summaryrefslogtreecommitdiffstats
path: root/apps/pkcs12.c
AgeCommit message (Collapse)Author
2016-10-19If an engine comes up explicitely, it must also come down explicitelyRichard Levitte
In apps/apps.c, one can set up an engine with setup_engine(). However, we freed the structural reference immediately, which means that for engines that don't already have a structural reference somewhere else (because it's a built in engine), we end up returning an invalid reference. Instead, the function release_engine() is added, and called at the end of the routines that call setup_engine(). Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1643)
2016-10-14Constify command optionsFdaSilvaYY
Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1694)
2016-08-25Support broken PKCS#12 key generation.Dr. Stephen Henson
OpenSSL versions before 1.1.0 didn't convert non-ASCII UTF8 PKCS#12 passwords to Unicode correctly. To correctly decrypt older files, if MAC verification fails with the supplied password attempt to use the broken format which is compatible with earlier versions of OpenSSL. Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22Avoid more compiler warnings for use of uninitialised variablesRichard Levitte
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-08-19Convert PKCS12* functions to use const gettersMatt Caswell
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-17Constify X509_SIG.Dr. Stephen Henson
Constify X509_SIG_get0() and order arguments to mactch new standard. Add X509_SIG_get0_mutable() to support modification or initialisation of an X509_SIG structure. Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17Constify char* input parameters in apps codeFdaSilvaYY
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17constify X509_ALGOR_get0()Dr. Stephen Henson
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-16Convert PKCS8* functions to use const gettersMatt Caswell
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
2016-07-29print out MAC algorithmDr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-08Support PKCS v2.0 print in pkcs12 utility.Dr. Stephen Henson
Extended alg_print() in pkcs12 utility to support PBES2 algorithms. RT#4588 Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-17Copyright consolidation 01/10Rich Salz
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-04Check return of PEM_write_* functions and report possible errorsRichard Levitte
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1025)
2016-04-15Make many X509_xxx types opaque.Rich Salz
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD opaque. Remove unused X509_CERT_FILE_CTX Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-03-31Fix "no-ui" configurationRichard Levitte
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-18Fix no-desMatt Caswell
Numerous fixes for no-des. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-11Make X509_SIG opaque.Dr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-07Make PKCS8_PRIV_KEY_INFO opaque.Dr. Stephen Henson
Make PKCS8_PRIV_KEY_INFO opaque. Several accessor functions already exist for this structure. Two new ones were added to handle attributes. The old handling of broken formats has been removed and the corresponding structures simplified. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-22Remove unused parameters from internal functionsRich Salz
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-20argv was set but unusedKurt Roeckx
Also gives an error message when you gave it a parameter it didn't expect. Reviewed-by: Rich Salz <rsalz@openssl.org> MR: #2009
2016-02-08fix various formatting issuesDr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08Use new namesDr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08Use accessors in pkcs12 app.Dr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-20Refactor apps load_certs/load_crls to work incrementallyViktor Dukhovni
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-03Fix X509_STORE_CTX_cleanup()Viktor Dukhovni
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-16Rename some BUF_xxx to OPENSSL_xxxRich Salz
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen} Add #define's for the old names. Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros. Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-10-12Centralise loading default apps config fileMatt Caswell
Loading the config file after processing command line options can cause problems, e.g. where an engine provides new ciphers/digests these are not then recoginised on the command line. Move the default config file loading to before the command line option processing. Whilst we're doing this we might as well centralise this instead of doing it individually for each application. Finally if we do it before the OpenSSL_add_ssl_algorithms() call then ciphersuites provided by an engine (e.g. GOST) can be available to the apps. RT#4085 RT#4086 Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-25Add support for -no-CApath and -no-CAfile optionsMatt Caswell
For those command line options that take the verification options -CApath and -CAfile, if those options are absent then the default path or file is used instead. It is not currently possible to specify *no* path or file at all. This change adds the options -no-CApath and -no-CAfile to specify that the default locations should not be used to all relevant applications. Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-06Change the way apps open their input and output filesRichard Levitte
The different apps had the liberty to decide whether they would open their input and output files in binary mode or not, which could be confusing if two different apps were handling the same type of file in different ways. The solution is to centralise the decision of low level file organisation, and that the apps would use a selection of formats to state the intent of the file. Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-15RT2547: Tighten perms on generated privkey filesRich Salz
When generating a private key, try to make the output file be readable only by the owner. Put it in CHANGES file since it might be noticeable. Add "int private" flag to apps that write private keys, and check that it's set whenever we do write a private key. Checked via assert so that this bug (security-related) gets fixed. Thanks to Viktor for help in tracing the code-paths where private keys are written. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-06-06Increase buffer size for passwords in pkcs12 CLIRodger Combs
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-02Standardize handling of #ifdef'd options.Rich Salz
Here are the "rules" for handling flags that depend on #ifdef: - Do not ifdef the enum. Only ifdef the OPTIONS table. All ifdef'd entries appear at the end; by convention "engine" is last. This ensures that at run-time, the flag will never be recognized/allowed. The next two bullets entries are for silencing compiler warnings: - In the while/switch parsing statement, use #ifdef for the body to disable it; leave the "case OPT_xxx:" and "break" statements outside the ifdef/ifndef. See ciphers.c for example. - If there are multiple options controlled by a single guard, OPT_FOO, OPT_BAR, etc., put a an #ifdef around the set, and then do "#else" and a series of case labels and a break. See OPENSSL_NO_AES in cms.c for example. Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-29Restore module loadingRichard Levitte
The module loading feature got broken a while ago, so restore it, but have it a bit more explicit this time around. Reviewed-by: Stephen Henson <steve@openssl.org>
2015-05-11Use p==NULL not !p (in if statements, mainly)Rich Salz
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-06Use "==0" instead of "!strcmp" etcRich Salz
For the various string-compare routines (strcmp, strcasecmp, str.*cmp) use "strcmp()==0" instead of "!strcmp()" Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-01free NULL cleanup -- codaRich Salz
After the finale, the "real" final part. :) Do a recursive grep with "-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are an "if NULL" check that can be removed. Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-01free null cleanup finaleRich Salz
Don't check for NULL before calling OPENSSL_free Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30free NULL cleanup 5aRich Salz
Don't check for NULL before calling a free routine. This gets X509_.*free: x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free X509_STORE_free X509_STORE_CTX_free X509_PKEY_free X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-29Remove needless bio_err argumentRich Salz
Many functions had a BIO* parameter, and it was always called with bio_err. Remove the param and just use bio_err. Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-25fewer NO_ENGINE #ifdef'sRich Salz
Make setup_engine be a dummy if NO_ENGINE is enabled. The option is not enabled if NO_ENGINE is enabled, so the one "wasted" variable just sits there. Removes some variables and code. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-24Big apps cleanup (option-parsing, etc)Rich Salz
This is merges the old "rsalz-monolith" branch over to master. The biggest change is that option parsing switch from cascasding 'else if strcmp("-foo")' to a utility routine and somethin akin to getopt. Also, an error in the command line no longer prints the full summary; use -help (or --help :) for that. There have been many other changes and code-cleanup, see bullet list below. Special thanks to Matt for the long and detailed code review. TEMPORARY: For now, comment out CRYPTO_mem_leaks() at end of main Tickets closed: RT3515: Use 3DES in pkcs12 if built with no-rc2 RT1766: s_client -reconnect and -starttls broke RT2932: Catch write errors RT2604: port should be 'unsigned short' RT2983: total_bytes undeclared #ifdef RENEG RT1523: Add -nocert to fix output in x509 app RT3508: Remove unused variable introduced by b09eb24 RT3511: doc fix; req default serial is random RT1325,2973: Add more extensions to c_rehash RT2119,3407: Updated to dgst.pod RT2379: Additional typo fix RT2693: Extra include of string.h RT2880: HFS is case-insensitive filenames RT3246: req command prints version number wrong Other changes; incompatibilities marked with *: Add SCSV support Add -misalign to speed command Make dhparam, dsaparam, ecparam, x509 output C in proper style Make some internal ocsp.c functions void Only display cert usages with -help in verify Use global bio_err, remove "BIO*err" parameter from functions For filenames, - always means stdin (or stdout as appropriate) Add aliases for -des/aes "wrap" ciphers. *Remove support for IISSGC (server gated crypto) *The undocumented OCSP -header flag is now "-header name=value" *Documented the OCSP -header flag Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-11free NULL cleanup 9Rich Salz
Ongoing work to skip NULL check before calling free routine. This gets: ecp_nistz256_pre_comp_free nistp224_pre_comp_free nistp256_pre_comp_free nistp521_pre_comp_free PKCS7_free PKCS7_RECIP_INFO_free PKCS7_SIGNER_INFO_free sk_PKCS7_pop_free PKCS8_PRIV_KEY_INFO_free PKCS12_free PKCS12_SAFEBAG_free PKCS12_free sk_PKCS12_SAFEBAG_pop_free SSL_CONF_CTX_free SSL_CTX_free SSL_SESSION_free SSL_free ssl_cert_free ssl_sess_cert_free Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-03-28free NULL cleanupRich Salz
EVP_.*free; this gets: EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-03-16Make X509_ATTRIBUTE opaque.Dr. Stephen Henson
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-01-29clang on Linux x86_64 complains about unreachable code.Richard Levitte
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-01-27OPENSSL_NO_xxx cleanup: SHARich Salz
Remove support for SHA0 and DSS0 (they were broken), and remove the ability to attempt to build without SHA (it didn't work). For simplicity, remove the option of not building various SHA algorithms; you could argue that SHA_224/256/384/512 should be kept, since they're like crypto algorithms, but I decided to go the other way. So these options are gone: GENUINE_DSA OPENSSL_NO_SHA0 OPENSSL_NO_SHA OPENSSL_NO_SHA1 OPENSSL_NO_SHA224 OPENSSL_NO_SHA256 OPENSSL_NO_SHA384 OPENSSL_NO_SHA512 Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-22Run util/openssl-format-source -v -c .Matt Caswell
Reviewed-by: Tim Hudson <tjh@openssl.org>
2011-03-13PR: 2469Dr. Stephen Henson
Submitted by: Jim Studt <jim@studt.net> Reviewed by: steve Check mac is present before trying to retrieve mac iteration count.
2010-05-15oops, revert test patchDr. Stephen Henson
2010-05-15PR: 2253Dr. Stephen Henson
Submitted By: Ger Hobbelt <ger@hobbelt.com> Check callback return value when outputting errors.