|  | Commit message | Author | Files | Lines |
|---|---|---|---|---|
|  | Diff from Alexander Koeppe format_c -AT- online -DOT- de, thanks.
ok deraadt@ | 
|  | First step to adapt openssl(1) dgst command to new option handling.
There are no functional changes in this diff; it just moves variables
into the dgst_config struct.
ok bcook@ | 
|  | - Add a space before 'export_end:'
- Remove space after '*'
- Wrap lines by 80 columns | 
|  | ok bcook@ tb@ | 
|  | from Steven Roberts | 
|  | Adapt openssl(1) pkcs12 command to new option handling.
Added pkcs12_options struct, and replaced for-if-strcmp handling with
options_parse().
ok and comments jsing@ | 
|  | First step to adapt openssl(1) pkcs12 command to new option handling.
There are no functional changes in this diff; it just moves variables into
the pkcs12_config struct.
I still keep lines longer than 80 for this review to minimize diffs.
ok jsing@ tb@ | 
|  | - Add -modulus for dsa sub command
- Remove -nextprotoneg | 
|  | As we did in other openssl sub commands, move option handlers above the option
definition struct. No functional changes; just move up and remove the prototype. | 
|  | - s/outputed/outputted/
- s/trused/trusted/
- add der as argument and describe that pem is the default | 
|  | This moves them from .data to .data.rel.ro
ok deraadt@ inoguchi@ | 
|  | - Add undocumented options below.
  -alpn, -cert2, -certform, -dcertform, -dkeyform, -dpass, -dtls1, -key2,
  -keyform, -keymatexport, -keymatexportlen, -mtu, -named_curve, -no_cache,
  -no_ecdhe, -no_ticket, -pass, -port, -servername, -servername_fatal,
  -status, -status_timeout, -status_url, -status_verbose, -timeout,
  -tlsextdebug, -use_srtp, -verify_return_error
- Remove -hack, -psk and -psk_hint since they do not exist in the source code.
I didn't add these 5 options since they were no-ops.
  -chain, -legacy_renegotiation, -nextprotoneg, -no_comp, -no_ssl2
This option was removed from the manual in the past.
  -no_ssl3
ok and suggestions from jmc@ | 
|  | uClibc on noMMU doesn't provide __register_atfork().
Reported by redbirdtek in a GitHub issue.
https://github.com/libressl-portable/portable/issues/538
ok bcook@ | 
|  | - Add undocumented options below.
  -alpn, -certform, -dtls1, -host, -keyform, -keymatexport, -keymatexportlen,
  -legacy_server_connect, -mtu, -no_ign_eof, -no_legacy_server_connect, -pass
  -port, -serverpref, -sess_in, -sess_out, -status, -timeout, -use_srtp,
  -verify_return_error
- Remove -psk and -psk_identity since they do not exist in the source code.
I didn't add these 4 options since they were no-ops.
  -nextprotoneg, -legacy_renegotiation, -no_comp, -no_ssl2
This option was removed from the manual in the past.
  -no_ssl3
ok jmc@ | 
|  | ok bcook@ jsing@ | 
|  | Move the documentation for tls_error() down so that both the special return
values for tls_{handshake,read,write,close}() directly follow the standard
return values for the same functions.
Prompted by deraadt@.
ok deraadt@ schwarze@ | 
|  | Add missing -camellia*/-idea description to genrsa section.
ok jmc@ | 
|  | ok tb@ jsing@ | 
|  | - dsa   : add missing -pvk-none, -pvk-strong and -pvk-weak
          add pvk format to -inform and -outform
- ocsp  : add missing -header, -ignore_err, -no_explicit and -timeout
- rsa   : add missing -pvk-none, -pvk-strong and -pvk-weak
          add missing -RSAPublicKey_in and -RSAPublicKey_out
          add pvk format to -inform and -outform
- smime : add missing -nosmimecap
- add pvk description at common format part
ok jmc@ | 
|  | - Replace EVP_CIPHER_CTX_init with EVP_CIPHER_CTX_new and handle return value
- Replace EVP_CIPHER_CTX_cleanup with EVP_CIPHER_CTX_free
- Change two 'return -1;' to 'goto err;' to avoid a leak
- Remove the case if enclevel == 0
- Change enclevel checking to make more consistent
- Change all goto label to 'err' and insert space before goto label
ok and advice from tb@ | 
|  | - Return the valid pointer in i2b_PVK()
- Use EVP_Decrypt* instead of EVP_Encrypt*
- Fix error handling after BIO_write() in i2b_PVK_bio()
ok tb@ | 
|  | - For pkcs12, add -camellia*/-idea, -LMK and -password
- For req, add -multivalue-rdn, -pkeyopt and -sigopt
- For verify, add -CRLfile and -trusted, and down -check_ss_sig description
- For x509, add -next_serial and -sigopt
- Remove the escape in -multivalue-rdn from ca section
ok jmc@ | 
|  | - For ec, add -param_out description
- For enc, add -v usage and description
- For pkcs7, add -print usage and description
ok jmc@ | 
|  | ok guenther jmc | 
|  | - Add undocumented option -r
ok jmc@ | 
|  | requiring it (sftp-server).
Remove the /exists///// behaviour from here.  The /nonexistant
behaviour remains in the kernel and needs to be shot next.
There may be ports fallout, but we doubt it.
ok beck djm | 
|  | - Add undocumented options -crlnumber, -hash_old, -nameopt and -verify
ok jmc@ | 
|  | - Add undocumented options -crlsec and -sigopt
- Sync argument name between usage and options description
ok jmc@ | 
|  | hardware crypto features are available.
"no objections" kettenis@ | 
|  | have a different calling convention than the standard function...as seen
in kdump output.
ok deraadt@ schwarze@ | 
|  | value < 0.  errno is only updated in this case.  Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future. | 
|  | code was inspecting the pointer (which is, sadly, undefined on error, because
the current specification of asprintf is crazy sloppy) | 
|  | ok millert nicm tb, etc | 
|  | on error, so checking for -1 only is potentially non-portable.
Also mention that the C89 standard does not require errno to be set.
OK deraadt@ millert@ | 
|  | TLS_WANT_POLLIN, -1, or 0.  After handling the first two, check for -1
rather than vaguely "< 0".
ok jsing | 
|  | -1 to mark failure, not arbitrary values < 0.  I believe manual pages
should follow the described contract precisely and accurately. | 
|  | - Move local variables in genrsa_main() to struct genrsa_config
- Still leave lines longer than 80
ok bcook@ | 
|  | Previously, this function would leak the most significant word of its
argument due to branching and memory access pattern.  This patch is
enough to fix the use of BN_num_bits() on RSA prime factors in the
library.
The diff is a simplified and more readable (but perhaps less efficient)
version of https://github.com/openssl/openssl/commit/972c87df
by Andy Polyakov and David Benjamin (pre license change). Consult that
commit message for details. Subsequent fixes to follow in the near future.
Issue pointed out by David Schrammel and Samuel Weiser as part of
a larger report.
tests & ok inoguchi, ok jsing | 
|  | code.  We now use the simple userland wrapper on top of __realpath(2).
The non-POSIX behaviour still remains, that is the next component to fix.
From a diff by beck, but I managed to chainsaw it a bit further.  Tested
in snaps for a couple of days.
ok beck |