string (some engines may have certificates protected by a PIN!) and
a description to put into error messages.
Also, have our own password callback that we can send both a password
and some prompt info to. The default password callback in EVP assumes
that the passed parameter is a password, which isn't always the right
thing, and the ENGINE code (at least the nCipher one) makes other
assumptions...
Also, in spite of having the functions to load keys, some utilities
did the loading all by themselves... That's changed too.
ENGINE.
* Extra verbosity can be added with more "v"'s, eg. '-vvv' gives
information about input flags and descriptions for each control command
in each ENGINE. Check the output of "openssl engine -vvv" for example.
* '-pre <cmd>' and '-post <cmd>' can be used to invoke control commands on
the specified ENGINE (or on all of them if no engine id is specified,
although that usually gets pretty ugly). '-post' commands are only
attempted if '-t' is specified and the engine successfully initialises.
'-pre' commands are always attempted whether or not '-t' causes an
initialisation to be tried afterwards. Multiple '-pre' and/or '-post'
commands can be specified and they will be called in the order they
occur on the command line.
Parameterised commands (the normal case, there are currently no
unparameterised ones) are split into command and argument via a separating
colon. Eg. "openssl engine -pre SO_PATH:/lib/libdriver.so <id>" results in
the call;
ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libdriver.so", 0);
Application code should similarly allow arbitrary name-value string pairs
to be passed into ENGINEs in a manner matching that in apps/engine.c,
either using the same colon-separated format, or entered as two distinct
strings. Eg. as stored in a registry. The last parameter of
ENGINE_ctrl_cmd_string can be changed from 0 to 1 if the command should
only be attempted if it's supported by the specified ENGINE (eg. for
commands like "FORK_CHECK:1" that may or may not apply to the run-time
ENGINE).
the 'ca' utility. This can now be extensively
customised in the configuration file and handles
multibyte strings and extensions properly.
This is required when extensions copying from
certificate requests is supported: the user
must be able to view the extensions before
allowing a certificate to be issued.
sets the subject name for a new request or supersedes the
subject name in a given request.
Add options '-batch' and '-verbose' to 'openssl req'.
Submitted by: Massimiliano Pala <madwolf@hackmasters.net>
Reviewed by: Bodo Moeller
and make all files the depend on it include it without prefixing it
with openssl/.
This means that all Makefiles will have $(TOP) as one of the include
directories.
of session IDs. Namely, passing "-id_prefix <text>" will set a
generate_session_id() callback that generates session IDs as random data
with <text> block-copied over the top of the start of the ID. This can be
viewed by watching the session ID s_client's output when it connects.
This is mostly useful for testing any SSL/TLS code (eg. proxies) that wish
to deal with multiple servers, when each of which might be generating a
unique range of session IDs (eg. with a certain prefix).
sure they are available in opensslconf.h, by giving them names starting
with "OPENSSL_" to avoid conflicts with other packages and by making
sure e_os2.h will cover all platform-specific cases together with
opensslconf.h.
I've checked fairly well that nothing breaks with this (apart from
external software that will adapt if they have used something like
NO_KRB5), but I can't guarantee it completely, so a review of this
change would be a good thing.
Remove the old broken bio read of serial numbers in the 'ca' index
file. This would choke if a revoked certificate was specified with
a negative serial number.
Fix typo in uid.c
Make ca.c correctly initialize the revocation date.
Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string() set the
string type: so they can initialize ASN1_TIME structures properly.
client code certificates to use to only check response signatures.
I'm not entirely sure if the way I just implemented the verification
is the right way to do it, and would be happy if someone would like to
review this.
OCSP requests. It can also query reponders and parse or
print out responses.
Still needs some more work: OCSP response checks and
of course documentation.
horrible macros.
Fix two evil ASN1 bugs. Attempt to use 'ctx' when
NULL if input is indefinite length constructed
in asn1_check_tlen() and invalid pointer to ASN1_TYPE
when reusing existing structure (this took *ages* to
find because the new PKCS#12 code triggered it).
functions need to be constified, and therefore meant a number of easy
changes a little everywhere.
Now, if someone could explain to me why OBJ_dup() cheats...
DECLARE/IMPLEMENT macros now exist to create type (and prototype) safe
wrapper functions that avoid the use of function pointer casting yet retain
type-safety for type-specific callbacks. However, most of the usage within
OpenSSL itself doesn't really require the extra function because the hash
and compare callbacks are internal functions declared only for use by the
hash table. So this change catches all those cases and reimplements the
functions using the base-level LHASH prototypes and does per-variable
casting inside those functions to convert to the appropriate item type.
The exception so far is in ssl_lib.c where the hash and compare callbacks
are not static - they're exposed in ssl.h so their prototypes should not be
changed. In this last case, the IMPLEMENT_LHASH_*** macros have been left
intact.
