Otherwise, any command that relies on ssl modules may fail, because
SSL_add_ssl_module() will be called after the config file has already
been loaded.
Fixes#4788
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4792)
The Chinese cryptographic operations should appear in the disabled list if they
are disabled.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4678)
Since return is inconsistent, I removed unnecessary parentheses and
unified them.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)
Remove GETPID_IS_MEANINGLESS and osslargused.
Move socket-related things to new file internal/sockets.h; this is now
only needed by four(!!!) files. Compiles should be a bit faster.
Remove USE_SOCKETS ifdef's
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4209)
Remove the exit_main function which is never used.
Remove the exit_options array which is also unreferenced.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4213)
Write missing prime.pod and srp.pod
Implement -c in find-doc-nits (for command options)
Other fixes to some manpages
Use B<-I<digest|cipher>> notation
Split up multiple flags into a single entry in the synopsis.
Add -1 and missing-help to list command.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4144)
Standardized the -rand flag and added a new one:
-rand file...
Always reads the specified files
-writerand file
Always writes to the file on exit
For apps that use a config file, the RANDFILE config parameter reads
the file at startup (to seed the RNG) and write to it on exit if
the -writerand flag isn't used.
Ensured that every app that took -rand also took -writerand, and
made sure all of that agreed with all the documentation.
Fix error reporting in write_file and -rand
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3862)
Instead, make it possible to disable the console reader that's part of
the UI module. This makes it possible to use the UI API and other UI
methods in environments where the console reader isn't useful.
To disable the console reader, configure with 'no-ui-console' /
'disable-ui-console'.
'no-ui' / 'disable-ui' is now an alias for 'no-ui-console' /
'disable-ui-console'.
Fixes#3806
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3820)
Mostly braces and NULL pointer check and also copyright year bump
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3657)
This removes the fips configure option. This option is broken as the
required FIPS code is not available.
FIPS_mode() and FIPS_mode_set() are retained for compatibility, but
FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to
turn FIPS mode off.
Reviewed-by: Stephen Henson <steve@openssl.org>
This implementation is written in endian agnostic C code. No attempt
at providing machine specific assembly code has been made. This
implementation expands the evptests by including the test cases from
RFC 5794 and ARIA official site rather than providing an individual
test case. Support for ARIA has been integrated into the command line
applications, but not TLS. Implemented modes are CBC, CFB1, CFB8,
CFB128, CTR, ECB and OFB128.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2337)
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1694)
Windows never composes UTF-8 strings as result of user interaction
such as passing command-line argument. The only way to compose one
is programmatic conversion from WCHAR string, which in turn can be
picked up on command line.
[For reference, why not wmain, it's not an option on MinGW.]
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rename sk_xxx to OPENSSL_sk_xxx and _STACK to OPENSSL_STACK
Rename lh_xxx API to OPENSSL_LH_xxx and LHASH_NODE to OPENSSL_LH_NODE
Make lhash stuff opaque.
Use typedefs for function pointers; makes the code simpler.
Remove CHECKED_xxx macros.
Add documentation; remove old X509-oriented doc.
Add API-compat names for entire old API
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
list -disabled was checking OPENSSL_NO_SSL/OPENSSL_NO_TLS, which are
not used to disable SSL/TLS respectively.
Building with these macros wrongly show as SSL/TLS disabled, hence
removing this code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
It was added as part of 2df84dd329
but has never actually been used for anything; presumably it was
a typo for one of SCTP or CT.
This removes the last '??' entry from INSTALL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reverts commit 087ca80ad8
Instead of battling the odd format of argv given to main() in default
P64 mode, tell the compiler to make it an array of 64-bit pointers
when compiling in P64 mode.
A note is added in NOTES.VMS regarding minimum DEC C version.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The argument 'argv' in 'main' is a short pointer to a short pointer on
VMS, regardless of initial pointer size. We must therefore make sure
that 'copy_argv' gets a 32-bit pointer for argv, and that the copied
argv is used for the rest of main().
This introduces the local type argv_t, which will have correct pointer
size in all cases (and be harmless on all other platforms) as well as
the macro Argv, which is defined as 'copied_argv' or 'argv', as the
case may be.
Reviewed-by: Andy Polyakov <appro@openssl.org>
All OpenSSL code has now been transferred to use the new threading API,
so the old one is no longer used and can be removed. We provide some compat
macros for removed functions which are all no-ops.
There is now no longer a need to set locking callbacks!!
Reviewed-by: Richard Levitte <levitte@openssl.org>
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.
This addresses RT 3647
Reviewed-by: Richard Levitte <levitte@openssl.org>
The new init functions can fail if the library has already been stopped. We
should be able to indicate failure with a 0 return value.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Make LHASH_OF use static inline functions.
Add new lh_get_down_load and lh_set_down_load functions and their
typesafe inline equivalents.
Make lh_error a function instead of a macro.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
(Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
Reviewed-by: Tim Hudson <tjh@openssl.org>
When using command line applications errors occur when trying to
load engines specified in a config file. Introduced by commit
a0a82324f9
RT#4093
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Loading the config file after processing command line options can
cause problems, e.g. where an engine provides new ciphers/digests
these are not then recoginised on the command line. Move the
default config file loading to before the command line option
processing. Whilst we're doing this we might as well centralise
this instead of doing it individually for each application. Finally
if we do it before the OpenSSL_add_ssl_algorithms() call then
ciphersuites provided by an engine (e.g. GOST) can be available to
the apps.
RT#4085
RT#4086
Reviewed-by: Richard Levitte <levitte@openssl.org>
Have a look at the directories in crypto/, I found reason to add
checks on CMAC and HMAC. This might be completely irrelevant, but I
prefered covering too much than not enough.
Reviewed-by: Stephen Henson <steve@openssl.org>
A grep of OPENSSL_NO_ in the rest of the source tree revealed a few
more features to check.
NOTE: there are some of those macros that I ignore because a check of
them doesn't seem useful to external apps. This might change later on.
Reviewed-by: Stephen Henson <steve@openssl.org>
After a grep of OPENSSL_NO_ in apps/*.c, a few more features that may
be interesting to check the availability of came up.
Reviewed-by: Stephen Henson <steve@openssl.org>
New option "openssl list -disabled" this lists a set of disabled features
in a form which can be conveniently parsed by the test framework so it
knows which tests to skip.
Reviewed-by: Richard Levitte <levitte@openssl.org>
If the output to stdout or the input from stdin is meant to be binary,
it's deeply unsetting to get the occasional LF converted to CRLF or
the other way around. If someone happens to forget to redirect stdin
or stdout, they will get gibberish anyway, line ending conversion will
not change that.
Therefore, let's not have dup_bio_* decide unilaterally what mode the
BIO derived from stdin and stdout, and rather let the app decide by
declaring the intended format.
Reviewed-by: Tim Hudson <tjh@openssl.org>
The different apps had the liberty to decide whether they would open their
input and output files in binary mode or not, which could be confusing if
two different apps were handling the same type of file in different ways.
The solution is to centralise the decision of low level file organisation,
and that the apps would use a selection of formats to state the intent of
the file.
Reviewed-by: Tim Hudson <tjh@openssl.org>
When generating a private key, try to make the output file be readable
only by the owner. Put it in CHANGES file since it might be noticeable.
Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key. Checked via assert so that this
bug (security-related) gets fixed. Thanks to Viktor for help in tracing
the code-paths where private keys are written.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
The module loading feature got broken a while ago, so restore it, but
have it a bit more explicit this time around.
Reviewed-by: Stephen Henson <steve@openssl.org>
Create app_load_config(), a routine to load config file. Remove the
"always load config" from the main app. Change the places that used to
load config to call the new common routine.
Reviewed-by: Richard Levitte <levitte@openssl.org>
For a local variable:
TYPE *p;
Allocations like this are "risky":
p = OPENSSL_malloc(sizeof(TYPE));
if the type of p changes, and the malloc call isn't updated, you
could get memory corruption. Instead do this:
p = OPENSSL_malloc(sizeof(*p));
Also fixed a few memset() calls that I noticed while doing this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
After the finale, the "real" final part. :) Do a recursive grep with
"-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are
an "if NULL" check that can be removed.
Reviewed-by: Tim Hudson <tjh@openssl.org>
No point in proceeding if you're out of memory. So change
*all* OPENSSL_malloc calls in apps to use the new routine which
prints a message and exits.
Reviewed-by: Richard Levitte <levitte@openssl.org>
There's a new "list" command, which takes a flag to say what
to list. Removing the old hacky commands. Re-ordered some
functions to remove some needless declarations.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
Free up bio_err after memory leak data has been printed to it.
In int_free_ex_data if ex_data is NULL there is nothing to free up
so return immediately and don't reallocate it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Rename OPENSSL_SYSNAME_xxx to OPENSSL_SYS_xxx
Remove MS_STATIC; it's a relic from platforms <32 bits.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
