Commit graph

2352 commits

Author SHA1 Message Date
Kurt Roeckx
00f561ab9c Improve SSL_shutdown() documentation
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
GH: #7188
(cherry picked from commit 8e593f0a0d)
2018-09-16 13:43:17 +02:00
Matt Caswell
76864436b3 Don't allow -early_data with other options where it doesn't work
-early_data is not compatible with -www, -WWW, -HTTP or -rev.

Fixes #7200

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7206)

(cherry picked from commit 6ef40f1fc0)
2018-09-13 10:10:13 +01:00
Matt Caswell
1212818eb0 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7176)
2018-09-11 13:45:17 +01:00
Matt Caswell
7789055376 Remove a reference to SSL_force_post_handshake_auth()
That function was removed in favour of SSL_set_post_handshake_auth().
Update the docs accordingly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7139)
2018-09-07 11:17:55 +01:00
Paul Yang
f922dac87d Add missing SM2err and fix doc nits
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
81c7945388 Allow EVP_MD_CTX_set_pkey_ctx to accept NULL pctx
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
571286b0a4 Add a SM2(7) man page
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
675f4ceef8 Update document for SM2 stuffs
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
d3a9fb10ee Support EdDSA in apps/speed
This addresses issue #6922.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7073)
2018-09-07 14:39:19 +08:00
Matt Caswell
8ec2bde994 Clarify the return value of SSL_client_version()
The SSL_client_version() function returns the value held in the
legacy_version field of the ClientHello. This is never greater than
TLSv1.2, even if TLSv1.3 later gets negotiated.

Fixes #7079

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7095)
2018-09-04 11:34:40 +01:00
Matt Caswell
f097e87598 Clarify the EVP_DigestSignInit docs
They did not make it clear how the memory management works for the |pctx|
parameter.

Fixes #7037

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7042)
2018-09-04 11:16:05 +01:00
Jakub Wilk
785e614a95 Fix example in crl(1) man page
The default input format is PEM, so explicit "-inform DER" is needed to
read DER-encoded CRL.

CLA: trivial

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7094)
2018-09-04 12:01:24 +02:00
Richard Levitte
64a48fc7f0 Rename SSL[_CTX]_add1_CA_list -> SSL[_CTX]_add1_to_CA_list
They add a single item, so the names give a false impression of what
they do, making them hard to remember.  Better to give them a somewhat
better name.

Fixes #6930

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6931)
2018-09-03 13:10:17 +02:00
Paul Kehrer
6ad952ba75 add docs for OCSP_resp_get0_signature
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)
2018-09-03 06:07:22 +02:00
Paul Kehrer
20c3672174 add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP
fixes #7081

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)
2018-09-03 06:07:22 +02:00
Matt Caswell
354e010757 Add a note in the docs about sharing PSKs between TLSv1.2 and TLSv1.3
Fixes #6490

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7044)
2018-09-01 09:06:10 +08:00
Hubert Kario
322755cc2a TLSv1.3 related changes to man pages
Add or update the documentation of the different man pages in relation to TLSv1.3 behaviour.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/6939)
2018-09-01 08:45:04 +08:00
Paul Yang
21ebd2fc3f Add semicolon at the end of the function prototypes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7041)
2018-08-24 20:45:47 +08:00
parasssh
fa332bba91 Fix typos in documentation.
CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7038)
2018-08-22 22:42:11 -07:00
Andy Polyakov
2d162ea93f man3/OBJ_nid2obj.pod: mention failure code for OBJ_create.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6998)
2018-08-22 21:37:43 +02:00
Matt Caswell
f112dc82a4 Ignore the digest in req app if using EdDSA
This follows on from the previous commit, and makes the same change to
ignore the digest if we are using EdDSA.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)
2018-08-22 16:35:54 +01:00
Matt Caswell
aabbc24e42 Improve the usability of the ca app using EdDSA
Previously you had to supply "null" as the digest to use EdDSA. This changes
things so that any digest is ignored.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)
2018-08-22 16:35:54 +01:00
Jakub Wilk
a21285b363 Fix typos in documentation
CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7021)
2018-08-22 07:06:44 +02:00
Matt Caswell
e97be71804 Add support for SSL_CTX_set_post_handshake_auth()
We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
2018-08-20 15:14:01 +01:00
Matt Caswell
32097b33bd Change Post Handshake auth so that it is opt-in
Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.

Fixes #6933.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
2018-08-20 15:14:01 +01:00
parasssh
723bd00473 Fix typos and errors in Ed25519.pod documentation
CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7005)
2018-08-20 00:09:58 +02:00
Andy Polyakov
d2b863643d crypto/threads_*: remove CRYPTO_atomic_{read|write}.
CRYPTO_atomic_read was added with intention to read statistics counters,
but readings are effectively indistinguishable from regular load (even
in non-lock-free case). This is because you can get out-dated value in
both cases. CRYPTO_atomic_write was added for symmetry and was never used.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6883)
2018-08-17 12:40:39 +02:00
Matt Caswell
35e742ecac Update code for the final RFC version of TLSv1.3 (RFC8446)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)
2018-08-15 12:33:30 +01:00
Andy Polyakov
d1f8b74c58 man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:35 +02:00
Rich Salz
ed4fc85359 Some protocol versions are build-time
Clarify docs to list that some protocol flags might not be available
depending on how OpenSSL was build.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6816)
2018-07-31 11:36:44 -04:00
Matt Caswell
50db81633e Deprecate the EC curve type specific functions in 1.2.0
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
2018-07-31 09:08:50 +01:00
Matt Caswell
de34e45a64 Add documentation for the new non-curve type specific EC functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
2018-07-31 09:08:38 +01:00
Beat Bolli
bd93f1ac27 doc/BN_generate_prime: update doc about other callback values
This here page only documents the callback values 0 to 2, but the
callers of BN_generate_prime_ex() call it with the value 3.

The list of manual pages in the SEE ALSO section was extended with the
output from

    git grep BN_GENCB_call.*[3-9]

while in the doc/man3 directory.

Signed-off-by: Beat Bolli <dev@drbeat.li>

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6802)
2018-07-28 16:45:22 -04:00
Kurt Roeckx
b9e54e9806 Fix inconsisten use of bit vs bits
Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #6794
2018-07-26 11:25:04 +02:00
Kurt Roeckx
feac7a1c8b Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime
The old numbers where all generated for an 80 bit security level. But
the number should depend on security level you want to reach. For bigger
primes we want a higher security level and so need to do more tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Fixes: #6012
2018-07-26 06:27:23 +02:00
Matt Caswell
b5cd751c69 Add a note about aborts encountered while sending early_data
In some circumstances it is possible for a client to have a session
reporting a max early data value that is greater than the server will
support. In such cases the client could encounter an aborted connection.

Fixes #6735

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6740)
2018-07-23 09:36:24 +01:00
Benjamin Kaduk
4cc968df40 const-ify some input SSL * arguments
These tiny functions only read from the input SSL, and we are
about to use them from functions that only have a const SSL* available,
so propagate const a bit further.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
2018-07-20 07:12:24 -05:00
Kurt Roeckx
57fd517066 Improve documentation about reading and writing
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #6240
2018-07-17 00:01:00 +02:00
Alexandre Perrin
1f4add418d Documentation typo fix in BN_bn2bin.pod
Change the description for BN_hex2bn() so that it uses the same BIGNUM argument name as its prototype.

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6712)
2018-07-13 10:42:15 +02:00
Matt Caswell
2ce71b6027 Document SSL_CTX_set_recv_max_early_data() etc
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6655)
2018-07-06 09:26:39 +01:00
Rich Salz
f27b906703 Add missing include file to doc
Reported by Ingo Schwarze

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6656)
2018-07-05 16:10:55 -04:00
Richard Levitte
a9cf71a371 Document more EVP_MD_CTX functions
Fixes #6644

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6645)
2018-07-04 18:22:33 +02:00
Rich Salz
dfee8626a8 Fix some issues found by Denian's lintian tool
Also fix some L<> labels and =item entries found while doing this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6630)
2018-07-03 13:35:27 -04:00
Matt Caswell
3bb5e5b09e Add the ability to configure anti-replay via SSL_CONF
This also adds the ability to control this through s_server

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
2018-07-02 15:06:12 +01:00
Matt Caswell
dc7a3543e0 Document the new early data callback and option
Document SSL_OP_NO_ANTI_REPLAY and SSL_CTX_set_allow_early_data_cb()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
2018-07-02 15:06:12 +01:00
Pauli
c7504aeb64 Modify the DEVRANDOM source so that the files are kept open persistently.
This allows operation inside a chroot environment without having the
random device present.

A new call, RAND_keep_random_devices_open(), has been introduced that can
be used to control file descriptor use by the random seed sources. Some
seed sources maintain open file descriptors by default, which allows
such sources to operate in a chroot(2) jail without the associated device
nodes being available.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6432)
2018-06-27 07:15:36 +10:00
Matt Caswell
41145c35bf Document changes to SSL_OP_NO_TICKET for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
2018-06-26 18:09:46 +01:00
Kurt Roeckx
eaf39a9fe6 Fix prototype of ASN1_INTEGER_get and ASN1_INTEGER_set
The parameters where switched

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6578
2018-06-23 20:29:11 +02:00
Richard Levitte
8973112884 OpenSSL-II style for emacs: don't indent because of extern block
We don't want an indentation step inside a 'extern "C" {' .. '}'
block.  Apparently, cc-mode has a c-offsets-alist keyword to allow
exactly this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6557)
2018-06-23 07:59:06 +02:00
David von Oheimb
b8c32081e0 add documentation for OCSP_basic_verify()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6227)
2018-06-21 20:39:49 +02:00
Pauli
6e501c4719 Fix spelling errors in documentation.
Also fix some clumsy wording.

[skip_ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6545)
2018-06-21 14:54:27 +10:00
Matt Caswell
fd38836ba8 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6538)
2018-06-20 15:29:23 +01:00
Nicola Tuveri
b26befb541 Fix & update documentation about RAND_priv_bytes()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6514)
2018-06-19 17:06:38 +02:00
Jack Lloyd
2f2e6b6278 Add EVP_PKEY_set_alias_type
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6443)
2018-06-19 11:29:44 +01:00
David von Oheimb
49c9c1b3d0 add 'unsupported cipher mode' diagnostics to evp_lib.c and genpkey.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
2018-06-18 10:45:35 +01:00
Eric S. Raymond
86a92bcb13 Repair broken C syntax (missing close parens) in a manual page.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6491)
2018-06-15 10:32:41 +10:00
Eric S. Raymond
17e822e9f8 Fix manpage problems
CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #6472
2018-06-13 20:12:45 +02:00
Richard Levitte
55c5c1b63a doc/man7/passphrase-encoding.pod: Make consistent
The man name didn't match the file name, and some places had
'password' instead of 'pass phrase'.

Fixes #6474

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6476)
2018-06-13 10:27:03 +02:00
Viktor Dukhovni
0df65d82db Document return value of X509_add_ext
and also X509_delete_ext()

Reviewed-by: Matt Caswell <matt@openssl.org>
2018-06-12 12:23:51 -04:00
Nicola Tuveri
8fe4c0b001 Deprecate DSA_sign_setup() in the documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6460)
2018-06-12 13:28:35 +01:00
Dmitry Belyavskiy
7cacbe9d66 Documentation for missing s_client/s_server options
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6209)
2018-06-08 16:55:54 +01:00
Matt Caswell
72ff0a5400 Add function for setting the EVP_PKEY_ASN1_METHOD raw key getter functions
EVP_PKEY_asn1_set_get_priv_key() and EVP_PKEY_asn1_set_get_pub_key()

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6394)
2018-06-08 10:04:09 +01:00
Matt Caswell
edb77a4d0f Document the raw key getter functions
EVP_PKEY_get_raw_private_key() and EVP_PKEY_get_raw_public_key()

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6394)
2018-06-08 10:04:09 +01:00
Richard Levitte
0189bf2bbe Document UTF-8 expectation for pass phrases passed to OSSL_STORE
After some discussion, it was concluded that the better idea is to
stipulate that the pass phrases passed to the OSSL_STORE API are
expected to be UTF-8 encoded, and that all objects made accessible
through OSSL_STORE URIs should adhere to this expectation (at the
discretion of the loaders).

Email ref:
https://mta.openssl.org/pipermail/openssl-project/2018-June/000771.html

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6416)
2018-06-07 13:25:03 +02:00
Ken Goldman
6da34cfbdd Document failure return for ECDSA_SIG_new
ECDSA_SIG_new() returns NULL on error.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6398)
2018-06-02 16:17:32 -04:00
Richard Levitte
166f0082e7 STORE: split off the description of the 'file' scheme loader
This includes a quick recommendation on how to name loader docmentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6350)
2018-06-01 19:37:09 +02:00
Andy Polyakov
44ca7565a6 apps/speed.c: add -aead flag.
Goal is to exercise AEAD ciphers in TLS-like sequence, i.e. 13-byte
AAD followed by payload. Update doc/man1/speed.pod accordingly.

[While we are at it, address even some styling and readability issues.]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6311)
2018-05-30 18:26:21 +02:00
Mingtao Yang
0124f32a01 Add APIs for custom X509_LOOKUP_METHOD creation
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so
applications that were previously able to define a custom lookup method
are not able to be ported.

This commit adds getters and setters for each of the current fields of
X509_LOOKUP_METHOD, along with getters and setters on several associated
opaque types (such as X509_LOOKUP and X509_OBJECT).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6152)
2018-05-30 15:45:48 +02:00
Matt Caswell
3d0dde847e Update the "Connected Commands" section of s_client/s_server docs
Fixes #6307

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6330)
2018-05-29 16:41:17 +01:00
Matt Caswell
83cf7abf8e Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6371)
2018-05-29 13:16:04 +01:00
Dr. Matthias St. Pierre
0396401d1c ECDSA_SIG: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Dr. Matthias St. Pierre
6692ff7777 RSA: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Dr. Matthias St. Pierre
e6f35b5768 DSA: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Dr. Matthias St. Pierre
5777254b7a DH: fix: add simple getters for commonly used struct members
amends 6db7fadf09

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:22 +02:00
Nick Mathewson
c8c250333c Improve the example getpass() implementation to show an error return
Also, modernize the code, so that it isn't trying to store a size_t
into an int, and then check the int's sign. :/

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
2018-05-26 08:36:42 +02:00
Nick Mathewson
bbbf752a3c Update documentation for PEM callback: error is now -1.
In previous versions of OpenSSL, the documentation for PEM_read_*
said:

   The callback B<must> return the number of characters in the
   passphrase or 0 if an error occurred.

But since c82c346226, 0 is now treated as a non-error
return value.  Applications that want to indicate an error need to
return -1 instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
2018-05-26 08:36:42 +02:00
Matt Caswell
a0abb6a10f Add a sanity check on the length of pkeyutl inputs
When signing or verifying a file using pkeyutl the input is supposed to
be a hash. Some algorithms sanity check the length of the input, while
others don't and silently truncate. To avoid accidents we check that the
length of the input looks sane.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6284)
2018-05-24 17:26:03 +01:00
Viktor Dukhovni
55a6250f1e Skip CN DNS name constraint checks when not needed
Only check the CN against DNS name contraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2018-05-23 11:12:17 -04:00
Matt Caswell
f3021aca4a Allow the ca application to use EdDSA
Using the ca application to sign certificates with EdDSA failed because it
is not possible to set the digest to "null". This adds the capability and
updates the documentation accordingly.

Fixes #6201

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6286)
2018-05-18 10:14:29 +01:00
Dr. Matthias St. Pierre
6db7fadf09 DH: add simple getters for commonly used DH struct members
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6273)
2018-05-18 08:53:48 +02:00
Matt Caswell
56548e86ac Add documentation for the ability to control the number of tickets
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Matt Caswell
394159da60 Allow configuation of the number of TLSv1.3 session tickets via SSL_CONF
Also allows the apps to set it.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Richard Levitte
8481434439 Link in passphrase-encoding(7) in relevant documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6179)
2018-05-14 15:56:59 +02:00
Richard Levitte
491c35324c Docs: add general document on how pass phrases are handled
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6179)
2018-05-14 15:56:59 +02:00
Dr. Matthias St. Pierre
34e4a964af Fix typo: 'is an error occurred' in documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6229)
2018-05-11 17:02:49 +02:00
Matt Caswell
61fb59238d Rework the decrypt ticket callback
Don't call the decrypt ticket callback if we've already encountered a
fatal error. Do call it if we have an empty ticket present.

Change the return code to have 5 distinct returns codes and separate it
from the input status value.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:09 +01:00
Matt Caswell
2448bb8cf7 Document when a new session ticket gets created on resumption
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
9e064bc170 Provide documentation for the -psk_session option
The s_client/s_server docs were missing documentation for this option.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6215)
2018-05-11 13:47:13 +01:00
Dr. Matthias St. Pierre
7f35627c79 Fix typos in x509 documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6207)
2018-05-09 17:15:58 +02:00
Billy Brumley
fe2d397588 ECDSA: remove nonce padding (delegated to EC_POINT_mul)
* EC_POINT_mul is now responsible for constant time point multiplication
  (for single fixed or variable point multiplication, when the scalar is
  in the range [0,group_order), so we need to strip the nonce padding
  from ECDSA.
* Entry added to CHANGES
* Updated EC_POINT_mul documentation
  - Integrate existing EC_POINT_mul and EC_POINTs_mul entries in the
    manpage to reflect the shift in constant-time expectations when
    performing a single fixed or variable point multiplication;
  - Add documentation to ec_method_st to reflect the updated "contract"
    between callers and implementations of ec_method_st.mul.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6070)
2018-05-09 13:29:48 +02:00
Richard Levitte
c16ab9dc63 docs: Fix typo EVP_PKEY_new_id -> EVP_PKEY_CTX_new_id
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6177)
2018-05-04 19:52:01 +02:00
Matt Caswell
4db296d9f0 Make X509_VERIFY_PARAM_get_hostflags() take a const arg
Commit 5b748dea5 added this function which should have taken a const
argument.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6154)
2018-05-02 23:43:52 +01:00
Matt Caswell
3bfa4756bd Add some documentation for SSL_get_shared_ciphers()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
2018-05-02 23:30:47 +01:00
Matt Caswell
6299c7a402 Add a note about Nagle's algorithm on the SSL_connect man page
Fixes #4237

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6143)
2018-05-02 08:49:58 +01:00
Matt Caswell
5b748dea5d Add getter for X509_VERIFY_PARAM_get_hostflags
Fixes #5061

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6139)
2018-05-01 15:06:16 +01:00
Matt Caswell
3a070e255f Clarify BN_mod_exp docs
Specifically this is not supported with an even modulus and
BN_FLG_CONSTTIME.

Fixes #5082

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6137)
2018-05-01 14:23:27 +01:00
Matt Caswell
ecd4b8fe85 Fix some errors and missing info in the CMS docs
Fixes #5063

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6134)
2018-05-01 14:16:42 +01:00
Matt Caswell
6ec5fce25e Update copyright year
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6145)
2018-05-01 13:34:30 +01:00
Matt Caswell
ddba302a0f Update version docs
Make it clear that you should not attempt to get the version before the
first handshake is complete.

Fixes #2893

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6013)
2018-04-27 10:10:53 +01:00
Matt Caswell
d1f7a1e62a Update the *use_certificate* docs
Note that calling the *use_certificate* functions will replace any existing
certificate of the same type. The same thing applies for private keys.

Fixes #2147

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6092)
2018-04-26 16:39:55 +01:00