Re: [openssl.org #3343] [PATCH] implements name constraint for IP Address

Thanks Matt.

On 23/05/2014 19:36, Matt Caswell via RT r...@openssl.org wrote:

> Hi Luiz
>
> Thanks for the patch. I've reviewed it and it looks good.
>
> With regards to your comments around X509_V_ERR_PERMITTED_VIOLATION vs X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, I think you did it right.
>
> Therefore: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=dd36fce023a64d90058b8fefbd95dadaca98f9ca
>
> Many thanks for your contribution.
>
> Matt
[openssl.org #3365] Wrong parameter types in SSL_set_msg_callback[_arg] man page
SSL_CTX_set_msg_callback.pod lists the first parameter to the SSL_set_msg_callback[_arg] functions as type SSL_CTX * when they are, in fact, SSL *.

Geoff

-
Geoff Lowe
Principal Engineer
McAfee, Inc.

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: [openssl.org #2578] s_client bind ip
Hello, This patch implements request for ticket 2578. I've also created pull request in github that you can find here: https://github.com/openssl/openssl/pull/108 Kris From 853496476dd838958f438bd66df5725d3075de8e Mon Sep 17 00:00:00 2001 From: flowher krzys...@leeds.pl Date: Wed, 14 May 2014 22:25:39 +0200 Subject: [PATCH 1/3] Possibility to bind to specific local IP in s_client --- apps/s_apps.h | 2 +- apps/s_client.c | 9 - apps/s_socket.c | 23 --- crypto/objects/obj_xref.h | 2 +- 4 files changed, 30 insertions(+), 6 deletions(-) diff --git a/apps/s_apps.h b/apps/s_apps.h index 9d16e45..55225fa 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -168,7 +168,7 @@ int ssl_print_point_formats(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s, int noshared); #endif int ssl_print_tmp_key(BIO *out, SSL *s); -int init_client(int *sock, const char *server, int port, int type); +int init_client(int *sock, char *server, int port, int type, char* localip); #ifndef NO_SYS_UN_H int init_client_unix(int *sock, const char *server); #endif diff --git a/apps/s_client.c b/apps/s_client.c index eee0e2e..da41854 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -324,6 +324,7 @@ static void sc_usage(void) BIO_printf(bio_err, -host host - use -connect instead\n); BIO_printf(bio_err, -port port - use -connect instead\n); BIO_printf(bio_err, -connect host:port - connect over TCP/IP (default is %s:%s)\n,SSL_HOST_NAME,PORT_STR); + BIO_printf(bio_err, -localip arg - specify local address to use\n); BIO_printf(bio_err, -unix path- connect over unix domain sockets\n); BIO_printf(bio_err, -verify arg - turn on peer certificate verification\n); BIO_printf(bio_err, -cert arg - certificate file to use, PEM format assumed\n); @@ -628,6 +629,7 @@ int MAIN(int argc, char **argv) short port=PORT; int full_log=1; char *host=SSL_HOST_NAME; + char *localip=NULL; const char *unix_path = NULL; char *xmpphost = NULL; char *cert_file=NULL,*key_file=NULL,*chain_file=NULL; 
@@ -762,6 +764,11 @@ static char *jpake_secret = NULL; if (!extract_host_port(*(++argv),host,NULL,port)) goto bad; } + else if (strcmp(*argv,-localip) == 0) + { + if (--argc 1) goto bad; + localip=*(++argv); + } else if (strcmp(*argv,-unix) == 0) { if (--argc 1) goto bad; @@ -1511,7 +1518,7 @@ bad: re_start: - if ((!unix_path (init_client(s,host,port,socket_type) == 0)) || + if ((!unix_path (init_client(s,host,port,socket_type,localip) == 0)) || (unix_path (init_client_unix(s,unix_path) == 0))) { BIO_printf(bio_err,connect:errno=%d\n,get_last_socket_error()); diff --git a/apps/s_socket.c b/apps/s_socket.c index e83baf4..8fe6967 100644 --- a/apps/s_socket.c +++ b/apps/s_socket.c @@ -97,7 +97,7 @@ static void ssl_sock_cleanup(void); #endif static int ssl_sock_init(void); static int init_client_ip(int *sock, const unsigned char ip[4], int port, - int type); + int type, char* localip); static int init_server(int *sock, int port, int type); static int init_server_long(int *sock, int port,char *ip, int type); static int do_accept(int acc_sock, int *sock, char **host); @@ -233,14 +233,14 @@ static int ssl_sock_init(void) return(1); } -int init_client(int *sock, const char *host, int port, int type) +int init_client(int *sock, const char *host, int port, int type, char *localip) { unsigned char ip[4]; ip[0] = ip[1] = ip[2] = ip[3] = 0; if (!host_ip(host,(ip[0]))) return 0; - return init_client_ip(sock,ip,port,type); + return init_client_ip(sock,ip,port,type,localip); } static int init_client_ip(int *sock, const unsigned char ip[4], int port, 
@@ -277,7 +277,24 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port, if (i 0) { closesocket(s); perror(keepalive); return(0); } } #endif + if(NULL!=localip) + { + struct sockaddr_in me; + memset((char*)me,0,sizeof(me)); + me.sin_family = AF_INET; + /* inet_addr because it seems to be more portable than inet_aton */ + me.sin_addr.s_addr = inet_addr(localip); + if( me.sin_addr.s_addr == INADDR_NONE ) + { + BIO_printf(bio_err,Wrong format of local IP address: %s\n,localip); + closesocket(s); + perror(inet_addr); +
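Review bot: the init_client prototype in apps/s_apps.h drops const from the first string parameter (char *server), while the definition in apps/s_socket.c still takes const char *host, so the declaration and the definition no longer agree. Keep const char *server in the header. In the visible lines localip is only read (passed to inet_addr and BIO_printf), so it should be const char *localip in init_client and init_client_ip as well.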
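Review bot: in apps/s_client.c the -localip value is silently ignored when -unix is also given, because only the init_client branch of the connect call receives localip and init_client_unix(s,unix_path) does not. Reject the combination during option parsing, or state in the sc_usage text that -localip applies to TCP connections only. The diffstat also lists no documentation file, so the new option still needs an entry in the s_client manual page.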
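Review bot: in the init_client_ip hunk of apps/s_socket.c, the perror call in the INADDR_NONE branch prints an unrelated errno string, since inet_addr() does not set errno and closesocket(s) has already run before it. The BIO_printf message already reports the bad address, so drop the perror. The block is also IPv4-only (struct sockaddr_in, AF_INET, inet_addr), so an IPv6 literal given to -localip ends up in the "Wrong format" branch; the usage text should say so, or the parsing should be made address-family independent.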
Re: [openssl.org #2578] s_client bind ip
On Sat, May 24, 2014 at 03:06:51PM +0200, Krzysztof Kwiatkowski via RT wrote:

> Hello, This patch implements request for ticket 2578. I've also created pull request in github that you can find here: https://github.com/openssl/openssl/pull/108

Thanks. Shouldn't this also support IPv6?

--
Viktor.
[openssl.org #3360] Error building openssl with TLS_DEBUG
Fixed.

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=955376fde3c60999b27deeebb41d82ad17dca3da

Thanks for the report.

Matt
Re: [openssl.org #2578] s_client bind ip
On 24/05/2014 11:06 PM, Krzysztof Kwiatkowski via RT wrote:

> Hello, This patch implements request for ticket 2578. I've also created pull request in github that you can find here: https://github.com/openssl/openssl/pull/108

Why is there a crypto/objects/obj_xref.h change mixed in with this patch? It does not belong there.

Thanks,
Tim.