path: root/apps
Commit message | Author | Age | Files | Lines

* apps/pkcs12: Do not assume null termination of ASN1_UTF8STRING
  Tomas Mraz | 2021-08-31 | 1 file | -1/+2
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
  (Merged from https://github.com/openssl/openssl/pull/16433)

* APPS/req: Fix AKID generation in case -CA option is used
  Dr. David von Oheimb | 2021-08-26 | 1 file | -5/+6
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16420)

* APPS/req: Fix misconceptions on -CA, -CAkey, and -key options. -CA now implies -x509
  Dr. David von Oheimb | 2021-08-26 | 1 file | -23/+17
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16420)

* APPS/x509: fix -extfile option, which was ignored with -x509toreq
  Dr. David von Oheimb | 2021-08-26 | 1 file | -8/+13
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16417)

* CMS app: Fix new -wrap option
  Dr. David von Oheimb | 2021-08-25 | 1 file | -1/+1
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/16396)

* Avoid using undefined value in generate_stateless_cookie_callback
  Bernd Edlinger | 2021-08-25 | 1 file | -1/+2
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16384)

* apps/ciphers: Fix wrong return value when using -convert parameter
  Tianjia Zhang | 2021-08-25 | 1 file | -0/+1
  Command 'openssl ciphers -convert <name>' always returns failure;
  this patch sets the correct return value.
  Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
  Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16383)

* APPS: Fix result type of dump_cert_text() and behavior of print_name() on out==NULL
  Dr. David von Oheimb | 2021-08-25 | 2 files | -6/+4
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16344)

* rsa: Try legacy encoding functions for pubkey
  Tomas Mraz | 2021-08-24 | 1 file | -1/+38
  If there are no suitable encoders it might mean the key is in an engine
  and thus it is a legacy key. Try legacy encoding routines to encode the
  public key. We do not attempt encoding a private key as it would be in
  most cases impossible anyway.
  Fixes #16256
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16289)

* Get rid of warn_binary
  Dmitry Belyavskiy | 2021-08-20 | 1 file | -29/+0
  The current implementation of warn_binary introduces a regression when the
  content is passed in /dev/stdin as an explicit file name, and reads the
  file to be processed twice otherwise. I suggest reimplementing this
  functionality after 3.0 if necessary.
  Fixes #16359
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/16367)

* Disclaimer about the default provider activation added to config
  Dmitry Belyavskiy | 2021-08-12 | 2 files | -0/+16
  Fixes #16249
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16280)

* genpkey: -quiet doesn't take an argument
  Pauli | 2021-08-12 | 1 file | -1/+1
  Fixes #16238
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16240)

* Fix CMP app TLS connection not respecting vpm options like -crl_check
  Dr. David von Oheimb | 2021-08-06 | 1 file | -5/+2
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16225)

* cms: Fix handling of -rctform option
  Tomas Mraz | 2021-08-05 | 1 file | -8/+4
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/16216)

* cms: Do not try to check binary format on stdin
  Tomas Mraz | 2021-08-05 | 1 file | -0/+2
  Fixes #16195
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/16216)

* req: Avoid segfault when -modulus is used
  Tomas Mraz | 2021-08-05 | 1 file | -2/+2
  Fixes #16196
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/16215)

* apps/pkeyutl.c: call ERR_print_errors() on all errors, including Signature Verification Failure
  Dr. David von Oheimb | 2021-08-04 | 1 file | -9/+4
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16209)

* Add config_diagnostics to our configuration files.
  Pauli | 2021-08-04 | 2 files | -4/+2
  The change to a more configuration based approach to enable FIPS mode
  operation highlights a shortcoming in the "default should do something"
  approach we've taken for bad configuration files.
  Currently, a bad configuration file will be automatically loaded and once
  the badness is detected, it will silently stop processing the
  configuration and continue normal operations. This is good for remote
  servers, allowing changes to be made without bricking things. It's bad
  when a user thinks they've configured what they want but got something
  wrong and it still appears to work.
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/16171)

* If we have passed the private key, don't copy it implicitly
  Dmitry Belyavskiy | 2021-08-03 | 1 file | -1/+1
  Fixes #16197
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16199)

* Redefine getpid() -> _getpid() only for MSVC
  Tanzinul Islam | 2021-07-31 | 1 file | -5/+5
  This was introduced in 814b5133e for MSVC. C++Builder doesn't need it.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/16192)

* apps: Use the first detected address family if IPv6 is not available
  Daiki Ueno | 2021-07-16 | 1 file | -0/+10
  This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c.
  Even when the host does not support IPv6 at all, BIO_lookup_ex may now
  return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of
  the ai_next field. After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the
  do_server function prefers the IPv6 address and fails on the BIO_socket
  call. This adds fallback code to retry with the IPv4 address returned as
  the first element to avoid the error.
  The failure had been partially avoided in the previous code with
  AI_ADDRCONFIG, because getaddrinfo returns only an IPv4 address if no IPv6
  address is associated with the external interface. However, it would still
  be a problem if the external interface has an IPv6 address assigned, while
  the loopback interface doesn't.
  Signed-off-by: Daiki Ueno <dueno@redhat.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16074)

* apps: avoid using POSIX IO macros and functions when built without them.
  Pauli | 2021-07-14 | 1 file | -13/+23
  Fall back to stdio functions if not available.
  Fixes a daily run-checker failure (no-posix-io)
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16073)

* Remove executable mode attributes of non-executable files
  Tianjia Zhang | 2021-07-13 | 1 file | -0/+0
  Remove the executable attributes of some C code files and key files,
  change the file mode from 0755 to 0644.
  Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16045)

* app: add library context and propq arguments to opt_md() and opt_cipher()
  Pauli | 2021-07-12 | 1 file | -5/+14
  Also avoid calling EVP_get_XXXbyname() if legacy paths aren't allowed.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16022)

* apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not
  Pauli | 2021-07-12 | 1 file | -0/+32
  By default they are. However, if a provider, provider path or a property
  query has been specified they are not. Likewise, if a library context or
  a property query has been specified by the command, they are not.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16022)

* apps: add query to allow a command to know of a provider command line option was processed
  Pauli | 2021-07-12 | 2 files | -0/+18
  Better fixing:
    Fixing #15683
    Fixing #15686
  Replacing rather than fixing:
    Fixing #15414
  Since that claims to fix another:
    Fixing #15372
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16022)

* Fix s_server PSK handling
  Matt Caswell | 2021-07-09 | 1 file | -0/+11
  Issue #15951 describes a scenario which causes s_server to fail when using
  a PSK. In the originally described issue this only impacted master and
  not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only
  if you additionally supply the option "-no_ticket" to the s_server
  command line.
  The difference between the behaviour in master and 1.1.1 is due to
  9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so
  happens that a default OpenSSL TLSv1.3 ticket length happens to fall
  between those 2 values. Tickets are presented in TLSv1.3 as a PSK
  "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets
  completely, it just forces the use of "session ids as a ticket" instead.
  This significantly reduces the ticket size to below 128 in 1.1.1.
  The problem was due to s_server setting a TLSv1.2 PSK callback and a
  TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK
  callbacks also work in TLSv1.3 but are not preferred. In the described
  scenario we use a PSK to create the initial connection. Subsequent to
  that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk
  length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK
  callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately
  s_server's TLSv1.2 PSK callback accepts the identity regardless, even
  though it is an unexpected value, and hence the binder subsequently
  fails to verify.
  The fix is to bail early in the TLSv1.2 callback if we detect we are
  being called from a TLSv1.3 connection.
  Fixes #15951
  Reviewed-by: Ben Kaduk <kaduk@mit.edu>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16008)

* Don't add the first pkcs12 certificate multiple times
  Matt Caswell | 2021-07-09 | 1 file | -4/+7
  This fixes a regression introduced by commit 1d6c867. When exporting a
  set of certificates to a PKCS12 file we shouldn't add the first one
  twice. Also we restore historic behaviour with respect to the canames
  option where we have no ee certificate with key.
  Fixes #15983
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/16001)

* apps: fix Coverity 1451531 Unchecked return value
  Pauli | 2021-07-09 | 1 file | -11/+13
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Ben Kaduk <kaduk@mit.edu>
  (Merged from https://github.com/openssl/openssl/pull/15994)

* load_key_certs_crls: Avoid reporting any spurious errors
  Tomas Mraz | 2021-07-02 | 1 file | -9/+3
  When there is other PEM data in between certs, OSSL_STORE_load returns
  NULL and reports an error. Avoid printing that error unless there was
  nothing read at all.
  Fixes #15945
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15949)

* cmp_mock_srv.c: Add missing OldCertID check for 'kur' cert update requests
  Dr. David von Oheimb | 2021-06-30 | 1 file | -0/+23
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15790)

* s_time: avoid unlikely division by zero
  Pauli | 2021-06-30 | 1 file | -4/+7
  Fixing coverity 966560 Division or modulo by zero (DIVIDE_BY_ZERO)
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15943)

* Fix 'openssl req' to correctly use the algorithm from '-newkey algo:nnnn'
  Richard Levitte | 2021-06-26 | 1 file | -2/+2
  We used the original string, which meant fetching for, for example,
  'rsa:2048'. That was, of course, doomed to fail.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15912)

* apps/CA.pl.in: restore the quotes around -CAfile, they were there for a reason
  Richard Levitte | 2021-06-26 | 1 file | -1/+3
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15823)

* Fix segfault in openssl x509 -modulus
  Christian Heimes | 2021-06-26 | 1 file | -1/+1
  The command ``openssl x509 -noout -modulus -in cert.pem`` used to
  segfault sometimes because an uninitialized variable was passed to
  ``BN_lebin2bn``. The bug triggered an assertion in bn_expand_internal().
  Fixes: https://github.com/openssl/openssl/issues/15899
  Signed-off-by: Christian Heimes <christian@python.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15900)

* apps: address potential memory leaks
  Pauli | 2021-06-26 | 1 file | -0/+4
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/15910)

* apps: properly initialise arguments to EVP_PKEY_get_bn_param()
  Pauli | 2021-06-26 | 2 files | -2/+2
  This avoids use of uninitialised memory.
  Follow on to #15900
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15908)

* Adapt other parts of the source to the changed EVP_Q_digest() and EVP_Q_mac()
  Richard Levitte | 2021-06-23 | 1 file | -14/+14
  Fixes #15839
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15861)

* cmp_mock_srv.c: Fix polling mode such that it can be done multiple times
  Dr. David von Oheimb | 2021-06-23 | 1 file | -6/+22
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15848)

* APPS & TEST: Use ossl_[u]intmax_t rather than [u]intmax_t
  Richard Levitte | 2021-06-22 | 1 file | -2/+2
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15825)

* APPS: Make fallback opt_[u]intmax() implementations based on long
  Richard Levitte | 2021-06-22 | 2 files | -16/+42
  Also ensure that opt_intmax() and opt_uintmax() do the right thing if
  sizeof([u]intmax_t) is smaller than sizeof(ossl_[u]intmax_t).
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15825)

* Update copyright year
  Matt Caswell | 2021-06-17 | 5 files | -5/+5
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15801)

* HTTP client: fix use of OSSL_HTTP_adapt_proxy(), which is needed also in cmp.c
  Dr. David von Oheimb | 2021-06-16 | 1 file | -6/+4
  For this reason, export this function, which allows removing http_local.h
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15764)

* X509_digest_sig(): Improve default hash for EdDSA and allow to return the chosen default
  Dr. David von Oheimb | 2021-06-16 | 1 file | -1/+1
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15762)

* apps: remove AEAD/mode checks that are now redundant
  Pauli | 2021-06-16 | 2 files | -20/+5
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15747)

* apps: use get_cipher_any() instead of get_cipher() for commands that support these ciphers/modes
  Pauli | 2021-06-16 | 3 files | -4/+4
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15747)

* apps: limit get_cipher() to not return AEAD or XTS ciphers
  Pauli | 2021-06-16 | 2 files | -6/+38
  Add a get_cipher_any() function to access these in addition to more
  normal ciphers
  Fixes #7720
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15747)

* Disabling Encrypt-then-MAC extension in s_client/s_server
  Dmitry Belyavskiy | 2021-06-15 | 1 file | -3/+6
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15735)

* s_server: make -rev option easier to find (mention echo)
  Hubert Kario | 2021-06-15 | 1 file | -1/+1
  Since the service is echo-like (see TCP port 7 from RFC 862 or
  gnutls-serv --echo), make it easier to find by mentioning "echo" in the
  description of it in the help message and man page.
  Also fixes the man page inconsistency ("sends it back to the server").
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/15739)

* Remove "-immedate_renegotiation" option
  Rich Salz | 2021-06-15 | 3 files | -12/+1
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15415)