2
0
mirror of https://github.com/openssl/openssl.git synced 2025-01-06 13:26:43 +08:00
Commit Graph

3088 Commits

Author SHA1 Message Date
Dr. David von Oheimb
d3d0784e41 Improve description of algorithm NIDs in doc/man3/OSSL_CMP_CTX_new.pod
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)
2020-05-13 19:42:00 +02:00
Dr. David von Oheimb
05f920db39 Reflect constifications of 62dcd2aa in doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)
2020-05-13 19:42:00 +02:00
Richard Levitte
6ab6ecfd6d OSSL_STORE: Make it possible to attach an OSSL_STORE to an opened BIO
This capability existed internally, and is now made public.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11756)
2020-05-13 18:51:14 +02:00
Richard Levitte
484c24c8d7 Remove explicit dependency on configdata.pm when processing .in files
For those files, the dependence on configdata.pm is automatic, adding
it explicitly only results in having that dependency twice.

Fixes 

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11790)
2020-05-13 10:14:53 +02:00
Beat Bolli
3f2a8d971a doc: fix two invalid <B> tags
Signed-off-by: Beat Bolli <dev@drbeat.li>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11759)
2020-05-10 09:51:08 -07:00
Dr. David von Oheimb
9253f8346a Constify 'req' parameter of OSSL_HTTP_post_asn1()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11736)
2020-05-09 16:57:08 +02:00
Pauli
8c30dfee3e doc: remove deprecation notes for apps that are staying.
The apps that are staying are: dhparam, dsa, dsaparam, ec, ecparam, gendsa and
rsa.

The rsautl app remains deprecated.

The -dsaparam option to dhparam also remains deprecated.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11575)
2020-05-09 09:44:20 +10:00
Nikolay Morozov
90fc2c26df SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11709)
2020-05-07 16:14:47 +03:00
Jakub Zelenka
2b5e12f509 Add documentation for CMS_EnvelopedData_create()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11529)
2020-05-07 10:55:57 +03:00
Shane Lontis
5e77b79a8c Remove gen_get_params & gen_gettable_params from keygen operation
EVP_PKEY_CTX_gettable_params() was missing code for the keygen operation.
After adding it it was noticed that it is probably not required for this type, so instead
the gen_get_params and gen_gettable_params have been remnoved from the provider interface.
gen_get_params was only implemented for ec to get the curve name. This seems redundant
since normally you would set parameters into the keygen_init() and then generate a key.
Normally you would expect to extract data from the key - not the object that we just set up
to do the keygen.

Added a simple settable and gettable test into a test that does keygen.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11683)
2020-05-07 15:31:05 +10:00
Christian Heimes
6763f9c7e6 Use fips=yes consistently in documentation
The documentation for ``EVP_default_properties_is_fips_enabled()`` uses
``fips=yes`` in one place and ``fips=true`` in another place. Stick to
``fips=yes`` like everywhere else.

Signed-off-by: Christian Heimes <christian@python.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11723)
2020-05-05 18:27:36 +02:00
Dr. David von Oheimb
278260bfa2 Strengthen X509_STORE_CTX_print_verify_cb() to print expected host etc.
Add X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(),
and X509_VERIFY_PARAM_get1_ip_asc() to support this,
as well as the internal helper function ipaddr_to_asc(), which
is used also for simplifying other IP address output functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11693)
2020-05-05 10:27:28 +02:00
Kurt Roeckx
e307e616f2 Improve SSL_shutdown documentation.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11531)
2020-05-05 06:31:27 +02:00
Matt Caswell
b756626a37 Allow OSSL_PARAM_get_octet_string() to pass a NULL buffer
We may just want to know the number of octets so allow passing a NULL
buffer.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11635)
2020-05-04 09:30:55 +01:00
Matt Caswell
2b1bc78acc Document the new raw private/public key functions
Document the newly added EVP_PKEY_new_raw_private_key_with_libctx and
EVP_PKEY_new_raw_public_key_with_libctx functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11635)
2020-05-04 09:30:55 +01:00
Shane Lontis
e0624f0d70 Add default property API's to enable and test for fips
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11239)
2020-05-02 14:17:54 +10:00
Benjamin Kaduk
3bfacb5fd4 Add SSL_new_session_ticket() API
This API requests that the TLS stack generate a (TLS 1.3)
NewSessionTicket message the next time it is safe to do so (i.e., we do
not have other data pending write, which could be mid-record).  For
efficiency, defer actually generating/writing the ticket until there
is other data to write, to avoid producing server-to-client traffic when
not needed.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11416)
2020-05-01 15:10:11 -07:00
Pauli
588d5d01fe Undeprecate DH, DSA and RSA _bits() functions.
These were deemed information and useful and that they should not be
deprecated.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11669)
2020-04-30 14:51:37 +10:00
Shourya Shukla
a6ed19dc9a Amend references to "OpenSSL license"
A small number of files contain references to the "OpenSSL license"
which has been deprecated and replaced by the "Apache License 2.0".
Amend the occurences.

Fixes 

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11663)
2020-04-29 15:27:22 +02:00
opensignature
5e427a435b Update EVP_PKEY_fromdata.pod
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11660)
2020-04-29 10:49:59 +02:00
Sebastian Andrzej Siewior
af0d413654 doc: Random spellchecking
A little spell checking.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11644)
2020-04-28 09:06:04 +10:00
Pauli
3873887e89 params: change OSSL_PARAM_set_unmodified() to operate on a params array
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11601)
2020-04-25 18:46:32 +10:00
David von Oheimb
9d5aca6553 Add function load_csr(file,format,desc) to apps/lib/apps.c
Make use of new load_csr() in 'ca', 'req', and 'x509' app
Add '-inform' and '-certform' option to 'ca' app
Add 'desc' parameter to load_crl() function defined in apps/lib/apps.c
Allow 'desc' parameter to be NULL (gives option to suppress error output)

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/4940)
2020-04-24 18:00:24 +02:00
Rich Salz
852c2ed260 In OpenSSL builds, declare STACK for datatypes ...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.

Deprecate stack-of-block

Better documentation

Move some ASN1 struct typedefs to types.h

Update ParseC to handle this.  Most of all, ParseC needed to be more
consistent.  The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns.  There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669)
2020-04-24 16:42:46 +02:00
Rich Salz
2b9bafe607 Rewrite man5/config.pod and related conf code cleanup
The manpage is basically rewritten.  Use consistent name/value
terminology. Use consistent phraseology to refer to section pointers
and lists of section pointers. Add more cross-references.

Also found a bunch of trivial style things in conf_api.c while
investigating how config works.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11431)
2020-04-24 13:29:16 +02:00
Rich Salz
c16aec5246 SSL_CTX_config.pod: Remove needless "NOTE" heading
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11431)
2020-04-24 13:28:50 +02:00
Rich Salz
1cd2c1f857 Update some nits around the FIPS module
- Changed the generated FIPS signature file to be "fipsmodule.conf"
since it contains information about the FIPS module/file.
- Add -q option to fipsinstall command, to stop chatty verbose status
messages.
- Document env var OPENSSL_CONF_INCLUDE

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11177)
2020-04-24 13:19:16 +02:00
Matt Caswell
33388b44b6 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
2020-04-23 13:55:52 +01:00
Richard Levitte
1a7328c882 PROV: Ensure that ED25519 & ED448 keys have a mandatory digest
This adds handling of the parameter "mandatory-digest" and responds
with an empty string, meaning that no digest may be used.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11576)
2020-04-23 10:44:37 +01:00
Richard Levitte
3b924da0f0 EVP: add internal evp_keymgmt_util_get_deflt_digest_name() and use it
evp_keymgmt_util_get_deflt_digest_name() is a refactor of the provider
side key part of EVP_PKEY_get_default_digest_name(), that takes
EVP_KEYMGMT and provider keydata pointers instead of an EVP_PKEY
pointer.

We also ensure that it uses SN_undef as the default name if the
provider implementation gave us an empty string, since this is what
EVP_PKEY_get_default_digest_name() responds when getting the digest
name via a EVP_PKEY_ASN1_METHOD ctrl call that returns NID_undef.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11576)
2020-04-23 10:44:37 +01:00
Pauli
8d5fb64852 params: add functionality to test if an OSSL_PARAM has been set.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11588)
2020-04-22 13:56:44 +10:00
Billy Brumley
07caec83b8 [crypto/ec] deprecate Jprojective_coordinates_GFp functions
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11527)
2020-04-22 02:06:50 +03:00
Dirk-Willem van Gulik
c72e59349f Add setter equivalents to X509_REQ_get0_signature
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10563)
2020-04-21 16:52:50 +02:00
Dr. David von Oheimb
2b264aee6f Fix descriptions of credentials and verification options for various apps
fix doc of s_client and s_server credentials and verification options
fix doc of verification options also for s_time, x509, crl, req, ts, and verify
correcting and extending texts regarding untrusted and trusted certs,
making the order of options in the docs and help texts more consistent,
etc.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11273)
2020-04-20 11:33:53 +02:00
Shane Lontis
738ee1819e Fix DH_get_nid() so that it does not cache values.
DH_set0_pqg() is now responsible for caching the nid, q and length.

DH with or without named safe prime groups now default to using the maximum private key length (BN_num_bits(q) - 1)
when generating a DH private key. The code is now shared between fips and non fips mode for DH key generation.

The OSSL_PKEY_PARAM_DH_PRIV_LEN parameter can be used during keygen to override the maximum private key length to be
in the range (2 * strength ... bits(q) - 1). Where the strength depends on the length of p.

Added q = (p - 1) / 2 safe prime BIGNUMS so that the code is data driven (To simplify adding new names).
The BIGNUMS were code generated.

Fix error in documented return value for DH_get_nid

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11562)
2020-04-20 11:07:38 +10:00
Shane Lontis
9e537cd2ad DOC: Extend EVP_PKEY-DSA(7) / EVP_PKEY_DH(7) with FFC information
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11546)
2020-04-20 08:56:05 +10:00
Richard Levitte
33df1cfdd5 DOC: Refactor provider-keymgmt(7) to give the keytypes their own pages
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11546)
2020-04-20 08:56:05 +10:00
Pauli
769cfc3bd0 Undeprecate DH_get_length() and DH_set_length() functions
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:39 +10:00
Pauli
ccefc3411e dhparam: update command line app to use EVP calls
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11225)
2020-04-19 10:37:38 +10:00
Richard Levitte
ccb47dbf47 DOC: Extend the description of EVP_PKEY_CTX_new_from_name()
This adds text the should lead the user to documentation on different
KEYMGMT implementations.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11220)
2020-04-18 11:35:56 +02:00
Richard Levitte
476de2e5e5 DOC: Add more description of EVP_PKEY_fromdata(), and examples
Fixes 

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11220)
2020-04-18 11:35:56 +02:00
Pauli
4350a6bd42 doc: note that the FIPS provider contains some non-approved algorithms.
Also note how to select them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11371)
2020-04-17 19:51:37 +10:00
Richard Levitte
d0ddf9b409 EVP: Fix calls to evp_pkey_export_to_provider()
The calls weren't quite right, as this function has changed its behaviour.
We also change the internal documentation of this function, and document
evp_pkey_downgrade().

Fixes 

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11550)
2020-04-17 19:50:03 +10:00
Matt Caswell
7525c93030 Document X509_verify_ex() and X509_REQ_verify_ex()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11507)
2020-04-16 14:20:01 +01:00
Shane Lontis
7165593ce5 Add DH keygen to providers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11332)
2020-04-16 01:14:00 +10:00
Shane Lontis
b03ec3b5d6 Add DSA keygen to provider
Moved some shared FFC code into the FFC files.
Added extra paramgen parameters for seed, gindex.
Fixed bug in ossl_prov util to print bignums.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11303)
2020-04-15 21:02:52 +10:00
Matt Caswell
137b274aee Document the new libctx aware private key functions
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11494)
2020-04-15 11:24:13 +01:00
Richard Levitte
10d756a70e EC: Refactor EVP_PKEY_CTX curve setting macros for param generation
The macros are converted to functions, and are modified to support
provider implementations.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11328)
2020-04-15 11:04:28 +02:00
Richard Levitte
2b9add6965 KEYMGMT: Add functions to get param/key generation parameters
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11328)
2020-04-15 11:03:59 +02:00
Aaron Thompson
ff1f7cdeb1 Add ex_data to EVP_PKEY.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11515)
2020-04-14 17:58:17 +03:00