Commit graph

2085 commits

Author SHA1 Message Date
Richard Levitte
2c9be7d09f Fix usage of BIO_ctrl_set_connected
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 21:18:34 +01:00
Rich Salz
b0700d2c8d Replace "SSLeay" in API with OpenSSL
All instances of SSLeay (any combination of case) were replaced with
the case-equivalent OpenSSL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 17:21:42 -04:00
Matt Caswell
5998e29035 Remove SSL_state and SSL_set_state
SSL_state has been replaced by SSL_get_state and SSL_set_state is no longer
supported.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
075c879585 Remove a call to SSL_set_state from s_server
s_server was (ab)using SSL_set_state to force a renegotiation. This is a
bad way to do things and does not work with the new state machine code, so
we need to do it a different way.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Matt Caswell
49ae742398 Remove redundant code
Clean up and remove lots of code that is now no longer needed due to the
move to the new state machine.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:38:18 +00:00
Alessandro Ghedini
070c23325a Remove useless code
RT#4081

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-23 19:52:08 +02:00
Alessandro Ghedini
4428c7dba8 Do not treat 0 return value from BIO_get_fd() as error
0 is a valid file descriptor.

RT#4068

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-23 19:52:08 +02:00
Dr. Stephen Henson
76e0cd12f6 Move auto Host adding to query_responder
Check for Host header in query_responder instead of process_responder. This
also fixes a memory leak in the old code if the headers was NULL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-18 14:36:21 +01:00
Dr. Stephen Henson
bb7fc98c43 Fix memory leak with -issuer option.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-18 14:36:21 +01:00
Dmitry Belyavsky
1f08d945a7 Fix error message when loading engines from config
When using command line applications errors occur when trying to
load engines specified in a config file. Introduced by commit
a0a82324f9

RT#4093

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-16 10:11:46 +01:00
Matt Caswell
1dce6c3f9e Rename -set-serial command to req
Previous OpenSSL versions used -set_serial, but master was using
-set-serial - so rename it back to the old version.

RT#4059

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-12 22:42:23 +01:00
Matt Caswell
a0a82324f9 Centralise loading default apps config file
Loading the config file after processing command line options can
cause problems, e.g. where an engine provides new ciphers/digests
these are not then recoginised on the command line. Move the
default config file loading to before the command line option
processing. Whilst we're doing this we might as well centralise
this instead of doing it individually for each application. Finally
if we do it before the OpenSSL_add_ssl_algorithms() call then
ciphersuites provided by an engine (e.g. GOST) can be available to
the apps.

RT#4085
RT#4086

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-12 22:31:00 +01:00
Matt Caswell
d175e8a6c2 Fix option name discrepancy
There used to be options -macopt and -sigopt in <=1.0.2 for the dgst
command line app. These were incorrectly spelled as -macop and -sigop in
master.

RT#4072

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-12 12:45:40 +01:00
Dr. Stephen Henson
9076bd25bf Make no-psk compile without warnings.
PR#4035

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-11 13:38:01 +01:00
Emilia Kasper
3101154481 DTLS: remove unused cookie field
Note that this commit constifies a user callback parameter and therefore
will break compilation for applications using this callback. But unless
they are abusing write access to the buffer, the fix is trivial.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-09 15:32:35 +02:00
Dr. Stephen Henson
e58c4d3cdd Don't try and parse boolean type.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-10-06 15:14:55 +01:00
Andy Polyakov
45f1351821 Address Windows warnings in apps/.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-05 09:25:06 +02:00
Andy Polyakov
b13fdc4860 Explicitly cast INVALID_SOCKET to (int) to address warnings on Windows.
Even though SOCKET is effectively declared as (void *) on Windows, it's
not actually a pointer, but an index within per-process table of
kernel objects. The table size is actually limited and its upper limit
is far below upper limit for signed 32-bit integer. This is what makes
cast in question possible.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-10-05 09:22:54 +02:00
Ben Laurie
19948ceab7 Display brief help if no options for list.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-30 13:55:56 +01:00
Andy Polyakov
db40a14ecb Fix -Wshadow warnings in mingw builds.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-29 18:05:55 +02:00
Alessandro Ghedini
fecd04e910 Print debug info for extended master secret extension
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-28 13:37:44 -04:00
Michal Bozon
5573ee3669 RT4053: Typo in error message
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-28 13:36:46 -04:00
Dr. Stephen Henson
d40a1f72b6 SRP memory leak fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-28 14:29:16 +01:00
Emilia Kasper
3a79618474 Silence Wconditional-uninitialized
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 15:28:16 +02:00
Alessandro Ghedini
c9c84a1391 GH408 follow-on: update buflen
Some builds break, as documented in:
  https://github.com/openssl/openssl/pull/408#issuecomment-142971427
This fixes it.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-25 20:22:27 -04:00
Matt Caswell
2b6bcb702d Add support for -no-CApath and -no-CAfile options
For those command line options that take the verification options
-CApath and -CAfile, if those options are absent then the default path or
file is used instead. It is not currently possible to specify *no* path or
file at all. This change adds the options -no-CApath and -no-CAfile to
specify that the default locations should not be used to all relevant
applications.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-25 14:49:59 +01:00
Vladimir Kotal
e7a68985d5 fix compilation on Solaris
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-24 11:25:25 -04:00
Rich Salz
1c9c243509 Restore the old interactive prompt.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-24 10:27:31 -04:00
Matt Caswell
d8249e99b9 Fix s_server DTLSv1_listen issues
Use sockaddr_storage not sockaddr for the client IP address to allow for
IPv6.
Also fixed a section of code which was conditional on OPENSSL_NO_DTLS1
which should not have been.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:27 +01:00
Matt Caswell
fd4e98ec84 Add support for DTLSv1_listen in s_server
DTLSv1_listen is a commonly used function within DTLS solutions for
listening for new incoming connections. This commit adds support to s_server
for using it.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-23 13:53:27 +01:00
Rich Salz
18cd23df8a Remove "noise" comments from TS files.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-22 00:40:31 -04:00
Matt Caswell
dfd6211ce3 Fix -srpvfile option in srp command line
The -srpvfile option was broken in the srp command line app. Using it would
always result in "-dbfile and -configfile cannot be specified together."
The error message is also wrong because the option is "-srpvfile" not
"-dbfile", so that has been fixed too.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-09-21 10:17:58 +01:00
Dr. Stephen Henson
4e7e623012 Make SRP work with -www
PR#3817

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-20 14:19:49 +01:00
Dr. Stephen Henson
37f3a3b327 make no-dh work
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-20 12:50:55 +01:00
Richard Levitte
da9a22bb57 Finally, remove a possibly disabled feature
I have no clue why MD_GHOST94 was checked on, there is no
OPENSSL_NO_MD_GHOST94 in sight anywhere

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
56c1ef0501 Add more features that may be disabled
Have a look at the directories in crypto/, I found reason to add
checks on CMAC and HMAC.  This might be completely irrelevant, but I
prefered covering too much than not enough.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
2df84dd329 Add more features that may be disabled
A grep of OPENSSL_NO_ in the rest of the source tree revealed a few
more features to check.

NOTE: there are some of those macros that I ignore because a check of
them doesn't seem useful to external apps.  This might change later on.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
66b14bab0a Add more features that may be disabled
After a grep of OPENSSL_NO_ in apps/*.c, a few more features that may
be interesting to check the availability of came up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
27dae1b04f Add more features that may be disabled
I've tried to make this list as complete as possible, based on
information found in apps/progs.pl.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
d230bd1ddd Sort the disabled features alphabetically
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 01:57:57 +02:00
Richard Levitte
f5349f8ca5 Small typo
OPENSSL_NO_ECA changed to OPENSSL_NO_EC

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 00:46:44 +02:00
Dr. Stephen Henson
a760a3805b Print out a list of disabled features.
New option "openssl list -disabled" this lists a set of disabled features
in a form which can be conveniently parsed by the test framework so it
knows which tests to skip.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-19 05:57:19 +01:00
Rich Salz
568b80206a RT4033: Use OPENSSL_SYS_UNIX not "unix"
Real fix for RT 4033

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-17 12:05:14 -04:00
Dr. Stephen Henson
03706afa30 Use default field separator.
If the field separator isn't specified through -nameopt then use
XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error.

PR#2397

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-11 20:50:48 +01:00
Ben Laurie
df2ee0e27d Enable -Wmissing-variable-declarations and
-Wincompatible-pointer-types-discards-qualifiers (the latter did not require
any code changes).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-11 04:51:55 +01:00
Rich Salz
4c7103a5ee Unwriteable directories are errors
Make the script and app match the documentation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-10 16:13:55 -04:00
Rich Salz
ff2f6bb084 Fix rehash/c_rehash doc and behavior.
Both now warn once if directory isn't writeable.
Both now warn on file-write errors (multiple times).
Update manpage to describe both program and script correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-08 15:13:57 -04:00
Ben Laurie
8c82de991b Fix uninit warning. Remove unnecessary casts. Nothing to add is an error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-08 05:46:38 +01:00
Rich Salz
5278dec375 add support for apple os/x
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-07 21:58:03 -04:00
Rich Salz
ce249fac57 GH391: Apple port
Also make internal functions consistently return values, and
add a comment documenting them.

Reviewed-by: Ben Laurie <ben@openssl.org>
2015-09-07 14:41:00 -04:00
Rich Salz
62fdf4ee6c fix build breakage on windows
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 21:39:26 -04:00
Rich Salz
9e0da06089 Fix typo, that broke build on non-unix
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 19:01:53 -04:00
Timo Teras
8f6f1441a3 Add rehash command to openssl
On Unix/Linux platforms, merge c_rehash script into openssl as a
C program.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 18:03:54 -04:00
Richard Levitte
496f4f9d6a Small fix: make istext static
This takes away a build failure in some cases.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 23:41:12 +02:00
Richard Levitte
5f62e044d3 Fix enc so it properly treats BASE64 as text
To set both the incoming and outgoing data when 'encrypting' or
'decrypting' to FORMAT_BASE64 wasn't quite the right thing to do.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 17:12:39 +02:00
Richard Levitte
a60994df34 Change the treatment of stdin and stdout to allow binary data
If the output to stdout or the input from stdin is meant to be binary,
it's deeply unsetting to get the occasional LF converted to CRLF or
the other way around.  If someone happens to forget to redirect stdin
or stdout, they will get gibberish anyway, line ending conversion will
not change that.

Therefore, let's not have dup_bio_* decide unilaterally what mode the
BIO derived from stdin and stdout, and rather let the app decide by
declaring the intended format.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 13:34:49 +02:00
Richard Levitte
a412b89198 dup_bio_* and bio_open_* are utility functions and belong in apps.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 13:34:48 +02:00
Richard Levitte
afc12d76f8 Have binary mode when the format is binary, not the other way around
Fixing a small mixup.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 01:35:54 +02:00
Richard Levitte
bdd58d9846 Change the way apps open their input and output files
The different apps had the liberty to decide whether they would open their
input and output files in binary mode or not, which could be confusing if
two different apps were handling the same type of file in different ways.

The solution is to centralise the decision of low level file organisation,
and that the apps would use a selection of formats to state the intent of
the file.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 01:35:54 +02:00
Richard Levitte
d303b9d85e Make the handling of output and input formats consistent
Most of all, we needed to sort out which ones are binary and which
ones are text, and make sure they are treated accordingly and
consistently so

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 01:29:36 +02:00
Dr. Stephen Henson
a8d8e06b0a Avoid direct X509 structure access
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 00:17:37 +01:00
Rich Salz
ca4a494cb7 Make TS structures opaque.
Most of the accessors existed and were already used so it was easy.
TS_VERIFY_CTX didn't have accessors/settors so I added the simple and
obvious ones, and changed the app to use them.  Also, within crypto/ts,
replaced the functions with direct access to the structure members
since we generally aren't opaque within a directory.

Also fix RT3901.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-05 17:49:20 -04:00
David Woodhouse
d35ff2c0ad RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check
In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-05 16:17:15 -04:00
Rich Salz
b0809bc8ff RT3998: Allow scrypt to be disabled
This does 64-bit division and multiplication, and on 32-bit platforms
pulls in libgcc symbols (and MSVC does similar) which may not be
available.  Mostly done by David Woodhouse.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-09-04 14:09:14 -04:00
Rich Salz
64b25758ed remove 0 assignments.
After openssl_zalloc, cleanup more "set to 0/NULL" assignments.
Many are from github feedback.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-03 16:26:34 -04:00
Dr. Stephen Henson
e3e571925c make X509_CRL opaque
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-02 21:26:17 +01:00
Adam Eijdenberg
fb029cebae RT3984: Fix clang compiler warning on Mac OS X where %ld is used for uint64_t.
clang suggests %llu instead, but it isn't clear that is portable on
all platforms.

C99 and above define a handy macro for us, so we try to use that
definition and fall back to current definition if needed (though we
switch to 'u' for unsigned).

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-01 20:18:46 +02:00
Emilia Kasper
08a721ac61 apps/speed.c: fix memory leak
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-01 20:01:55 +02:00
Dr. Stephen Henson
124055a96e make X509_REQ opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 20:58:33 +01:00
Dr. Stephen Henson
d8c054f2da Remove asn1-kludge option.
Remove asn1-kludge option from the req utility. It was a decade old
workaround for CAs and software which required an invalid encoding
of PKCS#10 certificate requests: omitting the attributes field even
though it is not OPTIONAL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 20:58:33 +01:00
Hubert Kario
ad775e04f6 GH350: -help text few s_client and s_server flags
add -help description of sigalgs, client_sigalgs, curves
and named_curve

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-26 17:43:20 -04:00
Alessandro Ghedini
b48357d995 GH371: Print debug info for ALPN extension
Also known as RT 4106
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-26 07:07:47 -04:00
Tim Hudson
dfba17b4f3 Restore previous behaviour of only running one algorithm when -evp alg is used.
Submitted by: Eric Young <eay@pobox.com>
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-08-17 22:20:06 +10:00
Tim Hudson
686e344918 restore usage of -elapsed that was disabled in the ifdef reorg
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-08-17 22:16:39 +10:00
Rich Salz
eb647452eb GH345: Remove stderr output
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-16 21:08:25 -04:00
Rich Salz
ade44dcb16 Remove Gost94 signature algorithm.
This was obsolete in 2001.  This is not the same as Gost94 digest.
Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 18:23:29 -04:00
Rich Salz
fd682e4cdd GH365: Missing #ifdef rename.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-10 12:17:53 -04:00
Rich Salz
82c494276d Fix build break.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-08-10 12:00:23 -04:00
bluelineXY
ff4a9394a2 GH357: Update ocsp.c
Add Host Header in OCSP query if no host header is set via -header

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-08-08 18:18:03 -04:00
Matt Caswell
e77bdc7310 Fix SRTP s_client/s_server options
The -use_srtp s_client/s_server option is supposed to take a colon
separated string as an argument. In master this was incorrectly set to
expect a filename.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-04 19:20:11 +01:00
Ben Laurie
bb484020c3 Fix refactoring breakage.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-02 16:11:16 +01:00
Dr. Stephen Henson
5a168057bc don't reset return value to 0
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-02 14:28:50 +01:00
Ben Laurie
480405e4a9 Add -Wconditional-uninitialized to clang strict warnings.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-02 02:45:44 +01:00
Rich Salz
740ceb5b0c Various doc fixes from GH pull requests
Thanks folks:
        348 Benjamin Kaduk
        317 Christian Brueffer
        254 Erik Tews
        253 Erik Tews
        219 Carl Mehner
        155 (ghost)
        95 mancha
        51 DominikNeubauer

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-07-31 12:27:27 -04:00
Kai Engert
898ea7b855 RT3742: Add xmpp_server to s_client.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:19:45 -04:00
Adam Eijdenberg
be0c03618a RT3963: Allow OCSP stapling with -rev and -www
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:15:42 -04:00
Adam Eijdenberg
e46bcca25e RT3962: Check accept_count only if not unlimited
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:13:58 -04:00
Adam Eijdenberg
902c6b95a3 RT3961: Fix switch/case errors in flag parsing
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:11:55 -04:00
Rich Salz
5bb17d1b3c RT3639: Add -no_comp description to online help
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-07-29 16:58:55 -04:00
Rich Salz
0bc2f36555 Remove obsolete key formats.
Remove support for RSA_NET and Netscape key format (-keyform n).

Also removed documentation of SGC.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-16 01:06:48 -04:00
Rich Salz
5b89036c41 Can't use -trusted with -CA{path,file}
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-14 07:46:20 -04:00
Richard Levitte
eeb97bce75 Remove extra '; \' in apps/Makefile
Fixes GH#330

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-13 15:48:57 +02:00
Peter Waltenberg
99dcd88035 Exit on error in ecparam
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-07-09 15:42:52 -04:00
Matt Caswell
7f3f41d816 Extend -show_chain option to verify to show more info
The -show_chain flag to the verify command line app shows information about
the chain that has been built. This commit adds the text "untrusted" against
those certificates that have been used from the untrusted list.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-07 21:57:12 +01:00
Matt Caswell
a64ba70dbb Add help text for some verify options
Fills in the help text for a number of options to verify that were blank.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-07 21:57:11 +01:00
Richard Levitte
f1cece554d Make "oneline" the default for nameopt
There's no reason why we should default to a output format that is
old, and confusing in some cases.

This affects the commands "ca", "crl", "req" and "x509".

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-07 11:17:14 +02:00
Dr. Stephen Henson
13cbe5e711 missing break
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-25 12:55:56 +01:00
Rich Salz
4b8d8e2ad3 RT3682: Avoid double-free on OCSP parse error
Found by Kurt Cancemi.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-23 08:12:01 -04:00
Rich Salz
3b061a00e3 RT2547: Tighten perms on generated privkey files
When generating a private key, try to make the output file be readable
only by the owner.  Put it in CHANGES file since it might be noticeable.

Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key.  Checked via assert so that this
bug (security-related) gets fixed.  Thanks to Viktor for help in tracing
the code-paths where private keys are written.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-06-15 18:26:56 -04:00
Tim Hudson
29eca1c0d5 Fix argument processing error from the option parsing change over.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-15 14:55:34 +10:00
Tim Hudson
e58ddf0af8 Fix argument processing error from the option parsing change over.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-15 11:36:32 +10:00
Emilia Kasper
a8e4ac6a2f Remove SSL_OP_TLS_BLOCK_PADDING_BUG
This is a workaround so old that nobody remembers what buggy clients
it was for. It's also been broken in stable branches for two years and
nobody noticed (see
https://boringssl-review.googlesource.com/#/c/1694/).

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-10 13:55:11 +02:00
Richard Levitte
acaff3b797 When making libcrypto from apps or test, make sure to include engines
For librypto to be complete, the stuff in both crypto/ and engines/
have to be built.  Doing 'make test' or 'make apps' from a clean
source tree failed to do so.
Corrected by using the new 'build_libcrypto' in the top Makefile.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-10 02:01:49 +02:00
Rich Salz
7768e116dc Use bio_err not stderr in apps.
Except for VMS startup code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-09 12:48:55 -04:00
Rodger Combs
65d3941f4a Increase buffer size for passwords in pkcs12 CLI
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-06 22:24:01 -04:00
Rich Salz
9c3bcfa027 Standardize handling of #ifdef'd options.
Here are the "rules" for handling flags that depend on #ifdef:

- Do not ifdef the enum.  Only ifdef the OPTIONS table.  All ifdef'd
  entries appear at the end; by convention "engine" is last.  This
  ensures that at run-time, the flag will never be recognized/allowed.
  The next two bullets entries are for silencing compiler warnings:
- In the while/switch parsing statement, use #ifdef for the body to
  disable it; leave the "case OPT_xxx:" and "break" statements outside
  the ifdef/ifndef.  See ciphers.c for example.
- If there are multiple options controlled by a single guard, OPT_FOO,
  OPT_BAR, etc., put a an #ifdef around the set, and then do "#else"
  and a series of case labels and a break. See OPENSSL_NO_AES in cms.c
  for example.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-02 12:40:24 -04:00
Rich Salz
366e2a60b2 RT832: Use REUSEADDR in ocsp responder
I also re-ordered some of #ifdef's.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-02 12:22:38 -04:00
Gunnar Kudrjavets
45d051c825 RT3848: Call SSL_COMP_free_compression_methods
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-02 11:53:12 -04:00
Dr. Stephen Henson
688c244685 fix warning
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-30 23:07:06 +01:00
Dr. Stephen Henson
2d4deb256f fix asn1parse -inform
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-29 12:09:25 +01:00
Richard Levitte
296f54ee21 Restore module loading
The module loading feature got broken a while ago, so restore it, but
have it a bit more explicit this time around.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-05-29 12:41:50 +02:00
Richard Levitte
2142519500 Fix double BIO_free in req
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-29 12:41:50 +02:00
Rich Salz
cc01d21756 RT3876: Only load config when needed
Create app_load_config(), a routine to load config file.  Remove the
"always load config" from the main app.  Change the places that used to
load config to call the new common routine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-28 17:28:33 -04:00
Dr. Stephen Henson
0ceb8b74f5 scrypt in pkcs8 util
Add support for PKCS#8 private key encryption using the scrypt algorithm
in the pkcs8 utility. Update documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-26 13:09:26 +01:00
Dr. Stephen Henson
6355d31538 Add function PKCS8_set0_pbe
This adds a new function which will encrypt a private key using PKCS#8
based on an X509_ALGOR structure and reimplements PKCS8_encrypt to use it.

Update pkcs8 utlity to use PKCS8_set0_pbe.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-26 13:09:26 +01:00
Hanno Böck
cf89a80e25 RT3861: Mem/bio leak in req command
The "out" variable is used for both key and csr.  Close it after
writing the first one so it can be re-used when writing the other.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-25 19:13:26 -04:00
Rich Salz
cc630cdbcc Fix segfault in ec command
Thanks to Brian Carpenter <brian.carpenter@gmail.com> for finding this.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-25 19:11:22 -04:00
Rich Salz
fc0eb00bca fix s_client crash
The 'http proxy' commit broke s_client default host/port value.
Thanks to Matt for the simplest fix.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-25 12:46:57 -04:00
Richard Levitte
6f45032f67 Missed a couple of spots in the update change
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-23 06:14:22 +02:00
Matt Caswell
e481f9b90b Remove support for OPENSSL_NO_TLSEXT
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 23:10:51 +01:00
Michael Trapp
552bf8ec5e RT266: Add HTTP proxy/CONNECT to s_client
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 16:56:59 -04:00
Richard Levitte
0f539dc1a2 Fix the update target and remove duplicate file updates
We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in.  This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.

This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-22 18:44:33 +02:00
Matt Caswell
a7f82a1ab2 Fix various OPENSSL_NO_* options
This fixes compilation with various OPENSSL_NO_* options that got broken
during the big apps cleanup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-22 09:38:37 +01:00
Rich Salz
3e8e688f86 Replace switch/assignments with table lookup
Typedef STRINT_PAIR to be the same as OPT_PAIR, and use that structure and
a bunch of tables instead of switch statements to lookup various values
out of the SSL/TLS message buffers.  Shrinks a bunch of code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-20 17:51:52 -04:00
Emilia Kasper
1554d55318 Remove dh512.pem
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 15:10:26 +02:00
Robert Swiecki
00d565cfbe Don't add write errors into bytecounts
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-19 07:19:38 -04:00
Matt Caswell
a3680c8f9c Version negotiation rewrite cleanup
Following the version negotiation rewrite all of the previous code that was
dedicated to version negotiation can now be deleted - all six source files
of it!!

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-16 09:20:38 +01:00
Matt Caswell
13c9bb3ece Client side version negotiation rewrite
Continuing from the previous commit this changes the way we do client side
version negotiation. Similarly all of the s23* "up front" state machine code
has been avoided and again things now work much the same way as they already
did for DTLS, i.e. we just do most of the work in the
ssl3_get_server_hello() function.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-16 09:20:31 +01:00
Matt Caswell
32ec41539b Server side version negotiation rewrite
This commit changes the way that we do server side protocol version
negotiation. Previously we had a whole set of code that had an "up front"
state machine dedicated to the negotiating the protocol version. This adds
significant complexity to the state machine. Historically the justification
for doing this was the support of SSLv2 which works quite differently to
SSLv3+. However, we have now removed support for SSLv2 so there is little
reason to maintain this complexity.

The one slight difficulty is that, although we no longer support SSLv2, we
do still support an SSLv3+ ClientHello in an SSLv2 backward compatible
ClientHello format. This is generally only used by legacy clients. This
commit adds support within the SSLv3 code for these legacy format
ClientHellos.

Server side version negotiation now works in much the same was as DTLS,
i.e. we introduce the concept of TLS_ANY_VERSION. If s->version is set to
that then when a ClientHello is received it will work out the most
appropriate version to respond with. Also, SSLv23_method and
SSLv23_server_method have been replaced with TLS_method and
TLS_server_method respectively. The old SSLv23* names still exist as
macros pointing at the new name, although they are deprecated.

Subsequent commits will look at client side version negotiation, as well of
removal of the old s23* code.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-16 09:19:56 +01:00
Rich Salz
857048a7f3 Use #error in openssl/srp.h
Follow the same convention the other OPENSSL_NO_xxx header files
do, and use #error instead of making the header file be a no-op.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-15 08:16:21 -04:00
Rich Salz
98cd49db1d Add missing ctype.h
Had old patch, forgot to push/patch this to master

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-13 14:41:53 -04:00
Rich Salz
fc3cec5350 Fix ocsp bugs
Various bugs found by Viktor, Emilia, Matt, etc.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-13 13:19:14 -04:00
Matt Caswell
55a9a16f1c Remove Kerberos support from libssl
Remove RFC2712 Kerberos support from libssl. This code and the associated
standard is no longer considered fit-for-purpose.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-13 15:07:57 +01:00
Matt Caswell
5561419a60 Remove Kerberos support from apps
Remove Kerberos related options from the apps to prepare for the
subsequent commits which will remove libcrypto and libssl support for
Kerberos.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-13 15:07:34 +01:00
Rich Salz
75ebbd9aa4 Use p==NULL not !p (in if statements, mainly)
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-11 10:06:38 -04:00
Kurt Cancemi
7786005d0d Add missing terminating NULL to speed_options table.
This would cause memory corruption in opt_init() because it relies on the
terminating NULL.

RT#3842

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-11 12:09:52 +01:00
Bjoern D. Rasmussen
8f744cceff Fix for memcpy() and strcmp() being undefined.
clang says: "s_cb.c:958:9: error: implicitly declaring library function
'memcpy'"

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-11 12:01:51 +01:00
Rich Salz
86885c2895 Use "==0" instead of "!strcmp" etc
For the various string-compare routines (strcmp, strcasecmp, str.*cmp)
use "strcmp()==0" instead of "!strcmp()"

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-06 22:37:53 -04:00
Richard Levitte
5c4e3a4e60 Make -CAserial a type 's' option
The file name given to -CAserial might not exist yet.  The
-CAcreateserial option decides if this is ok or not.

Previous to this change, -CAserial was a type '<' option, and in that
case, the existence of the file given as argument is tested quite
early, and is a failure if it doesn't.  With the type 's' option, the
argument is just a string that the application can do whatever it
wants with.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-06 19:43:59 +02:00
Gunnar Kudrjavets
4c9b0a0314 Initialize potentially uninitialized local variables
Compiling OpenSSL code with MSVC and /W4 results in a number of warnings.
One category of warnings is particularly interesting - C4701 (potentially
uninitialized local variable 'name' used). This warning pretty much means
that there's a code path which results in uninitialized variables being used
or returned. Depending on compiler, its options, OS, values in registers
and/or stack, the results can be nondeterministic. Cases like this are very
hard to debug so it's rational to fix these issues.

This patch contains a set of trivial fixes for all the C4701 warnings (just
initializing variables to 0 or NULL or appropriate error code) to make sure
that deterministic values will be returned from all the execution paths.

RT#3835

Signed-off-by: Matt Caswell <matt@openssl.org>

Matt's note: All of these appear to be bogus warnings, i.e. there isn't
actually a code path where an unitialised variable could be used - its just
that the compiler hasn't been able to figure that out from the logic. So
this commit is just about silencing spurious warnings.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-06 13:06:46 +01:00
Matt Caswell
4407d070e5 Fix s_server version specific methods
A copy&paste error as a result of the big apps cleanup broke the version
specific methods in s_server.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-06 13:03:43 +01:00
Rich Salz
16f8d4ebf0 memset, memcpy, sizeof consistency fixes
Just as with the OPENSSL_malloc calls, consistently use sizeof(*ptr)
for memset and memcpy.  Remove needless casts for those functions.
For memset, replace alternative forms of zero with 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-05 22:18:59 -04:00
Matt Caswell
b1ad95e328 Fix windows build
Fix error in WIN32_rename() introduced by commit b4faea50c3.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-05 22:16:08 +01:00
Rich Salz
ff660b9312 Remove apps cache for gethostbyname
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-05 09:25:29 -04:00
Rich Salz
0fd75c7e6e GH271: Warning on </dev/null to CA.pl
If CA.pl is reading from /dev/null, then "chop $FILE" gives a warning.
Sigh.  Have to add "if $FILE".  This just silences a build warning.
Thanks to GitHub user andrejs-igumenovs for help with this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-04 15:07:52 -04:00
Rich Salz
b4faea50c3 Use safer sizeof variant in malloc
For a local variable:
        TYPE *p;
Allocations like this are "risky":
        p = OPENSSL_malloc(sizeof(TYPE));
if the type of p changes, and the malloc call isn't updated, you
could get memory corruption.  Instead do this:
        p = OPENSSL_malloc(sizeof(*p));
Also fixed a few memset() calls that I noticed while doing this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-04 15:00:13 -04:00
Richard Levitte
8920a7cd04 RT2943: Check sizes if -iv and -K arguments
RT2943 only complains about the incorrect check of -K argument size,
we might as well do the same thing with the -iv argument.

Before this, we only checked that the given argument wouldn't give a
bitstring larger than EVP_MAX_KEY_LENGTH.  we can be more precise and
check against the size of the actual cipher used.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-04 20:15:54 +02:00
Richard Levitte
b256f717f8 Have -K actually take an argument, and correct help text
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-04 20:15:54 +02:00
Rich Salz
b6d3cb543c RT1369: don't do "helpful" access check.
Don't do access check on destination directory; it breaks when euid/egid
is different from real uid/gid.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Signed-off-by: Rich Salz <rsalz@akamai.com>
2015-05-04 10:44:58 -04:00
Dr. Stephen Henson
bdcb1a2cf5 more OSSL_NELEM cases
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-04 13:03:49 +01:00
Hanno Böck
539ed89f68 Fix uninitialized variable.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-05-02 07:44:25 -04:00
Rich Salz
25aaa98aa2 free NULL cleanup -- coda
After the finale, the "real" final part. :)  Do a recursive grep with
"-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are
an "if NULL" check that can be removed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-01 14:37:16 -04:00
Rich Salz
efa7dd6444 free NULL cleanup 11
Don't check for NULL before calling free functions. This gets:
        ERR_STATE_free
        ENGINE_free
        DSO_free
        CMAC_CTX_free
        COMP_CTX_free
        CONF_free
        NCONF_free NCONF_free_data _CONF_free_data
        A sk_free use within OBJ_sigid_free
        TS_TST_INFO_free (rest of TS_ API was okay)
        Doc update for UI_free (all uses were fine)
        X509V3_conf_free
        X509V3_section_free
        X509V3_string_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-01 10:15:18 -04:00
Rich Salz
b548a1f11c free null cleanup finale
Don't check for NULL before calling OPENSSL_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-01 10:02:07 -04:00
Rich Salz
33fbca83dc Fix some typo's, silence warnings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-01 07:11:17 -04:00
Rich Salz
5a3aa85252 Rewrite CA.pl.in
Reformat CA.pl.in to follow coding style.
Also add "use strict" and "use warnings"
Also modify it to exit properly and report only when succeeded.
And some perl tweaks via Richard.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 21:44:40 -04:00
Rich Salz
23a1d5e97c free NULL cleanup 7
This gets BN_.*free:
    BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free
    BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free

Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd
dead code in engines/e_ubsec.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 21:37:06 -04:00
Matt Caswell
c826988109 Sanity check EVP_CTRL_AEAD_TLS_AAD
The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at
least 13 bytes long. Add sanity checks to ensure that the length is at
least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to
represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-30 23:12:39 +01:00
Rich Salz
895cba195a free cleanup 12
Don't check for NULL before calling free function.  This gets:
        NAME_CONSTRAINTS_free GENERAL_SUBTREE_free ECDSA_METHOD_free
        JPAKE_CTX_free OCSP_REQ_CTX_free SCT_free SRP_VBASE_free
        SRP_gN_free SRP_user_pwd_free TXT_DB_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 18:10:52 -04:00
Matt Caswell
b0696f8b0b make update
Run make update following previous header file changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-30 23:00:44 +01:00
Rich Salz
4b45c6e52b free cleanup almost the finale
Add OPENSSL_clear_free which merges cleanse and free.
(Names was picked to be similar to BN_clear_free, etc.)
Removed OPENSSL_freeFunc macro.
Fixed the small simple ones that are left:
        CRYPTO_free CRYPTO_free_locked OPENSSL_free_locked

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:57:32 -04:00
Rich Salz
68dc682499 In apps, malloc or die
No point in proceeding if you're out of memory.  So change
*all* OPENSSL_malloc calls in apps to use the new routine which
prints a message and exits.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:48:31 -04:00
Rich Salz
222561fe8e free NULL cleanup 5a
Don't check for NULL before calling a free routine.  This gets X509_.*free:
    x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free
    X509_STORE_free X509_STORE_CTX_free X509_PKEY_free
    X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:33:59 -04:00
Rich Salz
2ace745022 free NULL cleanup 8
Do not check for NULL before calling a free routine.  This addresses:
    ASN1_BIT_STRING_free ASN1_GENERALIZEDTIME_free ASN1_INTEGER_free
    ASN1_OBJECT_free ASN1_OCTET_STRING_free ASN1_PCTX_free ASN1_SCTX_free
    ASN1_STRING_clear_free ASN1_STRING_free ASN1_TYPE_free
    ASN1_UTCTIME_free M_ASN1_free_of

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 11:31:07 -04:00
Rich Salz
5a80d9fbfe Fix bug, "what mode" test was wrong.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-30 11:31:07 -04:00
Matt Caswell
a3ed492f58 Fix windows build
The big apps cleanup broke the windows build. This commit
fixes some miscellaneous issues so that it builds again.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-30 11:35:18 +01:00
Rich Salz
995101d654 Add HTTP GET support to OCSP server
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-29 17:37:04 -04:00
Rich Salz
db4c08f019 Rewrite parse_name
Remove need for multiple arrays, parse the X509 name
one RDN at a time.  Thanks to Andy for careful review.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-29 14:50:00 -04:00
Rich Salz
2fa45e6ee7 use isxdigit and apps_tohex
Replace ad-hoc ascii->hex with isxdigit and new app_tohex.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-29 14:15:50 -04:00
Rich Salz
ecf3a1fb18 Remove needless bio_err argument
Many functions had a BIO* parameter, and it was always called
with bio_err.  Remove the param and just use bio_err.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-29 11:27:08 -04:00
Rich Salz
b196e7d936 remove malloc casts
Following ANSI C rules, remove the casts from calls to
OPENSSL_malloc and OPENSSL_realloc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-28 15:28:14 -04:00
Rich Salz
31b222da1e CRYPTO_mem_leaks should ignore it's BIO argument.
CRYPTO_mem_leaks takes a BIO* argument.  It's not a leak if that
argument hasn't been free'd.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-27 12:29:39 -04:00
Emilia Kasper
2f5997b7b9 Fix Wmaybe-uninitialized: initialize variable
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-27 16:17:27 +02:00
Rich Salz
57d5edada7 Add readline (etc) support
Compile with -DREADLINE and the appropriate library.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-26 23:45:12 -04:00
Rich Salz
1bb2daead8 Simplify parse_yesno; remove local variable
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-04-26 21:28:38 -04:00
Rich Salz
bc2f5803cc Fix typo in help & comment formatting
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-04-26 21:23:43 -04:00
Rich Salz
ce6766de69 Fix error message
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-04-26 16:43:18 -04:00
Rich Salz
88806cfc61 Fix main build breakage.
A variable declaration got dropped during a merge.
And if a compiler inlines strcmp() and you put a strcmp in an
assert message, the resultant stringification exceeds ANSI string
limits.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-04-26 13:12:04 -04:00
Rich Salz
2f58faad66 Remove the special list-xxxx commands
There's a new "list" command, which takes a flag to say what
to list.  Removing the old hacky commands.  Re-ordered some
functions to remove some needless declarations.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-26 10:31:48 -04:00
Rich Salz
5d307e7b5a RT2962: add -keytab and -krb5svc flags.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 23:08:00 -04:00
Rich Salz
a194ee7b9a Free malloc data on encoding errors.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 22:55:36 -04:00
Rich Salz
f92beb98de Quote HTML entities in s_server output
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:06:19 -04:00
Rich Salz
c6724060e2 RT2206: Add -issuer flag to ocsp command
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:04:42 -04:00
Rich Salz
239f2771e1 Remove EFENCE support.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:03:07 -04:00
Rich Salz
d8c25de595 RT2451: Add telnet to s_client -starttls
Also add -xmpphost and -smtphost flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:01:21 -04:00
Rich Salz
6ba8a5b77a Add -nocommands to s_client.
Add flag to disable the 'command letters' from s_client.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 15:58:22 -04:00
Rich Salz
333b070ec0 fewer NO_ENGINE #ifdef's
Make setup_engine be a dummy if NO_ENGINE is enabled.
The option is not enabled if NO_ENGINE is enabled, so the one "wasted"
variable just sits there. Removes some variables and code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 15:41:29 -04:00
Rich Salz
c54cc2b15d Add missing BIO_flush() calls
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 09:26:48 -04:00
Rich Salz
7e1b748570 Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master.  The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt.  Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that.  There have been many other changes and code-cleanup, see
bullet list below.

Special thanks to Matt for the long and detailed code review.

TEMPORARY:
        For now, comment out CRYPTO_mem_leaks() at end of main

Tickets closed:
        RT3515: Use 3DES in pkcs12 if built with no-rc2
        RT1766: s_client -reconnect and -starttls broke
        RT2932: Catch write errors
        RT2604: port should be 'unsigned short'
        RT2983: total_bytes undeclared #ifdef RENEG
        RT1523: Add -nocert to fix output in x509 app
        RT3508: Remove unused variable introduced by b09eb24
        RT3511: doc fix; req default serial is random
        RT1325,2973: Add more extensions to c_rehash
        RT2119,3407: Updated to dgst.pod
        RT2379: Additional typo fix
        RT2693: Extra include of string.h
        RT2880: HFS is case-insensitive filenames
        RT3246: req command prints version number wrong

Other changes; incompatibilities marked with *:
        Add SCSV support
        Add -misalign to speed command
        Make dhparam, dsaparam, ecparam, x509 output C in proper style
        Make some internal ocsp.c functions void
        Only display cert usages with -help in verify
        Use global bio_err, remove "BIO*err" parameter from functions
        For filenames, - always means stdin (or stdout as appropriate)
        Add aliases for -des/aes "wrap" ciphers.
        *Remove support for IISSGC (server gated crypto)
        *The undocumented OCSP -header flag is now "-header name=value"
        *Documented the OCSP -header flag

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 15:26:15 -04:00
Rich Salz
3b34b7319e Remove SET oid config file and SET certs
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-20 07:24:23 -04:00
Viktor Dukhovni
61986d32f3 Code style: space after 'if'
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-16 13:44:59 -04:00
Rich Salz
e0e920b1a0 free NULL cleanup 9
Ongoing work to skip NULL check before calling free routine.  This gets:
    ecp_nistz256_pre_comp_free nistp224_pre_comp_free nistp256_pre_comp_free
    nistp521_pre_comp_free PKCS7_free PKCS7_RECIP_INFO_free
    PKCS7_SIGNER_INFO_free sk_PKCS7_pop_free PKCS8_PRIV_KEY_INFO_free
    PKCS12_free PKCS12_SAFEBAG_free PKCS12_free sk_PKCS12_SAFEBAG_pop_free
    SSL_CONF_CTX_free SSL_CTX_free SSL_SESSION_free SSL_free ssl_cert_free
    ssl_sess_cert_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-04-11 16:32:54 -04:00
Rich Salz
62adbcee39 free NULL cleanup 10
Avoid checking for NULL before calling free functions.  This gets
ssl.*free:
    ssl_sess_cert_free ssl_free ssl_excert_free ssl_cert_free
    SSL_free SSL_SRP_CTX_free SSL_SESSION_free SSL_CTX_free
    SSL_CTX_SRP_CTX_free SSL_CONF_CTX_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-04-11 10:22:36 -04:00
Rich Salz
be739b0cc0 Drop CA.sh for CA.pl
Remove CA.sh script and use CA.pl for testing, etc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-08 14:07:39 -04:00
Richard Levitte
a80e33b991 Remove EXHEADER, TEST, APPS, links:, install: and uninstall: where relevant
With no more symlinks, there's no need for those variables, or the links
target.  This also goes for all install: and uninstall: targets that do
nothing but copy $(EXHEADER) files, since that's now taken care of by the
top Makefile.

Also, removed METHTEST from test/Makefile.  It looks like an old test that's
forgotten...

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-31 20:16:01 +02:00
Rich Salz
c5ba2d9904 free NULL cleanup
EVP_.*free; this gets:
        EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free
        EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it
        EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-03-28 10:54:15 -04:00
Rich Salz
8fdc3734c0 free NULL cleanup.
This gets EC_GROUP_clear_free EC_GROUP_free, EC_KEY_free,
EC_POINT_clear_free, EC_POINT_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-03-25 18:35:24 -04:00
Rich Salz
ca3a82c3b3 free NULL cleanup
This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free
BIO_free BIO_free_all BIO_vfree

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-25 11:31:18 -04:00
Dr. Stephen Henson
2743e38c2f make X509_NAME opaque
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 14:15:00 +00:00
Matt Caswell
70e5fd8778 Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:03:57 +00:00