#
2a5bbc1b |
| 23-Jan-2021 |
tobhe <tobhe@openbsd.org> |
Handle write() errors.
ok patrick@
|
#
c03e9c27 |
| 23-Jan-2021 |
tobhe <tobhe@openbsd.org> |
Handle errors and truncated output from snprintf().
ok patrick@
|
#
731c78a3 |
| 08-May-2019 |
tedu <tedu@openbsd.org> |
convert system() calls to an execv() like interface. avoids sh difficulties, etc. from Matthew Martin. ok deraadt reyk
|
#
c492211e |
| 26-Feb-2019 |
sthen <sthen@openbsd.org> |
ikectl's built-in CA command for simple configurations has a fixed certificate validity for the ca certificate. Raise this from 365 days to 4500 as expiry means installing new CA certificates on all client machines which can cause significant pain. This doesn't change the default validity for server certificates which remains at 1 year (controlled by ikeca.cnf) - refreshing key and certificate on these can be done easily without visiting all machines. ok deraadt@
|
#
8068c079 |
| 08-Nov-2017 |
patrick <patrick@openbsd.org> |
Since r1.41 the extensions are included in the CSR. Thus ca_request() already sets the extension values and returns. ca_sign() re-uses the information to write out the extension file. Since ca_request() uses strings stored on the stack, on return the pointers to those strings will be unusable. To fix this, strdup() the strings passed ca_setenv() so we can re-use them in another scope. And free() them when we clear the environment in ca_clrenv().
Initial report and diff from Andrei-Marius Radu.
ok markus@
|
#
d535b9ed |
| 08-Jun-2017 |
jsg <jsg@openbsd.org> |
Invoke openssl with -passin file rather than -key in ca_revoke(). From Andrei-Marius Radu via sthen@
|
#
55ace1c0 |
| 31-May-2017 |
jsg <jsg@openbsd.org> |
ca_revoke() gets called two ways. Directly from ca_opt() with keyname set to the cert to revoke, and indirectly from ca_create() with a keyname set to NULL.
ca_create() sets REQ_EXT so avoid setting it in ca_revoke() when keyname is NULL and the crl database is being initialised.
Avoids "REQ_EXT already set" when creating a CA error introduced in rev 1.44 which set REQ_EXT unconditionally in ca_revoke().
|
#
2174bbc4 |
| 24-May-2017 |
jsg <jsg@openbsd.org> |
Set REQ_EXT in req section so ikectl ca certificate revoke will work again.
|
#
29b4e2ea |
| 21-May-2017 |
deraadt <deraadt@openbsd.org> |
A few more freezero() uses ok yasuoka mikeb
|
#
7cc3ce1d |
| 29-Mar-2017 |
sthen <sthen@openbsd.org> |
set REQ_EXT to x509v3_CA, fixing "ikectl ca XX create" inadvertently broken in r1.41. ok reyk deraadt
|
#
37c7452d |
| 31-Jan-2017 |
sthen <sthen@openbsd.org> |
Teach ikectl to include extensions in the CSR, rather than just adding them when signing the certificates by the local CA. This can make things easier if you want to take a CSR from ikectl to another CA for signing, they often copy extensions from the request. ok reyk@
|
#
e89077ce |
| 02-Nov-2015 |
jsg <jsg@openbsd.org> |
switch from using sha1 to sha256
As the ca section of the cnf file requires a default_md line (unlike req) this change also requires updating the installed ikeca.cnf or equivalent files.
Requested by and ok reyk@ who also tested this against ios9 with iked.
|
#
8e3cf88f |
| 02-Nov-2015 |
jsg <jsg@openbsd.org> |
sign csrs with openssl ca instead of x509 -req
This way openssl will add valid signed certs to the index file which is required to use the builtin openssl OCSP server.
This change requires installing a new ikeca.cnf or updating the default cnf files with equivalent sections.
Requested by and ok reyk@
|
#
ab7171b1 |
| 02-Nov-2015 |
jsg <jsg@openbsd.org> |
Accept an ocsp option when creating certificates to set the extended key usage for OCSP signing.
Requested by and ok reyk@
|
#
47e28f79 |
| 19-Aug-2015 |
reyk <reyk@openbsd.org> |
ca_hier() and ca_newpass() abort on failure, return void instead of int.
Based on previous observation by semarie@
|
#
2733338e |
| 19-Aug-2015 |
reyk <reyk@openbsd.org> |
spacing
|
#
bfcdcf42 |
| 19-Aug-2015 |
reyk <reyk@openbsd.org> |
fcopy_env() should return void as it aborts on failure.
Pointed out by semarie@
|
#
ef316c85 |
| 19-Aug-2015 |
reyk <reyk@openbsd.org> |
Use C99 integer types in ikectl(8).
OK jsg@
|
#
4f23bdab |
| 19-Aug-2015 |
reyk <reyk@openbsd.org> |
Support for overwriting $ENV:: variables in OpenSSL .cnf files from the environment has been removed in LibreSSL. This was a good step but it unintentionally broke the "ikectl ca" commands. Rework the implementation for copying the .cnf files and expanding the $ENV:: variables ourselves before passing the generated .cnf file to the "openssl" command.
Reported and tested by Jona Joachim (thanks!) OK jsg@
|
#
d513b0f4 |
| 15-Aug-2015 |
semarie <semarie@openbsd.org> |
correct mode_t 644 to 0644
ok sthen@
|
#
12d9f607 |
| 15-Aug-2015 |
semarie <semarie@openbsd.org> |
corrects three err() to errx() calls
- an if condition doesn't set errno
- strlcpy(3) doesn't set errno (no mention in man page)
- ca_readpass() already manages errno error message with warn(3)
ok sthen@
|
#
b9fc9a72 |
| 16-Jan-2015 |
deraadt <deraadt@openbsd.org> |
Replace <sys/param.h> with <limits.h> and other less dirty headers where possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
|
#
dab3f910 |
| 26-Aug-2014 |
jsing <jsing@openbsd.org> |
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl.
ok deraadt@ miod@
|
#
8fbd7fcb |
| 25-Aug-2014 |
doug <doug@openbsd.org> |
Delete secret or secret-derived data with explicit_bzero.
concept ok deraadt@ diff looks ok tedu@
|
#
ffb4dd05 |
| 20-Jul-2014 |
guenther <guenther@openbsd.org> |
Make sure the correct errno is reported by warn* or err* and not the errno of an intervening cleanup operation like close/unlink/etc.
Diff from Doug Hogan (doug (at) acyclic.org)
|