path: root/doc/man1
Commit message | Author | Age | Files | Lines
* openssl-cmp.pod.in: Update and extend example using Insta Demo CA | Dr. David von Oheimb | 2020-08-04 | 1 | -0/+6
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12534)
* apps/cmp.c: Improve documentation of -recipient option | Dr. David von Oheimb | 2020-07-30 | 1 | -1/+2
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12421)
* deserialisation: add deserialisation to the base provider | Pauli | 2020-07-30 | 1 | -0/+10
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12104)
* serialisation: Add a built-in base provider. | Pauli | 2020-07-30 | 1 | -0/+6
  Move the libcrypto serialisation functionality into a place where it can be provided at some point. The serialisation still remains native in the default provider.
  Add additional code to the list command to display what kind of serialisation each entry is capable of.
  Having the FIPS provider auto load the base provider is a future (but necessary) enhancement.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12104)
* Deprecate -nodes in favor of -noenc in pkcs12 and req app | Dr. David von Oheimb | 2020-07-28 | 2 | -4/+16
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12495)
* Test RSA oaep in fips mode | Shane Lontis | 2020-07-23 | 2 | -9/+14
  Added RSA oaep test that uses the pkeyutl application.
  Added an openssl application option to support loading a (fips) provider via the '-config' option.
  Added openssl application related environment variable 'OPENSSL_TEST_LIBCTX' (for testing purposes only), that creates a non default library context.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11948)
* document the deprecation of the '-public-key-methods' option to list | Pauli | 2020-07-22 | 1 | -6/+9
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11082)
* Align documentation with recommendations of Linux Documentation Project | Gustaf Neumann | 2020-07-22 | 4 | -8/+8
  This change applies the recommendation of the Linux Documentation Project to the documentation files of OpenSSL. Additionally, util/find-doc-nits was updated accordingly.
  The change follows a suggestion of mspncp on https://github.com/openssl/openssl/pull/12370 and incorporates the requested changes on the pull request
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/12460)
* Add ERR_raise() errors to fips OSSL_provider_init and self tests. | Shane Lontis | 2020-07-21 | 1 | -0/+17
  As the ERR_raise() is setup at this point returning a range of negative values for errors is not required. This will need to be revisited if the code ever moves to running from the DEP.
  Added a -config option to the fips install so that it can test if a fips module is loadable from configuration. (The -verify option only uses the generated config, whereas -config uses the normal way of including the generated data via another config file).
  Added more failure tests for the raised errors.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12346)
* x509_vfy.c: Improve key usage checks in internal_verify() of cert chains | Dr. David von Oheimb | 2020-07-16 | 1 | -4/+5
  If a presumably self-signed cert is last in chain we verify its signature only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the signature verification, but not in case it is a (non-conforming) self-issued CA certificate with a key usage extension that does not include keyCertSign.
  Make clear when we must verify the signature of a certificate and when we must adhere to key usage restrictions of the 'issuing' cert.
  Add some comments for making internal_verify() easier to understand.
  Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12375)
* Revert "kdf: make function naming consistent." | Matt Caswell | 2020-07-16 | 1 | -1/+1
  The commit claimed to make things more consistent. In fact it makes it less so. Revert back to the previous naming convention.
  This reverts commit 765d04c9460a304c8119f57941341a149498b9db.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12186)
* Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*" | Matt Caswell | 2020-07-16 | 1 | -1/+1
  The commit claimed to make things more consistent. In fact it makes it less so. Revert back to the previous naming convention.
  This reverts commit d9c2fd51e2e278bc3f7793a104ff7b4879f6d63a.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12186)
* apps: document the deprecation of the -engine option | Pauli | 2020-07-16 | 33 | -17/+106
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12226)
* engine: document the engine app as deprecated | Pauli | 2020-07-16 | 1 | -0/+6
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12226)
* apps/list: deprecate engine support | Pauli | 2020-07-16 | 1 | -6/+17
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12226)
* Make -provider_name and -section_name optional | Rich Salz | 2020-07-15 | 1 | -2/+2
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12311)
* Fix typos and repeated words | Gustaf Neumann | 2020-07-05 | 12 | -16/+16
  CLA: trivial
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/12320)
* doc: Remove stray backtick | Jakub Wilk | 2020-07-03 | 1 | -1/+1
  CLA: trivial
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12329)
* Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued() | Dr. David von Oheimb | 2020-07-01 | 1 | -5/+3
  Move check that cert signing is allowed from x509v3_cache_extensions() to where it belongs: internal_verify(), generalize it for proxy cert signing.
  Correct and simplify check_issued(), now checking self-issued (not: self-signed).
  Add test case to 25-test_verify.t that demonstrates successful fix
  Fixes #1418
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/10587)
* Improve documentation, layout, and code comments regarding self-issued certs etc. | Dr. David von Oheimb | 2020-07-01 | 2 | -43/+62
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/10587)
* Add --fips-key configuration parameter to fipsinstall application. | Rich Salz | 2020-06-29 | 1 | -1/+6
  Change default FIPS HMAC KEY from all-zero's
  Use default FIPSKEY if not given on command line.
  Make all -macopt in fipsinstall optional
  Make all tests, except fipsinstall, use the default -macopt and -mac_name flags.
  Define and use FIPSDIR variable on VMS/MMS.
  Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12235)
* evp_rand: documentation | Pauli | 2020-06-24 | 1 | -0/+11
  EVP_RAND, the RNGs and provider-rand.
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/11682)
* CMS print should support string conversion: docs | Dmitry Belyavskiy | 2020-06-24 | 1 | -0/+9
  Documentation for -nameopt option
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/12206)
* Remove whitespace from 'white space' | haykam821 | 2020-06-19 | 4 | -7/+7
  CLA: trivial
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/12161)
* DOC: Spelling fixes | Sebastian Andrzej Siewior | 2020-06-18 | 1 | -1/+1
  Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/12172)
* Improve description of CMP untrusted certs and msg 'sender' field | Dr. David von Oheimb | 2020-06-13 | 1 | -25/+23
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11998)
* Allow subject of CMP -oldcert as sender unless protection cert is given | Dr. David von Oheimb | 2020-06-13 | 1 | -2/+3
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11998)
* Check expected sender not only for signature-protected CMP messages | Dr. David von Oheimb | 2020-06-13 | 1 | -2/+1
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11998)
* Improve description of -trusted, -srvcert, -recipient, and -expect_sender CMP options | Dr. David von Oheimb | 2020-06-13 | 1 | -35/+28
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11998)
* The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_* | Pauli | 2020-06-11 | 1 | -1/+1
  functions are now EVP_MAC functions, usually with ctx in their names.
  Before 3.0 is released, the names are mutable and this prevents more inconsistencies being introduced.
  There are no functional or code changes. Just the renaming and a little reformatting.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11997)
* kdf: make function naming consistent. | Pauli | 2020-06-11 | 1 | -1/+1
  The EVP_KDF_CTX_* functions have been relocated to the EVP_KDF_* namespace for consistency.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11996)
* Update RSA keygen to use sp800-56b by default | Shane Lontis | 2020-06-10 | 1 | -1/+2
  Fixes #11742
  Fixes #11764
  The newer RSA sp800-56b algorithm is being used for the normal case of a non multiprime key of at least length 2048. Insecure key lengths and multiprime RSA will use the old method.
  Bad public exponents are no longer allowed (i.e values less than 65537 or even). Values such as 2 that would cause an infinite loop now result in an error. The value of 3 has been marked as deprecated but is still allowed for legacy purposes.
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/11765)
* APPS: Drop interactive mode in the 'openssl' program | Richard Levitte | 2020-06-05 | 1 | -1/+5
  This mode is severely untested and unmaintained, it seems not to be used very much.
  Closes #4679
  Closes #6292
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/12023)
* Add cipher list ciphersuites which using encryption algorithm in mode CBC. | Otto Hollmann | 2020-06-04 | 1 | -0/+7
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/11984)
* crypto/cms: add CAdES-BES signed attributes validation | FdaSilvaYY | 2020-05-27 | 1 | -4/+6
  for signing certificate V2 and signing certificate extensions.
  CAdES: lowercase name for now internal methods.
  crypto/cms: generated file changes.
  Add some CHANGES entries.
  [extended tests]
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/8098)
* doc: fix trace category names | Dr. Matthias St. Pierre | 2020-05-27 | 1 | -2/+2
  The `ENGINE_CONF` and `PROVIDER_CONF` trace categories were merged into a single `CONF` category (see bc362b9b7202 and 71849dff56d6).
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/11806)
* There is no -signreq option in CA.pl | mettacrawler | 2020-05-21 | 1 | -2/+2
  CLA: trivial
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/11876)
* Introducing option SSL_OP_IGNORE_UNEXPECTED_EOF | Dmitry Belyavskiy | 2020-05-19 | 2 | -0/+20
  Partially fixes #11209.
  Before OpenSSL 3.0 in case when peer does not send close_notify, the behaviour was to set SSL_ERROR_SYSCALL error with errno 0. This behaviour has changed. The SSL_OP_IGNORE_UNEXPECTED_EOF restores the old behaviour for compatibility's sake.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/11735)
* Revise fips_install.pod | Rich Salz | 2020-05-19 | 1 | -22/+26
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  (Merged from https://github.com/openssl/openssl/pull/11369)
* Use OSSL_STORE for load_{,pub}key() and load_cert() in apps/lib/apps.c | Dr. David von Oheimb | 2020-05-15 | 18 | -91/+188
  This also adds the more flexible and general load_key_cert_crl() as well as helper functions get_passwd(), cleanse(), and clear_free() to be used also in apps/cmp.c etc.
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/11755)
* Update copyright year | Matt Caswell | 2020-05-15 | 1 | -1/+1
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11839)
* Add -reqin_new_tid option to apps/cmp.c and OSSL_CMP_MSG_update_transactionID() | Dr. David von Oheimb | 2020-05-13 | 1 | -0/+8
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/11470)
* Improve CMP documentation regarding use of untrusted certs | Dr. David von Oheimb | 2020-05-13 | 1 | -1/+1
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/11470)
* Chunk 11 of CMP contribution to OpenSSL: CMP command-line interface | Dr. David von Oheimb | 2020-05-13 | 2 | -0/+1160
  Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
  Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
  Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
  Adds extensive documentation and tests.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/11470)
* doc: fix two invalid <B> tags | Beat Bolli | 2020-05-10 | 1 | -1/+1
  Signed-off-by: Beat Bolli <dev@drbeat.li>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Ben Kaduk <kaduk@mit.edu>
  (Merged from https://github.com/openssl/openssl/pull/11759)
* doc: remove deprecation notes for apps that are staying. | Pauli | 2020-05-09 | 7 | -47/+3
  The apps that are staying are: dhparam, dsa, dsaparam, ec, ecparam, gendsa and rsa.
  The rsautl app remains deprecated.
  The -dsaparam option to dhparam also remains deprecated.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11575)
* SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation | Nikolay Morozov | 2020-05-07 | 1 | -0/+7
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/11709)
* Amend references to "OpenSSL license" | Shourya Shukla | 2020-04-29 | 4 | -4/+4
  A small number of files contain references to the "OpenSSL license" which has been deprecated and replaced by the "Apache License 2.0". Amend the occurrences.
  Fixes #11649
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/11663)
* doc: Random spellchecking | Sebastian Andrzej Siewior | 2020-04-28 | 3 | -3/+3
  A little spell checking.
  Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
  Reviewed-by: Paul Dale <paul.dale@oracle.com>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  (Merged from https://github.com/openssl/openssl/pull/11644)
* Add function load_csr(file,format,desc) to apps/lib/apps.c | David von Oheimb | 2020-04-24 | 1 | -0/+12
  Make use of new load_csr() in 'ca', 'req', and 'x509' app
  Add '-inform' and '-certform' option to 'ca' app
  Add 'desc' parameter to load_crl() function defined in apps/lib/apps.c
  Allow 'desc' parameter to be NULL (gives option to suppress error output)
  Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/4940)