CMS_NOOLDMIMETYPE and PKCS7_NOOLDMIMETYPE are unused in pkcs7/cms code.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1585)
This is needed, because on VMS, select() can only be used on sockets. being
able to use select() on all kinds of file descriptors is unique to Unix.
So, the solution for VMS is to create a layer that translates input from
standard input to socket communication.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
it appears when using gcc/mingw:
```
apps/s_client.c:815:9: warning: variable 'at_eof' set but not used [-Wunused-but-set-variable]
int at_eof = 0;
^~~~~~
```
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1512)
User can make Windows openssl.exe to treat command-line arguments
and console input as UTF-8 By setting OPENSSL_WIN32_UTF8 environment
variable (to any value). This is likely to be required for data
interchangeability with other OSes and PKCS#12 containers generated
with Windows CryptoAPI.
Reviewed-by: Richard Levitte <levitte@openssl.org>
OpenSSL versions before 1.1.0 didn't convert non-ASCII
UTF8 PKCS#12 passwords to Unicode correctly.
To correctly decrypt older files, if MAC verification fails
with the supplied password attempt to use the broken format
which is compatible with earlier versions of OpenSSL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
In apps/rsa.c, we were second guessing RSA_check_key() to leave error
codes lying around without returning -1 properly. However, this also
catches other errors that are lying around and that we should not care
about.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Code was relying on an implicit data-sharing through duplication of
loopargs_t pointer-members made by ASYNC_start_job().
Now share structure address instead of structure content.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
The following would fail, or rather, freeze:
openssl genrsa -out rsa2048.pem 2048
openssl req -x509 -key rsa2048.pem -keyform PEM -out cert.pem
In that case, the second command wants to read a certificate request
from stdin, because -x509 wasn't fully flagged as being for creating
something new. This changes makes it fully flagged.
RT#4655
Reviewed-by: Andy Polyakov <appro@openssl.org>
Add mutable versions of X509_get0_notBefore and X509_get0_notAfter.
Rename X509_SIG_get0_mutable to X509_SIG_getm.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
The DANE API supports a DANE_FLAG_NO_DANE_EE_NAMECHECKS option, but
there was no way to exercise/enable it via s_client. This commit
addresses that gap.
Reviewed-by: Rich Salz <rsalz@openssl.org>
... without any interruption.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1468)
Constify X509_SIG_get0() and order arguments to mactch new standard.
Add X509_SIG_get0_mutable() to support modification or initialisation
of an X509_SIG structure.
Reviewed-by: Matt Caswell <matt@openssl.org>
using util/openssl-format-source on s_derver, s_client, ca.c, speed.c only...
Fix/merge some #ifndef
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
If -badsig is selected corrupt the signature before printing out
any details so the output reflects the modified signature.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Deprecate the function ASN1_STRING_data() and replace with a new function
ASN1_STRING_get0_data() which returns a constant pointer. Update library
to use new function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
into a structure , to avoid any accident .
Plus some few cleanups
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
extra spacing and 80 cols
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1366)
Add some explanatory comments
Discard some useless parenthesis.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1342)
Fix an #if check about rsa_count...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1342)
Simplify some loops to reuse k variable
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1342)
Fix compilation without SIGALRM.
It don't link because of remaning alarm(0); call.
Convert engine_id variable to local one
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1342)
do_passwd() was returning 0 on success and 1 on failure. However,
those values were interpreted the other way around. The fix that
makes the most sense is to change what do_passwd() returns.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Windows never composes UTF-8 strings as result of user interaction
such as passing command-line argument. The only way to compose one
is programmatic conversion from WCHAR string, which in turn can be
picked up on command line.
[For reference, why not wmain, it's not an option on MinGW.]
Reviewed-by: Richard Levitte <levitte@openssl.org>
This update syncs the #if guard protecting the pvk-* options
with the rest of the source handling those options. Also fix
some nearby whitespace.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1365)
Old inactive inherited code, a code relic for sure.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301)
Fix some indentation at the same time
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1292)
We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2".
The only time multiple flags are allowed is where they are all "-no_<prot>".
This fixes Github Issue #1268
Reviewed-by: Rich Salz <rsalz@openssl.org>
Make it possible to have a separate and different perl command string
for installable scripts than we use when building, with the
environment variable HASHBANGPERL. Its value default to the same as
the environment PERL if it's defined, otherwise '/usr/bin/env perl'.
Note: this is only relevant for Unix-like environments.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Now that INCLUDE considers both the source and build trees, no need
for the rel2abs perl fragment hacks any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1264)
This function returns a tri-state -1 on error. See BoringSSL's
53409ee3d7595ed37da472bc73b010cd2c8a5ffd.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1251
Changing the type of the |str| variable in asn1pars enables us to remove
4 casts with just 1. This silences an OpenBSD warning along the way.
RT4378
Reviewed-by: Richard Levitte <levitte@openssl.org>
This reverts commit 9c1a9ccf65.
TerminateProcess is asynchronous, so the code as written in the above
commit is not correct. It is also probably not needed in the speed
case. Reverting in order to figure out the correct solution.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Don't use BN_hex2bn() for PSK key conversion as the conversion to
BN and back removes leading zeroes, use OPENSSL_hexstr2buf() instead.
RT#4554
Reviewed-by: Matt Caswell <matt@openssl.org>
If a user specifies -unix, -6, etc., then the program tries to
use the last one specified. This is confusing code and leads to
scripting errors. Instead, allow only one type.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Add copyright to missing assembler files.
Add copyrights to missing test/* files.
Add copyrights
Various source and misc files.
Reviewed-by: Richard Levitte <levitte@openssl.org>
RT2630 -- segfault for int overlow
RT2877 -- check return values in apps/rand
Update CHANGES file for previous "windows rand" changes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The -check argument to dhparam should never identify any problems if we
have just generated the parameters. Add a sanity check for this and print
an error and fail if necessary.
Also updates the documentation for the -check argument, and the DH_check()
function.
RT#4244
Reviewed-by: Richard Levitte <levitte@openssl.org>
When the "req" command is used to generate a new EC key using the -newkey
option it will incorrectly display:
Generating a 2048 bit EC private key
This commit fixes the message to not display the bit length for EC keys
because we don't currently support getting that during generation.
GitHub Issue #1068
Reviewed-by: Richard Levitte <levitte@openssl.org>
When an unrecognized algorithm is given on command line together with
-async_jobs, speed_main will jump to clean-up and run
ASYNC_cleanup_thread without calling ASYNC_init_thread first.
Example:
openssl speed -async_jobs 4 ras2048
Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1084)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
When closing down the socket in s_client Windows will close it immediately
even if there is data in the write buffer still waiting to be sent. This
was causing tests to fail in Msys/Mingw builds because TLSProxy doesn't see
the final CloseNotify.
I have experimented with various ways of doing this "properly" (e.g.
shutting down the socket before closing, setting SO_LINGER etc). I can't
seem to find the "magic" formula that will make Windows do this. Inserting
a short 50ms sleep seems to do the trick...but its not very "nice" so I've
inserted a TODO on this item. Perhaps someone else will have better luck
in figuring this out.
RT#4255
Reviewed-by: Richard Levitte <levitte@openssl.org>
On Windows we were using the function _kbhit() to determine whether there
was input waiting in stdin for us to read. Actually all this does is work
out whether there is a keyboard press event waiting to be processed in the
input buffer. This only seems to work in a standard Windows console (not
Msys console) and also doesn't work if you redirect the input from some
other source (as we do in TLSProxy tests). This commit changes things to
work differently depending on whether we are on the Windows console or not.
RT#4255
Reviewed-by: Richard Levitte <levitte@openssl.org>
In s_server we call BIO_sock_should_retry() to determine the state of the
socket and work out whether we should retry an operation on it or not.
However if you leave it too long to call this then other operations may
have occurred in the meantime which affect the result. Therefore we should
call it early and remember the result for when we need to use it. This fixes
a test problem on Windows.
Another issue with s_server on Windows is that some of output to stdout does
not get displayed immediately. Apparently more liberal use of BIO_flush is
required.
RT#4255
Reviewed-by: Richard Levitte <levitte@openssl.org>
Especially on Windows, the .pl suffix is associated with the perl
interpreter, and therefore make those scripts usable as commands of
their own. On VMS, it simply looks better.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Add new function PEM_write_bio_PrivateKey_traditional() to enforce the
use of legacy "traditional" private key format. Add -traditional option
to pkcs8 and pkey utilities.
Reviewed-by: Matt Caswell <matt@openssl.org>
tofree pointer is no more used...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1103)
Rename sk_xxx to OPENSSL_sk_xxx and _STACK to OPENSSL_STACK
Rename lh_xxx API to OPENSSL_LH_xxx and LHASH_NODE to OPENSSL_LH_NODE
Make lhash stuff opaque.
Use typedefs for function pointers; makes the code simpler.
Remove CHECKED_xxx macros.
Add documentation; remove old X509-oriented doc.
Add API-compat names for entire old API
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
In the X509 app check that the obtained public key is valid before we
attempt to use it.
Issue reported by Yuan Jochen Kang.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Discard useless static engine_id
Add a const qualifier
Fix some spelling
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Fix -signer option in smime utility to output signer certificates
when verifying.
Add support for format SMIME for -inform and -outform with cms and
smime utilities.
PR#4215
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Multiple digest options to the ocsp utility are allowed: e.g. to use
different digests for different certificate IDs. A digest option without
a following certificate is however illegal.
RT#4215
Reviewed-by: Rich Salz <rsalz@openssl.org>
Issue was introduced in
a0a82324f9
This patch fixes an issue which causes the 'openssl ca' commands to
fail if '-config' is not specified even if it says so otherwise.
Problem is that the default config is not loaded and the conf variable
is NULL which causes an exception.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
The tests was incorrectly repeated multiple times when using the
async_jobs options
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
If the application has limited the size of the async pool using
ASYNC_init_thread() then we could run out of jobs while trying to start a
libssl io operation. However libssl was failing to handle this and treating
it like a fatal error. It should not be fatal...we just need to retry when
there are jobs available again.
Reviewed-by: Richard Levitte <levitte@openssl.org>
list -disabled was checking OPENSSL_NO_SSL/OPENSSL_NO_TLS, which are
not used to disable SSL/TLS respectively.
Building with these macros wrongly show as SSL/TLS disabled, hence
removing this code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
The init_client() function in the apps sets up the client connection. It
may try multiple addresses until it finds one that works. We should clear
the error queue if we eventually get a successful connection because
otherwise we get stale errors hanging around. This can cause problems in
subsequent calls to SSL_get_error(), i.e. non-fatal NBIO events appear as
fatal.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This replaces the old SKIP primes with the most current Diffie-Hellman
MODP groups defined by RFC 7296 and RFC 3526.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from GitHub https://github.com/openssl/openssl/pull/775)
The srp application created an uninitialised DB_ATTR object and then
passed it to the load_index function which attempted to read it. A
DB_ATTR object only contains a single field called "unique_subject".
AFAICT this attribute is unused in the SRP case, and therefore it would be
better to pass a NULL DB_ATTR to load_index (which handles that case
gracefully).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Building with -DCHARSET_EBCDIC and using --strict-warnings resulted in
lots of miscellaneous errors. This fixes it.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Passing the -stdin arg to the passwd command line app *and* supply a
password on the command line causes a seg fault.
Reviewed-by: Richard Levitte <levitte@openssl.org>
It was added as part of 2df84dd329
but has never actually been used for anything; presumably it was
a typo for one of SCTP or CT.
This removes the last '??' entry from INSTALL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Commit d064e6ab52 removed all the
OPENSSL_NO_SHA guards, but commit
a50ad1daaa regenerated some due to the
sha entries in the %md_disabler table in apps/progs.pl.
Update %md_disabler to reflect that sha is not disableable, and
remove OPENSSL_NO_SHA for good.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
