summaryrefslogtreecommitdiff
path: root/src/usr.bin/openssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Adjust manpage for SPKAC removaltb2024-07-081-84/+4
| | | | ok jsing
* Remove spkac subcommandtb2024-07-084-317/+4
| | | | | | | | | | | | | | Google killed efforts to have SPKAC in html5 by zapping it from chrome a decade ago. This effort doesn't look like it's going anywhere: https://datatracker.ietf.org/doc/draft-leggett-spkac/ Unfortunately, PHP and Ruby still support NETSCAPE_SPKI, so we can't kill that code, but I see no real reason we need to support this in our openssl command. If the need should arise we can write a somewhat less poor version of this. ok jsing
* Remove spkac handling from openssl(1) catb2024-07-081-187/+3
| | | | | | | This is very poorly written code and now the only consumer of some public API that should not have survived the turn of the millenium. ok jsing
* signal handler must use the save_errno dance, and massage a variablederaadt2024-07-011-2/+5
| | | | | of type 'volatile sig_atomic_t' ok tb
* openssl ca: avoid double free for spkac files without default sectiontb2024-06-231-2/+1
| | | | ok jsing
* openssl x509: rename pub_key to dsa_pub_keytb2024-05-271-4/+4
| | | | suggested by jsing
* openssl: enable -Wshadow for clangtb2024-05-271-2/+2
| | | | ok job jsing
* openssl: avoid shadowed pkeys in x509.ctb2024-05-271-12/+10
| | | | ok job jsing
* remove prototypes with no matching function and externs with no varjsg2024-05-211-2/+1
| | | | partly checked by millert@
* remove extern with no matching var; ok tb@jsg2024-05-181-2/+1
|
* remove prototypes with no matching function; ok tb@jsg2024-05-183-6/+3
|
* openssl: toolkit implementing the TLS v1 protocol is weirdtb2024-05-071-3/+3
| | | | | | Well, it's a toolkit alright, and a terrible one at that, but TLS v1 (which is this beloved toolkit's name for TLS v1.0) is a thing firmly from the past, so drop the v1.
* openssl req: plug obvious leaktb2024-04-171-1/+2
| | | | CID 492603
* Clean up create_digest()tb2024-03-251-16/+17
| | | | | | | | | The ts code is its own kind of special. I only sent this diff out to hear beck squeal. This diff doesn't actually fix anything, apart from (maybe) appeasing some obscure static analyzer. It is decidedly less bad than a similar change in openssl's issue tracker. ok beck
* Expand only ever user of PBEPARAM_free() outside of libcryptotb2024-02-281-2/+3
|
* Zap a useless comment followed by a stray semicolontb2024-02-041-2/+1
| | | | Noticed by Christian Andersen
* Remove GOST and STREEBOG support from libssl.beck2024-02-031-7/+1
| | | | | | | | | | | | | | | | | | This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for it's removal from libcrypto with a future major bump ok tb@
* Add 'openssl x509 -new' functionality to the libcrypto CLI utilityjob2024-01-262-14/+71
| | | | | | | | | The ability to generate a new certificate is useful for testing and experimentation with rechaining PKIs. While there, alias '-key' to '-signkey' for compatibility. with and OK tb@
* Add -force_pubkey -multivalue-rdn -set_issuer -set_subject -utf8 to x509 appjob2024-01-122-27/+152
| | | | | | | | The -set_issuer, -set_subject, and -force_pubkey features can be used to 'rechain' PKIs, for more information see https://labs.apnic.net/nro-ta/ and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/ OK tb@
* Garbage collect the last users of SSL_set_debug(3)tb2023-12-292-5/+2
| | | | | | | | This undocumented, incomplete public function has never done anything useful. It will be removed from libssl. Removing it from openssl(1) clears the way for this. ok jsing
* s_client: pause hasn't worked in ages. Just ignore ittb2023-12-292-13/+5
| | | | ok jsing
* Make a few purpose things consttb2023-11-214-11/+11
| | | | | This should allow us to constify a sizable table in libcrypto in an upcoming bump.
* openssl pkcs12: rewrite without reaching into X509_ALGORtb2023-11-191-7/+10
| | | | | | | | | We can call ASN1_item_unpack() which will end up stuffing the same arguments into ASN1_item_d2i() as d2i_PBEPARAM(). This eliminates the last struct access into X509_ALGOR outside libcrypto in the base tree. ok jsing
* openssl ts: convert to X509_ALGOR_set0()tb2023-11-191-5/+8
| | | | ok jsing
* Kill last user of ASN1_time_parse() in the treetb2023-11-131-23/+3
| | | | | | | | ASN1_time_parse() was useful while OpenSSL didn't have something sort of equivalent, but now they do. Let's retire ASN1_time_parse() to internal. This will require some patching in ports, but shrug. ok beck
* Check notBefore/notAfter validity with ASN1_TIME_to_tm(3)tb2023-11-131-5/+3
| | | | ok beck
* Drop unused conf, pem, and x509 headers, add unistd for pledgetb2023-07-291-4/+2
|
* Remove antiquated options outputtb2023-07-273-44/+7
| | | | | | | | This is uninteresting and rather meaningless except for the implementer. No need to have several hundred lines of code backing half a dozen symbols in the public API for this. ok jsing
* sprinkle some void between () in function definitionstb2023-07-2313-26/+26
|
* Remove -stats option from openssl(1) errstr.tb2023-07-232-41/+5
| | | | | | This is the only consumer of ERR_get_string_table(), which will go away. ok jsing
* some minor fix up;jmc2023-07-031-5/+5
|
* Bring back no_tls1 and no_tls1_1 as undocumented silently discarded opitonsbeck2023-07-032-8/+20
| | | | | | | | While I'm here, change the no_ssl2 and no_ssl3 options to use OPTION_DISCARD as well instead of continuing to set a no-op option flag. ok jsing@ tb@
* Remove the tls1.0 and 1.1 related options from the openssl(1) toolkitbeck2023-07-033-159/+20
| | | | ok tb@
* Teach openssl ca about Ed25519 certificatestb2023-07-021-18/+27
| | | | | | | This adds a few logic curlies to end up setting the EVP_MD to EVP_md_null() as required by the API. This way ASN1_item_sign() now knows how to behave. "ok = (rv == 2);" beck
* Teach openssl req about EdDSA certstb2023-07-021-1/+8
| | | | | | | After a few things in libcrypto were adjusted, this diff makes issuing certificate requests with Ed25519 work. ok beck
* remove unused args_st structjsg2023-06-112-12/+2
| | | | ok tb@
* remove chopup_args() unused since apps.c rev 1.31jsg2023-06-112-72/+2
| | | | ok tb@
* openssl enc: drop a few parens and unwrap a few linestb2023-06-111-20/+14
| | | | No binary change on amd64
* openssl enc: small style fixup after ZLIB unifdeftb2023-06-111-4/+2
|
* Unifdef ZLIBtb2023-06-112-44/+2
| | | | | This is very dead code: the openssl app was never compiled with -DZLIB after January 1, 2015.
* From the description of "openssl verify", delete the duplicate andschwarze2023-06-081-130/+9
| | | | | | | outdated list of error messages. Instead, refer to the master copy of that list in X509_STORE_CTX_get_error(3). Suggested by and OK tb@, and beck@ also agrees with the idea.
* Refer to the field "thisUpdate" instead of the non-existent "lastUpdate".schwarze2023-06-071-4/+10
| | | | | Similar to X509_get0_notBefore(3) rev. 1.6. Requested by and OK tb@.
* Remove a space that I thought I had already deleted.tb2023-05-201-2/+2
| | | | Makes mandoc -Tlint happier
* openssl speed: add an '-unaligned n' optiontb2023-05-202-7/+37
| | | | | | | | | | | | | | | | All hashes and ciphers covered by speed should be able to handle unaligned input and output. The buffers used in openssl speed are well aligned since they are large, so will never exercise the more problematic unaligned case. I wished something like this was available on various occasions. It would have been useful to point more easily at OpenSSL's broken T4 assembly. Yesterday there were two independent reasons for wanting it, so I sat down and did it. It's trivial: make the allocations a bit larger and use buffers starting at an offset inside these allocations. Despite the trivality, I managed to have a stupid bug. Thanks miod. discussed with jsing ok miod
* openssl speed: minor style nitstb2023-05-201-8/+6
| | | | | | | This drops a bunch of unnecessary parentheses, makes the strcmp() checks consistent and moves some "}\n\telse" to "} else". Makes an upcoming commit smaller
* openssl speed: remove binary curve remnantstb2023-05-201-88/+5
| | | | | | | | | | | | | | | This wasn't properly hidden under OPENSSL_NO_EC2M, and all it does now is producing ugly errors and useless "statistics". While looking at this, I found that much of speed "has been pilfered from [Eric A. Young's] libdes speed.c program". Apparently this was an precursor and ingredient of SSLeay. Unfortunately, it seems that this piece of the history is lost. ok miod PS: If anyone is bored, a rewrite from scratch of the speed 'app' would be a welcome contribution and may be an instructive rainy day project. The current code was written in about the most stupid way possible so as to maximize fragility and unmaintainability.
* Reinstate X9.31 padding mode support in rsautltb2023-05-052-7/+18
|
* Remove the nseq commandtb2023-04-254-211/+5
|
* Document the change in default to comma plus space but leave out thetb2023-04-221-2/+5
| | | | compat nonsense
* Fix UTF-8 issuer printingtb2023-04-221-2/+6
| | | | | | | | | | | | | If no field separator is specified, default to using the comma plus space separation, unless the compat flag is set. Fixes an a bug with printing issuers and other things that contain UTF-8 Reported by Jean-Luc Duprat The very simple fix ix is a joint effort by Henson and Levitte Fixes libressl/portable issue #845 ok jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-24 22:53:41 +0000