Ything-RepoMirrors/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2026-01-25 02:56:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
38,829 Commits 37 Branches 420 Tags
master
Commit Graph

175 Commits

Author SHA1 Message Date
Dr. David von Oheimb
2f949642a1 apps/lib/apps.c: fix load_certs_multifile() and load_certstore() w.r.t. password source vs. actual password 
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28477)
 2026-01-07 12:56:15 +01:00
Andrew Dinh
6821363f28 Add no-ssl3 back as a no-op 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29338)
 2025-12-23 10:54:08 -05:00
Kurt Roeckx
60c15b2aff Remove support for SSLv3 
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29338)
 2025-12-23 10:54:06 -05:00
Viktor Dukhovni
473dff4781 New -encopt option for pkey(1) and genpkey(1) 
This allows setting the ML-KEM and ML-DSA output formats.
At the same fixing surprising lack of password encryption
of PKCS#8 private keys in DER output form in the CLI apps.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29324)
 2025-12-17 13:40:17 +01:00
Dmitry Belyavskiy
d328874645 Document skey decoder 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
(Merged from https://github.com/openssl/openssl/pull/28278)
 2025-12-10 12:20:44 -05:00
Dmitry Belyavskiy
1b0f21f055 Implementing store support for EVP_SKEY 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Simo Sorce <simo@redhat.com>
(Merged from https://github.com/openssl/openssl/pull/28278)
 2025-12-10 12:20:44 -05:00
Bob Beck
2fab90bb5e 4.0-POST-CLANG-FORMAT-WEBKIT 
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29242)
 2025-12-09 00:28:19 -07:00
Norbert Pocs
4e96426a8d apps: Remove opt_legacy_okay function 
The function used to check for ENGINEs to determine if a legacy code
path is available, but it makes no sense to keep it after the ENGINE
removal, as the legacy path will always fail.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
 2025-12-04 07:32:18 -05:00
Milan Broz
bf24dd887c Remove engine.h includes for internal code. 
This should no be used anywhere, as typedef for ENGINE is in types.h.

Only apps should include this header for compatibility stubs.

Signed-off-by: Milan Broz <gmazyland@gmail.com>

Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
 2025-12-04 07:32:18 -05:00
Norbert Pocs
9425238145 apps/: Remove "-keyform engine" 
Resolves: https://github.com/openssl/project/issues/1354

Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
 2025-12-04 07:31:06 -05:00
Norbert Pocs
26b1723ed4 apps/: Remove engines 
Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29305)
 2025-12-04 07:31:05 -05:00
Igor Ustinov
bd91eb6658 dgst and mac apps: Added new ways for obtaining a MAC key 
Resolves #24584

It is now possible to obtain a MAC key from an environment variable,
a file or read it from the standard input.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28160)
 2025-09-09 09:58:10 +02:00
Eugene Syromiatnikov
3f77491cb3 apps: remove chopup_args() 
The last (and only?) user has been removed in commit eca4713913 "APPS:
Drop interactive mode in the 'openssl' program".

Complements: eca4713913 "APPS: Drop interactive mode in the 'openssl' program"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28441)
 2025-09-08 15:04:14 -04:00
Eugene Syromiatnikov
4f288b60e8 apps: introduce app_malloc_array() 
Similar to app_malloc(), provides a wrapper for OPENSSL_malloc_array()
that bails out when a NULL pointer is returned.

Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28444)
 2025-09-07 07:22:24 -04:00
Norbert Pocs
af2aaf3271 Deprecate ASN1_METH internal usage 
Some of them are needed and were kept by adding `#include
"internal/deprecated"` and some had to be turned off.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27727)
 2025-07-17 11:25:18 -04:00
openssl-machine
0c679f5566 Copyright year updates 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
 2025-03-12 13:35:59 +00:00
Rajeev Ranjan
0048817523 CMP: add support for central key generation 
- add testcase for central keygen
- add documentation

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25132)
 2025-01-27 08:56:46 +01:00
Viktor Dukhovni
38a0926528 Support CLI and API setting of provider configuration parameters 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26427)
 2025-01-18 03:46:37 +11:00
shridhar kalavagunta
21f72fa4c8 genpkey: Avoid leaving empty file if encryption passphrase does not match 
Fixes #25440

Reviewed-by: Hugo Landau <hlandau@devever.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26081)
 2025-01-15 13:26:41 +01:00
FdaSilvaYY
23b795d34f apps: directly inclusion of "e_os.h when needed 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14344)
 2024-09-05 17:02:51 +02:00
Tomas Mraz
7ed6de997f Copyright year updates 
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
 2024-09-05 09:35:49 +02:00
Dimitri Papadopoulos
8f250985ad Fix typos found by codespell 
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/24691)
 2024-06-24 15:09:11 +02:00
Dr. David von Oheimb
40a200f9e7 CMP: add support for genm with crlStatusList and genp with crls 
Introduce the capability to retrieve and update Certificate Revocation Lists
(CRLs) in the CMP client, as specified in section 4.3.4 of RFC 9483.

To request a CRL update, the CMP client can send a genm message with the
option -infotype crlStatusList. The server will respond with a genp message
containing the updated CRL, using the -infoType id-it-crls. The client can
then save the CRL in a specified file using the -crlout parameter.

Co-authored-by: Rajeev Ranjan <ranjan.rajeev@siemens.com>

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23768)
 2024-05-01 14:58:35 +02:00
Stephan Wurm
8120223773 apps: ca,req,x509: Add explicit start and end dates options 
- Added options `-not_before` (start date) and `-not-after` (end date)
  for explicit setting of the validity period of a certificate in the
  apps `ca`, `req` and `x509`
- The new options accept time strings or "today"
- In app `ca`, use the new options as aliases of the already existing
  options `-startdate` and `-enddate`
- When used in apps `req` and `x509`, the end date must be >= the start
  date, in app `ca` end date < start date is also accepted
- In any case, `-not-after` overrides the `-days` option
- Added helper function `check_cert_time_string` to validate given
  certificate time strings
- Use the new helper function in apps `ca`, `req` and `x509`
- Moved redundant code for time string checking into `set_cert_times`
  helper function.
- Added tests for explicit start and end dates in apps `req` and `x509`
- test: Added auxiliary functions for parsing fields from `-text`
  formatted output to `tconversion.pl`
- CHANGES: Added to new section 3.4

Signed-off-by: Stephan Wurm <atomisirsi@gsklan.de>

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21716)
 2024-04-09 20:13:31 +02:00
Markus Minichmayr
b8590b2f36 Add option SSL_OP_PREFER_NO_DHE_KEX, allowing the server to prefer non-dhe psk key exchange over psk with dhe (config file option PreferNoDHEKEX, server option prefer_no_dhe_kex). 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22794)
 2023-11-24 15:08:04 +00:00
Dimitri Papadopoulos
bbaeadb068 "foo * bar" should be "foo *bar" 
Found by running the checkpatch.pl Linux script to enforce coding style.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21468)
 2023-09-11 10:15:30 +02:00
Matt Caswell
da1c088f59 Copyright year updates 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
 2023-09-07 09:59:15 +01:00
Dr. David von Oheimb
01b0485131 CMP: add support for genm with rootCaCert and genp with rootCaKeyUpdate 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21129)
 2023-07-17 08:48:36 +10:00
Dr. Matthias St. Pierre
34df960a75 apps/asn1parse: improve RFC7462 compliance 
The asn1parse command now supports three different input formats:

     openssl asn1parse -inform PEM|DER|B64

       PEM: base64 encoded data enclosed by PEM markers (RFC7462)
       DER: der encoded binary data
       B64: raw base64 encoded data

The PEM input format is the default format. It is equivalent
to the former `-strictpem` option which is now marked obsolete
and kept for backward compatibility only.

The B64 is equivalent to the former default input format of the
asn1parse command (without `-strictpem`)

Fixes #7317

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7320)
 2023-06-09 09:47:34 +02:00
Dr. Matthias St. Pierre
ca857d7332 apps/opt: refactor input format parsing 
- split OPT_FMT_PEMDER flag into OPT_FMT_PEM and OPT_FMT_DER
- add OPT_FMT_B64 option (`-inform b64`)

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7320)
 2023-06-09 09:47:34 +02:00
Dr. David von Oheimb
b77826877b APPS: replace awkward and error-prone pattern by calls to new app_conf_try_number() 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
 2023-05-25 09:04:35 +02:00
Dr. David von Oheimb
da7f81d393 APPS: replace awkward and error-prone pattern by calls to new app_conf_try_string() 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20971)
 2023-05-25 09:04:35 +02:00
Matt Caswell
f34e5d7a12 Add QUIC support to s_client 
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20580)
 2023-05-08 10:13:39 +01:00
Tianjia Zhang
a75f707fca apps: silent warning when loading CSR files with vfyopt option 
When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:

  Warning: CSR self-signature does not match the contents

This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)
 2023-05-03 09:48:17 +02:00
Dr. David von Oheimb
0e89b39619 apps/x509 etc.: allow private key input when public key is expected 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19076)
 2023-03-14 17:26:49 +01:00
Dr. David von Oheimb
6f88876d4e cmp_client_test.c: add tests for errors reported by server on subsequent requests in a transaction 
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20190)
 2023-02-08 17:05:47 +01:00
Dr. David von Oheimb
342e3652c7 APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19271)
 2023-01-24 15:16:47 +01:00
Todd Short
b67cb09f8d Add support for compressed certificates (RFC8879) 
* Compressed Certificate extension (server/client)
* Server certificates (send/receive)
* Client certificate (send/receive)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18186)
 2022-10-18 09:30:22 -04:00
Dr. David von Oheimb
200d844782 APPS: Move load_csr_autofmt() from apps/cmp.c to apps.c and use it also for apps, too 
Also add related references to FR #15725.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18900)
 2022-09-20 20:59:50 +02:00
Dr. David von Oheimb
8a2ec00d7f apps/lib/http_server.{c,h}: clean up logging and move it to log.{c,h} 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)
 2022-09-07 23:04:25 +02:00
Dr. David von Oheimb
5e87fddc97 apps/ocsp.c etc.: rename 'multi' to 'n_responders' for clarity 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)
 2022-09-07 23:04:25 +02:00
Dr. David von Oheimb
8aff29f020 APPS HTTP server: trace requests and responses when enabled 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18434)
 2022-09-07 23:04:25 +02:00
Dr. David von Oheimb
ec8a340948 APPS/x509: With -CA but both -CAserial and -CAcreateserial not given, use random serial. 
Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
 2022-07-14 07:23:58 +01:00
Hugo Landau
5317b6ee1f Add deprecation macro for 3.1 and deprecate OPENSSL_LH_stats 
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17937)
 2022-06-22 09:36:14 +02:00
Matt Caswell
fecb3aae22 Update copyright year 
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
 2022-05-03 13:34:51 +01:00
Todd Short
a3e53d5683 Add TFO support to socket BIO and s_client/s_server 
Supports Linux, MacOS and FreeBSD
Disabled by default, enabled via `enabled-tfo`
Some tests

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8692)
 2022-03-10 10:42:43 -05:00
Armin Fuerst
065121ff19 Add tests for do_updatedb 
Fixes #13944

Moved "opt_printf_stderr" out of apps.c to avoid duplicate definition in tests.

Added function "asn1_string_to_time_t" including tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17645)
 2022-02-14 10:18:46 +01:00
Richard Levitte
d5f9166bac Move e_os.h to include/internal 
Including e_os.h with a path from a header file doesn't work well on
certain exotic platform.  It simply fails to build.

Since we don't seem to be able to stop ourselves, the better move is
to move e_os.h to an include directory that's part of the inclusion
path given to the compiler.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17641)
 2022-02-05 05:31:09 +01:00
Todd Short
9d987de3aa Fix copyrights 
Add copyright to files that were missing it.
Update license from OpenSSL to Apache as needed.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17606)
 2022-02-03 13:56:38 +01:00
yangyangtiantianlonglong
a829d53a14 apps: Add option -no_ems to s_client/s_server apps 
The option SSL_OP_NO_EXTENDED_MASTER_SECRET was added in #3910.
And it is valid for versions below (D)TLS 1.2.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17597)
 2022-01-28 15:32:58 +01:00