Commit graph

236 commits

Author SHA1 Message Date
David Benjamin
ee1ed1d380 Fix the names of older ciphers.
The names of these ciphers have an "SSL_" prefix, but the RFC names use
"TLS_":
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

This dates back to these ciphers being originally defined in SSLv3. As
SSLv3 is on its way out anyway and this is a new set of APIs,
consistently use the TLS names.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4007)
2017-07-31 09:11:18 -04:00
Xiaoyin Liu
27eb9f23e6 Fix typo in ASN1_TIME_set.pod
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4053)
2017-07-30 19:59:39 -04:00
Paul Yang
1c026996da Update ASN1_TIME_to_tm's documentation
To state the fractional seconds part will be lost in the conversion.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4041)
2017-07-30 18:28:54 -04:00
Dr. Stephen Henson
48ed9c23b0 Add public key method enumeration function.
Add functions to enumerate public key methods. Add test to ensure table
is in the correct order.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4015)
2017-07-29 23:04:09 +01:00
Bernd Edlinger
2928b29b2f Document OPENSSL_secure_clear_free
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4044)
2017-07-29 19:30:39 +02:00
Paul Yang
190b9a03b7 Make SSL_set_tlsext_host_name no effect from server side
Documentation and test cases are also updated

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3783)
2017-07-28 11:51:59 -04:00
Paul Yang
dbd007d7d2 Fix a reference nit in doc
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4036)
2017-07-28 11:34:55 -04:00
Benjamin Kaduk
d3b58b953c Remove trailing whitespace from store-related man pages
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3860)
2017-07-27 14:32:13 -05:00
Benjamin Kaduk
1fb2993d9e Catch up to the removal of OSSL_STORE_open_file()
Remove references to it in documentation.

Unfortunately, it is too late to renumber symbols in libcrypto.num
and avoid the NOEXIST entry there.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3860)
2017-07-27 14:32:13 -05:00
Hubert Kario
00606b06d5 add basic references to the new methods in documentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1334)
2017-07-26 15:04:54 -04:00
Hubert Kario
dae2218d76 fix OSSL_STORE man pages
the man pages have lines that contain nothing but whitespace,
clean it up by removing that whitespace

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1334)
2017-07-26 15:04:54 -04:00
Paul Yang
7b608d0828 Add test cases and docs for ASN1_STRING_TABLE_* functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3998)
2017-07-26 20:06:51 +02:00
Todd Short
a58eb06d52 Add support to free/allocate SSL buffers
OpenSSL already has the feature of SSL_MODE_RELEASE_BUFFERS that can
be set to release the read or write buffers when data has finished
reading or writing. OpenSSL will automatically re-allocate the buffers
as needed. This can be quite aggressive in terms of memory allocation.

This provides a manual mechanism. SSL_free_buffers() will free
the data buffers if there's no pending data. SSL_alloc_buffers()
will realloc them; but this function is not strictly necessary, as it's
still done automatically in the state machine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2240)
2017-07-26 11:42:17 -04:00
Andy Polyakov
e4adad92b3 Wire SHA3 EVPs and add tests.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3943)
2017-07-25 21:40:30 +02:00
Pauli
1a68e5b0d9 Improve struct tm population
Using Zeller's congruence to fill the day of week field,
Also populate the day of year field.

Add unit test to cover a number of cases.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3999)
2017-07-24 11:24:27 +10:00
Paul Yang
3d0f1cb9fd Add asn1_time_to_tm function and check days in month
Based on discussion in PR #3566. Reduce duplicated code in original
asn1_utctime_to_tm and asn1_generalizedtime_to_tm, and introduce a new
internal function asn1_time_to_tm. This function also checks if the days
in the input time string is valid or not for the corresponding month.

Test cases are also added.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3905)
2017-07-24 08:27:27 +10:00
Paul Yang
a1099821f9 Update documentation for SSL_is_server()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3893)
2017-07-24 07:59:40 +10:00
Rich Salz
8389ec4b49 Add --with-rand-seed
Add a new config param to specify how the CSPRNG should be seeded.
Illegal values or nonsensical combinations (e.g., anything other
than "os" on VMS or HP VOS etc) result in build failures.
Add RDSEED support.
Add RDTSC but leave it disabled for now pending more investigation.

Refactor and reorganization all seeding files (rand_unix/win/vms) so
that they are simpler.

Only require 128 bits of seeding material.

Many document improvements, including why to not use RAND_add() and the
limitations around using load_file/write_file.
Document RAND_poll().

Cleanup Windows RAND_poll and return correct status

More completely initialize the default DRBG.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3965)
2017-07-22 14:00:07 -04:00
Paul Yang
bbb4ceb86e Support converting cipher name to RFC name and vice versa
Fixes: issue #3747

make SSL_CIPHER_standard_name globally available and introduce a new
function OPENSSL_cipher_name.

A new option '-convert' is also added to 'openssl ciphers' app.

Documentation and test cases are added.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3859)
2017-07-21 07:20:14 +10:00
Matt Caswell
0299f3f790 Add some performance notes about early data
In particular add information about the effect of Nagle's algorithm on
early data.

Fixes #3906

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3955)
2017-07-18 17:43:06 +01:00
Emilia Kasper
1e3f62a382 RSA_padding_check_PKCS1_type_2 is not constant time.
This is an inherent weakness of the padding mode. We can't make the
implementation constant time (see the comments in rsa_pk1.c), so add a
warning to the docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-07-18 11:16:39 +02:00
Rich Salz
e90fc053c3 Don't use "version" in "OpenSSL Version 1.1.0" etc
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3938)
2017-07-16 17:28:41 -04:00
Rich Salz
e0c89df9e4 Rewrite RAND_egd
Use stdio and its buffering.
Limit to 255 bytes (could remove that if neceessary).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3888)
2017-07-12 11:09:39 -04:00
Rich Salz
04256277cb Update various RAND podpages
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3883)
2017-07-07 23:53:54 -04:00
Matt Caswell
4e2bd9cb0f Update the documentation for the new SSL_OP_ALLOW_NO_DHE_KEX option
Also the associated configuration parameters and command line switches.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3833)
2017-07-07 16:08:05 +01:00
Rich Salz
9ee344f5cd Cleanup RAND_load_file,RAND_write_file
Document an internal assumption that these are only for use with files,
and return an error if not. That made the code much simpler.
Leave it as writing 1024 bytes, even though we don't need more than 256
from a security perspective.  But the amount isn't specified, now, so we
can change it later if we want.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3864)
2017-07-06 13:59:11 -04:00
Benjamin Kaduk
7b5b2c4614 Improve BN_CTX documentation
Since BN_CTX_init() is gone, all calls use BN_CTX_new().  Also,
essentially all consumers will use BN_CTX_start()/BN_CTX_end(),
so make that more clear from the BN_CTX_new() man page.

Document the thread-unsafety of individual BN_CTX objects.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3682)
2017-07-05 12:53:28 -05:00
Rich Salz
5ecff87d66 BN_pseudo_rand is really BN_rand
And BN_pseudo_rand_range is really BN_rand_range.
Document that we might deprecate those functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3743)
2017-07-03 19:26:56 -04:00
Richard Levitte
e9c9971b35 Correct documentation for UI_get0_result_string
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3824)
2017-07-03 19:32:18 +02:00
Rich Salz
a95d7574db Various doc fixes
Fix a =head1 section name
Fix a typo in POD label
Remove a spurious =back
Add a missing blank line
Avoid 'legacy' -- use 'deprecated' if still needed if we cannot just reword.
Always do strict checking
Do not warn about missing "RETURN VALUES" unless -s is set.
Change OpenSSL version 1.1 -> 1.1.0

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3830)
2017-07-03 10:40:33 -04:00
Rich Salz
b5319bdbd0 Fix atfork flag. Avoid double-negatives :)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/3815)
2017-06-30 14:47:02 -04:00
Rich Salz
2915fe19a6 Add fork handlers, based on pthread_atfork
Only for Unix platforms

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3754)
2017-06-29 16:19:41 -04:00
Richard Levitte
7852f588a6 Make it possible to tell the file loader to use secure memory
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3483)
2017-06-29 19:19:40 +02:00
Richard Levitte
6fc1d33c90 STORE 'file' scheme loader: refactor the treatment of matches
Sometimes, 'file_load' couldn't really distinguish if a file handler
matched the data and produced an error or if it didn't match the data
at all.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3542)
2017-06-29 11:55:33 +02:00
Richard Levitte
e2e603fe7c Add documentation for STORE functions
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3542)
2017-06-29 11:55:32 +02:00
Matt Caswell
a599574be1 Updates following review of SSL_export_key_material() changes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3782)
2017-06-29 10:15:50 +01:00
Matt Caswell
e88c40af45 Update the SSL_export_keying_material() documentation for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3782)
2017-06-29 10:15:50 +01:00
Greg Zaverucha
519a5d1ef2 Fix sample code
Fix memory leak in sample encryption code and check return value of
fopen.

CLA: trivial

Signed-off-by: Greg Zaverucha <gregz@microsoft.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3790)
2017-06-29 00:38:26 +02:00
Rich Salz
f367ac2b26 Use randomness not entropy
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3773)
2017-06-27 12:14:49 -04:00
Sascha Steinbiss
db17e43d88 Add OCSP_resp_get1_id() accessor
Adding a get1 style accessor as brought up in mailing list post
https://mta.openssl.org/pipermail/openssl-users/2016-November/004796.html

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1876)
2017-06-21 15:01:54 -04:00
Matt Caswell
23cec1f4b4 Add documentation for the SSL_export_keying_material() function
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3735)
2017-06-21 16:18:36 +01:00
Matt Caswell
72257204bd PSK related tweaks based on review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:36 +01:00
Matt Caswell
725b0f1e13 Make the input parameters for SSL_SESSION_set1_master_key const
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:36 +01:00
Matt Caswell
8ead6158a9 Document SSL_set_psk_find_session_callback() and SSL_CTX equivalent
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:36 +01:00
Matt Caswell
93a048a1d8 Document SSL_set_psk_use_session_callback() and SSL_CTX equivalent
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
801d9fbd97 Add documentation for SSL_CTX_set_psk_use_session_callback()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
9c39fa1e38 Document SSL_CIPHER_get_handshake_digest()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
267869d3f3 Document SSL_SESSION_set_protocol_version()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
5eb7273669 Document SSL_SESSION_set1_master_key()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00
Matt Caswell
7721978ca8 Add documentation for SSL_SESSION_set_cipher()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
2017-06-21 14:45:35 +01:00