![[BACK]](/icons/back.gif){kind=icon}
Up to [local] / src / usr.bin / openssl
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.37 / (download) - annotate - [select for diffs], Fri Jan 26 11:58:37 2024 UTC (3 months, 3 weeks ago) by job
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE,
OPENBSD_7_5,
HEAD
Changes since 1.36: +50 -12 lines
Diff to previous 1.36 (colored)
Add 'openssl x509 -new' functionality to the libcrypto CLI utility The ability to generate a new certificate is useful for testing and experimentation with rechaining PKIs. While there, alias '-key' to '-signkey' for compatibility. with and OK tb@
Revision 1.36 / (download) - annotate - [select for diffs], Fri Jan 12 11:24:03 2024 UTC (4 months ago) by job
Branch: MAIN
Changes since 1.35: +108 -23 lines
Diff to previous 1.35 (colored)
Add -force_pubkey -multivalue-rdn -set_issuer -set_subject -utf8 to x509 app The -set_issuer, -set_subject, and -force_pubkey features can be used to 'rechain' PKIs, for more information see https://labs.apnic.net/nro-ta/ and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/ OK tb@
Revision 1.35 / (download) - annotate - [select for diffs], Tue Nov 21 17:56:19 2023 UTC (5 months, 3 weeks ago) by tb
Branch: MAIN
Changes since 1.34: +5 -5 lines
Diff to previous 1.34 (colored)
Make a few purpose things const This should allow us to constify a sizable table in libcrypto in an upcoming bump.
Revision 1.34 / (download) - annotate - [select for diffs], Mon Nov 13 11:50:36 2023 UTC (6 months ago) by tb
Branch: MAIN
Changes since 1.33: +3 -5 lines
Diff to previous 1.33 (colored)
Check notBefore/notAfter validity with ASN1_TIME_to_tm(3) ok beck
Revision 1.33 / (download) - annotate - [select for diffs], Fri Apr 14 06:47:07 2023 UTC (13 months ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE,
OPENBSD_7_4
Changes since 1.32: +2 -4 lines
Diff to previous 1.32 (colored)
Fix double free in error path in openssl(1) x509 A conversion from X509_REQ_get_pubkey() to X509_REQ_get0_pubkey() missed one free of pkey in an unlikely error path. After the conversion pkey is no longer owned by us, so we mustn't free it. ok jsing
Revision 1.32 / (download) - annotate - [select for diffs], Sun Apr 9 17:28:52 2023 UTC (13 months, 1 week ago) by tb
Branch: MAIN
Changes since 1.31: +31 -42 lines
Diff to previous 1.31 (colored)
Minor code cleanup Unwrap a few awkwardly wrapped lines, drop redundant parentheses and add empty lines after some variable declarations. No change in the generated assembly.
Revision 1.31 / (download) - annotate - [select for diffs], Mon Mar 6 14:32:06 2023 UTC (14 months, 1 week ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE,
OPENBSD_7_3
Changes since 1.30: +224 -224 lines
Diff to previous 1.30 (colored)
Rename struct ${app}_config to plain cfg
All the structs are static and we need to reach into them many times.
Having a shorter name is more concise and results in less visual clutter.
It also avoids many overlong lines and we will be able to get rid of some
unfortunate line wrapping down the road.
Discussed with jsing
Revision 1.30 / (download) - annotate - [select for diffs], Fri Nov 11 17:07:39 2022 UTC (18 months, 1 week ago) by joshua
Branch: MAIN
Changes since 1.29: +4 -6 lines
Diff to previous 1.29 (colored)
Remove the legacy interactive mode from openssl(1). This removes the legacy interactive mode from openssl(1) since it is rarely used, complicates the code, and has also been removed from OpenSSL in version 3.x.x. ok tb@ jsing@
Revision 1.29 / (download) - annotate - [select for diffs], Sun Dec 12 20:34:04 2021 UTC (2 years, 5 months ago) by tb
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE,
OPENBSD_7_2,
OPENBSD_7_1_BASE,
OPENBSD_7_1
Changes since 1.28: +5 -9 lines
Diff to previous 1.28 (colored)
A few more simplifications using get0_pubkey instead of get_pubkey + free.
Revision 1.28 / (download) - annotate - [select for diffs], Sun Dec 12 20:29:15 2021 UTC (2 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.27: +2 -4 lines
Diff to previous 1.27 (colored)
Simplify x509.c slightly by using X509_get0_pubkey() instead of X509_get_pubkey() ok inoguchi
Revision 1.27 / (download) - annotate - [select for diffs], Sun Dec 12 20:28:02 2021 UTC (2 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.26: +15 -7 lines
Diff to previous 1.26 (colored)
Make x509.c compile with opaque EVP_PKEY. ok inoguchi
Revision 1.26 / (download) - annotate - [select for diffs], Fri Nov 26 16:23:27 2021 UTC (2 years, 5 months ago) by tb
Branch: MAIN
Changes since 1.25: +1 -11 lines
Diff to previous 1.25 (colored)
openssl(1): drop support for netscape certificates and server gated keys. ok inoguchi jsing
Revision 1.25 / (download) - annotate - [select for diffs], Sat Oct 23 15:44:39 2021 UTC (2 years, 6 months ago) by tb
Branch: MAIN
Changes since 1.24: +11 -19 lines
Diff to previous 1.24 (colored)
Preapre x509.c for upcoming libcrypto bump ok beck jsing
Revision 1.24 / (download) - annotate - [select for diffs], Sun Aug 29 19:56:40 2021 UTC (2 years, 8 months ago) by schwarze
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE,
OPENBSD_7_0
Changes since 1.23: +7 -5 lines
Diff to previous 1.23 (colored)
Do not call X509_alias_get0(3) with NULL as the second argument. Even if the buffer is guaranteed to be NUL-terminated in a particular case, it is still setting a bad example. Besides, it is unclear to me whether there is any such guarantee in the case at hand. Checking that would require auditing all of d2i_X509_bio(3), ASN1_item_d2i_bio(&NETSCAPE_X509_it, ...), PEM_read_bio_X509_AUX(3), and PKCS12_parse(3), since no such guarantee is documented for any of these functions, and even then it would remain fragile with respect to later changes of implementation details. In the worst case, this could potentially result in a read buffer overrun. OK tb@ on an earlier version of this patch. While we are here, deraadt@ requested to not use the word "string" in the name of a variable that is not a string in the sense of the C language.
Revision 1.23 / (download) - annotate - [select for diffs], Wed Apr 7 10:44:03 2021 UTC (3 years, 1 month ago) by inoguchi
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE,
OPENBSD_6_9
Changes since 1.22: +71 -24 lines
Diff to previous 1.22 (colored)
Check function return value in openssl(1) x509.c input from bcook@, ok and comments from tb@
Revision 1.22 / (download) - annotate - [select for diffs], Wed Apr 7 10:29:58 2021 UTC (3 years, 1 month ago) by inoguchi
Branch: MAIN
Changes since 1.21: +7 -3 lines
Diff to previous 1.21 (colored)
Avoid leak in error path ok and input from tb@
Revision 1.21 / (download) - annotate - [select for diffs], Thu Apr 1 10:47:38 2021 UTC (3 years, 1 month ago) by inoguchi
Branch: MAIN
Changes since 1.20: +17 -18 lines
Diff to previous 1.20 (colored)
Compare the pointer variable explicitly with NULL in if condition
Revision 1.20 / (download) - annotate - [select for diffs], Fri Mar 26 13:46:25 2021 UTC (3 years, 1 month ago) by inoguchi
Branch: MAIN
Changes since 1.19: +110 -67 lines
Diff to previous 1.19 (colored)
Sort header files and wrap long lines in x509.c
Revision 1.19 / (download) - annotate - [select for diffs], Wed Mar 24 12:09:16 2021 UTC (3 years, 1 month ago) by inoguchi
Branch: MAIN
Changes since 1.18: +747 -414 lines
Diff to previous 1.18 (colored)
Convert openssl(1) x509 option handling Apply new option handling to openssl(1) x509. To handle incremental order value, using newly added OPTION_ORDER. I left the descriptions for -CAform, -inform, and -outform as it was, for now. These description would be fixed. And digest option handler could be consolidated to one between some subcommands in the future. ok and comments from tb@, and "I'd move forward with your current plan." from jsing@
Revision 1.18 / (download) - annotate - [select for diffs], Sun May 10 17:13:31 2020 UTC (4 years ago) by beck
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE,
OPENBSD_6_8
Changes since 1.17: +16 -5 lines
Diff to previous 1.17 (colored)
Make openssl X509 handle the failure case return code from X509_time_cmp. While we are in here also make it notice if time values in a certificate are bogus, and say so in the output. ok bcook@ jsing@
Revision 1.17 / (download) - annotate - [select for diffs], Sat Jan 19 21:17:05 2019 UTC (5 years, 3 months ago) by jsg
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE,
OPENBSD_6_7,
OPENBSD_6_6_BASE,
OPENBSD_6_6,
OPENBSD_6_5_BASE,
OPENBSD_6_5
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)
change the default digest used by openssl x509 -fingerprint openssl crl -fingerprint from sha1 to sha256 ok jsing@
Revision 1.16 / (download) - annotate - [select for diffs], Wed Feb 7 05:47:55 2018 UTC (6 years, 3 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE,
OPENBSD_6_4,
OPENBSD_6_3_BASE,
OPENBSD_6_3
Changes since 1.15: +6 -6 lines
Diff to previous 1.15 (colored)
Indent labels with a single space so that diff prototypes are more useful.
Revision 1.15 / (download) - annotate - [select for diffs], Wed Feb 7 04:57:06 2018 UTC (6 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.14: +2 -3 lines
Diff to previous 1.14 (colored)
Remove guards around *_free() calls since these functions handle NULL.
Revision 1.14 / (download) - annotate - [select for diffs], Fri Jan 20 08:57:12 2017 UTC (7 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE,
OPENBSD_6_2,
OPENBSD_6_1_BASE,
OPENBSD_6_1
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)
rearrange pledge promises into the canonical order; easier to eyeball
Revision 1.13 / (download) - annotate - [select for diffs], Fri Dec 30 16:28:53 2016 UTC (7 years, 4 months ago) by jsing
Branch: MAIN
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)
Expand ASN1_ITEM_rptr macros here as well... used with NETSCAPE_X509 of all things...
Revision 1.12 / (download) - annotate - [select for diffs], Sat Oct 17 15:00:11 2015 UTC (8 years, 7 months ago) by doug
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE,
OPENBSD_6_0,
OPENBSD_5_9_BASE,
OPENBSD_5_9
Changes since 1.11: +4 -2 lines
Diff to previous 1.11 (colored)
Exit if a pledge call fails in non-interactive mode. ok semarie@
Revision 1.11 / (download) - annotate - [select for diffs], Sat Oct 17 07:51:10 2015 UTC (8 years, 7 months ago) by semarie
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)
add "tty" for several subcommands of openssl
it is needed in order to let libssl UI_* function plays with echo on/off when
asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls
fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several
with and ok doug@
Revision 1.10 / (download) - annotate - [select for diffs], Sat Oct 10 22:28:51 2015 UTC (8 years, 7 months ago) by doug
Branch: MAIN
Changes since 1.9: +6 -1 lines
Diff to previous 1.9 (colored)
Initial support for pledges in openssl(1) commands. openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands. We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command. This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options. deraadt@ and beck@ are roughly fine with this approach.
Revision 1.9 / (download) - annotate - [select for diffs], Thu Oct 1 06:31:21 2015 UTC (8 years, 7 months ago) by jsing
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)
Another s/M_ASN1_INTEGER_free/ASN1_INTEGER_free/. Found the hard way by Mark Patruck.
Revision 1.8 / (download) - annotate - [select for diffs], Mon Sep 21 13:32:55 2015 UTC (8 years, 7 months ago) by bcook
Branch: MAIN
Changes since 1.7: +5 -1 lines
Diff to previous 1.7 (colored)
add a missing NULL check noted by Bill Parker (dogbert2) on github
Revision 1.7 / (download) - annotate - [select for diffs], Mon Sep 21 13:13:06 2015 UTC (8 years, 7 months ago) by bcook
Branch: MAIN
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)
remove vestigial bits of sha-0 and md2 from openssl(1) Noted by kinichiro on github. We probably need a better way to indicate the list of message digests that are allowed, as the current ones are nowhere near exhaustive (sigh - guenther@) OK guenther@ jmc@
Revision 1.6 / (download) - annotate - [select for diffs], Fri Sep 11 14:30:23 2015 UTC (8 years, 8 months ago) by bcook
Branch: MAIN
Changes since 1.5: +6 -24 lines
Diff to previous 1.5 (colored)
Remove engine command and parameters from openssl(1). We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all. ok jsing@
Revision 1.5 / (download) - annotate - [select for diffs], Sat Aug 22 16:36:05 2015 UTC (8 years, 8 months ago) by jsing
Branch: MAIN
Changes since 1.4: +1 -3 lines
Diff to previous 1.4 (colored)
Remove all duplicate prototypes for *_main functions (these are already provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere). ok deraadt@ doug@
Revision 1.4 / (download) - annotate - [select for diffs], Sun Jul 19 03:18:10 2015 UTC (8 years, 10 months ago) by doug
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE,
OPENBSD_5_8
Changes since 1.3: +2 -1 lines
Diff to previous 1.3 (colored)
Free variable before potentially reusing. Fixes coverity 78824. ok bcook@ miod@
Revision 1.3 / (download) - annotate - [select for diffs], Sat Jun 20 01:07:25 2015 UTC (8 years, 11 months ago) by doug
Branch: MAIN
Changes since 1.2: +2 -2 lines
Diff to previous 1.2 (colored)
Remove obsolete MDC-2DES from libcrypto. ok deraadt@ jsing@ miod@
Revision 1.2 / (download) - annotate - [select for diffs], Thu Aug 28 14:23:52 2014 UTC (9 years, 8 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE,
OPENBSD_5_7
Changes since 1.1: +1 -3 lines
Diff to previous 1.1 (colored)
openssl_setup() calls SSL_load_error_strings(), which happens to call ERR_load_crypto_strings() - as such, we do not need to call the same function from most of the applications.
Revision 1.1 / (download) - annotate - [select for diffs], Tue Aug 26 17:47:25 2014 UTC (9 years, 8 months ago) by jsing
Branch: MAIN
Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl, since it is not a system/superuser binary. At the same time, move the source code from its current lib/libssl/src/apps location to a more appropriate home under usr.bin/openssl. ok deraadt@ miod@