Commit graph

458 commits

Author SHA1 Message Date
Viktor Dukhovni
aed4d5b7cb Clarify negative return from X509_verify_cert()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-26 16:36:35 -04:00
Dr. Stephen Henson
c3011e3e1d add documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b1b3e14fbe)
2016-05-04 13:00:17 +01:00
Matt Caswell
e903aaf894 Remove some documentation for functions not in 1.0.x
A few functions in the recently added EVP_EncodeInit docs don't apply to
the 1.0.x branches.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 12:54:06 +01:00
Matt Caswell
fec6d1e868 Add documentation for EVP_EncodeInit() and similar functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 11:54:00 +01:00
Richard Levitte
0dae9636e8 Document how BIO_get_conn_ip and BIO_get_conn_int_port actually work
No dummy arguments.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7eb5125125)
2015-12-19 22:10:32 +01:00
Matt Caswell
1fe1c65c3b Minor EVP_SignInit_ex doc fix
EVP_SignInit_ex was missing from the NAME section of its man page so
typing "man EVP_SignInit_ex" failed to load the page.

Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 3d866ea67e)
2015-11-04 14:39:32 +00:00
Alessandro Ghedini
020bc42893 Fix typos
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d900a015b5)
2015-10-23 20:41:17 +02:00
Adam Eijdenberg
2d404dc380 Clarify return values for EVP_DigestVerifyFinal.
Previous language was unclear.  New language isn't pretty but I believe
it is more accurate.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8cbb048c3e)
2015-10-22 21:11:19 -04:00
Ismo Puustinen
72ac982306 GH367: use random data if seed too short.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 6f997dc365)
2015-09-29 12:49:16 -04:00
Emilia Kasper
456b9820eb BUF_strdup and friends: update docs
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 58e3457a82)
(cherry picked from commit be250ee2d3)
2015-09-22 20:09:42 +02:00
Rich Salz
628c15039f This undoes GH367 for non-master
Was only approved for master, to avoid compatibility issues on
previous releases.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 6be18a2219)
2015-09-18 15:56:45 -04:00
Ben Kaduk
a6ce498b2a GH367 follow-up, for more clarity
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 36ac7bc8a9)
2015-08-31 13:47:12 -04:00
Ismo Puustinen
9a97446468 GH367: Fix dsa keygen for too-short seed
If the seed value for dsa key generation is too short (< qsize),
return an error. Also update the documentation.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f00a10b897)
2015-08-28 11:25:44 -04:00
mancha
396a2dc071 Fix author credit for e5c0bc6
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-07-15 06:50:12 -04:00
Rich Salz
001c957676 Revert "Missing perldoc markup around < literal"
This reverts commit e5c0bc6cc4.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-07-15 06:50:12 -04:00
GitHub User
432785095c Missing perldoc markup around < literal
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e5c0bc6cc4)
2015-07-14 01:33:29 -04:00
Matt Caswell
b3b1eb5735 Reject calls to X509_verify_cert that have not been reinitialised
The function X509_verify_cert checks the value of |ctx->chain| at the
beginning, and if it is NULL then it initialises it, along with the value
of ctx->untrusted. The normal way to use X509_verify_cert() is to first
call X509_STORE_CTX_init(); then set up various parameters etc; then call
X509_verify_cert(); then check the results; and finally call
X509_STORE_CTX_cleanup(). The initial call to X509_STORE_CTX_init() sets
|ctx->chain| to NULL. The only place in the OpenSSL codebase  where
|ctx->chain| is set to anything other than a non NULL value is in
X509_verify_cert itself. Therefore the only ways that |ctx->chain| could be
non NULL on entry to X509_verify_cert is if one of the following occurs:
1) An application calls X509_verify_cert() twice without re-initialising
in between.
2) An application reaches inside the X509_STORE_CTX structure and changes
the value of |ctx->chain| directly.

With regards to the second of these, we should discount this - it should
not be supported to allow this.

With regards to the first of these, the documentation is not exactly
crystal clear, but the implication is that you must call
X509_STORE_CTX_init() before each call to X509_verify_cert(). If you fail
to do this then, at best, the results would be undefined.

Calling X509_verify_cert() with |ctx->chain| set to a non NULL value is
likely to have unexpected results, and could be dangerous. This commit
changes the behaviour of X509_verify_cert() so that it causes an error if
|ctx->chain| is anything other than NULL (because this indicates that we
have not been initialised properly). It also clarifies the associated
documentation. This is a follow up commit to CVE-2015-1793.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:52:36 +01:00
Dr. Stephen Henson
e5d5019a23 document -2 return value
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5727582cf5)
2015-07-06 18:36:10 +01:00
Dr. Stephen Henson
e2cf18c635 PEM doc fixes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f097f81c89)
2015-05-28 18:02:19 +01:00
Matt Caswell
b484b040e3 Fix off-by-one in BN_rand
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-22 23:45:33 +01:00
Matt Caswell
726b5e7132 Reject negative shifts for BN_rshift and BN_lshift
The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 7cc18d8158)

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c
2015-05-22 23:21:55 +01:00
Matt Caswell
1c687ff4dd Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

Conflicts:
	doc/apps/cms.pod
	doc/apps/ocsp.pod
	doc/apps/s_client.pod
	doc/apps/s_server.pod
	doc/apps/smime.pod
	doc/apps/verify.pod
2015-05-20 23:14:25 +02:00
Dr. Stephen Henson
1a09816435 additional configuration documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3d764db7a2)
2015-03-12 13:45:52 +00:00
Dr. Stephen Henson
876ed10574 Additional CMS documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e3013932df)
2015-03-08 16:19:38 +00:00
Matt Caswell
1aff39de76 Fix some minor documentation issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
1159e24d56 Add dire warnings about the "reuse" capability of the d2i_* functions.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
b91058d222 Provide documentation for i2d_ECPrivateKey and d2i_ECPrivateKey
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Conflicts:
	doc/crypto/EC_KEY_new.pod
	doc/crypto/EC_POINT_new.pod
2015-02-25 17:46:20 +00:00
Rich Salz
491f3e4e8e Make OPENSSL_config truly ignore errors.
Per discussion: should not exit. Should not print to stderr.
Errors are ignored.  Updated doc to reflect that, and the fact
that this function is to be avoided.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit abdd677125)
2015-01-25 21:15:57 -05:00
Matt Caswell
ff60f33811 Updates to X509_NAME_get_index_by_NID.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 6484958645)
2014-11-27 13:57:23 +00:00
Matt Caswell
2cfa5edb26 Updates to X509_NAME_add_entry_by_txt.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit f281b8df70)
2014-11-27 13:57:23 +00:00
Matt Caswell
291a3e9629 Updates to EVP_PKEY_encrypt.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 34890ac18e)
2014-11-27 13:57:23 +00:00
Alok Menghrajani
e7768ebbd2 Fixes a minor typo in the EVP docs.
Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5211e094de)
2014-11-12 21:05:24 +00:00
Dr. Stephen Henson
4ed98b6e25 Use correct function name: CMS_add1_signer()
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5886354dcc)
2014-09-25 00:06:59 +01:00
Rich Salz
4d16915381 RT2379: Bug in BIO_set_accept_port.pod
The doc says that port can be "*" to mean any port.
That's wrong.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 07e3b31fae)
2014-08-29 16:46:28 -04:00
Mihai Militaru
48ecdec7a0 RT2210: Add missing EVP_cleanup to example
I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c544)
2014-08-27 13:27:06 -04:00
Jan Schaumann
228a77a4ad RT1804: fix EXAMPLE in EVP_EncryptInit.pod
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-25 10:26:57 -04:00
Matt Caswell
03b17a5789 Typo fixes to evp documentation.
This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b95)
2014-08-24 21:26:40 +01:00
Emilia Kasper
9f96ea4c2b Improve EVP_PKEY_sign documentation
Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a20)
2014-08-22 15:06:09 +02:00
Tim Hudson
690998f904 Minor documentation update removing "really" and a
statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4b6)
2014-07-21 20:24:47 +10:00
Dr. Stephen Henson
3221da845f Fix documentation for RSA_set_method(3)
PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)
2014-07-19 18:26:12 +01:00
Jeffrey Walton
9aeb410419 Fix typo, add reference.
PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0cf)
2014-07-17 12:08:52 +01:00
Jeffrey Walton
157fd05aad Added reference to platform specific cryptographic acceleration such as AES-NI 2014-07-06 00:04:32 +01:00
Rich Salz
3fa2fff86f Merge branch 'rsalz-docfixes' 2014-07-03 12:53:36 -04:00
Matt Smart
a6cc0e0a0d Fix doc typo.
ERR_get_error(3) references the non-existent
ERR_get_last_error_line_data instead of the one that does exist,
ERR_peek_last_error_line_data.

PR#3283
(cherry picked from commit 5cc99c6cf5)
2014-07-02 03:45:07 +01:00
Jeffrey Walton
02e8d46119 Clarified that the signature's buffer size, s, is not used as an
IN parameter.

Under the old docs, the only thing stated was "at most
EVP_PKEY_size(pkey) bytes will be written". It was kind of misleading
since it appears EVP_PKEY_size(pkey) WILL be written regardless of the
signature's buffer size.

(cherry picked from commit 6e6ba36d98)
2014-06-29 23:36:51 +01:00
Ken Ballou
cb34cb1f23 Typo.
PR#3173
(cherry picked from commit 76ed5a42ea)
2014-06-29 13:39:24 +01:00
Matt Caswell
151399a944 Fixed minor duplication in docs 2014-06-07 12:32:00 +01:00
Michal Bozon
bfdaf45141 Corrected POD syntax errors. PR#3353 2014-05-14 22:59:48 +01:00
Jean-Paul Calderone
778f2b648c Correct the return type on the signature for X509_STORE_CTX_get_ex_data given in the pod file. 2014-05-12 22:48:34 +01:00
Dr. Stephen Henson
602b2790ca Clarify CMS_decrypt behaviour.
(cherry picked from commit 5f8e9a477a)
2014-04-15 18:19:40 +01:00