Commit graph

2558 commits

Author SHA1 Message Date
Richard Levitte
7c95390ef0 ossl_provider_upref to ossl_provider_up_ref
Common pattern is that the routines to increment the reference count
are called something_up_ref, not something_upref.  Adapt
ossl_provider_upref() accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9293)
2019-07-02 16:30:56 +02:00
Antoine Cœur
c2969ff6e7 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9288)
2019-07-02 14:22:29 +02:00
Rich Salz
b66a481888 Remove DES_check_key global
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9284)
2019-07-01 19:42:12 -04:00
Matt Caswell
792cb4ee8d Ensure that rc5 doesn't try to use a key longer than 2040 bits
The maximum key length for rc5 is 2040 bits so we should not attempt to
use keys longer than this.

Issue found by OSS-Fuzz and Guido Vranken.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8834)
2019-07-01 10:18:37 +01:00
Antoine Cœur
68756b12f5 Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9275)
2019-07-01 10:09:22 +02:00
Patrick Steuer
da93b5cc2b s390x assembly pack: update OPENSSL_s390xcap(3)
Add description of capability vector's pcc and kma parts.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9258)
2019-06-29 23:13:45 +02:00
Paul Yang
bc42bd6298
Support SM2 certificate signing
SM2 certificate signing request can be created and signed by OpenSSL
now, both in library and apps.

Documentation and test cases are added.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9085)
2019-06-28 18:58:19 +08:00
Matt Caswell
4cecf7a127 Add a nid 2 algorithm name mapping capability
Providers that link against libcrypto can just use OBJ_nid2sn() to look
up the name of an algorithm given a NID. However that doesn't work for the
FIPS provider because OBJ_nid2sn() is not available there (due to the
reliance of the code on ASN.1 types). Therefore we provider a new function
to do this mapping. For providers linking against libcrypto the new function
just wraps OBJ_nid2sn(). For the FIPS provider it has a look up for all the
NIDs known there.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9035)
2019-06-28 10:22:21 +01:00
Matt Caswell
0da1d43a94 Document EVP_CIPHER_up_ref()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9233)
2019-06-28 10:02:09 +01:00
Matt Caswell
70c35fd1f6 Rename EVP_MD_upref/EVP_CIPHER_upref to EVP_MD_up_ref/EVP_CIPHER_up_ref
All the other upref functions are spelled as "up_ref". These new functions
should be consistent.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9233)
2019-06-28 10:02:09 +01:00
Matt Caswell
42738cdeaa Add documentation for EVP_CIPHER_fetch
We extend the EVP_MD_fetch documentation to be more generic and to also
cover EVP_CIPHER_fetch. We expect this to be further expanded with other
"fetch" functions in the future.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9233)
2019-06-28 10:02:09 +01:00
Dr. Matthias St. Pierre
262c00882a man: clarify the 'random number generator must be seeded' requirement
The manual pages require for some API functions that the 'random number
generator must be seeded' before calling the function.  Initially, this
was meant literally, i.e. the OpenSSL CSPRNG had to be seeded manually
before calling these functions.

Since version 1.1.1, the CSPRNG is seeded automatically on first use,
so it's not the responsibility of the programmer anymore.  Still, he
needs to be aware that the seeding might fail.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9257)
2019-06-27 14:39:07 +02:00
Dr. Matthias St. Pierre
0588be2e01 man: fix documentation for RSA_generate_key()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9260)
2019-06-27 12:53:30 +02:00
Dr. Matthias St. Pierre
6f92692bd9 OSSL_TRACE: enhance documentation and fix doc-nit errors
- Add the following macros to the NAME section:

  - with synopsis
        OSSL_TRACE_CANCEL, OSSL_TRACE, OSSL_TRACE_ENABLED
  - without synopsis
        OSSL_TRACEV (helper macro, not intended for public use)
        OSSL_TRACE[3-8] (omitted on purpose)

- Revise the NOTES section

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9224)
2019-06-24 16:26:43 +02:00
Santhosh Rameshwarapu
460b8d175b Cross-linked the man(1) pages of kdf & pkeyutl.
Fixes #8784

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9228)
2019-06-24 19:18:34 +10:00
Richard Levitte
651d44183e Replumbing: add support for multiple names per algorithm
Algorithms may have multiple names, as seen in the legacy names
database.  We need to support that as well.

This implementations modifies ossl_namemap to support multiple names
for the same identifier.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8967)
2019-06-24 10:58:13 +02:00
Richard Levitte
3bbec1afed Enhance and update the docs of the internal ossl_provider API
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9200)
2019-06-24 07:57:03 +02:00
Pauli
4e7991b497 Change OSSL_PARAM return size to not be a pointer.
Instead of referencing the return size from the OSSL_PARAM structure, make the
size a field within the structure.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9135)
2019-06-24 14:43:55 +10:00
Pauli
0ccff7a7ea Add documentation for CRYPTO_memcmp.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9225)
2019-06-24 10:19:04 +10:00
Miquel Ruiz
df9fd168ce Add SSL_shutdown to SSL_get_error's documentation
SSL_shutdown can fail if called during initialization, and in such case, it'll
add an error to the error queue. This adds SSL_shutdown to the list of functions
that should preceed the call to SSL_get_error.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/7465)
2019-06-19 15:11:36 +02:00
Matt Caswell
1ff030c0a6 Fix a doc-nits failure
We need blank lines on each side of a section heading.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9192)
2019-06-19 13:31:08 +01:00
Tomas Mraz
8b7b32921e Fix and document BIO_FLAGS_NONCLEAR_RST behavior on memory BIO
The BIO_FLAGS_NONCLEAR_RST flag behavior was not properly documented
and it also caused the length to be incorrectly set after the reset
operation.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9179)
2019-06-19 14:29:27 +02:00
Matt Caswell
a1998897f6 Add some internal documentation for some thread related functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9186)
2019-06-19 11:54:34 +01:00
Pauli
b720949ec0 ARIA documentation titled itself AES
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9188)
2019-06-19 10:20:49 +10:00
Rich Salz
8908d18cb1 Change ERR_add_error_[v]data to append
The "add error data" functions now append to the current error.
Add a test for this.
Cleanup some of the ERR_put functions.
In the FIPS module, always append "(in the FIPS module)" to any errors.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9181)
2019-06-18 23:21:38 +02:00
Matt Caswell
ff6da65e0d Document OPENSSL_thread_stop_ex()
This new function works in the same way as OPENSSL_thread_stop() but
for a specified OPENSSL_CTX.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9040)
2019-06-17 16:19:44 +01:00
Pauli
1313e37ab9 Better document specific OSSL_PARAM symbols.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9114)
2019-06-17 11:34:09 +10:00
Paul Yang
4bfe304ea8 Add documentation for X509_cmp and related APIs
Fixes: #9088

Functions documented in this commit: X509_cmp, X509_NAME_cmp,
X509_issuer_and_serial_cmp, X509_issuer_name_cmp, X509_subject_name_cmp,
X509_CRL_cmp, X509_CRL_match

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9091)
2019-06-15 20:31:05 +08:00
Matt Caswell
b1d14c412a Update the d2i docs to reflect reality
The d2i docs state that if an error occurs then |*a| is not freed. This
is not correct. On error it is freed and set to NULL. We update the docs
to say this, and also discuss the fact that this behaviour was inconsistent
prior to OpenSSL 1.1.0.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9146)
2019-06-13 10:23:54 +01:00
Tomas Mraz
02f209bb47 ts: Fix awkward sentences in the documentation and the default digest
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9143)
2019-06-12 12:06:15 +02:00
Tomas Mraz
a6dfa18820 ts: Use sha256 as default digest for TS query
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7900)
2019-06-12 11:45:57 +02:00
raja-ashok
dfa1f5476e Update docs for TLS1.3 FFDHE
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8178)
2019-06-12 10:18:34 +01:00
Matt Caswell
4ff4e53f81 i2d_PublicKey was listed in 2 different man pages
find-doc-nits complains if a symbol is documented in more than one
location.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9094)
2019-06-12 10:12:14 +01:00
Matt Caswell
7bc081dda3 Create BN_CTX_new_ex() and BN_CTX_secure_new_ex()
These variants of BN_CTX_new() and BN_CTX_secure_new() enable passing
an OPENSSL_CTX so that we can access this where needed throughout the
BIGNUM sub library.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9130)
2019-06-12 09:16:43 +01:00
Pauli
c79b6b874b OSSL_PARAM example code bug fix.
Technically not a bug since the code worked but the array index shouldn't have
been constant after searching for the field.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9136)
2019-06-12 09:50:11 +10:00
Shane Lontis
f0efeea29e PBKDF2 updates to conform to SP800-132
The existing code used PKCS5 specifications.
SP800-132 adds the following additional constraints for:
  - the range of the key length.
  - the minimum iteration count (1000 recommended).
  - salt length (at least 128 bits).
These additional constraints may cause errors (in scrypt, and
some PKCS5 related test vectors). To disable the new
constraints use the new ctrl string "pkcs5".
For backwards compatability, the checks are only enabled by
default for fips mode.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8868)
2019-06-11 20:40:07 +10:00
Shane Lontis
83b4a24384 Make EVP_MD_CTX_ctrl() work for legacy use cases (ssl3).
This is still required currently by engines and digestsign/digestverify.
This PR contains merged in code from Richard Levitte's PR #9126.

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9103)
2019-06-11 20:25:33 +10:00
Shigeki Ohtsu
7588660a53 Fix doc to remove const arg in GEN_SESSION_CB
ae3947de09 changed the callback arg not to have a const parameter.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9104)
2019-06-11 09:54:04 +01:00
Todd Short
5d12051167 Change cipher default strings to a function
Making the default cipher strings a function gives the library more
control over the defaults. Potentially allowing a change in the
future as ciphers become deprecated or dangerous.
Also allows third party distributors to change the defaults for their
installations.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8686)
2019-06-11 09:44:26 +01:00
Richard Levitte
b4d3f203da doc/internal/man3/ossl_method_construct.pod: follow common conventions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9109)
2019-06-10 08:01:58 +02:00
Richard Levitte
2ccb1b4eca EVP fetching: make operation_id part of the method identity
Because the operation identity wasn't integrated with the created
methods, the following code would give unexpected results:

    EVP_MD *md = EVP_MD_fetch(NULL, "MD5", NULL);
    EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "MD5", NULL);

    if (md != NULL)
        printf("MD5 is a digest\n");
    if (cipher != NULL)
        printf("MD5 is a cipher\n");

The message is that MD5 is both a digest and a cipher.

Partially fixes #9106

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9109)
2019-06-10 08:01:19 +02:00
Matt Caswell
37ca204b96 Add documentation for new functions taking an OPENSSL_CTX parameter
Various functions have been added that take an OPENSSL_CTX parameter as
a result of moving the RAND code into the FIPS module. We document all of
those functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9039)
2019-06-07 12:04:42 +01:00
Kurt Roeckx
be5fc053ed Replace EVP_MAC_CTX_copy() by EVP_MAC_CTX_dup()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
GH: #7651
2019-06-06 17:41:41 +02:00
Pauli
355b419698 Address property documentation concerns.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9090)
2019-06-06 16:38:26 +10:00
Dr. Matthias St. Pierre
b1f6925754 man: fix doc-nit in property.pod
This causes travis build failures on master

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9087)
2019-06-05 21:06:08 +02:00
Pauli
85e0ad9f13 Document property hierarchy.
Add documentation to indicate the interaction between global (context level)
property queries and local (passed to fetch) ones.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9042)
2019-06-05 14:28:20 +10:00
Dr. Matthias St. Pierre
f308fa2573 Document deprecation of version-specific SSL/TLS methods
In commit 2b8fa1d56c the version-specific SSL/TLS methods were
deprecated. This patch improves the documentation of that change
by stating the deprecation more prominently in the manual page
and explaining the reason for the deprecation.

Fixes #8989

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9001)
2019-06-04 16:29:12 +02:00
Shane Lontis
d5e5e2ffaf Move digests to providers
Move digest code into the relevant providers (fips, default, legacy).
The headers are temporarily moved to be internal, and will be moved
into providers after all external references are resolved. The deprecated
digest code can not be removed until EVP_PKEY (signing) is supported by
providers. EVP_MD data can also not yet be cleaned up for the same reasons.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8763)
2019-06-04 12:09:50 +10:00
Pauli
b6db5b3d50 Remove file reference from property documentation.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9066)
2019-06-03 16:42:50 +10:00
Pauli
915bf45ee3 Fix a typo in the property grammar that creates an ambiguous parse.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9065)
2019-06-03 08:30:49 +10:00