path: root/src/usr.bin/openssl
Commit message | Author | Age | Files | Lines
* openssl ca: use BN_bn2hex() rather than reimplementing it | tb | 2025-02-25 | 1 | -28/+18
| ok jsing
* openssl x509: zap extra whitespace in usage | tb | 2025-01-19 | 1 | -2/+2
|
* Remove -C option from "apps" | tb | 2025-01-19 | 6 | -436/+12
| As far as I can tell, this way of generating "C code" was only used to add stuff to pretty regress and even prettier speed "app" and otherwise it just served to make the library maintainers' lives even more miserable. ok jsing
* ecparam: remove GF2m remnant | tb | 2025-01-19 | 1 | -14/+4
| This removes the last in-tree dependency on EC_METHOD_get_field_type() and EC_GROUP_method_of() and removes some dead code which would generate code that wouldn't compile if it was reachable. ok jsing
* termianted -> terminated | tb | 2025-01-03 | 1 | -2/+2
|
* Remove some gloriously outdated comments | tb | 2025-01-02 | 1 | -5/+1
| /*#define SSL_HOST_NAME "www.netscape.com" */ /*#define SSL_HOST_NAME "193.118.187.102" */ and /*#define TEST_CERT "client.pem" *//* no default cert. */
* Merge testdsa.h and tesrsa.h into speed.c | tb | 2025-01-02 | 3 | -781/+712
| Having constant arrays in a header is just stupid (whether the constants are static or not), and most of the contents of these two headers clearly belongs into a C file. Since the garbage pile that is speed.c was not ugly enough, merge all of it there, since it is the only consumer. discussed with jsing PS: still waiting for that elusive volunteer who reworks libdes's speed.c into something resembling C code.
* Remove some pointless header guards. The headers are in scope. | tb | 2025-01-02 | 1 | -7/+1
|
* Merge s_apps.h into apps.h | tb | 2025-01-02 | 8 | -169/+47
| discussed with jsing
* openssl(1) doesn't need 5 .h files: merge timeouts.h into apps.h | tb | 2025-01-02 | 4 | -72/+7
| This is an extra header for two stupid constants... discussed with jsing
* openssl(1) doesn't need 6 .h files: fold progs.h into apps.h | tb | 2025-01-02 | 8 | -59/+52
| discussed with jsing
* Plug a bunch of leaks in the PKCS 12 code | tb | 2024-12-26 | 1 | -8/+24
| The competition whether the code or the standard it implements is worse is still ongoing, and still has two strong competitors... ok jsing
* Error check sk_push() in crl2p7 | tb | 2024-12-26 | 1 | -23/+21
| also remove a few NULL checks before free and drop a cryptic comment about not needing to free x - hard to free what's not there... ok jsing
* ciphers: remove tls1 and tls1_1 leftovers | tb | 2024-12-11 | 1 | -16/+2
| The options were already removed from the manual in 91e7614a. From Renaud Allard (hand-applied since patch was mangled)
* Fix up authority and subject key identifiers in force pubkey mode | tb | 2024-12-04 | 1 | -8/+133
| Upstream decided that this nonsense was worth an ABI break and added stuff to the X509_CTX so they could hang the issuer's public key off it so that they could adjust the key identifiers as needed. Let's avoid that and do it the slightly less nasty way by updating the AKI and SKI as needed. We only do this when force pubkey is in place so we don't change the semantics of the batshit crazy config language that nobody understands. ok job
* openssl speed: stop trying to use small curves | tb | 2024-11-30 | 1 | -25/+11
| secp160r1 and nistp192 are no longer available in libcrypto. Should have been committed along with disabling these curves, but was missed. ok jsing
* sync x509v3_add_value with x509_utl.c | tb | 2024-08-31 | 1 | -19/+32
|
* Add and use local copy of X509V3_add_value() | tb | 2024-08-30 | 1 | -2/+41
| The public API will be removed. This fixes its only consumer.
* zap line missed in previous removal; ok tb | jmc | 2024-08-30 | 1 | -3/+2
|
* Adjust documentation for check/pubcheck removal | tb | 2024-08-29 | 1 | -11/+2
| ok beck
* Remove check and pubcheck from openssl pkey and pkeyparam | tb | 2024-08-29 | 4 | -73/+7
| The underlying API will be removed, so these commands have to go. ok beck
* ocsp.c: zap trailing whitespace | tb | 2024-08-29 | 1 | -2/+2
|
* ts.c: typo flaf -> flag | tb | 2024-08-26 | 1 | -2/+2
|
* openssl: adjust manual for LMK and CSP removal | tb | 2024-08-22 | 1 | -10/+2
|
* openssl pkcs12: remove support for LMK and CSP attributes | tb | 2024-08-22 | 1 | -25/+1
| Documentation on what the Microsoft-specific local machine keyset and the cryptographic service provider are actually good for is hard to find. For some reason (perhaps one million and two arguments for PKCS12_create() was considered two too many) these hang off the EVP_PKEY in the attributes member, which serves no other purpose. Every use of EVP_PKEY (of which there are far too many) pays extra memory taxes for this fringe use case. This complication is not worth it. ok miod
* Use OPENSSL_config() instead of OPENSSL_load_builtin_modules() | tb | 2024-08-18 | 1 | -2/+2
|
* Add -CRLfile option to 'cms' sub command | job | 2024-08-12 | 2 | -7/+38
| This option allows to verify certs in a CMS object against additional CRLs. Ported from work by Tom Harrison from APNIC OK tb@
* Move the sigaction next to multi | tb | 2024-07-13 | 1 | -2/+2
| Reduces diff in -portable
* use sigaction() to setup SIGALRM so we can set SA_RESTART, and | deraadt | 2024-07-12 | 1 | -6/+8
| remove the re-arming in the handler. Better than using siginterrupt(), and avoids the errno saving requirement in the handler also. ok guenther millert
* do not need to force bss values to 0 | deraadt | 2024-07-09 | 1 | -2/+2
|
* KNF a pile of else if blocks; ok tb | deraadt | 2024-07-09 | 1 | -19/+9
|
* Adjust manpage for SPKAC removal | tb | 2024-07-08 | 1 | -84/+4
| ok jsing
* Remove spkac subcommand | tb | 2024-07-08 | 4 | -317/+4
| Google killed efforts to have SPKAC in html5 by zapping it from chrome a decade ago. This effort doesn't look like it's going anywhere: https://datatracker.ietf.org/doc/draft-leggett-spkac/ Unfortunately, PHP and Ruby still support NETSCAPE_SPKI, so we can't kill that code, but I see no real reason we need to support this in our openssl command. If the need should arise we can write a somewhat less poor version of this. ok jsing
* Remove spkac handling from openssl(1) ca | tb | 2024-07-08 | 1 | -187/+3
| This is very poorly written code and now the only consumer of some public API that should not have survived the turn of the millennium. ok jsing
* signal handler must use the save_errno dance, and massage a variable | deraadt | 2024-07-01 | 1 | -2/+5
| of type 'volatile sig_atomic_t' ok tb
* openssl ca: avoid double free for spkac files without default section | tb | 2024-06-23 | 1 | -2/+1
| ok jsing
* openssl x509: rename pub_key to dsa_pub_key | tb | 2024-05-27 | 1 | -4/+4
| suggested by jsing
* openssl: enable -Wshadow for clang | tb | 2024-05-27 | 1 | -2/+2
| ok job jsing
* openssl: avoid shadowed pkeys in x509.c | tb | 2024-05-27 | 1 | -12/+10
| ok job jsing
* remove prototypes with no matching function and externs with no var | jsg | 2024-05-21 | 1 | -2/+1
| partly checked by millert@
* remove extern with no matching var; ok tb@ | jsg | 2024-05-18 | 1 | -2/+1
|
* remove prototypes with no matching function; ok tb@ | jsg | 2024-05-18 | 3 | -6/+3
|
* openssl: toolkit implementing the TLS v1 protocol is weird | tb | 2024-05-07 | 1 | -3/+3
| Well, it's a toolkit alright, and a terrible one at that, but TLS v1 (which is this beloved toolkit's name for TLS v1.0) is a thing firmly from the past, so drop the v1.
* openssl req: plug obvious leak | tb | 2024-04-17 | 1 | -1/+2
| CID 492603
* Clean up create_digest() | tb | 2024-03-25 | 1 | -16/+17
| The ts code is its own kind of special. I only sent this diff out to hear beck squeal. This diff doesn't actually fix anything, apart from (maybe) appeasing some obscure static analyzer. It is decidedly less bad than a similar change in openssl's issue tracker. ok beck
* Expand only ever user of PBEPARAM_free() outside of libcrypto | tb | 2024-02-28 | 1 | -2/+3
|
* Zap a useless comment followed by a stray semicolon | tb | 2024-02-04 | 1 | -2/+1
| Noticed by Christian Andersen
* Remove GOST and STREEBOG support from libssl. | beck | 2024-02-03 | 1 | -7/+1
| This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for its removal from libcrypto with a future major bump ok tb@
* Add 'openssl x509 -new' functionality to the libcrypto CLI utility | job | 2024-01-26 | 2 | -14/+71
| The ability to generate a new certificate is useful for testing and experimentation with rechaining PKIs. While there, alias '-key' to '-signkey' for compatibility. with and OK tb@
* Add -force_pubkey -multivalue-rdn -set_issuer -set_subject -utf8 to x509 app | job | 2024-01-12 | 2 | -27/+152
| The -set_issuer, -set_subject, and -force_pubkey features can be used to 'rechain' PKIs, for more information see https://labs.apnic.net/nro-ta/ and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/ OK tb@