Commit graph

2225 commits

Author SHA1 Message Date
Viktor Dukhovni
55a6250f1e Skip CN DNS name constraint checks when not needed
Only check the CN against DNS name contraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2018-05-23 11:12:17 -04:00
Matt Caswell
f3021aca4a Allow the ca application to use EdDSA
Using the ca application to sign certificates with EdDSA failed because it
is not possible to set the digest to "null". This adds the capability and
updates the documentation accordingly.

Fixes #6201

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6286)
2018-05-18 10:14:29 +01:00
Dr. Matthias St. Pierre
6db7fadf09 DH: add simple getters for commonly used DH struct members
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6273)
2018-05-18 08:53:48 +02:00
Matt Caswell
56548e86ac Add documentation for the ability to control the number of tickets
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Matt Caswell
394159da60 Allow configuation of the number of TLSv1.3 session tickets via SSL_CONF
Also allows the apps to set it.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Richard Levitte
8481434439 Link in passphrase-encoding(7) in relevant documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6179)
2018-05-14 15:56:59 +02:00
Richard Levitte
491c35324c Docs: add general document on how pass phrases are handled
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6179)
2018-05-14 15:56:59 +02:00
Dr. Matthias St. Pierre
34e4a964af Fix typo: 'is an error occurred' in documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6229)
2018-05-11 17:02:49 +02:00
Matt Caswell
61fb59238d Rework the decrypt ticket callback
Don't call the decrypt ticket callback if we've already encountered a
fatal error. Do call it if we have an empty ticket present.

Change the return code to have 5 distinct returns codes and separate it
from the input status value.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:09 +01:00
Matt Caswell
2448bb8cf7 Document when a new session ticket gets created on resumption
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
9e064bc170 Provide documentation for the -psk_session option
The s_client/s_server docs were missing documentation for this option.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6215)
2018-05-11 13:47:13 +01:00
Dr. Matthias St. Pierre
7f35627c79 Fix typos in x509 documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6207)
2018-05-09 17:15:58 +02:00
Billy Brumley
fe2d397588 ECDSA: remove nonce padding (delegated to EC_POINT_mul)
* EC_POINT_mul is now responsible for constant time point multiplication
  (for single fixed or variable point multiplication, when the scalar is
  in the range [0,group_order), so we need to strip the nonce padding
  from ECDSA.
* Entry added to CHANGES
* Updated EC_POINT_mul documentation
  - Integrate existing EC_POINT_mul and EC_POINTs_mul entries in the
    manpage to reflect the shift in constant-time expectations when
    performing a single fixed or variable point multiplication;
  - Add documentation to ec_method_st to reflect the updated "contract"
    between callers and implementations of ec_method_st.mul.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6070)
2018-05-09 13:29:48 +02:00
Richard Levitte
c16ab9dc63 docs: Fix typo EVP_PKEY_new_id -> EVP_PKEY_CTX_new_id
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6177)
2018-05-04 19:52:01 +02:00
Matt Caswell
4db296d9f0 Make X509_VERIFY_PARAM_get_hostflags() take a const arg
Commit 5b748dea5 added this function which should have taken a const
argument.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6154)
2018-05-02 23:43:52 +01:00
Matt Caswell
3bfa4756bd Add some documentation for SSL_get_shared_ciphers()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
2018-05-02 23:30:47 +01:00
Matt Caswell
6299c7a402 Add a note about Nagle's algorithm on the SSL_connect man page
Fixes #4237

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6143)
2018-05-02 08:49:58 +01:00
Matt Caswell
5b748dea5d Add getter for X509_VERIFY_PARAM_get_hostflags
Fixes #5061

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6139)
2018-05-01 15:06:16 +01:00
Matt Caswell
3a070e255f Clarify BN_mod_exp docs
Specifically this is not supported with an even modulus and
BN_FLG_CONSTTIME.

Fixes #5082

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6137)
2018-05-01 14:23:27 +01:00
Matt Caswell
ecd4b8fe85 Fix some errors and missing info in the CMS docs
Fixes #5063

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6134)
2018-05-01 14:16:42 +01:00
Matt Caswell
6ec5fce25e Update copyright year
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6145)
2018-05-01 13:34:30 +01:00
Matt Caswell
ddba302a0f Update version docs
Make it clear that you should not attempt to get the version before the
first handshake is complete.

Fixes #2893

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6013)
2018-04-27 10:10:53 +01:00
Matt Caswell
d1f7a1e62a Update the *use_certificate* docs
Note that calling the *use_certificate* functions will replace any existing
certificate of the same type. The same thing applies for private keys.

Fixes #2147

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6092)
2018-04-26 16:39:55 +01:00
Matt Caswell
bdb59d97a6 Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.

Fixes #4933

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6067)
2018-04-25 10:50:54 +01:00
Matt Caswell
4753ad858c Document when a session gets removed from cache
Document the fact that if a session is not closed down cleanly then the
session gets removed from the cache and marked as non-resumable.

Fixes #4720

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6053)
2018-04-24 09:23:23 +01:00
Matt Caswell
ededc88dd5 Improve backwards compat with 1.0.2 for ECDHParameters
In 1.0.2 you could configure automatic ecdh params by using the
ECDHParameters config directive and setting it to the value
"+Automatic" or just "Automatic". This is no longer required in 1.1.0+
but we still recognise the "+Automatic" keyword for backwards compatibility.
However we did not recognise just "Automatic" without the leading "+" which
is equally valid. This commit fixes that omission.

Fixes #4113

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6035)
2018-04-24 09:09:43 +01:00
Bernd Edlinger
eb2b989206 Ensure the thread keys are always allocated in the same order
Fixes: #5899

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5911)
2018-04-20 15:45:06 +02:00
Kurt Roeckx
4b7c6385f7 Document supported digest functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6024)
2018-04-19 21:05:01 +02:00
Alois Mahdal
c190506cd8 Reflect special DEFAULT behavior in ciphers(1)
Actual behavior of DEFAULT is different than currently described.
Rather than actinf as cipher string, DEFAULT cannot be combined using
logical operators, etc.

Fixes #5420.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5428)
2018-04-19 15:34:49 +02:00
A. Schulze
aa3b328541 correct spelling errors detected by Debian lintian
CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5801)
2018-04-19 11:10:17 +02:00
Matt Caswell
c637891310 Correct an ommission in the EVP_DigestSignInit docs
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5996)
2018-04-19 08:35:47 +01:00
Beat Bolli
cb1b2cafe1 Clarify the configuration module in config.pod
Similar to 0652e8a7 ("Clarify default section in config.pod",
2018-04-12), reword a sentence to make it easier to parse.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5794)
2018-04-18 16:42:11 -04:00
Matt Caswell
be93b0e863 Update EVP_DigestSignInit() docs
Explicitly state which digests can be used with which algorithms.

Fixes #5854

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5992)
2018-04-18 08:26:35 +01:00
Matt Caswell
2bdeffefdd Update fingerprints.txt
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5987)
2018-04-17 16:57:10 +01:00
Matt Caswell
5bbf42a519 Update the info callback documentation for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
2018-04-17 16:51:03 +01:00
Dr. Matthias St. Pierre
a12de2cba8 SSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5977)
2018-04-17 17:31:09 +02:00
Richard Levitte
28428130db Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)
2018-04-17 15:18:40 +02:00
Dr. Matthias St. Pierre
b7fb239438 Revert "Add OPENSSL_VERSION_AT_LEAST"
Fixes #5961

This reverts commit 3c5a61dd0f.

The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain
errors and don't work as designed. Apart from that, their introduction
should be held back until a decision has been mad about the future
versioning scheme.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5968)
2018-04-16 18:43:52 +02:00
Richard Levitte
a8ca496ddb Split the scrypt and RSA-PSS into man3 and man7 pages
The scrypt and RSA-PSS documents were a mixture of section 3 and
section 7 material.  With pre-1.1.1 OpenSSL, this is understandable,
since we had a different directory layout.  With 1.1.1, we've moved to
the typical man-page directory layout, and the documents need to be
updated accordingly.

Also, the scrypt document contained a description of
EVP_PKEY_CTX_set1_pbe_pass(), which is a generic function rather than
an scrypt specific function, and therefore should be documented
separately.

Fixes #5802

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5942)
2018-04-13 11:55:13 +02:00
Richard Levitte
0320e8e286 Docs for OpenSSL_init_crypto: there is no way to specify another file
The documentation erroneously stated that one can change the default
configuration file name.

Fixes #5939

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5941)
2018-04-13 10:24:18 +02:00
Richard Levitte
adaf3cfad2 openssl rehash: document -compat
Fixes #5902

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)
2018-04-12 15:34:58 +02:00
Daniel Bevenius
0652e8a7fe Clarify default section in config.pod
This is a minor update which hopefully makes these particular lines
read a little easier.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5938)
2018-04-12 13:39:37 +02:00
Theo Buehler
c12a2d2728 EVP_MD_CTX_cleanup replaced with EVP_MD_CTX_reset
The EVP_MD_CTX_cleanup() function was merged into EVP_MD_CTX_reset()
which is called by EVP_MD_CTX_free().  Adjust the documentation to say
that the latter should be used to avoid leaking memory.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5921)
2018-04-11 12:59:25 -04:00
Dr. Matthias St. Pierre
f7bef277ea Minor corrections for the RAND_DRBG API documentation
- added some explaining text to a sentence that lost its context.
- removed mention of per-ssl drbg
- fix whitespace errors

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5804)
2018-04-11 18:56:03 +02:00
Matt Caswell
e65c959f1f Add a note and better error if using Ed25519/Ed448 in dgst
Fixes #5873

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5880)
2018-04-06 10:10:05 +01:00
Matt Caswell
77579510aa Update the genpkey documentation
Fixes #5739

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)
2018-04-05 15:44:43 +01:00
Matt Caswell
fdb8113dae Document the change in the previous commit about loading the config file
When libssl is initialised it will attempt to load any config file. This
ensures any system_default configuration (as per
https://github.com/openssl/openssl/pull/4848) is used.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5818)
2018-04-05 15:30:12 +01:00
Bernd Edlinger
284f4f6b70 Don't use getenv for critical functions when run as setuid/setgid
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5856)
2018-04-04 14:45:49 +02:00
Matt Caswell
29f484d00d Fix some errors in the mem leaks docs
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5794)
2018-04-03 16:17:34 +01:00
Matt Caswell
c4d3c19b4c Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5851)
2018-04-03 13:57:12 +01:00