Running s_server in WWW mode on Windows can allow a client to read files
outside the s_server directory by including backslashes in the name, e.g.
GET /..\myfile.txt HTTP/1.0
There exists a check for this for Unix paths but it is not sufficient
for Windows.
Since s_server is a test tool no CVE is assigned.
Thanks to Jobert Abma for reporting this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10215)
(cherry picked from commit 0a4d6c67480a4d2fce514e08d3efe571f2ee99c9)
With the introduction of -pkeyopt, the number of bits may change
without |newkey| being updated. Unfortunately, there is no API to
retrieve the information from a EVP_PKEY_CTX either, so chances are
that we report incorrect information. For the moment, it's better not
to try to report the number of bits at all.
Fixes#7086
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7096)
(cherry picked from commit 17147181bd3f97c53592e2a5c9319b854b954039)
XN_FLAG_COMPAT has a unique property, its zero for value. This means
it needs special treatment; if it has been set (which can only be
determined indirectly) and set alone (*), no other flags should be
set.
(*) if any other nameopt flag has been set by the user, compatibility
mode is blown away.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6382)
(cherry picked from commit 3190d1dca43ecfd748c06aa06752de06af3768b9)
(cherry picked from commit aebd0e5ca12d1ba0b229a4121a54afa5ea2d8aa1)
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6238)
This patch fixes the following two warnings when OpenSSL is built with no-dh option:
s_server.c: In function 's_server_main':
s_server.c:1105:25: warning: variable 'no_dhe' set but not used [-Wunused-but-set-variable]
int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0;
^
s_server.c:1101:11: warning: variable 'dhfile' set but not used [-Wunused-but-set-variable]
char *dhfile = NULL;
^
CLA: trivial
Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6087)
This option shows the certificates as sent by the server. It is not the
full verified chain.
Fixes#4933
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6069)
do_accept() checked that the peer IP address had a PTR record, and would
fail if not. The retrieved named was then never used, even though passed
around. All this is unnecessary, so we remove it.
Fixes#3407
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6018)
If we run the ocsp command line app and the responder returns a
non-successful status code then the app should exit with a failure code.
Based on an original patch by Tatsuhiro Tsujikawa.
Fixes#2387
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5999)
(cherry picked from commit 2add645dfc364cfc609e6138de1bf43c217bb557)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit 1518c55a796b058eff01f3cbf177f4b726c01d7c)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit 16e1eea6a67c85c9d786f3c4448182b1aca101b8)
Thanks to Sem Voigtländer for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit 752837e0664e990b5edf6f0b69e1b4612efadce0)
It is quite likely for there to be multiple certificates with empty
subjects, which are still distinct because of subjectAltName. Therefore
we allow multiple certificates with an empty Subject even if
unique_subject is set to yes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5445)
Commit 87e8fec (16 years ago!) introduced a bug where if we are
attempting to insert a cert with a duplicate subject name, and
duplicate subject names are not allowed (which is the default),
then we get an unhelpful error message back (error number 2). Prior
to that commit we got a helpful error message which displayed details
of the conflicting entry in the database.
That commit was itself attempting to fix a bug with the noemailDN option
where we were setting the subject field in the database too early
(before extensions had made any amendments to it).
This PR moves the check for a conflicting Subject name until after all
changes to the Subject have been made by extensions etc.
This also, co-incidentally Fixes the ca crashing bug described in issue
5109.
Fixes#5109
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5445)
This reverts commit a3d684ffca282796511cb8f3593a59a80109eed8.
Empty Subjects are permissible
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5445)
This reverts commit dd37f6f12cc14cc4710289746b112eb0fed3b0b7.
Empty Subjects are permissible.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5445)
The memory pointed to by the 'push' is freed by the
X509_NAME_ENTRY_free() in do_body(). The second time
it is referenced to (indirectly) in certify_cert:X509_REQ_free().
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4896)
An index.txt entry which has an empty Subject name field will cause ca
to crash. Therefore check it when we load it to make sure its not empty.
Fixes#5109
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5115)
Misconfiguration (e.g. an empty policy section in the config file) can
lead to an empty Subject. Since certificates should have unique Subjects
this should not be allowed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5115)
It's argued that /WX allows to keep better focus on new code, which
motivates its comeback...
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4718)
In the generated HTML document, the `<pre>` tag is not closed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4088)
(cherry picked from commit 1a9f5cf0d58629ab8972f50e937d8ab78bf27b6f)
When an error occurs during the starttls handskake, s_client gets stuck
looping around zero bytes reads, because the server won't sent anything more
after its error tag. Shutting down on the first zero byte read fixes this.
Fixes#3980
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3981)
This function is undocumented, but similarly named functions (such as
'curl_global_cleanup') are documented as internals that should not be
called by scripts.
Fixes#3765
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3769)
Check return value of NETSCAPE_SPKI_new() and
NETSCAPE_SPKI_b64_encode(), and also clean up coding style incidentally.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3647)
(cherry picked from commit f2582f08d5167ee84b7b313fd1435fe91ee44880)
The password_callback() function does not necessarily NULL terminate
the password buffer, the caller must use the returned length but the
srp app uses this function as if it was doing NULL termination.
This made the -passin and -passout options of "openssl srp"
fail inexpicably and randomly or even crash.
Fixed by enlarging the buffer by one, so that the maximum password length
remains unchanged, and adding NULL termination upon return.
[Rearrange code for coding style compliance in process.]
This backport of 0e83981d61fc435f42d4bb4d774272b69556b7bc.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3579)
Allow conversion of existing requests to certificates again.
Fixes the issue #3396
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3485)
If exiting non-zero, which not consistent with shell conventions,
the shells/scripts treat the cmd as failed.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3213)
dhparams correctly handles X9.42 params in PEM format. However it failed
to correctly processes them when reading/writing DER format.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3112)
This causes a minor (64 bytes on my machine) mem leak in s_server/s_client.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3040)
even if run several times in a session.
This amounts to moving the column counter so it isn't a function local
static variable and reinitialising it each time.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2884)
(cherry picked from commit 2b305ab02e0977ed71c255cc386ff75c397d7820)
to just the ciphers enc can
process. This means no AEAD ciphers and no XTS mode.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2876)
(cherry picked from commit 777f1708a88f85569304caeca197c96ef912b236)
(cherry picked from commit b97324dbcb12e8b509d513ded9ba3f71c14547d8)
