path: root/src/usr.bin/openssl
Commit message | Author | Age | Files | Lines
* openssl certhash: add digest param to certhash_directory | joshua | 12 days | 1 | -13/+9
  This will allow us to call certhash_directory with other digests as required to implement the openssl rehash command, which uses SHA1 or MD5.
  ok jsing tb
* KNF for variations of get_cipher_by_name() | tb | 2025-06-07 | 3 | -6/+9
* openssl.1: update defaults for cms and smime | tb | 2025-06-07 | 1 | -4/+4
* openssl smime: switch default encryption from 40-bit RC2 to AES-256 | tb | 2025-06-07 | 1 | -11/+5
  The old default is still available with rc2-40.
  https://github.com/pyca/cryptography/issues/12949
  https://github.com/libressl/portable/issues/1168
  ok kenjiro
* openssl cms: switch default encryption from triple DES to AES-256 | tb | 2025-06-07 | 1 | -11/+5
  The old default is still available with "des3"
  https://github.com/pyca/cryptography/issues/12949
  https://github.com/libressl/portable/issues/1168
  ok kenjiro
* openssl speed: clean up time_f | joshua | 2025-05-25 | 1 | -79/+76
  Rename Time_F to time_f and tidy up implementation and usage. time_f still uses app_timer_{user,real}, which I will clean up in a future commit.
  ok jsing
* openssl speed: remove whirlpool | joshua | 2025-05-25 | 2 | -41/+12
  whirlpool was previously removed from libcrypto, and OPENSSL_NO_WHIRLPOOL will always be defined. Remove whirlpool support from the openssl speed command entirely.
  ok jsing tb
* openssl pkcs8: zap an outdated lie | tb | 2025-05-24 | 1 | -4/+1
* openssl speed: remove MAX_BLOCK_SIZE define | joshua | 2025-05-24 | 1 | -8/+2
  ok jsing
* openssl speed: move key{16,24,32} above speed_main | joshua | 2025-05-24 | 1 | -33/+25
  Also, reuse the same keys for Camellia instead of having duplicates.
  ok jsing tb
* Update and improve documentation for pkcs8 -v2 | tb | 2025-05-24 | 1 | -12/+8
  with input from jsing
* Switch default to PBES2 for openssl pkcs8 -topk8 | tb | 2025-05-24 | 1 | -3/+3
  We currently use the glorious default of NID_pbeWithMD5AndDES_CBC which we inherited from OpenSSL. This could have been worse - there is also NID_pbeWithMD2AndDES_CBC... The way this diff works is that the undocumented PKCS8_encrypt() API uses the PKCS#5v2 code path when it's passed a NID of -1 and requires a cipher to succeed, otherwise it uses the PKCS#5v1.5 path. So pass in a sensible cipher, namely AES-CBC-256, and let layers of muppetry cascade to doing something resembling the right thing. This still uses the default of hmacWithSHA1 and a somewhat short salt, which will be improved in a subsequent commit.
  https://github.com/pyca/cryptography/issues/12949
  https://github.com/libressl/portable/issues/1168
  ok kenjiro joshua jsing
* openssl speed: use single md buffer for digests | joshua | 2025-05-24 | 1 | -31/+10
  ok jsing tb
* cms: disallow AEAD ciphers and AES XTS | tb | 2025-05-10 | 1 | -3/+21
  The CMS code doesn't support RFC 5083/5084 authenticated enveloped data and outputs garbage that even itself can't decrypt for a reason that I have not tried to pinpoint. So refuse using AEAD ciphers and AES XTS for enveloped data from the cms "app" and throw an error pointing out that this isn't supported. OpenSSL have since added incorrect support for AuthEnvelopedData (ASN.1 and code review are hard), so doing this right will need both correct and interoperable code, which I doubt anyone will bother to write anytime soon.
  Reported by Ben Cooper in https://github.com/libressl/portable/issues/1157
  ok beck jsing
* openssl ocsp: switch from X509V3error() to perror() | tb | 2025-05-09 | 1 | -6/+6
  ok jsing
* Fix x509's -nameopt default and spell an option correctly | kn | 2025-04-19 | 1 | -4/+4
  Feedback OK tb
* Update openssl.1 for msie_hack removal | tb | 2025-04-14 | 1 | -21/+4
  ok jmc jsing
* Remove openssl ca -msie_hack | tb | 2025-04-14 | 1 | -31/+2
  The nineties called and wanted their garbage back.
  ok jsing
* save_index: fix some code quality issues | tb | 2025-03-18 | 1 | -13/+16
  Error check BIO_new() both times it is used, drop unused j variable, Error check BIO_printf() call and turn the whole thing into single exit.
  Prompted by a diff by Niels Dossche
  ok jsing
* apps.c: don't leak out in error path | tb | 2025-03-17 | 1 | -1/+2
  From Niels Dossche
* openssl ca: use BN_bn2hex() rather than reimplementing it | tb | 2025-02-25 | 1 | -28/+18
  ok jsing
* openssl x509: zap extra whitespace in usage | tb | 2025-01-19 | 1 | -2/+2
* Remove -C option from "apps" | tb | 2025-01-19 | 6 | -436/+12
  As far as I can tell, this way of generating "C code" was only used to add stuff to pretty regress and even prettier speed "app" and otherwise it just served to make the library maintainer's lives even more miserable.
  ok jsing
* ecparam: remove GF2m remnant | tb | 2025-01-19 | 1 | -14/+4
  This removes the last in-tree dependency on EC_METHOD_get_field_type() and EC_GROUP_method_of() and removes some dead code which would generate code that wouldn't compile if it was reachable.
  ok jsing
* termianted -> terminated | tb | 2025-01-03 | 1 | -2/+2
* Remove some gloriously outdated comments | tb | 2025-01-02 | 1 | -5/+1
  /*#define SSL_HOST_NAME "www.netscape.com" */
  /*#define SSL_HOST_NAME "193.118.187.102" */
  and
  /*#define TEST_CERT "client.pem" *//* no default cert. */
* Merge testdsa.h and tesrsa.h into speed.c | tb | 2025-01-02 | 3 | -781/+712
  Having constant arrays in a header is just stupid (whether the constants are static or not), and most of the contents of these two headers clearly belongs into a C file. Since the garbage pile that is speed.c was not ugly enough, merge all of it there, since it is the only consumer.
  discussed with jsing
  PS: still waiting for that elusive volunteer who reworks libdes's speed.c into something resembling C code.
* Remove some pointless header guards. The headers are in scope. | tb | 2025-01-02 | 1 | -7/+1
* Merge s_apps.h into apps.h | tb | 2025-01-02 | 8 | -169/+47
  discussed with jsing
* openssl(1) doesn't need 5 .h files: merge timeouts.h into apps.h | tb | 2025-01-02 | 4 | -72/+7
  This is an extra header for two stupid constants...
  discussed with jsing
* openssl(1) doesn't need 6 .h files: fold progs.h into apps.h | tb | 2025-01-02 | 8 | -59/+52
  discussed with jsing
* Plug a bunch of leaks in the PKCS 12 code | tb | 2024-12-26 | 1 | -8/+24
  The competition whether the code or the standard it implements is worse is still ongoing, and still has two strong competitors...
  ok jsing
* Error check sk_push() in crl2p7 | tb | 2024-12-26 | 1 | -23/+21
  also remove a few NULL checks before free and drop a cryptic comment about not needing to free x - hard to free what's not there...
  ok jsing
* ciphers: remove tls1 and tls1_1 leftovers | tb | 2024-12-11 | 1 | -16/+2
  The options were already removed from the manual in 91e7614a.
  From Renaud Allard (hand-applied since patch was mangled)
* Fix up authority and subject key identifiers in force pubkey mode | tb | 2024-12-04 | 1 | -8/+133
  Upstream decided that this nonsense was worth an ABI break and added stuff to the X509_CTX so they could hang the issuer's public key off it so that they could adjust the key identifiers as needed. Let's avoid that and do it the slightly less nasty way by updating the AKI and SKI as needed. We only do this when force pubkey is in place so we don't change the semantics of the batshit crazy config language that nobody understands.
  ok job
* openssl speed: stop trying to use small curves | tb | 2024-11-30 | 1 | -25/+11
  secp160r1 and nistp192 are no longer available in libcrypto. Should have been committed along with disabling these curves, but was missed.
  ok jsing
* sync x509v3_add_value with x509_utl.c | tb | 2024-08-31 | 1 | -19/+32
* Add and use local copy of X509V3_add_value() | tb | 2024-08-30 | 1 | -2/+41
  The public API will be removed. This fixes its only consumer.
* zap line missed in previous removal; ok tb | jmc | 2024-08-30 | 1 | -3/+2
* Adjust documentation for check/pubcheck removal | tb | 2024-08-29 | 1 | -11/+2
  ok beck
* Remove check and pubcheck from openssl pkey and pkeyparam | tb | 2024-08-29 | 4 | -73/+7
  The underlying API will be removed, so these commands have to go.
  ok beck
* ocsp.c: zap trailing whitespace | tb | 2024-08-29 | 1 | -2/+2
* ts.c: typo flaf -> flag | tb | 2024-08-26 | 1 | -2/+2
* openssl: adjust manual for LMK and CSP removal | tb | 2024-08-22 | 1 | -10/+2
* openssl pkcs12: remove support for LMK and CSP attributes | tb | 2024-08-22 | 1 | -25/+1
  Documentation on what the Microsoft-specific local machine keyset and the cryptographic service provider are actually good for is hard to find. For some reason (perhaps one million and two arguments for PKCS12_create() was considered two too many) these hang off the EVP_PKEY in the attributes member, which serves no other purpose. Every use of EVP_PKEY (of which there are far too many) pays extra memory taxes for this fringe use case. This complication is not worth it.
  ok miod
* Use OPENSSL_config() instead of OPENSSL_load_builtin_modules() | tb | 2024-08-18 | 1 | -2/+2
* Add -CRLfile option to 'cms' sub command | job | 2024-08-12 | 2 | -7/+38
  This option allows to verify certs in a CMS object against additional CRLs.
  Ported from work by Tom Harrison from APNIC
  OK tb@
* Move the sigaction next to multi | tb | 2024-07-13 | 1 | -2/+2
  Reduces diff in -portable
* use sigaction() to setup SIGARLM so we can set SA_RESTART, and | deraadt | 2024-07-12 | 1 | -6/+8
  remove the re-arming in the handler. Better than using siginterrupt(), and avoids the errno saving requirement in the handler also.
  ok guenther millert
* do not need to force bss values to 0 | deraadt | 2024-07-09 | 1 | -2/+2