18295f0c | 14-Feb-2016 | Richard Levitte
Make sure to use unsigned char for is*() functions. On some platforms, the implementation is such that a signed char triggers a warning when used with is*() functions. On others, the behavior is outright buggy when presented with a char that happens to get promoted to a negative integer. The safest thing is to cast the char that's used to an unsigned char. Reviewed-by: Andy Polyakov <appro@openssl.org>

21c6c50f | 10-Feb-2016 | Benjamin Kaduk
GH650: Minor tidying around the ocsp app. The ocsp utility is something of a jack-of-all-trades; most anything related to the OCSP can be done with it. In particular, the manual page calls out that it can be used as either a client or a server of the protocol, but there are also a few things that it can do which do not quite fit into either role, such as encoding an OCSP request but not sending it, printing out a text form of an OCSP response (or request) from a file akin to the asn1parse utility, or performing a lookup into the server-side revocation database without actually sending a request or response. All three of these are documented as examples in the manual page, but the documentation prior to this commit is somewhat misleading, in that when printing the text form of an OCSP response, the code also attempts to verify the response, displaying an error message and returning failure if the response does not verify. (It is possible that the response would be able to verify with the given example, since the default trust roots are used for that verification, but OCSP responses frequently have alternate certification authorities that would require passing -CAfile or -CApath for verification.) Tidy up the documentation by passing -noverify for the case of converting from binary to textual representation, and also change a few instances of -respin to -reqin as appropriate, note that the -url option provides the same functionality as the -host and -path options, clarify that the example that saves an OCSP response to a file will also perform verification on that response, and fix a couple of grammar nits in the manual page. Also remove an always-true conditional for rdb != NULL -- there are no codepaths in which it could be initialized at the time of this check. Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>

0996dc54 | 16-Jan-2016 | Viktor Dukhovni
Refactor apps load_certs/load_crls to work incrementally. Reviewed-by: Richard Levitte <levitte@openssl.org>

9aa00b18 | 14-Jan-2016 | Dr. Stephen Henson
To avoid possible time_t overflow, use X509_time_adj_ex(). Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

7644a9ae | 16-Dec-2015 | Rich Salz
Rename some BUF_xxx to OPENSSL_xxx. Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}. Add #define's for the old names. Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros. Reviewed-by: Tim Hudson <tjh@openssl.org>

96487cdd | 30-Oct-2015 | Matt Caswell
Continue standardisation of malloc handling in apps. Continue on from previous commits but in the apps directory. Reviewed-by: Kurt Roeckx <kurt@openssl.org>

4428c7db | 02-Oct-2015 | Alessandro Ghedini
Do not treat 0 return value from BIO_get_fd() as error. 0 is a valid file descriptor. RT#4068 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>

76e0cd12 | 17-Oct-2015 | Dr. Stephen Henson
Move auto Host adding to query_responder. Check for Host header in query_responder instead of process_responder. This also fixes a memory leak in the old code if the headers was NULL. Reviewed-by: Richard Levitte <levitte@openssl.org>

bb7fc98c | 17-Oct-2015 | Dr. Stephen Henson
Fix memory leak with -issuer option. Reviewed-by: Richard Levitte <levitte@openssl.org>

a0a82324 | 12-Oct-2015 | Matt Caswell
Centralise loading default apps config file. Loading the config file after processing command line options can cause problems, e.g. where an engine provides new ciphers/digests these are not then recognised on the command line. Move the default config file loading to before the command line option processing. Whilst we're doing this we might as well centralise this instead of doing it individually for each application. Finally, if we do it before the OpenSSL_add_ssl_algorithms() call then ciphersuites provided by an engine (e.g. GOST) can be available to the apps. RT#4085 RT#4086 Reviewed-by: Richard Levitte <levitte@openssl.org>

2b6bcb70 | 22-Sep-2015 | Matt Caswell
Add support for -no-CApath and -no-CAfile options. For those command line options that take the verification options -CApath and -CAfile, if those options are absent then the default path or file is used instead. It is not currently possible to specify *no* path or file at all. This change adds the options -no-CApath and -no-CAfile to specify that the default locations should not be used to all relevant applications. Reviewed-by: Andy Polyakov <appro@openssl.org>

bdd58d98 | 04-Sep-2015 | Richard Levitte
Change the way apps open their input and output files. The different apps had the liberty to decide whether they would open their input and output files in binary mode or not, which could be confusing if two different apps were handling the same type of file in different ways. The solution is to centralise the decision of low level file organisation, and that the apps would use a selection of formats to state the intent of the file. Reviewed-by: Tim Hudson <tjh@openssl.org>

82c49427 | 10-Aug-2015 | Rich Salz
Fix build break. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

ff4a9394 | 04-Aug-2015 | bluelineXY
GH357: Update ocsp.c. Add Host header in OCSP query if no host header is set via -header. Signed-off-by: Rich Salz <rsalz@akamai.com> Reviewed-by: Ben Laurie <ben@openssl.org>

e46bcca2 | 30-Jul-2015 | Adam Eijdenberg
RT3962: Check accept_count only if not unlimited. Reviewed-by: Matt Caswell <matt@openssl.org>

4b8d8e2a | 13-Jun-2015 | Rich Salz
RT3682: Avoid double-free on OCSP parse error. Found by Kurt Cancemi. Reviewed-by: Matt Caswell <matt@openssl.org>

366e2a60 | 02-May-2015 | Rich Salz
RT832: Use REUSEADDR in ocsp responder. I also re-ordered some of the #ifdef's. Reviewed-by: Matt Caswell <matt@openssl.org>

296f54ee | 29-May-2015 | Richard Levitte
Restore module loading. The module loading feature got broken a while ago, so restore it, but have it a bit more explicit this time around. Reviewed-by: Stephen Henson <steve@openssl.org>

13c9bb3e | 30-Mar-2015 | Matt Caswell
Client side version negotiation rewrite. Continuing from the previous commit, this changes the way we do client side version negotiation. Similarly, all of the s23* "up front" state machine code has been avoided and again things now work much the same way as they already did for DTLS, i.e. we just do most of the work in the ssl3_get_server_hello() function. Reviewed-by: Kurt Roeckx <kurt@openssl.org>

98cd49db | 13-May-2015 | Rich Salz
Add missing ctype.h. Had old patch, forgot to push/patch this to master. Reviewed-by: Matt Caswell <matt@openssl.org>

fc3cec53 | 02-May-2015 | Rich Salz
Fix ocsp bugs. Various bugs found by Viktor, Emilia, Matt, etc. Reviewed-by: Matt Caswell <matt@openssl.org>

25aaa98a | 01-May-2015 | Rich Salz
free NULL cleanup -- coda. After the finale, the "real" final part. :) Do a recursive grep with "-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceding lines are an "if NULL" check that can be removed. Reviewed-by: Tim Hudson <tjh@openssl.org>

b548a1f1 | 01-May-2015 | Rich Salz
free null cleanup finale. Don't check for NULL before calling OPENSSL_free. Reviewed-by: Richard Levitte <levitte@openssl.org>

895cba19 | 30-Apr-2015 | Rich Salz
free cleanup 12. Don't check for NULL before calling free function. This gets: NAME_CONSTRAINTS_free, GENERAL_SUBTREE_free, ECDSA_METHOD_free, JPAKE_CTX_free, OCSP_REQ_CTX_free, SCT_free, SRP_VBASE_free, SRP_gN_free, SRP_user_pwd_free, TXT_DB_free. Reviewed-by: Richard Levitte <levitte@openssl.org>

222561fe | 30-Apr-2015 | Rich Salz
free NULL cleanup 5a. Don't check for NULL before calling a free routine. This gets X509_.*free: x509_name_ex_free, X509_policy_tree_free, X509_VERIFY_PARAM_free, X509_STORE_free, X509_STORE_CTX_free, X509_PKEY_free, X509_OBJECT_free_contents, X509_LOOKUP_free, X509_INFO_free. Reviewed-by: Richard Levitte <levitte@openssl.org>