Age | Commit message (Collapse) | Author |
|
|
|
prompted by a mail from jiri navratil
help/ok sthen
|
|
|
|
|
|
|
|
|
|
ok jcs@ deraadt@ theo@
|
|
|
|
From todd@
|
|
|
|
|
|
ok semarie@
|
|
it is needed in order to let libssl UI_* function plays with echo on/off when
asking for password on terminal.
passwd subcommand needs additionnal "wpath cpath" in order to let it calls
fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC).
problem reported by several
with and ok doug@
|
|
use pledge and file locking. OK deraadt@
|
|
openssl(1) has two mechanisms for operating: either a single execution
of one command (looking at argv[0] or argv[1]) or as an interactive
session than may execute any number of commands.
We already have a top level pledge that should cover all commands
and that's what interactive mode must continue using. However, we can
tighten up the pledges when only executing one command.
This is an initial stab at support and may contain regressions. Most
commands only need "stdio rpath wpath cpath". The pledges could be
further restricted by evaluating the situation after parsing options.
deraadt@ and beck@ are roughly fine with this approach.
|
|
which i have put in that order). this is not important, but helps look
for outliers which might be strange. it hints that "ioctl" should be
reassessed in a few places, to see if "tty" is better; that "unix" may
be used in some places where "route" could now work.
|
|
|
|
all the wading in here. "proc" is for the speed command, which fork()'s.
ok doug
|
|
|
|
http://marc.info/?l=openssl-dev&m=144374015404899&w=2
ok doug
|
|
|
|
Found the hard way by Mark Patruck.
|
|
noted by Bill Parker (dogbert2) on github
|
|
noted by Bill Parker (dogbert2) on github
|
|
Noted by kinichiro on github. We probably need a better way to indicate the
list of message digests that are allowed, as the current ones are nowhere near
exhaustive (sigh - guenther@)
OK guenther@ jmc@
|
|
line in the summary.
|
|
|
|
MD4 should have been removed a long time ago. Also, RFC 6150 moved it to
historic in 2011. Rides the major crank from removing SHA-0.
Discussed with many including beck@, millert@, djm@, sthen@
ok jsing@, input + ok bcook@
|
|
|
|
This pulls out and renames setup_ui/destroy_ui so we have something that
can be replaced as-needed, moving the the console setup code for Windows
to app_win.c in -portable, instead of needing a local patch to enable binary
console mode
ui_read/write are also simplified.
|
|
ok jmc@
|
|
|
|
has been superseded by OPENSSL_CONF and discouraged from use for almost
16 years.
"Definately ok" jsing@
"burn it" deraadt@
"Kill it with fire" miod@
"KILL IT WITH FIRE!!! BURN!!!!" beck@
|
|
This adds aes-128-gcm aes-256-gcm chacha20-poly1305
from Adam Langley's original patch for OpenSSL
ok beck@ jsing@
|
|
primality, do not unnecessarily convert the original decimal number to
hex in the output.
Hex numbers explicitly specified with -hex remain unchanged.
ok beck@ deraadt@ jsing@ miod@
|
|
|
|
ok deraadt@
|
|
ok jsing@
|
|
flag. Pointed out by jmc@'s commit to the openssl(1) man page.
|
|
We do not have any builtin or dynamic engines, meaning openssl(1) has
no way to use the engine command or parameters at all.
ok jsing@
|
|
|
|
|
|
perform a proper shutdown by sending a "close notify" alert to the
server. This allows s_time to benchmark a full TLS connection
more accurately.
Introduce a new flag called -no_shutdown to make s_time adopt the
previous behavior (i.e. shut down the connection without notifying the
server) so that comparisons can still be made with OpenSSL's version.
The idea of using a flag (which replaces a #define) was suggested by
bcook@. Thanks to millert@ and miod@ as well for their feedback on an
earlier diff which resulted in this change.
ok bcook@ beck@
|
|
|
|
|
|
|
|
|
|
's_time -verify 1' will now actually verify the peer certificate.
ok beck@
|
|
No binary change.
ok millert@ miod@
|
|
ok deraadt@ miod@
|