Commit Graph

2686 Commits

Author SHA1 Message Date
Richard Levitte
4881d849da Make sure that a cert with extensions gets version number 2 (v3)
Fixes #4419

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4420)
2017-09-26 10:47:43 +02:00
Dr. Stephen Henson
4708afcb0a Remove dhparam from SSL_CONF list.
Avoid duplicate assertion by removing dhparam from SSL_CONF parameter list:
dhparam is handled manually by s_server.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4408)
2017-09-23 13:37:21 +01:00
Pichulin Dmitrii
75c445e49b Fix 'key' option in s_server can be in ENGINE keyform
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4405)
2017-09-23 12:59:46 +01:00
Benjamin Kaduk
51ac82702d Reenable s_server -dhparam option
This option was lost when converting to a table-driven option parser
in commit 7e1b748570.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4398)
2017-09-21 07:44:24 -05:00
Benjamin Kaduk
eff1752b66 Fix typo in comment
The peek result is now called 'err', not just 'e'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4362)
2017-09-13 14:42:51 -05:00
Paul Yang
2aee35d37d Support key check in EVP interface
A new method is added to EVP_PKEY_METH as:

    int (*check) (EVP_PKEY_CTX *ctx);

and to EVP_PKEY_ASN1_METHOD as:

    int (*pkey_check) (EVP_PKEY_CTX *ctx);

This is used to check the validity of a specific key.

The order of calls is:
EVP_PKEY_check -> pmeth.check -> ameth.pkey_check.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4337)
2017-09-13 20:38:14 +02:00
Richard Levitte
fb43ddceda Add a recursive option to 'openssl storeutl'
Simply put, any NAME type OSS_STORE_INTO is a new object that can be
looked into, and potentially lead to a whole tree of data to dive
into.  The recursive option allows someone to view the whole tree and
its data in one go.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4336)
2017-09-12 11:38:16 +02:00
Matt Caswell
bac6abe18d Allow an endpoint to read the alert data before closing the socket
If an alert gets sent and then we close the connection immediately with
data still in the input buffer then a TCP-RST gets sent. Some OSs
immediately abandon data in their input buffer if a TCP-RST is received -
meaning the alert data itself gets ditched. Sending a TCP-FIN before the
TCP-RST seems to avoid this.

This was causing test failures in MSYS2 builds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4333)
2017-09-08 13:10:57 +01:00
Pauli
4cff10dcbf struct timeval include guards
Move struct timeval includes into e_os.h (where the Windows ones were).
Enaure that the include is guarded canonically.

Refer #4271

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4312)
2017-09-01 09:55:43 +10:00
Matt Caswell
0ef2802165 Various review fixes for PSK early_data support
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)
2017-08-31 15:03:35 +01:00
Matt Caswell
dd5b98c55a Show the error stack if there was an error writing early data in s_client
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)
2017-08-31 15:02:58 +01:00
Matt Caswell
c5de99a2d9 If no SNI has been explicitly set use the one from the session
If we have not decided on an SNI value yet, but we are attempting to reuse
a session, and SNI is set in that, then we should use that value by
default.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)
2017-08-31 15:02:58 +01:00
Matt Caswell
add8d0e9e0 Enable the ability to use an external PSK for sending early_data
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)
2017-08-31 15:02:22 +01:00
Pauli
198c42f5af Move OPENSSL_CONF from e_os.h to cryptlib.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
2017-08-30 07:20:44 +10:00
Pauli
07016a8a31 Move e_os.h to be the very first include.
cryptilib.h is the second.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
2017-08-30 07:20:44 +10:00
Pauli
9590da2cd6 Remove the X_OK define, it is unused.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
2017-08-30 07:20:44 +10:00
Pauli
677963e5a4 e_os.h removal from other headers and source files.
Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and
ssl/ssl_locl.h).

Added e_os.h into the files that need it now.

Directly reference internal/nelem.h when required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)
2017-08-30 07:20:43 +10:00
Richard Levitte
b379fe6cd0 NO_SYS_TYPES_H isn't defined anywhere, stop using it as a guard
This is a vestige from pre-1.1.0 OpenSSL

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4256)
2017-08-25 15:50:59 +02:00
Matt Caswell
1b3011abb3 Ensure we exchange cookies in s_server even if SCTP is disabled
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4243)
2017-08-25 10:50:56 +01:00
Richard Levitte
0f3ffbd158 apps/passwd.c: Make MD5 and SHA password making EBCDIC aware
This mimics the behaviour of DES_crypt, where the salt and password
are expected to be in EBCDIC when CHARSET_EBCDIC is defined, and are
converted internally to ASCII.  This is also done with the magic ID
string if it's not already ASCII.  The resulting output is entirely
built up of ASCII components and is converted back to EBCDIC at the
end.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4229)
2017-08-24 23:46:44 +02:00
Richard Levitte
17621bc2bc apps/passwd.c: Fix code layout
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4229)
2017-08-24 23:46:44 +02:00
Richard Levitte
16583e9179 apps/passwd.c: Don't disable MD5 and SHA when CHARSET_EBCDIC is defined
Fixes #4130

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4229)
2017-08-24 23:46:44 +02:00
Rich Salz
0e97f1e1a7 (Re)move some things from e_os.h
Remove GETPID_IS_MEANINGLESS and osslargused.

Move socket-related things to new file internal/sockets.h; this is now
only needed by four(!!!) files.  Compiles should be a bit faster.
Remove USE_SOCKETS ifdef's

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4209)
2017-08-22 14:15:40 -04:00
Paul Yang
94e1f8ab5a Remove useless macros in apps/speed.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4221)
2017-08-22 13:22:16 -04:00
Rich Salz
ffb46830e2 Add random serial# support.
Add -rand_serial to CA command and "serial_rand" config option.

Up RAND_BITS to 159, and comment why: now confirms to CABForum
guidelines (Ballot 164) as well as IETF RFC 5280 (PKIX).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4185)
2017-08-22 09:00:04 -04:00
Pauli
9c481c2fdc Dead code elimination.
Remove the exit_main function which is never used.
Remove the exit_options array which is also unreferenced.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4213)
2017-08-22 10:46:19 +10:00
Pauli
00dfbaad88 Fix ctype arguments.
Cast arguments to the various ctype functions to unsigned char to match their
documentation.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4203)
2017-08-22 07:35:08 +10:00
Rich Salz
0d68367a12 Safely display SNI (just in case)
Thanks to Hubert Kario for pointing this out.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4193)
2017-08-21 15:28:56 -04:00
Rich Salz
c27363f566 Check # of arguments for remaining commands.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4201)
2017-08-21 10:58:49 -04:00
Richard Levitte
72460149db Fix ui_write in apps/apps.c
It used the default UI reader as fallback instead of the UI writer.

Fixes #4147
Fixes #4195

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4198)
2017-08-19 21:56:43 +02:00
Balaji Marisetti
326eaa941e Addressed build failure because of missing #ifdef AF_UNIX guard
CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4067)
2017-08-18 14:43:15 +01:00
Pauli
296cbb5777 Determine the number of output columns for the list and help commands using
the command names rather than hard coding it (conditionally).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4162)
2017-08-17 07:52:38 +10:00
Rich Salz
b35ef02628 Print pathnames for 'version -r'
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4168)
2017-08-15 16:45:32 -04:00
Rich Salz
12997aa984 Revert "Add some casts for %j"
This reverts commit c4d2e483a3.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4160)
2017-08-15 09:42:38 -04:00
Rich Salz
c4d2e483a3 Add some casts for %j
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4160)
2017-08-14 19:59:54 -04:00
Rich Salz
e75138abea Doc fixes
Write missing prime.pod and srp.pod
Implement -c in find-doc-nits (for command options)
Other fixes to some manpages
Use B<-I<digest|cipher>> notation
Split up multiple flags into a single entry in the synopsis.
Add -1 and missing-help to list command.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4144)
2017-08-14 09:32:07 -04:00
Johannes Bauer
bbe9c3d51a Clarify CLI OCSP documentation
This fixes issue #3043, which ultimately was reported because
documentation was not clear on the meaning of the "-ignore_err" option.
Update both command line documentation and add this option to manpage.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4143)
2017-08-11 19:00:21 -04:00
FdaSilvaYY
44e6995155 Fix some Typos and indents
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4108)
2017-08-11 10:16:33 -04:00
Xiaoyin Liu
1a9f5cf0d5 Add missing HTML tag in www_body in s_server.c
In the generated HTML document, the `<pre>` tag is not closed. This patch also has a trivial code-style improvement, unrelated to the bug fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4088)
2017-08-09 11:30:55 -04:00
Johannes Bauer
402f26e6ee Fix building without scrypt
Building without the scrypt KDF is now possible, the OPENSSL_NO_SCRYPT
define is honored in code. Previous this lead to undefined references.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4116)
2017-08-08 20:50:44 +01:00
Rich Salz
ae3947de09 Add a DRBG to each SSL object
Give each SSL object it's own DRBG, chained to the parent global
DRBG which is used only as a source of randomness into the per-SSL
DRBG.  This is used for all session, ticket, and pre-master secret keys.
It is NOT used for ECDH key generation which use only the global
DRBG. (Doing that without changing the API is tricky, if not impossible.)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4050)
2017-08-03 10:24:03 -04:00
Rich Salz
75e2c87765 Switch from ossl_rand to DRBG rand
If RAND_add wraps around, XOR with existing. Add test to drbgtest that
does the wrap-around.

Re-order seeding and stop after first success.

Add RAND_poll_ex()

Use the DF and therefore lower RANDOMNESS_NEEDED.  Also, for child DRBG's,
mix in the address as the personalization bits.

Centralize the entropy callbacks, from drbg_lib to rand_lib.
(Conceptually, entropy is part of the enclosing application.)
Thanks to Dr. Matthias St Pierre for the suggestion.

Various code cleanups:
    -Make state an enum; inline RANDerr calls.
    -Add RAND_POLL_RETRIES (thanks Pauli for the idea)
    -Remove most RAND_seed calls from rest of library
    -Rename DRBG_CTX to RAND_DRBG, etc.
    -Move some code from drbg_lib to drbg_rand; drbg_lib is now only the
     implementation of NIST DRBG.
    -Remove blocklength

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4019)
2017-08-03 09:23:28 -04:00
Dr. Stephen Henson
b15d5ab617 Allow use of long name for KDFs
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4079)
2017-08-03 02:18:44 +01:00
Paul Yang
c290853878 Add '-ext' option to display extensions in 'x509'
This is to address issue #3932. Support comma-separated string
to specify what extensions to be displayed.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4016)

Remove redundant variable

[to be squashed]
2017-08-01 10:24:51 +02:00
Xiaoyin Liu
5bd051a0dc app_isdir() cleanup
I think it's better to use `GetFileAttributes` to obtain the attributes
of a file than `FindFirstFile`. If the input name contains `*`, this
function should return failure rather than check whether the first match
happens to be a file or a directory.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/3991)
2017-07-31 12:48:28 +02:00
Dr. Stephen Henson
e1631f5108 Add list -public-key-methods
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4015)
2017-07-29 23:04:10 +01:00
Paul Yang
03883e7e16 Fix rsa -check option
original problem: if a private key is invaild, nothing outputted.

the error filter in apps/rsa.c is not working any more.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4043)
2017-07-29 00:24:27 +08:00
Hubert Kario
75f163d335 handle scrypt PBKDF in PKCS#12 files info
Print the parameters for scrypt PBKDF when used in PKCS#12 files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1334)
2017-07-26 15:04:54 -04:00
Hubert Kario
7eb370ee15 nicer formatting for MAC info
The info printing for PBES2 already uses space after type and commas to
separate items in the line so use the same format for MAC info too.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1334)
2017-07-26 15:04:54 -04:00
Hubert Kario
11a25d3454 more info about PKCS#12 structure MAC
report additional information about the MAC used over the
PKCS#12 structure: size of mac and salt as well as the
hash algorithm used for creating it

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1334)
2017-07-26 15:04:54 -04:00