Commit Graph

1274 Commits

Author SHA1 Message Date
Richard Levitte
05fdb8d355 Document the new EVP_CIPHER and EVP_CIPHER_CTX functionality
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 13:56:43 +01:00
Rich Salz
baf245ec5f GH528: "cipher -v" output is confusing.
Fix the docs, and refactor some common code.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-11 18:54:49 -05:00
Viktor Dukhovni
8106cb8b6d Make SSL{_CTX,}_{get,set,clear}_options functions
These now take and return unsigned long, and get is constified.
Updated related documentation and util/ssleay.num

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-11 10:51:02 -05:00
Dr. Stephen Henson
4e482ae6ff Add memory leak return value.
Make CRYPTO_mem_leaks() and CRYPTO_mem_leaks_fp() return a status value.
Update documentation. Don't abort() if there are leaks.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-11 02:41:16 +00:00
Viktor Dukhovni
c2e27310c7 Enable/disable crypto-mdebug just like other features
Also always abort() on leak failure.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-11 02:41:16 +00:00
Kurt Roeckx
1918e01c9f File is about s_time, not s_client
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-10 13:13:20 +01:00
Kurt Roeckx
869e978c98 Allow disabling the min and max version
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
2016-01-10 13:04:55 +01:00
Viktor Dukhovni
98186eb4e4 Backwards-compatibility subject to OPENSSL_API_COMPAT
Provide backwards-compatiblity for functions, macros and include
files if OPENSSL_API_COMPAT is either not defined or defined less
than the version number of the release in which the feature was
deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 20:53:18 -05:00
Viktor Dukhovni
cddd424a5b DANE s_client support
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 20:01:32 -05:00
Rich Salz
bbd86bf542 mem functions cleanup
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
        (Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 15:14:18 -05:00
Viktor Dukhovni
63b658341e DANE documentation typos
Reported-by: Claus Assmann

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-06 14:15:12 -05:00
Rich Salz
700b4a4ae7 Remove more (rest?) of FIPS build stuff.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-06 12:07:26 -05:00
Viktor Dukhovni
919ba00942 DANE support structures, constructructors and accessors
Also tweak some of the code in demos/bio, to enable interactive
testing of BIO_s_accept's use of SSL_dup.  Changed the sconnect
client to authenticate the server, which now exercises the new
SSL_set1_host() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-05 19:31:49 -05:00
Viktor Dukhovni
57ce7b617c Refine and re-wrap Min/Max protocol docs
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-02 10:48:35 -05:00
Kurt Roeckx
7946ab33ce Add support for minimum and maximum protocol version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-02 10:47:52 -05:00
Matt Caswell
43c34894d7 Add some documentation for the OCSP callback functions
Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Dr. Stephen Henson
ffaef3f152 Always generate DH keys for ephemeral DH cipher suites.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Daniel Kahn Gillmor
d938e8dfee The functions take a SSL *, not a SSL_CTX *
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

RT: #4192, MR: #1533
2015-12-23 22:30:31 +01:00
Dr. Stephen Henson
913592d2c5 SSL configuration module docs
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Rich Salz
7795475f53 Remove some L<asdf|asdf> which crept back in.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-18 14:55:37 -05:00
Rich Salz
3b089ca21b Rename sec_mem to mem_sec, like other files.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-16 22:09:39 -05:00
Rich Salz
7644a9aef8 Rename some BUF_xxx to OPENSSL_xxx
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-16 16:14:49 -05:00
Matt Caswell
8caab744f5 Fix s_server problem with no-ec
s_server was trying to set the ECDH curve when no-ec was defined. This also
highlighted the fact that the -no_ecdhe option to s_server is broken, and
doesn't make any sense any more (ECDHE is on by default and the only way it
can be disabled is through the cipherstring). Therefore this commit removes
the option.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-15 11:26:38 +00:00
Dr. Stephen Henson
0c497e96c4 Update EVP_PKEY documentation.
Add EVP_PKEY_up_ref() documentation and fix various typos.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-14 23:06:14 +00:00
Dr. Stephen Henson
c01ff880d4 New function X509_get0_pubkey
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-14 23:06:14 +00:00
Dr. Stephen Henson
2872dbe1c4 Add EVP_PKEY_get0_* functions.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-14 23:06:14 +00:00
Ben Kaduk
3903e1c334 Fix typo
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-13 22:19:22 -05:00
Rich Salz
9e8b6f0427 Use SHA256 not MD5 as default digest.
(Documentation update was in the MR but not the commit.  Oops.)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-12 19:25:25 -05:00
Dr. Stephen Henson
9391ba1b51 Add extension utility documentation.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-12 14:11:20 +00:00
Dr. Stephen Henson
3a59ad98e9 add X509_up_ref() documentation
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-12 14:11:20 +00:00
Dr. Stephen Henson
e989e54f66 extension documentation
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-12 14:11:20 +00:00
Rob Stradling
ba67253db1 Support the TLS Feature (aka Must Staple) X.509v3 extension (RFC7633).
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

GH: #495, MR: #1435
2015-12-10 19:27:40 +01:00
Richard Levitte
706e2462f1 Document EVP_MD constructors, destructors and manipulators
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:40:20 +01:00
Richard Levitte
716854d74e Document the HMAC changes
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:40:20 +01:00
Richard Levitte
25191fffb9 Document the EVP_MD_CTX changes
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:40:20 +01:00
Richard Levitte
9b6c00707e Document the changed HMAC API.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-07 17:36:57 +01:00
Viktor Dukhovni
d231a4010b Fix typo and improve a bit of text
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-06 22:22:44 -05:00
Viktor Dukhovni
1c735804a2 Really disable 56-bit (single-DES) ciphers
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-06 12:32:19 -05:00
Kurt Roeckx
361a119127 Remove support for all 40 and 56 bit ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #364
2015-12-05 17:45:59 +01:00
Kurt Roeckx
fe6ef2472d Remove SSL_{CTX_}set_ecdh_auto() and always enable ECDH
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-12-04 22:30:36 +01:00
Dr. Stephen Henson
19c6d3ea2d Remove RSA_FLAG_SIGN_VER flag.
Remove RSA_FLAG_SIGN_VER: this was origininally used to retain binary
compatibility after RSA_METHOD was extended to include rsa_sign and
rsa_verify fields. It is no longer needed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-02 18:23:29 +00:00
Dr. Stephen Henson
7f572e958b Remove legacy sign/verify from EVP_MD.
Remove sign/verify and required_pkey_type fields of EVP_MD: these are a
legacy from when digests were linked to public key types. All signing is
now handled by the corresponding EVP_PKEY_METHOD.

Only allow supported digest types in RSA EVP_PKEY_METHOD: other algorithms
already block unsupported types.

Remove now obsolete EVP_dss1() and EVP_ecdsa().

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-02 17:52:01 +00:00
Rich Salz
e6390acac9 ex_data part 2: doc fixes and CRYPTO_free_ex_index.
Add CRYPTO_free_ex_index (for shared libraries)
Unify and complete the documentation for all "ex_data" API's and objects.
Replace xxx_get_ex_new_index functions with a macro.
Added an exdata test.
Renamed the ex_data internal datatypes.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-01 11:48:37 -05:00
Rich Salz
d59c7c81e3 Remove BN_init
Rename it to be an internal function bn_init.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-30 16:10:12 -05:00
Viktor Dukhovni
9446daac5b Correct aes-128-cbc cipher name
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-28 15:07:34 -05:00
Matt Caswell
e113c9c59d Add documentation for BN_with_flags
Following on from the previous commit this adds some documentation for the
BN_with_flags function which is easy to misuse.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-11-26 10:20:36 +00:00
Rich Salz
35cb565a9b Turn B<...()> into ...()
For all functions, consistently use asdf() not B<asdf()>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-21 11:50:01 -05:00
Matt Caswell
68487a9b06 Convert __thread to pthreads for Thread Local Storage
In theory the pthreads approach for Thread Local Storage should be more
portable.

This also changes some APIs in order to accommodate this change. In
particular ASYNC_init_pool is renamed ASYNC_init_thread and
ASYNC_free_pool is renamed ASYNC_cleanup_thread. Also introduced ASYNC_init
and ASYNC_cleanup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:39:30 +00:00
Matt Caswell
e8dfb5bf8e Add ASYNC_block_pause and ASYNC_unblock_pause
There are potential deadlock situations that can occur if code executing
within the context of a job aquires a lock, and then pauses the job. This
adds an ability to temporarily block pauses from occuring whilst performing
work and holding a lock.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:37:17 +00:00
Matt Caswell
8227255006 Add clarification to docs on ASYNC_free_pool()
Clarify that you must only call this after all async jobs have
completed - otherwise you could get memory leaks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:35:19 +00:00