Commit Graph

2612 Commits

Author SHA1 Message Date
FdaSilvaYY
28e5ea88a8 Add a 'max_send_frag' option to configure maximum size of send fragments
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3141)
2017-04-28 15:49:36 +02:00
Todd Short
9ff2cebf29 Fix s_client when no-dtls
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3344)
2017-04-28 15:42:41 +02:00
Rich Salz
f2150cd74f Remove (broken) diagnostic print
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3336)
2017-04-27 11:38:17 -04:00
Matt Caswell
11ba87f2ff Ensure s_client sends an SNI extension by default
Enforcement of an SNI extension in the initial ClientHello is becoming
increasingly common (e.g. see GitHub issue #2580). This commit changes
s_client so that it adds SNI be default, unless explicitly told not to via
the new "-noservername" option.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2614)
2017-04-27 11:43:55 +01:00
Dmitry Belyavskiy
b5c4209be9 Switch command-line utils to new nameopt API.
The CA names should be printed according to user's decision
print_name instead of set of BIO_printf
dump_cert_text instead of set of BIO_printf
Testing cyrillic output of X509_CRL_print_ex
Write and use X509_CRL_print_ex
Reduce usage of X509_NAME_online
Using X509_REQ_print_ex instead of X509_REQ_print
Fix nameopt processing.
Make dump_cert_text nameopt-friendly
Move nameopt getter/setter to apps/apps.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3262)
2017-04-25 12:37:17 -04:00
Richard Levitte
d88ab353d3 Correct some badly formated preprocessor lines
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3304)
2017-04-25 15:44:48 +02:00
Richard Levitte
a5eef31e25 Add guards around one of use of IPPROTO_SCTP where it was missing
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3304)
2017-04-25 15:44:48 +02:00
Bernard Spil
65d62488b8 openssl enc: Don't unbuffer stdin
- unbuffer causes single-byte reads from stdin and poor performance

Fixes #3281
CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3299)
2017-04-25 15:03:11 +02:00
Matt Caswell
c90da922dd Fix some variable references in init_client
We were incorrectly using "res" when we meant "ai"

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3286)
2017-04-25 11:13:39 +01:00
Matt Caswell
c4666bfa13 Ask libssl if we should retry not the socket
s_server was asking the underlying socket if it is a retryable error rather
than libssl which has more information.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3286)
2017-04-25 11:13:39 +01:00
Matt Caswell
8ccc237720 Add a -sctp option to s_client
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3286)
2017-04-25 11:13:39 +01:00
Matt Caswell
72d0bc84de Add a -sctp option to s_server
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3286)
2017-04-25 11:13:39 +01:00
Todd Short
3bb0f989b5 OCSP Updates: error codes and multiple certificates
RT3877: Add X509 OCSP error codes and messages
Add additional OCSP error codes for X509 verify usage

RT3867: Support Multiple CA certs in ocsp app
Add the ability to read multiple CA certs from a single file in the
ocsp app.

Update some missing X509 errors in documentation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/941)
2017-04-12 14:41:10 -04:00
Rich Salz
076fc55527 Make default_method mostly compile-time
Document thread-safety issues
Have RSA_null return NULL (always fails)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2244)
2017-04-07 12:19:46 -04:00
Dr. Stephen Henson
5969a2dd2c Print CA names in s_server, add -requestCAfile to s_client
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
2017-04-03 23:47:22 +01:00
Dr. Stephen Henson
d2add501f0 Add requestCAfile option
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
2017-04-03 23:47:21 +01:00
Dr. Stephen Henson
3578020bb1 Add extensions to debug list
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
2017-04-03 23:47:21 +01:00
Matt Caswell
18d20b5eb6 Ensure dhparams can handle X9.42 params in DER
dhparams correctly handles X9.42 params in PEM format. However it failed
to correctly processes them when reading/writing DER format.

Fixes #3102

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3111)
2017-04-03 20:04:06 +01:00
Andy Polyakov
7d672984f4 apps/*.c: switch to platform-neutral format modifiers in BIO_print calls.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3083)
2017-03-30 19:34:18 +02:00
Matt Caswell
12557a3445 Fix s_client early data indicator
s_client was always saying that early_data was rejected even when it was
accepted. This was because it was using the wrong test to detect the end
of the handshake. It was using SSL_in_init() which only tells you whether
it is currently processing/sending/expecting handshake messages. It should
use SSL_is_init_finished() which tells you that no handshake messages are
being processed/sent/expected AND we have completed the handshake. In the
early data case we are not processing/sending handshake messages and we
are expecting early data (not a handshake message) - but the handshake has
not yet completed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3090)
2017-03-30 16:16:38 +01:00
FdaSilvaYY
69687aa829 More typo fixes
Fix some comments too
[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3069)
2017-03-29 07:14:29 +02:00
Andy Polyakov
a4c74e88e4 apps/passwd.c: 32 bits are sufficient to hold ROUNDS_MAX.
Even though C standard defines 'z' modifier, recent mingw compilers break
the contract by defining __STDC_VERSION__ with non-compliant MSVCRT.DLL.
In other words we can't use %zu with mingw, but insteadl of cooking

Reviewed-by: Tim Hudson <tjh@openssl.org>
2017-03-27 21:09:06 +02:00
Matt Caswell
9998b32cb6 Fix no-dtls builds
Commits f2ff1432f in master and 14d4d7eda in 1.1.0 broke the no-dtls build
by moving the position of a "#endif" for OPENSSL_NO_DTLS in a change
which is otherwise unrelated to DTLS. This puts it back to where it was.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2974)
2017-03-17 12:32:59 +00:00
Todd Short
07518cfb38 Add TLSv1.3 draft-19 messages to trace
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2970)
2017-03-16 13:16:51 -04:00
FdaSilvaYY
f2ff1432fc Simplify code around next_proto.len by changing 'len' data type.
clean an useless static qualifier and a dead comment.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2278)
2017-03-16 11:43:39 +01:00
Benjamin Kaduk
96a5d7fdba Fix a -Wsign-compare warning
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2940)
2017-03-14 11:44:34 -05:00
Todd Short
f282e954ec Add HelloRetryRequest text to s_client/s_server
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2900)
2017-03-10 12:01:08 -05:00
Pauli
2b305ab02e Make the output of enc -ciphers identical even if run several times in a session.
This amounts to moving the column counter so it isn't a function local static variable and reinitialising it each time.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2884)
2017-03-09 09:34:42 -05:00
Todd Short
b35fb005bd Add some TLS13 values to s_client/s_server
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2882)
2017-03-08 13:49:44 -05:00
Pauli
777f1708a8 Limit the output of the enc -ciphers command to just the ciphers enc can
process.  This means no AEAD ciphers and no XTS mode.

Update the test script that uses this output to test cipher suites to not
filter out the now missing cipher modes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2876)
2017-03-08 10:01:28 -05:00
Pauli
bf580d5f30 Increase the password buffer size to APP_PASS_LEN.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2868)
2017-03-07 10:12:05 +10:00
Matt Caswell
593a2aa3eb Fix no-psk
Fixes #2847

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2856)
2017-03-06 09:52:21 +00:00
Andy Polyakov
8b0d424240 apps/s_client.c: harden ldap_ExtendedResponse_parse.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2017-03-04 23:16:17 +01:00
edelangh
dbaa069a5e use OSSLzu instead of lu format for size_t display
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2660)
2017-03-03 08:04:47 -05:00
Matt Caswell
30d1bab146 Silence some clang warnings
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2831)
2017-03-02 23:56:36 +00:00
Matt Caswell
0665b4edae Rename SSL_write_early() to SSL_write_early_data()
This is for consistency with the rest of the API where all the functions
are called *early_data*.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:16 +00:00
Matt Caswell
f533fbd44a Rename SSL_read_early() to SSL_read_early_data()
This is for consistency with the rest of the API where all the functions
are called *early_data*.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:16 +00:00
Matt Caswell
ade1e88806 Updates to s_server and s_client for the latest early_data API changes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:16 +00:00
Matt Caswell
0a5ece5bd2 Tighten sanity checks when calling early data functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:16 +00:00
Matt Caswell
6746648c42 Ensure the max_early_data option to s_server can be 0
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:15 +00:00
Matt Caswell
576eb3958c Get s_client to report on whether early data was accepted or not
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:15 +00:00
Matt Caswell
e0655186f9 Add a "-early_data" option to s_server
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:15 +00:00
Matt Caswell
923ac8271b Add an option to s_client to send early_data
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:15 +00:00
Matt Caswell
048b189336 Add a -max_early_data option to s_server
Allows you to set the number of bytes that can be sent as early data

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:14 +00:00
Robert Scheck
398b0bbdf7 Add LDAP support (RFC 4511) to s_client ("-starttls ldap")
Based on initial patch by Alex Bergmann <alex@linlab.net> and new function
ldap_ExtendedResponse_parse() by Andy Polyakov <appro@openssl.org>. Thanks
very much to both.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2293)
2017-03-02 16:33:22 +01:00
Bernd Edlinger
f8aa15728b Check that async_jobs is not negative and not too high.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2693)
2017-03-01 12:19:46 -05:00
Rich Salz
a2b22cd6a8 Remove GENCB_TEST compile flag
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2790)
2017-02-28 12:59:22 -05:00
Matt Caswell
9fa36f5f4b Remove some commented out code in the apps
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2774)
2017-02-28 16:02:11 +00:00
Richard Levitte
e627a13cd5 Code health: Remove obvious VAX C fixups
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2775)
2017-02-28 15:32:01 +01:00
Emilia Kasper
b53338cbf8 Clean up references to FIPS
This removes the fips configure option. This option is broken as the
required FIPS code is not available.

FIPS_mode() and FIPS_mode_set() are retained for compatibility, but
FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to
turn FIPS mode off.

Reviewed-by: Stephen Henson <steve@openssl.org>
2017-02-28 15:26:25 +01:00
Emilia Kasper
e546e2cc8c Remove debugging leftovers in apps/opt.c
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-28 15:23:40 +01:00
Dr. Stephen Henson
d86f2f26c8 Remove ancient demoCA directory
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2760)
2017-02-28 10:50:32 +00:00
Dr. Stephen Henson
395f7c4217 Print signature type to out, not bio_err
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2747)
2017-02-26 18:26:08 +00:00
Richard Levitte
46958a043d Check for the presence of _WIN32 rather than its value.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2727)
2017-02-23 14:41:20 +01:00
Richard Levitte
2ac915f162 In apps/rehash.c, decorate the inclusion of internal/o_dir.h for VMS
The library files are built with symbol names as is, while the
application is built with the default uppercase-all-symbols mode.
That's fine for public APIs, because we have __DECC_INCLUDE_PROLOGUE.H
and __DECC_INCLUDE_EPILOGUE.H automatically telling the compiler how
to treat the public header files.  However, we don't have the same
setup for internal library APIs, since they are usually only used by
the libraries.

Because apps/rehash.c uses a library internal header file, we have to
surround that inclusion with the same kind of pragmas found in
__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, or we get
unresolved symbols when building no-shared.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2725)
2017-02-23 13:45:00 +01:00
Richard Levitte
39aceac320 On VMS, massage the fetch file names to remove the generation number
The generation number is ';nnn' at the end of the file name fetched
with readdir().  Because rehash checks for specific extensions and
doesn't expect an additional generation number, the easiest is to
massage the received file name early by simply removing the generation
number.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2717)
2017-02-23 02:19:55 +01:00
Richard Levitte
341de5f199 Let the output from 'openssl enc -ciphers' go to stdout
Also, don't exit with an error code

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2716)
2017-02-23 00:11:18 +01:00
Richard Levitte
5c80e2af3a Make "openssl rehash" work on VMS 8.3 and up
A spelling error prevented it from building correctly.
Furthermore, we need to be more careful when to add a / at the end
of the dirname and when not.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2706)
2017-02-22 18:36:32 +01:00
Rob Percival
65b3dff76b apps/req.c: flag "-new" is implied by "-precert"
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
2017-02-22 10:40:30 -05:00
Rob Percival
505fb99964 Change CA.pl flag from --newprecert to --precert
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
2017-02-22 10:40:30 -05:00
Rob Percival
b6486bf749 Adds a "-precert" flag to "openssl req" for creating pre-certificates
This makes it a little easier to create a pre-certificate.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
2017-02-22 10:40:30 -05:00
Bernd Edlinger
0fbaef9e64 Fix some more memory leaks with TXT_DB_insert.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2684)
2017-02-21 14:13:58 -05:00
Bernd Edlinger
9ad52c562a Fix a few memleaks in TXT_DB.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2684)
2017-02-21 14:13:58 -05:00
Dmitry Belyavskiy
a7c04f2b54 Provided support for the -nameopt flag in s_client, s_server and s_time
commands.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2695)
2017-02-21 13:50:00 -05:00
Pauli
d42d0a4dc7 Implementation of the ARIA cipher as described in RFC 5794.
This implementation is written in endian agnostic C code. No attempt
at providing machine specific assembly code has been made. This
implementation expands the evptests by including the test cases from
RFC 5794 and ARIA official site rather than providing an individual
test case. Support for ARIA has been integrated into the command line
applications, but not TLS. Implemented modes are CBC, CFB1, CFB8,
CFB128, CTR, ECB and OFB128.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2337)
2017-02-21 11:51:45 +01:00
Dmitry Belyavskiy
ad39b31c1c Added '-nameopt' option to the verify command.
It makes possible to print the certificate's DN correctly in case of verification errors.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2656)
2017-02-20 19:35:14 -05:00
Matt Caswell
f14afcaa42 Updates following review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)
2017-02-17 10:28:01 +00:00
Matt Caswell
b07b2a1b44 Add the ability for s_client to send a KeyUpdate message
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)
2017-02-17 10:28:00 +00:00
Matt Caswell
34df45b531 Add a capability to s_server to send KeyUpdate messages
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)
2017-02-17 10:28:00 +00:00
lrns
0cb8c9d85e Change req_check_len error message, it also accepts 20 bytes, but states 'less than' in the error message
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2648)
2017-02-16 09:18:11 -05:00
Robert Scheck
af7e05c7c6 Handle negative reply for NNTP STARTTLS in s_client
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2629)
2017-02-15 20:28:44 -05:00
Robert Scheck
20967afb7f Add Sieve support (RFC 5804) to s_client ("-starttls sieve")
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2300)
2017-02-14 14:15:28 -05:00
Dr. Stephen Henson
52f4840cb2 Make -xcert work again.
When a certificate is prepended update the list pointer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2628)
2017-02-14 17:46:47 +00:00
Yuchi
e0670973d5 mem leak on error path and error propagation fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)
2017-02-14 10:19:50 +00:00
Cristian Stoica
222c3da35c speed.c: simplify aggregation of ecdh --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
c8bff7ad50 speed.c: simplify aggregation of ecdsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
0d4de7563c speed.c: simplify aggregation of dsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
8ac2d1abb3 speed.c: simplify aggregation of rsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Peter Wu
6d047e06e6 SSL_get_shared_sigalgs: handle negative idx parameter
When idx is negative (as is the case with do_print_sigalgs in
apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read).
Even if the pointer is not dereferenced, this is undefined behavior.

Change the user not to use "-1" as index since the function is
documented to return 0 on out-of-range values.

Tested with `openssl s_server` and `curl -k https://localhost:4433`.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2349)
2017-02-09 09:48:46 +00:00
Peter Wu
4bf73e9f86 apps: Add support for writing a keylog file
The server and client demos (s_client and s_server) are extended with a
-keylogfile option. This is similar as setting the SSLKEYLOGFILE
environment variable for NSS and creates a keylog file which is suitable
for Wireshark.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2343)
2017-02-07 19:20:56 +01:00
Pauli
a19a6c8179 Remove unused variable
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2566)
2017-02-07 10:25:51 -05:00
Rich Salz
be4c82aa76 Fix parsing of serial# in req
Reported by Jakub Wilk.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2556)
2017-02-06 09:48:21 -05:00
Robert Scheck
8f85aa6bd3 Add NNTP support (RFC 4642) to s_client ("-starttls nntp")
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2310)
2017-02-03 09:49:54 -05:00
Dr. Stephen Henson
91410d40cb fix style issues
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:18 +00:00
Dr. Stephen Henson
42ef7aead2 Add SSL_get_peer_signature_type_nid() function.
Add function to retrieve signature type: in the case of RSA
keys the signature type can be EVP_PKEY_RSA or EVP_PKEY_RSA_PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 13:00:16 +00:00
Dr. Stephen Henson
b2eb699874 More complete PSS support.
Extend support for PSS key signatures by using the EVP_PKEY_RSA_PSS type
to distinguish them from PKCS1 signature types.

Allow setting of PSS signature algorithms using the string "PSS" or
"RSA-PSS".

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)
2017-01-30 12:59:28 +00:00
Matt Caswell
1f5b44e943 Miscellaneous style tweaks based on feedback received
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:23 +00:00
Matt Caswell
be62b22b52 Update the s_client -sess_out feature to work for TLSv1.3
Previously "-sess_out" wrote out the session as soon as the handshake
finished. In TLSv1.3 this won't work because the NewSessionTicket message
arrives post-handshake. Instead we use the session callback mechanism to
do this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:17:52 +00:00
FdaSilvaYY
0fe2a0af89 Fix a few double ;
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)
2017-01-25 09:06:34 +00:00
FdaSilvaYY
07a38fd2bf Fix some style and indent issue
simplify some code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)
2017-01-25 09:06:34 +00:00
FdaSilvaYY
28b86f313b Fix some extra or missing whitespaces...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)
2017-01-25 09:06:34 +00:00
Richard Levitte
ec2a0e6065 s_client: Better response success check for CONNECT
Instead of looking for "200" and "established" (and failing all other
2xx responses or "Established"), let's look for a line that's not a
header (i.e. doesn't contain a ':') and where the first space is
followed by a '2'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1664)
2017-01-25 00:40:17 +01:00
Todd Short
9d6fcd4295 Cleanup EVP_CIPH/EP_CTRL duplicate defines
Remove duplicate defines from EVP source files.
Most of them were in evp.h, which is always included.
Add new ones evp_int.h
EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is now always defined in evp.h, so
remove conditionals on it

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2201)
2017-01-24 18:47:10 +01:00
FdaSilvaYY
0db1fb3fc1 Fix use before assignment
it was getting the SerialNumber of a previous cert.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2272)
2017-01-23 14:29:33 +00:00
Gaétan Njinang
037f2c3f48 'openssl passwd' command can now compute AIX MD5-based passwords hashes.
The difference between the AIX MD5 password algorithm and the standard MD5
password algorithm is that in AIX there is no magic string while in the
standard MD5 password algorithm the magic string is "$1$"

Documentation of '-aixmd5' option of 'openssl passwd' command is added.

1 test is added in test/recipes/20-test-passwd.t

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2251)
2017-01-21 10:44:23 -05:00
EasySec
487d3a726a Fix list -disabled for blake2 alg
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2241)
2017-01-17 17:21:55 +01:00
Richard Levitte
264b2d9251 Enable apps to get a UI_METHOD for the default prompter
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)
2017-01-11 18:27:27 +01:00
Dr. Stephen Henson
0396a447f2 print errors in pkey utility
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2177)
2017-01-08 01:42:50 +00:00
Richard Levitte
57c0f378b8 Make sure that password_callback exercises UI
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2040)
2016-12-08 10:26:04 +01:00
Matt Caswell
6530c4909f Fix some style issues with TLSv1.3 state machine PR
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:38:32 +00:00