path: root/doc
Commit message | Author | Age | Files | Lines
* Add option to FIPS module to enforce EMS check during KDF TLS1_PRF. | slontis | 2023-03-07 | 2 | -0/+25
  Fixes #19989
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20241)
* DOCS: provider-keymgmt(7) - params for EVP_PKEY_get_default_digest_{name,nid}() | Richard Levitte | 2023-03-07 | 2 | -1/+31
  This describes them in detail in provider-keymgmt(7).
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20430)
* Fix typo in base provider example code | HansHoogerwerf | 2023-03-03 | 1 | -1/+1
  CLA: trivial
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20411)
* Update AES documentation excluding AES SIV from the FIPS provider | Pauli | 2023-03-01 | 1 | -2/+2
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/20386)
* Update FIPS provider documentation to note that fips=yes is mandatory | Pauli | 2023-03-01 | 1 | -8/+11
  This was in the notes section but an earlier comment about it not being mandatory was missed.
  Fixes #20376
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/20382)
* Document the list of RAND algorithms in the default and fips providers. | slontis | 2023-02-28 | 2 | -0/+32
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20361)
* Add provider pre-fetching documentation | slontis | 2023-02-28 | 27 | -8/+246
  Clearly document that implicit fetching is slower when using providers, and explain prefetching.
  Added to crypto.pod and migration_guide.pod links to it.
  Add a link to EVP_default_properties_enable_fips() in crypto.pod.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20354)
* Add documentation for "NULL" cipher and digest algorithms. | slontis | 2023-02-28 | 6 | -1/+132
  Fixes #20340
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20356)
* CMS_add0_cert.pod: add missing man section numbers in recently added L<fun()> refs | Dr. David von Oheimb | 2023-02-24 | 1 | -3/+3
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/20369)
* Add OSSL_FUNC_keymgmt_im/export_types function that gets the provider context | Ingo Franzki | 2023-02-24 | 1 | -4/+24
  The provider functions OSSL_FUNC_keymgmt_import_types() and OSSL_FUNC_keymgmt_export_types() do not get the provider context passed. This makes it difficult for providers to implement these functions unless it's a static implementation returning a truly constant OSSL_PARAM array. Some providers may have a need to return an OSSL_PARAM array that is dependent on the provider configuration, or anything else that is contained in its provider context.
  Add extended variants of these functions that get the provider context passed. The functions should still return a static and constant OSSL_PARAM array, but may use the provider context to select the array to return dependent on its context. The returned array must be constant at least until the provider is unloaded.
  Providers can implement only the original functions, or only the extended functions, or both. Implementing at least one of those functions is required if also the respective OSSL_FUNC_keymgmt_import() or OSSL_FUNC_keymgmt_export() function is implemented. If an extended function is available, it is called by evp_keymgmt_import_types() or evp_keymgmt_export_types(), otherwise the original function is called.
  This makes the code backward compatible. Existing providers will only implement the original functions, so these functions will continue to be called. Newer providers can choose to implement the extended functions, and thus can benefit from the provider context being passed to the implementation.
  Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20255)
* CMS_add0_cert: if cert already present, do not throw error but ignore it | Dr. David von Oheimb | 2023-02-24 | 3 | -11/+19
  Also add checks on failing cert/CRL up_ref calls; improve coding style.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/19199)
* first cut at sigalg loading | Michael Baentsch | 2023-02-24 | 1 | -0/+123
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19312)
* Add help for pkeyopt values for the genpkey commandline app. | slontis | 2023-02-23 | 1 | -0/+3
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Todd Short <todd.short@me.com>
  (Merged from https://github.com/openssl/openssl/pull/19931)
* update documentation to note that EdDSA is not FIPS approved | Pauli | 2023-02-22 | 2 | -0/+4
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20343)
* Document return value of OSSL_DECODER_from_data | Benno Evers | 2023-02-21 | 1 | -2/+2
  CLA: trivial
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20327)
* openssl-3.0#20290: Fixed typo in "config" man page | Jeeban Sethi | 2023-02-20 | 1 | -1/+1
  CLA: trivial
  Reviewed-by: Todd Short <todd.short@me.com>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20311)
  (cherry picked from commit 3da073c405e2d2000188571c23f3a79cf67a6e9d)
* OSSL_CMP_certConf_cb(): fix regression on checking newly enrolled cert | Dr. David von Oheimb | 2023-02-13 | 2 | -0/+2
  Also add corresponding tests and to this end update credentials
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/20160)
* cmp_client_test.c: add tests for errors reported by server on subsequent requests in a transaction | Dr. David von Oheimb | 2023-02-08 | 1 | -3/+5
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20190)
* ossl_cmp_mock_srv_new.pod: correct/update names of internal test support functions | Dr. David von Oheimb | 2023-02-08 | 1 | -10/+9
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20190)
* S390x: Support ME and CRT offloading | Juergen Christ | 2023-02-08 | 1 | -1/+6
  S390x has the ability to offload modular exponentiation and CRT operations to Crypto Express Adapters. This possible performance optimization was not yet used by OpenSSL. Add support for offloading and implement an optimized version of RSA and DH with it.
  The environment variable OPENSSL_s390xcap now recognizes the token "nocex" to prevent offloading.
  Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20113)
* CMP app and doc: improve texts on (un-)trusted certs, srvCert, etc. | Dr. David von Oheimb | 2023-02-08 | 2 | -32/+34
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19946)
* New function EC_GROUP_to_params to convert an EC_GROUP to an array of OSSL_PARAM. | Oliver Mihatsch | 2023-02-08 | 1 | -0/+13
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Todd Short <todd.short@me.com>
  (Merged from https://github.com/openssl/openssl/pull/20205)
* Add more punycode tests and remove ossl_a2ucompare() | slontis | 2023-02-08 | 1 | -9/+1
  The unused and untested internal function ossl_a2ucompare() has been removed.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/20177)
* doc: remove EdDSA from list of non-FIPS algorithms. | Pauli | 2023-02-08 | 3 | -5/+7
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/20219)
* APPS/{storeutl,gendsa}: give error on extra arguments, improve doc | Dr. David von Oheimb | 2023-02-02 | 2 | -2/+6
  Point out that options must be given before the final file/URI arg.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20156)
* BIO_read.pod: fix small typo | Andrea Pappacoda | 2023-01-31 | 1 | -1/+1
  Add missing `I` to `<b>`
  CLA: trivial
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20169)
* Design for the Fault Injector | Matt Caswell | 2023-01-31 | 1 | -0/+555
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19877)
* [doc] Sync documentation now that 3.0 honors OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT | Nicola Tuveri | 2023-01-31 | 1 | -2/+2
  https://github.com/openssl/openssl/pull/19901 backported the "Honor OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT as set and default to UNCOMPRESSED" changeset to 3.0.
  This commit updates:
  - the HISTORY notes of the relevant documentation to mark the change happened since 3.0.8.
  - the `CHANGES.md file` to sync up with the tip of the `openssl-3.0` branch
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Tim Hudson <tjh@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20003)
* ChaCha20-Poly1305 no longer supports truncated IV's. | slontis | 2023-01-30 | 2 | -5/+12
  Fixes #20084
  In the 3.0 provider implementation the generic code that handles IV's only allows a 12 byte IV. Older code intentionally added the ability for the IV to be truncated. As this truncation is unsafe, the documentation has been updated to state that this is no longer allowed. The code has been updated to produce an error when the iv length is set to any value other than 12.
  NOTE: It appears that this additional padding may have originated from the code which uses a 12 byte IV, that is then passed to CHACHA which zero pads it to 16 bytes.
  Note that legacy behaviour in e_chacha20_poly1305.c has not been updated.
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20151)
* QUIC ACKM: Rework probe reporting to allow use for bookkeeping | Hugo Landau | 2023-01-30 | 1 | -1/+1
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19925)
* SSL_conf_cmd: add support for IgnoreUnexpectedEOF | Steffen Nurpmeso | 2023-01-30 | 1 | -0/+5
  CLA: trivial
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20089)
* Implement BIO_s_dgram_mem() reusing the BIO_s_dgram_pair() code | Tomas Mraz | 2023-01-27 | 1 | -3/+13
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20012)
* QUIC FIN Support: Documentation fixups | Hugo Landau | 2023-01-27 | 2 | -13/+21
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19897)
* QUIC FIN Support: Various fixes | Hugo Landau | 2023-01-27 | 2 | -9/+13
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19897)
* QUIC: Add documentation for stream and connection shutdown functions | Hugo Landau | 2023-01-27 | 3 | -6/+178
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19897)
* Add notes about ignoring initialization failures on contexts | Tomas Mraz | 2023-01-27 | 4 | -8/+58
  Fixes #20130
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  (Merged from https://github.com/openssl/openssl/pull/20136)
* Document that the RSA e value is mandatory when importing. | slontis | 2023-01-26 | 1 | -3/+6
  The lab tried doing a RSA decryption primitive using just n (using p, q) and d.
  This failed for 2 reasons:
  (1) e is required when importing
  (2) Internally e is used for blinding.
  Note n and e can be calculated using:
  n = pq
  e = (1/d) mod (p-1)(q-1)
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20133)
* Clarify the change of enc -S behavior in 3.0 | Viktor Dukhovni | 2023-01-26 | 1 | -0/+13
  Fixes #19730
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19732)
* OSSL_HTTP_REQ_CTX_nbio(): use OSSL_TRACE_STRING() for msg body where it makes sense | Dr. David von Oheimb | 2023-01-26 | 1 | -2/+2
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/18704)
* add OSSL_TRACE_STRING(), OSSL_TRACE_STRING_MAX, and OSSL_trace_string() | Dr. David von Oheimb | 2023-01-26 | 1 | -1/+27
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/18704)
* APPS: generated certs bear X.509 V3, unless -x509v1 option of req app is given | Dr. David von Oheimb | 2023-01-24 | 6 | -11/+60
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/19271)
* X509{,_CRL,_REVOKED}_{set,sign}*(): fix 'modified' field and return values | Dr. David von Oheimb | 2023-01-24 | 1 | -8/+10
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/19271)
* fips: document that the EdDSA algorithms are not-validated | Pauli | 2023-01-24 | 3 | -4/+64
  Ed25519 and Ed448 are included in the FIPS 140-3 provider for compatibility purposes but are flagged as "fips=no" to prevent their accidental use. This therefore requires that applications always specify the "fips=yes" property query to enforce FIPS correctness.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20079)
* OSSL_trace_set_channel(): add important statement that it takes BIO ownership | Dr. David von Oheimb | 2023-01-24 | 1 | -0/+2
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/19959)
* Typos fixing | FdaSilvaYY | 2023-01-24 | 5 | -6/+6
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20109)
* MD5.pod: Recommend SHA-2 or SHA-3 family hashes instead of legacy ones | Tomas Mraz | 2023-01-23 | 1 | -3/+3
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20095)
* X509_V_ERR_INVALID_PURPOSE: fix misleading text; Fix omission in X509_VERIFY_PARAM_clear_flags doc | Dr. David von Oheimb | 2023-01-23 | 2 | -1/+2
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/20052)
* CMP docs: clarify behavior on message/total timeout values given | Dr. David von Oheimb | 2023-01-23 | 2 | -9/+14
  Clarify behavior of OSSL_CMP_CTX_set_option() when given (negative) values for OSSL_CMP_OPT_MSG_TIMEOUT or OSSL_CMP_OPT_TOTAL_TIMEOUT.
  Fix doc of -msg_timeout and -total_timeout in openssl-cmp.pod.in
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Hugo Landau <hlandau@openssl.org>
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  (Merged from https://github.com/openssl/openssl/pull/19391)
* Fixes wrong return type in BIO_do_connect man page. | Thib | 2023-01-23 | 1 | -1/+1
  Current man page indicates the function returns an int while it returns a long.
  Fixes #20096.
  CLA: trivial
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20097)
* Allow OSSL_SIGNATURE_PARAM_NONCE_TYPE to be retrieved | Ingo Franzki | 2023-01-23 | 2 | -0/+4
  Context parameter OSSL_SIGNATURE_PARAM_NONCE_TYPE can now also be retrieved for ECDSA and DSA.
  Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/20070)