Commit graph

1108 commits

Author SHA1 Message Date
Dr. Stephen Henson
656b26055c SSL_CONF table reorganisation.
Add command line switch entries to table and return SSL_CONF_TYPE_NONE for
them in SSL_CONF_cmd_value_type.

Update docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-06 14:17:42 +01:00
Alok Menghrajani
5812e6f175 Fixes some typos in doc/ssl/
This is the last of Alok's PR260
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-03 08:52:11 -04:00
Alok Menghrajani
4c583c3659 Fixes some typos in doc/apps/
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-03 08:51:43 -04:00
Alok Menghrajani
186bb90705 RT3802: Fixes typos in doc/crypto/
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-03 08:51:23 -04:00
Rich Salz
8332f91cc0 fix various typo's
https://github.com/openssl/openssl/pull/176 (CHANGES)
 https://rt.openssl.org/Ticket/Display.html?id=3545 (objects.txt)
 https://rt.openssl.org/Ticket/Display.html?id=3796 (verify.pod)

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-03 08:50:34 -04:00
Rich Salz
23a1d5e97c free NULL cleanup 7
This gets BN_.*free:
    BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free
    BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free

Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd
dead code in engines/e_ubsec.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 21:37:06 -04:00
Rich Salz
222561fe8e free NULL cleanup 5a
Don't check for NULL before calling a free routine.  This gets X509_.*free:
    x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free
    X509_STORE_free X509_STORE_CTX_free X509_PKEY_free
    X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:33:59 -04:00
Rich Salz
46aa607867 apps-cleanup: the doc fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:07:28 -04:00
Dr. Stephen Henson
98c9ce2f55 SSL_CIPHER lookup functions.
Add tables to convert between SSL_CIPHER fields and indices for ciphers
and MACs.

Reorganise ssl_ciph.c to use tables to lookup values and load them.

New functions SSL_CIPHER_get_cipher_nid and SSL_CIPHER_get_digest_nid.

Add documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-22 15:00:53 +01:00
Rich Salz
62adbcee39 free NULL cleanup 10
Avoid checking for NULL before calling free functions.  This gets
ssl.*free:
    ssl_sess_cert_free ssl_free ssl_excert_free ssl_cert_free
    SSL_free SSL_SRP_CTX_free SSL_SESSION_free SSL_CTX_free
    SSL_CTX_SRP_CTX_free SSL_CONF_CTX_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-04-11 10:22:36 -04:00
Rich Salz
be739b0cc0 Drop CA.sh for CA.pl
Remove CA.sh script and use CA.pl for testing, etc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-08 14:07:39 -04:00
Dr. Stephen Henson
22f5bd3dd2 New ASN1_TYPE SEQUENCE functions.
Add new functions ASN1_TYPE_pack_sequence and ASN1_TYPE_unpack_sequence:
these encode and decode ASN.1 SEQUENCE using an ASN1_TYPE structure.

Update ordinals.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-30 22:01:31 +01:00
Rich Salz
c5ba2d9904 free NULL cleanup
EVP_.*free; this gets:
        EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free
        EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it
        EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-03-28 10:54:15 -04:00
Dr. Stephen Henson
dd14f91171 ASN1_TYPE documentation.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-26 21:59:17 +00:00
Rich Salz
8fdc3734c0 free NULL cleanup.
This gets EC_GROUP_clear_free EC_GROUP_free, EC_KEY_free,
EC_POINT_clear_free, EC_POINT_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-03-25 18:35:24 -04:00
Matt Caswell
17dd65e6e1 Resolve swallowed returns codes
The recent updates to libssl to enforce stricter return code checking, left
a small number of instances behind where return codes were being swallowed
(typically because the function they were being called from was declared as
void). This commit fixes those instances to handle the return codes more
appropriately.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 18:52:13 +00:00
Rich Salz
ca3a82c3b3 free NULL cleanup
This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free
BIO_free BIO_free_all BIO_vfree

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-25 11:31:18 -04:00
Dr. Stephen Henson
2011b169fa Support key loading from certificate file
Support loading of key and certificate from the same file if
SSL_CONF_FLAG_REQUIRE_PRIVATE is set. This is done by remembering the
filename used for each certificate type and attempting to load a private
key from the file when SSL_CONF_CTX_finish is called.

Update docs.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 14:19:04 +00:00
Matt Caswell
302d38e3f7 Deprecate RAND_pseudo_bytes
The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
the default implementation both end up calling ssleay_rand_bytes. Both may
return -1 in an error condition. If there is insufficient entropy then
both will return 0, but RAND_bytes will additionally add an error to the
error queue. They both return 1 on success.
Therefore the fundamental difference between the two is that one will add an
error to the error queue with insufficient entory whilst the other will not.
Frequently there are constructions of this form:

if(RAND_pseudo_bytes(...) <= 1)
	goto err;

In the above form insufficient entropy is treated as an error anyway, so
RAND_bytes is probably the better form to use.

This form is also seen:
if(!RAND_pseudo_bytes(...))
	goto err;

This is technically not correct at all since a -1 return value is
incorrectly handled - but this form will also treat insufficient entropy as
an error.

Within libssl it is required that you have correctly seeded your entropy
pool and so there seems little benefit in using RAND_pseudo_bytes.
Similarly in libcrypto many operations also require a correctly seeded
entropy pool and so in most interesting cases you would be better off
using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
being incorrectly used in scenarios where security can be compromised by
insufficient entropy.

If you are not using the default implementation, then most engines use the
same function to implement RAND_bytes and RAND_pseudo_bytes in any case.

Given its misuse, limited benefit, and potential to compromise security,
RAND_pseudo_bytes has been deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:38:19 +00:00
Rich Salz
d64070838e free NULL cleanup
Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets DH_free, DSA_free, RSA_free

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-24 23:17:16 -04:00
Dr. Stephen Henson
2e43027757 make ASN1_OBJECT opaque
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-24 17:35:58 +00:00
Dr. Stephen Henson
7b68c30da0 Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-24 12:22:52 +00:00
Rich Salz
0dfb9398bb free NULL cleanup
Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets ASN1_OBJECT_free and ASN1_STRING_free.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-24 07:52:24 -04:00
Dr. Stephen Henson
3d764db7a2 additional configuration documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-03-12 13:31:43 +00:00
Dr. Stephen Henson
e3013932df Additional CMS documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-03-08 16:18:21 +00:00
Viktor Szakats
63a3c45582 GitHub 237: Use https for IETF links
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-07 21:24:40 -05:00
Rich Salz
9f7f8eced5 Cleanup some doc files
ACKNOWLEDGEMENTS is now spelled correctly :)
README.ASN1 talked about 0.9.6, so it's deleted.
I turned doc/standards.txt into a set of one-line summaries of RFCs, and
also updated the pointers to original sources (to be web links)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-01 20:46:38 -05:00
Matt Caswell
7a4dadc3a6 Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removed
the "-hack" option from s_server that set this option.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-26 23:22:46 +00:00
Matt Caswell
f7812493a0 Update the SHA* documentation
Updates to include SHA224, SHA256, SHA384 and SHA512. In particular note
the restriction on setting md to NULL with regards to thread safety.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-25 20:52:34 +00:00
Rainer Jung
64d2733176 Fix NAME section of d2i_ECPKParameters to prevent broken symlinks when using
the extract-names.pl script.

RT#3718

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-02-25 20:46:51 +00:00
Matt Caswell
12e0ea306a Fix some minor documentation issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:13:34 +00:00
Matt Caswell
09f278f925 Add dire warnings about the "reuse" capability of the d2i_* functions.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:13:19 +00:00
Matt Caswell
93b83d0626 Provide documentation for i2d_ECPrivateKey and d2i_ECPrivateKey
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:13:14 +00:00
Matt Caswell
fa7b01115b Add documentation for the -no_alt_chains option for various apps, as well as
the X509_V_FLAG_NO_ALT_CHAINS flag.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-25 09:15:10 +00:00
Dr. Stephen Henson
384dee5124 Document -no_explicit
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-02-24 15:27:33 +00:00
Dr. Stephen Henson
15b5d6585d typo
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-02-22 14:43:09 +00:00
Dr. Stephen Henson
146ca72cca Add additional EC documentation.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-21 00:45:06 +00:00
Matt Caswell
b7c9187b32 Add SSL_SESSION_get0_ticket API function.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-10 22:54:27 +00:00
Matt Caswell
f2baac27d5 Provide the API functions SSL_SESSION_has_ticket and
SSL_SESSION_get_ticket_lifetime_hint. The latter has been reported as
required to fix Qt for OpenSSL 1.1.0. I have also added the former in order
to determine whether a ticket is present or not - otherwise it is difficult
to know whether a zero lifetime hint is because the server set it to 0, or
because there is no ticket.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-10 22:54:09 +00:00
Emilia Kasper
0923e7df9e Fix hostname validation in the command-line tool to honour negative return values.
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.

Also update X509_check_host docs to reflect reality.

Thanks to Sean Burford (Google) for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-10 15:35:20 +01:00
Matt Caswell
0350ef69ad Remove stray "=back". This was causing newer versions of pod2man to choke.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-09 09:13:09 +00:00
Matt Caswell
3ffbe00808 Apache Traffic Server has a need to set the rbio without touching the wbio.
There is no mechanism to do that at the moment - SSL_set_bio makes changes
to the wbio even if you pass in SSL_get_wbio().

This commit introduces two new API functions SSL_set_rbio() and
SSL_set_wbio(). These do the same job as SSL_set_bio() except they enable
you to manage the rbio and wbio individually.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-07 14:29:16 +00:00
Matt Caswell
3c33c6f6b1 Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.
This is an ancient bug workaround for Netscape clients. The documentation
talks about versions 3.x and 4.x beta.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-06 11:35:07 +00:00
Dr. Stephen Henson
a724e79ed7 Preliminary ASN1_TIME documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-02-03 16:47:57 +00:00
Dr. Stephen Henson
156a872233 Add SSL_get_extms_support documentation.
Document SSL_get_extms_support().

Modify behaviour of SSL_get_extms_support() so it returns -1 if the
master secret support of the peer is not known (e.g. handshake in progress).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-03 14:50:08 +00:00
Rich Salz
c303d4d868 old_des fix windows build, remove docs
Remove outdated doc files.
Fix windows build after old_des was removed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-02 22:40:36 -05:00
Rich Salz
625a9baf11 Finish removal of DSS
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-28 12:21:55 -05:00
Matt Caswell
e640fa0200 Harmonise use of EVP_CTRL_GET_TAG/EVP_CTRL_SET_TAG/EVP_CTRL_SET_IVLEN
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-28 10:39:01 +00:00
Rich Salz
646e8c1d6b Dead code removal: Fortezza identifiers
Not interested in helping the NSA in the slightest.
And anyway, it was never implemented, #if'd out.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 21:00:03 -05:00
Rich Salz
63c574f6a6 OPENSSL_NO_XXX cleanup: OPENSSL_NO_BUF_FREELISTS
Remove OPENSSL_NO_BUF_FREELISTS. This was turned on by default,
so the work here is removing the 'maintain our own freelist' code.
Also removed a minor old Windows-multibyte/widechar conversion flag.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-27 16:43:53 -05:00