summaryrefslogtreecommitdiff
path: root/src/usr.bin (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Zap a useless comment followed by a stray semicolontb2024-02-041-2/+1
| | | | Noticed by Christian Andersen
* Remove GOST and STREEBOG support from libssl.beck2024-02-031-7/+1
| | | | | | | | | | | | | | | | | | This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for it's removal from libcrypto with a future major bump ok tb@
* Add 'openssl x509 -new' functionality to the libcrypto CLI utilityjob2024-01-262-14/+71
| | | | | | | | | The ability to generate a new certificate is useful for testing and experimentation with rechaining PKIs. While there, alias '-key' to '-signkey' for compatibility. with and OK tb@
* Add -force_pubkey -multivalue-rdn -set_issuer -set_subject -utf8 to x509 appjob2024-01-122-27/+152
| | | | | | | | The -set_issuer, -set_subject, and -force_pubkey features can be used to 'rechain' PKIs, for more information see https://labs.apnic.net/nro-ta/ and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/ OK tb@
* Garbage collect the last users of SSL_set_debug(3)tb2023-12-292-5/+2
| | | | | | | | This undocumented, incomplete public function has never done anything useful. It will be removed from libssl. Removing it from openssl(1) clears the way for this. ok jsing
* s_client: pause hasn't worked in ages. Just ignore ittb2023-12-292-13/+5
| | | | ok jsing
* Make a few purpose things consttb2023-11-214-11/+11
| | | | | This should allow us to constify a sizable table in libcrypto in an upcoming bump.
* openssl pkcs12: rewrite without reaching into X509_ALGORtb2023-11-191-7/+10
| | | | | | | | | We can call ASN1_item_unpack() which will end up stuffing the same arguments into ASN1_item_d2i() as d2i_PBEPARAM(). This eliminates the last struct access into X509_ALGOR outside libcrypto in the base tree. ok jsing
* openssl ts: convert to X509_ALGOR_set0()tb2023-11-191-5/+8
| | | | ok jsing
* Kill last user of ASN1_time_parse() in the treetb2023-11-131-23/+3
| | | | | | | | ASN1_time_parse() was useful while OpenSSL didn't have something sort of equivalent, but now they do. Let's retire ASN1_time_parse() to internal. This will require some patching in ports, but shrug. ok beck
* Check notBefore/notAfter validity with ASN1_TIME_to_tm(3)tb2023-11-131-5/+3
| | | | ok beck
* netcat: avoid issuing syscalls on fd -1tb2023-08-141-3/+9
| | | | | | | | | | | In case a socket error condition occurs, readwrite() invalidates the corresponding fd. Later on, readwrite() may still issue a syscall on it. Avoid that by adding a couple of checks for fd == -1. Reported and fix suggested by Leah Neukirchen. Fixes https://github.com/libressl/openbsd/issues/143 "looks right" deraadt
* Drop unused conf, pem, and x509 headers, add unistd for pledgetb2023-07-291-4/+2
|
* Remove antiquated options outputtb2023-07-273-44/+7
| | | | | | | | This is uninteresting and rather meaningless except for the implementer. No need to have several hundred lines of code backing half a dozen symbols in the public API for this. ok jsing
* sprinkle some void between () in function definitionstb2023-07-2313-26/+26
|
* Remove -stats option from openssl(1) errstr.tb2023-07-232-41/+5
| | | | | | This is the only consumer of ERR_get_string_table(), which will go away. ok jsing
* some minor fix up;jmc2023-07-031-5/+5
|
* Bring back no_tls1 and no_tls1_1 as undocumented silently discarded opitonsbeck2023-07-032-8/+20
| | | | | | | | While I'm here, change the no_ssl2 and no_ssl3 options to use OPTION_DISCARD as well instead of continuing to set a no-op option flag. ok jsing@ tb@
* Remove the tls1.0 and 1.1 related options from the openssl(1) toolkitbeck2023-07-033-159/+20
| | | | ok tb@
* Teach openssl ca about Ed25519 certificatestb2023-07-021-18/+27
| | | | | | | This adds a few logic curlies to end up setting the EVP_MD to EVP_md_null() as required by the API. This way ASN1_item_sign() now knows how to behave. "ok = (rv == 2);" beck
* Teach openssl req about EdDSA certstb2023-07-021-1/+8
| | | | | | | After a few things in libcrypto were adjusted, this diff makes issuing certificate requests with Ed25519 work. ok beck
* remove unused args_st structjsg2023-06-112-12/+2
| | | | ok tb@
* remove chopup_args() unused since apps.c rev 1.31jsg2023-06-112-72/+2
| | | | ok tb@
* openssl enc: drop a few parens and unwrap a few linestb2023-06-111-20/+14
| | | | No binary change on amd64
* openssl enc: small style fixup after ZLIB unifdeftb2023-06-111-4/+2
|
* Unifdef ZLIBtb2023-06-112-44/+2
| | | | | This is very dead code: the openssl app was never compiled with -DZLIB after January 1, 2015.
* From the description of "openssl verify", delete the duplicate andschwarze2023-06-081-130/+9
| | | | | | | outdated list of error messages. Instead, refer to the master copy of that list in X509_STORE_CTX_get_error(3). Suggested by and OK tb@, and beck@ also agrees with the idea.
* Refer to the field "thisUpdate" instead of the non-existent "lastUpdate".schwarze2023-06-071-4/+10
| | | | | Similar to X509_get0_notBefore(3) rev. 1.6. Requested by and OK tb@.
* Remove a space that I thought I had already deleted.tb2023-05-201-2/+2
| | | | Makes mandoc -Tlint happier
* openssl speed: add an '-unaligned n' optiontb2023-05-202-7/+37
| | | | | | | | | | | | | | | | All hashes and ciphers covered by speed should be able to handle unaligned input and output. The buffers used in openssl speed are well aligned since they are large, so will never exercise the more problematic unaligned case. I wished something like this was available on various occasions. It would have been useful to point more easily at OpenSSL's broken T4 assembly. Yesterday there were two independent reasons for wanting it, so I sat down and did it. It's trivial: make the allocations a bit larger and use buffers starting at an offset inside these allocations. Despite the trivality, I managed to have a stupid bug. Thanks miod. discussed with jsing ok miod
* openssl speed: minor style nitstb2023-05-201-8/+6
| | | | | | | This drops a bunch of unnecessary parentheses, makes the strcmp() checks consistent and moves some "}\n\telse" to "} else". Makes an upcoming commit smaller
* openssl speed: remove binary curve remnantstb2023-05-201-88/+5
| | | | | | | | | | | | | | | This wasn't properly hidden under OPENSSL_NO_EC2M, and all it does now is producing ugly errors and useless "statistics". While looking at this, I found that much of speed "has been pilfered from [Eric A. Young's] libdes speed.c program". Apparently this was an precursor and ingredient of SSLeay. Unfortunately, it seems that this piece of the history is lost. ok miod PS: If anyone is bored, a rewrite from scratch of the speed 'app' would be a welcome contribution and may be an instructive rainy day project. The current code was written in about the most stupid way possible so as to maximize fragility and unmaintainability.
* Reinstate X9.31 padding mode support in rsautltb2023-05-052-7/+18
|
* Remove the nseq commandtb2023-04-254-211/+5
|
* Document the change in default to comma plus space but leave out thetb2023-04-221-2/+5
| | | | compat nonsense
* Fix UTF-8 issuer printingtb2023-04-221-2/+6
| | | | | | | | | | | | | If no field separator is specified, default to using the comma plus space separation, unless the compat flag is set. Fixes an a bug with printing issuers and other things that contain UTF-8 Reported by Jean-Luc Duprat The very simple fix ix is a joint effort by Henson and Levitte Fixes libressl/portable issue #845 ok jsing
* Drop policy printing from openssltb2023-04-146-95/+6
| | | | | | | | | | | | Nothing really uses the policy tree. It's desgined with built-in DoS capabilities directly from the RFC. It will be removed from the attack surface and replaced with something equivalent that doesn't grow exponentially with the depth. This removes the only reason the policy tree itself ever leaked out of the library. ok jsing
* Fix double free in error path in openssl(1) x509tb2023-04-141-4/+2
| | | | | | | | A conversion from X509_REQ_get_pubkey() to X509_REQ_get0_pubkey() missed one free of pkey in an unlikely error path. After the conversion pkey is no longer owned by us, so we mustn't free it. ok jsing
* Remove X9.31 support from openssl(1)tb2023-04-092-18/+7
| | | | | | | The X9.31 standard has long been retired and deprecated and libcrypto will drop support for it soon. This prepares userland. ok jsing
* Minor code cleanuptb2023-04-091-42/+31
| | | | | | Unwrap a few awkwardly wrapped lines, drop redundant parentheses and add empty lines after some variable declarations. No change in the generated assembly.
* openssl(1) asn1parse: avoid crash with ASN.1 BOOLEANStb2023-03-101-3/+4
| | | | | | | | | | | | | When pointing openssl asn1parse -strparse at DER octets 01 01, it crashes: $ printf '<\x01\x01>' | openssl asn1parse -inform der -strparse 1 Refuse to parse BOOLEAN types instead, which avoids a crash in hensonian /* hmm... this is a little evil, but it works */ code. Found while poking at CMS timestamps to understand one of job's diffs. with/ok jsing
* Basic cleanup in asn1pars.ctb2023-03-071-26/+16
| | | | Drop extra parentheses, unwrap some lines, compare pointers against NULL.
* Rename struct ${app}_config to plain cfgtb2023-03-0644-3260/+3260
| | | | | | | | | All the structs are static and we need to reach into them many times. Having a shorter name is more concise and results in less visual clutter. It also avoids many overlong lines and we will be able to get rid of some unfortunate line wrapping down the road. Discussed with jsing
* openssl: make all config structs statictb2023-03-0511-22/+22
| | | | | These are per-app, so per-file. Most of them already are static, adjust the rest of them.
* openssl/cms: zap some trailing whitespacetb2023-03-051-3/+3
|
* openssl enc doesn't really support AEAD ciphers and XTS modetb2023-03-041-2/+30
| | | | | | | | | | Do not display such ciphers in the usage display and error out if they are given. As pointed out by Pauli Dale, the current situation is confusing. Fixes GH issues #786 and #819 ok jsing
* openssl/req: garbage collect a pointless EVP_MD_CTX_init()tb2023-03-041-2/+2
| | | | | | | Before do_sign_init(), the ctx is always allocated by EVP_MD_CTX_new() aka calloc(). There is no point in doing EVP_MD_CTX_init(), aka bzero(). ok jsing
* openssl speed: avoid bad pluraltb2023-02-231-5/+5
| | | | | | | Remedy a case of twitching eyes caused by seeing "Doing ... rsa's for 10s". If this breaks someone's script, so be it. ok jsing sthen
* openssl(1) pkcs7 avoid crash on malformed filestb2023-02-081-5/+9
| | | | | | | | When printing certificates or CRLs, check signed and signedAndEnveloped before dereferencing them. Prevents crash on inspecting malformed PKCS7 files. ok jsing
* ugly white spacederaadt2023-01-041-2/+2
|