Commit graph

2085 commits

Author SHA1 Message Date
Rich Salz
7ff970ef55 Portability fix for apps/s_client.c
Make some local variables and a table of them be static.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-08 12:48:15 -05:00
Viktor Dukhovni
cddd424a5b DANE s_client support
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 20:01:32 -05:00
Rich Salz
bbd86bf542 mem functions cleanup
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
        (Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 15:14:18 -05:00
Dr. Stephen Henson
4a640fb6c3 Fix declarations and constification for inline stack.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Rich Salz
700b4a4ae7 Remove more (rest?) of FIPS build stuff.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-06 12:07:26 -05:00
Viktor Dukhovni
e29c73c93b Fix X509_STORE_CTX_cleanup()
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-03 18:45:05 -05:00
Viktor Dukhovni
63c6aa6b93 Cleanup of verify(1) failure output
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-03 17:05:50 -05:00
Rich Salz
39a6a4a707 Update to SHA256 for TSA signing digest.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-30 18:18:08 -05:00
Richard Levitte
211a68b41a Fix faulty check in the VMS version of opt_progname
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-12-30 16:57:05 +01:00
Richard Levitte
3dc9589cc8 Fix some missing or faulty header file inclusions
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-30 14:54:29 +01:00
Richard Levitte
87a595e554 Refactor DTLS cookie generation and verification
DTLS cookie generation and verification were exact copies of each
other save the last few lines.  This refactors them to avoid code
copying.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 12:44:55 +01:00
Dr. Stephen Henson
287d0b948d Add ssl configuration support to s_server and s_client
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Ben Laurie
a7a14a23a9 Fix no-dgram.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-16 21:31:56 +00:00
Rich Salz
7644a9aef8 Rename some BUF_xxx to OPENSSL_xxx
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-16 16:14:49 -05:00
Matt Caswell
8caab744f5 Fix s_server problem with no-ec
s_server was trying to set the ECDH curve when no-ec was defined. This also
highlighted the fact that the -no_ecdhe option to s_server is broken, and
doesn't make any sense any more (ECDHE is on by default and the only way it
can be disabled is through the cipherstring). Therefore this commit removes
the option.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-15 11:26:38 +00:00
Matt Caswell
73cd6175b9 Fix no-psk compile failure
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-15 11:22:34 +00:00
Dr. Stephen Henson
c01ff880d4 New function X509_get0_pubkey
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-14 23:06:14 +00:00
Viktor Dukhovni
a465ca7841 Fix option value parsing in crl2pkcs7 -certfile
Reviewed-by: Rich Saltz <rsalz@openssl.org>
2015-12-13 21:31:03 -05:00
Viktor Dukhovni
7eff6aa0d6 Avoid erroneous "assert(private)" failures.
When processing a public key input via "-pubin", "private" was
sometimes erroneously set, or else not set and incorrectly asserted.

Reviewed-by: Rich salz <rsalz@openssl.org>
2015-12-13 20:13:49 -05:00
Kurt Roeckx
a5ecdc6af8 Use OPENSSL_NO_DTLS instead of OPENSSL_NO_DTLS1
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-12 12:07:14 +01:00
Rich Salz
f8547f62c2 Use SHA256 not MD5 as default digest.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-11 11:59:59 -05:00
Richard Levitte
e798664726 Don't run rehash as part of building the openssl app
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-10 15:03:52 +01:00
Dr. Stephen Henson
3c4e064e78 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-09 22:09:19 +00:00
Dr. Stephen Henson
fb29bb5926 remove ecdsa.h header
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-09 22:09:19 +00:00
Dr. Stephen Henson
30243c9523 remove ecdh.h header
Remove redundant ecdh.h header and any references to it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-09 22:09:18 +00:00
Richard Levitte
bfb0641f93 Cleanup: fix all sources that used EVP_MD_CTX_(create|init|destroy)
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:40:20 +01:00
Richard Levitte
bf7c68177b Adapt the rest of the source to the opaque HMAC_CTX
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:39:23 +01:00
Richard Levitte
cc9d6655a1 Have the few apps that accessed EVP_MD directly use accessors instead
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:39:23 +01:00
Richard Levitte
6e59a892db Adjust all accesses to EVP_MD_CTX to use accessor functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:39:23 +01:00
Richard Levitte
fa0c23de83 Adapt HMAC to the EVP_MD_CTX changes
This change required some special treatment, as HMAC is intertwined
with EVP_MD.  For now, all local HMAC_CTX variables MUST be
initialised with HMAC_CTX_EMPTY, or whatever happens to be on the
stack will be mistaken for actual pointers to EVP_MD_CTX.  This will
change as soon as HMAC_CTX becomes opaque.

Also, since HMAC_CTX_init() can fail now, its return type changes from
void to int, and it will return 0 on failure, 1 on success.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:36:57 +01:00
Kurt Roeckx
361a119127 Remove support for all 40 and 56 bit ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364
2015-12-05 17:45:59 +01:00
Quanah Gibson-Mount
c7944cf1f6 Fix grammar errors
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>

GH: #481
2015-11-24 22:01:35 +01:00
Michal Bozon
e61434b427 Fix "primarility" typo
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>

GH: #458
2015-11-21 14:37:24 +01:00
Matt Caswell
68487a9b06 Convert __thread to pthreads for Thread Local Storage
In theory the pthreads approach for Thread Local Storage should be more
portable.

This also changes some APIs in order to accommodate this change. In
particular ASYNC_init_pool is renamed ASYNC_init_thread and
ASYNC_free_pool is renamed ASYNC_cleanup_thread. Also introduced ASYNC_init
and ASYNC_cleanup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:39:30 +00:00
Matt Caswell
e1b9840ed7 Add s_client support for waiting for async
s_server already had the ability to wait on an async file descriptor. This
adds it to s_client too.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:35 +00:00
Matt Caswell
9920a58eb2 Fix the error code for SSL_get_async_wait_fd()
0 is a valid file descriptor so SSL_get_async_wait_fd should instead return
-1 on error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:35 +00:00
Matt Caswell
4f70d04593 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:34 +00:00
Matt Caswell
5e6f9775a9 Fix pools for s_client
s_client was not freeing up the async pool if async mode was enabled.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:33:46 +00:00
Matt Caswell
64c07bd2d8 Fix s_server bug
If an async event occurs during a renegotiation in SSL_read then s_server
was looping around, detecting we were in init and calling
init_ssl_connection instead of re-calling SSL_read.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:33:46 +00:00
Matt Caswell
0ff2b9ac0b Implement local thread pools
Implement the ASYNC_JOB as a local thread pool. Remove the API support
for global pools.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:33:46 +00:00
Matt Caswell
f4da39d200 Initial Async notify code changes
Initial API implemented for notifying applications that an ASYNC_JOB
has completed. Currently only s_server is using this. The Dummy Async
engine "cheats" in that it notifies that it has completed *before* it
pauses the job. A normal async engine would not do that.

Only the posix version of this has been implemented so far, so it will
probably fail to compile on Windows at the moment.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:33:46 +00:00
Matt Caswell
252d6d3aa6 Add ASYNC_JOB pools
It is expensive to create the ASYNC_JOB objects due to the "makecontext"
call. This change adds support for pools of ASYNC_JOB objects so that we
don't have to create a new ASYNC_JOB every time we want to use one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:33:46 +00:00
Matt Caswell
4cfa6204e8 Fix s_server -WWW with -async
The s_server option -WWW was not async aware, and therefore was not
handling SSL_ERROR_WANT_ASYNC conditions. This commit fixes that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:32:18 +00:00
Matt Caswell
7e25dd6da1 Add s_server and s_client async support
A new -async option is added which activates SSL_MODE_ASYNC. Also
SSL_WANT_ASYNC errors are handled appropriately.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:31:42 +00:00
Dr. Stephen Henson
2cc7acd273 Use better defaults for TSA.
Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-20 13:40:53 +00:00
Dr. Stephen Henson
e20b472751 Add support for signer_digest option in TS.
Based on PR#2145

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-20 13:40:53 +00:00
Dr. Stephen Henson
9650919915 add -psk option to ciphers command
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-14 00:06:33 +00:00
Dr. Stephen Henson
2a802c8029 add -tls1_2,-tls1_1 options to ciphers command
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-14 00:06:33 +00:00
Nathan Phillip Brink
cfb4f1efba RT2667: Add IRC support to -starttls
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-13 17:17:18 -05:00
Matt Caswell
96487cddd4 Continue standardisation of malloc handling in apps
continue on from previous commits but in the apps directory

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-09 22:48:41 +00:00
Richard Levitte
2c9be7d09f Fix usage of BIO_ctrl_set_connected
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 21:18:34 +01:00
Rich Salz
b0700d2c8d Replace "SSLeay" in API with OpenSSL
All instances of SSLeay (any combination of case) were replaced with
the case-equivalent OpenSSL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 17:21:42 -04:00
Matt Caswell
5998e29035 Remove SSL_state and SSL_set_state
SSL_state has been replaced by SSL_get_state and SSL_set_state is no longer
supported.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
075c879585 Remove a call to SSL_set_state from s_server
s_server was (ab)using SSL_set_state to force a renegotiation. This is a
bad way to do things and does not work with the new state machine code, so
we need to do it a different way.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
49ae742398 Remove redundant code
Clean up and remove lots of code that is now no longer needed due to the
move to the new state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Alessandro Ghedini
070c23325a Remove useless code
RT#4081

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-23 19:52:08 +02:00
Alessandro Ghedini
4428c7dba8 Do not treat 0 return value from BIO_get_fd() as error
0 is a valid file descriptor.

RT#4068

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-23 19:52:08 +02:00
Dr. Stephen Henson
76e0cd12f6 Move auto Host adding to query_responder
Check for Host header in query_responder instead of process_responder. This
also fixes a memory leak in the old code if the headers was NULL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-18 14:36:21 +01:00
Dr. Stephen Henson
bb7fc98c43 Fix memory leak with -issuer option.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-18 14:36:21 +01:00
Dmitry Belyavsky
1f08d945a7 Fix error message when loading engines from config
When using command line applications errors occur when trying to
load engines specified in a config file. Introduced by commit
a0a82324f9

RT#4093

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-16 10:11:46 +01:00
Matt Caswell
1dce6c3f9e Rename -set-serial command to req
Previous OpenSSL versions used -set_serial, but master was using
-set-serial - so rename it back to the old version.

RT#4059

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-12 22:42:23 +01:00
Matt Caswell
a0a82324f9 Centralise loading default apps config file
Loading the config file after processing command line options can
cause problems, e.g. where an engine provides new ciphers/digests
these are not then recoginised on the command line. Move the
default config file loading to before the command line option
processing. Whilst we're doing this we might as well centralise
this instead of doing it individually for each application. Finally
if we do it before the OpenSSL_add_ssl_algorithms() call then
ciphersuites provided by an engine (e.g. GOST) can be available to
the apps.

RT#4085
RT#4086

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-12 22:31:00 +01:00
Matt Caswell
d175e8a6c2 Fix option name discrepancy
There used to be options -macopt and -sigopt in <=1.0.2 for the dgst
command line app. These were incorrectly spelled as -macop and -sigop in
master.

RT#4072

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-12 12:45:40 +01:00
Dr. Stephen Henson
9076bd25bf Make no-psk compile without warnings.
PR#4035

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-11 13:38:01 +01:00
Emilia Kasper
3101154481 DTLS: remove unused cookie field
Note that this commit constifies a user callback parameter and therefore
will break compilation for applications using this callback. But unless
they are abusing write access to the buffer, the fix is trivial.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-09 15:32:35 +02:00
Dr. Stephen Henson
e58c4d3cdd Don't try and parse boolean type.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-10-06 15:14:55 +01:00
Andy Polyakov
45f1351821 Address Windows warnings in apps/.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-05 09:25:06 +02:00
Andy Polyakov
b13fdc4860 Explicitly cast INVALID_SOCKET to (int) to address warnings on Windows.
Even though SOCKET is effectively declared as (void *) on Windows, it's
not actually a pointer, but an index within per-process table of
kernel objects. The table size is actually limited and its upper limit
is far below upper limit for signed 32-bit integer. This is what makes
cast in question possible.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-10-05 09:22:54 +02:00
Ben Laurie
19948ceab7 Display brief help if no options for list.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-30 13:55:56 +01:00
Andy Polyakov
db40a14ecb Fix -Wshadow warnings in mingw builds.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-29 18:05:55 +02:00
Alessandro Ghedini
fecd04e910 Print debug info for extended master secret extension
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-28 13:37:44 -04:00
Michal Bozon
5573ee3669 RT4053: Typo in error message
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-28 13:36:46 -04:00
Dr. Stephen Henson
d40a1f72b6 SRP memory leak fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-28 14:29:16 +01:00
Emilia Kasper
3a79618474 Silence Wconditional-uninitialized
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 15:28:16 +02:00
Alessandro Ghedini
c9c84a1391 GH408 follow-on: update buflen
Some builds break, as documented in:
  https://github.com/openssl/openssl/pull/408#issuecomment-142971427
This fixes it.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-25 20:22:27 -04:00
Matt Caswell
2b6bcb702d Add support for -no-CApath and -no-CAfile options
For those command line options that take the verification options
-CApath and -CAfile, if those options are absent then the default path or
file is used instead. It is not currently possible to specify *no* path or
file at all. This change adds the options -no-CApath and -no-CAfile to
specify that the default locations should not be used to all relevant
applications.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-25 14:49:59 +01:00
Vladimir Kotal
e7a68985d5 fix compilation on Solaris
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-24 11:25:25 -04:00
Rich Salz
1c9c243509 Restore the old interactive prompt.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-24 10:27:31 -04:00
Matt Caswell
d8249e99b9 Fix s_server DTLSv1_listen issues
Use sockaddr_storage not sockaddr for the client IP address to allow for
IPv6.
Also fixed a section of code which was conditional on OPENSSL_NO_DTLS1
which should not have been.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:27 +01:00
Matt Caswell
fd4e98ec84 Add support for DTLSv1_listen in s_server
DTLSv1_listen is a commonly used function within DTLS solutions for
listening for new incoming connections. This commit adds support to s_server
for using it.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:27 +01:00
Rich Salz
18cd23df8a Remove "noise" comments from TS files.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-22 00:40:31 -04:00
Matt Caswell
dfd6211ce3 Fix -srpvfile option in srp command line
The -srpvfile option was broken in the srp command line app. Using it would
always result in "-dbfile and -configfile cannot be specified together."
The error message is also wrong because the option is "-srpvfile" not
"-dbfile", so that has been fixed too.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-09-21 10:17:58 +01:00
Dr. Stephen Henson
4e7e623012 Make SRP work with -www
PR#3817

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-20 14:19:49 +01:00
Dr. Stephen Henson
37f3a3b327 make no-dh work
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-20 12:50:55 +01:00
Richard Levitte
da9a22bb57 Finally, remove a possibly disabled feature
I have no clue why MD_GHOST94 was checked on, there is no
OPENSSL_NO_MD_GHOST94 in sight anywhere

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
56c1ef0501 Add more features that may be disabled
Have a look at the directories in crypto/, I found reason to add
checks on CMAC and HMAC.  This might be completely irrelevant, but I
prefered covering too much than not enough.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
2df84dd329 Add more features that may be disabled
A grep of OPENSSL_NO_ in the rest of the source tree revealed a few
more features to check.

NOTE: there are some of those macros that I ignore because a check of
them doesn't seem useful to external apps.  This might change later on.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
66b14bab0a Add more features that may be disabled
After a grep of OPENSSL_NO_ in apps/*.c, a few more features that may
be interesting to check the availability of came up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
27dae1b04f Add more features that may be disabled
I've tried to make this list as complete as possible, based on
information found in apps/progs.pl.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
d230bd1ddd Sort the disabled features alphabetically
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
f5349f8ca5 Small typo
OPENSSL_NO_ECA changed to OPENSSL_NO_EC

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 00:46:44 +02:00
Dr. Stephen Henson
a760a3805b Print out a list of disabled features.
New option "openssl list -disabled" this lists a set of disabled features
in a form which can be conveniently parsed by the test framework so it
knows which tests to skip.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-19 05:57:19 +01:00
Rich Salz
568b80206a RT4033: Use OPENSSL_SYS_UNIX not "unix"
Real fix for RT 4033

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-17 12:05:14 -04:00
Dr. Stephen Henson
03706afa30 Use default field separator.
If the field separator isn't specified through -nameopt then use
XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error.

PR#2397

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-11 20:50:48 +01:00
Ben Laurie
df2ee0e27d Enable -Wmissing-variable-declarations and
-Wincompatible-pointer-types-discards-qualifiers (the latter did not require
any code changes).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-11 04:51:55 +01:00
Rich Salz
4c7103a5ee Unwriteable directories are errors
Make the script and app match the documentation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-10 16:13:55 -04:00
Rich Salz
ff2f6bb084 Fix rehash/c_rehash doc and behavior.
Both now warn once if directory isn't writeable.
Both now warn on file-write errors (multiple times).
Update manpage to describe both program and script correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-08 15:13:57 -04:00
Ben Laurie
8c82de991b Fix uninit warning. Remove unnecessary casts. Nothing to add is an error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-08 05:46:38 +01:00
Rich Salz
5278dec375 add support for apple os/x
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-07 21:58:03 -04:00
Rich Salz
ce249fac57 GH391: Apple port
Also make internal functions consistently return values, and
add a comment documenting them.

Reviewed-by: Ben Laurie <ben@openssl.org>
2015-09-07 14:41:00 -04:00
Rich Salz
62fdf4ee6c fix build breakage on windows
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 21:39:26 -04:00
Rich Salz
9e0da06089 Fix typo, that broke build on non-unix
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 19:01:53 -04:00
Timo Teras
8f6f1441a3 Add rehash command to openssl
On Unix/Linux platforms, merge c_rehash script into openssl as a
C program.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 18:03:54 -04:00
Richard Levitte
496f4f9d6a Small fix: make istext static
This takes away a build failure in some cases.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 23:41:12 +02:00
Richard Levitte
5f62e044d3 Fix enc so it properly treats BASE64 as text
To set both the incoming and outgoing data when 'encrypting' or
'decrypting' to FORMAT_BASE64 wasn't quite the right thing to do.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 17:12:39 +02:00
Richard Levitte
a60994df34 Change the treatment of stdin and stdout to allow binary data
If the output to stdout or the input from stdin is meant to be binary,
it's deeply unsetting to get the occasional LF converted to CRLF or
the other way around.  If someone happens to forget to redirect stdin
or stdout, they will get gibberish anyway, line ending conversion will
not change that.

Therefore, let's not have dup_bio_* decide unilaterally what mode the
BIO derived from stdin and stdout, and rather let the app decide by
declaring the intended format.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 13:34:49 +02:00
Richard Levitte
a412b89198 dup_bio_* and bio_open_* are utility functions and belong in apps.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 13:34:48 +02:00
Richard Levitte
afc12d76f8 Have binary mode when the format is binary, not the other way around
Fixing a small mixup.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 01:35:54 +02:00
Richard Levitte
bdd58d9846 Change the way apps open their input and output files
The different apps had the liberty to decide whether they would open their
input and output files in binary mode or not, which could be confusing if
two different apps were handling the same type of file in different ways.

The solution is to centralise the decision of low level file organisation,
and that the apps would use a selection of formats to state the intent of
the file.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 01:35:54 +02:00
Richard Levitte
d303b9d85e Make the handling of output and input formats consistent
Most of all, we needed to sort out which ones are binary and which
ones are text, and make sure they are treated accordingly and
consistently so

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 01:29:36 +02:00
Dr. Stephen Henson
a8d8e06b0a Avoid direct X509 structure access
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 00:17:37 +01:00
Rich Salz
ca4a494cb7 Make TS structures opaque.
Most of the accessors existed and were already used so it was easy.
TS_VERIFY_CTX didn't have accessors/settors so I added the simple and
obvious ones, and changed the app to use them.  Also, within crypto/ts,
replaced the functions with direct access to the structure members
since we generally aren't opaque within a directory.

Also fix RT3901.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-05 17:49:20 -04:00
David Woodhouse
d35ff2c0ad RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check
In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-05 16:17:15 -04:00
Rich Salz
b0809bc8ff RT3998: Allow scrypt to be disabled
This does 64-bit division and multiplication, and on 32-bit platforms
pulls in libgcc symbols (and MSVC does similar) which may not be
available.  Mostly done by David Woodhouse.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-09-04 14:09:14 -04:00
Rich Salz
64b25758ed remove 0 assignments.
After openssl_zalloc, cleanup more "set to 0/NULL" assignments.
Many are from github feedback.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-03 16:26:34 -04:00
Dr. Stephen Henson
e3e571925c make X509_CRL opaque
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-02 21:26:17 +01:00
Adam Eijdenberg
fb029cebae RT3984: Fix clang compiler warning on Mac OS X where %ld is used for uint64_t.
clang suggests %llu instead, but it isn't clear that is portable on
all platforms.

C99 and above define a handy macro for us, so we try to use that
definition and fall back to current definition if needed (though we
switch to 'u' for unsigned).

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-01 20:18:46 +02:00
Emilia Kasper
08a721ac61 apps/speed.c: fix memory leak
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-01 20:01:55 +02:00
Dr. Stephen Henson
124055a96e make X509_REQ opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 20:58:33 +01:00
Dr. Stephen Henson
d8c054f2da Remove asn1-kludge option.
Remove asn1-kludge option from the req utility. It was a decade old
workaround for CAs and software which required an invalid encoding
of PKCS#10 certificate requests: omitting the attributes field even
though it is not OPTIONAL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 20:58:33 +01:00
Hubert Kario
ad775e04f6 GH350: -help text few s_client and s_server flags
add -help description of sigalgs, client_sigalgs, curves
and named_curve

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-26 17:43:20 -04:00
Alessandro Ghedini
b48357d995 GH371: Print debug info for ALPN extension
Also known as RT 4106
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-26 07:07:47 -04:00
Tim Hudson
dfba17b4f3 Restore previous behaviour of only running one algorithm when -evp alg is used.
Submitted by: Eric Young <eay@pobox.com>
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-08-17 22:20:06 +10:00
Tim Hudson
686e344918 restore usage of -elapsed that was disabled in the ifdef reorg
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-08-17 22:16:39 +10:00
Rich Salz
eb647452eb GH345: Remove stderr output
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-16 21:08:25 -04:00
Rich Salz
ade44dcb16 Remove Gost94 signature algorithm.
This was obsolete in 2001.  This is not the same as Gost94 digest.
Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 18:23:29 -04:00
Rich Salz
fd682e4cdd GH365: Missing #ifdef rename.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-10 12:17:53 -04:00
Rich Salz
82c494276d Fix build break.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-08-10 12:00:23 -04:00
bluelineXY
ff4a9394a2 GH357: Update ocsp.c
Add Host Header in OCSP query if no host header is set via -header

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-08-08 18:18:03 -04:00
Matt Caswell
e77bdc7310 Fix SRTP s_client/s_server options
The -use_srtp s_client/s_server option is supposed to take a colon
separated string as an argument. In master this was incorrectly set to
expect a filename.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-04 19:20:11 +01:00
Ben Laurie
bb484020c3 Fix refactoring breakage.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-02 16:11:16 +01:00
Dr. Stephen Henson
5a168057bc don't reset return value to 0
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-02 14:28:50 +01:00
Ben Laurie
480405e4a9 Add -Wconditional-uninitialized to clang strict warnings.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-02 02:45:44 +01:00
Rich Salz
740ceb5b0c Various doc fixes from GH pull requests
Thanks folks:
        348 Benjamin Kaduk
        317 Christian Brueffer
        254 Erik Tews
        253 Erik Tews
        219 Carl Mehner
        155 (ghost)
        95 mancha
        51 DominikNeubauer

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-07-31 12:27:27 -04:00
Kai Engert
898ea7b855 RT3742: Add xmpp_server to s_client.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:19:45 -04:00
Adam Eijdenberg
be0c03618a RT3963: Allow OCSP stapling with -rev and -www
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:15:42 -04:00
Adam Eijdenberg
e46bcca25e RT3962: Check accept_count only if not unlimited
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:13:58 -04:00
Adam Eijdenberg
902c6b95a3 RT3961: Fix switch/case errors in flag parsing
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:11:55 -04:00
Rich Salz
5bb17d1b3c RT3639: Add -no_comp description to online help
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-07-29 16:58:55 -04:00
Rich Salz
0bc2f36555 Remove obsolete key formats.
Remove support for RSA_NET and Netscape key format (-keyform n).

Also removed documentation of SGC.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-16 01:06:48 -04:00
Rich Salz
5b89036c41 Can't use -trusted with -CA{path,file}
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-14 07:46:20 -04:00
Richard Levitte
eeb97bce75 Remove extra '; \' in apps/Makefile
Fixes GH#330

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-13 15:48:57 +02:00
Peter Waltenberg
99dcd88035 Exit on error in ecparam
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-07-09 15:42:52 -04:00
Matt Caswell
7f3f41d816 Extend -show_chain option to verify to show more info
The -show_chain flag to the verify command line app shows information about
the chain that has been built. This commit adds the text "untrusted" against
those certificates that have been used from the untrusted list.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-07 21:57:12 +01:00
Matt Caswell
a64ba70dbb Add help text for some verify options
Fills in the help text for a number of options to verify that were blank.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-07 21:57:11 +01:00
Richard Levitte
f1cece554d Make "oneline" the default for nameopt
There's no reason why we should default to a output format that is
old, and confusing in some cases.

This affects the commands "ca", "crl", "req" and "x509".

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-07 11:17:14 +02:00
Dr. Stephen Henson
13cbe5e711 missing break
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-25 12:55:56 +01:00
Rich Salz
4b8d8e2ad3 RT3682: Avoid double-free on OCSP parse error
Found by Kurt Cancemi.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-23 08:12:01 -04:00
Rich Salz
3b061a00e3 RT2547: Tighten perms on generated privkey files
When generating a private key, try to make the output file be readable
only by the owner.  Put it in CHANGES file since it might be noticeable.

Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key.  Checked via assert so that this
bug (security-related) gets fixed.  Thanks to Viktor for help in tracing
the code-paths where private keys are written.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-06-15 18:26:56 -04:00
Tim Hudson
29eca1c0d5 Fix argument processing error from the option parsing change over.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-15 14:55:34 +10:00