summaryrefslogtreecommitdiff
path: root/usr.bin/openssl
AgeCommit message (Collapse)Author
2016-02-12word fix from previous; ok sthenJason McIntyre
2016-02-08sslv3 has been removed;Jason McIntyre
prompted by a mail from jiri navratil help/ok sthen
2015-12-24more e-mail -> emailmmcc
2015-12-23remove NULL-check before free()mmcc
2015-12-01s_server also needs DNS; reported by tb@Jeremie Courreges-Anglas
2015-12-01Undo previous, pledge("dns") was already present. The problem was in s_server.Jeremie Courreges-Anglas
2015-12-01pledge dns so openssl can use dns.. noticed and fix by todd@Bob Beck
ok jcs@ deraadt@ theo@
2015-11-21In pledge(), put "dns" right after "inet".Jeremie Courreges-Anglas
2015-11-21Unbreak s_client, which should be allowed by pledge(2) to do DNS requests.Jeremie Courreges-Anglas
From todd@
2015-11-20do not need sys/param.hTheo de Raadt
2015-11-14mutli -> multiMiod Vallat
2015-10-17Exit if a pledge call fails in non-interactive mode.Doug Hogan
ok semarie@
2015-10-17add "tty" for several subcommands of opensslSebastien Marie
it is needed in order to let libssl UI_* function plays with echo on/off when asking for password on terminal. passwd subcommand needs additionnal "wpath cpath" in order to let it calls fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC). problem reported by several with and ok doug@
2015-10-16Implement real "flock" request and add it to userland programs thatTodd C. Miller
use pledge and file locking. OK deraadt@
2015-10-10Initial support for pledges in openssl(1) commands.Doug Hogan
openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session than may execute any number of commands. We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command. This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options. deraadt@ and beck@ are roughly fine with this approach.
2015-10-10normalize the ordering of tame requests (particularily, "rpath wpath cpath",Theo de Raadt
which i have put in that order). this is not important, but helps look for outliers which might be strange. it hints that "ioctl" should be reassessed in a few places, to see if "tty" is better; that "unix" may be used in some places where "route" could now work.
2015-10-09Change all tame callers to namechange to pledge(2).Theo de Raadt
2015-10-07tame "stdio inet rpath cpath wpath proc" seems to be sufficient forTheo de Raadt
all the wading in here. "proc" is for the speed command, which fork()'s. ok doug
2015-10-06these do not use ioctl.hTheo de Raadt
2015-10-03BIO_get_fd() could return fd 0; fix error condition. Found atTheo de Raadt
http://marc.info/?l=openssl-dev&m=144374015404899&w=2 ok doug
2015-10-02avoid sys/param.h, by using PATH_MAXTheo de Raadt
2015-10-01Another s/M_ASN1_INTEGER_free/ASN1_INTEGER_free/.Joel Sing
Found the hard way by Mark Patruck.
2015-09-21add a missing NULL checkBrent Cook
noted by Bill Parker (dogbert2) on github
2015-09-21add a couple of missing NULL checksBrent Cook
noted by Bill Parker (dogbert2) on github
2015-09-21remove vestigial bits of sha-0 and md2 from openssl(1)Brent Cook
Noted by kinichiro on github. We probably need a better way to indicate the list of message digests that are allowed, as the current ones are nowhere near exhaustive (sigh - guenther@) OK guenther@ jmc@
2015-09-20Pack the algorithm numbers, to avoid printing a useless (null) 0 0 0 0Miod Vallat
line in the summary.
2015-09-14Temporarily revive MD4 for MS CHAP support.Doug Hogan
2015-09-13Remove MD4 support from LibreSSL.Doug Hogan
MD4 should have been removed a long time ago. Also, RFC 6150 moved it to historic in 2011. Rides the major crank from removing SHA-0. Discussed with many including beck@, millert@, djm@, sthen@ ok jsing@, input + ok bcook@
2015-09-13nc(1) seems worth an Xr in SEE ALSO now;Jason McIntyre
2015-09-13Factor out setup_up / destroy_ui functions.Brent Cook
This pulls out and renames setup_ui/destroy_ui so we have something that can be replaced as-needed, moving the the console setup code for Windows to app_win.c in -portable, instead of needing a local patch to enable binary console mode ui_read/write are also simplified.
2015-09-13document extra algorithms available with openssl speed commandBrent Cook
ok jmc@
2015-09-13tweak STANDARDS;Jason McIntyre
2015-09-12Nuke SSLEAY_CONF -- a backwards compatibility environment variable thatLawrence Teo
has been superseded by OPENSSL_CONF and discouraged from use for almost 16 years. "Definately ok" jsing@ "burn it" deraadt@ "Kill it with fire" miod@ "KILL IT WITH FIRE!!! BURN!!!!" beck@
2015-09-12Add openssl(1) speed support for AEAD algorithms.Brent Cook
This adds aes-128-gcm aes-256-gcm chacha20-poly1305 from Adam Langley's original patch for OpenSSL ok beck@ jsing@
2015-09-12Fix the openssl(1) prime command: When checking a decimal number forLawrence Teo
primality, do not unnecessarily convert the original decimal number to hex in the output. Hex numbers explicitly specified with -hex remain unchanged. ok beck@ deraadt@ jsing@ miod@
2015-09-11unifdef -DOPENSSL_NO_RC5Joel Sing
2015-09-11kill evil commentBob Beck
ok deraadt@
2015-09-11fix unchecked mallocs - coverity 130454 and 130455Bob Beck
ok jsing@
2015-09-11"Shutdown" should be "Shut down" in the usage for s_time's -no_shutdownLawrence Teo
flag. Pointed out by jmc@'s commit to the openssl(1) man page.
2015-09-11Remove engine command and parameters from openssl(1).Brent Cook
We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all. ok jsing@
2015-09-11remove stupid castsTheo de Raadt
2015-09-11shutdown (n.) -> shut down (v.);Jason McIntyre
2015-09-11Change the default behavior of the s_time command so that it willLawrence Teo
perform a proper shutdown by sending a "close notify" alert to the server. This allows s_time to benchmark a full TLS connection more accurately. Introduce a new flag called -no_shutdown to make s_time adopt the previous behavior (i.e. shut down the connection without notifying the server) so that comparisons can still be made with OpenSSL's version. The idea of using a flag (which replaces a #define) was suggested by bcook@. Thanks to millert@ and miod@ as well for their feedback on an earlier diff which resulted in this change. ok bcook@ beck@
2015-09-11*** empty log message ***Lawrence Teo
2015-09-10Nuke references to DTLS1_BAD_VER and unbreak the tree.Joel Sing
2015-09-10Remove call to CRYPTO_malloc_init(), which does nothing.Joel Sing
2015-09-10Correct spelling of OPENSSL_cleanse.Joel Sing
2015-09-10Fix shadowed verify_error in s_server by removing the unused global.Brent Cook
's_time -verify 1' will now actually verify the peer certificate. ok beck@
2015-09-10Remove SOCKET_PROTOCOL, a redundant define that was only used once.Lawrence Teo
No binary change. ok millert@ miod@
2015-09-10Remove unused defines. No binary change.Lawrence Teo
ok deraadt@ miod@