Commit Graph

4127 Commits

Author SHA1 Message Date
Tomas Mraz de8e0851a1 rehash.c: Do not use NAME_MAX limit
On some systems it is too small although the system allows longer
filenames.

Fixes #22886

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22889)
2023-12-05 17:53:50 +01:00
Richard Levitte 7ebaab7689 Make 'openssl list' less sensitive for providers without params
When a provider can't return parameters, make that a warning instead of an
error, and continue to list further providers.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22866)
2023-12-04 15:12:34 +01:00
Bernd Edlinger bed7a87810 Fix a possible memory leak in make_receipt_request
When the CMS_ReceiptRequest cannot be created,
the rct_to and rct_from may be leaked.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22742)
2023-12-01 11:05:42 +01:00
Markus Minichmayr b8590b2f36 Add option `SSL_OP_PREFER_NO_DHE_KEX`, allowing the server to prefer non-dhe psk key exchange over psk with dhe (config file option `PreferNoDHEKEX`, server option `prefer_no_dhe_kex`).
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22794)
2023-11-24 15:08:04 +00:00
James Muir 55ca75dd8f openssl-speed: support KMAC128 & KMAC256, refactor mac setup/teardown
Add ability to measure performance of the two kmac algorithms, and
reduce code duplication in mac testing by introducing mac_setup() and
mac_teardown().  Also, start accepting "cmac" as an algorithm string
(similar to how "hmac" is accepted).

We can now compare the performance of KMAC128, KMAC256 (mac algs) to
KECCAK-KMAC128, KECCAK-KMAC256 (digest/xof algs).

Fixes #22619

Testing:

  $ LD_LIBRARY_PATH=. ./apps/openssl speed kmac cmac hmac

  $ LD_LIBRARY_PATH=. ./apps/openssl speed kmac256
  $ LD_LIBRARY_PATH=. ./apps/openssl speed -evp KECCAK-KMAC256

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22764)
2023-11-24 13:58:14 +01:00
James Muir e580f06dec speed: make hmac(sha256) the default hmac
prefer hmac(sha256) rather than hmac(md5).  Also, drop the "skip_hmac"
label.  If we are supposed to do hmac(hash_func) and hash_func cannot
be found, then error out immediately.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22793)
2023-11-23 15:10:57 +00:00
Neil Horman ae9fe65d9f Augment rand argument parsing to allow scaling
Instead of just accepting a number of bytes, allows openssl rand to
accept a k|m|g suffix to scale to kbytes/mbytes/gbytes

Fixes #22622

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22624)
2023-11-13 12:21:34 +01:00
Alexey Fofanov 8286e63271 apps/list.c: Check the result of inserting a provider into provider's stack
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22492)

(cherry picked from commit 15b83e04a5)
2023-11-10 11:33:41 +01:00
Matthias St. Pierre ec0d22fe15 apps/rehash.c: avoid printf format warning [-Wformat]
The `aarch64-linux-android33-clang` cross-compiler (v14.0.6)
complains twice about an unsupported '%n' format specifier,
preventing a successful `--strict-warnings` build:

    error: '%n' specifier not supported on this platform [-Werror,-Wformat]
                BIO_snprintf(buf, buflen, "%s%s%n%08x.%s%d",

This is a false positive, because BIO_snprintf() implements its
own format parsing (which is implemented in the _dopr() function).

This commit fixes the problem by rewriting the code to dispense with
the dubious '%n' format specifier. As a side-effect, the code becomes
a little bit more comprehensible and self-explaining.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22511)
2023-11-08 10:28:22 +01:00
Matt Caswell 74ff15e1a1 Don't error if s_client receives exactly BUFSIZZ data
We should accept that many bytes without failing

Fixes #22551

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22558)
2023-11-01 10:20:19 +00:00
Matt Caswell 95420a2500 Don't wait in select if we have data to write
In s_client, when using quic, if we have data from the user to write then we shouldn't
hang in "select" waiting for something to happen.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22480)
2023-10-25 09:40:48 +01:00
Matt Caswell 1a91fda183 Make s_client -quic -debug work
The callback that makes -debug print the data sent/received needed extending
for the new QUIC callback codes.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22480)
2023-10-25 09:40:48 +01:00
Ingo Franzki df5f419b14 speed: Correct handling of async_jobs for KEM and signature algos
Setup the loopargs array for all jobs, not only for the very first one.

It may fail with "Could not allocate 0 bytes for sig sign loop" and/or will
cause the loop functions to fail silently, because they operate on a NULL
PKEY context when "-async_jobs <n>" is specified.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22399)
2023-10-25 09:24:29 +01:00
Ingo Franzki 4e09305ee0 speed: Fix memory leaks
Free the PKEYs created for KEM and signature algorithms.
Free the encrypt/decrypt PKEY contexts for RSA.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/22399)
2023-10-25 09:24:29 +01:00
Neil Horman 21f7a09ca2 Convert jdkTrustedKeyUsage to be a pkcs12 cmd line option
Creating JDK compatible pkcs12 files requires a bit more than just
adding the Trusted Key Usage OID to a certbag in the pkcs12 file.
Additionally the JDK currently requires that pkcs12 files setting this
oid _not_ contain any additional keys, and in response will produce
unpredictable results.

This could be solved by implying --nokeys when the pkcs12 utility is run
and the config option is set, but thatcould confuse users who didn't
specify nokeys on the command line.  As such, remove the config file
setting for this feature, and replace it with a -jdktrust command line
option, that is documented to assert nokeys when a users specifies the
new command line option.

Fixes #22215

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22422)
2023-10-20 16:30:43 +01:00
Tomas Mraz 1d768852e9 apps.c: Remove a redundant error print-out
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22318)
2023-10-19 10:10:00 +02:00
Tomas Mraz edc2b6e3b1 apps: Print out a proper message when a store cannot be opened
Fixes #22306

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22318)
2023-10-19 10:10:00 +02:00
Dr. David von Oheimb ac0677bd23 CMP: fix OSSL_CMP_MSG_http_perform() by adding option OSSL_CMP_OPT_USE_TLS
Fixes #21120

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21176)
2023-10-10 20:36:06 +02:00
Dr. David von Oheimb 4a9299ac50 apps/cmp.c: -tls_used may be implied by -server https:...; improve related checks and doc
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21176)
2023-10-10 20:36:05 +02:00
Klavishnik 8d120aef95 Added check for the return value of the RAND_bytes() function
Call app_bail_out if RAND_bytes() fails.

Also changed the output parameter of RAND_bytes() to inp as
writing to encrypted output buffer does not make sense.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21706)
2023-10-10 17:15:54 +02:00
Matt Caswell 556009c596 Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
2023-09-28 14:23:29 +01:00
Michael Baentsch 6c03fa21ed adding -outpubkey option to genpkey
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22173)
2023-09-24 20:51:42 +02:00
Bernd Edlinger 8c040c086c Fix some memory leaks in the openssl app
In some error cases the normal cleanup did not
happen, but instead an exit(1) which caused some
memory leaks, as reported in #22049.

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/22055)
2023-09-21 14:39:36 +02:00
Mathieu Tortuyaux 0e138b7b59 enc: "bad decrypt" only in decryption
CLA: trivial

Signed-off-by: Mathieu Tortuyaux <mathieu.tortuyaux@gmail.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22134)
2023-09-20 08:12:07 +10:00
Matthias St. Pierre 46ea5486f3 APPS: remove duplicate definition of `trace_data_stack`
Note: It seems like the C compiler doesn't care about the duplicate.
(The first definition is eight lines above.) The C++ compiler however
didn't like it when I reused the tracing code snippets elsewhere.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22117)
2023-09-18 09:06:47 +10:00
Dimitri Papadopoulos 23def9d371 Fix typos found by codespell
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22063)
2023-09-13 08:13:08 +02:00
Dimitri Papadopoulos e22ebb893e Bad function definition
void f() should probably be void f(void)

Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21468)
2023-09-11 10:15:30 +02:00
Dimitri Papadopoulos bbaeadb068 "foo * bar" should be "foo *bar"
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21468)
2023-09-11 10:15:30 +02:00
Dimitri Papadopoulos ad31628cfe Remove repeated words
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21468)
2023-09-11 10:15:30 +02:00
Bernd Edlinger d2873946df Fix output corruption in req command
when used in conjunction with -out and -modulus options.

Fixes #21403

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22026)
2023-09-09 16:44:33 +02:00
Richard Levitte b0da24bd2d BIO_set_accept_name(): To accept from any interface, use *
Using "*:{port}" is preferred to "[::]:{port}", because it won't break on
IPv4-only machines.

This fixes test failures in 79-test_http.t and 80-test_ssl_new.t on machines
without IPv6.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21989)
2023-09-08 08:25:08 +02:00
wangcheng b9a189ce87 Modify the dkeyform type to support engine
The valtype value of dkeyform defined in the s_server_options structure is F, which leads to the judgment that the engine is not supported when processing parameters in the opt_next function.
This the valtype value of dkeyform should be changed to "f".

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21982)
2023-09-08 16:16:31 +10:00
Matt Caswell da1c088f59 Copyright year updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
2023-09-07 09:59:15 +01:00
Philip Prindeville c1673a60e4 Per other commands, make progress dots in req only w/ -verbose
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21937)
2023-09-06 09:46:05 +10:00
Dr. David von Oheimb 374945a9aa apps/cmp.c: fix bug not allowing to reset -csr and -serial option values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)
2023-09-05 11:47:59 +01:00
Dr. David von Oheimb 49e097344b apps.c: improve warning texts of parse_name() when skipping RDN input
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)
2023-09-05 11:47:59 +01:00
Dr. David von Oheimb 81d037b8ad apps.c: fix error messages (newline and needless text) in load_key_certs_crls()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21659)
2023-09-05 11:47:59 +01:00
slontis e3994583a1 Added 'saltlen' option to the OpenSSL enc command line app.
This allows PBKDF2 to change the saltlen to something other than the
new default value of 16. Previously this app hardwired the salt length
to a maximum of 8 bytes. Non PBKDF2 mode uses EVP_BytesToKey()
internally, which is documented to only allow 8 bytes.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21858)
2023-09-04 14:15:34 +10:00
slontis 9f679bdc71 Added a 'saltlen' option to the openssl pkcs8 command line app.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21858)
2023-09-04 14:15:34 +10:00
olszomal 10536b7f5b Changed the default value of the "ess_cert_id_alg" option
This is used to calculate the TSA's public key certificate identifier.

The default algorithm is changed from sha1 to sha256.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21794)
2023-08-25 15:05:51 +02:00
Hugo Landau ce7a9e23fb QUIC: Rename SSL_set_initial_peer_addr to SSL_set1_initial_peer_addr
Fixes #21701

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21814)
2023-08-24 11:47:57 +01:00
Tomas Mraz 20baa24f9f apps/spkac.c: Check result of ASN1_STRING_set()
Fixes Coverity 1027256

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21755)
2023-08-18 15:06:17 +02:00
Dr. David von Oheimb 830b6a13f9 http_server.c: allow clients to connect with IPv6
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21033)
2023-08-15 20:41:26 +02:00
Ingo Franzki eb2ff04cc7 speed: Unify output messages regarding number of ops per time
Always report "<algo> ops in <time>", instead of "<algo>'s in <time>" or
similar. Avoid the use of apostrophes and/or plural with algorithm names.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21383)
2023-08-01 19:10:39 +02:00
Ingo Franzki 0195df8baa speed: Also measure RSA encrypt/decrypt, not only RSA sign/verify
While RSA encrypt/decrypt and sign/verify are basically the same mod-expo
operations, the speed of the operation may still differ, due to different
padding, as well as the use of implicit rejection for RSA decrypt.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21383)
2023-08-01 19:10:39 +02:00
Fatih Arslan Tugay ccb2f3080d Correct spelling of database
Apply normal sentence case to db update message

CLA: trivial

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/21535)
2023-07-27 10:12:18 -04:00
Ingo Franzki 0c85bcbaea speed: Fix execution of EdDSA measurement
Running 'openssl speed eddsa' fails with

Doing 253 bits sign Ed25519 ops for 10s: EdDSA sign failure
000003FF9306C7D0:error:030000BC:digital envelope routines:EVP_DigestSign:
                           final error:crypto/evp/m_sigver.c:585:
-1 253 bits Ed25519 sign ops in 0.00s
Doing 253 bits verify Ed25519 ops for 10s: EdDSA verify failure
000003FF9306C7D0:error:030000BC:digital envelope routines:EVP_DigestVerify:
                           final error:crypto/evp/m_sigver.c:694:
-1 253 bits Ed25519 verify ops in 0.00s

This is because the EVP_DigestSign/Verify() calls in the EdDSA_sign/verify_loop()
fail because the context has already been finalized by the previous
EVP_DigestSign/Verify call during the EdDSA signature test done by speed_main().

This happens since commit 3fc2b7d6b8 where the
EVP_DigestSign/Verify() functions have been changed to set a flag that the
context has been finalized.

Fix this by re-initializing the context using EVP_DigestSign/Verify() in the
EdDSA_sign/verify_loop().

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21491)
2023-07-21 10:08:10 +10:00
Ingo Franzki cc7e2b20de speed: Fix memory leak
Free the signature stack after iterating over all found signatures.
Free the kem and signature stacks at the end of speed_main() if not
NULL.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21491)
2023-07-21 10:08:10 +10:00
atishkov 8c34367e43 apps/cms.c: Fix unreachable code in cms_main()
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21474)
2023-07-19 14:47:33 +02:00
Dimitri Papadopoulos a024ab984e Fix typos found by codespell
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21467)
2023-07-18 18:54:45 +10:00
Dr. David von Oheimb 01b0485131 CMP: add support for genm with rootCaCert and genp with rootCaKeyUpdate
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21129)
2023-07-17 08:48:36 +10:00
Dr. David von Oheimb ec5a9cd11b rename OSSL_CMP_get{,1}_caCerts and improve OSSL_CMP_exec_certreq.pod
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21129)
2023-07-17 08:48:26 +10:00
Dr. David von Oheimb 4085ba874e APPS load_key_certs_crls(): improve error string macro FAIL_NAME
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21129)
2023-07-17 08:48:26 +10:00
Rajeev Ranjan 1d32ec20fe CMP: support specifying certificate to be revoked via issuer and serial number
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21116)
2023-07-10 08:03:38 +02:00
Matt Caswell 55d3a6be6b Fix typos in s_client
There was some typos of OPENSS_NO_QUIC (should be OPENSSL_NO_QUIC) in
s_client

Fixes #21291

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21293)
2023-06-30 09:34:03 +10:00
Jörg Sommer 33c09341bb openssl speed -multi -evp prints wrong algorithm name
When running `openssl speed -evp md5` the result shows `md5` as algorithm
name. But when adding the option `-multi 2` it gives `evp` as algorithm
name.

Signed-off-by: Jörg Sommer <joerg@jo-so.de>

Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21216)
2023-06-28 11:05:14 +02:00
Matt Caswell 849450746f Don't truncate the input when decrypting in pkeyutl
The pkeyutl app was truncating the input file for decryption leading to
incorrect results. This was probably ok historically when RSA was being
used for decryption which has short maximum sizes. This is not ok with SM2.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21272)
2023-06-26 09:28:23 +01:00
Yannik Sembritzki 7f4cc3bc34 Remove restriction to only cross-sign self-signed certificates
CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21137)
2023-06-20 16:38:33 +10:00
Dimitri Papadopoulos 6ea4da6e4d Fix new typos found by codespell
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21210)
2023-06-18 16:53:09 +10:00
Richard Levitte af99d55078 apps/ca.c: Handle EVP_PKEY_get_default_digest_name() returning 1 with "UNDEF"
EVP_PKEY_get_default_digest_name() may return 1 with the returned digest
name "UNDEF".  This case hasn't been documented, and the meaning has been
left undefined, until now.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20460)
2023-06-15 14:03:57 +02:00
Dimitri Papadopoulos eb4129e12c Fix typos found by codespell
Typos in doc/man* will be fixed in a different commit.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20910)
2023-06-15 10:11:46 +10:00
Yi Li 4032cd9a14 configure: introduce no-ecx to remove ECX related feature
This can effectively reduce the binary size for platforms
that don't need ECX feature(~100KB).

Signed-off-by: Yi Li <yi1.li@intel.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20781)
2023-06-14 13:06:22 +10:00
Tomas Mraz ef1ed411e1 Coverity 1528486: Avoid assignment of unused value of bags
It is used only within the loop and always initialized
2023-06-10 19:23:59 -04:00
Tomas Mraz 82b81161de Coverity 1528490: Avoid assignment of unused value of i
It is used only within the loop and initialized at the beginning
2023-06-10 19:23:59 -04:00
Michael Baentsch 8a2e74d053 Cast the argument to unsigned char when calling isspace()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21151)
2023-06-09 17:30:28 +02:00
Dr. Matthias St. Pierre 34df960a75 apps/asn1parse: improve RFC7462 compliance
The asn1parse command now supports three different input formats:

     openssl asn1parse -inform PEM|DER|B64

       PEM: base64 encoded data enclosed by PEM markers (RFC7462)
       DER: der encoded binary data
       B64: raw base64 encoded data

The PEM input format is the default format. It is equivalent
to the former `-strictpem` option which is now marked obsolete
and kept for backward compatibility only.

The B64 is equivalent to the former default input format of the
asn1parse command (without `-strictpem`)

Fixes #7317

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7320)
2023-06-09 09:47:34 +02:00
Dr. Matthias St. Pierre ca857d7332 apps/opt: refactor input format parsing
- split OPT_FMT_PEMDER flag into OPT_FMT_PEM and OPT_FMT_DER
- add OPT_FMT_B64 option (`-inform b64`)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7320)
2023-06-09 09:47:34 +02:00
Michael Baentsch 8229874476 Cast the argument to unsigned char when calling isdigit()
Fixes #21123

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21127)
2023-06-06 15:48:46 +02:00
Vladimír Kotal 3ca28c9e81 allow to disable http
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21108)
2023-06-06 11:05:02 +10:00
Dmitry Belyavskiy 4c56539cb3 Remove pointless warning on pkcs12 import
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21107)
2023-06-03 16:15:33 +02:00
Dr. David von Oheimb 5def4bbb4b cmp_mock_srv.c: improve comment on cert to be produced from request template
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21086)
2023-06-01 10:03:06 +02:00
Dr. David von Oheimb 586b5407d6 apps.c: add comment to do_X509_sign() referring to question #19805
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21086)
2023-06-01 10:03:06 +02:00
Dr. David von Oheimb dea5e2632c apps/cmp.c: make management of http_cb_arg pointer more robust
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21086)
2023-06-01 10:03:06 +02:00
Dr. David von Oheimb 6ed117b32c apps/cmp.c: improve warnings on option use
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/21086)
2023-06-01 10:03:06 +02:00
Dr. David von Oheimb d477484d33 CMP: add support for genm/genp messages with id-it-caCerts
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19231)
2023-06-01 09:39:12 +02:00
Hugo Landau a35e38a212 QUIC: Rename SSL_tick etc. in s_client
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20879)
2023-05-29 08:51:12 +02:00
minyong.ha 31c94b5e11 Fix a bug where the result of rehash is unstable
The root cause is that the file entries targeted for rehash are not actually sorted.
Sort was skipped because the compare function was null.
So a compare function has been implemented to allow file entries to be sorted.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21013)
2023-05-25 15:46:40 +02:00
Dr. David von Oheimb b77826877b APPS: replace awkward and error-prone pattern by calls to new app_conf_try_number()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
2023-05-25 09:04:35 +02:00
Dr. David von Oheimb da7f81d393 APPS: replace awkward and error-prone pattern by calls to new app_conf_try_string()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
2023-05-25 09:04:35 +02:00
Dr. David von Oheimb c8aec16383 APPS/ca: remove spurious errors when certain config file entries are not provided
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
2023-05-25 09:04:35 +02:00
Marco Abbadini 26cf0767a7 pkcs12: Fix macsaltlen parameter type
It expects an integer so change it from non-argument type to positive integer type.

Fixes #20969

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20979)
2023-05-18 13:25:28 +02:00
Marc Brooks 831ef53472 Add support for --version and synonyms
Just like --help is explicitly supported, we should support --version.
This will greatly ease people adopting openssl.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20936)
2023-05-18 17:18:10 +10:00
Dr. David von Oheimb 2d6585986f CMP client: fix error response on -csr without private key, also in docs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20832)
2023-05-12 10:46:27 +02:00
Dr. David von Oheimb 14ca1b6f46 apps/openssl.cnf: fix reference to insta.ca.crt
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20832)
2023-05-12 10:46:14 +02:00
Michael Baentsch 316d5a982b restrict rsaBITS algorithm name check in speed
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20898)
2023-05-11 12:21:23 +10:00
Dr. David von Oheimb 20d4dc8898 CMP app: fix deallocated host/port fields in APP_HTTP_TLS_INFO
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20034)
2023-05-10 18:35:51 +01:00
Dr. David von Oheimb 30b9a6ec89 CMP app and app_http_tls_cb(): pick the right TLS hostname (also without port)
Fixes #20031

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20034)
2023-05-10 18:35:38 +01:00
Matt Caswell d98f4212b7 Don't attempt a QUIC connection without specifying ALPN
ALPN is required for a successful QUIC connection, so do not allow the
-quic option for s_client without -alpn

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20580)
2023-05-08 10:13:39 +01:00
Matt Caswell c4f74e7fc9 Add the ability to send FIN on a QUIC stream from s_client
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20580)
2023-05-08 10:13:39 +01:00
Matt Caswell f34e5d7a12 Add QUIC support to s_client
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20580)
2023-05-08 10:13:39 +01:00
Rajarshi Karmakar c154f537c3 feature: openssl req -verify output to stderr instead of stdout #20728
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20858)
2023-05-04 11:58:36 +10:00
Tianjia Zhang a75f707fca apps: silent warning when loading CSR files with vfyopt option
When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:

  Warning: CSR self-signature does not match the contents

This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)
2023-05-03 09:48:17 +02:00
Reinhard Urban a8eb81ccd2 speed.c: remove unused num print_message args
these num args went unused with the removal of the ifndef SIGALRM
branches, commit ee1d7f1d25 Feb 2021
PR #14228

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20795)
2023-05-03 09:33:29 +02:00
Dr. David von Oheimb 1f757df1f3 APPS/cmp: prevent HTTP client failure on -rspin option with too few filenames
The logic for handling inconsistent use of -rspin etc., -port, -server,
and -use_mock_srv options proved faulty.  This is fixed here, updating and
correcting also the documentation and diagnostics of the involved options.

In particular, the case that -rspin (or -rspout. reqin, -reqout) does not
provide enough message file names was not properly described and handled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20295)
2023-04-28 08:42:20 +02:00
Dr. David von Oheimb 57c0205b4d APPS: make sure the -CAfile argument can be in DER format
Note that PKCS#12 input is still not supported here-

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18917)
2023-04-27 15:45:38 +01:00
Dr. David von Oheimb 2786160731 apps/smime: Point out that the six operations are mutually exclusive and add check
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18917)
2023-04-27 15:45:38 +01:00
Dr. David von Oheimb 87943b933e apps/ocsp: Tweak some places to make clear they refer to *lists* of certs
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18917)
2023-04-27 15:45:36 +01:00
Matt Caswell a80840c663 Replace use of strstr with strchr
It is better to use strchr where we are looking for a single character.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20788)
2023-04-24 11:12:48 +01:00
Matt Caswell 6799fc2409 Coverity 1524619: unexpected control flow
Using "continue" in a do...while(0) loop is pointless. The original intent
was that the loop would continue to a second iteration in this case.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20788)
2023-04-24 11:12:48 +01:00
Pauli bc2a4225a4 fipsinstall: add -pedantic option
This adds a -pedantic option to fipsinstall that adjusts the various
settings to ensure strict FIPS compliance rather than backwards
compatibility.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
2023-04-20 09:21:51 +10:00