X509_VERIFY_PARAM *vtmp;
+
+    assert(vpm != NULL);
+    assert(opt > OPT_V__FIRST);
+    assert(opt < OPT_V__LAST);
+
+    switch ((enum range)opt) {
+    case OPT_V__FIRST:
+    case OPT_V__LAST:
+        return 0;
+    case OPT_V_POLICY:
+        otmp = OBJ_txt2obj(opt_arg(), 0);
+        if (otmp == NULL) {
+            BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg());
+            return 0;
+        }
+        X509_VERIFY_PARAM_add0_policy(vpm, otmp);
+        break;
+    case OPT_V_PURPOSE:
+        i = X509_PURPOSE_get_by_sname(opt_arg());
+        if (i < 0) {
+            BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
+            return 0;
+        }
+        xptmp = X509_PURPOSE_get0(i);
+        i = X509_PURPOSE_get_id(xptmp);
+        X509_VERIFY_PARAM_set_purpose(vpm, i);
+        break;
+    case OPT_V_VERIFY_NAME:
+        vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
+        if (vtmp == NULL) {
+            BIO_printf(bio_err, "%s: Invalid verify name %s\n",
+                       prog, opt_arg());
+            return 0;
+        }
+        X509_VERIFY_PARAM_set1(vpm, vtmp);
+        break;
+    case OPT_V_VERIFY_DEPTH:
+        i = atoi(opt_arg());
+        if (i >= 0)
+            X509_VERIFY_PARAM_set_depth(vpm, i);
+        break;
+    case OPT_V_ATTIME:
+        if (!opt_imax(opt_arg(), &t))
+            return 0;
+        if (t != (time_t)t) {
+            BIO_printf(bio_err, "%s: epoch time out of range %s\n",
+                       prog, opt_arg());
+            return 0;
+        }
+        X509_VERIFY_PARAM_set_time(vpm, (time_t)t);
+        break;
+    case OPT_V_VERIFY_HOSTNAME:
+        if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0))
+            return 0;
+        break;
+    case OPT_V_VERIFY_EMAIL:
+        if (!X509_VERIFY_PARAM_set1_email(vpm, opt_arg(), 0))
+            return 0;
+        break;
+    case OPT_V_VERIFY_IP:
+        if (!X509_VERIFY_PARAM_set1_ip_asc(vpm, opt_arg()))
+            return 0;
+        break;
+    case OPT_V_IGNORE_CRITICAL:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
+        break;
+    case OPT_V_ISSUER_CHECKS:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
+        break;
+    case OPT_V_CRL_CHECK:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
+        break;
+    case OPT_V_CRL_CHECK_ALL:
+        X509_VERIFY_PARAM_set_flags(vpm,
+                                    X509_V_FLAG_CRL_CHECK |
+                                    X509_V_FLAG_CRL_CHECK_ALL);
+        break;
+    case OPT_V_POLICY_CHECK:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK);
+        break;
+    case OPT_V_EXPLICIT_POLICY:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXPLICIT_POLICY);
+        break;
+    case OPT_V_INHIBIT_ANY:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_ANY);
+        break;
+    case OPT_V_INHIBIT_MAP:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_MAP);
+        break;
+    case OPT_V_X509_STRICT:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_X509_STRICT);
+        break;
+    case OPT_V_EXTENDED_CRL:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXTENDED_CRL_SUPPORT);
+        break;
+    case OPT_V_USE_DELTAS:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_DELTAS);
+        break;
+    case OPT_V_POLICY_PRINT:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NOTIFY_POLICY);
+        break;
+    case OPT_V_CHECK_SS_SIG:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CHECK_SS_SIGNATURE);
+        break;
+    case OPT_V_TRUSTED_FIRST:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_TRUSTED_FIRST);
+        break;
+    case OPT_V_SUITEB_128_ONLY:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS_ONLY);
+        break;
+    case OPT_V_SUITEB_128:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS);
+        break;
+    case OPT_V_SUITEB_192:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_192_LOS);
+        break;
+    case OPT_V_PARTIAL_CHAIN:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
+        break;
+    case OPT_V_NO_ALT_CHAINS:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
+	break;
+    case OPT_V_NO_CHECK_TIME:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
+	break;
+    }
+    return 1;
+
+}
+
+/*
+ * Parse the next flag (and value if specified), return 0 if done, -1 on
+ * error, otherwise the flag's retval.
+ */
+int opt_next(void)
+{
+    char *p;
+    const OPTIONS *o;
+    int ival;
+    long lval;
+    unsigned long ulval;
+    ossl_intmax_t imval;
+    ossl_uintmax_t umval;
+
+    /* Look at current arg; at end of the list? */
+    arg = NULL;
+    p = argv[opt_index];
+    if (p == NULL)
+        return 0;
+
+    /* If word doesn't start with a -, we're done. */
+    if (*p != '-')
+        return 0;
+
+    /* Hit "--" ? We're done. */
+    opt_index++;
+    if (strcmp(p, "--") == 0)
+        return 0;
+
+    /* Allow -nnn and --nnn */
+    if (*++p == '-')
+        p++;
+    flag = p - 1;
+
+    /* If we have --flag=foo, snip it off */
+    if ((arg = strchr(p, '=')) != NULL)
+        *arg++ = '\0';
+    for (o = opts; o->name; ++o) {
+        /* If not this option, move on to the next one. */
+        if (strcmp(p, o->name) != 0)
+            continue;
+
+        /* If it doesn't take a value, make sure none was given. */
+        if (o->valtype == 0 || o->valtype == '-') {
+            if (arg) {
+                BIO_printf(bio_err,
+                           "%s: Option -%s does not take a value\n", prog, p);
+                return -1;
+            }
+            return o->retval;
+        }
+
+        /* Want a value; get the next param if =foo not used. */
+        if (arg == NULL) {
+            if (argv[opt_index] == NULL) {
+                BIO_printf(bio_err,
+                           "%s: Option -%s needs a value\n", prog, o->name);
+                return -1;
+            }
+            arg = argv[opt_index++];
+        }
+
+        /* Syntax-check value. */
+        switch (o->valtype) {
+        default:
+        case 's':
+            /* Just a string. */
+            break;
+        case '/':
+            if (app_isdir(arg) >= 0)
+                break;
+            BIO_printf(bio_err, "%s: Not a directory: %s\n", prog, arg);
+            return -1;
+        case '<':
+            /* Input file. */
+            if (strcmp(arg, "-") == 0 || app_access(arg, R_OK) >= 0)
+                break;
+            BIO_printf(bio_err,
+                       "%s: Cannot open input file %s, %s\n",
+                       prog, arg, strerror(errno));
+            return -1;
+        case '>':
+            /* Output file. */
+            if (strcmp(arg, "-") == 0 || app_access(arg, W_OK) >= 0 || errno == ENOENT)
+                break;
+            BIO_printf(bio_err,
+                       "%s: Cannot open output file %s, %s\n",
+                       prog, arg, strerror(errno));
+            return -1;
+        case 'p':
+        case 'n':
+            if (!opt_int(arg, &ival)
+                    || (o->valtype == 'p' && ival <= 0)) {
+                BIO_printf(bio_err,
+                           "%s: Non-positive number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
+        case 'M':
+            if (!opt_imax(arg, &imval)) {
+                BIO_printf(bio_err,
+                           "%s: Invalid number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
+        case 'U':
+            if (!opt_umax(arg, &umval)) {
+                BIO_printf(bio_err,
+                           "%s: Invalid number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
+        case 'L':
+            if (!opt_long(arg, &lval)) {
+                BIO_printf(bio_err,
+                           "%s: Invalid number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
+        case 'u':
+            if (!opt_ulong(arg, &ulval)) {
+                BIO_printf(bio_err,
+                           "%s: Invalid number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
+        case 'f':
+        case 'F':
+            if (opt_format(arg,
+                           o->valtype == 'F' ? OPT_FMT_PEMDER
+                           : OPT_FMT_ANY, &ival))
+                break;
+            BIO_printf(bio_err,
+                       "%s: Invalid format \"%s\" for -%s\n",
+                       prog, arg, o->name);
+            return -1;
+        }
+
+        /* Return the flag value. */
+        return o->retval;
+    }
+    if (unknown != NULL) {
+        dunno = p;
+        return unknown->retval;
+    }
+    BIO_printf(bio_err, "%s: Option unknown option -%s\n", prog, p);
+    return -1;
+}
+
+/* Return the most recent flag parameter. */
+char *opt_arg(void)
+{
+    return arg;
+}
+
+/* Return the most recent flag. */
+char *opt_flag(void)
+{
+    return flag;
+}
+
+/* Return the unknown option. */
+char *opt_unknown(void)
+{
+    return dunno;
+}
+
+/* Return the rest of the arguments after parsing flags. */
+char **opt_rest(void)
+{
+    return &argv[opt_index];
+}
+
+/* How many items in remaining args? */
+int opt_num_rest(void)
+{
+    int i = 0;
+    char **pp;
+
+    for (pp = opt_rest(); *pp; pp++, i++)
+        continue;
+    return i;
+}
+
+/* Return a string describing the parameter type. */
+static const char *valtype2param(const OPTIONS *o)
+{
+    switch (o->valtype) {
+    case '-':
+        return "";
+    case 's':
+        return "val";
+    case '/':
+        return "dir";
+    case '<':
+        return "infile";
+    case '>':
+        return "outfile";
+    case 'p':
+        return "pnum";
+    case 'n':
+        return "num";
+    case 'u':
+        return "unum";
+    case 'F':
+        return "der/pem";
+    case 'f':
+        return "format";
+    }
+    return "parm";
+}
+
+void opt_help(const OPTIONS *list)
+{
+    const OPTIONS *o;
+    int i;
+    int standard_prolog;
+    int width = 5;
+    char start[80 + 1];
+    char *p;
+    const char *help;
+
+    /* Starts with its own help message? */
+    standard_prolog = list[0].name != OPT_HELP_STR;
+
+    /* Find the widest help. */
+    for (o = list; o->name; o++) {
+        if (o->name == OPT_MORE_STR)
+            continue;
+        i = 2 + (int)strlen(o->name);
+        if (o->valtype != '-')
+            i += 1 + strlen(valtype2param(o));
+        if (i < MAX_OPT_HELP_WIDTH && i > width)
+            width = i;
+        assert(i < (int)sizeof start);
+    }
+
+    if (standard_prolog)
+        BIO_printf(bio_err, "Usage: %s [options]\nValid options are:\n",
+                   prog);
+
+    /* Now let's print. */
+    for (o = list; o->name; o++) {
+        help = o->helpstr ? o->helpstr : "(No additional info)";
+        if (o->name == OPT_HELP_STR) {
+            BIO_printf(bio_err, help, prog);
+            continue;
+        }
+
+        /* Pad out prefix */
+        memset(start, ' ', sizeof(start) - 1);
+        start[sizeof start - 1] = '\0';
+
+        if (o->name == OPT_MORE_STR) {
+            /* Continuation of previous line; padd and print. */
+            start[width] = '\0';
+            BIO_printf(bio_err, "%s  %s\n", start, help);
+            continue;
+        }
+
+        /* Build up the "-flag [param]" part. */
+        p = start;
+        *p++ = ' ';
+        *p++ = '-';
+        if (o->name[0])
+            p += strlen(strcpy(p, o->name));
+        else
+            *p++ = '*';
+        if (o->valtype != '-') {
+            *p++ = ' ';
+            p += strlen(strcpy(p, valtype2param(o)));
+        }
+        *p = ' ';
+        if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) {
+            *p = '\0';
+            BIO_printf(bio_err, "%s\n", start);
+            memset(start, ' ', sizeof(start));
+        }
+        start[width] = '\0';
+        BIO_printf(bio_err, "%s  %s\n", start, help);
+    }
+}
+
+#ifdef COMPILE_STANDALONE_TEST_DRIVER
+# include <sys/stat.h>
+
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_IN, OPT_INFORM, OPT_OUT, OPT_COUNT, OPT_U, OPT_FLAG,
+    OPT_STR, OPT_NOTUSED
+} OPTION_CHOICE;
+
+static OPTIONS options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s flags\n"},
+    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "input file"},
+    {OPT_MORE_STR, 1, '-', "more detail about input"},
+    {"inform", OPT_INFORM, 'f', "input file format; defaults to pem"},
+    {"out", OPT_OUT, '>', "output file"},
+    {"count", OPT_COUNT, 'p', "a counter greater than zero"},
+    {"u", OPT_U, 'u', "an unsigned number"},
+    {"flag", OPT_FLAG, 0, "just some flag"},
+    {"str", OPT_STR, 's', "the magic word"},
+    {"areallyverylongoption", OPT_HELP, '-', "long way for help"},
+    {NULL}
+};
+
+BIO *bio_err;
+
+int app_isdir(const char *name)
+{
+    struct stat sb;
+
+    return name != NULL && stat(name, &sb) >= 0 && S_ISDIR(sb.st_mode);
+}
+
+int main(int ac, char **av)
+{
+    OPTION_CHOICE o;
+    char **rest;
+    char *prog;
+
+    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+    prog = opt_init(ac, av, options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (c) {
+        case OPT_NOTUSED:
+        case OPT_EOF:
+        case OPT_ERR:
+            printf("%s: Usage error; try -help.\n", prog);
+            return 1;
+        case OPT_HELP:
+            opt_help(options);
+            return 0;
+        case OPT_IN:
+            printf("in %s\n", opt_arg());
+            break;
+        case OPT_INFORM:
+            printf("inform %s\n", opt_arg());
+            break;
+        case OPT_OUT:
+            printf("out %s\n", opt_arg());
+            break;
+        case OPT_COUNT:
+            printf("count %s\n", opt_arg());
+            break;
+        case OPT_U:
+            printf("u %s\n", opt_arg());
+            break;
+        case OPT_FLAG:
+            printf("flag\n");
+            break;
+        case OPT_STR:
+            printf("str %s\n", opt_arg());
+            break;
+        }
+    }
+    argc = opt_num_rest();
+    argv = opt_rest();
+
+    printf("args = %d\n", argc);
+    if (argc)
+        while (*argv)
+            printf("  %s\n", *argv++);
+    return 0;
+}
+#endif

apps/passwd.c

@@ -1,4 +1,51 @@
-/* apps/passwd.c */
+/* ====================================================================
+ * Copyright (c) 2000-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
 
 #if defined OPENSSL_NO_MD5 || defined CHARSET_EBCDIC
 # define NO_MD5CRYPT_1
@@ -6,7 +53,6 @@
 
 #if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1)
 
-# include <assert.h>
 # include <string.h>
 
 # include "apps.h"
@@ -22,9 +68,6 @@
 #  include <openssl/md5.h>
 # endif
 
-# undef PROG
-# define PROG passwd_main
-
 static unsigned const char cov_2char[64] = {
     /* from crypto/des/fcrypt.c */
     0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
@@ -42,156 +85,130 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
                      int reverse, size_t pw_maxlen, int usecrypt, int use1,
                      int useapr1);
 
-/*-
- * -crypt        - standard Unix password algorithm (default)
- * -1            - MD5-based password algorithm
- * -apr1         - MD5-based password algorithm, Apache variant
- * -salt string  - salt
- * -in file      - read passwords from file
- * -stdin        - read passwords from stdin
- * -noverify     - never verify when reading password from terminal
- * -quiet        - no warnings
- * -table        - format output as table
- * -reverse      - switch table columns
- */
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_IN,
+    OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1,
+    OPT_1, OPT_CRYPT, OPT_SALT, OPT_STDIN
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
-{
-    int ret = 1;
-    char *infile = NULL;
-    int in_stdin = 0;
-    int in_noverify = 0;
-    char *salt = NULL, *passwd = NULL, **passwds = NULL;
-    char *salt_malloc = NULL, *passwd_malloc = NULL;
-    size_t passwd_malloc_size = 0;
-    int pw_source_defined = 0;
-    BIO *in = NULL, *out = NULL;
-    int i, badopt, opt_done;
-    int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
-    int usecrypt = 0, use1 = 0, useapr1 = 0;
-    size_t pw_maxlen = 0;
-
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto err;
-    out = BIO_new(BIO_s_file());
-    if (out == NULL)
-        goto err;
-    BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
-# ifdef OPENSSL_SYS_VMS
-    {
-        BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-        out = BIO_push(tmpbio, out);
-    }
+OPTIONS passwd_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "Pead passwords from file"},
+    {"noverify", OPT_NOVERIFY, '-',
+     "Never verify when reading password from terminal"},
+    {"quiet", OPT_QUIET, '-', "No warnings"},
+    {"table", OPT_TABLE, '-', "Format output as table"},
+    {"reverse", OPT_REVERSE, '-', "Switch table columns"},
+    {"salt", OPT_SALT, 's', "Use provided salt"},
+    {"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
+# ifndef NO_MD5CRYPT_1
+    {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
+    {"1", OPT_1, '-', "MD5-based password algorithm"},
 # endif
+# ifndef OPENSSL_NO_DES
+    {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"},
+# endif
+    {NULL}
+};
 
-    badopt = 0, opt_done = 0;
-    i = 0;
-    while (!badopt && !opt_done && argv[++i] != NULL) {
-        if (strcmp(argv[i], "-crypt") == 0)
-            usecrypt = 1;
-        else if (strcmp(argv[i], "-1") == 0)
-            use1 = 1;
-        else if (strcmp(argv[i], "-apr1") == 0)
-            useapr1 = 1;
-        else if (strcmp(argv[i], "-salt") == 0) {
-            if ((argv[i + 1] != NULL) && (salt == NULL)) {
-                passed_salt = 1;
-                salt = argv[++i];
-            } else
-                badopt = 1;
-        } else if (strcmp(argv[i], "-in") == 0) {
-            if ((argv[i + 1] != NULL) && !pw_source_defined) {
-                pw_source_defined = 1;
-                infile = argv[++i];
-            } else
-                badopt = 1;
-        } else if (strcmp(argv[i], "-stdin") == 0) {
-            if (!pw_source_defined) {
-                pw_source_defined = 1;
-                in_stdin = 1;
-            } else
-                badopt = 1;
-        } else if (strcmp(argv[i], "-noverify") == 0)
-            in_noverify = 1;
-        else if (strcmp(argv[i], "-quiet") == 0)
-            quiet = 1;
-        else if (strcmp(argv[i], "-table") == 0)
-            table = 1;
-        else if (strcmp(argv[i], "-reverse") == 0)
-            reverse = 1;
-        else if (argv[i][0] == '-')
-            badopt = 1;
-        else if (!pw_source_defined)
-            /* non-option arguments, use as passwords */
-        {
+int passwd_main(int argc, char **argv)
+{
+    BIO *in = NULL;
+    char *infile = NULL, *salt = NULL, *passwd = NULL, **passwds = NULL;
+    char *salt_malloc = NULL, *passwd_malloc = NULL, *prog;
+    OPTION_CHOICE o;
+    int in_stdin = 0, in_noverify = 0, pw_source_defined = 0;
+    int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
+    int ret = 1, usecrypt = 0, use1 = 0, useapr1 = 0;
+    size_t passwd_malloc_size = 0, pw_maxlen = 256;
+
+    prog = opt_init(argc, argv, passwd_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(passwd_options);
+            ret = 0;
+            goto end;
+        case OPT_IN:
+            if (pw_source_defined)
+                goto opthelp;
+            infile = opt_arg();
             pw_source_defined = 1;
-            passwds = &argv[i];
-            opt_done = 1;
-        } else
-            badopt = 1;
+            break;
+        case OPT_NOVERIFY:
+            in_noverify = 1;
+            break;
+        case OPT_QUIET:
+            quiet = 1;
+            break;
+        case OPT_TABLE:
+            table = 1;
+            break;
+        case OPT_REVERSE:
+            reverse = 1;
+            break;
+        case OPT_1:
+            use1 = 1;
+            break;
+        case OPT_APR1:
+            useapr1 = 1;
+            break;
+        case OPT_CRYPT:
+            usecrypt = 1;
+            break;
+        case OPT_SALT:
+            passed_salt = 1;
+            salt = opt_arg();
+            break;
+        case OPT_STDIN:
+            if (pw_source_defined)
+                goto opthelp;
+            in_stdin = 1;
+            break;
+        }
+    }
+    argc = opt_num_rest();
+    argv = opt_rest();
+
+    if (*argv) {
+        if (pw_source_defined)
+            goto opthelp;
+        pw_source_defined = 1;
+        passwds = argv;
     }
 
-    if (!usecrypt && !use1 && !useapr1) /* use default */
+    if (!usecrypt && !use1 && !useapr1) {
+        /* use default */
         usecrypt = 1;
-    if (usecrypt + use1 + useapr1 > 1) /* conflict */
-        badopt = 1;
+    }
+    if (usecrypt + use1 + useapr1 > 1) {
+        /* conflict */
+        goto opthelp;
+    }
 
-    /* reject unsupported algorithms */
 # ifdef OPENSSL_NO_DES
     if (usecrypt)
-        badopt = 1;
+        goto opthelp;
 # endif
 # ifdef NO_MD5CRYPT_1
     if (use1 || useapr1)
-        badopt = 1;
+        goto opthelp;
 # endif
 
-    if (badopt) {
-        BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n");
-        BIO_printf(bio_err, "where options are\n");
-# ifndef OPENSSL_NO_DES
-        BIO_printf(bio_err,
-                   "-crypt             standard Unix password algorithm (default)\n");
-# endif
-# ifndef NO_MD5CRYPT_1
-        BIO_printf(bio_err,
-                   "-1                 MD5-based password algorithm\n");
-        BIO_printf(bio_err,
-                   "-apr1              MD5-based password algorithm, Apache variant\n");
-# endif
-        BIO_printf(bio_err, "-salt string       use provided salt\n");
-        BIO_printf(bio_err, "-in file           read passwords from file\n");
-        BIO_printf(bio_err, "-stdin             read passwords from stdin\n");
-        BIO_printf(bio_err,
-                   "-noverify          never verify when reading password from terminal\n");
-        BIO_printf(bio_err, "-quiet             no warnings\n");
-        BIO_printf(bio_err, "-table             format output as table\n");
-        BIO_printf(bio_err, "-reverse           switch table columns\n");
-
-        goto err;
+    if (infile && in_stdin) {
+        BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog);
+        goto end;
     }
 
-    if ((infile != NULL) || in_stdin) {
-        in = BIO_new(BIO_s_file());
-        if (in == NULL)
-            goto err;
-        if (infile != NULL) {
-            assert(in_stdin == 0);
-            if (BIO_read_filename(in, infile) <= 0)
-                goto err;
-        } else {
-            assert(in_stdin);
-            BIO_set_fp(in, stdin, BIO_NOCLOSE);
-        }
-    }
+    in = bio_open_default(infile, 'r', FORMAT_TEXT);
+    if (in == NULL)
+        goto end;
 
     if (usecrypt)
         pw_maxlen = 8;
@@ -203,12 +220,9 @@ int MAIN(int argc, char **argv)
         /* no passwords on the command line */
 
         passwd_malloc_size = pw_maxlen + 2;
-        /*
-         * longer than necessary so that we can warn about truncation
-         */
-        passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size);
-        if (passwd_malloc == NULL)
-            goto err;
+        /* longer than necessary so that we can warn about truncation */
+        passwd = passwd_malloc =
+            app_malloc(passwd_malloc_size, "password buffer");
     }
 
     if ((in == NULL) && (passwds == NULL)) {
@@ -220,7 +234,7 @@ int MAIN(int argc, char **argv)
             if (EVP_read_pw_string
                 (passwd_malloc, passwd_malloc_size, "Password: ",
                  !(passed_salt || in_noverify)) != 0)
-                goto err;
+                goto end;
         passwds[0] = passwd_malloc;
     }
 
@@ -230,10 +244,10 @@ int MAIN(int argc, char **argv)
 
         do {                    /* loop over list of passwords */
             passwd = *passwds++;
-            if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+            if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out,
                            quiet, table, reverse, pw_maxlen, usecrypt, use1,
                            useapr1))
-                goto err;
+                goto end;
         }
         while (*passwds != NULL);
     } else
@@ -256,10 +270,10 @@ int MAIN(int argc, char **argv)
                     while ((r > 0) && (!strchr(trash, '\n')));
                 }
 
-                if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
-                               quiet, table, reverse, pw_maxlen, usecrypt,
-                               use1, useapr1))
-                    goto err;
+                if (!do_passwd
+                    (passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet,
+                     table, reverse, pw_maxlen, usecrypt, use1, useapr1))
+                    goto end;
             }
             done = (r <= 0);
         }
@@ -267,18 +281,12 @@ int MAIN(int argc, char **argv)
     }
     ret = 0;
 
- err:
+ end:
     ERR_print_errors(bio_err);
-    if (salt_malloc)
-        OPENSSL_free(salt_malloc);
-    if (passwd_malloc)
-        OPENSSL_free(passwd_malloc);
-    if (in)
-        BIO_free(in);
-    if (out)
-        BIO_free_all(out);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    OPENSSL_free(salt_malloc);
+    OPENSSL_free(passwd_malloc);
+    BIO_free(in);
+    return (ret);
 }
 
 # ifndef NO_MD5CRYPT_1
@@ -299,60 +307,65 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
     char *salt_out;
     int n;
     unsigned int i;
-    EVP_MD_CTX md, md2;
+    EVP_MD_CTX *md, *md2;
     size_t passwd_len, salt_len;
 
     passwd_len = strlen(passwd);
     out_buf[0] = '$';
     out_buf[1] = 0;
     assert(strlen(magic) <= 4); /* "1" or "apr1" */
-    strncat(out_buf, magic, 4);
-    strncat(out_buf, "$", 1);
-    strncat(out_buf, salt, 8);
+    OPENSSL_strlcat(out_buf, magic, sizeof out_buf);
+    OPENSSL_strlcat(out_buf, "$", sizeof out_buf);
+    OPENSSL_strlcat(out_buf, salt, sizeof out_buf);
     assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
     salt_out = out_buf + 2 + strlen(magic);
     salt_len = strlen(salt_out);
     assert(salt_len <= 8);
 
-    EVP_MD_CTX_init(&md);
-    EVP_DigestInit_ex(&md, EVP_md5(), NULL);
-    EVP_DigestUpdate(&md, passwd, passwd_len);
-    EVP_DigestUpdate(&md, "$", 1);
-    EVP_DigestUpdate(&md, magic, strlen(magic));
-    EVP_DigestUpdate(&md, "$", 1);
-    EVP_DigestUpdate(&md, salt_out, salt_len);
+    md = EVP_MD_CTX_new();
+    if (md == NULL)
+        return NULL;
+    EVP_DigestInit_ex(md, EVP_md5(), NULL);
+    EVP_DigestUpdate(md, passwd, passwd_len);
+    EVP_DigestUpdate(md, "$", 1);
+    EVP_DigestUpdate(md, magic, strlen(magic));
+    EVP_DigestUpdate(md, "$", 1);
+    EVP_DigestUpdate(md, salt_out, salt_len);
 
-    EVP_MD_CTX_init(&md2);
-    EVP_DigestInit_ex(&md2, EVP_md5(), NULL);
-    EVP_DigestUpdate(&md2, passwd, passwd_len);
-    EVP_DigestUpdate(&md2, salt_out, salt_len);
-    EVP_DigestUpdate(&md2, passwd, passwd_len);
-    EVP_DigestFinal_ex(&md2, buf, NULL);
+    md2 = EVP_MD_CTX_new();
+    if (md2 == NULL)
+        return NULL;
+    EVP_DigestInit_ex(md2, EVP_md5(), NULL);
+    EVP_DigestUpdate(md2, passwd, passwd_len);
+    EVP_DigestUpdate(md2, salt_out, salt_len);
+    EVP_DigestUpdate(md2, passwd, passwd_len);
+    EVP_DigestFinal_ex(md2, buf, NULL);
 
     for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
-        EVP_DigestUpdate(&md, buf, sizeof buf);
-    EVP_DigestUpdate(&md, buf, i);
+        EVP_DigestUpdate(md, buf, sizeof buf);
+    EVP_DigestUpdate(md, buf, i);
 
     n = passwd_len;
     while (n) {
-        EVP_DigestUpdate(&md, (n & 1) ? "\0" : passwd, 1);
+        EVP_DigestUpdate(md, (n & 1) ? "\0" : passwd, 1);
         n >>= 1;
     }
-    EVP_DigestFinal_ex(&md, buf, NULL);
+    EVP_DigestFinal_ex(md, buf, NULL);
 
     for (i = 0; i < 1000; i++) {
-        EVP_DigestInit_ex(&md2, EVP_md5(), NULL);
-        EVP_DigestUpdate(&md2, (i & 1) ? (unsigned const char *)passwd : buf,
+        EVP_DigestInit_ex(md2, EVP_md5(), NULL);
+        EVP_DigestUpdate(md2, (i & 1) ? (unsigned const char *)passwd : buf,
                          (i & 1) ? passwd_len : sizeof buf);
         if (i % 3)
-            EVP_DigestUpdate(&md2, salt_out, salt_len);
+            EVP_DigestUpdate(md2, salt_out, salt_len);
         if (i % 7)
-            EVP_DigestUpdate(&md2, passwd, passwd_len);
-        EVP_DigestUpdate(&md2, (i & 1) ? buf : (unsigned const char *)passwd,
+            EVP_DigestUpdate(md2, passwd, passwd_len);
+        EVP_DigestUpdate(md2, (i & 1) ? buf : (unsigned const char *)passwd,
                          (i & 1) ? sizeof buf : passwd_len);
-        EVP_DigestFinal_ex(&md2, buf, NULL);
+        EVP_DigestFinal_ex(md2, buf, NULL);
     }
-    EVP_MD_CTX_cleanup(&md2);
+    EVP_MD_CTX_free(md2);
+    EVP_MD_CTX_free(md);
 
     {
         /* transform buf into output string */
@@ -391,7 +404,6 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
         *output = 0;
         assert(strlen(out_buf) < sizeof(out_buf));
     }
-    EVP_MD_CTX_cleanup(&md);
 
     return out_buf;
 }
@@ -412,12 +424,10 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 # ifndef OPENSSL_NO_DES
         if (usecrypt) {
             if (*salt_malloc_p == NULL) {
-                *salt_p = *salt_malloc_p = OPENSSL_malloc(3);
-                if (*salt_malloc_p == NULL)
-                    goto err;
+                *salt_p = *salt_malloc_p = app_malloc(3, "salt buffer");
             }
-            if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
-                goto err;
+            if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
+                goto end;
             (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
             (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
             (*salt_p)[2] = 0;
@@ -433,12 +443,10 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
             int i;
 
             if (*salt_malloc_p == NULL) {
-                *salt_p = *salt_malloc_p = OPENSSL_malloc(9);
-                if (*salt_malloc_p == NULL)
-                    goto err;
+                *salt_p = *salt_malloc_p = app_malloc(9, "salt buffer");
             }
-            if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
-                goto err;
+            if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
+                goto end;
 
             for (i = 0; i < 8; i++)
                 (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
@@ -479,16 +487,16 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
         BIO_printf(out, "%s\t%s\n", hash, passwd);
     else
         BIO_printf(out, "%s\n", hash);
-    return 1;
-
- err:
     return 0;
+
+ end:
+    return 1;
 }
 #else
 
-int MAIN(int argc, char **argv)
+int passwd_main(int argc, char **argv)
 {
-    fputs("Program not available.\n", stderr)
-        OPENSSL_EXIT(1);
+    BIO_printf(bio_err, "Program not available.\n");
+    return (1);
 }
 #endif

apps/pca-key.pem

@@ -1,15 +1,16 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
-wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
-vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
-AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
-z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
-xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
-HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
-yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
-xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
-7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
-h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
-QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
-hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
------END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALYYjjtpLs/lfkPF
+xAFZ4V3He5mZFbsEakK9bA2fQaryreRwyfhbXbDJHyBV+c4xI5fbmmVd2t/us4k4
+rMhGsBtL89SqCEHhPJpLFywiQVmJTAjANYrWkZK5uR/++YmZyzuLfPHLButuK6cF
+GKXw3NNToxjYooMf0mad2rPX3cKTAgMBAAECgYBvrJ+Nz/Pli9jjt2V9bqHH4Y7r
+o/avuwVv6Ltbn0+mhy4d6w3yQhYzVSTBr/iDe59YglUt1WFl8/4nKZrNOIzHJlav
+Sw4hd3fYBHxbT+DgZMQ9ikjHECWRdDffrnlTLsSJAcxnpMJBPe3dKCRDMUrqWUvB
+IIKaxyqmXJms5Y/wAQJBAPFL9NMKJcWBftMKXCasxsV0ZGjgqHGZODYjtGFN9jJO
+6AbZrxfCcapTWG4RCC2o/EDEMN8aArEhfdrYY3lhXGsCQQDBMRzFevkD7SYXTw5G
+NA/gJOAsFMYbt7tebcCRsHT7t3ymVfO2QwK7ZF0f/SYvi7cMAPraHvO7s3kFdGTB
+kDx5AkAHBICASsFCdzurA5gef9PgFjx9WFtNwnkCChPK6KuKVwUkfdw7wqnvnDDs
+Mo6cVVfQwmPxeR4u7JxuavCprQ01AkEAp5ZGAh1J9Jj9CQ1AMbAp8WOrvzGKJTM9
+641Dll4/LLif/d7j2kDJFuvaSMyeGnKVqGkVMq/U+QeYPR4Z5TuM6QJAWK05qFed
+wYgTZyVN0MY53ZOMAIWwjz0cr24TvDfmsZqIvguGL616GKQZKdKDZQyQHg+dCzqJ
+HgIoacuFDKz5CA==
+-----END PRIVATE KEY-----

apps/pca-req.pem

@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBmjCCAQMCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
-GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAo
-MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfj
-Irkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUX
-MRsp22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3
-vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAEzz
-IG8NnfpnPTQSCN5zJhOfy6p9AcDyQzuJirYv1HR/qoYWalPh/U2uiK0lAim7qMcv
-wOlK3I7A8B7/4dLqvIqgtUj9b1WT8zIrnwdvJI4osLI2BY+c1pVlp174DHLMol1L
-Cl1e3N5BTm7lCitTYjuUhsw6hiA8IcdNKDo6sktV
+MIIBnDCCAQUCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQx
+GjAYBgNVBAoMEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDDBNUZXN0IFBDQSAo
+MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2GI47aS7P5X5D
+xcQBWeFdx3uZmRW7BGpCvWwNn0Gq8q3kcMn4W12wyR8gVfnOMSOX25plXdrf7rOJ
+OKzIRrAbS/PUqghB4TyaSxcsIkFZiUwIwDWK1pGSubkf/vmJmcs7i3zxywbrbiun
+BRil8NzTU6MY2KKDH9Jmndqz193CkwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEA
+eJdCB0nHnFK0hek4biAxX0GuJXkknuUy46NKEhv3GBwt4gtO29bfkbQTGOsBBKNs
+KptlnkItscOXY+0lSva9K3XlwD9do7k2IZFtXJVayZVw1GcKybIY0l7B6kcSxG7T
+f3CsO+ifdrsJKtyoZNs96lBMrtXyGybt3mgQNdZauQU=
 -----END CERTIFICATE REQUEST-----

apps/pkcs7.c

@@ -1,4 +1,3 @@
-/* apps/pkcs7.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -55,6 +54,54 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -68,162 +115,101 @@
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
 
-#undef PROG
-#define PROG    pkcs7_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT,
+    OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE
+} OPTION_CHOICE;
 
-/*-
- * -inform arg  - input format - default PEM (DER or PEM)
- * -outform arg - output format - default PEM
- * -in arg      - input file - default stdin
- * -out arg     - output file - default stdout
- * -print_certs
- */
+OPTIONS pkcs7_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"noout", OPT_NOOUT, '-', "Don't output encoded data"},
+    {"text", OPT_TEXT, '-', "Print full details of certificates"},
+    {"print", OPT_PRINT, '-'},
+    {"print_certs", OPT_PRINT_CERTS, '-',
+     "Print_certs  print any certs or crl in the input"},
+#ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+    {NULL}
+};
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+int pkcs7_main(int argc, char **argv)
 {
     PKCS7 *p7 = NULL;
-    int i, badops = 0;
     BIO *in = NULL, *out = NULL;
-    int informat, outformat;
-    char *infile, *outfile, *prog;
-    int print_certs = 0, text = 0, noout = 0, p7_print = 0;
-    int ret = 1;
-#ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-#endif
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
+    char *infile = NULL, *outfile = NULL, *prog;
+    int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1;
+    OPTION_CHOICE o;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    infile = NULL;
-    outfile = NULL;
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-noout") == 0)
+    prog = opt_init(argc, argv, pkcs7_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(pkcs7_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_NOOUT:
             noout = 1;
-        else if (strcmp(*argv, "-text") == 0)
+            break;
+        case OPT_TEXT:
             text = 1;
-        else if (strcmp(*argv, "-print") == 0)
+            break;
+        case OPT_PRINT:
             p7_print = 1;
-        else if (strcmp(*argv, "-print_certs") == 0)
+            break;
+        case OPT_PRINT_CERTS:
             print_certs = 1;
-#ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-#endif
-        else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
             break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, " -inform arg   input format - DER or PEM\n");
-        BIO_printf(bio_err, " -outform arg  output format - DER or PEM\n");
-        BIO_printf(bio_err, " -in arg       input file\n");
-        BIO_printf(bio_err, " -out arg      output file\n");
-        BIO_printf(bio_err,
-                   " -print_certs  print any certs or crl in the input\n");
-        BIO_printf(bio_err,
-                   " -text         print full details of certificates\n");
-        BIO_printf(bio_err, " -noout        don't output encoded data\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e     use engine e, possibly a hardware device.\n");
-#endif
-        ret = 1;
+    in = bio_open_default(infile, 'r', informat);
+    if (in == NULL)
         goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-#ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-#endif
-
-    in = BIO_new(BIO_s_file());
-    out = BIO_new(BIO_s_file());
-    if ((in == NULL) || (out == NULL)) {
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0)
-            if (in == NULL) {
-                perror(infile);
-                goto end;
-            }
-    }
 
     if (informat == FORMAT_ASN1)
         p7 = d2i_PKCS7_bio(in, NULL);
-    else if (informat == FORMAT_PEM)
+    else
         p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
-    else {
-        BIO_printf(bio_err, "bad input format specified for pkcs7 object\n");
-        goto end;
-    }
     if (p7 == NULL) {
         BIO_printf(bio_err, "unable to load PKCS7 object\n");
         ERR_print_errors(bio_err);
         goto end;
     }
 
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
+    out = bio_open_default(outfile, 'w', outformat);
+    if (out == NULL)
+        goto end;
 
     if (p7_print)
         PKCS7_print_ctx(out, p7, 0, NULL);
@@ -282,12 +268,8 @@ int MAIN(int argc, char **argv)
     if (!noout) {
         if (outformat == FORMAT_ASN1)
             i = i2d_PKCS7_bio(out, p7);
-        else if (outformat == FORMAT_PEM)
+        else
             i = PEM_write_bio_PKCS7(out, p7);
-        else {
-            BIO_printf(bio_err, "bad output format specified for outfile\n");
-            goto end;
-        }
 
         if (!i) {
             BIO_printf(bio_err, "unable to write pkcs7 object\n");
@@ -297,12 +279,8 @@ int MAIN(int argc, char **argv)
     }
     ret = 0;
  end:
-    if (p7 != NULL)
-        PKCS7_free(p7);
-    if (in != NULL)
-        BIO_free(in);
-    if (out != NULL)
-        BIO_free_all(out);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    PKCS7_free(p7);
+    BIO_free(in);
+    BIO_free_all(out);
+    return (ret);
 }

apps/pkcs8.c

@@ -1,4 +1,3 @@
-/* pkcs8.c */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 1999-2004.
@@ -65,180 +64,171 @@
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
 
-#define PROG pkcs8_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
+    OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED,
+#ifndef OPENSSL_NO_SCRYPT
+    OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
+#endif
+    OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS pkcs8_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
+    {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
+    {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
+    {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
+    {"nooct", OPT_NOOCT, '-', "Use (nonstandard) no octet format"},
+    {"nsdb", OPT_NSDB, '-', "Use (nonstandard) DSA Netscape DB format"},
+    {"embed", OPT_EMBED, '-',
+     "Use (nonstandard) embedded DSA parameters format"},
+    {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
+    {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
+    {"v2prf", OPT_V2PRF, 's'},
+    {"iter", OPT_ITER, 'p', "Specify the iteration count"},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+#ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+#ifndef OPENSSL_NO_SCRYPT
+    {"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
+    {"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
+    {"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
+    {"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
+#endif
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int pkcs8_main(int argc, char **argv)
 {
-    ENGINE *e = NULL;
-    char **args, *infile = NULL, *outfile = NULL;
-    char *passargin = NULL, *passargout = NULL;
     BIO *in = NULL, *out = NULL;
-    int topk8 = 0;
-    int pbe_nid = -1;
-    const EVP_CIPHER *cipher = NULL;
-    int iter = PKCS12_DEFAULT_ITER;
-    int informat, outformat;
-    int p8_broken = PKCS8_OK;
-    int nocrypt = 0;
-    X509_SIG *p8 = NULL;
-    PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+    ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
+    PKCS8_PRIV_KEY_INFO *p8inf = NULL;
+    X509_SIG *p8 = NULL;
+    const EVP_CIPHER *cipher = NULL;
+    char *infile = NULL, *outfile = NULL;
+    char *passinarg = NULL, *passoutarg = NULL, *prog;
     char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
-    int badarg = 0;
-    int ret = 1;
-#ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
+    OPTION_CHOICE o;
+    int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
+    int private = 0;
+#ifndef OPENSSL_NO_SCRYPT
+    long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
 #endif
 
-    if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    ERR_load_crypto_strings();
-    OpenSSL_add_all_algorithms();
-    args = argv + 1;
-    while (!badarg && *args && *args[0] == '-') {
-        if (!strcmp(*args, "-v2")) {
-            if (args[1]) {
-                args++;
-                cipher = EVP_get_cipherbyname(*args);
-                if (!cipher) {
-                    BIO_printf(bio_err, "Unknown cipher %s\n", *args);
-                    badarg = 1;
-                }
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-v1")) {
-            if (args[1]) {
-                args++;
-                pbe_nid = OBJ_txt2nid(*args);
-                if (pbe_nid == NID_undef) {
-                    BIO_printf(bio_err, "Unknown PBE algorithm %s\n", *args);
-                    badarg = 1;
-                }
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-v2prf")) {
-            if (args[1]) {
-                args++;
-                pbe_nid = OBJ_txt2nid(*args);
-                if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
-                    BIO_printf(bio_err, "Unknown PRF algorithm %s\n", *args);
-                    badarg = 1;
-                }
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-inform")) {
-            if (args[1]) {
-                args++;
-                informat = str2fmt(*args);
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-outform")) {
-            if (args[1]) {
-                args++;
-                outformat = str2fmt(*args);
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-topk8"))
+    prog = opt_init(argc, argv, pkcs8_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(pkcs8_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_TOPK8:
             topk8 = 1;
-        else if (!strcmp(*args, "-noiter"))
+            break;
+        case OPT_NOITER:
             iter = 1;
-        else if (!strcmp(*args, "-iter")) {
-            if (args[1]) {
-                iter = atoi(*(++args));
-                if (iter <= 0)
-                    badarg = 1;
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-nocrypt"))
+            break;
+        case OPT_NOCRYPT:
             nocrypt = 1;
-        else if (!strcmp(*args, "-nooct"))
+            break;
+        case OPT_NOOCT:
             p8_broken = PKCS8_NO_OCTET;
-        else if (!strcmp(*args, "-nsdb"))
+            break;
+        case OPT_NSDB:
             p8_broken = PKCS8_NS_DB;
-        else if (!strcmp(*args, "-embed"))
+            break;
+        case OPT_EMBED:
             p8_broken = PKCS8_EMBEDDED_PARAM;
-        else if (!strcmp(*args, "-passin")) {
-            if (args[1])
-                passargin = *(++args);
-            else
-                badarg = 1;
-        } else if (!strcmp(*args, "-passout")) {
-            if (args[1])
-                passargout = *(++args);
-            else
-                badarg = 1;
+            break;
+        case OPT_V2:
+            if (!opt_cipher(opt_arg(), &cipher))
+                goto opthelp;
+            break;
+        case OPT_V1:
+            pbe_nid = OBJ_txt2nid(opt_arg());
+            if (pbe_nid == NID_undef) {
+                BIO_printf(bio_err,
+                           "%s: Unknown PBE algorithm %s\n", prog, opt_arg());
+                goto opthelp;
+            }
+            break;
+        case OPT_V2PRF:
+            pbe_nid = OBJ_txt2nid(opt_arg());
+            if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
+                BIO_printf(bio_err,
+                           "%s: Unknown PRF algorithm %s\n", prog, opt_arg());
+                goto opthelp;
+            }
+            break;
+        case OPT_ITER:
+            if (!opt_int(opt_arg(), &iter))
+                goto opthelp;
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
+        case OPT_PASSOUT:
+            passoutarg = opt_arg();
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+#ifndef OPENSSL_NO_SCRYPT
+        case OPT_SCRYPT:
+            scrypt_N = 1024;
+            scrypt_r = 8;
+            scrypt_p = 16;
+            if (cipher == NULL)
+                cipher = EVP_aes_256_cbc();
+            break;
+        case OPT_SCRYPT_N:
+            if (!opt_long(opt_arg(), &scrypt_N) || scrypt_N <= 0)
+                goto opthelp;
+            break;
+        case OPT_SCRYPT_R:
+            if (!opt_long(opt_arg(), &scrypt_r) || scrypt_r <= 0)
+                goto opthelp;
+            break;
+        case OPT_SCRYPT_P:
+            if (!opt_long(opt_arg(), &scrypt_p) || scrypt_p <= 0)
+                goto opthelp;
+            break;
+#endif
         }
-#ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*args, "-engine") == 0) {
-            if (args[1])
-                engine = *(++args);
-            else
-                badarg = 1;
-        }
-#endif
-        else if (!strcmp(*args, "-in")) {
-            if (args[1]) {
-                args++;
-                infile = *args;
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-out")) {
-            if (args[1]) {
-                args++;
-                outfile = *args;
-            } else
-                badarg = 1;
-        } else
-            badarg = 1;
-        args++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = 1;
 
-    if (badarg) {
-        BIO_printf(bio_err, "Usage pkcs8 [options]\n");
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, "-in file        input file\n");
-        BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
-        BIO_printf(bio_err,
-                   "-passin arg     input file pass phrase source\n");
-        BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
-        BIO_printf(bio_err, "-out file       output file\n");
-        BIO_printf(bio_err,
-                   "-passout arg    output file pass phrase source\n");
-        BIO_printf(bio_err, "-topk8          output PKCS8 file\n");
-        BIO_printf(bio_err,
-                   "-nooct          use (nonstandard) no octet format\n");
-        BIO_printf(bio_err,
-                   "-embed          use (nonstandard) embedded DSA parameters format\n");
-        BIO_printf(bio_err,
-                   "-nsdb           use (nonstandard) DSA Netscape DB format\n");
-        BIO_printf(bio_err, "-iter count     use count as iteration count\n");
-        BIO_printf(bio_err, "-noiter         use 1 as iteration count\n");
-        BIO_printf(bio_err,
-                   "-nocrypt        use or expect unencrypted private key\n");
-        BIO_printf(bio_err,
-                   "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
-        BIO_printf(bio_err,
-                   "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e       use engine e, possibly a hardware device.\n");
-#endif
-        goto end;
-    }
-#ifndef OPENSSL_NO_ENGINE
-    e = setup_engine(bio_err, engine, 0);
-#endif
-
-    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
         BIO_printf(bio_err, "Error getting passwords\n");
         goto end;
     }
@@ -246,38 +236,24 @@ int MAIN(int argc, char **argv)
     if ((pbe_nid == -1) && !cipher)
         pbe_nid = NID_pbeWithMD5AndDES_CBC;
 
-    if (infile) {
-        if (!(in = BIO_new_file(infile, "rb"))) {
-            BIO_printf(bio_err, "Can't open input file %s\n", infile);
-            goto end;
-        }
-    } else
-        in = BIO_new_fp(stdin, BIO_NOCLOSE);
+    in = bio_open_default(infile, 'r', informat);
+    if (in == NULL)
+        goto end;
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
 
-    if (outfile) {
-        if (!(out = BIO_new_file(outfile, "wb"))) {
-            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
-            goto end;
-        }
-    } else {
-        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    }
     if (topk8) {
-        pkey = load_key(bio_err, infile, informat, 1, passin, e, "key");
+        pkey = load_key(infile, informat, 1, passin, e, "key");
         if (!pkey)
             goto end;
-        if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
+        if ((p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)) == NULL) {
             BIO_printf(bio_err, "Error converting key\n");
             ERR_print_errors(bio_err);
             goto end;
         }
         if (nocrypt) {
+            assert(private);
             if (outformat == FORMAT_PEM)
                 PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
             else if (outformat == FORMAT_ASN1)
@@ -287,23 +263,44 @@ int MAIN(int argc, char **argv)
                 goto end;
             }
         } else {
+            X509_ALGOR *pbe;
+            if (cipher) {
+#ifndef OPENSSL_NO_SCRYPT
+                if (scrypt_N && scrypt_r && scrypt_p)
+                    pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL,
+                                                scrypt_N, scrypt_r, scrypt_p);
+                else
+#endif
+                    pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL,
+                                            pbe_nid);
+            } else {
+                pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, 0);
+            }
+            if (pbe == NULL) {
+                BIO_printf(bio_err, "Error setting PBE algorithm\n");
+                ERR_print_errors(bio_err);
+                goto end;
+            }
             if (passout)
                 p8pass = passout;
             else {
                 p8pass = pass;
                 if (EVP_read_pw_string
-                    (pass, sizeof pass, "Enter Encryption Password:", 1))
+                    (pass, sizeof pass, "Enter Encryption Password:", 1)) {
+                    X509_ALGOR_free(pbe);
                     goto end;
+                }
             }
-            app_RAND_load_file(NULL, bio_err, 0);
-            if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
-                                     p8pass, strlen(p8pass),
-                                     NULL, 0, iter, p8inf))) {
+            app_RAND_load_file(NULL, 0);
+            p8 = PKCS8_set0_pbe(p8pass, strlen(p8pass), p8inf, pbe);
+            if (p8 == NULL) {
+                X509_ALGOR_free(pbe);
                 BIO_printf(bio_err, "Error encrypting key\n");
                 ERR_print_errors(bio_err);
                 goto end;
             }
-            app_RAND_write_file(NULL, bio_err);
+            app_RAND_write_file(NULL);
+            assert(private);
             if (outformat == FORMAT_PEM)
                 PEM_write_bio_PKCS8(out, p8);
             else if (outformat == FORMAT_ASN1)
@@ -357,7 +354,7 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
+    if ((pkey = EVP_PKCS82PKEY(p8inf)) == NULL) {
         BIO_printf(bio_err, "Error converting key\n");
         ERR_print_errors(bio_err);
         goto end;
@@ -388,6 +385,7 @@ int MAIN(int argc, char **argv)
         }
     }
 
+    assert(private);
     if (outformat == FORMAT_PEM)
         PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
     else if (outformat == FORMAT_ASN1)
@@ -404,10 +402,8 @@ int MAIN(int argc, char **argv)
     EVP_PKEY_free(pkey);
     BIO_free_all(out);
     BIO_free(in);
-    if (passin)
-        OPENSSL_free(passin);
-    if (passout)
-        OPENSSL_free(passout);
+    OPENSSL_free(passin);
+    OPENSSL_free(passout);
 
     return ret;
 }

apps/pkey.c

@@ -1,4 +1,3 @@
-/* apps/pkey.c */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 2006
@@ -63,150 +62,121 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 
-#define PROG pkey_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
+    OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
+    OPT_TEXT, OPT_NOOUT, OPT_MD
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS pkey_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
+    {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"pubin", OPT_PUBIN, '-',
+     "Read public key from input (default is private key)"},
+    {"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
+    {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"},
+    {"text", OPT_TEXT, '-', "Output in plaintext as well"},
+    {"noout", OPT_NOOUT, '-', "Don't output the key"},
+    {"", OPT_MD, '-', "Any supported cipher"},
+#ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int pkey_main(int argc, char **argv)
 {
-    ENGINE *e = NULL;
-    char **args, *infile = NULL, *outfile = NULL;
-    char *passargin = NULL, *passargout = NULL;
     BIO *in = NULL, *out = NULL;
-    const EVP_CIPHER *cipher = NULL;
-    int informat, outformat;
-    int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0;
+    ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
-    char *passin = NULL, *passout = NULL;
-    int badarg = 0;
-#ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-#endif
-    int ret = 1;
+    const EVP_CIPHER *cipher = NULL;
+    char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL;
+    char *passinarg = NULL, *passoutarg = NULL, *prog;
+    OPTION_CHOICE o;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
+    int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
+    int private = 0;
 
-    if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    ERR_load_crypto_strings();
-    OpenSSL_add_all_algorithms();
-    args = argv + 1;
-    while (!badarg && *args && *args[0] == '-') {
-        if (!strcmp(*args, "-inform")) {
-            if (args[1]) {
-                args++;
-                informat = str2fmt(*args);
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-outform")) {
-            if (args[1]) {
-                args++;
-                outformat = str2fmt(*args);
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-passin")) {
-            if (!args[1])
-                goto bad;
-            passargin = *(++args);
-        } else if (!strcmp(*args, "-passout")) {
-            if (!args[1])
-                goto bad;
-            passargout = *(++args);
-        }
-#ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*args, "-engine") == 0) {
-            if (!args[1])
-                goto bad;
-            engine = *(++args);
-        }
-#endif
-        else if (!strcmp(*args, "-in")) {
-            if (args[1]) {
-                args++;
-                infile = *args;
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-out")) {
-            if (args[1]) {
-                args++;
-                outfile = *args;
-            } else
-                badarg = 1;
-        } else if (strcmp(*args, "-pubin") == 0) {
-            pubin = 1;
+    prog = opt_init(argc, argv, pkey_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(pkey_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+                goto opthelp;
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
+        case OPT_PASSOUT:
+            passoutarg = opt_arg();
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_PUBIN:
+            pubin = pubout = pubtext = 1;
+            break;
+        case OPT_PUBOUT:
             pubout = 1;
-            pubtext = 1;
-        } else if (strcmp(*args, "-pubout") == 0)
-            pubout = 1;
-        else if (strcmp(*args, "-text_pub") == 0) {
-            pubtext = 1;
+            break;
+        case OPT_TEXT_PUB:
+            pubtext = text = 1;
+            break;
+        case OPT_TEXT:
             text = 1;
-        } else if (strcmp(*args, "-text") == 0)
-            text = 1;
-        else if (strcmp(*args, "-noout") == 0)
+            break;
+        case OPT_NOOUT:
             noout = 1;
-        else {
-            cipher = EVP_get_cipherbyname(*args + 1);
-            if (!cipher) {
-                BIO_printf(bio_err, "Unknown cipher %s\n", *args + 1);
-                badarg = 1;
-            }
+            break;
+        case OPT_MD:
+            if (!opt_cipher(opt_unknown(), &cipher))
+                goto opthelp;
         }
-        args++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = !noout && !pubout ? 1 : 0;
+    if (text && !pubtext)
+        private = 1;
 
-    if (badarg) {
- bad:
-        BIO_printf(bio_err, "Usage pkey [options]\n");
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, "-in file        input file\n");
-        BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
-        BIO_printf(bio_err,
-                   "-passin arg     input file pass phrase source\n");
-        BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
-        BIO_printf(bio_err, "-out file       output file\n");
-        BIO_printf(bio_err,
-                   "-passout arg    output file pass phrase source\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   "-engine e       use engine e, possibly a hardware device.\n");
-#endif
-        return 1;
-    }
-#ifndef OPENSSL_NO_ENGINE
-    e = setup_engine(bio_err, engine, 0);
-#endif
-
-    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
         BIO_printf(bio_err, "Error getting passwords\n");
         goto end;
     }
 
-    if (outfile) {
-        if (!(out = BIO_new_file(outfile, "wb"))) {
-            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
-            goto end;
-        }
-    } else {
-        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    }
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
 
     if (pubin)
-        pkey = load_pubkey(bio_err, infile, informat, 1,
-                           passin, e, "Public Key");
+        pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
     else
-        pkey = load_key(bio_err, infile, informat, 1, passin, e, "key");
+        pkey = load_key(infile, informat, 1, passin, e, "key");
     if (!pkey)
         goto end;
 
@@ -214,14 +184,18 @@ int MAIN(int argc, char **argv)
         if (outformat == FORMAT_PEM) {
             if (pubout)
                 PEM_write_bio_PUBKEY(out, pkey);
-            else
+            else {
+                assert(private);
                 PEM_write_bio_PrivateKey(out, pkey, cipher,
                                          NULL, 0, NULL, passout);
+            }
         } else if (outformat == FORMAT_ASN1) {
             if (pubout)
                 i2d_PUBKEY_bio(out, pkey);
-            else
+            else {
+                assert(private);
                 i2d_PrivateKey_bio(out, pkey);
+            }
         } else {
             BIO_printf(bio_err, "Bad format specified for key\n");
             goto end;
@@ -232,8 +206,10 @@ int MAIN(int argc, char **argv)
     if (text) {
         if (pubtext)
             EVP_PKEY_print_public(out, pkey, 0, NULL);
-        else
+        else {
+            assert(private);
             EVP_PKEY_print_private(out, pkey, 0, NULL);
+        }
     }
 
     ret = 0;
@@ -242,10 +218,8 @@ int MAIN(int argc, char **argv)
     EVP_PKEY_free(pkey);
     BIO_free_all(out);
     BIO_free(in);
-    if (passin)
-        OPENSSL_free(passin);
-    if (passout)
-        OPENSSL_free(passout);
+    OPENSSL_free(passin);
+    OPENSSL_free(passout);
 
     return ret;
 }

apps/pkeyparam.c

@@ -1,4 +1,3 @@
-/* apps/pkeyparam.c */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 2006
@@ -63,104 +62,68 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 
-#define PROG pkeyparam_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT, OPT_ENGINE
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS pkeyparam_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"text", OPT_TEXT, '-', "Print parameters as text"},
+    {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"},
+#ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int pkeyparam_main(int argc, char **argv)
 {
-    char **args, *infile = NULL, *outfile = NULL;
     BIO *in = NULL, *out = NULL;
-    int text = 0, noout = 0;
     EVP_PKEY *pkey = NULL;
-    int badarg = 0;
-#ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-#endif
-    int ret = 1;
+    int text = 0, noout = 0, ret = 1;
+    OPTION_CHOICE o;
+    char *infile = NULL, *outfile = NULL, *prog;
 
-    if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    ERR_load_crypto_strings();
-    OpenSSL_add_all_algorithms();
-    args = argv + 1;
-    while (!badarg && *args && *args[0] == '-') {
-        if (!strcmp(*args, "-in")) {
-            if (args[1]) {
-                args++;
-                infile = *args;
-            } else
-                badarg = 1;
-        } else if (!strcmp(*args, "-out")) {
-            if (args[1]) {
-                args++;
-                outfile = *args;
-            } else
-                badarg = 1;
-        }
-#ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*args, "-engine") == 0) {
-            if (!args[1])
-                goto bad;
-            engine = *(++args);
-        }
-#endif
-
-        else if (strcmp(*args, "-text") == 0)
+    prog = opt_init(argc, argv, pkeyparam_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(pkeyparam_options);
+            ret = 0;
+            goto end;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
+            break;
+        case OPT_TEXT:
             text = 1;
-        else if (strcmp(*args, "-noout") == 0)
+            break;
+        case OPT_NOOUT:
             noout = 1;
-        args++;
-    }
-
-    if (badarg) {
-#ifndef OPENSSL_NO_ENGINE
- bad:
-#endif
-        BIO_printf(bio_err, "Usage pkeyparam [options]\n");
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, "-in file        input file\n");
-        BIO_printf(bio_err, "-out file       output file\n");
-        BIO_printf(bio_err, "-text           print parameters as text\n");
-        BIO_printf(bio_err,
-                   "-noout          don't output encoded parameters\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   "-engine e       use engine e, possibly a hardware device.\n");
-#endif
-        return 1;
-    }
-#ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-#endif
-
-    if (infile) {
-        if (!(in = BIO_new_file(infile, "r"))) {
-            BIO_printf(bio_err, "Can't open input file %s\n", infile);
-            goto end;
+            break;
         }
-    } else
-        in = BIO_new_fp(stdin, BIO_NOCLOSE);
-
-    if (outfile) {
-        if (!(out = BIO_new_file(outfile, "w"))) {
-            BIO_printf(bio_err, "Can't open output file %s\n", outfile);
-            goto end;
-        }
-    } else {
-        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
+    in = bio_open_default(infile, 'r', FORMAT_PEM);
+    if (in == NULL)
+        goto end;
+    out = bio_open_default(outfile, 'w', FORMAT_PEM);
+    if (out == NULL)
+        goto end;
     pkey = PEM_read_bio_Parameters(in, NULL);
     if (!pkey) {
         BIO_printf(bio_err, "Error reading parameters\n");

apps/pkeyutl.c

@@ -66,200 +66,193 @@
 #define KEY_PUBKEY      2
 #define KEY_CERT        3
 
-static void usage(void);
-
-#undef PROG
-
-#define PROG pkeyutl_main
-
 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
                               char *keyfile, int keyform, int key_type,
-                              char *passargin, int pkey_op, ENGINE *e);
+                              char *passinarg, int pkey_op, ENGINE *e);
 
-static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
-                      const char *file);
+static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file);
 
 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
                     unsigned char *out, size_t *poutlen,
                     unsigned char *in, size_t inlen);
 
-int MAIN(int argc, char **);
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_ENGINE, OPT_IN, OPT_OUT,
+    OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
+    OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
+    OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
+    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT
+} OPTION_CHOICE;
 
-int MAIN(int argc, char **argv)
+OPTIONS pkeyutl_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"pubin", OPT_PUBIN, '-', "Input is a public key"},
+    {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
+    {"asn1parse", OPT_ASN1PARSE, '-'},
+    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
+    {"sign", OPT_SIGN, '-', "Sign with private key"},
+    {"verify", OPT_VERIFY, '-', "Verify with public key"},
+    {"verifyrecover", OPT_VERIFYRECOVER, '-',
+     "Verify with public key, recover original data"},
+    {"rev", OPT_REV, '-'},
+    {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
+    {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
+    {"derive", OPT_DERIVE, '-', "Derive shared secret"},
+    {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
+    {"inkey", OPT_INKEY, 's', "Input key"},
+    {"peerkey", OPT_PEERKEY, 's'},
+    {"passin", OPT_PASSIN, 's', "Pass phrase source"},
+    {"peerform", OPT_PEERFORM, 'F'},
+    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
+    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
+#ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+    {NULL}
+};
+
+int pkeyutl_main(int argc, char **argv)
 {
     BIO *in = NULL, *out = NULL;
-    char *infile = NULL, *outfile = NULL, *sigfile = NULL;
     ENGINE *e = NULL;
-    int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
-    int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
-    char badarg = 0, rev = 0;
-    char hexdump = 0, asn1parse = 0;
     EVP_PKEY_CTX *ctx = NULL;
-    char *passargin = NULL;
-    int keysize = -1;
-
+    char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
+    char hexdump = 0, asn1parse = 0, rev = 0, *prog;
     unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
-    size_t buf_outlen;
-    int buf_inlen = 0, siglen = -1;
-
+    OPTION_CHOICE o;
+    int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform =
+        FORMAT_PEM;
+    int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
     int ret = 1, rv = -1;
+    size_t buf_outlen;
 
-    argc--;
-    argv++;
-
-    if (!bio_err)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-    ERR_load_crypto_strings();
-    OpenSSL_add_all_algorithms();
-
-    while (argc >= 1) {
-        if (!strcmp(*argv, "-in")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                infile = *(++argv);
-        } else if (!strcmp(*argv, "-out")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                outfile = *(++argv);
-        } else if (!strcmp(*argv, "-sigfile")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                sigfile = *(++argv);
-        } else if (!strcmp(*argv, "-inkey")) {
-            if (--argc < 1)
-                badarg = 1;
-            else {
-                ctx = init_ctx(&keysize,
-                               *(++argv), keyform, key_type,
-                               passargin, pkey_op, e);
-                if (!ctx) {
-                    BIO_puts(bio_err, "Error initializing context\n");
-                    ERR_print_errors(bio_err);
-                    badarg = 1;
-                }
+    prog = opt_init(argc, argv, pkeyutl_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(pkeyutl_options);
+            ret = 0;
+            goto end;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_SIGFILE:
+            sigfile = opt_arg();
+            break;
+        case OPT_INKEY:
+            ctx = init_ctx(&keysize, opt_arg(), keyform, key_type,
+                           passinarg, pkey_op, e);
+            if (ctx == NULL) {
+                BIO_puts(bio_err, "%s: Error initializing context\n");
+                ERR_print_errors(bio_err);
+                goto opthelp;
             }
-        } else if (!strcmp(*argv, "-peerkey")) {
-            if (--argc < 1)
-                badarg = 1;
-            else if (!setup_peer(bio_err, ctx, peerform, *(++argv)))
-                badarg = 1;
-        } else if (!strcmp(*argv, "-passin")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                passargin = *(++argv);
-        } else if (strcmp(*argv, "-peerform") == 0) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                peerform = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-keyform") == 0) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                keyform = str2fmt(*(++argv));
-        }
-#ifndef OPENSSL_NO_ENGINE
-        else if (!strcmp(*argv, "-engine")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                e = setup_engine(bio_err, *(++argv), 0);
-        }
-#endif
-        else if (!strcmp(*argv, "-pubin"))
+            break;
+        case OPT_PEERKEY:
+            if (!setup_peer(ctx, peerform, opt_arg()))
+                goto opthelp;
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
+        case OPT_PEERFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &peerform))
+                goto opthelp;
+            break;
+        case OPT_KEYFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
+                goto opthelp;
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_PUBIN:
             key_type = KEY_PUBKEY;
-        else if (!strcmp(*argv, "-certin"))
+            break;
+        case OPT_CERTIN:
             key_type = KEY_CERT;
-        else if (!strcmp(*argv, "-asn1parse"))
+            break;
+        case OPT_ASN1PARSE:
             asn1parse = 1;
-        else if (!strcmp(*argv, "-hexdump"))
+            break;
+        case OPT_HEXDUMP:
             hexdump = 1;
-        else if (!strcmp(*argv, "-sign"))
+            break;
+        case OPT_SIGN:
             pkey_op = EVP_PKEY_OP_SIGN;
-        else if (!strcmp(*argv, "-verify"))
+            break;
+        case OPT_VERIFY:
             pkey_op = EVP_PKEY_OP_VERIFY;
-        else if (!strcmp(*argv, "-verifyrecover"))
+            break;
+        case OPT_VERIFYRECOVER:
             pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
-        else if (!strcmp(*argv, "-rev"))
+            break;
+        case OPT_REV:
             rev = 1;
-        else if (!strcmp(*argv, "-encrypt"))
+            break;
+        case OPT_ENCRYPT:
             pkey_op = EVP_PKEY_OP_ENCRYPT;
-        else if (!strcmp(*argv, "-decrypt"))
+            break;
+        case OPT_DECRYPT:
             pkey_op = EVP_PKEY_OP_DECRYPT;
-        else if (!strcmp(*argv, "-derive"))
+            break;
+        case OPT_DERIVE:
             pkey_op = EVP_PKEY_OP_DERIVE;
-        else if (strcmp(*argv, "-pkeyopt") == 0) {
-            if (--argc < 1)
-                badarg = 1;
-            else if (!ctx) {
-                BIO_puts(bio_err, "-pkeyopt command before -inkey\n");
-                badarg = 1;
-            } else if (pkey_ctrl_string(ctx, *(++argv)) <= 0) {
-                BIO_puts(bio_err, "parameter setting error\n");
+            break;
+        case OPT_PKEYOPT:
+            if (ctx == NULL) {
+                BIO_printf(bio_err,
+                           "%s: Must have -inkey before -pkeyopt\n", prog);
+                goto opthelp;
+            }
+            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
+                BIO_printf(bio_err, "%s: Can't set parameter:\n", prog);
                 ERR_print_errors(bio_err);
                 goto end;
             }
-        } else
-            badarg = 1;
-        if (badarg) {
-            usage();
-            goto end;
+            break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    if (!ctx) {
-        usage();
-        goto end;
-    }
+    if (ctx == NULL)
+        goto opthelp;
 
     if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
-        BIO_puts(bio_err, "Signature file specified for non verify\n");
+        BIO_printf(bio_err,
+                   "%s: Signature file specified for non verify\n", prog);
         goto end;
     }
 
     if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) {
-        BIO_puts(bio_err, "No signature file specified for verify\n");
+        BIO_printf(bio_err,
+                   "%s: No signature file specified for verify\n", prog);
         goto end;
     }
 
 /* FIXME: seed PRNG only if needed */
-    app_RAND_load_file(NULL, bio_err, 0);
+    app_RAND_load_file(NULL, 0);
 
     if (pkey_op != EVP_PKEY_OP_DERIVE) {
-        if (infile) {
-            if (!(in = BIO_new_file(infile, "rb"))) {
-                BIO_puts(bio_err, "Error Opening Input File\n");
-                ERR_print_errors(bio_err);
-                goto end;
-            }
-        } else
-            in = BIO_new_fp(stdin, BIO_NOCLOSE);
-    }
-
-    if (outfile) {
-        if (!(out = BIO_new_file(outfile, "wb"))) {
-            BIO_printf(bio_err, "Error Creating Output File\n");
-            ERR_print_errors(bio_err);
+        in = bio_open_default(infile, 'r', FORMAT_BINARY);
+        if (in == NULL)
             goto end;
-        }
-    } else {
-        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
     }
+    out = bio_open_default(outfile, 'w', FORMAT_BINARY);
+    if (out == NULL)
+        goto end;
 
     if (sigfile) {
         BIO *sigbio = BIO_new_file(sigfile, "rb");
@@ -297,32 +290,27 @@ int MAIN(int argc, char **argv)
     if (pkey_op == EVP_PKEY_OP_VERIFY) {
         rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
                              buf_in, (size_t)buf_inlen);
-        if (rv == 0)
-            BIO_puts(out, "Signature Verification Failure\n");
-        else if (rv == 1)
+        if (rv == 1) {
             BIO_puts(out, "Signature Verified Successfully\n");
-        if (rv >= 0)
-            goto end;
-    } else {
-        rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
-                      buf_in, (size_t)buf_inlen);
-        if (rv > 0) {
-            buf_out = OPENSSL_malloc(buf_outlen);
-            if (!buf_out)
-                rv = -1;
-            else
-                rv = do_keyop(ctx, pkey_op,
-                              buf_out, (size_t *)&buf_outlen,
-                              buf_in, (size_t)buf_inlen);
-        }
+            ret = 0;
+        } else
+            BIO_puts(out, "Signature Verification Failure\n");
+        goto end;
+    }
+    rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
+                  buf_in, (size_t)buf_inlen);
+    if (rv > 0) {
+        buf_out = app_malloc(buf_outlen, "buffer output");
+        rv = do_keyop(ctx, pkey_op,
+                      buf_out, (size_t *)&buf_outlen,
+                      buf_in, (size_t)buf_inlen);
     }
-
     if (rv <= 0) {
-        BIO_printf(bio_err, "Public Key operation error\n");
         ERR_print_errors(bio_err);
         goto end;
     }
     ret = 0;
+
     if (asn1parse) {
         if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
             ERR_print_errors(bio_err);
@@ -332,51 +320,18 @@ int MAIN(int argc, char **argv)
         BIO_write(out, buf_out, buf_outlen);
 
  end:
-    if (ctx)
-        EVP_PKEY_CTX_free(ctx);
+    EVP_PKEY_CTX_free(ctx);
     BIO_free(in);
     BIO_free_all(out);
-    if (buf_in)
-        OPENSSL_free(buf_in);
-    if (buf_out)
-        OPENSSL_free(buf_out);
-    if (sig)
-        OPENSSL_free(sig);
+    OPENSSL_free(buf_in);
+    OPENSSL_free(buf_out);
+    OPENSSL_free(sig);
     return ret;
 }
 
-static void usage()
-{
-    BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
-    BIO_printf(bio_err, "-in file        input file\n");
-    BIO_printf(bio_err, "-out file       output file\n");
-    BIO_printf(bio_err,
-               "-sigfile file signature file (verify operation only)\n");
-    BIO_printf(bio_err, "-inkey file     input key\n");
-    BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
-    BIO_printf(bio_err, "-pubin          input is a public key\n");
-    BIO_printf(bio_err,
-               "-certin         input is a certificate carrying a public key\n");
-    BIO_printf(bio_err, "-pkeyopt X:Y    public key options\n");
-    BIO_printf(bio_err, "-sign           sign with private key\n");
-    BIO_printf(bio_err, "-verify         verify with public key\n");
-    BIO_printf(bio_err,
-               "-verifyrecover  verify with public key, recover original data\n");
-    BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
-    BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
-    BIO_printf(bio_err, "-derive         derive shared secret\n");
-    BIO_printf(bio_err, "-hexdump        hex dump output\n");
-#ifndef OPENSSL_NO_ENGINE
-    BIO_printf(bio_err,
-               "-engine e       use engine e, possibly a hardware device.\n");
-#endif
-    BIO_printf(bio_err, "-passin arg     pass phrase source\n");
-
-}
-
 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
                               char *keyfile, int keyform, int key_type,
-                              char *passargin, int pkey_op, ENGINE *e)
+                              char *passinarg, int pkey_op, ENGINE *e)
 {
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
@@ -389,23 +344,21 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
         BIO_printf(bio_err, "A private key is needed for this operation\n");
         goto end;
     }
-    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
         BIO_printf(bio_err, "Error getting password\n");
         goto end;
     }
     switch (key_type) {
     case KEY_PRIVKEY:
-        pkey = load_key(bio_err, keyfile, keyform, 0,
-                        passin, e, "Private Key");
+        pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
         break;
 
     case KEY_PUBKEY:
-        pkey = load_pubkey(bio_err, keyfile, keyform, 0,
-                           NULL, e, "Public Key");
+        pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key");
         break;
 
     case KEY_CERT:
-        x = load_cert(bio_err, keyfile, keyform, NULL, e, "Certificate");
+        x = load_cert(keyfile, keyform, NULL, e, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);
@@ -423,7 +376,7 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
 
     EVP_PKEY_free(pkey);
 
-    if (!ctx)
+    if (ctx == NULL)
         goto end;
 
     switch (pkey_op) {
@@ -458,29 +411,25 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
     }
 
  end:
-
-    if (passin)
-        OPENSSL_free(passin);
-
+    OPENSSL_free(passin);
     return ctx;
 
 }
 
-static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
-                      const char *file)
+static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file)
 {
     EVP_PKEY *peer = NULL;
     int ret;
     if (!ctx) {
-        BIO_puts(err, "-peerkey command before -inkey\n");
+        BIO_puts(bio_err, "-peerkey command before -inkey\n");
         return 0;
     }
 
-    peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
+    peer = load_pubkey(file, peerform, 0, NULL, NULL, "Peer Key");
 
     if (!peer) {
         BIO_printf(bio_err, "Error reading peer key %s\n", file);
-        ERR_print_errors(err);
+        ERR_print_errors(bio_err);
         return 0;
     }
 
@@ -488,7 +437,7 @@ static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
 
     EVP_PKEY_free(peer);
     if (ret <= 0)
-        ERR_print_errors(err);
+        ERR_print_errors(bio_err);
     return ret;
 }
 

apps/prime.c

@@ -52,75 +52,74 @@
 #include "apps.h"
 #include <openssl/bn.h>
 
-#undef PROG
-#define PROG prime_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS
+} OPTION_CHOICE;
 
-int MAIN(int, char **);
+OPTIONS prime_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"},
+    {OPT_HELP_STR, 1, '-',
+        "  number Number to check for primality\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"hex", OPT_HEX, '-', "Hex output"},
+    {"generate", OPT_GENERATE, '-', "Generate a prime"},
+    {"bits", OPT_BITS, 'p', "Size of number in bits"},
+    {"safe", OPT_SAFE, '-',
+     "When used with -generate, generate a safe prime"},
+    {"checks", OPT_CHECKS, 'p', "Number of checks"},
+    {NULL}
+};
 
-int MAIN(int argc, char **argv)
+int prime_main(int argc, char **argv)
 {
-    int hex = 0;
-    int checks = 20;
-    int generate = 0;
-    int bits = 0;
-    int safe = 0;
     BIGNUM *bn = NULL;
-    BIO *bio_out;
+    int hex = 0, checks = 20, generate = 0, bits = 0, safe = 0, ret = 1;
+    char *prog;
+    OPTION_CHOICE o;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    --argc;
-    ++argv;
-    while (argc >= 1 && **argv == '-') {
-        if (!strcmp(*argv, "-hex"))
+    prog = opt_init(argc, argv, prime_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(prime_options);
+            ret = 0;
+            goto end;
+        case OPT_HEX:
             hex = 1;
-        else if (!strcmp(*argv, "-generate"))
+            break;
+        case OPT_GENERATE:
             generate = 1;
-        else if (!strcmp(*argv, "-bits"))
-            if (--argc < 1)
-                goto bad;
-            else
-                bits = atoi(*++argv);
-        else if (!strcmp(*argv, "-safe"))
+            break;
+        case OPT_BITS:
+            bits = atoi(opt_arg());
+            break;
+        case OPT_SAFE:
             safe = 1;
-        else if (!strcmp(*argv, "-checks"))
-            if (--argc < 1)
-                goto bad;
-            else
-                checks = atoi(*++argv);
-        else {
-            BIO_printf(bio_err, "Unknown option '%s'\n", *argv);
-            goto bad;
+            break;
+        case OPT_CHECKS:
+            checks = atoi(opt_arg());
+            break;
         }
-        --argc;
-        ++argv;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    if (argv[0] == NULL && !generate) {
-        BIO_printf(bio_err, "No prime specified\n");
-        goto bad;
-    }
-
-    if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
-        BIO_set_fp(bio_out, stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            bio_out = BIO_push(tmpbio, bio_out);
-        }
-#endif
+    if (argc == 0 && !generate) {
+        BIO_printf(bio_err, "%s: No prime specified\n", prog);
+        goto end;
     }
 
     if (generate) {
         char *s;
 
         if (!bits) {
-            BIO_printf(bio_err, "Specifiy the number of bits.\n");
-            return 1;
+            BIO_printf(bio_err, "Specify the number of bits.\n");
+            goto end;
         }
         bn = BN_new();
         BN_generate_prime_ex(bn, bits, safe, NULL, NULL, NULL);
@@ -128,24 +127,22 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_out, "%s\n", s);
         OPENSSL_free(s);
     } else {
-        if (hex)
-            BN_hex2bn(&bn, argv[0]);
-        else
-            BN_dec2bn(&bn, argv[0]);
+        for ( ; *argv; argv++) {
+            if (hex)
+                BN_hex2bn(&bn, argv[0]);
+            else
+                BN_dec2bn(&bn, argv[0]);
 
-        BN_print(bio_out, bn);
-        BIO_printf(bio_out, " is %sprime\n",
-                   BN_is_prime_ex(bn, checks, NULL, NULL) ? "" : "not ");
+            BN_print(bio_out, bn);
+            BIO_printf(bio_out, " (%s) %s prime\n",
+                       argv[0],
+                       BN_is_prime_ex(bn, checks, NULL, NULL)
+                           ? "is" : "is not");
+        }
     }
 
     BN_free(bn);
-    BIO_free_all(bio_out);
 
-    return 0;
-
- bad:
-    BIO_printf(bio_err, "options are\n");
-    BIO_printf(bio_err, "%-14s hex\n", "-hex");
-    BIO_printf(bio_err, "%-14s number of checks\n", "-checks <n>");
-    return 1;
+ end:
+    return ret;
 }

apps/progs.h

@@ -1,378 +1,421 @@
-/* apps/progs.h */
-/* automatically generated by progs.pl for openssl.c */
+/*
+ * Automatically generated by progs.pl for openssl.c
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ * See the openssl.c for copyright details.
+ */
+
+typedef enum FUNC_TYPE {
+    FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
+    FT_md_alg, FT_cipher_alg
+} FUNC_TYPE;
+
+typedef struct function_st {
+    FUNC_TYPE type;
+    const char *name;
+    int (*func)(int argc,char *argv[]);
+    const OPTIONS *help;
+} FUNCTION;
+
+DEFINE_LHASH_OF(FUNCTION);
 
-extern int verify_main(int argc, char *argv[]);
 extern int asn1parse_main(int argc, char *argv[]);
-extern int req_main(int argc, char *argv[]);
-extern int dgst_main(int argc, char *argv[]);
-extern int dh_main(int argc, char *argv[]);
-extern int dhparam_main(int argc, char *argv[]);
-extern int enc_main(int argc, char *argv[]);
-extern int passwd_main(int argc, char *argv[]);
-extern int gendh_main(int argc, char *argv[]);
-extern int errstr_main(int argc, char *argv[]);
 extern int ca_main(int argc, char *argv[]);
+extern int ciphers_main(int argc, char *argv[]);
+extern int cms_main(int argc, char *argv[]);
 extern int crl_main(int argc, char *argv[]);
-extern int rsa_main(int argc, char *argv[]);
-extern int rsautl_main(int argc, char *argv[]);
+extern int crl2pkcs7_main(int argc, char *argv[]);
+extern int dgst_main(int argc, char *argv[]);
+extern int dhparam_main(int argc, char *argv[]);
 extern int dsa_main(int argc, char *argv[]);
 extern int dsaparam_main(int argc, char *argv[]);
 extern int ec_main(int argc, char *argv[]);
 extern int ecparam_main(int argc, char *argv[]);
-extern int x509_main(int argc, char *argv[]);
-extern int genrsa_main(int argc, char *argv[]);
+extern int enc_main(int argc, char *argv[]);
+extern int engine_main(int argc, char *argv[]);
+extern int errstr_main(int argc, char *argv[]);
 extern int gendsa_main(int argc, char *argv[]);
 extern int genpkey_main(int argc, char *argv[]);
-extern int s_server_main(int argc, char *argv[]);
-extern int s_client_main(int argc, char *argv[]);
-extern int speed_main(int argc, char *argv[]);
-extern int s_time_main(int argc, char *argv[]);
-extern int version_main(int argc, char *argv[]);
-extern int pkcs7_main(int argc, char *argv[]);
-extern int cms_main(int argc, char *argv[]);
-extern int crl2pkcs7_main(int argc, char *argv[]);
-extern int sess_id_main(int argc, char *argv[]);
-extern int ciphers_main(int argc, char *argv[]);
+extern int genrsa_main(int argc, char *argv[]);
 extern int nseq_main(int argc, char *argv[]);
+extern int ocsp_main(int argc, char *argv[]);
+extern int passwd_main(int argc, char *argv[]);
 extern int pkcs12_main(int argc, char *argv[]);
+extern int pkcs7_main(int argc, char *argv[]);
 extern int pkcs8_main(int argc, char *argv[]);
 extern int pkey_main(int argc, char *argv[]);
 extern int pkeyparam_main(int argc, char *argv[]);
 extern int pkeyutl_main(int argc, char *argv[]);
-extern int spkac_main(int argc, char *argv[]);
-extern int smime_main(int argc, char *argv[]);
-extern int rand_main(int argc, char *argv[]);
-extern int engine_main(int argc, char *argv[]);
-extern int ocsp_main(int argc, char *argv[]);
 extern int prime_main(int argc, char *argv[]);
-extern int ts_main(int argc, char *argv[]);
+extern int rand_main(int argc, char *argv[]);
+extern int req_main(int argc, char *argv[]);
+extern int rsa_main(int argc, char *argv[]);
+extern int rsautl_main(int argc, char *argv[]);
+extern int s_client_main(int argc, char *argv[]);
+extern int s_server_main(int argc, char *argv[]);
+extern int s_time_main(int argc, char *argv[]);
+extern int sess_id_main(int argc, char *argv[]);
+extern int smime_main(int argc, char *argv[]);
+extern int speed_main(int argc, char *argv[]);
+extern int spkac_main(int argc, char *argv[]);
 extern int srp_main(int argc, char *argv[]);
+extern int ts_main(int argc, char *argv[]);
+extern int verify_main(int argc, char *argv[]);
+extern int version_main(int argc, char *argv[]);
+extern int x509_main(int argc, char *argv[]);
+extern int rehash_main(int argc, char *argv[]);
+extern int list_main(int argc, char *argv[]);
+extern int help_main(int argc, char *argv[]);
+extern int exit_main(int argc, char *argv[]);
 
-#define FUNC_TYPE_GENERAL       1
-#define FUNC_TYPE_MD            2
-#define FUNC_TYPE_CIPHER        3
-#define FUNC_TYPE_PKEY          4
-#define FUNC_TYPE_MD_ALG        5
-#define FUNC_TYPE_CIPHER_ALG    6
+extern OPTIONS asn1parse_options[];
+extern OPTIONS ca_options[];
+extern OPTIONS ciphers_options[];
+extern OPTIONS cms_options[];
+extern OPTIONS crl_options[];
+extern OPTIONS crl2pkcs7_options[];
+extern OPTIONS dgst_options[];
+extern OPTIONS dhparam_options[];
+extern OPTIONS dsa_options[];
+extern OPTIONS dsaparam_options[];
+extern OPTIONS ec_options[];
+extern OPTIONS ecparam_options[];
+extern OPTIONS enc_options[];
+extern OPTIONS engine_options[];
+extern OPTIONS errstr_options[];
+extern OPTIONS gendsa_options[];
+extern OPTIONS genpkey_options[];
+extern OPTIONS genrsa_options[];
+extern OPTIONS nseq_options[];
+extern OPTIONS ocsp_options[];
+extern OPTIONS passwd_options[];
+extern OPTIONS pkcs12_options[];
+extern OPTIONS pkcs7_options[];
+extern OPTIONS pkcs8_options[];
+extern OPTIONS pkey_options[];
+extern OPTIONS pkeyparam_options[];
+extern OPTIONS pkeyutl_options[];
+extern OPTIONS prime_options[];
+extern OPTIONS rand_options[];
+extern OPTIONS req_options[];
+extern OPTIONS rsa_options[];
+extern OPTIONS rsautl_options[];
+extern OPTIONS s_client_options[];
+extern OPTIONS s_server_options[];
+extern OPTIONS s_time_options[];
+extern OPTIONS sess_id_options[];
+extern OPTIONS smime_options[];
+extern OPTIONS speed_options[];
+extern OPTIONS spkac_options[];
+extern OPTIONS srp_options[];
+extern OPTIONS ts_options[];
+extern OPTIONS verify_options[];
+extern OPTIONS version_options[];
+extern OPTIONS x509_options[];
+extern OPTIONS rehash_options[];
+extern OPTIONS list_options[];
+extern OPTIONS help_options[];
+extern OPTIONS exit_options[];
 
-typedef struct {
-    int type;
-    const char *name;
-    int (*func) (int argc, char *argv[]);
-} FUNCTION;
-DECLARE_LHASH_OF(FUNCTION);
-
-FUNCTION functions[] = {
-    {FUNC_TYPE_GENERAL, "verify", verify_main},
-    {FUNC_TYPE_GENERAL, "asn1parse", asn1parse_main},
-    {FUNC_TYPE_GENERAL, "req", req_main},
-    {FUNC_TYPE_GENERAL, "dgst", dgst_main},
-#ifndef OPENSSL_NO_DH
-    {FUNC_TYPE_GENERAL, "dh", dh_main},
-#endif
-#ifndef OPENSSL_NO_DH
-    {FUNC_TYPE_GENERAL, "dhparam", dhparam_main},
-#endif
-    {FUNC_TYPE_GENERAL, "enc", enc_main},
-    {FUNC_TYPE_GENERAL, "passwd", passwd_main},
-#ifndef OPENSSL_NO_DH
-    {FUNC_TYPE_GENERAL, "gendh", gendh_main},
-#endif
-    {FUNC_TYPE_GENERAL, "errstr", errstr_main},
-    {FUNC_TYPE_GENERAL, "ca", ca_main},
-    {FUNC_TYPE_GENERAL, "crl", crl_main},
-#ifndef OPENSSL_NO_RSA
-    {FUNC_TYPE_GENERAL, "rsa", rsa_main},
-#endif
-#ifndef OPENSSL_NO_RSA
-    {FUNC_TYPE_GENERAL, "rsautl", rsautl_main},
-#endif
-#ifndef OPENSSL_NO_DSA
-    {FUNC_TYPE_GENERAL, "dsa", dsa_main},
-#endif
-#ifndef OPENSSL_NO_DSA
-    {FUNC_TYPE_GENERAL, "dsaparam", dsaparam_main},
-#endif
-#ifndef OPENSSL_NO_EC
-    {FUNC_TYPE_GENERAL, "ec", ec_main},
-#endif
-#ifndef OPENSSL_NO_EC
-    {FUNC_TYPE_GENERAL, "ecparam", ecparam_main},
-#endif
-    {FUNC_TYPE_GENERAL, "x509", x509_main},
-#ifndef OPENSSL_NO_RSA
-    {FUNC_TYPE_GENERAL, "genrsa", genrsa_main},
-#endif
-#ifndef OPENSSL_NO_DSA
-    {FUNC_TYPE_GENERAL, "gendsa", gendsa_main},
-#endif
-    {FUNC_TYPE_GENERAL, "genpkey", genpkey_main},
+#ifdef INCLUDE_FUNCTION_TABLE
+static FUNCTION functions[] = {
+    { FT_general, "asn1parse", asn1parse_main, asn1parse_options },
+    { FT_general, "ca", ca_main, ca_options },
 #if !defined(OPENSSL_NO_SOCK)
-    {FUNC_TYPE_GENERAL, "s_server", s_server_main},
+    { FT_general, "ciphers", ciphers_main, ciphers_options },
 #endif
-#if !defined(OPENSSL_NO_SOCK)
-    {FUNC_TYPE_GENERAL, "s_client", s_client_main},
-#endif
-#ifndef OPENSSL_NO_SPEED
-    {FUNC_TYPE_GENERAL, "speed", speed_main},
-#endif
-#if !defined(OPENSSL_NO_SOCK)
-    {FUNC_TYPE_GENERAL, "s_time", s_time_main},
-#endif
-    {FUNC_TYPE_GENERAL, "version", version_main},
-    {FUNC_TYPE_GENERAL, "pkcs7", pkcs7_main},
 #ifndef OPENSSL_NO_CMS
-    {FUNC_TYPE_GENERAL, "cms", cms_main},
+    { FT_general, "cms", cms_main, cms_options },
 #endif
-    {FUNC_TYPE_GENERAL, "crl2pkcs7", crl2pkcs7_main},
-    {FUNC_TYPE_GENERAL, "sess_id", sess_id_main},
-#if !defined(OPENSSL_NO_SOCK)
-    {FUNC_TYPE_GENERAL, "ciphers", ciphers_main},
+    { FT_general, "crl", crl_main, crl_options },
+    { FT_general, "crl2pkcs7", crl2pkcs7_main, crl2pkcs7_options },
+    { FT_general, "dgst", dgst_main, dgst_options },
+#ifndef OPENSSL_NO_DH
+    { FT_general, "dhparam", dhparam_main, dhparam_options },
 #endif
-    {FUNC_TYPE_GENERAL, "nseq", nseq_main},
-#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
-    {FUNC_TYPE_GENERAL, "pkcs12", pkcs12_main},
+#ifndef OPENSSL_NO_DSA
+    { FT_general, "dsa", dsa_main, dsa_options },
 #endif
-    {FUNC_TYPE_GENERAL, "pkcs8", pkcs8_main},
-    {FUNC_TYPE_GENERAL, "pkey", pkey_main},
-    {FUNC_TYPE_GENERAL, "pkeyparam", pkeyparam_main},
-    {FUNC_TYPE_GENERAL, "pkeyutl", pkeyutl_main},
-    {FUNC_TYPE_GENERAL, "spkac", spkac_main},
-    {FUNC_TYPE_GENERAL, "smime", smime_main},
-    {FUNC_TYPE_GENERAL, "rand", rand_main},
+#ifndef OPENSSL_NO_DSA
+    { FT_general, "dsaparam", dsaparam_main, dsaparam_options },
+#endif
+#ifndef OPENSSL_NO_EC
+    { FT_general, "ec", ec_main, ec_options },
+#endif
+#ifndef OPENSSL_NO_EC
+    { FT_general, "ecparam", ecparam_main, ecparam_options },
+#endif
+    { FT_general, "enc", enc_main, enc_options },
 #ifndef OPENSSL_NO_ENGINE
-    {FUNC_TYPE_GENERAL, "engine", engine_main},
+    { FT_general, "engine", engine_main, engine_options },
 #endif
+    { FT_general, "errstr", errstr_main, errstr_options },
+#ifndef OPENSSL_NO_DSA
+    { FT_general, "gendsa", gendsa_main, gendsa_options },
+#endif
+    { FT_general, "genpkey", genpkey_main, genpkey_options },
+#ifndef OPENSSL_NO_RSA
+    { FT_general, "genrsa", genrsa_main, genrsa_options },
+#endif
+    { FT_general, "nseq", nseq_main, nseq_options },
 #ifndef OPENSSL_NO_OCSP
-    {FUNC_TYPE_GENERAL, "ocsp", ocsp_main},
+    { FT_general, "ocsp", ocsp_main, ocsp_options },
 #endif
-    {FUNC_TYPE_GENERAL, "prime", prime_main},
-    {FUNC_TYPE_GENERAL, "ts", ts_main},
+    { FT_general, "passwd", passwd_main, passwd_options },
+#if !defined(OPENSSL_NO_DES)
+    { FT_general, "pkcs12", pkcs12_main, pkcs12_options },
+#endif
+    { FT_general, "pkcs7", pkcs7_main, pkcs7_options },
+    { FT_general, "pkcs8", pkcs8_main, pkcs8_options },
+    { FT_general, "pkey", pkey_main, pkey_options },
+    { FT_general, "pkeyparam", pkeyparam_main, pkeyparam_options },
+    { FT_general, "pkeyutl", pkeyutl_main, pkeyutl_options },
+    { FT_general, "prime", prime_main, prime_options },
+    { FT_general, "rand", rand_main, rand_options },
+    { FT_general, "req", req_main, req_options },
+#ifndef OPENSSL_NO_RSA
+    { FT_general, "rsa", rsa_main, rsa_options },
+#endif
+#ifndef OPENSSL_NO_RSA
+    { FT_general, "rsautl", rsautl_main, rsautl_options },
+#endif
+#if !defined(OPENSSL_NO_SOCK)
+    { FT_general, "s_client", s_client_main, s_client_options },
+#endif
+#if !defined(OPENSSL_NO_SOCK)
+    { FT_general, "s_server", s_server_main, s_server_options },
+#endif
+#if !defined(OPENSSL_NO_SOCK)
+    { FT_general, "s_time", s_time_main, s_time_options },
+#endif
+    { FT_general, "sess_id", sess_id_main, sess_id_options },
+    { FT_general, "smime", smime_main, smime_options },
+    { FT_general, "speed", speed_main, speed_options },
+    { FT_general, "spkac", spkac_main, spkac_options },
 #ifndef OPENSSL_NO_SRP
-    {FUNC_TYPE_GENERAL, "srp", srp_main},
+    { FT_general, "srp", srp_main, srp_options },
 #endif
+    { FT_general, "ts", ts_main, ts_options },
+    { FT_general, "verify", verify_main, verify_options },
+    { FT_general, "version", version_main, version_options },
+    { FT_general, "x509", x509_main, x509_options },
+    { FT_general, "rehash", rehash_main, rehash_options },
+    { FT_general, "list", list_main, list_options },
+    { FT_general, "help", help_main, help_options },
+    { FT_general, "exit", exit_main, exit_options },
 #ifndef OPENSSL_NO_MD2
-    {FUNC_TYPE_MD, "md2", dgst_main},
+    { FT_md, "md2", dgst_main},
 #endif
 #ifndef OPENSSL_NO_MD4
-    {FUNC_TYPE_MD, "md4", dgst_main},
+    { FT_md, "md4", dgst_main},
 #endif
 #ifndef OPENSSL_NO_MD5
-    {FUNC_TYPE_MD, "md5", dgst_main},
+    { FT_md, "md5", dgst_main},
 #endif
-#ifndef OPENSSL_NO_SHA
-    {FUNC_TYPE_MD, "sha", dgst_main},
-#endif
-#ifndef OPENSSL_NO_SHA1
-    {FUNC_TYPE_MD, "sha1", dgst_main},
+#ifndef OPENSSL_NO_MD_GHOST94
+    { FT_md, "md_ghost94", dgst_main},
 #endif
+    { FT_md, "sha", dgst_main},
+    { FT_md, "sha1", dgst_main},
+    { FT_md, "sha224", dgst_main},
+    { FT_md, "sha256", dgst_main},
+    { FT_md, "sha384", dgst_main},
+    { FT_md, "sha512", dgst_main},
 #ifndef OPENSSL_NO_MDC2
-    {FUNC_TYPE_MD, "mdc2", dgst_main},
+    { FT_md, "mdc2", dgst_main},
 #endif
 #ifndef OPENSSL_NO_RMD160
-    {FUNC_TYPE_MD, "rmd160", dgst_main},
-#endif
-#ifndef OPENSSL_NO_SHA224
-    {FUNC_TYPE_MD, "sha224", dgst_main},
-#endif
-#ifndef OPENSSL_NO_SHA256
-    {FUNC_TYPE_MD, "sha256", dgst_main},
-#endif
-#ifndef OPENSSL_NO_SHA384
-    {FUNC_TYPE_MD, "sha384", dgst_main},
-#endif
-#ifndef OPENSSL_NO_SHA512
-    {FUNC_TYPE_MD, "sha512", dgst_main},
+    { FT_md, "rmd160", dgst_main},
 #endif
 #ifndef OPENSSL_NO_AES
-    {FUNC_TYPE_CIPHER, "aes-128-cbc", enc_main},
+    { FT_cipher, "aes-128-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-    {FUNC_TYPE_CIPHER, "aes-128-ecb", enc_main},
+    { FT_cipher, "aes-128-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-    {FUNC_TYPE_CIPHER, "aes-192-cbc", enc_main},
+    { FT_cipher, "aes-192-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-    {FUNC_TYPE_CIPHER, "aes-192-ecb", enc_main},
+    { FT_cipher, "aes-192-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-    {FUNC_TYPE_CIPHER, "aes-256-cbc", enc_main},
+    { FT_cipher, "aes-256-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-    {FUNC_TYPE_CIPHER, "aes-256-ecb", enc_main},
+    { FT_cipher, "aes-256-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    {FUNC_TYPE_CIPHER, "camellia-128-cbc", enc_main},
+    { FT_cipher, "camellia-128-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    {FUNC_TYPE_CIPHER, "camellia-128-ecb", enc_main},
+    { FT_cipher, "camellia-128-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    {FUNC_TYPE_CIPHER, "camellia-192-cbc", enc_main},
+    { FT_cipher, "camellia-192-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    {FUNC_TYPE_CIPHER, "camellia-192-ecb", enc_main},
+    { FT_cipher, "camellia-192-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    {FUNC_TYPE_CIPHER, "camellia-256-cbc", enc_main},
+    { FT_cipher, "camellia-256-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    {FUNC_TYPE_CIPHER, "camellia-256-ecb", enc_main},
+    { FT_cipher, "camellia-256-ecb", enc_main, enc_options },
 #endif
-    {FUNC_TYPE_CIPHER, "base64", enc_main},
+    { FT_cipher, "base64", enc_main, enc_options },
 #ifdef ZLIB
-    {FUNC_TYPE_CIPHER, "zlib", enc_main},
+    { FT_cipher, "zlib", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des", enc_main},
+    { FT_cipher, "des", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des3", enc_main},
+    { FT_cipher, "des3", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "desx", enc_main},
+    { FT_cipher, "desx", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-    {FUNC_TYPE_CIPHER, "idea", enc_main},
+    { FT_cipher, "idea", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-    {FUNC_TYPE_CIPHER, "seed", enc_main},
+    { FT_cipher, "seed", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC4
-    {FUNC_TYPE_CIPHER, "rc4", enc_main},
+    { FT_cipher, "rc4", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC4
-    {FUNC_TYPE_CIPHER, "rc4-40", enc_main},
+    { FT_cipher, "rc4-40", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-    {FUNC_TYPE_CIPHER, "rc2", enc_main},
+    { FT_cipher, "rc2", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-    {FUNC_TYPE_CIPHER, "bf", enc_main},
+    { FT_cipher, "bf", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-    {FUNC_TYPE_CIPHER, "cast", enc_main},
+    { FT_cipher, "cast", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-    {FUNC_TYPE_CIPHER, "rc5", enc_main},
+    { FT_cipher, "rc5", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ecb", enc_main},
+    { FT_cipher, "des-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ede", enc_main},
+    { FT_cipher, "des-ede", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ede3", enc_main},
+    { FT_cipher, "des-ede3", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-cbc", enc_main},
+    { FT_cipher, "des-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ede-cbc", enc_main},
+    { FT_cipher, "des-ede-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ede3-cbc", enc_main},
+    { FT_cipher, "des-ede3-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-cfb", enc_main},
+    { FT_cipher, "des-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ede-cfb", enc_main},
+    { FT_cipher, "des-ede-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ede3-cfb", enc_main},
+    { FT_cipher, "des-ede3-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ofb", enc_main},
+    { FT_cipher, "des-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ede-ofb", enc_main},
+    { FT_cipher, "des-ede-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-    {FUNC_TYPE_CIPHER, "des-ede3-ofb", enc_main},
+    { FT_cipher, "des-ede3-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-    {FUNC_TYPE_CIPHER, "idea-cbc", enc_main},
+    { FT_cipher, "idea-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-    {FUNC_TYPE_CIPHER, "idea-ecb", enc_main},
+    { FT_cipher, "idea-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-    {FUNC_TYPE_CIPHER, "idea-cfb", enc_main},
+    { FT_cipher, "idea-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-    {FUNC_TYPE_CIPHER, "idea-ofb", enc_main},
+    { FT_cipher, "idea-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-    {FUNC_TYPE_CIPHER, "seed-cbc", enc_main},
+    { FT_cipher, "seed-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-    {FUNC_TYPE_CIPHER, "seed-ecb", enc_main},
+    { FT_cipher, "seed-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-    {FUNC_TYPE_CIPHER, "seed-cfb", enc_main},
+    { FT_cipher, "seed-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-    {FUNC_TYPE_CIPHER, "seed-ofb", enc_main},
+    { FT_cipher, "seed-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-    {FUNC_TYPE_CIPHER, "rc2-cbc", enc_main},
+    { FT_cipher, "rc2-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-    {FUNC_TYPE_CIPHER, "rc2-ecb", enc_main},
+    { FT_cipher, "rc2-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-    {FUNC_TYPE_CIPHER, "rc2-cfb", enc_main},
+    { FT_cipher, "rc2-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-    {FUNC_TYPE_CIPHER, "rc2-ofb", enc_main},
+    { FT_cipher, "rc2-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-    {FUNC_TYPE_CIPHER, "rc2-64-cbc", enc_main},
+    { FT_cipher, "rc2-64-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-    {FUNC_TYPE_CIPHER, "rc2-40-cbc", enc_main},
+    { FT_cipher, "rc2-40-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-    {FUNC_TYPE_CIPHER, "bf-cbc", enc_main},
+    { FT_cipher, "bf-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-    {FUNC_TYPE_CIPHER, "bf-ecb", enc_main},
+    { FT_cipher, "bf-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-    {FUNC_TYPE_CIPHER, "bf-cfb", enc_main},
+    { FT_cipher, "bf-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-    {FUNC_TYPE_CIPHER, "bf-ofb", enc_main},
+    { FT_cipher, "bf-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-    {FUNC_TYPE_CIPHER, "cast5-cbc", enc_main},
+    { FT_cipher, "cast5-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-    {FUNC_TYPE_CIPHER, "cast5-ecb", enc_main},
+    { FT_cipher, "cast5-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-    {FUNC_TYPE_CIPHER, "cast5-cfb", enc_main},
+    { FT_cipher, "cast5-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-    {FUNC_TYPE_CIPHER, "cast5-ofb", enc_main},
+    { FT_cipher, "cast5-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-    {FUNC_TYPE_CIPHER, "cast-cbc", enc_main},
+    { FT_cipher, "cast-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-    {FUNC_TYPE_CIPHER, "rc5-cbc", enc_main},
+    { FT_cipher, "rc5-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-    {FUNC_TYPE_CIPHER, "rc5-ecb", enc_main},
+    { FT_cipher, "rc5-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-    {FUNC_TYPE_CIPHER, "rc5-cfb", enc_main},
+    { FT_cipher, "rc5-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-    {FUNC_TYPE_CIPHER, "rc5-ofb", enc_main},
+    { FT_cipher, "rc5-ofb", enc_main, enc_options },
 #endif
-    {0, NULL, NULL}
+    { 0, NULL, NULL}
 };
+#endif

apps/progs.pl

@@ -1,67 +1,84 @@
 #!/usr/local/bin/perl
-
-print "/* apps/progs.h */\n";
-print "/* automatically generated by progs.pl for openssl.c */\n\n";
-
-grep(s/^asn1pars$/asn1parse/,@ARGV);
-
-foreach (@ARGV)
-	{ printf "extern int %s_main(int argc,char *argv[]);\n",$_; }
+# Generate progs.h file from list of "programs" passed on the command line.
 
 print <<'EOF';
+/*
+ * Automatically generated by progs.pl for openssl.c
+ * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
+ * See the openssl.c for copyright details.
+ */
 
-#define FUNC_TYPE_GENERAL	1
-#define FUNC_TYPE_MD		2
-#define FUNC_TYPE_CIPHER	3
-#define FUNC_TYPE_PKEY		4
-#define FUNC_TYPE_MD_ALG	5
-#define FUNC_TYPE_CIPHER_ALG	6
+typedef enum FUNC_TYPE {
+    FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
+    FT_md_alg, FT_cipher_alg
+} FUNC_TYPE;
 
-typedef struct {
-	int type;
-	const char *name;
-	int (*func)(int argc,char *argv[]);
-	} FUNCTION;
-DECLARE_LHASH_OF(FUNCTION);
+typedef struct function_st {
+    FUNC_TYPE type;
+    const char *name;
+    int (*func)(int argc,char *argv[]);
+    const OPTIONS *help;
+} FUNCTION;
+
+DEFINE_LHASH_OF(FUNCTION);
 
-FUNCTION functions[] = {
 EOF
 
-foreach (@ARGV)
-	{
-	push(@files,$_);
-	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
-	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
-		{ print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n"; } 
-	elsif ( ($_ =~ /^speed$/))
-		{ print "#ifndef OPENSSL_NO_SPEED\n${str}#endif\n"; }
-	elsif ( ($_ =~ /^engine$/))
-		{ print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n"; }
-	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) || ($_ =~ /^rsautl$/)) 
-		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
-	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
-		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
-	elsif ( ($_ =~ /^ec$/) || ($_ =~ /^ecparam$/))
-		{ print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";}
-	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
-		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
-	elsif ( ($_ =~ /^pkcs12$/))
-		{ print "#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)\n${str}#endif\n"; }
-	elsif ( ($_ =~ /^cms$/))
-		{ print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; }
-	elsif ( ($_ =~ /^ocsp$/))
-		{ print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; }
-	elsif ( ($_ =~ /^srp$/))
-		{ print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n"; }
-	else
-		{ print $str; }
-	}
+grep(s/\.o//, @ARGV);
+grep(s/^asn1pars$/asn1parse/, @ARGV);
+grep(s/^crl2p7$/crl2pkcs7/, @ARGV);
+push @ARGV, 'list';
+push @ARGV, 'help';
+push @ARGV, 'exit';
 
-foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160","sha224","sha256","sha384","sha512")
-	{
-	push(@files,$_);
-	printf "#ifndef OPENSSL_NO_".uc($_)."\n\t{FUNC_TYPE_MD,\"".$_."\",dgst_main},\n#endif\n";
+foreach (@ARGV) {
+	printf "extern int %s_main(int argc, char *argv[]);\n", $_;
+}
+
+print "\n";
+
+foreach (@ARGV) {
+	printf "extern OPTIONS %s_options[];\n", $_;
+}
+print "\n#ifdef INCLUDE_FUNCTION_TABLE\n";
+print "static FUNCTION functions[] = {\n";
+foreach (@ARGV) {
+	$str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
+	if (/^s_/ || /^ciphers$/) {
+		print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n";
+	} elsif (/^engine$/) {
+		print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n";
+	} elsif (/^rsa$/ || /^genrsa$/ || /^rsautl$/) {
+		print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";
+	} elsif (/^dsa$/ || /^gendsa$/ || /^dsaparam$/) {
+		print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n";
+	} elsif (/^ec$/ || /^ecparam$/) {
+		print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";
+	} elsif (/^dh$/ || /^gendh$/ || /^dhparam$/) {
+		print "#ifndef OPENSSL_NO_DH\n${str}#endif\n";
+	} elsif (/^pkcs12$/) {
+		print "#if !defined(OPENSSL_NO_DES)\n${str}#endif\n";
+	} elsif (/^cms$/) {
+		print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n";
+	} elsif (/^ocsp$/) {
+		print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n";
+	} elsif (/^srp$/) {
+		print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n";
+	} else {
+		print $str;
 	}
+}
+
+foreach (
+	"md2", "md4", "md5",
+	"md_ghost94",
+	"sha", "sha1", "sha224", "sha256", "sha384", "sha512",
+	"mdc2", "rmd160"
+) {
+        printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
+        printf "    { FT_md, \"".$_."\", dgst_main},\n";
+        printf "#endif\n" if ! /sha/;
+}
 
 foreach (
 	"aes-128-cbc", "aes-128-ecb",
@@ -82,23 +99,35 @@ foreach (
 	"rc2-cbc", "rc2-ecb", "rc2-cfb","rc2-ofb", "rc2-64-cbc", "rc2-40-cbc",
 	"bf-cbc",  "bf-ecb",     "bf-cfb",   "bf-ofb",
 	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
-	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb")
-	{
-	push(@files,$_);
-
-	$t=sprintf("\t{FUNC_TYPE_CIPHER,\"%s\",enc_main},\n",$_);
-	if    ($_ =~ /des/)  { $t="#ifndef OPENSSL_NO_DES\n${t}#endif\n"; }
-	elsif ($_ =~ /aes/)  { $t="#ifndef OPENSSL_NO_AES\n${t}#endif\n"; }
-	elsif ($_ =~ /camellia/)  { $t="#ifndef OPENSSL_NO_CAMELLIA\n${t}#endif\n"; }
-	elsif ($_ =~ /idea/) { $t="#ifndef OPENSSL_NO_IDEA\n${t}#endif\n"; }
-	elsif ($_ =~ /seed/) { $t="#ifndef OPENSSL_NO_SEED\n${t}#endif\n"; }
-	elsif ($_ =~ /rc4/)  { $t="#ifndef OPENSSL_NO_RC4\n${t}#endif\n"; }
-	elsif ($_ =~ /rc2/)  { $t="#ifndef OPENSSL_NO_RC2\n${t}#endif\n"; }
-	elsif ($_ =~ /bf/)   { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; }
-	elsif ($_ =~ /cast/) { $t="#ifndef OPENSSL_NO_CAST\n${t}#endif\n"; }
-	elsif ($_ =~ /rc5/)  { $t="#ifndef OPENSSL_NO_RC5\n${t}#endif\n"; }
-	elsif ($_ =~ /zlib/)  { $t="#ifdef ZLIB\n${t}#endif\n"; }
-	print $t;
+	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb"
+) {
+	$str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
+	if (/des/) {
+		printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n";
+	} elsif (/aes/) {
+		printf "#ifndef OPENSSL_NO_AES\n${str}#endif\n";
+	} elsif (/camellia/) {
+		printf "#ifndef OPENSSL_NO_CAMELLIA\n${str}#endif\n";
+	} elsif (/idea/) {
+		printf "#ifndef OPENSSL_NO_IDEA\n${str}#endif\n";
+	} elsif (/seed/) {
+		printf "#ifndef OPENSSL_NO_SEED\n${str}#endif\n";
+	} elsif (/rc4/) {
+		printf "#ifndef OPENSSL_NO_RC4\n${str}#endif\n";
+	} elsif (/rc2/) {
+		printf "#ifndef OPENSSL_NO_RC2\n${str}#endif\n";
+	} elsif (/bf/) {
+		printf "#ifndef OPENSSL_NO_BF\n${str}#endif\n";
+	} elsif (/cast/) {
+		printf "#ifndef OPENSSL_NO_CAST\n${str}#endif\n";
+	} elsif (/rc5/) {
+		printf "#ifndef OPENSSL_NO_RC5\n${str}#endif\n";
+	} elsif (/zlib/) {
+		printf "#ifdef ZLIB\n${str}#endif\n";
+	} else {
+		print $str;
 	}
+}
 
-print "\t{0,NULL,NULL}\n\t};\n";
+print "    { 0, NULL, NULL}\n};\n";
+printf "#endif\n";

apps/rand.c

@@ -1,4 +1,3 @@
-/* apps/rand.c */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
@@ -63,135 +62,81 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
-#undef PROG
-#define PROG rand_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_OUT, OPT_ENGINE, OPT_RAND, OPT_BASE64, OPT_HEX
+} OPTION_CHOICE;
 
-/*-
- * -out file         - write to file
- * -rand file:file   - PRNG seed files
- * -base64           - base64 encode output
- * -hex              - hex encode output
- * num               - write 'num' bytes
- */
+OPTIONS rand_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [flags] num\n"},
+    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"rand", OPT_RAND, 's',
+     "Load the file(s) into the random number generator"},
+    {"base64", OPT_BASE64, '-', "Base64 encode output"},
+    {"hex", OPT_HEX, '-', "Hex encode output"},
+#ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+#endif
+    {NULL}
+};
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+int rand_main(int argc, char **argv)
 {
-    int i, r, ret = 1;
-    int badopt;
-    char *outfile = NULL;
-    char *inrand = NULL;
-    int base64 = 0;
-    int hex = 0;
     BIO *out = NULL;
-    int num = -1;
-#ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-#endif
+    char *inrand = NULL, *outfile = NULL, *prog;
+    OPTION_CHOICE o;
+    int format = FORMAT_BINARY, i, num = -1, r, ret = 1;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto err;
-
-    badopt = 0;
-    i = 0;
-    while (!badopt && argv[++i] != NULL) {
-        if (strcmp(argv[i], "-out") == 0) {
-            if ((argv[i + 1] != NULL) && (outfile == NULL))
-                outfile = argv[++i];
-            else
-                badopt = 1;
+    prog = opt_init(argc, argv, rand_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(rand_options);
+            ret = 0;
+            goto end;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_ENGINE:
+            (void)setup_engine(opt_arg(), 0);
+            break;
+        case OPT_RAND:
+            inrand = opt_arg();
+            break;
+        case OPT_BASE64:
+            format = FORMAT_BASE64;
+            break;
+        case OPT_HEX:
+            format = FORMAT_TEXT;
+            break;
         }
-#ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(argv[i], "-engine") == 0) {
-            if ((argv[i + 1] != NULL) && (engine == NULL))
-                engine = argv[++i];
-            else
-                badopt = 1;
-        }
-#endif
-        else if (strcmp(argv[i], "-rand") == 0) {
-            if ((argv[i + 1] != NULL) && (inrand == NULL))
-                inrand = argv[++i];
-            else
-                badopt = 1;
-        } else if (strcmp(argv[i], "-base64") == 0) {
-            if (!base64)
-                base64 = 1;
-            else
-                badopt = 1;
-        } else if (strcmp(argv[i], "-hex") == 0) {
-            if (!hex)
-                hex = 1;
-            else
-                badopt = 1;
-        } else if (isdigit((unsigned char)argv[i][0])) {
-            if (num < 0) {
-                r = sscanf(argv[i], "%d", &num);
-                if (r == 0 || num < 0)
-                    badopt = 1;
-            } else
-                badopt = 1;
-        } else
-            badopt = 1;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    if (hex && base64)
-        badopt = 1;
+    if (argc != 1 || !opt_int(argv[0], &num) || num < 0)
+        goto opthelp;
 
-    if (num < 0)
-        badopt = 1;
-
-    if (badopt) {
-        BIO_printf(bio_err, "Usage: rand [options] num\n");
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err, "-out file             - write to file\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   "-engine e             - use engine e, possibly a hardware device.\n");
-#endif
-        BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n",
-                   LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-        BIO_printf(bio_err, "-base64               - base64 encode output\n");
-        BIO_printf(bio_err, "-hex                  - hex encode output\n");
-        goto err;
-    }
-#ifndef OPENSSL_NO_ENGINE
-    setup_engine(bio_err, engine, 0);
-#endif
-
-    app_RAND_load_file(NULL, bio_err, (inrand != NULL));
+    app_RAND_load_file(NULL, (inrand != NULL));
     if (inrand != NULL)
         BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                    app_RAND_load_files(inrand));
 
-    out = BIO_new(BIO_s_file());
+    out = bio_open_default(outfile, 'w', format);
     if (out == NULL)
-        goto err;
-    if (outfile != NULL)
-        r = BIO_write_filename(out, outfile);
-    else {
-        r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
-#ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-#endif
-    }
-    if (r <= 0)
-        goto err;
+        goto end;
 
-    if (base64) {
+    if (format == FORMAT_BASE64) {
         BIO *b64 = BIO_new(BIO_f_base64());
         if (b64 == NULL)
-            goto err;
+            goto end;
         out = BIO_push(b64, out);
     }
 
@@ -204,8 +149,8 @@ int MAIN(int argc, char **argv)
             chunk = sizeof buf;
         r = RAND_bytes(buf, chunk);
         if (r <= 0)
-            goto err;
-        if (!hex)
+            goto end;
+        if (format != FORMAT_TEXT) /* hex */
             BIO_write(out, buf, chunk);
         else {
             for (i = 0; i < chunk; i++)
@@ -213,17 +158,14 @@ int MAIN(int argc, char **argv)
         }
         num -= chunk;
     }
-    if (hex)
+    if (format == FORMAT_TEXT)
         BIO_puts(out, "\n");
     (void)BIO_flush(out);
 
-    app_RAND_write_file(NULL, bio_err);
+    app_RAND_write_file(NULL);
     ret = 0;
 
- err:
-    ERR_print_errors(bio_err);
-    if (out)
-        BIO_free_all(out);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+ end:
+    BIO_free_all(out);
+    return (ret);
 }

apps/rehash.c

@@ -0,0 +1,494 @@
+/*
+ * C implementation based on the original Perl and shell versions
+ *
+ * Copyright (c) 2013-2014 Timo Teräs <timo.teras@iki.fi>
+ */
+/* ====================================================================
+ * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include "apps.h"
+
+#if defined(OPENSSL_SYS_UNIX) || defined(__APPLE__)
+# include <unistd.h>
+# include <stdio.h>
+# include <limits.h>
+# include <errno.h>
+# include <string.h>
+# include <ctype.h>
+# include <sys/stat.h>
+
+# include "internal/o_dir.h"
+# include <openssl/evp.h>
+# include <openssl/pem.h>
+# include <openssl/x509.h>
+
+
+# ifndef NAME_MAX
+#  define NAME_MAX 255
+# endif
+# define MAX_COLLISIONS  256
+
+typedef struct hentry_st {
+    struct hentry_st *next;
+    char *filename;
+    unsigned short old_id;
+    unsigned char need_symlink;
+    unsigned char digest[EVP_MAX_MD_SIZE];
+} HENTRY;
+
+typedef struct bucket_st {
+    struct bucket_st *next;
+    HENTRY *first_entry, *last_entry;
+    unsigned int hash;
+    unsigned short type;
+    unsigned short num_needed;
+} BUCKET;
+
+enum Type {
+    /* Keep in sync with |suffixes|, below. */
+    TYPE_CERT=0, TYPE_CRL=1
+};
+
+enum Hash {
+    HASH_OLD, HASH_NEW, HASH_BOTH
+};
+
+
+static int evpmdsize;
+static const EVP_MD *evpmd;
+static int remove_links = 1;
+static int verbose = 0;
+static BUCKET *hash_table[257];
+
+static const char *suffixes[] = { "", "r" };
+static const char *extensions[] = { "pem", "crt", "cer", "crl" };
+
+
+static void bit_set(unsigned char *set, unsigned int bit)
+{
+    set[bit >> 3] |= 1 << (bit & 0x7);
+}
+
+static int bit_isset(unsigned char *set, unsigned int bit)
+{
+    return set[bit >> 3] & (1 << (bit & 0x7));
+}
+
+
+/*
+ * Process an entry; return number of errors.
+ */
+static int add_entry(enum Type type, unsigned int hash, const char *filename,
+                      const unsigned char *digest, int need_symlink,
+                      unsigned short old_id)
+{
+    static BUCKET nilbucket;
+    static HENTRY nilhentry;
+    BUCKET *bp;
+    HENTRY *ep, *found = NULL;
+    unsigned int ndx = (type + hash) % OSSL_NELEM(hash_table);
+
+    for (bp = hash_table[ndx]; bp; bp = bp->next)
+        if (bp->type == type && bp->hash == hash)
+            break;
+    if (bp == NULL) {
+        bp = app_malloc(sizeof(*bp), "hash bucket");
+        *bp = nilbucket;
+        bp->next = hash_table[ndx];
+        bp->type = type;
+        bp->hash = hash;
+        hash_table[ndx] = bp;
+    }
+
+    for (ep = bp->first_entry; ep; ep = ep->next) {
+        if (digest && memcmp(digest, ep->digest, evpmdsize) == 0) {
+            BIO_printf(bio_err,
+                       "%s: skipping duplicate certificate in %s\n",
+                       opt_getprog(), filename);
+            return 1;
+        }
+        if (strcmp(filename, ep->filename) == 0) {
+            found = ep;
+            if (digest == NULL)
+                break;
+        }
+    }
+    ep = found;
+    if (ep == NULL) {
+        if (bp->num_needed >= MAX_COLLISIONS) {
+            BIO_printf(bio_err,
+                       "%s: hash table overflow for %s\n",
+                       opt_getprog(), filename);
+            return 1;
+        }
+        ep = app_malloc(sizeof(*ep), "collision bucket");
+        *ep = nilhentry;
+        ep->old_id = ~0;
+        ep->filename = OPENSSL_strdup(filename);
+        if (bp->last_entry)
+            bp->last_entry->next = ep;
+        if (bp->first_entry == NULL)
+            bp->first_entry = ep;
+        bp->last_entry = ep;
+    }
+
+    if (old_id < ep->old_id)
+        ep->old_id = old_id;
+    if (need_symlink && !ep->need_symlink) {
+        ep->need_symlink = 1;
+        bp->num_needed++;
+        memcpy(ep->digest, digest, evpmdsize);
+    }
+    return 0;
+}
+
+/*
+ * Check if a symlink goes to the right spot; return 0 if okay.
+ * This can be -1 if bad filename, or an error count.
+ */
+static int handle_symlink(const char *filename, const char *fullpath)
+{
+    unsigned int hash = 0;
+    int i, type, id;
+    unsigned char ch;
+    char linktarget[PATH_MAX], *endptr;
+    ssize_t n;
+
+    for (i = 0; i < 8; i++) {
+        ch = filename[i];
+        if (!isxdigit(ch))
+            return -1;
+        hash <<= 4;
+        hash += app_hex(ch);
+    }
+    if (filename[i++] != '.')
+        return -1;
+    for (type = OSSL_NELEM(suffixes) - 1; type > 0; type--)
+        if (strcasecmp(suffixes[type], &filename[i]) == 0)
+            break;
+    i += strlen(suffixes[type]);
+
+    id = strtoul(&filename[i], &endptr, 10);
+    if (*endptr != '\0')
+        return -1;
+
+    n = readlink(fullpath, linktarget, sizeof(linktarget));
+    if (n < 0 || n >= (int)sizeof(linktarget))
+        return -1;
+    linktarget[n] = 0;
+
+    return add_entry(type, hash, linktarget, NULL, 0, id);
+}
+
+/*
+ * process a file, return number of errors.
+ */
+static int do_file(const char *filename, const char *fullpath, enum Hash h)
+{
+    STACK_OF (X509_INFO) *inf = NULL;
+    X509_INFO *x;
+    X509_NAME *name = NULL;
+    BIO *b;
+    const char *ext;
+    unsigned char digest[EVP_MAX_MD_SIZE];
+    int type, errs = 0;
+    size_t i;
+
+    /* Does it end with a recognized extension? */
+    if ((ext = strrchr(filename, '.')) == NULL)
+        goto end;
+    for (i = 0; i < OSSL_NELEM(extensions); i++) {
+        if (strcasecmp(extensions[i], ext + 1) == 0)
+            break;
+    }
+    if (i >= OSSL_NELEM(extensions))
+        goto end;
+
+    /* Does it have X.509 data in it? */
+    if ((b = BIO_new_file(fullpath, "r")) == NULL) {
+        BIO_printf(bio_err, "%s: skipping %s, cannot open file\n",
+                   opt_getprog(), filename);
+        errs++;
+        goto end;
+    }
+    inf = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL);
+    BIO_free(b);
+    if (inf == NULL)
+        goto end;
+
+    if (sk_X509_INFO_num(inf) != 1) {
+        BIO_printf(bio_err,
+                   "%s: skipping %s,"
+                   "it does not contain exactly one certificate or CRL\n",
+                   opt_getprog(), filename);
+        /* This is not an error. */
+        goto end;
+    }
+    x = sk_X509_INFO_value(inf, 0);
+    if (x->x509) {
+        type = TYPE_CERT;
+        name = X509_get_subject_name(x->x509);
+        X509_digest(x->x509, evpmd, digest, NULL);
+    } else if (x->crl) {
+        type = TYPE_CRL;
+        name = X509_CRL_get_issuer(x->crl);
+        X509_CRL_digest(x->crl, evpmd, digest, NULL);
+    } else {
+        ++errs;
+        goto end;
+    }
+    if (name) {
+        if ((h == HASH_NEW) || (h == HASH_BOTH))
+            errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0);
+        if ((h == HASH_OLD) || (h == HASH_BOTH))
+            errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0);
+    }
+
+end:
+    sk_X509_INFO_pop_free(inf, X509_INFO_free);
+    return errs;
+}
+
+/*
+ * Process a directory; return number of errors found.
+ */
+static int do_dir(const char *dirname, enum Hash h)
+{
+    BUCKET *bp, *nextbp;
+    HENTRY *ep, *nextep;
+    OPENSSL_DIR_CTX *d = NULL;
+    struct stat st;
+    unsigned char idmask[MAX_COLLISIONS / 8];
+    int n, nextid, buflen, errs = 0;
+    size_t i;
+    const char *pathsep;
+    const char *filename;
+    char *buf;
+
+    if (app_access(dirname, W_OK) < 0) {
+        BIO_printf(bio_err, "Skipping %s, can't write\n", dirname);
+        return 1;
+    }
+    buflen = strlen(dirname);
+    pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/";
+    buflen += NAME_MAX + 1 + 1;
+    buf = app_malloc(buflen, "filename buffer");
+
+    if (verbose)
+        BIO_printf(bio_out, "Doing %s\n", dirname);
+
+    while ((filename = OPENSSL_DIR_read(&d, dirname)) != NULL) {
+        if (snprintf(buf, buflen, "%s%s%s",
+                    dirname, pathsep, filename) >= buflen)
+            continue;
+        if (lstat(buf, &st) < 0)
+            continue;
+        if (S_ISLNK(st.st_mode) && handle_symlink(filename, buf) == 0)
+            continue;
+        errs += do_file(filename, buf, h);
+    }
+    OPENSSL_DIR_end(&d);
+
+    for (i = 0; i < OSSL_NELEM(hash_table); i++) {
+        for (bp = hash_table[i]; bp; bp = nextbp) {
+            nextbp = bp->next;
+            nextid = 0;
+            memset(idmask, 0, (bp->num_needed + 7) / 8);
+            for (ep = bp->first_entry; ep; ep = ep->next)
+                if (ep->old_id < bp->num_needed)
+                    bit_set(idmask, ep->old_id);
+
+            for (ep = bp->first_entry; ep; ep = nextep) {
+                nextep = ep->next;
+                if (ep->old_id < bp->num_needed) {
+                    /* Link exists, and is used as-is */
+                    snprintf(buf, buflen, "%08x.%s%d", bp->hash,
+                             suffixes[bp->type], ep->old_id);
+                    if (verbose)
+                        BIO_printf(bio_out, "link %s -> %s\n",
+                                   ep->filename, buf);
+                } else if (ep->need_symlink) {
+                    /* New link needed (it may replace something) */
+                    while (bit_isset(idmask, nextid))
+                        nextid++;
+
+                    snprintf(buf, buflen, "%s%s%n%08x.%s%d",
+                             dirname, pathsep, &n, bp->hash,
+                             suffixes[bp->type], nextid);
+                    if (verbose)
+                        BIO_printf(bio_out, "link %s -> %s\n",
+                                   ep->filename, &buf[n]);
+                    if (unlink(buf) < 0 && errno != ENOENT) {
+                        BIO_printf(bio_err,
+                                   "%s: Can't unlink %s, %s\n",
+                                   opt_getprog(), buf, strerror(errno));
+                        errs++;
+                    }
+                    if (symlink(ep->filename, buf) < 0) {
+                        BIO_printf(bio_err,
+                                   "%s: Can't symlink %s, %s\n",
+                                   opt_getprog(), ep->filename,
+                                   strerror(errno));
+                        errs++;
+                    }
+                } else if (remove_links) {
+                    /* Link to be deleted */
+                    snprintf(buf, buflen, "%s%s%n%08x.%s%d",
+                             dirname, pathsep, &n, bp->hash,
+                             suffixes[bp->type], ep->old_id);
+                    if (verbose)
+                        BIO_printf(bio_out, "unlink %s\n",
+                                   &buf[n]);
+                    if (unlink(buf) < 0 && errno != ENOENT) {
+                        BIO_printf(bio_err,
+                                   "%s: Can't unlink %s, %s\n",
+                                   opt_getprog(), buf, strerror(errno));
+                        errs++;
+                    }
+                }
+                OPENSSL_free(ep->filename);
+                OPENSSL_free(ep);
+            }
+            OPENSSL_free(bp);
+        }
+        hash_table[i] = NULL;
+    }
+
+    OPENSSL_free(buf);
+    return errs;
+}
+
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE
+} OPTION_CHOICE;
+
+OPTIONS rehash_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert-directory...]\n"},
+    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"},
+    {"old", OPT_OLD, '-', "Use old-style hash to generate links"},
+    {"n", OPT_N, '-', "Do not remove existing links"},
+    {"v", OPT_VERBOSE, '-', "Verbose output"},
+    {NULL}
+};
+
+
+int rehash_main(int argc, char **argv)
+{
+    const char *env, *prog;
+    char *e, *m;
+    int errs = 0;
+    OPTION_CHOICE o;
+    enum Hash h = HASH_NEW;
+
+    prog = opt_init(argc, argv, rehash_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(rehash_options);
+            goto end;
+        case OPT_COMPAT:
+            h = HASH_BOTH;
+            break;
+        case OPT_OLD:
+            h = HASH_OLD;
+            break;
+        case OPT_N:
+            remove_links = 0;
+            break;
+        case OPT_VERBOSE:
+            verbose = 1;
+            break;
+        }
+    }
+    argc = opt_num_rest();
+    argv = opt_rest();
+
+    evpmd = EVP_sha1();
+    evpmdsize = EVP_MD_size(evpmd);
+
+    if (*argv) {
+        while (*argv)
+            errs += do_dir(*argv++, h);
+    } else if ((env = getenv("SSL_CERT_DIR")) != NULL) {
+        m = OPENSSL_strdup(env);
+        for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":"))
+            errs += do_dir(e, h);
+        OPENSSL_free(m);
+    } else {
+        errs += do_dir("/etc/ssl/certs", h);
+    }
+
+ end:
+    return errs;
+}
+
+#else
+OPTIONS rehash_options[] = {
+    {NULL}
+};
+
+int rehash_main(int argc, char **argv)
+{
+    BIO_printf(bio_err, "Not available; use c_rehash script\n");
+    return (1);
+}
+
+#endif /* defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) */

apps/rsa.c

@@ -1,4 +1,3 @@
-/* apps/rsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -55,6 +54,54 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
 
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_RSA
@@ -71,205 +118,149 @@
 # include <openssl/pem.h>
 # include <openssl/bn.h>
 
-# undef PROG
-# define PROG    rsa_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
+    OPT_PUBIN, OPT_PUBOUT, OPT_PASSOUT, OPT_PASSIN,
+    OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT, OPT_PVK_STRONG, OPT_PVK_WEAK,
+    OPT_PVK_NONE, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER
+} OPTION_CHOICE;
 
-/*-
- * -inform arg  - input format - default PEM (one of DER, NET or PEM)
- * -outform arg - output format - default PEM
- * -in arg      - input file - default stdin
- * -out arg     - output file - default stdout
- * -des         - encrypt output if PEM format with DES in cbc mode
- * -des3        - encrypt output if PEM format
- * -idea        - encrypt output if PEM format
- * -seed        - encrypt output if PEM format
- * -aes128      - encrypt output if PEM format
- * -aes192      - encrypt output if PEM format
- * -aes256      - encrypt output if PEM format
- * -camellia128 - encrypt output if PEM format
- * -camellia192 - encrypt output if PEM format
- * -camellia256 - encrypt output if PEM format
- * -text        - print a text version
- * -modulus     - print the RSA key modulus
- * -check       - verify key consistency
- * -pubin       - Expect a public key in input file.
- * -pubout      - Output a public key.
- */
+OPTIONS rsa_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"},
+    {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
+    {"pubout", OPT_PUBOUT, '-', "Output a public key"},
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
+    {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"},
+    {"noout", OPT_NOOUT, '-', "Don't print key out"},
+    {"text", OPT_TEXT, '-', "Print the key in text"},
+    {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
+    {"check", OPT_CHECK, '-', "Verify key consistency"},
+    {"", OPT_CIPHER, '-', "Any supported cipher"},
+# ifdef OPENSSL_NO_RC4
+    {"pvk-strong", OPT_PVK_STRONG, '-'},
+    {"pvk-weak", OPT_PVK_WEAK, '-'},
+    {"pvk-none", OPT_PVK_NONE, '-'},
+# endif
+# ifndef OPENSSL_NO_ENGINE
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+# endif
+    {NULL}
+};
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+int rsa_main(int argc, char **argv)
 {
     ENGINE *e = NULL;
-    int ret = 1;
-    RSA *rsa = NULL;
-    int i, badops = 0, sgckey = 0;
-    const EVP_CIPHER *enc = NULL;
     BIO *out = NULL;
-    int informat, outformat, text = 0, check = 0, noout = 0;
-    int pubin = 0, pubout = 0;
-    char *infile, *outfile, *prog;
-    char *passargin = NULL, *passargout = NULL;
-    char *passin = NULL, *passout = NULL;
-# ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
-# endif
-    int modulus = 0;
+    RSA *rsa = NULL;
+    const EVP_CIPHER *enc = NULL;
+    char *infile = NULL, *outfile = NULL, *prog;
+    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
+    int i, private = 0;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
+    int noout = 0, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
+    OPTION_CHOICE o;
 
-    int pvk_encr = 2;
-
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-
-    infile = NULL;
-    outfile = NULL;
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    prog = argv[0];
-    argc--;
-    argv++;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-passin") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passargin = *(++argv);
-        } else if (strcmp(*argv, "-passout") == 0) {
-            if (--argc < 1)
-                goto bad;
-            passargout = *(++argv);
-        }
-# ifndef OPENSSL_NO_ENGINE
-        else if (strcmp(*argv, "-engine") == 0) {
-            if (--argc < 1)
-                goto bad;
-            engine = *(++argv);
-        }
-# endif
-        else if (strcmp(*argv, "-sgckey") == 0)
-            sgckey = 1;
-        else if (strcmp(*argv, "-pubin") == 0)
+    prog = opt_init(argc, argv, rsa_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(rsa_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat))
+                goto opthelp;
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
+        case OPT_PASSOUT:
+            passoutarg = opt_arg();
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_PUBIN:
             pubin = 1;
-        else if (strcmp(*argv, "-pubout") == 0)
+            break;
+        case OPT_PUBOUT:
             pubout = 1;
-        else if (strcmp(*argv, "-RSAPublicKey_in") == 0)
+            break;
+        case OPT_RSAPUBKEY_IN:
             pubin = 2;
-        else if (strcmp(*argv, "-RSAPublicKey_out") == 0)
+            break;
+        case OPT_RSAPUBKEY_OUT:
             pubout = 2;
-        else if (strcmp(*argv, "-pvk-strong") == 0)
+            break;
+#ifndef OPENSSL_NO_RC4
+        case OPT_PVK_STRONG:
             pvk_encr = 2;
-        else if (strcmp(*argv, "-pvk-weak") == 0)
+            break;
+        case OPT_PVK_WEAK:
             pvk_encr = 1;
-        else if (strcmp(*argv, "-pvk-none") == 0)
+            break;
+        case OPT_PVK_NONE:
             pvk_encr = 0;
-        else if (strcmp(*argv, "-noout") == 0)
+            break;
+#else
+        case OPT_PVK_STRONG:
+        case OPT_PVK_WEAK:
+        case OPT_PVK_NONE:
+            break;
+#endif
+        case OPT_NOOUT:
             noout = 1;
-        else if (strcmp(*argv, "-text") == 0)
+            break;
+        case OPT_TEXT:
             text = 1;
-        else if (strcmp(*argv, "-modulus") == 0)
+            break;
+        case OPT_MODULUS:
             modulus = 1;
-        else if (strcmp(*argv, "-check") == 0)
+            break;
+        case OPT_CHECK:
             check = 1;
-        else if ((enc = EVP_get_cipherbyname(&(argv[0][1]))) == NULL) {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
+            break;
+        case OPT_CIPHER:
+            if (!opt_cipher(opt_unknown(), &enc))
+                goto opthelp;
             break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
+    private = (text && !pubin) || (!pubout && !noout) ? 1 : 0;
 
-    if (badops) {
- bad:
-        BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
-        BIO_printf(bio_err, "where options are\n");
-        BIO_printf(bio_err,
-                   " -inform arg     input format - one of DER NET PEM\n");
-        BIO_printf(bio_err,
-                   " -outform arg    output format - one of DER NET PEM\n");
-        BIO_printf(bio_err, " -in arg         input file\n");
-        BIO_printf(bio_err, " -sgckey         Use IIS SGC key format\n");
-        BIO_printf(bio_err,
-                   " -passin arg     input file pass phrase source\n");
-        BIO_printf(bio_err, " -out arg        output file\n");
-        BIO_printf(bio_err,
-                   " -passout arg    output file pass phrase source\n");
-        BIO_printf(bio_err,
-                   " -des            encrypt PEM output with cbc des\n");
-        BIO_printf(bio_err,
-                   " -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
-# ifndef OPENSSL_NO_IDEA
-        BIO_printf(bio_err,
-                   " -idea           encrypt PEM output with cbc idea\n");
-# endif
-# ifndef OPENSSL_NO_SEED
-        BIO_printf(bio_err,
-                   " -seed           encrypt PEM output with cbc seed\n");
-# endif
-# ifndef OPENSSL_NO_AES
-        BIO_printf(bio_err, " -aes128, -aes192, -aes256\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc aes\n");
-# endif
-# ifndef OPENSSL_NO_CAMELLIA
-        BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
-        BIO_printf(bio_err,
-                   "                 encrypt PEM output with cbc camellia\n");
-# endif
-        BIO_printf(bio_err, " -text           print the key in text\n");
-        BIO_printf(bio_err, " -noout          don't print key out\n");
-        BIO_printf(bio_err, " -modulus        print the RSA key modulus\n");
-        BIO_printf(bio_err, " -check          verify key consistency\n");
-        BIO_printf(bio_err,
-                   " -pubin          expect a public key in input file\n");
-        BIO_printf(bio_err, " -pubout         output a public key\n");
-# ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err,
-                   " -engine e       use engine e, possibly a hardware device.\n");
-# endif
-        goto end;
-    }
-
-    ERR_load_crypto_strings();
-
-# ifndef OPENSSL_NO_ENGINE
-    e = setup_engine(bio_err, engine, 0);
-# endif
-
-    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
         BIO_printf(bio_err, "Error getting passwords\n");
         goto end;
     }
-
     if (check && pubin) {
         BIO_printf(bio_err, "Only private keys can be checked\n");
         goto end;
     }
 
-    out = BIO_new(BIO_s_file());
-
     {
         EVP_PKEY *pkey;
 
@@ -280,18 +271,12 @@ int MAIN(int argc, char **argv)
                     tmpformat = FORMAT_PEMRSA;
                 else if (informat == FORMAT_ASN1)
                     tmpformat = FORMAT_ASN1RSA;
-            } else if (informat == FORMAT_NETSCAPE && sgckey)
-                tmpformat = FORMAT_IISSGC;
-            else
+            } else
                 tmpformat = informat;
 
-            pkey = load_pubkey(bio_err, infile, tmpformat, 1,
-                               passin, e, "Public Key");
+            pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key");
         } else
-            pkey = load_key(bio_err, infile,
-                            (informat == FORMAT_NETSCAPE && sgckey ?
-                             FORMAT_IISSGC : informat), 1,
-                            passin, e, "Private Key");
+            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
 
         if (pkey != NULL)
             rsa = EVP_PKEY_get1_RSA(pkey);
@@ -303,27 +288,18 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (outfile == NULL) {
-        BIO_set_fp(out, stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    } else {
-        if (BIO_write_filename(out, outfile) <= 0) {
-            perror(outfile);
-            goto end;
-        }
-    }
+    out = bio_open_owner(outfile, outformat, private);
+    if (out == NULL)
+        goto end;
 
-    if (text)
+    if (text) {
+        assert(pubin || private);
         if (!RSA_print(out, rsa, 0)) {
             perror(outfile);
             ERR_print_errors(bio_err);
             goto end;
         }
+    }
 
     if (modulus) {
         BIO_printf(out, "Modulus=");
@@ -349,8 +325,8 @@ int MAIN(int argc, char **argv)
             }
         }
 
-        if (r == -1 || ERR_peek_error() != 0) { /* should happen only if r ==
-                                                 * -1 */
+        /* should happen only if r == -1 */
+        if (r == -1 || ERR_peek_error() != 0) {
             ERR_print_errors(bio_err);
             goto end;
         }
@@ -367,46 +343,41 @@ int MAIN(int argc, char **argv)
                 i = i2d_RSAPublicKey_bio(out, rsa);
             else
                 i = i2d_RSA_PUBKEY_bio(out, rsa);
-        } else
+        } else {
+            assert(private);
             i = i2d_RSAPrivateKey_bio(out, rsa);
-    }
-# ifndef OPENSSL_NO_RC4
-    else if (outformat == FORMAT_NETSCAPE) {
-        unsigned char *p, *pp;
-        int size;
-
-        i = 1;
-        size = i2d_RSA_NET(rsa, NULL, NULL, sgckey);
-        if ((p = (unsigned char *)OPENSSL_malloc(size)) == NULL) {
-            BIO_printf(bio_err, "Memory allocation failure\n");
-            goto end;
         }
-        pp = p;
-        i2d_RSA_NET(rsa, &p, NULL, sgckey);
-        BIO_write(out, (char *)pp, size);
-        OPENSSL_free(pp);
     }
-# endif
     else if (outformat == FORMAT_PEM) {
         if (pubout || pubin) {
             if (pubout == 2)
                 i = PEM_write_bio_RSAPublicKey(out, rsa);
             else
                 i = PEM_write_bio_RSA_PUBKEY(out, rsa);
-        } else
+        } else {
+            assert(private);
             i = PEM_write_bio_RSAPrivateKey(out, rsa,
                                             enc, NULL, 0, NULL, passout);
+        }
 # if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
     } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
         EVP_PKEY *pk;
         pk = EVP_PKEY_new();
         EVP_PKEY_set1_RSA(pk, rsa);
-        if (outformat == FORMAT_PVK)
+        if (outformat == FORMAT_PVK) {
+            if (pubin) {
+                BIO_printf(bio_err, "PVK form impossible with public key input\n");
+                EVP_PKEY_free(pk);
+                goto end;
+            }
+            assert(private);
             i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
-        else if (pubin || pubout)
+        } else if (pubin || pubout) {
             i = i2b_PublicKey_bio(out, pk);
-        else
+        } else {
+            assert(private);
             i = i2b_PrivateKey_bio(out, pk);
+        }
         EVP_PKEY_free(pk);
 # endif
     } else {
@@ -419,16 +390,11 @@ int MAIN(int argc, char **argv)
     } else
         ret = 0;
  end:
-    if (out != NULL)
-        BIO_free_all(out);
-    if (rsa != NULL)
-        RSA_free(rsa);
-    if (passin)
-        OPENSSL_free(passin);
-    if (passout)
-        OPENSSL_free(passout);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    BIO_free_all(out);
+    RSA_free(rsa);
+    OPENSSL_free(passin);
+    OPENSSL_free(passout);
+    return (ret);
 }
 #else                           /* !OPENSSL_NO_RSA */
 

apps/rsautl.c

@@ -1,4 +1,3 @@
-/* rsautl.c */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 2000.
@@ -75,150 +74,160 @@
 # define KEY_PUBKEY      2
 # define KEY_CERT        3
 
-static void usage(void);
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_ENGINE, OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP,
+    OPT_RAW, OPT_OAEP, OPT_SSL, OPT_PKCS, OPT_X931,
+    OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
+    OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM
+} OPTION_CHOICE;
 
-# undef PROG
-
-# define PROG rsautl_main
-
-int MAIN(int argc, char **);
-
-int MAIN(int argc, char **argv)
-{
-    ENGINE *e = NULL;
-    BIO *in = NULL, *out = NULL;
-    char *infile = NULL, *outfile = NULL;
+OPTIONS rsautl_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"in", OPT_IN, '<', "Input file"},
+    {"out", OPT_OUT, '>', "Output file"},
+    {"inkey", OPT_INKEY, '<', "Input key"},
+    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
+    {"pubin", OPT_PUBIN, '-', "Input is an RSA public"},
+    {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
+    {"ssl", OPT_SSL, '-', "Use SSL v2 padding"},
+    {"raw", OPT_RAW, '-', "Use no padding"},
+    {"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"},
+    {"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"},
+    {"sign", OPT_SIGN, '-', "Sign with private key"},
+    {"verify", OPT_VERIFY, '-', "Verify with public key"},
+    {"asn1parse", OPT_ASN1PARSE, '-'},
+    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
+    {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
+    {"rev", OPT_REV, '-'},
+    {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
+    {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
+    {"passin", OPT_PASSIN, 's', "Pass phrase source"},
 # ifndef OPENSSL_NO_ENGINE
-    char *engine = NULL;
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
-    char *keyfile = NULL;
-    char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
-    int keyform = FORMAT_PEM;
-    char need_priv = 0, badarg = 0, rev = 0;
-    char hexdump = 0, asn1parse = 0;
-    X509 *x;
+    {NULL}
+};
+
+int rsautl_main(int argc, char **argv)
+{
+    BIO *in = NULL, *out = NULL;
+    ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
     RSA *rsa = NULL;
-    unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
-    char *passargin = NULL, *passin = NULL;
-    int rsa_inlen, rsa_outlen = 0;
-    int keysize;
+    X509 *x;
+    char *infile = NULL, *outfile = NULL, *keyfile = NULL;
+    char *passinarg = NULL, *passin = NULL, *prog;
+    char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
+    unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING;
+    int rsa_inlen, keyformat = FORMAT_PEM, keysize, ret = 1;
+    int rsa_outlen = 0, hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0;
+    OPTION_CHOICE o;
 
-    int ret = 1;
-
-    argc--;
-    argv++;
-
-    if (!bio_err)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
-    if (!load_config(bio_err, NULL))
-        goto end;
-    ERR_load_crypto_strings();
-    OpenSSL_add_all_algorithms();
-    pad = RSA_PKCS1_PADDING;
-
-    while (argc >= 1) {
-        if (!strcmp(*argv, "-in")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                infile = *(++argv);
-        } else if (!strcmp(*argv, "-out")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                outfile = *(++argv);
-        } else if (!strcmp(*argv, "-inkey")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                keyfile = *(++argv);
-        } else if (!strcmp(*argv, "-passin")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                passargin = *(++argv);
-        } else if (strcmp(*argv, "-keyform") == 0) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                keyform = str2fmt(*(++argv));
-# ifndef OPENSSL_NO_ENGINE
-        } else if (!strcmp(*argv, "-engine")) {
-            if (--argc < 1)
-                badarg = 1;
-            else
-                engine = *(++argv);
-# endif
-        } else if (!strcmp(*argv, "-pubin")) {
-            key_type = KEY_PUBKEY;
-        } else if (!strcmp(*argv, "-certin")) {
-            key_type = KEY_CERT;
-        } else if (!strcmp(*argv, "-asn1parse"))
+    prog = opt_init(argc, argv, rsautl_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(rsautl_options);
+            ret = 0;
+            goto end;
+        case OPT_KEYFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_ENGINE:
+            e = setup_engine(opt_arg(), 0);
+            break;
+        case OPT_ASN1PARSE:
             asn1parse = 1;
-        else if (!strcmp(*argv, "-hexdump"))
+            break;
+        case OPT_HEXDUMP:
             hexdump = 1;
-        else if (!strcmp(*argv, "-raw"))
+            break;
+        case OPT_RAW:
             pad = RSA_NO_PADDING;
-        else if (!strcmp(*argv, "-oaep"))
+            break;
+        case OPT_OAEP:
             pad = RSA_PKCS1_OAEP_PADDING;
-        else if (!strcmp(*argv, "-ssl"))
+            break;
+        case OPT_SSL:
             pad = RSA_SSLV23_PADDING;
-        else if (!strcmp(*argv, "-pkcs"))
+            break;
+        case OPT_PKCS:
             pad = RSA_PKCS1_PADDING;
-        else if (!strcmp(*argv, "-x931"))
+            break;
+        case OPT_X931:
             pad = RSA_X931_PADDING;
-        else if (!strcmp(*argv, "-sign")) {
+            break;
+        case OPT_SIGN:
             rsa_mode = RSA_SIGN;
             need_priv = 1;
-        } else if (!strcmp(*argv, "-verify"))
+            break;
+        case OPT_VERIFY:
             rsa_mode = RSA_VERIFY;
-        else if (!strcmp(*argv, "-rev"))
+            break;
+        case OPT_REV:
             rev = 1;
-        else if (!strcmp(*argv, "-encrypt"))
+            break;
+        case OPT_ENCRYPT:
             rsa_mode = RSA_ENCRYPT;
-        else if (!strcmp(*argv, "-decrypt")) {
+            break;
+        case OPT_DECRYPT:
             rsa_mode = RSA_DECRYPT;
             need_priv = 1;
-        } else
-            badarg = 1;
-        if (badarg) {
-            usage();
-            goto end;
+            break;
+        case OPT_PUBIN:
+            key_type = KEY_PUBKEY;
+            break;
+        case OPT_CERTIN:
+            key_type = KEY_CERT;
+            break;
+        case OPT_INKEY:
+            keyfile = opt_arg();
+            break;
+        case OPT_PASSIN:
+            passinarg = opt_arg();
+            break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
     if (need_priv && (key_type != KEY_PRIVKEY)) {
         BIO_printf(bio_err, "A private key is needed for this operation\n");
         goto end;
     }
-# ifndef OPENSSL_NO_ENGINE
-    e = setup_engine(bio_err, engine, 0);
-# endif
-    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+
+    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
         BIO_printf(bio_err, "Error getting password\n");
         goto end;
     }
 
 /* FIXME: seed PRNG only if needed */
-    app_RAND_load_file(NULL, bio_err, 0);
+    app_RAND_load_file(NULL, 0);
 
     switch (key_type) {
     case KEY_PRIVKEY:
-        pkey = load_key(bio_err, keyfile, keyform, 0,
-                        passin, e, "Private Key");
+        pkey = load_key(keyfile, keyformat, 0, passin, e, "Private Key");
         break;
 
     case KEY_PUBKEY:
-        pkey = load_pubkey(bio_err, keyfile, keyform, 0,
-                           NULL, e, "Public Key");
+        pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "Public Key");
         break;
 
     case KEY_CERT:
-        x = load_cert(bio_err, keyfile, keyform, NULL, e, "Certificate");
+        x = load_cert(keyfile, keyformat, NULL, e, "Certificate");
         if (x) {
             pkey = X509_get_pubkey(x);
             X509_free(x);
@@ -239,41 +248,23 @@ int MAIN(int argc, char **argv)
         goto end;
     }
 
-    if (infile) {
-        if (!(in = BIO_new_file(infile, "rb"))) {
-            BIO_printf(bio_err, "Error Reading Input File\n");
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-    } else
-        in = BIO_new_fp(stdin, BIO_NOCLOSE);
-
-    if (outfile) {
-        if (!(out = BIO_new_file(outfile, "wb"))) {
-            BIO_printf(bio_err, "Error Reading Output File\n");
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-    } else {
-        out = BIO_new_fp(stdout, BIO_NOCLOSE);
-# ifdef OPENSSL_SYS_VMS
-        {
-            BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            out = BIO_push(tmpbio, out);
-        }
-# endif
-    }
+    in = bio_open_default(infile, 'r', FORMAT_BINARY);
+    if (in == NULL)
+        goto end;
+    out = bio_open_default(outfile, 'w', FORMAT_BINARY);
+    if (out == NULL)
+        goto end;
 
     keysize = RSA_size(rsa);
 
-    rsa_in = OPENSSL_malloc(keysize * 2);
-    rsa_out = OPENSSL_malloc(keysize);
+    rsa_in = app_malloc(keysize * 2, "hold rsa key");
+    rsa_out = app_malloc(keysize, "output rsa key");
 
     /* Read the input data */
     rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
     if (rsa_inlen <= 0) {
         BIO_printf(bio_err, "Error reading input Data\n");
-        exit(1);
+        goto end;
     }
     if (rev) {
         int i;
@@ -324,43 +315,12 @@ int MAIN(int argc, char **argv)
     RSA_free(rsa);
     BIO_free(in);
     BIO_free_all(out);
-    if (rsa_in)
-        OPENSSL_free(rsa_in);
-    if (rsa_out)
-        OPENSSL_free(rsa_out);
-    if (passin)
-        OPENSSL_free(passin);
+    OPENSSL_free(rsa_in);
+    OPENSSL_free(rsa_out);
+    OPENSSL_free(passin);
     return ret;
 }
 
-static void usage()
-{
-    BIO_printf(bio_err, "Usage: rsautl [options]\n");
-    BIO_printf(bio_err, "-in file        input file\n");
-    BIO_printf(bio_err, "-out file       output file\n");
-    BIO_printf(bio_err, "-inkey file     input key\n");
-    BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
-    BIO_printf(bio_err, "-pubin          input is an RSA public\n");
-    BIO_printf(bio_err,
-               "-certin         input is a certificate carrying an RSA public key\n");
-    BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
-    BIO_printf(bio_err, "-raw            use no padding\n");
-    BIO_printf(bio_err,
-               "-pkcs           use PKCS#1 v1.5 padding (default)\n");
-    BIO_printf(bio_err, "-oaep           use PKCS#1 OAEP\n");
-    BIO_printf(bio_err, "-sign           sign with private key\n");
-    BIO_printf(bio_err, "-verify         verify with public key\n");
-    BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
-    BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
-    BIO_printf(bio_err, "-hexdump        hex dump output\n");
-# ifndef OPENSSL_NO_ENGINE
-    BIO_printf(bio_err,
-               "-engine e       use engine e, possibly a hardware device.\n");
-    BIO_printf(bio_err, "-passin arg    pass phrase source\n");
-# endif
-
-}
-
 #else                           /* !OPENSSL_NO_RSA */
 
 # if PEDANTIC

apps/s_apps.h

@@ -144,7 +144,7 @@ typedef fd_mask fd_set;
 # define FD_SET(n, p)    (*(p) |= (1 << ((n) % NFDBITS)))
 # define FD_CLR(n, p)    (*(p) &= ~(1 << ((n) % NFDBITS)))
 # define FD_ISSET(n, p)  (*(p) & (1 << ((n) % NFDBITS)))
-# define FD_ZERO(p)      memset((char *)(p), 0, sizeof(*(p)))
+# define FD_ZERO(p)      memset((p), 0, sizeof(*(p)))
 #endif
 
 #define PORT            4433
@@ -178,9 +178,9 @@ int init_client(int *sock, const char *server, int port, int type);
 int init_client_unix(int *sock, const char *server);
 #endif
 int should_retry(int i);
-int extract_port(const char *str, short *port_ptr);
+int extract_port(const char *str, unsigned short *port_ptr);
 int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-                      short *p);
+                      unsigned short *p);
 
 long bio_dump_callback(BIO *bio, int cmd, const char *argp,
                        int argi, long argl, long ret);
@@ -195,27 +195,24 @@ void tlsext_cb(SSL *s, int client_server, int type, unsigned char *data,
 
 int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
                              unsigned int *cookie_len);
-int verify_cookie_callback(SSL *ssl, unsigned char *cookie,
+int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
                            unsigned int cookie_len);
 
 typedef struct ssl_excert_st SSL_EXCERT;
 
 void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
 void ssl_excert_free(SSL_EXCERT *exc);
-int args_excert(char ***pargs, int *pargc,
-                int *badarg, BIO *err, SSL_EXCERT **pexc);
-int load_excert(SSL_EXCERT **pexc, BIO *err);
-void print_ssl_summary(BIO *bio, SSL *s);
+int args_excert(int option, SSL_EXCERT **pexc);
+int load_excert(SSL_EXCERT **pexc);
+void print_ssl_summary(SSL *s);
 #ifdef HEADER_SSL_H
-int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
-             int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
-int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
-                  STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
+int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
+               SSL_CTX *ctx, int no_jpake);
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
                      int crl_download);
 int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
                     const char *vfyCAfile, const char *chCApath,
                     const char *chCAfile, STACK_OF(X509_CRL) *crls,
                     int crl_download);
-void ssl_ctx_security_debug(SSL_CTX *ctx, BIO *out, int verbose);
+void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
 #endif

apps/s_socket.c

@@ -1,6 +1,3 @@
-/*
- * apps/s_socket.c - socket-related functions used by s_client and s_server
- */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,7 +54,56 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 199-2015 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ */
 
+/* socket-related functions used by s_client and s_server */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -76,10 +122,8 @@ typedef unsigned int u_int;
 #endif
 
 #define USE_SOCKETS
-#define NON_MAIN
 #include "apps.h"
 #undef USE_SOCKETS
-#undef NON_MAIN
 #include "s_apps.h"
 #include <openssl/ssl.h>
 
@@ -95,7 +139,6 @@ typedef unsigned int u_int;
 #  include "netdb.h"
 # endif
 
-static struct hostent *GetHostByName(const char *name);
 # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 static void ssl_sock_cleanup(void);
 # endif
@@ -185,7 +228,7 @@ static int ssl_sock_init(void)
             return (0);
         }
     }
-# endif                         /* OPENSSL_SYS_WINDOWS */
+# endif
     return (1);
 }
 
@@ -209,7 +252,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
     if (!ssl_sock_init())
         return (0);
 
-    memset((char *)&them, 0, sizeof(them));
+    memset(&them, 0, sizeof(them));
     them.sin_family = AF_INET;
     them.sin_port = htons((unsigned short)port);
     addr = (unsigned long)
@@ -223,7 +266,7 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
     else                        /* ( type == SOCK_DGRAM) */
         s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 
-    if (s == INVALID_SOCKET) {
+    if (s == (int)INVALID_SOCKET) {
         perror("socket");
         return (0);
     }
@@ -260,12 +303,12 @@ int init_client_unix(int *sock, const char *server)
         return (0);
 
     s = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (s == INVALID_SOCKET) {
+    if (s == (int)INVALID_SOCKET) {
         perror("socket");
         return (0);
     }
 
-    memset((char *)&them, 0, sizeof(them));
+    memset(&them, 0, sizeof(them));
     them.sun_family = AF_UNIX;
     strcpy(them.sun_path, server);
 
@@ -310,8 +353,7 @@ int do_server(int port, int type, int *ret,
         } else
             sock = accept_socket;
         i = (*cb) (name, sock, type, context);
-        if (name != NULL)
-            OPENSSL_free(name);
+        OPENSSL_free(name);
         if (type == SOCK_STREAM)
             SHUTDOWN2(sock);
         if (naccept != -1)
@@ -368,7 +410,7 @@ static int init_server_long(int *sock, int port, char *ip, int type)
     if (!ssl_sock_init())
         return (0);
 
-    memset((char *)&server, 0, sizeof(server));
+    memset(&server, 0, sizeof(server));
     server.sin_family = AF_INET;
     server.sin_port = htons((unsigned short)port);
     if (ip == NULL)
@@ -386,7 +428,7 @@ static int init_server_long(int *sock, int port, char *ip, int type)
     else                        /* type == SOCK_DGRAM */
         s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
 
-    if (s == INVALID_SOCKET)
+    if (s == (int)INVALID_SOCKET)
         goto err;
 # if defined SOL_SOCKET && defined SO_REUSEADDR
     {
@@ -430,10 +472,10 @@ static int init_server_unix(int *sock, const char *path)
         return (0);
 
     s = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (s == INVALID_SOCKET)
+    if (s == (int)INVALID_SOCKET)
         goto err;
 
-    memset((char *)&server, 0, sizeof(server));
+    memset(&server, 0, sizeof(server));
     server.sun_family = AF_UNIX;
     strcpy(server.sun_path, path);
 
@@ -476,7 +518,7 @@ static int do_accept(int acc_sock, int *sock, char **host)
  redoit:
 # endif
 
-    memset((char *)&from, 0, sizeof(from));
+    memset(&from, 0, sizeof(from));
     len = sizeof(from);
     /*
      * Note: under VMS with SOCKETSHR the fourth parameter is currently of
@@ -485,7 +527,7 @@ static int do_accept(int acc_sock, int *sock, char **host)
      * can either go for (int *) or (void *).
      */
     ret = accept(acc_sock, (struct sockaddr *)&from, (void *)&len);
-    if (ret == INVALID_SOCKET) {
+    if (ret == (int)INVALID_SOCKET) {
 # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
         int i;
         i = WSAGetLastError();
@@ -497,22 +539,11 @@ static int do_accept(int acc_sock, int *sock, char **host)
              */
             goto redoit;
         }
-        fprintf(stderr, "errno=%d ", errno);
-        perror("accept");
+        BIO_printf(bio_err, "accept errno=%d, %s\n", errno, strerror(errno));
 # endif
         return (0);
     }
 
-/*-
-    ling.l_onoff=1;
-    ling.l_linger=0;
-    i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
-    if (i < 0) { perror("linger"); return(0); }
-    i=0;
-    i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-    if (i < 0) { perror("keepalive"); return(0); }
-*/
-
     if (host == NULL)
         goto end;
 # ifndef BIT_FIELD_LIMITS
@@ -528,14 +559,10 @@ static int do_accept(int acc_sock, int *sock, char **host)
         *host = NULL;
         /* return(0); */
     } else {
-        if ((*host = (char *)OPENSSL_malloc(strlen(h1->h_name) + 1)) == NULL) {
-            perror("OPENSSL_malloc");
-            closesocket(ret);
-            return (0);
-        }
-        BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
+        *host = app_malloc(strlen(h1->h_name) + 1, "copy hostname");
+        OPENSSL_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
 
-        h2 = GetHostByName(*host);
+        h2 = gethostbyname(*host);
         if (h2 == NULL) {
             BIO_printf(bio_err, "gethostbyname failure\n");
             closesocket(ret);
@@ -562,15 +589,14 @@ static int do_accept_unix(int acc_sock, int *sock)
 
  redoit:
     ret = accept(acc_sock, NULL, NULL);
-    if (ret == INVALID_SOCKET) {
+    if (ret == (int)INVALID_SOCKET) {
         if (errno == EINTR) {
             /*
              * check_timeout();
              */
             goto redoit;
         }
-        fprintf(stderr, "errno=%d ", errno);
-        perror("accept");
+        BIO_printf(bio_err, "accept errno=%d, %s\n", errno, strerror(errno));
         return (0);
     }
 
@@ -580,7 +606,7 @@ static int do_accept_unix(int acc_sock, int *sock)
 # endif
 
 int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-                      short *port_ptr)
+                      unsigned short *port_ptr)
 {
     char *h, *p;
 
@@ -626,7 +652,7 @@ static int host_ip(const char *str, unsigned char ip[4])
         if (!ssl_sock_init())
             return (0);
 
-        he = GetHostByName(str);
+        he = gethostbyname(str);
         if (he == NULL) {
             BIO_printf(bio_err, "gethostbyname failure\n");
             goto err;
@@ -645,7 +671,7 @@ static int host_ip(const char *str, unsigned char ip[4])
     return (0);
 }
 
-int extract_port(const char *str, short *port_ptr)
+int extract_port(const char *str, unsigned short *port_ptr)
 {
     int i;
     struct servent *s;
@@ -664,51 +690,4 @@ int extract_port(const char *str, short *port_ptr)
     return (1);
 }
 
-# define GHBN_NUM        4
-static struct ghbn_cache_st {
-    char name[128];
-    struct hostent ent;
-    unsigned long order;
-} ghbn_cache[GHBN_NUM];
-
-static unsigned long ghbn_hits = 0L;
-static unsigned long ghbn_miss = 0L;
-
-static struct hostent *GetHostByName(const char *name)
-{
-    struct hostent *ret;
-    int i, lowi = 0;
-    unsigned long low = (unsigned long)-1;
-
-    for (i = 0; i < GHBN_NUM; i++) {
-        if (low > ghbn_cache[i].order) {
-            low = ghbn_cache[i].order;
-            lowi = i;
-        }
-        if (ghbn_cache[i].order > 0) {
-            if (strncmp(name, ghbn_cache[i].name, 128) == 0)
-                break;
-        }
-    }
-    if (i == GHBN_NUM) {        /* no hit */
-        ghbn_miss++;
-        ret = gethostbyname(name);
-        if (ret == NULL)
-            return (NULL);
-        /* else add to cache */
-        if (strlen(name) < sizeof ghbn_cache[0].name) {
-            strcpy(ghbn_cache[lowi].name, name);
-            memcpy((char *)&(ghbn_cache[lowi].ent), ret,
-                   sizeof(struct hostent));
-            ghbn_cache[lowi].order = ghbn_miss + ghbn_hits;
-        }
-        return (ret);
-    } else {
-        ghbn_hits++;
-        ret = &(ghbn_cache[i].ent);
-        ghbn_cache[i].order = ghbn_miss + ghbn_hits;
-        return (ret);
-    }
-}
-
 #endif

apps/s_time.c

@@ -1,4 +1,3 @@
-/* apps/s_time.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -74,17 +73,10 @@
 #include <openssl/pem.h>
 #include "s_apps.h"
 #include <openssl/err.h>
-#ifdef WIN32_STUFF
-# include "winmain.h"
-# include "wintext.h"
-#endif
 #if !defined(OPENSSL_SYS_MSDOS)
 # include OPENSSL_UNISTD
 #endif
 
-#undef PROG
-#define PROG s_time_main
-
 #undef ioctl
 #define ioctl ioctlsocket
 
@@ -107,218 +99,47 @@
 
 #undef SECONDS
 #define SECONDS 30
+#define SECONDSSTR "30"
+
 extern int verify_depth;
 extern int verify_error;
 
-static void s_time_usage(void);
-static int parseArgs(int argc, char **argv);
-static SSL *doConnection(SSL *scon);
-static void s_time_init(void);
+static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx);
 
-/***********************************************************************
- * Static data declarations
- */
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_CONNECT, OPT_CIPHER, OPT_CERT, OPT_KEY, OPT_CAPATH,
+    OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS,
+    OPT_VERIFY, OPT_TIME, OPT_SSL3,
+    OPT_WWW
+} OPTION_CHOICE;
 
-/* static char *port=PORT_STR;*/
-static char *host = SSL_CONNECT_NAME;
-static char *t_cert_file = NULL;
-static char *t_key_file = NULL;
-static char *CApath = NULL;
-static char *CAfile = NULL;
-static char *tm_cipher = NULL;
-static int tm_verify = SSL_VERIFY_NONE;
-static int maxTime = SECONDS;
-static SSL_CTX *tm_ctx = NULL;
-static const SSL_METHOD *s_time_meth = NULL;
-static char *s_www_path = NULL;
-static long bytes_read = 0;
-static int st_bugs = 0;
-static int perform = 0;
-#ifdef FIONBIO
-static int t_nbio = 0;
-#endif
-#ifdef OPENSSL_SYS_WIN32
-static int exitNow = 0;         /* Set when it's time to exit main */
-#endif
-
-static void s_time_init(void)
-{
-    host = SSL_CONNECT_NAME;
-    t_cert_file = NULL;
-    t_key_file = NULL;
-    CApath = NULL;
-    CAfile = NULL;
-    tm_cipher = NULL;
-    tm_verify = SSL_VERIFY_NONE;
-    maxTime = SECONDS;
-    tm_ctx = NULL;
-    s_time_meth = NULL;
-    s_www_path = NULL;
-    bytes_read = 0;
-    st_bugs = 0;
-    perform = 0;
-
-#ifdef FIONBIO
-    t_nbio = 0;
-#endif
-#ifdef OPENSSL_SYS_WIN32
-    exitNow = 0;                /* Set when it's time to exit main */
-#endif
-}
-
-/***********************************************************************
- * usage - display usage message
- */
-static void s_time_usage(void)
-{
-    static char umsg[] = "\
--time arg     - max number of seconds to collect data, default %d\n\
--verify arg   - turn on peer certificate verification, arg == depth\n\
--cert arg     - certificate file to use, PEM format assumed\n\
--key arg      - RSA file to use, PEM format assumed, key is in cert file\n\
-                file if not specified by this option\n\
--CApath arg   - PEM format directory of CA's\n\
--CAfile arg   - PEM format file of CA's\n\
--cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
-
-    printf("usage: s_time <args>\n\n");
-
-    printf("-connect host:port - host:port to connect to (default is %s)\n",
-           SSL_CONNECT_NAME);
-#ifdef FIONBIO
-    printf("-nbio         - Run with non-blocking IO\n");
-    printf("-ssl3         - Just use SSLv3\n");
-    printf("-bugs         - Turn on SSL bug compatibility\n");
-    printf("-new          - Just time new connections\n");
-    printf("-reuse        - Just time connection reuse\n");
-    printf("-www page     - Retrieve 'page' from the site\n");
-#endif
-    printf(umsg, SECONDS);
-}
-
-/***********************************************************************
- * parseArgs - Parse command line arguments and initialize data
- *
- * Returns 0 if ok, -1 on bad args
- */
-static int parseArgs(int argc, char **argv)
-{
-    int badop = 0;
-
-    verify_depth = 0;
-    verify_error = X509_V_OK;
-
-    argc--;
-    argv++;
-
-    while (argc >= 1) {
-        if (strcmp(*argv, "-connect") == 0) {
-            if (--argc < 1)
-                goto bad;
-            host = *(++argv);
-        }
-#if 0
-        else if (strcmp(*argv, "-host") == 0) {
-            if (--argc < 1)
-                goto bad;
-            host = *(++argv);
-        } else if (strcmp(*argv, "-port") == 0) {
-            if (--argc < 1)
-                goto bad;
-            port = *(++argv);
-        }
-#endif
-        else if (strcmp(*argv, "-reuse") == 0)
-            perform = 2;
-        else if (strcmp(*argv, "-new") == 0)
-            perform = 1;
-        else if (strcmp(*argv, "-verify") == 0) {
-
-            tm_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
-            if (--argc < 1)
-                goto bad;
-            verify_depth = atoi(*(++argv));
-            BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
-
-        } else if (strcmp(*argv, "-cert") == 0) {
-
-            if (--argc < 1)
-                goto bad;
-            t_cert_file = *(++argv);
-
-        } else if (strcmp(*argv, "-key") == 0) {
-
-            if (--argc < 1)
-                goto bad;
-            t_key_file = *(++argv);
-
-        } else if (strcmp(*argv, "-CApath") == 0) {
-
-            if (--argc < 1)
-                goto bad;
-            CApath = *(++argv);
-
-        } else if (strcmp(*argv, "-CAfile") == 0) {
-
-            if (--argc < 1)
-                goto bad;
-            CAfile = *(++argv);
-
-        } else if (strcmp(*argv, "-cipher") == 0) {
-
-            if (--argc < 1)
-                goto bad;
-            tm_cipher = *(++argv);
-        }
-#ifdef FIONBIO
-        else if (strcmp(*argv, "-nbio") == 0) {
-            t_nbio = 1;
-        }
-#endif
-        else if (strcmp(*argv, "-www") == 0) {
-            if (--argc < 1)
-                goto bad;
-            s_www_path = *(++argv);
-            if (strlen(s_www_path) > MYBUFSIZ - 100) {
-                BIO_printf(bio_err, "-www option too long\n");
-                badop = 1;
-            }
-        } else if (strcmp(*argv, "-bugs") == 0)
-            st_bugs = 1;
+OPTIONS s_time_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"connect", OPT_CONNECT, 's',
+     "Where to connect as post:port (default is " SSL_CONNECT_NAME ")"},
+    {"cipher", OPT_CIPHER, 's', "Cipher to use, see 'openssl ciphers'"},
+    {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
+    {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
+    {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
+    {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
+    {"no-CAfile", OPT_NOCAFILE, '-',
+     "Do not load the default certificates file"},
+    {"no-CApath", OPT_NOCAPATH, '-',
+     "Do not load certificates from the default certificates directory"},
+    {"new", OPT_NEW, '-', "Just time new connections"},
+    {"reuse", OPT_REUSE, '-', "Just time connection reuse"},
+    {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
+    {"verify", OPT_VERIFY, 'p',
+     "Turn on peer certificate verification, set depth"},
+    {"time", OPT_TIME, 'p', "Sf seconds to collect data, default" SECONDSSTR},
+    {"www", OPT_WWW, 's', "Fetch specified page from the site"},
 #ifndef OPENSSL_NO_SSL3
-        else if (strcmp(*argv, "-ssl3") == 0)
-            s_time_meth = SSLv3_client_method();
+    {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
 #endif
-        else if (strcmp(*argv, "-time") == 0) {
+    {NULL}
+};
 
-            if (--argc < 1)
-                goto bad;
-            maxTime = atoi(*(++argv));
-        } else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badop = 1;
-            break;
-        }
-
-        argc--;
-        argv++;
-    }
-
-    if (perform == 0)
-        perform = 3;
-
-    if (badop) {
- bad:
-        s_time_usage();
-        return -1;
-    }
-
-    return 0;                   /* Valid args */
-}
-
-/***********************************************************************
- * TIME - time functions
- */
 #define START   0
 #define STOP    1
 
@@ -327,92 +148,141 @@ static double tm_Time_F(int s)
     return app_tminterval(s, 1);
 }
 
-/***********************************************************************
- * MAIN - main processing area for client
- *                      real name depends on MONOLITH
- */
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+int s_time_main(int argc, char **argv)
 {
-    double totalTime = 0.0;
-    int nConn = 0;
+    char buf[1024 * 8];
     SSL *scon = NULL;
-    long finishtime = 0;
-    int ret = 1, i;
-    MS_STATIC char buf[1024 * 8];
-    int ver;
+    SSL_CTX *ctx = NULL;
+    const SSL_METHOD *meth = NULL;
+    char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *www_path = NULL;
+    char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog;
+    double totalTime = 0.0;
+    int noCApath = 0, noCAfile = 0;
+    int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs =
+        0, ver;
+    long bytes_read = 0, finishtime = 0;
+    OPTION_CHOICE o;
 
-    apps_startup();
-    s_time_init();
+    meth = TLS_client_method();
+    verify_depth = 0;
+    verify_error = X509_V_OK;
 
-    if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+    prog = opt_init(argc, argv, s_time_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(s_time_options);
+            ret = 0;
+            goto end;
+        case OPT_CONNECT:
+            host = opt_arg();
+            break;
+        case OPT_REUSE:
+            perform = 2;
+            break;
+        case OPT_NEW:
+            perform = 1;
+            break;
+        case OPT_VERIFY:
+            if (!opt_int(opt_arg(), &verify_depth))
+                goto opthelp;
+            BIO_printf(bio_err, "%s: verify depth is %d\n",
+                       prog, verify_depth);
+            break;
+        case OPT_CERT:
+            certfile = opt_arg();
+            break;
+        case OPT_KEY:
+            keyfile = opt_arg();
+            break;
+        case OPT_CAPATH:
+            CApath = opt_arg();
+            break;
+        case OPT_CAFILE:
+            CAfile = opt_arg();
+            break;
+        case OPT_NOCAPATH:
+            noCApath = 1;
+            break;
+        case OPT_NOCAFILE:
+            noCAfile = 1;
+            break;
+        case OPT_CIPHER:
+            cipher = opt_arg();
+            break;
+        case OPT_BUGS:
+            st_bugs = 1;
+            break;
+        case OPT_TIME:
+            if (!opt_int(opt_arg(), &maxtime))
+                goto opthelp;
+            break;
+        case OPT_WWW:
+            www_path = opt_arg();
+            if (strlen(www_path) > MYBUFSIZ - 100) {
+                BIO_printf(bio_err, "%s: -www option too long\n", prog);
+                goto end;
+            }
+            break;
+        case OPT_SSL3:
+#ifndef OPENSSL_NO_SSL3
+            meth = SSLv3_client_method();
+#endif
+            break;
+        }
+    }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    s_time_meth = SSLv23_client_method();
+    if (cipher == NULL)
+        cipher = getenv("SSL_CIPHER");
+    if (cipher == NULL) {
+        BIO_printf(bio_err, "No CIPHER specified\n");
+        goto end;
+    }
 
-    /* parse the command line arguments */
-    if (parseArgs(argc, argv) < 0)
+    if ((ctx = SSL_CTX_new(meth)) == NULL)
         goto end;
 
-    OpenSSL_add_ssl_algorithms();
-    if ((tm_ctx = SSL_CTX_new(s_time_meth)) == NULL)
-        return (1);
-
-    SSL_CTX_set_quiet_shutdown(tm_ctx, 1);
+    SSL_CTX_set_quiet_shutdown(ctx, 1);
 
     if (st_bugs)
-        SSL_CTX_set_options(tm_ctx, SSL_OP_ALL);
-    SSL_CTX_set_cipher_list(tm_ctx, tm_cipher);
-    if (!set_cert_stuff(tm_ctx, t_cert_file, t_key_file))
+        SSL_CTX_set_options(ctx, SSL_OP_ALL);
+    if (!SSL_CTX_set_cipher_list(ctx, cipher))
+        goto end;
+    if (!set_cert_stuff(ctx, certfile, keyfile))
         goto end;
 
-    SSL_load_error_strings();
-
-    if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
-        (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
-        /*
-         * BIO_printf(bio_err,"error setting default verify locations\n");
-         */
+    if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
         ERR_print_errors(bio_err);
-        /* goto end; */
+        goto end;
     }
-
-    if (tm_cipher == NULL)
-        tm_cipher = getenv("SSL_CIPHER");
-
-    if (tm_cipher == NULL) {
-        fprintf(stderr, "No CIPHER specified\n");
-    }
-
     if (!(perform & 1))
         goto next;
-    printf("Collecting connection statistics for %d seconds\n", maxTime);
+    printf("Collecting connection statistics for %d seconds\n", maxtime);
 
     /* Loop and time how long it takes to make connections */
 
     bytes_read = 0;
-    finishtime = (long)time(NULL) + maxTime;
+    finishtime = (long)time(NULL) + maxtime;
     tm_Time_F(START);
     for (;;) {
         if (finishtime < (long)time(NULL))
             break;
-#ifdef WIN32_STUFF
 
-        if (flushWinMsgs(0) == -1)
+        if ((scon = doConnection(NULL, host, ctx)) == NULL)
             goto end;
 
-        if (waitingToDie || exitNow) /* we're dead */
-            goto end;
-#endif
-
-        if ((scon = doConnection(NULL)) == NULL)
-            goto end;
-
-        if (s_www_path != NULL) {
+        if (www_path != NULL) {
             BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
-                         s_www_path);
-            SSL_write(scon, buf, strlen(buf));
+                         www_path);
+            if (SSL_write(scon, buf, strlen(buf)) <= 0)
+                goto end;
             while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
                 bytes_read += i;
         }
@@ -443,13 +313,13 @@ int MAIN(int argc, char **argv)
     }
     totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
 
-    i = (int)((long)time(NULL) - finishtime + maxTime);
+    i = (int)((long)time(NULL) - finishtime + maxtime);
     printf
         ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
          nConn, totalTime, ((double)nConn / totalTime), bytes_read);
     printf
         ("%d connections in %ld real seconds, %ld bytes read per connection\n",
-         nConn, (long)time(NULL) - finishtime + maxTime, bytes_read / nConn);
+         nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
 
     /*
      * Now loop and time connections using the same session id over and over
@@ -461,15 +331,17 @@ int MAIN(int argc, char **argv)
     printf("\n\nNow timing with session id reuse.\n");
 
     /* Get an SSL object so we can reuse the session id */
-    if ((scon = doConnection(NULL)) == NULL) {
-        fprintf(stderr, "Unable to get connection\n");
+    if ((scon = doConnection(NULL, host, ctx)) == NULL) {
+        BIO_printf(bio_err, "Unable to get connection\n");
         goto end;
     }
 
-    if (s_www_path != NULL) {
-        BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path);
-        SSL_write(scon, buf, strlen(buf));
-        while (SSL_read(scon, buf, sizeof(buf)) > 0) ;
+    if (www_path != NULL) {
+        BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", www_path);
+        if (SSL_write(scon, buf, strlen(buf)) <= 0)
+            goto end;
+        while (SSL_read(scon, buf, sizeof(buf)) > 0)
+            continue;
     }
 #ifdef NO_SHUTDOWN
     SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
@@ -481,7 +353,7 @@ int MAIN(int argc, char **argv)
     nConn = 0;
     totalTime = 0.0;
 
-    finishtime = (long)time(NULL) + maxTime;
+    finishtime = (long)time(NULL) + maxtime;
 
     printf("starting\n");
     bytes_read = 0;
@@ -491,21 +363,14 @@ int MAIN(int argc, char **argv)
         if (finishtime < (long)time(NULL))
             break;
 
-#ifdef WIN32_STUFF
-        if (flushWinMsgs(0) == -1)
+        if ((doConnection(scon, host, ctx)) == NULL)
             goto end;
 
-        if (waitingToDie || exitNow) /* we're dead */
-            goto end;
-#endif
-
-        if ((doConnection(scon)) == NULL)
-            goto end;
-
-        if (s_www_path) {
+        if (www_path) {
             BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
-                         s_www_path);
-            SSL_write(scon, buf, strlen(buf));
+                         www_path);
+            if (SSL_write(scon, buf, strlen(buf)) <= 0)
+                goto end;
             while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
                 bytes_read += i;
         }
@@ -538,29 +403,20 @@ int MAIN(int argc, char **argv)
          nConn, totalTime, ((double)nConn / totalTime), bytes_read);
     printf
         ("%d connections in %ld real seconds, %ld bytes read per connection\n",
-         nConn, (long)time(NULL) - finishtime + maxTime, bytes_read / nConn);
+         nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
 
     ret = 0;
- end:
-    if (scon != NULL)
-        SSL_free(scon);
 
-    if (tm_ctx != NULL) {
-        SSL_CTX_free(tm_ctx);
-        tm_ctx = NULL;
-    }
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+ end:
+    SSL_free(scon);
+    SSL_CTX_free(ctx);
+    return (ret);
 }
 
 /*-
  * doConnection - make a connection
- * Args:
- *              scon    = earlier ssl connection for session id, or NULL
- * Returns:
- *              SSL *   = the connection pointer.
  */
-static SSL *doConnection(SSL *scon)
+static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
 {
     BIO *conn;
     SSL *serverCon;
@@ -570,11 +426,10 @@ static SSL *doConnection(SSL *scon)
     if ((conn = BIO_new(BIO_s_connect())) == NULL)
         return (NULL);
 
-/*      BIO_set_conn_port(conn,port);*/
     BIO_set_conn_hostname(conn, host);
 
     if (scon == NULL)
-        serverCon = SSL_new(tm_ctx);
+        serverCon = SSL_new(ctx);
     else {
         serverCon = scon;
         SSL_set_connect_state(serverCon);
@@ -582,11 +437,6 @@ static SSL *doConnection(SSL *scon)
 
     SSL_set_bio(serverCon, conn, conn);
 
-#if 0
-    if (scon != NULL)
-        SSL_set_session(serverCon, SSL_get_session(scon));
-#endif
-
     /* ok, lets connect */
     for (;;) {
         i = SSL_connect(serverCon);

apps/sess_id.c

@@ -1,4 +1,3 @@
-/* apps/sess_id.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -66,94 +65,82 @@
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 
-#undef PROG
-#define PROG    sess_id_main
+typedef enum OPTION_choice {
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
+    OPT_TEXT, OPT_CERT, OPT_NOOUT, OPT_CONTEXT
+} OPTION_CHOICE;
 
-static const char *sess_id_usage[] = {
-    "usage: sess_id args\n",
-    "\n",
-    " -inform arg     - input format - default PEM (DER or PEM)\n",
-    " -outform arg    - output format - default PEM (PEM, DER or NSS)\n",
-    " -in arg         - input file - default stdin\n",
-    " -out arg        - output file - default stdout\n",
-    " -text           - print ssl session id details\n",
-    " -cert           - output certificate \n",
-    " -noout          - no output of encoded session info\n",
-    " -context arg    - set the session ID context\n",
-    NULL
+OPTIONS sess_id_options[] = {
+    {"help", OPT_HELP, '-', "Display this summary"},
+    {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
+    {"outform", OPT_OUTFORM, 'f',
+     "Output format - default PEM (PEM, DER or NSS)"},
+    {"in", OPT_IN, 's', "Input file - default stdin"},
+    {"out", OPT_OUT, 's', "Output file - default stdout"},
+    {"text", OPT_TEXT, '-', "Print ssl session id details"},
+    {"cert", OPT_CERT, '-', "Output certificate "},
+    {"noout", OPT_NOOUT, '-', "Don't output the encoded session info"},
+    {"context", OPT_CONTEXT, 's', "Set the session ID context"},
+    {NULL}
 };
 
 static SSL_SESSION *load_sess_id(char *file, int format);
 
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+int sess_id_main(int argc, char **argv)
 {
     SSL_SESSION *x = NULL;
     X509 *peer = NULL;
-    int ret = 1, i, num, badops = 0;
     BIO *out = NULL;
-    int informat, outformat;
-    char *infile = NULL, *outfile = NULL, *context = NULL;
-    int cert = 0, noout = 0, text = 0;
-    const char **pp;
+    char *infile = NULL, *outfile = NULL, *context = NULL, *prog;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
+    int cert = 0, noout = 0, text = 0, ret = 1, i, num = 0;
+    OPTION_CHOICE o;
 
-    apps_startup();
-
-    if (bio_err == NULL)
-        if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-            BIO_set_fp(bio_err, stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-    informat = FORMAT_PEM;
-    outformat = FORMAT_PEM;
-
-    argc--;
-    argv++;
-    num = 0;
-    while (argc >= 1) {
-        if (strcmp(*argv, "-inform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            informat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-outform") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outformat = str2fmt(*(++argv));
-        } else if (strcmp(*argv, "-in") == 0) {
-            if (--argc < 1)
-                goto bad;
-            infile = *(++argv);
-        } else if (strcmp(*argv, "-out") == 0) {
-            if (--argc < 1)
-                goto bad;
-            outfile = *(++argv);
-        } else if (strcmp(*argv, "-text") == 0)
+    prog = opt_init(argc, argv, sess_id_options);
+    while ((o = opt_next()) != OPT_EOF) {
+        switch (o) {
+        case OPT_EOF:
+        case OPT_ERR:
+ opthelp:
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        case OPT_HELP:
+            opt_help(sess_id_options);
+            ret = 0;
+            goto end;
+        case OPT_INFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+                goto opthelp;
+            break;
+        case OPT_OUTFORM:
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER | OPT_FMT_NSS,
+                            &outformat))
+                goto opthelp;
+            break;
+        case OPT_IN:
+            infile = opt_arg();
+            break;
+        case OPT_OUT:
+            outfile = opt_arg();
+            break;
+        case OPT_TEXT:
             text = ++num;
-        else if (strcmp(*argv, "-cert") == 0)
+            break;
+        case OPT_CERT:
             cert = ++num;
-        else if (strcmp(*argv, "-noout") == 0)
+            break;
+        case OPT_NOOUT:
             noout = ++num;
-        else if (strcmp(*argv, "-context") == 0) {
-            if (--argc < 1)
-                goto bad;
-            context = *++argv;
-        } else {
-            BIO_printf(bio_err, "unknown option %s\n", *argv);
-            badops = 1;
+            break;
+        case OPT_CONTEXT:
+            context = opt_arg();
             break;
         }
-        argc--;
-        argv++;
     }
+    argc = opt_num_rest();
+    argv = opt_rest();
 
-    if (badops) {
- bad:
-        for (pp = sess_id_usage; (*pp != NULL); pp++)
-            BIO_printf(bio_err, "%s", *pp);
-        goto end;
-    }
-
-    ERR_load_crypto_strings();
     x = load_sess_id(infile, informat);
     if (x == NULL) {
         goto end;
@@ -166,50 +153,17 @@ int MAIN(int argc, char **argv)
             BIO_printf(bio_err, "Context too long\n");
             goto end;
         }
-        SSL_SESSION_set1_id_context(x, (unsigned char *)context, ctx_len);
-    }
-#ifdef undef
-    /* just testing for memory leaks :-) */
-    {
-        SSL_SESSION *s;
-        char buf[1024 * 10], *p;
-        int i;
-
-        s = SSL_SESSION_new();
-
-        p = &buf;
-        i = i2d_SSL_SESSION(x, &p);
-        p = &buf;
-        d2i_SSL_SESSION(&s, &p, (long)i);
-        p = &buf;
-        d2i_SSL_SESSION(&s, &p, (long)i);
-        p = &buf;
-        d2i_SSL_SESSION(&s, &p, (long)i);
-        SSL_SESSION_free(s);
-    }
-#endif
-
-    if (!noout || text) {
-        out = BIO_new(BIO_s_file());
-        if (out == NULL) {
-            ERR_print_errors(bio_err);
+        if (!SSL_SESSION_set1_id_context(x, (unsigned char *)context,
+                    ctx_len)) {
+            BIO_printf(bio_err, "Error setting id context\n");
             goto end;
         }
+    }
 
-        if (outfile == NULL) {
-            BIO_set_fp(out, stdout, BIO_NOCLOSE);
-#ifdef OPENSSL_SYS_VMS
-            {
-                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-                out = BIO_push(tmpbio, out);
-            }
-#endif
-        } else {
-            if (BIO_write_filename(out, outfile) <= 0) {
-                perror(outfile);
-                goto end;
-            }
-        }
+    if (!noout || text) {
+        out = bio_open_default(outfile, 'w', outformat);
+        if (out == NULL)
+            goto end;
     }
 
     if (text) {
@@ -254,12 +208,9 @@ int MAIN(int argc, char **argv)
     }
     ret = 0;
  end:
-    if (out != NULL)
-        BIO_free_all(out);
-    if (x != NULL)
-        SSL_SESSION_free(x);
-    apps_shutdown();
-    OPENSSL_EXIT(ret);
+    BIO_free_all(out);
+    SSL_SESSION_free(x);
+    return (ret);
 }
 
 static SSL_SESSION *load_sess_id(char *infile, int format)
@@ -267,28 +218,13 @@ static SSL_SESSION *load_sess_id(char *infile, int format)
     SSL_SESSION *x = NULL;
     BIO *in = NULL;
 
-    in = BIO_new(BIO_s_file());
-    if (in == NULL) {
-        ERR_print_errors(bio_err);
+    in = bio_open_default(infile, 'r', format);
+    if (in == NULL)
         goto end;
-    }
-
-    if (infile == NULL)
-        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-    else {
-        if (BIO_read_filename(in, infile) <= 0) {
-            perror(infile);
-            goto end;
-        }
-    }
     if (format == FORMAT_ASN1)
         x = d2i_SSL_SESSION_bio(in, NULL);
-    else if (format == FORMAT_PEM)
+    else
         x = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
-    else {
-        BIO_printf(bio_err, "bad input format specified for input crl\n");
-        goto end;
-    }
     if (x == NULL) {
         BIO_printf(bio_err, "unable to load SSL_SESSION\n");
         ERR_print_errors(bio_err);
@@ -296,7 +232,6 @@ static SSL_SESSION *load_sess_id(char *infile, int format)
     }
 
  end:
-    if (in != NULL)
-        BIO_free(in);
+    BIO_free(in);
     return (x);
 }

apps/set/set-g-ca.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDeDCCAuGgAwIBAgIgYCYUeg8NJ9kO1q3z6vGCkAmPRfu5+Nur0FyGF79MADMw
-DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
-MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
-MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtQ
-Q0ExMDIxMTgyODEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJyi5V7l1HohY6hN/2N9x6mvWeMy8rD1
-6lfXjgmiuGmhpaszWYaalesMcS2OGuG8Lq3PkaSzpVzqASKfIOjxLMsdpYyYJRub
-vRPDWi3xd8wlp9xUwWHKqn+ki8mPo0yN4eONwZZ4rcZr6K+tWd+5EJZSjuENJoQ/
-SRRmGRzdcS7XAgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
-EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
-aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
-MTAyMjAxMjIwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
-SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwICBDB5
-BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
-Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
-ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBn19R2
-AgGvpJDmfXrHTDdCoYyMkaP2MPzw0hFRwh+wqnw0/pqUXa7MrLXMqtD3rUyOWaNR
-9fYpJZd0Bh/1OeIc2+U+VNfUovLLuZ8nNemdxyq2KMYnHtnh7UdO7atZ+PFLVu8x
-a+J2Mtj8MGy12CJNTJcjLSrJ/1f3AuVrwELjlQ==
------END CERTIFICATE-----

apps/set/set-m-ca.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDeDCCAuGgAwIBAgIgEGvcf5aUnufALdVMa/dmPdflq1CoORGeK5DUwbqhVYcw
-DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
-MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
-MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtN
-Q0ExMDIxMTgyNzEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALuWwr63YrT1GIZpYKfIeiVFHESG/FZO
-7RAJKml/p12ZyZ7D5YPP4BBXVsa1H8e8arR1LKC4rdCArrtKKlBeBiMo9+NB+u35
-FnLnTmfzM4iZ2Syw35DXY8+Xn/LM7RJ1RG+vMNcTqpoUg7QPye7flq2Pt7vVROPn
-SZxPyVxmILe3AgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
-EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
-aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
-MTAyMjAxMjEwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
-SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwIDCDB5
-BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
-Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
-ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQApaj0W
-GgyR47URZEZ7z83yivvnVErqtodub/nR1fMgJ4bDC0ofjA0SzXBP1/3eDq9VkPuS
-EKUw9BpM2XrSUKhJ6F1CbBjWpM0M7GC1nTSxMxmV+XL+Ab/Gn2SwozUApWtht29/
-x9VLB8qsi6wN2aOsVdQMl5iVCjGQYfEkyuoIgA==
------END CERTIFICATE-----

apps/set/set_b_ca.pem

@@ -1,23 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID1zCCAr+gAwIBAgIgYClSzXgB3u31VMarY+lXwPKU9DtoBMzaaivuVzV9a9kw
-DQYJKoZIhvcNAQEFBQAwIzELMAkGA1UEBhMCVVMxFDASBgNVBAoTC1JDQTEwMTEx
-ODI5MB4XDTk2MTAxNzAwMDAwMFoXDTk2MTExNjIzNTk1OVowRTELMAkGA1UEBhMC
-VVMxFDASBgNVBAoTC0JDQTEwMTcxMTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlBy
-b2R1Y3QgVHlwZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApPewvR0BwV02
-9E12ic48pMY/aMB6SkMEWPDx2hURr0DKYGJ6qMvzZn2pSfaVH1BqDtK6oK4Ye5Mj
-ItywwQIdXXO9Ut8+TLnvtzq9ByCJ0YThjZJBc7ZcpJxSV7QAoBON/lzxZuAVq3+L
-3uc39MgRwmBpRllZEpWrkojxs6166X0CAwEAAaOCAVcwggFTMFQGA1UdIwRNMEuh
-J6QlMCMxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtSQ0ExMDExMTgyOYIgVqenwCYv
-mmxUIvi9gUMCa+uJGJ60mZecw9HrISXnLaYwDgYDVR0PAQH/BAQDAgEGMC4GA1Ud
-EAEB/wQkMCKADzE5OTYxMDE3MTc1NzAwWoEPMTk5NjExMTYyMzU5NTlaMBsGA1Ud
-IAEB/wQRMA8wDQYLYIZIAYb4RQEHAQEwEgYDVR0TAQH/BAgwBgEB/wIBATAPBgSG
-jW8DAQH/BAQDAgABMHkGBIaNbwcBAf8EbjBsMCQCAQAwCQYFKw4DAhoFAAQUMmY3
-NGIxYWY0ZmNjMDYwZjc2NzYTD3RlcnNlIHN0YXRlbWVudIAXaHR0cDovL3d3dy52
-ZXJpc2lnbi5jb22BGmdldHNldC1jZW50ZXJAdmVyaXNpZ24uY29tMA0GCSqGSIb3
-DQEBBQUAA4IBAQAWoMS8Aj2sO0LDxRoMcnWTKY8nd8Jw2vl2Mgsm+0qCvcndICM5
-43N0y9uHlP8WeCZULbFz95gTL8mfP/QTu4EctMUkQgRHJnx80f0XSF3HE/X6zBbI
-9rit/bF6yP1mhkdss/vGanReDpki7q8pLx+VIIcxWst/366HP3dW1Fb7ECW/WmVV
-VMN93f/xqk9I4sXchVZcVKQT3W4tzv+qQvugrEi1dSEkbAy1CITEAEGiaFhGUyCe
-WPox3guRXaEHoINNeajGrISe6d//alsz5EEroBoLnM2ryqWfLAtRsf4rjNzTgklw
-lbiz0fw7bNkXKp5ZVr0wlnOjQnoSM6dTI0AV
------END CERTIFICATE-----

apps/set/set_c_ca.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDeDCCAuGgAwIBAgIgOnl8J6lAYNDdTWtIojWCGnloNf4ufHjOZ4Fkxwg5xOsw
-DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0JDQTEwMTcx
-MTA0MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjIw
-MDAwMDBaFw05NjExMjEyMzU5NTlaMEUxCzAJBgNVBAYTAlVTMRQwEgYDVQQKEwtD
-Q0ExMDIxMTYxNjEgMB4GA1UEAxMXQnJhbmQgTmFtZTpQcm9kdWN0IFR5cGUwgZ8w
-DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANA3a9+U8oXU3Dv1wJf8g0A7HjCRZAXc
-Y8E4OLOdye5aUssxifCE05qTPVqHMXo6cnCYcfroMdURhjQlswyTGtjQybgUnXjp
-pchw+V4D1DkN0ThErrMCh9ZFSykC0lUhQTRLESvbIb4Gal/HMAFAF5sj0GoOFi2H
-RRj7gpzBIU3xAgMBAAGjggFXMIIBUzBUBgNVHSMETTBLoSekJTAjMQswCQYDVQQG
-EwJVUzEUMBIGA1UEChMLUkNBMTAxMTE4MjmCIGApUs14Ad7t9VTGq2PpV8DylPQ7
-aATM2mor7lc1fWvZMA4GA1UdDwEB/wQEAwIBBjAuBgNVHRABAf8EJDAigA8xOTk2
-MTAyMjAxMTAwMFqBDzE5OTYxMTIxMjM1OTU5WjAbBgNVHSABAf8EETAPMA0GC2CG
-SAGG+EUBBwEBMBIGA1UdEwEB/wQIMAYBAf8CAQAwDwYEho1vAwEB/wQEAwIEEDB5
-BgSGjW8HAQH/BG4wbDAkAgEAMAkGBSsOAwIaBQAEFDJmNzRiMWFmNGZjYzA2MGY3
-Njc2Ew90ZXJzZSBzdGF0ZW1lbnSAF2h0dHA6Ly93d3cudmVyaXNpZ24uY29tgRpn
-ZXRzZXQtY2VudGVyQHZlcmlzaWduLmNvbTANBgkqhkiG9w0BAQUFAAOBgQBteLaZ
-u/TASC64UWPfhxYAUdys9DQ1pG/J1qPWNTkjOmpXFvW+7l/3nkxyRPgUoFNwx1e7
-XVVPr6zhy8LaaXppwfIZvVryzAUdbtijiUf/MO0hvV3w7e9NlCVProdU5H9EvCXr
-+IV8rH8fdEkirIVyw0JGHkuWhkmtS1HEwai9vg==
------END CERTIFICATE-----

apps/set/set_d_ct.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDdjCCAt+gAwIBAgIgRU5t24v72xVDpZ4iHpyoOAQaQmfio1yhTZAOkBfT2uUw
-DQYJKoZIhvcNAQEFBQAwRTELMAkGA1UEBhMCVVMxFDASBgNVBAoTC0NDQTEwMjEx
-NjE2MSAwHgYDVQQDExdCcmFuZCBOYW1lOlByb2R1Y3QgVHlwZTAeFw05NjEwMjQw
-MDAwMDBaFw05NjExMjMyMzU5NTlaMG4xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdC
-cmFuZElEMSYwJAYDVQQLEx1Jc3N1aW5nIEZpbmFuY2lhbCBJbnN0aXR1dGlvbjEl
-MCMGA1UEAxMcR2lYb0t0VjViN1V0MHZKa2hkSG5RYmNzc2JrPTBcMA0GCSqGSIb3
-DQEBAQUAA0sAMEgCQQDIUxgpNB1aoSW585WErtN8WInCRWCqDj3RGT2mJye0F4SM
-/iT5ywdWMasmw18vpEpDlMypfZnRkUAdfyHcRABVAgMBAAGjggFwMIIBbDB2BgNV
-HSMEbzBtoUmkRzBFMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLQkNBMTAxNzExMDQx
-IDAeBgNVBAMTF0JyYW5kIE5hbWU6UHJvZHVjdCBUeXBlgiA6eXwnqUBg0N1Na0ii
-NYIaeWg1/i58eM5ngWTHCDnE6zAOBgNVHQ8BAf8EBAMCB4AwLgYDVR0QAQH/BCQw
-IoAPMTk5NjEwMjQwMTA0MDBagQ8xOTk2MTEyMzIzNTk1OVowGAYDVR0gBBEwDzAN
-BgtghkgBhvhFAQcBATAMBgNVHRMBAf8EAjAAMA8GBIaNbwMBAf8EBAMCB4AweQYE
-ho1vBwEB/wRuMGwwJAIBADAJBgUrDgMCGgUABBQzOTgyMzk4NzIzNzg5MTM0OTc4
-MhMPdGVyc2Ugc3RhdGVtZW50gBdodHRwOi8vd3d3LnZlcmlzaWduLmNvbYEaZ2V0
-c2V0LWNlbnRlckB2ZXJpc2lnbi5jb20wDQYJKoZIhvcNAQEFBQADgYEAVHCjhxeD
-mIFSkm3DpQAq7pGfcAFPWvSM9I9bK8qeFT1M5YQ+5fbPqaWlNcQlGKIe3cHd4+0P
-ndL5lb6UBhhA0kTzEYA38+HtBxPe/lokCv0bYfyWY9asUmvfbUrTYta0yjN7ixnV
-UqvxxHQHOAwhf6bcc7xNHapOxloWzGUU0RQ=
------END CERTIFICATE-----