Ything-RepoMirrors/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2026-01-25 11:07:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
38,384 Commits 37 Branches 420 Tags
feature/ech
Commit Graph

164 Commits

Author SHA1 Message Date
Igor Ustinov
bd91eb6658 dgst and mac apps: Added new ways for obtaining a MAC key 
Resolves #24584

It is now possible to obtain a MAC key from an environment variable,
a file or read it from the standard input.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28160)
 2025-09-09 09:58:10 +02:00
Eugene Syromiatnikov
3f77491cb3 apps: remove chopup_args() 
The last (and only?) user has been removed in commit eca4713913 "APPS:
Drop interactive mode in the 'openssl' program".

Complements: eca4713913 "APPS: Drop interactive mode in the 'openssl' program"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28441)
 2025-09-08 15:04:14 -04:00
Eugene Syromiatnikov
4f288b60e8 apps: introduce app_malloc_array() 
Similar to app_malloc(), provides a wrapper for OPENSSL_malloc_array()
that bails out when a NULL pointer is returned.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28444)
 2025-09-07 07:22:24 -04:00
Norbert Pocs
af2aaf3271 Deprecate ASN1_METH internal usage 
Some of them are needed and were kept by adding `#include
"internal/deprecated"` and some had to be turned off.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27727)
 2025-07-17 11:25:18 -04:00
openssl-machine
0c679f5566 Copyright year updates 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
 2025-03-12 13:35:59 +00:00
Rajeev Ranjan
0048817523 CMP: add support for central key generation 
- add testcase for central keygen
- add documentation

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25132)
 2025-01-27 08:56:46 +01:00
Viktor Dukhovni
38a0926528 Support CLI and API setting of provider configuration parameters 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26427)
 2025-01-18 03:46:37 +11:00
shridhar kalavagunta
21f72fa4c8 genpkey: Avoid leaving empty file if encryption passphrase does not match 
Fixes #25440

Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26081)
 2025-01-15 13:26:41 +01:00
FdaSilvaYY
23b795d34f apps: directly inclusion of "e_os.h when needed 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14344)
 2024-09-05 17:02:51 +02:00
Tomas Mraz
7ed6de997f Copyright year updates 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
 2024-09-05 09:35:49 +02:00
Dimitri Papadopoulos
8f250985ad Fix typos found by codespell 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/24691)
 2024-06-24 15:09:11 +02:00
Dr. David von Oheimb
40a200f9e7 CMP: add support for genm with crlStatusList and genp with crls 
Introduce the capability to retrieve and update Certificate Revocation Lists
(CRLs) in the CMP client, as specified in section 4.3.4 of RFC 9483.

To request a CRL update, the CMP client can send a genm message with the
option -infotype crlStatusList. The server will respond with a genp message
containing the updated CRL, using the -infoType id-it-crls. The client can
then save the CRL in a specified file using the -crlout parameter.

Co-authored-by: Rajeev Ranjan <ranjan.rajeev@siemens.com>

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23768)
 2024-05-01 14:58:35 +02:00
Stephan Wurm
8120223773 apps: ca,req,x509: Add explicit start and end dates options 
- Added options `-not_before` (start date) and `-not-after` (end date)
  for explicit setting of the validity period of a certificate in the
  apps `ca`, `req` and `x509`
- The new options accept time strings or "today"
- In app `ca`, use the new options as aliases of the already existing
  options `-startdate` and `-enddate`
- When used in apps `req` and `x509`, the end date must be >= the start
  date, in app `ca` end date < start date is also accepted
- In any case, `-not-after` overrides the `-days` option
- Added helper function `check_cert_time_string` to validate given
  certificate time strings
- Use the new helper function in apps `ca`, `req` and `x509`
- Moved redundant code for time string checking into `set_cert_times`
  helper function.
- Added tests for explicit start and end dates in apps `req` and `x509`
- test: Added auxiliary functions for parsing fields from `-text`
  formatted output to `tconversion.pl`
- CHANGES: Added to new section 3.4

Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21716)
 2024-04-09 20:13:31 +02:00
Markus Minichmayr
b8590b2f36 Add option SSL_OP_PREFER_NO_DHE_KEX, allowing the server to prefer non-dhe psk key exchange over psk with dhe (config file option PreferNoDHEKEX, server option prefer_no_dhe_kex). 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22794)
 2023-11-24 15:08:04 +00:00
Dimitri Papadopoulos
bbaeadb068 "foo * bar" should be "foo *bar" 
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21468)
 2023-09-11 10:15:30 +02:00
Matt Caswell
da1c088f59 Copyright year updates 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
 2023-09-07 09:59:15 +01:00
Dr. David von Oheimb
01b0485131 CMP: add support for genm with rootCaCert and genp with rootCaKeyUpdate 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21129)
 2023-07-17 08:48:36 +10:00
Dr. Matthias St. Pierre
34df960a75 apps/asn1parse: improve RFC7462 compliance 
The asn1parse command now supports three different input formats:

     openssl asn1parse -inform PEM|DER|B64

       PEM: base64 encoded data enclosed by PEM markers (RFC7462)
       DER: der encoded binary data
       B64: raw base64 encoded data

The PEM input format is the default format. It is equivalent
to the former `-strictpem` option which is now marked obsolete
and kept for backward compatibility only.

The B64 is equivalent to the former default input format of the
asn1parse command (without `-strictpem`)

Fixes #7317

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7320)
 2023-06-09 09:47:34 +02:00
Dr. Matthias St. Pierre
ca857d7332 apps/opt: refactor input format parsing 
- split OPT_FMT_PEMDER flag into OPT_FMT_PEM and OPT_FMT_DER
- add OPT_FMT_B64 option (`-inform b64`)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7320)
 2023-06-09 09:47:34 +02:00
Dr. David von Oheimb
b77826877b APPS: replace awkward and error-prone pattern by calls to new app_conf_try_number() 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
 2023-05-25 09:04:35 +02:00
Dr. David von Oheimb
da7f81d393 APPS: replace awkward and error-prone pattern by calls to new app_conf_try_string() 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
 2023-05-25 09:04:35 +02:00
Matt Caswell
f34e5d7a12 Add QUIC support to s_client 
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20580)
 2023-05-08 10:13:39 +01:00
Tianjia Zhang
a75f707fca apps: silent warning when loading CSR files with vfyopt option 
When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:

  Warning: CSR self-signature does not match the contents

This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)
 2023-05-03 09:48:17 +02:00
Dr. David von Oheimb
0e89b39619 apps/x509 etc.: allow private key input when public key is expected 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
 2023-03-14 17:26:49 +01:00
Dr. David von Oheimb
6f88876d4e cmp_client_test.c: add tests for errors reported by server on subsequent requests in a transaction 
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
 2023-02-08 17:05:47 +01:00
Dr. David von Oheimb
342e3652c7 APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
 2023-01-24 15:16:47 +01:00
Todd Short
b67cb09f8d Add support for compressed certificates (RFC8879) 
* Compressed Certificate extension (server/client)
* Server certificates (send/receive)
* Client certificate (send/receive)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18186)
 2022-10-18 09:30:22 -04:00
Dr. David von Oheimb
200d844782 APPS: Move load_csr_autofmt() from apps/cmp.c to apps.c and use it also for apps, too 
Also add related references to FR #15725.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18900)
 2022-09-20 20:59:50 +02:00
Dr. David von Oheimb
8a2ec00d7f apps/lib/http_server.{c,h}: clean up logging and move it to log.{c,h} 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)
 2022-09-07 23:04:25 +02:00
Dr. David von Oheimb
5e87fddc97 apps/ocsp.c etc.: rename 'multi' to 'n_responders' for clarity 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)
 2022-09-07 23:04:25 +02:00
Dr. David von Oheimb
8aff29f020 APPS HTTP server: trace requests and responses when enabled 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)
 2022-09-07 23:04:25 +02:00
Dr. David von Oheimb
ec8a340948 APPS/x509: With -CA but both -CAserial and -CAcreateserial not given, use random serial. 
Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
 2022-07-14 07:23:58 +01:00
Hugo Landau
5317b6ee1f Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats 
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17937)
 2022-06-22 09:36:14 +02:00
Matt Caswell
fecb3aae22 Update copyright year 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
 2022-05-03 13:34:51 +01:00
Todd Short
a3e53d5683 Add TFO support to socket BIO and s_client/s_server 
Supports Linux, MacOS and FreeBSD
Disabled by default, enabled via `enabled-tfo`
Some tests

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8692)
 2022-03-10 10:42:43 -05:00
Armin Fuerst
065121ff19 Add tests for do_updatedb 
Fixes #13944

Moved "opt_printf_stderr" out of apps.c to avoid duplicate definition in tests.

Added function "asn1_string_to_time_t" including tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17645)
 2022-02-14 10:18:46 +01:00
Richard Levitte
d5f9166bac Move e_os.h to include/internal 
Including e_os.h with a path from a header file doesn't work well on
certain exotic platform.  It simply fails to build.

Since we don't seem to be able to stop ourselves, the better move is
to move e_os.h to an include directory that's part of the inclusion
path given to the compiler.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17641)
 2022-02-05 05:31:09 +01:00
Todd Short
9d987de3aa Fix copyrights 
Add copyright to files that were missing it.
Update license from OpenSSL to Apache as needed.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17606)
 2022-02-03 13:56:38 +01:00
yangyangtiantianlonglong
a829d53a14 apps: Add option -no_ems to s_client/s_server apps 
The option SSL_OP_NO_EXTENDED_MASTER_SECRET was added in #3910.
And it is valid for versions below (D)TLS 1.2.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17597)
 2022-01-28 15:32:58 +01:00
Philip Prindeville
e1cd94f2dc Standardize progress callback for dhparam, dsaparam, etc. 
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17359)
 2022-01-21 15:44:28 +01:00
Dr. David von Oheimb
2c2724476e APPS: Add check for multiple 'unknown' options 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16416)
 2022-01-11 12:45:33 +01:00
Dimitris Apostolou
e304aa87b3 Fix typos 
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17392)
 2022-01-05 12:37:20 +01:00
Dr. David von Oheimb
b971d4198d CMP mock server: add -ref_cert option and corresponding ossl_cmp_mock_srv_set1_refCert() 
Fixes #16041

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16050)
 2022-01-04 17:04:56 +01:00
Dr. David von Oheimb
d9f073575f APPS: Improve diagnostics on missing/extra args and unknown cipher/digest 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16450)
 2021-12-07 15:26:40 +01:00
Rami Khaldi
9567fd3819 x509: Return a nonzero exit code on error when checking ip/email/host 
In the x509 app when doing the ip/email/host validation of a
certificate we return nonzero exit code if the validation fails.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17022)
 2021-11-24 11:37:49 +01:00
Dr. David von Oheimb
4599ea9fe3 Fix HTTP server port output and allow dynamic verbosity setting 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16061)
 2021-11-22 15:38:39 +01:00
Dr. David von Oheimb
af16097feb Move more general parts of internal/cryptlib.h to new internal/common.h 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
 2021-11-17 15:48:37 +01:00
Dr. David von Oheimb
747adb6a01 Add and use HAS_CASE_PREFIX(), CHECK_AND_SKIP_CASE_PREFIX(), and HAS_CASE_SUFFIX() 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
 2021-11-17 15:48:37 +01:00
Dr. David von Oheimb
2ff286c26c Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
 2021-11-17 15:48:34 +01:00
Dr. David von Oheimb
adbd77f6d7 X509: Fix handling of AKID and SKID extensions according to configuration 
Fixes #16300

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
 2021-11-11 20:18:55 +01:00