| Commit message | Author | Age | Files | Lines |
|
This option allows verifying certs in a CMS object against additional
CRLs.
Ported from work by Tom Harrison from APNIC
OK tb@
|
This should allow us to constify a sizable table in libcrypto in an
upcoming bump.
|
Nothing really uses the policy tree. It's designed with built-in DoS
capabilities directly from the RFC. It will be removed from the attack
surface and replaced with something equivalent that doesn't grow
exponentially with the depth.
This removes the only reason the policy tree itself ever leaked out of
the library.
ok jsing
|
All the structs are static and we need to reach into them many times.
Having a shorter name is more concise and results in less visual clutter.
It also avoids many overlong lines and we will be able to get rid of some
unfortunate line wrapping down the road.
Discussed with jsing
|
This removes the legacy interactive mode from openssl(1) since it is
rarely used, complicates the code, and has also been removed from
OpenSSL in version 3.x.x.
ok tb@ jsing@
|
Two missing initializations in the new option handling cause a
segfault when -nodetach or -noindef is passed to openssl cms.
ok inoguchi jsing miod
|
CID 345314 345320
ok tb@
|
CID 313263 313301 313322
|
suggested by tb@
|
suggested by tb@
|
Just applying new option handling and no functional changes.
Referred to verify.c and using 'verify_shared_options'.
ok and comments from jsing@ and tb@
|
CID 345119
|
ok jsing@
|
Checking return value of sk_.*_new_null().
ok beck@ jsing@
|
- Remove typedef and use 'struct cms_key_param' instead
- Check return value of sk_X509_push and sk_OPENSSL_STRING_push
- Add a blank line to separate variable declarations from code
comments from jsing@
|
This provides rsa_padding_mode:oaep for cms -encrypt,
and rsa_padding_mode:pss for cms -sign.
ok jsing@
|
This was cleaned up after cms went to the attic.
|
ok jsing@
|
ok semarie@
|
it is needed in order to let libssl UI_* functions play with echo on/off when
asking for password on terminal.
passwd subcommand needs additional "wpath cpath" in order to let it call
fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several
with and ok doug@
|
openssl(1) has two mechanisms for operating: either a single execution
of one command (looking at argv[0] or argv[1]) or as an interactive
session that may execute any number of commands.
We already have a top level pledge that should cover all commands
and that's what interactive mode must continue using. However, we can
tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most
commands only need "stdio rpath wpath cpath". The pledges could be
further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
We do not have any builtin or dynamic engines, meaning openssl(1) has
no way to use the engine command or parameters at all.
ok jsing@
|
provided by progs.h). Also, move the FUNCTION type (and flags) into
openssl.c since that is the only place of use. Lastly, remove pointless
'extern' from the prototypes and use char **argv instead of char *argv[]
(the former is used elsewhere).
ok deraadt@ doug@
|
a system/superuser binary. At the same time, move the source code from its
current lib/libssl/src/apps location to a more appropriate home under
usr.bin/openssl.
ok deraadt@ miod@
|