Commit graph

1922 commits

Author SHA1 Message Date
Pauli
410e8c9356 Remove duplicate see also reference to BIO_s_mem.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3731)
2017-06-22 08:13:11 +10:00
Sascha Steinbiss
db17e43d88 Add OCSP_resp_get1_id() accessor
Adding a get1 style accessor as brought up in mailing list post
https://mta.openssl.org/pipermail/openssl-users/2016-November/004796.html

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1876)
2017-06-21 15:01:54 -04:00
Matt Caswell
23cec1f4b4 Add documentation for the SSL_export_keying_material() function
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3735)
2017-06-21 16:18:36 +01:00
Matt Caswell
72257204bd PSK related tweaks based on review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:36 +01:00
Matt Caswell
725b0f1e13 Make the input parameters for SSL_SESSION_set1_master_key const
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:36 +01:00
Matt Caswell
8ead6158a9 Document SSL_set_psk_find_session_callback() and SSL_CTX equivalent
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:36 +01:00
Matt Caswell
93a048a1d8 Document SSL_set_psk_use_session_callback() and SSL_CTX equivalent
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
801d9fbd97 Add documentation for SSL_CTX_set_psk_use_session_callback()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
9c39fa1e38 Document SSL_CIPHER_get_handshake_digest()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
267869d3f3 Document SSL_SESSION_set_protocol_version()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
5eb7273669 Document SSL_SESSION_set1_master_key()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
7721978ca8 Add documentation for SSL_SESSION_set_cipher()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Dr. Stephen Henson
d2916a5b29 Use EVP_PKEY_X25519, EVP_PKEY_ED25519 instead of NIDs where appropriate.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3585)
2017-06-21 14:11:01 +01:00
Rich Salz
c80149d9f0 Merge Nokia copyright notice into standard
This is done with the kind permission of Nokia.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3722)
2017-06-21 08:59:18 -04:00
Rich Salz
0ea155fc1c Add RAND_UNIMPLEMENTED error code
See old GitHub PR 38.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3714)
2017-06-20 08:12:04 -04:00
Cory Benfield
729ef85611 s_client accepts host/port as positional argument.
This allows the user to provide the target host and optional port to
openssl s_client as an optional positional argument, rather than as the
argument to the -connect flag. This rationalises the user experience of
s_client: given that the only logical purpose of s_client is to connect
to a host, it is difficult to understand why there is an (effectively
mandatory) command option to pass to make that happen.

This patch forbids providing *both* -connect and the positional
argument, because it would likely be too difficult to reconcile.
Otherwise, using the positional argument behaves exactly the same as
using -connect does.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1171)
2017-06-19 08:42:10 +01:00
Paul Yang
837f87c217 Forbid to specify -nextprotoneg if -tls1_3 is enabled
This applies both to s_client and s_server app.

Reaction to Issue #3665.

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3697)
2017-06-16 17:00:22 -04:00
Paul Yang
481afe2ad1 Make SNI behavior more clear in s_client doc & help
Update s_client -help and pod file.

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3654)
2017-06-13 08:39:06 -04:00
Benjamin Kaduk
193b5d769c Add SSL_early_get1_extensions_present()
It is an API to be used from the early callback that indicates what
extensions were present in the ClientHello, and in what order.
This can be used to eliminate unneeded calls to SSL_early_get0_ext()
(which itself scales linearly in the number of extensions supported
by the library).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2976)
2017-06-12 09:31:47 +01:00
Rich Salz
04e62715db Introduce ASN1_TIME_set_string_X509 API
Make funcs to deal with non-null-term'd string
in both asn1_generalizedtime_to_tm() and asn1_utctime_to_tm().

Fixes issue #3444.

This one is used to enforce strict format (RFC 5280) check and to
convert GeneralizedTime to UTCTime.

apps/ca has been changed to use the new API.

Test cases and documentation are updated/added

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3566)
2017-06-11 16:36:07 -04:00
Beat Bolli
7aefa75490 doc/man3: use the documented coding style in the example code
Adjust brace placement, whitespace after keywords, indentation and empty
lines after variable declarations according to
https://www.openssl.org/policies/codingstyle.html.

Indent literal sections by exactly one space.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3580)
2017-06-11 16:28:11 -04:00
Josh Soref
27b138e9db Fix spelling errors in manpages
spelling: algorithm
spelling: anyway
spelling: assigned
spelling: authenticated
spelling: callback
spelling: certificate
spelling: compatibility
spelling: configuration
spelling: digest
spelling: encrypted
spelling: function
spelling: output
spelling: receive
spelling: renegotiation
spelling: signing
spelling: similar
spelling: string

(Merged from https://github.com/openssl/openssl/pull/3580)Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3580)
2017-06-11 16:21:33 -04:00
Luke Faraone
66e59702f1 Add support for using engine-backed keys in spkac
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3599)
2017-06-09 12:15:52 -04:00
Benjamin Kaduk
36c438514d Remove stale note from s_server.pod
Modern browsers are now, well, pretty modern.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3644)
2017-06-08 15:56:53 -05:00
Matt Caswell
0bae196072 Clean up s_server documentation
List the options in the same order and in the same style as the output from
"openssl s_server -help"

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3628)
2017-06-08 20:29:26 +01:00
Rich Salz
1722496fca Remove doc of non-existent functions
Fix test for "documenting private functions"
And add -p flag to doc-nits recipe
Mark when things were deprecated, if doc'd as such

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3624)
2017-06-08 15:18:38 -04:00
Todd Short
1c036c6443 Fix #340: Parse ASN1_TIME to struct tm
This works with ASN1_UTCTIME and ASN1_GENERALIZED_TIME

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3378)
2017-06-08 13:19:13 +01:00
Beat Bolli
95dd5fb214 doc: use /* ... */ comments in code examples
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
2017-06-08 11:54:16 +01:00
Beat Bolli
d42e7759f5 doc/man3: fix SSL_SESSSION typos
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
2017-06-08 11:54:16 +01:00
Beat Bolli
89a01e692f SSL_CTX_set_verify.pod: move a typedef in front of its first usage
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
2017-06-08 11:54:16 +01:00
Beat Bolli
32c57705c9 doc/man3: unindent a few unintended code blocks
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
2017-06-08 11:54:16 +01:00
Beat Bolli
e9b7724687 doc/man3: reformat the function prototypes in the synopses
I tried hard to keep the lines at 80 characters or less, but in a few
cases I had to punt and just indented the subsequent lines by 4 spaces.

A few well-placed typedefs for callback functions would really help, but
these would be part of the API, so that's probably for later.

I also took the liberty of inserting empty lines in overlong blocks to
provide some visual space.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
2017-06-08 11:54:16 +01:00
Beat Bolli
61ced34f8d ERR_put_error.pod: fix the name of function ERR_add_error_vdata()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
2017-06-08 11:54:16 +01:00
Beat Bolli
7a67a3ba04 doc/man3: remove a duplicate BIO_do_accept() call
The SSL server example in BIO_f_ssl.pod contains two copies of the
BIO_do_accept() call. Remove the second one.

Signed-off-by: Beat Bolli <dev@drbeat.li>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
2017-06-08 11:54:16 +01:00
Beat Bolli
2947af32a0 doc/man3: use the documented coding style in the example code
Adjust brace placement, whitespace after keywords, indentation and empty
lines after variable declarations according to
https://www.openssl.org/policies/codingstyle.html.

Indent literal sections by exactly one space.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
2017-06-08 11:54:15 +01:00
Todd Short
db0f35dda1 Fix #2400 Add NO_RENEGOTIATE option
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3432)
2017-06-06 22:39:41 +01:00
Paul Yang
09ddb8785a Fix doc nits in X509_check_private_key.pod
remove the tailing dot

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3614)
2017-06-06 17:50:06 +01:00
Paul Yang
7b9863392b Document X509_check_private_key and relative
Document two private key check functions:

X509_check_private_key
X509_REQ_check_private_key

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3614)
2017-06-06 17:50:06 +01:00
Dr. Stephen Henson
bf0d560938 Move and update RSA-PSS documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3621)
2017-06-06 13:37:41 +01:00
Rich Salz
9d772829c9 Document default client -psk_identity
Document that -psk is required to use PSK cipher
[skip ci]

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3607)
2017-06-05 14:13:50 -04:00
Daniel Kahn Gillmor
720b6cbe4a Avoid failing s_server when client's psk_identity is unexpected
s_server has traditionally been very brittle in PSK mode.  If the
client offered any PSK identity other than "Client_identity" s_server
would simply abort.

This is breakage for breakage's sake, and unlike most other parts of
s_server, which tend to allow more flexible connections.

This change accomplishes two things:

 * when the client's psk_identity does *not* match the identity
   expected by the server, just warn, don't fail.

 * allow the server to expect instead a different psk_identity from
   the client besides "Client_identity"

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3605)
2017-06-05 13:54:10 -04:00
Todd Short
1ee2125922 Fix ex_data and session_dup issues
Code was added in commit b3c31a65 that overwrote the last ex_data value
using CRYPTO_dup_ex_data() causing a memory leak, and potentially
confusing the ex_data dup() callback.

In ssl_session_dup(), fix error handling (properly reference and up-ref
shared data) and new-up the ex_data before calling CRYPTO_dup_ex_data();
all other structures that dup ex_data have the destination ex_data new'd
before the dup.

Fix up some of the ex_data documentation.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3323)
2017-06-02 12:11:38 -04:00
Keigo Tanaka
a2d9cfbac5 Added mysql as starttls protocol.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3456)
2017-06-01 16:32:50 -04:00
Rich Salz
274d1beea2 Add -p (public only) flag to find-doc-nits
Report if any non-public items are documented.
Add util/private.num that lists items that aren't in the public
(lib*.num) files that we do want to document.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3603)
2017-06-01 16:26:26 -04:00
Richard Levitte
545360c4df Add UI functionality to duplicate the user data
This can be used by engines that need to retain the data for a longer time
than just the call where this user data is passed.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3575)
2017-05-31 19:00:24 +02:00
Dr. Stephen Henson
74e7836104 Add Ed25519 documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3503)
2017-05-30 20:38:21 +01:00
Rich Salz
2bcb232ebe Add stricter checking in NAME section
Require a comma between every name and a single space before the dash

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3559)
2017-05-29 19:17:40 -04:00
Josh Soref
df578aa013 Fix spelling errors in CMS.
Unfortunately it affects error code macros in public cms.h header, for
which reason misspelled names are preserved for backward compatibility.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3463)
2017-05-27 14:15:24 +02:00
Kurt Roeckx
6061f80b5c Add missing commas in pod files
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #3557
2017-05-25 19:31:01 +02:00
Matt Caswell
47695810b3 Document that HMAC() with a NULL md is not thread safe
Fixes #3541

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3553)
2017-05-25 15:34:30 +01:00