IABSD.fr/src/usr.bin/openssl

Branch :


Log

Author Commit Date CI Message
72a107cf 2020-07-27 13:06:13 Add function prototype and move sub functions to bottom
f94a2c25 2020-07-27 12:29:51 Remove space between '*' and pointer variable in s_server.c
0e15fe22 2020-07-27 12:19:51 Remove 's_' prefix from member of s_server_config struct
5a233072 2020-07-27 12:09:14 Convert openssl(1) s_server option handling ok and comments from jsing@
af806480 2020-07-14 19:08:30 Convert option handling for openssl(1) verify. ok inoguchi@, tb@
b38ea368 2020-07-14 09:52:46 Remove hyphen
53fa2216 2020-07-14 09:49:42 Add single space between pem and ...
f354b939 2020-07-14 09:46:17 Add manual for openssl(1) certhash ok jmc@
a2111520 2020-07-10 12:25:57 Clean up s_client.c - Remove space between '*' and pointer variable. - Add function prototype. - Move callback function to bottom. - Move typedef struct to up.
5042ef37 2020-07-10 12:05:52 Change variable bio_c_out from global to local ok tb@
6369f9f8 2020-07-09 14:09:19 Wrap long lines and put space in front of label in s_client.c
6dcdcd8f 2020-07-09 13:07:46 Remove c_ prefix from s_client_config member
10281ad2 2020-07-09 12:48:19 Convert openssl(1) s_client option handling suggestions and ok beck@ jsing@ tb@
a7150521 2020-05-23 13:00:30 While the second SSL_CTX in this code is only used on servername callback, so its mode is not used to update the ssl's mode, it seems more appropriate to clear the SSL_MODE_AUTO_RETRY flag on it as well. ok jsing
f4cc3564 2020-05-23 12:52:54 In ssl_lib.c revision 1.217, jsing enabled SSL_MODE_AUTO_RETRY by default. To avoid hanging on a blocking read, we need to clear the SSL_MODE_AUTO_RETRY flag in the s_client and the s_server. ok beck inoguchi jsing
5285fdef 2020-05-23 09:02:02 Avoid an out-of-bounds array access in the s_server. It can be triggered by sending a line to stdin while no connection is open and then connecting a client. The first SSL_write() fails, sends SSL_ERROR_WANT_* and then causes a segfault deep down in the tls stack when accessing &(buf[-1]). ok beck inoguchi
f91d157a 2020-05-22 16:11:23 sockaddr should be sockaddr_storage, otherwise "openssl s_client -6 -dtls1" (gurn) copies getsockname() retrieves a truncated result and 14 bytes of stack garbage get copied onwards. ok tb
283e98c7 2020-05-13 10:19:25 Add description for -tls1_3 and -no_tls1_3 options to openssl(1) s_server ok jsing@ tb@
95f83488 2020-05-13 10:18:03 Add -tls1_3 and -no_tls1_3 options to openssl(1) s_server - Add -tls1_3 and -no_tls1_3 to openssl(1) s_server - Stop using version pinned methods, instead setting the min and max protocol versions ok jsing@ tb@
bbdaa95a 2020-05-10 17:13:31 Make openssl X509 handle the failure case return code from X509_time_cmp. While we are in here also make it notice if time values in a certificate are bogus, and say so in the output. ok bcook@ jsing@
30d5484a 2020-05-10 16:55:28 Conditionalize sleep-before-retry in server code to only be done when debug is on. otherwise, just retry. Fixes problems this creates in testing. ok jsing@ tb@
e14d36e1 2020-04-26 02:09:21 Display TLSv1.3 extension type with openssl(1) -tlsextdebug Add TLSv1.3 extension type, and sort by the definition order in tls1.h. This helps that openssl(1) s_server and s_client with -tlsextdebug displays the TLS extension type instead of "unknown". ok beck@ jsing@ tb@
ac7717a1 2020-04-26 01:59:27 s_client: fix use of possibly uninitialized values Set initial value to variable 'p' and 'pending'. Reported and fix requested from leonklingele by GitHub pull request. https://github.com/libressl-portable/portable/issues/577 https://github.com/libressl-portable/openbsd/pull/114 ok bcook@ jsing@ tb@
997fb57a 2020-04-25 19:18:40 In s_server.c rev. 1.33, jsing added support for "openssl s_server -groups"; document it and deprecate "openssl s_server -named_curve". While here, fix the error in the synopsis for "openssl s_client -groups" and use unified argument naming and similar wording like in SSL_CTX_set1_groups_list(3). OK jsing@
480d2676 2020-04-19 17:05:55 Add -groups option to openssl(1) s_server. This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead. ok beck@ inoguchi@
60c2fcbe 2020-02-19 20:42:12 Tag subcommand sections Allow semantic lookup by manually tagging sections (.Sh) for which no automatic tagging has been implemented; this thereby also eliminates false positives such that ":tx509<Enter>" now jumps to the X509 section. feedback remi inoguchi schwarze OK tb
428703dc 2020-02-16 16:39:01 Add -tls1_3 and -notls1_3 options to openssl(1) s_client. Also stop using version pinned methods, instead setting the min and max protocol versions. Requested by inoguchi@ ok inoguchi@ tb@
88411e53 2020-01-25 05:29:10 add a couple of XXX for future cleanup
654e66e6 2020-01-24 09:42:32 Teach openssl s_client a bit about TLSv1.3. ok beck jsing
586463fe 2020-01-23 03:35:54 Make -peekaboo mode also use SSL_pending after peeking, to ensure SSL_pending implementation is correct. annoying jsing@
bfef4384 2020-01-22 06:40:42 Simplify the peekaboo code. ok beck@
9c84cee0 2020-01-22 04:51:48 Add -peekaboo option to s_client, to test SSL_peek peeks data before reading, compares to subsequent read. ok jsing@
6ee93950 2020-01-04 14:17:55 Check CMS API return value in openssl(1) cms ok jsing@
2961fddb 2019-12-18 12:38:15 use "Currently" in the doc for "openssl enc" when talking about default md, to hint that it might not always be the case (e.g. if dealing with files from a different version of the tool). ok tb@
6270d946 2019-12-18 07:54:28 In January, the default digest used in the openssl enc command was changed from md5 to sha256. Update manual to reflect that. From Fabio Scotoni ok jmc
d8fa3dd1 2019-11-28 11:21:33 Add manual for openssl(1) cms ok and comments jmc@
d4271273 2019-11-19 10:28:18 More return value check in openssl(1) cms Checking return value of sk_.*_new_null(). ok beck@ jsing@
f872ba1d 2019-11-19 10:20:10 Add manual descriptions for openssl(1) req -addext ok jmc@
514c2dab 2019-11-18 12:43:27 Remove typedef and check sk_push return value in openssl(1) cms - Remove typedef and use 'struct cms_key_param' instead - Check return value of sk_X509_push and sk_OPENSSL_STRING_push - Add a blank line to separate variable declarations from code comments from jsing@
99e5b935 2019-11-18 11:34:41 Add -keyopt opiton to openssl(1) cms subcommand This provides rsa_padding_mode:oaep for cms -encrypt, and rsa_padding_mode:pss for cms -sign. ok jsing@
efc1006d 2019-11-06 11:16:16 Check return value and remove unnecessary variable - Check NCONF_new() return value - Remove unnecessary 'i' comments from jsing@
a72a31a2 2019-11-06 10:35:40 Add -addext option to openssl(1) req subcommand First step of adding -addext option to openssl(1) req from OpenSSL 1.1.1d. ok jsing@
f3b9fd27 2019-11-04 15:34:27 Indent labels for diffability.
81f69065 2019-11-04 15:33:48 Remove spaces between * and variable names.
d852947d 2019-11-04 15:31:08 Remove explicit NULL checks before *_free() calls.
a9821b6a 2019-11-04 15:25:54 Hook openssl(1) cms back up.
6ff77328 2019-11-04 15:18:45 Currently we need to include pem.h before cms.h...
22f41c42 2019-11-04 14:49:59 Remove engine argument from load_cert() calls. This was cleaned up after cms went to the attic.
c8d13811 2019-11-04 14:47:43 Bring openssl(1) cms back from the attic.
e149b380 2019-10-04 09:47:34 Avoid a path traversal bug in s_server on Windows. openssl s_server has an arbitrary read vulnerability on Windows when run with the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to Jobert Abma for reporting. ok tb@
936eb19c 2019-10-04 06:22:51 the formatting for the mini synopses in this page did not render well on html or groff. the solution, to replace the non-standard .nr macros with a hang list, was provided by ingo - thanks! ok schwarze
7e260d01 2019-08-30 12:32:14 Remove unnecessary NULL check before free function in openssl(1) dgst
b43c161c 2019-08-30 12:09:05 Wrap lines over 80 cols and put space before goto label in openssl(1) dgst
ddf8e1cb 2019-08-30 11:43:34 Simplify checking and more readable descriptions in openssl(1) dgst suggested from jsing@
704010f9 2019-08-30 11:19:00 Convert openssl(1) dgst to the newer style of option handling Adapt openssl(1) dgst command to new option handling. Added dgst_options struct and option handlers, and replaced for-if-strcmp handling with options_parse(). ok bcook@ jsing@
297e14c8 2019-08-05 12:01:51 Remove -port option from s_server since it is same as -accept ok schwarze@
ed873533 2019-07-29 10:06:55 Moving variables into struct in openssl(1) dgst First step to adapt openssl(1) dgst command to new option handling. There is no functional changes by this diff, and just moving variables into dgst_config struct. ok bcook@
02e96206 2019-07-26 12:35:59 Code clean up openssl(1) pkcs12 - Add a space before 'export_end:' - Remove space after '*' - Wrap lines by 80 columns
ac38447c 2019-07-26 11:52:51 Remove unnecessary NULL checks before free in openssl(1) pkcs12 ok bcook@ tb@
632daac0 2019-07-25 11:42:12 remove superfluous comment
972737a6 2019-07-25 11:41:03 zero tmpkeyiv buffer after use when encrypting from Steven Roberts
07a5d217 2019-07-24 14:23:25 Capitalize cipher name and mode in help message as sync with pkcs12
e21e78eb 2019-07-24 13:49:24 Convert openssl(1) pkcs12 to the newer style of option handling Adapt openssl(1) pkcs12 command to new option handling. Added pkcs12_options struct, and replaced for-if-strcmp handling with options_parse(). ok and comments jsing@
3ff5c216 2019-07-23 10:18:32 Moving variables into struct in openssl(1) pkcs12 First step to adapt openssl(1) pkcs12 command to new option handling. There is no functional changes by this diff, and just moving variables into pkcs12_config struct. I still keep long lines more than 80 for this review to minimize diffs. ok jsing@ tb@
279a27cf 2019-07-16 12:50:30 Fix long line by wrapping with 80 chars
4b6ea4e7 2019-07-16 12:36:50 Move option handlers up to option definition struct in gendsa.c As we did in other openssl sub command, move up option handlers above option definition struct. No functional changes and just move up and remove prototype.
b8cc3fef 2019-07-16 12:14:30 Fix typo and -keyform argument in openssl(1) manual - s/outputed/outputted/ - s/trused/trusted/ - add der as argument and describe pem is the default
ea149709 2019-07-14 03:30:45 Mark the initialized struct options arrays as both static and const. This moves them from .data to .data.rel.ro ok deraadt@ inoguchi@
d8518166 2019-07-12 10:21:08 Fix manual openssl(1) s_server - Add undocumented options below. -alpn, -cert2, -certform, -dcertform, -dkeyform, -dpass, -dtls1, -key2, -keyform, -keymatexport, -keymatexportlen, -mtu, -named_curve, -no_cache, -no_ecdhe, -no_ticket, -pass, -port, -servername, -servername_fatal, -status, -status_timeout, -status_url, -status_verbose, -timeout, -tlsextdebug, -use_srtp, -verify_return_error - Remove -hack, -psk and -psk_hint since not exist in source code. I didn't add these 5 options since these were no-op. -chain, -legacy_renegotiation, -nextprotoneg, -no_comp, -no_ssl2 This option was removed from manual in the past. -no_ssl3 ok and suggestions from jmc@
e218c379 2019-07-11 10:31:48 Fix manual openssl(1) s_client - Add undocumented options below. -alpn, -certform, -dtls1, -host, -keyform, -keymatexport, -keymatexportlen, -legacy_server_connect, -mtu, -no_ign_eof, -no_legacy_server_connect, -pass -port, -serverpref, -sess_in, -sess_out, -status, -timeout, -use_srtp, -verify_return_error - Remove -psk and -psk_identity since not exist in source code. I didn't add these 4 options since these were no-op. -nextprotoneg, -legacy_renegotiation, -no_comp, -no_ssl2 This option was removed from manual in the past. -no_ssl3 ok jmc@
9b8155cd 2019-07-10 10:28:28 Add missing option openssl dsa -modulus ok bcook@ jsing@
7561efde 2019-07-09 11:19:05 Fix manual openssl(1) genrsa Add missing -camellia*/-idea description to genrsa section. ok jmc@
19db20da 2019-07-09 11:02:52 Convert openssl(1) genrsa to the newer style of option handling ok tb@ jsing@
d263800a 2019-07-08 14:15:12 Fix manual openssl(1) dsa, ocsp, rsa and smime - dsa : add missing -pvk-none, -pvk-strong and -pvk-weak add pvk format to -inform and -outform - ocsp : add missing -header, -ignore_err, -no_explicit and -timeout - rsa : add missing -pvk-none, -pvk-strong and -pvk-weak add missing -RSAPublicKey_in and -RSAPublicKey_out add pvk format to -inform and -outform - smime : add missing -nosmimecap - add pvk description at common format part ok jmc@
1d8137f8 2019-07-07 02:04:40 Fix manual openssl(1) pkcs12, req, verify and x509 - For pkcs12, add -camellia*/-idea, -LMK and -password - For req, add -multivalue-rdn, -pkeyopt and -sigopt - For verify, add -CRLfile and -trusted, and down -check_ss_sig description - For x509, add -next_serial and -sigopt - Remove the escape in -multivalue-rdn from ca section ok jmc@
b95ac2a4 2019-07-05 14:33:10 Fix manual openssl(1) ec, enc and pkcs7 - For ec, add -param_out description - For enc, add -v usage and description - For pkcs7, add -print usage and description ok jmc@
c8247584 2019-07-05 11:50:46 Fix manual openssl(1) dgst - Add undocumented option -r ok jmc@
c3c80be4 2019-07-04 13:55:20 Fix manual openssl(1) crl - Add undocumented options -crlnumber, -hash_old, -nameopt and -verify ok jmc@
594cff4c 2019-07-04 13:00:42 Fix manual openssl(1) ca - Add undocumented options -crlsec and -sigopt - Sync argument name between usage and options description ok jmc@
515e489c 2019-07-03 03:24:01 snprintf/vsnprintf return < 0 on error, rather than -1.
3aaa63eb 2019-06-28 13:34:58 When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
e724e435 2019-06-19 01:51:14 Move variables into struct in openssl(1) genrsa - Move local variables in genrsa_main() to struct genrsa_config - Leave long lines more than 80, still ok bcook@
4b991305 2019-06-07 05:53:46 tidy up the formatting of gendsa synopsis a little;
eb6e8935 2019-06-07 02:32:22 Convert openssl(1) gendsa to the newer style of option handling - Adapt openssl(1) gendsa command to new option handling. - Add lacking ciphers and passout description in openssl.1 manpage. - Describe paramfile as argument in openssl.1 manpage. ok bcook@
e8e42339 2019-04-01 16:06:54 Sort.
ce0472c5 2019-04-01 16:05:14 Make the openssl(1) enc -iter flag actually work. Diff from Steven Roberts <sroberts at fenderq dot com> - thanks!
bdd6a469 2019-03-17 17:46:00 Add the SM4 block cipher from the Chinese standard GB/T 32907-2016. Patch from Daniel Wyatt ok inoguchi, jsing
06aa0bd7 2019-02-17 15:01:08 Convert openssl(1) pkeyutl to the newer style of option handling. ok jsing@ tb@
6685372a 2019-02-09 15:49:21 Fix weird wrap showing cipher list in interactive mode ok jsing@ tb@
4071f800 2019-02-09 06:27:37 Summarize the 4 same name functions and move it to apps.c ok tb@ jsing@
8d81c581 2019-02-05 12:45:47 Add islower check to show_ciphers in pkey.c and rsa.c. suggested by jsing@ ok tb@
fe082ddb 2019-02-05 11:26:21 Convert openssl(1) pkey to the newer style of option handling. ok jsing@
ce730975 2019-02-04 11:21:05 Document missing command line options for the rsautl command. ok jsing, "looks good!" jmc
358db57d 2019-02-03 15:40:32 zap spaces before tabs
94e38b1e 2019-02-03 14:20:07 Convert openssl(1) rsautl to the newer style of option handling. ok beck@ inoguchi@ tb@
bfd38911 2019-01-29 10:17:56 Remove SSLv23 padding mode from rsautl's usage (left behind in a removal from code and manual in 2017). Reported by KEINOS in github issue #101.
e84f51a6 2019-01-28 21:17:25 spelling;
d1ddd169 2019-01-20 01:59:06 Fix BN_is_prime_* calls in openssl(1), the API returns -1 on error. Found thanks to BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin. ok djm, jsing
020b59f8 2019-01-19 21:17:05 change the default digest used by openssl x509 -fingerprint openssl crl -fingerprint from sha1 to sha256 ok jsing@
02f94051 2019-01-18 23:33:57 switch the default algorithm for the dgst command from MD5 to SHA256 ok deraadt@