Commit graph

417 commits

Author SHA1 Message Date
Matt Caswell
ddba302a0f Update version docs
Make it clear that you should not attempt to get the version before the
first handshake is complete.

Fixes #2893

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6013)
2018-04-27 10:10:53 +01:00
Matt Caswell
d1f7a1e62a Update the *use_certificate* docs
Note that calling the *use_certificate* functions will replace any existing
certificate of the same type. The same thing applies for private keys.

Fixes #2147

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6092)
2018-04-26 16:39:55 +01:00
Matt Caswell
4753ad858c Document when a session gets removed from cache
Document the fact that if a session is not closed down cleanly then the
session gets removed from the cache and marked as non-resumable.

Fixes #4720

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6053)
2018-04-24 09:23:23 +01:00
Matt Caswell
ededc88dd5 Improve backwards compat with 1.0.2 for ECDHParameters
In 1.0.2 you could configure automatic ecdh params by using the
ECDHParameters config directive and setting it to the value
"+Automatic" or just "Automatic". This is no longer required in 1.1.0+
but we still recognise the "+Automatic" keyword for backwards compatibility.
However we did not recognise just "Automatic" without the leading "+" which
is equally valid. This commit fixes that omission.

Fixes #4113

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6035)
2018-04-24 09:09:43 +01:00
Bernd Edlinger
eb2b989206 Ensure the thread keys are always allocated in the same order
Fixes: #5899

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5911)
2018-04-20 15:45:06 +02:00
A. Schulze
aa3b328541 correct spelling errors detected by Debian lintian
CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5801)
2018-04-19 11:10:17 +02:00
Matt Caswell
c637891310 Correct an ommission in the EVP_DigestSignInit docs
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5996)
2018-04-19 08:35:47 +01:00
Matt Caswell
be93b0e863 Update EVP_DigestSignInit() docs
Explicitly state which digests can be used with which algorithms.

Fixes #5854

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5992)
2018-04-18 08:26:35 +01:00
Matt Caswell
5bbf42a519 Update the info callback documentation for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
2018-04-17 16:51:03 +01:00
Dr. Matthias St. Pierre
a12de2cba8 SSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5977)
2018-04-17 17:31:09 +02:00
Richard Levitte
28428130db Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)
2018-04-17 15:18:40 +02:00
Dr. Matthias St. Pierre
b7fb239438 Revert "Add OPENSSL_VERSION_AT_LEAST"
Fixes #5961

This reverts commit 3c5a61dd0f.

The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain
errors and don't work as designed. Apart from that, their introduction
should be held back until a decision has been mad about the future
versioning scheme.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5968)
2018-04-16 18:43:52 +02:00
Richard Levitte
a8ca496ddb Split the scrypt and RSA-PSS into man3 and man7 pages
The scrypt and RSA-PSS documents were a mixture of section 3 and
section 7 material.  With pre-1.1.1 OpenSSL, this is understandable,
since we had a different directory layout.  With 1.1.1, we've moved to
the typical man-page directory layout, and the documents need to be
updated accordingly.

Also, the scrypt document contained a description of
EVP_PKEY_CTX_set1_pbe_pass(), which is a generic function rather than
an scrypt specific function, and therefore should be documented
separately.

Fixes #5802

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5942)
2018-04-13 11:55:13 +02:00
Richard Levitte
0320e8e286 Docs for OpenSSL_init_crypto: there is no way to specify another file
The documentation erroneously stated that one can change the default
configuration file name.

Fixes #5939

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5941)
2018-04-13 10:24:18 +02:00
Theo Buehler
c12a2d2728 EVP_MD_CTX_cleanup replaced with EVP_MD_CTX_reset
The EVP_MD_CTX_cleanup() function was merged into EVP_MD_CTX_reset()
which is called by EVP_MD_CTX_free().  Adjust the documentation to say
that the latter should be used to avoid leaking memory.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5921)
2018-04-11 12:59:25 -04:00
Dr. Matthias St. Pierre
f7bef277ea Minor corrections for the RAND_DRBG API documentation
- added some explaining text to a sentence that lost its context.
- removed mention of per-ssl drbg
- fix whitespace errors

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5804)
2018-04-11 18:56:03 +02:00
Matt Caswell
fdb8113dae Document the change in the previous commit about loading the config file
When libssl is initialised it will attempt to load any config file. This
ensures any system_default configuration (as per
https://github.com/openssl/openssl/pull/4848) is used.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5818)
2018-04-05 15:30:12 +01:00
Bernd Edlinger
284f4f6b70 Don't use getenv for critical functions when run as setuid/setgid
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5856)
2018-04-04 14:45:49 +02:00
Matt Caswell
29f484d00d Fix some errors in the mem leaks docs
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5794)
2018-04-03 16:17:34 +01:00
Matt Caswell
c4d3c19b4c Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5851)
2018-04-03 13:57:12 +01:00
Alexandre Perrin
1238caa725 Documentation typo fix in EVP_EncryptInit.pod
Remove duplicate declaration of `EVP_CIPHER_key_length` in the synopsis.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5792)
2018-04-02 07:16:12 -04:00
Kurt Roeckx
2f6f913e9e Update documentation on how to close a connection
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
GH: #5823
2018-04-01 21:07:06 +02:00
Dr. Matthias St. Pierre
a73d990e2b Add documentation for the RAND_DRBG API
The RAND_DRBG API was added in PR #5462 and modified by PR #5547.
This commit adds the corresponding documention.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5461)
2018-03-30 00:10:38 +02:00
Vitezslav Cizek
88b8d83e9e BIO_s_accept.pod: add documentation for the new macros
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5007)
2018-03-29 09:18:43 -05:00
Vitezslav Cizek
2cb8445ab5 Document BIO_{get,set}_conn_ip_family macros.
Add BIO_get_conn_ip_family and BIO_set_conn_ip_family macros to
util/private.num and document them in BIO_s_connect.pod.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5007)
2018-03-29 09:18:43 -05:00
Vitezslav Cizek
0f1c0cf154 Update the BIO_s_connect documentation after the BIO refactoring.
The BIO was refactored in 417be660e1,
but the manual wasn't fully updated to reflect some of the changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5007)
2018-03-29 09:18:43 -05:00
Andy Polyakov
242fcd695d rand/randfile.c: permit non-regular files in RAND_load_file.
Apparently applications rely on RAND_load_file's ability to work with
non-regular files, customarily with /dev/urandom, so that the ban was
not exactly appropriate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5737)
2018-03-27 19:55:54 +02:00
Andy Polyakov
100ebb32d1 man3/OPENSSL_ia32cap.pod: update assembler version requirements.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-03-22 11:54:31 +01:00
David Benjamin
ddc1caac2d Document EC_POINT_get_affine_coordinates_*.
In particular, x and y may be NULL, as used in ecdsa_ossl.c. Make use of
this in ecdh_ossl.c as well, to save an otherwise unnecessary temporary.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5532)
2018-03-21 12:39:36 -04:00
Jack Bates
693be9a2cb Convert _meth_get_ functions to const getters
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2181)
2018-03-21 10:37:05 +00:00
Pauli
79b49fb00d Remove mention of link between message digests and public key algorithms.
The comment in EVP_DigestInit.pod is:

> Returns the NID of the public key signing algorithm associated with this
digest. For example EVP_sha1() is associated with RSA so this will return
B<NID_sha1WithRSAEncryption>. Since digests and signature algorithms are no
longer linked this function is only retained for compatibility reasons.


I.e. there is no link anymore.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5682)
2018-03-21 07:24:27 +10:00
Matt Caswell
b0edda11cb Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5689)
2018-03-20 13:08:46 +00:00
Tomas Mraz
8a5ed9dce8 Apply system_default configuration on SSL_CTX_new().
When SSL_CTX is created preinitialize it with system default
configuration from system_default section.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4848)
2018-03-19 10:22:49 -04:00
Kurt Roeckx
16cfc2c90d Don't use a ssl specific DRBG anymore
Since the public and private DRBG are per thread we don't need one
per ssl object anymore. It could also try to get entropy from a DRBG
that's really from an other thread because the SSL object moved to an
other thread.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5547)
2018-03-19 15:04:40 +01:00
Bernd Edlinger
c911e5da3c Fix bio callback backward compatibility
Don't pass a pointer to uninitialized processed value
for BIO_CB_READ and BIO_CB_WRITE

Check the correct cmd code in BIO_callback_ctrl

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5516)
2018-03-19 14:20:53 +01:00
Matt Caswell
d2d67a4cda Document the replay protection capabilities
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5644)
2018-03-19 12:21:42 +00:00
Dr. Matthias St. Pierre
dd07e68b20 Fix miscellaneous typos in docs and source
- d2i_PKC8PrivateKey -> d2i_PKCS8PrivateKey
- bechmark -> benchmark
- ciperhsuite -> ciphersuite
- EncyptedPreMasterSecret -> EncryptedPreMasterSecret

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5570)
2018-03-17 18:24:03 +01:00
Matt Caswell
f929439f61 Rename EVP_PKEY_new_private_key()/EVP_PKEY_new_public_key()
Renamed to EVP_PKEY_new_raw_private_key()/EVP_new_raw_public_key() as per
feedback.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
e8f9f08f17 Add functions for setting the new EVP_PKEY_ASN1_METHOD functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
d45a97f475 Add documentation for the newly added EVP_PKEY_new*() functions
Also adds some documentation for related existing functions/macros

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
2018-03-15 12:47:27 +00:00
Matt Caswell
9d2674cd23 Add documentation for TLSv1.3 ciphersuite configuration
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5392)
2018-03-14 10:15:50 +00:00
Benjamin Saunders
3fa2812f32 Introduce SSL_CTX_set_stateless_cookie_{generate,verify}_cb
These functions are similar to SSL_CTX_set_cookie_{generate,verify}_cb,
but used for the application-controlled portion of TLS1.3 stateless
handshake cookies rather than entire DTLSv1 cookies.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5463)
2018-03-12 19:34:13 +00:00
Todd Short
df0fed9aab Session Ticket app data
Adds application data into the encrypted session ticket

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3802)
2018-03-12 10:31:09 +00:00
Kurt Roeckx
b38fa9855f Fix propotype to include the const qualifier
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #5582
2018-03-11 14:22:31 +01:00
Alex Gaynor
3266cf582a Fixed a handful of typos
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5583)
2018-03-10 13:13:23 -05:00
Benjamin Kaduk
d1142857e4 Document more X509_STORE functions
X509_STORE_set_verify_cb_func.pod has documentation for various callbacks
and function pointers that can be set and retrieved, but neither it nor
X509_STORE_new has much documentation for the actual purpose and usage
of X509_STORE objects.  Remedy this disparity with new documentation
for adding certificates and CRLs, expected usage, and for modifying
the default verifification behavior.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3958)
2018-03-09 17:02:26 -06:00
Ben Kaduk
379cc0893e Fix doc-nits
Remove a space from a whitespace-only line.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5575)
2018-03-09 11:30:06 -06:00
Todd Short
37933acbea Add SSL/SSL_CTX_use_cert_and_key()
Add functions that will do the work of assigning certificate, privatekey
and chain certs to an SSL or SSL_CTX. If no privatekey is given, use the
publickey. This will permit the keys to pass validation for both ECDSA
and RSA. If a private key has already been set for the certificate, it
is discarded. A real private key can be set later.

This is an all-or-nothing setting of these parameters. Unlike the
SSL/SSL_CTX_use_certificate() and SSL/SSL_CTX_use_PrivateKey() functions,
the existing cert or privatekey is not modified (i.e. parameters copied).
This permits the existing cert/privatekey to be replaced.

It replaces the sequence of:
* SSL_use_certificate()
* SSL_use_privatekey()
* SSL_set1_chain()
And may actually be faster, as multiple checks are consolidated.

The private key can be NULL, if so an ENGINE module needs to contain the
actual private key that is to be used.

Note that ECDH (using the certificate's ECDSA key) ciphers do not work
without the private key being present, based on how the private key is
used in ECDH. ECDH does not offer PFS; ECDHE ciphers should be used instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/1130)
2018-03-09 10:28:04 -06:00
Alex Gaynor
d47eaaf41f Fixed a spelling mistake in ASN1_TIME_set.pod
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5569)
2018-03-09 07:11:13 -05:00
Matt Caswell
e440f51395 Give more information in the SSL_stateless return code
Allow users to distinguish between an error occurring and an HRR being
issued.

Fixes #5549

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5562)
2018-03-09 11:37:58 +00:00