[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Wed Sep 28 16:23:43 UTC 2016
The branch master has been updated
via 0a72002993b8619fd0642d19af3364bafbd9a06c (commit)
via a6972f346248fbc37e42056bb943fae0896a2967 (commit)
from f9b1b6644a3a8fc6d617625ad979ee61cb67d381 (commit)
- Log -----------------------------------------------------------------
commit 0a72002993b8619fd0642d19af3364bafbd9a06c
Author: David Woodhouse <David.Woodhouse at intel.com>
Date: Wed Sep 28 13:08:45 2016 +0100
Call ENGINE_init() before trying to use keys from engine
When I said before that s_client "used to work in 1.0.2" that was only
partly true. It worked for engines which provided a default generic
method for some key type, because it called ENGINE_set_default() and
that ended up being an implicit initialisation and functional refcount.
But an engine which doesn't provide generic methods doesn't get initialised,
and then when you try to use it you get an error:
cannot load client certificate private key file from engine
140688147056384:error:26096075:engine routines:ENGINE_load_private_key:not initialised:crypto/engine/eng_pkey.c:66:
unable to load client certificate private key file
cf. https://github.com/OpenSC/libp11/issues/107 (in which we discover
that engine_pkcs11 *used* to provide generic methods that OpenSSL would
try to use for ephemeral DH keys when negotiating ECDHE cipher suites in
TLS, and that didn't work out very well.)
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1639)
commit a6972f346248fbc37e42056bb943fae0896a2967
Author: David Woodhouse <David.Woodhouse at intel.com>
Date: Wed Sep 28 13:07:52 2016 +0100
Restore '-keyform engine' support for s_client
This used to work in 1.0.2 but disappeared when the argument parsing was
revamped.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1639)
-----------------------------------------------------------------------
Summary of changes:
apps/apps.c | 2 +-
apps/s_client.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index b287748..9a58f17 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1269,7 +1269,7 @@ ENGINE *setup_engine(const char *engine, int debug)
ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
}
ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
- if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ if (!ENGINE_init(e) || !ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
BIO_printf(bio_err, "can't use that engine\n");
ERR_print_errors(bio_err);
ENGINE_free(e);
diff --git a/apps/s_client.c b/apps/s_client.c
index 41f6d48..10ea1f1 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -577,8 +577,8 @@ OPTIONS s_client_options[] = {
{"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"},
{"certform", OPT_CERTFORM, 'F',
"Certificate format (PEM or DER) PEM default"},
- {"key", OPT_KEY, '<', "Private key file to use, if not in -cert file"},
- {"keyform", OPT_KEYFORM, 'F', "Key format (PEM or DER) PEM default"},
+ {"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"},
+ {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
@@ -1202,7 +1202,7 @@ int s_client_main(int argc, char **argv)
fallback_scsv = 1;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format))
goto opthelp;
break;
case OPT_PASS:
More information about the openssl-commits
mailing list