This makes it a little easier to create a pre-certificate.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
In apps/apps.c, one can set up an engine with setup_engine().
However, we freed the structural reference immediately, which means
that for engines that don't already have a structural reference
somewhere else (because it's a built in engine), we end up returning
an invalid reference.
Instead, the function release_engine() is added, and called at the end
of the routines that call setup_engine().
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1694)
The following would fail, or rather, freeze:
openssl genrsa -out rsa2048.pem 2048
openssl req -x509 -key rsa2048.pem -keyform PEM -out cert.pem
In that case, the second command wants to read a certificate request
from stdin, because -x509 wasn't fully flagged as being for creating
something new. This changes makes it fully flagged.
RT#4655
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1264)
When the "req" command is used to generate a new EC key using the -newkey
option it will incorrectly display:
Generating a 2048 bit EC private key
This commit fixes the message to not display the bit length for EC keys
because we don't currently support getting that during generation.
GitHub Issue #1068
Reviewed-by: Richard Levitte <levitte@openssl.org>
OBJ_cleanup() should not be called expicitly - we should leave
auto-deinit to clean this up instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Move rsa_st away from public headers.
Add accessor/writer functions for the public RSA data.
Adapt all other source to use the accessors and writers.
Reviewed-by: Matt Caswell <matt@openssl.org>
Don't free up passed EVP_MD_CTX in ASN1_item_sign_ctx(). This
simplifies handling and retains compatiblity with previous behaviour.
PR#4446
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Simplifies calling code. Also fixed up any !ptr tests that were
nearby, turning them into NULL tests.
Reviewed-by: Richard Levitte <levitte@openssl.org>
enc:
- typo in -base64 option
- missing help opt text
ocsp, req, rsautl, s_client:
- missing help opt text
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Previous OpenSSL versions used -set_serial, but master was using
-set-serial - so rename it back to the old version.
RT#4059
Reviewed-by: Richard Levitte <levitte@openssl.org>
The different apps had the liberty to decide whether they would open their
input and output files in binary mode or not, which could be confusing if
two different apps were handling the same type of file in different ways.
The solution is to centralise the decision of low level file organisation,
and that the apps would use a selection of formats to state the intent of
the file.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Most of all, we needed to sort out which ones are binary and which
ones are text, and make sure they are treated accordingly and
consistently so
Reviewed-by: Tim Hudson <tjh@openssl.org>
Remove asn1-kludge option from the req utility. It was a decade old
workaround for CAs and software which required an invalid encoding
of PKCS#10 certificate requests: omitting the attributes field even
though it is not OPTIONAL.
Reviewed-by: Rich Salz <rsalz@openssl.org>
There's no reason why we should default to a output format that is
old, and confusing in some cases.
This affects the commands "ca", "crl", "req" and "x509".
Reviewed-by: Rich Salz <rsalz@openssl.org>
When generating a private key, try to make the output file be readable
only by the owner. Put it in CHANGES file since it might be noticeable.
Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key. Checked via assert so that this
bug (security-related) gets fixed. Thanks to Viktor for help in tracing
the code-paths where private keys are written.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Here are the "rules" for handling flags that depend on #ifdef:
- Do not ifdef the enum. Only ifdef the OPTIONS table. All ifdef'd
entries appear at the end; by convention "engine" is last. This
ensures that at run-time, the flag will never be recognized/allowed.
The next two bullets entries are for silencing compiler warnings:
- In the while/switch parsing statement, use #ifdef for the body to
disable it; leave the "case OPT_xxx:" and "break" statements outside
the ifdef/ifndef. See ciphers.c for example.
- If there are multiple options controlled by a single guard, OPT_FOO,
OPT_BAR, etc., put a an #ifdef around the set, and then do "#else"
and a series of case labels and a break. See OPENSSL_NO_AES in cms.c
for example.
Reviewed-by: Matt Caswell <matt@openssl.org>
The module loading feature got broken a while ago, so restore it, but
have it a bit more explicit this time around.
Reviewed-by: Stephen Henson <steve@openssl.org>
Create app_load_config(), a routine to load config file. Remove the
"always load config" from the main app. Change the places that used to
load config to call the new common routine.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The "out" variable is used for both key and csr. Close it after
writing the first one so it can be re-used when writing the other.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
