summaryrefslogtreecommitdiff
path: root/doc
Commit message (Collapse)AuthorAgeFilesLines
* crypto/cmp: fix CertReqId to use in p10cr transactions acc. to RFC 4210Dr. David von Oheimb2023-04-181-4/+5
| | | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20298)
* Fix a HPKE API to put libctx, propq as last (optional parameters).slontis2023-04-141-3/+3
| | | | | | | | | This keeps the interface consistent with other HPKE API's. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20583)
* doc: Fix incorrect pairing of functionsLadislav Marko2023-04-131-1/+1
| | | | | | | | | | CLA: trivial The functions that should be implemented together are `OSSL_FUNC_signature_verify_recover_init` and `OSSL_FUNC_signature_verify_recover` and not `OSSL_FUNC_signature_verify_recover_init` with ` OSSL_FUNC_signature_verify_init` Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20704)
* doc: Fix misleading stucture infoLadislav Marko2023-04-131-1/+1
| | | | | | | | | | CLA: trivial The thing created by `OSSL_FUNC_signature_newctx()` and `OSSL_FUNC_signature_dupctx()` is a signature context, not a signature. It's in the name of the function and surrounding documentation. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20705)
* Updated return value of PEM_write_TYPE() and PEM_write_bio_TYPE() in man-pages.Jeeban Sethi2023-04-111-2/+1
| | | | | | | | | | Fixes #20218 CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20673)
* Update the documentation for SSL_version et alMatt Caswell2023-04-041-4/+44
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20650)
* doc: Fix typo in EVP_EncryptInit.podSamuel Lee (ENS/CRYPTO)2023-03-311-1/+1
| | | | | | | | | CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/20645)
* Provider-based KEM and SIG alg speed testing addedMichael Baentsch2023-03-311-0/+10
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/19968)
* QUIC Thread Assisted mode: miscellaneous fixesHugo Landau2023-03-301-1/+1
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
* QUIC Thread Assisted Mode: Add design documentHugo Landau2023-03-301-0/+104
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20348)
* Add some documentation for the new advanced s_client command modeMatt Caswell2023-03-301-7/+67
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20566)
* remove DSA512 from speed testingMichael Baentsch2023-03-301-0/+2
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20603)
* doc: add HOWTO document about Documenting public Functions and MacrosMichael Richardson2023-03-291-0/+176
| | | | | | | | | | | | | | Co-authored-by: Matthias St. Pierre <matthias.st.pierre@ncp-e.com> Co-authored-by: Tomáš Mráz <tm@t8m.info> Co-authored-by: Lin2Jing4 <35728132+Lin2Jing4@users.noreply.github.com> Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17926)
* doc: note the restriction on digests used by DRBGs in FIPS mode.Pauli2023-03-293-2/+60
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20521)
* RFC7250 (RPK) supportTodd Short2023-03-2811-23/+440
| | | | | | | | | | | | | | Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit tests Add documentation Add s_client/s_server support Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)
* Fix documentation of X509_VERIFY_PARAM_add0_policy()Tomas Mraz2023-03-281-2/+7
| | | | | | | | | | The function was incorrectly documented as enabling policy checking. Fixes: CVE-2023-0466 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20561)
* CMP add: fix -reqin option, which requires adding ↵Dr. David von Oheimb2023-03-253-5/+22
| | | | | | | | | OSSL_CMP_MSG_update_recipNonce() Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20204)
* CMP app: improve doc and help output on -{req,rsp}{in,out} optionsDr. David von Oheimb2023-03-251-4/+7
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20204)
* Update the EVP_PKEY_get_id documentationMichael Baentsch2023-03-252-4/+32
| | | | | | | | | | | | The documentation didn't mention the development where EVP_PKEY_get_id() returns a negative value for provider-only implementations, and the migration guide didn't mention how to cope with that. Fixes #20497 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20501)
* Add an option to specify number of bits in the subprime (q) when generating ↵Aleksey Sanin2023-03-231-3/+10
| | | | | | | | DSA keys Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19898)
* QUIC: Add history section to SSL_inject_net_dgram()Hugo Landau2023-03-221-1/+5
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20451)
* QUIC: Add tests for datagram injection APIHugo Landau2023-03-221-0/+6
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20451)
* QUIC: Add support for datagram injectionHugo Landau2023-03-221-0/+51
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20451)
* cmp: fix --strict-warnings windows buildsFdaSilvaYY2023-03-211-1/+1
| | | | | | | | | remove unneeded const qualifier to keep method declaration and definition in sync. Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/20436)
* nit: tidy-up code, and fix a typo.FdaSilvaYY2023-03-211-3/+3
| | | | | | Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/20436)
* Add a simple QUIC test for blocking modeMatt Caswell2023-03-201-6/+7
| | | | | | | | We create "real" sockets for blocking mode so that we can block on them. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20514)
* doc: note the default iteration count for PBKDF2 in the enc commandPauli2023-03-201-1/+2
| | | | | | | | Fixes #20466 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20471)
* sleep.c: Limit the sleep time instead of sleeping for days or even yearsTomas Mraz2023-03-181-2/+7
| | | | | | | | | | | | | As the sleep() call is interruptible, it is not even a good idea to call it in a loop if the caller uses some ridiculously large value as an infinity just waiting for an interrupt. Fixes #20524 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/20533)
* providers: add Argon2 KDFČestmír Kalina2023-03-173-0/+200
| | | | | | | | | | https://datatracker.ietf.org/doc/rfc9106/ Signed-off-by: Čestmír Kalina <ckalina@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12256)
* Fix documented function return typesAndy Bernard2023-03-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | The documented return type of the (incorrectly named; see below) OSSL_FUNC_decoder_export_object function signature is wrong; the correct type is int, due to the following line in core_dispatch.h: OSSL_CORE_MAKE_FUNC(int, decoder_export_object, Fixes #19543 Per the Github conversation with levitte and t8m for pull request #19964, the following issues are not addressed by this patch: The macro OSSL_CORE_MAKE_FUNC in core_dispatch.h generates a function, and a corresponding function signature typedef with name ending in "_fn". The typedefed signature is unrelated to the signature of the function. However, provider-decoder.pod describes typedefed signatures generated by the macro, but uses the names of the functions (lacking "_fn") instead of the typedefed signatures, which is a mismatch. Also, the documented claim about OSSL_FUNC_decoder_export_object, etc that "None of these are actual functions" is contradicted by the fact that the code actually calls those functions, and calls them specifically by those names. E.g. in decoder_meth.c: decoder->export_object = OSSL_FUNC_decoder_export_object(fns); The functions are generated by OSSL_CORE_MAKE_FUNC. The paragraph "None of these are actual functions"... should be replaced by something more like "These function signatures, generated by the OSSL_CORE_MAKE_FUNC macro, are for functions that are offered via function pointers in OSSL_DISPATCH arrays." CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19964)
* Do not fail if ctx dup does not succeedSimo Sorce2023-03-154-3/+31
| | | | | | | | | | | | | | | If the ctx was *really* needed we'll probably fail later with an error anyway, so no point in failing immediately. Document that this behavior is dependent on the provider used to implement the signature/verification. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/20375)
* Document remaining obsolete SSL_OP_NETSCAPE_*_BUGTobias Nießen2023-03-151-0/+4
| | | | | | | | | | | | | | SSL_OP_NETSCAPE_CA_DN_BUG became obsolete in 3c33c6f6b1086435 and support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG was removed by 7a4dadc3a6a487db. The definitions are still listed under "OBSOLETE OPTIONS retained for compatibility" in ssl.h.in, so this commit adds them to the list of obsolete options in doc/man3. Refs: https://github.com/nodejs/node/pull/46954 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20443)
* doc/man3/X509_STORE_CTX_get_error.pod: make order consistent, add some ↵Dr. David von Oheimb2023-03-151-54/+71
| | | | | | | | missing entries Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20450)
* doc: document that prediction resistance comes with a hidden costPauli2023-03-151-0/+12
| | | | | | | | | | | | In the default setup, using prediction resistance cascades to a reseeding of all DRBGs. The cost for this will be excessive for highly threaded applications. Fixes #20414 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/20452)
* apps/x509 etc.: allow private key input when public key is expectedDr. David von Oheimb2023-03-147-21/+30
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19076)
* Add option to FIPS module to enforce EMS check during KDF TLS1_PRF.slontis2023-03-072-0/+25
| | | | | | | | Fixes #19989 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20241)
* DOCS: provider-keymgmt(7) - params for EVP_PKEY_get_default_digest_{name,nid}()Richard Levitte2023-03-072-1/+31
| | | | | | | | This describes them in detail in provider-keymgmt(7). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20430)
* Fix typo in base provider example codeHansHoogerwerf2023-03-031-1/+1
| | | | | | | | CLA: trivial Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20411)
* Update AES documentation excluding AES SIV from the FIPS providerPauli2023-03-011-2/+2
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20386)
* Update FIPS provider documentation to note that fips=yes is mandatoryPauli2023-03-011-8/+11
| | | | | | | | | | | This was in the notes section but an earlier comment about it not being mandatory was missed. Fixes #20376 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/20382)
* Document the list of RAND algorithms in the default and fips providers.slontis2023-02-282-0/+32
| | | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20361)
* Add provider pre-fetching documentationslontis2023-02-2827-8/+246
| | | | | | | | | | | | Clearly document that implicit fetching is slower when using providers, and explain prefetching. Added to crypto.pod and migration_guide.pod links to it. Add a link to EVP_default_properties_enable_fips() in crypto.pod. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20354)
* Add documentation for "NULL" cipher and digest algorithms.slontis2023-02-286-1/+132
| | | | | | | | Fixes #20340 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20356)
* CMS_add0_cert.pod: add missing man section numbers in recently added ↵Dr. David von Oheimb2023-02-241-3/+3
| | | | | | | | | L<fun()> refs Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20369)
* Add OSSL_FUNC_keymgmt_im/export_types function that gets the provider contextIngo Franzki2023-02-241-4/+24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The provider functions OSSL_FUNC_keymgmt_import_types() and OSSL_FUNC_keymgmt_export_types() do not get the provider context passed. This makes it difficult for providers to implement these functions unless its a static implementation returning a truly constant OSSL_PARAM array. Some providers may have a need to return an OSSL_PARAM array that is dependent on the provider configuration, or anything else that is contained in its provider context. Add extended variants of these functions that get the provider context passed. The functions should still return a static and constant OSSL_PARAM array, but may use the provider context to select the array to return dependent on its context. The returned array must be constant at least until the provider is unloaded. Providers can implement only the original functions, or only the extended functions, or both. Implementing at least one of those functions is required if also the respective OSSL_FUNC_keymgmt_import() or OSSL_FUNC_keymgmt_export() function is implemented. If an extended function is available, it is called by evp_keymgmt_import_types() or evp_keymgmt_export_types(), otherwise the original function is called. This makes the code backward compatible. Existing providers will only implement the original functions, so these functions will continued to be called. Newer providers can choose to implement the extended functions, and thus can benefit from the provider context being passed to the implementation. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20255)
* CMS_add0_cert: if cert already present, do not throw error but ignore itDr. David von Oheimb2023-02-243-11/+19
| | | | | | | | | Also add checks on failing cert/CRL up_ref calls; improve coding style. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19199)
* first cut at sigalg loadingMichael Baentsch2023-02-241-0/+123
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19312)
* Add help for pkeyopt values for the genpkey commandline app.slontis2023-02-231-0/+3
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/19931)
* update documentation to note that EdDSA is not FIPS approvedPauli2023-02-222-0/+4
| | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20343)
* Document return value of OSSL_DECODER_from_dataBenno Evers2023-02-211-2/+2
| | | | | | | | | CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20327)
View Lorry Controller Status