The branch master has been updated
via 0a72002993b8619fd0642d19af3364bafbd9a06c (commit)
via a6972f346248fbc37e42056bb943fae0896a2967 (commit)
from f9b1b6644a3a8fc6d617625ad979ee61cb67d381 (commit)
- Log -----------------------------------------------------------------
commit 0a72002993b8619fd0642d19af3364bafbd9a06c
Author: David Woodhouse <david.woodho...@intel.com>
Date: Wed Sep 28 13:08:45 2016 +0100
Call ENGINE_init() before trying to use keys from engine
When I said before that s_client "used to work in 1.0.2" that was only
partly true. It worked for engines which provided a default generic
method for some key type, because it called ENGINE_set_default() and
that ended up being an implicit initialisation and functional refcount.
But an engine which doesn't provide generic methods doesn't get initialised,
and then when you try to use it you get an error:
cannot load client certificate private key file from engine
140688147056384:error:26096075:engine routines:ENGINE_load_private_key:not
initialised:crypto/engine/eng_pkey.c:66:
unable to load client certificate private key file
cf. https://github.com/OpenSC/libp11/issues/107 (in which we discover
that engine_pkcs11 *used* to provide generic methods that OpenSSL would
try to use for ephemeral DH keys when negotiating ECDHE cipher suites in
TLS, and that didn't work out very well.)
Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1639)
commit a6972f346248fbc37e42056bb943fae0896a2967
Author: David Woodhouse <david.woodho...@intel.com>
Date: Wed Sep 28 13:07:52 2016 +0100
Restore '-keyform engine' support for s_client
This used to work in 1.0.2 but disappeared when the argument parsing was
revamped.
Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1639)
-----------------------------------------------------------------------
Summary of changes:
apps/apps.c | 2 +-
apps/s_client.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index b287748..9a58f17 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1269,7 +1269,7 @@ ENGINE *setup_engine(const char *engine, int debug)
ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0);
}
ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
- if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ if (!ENGINE_init(e) || !ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
BIO_printf(bio_err, "can't use that engine\n");
ERR_print_errors(bio_err);
ENGINE_free(e);
diff --git a/apps/s_client.c b/apps/s_client.c
index 41f6d48..10ea1f1 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -577,8 +577,8 @@ OPTIONS s_client_options[] = {
{"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"},
{"certform", OPT_CERTFORM, 'F',
"Certificate format (PEM or DER) PEM default"},
- {"key", OPT_KEY, '<', "Private key file to use, if not in -cert file"},
- {"keyform", OPT_KEYFORM, 'F', "Key format (PEM or DER) PEM default"},
+ {"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"},
+ {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM
default"},
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
@@ -1202,7 +1202,7 @@ int s_client_main(int argc, char **argv)
fallback_scsv = 1;
break;
case OPT_KEYFORM:
- if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &key_format))
+ if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format))
goto opthelp;
break;
case OPT_PASS:
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
