Commit graph

131 commits

Author SHA1 Message Date
Rich Salz
82c494276d Fix build break.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-08-10 12:00:23 -04:00
Rich Salz
5bb17d1b3c RT3639: Add -no_comp description to online help
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-07-29 16:58:55 -04:00
Rich Salz
0bc2f36555 Remove obsolete key formats.
Remove support for RSA_NET and Netscape key format (-keyform n).

Also removed documentation of SGC.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-16 01:06:48 -04:00
Rich Salz
3b061a00e3 RT2547: Tighten perms on generated privkey files
When generating a private key, try to make the output file be readable
only by the owner.  Put it in CHANGES file since it might be noticeable.

Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key.  Checked via assert so that this
bug (security-related) gets fixed.  Thanks to Viktor for help in tracing
the code-paths where private keys are written.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-06-15 18:26:56 -04:00
Richard Levitte
296f54ee21 Restore module loading
The module loading feature got broken a while ago, so restore it, but
have it a bit more explicit this time around.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-05-29 12:41:50 +02:00
Rich Salz
cc01d21756 RT3876: Only load config when needed
Create app_load_config(), a routine to load config file.  Remove the
"always load config" from the main app.  Change the places that used to
load config to call the new common routine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-28 17:28:33 -04:00
Matt Caswell
e481f9b90b Remove support for OPENSSL_NO_TLSEXT
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 23:10:51 +01:00
Rich Salz
3e8e688f86 Replace switch/assignments with table lookup
Typedef STRINT_PAIR to be the same as OPT_PAIR, and use that structure and
a bunch of tables instead of switch statements to lookup various values
out of the SSL/TLS message buffers.  Shrinks a bunch of code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-20 17:51:52 -04:00
Rich Salz
68dc682499 In apps, malloc or die
No point in proceeding if you're out of memory.  So change
*all* OPENSSL_malloc calls in apps to use the new routine which
prints a message and exits.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:48:31 -04:00
Rich Salz
db4c08f019 Rewrite parse_name
Remove need for multiple arrays, parse the X509 name
one RDN at a time.  Thanks to Andy for careful review.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-29 14:50:00 -04:00
Rich Salz
2fa45e6ee7 use isxdigit and apps_tohex
Replace ad-hoc ascii->hex with isxdigit and new app_tohex.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-29 14:15:50 -04:00
Rich Salz
ecf3a1fb18 Remove needless bio_err argument
Many functions had a BIO* parameter, and it was always called
with bio_err.  Remove the param and just use bio_err.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-29 11:27:08 -04:00
Rich Salz
333b070ec0 fewer NO_ENGINE #ifdef's
Make setup_engine be a dummy if NO_ENGINE is enabled.
The option is not enabled if NO_ENGINE is enabled, so the one "wasted"
variable just sits there. Removes some variables and code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 15:41:29 -04:00
Rich Salz
7e1b748570 Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master.  The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt.  Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that.  There have been many other changes and code-cleanup, see
bullet list below.

Special thanks to Matt for the long and detailed code review.

TEMPORARY:
        For now, comment out CRYPTO_mem_leaks() at end of main

Tickets closed:
        RT3515: Use 3DES in pkcs12 if built with no-rc2
        RT1766: s_client -reconnect and -starttls broke
        RT2932: Catch write errors
        RT2604: port should be 'unsigned short'
        RT2983: total_bytes undeclared #ifdef RENEG
        RT1523: Add -nocert to fix output in x509 app
        RT3508: Remove unused variable introduced by b09eb24
        RT3511: doc fix; req default serial is random
        RT1325,2973: Add more extensions to c_rehash
        RT2119,3407: Updated to dgst.pod
        RT2379: Additional typo fix
        RT2693: Extra include of string.h
        RT2880: HFS is case-insensitive filenames
        RT3246: req command prints version number wrong

Other changes; incompatibilities marked with *:
        Add SCSV support
        Add -misalign to speed command
        Make dhparam, dsaparam, ecparam, x509 output C in proper style
        Make some internal ocsp.c functions void
        Only display cert usages with -help in verify
        Use global bio_err, remove "BIO*err" parameter from functions
        For filenames, - always means stdin (or stdout as appropriate)
        Add aliases for -des/aes "wrap" ciphers.
        *Remove support for IISSGC (server gated crypto)
        *The undocumented OCSP -header flag is now "-header name=value"
        *Documented the OCSP -header flag

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 15:26:15 -04:00
Matt Caswell
0c2837564c Remove OPENSSL_NO_SSL_INTERN as it is now redundant - all internals
previously protected by this have been moved into non-public headers

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-31 18:07:11 +00:00
Rich Salz
68b00c2372 ifdef cleanup part 3: OPENSSL_SYSNAME
Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
Remove MS_STATIC; it's a relic from platforms <32 bits.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-23 11:58:26 -05:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Viktor Dukhovni
297c67fcd8 Update API to use (char *) for email addresses and hostnames
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
2014-07-07 19:11:38 +10:00
Martin Kaiser
189ae368d9 Add an NSS output format to sess_id to export to export the session id and the master key in NSS keylog format. PR#3352 2014-05-24 00:02:24 +01:00
Piotr Sikora
2911575c6e Fix compilation with no-nextprotoneg.
PR#3106
2013-11-14 01:20:12 +00:00
Ben Laurie
c45a48c186 Constification. 2013-10-07 12:45:26 +01:00
Dr. Stephen Henson
fcb2bcfe65 Typo: don't call RAND_cleanup during app startup.
(cherry picked from commit 90e7f983b5)
2013-08-18 19:06:51 +01:00
Dr. Stephen Henson
3d1160d58b Call RAND_cleanup in openssl application.
(cherry picked from commit 944bc29f90)
2013-03-28 14:29:39 +00:00
Andy Polyakov
a006fef78e Improve WINCE support.
Submitted by: Pierre Delaage
2013-01-19 21:23:13 +01:00
Dr. Stephen Henson
4badfebefc Typo (PR2959). 2013-01-17 18:20:18 +00:00
Dr. Stephen Henson
0090a686c0 Add code to download CRLs based on CRLDP extension.
Just a sample, real world applications would have to be cleverer.
2012-12-06 18:43:40 +00:00
Dr. Stephen Henson
fdb78f3d88 New option to add CRLs for s_client and s_server. 2012-12-02 16:16:28 +00:00
Dr. Stephen Henson
95ea531864 add option to get a certificate or CRL from a URL 2012-12-02 14:00:22 +00:00
Dr. Stephen Henson
a70da5b3ec New functions to check a hostname email or IP address against a
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
2012-10-08 15:10:07 +00:00
Ben Laurie
71fa451343 Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
Dr. Stephen Henson
08557cf22c Initial "opaque SSL" framework. If an application defines
OPENSSL_NO_SSL_INTERN all ssl related structures are opaque
and internals cannot be directly accessed. Many applications
will need some modification to support this and most likely some
additional functions added to OpenSSL.

The advantage of this option is that any application supporting
it will still be binary compatible if SSL structures change.
2011-04-29 22:37:12 +00:00
Ben Laurie
bf48836c7c Fixes to NPN from Adam Langley. 2010-09-05 17:14:01 +00:00
Ben Laurie
ee2ffc2794 Add Next Protocol Negotiation. 2010-07-28 10:06:55 +00:00
Dr. Stephen Henson
4c623cddbe add -sigopt option to ca utility 2010-03-14 12:54:45 +00:00
Dr. Stephen Henson
cdb182b55a new sigopt and PSS support for req and x509 utilities 2010-03-12 14:41:00 +00:00
Dr. Stephen Henson
245d2ee3d0 Add option to allow in-band CRL loading in verify utility. Add function
load_crls and tidy up load_certs. Remove useless purpose variable from
verify utility: now done with args_verify.
2009-10-31 13:33:57 +00:00
Dr. Stephen Henson
18e503f30f PR: 2064, 728
Submitted by: steve@openssl.org

Add support for custom headers in OCSP requests.
2009-09-30 21:40:55 +00:00
Dr. Stephen Henson
f10f4447da Update from 1.0.0-stable. 2009-08-05 15:29:58 +00:00
Dr. Stephen Henson
c869da8839 Update from 1.0.0-stable 2009-07-27 21:10:00 +00:00
Dr. Stephen Henson
79bd20fd17 Update from stable-branch. 2008-11-24 17:27:08 +00:00
Ben Laurie
f3b7bdadbc Integrate J-PAKE and TLS-PSK. Increase PSK buffer size. Fix memory leaks. 2008-11-16 12:47:12 +00:00
Dr. Stephen Henson
ed551cddf7 Update from stable branch. 2008-11-12 17:28:18 +00:00
Ben Laurie
6caa4edd3e Add JPAKE. 2008-10-26 18:40:52 +00:00
Geoff Thorpe
4c3296960d Remove the dual-callback scheme for numeric and pointer thread IDs,
deprecate the original (numeric-only) scheme, and replace with the
CRYPTO_THREADID object. This hides the platform-specifics and should reduce
the possibility for programming errors (where failing to explicitly check
both thread ID forms could create subtle, platform-specific bugs).

Thanks to Bodo, for invaluable review and feedback.
2008-08-06 15:54:15 +00:00
Geoff Thorpe
5f834ab123 Revert my earlier CRYPTO_THREADID commit, I will commit a reworked
version some time soon.
2008-07-03 19:59:25 +00:00
Dr. Stephen Henson
c451bd828f Avoid case in ca.c fix. 2008-06-02 12:10:06 +00:00
Dr. Stephen Henson
dd043cd501 Stop const mismatch warning in VC++. 2008-05-31 18:55:23 +00:00
Ben Laurie
3c1d6bbc92 LHASH revamp. make depend. 2008-05-26 11:24:29 +00:00
Geoff Thorpe
f7ccba3edf There was a need to support thread ID types that couldn't be reliably cast
to 'unsigned long' (ie. odd platforms/compilers), so a pointer-typed
version was added but it required portable code to check *both* modes to
determine equality. This commit maintains the availability of both thread
ID types, but deprecates the type-specific accessor APIs that invoke the
callbacks - instead a single type-independent API is used.  This simplifies
software that calls into this interface, and should also make it less
error-prone - as forgetting to call and compare *both* thread ID accessors
could have led to hard-to-debug/infrequent bugs (that might only affect
certain platforms or thread implementations). As the CHANGES note says,
there were corresponding deprecations and replacements in the
thread-related functions for BN_BLINDING and ERR too.
2008-03-28 02:49:43 +00:00
Dr. Stephen Henson
8931b30d84 And so it begins...
Initial support for CMS.

Add zlib compression BIO.

Add AES key wrap implementation.

Generalize S/MIME MIME code to support CMS and/or PKCS7.
2008-03-12 21:14:28 +00:00