summaryrefslogtreecommitdiff
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
...
* Fixed a typo in a man pageAlex Gaynor2018-03-031-1/+1
| | | | | | Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5498)
* Update some documentation for X448/Ed448Matt Caswell2018-03-025-21/+33
| | | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5481)
* Fix typo in ASN1_STRING_length docIvan Filenko2018-03-011-2/+2
| | | | | | | | CLA: trivial Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5458)
* Do not set a nonzero default max_early_dataBenjamin Kaduk2018-02-281-3/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When early data support was first added, this seemed like a good idea, as it would allow applications to just add SSL_read_early_data() calls as needed and have things "Just Work". However, for applications that do not use TLS 1.3 early data, there is a negative side effect. Having a nonzero max_early_data in a SSL_CTX (and thus, SSL objects derived from it) means that when generating a session ticket, tls_construct_stoc_early_data() will indicate to the client that the server supports early data. This is true, in that the implementation of TLS 1.3 (i.e., OpenSSL) does support early data, but does not necessarily indicate that the server application supports early data, when the default value is nonzero. In this case a well-intentioned client would send early data along with its resumption attempt, which would then be ignored by the server application, a waste of network bandwidth. Since, in order to successfully use TLS 1.3 early data, the application must introduce calls to SSL_read_early_data(), it is not much additional burden to require that the application also calls SSL_{CTX_,}set_max_early_data() in order to enable the feature; doing so closes this scenario where early data packets would be sent on the wire but ignored. Update SSL_read_early_data.pod accordingly, and make s_server and our test programs into applications that are compliant with the new requirements on applications that use early data. Fixes #4725 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5483)
* Tell the ciphers which DRBG to use for generating random bytes.Kurt Roeckx2018-02-281-0/+14
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> GH: #4672
* Fixed typo in description of EVP_CIPHER_meth_set_iv_length().David Makepeace2018-02-281-1/+1
| | | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5477)
* Fix documentation link to reference man3xemdetia2018-02-271-2/+2
| | | | | | | | CLA: trivial Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5473)
* Update copyright yearMatt Caswell2018-02-276-6/+6
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Export keying material using early exporter master secretTatsuhiro Tsujikawa2018-02-261-4/+27
| | | | | | | | | This commit adds SSL_export_keying_material_early() which exports keying material using early exporter master secret. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5252)
* STORE: Add documentation on search criteriaRichard Levitte2018-02-235-11/+278
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2688)
* STORE: Add documentation on expecting specific infosRichard Levitte2018-02-234-7/+97
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2688)
* Update EC_POINT_new.podPer Sandström2018-02-221-1/+1
| | | | | | | | | | CLA: trivial fix typo: EC_point2buf => EC_POINT_point2buf Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5367)
* Add support for PBKDF2 for enc commandEasySec2018-02-211-2/+12
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2083)
* Add BIO_bind function to bind local address for a socket.John Hughes2018-02-192-3/+18
| | | | | | | | | Add -bind option to s_client application to allow specification of local address for connection. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5272)
* Add X509_get0_authority_key_id() functionMassimiliano Pala2018-02-191-0/+6
| | | | | | | | | This function makes it easier to retrieve a reference to the authority key identifier (akid->keyid) inside a certificate. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5271)
* Avoid mentioning uninitialised contexts.Pauli2018-02-192-10/+7
| | | | | | | | | All contexts must be initialised because they can only be created using the _new() calls. Remove the outdated mentions of uninitialised and initialised contexts. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5388)
* pkeyparam.pod: correct the command descriptionDr. Matthias St. Pierre2018-02-161-2/+2
| | | | | | | The description was probably copy&pasted from pkey.pod and forgotten. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5390)
* PEM_read_bio_PrivateKey.pod: replace geek speek by something more seriousDr. Matthias St. Pierre2018-02-141-3/+3
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5369)
* d2i_X509.pod: clarify usage of the 'pp' function parameterDr. Matthias St. Pierre2018-02-141-9/+11
| | | | | | | | | The 'pp' function parameters of d2i_TYPE() and i2d_TYPE() are referenced in the DESCRIPTION section as 'in' resp. 'out'. This commit renames the references to 'ppin' resp. 'ppout' and adds an explaining sentence. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5365)
* Update copyright yearMatt Caswell2018-02-1314-14/+14
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix include in manpage of X509_check_hostDaniël van Eeden2018-02-111-1/+1
| | | | | | | | | | Fixes Issue #5255 CLA: trivial Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5256)
* CRYPTO_THREAD_run_once.pod: fix typo and punktuationDr. Matthias St. Pierre2018-02-091-3/+3
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5293)
* Add MiddleboxCompat option to SSL_CONF_cmd man pageMatt Caswell2018-02-051-0/+6
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5244)
* Document SSL_OP_ENABLE_MIDDLEBOX_COMPATMatt Caswell2018-02-021-0/+9
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5237)
* Add OPENSSL_VERSION_AT_LEASTMichael Richardson2018-02-012-0/+11
| | | | | | | | | | | | added macro to create version number use the macro to build OPENSSL_VERSION_AT_LEAST(maj,min,fix) so that customers of libssl (such as ruby-openssl) do not need to be so aware of openssl version numbers. includes updates to ssl(7) and OPENSSL_VERSION_NUMBER(3) man page Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5212)
* Fix doc nitsTodd Short2018-02-011-5/+5
| | | | | | Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
* Add TLSv1.3 post-handshake authentication (PHA)Todd Short2018-02-013-7/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add SSL_verify_client_post_handshake() for servers to initiate PHA Add SSL_force_post_handshake_auth() for clients that don't have certificates initially configured, but use a certificate callback. Update SSL_CTX_set_verify()/SSL_set_verify() mode: * Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after the initial handshake. * Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless of when the certificate authentication takes place; either initial handshake, re-negotiation, or post-handshake authentication. Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options Add support to s_client: * Enabled automatically when cert is configured * Can be forced enabled via -force_pha Add support to s_server: * Use 'c' to invoke PHA in s_server * Remove some dead code Update documentation Update unit tests: * Illegal use of PHA extension * TLSv1.3 certificate tests DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is implemented, it's PHA support state machine may need to be different. Add a TODO and a #error Update handshake context to deal with PHA. The handshake context for TLSv1.3 post-handshake auth is up through the ClientFinish message, plus the CertificateRequest message. Subsequent Certificate, CertificateVerify, and Finish messages are based on this handshake context (not the Certificate message per se, but it's included after the hash). KeyUpdate, NewSessionTicket, and prior Certificate Request messages are not included in post-handshake authentication. After the ClientFinished message is processed, save off the digest state for future post-handshake authentication. When post-handshake auth occurs, copy over the saved handshake context into the "main" handshake digest. This effectively discards the any KeyUpdate or NewSessionTicket messages and any prior post-handshake authentication. This, of course, assumes that the ID-22 did not mean to include any previous post-handshake authentication into the new handshake transcript. This is implied by section 4.4.1 that lists messages only up to the first ClientFinished. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4964)
* Catch some more old sigalg names in commentsBenjamin Kaduk2018-01-261-1/+1
| | | | | | | | Make the sigalg name in comments reflect one that actually exists in the draft standard. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5174)
* Update documentation for SSL_set1_sigalgs()Benjamin Kaduk2018-01-251-3/+5
| | | | | | | | | | | | | | These functions can now take both "sig+hash" strings and algorithm-specific identifiers like "rsa_pss_pss_sha256" that indicate a particular entry from the TLS signature algorithm registry. Also clarify that only the "_list" form allows for the new-style names (the non-"list" interfaces take sig and hasn NIDs, which cannot access all of the new-style schemes). Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5068)
* Added "B" tag to all variables.David Cooper2018-01-241-6/+6
| | | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4190)
* Add documentation for the OCSP_basic_sign() and OCSP_basic_sign_ctx() functions.David Cooper2018-01-241-2/+19
| | | | | | | | Correct error return value in OCSP_basic_sign(). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4190)
* Make editorial changes suggested by Rich Salz and add the -rsigopt option to ↵David Cooper2018-01-241-0/+6
| | | | | | | | the man page for the ocsp command. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4190)
* Updates following review of SSL_stateless() codeMatt Caswell2018-01-241-1/+1
| | | | | Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
* Add documentation for SSL_stateless()Matt Caswell2018-01-241-43/+73
| | | | | | | Fixes #4283 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4435)
* SHA512/224 and SHA512/256Pauli2018-01-241-3/+14
| | | | | | | Support added for these two digests, available only via the EVP interface. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5093)
* Improve some BN documentation.Rich Salz2018-01-231-9/+14
| | | | | | | Thanks to Nicolas Schodet for pointing this out. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5141)
* Add accessors for AdmissionSyntaxRich Salz2018-01-223-0/+197
| | | | | | | Based on code from Matthias Ballreich, Steve Henson, and Wolf Tobias. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4724)
* enc(1): document that AEAD is not and will not be supportedBenjamin Kaduk2018-01-191-2/+16
| | | | | | | | | | | | | | Note the reasons, including streaming output issues and key/iv/nonce management issues. Recommend the use of cms(1) instead. Fixes #471. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/5048)
* Copyright update of more files that have changed this yearRichard Levitte2018-01-1910-10/+10
| | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/5110)
* doc: Bad prototypes of EVP_PKEY_CTX_new()Jakub Jelen2018-01-175-8/+11
| | | | | | | | | CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4861)
* Update all affected files' copyright year to 2018Paul Yang2018-01-1658-58/+58
| | | | | | | | Because the related PR/commits are merged in 2018... Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4976)
* Enforce return values section checkPaul Yang2018-01-162-0/+8
| | | | | | | | | To avoid check failure, make dummy RETURN VALUES sections in the docs which have no real functions decribed inside... Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4976)
* Add missing 'RETURN VALUES' sections in docPaul Yang2018-01-1659-61/+476
| | | | | | | | All missing sections are added. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4976)
* Make data argument const in SSL_dane_tlsa_addPatrick Schlangen2018-01-101-1/+3
| | | | | | | | | The data argument of SSL_dane_tlsa_add is used read-only, so it should be const. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5056)
* Update copyright years on all files merged since Jan 1st 2018Richard Levitte2018-01-094-4/+4
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5038)
* Document SSL_OP_NO_RENEGOTIATION as new in 1.1.1Christian Heimes2018-01-081-1/+2
| | | | | | | | | | Closes: https://github.com/openssl/openssl/issues/4897 Signed-off-by: Christian Heimes <christian@python.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4898)
* Document OPENSSL_ENGINES environment variablePatrick Steuer2018-01-082-1/+26
| | | | | | | | | In man1/engine.pod and man3/ENGINE_add.pod Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4956)
* Add fingerprint text, remove MD5Rich Salz2018-01-061-13/+5
| | | | | Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4906)
* Add x509(1) referenceViktor Dukhovni2018-01-051-1/+2
| | | | Reviewed-by: Ben Kaduk <kaduk@mit.edu>
* Improve readability of evp.podDr. Matthias St. Pierre2018-01-041-10/+10
| | | | | | | | | | The changes are analogous to the ones made in commit 0bf340e1350e to x509.pod, see PR #4924. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5012)
View Lorry Controller Status