Commit Graph

4168 Commits

Author SHA1 Message Date
Matt Caswell
54b4053130 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16176)
2021-07-29 15:41:35 +01:00
Matt Caswell
0136956dc6 Update fingerprints.txt
Add Paul Dale as an approved release signer.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16175)
2021-07-29 14:09:55 +01:00
Matt Caswell
c6fcd88fa0 Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs
Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as
const. But 3 did not. We fix those to be consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16128)
2021-07-27 10:34:44 +01:00
Tomas Mraz
a7e62fbdf8 ECDSA_SIG_set0(): Clarify documentation and fix formatting errors
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16129)
2021-07-27 11:02:55 +10:00
Richard Levitte
317ed1b417 DOCS: Move the description of EVP_PKEY_get0_description()
It appears to have been misplaced

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16063)
2021-07-26 12:11:54 +02:00
Richard Levitte
ad0a2c0110 EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider()
Fixes #16058

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16063)
2021-07-26 12:11:54 +02:00
Dr. David von Oheimb
4672e5de9e tls_process_{client,server}_certificate(): allow verify_callback return > 1
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13937)
2021-07-21 11:46:18 +02:00
Dr. David von Oheimb
ee11462d31 SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications
- Make clear the callback is called whenever a peer certificate has been received,
  which is independent of the verification mode.
- Make clear that a return value > 1 always leads to handshake failure.
- Make clear that in server mode also return values <= 0 lead to handshake failure.
- For client mode replace the incorrect formulation "if B<SSL_VERIFY_PEER> is set"
  by what is actually implemented: "if the verification mode is not B<SSL_VERIFY_NONE>".
- Refer to X509_STORE_CTX_set_error() rather than to internal error variable.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13937)
2021-07-21 11:44:14 +02:00
yangyangtiantianlonglong
0c48fda8d3 Add testcases for SSL_key_update() corner case calls
Test that SSL_key_update() is not allowed if there are writes pending.
Test that there is no reset of the packet pointer in ssl3_setup_read_buffer().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16085)
2021-07-21 14:11:56 +10:00
Pauli
9989a746eb docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)
2021-07-20 18:34:07 +10:00
Petr Gotthard
718d55f43f doc: fix OPENSSL_VERSION_NUMBER length in the synopsis
The number has 8 digits (not 9). It is a single integer `0xMNN00PP0L`.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16106)
2021-07-20 10:19:05 +10:00
Tomas Mraz
24f84b4e4d doc: It is not possible to use SSL_OP_* value in preprocessor conditions
Fixes #16082

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16084)
2021-07-16 14:37:18 +02:00
Tomas Mraz
e0ad156d22 RSA_public_decrypt is equivalent to a verify recover operation
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16068)
2021-07-16 11:29:34 +02:00
Pauli
8e94c51b32 doc: document the params arguments to the initialisation functions.
These were accidentally omitted when the arguments were added globally.

Fixes #16067

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16072)
2021-07-15 16:46:18 +10:00
Tomas Mraz
11f18ef1f5 Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check()
The implementation of EVP_PKEY_pairwise_check() is also changed
to handle the legacy keys.

Fixes #16046

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16069)
2021-07-15 10:54:25 +10:00
Tomas Mraz
54c0480dac doc: Document that incomplete certificates return error
Fixes #16065

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16070)
2021-07-15 10:23:41 +10:00
Pauli
d19dacd55f doc: document the new opt_legacy_okay() function's behaviour
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)
2021-07-12 09:13:41 +10:00
Dr. David von Oheimb
6a1f9cdc0c Improve doc of OSSL_HTTP_REQ_CTX_set_expected() on timeout param < 0
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16029)
2021-07-11 17:06:12 +02:00
Pauli
4e20312ba6 doc: update documentation to note removal of ERR_GET_FUNC()
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16004)
2021-07-06 20:14:41 +10:00
Pauli
f7546162d4 doc: include PBKDF1 documentation in build.info
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15967)
2021-07-05 11:49:42 +10:00
Pauli
97419ce97d doc: add PBKDF1 provider documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15967)
2021-07-05 11:49:42 +10:00
Tomas Mraz
5cffc49f72 PEM_read_...: document that garbage and other PEM data is skipped
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15949)
2021-07-02 15:33:34 +02:00
Tomas Mraz
d60e719c2d doc: Mention the update of der data pointers in d2i/i2d
Fixes #15958

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15959)
2021-07-01 16:04:13 +02:00
Richard Levitte
025312431d DOC: clarify OPENSSL_API_COMPAT
Fixes #15928

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15956)
2021-07-01 09:19:54 +02:00
Dr. David von Oheimb
1986f6152f OSSL_CRMF_{CERTTEMPLATE,CERTID}_get0_serialNumber(): Make result const for consistency
Also make doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod consistent with crmf.h.in regarding const results

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15790)
2021-06-30 10:38:23 +02:00
Dr. David von Oheimb
7df56adac7 CMP: Add missing getter functions to CRMF API and CMP API
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15790)
2021-06-30 10:38:23 +02:00
Dmitry Belyavskiy
a73a5d0a14 Missing link to fips_config documentation
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15940)
2021-06-29 21:05:40 +02:00
Hubert Kario
b2eabccbe5 doc: make error checking in ticket handling code explicit
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15918)
2021-06-29 12:15:40 +02:00
Dr. David von Oheimb
4acda8635e DOC: Clarify the role of EKUs including defaults for TLS client and server use
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14199)
2021-06-26 15:38:40 +02:00
Pauli
56ba2b78eb doc: update up call documentation
Some of the BIO functions weren't included in the provider-base documentation.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15909)
2021-06-26 16:14:52 +10:00
Theo Buehler
3a1ec0c269 Fix two typos in OSSL_trace_enabled.pod
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15894)
2021-06-26 11:38:01 +10:00
Dr. David von Oheimb
991519aeb9 CMP: Improve reporting of error codes and related strings via 'error' msg
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15879)
2021-06-25 07:44:50 +02:00
Dr. David von Oheimb
7b3990e3f8 CMP: Clean up internal message creation API and its documentation
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15879)
2021-06-25 07:44:50 +02:00
Matt Caswell
59a783d05a Fix a race in ossl_provider_add_to_store()
If two threads both attempt to load the same provider at the same time,
they will first both check to see if the provider already exists. If it
doesn't then they will both then create new provider objects and call the
init function. However only one of the threads will be successful in adding
the provider to the store. For the "losing" thread we should still return
"success", but we should deinitialise and free the no longer required
provider object, and return the object that exists in the store.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15854)
2021-06-24 14:48:15 +01:00
Matt Caswell
29d46e09ce Update documentation following updates to the provider code
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15854)
2021-06-24 14:48:15 +01:00
Matt Caswell
eb2263da9a Set use_fallbacks to zero when we add a provider to the store
Update use_fallbacks to zero when we add a provider to the store rather
than when we activate it. Its only at the point that we add it to the store
that it is actually usable and visible to other threads.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15854)
2021-06-24 14:48:14 +01:00
Matt Caswell
8d4dec0d4b Instantiate predefined providers just-in-time
Previously we instantiated all the predefined providers at the point that
we create the provider store. Instead we move them to be instantiated as we
need them.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15854)
2021-06-24 14:48:14 +01:00
Tomas Mraz
77072e2749 Documentation: SM2 keys can use only the SM2 curve
Fixes #14411

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15875)
2021-06-24 11:29:58 +02:00
Pauli
0218bcdd3f doc: Document that the OBJ creation functions don't lock.
Neither OBJ_create() nor OBJ_add_sigid() use locks.  They are not thread safe.
They can and will cause the other OBJ_ query functions to fail in mysterious
ways if called concurrently with them.

There is no problem calling multiple query functions concurrently.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15865)
2021-06-24 15:50:26 +10:00
Dmitry Belyavskiy
13757e1283 Some clear guidelines for the legacy algs.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15860)
2021-06-24 12:32:08 +10:00
Richard Levitte
006de7670a EVP: Change the output size type of EVP_Q_digest() and EVP_Q_mac()
This makes them more consistent with other new interfaces.

Fixes #15839

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15861)
2021-06-23 23:00:36 +02:00
Shane Lontis
3b1978e486 Change self test for AES_CGM to perform both an encrypt and decrypt.
This is a request from the lab that changes the AES_GCM test back to perform both a encrypt and
decrypt. (This makes no logical sense since this is not an inverse cipher).
I have left the AES_ECB decrypt test in (although it may not be needed)
since it is actually testing the inverse cipher case.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15844)
2021-06-22 15:04:30 +10:00
Matt Caswell
38fc02a708 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15801)
2021-06-17 13:24:59 +01:00
Dr. David von Oheimb
ab9d67efa4 HTTP client: fix use of OSSL_HTTP_adapt_proxy(), which is needed also in cmp.c
For this reason, export this function, which allows removing http_local.h

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15764)
2021-06-16 14:36:01 +01:00
Dr. David von Oheimb
eefdb8e013 X509_digest_sig(): Improve default hash for EdDSA and allow to return the chosen default
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15762)
2021-06-16 14:30:35 +01:00
Pauli
6920055ec3 doc: document the various get_cipher functions in the commands lib.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15747)
2021-06-16 18:32:30 +10:00
Shane Lontis
1941684daf Add missing migration_guide API mappings.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15732)
2021-06-16 15:06:45 +10:00
Matt Caswell
599429e09a Add documentation for the newly added OBJ up calls
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15681)
2021-06-16 15:04:50 +10:00
Pauli
b88a3b1016 doc: finish the provider child up call documentation
The bulk of the documentation was there but it wasn't quite complete.

Fixes #15678

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15734)
2021-06-16 14:51:27 +10:00
Dmitry Belyavskiy
4832560be3 Disabling Encrypt-then-MAC extension in s_client/s_server
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15735)
2021-06-15 22:14:34 +02:00
Hubert Kario
04fb4ec8fa s_server: make -rev option easier to find (mention echo)
Since the service is echo-like (see TCP port 7 from RFC 862 or
gnutls-serv --echo), make it easier to find by mentioning "echo" in
the description of it in the help message an man page

Also fixes the man page inconsistency ("sends it back to the server")

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15739)
2021-06-15 15:16:15 +02:00
Rich Salz
5bbe213418 Remove "-immedate_renegotiation" option
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15415)
2021-06-15 12:36:51 +02:00
Pauli
81743ed9d7 spkac: document -digest option
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15687)
2021-06-15 18:26:34 +10:00
Dr. David von Oheimb
8ccbf00d17 Rename OSSL_HTTP_set_request() to OSSL_HTTP_set1_request() for clarity
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15697)
2021-06-11 14:41:20 +02:00
Dr. David von Oheimb
95c0b295de HTTP client: Fix GET request handling when rctx is reused (keep-alive)
This also updates the documentation of OSSL_HTTP_REQ_CTX_set1_req().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15697)
2021-06-11 14:41:20 +02:00
William Edmisten
8c5bff2220 Add support for ISO 8601 datetime format
Fixes #5430

Added the configuration file option "date_opt" to the openssl applications ca,
crl and x509.
Added ASN1_TIME_print_ex which supports the new datetime format using the
flag ASN1_DTFLGS_ISO8601

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14384)
2021-06-11 12:39:46 +02:00
Tomas Mraz
20778ea7da BIO_write_ex: No error only on 0 bytes to write
Fixes #15682

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15672)
2021-06-11 09:51:14 +02:00
Todd Short
baa47ad3b1 Fix FIPS provider value in docs
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15676)
2021-06-11 09:36:41 +02:00
Richard Levitte
6309b799e9 STORE: Make OSSL_STORE_LOADER_fetch() consistent with all other fetch functions
The argument order was different on this one.

Fixes #15688

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15689)
2021-06-11 09:09:21 +02:00
Tomas Mraz
b19fcc66d3 Document that provider name can be a full path
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15680)
2021-06-11 08:52:26 +10:00
Petr Gotthard
586820831a doc: fix OSSL_PARAM_BLD pointers in the example
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15663)
2021-06-10 22:10:26 +10:00
Arran Cudbard-Bell
726f92e016 Enable ssl-trace by default
There doesn't appear to be a good reason to omit protocol message tracing by default.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15665)
2021-06-10 09:42:12 +01:00
Todd Short
25959e04c3 Optimize session cache flushing
Sort SSL_SESSION structures by timeout in the linked list.
Iterate over the linked list for timeout, stopping when no more
session can be flushed.
Do SSL_SESSION_free() outside of SSL_CTX lock
Update timeout upon use

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8687)
2021-06-10 18:32:25 +10:00
Richard Levitte
5ac6d7d21b APPS: Restore the possibility to combine -pubout with -text
This applies to the 'openssl pkey' command.

Fixes #15645

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15658)
2021-06-10 08:34:09 +02:00
Richard Levitte
6a2b8ff392 Decoding PKCS#8: separate decoding of encrypted and unencrypted PKCS#8
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.

The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentativaly run further down the call chain.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
2021-06-09 17:00:10 +02:00
Pauli
95c8a51252 doc: add PKEY life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:59:25 +10:00
Pauli
75653c100f doc: build changes for PKEY life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:56:53 +10:00
Pauli
dbf021c20e doc: add build info for cipher life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:56:53 +10:00
Pauli
b1307e9421 doc: add references to cipher life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:56:53 +10:00
Pauli
c0fc3fe349 doc: add cipher life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:56:53 +10:00
Pauli
e748b4fbae doc: improve the cipher life cycle diagram
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
7f0dc8da7d doc: remove empty section
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
8809fdff93 doc: add references to digest life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
7b9e236177 doc: add digest life cycle documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
618523e728 doc: add digest lifecycle diagram
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Pauli
e4d69413c2 life-cycles: update digest state table
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15637)
2021-06-08 18:55:32 +10:00
Tomas Mraz
fccf3dcef4 X509_digest_sig: Handle RSA-PSS and EDDSA certificates
Identify digest from sigalg params for RSA-PSS and fallback
to SHA-256 for EDDSA.

Fixes #15477

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15618)
2021-06-08 09:20:15 +02:00
Dr. David von Oheimb
f9ac6f6956 Improve the documentation of cert path building and validation
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
2021-06-08 07:47:41 +02:00
Dr. David von Oheimb
2576b9c31c X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13735)
2021-06-08 07:47:18 +02:00
Dr. David von Oheimb
5d43bfa7d5 BIO_write-ex(): Improve behavior in corner cases and documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15608)
2021-06-08 15:17:11 +10:00
Shane Lontis
f41fd10d90 Add a gettable for provider ciphers to return the EVP_CIPH_RAND_KEY flag
Fixes #15531

DES and TDES set this flag which could possibly be used by applications.
The gettable cipher param OSSL_CIPHER_PARAM_HAS_RAND_KEY has been added.

Note that EVP_CIPHER_CTX_rand_key() uses this flag.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15606)
2021-06-08 15:16:06 +10:00
Shane Lontis
5135a9bd92 Document missing EC/SM2 params
Fixes #15548

Document OSSL_PKEY_PARAM_EC_PUB_X, OSSL_PKEY_PARAM_EC_PUB_Y and OSSL_PKEY_PARAM_DEFAULT_DIGEST
Added a section related to parameters for SM2.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15601)
2021-06-08 15:15:01 +10:00
Pauli
0ebef5b509 doc: update generated image files
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15616)
2021-06-06 10:26:03 +10:00
Pauli
ee96d128d0 doc: update Graphviz images to have a transparent background
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15616)
2021-06-06 10:26:03 +10:00
Richard Levitte
e982e04f5d ENCODER: use property definitions instead of getting implementation parameters
The OSSL_ENCODER library used to ask each encoder implementation for
certain data in form of parameters to place them correctly in the
encoder chain, if at all.  These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.

Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
2021-06-05 20:30:47 +10:00
Richard Levitte
73c02a6201 ENCODER: Drop OSSL_ENCODER_PARAM_INPUT_TYPE
This was a poor substitute for using the name of the decoder implementation,
and since there is functionality to get the latter now, this parameter
can be dropped.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
2021-06-05 20:30:47 +10:00
Richard Levitte
9379bf943a DECODER: use property definitions instead of getting implementation parameters
The OSSL_DECODER library used to ask each decoder implementation for
certain data in form of parameters to place them correctly in the
decoder chain, if at all.  These parameters were duplicates of
properties of those same implementations, and therefore unnecessarily
redundant.

Now that we have functionality to query property definition values,
those duplicates are no longer needed, and are therefore not looked at
any more.

This adds the "global" error reason ERR_R_INVALID_PROPERTY_DEFINITION,
which can be re-used elsewhere.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15570)
2021-06-05 20:30:11 +10:00
Matt Caswell
3d9d1ce529 Add documentation for newly added ASN1 functions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:27 +10:00
Matt Caswell
dea2878fac Teach more of the ASN.1 code about libctx/propq
Make sure we pass libctx/propq down to all the layers so that objects that
are created during parsing have the right values. Then use this new
capability for PKCS7.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
2021-06-05 17:39:10 +10:00
Pauli
d11e555082 doc: fix OSSL_(EN|DE)CODER_get0_name function names
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)
2021-06-02 20:45:51 +10:00
Pauli
6ea964cd4a doc: make XXX_get_number() internal
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)
2021-06-02 20:45:39 +10:00
Pauli
c768893e7d doc: move XXX_get_number() documentation to internal
These functions are effectively useless for users outside of libcrypto.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15564)
2021-06-02 20:45:39 +10:00
Tomas Mraz
b3c2ed7043 Add NCONF_get_section_names()
And a few additional fixups to make the no-deprecated configuration
to build.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15466)
2021-06-02 12:40:02 +10:00
Rich Salz
6b750b89ee Add NCONF_get0_libctx()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15466)
2021-06-02 12:40:02 +10:00
Tomas Mraz
31b7f23d2f Add documentation of the old names kept as alias macros
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-06-01 12:43:57 +02:00
Tomas Mraz
c4e9167437 Rename also the OSSL_PROVIDER_name() function
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-06-01 12:43:57 +02:00
Tomas Mraz
ed576acdf5 Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.

Fixes #15236

Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-06-01 12:40:00 +02:00
Jon Spillett
169eca602c Enhance the encoder/decoder tests to allow testing with a non-default library context and configurable providers
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
2021-06-01 12:16:27 +02:00
Pauli
528685fe77 rand: use size_t for size argument to RAND_bytes_ex()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15540)
2021-06-01 18:13:36 +10:00
Shane Lontis
9ff4b7b0c7 Migration guide updates for flags and controls.
Provided a section that links to the ctrl/flags mappings to parameters
for digests and ciphers.

Added "EVP_CIPHER_CTX_set_flags() ordering" to changes section.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
2021-06-01 15:22:30 +10:00
Shane Lontis
7f9537d57a Document Settable EVP_CIPHER_CTX parameter "use-bits"
Added docs for EVP_CIPHER_CTX_set_flags(),
EVP_CIPHER_CTX_clear_flags() and EVP_CIPHER_CTX_test_flags().

Added section for "FLAGS" to show parameter mappings.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
2021-06-01 15:22:30 +10:00
Matt Caswell
3bcc933ec4 Teach EVP_PKEYs to say whether they were decoded from explicit params
Currently we explicitly downgrade an EVP_PKEY to an EC_KEY and ask
the EC_KEY directly whether it was decoded from explicit parameters or not.
Instead we teach EVP_PKEYs to respond to a new parameter for this purpose.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15526)
2021-05-31 09:23:39 +10:00
Shane Lontis
f505161e62 Fix PKCS7_verify to not have an error stack if it succeeds.
Revert a change in behavior to BIO_write(). If a NULL BIO
is passed, no error is raised and the return value is 0. There are
many places where the return code from the write was not checked,
resulting in an error stack with no error status being returned.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15493)
2021-05-31 08:45:58 +10:00
Pauli
e587bccdf9 doc: document the strength arugments to the RNG functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15513)
2021-05-29 17:17:12 +10:00
Dr. David von Oheimb
a7014122ac BIO_s_accept.pod: Add missing documentation for BIO_{get,set}_accept_ip_family()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Dr. David von Oheimb
f4706b165a apps/ocsp: Allow -port 0
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Dr. David von Oheimb
d318fc9545 DOC: Slightly improve the documentation of BIO_lookup() and related functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15417)
2021-05-29 07:47:03 +02:00
Shane Lontis
b9098d4edd Add Docs for EVP_CIPHER-*
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
2021-05-28 14:29:13 +02:00
Shane Lontis
97aede6846 EVP_CIPHER Documentation updates
EVP_EncryptInit.pod now follows the pattern used in EVP_DigestInit.pod.
i.e.
'=item' is used for methods
PARAMETERS and CONTROLS sections have been added.

The PARAMETERS list has been moved from provider-cipher.pod (this file just
has a link now).
Missing fields were updated.

The CONTROLS shows the mappings to OSSL_PARAM keys.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15416)
2021-05-28 14:28:44 +02:00
Tommy Chiang
6c014da0b2 Fix typo about SSL_CONF_FLAG_CMDLINE
change SSL_CONF_CMDLINE to SSL_CONF_FLAG_CMDLINE
CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15489)
2021-05-28 11:20:20 +02:00
Rich Salz
3e3ad3c548 Fix issues found by md-nits
Fixes #15460

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15461)
2021-05-28 11:14:46 +02:00
David Makepeace
6bf3692d31 Fix doc typos.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15483)
2021-05-28 14:03:36 +10:00
Dr. David von Oheimb
8b893c35da APPS req: Extend the -keyout option to be respected also with -key
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
2021-05-27 11:06:01 +02:00
Dr. David von Oheimb
54e8f7259b DOC: Improve description of 'req' app: -new, -newkey, and -keyout options
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13715)
2021-05-27 11:06:01 +02:00
Shane Lontis
3257179b7a Fix spelling mistake in d2i_PrivateKey.pod
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15423)
2021-05-27 18:51:36 +10:00
Tomas Mraz
0800318a0c Deprecate old style BIO callback calls
New style BIO_debug_callback_ex() function added to provide
replacement for BIO_debug_callback().

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15440)
2021-05-26 17:18:34 +02:00
Pauli
edc9ce8ef4 doc: document the MAC block size getter
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15427)
2021-05-25 17:23:50 +10:00
Shane Lontis
2abffec0f0 Add fipsinstall option to run self test KATS on module load
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15149)
2021-05-25 14:57:48 +10:00
Richard Levitte
3c9f992aa0 DOCS: Don't mention internal functions in public documentation
This time noticed in OSSL_trace_set_channel.pod, and it turned out to
be easy to mention the public functions affected instead.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15422)
2021-05-25 10:24:57 +10:00
Jon Spillett
8bb6fdfc99 Added PKCS5_PBE_keyivgen_ex() to allow PBKDF1 algorithms to be fetched for a specific library context
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14326)
2021-05-24 15:21:25 +10:00
Jon Spillett
0f183675b8 Add PBKDF1 to the legacy provider
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14326)
2021-05-24 15:21:25 +10:00
Pauli
bca0ffe8b3 doc: update core_thread_start() documentation
It is now passed an arugment to pass to the callback

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15278)
2021-05-24 09:39:15 +10:00
Dr. David von Oheimb
5771017d06 apps/cms.c: Correct -sign output and -verify input with -binary
Also add related warnings on irrelevant use of -nodetach and -content options.

Fixes #15347

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15358)
2021-05-22 14:28:51 +02:00
Robbie Harwood
84faea44e6 Fix upgrading docs for RSA_private_encrypt/RSA_public_decrypt
Despite the name, these functions manipulate signatures, which means
that their replacements are the EVP_PKEY_sign/EVP_PKEY_verify family.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15359)
2021-05-22 12:18:14 +02:00
Pauli
f90040f805 doc: process images when installing
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
2021-05-22 15:33:53 +10:00
Pauli
1d95931d56 doc: rereference img locations into subdirectory
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
2021-05-22 15:33:53 +10:00
Pauli
810d2354c1 doc: move images into their own subdirectory
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15399)
2021-05-22 15:33:53 +10:00
Richard Levitte
0491691342 DOCS: Fixups of the migration guide and the FIPS module manual
The markup needed a few touch-ups

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15377)
2021-05-21 15:01:47 +02:00
Matt Caswell
d2f82495a2 Cleanup the missing*.txt files
One macro existed that was added since 1.1.1 and was undocumented. This
had been added to missingmacro.txt. This is the wrong approach and so
has been removed from there.

There were some entries in missingcrypto.txt that don't exist as functions
at all. There were also some which were in fact documented.

Additionally 2 entries from missingcrypto.txt have been moved to
missingmacro.txt. These entries existed in 1.1.1 and were undocumented. In
master they have been deprecated and compatibility macros for them
implemented. The replacement functions have been documented.

An entry in missingcrypto111.txt was not in alphabetical order (and was
also) duplicated, but the equivalent entry in missingcrypto.txt was in the
correct place. This has been corrected to make comparisons between the files
easier.

Finally a function has been added to missingcrypto111.txt. This function
did exist in 1.1.1 and was undocumented. Its unclear why this wasn't in
missingcrypto111.txt to start with.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15333)
2021-05-21 11:03:37 +02:00
Dr. David von Oheimb
8a196fe228 BIO_s_accept.pod: Document port auto-selection feature of BIO_set_accept_port()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15354)
2021-05-21 10:06:35 +10:00
Dr. David von Oheimb
1202103583 EVP_DigestSignInit.pod: Clarification in EVP_DigestSignFinal() parameter 'sig'
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15354)
2021-05-21 10:06:35 +10:00
Dr. David von Oheimb
340cf8759f apps/cms: Clean up order of options in help output and documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15126)
2021-05-20 16:31:30 +02:00
Dr. David von Oheimb
359efeac3f DOC: Fix nits found by new check on SYNOPSIS and OPTIONS consistency
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15299)
2021-05-20 16:24:43 +02:00
Dr. David von Oheimb
9c1582807b find-doc-nits: Check that man1 SYNOPSIS and OPTIONS contain same options
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15299)
2021-05-20 16:24:43 +02:00
Matt Caswell
0789c7d834 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15381)
2021-05-20 14:22:33 +01:00
Pauli
e0113b79f2 app: add a -store_loaders option to list.
Fixes #15307

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15323)
2021-05-20 09:57:44 +01:00
Matt Caswell
b195677073 Update documentation for global properties mirroring
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
2021-05-20 09:35:41 +01:00
Matt Caswell
366bf9aedb Documentation updates for mirroring of global properties
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15242)
2021-05-20 09:35:41 +01:00
Shane Lontis
b7140b0604 Add migration guide for 3.0
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14710)
2021-05-20 08:44:08 +01:00
Benjamin Kaduk
6e495312fd Update SSL_new_session_ticket() manual for triggered send
Document the recently added functionality.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14817)
2021-05-19 14:56:08 -07:00
Dr. David von Oheimb
e34e91d7e5 danetest.c: Improve code formatting
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
2021-05-19 20:15:26 +02:00
Dr. David von Oheimb
d6bf19a465 X509_STORE_CTX_get1_issuer(): Simplify code, reducing risk of failure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14422)
2021-05-19 20:15:26 +02:00
Richard Levitte
dd05c7938d build.info: Make it possible to set attributes on SOURCE / SHARED_SOURCE stmts
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15332)
2021-05-19 19:03:16 +02:00
Tomas Mraz
b41ebb991e speed: Document the deficiencies of the command
Fixes #7032

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15330)
2021-05-19 16:03:28 +02:00
Dr. David von Oheimb
25fad2ece8 apps/list: Remove obsolete -missing-help option
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15329)
2021-05-19 14:13:12 +02:00
Dr. David von Oheimb
7c701c590d Make SMIME_read_CMS_ex() and SMIME_read_ASN1_ex() support binary input
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12959)
2021-05-19 09:23:30 +02:00
Dr. David von Oheimb
184238794f bio_lib: Add BIO_get_line, correct doc of BIO_gets
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12959)
2021-05-19 09:23:30 +02:00
Rich Salz
e53ad1d8f2 Remove '=for openssl ifdef'
No longer needed after rewrite of cmd-nits

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15311)
2021-05-19 10:34:43 +10:00
Dr. David von Oheimb
78c44e4f81 DOC: Fix nits found by improved find-doc-nits -c
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15298)
2021-05-18 13:02:41 +02:00
Dr. David von Oheimb
8a28134104 openssl-dsa.pod.in: Fix glitch: pvk-string -> pvk-strong
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15298)
2021-05-18 13:02:23 +02:00
Dr. David von Oheimb
f2431fe7df find-doc-nits: Make -c option (cmd-nits) independent of app build and execution
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15298)
2021-05-18 13:02:23 +02:00
Dr. David von Oheimb
80a4ac5783 apps/s_server: Add -proxy and -no_proxy options
Strongly related to feature request #6965

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15245)
2021-05-18 11:08:10 +02:00
Dr. David von Oheimb
88d96983d8 apps/ocsp: Add -proxy and -no_proxy options
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15245)
2021-05-18 11:08:10 +02:00
Rich Salz
7d72dc78ee Add -quiet flag to genpkey
Picking up late suggestions to PR #6909 by Philip Prindeville
<philipp@redfish-solutions.com>.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15249)
2021-05-18 09:20:26 +02:00
Rich Salz
55373bfd41 Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION
Add -client_renegotiation flag support.  The -client_renegotiation flag is
equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app,
the config code, and the documentation.

Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to
always enable it, but there are so many tests so this is the easiest thing
to do.

Add a test where client tries to renegotiate and it fails as expected. Add
a test where server tries to renegotiate and it succeeds. The second test
is supported by a new flag, -immediate_renegotiation, which is ignored on
the client.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15184)
2021-05-17 10:53:30 +02:00
Shane Lontis
f2ceefc3f9 Add doc for ERR_clear_last_mark().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15258)
2021-05-17 09:32:58 +10:00
Shane Lontis
00b8706c71 Fix OSSL_DECODER_new_for_pkey() selection parameter documentation
Fixes #14518

EVP_PKEY_fromdata() already defines this value so we link to this
documentation, 0 is also added as a possible input value.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15260)
2021-05-17 09:29:29 +10:00
Benjamin Kaduk
aa6bd216dd Promote SSL_get_negotiated_group() for non-TLSv1.3
It can be useful to know what group was used for the handshake's
key exchange process even on non-TLS 1.3 connections.  Allow this
API, new in OpenSSL 3.0.0, to be used on other TLS versions as well.
Since pre-TLS-1.3 key exchange occurs only on full handshakes, this
necessitates adding a field to the SSL_SESSION object to carry the
group information across resumptions.  The key exchange group in the
SSL_SESSION can also be relevant in TLS 1.3 when the resumption handshake
uses the "psk_ke" key-exchange mode, so also track whether a fresh key
exchange was done for TLS 1.3.

Since the new field is optional in the ASN.1 sense, there is no need
to increment SSL_SESSION_ASN1_VERSION (which incurs strong incompatibility
churn).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14750)
2021-05-15 15:09:07 -07:00
Matt Caswell
36a89c0439 Init the child providers immediately on creation of the child libctx
We were deferring the initial creation of the child providers until the
first fetch. This is a carry over from an earlier iteration of the child
lib ctx development and is no longer necessary. In fact we need to init
the child providers immediately otherwise not all providers quite init
correctly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15270)
2021-05-15 10:33:42 +01:00
Pauli
af3521656d doc: document all functions in provider-base(7)
Fixes #13358

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15259)
2021-05-15 11:49:20 +10:00
Dr. David von Oheimb
647a5dbf10 Add OSSL_ prefix to HTTP_DEFAULT_MAX_{LINE_LENGTH,RESP_LEN}
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
be799eb7a3 HTTP client: Allow streaming of response data (with possibly indefinite length)
Also clean up max_resp_len and add OSSL_HTTP_REQ_CTX_get_resp_len().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
8b5ca5111e HTTP client: Allow streaming of request data (for POST method)
Also clean up OSSL_HTTP_REQ_CTX_nbio() states and make it more efficient.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
829902879e HTTP client API: Generalize to arbitrary request and response contents
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
22fe2b1299 OSSL_HTTP_transfer(): Fix error reporting in case rctx->server is NULL
Also improve doc of OSSL_parse_url() and OSSL_HTTP_parse_url().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
19f97fe6f1 HTTP: Implement persistent connections (keep-alive)
Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.

For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.

If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.

This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
  OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.

Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.

Update the documentation and extend the tests accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Pauli
bbf5ccfd87 mac: improve MAC documentation (Poly 1305 key reuse, nomenclature)
Fixes #12441

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15237)
2021-05-14 22:24:00 +10:00
Rich Salz
f04bb0bce4 Slightly reformat ssl.h.in
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15230)
2021-05-14 09:59:49 +01:00
Rich Salz
56bd17830f Convert SSL_{CTX}_[gs]et_options to 64
Less tersely: converted SSL_get_options, SSL_set_options,
SSL_CTX_get_options and SSL_CTX_get_options to take and return uint64_t
since we were running out of 32 bits.

Fixes: 15145

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15230)
2021-05-14 09:59:38 +01:00
Pauli
3ba3e350fd doc: remove references to undepreciated commands being deprecated.
The dsa, ec, ecparam, and rsa manual pages refer to themselves are being
deprecated which they aren't.  Address this and add a note pointing to
the pkey command equivalents albeit without recommending it.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15239)
2021-05-13 21:52:43 +10:00
Tomas Mraz
e9fe0f7e9d Replace EVP_PKEY_supports_digest_nid
The EVP_PKEY_supports_digest_nid() is renamed to
EVP_PKEY_digestsign_supports_digest() and implemented
via EVP_DigestSignInit_ex().

Fixes #14343

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15198)
2021-05-13 13:19:39 +02:00
Dmitry Belyavskiy
4639772523 clarification about the DES status
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15197)
2021-05-13 12:24:10 +02:00
Dmitry Belyavskiy
6581b17ded Enumerating the legacy provider's cipher algorithms
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15197)
2021-05-13 12:24:10 +02:00
Dr. David von Oheimb
7f24110a00 EVP_PKEY-X25519.pod: Correct EVP_PKEY_Q_keygen function name in example
fixup for #14695: Add convenience functions and macros for asymmetric key generation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15226)
2021-05-13 11:56:47 +10:00
Rich Salz
36c5bb1aff Fix cut/paste (?) error.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15232)
2021-05-13 11:18:27 +10:00
Shane Lontis
b98f752ec3 Export/import flags for FFC params changed to seperate fields.
An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was
not handled by the export/import since the flags were done as string combinations.
To keep this consistent with other object flags they are now passed as seperate OSSL_PARAM fields.

Fixes 'no-cached-fetch' build which uses export/import.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15210)
2021-05-13 09:49:18 +10:00
Dr. David von Oheimb
8f965908a5 HTTP client: Minimal changes that include the improved API
This is a minimal version of pull request #15053 including all the
proposed improvements to the HTTP client API and its documentation
but only those code adaptations strictly needed for it.

The proposed new features include
* support for persistent connections (keep-alive),
* generalization to arbitrary request and response types, and
* support for streaming BIOs for request and response data.

The related API changes include:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
  OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15147)
2021-05-12 15:11:51 +02:00
Dr. David von Oheimb
4329f361ce Add ASN1_item_i2d_mem_bio(); document and improve also ASN1_item_d2i_bio()
ASN1_item_d2i_bio(): Do not report errors in queue on BIO input being NULL

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15147)
2021-05-12 15:04:01 +02:00
Pauli
b337741372 doc: document the encoder and decoder name functions
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15211)
2021-05-12 18:40:57 +10:00
EasySec
8975b76efa use LHASH_OF(TYPE) macro to make the example consistent with the declaration in ssl.h
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11481)
2021-05-12 14:50:15 +10:00
Matt Caswell
878be71c2d Update documentation following addition of OSSL_LIB_CTX_new_child()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
2021-05-11 15:03:13 +01:00
Matt Caswell
f12a5690de Add the concept of a child OSSL_LIB_CTX
Add a child OSSL_LIB_CTX that will mirror the providers loaded into the
parent libctx. This is useful for providers that want to use algorithms
from other providers and just need to inherit the providers used by the
application.

Fixes #14925

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14991)
2021-05-11 14:56:55 +01:00
Dr. David von Oheimb
56784203ec Constify EVP_PKEY_CTX_set_params(), EVP_PKEY_CTX_{set,get}table_params(), etc.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14695)
2021-05-11 12:46:42 +02:00
Dr. David von Oheimb
f925315203 Add convenience functions and macros for asymmetric key generation
Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen().
Also export auxiliary function OSSL_EC_curve_nid2name()
and improve deprecation info on RSA and EC key generation/management functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14695)
2021-05-11 12:46:42 +02:00
Michael Richardson
f60e35d01e reduce surprise in choice of CASE/String/STRING by allowing all inputs to be in any case
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14877)
2021-05-11 19:09:45 +10:00
Dr. David von Oheimb
4d49b68504 Crypto: Add deprecation compatibility declarations for SHA* message digest functions
Also add hints to SHA256_Init.pod and CHANGES.md how to replace SHA256() etc.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14741)
2021-05-08 14:41:36 +02:00
Dr. David von Oheimb
0a8a6afdfb Add quick one-shot EVP_Q_mac() and deprecation compensation decls for MAC functions
This helps compensating for deprecated functions such as HMAC()
and reduces clutter in the crypto lib, apps, and tests.
Also fixes memory leaks in generate_cookie_callback() of apps/lib/s_cb.c.
and replaces 'B<...>' by 'I<...>' where appropriate in HMAC.pod

Partially fixes #14628.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14664)
2021-05-08 14:35:03 +02:00
Dr. David von Oheimb
bea31afef0 DOC: Fix all wrong occurrences of '<propq>' to 'I<propq>'
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14664)
2021-05-08 14:32:43 +02:00
Pauli
0f4fb64785 apps/mac: Add digest and cipher command line options
Add -cipher and -digest as short forms of -macopt cipher: and -macopt digest:
respectively.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15189)
2021-05-08 22:15:56 +10:00
Pauli
a1230dea4d apps: add mac, cipher and digest arguments to the kdf applet.
This adds -digest, -mac and -cipher which correspond to -kdfopt digest: and
-kdfopt mac: and -kdfopt cipher: respectively.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15190)
2021-05-08 22:13:49 +10:00
Scott McPeak
531df8185f BIO_printf.pod: Clarify that output is always null terminated.
The original text was ambiguous about termination for errors other
than insufficient space.  See issue #14772.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15000)
2021-05-08 15:02:34 +10:00
Pauli
2876528de5 doc: document the new ossl_provider_clear_all_operation_bits() function
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15042)
2021-05-07 23:53:18 +10:00
Tomas Mraz
c9f18e5990 Unify parameter types in documentation
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15178)
2021-05-07 15:40:56 +02:00
Jon Spillett
592ea4ba94 Fixes #15070. Allow custom algorithm ID ASN.1 encoding for provided ciphers
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15130)
2021-05-07 11:00:54 +02:00
Matt Caswell
aff636a489 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15181)
2021-05-06 13:03:23 +01:00
Tomas Mraz
bee3f38905 Document the behavior of the -inform and related options
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
2021-05-06 11:43:32 +01:00
Tomas Mraz
3d1becd42a provider-storemgmt: Document the input-type and properties parameters.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
2021-05-06 11:43:32 +01:00
Tomas Mraz
d382e79632 Make the -inform option to be respected if possible
Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be
set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called.

The input type format is enforced only in case the file
type file store is used.

By default we use FORMAT_UNDEF meaning the input type
is not enforced.

Fixes #14569

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15100)
2021-05-06 11:43:32 +01:00
EasySec
b86fa8c556 try to document changes in salt handling for the 'enc' command
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4486)
2021-05-06 11:24:30 +01:00
Dr. David von Oheimb
a07b0bfb99 Deprecate X509{,_CRL}_http_nbio() and simplify their definition
This is done by making use of OCSP_REQ_CTX_nbio_d2i().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15131)
2021-05-05 20:50:15 +02:00
Dr. David von Oheimb
b0f960189b APPS: Replace 'OPT_ERR = -1, OPT_EOF = 0, OPT_HELP' by OPT_COMMON macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)
2021-05-05 20:48:20 +02:00
Dr. David von Oheimb
284076982d APPS: Slightly extend and improve documentation of the opt_ API
Also remove redundant opt_name() and make names of opt_{i,u}ntmax() consistent.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15111)
2021-05-05 20:48:20 +02:00
Benjamin Kaduk
cbbbc8fce4 Correct ssl_conf logic for "legacy_server_connect"
This option is only useful for the client, but it was previously
marked as only being applicable for servers.

Correct the entry to properly mark it as client-only, and update the
s_server/s_client manuals accordingly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)
2021-05-05 08:13:51 -07:00
Benjamin Kaduk
72d2670bd2 Enforce secure renegotiation support by default
Previously we would set SSL_OP_LEGACY_SERVER_CONNECT by default in
SSL_CTX_new(), to allow connections to legacy servers that did not
implement RFC 5746.

It has been more than a decade since RFC 5746 was published, so
there has been plenty of time for implmentation support to roll out.

Change the default behavior to be to require peers to support
secure renegotiation.  Existing applications that already cleared
SSL_OP_LEGACY_SERVER_CONNECT will see no behavior change, as
re-clearing the flag is just a little bit of redundant work.
The old behavior is still available by explicitly setting the flag
in the application.

Also remove SSL_OP_LEGACY_SERVER_CONNECT from SSL_OP_ALL, for
similar reasons.

Document the behavior change in CHANGES.md, and update the
SSL_CTX_set_options() and SSL_CONF_cmd manuals to reflect the change
in default behavior.

Fixes: 14848

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15127)
2021-05-05 08:13:51 -07:00
Pauli
f14a2c9d7a mac: update life-cycle description and diagrams to include finalXOF
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15061)
2021-05-05 22:11:04 +10:00
Pauli
a59c69724d doc: document EVP_MAC_finalXOF()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15061)
2021-05-05 22:11:04 +10:00
Rich Salz
f7050588bc Add .includedir pragma
Also add a negative test, and fix typo's.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15090)
2021-05-05 13:11:35 +02:00
Rich Salz
3fb985fd04 Allow absolute paths to be set
It was a mistake to allow relative paths for include files (just
like root shouldn't have "." in its PATH), but we probably can't
change it now. Add a new pragma "abspath" that someone can put
in the system-wide config file to require absolute paths.

Also update the config documentation to better explain how file
inclusion works.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15090)
2021-05-05 13:11:17 +02:00
Rich Salz
1127754e48 Note that dhparam does support X9.42
Fix other wording, too.

Fixes: #13151

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15038)
2021-05-05 18:09:49 +10:00
Richard Levitte
355e1f041c DOCS: Mention that libcrypto has helper functions for OSSL_PARAMs
Fixes #11165

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15073)
2021-05-05 09:29:08 +10:00
Dr. David von Oheimb
79a2bccdb0 HTTP client: Correct the use of optional proxy URL and its documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15104)
2021-05-04 18:27:57 +02:00
Dr. David von Oheimb
8b25b0eb99 BIO_eof() and OSSL_STORE_eof(): Make sure to return 1 on error; improve related doc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15029)
2021-05-04 18:16:56 +02:00
Dr. David von Oheimb
6e328484ab OSSL_STORE_expect(): Improve error handling and documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15029)
2021-05-04 18:16:48 +02:00
Dr. David von Oheimb
7031f5821c OCSP: Minor improvements of documentation and header file
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15103)
2021-05-04 18:14:24 +02:00
Matt Caswell
f9548d21ba Document the new core BIO public API support
Fixes #14409

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15072)
2021-05-04 12:00:21 +01:00
Hubert Kario
dd28d1c4d3 man: s_server: fix text repetition in -alpn description
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15099)
2021-05-01 17:53:24 +02:00
Rich Salz
f4407385f5 APPS: Document the core of the opt_ API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14995)
2021-05-01 13:11:49 +02:00
Shane Lontis
455f254252 Update OSSL_STORE_attach() documentation to indicate it increases the ref_count of the passed in bio
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15058)
2021-04-30 16:04:53 +10:00
Tomas Mraz
9ac653d81a Document the API breaking constification changes
The EVP_PKEY_asn1_set_public and EVP_PKEY_meth_set_copy have
some API breaking constification changes in 3.0.

Fixes #9296

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15068)
2021-04-30 11:06:47 +10:00
Pauli
c7d848e220 remove end of line whitespace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
2021-04-30 09:15:50 +10:00
Jon Spillett
b536880c45 Add library context and property query support into the PKCS12 API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
2021-04-30 09:15:50 +10:00
Dr. David von Oheimb
4189dc3782 CMS ESS: Move four internal aux function to where they belong in crypto/cms
Also constify and slightly refactor them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)
2021-04-28 14:10:47 +02:00
Dr. David von Oheimb
1751768cd1 ESS: Export three core functions, clean up TS and CMS CAdES-BES usage
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)
2021-04-28 14:10:45 +02:00
David Benjamin
cdf63a3736 Add X509 version constants.
The X509 version APIs return the numerical values of the version
numbers, which are one off from the names. This is a bit confusing.
Where they don't get it wrong (accidentally making an "X509v4"
certificate), callers tend to try commenting every call site to explain
the mismatch, including in OpenSSL itself.

Define constants for these values, so code can be self-documenting and
callers are nudged towards the right values.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14549)
2021-04-28 11:40:06 +02:00
Tomas Mraz
67ea4beb94 OPENSSL_sk functions are effectively already documented
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14728)
2021-04-28 11:19:34 +02:00
Tomas Mraz
5fd7eb5c8a Improve the implementation of X509_STORE_CTX_get1_issuer()
It is possible for the stack of X509_OBJECTs held in an X509_STORE_CTX to
have a custom compare function associated with it. Normally (by default)
this uses X509_NAME_cmp(). The X509_STORE_CTX_get1_issuer() function
assumed that it would always be X509_NAME_cmp().

By implementing OPENSSL_sk_find_all() function we can avoid explicitly
using X509_NAME_cmp() in X509_STORE_CTX_get1_issuer().

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14728)
2021-04-28 11:19:34 +02:00
Shane Lontis
c85c5e1a53 Deprecate EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters().
The replacement functions EVP_PKEY_eq() and EVP_PKEY_parameters_eq()
already exist.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14997)
2021-04-27 09:45:53 +10:00
Shane Lontis
990aa405db Doc updates for DH/DSA examples
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14936)
2021-04-27 09:36:49 +10:00
Shane Lontis
f1ffaaeece Fixes related to separation of DH and DHX types
Fix dh_rfc5114 option in genpkey.

Fixes #14145
Fixes #13956
Fixes #13952
Fixes #13871
Fixes #14054
Fixes #14444

Updated documentation for app to indicate what options are available for
DH and DHX keys.

DH and DHX now have different keymanager gen_set_params() methods.

Added CHANGES entry to indicate the breaking change.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14883)
2021-04-26 19:52:11 +02:00
Tomas Mraz
6c9bc258d2 Add type_name member to provided methods and use it
Fixes #14701

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14898)
2021-04-26 12:05:05 +02:00
Klaas van Schelven
d21224f1ad Documentation fix for openssl-verify certificates
`openssl verify` silently ignores any but the first certificate in the
`certificates` argument.

See #14675

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14754)
2021-04-26 11:38:22 +02:00
Dr. David von Oheimb
d830526c71 APPS: Improve diagnostics for string options and options expecting int >= 0
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14970)
2021-04-24 18:54:32 +02:00
Dr. David von Oheimb
75f036c6c5 BIO_s_connect.pod: Improve doc of BIO_set_conn_hostname() etc.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14967)
2021-04-22 20:40:24 +02:00
Rich Salz
078fa35c7b Remove an unused parameter
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14943)
2021-04-22 18:11:18 +02:00
Matt Caswell
f5afac4bda Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14986)
2021-04-22 14:38:44 +01:00
Dr. David von Oheimb
c0e724fcbe DOC: Clarify EVP_MAC_init() params vs. EVP_MAC_CTX_set_params()
Fixes #14855

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14937)
2021-04-21 14:12:54 +02:00
Richard Levitte
f99659535d ENCODER & DECODER: Allow decoder implementations to specify "carry on"
So far, decoder implementations would return true (1) for a successful
decode all the way, including what the callback it called returned,
and false (0) in all other cases.

This construction didn't allow to stop to decoding process on fatal
errors, nor to choose what to report in the provider code.

This is now changed so that decoders implementations are made to
return false only on errors that should stop the decoding process from
carrying on with other implementations, and return true for all other
cases, even if that didn't result in a constructed object (EVP_PKEY
for example), essentially making it OK to return "empty handed".

The success of the decoding process is now all about successfully
constructing the final object, rather than about the return value of
the decoding chain.  If no construction is attempted, the central
decoding processing code concludes that whatever the input consisted
of, it's not supported by the available decoder implementations.

Fixes #14423

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
2021-04-21 10:53:03 +02:00
Dr. David von Oheimb
1c0eede982 Improve ossl_cmp_build_cert_chain(); publish it as X509_build_chain()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14128)
2021-04-20 10:47:24 +02:00
Dr. David von Oheimb
16b8862d80 PKCS12 etc.: Add hints on using -legacy and -provider-path options
Fixes #14790

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14891)
2021-04-19 16:23:46 +02:00
Matt Caswell
978e323a4d Add the function OSSL_LIB_CTX_get0_global_default()
An API function for obtaining the global default lib ctx.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
2021-04-19 10:52:18 +01:00
Matt Caswell
92b20fb8f7 Change the semantics of OSSL_LIB_CTX_set0_default() NULL handling
Change things so that passing NULL to OSSL_LIB_CTX_set0_default() means
keep the current library context unchanged.

This has the advantage of simplifying error handling, e.g. you can call
OSSL_LIB_CTX_set0_default in an error/finalisation block safe in the
knowledge the if the "prevctx" was never set then it will be a no-op (like
calling a "free" function with NULL).

Fixes #14593

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
2021-04-19 10:50:29 +01:00
Tomas Mraz
185e1aa226 Add DHX FIPS 186-4 domain parameter validation example
Fixes #14369

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14896)
2021-04-19 09:30:02 +10:00
Rich Salz
f6c95e46c0 Add "origin" field to EVP_CIPHER, EVP_MD
Add a "where did this EVP_{CIPHER,MD} come from" flag: global, via fetch,
or via EVP_{CIPHER,MD}_meth_new.  Update EVP_{CIPHER,MD}_free to handle all
three origins. The flag is deliberately right before some function pointers,
so that compile-time failures (int/pointer) will occur, as opposed to
taking a bit in the existing "flags" field.  The "global variable" flag
is non-zero, so the default case of using OPENSSL_zalloc (for provider
ciphers), will do the right thing. Ref-counting is a no-op for
Make up_ref no-op for global MD and CIPHER objects

Deprecate EVP_MD_CTX_md().  Added EVP_MD_CTX_get0_md() (same semantics as
the deprecated function) and EVP_MD_CTX_get1_md().  Likewise, deprecate
EVP_CIPHER_CTX_cipher() in favor of EVP_CIPHER_CTX_get0_cipher(), and add
EVP_CIPHER_CTX_get1_CIPHER().

Refactor EVP_MD_free() and EVP_MD_meth_free() to call new common
evp_md_free_int() function.
Refactor EVP_CIPHER_free() and EVP_CIPHER_meth_free() to call new common
evp_cipher_free_int() function.

Also change some flags tests to explicit test == or != zero. E.g.,
        if (flags & x) --> if ((flags & x) != 0)
        if (!(flags & x)) --> if ((flags & x) == 0)
Only done for those lines where "get0_cipher" calls were made.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14193)
2021-04-18 10:03:07 +02:00
Pauli
e494fac705 Fix naming for EVP_RAND_CTX_gettable functions.
Change:

    EVP_RAND_gettable_ctx_params -> EVP_RAND_CTX_gettable_params
    EVP_RAND_settable_ctx_params -> EVP_RAND_CTX_settable_params

Which brings them in line with the other similar functions for other algorithm
types.

Fixes #14880

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14893)
2021-04-17 18:22:13 +10:00
Pauli
81cc5ce1a0 lifecycle: update master lifecycle transition spreadsheet fixing the ettable issue
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14867)
2021-04-16 17:59:25 +10:00
Pauli
ed34837807 lifecycle: correct [sg]ettable to [sg]et
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14867)
2021-04-16 17:59:25 +10:00
Shane Lontis
a732a4c329 Add EVP_PKEY_todata() and EVP_PKEY_export() functions.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14800)
2021-04-15 18:42:04 +02:00
Tomas Mraz
ddf0d149e2 Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name
We use type elsewhere and documenting the 'first' in the
name of the call is a little bit superfluous making the
name too mouthful.

Also rename EVP_PKEY_typenames_do_all to
EVP_PKEY_type_names_do_all to keep the words separated by
underscore.

Fixes #14701

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14868)
2021-04-15 17:38:19 +02:00
Tomas Mraz
85fcc3fb77 Remove keymgmt_copy function from the provider API
It is superceded by the keymgmt_dup.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)
2021-04-15 09:19:39 +02:00
Tomas Mraz
b4f447c038 Add selection support to the provider keymgmt_dup function
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)
2021-04-15 09:19:39 +02:00