[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Wed Sep 28 16:23:43 UTC 2016


The branch master has been updated
       via  0a72002993b8619fd0642d19af3364bafbd9a06c (commit)
       via  a6972f346248fbc37e42056bb943fae0896a2967 (commit)
      from  f9b1b6644a3a8fc6d617625ad979ee61cb67d381 (commit)


- Log -----------------------------------------------------------------
commit 0a72002993b8619fd0642d19af3364bafbd9a06c
Author: David Woodhouse <David.Woodhouse at intel.com>
Date:   Wed Sep 28 13:08:45 2016 +0100

    Call ENGINE_init() before trying to use keys from engine
    
    When I said before that s_client "used to work in 1.0.2" that was only
    partly true. It worked for engines which provided a default generic
    method for some key type, because it called ENGINE_set_default() and
    that ended up being an implicit initialisation and functional refcount.
    
    But an engine which doesn't provide generic methods doesn't get initialised,
    and then when you try to use it you get an error:
    
    cannot load client certificate private key file from engine
    140688147056384:error:26096075:engine routines:ENGINE_load_private_key:not initialised:crypto/engine/eng_pkey.c:66:
    unable to load client certificate private key file
    
    cf. https://github.com/OpenSC/libp11/issues/107 (in which we discover
    that engine_pkcs11 *used* to provide generic methods that OpenSSL would
    try to use for ephemeral DH keys when negotiating ECDHE cipher suites in
    TLS, and that didn't work out very well.)
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1639)

commit a6972f346248fbc37e42056bb943fae0896a2967
Author: David Woodhouse <David.Woodhouse at intel.com>
Date:   Wed Sep 28 13:07:52 2016 +0100

    Restore '-keyform engine' support for s_client
    
    This used to work in 1.0.2 but disappeared when the argument parsing was
    revamped.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/1639)

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.c     | 2 +-
 apps/s_client.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index b287748..9a58f17 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1269,7 +1269,7 @@ ENGINE *setup_engine(const char *engine, int debug)
             ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
         }
         ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
-        if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+        if (!ENGINE_init(e) || !ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
             BIO_printf(bio_err, "can't use that engine\n");
             ERR_print_errors(bio_err);
             ENGINE_free(e);
diff --git a/apps/s_client.c b/apps/s_client.c
index 41f6d48..10ea1f1 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -577,8 +577,8 @@ OPTIONS s_client_options[] = {
     {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"},
     {"certform", OPT_CERTFORM, 'F',
      "Certificate format (PEM or DER) PEM default"},
-    {"key", OPT_KEY, '<', "Private key file to use, if not in -cert file"},
-    {"keyform", OPT_KEYFORM, 'F', "Key format (PEM or DER) PEM default"},
+    {"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"},
+    {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"},
     {"pass", OPT_PASS, 's', "Private key file pass phrase source"},
     {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
     {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
@@ -1202,7 +1202,7 @@ int s_client_main(int argc, char **argv)
             fallback_scsv = 1;
             break;
         case OPT_KEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &key_format))
+            if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format))
                 goto opthelp;
             break;
         case OPT_PASS:


More information about the openssl-commits mailing list