diff --git a/secure/lib/libcrypto/Makefile.man b/secure/lib/libcrypto/Makefile.man index 9ba3c279cba8..7b734aec0781 100644 --- a/secure/lib/libcrypto/Makefile.man +++ b/secure/lib/libcrypto/Makefile.man @@ -1,11 +1,21 @@ # $FreeBSD$ -# DO NOT EDIT: generated from man-makefile-update target +MAN+= ADMISSIONS.3 +MAN+= ASN1_INTEGER_get_int64.3 +MAN+= ASN1_ITEM_lookup.3 MAN+= ASN1_OBJECT_new.3 +MAN+= ASN1_STRING_TABLE_add.3 MAN+= ASN1_STRING_length.3 MAN+= ASN1_STRING_new.3 MAN+= ASN1_STRING_print_ex.3 MAN+= ASN1_TIME_set.3 +MAN+= ASN1_TYPE_get.3 MAN+= ASN1_generate_nconf.3 +MAN+= ASYNC_WAIT_CTX_new.3 +MAN+= ASYNC_start_job.3 +MAN+= BF_encrypt.3 +MAN+= BIO_ADDR.3 +MAN+= BIO_ADDRINFO.3 +MAN+= BIO_connect.3 MAN+= BIO_ctrl.3 MAN+= BIO_f_base64.3 MAN+= BIO_f_buffer.3 @@ -14,8 +24,13 @@ MAN+= BIO_f_md.3 MAN+= BIO_f_null.3 MAN+= BIO_f_ssl.3 MAN+= BIO_find_type.3 +MAN+= BIO_get_data.3 +MAN+= BIO_get_ex_new_index.3 +MAN+= BIO_meth_new.3 MAN+= BIO_new.3 MAN+= BIO_new_CMS.3 +MAN+= BIO_parse_hostserv.3 +MAN+= BIO_printf.3 MAN+= BIO_push.3 MAN+= BIO_read.3 MAN+= BIO_s_accept.3 @@ -43,9 +58,11 @@ MAN+= BN_mod_mul_reciprocal.3 MAN+= BN_new.3 MAN+= BN_num_bytes.3 MAN+= BN_rand.3 +MAN+= BN_security_bits.3 MAN+= BN_set_bit.3 MAN+= BN_swap.3 MAN+= BN_zero.3 +MAN+= BUF_MEM_new.3 MAN+= CMS_add0_cert.3 MAN+= CMS_add1_recipient_cert.3 MAN+= CMS_add1_signer.3 @@ -64,11 +81,21 @@ MAN+= CMS_verify.3 MAN+= CMS_verify_receipt.3 MAN+= CONF_modules_free.3 MAN+= CONF_modules_load_file.3 -MAN+= CRYPTO_set_ex_data.3 +MAN+= CRYPTO_THREAD_run_once.3 +MAN+= CRYPTO_get_ex_new_index.3 +MAN+= CTLOG_STORE_get0_log_by_id.3 +MAN+= CTLOG_STORE_new.3 +MAN+= CTLOG_new.3 +MAN+= CT_POLICY_EVAL_CTX_new.3 +MAN+= DEFINE_STACK_OF.3 +MAN+= DES_random_key.3 MAN+= DH_generate_key.3 MAN+= DH_generate_parameters.3 -MAN+= DH_get_ex_new_index.3 +MAN+= DH_get0_pqg.3 +MAN+= DH_get_1024_160.3 +MAN+= DH_meth_new.3 MAN+= DH_new.3 +MAN+= DH_new_by_nid.3 MAN+= DH_set_method.3 MAN+= DH_size.3 MAN+= DSA_SIG_new.3 @@ -76,17 +103,25 @@ MAN+= DSA_do_sign.3 MAN+= DSA_dup_DH.3 MAN+= DSA_generate_key.3 MAN+= DSA_generate_parameters.3 -MAN+= DSA_get_ex_new_index.3 +MAN+= DSA_get0_pqg.3 +MAN+= DSA_meth_new.3 MAN+= DSA_new.3 MAN+= DSA_set_method.3 MAN+= DSA_sign.3 MAN+= DSA_size.3 +MAN+= DTLS_get_data_mtu.3 +MAN+= DTLS_set_timer_cb.3 +MAN+= DTLSv1_listen.3 +MAN+= ECDSA_SIG_new.3 +MAN+= ECPKParameters_print.3 MAN+= EC_GFp_simple_method.3 MAN+= EC_GROUP_copy.3 MAN+= EC_GROUP_new.3 +MAN+= EC_KEY_get_enc_flags.3 MAN+= EC_KEY_new.3 MAN+= EC_POINT_add.3 MAN+= EC_POINT_new.3 +MAN+= ENGINE_add.3 MAN+= ERR_GET_LIB.3 MAN+= ERR_clear_error.3 MAN+= ERR_error_string.3 @@ -98,20 +133,31 @@ MAN+= ERR_put_error.3 MAN+= ERR_remove_state.3 MAN+= ERR_set_mark.3 MAN+= EVP_BytesToKey.3 +MAN+= EVP_CIPHER_CTX_get_cipher_data.3 +MAN+= EVP_CIPHER_meth_new.3 MAN+= EVP_DigestInit.3 MAN+= EVP_DigestSignInit.3 MAN+= EVP_DigestVerifyInit.3 MAN+= EVP_EncodeInit.3 MAN+= EVP_EncryptInit.3 +MAN+= EVP_MD_meth_new.3 MAN+= EVP_OpenInit.3 +MAN+= EVP_PKEY_ASN1_METHOD.3 MAN+= EVP_PKEY_CTX_ctrl.3 MAN+= EVP_PKEY_CTX_new.3 +MAN+= EVP_PKEY_CTX_set1_pbe_pass.3 +MAN+= EVP_PKEY_CTX_set_hkdf_md.3 +MAN+= EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 +MAN+= EVP_PKEY_CTX_set_scrypt_N.3 +MAN+= EVP_PKEY_CTX_set_tls1_prf_md.3 +MAN+= EVP_PKEY_asn1_get_count.3 MAN+= EVP_PKEY_cmp.3 MAN+= EVP_PKEY_decrypt.3 MAN+= EVP_PKEY_derive.3 MAN+= EVP_PKEY_encrypt.3 -MAN+= EVP_PKEY_get_default_digest.3 +MAN+= EVP_PKEY_get_default_digest_nid.3 MAN+= EVP_PKEY_keygen.3 +MAN+= EVP_PKEY_meth_get_count.3 MAN+= EVP_PKEY_meth_new.3 MAN+= EVP_PKEY_new.3 MAN+= EVP_PKEY_print_private.3 @@ -122,33 +168,95 @@ MAN+= EVP_PKEY_verify_recover.3 MAN+= EVP_SealInit.3 MAN+= EVP_SignInit.3 MAN+= EVP_VerifyInit.3 +MAN+= EVP_aes.3 +MAN+= EVP_aria.3 +MAN+= EVP_bf_cbc.3 +MAN+= EVP_blake2b512.3 +MAN+= EVP_camellia.3 +MAN+= EVP_cast5_cbc.3 +MAN+= EVP_chacha20.3 +MAN+= EVP_des.3 +MAN+= EVP_desx_cbc.3 +MAN+= EVP_idea_cbc.3 +MAN+= EVP_md2.3 +MAN+= EVP_md4.3 +MAN+= EVP_md5.3 +MAN+= EVP_mdc2.3 +MAN+= EVP_rc2_cbc.3 +MAN+= EVP_rc4.3 +MAN+= EVP_rc5_32_12_16_cbc.3 +MAN+= EVP_ripemd160.3 +MAN+= EVP_seed_cbc.3 +MAN+= EVP_sha1.3 +MAN+= EVP_sha224.3 +MAN+= EVP_sha3_224.3 +MAN+= EVP_sm3.3 +MAN+= EVP_sm4_cbc.3 +MAN+= EVP_whirlpool.3 +MAN+= HMAC.3 +MAN+= MD5.3 +MAN+= MDC2_Init.3 MAN+= OBJ_nid2obj.3 +MAN+= OCSP_REQUEST_new.3 +MAN+= OCSP_cert_to_id.3 +MAN+= OCSP_request_add1_nonce.3 +MAN+= OCSP_resp_find_status.3 +MAN+= OCSP_response_status.3 +MAN+= OCSP_sendreq_new.3 MAN+= OPENSSL_Applink.3 +MAN+= OPENSSL_LH_COMPFUNC.3 +MAN+= OPENSSL_LH_stats.3 MAN+= OPENSSL_VERSION_NUMBER.3 MAN+= OPENSSL_config.3 +MAN+= OPENSSL_fork_prepare.3 MAN+= OPENSSL_ia32cap.3 +MAN+= OPENSSL_init_crypto.3 +MAN+= OPENSSL_init_ssl.3 MAN+= OPENSSL_instrument_bus.3 MAN+= OPENSSL_load_builtin_modules.3 +MAN+= OPENSSL_malloc.3 +MAN+= OPENSSL_secure_malloc.3 +MAN+= OSSL_STORE_INFO.3 +MAN+= OSSL_STORE_LOADER.3 +MAN+= OSSL_STORE_SEARCH.3 +MAN+= OSSL_STORE_expect.3 +MAN+= OSSL_STORE_open.3 MAN+= OpenSSL_add_all_algorithms.3 +MAN+= PEM_bytes_read_bio.3 +MAN+= PEM_read.3 +MAN+= PEM_read_CMS.3 +MAN+= PEM_read_bio_PrivateKey.3 +MAN+= PEM_read_bio_ex.3 MAN+= PEM_write_bio_CMS_stream.3 MAN+= PEM_write_bio_PKCS7_stream.3 MAN+= PKCS12_create.3 +MAN+= PKCS12_newpass.3 MAN+= PKCS12_parse.3 +MAN+= PKCS5_PBKDF2_HMAC.3 MAN+= PKCS7_decrypt.3 MAN+= PKCS7_encrypt.3 MAN+= PKCS7_sign.3 MAN+= PKCS7_sign_add_signer.3 MAN+= PKCS7_verify.3 +MAN+= RAND_DRBG_generate.3 +MAN+= RAND_DRBG_get0_master.3 +MAN+= RAND_DRBG_new.3 +MAN+= RAND_DRBG_reseed.3 +MAN+= RAND_DRBG_set_callbacks.3 +MAN+= RAND_DRBG_set_ex_data.3 MAN+= RAND_add.3 MAN+= RAND_bytes.3 MAN+= RAND_cleanup.3 MAN+= RAND_egd.3 MAN+= RAND_load_file.3 MAN+= RAND_set_rand_method.3 +MAN+= RC4_set_key.3 +MAN+= RIPEMD160_Init.3 MAN+= RSA_blinding_on.3 MAN+= RSA_check_key.3 MAN+= RSA_generate_key.3 -MAN+= RSA_get_ex_new_index.3 +MAN+= RSA_get0_key.3 +MAN+= RSA_meth_new.3 MAN+= RSA_new.3 MAN+= RSA_padding_add_PKCS1_type_1.3 MAN+= RSA_print.3 @@ -158,76 +266,255 @@ MAN+= RSA_set_method.3 MAN+= RSA_sign.3 MAN+= RSA_sign_ASN1_OCTET_STRING.3 MAN+= RSA_size.3 +MAN+= SCT_new.3 +MAN+= SCT_print.3 +MAN+= SCT_validate.3 +MAN+= SHA256_Init.3 MAN+= SMIME_read_CMS.3 MAN+= SMIME_read_PKCS7.3 MAN+= SMIME_write_CMS.3 MAN+= SMIME_write_PKCS7.3 +MAN+= SSL_CIPHER_get_name.3 +MAN+= SSL_COMP_add_compression_method.3 +MAN+= SSL_CONF_CTX_new.3 +MAN+= SSL_CONF_CTX_set1_prefix.3 +MAN+= SSL_CONF_CTX_set_flags.3 +MAN+= SSL_CONF_CTX_set_ssl_ctx.3 +MAN+= SSL_CONF_cmd.3 +MAN+= SSL_CONF_cmd_argv.3 +MAN+= SSL_CTX_add1_chain_cert.3 +MAN+= SSL_CTX_add_extra_chain_cert.3 +MAN+= SSL_CTX_add_session.3 +MAN+= SSL_CTX_config.3 +MAN+= SSL_CTX_ctrl.3 +MAN+= SSL_CTX_dane_enable.3 +MAN+= SSL_CTX_flush_sessions.3 +MAN+= SSL_CTX_free.3 +MAN+= SSL_CTX_get0_param.3 +MAN+= SSL_CTX_get_verify_mode.3 +MAN+= SSL_CTX_has_client_custom_ext.3 +MAN+= SSL_CTX_load_verify_locations.3 +MAN+= SSL_CTX_new.3 +MAN+= SSL_CTX_sess_number.3 +MAN+= SSL_CTX_sess_set_cache_size.3 +MAN+= SSL_CTX_sess_set_get_cb.3 +MAN+= SSL_CTX_sessions.3 +MAN+= SSL_CTX_set0_CA_list.3 +MAN+= SSL_CTX_set1_curves.3 +MAN+= SSL_CTX_set1_sigalgs.3 +MAN+= SSL_CTX_set1_verify_cert_store.3 +MAN+= SSL_CTX_set_alpn_select_cb.3 +MAN+= SSL_CTX_set_cert_cb.3 +MAN+= SSL_CTX_set_cert_store.3 +MAN+= SSL_CTX_set_cert_verify_callback.3 +MAN+= SSL_CTX_set_cipher_list.3 +MAN+= SSL_CTX_set_client_CA_list.3 +MAN+= SSL_CTX_set_client_cert_cb.3 +MAN+= SSL_CTX_set_client_hello_cb.3 +MAN+= SSL_CTX_set_ct_validation_callback.3 +MAN+= SSL_CTX_set_ctlog_list_file.3 +MAN+= SSL_CTX_set_default_passwd_cb.3 +MAN+= SSL_CTX_set_ex_data.3 +MAN+= SSL_CTX_set_generate_session_id.3 +MAN+= SSL_CTX_set_info_callback.3 +MAN+= SSL_CTX_set_keylog_callback.3 +MAN+= SSL_CTX_set_max_cert_list.3 +MAN+= SSL_CTX_set_min_proto_version.3 +MAN+= SSL_CTX_set_mode.3 +MAN+= SSL_CTX_set_msg_callback.3 +MAN+= SSL_CTX_set_num_tickets.3 +MAN+= SSL_CTX_set_options.3 +MAN+= SSL_CTX_set_psk_client_callback.3 +MAN+= SSL_CTX_set_quiet_shutdown.3 +MAN+= SSL_CTX_set_read_ahead.3 +MAN+= SSL_CTX_set_record_padding_callback.3 +MAN+= SSL_CTX_set_security_level.3 +MAN+= SSL_CTX_set_session_cache_mode.3 +MAN+= SSL_CTX_set_session_id_context.3 +MAN+= SSL_CTX_set_session_ticket_cb.3 +MAN+= SSL_CTX_set_split_send_fragment.3 +MAN+= SSL_CTX_set_ssl_version.3 +MAN+= SSL_CTX_set_stateless_cookie_generate_cb.3 +MAN+= SSL_CTX_set_timeout.3 +MAN+= SSL_CTX_set_tlsext_servername_callback.3 +MAN+= SSL_CTX_set_tlsext_status_cb.3 +MAN+= SSL_CTX_set_tlsext_ticket_key_cb.3 +MAN+= SSL_CTX_set_tlsext_use_srtp.3 +MAN+= SSL_CTX_set_tmp_dh_callback.3 +MAN+= SSL_CTX_set_verify.3 +MAN+= SSL_CTX_use_certificate.3 +MAN+= SSL_CTX_use_psk_identity_hint.3 +MAN+= SSL_CTX_use_serverinfo.3 +MAN+= SSL_SESSION_free.3 +MAN+= SSL_SESSION_get0_cipher.3 +MAN+= SSL_SESSION_get0_hostname.3 +MAN+= SSL_SESSION_get0_id_context.3 +MAN+= SSL_SESSION_get0_peer.3 +MAN+= SSL_SESSION_get_compress_id.3 +MAN+= SSL_SESSION_get_ex_data.3 +MAN+= SSL_SESSION_get_protocol_version.3 +MAN+= SSL_SESSION_get_time.3 +MAN+= SSL_SESSION_has_ticket.3 +MAN+= SSL_SESSION_is_resumable.3 +MAN+= SSL_SESSION_print.3 +MAN+= SSL_SESSION_set1_id.3 +MAN+= SSL_accept.3 +MAN+= SSL_alert_type_string.3 +MAN+= SSL_alloc_buffers.3 +MAN+= SSL_check_chain.3 +MAN+= SSL_clear.3 +MAN+= SSL_connect.3 +MAN+= SSL_do_handshake.3 +MAN+= SSL_export_keying_material.3 +MAN+= SSL_extension_supported.3 +MAN+= SSL_free.3 +MAN+= SSL_get0_peer_scts.3 +MAN+= SSL_get_SSL_CTX.3 +MAN+= SSL_get_all_async_fds.3 +MAN+= SSL_get_ciphers.3 +MAN+= SSL_get_client_CA_list.3 +MAN+= SSL_get_client_random.3 +MAN+= SSL_get_current_cipher.3 +MAN+= SSL_get_default_timeout.3 +MAN+= SSL_get_error.3 +MAN+= SSL_get_extms_support.3 +MAN+= SSL_get_fd.3 +MAN+= SSL_get_peer_cert_chain.3 +MAN+= SSL_get_peer_certificate.3 +MAN+= SSL_get_peer_signature_nid.3 +MAN+= SSL_get_psk_identity.3 +MAN+= SSL_get_rbio.3 +MAN+= SSL_get_server_tmp_key.3 +MAN+= SSL_get_session.3 +MAN+= SSL_get_shared_sigalgs.3 +MAN+= SSL_get_verify_result.3 +MAN+= SSL_get_version.3 +MAN+= SSL_in_init.3 +MAN+= SSL_key_update.3 +MAN+= SSL_library_init.3 +MAN+= SSL_load_client_CA_file.3 +MAN+= SSL_new.3 +MAN+= SSL_pending.3 +MAN+= SSL_read.3 +MAN+= SSL_read_early_data.3 +MAN+= SSL_rstate_string.3 +MAN+= SSL_session_reused.3 +MAN+= SSL_set1_host.3 +MAN+= SSL_set_bio.3 +MAN+= SSL_set_connect_state.3 +MAN+= SSL_set_fd.3 +MAN+= SSL_set_session.3 +MAN+= SSL_set_shutdown.3 +MAN+= SSL_set_verify_result.3 +MAN+= SSL_shutdown.3 +MAN+= SSL_state_string.3 +MAN+= SSL_want.3 +MAN+= SSL_write.3 +MAN+= UI_STRING.3 +MAN+= UI_UTIL_read_pw.3 +MAN+= UI_create_method.3 +MAN+= UI_new.3 +MAN+= X509V3_get_d2i.3 +MAN+= X509_ALGOR_dup.3 +MAN+= X509_CRL_get0_by_serial.3 +MAN+= X509_EXTENSION_set_object.3 +MAN+= X509_LOOKUP_hash_dir.3 +MAN+= X509_LOOKUP_meth_new.3 MAN+= X509_NAME_ENTRY_get_object.3 MAN+= X509_NAME_add_entry_by_txt.3 +MAN+= X509_NAME_get0_der.3 MAN+= X509_NAME_get_index_by_NID.3 MAN+= X509_NAME_print_ex.3 +MAN+= X509_PUBKEY_new.3 +MAN+= X509_SIG_get0.3 MAN+= X509_STORE_CTX_get_error.3 -MAN+= X509_STORE_CTX_get_ex_new_index.3 MAN+= X509_STORE_CTX_new.3 MAN+= X509_STORE_CTX_set_verify_cb.3 +MAN+= X509_STORE_add_cert.3 +MAN+= X509_STORE_get0_param.3 +MAN+= X509_STORE_new.3 MAN+= X509_STORE_set_verify_cb_func.3 MAN+= X509_VERIFY_PARAM_set_flags.3 +MAN+= X509_check_ca.3 MAN+= X509_check_host.3 +MAN+= X509_check_issued.3 MAN+= X509_check_private_key.3 MAN+= X509_cmp_time.3 +MAN+= X509_digest.3 +MAN+= X509_dup.3 +MAN+= X509_get0_notBefore.3 +MAN+= X509_get0_signature.3 +MAN+= X509_get0_uids.3 +MAN+= X509_get_extension_flags.3 +MAN+= X509_get_pubkey.3 +MAN+= X509_get_serialNumber.3 +MAN+= X509_get_subject_name.3 +MAN+= X509_get_version.3 MAN+= X509_new.3 +MAN+= X509_sign.3 MAN+= X509_verify_cert.3 -MAN+= bio.3 -MAN+= blowfish.3 -MAN+= bn.3 -MAN+= bn_internal.3 -MAN+= buffer.3 -MAN+= crypto.3 -MAN+= d2i_ASN1_OBJECT.3 -MAN+= d2i_CMS_ContentInfo.3 +MAN+= X509v3_get_ext_by_NID.3 MAN+= d2i_DHparams.3 -MAN+= d2i_DSAPublicKey.3 -MAN+= d2i_ECPKParameters.3 -MAN+= d2i_ECPrivateKey.3 -MAN+= d2i_PKCS8PrivateKey.3 +MAN+= d2i_PKCS8PrivateKey_bio.3 MAN+= d2i_PrivateKey.3 -MAN+= d2i_RSAPublicKey.3 +MAN+= d2i_SSL_SESSION.3 MAN+= d2i_X509.3 -MAN+= d2i_X509_ALGOR.3 -MAN+= d2i_X509_CRL.3 -MAN+= d2i_X509_NAME.3 -MAN+= d2i_X509_REQ.3 -MAN+= d2i_X509_SIG.3 -MAN+= des.3 -MAN+= dh.3 -MAN+= dsa.3 -MAN+= ec.3 -MAN+= ecdsa.3 -MAN+= engine.3 -MAN+= err.3 -MAN+= evp.3 -MAN+= hmac.3 MAN+= i2d_CMS_bio_stream.3 MAN+= i2d_PKCS7_bio_stream.3 -MAN+= lh_stats.3 -MAN+= lhash.3 -MAN+= md5.3 -MAN+= mdc2.3 -MAN+= pem.3 -MAN+= rand.3 -MAN+= rc4.3 -MAN+= ripemd.3 -MAN+= rsa.3 -MAN+= sha.3 -MAN+= threads.3 -MAN+= ui.3 -MAN+= ui_compat.3 -MAN+= x509.3 +MAN+= i2d_re_X509_tbs.3 +MAN+= o2i_SCT_LIST.3 +MLINKS+= ADMISSIONS.3 ADMISSIONS_get0_admissionAuthority.3 +MLINKS+= ADMISSIONS.3 ADMISSIONS_get0_namingAuthority.3 +MLINKS+= ADMISSIONS.3 ADMISSIONS_get0_professionInfos.3 +MLINKS+= ADMISSIONS.3 ADMISSIONS_set0_admissionAuthority.3 +MLINKS+= ADMISSIONS.3 ADMISSIONS_set0_namingAuthority.3 +MLINKS+= ADMISSIONS.3 ADMISSIONS_set0_professionInfos.3 +MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX.3 +MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX_get0_admissionAuthority.3 +MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX_get0_contentsOfAdmissions.3 +MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX_set0_admissionAuthority.3 +MLINKS+= ADMISSIONS.3 ADMISSION_SYNTAX_set0_contentsOfAdmissions.3 +MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY.3 +MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_get0_authorityId.3 +MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_get0_authorityText.3 +MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_get0_authorityURL.3 +MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_set0_authorityId.3 +MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_set0_authorityText.3 +MLINKS+= ADMISSIONS.3 NAMING_AUTHORITY_set0_authorityURL.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFOS.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_addProfessionInfo.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_namingAuthority.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_professionItems.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_professionOIDs.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_get0_registrationNumber.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_addProfessionInfo.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_namingAuthority.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_professionItems.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_professionOIDs.3 +MLINKS+= ADMISSIONS.3 PROFESSION_INFO_set0_registrationNumber.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_get.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_get_int64.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_set.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_set_int64.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_ENUMERATED_to_BN.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_get.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_get_uint64.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_set.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_set_int64.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_set_uint64.3 +MLINKS+= ASN1_INTEGER_get_int64.3 ASN1_INTEGER_to_BN.3 +MLINKS+= ASN1_INTEGER_get_int64.3 BN_to_ASN1_ENUMERATED.3 +MLINKS+= ASN1_INTEGER_get_int64.3 BN_to_ASN1_INTEGER.3 +MLINKS+= ASN1_ITEM_lookup.3 ASN1_ITEM_get.3 MLINKS+= ASN1_OBJECT_new.3 ASN1_OBJECT_free.3 +MLINKS+= ASN1_STRING_TABLE_add.3 ASN1_STRING_TABLE.3 +MLINKS+= ASN1_STRING_TABLE_add.3 ASN1_STRING_TABLE_cleanup.3 +MLINKS+= ASN1_STRING_TABLE_add.3 ASN1_STRING_TABLE_get.3 MLINKS+= ASN1_STRING_length.3 ASN1_STRING_cmp.3 MLINKS+= ASN1_STRING_length.3 ASN1_STRING_data.3 MLINKS+= ASN1_STRING_length.3 ASN1_STRING_dup.3 -MLINKS+= ASN1_STRING_length.3 ASN1_STRING_length_set.3 +MLINKS+= ASN1_STRING_length.3 ASN1_STRING_get0_data.3 MLINKS+= ASN1_STRING_length.3 ASN1_STRING_set.3 MLINKS+= ASN1_STRING_length.3 ASN1_STRING_to_UTF8.3 MLINKS+= ASN1_STRING_length.3 ASN1_STRING_type.3 @@ -235,12 +522,80 @@ MLINKS+= ASN1_STRING_new.3 ASN1_STRING_free.3 MLINKS+= ASN1_STRING_new.3 ASN1_STRING_type_new.3 MLINKS+= ASN1_STRING_print_ex.3 ASN1_STRING_print.3 MLINKS+= ASN1_STRING_print_ex.3 ASN1_STRING_print_ex_fp.3 +MLINKS+= ASN1_STRING_print_ex.3 ASN1_tag2str.3 +MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_adj.3 +MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_check.3 +MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_print.3 +MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_set.3 +MLINKS+= ASN1_TIME_set.3 ASN1_GENERALIZEDTIME_set_string.3 MLINKS+= ASN1_TIME_set.3 ASN1_TIME_adj.3 MLINKS+= ASN1_TIME_set.3 ASN1_TIME_check.3 +MLINKS+= ASN1_TIME_set.3 ASN1_TIME_cmp_time_t.3 +MLINKS+= ASN1_TIME_set.3 ASN1_TIME_compare.3 MLINKS+= ASN1_TIME_set.3 ASN1_TIME_diff.3 +MLINKS+= ASN1_TIME_set.3 ASN1_TIME_normalize.3 MLINKS+= ASN1_TIME_set.3 ASN1_TIME_print.3 MLINKS+= ASN1_TIME_set.3 ASN1_TIME_set_string.3 +MLINKS+= ASN1_TIME_set.3 ASN1_TIME_set_string_X509.3 +MLINKS+= ASN1_TIME_set.3 ASN1_TIME_to_generalizedtime.3 +MLINKS+= ASN1_TIME_set.3 ASN1_TIME_to_tm.3 +MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_adj.3 +MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_check.3 +MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_cmp_time_t.3 +MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_print.3 +MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_set.3 +MLINKS+= ASN1_TIME_set.3 ASN1_UTCTIME_set_string.3 +MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_cmp.3 +MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_pack_sequence.3 +MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_set.3 +MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_set1.3 +MLINKS+= ASN1_TYPE_get.3 ASN1_TYPE_unpack_sequence.3 MLINKS+= ASN1_generate_nconf.3 ASN1_generate_v3.3 +MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_clear_fd.3 +MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_free.3 +MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_get_all_fds.3 +MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_get_changed_fds.3 +MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_get_fd.3 +MLINKS+= ASYNC_WAIT_CTX_new.3 ASYNC_WAIT_CTX_set_wait_fd.3 +MLINKS+= ASYNC_start_job.3 ASYNC_block_pause.3 +MLINKS+= ASYNC_start_job.3 ASYNC_cleanup_thread.3 +MLINKS+= ASYNC_start_job.3 ASYNC_get_current_job.3 +MLINKS+= ASYNC_start_job.3 ASYNC_get_wait_ctx.3 +MLINKS+= ASYNC_start_job.3 ASYNC_init_thread.3 +MLINKS+= ASYNC_start_job.3 ASYNC_is_capable.3 +MLINKS+= ASYNC_start_job.3 ASYNC_pause_job.3 +MLINKS+= ASYNC_start_job.3 ASYNC_unblock_pause.3 +MLINKS+= BF_encrypt.3 BF_cbc_encrypt.3 +MLINKS+= BF_encrypt.3 BF_cfb64_encrypt.3 +MLINKS+= BF_encrypt.3 BF_decrypt.3 +MLINKS+= BF_encrypt.3 BF_ecb_encrypt.3 +MLINKS+= BF_encrypt.3 BF_ofb64_encrypt.3 +MLINKS+= BF_encrypt.3 BF_options.3 +MLINKS+= BF_encrypt.3 BF_set_key.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_clear.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_family.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_free.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_hostname_string.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_new.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_path_string.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_rawaddress.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_rawmake.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_rawport.3 +MLINKS+= BIO_ADDR.3 BIO_ADDR_service_string.3 +MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_address.3 +MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_family.3 +MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_free.3 +MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_next.3 +MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_protocol.3 +MLINKS+= BIO_ADDRINFO.3 BIO_ADDRINFO_socktype.3 +MLINKS+= BIO_ADDRINFO.3 BIO_lookup.3 +MLINKS+= BIO_ADDRINFO.3 BIO_lookup_ex.3 +MLINKS+= BIO_ADDRINFO.3 BIO_lookup_type.3 +MLINKS+= BIO_connect.3 BIO_accept_ex.3 +MLINKS+= BIO_connect.3 BIO_bind.3 +MLINKS+= BIO_connect.3 BIO_closesocket.3 +MLINKS+= BIO_connect.3 BIO_listen.3 +MLINKS+= BIO_connect.3 BIO_socket.3 MLINKS+= BIO_ctrl.3 BIO_callback_ctrl.3 MLINKS+= BIO_ctrl.3 BIO_ctrl_pending.3 MLINKS+= BIO_ctrl.3 BIO_ctrl_wpending.3 @@ -248,6 +603,7 @@ MLINKS+= BIO_ctrl.3 BIO_eof.3 MLINKS+= BIO_ctrl.3 BIO_flush.3 MLINKS+= BIO_ctrl.3 BIO_get_close.3 MLINKS+= BIO_ctrl.3 BIO_get_info_callback.3 +MLINKS+= BIO_ctrl.3 BIO_info_cb.3 MLINKS+= BIO_ctrl.3 BIO_int_ctrl.3 MLINKS+= BIO_ctrl.3 BIO_pending.3 MLINKS+= BIO_ctrl.3 BIO_ptr_ctrl.3 @@ -257,12 +613,18 @@ MLINKS+= BIO_ctrl.3 BIO_set_close.3 MLINKS+= BIO_ctrl.3 BIO_set_info_callback.3 MLINKS+= BIO_ctrl.3 BIO_tell.3 MLINKS+= BIO_ctrl.3 BIO_wpending.3 +MLINKS+= BIO_f_buffer.3 BIO_get_buffer_num_lines.3 +MLINKS+= BIO_f_buffer.3 BIO_set_buffer_read_data.3 +MLINKS+= BIO_f_buffer.3 BIO_set_buffer_size.3 +MLINKS+= BIO_f_buffer.3 BIO_set_read_buffer_size.3 +MLINKS+= BIO_f_buffer.3 BIO_set_write_buffer_size.3 MLINKS+= BIO_f_cipher.3 BIO_get_cipher_ctx.3 MLINKS+= BIO_f_cipher.3 BIO_get_cipher_status.3 MLINKS+= BIO_f_cipher.3 BIO_set_cipher.3 MLINKS+= BIO_f_md.3 BIO_get_md.3 MLINKS+= BIO_f_md.3 BIO_get_md_ctx.3 MLINKS+= BIO_f_md.3 BIO_set_md.3 +MLINKS+= BIO_f_ssl.3 BIO_do_handshake.3 MLINKS+= BIO_f_ssl.3 BIO_get_num_renegotiates.3 MLINKS+= BIO_f_ssl.3 BIO_get_ssl.3 MLINKS+= BIO_f_ssl.3 BIO_new_buffer_ssl_connect.3 @@ -276,19 +638,91 @@ MLINKS+= BIO_f_ssl.3 BIO_ssl_copy_session_id.3 MLINKS+= BIO_f_ssl.3 BIO_ssl_shutdown.3 MLINKS+= BIO_find_type.3 BIO_method_type.3 MLINKS+= BIO_find_type.3 BIO_next.3 +MLINKS+= BIO_get_data.3 BIO_get_init.3 +MLINKS+= BIO_get_data.3 BIO_get_shutdown.3 +MLINKS+= BIO_get_data.3 BIO_set_data.3 +MLINKS+= BIO_get_data.3 BIO_set_init.3 +MLINKS+= BIO_get_data.3 BIO_set_shutdown.3 +MLINKS+= BIO_get_ex_new_index.3 BIO_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 BIO_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 DH_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 DH_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 DH_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 DSA_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 DSA_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 DSA_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 ECDH_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 ECDH_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 ECDH_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 EC_KEY_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 EC_KEY_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 EC_KEY_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 ENGINE_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 ENGINE_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 ENGINE_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 RSA_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 RSA_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 RSA_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 UI_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 UI_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 UI_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 X509_STORE_CTX_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 X509_STORE_CTX_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 X509_STORE_CTX_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 X509_STORE_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 X509_STORE_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 X509_STORE_set_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 X509_get_ex_data.3 +MLINKS+= BIO_get_ex_new_index.3 X509_get_ex_new_index.3 +MLINKS+= BIO_get_ex_new_index.3 X509_set_ex_data.3 +MLINKS+= BIO_meth_new.3 BIO_get_new_index.3 +MLINKS+= BIO_meth_new.3 BIO_meth_free.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_callback_ctrl.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_create.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_ctrl.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_destroy.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_gets.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_puts.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_read.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_read_ex.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_write.3 +MLINKS+= BIO_meth_new.3 BIO_meth_get_write_ex.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_callback_ctrl.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_create.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_ctrl.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_destroy.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_gets.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_puts.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_read.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_read_ex.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_write.3 +MLINKS+= BIO_meth_new.3 BIO_meth_set_write_ex.3 MLINKS+= BIO_new.3 BIO_free.3 MLINKS+= BIO_new.3 BIO_free_all.3 -MLINKS+= BIO_new.3 BIO_set.3 +MLINKS+= BIO_new.3 BIO_up_ref.3 MLINKS+= BIO_new.3 BIO_vfree.3 +MLINKS+= BIO_parse_hostserv.3 BIO_hostserv_priorities.3 +MLINKS+= BIO_printf.3 BIO_snprintf.3 +MLINKS+= BIO_printf.3 BIO_vprintf.3 +MLINKS+= BIO_printf.3 BIO_vsnprintf.3 MLINKS+= BIO_push.3 BIO_pop.3 +MLINKS+= BIO_push.3 BIO_set_next.3 MLINKS+= BIO_read.3 BIO_gets.3 MLINKS+= BIO_read.3 BIO_puts.3 +MLINKS+= BIO_read.3 BIO_read_ex.3 MLINKS+= BIO_read.3 BIO_write.3 +MLINKS+= BIO_read.3 BIO_write_ex.3 MLINKS+= BIO_s_accept.3 BIO_do_accept.3 +MLINKS+= BIO_s_accept.3 BIO_get_accept_ip_family.3 +MLINKS+= BIO_s_accept.3 BIO_get_accept_name.3 MLINKS+= BIO_s_accept.3 BIO_get_accept_port.3 MLINKS+= BIO_s_accept.3 BIO_get_bind_mode.3 +MLINKS+= BIO_s_accept.3 BIO_get_peer_name.3 +MLINKS+= BIO_s_accept.3 BIO_get_peer_port.3 MLINKS+= BIO_s_accept.3 BIO_new_accept.3 MLINKS+= BIO_s_accept.3 BIO_set_accept_bios.3 +MLINKS+= BIO_s_accept.3 BIO_set_accept_ip_family.3 +MLINKS+= BIO_s_accept.3 BIO_set_accept_name.3 MLINKS+= BIO_s_accept.3 BIO_set_accept_port.3 MLINKS+= BIO_s_accept.3 BIO_set_bind_mode.3 MLINKS+= BIO_s_accept.3 BIO_set_nbio_accept.3 @@ -304,14 +738,14 @@ MLINKS+= BIO_s_bio.3 BIO_new_bio_pair.3 MLINKS+= BIO_s_bio.3 BIO_set_write_buf_size.3 MLINKS+= BIO_s_bio.3 BIO_shutdown_wr.3 MLINKS+= BIO_s_connect.3 BIO_do_connect.3 +MLINKS+= BIO_s_connect.3 BIO_get_conn_address.3 MLINKS+= BIO_s_connect.3 BIO_get_conn_hostname.3 -MLINKS+= BIO_s_connect.3 BIO_get_conn_int_port.3 -MLINKS+= BIO_s_connect.3 BIO_get_conn_ip.3 +MLINKS+= BIO_s_connect.3 BIO_get_conn_ip_family.3 MLINKS+= BIO_s_connect.3 BIO_get_conn_port.3 MLINKS+= BIO_s_connect.3 BIO_new_connect.3 +MLINKS+= BIO_s_connect.3 BIO_set_conn_address.3 MLINKS+= BIO_s_connect.3 BIO_set_conn_hostname.3 -MLINKS+= BIO_s_connect.3 BIO_set_conn_int_port.3 -MLINKS+= BIO_s_connect.3 BIO_set_conn_ip.3 +MLINKS+= BIO_s_connect.3 BIO_set_conn_ip_family.3 MLINKS+= BIO_s_connect.3 BIO_set_conn_port.3 MLINKS+= BIO_s_connect.3 BIO_set_nbio.3 MLINKS+= BIO_s_fd.3 BIO_get_fd.3 @@ -328,16 +762,22 @@ MLINKS+= BIO_s_file.3 BIO_write_filename.3 MLINKS+= BIO_s_mem.3 BIO_get_mem_data.3 MLINKS+= BIO_s_mem.3 BIO_get_mem_ptr.3 MLINKS+= BIO_s_mem.3 BIO_new_mem_buf.3 +MLINKS+= BIO_s_mem.3 BIO_s_secmem.3 MLINKS+= BIO_s_mem.3 BIO_set_mem_buf.3 MLINKS+= BIO_s_mem.3 BIO_set_mem_eof_return.3 MLINKS+= BIO_s_socket.3 BIO_new_socket.3 +MLINKS+= BIO_set_callback.3 BIO_callback_fn.3 +MLINKS+= BIO_set_callback.3 BIO_callback_fn_ex.3 MLINKS+= BIO_set_callback.3 BIO_debug_callback.3 MLINKS+= BIO_set_callback.3 BIO_get_callback.3 MLINKS+= BIO_set_callback.3 BIO_get_callback_arg.3 +MLINKS+= BIO_set_callback.3 BIO_get_callback_ex.3 MLINKS+= BIO_set_callback.3 BIO_set_callback_arg.3 +MLINKS+= BIO_set_callback.3 BIO_set_callback_ex.3 MLINKS+= BIO_should_retry.3 BIO_get_retry_BIO.3 MLINKS+= BIO_should_retry.3 BIO_get_retry_reason.3 MLINKS+= BIO_should_retry.3 BIO_retry_type.3 +MLINKS+= BIO_should_retry.3 BIO_set_retry_reason.3 MLINKS+= BIO_should_retry.3 BIO_should_io_special.3 MLINKS+= BIO_should_retry.3 BIO_should_read.3 MLINKS+= BIO_should_retry.3 BIO_should_write.3 @@ -346,15 +786,16 @@ MLINKS+= BN_BLINDING_new.3 BN_BLINDING_convert_ex.3 MLINKS+= BN_BLINDING_new.3 BN_BLINDING_create_param.3 MLINKS+= BN_BLINDING_new.3 BN_BLINDING_free.3 MLINKS+= BN_BLINDING_new.3 BN_BLINDING_get_flags.3 -MLINKS+= BN_BLINDING_new.3 BN_BLINDING_get_thread_id.3 MLINKS+= BN_BLINDING_new.3 BN_BLINDING_invert.3 MLINKS+= BN_BLINDING_new.3 BN_BLINDING_invert_ex.3 +MLINKS+= BN_BLINDING_new.3 BN_BLINDING_is_current_thread.3 +MLINKS+= BN_BLINDING_new.3 BN_BLINDING_lock.3 +MLINKS+= BN_BLINDING_new.3 BN_BLINDING_set_current_thread.3 MLINKS+= BN_BLINDING_new.3 BN_BLINDING_set_flags.3 -MLINKS+= BN_BLINDING_new.3 BN_BLINDING_set_thread_id.3 -MLINKS+= BN_BLINDING_new.3 BN_BLINDING_thread_id.3 +MLINKS+= BN_BLINDING_new.3 BN_BLINDING_unlock.3 MLINKS+= BN_BLINDING_new.3 BN_BLINDING_update.3 MLINKS+= BN_CTX_new.3 BN_CTX_free.3 -MLINKS+= BN_CTX_new.3 BN_CTX_init.3 +MLINKS+= BN_CTX_new.3 BN_CTX_secure_new.3 MLINKS+= BN_CTX_start.3 BN_CTX_end.3 MLINKS+= BN_CTX_start.3 BN_CTX_get.3 MLINKS+= BN_add.3 BN_div.3 @@ -375,11 +816,14 @@ MLINKS+= BN_add_word.3 BN_mod_word.3 MLINKS+= BN_add_word.3 BN_mul_word.3 MLINKS+= BN_add_word.3 BN_sub_word.3 MLINKS+= BN_bn2bin.3 BN_bin2bn.3 +MLINKS+= BN_bn2bin.3 BN_bn2binpad.3 MLINKS+= BN_bn2bin.3 BN_bn2dec.3 MLINKS+= BN_bn2bin.3 BN_bn2hex.3 +MLINKS+= BN_bn2bin.3 BN_bn2lebinpad.3 MLINKS+= BN_bn2bin.3 BN_bn2mpi.3 MLINKS+= BN_bn2bin.3 BN_dec2bn.3 MLINKS+= BN_bn2bin.3 BN_hex2bn.3 +MLINKS+= BN_bn2bin.3 BN_lebin2bn.3 MLINKS+= BN_bn2bin.3 BN_mpi2bn.3 MLINKS+= BN_bn2bin.3 BN_print.3 MLINKS+= BN_bn2bin.3 BN_print_fp.3 @@ -389,7 +833,11 @@ MLINKS+= BN_cmp.3 BN_is_word.3 MLINKS+= BN_cmp.3 BN_is_zero.3 MLINKS+= BN_cmp.3 BN_ucmp.3 MLINKS+= BN_copy.3 BN_dup.3 +MLINKS+= BN_copy.3 BN_with_flags.3 MLINKS+= BN_generate_prime.3 BN_GENCB_call.3 +MLINKS+= BN_generate_prime.3 BN_GENCB_free.3 +MLINKS+= BN_generate_prime.3 BN_GENCB_get_arg.3 +MLINKS+= BN_generate_prime.3 BN_GENCB_new.3 MLINKS+= BN_generate_prime.3 BN_GENCB_set.3 MLINKS+= BN_generate_prime.3 BN_GENCB_set_old.3 MLINKS+= BN_generate_prime.3 BN_generate_prime_ex.3 @@ -399,22 +847,22 @@ MLINKS+= BN_generate_prime.3 BN_is_prime_fasttest.3 MLINKS+= BN_generate_prime.3 BN_is_prime_fasttest_ex.3 MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_copy.3 MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_free.3 -MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_init.3 MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_new.3 MLINKS+= BN_mod_mul_montgomery.3 BN_MONT_CTX_set.3 MLINKS+= BN_mod_mul_montgomery.3 BN_from_montgomery.3 MLINKS+= BN_mod_mul_montgomery.3 BN_to_montgomery.3 MLINKS+= BN_mod_mul_reciprocal.3 BN_RECP_CTX_free.3 -MLINKS+= BN_mod_mul_reciprocal.3 BN_RECP_CTX_init.3 MLINKS+= BN_mod_mul_reciprocal.3 BN_RECP_CTX_new.3 MLINKS+= BN_mod_mul_reciprocal.3 BN_RECP_CTX_set.3 MLINKS+= BN_mod_mul_reciprocal.3 BN_div_recp.3 MLINKS+= BN_new.3 BN_clear.3 MLINKS+= BN_new.3 BN_clear_free.3 MLINKS+= BN_new.3 BN_free.3 -MLINKS+= BN_new.3 BN_init.3 +MLINKS+= BN_new.3 BN_secure_new.3 MLINKS+= BN_num_bytes.3 BN_num_bits.3 MLINKS+= BN_num_bytes.3 BN_num_bits_word.3 +MLINKS+= BN_rand.3 BN_priv_rand.3 +MLINKS+= BN_rand.3 BN_priv_rand_range.3 MLINKS+= BN_rand.3 BN_pseudo_rand.3 MLINKS+= BN_rand.3 BN_pseudo_rand_range.3 MLINKS+= BN_rand.3 BN_rand_range.3 @@ -429,6 +877,11 @@ MLINKS+= BN_zero.3 BN_get_word.3 MLINKS+= BN_zero.3 BN_one.3 MLINKS+= BN_zero.3 BN_set_word.3 MLINKS+= BN_zero.3 BN_value_one.3 +MLINKS+= BUF_MEM_new.3 BUF_MEM_free.3 +MLINKS+= BUF_MEM_new.3 BUF_MEM_grow.3 +MLINKS+= BUF_MEM_new.3 BUF_MEM_grow_clean.3 +MLINKS+= BUF_MEM_new.3 BUF_MEM_new_ex.3 +MLINKS+= BUF_MEM_new.3 BUF_reverse.3 MLINKS+= CMS_add0_cert.3 CMS_add0_crl.3 MLINKS+= CMS_add0_cert.3 CMS_add1_cert.3 MLINKS+= CMS_add0_cert.3 CMS_add1_crl.3 @@ -448,7 +901,7 @@ MLINKS+= CMS_get0_RecipientInfos.3 CMS_RecipientInfo_type.3 MLINKS+= CMS_get0_SignerInfos.3 CMS_SignerInfo_cert_cmp.3 MLINKS+= CMS_get0_SignerInfos.3 CMS_SignerInfo_get0_signature.3 MLINKS+= CMS_get0_SignerInfos.3 CMS_SignerInfo_get0_signer_id.3 -MLINKS+= CMS_get0_SignerInfos.3 CMS_set1_signer_cert.3 +MLINKS+= CMS_get0_SignerInfos.3 CMS_SignerInfo_set1_signer_cert.3 MLINKS+= CMS_get0_type.3 CMS_get0_content.3 MLINKS+= CMS_get0_type.3 CMS_get0_eContentType.3 MLINKS+= CMS_get0_type.3 CMS_set1_eContentType.3 @@ -459,22 +912,199 @@ MLINKS+= CMS_verify.3 CMS_get0_signers.3 MLINKS+= CONF_modules_free.3 CONF_modules_finish.3 MLINKS+= CONF_modules_free.3 CONF_modules_unload.3 MLINKS+= CONF_modules_load_file.3 CONF_modules_load.3 -MLINKS+= CRYPTO_set_ex_data.3 CRYPTO_get_ex_data.3 +MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_lock_free.3 +MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_lock_new.3 +MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_read_lock.3 +MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_unlock.3 +MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_THREAD_write_lock.3 +MLINKS+= CRYPTO_THREAD_run_once.3 CRYPTO_atomic_add.3 +MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_EX_dup.3 +MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_EX_free.3 +MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_EX_new.3 +MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_free_ex_data.3 +MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_free_ex_index.3 +MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_get_ex_data.3 +MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_new_ex_data.3 +MLINKS+= CRYPTO_get_ex_new_index.3 CRYPTO_set_ex_data.3 +MLINKS+= CTLOG_STORE_new.3 CTLOG_STORE_free.3 +MLINKS+= CTLOG_STORE_new.3 CTLOG_STORE_load_default_file.3 +MLINKS+= CTLOG_STORE_new.3 CTLOG_STORE_load_file.3 +MLINKS+= CTLOG_new.3 CTLOG_free.3 +MLINKS+= CTLOG_new.3 CTLOG_get0_log_id.3 +MLINKS+= CTLOG_new.3 CTLOG_get0_name.3 +MLINKS+= CTLOG_new.3 CTLOG_get0_public_key.3 +MLINKS+= CTLOG_new.3 CTLOG_new_from_base64.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_free.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_get0_cert.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_get0_issuer.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_get0_log_store.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_get_time.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_set1_cert.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_set1_issuer.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE.3 +MLINKS+= CT_POLICY_EVAL_CTX_new.3 CT_POLICY_EVAL_CTX_set_time.3 +MLINKS+= DEFINE_STACK_OF.3 DEFINE_SPECIAL_STACK_OF.3 +MLINKS+= DEFINE_STACK_OF.3 DEFINE_SPECIAL_STACK_OF_CONST.3 +MLINKS+= DEFINE_STACK_OF.3 DEFINE_STACK_OF_CONST.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_deep_copy.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_delete.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_delete_ptr.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_dup.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_find.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_find_ex.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_free.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_insert.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_is_sorted.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_new.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_new_null.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_new_reserve.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_num.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_pop.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_pop_free.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_push.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_reserve.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_set.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_set_cmp_func.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_shift.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_sort.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_unshift.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_value.3 +MLINKS+= DEFINE_STACK_OF.3 sk_TYPE_zero.3 +MLINKS+= DES_random_key.3 DES_cbc_cksum.3 +MLINKS+= DES_random_key.3 DES_cfb64_encrypt.3 +MLINKS+= DES_random_key.3 DES_cfb_encrypt.3 +MLINKS+= DES_random_key.3 DES_crypt.3 +MLINKS+= DES_random_key.3 DES_ecb2_encrypt.3 +MLINKS+= DES_random_key.3 DES_ecb3_encrypt.3 +MLINKS+= DES_random_key.3 DES_ecb_encrypt.3 +MLINKS+= DES_random_key.3 DES_ede2_cbc_encrypt.3 +MLINKS+= DES_random_key.3 DES_ede2_cfb64_encrypt.3 +MLINKS+= DES_random_key.3 DES_ede2_ofb64_encrypt.3 +MLINKS+= DES_random_key.3 DES_ede3_cbc_encrypt.3 +MLINKS+= DES_random_key.3 DES_ede3_cfb64_encrypt.3 +MLINKS+= DES_random_key.3 DES_ede3_ofb64_encrypt.3 +MLINKS+= DES_random_key.3 DES_fcrypt.3 +MLINKS+= DES_random_key.3 DES_is_weak_key.3 +MLINKS+= DES_random_key.3 DES_key_sched.3 +MLINKS+= DES_random_key.3 DES_ncbc_encrypt.3 +MLINKS+= DES_random_key.3 DES_ofb64_encrypt.3 +MLINKS+= DES_random_key.3 DES_ofb_encrypt.3 +MLINKS+= DES_random_key.3 DES_pcbc_encrypt.3 +MLINKS+= DES_random_key.3 DES_quad_cksum.3 +MLINKS+= DES_random_key.3 DES_set_key.3 +MLINKS+= DES_random_key.3 DES_set_key_checked.3 +MLINKS+= DES_random_key.3 DES_set_key_unchecked.3 +MLINKS+= DES_random_key.3 DES_set_odd_parity.3 +MLINKS+= DES_random_key.3 DES_string_to_2keys.3 +MLINKS+= DES_random_key.3 DES_string_to_key.3 +MLINKS+= DES_random_key.3 DES_xcbc_encrypt.3 MLINKS+= DH_generate_key.3 DH_compute_key.3 MLINKS+= DH_generate_parameters.3 DH_check.3 +MLINKS+= DH_generate_parameters.3 DH_check_ex.3 +MLINKS+= DH_generate_parameters.3 DH_check_params.3 +MLINKS+= DH_generate_parameters.3 DH_check_params_ex.3 +MLINKS+= DH_generate_parameters.3 DH_check_pub_key_ex.3 MLINKS+= DH_generate_parameters.3 DH_generate_parameters_ex.3 -MLINKS+= DH_get_ex_new_index.3 DH_get_ex_data.3 -MLINKS+= DH_get_ex_new_index.3 DH_set_ex_data.3 +MLINKS+= DH_get0_pqg.3 DH_clear_flags.3 +MLINKS+= DH_get0_pqg.3 DH_get0_engine.3 +MLINKS+= DH_get0_pqg.3 DH_get0_g.3 +MLINKS+= DH_get0_pqg.3 DH_get0_key.3 +MLINKS+= DH_get0_pqg.3 DH_get0_p.3 +MLINKS+= DH_get0_pqg.3 DH_get0_priv_key.3 +MLINKS+= DH_get0_pqg.3 DH_get0_pub_key.3 +MLINKS+= DH_get0_pqg.3 DH_get0_q.3 +MLINKS+= DH_get0_pqg.3 DH_get_length.3 +MLINKS+= DH_get0_pqg.3 DH_set0_key.3 +MLINKS+= DH_get0_pqg.3 DH_set0_pqg.3 +MLINKS+= DH_get0_pqg.3 DH_set_flags.3 +MLINKS+= DH_get0_pqg.3 DH_set_length.3 +MLINKS+= DH_get0_pqg.3 DH_test_flags.3 +MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_192.3 +MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_224.3 +MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_256.3 +MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_384.3 +MLINKS+= DH_get_1024_160.3 BN_get0_nist_prime_521.3 +MLINKS+= DH_get_1024_160.3 BN_get_rfc2409_prime_1024.3 +MLINKS+= DH_get_1024_160.3 BN_get_rfc2409_prime_768.3 +MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_1536.3 +MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_2048.3 +MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_3072.3 +MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_4096.3 +MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_6144.3 +MLINKS+= DH_get_1024_160.3 BN_get_rfc3526_prime_8192.3 +MLINKS+= DH_get_1024_160.3 DH_get_2048_224.3 +MLINKS+= DH_get_1024_160.3 DH_get_2048_256.3 +MLINKS+= DH_meth_new.3 DH_meth_dup.3 +MLINKS+= DH_meth_new.3 DH_meth_free.3 +MLINKS+= DH_meth_new.3 DH_meth_get0_app_data.3 +MLINKS+= DH_meth_new.3 DH_meth_get0_name.3 +MLINKS+= DH_meth_new.3 DH_meth_get_bn_mod_exp.3 +MLINKS+= DH_meth_new.3 DH_meth_get_compute_key.3 +MLINKS+= DH_meth_new.3 DH_meth_get_finish.3 +MLINKS+= DH_meth_new.3 DH_meth_get_flags.3 +MLINKS+= DH_meth_new.3 DH_meth_get_generate_key.3 +MLINKS+= DH_meth_new.3 DH_meth_get_generate_params.3 +MLINKS+= DH_meth_new.3 DH_meth_get_init.3 +MLINKS+= DH_meth_new.3 DH_meth_set0_app_data.3 +MLINKS+= DH_meth_new.3 DH_meth_set1_name.3 +MLINKS+= DH_meth_new.3 DH_meth_set_bn_mod_exp.3 +MLINKS+= DH_meth_new.3 DH_meth_set_compute_key.3 +MLINKS+= DH_meth_new.3 DH_meth_set_finish.3 +MLINKS+= DH_meth_new.3 DH_meth_set_flags.3 +MLINKS+= DH_meth_new.3 DH_meth_set_generate_key.3 +MLINKS+= DH_meth_new.3 DH_meth_set_generate_params.3 +MLINKS+= DH_meth_new.3 DH_meth_set_init.3 MLINKS+= DH_new.3 DH_free.3 +MLINKS+= DH_new_by_nid.3 DH_get_nid.3 MLINKS+= DH_set_method.3 DH_OpenSSL.3 MLINKS+= DH_set_method.3 DH_get_default_method.3 MLINKS+= DH_set_method.3 DH_new_method.3 MLINKS+= DH_set_method.3 DH_set_default_method.3 +MLINKS+= DH_size.3 DH_bits.3 +MLINKS+= DH_size.3 DH_security_bits.3 MLINKS+= DSA_SIG_new.3 DSA_SIG_free.3 +MLINKS+= DSA_SIG_new.3 DSA_SIG_get0.3 +MLINKS+= DSA_SIG_new.3 DSA_SIG_set0.3 MLINKS+= DSA_do_sign.3 DSA_do_verify.3 MLINKS+= DSA_generate_parameters.3 DSA_generate_parameters_ex.3 -MLINKS+= DSA_get_ex_new_index.3 DSA_get_ex_data.3 -MLINKS+= DSA_get_ex_new_index.3 DSA_set_ex_data.3 +MLINKS+= DSA_get0_pqg.3 DSA_clear_flags.3 +MLINKS+= DSA_get0_pqg.3 DSA_get0_engine.3 +MLINKS+= DSA_get0_pqg.3 DSA_get0_g.3 +MLINKS+= DSA_get0_pqg.3 DSA_get0_key.3 +MLINKS+= DSA_get0_pqg.3 DSA_get0_p.3 +MLINKS+= DSA_get0_pqg.3 DSA_get0_priv_key.3 +MLINKS+= DSA_get0_pqg.3 DSA_get0_pub_key.3 +MLINKS+= DSA_get0_pqg.3 DSA_get0_q.3 +MLINKS+= DSA_get0_pqg.3 DSA_set0_key.3 +MLINKS+= DSA_get0_pqg.3 DSA_set0_pqg.3 +MLINKS+= DSA_get0_pqg.3 DSA_set_flags.3 +MLINKS+= DSA_get0_pqg.3 DSA_test_flags.3 +MLINKS+= DSA_meth_new.3 DSA_meth_dup.3 +MLINKS+= DSA_meth_new.3 DSA_meth_free.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get0_app_data.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get0_name.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_bn_mod_exp.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_finish.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_flags.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_init.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_keygen.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_mod_exp.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_paramgen.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_sign.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_sign_setup.3 +MLINKS+= DSA_meth_new.3 DSA_meth_get_verify.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set0_app_data.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set1_name.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_bn_mod_exp.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_finish.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_flags.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_init.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_keygen.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_mod_exp.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_paramgen.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_sign.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_sign_setup.3 +MLINKS+= DSA_meth_new.3 DSA_meth_set_verify.3 MLINKS+= DSA_new.3 DSA_free.3 MLINKS+= DSA_set_method.3 DSA_OpenSSL.3 MLINKS+= DSA_set_method.3 DSA_get_default_method.3 @@ -482,6 +1112,26 @@ MLINKS+= DSA_set_method.3 DSA_new_method.3 MLINKS+= DSA_set_method.3 DSA_set_default_method.3 MLINKS+= DSA_sign.3 DSA_sign_setup.3 MLINKS+= DSA_sign.3 DSA_verify.3 +MLINKS+= DSA_size.3 DSA_bits.3 +MLINKS+= DSA_size.3 DSA_security_bits.3 +MLINKS+= DTLS_set_timer_cb.3 DTLS_timer_cb.3 +MLINKS+= DTLSv1_listen.3 SSL_stateless.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_free.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_get0.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_get0_r.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_get0_s.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_SIG_set0.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_do_sign.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_do_sign_ex.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_do_verify.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_sign.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_sign_ex.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_sign_setup.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_size.3 +MLINKS+= ECDSA_SIG_new.3 ECDSA_verify.3 +MLINKS+= ECDSA_SIG_new.3 d2i_ECDSA_SIG.3 +MLINKS+= ECDSA_SIG_new.3 i2d_ECDSA_SIG.3 +MLINKS+= ECPKParameters_print.3 ECPKParameters_print_fp.3 MLINKS+= EC_GFp_simple_method.3 EC_GF2m_simple_method.3 MLINKS+= EC_GFp_simple_method.3 EC_GFp_mont_method.3 MLINKS+= EC_GFp_simple_method.3 EC_GFp_nist_method.3 @@ -493,7 +1143,9 @@ MLINKS+= EC_GROUP_copy.3 EC_GROUP_check.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_check_discriminant.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_cmp.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_dup.3 +MLINKS+= EC_GROUP_copy.3 EC_GROUP_get0_cofactor.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_get0_generator.3 +MLINKS+= EC_GROUP_copy.3 EC_GROUP_get0_order.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_get0_seed.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_asn1_flag.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_basis_type.3 @@ -506,6 +1158,7 @@ MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_point_conversion_form.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_seed_len.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_get_trinomial_basis.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_method_of.3 +MLINKS+= EC_GROUP_copy.3 EC_GROUP_order_bits.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_asn1_flag.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_curve_name.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_generator.3 @@ -513,35 +1166,46 @@ MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_point_conversion_form.3 MLINKS+= EC_GROUP_copy.3 EC_GROUP_set_seed.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_clear_free.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_free.3 +MLINKS+= EC_GROUP_new.3 EC_GROUP_get_curve.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_get_curve_GF2m.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_get_curve_GFp.3 +MLINKS+= EC_GROUP_new.3 EC_GROUP_get_ecparameters.3 +MLINKS+= EC_GROUP_new.3 EC_GROUP_get_ecpkparameters.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_new_by_curve_name.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_new_curve_GF2m.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_new_curve_GFp.3 +MLINKS+= EC_GROUP_new.3 EC_GROUP_new_from_ecparameters.3 +MLINKS+= EC_GROUP_new.3 EC_GROUP_new_from_ecpkparameters.3 +MLINKS+= EC_GROUP_new.3 EC_GROUP_set_curve.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_set_curve_GF2m.3 MLINKS+= EC_GROUP_new.3 EC_GROUP_set_curve_GFp.3 MLINKS+= EC_GROUP_new.3 EC_get_builtin_curves.3 +MLINKS+= EC_KEY_get_enc_flags.3 EC_KEY_set_enc_flags.3 MLINKS+= EC_KEY_new.3 EC_KEY_check_key.3 MLINKS+= EC_KEY_new.3 EC_KEY_clear_flags.3 MLINKS+= EC_KEY_new.3 EC_KEY_copy.3 MLINKS+= EC_KEY_new.3 EC_KEY_dup.3 MLINKS+= EC_KEY_new.3 EC_KEY_free.3 MLINKS+= EC_KEY_new.3 EC_KEY_generate_key.3 +MLINKS+= EC_KEY_new.3 EC_KEY_get0_engine.3 MLINKS+= EC_KEY_new.3 EC_KEY_get0_group.3 MLINKS+= EC_KEY_new.3 EC_KEY_get0_private_key.3 MLINKS+= EC_KEY_new.3 EC_KEY_get0_public_key.3 MLINKS+= EC_KEY_new.3 EC_KEY_get_conv_form.3 -MLINKS+= EC_KEY_new.3 EC_KEY_get_enc_flags.3 MLINKS+= EC_KEY_new.3 EC_KEY_get_flags.3 -MLINKS+= EC_KEY_new.3 EC_KEY_get_key_method_data.3 -MLINKS+= EC_KEY_new.3 EC_KEY_insert_key_method_data.3 +MLINKS+= EC_KEY_new.3 EC_KEY_get_method.3 +MLINKS+= EC_KEY_new.3 EC_KEY_key2buf.3 MLINKS+= EC_KEY_new.3 EC_KEY_new_by_curve_name.3 +MLINKS+= EC_KEY_new.3 EC_KEY_oct2key.3 +MLINKS+= EC_KEY_new.3 EC_KEY_oct2priv.3 MLINKS+= EC_KEY_new.3 EC_KEY_precompute_mult.3 +MLINKS+= EC_KEY_new.3 EC_KEY_priv2buf.3 +MLINKS+= EC_KEY_new.3 EC_KEY_priv2oct.3 MLINKS+= EC_KEY_new.3 EC_KEY_set_asn1_flag.3 MLINKS+= EC_KEY_new.3 EC_KEY_set_conv_form.3 -MLINKS+= EC_KEY_new.3 EC_KEY_set_enc_flags.3 MLINKS+= EC_KEY_new.3 EC_KEY_set_flags.3 MLINKS+= EC_KEY_new.3 EC_KEY_set_group.3 +MLINKS+= EC_KEY_new.3 EC_KEY_set_method.3 MLINKS+= EC_KEY_new.3 EC_KEY_set_private_key.3 MLINKS+= EC_KEY_new.3 EC_KEY_set_public_key.3 MLINKS+= EC_KEY_new.3 EC_KEY_set_public_key_affine_coordinates.3 @@ -563,20 +1227,114 @@ MLINKS+= EC_POINT_new.3 EC_POINT_copy.3 MLINKS+= EC_POINT_new.3 EC_POINT_dup.3 MLINKS+= EC_POINT_new.3 EC_POINT_free.3 MLINKS+= EC_POINT_new.3 EC_POINT_get_Jprojective_coordinates_GFp.3 +MLINKS+= EC_POINT_new.3 EC_POINT_get_affine_coordinates.3 MLINKS+= EC_POINT_new.3 EC_POINT_get_affine_coordinates_GF2m.3 MLINKS+= EC_POINT_new.3 EC_POINT_get_affine_coordinates_GFp.3 MLINKS+= EC_POINT_new.3 EC_POINT_hex2point.3 MLINKS+= EC_POINT_new.3 EC_POINT_method_of.3 MLINKS+= EC_POINT_new.3 EC_POINT_oct2point.3 MLINKS+= EC_POINT_new.3 EC_POINT_point2bn.3 +MLINKS+= EC_POINT_new.3 EC_POINT_point2buf.3 MLINKS+= EC_POINT_new.3 EC_POINT_point2hex.3 MLINKS+= EC_POINT_new.3 EC_POINT_point2oct.3 -MLINKS+= EC_POINT_new.3 EC_POINT_set_Jprojective_coordinates.3 +MLINKS+= EC_POINT_new.3 EC_POINT_set_Jprojective_coordinates_GFp.3 +MLINKS+= EC_POINT_new.3 EC_POINT_set_affine_coordinates.3 MLINKS+= EC_POINT_new.3 EC_POINT_set_affine_coordinates_GF2m.3 MLINKS+= EC_POINT_new.3 EC_POINT_set_affine_coordinates_GFp.3 +MLINKS+= EC_POINT_new.3 EC_POINT_set_compressed_coordinates.3 MLINKS+= EC_POINT_new.3 EC_POINT_set_compressed_coordinates_GF2m.3 MLINKS+= EC_POINT_new.3 EC_POINT_set_compressed_coordinates_GFp.3 MLINKS+= EC_POINT_new.3 EC_POINT_set_to_infinity.3 +MLINKS+= ENGINE_add.3 ENGINE_by_id.3 +MLINKS+= ENGINE_add.3 ENGINE_cleanup.3 +MLINKS+= ENGINE_add.3 ENGINE_cmd_is_executable.3 +MLINKS+= ENGINE_add.3 ENGINE_ctrl.3 +MLINKS+= ENGINE_add.3 ENGINE_ctrl_cmd.3 +MLINKS+= ENGINE_add.3 ENGINE_ctrl_cmd_string.3 +MLINKS+= ENGINE_add.3 ENGINE_finish.3 +MLINKS+= ENGINE_add.3 ENGINE_free.3 +MLINKS+= ENGINE_add.3 ENGINE_get_DH.3 +MLINKS+= ENGINE_add.3 ENGINE_get_DSA.3 +MLINKS+= ENGINE_add.3 ENGINE_get_RAND.3 +MLINKS+= ENGINE_add.3 ENGINE_get_RSA.3 +MLINKS+= ENGINE_add.3 ENGINE_get_cipher.3 +MLINKS+= ENGINE_add.3 ENGINE_get_cipher_engine.3 +MLINKS+= ENGINE_add.3 ENGINE_get_ciphers.3 +MLINKS+= ENGINE_add.3 ENGINE_get_cmd_defns.3 +MLINKS+= ENGINE_add.3 ENGINE_get_ctrl_function.3 +MLINKS+= ENGINE_add.3 ENGINE_get_default_DH.3 +MLINKS+= ENGINE_add.3 ENGINE_get_default_DSA.3 +MLINKS+= ENGINE_add.3 ENGINE_get_default_RAND.3 +MLINKS+= ENGINE_add.3 ENGINE_get_default_RSA.3 +MLINKS+= ENGINE_add.3 ENGINE_get_destroy_function.3 +MLINKS+= ENGINE_add.3 ENGINE_get_digest.3 +MLINKS+= ENGINE_add.3 ENGINE_get_digest_engine.3 +MLINKS+= ENGINE_add.3 ENGINE_get_digests.3 +MLINKS+= ENGINE_add.3 ENGINE_get_finish_function.3 +MLINKS+= ENGINE_add.3 ENGINE_get_first.3 +MLINKS+= ENGINE_add.3 ENGINE_get_flags.3 +MLINKS+= ENGINE_add.3 ENGINE_get_id.3 +MLINKS+= ENGINE_add.3 ENGINE_get_init_function.3 +MLINKS+= ENGINE_add.3 ENGINE_get_last.3 +MLINKS+= ENGINE_add.3 ENGINE_get_load_privkey_function.3 +MLINKS+= ENGINE_add.3 ENGINE_get_load_pubkey_function.3 +MLINKS+= ENGINE_add.3 ENGINE_get_name.3 +MLINKS+= ENGINE_add.3 ENGINE_get_next.3 +MLINKS+= ENGINE_add.3 ENGINE_get_prev.3 +MLINKS+= ENGINE_add.3 ENGINE_get_table_flags.3 +MLINKS+= ENGINE_add.3 ENGINE_init.3 +MLINKS+= ENGINE_add.3 ENGINE_load_builtin_engines.3 +MLINKS+= ENGINE_add.3 ENGINE_load_private_key.3 +MLINKS+= ENGINE_add.3 ENGINE_load_public_key.3 +MLINKS+= ENGINE_add.3 ENGINE_new.3 +MLINKS+= ENGINE_add.3 ENGINE_register_DH.3 +MLINKS+= ENGINE_add.3 ENGINE_register_DSA.3 +MLINKS+= ENGINE_add.3 ENGINE_register_RAND.3 +MLINKS+= ENGINE_add.3 ENGINE_register_RSA.3 +MLINKS+= ENGINE_add.3 ENGINE_register_all_DH.3 +MLINKS+= ENGINE_add.3 ENGINE_register_all_DSA.3 +MLINKS+= ENGINE_add.3 ENGINE_register_all_RAND.3 +MLINKS+= ENGINE_add.3 ENGINE_register_all_RSA.3 +MLINKS+= ENGINE_add.3 ENGINE_register_all_ciphers.3 +MLINKS+= ENGINE_add.3 ENGINE_register_all_complete.3 +MLINKS+= ENGINE_add.3 ENGINE_register_all_digests.3 +MLINKS+= ENGINE_add.3 ENGINE_register_ciphers.3 +MLINKS+= ENGINE_add.3 ENGINE_register_complete.3 +MLINKS+= ENGINE_add.3 ENGINE_register_digests.3 +MLINKS+= ENGINE_add.3 ENGINE_remove.3 +MLINKS+= ENGINE_add.3 ENGINE_set_DH.3 +MLINKS+= ENGINE_add.3 ENGINE_set_DSA.3 +MLINKS+= ENGINE_add.3 ENGINE_set_RAND.3 +MLINKS+= ENGINE_add.3 ENGINE_set_RSA.3 +MLINKS+= ENGINE_add.3 ENGINE_set_ciphers.3 +MLINKS+= ENGINE_add.3 ENGINE_set_cmd_defns.3 +MLINKS+= ENGINE_add.3 ENGINE_set_ctrl_function.3 +MLINKS+= ENGINE_add.3 ENGINE_set_default.3 +MLINKS+= ENGINE_add.3 ENGINE_set_default_DH.3 +MLINKS+= ENGINE_add.3 ENGINE_set_default_DSA.3 +MLINKS+= ENGINE_add.3 ENGINE_set_default_RAND.3 +MLINKS+= ENGINE_add.3 ENGINE_set_default_RSA.3 +MLINKS+= ENGINE_add.3 ENGINE_set_default_ciphers.3 +MLINKS+= ENGINE_add.3 ENGINE_set_default_digests.3 +MLINKS+= ENGINE_add.3 ENGINE_set_default_string.3 +MLINKS+= ENGINE_add.3 ENGINE_set_destroy_function.3 +MLINKS+= ENGINE_add.3 ENGINE_set_digests.3 +MLINKS+= ENGINE_add.3 ENGINE_set_finish_function.3 +MLINKS+= ENGINE_add.3 ENGINE_set_flags.3 +MLINKS+= ENGINE_add.3 ENGINE_set_id.3 +MLINKS+= ENGINE_add.3 ENGINE_set_init_function.3 +MLINKS+= ENGINE_add.3 ENGINE_set_load_privkey_function.3 +MLINKS+= ENGINE_add.3 ENGINE_set_load_pubkey_function.3 +MLINKS+= ENGINE_add.3 ENGINE_set_name.3 +MLINKS+= ENGINE_add.3 ENGINE_set_table_flags.3 +MLINKS+= ENGINE_add.3 ENGINE_unregister_DH.3 +MLINKS+= ENGINE_add.3 ENGINE_unregister_DSA.3 +MLINKS+= ENGINE_add.3 ENGINE_unregister_RAND.3 +MLINKS+= ENGINE_add.3 ENGINE_unregister_RSA.3 +MLINKS+= ENGINE_add.3 ENGINE_unregister_ciphers.3 +MLINKS+= ENGINE_add.3 ENGINE_unregister_digests.3 +MLINKS+= ENGINE_add.3 ENGINE_up_ref.3 +MLINKS+= ERR_GET_LIB.3 ERR_FATAL_ERROR.3 MLINKS+= ERR_GET_LIB.3 ERR_GET_FUNC.3 MLINKS+= ERR_GET_LIB.3 ERR_GET_REASON.3 MLINKS+= ERR_error_string.3 ERR_error_string_n.3 @@ -595,67 +1353,87 @@ MLINKS+= ERR_load_crypto_strings.3 ERR_free_strings.3 MLINKS+= ERR_load_crypto_strings.3 SSL_load_error_strings.3 MLINKS+= ERR_load_strings.3 ERR_PACK.3 MLINKS+= ERR_load_strings.3 ERR_get_next_error_library.3 +MLINKS+= ERR_print_errors.3 ERR_print_errors_cb.3 MLINKS+= ERR_print_errors.3 ERR_print_errors_fp.3 MLINKS+= ERR_put_error.3 ERR_add_error_data.3 +MLINKS+= ERR_put_error.3 ERR_add_error_vdata.3 MLINKS+= ERR_remove_state.3 ERR_remove_thread_state.3 MLINKS+= ERR_set_mark.3 ERR_pop_to_mark.3 +MLINKS+= EVP_CIPHER_CTX_get_cipher_data.3 EVP_CIPHER_CTX_set_cipher_data.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_dup.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_free.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_cleanup.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_ctrl.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_do_cipher.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_get_asn1_params.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_init.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_get_set_asn1_params.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_cleanup.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_ctrl.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_do_cipher.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_flags.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_get_asn1_params.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_impl_ctx_size.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_init.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_iv_length.3 +MLINKS+= EVP_CIPHER_meth_new.3 EVP_CIPHER_meth_set_set_asn1_params.3 MLINKS+= EVP_DigestInit.3 EVP_DigestFinal.3 +MLINKS+= EVP_DigestInit.3 EVP_DigestFinalXOF.3 MLINKS+= EVP_DigestInit.3 EVP_DigestFinal_ex.3 MLINKS+= EVP_DigestInit.3 EVP_DigestInit_ex.3 MLINKS+= EVP_DigestInit.3 EVP_DigestUpdate.3 -MLINKS+= EVP_DigestInit.3 EVP_MAX_MD_SIZE.3 MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_block_size.3 -MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_cleanup.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_clear_flags.3 MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_copy.3 MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_copy_ex.3 -MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_create.3 -MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_destroy.3 -MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_init.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_ctrl.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_free.3 MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_md.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_md_data.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_new.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_reset.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_set_flags.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_set_pkey_ctx.3 MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_size.3 +MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_test_flags.3 MLINKS+= EVP_DigestInit.3 EVP_MD_CTX_type.3 MLINKS+= EVP_DigestInit.3 EVP_MD_block_size.3 MLINKS+= EVP_DigestInit.3 EVP_MD_pkey_type.3 MLINKS+= EVP_DigestInit.3 EVP_MD_size.3 MLINKS+= EVP_DigestInit.3 EVP_MD_type.3 -MLINKS+= EVP_DigestInit.3 EVP_dss.3 -MLINKS+= EVP_DigestInit.3 EVP_dss1.3 MLINKS+= EVP_DigestInit.3 EVP_get_digestbyname.3 MLINKS+= EVP_DigestInit.3 EVP_get_digestbynid.3 MLINKS+= EVP_DigestInit.3 EVP_get_digestbyobj.3 -MLINKS+= EVP_DigestInit.3 EVP_md2.3 -MLINKS+= EVP_DigestInit.3 EVP_md5.3 MLINKS+= EVP_DigestInit.3 EVP_md_null.3 -MLINKS+= EVP_DigestInit.3 EVP_mdc2.3 -MLINKS+= EVP_DigestInit.3 EVP_ripemd160.3 -MLINKS+= EVP_DigestInit.3 EVP_sha.3 -MLINKS+= EVP_DigestInit.3 EVP_sha1.3 -MLINKS+= EVP_DigestInit.3 EVP_sha224.3 -MLINKS+= EVP_DigestInit.3 EVP_sha256.3 -MLINKS+= EVP_DigestInit.3 EVP_sha384.3 -MLINKS+= EVP_DigestInit.3 EVP_sha512.3 +MLINKS+= EVP_DigestSignInit.3 EVP_DigestSign.3 MLINKS+= EVP_DigestSignInit.3 EVP_DigestSignFinal.3 MLINKS+= EVP_DigestSignInit.3 EVP_DigestSignUpdate.3 +MLINKS+= EVP_DigestVerifyInit.3 EVP_DigestVerify.3 MLINKS+= EVP_DigestVerifyInit.3 EVP_DigestVerifyFinal.3 MLINKS+= EVP_DigestVerifyInit.3 EVP_DigestVerifyUpdate.3 MLINKS+= EVP_EncodeInit.3 EVP_DecodeBlock.3 MLINKS+= EVP_EncodeInit.3 EVP_DecodeFinal.3 MLINKS+= EVP_EncodeInit.3 EVP_DecodeInit.3 MLINKS+= EVP_EncodeInit.3 EVP_DecodeUpdate.3 +MLINKS+= EVP_EncodeInit.3 EVP_ENCODE_CTX_copy.3 +MLINKS+= EVP_EncodeInit.3 EVP_ENCODE_CTX_free.3 +MLINKS+= EVP_EncodeInit.3 EVP_ENCODE_CTX_new.3 +MLINKS+= EVP_EncodeInit.3 EVP_ENCODE_CTX_num.3 MLINKS+= EVP_EncodeInit.3 EVP_EncodeBlock.3 MLINKS+= EVP_EncodeInit.3 EVP_EncodeFinal.3 MLINKS+= EVP_EncodeInit.3 EVP_EncodeUpdate.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_block_size.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_cipher.3 -MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_cleanup.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_ctrl.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_flags.3 +MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_free.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_get_app_data.3 -MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_init.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_iv_length.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_key_length.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_mode.3 +MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_new.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_nid.3 +MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_reset.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_set_app_data.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_set_key_length.3 MLINKS+= EVP_EncryptInit.3 EVP_CIPHER_CTX_set_padding.3 @@ -683,73 +1461,92 @@ MLINKS+= EVP_EncryptInit.3 EVP_EncryptFinal.3 MLINKS+= EVP_EncryptInit.3 EVP_EncryptFinal_ex.3 MLINKS+= EVP_EncryptInit.3 EVP_EncryptInit_ex.3 MLINKS+= EVP_EncryptInit.3 EVP_EncryptUpdate.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_128_cbc_hmac_sha1.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_128_cbc_hmac_sha256.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_128_ccm.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_128_gcm.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_192_ccm.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_192_gcm.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_256_cbc_hmac_sha1.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_256_cbc_hmac_sha256.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_256_ccm.3 -MLINKS+= EVP_EncryptInit.3 EVP_aes_256_gcm.3 -MLINKS+= EVP_EncryptInit.3 EVP_bf_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_bf_cfb.3 -MLINKS+= EVP_EncryptInit.3 EVP_bf_ecb.3 -MLINKS+= EVP_EncryptInit.3 EVP_bf_ofb.3 -MLINKS+= EVP_EncryptInit.3 EVP_cast5_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_cast5_cfb.3 -MLINKS+= EVP_EncryptInit.3 EVP_cast5_ecb.3 -MLINKS+= EVP_EncryptInit.3 EVP_cast5_ofb.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_cfb.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ecb.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ede.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ede3.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ede3_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ede3_cfb.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ede3_ofb.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ede_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ede_cfb.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ede_ofb.3 -MLINKS+= EVP_EncryptInit.3 EVP_des_ofb.3 -MLINKS+= EVP_EncryptInit.3 EVP_desx_cbc.3 MLINKS+= EVP_EncryptInit.3 EVP_enc_null.3 MLINKS+= EVP_EncryptInit.3 EVP_get_cipherbyname.3 MLINKS+= EVP_EncryptInit.3 EVP_get_cipherbynid.3 MLINKS+= EVP_EncryptInit.3 EVP_get_cipherbyobj.3 -MLINKS+= EVP_EncryptInit.3 EVP_idea_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_idea_cfb.3 -MLINKS+= EVP_EncryptInit.3 EVP_idea_ecb.3 -MLINKS+= EVP_EncryptInit.3 EVP_idea_ofb.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc2_40_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc2_64_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc2_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc2_cfb.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc2_ecb.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc2_ofb.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc4.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc4_40.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc4_hmac_md5.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc5_32_12_16_cbc.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc5_32_12_16_cfb.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc5_32_12_16_ecb.3 -MLINKS+= EVP_EncryptInit.3 EVP_rc5_32_12_16_ofb.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_dup.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_free.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_app_datasize.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_cleanup.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_copy.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_ctrl.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_final.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_flags.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_init.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_input_blocksize.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_result_size.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_get_update.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_app_datasize.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_cleanup.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_copy.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_ctrl.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_final.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_flags.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_init.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_input_blocksize.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_result_size.3 +MLINKS+= EVP_MD_meth_new.3 EVP_MD_meth_set_update.3 MLINKS+= EVP_OpenInit.3 EVP_OpenFinal.3 MLINKS+= EVP_OpenInit.3 EVP_OpenUpdate.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_add0.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_add_alias.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_copy.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_free.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_new.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_check.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_ctrl.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_free.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_get_priv_key.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_get_pub_key.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_item.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_param.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_param_check.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_private.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_public.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_public_check.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_security_bits.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_set_priv_key.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_set_pub_key.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_asn1_set_siginf.3 +MLINKS+= EVP_PKEY_ASN1_METHOD.3 EVP_PKEY_get0_asn1.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_ctrl_str.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get1_id.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get1_id_len.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_get_signature_md.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set1_id.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_nid.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_pad.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_paramgen_generator.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dh_paramgen_prime_len.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_dsa_paramgen_bits.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_ec_param_enc.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_ec_paramgen_curve_nid.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_mac_key.3 +MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_keygen_bits.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_keygen_pubexp.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_padding.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_pss_saltlen.3 -MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_rsa_rsa_keygen_bits.3 MLINKS+= EVP_PKEY_CTX_ctrl.3 EVP_PKEY_CTX_set_signature_md.3 MLINKS+= EVP_PKEY_CTX_new.3 EVP_PKEY_CTX_dup.3 MLINKS+= EVP_PKEY_CTX_new.3 EVP_PKEY_CTX_free.3 MLINKS+= EVP_PKEY_CTX_new.3 EVP_PKEY_CTX_new_id.3 +MLINKS+= EVP_PKEY_CTX_set_hkdf_md.3 EVP_PKEY_CTX_add1_hkdf_info.3 +MLINKS+= EVP_PKEY_CTX_set_hkdf_md.3 EVP_PKEY_CTX_hkdf_mode.3 +MLINKS+= EVP_PKEY_CTX_set_hkdf_md.3 EVP_PKEY_CTX_set1_hkdf_key.3 +MLINKS+= EVP_PKEY_CTX_set_hkdf_md.3 EVP_PKEY_CTX_set1_hkdf_salt.3 +MLINKS+= EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md.3 +MLINKS+= EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen.3 +MLINKS+= EVP_PKEY_CTX_set_scrypt_N.3 EVP_PKEY_CTX_set1_scrypt_salt.3 +MLINKS+= EVP_PKEY_CTX_set_scrypt_N.3 EVP_PKEY_CTX_set_scrypt_maxmem_bytes.3 +MLINKS+= EVP_PKEY_CTX_set_scrypt_N.3 EVP_PKEY_CTX_set_scrypt_p.3 +MLINKS+= EVP_PKEY_CTX_set_scrypt_N.3 EVP_PKEY_CTX_set_scrypt_r.3 +MLINKS+= EVP_PKEY_CTX_set_tls1_prf_md.3 EVP_PKEY_CTX_add1_tls1_prf_seed.3 +MLINKS+= EVP_PKEY_CTX_set_tls1_prf_md.3 EVP_PKEY_CTX_set1_tls1_prf_secret.3 +MLINKS+= EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_find.3 +MLINKS+= EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_find_str.3 +MLINKS+= EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_get0.3 +MLINKS+= EVP_PKEY_asn1_get_count.3 EVP_PKEY_asn1_get0_info.3 MLINKS+= EVP_PKEY_cmp.3 EVP_PKEY_cmp_parameters.3 MLINKS+= EVP_PKEY_cmp.3 EVP_PKEY_copy_parameters.3 MLINKS+= EVP_PKEY_cmp.3 EVP_PKEY_missing_parameters.3 @@ -757,77 +1554,282 @@ MLINKS+= EVP_PKEY_decrypt.3 EVP_PKEY_decrypt_init.3 MLINKS+= EVP_PKEY_derive.3 EVP_PKEY_derive_init.3 MLINKS+= EVP_PKEY_derive.3 EVP_PKEY_derive_set_peer.3 MLINKS+= EVP_PKEY_encrypt.3 EVP_PKEY_encrypt_init.3 -MLINKS+= EVP_PKEY_get_default_digest.3 EVP_PKEY_get_default_digest_nid.3 -MLINKS+= EVP_PKEY_keygen.3 EVP_PKEVP_PKEY_CTX_set_app_data.3 MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_get_app_data.3 MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_get_cb.3 MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_get_keygen_info.3 +MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_set_app_data.3 MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_CTX_set_cb.3 +MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_check.3 +MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_gen_cb.3 MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_keygen_init.3 +MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_param_check.3 MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_paramgen.3 MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_paramgen_init.3 +MLINKS+= EVP_PKEY_keygen.3 EVP_PKEY_public_check.3 +MLINKS+= EVP_PKEY_meth_get_count.3 EVP_PKEY_meth_get0.3 +MLINKS+= EVP_PKEY_meth_get_count.3 EVP_PKEY_meth_get0_info.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_METHOD.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_add0.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_copy.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_find.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_free.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_check.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_cleanup.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_copy.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_ctrl.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_decrypt.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_derive.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_digest_custom.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_encrypt.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_init.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_keygen.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_param_check.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_paramgen.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_public_check.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_sign.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_signctx.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_verify.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_verify_recover.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_get_verifyctx.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_remove.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_check.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_cleanup.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_copy.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_ctrl.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_decrypt.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_derive.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_digest_custom.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_encrypt.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_init.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_keygen.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_param_check.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_paramgen.3 +MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_public_check.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_sign.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_signctx.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_verify.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_verify_recover.3 MLINKS+= EVP_PKEY_meth_new.3 EVP_PKEY_meth_set_verifyctx.3 MLINKS+= EVP_PKEY_new.3 EVP_PKEY_free.3 +MLINKS+= EVP_PKEY_new.3 EVP_PKEY_get_raw_private_key.3 +MLINKS+= EVP_PKEY_new.3 EVP_PKEY_get_raw_public_key.3 +MLINKS+= EVP_PKEY_new.3 EVP_PKEY_new_CMAC_key.3 +MLINKS+= EVP_PKEY_new.3 EVP_PKEY_new_mac_key.3 +MLINKS+= EVP_PKEY_new.3 EVP_PKEY_new_raw_private_key.3 +MLINKS+= EVP_PKEY_new.3 EVP_PKEY_new_raw_public_key.3 +MLINKS+= EVP_PKEY_new.3 EVP_PKEY_up_ref.3 MLINKS+= EVP_PKEY_print_private.3 EVP_PKEY_print_params.3 MLINKS+= EVP_PKEY_print_private.3 EVP_PKEY_print_public.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_DH.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_DSA.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_EC_KEY.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_assign_RSA.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_base_id.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_DH.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_DSA.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_EC_KEY.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_RSA.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get0_hmac.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get1_DH.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get1_DSA.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get1_EC_KEY.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_get1_RSA.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_id.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set1_DH.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set1_DSA.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set1_EC_KEY.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set1_engine.3 +MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_set_alias_type.3 MLINKS+= EVP_PKEY_set1_RSA.3 EVP_PKEY_type.3 MLINKS+= EVP_PKEY_sign.3 EVP_PKEY_sign_init.3 MLINKS+= EVP_PKEY_verify.3 EVP_PKEY_verify_init.3 MLINKS+= EVP_PKEY_verify_recover.3 EVP_PKEY_verify_recover_init.3 MLINKS+= EVP_SealInit.3 EVP_SealFinal.3 MLINKS+= EVP_SealInit.3 EVP_SealUpdate.3 +MLINKS+= EVP_SignInit.3 EVP_PKEY_security_bits.3 +MLINKS+= EVP_SignInit.3 EVP_PKEY_size.3 MLINKS+= EVP_SignInit.3 EVP_SignFinal.3 MLINKS+= EVP_SignInit.3 EVP_SignInit_ex.3 MLINKS+= EVP_SignInit.3 EVP_SignUpdate.3 MLINKS+= EVP_VerifyInit.3 EVP_VerifyFinal.3 +MLINKS+= EVP_VerifyInit.3 EVP_VerifyInit_ex.3 MLINKS+= EVP_VerifyInit.3 EVP_VerifyUpdate.3 +MLINKS+= EVP_aes.3 EVP_aes_128_cbc.3 +MLINKS+= EVP_aes.3 EVP_aes_128_cbc_hmac_sha1.3 +MLINKS+= EVP_aes.3 EVP_aes_128_cbc_hmac_sha256.3 +MLINKS+= EVP_aes.3 EVP_aes_128_ccm.3 +MLINKS+= EVP_aes.3 EVP_aes_128_cfb.3 +MLINKS+= EVP_aes.3 EVP_aes_128_cfb1.3 +MLINKS+= EVP_aes.3 EVP_aes_128_cfb8.3 +MLINKS+= EVP_aes.3 EVP_aes_128_ctr.3 +MLINKS+= EVP_aes.3 EVP_aes_128_ecb.3 +MLINKS+= EVP_aes.3 EVP_aes_128_gcm.3 +MLINKS+= EVP_aes.3 EVP_aes_128_ocb.3 +MLINKS+= EVP_aes.3 EVP_aes_128_ofb.3 +MLINKS+= EVP_aes.3 EVP_aes_128_wrap.3 +MLINKS+= EVP_aes.3 EVP_aes_128_wrap_pad.3 +MLINKS+= EVP_aes.3 EVP_aes_128_xts.3 +MLINKS+= EVP_aes.3 EVP_aes_192_cbc.3 +MLINKS+= EVP_aes.3 EVP_aes_192_ccm.3 +MLINKS+= EVP_aes.3 EVP_aes_192_cfb.3 +MLINKS+= EVP_aes.3 EVP_aes_192_cfb1.3 +MLINKS+= EVP_aes.3 EVP_aes_192_cfb8.3 +MLINKS+= EVP_aes.3 EVP_aes_192_ctr.3 +MLINKS+= EVP_aes.3 EVP_aes_192_ecb.3 +MLINKS+= EVP_aes.3 EVP_aes_192_gcm.3 +MLINKS+= EVP_aes.3 EVP_aes_192_ocb.3 +MLINKS+= EVP_aes.3 EVP_aes_192_ofb.3 +MLINKS+= EVP_aes.3 EVP_aes_192_wrap.3 +MLINKS+= EVP_aes.3 EVP_aes_192_wrap_pad.3 +MLINKS+= EVP_aes.3 EVP_aes_256_cbc.3 +MLINKS+= EVP_aes.3 EVP_aes_256_cbc_hmac_sha1.3 +MLINKS+= EVP_aes.3 EVP_aes_256_cbc_hmac_sha256.3 +MLINKS+= EVP_aes.3 EVP_aes_256_ccm.3 +MLINKS+= EVP_aes.3 EVP_aes_256_cfb.3 +MLINKS+= EVP_aes.3 EVP_aes_256_cfb1.3 +MLINKS+= EVP_aes.3 EVP_aes_256_cfb8.3 +MLINKS+= EVP_aes.3 EVP_aes_256_ctr.3 +MLINKS+= EVP_aes.3 EVP_aes_256_ecb.3 +MLINKS+= EVP_aes.3 EVP_aes_256_gcm.3 +MLINKS+= EVP_aes.3 EVP_aes_256_ocb.3 +MLINKS+= EVP_aes.3 EVP_aes_256_ofb.3 +MLINKS+= EVP_aes.3 EVP_aes_256_wrap.3 +MLINKS+= EVP_aes.3 EVP_aes_256_wrap_pad.3 +MLINKS+= EVP_aes.3 EVP_aes_256_xts.3 +MLINKS+= EVP_aria.3 EVP_aria_128_cbc.3 +MLINKS+= EVP_aria.3 EVP_aria_128_ccm.3 +MLINKS+= EVP_aria.3 EVP_aria_128_cfb.3 +MLINKS+= EVP_aria.3 EVP_aria_128_cfb1.3 +MLINKS+= EVP_aria.3 EVP_aria_128_cfb8.3 +MLINKS+= EVP_aria.3 EVP_aria_128_ctr.3 +MLINKS+= EVP_aria.3 EVP_aria_128_ecb.3 +MLINKS+= EVP_aria.3 EVP_aria_128_gcm.3 +MLINKS+= EVP_aria.3 EVP_aria_128_ofb.3 +MLINKS+= EVP_aria.3 EVP_aria_192_cbc.3 +MLINKS+= EVP_aria.3 EVP_aria_192_ccm.3 +MLINKS+= EVP_aria.3 EVP_aria_192_cfb.3 +MLINKS+= EVP_aria.3 EVP_aria_192_cfb1.3 +MLINKS+= EVP_aria.3 EVP_aria_192_cfb8.3 +MLINKS+= EVP_aria.3 EVP_aria_192_ctr.3 +MLINKS+= EVP_aria.3 EVP_aria_192_ecb.3 +MLINKS+= EVP_aria.3 EVP_aria_192_gcm.3 +MLINKS+= EVP_aria.3 EVP_aria_192_ofb.3 +MLINKS+= EVP_aria.3 EVP_aria_256_cbc.3 +MLINKS+= EVP_aria.3 EVP_aria_256_ccm.3 +MLINKS+= EVP_aria.3 EVP_aria_256_cfb.3 +MLINKS+= EVP_aria.3 EVP_aria_256_cfb1.3 +MLINKS+= EVP_aria.3 EVP_aria_256_cfb8.3 +MLINKS+= EVP_aria.3 EVP_aria_256_ctr.3 +MLINKS+= EVP_aria.3 EVP_aria_256_ecb.3 +MLINKS+= EVP_aria.3 EVP_aria_256_gcm.3 +MLINKS+= EVP_aria.3 EVP_aria_256_ofb.3 +MLINKS+= EVP_bf_cbc.3 EVP_bf_cfb.3 +MLINKS+= EVP_bf_cbc.3 EVP_bf_ecb.3 +MLINKS+= EVP_bf_cbc.3 EVP_bf_ofb.3 +MLINKS+= EVP_blake2b512.3 EVP_blake2s256.3 +MLINKS+= EVP_camellia.3 EVP_camellia_128_cbc.3 +MLINKS+= EVP_camellia.3 EVP_camellia_128_cfb.3 +MLINKS+= EVP_camellia.3 EVP_camellia_128_cfb1.3 +MLINKS+= EVP_camellia.3 EVP_camellia_128_cfb8.3 +MLINKS+= EVP_camellia.3 EVP_camellia_128_ctr.3 +MLINKS+= EVP_camellia.3 EVP_camellia_128_ecb.3 +MLINKS+= EVP_camellia.3 EVP_camellia_128_ofb.3 +MLINKS+= EVP_camellia.3 EVP_camellia_192_cbc.3 +MLINKS+= EVP_camellia.3 EVP_camellia_192_cfb.3 +MLINKS+= EVP_camellia.3 EVP_camellia_192_cfb1.3 +MLINKS+= EVP_camellia.3 EVP_camellia_192_cfb8.3 +MLINKS+= EVP_camellia.3 EVP_camellia_192_ctr.3 +MLINKS+= EVP_camellia.3 EVP_camellia_192_ecb.3 +MLINKS+= EVP_camellia.3 EVP_camellia_192_ofb.3 +MLINKS+= EVP_camellia.3 EVP_camellia_256_cbc.3 +MLINKS+= EVP_camellia.3 EVP_camellia_256_cfb.3 +MLINKS+= EVP_camellia.3 EVP_camellia_256_cfb1.3 +MLINKS+= EVP_camellia.3 EVP_camellia_256_cfb8.3 +MLINKS+= EVP_camellia.3 EVP_camellia_256_ctr.3 +MLINKS+= EVP_camellia.3 EVP_camellia_256_ecb.3 +MLINKS+= EVP_camellia.3 EVP_camellia_256_ofb.3 +MLINKS+= EVP_cast5_cbc.3 EVP_cast5_cfb.3 +MLINKS+= EVP_cast5_cbc.3 EVP_cast5_ecb.3 +MLINKS+= EVP_cast5_cbc.3 EVP_cast5_ofb.3 +MLINKS+= EVP_chacha20.3 EVP_chacha20_poly1305.3 +MLINKS+= EVP_des.3 EVP_des_cbc.3 +MLINKS+= EVP_des.3 EVP_des_cfb.3 +MLINKS+= EVP_des.3 EVP_des_cfb1.3 +MLINKS+= EVP_des.3 EVP_des_cfb8.3 +MLINKS+= EVP_des.3 EVP_des_ecb.3 +MLINKS+= EVP_des.3 EVP_des_ede.3 +MLINKS+= EVP_des.3 EVP_des_ede3.3 +MLINKS+= EVP_des.3 EVP_des_ede3_cbc.3 +MLINKS+= EVP_des.3 EVP_des_ede3_cfb.3 +MLINKS+= EVP_des.3 EVP_des_ede3_cfb1.3 +MLINKS+= EVP_des.3 EVP_des_ede3_cfb8.3 +MLINKS+= EVP_des.3 EVP_des_ede3_ofb.3 +MLINKS+= EVP_des.3 EVP_des_ede3_wrap.3 +MLINKS+= EVP_des.3 EVP_des_ede_cbc.3 +MLINKS+= EVP_des.3 EVP_des_ede_cfb.3 +MLINKS+= EVP_des.3 EVP_des_ede_ofb.3 +MLINKS+= EVP_des.3 EVP_des_ofb.3 +MLINKS+= EVP_idea_cbc.3 EVP_idea_cfb.3 +MLINKS+= EVP_idea_cbc.3 EVP_idea_ecb.3 +MLINKS+= EVP_idea_cbc.3 EVP_idea_ofb.3 +MLINKS+= EVP_rc2_cbc.3 EVP_rc2_40_cbc.3 +MLINKS+= EVP_rc2_cbc.3 EVP_rc2_64_cbc.3 +MLINKS+= EVP_rc2_cbc.3 EVP_rc2_cfb.3 +MLINKS+= EVP_rc2_cbc.3 EVP_rc2_ecb.3 +MLINKS+= EVP_rc2_cbc.3 EVP_rc2_ofb.3 +MLINKS+= EVP_rc4.3 EVP_rc4_40.3 +MLINKS+= EVP_rc4.3 EVP_rc4_hmac_md5.3 +MLINKS+= EVP_rc5_32_12_16_cbc.3 EVP_rc5_32_12_16_cfb.3 +MLINKS+= EVP_rc5_32_12_16_cbc.3 EVP_rc5_32_12_16_ecb.3 +MLINKS+= EVP_rc5_32_12_16_cbc.3 EVP_rc5_32_12_16_ofb.3 +MLINKS+= EVP_seed_cbc.3 EVP_seed_cfb.3 +MLINKS+= EVP_seed_cbc.3 EVP_seed_ecb.3 +MLINKS+= EVP_seed_cbc.3 EVP_seed_ofb.3 +MLINKS+= EVP_sha224.3 EVP_sha256.3 +MLINKS+= EVP_sha224.3 EVP_sha384.3 +MLINKS+= EVP_sha224.3 EVP_sha512.3 +MLINKS+= EVP_sha224.3 EVP_sha512_224.3 +MLINKS+= EVP_sha224.3 EVP_sha512_256.3 +MLINKS+= EVP_sha3_224.3 EVP_sha3_256.3 +MLINKS+= EVP_sha3_224.3 EVP_sha3_384.3 +MLINKS+= EVP_sha3_224.3 EVP_sha3_512.3 +MLINKS+= EVP_sha3_224.3 EVP_shake128.3 +MLINKS+= EVP_sha3_224.3 EVP_shake256.3 +MLINKS+= EVP_sm4_cbc.3 EVP_sm4_cfb.3 +MLINKS+= EVP_sm4_cbc.3 EVP_sm4_ctr.3 +MLINKS+= EVP_sm4_cbc.3 EVP_sm4_ecb.3 +MLINKS+= EVP_sm4_cbc.3 EVP_sm4_ofb.3 +MLINKS+= HMAC.3 HMAC_CTX_copy.3 +MLINKS+= HMAC.3 HMAC_CTX_free.3 +MLINKS+= HMAC.3 HMAC_CTX_get_md.3 +MLINKS+= HMAC.3 HMAC_CTX_new.3 +MLINKS+= HMAC.3 HMAC_CTX_reset.3 +MLINKS+= HMAC.3 HMAC_CTX_set_flags.3 +MLINKS+= HMAC.3 HMAC_Final.3 +MLINKS+= HMAC.3 HMAC_Init.3 +MLINKS+= HMAC.3 HMAC_Init_ex.3 +MLINKS+= HMAC.3 HMAC_Update.3 +MLINKS+= HMAC.3 HMAC_size.3 +MLINKS+= MD5.3 MD2.3 +MLINKS+= MD5.3 MD2_Final.3 +MLINKS+= MD5.3 MD2_Init.3 +MLINKS+= MD5.3 MD2_Update.3 +MLINKS+= MD5.3 MD4.3 +MLINKS+= MD5.3 MD4_Final.3 +MLINKS+= MD5.3 MD4_Init.3 +MLINKS+= MD5.3 MD4_Update.3 +MLINKS+= MD5.3 MD5_Final.3 +MLINKS+= MD5.3 MD5_Init.3 +MLINKS+= MD5.3 MD5_Update.3 +MLINKS+= MDC2_Init.3 MDC2.3 +MLINKS+= MDC2_Init.3 MDC2_Final.3 +MLINKS+= MDC2_Init.3 MDC2_Update.3 MLINKS+= OBJ_nid2obj.3 OBJ_cleanup.3 MLINKS+= OBJ_nid2obj.3 OBJ_cmp.3 MLINKS+= OBJ_nid2obj.3 OBJ_create.3 MLINKS+= OBJ_nid2obj.3 OBJ_dup.3 +MLINKS+= OBJ_nid2obj.3 OBJ_get0_data.3 +MLINKS+= OBJ_nid2obj.3 OBJ_length.3 MLINKS+= OBJ_nid2obj.3 OBJ_ln2nid.3 MLINKS+= OBJ_nid2obj.3 OBJ_nid2ln.3 MLINKS+= OBJ_nid2obj.3 OBJ_nid2sn.3 @@ -836,32 +1838,400 @@ MLINKS+= OBJ_nid2obj.3 OBJ_obj2txt.3 MLINKS+= OBJ_nid2obj.3 OBJ_sn2nid.3 MLINKS+= OBJ_nid2obj.3 OBJ_txt2nid.3 MLINKS+= OBJ_nid2obj.3 OBJ_txt2obj.3 -MLINKS+= OPENSSL_VERSION_NUMBER.3 SSLeay.3 -MLINKS+= OPENSSL_VERSION_NUMBER.3 SSLeay_version.3 +MLINKS+= OBJ_nid2obj.3 i2t_ASN1_OBJECT.3 +MLINKS+= OCSP_REQUEST_new.3 OCSP_REQUEST_free.3 +MLINKS+= OCSP_REQUEST_new.3 OCSP_request_add0_id.3 +MLINKS+= OCSP_REQUEST_new.3 OCSP_request_add1_cert.3 +MLINKS+= OCSP_REQUEST_new.3 OCSP_request_onereq_count.3 +MLINKS+= OCSP_REQUEST_new.3 OCSP_request_onereq_get0.3 +MLINKS+= OCSP_REQUEST_new.3 OCSP_request_sign.3 +MLINKS+= OCSP_cert_to_id.3 OCSP_CERTID_free.3 +MLINKS+= OCSP_cert_to_id.3 OCSP_cert_id_new.3 +MLINKS+= OCSP_cert_to_id.3 OCSP_id_cmp.3 +MLINKS+= OCSP_cert_to_id.3 OCSP_id_get0_info.3 +MLINKS+= OCSP_cert_to_id.3 OCSP_id_issuer_cmp.3 +MLINKS+= OCSP_request_add1_nonce.3 OCSP_basic_add1_nonce.3 +MLINKS+= OCSP_request_add1_nonce.3 OCSP_check_nonce.3 +MLINKS+= OCSP_request_add1_nonce.3 OCSP_copy_nonce.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_basic_verify.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_check_validity.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_count.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_find.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_certs.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_id.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_produced_at.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_respdata.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_signature.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_signer.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get0_tbs_sigalg.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_resp_get1_id.3 +MLINKS+= OCSP_resp_find_status.3 OCSP_single_get0_status.3 +MLINKS+= OCSP_response_status.3 OCSP_RESPID_match.3 +MLINKS+= OCSP_response_status.3 OCSP_RESPID_set_by_key.3 +MLINKS+= OCSP_response_status.3 OCSP_RESPID_set_by_name.3 +MLINKS+= OCSP_response_status.3 OCSP_RESPONSE_free.3 +MLINKS+= OCSP_response_status.3 OCSP_basic_sign.3 +MLINKS+= OCSP_response_status.3 OCSP_basic_sign_ctx.3 +MLINKS+= OCSP_response_status.3 OCSP_response_create.3 +MLINKS+= OCSP_response_status.3 OCSP_response_get1_basic.3 +MLINKS+= OCSP_sendreq_new.3 OCSP_REQ_CTX_add1_header.3 +MLINKS+= OCSP_sendreq_new.3 OCSP_REQ_CTX_free.3 +MLINKS+= OCSP_sendreq_new.3 OCSP_REQ_CTX_set1_req.3 +MLINKS+= OCSP_sendreq_new.3 OCSP_sendreq_bio.3 +MLINKS+= OCSP_sendreq_new.3 OCSP_sendreq_nbio.3 +MLINKS+= OCSP_sendreq_new.3 OCSP_set_max_response_length.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 DECLARE_LHASH_OF.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 IMPLEMENT_LHASH_COMP_FN.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 IMPLEMENT_LHASH_HASH_FN.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 LHASH.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 LHASH_DOALL_ARG_FN_TYPE.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 OPENSSL_LH_DOALL_FUNC.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 OPENSSL_LH_HASHFUNC.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_delete.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_doall.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_doall_arg.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_error.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_free.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_insert.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_new.3 +MLINKS+= OPENSSL_LH_COMPFUNC.3 lh_TYPE_retrieve.3 +MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_node_stats.3 +MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_node_stats_bio.3 +MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_node_usage_stats.3 +MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_node_usage_stats_bio.3 +MLINKS+= OPENSSL_LH_stats.3 OPENSSL_LH_stats_bio.3 +MLINKS+= OPENSSL_VERSION_NUMBER.3 OpenSSL_version.3 +MLINKS+= OPENSSL_VERSION_NUMBER.3 OpenSSL_version_num.3 MLINKS+= OPENSSL_config.3 OPENSSL_no_config.3 -MLINKS+= OPENSSL_ia32cap.3 OPENSSL_ia32cap_loc.3 +MLINKS+= OPENSSL_fork_prepare.3 OPENSSL_fork_child.3 +MLINKS+= OPENSSL_fork_prepare.3 OPENSSL_fork_parent.3 +MLINKS+= OPENSSL_init_crypto.3 OPENSSL_INIT_free.3 +MLINKS+= OPENSSL_init_crypto.3 OPENSSL_INIT_new.3 +MLINKS+= OPENSSL_init_crypto.3 OPENSSL_INIT_set_config_appname.3 +MLINKS+= OPENSSL_init_crypto.3 OPENSSL_atexit.3 +MLINKS+= OPENSSL_init_crypto.3 OPENSSL_cleanup.3 +MLINKS+= OPENSSL_init_crypto.3 OPENSSL_thread_stop.3 MLINKS+= OPENSSL_instrument_bus.3 OPENSSL_instrument_bus2.3 MLINKS+= OPENSSL_load_builtin_modules.3 ASN1_add_oid_module.3 MLINKS+= OPENSSL_load_builtin_modules.3 ENGINE_add_conf_module.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_clear_free.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_clear_realloc.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_free.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_get_alloc_counts.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_get_mem_functions.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_malloc.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_ctrl.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_debug_pop.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_debug_push.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_leaks.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_leaks_cb.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_mem_leaks_fp.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_realloc.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_set_mem_debug.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_set_mem_functions.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_strdup.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_strndup.3 +MLINKS+= OPENSSL_malloc.3 CRYPTO_zalloc.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_MALLOC_FAILURES.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_MALLOC_FD.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_buf2hexstr.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_cleanse.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_clear_free.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_clear_realloc.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_free.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_hexchar2int.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_hexstr2buf.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_malloc_init.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_mem_debug_pop.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_mem_debug_push.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_memdup.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_realloc.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_strdup.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_strlcat.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_strlcpy.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_strndup.3 +MLINKS+= OPENSSL_malloc.3 OPENSSL_zalloc.3 +MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_clear_free.3 +MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_free.3 +MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_malloc.3 +MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_malloc_done.3 +MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_malloc_init.3 +MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_malloc_initialized.3 +MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_used.3 +MLINKS+= OPENSSL_secure_malloc.3 CRYPTO_secure_zalloc.3 +MLINKS+= OPENSSL_secure_malloc.3 OPENSSL_secure_actual_size.3 +MLINKS+= OPENSSL_secure_malloc.3 OPENSSL_secure_clear_free.3 +MLINKS+= OPENSSL_secure_malloc.3 OPENSSL_secure_free.3 +MLINKS+= OPENSSL_secure_malloc.3 OPENSSL_secure_zalloc.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_free.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_CERT.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_CRL.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_NAME.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_NAME_description.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_PARAMS.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get0_PKEY.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_CERT.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_CRL.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_NAME.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_NAME_description.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_PARAMS.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get1_PKEY.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_get_type.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_CERT.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_CRL.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_NAME.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_PARAMS.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_new_PKEY.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_set0_NAME_description.3 +MLINKS+= OSSL_STORE_INFO.3 OSSL_STORE_INFO_type_string.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_CTX.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_free.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_get0_engine.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_get0_scheme.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_new.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_close.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_ctrl.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_eof.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_error.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_expect.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_find.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_load.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_LOADER_set_open.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_close_fn.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_ctrl_fn.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_eof_fn.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_error_fn.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_expect_fn.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_find_fn.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_load_fn.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_open_fn.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_register_loader.3 +MLINKS+= OSSL_STORE_LOADER.3 OSSL_STORE_unregister_loader.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_by_alias.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_by_issuer_serial.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_by_key_fingerprint.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_by_name.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_free.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_bytes.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_digest.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_name.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_serial.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get0_string.3 +MLINKS+= OSSL_STORE_SEARCH.3 OSSL_STORE_SEARCH_get_type.3 +MLINKS+= OSSL_STORE_expect.3 OSSL_STORE_find.3 +MLINKS+= OSSL_STORE_expect.3 OSSL_STORE_supports_search.3 +MLINKS+= OSSL_STORE_open.3 OSSL_STORE_CTX.3 +MLINKS+= OSSL_STORE_open.3 OSSL_STORE_close.3 +MLINKS+= OSSL_STORE_open.3 OSSL_STORE_ctrl.3 +MLINKS+= OSSL_STORE_open.3 OSSL_STORE_eof.3 +MLINKS+= OSSL_STORE_open.3 OSSL_STORE_error.3 +MLINKS+= OSSL_STORE_open.3 OSSL_STORE_load.3 +MLINKS+= OSSL_STORE_open.3 OSSL_STORE_post_process_info_fn.3 MLINKS+= OpenSSL_add_all_algorithms.3 EVP_cleanup.3 MLINKS+= OpenSSL_add_all_algorithms.3 OpenSSL_add_all_ciphers.3 MLINKS+= OpenSSL_add_all_algorithms.3 OpenSSL_add_all_digests.3 +MLINKS+= PEM_bytes_read_bio.3 PEM_bytes_read_bio_secmem.3 +MLINKS+= PEM_read.3 PEM_do_header.3 +MLINKS+= PEM_read.3 PEM_get_EVP_CIPHER_INFO.3 +MLINKS+= PEM_read.3 PEM_read_bio.3 +MLINKS+= PEM_read.3 PEM_write.3 +MLINKS+= PEM_read.3 PEM_write_bio.3 +MLINKS+= PEM_read_CMS.3 DECLARE_PEM_rw.3 +MLINKS+= PEM_read_CMS.3 PEM_read_ECPKParameters.3 +MLINKS+= PEM_read_CMS.3 PEM_read_ECPrivateKey.3 +MLINKS+= PEM_read_CMS.3 PEM_read_EC_PUBKEY.3 +MLINKS+= PEM_read_CMS.3 PEM_read_NETSCAPE_CERT_SEQUENCE.3 +MLINKS+= PEM_read_CMS.3 PEM_read_PKCS8.3 +MLINKS+= PEM_read_CMS.3 PEM_read_PKCS8_PRIV_KEY_INFO.3 +MLINKS+= PEM_read_CMS.3 PEM_read_SSL_SESSION.3 +MLINKS+= PEM_read_CMS.3 PEM_read_bio_CMS.3 +MLINKS+= PEM_read_CMS.3 PEM_read_bio_ECPKParameters.3 +MLINKS+= PEM_read_CMS.3 PEM_read_bio_EC_PUBKEY.3 +MLINKS+= PEM_read_CMS.3 PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3 +MLINKS+= PEM_read_CMS.3 PEM_read_bio_PKCS8.3 +MLINKS+= PEM_read_CMS.3 PEM_read_bio_PKCS8_PRIV_KEY_INFO.3 +MLINKS+= PEM_read_CMS.3 PEM_read_bio_SSL_SESSION.3 +MLINKS+= PEM_read_CMS.3 PEM_write_CMS.3 +MLINKS+= PEM_read_CMS.3 PEM_write_DHxparams.3 +MLINKS+= PEM_read_CMS.3 PEM_write_ECPKParameters.3 +MLINKS+= PEM_read_CMS.3 PEM_write_ECPrivateKey.3 +MLINKS+= PEM_read_CMS.3 PEM_write_EC_PUBKEY.3 +MLINKS+= PEM_read_CMS.3 PEM_write_NETSCAPE_CERT_SEQUENCE.3 +MLINKS+= PEM_read_CMS.3 PEM_write_PKCS8.3 +MLINKS+= PEM_read_CMS.3 PEM_write_PKCS8_PRIV_KEY_INFO.3 +MLINKS+= PEM_read_CMS.3 PEM_write_SSL_SESSION.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_CMS.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_DHxparams.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_ECPKParameters.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_ECPrivateKey.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_EC_PUBKEY.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_PKCS8.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_PKCS8_PRIV_KEY_INFO.3 +MLINKS+= PEM_read_CMS.3 PEM_write_bio_SSL_SESSION.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_DHparams.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_DSAPrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_DSA_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_DSAparams.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_PKCS7.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_PrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_RSAPrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_RSAPublicKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_RSA_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_X509.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_X509_AUX.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_X509_CRL.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_X509_REQ.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_DHparams.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_DSAPrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_DSA_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_DSAparams.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_PKCS7.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_RSAPrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_RSAPublicKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_RSA_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_X509.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_X509_AUX.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_X509_CRL.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_read_bio_X509_REQ.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_DHparams.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_DSAPrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_DSA_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_DSAparams.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PKCS7.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PKCS8PrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PKCS8PrivateKey_nid.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_PrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_RSAPrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_RSAPublicKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_RSA_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509_AUX.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509_CRL.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509_REQ.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_X509_REQ_NEW.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_DHparams.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_DSAPrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_DSA_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_DSAparams.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PKCS7.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PKCS8PrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PKCS8PrivateKey_nid.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_PrivateKey_traditional.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_RSAPrivateKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_RSAPublicKey.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_RSA_PUBKEY.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509_AUX.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509_CRL.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509_REQ.3 +MLINKS+= PEM_read_bio_PrivateKey.3 PEM_write_bio_X509_REQ_NEW.3 +MLINKS+= PEM_read_bio_PrivateKey.3 pem_password_cb.3 +MLINKS+= PEM_read_bio_ex.3 PEM_FLAG_EAY_COMPATIBLE.3 +MLINKS+= PEM_read_bio_ex.3 PEM_FLAG_ONLY_B64.3 +MLINKS+= PEM_read_bio_ex.3 PEM_FLAG_SECURE.3 +MLINKS+= PKCS5_PBKDF2_HMAC.3 PKCS5_PBKDF2_HMAC_SHA1.3 MLINKS+= PKCS7_verify.3 PKCS7_get0_signers.3 +MLINKS+= RAND_DRBG_generate.3 RAND_DRBG_bytes.3 +MLINKS+= RAND_DRBG_get0_master.3 RAND_DRBG_get0_private.3 +MLINKS+= RAND_DRBG_get0_master.3 RAND_DRBG_get0_public.3 +MLINKS+= RAND_DRBG_new.3 RAND_DRBG_free.3 +MLINKS+= RAND_DRBG_new.3 RAND_DRBG_instantiate.3 +MLINKS+= RAND_DRBG_new.3 RAND_DRBG_secure_new.3 +MLINKS+= RAND_DRBG_new.3 RAND_DRBG_set.3 +MLINKS+= RAND_DRBG_new.3 RAND_DRBG_set_defaults.3 +MLINKS+= RAND_DRBG_new.3 RAND_DRBG_uninstantiate.3 +MLINKS+= RAND_DRBG_reseed.3 RAND_DRBG_set_reseed_defaults.3 +MLINKS+= RAND_DRBG_reseed.3 RAND_DRBG_set_reseed_interval.3 +MLINKS+= RAND_DRBG_reseed.3 RAND_DRBG_set_reseed_time_interval.3 +MLINKS+= RAND_DRBG_set_callbacks.3 RAND_DRBG_cleanup_entropy_fn.3 +MLINKS+= RAND_DRBG_set_callbacks.3 RAND_DRBG_cleanup_nonce_fn.3 +MLINKS+= RAND_DRBG_set_callbacks.3 RAND_DRBG_get_entropy_fn.3 +MLINKS+= RAND_DRBG_set_callbacks.3 RAND_DRBG_get_nonce_fn.3 +MLINKS+= RAND_DRBG_set_ex_data.3 RAND_DRBG_get_ex_data.3 +MLINKS+= RAND_DRBG_set_ex_data.3 RAND_DRBG_get_ex_new_index.3 MLINKS+= RAND_add.3 RAND_event.3 +MLINKS+= RAND_add.3 RAND_keep_random_devices_open.3 +MLINKS+= RAND_add.3 RAND_poll.3 MLINKS+= RAND_add.3 RAND_screen.3 MLINKS+= RAND_add.3 RAND_seed.3 MLINKS+= RAND_add.3 RAND_status.3 +MLINKS+= RAND_bytes.3 RAND_priv_bytes.3 MLINKS+= RAND_bytes.3 RAND_pseudo_bytes.3 MLINKS+= RAND_egd.3 RAND_egd_bytes.3 MLINKS+= RAND_egd.3 RAND_query_egd_bytes.3 MLINKS+= RAND_load_file.3 RAND_file_name.3 MLINKS+= RAND_load_file.3 RAND_write_file.3 -MLINKS+= RAND_set_rand_method.3 RAND_SSLeay.3 +MLINKS+= RAND_set_rand_method.3 RAND_OpenSSL.3 MLINKS+= RAND_set_rand_method.3 RAND_get_rand_method.3 +MLINKS+= RC4_set_key.3 RC4.3 +MLINKS+= RIPEMD160_Init.3 RIPEMD160.3 +MLINKS+= RIPEMD160_Init.3 RIPEMD160_Final.3 +MLINKS+= RIPEMD160_Init.3 RIPEMD160_Update.3 MLINKS+= RSA_blinding_on.3 RSA_blinding_off.3 +MLINKS+= RSA_check_key.3 RSA_check_key_ex.3 MLINKS+= RSA_generate_key.3 RSA_generate_key_ex.3 -MLINKS+= RSA_get_ex_new_index.3 RSA_get_ex_data.3 -MLINKS+= RSA_get_ex_new_index.3 RSA_set_ex_data.3 +MLINKS+= RSA_generate_key.3 RSA_generate_multi_prime_key.3 +MLINKS+= RSA_get0_key.3 RSA_clear_flags.3 +MLINKS+= RSA_get0_key.3 RSA_get0_crt_params.3 +MLINKS+= RSA_get0_key.3 RSA_get0_d.3 +MLINKS+= RSA_get0_key.3 RSA_get0_dmp1.3 +MLINKS+= RSA_get0_key.3 RSA_get0_dmq1.3 +MLINKS+= RSA_get0_key.3 RSA_get0_e.3 +MLINKS+= RSA_get0_key.3 RSA_get0_engine.3 +MLINKS+= RSA_get0_key.3 RSA_get0_factors.3 +MLINKS+= RSA_get0_key.3 RSA_get0_iqmp.3 +MLINKS+= RSA_get0_key.3 RSA_get0_multi_prime_crt_params.3 +MLINKS+= RSA_get0_key.3 RSA_get0_multi_prime_factors.3 +MLINKS+= RSA_get0_key.3 RSA_get0_n.3 +MLINKS+= RSA_get0_key.3 RSA_get0_p.3 +MLINKS+= RSA_get0_key.3 RSA_get0_q.3 +MLINKS+= RSA_get0_key.3 RSA_get_multi_prime_extra_count.3 +MLINKS+= RSA_get0_key.3 RSA_get_version.3 +MLINKS+= RSA_get0_key.3 RSA_set0_crt_params.3 +MLINKS+= RSA_get0_key.3 RSA_set0_factors.3 +MLINKS+= RSA_get0_key.3 RSA_set0_key.3 +MLINKS+= RSA_get0_key.3 RSA_set0_multi_prime_params.3 +MLINKS+= RSA_get0_key.3 RSA_set_flags.3 +MLINKS+= RSA_get0_key.3 RSA_test_flags.3 +MLINKS+= RSA_meth_new.3 RSA_meth_dup.3 +MLINKS+= RSA_meth_new.3 RSA_meth_free.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get0_app_data.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get0_name.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_bn_mod_exp.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_finish.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_flags.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_init.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_keygen.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_mod_exp.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_multi_prime_keygen.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_priv_dec.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_priv_enc.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_pub_dec.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_pub_enc.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_sign.3 +MLINKS+= RSA_meth_new.3 RSA_meth_get_verify.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set0_app_data.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set1_name.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_bn_mod_exp.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_finish.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_flags.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_init.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_keygen.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_mod_exp.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_multi_prime_keygen.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_priv_dec.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_priv_enc.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_pub_dec.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_pub_enc.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_sign.3 +MLINKS+= RSA_meth_new.3 RSA_meth_set_verify.3 MLINKS+= RSA_new.3 RSA_free.3 MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_add_PKCS1_OAEP.3 MLINKS+= RSA_padding_add_PKCS1_type_1.3 RSA_padding_add_PKCS1_type_2.3 @@ -881,15 +2251,628 @@ MLINKS+= RSA_print.3 DSAparams_print_fp.3 MLINKS+= RSA_print.3 RSA_print_fp.3 MLINKS+= RSA_private_encrypt.3 RSA_public_decrypt.3 MLINKS+= RSA_public_encrypt.3 RSA_private_decrypt.3 -MLINKS+= RSA_set_method.3 RSA_PKCS1_SSLeay.3 +MLINKS+= RSA_set_method.3 RSA_PKCS1_OpenSSL.3 MLINKS+= RSA_set_method.3 RSA_flags.3 MLINKS+= RSA_set_method.3 RSA_get_default_method.3 MLINKS+= RSA_set_method.3 RSA_get_method.3 MLINKS+= RSA_set_method.3 RSA_new_method.3 -MLINKS+= RSA_set_method.3 RSA_null_method.3 MLINKS+= RSA_set_method.3 RSA_set_default_method.3 MLINKS+= RSA_sign.3 RSA_verify.3 MLINKS+= RSA_sign_ASN1_OCTET_STRING.3 RSA_verify_ASN1_OCTET_STRING.3 +MLINKS+= RSA_size.3 RSA_bits.3 +MLINKS+= RSA_size.3 RSA_security_bits.3 +MLINKS+= SCT_new.3 SCT_LIST_free.3 +MLINKS+= SCT_new.3 SCT_free.3 +MLINKS+= SCT_new.3 SCT_get0_extensions.3 +MLINKS+= SCT_new.3 SCT_get0_log_id.3 +MLINKS+= SCT_new.3 SCT_get0_signature.3 +MLINKS+= SCT_new.3 SCT_get_log_entry_type.3 +MLINKS+= SCT_new.3 SCT_get_signature_nid.3 +MLINKS+= SCT_new.3 SCT_get_source.3 +MLINKS+= SCT_new.3 SCT_get_timestamp.3 +MLINKS+= SCT_new.3 SCT_get_version.3 +MLINKS+= SCT_new.3 SCT_new_from_base64.3 +MLINKS+= SCT_new.3 SCT_set0_extensions.3 +MLINKS+= SCT_new.3 SCT_set0_log_id.3 +MLINKS+= SCT_new.3 SCT_set0_signature.3 +MLINKS+= SCT_new.3 SCT_set1_extensions.3 +MLINKS+= SCT_new.3 SCT_set1_log_id.3 +MLINKS+= SCT_new.3 SCT_set1_signature.3 +MLINKS+= SCT_new.3 SCT_set_log_entry_type.3 +MLINKS+= SCT_new.3 SCT_set_signature_nid.3 +MLINKS+= SCT_new.3 SCT_set_source.3 +MLINKS+= SCT_new.3 SCT_set_timestamp.3 +MLINKS+= SCT_new.3 SCT_set_version.3 +MLINKS+= SCT_print.3 SCT_LIST_print.3 +MLINKS+= SCT_print.3 SCT_validation_status_string.3 +MLINKS+= SCT_validate.3 SCT_LIST_validate.3 +MLINKS+= SCT_validate.3 SCT_get_validation_status.3 +MLINKS+= SHA256_Init.3 SHA1.3 +MLINKS+= SHA256_Init.3 SHA1_Final.3 +MLINKS+= SHA256_Init.3 SHA1_Init.3 +MLINKS+= SHA256_Init.3 SHA1_Update.3 +MLINKS+= SHA256_Init.3 SHA224.3 +MLINKS+= SHA256_Init.3 SHA224_Final.3 +MLINKS+= SHA256_Init.3 SHA224_Init.3 +MLINKS+= SHA256_Init.3 SHA224_Update.3 +MLINKS+= SHA256_Init.3 SHA256.3 +MLINKS+= SHA256_Init.3 SHA256_Final.3 +MLINKS+= SHA256_Init.3 SHA256_Update.3 +MLINKS+= SHA256_Init.3 SHA384.3 +MLINKS+= SHA256_Init.3 SHA384_Final.3 +MLINKS+= SHA256_Init.3 SHA384_Init.3 +MLINKS+= SHA256_Init.3 SHA384_Update.3 +MLINKS+= SHA256_Init.3 SHA512.3 +MLINKS+= SHA256_Init.3 SHA512_Final.3 +MLINKS+= SHA256_Init.3 SHA512_Init.3 +MLINKS+= SHA256_Init.3 SHA512_Update.3 +MLINKS+= SSL_CIPHER_get_name.3 OPENSSL_cipher_name.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_description.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_find.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_auth_nid.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_bits.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_cipher_nid.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_digest_nid.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_handshake_digest.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_id.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_kx_nid.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_protocol_id.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_version.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_is_aead.3 +MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_standard_name.3 +MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_free_compression_methods.3 +MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_get0_name.3 +MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_get_compression_methods.3 +MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_get_id.3 +MLINKS+= SSL_CONF_CTX_new.3 SSL_CONF_CTX_free.3 +MLINKS+= SSL_CONF_CTX_set_flags.3 SSL_CONF_CTX_clear_flags.3 +MLINKS+= SSL_CONF_CTX_set_ssl_ctx.3 SSL_CONF_CTX_set_ssl.3 +MLINKS+= SSL_CONF_cmd.3 SSL_CONF_cmd_value_type.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_add0_chain_cert.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_build_cert_chain.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_clear_chain_certs.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_get0_chain_certs.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_select_current_cert.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set0_chain.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set1_chain.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set_current_cert.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_add0_chain_cert.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_add1_chain_cert.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_build_cert_chain.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_clear_chain_certs.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_get0_chain_certs.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_select_current_cert.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set0_chain.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set1_chain.3 +MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set_current_cert.3 +MLINKS+= SSL_CTX_add_extra_chain_cert.3 SSL_CTX_clear_extra_chain_certs.3 +MLINKS+= SSL_CTX_add_session.3 SSL_CTX_remove_session.3 +MLINKS+= SSL_CTX_config.3 SSL_config.3 +MLINKS+= SSL_CTX_ctrl.3 SSL_CTX_callback_ctrl.3 +MLINKS+= SSL_CTX_ctrl.3 SSL_callback_ctrl.3 +MLINKS+= SSL_CTX_ctrl.3 SSL_ctrl.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_CTX_dane_clear_flags.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_CTX_dane_mtype_set.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_CTX_dane_set_flags.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_dane_clear_flags.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_dane_enable.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_dane_set_flags.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_dane_tlsa_add.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_get0_dane_authority.3 +MLINKS+= SSL_CTX_dane_enable.3 SSL_get0_dane_tlsa.3 +MLINKS+= SSL_CTX_get0_param.3 SSL_CTX_set1_param.3 +MLINKS+= SSL_CTX_get0_param.3 SSL_get0_param.3 +MLINKS+= SSL_CTX_get0_param.3 SSL_set1_param.3 +MLINKS+= SSL_CTX_get_verify_mode.3 SSL_CTX_get_verify_callback.3 +MLINKS+= SSL_CTX_get_verify_mode.3 SSL_CTX_get_verify_depth.3 +MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_callback.3 +MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_depth.3 +MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_mode.3 +MLINKS+= SSL_CTX_load_verify_locations.3 SSL_CTX_set_default_verify_dir.3 +MLINKS+= SSL_CTX_load_verify_locations.3 SSL_CTX_set_default_verify_file.3 +MLINKS+= SSL_CTX_load_verify_locations.3 SSL_CTX_set_default_verify_paths.3 +MLINKS+= SSL_CTX_new.3 DTLS_client_method.3 +MLINKS+= SSL_CTX_new.3 DTLS_method.3 +MLINKS+= SSL_CTX_new.3 DTLS_server_method.3 +MLINKS+= SSL_CTX_new.3 DTLSv1_2_client_method.3 +MLINKS+= SSL_CTX_new.3 DTLSv1_2_method.3 +MLINKS+= SSL_CTX_new.3 DTLSv1_2_server_method.3 +MLINKS+= SSL_CTX_new.3 DTLSv1_client_method.3 +MLINKS+= SSL_CTX_new.3 DTLSv1_method.3 +MLINKS+= SSL_CTX_new.3 DTLSv1_server_method.3 +MLINKS+= SSL_CTX_new.3 SSL_CTX_up_ref.3 +MLINKS+= SSL_CTX_new.3 SSLv23_client_method.3 +MLINKS+= SSL_CTX_new.3 SSLv23_method.3 +MLINKS+= SSL_CTX_new.3 SSLv23_server_method.3 +MLINKS+= SSL_CTX_new.3 SSLv3_client_method.3 +MLINKS+= SSL_CTX_new.3 SSLv3_method.3 +MLINKS+= SSL_CTX_new.3 SSLv3_server_method.3 +MLINKS+= SSL_CTX_new.3 TLS_client_method.3 +MLINKS+= SSL_CTX_new.3 TLS_method.3 +MLINKS+= SSL_CTX_new.3 TLS_server_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_1_client_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_1_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_1_server_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_2_client_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_2_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_2_server_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_client_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_method.3 +MLINKS+= SSL_CTX_new.3 TLSv1_server_method.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept_good.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept_renegotiate.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_cache_full.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_cb_hits.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect_good.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect_renegotiate.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_hits.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_misses.3 +MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_timeouts.3 +MLINKS+= SSL_CTX_sess_set_cache_size.3 SSL_CTX_sess_get_cache_size.3 +MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_get_cb.3 +MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_new_cb.3 +MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_remove_cb.3 +MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_set_new_cb.3 +MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_set_remove_cb.3 +MLINKS+= SSL_CTX_set0_CA_list.3 SSL_CTX_add1_to_CA_list.3 +MLINKS+= SSL_CTX_set0_CA_list.3 SSL_CTX_get0_CA_list.3 +MLINKS+= SSL_CTX_set0_CA_list.3 SSL_add1_to_CA_list.3 +MLINKS+= SSL_CTX_set0_CA_list.3 SSL_get0_CA_list.3 +MLINKS+= SSL_CTX_set0_CA_list.3 SSL_get0_peer_CA_list.3 +MLINKS+= SSL_CTX_set0_CA_list.3 SSL_set0_CA_list.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_CTX_set1_curves_list.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_CTX_set1_groups.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_CTX_set1_groups_list.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_get1_curves.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_get1_groups.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_get_shared_curve.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_get_shared_group.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_curves.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_curves_list.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_groups.3 +MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_groups_list.3 +MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_CTX_set1_client_sigalgs.3 +MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_CTX_set1_client_sigalgs_list.3 +MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_CTX_set1_sigalgs_list.3 +MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_set1_client_sigalgs.3 +MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_set1_client_sigalgs_list.3 +MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_set1_sigalgs.3 +MLINKS+= SSL_CTX_set1_sigalgs.3 SSL_set1_sigalgs_list.3 +MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set0_chain_cert_store.3 +MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set0_verify_cert_store.3 +MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set1_chain_cert_store.3 +MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set0_chain_cert_store.3 +MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set0_verify_cert_store.3 +MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set1_chain_cert_store.3 +MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set1_verify_cert_store.3 +MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_CTX_set_alpn_protos.3 +MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_CTX_set_next_proto_select_cb.3 +MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_CTX_set_next_protos_advertised_cb.3 +MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_get0_alpn_selected.3 +MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_get0_next_proto_negotiated.3 +MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_select_next_proto.3 +MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_set_alpn_protos.3 +MLINKS+= SSL_CTX_set_cert_cb.3 SSL_set_cert_cb.3 +MLINKS+= SSL_CTX_set_cert_store.3 SSL_CTX_get_cert_store.3 +MLINKS+= SSL_CTX_set_cert_store.3 SSL_CTX_set1_cert_store.3 +MLINKS+= SSL_CTX_set_cipher_list.3 SSL_CTX_set_ciphersuites.3 +MLINKS+= SSL_CTX_set_cipher_list.3 SSL_set_cipher_list.3 +MLINKS+= SSL_CTX_set_cipher_list.3 SSL_set_ciphersuites.3 +MLINKS+= SSL_CTX_set_client_CA_list.3 SSL_CTX_add_client_CA.3 +MLINKS+= SSL_CTX_set_client_CA_list.3 SSL_add_client_CA.3 +MLINKS+= SSL_CTX_set_client_CA_list.3 SSL_set_client_CA_list.3 +MLINKS+= SSL_CTX_set_client_cert_cb.3 SSL_CTX_get_client_cert_cb.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_cb_fn.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_ciphers.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_compression_methods.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_ext.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_legacy_version.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_random.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get0_session_id.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_get1_extensions_present.3 +MLINKS+= SSL_CTX_set_client_hello_cb.3 SSL_client_hello_isv2.3 +MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_CTX_ct_is_enabled.3 +MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_CTX_disable_ct.3 +MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_CTX_enable_ct.3 +MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_ct_is_enabled.3 +MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_disable_ct.3 +MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_enable_ct.3 +MLINKS+= SSL_CTX_set_ct_validation_callback.3 SSL_set_ct_validation_callback.3 +MLINKS+= SSL_CTX_set_ct_validation_callback.3 ssl_ct_validation_cb.3 +MLINKS+= SSL_CTX_set_ctlog_list_file.3 SSL_CTX_set_default_ctlog_list_file.3 +MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_CTX_get_default_passwd_cb.3 +MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_CTX_get_default_passwd_cb_userdata.3 +MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_CTX_set_default_passwd_cb_userdata.3 +MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_get_default_passwd_cb.3 +MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_get_default_passwd_cb_userdata.3 +MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_set_default_passwd_cb.3 +MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_set_default_passwd_cb_userdata.3 +MLINKS+= SSL_CTX_set_ex_data.3 SSL_CTX_get_ex_data.3 +MLINKS+= SSL_CTX_set_ex_data.3 SSL_get_ex_data.3 +MLINKS+= SSL_CTX_set_ex_data.3 SSL_set_ex_data.3 +MLINKS+= SSL_CTX_set_generate_session_id.3 GEN_SESSION_CB.3 +MLINKS+= SSL_CTX_set_generate_session_id.3 SSL_has_matching_session_id.3 +MLINKS+= SSL_CTX_set_generate_session_id.3 SSL_set_generate_session_id.3 +MLINKS+= SSL_CTX_set_info_callback.3 SSL_CTX_get_info_callback.3 +MLINKS+= SSL_CTX_set_info_callback.3 SSL_get_info_callback.3 +MLINKS+= SSL_CTX_set_info_callback.3 SSL_set_info_callback.3 +MLINKS+= SSL_CTX_set_keylog_callback.3 SSL_CTX_get_keylog_callback.3 +MLINKS+= SSL_CTX_set_keylog_callback.3 SSL_CTX_keylog_cb_func.3 +MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_CTX_get_max_cert_list.3 +MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_get_max_cert_list.3 +MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_set_max_cert_list.3 +MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_CTX_get_max_proto_version.3 +MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_CTX_get_min_proto_version.3 +MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_CTX_set_max_proto_version.3 +MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_get_max_proto_version.3 +MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_get_min_proto_version.3 +MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_set_max_proto_version.3 +MLINKS+= SSL_CTX_set_min_proto_version.3 SSL_set_min_proto_version.3 +MLINKS+= SSL_CTX_set_mode.3 SSL_CTX_clear_mode.3 +MLINKS+= SSL_CTX_set_mode.3 SSL_CTX_get_mode.3 +MLINKS+= SSL_CTX_set_mode.3 SSL_clear_mode.3 +MLINKS+= SSL_CTX_set_mode.3 SSL_get_mode.3 +MLINKS+= SSL_CTX_set_mode.3 SSL_set_mode.3 +MLINKS+= SSL_CTX_set_msg_callback.3 SSL_CTX_set_msg_callback_arg.3 +MLINKS+= SSL_CTX_set_msg_callback.3 SSL_set_msg_callback.3 +MLINKS+= SSL_CTX_set_msg_callback.3 SSL_set_msg_callback_arg.3 +MLINKS+= SSL_CTX_set_num_tickets.3 SSL_CTX_get_num_tickets.3 +MLINKS+= SSL_CTX_set_num_tickets.3 SSL_get_num_tickets.3 +MLINKS+= SSL_CTX_set_num_tickets.3 SSL_set_num_tickets.3 +MLINKS+= SSL_CTX_set_options.3 SSL_CTX_clear_options.3 +MLINKS+= SSL_CTX_set_options.3 SSL_CTX_get_options.3 +MLINKS+= SSL_CTX_set_options.3 SSL_clear_options.3 +MLINKS+= SSL_CTX_set_options.3 SSL_get_options.3 +MLINKS+= SSL_CTX_set_options.3 SSL_get_secure_renegotiation_support.3 +MLINKS+= SSL_CTX_set_options.3 SSL_set_options.3 +MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_CTX_set_psk_use_session_callback.3 +MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_psk_client_cb_func.3 +MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_psk_use_session_cb_func.3 +MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_set_psk_client_callback.3 +MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_set_psk_use_session_callback.3 +MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_CTX_get_quiet_shutdown.3 +MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_get_quiet_shutdown.3 +MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_set_quiet_shutdown.3 +MLINKS+= SSL_CTX_set_read_ahead.3 SSL_CTX_get_default_read_ahead.3 +MLINKS+= SSL_CTX_set_read_ahead.3 SSL_CTX_get_read_ahead.3 +MLINKS+= SSL_CTX_set_read_ahead.3 SSL_get_read_ahead.3 +MLINKS+= SSL_CTX_set_read_ahead.3 SSL_set_read_ahead.3 +MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_CTX_get_record_padding_callback_arg.3 +MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_CTX_set_block_padding.3 +MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_CTX_set_record_padding_callback_arg.3 +MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_get_record_padding_callback_arg.3 +MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_set_block_padding.3 +MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_set_record_padding_callback.3 +MLINKS+= SSL_CTX_set_record_padding_callback.3 SSL_set_record_padding_callback_arg.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_get0_security_ex_data.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_get_security_callback.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_get_security_level.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_set0_security_ex_data.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_CTX_set_security_callback.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_get0_security_ex_data.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_get_security_callback.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_get_security_level.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_set0_security_ex_data.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_set_security_callback.3 +MLINKS+= SSL_CTX_set_security_level.3 SSL_set_security_level.3 +MLINKS+= SSL_CTX_set_session_cache_mode.3 SSL_CTX_get_session_cache_mode.3 +MLINKS+= SSL_CTX_set_session_id_context.3 SSL_set_session_id_context.3 +MLINKS+= SSL_CTX_set_session_ticket_cb.3 SSL_CTX_decrypt_session_ticket_fn.3 +MLINKS+= SSL_CTX_set_session_ticket_cb.3 SSL_CTX_generate_session_ticket_fn.3 +MLINKS+= SSL_CTX_set_session_ticket_cb.3 SSL_SESSION_get0_ticket_appdata.3 +MLINKS+= SSL_CTX_set_session_ticket_cb.3 SSL_SESSION_set1_ticket_appdata.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_CTX_set_default_read_buffer_len.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_CTX_set_max_pipelines.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_CTX_set_max_send_fragment.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_CTX_set_tlsext_max_fragment_length.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_SESSION_get_max_fragment_length.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_default_read_buffer_len.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_max_pipelines.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_max_send_fragment.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_split_send_fragment.3 +MLINKS+= SSL_CTX_set_split_send_fragment.3 SSL_set_tlsext_max_fragment_length.3 +MLINKS+= SSL_CTX_set_ssl_version.3 SSL_get_ssl_method.3 +MLINKS+= SSL_CTX_set_ssl_version.3 SSL_set_ssl_method.3 +MLINKS+= SSL_CTX_set_stateless_cookie_generate_cb.3 SSL_CTX_set_stateless_cookie_verify_cb.3 +MLINKS+= SSL_CTX_set_timeout.3 SSL_CTX_get_timeout.3 +MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_CTX_set_tlsext_servername_arg.3 +MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_get_servername.3 +MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_get_servername_type.3 +MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_set_tlsext_host_name.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_get_tlsext_status_arg.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_get_tlsext_status_cb.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_get_tlsext_status_type.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_set_tlsext_status_arg.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_set_tlsext_status_type.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_get_tlsext_status_ocsp_resp.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_get_tlsext_status_type.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_set_tlsext_status_ocsp_resp.3 +MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_set_tlsext_status_type.3 +MLINKS+= SSL_CTX_set_tlsext_use_srtp.3 SSL_get_selected_srtp_profile.3 +MLINKS+= SSL_CTX_set_tlsext_use_srtp.3 SSL_get_srtp_profiles.3 +MLINKS+= SSL_CTX_set_tlsext_use_srtp.3 SSL_set_tlsext_use_srtp.3 +MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_CTX_set_tmp_dh.3 +MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_set_tmp_dh.3 +MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_set_tmp_dh_callback.3 +MLINKS+= SSL_CTX_set_verify.3 SSL_CTX_set_post_handshake_auth.3 +MLINKS+= SSL_CTX_set_verify.3 SSL_CTX_set_verify_depth.3 +MLINKS+= SSL_CTX_set_verify.3 SSL_get_ex_data_X509_STORE_CTX_idx.3 +MLINKS+= SSL_CTX_set_verify.3 SSL_set_post_handshake_auth.3 +MLINKS+= SSL_CTX_set_verify.3 SSL_set_verify.3 +MLINKS+= SSL_CTX_set_verify.3 SSL_set_verify_depth.3 +MLINKS+= SSL_CTX_set_verify.3 SSL_verify_cb.3 +MLINKS+= SSL_CTX_set_verify.3 SSL_verify_client_post_handshake.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_check_private_key.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey_ASN1.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey_file.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey_ASN1.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey_file.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_cert_and_key.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_ASN1.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_chain_file.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_file.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_check_private_key.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey_ASN1.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey_file.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey_ASN1.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey_file.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_cert_and_key.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate_ASN1.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate_chain_file.3 +MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate_file.3 +MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_CTX_set_psk_find_session_callback.3 +MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_CTX_set_psk_server_callback.3 +MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_psk_find_session_cb_func.3 +MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_psk_server_cb_func.3 +MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_set_psk_find_session_callback.3 +MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_set_psk_server_callback.3 +MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_use_psk_identity_hint.3 +MLINKS+= SSL_CTX_use_serverinfo.3 SSL_CTX_use_serverinfo_ex.3 +MLINKS+= SSL_CTX_use_serverinfo.3 SSL_CTX_use_serverinfo_file.3 +MLINKS+= SSL_SESSION_free.3 SSL_SESSION_dup.3 +MLINKS+= SSL_SESSION_free.3 SSL_SESSION_new.3 +MLINKS+= SSL_SESSION_free.3 SSL_SESSION_up_ref.3 +MLINKS+= SSL_SESSION_get0_cipher.3 SSL_SESSION_set_cipher.3 +MLINKS+= SSL_SESSION_get0_hostname.3 SSL_SESSION_get0_alpn_selected.3 +MLINKS+= SSL_SESSION_get0_hostname.3 SSL_SESSION_set1_alpn_selected.3 +MLINKS+= SSL_SESSION_get0_hostname.3 SSL_SESSION_set1_hostname.3 +MLINKS+= SSL_SESSION_get0_id_context.3 SSL_SESSION_set1_id_context.3 +MLINKS+= SSL_SESSION_get_ex_data.3 SSL_SESSION_set_ex_data.3 +MLINKS+= SSL_SESSION_get_protocol_version.3 SSL_SESSION_set_protocol_version.3 +MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_get_timeout.3 +MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_set_time.3 +MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_set_timeout.3 +MLINKS+= SSL_SESSION_get_time.3 SSL_get_time.3 +MLINKS+= SSL_SESSION_get_time.3 SSL_get_timeout.3 +MLINKS+= SSL_SESSION_get_time.3 SSL_set_time.3 +MLINKS+= SSL_SESSION_get_time.3 SSL_set_timeout.3 +MLINKS+= SSL_SESSION_has_ticket.3 SSL_SESSION_get0_ticket.3 +MLINKS+= SSL_SESSION_has_ticket.3 SSL_SESSION_get_ticket_lifetime_hint.3 +MLINKS+= SSL_SESSION_print.3 SSL_SESSION_print_fp.3 +MLINKS+= SSL_SESSION_print.3 SSL_SESSION_print_keylog.3 +MLINKS+= SSL_SESSION_set1_id.3 SSL_SESSION_get_id.3 +MLINKS+= SSL_alert_type_string.3 SSL_alert_desc_string.3 +MLINKS+= SSL_alert_type_string.3 SSL_alert_desc_string_long.3 +MLINKS+= SSL_alert_type_string.3 SSL_alert_type_string_long.3 +MLINKS+= SSL_alloc_buffers.3 SSL_free_buffers.3 +MLINKS+= SSL_export_keying_material.3 SSL_export_keying_material_early.3 +MLINKS+= SSL_extension_supported.3 SSL_CTX_add_client_custom_ext.3 +MLINKS+= SSL_extension_supported.3 SSL_CTX_add_custom_ext.3 +MLINKS+= SSL_extension_supported.3 SSL_CTX_add_server_custom_ext.3 +MLINKS+= SSL_extension_supported.3 custom_ext_add_cb.3 +MLINKS+= SSL_extension_supported.3 custom_ext_free_cb.3 +MLINKS+= SSL_extension_supported.3 custom_ext_parse_cb.3 +MLINKS+= SSL_get_all_async_fds.3 SSL_get_changed_async_fds.3 +MLINKS+= SSL_get_all_async_fds.3 SSL_waiting_for_async.3 +MLINKS+= SSL_get_ciphers.3 SSL_CTX_get_ciphers.3 +MLINKS+= SSL_get_ciphers.3 SSL_bytes_to_cipher_list.3 +MLINKS+= SSL_get_ciphers.3 SSL_get1_supported_ciphers.3 +MLINKS+= SSL_get_ciphers.3 SSL_get_cipher_list.3 +MLINKS+= SSL_get_ciphers.3 SSL_get_client_ciphers.3 +MLINKS+= SSL_get_ciphers.3 SSL_get_shared_ciphers.3 +MLINKS+= SSL_get_client_CA_list.3 SSL_CTX_get_client_CA_list.3 +MLINKS+= SSL_get_client_random.3 SSL_SESSION_get_master_key.3 +MLINKS+= SSL_get_client_random.3 SSL_SESSION_set1_master_key.3 +MLINKS+= SSL_get_client_random.3 SSL_get_server_random.3 +MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher.3 +MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_bits.3 +MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_name.3 +MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_version.3 +MLINKS+= SSL_get_current_cipher.3 SSL_get_pending_cipher.3 +MLINKS+= SSL_get_fd.3 SSL_get_rfd.3 +MLINKS+= SSL_get_fd.3 SSL_get_wfd.3 +MLINKS+= SSL_get_peer_cert_chain.3 SSL_get0_verified_chain.3 +MLINKS+= SSL_get_peer_signature_nid.3 SSL_get_peer_signature_type_nid.3 +MLINKS+= SSL_get_psk_identity.3 SSL_get_psk_identity_hint.3 +MLINKS+= SSL_get_rbio.3 SSL_get_wbio.3 +MLINKS+= SSL_get_session.3 SSL_get0_session.3 +MLINKS+= SSL_get_session.3 SSL_get1_session.3 +MLINKS+= SSL_get_shared_sigalgs.3 SSL_get_sigalgs.3 +MLINKS+= SSL_get_version.3 SSL_client_version.3 +MLINKS+= SSL_get_version.3 SSL_is_dtls.3 +MLINKS+= SSL_get_version.3 SSL_version.3 +MLINKS+= SSL_in_init.3 SSL_get_state.3 +MLINKS+= SSL_in_init.3 SSL_in_accept_init.3 +MLINKS+= SSL_in_init.3 SSL_in_before.3 +MLINKS+= SSL_in_init.3 SSL_in_connect_init.3 +MLINKS+= SSL_in_init.3 SSL_is_init_finished.3 +MLINKS+= SSL_key_update.3 SSL_get_key_update_type.3 +MLINKS+= SSL_key_update.3 SSL_renegotiate.3 +MLINKS+= SSL_key_update.3 SSL_renegotiate_abbreviated.3 +MLINKS+= SSL_key_update.3 SSL_renegotiate_pending.3 +MLINKS+= SSL_library_init.3 OpenSSL_add_ssl_algorithms.3 +MLINKS+= SSL_new.3 SSL_dup.3 +MLINKS+= SSL_new.3 SSL_up_ref.3 +MLINKS+= SSL_pending.3 SSL_has_pending.3 +MLINKS+= SSL_read.3 SSL_peek.3 +MLINKS+= SSL_read.3 SSL_peek_ex.3 +MLINKS+= SSL_read.3 SSL_read_ex.3 +MLINKS+= SSL_read_early_data.3 SSL_CTX_get_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_CTX_get_recv_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_CTX_set_allow_early_data_cb.3 +MLINKS+= SSL_read_early_data.3 SSL_CTX_set_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_CTX_set_recv_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_SESSION_get_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_SESSION_set_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_allow_early_data_cb_fn.3 +MLINKS+= SSL_read_early_data.3 SSL_get_early_data_status.3 +MLINKS+= SSL_read_early_data.3 SSL_get_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_get_recv_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_set_allow_early_data_cb.3 +MLINKS+= SSL_read_early_data.3 SSL_set_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_set_recv_max_early_data.3 +MLINKS+= SSL_read_early_data.3 SSL_write_early_data.3 +MLINKS+= SSL_rstate_string.3 SSL_rstate_string_long.3 +MLINKS+= SSL_set1_host.3 SSL_add1_host.3 +MLINKS+= SSL_set1_host.3 SSL_get0_peername.3 +MLINKS+= SSL_set1_host.3 SSL_set_hostflags.3 +MLINKS+= SSL_set_bio.3 SSL_set0_rbio.3 +MLINKS+= SSL_set_bio.3 SSL_set0_wbio.3 +MLINKS+= SSL_set_connect_state.3 SSL_is_server.3 +MLINKS+= SSL_set_connect_state.3 SSL_set_accept_state.3 +MLINKS+= SSL_set_fd.3 SSL_set_rfd.3 +MLINKS+= SSL_set_fd.3 SSL_set_wfd.3 +MLINKS+= SSL_set_shutdown.3 SSL_get_shutdown.3 +MLINKS+= SSL_state_string.3 SSL_state_string_long.3 +MLINKS+= SSL_want.3 SSL_want_async.3 +MLINKS+= SSL_want.3 SSL_want_async_job.3 +MLINKS+= SSL_want.3 SSL_want_client_hello_cb.3 +MLINKS+= SSL_want.3 SSL_want_nothing.3 +MLINKS+= SSL_want.3 SSL_want_read.3 +MLINKS+= SSL_want.3 SSL_want_write.3 +MLINKS+= SSL_want.3 SSL_want_x509_lookup.3 +MLINKS+= SSL_write.3 SSL_write_ex.3 +MLINKS+= UI_STRING.3 UI_get0_action_string.3 +MLINKS+= UI_STRING.3 UI_get0_output_string.3 +MLINKS+= UI_STRING.3 UI_get0_result_string.3 +MLINKS+= UI_STRING.3 UI_get0_test_string.3 +MLINKS+= UI_STRING.3 UI_get_input_flags.3 +MLINKS+= UI_STRING.3 UI_get_result_maxsize.3 +MLINKS+= UI_STRING.3 UI_get_result_minsize.3 +MLINKS+= UI_STRING.3 UI_get_result_string_length.3 +MLINKS+= UI_STRING.3 UI_get_string_type.3 +MLINKS+= UI_STRING.3 UI_set_result.3 +MLINKS+= UI_STRING.3 UI_set_result_ex.3 +MLINKS+= UI_STRING.3 UI_string_types.3 +MLINKS+= UI_UTIL_read_pw.3 UI_UTIL_read_pw_string.3 +MLINKS+= UI_UTIL_read_pw.3 UI_UTIL_wrap_read_pem_callback.3 +MLINKS+= UI_create_method.3 UI_METHOD.3 +MLINKS+= UI_create_method.3 UI_destroy_method.3 +MLINKS+= UI_create_method.3 UI_method_get_closer.3 +MLINKS+= UI_create_method.3 UI_method_get_data_destructor.3 +MLINKS+= UI_create_method.3 UI_method_get_data_duplicator.3 +MLINKS+= UI_create_method.3 UI_method_get_ex_data.3 +MLINKS+= UI_create_method.3 UI_method_get_flusher.3 +MLINKS+= UI_create_method.3 UI_method_get_opener.3 +MLINKS+= UI_create_method.3 UI_method_get_prompt_constructor.3 +MLINKS+= UI_create_method.3 UI_method_get_reader.3 +MLINKS+= UI_create_method.3 UI_method_get_writer.3 +MLINKS+= UI_create_method.3 UI_method_set_closer.3 +MLINKS+= UI_create_method.3 UI_method_set_data_duplicator.3 +MLINKS+= UI_create_method.3 UI_method_set_ex_data.3 +MLINKS+= UI_create_method.3 UI_method_set_flusher.3 +MLINKS+= UI_create_method.3 UI_method_set_opener.3 +MLINKS+= UI_create_method.3 UI_method_set_prompt_constructor.3 +MLINKS+= UI_create_method.3 UI_method_set_reader.3 +MLINKS+= UI_create_method.3 UI_method_set_writer.3 +MLINKS+= UI_new.3 UI.3 +MLINKS+= UI_new.3 UI_OpenSSL.3 +MLINKS+= UI_new.3 UI_add_error_string.3 +MLINKS+= UI_new.3 UI_add_info_string.3 +MLINKS+= UI_new.3 UI_add_input_boolean.3 +MLINKS+= UI_new.3 UI_add_input_string.3 +MLINKS+= UI_new.3 UI_add_user_data.3 +MLINKS+= UI_new.3 UI_add_verify_string.3 +MLINKS+= UI_new.3 UI_construct_prompt.3 +MLINKS+= UI_new.3 UI_ctrl.3 +MLINKS+= UI_new.3 UI_dup_error_string.3 +MLINKS+= UI_new.3 UI_dup_info_string.3 +MLINKS+= UI_new.3 UI_dup_input_boolean.3 +MLINKS+= UI_new.3 UI_dup_input_string.3 +MLINKS+= UI_new.3 UI_dup_user_data.3 +MLINKS+= UI_new.3 UI_dup_verify_string.3 +MLINKS+= UI_new.3 UI_free.3 +MLINKS+= UI_new.3 UI_get0_result.3 +MLINKS+= UI_new.3 UI_get0_user_data.3 +MLINKS+= UI_new.3 UI_get_default_method.3 +MLINKS+= UI_new.3 UI_get_method.3 +MLINKS+= UI_new.3 UI_get_result_length.3 +MLINKS+= UI_new.3 UI_new_method.3 +MLINKS+= UI_new.3 UI_null.3 +MLINKS+= UI_new.3 UI_process.3 +MLINKS+= UI_new.3 UI_set_default_method.3 +MLINKS+= UI_new.3 UI_set_method.3 +MLINKS+= X509V3_get_d2i.3 X509V3_EXT_d2i.3 +MLINKS+= X509V3_get_d2i.3 X509V3_EXT_i2d.3 +MLINKS+= X509V3_get_d2i.3 X509V3_add1_i2d.3 +MLINKS+= X509V3_get_d2i.3 X509_CRL_add1_ext_i2d.3 +MLINKS+= X509V3_get_d2i.3 X509_CRL_get0_extensions.3 +MLINKS+= X509V3_get_d2i.3 X509_CRL_get_ext_d2i.3 +MLINKS+= X509V3_get_d2i.3 X509_REVOKED_add1_ext_i2d.3 +MLINKS+= X509V3_get_d2i.3 X509_REVOKED_get0_extensions.3 +MLINKS+= X509V3_get_d2i.3 X509_REVOKED_get_ext_d2i.3 +MLINKS+= X509V3_get_d2i.3 X509_add1_ext_i2d.3 +MLINKS+= X509V3_get_d2i.3 X509_get0_extensions.3 +MLINKS+= X509V3_get_d2i.3 X509_get_ext_d2i.3 +MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_cmp.3 +MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_get0.3 +MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_set0.3 +MLINKS+= X509_ALGOR_dup.3 X509_ALGOR_set_md.3 +MLINKS+= X509_CRL_get0_by_serial.3 X509_CRL_add0_revoked.3 +MLINKS+= X509_CRL_get0_by_serial.3 X509_CRL_get0_by_cert.3 +MLINKS+= X509_CRL_get0_by_serial.3 X509_CRL_get_REVOKED.3 +MLINKS+= X509_CRL_get0_by_serial.3 X509_CRL_sort.3 +MLINKS+= X509_CRL_get0_by_serial.3 X509_REVOKED_get0_revocationDate.3 +MLINKS+= X509_CRL_get0_by_serial.3 X509_REVOKED_get0_serialNumber.3 +MLINKS+= X509_CRL_get0_by_serial.3 X509_REVOKED_set_revocationDate.3 +MLINKS+= X509_CRL_get0_by_serial.3 X509_REVOKED_set_serialNumber.3 +MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_create_by_NID.3 +MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_create_by_OBJ.3 +MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_get_critical.3 +MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_get_data.3 +MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_get_object.3 +MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_set_critical.3 +MLINKS+= X509_EXTENSION_set_object.3 X509_EXTENSION_set_data.3 +MLINKS+= X509_LOOKUP_hash_dir.3 X509_LOOKUP_file.3 +MLINKS+= X509_LOOKUP_hash_dir.3 X509_load_cert_crl_file.3 +MLINKS+= X509_LOOKUP_hash_dir.3 X509_load_cert_file.3 +MLINKS+= X509_LOOKUP_hash_dir.3 X509_load_crl_file.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_ctrl_fn.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_by_alias_fn.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_by_fingerprint_fn.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_by_issuer_serial_fn.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_by_subject_fn.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_method_data.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_get_store.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_free.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_ctrl.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_free.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_get_by_alias.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_get_by_fingerprint.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_get_by_issuer_serial.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_get_by_subject.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_init.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_new_item.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_get_shutdown.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_ctrl.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_free.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_get_by_alias.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_get_by_fingerprint.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_get_by_issuer_serial.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_get_by_subject.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_init.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_new_item.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_meth_set_shutdown.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_LOOKUP_set_method_data.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_OBJECT_set1_X509.3 +MLINKS+= X509_LOOKUP_meth_new.3 X509_OBJECT_set1_X509_CRL.3 MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_create_by_NID.3 MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_create_by_OBJ.3 MLINKS+= X509_NAME_ENTRY_get_object.3 X509_NAME_ENTRY_create_by_txt.3 @@ -908,37 +2891,123 @@ MLINKS+= X509_NAME_get_index_by_NID.3 X509_NAME_get_text_by_OBJ.3 MLINKS+= X509_NAME_print_ex.3 X509_NAME_oneline.3 MLINKS+= X509_NAME_print_ex.3 X509_NAME_print.3 MLINKS+= X509_NAME_print_ex.3 X509_NAME_print_ex_fp.3 +MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_free.3 +MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_get.3 +MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_get0.3 +MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_get0_param.3 +MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_set.3 +MLINKS+= X509_PUBKEY_new.3 X509_PUBKEY_set0_param.3 +MLINKS+= X509_PUBKEY_new.3 d2i_PUBKEY.3 +MLINKS+= X509_PUBKEY_new.3 d2i_PUBKEY_bio.3 +MLINKS+= X509_PUBKEY_new.3 d2i_PUBKEY_fp.3 +MLINKS+= X509_PUBKEY_new.3 i2d_PUBKEY.3 +MLINKS+= X509_PUBKEY_new.3 i2d_PUBKEY_bio.3 +MLINKS+= X509_PUBKEY_new.3 i2d_PUBKEY_fp.3 +MLINKS+= X509_SIG_get0.3 X509_SIG_getm.3 +MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_get0_cert.3 MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_get1_chain.3 MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_get_current_cert.3 MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_get_error_depth.3 +MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_set_current_cert.3 MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_set_error.3 +MLINKS+= X509_STORE_CTX_get_error.3 X509_STORE_CTX_set_error_depth.3 MLINKS+= X509_STORE_CTX_get_error.3 X509_verify_cert_error_string.3 -MLINKS+= X509_STORE_CTX_get_ex_new_index.3 X509_STORE_CTX_get_ex_data.3 -MLINKS+= X509_STORE_CTX_get_ex_new_index.3 X509_STORE_CTX_set_ex_data.3 MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_cleanup.3 MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_free.3 +MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_get0_chain.3 MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_get0_param.3 +MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_get0_untrusted.3 +MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_get_num_untrusted.3 MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_init.3 MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_crls.3 MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_param.3 +MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_trusted_stack.3 +MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_untrusted.3 +MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set0_verified_chain.3 MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_cert.3 -MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_chain.3 MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_default.3 -MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_trusted_stack.3 +MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_set_verify.3 +MLINKS+= X509_STORE_CTX_new.3 X509_STORE_CTX_verify_fn.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_cert_crl.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_check_crl.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_check_issued.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_check_policy.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_check_revocation.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_cleanup.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_get_crl.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_get_issuer.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_lookup_certs.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_lookup_crls.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_get_verify_cb.3 +MLINKS+= X509_STORE_CTX_set_verify_cb.3 X509_STORE_CTX_verify_cb.3 +MLINKS+= X509_STORE_add_cert.3 X509_STORE_add_crl.3 +MLINKS+= X509_STORE_add_cert.3 X509_STORE_load_locations.3 +MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_default_paths.3 +MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_depth.3 +MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_flags.3 +MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_purpose.3 +MLINKS+= X509_STORE_add_cert.3 X509_STORE_set_trust.3 +MLINKS+= X509_STORE_get0_param.3 X509_STORE_get0_objects.3 +MLINKS+= X509_STORE_get0_param.3 X509_STORE_set1_param.3 +MLINKS+= X509_STORE_new.3 X509_STORE_free.3 +MLINKS+= X509_STORE_new.3 X509_STORE_lock.3 +MLINKS+= X509_STORE_new.3 X509_STORE_unlock.3 +MLINKS+= X509_STORE_new.3 X509_STORE_up_ref.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_cert_crl_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_check_crl_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_check_issued_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_check_policy_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_check_revocation_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_cleanup_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_get_crl_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_get_issuer_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_get_verify.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_lookup_certs_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_CTX_lookup_crls_fn.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_cert_crl.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_check_crl.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_check_issued.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_check_policy.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_check_revocation.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_cleanup.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_get_crl.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_get_issuer.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_lookup_certs.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_lookup_crls.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_get_verify_cb.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_cert_crl.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_check_crl.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_check_issued.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_check_policy.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_check_revocation.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_cleanup.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_get_crl.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_get_issuer.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_lookup_certs.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_lookup_crls.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_lookup_crls_cb.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_verify.3 MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_verify_cb.3 +MLINKS+= X509_STORE_set_verify_cb_func.3 X509_STORE_set_verify_func.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_add0_policy.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_add1_host.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_clear_flags.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get0_peername.3 +MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_auth_level.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_depth.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_flags.3 +MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_hostflags.3 +MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_inh_flags.3 +MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_get_time.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_email.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_host.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_ip.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_ip_asc.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set1_policies.3 +MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_auth_level.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_depth.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_hostflags.3 +MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_inh_flags.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_purpose.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_time.3 MLINKS+= X509_VERIFY_PARAM_set_flags.3 X509_VERIFY_PARAM_set_trust.3 @@ -946,322 +3015,711 @@ MLINKS+= X509_check_host.3 X509_check_email.3 MLINKS+= X509_check_host.3 X509_check_ip.3 MLINKS+= X509_check_host.3 X509_check_ip_asc.3 MLINKS+= X509_check_private_key.3 X509_REQ_check_private_key.3 +MLINKS+= X509_cmp_time.3 X509_cmp_current_time.3 +MLINKS+= X509_cmp_time.3 X509_time_adj.3 +MLINKS+= X509_cmp_time.3 X509_time_adj_ex.3 +MLINKS+= X509_digest.3 PKCS7_ISSUER_AND_SERIAL_digest.3 +MLINKS+= X509_digest.3 X509_CRL_digest.3 +MLINKS+= X509_digest.3 X509_NAME_digest.3 +MLINKS+= X509_digest.3 X509_REQ_digest.3 +MLINKS+= X509_digest.3 X509_pubkey_digest.3 +MLINKS+= X509_dup.3 ACCESS_DESCRIPTION_free.3 +MLINKS+= X509_dup.3 ACCESS_DESCRIPTION_new.3 +MLINKS+= X509_dup.3 ADMISSIONS_free.3 +MLINKS+= X509_dup.3 ADMISSIONS_new.3 +MLINKS+= X509_dup.3 ADMISSION_SYNTAX_free.3 +MLINKS+= X509_dup.3 ADMISSION_SYNTAX_new.3 +MLINKS+= X509_dup.3 ASIdOrRange_free.3 +MLINKS+= X509_dup.3 ASIdOrRange_new.3 +MLINKS+= X509_dup.3 ASIdentifierChoice_free.3 +MLINKS+= X509_dup.3 ASIdentifierChoice_new.3 +MLINKS+= X509_dup.3 ASIdentifiers_free.3 +MLINKS+= X509_dup.3 ASIdentifiers_new.3 +MLINKS+= X509_dup.3 ASN1_ITEM.3 +MLINKS+= X509_dup.3 ASRange_free.3 +MLINKS+= X509_dup.3 ASRange_new.3 +MLINKS+= X509_dup.3 AUTHORITY_INFO_ACCESS_free.3 +MLINKS+= X509_dup.3 AUTHORITY_INFO_ACCESS_new.3 +MLINKS+= X509_dup.3 AUTHORITY_KEYID_free.3 +MLINKS+= X509_dup.3 AUTHORITY_KEYID_new.3 +MLINKS+= X509_dup.3 BASIC_CONSTRAINTS_free.3 +MLINKS+= X509_dup.3 BASIC_CONSTRAINTS_new.3 +MLINKS+= X509_dup.3 CERTIFICATEPOLICIES_free.3 +MLINKS+= X509_dup.3 CERTIFICATEPOLICIES_new.3 +MLINKS+= X509_dup.3 CMS_ContentInfo_free.3 +MLINKS+= X509_dup.3 CMS_ContentInfo_new.3 +MLINKS+= X509_dup.3 CMS_ContentInfo_print_ctx.3 +MLINKS+= X509_dup.3 CMS_ReceiptRequest_free.3 +MLINKS+= X509_dup.3 CMS_ReceiptRequest_new.3 +MLINKS+= X509_dup.3 CRL_DIST_POINTS_free.3 +MLINKS+= X509_dup.3 CRL_DIST_POINTS_new.3 +MLINKS+= X509_dup.3 DECLARE_ASN1_FUNCTIONS.3 +MLINKS+= X509_dup.3 DIRECTORYSTRING_free.3 +MLINKS+= X509_dup.3 DIRECTORYSTRING_new.3 +MLINKS+= X509_dup.3 DISPLAYTEXT_free.3 +MLINKS+= X509_dup.3 DISPLAYTEXT_new.3 +MLINKS+= X509_dup.3 DIST_POINT_NAME_free.3 +MLINKS+= X509_dup.3 DIST_POINT_NAME_new.3 +MLINKS+= X509_dup.3 DIST_POINT_free.3 +MLINKS+= X509_dup.3 DIST_POINT_new.3 +MLINKS+= X509_dup.3 DSAparams_dup.3 +MLINKS+= X509_dup.3 ECPARAMETERS_free.3 +MLINKS+= X509_dup.3 ECPARAMETERS_new.3 +MLINKS+= X509_dup.3 ECPKPARAMETERS_free.3 +MLINKS+= X509_dup.3 ECPKPARAMETERS_new.3 +MLINKS+= X509_dup.3 EDIPARTYNAME_free.3 +MLINKS+= X509_dup.3 EDIPARTYNAME_new.3 +MLINKS+= X509_dup.3 ESS_CERT_ID_dup.3 +MLINKS+= X509_dup.3 ESS_CERT_ID_free.3 +MLINKS+= X509_dup.3 ESS_CERT_ID_new.3 +MLINKS+= X509_dup.3 ESS_ISSUER_SERIAL_dup.3 +MLINKS+= X509_dup.3 ESS_ISSUER_SERIAL_free.3 +MLINKS+= X509_dup.3 ESS_ISSUER_SERIAL_new.3 +MLINKS+= X509_dup.3 ESS_SIGNING_CERT_dup.3 +MLINKS+= X509_dup.3 ESS_SIGNING_CERT_free.3 +MLINKS+= X509_dup.3 ESS_SIGNING_CERT_new.3 +MLINKS+= X509_dup.3 EXTENDED_KEY_USAGE_free.3 +MLINKS+= X509_dup.3 EXTENDED_KEY_USAGE_new.3 +MLINKS+= X509_dup.3 GENERAL_NAMES_free.3 +MLINKS+= X509_dup.3 GENERAL_NAMES_new.3 +MLINKS+= X509_dup.3 GENERAL_NAME_dup.3 +MLINKS+= X509_dup.3 GENERAL_NAME_free.3 +MLINKS+= X509_dup.3 GENERAL_NAME_new.3 +MLINKS+= X509_dup.3 GENERAL_SUBTREE_free.3 +MLINKS+= X509_dup.3 GENERAL_SUBTREE_new.3 +MLINKS+= X509_dup.3 IMPLEMENT_ASN1_FUNCTIONS.3 +MLINKS+= X509_dup.3 IPAddressChoice_free.3 +MLINKS+= X509_dup.3 IPAddressChoice_new.3 +MLINKS+= X509_dup.3 IPAddressFamily_free.3 +MLINKS+= X509_dup.3 IPAddressFamily_new.3 +MLINKS+= X509_dup.3 IPAddressOrRange_free.3 +MLINKS+= X509_dup.3 IPAddressOrRange_new.3 +MLINKS+= X509_dup.3 IPAddressRange_free.3 +MLINKS+= X509_dup.3 IPAddressRange_new.3 +MLINKS+= X509_dup.3 ISSUING_DIST_POINT_free.3 +MLINKS+= X509_dup.3 ISSUING_DIST_POINT_new.3 +MLINKS+= X509_dup.3 NAME_CONSTRAINTS_free.3 +MLINKS+= X509_dup.3 NAME_CONSTRAINTS_new.3 +MLINKS+= X509_dup.3 NAMING_AUTHORITY_free.3 +MLINKS+= X509_dup.3 NAMING_AUTHORITY_new.3 +MLINKS+= X509_dup.3 NETSCAPE_CERT_SEQUENCE_free.3 +MLINKS+= X509_dup.3 NETSCAPE_CERT_SEQUENCE_new.3 +MLINKS+= X509_dup.3 NETSCAPE_SPKAC_free.3 +MLINKS+= X509_dup.3 NETSCAPE_SPKAC_new.3 +MLINKS+= X509_dup.3 NETSCAPE_SPKI_free.3 +MLINKS+= X509_dup.3 NETSCAPE_SPKI_new.3 +MLINKS+= X509_dup.3 NOTICEREF_free.3 +MLINKS+= X509_dup.3 NOTICEREF_new.3 +MLINKS+= X509_dup.3 OCSP_BASICRESP_free.3 +MLINKS+= X509_dup.3 OCSP_BASICRESP_new.3 +MLINKS+= X509_dup.3 OCSP_CERTID_dup.3 +MLINKS+= X509_dup.3 OCSP_CERTID_new.3 +MLINKS+= X509_dup.3 OCSP_CERTSTATUS_free.3 +MLINKS+= X509_dup.3 OCSP_CERTSTATUS_new.3 +MLINKS+= X509_dup.3 OCSP_CRLID_free.3 +MLINKS+= X509_dup.3 OCSP_CRLID_new.3 +MLINKS+= X509_dup.3 OCSP_ONEREQ_free.3 +MLINKS+= X509_dup.3 OCSP_ONEREQ_new.3 +MLINKS+= X509_dup.3 OCSP_REQINFO_free.3 +MLINKS+= X509_dup.3 OCSP_REQINFO_new.3 +MLINKS+= X509_dup.3 OCSP_RESPBYTES_free.3 +MLINKS+= X509_dup.3 OCSP_RESPBYTES_new.3 +MLINKS+= X509_dup.3 OCSP_RESPDATA_free.3 +MLINKS+= X509_dup.3 OCSP_RESPDATA_new.3 +MLINKS+= X509_dup.3 OCSP_RESPID_free.3 +MLINKS+= X509_dup.3 OCSP_RESPID_new.3 +MLINKS+= X509_dup.3 OCSP_RESPONSE_new.3 +MLINKS+= X509_dup.3 OCSP_REVOKEDINFO_free.3 +MLINKS+= X509_dup.3 OCSP_REVOKEDINFO_new.3 +MLINKS+= X509_dup.3 OCSP_SERVICELOC_free.3 +MLINKS+= X509_dup.3 OCSP_SERVICELOC_new.3 +MLINKS+= X509_dup.3 OCSP_SIGNATURE_free.3 +MLINKS+= X509_dup.3 OCSP_SIGNATURE_new.3 +MLINKS+= X509_dup.3 OCSP_SINGLERESP_free.3 +MLINKS+= X509_dup.3 OCSP_SINGLERESP_new.3 +MLINKS+= X509_dup.3 OTHERNAME_free.3 +MLINKS+= X509_dup.3 OTHERNAME_new.3 +MLINKS+= X509_dup.3 PBE2PARAM_free.3 +MLINKS+= X509_dup.3 PBE2PARAM_new.3 +MLINKS+= X509_dup.3 PBEPARAM_free.3 +MLINKS+= X509_dup.3 PBEPARAM_new.3 +MLINKS+= X509_dup.3 PBKDF2PARAM_free.3 +MLINKS+= X509_dup.3 PBKDF2PARAM_new.3 +MLINKS+= X509_dup.3 PKCS12_BAGS_free.3 +MLINKS+= X509_dup.3 PKCS12_BAGS_new.3 +MLINKS+= X509_dup.3 PKCS12_MAC_DATA_free.3 +MLINKS+= X509_dup.3 PKCS12_MAC_DATA_new.3 +MLINKS+= X509_dup.3 PKCS12_SAFEBAG_free.3 +MLINKS+= X509_dup.3 PKCS12_SAFEBAG_new.3 +MLINKS+= X509_dup.3 PKCS12_free.3 +MLINKS+= X509_dup.3 PKCS12_new.3 +MLINKS+= X509_dup.3 PKCS7_DIGEST_free.3 +MLINKS+= X509_dup.3 PKCS7_DIGEST_new.3 +MLINKS+= X509_dup.3 PKCS7_ENCRYPT_free.3 +MLINKS+= X509_dup.3 PKCS7_ENCRYPT_new.3 +MLINKS+= X509_dup.3 PKCS7_ENC_CONTENT_free.3 +MLINKS+= X509_dup.3 PKCS7_ENC_CONTENT_new.3 +MLINKS+= X509_dup.3 PKCS7_ENVELOPE_free.3 +MLINKS+= X509_dup.3 PKCS7_ENVELOPE_new.3 +MLINKS+= X509_dup.3 PKCS7_ISSUER_AND_SERIAL_free.3 +MLINKS+= X509_dup.3 PKCS7_ISSUER_AND_SERIAL_new.3 +MLINKS+= X509_dup.3 PKCS7_RECIP_INFO_free.3 +MLINKS+= X509_dup.3 PKCS7_RECIP_INFO_new.3 +MLINKS+= X509_dup.3 PKCS7_SIGNED_free.3 +MLINKS+= X509_dup.3 PKCS7_SIGNED_new.3 +MLINKS+= X509_dup.3 PKCS7_SIGNER_INFO_free.3 +MLINKS+= X509_dup.3 PKCS7_SIGNER_INFO_new.3 +MLINKS+= X509_dup.3 PKCS7_SIGN_ENVELOPE_free.3 +MLINKS+= X509_dup.3 PKCS7_SIGN_ENVELOPE_new.3 +MLINKS+= X509_dup.3 PKCS7_dup.3 +MLINKS+= X509_dup.3 PKCS7_free.3 +MLINKS+= X509_dup.3 PKCS7_new.3 +MLINKS+= X509_dup.3 PKCS7_print_ctx.3 +MLINKS+= X509_dup.3 PKCS8_PRIV_KEY_INFO_free.3 +MLINKS+= X509_dup.3 PKCS8_PRIV_KEY_INFO_new.3 +MLINKS+= X509_dup.3 PKEY_USAGE_PERIOD_free.3 +MLINKS+= X509_dup.3 PKEY_USAGE_PERIOD_new.3 +MLINKS+= X509_dup.3 POLICYINFO_free.3 +MLINKS+= X509_dup.3 POLICYINFO_new.3 +MLINKS+= X509_dup.3 POLICYQUALINFO_free.3 +MLINKS+= X509_dup.3 POLICYQUALINFO_new.3 +MLINKS+= X509_dup.3 POLICY_CONSTRAINTS_free.3 +MLINKS+= X509_dup.3 POLICY_CONSTRAINTS_new.3 +MLINKS+= X509_dup.3 POLICY_MAPPING_free.3 +MLINKS+= X509_dup.3 POLICY_MAPPING_new.3 +MLINKS+= X509_dup.3 PROFESSION_INFOS_free.3 +MLINKS+= X509_dup.3 PROFESSION_INFOS_new.3 +MLINKS+= X509_dup.3 PROFESSION_INFO_free.3 +MLINKS+= X509_dup.3 PROFESSION_INFO_new.3 +MLINKS+= X509_dup.3 PROXY_CERT_INFO_EXTENSION_free.3 +MLINKS+= X509_dup.3 PROXY_CERT_INFO_EXTENSION_new.3 +MLINKS+= X509_dup.3 PROXY_POLICY_free.3 +MLINKS+= X509_dup.3 PROXY_POLICY_new.3 +MLINKS+= X509_dup.3 RSAPrivateKey_dup.3 +MLINKS+= X509_dup.3 RSAPublicKey_dup.3 +MLINKS+= X509_dup.3 RSA_OAEP_PARAMS_free.3 +MLINKS+= X509_dup.3 RSA_OAEP_PARAMS_new.3 +MLINKS+= X509_dup.3 RSA_PSS_PARAMS_free.3 +MLINKS+= X509_dup.3 RSA_PSS_PARAMS_new.3 +MLINKS+= X509_dup.3 SCRYPT_PARAMS_free.3 +MLINKS+= X509_dup.3 SCRYPT_PARAMS_new.3 +MLINKS+= X509_dup.3 SXNETID_free.3 +MLINKS+= X509_dup.3 SXNETID_new.3 +MLINKS+= X509_dup.3 SXNET_free.3 +MLINKS+= X509_dup.3 SXNET_new.3 +MLINKS+= X509_dup.3 TLS_FEATURE_free.3 +MLINKS+= X509_dup.3 TLS_FEATURE_new.3 +MLINKS+= X509_dup.3 TS_ACCURACY_dup.3 +MLINKS+= X509_dup.3 TS_ACCURACY_free.3 +MLINKS+= X509_dup.3 TS_ACCURACY_new.3 +MLINKS+= X509_dup.3 TS_MSG_IMPRINT_dup.3 +MLINKS+= X509_dup.3 TS_MSG_IMPRINT_free.3 +MLINKS+= X509_dup.3 TS_MSG_IMPRINT_new.3 +MLINKS+= X509_dup.3 TS_REQ_dup.3 +MLINKS+= X509_dup.3 TS_REQ_free.3 +MLINKS+= X509_dup.3 TS_REQ_new.3 +MLINKS+= X509_dup.3 TS_RESP_dup.3 +MLINKS+= X509_dup.3 TS_RESP_free.3 +MLINKS+= X509_dup.3 TS_RESP_new.3 +MLINKS+= X509_dup.3 TS_STATUS_INFO_dup.3 +MLINKS+= X509_dup.3 TS_STATUS_INFO_free.3 +MLINKS+= X509_dup.3 TS_STATUS_INFO_new.3 +MLINKS+= X509_dup.3 TS_TST_INFO_dup.3 +MLINKS+= X509_dup.3 TS_TST_INFO_free.3 +MLINKS+= X509_dup.3 TS_TST_INFO_new.3 +MLINKS+= X509_dup.3 USERNOTICE_free.3 +MLINKS+= X509_dup.3 USERNOTICE_new.3 +MLINKS+= X509_dup.3 X509_ALGOR_free.3 +MLINKS+= X509_dup.3 X509_ALGOR_new.3 +MLINKS+= X509_dup.3 X509_ATTRIBUTE_dup.3 +MLINKS+= X509_dup.3 X509_ATTRIBUTE_free.3 +MLINKS+= X509_dup.3 X509_ATTRIBUTE_new.3 +MLINKS+= X509_dup.3 X509_CERT_AUX_free.3 +MLINKS+= X509_dup.3 X509_CERT_AUX_new.3 +MLINKS+= X509_dup.3 X509_CINF_free.3 +MLINKS+= X509_dup.3 X509_CINF_new.3 +MLINKS+= X509_dup.3 X509_CRL_INFO_free.3 +MLINKS+= X509_dup.3 X509_CRL_INFO_new.3 +MLINKS+= X509_dup.3 X509_CRL_dup.3 +MLINKS+= X509_dup.3 X509_CRL_free.3 +MLINKS+= X509_dup.3 X509_CRL_new.3 +MLINKS+= X509_dup.3 X509_EXTENSION_dup.3 +MLINKS+= X509_dup.3 X509_EXTENSION_free.3 +MLINKS+= X509_dup.3 X509_EXTENSION_new.3 +MLINKS+= X509_dup.3 X509_NAME_ENTRY_dup.3 +MLINKS+= X509_dup.3 X509_NAME_ENTRY_free.3 +MLINKS+= X509_dup.3 X509_NAME_ENTRY_new.3 +MLINKS+= X509_dup.3 X509_NAME_dup.3 +MLINKS+= X509_dup.3 X509_NAME_free.3 +MLINKS+= X509_dup.3 X509_NAME_new.3 +MLINKS+= X509_dup.3 X509_REQ_INFO_free.3 +MLINKS+= X509_dup.3 X509_REQ_INFO_new.3 +MLINKS+= X509_dup.3 X509_REQ_dup.3 +MLINKS+= X509_dup.3 X509_REQ_free.3 +MLINKS+= X509_dup.3 X509_REQ_new.3 +MLINKS+= X509_dup.3 X509_REVOKED_dup.3 +MLINKS+= X509_dup.3 X509_REVOKED_free.3 +MLINKS+= X509_dup.3 X509_REVOKED_new.3 +MLINKS+= X509_dup.3 X509_SIG_free.3 +MLINKS+= X509_dup.3 X509_SIG_new.3 +MLINKS+= X509_dup.3 X509_VAL_free.3 +MLINKS+= X509_dup.3 X509_VAL_new.3 +MLINKS+= X509_get0_notBefore.3 X509_CRL_get0_lastUpdate.3 +MLINKS+= X509_get0_notBefore.3 X509_CRL_get0_nextUpdate.3 +MLINKS+= X509_get0_notBefore.3 X509_CRL_set1_lastUpdate.3 +MLINKS+= X509_get0_notBefore.3 X509_CRL_set1_nextUpdate.3 +MLINKS+= X509_get0_notBefore.3 X509_get0_notAfter.3 +MLINKS+= X509_get0_notBefore.3 X509_getm_notAfter.3 +MLINKS+= X509_get0_notBefore.3 X509_getm_notBefore.3 +MLINKS+= X509_get0_notBefore.3 X509_set1_notAfter.3 +MLINKS+= X509_get0_notBefore.3 X509_set1_notBefore.3 +MLINKS+= X509_get0_signature.3 X509_CRL_get0_signature.3 +MLINKS+= X509_get0_signature.3 X509_CRL_get_signature_nid.3 +MLINKS+= X509_get0_signature.3 X509_REQ_get0_signature.3 +MLINKS+= X509_get0_signature.3 X509_REQ_get_signature_nid.3 +MLINKS+= X509_get0_signature.3 X509_SIG_INFO_get.3 +MLINKS+= X509_get0_signature.3 X509_SIG_INFO_set.3 +MLINKS+= X509_get0_signature.3 X509_get0_tbs_sigalg.3 +MLINKS+= X509_get0_signature.3 X509_get_signature_info.3 +MLINKS+= X509_get0_signature.3 X509_get_signature_nid.3 +MLINKS+= X509_get_extension_flags.3 X509_get0_authority_key_id.3 +MLINKS+= X509_get_extension_flags.3 X509_get0_subject_key_id.3 +MLINKS+= X509_get_extension_flags.3 X509_get_extended_key_usage.3 +MLINKS+= X509_get_extension_flags.3 X509_get_key_usage.3 +MLINKS+= X509_get_extension_flags.3 X509_get_pathlen.3 +MLINKS+= X509_get_extension_flags.3 X509_get_proxy_pathlen.3 +MLINKS+= X509_get_extension_flags.3 X509_set_proxy_flag.3 +MLINKS+= X509_get_extension_flags.3 X509_set_proxy_pathlen.3 +MLINKS+= X509_get_pubkey.3 X509_REQ_get0_pubkey.3 +MLINKS+= X509_get_pubkey.3 X509_REQ_get_X509_PUBKEY.3 +MLINKS+= X509_get_pubkey.3 X509_REQ_get_pubkey.3 +MLINKS+= X509_get_pubkey.3 X509_REQ_set_pubkey.3 +MLINKS+= X509_get_pubkey.3 X509_get0_pubkey.3 +MLINKS+= X509_get_pubkey.3 X509_get_X509_PUBKEY.3 +MLINKS+= X509_get_pubkey.3 X509_set_pubkey.3 +MLINKS+= X509_get_serialNumber.3 X509_get0_serialNumber.3 +MLINKS+= X509_get_serialNumber.3 X509_set_serialNumber.3 +MLINKS+= X509_get_subject_name.3 X509_CRL_get_issuer.3 +MLINKS+= X509_get_subject_name.3 X509_CRL_set_issuer_name.3 +MLINKS+= X509_get_subject_name.3 X509_REQ_get_subject_name.3 +MLINKS+= X509_get_subject_name.3 X509_REQ_set_subject_name.3 +MLINKS+= X509_get_subject_name.3 X509_get_issuer_name.3 +MLINKS+= X509_get_subject_name.3 X509_set_issuer_name.3 +MLINKS+= X509_get_subject_name.3 X509_set_subject_name.3 +MLINKS+= X509_get_version.3 X509_CRL_get_version.3 +MLINKS+= X509_get_version.3 X509_CRL_set_version.3 +MLINKS+= X509_get_version.3 X509_REQ_get_version.3 +MLINKS+= X509_get_version.3 X509_REQ_set_version.3 +MLINKS+= X509_get_version.3 X509_set_version.3 +MLINKS+= X509_new.3 X509_chain_up_ref.3 MLINKS+= X509_new.3 X509_free.3 -MLINKS+= blowfish.3 BF_cbc_encrypt.3 -MLINKS+= blowfish.3 BF_cfb64_encrypt.3 -MLINKS+= blowfish.3 BF_decrypt.3 -MLINKS+= blowfish.3 BF_ecb_encrypt.3 -MLINKS+= blowfish.3 BF_encrypt.3 -MLINKS+= blowfish.3 BF_ofb64_encrypt.3 -MLINKS+= blowfish.3 BF_options.3 -MLINKS+= blowfish.3 BF_set_key.3 -MLINKS+= bn_internal.3 bn_add_words.3 -MLINKS+= bn_internal.3 bn_check_top.3 -MLINKS+= bn_internal.3 bn_cmp_words.3 -MLINKS+= bn_internal.3 bn_div_words.3 -MLINKS+= bn_internal.3 bn_dump.3 -MLINKS+= bn_internal.3 bn_expand.3 -MLINKS+= bn_internal.3 bn_expand2.3 -MLINKS+= bn_internal.3 bn_fix_top.3 -MLINKS+= bn_internal.3 bn_mul_add_words.3 -MLINKS+= bn_internal.3 bn_mul_comba4.3 -MLINKS+= bn_internal.3 bn_mul_comba8.3 -MLINKS+= bn_internal.3 bn_mul_high.3 -MLINKS+= bn_internal.3 bn_mul_low_normal.3 -MLINKS+= bn_internal.3 bn_mul_low_recursive.3 -MLINKS+= bn_internal.3 bn_mul_normal.3 -MLINKS+= bn_internal.3 bn_mul_part_recursive.3 -MLINKS+= bn_internal.3 bn_mul_recursive.3 -MLINKS+= bn_internal.3 bn_mul_words.3 -MLINKS+= bn_internal.3 bn_print.3 -MLINKS+= bn_internal.3 bn_set_high.3 -MLINKS+= bn_internal.3 bn_set_low.3 -MLINKS+= bn_internal.3 bn_set_max.3 -MLINKS+= bn_internal.3 bn_sqr_comba4.3 -MLINKS+= bn_internal.3 bn_sqr_comba8.3 -MLINKS+= bn_internal.3 bn_sqr_normal.3 -MLINKS+= bn_internal.3 bn_sqr_recursive.3 -MLINKS+= bn_internal.3 bn_sqr_words.3 -MLINKS+= bn_internal.3 bn_sub_words.3 -MLINKS+= bn_internal.3 bn_wexpand.3 -MLINKS+= buffer.3 BUF_MEM_free.3 -MLINKS+= buffer.3 BUF_MEM_grow.3 -MLINKS+= buffer.3 BUF_MEM_new.3 -MLINKS+= buffer.3 BUF_MEM_new_ex.3 -MLINKS+= buffer.3 BUF_memdup.3 -MLINKS+= buffer.3 BUF_strdup.3 -MLINKS+= buffer.3 BUF_strlcat.3 -MLINKS+= buffer.3 BUF_strlcpy.3 -MLINKS+= buffer.3 BUF_strndup.3 -MLINKS+= d2i_ASN1_OBJECT.3 i2d_ASN1_OBJECT.3 -MLINKS+= d2i_CMS_ContentInfo.3 i2d_CMS_ContentInfo.3 +MLINKS+= X509_new.3 X509_up_ref.3 +MLINKS+= X509_sign.3 X509_CRL_sign.3 +MLINKS+= X509_sign.3 X509_CRL_sign_ctx.3 +MLINKS+= X509_sign.3 X509_CRL_verify.3 +MLINKS+= X509_sign.3 X509_REQ_sign.3 +MLINKS+= X509_sign.3 X509_REQ_sign_ctx.3 +MLINKS+= X509_sign.3 X509_REQ_verify.3 +MLINKS+= X509_sign.3 X509_sign_ctx.3 +MLINKS+= X509_sign.3 X509_verify.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_add_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_delete_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext_by_NID.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext_by_OBJ.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext_by_critical.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_CRL_get_ext_count.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_add_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_delete_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext_by_NID.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext_by_OBJ.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext_by_critical.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_REVOKED_get_ext_count.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_add_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_delete_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext_by_NID.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext_by_OBJ.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext_by_critical.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509_get_ext_count.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509v3_add_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509v3_delete_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_by_OBJ.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_by_critical.3 +MLINKS+= X509v3_get_ext_by_NID.3 X509v3_get_ext_count.3 MLINKS+= d2i_DHparams.3 i2d_DHparams.3 -MLINKS+= d2i_DSAPublicKey.3 d2i_DSAPrivateKey.3 -MLINKS+= d2i_DSAPublicKey.3 d2i_DSA_PUBKEY.3 -MLINKS+= d2i_DSAPublicKey.3 d2i_DSA_SIG.3 -MLINKS+= d2i_DSAPublicKey.3 d2i_DSAparams.3 -MLINKS+= d2i_DSAPublicKey.3 i2d_DSAPrivateKey.3 -MLINKS+= d2i_DSAPublicKey.3 i2d_DSAPublicKey.3 -MLINKS+= d2i_DSAPublicKey.3 i2d_DSA_PUBKEY.3 -MLINKS+= d2i_DSAPublicKey.3 i2d_DSA_SIG.3 -MLINKS+= d2i_DSAPublicKey.3 i2d_DSAparams.3 -MLINKS+= d2i_ECPKParameters.3 ECPKParameters_print.3 -MLINKS+= d2i_ECPKParameters.3 ECPKParameters_print_fp.3 -MLINKS+= d2i_ECPKParameters.3 d2i_ECPKParameters_bio.3 -MLINKS+= d2i_ECPKParameters.3 d2i_ECPKParameters_fp.3 -MLINKS+= d2i_ECPKParameters.3 i2d_ECPKParameters.3 -MLINKS+= d2i_ECPKParameters.3 i2d_ECPKParameters_bio.3 -MLINKS+= d2i_ECPKParameters.3 i2d_ECPKParameters_fp.3 -MLINKS+= d2i_ECPrivateKey.3 d2i_ECPrivate_key.3 -MLINKS+= d2i_ECPrivateKey.3 i2d_ECPrivateKey.3 -MLINKS+= d2i_PKCS8PrivateKey.3 d2i_PKCS8PrivateKey_bio.3 -MLINKS+= d2i_PKCS8PrivateKey.3 d2i_PKCS8PrivateKey_fp.3 -MLINKS+= d2i_PKCS8PrivateKey.3 i2d_PKCS8PrivateKey_bio.3 -MLINKS+= d2i_PKCS8PrivateKey.3 i2d_PKCS8PrivateKey_fp.3 -MLINKS+= d2i_PKCS8PrivateKey.3 i2d_PKCS8PrivateKey_nid_bio.3 -MLINKS+= d2i_PKCS8PrivateKey.3 i2d_PKCS8PrivateKey_nid_fp.3 +MLINKS+= d2i_PKCS8PrivateKey_bio.3 d2i_PKCS8PrivateKey_fp.3 +MLINKS+= d2i_PKCS8PrivateKey_bio.3 i2d_PKCS8PrivateKey_bio.3 +MLINKS+= d2i_PKCS8PrivateKey_bio.3 i2d_PKCS8PrivateKey_fp.3 +MLINKS+= d2i_PKCS8PrivateKey_bio.3 i2d_PKCS8PrivateKey_nid_bio.3 +MLINKS+= d2i_PKCS8PrivateKey_bio.3 i2d_PKCS8PrivateKey_nid_fp.3 MLINKS+= d2i_PrivateKey.3 d2i_AutoPrivateKey.3 -MLINKS+= d2i_PrivateKey.3 d2i_Private_key.3 +MLINKS+= d2i_PrivateKey.3 d2i_PrivateKey_bio.3 +MLINKS+= d2i_PrivateKey.3 d2i_PrivateKey_fp.3 +MLINKS+= d2i_PrivateKey.3 d2i_PublicKey.3 MLINKS+= d2i_PrivateKey.3 i2d_PrivateKey.3 -MLINKS+= d2i_RSAPublicKey.3 d2i_Netscape_RSA.3 -MLINKS+= d2i_RSAPublicKey.3 d2i_RSAPrivateKey.3 -MLINKS+= d2i_RSAPublicKey.3 d2i_RSA_PUBKEY.3 -MLINKS+= d2i_RSAPublicKey.3 i2d_Netscape_RSA.3 -MLINKS+= d2i_RSAPublicKey.3 i2d_RSAPrivateKey.3 -MLINKS+= d2i_RSAPublicKey.3 i2d_RSAPublicKey.3 -MLINKS+= d2i_RSAPublicKey.3 i2d_RSA_PUBKEY.3 -MLINKS+= d2i_X509.3 d2i_X509_bio.3 -MLINKS+= d2i_X509.3 d2i_X509_fp.3 +MLINKS+= d2i_PrivateKey.3 i2d_PublicKey.3 +MLINKS+= d2i_SSL_SESSION.3 i2d_SSL_SESSION.3 +MLINKS+= d2i_X509.3 d2i_ACCESS_DESCRIPTION.3 +MLINKS+= d2i_X509.3 d2i_ADMISSIONS.3 +MLINKS+= d2i_X509.3 d2i_ADMISSION_SYNTAX.3 +MLINKS+= d2i_X509.3 d2i_ASIdOrRange.3 +MLINKS+= d2i_X509.3 d2i_ASIdentifierChoice.3 +MLINKS+= d2i_X509.3 d2i_ASIdentifiers.3 +MLINKS+= d2i_X509.3 d2i_ASN1_BIT_STRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_BMPSTRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_ENUMERATED.3 +MLINKS+= d2i_X509.3 d2i_ASN1_GENERALIZEDTIME.3 +MLINKS+= d2i_X509.3 d2i_ASN1_GENERALSTRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_IA5STRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_INTEGER.3 +MLINKS+= d2i_X509.3 d2i_ASN1_NULL.3 +MLINKS+= d2i_X509.3 d2i_ASN1_OBJECT.3 +MLINKS+= d2i_X509.3 d2i_ASN1_OCTET_STRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_PRINTABLE.3 +MLINKS+= d2i_X509.3 d2i_ASN1_PRINTABLESTRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_SEQUENCE_ANY.3 +MLINKS+= d2i_X509.3 d2i_ASN1_SET_ANY.3 +MLINKS+= d2i_X509.3 d2i_ASN1_T61STRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_TIME.3 +MLINKS+= d2i_X509.3 d2i_ASN1_TYPE.3 +MLINKS+= d2i_X509.3 d2i_ASN1_UINTEGER.3 +MLINKS+= d2i_X509.3 d2i_ASN1_UNIVERSALSTRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_UTCTIME.3 +MLINKS+= d2i_X509.3 d2i_ASN1_UTF8STRING.3 +MLINKS+= d2i_X509.3 d2i_ASN1_VISIBLESTRING.3 +MLINKS+= d2i_X509.3 d2i_ASRange.3 +MLINKS+= d2i_X509.3 d2i_AUTHORITY_INFO_ACCESS.3 +MLINKS+= d2i_X509.3 d2i_AUTHORITY_KEYID.3 +MLINKS+= d2i_X509.3 d2i_BASIC_CONSTRAINTS.3 +MLINKS+= d2i_X509.3 d2i_CERTIFICATEPOLICIES.3 +MLINKS+= d2i_X509.3 d2i_CMS_ContentInfo.3 +MLINKS+= d2i_X509.3 d2i_CMS_ReceiptRequest.3 +MLINKS+= d2i_X509.3 d2i_CMS_bio.3 +MLINKS+= d2i_X509.3 d2i_CRL_DIST_POINTS.3 +MLINKS+= d2i_X509.3 d2i_DHxparams.3 +MLINKS+= d2i_X509.3 d2i_DIRECTORYSTRING.3 +MLINKS+= d2i_X509.3 d2i_DISPLAYTEXT.3 +MLINKS+= d2i_X509.3 d2i_DIST_POINT.3 +MLINKS+= d2i_X509.3 d2i_DIST_POINT_NAME.3 +MLINKS+= d2i_X509.3 d2i_DSAPrivateKey.3 +MLINKS+= d2i_X509.3 d2i_DSAPrivateKey_bio.3 +MLINKS+= d2i_X509.3 d2i_DSAPrivateKey_fp.3 +MLINKS+= d2i_X509.3 d2i_DSAPublicKey.3 +MLINKS+= d2i_X509.3 d2i_DSA_PUBKEY.3 +MLINKS+= d2i_X509.3 d2i_DSA_PUBKEY_bio.3 +MLINKS+= d2i_X509.3 d2i_DSA_PUBKEY_fp.3 +MLINKS+= d2i_X509.3 d2i_DSA_SIG.3 +MLINKS+= d2i_X509.3 d2i_DSAparams.3 +MLINKS+= d2i_X509.3 d2i_ECPKParameters.3 +MLINKS+= d2i_X509.3 d2i_ECParameters.3 +MLINKS+= d2i_X509.3 d2i_ECPrivateKey.3 +MLINKS+= d2i_X509.3 d2i_ECPrivateKey_bio.3 +MLINKS+= d2i_X509.3 d2i_ECPrivateKey_fp.3 +MLINKS+= d2i_X509.3 d2i_EC_PUBKEY.3 +MLINKS+= d2i_X509.3 d2i_EC_PUBKEY_bio.3 +MLINKS+= d2i_X509.3 d2i_EC_PUBKEY_fp.3 +MLINKS+= d2i_X509.3 d2i_EDIPARTYNAME.3 +MLINKS+= d2i_X509.3 d2i_ESS_CERT_ID.3 +MLINKS+= d2i_X509.3 d2i_ESS_ISSUER_SERIAL.3 +MLINKS+= d2i_X509.3 d2i_ESS_SIGNING_CERT.3 +MLINKS+= d2i_X509.3 d2i_EXTENDED_KEY_USAGE.3 +MLINKS+= d2i_X509.3 d2i_GENERAL_NAME.3 +MLINKS+= d2i_X509.3 d2i_GENERAL_NAMES.3 +MLINKS+= d2i_X509.3 d2i_IPAddressChoice.3 +MLINKS+= d2i_X509.3 d2i_IPAddressFamily.3 +MLINKS+= d2i_X509.3 d2i_IPAddressOrRange.3 +MLINKS+= d2i_X509.3 d2i_IPAddressRange.3 +MLINKS+= d2i_X509.3 d2i_ISSUING_DIST_POINT.3 +MLINKS+= d2i_X509.3 d2i_NAMING_AUTHORITY.3 +MLINKS+= d2i_X509.3 d2i_NETSCAPE_CERT_SEQUENCE.3 +MLINKS+= d2i_X509.3 d2i_NETSCAPE_SPKAC.3 +MLINKS+= d2i_X509.3 d2i_NETSCAPE_SPKI.3 +MLINKS+= d2i_X509.3 d2i_NOTICEREF.3 +MLINKS+= d2i_X509.3 d2i_OCSP_BASICRESP.3 +MLINKS+= d2i_X509.3 d2i_OCSP_CERTID.3 +MLINKS+= d2i_X509.3 d2i_OCSP_CERTSTATUS.3 +MLINKS+= d2i_X509.3 d2i_OCSP_CRLID.3 +MLINKS+= d2i_X509.3 d2i_OCSP_ONEREQ.3 +MLINKS+= d2i_X509.3 d2i_OCSP_REQINFO.3 +MLINKS+= d2i_X509.3 d2i_OCSP_REQUEST.3 +MLINKS+= d2i_X509.3 d2i_OCSP_RESPBYTES.3 +MLINKS+= d2i_X509.3 d2i_OCSP_RESPDATA.3 +MLINKS+= d2i_X509.3 d2i_OCSP_RESPID.3 +MLINKS+= d2i_X509.3 d2i_OCSP_RESPONSE.3 +MLINKS+= d2i_X509.3 d2i_OCSP_REVOKEDINFO.3 +MLINKS+= d2i_X509.3 d2i_OCSP_SERVICELOC.3 +MLINKS+= d2i_X509.3 d2i_OCSP_SIGNATURE.3 +MLINKS+= d2i_X509.3 d2i_OCSP_SINGLERESP.3 +MLINKS+= d2i_X509.3 d2i_OTHERNAME.3 +MLINKS+= d2i_X509.3 d2i_PBE2PARAM.3 +MLINKS+= d2i_X509.3 d2i_PBEPARAM.3 +MLINKS+= d2i_X509.3 d2i_PBKDF2PARAM.3 +MLINKS+= d2i_X509.3 d2i_PKCS12.3 +MLINKS+= d2i_X509.3 d2i_PKCS12_BAGS.3 +MLINKS+= d2i_X509.3 d2i_PKCS12_MAC_DATA.3 +MLINKS+= d2i_X509.3 d2i_PKCS12_SAFEBAG.3 +MLINKS+= d2i_X509.3 d2i_PKCS12_bio.3 +MLINKS+= d2i_X509.3 d2i_PKCS12_fp.3 +MLINKS+= d2i_X509.3 d2i_PKCS7.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_DIGEST.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_ENCRYPT.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_ENC_CONTENT.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_ENVELOPE.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_ISSUER_AND_SERIAL.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_RECIP_INFO.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_SIGNED.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_SIGNER_INFO.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_SIGN_ENVELOPE.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_bio.3 +MLINKS+= d2i_X509.3 d2i_PKCS7_fp.3 +MLINKS+= d2i_X509.3 d2i_PKCS8_PRIV_KEY_INFO.3 +MLINKS+= d2i_X509.3 d2i_PKCS8_PRIV_KEY_INFO_bio.3 +MLINKS+= d2i_X509.3 d2i_PKCS8_PRIV_KEY_INFO_fp.3 +MLINKS+= d2i_X509.3 d2i_PKCS8_bio.3 +MLINKS+= d2i_X509.3 d2i_PKCS8_fp.3 +MLINKS+= d2i_X509.3 d2i_PKEY_USAGE_PERIOD.3 +MLINKS+= d2i_X509.3 d2i_POLICYINFO.3 +MLINKS+= d2i_X509.3 d2i_POLICYQUALINFO.3 +MLINKS+= d2i_X509.3 d2i_PROFESSION_INFO.3 +MLINKS+= d2i_X509.3 d2i_PROXY_CERT_INFO_EXTENSION.3 +MLINKS+= d2i_X509.3 d2i_PROXY_POLICY.3 +MLINKS+= d2i_X509.3 d2i_RSAPrivateKey.3 +MLINKS+= d2i_X509.3 d2i_RSAPrivateKey_bio.3 +MLINKS+= d2i_X509.3 d2i_RSAPrivateKey_fp.3 +MLINKS+= d2i_X509.3 d2i_RSAPublicKey.3 +MLINKS+= d2i_X509.3 d2i_RSAPublicKey_bio.3 +MLINKS+= d2i_X509.3 d2i_RSAPublicKey_fp.3 +MLINKS+= d2i_X509.3 d2i_RSA_OAEP_PARAMS.3 +MLINKS+= d2i_X509.3 d2i_RSA_PSS_PARAMS.3 +MLINKS+= d2i_X509.3 d2i_RSA_PUBKEY.3 +MLINKS+= d2i_X509.3 d2i_RSA_PUBKEY_bio.3 +MLINKS+= d2i_X509.3 d2i_RSA_PUBKEY_fp.3 +MLINKS+= d2i_X509.3 d2i_SCRYPT_PARAMS.3 +MLINKS+= d2i_X509.3 d2i_SCT_LIST.3 +MLINKS+= d2i_X509.3 d2i_SXNET.3 +MLINKS+= d2i_X509.3 d2i_SXNETID.3 +MLINKS+= d2i_X509.3 d2i_TS_ACCURACY.3 +MLINKS+= d2i_X509.3 d2i_TS_MSG_IMPRINT.3 +MLINKS+= d2i_X509.3 d2i_TS_MSG_IMPRINT_bio.3 +MLINKS+= d2i_X509.3 d2i_TS_MSG_IMPRINT_fp.3 +MLINKS+= d2i_X509.3 d2i_TS_REQ.3 +MLINKS+= d2i_X509.3 d2i_TS_REQ_bio.3 +MLINKS+= d2i_X509.3 d2i_TS_REQ_fp.3 +MLINKS+= d2i_X509.3 d2i_TS_RESP.3 +MLINKS+= d2i_X509.3 d2i_TS_RESP_bio.3 +MLINKS+= d2i_X509.3 d2i_TS_RESP_fp.3 +MLINKS+= d2i_X509.3 d2i_TS_STATUS_INFO.3 +MLINKS+= d2i_X509.3 d2i_TS_TST_INFO.3 +MLINKS+= d2i_X509.3 d2i_TS_TST_INFO_bio.3 +MLINKS+= d2i_X509.3 d2i_TS_TST_INFO_fp.3 +MLINKS+= d2i_X509.3 d2i_USERNOTICE.3 +MLINKS+= d2i_X509.3 d2i_X509_ALGOR.3 +MLINKS+= d2i_X509.3 d2i_X509_ALGORS.3 +MLINKS+= d2i_X509.3 d2i_X509_ATTRIBUTE.3 +MLINKS+= d2i_X509.3 d2i_X509_CERT_AUX.3 +MLINKS+= d2i_X509.3 d2i_X509_CINF.3 +MLINKS+= d2i_X509.3 d2i_X509_CRL.3 +MLINKS+= d2i_X509.3 d2i_X509_CRL_INFO.3 +MLINKS+= d2i_X509.3 d2i_X509_CRL_bio.3 +MLINKS+= d2i_X509.3 d2i_X509_CRL_fp.3 +MLINKS+= d2i_X509.3 d2i_X509_EXTENSION.3 +MLINKS+= d2i_X509.3 d2i_X509_EXTENSIONS.3 +MLINKS+= d2i_X509.3 d2i_X509_NAME.3 +MLINKS+= d2i_X509.3 d2i_X509_NAME_ENTRY.3 +MLINKS+= d2i_X509.3 d2i_X509_PUBKEY.3 +MLINKS+= d2i_X509.3 d2i_X509_REQ.3 +MLINKS+= d2i_X509.3 d2i_X509_REQ_INFO.3 +MLINKS+= d2i_X509.3 d2i_X509_REQ_bio.3 +MLINKS+= d2i_X509.3 d2i_X509_REQ_fp.3 +MLINKS+= d2i_X509.3 d2i_X509_REVOKED.3 +MLINKS+= d2i_X509.3 d2i_X509_SIG.3 +MLINKS+= d2i_X509.3 d2i_X509_VAL.3 +MLINKS+= d2i_X509.3 i2d_ACCESS_DESCRIPTION.3 +MLINKS+= d2i_X509.3 i2d_ADMISSIONS.3 +MLINKS+= d2i_X509.3 i2d_ADMISSION_SYNTAX.3 +MLINKS+= d2i_X509.3 i2d_ASIdOrRange.3 +MLINKS+= d2i_X509.3 i2d_ASIdentifierChoice.3 +MLINKS+= d2i_X509.3 i2d_ASIdentifiers.3 +MLINKS+= d2i_X509.3 i2d_ASN1_BIT_STRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_BMPSTRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_ENUMERATED.3 +MLINKS+= d2i_X509.3 i2d_ASN1_GENERALIZEDTIME.3 +MLINKS+= d2i_X509.3 i2d_ASN1_GENERALSTRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_IA5STRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_INTEGER.3 +MLINKS+= d2i_X509.3 i2d_ASN1_NULL.3 +MLINKS+= d2i_X509.3 i2d_ASN1_OBJECT.3 +MLINKS+= d2i_X509.3 i2d_ASN1_OCTET_STRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_PRINTABLE.3 +MLINKS+= d2i_X509.3 i2d_ASN1_PRINTABLESTRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_SEQUENCE_ANY.3 +MLINKS+= d2i_X509.3 i2d_ASN1_SET_ANY.3 +MLINKS+= d2i_X509.3 i2d_ASN1_T61STRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_TIME.3 +MLINKS+= d2i_X509.3 i2d_ASN1_TYPE.3 +MLINKS+= d2i_X509.3 i2d_ASN1_UNIVERSALSTRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_UTCTIME.3 +MLINKS+= d2i_X509.3 i2d_ASN1_UTF8STRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_VISIBLESTRING.3 +MLINKS+= d2i_X509.3 i2d_ASN1_bio_stream.3 +MLINKS+= d2i_X509.3 i2d_ASRange.3 +MLINKS+= d2i_X509.3 i2d_AUTHORITY_INFO_ACCESS.3 +MLINKS+= d2i_X509.3 i2d_AUTHORITY_KEYID.3 +MLINKS+= d2i_X509.3 i2d_BASIC_CONSTRAINTS.3 +MLINKS+= d2i_X509.3 i2d_CERTIFICATEPOLICIES.3 +MLINKS+= d2i_X509.3 i2d_CMS_ContentInfo.3 +MLINKS+= d2i_X509.3 i2d_CMS_ReceiptRequest.3 +MLINKS+= d2i_X509.3 i2d_CMS_bio.3 +MLINKS+= d2i_X509.3 i2d_CRL_DIST_POINTS.3 +MLINKS+= d2i_X509.3 i2d_DHxparams.3 +MLINKS+= d2i_X509.3 i2d_DIRECTORYSTRING.3 +MLINKS+= d2i_X509.3 i2d_DISPLAYTEXT.3 +MLINKS+= d2i_X509.3 i2d_DIST_POINT.3 +MLINKS+= d2i_X509.3 i2d_DIST_POINT_NAME.3 +MLINKS+= d2i_X509.3 i2d_DSAPrivateKey.3 +MLINKS+= d2i_X509.3 i2d_DSAPrivateKey_bio.3 +MLINKS+= d2i_X509.3 i2d_DSAPrivateKey_fp.3 +MLINKS+= d2i_X509.3 i2d_DSAPublicKey.3 +MLINKS+= d2i_X509.3 i2d_DSA_PUBKEY.3 +MLINKS+= d2i_X509.3 i2d_DSA_PUBKEY_bio.3 +MLINKS+= d2i_X509.3 i2d_DSA_PUBKEY_fp.3 +MLINKS+= d2i_X509.3 i2d_DSA_SIG.3 +MLINKS+= d2i_X509.3 i2d_DSAparams.3 +MLINKS+= d2i_X509.3 i2d_ECPKParameters.3 +MLINKS+= d2i_X509.3 i2d_ECParameters.3 +MLINKS+= d2i_X509.3 i2d_ECPrivateKey.3 +MLINKS+= d2i_X509.3 i2d_ECPrivateKey_bio.3 +MLINKS+= d2i_X509.3 i2d_ECPrivateKey_fp.3 +MLINKS+= d2i_X509.3 i2d_EC_PUBKEY.3 +MLINKS+= d2i_X509.3 i2d_EC_PUBKEY_bio.3 +MLINKS+= d2i_X509.3 i2d_EC_PUBKEY_fp.3 +MLINKS+= d2i_X509.3 i2d_EDIPARTYNAME.3 +MLINKS+= d2i_X509.3 i2d_ESS_CERT_ID.3 +MLINKS+= d2i_X509.3 i2d_ESS_ISSUER_SERIAL.3 +MLINKS+= d2i_X509.3 i2d_ESS_SIGNING_CERT.3 +MLINKS+= d2i_X509.3 i2d_EXTENDED_KEY_USAGE.3 +MLINKS+= d2i_X509.3 i2d_GENERAL_NAME.3 +MLINKS+= d2i_X509.3 i2d_GENERAL_NAMES.3 +MLINKS+= d2i_X509.3 i2d_IPAddressChoice.3 +MLINKS+= d2i_X509.3 i2d_IPAddressFamily.3 +MLINKS+= d2i_X509.3 i2d_IPAddressOrRange.3 +MLINKS+= d2i_X509.3 i2d_IPAddressRange.3 +MLINKS+= d2i_X509.3 i2d_ISSUING_DIST_POINT.3 +MLINKS+= d2i_X509.3 i2d_NAMING_AUTHORITY.3 +MLINKS+= d2i_X509.3 i2d_NETSCAPE_CERT_SEQUENCE.3 +MLINKS+= d2i_X509.3 i2d_NETSCAPE_SPKAC.3 +MLINKS+= d2i_X509.3 i2d_NETSCAPE_SPKI.3 +MLINKS+= d2i_X509.3 i2d_NOTICEREF.3 +MLINKS+= d2i_X509.3 i2d_OCSP_BASICRESP.3 +MLINKS+= d2i_X509.3 i2d_OCSP_CERTID.3 +MLINKS+= d2i_X509.3 i2d_OCSP_CERTSTATUS.3 +MLINKS+= d2i_X509.3 i2d_OCSP_CRLID.3 +MLINKS+= d2i_X509.3 i2d_OCSP_ONEREQ.3 +MLINKS+= d2i_X509.3 i2d_OCSP_REQINFO.3 +MLINKS+= d2i_X509.3 i2d_OCSP_REQUEST.3 +MLINKS+= d2i_X509.3 i2d_OCSP_RESPBYTES.3 +MLINKS+= d2i_X509.3 i2d_OCSP_RESPDATA.3 +MLINKS+= d2i_X509.3 i2d_OCSP_RESPID.3 +MLINKS+= d2i_X509.3 i2d_OCSP_RESPONSE.3 +MLINKS+= d2i_X509.3 i2d_OCSP_REVOKEDINFO.3 +MLINKS+= d2i_X509.3 i2d_OCSP_SERVICELOC.3 +MLINKS+= d2i_X509.3 i2d_OCSP_SIGNATURE.3 +MLINKS+= d2i_X509.3 i2d_OCSP_SINGLERESP.3 +MLINKS+= d2i_X509.3 i2d_OTHERNAME.3 +MLINKS+= d2i_X509.3 i2d_PBE2PARAM.3 +MLINKS+= d2i_X509.3 i2d_PBEPARAM.3 +MLINKS+= d2i_X509.3 i2d_PBKDF2PARAM.3 +MLINKS+= d2i_X509.3 i2d_PKCS12.3 +MLINKS+= d2i_X509.3 i2d_PKCS12_BAGS.3 +MLINKS+= d2i_X509.3 i2d_PKCS12_MAC_DATA.3 +MLINKS+= d2i_X509.3 i2d_PKCS12_SAFEBAG.3 +MLINKS+= d2i_X509.3 i2d_PKCS12_bio.3 +MLINKS+= d2i_X509.3 i2d_PKCS12_fp.3 +MLINKS+= d2i_X509.3 i2d_PKCS7.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_DIGEST.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_ENCRYPT.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_ENC_CONTENT.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_ENVELOPE.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_ISSUER_AND_SERIAL.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_NDEF.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_RECIP_INFO.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_SIGNED.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_SIGNER_INFO.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_SIGN_ENVELOPE.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_bio.3 +MLINKS+= d2i_X509.3 i2d_PKCS7_fp.3 +MLINKS+= d2i_X509.3 i2d_PKCS8PrivateKeyInfo_bio.3 +MLINKS+= d2i_X509.3 i2d_PKCS8PrivateKeyInfo_fp.3 +MLINKS+= d2i_X509.3 i2d_PKCS8_PRIV_KEY_INFO.3 +MLINKS+= d2i_X509.3 i2d_PKCS8_PRIV_KEY_INFO_bio.3 +MLINKS+= d2i_X509.3 i2d_PKCS8_PRIV_KEY_INFO_fp.3 +MLINKS+= d2i_X509.3 i2d_PKCS8_bio.3 +MLINKS+= d2i_X509.3 i2d_PKCS8_fp.3 +MLINKS+= d2i_X509.3 i2d_PKEY_USAGE_PERIOD.3 +MLINKS+= d2i_X509.3 i2d_POLICYINFO.3 +MLINKS+= d2i_X509.3 i2d_POLICYQUALINFO.3 +MLINKS+= d2i_X509.3 i2d_PROFESSION_INFO.3 +MLINKS+= d2i_X509.3 i2d_PROXY_CERT_INFO_EXTENSION.3 +MLINKS+= d2i_X509.3 i2d_PROXY_POLICY.3 +MLINKS+= d2i_X509.3 i2d_RSAPrivateKey.3 +MLINKS+= d2i_X509.3 i2d_RSAPrivateKey_bio.3 +MLINKS+= d2i_X509.3 i2d_RSAPrivateKey_fp.3 +MLINKS+= d2i_X509.3 i2d_RSAPublicKey.3 +MLINKS+= d2i_X509.3 i2d_RSAPublicKey_bio.3 +MLINKS+= d2i_X509.3 i2d_RSAPublicKey_fp.3 +MLINKS+= d2i_X509.3 i2d_RSA_OAEP_PARAMS.3 +MLINKS+= d2i_X509.3 i2d_RSA_PSS_PARAMS.3 +MLINKS+= d2i_X509.3 i2d_RSA_PUBKEY.3 +MLINKS+= d2i_X509.3 i2d_RSA_PUBKEY_bio.3 +MLINKS+= d2i_X509.3 i2d_RSA_PUBKEY_fp.3 +MLINKS+= d2i_X509.3 i2d_SCRYPT_PARAMS.3 +MLINKS+= d2i_X509.3 i2d_SCT_LIST.3 +MLINKS+= d2i_X509.3 i2d_SXNET.3 +MLINKS+= d2i_X509.3 i2d_SXNETID.3 +MLINKS+= d2i_X509.3 i2d_TS_ACCURACY.3 +MLINKS+= d2i_X509.3 i2d_TS_MSG_IMPRINT.3 +MLINKS+= d2i_X509.3 i2d_TS_MSG_IMPRINT_bio.3 +MLINKS+= d2i_X509.3 i2d_TS_MSG_IMPRINT_fp.3 +MLINKS+= d2i_X509.3 i2d_TS_REQ.3 +MLINKS+= d2i_X509.3 i2d_TS_REQ_bio.3 +MLINKS+= d2i_X509.3 i2d_TS_REQ_fp.3 +MLINKS+= d2i_X509.3 i2d_TS_RESP.3 +MLINKS+= d2i_X509.3 i2d_TS_RESP_bio.3 +MLINKS+= d2i_X509.3 i2d_TS_RESP_fp.3 +MLINKS+= d2i_X509.3 i2d_TS_STATUS_INFO.3 +MLINKS+= d2i_X509.3 i2d_TS_TST_INFO.3 +MLINKS+= d2i_X509.3 i2d_TS_TST_INFO_bio.3 +MLINKS+= d2i_X509.3 i2d_TS_TST_INFO_fp.3 +MLINKS+= d2i_X509.3 i2d_USERNOTICE.3 MLINKS+= d2i_X509.3 i2d_X509.3 -MLINKS+= d2i_X509.3 i2d_X509_bio.3 -MLINKS+= d2i_X509.3 i2d_X509_fp.3 -MLINKS+= d2i_X509_ALGOR.3 i2d_X509_ALGOR.3 -MLINKS+= d2i_X509_CRL.3 d2i_X509_CRL_bio.3 -MLINKS+= d2i_X509_CRL.3 d2i_X509_CRL_fp.3 -MLINKS+= d2i_X509_CRL.3 i2d_X509_CRL.3 -MLINKS+= d2i_X509_CRL.3 i2d_X509_CRL_bio.3 -MLINKS+= d2i_X509_CRL.3 i2d_X509_CRL_fp.3 -MLINKS+= d2i_X509_NAME.3 i2d_X509_NAME.3 -MLINKS+= d2i_X509_REQ.3 d2i_X509_REQ_bio.3 -MLINKS+= d2i_X509_REQ.3 d2i_X509_REQ_fp.3 -MLINKS+= d2i_X509_REQ.3 i2d_X509_REQ.3 -MLINKS+= d2i_X509_REQ.3 i2d_X509_REQ_bio.3 -MLINKS+= d2i_X509_REQ.3 i2d_X509_REQ_fp.3 -MLINKS+= d2i_X509_SIG.3 i2d_X509_SIG.3 -MLINKS+= des.3 DES_cbc_cksum.3 -MLINKS+= des.3 DES_cfb64_encrypt.3 -MLINKS+= des.3 DES_cfb_encrypt.3 -MLINKS+= des.3 DES_crypt.3 -MLINKS+= des.3 DES_ecb2_encrypt.3 -MLINKS+= des.3 DES_ecb3_encrypt.3 -MLINKS+= des.3 DES_ecb_encrypt.3 -MLINKS+= des.3 DES_ede2_cbc_encrypt.3 -MLINKS+= des.3 DES_ede2_cfb64_encrypt.3 -MLINKS+= des.3 DES_ede2_ofb64_encrypt.3 -MLINKS+= des.3 DES_ede3_cbc_encrypt.3 -MLINKS+= des.3 DES_ede3_cbcm_encrypt.3 -MLINKS+= des.3 DES_ede3_cfb64_encrypt.3 -MLINKS+= des.3 DES_ede3_ofb64_encrypt.3 -MLINKS+= des.3 DES_enc_read.3 -MLINKS+= des.3 DES_enc_write.3 -MLINKS+= des.3 DES_fcrypt.3 -MLINKS+= des.3 DES_is_weak_key.3 -MLINKS+= des.3 DES_key_sched.3 -MLINKS+= des.3 DES_ncbc_encrypt.3 -MLINKS+= des.3 DES_ofb64_encrypt.3 -MLINKS+= des.3 DES_ofb_encrypt.3 -MLINKS+= des.3 DES_pcbc_encrypt.3 -MLINKS+= des.3 DES_quad_cksum.3 -MLINKS+= des.3 DES_random_key.3 -MLINKS+= des.3 DES_set_key.3 -MLINKS+= des.3 DES_set_key_checked.3 -MLINKS+= des.3 DES_set_key_unchecked.3 -MLINKS+= des.3 DES_set_odd_parity.3 -MLINKS+= des.3 DES_string_to_2keys.3 -MLINKS+= des.3 DES_string_to_key.3 -MLINKS+= des.3 DES_xcbc_encrypt.3 -MLINKS+= ecdsa.3 ECDSA_SIG_free.3 -MLINKS+= ecdsa.3 ECDSA_SIG_new.3 -MLINKS+= ecdsa.3 ECDSA_do_sign.3 -MLINKS+= ecdsa.3 ECDSA_do_sign_ex.3 -MLINKS+= ecdsa.3 ECDSA_do_verify.3 -MLINKS+= ecdsa.3 ECDSA_sign.3 -MLINKS+= ecdsa.3 ECDSA_sign_ex.3 -MLINKS+= ecdsa.3 ECDSA_sign_setup.3 -MLINKS+= ecdsa.3 ECDSA_size.3 -MLINKS+= ecdsa.3 ECDSA_verify.3 -MLINKS+= ecdsa.3 d2i_ECDSA_SIG.3 -MLINKS+= ecdsa.3 i2d_ECDSA_SIG.3 -MLINKS+= hmac.3 HMAC.3 -MLINKS+= hmac.3 HMAC_CTX_cleanup.3 -MLINKS+= hmac.3 HMAC_CTX_init.3 -MLINKS+= hmac.3 HMAC_Final.3 -MLINKS+= hmac.3 HMAC_Init.3 -MLINKS+= hmac.3 HMAC_Init_ex.3 -MLINKS+= hmac.3 HMAC_Update.3 -MLINKS+= hmac.3 HMAC_cleanup.3 -MLINKS+= lh_stats.3 lh_node_stats.3 -MLINKS+= lh_stats.3 lh_node_stats_bio.3 -MLINKS+= lh_stats.3 lh_node_usage_stats.3 -MLINKS+= lh_stats.3 lh_node_usage_stats_bio.3 -MLINKS+= lh_stats.3 lh_stats_bio.3 -MLINKS+= lhash.3 lh_delete.3 -MLINKS+= lhash.3 lh_doall.3 -MLINKS+= lhash.3 lh_doall_arg.3 -MLINKS+= lhash.3 lh_error.3 -MLINKS+= lhash.3 lh_free.3 -MLINKS+= lhash.3 lh_insert.3 -MLINKS+= lhash.3 lh_new.3 -MLINKS+= lhash.3 lh_retrieve.3 -MLINKS+= md5.3 MD2.3 -MLINKS+= md5.3 MD2_Final.3 -MLINKS+= md5.3 MD2_Init.3 -MLINKS+= md5.3 MD2_Update.3 -MLINKS+= md5.3 MD4.3 -MLINKS+= md5.3 MD4_Final.3 -MLINKS+= md5.3 MD4_Init.3 -MLINKS+= md5.3 MD4_Update.3 -MLINKS+= md5.3 MD5.3 -MLINKS+= md5.3 MD5_Final.3 -MLINKS+= md5.3 MD5_Init.3 -MLINKS+= md5.3 MD5_Update.3 -MLINKS+= mdc2.3 MDC2.3 -MLINKS+= mdc2.3 MDC2_Final.3 -MLINKS+= mdc2.3 MDC2_Init.3 -MLINKS+= mdc2.3 MDC2_Update.3 -MLINKS+= pem.3 PEM.3 -MLINKS+= pem.3 PEM_read_DHparams.3 -MLINKS+= pem.3 PEM_read_DSAPrivateKey.3 -MLINKS+= pem.3 PEM_read_DSA_PUBKEY.3 -MLINKS+= pem.3 PEM_read_DSAparams.3 -MLINKS+= pem.3 PEM_read_NETSCAPE_CERT_SEQUENCE.3 -MLINKS+= pem.3 PEM_read_PKCS7.3 -MLINKS+= pem.3 PEM_read_PUBKEY.3 -MLINKS+= pem.3 PEM_read_PrivateKey.3 -MLINKS+= pem.3 PEM_read_RSAPrivateKey.3 -MLINKS+= pem.3 PEM_read_RSAPublicKey.3 -MLINKS+= pem.3 PEM_read_RSA_PUBKEY.3 -MLINKS+= pem.3 PEM_read_X509.3 -MLINKS+= pem.3 PEM_read_X509_AUX.3 -MLINKS+= pem.3 PEM_read_X509_CRL.3 -MLINKS+= pem.3 PEM_read_X509_REQ.3 -MLINKS+= pem.3 PEM_read_bio_DHparams.3 -MLINKS+= pem.3 PEM_read_bio_DSAPrivateKey.3 -MLINKS+= pem.3 PEM_read_bio_DSA_PUBKEY.3 -MLINKS+= pem.3 PEM_read_bio_DSAparams.3 -MLINKS+= pem.3 PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3 -MLINKS+= pem.3 PEM_read_bio_PKCS7.3 -MLINKS+= pem.3 PEM_read_bio_PUBKEY.3 -MLINKS+= pem.3 PEM_read_bio_PrivateKey.3 -MLINKS+= pem.3 PEM_read_bio_RSAPrivateKey.3 -MLINKS+= pem.3 PEM_read_bio_RSAPublicKey.3 -MLINKS+= pem.3 PEM_read_bio_RSA_PUBKEY.3 -MLINKS+= pem.3 PEM_read_bio_X509.3 -MLINKS+= pem.3 PEM_read_bio_X509_AUX.3 -MLINKS+= pem.3 PEM_read_bio_X509_CRL.3 -MLINKS+= pem.3 PEM_read_bio_X509_REQ.3 -MLINKS+= pem.3 PEM_write_DHparams.3 -MLINKS+= pem.3 PEM_write_DSAPrivateKey.3 -MLINKS+= pem.3 PEM_write_DSA_PUBKEY.3 -MLINKS+= pem.3 PEM_write_DSAparams.3 -MLINKS+= pem.3 PEM_write_NETSCAPE_CERT_SEQUENCE.3 -MLINKS+= pem.3 PEM_write_PKCS7.3 -MLINKS+= pem.3 PEM_write_PKCS8PrivateKey.3 -MLINKS+= pem.3 PEM_write_PKCS8PrivateKey_nid.3 -MLINKS+= pem.3 PEM_write_PUBKEY.3 -MLINKS+= pem.3 PEM_write_PrivateKey.3 -MLINKS+= pem.3 PEM_write_RSAPrivateKey.3 -MLINKS+= pem.3 PEM_write_RSAPublicKey.3 -MLINKS+= pem.3 PEM_write_RSA_PUBKEY.3 -MLINKS+= pem.3 PEM_write_X509.3 -MLINKS+= pem.3 PEM_write_X509_AUX.3 -MLINKS+= pem.3 PEM_write_X509_CRL.3 -MLINKS+= pem.3 PEM_write_X509_REQ.3 -MLINKS+= pem.3 PEM_write_X509_REQ_NEW.3 -MLINKS+= pem.3 PEM_write_bio_DHparams.3 -MLINKS+= pem.3 PEM_write_bio_DSAPrivateKey.3 -MLINKS+= pem.3 PEM_write_bio_DSA_PUBKEY.3 -MLINKS+= pem.3 PEM_write_bio_DSAparams.3 -MLINKS+= pem.3 PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3 -MLINKS+= pem.3 PEM_write_bio_PKCS7.3 -MLINKS+= pem.3 PEM_write_bio_PKCS8PrivateKey.3 -MLINKS+= pem.3 PEM_write_bio_PKCS8PrivateKey_nid.3 -MLINKS+= pem.3 PEM_write_bio_PUBKEY.3 -MLINKS+= pem.3 PEM_write_bio_PrivateKey.3 -MLINKS+= pem.3 PEM_write_bio_RSAPrivateKey.3 -MLINKS+= pem.3 PEM_write_bio_RSAPublicKey.3 -MLINKS+= pem.3 PEM_write_bio_RSA_PUBKEY.3 -MLINKS+= pem.3 PEM_write_bio_X509.3 -MLINKS+= pem.3 PEM_write_bio_X509_AUX.3 -MLINKS+= pem.3 PEM_write_bio_X509_CRL.3 -MLINKS+= pem.3 PEM_write_bio_X509_REQ.3 -MLINKS+= pem.3 PEM_write_bio_X509_REQ_NEW.3 -MLINKS+= rc4.3 RC4.3 -MLINKS+= rc4.3 RC4_set_key.3 -MLINKS+= ripemd.3 RIPEMD160.3 -MLINKS+= ripemd.3 RIPEMD160_Final.3 -MLINKS+= ripemd.3 RIPEMD160_Init.3 -MLINKS+= ripemd.3 RIPEMD160_Update.3 -MLINKS+= sha.3 SHA1.3 -MLINKS+= sha.3 SHA1_Final.3 -MLINKS+= sha.3 SHA1_Init.3 -MLINKS+= sha.3 SHA1_Update.3 -MLINKS+= sha.3 SHA224.3 -MLINKS+= sha.3 SHA224_Final.3 -MLINKS+= sha.3 SHA224_Init.3 -MLINKS+= sha.3 SHA224_Update.3 -MLINKS+= sha.3 SHA256.3 -MLINKS+= sha.3 SHA256_Final.3 -MLINKS+= sha.3 SHA256_Init.3 -MLINKS+= sha.3 SHA256_Update.3 -MLINKS+= sha.3 SHA384.3 -MLINKS+= sha.3 SHA384_Final.3 -MLINKS+= sha.3 SHA384_Init.3 -MLINKS+= sha.3 SHA384_Update.3 -MLINKS+= sha.3 SHA512.3 -MLINKS+= sha.3 SHA512_Final.3 -MLINKS+= sha.3 SHA512_Init.3 -MLINKS+= sha.3 SHA512_Update.3 -MLINKS+= threads.3 CRYPTO_THREADID_cmp.3 -MLINKS+= threads.3 CRYPTO_THREADID_cpy.3 -MLINKS+= threads.3 CRYPTO_THREADID_current.3 -MLINKS+= threads.3 CRYPTO_THREADID_get_callback.3 -MLINKS+= threads.3 CRYPTO_THREADID_hash.3 -MLINKS+= threads.3 CRYPTO_THREADID_set_callback.3 -MLINKS+= threads.3 CRYPTO_destroy_dynlockid.3 -MLINKS+= threads.3 CRYPTO_get_new_dynlockid.3 -MLINKS+= threads.3 CRYPTO_lock.3 -MLINKS+= threads.3 CRYPTO_num_locks.3 -MLINKS+= threads.3 CRYPTO_set_dynlock_create_callback.3 -MLINKS+= threads.3 CRYPTO_set_dynlock_destroy_callback.3 -MLINKS+= threads.3 CRYPTO_set_dynlock_lock_callback.3 -MLINKS+= threads.3 CRYPTO_set_locking_callback.3 -MLINKS+= ui.3 ERR_load_UI_strings.3 -MLINKS+= ui.3 UI_OpenSSL.3 -MLINKS+= ui.3 UI_add_error_string.3 -MLINKS+= ui.3 UI_add_info_string.3 -MLINKS+= ui.3 UI_add_input_boolean.3 -MLINKS+= ui.3 UI_add_input_string.3 -MLINKS+= ui.3 UI_add_user_data.3 -MLINKS+= ui.3 UI_add_verify_string.3 -MLINKS+= ui.3 UI_construct_prompt.3 -MLINKS+= ui.3 UI_ctrl.3 -MLINKS+= ui.3 UI_dup_error_string.3 -MLINKS+= ui.3 UI_dup_info_string.3 -MLINKS+= ui.3 UI_dup_input_boolean.3 -MLINKS+= ui.3 UI_dup_input_string.3 -MLINKS+= ui.3 UI_dup_verify_string.3 -MLINKS+= ui.3 UI_free.3 -MLINKS+= ui.3 UI_get0_result.3 -MLINKS+= ui.3 UI_get0_user_data.3 -MLINKS+= ui.3 UI_get_default_method.3 -MLINKS+= ui.3 UI_get_method.3 -MLINKS+= ui.3 UI_new.3 -MLINKS+= ui.3 UI_new_method.3 -MLINKS+= ui.3 UI_process.3 -MLINKS+= ui.3 UI_set_default_method.3 -MLINKS+= ui.3 UI_set_method.3 -MLINKS+= ui_compat.3 des_read_2passwords.3 -MLINKS+= ui_compat.3 des_read_password.3 -MLINKS+= ui_compat.3 des_read_pw.3 -MLINKS+= ui_compat.3 des_read_pw_string.3 +MLINKS+= d2i_X509.3 i2d_X509_ALGOR.3 +MLINKS+= d2i_X509.3 i2d_X509_ALGORS.3 +MLINKS+= d2i_X509.3 i2d_X509_ATTRIBUTE.3 +MLINKS+= d2i_X509.3 i2d_X509_CERT_AUX.3 +MLINKS+= d2i_X509.3 i2d_X509_CINF.3 +MLINKS+= d2i_X509.3 i2d_X509_CRL.3 +MLINKS+= d2i_X509.3 i2d_X509_CRL_INFO.3 +MLINKS+= d2i_X509.3 i2d_X509_CRL_bio.3 +MLINKS+= d2i_X509.3 i2d_X509_CRL_fp.3 +MLINKS+= d2i_X509.3 i2d_X509_EXTENSION.3 +MLINKS+= d2i_X509.3 i2d_X509_EXTENSIONS.3 +MLINKS+= d2i_X509.3 i2d_X509_NAME.3 +MLINKS+= d2i_X509.3 i2d_X509_NAME_ENTRY.3 +MLINKS+= d2i_X509.3 i2d_X509_PUBKEY.3 +MLINKS+= d2i_X509.3 i2d_X509_REQ.3 +MLINKS+= d2i_X509.3 i2d_X509_REQ_INFO.3 +MLINKS+= d2i_X509.3 i2d_X509_REQ_bio.3 +MLINKS+= d2i_X509.3 i2d_X509_REQ_fp.3 +MLINKS+= d2i_X509.3 i2d_X509_REVOKED.3 +MLINKS+= d2i_X509.3 i2d_X509_SIG.3 +MLINKS+= d2i_X509.3 i2d_X509_VAL.3 +MLINKS+= i2d_re_X509_tbs.3 d2i_X509_AUX.3 +MLINKS+= i2d_re_X509_tbs.3 i2d_X509_AUX.3 +MLINKS+= i2d_re_X509_tbs.3 i2d_re_X509_CRL_tbs.3 +MLINKS+= i2d_re_X509_tbs.3 i2d_re_X509_REQ_tbs.3 +MLINKS+= o2i_SCT_LIST.3 i2o_SCT.3 +MLINKS+= o2i_SCT_LIST.3 i2o_SCT_LIST.3 +MLINKS+= o2i_SCT_LIST.3 o2i_SCT.3 diff --git a/secure/lib/libcrypto/man/ADMISSIONS.3 b/secure/lib/libcrypto/man/ADMISSIONS.3 new file mode 100644 index 000000000000..aaeb6031febe --- /dev/null +++ b/secure/lib/libcrypto/man/ADMISSIONS.3 @@ -0,0 +1,276 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ADMISSIONS 3" +.TH ADMISSIONS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ADMISSIONS, ADMISSIONS_get0_admissionAuthority, ADMISSIONS_get0_namingAuthority, ADMISSIONS_get0_professionInfos, ADMISSIONS_set0_admissionAuthority, ADMISSIONS_set0_namingAuthority, ADMISSIONS_set0_professionInfos, ADMISSION_SYNTAX, ADMISSION_SYNTAX_get0_admissionAuthority, ADMISSION_SYNTAX_get0_contentsOfAdmissions, ADMISSION_SYNTAX_set0_admissionAuthority, ADMISSION_SYNTAX_set0_contentsOfAdmissions, NAMING_AUTHORITY, NAMING_AUTHORITY_get0_authorityId, NAMING_AUTHORITY_get0_authorityURL, NAMING_AUTHORITY_get0_authorityText, NAMING_AUTHORITY_set0_authorityId, NAMING_AUTHORITY_set0_authorityURL, NAMING_AUTHORITY_set0_authorityText, PROFESSION_INFO, PROFESSION_INFOS, PROFESSION_INFO_get0_addProfessionInfo, PROFESSION_INFO_get0_namingAuthority, PROFESSION_INFO_get0_professionItems, PROFESSION_INFO_get0_professionOIDs, PROFESSION_INFO_get0_registrationNumber, PROFESSION_INFO_set0_addProfessionInfo, PROFESSION_INFO_set0_namingAuthority, PROFESSION_INFO_set0_professionItems, PROFESSION_INFO_set0_professionOIDs, PROFESSION_INFO_set0_registrationNumber \&\- Accessors and settors for ADMISSION_SYNTAX +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 5 +\& typedef struct NamingAuthority_st NAMING_AUTHORITY; +\& typedef struct ProfessionInfo_st PROFESSION_INFO; +\& typedef STACK_OF(PROFESSION_INFO) PROFESSION_INFOS; +\& typedef struct Admissions_st ADMISSIONS; +\& typedef struct AdmissionSyntax_st ADMISSION_SYNTAX; +\& +\& const ASN1_OBJECT *NAMING_AUTHORITY_get0_authorityId( +\& const NAMING_AUTHORITY *n); +\& void NAMING_AUTHORITY_set0_authorityId(NAMING_AUTHORITY *n, +\& ASN1_OBJECT* namingAuthorityId); +\& const ASN1_IA5STRING *NAMING_AUTHORITY_get0_authorityURL( +\& const NAMING_AUTHORITY *n); +\& void NAMING_AUTHORITY_set0_authorityURL(NAMING_AUTHORITY *n, +\& ASN1_IA5STRING* namingAuthorityUrl); +\& const ASN1_STRING *NAMING_AUTHORITY_get0_authorityText( +\& const NAMING_AUTHORITY *n); +\& void NAMING_AUTHORITY_set0_authorityText(NAMING_AUTHORITY *n, +\& ASN1_STRING* namingAuthorityText); +\& +\& const GENERAL_NAME *ADMISSION_SYNTAX_get0_admissionAuthority( +\& const ADMISSION_SYNTAX *as); +\& void ADMISSION_SYNTAX_set0_admissionAuthority( +\& ADMISSION_SYNTAX *as, GENERAL_NAME *aa); +\& const STACK_OF(ADMISSIONS) *ADMISSION_SYNTAX_get0_contentsOfAdmissions( +\& const ADMISSION_SYNTAX *as); +\& void ADMISSION_SYNTAX_set0_contentsOfAdmissions( +\& ADMISSION_SYNTAX *as, STACK_OF(ADMISSIONS) *a); +\& +\& const GENERAL_NAME *ADMISSIONS_get0_admissionAuthority(const ADMISSIONS *a); +\& void ADMISSIONS_set0_admissionAuthority(ADMISSIONS *a, GENERAL_NAME *aa); +\& const NAMING_AUTHORITY *ADMISSIONS_get0_namingAuthority(const ADMISSIONS *a); +\& void ADMISSIONS_set0_namingAuthority(ADMISSIONS *a, NAMING_AUTHORITY *na); +\& const PROFESSION_INFOS *ADMISSIONS_get0_professionInfos(const ADMISSIONS *a); +\& void ADMISSIONS_set0_professionInfos(ADMISSIONS *a, PROFESSION_INFOS *pi); +\& +\& const ASN1_OCTET_STRING *PROFESSION_INFO_get0_addProfessionInfo( +\& const PROFESSION_INFO *pi); +\& void PROFESSION_INFO_set0_addProfessionInfo( +\& PROFESSION_INFO *pi, ASN1_OCTET_STRING *aos); +\& const NAMING_AUTHORITY *PROFESSION_INFO_get0_namingAuthority( +\& const PROFESSION_INFO *pi); +\& void PROFESSION_INFO_set0_namingAuthority( +\& PROFESSION_INFO *pi, NAMING_AUTHORITY *na); +\& const STACK_OF(ASN1_STRING) *PROFESSION_INFO_get0_professionItems( +\& const PROFESSION_INFO *pi); +\& void PROFESSION_INFO_set0_professionItems( +\& PROFESSION_INFO *pi, STACK_OF(ASN1_STRING) *as); +\& const STACK_OF(ASN1_OBJECT) *PROFESSION_INFO_get0_professionOIDs( +\& const PROFESSION_INFO *pi); +\& void PROFESSION_INFO_set0_professionOIDs( +\& PROFESSION_INFO *pi, STACK_OF(ASN1_OBJECT) *po); +\& const ASN1_PRINTABLESTRING *PROFESSION_INFO_get0_registrationNumber( +\& const PROFESSION_INFO *pi); +\& void PROFESSION_INFO_set0_registrationNumber( +\& PROFESSION_INFO *pi, ASN1_PRINTABLESTRING *rn); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1PROFESSION_INFOS\s0\fR, \fB\s-1ADMISSION_SYNTAX\s0\fR, \fB\s-1ADMISSIONS\s0\fR, and +\&\fB\s-1PROFESSION_INFO\s0\fR types are opaque structures representing the +analogous types defined in the Common \s-1PKI\s0 Specification published +by . +Knowledge of those structures and their semantics is assumed. +.PP +The conventional routines to convert between \s-1DER\s0 and the local format +are described in \fId2i_X509\fR\|(3). +The conventional routines to allocate and free the types are defined +in \fIX509_dup\fR\|(3). +.PP +The \fB\s-1PROFESSION_INFOS\s0\fR type is a stack of \fB\s-1PROFESSION_INFO\s0\fR; see +\&\s-1\fIDEFINE_STACK_OF\s0\fR\|(3) for details. +.PP +The \fB\s-1NAMING_AUTHORITY\s0\fR type has an authority \s-1ID\s0 and \s-1URL,\s0 and text fields. +The \fINAMING_AUTHORITY_get0_authorityId()\fR, +\&\fINAMING_AUTHORITY_get0_get0_authorityURL()\fR, and +\&\fINAMING_AUTHORITY_get0_get0_authorityText()\fR, functions return pointers +to those values within the object. +The \fINAMING_AUTHORITY_set0_authorityId()\fR, +\&\fINAMING_AUTHORITY_set0_get0_authorityURL()\fR, and +\&\fINAMING_AUTHORITY_set0_get0_authorityText()\fR, +functions free any existing value and set the pointer to the specified value. +.PP +The \fB\s-1ADMISSION_SYNTAX\s0\fR type has an authority name and a stack of +\&\fB\s-1ADMISSION\s0\fR objects. +The \fIADMISSION_SYNTAX_get0_admissionAuthority()\fR +and \fIADMISSION_SYNTAX_get0_contentsOfAdmissions()\fR functions return pointers +to those values within the object. +The +\&\fIADMISSION_SYNTAX_set0_admissionAuthority()\fR and +\&\fIADMISSION_SYNTAX_set0_contentsOfAdmissions()\fR +functions free any existing value and set the pointer to the specified value. +.PP +The \fB\s-1ADMISSION\s0\fR type has an authority name, authority object, and a +stack of \fB\s-1PROFSSION_INFO\s0\fR items. +The \fIADMISSIONS_get0_admissionAuthority()\fR, \fIADMISSIONS_get0_namingAuthority()\fR, +and \fIADMISSIONS_get0_professionInfos()\fR +functions return pointers to those values within the object. +The +\&\fIADMISSIONS_set0_admissionAuthority()\fR, +\&\fIADMISSIONS_set0_namingAuthority()\fR, and +\&\fIADMISSIONS_set0_professionInfos()\fR +functions free any existing value and set the pointer to the specified value. +.PP +The \fB\s-1PROFESSION_INFO\s0\fR type has a name authority, stacks of +profession Items and OIDs, a registration number, and additional +profession info. +The functions \fIPROFESSION_INFO_get0_addProfessionInfo()\fR, +\&\fIPROFESSION_INFO_get0_namingAuthority()\fR, \fIPROFESSION_INFO_get0_professionItems()\fR, +\&\fIPROFESSION_INFO_get0_professionOIDs()\fR, and +\&\fIPROFESSION_INFO_get0_registrationNumber()\fR +functions return pointers to those values within the object. +The +\&\fIPROFESSION_INFO_set0_addProfessionInfo()\fR, +\&\fIPROFESSION_INFO_set0_namingAuthority()\fR, +\&\fIPROFESSION_INFO_set0_professionItems()\fR, +\&\fIPROFESSION_INFO_set0_professionOIDs()\fR, and +\&\fIPROFESSION_INFO_set0_registrationNumber()\fR +functions free any existing value and set the pointer to the specified value. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Described above. +Note that all of the \fIget0\fR functions return a pointer to the internal data +structure and must not be freed. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_dup\fR\|(3), +\&\fId2i_X509\fR\|(3), +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_INTEGER_get_int64.3 b/secure/lib/libcrypto/man/ASN1_INTEGER_get_int64.3 new file mode 100644 index 000000000000..9a3f910feb82 --- /dev/null +++ b/secure/lib/libcrypto/man/ASN1_INTEGER_get_int64.3 @@ -0,0 +1,256 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ASN1_INTEGER_GET_INT64 3" +.TH ASN1_INTEGER_GET_INT64 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ASN1_INTEGER_get_uint64, ASN1_INTEGER_set_uint64, ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_set, BN_to_ASN1_INTEGER, ASN1_INTEGER_to_BN, ASN1_ENUMERATED_get_int64, ASN1_ENUMERATED_get, ASN1_ENUMERATED_set_int64, ASN1_ENUMERATED_set, BN_to_ASN1_ENUMERATED, ASN1_ENUMERATED_to_BN \&\- ASN.1 INTEGER and ENUMERATED utilities +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a); +\& long ASN1_INTEGER_get(const ASN1_INTEGER *a); +\& +\& int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r); +\& int ASN1_INTEGER_set(const ASN1_INTEGER *a, long v); +\& +\& int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a); +\& int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r); +\& +\& ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai); +\& BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn); +\& +\& int ASN1_ENUMERATED_get_int64(int64_t *pr, const ASN1_INTEGER *a); +\& long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a); +\& +\& int ASN1_ENUMERATED_set_int64(ASN1_INTEGER *a, int64_t r); +\& int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v); +\& +\& ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai); +\& BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions convert to and from \fB\s-1ASN1_INTEGER\s0\fR and \fB\s-1ASN1_ENUMERATED\s0\fR +structures. +.PP +\&\fIASN1_INTEGER_get_int64()\fR converts an \fB\s-1ASN1_INTEGER\s0\fR into an \fBint64_t\fR type +If successful it returns 1 and sets \fB*pr\fR to the value of \fBa\fR. If it fails +(due to invalid type or the value being too big to fit into an \fBint64_t\fR type) +it returns 0. +.PP +\&\fIASN1_INTEGER_get_uint64()\fR is similar to \fIASN1_INTEGER_get_int64_t()\fR except it +converts to a \fBuint64_t\fR type and an error is returned if the passed integer +is negative. +.PP +\&\fIASN1_INTEGER_get()\fR also returns the value of \fBa\fR but it returns 0 if \fBa\fR is +\&\s-1NULL\s0 and \-1 on error (which is ambiguous because \-1 is a legitimate value for +an \fB\s-1ASN1_INTEGER\s0\fR). New applications should use \fIASN1_INTEGER_get_int64()\fR +instead. +.PP +\&\fIASN1_INTEGER_set_int64()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fBa\fR to the +\&\fBint64_t\fR value \fBr\fR. +.PP +\&\fIASN1_INTEGER_set_uint64()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fBa\fR to the +\&\fBuint64_t\fR value \fBr\fR. +.PP +\&\fIASN1_INTEGER_set()\fR sets the value of \fB\s-1ASN1_INTEGER\s0\fR \fBa\fR to the \fBlong\fR value +\&\fBv\fR. +.PP +\&\fIBN_to_ASN1_INTEGER()\fR converts \fB\s-1BIGNUM\s0\fR \fBbn\fR to an \fB\s-1ASN1_INTEGER\s0\fR. If \fBai\fR +is \s-1NULL\s0 a new \fB\s-1ASN1_INTEGER\s0\fR structure is returned. If \fBai\fR is not \s-1NULL\s0 then +the existing structure will be used instead. +.PP +\&\fIASN1_INTEGER_to_BN()\fR converts \s-1ASN1_INTEGER\s0 \fBai\fR into a \fB\s-1BIGNUM\s0\fR. If \fBbn\fR is +\&\s-1NULL\s0 a new \fB\s-1BIGNUM\s0\fR structure is returned. If \fBbn\fR is not \s-1NULL\s0 then the +existing structure will be used instead. +.PP +\&\fIASN1_ENUMERATED_get_int64()\fR, \fIASN1_ENUMERATED_set_int64()\fR, +\&\fIASN1_ENUMERATED_set()\fR, \fIBN_to_ASN1_ENUMERATED()\fR and \fIASN1_ENUMERATED_to_BN()\fR +behave in an identical way to their \s-1ASN1_INTEGER\s0 counterparts except they +operate on an \fB\s-1ASN1_ENUMERATED\s0\fR value. +.PP +\&\fIASN1_ENUMERATED_get()\fR returns the value of \fBa\fR in a similar way to +\&\fIASN1_INTEGER_get()\fR but it returns \fB0xffffffffL\fR if the value of \fBa\fR will not +fit in a long type. New applications should use \fIASN1_ENUMERATED_get_int64()\fR +instead. +.SH "NOTES" +.IX Header "NOTES" +In general an \fB\s-1ASN1_INTEGER\s0\fR or \fB\s-1ASN1_ENUMERATED\s0\fR type can contain an +integer of almost arbitrary size and so cannot always be represented by a C +\&\fBint64_t\fR type. However in many cases (for example version numbers) they +represent small integers which can be more easily manipulated if converted to +an appropriate C integer type. +.SH "BUGS" +.IX Header "BUGS" +The ambiguous return values of \fIASN1_INTEGER_get()\fR and \fIASN1_ENUMERATED_get()\fR +mean these functions should be avoided if possible. They are retained for +compatibility. Normally the ambiguous return values are not legitimate +values for the fields they represent. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIASN1_INTEGER_set_int64()\fR, \fIASN1_INTEGER_set()\fR, \fIASN1_ENUMERATED_set_int64()\fR and +\&\fIASN1_ENUMERATED_set()\fR return 1 for success and 0 for failure. They will only +fail if a memory allocation error occurs. +.PP +\&\fIASN1_INTEGER_get_int64()\fR and \fIASN1_ENUMERATED_get_int64()\fR return 1 for success +and 0 for failure. They will fail if the passed type is incorrect (this will +only happen if there is a programming error) or if the value exceeds the range +of an \fBint64_t\fR type. +.PP +\&\fIBN_to_ASN1_INTEGER()\fR and \fIBN_to_ASN1_ENUMERATED()\fR return an \fB\s-1ASN1_INTEGER\s0\fR or +\&\fB\s-1ASN1_ENUMERATED\s0\fR structure respectively or \s-1NULL\s0 if an error occurs. They will +only fail due to a memory allocation error. +.PP +\&\fIASN1_INTEGER_to_BN()\fR and \fIASN1_ENUMERATED_to_BN()\fR return a \fB\s-1BIGNUM\s0\fR structure +of \s-1NULL\s0 if an error occurs. They can fail if the passed type is incorrect +(due to programming error) or due to a memory allocation failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIERR_get_error\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIASN1_INTEGER_set_int64()\fR, \fIASN1_INTEGER_get_int64()\fR, +\&\fIASN1_ENUMERATED_set_int64()\fR and \fIASN1_ENUMERATED_get_int64()\fR +were added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_ITEM_lookup.3 b/secure/lib/libcrypto/man/ASN1_ITEM_lookup.3 new file mode 100644 index 000000000000..96cc5d413490 --- /dev/null +++ b/secure/lib/libcrypto/man/ASN1_ITEM_lookup.3 @@ -0,0 +1,167 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ASN1_ITEM_LOOKUP 3" +.TH ASN1_ITEM_LOOKUP 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ASN1_ITEM_lookup, ASN1_ITEM_get \- lookup ASN.1 structures +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const ASN1_ITEM *ASN1_ITEM_lookup(const char *name); +\& const ASN1_ITEM *ASN1_ITEM_get(size_t i); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIASN1_ITEM_lookup()\fR returns the \fB\s-1ASN1_ITEM\s0 name\fR. +.PP +\&\fIASN1_ITEM_get()\fR returns the \fB\s-1ASN1_ITEM\s0\fR with index \fBi\fR. This function +returns \fB\s-1NULL\s0\fR if the index \fBi\fR is out of range. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIASN1_ITEM_lookup()\fR and \fIASN1_ITEM_get()\fR return a valid \fB\s-1ASN1_ITEM\s0\fR structure +or \fB\s-1NULL\s0\fR if an error occurred. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIERR_get_error\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 b/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 index d43f1b2c89fd..ec50615f6955 100644 --- a/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 +++ b/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ASN1_OBJECT_new 3" -.TH ASN1_OBJECT_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ASN1_OBJECT_NEW 3" +.TH ASN1_OBJECT_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ASN1_OBJECT_new, ASN1_OBJECT_free, \- object allocation functions +ASN1_OBJECT_new, ASN1_OBJECT_free \- object allocation functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -149,9 +149,10 @@ ASN1_OBJECT_new, ASN1_OBJECT_free, \- object allocation functions The \s-1ASN1_OBJECT\s0 allocation routines, allocate and free an \&\s-1ASN1_OBJECT\s0 structure, which represents an \s-1ASN1 OBJECT IDENTIFIER.\s0 .PP -\&\fIASN1_OBJECT_new()\fR allocates and initializes a \s-1ASN1_OBJECT\s0 structure. +\&\fIASN1_OBJECT_new()\fR allocates and initializes an \s-1ASN1_OBJECT\s0 structure. .PP \&\fIASN1_OBJECT_free()\fR frees up the \fB\s-1ASN1_OBJECT\s0\fR structure \fBa\fR. +If \fBa\fR is \s-1NULL,\s0 nothing is done. .SH "NOTES" .IX Header "NOTES" Although \fIASN1_OBJECT_new()\fR allocates a new \s-1ASN1_OBJECT\s0 structure it @@ -167,6 +168,11 @@ Otherwise it returns a pointer to the newly allocated structure. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fId2i_ASN1_OBJECT\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIASN1_OBJECT_new()\fR and \fIASN1_OBJECT_free()\fR are available in all versions of SSLeay and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_STRING_TABLE_add.3 b/secure/lib/libcrypto/man/ASN1_STRING_TABLE_add.3 new file mode 100644 index 000000000000..519a6efd39fd --- /dev/null +++ b/secure/lib/libcrypto/man/ASN1_STRING_TABLE_add.3 @@ -0,0 +1,191 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ASN1_STRING_TABLE_ADD 3" +.TH ASN1_STRING_TABLE_ADD 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ASN1_STRING_TABLE, ASN1_STRING_TABLE_add, ASN1_STRING_TABLE_get, ASN1_STRING_TABLE_cleanup \- ASN1_STRING_TABLE manipulation functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef struct asn1_string_table_st ASN1_STRING_TABLE; +\& +\& int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize, +\& unsigned long mask, unsigned long flags); +\& ASN1_STRING_TABLE * ASN1_STRING_TABLE_get(int nid); +\& void ASN1_STRING_TABLE_cleanup(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +.SS "Types" +.IX Subsection "Types" +\&\fB\s-1ASN1_STRING_TABLE\s0\fR is a table which holds string information +(basically minimum size, maximum size, type and etc) for a \s-1NID\s0 object. +.SS "Functions" +.IX Subsection "Functions" +\&\fIASN1_STRING_TABLE_add()\fR adds a new \fB\s-1ASN1_STRING_TABLE\s0\fR item into the +local \s-1ASN1\s0 string table based on the \fBnid\fR along with other parameters. +.PP +If the item is already in the table, fields of \fB\s-1ASN1_STRING_TABLE\s0\fR are +updated (depending on the values of those parameters, e.g., \fBminsize\fR +and \fBmaxsize\fR >= 0, \fBmask\fR and \fBflags\fR != 0). If the \fBnid\fR is standard, +a copy of the standard \fB\s-1ASN1_STRING_TABLE\s0\fR is created and updated with +other parameters. +.PP +\&\fIASN1_STRING_TABLE_get()\fR searches for an \fB\s-1ASN1_STRING_TABLE\s0\fR item based +on \fBnid\fR. It will search the local table first, then the standard one. +.PP +\&\fIASN1_STRING_TABLE_cleanup()\fR frees all \fB\s-1ASN1_STRING_TABLE\s0\fR items added +by \fIASN1_STRING_TABLE_add()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIASN1_STRING_TABLE_add()\fR returns 1 on success, 0 if an error occurred. +.PP +\&\fIASN1_STRING_TABLE_get()\fR returns a valid \fB\s-1ASN1_STRING_TABLE\s0\fR structure +or \fB\s-1NULL\s0\fR if nothing is found. +.PP +\&\fIASN1_STRING_TABLE_cleanup()\fR does not return a value. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIERR_get_error\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_STRING_length.3 b/secure/lib/libcrypto/man/ASN1_STRING_length.3 index e5d15efe0fce..f33855999fcc 100644 --- a/secure/lib/libcrypto/man/ASN1_STRING_length.3 +++ b/secure/lib/libcrypto/man/ASN1_STRING_length.3 @@ -128,22 +128,21 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ASN1_STRING_length 3" -.TH ASN1_STRING_length 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ASN1_STRING_LENGTH 3" +.TH ASN1_STRING_LENGTH 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ASN1_STRING_dup, ASN1_STRING_cmp, ASN1_STRING_set, ASN1_STRING_length, -ASN1_STRING_length_set, ASN1_STRING_type, ASN1_STRING_data, ASN1_STRING_to_UTF8 \- -ASN1_STRING utility functions +ASN1_STRING_dup, ASN1_STRING_cmp, ASN1_STRING_set, ASN1_STRING_length, ASN1_STRING_type, ASN1_STRING_get0_data, ASN1_STRING_data, ASN1_STRING_to_UTF8 \- ASN1_STRING utility functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int ASN1_STRING_length(ASN1_STRING *x); +\& const unsigned char * ASN1_STRING_get0_data(const ASN1_STRING *x); \& unsigned char * ASN1_STRING_data(ASN1_STRING *x); \& \& ASN1_STRING * ASN1_STRING_dup(ASN1_STRING *a); @@ -152,9 +151,9 @@ ASN1_STRING utility functions \& \& int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len); \& -\& int ASN1_STRING_type(ASN1_STRING *x); +\& int ASN1_STRING_type(const ASN1_STRING *x); \& -\& int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in); +\& int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -162,10 +161,14 @@ These functions allow an \fB\s-1ASN1_STRING\s0\fR structure to be manipulated. .PP \&\fIASN1_STRING_length()\fR returns the length of the content of \fBx\fR. .PP -\&\fIASN1_STRING_data()\fR returns an internal pointer to the data of \fBx\fR. +\&\fIASN1_STRING_get0_data()\fR returns an internal pointer to the data of \fBx\fR. Since this is an internal pointer it should \fBnot\fR be freed or modified in any way. .PP +\&\fIASN1_STRING_data()\fR is similar to \fIASN1_STRING_get0_data()\fR except the +returned value is not constant. This function is deprecated: +applications should use \fIASN1_STRING_get0_data()\fR instead. +.PP \&\fIASN1_STRING_dup()\fR returns a copy of the structure \fBa\fR. .PP \&\fIASN1_STRING_cmp()\fR compares \fBa\fR and \fBb\fR returning 0 if the two @@ -181,11 +184,11 @@ such as \fBV_ASN1_OCTET_STRING\fR. \&\fIASN1_STRING_to_UTF8()\fR converts the string \fBin\fR to \s-1UTF8\s0 format, the converted data is allocated in a buffer in \fB*out\fR. The length of \&\fBout\fR is returned or a negative error code. The buffer \fB*out\fR -should be free using \fIOPENSSL_free()\fR. +should be freed using \fIOPENSSL_free()\fR. .SH "NOTES" .IX Header "NOTES" Almost all \s-1ASN1\s0 types in OpenSSL are represented as an \fB\s-1ASN1_STRING\s0\fR -structure. Other types such as \fB\s-1ASN1_OCTET_STRING\s0\fR are simply typedefed +structure. Other types such as \fB\s-1ASN1_OCTET_STRING\s0\fR are simply typedef'ed to \fB\s-1ASN1_STRING\s0\fR and the functions call the \fB\s-1ASN1_STRING\s0\fR equivalents. \&\fB\s-1ASN1_STRING\s0\fR is also used for some \fB\s-1CHOICE\s0\fR types which consist entirely of primitive string types such as \fBDirectoryString\fR and @@ -205,8 +208,31 @@ Similar care should be take to ensure the data is in the correct format when calling \fIASN1_STRING_set()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" +\&\fIASN1_STRING_length()\fR returns the length of the content of \fBx\fR. +.PP +\&\fIASN1_STRING_get0_data()\fR and \fIASN1_STRING_data()\fR return an internal pointer to +the data of \fBx\fR. +.PP +\&\fIASN1_STRING_dup()\fR returns a valid \fB\s-1ASN1_STRING\s0\fR structure or \fB\s-1NULL\s0\fR if an +error occurred. +.PP +\&\fIASN1_STRING_cmp()\fR returns an integer greater than, equal to, or less than 0, +according to whether \fBa\fR is greater than, equal to, or less than \fBb\fR. +.PP +\&\fIASN1_STRING_set()\fR returns 1 on success or 0 on error. +.PP +\&\fIASN1_STRING_type()\fR returns the type of \fBx\fR. +.PP +\&\fIASN1_STRING_to_UTF8()\fR returns the number of bytes in output string \fBout\fR or a +negative value if an error occurred. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_STRING_new.3 b/secure/lib/libcrypto/man/ASN1_STRING_new.3 index b4bac8a706f4..af959985f97c 100644 --- a/secure/lib/libcrypto/man/ASN1_STRING_new.3 +++ b/secure/lib/libcrypto/man/ASN1_STRING_new.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ASN1_STRING_new 3" -.TH ASN1_STRING_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ASN1_STRING_NEW 3" +.TH ASN1_STRING_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ASN1_STRING_new, ASN1_STRING_type_new, ASN1_STRING_free \- -ASN1_STRING allocation functions +ASN1_STRING_new, ASN1_STRING_type_new, ASN1_STRING_free \- ASN1_STRING allocation functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -155,6 +154,7 @@ is undefined. type \fBtype\fR. .PP \&\fIASN1_STRING_free()\fR frees up \fBa\fR. +If \fBa\fR is \s-1NULL\s0 nothing is done. .SH "NOTES" .IX Header "NOTES" Other string types call the \fB\s-1ASN1_STRING\s0\fR functions. For example @@ -168,6 +168,11 @@ Other string types call the \fB\s-1ASN1_STRING\s0\fR functions. For example .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 b/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 index 76a6b29f6947..6684262df88b 100644 --- a/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 +++ b/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 @@ -128,22 +128,24 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ASN1_STRING_print_ex 3" -.TH ASN1_STRING_print_ex 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ASN1_STRING_PRINT_EX 3" +.TH ASN1_STRING_PRINT_EX 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ASN1_STRING_print_ex, ASN1_STRING_print_ex_fp, ASN1_STRING_print \- ASN1_STRING output routines. +ASN1_tag2str, ASN1_STRING_print_ex, ASN1_STRING_print_ex_fp, ASN1_STRING_print \&\- ASN1_STRING output routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags); -\& int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags); -\& int ASN1_STRING_print(BIO *out, ASN1_STRING *str); +\& int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags); +\& int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags); +\& int ASN1_STRING_print(BIO *out, const ASN1_STRING *str); +\& +\& const char *ASN1_tag2str(int tag); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -157,11 +159,14 @@ to \fBfp\fR instead. \&\fIASN1_STRING_print()\fR prints \fBstr\fR to \fBout\fR but using a different format to \&\fIASN1_STRING_print_ex()\fR. It replaces unprintable characters (other than \s-1CR, LF\s0) with '.'. +.PP +\&\fIASN1_tag2str()\fR returns a human-readable name of the specified \s-1ASN.1\s0 \fBtag\fR. .SH "NOTES" .IX Header "NOTES" -\&\fIASN1_STRING_print()\fR is a legacy function which should be avoided in new applications. +\&\fIASN1_STRING_print()\fR is a deprecated function which should be avoided; use +\&\fIASN1_STRING_print_ex()\fR instead. .PP -Although there are a large number of options frequently \fB\s-1ASN1_STRFLGS_RFC2253\s0\fR is +Although there are a large number of options frequently \fB\s-1ASN1_STRFLGS_RFC2253\s0\fR is suitable, or on \s-1UTF8\s0 terminals \fB\s-1ASN1_STRFLGS_RFC2253 &\s0 ~ASN1_STRFLGS_ESC_MSB\fR. .PP The complete set of supported options for \fBflags\fR is listed below. @@ -206,7 +211,7 @@ Normally non character string types (such as \s-1OCTET STRING\s0) are assumed to one byte per character, if \fB\s-1ASN1_STRFLGS_DUMP_UNKNOWN\s0\fR is set then they will be dumped instead. .PP -When a type is dumped normally just the content octets are printed, if +When a type is dumped normally just the content octets are printed, if \&\fB\s-1ASN1_STRFLGS_DUMP_DER\s0\fR is set then the complete encoding is dumped instead (including tag and length octets). .PP @@ -214,10 +219,23 @@ instead (including tag and length octets). equivalent to: \s-1ASN1_STRFLGS_ESC_2253\s0 | \s-1ASN1_STRFLGS_ESC_CTRL\s0 | \s-1ASN1_STRFLGS_ESC_MSB\s0 | \s-1ASN1_STRFLGS_UTF8_CONVERT\s0 | \s-1ASN1_STRFLGS_DUMP_UNKNOWN ASN1_STRFLGS_DUMP_DER\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIASN1_STRING_print_ex()\fR and \fIASN1_STRING_print_ex_fp()\fR return the number of +characters written or \-1 if an error occurred. +.PP +\&\fIASN1_STRING_print()\fR returns 1 on success or 0 on error. +.PP +\&\fIASN1_tag2str()\fR returns a human-readable name of the specified \s-1ASN.1\s0 \fBtag\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIX509_NAME_print_ex\fR\|(3), \&\fIASN1_tag2str\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_TIME_set.3 b/secure/lib/libcrypto/man/ASN1_TIME_set.3 index e9dc9c2b77e2..bc75640881fd 100644 --- a/secure/lib/libcrypto/man/ASN1_TIME_set.3 +++ b/secure/lib/libcrypto/man/ASN1_TIME_set.3 @@ -128,52 +128,110 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ASN1_TIME_set 3" -.TH ASN1_TIME_set 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ASN1_TIME_SET 3" +.TH ASN1_TIME_SET 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ASN1_TIME_set, ASN1_TIME_adj, ASN1_TIME_check, ASN1_TIME_set_string, -ASN1_TIME_print, ASN1_TIME_diff \- ASN.1 Time functions. +ASN1_TIME_set, ASN1_UTCTIME_set, ASN1_GENERALIZEDTIME_set, ASN1_TIME_adj, ASN1_UTCTIME_adj, ASN1_GENERALIZEDTIME_adj, ASN1_TIME_check, ASN1_UTCTIME_check, ASN1_GENERALIZEDTIME_check, ASN1_TIME_set_string, ASN1_UTCTIME_set_string, ASN1_GENERALIZEDTIME_set_string, ASN1_TIME_set_string_X509, ASN1_TIME_normalize, ASN1_TIME_to_tm, ASN1_TIME_print, ASN1_UTCTIME_print, ASN1_GENERALIZEDTIME_print, ASN1_TIME_diff, ASN1_TIME_cmp_time_t, ASN1_UTCTIME_cmp_time_t, ASN1_TIME_compare, ASN1_TIME_to_generalizedtime \- ASN.1 Time functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 6 +.Vb 4 \& ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t); -\& ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, -\& int offset_day, long offset_sec); -\& int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); -\& int ASN1_TIME_check(const ASN1_TIME *t); -\& int ASN1_TIME_print(BIO *b, const ASN1_TIME *s); +\& ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t); +\& ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, +\& time_t t); \& -\& int ASN1_TIME_diff(int *pday, int *psec, -\& const ASN1_TIME *from, const ASN1_TIME *to); +\& ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day, +\& long offset_sec); +\& ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, +\& int offset_day, long offset_sec); +\& ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, +\& time_t t, int offset_day, +\& long offset_sec); +\& +\& int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); +\& int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str); +\& int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str); +\& int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, +\& const char *str); +\& +\& int ASN1_TIME_normalize(ASN1_TIME *s); +\& +\& int ASN1_TIME_check(const ASN1_TIME *t); +\& int ASN1_UTCTIME_check(const ASN1_UTCTIME *t); +\& int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *t); +\& +\& int ASN1_TIME_print(BIO *b, const ASN1_TIME *s); +\& int ASN1_UTCTIME_print(BIO *b, const ASN1_UTCTIME *s); +\& int ASN1_GENERALIZEDTIME_print(BIO *b, const ASN1_GENERALIZEDTIME *s); +\& +\& int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm); +\& int ASN1_TIME_diff(int *pday, int *psec, const ASN1_TIME *from, +\& const ASN1_TIME *to); +\& +\& int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t); +\& int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t); +\& +\& int ASN1_TIME_compare(const ASN1_TIME *a, const ASN1_TIME *b); +\& +\& ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, +\& ASN1_GENERALIZEDTIME **out); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The function \fIASN1_TIME_set()\fR sets the \s-1ASN1_TIME\s0 structure \fBs\fR to the -time represented by the time_t value \fBt\fR. If \fBs\fR is \s-1NULL\s0 a new \s-1ASN1_TIME\s0 -structure is allocated and returned. +The \fIASN1_TIME_set()\fR, \fIASN1_UTCTIME_set()\fR and \fIASN1_GENERALIZEDTIME_set()\fR +functions set the structure \fBs\fR to the time represented by the time_t +value \fBt\fR. If \fBs\fR is \s-1NULL\s0 a new time structure is allocated and returned. .PP -\&\fIASN1_TIME_adj()\fR sets the \s-1ASN1_TIME\s0 structure \fBs\fR to the time represented +The \fIASN1_TIME_adj()\fR, \fIASN1_UTCTIME_adj()\fR and \fIASN1_GENERALIZEDTIME_adj()\fR +functions set the time structure \fBs\fR to the time represented by the time \fBoffset_day\fR and \fBoffset_sec\fR after the time_t value \fBt\fR. The values of \fBoffset_day\fR or \fBoffset_sec\fR can be negative to set a time before \fBt\fR. The \fBoffset_sec\fR value can also exceed the number of -seconds in a day. If \fBs\fR is \s-1NULL\s0 a new \s-1ASN1_TIME\s0 structure is allocated +seconds in a day. If \fBs\fR is \s-1NULL\s0 a new structure is allocated and returned. .PP -\&\fIASN1_TIME_set_string()\fR sets \s-1ASN1_TIME\s0 structure \fBs\fR to the time -represented by string \fBstr\fR which must be in appropriate \s-1ASN.1\s0 time -format (for example \s-1YYMMDDHHMMSSZ\s0 or \s-1YYYYMMDDHHMMSSZ\s0). +The \fIASN1_TIME_set_string()\fR, \fIASN1_UTCTIME_set_string()\fR and +\&\fIASN1_GENERALIZEDTIME_set_string()\fR functions set the time structure \fBs\fR +to the time represented by string \fBstr\fR which must be in appropriate \s-1ASN.1\s0 +time format (for example \s-1YYMMDDHHMMSSZ\s0 or \s-1YYYYMMDDHHMMSSZ\s0). If \fBs\fR is \s-1NULL\s0 +this function performs a format check on \fBstr\fR only. The string \fBstr\fR +is copied into \fBs\fR. .PP -\&\fIASN1_TIME_check()\fR checks the syntax of \s-1ASN1_TIME\s0 structure \fBs\fR. +\&\fIASN1_TIME_set_string_X509()\fR sets \s-1ASN1_TIME\s0 structure \fBs\fR to the time +represented by string \fBstr\fR which must be in appropriate time format +that \s-1RFC 5280\s0 requires, which means it only allows \s-1YYMMDDHHMMSSZ\s0 and +\&\s-1YYYYMMDDHHMMSSZ\s0 (leap second is rejected), all other \s-1ASN.1\s0 time format +are not allowed. If \fBs\fR is \s-1NULL\s0 this function performs a format check +on \fBstr\fR only. .PP -\&\fIASN1_TIME_print()\fR prints out the time \fBs\fR to \s-1BIO\s0 \fBb\fR in human readable +The \fIASN1_TIME_normalize()\fR function converts an \s-1ASN1_GENERALIZEDTIME\s0 or +\&\s-1ASN1_UTCTIME\s0 into a time value that can be used in a certificate. It +should be used after the \fIASN1_TIME_set_string()\fR functions and before +\&\fIASN1_TIME_print()\fR functions to get consistent (i.e. \s-1GMT\s0) results. +.PP +The \fIASN1_TIME_check()\fR, \fIASN1_UTCTIME_check()\fR and \fIASN1_GENERALIZEDTIME_check()\fR +functions check the syntax of the time structure \fBs\fR. +.PP +The \fIASN1_TIME_print()\fR, \fIASN1_UTCTIME_print()\fR and \fIASN1_GENERALIZEDTIME_print()\fR +functions print the time structure \fBs\fR to \s-1BIO\s0 \fBb\fR in human readable format. It will be of the format \s-1MMM DD HH:MM:SS YYYY\s0 [\s-1GMT\s0], for example \&\*(L"Feb 3 00:55:52 2015 \s-1GMT\*(R"\s0 it does not include a newline. If the time structure has invalid format it prints out \*(L"Bad time value\*(R" and returns -an error. +an error. The output for generalized time may include a fractional part +following the second. +.PP +\&\fIASN1_TIME_to_tm()\fR converts the time \fBs\fR to the standard \fBtm\fR structure. +If \fBs\fR is \s-1NULL,\s0 then the current time is converted. The output time is \s-1GMT.\s0 +The \fBtm_sec\fR, \fBtm_min\fR, \fBtm_hour\fR, \fBtm_mday\fR, \fBtm_wday\fR, \fBtm_yday\fR, +\&\fBtm_mon\fR and \fBtm_year\fR fields of \fBtm\fR structure are set to proper values, +whereas all other fields are set to 0. If \fBtm\fR is \s-1NULL\s0 this function performs +a format check on \fBs\fR only. If \fBs\fR is in Generalized format with fractional +seconds, e.g. \s-1YYYYMMDDHHMMSS.SSSZ,\s0 the fractional seconds will be lost while +converting \fBs\fR to \fBtm\fR structure. .PP \&\fIASN1_TIME_diff()\fR sets \fB*pday\fR and \fB*psec\fR to the time difference between \&\fBfrom\fR and \fBto\fR. If \fBto\fR represents a time later than \fBfrom\fR then @@ -184,6 +242,16 @@ represent the same time then \fB*pday\fR and \fB*psec\fR will both be zero. If both \fB*pday\fR and \fB*psec\fR are non-zero they will always have the same sign. The value of \fB*psec\fR will always be less than the number of seconds in a day. If \fBfrom\fR or \fBto\fR is \s-1NULL\s0 the current time is used. +.PP +The \fIASN1_TIME_cmp_time_t()\fR and \fIASN1_UTCTIME_cmp_time_t()\fR functions compare +the two times represented by the time structure \fBs\fR and the time_t \fBt\fR. +.PP +The \fIASN1_TIME_compare()\fR function compares the two times represented by the +time structures \fBa\fR and \fBb\fR. +.PP +The \fIASN1_TIME_to_generalizedtime()\fR function converts an \s-1ASN1_TIME\s0 to an +\&\s-1ASN1_GENERALIZEDTIME,\s0 regardless of year. If either \fBout\fR or +\&\fB*out\fR are \s-1NULL,\s0 then a new object is allocated and must be freed after use. .SH "NOTES" .IX Header "NOTES" The \s-1ASN1_TIME\s0 structure corresponds to the \s-1ASN.1\s0 structure \fBTime\fR @@ -191,34 +259,51 @@ defined in \s-1RFC5280\s0 et al. The time setting functions obey the rules outli in \s-1RFC5280:\s0 if the date can be represented by UTCTime it is used, else GeneralizedTime is used. .PP -The \s-1ASN1_TIME\s0 structure is represented as an \s-1ASN1_STRING\s0 internally and can -be freed up using \fIASN1_STRING_free()\fR. +The \s-1ASN1_TIME, ASN1_UTCTIME\s0 and \s-1ASN1_GENERALIZEDTIME\s0 structures are represented +as an \s-1ASN1_STRING\s0 internally and can be freed up using \fIASN1_STRING_free()\fR. .PP The \s-1ASN1_TIME\s0 structure can represent years from 0000 to 9999 but no attempt is made to correct ancient calendar changes (for example from Julian to Gregorian calendars). .PP +\&\s-1ASN1_UTCTIME\s0 is limited to a year range of 1950 through 2049. +.PP Some applications add offset times directly to a time_t value and pass the results to \fIASN1_TIME_set()\fR (or equivalent). This can cause problems as the time_t value can overflow on some systems resulting in unexpected results. New applications should use \fIASN1_TIME_adj()\fR instead and pass the offset value in the \fBoffset_sec\fR and \fBoffset_day\fR parameters instead of directly manipulating a time_t value. +.PP +\&\fIASN1_TIME_adj()\fR may change the type from \s-1ASN1_GENERALIZEDTIME\s0 to \s-1ASN1_UTCTIME,\s0 +or vice versa, based on the resulting year. The \fIASN1_GENERALIZEDTIME_adj()\fR and +\&\fIASN1_UTCTIME_adj()\fR functions will not modify the type of the return structure. +.PP +It is recommended that functions starting with \s-1ASN1_TIME\s0 be used instead of +those starting with \s-1ASN1_UTCTIME\s0 or \s-1ASN1_GENERALIZEDTIME.\s0 The functions +starting with \s-1ASN1_UTCTIME\s0 and \s-1ASN1_GENERALIZEDTIME\s0 act only on that specific +time format. The functions starting with \s-1ASN1_TIME\s0 will operate on either +format. .SH "BUGS" .IX Header "BUGS" -\&\fIASN1_TIME_print()\fR currently does not print out the time zone: it either prints -out \*(L"\s-1GMT\*(R"\s0 or nothing. But all certificates complying with \s-1RFC5280\s0 et al use \s-1GMT\s0 -anyway. +\&\fIASN1_TIME_print()\fR, \fIASN1_UTCTIME_print()\fR and \fIASN1_GENERALIZEDTIME_print()\fR +do not print out the time zone: it either prints out \*(L"\s-1GMT\*(R"\s0 or nothing. But all +certificates complying with \s-1RFC5280\s0 et al use \s-1GMT\s0 anyway. +.PP +Use the \fIASN1_TIME_normalize()\fR function to normalize the time value before +printing to get \s-1GMT\s0 results. .SH "EXAMPLES" .IX Header "EXAMPLES" Set a time structure to one hour after the current time and print it out: .PP -.Vb 11 +.Vb 2 \& #include \& #include +\& \& ASN1_TIME *tm; \& time_t t; \& BIO *b; +\& \& t = time(NULL); \& tm = ASN1_TIME_adj(NULL, t, 0, 60 * 60); \& b = BIO_new_fp(stdout, BIO_NOCLOSE); @@ -233,28 +318,59 @@ Determine if one time is later or sooner than the current time: \& int day, sec; \& \& if (!ASN1_TIME_diff(&day, &sec, NULL, to)) -\& /* Invalid time format */ +\& /* Invalid time format */ \& \& if (day > 0 || sec > 0) -\& printf("Later\en"); +\& printf("Later\en"); \& else if (day < 0 || sec < 0) -\& printf("Sooner\en"); +\& printf("Sooner\en"); \& else -\& printf("Same\en"); +\& printf("Same\en"); .Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIASN1_TIME_set()\fR and \fIASN1_TIME_adj()\fR return a pointer to an \s-1ASN1_TIME\s0 structure +\&\fIASN1_TIME_set()\fR, \fIASN1_UTCTIME_set()\fR, \fIASN1_GENERALIZEDTIME_set()\fR, \fIASN1_TIME_adj()\fR, +ASN1_UTCTIME_adj and ASN1_GENERALIZEDTIME_set return a pointer to a time structure or \s-1NULL\s0 if an error occurred. .PP -\&\fIASN1_TIME_set_string()\fR returns 1 if the time value is successfully set and -0 otherwise. +\&\fIASN1_TIME_set_string()\fR, \fIASN1_UTCTIME_set_string()\fR, \fIASN1_GENERALIZEDTIME_set_string()\fR +\&\fIASN1_TIME_set_string_X509()\fR return 1 if the time value is successfully set and 0 otherwise. .PP -\&\fIASN1_TIME_check()\fR returns 1 if the structure is syntactically correct and 0 -otherwise. +\&\fIASN1_TIME_normalize()\fR returns 1 on success, and 0 on error. .PP -\&\fIASN1_TIME_print()\fR returns 1 if the time is successfully printed out and 0 if -an error occurred (I/O error or invalid time format). +\&\fIASN1_TIME_check()\fR, ASN1_UTCTIME_check and \fIASN1_GENERALIZEDTIME_check()\fR return 1 +if the structure is syntactically correct and 0 otherwise. .PP -\&\fIASN1_TIME_diff()\fR returns 1 for sucess and 0 for failure. It can fail if the -pass \s-1ASN1_TIME\s0 structure has invalid syntax for example. +\&\fIASN1_TIME_print()\fR, \fIASN1_UTCTIME_print()\fR and \fIASN1_GENERALIZEDTIME_print()\fR return 1 +if the time is successfully printed out and 0 if an error occurred (I/O error or +invalid time format). +.PP +\&\fIASN1_TIME_to_tm()\fR returns 1 if the time is successfully parsed and 0 if an +error occurred (invalid time format). +.PP +\&\fIASN1_TIME_diff()\fR returns 1 for success and 0 for failure. It can fail if the +passed-in time structure has invalid syntax, for example. +.PP +\&\fIASN1_TIME_cmp_time_t()\fR and \fIASN1_UTCTIME_cmp_time_t()\fR return \-1 if \fBs\fR is +before \fBt\fR, 0 if \fBs\fR equals \fBt\fR, or 1 if \fBs\fR is after \fBt\fR. \-2 is returned +on error. +.PP +\&\fIASN1_TIME_compare()\fR returns \-1 if \fBa\fR is before \fBb\fR, 0 if \fBa\fR equals \fBb\fR, or 1 if \fBa\fR is after \fBb\fR. \-2 is returned on error. +.PP +\&\fIASN1_TIME_to_generalizedtime()\fR returns a pointer to +the appropriate time structure on success or \s-1NULL\s0 if an error occurred. +.SH "HISTORY" +.IX Header "HISTORY" +The \fIASN1_TIME_to_tm()\fR function was added in OpenSSL 1.1.1. +The \fIASN1_TIME_set_string_X509()\fR function was added in OpenSSL 1.1.1. +The \fIASN1_TIME_normalize()\fR function was added in OpenSSL 1.1.1. +The \fIASN1_TIME_cmp_time_t()\fR function was added in OpenSSL 1.1.1. +The \fIASN1_TIME_compare()\fR function was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_TYPE_get.3 b/secure/lib/libcrypto/man/ASN1_TYPE_get.3 new file mode 100644 index 000000000000..20f8be910001 --- /dev/null +++ b/secure/lib/libcrypto/man/ASN1_TYPE_get.3 @@ -0,0 +1,227 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ASN1_TYPE_GET 3" +.TH ASN1_TYPE_GET 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ASN1_TYPE_get, ASN1_TYPE_set, ASN1_TYPE_set1, ASN1_TYPE_cmp, ASN1_TYPE_unpack_sequence, ASN1_TYPE_pack_sequence \- ASN1_TYPE utility functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int ASN1_TYPE_get(const ASN1_TYPE *a); +\& void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); +\& int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value); +\& int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); +\& +\& void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t); +\& ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, +\& ASN1_TYPE **t); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions allow an \s-1ASN1_TYPE\s0 structure to be manipulated. The +\&\s-1ASN1_TYPE\s0 structure can contain any \s-1ASN.1\s0 type or constructed type +such as a \s-1SEQUENCE:\s0 it is effectively equivalent to the \s-1ASN.1 ANY\s0 type. +.PP +\&\fIASN1_TYPE_get()\fR returns the type of \fBa\fR. +.PP +\&\fIASN1_TYPE_set()\fR sets the value of \fBa\fR to \fBtype\fR and \fBvalue\fR. This +function uses the pointer \fBvalue\fR internally so it must \fBnot\fR be freed +up after the call. +.PP +\&\fIASN1_TYPE_set1()\fR sets the value of \fBa\fR to \fBtype\fR a copy of \fBvalue\fR. +.PP +\&\fIASN1_TYPE_cmp()\fR compares \s-1ASN.1\s0 types \fBa\fR and \fBb\fR and returns 0 if +they are identical and non-zero otherwise. +.PP +\&\fIASN1_TYPE_unpack_sequence()\fR attempts to parse the \s-1SEQUENCE\s0 present in +\&\fBt\fR using the \s-1ASN.1\s0 structure \fBit\fR. If successful it returns a pointer +to the \s-1ASN.1\s0 structure corresponding to \fBit\fR which must be freed by the +caller. If it fails it return \s-1NULL.\s0 +.PP +\&\fIASN1_TYPE_pack_sequence()\fR attempts to encode the \s-1ASN.1\s0 structure \fBs\fR +corresponding to \fBit\fR into an \s-1ASN1_TYPE.\s0 If successful the encoded +\&\s-1ASN1_TYPE\s0 is returned. If \fBt\fR and \fB*t\fR are not \s-1NULL\s0 the encoded type +is written to \fBt\fR overwriting any existing data. If \fBt\fR is not \s-1NULL\s0 +but \fB*t\fR is \s-1NULL\s0 the returned \s-1ASN1_TYPE\s0 is written to \fB*t\fR. +.SH "NOTES" +.IX Header "NOTES" +The type and meaning of the \fBvalue\fR parameter for \fIASN1_TYPE_set()\fR and +\&\fIASN1_TYPE_set1()\fR is determined by the \fBtype\fR parameter. +If \fBtype\fR is V_ASN1_NULL \fBvalue\fR is ignored. If \fBtype\fR is V_ASN1_BOOLEAN +then the boolean is set to \s-1TRUE\s0 if \fBvalue\fR is not \s-1NULL.\s0 If \fBtype\fR is +V_ASN1_OBJECT then value is an \s-1ASN1_OBJECT\s0 structure. Otherwise \fBtype\fR +is and \s-1ASN1_STRING\s0 structure. If \fBtype\fR corresponds to a primitive type +(or a string type) then the contents of the \s-1ASN1_STRING\s0 contain the content +octets of the type. If \fBtype\fR corresponds to a constructed type or +a tagged type (V_ASN1_SEQUENCE, V_ASN1_SET or V_ASN1_OTHER) then the +\&\s-1ASN1_STRING\s0 contains the entire \s-1ASN.1\s0 encoding verbatim (including tag and +length octets). +.PP +\&\fIASN1_TYPE_cmp()\fR may not return zero if two types are equivalent but have +different encodings. For example the single content octet of the boolean \s-1TRUE\s0 +value under \s-1BER\s0 can have any non-zero encoding but \fIASN1_TYPE_cmp()\fR will +only return zero if the values are the same. +.PP +If either or both of the parameters passed to \fIASN1_TYPE_cmp()\fR is \s-1NULL\s0 the +return value is non-zero. Technically if both parameters are \s-1NULL\s0 the two +types could be absent \s-1OPTIONAL\s0 fields and so should match, however passing +\&\s-1NULL\s0 values could also indicate a programming error (for example an +unparseable type which returns \s-1NULL\s0) for types which do \fBnot\fR match. So +applications should handle the case of two absent values separately. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIASN1_TYPE_get()\fR returns the type of the \s-1ASN1_TYPE\s0 argument. +.PP +\&\fIASN1_TYPE_set()\fR does not return a value. +.PP +\&\fIASN1_TYPE_set1()\fR returns 1 for success and 0 for failure. +.PP +\&\fIASN1_TYPE_cmp()\fR returns 0 if the types are identical and non-zero otherwise. +.PP +\&\fIASN1_TYPE_unpack_sequence()\fR returns a pointer to an \s-1ASN.1\s0 structure or +\&\s-1NULL\s0 on failure. +.PP +\&\fIASN1_TYPE_pack_sequence()\fR return an \s-1ASN1_TYPE\s0 structure if it succeeds or +\&\s-1NULL\s0 on failure. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASN1_generate_nconf.3 b/secure/lib/libcrypto/man/ASN1_generate_nconf.3 index d0bf6ab5d2b4..192463e9dbcc 100644 --- a/secure/lib/libcrypto/man/ASN1_generate_nconf.3 +++ b/secure/lib/libcrypto/man/ASN1_generate_nconf.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ASN1_generate_nconf 3" -.TH ASN1_generate_nconf 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ASN1_GENERATE_NCONF 3" +.TH ASN1_GENERATE_NCONF 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,8 +141,8 @@ ASN1_generate_nconf, ASN1_generate_v3 \- ASN1 generation functions .Vb 1 \& #include \& -\& ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf); -\& ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf); +\& ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf); +\& ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -152,7 +152,7 @@ in an \fB\s-1ASN1_TYPE\s0\fR structure. \&\fBstr\fR contains the string to encode \fBnconf\fR or \fBcnf\fR contains the optional configuration information where additional strings will be read from. \fBnconf\fR will typically come from a config -file wherease \fBcnf\fR is obtained from an \fBX509V3_CTX\fR structure +file whereas \fBcnf\fR is obtained from an \fBX509V3_CTX\fR structure which will typically be used by X509 v3 certificate extension functions. \fBcnf\fR or \fBnconf\fR can be set to \fB\s-1NULL\s0\fR if no additional configuration will be used. @@ -161,53 +161,53 @@ configuration will be used. The actual data encoded is determined by the string \fBstr\fR and the configuration information. The general format of the string is: -.IP "\fB[modifier,]type[:value]\fR" 2 +.IP "\fB[modifier,]type[:value]\fR" 4 .IX Item "[modifier,]type[:value]" .PP That is zero or more comma separated modifiers followed by a type followed by an optional colon and a value. The formats of \fBtype\fR, \&\fBvalue\fR and \fBmodifier\fR are explained below. -.SS "\s-1SUPPORTED TYPES\s0" -.IX Subsection "SUPPORTED TYPES" +.SS "Supported Types" +.IX Subsection "Supported Types" The supported types are listed below. Unless otherwise specified only the \fB\s-1ASCII\s0\fR format is permissible. -.IP "\fB\s-1BOOLEAN\s0\fR, \fB\s-1BOOL\s0\fR" 2 +.IP "\fB\s-1BOOLEAN\s0\fR, \fB\s-1BOOL\s0\fR" 4 .IX Item "BOOLEAN, BOOL" This encodes a boolean type. The \fBvalue\fR string is mandatory and should be \fB\s-1TRUE\s0\fR or \fB\s-1FALSE\s0\fR. Additionally \fB\s-1TRUE\s0\fR, \fBtrue\fR, \fBY\fR, \&\fBy\fR, \fB\s-1YES\s0\fR, \fByes\fR, \fB\s-1FALSE\s0\fR, \fBfalse\fR, \fBN\fR, \fBn\fR, \fB\s-1NO\s0\fR and \fBno\fR are acceptable. -.IP "\fB\s-1NULL\s0\fR" 2 +.IP "\fB\s-1NULL\s0\fR" 4 .IX Item "NULL" Encode the \fB\s-1NULL\s0\fR type, the \fBvalue\fR string must not be present. -.IP "\fB\s-1INTEGER\s0\fR, \fB\s-1INT\s0\fR" 2 +.IP "\fB\s-1INTEGER\s0\fR, \fB\s-1INT\s0\fR" 4 .IX Item "INTEGER, INT" Encodes an \s-1ASN1\s0 \fB\s-1INTEGER\s0\fR type. The \fBvalue\fR string represents the value of the integer, it can be prefaced by a minus sign and is normally interpreted as a decimal value unless the prefix \fB0x\fR is included. -.IP "\fB\s-1ENUMERATED\s0\fR, \fB\s-1ENUM\s0\fR" 2 +.IP "\fB\s-1ENUMERATED\s0\fR, \fB\s-1ENUM\s0\fR" 4 .IX Item "ENUMERATED, ENUM" Encodes the \s-1ASN1\s0 \fB\s-1ENUMERATED\s0\fR type, it is otherwise identical to \&\fB\s-1INTEGER\s0\fR. -.IP "\fB\s-1OBJECT\s0\fR, \fB\s-1OID\s0\fR" 2 +.IP "\fB\s-1OBJECT\s0\fR, \fB\s-1OID\s0\fR" 4 .IX Item "OBJECT, OID" Encodes an \s-1ASN1\s0 \fB\s-1OBJECT IDENTIFIER\s0\fR, the \fBvalue\fR string can be a short name, a long name or numerical format. -.IP "\fB\s-1UTCTIME\s0\fR, \fB\s-1UTC\s0\fR" 2 +.IP "\fB\s-1UTCTIME\s0\fR, \fB\s-1UTC\s0\fR" 4 .IX Item "UTCTIME, UTC" Encodes an \s-1ASN1\s0 \fBUTCTime\fR structure, the value should be in the format \fB\s-1YYMMDDHHMMSSZ\s0\fR. -.IP "\fB\s-1GENERALIZEDTIME\s0\fR, \fB\s-1GENTIME\s0\fR" 2 +.IP "\fB\s-1GENERALIZEDTIME\s0\fR, \fB\s-1GENTIME\s0\fR" 4 .IX Item "GENERALIZEDTIME, GENTIME" Encodes an \s-1ASN1\s0 \fBGeneralizedTime\fR structure, the value should be in the format \fB\s-1YYYYMMDDHHMMSSZ\s0\fR. -.IP "\fB\s-1OCTETSTRING\s0\fR, \fB\s-1OCT\s0\fR" 2 +.IP "\fB\s-1OCTETSTRING\s0\fR, \fB\s-1OCT\s0\fR" 4 .IX Item "OCTETSTRING, OCT" Encodes an \s-1ASN1\s0 \fB\s-1OCTET STRING\s0\fR. \fBvalue\fR represents the contents of this structure, the format strings \fB\s-1ASCII\s0\fR and \fB\s-1HEX\s0\fR can be used to specify the format of \fBvalue\fR. -.IP "\fB\s-1BITSTRING\s0\fR, \fB\s-1BITSTR\s0\fR" 2 +.IP "\fB\s-1BITSTRING\s0\fR, \fB\s-1BITSTR\s0\fR" 4 .IX Item "BITSTRING, BITSTR" Encodes an \s-1ASN1\s0 \fB\s-1BIT STRING\s0\fR. \fBvalue\fR represents the contents of this structure, the format strings \fB\s-1ASCII\s0\fR, \fB\s-1HEX\s0\fR and \fB\s-1BITLIST\s0\fR @@ -215,24 +215,24 @@ can be used to specify the format of \fBvalue\fR. .Sp If the format is anything other than \fB\s-1BITLIST\s0\fR the number of unused bits is set to zero. -.IP "\fB\s-1UNIVERSALSTRING\s0\fR, \fB\s-1UNIV\s0\fR, \fB\s-1IA5\s0\fR, \fB\s-1IA5STRING\s0\fR, \fB\s-1UTF8\s0\fR, \fBUTF8String\fR, \fB\s-1BMP\s0\fR, \fB\s-1BMPSTRING\s0\fR, \fB\s-1VISIBLESTRING\s0\fR, \fB\s-1VISIBLE\s0\fR, \fB\s-1PRINTABLESTRING\s0\fR, \fB\s-1PRINTABLE\s0\fR, \fBT61\fR, \fBT61STRING\fR, \fB\s-1TELETEXSTRING\s0\fR, \fBGeneralString\fR, \fB\s-1NUMERICSTRING\s0\fR, \fB\s-1NUMERIC\s0\fR" 2 +.IP "\fB\s-1UNIVERSALSTRING\s0\fR, \fB\s-1UNIV\s0\fR, \fB\s-1IA5\s0\fR, \fB\s-1IA5STRING\s0\fR, \fB\s-1UTF8\s0\fR, \fBUTF8String\fR, \fB\s-1BMP\s0\fR, \fB\s-1BMPSTRING\s0\fR, \fB\s-1VISIBLESTRING\s0\fR, \fB\s-1VISIBLE\s0\fR, \fB\s-1PRINTABLESTRING\s0\fR, \fB\s-1PRINTABLE\s0\fR, \fBT61\fR, \fBT61STRING\fR, \fB\s-1TELETEXSTRING\s0\fR, \fBGeneralString\fR, \fB\s-1NUMERICSTRING\s0\fR, \fB\s-1NUMERIC\s0\fR" 4 .IX Item "UNIVERSALSTRING, UNIV, IA5, IA5STRING, UTF8, UTF8String, BMP, BMPSTRING, VISIBLESTRING, VISIBLE, PRINTABLESTRING, PRINTABLE, T61, T61STRING, TELETEXSTRING, GeneralString, NUMERICSTRING, NUMERIC" These encode the corresponding string types. \fBvalue\fR represents the contents of this structure. The format can be \fB\s-1ASCII\s0\fR or \fB\s-1UTF8\s0\fR. -.IP "\fB\s-1SEQUENCE\s0\fR, \fB\s-1SEQ\s0\fR, \fB\s-1SET\s0\fR" 2 +.IP "\fB\s-1SEQUENCE\s0\fR, \fB\s-1SEQ\s0\fR, \fB\s-1SET\s0\fR" 4 .IX Item "SEQUENCE, SEQ, SET" Formats the result as an \s-1ASN1\s0 \fB\s-1SEQUENCE\s0\fR or \fB\s-1SET\s0\fR type. \fBvalue\fR should be a section name which will contain the contents. The field names in the section are ignored and the values are in the generated string format. If \fBvalue\fR is absent then an empty \s-1SEQUENCE\s0 will be encoded. -.SS "\s-1MODIFIERS\s0" -.IX Subsection "MODIFIERS" +.SS "Modifiers" +.IX Subsection "Modifiers" Modifiers affect the following structure, they can be used to add \s-1EXPLICIT\s0 or \s-1IMPLICIT\s0 tagging, add wrappers or to change the string format of the final type and value. The supported formats are documented below. -.IP "\fB\s-1EXPLICIT\s0\fR, \fB\s-1EXP\s0\fR" 2 +.IP "\fB\s-1EXPLICIT\s0\fR, \fB\s-1EXP\s0\fR" 4 .IX Item "EXPLICIT, EXP" Add an explicit tag to the following structure. This string should be followed by a colon and the tag value to use as a @@ -241,16 +241,16 @@ decimal value. By following the number with \fBU\fR, \fBA\fR, \fBP\fR or \fBC\fR \s-1UNIVERSAL, APPLICATION, PRIVATE\s0 or \s-1CONTEXT SPECIFIC\s0 tagging can be used, the default is \s-1CONTEXT SPECIFIC.\s0 -.IP "\fB\s-1IMPLICIT\s0\fR, \fB\s-1IMP\s0\fR" 2 +.IP "\fB\s-1IMPLICIT\s0\fR, \fB\s-1IMP\s0\fR" 4 .IX Item "IMPLICIT, IMP" This is the same as \fB\s-1EXPLICIT\s0\fR except \s-1IMPLICIT\s0 tagging is used instead. -.IP "\fB\s-1OCTWRAP\s0\fR, \fB\s-1SEQWRAP\s0\fR, \fB\s-1SETWRAP\s0\fR, \fB\s-1BITWRAP\s0\fR" 2 +.IP "\fB\s-1OCTWRAP\s0\fR, \fB\s-1SEQWRAP\s0\fR, \fB\s-1SETWRAP\s0\fR, \fB\s-1BITWRAP\s0\fR" 4 .IX Item "OCTWRAP, SEQWRAP, SETWRAP, BITWRAP" The following structure is surrounded by an \s-1OCTET STRING,\s0 a \s-1SEQUENCE,\s0 a \s-1SET\s0 or a \s-1BIT STRING\s0 respectively. For a \s-1BIT STRING\s0 the number of unused bits is set to zero. -.IP "\fB\s-1FORMAT\s0\fR" 2 +.IP "\fB\s-1FORMAT\s0\fR" 4 .IX Item "FORMAT" This specifies the format of the ultimate value. It should be followed by a colon and one of the strings \fB\s-1ASCII\s0\fR, \fB\s-1UTF8\s0\fR, \fB\s-1HEX\s0\fR or \fB\s-1BITLIST\s0\fR. @@ -287,7 +287,7 @@ A \s-1BITSTRING\s0 with bits 1 and 5 set and all others zero: .Ve .PP A more complex example using a config file to produce a -\&\s-1SEQUENCE\s0 consiting of a \s-1BOOL\s0 an \s-1OID\s0 and a UTF8String: +\&\s-1SEQUENCE\s0 consisting of a \s-1BOOL\s0 an \s-1OID\s0 and a UTF8String: .PP .Vb 1 \& asn1 = SEQUENCE:seq_section @@ -367,6 +367,11 @@ The error codes that can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIASN1_generate_nconf()\fR and \fIASN1_generate_v3()\fR were added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASYNC_WAIT_CTX_new.3 b/secure/lib/libcrypto/man/ASYNC_WAIT_CTX_new.3 new file mode 100644 index 000000000000..3c4d63ec93d7 --- /dev/null +++ b/secure/lib/libcrypto/man/ASYNC_WAIT_CTX_new.3 @@ -0,0 +1,266 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ASYNC_WAIT_CTX_NEW 3" +.TH ASYNC_WAIT_CTX_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ASYNC_WAIT_CTX_new, ASYNC_WAIT_CTX_free, ASYNC_WAIT_CTX_set_wait_fd, ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds, ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd \- functions to manage waiting for asynchronous jobs to complete +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& ASYNC_WAIT_CTX *ASYNC_WAIT_CTX_new(void); +\& void ASYNC_WAIT_CTX_free(ASYNC_WAIT_CTX *ctx); +\& int ASYNC_WAIT_CTX_set_wait_fd(ASYNC_WAIT_CTX *ctx, const void *key, +\& OSSL_ASYNC_FD fd, +\& void *custom_data, +\& void (*cleanup)(ASYNC_WAIT_CTX *, const void *, +\& OSSL_ASYNC_FD, void *)); +\& int ASYNC_WAIT_CTX_get_fd(ASYNC_WAIT_CTX *ctx, const void *key, +\& OSSL_ASYNC_FD *fd, void **custom_data); +\& int ASYNC_WAIT_CTX_get_all_fds(ASYNC_WAIT_CTX *ctx, OSSL_ASYNC_FD *fd, +\& size_t *numfds); +\& int ASYNC_WAIT_CTX_get_changed_fds(ASYNC_WAIT_CTX *ctx, OSSL_ASYNC_FD *addfd, +\& size_t *numaddfds, OSSL_ASYNC_FD *delfd, +\& size_t *numdelfds); +\& int ASYNC_WAIT_CTX_clear_fd(ASYNC_WAIT_CTX *ctx, const void *key); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +For an overview of how asynchronous operations are implemented in OpenSSL see +\&\fIASYNC_start_job\fR\|(3). An \s-1ASYNC_WAIT_CTX\s0 object represents an asynchronous +\&\*(L"session\*(R", i.e. a related set of crypto operations. For example in \s-1SSL\s0 terms +this would have a one-to-one correspondence with an \s-1SSL\s0 connection. +.PP +Application code must create an \s-1ASYNC_WAIT_CTX\s0 using the \fIASYNC_WAIT_CTX_new()\fR +function prior to calling \fIASYNC_start_job()\fR (see \fIASYNC_start_job\fR\|(3)). When +the job is started it is associated with the \s-1ASYNC_WAIT_CTX\s0 for the duration of +that job. An \s-1ASYNC_WAIT_CTX\s0 should only be used for one \s-1ASYNC_JOB\s0 at any one +time, but can be reused after an \s-1ASYNC_JOB\s0 has finished for a subsequent +\&\s-1ASYNC_JOB.\s0 When the session is complete (e.g. the \s-1SSL\s0 connection is closed), +application code cleans up with \fIASYNC_WAIT_CTX_free()\fR. +.PP +ASYNC_WAIT_CTXs can have \*(L"wait\*(R" file descriptors associated with them. Calling +\&\fIASYNC_WAIT_CTX_get_all_fds()\fR and passing in a pointer to an \s-1ASYNC_WAIT_CTX\s0 in +the \fBctx\fR parameter will return the wait file descriptors associated with that +job in \fB*fd\fR. The number of file descriptors returned will be stored in +\&\fB*numfds\fR. It is the caller's responsibility to ensure that sufficient memory +has been allocated in \fB*fd\fR to receive all the file descriptors. Calling +\&\fIASYNC_WAIT_CTX_get_all_fds()\fR with a \s-1NULL\s0 \fBfd\fR value will return no file +descriptors but will still populate \fB*numfds\fR. Therefore application code is +typically expected to call this function twice: once to get the number of fds, +and then again when sufficient memory has been allocated. If only one +asynchronous engine is being used then normally this call will only ever return +one fd. If multiple asynchronous engines are being used then more could be +returned. +.PP +The function \fIASYNC_WAIT_CTX_get_changed_fds()\fR can be used to detect if any fds +have changed since the last call time \fIASYNC_start_job()\fR returned an \s-1ASYNC_PAUSE\s0 +result (or since the \s-1ASYNC_WAIT_CTX\s0 was created if no \s-1ASYNC_PAUSE\s0 result has +been received). The \fBnumaddfds\fR and \fBnumdelfds\fR parameters will be populated +with the number of fds added or deleted respectively. \fB*addfd\fR and \fB*delfd\fR +will be populated with the list of added and deleted fds respectively. Similarly +to \fIASYNC_WAIT_CTX_get_all_fds()\fR either of these can be \s-1NULL,\s0 but if they are not +\&\s-1NULL\s0 then the caller is responsible for ensuring sufficient memory is allocated. +.PP +Implementors of async aware code (e.g. engines) are encouraged to return a +stable fd for the lifetime of the \s-1ASYNC_WAIT_CTX\s0 in order to reduce the \*(L"churn\*(R" +of regularly changing fds \- although no guarantees of this are provided to +applications. +.PP +Applications can wait for the file descriptor to be ready for \*(L"read\*(R" using a +system function call such as select or poll (being ready for \*(L"read\*(R" indicates +that the job should be resumed). If no file descriptor is made available then an +application will have to periodically \*(L"poll\*(R" the job by attempting to restart it +to see if it is ready to continue. +.PP +Async aware code (e.g. engines) can get the current \s-1ASYNC_WAIT_CTX\s0 from the job +via \fIASYNC_get_wait_ctx\fR\|(3) and provide a file descriptor to use for waiting +on by calling \fIASYNC_WAIT_CTX_set_wait_fd()\fR. Typically this would be done by an +engine immediately prior to calling \fIASYNC_pause_job()\fR and not by end user code. +An existing association with a file descriptor can be obtained using +\&\fIASYNC_WAIT_CTX_get_fd()\fR and cleared using \fIASYNC_WAIT_CTX_clear_fd()\fR. Both of +these functions requires a \fBkey\fR value which is unique to the async aware +code. This could be any unique value but a good candidate might be the +\&\fB\s-1ENGINE\s0 *\fR for the engine. The \fBcustom_data\fR parameter can be any value, and +will be returned in a subsequent call to \fIASYNC_WAIT_CTX_get_fd()\fR. The +\&\fIASYNC_WAIT_CTX_set_wait_fd()\fR function also expects a pointer to a \*(L"cleanup\*(R" +routine. This can be \s-1NULL\s0 but if provided will automatically get called when +the \s-1ASYNC_WAIT_CTX\s0 is freed, and gives the engine the opportunity to close the +fd or any other resources. Note: The \*(L"cleanup\*(R" routine does not get called if +the fd is cleared directly via a call to \fIASYNC_WAIT_CTX_clear_fd()\fR. +.PP +An example of typical usage might be an async capable engine. User code would +initiate cryptographic operations. The engine would initiate those operations +asynchronously and then call \fIASYNC_WAIT_CTX_set_wait_fd()\fR followed by +\&\fIASYNC_pause_job()\fR to return control to the user code. The user code can then +perform other tasks or wait for the job to be ready by calling \*(L"select\*(R" or other +similar function on the wait file descriptor. The engine can signal to the user +code that the job should be resumed by making the wait file descriptor +\&\*(L"readable\*(R". Once resumed the engine should clear the wake signal on the wait +file descriptor. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIASYNC_WAIT_CTX_new()\fR returns a pointer to the newly allocated \s-1ASYNC_WAIT_CTX\s0 or +\&\s-1NULL\s0 on error. +.PP +ASYNC_WAIT_CTX_set_wait_fd, ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds, +ASYNC_WAIT_CTX_get_changed_fds and ASYNC_WAIT_CTX_clear_fd all return 1 on +success or 0 on error. +.SH "NOTES" +.IX Header "NOTES" +On Windows platforms the openssl/async.h header is dependent on some +of the types customarily made available by including windows.h. The +application developer is likely to require control over when the latter +is included, commonly as one of the first included headers. Therefore +it is defined as an application developer's responsibility to include +windows.h prior to async.h. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrypto\fR\|(7), \fIASYNC_start_job\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +ASYNC_WAIT_CTX_new, ASYNC_WAIT_CTX_free, ASYNC_WAIT_CTX_set_wait_fd, +ASYNC_WAIT_CTX_get_fd, ASYNC_WAIT_CTX_get_all_fds, +ASYNC_WAIT_CTX_get_changed_fds, ASYNC_WAIT_CTX_clear_fd were first added to +OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ASYNC_start_job.3 b/secure/lib/libcrypto/man/ASYNC_start_job.3 new file mode 100644 index 000000000000..e788935f7746 --- /dev/null +++ b/secure/lib/libcrypto/man/ASYNC_start_job.3 @@ -0,0 +1,449 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ASYNC_START_JOB 3" +.TH ASYNC_START_JOB 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ASYNC_get_wait_ctx, ASYNC_init_thread, ASYNC_cleanup_thread, ASYNC_start_job, ASYNC_pause_job, ASYNC_get_current_job, ASYNC_block_pause, ASYNC_unblock_pause, ASYNC_is_capable \&\- asynchronous job management functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int ASYNC_init_thread(size_t max_size, size_t init_size); +\& void ASYNC_cleanup_thread(void); +\& +\& int ASYNC_start_job(ASYNC_JOB **job, ASYNC_WAIT_CTX *ctx, int *ret, +\& int (*func)(void *), void *args, size_t size); +\& int ASYNC_pause_job(void); +\& +\& ASYNC_JOB *ASYNC_get_current_job(void); +\& ASYNC_WAIT_CTX *ASYNC_get_wait_ctx(ASYNC_JOB *job); +\& void ASYNC_block_pause(void); +\& void ASYNC_unblock_pause(void); +\& +\& int ASYNC_is_capable(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +OpenSSL implements asynchronous capabilities through an \s-1ASYNC_JOB.\s0 This +represents code that can be started and executes until some event occurs. At +that point the code can be paused and control returns to user code until some +subsequent event indicates that the job can be resumed. +.PP +The creation of an \s-1ASYNC_JOB\s0 is a relatively expensive operation. Therefore, for +efficiency reasons, jobs can be created up front and reused many times. They are +held in a pool until they are needed, at which point they are removed from the +pool, used, and then returned to the pool when the job completes. If the user +application is multi-threaded, then \fIASYNC_init_thread()\fR may be called for each +thread that will initiate asynchronous jobs. Before +user code exits per-thread resources need to be cleaned up. This will normally +occur automatically (see \fIOPENSSL_init_crypto\fR\|(3)) but may be explicitly +initiated by using \fIASYNC_cleanup_thread()\fR. No asynchronous jobs must be +outstanding for the thread when \fIASYNC_cleanup_thread()\fR is called. Failing to +ensure this will result in memory leaks. +.PP +The \fBmax_size\fR argument limits the number of ASYNC_JOBs that will be held in +the pool. If \fBmax_size\fR is set to 0 then no upper limit is set. When an +\&\s-1ASYNC_JOB\s0 is needed but there are none available in the pool already then one +will be automatically created, as long as the total of ASYNC_JOBs managed by the +pool does not exceed \fBmax_size\fR. When the pool is first initialised +\&\fBinit_size\fR ASYNC_JOBs will be created immediately. If \fIASYNC_init_thread()\fR is +not called before the pool is first used then it will be called automatically +with a \fBmax_size\fR of 0 (no upper limit) and an \fBinit_size\fR of 0 (no ASYNC_JOBs +created up front). +.PP +An asynchronous job is started by calling the \fIASYNC_start_job()\fR function. +Initially \fB*job\fR should be \s-1NULL.\s0 \fBctx\fR should point to an \s-1ASYNC_WAIT_CTX\s0 +object created through the \fIASYNC_WAIT_CTX_new\fR\|(3) function. \fBret\fR should +point to a location where the return value of the asynchronous function should +be stored on completion of the job. \fBfunc\fR represents the function that should +be started asynchronously. The data pointed to by \fBargs\fR and of size \fBsize\fR +will be copied and then passed as an argument to \fBfunc\fR when the job starts. +ASYNC_start_job will return one of the following values: +.IP "\fB\s-1ASYNC_ERR\s0\fR" 4 +.IX Item "ASYNC_ERR" +An error occurred trying to start the job. Check the OpenSSL error queue (e.g. +see \fIERR_print_errors\fR\|(3)) for more details. +.IP "\fB\s-1ASYNC_NO_JOBS\s0\fR" 4 +.IX Item "ASYNC_NO_JOBS" +There are no jobs currently available in the pool. This call can be retried +again at a later time. +.IP "\fB\s-1ASYNC_PAUSE\s0\fR" 4 +.IX Item "ASYNC_PAUSE" +The job was successfully started but was \*(L"paused\*(R" before it completed (see +\&\fIASYNC_pause_job()\fR below). A handle to the job is placed in \fB*job\fR. Other work +can be performed (if desired) and the job restarted at a later time. To restart +a job call \fIASYNC_start_job()\fR again passing the job handle in \fB*job\fR. The +\&\fBfunc\fR, \fBargs\fR and \fBsize\fR parameters will be ignored when restarting a job. +When restarting a job \fIASYNC_start_job()\fR \fBmust\fR be called from the same thread +that the job was originally started from. +.IP "\fB\s-1ASYNC_FINISH\s0\fR" 4 +.IX Item "ASYNC_FINISH" +The job completed. \fB*job\fR will be \s-1NULL\s0 and the return value from \fBfunc\fR will +be placed in \fB*ret\fR. +.PP +At any one time there can be a maximum of one job actively running per thread +(you can have many that are paused). \fIASYNC_get_current_job()\fR can be used to get +a pointer to the currently executing \s-1ASYNC_JOB.\s0 If no job is currently executing +then this will return \s-1NULL.\s0 +.PP +If executing within the context of a job (i.e. having been called directly or +indirectly by the function \*(L"func\*(R" passed as an argument to \fIASYNC_start_job()\fR) +then \fIASYNC_pause_job()\fR will immediately return control to the calling +application with \s-1ASYNC_PAUSE\s0 returned from the \fIASYNC_start_job()\fR call. A +subsequent call to ASYNC_start_job passing in the relevant \s-1ASYNC_JOB\s0 in the +\&\fB*job\fR parameter will resume execution from the \fIASYNC_pause_job()\fR call. If +\&\fIASYNC_pause_job()\fR is called whilst not within the context of a job then no +action is taken and \fIASYNC_pause_job()\fR returns immediately. +.PP +\&\fIASYNC_get_wait_ctx()\fR can be used to get a pointer to the \s-1ASYNC_WAIT_CTX\s0 +for the \fBjob\fR. ASYNC_WAIT_CTXs can have a \*(L"wait\*(R" file descriptor associated +with them. Applications can wait for the file descriptor to be ready for \*(L"read\*(R" +using a system function call such as select or poll (being ready for \*(L"read\*(R" +indicates that the job should be resumed). If no file descriptor is made +available then an application will have to periodically \*(L"poll\*(R" the job by +attempting to restart it to see if it is ready to continue. +.PP +An example of typical usage might be an async capable engine. User code would +initiate cryptographic operations. The engine would initiate those operations +asynchronously and then call \fIASYNC_WAIT_CTX_set_wait_fd\fR\|(3) followed by +\&\fIASYNC_pause_job()\fR to return control to the user code. The user code can then +perform other tasks or wait for the job to be ready by calling \*(L"select\*(R" or other +similar function on the wait file descriptor. The engine can signal to the user +code that the job should be resumed by making the wait file descriptor +\&\*(L"readable\*(R". Once resumed the engine should clear the wake signal on the wait +file descriptor. +.PP +The \fIASYNC_block_pause()\fR function will prevent the currently active job from +pausing. The block will remain in place until a subsequent call to +\&\fIASYNC_unblock_pause()\fR. These functions can be nested, e.g. if you call +\&\fIASYNC_block_pause()\fR twice then you must call \fIASYNC_unblock_pause()\fR twice in +order to re-enable pausing. If these functions are called while there is no +currently active job then they have no effect. This functionality can be useful +to avoid deadlock scenarios. For example during the execution of an \s-1ASYNC_JOB\s0 an +application acquires a lock. It then calls some cryptographic function which +invokes \fIASYNC_pause_job()\fR. This returns control back to the code that created +the \s-1ASYNC_JOB.\s0 If that code then attempts to acquire the same lock before +resuming the original job then a deadlock can occur. By calling +\&\fIASYNC_block_pause()\fR immediately after acquiring the lock and +\&\fIASYNC_unblock_pause()\fR immediately before releasing it then this situation cannot +occur. +.PP +Some platforms cannot support async operations. The \fIASYNC_is_capable()\fR function +can be used to detect whether the current platform is async capable or not. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +ASYNC_init_thread returns 1 on success or 0 otherwise. +.PP +ASYNC_start_job returns one of \s-1ASYNC_ERR, ASYNC_NO_JOBS, ASYNC_PAUSE\s0 or +\&\s-1ASYNC_FINISH\s0 as described above. +.PP +ASYNC_pause_job returns 0 if an error occurred or 1 on success. If called when +not within the context of an \s-1ASYNC_JOB\s0 then this is counted as success so 1 is +returned. +.PP +ASYNC_get_current_job returns a pointer to the currently executing \s-1ASYNC_JOB\s0 or +\&\s-1NULL\s0 if not within the context of a job. +.PP +\&\fIASYNC_get_wait_ctx()\fR returns a pointer to the \s-1ASYNC_WAIT_CTX\s0 for the job. +.PP +\&\fIASYNC_is_capable()\fR returns 1 if the current platform is async capable or 0 +otherwise. +.SH "NOTES" +.IX Header "NOTES" +On Windows platforms the openssl/async.h header is dependent on some +of the types customarily made available by including windows.h. The +application developer is likely to require control over when the latter +is included, commonly as one of the first included headers. Therefore +it is defined as an application developer's responsibility to include +windows.h prior to async.h. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +The following example demonstrates how to use most of the core async APIs: +.PP +.Vb 7 +\& #ifdef _WIN32 +\& # include +\& #endif +\& #include +\& #include +\& #include +\& #include +\& +\& int unique = 0; +\& +\& void cleanup(ASYNC_WAIT_CTX *ctx, const void *key, OSSL_ASYNC_FD r, void *vw) +\& { +\& OSSL_ASYNC_FD *w = (OSSL_ASYNC_FD *)vw; +\& +\& close(r); +\& close(*w); +\& OPENSSL_free(w); +\& } +\& +\& int jobfunc(void *arg) +\& { +\& ASYNC_JOB *currjob; +\& unsigned char *msg; +\& int pipefds[2] = {0, 0}; +\& OSSL_ASYNC_FD *wptr; +\& char buf = \*(AqX\*(Aq; +\& +\& currjob = ASYNC_get_current_job(); +\& if (currjob != NULL) { +\& printf("Executing within a job\en"); +\& } else { +\& printf("Not executing within a job \- should not happen\en"); +\& return 0; +\& } +\& +\& msg = (unsigned char *)arg; +\& printf("Passed in message is: %s\en", msg); +\& +\& if (pipe(pipefds) != 0) { +\& printf("Failed to create pipe\en"); +\& return 0; +\& } +\& wptr = OPENSSL_malloc(sizeof(OSSL_ASYNC_FD)); +\& if (wptr == NULL) { +\& printf("Failed to malloc\en"); +\& return 0; +\& } +\& *wptr = pipefds[1]; +\& ASYNC_WAIT_CTX_set_wait_fd(ASYNC_get_wait_ctx(currjob), &unique, +\& pipefds[0], wptr, cleanup); +\& +\& /* +\& * Normally some external event would cause this to happen at some +\& * later point \- but we do it here for demo purposes, i.e. +\& * immediately signalling that the job is ready to be woken up after +\& * we return to main via ASYNC_pause_job(). +\& */ +\& write(pipefds[1], &buf, 1); +\& +\& /* Return control back to main */ +\& ASYNC_pause_job(); +\& +\& /* Clear the wake signal */ +\& read(pipefds[0], &buf, 1); +\& +\& printf ("Resumed the job after a pause\en"); +\& +\& return 1; +\& } +\& +\& int main(void) +\& { +\& ASYNC_JOB *job = NULL; +\& ASYNC_WAIT_CTX *ctx = NULL; +\& int ret; +\& OSSL_ASYNC_FD waitfd; +\& fd_set waitfdset; +\& size_t numfds; +\& unsigned char msg[13] = "Hello world!"; +\& +\& printf("Starting...\en"); +\& +\& ctx = ASYNC_WAIT_CTX_new(); +\& if (ctx == NULL) { +\& printf("Failed to create ASYNC_WAIT_CTX\en"); +\& abort(); +\& } +\& +\& for (;;) { +\& switch (ASYNC_start_job(&job, ctx, &ret, jobfunc, msg, sizeof(msg))) { +\& case ASYNC_ERR: +\& case ASYNC_NO_JOBS: +\& printf("An error occurred\en"); +\& goto end; +\& case ASYNC_PAUSE: +\& printf("Job was paused\en"); +\& break; +\& case ASYNC_FINISH: +\& printf("Job finished with return value %d\en", ret); +\& goto end; +\& } +\& +\& /* Wait for the job to be woken */ +\& printf("Waiting for the job to be woken up\en"); +\& +\& if (!ASYNC_WAIT_CTX_get_all_fds(ctx, NULL, &numfds) +\& || numfds > 1) { +\& printf("Unexpected number of fds\en"); +\& abort(); +\& } +\& ASYNC_WAIT_CTX_get_all_fds(ctx, &waitfd, &numfds); +\& FD_ZERO(&waitfdset); +\& FD_SET(waitfd, &waitfdset); +\& select(waitfd + 1, &waitfdset, NULL, NULL, NULL); +\& } +\& +\& end: +\& ASYNC_WAIT_CTX_free(ctx); +\& printf("Finishing\en"); +\& +\& return 0; +\& } +.Ve +.PP +The expected output from executing the above example program is: +.PP +.Vb 8 +\& Starting... +\& Executing within a job +\& Passed in message is: Hello world! +\& Job was paused +\& Waiting for the job to be woken up +\& Resumed the job after a pause +\& Job finished with return value 1 +\& Finishing +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrypto\fR\|(7), \fIERR_print_errors\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +ASYNC_init_thread, ASYNC_cleanup_thread, +ASYNC_start_job, ASYNC_pause_job, ASYNC_get_current_job, \fIASYNC_get_wait_ctx()\fR, +\&\fIASYNC_block_pause()\fR, \fIASYNC_unblock_pause()\fR and \fIASYNC_is_capable()\fR were first +added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/blowfish.3 b/secure/lib/libcrypto/man/BF_encrypt.3 similarity index 87% rename from secure/lib/libcrypto/man/blowfish.3 rename to secure/lib/libcrypto/man/BF_encrypt.3 index 4b52bb890a9a..ac2d3421a013 100644 --- a/secure/lib/libcrypto/man/blowfish.3 +++ b/secure/lib/libcrypto/man/BF_encrypt.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "blowfish 3" -.TH blowfish 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BF_ENCRYPT 3" +.TH BF_ENCRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -blowfish, BF_set_key, BF_encrypt, BF_decrypt, BF_ecb_encrypt, BF_cbc_encrypt, -BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options \- Blowfish encryption +BF_set_key, BF_encrypt, BF_decrypt, BF_ecb_encrypt, BF_cbc_encrypt, BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options \- Blowfish encryption .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -145,18 +144,20 @@ BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options \- Blowfish encryption \& void BF_set_key(BF_KEY *key, int len, const unsigned char *data); \& \& void BF_ecb_encrypt(const unsigned char *in, unsigned char *out, -\& BF_KEY *key, int enc); +\& BF_KEY *key, int enc); \& void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, -\& long length, BF_KEY *schedule, unsigned char *ivec, int enc); +\& long length, BF_KEY *schedule, +\& unsigned char *ivec, int enc); \& void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, -\& long length, BF_KEY *schedule, unsigned char *ivec, int *num, -\& int enc); +\& long length, BF_KEY *schedule, +\& unsigned char *ivec, int *num, int enc); \& void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, -\& long length, BF_KEY *schedule, unsigned char *ivec, int *num); +\& long length, BF_KEY *schedule, +\& unsigned char *ivec, int *num); \& const char *BF_options(void); \& -\& void BF_encrypt(BF_LONG *data,const BF_KEY *key); -\& void BF_decrypt(BF_LONG *data,const BF_KEY *key); +\& void BF_encrypt(BF_LONG *data, const BF_KEY *key); +\& void BF_decrypt(BF_LONG *data, const BF_KEY *key); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -185,7 +186,7 @@ everything after the first 64 bits is ignored. .PP The mode functions \fIBF_cbc_encrypt()\fR, \fIBF_cfb64_encrypt()\fR and \fIBF_ofb64_encrypt()\fR all operate on variable length data. They all take an initialization vector -\&\fBivec\fR which needs to be passed along into the next call of the same function +\&\fBivec\fR which needs to be passed along into the next call of the same function for the same message. \fBivec\fR may be initialized with anything, but the recipient needs to know what it was initialized with, or it won't be able to decrypt. Some programs and protocols simplify this, like \s-1SSH,\s0 where @@ -228,11 +229,17 @@ None of the functions presented here return any value. .SH "NOTE" .IX Header "NOTE" Applications should use the higher level functions -\&\fIEVP_EncryptInit\fR\|(3) etc. instead of calling the -blowfish functions directly. +\&\fIEVP_EncryptInit\fR\|(3) etc. instead of calling these +functions directly. .SH "SEE ALSO" .IX Header "SEE ALSO" +\&\fIEVP_EncryptInit\fR\|(3), \&\fIdes_modes\fR\|(7) -.SH "HISTORY" -.IX Header "HISTORY" -The Blowfish functions are available in all versions of SSLeay and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_ADDR.3 b/secure/lib/libcrypto/man/BIO_ADDR.3 new file mode 100644 index 000000000000..3e647d7283bf --- /dev/null +++ b/secure/lib/libcrypto/man/BIO_ADDR.3 @@ -0,0 +1,249 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "BIO_ADDR 3" +.TH BIO_ADDR 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +BIO_ADDR, BIO_ADDR_new, BIO_ADDR_clear, BIO_ADDR_free, BIO_ADDR_rawmake, BIO_ADDR_family, BIO_ADDR_rawaddress, BIO_ADDR_rawport, BIO_ADDR_hostname_string, BIO_ADDR_service_string, BIO_ADDR_path_string \- BIO_ADDR routines +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 2 +\& #include +\& #include +\& +\& typedef union bio_addr_st BIO_ADDR; +\& +\& BIO_ADDR *BIO_ADDR_new(void); +\& void BIO_ADDR_free(BIO_ADDR *); +\& void BIO_ADDR_clear(BIO_ADDR *ap); +\& int BIO_ADDR_rawmake(BIO_ADDR *ap, int family, +\& const void *where, size_t wherelen, unsigned short port); +\& int BIO_ADDR_family(const BIO_ADDR *ap); +\& int BIO_ADDR_rawaddress(const BIO_ADDR *ap, void *p, size_t *l); +\& unsigned short BIO_ADDR_rawport(const BIO_ADDR *ap); +\& char *BIO_ADDR_hostname_string(const BIO_ADDR *ap, int numeric); +\& char *BIO_ADDR_service_string(const BIO_ADDR *ap, int numeric); +\& char *BIO_ADDR_path_string(const BIO_ADDR *ap); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1BIO_ADDR\s0\fR type is a wrapper around all types of socket +addresses that OpenSSL deals with, currently transparently +supporting \s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX\s0 according to what's +available on the platform at hand. +.PP +\&\fIBIO_ADDR_new()\fR creates a new unfilled \fB\s-1BIO_ADDR\s0\fR, to be used +with routines that will fill it with information, such as +\&\fIBIO_accept_ex()\fR. +.PP +\&\fIBIO_ADDR_free()\fR frees a \fB\s-1BIO_ADDR\s0\fR created with \fIBIO_ADDR_new()\fR. +.PP +\&\fIBIO_ADDR_clear()\fR clears any data held within the provided \fB\s-1BIO_ADDR\s0\fR and sets +it back to an uninitialised state. +.PP +\&\fIBIO_ADDR_rawmake()\fR takes a protocol \fBfamily\fR, an byte array of +size \fBwherelen\fR with an address in network byte order pointed at +by \fBwhere\fR and a port number in network byte order in \fBport\fR (except +for the \fB\s-1AF_UNIX\s0\fR protocol family, where \fBport\fR is meaningless and +therefore ignored) and populates the given \fB\s-1BIO_ADDR\s0\fR with them. +In case this creates a \fB\s-1AF_UNIX\s0\fR \fB\s-1BIO_ADDR\s0\fR, \fBwherelen\fR is expected +to be the length of the path string (not including the terminating +\&\s-1NUL,\s0 such as the result of a call to \fIstrlen()\fR). +\&\fIRead on about the addresses in \*(L"\s-1RAW ADDRESSES\*(R"\s0 below\fR. +.PP +\&\fIBIO_ADDR_family()\fR returns the protocol family of the given +\&\fB\s-1BIO_ADDR\s0\fR. The possible non-error results are one of the +constants \s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX.\s0 It will also return \s-1AF_UNSPEC\s0 if the +\&\s-1BIO_ADDR\s0 has not been initialised. +.PP +\&\fIBIO_ADDR_rawaddress()\fR will write the raw address of the given +\&\fB\s-1BIO_ADDR\s0\fR in the area pointed at by \fBp\fR if \fBp\fR is non-NULL, +and will set \fB*l\fR to be the amount of bytes the raw address +takes up if \fBl\fR is non-NULL. +A technique to only find out the size of the address is a call +with \fBp\fR set to \fB\s-1NULL\s0\fR. The raw address will be in network byte +order, most significant byte first. +In case this is a \fB\s-1AF_UNIX\s0\fR \fB\s-1BIO_ADDR\s0\fR, \fBl\fR gets the length of the +path string (not including the terminating \s-1NUL,\s0 such as the result of +a call to \fIstrlen()\fR). +\&\fIRead on about the addresses in \*(L"\s-1RAW ADDRESSES\*(R"\s0 below\fR. +.PP +\&\fIBIO_ADDR_rawport()\fR returns the raw port of the given \fB\s-1BIO_ADDR\s0\fR. +The raw port will be in network byte order. +.PP +\&\fIBIO_ADDR_hostname_string()\fR returns a character string with the +hostname of the given \fB\s-1BIO_ADDR\s0\fR. If \fBnumeric\fR is 1, the string +will contain the numerical form of the address. This only works for +\&\fB\s-1BIO_ADDR\s0\fR of the protocol families \s-1AF_INET\s0 and \s-1AF_INET6.\s0 The +returned string has been allocated on the heap and must be freed +with \fIOPENSSL_free()\fR. +.PP +\&\fIBIO_ADDR_service_string()\fR returns a character string with the +service name of the port of the given \fB\s-1BIO_ADDR\s0\fR. If \fBnumeric\fR +is 1, the string will contain the port number. This only works +for \fB\s-1BIO_ADDR\s0\fR of the protocol families \s-1AF_INET\s0 and \s-1AF_INET6.\s0 The +returned string has been allocated on the heap and must be freed +with \fIOPENSSL_free()\fR. +.PP +\&\fIBIO_ADDR_path_string()\fR returns a character string with the path +of the given \fB\s-1BIO_ADDR\s0\fR. This only works for \fB\s-1BIO_ADDR\s0\fR of the +protocol family \s-1AF_UNIX.\s0 The returned string has been allocated +on the heap and must be freed with \fIOPENSSL_free()\fR. +.SH "RAW ADDRESSES" +.IX Header "RAW ADDRESSES" +Both \fIBIO_ADDR_rawmake()\fR and \fIBIO_ADDR_rawaddress()\fR take a pointer to a +network byte order address of a specific site. Internally, those are +treated as a pointer to \fBstruct in_addr\fR (for \fB\s-1AF_INET\s0\fR), \fBstruct +in6_addr\fR (for \fB\s-1AF_INET6\s0\fR) or \fBchar *\fR (for \fB\s-1AF_UNIX\s0\fR), all +depending on the protocol family the address is for. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The string producing functions \fIBIO_ADDR_hostname_string()\fR, +\&\fIBIO_ADDR_service_string()\fR and \fIBIO_ADDR_path_string()\fR will +return \fB\s-1NULL\s0\fR on error and leave an error indication on the +OpenSSL error stack. +.PP +All other functions described here return 0 or \fB\s-1NULL\s0\fR when the +information they should return isn't available. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIBIO_connect\fR\|(3), \fIBIO_s_connect\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_ADDRINFO.3 b/secure/lib/libcrypto/man/BIO_ADDRINFO.3 new file mode 100644 index 000000000000..86b1ddc224c6 --- /dev/null +++ b/secure/lib/libcrypto/man/BIO_ADDRINFO.3 @@ -0,0 +1,235 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "BIO_ADDRINFO 3" +.TH BIO_ADDRINFO 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +BIO_lookup_type, BIO_ADDRINFO, BIO_ADDRINFO_next, BIO_ADDRINFO_free, BIO_ADDRINFO_family, BIO_ADDRINFO_socktype, BIO_ADDRINFO_protocol, BIO_ADDRINFO_address, BIO_lookup_ex, BIO_lookup \&\- BIO_ADDRINFO type and routines +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 2 +\& #include +\& #include +\& +\& typedef union bio_addrinfo_st BIO_ADDRINFO; +\& +\& enum BIO_lookup_type { +\& BIO_LOOKUP_CLIENT, BIO_LOOKUP_SERVER +\& }; +\& +\& int BIO_lookup_ex(const char *host, const char *service, int lookup_type, +\& int family, int socktype, int protocol, BIO_ADDRINFO **res); +\& int BIO_lookup(const char *node, const char *service, +\& enum BIO_lookup_type lookup_type, +\& int family, int socktype, BIO_ADDRINFO **res); +\& +\& const BIO_ADDRINFO *BIO_ADDRINFO_next(const BIO_ADDRINFO *bai); +\& int BIO_ADDRINFO_family(const BIO_ADDRINFO *bai); +\& int BIO_ADDRINFO_socktype(const BIO_ADDRINFO *bai); +\& int BIO_ADDRINFO_protocol(const BIO_ADDRINFO *bai); +\& const BIO_ADDR *BIO_ADDRINFO_address(const BIO_ADDRINFO *bai); +\& void BIO_ADDRINFO_free(BIO_ADDRINFO *bai); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1BIO_ADDRINFO\s0\fR type is a wrapper for address information +types provided on your platform. +.PP +\&\fB\s-1BIO_ADDRINFO\s0\fR normally forms a chain of several that can be +picked at one by one. +.PP +\&\fIBIO_lookup_ex()\fR looks up a specified \fBhost\fR and \fBservice\fR, and +uses \fBlookup_type\fR to determine what the default address should +be if \fBhost\fR is \fB\s-1NULL\s0\fR. \fBfamily\fR, \fBsocktype\fR and \fBprotocol\fR are used to +determine what protocol family, socket type and protocol should be used for +the lookup. \fBfamily\fR can be any of \s-1AF_INET, AF_INET6, AF_UNIX\s0 and +\&\s-1AF_UNSPEC.\s0 \fBsocktype\fR can be \s-1SOCK_STREAM, SOCK_DGRAM\s0 or 0. Specifying 0 +indicates that any type can be used. \fBprotocol\fR specifies a protocol such as +\&\s-1IPPROTO_TCP, IPPROTO_UDP\s0 or \s-1IPPORTO_SCTP.\s0 If set to 0 than any protocol can be +used. \fBres\fR points at a pointer to hold the start of a \fB\s-1BIO_ADDRINFO\s0\fR +chain. +.PP +For the family \fB\s-1AF_UNIX\s0\fR, \fIBIO_lookup_ex()\fR will ignore the \fBservice\fR +parameter and expects the \fBnode\fR parameter to hold the path to the +socket file. +.PP +\&\fIBIO_lookup()\fR does the same as \fIBIO_lookup_ex()\fR but does not provide the ability +to select based on the protocol (any protocol may be returned). +.PP +\&\fIBIO_ADDRINFO_family()\fR returns the family of the given +\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants +\&\s-1AF_INET, AF_INET6\s0 and \s-1AF_UNIX.\s0 +.PP +\&\fIBIO_ADDRINFO_socktype()\fR returns the socket type of the given +\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants +\&\s-1SOCK_STREAM\s0 and \s-1SOCK_DGRAM.\s0 +.PP +\&\fIBIO_ADDRINFO_protocol()\fR returns the protocol id of the given +\&\fB\s-1BIO_ADDRINFO\s0\fR. The result will be one of the constants +\&\s-1IPPROTO_TCP\s0 and \s-1IPPROTO_UDP.\s0 +.PP +\&\fIBIO_ADDRINFO_address()\fR returns the underlying \fB\s-1BIO_ADDR\s0\fR +of the given \fB\s-1BIO_ADDRINFO\s0\fR. +.PP +\&\fIBIO_ADDRINFO_next()\fR returns the next \fB\s-1BIO_ADDRINFO\s0\fR in the chain +from the given one. +.PP +\&\fIBIO_ADDRINFO_free()\fR frees the chain of \fB\s-1BIO_ADDRINFO\s0\fR starting +with the given one. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_lookup_ex()\fR and \fIBIO_lookup()\fR return 1 on success and 0 when an error +occurred, and will leave an error indication on the OpenSSL error stack in that +case. +.PP +All other functions described here return 0 or \fB\s-1NULL\s0\fR when the +information they should return isn't available. +.SH "NOTES" +.IX Header "NOTES" +The \fIBIO_lookup_ex()\fR implementation uses the platform provided \fIgetaddrinfo()\fR +function. On Linux it is known that specifying 0 for the protocol will not +return any \s-1SCTP\s0 based addresses when calling \fIgetaddrinfo()\fR. Therefore if an \s-1SCTP\s0 +address is required then the \fBprotocol\fR parameter to \fIBIO_lookup_ex()\fR should be +explicitly set to \s-1IPPROTO_SCTP.\s0 The same may be true on other platforms. +.SH "HISTORY" +.IX Header "HISTORY" +The \fIBIO_lookup_ex()\fR function was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_connect.3 b/secure/lib/libcrypto/man/BIO_connect.3 new file mode 100644 index 000000000000..07ce276e19f6 --- /dev/null +++ b/secure/lib/libcrypto/man/BIO_connect.3 @@ -0,0 +1,236 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "BIO_CONNECT 3" +.TH BIO_CONNECT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +BIO_socket, BIO_bind, BIO_connect, BIO_listen, BIO_accept_ex, BIO_closesocket \- BIO socket communication setup routines +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int BIO_socket(int domain, int socktype, int protocol, int options); +\& int BIO_bind(int sock, const BIO_ADDR *addr, int options); +\& int BIO_connect(int sock, const BIO_ADDR *addr, int options); +\& int BIO_listen(int sock, const BIO_ADDR *addr, int options); +\& int BIO_accept_ex(int accept_sock, BIO_ADDR *peer, int options); +\& int BIO_closesocket(int sock); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIBIO_socket()\fR creates a socket in the domain \fBdomain\fR, of type +\&\fBsocktype\fR and \fBprotocol\fR. Socket \fBoptions\fR are currently unused, +but is present for future use. +.PP +\&\fIBIO_bind()\fR binds the source address and service to a socket and +may be useful before calling \fIBIO_connect()\fR. The options may include +\&\fB\s-1BIO_SOCK_REUSADDR\s0\fR, which is described in \*(L"\s-1FLAGS\*(R"\s0 below. +.PP +\&\fIBIO_connect()\fR connects \fBsock\fR to the address and service given by +\&\fBaddr\fR. Connection \fBoptions\fR may be zero or any combination of +\&\fB\s-1BIO_SOCK_KEEPALIVE\s0\fR, \fB\s-1BIO_SOCK_NONBLOCK\s0\fR and \fB\s-1BIO_SOCK_NODELAY\s0\fR. +The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below. +.PP +\&\fIBIO_listen()\fR has \fBsock\fR start listening on the address and service +given by \fBaddr\fR. Connection \fBoptions\fR may be zero or any +combination of \fB\s-1BIO_SOCK_KEEPALIVE\s0\fR, \fB\s-1BIO_SOCK_NONBLOCK\s0\fR, +\&\fB\s-1BIO_SOCK_NODELAY\s0\fR, \fB\s-1BIO_SOCK_REUSEADDR\s0\fR and \fB\s-1BIO_SOCK_V6_ONLY\s0\fR. +The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below. +.PP +\&\fIBIO_accept_ex()\fR waits for an incoming connections on the given +socket \fBaccept_sock\fR. When it gets a connection, the address and +port of the peer gets stored in \fBpeer\fR if that one is non-NULL. +Accept \fBoptions\fR may be zero or \fB\s-1BIO_SOCK_NONBLOCK\s0\fR, and is applied +on the accepted socket. The flags are described in \*(L"\s-1FLAGS\*(R"\s0 below. +.PP +\&\fIBIO_closesocket()\fR closes \fBsock\fR. +.SH "FLAGS" +.IX Header "FLAGS" +.IP "\s-1BIO_SOCK_KEEPALIVE\s0" 4 +.IX Item "BIO_SOCK_KEEPALIVE" +Enables regular sending of keep-alive messages. +.IP "\s-1BIO_SOCK_NONBLOCK\s0" 4 +.IX Item "BIO_SOCK_NONBLOCK" +Sets the socket to non-blocking mode. +.IP "\s-1BIO_SOCK_NODELAY\s0" 4 +.IX Item "BIO_SOCK_NODELAY" +Corresponds to \fB\s-1TCP_NODELAY\s0\fR, and disables the Nagle algorithm. With +this set, any data will be sent as soon as possible instead of being +buffered until there's enough for the socket to send out in one go. +.IP "\s-1BIO_SOCK_REUSEADDR\s0" 4 +.IX Item "BIO_SOCK_REUSEADDR" +Try to reuse the address and port combination for a recently closed +port. +.IP "\s-1BIO_SOCK_V6_ONLY\s0" 4 +.IX Item "BIO_SOCK_V6_ONLY" +When creating an IPv6 socket, make it only listen for IPv6 addresses +and not IPv4 addresses mapped to IPv6. +.PP +These flags are bit flags, so they are to be combined with the +\&\f(CW\*(C`|\*(C'\fR operator, for example: +.PP +.Vb 1 +\& BIO_connect(sock, addr, BIO_SOCK_KEEPALIVE | BIO_SOCK_NONBLOCK); +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_socket()\fR returns the socket number on success or \fB\s-1INVALID_SOCKET\s0\fR +(\-1) on error. When an error has occurred, the OpenSSL error stack +will hold the error data and errno has the system error. +.PP +\&\fIBIO_bind()\fR, \fIBIO_connect()\fR and \fIBIO_listen()\fR return 1 on success or 0 on error. +When an error has occurred, the OpenSSL error stack will hold the error +data and errno has the system error. +.PP +\&\fIBIO_accept_ex()\fR returns the accepted socket on success or +\&\fB\s-1INVALID_SOCKET\s0\fR (\-1) on error. When an error has occurred, the +OpenSSL error stack will hold the error data and errno has the system +error. +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIBIO_gethostname()\fR, \fIBIO_get_port()\fR, \fIBIO_get_host_ip()\fR, +\&\fIBIO_get_accept_socket()\fR and \fIBIO_accept()\fR were deprecated in +OpenSSL 1.1.0. Use the functions described above instead. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\s-1\fIBIO_ADDR\s0\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_ctrl.3 b/secure/lib/libcrypto/man/BIO_ctrl.3 index 6c502a16120f..6ecb3024c4d4 100644 --- a/secure/lib/libcrypto/man/BIO_ctrl.3 +++ b/secure/lib/libcrypto/man/BIO_ctrl.3 @@ -128,43 +128,40 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_ctrl 3" -.TH BIO_ctrl 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_CTRL 3" +.TH BIO_CTRL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset, -BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close, -BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending, -BIO_get_info_callback, BIO_set_info_callback \- BIO control operations +BIO_ctrl, BIO_callback_ctrl, BIO_ptr_ctrl, BIO_int_ctrl, BIO_reset, BIO_seek, BIO_tell, BIO_flush, BIO_eof, BIO_set_close, BIO_get_close, BIO_pending, BIO_wpending, BIO_ctrl_pending, BIO_ctrl_wpending, BIO_get_info_callback, BIO_set_info_callback, BIO_info_cb \&\- BIO control operations .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& long BIO_ctrl(BIO *bp,int cmd,long larg,void *parg); -\& long BIO_callback_ctrl(BIO *b, int cmd, void (*fp)(struct bio_st *, int, const char *, int, long, long)); -\& char * BIO_ptr_ctrl(BIO *bp,int cmd,long larg); -\& long BIO_int_ctrl(BIO *bp,int cmd,long larg,int iarg); +\& typedef int BIO_info_cb(BIO *b, int state, int res); +\& +\& long BIO_ctrl(BIO *bp, int cmd, long larg, void *parg); +\& long BIO_callback_ctrl(BIO *b, int cmd, BIO_info_cb *cb); +\& char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); +\& long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg); \& \& int BIO_reset(BIO *b); \& int BIO_seek(BIO *b, int ofs); \& int BIO_tell(BIO *b); \& int BIO_flush(BIO *b); \& int BIO_eof(BIO *b); -\& int BIO_set_close(BIO *b,long flag); +\& int BIO_set_close(BIO *b, long flag); \& int BIO_get_close(BIO *b); \& int BIO_pending(BIO *b); \& int BIO_wpending(BIO *b); \& size_t BIO_ctrl_pending(BIO *b); \& size_t BIO_ctrl_wpending(BIO *b); \& -\& int BIO_get_info_callback(BIO *b,bio_info_cb **cbp); -\& int BIO_set_info_callback(BIO *b,bio_info_cb *cb); -\& -\& typedef void bio_info_cb(BIO *b, int oper, const char *ptr, int arg1, long arg2, long arg3); +\& int BIO_get_info_callback(BIO *b, BIO_info_cb **cbp); +\& int BIO_set_info_callback(BIO *b, BIO_info_cb *cb); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -225,7 +222,7 @@ return the amount of pending data. .SH "NOTES" .IX Header "NOTES" \&\fIBIO_flush()\fR, because it can write data may return 0 or \-1 indicating -that the call should be retried later in a similar manner to \fIBIO_write()\fR. +that the call should be retried later in a similar manner to \fIBIO_write_ex()\fR. The \fIBIO_should_retry()\fR call should be used and appropriate action taken is the call fails. .PP @@ -252,6 +249,11 @@ Some of the return values are ambiguous and care should be taken. In particular a return value of 0 can be returned if an operation is not supported, if an error occurred, if \s-1EOF\s0 has not been reached and in the case of \fIBIO_seek()\fR on a file \s-1BIO\s0 for a successful operation. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_f_base64.3 b/secure/lib/libcrypto/man/BIO_f_base64.3 index 730aaa3fb524..450f1e15b2a7 100644 --- a/secure/lib/libcrypto/man/BIO_f_base64.3 +++ b/secure/lib/libcrypto/man/BIO_f_base64.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_f_base64 3" -.TH BIO_f_base64 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_F_BASE64 3" +.TH BIO_F_BASE64 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,7 +142,7 @@ BIO_f_base64 \- base64 BIO filter \& #include \& #include \& -\& BIO_METHOD * BIO_f_base64(void); +\& const BIO_METHOD *BIO_f_base64(void); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -196,8 +196,8 @@ data to standard output: \& bio = BIO_new_fp(stdin, BIO_NOCLOSE); \& bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); \& BIO_push(b64, bio); -\& while((inlen = BIO_read(b64, inbuf, 512)) > 0) -\& BIO_write(bio_out, inbuf, inlen); +\& while ((inlen = BIO_read(b64, inbuf, 512)) > 0) +\& BIO_write(bio_out, inbuf, inlen); \& \& BIO_flush(bio_out); \& BIO_free_all(b64); @@ -209,6 +209,11 @@ data following the base64 encoded block to be misinterpreted. .PP There should be some way of specifying a test that the \s-1BIO\s0 can perform to reliably determine \s-1EOF\s0 (for example a \s-1MIME\s0 boundary). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_f_buffer.3 b/secure/lib/libcrypto/man/BIO_f_buffer.3 index bac5af9b3ba2..ecb04e40adf0 100644 --- a/secure/lib/libcrypto/man/BIO_f_buffer.3 +++ b/secure/lib/libcrypto/man/BIO_f_buffer.3 @@ -128,26 +128,26 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_f_buffer 3" -.TH BIO_f_buffer 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_F_BUFFER 3" +.TH BIO_F_BUFFER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_f_buffer \- buffering BIO +BIO_get_buffer_num_lines, BIO_set_read_buffer_size, BIO_set_write_buffer_size, BIO_set_buffer_size, BIO_set_buffer_read_data, BIO_f_buffer \&\- buffering BIO .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& BIO_METHOD * BIO_f_buffer(void); +\& const BIO_METHOD *BIO_f_buffer(void); \& -\& #define BIO_get_buffer_num_lines(b) BIO_ctrl(b,BIO_C_GET_BUFF_NUM_LINES,0,NULL) -\& #define BIO_set_read_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,0) -\& #define BIO_set_write_buffer_size(b,size) BIO_int_ctrl(b,BIO_C_SET_BUFF_SIZE,size,1) -\& #define BIO_set_buffer_size(b,size) BIO_ctrl(b,BIO_C_SET_BUFF_SIZE,size,NULL) -\& #define BIO_set_buffer_read_data(b,buf,num) BIO_ctrl(b,BIO_C_SET_BUFF_READ_DATA,num,buf) +\& long BIO_get_buffer_num_lines(BIO *b); +\& long BIO_set_read_buffer_size(BIO *b, long size); +\& long BIO_set_write_buffer_size(BIO *b, long size); +\& long BIO_set_buffer_size(BIO *b, long size); +\& long BIO_set_buffer_read_data(BIO *b, void *buf, long num); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -173,7 +173,9 @@ bytes of \fBbuf\fR. If \fBnum\fR is larger than the current buffer size the buff is expanded. .SH "NOTES" .IX Header "NOTES" -Buffering BIOs implement \fIBIO_gets()\fR by using \fIBIO_read()\fR operations on the +These functions, other than \fIBIO_f_buffer()\fR, are implemented as macros. +.PP +Buffering BIOs implement \fIBIO_gets()\fR by using \fIBIO_read_ex()\fR operations on the next \s-1BIO\s0 in the chain. By prepending a buffering \s-1BIO\s0 to a chain it is therefore possible to provide \fIBIO_gets()\fR functionality if the following BIOs do not support it (for example \s-1SSL\s0 BIOs). @@ -196,9 +198,16 @@ return 1 if the buffer was successfully resized or 0 for failure. there was an error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\s-1\fIBIO\s0\fR\|(3), +\&\fIbio\fR\|(7), \&\fIBIO_reset\fR\|(3), \&\fIBIO_flush\fR\|(3), \&\fIBIO_pop\fR\|(3), -\&\fIBIO_ctrl\fR\|(3), -\&\fIBIO_int_ctrl\fR\|(3) +\&\fIBIO_ctrl\fR\|(3). +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_f_cipher.3 b/secure/lib/libcrypto/man/BIO_f_cipher.3 index b210f5192471..858b3280f2fd 100644 --- a/secure/lib/libcrypto/man/BIO_f_cipher.3 +++ b/secure/lib/libcrypto/man/BIO_f_cipher.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_f_cipher 3" -.TH BIO_f_cipher 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_F_CIPHER 3" +.TH BIO_F_CIPHER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,9 +142,9 @@ BIO_f_cipher, BIO_set_cipher, BIO_get_cipher_status, BIO_get_cipher_ctx \- ciphe \& #include \& #include \& -\& BIO_METHOD * BIO_f_cipher(void); -\& void BIO_set_cipher(BIO *b,const EVP_CIPHER *cipher, -\& unsigned char *key, unsigned char *iv, int enc); +\& const BIO_METHOD *BIO_f_cipher(void); +\& void BIO_set_cipher(BIO *b, const EVP_CIPHER *cipher, +\& unsigned char *key, unsigned char *iv, int enc); \& int BIO_get_cipher_status(BIO *b) \& int BIO_get_cipher_ctx(BIO *b, EVP_CIPHER_CTX **pctx) .Ve @@ -180,7 +180,7 @@ When encrypting \fIBIO_flush()\fR \fBmust\fR be called to flush the final block through the \s-1BIO.\s0 If it is not then the final block will fail a subsequent decrypt. .PP -When decrypting an error on the final block is signalled by a zero +When decrypting an error on the final block is signaled by a zero return value from the read operation. A successful decrypt followed by \s-1EOF\s0 will also return zero for the final read. \fIBIO_get_cipher_status()\fR should be called to determine if the decrypt was successful. @@ -197,9 +197,11 @@ be achieved by preceding the cipher \s-1BIO\s0 with a buffering \s-1BIO.\s0 for failure. .PP \&\fIBIO_get_cipher_ctx()\fR currently always returns 1. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -\&\s-1TBA\s0 -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_f_md.3 b/secure/lib/libcrypto/man/BIO_f_md.3 index 03440d513956..73f5fccb51e4 100644 --- a/secure/lib/libcrypto/man/BIO_f_md.3 +++ b/secure/lib/libcrypto/man/BIO_f_md.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_f_md 3" -.TH BIO_f_md 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_F_MD 3" +.TH BIO_F_MD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,10 +142,10 @@ BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx \- message digest BIO filter \& #include \& #include \& -\& BIO_METHOD * BIO_f_md(void); -\& int BIO_set_md(BIO *b,EVP_MD *md); -\& int BIO_get_md(BIO *b,EVP_MD **mdp); -\& int BIO_get_md_ctx(BIO *b,EVP_MD_CTX **mdcp); +\& const BIO_METHOD *BIO_f_md(void); +\& int BIO_set_md(BIO *b, EVP_MD *md); +\& int BIO_get_md(BIO *b, EVP_MD **mdp); +\& int BIO_get_md_ctx(BIO *b, EVP_MD_CTX **mdcp); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -154,8 +154,8 @@ BIO_f_md, BIO_set_md, BIO_get_md, BIO_get_md_ctx \- message digest BIO filter for the digest routines \fIEVP_DigestInit()\fR, \fIEVP_DigestUpdate()\fR and \fIEVP_DigestFinal()\fR. .PP -Any data written or read through a digest \s-1BIO\s0 using \fIBIO_read()\fR and -\&\fIBIO_write()\fR is digested. +Any data written or read through a digest \s-1BIO\s0 using \fIBIO_read_ex()\fR and +\&\fIBIO_write_ex()\fR is digested. .PP \&\fIBIO_gets()\fR, if its \fBsize\fR parameter is large enough finishes the digest calculation and returns the digest value. \fIBIO_puts()\fR is @@ -190,10 +190,8 @@ If an application needs to call \fIBIO_gets()\fR or \fIBIO_puts()\fR through a chain containing digest BIOs then this can be done by prepending a buffering \s-1BIO.\s0 .PP -Before OpenSSL 1.0.0 the call to \fIBIO_get_md_ctx()\fR would only work if the \s-1BIO\s0 -had been initialized for example by calling \fIBIO_set_md()\fR ). In OpenSSL -1.0.0 and later the context is always returned and the \s-1BIO\s0 is state is set -to initialized. This allows applications to initialize the context externally +Calling \fIBIO_get_md_ctx()\fR will return the context and initialize the \s-1BIO\s0 +state. This allows applications to initialize the context externally if the standard calls such as \fIBIO_set_md()\fR are not sufficiently flexible. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -207,13 +205,15 @@ The following example creates a \s-1BIO\s0 chain containing an \s-1SHA1\s0 and \ digest \s-1BIO\s0 and passes the string \*(L"Hello World\*(R" through it. Error checking has been omitted for clarity. .PP -.Vb 10 +.Vb 2 \& BIO *bio, *mdtmp; \& char message[] = "Hello World"; +\& \& bio = BIO_new(BIO_s_null()); \& mdtmp = BIO_new(BIO_f_md()); \& BIO_set_md(mdtmp, EVP_sha1()); -\& /* For BIO_push() we want to append the sink BIO and keep a note of +\& /* +\& * For BIO_push() we want to append the sink BIO and keep a note of \& * the start of the chain. \& */ \& bio = BIO_push(mdtmp, bio); @@ -226,10 +226,11 @@ checking has been omitted for clarity. .PP The next example digests data by reading through a chain instead: .PP -.Vb 10 +.Vb 3 \& BIO *bio, *mdtmp; \& char buf[1024]; \& int rdlen; +\& \& bio = BIO_new_file(file, "rb"); \& mdtmp = BIO_new(BIO_f_md()); \& BIO_set_md(mdtmp, EVP_sha1()); @@ -238,31 +239,34 @@ The next example digests data by reading through a chain instead: \& BIO_set_md(mdtmp, EVP_md5()); \& bio = BIO_push(mdtmp, bio); \& do { -\& rdlen = BIO_read(bio, buf, sizeof(buf)); -\& /* Might want to do something with the data here */ -\& } while(rdlen > 0); +\& rdlen = BIO_read(bio, buf, sizeof(buf)); +\& /* Might want to do something with the data here */ +\& } while (rdlen > 0); .Ve .PP This next example retrieves the message digests from a \s-1BIO\s0 chain and outputs them. This could be used with the examples above. .PP -.Vb 10 +.Vb 4 \& BIO *mdtmp; \& unsigned char mdbuf[EVP_MAX_MD_SIZE]; \& int mdlen; \& int i; +\& \& mdtmp = bio; /* Assume bio has previously been set up */ \& do { -\& EVP_MD *md; -\& mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD); -\& if(!mdtmp) break; -\& BIO_get_md(mdtmp, &md); -\& printf("%s digest", OBJ_nid2sn(EVP_MD_type(md))); -\& mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE); -\& for(i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]); -\& printf("\en"); -\& mdtmp = BIO_next(mdtmp); -\& } while(mdtmp); +\& EVP_MD *md; +\& +\& mdtmp = BIO_find_type(mdtmp, BIO_TYPE_MD); +\& if (!mdtmp) +\& break; +\& BIO_get_md(mdtmp, &md); +\& printf("%s digest", OBJ_nid2sn(EVP_MD_type(md))); +\& mdlen = BIO_gets(mdtmp, mdbuf, EVP_MAX_MD_SIZE); +\& for (i = 0; i < mdlen; i++) printf(":%02X", mdbuf[i]); +\& printf("\en"); +\& mdtmp = BIO_next(mdtmp); +\& } while (mdtmp); \& \& BIO_free_all(bio); .Ve @@ -273,6 +277,15 @@ The lack of support for \fIBIO_puts()\fR and the non standard behaviour of and \fIBIO_puts()\fR should be passed to the next \s-1BIO\s0 in the chain and digest the data passed through and that digests should be retrieved using a separate \fIBIO_ctrl()\fR call. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "HISTORY" +.IX Header "HISTORY" +Before OpenSSL 1.0.0., the call to \fIBIO_get_md_ctx()\fR would only work if the +\&\s-1BIO\s0 was initialized first. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_f_null.3 b/secure/lib/libcrypto/man/BIO_f_null.3 index 45c7d004d54c..912c7bcb57cd 100644 --- a/secure/lib/libcrypto/man/BIO_f_null.3 +++ b/secure/lib/libcrypto/man/BIO_f_null.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_f_null 3" -.TH BIO_f_null 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_F_NULL 3" +.TH BIO_F_NULL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +141,7 @@ BIO_f_null \- null filter .Vb 1 \& #include \& -\& BIO_METHOD * BIO_f_null(void); +\& const BIO_METHOD *BIO_f_null(void); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -157,6 +157,11 @@ As may be apparent a null filter \s-1BIO\s0 is not particularly useful. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBIO_f_null()\fR returns the null filter \s-1BIO\s0 method. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_f_ssl.3 b/secure/lib/libcrypto/man/BIO_f_ssl.3 index bc8580b6cfb4..0713da633b63 100644 --- a/secure/lib/libcrypto/man/BIO_f_ssl.3 +++ b/secure/lib/libcrypto/man/BIO_f_ssl.3 @@ -128,42 +128,36 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_f_ssl 3" -.TH BIO_f_ssl 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_F_SSL 3" +.TH BIO_F_SSL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes, -BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl, -BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id, -BIO_ssl_shutdown \- SSL BIO +BIO_do_handshake, BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes, BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl, BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id, BIO_ssl_shutdown \- SSL BIO .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 2 \& #include \& #include \& -\& BIO_METHOD *BIO_f_ssl(void); +\& const BIO_METHOD *BIO_f_ssl(void); \& -\& #define BIO_set_ssl(b,ssl,c) BIO_ctrl(b,BIO_C_SET_SSL,c,(char *)ssl) -\& #define BIO_get_ssl(b,sslp) BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp) -\& #define BIO_set_ssl_mode(b,client) BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL) -\& #define BIO_set_ssl_renegotiate_bytes(b,num) \e -\& BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL); -\& #define BIO_set_ssl_renegotiate_timeout(b,seconds) \e -\& BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL); -\& #define BIO_get_num_renegotiates(b) \e -\& BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL); +\& long BIO_set_ssl(BIO *b, SSL *ssl, long c); +\& long BIO_get_ssl(BIO *b, SSL **sslp); +\& long BIO_set_ssl_mode(BIO *b, long client); +\& long BIO_set_ssl_renegotiate_bytes(BIO *b, long num); +\& long BIO_set_ssl_renegotiate_timeout(BIO *b, long seconds); +\& long BIO_get_num_renegotiates(BIO *b); \& -\& BIO *BIO_new_ssl(SSL_CTX *ctx,int client); +\& BIO *BIO_new_ssl(SSL_CTX *ctx, int client); \& BIO *BIO_new_ssl_connect(SSL_CTX *ctx); \& BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx); -\& int BIO_ssl_copy_session_id(BIO *to,BIO *from); +\& int BIO_ssl_copy_session_id(BIO *to, BIO *from); \& void BIO_ssl_shutdown(BIO *bio); \& -\& #define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) +\& long BIO_do_handshake(BIO *b); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -196,7 +190,7 @@ manipulated using the standard \s-1SSL\s0 library functions. is 1 client mode is set. If \fBclient\fR is 0 server mode is set. .PP \&\fIBIO_set_ssl_renegotiate_bytes()\fR sets the renegotiate byte count -to \fBnum\fR. When set after every \fBnum\fR bytes of I/O (read and write) +to \fBnum\fR. When set after every \fBnum\fR bytes of I/O (read and write) the \s-1SSL\s0 session is automatically renegotiated. \fBnum\fR must be at least 512 bytes. .PP @@ -217,7 +211,7 @@ client mode if \fBclient\fR is non zero. of a buffering \s-1BIO,\s0 an \s-1SSL BIO\s0 (using \fBctx\fR) and a connect \&\s-1BIO.\s0 .PP -\&\fIBIO_ssl_copy_session_id()\fR copies an \s-1SSL\s0 session id between +\&\fIBIO_ssl_copy_session_id()\fR copies an \s-1SSL\s0 session id between \&\s-1BIO\s0 chains \fBfrom\fR and \fBto\fR. It does this by locating the \&\s-1SSL\s0 BIOs in each chain and calling \fISSL_copy_session_id()\fR on the internal \s-1SSL\s0 pointer. @@ -239,10 +233,10 @@ already been established this call has no effect. \&\s-1SSL\s0 BIOs are exceptional in that if the underlying transport is non blocking they can still request a retry in exceptional circumstances. Specifically this will happen if a session -renegotiation takes place during a \fIBIO_read()\fR operation, one +renegotiation takes place during a \fIBIO_read_ex()\fR operation, one case where this happens is when step up occurs. .PP -In OpenSSL 0.9.6 and later the \s-1SSL\s0 flag \s-1SSL_AUTO_RETRY\s0 can be +The \s-1SSL\s0 flag \s-1SSL_AUTO_RETRY\s0 can be set to disable this behaviour. That is when this flag is set an \s-1SSL BIO\s0 using a blocking transport will never request a retry. @@ -255,9 +249,10 @@ to locate the connect \s-1BIO\s0 first. Applications do not have to call \fIBIO_do_handshake()\fR but may wish to do so to separate the handshake process from other I/O processing. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\s-1TBA\s0 +.PP +\&\fIBIO_set_ssl()\fR, \fIBIO_get_ssl()\fR, \fIBIO_set_ssl_mode()\fR, +\&\fIBIO_set_ssl_renegotiate_bytes()\fR, \fIBIO_set_ssl_renegotiate_timeout()\fR, +\&\fIBIO_get_num_renegotiates()\fR, and \fIBIO_do_handshake()\fR are implemented as macros. .SH "EXAMPLE" .IX Header "EXAMPLE" This \s-1SSL/TLS\s0 client example, attempts to retrieve a page from an @@ -271,57 +266,48 @@ unencrypted example in \fIBIO_s_connect\fR\|(3). \& SSL_CTX *ctx; \& SSL *ssl; \& -\& ERR_load_crypto_strings(); -\& ERR_load_SSL_strings(); -\& OpenSSL_add_all_algorithms(); +\& /* XXX Seed the PRNG if needed. */ \& -\& /* We would seed the PRNG here if the platform didn\*(Aqt -\& * do it automatically -\& */ +\& ctx = SSL_CTX_new(TLS_client_method()); \& -\& ctx = SSL_CTX_new(SSLv23_client_method()); -\& -\& /* We\*(Aqd normally set some stuff like the verify paths and -\& * mode here because as things stand this will connect to -\& * any server whose certificate is signed by any CA. -\& */ +\& /* XXX Set verify paths and mode here. */ \& \& sbio = BIO_new_ssl_connect(ctx); -\& \& BIO_get_ssl(sbio, &ssl); -\& -\& if(!ssl) { -\& fprintf(stderr, "Can\*(Aqt locate SSL pointer\en"); -\& /* whatever ... */ +\& if (ssl == NULL) { +\& fprintf(stderr, "Can\*(Aqt locate SSL pointer\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& \& /* Don\*(Aqt want any retries */ \& SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); \& -\& /* We might want to do other things with ssl here */ +\& /* XXX We might want to do other things with ssl here */ \& -\& BIO_set_conn_hostname(sbio, "localhost:https"); +\& /* An empty host part means the loopback address */ +\& BIO_set_conn_hostname(sbio, ":https"); \& \& out = BIO_new_fp(stdout, BIO_NOCLOSE); -\& if(BIO_do_connect(sbio) <= 0) { -\& fprintf(stderr, "Error connecting to server\en"); -\& ERR_print_errors_fp(stderr); -\& /* whatever ... */ +\& if (BIO_do_connect(sbio) <= 0) { +\& fprintf(stderr, "Error connecting to server\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); +\& } +\& if (BIO_do_handshake(sbio) <= 0) { +\& fprintf(stderr, "Error establishing SSL connection\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& -\& if(BIO_do_handshake(sbio) <= 0) { -\& fprintf(stderr, "Error establishing SSL connection\en"); -\& ERR_print_errors_fp(stderr); -\& /* whatever ... */ -\& } -\& -\& /* Could examine ssl here to get connection info */ +\& /* XXX Could examine ssl here to get connection info */ \& \& BIO_puts(sbio, "GET / HTTP/1.0\en\en"); -\& for(;;) { -\& len = BIO_read(sbio, tmpbuf, 1024); -\& if(len <= 0) break; -\& BIO_write(out, tmpbuf, len); +\& for (;;) { +\& len = BIO_read(sbio, tmpbuf, 1024); +\& if (len <= 0) +\& break; +\& BIO_write(out, tmpbuf, len); \& } \& BIO_free_all(sbio); \& BIO_free(out); @@ -339,116 +325,107 @@ a client and also echoes the request to standard output. \& SSL_CTX *ctx; \& SSL *ssl; \& -\& ERR_load_crypto_strings(); -\& ERR_load_SSL_strings(); -\& OpenSSL_add_all_algorithms(); +\& /* XXX Seed the PRNG if needed. */ \& -\& /* Might seed PRNG here */ -\& -\& ctx = SSL_CTX_new(SSLv23_server_method()); -\& -\& if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM) -\& || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM) -\& || !SSL_CTX_check_private_key(ctx)) { -\& -\& fprintf(stderr, "Error setting up SSL_CTX\en"); -\& ERR_print_errors_fp(stderr); -\& return 0; +\& ctx = SSL_CTX_new(TLS_server_method()); +\& if (!SSL_CTX_use_certificate_file(ctx, "server.pem", SSL_FILETYPE_PEM) +\& || !SSL_CTX_use_PrivateKey_file(ctx, "server.pem", SSL_FILETYPE_PEM) +\& || !SSL_CTX_check_private_key(ctx)) { +\& fprintf(stderr, "Error setting up SSL_CTX\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& -\& /* Might do other things here like setting verify locations and -\& * DH and/or RSA temporary key callbacks -\& */ +\& /* XXX Other things like set verify locations, EDH temp callbacks. */ \& \& /* New SSL BIO setup as server */ -\& sbio=BIO_new_ssl(ctx,0); -\& +\& sbio = BIO_new_ssl(ctx, 0); \& BIO_get_ssl(sbio, &ssl); -\& -\& if(!ssl) { -\& fprintf(stderr, "Can\*(Aqt locate SSL pointer\en"); -\& /* whatever ... */ +\& if (ssl == NULL) { +\& fprintf(stderr, "Can\*(Aqt locate SSL pointer\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& -\& /* Don\*(Aqt want any retries */ \& SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); -\& -\& /* Create the buffering BIO */ -\& \& bbio = BIO_new(BIO_f_buffer()); -\& -\& /* Add to chain */ \& sbio = BIO_push(bbio, sbio); +\& acpt = BIO_new_accept("4433"); \& -\& acpt=BIO_new_accept("4433"); -\& -\& /* By doing this when a new connection is established +\& /* +\& * By doing this when a new connection is established \& * we automatically have sbio inserted into it. The \& * BIO chain is now \*(Aqswallowed\*(Aq by the accept BIO and -\& * will be freed when the accept BIO is freed. +\& * will be freed when the accept BIO is freed. \& */ -\& -\& BIO_set_accept_bios(acpt,sbio); -\& +\& BIO_set_accept_bios(acpt, sbio); \& out = BIO_new_fp(stdout, BIO_NOCLOSE); \& \& /* Setup accept BIO */ -\& if(BIO_do_accept(acpt) <= 0) { -\& fprintf(stderr, "Error setting up accept BIO\en"); -\& ERR_print_errors_fp(stderr); -\& return 0; +\& if (BIO_do_accept(acpt) <= 0) { +\& fprintf(stderr, "Error setting up accept BIO\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& -\& /* Now wait for incoming connection */ -\& if(BIO_do_accept(acpt) <= 0) { -\& fprintf(stderr, "Error in connection\en"); -\& ERR_print_errors_fp(stderr); -\& return 0; -\& } -\& -\& /* We only want one connection so remove and free -\& * accept BIO -\& */ -\& +\& /* We only want one connection so remove and free accept BIO */ \& sbio = BIO_pop(acpt); -\& \& BIO_free_all(acpt); \& -\& if(BIO_do_handshake(sbio) <= 0) { -\& fprintf(stderr, "Error in SSL handshake\en"); -\& ERR_print_errors_fp(stderr); -\& return 0; +\& if (BIO_do_handshake(sbio) <= 0) { +\& fprintf(stderr, "Error in SSL handshake\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& \& BIO_puts(sbio, "HTTP/1.0 200 OK\er\enContent\-type: text/plain\er\en\er\en"); \& BIO_puts(sbio, "\er\enConnection Established\er\enRequest headers:\er\en"); \& BIO_puts(sbio, "\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\er\en"); \& -\& for(;;) { -\& len = BIO_gets(sbio, tmpbuf, 1024); -\& if(len <= 0) break; -\& BIO_write(sbio, tmpbuf, len); -\& BIO_write(out, tmpbuf, len); -\& /* Look for blank line signifying end of headers*/ -\& if((tmpbuf[0] == \*(Aq\er\*(Aq) || (tmpbuf[0] == \*(Aq\en\*(Aq)) break; +\& for (;;) { +\& len = BIO_gets(sbio, tmpbuf, 1024); +\& if (len <= 0) +\& break; +\& BIO_write(sbio, tmpbuf, len); +\& BIO_write(out, tmpbuf, len); +\& /* Look for blank line signifying end of headers*/ +\& if (tmpbuf[0] == \*(Aq\er\*(Aq || tmpbuf[0] == \*(Aq\en\*(Aq) +\& break; \& } \& \& BIO_puts(sbio, "\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\er\en"); \& BIO_puts(sbio, "\er\en"); -\& -\& /* Since there is a buffering BIO present we had better flush it */ \& BIO_flush(sbio); -\& \& BIO_free_all(sbio); .Ve -.SH "BUGS" -.IX Header "BUGS" -In OpenSSL versions before 1.0.0 the \fIBIO_pop()\fR call was handled incorrectly, +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_f_ssl()\fR returns the \s-1SSL\s0 \fB\s-1BIO_METHOD\s0\fR structure. +.PP +\&\fIBIO_set_ssl()\fR, \fIBIO_get_ssl()\fR, \fIBIO_set_ssl_mode()\fR, \fIBIO_set_ssl_renegotiate_bytes()\fR, +\&\fIBIO_set_ssl_renegotiate_timeout()\fR and \fIBIO_get_num_renegotiates()\fR return 1 on +success or a value which is less than or equal to 0 if an error occurred. +.PP +\&\fIBIO_new_ssl()\fR, \fIBIO_new_ssl_connect()\fR and \fIBIO_new_buffer_ssl_connect()\fR return +a valid \fB\s-1BIO\s0\fR structure on success or \fB\s-1NULL\s0\fR if an error occurred. +.PP +\&\fIBIO_ssl_copy_session_id()\fR returns 1 on success or 0 on error. +.PP +\&\fIBIO_do_handshake()\fR returns 1 if the connection was established successfully. +A zero or negative value is returned if the connection could not be established. +.SH "HISTORY" +.IX Header "HISTORY" +In OpenSSL before 1.0.0 the \fIBIO_pop()\fR call was handled incorrectly, the I/O \s-1BIO\s0 reference count was incorrectly incremented (instead of decremented) and dissociated with the \s-1SSL BIO\s0 even if the \s-1SSL BIO\s0 was not explicitly being popped (e.g. a pop higher up the chain). Applications which included workarounds for this bug (e.g. freeing BIOs more than once) should be modified to handle this fix or they may free up an already freed \s-1BIO.\s0 -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_find_type.3 b/secure/lib/libcrypto/man/BIO_find_type.3 index 1b732e5858e0..20e5092079e9 100644 --- a/secure/lib/libcrypto/man/BIO_find_type.3 +++ b/secure/lib/libcrypto/man/BIO_find_type.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_find_type 3" -.TH BIO_find_type 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_FIND_TYPE 3" +.TH BIO_FIND_TYPE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,46 +141,23 @@ BIO_find_type, BIO_next, BIO_method_type \- BIO chain traversal .Vb 1 \& #include \& -\& BIO * BIO_find_type(BIO *b,int bio_type); -\& BIO * BIO_next(BIO *b); -\& -\& #define BIO_method_type(b) ((b)\->method\->type) -\& -\& #define BIO_TYPE_NONE 0 -\& #define BIO_TYPE_MEM (1|0x0400) -\& #define BIO_TYPE_FILE (2|0x0400) -\& -\& #define BIO_TYPE_FD (4|0x0400|0x0100) -\& #define BIO_TYPE_SOCKET (5|0x0400|0x0100) -\& #define BIO_TYPE_NULL (6|0x0400) -\& #define BIO_TYPE_SSL (7|0x0200) -\& #define BIO_TYPE_MD (8|0x0200) -\& #define BIO_TYPE_BUFFER (9|0x0200) -\& #define BIO_TYPE_CIPHER (10|0x0200) -\& #define BIO_TYPE_BASE64 (11|0x0200) -\& #define BIO_TYPE_CONNECT (12|0x0400|0x0100) -\& #define BIO_TYPE_ACCEPT (13|0x0400|0x0100) -\& #define BIO_TYPE_PROXY_CLIENT (14|0x0200) -\& #define BIO_TYPE_PROXY_SERVER (15|0x0200) -\& #define BIO_TYPE_NBIO_TEST (16|0x0200) -\& #define BIO_TYPE_NULL_FILTER (17|0x0200) -\& #define BIO_TYPE_BER (18|0x0200) -\& #define BIO_TYPE_BIO (19|0x0400) -\& -\& #define BIO_TYPE_DESCRIPTOR 0x0100 -\& #define BIO_TYPE_FILTER 0x0200 -\& #define BIO_TYPE_SOURCE_SINK 0x0400 +\& BIO *BIO_find_type(BIO *b, int bio_type); +\& BIO *BIO_next(BIO *b); +\& int BIO_method_type(const BIO *b); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fIBIO_find_type()\fR searches for a \s-1BIO\s0 of a given type in a chain, starting -at \s-1BIO\s0 \fBb\fR. If \fBtype\fR is a specific type (such as \s-1BIO_TYPE_MEM\s0) then a search +at \s-1BIO\s0 \fBb\fR. If \fBtype\fR is a specific type (such as \fB\s-1BIO_TYPE_MEM\s0\fR) then a search is made for a \s-1BIO\s0 of that type. If \fBtype\fR is a general type (such as \&\fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR) then the next matching \s-1BIO\s0 of the given general type is searched for. \fIBIO_find_type()\fR returns the next matching \s-1BIO\s0 or \s-1NULL\s0 if none is found. .PP -Note: not all the \fBBIO_TYPE_*\fR types above have corresponding \s-1BIO\s0 implementations. +The following general types are defined: +\&\fB\s-1BIO_TYPE_DESCRIPTOR\s0\fR, \fB\s-1BIO_TYPE_FILTER\s0\fR, and \fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR. +.PP +For a list of the specific types, see the \fBopenssl/bio.h\fR header file. .PP \&\fIBIO_next()\fR returns the next \s-1BIO\s0 in a chain. It can be used to traverse all BIOs in a chain or used in conjunction with \fIBIO_find_type()\fR to find all BIOs of a @@ -194,36 +171,29 @@ certain type. \&\fIBIO_next()\fR returns the next \s-1BIO\s0 in a chain. .PP \&\fIBIO_method_type()\fR returns the type of the \s-1BIO\s0 \fBb\fR. -.SH "NOTES" -.IX Header "NOTES" -\&\fIBIO_next()\fR was added to OpenSSL 0.9.6 to provide a 'clean' way to traverse a \s-1BIO\s0 -chain or find multiple matches using \fIBIO_find_type()\fR. Previous versions had to -use: -.PP -.Vb 1 -\& next = bio\->next_bio; -.Ve -.SH "BUGS" -.IX Header "BUGS" -\&\fIBIO_find_type()\fR in OpenSSL 0.9.5a and earlier could not be safely passed a -\&\s-1NULL\s0 pointer for the \fBb\fR argument. .SH "EXAMPLE" .IX Header "EXAMPLE" Traverse a chain looking for digest BIOs: .PP -.Vb 2 +.Vb 1 \& BIO *btmp; +\& \& btmp = in_bio; /* in_bio is chain to search through */ -\& \& do { -\& btmp = BIO_find_type(btmp, BIO_TYPE_MD); -\& if(btmp == NULL) break; /* Not found */ -\& /* btmp is a digest BIO, do something with it ...*/ -\& ... +\& btmp = BIO_find_type(btmp, BIO_TYPE_MD); +\& if (btmp == NULL) +\& break; /* Not found */ +\& /* btmp is a digest BIO, do something with it ...*/ +\& ... \& -\& btmp = BIO_next(btmp); -\& } while(btmp); +\& btmp = BIO_next(btmp); +\& } while (btmp); .Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_get_data.3 b/secure/lib/libcrypto/man/BIO_get_data.3 new file mode 100644 index 000000000000..406720865988 --- /dev/null +++ b/secure/lib/libcrypto/man/BIO_get_data.3 @@ -0,0 +1,191 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "BIO_GET_DATA 3" +.TH BIO_GET_DATA 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +BIO_set_data, BIO_get_data, BIO_set_init, BIO_get_init, BIO_set_shutdown, BIO_get_shutdown \- functions for managing BIO state information +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void BIO_set_data(BIO *a, void *ptr); +\& void *BIO_get_data(BIO *a); +\& void BIO_set_init(BIO *a, int init); +\& int BIO_get_init(BIO *a); +\& void BIO_set_shutdown(BIO *a, int shut); +\& int BIO_get_shutdown(BIO *a); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions are mainly useful when implementing a custom \s-1BIO.\s0 +.PP +The \fIBIO_set_data()\fR function associates the custom data pointed to by \fBptr\fR with +the \s-1BIO.\s0 This data can subsequently be retrieved via a call to \fIBIO_get_data()\fR. +This can be used by custom BIOs for storing implementation specific information. +.PP +The \fIBIO_set_init()\fR function sets the value of the \s-1BIO\s0's \*(L"init\*(R" flag to indicate +whether initialisation has been completed for this \s-1BIO\s0 or not. A non-zero value +indicates that initialisation is complete, whilst zero indicates that it is not. +Often initialisation will complete during initial construction of the \s-1BIO.\s0 For +some BIOs however, initialisation may not complete until after additional steps +have occurred (for example through calling custom ctrls). The \fIBIO_get_init()\fR +function returns the value of the \*(L"init\*(R" flag. +.PP +The \fIBIO_set_shutdown()\fR and \fIBIO_get_shutdown()\fR functions set and get the state of +this \s-1BIO\s0's shutdown (i.e. \s-1BIO_CLOSE\s0) flag. If set then the underlying resource +is also closed when the \s-1BIO\s0 is freed. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_get_data()\fR returns a pointer to the implementation specific custom data +associated with this \s-1BIO,\s0 or \s-1NULL\s0 if none has been set. +.PP +\&\fIBIO_get_init()\fR returns the state of the \s-1BIO\s0's init flag. +.PP +\&\fIBIO_get_shutdown()\fR returns the stat of the \s-1BIO\s0's shutdown (i.e. \s-1BIO_CLOSE\s0) flag. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +bio, BIO_meth_new +.SH "HISTORY" +.IX Header "HISTORY" +The functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_get_ex_new_index.3 b/secure/lib/libcrypto/man/BIO_get_ex_new_index.3 new file mode 100644 index 000000000000..382a809a05f7 --- /dev/null +++ b/secure/lib/libcrypto/man/BIO_get_ex_new_index.3 @@ -0,0 +1,187 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "BIO_GET_EX_NEW_INDEX 3" +.TH BIO_GET_EX_NEW_INDEX 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +BIO_get_ex_new_index, BIO_set_ex_data, BIO_get_ex_data, ENGINE_get_ex_new_index, ENGINE_set_ex_data, ENGINE_get_ex_data, UI_get_ex_new_index, UI_set_ex_data, UI_get_ex_data, X509_get_ex_new_index, X509_set_ex_data, X509_get_ex_data, X509_STORE_get_ex_new_index, X509_STORE_set_ex_data, X509_STORE_get_ex_data, X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_ex_data, DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data, DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data, ECDH_get_ex_new_index, ECDH_set_ex_data, ECDH_get_ex_data, EC_KEY_get_ex_new_index, EC_KEY_set_ex_data, EC_KEY_get_ex_data, RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data \&\- application\-specific data +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int TYPE_get_ex_new_index(long argl, void *argp, +\& CRYPTO_EX_new *new_func, +\& CRYPTO_EX_dup *dup_func, +\& CRYPTO_EX_free *free_func); +\& +\& int TYPE_set_ex_data(TYPE *d, int idx, void *arg); +\& +\& void *TYPE_get_ex_data(TYPE *d, int idx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +In the description here, \fI\s-1TYPE\s0\fR is used a placeholder +for any of the OpenSSL datatypes listed in +\&\fICRYPTO_get_ex_new_index\fR\|(3). +.PP +These functions handle application-specific data for OpenSSL data +structures. +.PP +\&\fITYPE_get_new_ex_index()\fR is a macro that calls \fICRYPTO_get_ex_new_index()\fR +with the correct \fBindex\fR value. +.PP +\&\fITYPE_set_ex_data()\fR is a function that calls \fICRYPTO_set_ex_data()\fR with +an offset into the opaque exdata part of the \s-1TYPE\s0 object. +.PP +\&\fITYPE_get_ex_data()\fR is a function that calls \fICRYPTO_get_ex_data()\fR with +an offset into the opaque exdata part of the \s-1TYPE\s0 object. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fITYPE_get_new_ex_index()\fR returns a new index on success or \-1 on error. +.PP +\&\fITYPE_set_ex_data()\fR returns 1 on success or 0 on error. +.PP +\&\fITYPE_get_ex_data()\fR returns the application data or \s-1NULL\s0 if an error occurred. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fICRYPTO_get_ex_new_index\fR\|(3). +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_meth_new.3 b/secure/lib/libcrypto/man/BIO_meth_new.3 new file mode 100644 index 000000000000..04f5328dfe20 --- /dev/null +++ b/secure/lib/libcrypto/man/BIO_meth_new.3 @@ -0,0 +1,284 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "BIO_METH_NEW 3" +.TH BIO_METH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +BIO_get_new_index, BIO_meth_new, BIO_meth_free, BIO_meth_get_read_ex, BIO_meth_set_read_ex, BIO_meth_get_write_ex, BIO_meth_set_write_ex, BIO_meth_get_write, BIO_meth_set_write, BIO_meth_get_read, BIO_meth_set_read, BIO_meth_get_puts, BIO_meth_set_puts, BIO_meth_get_gets, BIO_meth_set_gets, BIO_meth_get_ctrl, BIO_meth_set_ctrl, BIO_meth_get_create, BIO_meth_set_create, BIO_meth_get_destroy, BIO_meth_set_destroy, BIO_meth_get_callback_ctrl, BIO_meth_set_callback_ctrl \- Routines to build up BIO methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int BIO_get_new_index(void); +\& +\& BIO_METHOD *BIO_meth_new(int type, const char *name); +\& +\& void BIO_meth_free(BIO_METHOD *biom); +\& +\& int (*BIO_meth_get_write_ex(const BIO_METHOD *biom))(BIO *, const char *, size_t, +\& size_t *); +\& int (*BIO_meth_get_write(const BIO_METHOD *biom))(BIO *, const char *, int); +\& int BIO_meth_set_write_ex(BIO_METHOD *biom, +\& int (*bwrite)(BIO *, const char *, size_t, size_t *)); +\& int BIO_meth_set_write(BIO_METHOD *biom, +\& int (*write)(BIO *, const char *, int)); +\& +\& int (*BIO_meth_get_read_ex(const BIO_METHOD *biom))(BIO *, char *, size_t, size_t *); +\& int (*BIO_meth_get_read(const BIO_METHOD *biom))(BIO *, char *, int); +\& int BIO_meth_set_read_ex(BIO_METHOD *biom, +\& int (*bread)(BIO *, char *, size_t, size_t *)); +\& int BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int)); +\& +\& int (*BIO_meth_get_puts(const BIO_METHOD *biom))(BIO *, const char *); +\& int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *)); +\& +\& int (*BIO_meth_get_gets(const BIO_METHOD *biom))(BIO *, char *, int); +\& int BIO_meth_set_gets(BIO_METHOD *biom, +\& int (*gets)(BIO *, char *, int)); +\& +\& long (*BIO_meth_get_ctrl(const BIO_METHOD *biom))(BIO *, int, long, void *); +\& int BIO_meth_set_ctrl(BIO_METHOD *biom, +\& long (*ctrl)(BIO *, int, long, void *)); +\& +\& int (*BIO_meth_get_create(const BIO_METHOD *bion))(BIO *); +\& int BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *)); +\& +\& int (*BIO_meth_get_destroy(const BIO_METHOD *biom))(BIO *); +\& int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *)); +\& +\& long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))(BIO *, int, BIO_info_cb *); +\& int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, +\& long (*callback_ctrl)(BIO *, int, BIO_info_cb *)); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1BIO_METHOD\s0\fR type is a structure used for the implementation of new \s-1BIO\s0 +types. It provides a set of functions used by OpenSSL for the implementation +of the various \s-1BIO\s0 capabilities. See the bio page for more information. +.PP +\&\fIBIO_meth_new()\fR creates a new \fB\s-1BIO_METHOD\s0\fR structure. It should be given a +unique integer \fBtype\fR and a string that represents its \fBname\fR. +Use \fIBIO_get_new_index()\fR to get the value for \fBtype\fR. +.PP +The set of +standard OpenSSL provided \s-1BIO\s0 types is provided in \fBbio.h\fR. Some examples +include \fB\s-1BIO_TYPE_BUFFER\s0\fR and \fB\s-1BIO_TYPE_CIPHER\s0\fR. Filter BIOs should have a +type which have the \*(L"filter\*(R" bit set (\fB\s-1BIO_TYPE_FILTER\s0\fR). Source/sink BIOs +should have the \*(L"source/sink\*(R" bit set (\fB\s-1BIO_TYPE_SOURCE_SINK\s0\fR). File descriptor +based BIOs (e.g. socket, fd, connect, accept etc) should additionally have the +\&\*(L"descriptor\*(R" bit set (\fB\s-1BIO_TYPE_DESCRIPTOR\s0\fR). See the BIO_find_type page for +more information. +.PP +\&\fIBIO_meth_free()\fR destroys a \fB\s-1BIO_METHOD\s0\fR structure and frees up any memory +associated with it. +.PP +\&\fIBIO_meth_get_write_ex()\fR and \fIBIO_meth_set_write_ex()\fR get and set the function +used for writing arbitrary length data to the \s-1BIO\s0 respectively. This function +will be called in response to the application calling \fIBIO_write_ex()\fR or +\&\fIBIO_write()\fR. The parameters for the function have the same meaning as for +\&\fIBIO_write_ex()\fR. Older code may call \fIBIO_meth_get_write()\fR and +\&\fIBIO_meth_set_write()\fR instead. Applications should not call both +\&\fIBIO_meth_set_write_ex()\fR and \fIBIO_meth_set_write()\fR or call \fIBIO_meth_get_write()\fR +when the function was set with \fIBIO_meth_set_write_ex()\fR. +.PP +\&\fIBIO_meth_get_read_ex()\fR and \fIBIO_meth_set_read_ex()\fR get and set the function used +for reading arbitrary length data from the \s-1BIO\s0 respectively. This function will +be called in response to the application calling \fIBIO_read_ex()\fR or \fIBIO_read()\fR. +The parameters for the function have the same meaning as for \fIBIO_read_ex()\fR. +Older code may call \fIBIO_meth_get_read()\fR and \fIBIO_meth_set_read()\fR instead. +Applications should not call both \fIBIO_meth_set_read_ex()\fR and \fIBIO_meth_set_read()\fR +or call \fIBIO_meth_get_read()\fR when the function was set with +\&\fIBIO_meth_set_read_ex()\fR. +.PP +\&\fIBIO_meth_get_puts()\fR and \fIBIO_meth_set_puts()\fR get and set the function used for +writing a \s-1NULL\s0 terminated string to the \s-1BIO\s0 respectively. This function will be +called in response to the application calling \fIBIO_puts()\fR. The parameters for +the function have the same meaning as for \fIBIO_puts()\fR. +.PP +\&\fIBIO_meth_get_gets()\fR and \fIBIO_meth_set_gets()\fR get and set the function typically +used for reading a line of data from the \s-1BIO\s0 respectively (see the \fIBIO_gets\fR\|(3) +page for more information). This function will be called in response to the +application calling \fIBIO_gets()\fR. The parameters for the function have the same +meaning as for \fIBIO_gets()\fR. +.PP +\&\fIBIO_meth_get_ctrl()\fR and \fIBIO_meth_set_ctrl()\fR get and set the function used for +processing ctrl messages in the \s-1BIO\s0 respectively. See the BIO_ctrl page for +more information. This function will be called in response to the application +calling \fIBIO_ctrl()\fR. The parameters for the function have the same meaning as for +\&\fIBIO_ctrl()\fR. +.PP +\&\fIBIO_meth_get_create()\fR and \fIBIO_meth_set_create()\fR get and set the function used +for creating a new instance of the \s-1BIO\s0 respectively. This function will be +called in response to the application calling \fIBIO_new()\fR and passing +in a pointer to the current \s-1BIO_METHOD.\s0 The \fIBIO_new()\fR function will allocate the +memory for the new \s-1BIO,\s0 and a pointer to this newly allocated structure will +be passed as a parameter to the function. +.PP +\&\fIBIO_meth_get_destroy()\fR and \fIBIO_meth_set_destroy()\fR get and set the function used +for destroying an instance of a \s-1BIO\s0 respectively. This function will be +called in response to the application calling \fIBIO_free()\fR. A pointer to the \s-1BIO\s0 +to be destroyed is passed as a parameter. The destroy function should be used +for \s-1BIO\s0 specific clean up. The memory for the \s-1BIO\s0 itself should not be freed by +this function. +.PP +\&\fIBIO_meth_get_callback_ctrl()\fR and \fIBIO_meth_set_callback_ctrl()\fR get and set the +function used for processing callback ctrl messages in the \s-1BIO\s0 respectively. See +the \fIBIO_callback_ctrl\fR\|(3) page for more information. This function will be called +in response to the application calling \fIBIO_callback_ctrl()\fR. The parameters for +the function have the same meaning as for \fIBIO_callback_ctrl()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_get_new_index()\fR returns the new \s-1BIO\s0 type value or \-1 if an error occurred. +.PP +BIO_meth_new(int type, const char *name) returns a valid \fB\s-1BIO_METHOD\s0\fR or \s-1NULL\s0 +if an error occurred. +.PP +The \fBBIO_meth_set\fR functions return 1 on success or 0 on error. +.PP +The \fBBIO_meth_get\fR functions return the corresponding function pointers. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +bio, BIO_find_type, BIO_ctrl, BIO_read_ex, BIO_new +.SH "HISTORY" +.IX Header "HISTORY" +The functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_new.3 b/secure/lib/libcrypto/man/BIO_new.3 index c45e27d26f2a..349814e78bc1 100644 --- a/secure/lib/libcrypto/man/BIO_new.3 +++ b/secure/lib/libcrypto/man/BIO_new.3 @@ -128,21 +128,21 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_new 3" -.TH BIO_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_NEW 3" +.TH BIO_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_new, BIO_set, BIO_free, BIO_vfree, BIO_free_all \- BIO allocation and freeing functions +BIO_new, BIO_up_ref, BIO_free, BIO_vfree, BIO_free_all \&\- BIO allocation and freeing functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& BIO * BIO_new(BIO_METHOD *type); -\& int BIO_set(BIO *a,BIO_METHOD *type); +\& BIO * BIO_new(const BIO_METHOD *type); +\& int BIO_up_ref(BIO *a); \& int BIO_free(BIO *a); \& void BIO_vfree(BIO *a); \& void BIO_free_all(BIO *a); @@ -151,39 +151,36 @@ BIO_new, BIO_set, BIO_free, BIO_vfree, BIO_free_all \- BIO allocation and freein .IX Header "DESCRIPTION" The \fIBIO_new()\fR function returns a new \s-1BIO\s0 using method \fBtype\fR. .PP -\&\fIBIO_set()\fR sets the method of an already existing \s-1BIO.\s0 +\&\fIBIO_up_ref()\fR increments the reference count associated with the \s-1BIO\s0 object. .PP \&\fIBIO_free()\fR frees up a single \s-1BIO,\s0 \fIBIO_vfree()\fR also frees up a single \s-1BIO\s0 -but it does not return a value. Calling \fIBIO_free()\fR may also have some effect +but it does not return a value. +If \fBa\fR is \s-1NULL\s0 nothing is done. +Calling \fIBIO_free()\fR may also have some effect on the underlying I/O structure, for example it may close the file being referred to under certain circumstances. For more details see the individual \&\s-1BIO_METHOD\s0 descriptions. .PP \&\fIBIO_free_all()\fR frees up an entire \s-1BIO\s0 chain, it does not halt if an error occurs freeing up an individual \s-1BIO\s0 in the chain. +If \fBa\fR is \s-1NULL\s0 nothing is done. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBIO_new()\fR returns a newly created \s-1BIO\s0 or \s-1NULL\s0 if the call fails. .PP -\&\fIBIO_set()\fR, \fIBIO_free()\fR return 1 for success and 0 for failure. +\&\fIBIO_up_ref()\fR and \fIBIO_free()\fR return 1 for success and 0 for failure. .PP \&\fIBIO_free_all()\fR and \fIBIO_vfree()\fR do not return values. .SH "NOTES" .IX Header "NOTES" -Some BIOs (such as memory BIOs) can be used immediately after calling -\&\fIBIO_new()\fR. Others (such as file BIOs) need some additional initialization, -and frequently a utility function exists to create and initialize such BIOs. -.PP If \fIBIO_free()\fR is called on a \s-1BIO\s0 chain it will only free one \s-1BIO\s0 resulting in a memory leak. .PP -Calling \fIBIO_free_all()\fR a single \s-1BIO\s0 has the same effect as calling \fIBIO_free()\fR +Calling \fIBIO_free_all()\fR on a single \s-1BIO\s0 has the same effect as calling \fIBIO_free()\fR on it other than the discarded return value. -.PP -Normally the \fBtype\fR argument is supplied by a function which returns a -pointer to a \s-1BIO_METHOD.\s0 There is a naming convention for such functions: -a source/sink \s-1BIO\s0 is normally called BIO_s_*() and a filter \s-1BIO\s0 -BIO_f_*(); +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIBIO_set()\fR was removed in OpenSSL 1.1.0 as \s-1BIO\s0 type is now opaque. .SH "EXAMPLE" .IX Header "EXAMPLE" Create a memory \s-1BIO:\s0 @@ -191,6 +188,11 @@ Create a memory \s-1BIO:\s0 .Vb 1 \& BIO *mem = BIO_new(BIO_s_mem()); .Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_new_CMS.3 b/secure/lib/libcrypto/man/BIO_new_CMS.3 index 06bab9601782..9dd871a24ea4 100644 --- a/secure/lib/libcrypto/man/BIO_new_CMS.3 +++ b/secure/lib/libcrypto/man/BIO_new_CMS.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_new_CMS 3" -.TH BIO_new_CMS 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_NEW_CMS 3" +.TH BIO_NEW_CMS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& BIO_new_CMS \- CMS streaming filter BIO -.Ve +BIO_new_CMS \- CMS streaming filter BIO .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -192,3 +190,11 @@ occurred. The error can be obtained from \fIERR_get_error\fR\|(3). .SH "HISTORY" .IX Header "HISTORY" \&\fIBIO_new_CMS()\fR was added to OpenSSL 1.0.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_parse_hostserv.3 b/secure/lib/libcrypto/man/BIO_parse_hostserv.3 new file mode 100644 index 000000000000..a90e96f3bbe0 --- /dev/null +++ b/secure/lib/libcrypto/man/BIO_parse_hostserv.3 @@ -0,0 +1,208 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "BIO_PARSE_HOSTSERV 3" +.TH BIO_PARSE_HOSTSERV 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +BIO_hostserv_priorities, BIO_parse_hostserv \&\- utility routines to parse a standard host and service string +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& enum BIO_hostserv_priorities { +\& BIO_PARSE_PRIO_HOST, BIO_PARSE_PRIO_SERV +\& }; +\& int BIO_parse_hostserv(const char *hostserv, char **host, char **service, +\& enum BIO_hostserv_priorities hostserv_prio); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIBIO_parse_hostserv()\fR will parse the information given in \fBhostserv\fR, +create strings with the host name and service name and give those +back via \fBhost\fR and \fBservice\fR. Those will need to be freed after +they are used. \fBhostserv_prio\fR helps determine if \fBhostserv\fR shall +be interpreted primarily as a host name or a service name in ambiguous +cases. +.PP +The syntax the \fIBIO_parse_hostserv()\fR recognises is: +.PP +.Vb 7 +\& host + \*(Aq:\*(Aq + service +\& host + \*(Aq:\*(Aq + \*(Aq*\*(Aq +\& host + \*(Aq:\*(Aq +\& \*(Aq:\*(Aq + service +\& \*(Aq*\*(Aq + \*(Aq:\*(Aq + service +\& host +\& service +.Ve +.PP +The host part can be a name or an \s-1IP\s0 address. If it's a IPv6 +address, it \s-1MUST\s0 be enclosed in brackets, such as '[::1]'. +.PP +The service part can be a service name or its port number. +.PP +The returned values will depend on the given \fBhostserv\fR string +and \fBhostserv_prio\fR, as follows: +.PP +.Vb 5 +\& host + \*(Aq:\*(Aq + service => *host = "host", *service = "service" +\& host + \*(Aq:\*(Aq + \*(Aq*\*(Aq => *host = "host", *service = NULL +\& host + \*(Aq:\*(Aq => *host = "host", *service = NULL +\& \*(Aq:\*(Aq + service => *host = NULL, *service = "service" +\& \*(Aq*\*(Aq + \*(Aq:\*(Aq + service => *host = NULL, *service = "service" +\& +\& in case no \*(Aq:\*(Aq is present in the string, the result depends on +\& hostserv_prio, as follows: +\& +\& when hostserv_prio == BIO_PARSE_PRIO_HOST +\& host => *host = "host", *service untouched +\& +\& when hostserv_prio == BIO_PARSE_PRIO_SERV +\& service => *host untouched, *service = "service" +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_parse_hostserv()\fR returns 1 on success or 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\s-1\fIBIO_ADDRINFO\s0\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_printf.3 b/secure/lib/libcrypto/man/BIO_printf.3 new file mode 100644 index 000000000000..07a41d73ad75 --- /dev/null +++ b/secure/lib/libcrypto/man/BIO_printf.3 @@ -0,0 +1,178 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "BIO_PRINTF 3" +.TH BIO_PRINTF 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +BIO_printf, BIO_vprintf, BIO_snprintf, BIO_vsnprintf \&\- formatted output to a BIO +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int BIO_printf(BIO *bio, const char *format, ...) +\& int BIO_vprintf(BIO *bio, const char *format, va_list args) +\& +\& int BIO_snprintf(char *buf, size_t n, const char *format, ...) +\& int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIBIO_printf()\fR is similar to the standard C \fIprintf()\fR function, except that +the output is sent to the specified \s-1BIO,\s0 \fBbio\fR, rather than standard +output. All common format specifiers are supported. +.PP +\&\fIBIO_vprintf()\fR is similar to the \fIvprintf()\fR function found on many platforms, +the output is sent to the specified \s-1BIO,\s0 \fBbio\fR, rather than standard +output. All common format specifiers are supported. The argument +list \fBargs\fR is a stdarg argument list. +.PP +\&\fIBIO_snprintf()\fR is for platforms that do not have the common \fIsnprintf()\fR +function. It is like \fIsprintf()\fR except that the size parameter, \fBn\fR, +specifies the size of the output buffer. +.PP +\&\fIBIO_vsnprintf()\fR is to \fIBIO_snprintf()\fR as \fIBIO_vprintf()\fR is to \fIBIO_printf()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All functions return the number of bytes written, or \-1 on error. +For \fIBIO_snprintf()\fR and \fIBIO_vsnprintf()\fR this includes when the output +buffer is too small. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_push.3 b/secure/lib/libcrypto/man/BIO_push.3 index a866109054a1..fa927ad7ad54 100644 --- a/secure/lib/libcrypto/man/BIO_push.3 +++ b/secure/lib/libcrypto/man/BIO_push.3 @@ -128,21 +128,22 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_push 3" -.TH BIO_push 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_PUSH 3" +.TH BIO_PUSH 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_push, BIO_pop \- add and remove BIOs from a chain. +BIO_push, BIO_pop, BIO_set_next \- add and remove BIOs from a chain .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& BIO * BIO_push(BIO *b,BIO *append); -\& BIO * BIO_pop(BIO *b); +\& BIO *BIO_push(BIO *b, BIO *append); +\& BIO *BIO_pop(BIO *b); +\& void BIO_set_next(BIO *b, BIO *next); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -153,6 +154,10 @@ The \fIBIO_push()\fR function appends the \s-1BIO\s0 \fBappend\fR to \fBb\fR, it in the chain, or \s-1NULL\s0 if there is no next \s-1BIO.\s0 The removed \s-1BIO\s0 then becomes a single \s-1BIO\s0 with no association with the original chain, it can thus be freed or attached to a different chain. +.PP +\&\fIBIO_set_next()\fR replaces the existing next \s-1BIO\s0 in a chain with the \s-1BIO\s0 pointed to +by \fBnext\fR. The new chain may include some of the same BIOs from the old chain +or it may be completely different. .SH "NOTES" .IX Header "NOTES" The names of these functions are perhaps a little misleading. \fIBIO_push()\fR @@ -201,4 +206,15 @@ be written to \fBmd1\fR as before. \&\s-1BIO.\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\s-1TBA\s0 +bio +.SH "HISTORY" +.IX Header "HISTORY" +The \fIBIO_set_next()\fR function was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_read.3 b/secure/lib/libcrypto/man/BIO_read.3 index 90efdf3c0c8e..0f08129151f2 100644 --- a/secure/lib/libcrypto/man/BIO_read.3 +++ b/secure/lib/libcrypto/man/BIO_read.3 @@ -128,44 +128,60 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_read 3" -.TH BIO_read 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_READ 3" +.TH BIO_READ 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_read, BIO_write, BIO_gets, BIO_puts \- BIO I/O functions +BIO_read_ex, BIO_write_ex, BIO_read, BIO_write, BIO_gets, BIO_puts \&\- BIO I/O functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int BIO_read(BIO *b, void *buf, int len); -\& int BIO_gets(BIO *b, char *buf, int size); -\& int BIO_write(BIO *b, const void *buf, int len); -\& int BIO_puts(BIO *b, const char *buf); +\& int BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes); +\& int BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written); +\& +\& int BIO_read(BIO *b, void *data, int dlen); +\& int BIO_gets(BIO *b, char *buf, int size); +\& int BIO_write(BIO *b, const void *data, int dlen); +\& int BIO_puts(BIO *b, const char *buf); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" +\&\fIBIO_read_ex()\fR attempts to read \fBdlen\fR bytes from \s-1BIO\s0 \fBb\fR and places the data +in \fBdata\fR. If any bytes were successfully read then the number of bytes read is +stored in \fB*readbytes\fR. +.PP +\&\fIBIO_write_ex()\fR attempts to write \fBdlen\fR bytes from \fBdata\fR to \s-1BIO\s0 \fBb\fR. If +successful then the number of bytes written is stored in \fB*written\fR. +.PP \&\fIBIO_read()\fR attempts to read \fBlen\fR bytes from \s-1BIO\s0 \fBb\fR and places the data in \fBbuf\fR. .PP \&\fIBIO_gets()\fR performs the BIOs \*(L"gets\*(R" operation and places the data in \fBbuf\fR. Usually this operation will attempt to read a line of data -from the \s-1BIO\s0 of maximum length \fBlen\fR. There are exceptions to this -however, for example \fIBIO_gets()\fR on a digest \s-1BIO\s0 will calculate and +from the \s-1BIO\s0 of maximum length \fBsize\-1\fR. There are exceptions to this, +however; for example, \fIBIO_gets()\fR on a digest \s-1BIO\s0 will calculate and return the digest and other BIOs may not support \fIBIO_gets()\fR at all. +The returned string is always NUL-terminated and the '\en' is preserved +if present in the input data. .PP \&\fIBIO_write()\fR attempts to write \fBlen\fR bytes from \fBbuf\fR to \s-1BIO\s0 \fBb\fR. .PP -\&\fIBIO_puts()\fR attempts to write a null terminated string \fBbuf\fR to \s-1BIO\s0 \fBb\fR. +\&\fIBIO_puts()\fR attempts to write a NUL-terminated string \fBbuf\fR to \s-1BIO\s0 \fBb\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -All these functions return either the amount of data successfully read or +\&\fIBIO_read_ex()\fR and \fIBIO_write_ex()\fR return 1 if data was successfully read or +written, and 0 otherwise. +.PP +All other functions return either the amount of data successfully read or written (if the return value is positive) or that no data was successfully read or written if the result is 0 or \-1. If the return value is \-2 then -the operation is not implemented in the specific \s-1BIO\s0 type. +the operation is not implemented in the specific \s-1BIO\s0 type. The trailing +\&\s-1NUL\s0 is not included in the length returned by \fIBIO_gets()\fR. .SH "NOTES" .IX Header "NOTES" A 0 or \-1 return is not necessarily an indication of an error. In @@ -192,5 +208,15 @@ to the chain. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIBIO_should_retry\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIBIO_gets()\fR on 1.1.0 and older when called on \fIBIO_fd()\fR based \s-1BIO\s0 does not +keep the '\en' at the end of the line in the buffer. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\s-1TBA\s0 +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_s_accept.3 b/secure/lib/libcrypto/man/BIO_s_accept.3 index 3cc7f81b5eb8..0821758edc4f 100644 --- a/secure/lib/libcrypto/man/BIO_s_accept.3 +++ b/secure/lib/libcrypto/man/BIO_s_accept.3 @@ -128,24 +128,25 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_s_accept 3" -.TH BIO_s_accept 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_S_ACCEPT 3" +.TH BIO_S_ACCEPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_s_accept, BIO_set_accept_port, BIO_get_accept_port, BIO_new_accept, -BIO_set_nbio_accept, BIO_set_accept_bios, BIO_set_bind_mode, -BIO_get_bind_mode, BIO_do_accept \- accept BIO +BIO_s_accept, BIO_set_accept_name, BIO_set_accept_port, BIO_get_accept_name, BIO_get_accept_port, BIO_new_accept, BIO_set_nbio_accept, BIO_set_accept_bios, BIO_get_peer_name, BIO_get_peer_port, BIO_get_accept_ip_family, BIO_set_accept_ip_family, BIO_set_bind_mode, BIO_get_bind_mode, BIO_do_accept \- accept BIO .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& BIO_METHOD *BIO_s_accept(void); +\& const BIO_METHOD *BIO_s_accept(void); \& -\& long BIO_set_accept_port(BIO *b, char *name); +\& long BIO_set_accept_name(BIO *b, char *name); +\& char *BIO_get_accept_name(BIO *b); +\& +\& long BIO_set_accept_port(BIO *b, char *port); \& char *BIO_get_accept_port(BIO *b); \& \& BIO *BIO_new_accept(char *host_port); @@ -153,12 +154,13 @@ BIO_get_bind_mode, BIO_do_accept \- accept BIO \& long BIO_set_nbio_accept(BIO *b, int n); \& long BIO_set_accept_bios(BIO *b, char *bio); \& -\& long BIO_set_bind_mode(BIO *b, long mode); -\& long BIO_get_bind_mode(BIO *b, long dummy); +\& char *BIO_get_peer_name(BIO *b); +\& char *BIO_get_peer_port(BIO *b); +\& long BIO_get_accept_ip_family(BIO *b); +\& long BIO_set_accept_ip_family(BIO *b, long family); \& -\& #define BIO_BIND_NORMAL 0 -\& #define BIO_BIND_REUSEADDR_IF_UNUSED 1 -\& #define BIO_BIND_REUSEADDR 2 +\& long BIO_set_bind_mode(BIO *b, long mode); +\& long BIO_get_bind_mode(BIO *b); \& \& int BIO_do_accept(BIO *b); .Ve @@ -182,23 +184,30 @@ If the close flag is set on an accept \s-1BIO\s0 then any active connection on that chain is shutdown and the socket closed when the \s-1BIO\s0 is freed. .PP -Calling \fIBIO_reset()\fR on a accept \s-1BIO\s0 will close any active +Calling \fIBIO_reset()\fR on an accept \s-1BIO\s0 will close any active connection and reset the \s-1BIO\s0 into a state where it awaits another incoming connection. .PP \&\fIBIO_get_fd()\fR and \fIBIO_set_fd()\fR can be called to retrieve or set the accept socket. See \fIBIO_s_fd\fR\|(3) .PP -\&\fIBIO_set_accept_port()\fR uses the string \fBname\fR to set the accept -port. The port is represented as a string of the form \*(L"host:port\*(R", +\&\fIBIO_set_accept_name()\fR uses the string \fBname\fR to set the accept +name. The name is represented as a string of the form \*(L"host:port\*(R", where \*(L"host\*(R" is the interface to use and \*(L"port\*(R" is the port. -The host can be can be \*(L"*\*(R" which is interpreted as meaning -any interface; \*(L"port\*(R" has the same syntax -as the port specified in \fIBIO_set_conn_port()\fR for connect BIOs, -that is it can be a numerical port string or a string to lookup -using \fIgetservbyname()\fR and a string table. +The host can be \*(L"*\*(R" or empty which is interpreted as meaning +any interface. If the host is an IPv6 address, it has to be +enclosed in brackets, for example \*(L"[::1]:https\*(R". \*(L"port\*(R" has the +same syntax as the port specified in \fIBIO_set_conn_port()\fR for +connect BIOs, that is it can be a numerical port string or a +string to lookup using \fIgetservbyname()\fR and a string table. .PP -\&\fIBIO_new_accept()\fR combines \fIBIO_new()\fR and \fIBIO_set_accept_port()\fR into +\&\fIBIO_set_accept_port()\fR uses the string \fBport\fR to set the accept +port. \*(L"port\*(R" has the same syntax as the port specified in +\&\fIBIO_set_conn_port()\fR for connect BIOs, that is it can be a numerical +port string or a string to lookup using \fIgetservbyname()\fR and a string +table. +.PP +\&\fIBIO_new_accept()\fR combines \fIBIO_new()\fR and \fIBIO_set_accept_name()\fR into a single call: that is it creates a new accept \s-1BIO\s0 with port \&\fBhost_port\fR. .PP @@ -207,19 +216,19 @@ a single call: that is it creates a new accept \s-1BIO\s0 with port .PP \&\fIBIO_set_accept_bios()\fR can be used to set a chain of BIOs which will be duplicated and prepended to the chain when an incoming -connection is received. This is useful if, for example, a +connection is received. This is useful if, for example, a buffering or \s-1SSL BIO\s0 is required for each connection. The chain of BIOs must not be freed after this call, they will be automatically freed when the accept \s-1BIO\s0 is freed. .PP \&\fIBIO_set_bind_mode()\fR and \fIBIO_get_bind_mode()\fR set and retrieve -the current bind mode. If \s-1BIO_BIND_NORMAL\s0 (the default) is set +the current bind mode. If \fB\s-1BIO_BIND_NORMAL\s0\fR (the default) is set then another socket cannot be bound to the same port. If -\&\s-1BIO_BIND_REUSEADDR\s0 is set then other sockets can bind to the -same port. If \s-1BIO_BIND_REUSEADDR_IF_UNUSED\s0 is set then and +\&\fB\s-1BIO_BIND_REUSEADDR\s0\fR is set then other sockets can bind to the +same port. If \fB\s-1BIO_BIND_REUSEADDR_IF_UNUSED\s0\fR is set then and attempt is first made to use \s-1BIO_BIN_NORMAL,\s0 if this fails and the port is not in use then a second attempt is made -using \s-1BIO_BIND_REUSEADDR.\s0 +using \fB\s-1BIO_BIND_REUSEADDR\s0\fR. .PP \&\fIBIO_do_accept()\fR serves two functions. When it is first called, after the accept \s-1BIO\s0 has been setup, it will attempt @@ -271,47 +280,65 @@ then it is an indication that an accept attempt would block: the application should take appropriate action to wait until the underlying socket has accepted a connection and retry the call. .PP -\&\fIBIO_set_accept_port()\fR, \fIBIO_get_accept_port()\fR, \fIBIO_set_nbio_accept()\fR, -\&\fIBIO_set_accept_bios()\fR, \fIBIO_set_bind_mode()\fR, \fIBIO_get_bind_mode()\fR and -\&\fIBIO_do_accept()\fR are macros. +\&\fIBIO_set_accept_name()\fR, \fIBIO_get_accept_name()\fR, \fIBIO_set_accept_port()\fR, +\&\fIBIO_get_accept_port()\fR, \fIBIO_set_nbio_accept()\fR, \fIBIO_set_accept_bios()\fR, +\&\fIBIO_get_peer_name()\fR, \fIBIO_get_peer_port()\fR, +\&\fIBIO_get_accept_ip_family()\fR, \fIBIO_set_accept_ip_family()\fR, +\&\fIBIO_set_bind_mode()\fR, \fIBIO_get_bind_mode()\fR and \fIBIO_do_accept()\fR are macros. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\s-1TBA\s0 +\&\fIBIO_do_accept()\fR, +\&\fIBIO_set_accept_name()\fR, \fIBIO_set_accept_port()\fR, \fIBIO_set_nbio_accept()\fR, +\&\fIBIO_set_accept_bios()\fR, \fIBIO_set_accept_ip_family()\fR, and \fIBIO_set_bind_mode()\fR +return 1 for success and 0 or \-1 for failure. +.PP +\&\fIBIO_get_accept_name()\fR returns the accept name or \s-1NULL\s0 on error. +\&\fIBIO_get_peer_name()\fR returns the peer name or \s-1NULL\s0 on error. +.PP +\&\fIBIO_get_accept_port()\fR returns the accept port as a string or \s-1NULL\s0 on error. +\&\fIBIO_get_peer_port()\fR returns the peer port as a string or \s-1NULL\s0 on error. +\&\fIBIO_get_accept_ip_family()\fR returns the \s-1IP\s0 family or \-1 on error. +.PP +\&\fIBIO_get_bind_mode()\fR returns the set of \fB\s-1BIO_BIND\s0\fR flags, or \-1 on failure. +.PP +\&\fIBIO_new_accept()\fR returns a \s-1BIO\s0 or \s-1NULL\s0 on error. .SH "EXAMPLE" .IX Header "EXAMPLE" This example accepts two connections on port 4444, sends messages down each and finally closes both down. .PP -.Vb 3 +.Vb 1 \& BIO *abio, *cbio, *cbio2; -\& ERR_load_crypto_strings(); -\& abio = BIO_new_accept("4444"); \& \& /* First call to BIO_accept() sets up accept BIO */ -\& if(BIO_do_accept(abio) <= 0) { -\& fprintf(stderr, "Error setting up accept\en"); -\& ERR_print_errors_fp(stderr); -\& exit(0); +\& abio = BIO_new_accept("4444"); +\& if (BIO_do_accept(abio) <= 0) { +\& fprintf(stderr, "Error setting up accept\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& \& /* Wait for incoming connection */ -\& if(BIO_do_accept(abio) <= 0) { -\& fprintf(stderr, "Error accepting connection\en"); -\& ERR_print_errors_fp(stderr); -\& exit(0); +\& if (BIO_do_accept(abio) <= 0) { +\& fprintf(stderr, "Error accepting connection\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& fprintf(stderr, "Connection 1 established\en"); +\& \& /* Retrieve BIO for connection */ \& cbio = BIO_pop(abio); \& BIO_puts(cbio, "Connection 1: Sending out Data on initial connection\en"); \& fprintf(stderr, "Sent out data on connection 1\en"); +\& \& /* Wait for another connection */ -\& if(BIO_do_accept(abio) <= 0) { -\& fprintf(stderr, "Error accepting connection\en"); -\& ERR_print_errors_fp(stderr); -\& exit(0); +\& if (BIO_do_accept(abio) <= 0) { +\& fprintf(stderr, "Error accepting connection\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } \& fprintf(stderr, "Connection 2 established\en"); +\& \& /* Close accept BIO to refuse further connections */ \& cbio2 = BIO_pop(abio); \& BIO_free(abio); @@ -319,10 +346,16 @@ down each and finally closes both down. \& fprintf(stderr, "Sent out data on connection 2\en"); \& \& BIO_puts(cbio, "Connection 1: Second connection established\en"); +\& \& /* Close the two established connections */ \& BIO_free(cbio); \& BIO_free(cbio2); .Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_s_bio.3 b/secure/lib/libcrypto/man/BIO_s_bio.3 index 68732cc44e87..e9a186b7693f 100644 --- a/secure/lib/libcrypto/man/BIO_s_bio.3 +++ b/secure/lib/libcrypto/man/BIO_s_bio.3 @@ -128,40 +128,34 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_s_bio 3" -.TH BIO_s_bio 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_S_BIO 3" +.TH BIO_S_BIO 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr, -BIO_set_write_buf_size, BIO_get_write_buf_size, BIO_new_bio_pair, -BIO_get_write_guarantee, BIO_ctrl_get_write_guarantee, BIO_get_read_request, -BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request \- BIO pair BIO +BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr, BIO_set_write_buf_size, BIO_get_write_buf_size, BIO_new_bio_pair, BIO_get_write_guarantee, BIO_ctrl_get_write_guarantee, BIO_get_read_request, BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request \- BIO pair BIO .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& BIO_METHOD *BIO_s_bio(void); +\& const BIO_METHOD *BIO_s_bio(void); \& -\& #define BIO_make_bio_pair(b1,b2) (int)BIO_ctrl(b1,BIO_C_MAKE_BIO_PAIR,0,b2) -\& #define BIO_destroy_bio_pair(b) (int)BIO_ctrl(b,BIO_C_DESTROY_BIO_PAIR,0,NULL) +\& int BIO_make_bio_pair(BIO *b1, BIO *b2); +\& int BIO_destroy_bio_pair(BIO *b); +\& int BIO_shutdown_wr(BIO *b); \& -\& #define BIO_shutdown_wr(b) (int)BIO_ctrl(b, BIO_C_SHUTDOWN_WR, 0, NULL) -\& -\& #define BIO_set_write_buf_size(b,size) (int)BIO_ctrl(b,BIO_C_SET_WRITE_BUF_SIZE,size,NULL) -\& #define BIO_get_write_buf_size(b,size) (size_t)BIO_ctrl(b,BIO_C_GET_WRITE_BUF_SIZE,size,NULL) +\& int BIO_set_write_buf_size(BIO *b, long size); +\& size_t BIO_get_write_buf_size(BIO *b, long size); \& \& int BIO_new_bio_pair(BIO **bio1, size_t writebuf1, BIO **bio2, size_t writebuf2); \& -\& #define BIO_get_write_guarantee(b) (int)BIO_ctrl(b,BIO_C_GET_WRITE_GUARANTEE,0,NULL) +\& int BIO_get_write_guarantee(BIO *b); \& size_t BIO_ctrl_get_write_guarantee(BIO *b); -\& -\& #define BIO_get_read_request(b) (int)BIO_ctrl(b,BIO_C_GET_READ_REQUEST,0,NULL) +\& int BIO_get_read_request(BIO *b); \& size_t BIO_ctrl_get_read_request(BIO *b); -\& \& int BIO_ctrl_reset_read_request(BIO *b); .Ve .SH "DESCRIPTION" @@ -179,10 +173,10 @@ One typical use of \s-1BIO\s0 pairs is to place \s-1TLS/SSL I/O\s0 under applica can be used when the application wishes to use a non standard transport for \&\s-1TLS/SSL\s0 or the normal socket routines are inappropriate. .PP -Calls to \fIBIO_read()\fR will read data from the buffer or request a retry if no +Calls to \fIBIO_read_ex()\fR will read data from the buffer or request a retry if no data is available. .PP -Calls to \fIBIO_write()\fR will place data in the buffer or request a retry if the +Calls to \fIBIO_write_ex()\fR will place data in the buffer or request a retry if the buffer is full. .PP The standard calls \fIBIO_ctrl_pending()\fR and \fIBIO_ctrl_wpending()\fR can be used to @@ -215,9 +209,9 @@ zero then the default size is used. \fIBIO_new_bio_pair()\fR does not check whe .PP \&\fIBIO_get_write_guarantee()\fR and \fIBIO_ctrl_get_write_guarantee()\fR return the maximum length of data that can be currently written to the \s-1BIO.\s0 Writes larger than this -value will return a value from \fIBIO_write()\fR less than the amount requested or if the -buffer is full request a retry. \fIBIO_ctrl_get_write_guarantee()\fR is a function -whereas \fIBIO_get_write_guarantee()\fR is a macro. +value will return a value from \fIBIO_write_ex()\fR less than the amount requested or +if the buffer is full request a retry. \fIBIO_ctrl_get_write_guarantee()\fR is a +function whereas \fIBIO_get_write_guarantee()\fR is a macro. .PP \&\fIBIO_get_read_request()\fR and \fIBIO_ctrl_get_read_request()\fR return the amount of data requested, or the buffer size if it is less, if the @@ -245,15 +239,20 @@ it to the underlying transport. This must be done before any normal processing (such as calling \fIselect()\fR ) due to a request and \fIBIO_should_read()\fR being true. .PP To see why this is important consider a case where a request is sent using -\&\fIBIO_write()\fR and a response read with \fIBIO_read()\fR, this can occur during an -\&\s-1TLS/SSL\s0 handshake for example. \fIBIO_write()\fR will succeed and place data in the write -buffer. \fIBIO_read()\fR will initially fail and \fIBIO_should_read()\fR will be true. If -the application then waits for data to be available on the underlying transport -before flushing the write buffer it will never succeed because the request was -never sent! +\&\fIBIO_write_ex()\fR and a response read with \fIBIO_read_ex()\fR, this can occur during an +\&\s-1TLS/SSL\s0 handshake for example. \fIBIO_write_ex()\fR will succeed and place data in the +write buffer. \fIBIO_read_ex()\fR will initially fail and \fIBIO_should_read()\fR will be +true. If the application then waits for data to be available on the underlying +transport before flushing the write buffer it will never succeed because the +request was never sent! .PP \&\fIBIO_eof()\fR is true if no data is in the peer \s-1BIO\s0 and the peer \s-1BIO\s0 has been shutdown. +.PP +\&\fIBIO_make_bio_pair()\fR, \fIBIO_destroy_bio_pair()\fR, \fIBIO_shutdown_wr()\fR, +\&\fIBIO_set_write_buf_size()\fR, \fIBIO_get_write_buf_size()\fR, +\&\fIBIO_get_write_guarantee()\fR, and \fIBIO_get_read_request()\fR are implemented +as macros. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBIO_new_bio_pair()\fR returns 1 on success, with the new BIOs available in @@ -267,12 +266,13 @@ The \s-1BIO\s0 pair can be used to have full control over the network access of application. The application can call \fIselect()\fR on the socket as required without having to go through the SSL-interface. .PP -.Vb 6 +.Vb 1 \& BIO *internal_bio, *network_bio; +\& \& ... -\& BIO_new_bio_pair(internal_bio, 0, network_bio, 0); +\& BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0); \& SSL_set_bio(ssl, internal_bio, internal_bio); -\& SSL_operations(); +\& SSL_operations(); /* e.g SSL_read and SSL_write */ \& ... \& \& application | TLS\-engine @@ -281,9 +281,13 @@ without having to go through the SSL-interface. \& | /\e || \& | || \e/ \& | BIO\-pair (internal_bio) -\& +\-\-\-\-\-\-\-\-\-\-< BIO\-pair (network_bio) +\& | BIO\-pair (network_bio) +\& | || /\e +\& | \e/ || +\& +\-\-\-\-\-\-\-\-\-\-\-< BIO_operations() \& | | -\& socket | +\& | | +\& socket \& \& ... \& SSL_free(ssl); /* implicitly frees internal_bio */ @@ -297,17 +301,25 @@ buffer is full or the read buffer is drained. Then the application has to flush the write buffer and/or fill the read buffer. .PP Use the \fIBIO_ctrl_pending()\fR, to find out whether data is buffered in the \s-1BIO\s0 -and must be transfered to the network. Use \fIBIO_ctrl_get_read_request()\fR to +and must be transferred to the network. Use \fIBIO_ctrl_get_read_request()\fR to find out, how many bytes must be written into the buffer before the \&\fISSL_operation()\fR can successfully be continued. .SH "WARNING" .IX Header "WARNING" -As the data is buffered, \fISSL_operation()\fR may return with a \s-1ERROR_SSL_WANT_READ\s0 +As the data is buffered, \fISSL_operation()\fR may return with an \s-1ERROR_SSL_WANT_READ\s0 condition, but there is still data in the write buffer. An application must not rely on the error value of \fISSL_operation()\fR but must assure that the write buffer is always flushed first. Otherwise a deadlock may occur as the peer might be waiting for the data before being able to continue. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_set_bio\fR\|(3), \fIssl\fR\|(3), \fIbio\fR\|(3), -\&\fIBIO_should_retry\fR\|(3), \fIBIO_read\fR\|(3) +\&\fISSL_set_bio\fR\|(3), \fIssl\fR\|(7), \fIbio\fR\|(7), +\&\fIBIO_should_retry\fR\|(3), \fIBIO_read_ex\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_s_connect.3 b/secure/lib/libcrypto/man/BIO_s_connect.3 index bc361071e98d..39a6f1842f68 100644 --- a/secure/lib/libcrypto/man/BIO_s_connect.3 +++ b/secure/lib/libcrypto/man/BIO_s_connect.3 @@ -128,34 +128,31 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_s_connect 3" -.TH BIO_s_connect 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_S_CONNECT 3" +.TH BIO_S_CONNECT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_s_connect, BIO_new_connect, BIO_set_conn_hostname, BIO_set_conn_port, -BIO_set_conn_ip, BIO_set_conn_int_port, BIO_get_conn_hostname, -BIO_get_conn_port, BIO_get_conn_ip, BIO_get_conn_int_port, -BIO_set_nbio, BIO_do_connect \- connect BIO +BIO_set_conn_address, BIO_get_conn_address, BIO_s_connect, BIO_new_connect, BIO_set_conn_hostname, BIO_set_conn_port, BIO_set_conn_ip_family, BIO_get_conn_ip_family, BIO_get_conn_hostname, BIO_get_conn_port, BIO_set_nbio, BIO_do_connect \- connect BIO .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& BIO_METHOD * BIO_s_connect(void); +\& const BIO_METHOD * BIO_s_connect(void); \& \& BIO *BIO_new_connect(char *name); \& \& long BIO_set_conn_hostname(BIO *b, char *name); \& long BIO_set_conn_port(BIO *b, char *port); -\& long BIO_set_conn_ip(BIO *b, char *ip); -\& long BIO_set_conn_int_port(BIO *b, char *port); -\& char *BIO_get_conn_hostname(BIO *b); -\& char *BIO_get_conn_port(BIO *b); -\& char *BIO_get_conn_ip(BIO *b); -\& long BIO_get_conn_int_port(BIO *b); +\& long BIO_set_conn_address(BIO *b, BIO_ADDR *addr); +\& long BIO_set_conn_ip_family(BIO *b, long family); +\& const char *BIO_get_conn_hostname(BIO *b); +\& const char *BIO_get_conn_port(BIO *b); +\& const BIO_ADDR *BIO_get_conn_address(BIO *b); +\& const long BIO_get_conn_ip_family(BIO *b); \& \& long BIO_set_nbio(BIO *b, long n); \& @@ -190,36 +187,37 @@ it also returns the socket . If \fBc\fR is not \s-1NULL\s0 it should be of type (int *). .PP \&\fIBIO_set_conn_hostname()\fR uses the string \fBname\fR to set the hostname. -The hostname can be an \s-1IP\s0 address. The hostname can also include the -port in the form hostname:port . It is also acceptable to use the -form \*(L"hostname/any/other/path\*(R" or \*(L"hostname:port/any/other/path\*(R". +The hostname can be an \s-1IP\s0 address; if the address is an IPv6 one, it +must be enclosed with brackets. The hostname can also include the +port in the form hostname:port. .PP \&\fIBIO_set_conn_port()\fR sets the port to \fBport\fR. \fBport\fR can be the numerical form or a string such as \*(L"http\*(R". A string will be looked up first using \fIgetservbyname()\fR on the host platform but if that -fails a standard table of port names will be used. Currently the -list is http, telnet, socks, https, ssl, ftp, gopher and wais. +fails a standard table of port names will be used. This internal +list is http, telnet, socks, https, ssl, ftp, and gopher. .PP -\&\fIBIO_set_conn_ip()\fR sets the \s-1IP\s0 address to \fBip\fR using binary form, -that is four bytes specifying the \s-1IP\s0 address in big-endian form. +\&\fIBIO_set_conn_address()\fR sets the address and port information using +a \s-1\fIBIO_ADDR\s0\fR\|(3ssl). .PP -\&\fIBIO_set_conn_int_port()\fR sets the port using \fBport\fR. \fBport\fR should -be of type (int *). +\&\fIBIO_set_conn_ip_family()\fR sets the \s-1IP\s0 family. .PP \&\fIBIO_get_conn_hostname()\fR returns the hostname of the connect \s-1BIO\s0 or \&\s-1NULL\s0 if the \s-1BIO\s0 is initialized but no hostname is set. This return value is an internal pointer which should not be modified. .PP \&\fIBIO_get_conn_port()\fR returns the port as a string. +This return value is an internal pointer which should not be modified. .PP -\&\fIBIO_get_conn_ip()\fR returns the \s-1IP\s0 address in binary form. +\&\fIBIO_get_conn_address()\fR returns the address information as a \s-1BIO_ADDR.\s0 +This return value is an internal pointer which should not be modified. .PP -\&\fIBIO_get_conn_int_port()\fR returns the port as an int. +\&\fIBIO_get_conn_ip_family()\fR returns the \s-1IP\s0 family of the connect \s-1BIO.\s0 .PP \&\fIBIO_set_nbio()\fR sets the non blocking I/O flag to \fBn\fR. If \fBn\fR is zero then blocking I/O is set. If \fBn\fR is 1 then non blocking I/O is set. Blocking I/O is the default. The call to \fIBIO_set_nbio()\fR -should be made before the connection is established because +should be made before the connection is established because non blocking I/O is set during the connect process. .PP \&\fIBIO_new_connect()\fR combines \fIBIO_new()\fR and \fIBIO_set_conn_hostname()\fR into @@ -243,10 +241,10 @@ ports. This can be avoided by checking for the presence of the ':' character in the passed hostname and either indicating an error or truncating the string at that point. .PP -The values returned by \fIBIO_get_conn_hostname()\fR, \fIBIO_get_conn_port()\fR, -\&\fIBIO_get_conn_ip()\fR and \fIBIO_get_conn_int_port()\fR are updated when a -connection attempt is made. Before any connection attempt the values -returned are those set by the application itself. +The values returned by \fIBIO_get_conn_hostname()\fR, \fIBIO_get_conn_address()\fR, +and \fIBIO_get_conn_port()\fR are updated when a connection attempt is made. +Before any connection attempt the values returned are those set by the +application itself. .PP Applications do not have to call \fIBIO_do_connect()\fR but may wish to do so to separate the connection process from other I/O processing. @@ -260,10 +258,10 @@ then this is an indication that a connection attempt would block, the application should then take appropriate action to wait until the underlying socket has connected and retry the call. .PP -\&\fIBIO_set_conn_hostname()\fR, \fIBIO_set_conn_port()\fR, \fIBIO_set_conn_ip()\fR, -\&\fIBIO_set_conn_int_port()\fR, \fIBIO_get_conn_hostname()\fR, \fIBIO_get_conn_port()\fR, -\&\fIBIO_get_conn_ip()\fR, \fIBIO_get_conn_int_port()\fR, \fIBIO_set_nbio()\fR and -\&\fIBIO_do_connect()\fR are macros. +\&\fIBIO_set_conn_hostname()\fR, \fIBIO_set_conn_port()\fR, \fIBIO_get_conn_hostname()\fR, +\&\fIBIO_set_conn_address()\fR, \fIBIO_get_conn_port()\fR, \fIBIO_get_conn_address()\fR, +\&\fIBIO_set_conn_ip_family()\fR, \fIBIO_get_conn_ip_family()\fR, +\&\fIBIO_set_nbio()\fR, and \fIBIO_do_connect()\fR are macros. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBIO_s_connect()\fR returns the connect \s-1BIO\s0 method. @@ -271,21 +269,22 @@ the underlying socket has connected and retry the call. \&\fIBIO_get_fd()\fR returns the socket or \-1 if the \s-1BIO\s0 has not been initialized. .PP -\&\fIBIO_set_conn_hostname()\fR, \fIBIO_set_conn_port()\fR, \fIBIO_set_conn_ip()\fR and -\&\fIBIO_set_conn_int_port()\fR always return 1. +\&\fIBIO_set_conn_address()\fR, \fIBIO_set_conn_port()\fR, and \fIBIO_set_conn_ip_family()\fR +always return 1. .PP -\&\fIBIO_get_conn_hostname()\fR returns the connected hostname or \s-1NULL\s0 is +\&\fIBIO_set_conn_hostname()\fR returns 1 on success and 0 on failure. +.PP +\&\fIBIO_get_conn_address()\fR returns the address information or \s-1NULL\s0 if none +was set. +.PP +\&\fIBIO_get_conn_hostname()\fR returns the connected hostname or \s-1NULL\s0 if none was set. .PP +\&\fIBIO_get_conn_ip_family()\fR returns the address family or \-1 if none was set. +.PP \&\fIBIO_get_conn_port()\fR returns a string representing the connected port or \s-1NULL\s0 if not set. .PP -\&\fIBIO_get_conn_ip()\fR returns a pointer to the connected \s-1IP\s0 address in -binary form or all zeros if not set. -.PP -\&\fIBIO_get_conn_int_port()\fR returns the connected port or 0 if none was -set. -.PP \&\fIBIO_set_nbio()\fR always returns 1. .PP \&\fIBIO_do_connect()\fR returns 1 if the connection was successfully @@ -295,27 +294,41 @@ established and 0 or \-1 if the connection failed. This is example connects to a webserver on the local host and attempts to retrieve a page and copy the result to standard output. .PP -.Vb 10 +.Vb 3 \& BIO *cbio, *out; \& int len; \& char tmpbuf[1024]; -\& ERR_load_crypto_strings(); +\& \& cbio = BIO_new_connect("localhost:http"); \& out = BIO_new_fp(stdout, BIO_NOCLOSE); -\& if(BIO_do_connect(cbio) <= 0) { -\& fprintf(stderr, "Error connecting to server\en"); -\& ERR_print_errors_fp(stderr); -\& /* whatever ... */ -\& } +\& if (BIO_do_connect(cbio) <= 0) { +\& fprintf(stderr, "Error connecting to server\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); +\& } \& BIO_puts(cbio, "GET / HTTP/1.0\en\en"); -\& for(;;) { -\& len = BIO_read(cbio, tmpbuf, 1024); -\& if(len <= 0) break; -\& BIO_write(out, tmpbuf, len); +\& for (;;) { +\& len = BIO_read(cbio, tmpbuf, 1024); +\& if (len <= 0) +\& break; +\& BIO_write(out, tmpbuf, len); \& } \& BIO_free(cbio); \& BIO_free(out); .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\s-1TBA\s0 +\&\s-1\fIBIO_ADDR\s0\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIBIO_set_conn_int_port()\fR, \fIBIO_get_conn_int_port()\fR, \fIBIO_set_conn_ip()\fR, and \fIBIO_get_conn_ip()\fR +were removed in OpenSSL 1.1.0. +Use \fIBIO_set_conn_address()\fR and \fIBIO_get_conn_address()\fR instead. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_s_fd.3 b/secure/lib/libcrypto/man/BIO_s_fd.3 index 7b84c4939cf9..1bffafc6ffc1 100644 --- a/secure/lib/libcrypto/man/BIO_s_fd.3 +++ b/secure/lib/libcrypto/man/BIO_s_fd.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_s_fd 3" -.TH BIO_s_fd 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_S_FD 3" +.TH BIO_S_FD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,10 +141,10 @@ BIO_s_fd, BIO_set_fd, BIO_get_fd, BIO_new_fd \- file descriptor BIO .Vb 1 \& #include \& -\& BIO_METHOD * BIO_s_fd(void); +\& const BIO_METHOD *BIO_s_fd(void); \& -\& #define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd) -\& #define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c) +\& int BIO_set_fd(BIO *b, int fd, int c); +\& int BIO_get_fd(BIO *b, int *c); \& \& BIO *BIO_new_fd(int fd, int close_flag); .Ve @@ -153,47 +153,44 @@ BIO_s_fd, BIO_set_fd, BIO_get_fd, BIO_new_fd \- file descriptor BIO \&\fIBIO_s_fd()\fR returns the file descriptor \s-1BIO\s0 method. This is a wrapper round the platforms file descriptor routines such as \fIread()\fR and \fIwrite()\fR. .PP -\&\fIBIO_read()\fR and \fIBIO_write()\fR read or write the underlying descriptor. +\&\fIBIO_read_ex()\fR and \fIBIO_write_ex()\fR read or write the underlying descriptor. \&\fIBIO_puts()\fR is supported but \fIBIO_gets()\fR is not. .PP -If the close flag is set then then \fIclose()\fR is called on the underlying +If the close flag is set then \fIclose()\fR is called on the underlying file descriptor when the \s-1BIO\s0 is freed. .PP \&\fIBIO_reset()\fR attempts to change the file pointer to the start of file -using lseek(fd, 0, 0). +such as by using \fBlseek(fd, 0, 0)\fR. .PP \&\fIBIO_seek()\fR sets the file pointer to position \fBofs\fR from start of file -using lseek(fd, ofs, 0). +such as by using \fBlseek(fd, ofs, 0)\fR. .PP -\&\fIBIO_tell()\fR returns the current file position by calling lseek(fd, 0, 1). +\&\fIBIO_tell()\fR returns the current file position such as by calling +\&\fBlseek(fd, 0, 1)\fR. .PP \&\fIBIO_set_fd()\fR sets the file descriptor of \s-1BIO\s0 \fBb\fR to \fBfd\fR and the close flag to \fBc\fR. .PP \&\fIBIO_get_fd()\fR places the file descriptor in \fBc\fR if it is not \s-1NULL,\s0 it also -returns the file descriptor. If \fBc\fR is not \s-1NULL\s0 it should be of type -(int *). +returns the file descriptor. .PP \&\fIBIO_new_fd()\fR returns a file descriptor \s-1BIO\s0 using \fBfd\fR and \fBclose_flag\fR. .SH "NOTES" .IX Header "NOTES" -The behaviour of \fIBIO_read()\fR and \fIBIO_write()\fR depends on the behavior of the -platforms \fIread()\fR and \fIwrite()\fR calls on the descriptor. If the underlying +The behaviour of \fIBIO_read_ex()\fR and \fIBIO_write_ex()\fR depends on the behavior of the +platforms \fIread()\fR and \fIwrite()\fR calls on the descriptor. If the underlying file descriptor is in a non blocking mode then the \s-1BIO\s0 will behave in the -manner described in the \fIBIO_read\fR\|(3) and \fIBIO_should_retry\fR\|(3) +manner described in the \fIBIO_read_ex\fR\|(3) and \fIBIO_should_retry\fR\|(3) manual pages. .PP File descriptor BIOs should not be used for socket I/O. Use socket BIOs instead. +.PP +\&\fIBIO_set_fd()\fR and \fIBIO_get_fd()\fR are implemented as macros. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBIO_s_fd()\fR returns the file descriptor \s-1BIO\s0 method. .PP -\&\fIBIO_reset()\fR returns zero for success and \-1 if an error occurred. -\&\fIBIO_seek()\fR and \fIBIO_tell()\fR return the current file position or \-1 -if an error occurred. These values reflect the underlying \fIlseek()\fR -behaviour. -.PP \&\fIBIO_set_fd()\fR always returns 1. .PP \&\fIBIO_get_fd()\fR returns the file descriptor or \-1 if the \s-1BIO\s0 has not @@ -205,8 +202,9 @@ occurred. .IX Header "EXAMPLE" This is a file descriptor \s-1BIO\s0 version of \*(L"Hello World\*(R": .PP -.Vb 4 +.Vb 1 \& BIO *out; +\& \& out = BIO_new_fd(fileno(stdout), BIO_NOCLOSE); \& BIO_printf(out, "Hello World\en"); \& BIO_free(out); @@ -214,7 +212,15 @@ This is a file descriptor \s-1BIO\s0 version of \*(L"Hello World\*(R": .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIBIO_seek\fR\|(3), \fIBIO_tell\fR\|(3), -\&\fIBIO_reset\fR\|(3), \fIBIO_read\fR\|(3), -\&\fIBIO_write\fR\|(3), \fIBIO_puts\fR\|(3), +\&\fIBIO_reset\fR\|(3), \fIBIO_read_ex\fR\|(3), +\&\fIBIO_write_ex\fR\|(3), \fIBIO_puts\fR\|(3), \&\fIBIO_gets\fR\|(3), \fIBIO_printf\fR\|(3), \&\fIBIO_set_close\fR\|(3), \fIBIO_get_close\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_s_file.3 b/secure/lib/libcrypto/man/BIO_s_file.3 index f0612d794146..8aca1b90e520 100644 --- a/secure/lib/libcrypto/man/BIO_s_file.3 +++ b/secure/lib/libcrypto/man/BIO_s_file.3 @@ -128,27 +128,25 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_s_file 3" -.TH BIO_s_file 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_S_FILE 3" +.TH BIO_S_FILE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_s_file, BIO_new_file, BIO_new_fp, BIO_set_fp, BIO_get_fp, -BIO_read_filename, BIO_write_filename, BIO_append_filename, -BIO_rw_filename \- FILE bio +BIO_s_file, BIO_new_file, BIO_new_fp, BIO_set_fp, BIO_get_fp, BIO_read_filename, BIO_write_filename, BIO_append_filename, BIO_rw_filename \- FILE bio .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& BIO_METHOD * BIO_s_file(void); +\& const BIO_METHOD *BIO_s_file(void); \& BIO *BIO_new_file(const char *filename, const char *mode); \& BIO *BIO_new_fp(FILE *stream, int flags); \& -\& BIO_set_fp(BIO *b,FILE *fp, int flags); -\& BIO_get_fp(BIO *b,FILE **fpp); +\& BIO_set_fp(BIO *b, FILE *fp, int flags); +\& BIO_get_fp(BIO *b, FILE **fpp); \& \& int BIO_read_filename(BIO *b, char *name) \& int BIO_write_filename(BIO *b, char *name) @@ -161,7 +159,7 @@ BIO_rw_filename \- FILE bio is a wrapper round the stdio \s-1FILE\s0 structure and it is a source/sink \s-1BIO.\s0 .PP -Calls to \fIBIO_read()\fR and \fIBIO_write()\fR read and write data to the +Calls to \fIBIO_read_ex()\fR and \fIBIO_write_ex()\fR read and write data to the underlying stream. \fIBIO_gets()\fR and \fIBIO_puts()\fR are supported on file BIOs. .PP \&\fIBIO_flush()\fR on a file \s-1BIO\s0 calls the \fIfflush()\fR function on the wrapped @@ -187,7 +185,7 @@ flag is set on the returned \s-1BIO.\s0 stream to text mode, default is binary: this only has any effect under Win32). .PP -\&\fIBIO_set_fp()\fR set the fp of a file \s-1BIO\s0 to \fBfp\fR. \fBflags\fR has the same +\&\fIBIO_set_fp()\fR sets the fp of a file \s-1BIO\s0 to \fBfp\fR. \fBflags\fR has the same meaning as in \fIBIO_new_fp()\fR, it is a macro. .PP \&\fIBIO_get_fp()\fR retrieves the fp of a file \s-1BIO,\s0 it is a macro. @@ -215,39 +213,48 @@ lingual environment, encode file names in \s-1UTF\-8.\s0 .IX Header "EXAMPLES" File \s-1BIO\s0 \*(L"hello world\*(R": .PP -.Vb 3 +.Vb 1 \& BIO *bio_out; +\& \& bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); \& BIO_printf(bio_out, "Hello World\en"); .Ve .PP Alternative technique: .PP -.Vb 5 +.Vb 1 \& BIO *bio_out; +\& \& bio_out = BIO_new(BIO_s_file()); -\& if(bio_out == NULL) /* Error ... */ -\& if(!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) /* Error ... */ +\& if (bio_out == NULL) +\& /* Error */ +\& if (!BIO_set_fp(bio_out, stdout, BIO_NOCLOSE)) +\& /* Error */ \& BIO_printf(bio_out, "Hello World\en"); .Ve .PP Write to a file: .PP -.Vb 5 +.Vb 1 \& BIO *out; +\& \& out = BIO_new_file("filename.txt", "w"); -\& if(!out) /* Error occurred */ +\& if (!out) +\& /* Error */ \& BIO_printf(out, "Hello World\en"); \& BIO_free(out); .Ve .PP Alternative technique: .PP -.Vb 6 +.Vb 1 \& BIO *out; +\& \& out = BIO_new(BIO_s_file()); -\& if(out == NULL) /* Error ... */ -\& if(!BIO_write_filename(out, "filename.txt")) /* Error ... */ +\& if (out == NULL) +\& /* Error */ +\& if (!BIO_write_filename(out, "filename.txt")) +\& /* Error */ \& BIO_printf(out, "Hello World\en"); \& BIO_free(out); .Ve @@ -266,7 +273,7 @@ occurred. .PP \&\fIBIO_tell()\fR returns the current file position. .PP -\&\fIBIO_read_filename()\fR, \fIBIO_write_filename()\fR, \fIBIO_append_filename()\fR and +\&\fIBIO_read_filename()\fR, \fIBIO_write_filename()\fR, \fIBIO_append_filename()\fR and \&\fIBIO_rw_filename()\fR return 1 for success or 0 for failure. .SH "BUGS" .IX Header "BUGS" @@ -278,7 +285,15 @@ occurred this differs from other types of \s-1BIO\s0 which will typically return .IX Header "SEE ALSO" \&\fIBIO_seek\fR\|(3), \fIBIO_tell\fR\|(3), \&\fIBIO_reset\fR\|(3), \fIBIO_flush\fR\|(3), -\&\fIBIO_read\fR\|(3), -\&\fIBIO_write\fR\|(3), \fIBIO_puts\fR\|(3), +\&\fIBIO_read_ex\fR\|(3), +\&\fIBIO_write_ex\fR\|(3), \fIBIO_puts\fR\|(3), \&\fIBIO_gets\fR\|(3), \fIBIO_printf\fR\|(3), \&\fIBIO_set_close\fR\|(3), \fIBIO_get_close\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_s_mem.3 b/secure/lib/libcrypto/man/BIO_s_mem.3 index 9486ceb89f85..21bdd95faecd 100644 --- a/secure/lib/libcrypto/man/BIO_s_mem.3 +++ b/secure/lib/libcrypto/man/BIO_s_mem.3 @@ -128,37 +128,40 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_s_mem 3" -.TH BIO_s_mem 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_S_MEM 3" +.TH BIO_S_MEM 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_s_mem, BIO_set_mem_eof_return, BIO_get_mem_data, BIO_set_mem_buf, -BIO_get_mem_ptr, BIO_new_mem_buf \- memory BIO +BIO_s_secmem, BIO_s_mem, BIO_set_mem_eof_return, BIO_get_mem_data, BIO_set_mem_buf, BIO_get_mem_ptr, BIO_new_mem_buf \- memory BIO .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& BIO_METHOD * BIO_s_mem(void); +\& const BIO_METHOD *BIO_s_mem(void); +\& const BIO_METHOD *BIO_s_secmem(void); \& -\& BIO_set_mem_eof_return(BIO *b,int v) +\& BIO_set_mem_eof_return(BIO *b, int v) \& long BIO_get_mem_data(BIO *b, char **pp) -\& BIO_set_mem_buf(BIO *b,BUF_MEM *bm,int c) -\& BIO_get_mem_ptr(BIO *b,BUF_MEM **pp) +\& BIO_set_mem_buf(BIO *b, BUF_MEM *bm, int c) +\& BIO_get_mem_ptr(BIO *b, BUF_MEM **pp) \& \& BIO *BIO_new_mem_buf(const void *buf, int len); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIBIO_s_mem()\fR return the memory \s-1BIO\s0 method function. +\&\fIBIO_s_mem()\fR returns the memory \s-1BIO\s0 method function. .PP A memory \s-1BIO\s0 is a source/sink \s-1BIO\s0 which uses memory for its I/O. Data written to a memory \s-1BIO\s0 is stored in a \s-1BUF_MEM\s0 structure which is extended as appropriate to accommodate the stored data. .PP +\&\fIBIO_s_secmem()\fR is like \fIBIO_s_mem()\fR except that the secure heap is used +for buffer storage. +.PP Any data written to a memory \s-1BIO\s0 can be recalled by reading from it. Unless the memory \s-1BIO\s0 is read only any data read from it is deleted from the \s-1BIO.\s0 @@ -168,9 +171,10 @@ Memory BIOs support \fIBIO_gets()\fR and \fIBIO_puts()\fR. If the \s-1BIO_CLOSE\s0 flag is set when a memory \s-1BIO\s0 is freed then the underlying \&\s-1BUF_MEM\s0 structure is also freed. .PP -Calling \fIBIO_reset()\fR on a read write memory \s-1BIO\s0 clears any data in it. On a -read only \s-1BIO\s0 it restores the \s-1BIO\s0 to its original state and the read only -data can be read again. +Calling \fIBIO_reset()\fR on a read write memory \s-1BIO\s0 clears any data in it if the +flag \s-1BIO_FLAGS_NONCLEAR_RST\s0 is not set. On a read only \s-1BIO\s0 or if the flag +\&\s-1BIO_FLAGS_NONCLEAR_RST\s0 is set it restores the \s-1BIO\s0 to its original state and +the data can be read again. .PP \&\fIBIO_eof()\fR is true if no data is in the \s-1BIO.\s0 .PP @@ -210,40 +214,51 @@ an internal copy operation, if a \s-1BIO\s0 contains a lot of data and it is read in small chunks the operation can be very slow. The use of a read only memory \s-1BIO\s0 avoids this problem. If the \s-1BIO\s0 must be read write then adding a buffering \s-1BIO\s0 to the chain will speed up the process. +.PP +Calling \fIBIO_set_mem_buf()\fR on a \s-1BIO\s0 created with \fIBIO_new_secmem()\fR will +give undefined results, including perhaps a program crash. .SH "BUGS" .IX Header "BUGS" There should be an option to set the maximum size of a memory \s-1BIO.\s0 -.PP -There should be a way to \*(L"rewind\*(R" a read write \s-1BIO\s0 without destroying -its contents. -.PP -The copying operation should not occur after every small read of a large \s-1BIO\s0 -to improve efficiency. .SH "EXAMPLE" .IX Header "EXAMPLE" Create a memory \s-1BIO\s0 and write some data to it: .PP -.Vb 2 +.Vb 1 \& BIO *mem = BIO_new(BIO_s_mem()); +\& \& BIO_puts(mem, "Hello World\en"); .Ve .PP Create a read only memory \s-1BIO:\s0 .PP -.Vb 3 +.Vb 2 \& char data[] = "Hello World"; -\& BIO *mem; -\& mem = BIO_new_mem_buf(data, \-1); +\& BIO *mem = BIO_new_mem_buf(data, \-1); .Ve .PP Extract the \s-1BUF_MEM\s0 structure from a memory \s-1BIO\s0 and then free up the \s-1BIO:\s0 .PP -.Vb 4 +.Vb 1 \& BUF_MEM *bptr; +\& \& BIO_get_mem_ptr(mem, &bptr); \& BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */ \& BIO_free(mem); .Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_s_mem()\fR and \fIBIO_s_secmem()\fR return a valid memory \fB\s-1BIO_METHOD\s0\fR structure. +.PP +\&\fIBIO_set_mem_eof_return()\fR, \fIBIO_get_mem_data()\fR, \fIBIO_set_mem_buf()\fR and \fIBIO_get_mem_ptr()\fR +return 1 on success or a value which is less than or equal to 0 if an error occurred. +.PP +\&\fIBIO_new_mem_buf()\fR returns a valid \fB\s-1BIO\s0\fR structure on success or \s-1NULL\s0 on error. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_s_null.3 b/secure/lib/libcrypto/man/BIO_s_null.3 index c80aad1fb761..a8ca782dbe22 100644 --- a/secure/lib/libcrypto/man/BIO_s_null.3 +++ b/secure/lib/libcrypto/man/BIO_s_null.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_s_null 3" -.TH BIO_s_null 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_S_NULL 3" +.TH BIO_S_NULL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +141,7 @@ BIO_s_null \- null data sink .Vb 1 \& #include \& -\& BIO_METHOD * BIO_s_null(void); +\& const BIO_METHOD *BIO_s_null(void); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -162,6 +162,11 @@ by adding a null sink \s-1BIO\s0 to the end of the chain .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBIO_s_null()\fR returns the null sink \s-1BIO\s0 method. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_s_socket.3 b/secure/lib/libcrypto/man/BIO_s_socket.3 index 4e173d688048..368ee4941f5e 100644 --- a/secure/lib/libcrypto/man/BIO_s_socket.3 +++ b/secure/lib/libcrypto/man/BIO_s_socket.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_s_socket 3" -.TH BIO_s_socket 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_S_SOCKET 3" +.TH BIO_S_SOCKET 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,10 +141,7 @@ BIO_s_socket, BIO_new_socket \- socket BIO .Vb 1 \& #include \& -\& BIO_METHOD *BIO_s_socket(void); -\& -\& long BIO_set_fd(BIO *b, int fd, long close_flag); -\& long BIO_get_fd(BIO *b, int *c); +\& const BIO_METHOD *BIO_s_socket(void); \& \& BIO *BIO_new_socket(int sock, int close_flag); .Ve @@ -153,18 +150,12 @@ BIO_s_socket, BIO_new_socket \- socket BIO \&\fIBIO_s_socket()\fR returns the socket \s-1BIO\s0 method. This is a wrapper round the platform's socket routines. .PP -\&\fIBIO_read()\fR and \fIBIO_write()\fR read or write the underlying socket. +\&\fIBIO_read_ex()\fR and \fIBIO_write_ex()\fR read or write the underlying socket. \&\fIBIO_puts()\fR is supported but \fIBIO_gets()\fR is not. .PP If the close flag is set then the socket is shut down and closed when the \s-1BIO\s0 is freed. .PP -\&\fIBIO_set_fd()\fR sets the socket of \s-1BIO\s0 \fBb\fR to \fBfd\fR and the close -flag to \fBclose_flag\fR. -.PP -\&\fIBIO_get_fd()\fR places the socket in \fBc\fR if it is not \s-1NULL,\s0 it also -returns the socket. If \fBc\fR is not \s-1NULL\s0 it should be of type (int *). -.PP \&\fIBIO_new_socket()\fR returns a socket \s-1BIO\s0 using \fBsock\fR and \fBclose_flag\fR. .SH "NOTES" .IX Header "NOTES" @@ -175,19 +166,17 @@ The reason for having separate file descriptor and socket BIOs is that on some platforms sockets are not file descriptors and use distinct I/O routines, Windows is one such platform. Any code mixing the two will not work on all platforms. -.PP -\&\fIBIO_set_fd()\fR and \fIBIO_get_fd()\fR are macros. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBIO_s_socket()\fR returns the socket \s-1BIO\s0 method. .PP -\&\fIBIO_set_fd()\fR always returns 1. -.PP -\&\fIBIO_get_fd()\fR returns the socket or \-1 if the \s-1BIO\s0 has not been -initialized. -.PP \&\fIBIO_new_socket()\fR returns the newly allocated \s-1BIO\s0 or \s-1NULL\s0 is an error occurred. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_set_callback.3 b/secure/lib/libcrypto/man/BIO_set_callback.3 index 5619a14cbb51..965e80ba7902 100644 --- a/secure/lib/libcrypto/man/BIO_set_callback.3 +++ b/secure/lib/libcrypto/man/BIO_set_callback.3 @@ -128,102 +128,261 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_set_callback 3" -.TH BIO_set_callback 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_SET_CALLBACK 3" +.TH BIO_SET_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg, -BIO_debug_callback \- BIO callback functions +BIO_set_callback_ex, BIO_get_callback_ex, BIO_set_callback, BIO_get_callback, BIO_set_callback_arg, BIO_get_callback_arg, BIO_debug_callback, BIO_callback_fn_ex, BIO_callback_fn \&\- BIO callback functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& #define BIO_set_callback(b,cb) ((b)\->callback=(cb)) -\& #define BIO_get_callback(b) ((b)\->callback) -\& #define BIO_set_callback_arg(b,arg) ((b)\->cb_arg=(char *)(arg)) -\& #define BIO_get_callback_arg(b) ((b)\->cb_arg) +\& typedef long (*BIO_callback_fn_ex)(BIO *b, int oper, const char *argp, +\& size_t len, int argi, +\& long argl, int ret, size_t *processed); +\& typedef long (*BIO_callback_fn)(BIO *b, int oper, const char *argp, int argi, +\& long argl, long ret); \& -\& long BIO_debug_callback(BIO *bio,int cmd,const char *argp,int argi, -\& long argl,long ret); +\& void BIO_set_callback_ex(BIO *b, BIO_callback_fn_ex callback); +\& BIO_callback_fn_ex BIO_get_callback_ex(const BIO *b); \& -\& typedef long (*callback)(BIO *b, int oper, const char *argp, -\& int argi, long argl, long retvalue); +\& void BIO_set_callback(BIO *b, BIO_callback_fn cb); +\& BIO_callback_fn BIO_get_callback(BIO *b); +\& void BIO_set_callback_arg(BIO *b, char *arg); +\& char *BIO_get_callback_arg(const BIO *b); +\& +\& long BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, +\& long argl, long ret); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIBIO_set_callback()\fR and \fIBIO_get_callback()\fR set and retrieve the \s-1BIO\s0 callback, -they are both macros. The callback is called during most high level \s-1BIO\s0 -operations. It can be used for debugging purposes to trace operations on -a \s-1BIO\s0 or to modify its operation. +\&\fIBIO_set_callback_ex()\fR and \fIBIO_get_callback_ex()\fR set and retrieve the \s-1BIO\s0 +callback. The callback is called during most high level \s-1BIO\s0 operations. It can +be used for debugging purposes to trace operations on a \s-1BIO\s0 or to modify its +operation. +.PP +\&\fIBIO_set_callback()\fR and \fIBIO_get_callback()\fR set and retrieve the old format \s-1BIO\s0 +callback. New code should not use these functions, but they are retained for +backwards compatibility. Any callback set via \fIBIO_set_callback_ex()\fR will get +called in preference to any set by \fIBIO_set_callback()\fR. .PP \&\fIBIO_set_callback_arg()\fR and \fIBIO_get_callback_arg()\fR are macros which can be used to set and retrieve an argument for use in the callback. .PP \&\fIBIO_debug_callback()\fR is a standard debugging callback which prints out information relating to each \s-1BIO\s0 operation. If the callback -argument is set if is interpreted as a \s-1BIO\s0 to send the information +argument is set it is interpreted as a \s-1BIO\s0 to send the information to, otherwise stderr is used. .PP -\&\fIcallback()\fR is the callback function itself. The meaning of each -argument is described below. -.PP +\&\fIBIO_callback_fn_ex()\fR is the type of the callback function and \fIBIO_callback_fn()\fR +is the type of the old format callback function. The meaning of each argument +is described below: +.IP "\fBb\fR" 4 +.IX Item "b" The \s-1BIO\s0 the callback is attached to is passed in \fBb\fR. -.PP +.IP "\fBoper\fR" 4 +.IX Item "oper" \&\fBoper\fR is set to the operation being performed. For some operations the callback is called twice, once before and once after the actual operation, the latter case has \fBoper\fR or'ed with \s-1BIO_CB_RETURN.\s0 -.PP +.IP "\fBlen\fR" 4 +.IX Item "len" +The length of the data requested to be read or written. This is only useful if +\&\fBoper\fR is \s-1BIO_CB_READ, BIO_CB_WRITE\s0 or \s-1BIO_CB_GETS.\s0 +.IP "\fBargp\fR \fBargi\fR \fBargl\fR" 4 +.IX Item "argp argi argl" The meaning of the arguments \fBargp\fR, \fBargi\fR and \fBargl\fR depends on the value of \fBoper\fR, that is the operation being performed. -.PP -\&\fBretvalue\fR is the return value that would be returned to the +.IP "\fBprocessed\fR" 4 +.IX Item "processed" +\&\fBprocessed\fR is a pointer to a location which will be updated with the amount of +data that was actually read or written. Only used for \s-1BIO_CB_READ, BIO_CB_WRITE, +BIO_CB_GETS\s0 and \s-1BIO_CB_PUTS.\s0 +.IP "\fBret\fR" 4 +.IX Item "ret" +\&\fBret\fR is the return value that would be returned to the application if no callback were present. The actual value returned is the return value of the callback itself. In the case of callbacks -called before the actual \s-1BIO\s0 operation 1 is placed in retvalue, if +called before the actual \s-1BIO\s0 operation 1 is placed in \fBret\fR, if the return value is not positive it will be immediately returned to the application and the \s-1BIO\s0 operation will not be performed. .PP -The callback should normally simply return \fBretvalue\fR when it has -finished processing, unless if specifically wishes to modify the +The callback should normally simply return \fBret\fR when it has +finished processing, unless it specifically wishes to modify the value returned to the application. .SH "CALLBACK OPERATIONS" .IX Header "CALLBACK OPERATIONS" +In the notes below, \fBcallback\fR defers to the actual callback +function that is called. .IP "\fBBIO_free(b)\fR" 4 .IX Item "BIO_free(b)" -callback(b, \s-1BIO_CB_FREE, NULL, 0L, 0L, 1L\s0) is called before the -free operation. -.IP "\fBBIO_read(b, out, outl)\fR" 4 -.IX Item "BIO_read(b, out, outl)" -callback(b, \s-1BIO_CB_READ,\s0 out, outl, 0L, 1L) is called before -the read and callback(b, BIO_CB_READ|BIO_CB_RETURN, out, outl, 0L, retvalue) +.Vb 1 +\& callback_ex(b, BIO_CB_FREE, NULL, 0, 0, 0L, 1L, NULL) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_FREE, NULL, 0L, 0L, 1L) +.Ve +.Sp +is called before the free operation. +.IP "\fBBIO_read_ex(b, data, dlen, readbytes)\fR" 4 +.IX Item "BIO_read_ex(b, data, dlen, readbytes)" +.Vb 1 +\& callback_ex(b, BIO_CB_READ, data, dlen, 0, 0L, 1L, NULL) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_READ, data, dlen, 0L, 1L) +.Ve +.Sp +is called before the read and +.Sp +.Vb 2 +\& callback_ex(b, BIO_CB_READ | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, +\& &readbytes) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_READ|BIO_CB_RETURN, data, dlen, 0L, retvalue) +.Ve +.Sp after. -.IP "\fBBIO_write(b, in, inl)\fR" 4 -.IX Item "BIO_write(b, in, inl)" -callback(b, \s-1BIO_CB_WRITE,\s0 in, inl, 0L, 1L) is called before -the write and callback(b, BIO_CB_WRITE|BIO_CB_RETURN, in, inl, 0L, retvalue) +.IP "\fBBIO_write(b, data, dlen, written)\fR" 4 +.IX Item "BIO_write(b, data, dlen, written)" +.Vb 1 +\& callback_ex(b, BIO_CB_WRITE, data, dlen, 0, 0L, 1L, NULL) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_WRITE, datat, dlen, 0L, 1L) +.Ve +.Sp +is called before the write and +.Sp +.Vb 2 +\& callback_ex(b, BIO_CB_WRITE | BIO_CB_RETURN, data, dlen, 0, 0L, retvalue, +\& &written) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_WRITE|BIO_CB_RETURN, data, dlen, 0L, retvalue) +.Ve +.Sp after. -.IP "\fBBIO_gets(b, out, outl)\fR" 4 -.IX Item "BIO_gets(b, out, outl)" -callback(b, \s-1BIO_CB_GETS,\s0 out, outl, 0L, 1L) is called before -the operation and callback(b, BIO_CB_GETS|BIO_CB_RETURN, out, outl, 0L, retvalue) +.IP "\fBBIO_gets(b, buf, size)\fR" 4 +.IX Item "BIO_gets(b, buf, size)" +.Vb 1 +\& callback_ex(b, BIO_CB_GETS, buf, size, 0, 0L, 1, NULL, NULL) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_GETS, buf, size, 0L, 1L) +.Ve +.Sp +is called before the operation and +.Sp +.Vb 2 +\& callback_ex(b, BIO_CB_GETS | BIO_CB_RETURN, buf, size, 0, 0L, retvalue, +\& &readbytes) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_GETS|BIO_CB_RETURN, buf, size, 0L, retvalue) +.Ve +.Sp after. -.IP "\fBBIO_puts(b, in)\fR" 4 -.IX Item "BIO_puts(b, in)" -callback(b, \s-1BIO_CB_WRITE,\s0 in, 0, 0L, 1L) is called before -the operation and callback(b, BIO_CB_WRITE|BIO_CB_RETURN, in, 0, 0L, retvalue) +.IP "\fBBIO_puts(b, buf)\fR" 4 +.IX Item "BIO_puts(b, buf)" +.Vb 1 +\& callback_ex(b, BIO_CB_PUTS, buf, 0, 0, 0L, 1L, NULL); +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_PUTS, buf, 0, 0L, 1L) +.Ve +.Sp +is called before the operation and +.Sp +.Vb 1 +\& callback_ex(b, BIO_CB_PUTS | BIO_CB_RETURN, buf, 0, 0, 0L, retvalue, &written) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_PUTS|BIO_CB_RETURN, buf, 0, 0L, retvalue) +.Ve +.Sp after. .IP "\fBBIO_ctrl(\s-1BIO\s0 *b, int cmd, long larg, void *parg)\fR" 4 .IX Item "BIO_ctrl(BIO *b, int cmd, long larg, void *parg)" -callback(b,BIO_CB_CTRL,parg,cmd,larg,1L) is called before the call and -callback(b,BIO_CB_CTRL|BIO_CB_RETURN,parg,cmd, larg,ret) after. +.Vb 1 +\& callback_ex(b, BIO_CB_CTRL, parg, 0, cmd, larg, 1L, NULL) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_CTRL, parg, cmd, larg, 1L) +.Ve +.Sp +is called before the call and +.Sp +.Vb 1 +\& callback_ex(b, BIO_CB_CTRL | BIO_CB_RETURN, parg, 0, cmd, larg, ret, NULL) +.Ve +.Sp +or +.Sp +.Vb 1 +\& callback(b, BIO_CB_CTRL|BIO_CB_RETURN, parg, cmd, larg, ret) +.Ve +.Sp +after. +.Sp +Note: \fBcmd\fR == \fB\s-1BIO_CTRL_SET_CALLBACK\s0\fR is special, because \fBparg\fR is not the +argument of type \fBBIO_info_cb\fR itself. In this case \fBparg\fR is a pointer to +the actual call parameter, see \fBBIO_callback_ctrl\fR. .SH "EXAMPLE" .IX Header "EXAMPLE" The \fIBIO_debug_callback()\fR function is a good example, its source is in crypto/bio/bio_cb.c -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\s-1TBA\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_get_callback_ex()\fR and \fIBIO_get_callback()\fR return the callback function +previously set by a call to \fIBIO_set_callback_ex()\fR and \fIBIO_set_callback()\fR +respectively. +.PP +\&\fIBIO_get_callback_arg()\fR returns a \fBchar\fR pointer to the value previously set +via a call to \fIBIO_set_callback_arg()\fR. +.PP +\&\fIBIO_debug_callback()\fR returns 1 or \fBret\fR if it's called after specific \s-1BIO\s0 +operations. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BIO_should_retry.3 b/secure/lib/libcrypto/man/BIO_should_retry.3 index 826fd35a4422..e107c5c4605c 100644 --- a/secure/lib/libcrypto/man/BIO_should_retry.3 +++ b/secure/lib/libcrypto/man/BIO_should_retry.3 @@ -128,40 +128,33 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BIO_should_retry 3" -.TH BIO_should_retry 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BIO_SHOULD_RETRY 3" +.TH BIO_SHOULD_RETRY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BIO_should_retry, BIO_should_read, BIO_should_write, -BIO_should_io_special, BIO_retry_type, BIO_should_retry, -BIO_get_retry_BIO, BIO_get_retry_reason \- BIO retry functions +BIO_should_read, BIO_should_write, BIO_should_io_special, BIO_retry_type, BIO_should_retry, BIO_get_retry_BIO, BIO_get_retry_reason, BIO_set_retry_reason \- BIO retry functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& #define BIO_should_read(a) ((a)\->flags & BIO_FLAGS_READ) -\& #define BIO_should_write(a) ((a)\->flags & BIO_FLAGS_WRITE) -\& #define BIO_should_io_special(a) ((a)\->flags & BIO_FLAGS_IO_SPECIAL) -\& #define BIO_retry_type(a) ((a)\->flags & BIO_FLAGS_RWS) -\& #define BIO_should_retry(a) ((a)\->flags & BIO_FLAGS_SHOULD_RETRY) +\& int BIO_should_read(BIO *b); +\& int BIO_should_write(BIO *b); +\& int BIO_should_io_special(iBIO *b); +\& int BIO_retry_type(BIO *b); +\& int BIO_should_retry(BIO *b); \& -\& #define BIO_FLAGS_READ 0x01 -\& #define BIO_FLAGS_WRITE 0x02 -\& #define BIO_FLAGS_IO_SPECIAL 0x04 -\& #define BIO_FLAGS_RWS (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL) -\& #define BIO_FLAGS_SHOULD_RETRY 0x08 -\& -\& BIO * BIO_get_retry_BIO(BIO *bio, int *reason); -\& int BIO_get_retry_reason(BIO *bio); +\& BIO *BIO_get_retry_BIO(BIO *bio, int *reason); +\& int BIO_get_retry_reason(BIO *bio); +\& void BIO_set_retry_reason(BIO *bio, int reason); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" These functions determine why a \s-1BIO\s0 is not able to read or write data. -They will typically be called after a failed \fIBIO_read()\fR or \fIBIO_write()\fR +They will typically be called after a failed \fIBIO_read_ex()\fR or \fIBIO_write_ex()\fR call. .PP \&\fIBIO_should_retry()\fR is true if the call that produced this condition @@ -169,11 +162,13 @@ should then be retried at a later time. .PP If \fIBIO_should_retry()\fR is false then the cause is an error condition. .PP -\&\fIBIO_should_read()\fR is true if the cause of the condition is that a \s-1BIO\s0 -needs to read data. +\&\fIBIO_should_read()\fR is true if the cause of the condition is that the \s-1BIO\s0 +has insufficient data to return. Check for readability and/or retry the +last operation. .PP -\&\fIBIO_should_write()\fR is true if the cause of the condition is that a \s-1BIO\s0 -needs to read data. +\&\fIBIO_should_write()\fR is true if the cause of the condition is that the \s-1BIO\s0 +has pending data to write. Check for writability and/or retry the +last operation. .PP \&\fIBIO_should_io_special()\fR is true if some \*(L"special\*(R" condition, that is a reason other than reading or writing is the cause of the condition. @@ -184,18 +179,24 @@ consisting of the values \fB\s-1BIO_FLAGS_READ\s0\fR, \fB\s-1BIO_FLAGS_WRITE\s0\ these. .PP \&\fIBIO_get_retry_BIO()\fR determines the precise reason for the special -condition, it returns the \s-1BIO\s0 that caused this condition and if +condition, it returns the \s-1BIO\s0 that caused this condition and if \&\fBreason\fR is not \s-1NULL\s0 it contains the reason code. The meaning of the reason code and the action that should be taken depends on the type of \s-1BIO\s0 that resulted in this condition. .PP \&\fIBIO_get_retry_reason()\fR returns the reason for a special condition if passed the relevant \s-1BIO,\s0 for example as returned by \fIBIO_get_retry_BIO()\fR. +.PP +\&\fIBIO_set_retry_reason()\fR sets the retry reason for a special condition for a given +\&\s-1BIO.\s0 This would usually only be called by \s-1BIO\s0 implementations. .SH "NOTES" .IX Header "NOTES" +\&\fIBIO_should_read()\fR, \fIBIO_should_write()\fR, \fIBIO_should_io_special()\fR, +\&\fIBIO_retry_type()\fR, and \fIBIO_should_retry()\fR, are implemented as macros. +.PP If \fIBIO_should_retry()\fR returns false then the precise \*(L"error condition\*(R" depends on the \s-1BIO\s0 type that caused it and the return code of the \s-1BIO\s0 -operation. For example if a call to \fIBIO_read()\fR on a socket \s-1BIO\s0 returns +operation. For example if a call to \fIBIO_read_ex()\fR on a socket \s-1BIO\s0 returns 0 and \fIBIO_should_retry()\fR is false then the cause will be that the connection closed. A similar condition on a file \s-1BIO\s0 will mean that it has reached \s-1EOF.\s0 Some \s-1BIO\s0 types may place additional information on @@ -239,6 +240,30 @@ The OpenSSL \s-1ASN1\s0 functions cannot gracefully deal with non blocking I/O: that is they cannot retry after a partial read or write. This is usually worked around by only passing the relevant data to \s-1ASN1\s0 functions when the entire structure can be read or written. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBIO_should_read()\fR, \fIBIO_should_write()\fR, \fIBIO_should_io_special()\fR, and +\&\fIBIO_should_retry()\fR return either 1 or 0 based on the actual conditions +of the \fB\s-1BIO\s0\fR. +.PP +\&\fIBIO_retry_type()\fR returns a flag combination presenting the cause of a retry +condition or false if there is no retry condition. +.PP +\&\fIBIO_get_retry_BIO()\fR returns a valid \fB\s-1BIO\s0\fR structure. +.PP +\&\fIBIO_get_retry_reason()\fR returns the reason for a special condition. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\s-1TBA\s0 +bio +.SH "HISTORY" +.IX Header "HISTORY" +The \fIBIO_get_retry_reason()\fR and \fIBIO_set_retry_reason()\fR functions were added in +OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_BLINDING_new.3 b/secure/lib/libcrypto/man/BN_BLINDING_new.3 index 967bc0857d46..6bdbf13691b7 100644 --- a/secure/lib/libcrypto/man/BN_BLINDING_new.3 +++ b/secure/lib/libcrypto/man/BN_BLINDING_new.3 @@ -128,45 +128,44 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_BLINDING_new 3" -.TH BN_BLINDING_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_BLINDING_NEW 3" +.TH BN_BLINDING_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, -BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, -BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_thread_id, BN_BLINDING_get_flags, -BN_BLINDING_set_flags, BN_BLINDING_create_param \- blinding related BIGNUM -functions. +BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, BN_BLINDING_is_current_thread, BN_BLINDING_set_current_thread, BN_BLINDING_lock, BN_BLINDING_unlock, BN_BLINDING_get_flags, BN_BLINDING_set_flags, BN_BLINDING_create_param \- blinding related BIGNUM functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, -\& BIGNUM *mod); +\& BIGNUM *mod); \& void BN_BLINDING_free(BN_BLINDING *b); -\& int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx); +\& int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx); \& int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); \& int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); \& int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, -\& BN_CTX *ctx); +\& BN_CTX *ctx); \& int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, -\& BN_CTX *ctx); -\& #ifndef OPENSSL_NO_DEPRECATED -\& unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); -\& void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); -\& #endif -\& CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); +\& BN_CTX *ctx); +\& int BN_BLINDING_is_current_thread(BN_BLINDING *b); +\& void BN_BLINDING_set_current_thread(BN_BLINDING *b); +\& int BN_BLINDING_lock(BN_BLINDING *b); +\& int BN_BLINDING_unlock(BN_BLINDING *b); \& unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); \& void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); \& BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, -\& const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, -\& int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -\& const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), -\& BN_MONT_CTX *m_ctx); +\& const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, +\& int (*bn_mod_exp)(BIGNUM *r, +\& const BIGNUM *a, +\& const BIGNUM *p, +\& const BIGNUM *m, +\& BN_CTX *ctx, +\& BN_MONT_CTX *m_ctx), +\& BN_MONT_CTX *m_ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -174,6 +173,7 @@ functions. the \fBA\fR and \fBAi\fR values into the newly created \fB\s-1BN_BLINDING\s0\fR object. .PP \&\fIBN_BLINDING_free()\fR frees the \fB\s-1BN_BLINDING\s0\fR structure. +If \fBb\fR is \s-1NULL,\s0 nothing is done. .PP \&\fIBN_BLINDING_update()\fR updates the \fB\s-1BN_BLINDING\s0\fR parameters by squaring the \fBA\fR and \fBAi\fR or, after specific number of uses and if the @@ -190,11 +190,16 @@ the inverse blinding. functions for \fIBN_BLINDING_convert_ex()\fR and \fIBN_BLINDING_invert_ex()\fR with \fBr\fR set to \s-1NULL.\s0 .PP -\&\fIBN_BLINDING_thread_id()\fR provides access to the \fB\s-1CRYPTO_THREADID\s0\fR -object within the \fB\s-1BN_BLINDING\s0\fR structure. This is to help users -provide proper locking if needed for multi-threaded use. The \*(L"thread -id\*(R" object of a newly allocated \fB\s-1BN_BLINDING\s0\fR structure is -initialised to the thread id in which \fIBN_BLINDING_new()\fR was called. +\&\fIBN_BLINDING_is_current_thread()\fR returns whether the \fB\s-1BN_BLINDING\s0\fR +structure is owned by the current thread. This is to help users +provide proper locking if needed for multi-threaded use. +.PP +\&\fIBN_BLINDING_set_current_thread()\fR sets the current thread as the +owner of the \fB\s-1BN_BLINDING\s0\fR structure. +.PP +\&\fIBN_BLINDING_lock()\fR locks the \fB\s-1BN_BLINDING\s0\fR structure. +.PP +\&\fIBN_BLINDING_unlock()\fR unlocks the \fB\s-1BN_BLINDING\s0\fR structure. .PP \&\fIBN_BLINDING_get_flags()\fR returns the \s-1BN_BLINDING\s0 flags. Currently there are two supported flags: \fB\s-1BN_BLINDING_NO_UPDATE\s0\fR and @@ -218,25 +223,28 @@ or \s-1NULL\s0 in case of an error. \&\fIBN_BLINDING_convert_ex()\fR and \fIBN_BLINDING_invert_ex()\fR return 1 on success and 0 if an error occurred. .PP -\&\fIBN_BLINDING_thread_id()\fR returns a pointer to the thread id object -within a \fB\s-1BN_BLINDING\s0\fR object. +\&\fIBN_BLINDING_is_current_thread()\fR returns 1 if the current thread owns +the \fB\s-1BN_BLINDING\s0\fR object, 0 otherwise. +.PP +\&\fIBN_BLINDING_set_current_thread()\fR doesn't return anything. +.PP +\&\fIBN_BLINDING_lock()\fR, \fIBN_BLINDING_unlock()\fR return 1 if the operation +succeeded or 0 on error. .PP \&\fIBN_BLINDING_get_flags()\fR returns the currently set \fB\s-1BN_BLINDING\s0\fR flags (a \fBunsigned long\fR value). .PP -\&\fIBN_BLINDING_create_param()\fR returns the newly created \fB\s-1BN_BLINDING\s0\fR +\&\fIBN_BLINDING_create_param()\fR returns the newly created \fB\s-1BN_BLINDING\s0\fR parameters or \s-1NULL\s0 on error. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIbn\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it -deprecates BN_BLINDING_set_thread_id and BN_BLINDING_get_thread_id. +\&\fIBN_BLINDING_thread_id()\fR was first introduced in OpenSSL 1.0.0, and it +deprecates \fIBN_BLINDING_set_thread_id()\fR and \fIBN_BLINDING_get_thread_id()\fR. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2005\-2017 The OpenSSL Project Authors. All Rights Reserved. .PP -BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id, -BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags -and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8 -.SH "AUTHOR" -.IX Header "AUTHOR" -Nils Larsch for the OpenSSL project (http://www.openssl.org). +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_CTX_new.3 b/secure/lib/libcrypto/man/BN_CTX_new.3 index b34c8a3f16a5..c4827f416e8d 100644 --- a/secure/lib/libcrypto/man/BN_CTX_new.3 +++ b/secure/lib/libcrypto/man/BN_CTX_new.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_CTX_new 3" -.TH BN_CTX_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_CTX_NEW 3" +.TH BN_CTX_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_CTX_new, BN_CTX_init, BN_CTX_free \- allocate and free BN_CTX structures +BN_CTX_new, BN_CTX_secure_new, BN_CTX_free \- allocate and free BN_CTX structures .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,14 +143,10 @@ BN_CTX_new, BN_CTX_init, BN_CTX_free \- allocate and free BN_CTX structures \& \& BN_CTX *BN_CTX_new(void); \& +\& BN_CTX *BN_CTX_secure_new(void); +\& \& void BN_CTX_free(BN_CTX *c); .Ve -.PP -Deprecated: -.PP -.Vb 1 -\& void BN_CTX_init(BN_CTX *c); -.Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" A \fB\s-1BN_CTX\s0\fR is a structure that holds \fB\s-1BIGNUM\s0\fR temporary variables used by @@ -158,29 +154,56 @@ library functions. Since dynamic memory allocation to create \fB\s-1BIGNUM\s0\fR is rather expensive when used in conjunction with repeated subroutine calls, the \fB\s-1BN_CTX\s0\fR structure is used. .PP -\&\fIBN_CTX_new()\fR allocates and initializes a \fB\s-1BN_CTX\s0\fR -structure. +\&\fIBN_CTX_new()\fR allocates and initializes a \fB\s-1BN_CTX\s0\fR structure. +\&\fIBN_CTX_secure_new()\fR allocates and initializes a \fB\s-1BN_CTX\s0\fR structure +but uses the secure heap (see \fICRYPTO_secure_malloc\fR\|(3)) to hold the +\&\fB\s-1BIGNUM\s0\fRs. .PP -\&\fIBN_CTX_free()\fR frees the components of the \fB\s-1BN_CTX\s0\fR, and if it was -created by \fIBN_CTX_new()\fR, also the structure itself. -If \fIBN_CTX_start\fR\|(3) has been used on the \fB\s-1BN_CTX\s0\fR, -\&\fIBN_CTX_end\fR\|(3) must be called before the \fB\s-1BN_CTX\s0\fR -may be freed by \fIBN_CTX_free()\fR. +\&\fIBN_CTX_free()\fR frees the components of the \fB\s-1BN_CTX\s0\fR and the structure itself. +Since \fIBN_CTX_start()\fR is required in order to obtain \fB\s-1BIGNUM\s0\fRs from the +\&\fB\s-1BN_CTX\s0\fR, in most cases \fIBN_CTX_end()\fR must be called before the \fB\s-1BN_CTX\s0\fR may +be freed by \fIBN_CTX_free()\fR. If \fBc\fR is \s-1NULL,\s0 nothing is done. .PP -\&\fIBN_CTX_init()\fR (deprecated) initializes an existing uninitialized \fB\s-1BN_CTX\s0\fR. -This should not be used for new programs. Use \fIBN_CTX_new()\fR instead. +A given \fB\s-1BN_CTX\s0\fR must only be used by a single thread of execution. No +locking is performed, and the internal pool allocator will not properly handle +multiple threads of execution. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIBN_CTX_new()\fR returns a pointer to the \fB\s-1BN_CTX\s0\fR. If the allocation fails, -it returns \fB\s-1NULL\s0\fR and sets an error code that can be obtained by +\&\fIBN_CTX_new()\fR and \fIBN_CTX_secure_new()\fR return a pointer to the \fB\s-1BN_CTX\s0\fR. +If the allocation fails, +they return \fB\s-1NULL\s0\fR and sets an error code that can be obtained by \&\fIERR_get_error\fR\|(3). .PP -\&\fIBN_CTX_init()\fR and \fIBN_CTX_free()\fR have no return values. +\&\fIBN_CTX_free()\fR has no return values. +.SH "REMOVED FUNCTIONALITY" +.IX Header "REMOVED FUNCTIONALITY" +.Vb 1 +\& void BN_CTX_init(BN_CTX *c); +.Ve +.PP +\&\fIBN_CTX_init()\fR is no longer available as of OpenSSL 1.1.0. Applications should +replace use of BN_CTX_init with BN_CTX_new instead: +.PP +.Vb 6 +\& BN_CTX *ctx; +\& ctx = BN_CTX_new(); +\& if (!ctx) +\& /* error */ +\& ... +\& BN_CTX_free(ctx); +.Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3), +\&\fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3), \&\fIBN_CTX_start\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIBN_CTX_new()\fR and \fIBN_CTX_free()\fR are available in all versions on SSLeay -and OpenSSL. \fIBN_CTX_init()\fR was added in SSLeay 0.9.1b. +\&\fIBN_CTX_init()\fR was removed in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_CTX_start.3 b/secure/lib/libcrypto/man/BN_CTX_start.3 index df7c39bf83f9..89397f4d2b34 100644 --- a/secure/lib/libcrypto/man/BN_CTX_start.3 +++ b/secure/lib/libcrypto/man/BN_CTX_start.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_CTX_start 3" -.TH BN_CTX_start 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_CTX_START 3" +.TH BN_CTX_START 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -174,6 +174,11 @@ can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIBN_CTX_new\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_CTX_start()\fR, \fIBN_CTX_get()\fR and \fIBN_CTX_end()\fR were added in OpenSSL 0.9.5. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_add.3 b/secure/lib/libcrypto/man/BN_add.3 index 9396447a55f1..b92fd09daec3 100644 --- a/secure/lib/libcrypto/man/BN_add.3 +++ b/secure/lib/libcrypto/man/BN_add.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_add 3" -.TH BN_add 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_ADD 3" +.TH BN_ADD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, -BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd \- -arithmetic operations on BIGNUMs +BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd \- arithmetic operations on BIGNUMs .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -152,27 +150,27 @@ arithmetic operations on BIGNUMs \& int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx); \& \& int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d, -\& BN_CTX *ctx); +\& BN_CTX *ctx); \& \& int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); \& \& int BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); \& \& int BN_mod_add(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m, -\& BN_CTX *ctx); +\& BN_CTX *ctx); \& \& int BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m, -\& BN_CTX *ctx); +\& BN_CTX *ctx); \& \& int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m, -\& BN_CTX *ctx); +\& BN_CTX *ctx); \& \& int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); \& \& int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); \& \& int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, -\& const BIGNUM *m, BN_CTX *ctx); +\& const BIGNUM *m, BN_CTX *ctx); \& \& int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); .Ve @@ -182,6 +180,7 @@ arithmetic operations on BIGNUMs \&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR. .PP \&\fIBN_sub()\fR subtracts \fIb\fR from \fIa\fR and places the result in \fIr\fR (\f(CW\*(C`r=a\-b\*(C'\fR). +\&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR. .PP \&\fIBN_mul()\fR multiplies \fIa\fR and \fIb\fR and places the result in \fIr\fR (\f(CW\*(C`r=a*b\*(C'\fR). \&\fIr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fIa\fR or \fIb\fR. @@ -244,13 +243,13 @@ value should always be checked (e.g., \f(CW\*(C`if (!BN_add(r,a,b)) goto err;\*( The error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIBN_CTX_new\fR\|(3), +\&\fIERR_get_error\fR\|(3), \fIBN_CTX_new\fR\|(3), \&\fIBN_add_word\fR\|(3), \fIBN_set_bit\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_add()\fR, \fIBN_sub()\fR, \fIBN_sqr()\fR, \fIBN_div()\fR, \fIBN_mod()\fR, \fIBN_mod_mul()\fR, -\&\fIBN_mod_exp()\fR and \fIBN_gcd()\fR are available in all versions of SSLeay and -OpenSSL. The \fIctx\fR argument to \fIBN_mul()\fR was added in SSLeay -0.9.1b. \fIBN_exp()\fR appeared in SSLeay 0.9.0. -\&\fIBN_nnmod()\fR, \fIBN_mod_add()\fR, \fIBN_mod_sub()\fR, and \fIBN_mod_sqr()\fR were added in -OpenSSL 0.9.7. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_add_word.3 b/secure/lib/libcrypto/man/BN_add_word.3 index 471cfb9abcbb..18e1677cffe3 100644 --- a/secure/lib/libcrypto/man/BN_add_word.3 +++ b/secure/lib/libcrypto/man/BN_add_word.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_add_word 3" -.TH BN_add_word 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_ADD_WORD 3" +.TH BN_ADD_WORD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_add_word, BN_sub_word, BN_mul_word, BN_div_word, BN_mod_word \- arithmetic -functions on BIGNUMs with integers +BN_add_word, BN_sub_word, BN_mul_word, BN_div_word, BN_mod_word \- arithmetic functions on BIGNUMs with integers .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -178,12 +177,12 @@ on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). \&\fB(\s-1BN_ULONG\s0)\-1\fR if an error occurred. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_add_word()\fR and \fIBN_mod_word()\fR are available in all versions of -SSLeay and OpenSSL. \fIBN_div_word()\fR was added in SSLeay 0.8, and -\&\fIBN_sub_word()\fR and \fIBN_mul_word()\fR in SSLeay 0.9.0. +\&\fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. .PP -Before 0.9.8a the return value for \fIBN_div_word()\fR and \fIBN_mod_word()\fR -in case of an error was 0. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_bn2bin.3 b/secure/lib/libcrypto/man/BN_bn2bin.3 index ad666c6de492..36c461a90526 100644 --- a/secure/lib/libcrypto/man/BN_bn2bin.3 +++ b/secure/lib/libcrypto/man/BN_bn2bin.3 @@ -128,23 +128,26 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_bn2bin 3" -.TH BN_bn2bin 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_BN2BIN 3" +.TH BN_BN2BIN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_bn2bin, BN_bin2bn, BN_bn2hex, BN_bn2dec, BN_hex2bn, BN_dec2bn, -BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn \- format conversions +BN_bn2binpad, BN_bn2bin, BN_bin2bn, BN_bn2lebinpad, BN_lebin2bn, BN_bn2hex, BN_bn2dec, BN_hex2bn, BN_dec2bn, BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn \- format conversions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int BN_bn2bin(const BIGNUM *a, unsigned char *to); +\& int BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen); \& BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret); \& +\& int BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen); +\& BIGNUM *BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret); +\& \& char *BN_bn2hex(const BIGNUM *a); \& char *BN_bn2dec(const BIGNUM *a); \& int BN_hex2bn(BIGNUM **a, const char *str); @@ -162,20 +165,28 @@ BN_print, BN_print_fp, BN_bn2mpi, BN_mpi2bn \- format conversions and stores it at \fBto\fR. \fBto\fR must point to BN_num_bytes(\fBa\fR) bytes of memory. .PP +\&\fIBN_bn2binpad()\fR also converts the absolute value of \fBa\fR into big-endian form +and stores it at \fBto\fR. \fBtolen\fR indicates the length of the output buffer +\&\fBto\fR. The result is padded with zeroes if necessary. If \fBtolen\fR is less than +BN_num_bytes(\fBa\fR) an error is returned. +.PP \&\fIBN_bin2bn()\fR converts the positive integer in big-endian form of length \&\fBlen\fR at \fBs\fR into a \fB\s-1BIGNUM\s0\fR and places it in \fBret\fR. If \fBret\fR is \&\s-1NULL,\s0 a new \fB\s-1BIGNUM\s0\fR is created. .PP +\&\fIBN_bn2lebinpad()\fR and \fIBN_lebin2bn()\fR are identical to \fIBN_bn2binpad()\fR and +\&\fIBN_bin2bn()\fR except the buffer is in little-endian format. +.PP \&\fIBN_bn2hex()\fR and \fIBN_bn2dec()\fR return printable strings containing the hexadecimal and decimal encoding of \fBa\fR respectively. For negative numbers, the string is prefaced with a leading '\-'. The string must be freed later using \fIOPENSSL_free()\fR. .PP -\&\fIBN_hex2bn()\fR converts the string \fBstr\fR containing a hexadecimal number -to a \fB\s-1BIGNUM\s0\fR and stores it in **\fBa\fR. If *\fBa\fR is \s-1NULL,\s0 a new -\&\fB\s-1BIGNUM\s0\fR is created. If \fBa\fR is \s-1NULL,\s0 it only computes the number's -length in hexadecimal digits. If the string starts with '\-', the -number is negative. +\&\fIBN_hex2bn()\fR takes as many characters as possible from the string \fBstr\fR, +including the leading character '\-' which means negative, to form a valid +hexadecimal number representation and converts them to a \fB\s-1BIGNUM\s0\fR and +stores it in **\fBa\fR. If *\fBa\fR is \s-1NULL,\s0 a new \fB\s-1BIGNUM\s0\fR is created. If +\&\fBa\fR is \s-1NULL,\s0 it only computes the length of valid representation. A \*(L"negative zero\*(R" is converted to zero. \&\fIBN_dec2bn()\fR is the same using the decimal system. .PP @@ -201,6 +212,9 @@ if \fBret\fR is \s-1NULL.\s0 \&\fIBN_bn2bin()\fR returns the length of the big-endian number placed at \fBto\fR. \&\fIBN_bin2bn()\fR returns the \fB\s-1BIGNUM\s0\fR, \s-1NULL\s0 on error. .PP +\&\fIBN_bn2binpad()\fR returns the number of bytes written or \-1 if the supplied +buffer is too small. +.PP \&\fIBN_bn2hex()\fR and \fIBN_bn2dec()\fR return a null-terminated string, or \s-1NULL\s0 on error. \fIBN_hex2bn()\fR and \fIBN_dec2bn()\fR return the number of characters used in parsing, or 0 on error, in which @@ -214,13 +228,14 @@ returns the \fB\s-1BIGNUM\s0\fR, and \s-1NULL\s0 on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIBN_zero\fR\|(3), +\&\fIERR_get_error\fR\|(3), \fIBN_zero\fR\|(3), \&\fIASN1_INTEGER_to_BN\fR\|(3), \&\fIBN_num_bytes\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_bn2bin()\fR, \fIBN_bin2bn()\fR, \fIBN_print_fp()\fR and \fIBN_print()\fR are available -in all versions of SSLeay and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIBN_bn2hex()\fR, \fIBN_bn2dec()\fR, \fIBN_hex2bn()\fR, \fIBN_dec2bn()\fR, \fIBN_bn2mpi()\fR and -\&\fIBN_mpi2bn()\fR were added in SSLeay 0.9.0. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_cmp.3 b/secure/lib/libcrypto/man/BN_cmp.3 index 12f2df0325e8..d47db6d83780 100644 --- a/secure/lib/libcrypto/man/BN_cmp.3 +++ b/secure/lib/libcrypto/man/BN_cmp.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_cmp 3" -.TH BN_cmp 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_CMP 3" +.TH BN_CMP 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -166,11 +166,11 @@ of \fBa\fR and \fBb\fR. .PP \&\fIBN_is_zero()\fR, \fIBN_is_one()\fR \fIBN_is_word()\fR and \fIBN_is_odd()\fR return 1 if the condition is true, 0 otherwise. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIbn\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_cmp()\fR, \fIBN_ucmp()\fR, \fIBN_is_zero()\fR, \fIBN_is_one()\fR and \fIBN_is_word()\fR are -available in all versions of SSLeay and OpenSSL. -\&\fIBN_is_odd()\fR was added in SSLeay 0.8. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_copy.3 b/secure/lib/libcrypto/man/BN_copy.3 index 8cdabc632454..353be4ecd49a 100644 --- a/secure/lib/libcrypto/man/BN_copy.3 +++ b/secure/lib/libcrypto/man/BN_copy.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_copy 3" -.TH BN_copy 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_COPY 3" +.TH BN_COPY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_copy, BN_dup \- copy BIGNUMs +BN_copy, BN_dup, BN_with_flags \- copy BIGNUMs .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -144,11 +144,31 @@ BN_copy, BN_dup \- copy BIGNUMs \& BIGNUM *BN_copy(BIGNUM *to, const BIGNUM *from); \& \& BIGNUM *BN_dup(const BIGNUM *from); +\& +\& void BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIBN_copy()\fR copies \fBfrom\fR to \fBto\fR. \fIBN_dup()\fR creates a new \fB\s-1BIGNUM\s0\fR containing the value \fBfrom\fR. +.PP +BN_with_flags creates a \fBtemporary\fR shallow copy of \fBb\fR in \fBdest\fR. It places +significant restrictions on the copied data. Applications that do no adhere to +these restrictions may encounter unexpected side effects or crashes. For that +reason use of this function is discouraged. Any flags provided in \fBflags\fR will +be set in \fBdest\fR in addition to any flags already set in \fBb\fR. For example this +might commonly be used to create a temporary copy of a \s-1BIGNUM\s0 with the +\&\fB\s-1BN_FLG_CONSTTIME\s0\fR flag set for constant time operations. The temporary copy in +\&\fBdest\fR will share some internal state with \fBb\fR. For this reason the following +restrictions apply to the use of \fBdest\fR: +.IP "\(bu" 2 +\&\fBdest\fR should be a newly allocated \s-1BIGNUM\s0 obtained via a call to \fIBN_new()\fR. It +should not have been used for other purposes or initialised in any way. +.IP "\(bu" 2 +\&\fBdest\fR must only be used in \*(L"read-only\*(R" operations, i.e. typically those +functions where the relevant parameter is declared \*(L"const\*(R". +.IP "\(bu" 2 +\&\fBdest\fR must be used and freed before any further subsequent use of \fBb\fR .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBN_copy()\fR returns \fBto\fR on success, \s-1NULL\s0 on error. \fIBN_dup()\fR returns @@ -156,7 +176,12 @@ the new \fB\s-1BIGNUM\s0\fR, and \s-1NULL\s0 on error. The error codes can be ob by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_copy()\fR and \fIBN_dup()\fR are available in all versions of SSLeay and OpenSSL. +\&\fIERR_get_error\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_generate_prime.3 b/secure/lib/libcrypto/man/BN_generate_prime.3 index 843860e1b36f..bc73c105e8dc 100644 --- a/secure/lib/libcrypto/man/BN_generate_prime.3 +++ b/secure/lib/libcrypto/man/BN_generate_prime.3 @@ -128,64 +128,76 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_generate_prime 3" -.TH BN_generate_prime 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_GENERATE_PRIME 3" +.TH BN_GENERATE_PRIME 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_generate_prime_ex, BN_is_prime_ex, BN_is_prime_fasttest_ex, BN_GENCB_call, -BN_GENCB_set_old, BN_GENCB_set, BN_generate_prime, BN_is_prime, -BN_is_prime_fasttest \- generate primes and test for primality +BN_generate_prime_ex, BN_is_prime_ex, BN_is_prime_fasttest_ex, BN_GENCB_call, BN_GENCB_new, BN_GENCB_free, BN_GENCB_set_old, BN_GENCB_set, BN_GENCB_get_arg, BN_generate_prime, BN_is_prime, BN_is_prime_fasttest \- generate primes and test for primality .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int BN_generate_prime_ex(BIGNUM *ret,int bits,int safe, const BIGNUM *add, -\& const BIGNUM *rem, BN_GENCB *cb); +\& int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, +\& const BIGNUM *rem, BN_GENCB *cb); \& -\& int BN_is_prime_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, BN_GENCB *cb); +\& int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb); \& -\& int BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, -\& int do_trial_division, BN_GENCB *cb); +\& int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, +\& int do_trial_division, BN_GENCB *cb); \& \& int BN_GENCB_call(BN_GENCB *cb, int a, int b); \& -\& #define BN_GENCB_set_old(gencb, callback, cb_arg) ... +\& BN_GENCB *BN_GENCB_new(void); \& -\& #define BN_GENCB_set(gencb, callback, cb_arg) ... +\& void BN_GENCB_free(BN_GENCB *cb); +\& +\& void BN_GENCB_set_old(BN_GENCB *gencb, +\& void (*callback)(int, int, void *), void *cb_arg); +\& +\& void BN_GENCB_set(BN_GENCB *gencb, +\& int (*callback)(int, int, BN_GENCB *), void *cb_arg); +\& +\& void *BN_GENCB_get_arg(BN_GENCB *cb); .Ve .PP Deprecated: .PP -.Vb 2 +.Vb 4 +\& #if OPENSSL_API_COMPAT < 0x00908000L \& BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add, -\& BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); +\& BIGNUM *rem, void (*callback)(int, int, void *), +\& void *cb_arg); \& -\& int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, -\& void *), BN_CTX *ctx, void *cb_arg); +\& int BN_is_prime(const BIGNUM *a, int checks, +\& void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg); \& \& int BN_is_prime_fasttest(const BIGNUM *a, int checks, -\& void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg, -\& int do_trial_division); +\& void (*callback)(int, int, void *), BN_CTX *ctx, +\& void *cb_arg, int do_trial_division); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIBN_generate_prime_ex()\fR generates a pseudo-random prime number of -bit length \fBbits\fR. +at least bit length \fBbits\fR. If \fBret\fR is not \fB\s-1NULL\s0\fR, it will be used to store the number. .PP If \fBcb\fR is not \fB\s-1NULL\s0\fR, it is used as follows: -.IP "\(bu" 4 +.IP "\(bu" 2 \&\fBBN_GENCB_call(cb, 0, i)\fR is called after generating the i\-th potential prime number. -.IP "\(bu" 4 +.IP "\(bu" 2 While the number is being tested for primality, \&\fBBN_GENCB_call(cb, 1, j)\fR is called as described below. -.IP "\(bu" 4 +.IP "\(bu" 2 When a prime has been found, \fBBN_GENCB_call(cb, 2, i)\fR is called. +.IP "\(bu" 2 +The callers of \fIBN_generate_prime_ex()\fR may call \fBBN_GENCB_call(cb, i, j)\fR with +other values as described in their respective man pages; see \*(L"\s-1SEE ALSO\*(R"\s0. .PP The prime may have to fulfill additional requirements for use in Diffie-Hellman key exchange: @@ -231,29 +243,35 @@ after the j\-th iteration (j = 0, 1, ...). \fBctx\fR is a pre-allocated \fB\s-1BN_CTX\s0\fR (to save the overhead of allocating and freeing the structure in a loop), or \fB\s-1NULL\s0\fR. .PP -BN_GENCB_call calls the callback function held in the \fB\s-1BN_GENCB\s0\fR structure +\&\fIBN_GENCB_call()\fR calls the callback function held in the \fB\s-1BN_GENCB\s0\fR structure and passes the ints \fBa\fR and \fBb\fR as arguments. There are two types of \&\fB\s-1BN_GENCB\s0\fR structure that are supported: \*(L"new\*(R" style and \*(L"old\*(R" style. New programs should prefer the \*(L"new\*(R" style, whilst the \*(L"old\*(R" style is provided for backwards compatibility purposes. .PP +A \fB\s-1BN_GENCB\s0\fR structure should be created through a call to \fIBN_GENCB_new()\fR, +and freed through a call to \fIBN_GENCB_free()\fR. +.PP For \*(L"new\*(R" style callbacks a \s-1BN_GENCB\s0 structure should be initialised with a -call to BN_GENCB_set, where \fBgencb\fR is a \fB\s-1BN_GENCB\s0 *\fR, \fBcallback\fR is of +call to \fIBN_GENCB_set()\fR, where \fBgencb\fR is a \fB\s-1BN_GENCB\s0 *\fR, \fBcallback\fR is of type \fBint (*callback)(int, int, \s-1BN_GENCB\s0 *)\fR and \fBcb_arg\fR is a \fBvoid *\fR. \&\*(L"Old\*(R" style callbacks are the same except they are initialised with a call -to BN_GENCB_set_old and \fBcallback\fR is of type +to \fIBN_GENCB_set_old()\fR and \fBcallback\fR is of type \&\fBvoid (*callback)(int, int, void *)\fR. .PP A callback is invoked through a call to \fBBN_GENCB_call\fR. This will check the type of the callback and will invoke \fBcallback(a, b, gencb)\fR for new style callbacks or \fBcallback(a, b, cb_arg)\fR for old style. .PP -BN_generate_prime (deprecated) works in the same way as -BN_generate_prime_ex but expects an old style callback function +It is possible to obtain the argument associated with a \s-1BN_GENCB\s0 structure +(set via a call to BN_GENCB_set or BN_GENCB_set_old) using BN_GENCB_get_arg. +.PP +\&\fIBN_generate_prime()\fR (deprecated) works in the same way as +\&\fIBN_generate_prime_ex()\fR but expects an old-style callback function directly in the \fBcallback\fR parameter, and an argument to pass to it in -the \fBcb_arg\fR. Similarly BN_is_prime and BN_is_prime_fasttest are -deprecated and can be compared to BN_is_prime_ex and -BN_is_prime_fasttest_ex respectively. +the \fBcb_arg\fR. \fIBN_is_prime()\fR and \fIBN_is_prime_fasttest()\fR +can similarly be compared to \fIBN_is_prime_ex()\fR and +\&\fIBN_is_prime_fasttest_ex()\fR, respectively. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBN_generate_prime_ex()\fR return 1 on success or 0 on error. @@ -265,15 +283,47 @@ prime with an error probability of less than 0.25^\fBnchecks\fR, and .PP \&\fIBN_generate_prime()\fR returns the prime number on success, \fB\s-1NULL\s0\fR otherwise. .PP +BN_GENCB_new returns a pointer to a \s-1BN_GENCB\s0 structure on success, or \fB\s-1NULL\s0\fR +otherwise. +.PP +BN_GENCB_get_arg returns the argument previously associated with a \s-1BN_GENCB\s0 +structure. +.PP Callback functions should return 1 on success or 0 on error. .PP The error codes can be obtained by \fIERR_get_error\fR\|(3). +.SH "REMOVED FUNCTIONALITY" +.IX Header "REMOVED FUNCTIONALITY" +As of OpenSSL 1.1.0 it is no longer possible to create a \s-1BN_GENCB\s0 structure +directly, as in: +.PP +.Vb 1 +\& BN_GENCB callback; +.Ve +.PP +Instead applications should create a \s-1BN_GENCB\s0 structure using BN_GENCB_new: +.PP +.Vb 6 +\& BN_GENCB *callback; +\& callback = BN_GENCB_new(); +\& if (!callback) +\& /* error */ +\& ... +\& BN_GENCB_free(callback); +.Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3) +\&\fIDH_generate_parameters\fR\|(3), \fIDSA_generate_parameters\fR\|(3), +\&\fIRSA_generate_key\fR\|(3), \fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -The \fBcb_arg\fR arguments to \fIBN_generate_prime()\fR and to \fIBN_is_prime()\fR -were added in SSLeay 0.9.0. The \fBret\fR argument to \fIBN_generate_prime()\fR -was added in SSLeay 0.9.1. -\&\fIBN_is_prime_fasttest()\fR was added in OpenSSL 0.9.5. +\&\fIBN_GENCB_new()\fR, \fIBN_GENCB_free()\fR, +and \fIBN_GENCB_get_arg()\fR were added in OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_mod_inverse.3 b/secure/lib/libcrypto/man/BN_mod_inverse.3 index 24fc1c4928d2..3d04fb8b72a5 100644 --- a/secure/lib/libcrypto/man/BN_mod_inverse.3 +++ b/secure/lib/libcrypto/man/BN_mod_inverse.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_mod_inverse 3" -.TH BN_mod_inverse 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_MOD_INVERSE 3" +.TH BN_MOD_INVERSE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,7 +142,7 @@ BN_mod_inverse \- compute inverse modulo n \& #include \& \& BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n, -\& BN_CTX *ctx); +\& BN_CTX *ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -158,7 +158,12 @@ variables. \fBr\fR may be the same \fB\s-1BIGNUM\s0\fR as \fBa\fR or \fBn\fR. \&\s-1NULL\s0 on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_mod_inverse()\fR is available in all versions of SSLeay and OpenSSL. +\&\fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 b/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 index fa413e5fd521..c6bd62cf6af0 100644 --- a/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 +++ b/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 @@ -128,36 +128,33 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_mod_mul_montgomery 3" -.TH BN_mod_mul_montgomery 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_MOD_MUL_MONTGOMERY 3" +.TH BN_MOD_MUL_MONTGOMERY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_mod_mul_montgomery, BN_MONT_CTX_new, BN_MONT_CTX_init, -BN_MONT_CTX_free, BN_MONT_CTX_set, BN_MONT_CTX_copy, -BN_from_montgomery, BN_to_montgomery \- Montgomery multiplication +BN_mod_mul_montgomery, BN_MONT_CTX_new, BN_MONT_CTX_free, BN_MONT_CTX_set, BN_MONT_CTX_copy, BN_from_montgomery, BN_to_montgomery \- Montgomery multiplication .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& BN_MONT_CTX *BN_MONT_CTX_new(void); -\& void BN_MONT_CTX_init(BN_MONT_CTX *ctx); \& void BN_MONT_CTX_free(BN_MONT_CTX *mont); \& \& int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx); \& BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from); \& \& int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b, -\& BN_MONT_CTX *mont, BN_CTX *ctx); +\& BN_MONT_CTX *mont, BN_CTX *ctx); \& \& int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont, -\& BN_CTX *ctx); +\& BN_CTX *ctx); \& \& int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont, -\& BN_CTX *ctx); +\& BN_CTX *ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -167,7 +164,6 @@ but they may be useful when several operations are to be performed using the same modulus. .PP \&\fIBN_MONT_CTX_new()\fR allocates and initializes a \fB\s-1BN_MONT_CTX\s0\fR structure. -\&\fIBN_MONT_CTX_init()\fR initializes an existing uninitialized \fB\s-1BN_MONT_CTX\s0\fR. .PP \&\fIBN_MONT_CTX_set()\fR sets up the \fImont\fR structure from the modulus \fIm\fR by precomputing its inverse and a value R. @@ -176,6 +172,7 @@ by precomputing its inverse and a value R. .PP \&\fIBN_MONT_CTX_free()\fR frees the components of the \fB\s-1BN_MONT_CTX\s0\fR, and, if it was created by \fIBN_MONT_CTX_new()\fR, also the structure itself. +If \fBmont\fR is \s-1NULL,\s0 nothing is done. .PP \&\fIBN_mod_mul_montgomery()\fR computes Mont(\fIa\fR,\fIb\fR):=\fIa\fR*\fIb\fR*R^\-1 and places the result in \fIr\fR. @@ -187,29 +184,12 @@ Note that \fIa\fR must be non-negative and smaller than the modulus. .PP For all functions, \fIctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for temporary variables. -.PP -The \fB\s-1BN_MONT_CTX\s0\fR structure is defined as follows: -.PP -.Vb 10 -\& typedef struct bn_mont_ctx_st -\& { -\& int ri; /* number of bits in R */ -\& BIGNUM RR; /* R^2 (used to convert to Montgomery form) */ -\& BIGNUM N; /* The modulus */ -\& BIGNUM Ni; /* R*(1/R mod N) \- N*Ni = 1 -\& * (Ni is only stored for bignum algorithm) */ -\& BN_ULONG n0; /* least significant word of Ni */ -\& int flags; -\& } BN_MONT_CTX; -.Ve -.PP -\&\fIBN_to_montgomery()\fR is a macro. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBN_MONT_CTX_new()\fR returns the newly allocated \fB\s-1BN_MONT_CTX\s0\fR, and \s-1NULL\s0 on error. .PP -\&\fIBN_MONT_CTX_init()\fR and \fIBN_MONT_CTX_free()\fR have no return values. +\&\fIBN_MONT_CTX_free()\fR has no return value. .PP For the other functions, 1 is returned for success, 0 on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). @@ -219,12 +199,16 @@ The inputs must be reduced modulo \fBm\fR, otherwise the result will be outside the expected range. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3), +\&\fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3), \&\fIBN_CTX_new\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIBN_MONT_CTX_new()\fR, \fIBN_MONT_CTX_free()\fR, \fIBN_MONT_CTX_set()\fR, -\&\fIBN_mod_mul_montgomery()\fR, \fIBN_from_montgomery()\fR and \fIBN_to_montgomery()\fR -are available in all versions of SSLeay and OpenSSL. +\&\fIBN_MONT_CTX_init()\fR was removed in OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIBN_MONT_CTX_init()\fR and \fIBN_MONT_CTX_copy()\fR were added in SSLeay 0.9.1b. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 b/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 index 86387ce0b4cd..8d177927867b 100644 --- a/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 +++ b/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 @@ -128,32 +128,29 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_mod_mul_reciprocal 3" -.TH BN_mod_mul_reciprocal 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_MOD_MUL_RECIPROCAL 3" +.TH BN_MOD_MUL_RECIPROCAL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_mod_mul_reciprocal, BN_div_recp, BN_RECP_CTX_new, BN_RECP_CTX_init, -BN_RECP_CTX_free, BN_RECP_CTX_set \- modular multiplication using -reciprocal +BN_mod_mul_reciprocal, BN_div_recp, BN_RECP_CTX_new, BN_RECP_CTX_free, BN_RECP_CTX_set \- modular multiplication using reciprocal .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& BN_RECP_CTX *BN_RECP_CTX_new(void); -\& void BN_RECP_CTX_init(BN_RECP_CTX *recp); \& void BN_RECP_CTX_free(BN_RECP_CTX *recp); \& \& int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx); \& \& int BN_div_recp(BIGNUM *dv, BIGNUM *rem, BIGNUM *a, BN_RECP_CTX *recp, -\& BN_CTX *ctx); +\& BN_CTX *ctx); \& \& int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b, -\& BN_RECP_CTX *recp, BN_CTX *ctx); +\& BN_RECP_CTX *recp, BN_CTX *ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -164,10 +161,10 @@ using \fBrecp\fR=1/\fBm\fR, which is set as described below. \fBctx\fR is a previously allocated \fB\s-1BN_CTX\s0\fR used for temporary variables. .PP \&\fIBN_RECP_CTX_new()\fR allocates and initializes a \fB\s-1BN_RECP\s0\fR structure. -\&\fIBN_RECP_CTX_init()\fR initializes an existing uninitialized \fB\s-1BN_RECP\s0\fR. .PP \&\fIBN_RECP_CTX_free()\fR frees the components of the \fB\s-1BN_RECP\s0\fR, and, if it was created by \fIBN_RECP_CTX_new()\fR, also the structure itself. +If \fBrecp\fR is \s-1NULL,\s0 nothing is done. .PP \&\fIBN_RECP_CTX_set()\fR stores \fBm\fR in \fBrecp\fR and sets it up for computing 1/\fBm\fR and shifting it left by BN_num_bits(\fBm\fR)+1 to make it an @@ -177,35 +174,28 @@ later be stored in \fBrecp\fR. \&\fIBN_div_recp()\fR divides \fBa\fR by \fBm\fR using \fBrecp\fR. It places the quotient in \fBdv\fR and the remainder in \fBrem\fR. .PP -The \fB\s-1BN_RECP_CTX\s0\fR structure is defined as follows: -.PP -.Vb 8 -\& typedef struct bn_recp_ctx_st -\& { -\& BIGNUM N; /* the divisor */ -\& BIGNUM Nr; /* the reciprocal */ -\& int num_bits; -\& int shift; -\& int flags; -\& } BN_RECP_CTX; -.Ve -.PP -It cannot be shared between threads. +The \fB\s-1BN_RECP_CTX\s0\fR structure cannot be shared between threads. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBN_RECP_CTX_new()\fR returns the newly allocated \fB\s-1BN_RECP_CTX\s0\fR, and \s-1NULL\s0 on error. .PP -\&\fIBN_RECP_CTX_init()\fR and \fIBN_RECP_CTX_free()\fR have no return values. +\&\fIBN_RECP_CTX_free()\fR has no return value. .PP For the other functions, 1 is returned for success, 0 on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3), +\&\fIERR_get_error\fR\|(3), \fIBN_add\fR\|(3), \&\fIBN_CTX_new\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fB\s-1BN_RECP_CTX\s0\fR was added in SSLeay 0.9.0. Before that, the function -\&\fIBN_reciprocal()\fR was used instead, and the \fIBN_mod_mul_reciprocal()\fR -arguments were different. +\&\fIBN_RECP_CTX_init()\fR was removed in OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_new.3 b/secure/lib/libcrypto/man/BN_new.3 index c5a5012da3f4..289666c85f51 100644 --- a/secure/lib/libcrypto/man/BN_new.3 +++ b/secure/lib/libcrypto/man/BN_new.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_new 3" -.TH BN_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_NEW 3" +.TH BN_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_new, BN_init, BN_clear, BN_free, BN_clear_free \- allocate and free BIGNUMs +BN_new, BN_secure_new, BN_clear, BN_free, BN_clear_free \- allocate and free BIGNUMs .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,7 +143,7 @@ BN_new, BN_init, BN_clear, BN_free, BN_clear_free \- allocate and free BIGNUMs \& \& BIGNUM *BN_new(void); \& -\& void BN_init(BIGNUM *); +\& BIGNUM *BN_secure_new(void); \& \& void BN_clear(BIGNUM *a); \& @@ -153,8 +153,9 @@ BN_new, BN_init, BN_clear, BN_free, BN_clear_free \- allocate and free BIGNUMs .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIBN_new()\fR allocates and initializes a \fB\s-1BIGNUM\s0\fR structure. \fIBN_init()\fR -initializes an existing uninitialized \fB\s-1BIGNUM\s0\fR. +\&\fIBN_new()\fR allocates and initializes a \fB\s-1BIGNUM\s0\fR structure. +\&\fIBN_secure_new()\fR does the same except that the secure heap +\&\fIOPENSSL_secure_malloc\fR\|(3) is used to store the value. .PP \&\fIBN_clear()\fR is used to destroy sensitive data such as keys when they are no longer needed. It erases the memory used by \fBa\fR and sets it @@ -166,18 +167,24 @@ overwrites the data before the memory is returned to the system. If \fBa\fR is \s-1NULL,\s0 nothing is done. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIBN_new()\fR returns a pointer to the \fB\s-1BIGNUM\s0\fR initialised to the value 0. +\&\fIBN_new()\fR and \fIBN_secure_new()\fR +return a pointer to the \fB\s-1BIGNUM\s0\fR initialised to the value 0. If the allocation fails, -it returns \fB\s-1NULL\s0\fR and sets an error code that can be obtained +they return \fB\s-1NULL\s0\fR and set an error code that can be obtained by \fIERR_get_error\fR\|(3). .PP -\&\fIBN_init()\fR, \fIBN_clear()\fR, \fIBN_free()\fR and \fIBN_clear_free()\fR have no return -values. +\&\fIBN_clear()\fR, \fIBN_free()\fR and \fIBN_clear_free()\fR have no return values. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3) +\&\fIERR_get_error\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIBN_new()\fR, \fIBN_clear()\fR, \fIBN_free()\fR and \fIBN_clear_free()\fR are available in -all versions on SSLeay and OpenSSL. \fIBN_init()\fR was added in SSLeay -0.9.1b. +\&\fIBN_init()\fR was removed in OpenSSL 1.1.0; use \fIBN_new()\fR instead. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_num_bytes.3 b/secure/lib/libcrypto/man/BN_num_bytes.3 index 839a1f008b45..426cb8d00625 100644 --- a/secure/lib/libcrypto/man/BN_num_bytes.3 +++ b/secure/lib/libcrypto/man/BN_num_bytes.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_num_bytes 3" -.TH BN_num_bytes 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_NUM_BYTES 3" +.TH BN_NUM_BYTES 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -176,9 +176,13 @@ there's no real guarantee that will match the \*(L"key size\*(R", just a lot more probability). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIDH_size\fR\|(3), \fIDSA_size\fR\|(3), +\&\fIDH_size\fR\|(3), \fIDSA_size\fR\|(3), \&\fIRSA_size\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_num_bytes()\fR, \fIBN_num_bits()\fR and \fIBN_num_bits_word()\fR are available in -all versions of SSLeay and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_rand.3 b/secure/lib/libcrypto/man/BN_rand.3 index cc8ec3a51f7f..d6b01e9d2c47 100644 --- a/secure/lib/libcrypto/man/BN_rand.3 +++ b/secure/lib/libcrypto/man/BN_rand.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_rand 3" -.TH BN_rand 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_RAND 3" +.TH BN_RAND 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_rand, BN_pseudo_rand, BN_rand_range, BN_pseudo_rand_range \- generate pseudo\-random number +BN_rand, BN_priv_rand, BN_pseudo_rand, BN_rand_range, BN_priv_rand_range, BN_pseudo_rand_range \&\- generate pseudo\-random number .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,10 +143,14 @@ BN_rand, BN_pseudo_rand, BN_rand_range, BN_pseudo_rand_range \- generate pseudo\ \& \& int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); \& +\& int BN_priv_rand(BIGNUM *rnd, int bits, int top, int bottom); +\& \& int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); \& \& int BN_rand_range(BIGNUM *rnd, BIGNUM *range); \& +\& int BN_priv_rand_range(BIGNUM *rnd, BIGNUM *range); +\& \& int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range); .Ve .SH "DESCRIPTION" @@ -154,38 +158,58 @@ BN_rand, BN_pseudo_rand, BN_rand_range, BN_pseudo_rand_range \- generate pseudo\ \&\fIBN_rand()\fR generates a cryptographically strong pseudo-random number of \&\fBbits\fR in length and stores it in \fBrnd\fR. If \fBbits\fR is less than zero, or too small to -accomodate the requirements specified by the \fBtop\fR and \fBbottom\fR +accommodate the requirements specified by the \fBtop\fR and \fBbottom\fR parameters, an error is returned. -If \fBtop\fR is \-1, the -most significant bit of the random number can be zero. If \fBtop\fR is 0, -it is set to 1, and if \fBtop\fR is 1, the two most significant bits of +The \fBtop\fR parameters specifies +requirements on the most significant bit of the generated number. +If it is \fB\s-1BN_RAND_TOP_ANY\s0\fR, there is no constraint. +If it is \fB\s-1BN_RAND_TOP_ONE\s0\fR, the top bit must be one. +If it is \fB\s-1BN_RAND_TOP_TWO\s0\fR, the two most significant bits of the number will be set to 1, so that the product of two such random -numbers will always have 2*\fBbits\fR length. If \fBbottom\fR is true, the -number will be odd. The value of \fBbits\fR must be zero or greater. If \fBbits\fR is -1 then \fBtop\fR cannot also be 1. -.PP -\&\fIBN_pseudo_rand()\fR does the same, but pseudo-random numbers generated by -this function are not necessarily unpredictable. They can be used for -non-cryptographic purposes and for certain purposes in cryptographic -protocols, but usually not for key generation etc. +numbers will always have 2*\fBbits\fR length. +If \fBbottom\fR is \fB\s-1BN_RAND_BOTTOM_ODD\s0\fR, the number will be odd; if it +is \fB\s-1BN_RAND_BOTTOM_ANY\s0\fR it can be odd or even. +If \fBbits\fR is 1 then \fBtop\fR cannot also be \fB\s-1BN_RAND_FLG_TOPTWO\s0\fR. .PP \&\fIBN_rand_range()\fR generates a cryptographically strong pseudo-random number \fBrnd\fR in the range 0 <= \fBrnd\fR < \fBrange\fR. -\&\fIBN_pseudo_rand_range()\fR does the same, but is based on \fIBN_pseudo_rand()\fR, -and hence numbers generated by it are not necessarily unpredictable. .PP -The \s-1PRNG\s0 must be seeded prior to calling \fIBN_rand()\fR or \fIBN_rand_range()\fR. +\&\fIBN_priv_rand()\fR and \fIBN_priv_rand_range()\fR have the same semantics as +\&\fIBN_rand()\fR and \fIBN_rand_range()\fR respectively. They are intended to be +used for generating values that should remain private, and mirror the +same difference between \fIRAND_bytes\fR\|(3) and \fIRAND_priv_bytes\fR\|(3). +.SH "NOTES" +.IX Header "NOTES" +Always check the error return value of these functions and do not take +randomness for granted: an error occurs if the \s-1CSPRNG\s0 has not been +seeded with enough randomness to ensure an unpredictable byte sequence. .SH "RETURN VALUES" .IX Header "RETURN VALUES" The functions return 1 on success, 0 on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3), -\&\fIRAND_add\fR\|(3), \fIRAND_bytes\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIBN_rand()\fR is available in all versions of SSLeay and OpenSSL. -\&\fIBN_pseudo_rand()\fR was added in OpenSSL 0.9.5. The \fBtop\fR == \-1 case -and the function \fIBN_rand_range()\fR were added in OpenSSL 0.9.6a. -\&\fIBN_pseudo_rand_range()\fR was added in OpenSSL 0.9.6c. +.IP "\(bu" 2 +Starting with OpenSSL release 1.1.0, \fIBN_pseudo_rand()\fR has been identical +to \fIBN_rand()\fR and \fIBN_pseudo_rand_range()\fR has been identical to +\&\fIBN_rand_range()\fR. +The \*(L"pseudo\*(R" functions should not be used and may be deprecated in +a future release. +.IP "\(bu" 2 +\&\fIBN_priv_rand()\fR and \fIBN_priv_rand_range()\fR were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIERR_get_error\fR\|(3), +\&\fIRAND_add\fR\|(3), +\&\fIRAND_bytes\fR\|(3), +\&\fIRAND_priv_bytes\fR\|(3), +\&\s-1\fIRAND\s0\fR\|(7), +\&\s-1\fIRAND_DRBG\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 b/secure/lib/libcrypto/man/BN_security_bits.3 similarity index 71% rename from secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 rename to secure/lib/libcrypto/man/BN_security_bits.3 index f87a6636ba87..4b7ee981531a 100644 --- a/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 +++ b/secure/lib/libcrypto/man/BN_security_bits.3 @@ -128,42 +128,50 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_STORE_CTX_get_ex_new_index 3" -.TH X509_STORE_CTX_get_ex_new_index 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_SECURITY_BITS 3" +.TH BN_SECURITY_BITS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_STORE_CTX_get_ex_new_index, X509_STORE_CTX_set_ex_data, X509_STORE_CTX_get_ex_data \- add application specific data to X509_STORE_CTX structures +BN_security_bits \- returns bits of security based on given numbers .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, -\& CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, -\& CRYPTO_EX_free *free_func); -\& -\& int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *d, int idx, void *arg); -\& -\& void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx); +\& int BN_security_bits(int L, int N); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions handle application specific data in X509_STORE_CTX structures. -Their usage is identical to that of \fIRSA_get_ex_new_index()\fR, \fIRSA_set_ex_data()\fR -and \fIRSA_get_ex_data()\fR as described in \fIRSA_get_ex_new_index\fR\|(3). +\&\fIBN_security_bits()\fR returns the number of bits of security provided by a +specific algorithm and a particular key size. The bits of security is +defined in \s-1NIST SP800\-57.\s0 Currently, \fIBN_security_bits()\fR support two types +of asymmetric algorithms: the \s-1FFC\s0 (Finite Field Cryptography) and \s-1IFC\s0 +(Integer Factorization Cryptography). For \s-1FFC,\s0 e.g., \s-1DSA\s0 and \s-1DH,\s0 both +parameters \fBL\fR and \fBN\fR are used to decide the bits of security, where +\&\fBL\fR is the size of the public key and \fBN\fR is the size of the private +key. For \s-1IFC,\s0 e.g., \s-1RSA,\s0 only \fBL\fR is used and it's commonly considered +to be the key size (modulus). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Number of security bits. .SH "NOTES" .IX Header "NOTES" -This mechanism is used internally by the \fBssl\fR library to store the \fB\s-1SSL\s0\fR -structure associated with a verification operation in an \fBX509_STORE_CTX\fR -structure. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIRSA_get_ex_new_index\fR\|(3) +\&\s-1ECC\s0 (Elliptic Curve Cryptography) is not covered by the \fIBN_security_bits()\fR +function. The symmetric algorithms are not covered neither. .SH "HISTORY" .IX Header "HISTORY" -\&\fIX509_STORE_CTX_get_ex_new_index()\fR, \fIX509_STORE_CTX_set_ex_data()\fR and -\&\fIX509_STORE_CTX_get_ex_data()\fR are available since OpenSSL 0.9.5. +\&\fIBN_security_bits()\fR was added in OpenSSL 1.1.0. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIDH_security_bits\fR\|(3), \fIDSA_security_bits\fR\|(3), \fIRSA_security_bits\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_set_bit.3 b/secure/lib/libcrypto/man/BN_set_bit.3 index 6a953f4329f6..b7b7274bd4ee 100644 --- a/secure/lib/libcrypto/man/BN_set_bit.3 +++ b/secure/lib/libcrypto/man/BN_set_bit.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_set_bit 3" -.TH BN_set_bit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_SET_BIT 3" +.TH BN_SET_BIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_set_bit, BN_clear_bit, BN_is_bit_set, BN_mask_bits, BN_lshift, -BN_lshift1, BN_rshift, BN_rshift1 \- bit operations on BIGNUMs +BN_set_bit, BN_clear_bit, BN_is_bit_set, BN_mask_bits, BN_lshift, BN_lshift1, BN_rshift, BN_rshift1 \- bit operations on BIGNUMs .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -186,9 +185,12 @@ All other functions return 1 for success, 0 on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIBN_num_bytes\fR\|(3), \fIBN_add\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIBN_set_bit()\fR, \fIBN_clear_bit()\fR, \fIBN_is_bit_set()\fR, \fIBN_mask_bits()\fR, -\&\fIBN_lshift()\fR, \fIBN_lshift1()\fR, \fIBN_rshift()\fR, and \fIBN_rshift1()\fR are available -in all versions of SSLeay and OpenSSL. +\&\fIBN_num_bytes\fR\|(3), \fIBN_add\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_swap.3 b/secure/lib/libcrypto/man/BN_swap.3 index ed2f836fc40c..ad59f046804f 100644 --- a/secure/lib/libcrypto/man/BN_swap.3 +++ b/secure/lib/libcrypto/man/BN_swap.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_swap 3" -.TH BN_swap 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_SWAP 3" +.TH BN_SWAP 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -146,8 +146,14 @@ BN_swap \- exchange BIGNUMs .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIBN_swap()\fR exchanges the values of \fIa\fR and \fIb\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIBN_swap()\fR does not return a value. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIbn\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -BN_swap was added in OpenSSL 0.9.7. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/BN_zero.3 b/secure/lib/libcrypto/man/BN_zero.3 index 0a21d419acdd..7d966edeb068 100644 --- a/secure/lib/libcrypto/man/BN_zero.3 +++ b/secure/lib/libcrypto/man/BN_zero.3 @@ -128,31 +128,30 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "BN_zero 3" -.TH BN_zero 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BN_ZERO 3" +.TH BN_ZERO 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BN_zero, BN_one, BN_value_one, BN_set_word, BN_get_word \- BIGNUM assignment -operations +BN_zero, BN_one, BN_value_one, BN_set_word, BN_get_word \- BIGNUM assignment operations .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int BN_zero(BIGNUM *a); +\& void BN_zero(BIGNUM *a); \& int BN_one(BIGNUM *a); \& \& const BIGNUM *BN_value_one(void); \& \& int BN_set_word(BIGNUM *a, BN_ULONG w); -\& BN_ULONG BN_get_word(BIGNUM *a); +\& unsigned BN_ULONG BN_get_word(BIGNUM *a); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fB\s-1BN_ULONG\s0\fR is a macro that will be an unsigned integral type optimied +\&\fB\s-1BN_ULONG\s0\fR is a macro that will be an unsigned integral type optimized for the most efficient implementation on the local platform. .PP \&\fIBN_zero()\fR, \fIBN_one()\fR and \fIBN_set_word()\fR set \fBa\fR to the values 0, 1 and @@ -165,10 +164,11 @@ is useful for use in comparisons and assignment. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBN_get_word()\fR returns the value \fBa\fR, or all-bits-set if \fBa\fR cannot -be represented as a \fB\s-1BN_ULONG\s0\fR. +be represented as a single integer. .PP -\&\fIBN_zero()\fR, \fIBN_one()\fR and \fIBN_set_word()\fR return 1 on success, 0 otherwise. +\&\fIBN_one()\fR and \fIBN_set_word()\fR return 1 on success, 0 otherwise. \&\fIBN_value_one()\fR returns the constant. +\&\fIBN_zero()\fR never fails and returns no value. .SH "BUGS" .IX Header "BUGS" If a \fB\s-1BIGNUM\s0\fR is equal to the value of all-bits-set, it will collide @@ -178,12 +178,16 @@ as an error value. \&\fB\s-1BN_ULONG\s0\fR should probably be a typedef. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIBN_bn2bin\fR\|(3) +\&\fIBN_bn2bin\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIBN_zero()\fR, \fIBN_one()\fR and \fIBN_set_word()\fR are available in all versions of -SSLeay and OpenSSL. \fIBN_value_one()\fR and \fIBN_get_word()\fR were added in -SSLeay 0.8. +In OpenSSL 0.9.8, \fIBN_zero()\fR was changed to not return a value; previous +versions returned an int. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIBN_value_one()\fR was changed to return a true const \s-1BIGNUM\s0 * in OpenSSL -0.9.7. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/buffer.3 b/secure/lib/libcrypto/man/BUF_MEM_new.3 similarity index 75% rename from secure/lib/libcrypto/man/buffer.3 rename to secure/lib/libcrypto/man/BUF_MEM_new.3 index 338599dbbb63..385da3c98fcb 100644 --- a/secure/lib/libcrypto/man/buffer.3 +++ b/secure/lib/libcrypto/man/BUF_MEM_new.3 @@ -128,18 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "buffer 3" -.TH buffer 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "BUF_MEM_NEW 3" +.TH BUF_MEM_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -BUF_MEM_new, BUF_MEM_new_ex, BUF_MEM_free, BUF_MEM_grow \- simple -character array structure -.PP -BUF_strdup, BUF_strndup, BUF_memdup, BUF_strlcpy, BUF_strlcat \- -standard C library equivalents +BUF_MEM_new, BUF_MEM_new_ex, BUF_MEM_free, BUF_MEM_grow, BUF_MEM_grow_clean, BUF_reverse \&\- simple character array structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -147,21 +143,14 @@ standard C library equivalents \& \& BUF_MEM *BUF_MEM_new(void); \& -\& void BUF_MEM_free(BUF_MEM *a); +\& BUF_MEM *BUF_MEM_new_ex(unsigned long flags); \& -\& int BUF_MEM_grow(BUF_MEM *str, int len); +\& void BUF_MEM_free(BUF_MEM *a); \& -\& char *BUF_strdup(const char *str); +\& int BUF_MEM_grow(BUF_MEM *str, int len); +\& size_t BUF_MEM_grow_clean(BUF_MEM *str, size_t len); \& -\& char *BUF_strndup(const char *str, size_t siz); -\& -\& void *BUF_memdup(const void *data, size_t siz); -\& -\& size_t BUF_strlcpy(char *dst, const char *src, size_t size); -\& -\& size_t BUF_strlcat(char *dst, const char *src, size_t size); -\& -\& size_t BUF_strnlen(const char *str, size_t maxlen); +\& void BUF_reverse(unsigned char *out, const unsigned char *in, size_t size); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -170,6 +159,10 @@ various purposes in the library, most notably memory BIOs. .PP \&\fIBUF_MEM_new()\fR allocates a new buffer of zero size. .PP +\&\fIBUF_MEM_new_ex()\fR allocates a buffer with the specified flags. +The flag \fB\s-1BUF_MEM_FLAG_SECURE\s0\fR specifies that the \fBdata\fR pointer +should be allocated on the secure heap; see \fICRYPTO_secure_malloc\fR\|(3). +.PP \&\fIBUF_MEM_free()\fR frees up an already existing buffer. The data is zeroed before freeing up in case the buffer contains sensitive data. .PP @@ -177,28 +170,31 @@ before freeing up in case the buffer contains sensitive data. \&\fBlen\fR. Any data already in the buffer is preserved if it increases in size. .PP -\&\fIBUF_strdup()\fR, \fIBUF_strndup()\fR, \fIBUF_memdup()\fR, \fIBUF_strlcpy()\fR, -\&\fIBUF_strlcat()\fR and BUF_strnlen are equivalents of the standard C -library functions. The \fIdup()\fR functions use \fIOPENSSL_malloc()\fR underneath -and so should be used in preference to the standard library for memory -leak checking or replacing the \fImalloc()\fR function. +\&\fIBUF_MEM_grow_clean()\fR is similar to \fIBUF_MEM_grow()\fR but it sets any free'd +or additionally-allocated memory to zero. .PP -Memory allocated from these functions should be freed up using the -\&\fIOPENSSL_free()\fR function. -.PP -BUF_strndup makes the explicit guarantee that it will never read past -the first \fBsiz\fR bytes of \fBstr\fR. +\&\fIBUF_reverse()\fR reverses \fBsize\fR bytes at \fBin\fR into \fBout\fR. If \fBin\fR +is \s-1NULL,\s0 the array is reversed in-place. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIBUF_MEM_new()\fR returns the buffer or \s-1NULL\s0 on error. .PP \&\fIBUF_MEM_free()\fR has no return value. .PP -\&\fIBUF_MEM_grow()\fR returns zero on error or the new size (i.e. \fBlen\fR). +\&\fIBUF_MEM_grow()\fR and \fIBUF_MEM_grow_clean()\fR return +zero on error or the new size (i.e., \fBlen\fR). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbio\fR\|(3) +\&\fIbio\fR\|(7), +\&\fICRYPTO_secure_malloc\fR\|(3). .SH "HISTORY" .IX Header "HISTORY" -\&\fIBUF_MEM_new()\fR, \fIBUF_MEM_free()\fR and \fIBUF_MEM_grow()\fR are available in all -versions of SSLeay and OpenSSL. \fIBUF_strdup()\fR was added in SSLeay 0.8. +\&\fIBUF_MEM_new_ex()\fR was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_add0_cert.3 b/secure/lib/libcrypto/man/CMS_add0_cert.3 index a76f55efe2d2..6bfa10e30f8a 100644 --- a/secure/lib/libcrypto/man/CMS_add0_cert.3 +++ b/secure/lib/libcrypto/man/CMS_add0_cert.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_add0_cert 3" -.TH CMS_add0_cert 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_ADD0_CERT 3" +.TH CMS_ADD0_CERT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_get1_crls, \- CMS certificate and CRL utility functions +CMS_add0_cert, CMS_add1_cert, CMS_get1_certs, CMS_add0_crl, CMS_add1_crl, CMS_get1_crls \&\- CMS certificate and CRL utility functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -186,7 +186,11 @@ in practice is if the \fBcms\fR type is invalid. \&\fIERR_get_error\fR\|(3), \&\fICMS_sign\fR\|(3), \&\fICMS_encrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_add0_cert()\fR, \fICMS_add1_cert()\fR, \fICMS_get1_certs()\fR, \fICMS_add0_crl()\fR -and \fICMS_get1_crls()\fR were all first added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 index 25df564cf32b..6e759c494ed3 100644 --- a/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 +++ b/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 @@ -128,24 +128,28 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_add1_recipient_cert 3" -.TH CMS_add1_recipient_cert 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_ADD1_RECIPIENT_CERT 3" +.TH CMS_ADD1_RECIPIENT_CERT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_add1_recipient_cert, CMS_add0_recipient_key \- add recipients to a CMS enveloped data structure -.Ve +CMS_add1_recipient_cert, CMS_add0_recipient_key \- add recipients to a CMS enveloped data structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip, unsigned int flags); +\& CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, +\& X509 *recip, unsigned int flags); \& -\& CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, unsigned char *key, size_t keylen, unsigned char *id, size_t idlen, ASN1_GENERALIZEDTIME *date, ASN1_OBJECT *otherTypeId, ASN1_TYPE *otherType); +\& CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, +\& unsigned char *key, size_t keylen, +\& unsigned char *id, size_t idlen, +\& ASN1_GENERALIZEDTIME *date, +\& ASN1_OBJECT *otherTypeId, +\& ASN1_TYPE *otherType); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -185,7 +189,11 @@ occurs. .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fICMS_decrypt\fR\|(3), \&\fICMS_final\fR\|(3), -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_add1_recipient_cert()\fR and \fICMS_add0_recipient_key()\fR were added to OpenSSL -0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_add1_signer.3 b/secure/lib/libcrypto/man/CMS_add1_signer.3 index 877bce98cd25..51727a5f2421 100644 --- a/secure/lib/libcrypto/man/CMS_add1_signer.3 +++ b/secure/lib/libcrypto/man/CMS_add1_signer.3 @@ -128,22 +128,22 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_add1_signer 3" -.TH CMS_add1_signer 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_ADD1_SIGNER 3" +.TH CMS_ADD1_SIGNER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_add1_signer, CMS_SignerInfo_sign \- add a signer to a CMS_ContentInfo signed data structure. -.Ve +CMS_add1_signer, CMS_SignerInfo_sign \- add a signer to a CMS_ContentInfo signed data structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, unsigned int flags); +\& CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signcert, +\& EVP_PKEY *pkey, const EVP_MD *md, +\& unsigned int flags); \& \& int CMS_SignerInfo_sign(CMS_SignerInfo *si); .Ve @@ -185,7 +185,7 @@ structure. An error occurs if a matching digest value cannot be found to copy. The returned CMS_ContentInfo structure will be valid and finalized when this flag is set. .PP -If \fB\s-1CMS_PARTIAL\s0\fR is set in addition to \fB\s-1CMS_REUSE_DIGEST\s0\fR then the +If \fB\s-1CMS_PARTIAL\s0\fR is set in addition to \fB\s-1CMS_REUSE_DIGEST\s0\fR then the CMS_SignerInfo structure will not be finalized so additional attributes can be added. In this case an explicit call to \fICMS_SignerInfo_sign()\fR is needed to finalize it. @@ -214,7 +214,7 @@ If any of these algorithms is not available then it will not be included: for ex not loaded. .PP \&\fICMS_add1_signer()\fR returns an internal pointer to the CMS_SignerInfo -structure just added, this can be used to set additional attributes +structure just added, this can be used to set additional attributes before it is finalized. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -224,6 +224,11 @@ structure just added or \s-1NULL\s0 if an error occurs. .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fICMS_sign\fR\|(3), \&\fICMS_final\fR\|(3), -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_add1_signer()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2014\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_compress.3 b/secure/lib/libcrypto/man/CMS_compress.3 index 895efd52df06..5c1f38b3209f 100644 --- a/secure/lib/libcrypto/man/CMS_compress.3 +++ b/secure/lib/libcrypto/man/CMS_compress.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_compress 3" -.TH CMS_compress 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_COMPRESS 3" +.TH CMS_COMPRESS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -195,5 +195,12 @@ occurred. The error can be obtained from \fIERR_get_error\fR\|(3). \&\fIERR_get_error\fR\|(3), \fICMS_uncompress\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fICMS_compress()\fR was added to OpenSSL 0.9.8 -The \fB\s-1CMS_STREAM\s0\fR flag was first supported in OpenSSL 1.0.0. +The \fB\s-1CMS_STREAM\s0\fR flag was added in OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_decrypt.3 b/secure/lib/libcrypto/man/CMS_decrypt.3 index a9247fb5065c..313e83718586 100644 --- a/secure/lib/libcrypto/man/CMS_decrypt.3 +++ b/secure/lib/libcrypto/man/CMS_decrypt.3 @@ -128,22 +128,21 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_decrypt 3" -.TH CMS_decrypt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_DECRYPT 3" +.TH CMS_DECRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_decrypt \- decrypt content from a CMS envelopedData structure -.Ve +CMS_decrypt \- decrypt content from a CMS envelopedData structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, BIO *dcont, BIO *out, unsigned int flags); +\& int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, +\& BIO *dcont, BIO *out, unsigned int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -156,9 +155,6 @@ The \fBdcont\fR parameter is used in the rare case where the encrypted content is detached. It will normally be set to \s-1NULL.\s0 .SH "NOTES" .IX Header "NOTES" -\&\fIOpenSSL_add_all_algorithms()\fR (or equivalent) should be called before using this -function or errors about unknown algorithms will occur. -.PP Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the \s-1CMS\s0 structure. @@ -183,7 +179,7 @@ in advance using the \s-1CMS\s0 utility functions such as \fICMS_set1_pkey()\fR. case both \fBcert\fR and \fBpkey\fR should be set to \s-1NULL.\s0 .PP To process KEKRecipientInfo types \fICMS_set1_key()\fR or \fICMS_RecipientInfo_set0_key()\fR -and \fICMS_ReceipientInfo_decrypt()\fR should be called before \fICMS_decrypt()\fR and +and \fICMS_RecipientInfo_decrypt()\fR should be called before \fICMS_decrypt()\fR and \&\fBcert\fR and \fBpkey\fR set to \s-1NULL.\s0 .PP The following flags can be passed in the \fBflags\fR parameter. @@ -202,6 +198,11 @@ mentioned in \fICMS_verify()\fR also applies to \fICMS_decrypt()\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fICMS_encrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_decrypt()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_encrypt.3 b/secure/lib/libcrypto/man/CMS_encrypt.3 index 157c2b6d8bce..4f5d22722930 100644 --- a/secure/lib/libcrypto/man/CMS_encrypt.3 +++ b/secure/lib/libcrypto/man/CMS_encrypt.3 @@ -128,22 +128,21 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_encrypt 3" -.TH CMS_encrypt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_ENCRYPT 3" +.TH CMS_ENCRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_encrypt \- create a CMS envelopedData structure -.Ve +CMS_encrypt \- create a CMS envelopedData structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, unsigned int flags); +\& CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, +\& const EVP_CIPHER *cipher, unsigned int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -219,5 +218,12 @@ occurred. The error can be obtained from \fIERR_get_error\fR\|(3). \&\fIERR_get_error\fR\|(3), \fICMS_decrypt\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fICMS_decrypt()\fR was added to OpenSSL 0.9.8 The \fB\s-1CMS_STREAM\s0\fR flag was first supported in OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_final.3 b/secure/lib/libcrypto/man/CMS_final.3 index 7c461fb7e2ee..dcb86d2d92be 100644 --- a/secure/lib/libcrypto/man/CMS_final.3 +++ b/secure/lib/libcrypto/man/CMS_final.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_final 3" -.TH CMS_final 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_FINAL 3" +.TH CMS_FINAL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_final \- finalise a CMS_ContentInfo structure -.Ve +CMS_final \- finalise a CMS_ContentInfo structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -149,7 +147,7 @@ .IX Header "DESCRIPTION" \&\fICMS_final()\fR finalises the structure \fBcms\fR. It's purpose is to perform any operations necessary on \fBcms\fR (digest computation for example) and set the -appropriate fields. The parameter \fBdata\fR contains the content to be +appropriate fields. The parameter \fBdata\fR contains the content to be processed. The \fBdcont\fR parameter contains a \s-1BIO\s0 to write content to after processing: this is only used with detached data and will usually be set to \&\s-1NULL.\s0 @@ -165,6 +163,11 @@ I/O functions perform finalisation operations internally. .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fICMS_sign\fR\|(3), \&\fICMS_encrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_final()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 index f48f64a4fd78..0feae24c893d 100644 --- a/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 +++ b/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_get0_RecipientInfos 3" -.TH CMS_get0_RecipientInfos 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_GET0_RECIPIENTINFOS 3" +.TH CMS_GET0_RECIPIENTINFOS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -CMS_get0_RecipientInfos, CMS_RecipientInfo_type, CMS_RecipientInfo_ktri_get0_signer_id,CMS_RecipientInfo_ktri_cert_cmp, CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id, CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key, CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt \- CMS envelopedData RecipientInfo routines +CMS_get0_RecipientInfos, CMS_RecipientInfo_type, CMS_RecipientInfo_ktri_get0_signer_id, CMS_RecipientInfo_ktri_cert_cmp, CMS_RecipientInfo_set0_pkey, CMS_RecipientInfo_kekri_get0_id, CMS_RecipientInfo_kekri_id_cmp, CMS_RecipientInfo_set0_key, CMS_RecipientInfo_decrypt, CMS_RecipientInfo_encrypt \&\- CMS envelopedData RecipientInfo routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -144,13 +144,22 @@ CMS_get0_RecipientInfos, CMS_RecipientInfo_type, CMS_RecipientInfo_ktri_get0_sig \& STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms); \& int CMS_RecipientInfo_type(CMS_RecipientInfo *ri); \& -\& int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno); +\& int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, +\& ASN1_OCTET_STRING **keyid, +\& X509_NAME **issuer, +\& ASN1_INTEGER **sno); \& int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert); \& int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey); \& -\& int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg, ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate, ASN1_OBJECT **potherid, ASN1_TYPE **pothertype); -\& int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, const unsigned char *id, size_t idlen); -\& int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key, size_t keylen); +\& int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg, +\& ASN1_OCTET_STRING **pid, +\& ASN1_GENERALIZEDTIME **pdate, +\& ASN1_OBJECT **potherid, +\& ASN1_TYPE **pothertype); +\& int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, +\& const unsigned char *id, size_t idlen); +\& int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, +\& unsigned char *key, size_t keylen); \& \& int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri); \& int CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri); @@ -212,11 +221,11 @@ of \fICMS_decrypt()\fR is not appropriate. .PP In typical usage and application will retrieve all CMS_RecipientInfo structures using \fICMS_get0_RecipientInfos()\fR and check the type of each using -\&\fICMS_RecpientInfo_type()\fR. Depending on the type the CMS_RecipientInfo structure +\&\fICMS_RecipientInfo_type()\fR. Depending on the type the CMS_RecipientInfo structure can be ignored or its key identifier data retrieved using an appropriate function. Then if the corresponding secret or private key can be obtained by any appropriate means it can then associated with the structure and -\&\fICMS_RecpientInfo_decrypt()\fR called. If successful \fICMS_decrypt()\fR can be called +\&\fICMS_RecipientInfo_decrypt()\fR called. If successful \fICMS_decrypt()\fR can be called with a \s-1NULL\s0 key to decrypt the enveloped content. .PP The \fICMS_RecipientInfo_encrypt()\fR can be used to add a new recipient to an @@ -242,6 +251,11 @@ Any error can be obtained from \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fICMS_decrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -These functions were first was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 index e8e479ceb212..5fecf14927d8 100644 --- a/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 +++ b/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_get0_SignerInfos 3" -.TH CMS_get0_SignerInfos 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_GET0_SIGNERINFOS 3" +.TH CMS_GET0_SIGNERINFOS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -CMS_get0_SignerInfos, CMS_SignerInfo_get0_signer_id, CMS_SignerInfo_get0_signature, CMS_SignerInfo_cert_cmp, CMS_set1_signer_cert \- CMS signedData signer functions. +CMS_SignerInfo_set1_signer_cert, CMS_get0_SignerInfos, CMS_SignerInfo_get0_signer_id, CMS_SignerInfo_get0_signature, CMS_SignerInfo_cert_cmp \&\- CMS signedData signer functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,7 +143,8 @@ CMS_get0_SignerInfos, CMS_SignerInfo_get0_signer_id, CMS_SignerInfo_get0_signatu \& \& STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms); \& -\& int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno); +\& int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid, +\& X509_NAME **issuer, ASN1_INTEGER **sno); \& ASN1_OCTET_STRING *CMS_SignerInfo_get0_signature(CMS_SignerInfo *si); \& int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert); \& void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer); @@ -158,7 +159,7 @@ associated with a specific CMS_SignerInfo structure \fBsi\fR. Either the keyidentifier will be set in \fBkeyid\fR or \fBboth\fR issuer name and serial number in \fBissuer\fR and \fBsno\fR. .PP -\&\fICMS_SignerInfo_get0_signature()\fR retrieves the signature associated with +\&\fICMS_SignerInfo_get0_signature()\fR retrieves the signature associated with \&\fBsi\fR in a pointer to an \s-1ASN1_OCTET_STRING\s0 structure. This pointer returned corresponds to the internal signature value if \fBsi\fR so it may be read or modified. @@ -203,6 +204,11 @@ Any error can be obtained from \fIERR_get_error\fR\|(3) .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fICMS_verify\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -These functions were first was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_get0_type.3 b/secure/lib/libcrypto/man/CMS_get0_type.3 index d5bfa5916bd2..528913a3c47e 100644 --- a/secure/lib/libcrypto/man/CMS_get0_type.3 +++ b/secure/lib/libcrypto/man/CMS_get0_type.3 @@ -128,22 +128,20 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_get0_type 3" -.TH CMS_get0_type 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_GET0_TYPE 3" +.TH CMS_GET0_TYPE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content \- get and set CMS content types and content -.Ve +CMS_get0_type, CMS_set1_eContentType, CMS_get0_eContentType, CMS_get0_content \- get and set CMS content types and content .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& const ASN1_OBJECT *CMS_get0_type(CMS_ContentInfo *cms); +\& const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms); \& int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid); \& const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms); \& ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms); @@ -204,7 +202,11 @@ error can be obtained from \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_get0_type()\fR, \fICMS_set1_eContentType()\fR and \fICMS_get0_eContentType()\fR were all -first added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 index 3c03f3ecc626..629cc28b3118 100644 --- a/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 +++ b/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 @@ -128,25 +128,29 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_get1_ReceiptRequest 3" -.TH CMS_get1_ReceiptRequest 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_GET1_RECEIPTREQUEST 3" +.TH CMS_GET1_RECEIPTREQUEST 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values \- CMS signed receipt request functions. -.Ve +CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values \- CMS signed receipt request functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst, STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo); +\& CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen, +\& int allorfirst, +\& STACK_OF(GENERAL_NAMES) *receiptList, +\& STACK_OF(GENERAL_NAMES) *receiptsTo); \& int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr); \& int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr); -\& void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid, int *pallorfirst, STACK_OF(GENERAL_NAMES) **plist, STACK_OF(GENERAL_NAMES) **prto); +\& void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid, +\& int *pallorfirst, +\& STACK_OF(GENERAL_NAMES) **plist, +\& STACK_OF(GENERAL_NAMES) **prto); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -178,7 +182,7 @@ corresponding CMS_ContentInfo structure can be successfully verified using \&\fICMS_verify()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fICMS_ReceiptRequest_create0()\fR returns a signed receipt request structure or +\&\fICMS_ReceiptRequest_create0()\fR returns a signed receipt request structure or \&\s-1NULL\s0 if an error occurred. .PP \&\fICMS_add1_ReceiptRequest()\fR returns 1 for success or 0 if an error occurred. @@ -191,8 +195,11 @@ it is present but malformed. \&\fIERR_get_error\fR\|(3), \fICMS_sign\fR\|(3), \&\fICMS_sign_receipt\fR\|(3), \fICMS_verify\fR\|(3) \&\fICMS_verify_receipt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_ReceiptRequest_create0()\fR, \fICMS_add1_ReceiptRequest()\fR, -\&\fICMS_get1_ReceiptRequest()\fR and \fICMS_ReceiptRequest_get0_values()\fR were added to -OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_sign.3 b/secure/lib/libcrypto/man/CMS_sign.3 index 981859d5bf2e..cbe3beca41f0 100644 --- a/secure/lib/libcrypto/man/CMS_sign.3 +++ b/secure/lib/libcrypto/man/CMS_sign.3 @@ -128,22 +128,21 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_sign 3" -.TH CMS_sign 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_SIGN 3" +.TH CMS_SIGN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_sign \- create a CMS SignedData structure -.Ve +CMS_sign \- create a CMS SignedData structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, unsigned int flags); +\& CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, +\& BIO *data, unsigned int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -229,7 +228,7 @@ suitable for many purposes. For finer control of the output format the \&\fBcerts\fR, \fBsigncert\fR and \fBpkey\fR parameters can all be \fB\s-1NULL\s0\fR and the \&\fB\s-1CMS_PARTIAL\s0\fR flag set. Then one or more signers can be added using the function \fICMS_sign_add1_signer()\fR, non default digests can be used and custom -attributes added. \fB\f(BICMS_final()\fB\fR must then be called to finalize the +attributes added. \fICMS_final()\fR must then be called to finalize the structure if streaming is not enabled. .SH "BUGS" .IX Header "BUGS" @@ -243,7 +242,13 @@ occurred. The error can be obtained from \fIERR_get_error\fR\|(3). \&\fIERR_get_error\fR\|(3), \fICMS_verify\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fICMS_sign()\fR was added to OpenSSL 0.9.8 -.PP The \fB\s-1CMS_STREAM\s0\fR flag is only supported for detached data in OpenSSL 0.9.8, it is supported for embedded data in OpenSSL 1.0.0 and later. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_sign_receipt.3 b/secure/lib/libcrypto/man/CMS_sign_receipt.3 index 4c6acbc03400..787017df9298 100644 --- a/secure/lib/libcrypto/man/CMS_sign_receipt.3 +++ b/secure/lib/libcrypto/man/CMS_sign_receipt.3 @@ -128,22 +128,22 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_sign_receipt 3" -.TH CMS_sign_receipt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_SIGN_RECEIPT 3" +.TH CMS_SIGN_RECEIPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_sign_receipt \- create a CMS signed receipt -.Ve +CMS_sign_receipt \- create a CMS signed receipt .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, unsigned int flags); +\& CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, +\& EVP_PKEY *pkey, STACK_OF(X509) *certs, +\& unsigned int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -169,6 +169,11 @@ an error occurred. The error can be obtained from \fIERR_get_error\fR\|(3). \&\fIERR_get_error\fR\|(3), \&\fICMS_verify_receipt\fR\|(3), \&\fICMS_sign\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_sign_receipt()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_uncompress.3 b/secure/lib/libcrypto/man/CMS_uncompress.3 index cf2ff08e2b3f..8aba27c6a0d9 100644 --- a/secure/lib/libcrypto/man/CMS_uncompress.3 +++ b/secure/lib/libcrypto/man/CMS_uncompress.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_uncompress 3" -.TH CMS_uncompress 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_UNCOMPRESS 3" +.TH CMS_UNCOMPRESS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_uncompress \- uncompress a CMS CompressedData structure -.Ve +CMS_uncompress \- uncompress a CMS CompressedData structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -177,6 +175,11 @@ mentioned in \fICMS_verify()\fR also applies to \fICMS_decompress()\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fICMS_compress\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_uncompress()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_verify.3 b/secure/lib/libcrypto/man/CMS_verify.3 index fc67fc5beea2..3a1113d4a579 100644 --- a/secure/lib/libcrypto/man/CMS_verify.3 +++ b/secure/lib/libcrypto/man/CMS_verify.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_verify 3" -.TH CMS_verify 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_VERIFY 3" +.TH CMS_VERIFY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +141,8 @@ CMS_verify, CMS_get0_signers \- verify a CMS SignedData structure .Vb 1 \& #include \& -\& int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, unsigned int flags); +\& int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store, +\& BIO *indata, BIO *out, unsigned int flags); \& \& STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms); .Ve @@ -199,7 +200,7 @@ returned. If \fB\s-1CMS_NO_SIGNER_CERT_VERIFY\s0\fR is set the signing certificates are not verified. .PP -If \fB\s-1CMS_NO_ATTR_VERIFY\s0\fR is set the signed attributes signature is not +If \fB\s-1CMS_NO_ATTR_VERIFY\s0\fR is set the signed attributes signature is not verified. .PP If \fB\s-1CMS_NO_CONTENT_VERIFY\s0\fR is set then the content digest is not checked. @@ -212,13 +213,13 @@ certificates supplied in \fBcerts\fR then the verify will fail because the signer cannot be found. .PP In some cases the standard techniques for looking up and validating -certificates are not appropriate: for example an application may wish to +certificates are not appropriate: for example an application may wish to lookup certificates in a database or perform customised verification. This -can be achieved by setting and verifying the signers certificates manually +can be achieved by setting and verifying the signers certificates manually using the signed data utility functions. .PP Care should be taken when modifying the default verify behaviour, for example -setting \fB\s-1CMS_NO_CONTENT_VERIFY\s0\fR will totally disable all content verification +setting \fB\s-1CMS_NO_CONTENT_VERIFY\s0\fR will totally disable all content verification and any modified content will be considered valid. This combination is however useful if one merely wishes to write the content to \fBout\fR and its validity is not considered important. @@ -246,6 +247,11 @@ be held in memory if it is not detached. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fICMS_sign\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_verify()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CMS_verify_receipt.3 b/secure/lib/libcrypto/man/CMS_verify_receipt.3 index 78c7f25365c9..505655e0bf8e 100644 --- a/secure/lib/libcrypto/man/CMS_verify_receipt.3 +++ b/secure/lib/libcrypto/man/CMS_verify_receipt.3 @@ -128,22 +128,22 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CMS_verify_receipt 3" -.TH CMS_verify_receipt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CMS_VERIFY_RECEIPT 3" +.TH CMS_VERIFY_RECEIPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CMS_verify_receipt \- verify a CMS signed receipt -.Ve +CMS_verify_receipt \- verify a CMS signed receipt .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags); +\& int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, +\& STACK_OF(X509) *certs, X509_STORE *store, +\& unsigned int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -171,6 +171,11 @@ The error can be obtained from \fIERR_get_error\fR\|(3) \&\fIERR_get_error\fR\|(3), \&\fICMS_sign_receipt\fR\|(3), \&\fICMS_verify\fR\|(3), -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICMS_verify_receipt()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CONF_modules_free.3 b/secure/lib/libcrypto/man/CONF_modules_free.3 index 48fb403c986a..1e1de651ccd2 100644 --- a/secure/lib/libcrypto/man/CONF_modules_free.3 +++ b/secure/lib/libcrypto/man/CONF_modules_free.3 @@ -128,30 +128,36 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CONF_modules_free 3" -.TH CONF_modules_free 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CONF_MODULES_FREE 3" +.TH CONF_MODULES_FREE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 2 -\& CONF_modules_free, CONF_modules_finish, CONF_modules_unload \- -\& OpenSSL configuration cleanup functions -.Ve +CONF_modules_free, CONF_modules_finish, CONF_modules_unload \- OpenSSL configuration cleanup functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void CONF_modules_free(void); \& void CONF_modules_finish(void); \& void CONF_modules_unload(int all); .Ve +.PP +Deprecated: +.PP +.Vb 3 +\& #if OPENSSL_API_COMPAT < 0x10100000L +\& void CONF_modules_free(void) +\& #endif +.Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fICONF_modules_free()\fR closes down and frees up all memory allocated by all -configuration modules. +configuration modules. Normally, in versions of OpenSSL prior to 1.1.0, +applications called +\&\fICONF_modules_free()\fR at exit to tidy up any configuration performed. .PP \&\fICONF_modules_finish()\fR calls each configuration modules \fBfinish\fR handler to free up any configuration that module may have performed. @@ -159,18 +165,22 @@ to free up any configuration that module may have performed. \&\fICONF_modules_unload()\fR finishes and unloads configuration modules. If \&\fBall\fR is set to \fB0\fR only modules loaded from DSOs will be unloads. If \&\fBall\fR is \fB1\fR all modules, including builtin modules will be unloaded. -.SH "NOTES" -.IX Header "NOTES" -Normally applications will only call \fICONF_modules_free()\fR at application to -tidy up any configuration performed. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" None of the functions return a value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIconf\fR\|(5), \fIOPENSSL_config\fR\|(3), +\&\fIconfig\fR\|(5), \fIOPENSSL_config\fR\|(3), \&\fICONF_modules_load_file\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fICONF_modules_free()\fR, \fICONF_modules_unload()\fR, and \fICONF_modules_finish()\fR -first appeared in OpenSSL 0.9.7. +\&\fICONF_modules_free()\fR was deprecated in OpenSSL 1.1.0; do not use it. +For more information see \fIOPENSSL_init_crypto\fR\|(3). +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CONF_modules_load_file.3 b/secure/lib/libcrypto/man/CONF_modules_load_file.3 index 0181f473dd18..8d027239349c 100644 --- a/secure/lib/libcrypto/man/CONF_modules_load_file.3 +++ b/secure/lib/libcrypto/man/CONF_modules_load_file.3 @@ -128,25 +128,23 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CONF_modules_load_file 3" -.TH CONF_modules_load_file 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "CONF_MODULES_LOAD_FILE 3" +.TH CONF_MODULES_LOAD_FILE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& CONF_modules_load_file, CONF_modules_load \- OpenSSL configuration functions -.Ve +CONF_modules_load_file, CONF_modules_load \- OpenSSL configuration functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int CONF_modules_load_file(const char *filename, const char *appname, -\& unsigned long flags); +\& unsigned long flags); \& int CONF_modules_load(const CONF *cnf, const char *appname, -\& unsigned long flags); +\& unsigned long flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -154,9 +152,9 @@ The function \fICONF_modules_load_file()\fR configures OpenSSL using file \&\fBfilename\fR and application name \fBappname\fR. If \fBfilename\fR is \s-1NULL\s0 the standard OpenSSL configuration file is used. If \fBappname\fR is \&\s-1NULL\s0 the standard OpenSSL application name \fBopenssl_conf\fR is used. -The behaviour can be cutomized using \fBflags\fR. +The behaviour can be customized using \fBflags\fR. .PP -\&\fICONF_modules_load()\fR is idential to \fICONF_modules_load_file()\fR except it +\&\fICONF_modules_load()\fR is identical to \fICONF_modules_load_file()\fR except it reads configuration information from \fBcnf\fR. .SH "NOTES" .IX Header "NOTES" @@ -179,12 +177,6 @@ return an error. \&\fB\s-1CONF_MFLAGS_DEFAULT_SECTION\s0\fR if set and \fBappname\fR is not \s-1NULL\s0 will use the default section pointed to by \fBopenssl_conf\fR if \fBappname\fR does not exist. .PP -Applications should call these functions after loading builtin modules using -\&\fIOPENSSL_load_builtin_modules()\fR, any ENGINEs for example using -\&\fIENGINE_load_builtin_engines()\fR, any algorithms for example -\&\fIOPENSSL_add_all_algorithms()\fR and (if the application uses libssl) -\&\fISSL_library_init()\fR. -.PP By using \fICONF_modules_load_file()\fR with appropriate flags an application can customise application configuration to best suit its needs. In some cases the use of a configuration file is optional and its absence is not an error: in @@ -205,9 +197,9 @@ considered fatal): .PP .Vb 5 \& if (CONF_modules_load_file(NULL, NULL, 0) <= 0) { -\& fprintf(stderr, "FATAL: error loading configuration file\en"); -\& ERR_print_errors_fp(stderr); -\& exit(1); +\& fprintf(stderr, "FATAL: error loading configuration file\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } .Ve .PP @@ -217,9 +209,9 @@ tolerate missing files, but exit on other errors: .Vb 6 \& if (CONF_modules_load_file(NULL, "myapp", \& CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) { -\& fprintf(stderr, "FATAL: error loading configuration file\en"); -\& ERR_print_errors_fp(stderr); -\& exit(1); +\& fprintf(stderr, "FATAL: error loading configuration file\en"); +\& ERR_print_errors_fp(stderr); +\& exit(1); \& } .Ve .PP @@ -229,35 +221,36 @@ missing configuration file ignored: .Vb 5 \& if (CONF_modules_load_file("/something/app.cnf", "myapp", \& CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) { -\& fprintf(stderr, "WARNING: error loading configuration file\en"); -\& ERR_print_errors_fp(stderr); +\& fprintf(stderr, "WARNING: error loading configuration file\en"); +\& ERR_print_errors_fp(stderr); \& } .Ve .PP Load and parse configuration file manually, custom error handling: .PP -.Vb 10 +.Vb 3 \& FILE *fp; \& CONF *cnf = NULL; \& long eline; +\& \& fp = fopen("/somepath/app.cnf", "r"); \& if (fp == NULL) { -\& fprintf(stderr, "Error opening configuration file\en"); -\& /* Other missing configuration file behaviour */ +\& fprintf(stderr, "Error opening configuration file\en"); +\& /* Other missing configuration file behaviour */ \& } else { -\& cnf = NCONF_new(NULL); -\& if (NCONF_load_fp(cnf, fp, &eline) == 0) { -\& fprintf(stderr, "Error on line %ld of configuration file\en", eline); -\& ERR_print_errors_fp(stderr); -\& /* Other malformed configuration file behaviour */ -\& } else if (CONF_modules_load(cnf, "appname", 0) <= 0) { -\& fprintf(stderr, "Error configuring application\en"); -\& ERR_print_errors_fp(stderr); -\& /* Other configuration error behaviour */ -\& } -\& fclose(fp); -\& NCONF_free(cnf); -\& } +\& cnf = NCONF_new(NULL); +\& if (NCONF_load_fp(cnf, fp, &eline) == 0) { +\& fprintf(stderr, "Error on line %ld of configuration file\en", eline); +\& ERR_print_errors_fp(stderr); +\& /* Other malformed configuration file behaviour */ +\& } else if (CONF_modules_load(cnf, "appname", 0) <= 0) { +\& fprintf(stderr, "Error configuring application\en"); +\& ERR_print_errors_fp(stderr); +\& /* Other configuration error behaviour */ +\& } +\& fclose(fp); +\& NCONF_free(cnf); +\& } .Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -266,8 +259,12 @@ failure. If module errors are not ignored the return code will reflect the return value of the failing module (this will always be zero or negative). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIconf\fR\|(5), \fIOPENSSL_config\fR\|(3), -\&\fICONF_free\fR\|(3), \fIerr\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -CONF_modules_load_file and CONF_modules_load first appeared in OpenSSL 0.9.7. +\&\fIconfig\fR\|(5), \fIOPENSSL_config\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CRYPTO_THREAD_run_once.3 b/secure/lib/libcrypto/man/CRYPTO_THREAD_run_once.3 new file mode 100644 index 000000000000..9d3700ed3ce0 --- /dev/null +++ b/secure/lib/libcrypto/man/CRYPTO_THREAD_run_once.3 @@ -0,0 +1,279 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CRYPTO_THREAD_RUN_ONCE 3" +.TH CRYPTO_THREAD_RUN_ONCE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +CRYPTO_THREAD_run_once, CRYPTO_THREAD_lock_new, CRYPTO_THREAD_read_lock, CRYPTO_THREAD_write_lock, CRYPTO_THREAD_unlock, CRYPTO_THREAD_lock_free, CRYPTO_atomic_add \- OpenSSL thread support +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& CRYPTO_ONCE CRYPTO_ONCE_STATIC_INIT; +\& int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void (*init)(void)); +\& +\& CRYPTO_RWLOCK *CRYPTO_THREAD_lock_new(void); +\& int CRYPTO_THREAD_read_lock(CRYPTO_RWLOCK *lock); +\& int CRYPTO_THREAD_write_lock(CRYPTO_RWLOCK *lock); +\& int CRYPTO_THREAD_unlock(CRYPTO_RWLOCK *lock); +\& void CRYPTO_THREAD_lock_free(CRYPTO_RWLOCK *lock); +\& +\& int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +OpenSSL can be safely used in multi-threaded applications provided that +support for the underlying \s-1OS\s0 threading \s-1API\s0 is built-in. Currently, OpenSSL +supports the pthread and Windows APIs. OpenSSL can also be built without +any multi-threading support, for example on platforms that don't provide +any threading support or that provide a threading \s-1API\s0 that is not yet +supported by OpenSSL. +.PP +The following multi-threading function are provided: +.IP "\(bu" 2 +\&\fICRYPTO_THREAD_run_once()\fR can be used to perform one-time initialization. +The \fBonce\fR argument must be a pointer to a static object of type +\&\fB\s-1CRYPTO_ONCE\s0\fR that was statically initialized to the value +\&\fB\s-1CRYPTO_ONCE_STATIC_INIT\s0\fR. +The \fBinit\fR argument is a pointer to a function that performs the desired +exactly once initialization. +In particular, this can be used to allocate locks in a thread-safe manner, +which can then be used with the locking functions below. +.IP "\(bu" 2 +\&\fICRYPTO_THREAD_lock_new()\fR allocates, initializes and returns a new read/write +lock. +.IP "\(bu" 2 +\&\fICRYPTO_THREAD_read_lock()\fR locks the provided \fBlock\fR for reading. +.IP "\(bu" 2 +\&\fICRYPTO_THREAD_write_lock()\fR locks the provided \fBlock\fR for writing. +.IP "\(bu" 2 +\&\fICRYPTO_THREAD_unlock()\fR unlocks the previously locked \fBlock\fR. +.IP "\(bu" 2 +\&\fICRYPTO_THREAD_lock_free()\fR frees the provided \fBlock\fR. +.IP "\(bu" 2 +\&\fICRYPTO_atomic_add()\fR atomically adds \fBamount\fR to \fBval\fR and returns the +result of the operation in \fBret\fR. \fBlock\fR will be locked, unless atomic +operations are supported on the specific platform. Because of this, if a +variable is modified by \fICRYPTO_atomic_add()\fR then \fICRYPTO_atomic_add()\fR must +be the only way that the variable is modified. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fICRYPTO_THREAD_run_once()\fR returns 1 on success, or 0 on error. +.PP +\&\fICRYPTO_THREAD_lock_new()\fR returns the allocated lock, or \s-1NULL\s0 on error. +.PP +\&\fICRYPTO_THREAD_lock_free()\fR returns no value. +.PP +The other functions return 1 on success, or 0 on error. +.SH "NOTES" +.IX Header "NOTES" +On Windows platforms the CRYPTO_THREAD_* types and functions in the +openssl/crypto.h header are dependent on some of the types customarily +made available by including windows.h. The application developer is +likely to require control over when the latter is included, commonly as +one of the first included headers. Therefore it is defined as an +application developer's responsibility to include windows.h prior to +crypto.h where use of CRYPTO_THREAD_* types and functions is required. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +This example safely initializes and uses a lock. +.PP +.Vb 4 +\& #ifdef _WIN32 +\& # include +\& #endif +\& #include +\& +\& static CRYPTO_ONCE once = CRYPTO_ONCE_STATIC_INIT; +\& static CRYPTO_RWLOCK *lock; +\& +\& static void myinit(void) +\& { +\& lock = CRYPTO_THREAD_lock_new(); +\& } +\& +\& static int mylock(void) +\& { +\& if (!CRYPTO_THREAD_run_once(&once, void init) || lock == NULL) +\& return 0; +\& return CRYPTO_THREAD_write_lock(lock); +\& } +\& +\& static int myunlock(void) +\& { +\& return CRYPTO_THREAD_unlock(lock); +\& } +\& +\& int serialized(void) +\& { +\& int ret = 0; +\& +\& if (mylock()) { +\& /* Your code here, do not return without releasing the lock! */ +\& ret = ... ; +\& } +\& myunlock(); +\& return ret; +\& } +.Ve +.PP +Finalization of locks is an advanced topic, not covered in this example. +This can only be done at process exit or when a dynamically loaded library is +no longer in use and is unloaded. +The simplest solution is to just \*(L"leak\*(R" the lock in applications and not +repeatedly load/unload shared libraries that allocate locks. +.SH "NOTES" +.IX Header "NOTES" +You can find out if OpenSSL was configured with thread support: +.PP +.Vb 6 +\& #include +\& #if defined(OPENSSL_THREADS) +\& /* thread support enabled */ +\& #else +\& /* no thread support */ +\& #endif +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrypto\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CRYPTO_get_ex_new_index.3 b/secure/lib/libcrypto/man/CRYPTO_get_ex_new_index.3 new file mode 100644 index 000000000000..104edc5b044a --- /dev/null +++ b/secure/lib/libcrypto/man/CRYPTO_get_ex_new_index.3 @@ -0,0 +1,294 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CRYPTO_GET_EX_NEW_INDEX 3" +.TH CRYPTO_GET_EX_NEW_INDEX 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +CRYPTO_EX_new, CRYPTO_EX_free, CRYPTO_EX_dup, CRYPTO_free_ex_index, CRYPTO_get_ex_new_index, CRYPTO_set_ex_data, CRYPTO_get_ex_data, CRYPTO_free_ex_data, CRYPTO_new_ex_data \&\- functions supporting application\-specific data +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int CRYPTO_get_ex_new_index(int class_index, +\& long argl, void *argp, +\& CRYPTO_EX_new *new_func, +\& CRYPTO_EX_dup *dup_func, +\& CRYPTO_EX_free *free_func); +\& +\& typedef void CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad, +\& int idx, long argl, void *argp); +\& typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, +\& int idx, long argl, void *argp); +\& typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, +\& void *from_d, int idx, long argl, void *argp); +\& +\& int CRYPTO_new_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad) +\& +\& int CRYPTO_set_ex_data(CRYPTO_EX_DATA *r, int idx, void *arg); +\& +\& void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *r, int idx); +\& +\& void CRYPTO_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *r); +\& +\& int CRYPTO_free_ex_index(int class_index, int idx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Several OpenSSL structures can have application-specific data attached to them, +known as \*(L"exdata.\*(R" +The specific structures are: +.PP +.Vb 10 +\& APP +\& BIO +\& DH +\& DRBG +\& DSA +\& EC_KEY +\& ENGINE +\& RSA +\& SSL +\& SSL_CTX +\& SSL_SESSION +\& UI +\& UI_METHOD +\& X509 +\& X509_STORE +\& X509_STORE_CTX +.Ve +.PP +Each is identified by an \fBCRYPTO_EX_INDEX_xxx\fR define in the \fBcrypto.h\fR +header file. In addition, \fB\s-1CRYPTO_EX_INDEX_APP\s0\fR is reserved for +applications to use this facility for their own structures. +.PP +The \s-1API\s0 described here is used by OpenSSL to manipulate exdata for specific +structures. Since the application data can be anything at all it is passed +and retrieved as a \fBvoid *\fR type. +.PP +The \fB\s-1CRYPTO_EX_DATA\s0\fR type is opaque. To initialize the exdata part of +a structure, call \fICRYPTO_new_ex_data()\fR. This is only necessary for +\&\fB\s-1CRYPTO_EX_INDEX_APP\s0\fR objects. +.PP +Exdata types are identified by an \fBindex\fR, an integer guaranteed to be +unique within structures for the lifetime of the program. Applications +using exdata typically call \fBCRYPTO_get_ex_new_index\fR at startup, and +store the result in a global variable, or write a wrapper function to +provide lazy evaluation. The \fBclass_index\fR should be one of the +\&\fBCRYPTO_EX_INDEX_xxx\fR values. The \fBargl\fR and \fBargp\fR parameters are saved +to be passed to the callbacks but are otherwise not used. In order to +transparently manipulate exdata, three callbacks must be provided. The +semantics of those callbacks are described below. +.PP +When copying or releasing objects with exdata, the callback functions +are called in increasing order of their \fBindex\fR value. +.PP +If a dynamic library can be unloaded, it should call \fICRYPTO_free_ex_index()\fR +when this is done. +This will replace the callbacks with no-ops +so that applications don't crash. Any existing exdata will be leaked. +.PP +To set or get the exdata on an object, the appropriate type-specific +routine must be used. This is because the containing structure is opaque +and the \fB\s-1CRYPTO_EX_DATA\s0\fR field is not accessible. In both \s-1API\s0's, the +\&\fBidx\fR parameter should be an already-created index value. +.PP +When setting exdata, the pointer specified with a particular index is saved, +and returned on a subsequent \*(L"get\*(R" call. If the application is going to +release the data, it must make sure to set a \fB\s-1NULL\s0\fR value at the index, +to avoid likely double-free crashes. +.PP +The function \fBCRYPTO_free_ex_data\fR is used to free all exdata attached +to a structure. The appropriate type-specific routine must be used. +The \fBclass_index\fR identifies the structure type, the \fBobj\fR is +be the pointer to the actual structure, and \fBr\fR is a pointer to the +structure's exdata field. +.SS "Callback Functions" +.IX Subsection "Callback Functions" +This section describes how the callback functions are used. Applications +that are defining their own exdata using \fB\s-1CYPRTO_EX_INDEX_APP\s0\fR must +call them as described here. +.PP +When a structure is initially allocated (such as \fIRSA_new()\fR) then the +\&\fInew_func()\fR is called for every defined index. There is no requirement +that the entire parent, or containing, structure has been set up. +The \fInew_func()\fR is typically used only to allocate memory to store the +exdata, and perhaps an \*(L"initialized\*(R" flag within that memory. +The exdata value should be set by calling \fICRYPTO_set_ex_data()\fR. +.PP +When a structure is free'd (such as \fISSL_CTX_free()\fR) then the +\&\fIfree_func()\fR is called for every defined index. Again, the state of the +parent structure is not guaranteed. The \fIfree_func()\fR may be called with a +\&\s-1NULL\s0 pointer. +.PP +Both \fInew_func()\fR and \fIfree_func()\fR take the same parameters. +The \fBparent\fR is the pointer to the structure that contains the exdata. +The \fBptr\fR is the current exdata item; for \fInew_func()\fR this will typically +be \s-1NULL.\s0 The \fBr\fR parameter is a pointer to the exdata field of the object. +The \fBidx\fR is the index and is the value returned when the callbacks were +initially registered via \fICRYPTO_get_ex_new_index()\fR and can be used if +the same callback handles different types of exdata. +.PP +\&\fIdup_func()\fR is called when a structure is being copied. This is only done +for \fB\s-1SSL\s0\fR, \fB\s-1SSL_SESSION\s0\fR, \fB\s-1EC_KEY\s0\fR objects and \fB\s-1BIO\s0\fR chains via +\&\fIBIO_dup_chain()\fR. The \fBto\fR and \fBfrom\fR parameters +are pointers to the destination and source \fB\s-1CRYPTO_EX_DATA\s0\fR structures, +respectively. The \fBfrom_d\fR parameter needs to be cast to a \fBvoid **pptr\fR +as the \s-1API\s0 has currently the wrong signature; that will be changed in a +future version. The \fB*pptr\fR is a pointer to the source exdata. +When the \fIdup_func()\fR returns, the value in \fB*pptr\fR is copied to the +destination ex_data. If the pointer contained in \fB*pptr\fR is not modified +by the \fIdup_func()\fR, then both \fBto\fR and \fBfrom\fR will point to the same data. +The \fBidx\fR, \fBargl\fR and \fBargp\fR parameters are as described for the other +two callbacks. If the \fIdup_func()\fR returns \fB0\fR the whole \fICRYPTO_dup_ex_data()\fR +will fail. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fICRYPTO_get_ex_new_index()\fR returns a new index or \-1 on failure. +.PP +\&\fICRYPTO_free_ex_index()\fR and +\&\fICRYPTO_set_ex_data()\fR return 1 on success or 0 on failure. +.PP +\&\fICRYPTO_get_ex_data()\fR returns the application data or \s-1NULL\s0 on failure; +note that \s-1NULL\s0 may be a valid value. +.PP +\&\fIdup_func()\fR should return 0 for failure and 1 for success. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CTLOG_STORE_get0_log_by_id.3 b/secure/lib/libcrypto/man/CTLOG_STORE_get0_log_by_id.3 new file mode 100644 index 000000000000..d1bc970fbe93 --- /dev/null +++ b/secure/lib/libcrypto/man/CTLOG_STORE_get0_log_by_id.3 @@ -0,0 +1,175 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CTLOG_STORE_GET0_LOG_BY_ID 3" +.TH CTLOG_STORE_GET0_LOG_BY_ID 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +CTLOG_STORE_get0_log_by_id \- Get a Certificate Transparency log from a CTLOG_STORE +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const CTLOG *CTLOG_STORE_get0_log_by_id(const CTLOG_STORE *store, +\& const uint8_t *log_id, +\& size_t log_id_len); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A Signed Certificate Timestamp (\s-1SCT\s0) identifies the Certificate Transparency +(\s-1CT\s0) log that issued it using the log's LogID (see \s-1RFC 6962,\s0 Section 3.2). +Therefore, it is useful to be able to look up more information about a log +(e.g. its public key) using this LogID. +.PP +\&\fICTLOG_STORE_get0_log_by_id()\fR provides a way to do this. It will find a \s-1CTLOG\s0 +in a \s-1CTLOG_STORE\s0 that has a given LogID. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fBCTLOG_STORE_get0_log_by_id\fR returns a \s-1CTLOG\s0 with the given LogID, if it +exists in the given \s-1CTLOG_STORE,\s0 otherwise it returns \s-1NULL.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIct\fR\|(7), +\&\fICTLOG_STORE_new\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +This function was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CTLOG_STORE_new.3 b/secure/lib/libcrypto/man/CTLOG_STORE_new.3 new file mode 100644 index 000000000000..2ad7914d1c59 --- /dev/null +++ b/secure/lib/libcrypto/man/CTLOG_STORE_new.3 @@ -0,0 +1,205 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CTLOG_STORE_NEW 3" +.TH CTLOG_STORE_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +CTLOG_STORE_new, CTLOG_STORE_free, CTLOG_STORE_load_default_file, CTLOG_STORE_load_file \- Create and populate a Certificate Transparency log list +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& CTLOG_STORE *CTLOG_STORE_new(void); +\& void CTLOG_STORE_free(CTLOG_STORE *store); +\& +\& int CTLOG_STORE_load_default_file(CTLOG_STORE *store); +\& int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A \s-1CTLOG_STORE\s0 is a container for a list of CTLOGs (Certificate Transparency +logs). The list can be loaded from one or more files and then searched by LogID +(see \s-1RFC 6962,\s0 Section 3.2, for the definition of a LogID). +.PP +\&\fICTLOG_STORE_new()\fR creates an empty list of \s-1CT\s0 logs. This is then populated +by \fICTLOG_STORE_load_default_file()\fR or \fICTLOG_STORE_load_file()\fR. +\&\fICTLOG_STORE_load_default_file()\fR loads from the default file, which is named +\&\*(L"ct_log_list.cnf\*(R" in \s-1OPENSSLDIR\s0 (see the output of version). This can be +overridden using an environment variable named \*(L"\s-1CTLOG_FILE\*(R".\s0 +\&\fICTLOG_STORE_load_file()\fR loads from a caller-specified file path instead. +Both of these functions append any loaded \s-1CT\s0 logs to the \s-1CTLOG_STORE.\s0 +.PP +The expected format of the file is: +.PP +.Vb 1 +\& enabled_logs=foo,bar +\& +\& [foo] +\& description = Log 1 +\& key = +\& +\& [bar] +\& description = Log 2 +\& key = +.Ve +.PP +Once a \s-1CTLOG_STORE\s0 is no longer required, it should be passed to +\&\fICTLOG_STORE_free()\fR. This will delete all of the CTLOGs stored within, along +with the \s-1CTLOG_STORE\s0 itself. +.SH "NOTES" +.IX Header "NOTES" +If there are any invalid \s-1CT\s0 logs in a file, they are skipped and the remaining +valid logs will still be added to the \s-1CTLOG_STORE. A CT\s0 log will be considered +invalid if it is missing a \*(L"key\*(R" or \*(L"description\*(R" field. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Both \fBCTLOG_STORE_load_default_file\fR and \fBCTLOG_STORE_load_file\fR return 1 if +all \s-1CT\s0 logs in the file are successfully parsed and loaded, 0 otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIct\fR\|(7), +\&\fICTLOG_STORE_get0_log_by_id\fR\|(3), +\&\fISSL_CTX_set_ctlog_list_file\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CTLOG_new.3 b/secure/lib/libcrypto/man/CTLOG_new.3 new file mode 100644 index 000000000000..23f715a3b54d --- /dev/null +++ b/secure/lib/libcrypto/man/CTLOG_new.3 @@ -0,0 +1,197 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CTLOG_NEW 3" +.TH CTLOG_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +CTLOG_new, CTLOG_new_from_base64, CTLOG_free, CTLOG_get0_name, CTLOG_get0_log_id, CTLOG_get0_public_key \- encapsulates information about a Certificate Transparency log +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& CTLOG *CTLOG_new(EVP_PKEY *public_key, const char *name); +\& int CTLOG_new_from_base64(CTLOG ** ct_log, +\& const char *pkey_base64, const char *name); +\& void CTLOG_free(CTLOG *log); +\& const char *CTLOG_get0_name(const CTLOG *log); +\& void CTLOG_get0_log_id(const CTLOG *log, const uint8_t **log_id, +\& size_t *log_id_len); +\& EVP_PKEY *CTLOG_get0_public_key(const CTLOG *log); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fICTLOG_new()\fR returns a new \s-1CTLOG\s0 that represents the Certificate Transparency +(\s-1CT\s0) log with the given public key. A name must also be provided that can be +used to help users identify this log. Ownership of the public key is +transferred. +.PP +\&\fICTLOG_new_from_base64()\fR also creates a new \s-1CTLOG,\s0 but takes the public key in +base64\-encoded \s-1DER\s0 form and sets the ct_log pointer to point to the new \s-1CTLOG.\s0 +The base64 will be decoded and the public key parsed. +.PP +Regardless of whether \fICTLOG_new()\fR or \fICTLOG_new_from_base64()\fR is used, it is the +caller's responsibility to pass the \s-1CTLOG\s0 to \fICTLOG_free()\fR once it is no longer +needed. This will delete it and, if created by \fICTLOG_new()\fR, the \s-1EVP_PKEY\s0 that +was passed to it. +.PP +\&\fICTLOG_get0_name()\fR returns the name of the log, as provided when the \s-1CTLOG\s0 was +created. Ownership of the string remains with the \s-1CTLOG.\s0 +.PP +\&\fICTLOG_get0_log_id()\fR sets *log_id to point to a string containing that log's +LogID (see \s-1RFC 6962\s0). It sets *log_id_len to the length of that LogID. For a +v1 \s-1CT\s0 log, the LogID will be a \s-1SHA\-256\s0 hash (i.e. 32 bytes long). Ownership of +the string remains with the \s-1CTLOG.\s0 +.PP +\&\fICTLOG_get0_public_key()\fR returns the public key of the \s-1CT\s0 log. Ownership of the +\&\s-1EVP_PKEY\s0 remains with the \s-1CTLOG.\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fICTLOG_new()\fR will return \s-1NULL\s0 if an error occurs. +.PP +\&\fICTLOG_new_from_base64()\fR will return 1 on success, 0 otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIct\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CT_POLICY_EVAL_CTX_new.3 b/secure/lib/libcrypto/man/CT_POLICY_EVAL_CTX_new.3 new file mode 100644 index 000000000000..0ecc1f823975 --- /dev/null +++ b/secure/lib/libcrypto/man/CT_POLICY_EVAL_CTX_new.3 @@ -0,0 +1,225 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "CT_POLICY_EVAL_CTX_NEW 3" +.TH CT_POLICY_EVAL_CTX_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +CT_POLICY_EVAL_CTX_new, CT_POLICY_EVAL_CTX_free, CT_POLICY_EVAL_CTX_get0_cert, CT_POLICY_EVAL_CTX_set1_cert, CT_POLICY_EVAL_CTX_get0_issuer, CT_POLICY_EVAL_CTX_set1_issuer, CT_POLICY_EVAL_CTX_get0_log_store, CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE, CT_POLICY_EVAL_CTX_get_time, CT_POLICY_EVAL_CTX_set_time \- Encapsulates the data required to evaluate whether SCTs meet a Certificate Transparency policy +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void); +\& void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx); +\& X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx); +\& int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert); +\& X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx); +\& int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer); +\& const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx); +\& void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx, +\& CTLOG_STORE *log_store); +\& uint64_t CT_POLICY_EVAL_CTX_get_time(const CT_POLICY_EVAL_CTX *ctx); +\& void CT_POLICY_EVAL_CTX_set_time(CT_POLICY_EVAL_CTX *ctx, uint64_t time_in_ms); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A \fB\s-1CT_POLICY_EVAL_CTX\s0\fR is used by functions that evaluate whether Signed +Certificate Timestamps (SCTs) fulfil a Certificate Transparency (\s-1CT\s0) policy. +This policy may be, for example, that at least one valid \s-1SCT\s0 is available. To +determine this, an \s-1SCT\s0's timestamp and signature must be verified. +This requires: +.IP "\(bu" 2 +the public key of the log that issued the \s-1SCT\s0 +.IP "\(bu" 2 +the certificate that the \s-1SCT\s0 was issued for +.IP "\(bu" 2 +the issuer certificate (if the \s-1SCT\s0 was issued for a pre-certificate) +.IP "\(bu" 2 +the current time +.PP +The above requirements are met using the setters described below. +.PP +\&\fICT_POLICY_EVAL_CTX_new()\fR creates an empty policy evaluation context. This +should then be populated using: +.IP "\(bu" 2 +\&\fICT_POLICY_EVAL_CTX_set1_cert()\fR to provide the certificate the SCTs were issued for +.Sp +Increments the reference count of the certificate. +.IP "\(bu" 2 +\&\fICT_POLICY_EVAL_CTX_set1_issuer()\fR to provide the issuer certificate +.Sp +Increments the reference count of the certificate. +.IP "\(bu" 2 +\&\fICT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE()\fR to provide a list of logs that are trusted as sources of SCTs +.Sp +Holds a pointer to the \s-1CTLOG_STORE,\s0 so the \s-1CTLOG_STORE\s0 must outlive the +\&\s-1CT_POLICY_EVAL_CTX.\s0 +.IP "\(bu" 2 +\&\fICT_POLICY_EVAL_CTX_set_time()\fR to set the time SCTs should be compared with to determine if they are valid +.Sp +The \s-1SCT\s0 timestamp will be compared to this time to check whether the \s-1SCT\s0 was +issued in the future. \s-1RFC6962\s0 states that \*(L"\s-1TLS\s0 clients \s-1MUST\s0 reject SCTs whose +timestamp is in the future\*(R". By default, this will be set to 5 minutes in the +future (e.g. (\fItime()\fR + 300) * 1000), to allow for clock drift. +.Sp +The time should be in milliseconds since the Unix epoch. +.PP +Each setter has a matching getter for accessing the current value. +.PP +When no longer required, the \fB\s-1CT_POLICY_EVAL_CTX\s0\fR should be passed to +\&\fICT_POLICY_EVAL_CTX_free()\fR to delete it. +.SH "NOTES" +.IX Header "NOTES" +The issuer certificate only needs to be provided if at least one of the SCTs +was issued for a pre-certificate. This will be the case for SCTs embedded in a +certificate (i.e. those in an X.509 extension), but may not be the case for SCTs +found in the \s-1TLS SCT\s0 extension or \s-1OCSP\s0 response. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fICT_POLICY_EVAL_CTX_new()\fR will return \s-1NULL\s0 if malloc fails. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIct\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DEFINE_STACK_OF.3 b/secure/lib/libcrypto/man/DEFINE_STACK_OF.3 new file mode 100644 index 000000000000..d0106afd8f26 --- /dev/null +++ b/secure/lib/libcrypto/man/DEFINE_STACK_OF.3 @@ -0,0 +1,400 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DEFINE_STACK_OF 3" +.TH DEFINE_STACK_OF 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DEFINE_STACK_OF, DEFINE_STACK_OF_CONST, DEFINE_SPECIAL_STACK_OF, DEFINE_SPECIAL_STACK_OF_CONST, sk_TYPE_num, sk_TYPE_value, sk_TYPE_new, sk_TYPE_new_null, sk_TYPE_reserve, sk_TYPE_free, sk_TYPE_zero, sk_TYPE_delete, sk_TYPE_delete_ptr, sk_TYPE_push, sk_TYPE_unshift, sk_TYPE_pop, sk_TYPE_shift, sk_TYPE_pop_free, sk_TYPE_insert, sk_TYPE_set, sk_TYPE_find, sk_TYPE_find_ex, sk_TYPE_sort, sk_TYPE_is_sorted, sk_TYPE_dup, sk_TYPE_deep_copy, sk_TYPE_set_cmp_func, sk_TYPE_new_reserve \&\- stack container +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& STACK_OF(TYPE) +\& DEFINE_STACK_OF(TYPE) +\& DEFINE_STACK_OF_CONST(TYPE) +\& DEFINE_SPECIAL_STACK_OF(FUNCTYPE, TYPE) +\& DEFINE_SPECIAL_STACK_OF_CONST(FUNCTYPE, TYPE) +\& +\& typedef int (*sk_TYPE_compfunc)(const TYPE *const *a, const TYPE *const *b); +\& typedef TYPE * (*sk_TYPE_copyfunc)(const TYPE *a); +\& typedef void (*sk_TYPE_freefunc)(TYPE *a); +\& +\& int sk_TYPE_num(const STACK_OF(TYPE) *sk); +\& TYPE *sk_TYPE_value(const STACK_OF(TYPE) *sk, int idx); +\& STACK_OF(TYPE) *sk_TYPE_new(sk_TYPE_compfunc compare); +\& STACK_OF(TYPE) *sk_TYPE_new_null(void); +\& int sk_TYPE_reserve(STACK_OF(TYPE) *sk, int n); +\& void sk_TYPE_free(const STACK_OF(TYPE) *sk); +\& void sk_TYPE_zero(const STACK_OF(TYPE) *sk); +\& TYPE *sk_TYPE_delete(STACK_OF(TYPE) *sk, int i); +\& TYPE *sk_TYPE_delete_ptr(STACK_OF(TYPE) *sk, TYPE *ptr); +\& int sk_TYPE_push(STACK_OF(TYPE) *sk, const TYPE *ptr); +\& int sk_TYPE_unshift(STACK_OF(TYPE) *sk, const TYPE *ptr); +\& TYPE *sk_TYPE_pop(STACK_OF(TYPE) *sk); +\& TYPE *sk_TYPE_shift(STACK_OF(TYPE) *sk); +\& void sk_TYPE_pop_free(STACK_OF(TYPE) *sk, sk_TYPE_freefunc freefunc); +\& int sk_TYPE_insert(STACK_OF(TYPE) *sk, TYPE *ptr, int idx); +\& TYPE *sk_TYPE_set(STACK_OF(TYPE) *sk, int idx, const TYPE *ptr); +\& int sk_TYPE_find(STACK_OF(TYPE) *sk, TYPE *ptr); +\& int sk_TYPE_find_ex(STACK_OF(TYPE) *sk, TYPE *ptr); +\& void sk_TYPE_sort(const STACK_OF(TYPE) *sk); +\& int sk_TYPE_is_sorted(const STACK_OF(TYPE) *sk); +\& STACK_OF(TYPE) *sk_TYPE_dup(const STACK_OF(TYPE) *sk); +\& STACK_OF(TYPE) *sk_TYPE_deep_copy(const STACK_OF(TYPE) *sk, +\& sk_TYPE_copyfunc copyfunc, +\& sk_TYPE_freefunc freefunc); +\& sk_TYPE_compfunc (*sk_TYPE_set_cmp_func(STACK_OF(TYPE) *sk, +\& sk_TYPE_compfunc compare)); +\& STACK_OF(TYPE) *sk_TYPE_new_reserve(sk_TYPE_compfunc compare, int n); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Applications can create and use their own stacks by placing any of the macros +described below in a header file. These macros define typesafe inline +functions that wrap around the utility \fBOPENSSL_sk_\fR \s-1API.\s0 +In the description here, \fI\s-1TYPE\s0\fR is used +as a placeholder for any of the OpenSSL datatypes, such as \fIX509\fR. +.PP +\&\s-1\fISTACK_OF\s0()\fR returns the name for a stack of the specified \fB\s-1TYPE\s0\fR. +\&\s-1\fIDEFINE_STACK_OF\s0()\fR creates set of functions for a stack of \fB\s-1TYPE\s0\fR. This +will mean that type \fB\s-1TYPE\s0\fR is stored in each stack, the type is referenced by +\&\s-1STACK_OF\s0(\s-1TYPE\s0) and each function name begins with \fIsk_TYPE_\fR. For example: +.PP +.Vb 1 +\& TYPE *sk_TYPE_value(STACK_OF(TYPE) *sk, int idx); +.Ve +.PP +\&\s-1\fIDEFINE_STACK_OF_CONST\s0()\fR is identical to \s-1\fIDEFINE_STACK_OF\s0()\fR except +each element is constant. For example: +.PP +.Vb 1 +\& const TYPE *sk_TYPE_value(STACK_OF(TYPE) *sk, int idx); +.Ve +.PP +\&\s-1\fIDEFINE_SPECIAL_STACK_OF\s0()\fR defines a stack of \fB\s-1TYPE\s0\fR but +each function uses \fB\s-1FUNCNAME\s0\fR in the function name. For example: +.PP +.Vb 1 +\& TYPE *sk_FUNCNAME_value(STACK_OF(TYPE) *sk, int idx); +.Ve +.PP +\&\s-1\fIDEFINE_SPECIAL_STACK_OF_CONST\s0()\fR is similar except that each element is +constant: +.PP +.Vb 1 +\& const TYPE *sk_FUNCNAME_value(STACK_OF(TYPE) *sk, int idx); +.Ve +.PP +\&\fIsk_TYPE_num()\fR returns the number of elements in \fBsk\fR or \-1 if \fBsk\fR is +\&\fB\s-1NULL\s0\fR. +.PP +\&\fIsk_TYPE_value()\fR returns element \fBidx\fR in \fBsk\fR, where \fBidx\fR starts at +zero. If \fBidx\fR is out of range then \fB\s-1NULL\s0\fR is returned. +.PP +\&\fIsk_TYPE_new()\fR allocates a new empty stack using comparison function \fBcompare\fR. +If \fBcompare\fR is \fB\s-1NULL\s0\fR then no comparison function is used. This function is +equivalent to sk_TYPE_new_reserve(compare, 0). +.PP +\&\fIsk_TYPE_new_null()\fR allocates a new empty stack with no comparison function. This +function is equivalent to sk_TYPE_new_reserve(\s-1NULL, 0\s0). +.PP +\&\fIsk_TYPE_reserve()\fR allocates additional memory in the \fBsk\fR structure +such that the next \fBn\fR calls to \fIsk_TYPE_insert()\fR, \fIsk_TYPE_push()\fR +or \fIsk_TYPE_unshift()\fR will not fail or cause memory to be allocated +or reallocated. If \fBn\fR is zero, any excess space allocated in the +\&\fBsk\fR structure is freed. On error \fBsk\fR is unchanged. +.PP +\&\fIsk_TYPE_new_reserve()\fR allocates a new stack. The new stack will have additional +memory allocated to hold \fBn\fR elements if \fBn\fR is positive. The next \fBn\fR calls +to \fIsk_TYPE_insert()\fR, \fIsk_TYPE_push()\fR or \fIsk_TYPE_unshift()\fR will not fail or cause +memory to be allocated or reallocated. If \fBn\fR is zero or less than zero, no +memory is allocated. \fIsk_TYPE_new_reserve()\fR also sets the comparison function +\&\fBcompare\fR to the newly created stack. If \fBcompare\fR is \fB\s-1NULL\s0\fR then no +comparison function is used. +.PP +\&\fIsk_TYPE_set_cmp_func()\fR sets the comparison function of \fBsk\fR to \fBcompare\fR. +The previous comparison function is returned or \fB\s-1NULL\s0\fR if there was +no previous comparison function. +.PP +\&\fIsk_TYPE_free()\fR frees up the \fBsk\fR structure. It does \fBnot\fR free up any +elements of \fBsk\fR. After this call \fBsk\fR is no longer valid. +.PP +\&\fIsk_TYPE_zero()\fR sets the number of elements in \fBsk\fR to zero. It does not free +\&\fBsk\fR so after this call \fBsk\fR is still valid. +.PP +\&\fIsk_TYPE_pop_free()\fR frees up all elements of \fBsk\fR and \fBsk\fR itself. The +free function \fIfreefunc()\fR is called on each element to free it. +.PP +\&\fIsk_TYPE_delete()\fR deletes element \fBi\fR from \fBsk\fR. It returns the deleted +element or \fB\s-1NULL\s0\fR if \fBi\fR is out of range. +.PP +\&\fIsk_TYPE_delete_ptr()\fR deletes element matching \fBptr\fR from \fBsk\fR. It returns +the deleted element or \fB\s-1NULL\s0\fR if no element matching \fBptr\fR was found. +.PP +\&\fIsk_TYPE_insert()\fR inserts \fBptr\fR into \fBsk\fR at position \fBidx\fR. Any existing +elements at or after \fBidx\fR are moved downwards. If \fBidx\fR is out of range +the new element is appended to \fBsk\fR. \fIsk_TYPE_insert()\fR either returns the +number of elements in \fBsk\fR after the new element is inserted or zero if +an error (such as memory allocation failure) occurred. +.PP +\&\fIsk_TYPE_push()\fR appends \fBptr\fR to \fBsk\fR it is equivalent to: +.PP +.Vb 1 +\& sk_TYPE_insert(sk, ptr, \-1); +.Ve +.PP +\&\fIsk_TYPE_unshift()\fR inserts \fBptr\fR at the start of \fBsk\fR it is equivalent to: +.PP +.Vb 1 +\& sk_TYPE_insert(sk, ptr, 0); +.Ve +.PP +\&\fIsk_TYPE_pop()\fR returns and removes the last element from \fBsk\fR. +.PP +\&\fIsk_TYPE_shift()\fR returns and removes the first element from \fBsk\fR. +.PP +\&\fIsk_TYPE_set()\fR sets element \fBidx\fR of \fBsk\fR to \fBptr\fR replacing the current +element. The new element value is returned or \fB\s-1NULL\s0\fR if an error occurred: +this will only happen if \fBsk\fR is \fB\s-1NULL\s0\fR or \fBidx\fR is out of range. +.PP +\&\fIsk_TYPE_find()\fR searches \fBsk\fR for the element \fBptr\fR. In the case +where no comparison function has been specified, the function performs +a linear search for a pointer equal to \fBptr\fR. The index of the first +matching element is returned or \fB\-1\fR if there is no match. In the case +where a comparison function has been specified, \fBsk\fR is sorted then +\&\fIsk_TYPE_find()\fR returns the index of a matching element or \fB\-1\fR if there +is no match. Note that, in this case, the matching element returned is +not guaranteed to be the first; the comparison function will usually +compare the values pointed to rather than the pointers themselves and +the order of elements in \fBsk\fR could change. +.PP +\&\fIsk_TYPE_find_ex()\fR operates like \fIsk_TYPE_find()\fR except when a comparison +function has been specified and no matching element is found. Instead +of returning \fB\-1\fR, \fIsk_TYPE_find_ex()\fR returns the index of the element +either before or after the location where \fBptr\fR would be if it were +present in \fBsk\fR. +.PP +\&\fIsk_TYPE_sort()\fR sorts \fBsk\fR using the supplied comparison function. +.PP +\&\fIsk_TYPE_is_sorted()\fR returns \fB1\fR if \fBsk\fR is sorted and \fB0\fR otherwise. +.PP +\&\fIsk_TYPE_dup()\fR returns a copy of \fBsk\fR. Note the pointers in the copy +are identical to the original. +.PP +\&\fIsk_TYPE_deep_copy()\fR returns a new stack where each element has been copied. +Copying is performed by the supplied \fIcopyfunc()\fR and freeing by \fIfreefunc()\fR. The +function \fIfreefunc()\fR is only called if an error occurs. +.SH "NOTES" +.IX Header "NOTES" +Care should be taken when accessing stacks in multi-threaded environments. +Any operation which increases the size of a stack such as \fIsk_TYPE_insert()\fR or +\&\fIsk_push()\fR can \*(L"grow\*(R" the size of an internal array and cause race conditions +if the same stack is accessed in a different thread. Operations such as +\&\fIsk_find()\fR and \fIsk_sort()\fR can also reorder the stack. +.PP +Any comparison function supplied should use a metric suitable +for use in a binary search operation. That is it should return zero, a +positive or negative value if \fBa\fR is equal to, greater than +or less than \fBb\fR respectively. +.PP +Care should be taken when checking the return values of the functions +\&\fIsk_TYPE_find()\fR and \fIsk_TYPE_find_ex()\fR. They return an index to the +matching element. In particular \fB0\fR indicates a matching first element. +A failed search is indicated by a \fB\-1\fR return value. +.PP +\&\s-1\fISTACK_OF\s0()\fR, \s-1\fIDEFINE_STACK_OF\s0()\fR, \s-1\fIDEFINE_STACK_OF_CONST\s0()\fR, and +\&\s-1\fIDEFINE_SPECIAL_STACK_OF\s0()\fR are implemented as macros. +.PP +The underlying utility \fBOPENSSL_sk_\fR \s-1API\s0 should not be used directly. +It defines these functions: \fIOPENSSL_sk_deep_copy()\fR, +\&\fIOPENSSL_sk_delete()\fR, \fIOPENSSL_sk_delete_ptr()\fR, \fIOPENSSL_sk_dup()\fR, +\&\fIOPENSSL_sk_find()\fR, \fIOPENSSL_sk_find_ex()\fR, \fIOPENSSL_sk_free()\fR, +\&\fIOPENSSL_sk_insert()\fR, \fIOPENSSL_sk_is_sorted()\fR, \fIOPENSSL_sk_new()\fR, +\&\fIOPENSSL_sk_new_null()\fR, \fIOPENSSL_sk_num()\fR, \fIOPENSSL_sk_pop()\fR, +\&\fIOPENSSL_sk_pop_free()\fR, \fIOPENSSL_sk_push()\fR, \fIOPENSSL_sk_reserve()\fR, +\&\fIOPENSSL_sk_set()\fR, \fIOPENSSL_sk_set_cmp_func()\fR, \fIOPENSSL_sk_shift()\fR, +\&\fIOPENSSL_sk_sort()\fR, \fIOPENSSL_sk_unshift()\fR, \fIOPENSSL_sk_value()\fR, +\&\fIOPENSSL_sk_zero()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIsk_TYPE_num()\fR returns the number of elements in the stack or \fB\-1\fR if the +passed stack is \fB\s-1NULL\s0\fR. +.PP +\&\fIsk_TYPE_value()\fR returns a pointer to a stack element or \fB\s-1NULL\s0\fR if the +index is out of range. +.PP +\&\fIsk_TYPE_new()\fR, \fIsk_TYPE_new_null()\fR and \fIsk_TYPE_new_reserve()\fR return an empty +stack or \fB\s-1NULL\s0\fR if an error occurs. +.PP +\&\fIsk_TYPE_reserve()\fR returns \fB1\fR on successful allocation of the required memory +or \fB0\fR on error. +.PP +\&\fIsk_TYPE_set_cmp_func()\fR returns the old comparison function or \fB\s-1NULL\s0\fR if +there was no old comparison function. +.PP +\&\fIsk_TYPE_free()\fR, \fIsk_TYPE_zero()\fR, \fIsk_TYPE_pop_free()\fR and \fIsk_TYPE_sort()\fR do +not return values. +.PP +\&\fIsk_TYPE_pop()\fR, \fIsk_TYPE_shift()\fR, \fIsk_TYPE_delete()\fR and \fIsk_TYPE_delete_ptr()\fR +return a pointer to the deleted element or \fB\s-1NULL\s0\fR on error. +.PP +\&\fIsk_TYPE_insert()\fR, \fIsk_TYPE_push()\fR and \fIsk_TYPE_unshift()\fR return the total +number of elements in the stack and 0 if an error occurred. +.PP +\&\fIsk_TYPE_set()\fR returns a pointer to the replacement element or \fB\s-1NULL\s0\fR on +error. +.PP +\&\fIsk_TYPE_find()\fR and \fIsk_TYPE_find_ex()\fR return an index to the found element +or \fB\-1\fR on error. +.PP +\&\fIsk_TYPE_is_sorted()\fR returns \fB1\fR if the stack is sorted and \fB0\fR if it is +not. +.PP +\&\fIsk_TYPE_dup()\fR and \fIsk_TYPE_deep_copy()\fR return a pointer to the copy of the +stack. +.SH "HISTORY" +.IX Header "HISTORY" +Before OpenSSL 1.1.0, this was implemented via macros and not inline functions +and was not a public \s-1API.\s0 +.PP +\&\fIsk_TYPE_reserve()\fR and \fIsk_TYPE_new_reserve()\fR were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/des.3 b/secure/lib/libcrypto/man/DES_random_key.3 similarity index 69% rename from secure/lib/libcrypto/man/des.3 rename to secure/lib/libcrypto/man/DES_random_key.3 index 60de174e177f..c50c95bbd8b6 100644 --- a/secure/lib/libcrypto/man/des.3 +++ b/secure/lib/libcrypto/man/DES_random_key.3 @@ -128,22 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "des 3" -.TH des 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DES_RANDOM_KEY 3" +.TH DES_RANDOM_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -DES_random_key, DES_set_key, DES_key_sched, DES_set_key_checked, -DES_set_key_unchecked, DES_set_odd_parity, DES_is_weak_key, -DES_ecb_encrypt, DES_ecb2_encrypt, DES_ecb3_encrypt, DES_ncbc_encrypt, -DES_cfb_encrypt, DES_ofb_encrypt, DES_pcbc_encrypt, DES_cfb64_encrypt, -DES_ofb64_encrypt, DES_xcbc_encrypt, DES_ede2_cbc_encrypt, -DES_ede2_cfb64_encrypt, DES_ede2_ofb64_encrypt, DES_ede3_cbc_encrypt, -DES_ede3_cbcm_encrypt, DES_ede3_cfb64_encrypt, DES_ede3_ofb64_encrypt, -DES_cbc_cksum, DES_quad_cksum, DES_string_to_key, DES_string_to_2keys, -DES_fcrypt, DES_crypt, DES_enc_read, DES_enc_write \- DES encryption +DES_random_key, DES_set_key, DES_key_sched, DES_set_key_checked, DES_set_key_unchecked, DES_set_odd_parity, DES_is_weak_key, DES_ecb_encrypt, DES_ecb2_encrypt, DES_ecb3_encrypt, DES_ncbc_encrypt, DES_cfb_encrypt, DES_ofb_encrypt, DES_pcbc_encrypt, DES_cfb64_encrypt, DES_ofb64_encrypt, DES_xcbc_encrypt, DES_ede2_cbc_encrypt, DES_ede2_cfb64_encrypt, DES_ede2_ofb64_encrypt, DES_ede3_cbc_encrypt, DES_ede3_cfb64_encrypt, DES_ede3_ofb64_encrypt, DES_cbc_cksum, DES_quad_cksum, DES_string_to_key, DES_string_to_2keys, DES_fcrypt, DES_crypt \- DES encryption .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -153,87 +145,77 @@ DES_fcrypt, DES_crypt, DES_enc_read, DES_enc_write \- DES encryption \& \& int DES_set_key(const_DES_cblock *key, DES_key_schedule *schedule); \& int DES_key_sched(const_DES_cblock *key, DES_key_schedule *schedule); -\& int DES_set_key_checked(const_DES_cblock *key, -\& DES_key_schedule *schedule); -\& void DES_set_key_unchecked(const_DES_cblock *key, -\& DES_key_schedule *schedule); +\& int DES_set_key_checked(const_DES_cblock *key, DES_key_schedule *schedule); +\& void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule); \& \& void DES_set_odd_parity(DES_cblock *key); \& int DES_is_weak_key(const_DES_cblock *key); \& -\& void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, -\& DES_key_schedule *ks, int enc); -\& void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output, -\& DES_key_schedule *ks1, DES_key_schedule *ks2, int enc); -\& void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, -\& DES_key_schedule *ks1, DES_key_schedule *ks2, -\& DES_key_schedule *ks3, int enc); +\& void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, +\& DES_key_schedule *ks, int enc); +\& void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output, +\& DES_key_schedule *ks1, DES_key_schedule *ks2, int enc); +\& void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, +\& DES_key_schedule *ks1, DES_key_schedule *ks2, +\& DES_key_schedule *ks3, int enc); \& -\& void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output, -\& long length, DES_key_schedule *schedule, DES_cblock *ivec, -\& int enc); +\& void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output, +\& long length, DES_key_schedule *schedule, DES_cblock *ivec, +\& int enc); \& void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, -\& int numbits, long length, DES_key_schedule *schedule, -\& DES_cblock *ivec, int enc); +\& int numbits, long length, DES_key_schedule *schedule, +\& DES_cblock *ivec, int enc); \& void DES_ofb_encrypt(const unsigned char *in, unsigned char *out, -\& int numbits, long length, DES_key_schedule *schedule, -\& DES_cblock *ivec); -\& void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output, -\& long length, DES_key_schedule *schedule, DES_cblock *ivec, -\& int enc); +\& int numbits, long length, DES_key_schedule *schedule, +\& DES_cblock *ivec); +\& void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output, +\& long length, DES_key_schedule *schedule, DES_cblock *ivec, +\& int enc); \& void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, -\& long length, DES_key_schedule *schedule, DES_cblock *ivec, -\& int *num, int enc); +\& long length, DES_key_schedule *schedule, DES_cblock *ivec, +\& int *num, int enc); \& void DES_ofb64_encrypt(const unsigned char *in, unsigned char *out, -\& long length, DES_key_schedule *schedule, DES_cblock *ivec, -\& int *num); +\& long length, DES_key_schedule *schedule, DES_cblock *ivec, +\& int *num); \& -\& void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output, -\& long length, DES_key_schedule *schedule, DES_cblock *ivec, -\& const_DES_cblock *inw, const_DES_cblock *outw, int enc); +\& void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output, +\& long length, DES_key_schedule *schedule, DES_cblock *ivec, +\& const_DES_cblock *inw, const_DES_cblock *outw, int enc); \& -\& void DES_ede2_cbc_encrypt(const unsigned char *input, -\& unsigned char *output, long length, DES_key_schedule *ks1, -\& DES_key_schedule *ks2, DES_cblock *ivec, int enc); -\& void DES_ede2_cfb64_encrypt(const unsigned char *in, -\& unsigned char *out, long length, DES_key_schedule *ks1, -\& DES_key_schedule *ks2, DES_cblock *ivec, int *num, int enc); -\& void DES_ede2_ofb64_encrypt(const unsigned char *in, -\& unsigned char *out, long length, DES_key_schedule *ks1, -\& DES_key_schedule *ks2, DES_cblock *ivec, int *num); +\& void DES_ede2_cbc_encrypt(const unsigned char *input, unsigned char *output, +\& long length, DES_key_schedule *ks1, +\& DES_key_schedule *ks2, DES_cblock *ivec, int enc); +\& void DES_ede2_cfb64_encrypt(const unsigned char *in, unsigned char *out, +\& long length, DES_key_schedule *ks1, +\& DES_key_schedule *ks2, DES_cblock *ivec, +\& int *num, int enc); +\& void DES_ede2_ofb64_encrypt(const unsigned char *in, unsigned char *out, +\& long length, DES_key_schedule *ks1, +\& DES_key_schedule *ks2, DES_cblock *ivec, int *num); \& -\& void DES_ede3_cbc_encrypt(const unsigned char *input, -\& unsigned char *output, long length, DES_key_schedule *ks1, -\& DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, -\& int enc); -\& void DES_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, -\& long length, DES_key_schedule *ks1, DES_key_schedule *ks2, -\& DES_key_schedule *ks3, DES_cblock *ivec1, DES_cblock *ivec2, -\& int enc); -\& void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, -\& long length, DES_key_schedule *ks1, DES_key_schedule *ks2, -\& DES_key_schedule *ks3, DES_cblock *ivec, int *num, int enc); -\& void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, -\& long length, DES_key_schedule *ks1, -\& DES_key_schedule *ks2, DES_key_schedule *ks3, -\& DES_cblock *ivec, int *num); +\& void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output, +\& long length, DES_key_schedule *ks1, +\& DES_key_schedule *ks2, DES_key_schedule *ks3, +\& DES_cblock *ivec, int enc); +\& void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, +\& long length, DES_key_schedule *ks1, +\& DES_key_schedule *ks2, DES_key_schedule *ks3, +\& DES_cblock *ivec, int *num, int enc); +\& void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, +\& long length, DES_key_schedule *ks1, +\& DES_key_schedule *ks2, DES_key_schedule *ks3, +\& DES_cblock *ivec, int *num); \& -\& DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output, -\& long length, DES_key_schedule *schedule, -\& const_DES_cblock *ivec); -\& DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[], -\& long length, int out_count, DES_cblock *seed); +\& DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output, +\& long length, DES_key_schedule *schedule, +\& const_DES_cblock *ivec); +\& DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[], +\& long length, int out_count, DES_cblock *seed); \& void DES_string_to_key(const char *str, DES_cblock *key); -\& void DES_string_to_2keys(const char *str, DES_cblock *key1, -\& DES_cblock *key2); +\& void DES_string_to_2keys(const char *str, DES_cblock *key1, DES_cblock *key2); \& \& char *DES_fcrypt(const char *buf, const char *salt, char *ret); \& char *DES_crypt(const char *buf, const char *salt); -\& -\& int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched, -\& DES_cblock *iv); -\& int DES_enc_write(int fd, const void *buf, int len, -\& DES_key_schedule *sched, DES_cblock *iv); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -248,7 +230,7 @@ each byte is the parity bit. The key schedule is an expanded form of the key; it is used to speed the encryption process. .PP \&\fIDES_random_key()\fR generates a random key. The \s-1PRNG\s0 must be seeded -prior to using this function (see \fIrand\fR\|(3)). If the \s-1PRNG\s0 +prior to using this function (see \fIRAND_bytes\fR\|(3)). If the \s-1PRNG\s0 could not generate a secure key, 0 is returned. .PP Before a \s-1DES\s0 key can be used, it must be converted into the @@ -382,8 +364,12 @@ is thread safe, unlike the normal crypt. .PP \&\fIDES_crypt()\fR is a faster replacement for the normal system \fIcrypt()\fR. This function calls \fIDES_fcrypt()\fR with a static array passed as the -third parameter. This emulates the normal non-thread safe semantics +third parameter. This mostly emulates the normal non-thread-safe semantics of \fIcrypt\fR\|(3). +The \fBsalt\fR must be two \s-1ASCII\s0 characters. +.PP +The values returned by \fIDES_fcrypt()\fR and \fIDES_crypt()\fR are terminated by \s-1NUL\s0 +character. .PP \&\fIDES_enc_write()\fR writes \fIlen\fR bytes to file descriptor \fIfd\fR from buffer \fIbuf\fR. The data is encrypted via \fIpcbc_encrypt\fR (default) @@ -392,35 +378,8 @@ data send down \fIfd\fR consists of 4 bytes (in network byte order) containing the length of the following encrypted data. The encrypted data then follows, padded with random data out to a multiple of 8 bytes. -.PP -\&\fIDES_enc_read()\fR is used to read \fIlen\fR bytes from file descriptor -\&\fIfd\fR into buffer \fIbuf\fR. The data being read from \fIfd\fR is assumed to -have come from \fIDES_enc_write()\fR and is decrypted using \fIsched\fR for -the key schedule and \fIiv\fR for the initial vector. -.PP -\&\fBWarning:\fR The data format used by \fIDES_enc_write()\fR and \fIDES_enc_read()\fR -has a cryptographic weakness: When asked to write more than \s-1MAXWRITE\s0 -bytes, \fIDES_enc_write()\fR will split the data into several chunks that -are all encrypted using the same \s-1IV.\s0 So don't use these functions -unless you are sure you know what you do (in which case you might not -want to use them anyway). They cannot handle non-blocking sockets. -\&\fIDES_enc_read()\fR uses an internal state and thus cannot be used on -multiple files. -.PP -\&\fIDES_rw_mode\fR is used to specify the encryption mode to use with -\&\fIDES_enc_read()\fR and \fIDES_end_write()\fR. If set to \fI\s-1DES_PCBC_MODE\s0\fR (the -default), DES_pcbc_encrypt is used. If set to \fI\s-1DES_CBC_MODE\s0\fR -DES_cbc_encrypt is used. -.SH "NOTES" -.IX Header "NOTES" -Single-key \s-1DES\s0 is insecure due to its short key size. \s-1ECB\s0 mode is -not suitable for most applications; see \fIdes_modes\fR\|(7). -.PP -The \fIevp\fR\|(3) library provides higher-level encryption functions. .SH "BUGS" .IX Header "BUGS" -\&\fIDES_3cbc_encrypt()\fR is flawed and must not be used in applications. -.PP \&\fIDES_cbc_encrypt()\fR does not modify \fBivec\fR; use \fIDES_ncbc_encrypt()\fR instead. .PP @@ -437,46 +396,43 @@ get ugly! \&\fIDES_string_to_key()\fR is available for backward compatibility with the \&\s-1MIT\s0 library. New applications should use a cryptographic hash function. The same applies for \fIDES_string_to_2key()\fR. -.SH "CONFORMING TO" -.IX Header "CONFORMING TO" -\&\s-1ANSI X3.106\s0 -.PP +.SH "NOTES" +.IX Header "NOTES" The \fBdes\fR library was written to be source code compatible with the \s-1MIT\s0 Kerberos library. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIcrypt\fR\|(3), \fIdes_modes\fR\|(7), \fIevp\fR\|(3), \fIrand\fR\|(3) +.PP +Applications should use the higher level functions +\&\fIEVP_EncryptInit\fR\|(3) etc. instead of calling these +functions directly. +.PP +Single-key \s-1DES\s0 is insecure due to its short key size. \s-1ECB\s0 mode is +not suitable for most applications; see \fIdes_modes\fR\|(7). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIDES_set_key()\fR, \fIDES_key_sched()\fR, \fIDES_set_key_checked()\fR and \fIDES_is_weak_key()\fR +return 0 on success or negative values on error. +.PP +\&\fIDES_cbc_cksum()\fR and \fIDES_quad_cksum()\fR return 4\-byte integer representing the +last 4 bytes of the checksum of the input. +.PP +\&\fIDES_fcrypt()\fR returns a pointer to the caller-provided buffer and \fIDES_crypt()\fR \- +to a static buffer on success; otherwise they return \s-1NULL.\s0 .SH "HISTORY" .IX Header "HISTORY" -In OpenSSL 0.9.7, all des_ functions were renamed to \s-1DES_\s0 to avoid -clashes with older versions of libdes. Compatibility des_ functions -are provided for a short while, as well as \fIcrypt()\fR. -Declarations for these are in . There is no \s-1DES_\s0 -variant for \fIdes_random_seed()\fR. -This will happen to other functions -as well if they are deemed redundant (\fIdes_random_seed()\fR just calls -\&\fIRAND_seed()\fR and is present for backward compatibility only), buggy or -already scheduled for removal. +The requirement that the \fBsalt\fR parameter to \fIDES_crypt()\fR and \fIDES_fcrypt()\fR +be two \s-1ASCII\s0 characters was first enforced in +OpenSSL 1.1.0. Previous versions tried to use the letter uppercase \fBA\fR +if both character were not present, and could crash when given non-ASCII +on some platforms. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIdes_modes\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIdes_cbc_cksum()\fR, \fIdes_cbc_encrypt()\fR, \fIdes_ecb_encrypt()\fR, -\&\fIdes_is_weak_key()\fR, \fIdes_key_sched()\fR, \fIdes_pcbc_encrypt()\fR, -\&\fIdes_quad_cksum()\fR, \fIdes_random_key()\fR and \fIdes_string_to_key()\fR -are available in the \s-1MIT\s0 Kerberos library; -\&\fIdes_check_key_parity()\fR, \fIdes_fixup_key_parity()\fR and \fIdes_is_weak_key()\fR -are available in newer versions of that library. -.PP -\&\fIdes_set_key_checked()\fR and \fIdes_set_key_unchecked()\fR were added in -OpenSSL 0.9.5. -.PP -\&\fIdes_generate_random_block()\fR, \fIdes_init_random_number_generator()\fR, -\&\fIdes_new_random_key()\fR, \fIdes_set_random_generator_seed()\fR and -\&\fIdes_set_sequence_number()\fR and \fIdes_rand_data()\fR are used in newer -versions of Kerberos but are not implemented here. -.PP -\&\fIdes_random_key()\fR generated cryptographically weak random data in -SSLeay and in OpenSSL prior version 0.9.5, as well as in the original -\&\s-1MIT\s0 library. -.SH "AUTHOR" -.IX Header "AUTHOR" -Eric Young (eay@cryptsoft.com). Modified for the OpenSSL project -(http://www.openssl.org). +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_generate_key.3 b/secure/lib/libcrypto/man/DH_generate_key.3 index b6f67a2c159e..562ce6045f53 100644 --- a/secure/lib/libcrypto/man/DH_generate_key.3 +++ b/secure/lib/libcrypto/man/DH_generate_key.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DH_generate_key 3" -.TH DH_generate_key 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DH_GENERATE_KEY 3" +.TH DH_GENERATE_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -171,8 +171,12 @@ on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdh\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3), \fIDH_size\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDH_generate_key()\fR and \fIDH_compute_key()\fR are available in all versions -of SSLeay and OpenSSL. +\&\fIDH_new\fR\|(3), \fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3), \fIDH_size\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_generate_parameters.3 b/secure/lib/libcrypto/man/DH_generate_parameters.3 index f8d2fc499e1f..e260c1915754 100644 --- a/secure/lib/libcrypto/man/DH_generate_parameters.3 +++ b/secure/lib/libcrypto/man/DH_generate_parameters.3 @@ -128,37 +128,45 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DH_generate_parameters 3" -.TH DH_generate_parameters 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DH_GENERATE_PARAMETERS 3" +.TH DH_GENERATE_PARAMETERS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -DH_generate_parameters_ex, DH_generate_parameters, -DH_check \- generate and check Diffie\-Hellman parameters +DH_generate_parameters_ex, DH_generate_parameters, DH_check, DH_check_params, DH_check_ex, DH_check_params_ex, DH_check_pub_key_ex \&\- generate and check Diffie\-Hellman parameters .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb); +\& int DH_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb); \& \& int DH_check(DH *dh, int *codes); +\& int DH_check_params(DH *dh, int *codes); +\& +\& int DH_check_ex(const DH *dh); +\& int DH_check_params_ex(const DH *dh); +\& int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key); .Ve .PP Deprecated: .PP -.Vb 2 +.Vb 4 +\& #if OPENSSL_API_COMPAT < 0x00908000L \& DH *DH_generate_parameters(int prime_len, int generator, -\& void (*callback)(int, int, void *), void *cb_arg); +\& void (*callback)(int, int, void *), void *cb_arg); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIDH_generate_parameters_ex()\fR generates Diffie-Hellman parameters that can be shared among a group of users, and stores them in the provided \fB\s-1DH\s0\fR structure. The pseudo-random number generator must be -seeded prior to calling \fIDH_generate_parameters()\fR. +seeded before calling it. +The parameters generated by \fIDH_generate_parameters_ex()\fR should not be used in +signature schemes. .PP \&\fBprime_len\fR is the length in bits of the safe prime to be generated. \&\fBgenerator\fR is a small number > 1, typically 2 or 5. @@ -167,43 +175,85 @@ A callback function may be used to provide feedback about the progress of the key generation. If \fBcb\fR is not \fB\s-1NULL\s0\fR, it will be called as described in \fIBN_generate_prime\fR\|(3) while a random prime number is generated, and when a prime has been found, \fBBN_GENCB_call(cb, 3, 0)\fR -is called. See \fIBN_generate_prime\fR\|(3) for information on +is called. See \fIBN_generate_prime_ex\fR\|(3) for information on the \fIBN_GENCB_call()\fR function. .PP -\&\fIDH_check()\fR validates Diffie-Hellman parameters. It checks that \fBp\fR is -a safe prime, and that \fBg\fR is a suitable generator. In the case of an -error, the bit flags \s-1DH_CHECK_P_NOT_SAFE_PRIME\s0 or -\&\s-1DH_NOT_SUITABLE_GENERATOR\s0 are set in \fB*codes\fR. -\&\s-1DH_UNABLE_TO_CHECK_GENERATOR\s0 is set if the generator cannot be -checked, i.e. it does not equal 2 or 5. +\&\fIDH_generate_parameters()\fR is similar to \fIDH_generate_prime_ex()\fR but +expects an old-style callback function; see +\&\fIBN_generate_prime\fR\|(3) for information on the old-style callback. +.PP +\&\fIDH_check_params()\fR confirms that the \fBp\fR and \fBg\fR are likely enough to +be valid. +This is a lightweight check, if a more thorough check is needed, use +\&\fIDH_check()\fR. +The value of \fB*codes\fR is updated with any problems found. +If \fB*codes\fR is zero then no problems were found, otherwise the +following bits may be set: +.IP "\s-1DH_CHECK_P_NOT_PRIME\s0" 4 +.IX Item "DH_CHECK_P_NOT_PRIME" +The parameter \fBp\fR has been determined to not being an odd prime. +Note that the lack of this bit doesn't guarantee that \fBp\fR is a +prime. +.IP "\s-1DH_NOT_SUITABLE_GENERATOR\s0" 4 +.IX Item "DH_NOT_SUITABLE_GENERATOR" +The generator \fBg\fR is not suitable. +Note that the lack of this bit doesn't guarantee that \fBg\fR is +suitable, unless \fBp\fR is known to be a strong prime. +.PP +\&\fIDH_check()\fR confirms that the Diffie-Hellman parameters \fBdh\fR are valid. The +value of \fB*codes\fR is updated with any problems found. If \fB*codes\fR is zero then +no problems were found, otherwise the following bits may be set: +.IP "\s-1DH_CHECK_P_NOT_PRIME\s0" 4 +.IX Item "DH_CHECK_P_NOT_PRIME" +The parameter \fBp\fR is not prime. +.IP "\s-1DH_CHECK_P_NOT_SAFE_PRIME\s0" 4 +.IX Item "DH_CHECK_P_NOT_SAFE_PRIME" +The parameter \fBp\fR is not a safe prime and no \fBq\fR value is present. +.IP "\s-1DH_UNABLE_TO_CHECK_GENERATOR\s0" 4 +.IX Item "DH_UNABLE_TO_CHECK_GENERATOR" +The generator \fBg\fR cannot be checked for suitability. +.IP "\s-1DH_NOT_SUITABLE_GENERATOR\s0" 4 +.IX Item "DH_NOT_SUITABLE_GENERATOR" +The generator \fBg\fR is not suitable. +.IP "\s-1DH_CHECK_Q_NOT_PRIME\s0" 4 +.IX Item "DH_CHECK_Q_NOT_PRIME" +The parameter \fBq\fR is not prime. +.IP "\s-1DH_CHECK_INVALID_Q_VALUE\s0" 4 +.IX Item "DH_CHECK_INVALID_Q_VALUE" +The parameter \fBq\fR is invalid. +.IP "\s-1DH_CHECK_INVALID_J_VALUE\s0" 4 +.IX Item "DH_CHECK_INVALID_J_VALUE" +The parameter \fBj\fR is invalid. +.PP +\&\fIDH_check_ex()\fR, \fIDH_check_params()\fR and \fIDH_check_pub_key_ex()\fR are similar to +\&\fIDH_check()\fR and \fIDH_check_params()\fR respectively, but the error reasons are added +to the thread's error queue instead of provided as return values from the +function. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIDH_generate_parameters_ex()\fR and \fIDH_check()\fR return 1 if the check could be -performed, 0 otherwise. +\&\fIDH_generate_parameters_ex()\fR, \fIDH_check()\fR and \fIDH_check_params()\fR return 1 +if the check could be performed, 0 otherwise. .PP -\&\fIDH_generate_parameters()\fR (deprecated) returns a pointer to the \s-1DH\s0 structure, or -\&\s-1NULL\s0 if the parameter generation fails. +\&\fIDH_generate_parameters()\fR returns a pointer to the \s-1DH\s0 structure or \s-1NULL\s0 if +the parameter generation fails. +.PP +\&\fIDH_check_ex()\fR, \fIDH_check_params()\fR and \fIDH_check_pub_key_ex()\fR return 1 if the +check is successful, 0 for failed. .PP The error codes can be obtained by \fIERR_get_error\fR\|(3). -.SH "NOTES" -.IX Header "NOTES" -\&\fIDH_generate_parameters_ex()\fR and \fIDH_generate_parameters()\fR may run for several -hours before finding a suitable prime. -.PP -The parameters generated by \fIDH_generate_parameters_ex()\fR and \fIDH_generate_parameters()\fR -are not to be used in signature schemes. -.SH "BUGS" -.IX Header "BUGS" -If \fBgenerator\fR is not 2 or 5, \fBdh\->g\fR=\fBgenerator\fR is not -a usable generator. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdh\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3), +\&\fIDH_new\fR\|(3), \fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3), \&\fIDH_free\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIDH_check()\fR is available in all versions of SSLeay and OpenSSL. -The \fBcb_arg\fR argument to \fIDH_generate_parameters()\fR was added in SSLeay 0.9.0. +\&\fIDH_generate_parameters()\fR was deprecated in OpenSSL 0.9.8; use +\&\fIDH_generate_parameters_ex()\fR instead. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -In versions before OpenSSL 0.9.5, \s-1DH_CHECK_P_NOT_STRONG_PRIME\s0 is used -instead of \s-1DH_CHECK_P_NOT_SAFE_PRIME.\s0 +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_get0_pqg.3 b/secure/lib/libcrypto/man/DH_get0_pqg.3 new file mode 100644 index 000000000000..ea0bb61b1a0c --- /dev/null +++ b/secure/lib/libcrypto/man/DH_get0_pqg.3 @@ -0,0 +1,250 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DH_GET0_PQG 3" +.TH DH_GET0_PQG 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DH_get0_pqg, DH_set0_pqg, DH_get0_key, DH_set0_key, DH_get0_p, DH_get0_q, DH_get0_g, DH_get0_priv_key, DH_get0_pub_key, DH_clear_flags, DH_test_flags, DH_set_flags, DH_get0_engine, DH_get_length, DH_set_length \- Routines for getting and setting data in a DH object +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void DH_get0_pqg(const DH *dh, +\& const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); +\& int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +\& void DH_get0_key(const DH *dh, +\& const BIGNUM **pub_key, const BIGNUM **priv_key); +\& int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); +\& const BIGNUM *DH_get0_p(const DH *dh); +\& const BIGNUM *DH_get0_q(const DH *dh); +\& const BIGNUM *DH_get0_g(const DH *dh); +\& const BIGNUM *DH_get0_priv_key(const DH *dh); +\& const BIGNUM *DH_get0_pub_key(const DH *dh); +\& void DH_clear_flags(DH *dh, int flags); +\& int DH_test_flags(const DH *dh, int flags); +\& void DH_set_flags(DH *dh, int flags); +\& ENGINE *DH_get0_engine(DH *d); +\& long DH_get_length(const DH *dh); +\& int DH_set_length(DH *dh, long length); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A \s-1DH\s0 object contains the parameters \fBp\fR, \fBq\fR and \fBg\fR. Note that the \fBq\fR +parameter is optional. It also contains a public key (\fBpub_key\fR) and +(optionally) a private key (\fBpriv_key\fR). +.PP +The \fBp\fR, \fBq\fR and \fBg\fR parameters can be obtained by calling \fIDH_get0_pqg()\fR. +If the parameters have not yet been set then \fB*p\fR, \fB*q\fR and \fB*g\fR will be set +to \s-1NULL.\s0 Otherwise they are set to pointers to their respective values. These +point directly to the internal representations of the values and therefore +should not be freed directly. +Any of the out parameters \fBp\fR, \fBq\fR, and \fBg\fR can be \s-1NULL,\s0 in which case no +value will be returned for that parameter. +.PP +The \fBp\fR, \fBq\fR and \fBg\fR values can be set by calling \fIDH_set0_pqg()\fR and passing +the new values for \fBp\fR, \fBq\fR and \fBg\fR as parameters to the function. Calling +this function transfers the memory management of the values to the \s-1DH\s0 object, +and therefore the values that have been passed in should not be freed directly +after this function has been called. The \fBq\fR parameter may be \s-1NULL.\s0 +.PP +To get the public and private key values use the \fIDH_get0_key()\fR function. A +pointer to the public key will be stored in \fB*pub_key\fR, and a pointer to the +private key will be stored in \fB*priv_key\fR. Either may be \s-1NULL\s0 if they have not +been set yet, although if the private key has been set then the public key must +be. The values point to the internal representation of the public key and +private key values. This memory should not be freed directly. +Any of the out parameters \fBpub_key\fR and \fBpriv_key\fR can be \s-1NULL,\s0 in which case +no value will be returned for that parameter. +.PP +The public and private key values can be set using \fIDH_set0_key()\fR. Either +parameter may be \s-1NULL,\s0 which means the corresponding \s-1DH\s0 field is left +untouched. As with \fIDH_set0_pqg()\fR this function transfers the memory management +of the key values to the \s-1DH\s0 object, and therefore they should not be freed +directly after this function has been called. +.PP +Any of the values \fBp\fR, \fBq\fR, \fBg\fR, \fBpriv_key\fR, and \fBpub_key\fR can also be +retrieved separately by the corresponding function \fIDH_get0_p()\fR, \fIDH_get0_q()\fR, +\&\fIDH_get0_g()\fR, \fIDH_get0_priv_key()\fR, and \fIDH_get0_pub_key()\fR, respectively. +.PP +\&\fIDH_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1DH\s0 object. +Multiple flags can be passed in one go (bitwise ORed together). Any flags that +are already set are left set. \fIDH_test_flags()\fR tests to see whether the flags +passed in the \fBflags\fR parameter are currently set in the \s-1DH\s0 object. Multiple +flags can be tested in one go. All flags that are currently set are returned, or +zero if none of the flags are set. \fIDH_clear_flags()\fR clears the specified flags +within the \s-1DH\s0 object. +.PP +\&\fIDH_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for this \s-1DH\s0 +object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set. +.PP +The \fIDH_get_length()\fR and \fIDH_set_length()\fR functions get and set the optional +length parameter associated with this \s-1DH\s0 object. If the length is non-zero then +it is used, otherwise it is ignored. The \fBlength\fR parameter indicates the +length of the secret exponent (private key) in bits. +.SH "NOTES" +.IX Header "NOTES" +Values retrieved with \fIDH_get0_key()\fR are owned by the \s-1DH\s0 object used +in the call and may therefore \fInot\fR be passed to \fIDH_set0_key()\fR. If +needed, duplicate the received value using \fIBN_dup()\fR and pass the +duplicate. The same applies to \fIDH_get0_pqg()\fR and \fIDH_set0_pqg()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIDH_set0_pqg()\fR and \fIDH_set0_key()\fR return 1 on success or 0 on failure. +.PP +\&\fIDH_get0_p()\fR, \fIDH_get0_q()\fR, \fIDH_get0_g()\fR, \fIDH_get0_priv_key()\fR, and \fIDH_get0_pub_key()\fR +return the respective value, or \s-1NULL\s0 if it is unset. +.PP +\&\fIDH_test_flags()\fR returns the current state of the flags in the \s-1DH\s0 object. +.PP +\&\fIDH_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1DH\s0 object or \s-1NULL\s0 if no \s-1ENGINE\s0 +has been set. +.PP +\&\fIDH_get_length()\fR returns the length of the secret exponent (private key) in bits, +or zero if no such length has been explicitly set. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIDH_new\fR\|(3), \fIDH_new\fR\|(3), \fIDH_generate_parameters\fR\|(3), \fIDH_generate_key\fR\|(3), +\&\fIDH_set_method\fR\|(3), \fIDH_size\fR\|(3), \fIDH_meth_new\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_get_1024_160.3 b/secure/lib/libcrypto/man/DH_get_1024_160.3 new file mode 100644 index 000000000000..645af1f6be2e --- /dev/null +++ b/secure/lib/libcrypto/man/DH_get_1024_160.3 @@ -0,0 +1,187 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DH_GET_1024_160 3" +.TH DH_GET_1024_160 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DH_get_1024_160, DH_get_2048_224, DH_get_2048_256, BN_get0_nist_prime_192, BN_get0_nist_prime_224, BN_get0_nist_prime_256, BN_get0_nist_prime_384, BN_get0_nist_prime_521, BN_get_rfc2409_prime_768, BN_get_rfc2409_prime_1024, BN_get_rfc3526_prime_1536, BN_get_rfc3526_prime_2048, BN_get_rfc3526_prime_3072, BN_get_rfc3526_prime_4096, BN_get_rfc3526_prime_6144, BN_get_rfc3526_prime_8192 \&\- Create standardized public primes or DH pairs +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 4 +\& #include +\& DH *DH_get_1024_160(void) +\& DH *DH_get_2048_224(void) +\& DH *DH_get_2048_256(void) +\& +\& const BIGNUM *BN_get0_nist_prime_192(void) +\& const BIGNUM *BN_get0_nist_prime_224(void) +\& const BIGNUM *BN_get0_nist_prime_256(void) +\& const BIGNUM *BN_get0_nist_prime_384(void) +\& const BIGNUM *BN_get0_nist_prime_521(void) +\& +\& BIGNUM *BN_get_rfc2409_prime_768(BIGNUM *bn) +\& BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM *bn) +\& BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn) +\& BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn) +\& BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn) +\& BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn) +\& BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn) +\& BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIDH_get_1024_160()\fR, \fIDH_get_2048_224()\fR, and \fIDH_get_2048_256()\fR each return +a \s-1DH\s0 object for the \s-1IETF RFC 5114\s0 value. +.PP +\&\fIBN_get0_nist_prime_192()\fR, \fIBN_get0_nist_prime_224()\fR, \fIBN_get0_nist_prime_256()\fR, +\&\fIBN_get0_nist_prime_384()\fR, and \fIBN_get0_nist_prime_521()\fR functions return +a \s-1BIGNUM\s0 for the specific \s-1NIST\s0 prime curve (e.g., P\-256). +.PP +\&\fIBN_get_rfc2409_prime_768()\fR, \fIBN_get_rfc2409_prime_1024()\fR, +\&\fIBN_get_rfc3526_prime_1536()\fR, \fIBN_get_rfc3526_prime_2048()\fR, +\&\fIBN_get_rfc3526_prime_3072()\fR, \fIBN_get_rfc3526_prime_4096()\fR, +\&\fIBN_get_rfc3526_prime_6144()\fR, and \fIBN_get_rfc3526_prime_8192()\fR functions +return a \s-1BIGNUM\s0 for the specified size from \s-1IETF RFC 2409.\s0 If \fBbn\fR +is not \s-1NULL,\s0 the \s-1BIGNUM\s0 will be set into that location as well. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Defined above. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_meth_new.3 b/secure/lib/libcrypto/man/DH_meth_new.3 new file mode 100644 index 000000000000..6e878da60030 --- /dev/null +++ b/secure/lib/libcrypto/man/DH_meth_new.3 @@ -0,0 +1,290 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DH_METH_NEW 3" +.TH DH_METH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DH_meth_new, DH_meth_free, DH_meth_dup, DH_meth_get0_name, DH_meth_set1_name, DH_meth_get_flags, DH_meth_set_flags, DH_meth_get0_app_data, DH_meth_set0_app_data, DH_meth_get_generate_key, DH_meth_set_generate_key, DH_meth_get_compute_key, DH_meth_set_compute_key, DH_meth_get_bn_mod_exp, DH_meth_set_bn_mod_exp, DH_meth_get_init, DH_meth_set_init, DH_meth_get_finish, DH_meth_set_finish, DH_meth_get_generate_params, DH_meth_set_generate_params \- Routines to build up DH methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& DH_METHOD *DH_meth_new(const char *name, int flags); +\& +\& void DH_meth_free(DH_METHOD *dhm); +\& +\& DH_METHOD *DH_meth_dup(const DH_METHOD *dhm); +\& +\& const char *DH_meth_get0_name(const DH_METHOD *dhm); +\& int DH_meth_set1_name(DH_METHOD *dhm, const char *name); +\& +\& int DH_meth_get_flags(const DH_METHOD *dhm); +\& int DH_meth_set_flags(DH_METHOD *dhm, int flags); +\& +\& void *DH_meth_get0_app_data(const DH_METHOD *dhm); +\& int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data); +\& +\& int (*DH_meth_get_generate_key(const DH_METHOD *dhm))(DH *); +\& int DH_meth_set_generate_key(DH_METHOD *dhm, int (*generate_key)(DH *)); +\& +\& int (*DH_meth_get_compute_key(const DH_METHOD *dhm)) +\& (unsigned char *key, const BIGNUM *pub_key, DH *dh); +\& int DH_meth_set_compute_key(DH_METHOD *dhm, +\& int (*compute_key)(unsigned char *key, const BIGNUM *pub_key, DH *dh)); +\& +\& int (*DH_meth_get_bn_mod_exp(const DH_METHOD *dhm)) +\& (const DH *dh, BIGNUM *r, const BIGNUM *a, const BIGNUM *p, +\& const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +\& int DH_meth_set_bn_mod_exp(DH_METHOD *dhm, +\& int (*bn_mod_exp)(const DH *dh, BIGNUM *r, const BIGNUM *a, +\& const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, +\& BN_MONT_CTX *m_ctx)); +\& +\& int (*DH_meth_get_init(const DH_METHOD *dhm))(DH *); +\& int DH_meth_set_init(DH_METHOD *dhm, int (*init)(DH *)); +\& +\& int (*DH_meth_get_finish(const DH_METHOD *dhm))(DH *); +\& int DH_meth_set_finish(DH_METHOD *dhm, int (*finish)(DH *)); +\& +\& int (*DH_meth_get_generate_params(const DH_METHOD *dhm)) +\& (DH *, int, int, BN_GENCB *); +\& int DH_meth_set_generate_params(DH_METHOD *dhm, +\& int (*generate_params)(DH *, int, int, BN_GENCB *)); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1DH_METHOD\s0\fR type is a structure used for the provision of custom \s-1DH\s0 +implementations. It provides a set of functions used by OpenSSL for the +implementation of the various \s-1DH\s0 capabilities. +.PP +\&\fIDH_meth_new()\fR creates a new \fB\s-1DH_METHOD\s0\fR structure. It should be given a +unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a \s-1NULL\s0 terminated +string, which will be duplicated and stored in the \fB\s-1DH_METHOD\s0\fR object. It is +the callers responsibility to free the original string. The flags will be used +during the construction of a new \fB\s-1DH\s0\fR object based on this \fB\s-1DH_METHOD\s0\fR. Any +new \fB\s-1DH\s0\fR object will have those flags set by default. +.PP +\&\fIDH_meth_dup()\fR creates a duplicate copy of the \fB\s-1DH_METHOD\s0\fR object passed as a +parameter. This might be useful for creating a new \fB\s-1DH_METHOD\s0\fR based on an +existing one, but with some differences. +.PP +\&\fIDH_meth_free()\fR destroys a \fB\s-1DH_METHOD\s0\fR structure and frees up any memory +associated with it. +.PP +\&\fIDH_meth_get0_name()\fR will return a pointer to the name of this \s-1DH_METHOD.\s0 This +is a pointer to the internal name string and so should not be freed by the +caller. \fIDH_meth_set1_name()\fR sets the name of the \s-1DH_METHOD\s0 to \fBname\fR. The +string is duplicated and the copy is stored in the \s-1DH_METHOD\s0 structure, so the +caller remains responsible for freeing the memory associated with the name. +.PP +\&\fIDH_meth_get_flags()\fR returns the current value of the flags associated with this +\&\s-1DH_METHOD.\s0 \fIDH_meth_set_flags()\fR provides the ability to set these flags. +.PP +The functions \fIDH_meth_get0_app_data()\fR and \fIDH_meth_set0_app_data()\fR provide the +ability to associate implementation specific data with the \s-1DH_METHOD.\s0 It is +the application's responsibility to free this data before the \s-1DH_METHOD\s0 is +freed via a call to \fIDH_meth_free()\fR. +.PP +\&\fIDH_meth_get_generate_key()\fR and \fIDH_meth_set_generate_key()\fR get and set the +function used for generating a new \s-1DH\s0 key pair respectively. This function will +be called in response to the application calling \fIDH_generate_key()\fR. The +parameter for the function has the same meaning as for \fIDH_generate_key()\fR. +.PP +\&\fIDH_meth_get_compute_key()\fR and \fIDH_meth_set_compute_key()\fR get and set the +function used for computing a new \s-1DH\s0 shared secret respectively. This function +will be called in response to the application calling \fIDH_compute_key()\fR. The +parameters for the function have the same meaning as for \fIDH_compute_key()\fR. +.PP +\&\fIDH_meth_get_bn_mod_exp()\fR and \fIDH_meth_set_bn_mod_exp()\fR get and set the function +used for computing the following value: +.PP +.Vb 1 +\& r = a ^ p mod m +.Ve +.PP +This function will be called by the default OpenSSL function for +\&\fIDH_generate_key()\fR. The result is stored in the \fBr\fR parameter. This function +may be \s-1NULL\s0 unless using the default generate key function, in which case it +must be present. +.PP +\&\fIDH_meth_get_init()\fR and \fIDH_meth_set_init()\fR get and set the function used +for creating a new \s-1DH\s0 instance respectively. This function will be +called in response to the application calling \fIDH_new()\fR (if the current default +\&\s-1DH_METHOD\s0 is this one) or \fIDH_new_method()\fR. The \fIDH_new()\fR and \fIDH_new_method()\fR +functions will allocate the memory for the new \s-1DH\s0 object, and a pointer to this +newly allocated structure will be passed as a parameter to the function. This +function may be \s-1NULL.\s0 +.PP +\&\fIDH_meth_get_finish()\fR and \fIDH_meth_set_finish()\fR get and set the function used +for destroying an instance of a \s-1DH\s0 object respectively. This function will be +called in response to the application calling \fIDH_free()\fR. A pointer to the \s-1DH\s0 +to be destroyed is passed as a parameter. The destroy function should be used +for \s-1DH\s0 implementation specific clean up. The memory for the \s-1DH\s0 itself should +not be freed by this function. This function may be \s-1NULL.\s0 +.PP +\&\fIDH_meth_get_generate_params()\fR and \fIDH_meth_set_generate_params()\fR get and set the +function used for generating \s-1DH\s0 parameters respectively. This function will be +called in response to the application calling \fIDH_generate_parameters_ex()\fR (or +\&\fIDH_generate_parameters()\fR). The parameters for the function have the same +meaning as for \fIDH_generate_parameters_ex()\fR. This function may be \s-1NULL.\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIDH_meth_new()\fR and \fIDH_meth_dup()\fR return the newly allocated \s-1DH_METHOD\s0 object +or \s-1NULL\s0 on failure. +.PP +\&\fIDH_meth_get0_name()\fR and \fIDH_meth_get_flags()\fR return the name and flags +associated with the \s-1DH_METHOD\s0 respectively. +.PP +All other DH_meth_get_*() functions return the appropriate function pointer +that has been set in the \s-1DH_METHOD,\s0 or \s-1NULL\s0 if no such pointer has yet been +set. +.PP +\&\fIDH_meth_set1_name()\fR and all DH_meth_set_*() functions return 1 on success or +0 on failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIDH_new\fR\|(3), \fIDH_new\fR\|(3), \fIDH_generate_parameters\fR\|(3), \fIDH_generate_key\fR\|(3), +\&\fIDH_set_method\fR\|(3), \fIDH_size\fR\|(3), \fIDH_get0_pqg\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_new.3 b/secure/lib/libcrypto/man/DH_new.3 index 94bd304bfcde..4ca5899affa1 100644 --- a/secure/lib/libcrypto/man/DH_new.3 +++ b/secure/lib/libcrypto/man/DH_new.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DH_new 3" -.TH DH_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DH_NEW 3" +.TH DH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -151,6 +151,7 @@ DH_new, DH_free \- allocate and free DH objects .PP \&\fIDH_free()\fR frees the \fB\s-1DH\s0\fR structure and its components. The values are erased before the memory is returned to the system. +If \fBdh\fR is \s-1NULL\s0 nothing is done. .SH "RETURN VALUES" .IX Header "RETURN VALUES" If the allocation fails, \fIDH_new()\fR returns \fB\s-1NULL\s0\fR and sets an error @@ -160,9 +161,14 @@ a pointer to the newly allocated structure. \&\fIDH_free()\fR returns no value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdh\fR\|(3), \fIERR_get_error\fR\|(3), +\&\fIDH_new\fR\|(3), \fIERR_get_error\fR\|(3), \&\fIDH_generate_parameters\fR\|(3), \&\fIDH_generate_key\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDH_new()\fR and \fIDH_free()\fR are available in all versions of SSLeay and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_new_by_nid.3 b/secure/lib/libcrypto/man/DH_new_by_nid.3 new file mode 100644 index 000000000000..a545178ead83 --- /dev/null +++ b/secure/lib/libcrypto/man/DH_new_by_nid.3 @@ -0,0 +1,168 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DH_NEW_BY_NID 3" +.TH DH_NEW_BY_NID 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DH_new_by_nid, DH_get_nid \- get or find DH named parameters +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 3 +\& #include +\& DH *DH_new_by_nid(int nid); +\& int *DH_get_nid(const DH *dh); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIDH_new_by_nid()\fR creates and returns a \s-1DH\s0 structure containing named parameters +\&\fBnid\fR. Currently \fBnid\fR must be \fBNID_ffdhe2048\fR, \fBNID_ffdhe3072\fR, +\&\fBNID_ffdhe4096\fR, \fBNID_ffdhe6144\fR or \fBNID_ffdhe8192\fR. +.PP +\&\fIDH_get_nid()\fR determines if the parameters contained in \fBdh\fR match +any named set. It returns the \s-1NID\s0 corresponding to the matching parameters or +\&\fBNID_undef\fR if there is no match. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIDH_new_by_nid()\fR returns a set of \s-1DH\s0 parameters or \fB\s-1NULL\s0\fR if an error occurred. +.PP +\&\fIDH_get_nid()\fR returns the \s-1NID\s0 of the matching set of parameters or +\&\fBNID_undef\fR if there is no match. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_set_method.3 b/secure/lib/libcrypto/man/DH_set_method.3 index 1b0ceefc8f52..5ec83fad3bf3 100644 --- a/secure/lib/libcrypto/man/DH_set_method.3 +++ b/secure/lib/libcrypto/man/DH_set_method.3 @@ -128,20 +128,18 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DH_set_method 3" -.TH DH_set_method 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DH_SET_METHOD 3" +.TH DH_SET_METHOD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -DH_set_default_method, DH_get_default_method, -DH_set_method, DH_new_method, DH_OpenSSL \- select DH method +DH_set_default_method, DH_get_default_method, DH_set_method, DH_new_method, DH_OpenSSL \- select DH method .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& \& void DH_set_default_method(const DH_METHOD *meth); \& @@ -165,8 +163,11 @@ Initially, the default \s-1DH_METHOD\s0 is the OpenSSL internal implementation, returned by \fIDH_OpenSSL()\fR. .PP \&\fIDH_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1DH\s0 -structures created later. \fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has been set +structures created later. +\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has been set as a default for \s-1DH,\s0 so this function is no longer recommended. +This function is not thread-safe and should not be called at the same time +as other OpenSSL functions. .PP \&\fIDH_get_default_method()\fR returns a pointer to the current default \s-1DH_METHOD.\s0 However, the meaningfulness of this result is dependent on whether the \s-1ENGINE @@ -184,37 +185,9 @@ for the key can have unexpected results. be used for the \s-1DH\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the default \s-1ENGINE\s0 for \s-1DH\s0 operations is used, and if no default \s-1ENGINE\s0 is set, the \s-1DH_METHOD\s0 controlled by \&\fIDH_set_default_method()\fR is used. -.SH "THE DH_METHOD STRUCTURE" -.IX Header "THE DH_METHOD STRUCTURE" -.Vb 4 -\& typedef struct dh_meth_st -\& { -\& /* name of the implementation */ -\& const char *name; -\& -\& /* generate private and public DH values for key agreement */ -\& int (*generate_key)(DH *dh); -\& -\& /* compute shared secret */ -\& int (*compute_key)(unsigned char *key, BIGNUM *pub_key, DH *dh); -\& -\& /* compute r = a ^ p mod m (May be NULL for some implementations) */ -\& int (*bn_mod_exp)(DH *dh, BIGNUM *r, BIGNUM *a, const BIGNUM *p, -\& const BIGNUM *m, BN_CTX *ctx, -\& BN_MONT_CTX *m_ctx); -\& -\& /* called at DH_new */ -\& int (*init)(DH *dh); -\& -\& /* called at DH_free */ -\& int (*finish)(DH *dh); -\& -\& int flags; -\& -\& char *app_data; /* ?? */ -\& -\& } DH_METHOD; -.Ve +.PP +A new \s-1DH_METHOD\s0 object may be constructed using \fIDH_meth_new()\fR (see +\&\fIDH_meth_new\fR\|(3)). .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIDH_OpenSSL()\fR and \fIDH_get_default_method()\fR return pointers to the respective @@ -229,29 +202,14 @@ method was supplied by an \s-1ENGINE\s0). \&\fIDH_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be obtained by \&\fIERR_get_error\fR\|(3) if the allocation fails. Otherwise it returns a pointer to the newly allocated structure. -.SH "NOTES" -.IX Header "NOTES" -As of version 0.9.7, \s-1DH_METHOD\s0 implementations are grouped together with other -algorithmic APIs (eg. \s-1RSA_METHOD, EVP_CIPHER,\s0 etc) in \fB\s-1ENGINE\s0\fR modules. If a -default \s-1ENGINE\s0 is specified for \s-1DH\s0 functionality using an \s-1ENGINE API\s0 function, -that will override any \s-1DH\s0 defaults set using the \s-1DH API\s0 (ie. -\&\fIDH_set_default_method()\fR). For this reason, the \s-1ENGINE API\s0 is the recommended way -to control default implementations for use in \s-1DH\s0 and other cryptographic -algorithms. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdh\fR\|(3), \fIDH_new\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDH_set_default_method()\fR, \fIDH_get_default_method()\fR, \fIDH_set_method()\fR, -\&\fIDH_new_method()\fR and \fIDH_OpenSSL()\fR were added in OpenSSL 0.9.4. +\&\fIDH_new\fR\|(3), \fIDH_new\fR\|(3), \fIDH_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIDH_set_default_openssl_method()\fR and \fIDH_get_default_openssl_method()\fR replaced -\&\fIDH_set_default_method()\fR and \fIDH_get_default_method()\fR respectively, and -\&\fIDH_set_method()\fR and \fIDH_new_method()\fR were altered to use \fB\s-1ENGINE\s0\fRs rather than -\&\fB\s-1DH_METHOD\s0\fRs during development of the engine version of OpenSSL 0.9.6. For -0.9.7, the handling of defaults in the \s-1ENGINE API\s0 was restructured so that this -change was reversed, and behaviour of the other functions resembled more closely -the previous behaviour. The behaviour of defaults in the \s-1ENGINE API\s0 now -transparently overrides the behaviour of defaults in the \s-1DH API\s0 without -requiring changing these function prototypes. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_size.3 b/secure/lib/libcrypto/man/DH_size.3 index 39b03838e86b..d06b79948868 100644 --- a/secure/lib/libcrypto/man/DH_size.3 +++ b/secure/lib/libcrypto/man/DH_size.3 @@ -128,34 +128,56 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DH_size 3" -.TH DH_size 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DH_SIZE 3" +.TH DH_SIZE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -DH_size \- get Diffie\-Hellman prime size +DH_size, DH_bits, DH_security_bits \- get Diffie\-Hellman prime size and security bits .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int DH_size(DH *dh); +\& int DH_size(const DH *dh); +\& +\& int DH_bits(const DH *dh); +\& +\& int DH_security_bits(const DH *dh); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -This function returns the Diffie-Hellman size in bytes. It can be used +\&\fIDH_size()\fR returns the Diffie-Hellman prime size in bytes. It can be used to determine how much memory must be allocated for the shared secret -computed by \fIDH_compute_key()\fR. +computed by \fIDH_compute_key\fR\|(3). .PP -\&\fBdh\->p\fR must not be \fB\s-1NULL\s0\fR. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" -The size in bytes. +\&\fIDH_bits()\fR returns the number of significant bits. +.PP +\&\fBdh\fR and \fBdh\->p\fR must not be \fB\s-1NULL\s0\fR. +.PP +\&\fIDH_security_bits()\fR returns the number of security bits of the given \fBdh\fR +key. See \fIBN_security_bits\fR\|(3). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIDH_size()\fR returns the prime size of Diffie-Hellman in bytes. +.PP +\&\fIDH_bits()\fR returns the number of bits in the key. +.PP +\&\fIDH_security_bits()\fR returns the number of security bits. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdh\fR\|(3), \fIDH_generate_key\fR\|(3) +\&\fIDH_new\fR\|(3), \fIDH_generate_key\fR\|(3), +\&\fIBN_num_bits\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIDH_size()\fR is available in all versions of SSLeay and OpenSSL. +\&\fIDH_bits()\fR was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_SIG_new.3 b/secure/lib/libcrypto/man/DSA_SIG_new.3 index a6919a1b0d37..dd3388fb69c8 100644 --- a/secure/lib/libcrypto/man/DSA_SIG_new.3 +++ b/secure/lib/libcrypto/man/DSA_SIG_new.3 @@ -128,29 +128,39 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_SIG_new 3" -.TH DSA_SIG_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_SIG_NEW 3" +.TH DSA_SIG_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -DSA_SIG_new, DSA_SIG_free \- allocate and free DSA signature objects +DSA_SIG_get0, DSA_SIG_set0, DSA_SIG_new, DSA_SIG_free \- allocate and free DSA signature objects .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& DSA_SIG *DSA_SIG_new(void); -\& -\& void DSA_SIG_free(DSA_SIG *a); +\& void DSA_SIG_free(DSA_SIG *a); +\& void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +\& int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIDSA_SIG_new()\fR allocates and initializes a \fB\s-1DSA_SIG\s0\fR structure. +\&\fIDSA_SIG_new()\fR allocates an empty \fB\s-1DSA_SIG\s0\fR structure. .PP \&\fIDSA_SIG_free()\fR frees the \fB\s-1DSA_SIG\s0\fR structure and its components. The values are erased before the memory is returned to the system. +.PP +\&\fIDSA_SIG_get0()\fR returns internal pointers to the \fBr\fR and \fBs\fR values contained +in \fBsig\fR. +.PP +The \fBr\fR and \fBs\fR values can be set by calling \fIDSA_SIG_set0()\fR and passing the +new values for \fBr\fR and \fBs\fR as parameters to the function. Calling this +function transfers the memory management of the values to the \s-1DSA_SIG\s0 object, +and therefore the values that have been passed in should not be freed directly +after this function has been called. .SH "RETURN VALUES" .IX Header "RETURN VALUES" If the allocation fails, \fIDSA_SIG_new()\fR returns \fB\s-1NULL\s0\fR and sets an @@ -159,10 +169,17 @@ error code that can be obtained by to the newly allocated structure. .PP \&\fIDSA_SIG_free()\fR returns no value. +.PP +\&\fIDSA_SIG_set0()\fR returns 1 on success or 0 on failure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIERR_get_error\fR\|(3), +\&\fIDSA_new\fR\|(3), \fIERR_get_error\fR\|(3), \&\fIDSA_do_sign\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_SIG_new()\fR and \fIDSA_SIG_free()\fR were added in OpenSSL 0.9.3. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_do_sign.3 b/secure/lib/libcrypto/man/DSA_do_sign.3 index a233a9b0a54f..edd789070dc9 100644 --- a/secure/lib/libcrypto/man/DSA_do_sign.3 +++ b/secure/lib/libcrypto/man/DSA_do_sign.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_do_sign 3" -.TH DSA_do_sign 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_DO_SIGN 3" +.TH DSA_DO_SIGN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -144,7 +144,7 @@ DSA_do_sign, DSA_do_verify \- raw DSA signature operations \& DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); \& \& int DSA_do_verify(const unsigned char *dgst, int dgst_len, -\& DSA_SIG *sig, DSA *dsa); +\& DSA_SIG *sig, DSA *dsa); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -153,8 +153,8 @@ digest \fBdgst\fR using the private key \fBdsa\fR and returns it in a newly allocated \fB\s-1DSA_SIG\s0\fR structure. .PP \&\fIDSA_sign_setup\fR\|(3) may be used to precompute part -of the signing operation for each signature in case signature generation -is time-critical. +of the signing operation in case signature generation is +time-critical. .PP \&\fIDSA_do_verify()\fR verifies that the signature \fBsig\fR matches a given message digest \fBdgst\fR of size \fBlen\fR. \fBdsa\fR is the signer's public @@ -167,9 +167,14 @@ on error. The error codes can be obtained by \&\fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3), +\&\fIDSA_new\fR\|(3), \fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3), \&\fIDSA_SIG_new\fR\|(3), \&\fIDSA_sign\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_do_sign()\fR and \fIDSA_do_verify()\fR were added in OpenSSL 0.9.3. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_dup_DH.3 b/secure/lib/libcrypto/man/DSA_dup_DH.3 index 7ceebd89f55b..81fc0ead1f3d 100644 --- a/secure/lib/libcrypto/man/DSA_dup_DH.3 +++ b/secure/lib/libcrypto/man/DSA_dup_DH.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_dup_DH 3" -.TH DSA_dup_DH 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_DUP_DH 3" +.TH DSA_DUP_DH 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,15 +141,15 @@ DSA_dup_DH \- create a DH structure out of DSA structure .Vb 1 \& #include \& -\& DH * DSA_dup_DH(const DSA *r); +\& DH *DSA_dup_DH(const DSA *r); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIDSA_dup_DH()\fR duplicates \s-1DSA\s0 parameters/keys as \s-1DH\s0 parameters/keys. q is lost during that conversion, but the resulting \s-1DH\s0 parameters contain its length. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" \&\fIDSA_dup_DH()\fR returns the new \fB\s-1DH\s0\fR structure, and \s-1NULL\s0 on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "NOTE" @@ -157,7 +157,12 @@ error codes can be obtained by \fIERR_get_error\fR\|(3). Be careful to avoid small subgroup attacks when using this. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdh\fR\|(3), \fIdsa\fR\|(3), \fIERR_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_dup_DH()\fR was added in OpenSSL 0.9.4. +\&\fIDH_new\fR\|(3), \fIDSA_new\fR\|(3), \fIERR_get_error\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_generate_key.3 b/secure/lib/libcrypto/man/DSA_generate_key.3 index 148e6b5374ea..9374da3c9d08 100644 --- a/secure/lib/libcrypto/man/DSA_generate_key.3 +++ b/secure/lib/libcrypto/man/DSA_generate_key.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_generate_key 3" -.TH DSA_generate_key 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_GENERATE_KEY 3" +.TH DSA_GENERATE_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -149,14 +149,19 @@ DSA_generate_key \- generate DSA key pair a new key pair and stores it in \fBa\->pub_key\fR and \fBa\->priv_key\fR. .PP The \s-1PRNG\s0 must be seeded prior to calling \fIDSA_generate_key()\fR. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" \&\fIDSA_generate_key()\fR returns 1 on success, 0 otherwise. The error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3), -\&\fIDSA_generate_parameters\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_generate_key()\fR is available since SSLeay 0.8. +\&\fIDSA_new\fR\|(3), \fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3), +\&\fIDSA_generate_parameters_ex\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_generate_parameters.3 b/secure/lib/libcrypto/man/DSA_generate_parameters.3 index ec685ab0b0a8..856365229e71 100644 --- a/secure/lib/libcrypto/man/DSA_generate_parameters.3 +++ b/secure/lib/libcrypto/man/DSA_generate_parameters.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_generate_parameters 3" -.TH DSA_generate_parameters 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_GENERATE_PARAMETERS 3" +.TH DSA_GENERATE_PARAMETERS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,29 +142,31 @@ DSA_generate_parameters_ex, DSA_generate_parameters \- generate DSA parameters \& #include \& \& int DSA_generate_parameters_ex(DSA *dsa, int bits, -\& const unsigned char *seed,int seed_len, -\& int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); +\& const unsigned char *seed, int seed_len, +\& int *counter_ret, unsigned long *h_ret, +\& BN_GENCB *cb); .Ve .PP Deprecated: .PP -.Vb 3 -\& DSA *DSA_generate_parameters(int bits, unsigned char *seed, -\& int seed_len, int *counter_ret, unsigned long *h_ret, -\& void (*callback)(int, int, void *), void *cb_arg); +.Vb 5 +\& #if OPENSSL_API_COMPAT < 0x00908000L +\& DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len, +\& int *counter_ret, unsigned long *h_ret, +\& void (*callback)(int, int, void *), void *cb_arg); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIDSA_generate_parameters_ex()\fR generates primes p and q and a generator g for use in the \s-1DSA\s0 and stores the result in \fBdsa\fR. .PP -\&\fBbits\fR is the length of the prime to be generated; the \s-1DSS\s0 allows a -maximum of 1024 bits. +\&\fBbits\fR is the length of the prime p to be generated. +For lengths under 2048 bits, the length of q is 160 bits; for lengths +greater than or equal to 2048 bits, the length of q is set to 256 bits. .PP -If \fBseed\fR is \fB\s-1NULL\s0\fR or \fBseed_len\fR < 20, the primes will be -generated at random. Otherwise, the seed is used to generate -them. If the given seed does not yield a prime q, a new random -seed is chosen. +If \fBseed\fR is \s-1NULL,\s0 the primes will be generated at random. +If \fBseed_len\fR is less than the length of q, an error is returned. .PP \&\fIDSA_generate_parameters_ex()\fR places the iteration count in *\fBcounter_ret\fR and a counter used for finding a generator in @@ -175,59 +177,60 @@ of the key generation. If \fBcb\fR is not \fB\s-1NULL\s0\fR, it will be called as shown below. For information on the \s-1BN_GENCB\s0 structure and the BN_GENCB_call function discussed below, refer to \&\fIBN_generate_prime\fR\|(3). -.IP "\(bu" 4 +.PP +\&\fIDSA_generate_prime()\fR is similar to \fIDSA_generate_prime_ex()\fR but +expects an old-style callback function; see +\&\fIBN_generate_prime\fR\|(3) for information on the old-style callback. +.IP "\(bu" 2 When a candidate for q is generated, \fBBN_GENCB_call(cb, 0, m++)\fR is called (m is 0 for the first candidate). -.IP "\(bu" 4 +.IP "\(bu" 2 When a candidate for q has passed a test by trial division, \&\fBBN_GENCB_call(cb, 1, \-1)\fR is called. While a candidate for q is tested by Miller-Rabin primality tests, \&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop (once for each witness that confirms that the candidate may be prime); i is the loop counter (starting at 0). -.IP "\(bu" 4 +.IP "\(bu" 2 When a prime q has been found, \fBBN_GENCB_call(cb, 2, 0)\fR and \&\fBBN_GENCB_call(cb, 3, 0)\fR are called. -.IP "\(bu" 4 +.IP "\(bu" 2 Before a candidate for p (other than the first) is generated and tested, \&\fBBN_GENCB_call(cb, 0, counter)\fR is called. -.IP "\(bu" 4 +.IP "\(bu" 2 When a candidate for p has passed the test by trial division, \&\fBBN_GENCB_call(cb, 1, \-1)\fR is called. While it is tested by the Miller-Rabin primality test, \&\fBBN_GENCB_call(cb, 1, i)\fR is called in the outer loop (once for each witness that confirms that the candidate may be prime). i is the loop counter (starting at 0). -.IP "\(bu" 4 +.IP "\(bu" 2 When p has been found, \fBBN_GENCB_call(cb, 2, 1)\fR is called. -.IP "\(bu" 4 +.IP "\(bu" 2 When the generator has been found, \fBBN_GENCB_call(cb, 3, 1)\fR is called. -.PP -\&\fIDSA_generate_parameters()\fR (deprecated) works in much the same way as for DSA_generate_parameters_ex, except that no \fBdsa\fR parameter is passed and -instead a newly allocated \fB\s-1DSA\s0\fR structure is returned. Additionally \*(L"old -style\*(R" callbacks are used instead of the newer \s-1BN_GENCB\s0 based approach. -Refer to \fIBN_generate_prime\fR\|(3) for further information. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" \&\fIDSA_generate_parameters_ex()\fR returns a 1 on success, or 0 otherwise. -.PP -\&\fIDSA_generate_parameters()\fR returns a pointer to the \s-1DSA\s0 structure, or -\&\fB\s-1NULL\s0\fR if the parameter generation fails. -.PP The error codes can be obtained by \fIERR_get_error\fR\|(3). +.PP +\&\fIDSA_generate_parameters()\fR returns a pointer to the \s-1DSA\s0 structure or +\&\fB\s-1NULL\s0\fR if the parameter generation fails. .SH "BUGS" .IX Header "BUGS" -Seed lengths > 20 are not supported. +Seed lengths greater than 20 are not supported. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3), +\&\fIDSA_new\fR\|(3), \fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3), \&\fIDSA_free\fR\|(3), \fIBN_generate_prime\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIDSA_generate_parameters()\fR appeared in SSLeay 0.8. The \fBcb_arg\fR -argument was added in SSLeay 0.9.0. -In versions up to OpenSSL 0.9.4, \fBcallback(1, ...)\fR was called -in the inner loop of the Miller-Rabin test whenever it reached the -squaring step (the parameters to \fBcallback\fR did not reveal how many -witnesses had been tested); since OpenSSL 0.9.5, \fBcallback(1, ...)\fR -is called as in \fIBN_is_prime\fR\|(3), i.e. once for each witness. +\&\fIDSA_generate_parameters()\fR was deprecated in OpenSSL 0.9.8; use +\&\fIDSA_generate_parameters_ex()\fR instead. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_get0_pqg.3 b/secure/lib/libcrypto/man/DSA_get0_pqg.3 new file mode 100644 index 000000000000..f47b09da1769 --- /dev/null +++ b/secure/lib/libcrypto/man/DSA_get0_pqg.3 @@ -0,0 +1,235 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DSA_GET0_PQG 3" +.TH DSA_GET0_PQG 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DSA_get0_pqg, DSA_set0_pqg, DSA_get0_key, DSA_set0_key, DSA_get0_p, DSA_get0_q, DSA_get0_g, DSA_get0_pub_key, DSA_get0_priv_key, DSA_clear_flags, DSA_test_flags, DSA_set_flags, DSA_get0_engine \- Routines for getting and setting data in a DSA object +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void DSA_get0_pqg(const DSA *d, +\& const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); +\& int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); +\& void DSA_get0_key(const DSA *d, +\& const BIGNUM **pub_key, const BIGNUM **priv_key); +\& int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); +\& const BIGNUM *DSA_get0_p(const DSA *d); +\& const BIGNUM *DSA_get0_q(const DSA *d); +\& const BIGNUM *DSA_get0_g(const DSA *d); +\& const BIGNUM *DSA_get0_pub_key(const DSA *d); +\& const BIGNUM *DSA_get0_priv_key(const DSA *d); +\& void DSA_clear_flags(DSA *d, int flags); +\& int DSA_test_flags(const DSA *d, int flags); +\& void DSA_set_flags(DSA *d, int flags); +\& ENGINE *DSA_get0_engine(DSA *d); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A \s-1DSA\s0 object contains the parameters \fBp\fR, \fBq\fR and \fBg\fR. It also contains a +public key (\fBpub_key\fR) and (optionally) a private key (\fBpriv_key\fR). +.PP +The \fBp\fR, \fBq\fR and \fBg\fR parameters can be obtained by calling \fIDSA_get0_pqg()\fR. +If the parameters have not yet been set then \fB*p\fR, \fB*q\fR and \fB*g\fR will be set +to \s-1NULL.\s0 Otherwise they are set to pointers to their respective values. These +point directly to the internal representations of the values and therefore +should not be freed directly. +.PP +The \fBp\fR, \fBq\fR and \fBg\fR values can be set by calling \fIDSA_set0_pqg()\fR and passing +the new values for \fBp\fR, \fBq\fR and \fBg\fR as parameters to the function. Calling +this function transfers the memory management of the values to the \s-1DSA\s0 object, +and therefore the values that have been passed in should not be freed directly +after this function has been called. +.PP +To get the public and private key values use the \fIDSA_get0_key()\fR function. A +pointer to the public key will be stored in \fB*pub_key\fR, and a pointer to the +private key will be stored in \fB*priv_key\fR. Either may be \s-1NULL\s0 if they have not +been set yet, although if the private key has been set then the public key must +be. The values point to the internal representation of the public key and +private key values. This memory should not be freed directly. +.PP +The public and private key values can be set using \fIDSA_set0_key()\fR. The public +key must be non-NULL the first time this function is called on a given \s-1DSA\s0 +object. The private key may be \s-1NULL.\s0 On subsequent calls, either may be \s-1NULL,\s0 +which means the corresponding \s-1DSA\s0 field is left untouched. As for \fIDSA_set0_pqg()\fR +this function transfers the memory management of the key values to the \s-1DSA\s0 +object, and therefore they should not be freed directly after this function has +been called. +.PP +Any of the values \fBp\fR, \fBq\fR, \fBg\fR, \fBpriv_key\fR, and \fBpub_key\fR can also be +retrieved separately by the corresponding function \fIDSA_get0_p()\fR, \fIDSA_get0_q()\fR, +\&\fIDSA_get0_g()\fR, \fIDSA_get0_priv_key()\fR, and \fIDSA_get0_pub_key()\fR, respectively. +.PP +\&\fIDSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1DSA\s0 object. +Multiple flags can be passed in one go (bitwise ORed together). Any flags that +are already set are left set. \fIDSA_test_flags()\fR tests to see whether the flags +passed in the \fBflags\fR parameter are currently set in the \s-1DSA\s0 object. Multiple +flags can be tested in one go. All flags that are currently set are returned, or +zero if none of the flags are set. \fIDSA_clear_flags()\fR clears the specified flags +within the \s-1DSA\s0 object. +.PP +\&\fIDSA_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for this \s-1DSA\s0 +object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set. +.SH "NOTES" +.IX Header "NOTES" +Values retrieved with \fIDSA_get0_key()\fR are owned by the \s-1DSA\s0 object used +in the call and may therefore \fInot\fR be passed to \fIDSA_set0_key()\fR. If +needed, duplicate the received value using \fIBN_dup()\fR and pass the +duplicate. The same applies to \fIDSA_get0_pqg()\fR and \fIDSA_set0_pqg()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIDSA_set0_pqg()\fR and \fIDSA_set0_key()\fR return 1 on success or 0 on failure. +.PP +\&\fIDSA_test_flags()\fR returns the current state of the flags in the \s-1DSA\s0 object. +.PP +\&\fIDSA_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1DSA\s0 object or \s-1NULL\s0 if no \s-1ENGINE\s0 +has been set. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIDSA_new\fR\|(3), \fIDSA_new\fR\|(3), \fIDSA_generate_parameters\fR\|(3), \fIDSA_generate_key\fR\|(3), +\&\fIDSA_dup_DH\fR\|(3), \fIDSA_do_sign\fR\|(3), \fIDSA_set_method\fR\|(3), \fIDSA_SIG_new\fR\|(3), +\&\fIDSA_sign\fR\|(3), \fIDSA_size\fR\|(3), \fIDSA_meth_new\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 b/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 deleted file mode 100644 index d4c6f647820b..000000000000 --- a/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 +++ /dev/null @@ -1,165 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "DSA_get_ex_new_index 3" -.TH DSA_get_ex_new_index 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data \- add application specific data to DSA structures -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int DSA_get_ex_new_index(long argl, void *argp, -\& CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, -\& CRYPTO_EX_free *free_func); -\& -\& int DSA_set_ex_data(DSA *d, int idx, void *arg); -\& -\& char *DSA_get_ex_data(DSA *d, int idx); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -These functions handle application specific data in \s-1DSA\s0 -structures. Their usage is identical to that of -\&\fIRSA_get_ex_new_index()\fR, \fIRSA_set_ex_data()\fR and \fIRSA_get_ex_data()\fR -as described in \fIRSA_get_ex_new_index\fR\|(3). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIRSA_get_ex_new_index\fR\|(3), \fIdsa\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_get_ex_new_index()\fR, \fIDSA_set_ex_data()\fR and \fIDSA_get_ex_data()\fR are -available since OpenSSL 0.9.5. diff --git a/secure/lib/libcrypto/man/DSA_meth_new.3 b/secure/lib/libcrypto/man/DSA_meth_new.3 new file mode 100644 index 000000000000..b07278844dca --- /dev/null +++ b/secure/lib/libcrypto/man/DSA_meth_new.3 @@ -0,0 +1,338 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DSA_METH_NEW 3" +.TH DSA_METH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DSA_meth_new, DSA_meth_free, DSA_meth_dup, DSA_meth_get0_name, DSA_meth_set1_name, DSA_meth_get_flags, DSA_meth_set_flags, DSA_meth_get0_app_data, DSA_meth_set0_app_data, DSA_meth_get_sign, DSA_meth_set_sign, DSA_meth_get_sign_setup, DSA_meth_set_sign_setup, DSA_meth_get_verify, DSA_meth_set_verify, DSA_meth_get_mod_exp, DSA_meth_set_mod_exp, DSA_meth_get_bn_mod_exp, DSA_meth_set_bn_mod_exp, DSA_meth_get_init, DSA_meth_set_init, DSA_meth_get_finish, DSA_meth_set_finish, DSA_meth_get_paramgen, DSA_meth_set_paramgen, DSA_meth_get_keygen, DSA_meth_set_keygen \- Routines to build up DSA methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& DSA_METHOD *DSA_meth_new(const char *name, int flags); +\& +\& void DSA_meth_free(DSA_METHOD *dsam); +\& +\& DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth); +\& +\& const char *DSA_meth_get0_name(const DSA_METHOD *dsam); +\& int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name); +\& +\& int DSA_meth_get_flags(const DSA_METHOD *dsam); +\& int DSA_meth_set_flags(DSA_METHOD *dsam, int flags); +\& +\& void *DSA_meth_get0_app_data(const DSA_METHOD *dsam); +\& int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data); +\& +\& DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam))(const unsigned char *, +\& int, DSA *); +\& int DSA_meth_set_sign(DSA_METHOD *dsam, DSA_SIG *(*sign)(const unsigned char *, +\& int, DSA *)); +\& +\& int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam))(DSA *, BN_CTX *,$ +\& BIGNUM **, BIGNUM **); +\& int DSA_meth_set_sign_setup(DSA_METHOD *dsam, int (*sign_setup)(DSA *, BN_CTX *, +\& BIGNUM **, BIGNUM **)); +\& +\& int (*DSA_meth_get_verify(const DSA_METHOD *dsam))(const unsigned char *, +\& int, DSA_SIG *, DSA *); +\& int DSA_meth_set_verify(DSA_METHOD *dsam, int (*verify)(const unsigned char *, +\& int, DSA_SIG *, DSA *)); +\& +\& int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam))(DSA *dsa, BIGNUM *rr, BIGNUM *a1, +\& BIGNUM *p1, BIGNUM *a2, BIGNUM *p2, +\& BIGNUM *m, BN_CTX *ctx, +\& BN_MONT_CTX *in_mont); +\& int DSA_meth_set_mod_exp(DSA_METHOD *dsam, int (*mod_exp)(DSA *dsa, BIGNUM *rr, +\& BIGNUM *a1, BIGNUM *p1, +\& BIGNUM *a2, BIGNUM *p2, +\& BIGNUM *m, BN_CTX *ctx, +\& BN_MONT_CTX *mont)); +\& +\& int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam))(DSA *dsa, BIGNUM *r, BIGNUM *a, +\& const BIGNUM *p, const BIGNUM *m, +\& BN_CTX *ctx, BN_MONT_CTX *mont); +\& int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam, int (*bn_mod_exp)(DSA *dsa, +\& BIGNUM *r, +\& BIGNUM *a, +\& const BIGNUM *p, +\& const BIGNUM *m, +\& BN_CTX *ctx, +\& BN_MONT_CTX *mont)); +\& +\& int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *); +\& int DSA_meth_set_init(DSA_METHOD *dsam, int (*init)(DSA *)); +\& +\& int (*DSA_meth_get_finish(const DSA_METHOD *dsam))(DSA *); +\& int DSA_meth_set_finish(DSA_METHOD *dsam, int (*finish)(DSA *)); +\& +\& int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam))(DSA *, int, +\& const unsigned char *, +\& int, int *, unsigned long *, +\& BN_GENCB *); +\& int DSA_meth_set_paramgen(DSA_METHOD *dsam, +\& int (*paramgen)(DSA *, int, const unsigned char *, +\& int, int *, unsigned long *, BN_GENCB *)); +\& +\& int (*DSA_meth_get_keygen(const DSA_METHOD *dsam))(DSA *); +\& int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen)(DSA *)); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1DSA_METHOD\s0\fR type is a structure used for the provision of custom \s-1DSA\s0 +implementations. It provides a set of functions used by OpenSSL for the +implementation of the various \s-1DSA\s0 capabilities. See the dsa page for more +information. +.PP +\&\fIDSA_meth_new()\fR creates a new \fB\s-1DSA_METHOD\s0\fR structure. It should be given a +unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a \s-1NULL\s0 terminated +string, which will be duplicated and stored in the \fB\s-1DSA_METHOD\s0\fR object. It is +the callers responsibility to free the original string. The flags will be used +during the construction of a new \fB\s-1DSA\s0\fR object based on this \fB\s-1DSA_METHOD\s0\fR. Any +new \fB\s-1DSA\s0\fR object will have those flags set by default. +.PP +\&\fIDSA_meth_dup()\fR creates a duplicate copy of the \fB\s-1DSA_METHOD\s0\fR object passed as a +parameter. This might be useful for creating a new \fB\s-1DSA_METHOD\s0\fR based on an +existing one, but with some differences. +.PP +\&\fIDSA_meth_free()\fR destroys a \fB\s-1DSA_METHOD\s0\fR structure and frees up any memory +associated with it. +.PP +\&\fIDSA_meth_get0_name()\fR will return a pointer to the name of this \s-1DSA_METHOD.\s0 This +is a pointer to the internal name string and so should not be freed by the +caller. \fIDSA_meth_set1_name()\fR sets the name of the \s-1DSA_METHOD\s0 to \fBname\fR. The +string is duplicated and the copy is stored in the \s-1DSA_METHOD\s0 structure, so the +caller remains responsible for freeing the memory associated with the name. +.PP +\&\fIDSA_meth_get_flags()\fR returns the current value of the flags associated with this +\&\s-1DSA_METHOD.\s0 \fIDSA_meth_set_flags()\fR provides the ability to set these flags. +.PP +The functions \fIDSA_meth_get0_app_data()\fR and \fIDSA_meth_set0_app_data()\fR provide the +ability to associate implementation specific data with the \s-1DSA_METHOD.\s0 It is +the application's responsibility to free this data before the \s-1DSA_METHOD\s0 is +freed via a call to \fIDSA_meth_free()\fR. +.PP +\&\fIDSA_meth_get_sign()\fR and \fIDSA_meth_set_sign()\fR get and set the function used for +creating a \s-1DSA\s0 signature respectively. This function will be +called in response to the application calling \fIDSA_do_sign()\fR (or \fIDSA_sign()\fR). The +parameters for the function have the same meaning as for \fIDSA_do_sign()\fR. +.PP +\&\fIDSA_meth_get_sign_setup()\fR and \fIDSA_meth_set_sign_setup()\fR get and set the function +used for precalculating the \s-1DSA\s0 signature values \fBk^\-1\fR and \fBr\fR. This function +will be called in response to the application calling \fIDSA_sign_setup()\fR. The +parameters for the function have the same meaning as for \fIDSA_sign_setup()\fR. +.PP +\&\fIDSA_meth_get_verify()\fR and \fIDSA_meth_set_verify()\fR get and set the function used +for verifying a \s-1DSA\s0 signature respectively. This function will be called in +response to the application calling \fIDSA_do_verify()\fR (or \fIDSA_verify()\fR). The +parameters for the function have the same meaning as for \fIDSA_do_verify()\fR. +.PP +\&\fIDSA_meth_get_mod_exp()\fR and \fIDSA_meth_set_mod_exp()\fR get and set the function used +for computing the following value: +.PP +.Vb 1 +\& rr = a1^p1 * a2^p2 mod m +.Ve +.PP +This function will be called by the default OpenSSL method during verification +of a \s-1DSA\s0 signature. The result is stored in the \fBrr\fR parameter. This function +may be \s-1NULL.\s0 +.PP +\&\fIDSA_meth_get_bn_mod_exp()\fR and \fIDSA_meth_set_bn_mod_exp()\fR get and set the function +used for computing the following value: +.PP +.Vb 1 +\& r = a ^ p mod m +.Ve +.PP +This function will be called by the default OpenSSL function for +\&\fIDSA_sign_setup()\fR. The result is stored in the \fBr\fR parameter. This function +may be \s-1NULL.\s0 +.PP +\&\fIDSA_meth_get_init()\fR and \fIDSA_meth_set_init()\fR get and set the function used +for creating a new \s-1DSA\s0 instance respectively. This function will be +called in response to the application calling \fIDSA_new()\fR (if the current default +\&\s-1DSA_METHOD\s0 is this one) or \fIDSA_new_method()\fR. The \fIDSA_new()\fR and \fIDSA_new_method()\fR +functions will allocate the memory for the new \s-1DSA\s0 object, and a pointer to this +newly allocated structure will be passed as a parameter to the function. This +function may be \s-1NULL.\s0 +.PP +\&\fIDSA_meth_get_finish()\fR and \fIDSA_meth_set_finish()\fR get and set the function used +for destroying an instance of a \s-1DSA\s0 object respectively. This function will be +called in response to the application calling \fIDSA_free()\fR. A pointer to the \s-1DSA\s0 +to be destroyed is passed as a parameter. The destroy function should be used +for \s-1DSA\s0 implementation specific clean up. The memory for the \s-1DSA\s0 itself should +not be freed by this function. This function may be \s-1NULL.\s0 +.PP +\&\fIDSA_meth_get_paramgen()\fR and \fIDSA_meth_set_paramgen()\fR get and set the function +used for generating \s-1DSA\s0 parameters respectively. This function will be called in +response to the application calling \fIDSA_generate_parameters_ex()\fR (or +\&\fIDSA_generate_parameters()\fR). The parameters for the function have the same +meaning as for \fIDSA_generate_parameters_ex()\fR. +.PP +\&\fIDSA_meth_get_keygen()\fR and \fIDSA_meth_set_keygen()\fR get and set the function +used for generating a new \s-1DSA\s0 key pair respectively. This function will be +called in response to the application calling \fIDSA_generate_key()\fR. The parameter +for the function has the same meaning as for \fIDSA_generate_key()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIDSA_meth_new()\fR and \fIDSA_meth_dup()\fR return the newly allocated \s-1DSA_METHOD\s0 object +or \s-1NULL\s0 on failure. +.PP +\&\fIDSA_meth_get0_name()\fR and \fIDSA_meth_get_flags()\fR return the name and flags +associated with the \s-1DSA_METHOD\s0 respectively. +.PP +All other DSA_meth_get_*() functions return the appropriate function pointer +that has been set in the \s-1DSA_METHOD,\s0 or \s-1NULL\s0 if no such pointer has yet been +set. +.PP +\&\fIDSA_meth_set1_name()\fR and all DSA_meth_set_*() functions return 1 on success or +0 on failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIDSA_new\fR\|(3), \fIDSA_new\fR\|(3), \fIDSA_generate_parameters\fR\|(3), \fIDSA_generate_key\fR\|(3), +\&\fIDSA_dup_DH\fR\|(3), \fIDSA_do_sign\fR\|(3), \fIDSA_set_method\fR\|(3), \fIDSA_SIG_new\fR\|(3), +\&\fIDSA_sign\fR\|(3), \fIDSA_size\fR\|(3), \fIDSA_get0_pqg\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_new.3 b/secure/lib/libcrypto/man/DSA_new.3 index 3c5542a8cff2..7990c39ce56a 100644 --- a/secure/lib/libcrypto/man/DSA_new.3 +++ b/secure/lib/libcrypto/man/DSA_new.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_new 3" -.TH DSA_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_NEW 3" +.TH DSA_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -152,6 +152,7 @@ calling DSA_new_method(\s-1NULL\s0). .PP \&\fIDSA_free()\fR frees the \fB\s-1DSA\s0\fR structure and its components. The values are erased before the memory is returned to the system. +If \fBdsa\fR is \s-1NULL\s0 nothing is done. .SH "RETURN VALUES" .IX Header "RETURN VALUES" If the allocation fails, \fIDSA_new()\fR returns \fB\s-1NULL\s0\fR and sets an error @@ -162,9 +163,14 @@ to the newly allocated structure. \&\fIDSA_free()\fR returns no value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIERR_get_error\fR\|(3), +\&\fIDSA_new\fR\|(3), \fIERR_get_error\fR\|(3), \&\fIDSA_generate_parameters\fR\|(3), \&\fIDSA_generate_key\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_new()\fR and \fIDSA_free()\fR are available in all versions of SSLeay and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_set_method.3 b/secure/lib/libcrypto/man/DSA_set_method.3 index a734e6d44c18..f6cbc9a02be8 100644 --- a/secure/lib/libcrypto/man/DSA_set_method.3 +++ b/secure/lib/libcrypto/man/DSA_set_method.3 @@ -128,20 +128,18 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_set_method 3" -.TH DSA_set_method 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_SET_METHOD 3" +.TH DSA_SET_METHOD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -DSA_set_default_method, DSA_get_default_method, -DSA_set_method, DSA_new_method, DSA_OpenSSL \- select DSA method +DSA_set_default_method, DSA_get_default_method, DSA_set_method, DSA_new_method, DSA_OpenSSL \- select DSA method .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& \& void DSA_set_default_method(const DSA_METHOD *meth); \& @@ -165,12 +163,15 @@ Initially, the default \s-1DSA_METHOD\s0 is the OpenSSL internal implementation, as returned by \fIDSA_OpenSSL()\fR. .PP \&\fIDSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1DSA\s0 -structures created later. \fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has +structures created later. +\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has been set as a default for \s-1DSA,\s0 so this function is no longer recommended. +This function is not thread-safe and should not be called at the same time +as other OpenSSL functions. .PP \&\fIDSA_get_default_method()\fR returns a pointer to the current default \&\s-1DSA_METHOD.\s0 However, the meaningfulness of this result is dependent on -whether the \s-1ENGINE API\s0 is being used, so this function is no longer +whether the \s-1ENGINE API\s0 is being used, so this function is no longer recommended. .PP \&\fIDSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key @@ -180,55 +181,13 @@ be released during the change. It is possible to have \s-1DSA\s0 keys that only work with certain \s-1DSA_METHOD\s0 implementations (eg. from an \s-1ENGINE\s0 module that supports embedded hardware-protected keys), and in such cases attempting to change the \s-1DSA_METHOD\s0 for the key can have unexpected -results. +results. See DSA_meth_new for information on constructing custom \s-1DSA_METHOD\s0 +objects; .PP \&\fIDSA_new_method()\fR allocates and initializes a \s-1DSA\s0 structure so that \fBengine\fR will be used for the \s-1DSA\s0 operations. If \fBengine\fR is \s-1NULL,\s0 the default engine for \s-1DSA\s0 operations is used, and if no default \s-1ENGINE\s0 is set, the \s-1DSA_METHOD\s0 controlled by \fIDSA_set_default_method()\fR is used. -.SH "THE DSA_METHOD STRUCTURE" -.IX Header "THE DSA_METHOD STRUCTURE" -struct - { - /* name of the implementation */ - const char *name; -.PP -.Vb 3 -\& /* sign */ -\& DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen, -\& DSA *dsa); -\& -\& /* pre\-compute k^\-1 and r */ -\& int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, -\& BIGNUM **rp); -\& -\& /* verify */ -\& int (*dsa_do_verify)(const unsigned char *dgst, int dgst_len, -\& DSA_SIG *sig, DSA *dsa); -\& -\& /* compute rr = a1^p1 * a2^p2 mod m (May be NULL for some -\& implementations) */ -\& int (*dsa_mod_exp)(DSA *dsa, BIGNUM *rr, BIGNUM *a1, BIGNUM *p1, -\& BIGNUM *a2, BIGNUM *p2, BIGNUM *m, -\& BN_CTX *ctx, BN_MONT_CTX *in_mont); -\& -\& /* compute r = a ^ p mod m (May be NULL for some implementations) */ -\& int (*bn_mod_exp)(DSA *dsa, BIGNUM *r, BIGNUM *a, -\& const BIGNUM *p, const BIGNUM *m, -\& BN_CTX *ctx, BN_MONT_CTX *m_ctx); -\& -\& /* called at DSA_new */ -\& int (*init)(DSA *DSA); -\& -\& /* called at DSA_free */ -\& int (*finish)(DSA *DSA); -\& -\& int flags; -\& -\& char *app_data; /* ?? */ -\& -\& } DSA_METHOD; -.Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIDSA_OpenSSL()\fR and \fIDSA_get_default_method()\fR return pointers to the respective @@ -243,29 +202,14 @@ method was supplied by an \s-1ENGINE\s0). \&\fIDSA_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be obtained by \fIERR_get_error\fR\|(3) if the allocation fails. Otherwise it returns a pointer to the newly allocated structure. -.SH "NOTES" -.IX Header "NOTES" -As of version 0.9.7, \s-1DSA_METHOD\s0 implementations are grouped together with other -algorithmic APIs (eg. \s-1RSA_METHOD, EVP_CIPHER,\s0 etc) in \fB\s-1ENGINE\s0\fR modules. If a -default \s-1ENGINE\s0 is specified for \s-1DSA\s0 functionality using an \s-1ENGINE API\s0 function, -that will override any \s-1DSA\s0 defaults set using the \s-1DSA API\s0 (ie. -\&\fIDSA_set_default_method()\fR). For this reason, the \s-1ENGINE API\s0 is the recommended way -to control default implementations for use in \s-1DSA\s0 and other cryptographic -algorithms. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIDSA_new\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_set_default_method()\fR, \fIDSA_get_default_method()\fR, \fIDSA_set_method()\fR, -\&\fIDSA_new_method()\fR and \fIDSA_OpenSSL()\fR were added in OpenSSL 0.9.4. +\&\fIDSA_new\fR\|(3), \fIDSA_new\fR\|(3), \fIDSA_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIDSA_set_default_openssl_method()\fR and \fIDSA_get_default_openssl_method()\fR replaced -\&\fIDSA_set_default_method()\fR and \fIDSA_get_default_method()\fR respectively, and -\&\fIDSA_set_method()\fR and \fIDSA_new_method()\fR were altered to use \fB\s-1ENGINE\s0\fRs rather than -\&\fB\s-1DSA_METHOD\s0\fRs during development of the engine version of OpenSSL 0.9.6. For -0.9.7, the handling of defaults in the \s-1ENGINE API\s0 was restructured so that this -change was reversed, and behaviour of the other functions resembled more closely -the previous behaviour. The behaviour of defaults in the \s-1ENGINE API\s0 now -transparently overrides the behaviour of defaults in the \s-1DSA API\s0 without -requiring changing these function prototypes. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_sign.3 b/secure/lib/libcrypto/man/DSA_sign.3 index 4f6298307b6d..120a1a325fe7 100644 --- a/secure/lib/libcrypto/man/DSA_sign.3 +++ b/secure/lib/libcrypto/man/DSA_sign.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_sign 3" -.TH DSA_sign 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_SIGN 3" +.TH DSA_SIGN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,13 +141,12 @@ DSA_sign, DSA_sign_setup, DSA_verify \- DSA signatures .Vb 1 \& #include \& -\& int DSA_sign(int type, const unsigned char *dgst, int len, -\& unsigned char *sigret, unsigned int *siglen, DSA *dsa); +\& int DSA_sign(int type, const unsigned char *dgst, int len, +\& unsigned char *sigret, unsigned int *siglen, DSA *dsa); \& -\& int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp, -\& BIGNUM **rp); +\& int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp, BIGNUM **rp); \& -\& int DSA_verify(int type, const unsigned char *dgst, int len, +\& int DSA_verify(int type, const unsigned char *dgst, int len, \& unsigned char *sigbuf, int siglen, DSA *dsa); .Ve .SH "DESCRIPTION" @@ -157,17 +156,12 @@ digest \fBdgst\fR using the private key \fBdsa\fR and places its \s-1ASN.1 DER\s encoding at \fBsigret\fR. The length of the signature is places in *\fBsiglen\fR. \fBsigret\fR must point to DSA_size(\fBdsa\fR) bytes of memory. .PP -\&\fIDSA_sign_setup()\fR may be used to precompute part of the signing -operation in case signature generation is time-critical. It expects -\&\fBdsa\fR to contain \s-1DSA\s0 parameters. It places the precomputed values -in newly allocated \fB\s-1BIGNUM\s0\fRs at *\fBkinvp\fR and *\fBrp\fR, after freeing -the old ones unless *\fBkinvp\fR and *\fBrp\fR are \s-1NULL.\s0 These values may -be passed to \fIDSA_sign()\fR in \fBdsa\->kinv\fR and \fBdsa\->r\fR. -\&\fBctx\fR is a pre-allocated \fB\s-1BN_CTX\s0\fR or \s-1NULL.\s0 -The precomputed values from \fIDSA_sign_setup()\fR \fB\s-1MUST NOT\s0 be used\fR for -more than one signature: using the same \fBdsa\->kinv\fR and -\&\fBdsa\->r\fR pair twice under the same private key on different -plaintexts will result in permanently exposing the \s-1DSA\s0 private key. +\&\fIDSA_sign_setup()\fR is defined only for backward binary compatibility and +should not be used. +Since OpenSSL 1.1.0 the \s-1DSA\s0 type is opaque and the output of +\&\fIDSA_sign_setup()\fR cannot be used anyway: calling this function will only +cause overhead, and does not affect the actual signature +(pre\-)computation. .PP \&\fIDSA_verify()\fR verifies that the signature \fBsigbuf\fR of size \fBsiglen\fR matches a given message digest \fBdgst\fR of size \fBlen\fR. @@ -189,9 +183,13 @@ signature and \-1 on error. The error codes can be obtained by Standard, \s-1DSS\s0), \s-1ANSI X9.30\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIERR_get_error\fR\|(3), \fIrand\fR\|(3), +\&\fIDSA_new\fR\|(3), \fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3), \&\fIDSA_do_sign\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_sign()\fR and \fIDSA_verify()\fR are available in all versions of SSLeay. -\&\fIDSA_sign_setup()\fR was added in SSLeay 0.8. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DSA_size.3 b/secure/lib/libcrypto/man/DSA_size.3 index e2e2bcc80d5e..de014387bb05 100644 --- a/secure/lib/libcrypto/man/DSA_size.3 +++ b/secure/lib/libcrypto/man/DSA_size.3 @@ -128,34 +128,49 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DSA_size 3" -.TH DSA_size 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DSA_SIZE 3" +.TH DSA_SIZE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -DSA_size \- get DSA signature size +DSA_size, DSA_bits, DSA_security_bits \- get DSA signature size, key bits or security bits .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int DSA_size(const DSA *dsa); +\& int DSA_bits(const DSA *dsa); +\& int DSA_security_bits(const DSA *dsa); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -This function returns the size of an \s-1ASN.1\s0 encoded \s-1DSA\s0 signature in -bytes. It can be used to determine how much memory must be allocated -for a \s-1DSA\s0 signature. +\&\fIDSA_size()\fR returns the maximum size of an \s-1ASN.1\s0 encoded \s-1DSA\s0 signature +for key \fBdsa\fR in bytes. It can be used to determine how much memory must +be allocated for a \s-1DSA\s0 signature. .PP \&\fBdsa\->q\fR must not be \fB\s-1NULL\s0\fR. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" -The size in bytes. +.PP +\&\fIDSA_bits()\fR returns the number of bits in key \fBdsa\fR: this is the number +of bits in the \fBp\fR parameter. +.PP +\&\fIDSA_security_bits()\fR returns the number of security bits of the given \fBdsa\fR +key. See \fIBN_security_bits\fR\|(3). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIDSA_size()\fR returns the signature size in bytes. +.PP +\&\fIDSA_bits()\fR returns the number of bits in the key. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIDSA_sign\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIDSA_size()\fR is available in all versions of SSLeay and OpenSSL. +\&\fIDSA_new\fR\|(3), \fIDSA_sign\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 b/secure/lib/libcrypto/man/DTLS_get_data_mtu.3 similarity index 80% rename from secure/lib/libcrypto/man/d2i_X509_ALGOR.3 rename to secure/lib/libcrypto/man/DTLS_get_data_mtu.3 index abcba7eeca99..dc70d4f7b943 100644 --- a/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 +++ b/secure/lib/libcrypto/man/DTLS_get_data_mtu.3 @@ -128,32 +128,37 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_X509_ALGOR 3" -.TH d2i_X509_ALGOR 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DTLS_GET_DATA_MTU 3" +.TH DTLS_GET_DATA_MTU 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_X509_ALGOR, i2d_X509_ALGOR \- AlgorithmIdentifier functions. +DTLS_get_data_mtu \- Get maximum data payload size .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **a, unsigned char **pp, long length); -\& int i2d_X509_ALGOR(X509_ALGOR *a, unsigned char **pp); +\& size_t DTLS_get_data_mtu(const SSL *ssl); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions decode and encode an \fBX509_ALGOR\fR structure which is -equivalent to the \fBAlgorithmIdentifier\fR structure. -.PP -Othewise these behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR -described in the \fId2i_X509\fR\|(3) manual page. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fId2i_X509\fR\|(3) +This function obtains the maximum data payload size for the established +\&\s-1DTLS\s0 connection \fBssl\fR, based on the \s-1DTLS\s0 record \s-1MTU\s0 and the overhead +of the \s-1DTLS\s0 record header, encryption and authentication currently in use. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Returns the maximum data payload size on success, or 0 on failure. .SH "HISTORY" .IX Header "HISTORY" -\&\s-1TBA\s0 +This function was added in OpenSSL 1.1.1 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_X509_REQ.3 b/secure/lib/libcrypto/man/DTLS_set_timer_cb.3 similarity index 79% rename from secure/lib/libcrypto/man/d2i_X509_REQ.3 rename to secure/lib/libcrypto/man/DTLS_set_timer_cb.3 index 3e6a38645643..95652604dbcf 100644 --- a/secure/lib/libcrypto/man/d2i_X509_REQ.3 +++ b/secure/lib/libcrypto/man/DTLS_set_timer_cb.3 @@ -128,38 +128,39 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_X509_REQ 3" -.TH d2i_X509_REQ 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "DTLS_SET_TIMER_CB 3" +.TH DTLS_SET_TIMER_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_X509_REQ, i2d_X509_REQ, d2i_X509_REQ_bio, d2i_X509_REQ_fp, -i2d_X509_REQ_bio, i2d_X509_REQ_fp \- PKCS#10 certificate request functions. +DTLS_timer_cb, DTLS_set_timer_cb \&\- Set callback for controlling DTLS timer duration .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& X509_REQ *d2i_X509_REQ(X509_REQ **a, const unsigned char **pp, long length); -\& int i2d_X509_REQ(X509_REQ *a, unsigned char **pp); +\& typedef unsigned int (*DTLS_timer_cb)(SSL *s, unsigned int timer_us); \& -\& X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **x); -\& X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **x); -\& -\& int i2d_X509_REQ_bio(BIO *bp, X509_REQ *x); -\& int i2d_X509_REQ_fp(FILE *fp, X509_REQ *x); +\& void DTLS_set_timer_cb(SSL *s, DTLS_timer_cb cb); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions decode and encode a PKCS#10 certificate request. -.PP -Othewise these behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR -described in the \fId2i_X509\fR\|(3) manual page. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fId2i_X509\fR\|(3) +This function sets an optional callback function for controlling the +timeout interval on the \s-1DTLS\s0 protocol. The callback function will be +called by \s-1DTLS\s0 for every new \s-1DTLS\s0 packet that is sent. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Returns void. .SH "HISTORY" .IX Header "HISTORY" -\&\s-1TBA\s0 +This function was added in OpenSSL 1.1.1 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DTLSv1_listen.3 b/secure/lib/libcrypto/man/DTLSv1_listen.3 new file mode 100644 index 000000000000..28e594647325 --- /dev/null +++ b/secure/lib/libcrypto/man/DTLSv1_listen.3 @@ -0,0 +1,258 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "DTLSV1_LISTEN 3" +.TH DTLSV1_LISTEN 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_stateless, DTLSv1_listen \&\- Statelessly listen for incoming connections +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_stateless(SSL *s); +\& int DTLSv1_listen(SSL *ssl, BIO_ADDR *peer); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_stateless()\fR statelessly listens for new incoming TLSv1.3 connections. +\&\fIDTLSv1_listen()\fR statelessly listens for new incoming \s-1DTLS\s0 connections. If a +ClientHello is received that does not contain a cookie, then they respond with a +request for a new ClientHello that does contain a cookie. If a ClientHello is +received with a cookie that is verified then the function returns in order to +enable the handshake to be completed (for example by using \fISSL_accept()\fR). +.SH "NOTES" +.IX Header "NOTES" +Some transport protocols (such as \s-1UDP\s0) can be susceptible to amplification +attacks. Unlike \s-1TCP\s0 there is no initial connection setup in \s-1UDP\s0 that +validates that the client can actually receive messages on its advertised source +address. An attacker could forge its source \s-1IP\s0 address and then send handshake +initiation messages to the server. The server would then send its response to +the forged source \s-1IP.\s0 If the response messages are larger than the original +message then the amplification attack has succeeded. +.PP +If \s-1DTLS\s0 is used over \s-1UDP\s0 (or any datagram based protocol that does not validate +the source \s-1IP\s0) then it is susceptible to this type of attack. TLSv1.3 is +designed to operate over a stream-based transport protocol (such as \s-1TCP\s0). +If \s-1TCP\s0 is being used then there is no need to use \fISSL_stateless()\fR. However some +stream-based transport protocols (e.g. \s-1QUIC\s0) may not validate the source +address. In this case a TLSv1.3 application would be susceptible to this attack. +.PP +As a countermeasure to this issue TLSv1.3 and \s-1DTLS\s0 include a stateless cookie +mechanism. The idea is that when a client attempts to connect to a server it +sends a ClientHello message. The server responds with a HelloRetryRequest (in +TLSv1.3) or a HelloVerifyRequest (in \s-1DTLS\s0) which contains a unique cookie. The +client then resends the ClientHello, but this time includes the cookie in the +message thus proving that the client is capable of receiving messages sent to +that address. All of this can be done by the server without allocating any +state, and thus without consuming expensive resources. +.PP +OpenSSL implements this capability via the \fISSL_stateless()\fR and \fIDTLSv1_listen()\fR +functions. The \fBssl\fR parameter should be a newly allocated \s-1SSL\s0 object with its +read and write BIOs set, in the same way as might be done for a call to +\&\fISSL_accept()\fR. Typically, for \s-1DTLS,\s0 the read \s-1BIO\s0 will be in an \*(L"unconnected\*(R" +state and thus capable of receiving messages from any peer. +.PP +When a ClientHello is received that contains a cookie that has been verified, +then these functions will return with the \fBssl\fR parameter updated into a state +where the handshake can be continued by a call to (for example) \fISSL_accept()\fR. +Additionally, for \fIDTLSv1_listen()\fR, the \fB\s-1BIO_ADDR\s0\fR pointed to by \fBpeer\fR will be +filled in with details of the peer that sent the ClientHello. If the underlying +\&\s-1BIO\s0 is unable to obtain the \fB\s-1BIO_ADDR\s0\fR of the peer (for example because the \s-1BIO\s0 +does not support this), then \fB*peer\fR will be cleared and the family set to +\&\s-1AF_UNSPEC.\s0 Typically user code is expected to \*(L"connect\*(R" the underlying socket to +the peer and continue the handshake in a connected state. +.PP +Prior to calling \fIDTLSv1_listen()\fR user code must ensure that cookie generation +and verification callbacks have been set up using +\&\fISSL_CTX_set_cookie_generate_cb()\fR and \fISSL_CTX_set_cookie_verify_cb()\fR +respectively. For \fISSL_stateless()\fR, \fISSL_CTX_set_stateless_cookie_generate_cb()\fR +and \fISSL_CTX_set_stateless_cookie_verify_cb()\fR must be used instead. +.PP +Since \fIDTLSv1_listen()\fR operates entirely statelessly whilst processing incoming +ClientHellos it is unable to process fragmented messages (since this would +require the allocation of state). An implication of this is that \fIDTLSv1_listen()\fR +\&\fBonly\fR supports ClientHellos that fit inside a single datagram. +.PP +For \fISSL_stateless()\fR if an entire ClientHello message cannot be read without the +\&\*(L"read\*(R" \s-1BIO\s0 becoming empty then the \fISSL_stateless()\fR call will fail. It is the +application's responsibility to ensure that data read from the \*(L"read\*(R" \s-1BIO\s0 during +a single \fISSL_stateless()\fR call is all from the same peer. +.PP +\&\fISSL_stateless()\fR will fail (with a 0 return value) if some \s-1TLS\s0 version less than +TLSv1.3 is used. +.PP +Both \fISSL_stateless()\fR and \fIDTLSv1_listen()\fR will clear the error queue when they +start. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +For \fISSL_stateless()\fR a return value of 1 indicates success and the \fBssl\fR object +will be set up ready to continue the handshake. A return value of 0 or \-1 +indicates failure. If the value is 0 then a HelloRetryRequest was sent. A value +of \-1 indicates any other error. User code may retry the \fISSL_stateless()\fR call. +.PP +For \fIDTLSv1_listen()\fR a return value of >= 1 indicates success. The \fBssl\fR object +will be set up ready to continue the handshake. the \fBpeer\fR value will also be +filled in. +.PP +A return value of 0 indicates a non-fatal error. This could (for +example) be because of non-blocking \s-1IO,\s0 or some invalid message having been +received from a peer. Errors may be placed on the OpenSSL error queue with +further information if appropriate. Typically user code is expected to retry the +call to \fIDTLSv1_listen()\fR in the event of a non-fatal error. +.PP +A return value of <0 indicates a fatal error. This could (for example) be +because of a failure to allocate sufficient memory for the operation. +.PP +For \fIDTLSv1_listen()\fR, prior to OpenSSL 1.1.0, fatal and non-fatal errors both +produce return codes <= 0 (in typical implementations user code treats all +errors as non-fatal), whilst return codes >0 indicate success. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_get_error\fR\|(3), \fISSL_accept\fR\|(3), +\&\fIssl\fR\|(7), \fIbio\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_stateless()\fR was first added in OpenSSL 1.1.1. +.PP +\&\fIDTLSv1_listen()\fR return codes were clarified in OpenSSL 1.1.0. The type of \*(L"peer\*(R" +also changed in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ECDSA_SIG_new.3 b/secure/lib/libcrypto/man/ECDSA_SIG_new.3 new file mode 100644 index 000000000000..9ea98f64626e --- /dev/null +++ b/secure/lib/libcrypto/man/ECDSA_SIG_new.3 @@ -0,0 +1,350 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "ECDSA_SIG_NEW 3" +.TH ECDSA_SIG_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0, ECDSA_SIG_new, ECDSA_SIG_free, i2d_ECDSA_SIG, d2i_ECDSA_SIG, ECDSA_size, ECDSA_sign, ECDSA_do_sign, ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex, ECDSA_do_sign_ex \- low level elliptic curve digital signature algorithm (ECDSA) functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& ECDSA_SIG *ECDSA_SIG_new(void); +\& void ECDSA_SIG_free(ECDSA_SIG *sig); +\& void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +\& const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig); +\& const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig); +\& int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); +\& int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp); +\& ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, long len); +\& int ECDSA_size(const EC_KEY *eckey); +\& +\& int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, +\& unsigned char *sig, unsigned int *siglen, EC_KEY *eckey); +\& ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len, +\& EC_KEY *eckey); +\& +\& int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen, +\& const unsigned char *sig, int siglen, EC_KEY *eckey); +\& int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, +\& const ECDSA_SIG *sig, EC_KEY* eckey); +\& +\& ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, +\& const BIGNUM *kinv, const BIGNUM *rp, +\& EC_KEY *eckey); +\& int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinv, BIGNUM **rp); +\& int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen, +\& unsigned char *sig, unsigned int *siglen, +\& const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Note: these functions provide a low level interface to \s-1ECDSA.\s0 Most +applications should use the higher level \fB\s-1EVP\s0\fR interface such as +\&\fIEVP_DigestSignInit\fR\|(3) or \fIEVP_DigestVerifyInit\fR\|(3) instead. +.PP +\&\fB\s-1ECDSA_SIG\s0\fR is an opaque structure consisting of two BIGNUMs for the +\&\fBr\fR and \fBs\fR value of an \s-1ECDSA\s0 signature (see X9.62 or \s-1FIPS 186\-2\s0). +.PP +\&\fIECDSA_SIG_new()\fR allocates an empty \fB\s-1ECDSA_SIG\s0\fR structure. Note: before +OpenSSL 1.1.0 the: the \fBr\fR and \fBs\fR components were initialised. +.PP +\&\fIECDSA_SIG_free()\fR frees the \fB\s-1ECDSA_SIG\s0\fR structure \fBsig\fR. +.PP +\&\fIECDSA_SIG_get0()\fR returns internal pointers the \fBr\fR and \fBs\fR values contained +in \fBsig\fR and stores them in \fB*pr\fR and \fB*ps\fR, respectively. +The pointer \fBpr\fR or \fBps\fR can be \s-1NULL,\s0 in which case the corresponding value +is not returned. +.PP +The values \fBr\fR, \fBs\fR can also be retrieved separately by the corresponding +function \fIECDSA_SIG_get0_r()\fR and \fIECDSA_SIG_get0_s()\fR, respectively. +.PP +The \fBr\fR and \fBs\fR values can be set by calling \fIECDSA_SIG_set0()\fR and passing the +new values for \fBr\fR and \fBs\fR as parameters to the function. Calling this +function transfers the memory management of the values to the \s-1ECDSA_SIG\s0 object, +and therefore the values that have been passed in should not be freed directly +after this function has been called. +.PP +\&\fIi2d_ECDSA_SIG()\fR creates the \s-1DER\s0 encoding of the \s-1ECDSA\s0 signature \fBsig\fR and +writes the encoded signature to \fB*pp\fR (note: if \fBpp\fR is \s-1NULL\s0 \fIi2d_ECDSA_SIG()\fR +returns the expected length in bytes of the \s-1DER\s0 encoded signature). +\&\fIi2d_ECDSA_SIG()\fR returns the length of the \s-1DER\s0 encoded signature (or 0 on +error). +.PP +\&\fId2i_ECDSA_SIG()\fR decodes a \s-1DER\s0 encoded \s-1ECDSA\s0 signature and returns the decoded +signature in a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure. \fB*sig\fR points to the +buffer containing the \s-1DER\s0 encoded signature of size \fBlen\fR. +.PP +\&\fIECDSA_size()\fR returns the maximum length of a \s-1DER\s0 encoded \s-1ECDSA\s0 signature +created with the private \s-1EC\s0 key \fBeckey\fR. +.PP +\&\fIECDSA_sign()\fR computes a digital signature of the \fBdgstlen\fR bytes hash value +\&\fBdgst\fR using the private \s-1EC\s0 key \fBeckey\fR. The \s-1DER\s0 encoded signatures is +stored in \fBsig\fR and its length is returned in \fBsig_len\fR. Note: \fBsig\fR must +point to ECDSA_size(eckey) bytes of memory. The parameter \fBtype\fR is currently +ignored. \fIECDSA_sign()\fR is wrapper function for \fIECDSA_sign_ex()\fR with \fBkinv\fR +and \fBrp\fR set to \s-1NULL.\s0 +.PP +\&\fIECDSA_do_sign()\fR is similar to \fIECDSA_sign()\fR except the signature is returned +as a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure (or \s-1NULL\s0 on error). \fIECDSA_do_sign()\fR +is a wrapper function for \fIECDSA_do_sign_ex()\fR with \fBkinv\fR and \fBrp\fR set to +\&\s-1NULL.\s0 +.PP +\&\fIECDSA_verify()\fR verifies that the signature in \fBsig\fR of size \fBsiglen\fR is a +valid \s-1ECDSA\s0 signature of the hash value \fBdgst\fR of size \fBdgstlen\fR using the +public key \fBeckey\fR. The parameter \fBtype\fR is ignored. +.PP +\&\fIECDSA_do_verify()\fR is similar to \fIECDSA_verify()\fR except the signature is +presented in the form of a pointer to an \fB\s-1ECDSA_SIG\s0\fR structure. +.PP +The remaining functions utilise the internal \fBkinv\fR and \fBr\fR values used +during signature computation. Most applications will never need to call these +and some external \s-1ECDSA ENGINE\s0 implementations may not support them at all if +either \fBkinv\fR or \fBr\fR is not \fB\s-1NULL\s0\fR. +.PP +\&\fIECDSA_sign_setup()\fR may be used to precompute parts of the signing operation. +\&\fBeckey\fR is the private \s-1EC\s0 key and \fBctx\fR is a pointer to \fB\s-1BN_CTX\s0\fR structure +(or \s-1NULL\s0). The precomputed values or returned in \fBkinv\fR and \fBrp\fR and can be +used in a later call to \fIECDSA_sign_ex()\fR or \fIECDSA_do_sign_ex()\fR. +.PP +\&\fIECDSA_sign_ex()\fR computes a digital signature of the \fBdgstlen\fR bytes hash value +\&\fBdgst\fR using the private \s-1EC\s0 key \fBeckey\fR and the optional pre-computed values +\&\fBkinv\fR and \fBrp\fR. The \s-1DER\s0 encoded signature is stored in \fBsig\fR and its +length is returned in \fBsig_len\fR. Note: \fBsig\fR must point to ECDSA_size(eckey) +bytes of memory. The parameter \fBtype\fR is ignored. +.PP +\&\fIECDSA_do_sign_ex()\fR is similar to \fIECDSA_sign_ex()\fR except the signature is +returned as a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure (or \s-1NULL\s0 on error). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIECDSA_SIG_new()\fR returns \s-1NULL\s0 if the allocation fails. +.PP +\&\fIECDSA_SIG_set0()\fR returns 1 on success or 0 on failure. +.PP +\&\fIECDSA_SIG_get0_r()\fR and \fIECDSA_SIG_get0_s()\fR return the corresponding value, +or \s-1NULL\s0 if it is unset. +.PP +\&\fIECDSA_size()\fR returns the maximum length signature or 0 on error. +.PP +\&\fIECDSA_sign()\fR, \fIECDSA_sign_ex()\fR and \fIECDSA_sign_setup()\fR return 1 if successful +or 0 on error. +.PP +\&\fIECDSA_do_sign()\fR and \fIECDSA_do_sign_ex()\fR return a pointer to an allocated +\&\fB\s-1ECDSA_SIG\s0\fR structure or \s-1NULL\s0 on error. +.PP +\&\fIECDSA_verify()\fR and \fIECDSA_do_verify()\fR return 1 for a valid +signature, 0 for an invalid signature and \-1 on error. +The error codes can be obtained by \fIERR_get_error\fR\|(3). +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Creating an \s-1ECDSA\s0 signature of a given \s-1SHA\-256\s0 hash value using the +named curve prime256v1 (aka P\-256). +.PP +First step: create an \s-1EC_KEY\s0 object (note: this part is \fBnot\fR \s-1ECDSA\s0 +specific) +.PP +.Vb 3 +\& int ret; +\& ECDSA_SIG *sig; +\& EC_KEY *eckey; +\& +\& eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); +\& if (eckey == NULL) +\& /* error */ +\& if (EC_KEY_generate_key(eckey) == 0) +\& /* error */ +.Ve +.PP +Second step: compute the \s-1ECDSA\s0 signature of a \s-1SHA\-256\s0 hash value +using \fIECDSA_do_sign()\fR: +.PP +.Vb 3 +\& sig = ECDSA_do_sign(digest, 32, eckey); +\& if (sig == NULL) +\& /* error */ +.Ve +.PP +or using \fIECDSA_sign()\fR: +.PP +.Vb 2 +\& unsigned char *buffer, *pp; +\& int buf_len; +\& +\& buf_len = ECDSA_size(eckey); +\& buffer = OPENSSL_malloc(buf_len); +\& pp = buffer; +\& if (ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey) == 0) +\& /* error */ +.Ve +.PP +Third step: verify the created \s-1ECDSA\s0 signature using \fIECDSA_do_verify()\fR: +.PP +.Vb 1 +\& ret = ECDSA_do_verify(digest, 32, sig, eckey); +.Ve +.PP +or using \fIECDSA_verify()\fR: +.PP +.Vb 1 +\& ret = ECDSA_verify(0, digest, 32, buffer, buf_len, eckey); +.Ve +.PP +and finally evaluate the return value: +.PP +.Vb 6 +\& if (ret == 1) +\& /* signature ok */ +\& else if (ret == 0) +\& /* incorrect signature */ +\& else +\& /* error */ +.Ve +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1ANSI X9.62, US\s0 Federal Information Processing Standard \s-1FIPS 186\-2\s0 +(Digital Signature Standard, \s-1DSS\s0) +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIDSA_new\fR\|(3), +\&\fIEVP_DigestSignInit\fR\|(3), +\&\fIEVP_DigestVerifyInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_current_cipher.3 b/secure/lib/libcrypto/man/ECPKParameters_print.3 similarity index 74% rename from secure/lib/libssl/man/SSL_get_current_cipher.3 rename to secure/lib/libcrypto/man/ECPKParameters_print.3 index 9646d25d9a85..8d117a063ed9 100644 --- a/secure/lib/libssl/man/SSL_get_current_cipher.3 +++ b/secure/lib/libcrypto/man/ECPKParameters_print.3 @@ -128,45 +128,44 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_current_cipher 3" -.TH SSL_get_current_cipher 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ECPKPARAMETERS_PRINT 3" +.TH ECPKPARAMETERS_PRINT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_get_current_cipher, SSL_get_cipher, SSL_get_cipher_name, -SSL_get_cipher_bits, SSL_get_cipher_version \- get SSL_CIPHER of a connection +ECPKParameters_print, ECPKParameters_print_fp \- Functions for decoding and encoding ASN1 representations of elliptic curve entities .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); -\& #define SSL_get_cipher(s) \e -\& SSL_CIPHER_get_name(SSL_get_current_cipher(s)) -\& #define SSL_get_cipher_name(s) \e -\& SSL_CIPHER_get_name(SSL_get_current_cipher(s)) -\& #define SSL_get_cipher_bits(s,np) \e -\& SSL_CIPHER_get_bits(SSL_get_current_cipher(s),np) -\& #define SSL_get_cipher_version(s) \e -\& SSL_CIPHER_get_version(SSL_get_current_cipher(s)) +\& int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off); +\& int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_get_current_cipher()\fR returns a pointer to an \s-1SSL_CIPHER\s0 object containing -the description of the actually used cipher of a connection established with -the \fBssl\fR object. +The ECPKParameters represent the public parameters for an +\&\fB\s-1EC_GROUP\s0\fR structure, which represents a curve. .PP -\&\fISSL_get_cipher()\fR and \fISSL_get_cipher_name()\fR are identical macros to obtain the -name of the currently used cipher. \fISSL_get_cipher_bits()\fR is a -macro to obtain the number of secret/algorithm bits used and -\&\fISSL_get_cipher_version()\fR returns the protocol name. -See \fISSL_CIPHER_get_name\fR\|(3) for more details. +The \fIECPKParameters_print()\fR and \fIECPKParameters_print_fp()\fR functions print +a human-readable output of the public parameters of the \s-1EC_GROUP\s0 to \fBbp\fR +or \fBfp\fR. The output lines are indented by \fBoff\fR spaces. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fISSL_get_current_cipher()\fR returns the cipher actually used or \s-1NULL,\s0 when -no session has been established. +\&\fIECPKParameters_print()\fR and \fIECPKParameters_print_fp()\fR +return 1 for success and 0 if an error occurs. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CIPHER_get_name\fR\|(3) +\&\fIcrypto\fR\|(7), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), +\&\fIEC_POINT_new\fR\|(3), \fIEC_POINT_add\fR\|(3), \fIEC_KEY_new\fR\|(3), +\&\fIEC_GFp_simple_method\fR\|(3), +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EC_GFp_simple_method.3 b/secure/lib/libcrypto/man/EC_GFp_simple_method.3 index ad85fa44cabb..026e99773418 100644 --- a/secure/lib/libcrypto/man/EC_GFp_simple_method.3 +++ b/secure/lib/libcrypto/man/EC_GFp_simple_method.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EC_GFp_simple_method 3" -.TH EC_GFp_simple_method 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EC_GFP_SIMPLE_METHOD 3" +.TH EC_GFP_SIMPLE_METHOD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method, EC_GFp_nistp224_method, EC_GFp_nistp256_method, EC_GFp_nistp521_method, EC_GF2m_simple_method, EC_METHOD_get_field_type \- Functions for obtaining EC_METHOD objects. +EC_GFp_simple_method, EC_GFp_mont_method, EC_GFp_nist_method, EC_GFp_nistp224_method, EC_GFp_nistp256_method, EC_GFp_nistp521_method, EC_GF2m_simple_method, EC_METHOD_get_field_type \- Functions for obtaining EC_METHOD objects .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -183,7 +183,15 @@ All EC_GFp* functions and EC_GF2m_simple_method always return a const pointer to EC_METHOD_get_field_type returns an integer that identifies the type of field the \s-1EC_METHOD\s0 structure supports. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIec\fR\|(3), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), +\&\fIcrypto\fR\|(7), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), \&\fIEC_POINT_new\fR\|(3), \fIEC_POINT_add\fR\|(3), \fIEC_KEY_new\fR\|(3), \&\fId2i_ECPKParameters\fR\|(3), \&\fIBN_mod_mul_montgomery\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EC_GROUP_copy.3 b/secure/lib/libcrypto/man/EC_GROUP_copy.3 index 6c0acaed965b..1db7af0c54e2 100644 --- a/secure/lib/libcrypto/man/EC_GROUP_copy.3 +++ b/secure/lib/libcrypto/man/EC_GROUP_copy.3 @@ -128,30 +128,33 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EC_GROUP_copy 3" -.TH EC_GROUP_copy 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EC_GROUP_COPY 3" +.TH EC_GROUP_COPY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EC_GROUP_copy, EC_GROUP_dup, EC_GROUP_method_of, EC_GROUP_set_generator, EC_GROUP_get0_generator, EC_GROUP_get_order, EC_GROUP_get_cofactor, EC_GROUP_set_curve_name, EC_GROUP_get_curve_name, EC_GROUP_set_asn1_flag, EC_GROUP_get_asn1_flag, EC_GROUP_set_point_conversion_form, EC_GROUP_get_point_conversion_form, EC_GROUP_get0_seed, EC_GROUP_get_seed_len, EC_GROUP_set_seed, EC_GROUP_get_degree, EC_GROUP_check, EC_GROUP_check_discriminant, EC_GROUP_cmp, EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis, EC_GROUP_get_pentanomial_basis \- Functions for manipulating EC_GROUP objects. +EC_GROUP_get0_order, EC_GROUP_order_bits, EC_GROUP_get0_cofactor, EC_GROUP_copy, EC_GROUP_dup, EC_GROUP_method_of, EC_GROUP_set_generator, EC_GROUP_get0_generator, EC_GROUP_get_order, EC_GROUP_get_cofactor, EC_GROUP_set_curve_name, EC_GROUP_get_curve_name, EC_GROUP_set_asn1_flag, EC_GROUP_get_asn1_flag, EC_GROUP_set_point_conversion_form, EC_GROUP_get_point_conversion_form, EC_GROUP_get0_seed, EC_GROUP_get_seed_len, EC_GROUP_set_seed, EC_GROUP_get_degree, EC_GROUP_check, EC_GROUP_check_discriminant, EC_GROUP_cmp, EC_GROUP_get_basis_type, EC_GROUP_get_trinomial_basis, EC_GROUP_get_pentanomial_basis \&\- Functions for manipulating EC_GROUP objects .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& \& int EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src); \& EC_GROUP *EC_GROUP_dup(const EC_GROUP *src); \& \& const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group); \& -\& int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor); +\& int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, +\& const BIGNUM *order, const BIGNUM *cofactor); \& const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group); \& \& int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx); +\& const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group); +\& int EC_GROUP_order_bits(const EC_GROUP *group); \& int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx); +\& const BIGNUM *EC_GROUP_get0_cofactor(const EC_GROUP *group); \& \& void EC_GROUP_set_curve_name(EC_GROUP *group, int nid); \& int EC_GROUP_get_curve_name(const EC_GROUP *group); @@ -176,8 +179,8 @@ EC_GROUP_copy, EC_GROUP_dup, EC_GROUP_method_of, EC_GROUP_set_generator, EC_GROU \& \& int EC_GROUP_get_basis_type(const EC_GROUP *); \& int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k); -\& int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, -\& unsigned int *k2, unsigned int *k3); +\& int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, +\& unsigned int *k2, unsigned int *k3); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -188,10 +191,10 @@ EC_GROUP_dup creates a new \s-1EC_GROUP\s0 object and copies the content from \f .PP EC_GROUP_method_of obtains the \s-1EC_METHOD\s0 of \fBgroup\fR. .PP -EC_GROUP_set_generator sets curve paramaters that must be agreed by all participants using the curve. These -paramaters include the \fBgenerator\fR, the \fBorder\fR and the \fBcofactor\fR. The \fBgenerator\fR is a well defined point on the +EC_GROUP_set_generator sets curve parameters that must be agreed by all participants using the curve. These +parameters include the \fBgenerator\fR, the \fBorder\fR and the \fBcofactor\fR. The \fBgenerator\fR is a well defined point on the curve chosen for cryptographic operations. Integers used for point multiplications will be between 0 and -n\-1 where n is the \fBorder\fR. The \fBorder\fR multipied by the \fBcofactor\fR gives the number of points on the curve. +n\-1 where n is the \fBorder\fR. The \fBorder\fR multiplied by the \fBcofactor\fR gives the number of points on the curve. .PP EC_GROUP_get0_generator returns the generator for the identified \fBgroup\fR. .PP @@ -202,20 +205,28 @@ The functions EC_GROUP_set_curve_name and EC_GROUP_get_curve_name, set and get t (see \fIEC_GROUP_new\fR\|(3)). If a curve does not have a \s-1NID\s0 associated with it, then EC_GROUP_get_curve_name will return 0. .PP -The asn1_flag value on a curve is used to determine whether there is a specific \s-1ASN1 OID\s0 to describe the curve or not. -If the asn1_flag is 1 then this is a named curve with an associated \s-1ASN1 OID.\s0 If not then asn1_flag is 0. The functions -EC_GROUP_get_asn1_flag and EC_GROUP_set_asn1_flag get and set the status of the asn1_flag for the curve. If set then -the curve_name must also be set. +The asn1_flag value is used to determine whether the curve encoding uses +explicit parameters or a named curve using an \s-1ASN1 OID:\s0 many applications only +support the latter form. If asn1_flag is \fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR then the +named curve form is used and the parameters must have a corresponding +named curve \s-1NID\s0 set. If asn1_flags is \fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR the +parameters are explicitly encoded. The functions EC_GROUP_get_asn1_flag and +EC_GROUP_set_asn1_flag get and set the status of the asn1_flag for the curve. +Note: \fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR was first added to OpenSSL 1.1.0, for +previous versions of OpenSSL the value 0 must be used instead. Before OpenSSL +1.1.0 the default form was to use explicit parameters (meaning that +applications would have to explicitly set the named curve form) in OpenSSL +1.1.0 and later the named curve form is the default. .PP -The point_coversion_form for a curve controls how \s-1EC_POINT\s0 data is encoded as \s-1ASN1\s0 as defined in X9.62 (\s-1ECDSA\s0). +The point_conversion_form for a curve controls how \s-1EC_POINT\s0 data is encoded as \s-1ASN1\s0 as defined in X9.62 (\s-1ECDSA\s0). point_conversion_form_t is an enum defined as follows: .PP .Vb 10 \& typedef enum { -\& /** the point is encoded as z||x, where the octet z specifies +\& /** the point is encoded as z||x, where the octet z specifies \& * which solution of the quadratic equation y is */ \& POINT_CONVERSION_COMPRESSED = 2, -\& /** the point is encoded as z||x||y, where z is the octet 0x02 */ +\& /** the point is encoded as z||x||y, where z is the octet 0x04 */ \& POINT_CONVERSION_UNCOMPRESSED = 4, \& /** the point is encoded as z||x||y, where the octet z specifies \& * which solution of the quadratic equation y is */ @@ -269,7 +280,7 @@ or a pentanomial of the form: f(x) = x^m + x^k3 + x^k2 + x^k1 + 1 with m > k3 > k2 > k1 >= 1 .PP The function EC_GROUP_get_basis_type returns a \s-1NID\s0 identifying whether a trinomial or pentanomial is in use for the field. The -function EC_GROUP_get_trinomial_basis must only be called where f(x) is of the trinomial form, and returns the value of \fBk\fR. Similary +function EC_GROUP_get_trinomial_basis must only be called where f(x) is of the trinomial form, and returns the value of \fBk\fR. Similarly the function EC_GROUP_get_pentanomial_basis must only be called where f(x) is of the pentanomial form, and returns the values of \fBk1\fR, \&\fBk2\fR and \fBk3\fR respectively. .SH "RETURN VALUES" @@ -287,6 +298,10 @@ EC_GROUP_get_order, EC_GROUP_get_cofactor, EC_GROUP_get_curve_name, EC_GROUP_get and EC_GROUP_get_degree return the order, cofactor, curve name (\s-1NID\s0), \s-1ASN1\s0 flag, point_conversion_form and degree for the specified curve respectively. If there is no curve name associated with a curve then EC_GROUP_get_curve_name will return 0. .PP +\&\fIEC_GROUP_get0_order()\fR returns an internal pointer to the group order. +\&\fIEC_GROUP_get_order_bits()\fR returns the number of bits in the group order. +\&\fIEC_GROUP_get0_cofactor()\fR returns an internal pointer to the group cofactor. +.PP EC_GROUP_get0_seed returns a pointer to the seed that was used to generate the parameter b, or \s-1NULL\s0 if the seed is not specified. EC_GROUP_get_seed_len returns the length of the seed or 0 if the seed is not specified. .PP @@ -299,6 +314,14 @@ EC_GROUP_get_basis_type returns the values NID_X9_62_tpBasis or NID_X9_62_ppBasi trinomial or pentanomial respectively. Alternatively in the event of an error a 0 is returned. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIec\fR\|(3), \fIEC_GROUP_new\fR\|(3), +\&\fIcrypto\fR\|(7), \fIEC_GROUP_new\fR\|(3), \&\fIEC_POINT_new\fR\|(3), \fIEC_POINT_add\fR\|(3), \fIEC_KEY_new\fR\|(3), \&\fIEC_GFp_simple_method\fR\|(3), \fId2i_ECPKParameters\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EC_GROUP_new.3 b/secure/lib/libcrypto/man/EC_GROUP_new.3 index 829a654e0738..2194aecb3105 100644 --- a/secure/lib/libcrypto/man/EC_GROUP_new.3 +++ b/secure/lib/libcrypto/man/EC_GROUP_new.3 @@ -128,32 +128,46 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EC_GROUP_new 3" -.TH EC_GROUP_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EC_GROUP_NEW 3" +.TH EC_GROUP_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_new_curve_GFp, EC_GROUP_new_curve_GF2m, EC_GROUP_new_by_curve_name, EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m, EC_get_builtin_curves \- Functions for creating and destroying EC_GROUP objects. +EC_GROUP_get_ecparameters, EC_GROUP_get_ecpkparameters, EC_GROUP_new, EC_GROUP_new_from_ecparameters, EC_GROUP_new_from_ecpkparameters, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_new_curve_GFp, EC_GROUP_new_curve_GF2m, EC_GROUP_new_by_curve_name, EC_GROUP_set_curve, EC_GROUP_get_curve, EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m, EC_get_builtin_curves \- Functions for creating and destroying EC_GROUP objects .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& \& EC_GROUP *EC_GROUP_new(const EC_METHOD *meth); +\& EC_GROUP *EC_GROUP_new_from_ecparameters(const ECPARAMETERS *params) +\& EC_GROUP *EC_GROUP_new_from_ecpkparameters(const ECPKPARAMETERS *params) \& void EC_GROUP_free(EC_GROUP *group); \& void EC_GROUP_clear_free(EC_GROUP *group); \& -\& EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -\& EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); +\& EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, +\& const BIGNUM *b, BN_CTX *ctx); +\& EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, +\& const BIGNUM *b, BN_CTX *ctx); \& EC_GROUP *EC_GROUP_new_by_curve_name(int nid); \& -\& int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -\& int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); -\& int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -\& int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); +\& int EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, +\& const BIGNUM *b, BN_CTX *ctx); +\& int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, +\& BN_CTX *ctx); +\& int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, +\& const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); +\& int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, +\& BIGNUM *a, BIGNUM *b, BN_CTX *ctx); +\& int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, +\& const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); +\& int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, +\& BIGNUM *a, BIGNUM *b, BN_CTX *ctx); +\& +\& ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group, ECPARAMETERS *params) +\& ECPKPARAMETERS *EC_GROUP_get_ecpkparameters(const EC_GROUP *group, ECPKPARAMETERS *params) \& \& size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems); .Ve @@ -174,19 +188,26 @@ Operations in a binary field are performed relative to an \fBirreducible polynom use a trinomial or a pentanomial for this parameter. .PP A new curve can be constructed by calling EC_GROUP_new, using the implementation provided by \fBmeth\fR (see -\&\fIEC_GFp_simple_method\fR\|(3)). It is then necessary to call either EC_GROUP_set_curve_GFp or -EC_GROUP_set_curve_GF2m as appropriate to create a curve defined over Fp or over F2^m respectively. +\&\fIEC_GFp_simple_method\fR\|(3)). It is then necessary to call \fIEC_GROUP_set_curve()\fR to set the curve parameters. +\&\fIEC_GROUP_new_from_ecparameters()\fR will create a group from the +specified \fBparams\fR and +\&\fIEC_GROUP_new_from_ecpkparameters()\fR will create a group from the specific \s-1PK\s0 \fBparams\fR. .PP -EC_GROUP_set_curve_GFp sets the curve parameters \fBp\fR, \fBa\fR and \fBb\fR for a curve over Fp stored in \fBgroup\fR. -EC_group_get_curve_GFp obtains the previously set curve parameters. +\&\fIEC_GROUP_set_curve()\fR sets the curve parameters \fBp\fR, \fBa\fR and \fBb\fR. For a curve over Fp \fBb\fR +is the prime for the field. For a curve over F2^m \fBp\fR represents the irreducible polynomial \- each bit +represents a term in the polynomial. Therefore there will either be three or five bits set dependent on whether +the polynomial is a trinomial or a pentanomial. .PP -EC_GROUP_set_curve_GF2m sets the equivalent curve parameters for a curve over F2^m. In this case \fBp\fR represents -the irreducible polybnomial \- each bit represents a term in the polynomial. Therefore there will either be three -or five bits set dependant on whether the polynomial is a trinomial or a pentanomial. -EC_group_get_curve_GF2m obtains the previously set curve parameters. +\&\fIEC_group_get_curve()\fR obtains the previously set curve parameters. .PP -The functions EC_GROUP_new_curve_GFp and EC_GROUP_new_curve_GF2m are shortcuts for calling EC_GROUP_new and the -appropriate EC_group_set_curve function. An appropriate default implementation method will be used. +\&\fIEC_GROUP_set_curve_GFp()\fR and \fIEC_GROUP_set_curve_GF2m()\fR are synonyms for \fIEC_GROUP_set_curve()\fR. They are defined for +backwards compatibility only and should not be used. +.PP +\&\fIEC_GROUP_get_curve_GFp()\fR and \fIEC_GROUP_get_curve_GF2m()\fR are synonyms for \fIEC_GROUP_get_curve()\fR. They are defined for +backwards compatibility only and should not be used. +.PP +The functions EC_GROUP_new_curve_GFp and EC_GROUP_new_curve_GF2m are shortcuts for calling EC_GROUP_new and then the +EC_GROUP_set_curve function. An appropriate default implementation method will be used. .PP Whilst the library can be used to create any curve using the functions described above, there are also a number of predefined curves that are available. In order to obtain a list of all of the predefined curves, call the function @@ -198,7 +219,7 @@ not). Passing a \s-1NULL\s0 \fBr\fR, or setting \fBnitems\fR to 0 will do nothin The EC_builtin_curve structure is defined as follows: .PP .Vb 4 -\& typedef struct { +\& typedef struct { \& int nid; \& const char *comment; \& } EC_builtin_curve; @@ -210,8 +231,10 @@ In order to construct a builtin curve use the function EC_GROUP_new_by_curve_nam be constructed. .PP EC_GROUP_free frees the memory associated with the \s-1EC_GROUP.\s0 +If \fBgroup\fR is \s-1NULL\s0 nothing is done. .PP EC_GROUP_clear_free destroys any sensitive data held within the \s-1EC_GROUP\s0 and then frees its memory. +If \fBgroup\fR is \s-1NULL\s0 nothing is done. .SH "RETURN VALUES" .IX Header "RETURN VALUES" All EC_GROUP_new* functions return a pointer to the newly constructed group, or \s-1NULL\s0 on error. @@ -221,6 +244,14 @@ EC_get_builtin_curves returns the number of builtin curves that are available. EC_GROUP_set_curve_GFp, EC_GROUP_get_curve_GFp, EC_GROUP_set_curve_GF2m, EC_GROUP_get_curve_GF2m return 1 on success or 0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIec\fR\|(3), \fIEC_GROUP_copy\fR\|(3), +\&\fIcrypto\fR\|(7), \fIEC_GROUP_copy\fR\|(3), \&\fIEC_POINT_new\fR\|(3), \fIEC_POINT_add\fR\|(3), \fIEC_KEY_new\fR\|(3), \&\fIEC_GFp_simple_method\fR\|(3), \fId2i_ECPKParameters\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_ECPrivateKey.3 b/secure/lib/libcrypto/man/EC_KEY_get_enc_flags.3 similarity index 77% rename from secure/lib/libcrypto/man/d2i_ECPrivateKey.3 rename to secure/lib/libcrypto/man/EC_KEY_get_enc_flags.3 index 2e4fe5a1afa8..3ad6fca1932b 100644 --- a/secure/lib/libcrypto/man/d2i_ECPrivateKey.3 +++ b/secure/lib/libcrypto/man/EC_KEY_get_enc_flags.3 @@ -128,69 +128,59 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_ECPrivateKey 3" -.TH d2i_ECPrivateKey 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EC_KEY_GET_ENC_FLAGS 3" +.TH EC_KEY_GET_ENC_FLAGS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -i2d_ECPrivateKey, d2i_ECPrivate_key \- Encode and decode functions for saving and -reading EC_KEY structures +EC_KEY_get_enc_flags, EC_KEY_set_enc_flags \&\- Get and set flags for encoding EC_KEY structures .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& EC_KEY *d2i_ECPrivateKey(EC_KEY **key, const unsigned char **in, long len); -\& int i2d_ECPrivateKey(EC_KEY *key, unsigned char **out); -\& \& unsigned int EC_KEY_get_enc_flags(const EC_KEY *key); \& void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The ECPrivateKey encode and decode routines encode and parse an -\&\fB\s-1EC_KEY\s0\fR structure into a binary format (\s-1ASN.1 DER\s0) and back again. -.PP -These functions are similar to the \fId2i_X509()\fR functions, and you should refer to -that page for a detailed description (see \fId2i_X509\fR\|(3)). -.PP The format of the external representation of the public key written by -i2d_ECPrivateKey (such as whether it is stored in a compressed form or not) is +\&\fIi2d_ECPrivateKey()\fR (such as whether it is stored in a compressed form or not) is described by the point_conversion_form. See \fIEC_GROUP_copy\fR\|(3) for a description of point_conversion_form. .PP When reading a private key encoded without an associated public key (e.g. if -\&\s-1EC_PKEY_NO_PUBKEY\s0 has been used \- see below), then d2i_ECPrivateKey generates +\&\s-1EC_PKEY_NO_PUBKEY\s0 has been used \- see below), then \fId2i_ECPrivateKey()\fR generates the missing public key automatically. Private keys encoded without parameters (e.g. if \s-1EC_PKEY_NO_PARAMETERS\s0 has been used \- see below) cannot be loaded using -d2i_ECPrivateKey. +\&\fId2i_ECPrivateKey()\fR. .PP -The functions EC_KEY_get_enc_flags and EC_KEY_set_enc_flags get and set the +The functions \fIEC_KEY_get_enc_flags()\fR and \fIEC_KEY_set_enc_flags()\fR get and set the value of the encoding flags for the \fBkey\fR. There are two encoding flags currently defined \- \s-1EC_PKEY_NO_PARAMETERS\s0 and \s-1EC_PKEY_NO_PUBKEY.\s0 These flags define the behaviour of how the \fBkey\fR is converted into \s-1ASN1\s0 in a call to -i2d_ECPrivateKey. If \s-1EC_PKEY_NO_PARAMETERS\s0 is set then the public parameters for +\&\fIi2d_ECPrivateKey()\fR. If \s-1EC_PKEY_NO_PARAMETERS\s0 is set then the public parameters for the curve are not encoded along with the private key. If \s-1EC_PKEY_NO_PUBKEY\s0 is set then the public key is not encoded along with the private key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fId2i_ECPrivateKey()\fR returns a valid \fB\s-1EC_KEY\s0\fR structure or \fB\s-1NULL\s0\fR if an error -occurs. The error code that can be obtained by -\&\fIERR_get_error\fR\|(3). -.PP -\&\fIi2d_ECPrivateKey()\fR returns the number of bytes successfully encoded or a -negative value if an error occurs. The error code can be obtained by -\&\fIERR_get_error\fR\|(3). -.PP -EC_KEY_get_enc_flags returns the value of the current encoding flags for the +\&\fIEC_KEY_get_enc_flags()\fR returns the value of the current encoding flags for the \&\s-1EC_KEY.\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIec\fR\|(3), \fIEC_GROUP_new\fR\|(3), +\&\fIcrypto\fR\|(7), \fIEC_GROUP_new\fR\|(3), \&\fIEC_GROUP_copy\fR\|(3), \fIEC_POINT_new\fR\|(3), \&\fIEC_POINT_add\fR\|(3), \&\fIEC_GFp_simple_method\fR\|(3), \&\fId2i_ECPKParameters\fR\|(3), \&\fId2i_ECPrivateKey\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EC_KEY_new.3 b/secure/lib/libcrypto/man/EC_KEY_new.3 index 57b633882c5d..f29cb4da5b4f 100644 --- a/secure/lib/libcrypto/man/EC_KEY_new.3 +++ b/secure/lib/libcrypto/man/EC_KEY_new.3 @@ -128,19 +128,18 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EC_KEY_new 3" -.TH EC_KEY_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EC_KEY_NEW 3" +.TH EC_KEY_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags, EC_KEY_new_by_curve_name, EC_KEY_free, EC_KEY_copy, EC_KEY_dup, EC_KEY_up_ref, EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key, EC_KEY_get_enc_flags, EC_KEY_set_enc_flags, EC_KEY_get_conv_form, EC_KEY_set_conv_form, EC_KEY_get_key_method_data, EC_KEY_insert_key_method_data, EC_KEY_set_asn1_flag, EC_KEY_precompute_mult, EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_set_public_key_affine_coordinates \- Functions for creating, destroying and manipulating EC_KEY objects. +EC_KEY_get_method, EC_KEY_set_method, EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags, EC_KEY_new_by_curve_name, EC_KEY_free, EC_KEY_copy, EC_KEY_dup, EC_KEY_up_ref, EC_KEY_get0_engine, EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key, EC_KEY_get_conv_form, EC_KEY_set_conv_form, EC_KEY_set_asn1_flag, EC_KEY_precompute_mult, EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_set_public_key_affine_coordinates, EC_KEY_oct2key, EC_KEY_key2buf, EC_KEY_oct2priv, EC_KEY_priv2oct, EC_KEY_priv2buf \- Functions for creating, destroying and manipulating EC_KEY objects .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& \& EC_KEY *EC_KEY_new(void); \& int EC_KEY_get_flags(const EC_KEY *key); @@ -151,6 +150,7 @@ EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags, EC_KEY_new_b \& EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src); \& EC_KEY *EC_KEY_dup(const EC_KEY *src); \& int EC_KEY_up_ref(EC_KEY *key); +\& ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey); \& const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key); \& int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group); \& const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key); @@ -159,77 +159,147 @@ EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags, EC_KEY_clear_flags, EC_KEY_new_b \& int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); \& point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); \& void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform); -\& void *EC_KEY_get_key_method_data(EC_KEY *key, -\& void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -\& void EC_KEY_insert_key_method_data(EC_KEY *key, void *data, -\& void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); \& void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag); \& int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx); \& int EC_KEY_generate_key(EC_KEY *key); \& int EC_KEY_check_key(const EC_KEY *key); \& int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y); +\& const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key); +\& int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth); +\& +\& int EC_KEY_oct2key(EC_KEY *eckey, const unsigned char *buf, size_t len, BN_CTX *ctx); +\& size_t EC_KEY_key2buf(const EC_KEY *eckey, point_conversion_form_t form, +\& unsigned char **pbuf, BN_CTX *ctx); +\& +\& int EC_KEY_oct2priv(EC_KEY *eckey, const unsigned char *buf, size_t len); +\& size_t EC_KEY_priv2oct(const EC_KEY *eckey, unsigned char *buf, size_t len); +\& +\& size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -An \s-1EC_KEY\s0 represents a public key and (optionaly) an associated private key. A new \s-1EC_KEY\s0 (with no associated curve) can be constructed by calling EC_KEY_new. -The reference count for the newly created \s-1EC_KEY\s0 is initially set to 1. A curve can be associated with the \s-1EC_KEY\s0 by calling -EC_KEY_set_group. +An \s-1EC_KEY\s0 represents a public key and, optionally, the associated private +key. A new \s-1EC_KEY\s0 with no associated curve can be constructed by calling +\&\fIEC_KEY_new()\fR. The reference count for the newly created \s-1EC_KEY\s0 is initially +set to 1. A curve can be associated with the \s-1EC_KEY\s0 by calling +\&\fIEC_KEY_set_group()\fR. .PP -Alternatively a new \s-1EC_KEY\s0 can be constructed by calling EC_KEY_new_by_curve_name and supplying the nid of the associated curve. Refer to \fIEC_GROUP_new\fR\|(3) for a description of curve names. This function simply wraps calls to EC_KEY_new and -EC_GROUP_new_by_curve_name. +Alternatively a new \s-1EC_KEY\s0 can be constructed by calling +\&\fIEC_KEY_new_by_curve_name()\fR and supplying the nid of the associated curve. See +\&\fIEC_GROUP_new\fR\|(3) for a description of curve names. This function simply +wraps calls to \fIEC_KEY_new()\fR and \fIEC_GROUP_new_by_curve_name()\fR. .PP -Calling EC_KEY_free decrements the reference count for the \s-1EC_KEY\s0 object, and if it has dropped to zero then frees the memory associated -with it. +Calling \fIEC_KEY_free()\fR decrements the reference count for the \s-1EC_KEY\s0 object, +and if it has dropped to zero then frees the memory associated with it. If +\&\fBkey\fR is \s-1NULL\s0 nothing is done. .PP -EC_KEY_copy copies the contents of the \s-1EC_KEY\s0 in \fBsrc\fR into \fBdest\fR. +\&\fIEC_KEY_copy()\fR copies the contents of the \s-1EC_KEY\s0 in \fBsrc\fR into \fBdest\fR. .PP -EC_KEY_dup creates a new \s-1EC_KEY\s0 object and copies \fBec_key\fR into it. +\&\fIEC_KEY_dup()\fR creates a new \s-1EC_KEY\s0 object and copies \fBec_key\fR into it. .PP -EC_KEY_up_ref increments the reference count associated with the \s-1EC_KEY\s0 object. +\&\fIEC_KEY_up_ref()\fR increments the reference count associated with the \s-1EC_KEY\s0 +object. .PP -EC_KEY_generate_key generates a new public and private key for the supplied \fBeckey\fR object. \fBeckey\fR must have an \s-1EC_GROUP\s0 object -associated with it before calling this function. The private key is a random integer (0 < priv_key < order, where order is the order -of the \s-1EC_GROUP\s0 object). The public key is an \s-1EC_POINT\s0 on the curve calculated by multiplying the generator for the curve by the -private key. +\&\fIEC_KEY_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for +this \s-1EC_KEY\s0 object. .PP -EC_KEY_check_key performs various sanity checks on the \s-1EC_KEY\s0 object to confirm that it is valid. +\&\fIEC_KEY_generate_key()\fR generates a new public and private key for the supplied +\&\fBeckey\fR object. \fBeckey\fR must have an \s-1EC_GROUP\s0 object associated with it +before calling this function. The private key is a random integer (0 < priv_key +< order, where \fIorder\fR is the order of the \s-1EC_GROUP\s0 object). The public key is +an \s-1EC_POINT\s0 on the curve calculated by multiplying the generator for the +curve by the private key. .PP -EC_KEY_set_public_key_affine_coordinates sets the public key for \fBkey\fR based on its affine co-ordinates, i.e. it constructs an \s-1EC_POINT\s0 -object based on the supplied \fBx\fR and \fBy\fR values and sets the public key to be this \s-1EC_POINT.\s0 It will also performs certain sanity checks -on the key to confirm that it is valid. +\&\fIEC_KEY_check_key()\fR performs various sanity checks on the \s-1EC_KEY\s0 object to +confirm that it is valid. .PP -The functions EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key, EC_KEY_set_private_key, EC_KEY_get0_public_key, and EC_KEY_set_public_key get and set the \s-1EC_GROUP\s0 object, the private key and the \s-1EC_POINT\s0 public key for the \fBkey\fR respectively. +\&\fIEC_KEY_set_public_key_affine_coordinates()\fR sets the public key for \fBkey\fR based +on its affine co-ordinates; i.e., it constructs an \s-1EC_POINT\s0 object based on +the supplied \fBx\fR and \fBy\fR values and sets the public key to be this +\&\s-1EC_POINT.\s0 It also performs certain sanity checks on the key to confirm +that it is valid. .PP -The functions EC_KEY_get_conv_form and EC_KEY_set_conv_form get and set the point_conversion_form for the \fBkey\fR. For a description -of point_conversion_forms please refer to \fIEC_POINT_new\fR\|(3). +The functions \fIEC_KEY_get0_group()\fR, \fIEC_KEY_set_group()\fR, +\&\fIEC_KEY_get0_private_key()\fR, \fIEC_KEY_set_private_key()\fR, \fIEC_KEY_get0_public_key()\fR, +and \fIEC_KEY_set_public_key()\fR get and set the \s-1EC_GROUP\s0 object, the private key, +and the \s-1EC_POINT\s0 public key for the \fBkey\fR respectively. .PP -EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the caller to associate arbitrary additional data specific to the -elliptic curve scheme being used with the \s-1EC_KEY\s0 object. This data is treated as a \*(L"black box\*(R" by the ec library. The data to be stored by EC_KEY_insert_key_method_data is provided in the \fBdata\fR parameter, which must have associated functions for duplicating, freeing and \*(L"clear_freeing\*(R" the data item. If a subsequent EC_KEY_get_key_method_data call is issued, the functions for duplicating, freeing and \*(L"clear_freeing\*(R" the data item must be provided again, and they must be the same as they were when the data item was inserted. +The functions \fIEC_KEY_get_conv_form()\fR and \fIEC_KEY_set_conv_form()\fR get and set the +point_conversion_form for the \fBkey\fR. For a description of +point_conversion_forms please see \fIEC_POINT_new\fR\|(3). .PP -EC_KEY_set_flags sets the flags in the \fBflags\fR parameter on the \s-1EC_KEY\s0 object. Any flags that are already set are left set. The currently defined standard flags are \s-1EC_FLAG_NON_FIPS_ALLOW\s0 and \s-1EC_FLAG_FIPS_CHECKED.\s0 In addition there is the flag \s-1EC_FLAG_COFACTOR_ECDH\s0 which is specific to \s-1ECDH\s0 and is defined in ecdh.h. EC_KEY_get_flags returns the current flags that are set for this \s-1EC_KEY.\s0 EC_KEY_clear_flags clears the flags indicated by the \fBflags\fR parameter. All other flags are left in their existing state. +\&\fIEC_KEY_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1EC_KEY\s0 +object. Any flags that are already set are left set. The flags currently +defined are \s-1EC_FLAG_NON_FIPS_ALLOW\s0 and \s-1EC_FLAG_FIPS_CHECKED.\s0 In +addition there is the flag \s-1EC_FLAG_COFACTOR_ECDH\s0 which is specific to \s-1ECDH.\s0 +\&\fIEC_KEY_get_flags()\fR returns the current flags that are set for this \s-1EC_KEY.\s0 +\&\fIEC_KEY_clear_flags()\fR clears the flags indicated by the \fBflags\fR parameter; all +other flags are left in their existing state. .PP -EC_KEY_set_asn1_flag sets the asn1_flag on the underlying \s-1EC_GROUP\s0 object (if set). Refer to \fIEC_GROUP_copy\fR\|(3) for further information on the asn1_flag. +\&\fIEC_KEY_set_asn1_flag()\fR sets the asn1_flag on the underlying \s-1EC_GROUP\s0 object +(if set). Refer to \fIEC_GROUP_copy\fR\|(3) for further information on the +asn1_flag. .PP -EC_KEY_precompute_mult stores multiples of the underlying \s-1EC_GROUP\s0 generator for faster point multiplication. See also \fIEC_POINT_add\fR\|(3). +\&\fIEC_KEY_precompute_mult()\fR stores multiples of the underlying \s-1EC_GROUP\s0 generator +for faster point multiplication. See also \fIEC_POINT_add\fR\|(3). +.PP +\&\fIEC_KEY_oct2key()\fR and \fIEC_KEY_key2buf()\fR are identical to the functions +\&\fIEC_POINT_oct2point()\fR and \fIEC_KEY_point2buf()\fR except they use the public key +\&\s-1EC_POINT\s0 in \fBeckey\fR. +.PP +\&\fIEC_KEY_oct2priv()\fR and \fIEC_KEY_priv2oct()\fR convert between the private key +component of \fBeckey\fR and octet form. The octet form consists of the content +octets of the \fBprivateKey\fR \s-1OCTET STRING\s0 in an \fBECPrivateKey\fR \s-1ASN.1\s0 structure. +.PP +The function \fIEC_KEY_priv2oct()\fR must be supplied with a buffer long enough to +store the octet form. The return value provides the number of octets stored. +Calling the function with a \s-1NULL\s0 buffer will not perform the conversion but +will just return the required buffer length. +.PP +The function \fIEC_KEY_priv2buf()\fR allocates a buffer of suitable length and writes +an \s-1EC_KEY\s0 to it in octet format. The allocated buffer is written to \fB*pbuf\fR +and its length is returned. The caller must free up the allocated buffer with a +call to \fIOPENSSL_free()\fR. Since the allocated buffer value is written to \fB*pbuf\fR +the \fBpbuf\fR parameter \fB\s-1MUST NOT\s0\fR be \fB\s-1NULL\s0\fR. +.PP +\&\fIEC_KEY_priv2buf()\fR converts an \s-1EC_KEY\s0 private key into an allocated buffer. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -EC_KEY_new, EC_KEY_new_by_curve_name and EC_KEY_dup return a pointer to the newly created \s-1EC_KEY\s0 object, or \s-1NULL\s0 on error. +\&\fIEC_KEY_new()\fR, \fIEC_KEY_new_by_curve_name()\fR and \fIEC_KEY_dup()\fR return a pointer to +the newly created \s-1EC_KEY\s0 object, or \s-1NULL\s0 on error. .PP -EC_KEY_get_flags returns the flags associated with the \s-1EC_KEY\s0 object as an integer. +\&\fIEC_KEY_get_flags()\fR returns the flags associated with the \s-1EC_KEY\s0 object as an +integer. .PP -EC_KEY_copy returns a pointer to the destination key, or \s-1NULL\s0 on error. +\&\fIEC_KEY_copy()\fR returns a pointer to the destination key, or \s-1NULL\s0 on error. .PP -EC_KEY_up_ref, EC_KEY_set_group, EC_KEY_set_private_key, EC_KEY_set_public_key, EC_KEY_precompute_mult, EC_KEY_generate_key, EC_KEY_check_key and EC_KEY_set_public_key_affine_coordinates return 1 on success or 0 on error. +\&\fIEC_KEY_get0_engine()\fR returns a pointer to an \s-1ENGINE,\s0 or \s-1NULL\s0 if it wasn't set. .PP -EC_KEY_get0_group returns the \s-1EC_GROUP\s0 associated with the \s-1EC_KEY.\s0 +\&\fIEC_KEY_up_ref()\fR, \fIEC_KEY_set_group()\fR, \fIEC_KEY_set_private_key()\fR, +\&\fIEC_KEY_set_public_key()\fR, \fIEC_KEY_precompute_mult()\fR, \fIEC_KEY_generate_key()\fR, +\&\fIEC_KEY_check_key()\fR, \fIEC_KEY_set_public_key_affine_coordinates()\fR, +\&\fIEC_KEY_oct2key()\fR and \fIEC_KEY_oct2priv()\fR return 1 on success or 0 on error. .PP -EC_KEY_get0_private_key returns the private key associated with the \s-1EC_KEY.\s0 +\&\fIEC_KEY_get0_group()\fR returns the \s-1EC_GROUP\s0 associated with the \s-1EC_KEY.\s0 .PP -EC_KEY_get_conv_form return the point_conversion_form for the \s-1EC_KEY.\s0 +\&\fIEC_KEY_get0_private_key()\fR returns the private key associated with the \s-1EC_KEY.\s0 +.PP +\&\fIEC_KEY_get_conv_form()\fR return the point_conversion_form for the \s-1EC_KEY.\s0 +.PP +\&\fIEC_KEY_key2buf()\fR, \fIEC_KEY_priv2oct()\fR and \fIEC_KEY_priv2buf()\fR return the length +of the buffer or 0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIec\fR\|(3), \fIEC_GROUP_new\fR\|(3), +\&\fIcrypto\fR\|(7), \fIEC_GROUP_new\fR\|(3), \&\fIEC_GROUP_copy\fR\|(3), \fIEC_POINT_new\fR\|(3), \&\fIEC_POINT_add\fR\|(3), \&\fIEC_GFp_simple_method\fR\|(3), \&\fId2i_ECPKParameters\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EC_POINT_add.3 b/secure/lib/libcrypto/man/EC_POINT_add.3 index 55f1eaa08cce..4f2217de44f3 100644 --- a/secure/lib/libcrypto/man/EC_POINT_add.3 +++ b/secure/lib/libcrypto/man/EC_POINT_add.3 @@ -128,30 +128,33 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EC_POINT_add 3" -.TH EC_POINT_add 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EC_POINT_ADD 3" +.TH EC_POINT_ADD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp, EC_POINT_make_affine, EC_POINTs_make_affine, EC_POINTs_mul, EC_POINT_mul, EC_GROUP_precompute_mult, EC_GROUP_have_precompute_mult \- Functions for performing mathematical operations and tests on EC_POINT objects. +EC_POINT_add, EC_POINT_dbl, EC_POINT_invert, EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp, EC_POINT_make_affine, EC_POINTs_make_affine, EC_POINTs_mul, EC_POINT_mul, EC_GROUP_precompute_mult, EC_GROUP_have_precompute_mult \- Functions for performing mathematical operations and tests on EC_POINT objects .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& -\& int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); +\& int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, +\& const EC_POINT *b, BN_CTX *ctx); \& int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx); \& int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx); \& int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *p); \& int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx); \& int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); \& int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx); -\& int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx); -\& int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, size_t num, const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx); -\& int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx); +\& int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, +\& EC_POINT *points[], BN_CTX *ctx); +\& int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, size_t num, +\& const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx); +\& int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, +\& const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx); \& int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx); \& int EC_GROUP_have_precompute_mult(const EC_GROUP *group); .Ve @@ -172,10 +175,12 @@ The functions EC_POINT_make_affine and EC_POINTs_make_affine force the internal co-ordinate system. In the case of EC_POINTs_make_affine the value \fBnum\fR provides the number of points in the array \fBpoints\fR to be forced. .PP -EC_POINT_mul calculates the value generator * \fBn\fR + \fBq\fR * \fBm\fR and stores the result in \fBr\fR. The value \fBn\fR may be \s-1NULL\s0 in which case the result is just \fBq\fR * \fBm\fR. +EC_POINT_mul is a convenient interface to EC_POINTs_mul: it calculates the value generator * \fBn\fR + \fBq\fR * \fBm\fR and stores the result in \fBr\fR. +The value \fBn\fR may be \s-1NULL\s0 in which case the result is just \fBq\fR * \fBm\fR (variable point multiplication). Alternatively, both \fBq\fR and \fBm\fR may be \s-1NULL,\s0 and \fBn\fR non-NULL, in which case the result is just generator * \fBn\fR (fixed point multiplication). +When performing a single fixed or variable point multiplication, the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm\fR) is in the range [0, ec_group_order). .PP -EC_POINTs_mul calculates the value generator * \fBn\fR + \fBq[0]\fR * \fBm[0]\fR + ... + \fBq[num\-1]\fR * \fBm[num\-1]\fR. As for EC_POINT_mul the value -\&\fBn\fR may be \s-1NULL.\s0 +EC_POINTs_mul calculates the value generator * \fBn\fR + \fBq[0]\fR * \fBm[0]\fR + ... + \fBq[num\-1]\fR * \fBm[num\-1]\fR. As for EC_POINT_mul the value \fBn\fR may be \s-1NULL\s0 or \fBnum\fR may be zero. +When performing a fixed point multiplication (\fBn\fR is non-NULL and \fBnum\fR is 0) or a variable point multiplication (\fBn\fR is \s-1NULL\s0 and \fBnum\fR is 1), the underlying implementation uses a constant time algorithm, when the input scalar (either \fBn\fR or \fBm[0]\fR) is in the range [0, ec_group_order). .PP The function EC_GROUP_precompute_mult stores multiples of the generator for faster point multiplication, whilst EC_GROUP_have_precompute_mult tests whether precomputation has already been done. See \fIEC_GROUP_copy\fR\|(3) for information @@ -194,6 +199,14 @@ EC_POINT_cmp returns 1 if the points are not equal, 0 if they are, or \-1 on err EC_GROUP_have_precompute_mult return 1 if a precomputation has been done, or 0 if not. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIec\fR\|(3), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), +\&\fIcrypto\fR\|(7), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), \&\fIEC_POINT_new\fR\|(3), \fIEC_KEY_new\fR\|(3), \&\fIEC_GFp_simple_method\fR\|(3), \fId2i_ECPKParameters\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EC_POINT_new.3 b/secure/lib/libcrypto/man/EC_POINT_new.3 index d9e5be60515e..8fbf2daf71e5 100644 --- a/secure/lib/libcrypto/man/EC_POINT_new.3 +++ b/secure/lib/libcrypto/man/EC_POINT_new.3 @@ -128,19 +128,18 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EC_POINT_new 3" -.TH EC_POINT_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EC_POINT_NEW 3" +.TH EC_POINT_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy, EC_POINT_dup, EC_POINT_method_of, EC_POINT_set_to_infinity, EC_POINT_set_Jprojective_coordinates, EC_POINT_get_Jprojective_coordinates_GFp, EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp, EC_POINT_set_compressed_coordinates_GFp, EC_POINT_set_affine_coordinates_GF2m, EC_POINT_get_affine_coordinates_GF2m, EC_POINT_set_compressed_coordinates_GF2m, EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex, EC_POINT_hex2point \- Functions for creating, destroying and manipulating EC_POINT objects. +EC_POINT_set_Jprojective_coordinates_GFp, EC_POINT_point2buf, EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy, EC_POINT_dup, EC_POINT_method_of, EC_POINT_set_to_infinity, EC_POINT_get_Jprojective_coordinates_GFp, EC_POINT_set_affine_coordinates, EC_POINT_get_affine_coordinates, EC_POINT_set_compressed_coordinates, EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp, EC_POINT_set_compressed_coordinates_GFp, EC_POINT_set_affine_coordinates_GF2m, EC_POINT_get_affine_coordinates_GF2m, EC_POINT_set_compressed_coordinates_GF2m, EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex, EC_POINT_hex2point \&\- Functions for creating, destroying and manipulating EC_POINT objects .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& \& EC_POINT *EC_POINT_new(const EC_GROUP *group); \& void EC_POINT_free(EC_POINT *point); @@ -149,108 +148,188 @@ EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy, EC_POINT_dup, E \& EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group); \& const EC_METHOD *EC_POINT_method_of(const EC_POINT *point); \& int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point); -\& int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); +\& int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, +\& EC_POINT *p, +\& const BIGNUM *x, const BIGNUM *y, +\& const BIGNUM *z, BN_CTX *ctx); \& int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, -\& const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); +\& const EC_POINT *p, +\& BIGNUM *x, BIGNUM *y, BIGNUM *z, +\& BN_CTX *ctx); +\& int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *p, +\& const BIGNUM *x, const BIGNUM *y, +\& BN_CTX *ctx); +\& int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p, +\& BIGNUM *x, BIGNUM *y, BN_CTX *ctx); +\& int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p, +\& const BIGNUM *x, int y_bit, +\& BN_CTX *ctx); \& int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); +\& const BIGNUM *x, const BIGNUM *y, +\& BN_CTX *ctx); \& int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, -\& const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -\& int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, int y_bit, BN_CTX *ctx); +\& const EC_POINT *p, +\& BIGNUM *x, BIGNUM *y, BN_CTX *ctx); +\& int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, +\& EC_POINT *p, +\& const BIGNUM *x, int y_bit, +\& BN_CTX *ctx); \& int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); +\& const BIGNUM *x, const BIGNUM *y, +\& BN_CTX *ctx); \& int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, -\& const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -\& int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, int y_bit, BN_CTX *ctx); +\& const EC_POINT *p, +\& BIGNUM *x, BIGNUM *y, BN_CTX *ctx); +\& int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, +\& EC_POINT *p, +\& const BIGNUM *x, int y_bit, +\& BN_CTX *ctx); \& size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p, -\& point_conversion_form_t form, -\& unsigned char *buf, size_t len, BN_CTX *ctx); +\& point_conversion_form_t form, +\& unsigned char *buf, size_t len, BN_CTX *ctx); +\& size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point, +\& point_conversion_form_t form, +\& unsigned char **pbuf, BN_CTX *ctx); \& int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *p, -\& const unsigned char *buf, size_t len, BN_CTX *ctx); -\& BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *, -\& point_conversion_form_t form, BIGNUM *, BN_CTX *); -\& EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *, -\& EC_POINT *, BN_CTX *); -\& char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *, -\& point_conversion_form_t form, BN_CTX *); -\& EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *, -\& EC_POINT *, BN_CTX *); +\& const unsigned char *buf, size_t len, BN_CTX *ctx); +\& BIGNUM *EC_POINT_point2bn(const EC_GROUP *group, const EC_POINT *p, +\& point_conversion_form_t form, BIGNUM *bn, +\& BN_CTX *ctx); +\& EC_POINT *EC_POINT_bn2point(const EC_GROUP *group, const BIGNUM *bn, +\& EC_POINT *p, BN_CTX *ctx); +\& char *EC_POINT_point2hex(const EC_GROUP *group, const EC_POINT *p, +\& point_conversion_form_t form, BN_CTX *ctx); +\& EC_POINT *EC_POINT_hex2point(const EC_GROUP *group, const char *hex, +\& EC_POINT *p, BN_CTX *ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -An \s-1EC_POINT\s0 represents a point on a curve. A new point is constructed by calling the function EC_POINT_new and providing the \fBgroup\fR -object that the point relates to. +An \fB\s-1EC_POINT\s0\fR structure represents a point on a curve. A new point is +constructed by calling the function \fIEC_POINT_new()\fR and providing the +\&\fBgroup\fR object that the point relates to. .PP -EC_POINT_free frees the memory associated with the \s-1EC_POINT.\s0 +\&\fIEC_POINT_free()\fR frees the memory associated with the \fB\s-1EC_POINT\s0\fR. +if \fBpoint\fR is \s-1NULL\s0 nothing is done. .PP -EC_POINT_clear_free destroys any sensitive data held within the \s-1EC_POINT\s0 and then frees its memory. +\&\fIEC_POINT_clear_free()\fR destroys any sensitive data held within the \s-1EC_POINT\s0 and +then frees its memory. If \fBpoint\fR is \s-1NULL\s0 nothing is done. .PP -EC_POINT_copy copies the point \fBsrc\fR into \fBdst\fR. Both \fBsrc\fR and \fBdst\fR must use the same \s-1EC_METHOD.\s0 +\&\fIEC_POINT_copy()\fR copies the point \fBsrc\fR into \fBdst\fR. Both \fBsrc\fR and \fBdst\fR +must use the same \fB\s-1EC_METHOD\s0\fR. .PP -EC_POINT_dup creates a new \s-1EC_POINT\s0 object and copies the content from \fBsrc\fR to the newly created -\&\s-1EC_POINT\s0 object. +\&\fIEC_POINT_dup()\fR creates a new \fB\s-1EC_POINT\s0\fR object and copies the content from +\&\fBsrc\fR to the newly created \fB\s-1EC_POINT\s0\fR object. .PP -EC_POINT_method_of obtains the \s-1EC_METHOD\s0 associated with \fBpoint\fR. +\&\fIEC_POINT_method_of()\fR obtains the \fB\s-1EC_METHOD\s0\fR associated with \fBpoint\fR. .PP -A valid point on a curve is the special point at infinity. A point is set to be at infinity by calling EC_POINT_set_to_infinity. +A valid point on a curve is the special point at infinity. A point is set to +be at infinity by calling \fIEC_POINT_set_to_infinity()\fR. .PP -The affine co-ordinates for a point describe a point in terms of its x and y position. The functions -EC_POINT_set_affine_coordinates_GFp and EC_POINT_set_affine_coordinates_GF2m set the \fBx\fR and \fBy\fR co-ordinates for the point -\&\fBp\fR defined over the curve given in \fBgroup\fR. +The affine co-ordinates for a point describe a point in terms of its x and y +position. The function \fIEC_POINT_set_affine_coordinates()\fR sets the \fBx\fR and \fBy\fR +co-ordinates for the point \fBp\fR defined over the curve given in \fBgroup\fR. The +function \fIEC_POINT_get_affine_coordinates()\fR sets \fBx\fR and \fBy\fR, either of which +may be \s-1NULL,\s0 to the corresponding coordinates of \fBp\fR. .PP -As well as the affine co-ordinates, a point can alternatively be described in terms of its Jacobian -projective co-ordinates (for Fp curves only). Jacobian projective co-ordinates are expressed as three values x, y and z. Working in -this co-ordinate system provides more efficient point multiplication operations. -A mapping exists between Jacobian projective co-ordinates and affine co-ordinates. A Jacobian projective co-ordinate (x, y, z) can be written as an affine co-ordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian projective to affine co-ordinates is simple. The co-ordinate (x, y) is -mapped to (x, y, 1). To set or get the projective co-ordinates use EC_POINT_set_Jprojective_coordinates_GFp and -EC_POINT_get_Jprojective_coordinates_GFp respectively. +The functions \fIEC_POINT_set_affine_coordinates_GFp()\fR and +\&\fIEC_POINT_set_affine_coordinates_GF2m()\fR are synonyms for +\&\fIEC_POINT_set_affine_coordinates()\fR. They are defined for backwards compatibility +only and should not be used. .PP -Points can also be described in terms of their compressed co-ordinates. For a point (x, y), for any given value for x such that the point is -on the curve there will only ever be two possible values for y. Therefore a point can be set using the EC_POINT_set_compressed_coordinates_GFp -and EC_POINT_set_compressed_coordinates_GF2m functions where \fBx\fR is the x co-ordinate and \fBy_bit\fR is a value 0 or 1 to identify which of -the two possible values for y should be used. +The functions \fIEC_POINT_get_affine_coordinates_GFp()\fR and +\&\fIEC_POINT_get_affine_coordinates_GF2m()\fR are synonyms for +\&\fIEC_POINT_get_affine_coordinates()\fR. They are defined for backwards compatibility +only and should not be used. .PP -In addition EC_POINTs can be converted to and from various external -representations. Supported representations are octet strings, BIGNUMs and -hexadecimal. Octet strings are stored in a buffer along with an associated -buffer length. A point held in a \s-1BIGNUM\s0 is calculated by converting the point to -an octet string and then converting that octet string into a \s-1BIGNUM\s0 integer. -Points in hexadecimal format are stored in a \s-1NULL\s0 terminated character string -where each character is one of the printable values 0\-9 or A\-F (or a\-f). +As well as the affine co-ordinates, a point can alternatively be described in +terms of its Jacobian projective co-ordinates (for Fp curves only). Jacobian +projective co-ordinates are expressed as three values x, y and z. Working in +this co-ordinate system provides more efficient point multiplication +operations. A mapping exists between Jacobian projective co-ordinates and +affine co-ordinates. A Jacobian projective co-ordinate (x, y, z) can be written +as an affine co-ordinate as (x/(z^2), y/(z^3)). Conversion to Jacobian +projective from affine co-ordinates is simple. The co-ordinate (x, y) is mapped +to (x, y, 1). To set or get the projective co-ordinates use +\&\fIEC_POINT_set_Jprojective_coordinates_GFp()\fR and +\&\fIEC_POINT_get_Jprojective_coordinates_GFp()\fR respectively. .PP -The functions EC_POINT_point2oct, EC_POINT_oct2point, EC_POINT_point2bn, EC_POINT_bn2point, EC_POINT_point2hex and EC_POINT_hex2point convert -from and to EC_POINTs for the formats: octet string, \s-1BIGNUM\s0 and hexadecimal respectively. +Points can also be described in terms of their compressed co-ordinates. For a +point (x, y), for any given value for x such that the point is on the curve +there will only ever be two possible values for y. Therefore a point can be set +using the \fIEC_POINT_set_compressed_coordinates()\fR function where \fBx\fR is the x +co-ordinate and \fBy_bit\fR is a value 0 or 1 to identify which of the two +possible values for y should be used. .PP -The function EC_POINT_point2oct must be supplied with a buffer long enough to store the octet string. The return value provides the number of -octets stored. Calling the function with a \s-1NULL\s0 buffer will not perform the conversion but will still return the required buffer length. +The functions \fIEC_POINT_set_compressed_coordinates_GFp()\fR and +\&\fIEC_POINT_set_compressed_coordinates_GF2m()\fR are synonyms for +\&\fIEC_POINT_set_compressed_coordinates()\fR. They are defined for backwards +compatibility only and should not be used. .PP -The function EC_POINT_point2hex will allocate sufficient memory to store the hexadecimal string. It is the caller's responsibility to free -this memory with a subsequent call to \fIOPENSSL_free()\fR. +In addition \fB\s-1EC_POINT\s0\fR can be converted to and from various external +representations. The octet form is the binary encoding of the \fBECPoint\fR +structure (as defined in \s-1RFC5480\s0 and used in certificates and \s-1TLS\s0 records): +only the content octets are present, the \fB\s-1OCTET STRING\s0\fR tag and length are +not included. \fB\s-1BIGNUM\s0\fR form is the octet form interpreted as a big endian +integer converted to a \fB\s-1BIGNUM\s0\fR structure. Hexadecimal form is the octet +form converted to a \s-1NULL\s0 terminated character string where each character +is one of the printable values 0\-9 or A\-F (or a\-f). +.PP +The functions \fIEC_POINT_point2oct()\fR, \fIEC_POINT_oct2point()\fR, \fIEC_POINT_point2bn()\fR, +\&\fIEC_POINT_bn2point()\fR, \fIEC_POINT_point2hex()\fR and \fIEC_POINT_hex2point()\fR convert from +and to EC_POINTs for the formats: octet, \s-1BIGNUM\s0 and hexadecimal respectively. +.PP +The function \fIEC_POINT_point2oct()\fR must be supplied with a buffer long enough to +store the octet form. The return value provides the number of octets stored. +Calling the function with a \s-1NULL\s0 buffer will not perform the conversion but +will still return the required buffer length. +.PP +The function \fIEC_POINT_point2buf()\fR allocates a buffer of suitable length and +writes an \s-1EC_POINT\s0 to it in octet format. The allocated buffer is written to +\&\fB*pbuf\fR and its length is returned. The caller must free up the allocated +buffer with a call to \fIOPENSSL_free()\fR. Since the allocated buffer value is +written to \fB*pbuf\fR the \fBpbuf\fR parameter \fB\s-1MUST NOT\s0\fR be \fB\s-1NULL\s0\fR. +.PP +The function \fIEC_POINT_point2hex()\fR will allocate sufficient memory to store the +hexadecimal string. It is the caller's responsibility to free this memory with +a subsequent call to \fIOPENSSL_free()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -EC_POINT_new and EC_POINT_dup return the newly allocated \s-1EC_POINT\s0 or \s-1NULL\s0 on error. +\&\fIEC_POINT_new()\fR and \fIEC_POINT_dup()\fR return the newly allocated \s-1EC_POINT\s0 or \s-1NULL\s0 +on error. .PP -The following functions return 1 on success or 0 on error: EC_POINT_copy, EC_POINT_set_to_infinity, EC_POINT_set_Jprojective_coordinates_GFp, -EC_POINT_get_Jprojective_coordinates_GFp, EC_POINT_set_affine_coordinates_GFp, EC_POINT_get_affine_coordinates_GFp, -EC_POINT_set_compressed_coordinates_GFp, EC_POINT_set_affine_coordinates_GF2m, EC_POINT_get_affine_coordinates_GF2m, -EC_POINT_set_compressed_coordinates_GF2m and EC_POINT_oct2point. +The following functions return 1 on success or 0 on error: \fIEC_POINT_copy()\fR, +\&\fIEC_POINT_set_to_infinity()\fR, \fIEC_POINT_set_Jprojective_coordinates_GFp()\fR, +\&\fIEC_POINT_get_Jprojective_coordinates_GFp()\fR, +\&\fIEC_POINT_set_affine_coordinates_GFp()\fR, \fIEC_POINT_get_affine_coordinates_GFp()\fR, +\&\fIEC_POINT_set_compressed_coordinates_GFp()\fR, +\&\fIEC_POINT_set_affine_coordinates_GF2m()\fR, \fIEC_POINT_get_affine_coordinates_GF2m()\fR, +\&\fIEC_POINT_set_compressed_coordinates_GF2m()\fR and \fIEC_POINT_oct2point()\fR. .PP EC_POINT_method_of returns the \s-1EC_METHOD\s0 associated with the supplied \s-1EC_POINT.\s0 .PP -EC_POINT_point2oct returns the length of the required buffer, or 0 on error. +\&\fIEC_POINT_point2oct()\fR and \fIEC_POINT_point2buf()\fR return the length of the required +buffer or 0 on error. .PP -EC_POINT_point2bn returns the pointer to the \s-1BIGNUM\s0 supplied, or \s-1NULL\s0 on error. +\&\fIEC_POINT_point2bn()\fR returns the pointer to the \s-1BIGNUM\s0 supplied, or \s-1NULL\s0 on +error. .PP -EC_POINT_bn2point returns the pointer to the \s-1EC_POINT\s0 supplied, or \s-1NULL\s0 on error. +\&\fIEC_POINT_bn2point()\fR returns the pointer to the \s-1EC_POINT\s0 supplied, or \s-1NULL\s0 on +error. .PP -EC_POINT_point2hex returns a pointer to the hex string, or \s-1NULL\s0 on error. +\&\fIEC_POINT_point2hex()\fR returns a pointer to the hex string, or \s-1NULL\s0 on error. .PP -EC_POINT_hex2point returns the pointer to the \s-1EC_POINT\s0 supplied, or \s-1NULL\s0 on error. +\&\fIEC_POINT_hex2point()\fR returns the pointer to the \s-1EC_POINT\s0 supplied, or \s-1NULL\s0 on +error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIec\fR\|(3), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), +\&\fIcrypto\fR\|(7), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), \&\fIEC_POINT_add\fR\|(3), \fIEC_KEY_new\fR\|(3), \&\fIEC_GFp_simple_method\fR\|(3), \fId2i_ECPKParameters\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/engine.3 b/secure/lib/libcrypto/man/ENGINE_add.3 similarity index 78% rename from secure/lib/libcrypto/man/engine.3 rename to secure/lib/libcrypto/man/ENGINE_add.3 index 9652beecf443..961dde3845ff 100644 --- a/secure/lib/libcrypto/man/engine.3 +++ b/secure/lib/libcrypto/man/ENGINE_add.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "engine 3" -.TH engine 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ENGINE_ADD 3" +.TH ENGINE_ADD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -engine \- ENGINE cryptographic module support +ENGINE_get_DH, ENGINE_get_DSA, ENGINE_by_id, ENGINE_get_cipher_engine, ENGINE_get_default_DH, ENGINE_get_default_DSA, ENGINE_get_default_RAND, ENGINE_get_default_RSA, ENGINE_get_digest_engine, ENGINE_get_first, ENGINE_get_last, ENGINE_get_next, ENGINE_get_prev, ENGINE_new, ENGINE_get_ciphers, ENGINE_get_ctrl_function, ENGINE_get_digests, ENGINE_get_destroy_function, ENGINE_get_finish_function, ENGINE_get_init_function, ENGINE_get_load_privkey_function, ENGINE_get_load_pubkey_function, ENGINE_load_private_key, ENGINE_load_public_key, ENGINE_get_RAND, ENGINE_get_RSA, ENGINE_get_id, ENGINE_get_name, ENGINE_get_cmd_defns, ENGINE_get_cipher, ENGINE_get_digest, ENGINE_add, ENGINE_cmd_is_executable, ENGINE_ctrl, ENGINE_ctrl_cmd, ENGINE_ctrl_cmd_string, ENGINE_finish, ENGINE_free, ENGINE_get_flags, ENGINE_init, ENGINE_register_DH, ENGINE_register_DSA, ENGINE_register_RAND, ENGINE_register_RSA, ENGINE_register_all_complete, ENGINE_register_ciphers, ENGINE_register_complete, ENGINE_register_digests, ENGINE_remove, ENGINE_set_DH, ENGINE_set_DSA, ENGINE_set_RAND, ENGINE_set_RSA, ENGINE_set_ciphers, ENGINE_set_cmd_defns, ENGINE_set_ctrl_function, ENGINE_set_default, ENGINE_set_default_DH, ENGINE_set_default_DSA, ENGINE_set_default_RAND, ENGINE_set_default_RSA, ENGINE_set_default_ciphers, ENGINE_set_default_digests, ENGINE_set_default_string, ENGINE_set_destroy_function, ENGINE_set_digests, ENGINE_set_finish_function, ENGINE_set_flags, ENGINE_set_id, ENGINE_set_init_function, ENGINE_set_load_privkey_function, ENGINE_set_load_pubkey_function, ENGINE_set_name, ENGINE_up_ref, ENGINE_get_table_flags, ENGINE_cleanup, ENGINE_load_builtin_engines, ENGINE_register_all_DH, ENGINE_register_all_DSA, ENGINE_register_all_RAND, ENGINE_register_all_RSA, ENGINE_register_all_ciphers, ENGINE_register_all_digests, ENGINE_set_table_flags, ENGINE_unregister_DH, ENGINE_unregister_DSA, ENGINE_unregister_RAND, ENGINE_unregister_RSA, ENGINE_unregister_ciphers, ENGINE_unregister_digests \&\- ENGINE cryptographic module support .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -154,28 +154,10 @@ engine \- ENGINE cryptographic module support \& int ENGINE_init(ENGINE *e); \& int ENGINE_finish(ENGINE *e); \& -\& void ENGINE_load_openssl(void); -\& void ENGINE_load_dynamic(void); -\& #ifndef OPENSSL_NO_STATIC_ENGINE -\& void ENGINE_load_4758cca(void); -\& void ENGINE_load_aep(void); -\& void ENGINE_load_atalla(void); -\& void ENGINE_load_chil(void); -\& void ENGINE_load_cswift(void); -\& void ENGINE_load_gmp(void); -\& void ENGINE_load_nuron(void); -\& void ENGINE_load_sureware(void); -\& void ENGINE_load_ubsec(void); -\& #endif -\& void ENGINE_load_cryptodev(void); \& void ENGINE_load_builtin_engines(void); \& -\& void ENGINE_cleanup(void); -\& \& ENGINE *ENGINE_get_default_RSA(void); \& ENGINE *ENGINE_get_default_DSA(void); -\& ENGINE *ENGINE_get_default_ECDH(void); -\& ENGINE *ENGINE_get_default_ECDSA(void); \& ENGINE *ENGINE_get_default_DH(void); \& ENGINE *ENGINE_get_default_RAND(void); \& ENGINE *ENGINE_get_cipher_engine(int nid); @@ -183,8 +165,6 @@ engine \- ENGINE cryptographic module support \& \& int ENGINE_set_default_RSA(ENGINE *e); \& int ENGINE_set_default_DSA(ENGINE *e); -\& int ENGINE_set_default_ECDH(ENGINE *e); -\& int ENGINE_set_default_ECDSA(ENGINE *e); \& int ENGINE_set_default_DH(ENGINE *e); \& int ENGINE_set_default_RAND(ENGINE *e); \& int ENGINE_set_default_ciphers(ENGINE *e); @@ -202,21 +182,12 @@ engine \- ENGINE cryptographic module support \& int ENGINE_register_DSA(ENGINE *e); \& void ENGINE_unregister_DSA(ENGINE *e); \& void ENGINE_register_all_DSA(void); -\& int ENGINE_register_ECDH(ENGINE *e); -\& void ENGINE_unregister_ECDH(ENGINE *e); -\& void ENGINE_register_all_ECDH(void); -\& int ENGINE_register_ECDSA(ENGINE *e); -\& void ENGINE_unregister_ECDSA(ENGINE *e); -\& void ENGINE_register_all_ECDSA(void); \& int ENGINE_register_DH(ENGINE *e); \& void ENGINE_unregister_DH(ENGINE *e); \& void ENGINE_register_all_DH(void); \& int ENGINE_register_RAND(ENGINE *e); \& void ENGINE_unregister_RAND(ENGINE *e); \& void ENGINE_register_all_RAND(void); -\& int ENGINE_register_STORE(ENGINE *e); -\& void ENGINE_unregister_STORE(ENGINE *e); -\& void ENGINE_register_all_STORE(void); \& int ENGINE_register_ciphers(ENGINE *e); \& void ENGINE_unregister_ciphers(ENGINE *e); \& void ENGINE_register_all_ciphers(void); @@ -229,15 +200,9 @@ engine \- ENGINE cryptographic module support \& int ENGINE_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void)); \& int ENGINE_cmd_is_executable(ENGINE *e, int cmd); \& int ENGINE_ctrl_cmd(ENGINE *e, const char *cmd_name, -\& long i, void *p, void (*f)(void), int cmd_optional); +\& long i, void *p, void (*f)(void), int cmd_optional); \& int ENGINE_ctrl_cmd_string(ENGINE *e, const char *cmd_name, const char *arg, -\& int cmd_optional); -\& -\& int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg); -\& void *ENGINE_get_ex_data(const ENGINE *e, int idx); -\& -\& int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); +\& int cmd_optional); \& \& ENGINE *ENGINE_new(void); \& int ENGINE_free(ENGINE *e); @@ -247,11 +212,8 @@ engine \- ENGINE cryptographic module support \& int ENGINE_set_name(ENGINE *e, const char *name); \& int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth); \& int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth); -\& int ENGINE_set_ECDH(ENGINE *e, const ECDH_METHOD *dh_meth); -\& int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *dh_meth); \& int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth); \& int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth); -\& int ENGINE_set_STORE(ENGINE *e, const STORE_METHOD *rand_meth); \& int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f); \& int ENGINE_set_init_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR init_f); \& int ENGINE_set_finish_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR finish_f); @@ -267,11 +229,8 @@ engine \- ENGINE cryptographic module support \& const char *ENGINE_get_name(const ENGINE *e); \& const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e); \& const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e); -\& const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *e); -\& const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *e); \& const DH_METHOD *ENGINE_get_DH(const ENGINE *e); \& const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e); -\& const STORE_METHOD *ENGINE_get_STORE(const ENGINE *e); \& ENGINE_GEN_INT_FUNC_PTR ENGINE_get_destroy_function(const ENGINE *e); \& ENGINE_GEN_INT_FUNC_PTR ENGINE_get_init_function(const ENGINE *e); \& ENGINE_GEN_INT_FUNC_PTR ENGINE_get_finish_function(const ENGINE *e); @@ -286,11 +245,17 @@ engine \- ENGINE cryptographic module support \& const ENGINE_CMD_DEFN *ENGINE_get_cmd_defns(const ENGINE *e); \& \& EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, -\& UI_METHOD *ui_method, void *callback_data); +\& UI_METHOD *ui_method, void *callback_data); \& EVP_PKEY *ENGINE_load_public_key(ENGINE *e, const char *key_id, -\& UI_METHOD *ui_method, void *callback_data); -\& -\& void ENGINE_add_conf_module(void); +\& UI_METHOD *ui_method, void *callback_data); +.Ve +.PP +Deprecated: +.PP +.Vb 3 +\& #if OPENSSL_API_COMPAT < 0x10100000L +\& void ENGINE_cleanup(void) +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -306,7 +271,7 @@ implementation includes the following abstractions; .Vb 6 \& RSA_METHOD \- for providing alternative RSA implementations \& DSA_METHOD, DH_METHOD, RAND_METHOD, ECDH_METHOD, ECDSA_METHOD, -\& STORE_METHOD \- similarly for other OpenSSL APIs +\& \- similarly for other OpenSSL APIs \& EVP_CIPHER \- potentially multiple cipher algorithms (indexed by \*(Aqnid\*(Aq) \& EVP_DIGEST \- potentially multiple hash algorithms (indexed by \*(Aqnid\*(Aq) \& key\-loading \- loading public and/or private EVP_PKEY keys @@ -450,42 +415,7 @@ it uses static linking against openssl, then the resulting application binary will not contain any alternative \s-1ENGINE\s0 code at all. So the first consideration is whether any/all available \s-1ENGINE\s0 implementations should be made visible to OpenSSL \- this is controlled by calling the various \*(L"load\*(R" -functions, eg. -.PP -.Vb 9 -\& /* Make the "dynamic" ENGINE available */ -\& void ENGINE_load_dynamic(void); -\& /* Make the CryptoSwift hardware acceleration support available */ -\& void ENGINE_load_cswift(void); -\& /* Make support for nCipher\*(Aqs "CHIL" hardware available */ -\& void ENGINE_load_chil(void); -\& ... -\& /* Make ALL ENGINE implementations bundled with OpenSSL available */ -\& void ENGINE_load_builtin_engines(void); -.Ve -.PP -Having called any of these functions, \s-1ENGINE\s0 objects would have been -dynamically allocated and populated with these implementations and linked -into OpenSSL's internal linked list. At this point it is important to -mention an important \s-1API\s0 function; -.PP -.Vb 1 -\& void ENGINE_cleanup(void); -.Ve -.PP -If no \s-1ENGINE API\s0 functions are called at all in an application, then there -are no inherent memory leaks to worry about from the \s-1ENGINE\s0 functionality, -however if any ENGINEs are loaded, even if they are never registered or -used, it is necessary to use the \fIENGINE_cleanup()\fR function to -correspondingly cleanup before program exit, if the caller wishes to avoid -memory leaks. This mechanism uses an internal callback registration table -so that any \s-1ENGINE API\s0 functionality that knows it requires cleanup can -register its cleanup details to be called during \fIENGINE_cleanup()\fR. This -approach allows \fIENGINE_cleanup()\fR to clean up after any \s-1ENGINE\s0 functionality -at all that your program uses, yet doesn't automatically create linker -dependencies to all possible \s-1ENGINE\s0 functionality \- only the cleanup -callbacks required by the functionality you do use will be required by the -linker. +functions. .PP The fact that ENGINEs are made visible to OpenSSL (and thus are linked into the program and loaded into memory at run-time) does not mean they are @@ -501,6 +431,11 @@ things, so we will simply illustrate the consequences as they apply to a couple of simple cases and leave developers to consider these and the source code to openssl's builtin utilities as guides. .PP +If no \s-1ENGINE API\s0 functions are called within an application, then OpenSSL +will not allocate any internal resources. Prior to OpenSSL 1.1.0, however, +if any ENGINEs are loaded, even if not registered or used, it was necessary to +call \fIENGINE_cleanup()\fR before the program exits. +.PP \&\fIUsing a specific \s-1ENGINE\s0 implementation\fR .PP Here we'll assume an application has been configured by its user or admin @@ -515,17 +450,19 @@ illustrates how to approach this; \& const char *engine_id = "ACME"; \& ENGINE_load_builtin_engines(); \& e = ENGINE_by_id(engine_id); -\& if(!e) +\& if (!e) \& /* the engine isn\*(Aqt available */ \& return; -\& if(!ENGINE_init(e)) { +\& if (!ENGINE_init(e)) { \& /* the engine couldn\*(Aqt initialise, release \*(Aqe\*(Aq */ \& ENGINE_free(e); \& return; \& } -\& if(!ENGINE_set_default_RSA(e)) -\& /* This should only happen when \*(Aqe\*(Aq can\*(Aqt initialise, but the previous -\& * statement suggests it did. */ +\& if (!ENGINE_set_default_RSA(e)) +\& /* +\& * This should only happen when \*(Aqe\*(Aq can\*(Aqt initialise, but the previous +\& * statement suggests it did. +\& */ \& abort(); \& ENGINE_set_default_DSA(e); \& ENGINE_set_default_ciphers(e); @@ -605,28 +542,30 @@ boolean success or failure. \& const char **post_cmds, int post_num) \& { \& ENGINE *e = ENGINE_by_id(engine_id); -\& if(!e) return 0; -\& while(pre_num\-\-) { -\& if(!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) { +\& if (!e) return 0; +\& while (pre_num\-\-) { +\& if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) { \& fprintf(stderr, "Failed command (%s \- %s:%s)\en", engine_id, -\& pre_cmds[0], pre_cmds[1] ? pre_cmds[1] : "(NULL)"); +\& pre_cmds[0], pre_cmds[1] ? pre_cmds[1] : "(NULL)"); \& ENGINE_free(e); \& return 0; \& } \& pre_cmds += 2; \& } -\& if(!ENGINE_init(e)) { +\& if (!ENGINE_init(e)) { \& fprintf(stderr, "Failed initialisation\en"); \& ENGINE_free(e); \& return 0; \& } -\& /* ENGINE_init() returned a functional reference, so free the structural -\& * reference from ENGINE_by_id(). */ +\& /* +\& * ENGINE_init() returned a functional reference, so free the structural +\& * reference from ENGINE_by_id(). +\& */ \& ENGINE_free(e); -\& while(post_num\-\-) { -\& if(!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) { +\& while (post_num\-\-) { +\& if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) { \& fprintf(stderr, "Failed command (%s \- %s:%s)\en", engine_id, -\& post_cmds[0], post_cmds[1] ? post_cmds[1] : "(NULL)"); +\& post_cmds[0], post_cmds[1] ? post_cmds[1] : "(NULL)"); \& ENGINE_finish(e); \& return 0; \& } @@ -659,18 +598,18 @@ this symbol is considered a \*(L"generic\*(R" command is handled directly by the OpenSSL core routines. .PP It is using these \*(L"core\*(R" control commands that one can discover the control -commands implemented by a given \s-1ENGINE,\s0 specifically the commands; +commands implemented by a given \s-1ENGINE,\s0 specifically the commands: .PP .Vb 9 -\& #define ENGINE_HAS_CTRL_FUNCTION 10 -\& #define ENGINE_CTRL_GET_FIRST_CMD_TYPE 11 -\& #define ENGINE_CTRL_GET_NEXT_CMD_TYPE 12 -\& #define ENGINE_CTRL_GET_CMD_FROM_NAME 13 -\& #define ENGINE_CTRL_GET_NAME_LEN_FROM_CMD 14 -\& #define ENGINE_CTRL_GET_NAME_FROM_CMD 15 -\& #define ENGINE_CTRL_GET_DESC_LEN_FROM_CMD 16 -\& #define ENGINE_CTRL_GET_DESC_FROM_CMD 17 -\& #define ENGINE_CTRL_GET_CMD_FLAGS 18 +\& ENGINE_HAS_CTRL_FUNCTION +\& ENGINE_CTRL_GET_FIRST_CMD_TYPE +\& ENGINE_CTRL_GET_NEXT_CMD_TYPE +\& ENGINE_CTRL_GET_CMD_FROM_NAME +\& ENGINE_CTRL_GET_NAME_LEN_FROM_CMD +\& ENGINE_CTRL_GET_NAME_FROM_CMD +\& ENGINE_CTRL_GET_DESC_LEN_FROM_CMD +\& ENGINE_CTRL_GET_DESC_FROM_CMD +\& ENGINE_CTRL_GET_CMD_FLAGS .Ve .PP Whilst these commands are automatically processed by the OpenSSL framework code, @@ -682,7 +621,7 @@ If an \s-1ENGINE\s0 specifies the \s-1ENGINE_FLAGS_MANUAL_CMD_CTRL\s0 flag, then simply pass all these \*(L"core\*(R" control commands directly to the \s-1ENGINE\s0's \fIctrl()\fR handler (and thus, it must have supplied one), so it is up to the \s-1ENGINE\s0 to reply to these \*(L"discovery\*(R" commands itself. If that flag is not set, then the -OpenSSL framework code will work with the following rules; +OpenSSL framework code will work with the following rules: .PP .Vb 9 \& if no ctrl() handler supplied; @@ -707,13 +646,13 @@ return properties of the corresponding commands. All except \&\s-1ENGINE_CTRL_GET_FLAGS\s0 return the string length of a command name or description, or populate a supplied character buffer with a copy of the command name or description. \s-1ENGINE_CTRL_GET_FLAGS\s0 returns a bitwise-OR'd mask of the following -possible values; +possible values: .PP .Vb 4 -\& #define ENGINE_CMD_FLAG_NUMERIC (unsigned int)0x0001 -\& #define ENGINE_CMD_FLAG_STRING (unsigned int)0x0002 -\& #define ENGINE_CMD_FLAG_NO_INPUT (unsigned int)0x0004 -\& #define ENGINE_CMD_FLAG_INTERNAL (unsigned int)0x0008 +\& ENGINE_CMD_FLAG_NUMERIC +\& ENGINE_CMD_FLAG_STRING +\& ENGINE_CMD_FLAG_NO_INPUT +\& ENGINE_CMD_FLAG_INTERNAL .Ve .PP If the \s-1ENGINE_CMD_FLAG_INTERNAL\s0 flag is set, then any other flags are purely @@ -723,20 +662,102 @@ for any higher-level \s-1ENGINE\s0 functions such as \fIENGINE_ctrl_cmd_string() by applications, administrations, users, etc. These can support arbitrary operations via \fIENGINE_ctrl()\fR, including passing to and/or from the control commands data of any arbitrary type. These commands are supported in the -discovery mechanisms simply to allow applications determinie if an \s-1ENGINE\s0 +discovery mechanisms simply to allow applications to determine if an \s-1ENGINE\s0 supports certain specific commands it might want to use (eg. application \*(L"foo\*(R" might query various ENGINEs to see if they implement \*(L"\s-1FOO_GET_VENDOR_LOGO_GIF\*(R"\s0 \- and \s-1ENGINE\s0 could therefore decide whether or not to support this \*(L"foo\*(R"\-specific extension). -.SS "Future developments" -.IX Subsection "Future developments" -The \s-1ENGINE API\s0 and internal architecture is currently being reviewed. Slated for -possible release in 0.9.8 is support for transparent loading of \*(L"dynamic\*(R" -ENGINEs (built as self-contained shared-libraries). This would allow \s-1ENGINE\s0 -implementations to be provided independently of OpenSSL libraries and/or -OpenSSL-based applications, and would also remove any requirement for -applications to explicitly use the \*(L"dynamic\*(R" \s-1ENGINE\s0 to bind to shared-library -implementations. +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4 +.IX Item "OPENSSL_ENGINES" +The path to the engines directory. +Ignored in set-user-ID and set-group-ID programs. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIENGINE_get_first()\fR, \fIENGINE_get_last()\fR, \fIENGINE_get_next()\fR and \fIENGINE_get_prev()\fR +return a valid \fB\s-1ENGINE\s0\fR structure or \s-1NULL\s0 if an error occurred. +.PP +\&\fIENGINE_add()\fR and \fIENGINE_remove()\fR return 1 on success or 0 on error. +.PP +\&\fIENGINE_by_id()\fR returns a valid \fB\s-1ENGINE\s0\fR structure or \s-1NULL\s0 if an error occurred. +.PP +\&\fIENGINE_init()\fR and \fIENGINE_finish()\fR return 1 on success or 0 on error. +.PP +All \fIENGINE_get_default_TYPE()\fR functions, \fIENGINE_get_cipher_engine()\fR and +\&\fIENGINE_get_digest_engine()\fR return a valid \fB\s-1ENGINE\s0\fR structure on success or \s-1NULL\s0 +if an error occurred. +.PP +All \fIENGINE_set_default_TYPE()\fR functions return 1 on success or 0 on error. +.PP +\&\fIENGINE_set_default()\fR returns 1 on success or 0 on error. +.PP +\&\fIENGINE_get_table_flags()\fR returns an unsigned integer value representing the +global table flags which are used to control the registration behaviour of +\&\fB\s-1ENGINE\s0\fR implementations. +.PP +All \fIENGINE_register_TYPE()\fR functions return 1 on success or 0 on error. +.PP +\&\fIENGINE_register_complete()\fR and \fIENGINE_register_all_complete()\fR return 1 on success +or 0 on error. +.PP +\&\fIENGINE_ctrl()\fR returns a positive value on success or others on error. +.PP +\&\fIENGINE_cmd_is_executable()\fR returns 1 if \fBcmd\fR is executable or 0 otherwise. +.PP +\&\fIENGINE_ctrl_cmd()\fR and \fIENGINE_ctrl_cmd_string()\fR return 1 on success or 0 on error. +.PP +\&\fIENGINE_new()\fR returns a valid \fB\s-1ENGINE\s0\fR structure on success or \s-1NULL\s0 if an error +occurred. +.PP +\&\fIENGINE_free()\fR returns 1 on success or 0 on error. +.PP +\&\fIENGINE_up_ref()\fR returns 1 on success or 0 on error. +.PP +\&\fIENGINE_set_id()\fR and \fIENGINE_set_name()\fR return 1 on success or 0 on error. +.PP +All other \fBENGINE_set_*\fR functions return 1 on success or 0 on error. +.PP +\&\fIENGINE_get_id()\fR and \fIENGINE_get_name()\fR return a string representing the identifier +and the name of the \s-1ENGINE\s0 \fBe\fR respectively. +.PP +\&\fIENGINE_get_RSA()\fR, \fIENGINE_get_DSA()\fR, \fIENGINE_get_DH()\fR and \fIENGINE_get_RAND()\fR +return corresponding method structures for each algorithms. +.PP +\&\fIENGINE_get_destroy_function()\fR, \fIENGINE_get_init_function()\fR, +\&\fIENGINE_get_finish_function()\fR, \fIENGINE_get_ctrl_function()\fR, +\&\fIENGINE_get_load_privkey_function()\fR, \fIENGINE_get_load_pubkey_function()\fR, +\&\fIENGINE_get_ciphers()\fR and \fIENGINE_get_digests()\fR return corresponding function +pointers of the callbacks. +.PP +\&\fIENGINE_get_cipher()\fR returns a valid \fB\s-1EVP_CIPHER\s0\fR structure on success or \s-1NULL\s0 +if an error occurred. +.PP +\&\fIENGINE_get_digest()\fR returns a valid \fB\s-1EVP_MD\s0\fR structure on success or \s-1NULL\s0 if an +error occurred. +.PP +\&\fIENGINE_get_flags()\fR returns an integer representing the \s-1ENGINE\s0 flags which are +used to control various behaviours of an \s-1ENGINE.\s0 +.PP +\&\fIENGINE_get_cmd_defns()\fR returns an \fB\s-1ENGINE_CMD_DEFN\s0\fR structure or \s-1NULL\s0 if it's +not set. +.PP +\&\fIENGINE_load_private_key()\fR and \fIENGINE_load_public_key()\fR return a valid \fB\s-1EVP_PKEY\s0\fR +structure on success or \s-1NULL\s0 if an error occurred. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrsa\fR\|(3), \fIdsa\fR\|(3), \fIdh\fR\|(3), \fIrand\fR\|(3) +\&\fIOPENSSL_init_crypto\fR\|(3), \fIRSA_new_method\fR\|(3), \fIDSA_new\fR\|(3), \fIDH_new\fR\|(3), +\&\fIRAND_bytes\fR\|(3), \fIconfig\fR\|(5) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIENGINE_cleanup()\fR was deprecated in OpenSSL 1.1.0 by the automatic cleanup +done by \fIOPENSSL_cleanup()\fR +and should not be used. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_GET_LIB.3 b/secure/lib/libcrypto/man/ERR_GET_LIB.3 index 82c58c7eee97..bb8a0230f506 100644 --- a/secure/lib/libcrypto/man/ERR_GET_LIB.3 +++ b/secure/lib/libcrypto/man/ERR_GET_LIB.3 @@ -129,14 +129,13 @@ .\" ======================================================================== .\" .IX Title "ERR_GET_LIB 3" -.TH ERR_GET_LIB 3 "2018-08-14" "1.0.2p" "OpenSSL" +.TH ERR_GET_LIB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON \- get library, function and -reason code +ERR_GET_LIB, ERR_GET_FUNC, ERR_GET_REASON, ERR_FATAL_ERROR \&\- get information from error codes .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -147,6 +146,8 @@ reason code \& int ERR_GET_FUNC(unsigned long e); \& \& int ERR_GET_REASON(unsigned long e); +\& +\& int ERR_FATAL_ERROR(unsigned long e); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -154,6 +155,8 @@ The error code returned by \fIERR_get_error()\fR consists of a library number, function code and reason code. \s-1\fIERR_GET_LIB\s0()\fR, \s-1\fIERR_GET_FUNC\s0()\fR and \s-1\fIERR_GET_REASON\s0()\fR can be used to extract these. .PP +\&\s-1\fIERR_FATAL_ERROR\s0()\fR indicates whether a given error code is a fatal error. +.PP The library number and function code describe where the error occurred, the reason code is the information about what went wrong. .PP @@ -166,14 +169,24 @@ reasons. unique. However, when checking for sub-library specific reason codes, be sure to also compare the library number. .PP -\&\s-1\fIERR_GET_LIB\s0()\fR, \s-1\fIERR_GET_FUNC\s0()\fR and \s-1\fIERR_GET_REASON\s0()\fR are macros. +\&\s-1\fIERR_GET_LIB\s0()\fR, \s-1\fIERR_GET_FUNC\s0()\fR, \s-1\fIERR_GET_REASON\s0()\fR, and \s-1\fIERR_FATAL_ERROR\s0()\fR + are macros. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The library number, function code and reason code respectively. +The library number, function code, reason code, and whether the error +is fatal, respectively. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3), \fIERR_get_error\fR\|(3) +\&\fIERR_get_error\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" \&\s-1\fIERR_GET_LIB\s0()\fR, \s-1\fIERR_GET_FUNC\s0()\fR and \s-1\fIERR_GET_REASON\s0()\fR are available in -all versions of SSLeay and OpenSSL. +all versions of OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_clear_error.3 b/secure/lib/libcrypto/man/ERR_clear_error.3 index cbe87960ea73..76403d7e43f4 100644 --- a/secure/lib/libcrypto/man/ERR_clear_error.3 +++ b/secure/lib/libcrypto/man/ERR_clear_error.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_clear_error 3" -.TH ERR_clear_error 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_CLEAR_ERROR 3" +.TH ERR_CLEAR_ERROR 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -151,7 +151,12 @@ ERR_clear_error \- clear the error queue \&\fIERR_clear_error()\fR has no return value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3), \fIERR_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIERR_clear_error()\fR is available in all versions of SSLeay and OpenSSL. +\&\fIERR_get_error\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_error_string.3 b/secure/lib/libcrypto/man/ERR_error_string.3 index cbffd3ba477c..b4eb84dd69dd 100644 --- a/secure/lib/libcrypto/man/ERR_error_string.3 +++ b/secure/lib/libcrypto/man/ERR_error_string.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_error_string 3" -.TH ERR_error_string 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_ERROR_STRING 3" +.TH ERR_ERROR_STRING 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ERR_error_string, ERR_error_string_n, ERR_lib_error_string, -ERR_func_error_string, ERR_reason_error_string \- obtain human\-readable -error message +ERR_error_string, ERR_error_string_n, ERR_lib_error_string, ERR_func_error_string, ERR_reason_error_string \- obtain human\-readable error message .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -153,9 +151,12 @@ error message .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIERR_error_string()\fR generates a human-readable string representing the -error code \fIe\fR, and places it at \fIbuf\fR. \fIbuf\fR must be at least 120 +error code \fIe\fR, and places it at \fIbuf\fR. \fIbuf\fR must be at least 256 bytes long. If \fIbuf\fR is \fB\s-1NULL\s0\fR, the error string is placed in a static buffer. +Note that this function is not thread-safe and does no checks on the size +of the buffer; use \fIERR_error_string_n()\fR instead. +.PP \&\fIERR_error_string_n()\fR is a variant of \fIERR_error_string()\fR that writes at most \fIlen\fR characters (including the terminating 0) and truncates the string if necessary. @@ -174,10 +175,6 @@ The string will have the following format: \&\fIERR_reason_error_string()\fR return the library name, function name and reason string respectively. .PP -The OpenSSL error strings should be loaded by calling -\&\fIERR_load_crypto_strings\fR\|(3) or, for \s-1SSL\s0 -applications, \fISSL_load_error_strings\fR\|(3) -first. If there is no text string registered for the given error code, the error string will contain the numeric code. .PP @@ -193,11 +190,13 @@ string if \fIbuf\fR \fB== \s-1NULL\s0\fR, \fIbuf\fR otherwise. none is registered for the error code. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3), \fIERR_get_error\fR\|(3), -\&\fIERR_load_crypto_strings\fR\|(3), -\&\fISSL_load_error_strings\fR\|(3) +\&\fIERR_get_error\fR\|(3), \&\fIERR_print_errors\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIERR_error_string()\fR is available in all versions of SSLeay and OpenSSL. -\&\fIERR_error_string_n()\fR was added in OpenSSL 0.9.6. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_get_error.3 b/secure/lib/libcrypto/man/ERR_get_error.3 index e442d10f82e6..fa2cdf983b60 100644 --- a/secure/lib/libcrypto/man/ERR_get_error.3 +++ b/secure/lib/libcrypto/man/ERR_get_error.3 @@ -128,17 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_get_error 3" -.TH ERR_get_error 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_GET_ERROR 3" +.TH ERR_GET_ERROR 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ERR_get_error, ERR_peek_error, ERR_peek_last_error, -ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line, -ERR_get_error_line_data, ERR_peek_error_line_data, -ERR_peek_last_error_line_data \- obtain error code and data +ERR_get_error, ERR_peek_error, ERR_peek_last_error, ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line, ERR_get_error_line_data, ERR_peek_error_line_data, ERR_peek_last_error_line_data \- obtain error code and data .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -153,11 +150,11 @@ ERR_peek_last_error_line_data \- obtain error code and data \& unsigned long ERR_peek_last_error_line(const char **file, int *line); \& \& unsigned long ERR_get_error_line_data(const char **file, int *line, -\& const char **data, int *flags); +\& const char **data, int *flags); \& unsigned long ERR_peek_error_line_data(const char **file, int *line, -\& const char **data, int *flags); +\& const char **data, int *flags); \& unsigned long ERR_peek_last_error_line_data(const char **file, int *line, -\& const char **data, int *flags); +\& const char **data, int *flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -195,13 +192,13 @@ automatically by the error library. The error code, or 0 if there is no error in the queue. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3), \fIERR_error_string\fR\|(3), +\&\fIERR_error_string\fR\|(3), \&\s-1\fIERR_GET_LIB\s0\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIERR_get_error()\fR, \fIERR_peek_error()\fR, \fIERR_get_error_line()\fR and -\&\fIERR_peek_error_line()\fR are available in all versions of SSLeay and -OpenSSL. \fIERR_get_error_line_data()\fR and \fIERR_peek_error_line_data()\fR -were added in SSLeay 0.9.0. -\&\fIERR_peek_last_error()\fR, \fIERR_peek_last_error_line()\fR and -\&\fIERR_peek_last_error_line_data()\fR were added in OpenSSL 0.9.7. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 b/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 index be3eb65a635f..b10e29f5f556 100644 --- a/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 +++ b/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 @@ -128,26 +128,31 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_load_crypto_strings 3" -.TH ERR_load_crypto_strings 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_LOAD_CRYPTO_STRINGS 3" +.TH ERR_LOAD_CRYPTO_STRINGS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings \- -load and free error strings +ERR_load_crypto_strings, SSL_load_error_strings, ERR_free_strings \- load and free error strings .SH "SYNOPSIS" .IX Header "SYNOPSIS" +Deprecated: +.PP .Vb 1 \& #include \& +\& #if OPENSSL_API_COMPAT < 0x10100000L \& void ERR_load_crypto_strings(void); \& void ERR_free_strings(void); +\& #endif \& \& #include \& +\& #if OPENSSL_API_COMPAT < 0x10100000L \& void SSL_load_error_strings(void); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -155,20 +160,25 @@ load and free error strings \&\fBlibcrypto\fR functions. \fISSL_load_error_strings()\fR does the same, but also registers the \fBlibssl\fR error strings. .PP -One of these functions should be called before generating -textual error messages. However, this is not required when memory -usage is an issue. -.PP -\&\fIERR_free_strings()\fR frees all previously loaded error strings. +In versions prior to OpenSSL 1.1.0, +\&\fIERR_free_strings()\fR releases any resources created by the above functions. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIERR_load_crypto_strings()\fR, \fISSL_load_error_strings()\fR and \&\fIERR_free_strings()\fR return no values. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3), \fIERR_error_string\fR\|(3) +\&\fIERR_error_string\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIERR_load_error_strings()\fR, \fISSL_load_error_strings()\fR and -\&\fIERR_free_strings()\fR are available in all versions of SSLeay and -OpenSSL. +The \fIERR_load_crypto_strings()\fR, \fISSL_load_error_strings()\fR, and +\&\fIERR_free_strings()\fR functions were deprecated in OpenSSL 1.1.0 by +\&\fIOPENSSL_init_crypto()\fR and \fIOPENSSL_init_ssl()\fR and should not be used. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_load_strings.3 b/secure/lib/libcrypto/man/ERR_load_strings.3 index 0dc04fa20fc4..48621256e895 100644 --- a/secure/lib/libcrypto/man/ERR_load_strings.3 +++ b/secure/lib/libcrypto/man/ERR_load_strings.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_load_strings 3" -.TH ERR_load_strings 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_LOAD_STRINGS 3" +.TH ERR_LOAD_STRINGS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ERR_load_strings, ERR_PACK, ERR_get_next_error_library \- load -arbitrary error strings +ERR_load_strings, ERR_PACK, ERR_get_next_error_library \- load arbitrary error strings .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -157,8 +156,8 @@ arbitrary error strings .Vb 5 \& typedef struct ERR_string_data_st \& { -\& unsigned long error; -\& char *string; +\& unsigned long error; +\& char *string; \& } ERR_STRING_DATA; .Ve .PP @@ -170,15 +169,19 @@ The last entry in the array is {0,0}. .PP \&\fIERR_get_next_error_library()\fR can be used to assign library numbers to user libraries at runtime. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" \&\fIERR_load_strings()\fR returns no value. \s-1\fIERR_PACK\s0()\fR return the error code. -\&\fIERR_get_next_error_library()\fR returns a new library number. +\&\fIERR_get_next_error_library()\fR returns zero on failure, otherwise a new +library number. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3), \fIERR_load_strings\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIERR_load_error_strings()\fR and \s-1\fIERR_PACK\s0()\fR are available in all versions -of SSLeay and OpenSSL. \fIERR_get_next_error_library()\fR was added in -SSLeay 0.9.0. +\&\fIERR_load_strings\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_print_errors.3 b/secure/lib/libcrypto/man/ERR_print_errors.3 index 34c5e7a2cd7e..228d0ee736b1 100644 --- a/secure/lib/libcrypto/man/ERR_print_errors.3 +++ b/secure/lib/libcrypto/man/ERR_print_errors.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_print_errors 3" -.TH ERR_print_errors 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_PRINT_ERRORS 3" +.TH ERR_PRINT_ERRORS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ERR_print_errors, ERR_print_errors_fp \- print error messages +ERR_print_errors, ERR_print_errors_fp, ERR_print_errors_cb \&\- print error messages .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,6 +143,7 @@ ERR_print_errors, ERR_print_errors_fp \- print error messages \& \& void ERR_print_errors(BIO *bp); \& void ERR_print_errors_fp(FILE *fp); +\& void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), void *u) .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -153,6 +154,10 @@ emptying the error queue. \&\fIERR_print_errors_fp()\fR is the same, except that the output goes to a \&\fB\s-1FILE\s0\fR. .PP +\&\fIERR_print_errors_cb()\fR is the same, except that the callback function, +\&\fBcb\fR, is called for each error line with the string, length, and userdata +\&\fBu\fR as the callback parameters. +.PP The error strings will have the following format: .PP .Vb 1 @@ -170,11 +175,13 @@ the error string will contain the numeric code. \&\fIERR_print_errors()\fR and \fIERR_print_errors_fp()\fR return no values. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3), \fIERR_error_string\fR\|(3), -\&\fIERR_get_error\fR\|(3), -\&\fIERR_load_crypto_strings\fR\|(3), -\&\fISSL_load_error_strings\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIERR_print_errors()\fR and \fIERR_print_errors_fp()\fR -are available in all versions of SSLeay and OpenSSL. +\&\fIERR_error_string\fR\|(3), +\&\fIERR_get_error\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_put_error.3 b/secure/lib/libcrypto/man/ERR_put_error.3 index 521e69d5dfb5..b2acd60dfdc8 100644 --- a/secure/lib/libcrypto/man/ERR_put_error.3 +++ b/secure/lib/libcrypto/man/ERR_put_error.3 @@ -128,23 +128,23 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_put_error 3" -.TH ERR_put_error 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_PUT_ERROR 3" +.TH ERR_PUT_ERROR 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ERR_put_error, ERR_add_error_data \- record an error +ERR_put_error, ERR_add_error_data, ERR_add_error_vdata \- record an error .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void ERR_put_error(int lib, int func, int reason, const char *file, -\& int line); +\& void ERR_put_error(int lib, int func, int reason, const char *file, int line); \& \& void ERR_add_error_data(int num, ...); +\& void ERR_add_error_vdata(int num, va_list arg); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -155,18 +155,49 @@ This function is usually called by a macro. .PP \&\fIERR_add_error_data()\fR associates the concatenation of its \fBnum\fR string arguments with the error code added last. +\&\fIERR_add_error_vdata()\fR is similar except the argument is a \fBva_list\fR. .PP \&\fIERR_load_strings\fR\|(3) can be used to register error strings so that the application can a generate human-readable error messages for the error code. +.SS "Reporting errors" +.IX Subsection "Reporting errors" +Each sub-library has a specific macro \fIXXXerr()\fR that is used to report +errors. Its first argument is a function code \fB\s-1XXX_F_...\s0\fR, the second +argument is a reason code \fB\s-1XXX_R_...\s0\fR. Function codes are derived +from the function names; reason codes consist of textual error +descriptions. For example, the function \fIssl3_read_bytes()\fR reports a +\&\*(L"handshake failure\*(R" as follows: +.PP +.Vb 1 +\& SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE); +.Ve +.PP +Function and reason codes should consist of upper case characters, +numbers and underscores only. The error file generation script translates +function codes into function names by looking in the header files +for an appropriate function name, if none is found it just uses +the capitalized form such as \*(L"\s-1SSL3_READ_BYTES\*(R"\s0 in the above example. +.PP +The trailing section of a reason code (after the \*(L"_R_\*(R") is translated +into lower case and underscores changed to spaces. +.PP +Although a library will normally report errors using its own specific +XXXerr macro, another library's macro can be used. This is normally +only done when a library wants to include \s-1ASN1\s0 code which must use +the \fIASN1err()\fR macro. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIERR_put_error()\fR and \fIERR_add_error_data()\fR return no values. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3), \fIERR_load_strings\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIERR_put_error()\fR is available in all versions of SSLeay and OpenSSL. -\&\fIERR_add_error_data()\fR was added in SSLeay 0.9.0. +\&\fIERR_load_strings\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_remove_state.3 b/secure/lib/libcrypto/man/ERR_remove_state.3 index ee76319e84a6..0a24d8f61af1 100644 --- a/secure/lib/libcrypto/man/ERR_remove_state.3 +++ b/secure/lib/libcrypto/man/ERR_remove_state.3 @@ -128,48 +128,49 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_remove_state 3" -.TH ERR_remove_state 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_REMOVE_STATE 3" +.TH ERR_REMOVE_STATE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -ERR_remove_thread_state, ERR_remove_state \- free a thread's error queue +ERR_remove_thread_state, ERR_remove_state \- DEPRECATED .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& void ERR_remove_thread_state(const CRYPTO_THREADID *tid); -.Ve -.PP Deprecated: .PP -.Vb 1 -\& void ERR_remove_state(unsigned long pid); +.Vb 3 +\& #if OPENSSL_API_COMPAT < 0x10000000L +\& void ERR_remove_state(unsigned long tid); +\& #endif +\& +\& #if OPENSSL_API_COMPAT < 0x10100000L +\& void ERR_remove_thread_state(void *tid); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIERR_remove_thread_state()\fR frees the error queue associated with thread \fBtid\fR. -If \fBtid\fR == \fB\s-1NULL\s0\fR, the current thread will have its error queue removed. -.PP -Since error queue data structures are allocated automatically for new -threads, they must be freed when threads are terminated in order to -avoid memory leaks. -.PP -ERR_remove_state is deprecated and has been replaced by -ERR_remove_thread_state. Since threads in OpenSSL are no longer identified -by unsigned long values any argument to this function is ignored. Calling -ERR_remove_state is equivalent to \fBERR_remove_thread_state(\s-1NULL\s0)\fR. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" -ERR_remove_thread_state and \fIERR_remove_state()\fR return no value. +\&\fIERR_remove_state()\fR frees the error queue associated with the specified +thread, identified by \fBtid\fR. +\&\fIERR_remove_thread_state()\fR does the same thing, except the identifier is +an opaque pointer. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIERR_remove_state()\fR and \fIERR_remove_thread_state()\fR return no value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIerr\fR\|(3) +L\fIOPENSSL_init_crypto\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIERR_remove_state()\fR is available in all versions of SSLeay and OpenSSL. It -was deprecated in OpenSSL 1.0.0 when ERR_remove_thread_state was introduced -and thread IDs were introduced to identify threads instead of 'unsigned long'. +\&\fIERR_remove_state()\fR was deprecated in OpenSSL 1.0.0 and +\&\fIERR_remove_thread_state()\fR was deprecated in OpenSSL 1.1.0; these functions +and should not be used. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ERR_set_mark.3 b/secure/lib/libcrypto/man/ERR_set_mark.3 index 4e46468a9d54..15afc061abae 100644 --- a/secure/lib/libcrypto/man/ERR_set_mark.3 +++ b/secure/lib/libcrypto/man/ERR_set_mark.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ERR_set_mark 3" -.TH ERR_set_mark 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ERR_SET_MARK 3" +.TH ERR_SET_MARK 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -158,9 +158,11 @@ The mark is then removed. If there is no mark, the whole stack is removed. .PP \&\fIERR_pop_to_mark()\fR returns 0 if there was no mark in the error stack, which implies that the stack became empty, otherwise 1. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIerr\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIERR_set_mark()\fR and \fIERR_pop_to_mark()\fR were added in OpenSSL 0.9.8. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2003\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_BytesToKey.3 b/secure/lib/libcrypto/man/EVP_BytesToKey.3 index 24695c2b3a0f..0966cdd096dd 100644 --- a/secure/lib/libcrypto/man/EVP_BytesToKey.3 +++ b/secure/lib/libcrypto/man/EVP_BytesToKey.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_BytesToKey 3" -.TH EVP_BytesToKey 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_BYTESTOKEY 3" +.TH EVP_BYTESTOKEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,10 +141,10 @@ EVP_BytesToKey \- password based encryption routine .Vb 1 \& #include \& -\& int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md, -\& const unsigned char *salt, -\& const unsigned char *data, int datal, int count, -\& unsigned char *key,unsigned char *iv); +\& int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, +\& const unsigned char *salt, +\& const unsigned char *data, int datal, int count, +\& unsigned char *key, unsigned char *iv); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -161,7 +161,7 @@ A typical application of this function is to derive keying material for an encryption algorithm from a password in the \fBdata\fR parameter. .PP Increasing the \fBcount\fR parameter slows down the algorithm which makes it -harder for an attacker to peform a brute force attack using a large number +harder for an attacker to perform a brute force attack using a large number of candidate passwords. .PP If the total key and \s-1IV\s0 length is less than the digest length and @@ -179,7 +179,7 @@ enough data is available for the key and \s-1IV.\s0 D_i is defined as: \& D_i = HASH^count(D_(i\-1) || data || salt) .Ve .PP -where || denotes concatentaion, D_0 is empty, \s-1HASH\s0 is the digest +where || denotes concatenation, D_0 is empty, \s-1HASH\s0 is the digest algorithm in use, HASH^1(data) is simply \s-1HASH\s0(data), HASH^2(data) is \s-1HASH\s0(\s-1HASH\s0(data)) and so on. .PP @@ -193,7 +193,14 @@ Otherwise, \fIEVP_BytesToKey()\fR returns the size of the derived key in bytes, or 0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIevp\fR\|(3), \fIrand\fR\|(3), +\&\fIevp\fR\|(7), \fIRAND_bytes\fR\|(3), +\&\s-1\fIPKCS5_PBKDF2_HMAC\s0\fR\|(3), \&\fIEVP_EncryptInit\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3 b/secure/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3 new file mode 100644 index 000000000000..edabe4f6cb8b --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3 @@ -0,0 +1,178 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_CIPHER_CTX_GET_CIPHER_DATA 3" +.TH EVP_CIPHER_CTX_GET_CIPHER_DATA 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_CIPHER_CTX_get_cipher_data, EVP_CIPHER_CTX_set_cipher_data \- Routines to inspect and modify EVP_CIPHER_CTX objects +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void *EVP_CIPHER_CTX_get_cipher_data(const EVP_CIPHER_CTX *ctx); +\& void *EVP_CIPHER_CTX_set_cipher_data(EVP_CIPHER_CTX *ctx, void *cipher_data); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fIEVP_CIPHER_CTX_get_cipher_data()\fR function returns a pointer to the cipher +data relevant to \s-1EVP_CIPHER_CTX.\s0 The contents of this data is specific to the +particular implementation of the cipher. For example this data can be used by +engines to store engine specific information. The data is automatically +allocated and freed by OpenSSL, so applications and engines should not normally +free this directly (but see below). +.PP +The \fIEVP_CIPHER_CTX_set_cipher_data()\fR function allows an application or engine to +replace the cipher data with new data. A pointer to any existing cipher data is +returned from this function. If the old data is no longer required then it +should be freed through a call to \fIOPENSSL_free()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The \fIEVP_CIPHER_CTX_get_cipher_data()\fR function returns a pointer to the current +cipher data for the \s-1EVP_CIPHER_CTX.\s0 +.PP +The \fIEVP_CIPHER_CTX_set_cipher_data()\fR function returns a pointer to the old +cipher data for the \s-1EVP_CIPHER_CTX.\s0 +.SH "HISTORY" +.IX Header "HISTORY" +The \fIEVP_CIPHER_CTX_get_cipher_data()\fR and \fIEVP_CIPHER_CTX_set_cipher_data()\fR +functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_CIPHER_meth_new.3 b/secure/lib/libcrypto/man/EVP_CIPHER_meth_new.3 new file mode 100644 index 000000000000..7b4244b0a7fc --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_CIPHER_meth_new.3 @@ -0,0 +1,339 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_CIPHER_METH_NEW 3" +.TH EVP_CIPHER_METH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_CIPHER_meth_new, EVP_CIPHER_meth_dup, EVP_CIPHER_meth_free, EVP_CIPHER_meth_set_iv_length, EVP_CIPHER_meth_set_flags, EVP_CIPHER_meth_set_impl_ctx_size, EVP_CIPHER_meth_set_init, EVP_CIPHER_meth_set_do_cipher, EVP_CIPHER_meth_set_cleanup, EVP_CIPHER_meth_set_set_asn1_params, EVP_CIPHER_meth_set_get_asn1_params, EVP_CIPHER_meth_set_ctrl, EVP_CIPHER_meth_get_init, EVP_CIPHER_meth_get_do_cipher, EVP_CIPHER_meth_get_cleanup, EVP_CIPHER_meth_get_set_asn1_params, EVP_CIPHER_meth_get_get_asn1_params, EVP_CIPHER_meth_get_ctrl \- Routines to build up EVP_CIPHER methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len); +\& EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher); +\& void EVP_CIPHER_meth_free(EVP_CIPHER *cipher); +\& +\& int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len); +\& int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags); +\& int EVP_CIPHER_meth_set_impl_ctx_size(EVP_CIPHER *cipher, int ctx_size); +\& int EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher, +\& int (*init)(EVP_CIPHER_CTX *ctx, +\& const unsigned char *key, +\& const unsigned char *iv, +\& int enc)); +\& int EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher, +\& int (*do_cipher)(EVP_CIPHER_CTX *ctx, +\& unsigned char *out, +\& const unsigned char *in, +\& size_t inl)); +\& int EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher, +\& int (*cleanup)(EVP_CIPHER_CTX *)); +\& int EVP_CIPHER_meth_set_set_asn1_params(EVP_CIPHER *cipher, +\& int (*set_asn1_parameters)(EVP_CIPHER_CTX *, +\& ASN1_TYPE *)); +\& int EVP_CIPHER_meth_set_get_asn1_params(EVP_CIPHER *cipher, +\& int (*get_asn1_parameters)(EVP_CIPHER_CTX *, +\& ASN1_TYPE *)); +\& int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher, +\& int (*ctrl)(EVP_CIPHER_CTX *, int type, +\& int arg, void *ptr)); +\& +\& int (*EVP_CIPHER_meth_get_init(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx, +\& const unsigned char *key, +\& const unsigned char *iv, +\& int enc); +\& int (*EVP_CIPHER_meth_get_do_cipher(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *ctx, +\& unsigned char *out, +\& const unsigned char *in, +\& size_t inl); +\& int (*EVP_CIPHER_meth_get_cleanup(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *); +\& int (*EVP_CIPHER_meth_get_set_asn1_params(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, +\& ASN1_TYPE *); +\& int (*EVP_CIPHER_meth_get_get_asn1_params(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, +\& ASN1_TYPE *); +\& int (*EVP_CIPHER_meth_get_ctrl(const EVP_CIPHER *cipher))(EVP_CIPHER_CTX *, +\& int type, int arg, +\& void *ptr); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1EVP_CIPHER\s0\fR type is a structure for symmetric cipher method +implementation. +.PP +\&\fIEVP_CIPHER_meth_new()\fR creates a new \fB\s-1EVP_CIPHER\s0\fR structure. +.PP +\&\fIEVP_CIPHER_meth_dup()\fR creates a copy of \fBcipher\fR. +.PP +\&\fIEVP_CIPHER_meth_free()\fR destroys a \fB\s-1EVP_CIPHER\s0\fR structure. +.PP +\&\fIEVP_CIPHER_meth_set_iv_length()\fR sets the length of the \s-1IV.\s0 +This is only needed when the implemented cipher mode requires it. +.PP +\&\fIEVP_CIPHER_meth_set_flags()\fR sets the flags to describe optional +behaviours in the particular \fBcipher\fR. +With the exception of cipher modes, of which only one may be present, +several flags can be or'd together. +The available flags are: +.IP "\s-1EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE\s0" 4 +.IX Item "EVP_CIPH_STREAM_CIPHER, EVP_CIPH_ECB_MODE EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, EVP_CIPH_WRAP_MODE, EVP_CIPH_OCB_MODE" +The cipher mode. +.IP "\s-1EVP_CIPH_VARIABLE_LENGTH\s0" 4 +.IX Item "EVP_CIPH_VARIABLE_LENGTH" +This cipher is of variable length. +.IP "\s-1EVP_CIPH_CUSTOM_IV\s0" 4 +.IX Item "EVP_CIPH_CUSTOM_IV" +Storing and initialising the \s-1IV\s0 is left entirely to the +implementation. +.IP "\s-1EVP_CIPH_ALWAYS_CALL_INIT\s0" 4 +.IX Item "EVP_CIPH_ALWAYS_CALL_INIT" +Set this if the implementation's \fIinit()\fR function should be called even +if \fBkey\fR is \fB\s-1NULL\s0\fR. +.IP "\s-1EVP_CIPH_CTRL_INIT\s0" 4 +.IX Item "EVP_CIPH_CTRL_INIT" +Set this to have the implementation's \fIctrl()\fR function called with +command code \fB\s-1EVP_CTRL_INIT\s0\fR early in its setup. +.IP "\s-1EVP_CIPH_CUSTOM_KEY_LENGTH\s0" 4 +.IX Item "EVP_CIPH_CUSTOM_KEY_LENGTH" +Checking and setting the key length after creating the \fB\s-1EVP_CIPHER\s0\fR +is left to the implementation. +Whenever someone uses \fIEVP_CIPHER_CTX_set_key_length()\fR on a +\&\fB\s-1EVP_CIPHER\s0\fR with this flag set, the implementation's \fIctrl()\fR function +will be called with the control code \fB\s-1EVP_CTRL_SET_KEY_LENGTH\s0\fR and +the key length in \fBarg\fR. +.IP "\s-1EVP_CIPH_NO_PADDING\s0" 4 +.IX Item "EVP_CIPH_NO_PADDING" +Don't use standard block padding. +.IP "\s-1EVP_CIPH_RAND_KEY\s0" 4 +.IX Item "EVP_CIPH_RAND_KEY" +Making a key with random content is left to the implementation. +This is done by calling the implementation's \fIctrl()\fR function with the +control code \fB\s-1EVP_CTRL_RAND_KEY\s0\fR and the pointer to the key memory +storage in \fBptr\fR. +.IP "\s-1EVP_CIPH_CUSTOM_COPY\s0" 4 +.IX Item "EVP_CIPH_CUSTOM_COPY" +Set this to have the implementation's \fIctrl()\fR function called with +command code \fB\s-1EVP_CTRL_COPY\s0\fR at the end of \fIEVP_CIPHER_CTX_copy()\fR. +The intended use is for further things to deal with after the +implementation specific data block has been copied. +The destination \fB\s-1EVP_CIPHER_CTX\s0\fR is passed to the control with the +\&\fBptr\fR parameter. +The implementation specific data block is reached with +\&\fIEVP_CIPHER_CTX_get_cipher_data()\fR. +.IP "\s-1EVP_CIPH_FLAG_DEFAULT_ASN1\s0" 4 +.IX Item "EVP_CIPH_FLAG_DEFAULT_ASN1" +Use the default \s-1EVP\s0 routines to pass \s-1IV\s0 to and from \s-1ASN.1.\s0 +.IP "\s-1EVP_CIPH_FLAG_LENGTH_BITS\s0" 4 +.IX Item "EVP_CIPH_FLAG_LENGTH_BITS" +Signals that the length of the input buffer for encryption / +decryption is to be understood as the number of bits instead of +bytes for this implementation. +This is only useful for \s-1CFB1\s0 ciphers. +.IP "\s-1EVP_CIPH_FLAG_CUSTOM_CIPHER\s0" 4 +.IX Item "EVP_CIPH_FLAG_CUSTOM_CIPHER" +This indicates that the implementation takes care of everything, +including padding, buffering and finalization. +The \s-1EVP\s0 routines will simply give them control and do nothing more. +.IP "\s-1EVP_CIPH_FLAG_AEAD_CIPHER\s0" 4 +.IX Item "EVP_CIPH_FLAG_AEAD_CIPHER" +This indicates that this is an \s-1AEAD\s0 cipher implementation. +.IP "\s-1EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK\s0" 4 +.IX Item "EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK" +Allow interleaving of crypto blocks, a particular optimization only applicable +to certain \s-1TLS\s0 ciphers. +.PP +\&\fIEVP_CIPHER_meth_set_impl_ctx_size()\fR sets the size of the \s-1EVP_CIPHER\s0's +implementation context so that it can be automatically allocated. +.PP +\&\fIEVP_CIPHER_meth_set_init()\fR sets the cipher init function for +\&\fBcipher\fR. +The cipher init function is called by \fIEVP_CipherInit()\fR, +\&\fIEVP_CipherInit_ex()\fR, \fIEVP_EncryptInit()\fR, \fIEVP_EncryptInit_ex()\fR, +\&\fIEVP_DecryptInit()\fR, \fIEVP_DecryptInit_ex()\fR. +.PP +\&\fIEVP_CIPHER_meth_set_do_cipher()\fR sets the cipher function for +\&\fBcipher\fR. +The cipher function is called by \fIEVP_CipherUpdate()\fR, +\&\fIEVP_EncryptUpdate()\fR, \fIEVP_DecryptUpdate()\fR, \fIEVP_CipherFinal()\fR, +\&\fIEVP_EncryptFinal()\fR, \fIEVP_EncryptFinal_ex()\fR, \fIEVP_DecryptFinal()\fR and +\&\fIEVP_DecryptFinal_ex()\fR. +.PP +\&\fIEVP_CIPHER_meth_set_cleanup()\fR sets the function for \fBcipher\fR to do +extra cleanup before the method's private data structure is cleaned +out and freed. +Note that the cleanup function is passed a \fB\s-1EVP_CIPHER_CTX\s0 *\fR, the +private data structure is then available with +\&\fIEVP_CIPHER_CTX_get_cipher_data()\fR. +This cleanup function is called by \fIEVP_CIPHER_CTX_reset()\fR and +\&\fIEVP_CIPHER_CTX_free()\fR. +.PP +\&\fIEVP_CIPHER_meth_set_set_asn1_params()\fR sets the function for \fBcipher\fR +to set the AlgorithmIdentifier \*(L"parameter\*(R" based on the passed cipher. +This function is called by \fIEVP_CIPHER_param_to_asn1()\fR. +\&\fIEVP_CIPHER_meth_set_get_asn1_params()\fR sets the function for \fBcipher\fR +that sets the cipher parameters based on an \s-1ASN.1\s0 AlgorithmIdentifier +\&\*(L"parameter\*(R". +Both these functions are needed when there is a need for custom data +(more or other than the cipher \s-1IV\s0). +They are called by \fIEVP_CIPHER_param_to_asn1()\fR and +\&\fIEVP_CIPHER_asn1_to_param()\fR respectively if defined. +.PP +\&\fIEVP_CIPHER_meth_set_ctrl()\fR sets the control function for \fBcipher\fR. +.PP +\&\fIEVP_CIPHER_meth_get_init()\fR, \fIEVP_CIPHER_meth_get_do_cipher()\fR, +\&\fIEVP_CIPHER_meth_get_cleanup()\fR, \fIEVP_CIPHER_meth_get_set_asn1_params()\fR, +\&\fIEVP_CIPHER_meth_get_get_asn1_params()\fR and \fIEVP_CIPHER_meth_get_ctrl()\fR +are all used to retrieve the method data given with the +EVP_CIPHER_meth_set_*() functions above. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIEVP_CIPHER_meth_new()\fR and \fIEVP_CIPHER_meth_dup()\fR return a pointer to a +newly created \fB\s-1EVP_CIPHER\s0\fR, or \s-1NULL\s0 on failure. +All EVP_CIPHER_meth_set_*() functions return 1. +All EVP_CIPHER_meth_get_*() functions return pointers to their +respective \fBcipher\fR function. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +EVP_EncryptInit +.SH "HISTORY" +.IX Header "HISTORY" +The functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_DigestInit.3 b/secure/lib/libcrypto/man/EVP_DigestInit.3 index ce0d30c3791b..b8b392b953d9 100644 --- a/secure/lib/libcrypto/man/EVP_DigestInit.3 +++ b/secure/lib/libcrypto/man/EVP_DigestInit.3 @@ -128,188 +128,216 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_DigestInit 3" -.TH EVP_DigestInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_DIGESTINIT 3" +.TH EVP_DIGESTINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate, -EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, -EVP_MD_CTX_copy_ex, EVP_DigestInit, EVP_DigestFinal, EVP_MD_CTX_copy, EVP_MD_type, -EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, -EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, -EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2, -EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj \- -EVP digest routines +EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_MD_CTX_md_data, EVP_md_null, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj, EVP_MD_CTX_set_pkey_ctx \- EVP digest routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void EVP_MD_CTX_init(EVP_MD_CTX *ctx); -\& EVP_MD_CTX *EVP_MD_CTX_create(void); +\& EVP_MD_CTX *EVP_MD_CTX_new(void); +\& int EVP_MD_CTX_reset(EVP_MD_CTX *ctx); +\& void EVP_MD_CTX_free(EVP_MD_CTX *ctx); +\& void EVP_MD_CTX_ctrl(EVP_MD_CTX *ctx, int cmd, int p1, void* p2); +\& void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); +\& void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); +\& int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags); \& \& int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); \& int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); -\& int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, -\& unsigned int *s); +\& int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); +\& int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); \& -\& int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); -\& void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); -\& -\& int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in); +\& int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in); \& \& int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); -\& int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, -\& unsigned int *s); +\& int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); \& -\& int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); -\& -\& #define EVP_MAX_MD_SIZE 64 /* SHA512 */ +\& int EVP_MD_CTX_copy(EVP_MD_CTX *out, EVP_MD_CTX *in); \& \& int EVP_MD_type(const EVP_MD *md); -\& int EVP_MD_pkey_type(const EVP_MD *md); +\& int EVP_MD_pkey_type(const EVP_MD *md); \& int EVP_MD_size(const EVP_MD *md); \& int EVP_MD_block_size(const EVP_MD *md); \& \& const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); -\& #define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) -\& #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)\->digest) -\& #define EVP_MD_CTX_type(e) EVP_MD_type((e)\->digest) +\& int EVP_MD_CTX_size(const EVP_MD *ctx); +\& int EVP_MD_CTX_block_size(const EVP_MD *ctx); +\& int EVP_MD_CTX_type(const EVP_MD *ctx); +\& void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); \& \& const EVP_MD *EVP_md_null(void); -\& const EVP_MD *EVP_md2(void); -\& const EVP_MD *EVP_md5(void); -\& const EVP_MD *EVP_sha(void); -\& const EVP_MD *EVP_sha1(void); -\& const EVP_MD *EVP_dss(void); -\& const EVP_MD *EVP_dss1(void); -\& const EVP_MD *EVP_mdc2(void); -\& const EVP_MD *EVP_ripemd160(void); -\& -\& const EVP_MD *EVP_sha224(void); -\& const EVP_MD *EVP_sha256(void); -\& const EVP_MD *EVP_sha384(void); -\& const EVP_MD *EVP_sha512(void); \& \& const EVP_MD *EVP_get_digestbyname(const char *name); -\& #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) -\& #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a)) +\& const EVP_MD *EVP_get_digestbynid(int type); +\& const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *o); +\& +\& void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The \s-1EVP\s0 digest routines are a high level interface to message digests. -.PP -\&\fIEVP_MD_CTX_init()\fR initializes digest context \fBctx\fR. -.PP -\&\fIEVP_MD_CTX_create()\fR allocates, initializes and returns a digest context. -.PP -\&\fIEVP_DigestInit_ex()\fR sets up digest context \fBctx\fR to use a digest -\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be initialized before calling this -function. \fBtype\fR will typically be supplied by a functionsuch as \fIEVP_sha1()\fR. -If \fBimpl\fR is \s-1NULL\s0 then the default implementation of digest \fBtype\fR is used. -.PP -\&\fIEVP_DigestUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the -digest context \fBctx\fR. This function can be called several times on the -same \fBctx\fR to hash additional data. -.PP -\&\fIEVP_DigestFinal_ex()\fR retrieves the digest value from \fBctx\fR and places -it in \fBmd\fR. If the \fBs\fR parameter is not \s-1NULL\s0 then the number of -bytes of data written (i.e. the length of the digest) will be written -to the integer at \fBs\fR, at most \fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes will be written. -After calling \fIEVP_DigestFinal_ex()\fR no additional calls to \fIEVP_DigestUpdate()\fR -can be made, but \fIEVP_DigestInit_ex()\fR can be called to initialize a new -digest operation. -.PP -\&\fIEVP_MD_CTX_cleanup()\fR cleans up digest context \fBctx\fR, it should be called -after a digest context is no longer needed. -.PP -\&\fIEVP_MD_CTX_destroy()\fR cleans up digest context \fBctx\fR and frees up the -space allocated to it, it should be called only on a context created -using \fIEVP_MD_CTX_create()\fR. -.PP -\&\fIEVP_MD_CTX_copy_ex()\fR can be used to copy the message digest state from -\&\fBin\fR to \fBout\fR. This is useful if large amounts of data are to be -hashed which only differ in the last few bytes. \fBout\fR must be initialized -before calling this function. -.PP -\&\fIEVP_DigestInit()\fR behaves in the same way as \fIEVP_DigestInit_ex()\fR except -the passed context \fBctx\fR does not have to be initialized, and it always -uses the default digest implementation. -.PP -\&\fIEVP_DigestFinal()\fR is similar to \fIEVP_DigestFinal_ex()\fR except the digest -context \fBctx\fR is automatically cleaned up. -.PP -\&\fIEVP_MD_CTX_copy()\fR is similar to \fIEVP_MD_CTX_copy_ex()\fR except the destination -\&\fBout\fR does not have to be initialized. -.PP -\&\fIEVP_MD_size()\fR and \fIEVP_MD_CTX_size()\fR return the size of the message digest -when passed an \fB\s-1EVP_MD\s0\fR or an \fB\s-1EVP_MD_CTX\s0\fR structure, i.e. the size of the -hash. -.PP -\&\fIEVP_MD_block_size()\fR and \fIEVP_MD_CTX_block_size()\fR return the block size of the -message digest when passed an \fB\s-1EVP_MD\s0\fR or an \fB\s-1EVP_MD_CTX\s0\fR structure. -.PP -\&\fIEVP_MD_type()\fR and \fIEVP_MD_CTX_type()\fR return the \s-1NID\s0 of the \s-1OBJECT IDENTIFIER\s0 -representing the given message digest when passed an \fB\s-1EVP_MD\s0\fR structure. -For example EVP_MD_type(\fIEVP_sha1()\fR) returns \fBNID_sha1\fR. This function is -normally used when setting \s-1ASN1\s0 OIDs. -.PP -\&\fIEVP_MD_CTX_md()\fR returns the \fB\s-1EVP_MD\s0\fR structure corresponding to the passed -\&\fB\s-1EVP_MD_CTX\s0\fR. -.PP -\&\fIEVP_MD_pkey_type()\fR returns the \s-1NID\s0 of the public key signing algorithm associated -with this digest. For example \fIEVP_sha1()\fR is associated with \s-1RSA\s0 so this will -return \fBNID_sha1WithRSAEncryption\fR. Since digests and signature algorithms -are no longer linked this function is only retained for compatibility -reasons. -.PP -\&\fIEVP_md2()\fR, \fIEVP_md5()\fR, \fIEVP_sha()\fR, \fIEVP_sha1()\fR, \fIEVP_sha224()\fR, \fIEVP_sha256()\fR, -\&\fIEVP_sha384()\fR, \fIEVP_sha512()\fR, \fIEVP_mdc2()\fR and \fIEVP_ripemd160()\fR return \fB\s-1EVP_MD\s0\fR -structures for the \s-1MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2\s0 -and \s-1RIPEMD160\s0 digest algorithms respectively. -.PP -\&\fIEVP_dss()\fR and \fIEVP_dss1()\fR return \fB\s-1EVP_MD\s0\fR structures for \s-1SHA\s0 and \s-1SHA1\s0 digest -algorithms but using \s-1DSS\s0 (\s-1DSA\s0) for the signature algorithm. Note: there is -no need to use these pseudo-digests in OpenSSL 1.0.0 and later, they are -however retained for compatibility. -.PP -\&\fIEVP_md_null()\fR is a \*(L"null\*(R" message digest that does nothing: i.e. the hash it -returns is of zero length. -.PP -\&\fIEVP_get_digestbyname()\fR, \fIEVP_get_digestbynid()\fR and \fIEVP_get_digestbyobj()\fR -return an \fB\s-1EVP_MD\s0\fR structure when passed a digest name, a digest \s-1NID\s0 or -an \s-1ASN1_OBJECT\s0 structure respectively. The digest table must be initialized -using, for example, \fIOpenSSL_add_all_digests()\fR for these functions to work. +The \s-1EVP\s0 digest routines are a high level interface to message digests, +and should be used instead of the cipher-specific functions. +.IP "\fIEVP_MD_CTX_new()\fR" 4 +.IX Item "EVP_MD_CTX_new()" +Allocates and returns a digest context. +.IP "\fIEVP_MD_CTX_reset()\fR" 4 +.IX Item "EVP_MD_CTX_reset()" +Resets the digest context \fBctx\fR. This can be used to reuse an already +existing context. +.IP "\fIEVP_MD_CTX_free()\fR" 4 +.IX Item "EVP_MD_CTX_free()" +Cleans up digest context \fBctx\fR and frees up the space allocated to it. +.IP "\fIEVP_MD_CTX_ctrl()\fR" 4 +.IX Item "EVP_MD_CTX_ctrl()" +Performs digest-specific control actions on context \fBctx\fR. +.IP "\fIEVP_MD_CTX_set_flags()\fR, \fIEVP_MD_CTX_clear_flags()\fR, \fIEVP_MD_CTX_test_flags()\fR" 4 +.IX Item "EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags()" +Sets, clears and tests \fBctx\fR flags. See \*(L"\s-1FLAGS\*(R"\s0 below for more information. +.IP "\fIEVP_DigestInit_ex()\fR" 4 +.IX Item "EVP_DigestInit_ex()" +Sets up digest context \fBctx\fR to use a digest \fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. +\&\fBtype\fR will typically be supplied by a function such as \fIEVP_sha1()\fR. If +\&\fBimpl\fR is \s-1NULL\s0 then the default implementation of digest \fBtype\fR is used. +.IP "\fIEVP_DigestUpdate()\fR" 4 +.IX Item "EVP_DigestUpdate()" +Hashes \fBcnt\fR bytes of data at \fBd\fR into the digest context \fBctx\fR. This +function can be called several times on the same \fBctx\fR to hash additional +data. +.IP "\fIEVP_DigestFinal_ex()\fR" 4 +.IX Item "EVP_DigestFinal_ex()" +Retrieves the digest value from \fBctx\fR and places it in \fBmd\fR. If the \fBs\fR +parameter is not \s-1NULL\s0 then the number of bytes of data written (i.e. the +length of the digest) will be written to the integer at \fBs\fR, at most +\&\fB\s-1EVP_MAX_MD_SIZE\s0\fR bytes will be written. After calling \fIEVP_DigestFinal_ex()\fR +no additional calls to \fIEVP_DigestUpdate()\fR can be made, but +\&\fIEVP_DigestInit_ex()\fR can be called to initialize a new digest operation. +.IP "\fIEVP_DigestFinalXOF()\fR" 4 +.IX Item "EVP_DigestFinalXOF()" +Interfaces to extendable-output functions, XOFs, such as \s-1SHAKE128\s0 and \s-1SHAKE256.\s0 +It retrieves the digest value from \fBctx\fR and places it in \fBlen\fR\-sized md. +After calling this function no additional calls to \fIEVP_DigestUpdate()\fR can be +made, but \fIEVP_DigestInit_ex()\fR can be called to initialize a new operation. +.IP "\fIEVP_MD_CTX_copy_ex()\fR" 4 +.IX Item "EVP_MD_CTX_copy_ex()" +Can be used to copy the message digest state from \fBin\fR to \fBout\fR. This is +useful if large amounts of data are to be hashed which only differ in the last +few bytes. +.IP "\fIEVP_DigestInit()\fR" 4 +.IX Item "EVP_DigestInit()" +Behaves in the same way as \fIEVP_DigestInit_ex()\fR except it always uses the +default digest implementation. +.IP "\fIEVP_DigestFinal()\fR" 4 +.IX Item "EVP_DigestFinal()" +Similar to \fIEVP_DigestFinal_ex()\fR except the digest context \fBctx\fR is +automatically cleaned up. +.IP "\fIEVP_MD_CTX_copy()\fR" 4 +.IX Item "EVP_MD_CTX_copy()" +Similar to \fIEVP_MD_CTX_copy_ex()\fR except the destination \fBout\fR does not have to +be initialized. +.IP "\fIEVP_MD_size()\fR, \fIEVP_MD_CTX_size()\fR" 4 +.IX Item "EVP_MD_size(), EVP_MD_CTX_size()" +Return the size of the message digest when passed an \fB\s-1EVP_MD\s0\fR or an +\&\fB\s-1EVP_MD_CTX\s0\fR structure, i.e. the size of the hash. +.IP "\fIEVP_MD_block_size()\fR, \fIEVP_MD_CTX_block_size()\fR" 4 +.IX Item "EVP_MD_block_size(), EVP_MD_CTX_block_size()" +Return the block size of the message digest when passed an \fB\s-1EVP_MD\s0\fR or an +\&\fB\s-1EVP_MD_CTX\s0\fR structure. +.IP "\fIEVP_MD_type()\fR, \fIEVP_MD_CTX_type()\fR" 4 +.IX Item "EVP_MD_type(), EVP_MD_CTX_type()" +Return the \s-1NID\s0 of the \s-1OBJECT IDENTIFIER\s0 representing the given message digest +when passed an \fB\s-1EVP_MD\s0\fR structure. For example, \f(CW\*(C`EVP_MD_type(EVP_sha1())\*(C'\fR +returns \fBNID_sha1\fR. This function is normally used when setting \s-1ASN1\s0 OIDs. +.IP "\fIEVP_MD_CTX_md_data()\fR" 4 +.IX Item "EVP_MD_CTX_md_data()" +Return the digest method private data for the passed \fB\s-1EVP_MD_CTX\s0\fR. +The space is allocated by OpenSSL and has the size originally set with +\&\fIEVP_MD_meth_set_app_datasize()\fR. +.IP "\fIEVP_MD_CTX_md()\fR" 4 +.IX Item "EVP_MD_CTX_md()" +Returns the \fB\s-1EVP_MD\s0\fR structure corresponding to the passed \fB\s-1EVP_MD_CTX\s0\fR. +.IP "\fIEVP_MD_pkey_type()\fR" 4 +.IX Item "EVP_MD_pkey_type()" +Returns the \s-1NID\s0 of the public key signing algorithm associated with this +digest. For example \fIEVP_sha1()\fR is associated with \s-1RSA\s0 so this will return +\&\fBNID_sha1WithRSAEncryption\fR. Since digests and signature algorithms are no +longer linked this function is only retained for compatibility reasons. +.IP "\fIEVP_md_null()\fR" 4 +.IX Item "EVP_md_null()" +A \*(L"null\*(R" message digest that does nothing: i.e. the hash it returns is of zero +length. +.IP "\fIEVP_get_digestbyname()\fR, \fIEVP_get_digestbynid()\fR, \fIEVP_get_digestbyobj()\fR" 4 +.IX Item "EVP_get_digestbyname(), EVP_get_digestbynid(), EVP_get_digestbyobj()" +Returns an \fB\s-1EVP_MD\s0\fR structure when passed a digest name, a digest \fB\s-1NID\s0\fR or an +\&\fB\s-1ASN1_OBJECT\s0\fR structure respectively. +.IP "\fIEVP_MD_CTX_set_pkey_ctx()\fR" 4 +.IX Item "EVP_MD_CTX_set_pkey_ctx()" +Assigns an \fB\s-1EVP_PKEY_CTX\s0\fR to \fB\s-1EVP_MD_CTX\s0\fR. This is usually used to provide +a customzied \fB\s-1EVP_PKEY_CTX\s0\fR to \fIEVP_DigestSignInit\fR\|(3) or +\&\fIEVP_DigestVerifyInit\fR\|(3). The \fBpctx\fR passed to this function should be freed +by the caller. A \s-1NULL\s0 \fBpctx\fR pointer is also allowed to clear the \fB\s-1EVP_PKEY_CTX\s0\fR +assigned to \fBctx\fR. In such case, freeing the cleared \fB\s-1EVP_PKEY_CTX\s0\fR or not +depends on how the \fB\s-1EVP_PKEY_CTX\s0\fR is created. +.SH "FLAGS" +.IX Header "FLAGS" +\&\fIEVP_MD_CTX_set_flags()\fR, \fIEVP_MD_CTX_clear_flags()\fR and \fIEVP_MD_CTX_test_flags()\fR +can be used the manipulate and test these \fB\s-1EVP_MD_CTX\s0\fR flags: +.IP "\s-1EVP_MD_CTX_FLAG_ONESHOT\s0" 4 +.IX Item "EVP_MD_CTX_FLAG_ONESHOT" +This flag instructs the digest to optimize for one update only, if possible. +.IP "\s-1EVP_MD_CTX_FLAG_NO_INIT\s0" 4 +.IX Item "EVP_MD_CTX_FLAG_NO_INIT" +This flag instructs \fIEVP_DigestInit()\fR and similar not to initialise the +implementation specific data. +.IP "\s-1EVP_MD_CTX_FLAG_FINALISE\s0" 4 +.IX Item "EVP_MD_CTX_FLAG_FINALISE" +Some functions such as EVP_DigestSign only finalise copies of internal +contexts so additional data can be included after the finalisation call. +This is inefficient if this functionality is not required, and can be +disabled with this flag. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIEVP_DigestInit_ex()\fR, \fIEVP_DigestUpdate()\fR and \fIEVP_DigestFinal_ex()\fR return 1 for +.IP "\fIEVP_DigestInit_ex()\fR, \fIEVP_DigestUpdate()\fR, \fIEVP_DigestFinal_ex()\fR" 4 +.IX Item "EVP_DigestInit_ex(), EVP_DigestUpdate(), EVP_DigestFinal_ex()" +Returns 1 for success and 0 for failure. -.PP -\&\fIEVP_MD_CTX_copy_ex()\fR returns 1 if successful or 0 for failure. -.PP -\&\fIEVP_MD_type()\fR, \fIEVP_MD_pkey_type()\fR and \fIEVP_MD_type()\fR return the \s-1NID\s0 of the -corresponding \s-1OBJECT IDENTIFIER\s0 or NID_undef if none exists. -.PP -\&\fIEVP_MD_size()\fR, \fIEVP_MD_block_size()\fR, \fIEVP_MD_CTX_size()\fR and -\&\fIEVP_MD_CTX_block_size()\fR return the digest or block size in bytes. -.PP -\&\fIEVP_md_null()\fR, \fIEVP_md2()\fR, \fIEVP_md5()\fR, \fIEVP_sha()\fR, \fIEVP_sha1()\fR, \fIEVP_dss()\fR, -\&\fIEVP_dss1()\fR, \fIEVP_mdc2()\fR and \fIEVP_ripemd160()\fR return pointers to the -corresponding \s-1EVP_MD\s0 structures. -.PP -\&\fIEVP_get_digestbyname()\fR, \fIEVP_get_digestbynid()\fR and \fIEVP_get_digestbyobj()\fR -return either an \fB\s-1EVP_MD\s0\fR structure or \s-1NULL\s0 if an error occurs. +.IP "\fIEVP_MD_CTX_ctrl()\fR" 4 +.IX Item "EVP_MD_CTX_ctrl()" +Returns 1 if successful or 0 for failure. +.IP "\fIEVP_MD_CTX_copy_ex()\fR" 4 +.IX Item "EVP_MD_CTX_copy_ex()" +Returns 1 if successful or 0 for failure. +.IP "\fIEVP_MD_type()\fR, \fIEVP_MD_pkey_type()\fR, \fIEVP_MD_type()\fR" 4 +.IX Item "EVP_MD_type(), EVP_MD_pkey_type(), EVP_MD_type()" +Returns the \s-1NID\s0 of the corresponding \s-1OBJECT IDENTIFIER\s0 or NID_undef if none +exists. +.IP "\fIEVP_MD_size()\fR, \fIEVP_MD_block_size()\fR, \fIEVP_MD_CTX_size()\fR, \fIEVP_MD_CTX_block_size()\fR" 4 +.IX Item "EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(), EVP_MD_CTX_block_size()" +Returns the digest or block size in bytes. +.IP "\fIEVP_md_null()\fR" 4 +.IX Item "EVP_md_null()" +Returns a pointer to the \fB\s-1EVP_MD\s0\fR structure of the \*(L"null\*(R" message digest. +.IP "\fIEVP_get_digestbyname()\fR, \fIEVP_get_digestbynid()\fR, \fIEVP_get_digestbyobj()\fR" 4 +.IX Item "EVP_get_digestbyname(), EVP_get_digestbynid(), EVP_get_digestbyobj()" +Returns either an \fB\s-1EVP_MD\s0\fR structure or \s-1NULL\s0 if an error occurs. +.IP "\fIEVP_MD_CTX_set_pkey_ctx()\fR" 4 +.IX Item "EVP_MD_CTX_set_pkey_ctx()" +This function has no return value. .SH "NOTES" .IX Header "NOTES" The \fB\s-1EVP\s0\fR interface to message digests should almost always be used in preference to the low level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. .PP -New applications should use the \s-1SHA2\s0 digest algorithms such as \s-1SHA256.\s0 -The other digest algorithms are still in common use. +New applications should use the \s-1SHA\-2\s0 (such as \fIEVP_sha256\fR\|(3)) or the \s-1SHA\-3\s0 +digest algorithms (such as \fIEVP_sha3_512\fR\|(3)). The other digest algorithms +are still in common use. .PP For most applications the \fBimpl\fR parameter to \fIEVP_DigestInit_ex()\fR will be set to \s-1NULL\s0 to use the default digest implementation. @@ -321,24 +349,15 @@ applications should use \fIEVP_DigestInit_ex()\fR, \fIEVP_DigestFinal_ex()\fR an instead of initializing and cleaning it up on each call and allow non default implementations of digests to be specified. .PP -In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use +If digest contexts are not cleaned up after use, memory leaks will occur. .PP -Stack allocation of \s-1EVP_MD_CTX\s0 structures is common, for example: +\&\fIEVP_MD_CTX_size()\fR, \fIEVP_MD_CTX_block_size()\fR, \fIEVP_MD_CTX_type()\fR, +\&\fIEVP_get_digestbynid()\fR and \fIEVP_get_digestbyobj()\fR are defined as +macros. .PP -.Vb 2 -\& EVP_MD_CTX mctx; -\& EVP_MD_CTX_init(&mctx); -.Ve -.PP -This will cause binary compatibility issues if the size of \s-1EVP_MD_CTX\s0 -structure changes (this will only happen with a major release of OpenSSL). -Applications wishing to avoid this should use \fIEVP_MD_CTX_create()\fR instead: -.PP -.Vb 2 -\& EVP_MD_CTX *mctx; -\& mctx = EVP_MD_CTX_create(); -.Ve +\&\fIEVP_MD_CTX_ctrl()\fR sends commands to message digests for additional configuration +or control. .SH "EXAMPLE" .IX Header "EXAMPLE" This example digests the data \*(L"Test Message\en\*(R" and \*(L"Hello World\en\*(R", using the @@ -350,64 +369,73 @@ digest name passed on the command line. \& \& main(int argc, char *argv[]) \& { -\& EVP_MD_CTX *mdctx; -\& const EVP_MD *md; -\& char mess1[] = "Test Message\en"; -\& char mess2[] = "Hello World\en"; -\& unsigned char md_value[EVP_MAX_MD_SIZE]; -\& int md_len, i; +\& EVP_MD_CTX *mdctx; +\& const EVP_MD *md; +\& char mess1[] = "Test Message\en"; +\& char mess2[] = "Hello World\en"; +\& unsigned char md_value[EVP_MAX_MD_SIZE]; +\& int md_len, i; \& -\& OpenSSL_add_all_digests(); +\& if (argv[1] == NULL) { +\& printf("Usage: mdtest digestname\en"); +\& exit(1); +\& } \& -\& if(!argv[1]) { -\& printf("Usage: mdtest digestname\en"); -\& exit(1); -\& } +\& md = EVP_get_digestbyname(argv[1]); +\& if (md == NULL) { +\& printf("Unknown message digest %s\en", argv[1]); +\& exit(1); +\& } \& -\& md = EVP_get_digestbyname(argv[1]); +\& mdctx = EVP_MD_CTX_new(); +\& EVP_DigestInit_ex(mdctx, md, NULL); +\& EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); +\& EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); +\& EVP_DigestFinal_ex(mdctx, md_value, &md_len); +\& EVP_MD_CTX_free(mdctx); \& -\& if(!md) { -\& printf("Unknown message digest %s\en", argv[1]); -\& exit(1); -\& } +\& printf("Digest is: "); +\& for (i = 0; i < md_len; i++) +\& printf("%02x", md_value[i]); +\& printf("\en"); \& -\& mdctx = EVP_MD_CTX_create(); -\& EVP_DigestInit_ex(mdctx, md, NULL); -\& EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); -\& EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); -\& EVP_DigestFinal_ex(mdctx, md_value, &md_len); -\& EVP_MD_CTX_destroy(mdctx); -\& -\& printf("Digest is: "); -\& for(i = 0; i < md_len; i++) -\& printf("%02x", md_value[i]); -\& printf("\en"); -\& -\& /* Call this once before exit. */ -\& EVP_cleanup(); -\& exit(0); +\& exit(0); \& } .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIdgst\fR\|(1), -\&\fIevp\fR\|(3) +\&\fIevp\fR\|(7) +.PP +The full list of digest algorithms are provided below. +.PP +\&\fIEVP_blake2b512\fR\|(3), +\&\fIEVP_md2\fR\|(3), +\&\fIEVP_md4\fR\|(3), +\&\fIEVP_md5\fR\|(3), +\&\fIEVP_mdc2\fR\|(3), +\&\fIEVP_ripemd160\fR\|(3), +\&\fIEVP_sha1\fR\|(3), +\&\fIEVP_sha224\fR\|(3), +\&\fIEVP_sha3_224\fR\|(3), +\&\fIEVP_sm3\fR\|(3), +\&\fIEVP_whirlpool\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIEVP_DigestInit()\fR, \fIEVP_DigestUpdate()\fR and \fIEVP_DigestFinal()\fR are -available in all versions of SSLeay and OpenSSL. -.PP -\&\fIEVP_MD_CTX_init()\fR, \fIEVP_MD_CTX_create()\fR, \fIEVP_MD_CTX_copy_ex()\fR, -\&\fIEVP_MD_CTX_cleanup()\fR, \fIEVP_MD_CTX_destroy()\fR, \fIEVP_DigestInit_ex()\fR -and \fIEVP_DigestFinal_ex()\fR were added in OpenSSL 0.9.7. -.PP -\&\fIEVP_md_null()\fR, \fIEVP_md2()\fR, \fIEVP_md5()\fR, \fIEVP_sha()\fR, \fIEVP_sha1()\fR, -\&\fIEVP_dss()\fR, \fIEVP_dss1()\fR, \fIEVP_mdc2()\fR and \fIEVP_ripemd160()\fR were -changed to return truly const \s-1EVP_MD\s0 * in OpenSSL 0.9.7. +\&\fIEVP_MD_CTX_create()\fR and \fIEVP_MD_CTX_destroy()\fR were renamed to +\&\fIEVP_MD_CTX_new()\fR and \fIEVP_MD_CTX_free()\fR in OpenSSL 1.1.0. .PP The link between digests and signing algorithms was fixed in OpenSSL 1.0 and -later, so now \fIEVP_sha1()\fR can be used with \s-1RSA\s0 and \s-1DSA\s0; there is no need to -use \fIEVP_dss1()\fR any more. +later, so now \fIEVP_sha1()\fR can be used with \s-1RSA\s0 and \s-1DSA.\s0 .PP -OpenSSL 1.0 and later does not include the \s-1MD2\s0 digest algorithm in the -default configuration due to its security weaknesses. +\&\fIEVP_dss1()\fR was removed in OpenSSL 1.1.0. +.PP +\&\fIEVP_MD_CTX_set_pkey_ctx()\fR was added in 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_DigestSignInit.3 b/secure/lib/libcrypto/man/EVP_DigestSignInit.3 index 177139449e1b..b7eb419593b5 100644 --- a/secure/lib/libcrypto/man/EVP_DigestSignInit.3 +++ b/secure/lib/libcrypto/man/EVP_DigestSignInit.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_DigestSignInit 3" -.TH EVP_DigestSignInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_DIGESTSIGNINIT 3" +.TH EVP_DIGESTSIGNINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal \- EVP signing functions +EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal, EVP_DigestSign \- EVP signing functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -145,34 +145,86 @@ EVP_DigestSignInit, EVP_DigestSignUpdate, EVP_DigestSignFinal \- EVP signing fun \& const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); \& int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); \& int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen); +\& +\& int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, +\& size_t *siglen, const unsigned char *tbs, +\& size_t tbslen); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \s-1EVP\s0 signature routines are a high level interface to digital signatures. .PP \&\fIEVP_DigestSignInit()\fR sets up signing context \fBctx\fR to use digest \fBtype\fR from -\&\s-1ENGINE\s0 \fBimpl\fR and private key \fBpkey\fR. \fBctx\fR must be initialized with -\&\fIEVP_MD_CTX_init()\fR before calling this function. If \fBpctx\fR is not \s-1NULL\s0 the +\&\s-1ENGINE\s0 \fBe\fR and private key \fBpkey\fR. \fBctx\fR must be created with +\&\fIEVP_MD_CTX_new()\fR before calling this function. If \fBpctx\fR is not \s-1NULL,\s0 the \&\s-1EVP_PKEY_CTX\s0 of the signing operation will be written to \fB*pctx\fR: this can -be used to set alternative signing options. +be used to set alternative signing options. Note that any existing value in +\&\fB*pctx\fR is overwritten. The \s-1EVP_PKEY_CTX\s0 value returned must not be freed +directly by the application if \fBctx\fR is not assigned an \s-1EVP_PKEY_CTX\s0 value before +being passed to \fIEVP_DigestSignInit()\fR (which means the \s-1EVP_PKEY_CTX\s0 is created +inside \fIEVP_DigestSignInit()\fR and it will be freed automatically when the +\&\s-1EVP_MD_CTX\s0 is freed). +.PP +The digest \fBtype\fR may be \s-1NULL\s0 if the signing algorithm supports it. +.PP +No \fB\s-1EVP_PKEY_CTX\s0\fR will be created by \fIEVP_DigsetSignInit()\fR if the passed \fBctx\fR +has already been assigned one via \fIEVP_MD_CTX_set_ctx\fR\|(3). See also \s-1\fISM2\s0\fR\|(7). +.PP +Only \s-1EVP_PKEY\s0 types that support signing can be used with these functions. This +includes \s-1MAC\s0 algorithms where the \s-1MAC\s0 generation is considered as a form of +\&\*(L"signing\*(R". Built-in \s-1EVP_PKEY\s0 types supported by these functions are \s-1CMAC,\s0 +Poly1305, \s-1DSA, ECDSA, HMAC, RSA,\s0 SipHash, Ed25519 and Ed448. +.PP +Not all digests can be used for all key types. The following combinations apply. +.IP "\s-1DSA\s0" 4 +.IX Item "DSA" +Supports \s-1SHA1, SHA224, SHA256, SHA384\s0 and \s-1SHA512\s0 +.IP "\s-1ECDSA\s0" 4 +.IX Item "ECDSA" +Supports \s-1SHA1, SHA224, SHA256, SHA384, SHA512\s0 and \s-1SM3\s0 +.IP "\s-1RSA\s0 with no padding" 4 +.IX Item "RSA with no padding" +Supports no digests (the digest \fBtype\fR must be \s-1NULL\s0) +.IP "\s-1RSA\s0 with X931 padding" 4 +.IX Item "RSA with X931 padding" +Supports \s-1SHA1, SHA256, SHA384\s0 and \s-1SHA512\s0 +.IP "All other \s-1RSA\s0 padding types" 4 +.IX Item "All other RSA padding types" +Support \s-1SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2, +SHA3\-224, SHA3\-256, SHA3\-384, SHA3\-512\s0 +.IP "Ed25519 and Ed448" 4 +.IX Item "Ed25519 and Ed448" +Support no digests (the digest \fBtype\fR must be \s-1NULL\s0) +.IP "\s-1HMAC\s0" 4 +.IX Item "HMAC" +Supports any digest +.IP "\s-1CMAC,\s0 Poly1305 and SipHash" 4 +.IX Item "CMAC, Poly1305 and SipHash" +Will ignore any digest provided. +.PP +If RSA-PSS is used and restrictions apply then the digest must match. .PP \&\fIEVP_DigestSignUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the signature context \fBctx\fR. This function can be called several times on the same \fBctx\fR to include additional data. This function is currently implemented -usig a macro. +using a macro. .PP -\&\fIEVP_DigestSignFinal()\fR signs the data in \fBctx\fR places the signature in \fBsig\fR. +\&\fIEVP_DigestSignFinal()\fR signs the data in \fBctx\fR and places the signature in \fBsig\fR. If \fBsig\fR is \fB\s-1NULL\s0\fR then the maximum size of the output buffer is written to the \fBsiglen\fR parameter. If \fBsig\fR is not \fB\s-1NULL\s0\fR then before the call the -\&\fBsiglen\fR parameter should contain the length of the \fBsig\fR buffer, if the +\&\fBsiglen\fR parameter should contain the length of the \fBsig\fR buffer. If the call is successful the signature is written to \fBsig\fR and the amount of data written to \fBsiglen\fR. +.PP +\&\fIEVP_DigestSign()\fR signs \fBtbslen\fR bytes of data at \fBtbs\fR and places the +signature in \fBsig\fR and its length in \fBsiglen\fR in a similar way to +\&\fIEVP_DigestSignFinal()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIEVP_DigestSignInit()\fR \fIEVP_DigestSignUpdate()\fR and \fIEVP_DigestSignaFinal()\fR return -1 for success and 0 or a negative value for failure. In particular a return -value of \-2 indicates the operation is not supported by the public key -algorithm. +\&\fIEVP_DigestSignInit()\fR, \fIEVP_DigestSignUpdate()\fR, \fIEVP_DigestSignaFinal()\fR and +\&\fIEVP_DigestSign()\fR return 1 for success and 0 or a negative value for failure. In +particular, a return value of \-2 indicates the operation is not supported by the +public key algorithm. .PP The error codes can be obtained from \fIERR_get_error\fR\|(3). .SH "NOTES" @@ -181,6 +233,11 @@ The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be use preference to the low level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP +\&\fIEVP_DigestSign()\fR is a one shot operation which signs a single block of data +in one function. For algorithms that support streaming it is equivalent to +calling \fIEVP_DigestSignUpdate()\fR and \fIEVP_DigestSignFinal()\fR. For algorithms which +do not support streaming (e.g. PureEdDSA) it is the only way to sign data. +.PP In previous versions of OpenSSL there was a link between message digest types and public key algorithms. This meant that \*(L"clone\*(R" digests such as \fIEVP_dss1()\fR needed to be used to sign using \s-1SHA1\s0 and \s-1DSA.\s0 This is no longer necessary and @@ -193,8 +250,8 @@ The call to \fIEVP_DigestSignFinal()\fR internally finalizes a copy of the diges context. This means that calls to \fIEVP_DigestSignUpdate()\fR and \&\fIEVP_DigestSignFinal()\fR can be called later to digest and sign additional data. .PP -Since only a copy of the digest context is ever finalized the context must -be cleaned up after use by calling \fIEVP_MD_CTX_cleanup()\fR or a memory leak +Since only a copy of the digest context is ever finalized, the context must +be cleaned up after use by calling \fIEVP_MD_CTX_free()\fR or a memory leak will occur. .PP The use of \fIEVP_PKEY_size()\fR with these functions is discouraged because some @@ -204,11 +261,19 @@ which indicates the maximum possible signature for any set of parameters. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIEVP_DigestVerifyInit\fR\|(3), -\&\fIEVP_DigestInit\fR\|(3), \fIerr\fR\|(3), -\&\fIevp\fR\|(3), \fIhmac\fR\|(3), \fImd2\fR\|(3), -\&\fImd5\fR\|(3), \fImdc2\fR\|(3), \fIripemd\fR\|(3), -\&\fIsha\fR\|(3), \fIdgst\fR\|(1) +\&\fIEVP_DigestInit\fR\|(3), +\&\fIevp\fR\|(7), \s-1\fIHMAC\s0\fR\|(3), \s-1\fIMD2\s0\fR\|(3), +\&\s-1\fIMD5\s0\fR\|(3), \s-1\fIMDC2\s0\fR\|(3), \s-1\fIRIPEMD160\s0\fR\|(3), +\&\s-1\fISHA1\s0\fR\|(3), \fIdgst\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -\&\fIEVP_DigestSignInit()\fR, \fIEVP_DigestSignUpdate()\fR and \fIEVP_DigestSignFinal()\fR +\&\fIEVP_DigestSignInit()\fR, \fIEVP_DigestSignUpdate()\fR and \fIEVP_DigestSignFinal()\fR were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 b/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 index 1e5e356b5e4e..720de6b09fe5 100644 --- a/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 +++ b/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 @@ -128,33 +128,44 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_DigestVerifyInit 3" -.TH EVP_DigestVerifyInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_DIGESTVERIFYINIT 3" +.TH EVP_DIGESTVERIFYINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal \- EVP signature verification functions +EVP_DigestVerifyInit, EVP_DigestVerifyUpdate, EVP_DigestVerifyFinal, EVP_DigestVerify \- EVP signature verification functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, -\& const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); +\& const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); \& int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); -\& int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen); +\& int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, +\& size_t siglen); +\& int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, +\& size_t siglen, const unsigned char *tbs, size_t tbslen); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \s-1EVP\s0 signature routines are a high level interface to digital signatures. .PP \&\fIEVP_DigestVerifyInit()\fR sets up verification context \fBctx\fR to use digest -\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR and public key \fBpkey\fR. \fBctx\fR must be initialized -with \fIEVP_MD_CTX_init()\fR before calling this function. If \fBpctx\fR is not \s-1NULL\s0 the +\&\fBtype\fR from \s-1ENGINE\s0 \fBe\fR and public key \fBpkey\fR. \fBctx\fR must be created +with \fIEVP_MD_CTX_new()\fR before calling this function. If \fBpctx\fR is not \s-1NULL,\s0 the \&\s-1EVP_PKEY_CTX\s0 of the verification operation will be written to \fB*pctx\fR: this -can be used to set alternative verification options. +can be used to set alternative verification options. Note that any existing +value in \fB*pctx\fR is overwritten. The \s-1EVP_PKEY_CTX\s0 value returned must not be freed +directly by the application if \fBctx\fR is not assigned an \s-1EVP_PKEY_CTX\s0 value before +being passed to \fIEVP_DigestSignInit()\fR (which means the \s-1EVP_PKEY_CTX\s0 is created +inside \fIEVP_DigestSignInit()\fR and it will be freed automatically when the +\&\s-1EVP_MD_CTX\s0 is freed). +.PP +No \fB\s-1EVP_PKEY_CTX\s0\fR will be created by \fIEVP_DigsetSignInit()\fR if the passed \fBctx\fR +has already been assigned one via \fIEVP_MD_CTX_set_ctx\fR\|(3). See also \s-1\fISM2\s0\fR\|(7). .PP \&\fIEVP_DigestVerifyUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the verification context \fBctx\fR. This function can be called several times on the @@ -163,17 +174,19 @@ using a macro. .PP \&\fIEVP_DigestVerifyFinal()\fR verifies the data in \fBctx\fR against the signature in \&\fBsig\fR of length \fBsiglen\fR. +.PP +\&\fIEVP_DigestVerify()\fR verifies \fBtbslen\fR bytes at \fBtbs\fR against the signature +in \fBsig\fR of length \fBsiglen\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIEVP_DigestVerifyInit()\fR and \fIEVP_DigestVerifyUpdate()\fR return 1 for success and 0 -or a negative value for failure. In particular a return value of \-2 indicates -the operation is not supported by the public key algorithm. +for failure. .PP -\&\fIEVP_DigestVerifyFinal()\fR returns 1 for success; any other value indicates -failure. A return value of zero indicates that the signature did not verify -successfully (that is, tbs did not match the original data or the signature had -an invalid form), while other values indicate a more serious error (and -sometimes also indicate an invalid signature form). +\&\fIEVP_DigestVerifyFinal()\fR and \fIEVP_DigestVerify()\fR return 1 for success; any other +value indicates failure. A return value of zero indicates that the signature +did not verify successfully (that is, \fBtbs\fR did not match the original data or +the signature had an invalid form), while other values indicate a more serious +error (and sometimes also indicate an invalid signature form). .PP The error codes can be obtained from \fIERR_get_error\fR\|(3). .SH "NOTES" @@ -182,6 +195,12 @@ The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be use preference to the low level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP +\&\fIEVP_DigestVerify()\fR is a one shot operation which verifies a single block of +data in one function. For algorithms that support streaming it is equivalent +to calling \fIEVP_DigestVerifyUpdate()\fR and \fIEVP_DigestVerifyFinal()\fR. For +algorithms which do not support streaming (e.g. PureEdDSA) it is the only way +to verify data. +.PP In previous versions of OpenSSL there was a link between message digest types and public key algorithms. This meant that \*(L"clone\*(R" digests such as \fIEVP_dss1()\fR needed to be used to sign using \s-1SHA1\s0 and \s-1DSA.\s0 This is no longer necessary and @@ -194,17 +213,25 @@ The call to \fIEVP_DigestVerifyFinal()\fR internally finalizes a copy of the dig context. This means that \fIEVP_VerifyUpdate()\fR and \fIEVP_VerifyFinal()\fR can be called later to digest and verify additional data. .PP -Since only a copy of the digest context is ever finalized the context must -be cleaned up after use by calling \fIEVP_MD_CTX_cleanup()\fR or a memory leak +Since only a copy of the digest context is ever finalized, the context must +be cleaned up after use by calling \fIEVP_MD_CTX_free()\fR or a memory leak will occur. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIEVP_DigestSignInit\fR\|(3), -\&\fIEVP_DigestInit\fR\|(3), \fIerr\fR\|(3), -\&\fIevp\fR\|(3), \fIhmac\fR\|(3), \fImd2\fR\|(3), -\&\fImd5\fR\|(3), \fImdc2\fR\|(3), \fIripemd\fR\|(3), -\&\fIsha\fR\|(3), \fIdgst\fR\|(1) +\&\fIEVP_DigestInit\fR\|(3), +\&\fIevp\fR\|(7), \s-1\fIHMAC\s0\fR\|(3), \s-1\fIMD2\s0\fR\|(3), +\&\s-1\fIMD5\s0\fR\|(3), \s-1\fIMDC2\s0\fR\|(3), \s-1\fIRIPEMD160\s0\fR\|(3), +\&\s-1\fISHA1\s0\fR\|(3), \fIdgst\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -\&\fIEVP_DigestVerifyInit()\fR, \fIEVP_DigestVerifyUpdate()\fR and \fIEVP_DigestVerifyFinal()\fR +\&\fIEVP_DigestVerifyInit()\fR, \fIEVP_DigestVerifyUpdate()\fR and \fIEVP_DigestVerifyFinal()\fR were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_EncodeInit.3 b/secure/lib/libcrypto/man/EVP_EncodeInit.3 index 97a84fe6e9f7..291f2d2137cc 100644 --- a/secure/lib/libcrypto/man/EVP_EncodeInit.3 +++ b/secure/lib/libcrypto/man/EVP_EncodeInit.3 @@ -128,32 +128,33 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_EncodeInit 3" -.TH EVP_EncodeInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_ENCODEINIT 3" +.TH EVP_ENCODEINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_EncodeInit, EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock, -EVP_DecodeInit, EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock \- EVP base 64 -encode/decode routines +EVP_ENCODE_CTX_new, EVP_ENCODE_CTX_free, EVP_ENCODE_CTX_copy, EVP_ENCODE_CTX_num, EVP_EncodeInit, EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock, EVP_DecodeInit, EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock \- EVP base 64 encode/decode routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void); +\& void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx); +\& int EVP_ENCODE_CTX_copy(EVP_ENCODE_CTX *dctx, EVP_ENCODE_CTX *sctx); +\& int EVP_ENCODE_CTX_num(EVP_ENCODE_CTX *ctx); \& void EVP_EncodeInit(EVP_ENCODE_CTX *ctx); -\& void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, -\& const unsigned char *in, int inl); +\& int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, +\& const unsigned char *in, int inl); \& void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl); \& int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n); \& \& void EVP_DecodeInit(EVP_ENCODE_CTX *ctx); \& int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, \& const unsigned char *in, int inl); -\& int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned -\& char *out, int *outl); +\& int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl); \& int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n); .Ve .SH "DESCRIPTION" @@ -166,6 +167,12 @@ plus some occasional newlines (see below). If the input data length is not a multiple of 3 then the output data will be padded at the end using the \*(L"=\*(R" character. .PP +\&\fIEVP_ENCODE_CTX_new()\fR allocates, initializes and returns a context to be used for +the encode/decode functions. +.PP +\&\fIEVP_ENCODE_CTX_free()\fR cleans up an encode/decode context \fBctx\fR and frees up the +space allocated to it. +.PP Encoding of binary data is performed in blocks of 48 input bytes (or less for the final block). For each 48 byte input block encoded 64 bytes of base 64 data is output plus an additional newline character (i.e. 65 bytes in total). The @@ -189,7 +196,8 @@ any remainder). This gives the number of blocks of data that will be processed. Ensure the output buffer contains 65 bytes of storage for each block, plus an additional byte for a \s-1NUL\s0 terminator. \fIEVP_EncodeUpdate()\fR may be called repeatedly to process large amounts of input data. In the event of an error -\&\fIEVP_EncodeUpdate()\fR will set \fB*outl\fR to 0. +\&\fIEVP_EncodeUpdate()\fR will set \fB*outl\fR to 0 and return 0. On success 1 will be +returned. .PP \&\fIEVP_EncodeFinal()\fR must be called at the end of an encoding operation. It will process any partial block of data remaining in the \fBctx\fR object. The output @@ -198,6 +206,12 @@ in \fB*outl\fR. It is the caller's responsibility to ensure that \fBout\fR is sufficiently large to accommodate the output data which will never be more than 65 bytes plus an additional \s-1NUL\s0 terminator (i.e. 66 bytes in total). .PP +\&\fIEVP_ENCODE_CTX_copy()\fR can be used to copy a context \fBsctx\fR to a context +\&\fBdctx\fR. \fBdctx\fR must be initialized before calling this function. +.PP +\&\fIEVP_ENCODE_CTX_num()\fR will return the number of as yet unprocessed bytes still to +be encoded or decoded that are pending in the \fBctx\fR object. +.PP \&\fIEVP_EncodeBlock()\fR encodes a full block of input data in \fBf\fR and of length \&\fBdlen\fR and stores it in \fBt\fR. For every 3 bytes of input provided 4 bytes of output data will be produced. If \fBdlen\fR is not divisible by 3 then the block is @@ -235,13 +249,21 @@ in this case. Otherwise the function returns 1 on success. \&\fIEVP_DecodeBlock()\fR will decode the block of \fBn\fR characters of base 64 data contained in \fBf\fR and store the result in \fBt\fR. Any leading whitespace will be trimmed as will any trailing whitespace, newlines, carriage returns or \s-1EOF\s0 -characters. After such trimming the length of the data in \fBf\fR must be divisbile +characters. After such trimming the length of the data in \fBf\fR must be divisible by 4. For every 4 input bytes exactly 3 output bytes will be produced. The output will be padded with 0 bits if necessary to ensure that the output is always 3 bytes for every 4 input bytes. This function will return the length of the data decoded or \-1 on error. .SH "RETURN VALUES" .IX Header "RETURN VALUES" +\&\fIEVP_ENCODE_CTX_new()\fR returns a pointer to the newly allocated \s-1EVP_ENCODE_CTX\s0 +object or \s-1NULL\s0 on error. +.PP +\&\fIEVP_ENCODE_CTX_num()\fR returns the number of bytes pending encoding or decoding in +\&\fBctx\fR. +.PP +\&\fIEVP_EncodeUpdate()\fR returns 0 on error or 1 on success. +.PP \&\fIEVP_EncodeBlock()\fR returns the number of bytes encoded excluding the \s-1NUL\s0 terminator. .PP @@ -253,4 +275,12 @@ then no more non-padding base 64 characters are expected. \&\fIEVP_DecodeBlock()\fR returns the length of the data decoded or \-1 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIevp\fR\|(3) +\&\fIevp\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_EncryptInit.3 b/secure/lib/libcrypto/man/EVP_EncryptInit.3 index a98c5b7d6771..34335291b1b0 100644 --- a/secure/lib/libcrypto/man/EVP_EncryptInit.3 +++ b/secure/lib/libcrypto/man/EVP_EncryptInit.3 @@ -128,111 +128,79 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_EncryptInit 3" -.TH EVP_EncryptInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_ENCRYPTINIT 3" +.TH EVP_ENCRYPTINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_CIPHER_CTX_init, EVP_EncryptInit_ex, EVP_EncryptUpdate, -EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate, -EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate, -EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length, -EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX_cleanup, EVP_EncryptInit, -EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal, -EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname, -EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid, -EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length, -EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher, -EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length, -EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data, -EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags, -EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param, -EVP_CIPHER_CTX_set_padding, EVP_enc_null, EVP_des_cbc, EVP_des_ecb, -EVP_des_cfb, EVP_des_ofb, EVP_des_ede_cbc, EVP_des_ede, EVP_des_ede_ofb, -EVP_des_ede_cfb, EVP_des_ede3_cbc, EVP_des_ede3, EVP_des_ede3_ofb, -EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_rc4_hmac_md5, -EVP_idea_cbc, EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_rc2_cbc, -EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc, -EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc, -EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, EVP_rc5_32_12_16_cbc, -EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ofb, -EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ccm, -EVP_aes_192_ccm, EVP_aes_256_ccm, -EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1, -EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256 -\&\- EVP cipher routines +EVP_CIPHER_CTX_new, EVP_CIPHER_CTX_reset, EVP_CIPHER_CTX_free, EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate, EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate, EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length, EVP_CIPHER_CTX_ctrl, EVP_EncryptInit, EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal, EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname, EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid, EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length, EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher, EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length, EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data, EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags, EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param, EVP_CIPHER_CTX_set_padding, EVP_enc_null \&\- EVP cipher routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); +\& EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); +\& int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx); +\& void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx); \& \& int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, -\& ENGINE *impl, const unsigned char *key, const unsigned char *iv); +\& ENGINE *impl, const unsigned char *key, const unsigned char *iv); \& int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl, const unsigned char *in, int inl); -\& int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl); +\& int *outl, const unsigned char *in, int inl); +\& int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); \& \& int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, -\& ENGINE *impl, const unsigned char *key, const unsigned char *iv); +\& ENGINE *impl, const unsigned char *key, const unsigned char *iv); \& int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl, const unsigned char *in, int inl); -\& int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, -\& int *outl); +\& int *outl, const unsigned char *in, int inl); +\& int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); \& \& int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, -\& ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc); +\& ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc); \& int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl, const unsigned char *in, int inl); -\& int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, -\& int *outl); +\& int *outl, const unsigned char *in, int inl); +\& int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); \& \& int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, -\& const unsigned char *key, const unsigned char *iv); -\& int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl); +\& const unsigned char *key, const unsigned char *iv); +\& int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); \& \& int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, -\& const unsigned char *key, const unsigned char *iv); -\& int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, -\& int *outl); +\& const unsigned char *key, const unsigned char *iv); +\& int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); \& \& int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, -\& const unsigned char *key, const unsigned char *iv, int enc); -\& int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, -\& int *outl); +\& const unsigned char *key, const unsigned char *iv, int enc); +\& int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); \& \& int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding); \& int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); \& int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); -\& int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); +\& int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key); \& \& const EVP_CIPHER *EVP_get_cipherbyname(const char *name); -\& #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a)) -\& #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a)) +\& const EVP_CIPHER *EVP_get_cipherbynid(int nid); +\& const EVP_CIPHER *EVP_get_cipherbyobj(const ASN1_OBJECT *a); \& -\& #define EVP_CIPHER_nid(e) ((e)\->nid) -\& #define EVP_CIPHER_block_size(e) ((e)\->block_size) -\& #define EVP_CIPHER_key_length(e) ((e)\->key_len) -\& #define EVP_CIPHER_iv_length(e) ((e)\->iv_len) -\& #define EVP_CIPHER_flags(e) ((e)\->flags) -\& #define EVP_CIPHER_mode(e) ((e)\->flags) & EVP_CIPH_MODE) +\& int EVP_CIPHER_nid(const EVP_CIPHER *e); +\& int EVP_CIPHER_block_size(const EVP_CIPHER *e); +\& int EVP_CIPHER_key_length(const EVP_CIPHER *e); +\& int EVP_CIPHER_iv_length(const EVP_CIPHER *e); +\& unsigned long EVP_CIPHER_flags(const EVP_CIPHER *e); +\& unsigned long EVP_CIPHER_mode(const EVP_CIPHER *e); \& int EVP_CIPHER_type(const EVP_CIPHER *ctx); \& -\& #define EVP_CIPHER_CTX_cipher(e) ((e)\->cipher) -\& #define EVP_CIPHER_CTX_nid(e) ((e)\->cipher\->nid) -\& #define EVP_CIPHER_CTX_block_size(e) ((e)\->cipher\->block_size) -\& #define EVP_CIPHER_CTX_key_length(e) ((e)\->key_len) -\& #define EVP_CIPHER_CTX_iv_length(e) ((e)\->cipher\->iv_len) -\& #define EVP_CIPHER_CTX_get_app_data(e) ((e)\->app_data) -\& #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)\->app_data=(char *)(d)) -\& #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) -\& #define EVP_CIPHER_CTX_flags(e) ((e)\->cipher\->flags) -\& #define EVP_CIPHER_CTX_mode(e) ((e)\->cipher\->flags & EVP_CIPH_MODE) +\& const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); +\& int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); +\& int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); +\& int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); +\& int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); +\& void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); +\& void EVP_CIPHER_CTX_set_app_data(const EVP_CIPHER_CTX *ctx, void *data); +\& int EVP_CIPHER_CTX_type(const EVP_CIPHER_CTX *ctx); +\& int EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx); \& \& int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); \& int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); @@ -242,10 +210,16 @@ EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256 The \s-1EVP\s0 cipher routines are a high level interface to certain symmetric ciphers. .PP -\&\fIEVP_CIPHER_CTX_init()\fR initializes cipher contex \fBctx\fR. +\&\fIEVP_CIPHER_CTX_new()\fR creates a cipher context. +.PP +\&\fIEVP_CIPHER_CTX_free()\fR clears all information from a cipher context +and free up any allocated memory associate with it, including \fBctx\fR +itself. This function should be called after all operations using a +cipher are complete so sensitive information does not remain in +memory. .PP \&\fIEVP_EncryptInit_ex()\fR sets up cipher context \fBctx\fR for encryption -with cipher \fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be initialized +with cipher \fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be created before calling this function. \fBtype\fR is normally supplied by a function such as \fIEVP_aes_256_cbc()\fR. If \fBimpl\fR is \s-1NULL\s0 then the default implementation is used. \fBkey\fR is the symmetric key to use @@ -262,11 +236,14 @@ multiple times to encrypt successive blocks of data. The amount of data written depends on the block alignment of the encrypted data: as a result the amount of data written may be anything from zero bytes to (inl + cipher_block_size \- 1) so \fBout\fR should contain sufficient -room. The actual number of bytes written is placed in \fBoutl\fR. +room. The actual number of bytes written is placed in \fBoutl\fR. It also +checks if \fBin\fR and \fBout\fR are partially overlapping, and if they are +0 is returned to indicate failure. .PP If padding is enabled (the default) then \fIEVP_EncryptFinal_ex()\fR encrypts the \*(L"final\*(R" data, that is any data that remains in a partial block. -It uses standard block padding (aka \s-1PKCS\s0 padding). The encrypted +It uses standard block padding (aka \s-1PKCS\s0 padding) as described in +the \s-1NOTES\s0 section, below. The encrypted final data is written to \fBout\fR which should have sufficient space for one cipher block. The number of bytes written is placed in \fBoutl\fR. After this function is called the encryption operation is finished and no further @@ -291,15 +268,15 @@ performed depends on the value of the \fBenc\fR parameter. It should be set to 1 for encryption, 0 for decryption and \-1 to leave the value unchanged (the actual value of 'enc' being supplied in a previous call). .PP -\&\fIEVP_CIPHER_CTX_cleanup()\fR clears all information from a cipher context -and free up any allocated memory associate with it. It should be called -after all operations using a cipher are complete so sensitive information -does not remain in memory. +\&\fIEVP_CIPHER_CTX_reset()\fR clears all information from a cipher context +and free up any allocated memory associate with it, except the \fBctx\fR +itself. This function should be called anytime \fBctx\fR is to be reused +for another \fIEVP_CipherInit()\fR / \fIEVP_CipherUpdate()\fR / \fIEVP_CipherFinal()\fR +series of calls. .PP \&\fIEVP_EncryptInit()\fR, \fIEVP_DecryptInit()\fR and \fIEVP_CipherInit()\fR behave in a -similar way to \fIEVP_EncryptInit_ex()\fR, EVP_DecryptInit_ex and -\&\fIEVP_CipherInit_ex()\fR except the \fBctx\fR parameter does not need to be -initialized and they always use the default cipher implementation. +similar way to \fIEVP_EncryptInit_ex()\fR, \fIEVP_DecryptInit_ex()\fR and +\&\fIEVP_CipherInit_ex()\fR except they always use the default cipher implementation. .PP \&\fIEVP_EncryptFinal()\fR, \fIEVP_DecryptFinal()\fR and \fIEVP_CipherFinal()\fR are identical to \fIEVP_EncryptFinal_ex()\fR, \fIEVP_DecryptFinal_ex()\fR and @@ -316,12 +293,14 @@ passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR structure. The value is an internal value which may not have a corresponding \s-1OBJECT IDENTIFIER.\s0 .PP -\&\fIEVP_CIPHER_CTX_set_padding()\fR enables or disables padding. By default -encryption operations are padded using standard block padding and the -padding is checked and removed when decrypting. If the \fBpad\fR parameter -is zero then no padding is performed, the total amount of data encrypted -or decrypted must then be a multiple of the block size or an error will -occur. +\&\fIEVP_CIPHER_CTX_set_padding()\fR enables or disables padding. This +function should be called after the context is set up for encryption +or decryption with \fIEVP_EncryptInit_ex()\fR, \fIEVP_DecryptInit_ex()\fR or +\&\fIEVP_CipherInit_ex()\fR. By default encryption operations are padded using +standard block padding and the padding is checked and removed when +decrypting. If the \fBpad\fR parameter is zero then no padding is +performed, the total amount of data encrypted or decrypted must then +be a multiple of the block size or an error will occur. .PP \&\fIEVP_CIPHER_key_length()\fR and \fIEVP_CIPHER_CTX_key_length()\fR return the key length of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR @@ -341,7 +320,7 @@ It will return zero if the cipher does not use an \s-1IV.\s0 The constant .PP \&\fIEVP_CIPHER_block_size()\fR and \fIEVP_CIPHER_CTX_block_size()\fR return the block size of a cipher when passed an \fB\s-1EVP_CIPHER\s0\fR or \fB\s-1EVP_CIPHER_CTX\s0\fR -structure. The constant \fB\s-1EVP_MAX_IV_LENGTH\s0\fR is also the maximum block +structure. The constant \fB\s-1EVP_MAX_BLOCK_LENGTH\s0\fR is also the maximum block length for all ciphers. .PP \&\fIEVP_CIPHER_type()\fR and \fIEVP_CIPHER_CTX_type()\fR return the type of the passed @@ -355,8 +334,9 @@ identifier or does not have \s-1ASN1\s0 support this function will return an \fB\s-1EVP_CIPHER_CTX\s0\fR structure. .PP \&\fIEVP_CIPHER_mode()\fR and \fIEVP_CIPHER_CTX_mode()\fR return the block cipher mode: -\&\s-1EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE\s0 or -\&\s-1EVP_CIPH_OFB_MODE.\s0 If the cipher is a stream cipher then +\&\s-1EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE, EVP_CIPH_OFB_MODE, +EVP_CIPH_CTR_MODE, EVP_CIPH_GCM_MODE, EVP_CIPH_CCM_MODE, EVP_CIPH_XTS_MODE, +EVP_CIPH_WRAP_MODE\s0 or \s-1EVP_CIPH_OCB_MODE.\s0 If the cipher is a stream cipher then \&\s-1EVP_CIPH_STREAM_CIPHER\s0 is returned. .PP \&\fIEVP_CIPHER_param_to_asn1()\fR sets the AlgorithmIdentifier \*(L"parameter\*(R" based @@ -379,8 +359,16 @@ is not supported. .PP \&\fIEVP_CIPHER_CTX_ctrl()\fR allows various cipher specific parameters to be determined and set. +.PP +\&\fIEVP_CIPHER_CTX_rand_key()\fR generates a random key of the appropriate length +based on the cipher context. The \s-1EVP_CIPHER\s0 can provide its own random key +generation routine to support keys of a specific form. \fBKey\fR must point to a +buffer at least as big as the value returned by \fIEVP_CIPHER_CTX_key_length()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" +\&\fIEVP_CIPHER_CTX_new()\fR returns a pointer to a newly created +\&\fB\s-1EVP_CIPHER_CTX\s0\fR for success and \fB\s-1NULL\s0\fR for failure. +.PP \&\fIEVP_EncryptInit_ex()\fR, \fIEVP_EncryptUpdate()\fR and \fIEVP_EncryptFinal_ex()\fR return 1 for success and 0 for failure. .PP @@ -390,7 +378,7 @@ return 1 for success and 0 for failure. \&\fIEVP_CipherInit_ex()\fR and \fIEVP_CipherUpdate()\fR return 1 for success and 0 for failure. \&\fIEVP_CipherFinal_ex()\fR returns 0 for a decryption failure or 1 for success. .PP -\&\fIEVP_CIPHER_CTX_cleanup()\fR returns 1 for success and 0 for failure. +\&\fIEVP_CIPHER_CTX_reset()\fR returns 1 for success and 0 for failure. .PP \&\fIEVP_get_cipherbyname()\fR, \fIEVP_get_cipherbynid()\fR and \fIEVP_get_cipherbyobj()\fR return an \fB\s-1EVP_CIPHER\s0\fR structure or \s-1NULL\s0 on error. @@ -413,142 +401,115 @@ length or zero if the cipher does not use an \s-1IV.\s0 .PP \&\fIEVP_CIPHER_CTX_cipher()\fR returns an \fB\s-1EVP_CIPHER\s0\fR structure. .PP -\&\fIEVP_CIPHER_param_to_asn1()\fR and \fIEVP_CIPHER_asn1_to_param()\fR return 1 for -success or zero for failure. +\&\fIEVP_CIPHER_param_to_asn1()\fR and \fIEVP_CIPHER_asn1_to_param()\fR return greater +than zero for success and zero or a negative number on failure. +.PP +\&\fIEVP_CIPHER_CTX_rand_key()\fR returns 1 for success. .SH "CIPHER LISTING" .IX Header "CIPHER LISTING" All algorithms have a fixed key length unless otherwise stated. +.PP +Refer to \*(L"\s-1SEE ALSO\*(R"\s0 for the full list of ciphers available through the \s-1EVP\s0 +interface. .IP "\fIEVP_enc_null()\fR" 4 .IX Item "EVP_enc_null()" Null cipher: does nothing. -.IP "EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void)" 4 -.IX Item "EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void)" -\&\s-1DES\s0 in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. -.IP "EVP_des_ede_cbc(void), \fIEVP_des_ede()\fR, EVP_des_ede_ofb(void), EVP_des_ede_cfb(void)" 4 -.IX Item "EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void), EVP_des_ede_cfb(void)" -Two key triple \s-1DES\s0 in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. -.IP "EVP_des_ede3_cbc(void), \fIEVP_des_ede3()\fR, EVP_des_ede3_ofb(void), EVP_des_ede3_cfb(void)" 4 -.IX Item "EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void), EVP_des_ede3_cfb(void)" -Three key triple \s-1DES\s0 in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. -.IP "EVP_desx_cbc(void)" 4 -.IX Item "EVP_desx_cbc(void)" -\&\s-1DESX\s0 algorithm in \s-1CBC\s0 mode. -.IP "EVP_rc4(void)" 4 -.IX Item "EVP_rc4(void)" -\&\s-1RC4\s0 stream cipher. This is a variable key length cipher with default key length 128 bits. -.IP "EVP_rc4_40(void)" 4 -.IX Item "EVP_rc4_40(void)" -\&\s-1RC4\s0 stream cipher with 40 bit key length. This is obsolete and new code should use \fIEVP_rc4()\fR -and the \fIEVP_CIPHER_CTX_set_key_length()\fR function. -.IP "\fIEVP_idea_cbc()\fR EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void)" 4 -.IX Item "EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void)" -\&\s-1IDEA\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. -.IP "EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)" 4 -.IX Item "EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)" -\&\s-1RC2\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key -length cipher with an additional parameter called \*(L"effective key bits\*(R" or \*(L"effective key length\*(R". -By default both are set to 128 bits. -.IP "EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)" 4 -.IX Item "EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)" -\&\s-1RC2\s0 algorithm in \s-1CBC\s0 mode with a default key length and effective key length of 40 and 64 bits. -These are obsolete and new code should use \fIEVP_rc2_cbc()\fR, \fIEVP_CIPHER_CTX_set_key_length()\fR and -\&\fIEVP_CIPHER_CTX_ctrl()\fR to set the key length and effective key length. -.IP "EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);" 4 -.IX Item "EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);" -Blowfish encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key -length cipher. -.IP "EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)" 4 -.IX Item "EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)" -\&\s-1CAST\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key -length cipher. -.IP "EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)" 4 -.IX Item "EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)" -\&\s-1RC5\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. This is a variable key length -cipher with an additional \*(L"number of rounds\*(R" parameter. By default the key length is set to 128 -bits and 12 rounds. -.IP "EVP_aes_128_gcm(void), EVP_aes_192_gcm(void), EVP_aes_256_gcm(void)" 4 -.IX Item "EVP_aes_128_gcm(void), EVP_aes_192_gcm(void), EVP_aes_256_gcm(void)" -\&\s-1AES\s0 Galois Counter Mode (\s-1GCM\s0) for 128, 192 and 256 bit keys respectively. -These ciphers require additional control operations to function correctly: see -\&\*(L"\s-1GCM\s0 mode\*(R" section below for details. -.IP "EVP_aes_128_ccm(void), EVP_aes_192_ccm(void), EVP_aes_256_ccm(void)" 4 -.IX Item "EVP_aes_128_ccm(void), EVP_aes_192_ccm(void), EVP_aes_256_ccm(void)" -\&\s-1AES\s0 Counter with CBC-MAC Mode (\s-1CCM\s0) for 128, 192 and 256 bit keys respectively. -These ciphers require additional control operations to function correctly: see -\&\s-1CCM\s0 mode section below for details. -.SH "GCM Mode" -.IX Header "GCM Mode" -For \s-1GCM\s0 mode ciphers the behaviour of the \s-1EVP\s0 interface is subtly altered and -several \s-1GCM\s0 specific ctrl operations are supported. +.SH "AEAD Interface" +.IX Header "AEAD Interface" +The \s-1EVP\s0 interface for Authenticated Encryption with Associated Data (\s-1AEAD\s0) +modes are subtly altered and several additional \fIctrl\fR operations are supported +depending on the mode specified. .PP -To specify any additional authenticated data (\s-1AAD\s0) a call to \fIEVP_CipherUpdate()\fR, -\&\fIEVP_EncryptUpdate()\fR or \fIEVP_DecryptUpdate()\fR should be made with the output +To specify additional authenticated data (\s-1AAD\s0), a call to \fIEVP_CipherUpdate()\fR, +\&\fIEVP_EncryptUpdate()\fR or \fIEVP_DecryptUpdate()\fR should be made with the output parameter \fBout\fR set to \fB\s-1NULL\s0\fR. .PP -When decrypting the return value of \fIEVP_DecryptFinal()\fR or \fIEVP_CipherFinal()\fR -indicates if the operation was successful. If it does not indicate success -the authentication operation has failed and any output data \fB\s-1MUST NOT\s0\fR -be used as it is corrupted. -.PP -The following ctrls are supported in \s-1GCM\s0 mode: -.PP -.Vb 1 -\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, ivlen, NULL); -.Ve -.PP -Sets the \s-1GCM IV\s0 length: this call can only be made before specifying an \s-1IV.\s0 If -not called a default \s-1IV\s0 length is used (96 bits for \s-1AES\s0). -.PP -.Vb 1 -\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, taglen, tag); -.Ve -.PP -Writes \fBtaglen\fR bytes of the tag value to the buffer indicated by \fBtag\fR. +When decrypting, the return value of \fIEVP_DecryptFinal()\fR or \fIEVP_CipherFinal()\fR +indicates whether the operation was successful. If it does not indicate success, +the authentication operation has failed and any output data \fB\s-1MUST NOT\s0\fR be used +as it is corrupted. +.SS "\s-1GCM\s0 and \s-1OCB\s0 Modes" +.IX Subsection "GCM and OCB Modes" +The following \fIctrl\fRs are supported in \s-1GCM\s0 and \s-1OCB\s0 modes. +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)" +Sets the \s-1IV\s0 length. This call can only be made before specifying an \s-1IV.\s0 If +not called a default \s-1IV\s0 length is used. +.Sp +For \s-1GCM AES\s0 and \s-1OCB AES\s0 the default is 12 (i.e. 96 bits). For \s-1OCB\s0 mode the +maximum is 15. +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_GET_TAG,\s0 taglen, tag)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)" +Writes \f(CW\*(C`taglen\*(C'\fR bytes of the tag value to the buffer indicated by \f(CW\*(C`tag\*(C'\fR. This call can only be made when encrypting data and \fBafter\fR all data has been processed (e.g. after an \fIEVP_EncryptFinal()\fR call). +.Sp +For \s-1OCB,\s0 \f(CW\*(C`taglen\*(C'\fR must either be 16 or the value previously set via +\&\fB\s-1EVP_CTRL_AEAD_SET_TAG\s0\fR. +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)" +Sets the expected tag to \f(CW\*(C`taglen\*(C'\fR bytes from \f(CW\*(C`tag\*(C'\fR. +The tag length can only be set before specifying an \s-1IV.\s0 +\&\f(CW\*(C`taglen\*(C'\fR must be between 1 and 16 inclusive. +.Sp +For \s-1GCM,\s0 this call is only valid when decrypting data. +.Sp +For \s-1OCB,\s0 this call is valid when decrypting data to set the expected tag, +and before encryption to set the desired tag length. +.Sp +In \s-1OCB\s0 mode, calling this before encryption with \f(CW\*(C`tag\*(C'\fR set to \f(CW\*(C`NULL\*(C'\fR sets the +tag length. If this is not called prior to encryption, a default tag length is +used. +.Sp +For \s-1OCB AES,\s0 the default tag length is 16 (i.e. 128 bits). It is also the +maximum tag length for \s-1OCB.\s0 +.SS "\s-1CCM\s0 Mode" +.IX Subsection "CCM Mode" +The \s-1EVP\s0 interface for \s-1CCM\s0 mode is similar to that of the \s-1GCM\s0 mode but with a +few additional requirements and different \fIctrl\fR values. .PP -.Vb 1 -\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, taglen, tag); -.Ve -.PP -Sets the expected tag to \fBtaglen\fR bytes from \fBtag\fR. This call is only legal -when decrypting data. -.SH "CCM Mode" -.IX Header "CCM Mode" -The behaviour of \s-1CCM\s0 mode ciphers is similar to \s-1CCM\s0 mode but with a few -additional requirements and different ctrl values. -.PP -Like \s-1GCM\s0 mode any additional authenticated data (\s-1AAD\s0) is passed by calling -\&\fIEVP_CipherUpdate()\fR, \fIEVP_EncryptUpdate()\fR or \fIEVP_DecryptUpdate()\fR with the output -parameter \fBout\fR set to \fB\s-1NULL\s0\fR. Additionally the total plaintext or ciphertext -length \fB\s-1MUST\s0\fR be passed to \fIEVP_CipherUpdate()\fR, \fIEVP_EncryptUpdate()\fR or -\&\fIEVP_DecryptUpdate()\fR with the output and input parameters (\fBin\fR and \fBout\fR) -set to \fB\s-1NULL\s0\fR and the length passed in the \fBinl\fR parameter. -.PP -The following ctrls are supported in \s-1CCM\s0 mode: -.PP -.Vb 1 -\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, taglen, tag); -.Ve +For \s-1CCM\s0 mode, the total plaintext or ciphertext length \fB\s-1MUST\s0\fR be passed to +\&\fIEVP_CipherUpdate()\fR, \fIEVP_EncryptUpdate()\fR or \fIEVP_DecryptUpdate()\fR with the output +and input parameters (\fBin\fR and \fBout\fR) set to \fB\s-1NULL\s0\fR and the length passed in +the \fBinl\fR parameter. .PP +The following \fIctrl\fRs are supported in \s-1CCM\s0 mode. +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)" This call is made to set the expected \fB\s-1CCM\s0\fR tag value when decrypting or -the length of the tag (with the \fBtag\fR parameter set to \s-1NULL\s0) when encrypting. +the length of the tag (with the \f(CW\*(C`tag\*(C'\fR parameter set to \s-1NULL\s0) when encrypting. The tag length is often referred to as \fBM\fR. If not set a default value is used (12 for \s-1AES\s0). -.PP -.Vb 1 -\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL); -.Ve -.PP +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_CCM_SET_L,\s0 ivlen, \s-1NULL\s0)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_L, ivlen, NULL)" Sets the \s-1CCM\s0 \fBL\fR value. If not set a default is used (8 for \s-1AES\s0). -.PP -.Vb 1 -\& EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, ivlen, NULL); -.Ve -.PP -Sets the \s-1CCM\s0 nonce (\s-1IV\s0) length: this call can only be made before specifying -an nonce value. The nonce length is given by \fB15 \- L\fR so it is 7 by default -for \s-1AES.\s0 +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)" +Sets the \s-1CCM\s0 nonce (\s-1IV\s0) length. This call can only be made before specifying an +nonce value. The nonce length is given by \fB15 \- L\fR so it is 7 by default for +\&\s-1AES.\s0 +.SS "ChaCha20\-Poly1305" +.IX Subsection "ChaCha20-Poly1305" +The following \fIctrl\fRs are supported for the ChaCha20\-Poly1305 \s-1AEAD\s0 algorithm. +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_IVLEN,\s0 ivlen, \s-1NULL\s0)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)" +Sets the nonce length. This call can only be made before specifying the nonce. +If not called a default nonce length of 12 (i.e. 96 bits) is used. The maximum +nonce length is 16 (\fB\s-1CHACHA_CTR_SIZE\s0\fR, i.e. 128\-bits). +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_GET_TAG,\s0 taglen, tag)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, taglen, tag)" +Writes \f(CW\*(C`taglen\*(C'\fR bytes of the tag value to the buffer indicated by \f(CW\*(C`tag\*(C'\fR. +This call can only be made when encrypting data and \fBafter\fR all data has been +processed (e.g. after an \fIEVP_EncryptFinal()\fR call). +.Sp +\&\f(CW\*(C`taglen\*(C'\fR specified here must be 16 (\fB\s-1POLY1305_BLOCK_SIZE\s0\fR, i.e. 128\-bits) or +less. +.IP "EVP_CIPHER_CTX_ctrl(ctx, \s-1EVP_CTRL_AEAD_SET_TAG,\s0 taglen, tag)" 4 +.IX Item "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, taglen, tag)" +Sets the expected tag to \f(CW\*(C`taglen\*(C'\fR bytes from \f(CW\*(C`tag\*(C'\fR. +The tag length can only be set before specifying an \s-1IV.\s0 +\&\f(CW\*(C`taglen\*(C'\fR must be between 1 and 16 (\fB\s-1POLY1305_BLOCK_SIZE\s0\fR) inclusive. +This call is only valid when decrypting data. .SH "NOTES" .IX Header "NOTES" Where possible the \fB\s-1EVP\s0\fR interface to symmetric ciphers should be used in @@ -558,7 +519,7 @@ transparent to the cipher used and much more flexible. Additionally, the acceleration such as AES-NI (the low level interfaces do not provide the guarantee). .PP -\&\s-1PKCS\s0 padding works by adding \fBn\fR padding bytes of value \fBn\fR to make the total +\&\s-1PKCS\s0 padding works by adding \fBn\fR padding bytes of value \fBn\fR to make the total length of the encrypted data a multiple of the block size. Padding is always added so if the data is already a multiple of the block size \fBn\fR will equal the block size. For example if the block size is 8 and 11 bytes are to be @@ -580,15 +541,15 @@ compatibility with existing code. New code should use \fIEVP_EncryptInit_ex()\fR \&\fIEVP_EncryptFinal_ex()\fR, \fIEVP_DecryptInit_ex()\fR, \fIEVP_DecryptFinal_ex()\fR, \&\fIEVP_CipherInit_ex()\fR and \fIEVP_CipherFinal_ex()\fR because they can reuse an existing context without allocating and freeing it up on each call. +.PP +\&\fIEVP_get_cipherbynid()\fR, and \fIEVP_get_cipherbyobj()\fR are implemented as macros. .SH "BUGS" .IX Header "BUGS" -For \s-1RC5\s0 the number of rounds can currently only be set to 8, 12 or 16. This is -a limitation of the current \s-1RC5\s0 code rather than the \s-1EVP\s0 interface. -.PP -\&\s-1EVP_MAX_KEY_LENGTH\s0 and \s-1EVP_MAX_IV_LENGTH\s0 only refer to the internal ciphers with -default key lengths. If custom ciphers exceed these values the results are -unpredictable. This is because it has become standard practice to define a -generic key as a fixed unsigned char array containing \s-1EVP_MAX_KEY_LENGTH\s0 bytes. +\&\fB\s-1EVP_MAX_KEY_LENGTH\s0\fR and \fB\s-1EVP_MAX_IV_LENGTH\s0\fR only refer to the internal +ciphers with default key lengths. If custom ciphers exceed these values the +results are unpredictable. This is because it has become standard practice to +define a generic key as a fixed unsigned char array containing +\&\fB\s-1EVP_MAX_KEY_LENGTH\s0\fR bytes. .PP The \s-1ASN1\s0 code is incomplete (and sometimes inaccurate) it has only been tested for certain common S/MIME ciphers (\s-1RC2, DES,\s0 triple \s-1DES\s0) in \s-1CBC\s0 mode. @@ -596,117 +557,147 @@ for certain common S/MIME ciphers (\s-1RC2, DES,\s0 triple \s-1DES\s0) in \s-1CB .IX Header "EXAMPLES" Encrypt a string using \s-1IDEA:\s0 .PP -.Vb 12 +.Vb 10 \& int do_crypt(char *outfile) -\& { -\& unsigned char outbuf[1024]; -\& int outlen, tmplen; -\& /* Bogus key and IV: we\*(Aqd normally set these from -\& * another source. -\& */ -\& unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; -\& unsigned char iv[] = {1,2,3,4,5,6,7,8}; -\& char intext[] = "Some Crypto Text"; -\& EVP_CIPHER_CTX ctx; -\& FILE *out; +\& { +\& unsigned char outbuf[1024]; +\& int outlen, tmplen; +\& /* +\& * Bogus key and IV: we\*(Aqd normally set these from +\& * another source. +\& */ +\& unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; +\& unsigned char iv[] = {1,2,3,4,5,6,7,8}; +\& char intext[] = "Some Crypto Text"; +\& EVP_CIPHER_CTX *ctx; +\& FILE *out; \& -\& EVP_CIPHER_CTX_init(&ctx); -\& EVP_EncryptInit_ex(&ctx, EVP_idea_cbc(), NULL, key, iv); +\& ctx = EVP_CIPHER_CTX_new(); +\& EVP_EncryptInit_ex(ctx, EVP_idea_cbc(), NULL, key, iv); \& -\& if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext))) -\& { -\& /* Error */ -\& return 0; -\& } -\& /* Buffer passed to EVP_EncryptFinal() must be after data just -\& * encrypted to avoid overwriting it. -\& */ -\& if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen)) -\& { -\& /* Error */ -\& return 0; -\& } -\& outlen += tmplen; -\& EVP_CIPHER_CTX_cleanup(&ctx); -\& /* Need binary mode for fopen because encrypted data is -\& * binary data. Also cannot use strlen() on it because -\& * it wont be null terminated and may contain embedded -\& * nulls. -\& */ -\& out = fopen(outfile, "wb"); -\& fwrite(outbuf, 1, outlen, out); -\& fclose(out); -\& return 1; -\& } +\& if (!EVP_EncryptUpdate(ctx, outbuf, &outlen, intext, strlen(intext))) { +\& /* Error */ +\& EVP_CIPHER_CTX_free(ctx); +\& return 0; +\& } +\& /* +\& * Buffer passed to EVP_EncryptFinal() must be after data just +\& * encrypted to avoid overwriting it. +\& */ +\& if (!EVP_EncryptFinal_ex(ctx, outbuf + outlen, &tmplen)) { +\& /* Error */ +\& EVP_CIPHER_CTX_free(ctx); +\& return 0; +\& } +\& outlen += tmplen; +\& EVP_CIPHER_CTX_free(ctx); +\& /* +\& * Need binary mode for fopen because encrypted data is +\& * binary data. Also cannot use strlen() on it because +\& * it won\*(Aqt be NUL terminated and may contain embedded +\& * NULs. +\& */ +\& out = fopen(outfile, "wb"); +\& if (out == NULL) { +\& /* Error */ +\& return 0; +\& } +\& fwrite(outbuf, 1, outlen, out); +\& fclose(out); +\& return 1; +\& } .Ve .PP The ciphertext from the above example can be decrypted using the \fBopenssl\fR utility with the command line (shown on two lines for clarity): .PP .Vb 2 -\& openssl idea \-d . diff --git a/secure/lib/libcrypto/man/EVP_MD_meth_new.3 b/secure/lib/libcrypto/man/EVP_MD_meth_new.3 new file mode 100644 index 000000000000..dbc88b68a83d --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_MD_meth_new.3 @@ -0,0 +1,288 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_MD_METH_NEW 3" +.TH EVP_MD_METH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_MD_meth_dup, EVP_MD_meth_new, EVP_MD_meth_free, EVP_MD_meth_set_input_blocksize, EVP_MD_meth_set_result_size, EVP_MD_meth_set_app_datasize, EVP_MD_meth_set_flags, EVP_MD_meth_set_init, EVP_MD_meth_set_update, EVP_MD_meth_set_final, EVP_MD_meth_set_copy, EVP_MD_meth_set_cleanup, EVP_MD_meth_set_ctrl, EVP_MD_meth_get_input_blocksize, EVP_MD_meth_get_result_size, EVP_MD_meth_get_app_datasize, EVP_MD_meth_get_flags, EVP_MD_meth_get_init, EVP_MD_meth_get_update, EVP_MD_meth_get_final, EVP_MD_meth_get_copy, EVP_MD_meth_get_cleanup, EVP_MD_meth_get_ctrl \&\- Routines to build up EVP_MD methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& EVP_MD *EVP_MD_meth_new(int md_type, int pkey_type); +\& void EVP_MD_meth_free(EVP_MD *md); +\& EVP_MD *EVP_MD_meth_dup(const EVP_MD *md); +\& +\& int EVP_MD_meth_set_input_blocksize(EVP_MD *md, int blocksize); +\& int EVP_MD_meth_set_result_size(EVP_MD *md, int resultsize); +\& int EVP_MD_meth_set_app_datasize(EVP_MD *md, int datasize); +\& int EVP_MD_meth_set_flags(EVP_MD *md, unsigned long flags); +\& int EVP_MD_meth_set_init(EVP_MD *md, int (*init)(EVP_MD_CTX *ctx)); +\& int EVP_MD_meth_set_update(EVP_MD *md, int (*update)(EVP_MD_CTX *ctx, +\& const void *data, +\& size_t count)); +\& int EVP_MD_meth_set_final(EVP_MD *md, int (*final)(EVP_MD_CTX *ctx, +\& unsigned char *md)); +\& int EVP_MD_meth_set_copy(EVP_MD *md, int (*copy)(EVP_MD_CTX *to, +\& const EVP_MD_CTX *from)); +\& int EVP_MD_meth_set_cleanup(EVP_MD *md, int (*cleanup)(EVP_MD_CTX *ctx)); +\& int EVP_MD_meth_set_ctrl(EVP_MD *md, int (*ctrl)(EVP_MD_CTX *ctx, int cmd, +\& int p1, void *p2)); +\& +\& int EVP_MD_meth_get_input_blocksize(const EVP_MD *md); +\& int EVP_MD_meth_get_result_size(const EVP_MD *md); +\& int EVP_MD_meth_get_app_datasize(const EVP_MD *md); +\& unsigned long EVP_MD_meth_get_flags(const EVP_MD *md); +\& int (*EVP_MD_meth_get_init(const EVP_MD *md))(EVP_MD_CTX *ctx); +\& int (*EVP_MD_meth_get_update(const EVP_MD *md))(EVP_MD_CTX *ctx, +\& const void *data, +\& size_t count); +\& int (*EVP_MD_meth_get_final(const EVP_MD *md))(EVP_MD_CTX *ctx, +\& unsigned char *md); +\& int (*EVP_MD_meth_get_copy(const EVP_MD *md))(EVP_MD_CTX *to, +\& const EVP_MD_CTX *from); +\& int (*EVP_MD_meth_get_cleanup(const EVP_MD *md))(EVP_MD_CTX *ctx); +\& int (*EVP_MD_meth_get_ctrl(const EVP_MD *md))(EVP_MD_CTX *ctx, int cmd, +\& int p1, void *p2); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1EVP_MD\s0\fR type is a structure for digest method implementation. +It can also have associated public/private key signing and verifying +routines. +.PP +\&\fIEVP_MD_meth_new()\fR creates a new \fB\s-1EVP_MD\s0\fR structure. +.PP +\&\fIEVP_MD_meth_dup()\fR creates a copy of \fBmd\fR. +.PP +\&\fIEVP_MD_meth_free()\fR destroys a \fB\s-1EVP_MD\s0\fR structure. +.PP +\&\fIEVP_MD_meth_set_input_blocksize()\fR sets the internal input block size +for the method \fBmd\fR to \fBblocksize\fR bytes. +.PP +\&\fIEVP_MD_meth_set_result_size()\fR sets the size of the result that the +digest method in \fBmd\fR is expected to produce to \fBresultsize\fR bytes. +.PP +The digest method may have its own private data, which OpenSSL will +allocate for it. \fIEVP_MD_meth_set_app_datasize()\fR should be used to +set the size for it to \fBdatasize\fR. +.PP +\&\fIEVP_MD_meth_set_flags()\fR sets the flags to describe optional +behaviours in the particular \fBmd\fR. Several flags can be or'd +together. The available flags are: +.IP "\s-1EVP_MD_FLAG_ONESHOT\s0" 4 +.IX Item "EVP_MD_FLAG_ONESHOT" +This digest method can only handles one block of input. +.IP "\s-1EVP_MD_FLAG_DIGALGID_NULL\s0" 4 +.IX Item "EVP_MD_FLAG_DIGALGID_NULL" +When setting up a DigestAlgorithmIdentifier, this flag will have the +parameter set to \s-1NULL\s0 by default. Use this for PKCS#1. \fINote: if +combined with \s-1EVP_MD_FLAG_DIGALGID_ABSENT,\s0 the latter will override.\fR +.IP "\s-1EVP_MD_FLAG_DIGALGID_ABSENT\s0" 4 +.IX Item "EVP_MD_FLAG_DIGALGID_ABSENT" +When setting up a DigestAlgorithmIdentifier, this flag will have the +parameter be left absent by default. \fINote: if combined with +\&\s-1EVP_MD_FLAG_DIGALGID_NULL,\s0 the latter will be overridden.\fR +.IP "\s-1EVP_MD_FLAG_DIGALGID_CUSTOM\s0" 4 +.IX Item "EVP_MD_FLAG_DIGALGID_CUSTOM" +Custom DigestAlgorithmIdentifier handling via ctrl, with +\&\fB\s-1EVP_MD_FLAG_DIGALGID_ABSENT\s0\fR as default. \fINote: if combined with +\&\s-1EVP_MD_FLAG_DIGALGID_NULL,\s0 the latter will be overridden.\fR +Currently unused. +.PP +\&\fIEVP_MD_meth_set_init()\fR sets the digest init function for \fBmd\fR. +The digest init function is called by \fIEVP_DigestInit()\fR, +\&\fIEVP_DigestInit_ex()\fR, EVP_SignInit, \fIEVP_SignInit_ex()\fR, \fIEVP_VerifyInit()\fR +and \fIEVP_VerifyInit_ex()\fR. +.PP +\&\fIEVP_MD_meth_set_update()\fR sets the digest update function for \fBmd\fR. +The digest update function is called by \fIEVP_DigestUpdate()\fR, +\&\fIEVP_SignUpdate()\fR. +.PP +\&\fIEVP_MD_meth_set_final()\fR sets the digest final function for \fBmd\fR. +The digest final function is called by \fIEVP_DigestFinal()\fR, +\&\fIEVP_DigestFinal_ex()\fR, \fIEVP_SignFinal()\fR and \fIEVP_VerifyFinal()\fR. +.PP +\&\fIEVP_MD_meth_set_copy()\fR sets the function for \fBmd\fR to do extra +computations after the method's private data structure has been copied +from one \fB\s-1EVP_MD_CTX\s0\fR to another. If all that's needed is to copy +the data, there is no need for this copy function. +Note that the copy function is passed two \fB\s-1EVP_MD_CTX\s0 *\fR, the private +data structure is then available with \fIEVP_MD_CTX_md_data()\fR. +This copy function is called by \fIEVP_MD_CTX_copy()\fR and +\&\fIEVP_MD_CTX_copy_ex()\fR. +.PP +\&\fIEVP_MD_meth_set_cleanup()\fR sets the function for \fBmd\fR to do extra +cleanup before the method's private data structure is cleaned out and +freed. +Note that the cleanup function is passed a \fB\s-1EVP_MD_CTX\s0 *\fR, the +private data structure is then available with \fIEVP_MD_CTX_md_data()\fR. +This cleanup function is called by \fIEVP_MD_CTX_reset()\fR and +\&\fIEVP_MD_CTX_free()\fR. +.PP +\&\fIEVP_MD_meth_set_ctrl()\fR sets the control function for \fBmd\fR. +.PP +\&\fIEVP_MD_meth_get_input_blocksize()\fR, \fIEVP_MD_meth_get_result_size()\fR, +\&\fIEVP_MD_meth_get_app_datasize()\fR, \fIEVP_MD_meth_get_flags()\fR, +\&\fIEVP_MD_meth_get_init()\fR, \fIEVP_MD_meth_get_update()\fR, +\&\fIEVP_MD_meth_get_final()\fR, \fIEVP_MD_meth_get_copy()\fR, +\&\fIEVP_MD_meth_get_cleanup()\fR and \fIEVP_MD_meth_get_ctrl()\fR are all used +to retrieve the method data given with the EVP_MD_meth_set_*() +functions above. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIEVP_MD_meth_new()\fR and \fIEVP_MD_meth_dup()\fR return a pointer to a newly +created \fB\s-1EVP_MD\s0\fR, or \s-1NULL\s0 on failure. +All EVP_MD_meth_set_*() functions return 1. +\&\fIEVP_MD_get_input_blocksize()\fR, \fIEVP_MD_meth_get_result_size()\fR, +\&\fIEVP_MD_meth_get_app_datasize()\fR and \fIEVP_MD_meth_get_flags()\fR return the +indicated sizes or flags. +All other EVP_CIPHER_meth_get_*() functions return pointers to their +respective \fBmd\fR function. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIEVP_DigestInit\fR\|(3), \fIEVP_SignInit\fR\|(3), \fIEVP_VerifyInit\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fB\s-1EVP_MD\s0\fR structure was openly available in OpenSSL before version +1.1. The functions described here were added in OpenSSL 1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_OpenInit.3 b/secure/lib/libcrypto/man/EVP_OpenInit.3 index a881b68f8df3..782f48de42a5 100644 --- a/secure/lib/libcrypto/man/EVP_OpenInit.3 +++ b/secure/lib/libcrypto/man/EVP_OpenInit.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_OpenInit 3" -.TH EVP_OpenInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_OPENINIT 3" +.TH EVP_OPENINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,12 +141,11 @@ EVP_OpenInit, EVP_OpenUpdate, EVP_OpenFinal \- EVP envelope decryption .Vb 1 \& #include \& -\& int EVP_OpenInit(EVP_CIPHER_CTX *ctx,EVP_CIPHER *type,unsigned char *ek, -\& int ekl,unsigned char *iv,EVP_PKEY *priv); +\& int EVP_OpenInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char *ek, +\& int ekl, unsigned char *iv, EVP_PKEY *priv); \& int EVP_OpenUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl, unsigned char *in, int inl); -\& int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl); +\& int *outl, unsigned char *in, int inl); +\& int EVP_OpenFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -160,7 +159,7 @@ with cipher \fBtype\fR. It decrypts the encrypted symmetric key of length The \s-1IV\s0 is supplied in the \fBiv\fR parameter. .PP \&\fIEVP_OpenUpdate()\fR and \fIEVP_OpenFinal()\fR have exactly the same properties -as the \fIEVP_DecryptUpdate()\fR and \fIEVP_DecryptFinal()\fR routines, as +as the \fIEVP_DecryptUpdate()\fR and \fIEVP_DecryptFinal()\fR routines, as documented on the \fIEVP_EncryptInit\fR\|(3) manual page. .SH "NOTES" @@ -184,8 +183,14 @@ recovered secret key size) if successful. \&\fIEVP_OpenFinal()\fR returns 0 if the decrypt failed or 1 for success. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIevp\fR\|(3), \fIrand\fR\|(3), +\&\fIevp\fR\|(7), \fIRAND_bytes\fR\|(3), \&\fIEVP_EncryptInit\fR\|(3), \&\fIEVP_SealInit\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_ASN1_METHOD.3 b/secure/lib/libcrypto/man/EVP_PKEY_ASN1_METHOD.3 new file mode 100644 index 000000000000..c239dcd2812a --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_PKEY_ASN1_METHOD.3 @@ -0,0 +1,549 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_PKEY_ASN1_METHOD 3" +.TH EVP_PKEY_ASN1_METHOD 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_PKEY_ASN1_METHOD, EVP_PKEY_asn1_new, EVP_PKEY_asn1_copy, EVP_PKEY_asn1_free, EVP_PKEY_asn1_add0, EVP_PKEY_asn1_add_alias, EVP_PKEY_asn1_set_public, EVP_PKEY_asn1_set_private, EVP_PKEY_asn1_set_param, EVP_PKEY_asn1_set_free, EVP_PKEY_asn1_set_ctrl, EVP_PKEY_asn1_set_item, EVP_PKEY_asn1_set_siginf, EVP_PKEY_asn1_set_check, EVP_PKEY_asn1_set_public_check, EVP_PKEY_asn1_set_param_check, EVP_PKEY_asn1_set_security_bits, EVP_PKEY_asn1_set_set_priv_key, EVP_PKEY_asn1_set_set_pub_key, EVP_PKEY_asn1_set_get_priv_key, EVP_PKEY_asn1_set_get_pub_key, EVP_PKEY_get0_asn1 \&\- manipulating and registering EVP_PKEY_ASN1_METHOD structure +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD; +\& +\& EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags, +\& const char *pem_str, +\& const char *info); +\& void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst, +\& const EVP_PKEY_ASN1_METHOD *src); +\& void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth); +\& int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth); +\& int EVP_PKEY_asn1_add_alias(int to, int from); +\& +\& void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*pub_decode) (EVP_PKEY *pk, +\& X509_PUBKEY *pub), +\& int (*pub_encode) (X509_PUBKEY *pub, +\& const EVP_PKEY *pk), +\& int (*pub_cmp) (const EVP_PKEY *a, +\& const EVP_PKEY *b), +\& int (*pub_print) (BIO *out, +\& const EVP_PKEY *pkey, +\& int indent, ASN1_PCTX *pctx), +\& int (*pkey_size) (const EVP_PKEY *pk), +\& int (*pkey_bits) (const EVP_PKEY *pk)); +\& void EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*priv_decode) (EVP_PKEY *pk, +\& const PKCS8_PRIV_KEY_INFO +\& *p8inf), +\& int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, +\& const EVP_PKEY *pk), +\& int (*priv_print) (BIO *out, +\& const EVP_PKEY *pkey, +\& int indent, +\& ASN1_PCTX *pctx)); +\& void EVP_PKEY_asn1_set_param(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*param_decode) (EVP_PKEY *pkey, +\& const unsigned char **pder, +\& int derlen), +\& int (*param_encode) (const EVP_PKEY *pkey, +\& unsigned char **pder), +\& int (*param_missing) (const EVP_PKEY *pk), +\& int (*param_copy) (EVP_PKEY *to, +\& const EVP_PKEY *from), +\& int (*param_cmp) (const EVP_PKEY *a, +\& const EVP_PKEY *b), +\& int (*param_print) (BIO *out, +\& const EVP_PKEY *pkey, +\& int indent, +\& ASN1_PCTX *pctx)); +\& +\& void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth, +\& void (*pkey_free) (EVP_PKEY *pkey)); +\& void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*pkey_ctrl) (EVP_PKEY *pkey, int op, +\& long arg1, void *arg2)); +\& void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*item_verify) (EVP_MD_CTX *ctx, +\& const ASN1_ITEM *it, +\& void *asn, +\& X509_ALGOR *a, +\& ASN1_BIT_STRING *sig, +\& EVP_PKEY *pkey), +\& int (*item_sign) (EVP_MD_CTX *ctx, +\& const ASN1_ITEM *it, +\& void *asn, +\& X509_ALGOR *alg1, +\& X509_ALGOR *alg2, +\& ASN1_BIT_STRING *sig)); +\& +\& void EVP_PKEY_asn1_set_siginf(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*siginf_set) (X509_SIG_INFO *siginf, +\& const X509_ALGOR *alg, +\& const ASN1_STRING *sig)); +\& +\& void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*pkey_check) (const EVP_PKEY *pk)); +\& +\& void EVP_PKEY_asn1_set_public_check(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*pkey_pub_check) (const EVP_PKEY *pk)); +\& +\& void EVP_PKEY_asn1_set_param_check(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*pkey_param_check) (const EVP_PKEY *pk)); +\& +\& void EVP_PKEY_asn1_set_security_bits(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*pkey_security_bits) (const EVP_PKEY +\& *pk)); +\& +\& void EVP_PKEY_asn1_set_set_priv_key(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*set_priv_key) (EVP_PKEY *pk, +\& const unsigned char +\& *priv, +\& size_t len)); +\& +\& void EVP_PKEY_asn1_set_set_pub_key(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*set_pub_key) (EVP_PKEY *pk, +\& const unsigned char *pub, +\& size_t len)); +\& +\& void EVP_PKEY_asn1_set_get_priv_key(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*get_priv_key) (const EVP_PKEY *pk, +\& unsigned char *priv, +\& size_t *len)); +\& +\& void EVP_PKEY_asn1_set_get_pub_key(EVP_PKEY_ASN1_METHOD *ameth, +\& int (*get_pub_key) (const EVP_PKEY *pk, +\& unsigned char *pub, +\& size_t *len)); +\& +\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR is a structure which holds a set of \s-1ASN.1\s0 +conversion, printing and information methods for a specific public key +algorithm. +.PP +There are two places where the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR objects are +stored: one is a built-in array representing the standard methods for +different algorithms, and the other one is a stack of user-defined +application-specific methods, which can be manipulated by using +\&\fIEVP_PKEY_asn1_add0\fR\|(3). +.SS "Methods" +.IX Subsection "Methods" +The methods are the underlying implementations of a particular public +key algorithm present by the \fB\s-1EVP_PKEY\s0\fR object. +.PP +.Vb 5 +\& int (*pub_decode) (EVP_PKEY *pk, X509_PUBKEY *pub); +\& int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk); +\& int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b); +\& int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent, +\& ASN1_PCTX *pctx); +.Ve +.PP +The \fIpub_decode()\fR and \fIpub_encode()\fR methods are called to decode / +encode \fBX509_PUBKEY\fR \s-1ASN.1\s0 parameters to / from \fBpk\fR. +They \s-1MUST\s0 return 0 on error, 1 on success. +They're called by \fIX509_PUBKEY_get0\fR\|(3) and \fIX509_PUBKEY_set\fR\|(3). +.PP +The \fIpub_cmp()\fR method is called when two public keys are to be +compared. +It \s-1MUST\s0 return 1 when the keys are equal, 0 otherwise. +It's called by \fIEVP_PKEY_cmp\fR\|(3). +.PP +The \fIpub_print()\fR method is called to print a public key in humanly +readable text to \fBout\fR, indented \fBindent\fR spaces. +It \s-1MUST\s0 return 0 on error, 1 on success. +It's called by \fIEVP_PKEY_print_public\fR\|(3). +.PP +.Vb 4 +\& int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf); +\& int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk); +\& int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent, +\& ASN1_PCTX *pctx); +.Ve +.PP +The \fIpriv_decode()\fR and \fIpriv_encode()\fR methods are called to decode / +encode \fB\s-1PKCS8_PRIV_KEY_INFO\s0\fR form private key to / from \fBpk\fR. +They \s-1MUST\s0 return 0 on error, 1 on success. +They're called by \s-1\fIEVP_PKCS82PKEY\s0\fR\|(3) and \s-1\fIEVP_PKEY2PKCS8\s0\fR\|(3). +.PP +The \fIpriv_print()\fR method is called to print a private key in humanly +readable text to \fBout\fR, indented \fBindent\fR spaces. +It \s-1MUST\s0 return 0 on error, 1 on success. +It's called by \fIEVP_PKEY_print_private\fR\|(3). +.PP +.Vb 3 +\& int (*pkey_size) (const EVP_PKEY *pk); +\& int (*pkey_bits) (const EVP_PKEY *pk); +\& int (*pkey_security_bits) (const EVP_PKEY *pk); +.Ve +.PP +The \fIpkey_size()\fR method returns the key size in bytes. +It's called by \fIEVP_PKEY_size\fR\|(3). +.PP +The \fIpkey_bits()\fR method returns the key size in bits. +It's called by \fIEVP_PKEY_bits\fR\|(3). +.PP +.Vb 8 +\& int (*param_decode) (EVP_PKEY *pkey, +\& const unsigned char **pder, int derlen); +\& int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder); +\& int (*param_missing) (const EVP_PKEY *pk); +\& int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from); +\& int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b); +\& int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent, +\& ASN1_PCTX *pctx); +.Ve +.PP +The \fIparam_decode()\fR and \fIparam_encode()\fR methods are called to decode / +encode \s-1DER\s0 formatted parameters to / from \fBpk\fR. +They \s-1MUST\s0 return 0 on error, 1 on success. +They're called by \fIPEM_read_bio_Parameters\fR\|(3) and the \fBfile:\fR +\&\s-1\fIOSSL_STORE_LOADER\s0\fR\|(3). +.PP +The \fIparam_missing()\fR method returns 0 if a key parameter is missing, +otherwise 1. +It's called by \fIEVP_PKEY_missing_parameters\fR\|(3). +.PP +The \fIparam_copy()\fR method copies key parameters from \fBfrom\fR to \fBto\fR. +It \s-1MUST\s0 return 0 on error, 1 on success. +It's called by \fIEVP_PKEY_copy_parameters\fR\|(3). +.PP +The \fIparam_cmp()\fR method compares the parameters of keys \fBa\fR and \fBb\fR. +It \s-1MUST\s0 return 1 when the keys are equal, 0 when not equal, or a +negative number on error. +It's called by \fIEVP_PKEY_cmp_parameters\fR\|(3). +.PP +The \fIparam_print()\fR method prints the private key parameters in humanly +readable text to \fBout\fR, indented \fBindent\fR spaces. +It \s-1MUST\s0 return 0 on error, 1 on success. +It's called by \fIEVP_PKEY_print_params\fR\|(3). +.PP +.Vb 3 +\& int (*sig_print) (BIO *out, +\& const X509_ALGOR *sigalg, const ASN1_STRING *sig, +\& int indent, ASN1_PCTX *pctx); +.Ve +.PP +The \fIsig_print()\fR method prints a signature in humanly readable text to +\&\fBout\fR, indented \fBindent\fR spaces. +\&\fBsigalg\fR contains the exact signature algorithm. +If the signature in \fBsig\fR doesn't correspond to what this method +expects, \fIX509_signature_dump()\fR must be used as a last resort. +It \s-1MUST\s0 return 0 on error, 1 on success. +It's called by \fIX509_signature_print\fR\|(3). +.PP +.Vb 1 +\& void (*pkey_free) (EVP_PKEY *pkey); +.Ve +.PP +The \fIpkey_free()\fR method helps freeing the internals of \fBpkey\fR. +It's called by \fIEVP_PKEY_free\fR\|(3), \fIEVP_PKEY_set_type\fR\|(3), +\&\fIEVP_PKEY_set_type_str\fR\|(3), and \fIEVP_PKEY_assign\fR\|(3). +.PP +.Vb 1 +\& int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2); +.Ve +.PP +The \fIpkey_ctrl()\fR method adds extra algorithm specific control. +It's called by \fIEVP_PKEY_get_default_digest_nid\fR\|(3), +\&\fIEVP_PKEY_set1_tls_encodedpoint\fR\|(3), +\&\fIEVP_PKEY_get1_tls_encodedpoint\fR\|(3), \fIPKCS7_SIGNER_INFO_set\fR\|(3), +\&\fIPKCS7_RECIP_INFO_set\fR\|(3), ... +.PP +.Vb 3 +\& int (*old_priv_decode) (EVP_PKEY *pkey, +\& const unsigned char **pder, int derlen); +\& int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder); +.Ve +.PP +The \fIold_priv_decode()\fR and \fIold_priv_encode()\fR methods decode / encode +they private key \fBpkey\fR from / to a \s-1DER\s0 formatted array. +These are exclusively used to help decoding / encoding older (pre +PKCS#8) \s-1PEM\s0 formatted encrypted private keys. +\&\fIold_priv_decode()\fR \s-1MUST\s0 return 0 on error, 1 on success. +\&\fIold_priv_encode()\fR \s-1MUST\s0 the return same kind of values as +\&\fIi2d_PrivateKey()\fR. +They're called by \fId2i_PrivateKey\fR\|(3) and \fIi2d_PrivateKey\fR\|(3). +.PP +.Vb 5 +\& int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, +\& X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey); +\& int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, +\& X509_ALGOR *alg1, X509_ALGOR *alg2, +\& ASN1_BIT_STRING *sig); +.Ve +.PP +The \fIitem_sign()\fR and \fIitem_verify()\fR methods make it possible to have +algorithm specific signatures and verification of them. +.PP +\&\fIitem_sign()\fR \s-1MUST\s0 return one of: +.IP "<=0" 4 +.IX Item "<=0" +error +.IP "1" 4 +.IX Item "1" +\&\fIitem_sign()\fR did everything, OpenSSL internals just needs to pass the +signature length back. +.IP "2" 4 +.IX Item "2" +\&\fIitem_sign()\fR did nothing, OpenSSL internal standard routines are +expected to continue with the default signature production. +.IP "3" 4 +.IX Item "3" +\&\fIitem_sign()\fR set the algorithm identifier \fBalgor1\fR and \fBalgor2\fR, +OpenSSL internals should just sign using those algorithms. +.PP +\&\fIitem_verify()\fR \s-1MUST\s0 return one of: +.IP "<=0" 4 +.IX Item "<=0" +error +.IP "1" 4 +.IX Item "1" +\&\fIitem_sign()\fR did everything, OpenSSL internals just needs to pass the +signature length back. +.IP "2" 4 +.IX Item "2" +\&\fIitem_sign()\fR did nothing, OpenSSL internal standard routines are +expected to continue with the default signature production. +.PP +\&\fIitem_verify()\fR and \fIitem_sign()\fR are called by \fIASN1_item_verify\fR\|(3) and +\&\fIASN1_item_sign\fR\|(3), and by extension, \fIX509_verify\fR\|(3), +\&\fIX509_REQ_verify\fR\|(3), \fIX509_sign\fR\|(3), \fIX509_REQ_sign\fR\|(3), ... +.PP +.Vb 2 +\& int (*siginf_set) (X509_SIG_INFO *siginf, const X509_ALGOR *alg, +\& const ASN1_STRING *sig); +.Ve +.PP +The \fIsiginf_set()\fR method is used to set custom \fBX509_SIG_INFO\fR +parameters. +It \s-1MUST\s0 return 0 on error, or 1 on success. +It's called as part of \fIX509_check_purpose\fR\|(3), \fIX509_check_ca\fR\|(3) +and \fIX509_check_issued\fR\|(3). +.PP +.Vb 3 +\& int (*pkey_check) (const EVP_PKEY *pk); +\& int (*pkey_public_check) (const EVP_PKEY *pk); +\& int (*pkey_param_check) (const EVP_PKEY *pk); +.Ve +.PP +The \fIpkey_check()\fR, \fIpkey_public_check()\fR and \fIpkey_param_check()\fR methods are used +to check the validity of \fBpk\fR for key-pair, public component and parameters, +respectively. +They \s-1MUST\s0 return 0 for an invalid key, or 1 for a valid key. +They are called by \fIEVP_PKEY_check\fR\|(3), \fIEVP_PKEY_public_check\fR\|(3) and +\&\fIEVP_PKEY_param_check\fR\|(3) respectively. +.PP +.Vb 2 +\& int (*set_priv_key) (EVP_PKEY *pk, const unsigned char *priv, size_t len); +\& int (*set_pub_key) (EVP_PKEY *pk, const unsigned char *pub, size_t len); +.Ve +.PP +The \fIset_priv_key()\fR and \fIset_pub_key()\fR methods are used to set the raw private and +public key data for an \s-1EVP_PKEY.\s0 They \s-1MUST\s0 return 0 on error, or 1 on success. +They are called by \fIEVP_PKEY_new_raw_private_key\fR\|(3), and +\&\fIEVP_PKEY_new_raw_public_key\fR\|(3) respectively. +.SS "Functions" +.IX Subsection "Functions" +\&\fIEVP_PKEY_asn1_new()\fR creates and returns a new \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR +object, and associates the given \fBid\fR, \fBflags\fR, \fBpem_str\fR and +\&\fBinfo\fR. +\&\fBid\fR is a \s-1NID,\s0 \fBpem_str\fR is the \s-1PEM\s0 type string, \fBinfo\fR is a +descriptive string. +The following \fBflags\fR are supported: +.PP +.Vb 1 +\& ASN1_PKEY_SIGPARAM_NULL +.Ve +.PP +If \fB\s-1ASN1_PKEY_SIGPARAM_NULL\s0\fR is set, then the signature algorithm +parameters are given the type \fBV_ASN1_NULL\fR by default, otherwise +they will be given the type \fBV_ASN1_UNDEF\fR (i.e. the parameter is +omitted). +See \fIX509_ALGOR_set0\fR\|(3) for more information. +.PP +\&\fIEVP_PKEY_asn1_copy()\fR copies an \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object from +\&\fBsrc\fR to \fBdst\fR. +This function is not thread safe, it's recommended to only use this +when initializing the application. +.PP +\&\fIEVP_PKEY_asn1_free()\fR frees an existing \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR pointed +by \fBameth\fR. +.PP +\&\fIEVP_PKEY_asn1_add0()\fR adds \fBameth\fR to the user defined stack of +methods unless another \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with the same \s-1NID\s0 is +already there. +This function is not thread safe, it's recommended to only use this +when initializing the application. +.PP +\&\fIEVP_PKEY_asn1_add_alias()\fR creates an alias with the \s-1NID\s0 \fBto\fR for the +\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1NID\s0 \fBfrom\fR unless another +\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with the same \s-1NID\s0 is already added. +This function is not thread safe, it's recommended to only use this +when initializing the application. +.PP +\&\fIEVP_PKEY_asn1_set_public()\fR, \fIEVP_PKEY_asn1_set_private()\fR, +\&\fIEVP_PKEY_asn1_set_param()\fR, \fIEVP_PKEY_asn1_set_free()\fR, +\&\fIEVP_PKEY_asn1_set_ctrl()\fR, \fIEVP_PKEY_asn1_set_item()\fR, +\&\fIEVP_PKEY_asn1_set_siginf()\fR, \fIEVP_PKEY_asn1_set_check()\fR, +\&\fIEVP_PKEY_asn1_set_public_check()\fR, \fIEVP_PKEY_asn1_set_param_check()\fR, +\&\fIEVP_PKEY_asn1_set_security_bits()\fR, \fIEVP_PKEY_asn1_set_set_priv_key()\fR, +\&\fIEVP_PKEY_asn1_set_set_pub_key()\fR, \fIEVP_PKEY_asn1_set_get_priv_key()\fR and +\&\fIEVP_PKEY_asn1_set_get_pub_key()\fR set the diverse methods of the given +\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object. +.PP +\&\fIEVP_PKEY_get0_asn1()\fR finds the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR associated +with the key \fBpkey\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIEVP_PKEY_asn1_new()\fR returns \s-1NULL\s0 on error, or a pointer to an +\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object otherwise. +.PP +\&\fIEVP_PKEY_asn1_add0()\fR and \fIEVP_PKEY_asn1_add_alias()\fR return 0 on error, +or 1 on success. +.PP +\&\fIEVP_PKEY_get0_asn1()\fR returns \s-1NULL\s0 on error, or a pointer to a constant +\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR object otherwise. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 index 6232b44c385e..908aed63fefc 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 @@ -128,37 +128,34 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_CTX_ctrl 3" -.TH EVP_PKEY_CTX_ctrl 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_CTX_CTRL 3" +.TH EVP_PKEY_CTX_CTRL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_PKEY_CTX_ctrl, EVP_PKEY_CTX_ctrl_str, -EVP_PKEY_CTX_set_signature_md, EVP_PKEY_CTX_set_rsa_padding, -EVP_PKEY_CTX_set_rsa_pss_saltlen, EVP_PKEY_CTX_set_rsa_rsa_keygen_bits, -EVP_PKEY_CTX_set_rsa_keygen_pubexp, EVP_PKEY_CTX_set_dsa_paramgen_bits, -EVP_PKEY_CTX_set_dh_paramgen_prime_len, -EVP_PKEY_CTX_set_dh_paramgen_generator, -EVP_PKEY_CTX_set_ec_paramgen_curve_nid \- algorithm specific control operations +EVP_PKEY_CTX_ctrl, EVP_PKEY_CTX_ctrl_str, EVP_PKEY_CTX_set_signature_md, EVP_PKEY_CTX_get_signature_md, EVP_PKEY_CTX_set_mac_key, EVP_PKEY_CTX_set_rsa_padding, EVP_PKEY_CTX_set_rsa_pss_saltlen, EVP_PKEY_CTX_set_rsa_keygen_bits, EVP_PKEY_CTX_set_rsa_keygen_pubexp, EVP_PKEY_CTX_set_dsa_paramgen_bits, EVP_PKEY_CTX_set_dh_paramgen_prime_len, EVP_PKEY_CTX_set_dh_paramgen_generator, EVP_PKEY_CTX_set_dh_pad, EVP_PKEY_CTX_set_dh_nid, EVP_PKEY_CTX_set_ec_paramgen_curve_nid, EVP_PKEY_CTX_set_ec_param_enc, EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len \&\- algorithm specific control operations .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, -\& int cmd, int p1, void *p2); +\& int cmd, int p1, void *p2); \& int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, -\& const char *value); +\& const char *value); +\& +\& int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); +\& int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **pmd); +\& +\& int EVP_PKEY_CTX_set_mac_key(EVP_PKEY_CTX *ctx, unsigned char *key, int len); \& \& #include \& -\& int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); -\& \& int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int pad); \& int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int len); -\& int EVP_PKEY_CTX_set_rsa_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits); +\& int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int mbits); \& int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp); \& \& #include @@ -167,9 +164,16 @@ EVP_PKEY_CTX_set_ec_paramgen_curve_nid \- algorithm specific control operations \& #include \& int EVP_PKEY_CTX_set_dh_paramgen_prime_len(EVP_PKEY_CTX *ctx, int len); \& int EVP_PKEY_CTX_set_dh_paramgen_generator(EVP_PKEY_CTX *ctx, int gen); +\& int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad); +\& int EVP_PKEY_CTX_set_dh_nid(EVP_PKEY_CTX *ctx, int nid); \& \& #include \& int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid); +\& int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int param_enc); +\& +\& int EVP_PKEY_CTX_set1_id(EVP_PKEY_CTX *ctx, void *id, size_t id_len); +\& int EVP_PKEY_CTX_get1_id(EVP_PKEY_CTX *ctx, void *id); +\& int EVP_PKEY_CTX_get1_id_len(EVP_PKEY_CTX *ctx, size_t *id_len); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -179,6 +183,9 @@ The function \fIEVP_PKEY_CTX_ctrl()\fR sends a control operation to the context The control command is indicated in \fBcmd\fR and any additional arguments in \&\fBp1\fR and \fBp2\fR. .PP +For \fBcmd\fR = \fB\s-1EVP_PKEY_CTRL_SET_MAC_KEY\s0\fR, \fBp1\fR is the length of the \s-1MAC\s0 key, +and \fBp2\fR is \s-1MAC\s0 key. This is used by Poly1305, SipHash, \s-1HMAC\s0 and \s-1CMAC.\s0 +.PP Applications will not normally call \fIEVP_PKEY_CTX_ctrl()\fR directly but will instead call one of the algorithm specific macros below. .PP @@ -192,14 +199,27 @@ command line pages for the option \fB\-pkeyopt\fR which is supported by the All the remaining \*(L"functions\*(R" are implemented as macros. .PP The \fIEVP_PKEY_CTX_set_signature_md()\fR macro sets the message digest type used -in a signature. It can be used with any public key algorithm supporting -signature operations. +in a signature. It can be used in the \s-1RSA, DSA\s0 and \s-1ECDSA\s0 algorithms. +.PP +The \fIEVP_PKEY_CTX_get_signature_md()\fR macro gets the message digest type used in a +signature. It can be used in the \s-1RSA, DSA\s0 and \s-1ECDSA\s0 algorithms. +.PP +Key generation typically involves setting up parameters to be used and +generating the private and public key data. Some algorithm implementations +allow private key data to be set explicitly using the \fIEVP_PKEY_CTX_set_mac_key()\fR +macro. In this case key generation is simply the process of setting up the +parameters for the key and then setting the raw key data to the value explicitly +provided by that macro. Normally applications would call +\&\fIEVP_PKEY_new_raw_private_key\fR\|(3) or similar functions instead of this macro. +.PP +The \fIEVP_PKEY_CTX_set_mac_key()\fR macro can be used with any of the algorithms +supported by the \fIEVP_PKEY_new_raw_private_key\fR\|(3) function. .PP The macro \fIEVP_PKEY_CTX_set_rsa_padding()\fR sets the \s-1RSA\s0 padding mode for \fBctx\fR. The \fBpad\fR parameter can take the value \s-1RSA_PKCS1_PADDING\s0 for PKCS#1 padding, \&\s-1RSA_SSLV23_PADDING\s0 for SSLv23 padding, \s-1RSA_NO_PADDING\s0 for no padding, \&\s-1RSA_PKCS1_OAEP_PADDING\s0 for \s-1OAEP\s0 padding (encrypt and decrypt only), -\&\s-1RSA_X931_PADDING\s0 for X9.31 padding (signature operations only) and +\&\s-1RSA_X931_PADDING\s0 for X9.31 padding (signature operations only) and \&\s-1RSA_PKCS1_PSS_PADDING\s0 (sign and verify only). .PP Two \s-1RSA\s0 padding modes behave differently if \fIEVP_PKEY_CTX_set_signature_md()\fR @@ -209,22 +229,24 @@ to PKCS#1 when signing and this structure is expected (and stripped off) when verifying. If this control is not used with \s-1RSA\s0 and PKCS#1 padding then the supplied data is used directly and not encapsulated. In the case of X9.31 padding for \s-1RSA\s0 the algorithm identifier byte is added or checked and removed -if this control is called. If it is not called then the first byte of the plaintext buffer is expected to be the algorithm identifier byte. +if this control is called. If it is not called then the first byte of the plaintext +buffer is expected to be the algorithm identifier byte. .PP The \fIEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR macro sets the \s-1RSA PSS\s0 salt length to -\&\fBlen\fR as its name implies it is only supported for \s-1PSS\s0 padding. Two special -values are supported: \-1 sets the salt length to the digest length. When -signing \-2 sets the salt length to the maximum permissible value. When -verifying \-2 causes the salt length to be automatically determined based on the -\&\fB\s-1PSS\s0\fR block structure. If this macro is not called a salt length value of \-2 -is used by default. +\&\fBlen\fR as its name implies it is only supported for \s-1PSS\s0 padding. Three special +values are supported: \s-1RSA_PSS_SALTLEN_DIGEST\s0 sets the salt length to the +digest length, \s-1RSA_PSS_SALTLEN_MAX\s0 sets the salt length to the maximum +permissible value. When verifying \s-1RSA_PSS_SALTLEN_AUTO\s0 causes the salt length +to be automatically determined based on the \fB\s-1PSS\s0\fR block structure. If this +macro is not called maximum salt length is used when signing and auto detection +when verifying is used by default. .PP -The \fIEVP_PKEY_CTX_set_rsa_rsa_keygen_bits()\fR macro sets the \s-1RSA\s0 key length for -\&\s-1RSA\s0 key genration to \fBbits\fR. If not specified 1024 bits is used. +The \fIEVP_PKEY_CTX_set_rsa_keygen_bits()\fR macro sets the \s-1RSA\s0 key length for +\&\s-1RSA\s0 key generation to \fBbits\fR. If not specified 1024 bits is used. .PP The \fIEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macro sets the public exponent value for \s-1RSA\s0 key generation to \fBpubexp\fR currently it should be an odd integer. The -\&\fBpubexp\fR pointer is used internally by this function so it should not be +\&\fBpubexp\fR pointer is used internally by this function so it should not be modified or free after the call. If this macro is not called then 65537 is used. .PP The macro \fIEVP_PKEY_CTX_set_dsa_paramgen_bits()\fR sets the number of bits used @@ -237,9 +259,39 @@ then 1024 is used. The \fIEVP_PKEY_CTX_set_dh_paramgen_generator()\fR macro sets \s-1DH\s0 generator to \fBgen\fR for \s-1DH\s0 parameter generation. If not specified 2 is used. .PP +The \fIEVP_PKEY_CTX_set_dh_pad()\fR macro sets the \s-1DH\s0 padding mode. If \fBpad\fR is +1 the shared secret is padded with zeroes up to the size of the \s-1DH\s0 prime \fBp\fR. +If \fBpad\fR is zero (the default) then no padding is performed. +.PP +\&\fIEVP_PKEY_CTX_set_dh_nid()\fR sets the \s-1DH\s0 parameters to values corresponding to +\&\fBnid\fR. The \fBnid\fR parameter must be \fBNID_ffdhe2048\fR, \fBNID_ffdhe3072\fR, +\&\fBNID_ffdhe4096\fR, \fBNID_ffdhe6144\fR or \fBNID_ffdhe8192\fR. This macro can be +called during parameter or key generation. +.PP The \fIEVP_PKEY_CTX_set_ec_paramgen_curve_nid()\fR sets the \s-1EC\s0 curve for \s-1EC\s0 parameter generation to \fBnid\fR. For \s-1EC\s0 parameter generation this macro must be called or an error occurs because there is no default curve. +This function can also be called to set the curve explicitly when +generating an \s-1EC\s0 key. +.PP +The \fIEVP_PKEY_CTX_set_ec_param_enc()\fR sets the \s-1EC\s0 parameter encoding to +\&\fBparam_enc\fR when generating \s-1EC\s0 parameters or an \s-1EC\s0 key. The encoding can be +\&\fB\s-1OPENSSL_EC_EXPLICIT_CURVE\s0\fR for explicit parameters (the default in versions +of OpenSSL before 1.1.0) or \fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR to use named curve form. +For maximum compatibility the named curve form should be used. Note: the +\&\fB\s-1OPENSSL_EC_NAMED_CURVE\s0\fR value was only added to OpenSSL 1.1.0; previous +versions should use 0 instead. +.PP +The \fIEVP_PKEY_CTX_set1_id()\fR, \fIEVP_PKEY_CTX_get1_id()\fR and \fIEVP_PKEY_CTX_get1_id_len()\fR +macros are used to manipulate the special identifier field for specific signature +algorithms such as \s-1SM2.\s0 The \fIEVP_PKEY_CTX_set1_id()\fR sets an \s-1ID\s0 pointed by \fBid\fR with +the length \fBid_len\fR to the library. The library takes a copy of the id so that +the caller can safely free the original memory pointed to by \fBid\fR. The +\&\fIEVP_PKEY_CTX_get1_id_len()\fR macro returns the length of the \s-1ID\s0 set via a previous +call to \fIEVP_PKEY_CTX_set1_id()\fR. The length is usually used to allocate adequate +memory for further calls to \fIEVP_PKEY_CTX_get1_id()\fR. The \fIEVP_PKEY_CTX_get1_id()\fR +macro returns the previously set \s-1ID\s0 value to caller in \fBid\fR. The caller should +allocate adequate memory space for the \fBid\fR before calling \fIEVP_PKEY_CTX_get1_id()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIEVP_PKEY_CTX_ctrl()\fR and its macros return a positive value for success and 0 @@ -253,8 +305,17 @@ indicates the operation is not supported by the public key algorithm. \&\fIEVP_PKEY_sign\fR\|(3), \&\fIEVP_PKEY_verify\fR\|(3), \&\fIEVP_PKEY_verify_recover\fR\|(3), -\&\fIEVP_PKEY_derive\fR\|(3) +\&\fIEVP_PKEY_derive\fR\|(3) \&\fIEVP_PKEY_keygen\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -These functions were first added to OpenSSL 1.0.0. +\&\fIEVP_PKEY_CTX_set1_id()\fR, \fIEVP_PKEY_CTX_get1_id()\fR and \fIEVP_PKEY_CTX_get1_id_len()\fR +macros were added in 1.1.1, other functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 index 6b4b4381dad8..a9f5ab713e02 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_CTX_new 3" -.TH EVP_PKEY_CTX_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_CTX_NEW 3" +.TH EVP_PKEY_CTX_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free \- public key algorithm context functions. +EVP_PKEY_CTX_new, EVP_PKEY_CTX_new_id, EVP_PKEY_CTX_dup, EVP_PKEY_CTX_free \- public key algorithm context functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -154,11 +154,12 @@ the algorithm specified in \fBpkey\fR and \s-1ENGINE\s0 \fBe\fR. The \fIEVP_PKEY_CTX_new_id()\fR function allocates public key algorithm context using the algorithm specified by \fBid\fR and \s-1ENGINE\s0 \fBe\fR. It is normally used when no \fB\s-1EVP_PKEY\s0\fR structure is associated with the operations, for example -during parameter generation of key genration for some algorithms. +during parameter generation of key generation for some algorithms. .PP \&\fIEVP_PKEY_CTX_dup()\fR duplicates the context \fBctx\fR. .PP \&\fIEVP_PKEY_CTX_free()\fR frees up the context \fBctx\fR. +If \fBctx\fR is \s-1NULL,\s0 nothing is done. .SH "NOTES" .IX Header "NOTES" The \fB\s-1EVP_PKEY_CTX\s0\fR structure is an opaque public key algorithm context used @@ -177,3 +178,11 @@ the newly allocated \fB\s-1EVP_PKEY_CTX\s0\fR structure of \fB\s-1NULL\s0\fR if .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_set1_pbe_pass.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set1_pbe_pass.3 new file mode 100644 index 000000000000..64afd6f84e19 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set1_pbe_pass.3 @@ -0,0 +1,179 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_PKEY_CTX_SET1_PBE_PASS 3" +.TH EVP_PKEY_CTX_SET1_PBE_PASS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_PKEY_CTX_set1_pbe_pass \&\- generic KDF support functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int EVP_PKEY_CTX_set1_pbe_pass(EVP_PKEY_CTX *pctx, unsigned char *pass, +\& int passlen); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions are generic support functions for all \s-1KDF\s0 algorithms. +.PP +\&\fIEVP_PKEY_CTX_set1_pbe_pass()\fR sets the password to the \fBpasslen\fR first +bytes from \fBpass\fR. +.SH "STRING CTRLS" +.IX Header "STRING CTRLS" +There is also support for string based control operations via +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3). +The \fBpassword\fR can be directly specified using the \fBtype\fR parameter +\&\*(L"pass\*(R" or given in hex encoding using the \*(L"hexpass\*(R" parameter. +.SH "NOTES" +.IX Header "NOTES" +All these functions are implemented as macros. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All these functions return 1 for success and 0 or a negative value for failure. +In particular a return value of \-2 indicates the operation is not supported by +the public key algorithm. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIEVP_PKEY_CTX_new\fR\|(3), +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3), +\&\fIEVP_PKEY_derive\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3 new file mode 100644 index 000000000000..db926c1d28a7 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3 @@ -0,0 +1,284 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_PKEY_CTX_SET_HKDF_MD 3" +.TH EVP_PKEY_CTX_SET_HKDF_MD 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_PKEY_CTX_set_hkdf_md, EVP_PKEY_CTX_set1_hkdf_salt, EVP_PKEY_CTX_set1_hkdf_key, EVP_PKEY_CTX_add1_hkdf_info, EVP_PKEY_CTX_hkdf_mode \- HMAC\-based Extract\-and\-Expand key derivation algorithm +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int EVP_PKEY_CTX_hkdf_mode(EVP_PKEY_CTX *pctx, int mode); +\& +\& int EVP_PKEY_CTX_set_hkdf_md(EVP_PKEY_CTX *pctx, const EVP_MD *md); +\& +\& int EVP_PKEY_CTX_set1_hkdf_salt(EVP_PKEY_CTX *pctx, unsigned char *salt, +\& int saltlen); +\& +\& int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *pctx, unsigned char *key, +\& int keylen); +\& +\& int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *pctx, unsigned char *info, +\& int infolen); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1EVP_PKEY_HKDF\s0 algorithm implements the \s-1HKDF\s0 key derivation function. +\&\s-1HKDF\s0 follows the \*(L"extract-then-expand\*(R" paradigm, where the \s-1KDF\s0 logically +consists of two modules. The first stage takes the input keying material +and \*(L"extracts\*(R" from it a fixed-length pseudorandom key K. The second stage +\&\*(L"expands\*(R" the key K into several additional pseudorandom keys (the output +of the \s-1KDF\s0). +.PP +\&\fIEVP_PKEY_CTX_hkdf_mode()\fR sets the mode for the \s-1HKDF\s0 operation. There are three +modes that are currently defined: +.IP "\s-1EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND\s0" 4 +.IX Item "EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND" +This is the default mode. Calling \fIEVP_PKEY_derive\fR\|(3) on an \s-1EVP_PKEY_CTX\s0 set +up for \s-1HKDF\s0 will perform an extract followed by an expand operation in one go. +The derived key returned will be the result after the expand operation. The +intermediate fixed-length pseudorandom key K is not returned. +.Sp +In this mode the digest, key, salt and info values must be set before a key is +derived or an error occurs. +.IP "\s-1EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY\s0" 4 +.IX Item "EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY" +In this mode calling \fIEVP_PKEY_derive\fR\|(3) will just perform the extract +operation. The value returned will be the intermediate fixed-length pseudorandom +key K. +.Sp +The digest, key and salt values must be set before a key is derived or an +error occurs. +.IP "\s-1EVP_PKEY_HKDEF_MODE_EXPAND_ONLY\s0" 4 +.IX Item "EVP_PKEY_HKDEF_MODE_EXPAND_ONLY" +In this mode calling \fIEVP_PKEY_derive\fR\|(3) will just perform the expand +operation. The input key should be set to the intermediate fixed-length +pseudorandom key K returned from a previous extract operation. +.Sp +The digest, key and info values must be set before a key is derived or an +error occurs. +.PP +\&\fIEVP_PKEY_set_hkdf_md()\fR sets the message digest associated with the \s-1HKDF.\s0 +.PP +\&\fIEVP_PKEY_CTX_set1_hkdf_salt()\fR sets the salt to \fBsaltlen\fR bytes of the +buffer \fBsalt\fR. Any existing value is replaced. +.PP +\&\fIEVP_PKEY_CTX_set_hkdf_key()\fR sets the key to \fBkeylen\fR bytes of the buffer +\&\fBkey\fR. Any existing value is replaced. +.PP +\&\fIEVP_PKEY_CTX_add1_hkdf_info()\fR sets the info value to \fBinfolen\fR bytes of the +buffer \fBinfo\fR. If a value is already set, it is appended to the existing +value. +.SH "STRING CTRLS" +.IX Header "STRING CTRLS" +\&\s-1HKDF\s0 also supports string based control operations via +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3). +The \fBtype\fR parameter \*(L"md\*(R" uses the supplied \fBvalue\fR as the name of the digest +algorithm to use. +The \fBtype\fR parameter \*(L"mode\*(R" uses the values \*(L"\s-1EXTRACT_AND_EXPAND\*(R", +\&\*(L"EXTRACT_ONLY\*(R"\s0 and \*(L"\s-1EXPAND_ONLY\*(R"\s0 to determine the mode to use. +The \fBtype\fR parameters \*(L"salt\*(R", \*(L"key\*(R" and \*(L"info\*(R" use the supplied \fBvalue\fR +parameter as a \fBseed\fR, \fBkey\fR or \fBinfo\fR value. +The names \*(L"hexsalt\*(R", \*(L"hexkey\*(R" and \*(L"hexinfo\*(R" are similar except they take a hex +string which is converted to binary. +.SH "NOTES" +.IX Header "NOTES" +All these functions are implemented as macros. +.PP +A context for \s-1HKDF\s0 can be obtained by calling: +.PP +.Vb 1 +\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); +.Ve +.PP +The total length of the info buffer cannot exceed 1024 bytes in length: this +should be more than enough for any normal use of \s-1HKDF.\s0 +.PP +The output length of an \s-1HKDF\s0 expand operation is specified via the length +parameter to the \fIEVP_PKEY_derive\fR\|(3) function. +Since the \s-1HKDF\s0 output length is variable, passing a \fB\s-1NULL\s0\fR buffer as a means +to obtain the requisite length is not meaningful with \s-1HKDF\s0 in any mode that +performs an expand operation. Instead, the caller must allocate a buffer of the +desired length, and pass that buffer to \fIEVP_PKEY_derive\fR\|(3) along with (a +pointer initialized to) the desired length. Passing a \fB\s-1NULL\s0\fR buffer to obtain +the length is allowed when using \s-1EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY.\s0 +.PP +Optimised versions of \s-1HKDF\s0 can be implemented in an \s-1ENGINE.\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All these functions return 1 for success and 0 or a negative value for failure. +In particular a return value of \-2 indicates the operation is not supported by +the public key algorithm. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +This example derives 10 bytes using \s-1SHA\-256\s0 with the secret key \*(L"secret\*(R", +salt value \*(L"salt\*(R" and info value \*(L"label\*(R": +.PP +.Vb 4 +\& EVP_PKEY_CTX *pctx; +\& unsigned char out[10]; +\& size_t outlen = sizeof(out); +\& pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); +\& +\& if (EVP_PKEY_derive_init(pctx) <= 0) +\& /* Error */ +\& if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) +\& /* Error */ +\& if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0) +\& /* Error */ +\& if (EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0) +\& /* Error */ +\& if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0) +\& /* Error */ +\& if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) +\& /* Error */ +.Ve +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1RFC 5869\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIEVP_PKEY_CTX_new\fR\|(3), +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3), +\&\fIEVP_PKEY_derive\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 new file mode 100644 index 000000000000..8c58dcd5ba0f --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 @@ -0,0 +1,218 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3" +.TH EVP_PKEY_CTX_SET_RSA_PSS_KEYGEN_MD 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_PKEY_CTX_set_rsa_pss_keygen_md, EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md, EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen \&\- EVP_PKEY RSA\-PSS algorithm support functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *pctx, +\& const EVP_MD *md); +\& int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *pctx, +\& const EVP_MD *md); +\& int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *pctx, +\& int saltlen); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These are the functions that implement \s-1\fIRSA\-PSS\s0\fR\|(7). +.SS "Signing and Verification" +.IX Subsection "Signing and Verification" +The macro \fIEVP_PKEY_CTX_set_rsa_padding()\fR is supported but an error is +returned if an attempt is made to set the padding mode to anything other +than \fB\s-1PSS\s0\fR. It is otherwise similar to the \fB\s-1RSA\s0\fR version. +.PP +The \fIEVP_PKEY_CTX_set_rsa_pss_saltlen()\fR macro is used to set the salt length. +If the key has usage restrictions then an error is returned if an attempt is +made to set the salt length below the minimum value. It is otherwise similar +to the \fB\s-1RSA\s0\fR operation except detection of the salt length (using +\&\s-1RSA_PSS_SALTLEN_AUTO\s0 is not supported for verification if the key has +usage restrictions. +.PP +The \fIEVP_PKEY_CTX_set_signature_md()\fR and \fIEVP_PKEY_CTX_set_rsa_mgf1_md()\fR macros +are used to set the digest and \s-1MGF1\s0 algorithms respectively. If the key has +usage restrictions then an error is returned if an attempt is made to set the +digest to anything other than the restricted value. Otherwise these are +similar to the \fB\s-1RSA\s0\fR versions. +.SS "Key Generation" +.IX Subsection "Key Generation" +As with \s-1RSA\s0 key generation the \fIEVP_PKEY_CTX_set_rsa_rsa_keygen_bits()\fR +and \fIEVP_PKEY_CTX_set_rsa_keygen_pubexp()\fR macros are supported for RSA-PSS: +they have exactly the same meaning as for the \s-1RSA\s0 algorithm. +.PP +Optional parameter restrictions can be specified when generating a \s-1PSS\s0 key. +If any restrictions are set (using the macros described below) then \fBall\fR +parameters are restricted. For example, setting a minimum salt length also +restricts the digest and \s-1MGF1\s0 algorithms. If any restrictions are in place +then they are reflected in the corresponding parameters of the public key +when (for example) a certificate request is signed. +.PP +\&\fIEVP_PKEY_CTX_set_rsa_pss_keygen_md()\fR restricts the digest algorithm the +generated key can use to \fBmd\fR. +.PP +\&\fIEVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md()\fR restricts the \s-1MGF1\s0 algorithm the +generated key can use to \fBmd\fR. +.PP +\&\fIEVP_PKEY_CTX_set_rsa_pss_keygen_saltlen()\fR restricts the minimum salt length +to \fBsaltlen\fR. +.SH "NOTES" +.IX Header "NOTES" +A context for the \fBRSA-PSS\fR algorithm can be obtained by calling: +.PP +.Vb 1 +\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA_PSS, NULL); +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All these functions return 1 for success and 0 or a negative value for failure. +In particular a return value of \-2 indicates the operation is not supported by +the public key algorithm. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\s-1\fIRSA\-PSS\s0\fR\|(7), +\&\fIEVP_PKEY_CTX_new\fR\|(3), +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3), +\&\fIEVP_PKEY_derive\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_scrypt_N.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_scrypt_N.3 new file mode 100644 index 000000000000..c51b7c6a431a --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_scrypt_N.3 @@ -0,0 +1,207 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_PKEY_CTX_SET_SCRYPT_N 3" +.TH EVP_PKEY_CTX_SET_SCRYPT_N 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_PKEY_CTX_set1_scrypt_salt, EVP_PKEY_CTX_set_scrypt_N, EVP_PKEY_CTX_set_scrypt_r, EVP_PKEY_CTX_set_scrypt_p, EVP_PKEY_CTX_set_scrypt_maxmem_bytes \&\- EVP_PKEY scrypt KDF support functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int EVP_PKEY_CTX_set1_scrypt_salt(EVP_PKEY_CTX *pctx, unsigned char *salt, +\& int saltlen); +\& +\& int EVP_PKEY_CTX_set_scrypt_N(EVP_PKEY_CTX *pctx, uint64_t N); +\& +\& int EVP_PKEY_CTX_set_scrypt_r(EVP_PKEY_CTX *pctx, uint64_t r); +\& +\& int EVP_PKEY_CTX_set_scrypt_p(EVP_PKEY_CTX *pctx, uint64_t p); +\& +\& int EVP_PKEY_CTX_set_scrypt_maxmem_bytes(EVP_PKEY_CTX *pctx, +\& uint64_t maxmem); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions are used to set up the necessary data to use the +scrypt \s-1KDF.\s0 +For more information on scrypt, see \fIscrypt\fR\|(7). +.PP +\&\fIEVP_PKEY_CTX_set1_scrypt_salt()\fR sets the \fBsaltlen\fR bytes long salt +value. +.PP +\&\fIEVP_PKEY_CTX_set_scrypt_N()\fR, \fIEVP_PKEY_CTX_set_scrypt_r()\fR and +\&\fIEVP_PKEY_CTX_set_scrypt_p()\fR configure the work factors N, r and p. +.PP +\&\fIEVP_PKEY_CTX_set_scrypt_maxmem_bytes()\fR sets how much \s-1RAM\s0 key +derivation may maximally use, given in bytes. +If \s-1RAM\s0 is exceeded because the load factors are chosen too high, the +key derivation will fail. +.SH "STRING CTRLS" +.IX Header "STRING CTRLS" +scrypt also supports string based control operations via +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3). +Similarly, the \fBsalt\fR can either be specified using the \fBtype\fR +parameter \*(L"salt\*(R" or in hex encoding by using the \*(L"hexsalt\*(R" parameter. +The work factors \fBN\fR, \fBr\fR and \fBp\fR as well as \fBmaxmem_bytes\fR can be +set by using the parameters \*(L"N\*(R", \*(L"r\*(R", \*(L"p\*(R" and \*(L"maxmem_bytes\*(R", +respectively. +.SH "NOTES" +.IX Header "NOTES" +The scrypt \s-1KDF\s0 also uses \fIEVP_PKEY_CTX_set1_pbe_pass()\fR as well as +the value from the string controls \*(L"pass\*(R" and \*(L"hexpass\*(R". +See \fIEVP_PKEY_CTX_set1_pbe_pass\fR\|(3). +.PP +All the functions described here are implemented as macros. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All these functions return 1 for success and 0 or a negative value for +failure. +In particular a return value of \-2 indicates the operation is not +supported by the public key algorithm. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIscrypt\fR\|(7), +\&\fIEVP_PKEY_CTX_new\fR\|(3), +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3), +\&\fIEVP_PKEY_derive\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3 b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3 new file mode 100644 index 000000000000..3115d636d28c --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3 @@ -0,0 +1,236 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_PKEY_CTX_SET_TLS1_PRF_MD 3" +.TH EVP_PKEY_CTX_SET_TLS1_PRF_MD 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_PKEY_CTX_set_tls1_prf_md, EVP_PKEY_CTX_set1_tls1_prf_secret, EVP_PKEY_CTX_add1_tls1_prf_seed \- TLS PRF key derivation algorithm +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int EVP_PKEY_CTX_set_tls1_prf_md(EVP_PKEY_CTX *pctx, const EVP_MD *md); +\& int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *pctx, +\& unsigned char *sec, int seclen); +\& int EVP_PKEY_CTX_add1_tls1_prf_seed(EVP_PKEY_CTX *pctx, +\& unsigned char *seed, int seedlen); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1EVP_PKEY_TLS1_PRF\s0\fR algorithm implements the \s-1PRF\s0 key derivation function for +\&\s-1TLS.\s0 It has no associated private key and only implements key derivation +using \fIEVP_PKEY_derive\fR\|(3). +.PP +\&\fIEVP_PKEY_set_tls1_prf_md()\fR sets the message digest associated with the +\&\s-1TLS PRF.\s0 \fIEVP_md5_sha1()\fR is treated as a special case which uses the \s-1PRF\s0 +algorithm using both \fB\s-1MD5\s0\fR and \fB\s-1SHA1\s0\fR as used in \s-1TLS 1.0\s0 and 1.1. +.PP +\&\fIEVP_PKEY_CTX_set_tls1_prf_secret()\fR sets the secret value of the \s-1TLS PRF\s0 +to \fBseclen\fR bytes of the buffer \fBsec\fR. Any existing secret value is replaced +and any seed is reset. +.PP +\&\fIEVP_PKEY_CTX_add1_tls1_prf_seed()\fR sets the seed to \fBseedlen\fR bytes of \fBseed\fR. +If a seed is already set it is appended to the existing value. +.SH "STRING CTRLS" +.IX Header "STRING CTRLS" +The \s-1TLS PRF\s0 also supports string based control operations using +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3). +The \fBtype\fR parameter \*(L"md\*(R" uses the supplied \fBvalue\fR as the name of the digest +algorithm to use. +The \fBtype\fR parameters \*(L"secret\*(R" and \*(L"seed\*(R" use the supplied \fBvalue\fR parameter +as a secret or seed value. +The names \*(L"hexsecret\*(R" and \*(L"hexseed\*(R" are similar except they take a hex string +which is converted to binary. +.SH "NOTES" +.IX Header "NOTES" +All these functions are implemented as macros. +.PP +A context for the \s-1TLS PRF\s0 can be obtained by calling: +.PP +.Vb 1 +\& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); +.Ve +.PP +The digest, secret value and seed must be set before a key is derived or an +error occurs. +.PP +The total length of all seeds cannot exceed 1024 bytes in length: this should +be more than enough for any normal use of the \s-1TLS PRF.\s0 +.PP +The output length of the \s-1PRF\s0 is specified by the length parameter in the +\&\fIEVP_PKEY_derive()\fR function. Since the output length is variable, setting +the buffer to \fB\s-1NULL\s0\fR is not meaningful for the \s-1TLS PRF.\s0 +.PP +Optimised versions of the \s-1TLS PRF\s0 can be implemented in an \s-1ENGINE.\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All these functions return 1 for success and 0 or a negative value for failure. +In particular a return value of \-2 indicates the operation is not supported by +the public key algorithm. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +This example derives 10 bytes using \s-1SHA\-256\s0 with the secret key \*(L"secret\*(R" +and seed value \*(L"seed\*(R": +.PP +.Vb 3 +\& EVP_PKEY_CTX *pctx; +\& unsigned char out[10]; +\& size_t outlen = sizeof(out); +\& +\& pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); +\& if (EVP_PKEY_derive_init(pctx) <= 0) +\& /* Error */ +\& if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0) +\& /* Error */ +\& if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0) +\& /* Error */ +\& if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0) +\& /* Error */ +\& if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) +\& /* Error */ +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIEVP_PKEY_CTX_new\fR\|(3), +\&\fIEVP_PKEY_CTX_ctrl_str\fR\|(3), +\&\fIEVP_PKEY_derive\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 b/secure/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 new file mode 100644 index 000000000000..b1f6c8b27128 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 @@ -0,0 +1,203 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_PKEY_ASN1_GET_COUNT 3" +.TH EVP_PKEY_ASN1_GET_COUNT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_PKEY_asn1_find, EVP_PKEY_asn1_find_str, EVP_PKEY_asn1_get_count, EVP_PKEY_asn1_get0, EVP_PKEY_asn1_get0_info \&\- enumerate public key ASN.1 methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int EVP_PKEY_asn1_get_count(void); +\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx); +\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type); +\& const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe, +\& const char *str, int len); +\& int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *pkey_base_id, +\& int *ppkey_flags, const char **pinfo, +\& const char **ppem_str, +\& const EVP_PKEY_ASN1_METHOD *ameth); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIEVP_PKEY_asn1_count()\fR returns a count of the number of public key +\&\s-1ASN.1\s0 methods available: it includes standard methods and any methods +added by the application. +.PP +\&\fIEVP_PKEY_asn1_get0()\fR returns the public key \s-1ASN.1\s0 method \fBidx\fR. +The value of \fBidx\fR must be between zero and \fIEVP_PKEY_asn1_get_count()\fR +\&\- 1. +.PP +\&\fIEVP_PKEY_asn1_find()\fR looks up the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1NID\s0 +\&\fBtype\fR. +If \fBpe\fR isn't \fB\s-1NULL\s0\fR, then it will look up an engine implementing a +\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR for the \s-1NID\s0 \fBtype\fR and return that instead, +and also set \fB*pe\fR to point at the engine that implements it. +.PP +\&\fIEVP_PKEY_asn1_find_str()\fR looks up the \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR with \s-1PEM\s0 +type string \fBstr\fR. +Just like \fIEVP_PKEY_asn1_find()\fR, if \fBpe\fR isn't \fB\s-1NULL\s0\fR, then it will +look up an engine implementing a \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR for the \s-1NID\s0 +\&\fBtype\fR and return that instead, and also set \fB*pe\fR to point at the +engine that implements it. +.PP +\&\fIEVP_PKEY_asn1_get0_info()\fR returns the public key \s-1ID,\s0 base public key +\&\s-1ID\s0 (both NIDs), any flags, the method description and \s-1PEM\s0 type string +associated with the public key \s-1ASN.1\s0 method \fB*ameth\fR. +.PP +\&\fIEVP_PKEY_asn1_count()\fR, \fIEVP_PKEY_asn1_get0()\fR, \fIEVP_PKEY_asn1_find()\fR and +\&\fIEVP_PKEY_asn1_find_str()\fR are not thread safe, but as long as all +\&\fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR objects are added before the application gets +threaded, using them is safe. See \fIEVP_PKEY_asn1_add0\fR\|(3). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIEVP_PKEY_asn1_count()\fR returns the number of available public key methods. +.PP +\&\fIEVP_PKEY_asn1_get0()\fR return a public key method or \fB\s-1NULL\s0\fR if \fBidx\fR is +out of range. +.PP +\&\fIEVP_PKEY_asn1_get0_info()\fR returns 0 on failure, 1 on success. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIEVP_PKEY_asn1_new\fR\|(3), \fIEVP_PKEY_asn1_add0\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 b/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 index 0f666fbca10a..ca8ff8dadeeb 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_cmp 3" -.TH EVP_PKEY_cmp 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_CMP 3" +.TH EVP_PKEY_CMP 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -161,7 +161,7 @@ in \fBfrom\fR and \fBto\fR are both present and match this function has no effec The function \fIEVP_PKEY_cmp_parameters()\fR compares the parameters of keys \&\fBa\fR and \fBb\fR. .PP -The function \fIEVP_PKEY_cmp()\fR compares the public key components and paramters +The function \fIEVP_PKEY_cmp()\fR compares the public key components and parameters (if present) of keys \fBa\fR and \fBb\fR. .SH "NOTES" .IX Header "NOTES" @@ -189,3 +189,11 @@ keys match, 0 if they don't match, \-1 if the key types are different and .IX Header "SEE ALSO" \&\fIEVP_PKEY_CTX_new\fR\|(3), \&\fIEVP_PKEY_keygen\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 b/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 index b58f78d4e1c6..5a0b2d563da7 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_decrypt 3" -.TH EVP_PKEY_decrypt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_DECRYPT 3" +.TH EVP_PKEY_DECRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,8 +143,8 @@ EVP_PKEY_decrypt_init, EVP_PKEY_decrypt \- decrypt using a public key algorithm \& \& int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx); \& int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, -\& unsigned char *out, size_t *outlen, -\& const unsigned char *in, size_t inlen); +\& unsigned char *out, size_t *outlen, +\& const unsigned char *in, size_t inlen); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -180,31 +180,34 @@ Decrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys): \& #include \& \& EVP_PKEY_CTX *ctx; +\& ENGINE *eng; \& unsigned char *out, *in; -\& size_t outlen, inlen; +\& size_t outlen, inlen; \& EVP_PKEY *key; -\& /* NB: assumes key in, inlen are already set up +\& +\& /* +\& * NB: assumes key, eng, in, inlen are already set up \& * and that key is an RSA private key \& */ -\& ctx = EVP_PKEY_CTX_new(key); +\& ctx = EVP_PKEY_CTX_new(key, eng); \& if (!ctx) -\& /* Error occurred */ +\& /* Error occurred */ \& if (EVP_PKEY_decrypt_init(ctx) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Determine buffer length */ \& if (EVP_PKEY_decrypt(ctx, NULL, &outlen, in, inlen) <= 0) -\& /* Error */ +\& /* Error */ \& \& out = OPENSSL_malloc(outlen); \& \& if (!out) -\& /* malloc failure */ -\& +\& /* malloc failure */ +\& \& if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Decrypted data is outlen bytes written to buffer out */ .Ve @@ -219,3 +222,11 @@ Decrypt data using \s-1OAEP\s0 (for \s-1RSA\s0 keys): .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_derive.3 b/secure/lib/libcrypto/man/EVP_PKEY_derive.3 index 644e48fe9fc5..105031f266d3 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_derive.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_derive.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_derive 3" -.TH EVP_PKEY_derive 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_DERIVE 3" +.TH EVP_PKEY_DERIVE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive \- derive public key algorithm shared secret. +EVP_PKEY_derive_init, EVP_PKEY_derive_set_peer, EVP_PKEY_derive \- derive public key algorithm shared secret .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -181,30 +181,31 @@ Derive shared secret (for example \s-1DH\s0 or \s-1EC\s0 keys): \& #include \& \& EVP_PKEY_CTX *ctx; +\& ENGINE *eng; \& unsigned char *skey; \& size_t skeylen; \& EVP_PKEY *pkey, *peerkey; -\& /* NB: assumes pkey, peerkey have been already set up */ +\& /* NB: assumes pkey, eng, peerkey have been already set up */ \& -\& ctx = EVP_PKEY_CTX_new(pkey); +\& ctx = EVP_PKEY_CTX_new(pkey, eng); \& if (!ctx) -\& /* Error occurred */ +\& /* Error occurred */ \& if (EVP_PKEY_derive_init(ctx) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_derive_set_peer(ctx, peerkey) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Determine buffer length */ \& if (EVP_PKEY_derive(ctx, NULL, &skeylen) <= 0) -\& /* Error */ +\& /* Error */ \& \& skey = OPENSSL_malloc(skeylen); \& \& if (!skey) -\& /* malloc failure */ -\& +\& /* malloc failure */ +\& \& if (EVP_PKEY_derive(ctx, skey, &skeylen) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Shared secret is skey bytes written to buffer skey */ .Ve @@ -219,3 +220,11 @@ Derive shared secret (for example \s-1DH\s0 or \s-1EC\s0 keys): .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 b/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 index e495e7f9b04a..7e30e8705912 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_encrypt 3" -.TH EVP_PKEY_encrypt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_ENCRYPT 3" +.TH EVP_PKEY_ENCRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,8 +143,8 @@ EVP_PKEY_encrypt_init, EVP_PKEY_encrypt \- encrypt using a public key algorithm \& \& int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx); \& int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, -\& unsigned char *out, size_t *outlen, -\& const unsigned char *in, size_t inlen); +\& unsigned char *out, size_t *outlen, +\& const unsigned char *in, size_t inlen); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -185,37 +185,39 @@ set 'eng = \s-1NULL\s0;' to start with the default OpenSSL \s-1RSA\s0 implementa \& EVP_PKEY_CTX *ctx; \& ENGINE *eng; \& unsigned char *out, *in; -\& size_t outlen, inlen; +\& size_t outlen, inlen; \& EVP_PKEY *key; -\& /* NB: assumes eng, key, in, inlen are already set up, +\& +\& /* +\& * NB: assumes eng, key, in, inlen are already set up, \& * and that key is an RSA public key \& */ -\& ctx = EVP_PKEY_CTX_new(key,eng); +\& ctx = EVP_PKEY_CTX_new(key, eng); \& if (!ctx) -\& /* Error occurred */ +\& /* Error occurred */ \& if (EVP_PKEY_encrypt_init(ctx) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Determine buffer length */ \& if (EVP_PKEY_encrypt(ctx, NULL, &outlen, in, inlen) <= 0) -\& /* Error */ +\& /* Error */ \& \& out = OPENSSL_malloc(outlen); \& \& if (!out) -\& /* malloc failure */ -\& +\& /* malloc failure */ +\& \& if (EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Encrypted data is outlen bytes written to buffer out */ .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fId2i_X509\fR\|(3), -\&\fIengine\fR\|(3), +\&\fIENGINE_by_id\fR\|(3), \&\fIEVP_PKEY_CTX_new\fR\|(3), \&\fIEVP_PKEY_decrypt\fR\|(3), \&\fIEVP_PKEY_sign\fR\|(3), @@ -225,3 +227,11 @@ set 'eng = \s-1NULL\s0;' to start with the default OpenSSL \s-1RSA\s0 implementa .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 b/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 similarity index 88% rename from secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 rename to secure/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 index 2cac1d3c8ffc..dab05522fc7d 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_get_default_digest 3" -.TH EVP_PKEY_get_default_digest 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_GET_DEFAULT_DIGEST_NID 3" +.TH EVP_PKEY_GET_DEFAULT_DIGEST_NID 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -146,7 +146,8 @@ EVP_PKEY_get_default_digest_nid \- get default signature digest .IX Header "DESCRIPTION" The \fIEVP_PKEY_get_default_digest_nid()\fR function sets \fBpnid\fR to the default message digest \s-1NID\s0 for the public key signature operations associated with key -\&\fBpkey\fR. +\&\fBpkey\fR. Note that some signature algorithms (i.e. Ed25519 and Ed448) do not use +a digest during signing. In this case \fBpnid\fR will be set to NID_undef. .SH "NOTES" .IX Header "NOTES" For all current standard OpenSSL public key algorithms \s-1SHA1\s0 is returned. @@ -166,3 +167,11 @@ public key algorithm. .SH "HISTORY" .IX Header "HISTORY" This function was first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 b/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 index c73fbacd822e..514e36383f5a 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_keygen 3" -.TH EVP_PKEY_keygen 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_KEYGEN 3" +.TH EVP_PKEY_KEYGEN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init, EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb, EVP_PKEY_CTX_get_keygen_info, EVP_PKEVP_PKEY_CTX_set_app_data, EVP_PKEY_CTX_get_app_data \- key and parameter generation functions +EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init, EVP_PKEY_paramgen, EVP_PKEY_CTX_set_cb, EVP_PKEY_CTX_get_cb, EVP_PKEY_CTX_get_keygen_info, EVP_PKEY_CTX_set_app_data, EVP_PKEY_CTX_get_app_data, EVP_PKEY_gen_cb, EVP_PKEY_check, EVP_PKEY_public_check, EVP_PKEY_param_check \&\- key and parameter generation and check functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -155,13 +155,17 @@ EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init, EVP_PKEY_paramgen \& \& void EVP_PKEY_CTX_set_app_data(EVP_PKEY_CTX *ctx, void *data); \& void *EVP_PKEY_CTX_get_app_data(EVP_PKEY_CTX *ctx); +\& +\& int EVP_PKEY_check(EVP_PKEY_CTX *ctx); +\& int EVP_PKEY_public_check(EVP_PKEY_CTX *ctx); +\& int EVP_PKEY_param_check(EVP_PKEY_CTX *ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fIEVP_PKEY_keygen_init()\fR function initializes a public key algorithm -context using key \fBpkey\fR for a key genration operation. +context using key \fBpkey\fR for a key generation operation. .PP -The \fIEVP_PKEY_keygen()\fR function performs a key generation operation, the +The \fIEVP_PKEY_keygen()\fR function performs a key generation operation, the generated key is written to \fBppkey\fR. .PP The functions \fIEVP_PKEY_paramgen_init()\fR and \fIEVP_PKEY_paramgen()\fR are similar @@ -177,7 +181,7 @@ parameters available is returned. Any non negative value returns the value of that parameter. \fIEVP_PKEY_CTX_gen_keygen_info()\fR with a non-negative value for \&\fBidx\fR should only be called within the generation callback. .PP -If the callback returns 0 then the key genration operation is aborted and an +If the callback returns 0 then the key generation operation is aborted and an error occurs. This might occur during a time consuming operation where a user clicks on a \*(L"cancel\*(R" button. .PP @@ -185,6 +189,18 @@ The functions \fIEVP_PKEY_CTX_set_app_data()\fR and \fIEVP_PKEY_CTX_get_app_data and retrieve an opaque pointer. This can be used to set some application defined value which can be retrieved in the callback: for example a handle which is used to update a \*(L"progress dialog\*(R". +.PP +\&\fIEVP_PKEY_check()\fR validates the key-pair given by \fBctx\fR. This function first tries +to use customized key check method in \fB\s-1EVP_PKEY_METHOD\s0\fR if it's present; otherwise +it calls a default one defined in \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR. +.PP +\&\fIEVP_PKEY_public_check()\fR validates the public component of the key-pair given by \fBctx\fR. +This function first tries to use customized key check method in \fB\s-1EVP_PKEY_METHOD\s0\fR +if it's present; otherwise it calls a default one defined in \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR. +.PP +\&\fIEVP_PKEY_param_check()\fR validates the algorithm parameters of the key-pair given by \fBctx\fR. +This function first tries to use customized key check method in \fB\s-1EVP_PKEY_METHOD\s0\fR +if it's present; otherwise it calls a default one defined in \fB\s-1EVP_PKEY_ASN1_METHOD\s0\fR. .SH "NOTES" .IX Header "NOTES" After the call to \fIEVP_PKEY_keygen_init()\fR or \fIEVP_PKEY_paramgen_init()\fR algorithm @@ -196,7 +212,7 @@ once on the same context if several operations are performed using the same parameters. .PP The meaning of the parameters passed to the callback will depend on the -algorithm and the specifiic implementation of the algorithm. Some might not +algorithm and the specific implementation of the algorithm. Some might not give any useful information at all during key or parameter generation. Others might not even call the callback. .PP @@ -214,6 +230,10 @@ in functions which require the use of a public key or parameters. \&\fIEVP_PKEY_paramgen()\fR return 1 for success and 0 or a negative value for failure. In particular a return value of \-2 indicates the operation is not supported by the public key algorithm. +.PP +\&\fIEVP_PKEY_check()\fR, \fIEVP_PKEY_public_check()\fR and \fIEVP_PKEY_param_check()\fR return 1 +for success or others for failure. They return \-2 if the operation is not supported +for the specific algorithm. .SH "EXAMPLES" .IX Header "EXAMPLES" Generate a 2048 bit \s-1RSA\s0 key: @@ -224,17 +244,18 @@ Generate a 2048 bit \s-1RSA\s0 key: \& \& EVP_PKEY_CTX *ctx; \& EVP_PKEY *pkey = NULL; +\& \& ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); \& if (!ctx) -\& /* Error occurred */ +\& /* Error occurred */ \& if (EVP_PKEY_keygen_init(ctx) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Generate key */ \& if (EVP_PKEY_keygen(ctx, &pkey) <= 0) -\& /* Error */ +\& /* Error */ .Ve .PP Generate a key from a set of parameters: @@ -244,17 +265,19 @@ Generate a key from a set of parameters: \& #include \& \& EVP_PKEY_CTX *ctx; +\& ENGINE *eng; \& EVP_PKEY *pkey = NULL, *param; -\& /* Assumed param is set up already */ -\& ctx = EVP_PKEY_CTX_new(param); +\& +\& /* Assumed param, eng are set up already */ +\& ctx = EVP_PKEY_CTX_new(param, eng); \& if (!ctx) -\& /* Error occurred */ +\& /* Error occurred */ \& if (EVP_PKEY_keygen_init(ctx) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Generate key */ \& if (EVP_PKEY_keygen(ctx, &pkey) <= 0) -\& /* Error */ +\& /* Error */ .Ve .PP Example of generation callback for OpenSSL public key implementations: @@ -265,19 +288,23 @@ Example of generation callback for OpenSSL public key implementations: \& EVP_PKEY_CTX_set_app_data(ctx, status_bio); \& \& static int genpkey_cb(EVP_PKEY_CTX *ctx) -\& { -\& char c=\*(Aq*\*(Aq; -\& BIO *b = EVP_PKEY_CTX_get_app_data(ctx); -\& int p; -\& p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); -\& if (p == 0) c=\*(Aq.\*(Aq; -\& if (p == 1) c=\*(Aq+\*(Aq; -\& if (p == 2) c=\*(Aq*\*(Aq; -\& if (p == 3) c=\*(Aq\en\*(Aq; -\& BIO_write(b,&c,1); -\& (void)BIO_flush(b); -\& return 1; -\& } +\& { +\& char c = \*(Aq*\*(Aq; +\& BIO *b = EVP_PKEY_CTX_get_app_data(ctx); +\& int p = EVP_PKEY_CTX_get_keygen_info(ctx, 0); +\& +\& if (p == 0) +\& c = \*(Aq.\*(Aq; +\& if (p == 1) +\& c = \*(Aq+\*(Aq; +\& if (p == 2) +\& c = \*(Aq*\*(Aq; +\& if (p == 3) +\& c = \*(Aq\en\*(Aq; +\& BIO_write(b, &c, 1); +\& (void)BIO_flush(b); +\& return 1; +\& } .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" @@ -291,3 +318,14 @@ Example of generation callback for OpenSSL public key implementations: .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.PP +\&\fIEVP_PKEY_check()\fR, \fIEVP_PKEY_public_check()\fR and \fIEVP_PKEY_param_check()\fR were added +in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_meth_get_count.3 b/secure/lib/libcrypto/man/EVP_PKEY_meth_get_count.3 new file mode 100644 index 000000000000..3b8b36fcbd26 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_PKEY_meth_get_count.3 @@ -0,0 +1,178 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_PKEY_METH_GET_COUNT 3" +.TH EVP_PKEY_METH_GET_COUNT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_PKEY_meth_get_count, EVP_PKEY_meth_get0, EVP_PKEY_meth_get0_info \- enumerate public key methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& size_t EVP_PKEY_meth_get_count(void); +\& const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); +\& void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags, +\& const EVP_PKEY_METHOD *meth); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIEVP_PKEY_meth_count()\fR returns a count of the number of public key methods +available: it includes standard methods and any methods added by the +application. +.PP +\&\fIEVP_PKEY_meth_get0()\fR returns the public key method \fBidx\fR. The value of \fBidx\fR +must be between zero and \fIEVP_PKEY_meth_get_count()\fR \- 1. +.PP +\&\fIEVP_PKEY_meth_get0_info()\fR returns the public key \s-1ID\s0 (a \s-1NID\s0) and any flags +associated with the public key method \fB*meth\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIEVP_PKEY_meth_count()\fR returns the number of available public key methods. +.PP +\&\fIEVP_PKEY_meth_get0()\fR return a public key method or \fB\s-1NULL\s0\fR if \fBidx\fR is +out of range. +.PP +\&\fIEVP_PKEY_meth_get0_info()\fR does not return a value. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIEVP_PKEY_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_meth_new.3 b/secure/lib/libcrypto/man/EVP_PKEY_meth_new.3 index 397647ccf55c..17c7e82c8ca9 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_meth_new.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_meth_new.3 @@ -128,26 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_meth_new 3" -.TH EVP_PKEY_meth_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_METH_NEW 3" +.TH EVP_PKEY_METH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_PKEY_meth_new, EVP_PKEY_meth_free, EVP_PKEY_meth_copy, EVP_PKEY_meth_find, -EVP_PKEY_meth_add0, EVP_PKEY_METHOD, -EVP_PKEY_meth_set_init, EVP_PKEY_meth_set_copy, EVP_PKEY_meth_set_cleanup, -EVP_PKEY_meth_set_paramgen, EVP_PKEY_meth_set_keygen, EVP_PKEY_meth_set_sign, -EVP_PKEY_meth_set_verify, EVP_PKEY_meth_set_verify_recover, EVP_PKEY_meth_set_signctx, -EVP_PKEY_meth_set_verifyctx, EVP_PKEY_meth_set_encrypt, EVP_PKEY_meth_set_decrypt, -EVP_PKEY_meth_set_derive, EVP_PKEY_meth_set_ctrl, -EVP_PKEY_meth_get_init, EVP_PKEY_meth_get_copy, EVP_PKEY_meth_get_cleanup, -EVP_PKEY_meth_get_paramgen, EVP_PKEY_meth_get_keygen, EVP_PKEY_meth_get_sign, -EVP_PKEY_meth_get_verify, EVP_PKEY_meth_get_verify_recover, EVP_PKEY_meth_get_signctx, -EVP_PKEY_meth_get_verifyctx, EVP_PKEY_meth_get_encrypt, EVP_PKEY_meth_get_decrypt, -EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl -\&\- manipulating EVP_PKEY_METHOD structure +EVP_PKEY_meth_new, EVP_PKEY_meth_free, EVP_PKEY_meth_copy, EVP_PKEY_meth_find, EVP_PKEY_meth_add0, EVP_PKEY_METHOD, EVP_PKEY_meth_set_init, EVP_PKEY_meth_set_copy, EVP_PKEY_meth_set_cleanup, EVP_PKEY_meth_set_paramgen, EVP_PKEY_meth_set_keygen, EVP_PKEY_meth_set_sign, EVP_PKEY_meth_set_verify, EVP_PKEY_meth_set_verify_recover, EVP_PKEY_meth_set_signctx, EVP_PKEY_meth_set_verifyctx, EVP_PKEY_meth_set_encrypt, EVP_PKEY_meth_set_decrypt, EVP_PKEY_meth_set_derive, EVP_PKEY_meth_set_ctrl, EVP_PKEY_meth_set_check, EVP_PKEY_meth_set_public_check, EVP_PKEY_meth_set_param_check, EVP_PKEY_meth_set_digest_custom, EVP_PKEY_meth_get_init, EVP_PKEY_meth_get_copy, EVP_PKEY_meth_get_cleanup, EVP_PKEY_meth_get_paramgen, EVP_PKEY_meth_get_keygen, EVP_PKEY_meth_get_sign, EVP_PKEY_meth_get_verify, EVP_PKEY_meth_get_verify_recover, EVP_PKEY_meth_get_signctx, EVP_PKEY_meth_get_verifyctx, EVP_PKEY_meth_get_encrypt, EVP_PKEY_meth_get_decrypt, EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl, EVP_PKEY_meth_get_check, EVP_PKEY_meth_get_public_check, EVP_PKEY_meth_get_param_check, EVP_PKEY_meth_get_digest_custom, EVP_PKEY_meth_remove \&\- manipulating EVP_PKEY_METHOD structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -160,6 +148,7 @@ EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl \& void EVP_PKEY_meth_copy(EVP_PKEY_METHOD *dst, const EVP_PKEY_METHOD *src); \& const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type); \& int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth); +\& int EVP_PKEY_meth_remove(const EVP_PKEY_METHOD *pmeth); \& \& void EVP_PKEY_meth_set_init(EVP_PKEY_METHOD *pmeth, \& int (*init) (EVP_PKEY_CTX *ctx)); @@ -239,36 +228,45 @@ EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl \& int (*ctrl_str) (EVP_PKEY_CTX *ctx, \& const char *type, \& const char *value)); +\& void EVP_PKEY_meth_set_check(EVP_PKEY_METHOD *pmeth, +\& int (*check) (EVP_PKEY *pkey)); +\& void EVP_PKEY_meth_set_public_check(EVP_PKEY_METHOD *pmeth, +\& int (*check) (EVP_PKEY *pkey)); +\& void EVP_PKEY_meth_set_param_check(EVP_PKEY_METHOD *pmeth, +\& int (*check) (EVP_PKEY *pkey)); +\& void EVP_PKEY_meth_set_digest_custom(EVP_PKEY_METHOD *pmeth, +\& int (*digest_custom) (EVP_PKEY_CTX *ctx, +\& EVP_MD_CTX *mctx)); \& -\& void EVP_PKEY_meth_get_init(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_init(const EVP_PKEY_METHOD *pmeth, \& int (**pinit) (EVP_PKEY_CTX *ctx)); -\& void EVP_PKEY_meth_get_copy(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_copy(const EVP_PKEY_METHOD *pmeth, \& int (**pcopy) (EVP_PKEY_CTX *dst, \& EVP_PKEY_CTX *src)); -\& void EVP_PKEY_meth_get_cleanup(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_cleanup(const EVP_PKEY_METHOD *pmeth, \& void (**pcleanup) (EVP_PKEY_CTX *ctx)); -\& void EVP_PKEY_meth_get_paramgen(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_paramgen(const EVP_PKEY_METHOD *pmeth, \& int (**pparamgen_init) (EVP_PKEY_CTX *ctx), \& int (**pparamgen) (EVP_PKEY_CTX *ctx, \& EVP_PKEY *pkey)); -\& void EVP_PKEY_meth_get_keygen(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_keygen(const EVP_PKEY_METHOD *pmeth, \& int (**pkeygen_init) (EVP_PKEY_CTX *ctx), \& int (**pkeygen) (EVP_PKEY_CTX *ctx, \& EVP_PKEY *pkey)); -\& void EVP_PKEY_meth_get_sign(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_sign(const EVP_PKEY_METHOD *pmeth, \& int (**psign_init) (EVP_PKEY_CTX *ctx), \& int (**psign) (EVP_PKEY_CTX *ctx, \& unsigned char *sig, size_t *siglen, \& const unsigned char *tbs, \& size_t tbslen)); -\& void EVP_PKEY_meth_get_verify(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_verify(const EVP_PKEY_METHOD *pmeth, \& int (**pverify_init) (EVP_PKEY_CTX *ctx), \& int (**pverify) (EVP_PKEY_CTX *ctx, \& const unsigned char *sig, \& size_t siglen, \& const unsigned char *tbs, \& size_t tbslen)); -\& void EVP_PKEY_meth_get_verify_recover(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_verify_recover(const EVP_PKEY_METHOD *pmeth, \& int (**pverify_recover_init) (EVP_PKEY_CTX \& *ctx), \& int (**pverify_recover) (EVP_PKEY_CTX @@ -279,45 +277,54 @@ EVP_PKEY_meth_get_derive, EVP_PKEY_meth_get_ctrl \& const unsigned \& char *tbs, \& size_t tbslen)); -\& void EVP_PKEY_meth_get_signctx(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_signctx(const EVP_PKEY_METHOD *pmeth, \& int (**psignctx_init) (EVP_PKEY_CTX *ctx, \& EVP_MD_CTX *mctx), \& int (**psignctx) (EVP_PKEY_CTX *ctx, \& unsigned char *sig, \& size_t *siglen, \& EVP_MD_CTX *mctx)); -\& void EVP_PKEY_meth_get_verifyctx(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_verifyctx(const EVP_PKEY_METHOD *pmeth, \& int (**pverifyctx_init) (EVP_PKEY_CTX *ctx, \& EVP_MD_CTX *mctx), \& int (**pverifyctx) (EVP_PKEY_CTX *ctx, \& const unsigned char *sig, \& int siglen, \& EVP_MD_CTX *mctx)); -\& void EVP_PKEY_meth_get_encrypt(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_encrypt(const EVP_PKEY_METHOD *pmeth, \& int (**pencrypt_init) (EVP_PKEY_CTX *ctx), \& int (**pencryptfn) (EVP_PKEY_CTX *ctx, \& unsigned char *out, \& size_t *outlen, \& const unsigned char *in, \& size_t inlen)); -\& void EVP_PKEY_meth_get_decrypt(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_decrypt(const EVP_PKEY_METHOD *pmeth, \& int (**pdecrypt_init) (EVP_PKEY_CTX *ctx), \& int (**pdecrypt) (EVP_PKEY_CTX *ctx, \& unsigned char *out, \& size_t *outlen, \& const unsigned char *in, \& size_t inlen)); -\& void EVP_PKEY_meth_get_derive(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_derive(const EVP_PKEY_METHOD *pmeth, \& int (**pderive_init) (EVP_PKEY_CTX *ctx), \& int (**pderive) (EVP_PKEY_CTX *ctx, \& unsigned char *key, \& size_t *keylen)); -\& void EVP_PKEY_meth_get_ctrl(EVP_PKEY_METHOD *pmeth, +\& void EVP_PKEY_meth_get_ctrl(const EVP_PKEY_METHOD *pmeth, \& int (**pctrl) (EVP_PKEY_CTX *ctx, int type, int p1, \& void *p2), \& int (**pctrl_str) (EVP_PKEY_CTX *ctx, \& const char *type, \& const char *value)); +\& void EVP_PKEY_meth_get_check(const EVP_PKEY_METHOD *pmeth, +\& int (**pcheck) (EVP_PKEY *pkey)); +\& void EVP_PKEY_meth_get_public_check(const EVP_PKEY_METHOD *pmeth, +\& int (**pcheck) (EVP_PKEY *pkey)); +\& void EVP_PKEY_meth_get_param_check(const EVP_PKEY_METHOD *pmeth, +\& int (**pcheck) (EVP_PKEY *pkey)); +\& void EVP_PKEY_meth_get_digest_custom(EVP_PKEY_METHOD *pmeth, +\& int (**pdigest_custom) (EVP_PKEY_CTX *ctx, +\& EVP_MD_CTX *mctx)); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -466,6 +473,28 @@ settings. See \fIEVP_PKEY_CTX_ctrl\fR\|(3) and related functions for detail. The \fIdigestsign()\fR and \fIdigestverify()\fR methods are used to generate or verify a signature in a one-shot mode. They could be called by \fIEVP_DigetSign\fR\|(3) and \fIEVP_DigestVerify\fR\|(3). +.PP +.Vb 3 +\& int (*check) (EVP_PKEY *pkey); +\& int (*public_check) (EVP_PKEY *pkey); +\& int (*param_check) (EVP_PKEY *pkey); +.Ve +.PP +The \fIcheck()\fR, \fIpublic_check()\fR and \fIparam_check()\fR methods are used to validate a +key-pair, the public component and parameters respectively for a given \fBpkey\fR. +They could be called by \fIEVP_PKEY_check\fR\|(3), \fIEVP_PKEY_public_check\fR\|(3) and +\&\fIEVP_PKEY_param_check\fR\|(3) respectively. +.PP +.Vb 1 +\& int (*digest_custom) (EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx); +.Ve +.PP +The \fIdigest_custom()\fR method is used to generate customized digest content before +the real message is passed to functions like \fIEVP_DigestSignUpdate\fR\|(3) or +\&\fIEVP_DigestVerifyInit\fR\|(3). This is usually required by some public key +signature algorithms like \s-1SM2\s0 which requires a hashed prefix to the message to +be signed. The \fIdigest_custom()\fR function will be called by \fIEVP_DigestSignInit\fR\|(3) +and \fIEVP_DigestVerifyInit\fR\|(3). .SS "Functions" .IX Subsection "Functions" \&\fIEVP_PKEY_meth_new()\fR creates and returns a new \fB\s-1EVP_PKEY_METHOD\s0\fR object, @@ -500,6 +529,9 @@ then the built-in objects. .PP \&\fIEVP_PKEY_meth_add0()\fR adds \fBpmeth\fR to the user defined stack of methods. .PP +\&\fIEVP_PKEY_meth_remove()\fR removes an \fB\s-1EVP_PKEY_METHOD\s0\fR object added by +\&\fIEVP_PKEY_meth_add0()\fR. +.PP The EVP_PKEY_meth_set functions set the corresponding fields of \&\fB\s-1EVP_PKEY_METHOD\s0\fR structure with the arguments passed. .PP @@ -518,12 +550,15 @@ object or returns \s-1NULL\s0 if not found. \&\fIEVP_PKEY_meth_add0()\fR returns 1 if method is added successfully or 0 if an error occurred. .PP +\&\fIEVP_PKEY_meth_remove()\fR returns 1 if method is removed successfully or +0 if an error occurred. +.PP All EVP_PKEY_meth_set and EVP_PKEY_meth_get functions have no return values. For the 'get' functions, function pointers are returned by arguments. .SH "COPYRIGHT" .IX Header "COPYRIGHT" -Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/EVP_PKEY_new.3 b/secure/lib/libcrypto/man/EVP_PKEY_new.3 index 2fb880c92969..3c7a5b22262e 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_new.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_new.3 @@ -128,46 +128,123 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_new 3" -.TH EVP_PKEY_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_NEW 3" +.TH EVP_PKEY_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_PKEY_new, EVP_PKEY_free \- private key allocation functions. +EVP_PKEY_new, EVP_PKEY_up_ref, EVP_PKEY_free, EVP_PKEY_new_raw_private_key, EVP_PKEY_new_raw_public_key, EVP_PKEY_new_CMAC_key, EVP_PKEY_new_mac_key, EVP_PKEY_get_raw_private_key, EVP_PKEY_get_raw_public_key \&\- public/private key allocation and raw key handling functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& EVP_PKEY *EVP_PKEY_new(void); +\& int EVP_PKEY_up_ref(EVP_PKEY *key); \& void EVP_PKEY_free(EVP_PKEY *key); +\& +\& EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *e, +\& const unsigned char *key, size_t keylen); +\& EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *e, +\& const unsigned char *key, size_t keylen); +\& EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, +\& size_t len, const EVP_CIPHER *cipher); +\& EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e, const unsigned char *key, +\& int keylen); +\& +\& int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, unsigned char *priv, +\& size_t *len); +\& int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, unsigned char *pub, +\& size_t *len); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The \fIEVP_PKEY_new()\fR function allocates an empty \fB\s-1EVP_PKEY\s0\fR -structure which is used by OpenSSL to store private keys. +The \fIEVP_PKEY_new()\fR function allocates an empty \fB\s-1EVP_PKEY\s0\fR structure which is +used by OpenSSL to store public and private keys. The reference count is set to +\&\fB1\fR. .PP -\&\fIEVP_PKEY_free()\fR frees up the private key \fBkey\fR. +\&\fIEVP_PKEY_up_ref()\fR increments the reference count of \fBkey\fR. +.PP +\&\fIEVP_PKEY_free()\fR decrements the reference count of \fBkey\fR and, if the reference +count is zero, frees it up. If \fBkey\fR is \s-1NULL,\s0 nothing is done. +.PP +\&\fIEVP_PKEY_new_raw_private_key()\fR allocates a new \fB\s-1EVP_PKEY\s0\fR. If \fBe\fR is non-NULL +then the new \fB\s-1EVP_PKEY\s0\fR structure is associated with the engine \fBe\fR. The +\&\fBtype\fR argument indicates what kind of key this is. The value should be a \s-1NID\s0 +for a public key algorithm that supports raw private keys, i.e. one of +\&\fB\s-1EVP_PKEY_HMAC\s0\fR, \fB\s-1EVP_PKEY_POLY1305\s0\fR, \fB\s-1EVP_PKEY_SIPHASH\s0\fR, \fB\s-1EVP_PKEY_X25519\s0\fR, +\&\fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR. \fBkey\fR points to the +raw private key data for this \fB\s-1EVP_PKEY\s0\fR which should be of length \fBkeylen\fR. +The length should be appropriate for the type of the key. The public key data +will be automatically derived from the given private key data (if appropriate +for the algorithm type). +.PP +\&\fIEVP_PKEY_new_raw_public_key()\fR works in the same way as +\&\fIEVP_PKEY_new_raw_private_key()\fR except that \fBkey\fR points to the raw public key +data. The \fB\s-1EVP_PKEY\s0\fR structure will be initialised without any private key +information. Algorithm types that support raw public keys are +\&\fB\s-1EVP_PKEY_X25519\s0\fR, \fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR. +.PP +\&\fIEVP_PKEY_new_CMAC_key()\fR works in the same way as \fIEVP_PKEY_new_raw_private_key()\fR +except it is only for the \fB\s-1EVP_PKEY_CMAC\s0\fR algorithm type. In addition to the +raw private key data, it also takes a cipher algorithm to be used during +creation of a \s-1CMAC\s0 in the \fBcipher\fR argument. +.PP +\&\fIEVP_PKEY_new_mac_key()\fR works in the same way as \fIEVP_PKEY_new_raw_private_key()\fR. +New applications should use \fIEVP_PKEY_new_raw_private_key()\fR instead. +.PP +\&\fIEVP_PKEY_get_raw_private_key()\fR fills the buffer provided by \fBpriv\fR with raw +private key data. The number of bytes written is populated in \fB*len\fR. If the +buffer \fBpriv\fR is \s-1NULL\s0 then \fB*len\fR is populated with the number of bytes +required to hold the key. The calling application is responsible for ensuring +that the buffer is large enough to receive the private key data. This function +only works for algorithms that support raw private keys. Currently this is: +\&\fB\s-1EVP_PKEY_HMAC\s0\fR, \fB\s-1EVP_PKEY_POLY1305\s0\fR, \fB\s-1EVP_PKEY_SIPHASH\s0\fR, \fB\s-1EVP_PKEY_X25519\s0\fR, +\&\fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR. +.PP +\&\fIEVP_PKEY_get_raw_public_key()\fR fills the buffer provided by \fBpub\fR with raw +public key data. The number of bytes written is populated in \fB*len\fR. If the +buffer \fBpub\fR is \s-1NULL\s0 then \fB*len\fR is populated with the number of bytes +required to hold the key. The calling application is responsible for ensuring +that the buffer is large enough to receive the public key data. This function +only works for algorithms that support raw public keys. Currently this is: +\&\fB\s-1EVP_PKEY_X25519\s0\fR, \fB\s-1EVP_PKEY_ED25519\s0\fR, \fB\s-1EVP_PKEY_X448\s0\fR or \fB\s-1EVP_PKEY_ED448\s0\fR. .SH "NOTES" .IX Header "NOTES" -The \fB\s-1EVP_PKEY\s0\fR structure is used by various OpenSSL functions -which require a general private key without reference to any -particular algorithm. +The \fB\s-1EVP_PKEY\s0\fR structure is used by various OpenSSL functions which require a +general private key without reference to any particular algorithm. .PP -The structure returned by \fIEVP_PKEY_new()\fR is empty. To add a -private key to this empty structure the functions described in -\&\fIEVP_PKEY_set1_RSA\fR\|(3) should be used. +The structure returned by \fIEVP_PKEY_new()\fR is empty. To add a private or public +key to this empty structure use the appropriate functions described in +\&\fIEVP_PKEY_set1_RSA\fR\|(3), EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH or +EVP_PKEY_set1_EC_KEY. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIEVP_PKEY_new()\fR returns either the newly allocated \fB\s-1EVP_PKEY\s0\fR -structure of \fB\s-1NULL\s0\fR if an error occurred. +\&\fIEVP_PKEY_new()\fR, \fIEVP_PKEY_new_raw_private_key()\fR, \fIEVP_PKEY_new_raw_public_key()\fR, +\&\fIEVP_PKEY_new_CMAC_key()\fR and \fIEVP_PKEY_new_mac_key()\fR return either the newly +allocated \fB\s-1EVP_PKEY\s0\fR structure or \fB\s-1NULL\s0\fR if an error occurred. .PP -\&\fIEVP_PKEY_free()\fR does not return a value. +\&\fIEVP_PKEY_up_ref()\fR, \fIEVP_PKEY_get_raw_private_key()\fR and +\&\fIEVP_PKEY_get_raw_public_key()\fR return 1 for success and 0 for failure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIEVP_PKEY_set1_RSA\fR\|(3) +\&\fIEVP_PKEY_set1_RSA\fR\|(3), EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH or +EVP_PKEY_set1_EC_KEY .SH "HISTORY" .IX Header "HISTORY" -\&\s-1TBA\s0 +\&\fIEVP_PKEY_new()\fR and \fIEVP_PKEY_free()\fR exist in all versions of OpenSSL. +.PP +\&\fIEVP_PKEY_up_ref()\fR was first added to OpenSSL 1.1.0. +\&\fIEVP_PKEY_new_raw_private_key()\fR, \fIEVP_PKEY_new_raw_public_key()\fR, +\&\fIEVP_PKEY_new_CMAC_key()\fR, \fIEVP_PKEY_new_raw_private_key()\fR and +\&\fIEVP_PKEY_get_raw_public_key()\fR were first added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 b/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 index 8e1bb91319f7..f12e7a725de9 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 @@ -128,25 +128,25 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_print_private 3" -.TH EVP_PKEY_print_private 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_PRINT_PRIVATE 3" +.TH EVP_PKEY_PRINT_PRIVATE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params \- public key algorithm printing routines. +EVP_PKEY_print_public, EVP_PKEY_print_private, EVP_PKEY_print_params \- public key algorithm printing routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey, -\& int indent, ASN1_PCTX *pctx); +\& int indent, ASN1_PCTX *pctx); \& int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey, -\& int indent, ASN1_PCTX *pctx); +\& int indent, ASN1_PCTX *pctx); \& int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, -\& int indent, ASN1_PCTX *pctx); +\& int indent, ASN1_PCTX *pctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -160,8 +160,7 @@ The \fBpctx\fR parameter allows the print output to be finely tuned by using be used. .SH "NOTES" .IX Header "NOTES" -Currently no public key algorithms include any options in the \fBpctx\fR parameter -parameter. +Currently no public key algorithms include any options in the \fBpctx\fR parameter. .PP If the key does not include all the components indicated by the function then only those contained in the key will be printed. For example passing a public @@ -178,3 +177,11 @@ the public key algorithm. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 b/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 index 59ae38da0d83..dd99916bfdcf 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 @@ -128,38 +128,46 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_set1_RSA 3" -.TH EVP_PKEY_set1_RSA 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_SET1_RSA 3" +.TH EVP_PKEY_SET1_RSA 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY, -EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY, -EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY, -EVP_PKEY_type \- EVP_PKEY assignment functions. +EVP_PKEY_set1_RSA, EVP_PKEY_set1_DSA, EVP_PKEY_set1_DH, EVP_PKEY_set1_EC_KEY, EVP_PKEY_get1_RSA, EVP_PKEY_get1_DSA, EVP_PKEY_get1_DH, EVP_PKEY_get1_EC_KEY, EVP_PKEY_get0_RSA, EVP_PKEY_get0_DSA, EVP_PKEY_get0_DH, EVP_PKEY_get0_EC_KEY, EVP_PKEY_assign_RSA, EVP_PKEY_assign_DSA, EVP_PKEY_assign_DH, EVP_PKEY_assign_EC_KEY, EVP_PKEY_get0_hmac, EVP_PKEY_type, EVP_PKEY_id, EVP_PKEY_base_id, EVP_PKEY_set_alias_type, EVP_PKEY_set1_engine \- EVP_PKEY assignment functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int EVP_PKEY_set1_RSA(EVP_PKEY *pkey,RSA *key); -\& int EVP_PKEY_set1_DSA(EVP_PKEY *pkey,DSA *key); -\& int EVP_PKEY_set1_DH(EVP_PKEY *pkey,DH *key); -\& int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey,EC_KEY *key); +\& int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key); +\& int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key); +\& int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key); +\& int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key); \& \& RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey); \& DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey); \& DH *EVP_PKEY_get1_DH(EVP_PKEY *pkey); \& EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey); \& -\& int EVP_PKEY_assign_RSA(EVP_PKEY *pkey,RSA *key); -\& int EVP_PKEY_assign_DSA(EVP_PKEY *pkey,DSA *key); -\& int EVP_PKEY_assign_DH(EVP_PKEY *pkey,DH *key); -\& int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey,EC_KEY *key); +\& const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len); +\& RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); +\& DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey); +\& DH *EVP_PKEY_get0_DH(EVP_PKEY *pkey); +\& EC_KEY *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey); \& +\& int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key); +\& int EVP_PKEY_assign_DSA(EVP_PKEY *pkey, DSA *key); +\& int EVP_PKEY_assign_DH(EVP_PKEY *pkey, DH *key); +\& int EVP_PKEY_assign_EC_KEY(EVP_PKEY *pkey, EC_KEY *key); +\& +\& int EVP_PKEY_id(const EVP_PKEY *pkey); +\& int EVP_PKEY_base_id(const EVP_PKEY *pkey); \& int EVP_PKEY_type(int type); +\& int EVP_PKEY_set_alias_type(EVP_PKEY *pkey, int type); +\& +\& int EVP_PKEY_set1_engine(EVP_PKEY *pkey, ENGINE *engine); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -170,16 +178,38 @@ EVP_PKEY_type \- EVP_PKEY assignment functions. \&\fIEVP_PKEY_get1_EC_KEY()\fR return the referenced key in \fBpkey\fR or \&\fB\s-1NULL\s0\fR if the key is not of the correct type. .PP +\&\fIEVP_PKEY_get0_hmac()\fR, \fIEVP_PKEY_get0_RSA()\fR, \fIEVP_PKEY_get0_DSA()\fR, +\&\fIEVP_PKEY_get0_DH()\fR and \fIEVP_PKEY_get0_EC_KEY()\fR also return the +referenced key in \fBpkey\fR or \fB\s-1NULL\s0\fR if the key is not of the +correct type but the reference count of the returned key is +\&\fBnot\fR incremented and so must not be freed up after use. +.PP \&\fIEVP_PKEY_assign_RSA()\fR, \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR and \fIEVP_PKEY_assign_EC_KEY()\fR also set the referenced key to \fBkey\fR however these use the supplied \fBkey\fR internally and so \fBkey\fR will be freed when the parent \fBpkey\fR is freed. .PP -\&\fIEVP_PKEY_type()\fR returns the type of key corresponding to the value -\&\fBtype\fR. The type of a key can be obtained with -EVP_PKEY_type(pkey\->type). The return value will be \s-1EVP_PKEY_RSA, -EVP_PKEY_DSA, EVP_PKEY_DH\s0 or \s-1EVP_PKEY_EC\s0 for the corresponding -key types or NID_undef if the key type is unassigned. +\&\fIEVP_PKEY_base_id()\fR returns the type of \fBpkey\fR. For example +an \s-1RSA\s0 key will return \fB\s-1EVP_PKEY_RSA\s0\fR. +.PP +\&\fIEVP_PKEY_id()\fR returns the actual \s-1OID\s0 associated with \fBpkey\fR. Historically keys +using the same algorithm could use different OIDs. For example an \s-1RSA\s0 key could +use the OIDs corresponding to the NIDs \fBNID_rsaEncryption\fR (equivalent to +\&\fB\s-1EVP_PKEY_RSA\s0\fR) or \fBNID_rsa\fR (equivalent to \fB\s-1EVP_PKEY_RSA2\s0\fR). The use of +alternative non-standard OIDs is now rare so \fB\s-1EVP_PKEY_RSA2\s0\fR et al are not +often seen in practice. +.PP +\&\fIEVP_PKEY_type()\fR returns the underlying type of the \s-1NID\s0 \fBtype\fR. For example +EVP_PKEY_type(\s-1EVP_PKEY_RSA2\s0) will return \fB\s-1EVP_PKEY_RSA\s0\fR. +.PP +\&\fIEVP_PKEY_set1_engine()\fR sets the \s-1ENGINE\s0 handling \fBpkey\fR to \fBengine\fR. It +must be called after the key algorithm and components are set up. +If \fBengine\fR does not include an \fB\s-1EVP_PKEY_METHOD\s0\fR for \fBpkey\fR an +error occurs. +.PP +\&\fIEVP_PKEY_set_alias_type()\fR allows modifying a \s-1EVP_PKEY\s0 to use a +different set of algorithms than the default. This is currently used +to support \s-1SM2\s0 keys, which use an identical encoding to \s-1ECDSA.\s0 .SH "NOTES" .IX Header "NOTES" In accordance with the OpenSSL naming convention the key obtained @@ -188,20 +218,51 @@ freed as well as \fBpkey\fR. .PP \&\fIEVP_PKEY_assign_RSA()\fR, \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR and \fIEVP_PKEY_assign_EC_KEY()\fR are implemented as macros. +.PP +Most applications wishing to know a key type will simply call +\&\fIEVP_PKEY_base_id()\fR and will not care about the actual type: +which will be identical in almost all cases. +.PP +Previous versions of this document suggested using EVP_PKEY_type(pkey\->type) +to determine the type of a key. Since \fB\s-1EVP_PKEY\s0\fR is now opaque this +is no longer possible: the equivalent is EVP_PKEY_base_id(pkey). +.PP +\&\fIEVP_PKEY_set1_engine()\fR is typically used by an \s-1ENGINE\s0 returning an \s-1HSM\s0 +key as part of its routine to load a private key. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +After loading an \s-1ECC\s0 key, it is possible to convert it to using \s-1SM2\s0 +algorithms with EVP_PKEY_set_alias_type: +.PP +.Vb 1 +\& EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); +.Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIEVP_PKEY_set1_RSA()\fR, \fIEVP_PKEY_set1_DSA()\fR, \fIEVP_PKEY_set1_DH()\fR and \&\fIEVP_PKEY_set1_EC_KEY()\fR return 1 for success or 0 for failure. .PP \&\fIEVP_PKEY_get1_RSA()\fR, \fIEVP_PKEY_get1_DSA()\fR, \fIEVP_PKEY_get1_DH()\fR and -\&\fIEVP_PKEY_get1_EC_KEY()\fR return the referenced key or \fB\s-1NULL\s0\fR if +\&\fIEVP_PKEY_get1_EC_KEY()\fR return the referenced key or \fB\s-1NULL\s0\fR if an error occurred. .PP \&\fIEVP_PKEY_assign_RSA()\fR, \fIEVP_PKEY_assign_DSA()\fR, \fIEVP_PKEY_assign_DH()\fR and \fIEVP_PKEY_assign_EC_KEY()\fR return 1 for success and 0 for failure. +.PP +\&\fIEVP_PKEY_base_id()\fR, \fIEVP_PKEY_id()\fR and \fIEVP_PKEY_type()\fR return a key +type or \fBNID_undef\fR (equivalently \fB\s-1EVP_PKEY_NONE\s0\fR) on error. +.PP +\&\fIEVP_PKEY_set1_engine()\fR returns 1 for success and 0 for failure. +.PP +\&\fIEVP_PKEY_set_alias_type()\fR returns 1 for success and 0 for error. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIEVP_PKEY_new\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_sign.3 b/secure/lib/libcrypto/man/EVP_PKEY_sign.3 index c480c716ffc4..8987c991bf02 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_sign.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_sign.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_sign 3" -.TH EVP_PKEY_sign 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_SIGN 3" +.TH EVP_PKEY_SIGN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,8 +143,8 @@ EVP_PKEY_sign_init, EVP_PKEY_sign \- sign using a public key algorithm \& \& int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx); \& int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, -\& unsigned char *sig, size_t *siglen, -\& const unsigned char *tbs, size_t tbslen); +\& unsigned char *sig, size_t *siglen, +\& const unsigned char *tbs, size_t tbslen); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -197,25 +197,25 @@ Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest: \& */ \& ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */); \& if (!ctx) -\& /* Error occurred */ +\& /* Error occurred */ \& if (EVP_PKEY_sign_init(ctx) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Determine buffer length */ \& if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0) -\& /* Error */ +\& /* Error */ \& \& sig = OPENSSL_malloc(siglen); \& \& if (!sig) -\& /* malloc failure */ -\& +\& /* malloc failure */ +\& \& if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Signature is siglen bytes written to buffer sig */ .Ve @@ -231,3 +231,11 @@ Sign data using \s-1RSA\s0 with PKCS#1 padding and \s-1SHA256\s0 digest: .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_verify.3 b/secure/lib/libcrypto/man/EVP_PKEY_verify.3 index a9c98448252e..fe54b9e74672 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_verify.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_verify.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_verify 3" -.TH EVP_PKEY_verify 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_VERIFY 3" +.TH EVP_PKEY_VERIFY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,8 +143,8 @@ EVP_PKEY_verify_init, EVP_PKEY_verify \- signature verification using a public k \& \& int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx); \& int EVP_PKEY_verify(EVP_PKEY_CTX *ctx, -\& const unsigned char *sig, size_t siglen, -\& const unsigned char *tbs, size_t tbslen); +\& const unsigned char *sig, size_t siglen, +\& const unsigned char *tbs, size_t tbslen); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -167,7 +167,7 @@ context if several operations are performed using the same parameters. .IX Header "RETURN VALUES" \&\fIEVP_PKEY_verify_init()\fR and \fIEVP_PKEY_verify()\fR return 1 if the verification was successful and 0 if it failed. Unlike other functions the return value 0 from -\&\fIEVP_PKEY_verify()\fR only indicates that the signature did not not verify +\&\fIEVP_PKEY_verify()\fR only indicates that the signature did not verify successfully (that is tbs did not match the original data or the signature was of invalid form) it is not an indication of a more serious error. .PP @@ -184,25 +184,28 @@ Verify signature using PKCS#1 and \s-1SHA256\s0 digest: \& \& EVP_PKEY_CTX *ctx; \& unsigned char *md, *sig; -\& size_t mdlen, siglen; +\& size_t mdlen, siglen; \& EVP_PKEY *verify_key; -\& /* NB: assumes verify_key, sig, siglen md and mdlen are already set up +\& +\& /* +\& * NB: assumes verify_key, sig, siglen md and mdlen are already set up \& * and that verify_key is an RSA public key \& */ -\& ctx = EVP_PKEY_CTX_new(verify_key); +\& ctx = EVP_PKEY_CTX_new(verify_key, NULL /* no engine */); \& if (!ctx) -\& /* Error occurred */ +\& /* Error occurred */ \& if (EVP_PKEY_verify_init(ctx) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Perform operation */ \& ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen); \& -\& /* ret == 1 indicates success, 0 verify failure and < 0 for some +\& /* +\& * ret == 1 indicates success, 0 verify failure and < 0 for some \& * other error. \& */ .Ve @@ -217,3 +220,11 @@ Verify signature using PKCS#1 and \s-1SHA256\s0 digest: .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 b/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 index 15eea9ab74c4..68810fd51fbf 100644 --- a/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 +++ b/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_PKEY_verify_recover 3" -.TH EVP_PKEY_verify_recover 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_PKEY_VERIFY_RECOVER 3" +.TH EVP_PKEY_VERIFY_RECOVER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,8 +143,8 @@ EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover \- recover signature using \& \& int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx); \& int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, -\& unsigned char *rout, size_t *routlen, -\& const unsigned char *sig, size_t siglen); +\& unsigned char *rout, size_t *routlen, +\& const unsigned char *sig, size_t siglen); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -161,7 +161,7 @@ before the call the \fBroutlen\fR parameter should contain the length of the .SH "NOTES" .IX Header "NOTES" Normally an application is only interested in whether a signature verification -operation is successful in those cases the \fIEVP_verify()\fR function should be +operation is successful in those cases the \fIEVP_verify()\fR function should be used. .PP Sometimes however it is useful to obtain the data originally signed using a @@ -189,32 +189,34 @@ Recover digest originally signed using PKCS#1 and \s-1SHA256\s0 digest: \& \& EVP_PKEY_CTX *ctx; \& unsigned char *rout, *sig; -\& size_t routlen, siglen; +\& size_t routlen, siglen; \& EVP_PKEY *verify_key; -\& /* NB: assumes verify_key, sig and siglen are already set up +\& +\& /* +\& * NB: assumes verify_key, sig and siglen are already set up \& * and that verify_key is an RSA public key \& */ -\& ctx = EVP_PKEY_CTX_new(verify_key); +\& ctx = EVP_PKEY_CTX_new(verify_key, NULL /* no engine */); \& if (!ctx) -\& /* Error occurred */ +\& /* Error occurred */ \& if (EVP_PKEY_verify_recover_init(ctx) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) -\& /* Error */ +\& /* Error */ \& if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Determine buffer length */ \& if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0) -\& /* Error */ +\& /* Error */ \& \& rout = OPENSSL_malloc(routlen); \& \& if (!rout) -\& /* malloc failure */ -\& +\& /* malloc failure */ +\& \& if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0) -\& /* Error */ +\& /* Error */ \& \& /* Recovered data is routlen bytes written to buffer rout */ .Ve @@ -229,3 +231,11 @@ Recover digest originally signed using PKCS#1 and \s-1SHA256\s0 digest: .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_SealInit.3 b/secure/lib/libcrypto/man/EVP_SealInit.3 index 35e66f2c6a57..506530ee4a67 100644 --- a/secure/lib/libcrypto/man/EVP_SealInit.3 +++ b/secure/lib/libcrypto/man/EVP_SealInit.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_SealInit 3" -.TH EVP_SealInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_SEALINIT 3" +.TH EVP_SEALINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -145,9 +145,8 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal \- EVP envelope encryption \& unsigned char **ek, int *ekl, unsigned char *iv, \& EVP_PKEY **pubk, int npubk); \& int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl, unsigned char *in, int inl); -\& int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, -\& int *outl); +\& int *outl, unsigned char *in, int inl); +\& int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -175,7 +174,7 @@ If the cipher does not require an \s-1IV\s0 then the \fBiv\fR parameter is ignor and can be \fB\s-1NULL\s0\fR. .PP \&\fIEVP_SealUpdate()\fR and \fIEVP_SealFinal()\fR have exactly the same properties -as the \fIEVP_EncryptUpdate()\fR and \fIEVP_EncryptFinal()\fR routines, as +as the \fIEVP_EncryptUpdate()\fR and \fIEVP_EncryptFinal()\fR routines, as documented on the \fIEVP_EncryptInit\fR\|(3) manual page. .SH "RETURN VALUES" @@ -204,9 +203,14 @@ and (after setting any cipher parameters) it should be called again with \fBtype\fR set to \s-1NULL.\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIevp\fR\|(3), \fIrand\fR\|(3), +\&\fIevp\fR\|(7), \fIRAND_bytes\fR\|(3), \&\fIEVP_EncryptInit\fR\|(3), \&\fIEVP_OpenInit\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIEVP_SealFinal()\fR did not return a value before OpenSSL 0.9.7. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_SignInit.3 b/secure/lib/libcrypto/man/EVP_SignInit.3 index 6c0ea2a0e0f1..9bc01c072a55 100644 --- a/secure/lib/libcrypto/man/EVP_SignInit.3 +++ b/secure/lib/libcrypto/man/EVP_SignInit.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_SignInit 3" -.TH EVP_SignInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_SIGNINIT 3" +.TH EVP_SIGNINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_SignInit, EVP_SignInit_ex, EVP_SignUpdate, EVP_SignFinal \- EVP signing -functions +EVP_PKEY_size, EVP_SignInit, EVP_SignInit_ex, EVP_SignUpdate, EVP_SignFinal, EVP_PKEY_security_bits \- EVP signing functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -144,11 +143,12 @@ functions \& \& int EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); \& int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt); -\& int EVP_SignFinal(EVP_MD_CTX *ctx,unsigned char *sig,unsigned int *s, EVP_PKEY *pkey); +\& int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sig, unsigned int *s, EVP_PKEY *pkey); \& \& void EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type); \& \& int EVP_PKEY_size(EVP_PKEY *pkey); +\& int EVP_PKEY_security_bits(const EVP_PKEY *pkey); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -156,8 +156,8 @@ The \s-1EVP\s0 signature routines are a high level interface to digital signatures. .PP \&\fIEVP_SignInit_ex()\fR sets up signing context \fBctx\fR to use digest -\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be initialized with -\&\fIEVP_MD_CTX_init()\fR before calling this function. +\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be created with +\&\fIEVP_MD_CTX_new()\fR before calling this function. .PP \&\fIEVP_SignUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the signature context \fBctx\fR. This function can be called several times on the @@ -165,7 +165,7 @@ same \fBctx\fR to include additional data. .PP \&\fIEVP_SignFinal()\fR signs the data in \fBctx\fR using the private key \fBpkey\fR and places the signature in \fBsig\fR. \fBsig\fR must be at least EVP_PKEY_size(pkey) -bytes in size. \fBs\fR is an \s-1OUT\s0 paramter, and not used as an \s-1IN\s0 parameter. +bytes in size. \fBs\fR is an \s-1OUT\s0 parameter, and not used as an \s-1IN\s0 parameter. The number of bytes of data written (i.e. the length of the signature) will be written to the integer at \fBs\fR, at most EVP_PKEY_size(pkey) bytes will be written. @@ -175,6 +175,9 @@ implementation of digest \fBtype\fR. .PP \&\fIEVP_PKEY_size()\fR returns the maximum size of a signature in bytes. The actual signature returned by \fIEVP_SignFinal()\fR may be smaller. +.PP +\&\fIEVP_PKEY_security_bits()\fR returns the number of security bits of the given \fBpkey\fR, +bits of security is defined in \s-1NIST SP800\-57.\s0 .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIEVP_SignInit_ex()\fR, \fIEVP_SignUpdate()\fR and \fIEVP_SignFinal()\fR return 1 @@ -183,17 +186,14 @@ for success and 0 for failure. \&\fIEVP_PKEY_size()\fR returns the maximum size of a signature in bytes. .PP The error codes can be obtained by \fIERR_get_error\fR\|(3). +.PP +\&\fIEVP_PKEY_security_bits()\fR returns the number of security bits. .SH "NOTES" .IX Header "NOTES" The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be used in preference to the low level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP -Due to the link between message digests and public key algorithms the correct -digest algorithm must be used with the correct public key type. A list of -algorithms and associated public key algorithms appears in -\&\fIEVP_DigestInit\fR\|(3). -.PP When signing with \s-1DSA\s0 private keys the random number generator must be seeded or the operation will fail. The random number generator does not need to be seeded for \s-1RSA\s0 signatures. @@ -203,11 +203,11 @@ This means that calls to \fIEVP_SignUpdate()\fR and \fIEVP_SignFinal()\fR can be later to digest and sign additional data. .PP Since only a copy of the digest context is ever finalized the context must -be cleaned up after use by calling \fIEVP_MD_CTX_cleanup()\fR or a memory leak +be cleaned up after use by calling \fIEVP_MD_CTX_free()\fR or a memory leak will occur. .SH "BUGS" .IX Header "BUGS" -Older versions of this documentation wrongly stated that calls to +Older versions of this documentation wrongly stated that calls to \&\fIEVP_SignUpdate()\fR could not be made after calling \fIEVP_SignFinal()\fR. .PP Since the private key is passed in the call to \fIEVP_SignFinal()\fR any error @@ -221,13 +221,15 @@ The previous two bugs are fixed in the newer EVP_SignDigest*() function. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIEVP_VerifyInit\fR\|(3), -\&\fIEVP_DigestInit\fR\|(3), \fIerr\fR\|(3), -\&\fIevp\fR\|(3), \fIhmac\fR\|(3), \fImd2\fR\|(3), -\&\fImd5\fR\|(3), \fImdc2\fR\|(3), \fIripemd\fR\|(3), -\&\fIsha\fR\|(3), \fIdgst\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIEVP_SignInit()\fR, \fIEVP_SignUpdate()\fR and \fIEVP_SignFinal()\fR are -available in all versions of SSLeay and OpenSSL. +\&\fIEVP_DigestInit\fR\|(3), +\&\fIevp\fR\|(7), \s-1\fIHMAC\s0\fR\|(3), \s-1\fIMD2\s0\fR\|(3), +\&\s-1\fIMD5\s0\fR\|(3), \s-1\fIMDC2\s0\fR\|(3), \s-1\fIRIPEMD160\s0\fR\|(3), +\&\s-1\fISHA1\s0\fR\|(3), \fIdgst\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIEVP_SignInit_ex()\fR was added in OpenSSL 0.9.7. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_VerifyInit.3 b/secure/lib/libcrypto/man/EVP_VerifyInit.3 index 72856d52ea6d..5069af1ce809 100644 --- a/secure/lib/libcrypto/man/EVP_VerifyInit.3 +++ b/secure/lib/libcrypto/man/EVP_VerifyInit.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "EVP_VerifyInit 3" -.TH EVP_VerifyInit 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_VERIFYINIT 3" +.TH EVP_VERIFYINIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal \- EVP signature verification functions +EVP_VerifyInit_ex, EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal \&\- EVP signature verification functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,7 +143,8 @@ EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal \- EVP signature verification \& \& int EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); \& int EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt); -\& int EVP_VerifyFinal(EVP_MD_CTX *ctx,unsigned char *sigbuf, unsigned int siglen,EVP_PKEY *pkey); +\& int EVP_VerifyFinal(EVP_MD_CTX *ctx, unsigned char *sigbuf, unsigned int siglen, +\& EVP_PKEY *pkey); \& \& int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type); .Ve @@ -153,8 +154,8 @@ The \s-1EVP\s0 signature verification routines are a high level interface to dig signatures. .PP \&\fIEVP_VerifyInit_ex()\fR sets up verification context \fBctx\fR to use digest -\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be initialized by calling -\&\fIEVP_MD_CTX_init()\fR before calling this function. +\&\fBtype\fR from \s-1ENGINE\s0 \fBimpl\fR. \fBctx\fR must be created by calling +\&\fIEVP_MD_CTX_new()\fR before calling this function. .PP \&\fIEVP_VerifyUpdate()\fR hashes \fBcnt\fR bytes of data at \fBd\fR into the verification context \fBctx\fR. This function can be called several times on the @@ -180,21 +181,16 @@ The \fB\s-1EVP\s0\fR interface to digital signatures should almost always be use preference to the low level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. .PP -Due to the link between message digests and public key algorithms the correct -digest algorithm must be used with the correct public key type. A list of -algorithms and associated public key algorithms appears in -\&\fIEVP_DigestInit\fR\|(3). -.PP The call to \fIEVP_VerifyFinal()\fR internally finalizes a copy of the digest context. This means that calls to \fIEVP_VerifyUpdate()\fR and \fIEVP_VerifyFinal()\fR can be called later to digest and verify additional data. .PP Since only a copy of the digest context is ever finalized the context must -be cleaned up after use by calling \fIEVP_MD_CTX_cleanup()\fR or a memory leak +be cleaned up after use by calling \fIEVP_MD_CTX_free()\fR or a memory leak will occur. .SH "BUGS" .IX Header "BUGS" -Older versions of this documentation wrongly stated that calls to +Older versions of this documentation wrongly stated that calls to \&\fIEVP_VerifyUpdate()\fR could not be made after calling \fIEVP_VerifyFinal()\fR. .PP Since the public key is passed in the call to \fIEVP_SignFinal()\fR any error @@ -207,15 +203,17 @@ It is not possible to change the signing parameters using these function. The previous two bugs are fixed in the newer EVP_VerifyDigest*() function. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIevp\fR\|(3), +\&\fIevp\fR\|(7), \&\fIEVP_SignInit\fR\|(3), -\&\fIEVP_DigestInit\fR\|(3), \fIerr\fR\|(3), -\&\fIevp\fR\|(3), \fIhmac\fR\|(3), \fImd2\fR\|(3), -\&\fImd5\fR\|(3), \fImdc2\fR\|(3), \fIripemd\fR\|(3), -\&\fIsha\fR\|(3), \fIdgst\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIEVP_VerifyInit()\fR, \fIEVP_VerifyUpdate()\fR and \fIEVP_VerifyFinal()\fR are -available in all versions of SSLeay and OpenSSL. +\&\fIEVP_DigestInit\fR\|(3), +\&\fIevp\fR\|(7), \s-1\fIHMAC\s0\fR\|(3), \s-1\fIMD2\s0\fR\|(3), +\&\s-1\fIMD5\s0\fR\|(3), \s-1\fIMDC2\s0\fR\|(3), \s-1\fIRIPEMD160\s0\fR\|(3), +\&\s-1\fISHA1\s0\fR\|(3), \fIdgst\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIEVP_VerifyInit_ex()\fR was added in OpenSSL 0.9.7 +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_aes.3 b/secure/lib/libcrypto/man/EVP_aes.3 new file mode 100644 index 000000000000..c33fa870a788 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_aes.3 @@ -0,0 +1,212 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_AES 3" +.TH EVP_AES 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_aes_128_cbc, EVP_aes_192_cbc, EVP_aes_256_cbc, EVP_aes_128_cfb, EVP_aes_192_cfb, EVP_aes_256_cfb, EVP_aes_128_cfb1, EVP_aes_192_cfb1, EVP_aes_256_cfb1, EVP_aes_128_cfb8, EVP_aes_192_cfb8, EVP_aes_256_cfb8, EVP_aes_128_ctr, EVP_aes_192_ctr, EVP_aes_256_ctr, EVP_aes_128_ecb, EVP_aes_192_ecb, EVP_aes_256_ecb, EVP_aes_128_ofb, EVP_aes_192_ofb, EVP_aes_256_ofb, EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1, EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256, EVP_aes_128_ccm, EVP_aes_192_ccm, EVP_aes_256_ccm, EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ocb, EVP_aes_192_ocb, EVP_aes_256_ocb, EVP_aes_128_wrap, EVP_aes_192_wrap, EVP_aes_256_wrap, EVP_aes_128_wrap_pad, EVP_aes_192_wrap_pad, EVP_aes_256_wrap_pad, EVP_aes_128_xts, EVP_aes_256_xts \&\- EVP AES cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_ciphername(void) +.Ve +.PP +\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher +functions, such as \fIEVP_aes_128_cbc\fR. +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1AES\s0 encryption algorithm for \s-1EVP.\s0 +.IP "\fIEVP_aes_128_cbc()\fR, \fIEVP_aes_192_cbc()\fR, \fIEVP_aes_256_cbc()\fR, \fIEVP_aes_128_cfb()\fR, \fIEVP_aes_192_cfb()\fR, \fIEVP_aes_256_cfb()\fR, \fIEVP_aes_128_cfb1()\fR, \fIEVP_aes_192_cfb1()\fR, \fIEVP_aes_256_cfb1()\fR, \fIEVP_aes_128_cfb8()\fR, \fIEVP_aes_192_cfb8()\fR, \fIEVP_aes_256_cfb8()\fR, \fIEVP_aes_128_ctr()\fR, \fIEVP_aes_192_ctr()\fR, \fIEVP_aes_256_ctr()\fR, \fIEVP_aes_128_ecb()\fR, \fIEVP_aes_192_ecb()\fR, \fIEVP_aes_256_ecb()\fR, \fIEVP_aes_128_ofb()\fR, \fIEVP_aes_192_ofb()\fR, \fIEVP_aes_256_ofb()\fR" 4 +.IX Item "EVP_aes_128_cbc(), EVP_aes_192_cbc(), EVP_aes_256_cbc(), EVP_aes_128_cfb(), EVP_aes_192_cfb(), EVP_aes_256_cfb(), EVP_aes_128_cfb1(), EVP_aes_192_cfb1(), EVP_aes_256_cfb1(), EVP_aes_128_cfb8(), EVP_aes_192_cfb8(), EVP_aes_256_cfb8(), EVP_aes_128_ctr(), EVP_aes_192_ctr(), EVP_aes_256_ctr(), EVP_aes_128_ecb(), EVP_aes_192_ecb(), EVP_aes_256_ecb(), EVP_aes_128_ofb(), EVP_aes_192_ofb(), EVP_aes_256_ofb()" +\&\s-1AES\s0 for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with 128\-bit +shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB,\s0 and \s-1OFB.\s0 +.IP "\fIEVP_aes_128_cbc_hmac_sha1()\fR, \fIEVP_aes_256_cbc_hmac_sha1()\fR" 4 +.IX Item "EVP_aes_128_cbc_hmac_sha1(), EVP_aes_256_cbc_hmac_sha1()" +Authenticated encryption with \s-1AES\s0 in \s-1CBC\s0 mode using \s-1SHA\-1\s0 as \s-1HMAC,\s0 with keys of +128 and 256 bits length respectively. The authentication tag is 160 bits long. +.Sp +\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of +some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0 +interface. +.IP "\fIEVP_aes_128_cbc_hmac_sha256()\fR, \fIEVP_aes_256_cbc_hmac_sha256()\fR" 4 +.IX Item "EVP_aes_128_cbc_hmac_sha256(), EVP_aes_256_cbc_hmac_sha256()" +Authenticated encryption with \s-1AES\s0 in \s-1CBC\s0 mode using \s-1SHA256\s0 (\s-1SHA\-2,\s0 256\-bits) as +\&\s-1HMAC,\s0 with keys of 128 and 256 bits length respectively. The authentication tag +is 256 bits long. +.Sp +\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of +some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0 +interface. +.IP "\fIEVP_aes_128_ccm()\fR, \fIEVP_aes_192_ccm()\fR, \fIEVP_aes_256_ccm()\fR, \fIEVP_aes_128_gcm()\fR, \fIEVP_aes_192_gcm()\fR, \fIEVP_aes_256_gcm()\fR, \fIEVP_aes_128_ocb()\fR, \fIEVP_aes_192_ocb()\fR, \fIEVP_aes_256_ocb()\fR" 4 +.IX Item "EVP_aes_128_ccm(), EVP_aes_192_ccm(), EVP_aes_256_ccm(), EVP_aes_128_gcm(), EVP_aes_192_gcm(), EVP_aes_256_gcm(), EVP_aes_128_ocb(), EVP_aes_192_ocb(), EVP_aes_256_ocb()" +\&\s-1AES\s0 for 128, 192 and 256 bit keys in CBC-MAC Mode (\s-1CCM\s0), Galois Counter Mode +(\s-1GCM\s0) and \s-1OCB\s0 Mode respectively. These ciphers require additional control +operations to function correctly, see the \*(L"\s-1AEAD\s0 Interface\*(R" in \fIEVP_EncryptInit\fR\|(3) +section for details. +.IP "\fIEVP_aes_128_wrap()\fR, \fIEVP_aes_192_wrap()\fR, \fIEVP_aes_256_wrap()\fR, \fIEVP_aes_128_wrap_pad()\fR, \fIEVP_aes_128_wrap()\fR, \fIEVP_aes_192_wrap()\fR, \fIEVP_aes_256_wrap()\fR, \fIEVP_aes_192_wrap_pad()\fR, \fIEVP_aes_128_wrap()\fR, \fIEVP_aes_192_wrap()\fR, \fIEVP_aes_256_wrap()\fR, \fIEVP_aes_256_wrap_pad()\fR" 4 +.IX Item "EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_128_wrap_pad(), EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_192_wrap_pad(), EVP_aes_128_wrap(), EVP_aes_192_wrap(), EVP_aes_256_wrap(), EVP_aes_256_wrap_pad()" +\&\s-1AES\s0 key wrap with 128, 192 and 256 bit keys, as according to \s-1RFC 3394\s0 section +2.2.1 (\*(L"wrap\*(R") and \s-1RFC 5649\s0 section 4.1 (\*(L"wrap with padding\*(R") respectively. +.IP "\fIEVP_aes_128_xts()\fR, \fIEVP_aes_256_xts()\fR" 4 +.IX Item "EVP_aes_128_xts(), EVP_aes_256_xts()" +\&\s-1AES XTS\s0 mode (XTS-AES) is standardized in \s-1IEEE\s0 Std. 1619\-2007 and described in \s-1NIST +SP 800\-38E.\s0 The \s-1XTS\s0 (XEX-based tweaked-codebook mode with ciphertext stealing) +mode was designed by Prof. Phillip Rogaway of University of California, Davis, +intended for encrypting data on a storage device. +.Sp +XTS-AES provides confidentiality but not authentication of data. It also +requires a key of double-length for protection of a certain key size. +In particular, \s-1XTS\-AES\-128\s0 (\fBEVP_aes_128_xts\fR) takes input of a 256\-bit key to +achieve \s-1AES\s0 128\-bit security, and \s-1XTS\-AES\-256\s0 (\fBEVP_aes_256_xts\fR) takes input +of a 512\-bit key to achieve \s-1AES\s0 256\-bit security. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_aria.3 b/secure/lib/libcrypto/man/EVP_aria.3 new file mode 100644 index 000000000000..515e937eed18 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_aria.3 @@ -0,0 +1,178 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_ARIA 3" +.TH EVP_ARIA 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_aria_128_cbc, EVP_aria_192_cbc, EVP_aria_256_cbc, EVP_aria_128_cfb, EVP_aria_192_cfb, EVP_aria_256_cfb, EVP_aria_128_cfb1, EVP_aria_192_cfb1, EVP_aria_256_cfb1, EVP_aria_128_cfb8, EVP_aria_192_cfb8, EVP_aria_256_cfb8, EVP_aria_128_ctr, EVP_aria_192_ctr, EVP_aria_256_ctr, EVP_aria_128_ecb, EVP_aria_192_ecb, EVP_aria_256_ecb, EVP_aria_128_ofb, EVP_aria_192_ofb, EVP_aria_256_ofb, EVP_aria_128_ccm, EVP_aria_192_ccm, EVP_aria_256_ccm, EVP_aria_128_gcm, EVP_aria_192_gcm, EVP_aria_256_gcm, \&\- EVP AES cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_ciphername(void) +.Ve +.PP +\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher +functions, such as \fIEVP_aria_128_cbc\fR. +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1ARIA\s0 encryption algorithm for \s-1EVP.\s0 +.IP "\fIEVP_aria_128_cbc()\fR, \fIEVP_aria_192_cbc()\fR, \fIEVP_aria_256_cbc()\fR, \fIEVP_aria_128_cfb()\fR, \fIEVP_aria_192_cfb()\fR, \fIEVP_aria_256_cfb()\fR, \fIEVP_aria_128_cfb1()\fR, \fIEVP_aria_192_cfb1()\fR, \fIEVP_aria_256_cfb1()\fR, \fIEVP_aria_128_cfb8()\fR, \fIEVP_aria_192_cfb8()\fR, \fIEVP_aria_256_cfb8()\fR, \fIEVP_aria_128_ctr()\fR, \fIEVP_aria_192_ctr()\fR, \fIEVP_aria_256_ctr()\fR, \fIEVP_aria_128_ecb()\fR, \fIEVP_aria_192_ecb()\fR, \fIEVP_aria_256_ecb()\fR, \fIEVP_aria_128_ofb()\fR, \fIEVP_aria_192_ofb()\fR, \fIEVP_aria_256_ofb()\fR" 4 +.IX Item "EVP_aria_128_cbc(), EVP_aria_192_cbc(), EVP_aria_256_cbc(), EVP_aria_128_cfb(), EVP_aria_192_cfb(), EVP_aria_256_cfb(), EVP_aria_128_cfb1(), EVP_aria_192_cfb1(), EVP_aria_256_cfb1(), EVP_aria_128_cfb8(), EVP_aria_192_cfb8(), EVP_aria_256_cfb8(), EVP_aria_128_ctr(), EVP_aria_192_ctr(), EVP_aria_256_ctr(), EVP_aria_128_ecb(), EVP_aria_192_ecb(), EVP_aria_256_ecb(), EVP_aria_128_ofb(), EVP_aria_192_ofb(), EVP_aria_256_ofb()" +\&\s-1ARIA\s0 for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with +128\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB\s0 and \s-1OFB.\s0 +.IP "\fIEVP_aria_128_ccm()\fR, \fIEVP_aria_192_ccm()\fR, \fIEVP_aria_256_ccm()\fR, \fIEVP_aria_128_gcm()\fR, \fIEVP_aria_192_gcm()\fR, \fIEVP_aria_256_gcm()\fR," 4 +.IX Item "EVP_aria_128_ccm(), EVP_aria_192_ccm(), EVP_aria_256_ccm(), EVP_aria_128_gcm(), EVP_aria_192_gcm(), EVP_aria_256_gcm()," +\&\s-1ARIA\s0 for 128, 192 and 256 bit keys in CBC-MAC Mode (\s-1CCM\s0) and Galois Counter +Mode (\s-1GCM\s0). These ciphers require additional control operations to function +correctly, see the \*(L"\s-1AEAD\s0 Interface\*(R" in \fIEVP_EncryptInit\fR\|(3) section for details. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_bf_cbc.3 b/secure/lib/libcrypto/man/EVP_bf_cbc.3 new file mode 100644 index 000000000000..035c677922da --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_bf_cbc.3 @@ -0,0 +1,174 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_BF_CBC 3" +.TH EVP_BF_CBC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_bf_cbc, EVP_bf_cfb, EVP_bf_ecb, EVP_bf_ofb \&\- EVP Blowfish cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_bf_cbc(void) +\& const EVP_CIPHER *EVP_bf_cfb(void) +\& const EVP_CIPHER *EVP_bf_ecb(void) +\& const EVP_CIPHER *EVP_bf_ofb(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The Blowfish encryption algorithm for \s-1EVP.\s0 +.PP +This is a variable key length cipher. +.IP "\fIEVP_bf_cbc()\fR, \fIEVP_bf_cfb()\fR, \fIEVP_bf_ecb()\fR, \fIEVP_bf_ofb()\fR" 4 +.IX Item "EVP_bf_cbc(), EVP_bf_cfb(), EVP_bf_ecb(), EVP_bf_ofb()" +Blowfish encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_blake2b512.3 b/secure/lib/libcrypto/man/EVP_blake2b512.3 new file mode 100644 index 000000000000..b689ff5f04ae --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_blake2b512.3 @@ -0,0 +1,182 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_BLAKE2B512 3" +.TH EVP_BLAKE2B512 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_blake2b512, EVP_blake2s256 \&\- BLAKE2 For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_blake2b512(void); +\& const EVP_MD *EVP_blake2s256(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1BLAKE2\s0 is an improved version of \s-1BLAKE,\s0 which was submitted to the \s-1NIST SHA\-3\s0 +algorithm competition. The BLAKE2s and BLAKE2b algorithms are described in +\&\s-1RFC 7693.\s0 +.IP "\fIEVP_blake2s256()\fR" 4 +.IX Item "EVP_blake2s256()" +The BLAKE2s algorithm that produces a 256\-bit output from a given input. +.IP "\fIEVP_blake2b512()\fR" 4 +.IX Item "EVP_blake2b512()" +The BLAKE2b algorithm that produces a 512\-bit output from a given input. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1RFC 7693.\s0 +.SH "NOTES" +.IX Header "NOTES" +While the BLAKE2b and BLAKE2s algorithms supports a variable length digest, +this implementation outputs a digest of a fixed length (the maximum length +supported), which is 512\-bits for BLAKE2b and 256\-bits for BLAKE2s. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_camellia.3 b/secure/lib/libcrypto/man/EVP_camellia.3 new file mode 100644 index 000000000000..f228152a27df --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_camellia.3 @@ -0,0 +1,173 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_CAMELLIA 3" +.TH EVP_CAMELLIA 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_camellia_128_cbc, EVP_camellia_192_cbc, EVP_camellia_256_cbc, EVP_camellia_128_cfb, EVP_camellia_192_cfb, EVP_camellia_256_cfb, EVP_camellia_128_cfb1, EVP_camellia_192_cfb1, EVP_camellia_256_cfb1, EVP_camellia_128_cfb8, EVP_camellia_192_cfb8, EVP_camellia_256_cfb8, EVP_camellia_128_ctr, EVP_camellia_192_ctr, EVP_camellia_256_ctr, EVP_camellia_128_ecb, EVP_camellia_192_ecb, EVP_camellia_256_ecb, EVP_camellia_128_ofb, EVP_camellia_192_ofb, EVP_camellia_256_ofb \&\- EVP Camellia cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_ciphername(void) +.Ve +.PP +\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher +functions, such as \fIEVP_camellia_128_cbc\fR. +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The Camellia encryption algorithm for \s-1EVP.\s0 +.IP "\fIEVP_camellia_128_cbc()\fR, \fIEVP_camellia_192_cbc()\fR, \fIEVP_camellia_256_cbc()\fR, \fIEVP_camellia_128_cfb()\fR, \fIEVP_camellia_192_cfb()\fR, \fIEVP_camellia_256_cfb()\fR, \fIEVP_camellia_128_cfb1()\fR, \fIEVP_camellia_192_cfb1()\fR, \fIEVP_camellia_256_cfb1()\fR, \fIEVP_camellia_128_cfb8()\fR, \fIEVP_camellia_192_cfb8()\fR, \fIEVP_camellia_256_cfb8()\fR, \fIEVP_camellia_128_ctr()\fR, \fIEVP_camellia_192_ctr()\fR, \fIEVP_camellia_256_ctr()\fR, \fIEVP_camellia_128_ecb()\fR, \fIEVP_camellia_192_ecb()\fR, \fIEVP_camellia_256_ecb()\fR, \fIEVP_camellia_128_ofb()\fR, \fIEVP_camellia_192_ofb()\fR, \fIEVP_camellia_256_ofb()\fR" 4 +.IX Item "EVP_camellia_128_cbc(), EVP_camellia_192_cbc(), EVP_camellia_256_cbc(), EVP_camellia_128_cfb(), EVP_camellia_192_cfb(), EVP_camellia_256_cfb(), EVP_camellia_128_cfb1(), EVP_camellia_192_cfb1(), EVP_camellia_256_cfb1(), EVP_camellia_128_cfb8(), EVP_camellia_192_cfb8(), EVP_camellia_256_cfb8(), EVP_camellia_128_ctr(), EVP_camellia_192_ctr(), EVP_camellia_256_ctr(), EVP_camellia_128_ecb(), EVP_camellia_192_ecb(), EVP_camellia_256_ecb(), EVP_camellia_128_ofb(), EVP_camellia_192_ofb(), EVP_camellia_256_ofb()" +Camellia for 128, 192 and 256 bit keys in the following modes: \s-1CBC, CFB\s0 with +128\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit shift, \s-1CTR, ECB\s0 and \s-1OFB.\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_cast5_cbc.3 b/secure/lib/libcrypto/man/EVP_cast5_cbc.3 new file mode 100644 index 000000000000..e7f98d94cf06 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_cast5_cbc.3 @@ -0,0 +1,174 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_CAST5_CBC 3" +.TH EVP_CAST5_CBC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_cast5_cbc, EVP_cast5_cfb, EVP_cast5_ecb, EVP_cast5_ofb \&\- EVP CAST cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_cast5_cbc(void) +\& const EVP_CIPHER *EVP_cast5_cfb(void) +\& const EVP_CIPHER *EVP_cast5_ecb(void) +\& const EVP_CIPHER *EVP_cast5_ofb(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1CAST\s0 encryption algorithm for \s-1EVP.\s0 +.PP +This is a variable key length cipher. +.IP "\fIEVP_cast5_cbc()\fR, \fIEVP_cast5_ecb()\fR, \fIEVP_cast5_cfb()\fR, \fIEVP_cast5_ofb()\fR" 4 +.IX Item "EVP_cast5_cbc(), EVP_cast5_ecb(), EVP_cast5_cfb(), EVP_cast5_ofb()" +\&\s-1CAST\s0 encryption algorithm in \s-1CBC, ECB, CFB\s0 and \s-1OFB\s0 modes respectively. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_chacha20.3 b/secure/lib/libcrypto/man/EVP_chacha20.3 new file mode 100644 index 000000000000..bce6118a27c1 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_chacha20.3 @@ -0,0 +1,176 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_CHACHA20 3" +.TH EVP_CHACHA20 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_chacha20, EVP_chacha20_poly1305 \&\- EVP ChaCha20 stream cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_chacha20(void) +\& const EVP_CIPHER *EVP_chacha20_poly1305(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The ChaCha20 stream cipher for \s-1EVP.\s0 +.IP "\fIEVP_chacha20()\fR" 4 +.IX Item "EVP_chacha20()" +The ChaCha20 stream cipher. The key length is 256 bits, the \s-1IV\s0 is 96 bits long. +.IP "\fIEVP_chacha20_poly1305()\fR" 4 +.IX Item "EVP_chacha20_poly1305()" +Authenticated encryption with ChaCha20\-Poly1305. Like \fIEVP_chacha20()\fR, the key +is 256 bits and the \s-1IV\s0 is 96 bits. This supports additional authenticated data +(\s-1AAD\s0) and produces a 128\-bit authentication tag. See the +\&\*(L"\s-1AEAD\s0 Interface\*(R" in \fIEVP_EncryptInit\fR\|(3) section for more information. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_des.3 b/secure/lib/libcrypto/man/EVP_des.3 new file mode 100644 index 000000000000..ba5e8793a7cd --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_des.3 @@ -0,0 +1,183 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_DES 3" +.TH EVP_DES 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_des_cbc, EVP_des_cfb, EVP_des_cfb1, EVP_des_cfb8, EVP_des_ecb, EVP_des_ede, EVP_des_ede_cfb, EVP_des_ede_ofb, EVP_des_ofb, EVP_des_ede3, EVP_des_ede3_cbc, EVP_des_ede3_cfb, EVP_des_ede3_cfb1, EVP_des_ede3_cfb8, EVP_des_ede3_ofb, EVP_des_ede3_wrap, EVP_des_ede_cbc \&\- EVP DES cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_ciphername(void) +.Ve +.PP +\&\fIEVP_ciphername\fR is used a placeholder for any of the described cipher +functions, such as \fIEVP_des_cbc\fR. +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1DES\s0 encryption algorithm for \s-1EVP.\s0 +.IP "\fIEVP_des_cbc()\fR, \fIEVP_des_ecb()\fR, \fIEVP_des_cfb()\fR, \fIEVP_des_cfb1()\fR, \fIEVP_des_cfb8()\fR, \fIEVP_des_ofb()\fR" 4 +.IX Item "EVP_des_cbc(), EVP_des_ecb(), EVP_des_cfb(), EVP_des_cfb1(), EVP_des_cfb8(), EVP_des_ofb()" +\&\s-1DES\s0 in \s-1CBC, ECB, CFB\s0 with 128\-bit shift, \s-1CFB\s0 with 1\-bit shift, \s-1CFB\s0 with 8\-bit +shift and \s-1OFB\s0 modes respectively. +.IP "\fIEVP_des_ede()\fR, \fIEVP_des_ede_cbc()\fR, \fIEVP_des_ede_ofb()\fR, \fIEVP_des_ede_cfb()\fR" 4 +.IX Item "EVP_des_ede(), EVP_des_ede_cbc(), EVP_des_ede_ofb(), EVP_des_ede_cfb()" +Two key triple \s-1DES\s0 in \s-1ECB, CBC, CFB\s0 and \s-1OFB\s0 modes respectively. +.IP "\fIEVP_des_ede3()\fR, \fIEVP_des_ede3_cbc()\fR, \fIEVP_des_ede3_cfb()\fR, \fIEVP_des_ede3_cfb1()\fR, \fIEVP_des_ede3_cfb8()\fR, \fIEVP_des_ede3_ofb()\fR" 4 +.IX Item "EVP_des_ede3(), EVP_des_ede3_cbc(), EVP_des_ede3_cfb(), EVP_des_ede3_cfb1(), EVP_des_ede3_cfb8(), EVP_des_ede3_ofb()" +Three-key triple \s-1DES\s0 in \s-1ECB, CBC, CFB\s0 with 128\-bit shift, \s-1CFB\s0 with 1\-bit shift, +\&\s-1CFB\s0 with 8\-bit shift and \s-1OFB\s0 modes respectively. +.IP "\fIEVP_des_ede3_wrap()\fR" 4 +.IX Item "EVP_des_ede3_wrap()" +Triple-DES key wrap according to \s-1RFC 3217\s0 Section 3. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_desx_cbc.3 b/secure/lib/libcrypto/man/EVP_desx_cbc.3 new file mode 100644 index 000000000000..7f3a3f57197b --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_desx_cbc.3 @@ -0,0 +1,171 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_DESX_CBC 3" +.TH EVP_DESX_CBC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_desx_cbc \&\- EVP DES\-X cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_desx_cbc(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The DES-X encryption algorithm for \s-1EVP.\s0 +.PP +All modes below use a key length of 128 bits and acts on blocks of 128\-bits. +.IP "\fIEVP_desx_cbc()\fR" 4 +.IX Item "EVP_desx_cbc()" +The DES-X algorithm in \s-1CBC\s0 mode. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_idea_cbc.3 b/secure/lib/libcrypto/man/EVP_idea_cbc.3 new file mode 100644 index 000000000000..c5d21f18f07f --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_idea_cbc.3 @@ -0,0 +1,172 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_IDEA_CBC 3" +.TH EVP_IDEA_CBC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_idea_cbc, EVP_idea_cfb, EVP_idea_ecb, EVP_idea_ofb \&\- EVP IDEA cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_idea_cbc(void) +\& const EVP_CIPHER *EVP_idea_cfb(void) +\& const EVP_CIPHER *EVP_idea_ecb(void) +\& const EVP_CIPHER *EVP_idea_ofb(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1IDEA\s0 encryption algorithm for \s-1EVP.\s0 +.IP "\fIEVP_idea_cbc()\fR, \fIEVP_idea_cfb()\fR, \fIEVP_idea_ecb()\fR, \fIEVP_idea_ofb()\fR" 4 +.IX Item "EVP_idea_cbc(), EVP_idea_cfb(), EVP_idea_ecb(), EVP_idea_ofb()" +The \s-1IDEA\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_md2.3 b/secure/lib/libcrypto/man/EVP_md2.3 new file mode 100644 index 000000000000..410b7f6cc945 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_md2.3 @@ -0,0 +1,172 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_MD2 3" +.TH EVP_MD2 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_md2 \&\- MD2 For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_md2(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1MD2\s0 is a cryptographic hash function standardized in \s-1RFC 1319\s0 and designed by +Ronald Rivest. +.IP "\fIEVP_md2()\fR" 4 +.IX Item "EVP_md2()" +The \s-1MD2\s0 algorithm which produces a 128\-bit output from a given input. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1IETF RFC 1319.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_pending.3 b/secure/lib/libcrypto/man/EVP_md4.3 similarity index 77% rename from secure/lib/libssl/man/SSL_pending.3 rename to secure/lib/libcrypto/man/EVP_md4.3 index 688f7d4e6b68..f878923eba59 100644 --- a/secure/lib/libssl/man/SSL_pending.3 +++ b/secure/lib/libcrypto/man/EVP_md4.3 @@ -128,45 +128,45 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_pending 3" -.TH SSL_pending 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "EVP_MD4 3" +.TH EVP_MD4 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_pending \- obtain number of readable bytes buffered in an SSL object +EVP_md4 \&\- MD4 For EVP .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& int SSL_pending(const SSL *ssl); +\& const EVP_MD *EVP_md4(void); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_pending()\fR returns the number of bytes which are available inside -\&\fBssl\fR for immediate read. -.SH "NOTES" -.IX Header "NOTES" -Data are received in blocks from the peer. Therefore data can be buffered -inside \fBssl\fR and are ready for immediate retrieval with -\&\fISSL_read\fR\|(3). +\&\s-1MD4\s0 is a cryptographic hash function standardized in \s-1RFC 1320\s0 and designed by +Ronald Rivest, first published in 1990. +.IP "\fIEVP_md4()\fR" 4 +.IX Item "EVP_md4()" +The \s-1MD4\s0 algorithm which produces a 128\-bit output from a given input. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The number of bytes pending is returned. -.SH "BUGS" -.IX Header "BUGS" -\&\fISSL_pending()\fR takes into account only bytes from the \s-1TLS/SSL\s0 record -that is currently being processed (if any). If the \fB\s-1SSL\s0\fR object's -\&\fIread_ahead\fR flag is set (see -\&\fISSL_CTX_set_read_ahead\fR\|(3)), additional protocol -bytes may have been read containing more \s-1TLS/SSL\s0 records; these are ignored by -\&\fISSL_pending()\fR. -.PP -Up to OpenSSL 0.9.6, \fISSL_pending()\fR does not check if the record type -of pending data is application data. +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1IETF RFC 1320.\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_read\fR\|(3), -\&\fISSL_CTX_set_read_ahead\fR\|(3), \fIssl\fR\|(3) +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_md5.3 b/secure/lib/libcrypto/man/EVP_md5.3 new file mode 100644 index 000000000000..44cb188eea05 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_md5.3 @@ -0,0 +1,181 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_MD5 3" +.TH EVP_MD5 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_md5 \&\- MD5 For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_md5(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1MD5\s0 is a cryptographic hash function standardized in \s-1RFC 1321\s0 and designed by +Ronald Rivest. +.PP +The \s-1CMU\s0 Software Engineering Institute considers \s-1MD5\s0 unsuitable for further +use since its security has been severely compromised. +.IP "\fIEVP_md5()\fR" 4 +.IX Item "EVP_md5()" +The \s-1MD5\s0 algorithm which produces a 128\-bit output from a given input. +.IP "\fIEVP_md5_sha1()\fR" 4 +.IX Item "EVP_md5_sha1()" +A hash algorithm of \s-1SSL\s0 v3 that combines \s-1MD5\s0 with \s-1SHA\-1\s0 as decirbed in \s-1RFC +6101.\s0 +.Sp +\&\s-1WARNING:\s0 this algorithm is not intended for non-SSL usage. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1IETF RFC 1321.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_mdc2.3 b/secure/lib/libcrypto/man/EVP_mdc2.3 new file mode 100644 index 000000000000..01b22948af5a --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_mdc2.3 @@ -0,0 +1,173 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_MDC2 3" +.TH EVP_MDC2 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_mdc2 \&\- MDC\-2 For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_mdc2(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1MDC\-2\s0 (Modification Detection Code 2 or Meyer-Schilling) is a cryptographic +hash function based on a block cipher. +.IP "\fIEVP_mdc2()\fR" 4 +.IX Item "EVP_mdc2()" +The \s-1MDC\-2DES\s0 algorithm of using \s-1MDC\-2\s0 with the \s-1DES\s0 block cipher. It produces a +128\-bit output from a given input. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1ISO/IEC 10118\-2:2000\s0 Hash-Function 2, with \s-1DES\s0 as the underlying block cipher. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_rc2_cbc.3 b/secure/lib/libcrypto/man/EVP_rc2_cbc.3 new file mode 100644 index 000000000000..9170d5209041 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_rc2_cbc.3 @@ -0,0 +1,184 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_RC2_CBC 3" +.TH EVP_RC2_CBC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_rc2_cbc, EVP_rc2_cfb, EVP_rc2_ecb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc \&\- EVP RC2 cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_rc2_cbc(void) +\& const EVP_CIPHER *EVP_rc2_cfb(void) +\& const EVP_CIPHER *EVP_rc2_ecb(void) +\& const EVP_CIPHER *EVP_rc2_ofb(void) +\& const EVP_CIPHER *EVP_rc2_40_cbc(void) +\& const EVP_CIPHER *EVP_rc2_64_cbc(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1RC2\s0 encryption algorithm for \s-1EVP.\s0 +.IP "\fIEVP_rc2_cbc()\fR, \fIEVP_rc2_cfb()\fR, \fIEVP_rc2_ecb()\fR, \fIEVP_rc2_ofb()\fR" 4 +.IX Item "EVP_rc2_cbc(), EVP_rc2_cfb(), EVP_rc2_ecb(), EVP_rc2_ofb()" +\&\s-1RC2\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. This is a +variable key length cipher with an additional parameter called \*(L"effective key +bits\*(R" or \*(L"effective key length\*(R". By default both are set to 128 bits. +.IP "\fIEVP_rc2_40_cbc()\fR, \fIEVP_rc2_64_cbc()\fR" 4 +.IX Item "EVP_rc2_40_cbc(), EVP_rc2_64_cbc()" +\&\s-1RC2\s0 algorithm in \s-1CBC\s0 mode with a default key length and effective key length of +40 and 64 bits. +.Sp +\&\s-1WARNING:\s0 these functions are obsolete. Their usage should be replaced with the +\&\fIEVP_rc2_cbc()\fR, \fIEVP_CIPHER_CTX_set_key_length()\fR and \fIEVP_CIPHER_CTX_ctrl()\fR +functions to set the key length and effective key length. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_rc4.3 b/secure/lib/libcrypto/man/EVP_rc4.3 new file mode 100644 index 000000000000..733982c50b4f --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_rc4.3 @@ -0,0 +1,185 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_RC4 3" +.TH EVP_RC4 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_rc4, EVP_rc4_40, EVP_rc4_hmac_md5 \&\- EVP RC4 stream cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_rc4(void) +\& const EVP_CIPHER *EVP_rc4_40(void) +\& const EVP_CIPHER *EVP_rc4_hmac_md5(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1RC4\s0 stream cipher for \s-1EVP.\s0 +.IP "\fIEVP_rc4()\fR" 4 +.IX Item "EVP_rc4()" +\&\s-1RC4\s0 stream cipher. This is a variable key length cipher with a default key +length of 128 bits. +.IP "\fIEVP_rc4_40()\fR" 4 +.IX Item "EVP_rc4_40()" +\&\s-1RC4\s0 stream cipher with 40 bit key length. +.Sp +\&\s-1WARNING:\s0 this function is obsolete. Its usage should be replaced with the +\&\fIEVP_rc4()\fR and the \fIEVP_CIPHER_CTX_set_key_length()\fR functions. +.IP "\fIEVP_rc4_hmac_md5()\fR" 4 +.IX Item "EVP_rc4_hmac_md5()" +Authenticated encryption with the \s-1RC4\s0 stream cipher with \s-1MD5\s0 as \s-1HMAC.\s0 +.Sp +\&\s-1WARNING:\s0 this is not intended for usage outside of \s-1TLS\s0 and requires calling of +some undocumented ctrl functions. These ciphers do not conform to the \s-1EVP AEAD\s0 +interface. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_rc5_32_12_16_cbc.3 b/secure/lib/libcrypto/man/EVP_rc5_32_12_16_cbc.3 new file mode 100644 index 000000000000..47b103be323a --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_rc5_32_12_16_cbc.3 @@ -0,0 +1,178 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_RC5_32_12_16_CBC 3" +.TH EVP_RC5_32_12_16_CBC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_rc5_32_12_16_cbc, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_ofb \&\- EVP RC5 cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_rc5_32_12_16_cbc(void) +\& const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void) +\& const EVP_CIPHER *EVP_rc5_32_12_16_ecb(void) +\& const EVP_CIPHER *EVP_rc5_32_12_16_ofb(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1RC5\s0 encryption algorithm for \s-1EVP.\s0 +.IP "\fIEVP_rc5_32_12_16_cbc()\fR, \fIEVP_rc5_32_12_16_cfb()\fR, \fIEVP_rc5_32_12_16_ecb()\fR, \fIEVP_rc5_32_12_16_ofb()\fR" 4 +.IX Item "EVP_rc5_32_12_16_cbc(), EVP_rc5_32_12_16_cfb(), EVP_rc5_32_12_16_ecb(), EVP_rc5_32_12_16_ofb()" +\&\s-1RC5\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. This is a +variable key length cipher with an additional \*(L"number of rounds\*(R" parameter. By +default the key length is set to 128 bits and 12 rounds. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "BUGS" +.IX Header "BUGS" +Currently the number of rounds in \s-1RC5\s0 can only be set to 8, 12 or 16. +This is a limitation of the current \s-1RC5\s0 code rather than the \s-1EVP\s0 interface. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_ripemd160.3 b/secure/lib/libcrypto/man/EVP_ripemd160.3 new file mode 100644 index 000000000000..ad936f5a4eb6 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_ripemd160.3 @@ -0,0 +1,172 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_RIPEMD160 3" +.TH EVP_RIPEMD160 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_ripemd160 \&\- RIPEMD160 For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_ripemd160(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1RIPEMD\-160\s0 is a cryptographic hash function first published in 1996 belonging +to the \s-1RIPEMD\s0 family (\s-1RACE\s0 Integrity Primitives Evaluation Message Digest). +.IP "\fIEVP_ripemd160()\fR" 4 +.IX Item "EVP_ripemd160()" +The \s-1RIPEMD\-160\s0 algorithm which produces a 160\-bit output from a given input. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1ISO/IEC 10118\-3:2016\s0 Dedicated Hash-Function 1 (\s-1RIPEMD\-160\s0). +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_seed_cbc.3 b/secure/lib/libcrypto/man/EVP_seed_cbc.3 new file mode 100644 index 000000000000..9ecf5e424811 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_seed_cbc.3 @@ -0,0 +1,174 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_SEED_CBC 3" +.TH EVP_SEED_CBC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_seed_cbc, EVP_seed_cfb, EVP_seed_ecb, EVP_seed_ofb \&\- EVP SEED cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_seed_cbc(void) +\& const EVP_CIPHER *EVP_seed_cfb(void) +\& const EVP_CIPHER *EVP_seed_ecb(void) +\& const EVP_CIPHER *EVP_seed_ofb(void) +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1SEED\s0 encryption algorithm for \s-1EVP.\s0 +.PP +All modes below use a key length of 128 bits and acts on blocks of 128\-bits. +.IP "\fIEVP_seed_cbc()\fR, \fIEVP_seed_cfb()\fR, \fIEVP_seed_ecb()\fR, \fIEVP_seed_ofb()\fR" 4 +.IX Item "EVP_seed_cbc(), EVP_seed_cfb(), EVP_seed_ecb(), EVP_seed_ofb()" +The \s-1SEED\s0 encryption algorithm in \s-1CBC, CFB, ECB\s0 and \s-1OFB\s0 modes respectively. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return an \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_sha1.3 b/secure/lib/libcrypto/man/EVP_sha1.3 new file mode 100644 index 000000000000..8b5dbd5544cb --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_sha1.3 @@ -0,0 +1,173 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_SHA1 3" +.TH EVP_SHA1 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_sha1 \&\- SHA\-1 For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_sha1(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1SHA\-1\s0 (Secure Hash Algorithm 1) is a cryptographic hash function standardized +in \s-1NIST FIPS 180\-4.\s0 The algorithm was designed by the United States National +Security Agency and initially published in 1995. +.IP "\fIEVP_sha1()\fR" 4 +.IX Item "EVP_sha1()" +The \s-1SHA\-1\s0 algorithm which produces a 160\-bit output from a given input. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1NIST FIPS 180\-4.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_sha224.3 b/secure/lib/libcrypto/man/EVP_sha224.3 new file mode 100644 index 000000000000..bc0cd633a711 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_sha224.3 @@ -0,0 +1,183 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_SHA224 3" +.TH EVP_SHA224 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_sha224, EVP_sha256, EVP_sha512_224, EVP_sha512_256, EVP_sha384, EVP_sha512 \&\- SHA\-2 For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_sha224(void); +\& const EVP_MD *EVP_sha256(void); +\& const EVP_MD *EVP_sha512_224(void); +\& const EVP_MD *EVP_sha512_256(void); +\& const EVP_MD *EVP_sha384(void); +\& const EVP_MD *EVP_sha512(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1SHA\-2\s0 (Secure Hash Algorithm 2) is a family of cryptographic hash functions +standardized in \s-1NIST FIPS 180\-4,\s0 first published in 2001. +.IP "\fIEVP_sha224()\fR, \fIEVP_sha256()\fR, EVP_sha512_224, EVP_sha512_256, \fIEVP_sha384()\fR, \fIEVP_sha512()\fR" 4 +.IX Item "EVP_sha224(), EVP_sha256(), EVP_sha512_224, EVP_sha512_256, EVP_sha384(), EVP_sha512()" +The \s-1SHA\-2 SHA\-224, SHA\-256, SHA\-512/224, SHA512/256, SHA\-384\s0 and \s-1SHA\-512\s0 +algorithms, which generate 224, 256, 224, 256, 384 and 512 bits +respectively of output from a given input. +.Sp +The two algorithms: \s-1SHA\-512/224\s0 and \s-1SHA512/256\s0 are truncated forms of the +\&\s-1SHA\-512\s0 algorithm. They are distinct from \s-1SHA\-224\s0 and \s-1SHA\-256\s0 even though +their outputs are of the same size. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1NIST FIPS 180\-4.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_sha3_224.3 b/secure/lib/libcrypto/man/EVP_sha3_224.3 new file mode 100644 index 000000000000..f06aeb33ec86 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_sha3_224.3 @@ -0,0 +1,188 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_SHA3_224 3" +.TH EVP_SHA3_224 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_sha3_224, EVP_sha3_256, EVP_sha3_384, EVP_sha3_512, EVP_shake128, EVP_shake256 \&\- SHA\-3 For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_sha3_224(void); +\& const EVP_MD *EVP_sha3_256(void); +\& const EVP_MD *EVP_sha3_384(void); +\& const EVP_MD *EVP_sha3_512(void); +\& +\& const EVP_MD *EVP_shake128(void); +\& const EVP_MD *EVP_shake256(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1SHA\-3\s0 (Secure Hash Algorithm 3) is a family of cryptographic hash functions +standardized in \s-1NIST FIPS 202,\s0 first published in 2015. It is based on the +Keccak algorithm. +.IP "\fIEVP_sha3_224()\fR, \fIEVP_sha3_256()\fR, \fIEVP_sha3_384()\fR, \fIEVP_sha3_512()\fR" 4 +.IX Item "EVP_sha3_224(), EVP_sha3_256(), EVP_sha3_384(), EVP_sha3_512()" +The \s-1SHA\-3 SHA\-3\-224, SHA\-3\-256, SHA\-3\-384,\s0 and \s-1SHA\-3\-512\s0 algorithms +respectively. They produce 224, 256, 384 and 512 bits of output from a given +input. +.IP "\fIEVP_shake128()\fR, \fIEVP_shake256()\fR" 4 +.IX Item "EVP_shake128(), EVP_shake256()" +The \s-1SHAKE\-128\s0 and \s-1SHAKE\-256\s0 Extendable Output Functions (\s-1XOF\s0) that can generate +a variable hash length. +.Sp +Specifically, \fBEVP_shake128\fR provides an overall security of 128 bits, while +\&\fBEVP_shake256\fR provides that of 256 bits. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1NIST FIPS 202.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_sm3.3 b/secure/lib/libcrypto/man/EVP_sm3.3 new file mode 100644 index 000000000000..de51a7ee3cea --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_sm3.3 @@ -0,0 +1,173 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_SM3 3" +.TH EVP_SM3 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_sm3 \&\- SM3 for EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_sm3(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1SM3\s0 is a cryptographic hash function with a 256\-bit output, defined in \s-1GB/T +32905\-2016.\s0 +.IP "\fIEVP_sm3()\fR" 4 +.IX Item "EVP_sm3()" +The \s-1SM3\s0 hash function. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1GB/T 32905\-2016\s0 and \s-1GM/T 0004\-2012.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017 Ribose Inc. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_sm4_cbc.3 b/secure/lib/libcrypto/man/EVP_sm4_cbc.3 new file mode 100644 index 000000000000..c229751c2567 --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_sm4_cbc.3 @@ -0,0 +1,177 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_SM4_CBC 3" +.TH EVP_SM4_CBC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_sm4_cbc, EVP_sm4_ecb, EVP_sm4_cfb, EVP_sm4_ofb, EVP_sm4_ctr \&\- EVP SM4 cipher +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_CIPHER *EVP_sm4_cbc(void); +\& const EVP_CIPHER *EVP_sm4_ecb(void); +\& const EVP_CIPHER *EVP_sm4_cfb(void); +\& const EVP_CIPHER *EVP_sm4_ofb(void); +\& const EVP_CIPHER *EVP_sm4_ctr(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1SM4\s0 blockcipher (\s-1GB/T 32907\-2016\s0) for \s-1EVP.\s0 +.PP +All modes below use a key length of 128 bits and acts on blocks of 128 bits. +.IP "\fIEVP_sm4_cbc()\fR, \fIEVP_sm4_ecb()\fR, \fIEVP_sm4_cfb()\fR, \fIEVP_sm4_ofb()\fR, \fIEVP_sm4_ctr()\fR" 4 +.IX Item "EVP_sm4_cbc(), EVP_sm4_ecb(), EVP_sm4_cfb(), EVP_sm4_ofb(), EVP_sm4_ctr()" +The \s-1SM4\s0 blockcipher with a 128\-bit key in \s-1CBC, ECB, CFB, OFB\s0 and \s-1CTR\s0 modes +respectively. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_CIPHER\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_CIPHER_meth_new\fR\|(3) for +details of the \fB\s-1EVP_CIPHER\s0\fR structure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_EncryptInit\fR\|(3), +\&\fIEVP_CIPHER_meth_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017 Ribose Inc. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/EVP_whirlpool.3 b/secure/lib/libcrypto/man/EVP_whirlpool.3 new file mode 100644 index 000000000000..a2252f7ae2ae --- /dev/null +++ b/secure/lib/libcrypto/man/EVP_whirlpool.3 @@ -0,0 +1,173 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "EVP_WHIRLPOOL 3" +.TH EVP_WHIRLPOOL 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +EVP_whirlpool \&\- WHIRLPOOL For EVP +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const EVP_MD *EVP_whirlpool(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1WHIRLPOOL\s0 is a cryptographic hash function standardized in \s-1ISO/IEC 10118\-3:2004\s0 +designed by Vincent Rijmen and Paulo S. L. M. Barreto. +.IP "\fIEVP_whirlpool()\fR" 4 +.IX Item "EVP_whirlpool()" +The \s-1WHIRLPOOL\s0 algorithm that produces a message digest of 512\-bits from a given +input. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return a \fB\s-1EVP_MD\s0\fR structure that contains the +implementation of the symmetric cipher. See \fIEVP_MD_meth_new\fR\|(3) for +details of the \fB\s-1EVP_MD\s0\fR structure. +.SH "CONFORMING TO" +.IX Header "CONFORMING TO" +\&\s-1ISO/IEC 10118\-3:2004.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/hmac.3 b/secure/lib/libcrypto/man/HMAC.3 similarity index 65% rename from secure/lib/libcrypto/man/hmac.3 rename to secure/lib/libcrypto/man/HMAC.3 index 22a1792c6aa6..9adae29614f4 100644 --- a/secure/lib/libcrypto/man/hmac.3 +++ b/secure/lib/libcrypto/man/HMAC.3 @@ -128,35 +128,47 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "hmac 3" -.TH hmac 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "HMAC 3" +.TH HMAC 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -HMAC, HMAC_CTX_init, HMAC_Init, HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_cleanup, -HMAC_cleanup \- HMAC message authentication code +HMAC, HMAC_CTX_new, HMAC_CTX_reset, HMAC_CTX_free, HMAC_Init, HMAC_Init_ex, HMAC_Update, HMAC_Final, HMAC_CTX_copy, HMAC_CTX_set_flags, HMAC_CTX_get_md, HMAC_size \&\- HMAC message authentication code .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& unsigned char *HMAC(const EVP_MD *evp_md, const void *key, -\& int key_len, const unsigned char *d, int n, -\& unsigned char *md, unsigned int *md_len); +\& int key_len, const unsigned char *d, int n, +\& unsigned char *md, unsigned int *md_len); \& -\& void HMAC_CTX_init(HMAC_CTX *ctx); +\& HMAC_CTX *HMAC_CTX_new(void); +\& int HMAC_CTX_reset(HMAC_CTX *ctx); \& -\& int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, -\& const EVP_MD *md); \& int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len, -\& const EVP_MD *md, ENGINE *impl); +\& const EVP_MD *md, ENGINE *impl); \& int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len); \& int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len); \& -\& void HMAC_CTX_cleanup(HMAC_CTX *ctx); -\& void HMAC_cleanup(HMAC_CTX *ctx); +\& void HMAC_CTX_free(HMAC_CTX *ctx); +\& +\& int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); +\& void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags); +\& const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx); +\& +\& size_t HMAC_size(const HMAC_CTX *e); +.Ve +.PP +Deprecated: +.PP +.Vb 4 +\& #if OPENSSL_API_COMPAT < 0x10100000L +\& int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, +\& const EVP_MD *md); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -176,63 +188,86 @@ value for \fBmd\fR to use the static array is not thread safe. .PP \&\fBevp_md\fR can be \fIEVP_sha1()\fR, \fIEVP_ripemd160()\fR etc. .PP -\&\fIHMAC_CTX_init()\fR initialises a \fB\s-1HMAC_CTX\s0\fR before first use. It must be -called. +\&\fIHMAC_CTX_new()\fR creates a new \s-1HMAC_CTX\s0 in heap memory. .PP -\&\fIHMAC_CTX_cleanup()\fR erases the key and other data from the \fB\s-1HMAC_CTX\s0\fR -and releases any associated resources. It must be called when an -\&\fB\s-1HMAC_CTX\s0\fR is no longer required. +\&\fIHMAC_CTX_reset()\fR zeroes an existing \fB\s-1HMAC_CTX\s0\fR and associated +resources, making it suitable for new computations as if it was newly +created with \fIHMAC_CTX_new()\fR. .PP -\&\fIHMAC_cleanup()\fR is an alias for \fIHMAC_CTX_cleanup()\fR included for back -compatibility with 0.9.6b, it is deprecated. +\&\fIHMAC_CTX_free()\fR erases the key and other data from the \fB\s-1HMAC_CTX\s0\fR, +releases any associated resources and finally frees the \fB\s-1HMAC_CTX\s0\fR +itself. .PP The following functions may be used if the message is not completely stored in memory: .PP +\&\fIHMAC_Init_ex()\fR initializes or reuses a \fB\s-1HMAC_CTX\s0\fR structure to use the hash +function \fBevp_md\fR and key \fBkey\fR. If both are \s-1NULL,\s0 or if \fBkey\fR is \s-1NULL\s0 +and \fBevp_md\fR is the same as the previous call, then the +existing key is +reused. \fBctx\fR must have been created with \fIHMAC_CTX_new()\fR before the first use +of an \fB\s-1HMAC_CTX\s0\fR in this function. +.PP +If \fIHMAC_Init_ex()\fR is called with \fBkey\fR \s-1NULL\s0 and \fBevp_md\fR is not the +same as the previous digest used by \fBctx\fR then an error is returned +because reuse of an existing key with a different digest is not supported. +.PP \&\fIHMAC_Init()\fR initializes a \fB\s-1HMAC_CTX\s0\fR structure to use the hash function \fBevp_md\fR and the key \fBkey\fR which is \fBkey_len\fR bytes -long. It is deprecated and only included for backward compatibility -with OpenSSL 0.9.6b. -.PP -\&\fIHMAC_Init_ex()\fR initializes or reuses a \fB\s-1HMAC_CTX\s0\fR structure to use the hash -function \fBevp_md\fR and key \fBkey\fR. If both are \s-1NULL\s0 (or \fBevp_md\fR is the same -as the previous digest used by \fBctx\fR and \fBkey\fR is \s-1NULL\s0) the existing key is -reused. \fBctx\fR must have been created with \fIHMAC_CTX_new()\fR before the first use -of an \fB\s-1HMAC_CTX\s0\fR in this function. \fBN.B. \f(BIHMAC_Init()\fB had this undocumented -behaviour in previous versions of OpenSSL \- failure to switch to \f(BIHMAC_Init_ex()\fB -in programs that expect it will cause them to stop working\fR. -.PP -\&\fB\s-1NB:\s0 if \f(BIHMAC_Init_ex()\fB is called with \fBkey\fB \s-1NULL\s0 and \fBevp_md\fB is not the -same as the previous digest used by \fBctx\fB then an error is returned -because reuse of an existing key with a different digest is not supported.\fR +long. .PP \&\fIHMAC_Update()\fR can be called repeatedly with chunks of the message to be authenticated (\fBlen\fR bytes at \fBdata\fR). .PP \&\fIHMAC_Final()\fR places the message authentication code in \fBmd\fR, which must have space for the hash function output. +.PP +\&\fIHMAC_CTX_copy()\fR copies all of the internal state from \fBsctx\fR into \fBdctx\fR. +.PP +\&\fIHMAC_CTX_set_flags()\fR applies the specified flags to the internal EVP_MD_CTXs. +These flags have the same meaning as for \fIEVP_MD_CTX_set_flags\fR\|(3). +.PP +\&\fIHMAC_CTX_get_md()\fR returns the \s-1EVP_MD\s0 that has previously been set for the +supplied \s-1HMAC_CTX.\s0 +.PP +\&\fIHMAC_size()\fR returns the length in bytes of the underlying hash function output. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\s-1\fIHMAC\s0()\fR returns a pointer to the message authentication code or \s-1NULL\s0 if an error occurred. .PP -\&\fIHMAC_Init_ex()\fR, \fIHMAC_Update()\fR and \fIHMAC_Final()\fR return 1 for success or 0 if -an error occurred. +\&\fIHMAC_CTX_new()\fR returns a pointer to a new \fB\s-1HMAC_CTX\s0\fR on success or +\&\fB\s-1NULL\s0\fR if an error occurred. .PP -\&\fIHMAC_CTX_init()\fR and \fIHMAC_CTX_cleanup()\fR do not return values. +\&\fIHMAC_CTX_reset()\fR, \fIHMAC_Init_ex()\fR, \fIHMAC_Update()\fR, \fIHMAC_Final()\fR and +\&\fIHMAC_CTX_copy()\fR return 1 for success or 0 if an error occurred. +.PP +\&\fIHMAC_CTX_get_md()\fR return the \s-1EVP_MD\s0 previously set for the supplied \s-1HMAC_CTX\s0 or +\&\s-1NULL\s0 if no \s-1EVP_MD\s0 has been set. +.PP +\&\fIHMAC_size()\fR returns the length in bytes of the underlying hash function output +or zero on error. .SH "CONFORMING TO" .IX Header "CONFORMING TO" \&\s-1RFC 2104\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIsha\fR\|(3), \fIevp\fR\|(3) +\&\s-1\fISHA1\s0\fR\|(3), \fIevp\fR\|(7) .SH "HISTORY" .IX Header "HISTORY" -\&\s-1\fIHMAC\s0()\fR, \fIHMAC_Init()\fR, \fIHMAC_Update()\fR, \fIHMAC_Final()\fR and \fIHMAC_cleanup()\fR -are available since SSLeay 0.9.0. +\&\fIHMAC_CTX_init()\fR was replaced with \fIHMAC_CTX_reset()\fR in OpenSSL 1.1.0. .PP -\&\fIHMAC_CTX_init()\fR, \fIHMAC_Init_ex()\fR and \fIHMAC_CTX_cleanup()\fR are available -since OpenSSL 0.9.7. +\&\fIHMAC_CTX_cleanup()\fR existed in OpenSSL before version 1.1.0. +.PP +\&\fIHMAC_CTX_new()\fR, \fIHMAC_CTX_free()\fR and \fIHMAC_CTX_get_md()\fR are new in OpenSSL 1.1.0. .PP \&\fIHMAC_Init_ex()\fR, \fIHMAC_Update()\fR and \fIHMAC_Final()\fR did not return values in -versions of OpenSSL before 1.0.0. +OpenSSL before version 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/md5.3 b/secure/lib/libcrypto/man/MD5.3 similarity index 84% rename from secure/lib/libcrypto/man/md5.3 rename to secure/lib/libcrypto/man/MD5.3 index 20d9f408889e..7631af9ffc5f 100644 --- a/secure/lib/libcrypto/man/md5.3 +++ b/secure/lib/libcrypto/man/MD5.3 @@ -128,48 +128,41 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "md5 3" -.TH md5 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "MD5 3" +.TH MD5 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -MD2, MD4, MD5, MD2_Init, MD2_Update, MD2_Final, MD4_Init, MD4_Update, -MD4_Final, MD5_Init, MD5_Update, MD5_Final \- MD2, MD4, and MD5 hash functions +MD2, MD4, MD5, MD2_Init, MD2_Update, MD2_Final, MD4_Init, MD4_Update, MD4_Final, MD5_Init, MD5_Update, MD5_Final \- MD2, MD4, and MD5 hash functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& unsigned char *MD2(const unsigned char *d, unsigned long n, -\& unsigned char *md); +\& unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md); \& \& int MD2_Init(MD2_CTX *c); -\& int MD2_Update(MD2_CTX *c, const unsigned char *data, -\& unsigned long len); +\& int MD2_Update(MD2_CTX *c, const unsigned char *data, unsigned long len); \& int MD2_Final(unsigned char *md, MD2_CTX *c); \& \& \& #include \& -\& unsigned char *MD4(const unsigned char *d, unsigned long n, -\& unsigned char *md); +\& unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md); \& \& int MD4_Init(MD4_CTX *c); -\& int MD4_Update(MD4_CTX *c, const void *data, -\& unsigned long len); +\& int MD4_Update(MD4_CTX *c, const void *data, unsigned long len); \& int MD4_Final(unsigned char *md, MD4_CTX *c); \& \& \& #include \& -\& unsigned char *MD5(const unsigned char *d, unsigned long n, -\& unsigned char *md); +\& unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md); \& \& int MD5_Init(MD5_CTX *c); -\& int MD5_Update(MD5_CTX *c, const void *data, -\& unsigned long len); +\& int MD5_Update(MD5_CTX *c, const void *data, unsigned long len); \& int MD5_Final(unsigned char *md, MD5_CTX *c); .Ve .SH "DESCRIPTION" @@ -216,12 +209,12 @@ success, 0 otherwise. \&\s-1RFC 1319, RFC 1320, RFC 1321\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIsha\fR\|(3), \fIripemd\fR\|(3), \fIEVP_DigestInit\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1\fIMD2\s0()\fR, \fIMD2_Init()\fR, \fIMD2_Update()\fR \fIMD2_Final()\fR, \s-1\fIMD5\s0()\fR, \fIMD5_Init()\fR, -\&\fIMD5_Update()\fR and \fIMD5_Final()\fR are available in all versions of SSLeay -and OpenSSL. +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\s-1\fIMD4\s0()\fR, \fIMD4_Init()\fR, and \fIMD4_Update()\fR are available in OpenSSL 0.9.6 and -above. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/mdc2.3 b/secure/lib/libcrypto/man/MDC2_Init.3 similarity index 89% rename from secure/lib/libcrypto/man/mdc2.3 rename to secure/lib/libcrypto/man/MDC2_Init.3 index 6f8044832ee9..119712899d7e 100644 --- a/secure/lib/libcrypto/man/mdc2.3 +++ b/secure/lib/libcrypto/man/MDC2_Init.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "mdc2 3" -.TH mdc2 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "MDC2_INIT 3" +.TH MDC2_INIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,11 +142,11 @@ MDC2, MDC2_Init, MDC2_Update, MDC2_Final \- MDC2 hash function \& #include \& \& unsigned char *MDC2(const unsigned char *d, unsigned long n, -\& unsigned char *md); +\& unsigned char *md); \& \& int MDC2_Init(MDC2_CTX *c); \& int MDC2_Update(MDC2_CTX *c, const unsigned char *data, -\& unsigned long len); +\& unsigned long len); \& int MDC2_Final(unsigned char *md, MDC2_CTX *c); .Ve .SH "DESCRIPTION" @@ -181,11 +181,15 @@ hash functions directly. \&\fIMDC2_Init()\fR, \fIMDC2_Update()\fR and \fIMDC2_Final()\fR return 1 for success, 0 otherwise. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -\&\s-1ISO/IEC 10118\-2,\s0 with \s-1DES\s0 +\&\s-1ISO/IEC 10118\-2:2000\s0 Hash-Function 2, with \s-1DES\s0 as the underlying block cipher. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIsha\fR\|(3), \fIEVP_DigestInit\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1\fIMDC2\s0()\fR, \fIMDC2_Init()\fR, \fIMDC2_Update()\fR and \fIMDC2_Final()\fR are available since -SSLeay 0.8. +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OBJ_nid2obj.3 b/secure/lib/libcrypto/man/OBJ_nid2obj.3 index e91c10fd057b..a54cae475539 100644 --- a/secure/lib/libcrypto/man/OBJ_nid2obj.3 +++ b/secure/lib/libcrypto/man/OBJ_nid2obj.3 @@ -128,24 +128,22 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "OBJ_nid2obj 3" -.TH OBJ_nid2obj 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OBJ_NID2OBJ 3" +.TH OBJ_NID2OBJ 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid, -OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup \- ASN1 object utility -functions +i2t_ASN1_OBJECT, OBJ_length, OBJ_get0_data, OBJ_nid2obj, OBJ_nid2ln, OBJ_nid2sn, OBJ_obj2nid, OBJ_txt2nid, OBJ_ln2nid, OBJ_sn2nid, OBJ_cmp, OBJ_dup, OBJ_txt2obj, OBJ_obj2txt, OBJ_create, OBJ_cleanup \&\- ASN1 object utility functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& ASN1_OBJECT * OBJ_nid2obj(int n); -\& const char * OBJ_nid2ln(int n); -\& const char * OBJ_nid2sn(int n); +\& ASN1_OBJECT *OBJ_nid2obj(int n); +\& const char *OBJ_nid2ln(int n); +\& const char *OBJ_nid2sn(int n); \& \& int OBJ_obj2nid(const ASN1_OBJECT *o); \& int OBJ_ln2nid(const char *ln); @@ -153,14 +151,26 @@ functions \& \& int OBJ_txt2nid(const char *s); \& -\& ASN1_OBJECT * OBJ_txt2obj(const char *s, int no_name); +\& ASN1_OBJECT *OBJ_txt2obj(const char *s, int no_name); \& int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name); \& -\& int OBJ_cmp(const ASN1_OBJECT *a,const ASN1_OBJECT *b); -\& ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *o); +\& int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a); \& -\& int OBJ_create(const char *oid,const char *sn,const char *ln); -\& void OBJ_cleanup(void); +\& int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b); +\& ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o); +\& +\& int OBJ_create(const char *oid, const char *sn, const char *ln); +\& +\& size_t OBJ_length(const ASN1_OBJECT *obj); +\& const unsigned char *OBJ_get0_data(const ASN1_OBJECT *obj); +.Ve +.PP +Deprecated: +.PP +.Vb 3 +\& #if OPENSSL_API_COMPAT < 0x10100000L +\& void OBJ_cleanup(void) +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -173,7 +183,7 @@ are available as defined constants. For the functions below, application code should treat all returned values \*(-- OIDs, NIDs, or names \*(-- as constants. .PP -\&\fIOBJ_nid2obj()\fR, \fIOBJ_nid2ln()\fR and \fIOBJ_nid2sn()\fR convert the \s-1NID\s0 \fBn\fR to +\&\fIOBJ_nid2obj()\fR, \fIOBJ_nid2ln()\fR and \fIOBJ_nid2sn()\fR convert the \s-1NID\s0 \fBn\fR to an \s-1ASN1_OBJECT\s0 structure, its long name and its short name respectively, or \fB\s-1NULL\s0\fR if an error occurred. .PP @@ -182,7 +192,7 @@ for the object \fBo\fR, the long name or the short name respectively or NID_undef if an error occurred. .PP \&\fIOBJ_txt2nid()\fR returns \s-1NID\s0 corresponding to text string . \fBs\fR can be -a long name, a short name or the numerical respresentation of an object. +a long name, a short name or the numerical representation of an object. .PP \&\fIOBJ_txt2obj()\fR converts the text string \fBs\fR into an \s-1ASN1_OBJECT\s0 structure. If \fBno_name\fR is 0 then long names and short names will be interpreted @@ -197,17 +207,23 @@ if the object has a long or short name then that will be used, otherwise the numerical form will be used. If \fBno_name\fR is 1 then the numerical form will always be used. .PP +\&\fIi2t_ASN1_OBJECT()\fR is the same as \fIOBJ_obj2txt()\fR with the \fBno_name\fR set to zero. +.PP \&\fIOBJ_cmp()\fR compares \fBa\fR to \fBb\fR. If the two are identical 0 is returned. .PP \&\fIOBJ_dup()\fR returns a copy of \fBo\fR. .PP -\&\fIOBJ_create()\fR adds a new object to the internal table. \fBoid\fR is the +\&\fIOBJ_create()\fR adds a new object to the internal table. \fBoid\fR is the numerical form of the object, \fBsn\fR the short name and \fBln\fR the -long name. A new \s-1NID\s0 is returned for the created object. +long name. A new \s-1NID\s0 is returned for the created object in case of +success and NID_undef in case of failure. .PP -\&\fIOBJ_cleanup()\fR cleans up OpenSSLs internal object table: this should -be called before an application exits if any new objects were added -using \fIOBJ_create()\fR. +\&\fIOBJ_length()\fR returns the size of the content octets of \fBobj\fR. +.PP +\&\fIOBJ_get0_data()\fR returns a pointer to the content octets of \fBobj\fR. +The returned pointer is an internal pointer which \fBmust not\fR be freed. +.PP +\&\fIOBJ_cleanup()\fR releases any resources allocated by creating new objects. .SH "NOTES" .IX Header "NOTES" Objects in OpenSSL can have a short name, a long name and a numerical @@ -249,27 +265,22 @@ The latter cannot be constant because it needs to be freed after use. .IX Header "EXAMPLES" Create an object for \fBcommonName\fR: .PP -.Vb 2 -\& ASN1_OBJECT *o; -\& o = OBJ_nid2obj(NID_commonName); +.Vb 1 +\& ASN1_OBJECT *o = OBJ_nid2obj(NID_commonName); .Ve .PP Check if an object is \fBcommonName\fR .PP .Vb 2 \& if (OBJ_obj2nid(obj) == NID_commonName) -\& /* Do something */ +\& /* Do something */ .Ve .PP Create a new \s-1NID\s0 and initialize an object from it: .PP .Vb 2 -\& int new_nid; -\& ASN1_OBJECT *obj; -\& -\& new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier"); -\& -\& obj = OBJ_nid2obj(new_nid); +\& int new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier"); +\& ASN1_OBJECT *obj = OBJ_nid2obj(new_nid); .Ve .PP Create a new object directly: @@ -279,7 +290,7 @@ Create a new object directly: .Ve .SH "BUGS" .IX Header "BUGS" -\&\fIOBJ_obj2txt()\fR is awkward and messy to use: it doesn't follow the +\&\fIOBJ_obj2txt()\fR is awkward and messy to use: it doesn't follow the convention of other OpenSSL functions where the buffer can be set to \fB\s-1NULL\s0\fR to determine the amount of data that should be written. Instead \fBbuf\fR must point to a valid buffer and \fBbuf_len\fR should @@ -289,8 +300,6 @@ than enough to handle any \s-1OID\s0 encountered in practice. .IX Header "RETURN VALUES" \&\fIOBJ_nid2obj()\fR returns an \fB\s-1ASN1_OBJECT\s0\fR structure or \fB\s-1NULL\s0\fR is an error occurred. -It returns a pointer to an internal table and does not -allocate memory; \fIASN1_OBJECT_free()\fR will have no effect. .PP \&\fIOBJ_nid2ln()\fR and \fIOBJ_nid2sn()\fR returns a valid string or \fB\s-1NULL\s0\fR on error. @@ -302,4 +311,13 @@ a \s-1NID\s0 or \fBNID_undef\fR on error. \&\fIERR_get_error\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\s-1TBA\s0 +\&\fIOBJ_cleanup()\fR was deprecated in OpenSSL 1.1.0 by \fIOPENSSL_init_crypto\fR\|(3) +and should not be used. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OCSP_REQUEST_new.3 b/secure/lib/libcrypto/man/OCSP_REQUEST_new.3 new file mode 100644 index 000000000000..620533683fb9 --- /dev/null +++ b/secure/lib/libcrypto/man/OCSP_REQUEST_new.3 @@ -0,0 +1,244 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OCSP_REQUEST_NEW 3" +.TH OCSP_REQUEST_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OCSP_REQUEST_new, OCSP_REQUEST_free, OCSP_request_add0_id, OCSP_request_sign, OCSP_request_add1_cert, OCSP_request_onereq_count, OCSP_request_onereq_get0 \- OCSP request functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& OCSP_REQUEST *OCSP_REQUEST_new(void); +\& void OCSP_REQUEST_free(OCSP_REQUEST *req); +\& +\& OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid); +\& +\& int OCSP_request_sign(OCSP_REQUEST *req, +\& X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, +\& STACK_OF(X509) *certs, unsigned long flags); +\& +\& int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert); +\& +\& int OCSP_request_onereq_count(OCSP_REQUEST *req); +\& OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIOCSP_REQUEST_new()\fR allocates and returns an empty \fB\s-1OCSP_REQUEST\s0\fR structure. +.PP +\&\fIOCSP_REQUEST_free()\fR frees up the request structure \fBreq\fR. +.PP +\&\fIOCSP_request_add0_id()\fR adds certificate \s-1ID\s0 \fBcid\fR to \fBreq\fR. It returns +the \fB\s-1OCSP_ONEREQ\s0\fR structure added so an application can add additional +extensions to the request. The \fBid\fR parameter \fB\s-1MUST NOT\s0\fR be freed up after +the operation. +.PP +\&\fIOCSP_request_sign()\fR signs \s-1OCSP\s0 request \fBreq\fR using certificate +\&\fBsigner\fR, private key \fBkey\fR, digest \fBdgst\fR and additional certificates +\&\fBcerts\fR. If the \fBflags\fR option \fB\s-1OCSP_NOCERTS\s0\fR is set then no certificates +will be included in the request. +.PP +\&\fIOCSP_request_add1_cert()\fR adds certificate \fBcert\fR to request \fBreq\fR. The +application is responsible for freeing up \fBcert\fR after use. +.PP +\&\fIOCSP_request_onereq_count()\fR returns the total number of \fB\s-1OCSP_ONEREQ\s0\fR +structures in \fBreq\fR. +.PP +\&\fIOCSP_request_onereq_get0()\fR returns an internal pointer to the \fB\s-1OCSP_ONEREQ\s0\fR +contained in \fBreq\fR of index \fBi\fR. The index value \fBi\fR runs from 0 to +OCSP_request_onereq_count(req) \- 1. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOCSP_REQUEST_new()\fR returns an empty \fB\s-1OCSP_REQUEST\s0\fR structure or \fB\s-1NULL\s0\fR if +an error occurred. +.PP +\&\fIOCSP_request_add0_id()\fR returns the \fB\s-1OCSP_ONEREQ\s0\fR structure containing \fBcid\fR +or \fB\s-1NULL\s0\fR if an error occurred. +.PP +\&\fIOCSP_request_sign()\fR and \fIOCSP_request_add1_cert()\fR return 1 for success and 0 +for failure. +.PP +\&\fIOCSP_request_onereq_count()\fR returns the total number of \fB\s-1OCSP_ONEREQ\s0\fR +structures in \fBreq\fR. +.PP +\&\fIOCSP_request_onereq_get0()\fR returns a pointer to an \fB\s-1OCSP_ONEREQ\s0\fR structure +or \fB\s-1NULL\s0\fR if the index value is out or range. +.SH "NOTES" +.IX Header "NOTES" +An \s-1OCSP\s0 request structure contains one or more \fB\s-1OCSP_ONEREQ\s0\fR structures +corresponding to each certificate. +.PP +\&\fIOCSP_request_onereq_count()\fR and \fIOCSP_request_onereq_get0()\fR are mainly used by +\&\s-1OCSP\s0 responders. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +Create an \fB\s-1OCSP_REQUEST\s0\fR structure for certificate \fBcert\fR with issuer +\&\fBissuer\fR: +.PP +.Vb 2 +\& OCSP_REQUEST *req; +\& OCSP_ID *cid; +\& +\& req = OCSP_REQUEST_new(); +\& if (req == NULL) +\& /* error */ +\& cid = OCSP_cert_to_id(EVP_sha1(), cert, issuer); +\& if (cid == NULL) +\& /* error */ +\& +\& if (OCSP_REQUEST_add0_id(req, cid) == NULL) +\& /* error */ +\& +\& /* Do something with req, e.g. query responder */ +\& +\& OCSP_REQUEST_free(req); +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrypto\fR\|(7), +\&\fIOCSP_cert_to_id\fR\|(3), +\&\fIOCSP_request_add1_nonce\fR\|(3), +\&\fIOCSP_resp_find_status\fR\|(3), +\&\fIOCSP_response_status\fR\|(3), +\&\fIOCSP_sendreq_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/d2i_SSL_SESSION.3 b/secure/lib/libcrypto/man/OCSP_cert_to_id.3 similarity index 55% rename from secure/lib/libssl/man/d2i_SSL_SESSION.3 rename to secure/lib/libcrypto/man/OCSP_cert_to_id.3 index c9bf415f30d2..4e4ac66e164f 100644 --- a/secure/lib/libssl/man/d2i_SSL_SESSION.3 +++ b/secure/lib/libcrypto/man/OCSP_cert_to_id.3 @@ -128,77 +128,87 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_SSL_SESSION 3" -.TH d2i_SSL_SESSION 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OCSP_CERT_TO_ID 3" +.TH OCSP_CERT_TO_ID 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_SSL_SESSION, i2d_SSL_SESSION \- convert SSL_SESSION object from/to ASN1 representation +OCSP_cert_to_id, OCSP_cert_id_new, OCSP_CERTID_free, OCSP_id_issuer_cmp, OCSP_id_cmp, OCSP_id_get0_info \- OCSP certificate ID utility functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length); -\& int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); +\& OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, +\& X509 *subject, X509 *issuer); +\& +\& OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, +\& X509_NAME *issuerName, +\& ASN1_BIT_STRING *issuerKey, +\& ASN1_INTEGER *serialNumber); +\& +\& void OCSP_CERTID_free(OCSP_CERTID *id); +\& +\& int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b); +\& int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b); +\& +\& int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, +\& ASN1_OCTET_STRING **pikeyHash, +\& ASN1_INTEGER **pserial, OCSP_CERTID *cid); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fId2i_SSL_SESSION()\fR transforms the external \s-1ASN1\s0 representation of an \s-1SSL/TLS\s0 -session, stored as binary data at location \fBpp\fR with length \fBlength\fR, into -an \s-1SSL_SESSION\s0 object. +\&\fIOCSP_cert_to_id()\fR creates and returns a new \fB\s-1OCSP_CERTID\s0\fR structure using +message digest \fBdgst\fR for certificate \fBsubject\fR with issuer \fBissuer\fR. If +\&\fBdgst\fR is \fB\s-1NULL\s0\fR then \s-1SHA1\s0 is used. .PP -\&\fIi2d_SSL_SESSION()\fR transforms the \s-1SSL_SESSION\s0 object \fBin\fR into the \s-1ASN1\s0 -representation and stores it into the memory location pointed to by \fBpp\fR. -The length of the resulting \s-1ASN1\s0 representation is returned. If \fBpp\fR is -the \s-1NULL\s0 pointer, only the length is calculated and returned. -.SH "NOTES" -.IX Header "NOTES" -The \s-1SSL_SESSION\s0 object is built from several \fImalloc()\fRed parts, it can -therefore not be moved, copied or stored directly. In order to store -session data on disk or into a database, it must be transformed into -a binary \s-1ASN1\s0 representation. +\&\fIOCSP_cert_id_new()\fR creates and returns a new \fB\s-1OCSP_CERTID\s0\fR using \fBdgst\fR and +issuer name \fBissuerName\fR, issuer key hash \fBissuerKey\fR and serial number +\&\fBserialNumber\fR. .PP -When using \fId2i_SSL_SESSION()\fR, the \s-1SSL_SESSION\s0 object is automatically -allocated. The reference count is 1, so that the session must be -explicitly removed using \fISSL_SESSION_free\fR\|(3), -unless the \s-1SSL_SESSION\s0 object is completely taken over, when being called -inside the \fIget_session_cb()\fR (see -\&\fISSL_CTX_sess_set_get_cb\fR\|(3)). +\&\fIOCSP_CERTID_free()\fR frees up \fBid\fR. .PP -\&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache -list, when being inserted into one \s-1SSL_CTX\s0 object's session cache. -One \s-1SSL_SESSION\s0 object, regardless of its reference count, must therefore -only be used with one \s-1SSL_CTX\s0 object (and the \s-1SSL\s0 objects created -from this \s-1SSL_CTX\s0 object). +\&\fIOCSP_id_cmp()\fR compares \fB\s-1OCSP_CERTID\s0\fR \fBa\fR and \fBb\fR. .PP -When using \fIi2d_SSL_SESSION()\fR, the memory location pointed to by \fBpp\fR must be -large enough to hold the binary representation of the session. There is no -known limit on the size of the created \s-1ASN1\s0 representation, so the necessary -amount of space should be obtained by first calling \fIi2d_SSL_SESSION()\fR with -\&\fBpp=NULL\fR, and obtain the size needed, then allocate the memory and -call \fIi2d_SSL_SESSION()\fR again. -Note that this will advance the value contained in \fB*pp\fR so it is necessary -to save a copy of the original allocation. -For example: - int i,j; - char *p, *temp; - i = i2d_SSL_SESSION(sess, \s-1NULL\s0); - p = temp = malloc(i); - j = i2d_SSL_SESSION(sess, &temp); - assert(i == j); - assert(p+i == temp); +\&\fIOCSP_id_issuer_cmp()\fR compares only the issuer name of \fB\s-1OCSP_CERTID\s0\fR \fBa\fR and \fBb\fR. +.PP +\&\fIOCSP_id_get0_info()\fR returns the issuer name hash, hash \s-1OID,\s0 issuer key hash and +serial number contained in \fBcid\fR. If any of the values are not required the +corresponding parameter can be set to \fB\s-1NULL\s0\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fId2i_SSL_SESSION()\fR returns a pointer to the newly allocated \s-1SSL_SESSION\s0 -object. In case of failure the NULL-pointer is returned and the error message -can be retrieved from the error stack. +\&\fIOCSP_cert_to_id()\fR and \fIOCSP_cert_id_new()\fR return either a pointer to a valid +\&\fB\s-1OCSP_CERTID\s0\fR structure or \fB\s-1NULL\s0\fR if an error occurred. .PP -\&\fIi2d_SSL_SESSION()\fR returns the size of the \s-1ASN1\s0 representation in bytes. -When the session is not valid, \fB0\fR is returned and no operation is performed. +\&\fIOCSP_id_cmp()\fR and \fIOCSP_id_issuer_cmp()\fR returns zero for a match and non-zero +otherwise. +.PP +\&\fIOCSP_CERTID_free()\fR does not return a value. +.PP +\&\fIOCSP_id_get0_info()\fR returns 1 for success and 0 for failure. +.SH "NOTES" +.IX Header "NOTES" +\&\s-1OCSP\s0 clients will typically only use \fIOCSP_cert_to_id()\fR or \fIOCSP_cert_id_new()\fR: +the other functions are used by responder applications. +.PP +The values returned by \fIOCSP_id_get0_info()\fR are internal pointers and \fB\s-1MUST +NOT\s0\fR be freed up by an application: they will be freed when the corresponding +\&\fB\s-1OCSP_CERTID\s0\fR structure is freed. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_SESSION_free\fR\|(3), -\&\fISSL_CTX_sess_set_get_cb\fR\|(3) +\&\fIcrypto\fR\|(7), +\&\fIOCSP_request_add1_nonce\fR\|(3), +\&\fIOCSP_REQUEST_new\fR\|(3), +\&\fIOCSP_resp_find_status\fR\|(3), +\&\fIOCSP_response_status\fR\|(3), +\&\fIOCSP_sendreq_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OCSP_request_add1_nonce.3 b/secure/lib/libcrypto/man/OCSP_request_add1_nonce.3 new file mode 100644 index 000000000000..9ff3a02a3a0d --- /dev/null +++ b/secure/lib/libcrypto/man/OCSP_request_add1_nonce.3 @@ -0,0 +1,211 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OCSP_REQUEST_ADD1_NONCE 3" +.TH OCSP_REQUEST_ADD1_NONCE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OCSP_request_add1_nonce, OCSP_basic_add1_nonce, OCSP_check_nonce, OCSP_copy_nonce \- OCSP nonce functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len); +\& int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len); +\& int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req); +\& int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *resp); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIOCSP_request_add1_nonce()\fR adds a nonce of value \fBval\fR and length \fBlen\fR to +\&\s-1OCSP\s0 request \fBreq\fR. If \fBval\fR is \fB\s-1NULL\s0\fR a random nonce is used. If \fBlen\fR +is zero or negative a default length will be used (currently 16 bytes). +.PP +\&\fIOCSP_basic_add1_nonce()\fR is identical to \fIOCSP_request_add1_nonce()\fR except +it adds a nonce to \s-1OCSP\s0 basic response \fBresp\fR. +.PP +\&\fIOCSP_check_nonce()\fR compares the nonce value in \fBreq\fR and \fBresp\fR. +.PP +\&\fIOCSP_copy_nonce()\fR copys any nonce value present in \fBreq\fR to \fBresp\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOCSP_request_add1_nonce()\fR and \fIOCSP_basic_add1_nonce()\fR return 1 for success +and 0 for failure. +.PP +\&\fIOCSP_copy_nonce()\fR returns 1 if a nonce was successfully copied, 2 if no nonce +was present in \fBreq\fR and 0 if an error occurred. +.PP +\&\fIOCSP_check_nonce()\fR returns the result of the nonce comparison between \fBreq\fR +and \fBresp\fR. The return value indicates the result of the comparison. If +nonces are present and equal 1 is returned. If the nonces are absent 2 is +returned. If a nonce is present in the response only 3 is returned. If nonces +are present and unequal 0 is returned. If the nonce is present in the request +only then \-1 is returned. +.SH "NOTES" +.IX Header "NOTES" +For most purposes the nonce value in a request is set to a random value so +the \fBval\fR parameter in \fIOCSP_request_add1_nonce()\fR is usually \s-1NULL.\s0 +.PP +An \s-1OCSP\s0 nonce is typically added to an \s-1OCSP\s0 request to thwart replay attacks +by checking the same nonce value appears in the response. +.PP +Some responders may include a nonce in all responses even if one is not +supplied. +.PP +Some responders cache \s-1OCSP\s0 responses and do not sign each response for +performance reasons. As a result they do not support nonces. +.PP +The return values of \fIOCSP_check_nonce()\fR can be checked to cover each case. A +positive return value effectively indicates success: nonces are both present +and match, both absent or present in the response only. A non-zero return +additionally covers the case where the nonce is present in the request only: +this will happen if the responder doesn't support nonces. A zero return value +indicates present and mismatched nonces: this should be treated as an error +condition. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrypto\fR\|(7), +\&\fIOCSP_cert_to_id\fR\|(3), +\&\fIOCSP_REQUEST_new\fR\|(3), +\&\fIOCSP_resp_find_status\fR\|(3), +\&\fIOCSP_response_status\fR\|(3), +\&\fIOCSP_sendreq_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OCSP_resp_find_status.3 b/secure/lib/libcrypto/man/OCSP_resp_find_status.3 new file mode 100644 index 000000000000..19a51f9edad2 --- /dev/null +++ b/secure/lib/libcrypto/man/OCSP_resp_find_status.3 @@ -0,0 +1,315 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OCSP_RESP_FIND_STATUS 3" +.TH OCSP_RESP_FIND_STATUS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OCSP_resp_get0_certs, OCSP_resp_get0_signer, OCSP_resp_get0_id, OCSP_resp_get1_id, OCSP_resp_get0_produced_at, OCSP_resp_get0_signature, OCSP_resp_get0_tbs_sigalg, OCSP_resp_get0_respdata, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, OCSP_single_get0_status, OCSP_check_validity, OCSP_basic_verify \&\- OCSP response utility functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status, +\& int *reason, +\& ASN1_GENERALIZEDTIME **revtime, +\& ASN1_GENERALIZEDTIME **thisupd, +\& ASN1_GENERALIZEDTIME **nextupd); +\& +\& int OCSP_resp_count(OCSP_BASICRESP *bs); +\& OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); +\& int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); +\& int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason, +\& ASN1_GENERALIZEDTIME **revtime, +\& ASN1_GENERALIZEDTIME **thisupd, +\& ASN1_GENERALIZEDTIME **nextupd); +\& +\& const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at( +\& const OCSP_BASICRESP* single); +\& +\& const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); +\& const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); +\& const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); +\& const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); +\& +\& int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, +\& STACK_OF(X509) *extra_certs); +\& +\& int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, +\& const ASN1_OCTET_STRING **pid, +\& const X509_NAME **pname); +\& int OCSP_resp_get1_id(const OCSP_BASICRESP *bs, +\& ASN1_OCTET_STRING **pid, +\& X509_NAME **pname); +\& +\& int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, +\& ASN1_GENERALIZEDTIME *nextupd, +\& long sec, long maxsec); +\& +\& int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, +\& X509_STORE *st, unsigned long flags); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIOCSP_resp_find_status()\fR searches \fBbs\fR for an \s-1OCSP\s0 response for \fBid\fR. If it is +successful the fields of the response are returned in \fB*status\fR, \fB*reason\fR, +\&\fB*revtime\fR, \fB*thisupd\fR and \fB*nextupd\fR. The \fB*status\fR value will be one of +\&\fBV_OCSP_CERTSTATUS_GOOD\fR, \fBV_OCSP_CERTSTATUS_REVOKED\fR or +\&\fBV_OCSP_CERTSTATUS_UNKNOWN\fR. The \fB*reason\fR and \fB*revtime\fR fields are only +set if the status is \fBV_OCSP_CERTSTATUS_REVOKED\fR. If set the \fB*reason\fR field +will be set to the revocation reason which will be one of +\&\fB\s-1OCSP_REVOKED_STATUS_NOSTATUS\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_UNSPECIFIED\s0\fR, +\&\fB\s-1OCSP_REVOKED_STATUS_KEYCOMPROMISE\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_CACOMPROMISE\s0\fR, +\&\fB\s-1OCSP_REVOKED_STATUS_AFFILIATIONCHANGED\s0\fR, \fB\s-1OCSP_REVOKED_STATUS_SUPERSEDED\s0\fR, +\&\fB\s-1OCSP_REVOKED_STATUS_CESSATIONOFOPERATION\s0\fR, +\&\fB\s-1OCSP_REVOKED_STATUS_CERTIFICATEHOLD\s0\fR or \fB\s-1OCSP_REVOKED_STATUS_REMOVEFROMCRL\s0\fR. +.PP +\&\fIOCSP_resp_count()\fR returns the number of \fB\s-1OCSP_SINGLERESP\s0\fR structures in \fBbs\fR. +.PP +\&\fIOCSP_resp_get0()\fR returns the \fB\s-1OCSP_SINGLERESP\s0\fR structure in \fBbs\fR +corresponding to index \fBidx\fR. Where \fBidx\fR runs from 0 to +OCSP_resp_count(bs) \- 1. +.PP +\&\fIOCSP_resp_find()\fR searches \fBbs\fR for \fBid\fR and returns the index of the first +matching entry after \fBlast\fR or starting from the beginning if \fBlast\fR is \-1. +.PP +\&\fIOCSP_single_get0_status()\fR extracts the fields of \fBsingle\fR in \fB*reason\fR, +\&\fB*revtime\fR, \fB*thisupd\fR and \fB*nextupd\fR. +.PP +\&\fIOCSP_resp_get0_produced_at()\fR extracts the \fBproducedAt\fR field from the +single response \fBbs\fR. +.PP +\&\fIOCSP_resp_get0_signature()\fR returns the signature from \fBbs\fR. +.PP +\&\fIOCSP_resp_get0_tbs_sigalg()\fR returns the \fBsignatureAlgorithm\fR from \fBbs\fR. +.PP +\&\fIOCSP_resp_get0_respdata()\fR returns the \fBtbsResponseData\fR from \fBbs\fR. +.PP +\&\fIOCSP_resp_get0_certs()\fR returns any certificates included in \fBbs\fR. +.PP +\&\fIOCSP_resp_get0_signer()\fR attempts to retrieve the certificate that directly +signed \fBbs\fR. The \s-1OCSP\s0 protocol does not require that this certificate +is included in the \fBcerts\fR field of the response, so additional certificates +can be supplied in \fBextra_certs\fR if the certificates that may have +signed the response are known via some out-of-band mechanism. +.PP +\&\fIOCSP_resp_get0_id()\fR gets the responder id of \fBbs\fR. If the responder \s-1ID\s0 is +a name then <*pname> is set to the name and \fB*pid\fR is set to \s-1NULL.\s0 If the +responder \s-1ID\s0 is by key \s-1ID\s0 then \fB*pid\fR is set to the key \s-1ID\s0 and \fB*pname\fR +is set to \s-1NULL.\s0 \fIOCSP_resp_get1_id()\fR leaves ownership of \fB*pid\fR and \fB*pname\fR +with the caller, who is responsible for freeing them. Both functions return 1 +in case of success and 0 in case of failure. If \fIOCSP_resp_get1_id()\fR returns 0, +no freeing of the results is necessary. +.PP +\&\fIOCSP_check_validity()\fR checks the validity of \fBthisupd\fR and \fBnextupd\fR values +which will be typically obtained from \fIOCSP_resp_find_status()\fR or +\&\fIOCSP_single_get0_status()\fR. If \fBsec\fR is non-zero it indicates how many seconds +leeway should be allowed in the check. If \fBmaxsec\fR is positive it indicates +the maximum age of \fBthisupd\fR in seconds. +.PP +\&\fIOCSP_basic_verify()\fR checks that the basic response message \fBbs\fR is correctly +signed and that the signer certificate can be validated. It takes \fBst\fR as +the trusted store and \fBcerts\fR as a set of untrusted intermediate certificates. +The function first tries to find the signer certificate of the response +in . It also searches the certificates the responder may have included +in \fBbs\fR unless the \fBflags\fR contain \fB\s-1OCSP_NOINTERN\s0\fR. +It fails if the signer certificate cannot be found. +Next, the function checks the signature of \fBbs\fR and fails on error +unless the \fBflags\fR contain \fB\s-1OCSP_NOSIGS\s0\fR. Then the function already returns +success if the \fBflags\fR contain \fB\s-1OCSP_NOVERIFY\s0\fR or if the signer certificate +was found in \fBcerts\fR and the \fBflags\fR contain \fB\s-1OCSP_TRUSTOTHER\s0\fR. +Otherwise the function continues by validating the signer certificate. +To this end, all certificates in \fBcert\fR and in \fBbs\fR are considered as +untrusted certificates for the construction of the validation path for the +signer certificate unless the \fB\s-1OCSP_NOCHAIN\s0\fR flag is set. After successful path +validation the function returns success if the \fB\s-1OCSP_NOCHECKS\s0\fR flag is set. +Otherwise it verifies that the signer certificate meets the \s-1OCSP\s0 issuer +criteria including potential delegation. If this does not succeed and the +\&\fBflags\fR do not contain \fB\s-1OCSP_NOEXPLICIT\s0\fR the function checks for explicit +trust for \s-1OCSP\s0 signing in the root \s-1CA\s0 certificate. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOCSP_resp_find_status()\fR returns 1 if \fBid\fR is found in \fBbs\fR and 0 otherwise. +.PP +\&\fIOCSP_resp_count()\fR returns the total number of \fB\s-1OCSP_SINGLERESP\s0\fR fields in +\&\fBbs\fR. +.PP +\&\fIOCSP_resp_get0()\fR returns a pointer to an \fB\s-1OCSP_SINGLERESP\s0\fR structure or +\&\fB\s-1NULL\s0\fR if \fBidx\fR is out of range. +.PP +\&\fIOCSP_resp_find()\fR returns the index of \fBid\fR in \fBbs\fR (which may be 0) or \-1 if +\&\fBid\fR was not found. +.PP +\&\fIOCSP_single_get0_status()\fR returns the status of \fBsingle\fR or \-1 if an error +occurred. +.PP +\&\fIOCSP_resp_get0_signer()\fR returns 1 if the signing certificate was located, +or 0 on error. +.PP +\&\fIOCSP_basic_verify()\fR returns 1 on success, 0 on error, or \-1 on fatal error such +as malloc failure. +.SH "NOTES" +.IX Header "NOTES" +Applications will typically call \fIOCSP_resp_find_status()\fR using the certificate +\&\s-1ID\s0 of interest and then check its validity using \fIOCSP_check_validity()\fR. They +can then take appropriate action based on the status of the certificate. +.PP +An \s-1OCSP\s0 response for a certificate contains \fBthisUpdate\fR and \fBnextUpdate\fR +fields. Normally the current time should be between these two values. To +account for clock skew the \fBmaxsec\fR field can be set to non-zero in +\&\fIOCSP_check_validity()\fR. Some responders do not set the \fBnextUpdate\fR field, this +would otherwise mean an ancient response would be considered valid: the +\&\fBmaxsec\fR parameter to \fIOCSP_check_validity()\fR can be used to limit the permitted +age of responses. +.PP +The values written to \fB*revtime\fR, \fB*thisupd\fR and \fB*nextupd\fR by +\&\fIOCSP_resp_find_status()\fR and \fIOCSP_single_get0_status()\fR are internal pointers +which \fB\s-1MUST NOT\s0\fR be freed up by the calling application. Any or all of these +parameters can be set to \s-1NULL\s0 if their value is not required. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrypto\fR\|(7), +\&\fIOCSP_cert_to_id\fR\|(3), +\&\fIOCSP_request_add1_nonce\fR\|(3), +\&\fIOCSP_REQUEST_new\fR\|(3), +\&\fIOCSP_response_status\fR\|(3), +\&\fIOCSP_sendreq_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OCSP_response_status.3 b/secure/lib/libcrypto/man/OCSP_response_status.3 new file mode 100644 index 000000000000..04eea9e08cc3 --- /dev/null +++ b/secure/lib/libcrypto/man/OCSP_response_status.3 @@ -0,0 +1,240 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OCSP_RESPONSE_STATUS 3" +.TH OCSP_RESPONSE_STATUS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, OCSP_RESPID_set_by_key, OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx \- OCSP response functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int OCSP_response_status(OCSP_RESPONSE *resp); +\& OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); +\& OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); +\& void OCSP_RESPONSE_free(OCSP_RESPONSE *resp); +\& +\& int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert); +\& int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert); +\& int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert); +\& +\& int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, +\& const EVP_MD *dgst, STACK_OF(X509) *certs, +\& unsigned long flags); +\& int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx, +\& STACK_OF(X509) *certs, unsigned long flags); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIOCSP_response_status()\fR returns the \s-1OCSP\s0 response status of \fBresp\fR. It returns +one of the values: \fB\s-1OCSP_RESPONSE_STATUS_SUCCESSFUL\s0\fR, +\&\fB\s-1OCSP_RESPONSE_STATUS_MALFORMEDREQUEST\s0\fR, +\&\fB\s-1OCSP_RESPONSE_STATUS_INTERNALERROR\s0\fR, \fB\s-1OCSP_RESPONSE_STATUS_TRYLATER\s0\fR +\&\fB\s-1OCSP_RESPONSE_STATUS_SIGREQUIRED\s0\fR, or \fB\s-1OCSP_RESPONSE_STATUS_UNAUTHORIZED\s0\fR. +.PP +\&\fIOCSP_response_get1_basic()\fR decodes and returns the \fB\s-1OCSP_BASICRESP\s0\fR structure +contained in \fBresp\fR. +.PP +\&\fIOCSP_response_create()\fR creates and returns an \fB\s-1OCSP_RESPONSE\s0\fR structure for +\&\fBstatus\fR and optionally including basic response \fBbs\fR. +.PP +\&\fIOCSP_RESPONSE_free()\fR frees up \s-1OCSP\s0 response \fBresp\fR. +.PP +\&\fIOCSP_RESPID_set_by_name()\fR sets the name of the \s-1OCSP_RESPID\s0 to be the same as the +subject name in the supplied X509 certificate \fBcert\fR for the \s-1OCSP\s0 responder. +.PP +\&\fIOCSP_RESPID_set_by_key()\fR sets the key of the \s-1OCSP_RESPID\s0 to be the same as the +key in the supplied X509 certificate \fBcert\fR for the \s-1OCSP\s0 responder. The key is +stored as a \s-1SHA1\s0 hash. +.PP +Note that an \s-1OCSP_RESPID\s0 can only have one of the name, or the key set. Calling +\&\fIOCSP_RESPID_set_by_name()\fR or \fIOCSP_RESPID_set_by_key()\fR will clear any existing +setting. +.PP +\&\fIOCSP_RESPID_match()\fR tests whether the \s-1OCSP_RESPID\s0 given in \fBrespid\fR matches +with the X509 certificate \fBcert\fR. +.PP +\&\fIOCSP_basic_sign()\fR signs \s-1OCSP\s0 response \fBbrsp\fR using certificate \fBsigner\fR, private key +\&\fBkey\fR, digest \fBdgst\fR and additional certificates \fBcerts\fR. If the \fBflags\fR option +\&\fB\s-1OCSP_NOCERTS\s0\fR is set then no certificates will be included in the request. If the +\&\fBflags\fR option \fB\s-1OCSP_RESPID_KEY\s0\fR is set then the responder is identified by key \s-1ID\s0 +rather than by name. \fIOCSP_basic_sign_ctx()\fR also signs \s-1OCSP\s0 response \fBbrsp\fR but +uses the parameters contained in digest context \fBctx\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOCSP_RESPONSE_status()\fR returns a status value. +.PP +\&\fIOCSP_response_get1_basic()\fR returns an \fB\s-1OCSP_BASICRESP\s0\fR structure pointer or +\&\fB\s-1NULL\s0\fR if an error occurred. +.PP +\&\fIOCSP_response_create()\fR returns an \fB\s-1OCSP_RESPONSE\s0\fR structure pointer or \fB\s-1NULL\s0\fR +if an error occurred. +.PP +\&\fIOCSP_RESPONSE_free()\fR does not return a value. +.PP +\&\fIOCSP_RESPID_set_by_name()\fR, \fIOCSP_RESPID_set_by_key()\fR, \fIOCSP_basic_sign()\fR, and +\&\fIOCSP_basic_sign_ctx()\fR return 1 on success or 0 +on failure. +.PP +\&\fIOCSP_RESPID_match()\fR returns 1 if the \s-1OCSP_RESPID\s0 and the X509 certificate match +or 0 otherwise. +.SH "NOTES" +.IX Header "NOTES" +\&\fIOCSP_response_get1_basic()\fR is only called if the status of a response is +\&\fB\s-1OCSP_RESPONSE_STATUS_SUCCESSFUL\s0\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrypto\fR\|(7) +\&\fIOCSP_cert_to_id\fR\|(3) +\&\fIOCSP_request_add1_nonce\fR\|(3) +\&\fIOCSP_REQUEST_new\fR\|(3) +\&\fIOCSP_resp_find_status\fR\|(3) +\&\fIOCSP_sendreq_new\fR\|(3) +\&\fIOCSP_RESPID_new\fR\|(3) +\&\fIOCSP_RESPID_free\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fIOCSP_RESPID_set_by_name()\fR, \fIOCSP_RESPID_set_by_key()\fR and \fIOCSP_RESPID_match()\fR +functions were added in OpenSSL 1.1.0a. +.PP +The \fIOCSP_basic_sign_ctx()\fR function was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OCSP_sendreq_new.3 b/secure/lib/libcrypto/man/OCSP_sendreq_new.3 new file mode 100644 index 000000000000..6c0f4a29a598 --- /dev/null +++ b/secure/lib/libcrypto/man/OCSP_sendreq_new.3 @@ -0,0 +1,249 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OCSP_SENDREQ_NEW 3" +.TH OCSP_SENDREQ_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OCSP_sendreq_new, OCSP_sendreq_nbio, OCSP_REQ_CTX_free, OCSP_set_max_response_length, OCSP_REQ_CTX_add1_header, OCSP_REQ_CTX_set1_req, OCSP_sendreq_bio \- OCSP responder query functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, +\& int maxline); +\& +\& int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); +\& +\& void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); +\& +\& void OCSP_set_max_response_length(OCSP_REQ_CTX *rctx, unsigned long len); +\& +\& int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, +\& const char *name, const char *value); +\& +\& int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); +\& +\& OCSP_RESPONSE *OCSP_sendreq_bio(BIO *io, const char *path, OCSP_REQUEST *req, +\& int maxline); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The function \fIOCSP_sendreq_new()\fR returns an \fB\s-1OCSP_CTX\s0\fR structure using the +responder \fBio\fR, the \s-1URL\s0 path \fBpath\fR, the \s-1OCSP\s0 request \fBreq\fR and with a +response header maximum line length of \fBmaxline\fR. If \fBmaxline\fR is zero a +default value of 4k is used. The \s-1OCSP\s0 request \fBreq\fR may be set to \fB\s-1NULL\s0\fR +and provided later if required. +.PP +\&\fIOCSP_sendreq_nbio()\fR performs non-blocking I/O on the \s-1OCSP\s0 request context +\&\fBrctx\fR. When the operation is complete it returns the response in \fB*presp\fR. +.PP +\&\fIOCSP_REQ_CTX_free()\fR frees up the \s-1OCSP\s0 context \fBrctx\fR. +.PP +\&\fIOCSP_set_max_response_length()\fR sets the maximum response length for \fBrctx\fR +to \fBlen\fR. If the response exceeds this length an error occurs. If not +set a default value of 100k is used. +.PP +\&\fIOCSP_REQ_CTX_add1_header()\fR adds header \fBname\fR with value \fBvalue\fR to the +context \fBrctx\fR. It can be called more than once to add multiple headers. +It \fB\s-1MUST\s0\fR be called before any calls to \fIOCSP_sendreq_nbio()\fR. The \fBreq\fR +parameter in the initial to \fIOCSP_sendreq_new()\fR call \s-1MUST\s0 be set to \fB\s-1NULL\s0\fR if +additional headers are set. +.PP +\&\fIOCSP_REQ_CTX_set1_req()\fR sets the \s-1OCSP\s0 request in \fBrctx\fR to \fBreq\fR. This +function should be called after any calls to \fIOCSP_REQ_CTX_add1_header()\fR. +.PP +\&\fIOCSP_sendreq_bio()\fR performs an \s-1OCSP\s0 request using the responder \fBio\fR, the \s-1URL\s0 +path \fBpath\fR, the \s-1OCSP\s0 request \fBreq\fR and with a response header maximum line +length of \fBmaxline\fR. If \fBmaxline\fR is zero a default value of 4k is used. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOCSP_sendreq_new()\fR returns a valid \fB\s-1OCSP_REQ_CTX\s0\fR structure or \fB\s-1NULL\s0\fR if +an error occurred. +.PP +\&\fIOCSP_sendreq_nbio()\fR returns \fB1\fR if the operation was completed successfully, +\&\fB\-1\fR if the operation should be retried and \fB0\fR if an error occurred. +.PP +\&\fIOCSP_REQ_CTX_add1_header()\fR and \fIOCSP_REQ_CTX_set1_req()\fR return \fB1\fR for success +and \fB0\fR for failure. +.PP +\&\fIOCSP_sendreq_bio()\fR returns the \fB\s-1OCSP_RESPONSE\s0\fR structure sent by the +responder or \fB\s-1NULL\s0\fR if an error occurred. +.PP +\&\fIOCSP_REQ_CTX_free()\fR and \fIOCSP_set_max_response_length()\fR do not return values. +.SH "NOTES" +.IX Header "NOTES" +These functions only perform a minimal \s-1HTTP\s0 query to a responder. If an +application wishes to support more advanced features it should use an +alternative more complete \s-1HTTP\s0 library. +.PP +Currently only \s-1HTTP POST\s0 queries to responders are supported. +.PP +The arguments to \fIOCSP_sendreq_new()\fR correspond to the components of the \s-1URL.\s0 +For example if the responder \s-1URL\s0 is \fBhttp://ocsp.com/ocspreq\fR the \s-1BIO\s0 +\&\fBio\fR should be connected to host \fBocsp.com\fR on port 80 and \fBpath\fR +should be set to \fB\*(L"/ocspreq\*(R"\fR +.PP +The headers added with \fIOCSP_REQ_CTX_add1_header()\fR are of the form +"\fBname\fR: \fBvalue\fR\*(L" or just \*(R"\fBname\fR" if \fBvalue\fR is \fB\s-1NULL\s0\fR. So to add +a Host header for \fBocsp.com\fR you would call: +.PP +.Vb 1 +\& OCSP_REQ_CTX_add1_header(ctx, "Host", "ocsp.com"); +.Ve +.PP +If \fIOCSP_sendreq_nbio()\fR indicates an operation should be retried the +corresponding \s-1BIO\s0 can be examined to determine which operation (read or +write) should be retried and appropriate action taken (for example a \fIselect()\fR +call on the underlying socket). +.PP +\&\fIOCSP_sendreq_bio()\fR does not support retries and so cannot handle non-blocking +I/O efficiently. It is retained for compatibility and its use in new +applications is not recommended. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIcrypto\fR\|(7), +\&\fIOCSP_cert_to_id\fR\|(3), +\&\fIOCSP_request_add1_nonce\fR\|(3), +\&\fIOCSP_REQUEST_new\fR\|(3), +\&\fIOCSP_resp_find_status\fR\|(3), +\&\fIOCSP_response_status\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_Applink.3 b/secure/lib/libcrypto/man/OPENSSL_Applink.3 index 69df9f5785b5..290f073e3d65 100644 --- a/secure/lib/libcrypto/man/OPENSSL_Applink.3 +++ b/secure/lib/libcrypto/man/OPENSSL_Applink.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "OPENSSL_Applink 3" -.TH OPENSSL_Applink 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OPENSSL_APPLINK 3" +.TH OPENSSL_APPLINK 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -149,4 +149,16 @@ Even though it appears at application side, it's essentially OpenSSL private interface. For this reason application developers are not expected to implement it, but to compile provided module with compiler of their choice and link it into the target application. -The referred module is available as /ms/applink.c. +The referred module is available as \fIapplink.c\fR, located alongside +the public header files (only on the platforms where applicable). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Not available. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_LH_COMPFUNC.3 b/secure/lib/libcrypto/man/OPENSSL_LH_COMPFUNC.3 new file mode 100644 index 000000000000..6a7afab98199 --- /dev/null +++ b/secure/lib/libcrypto/man/OPENSSL_LH_COMPFUNC.3 @@ -0,0 +1,365 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OPENSSL_LH_COMPFUNC 3" +.TH OPENSSL_LH_COMPFUNC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +LHASH, DECLARE_LHASH_OF, OPENSSL_LH_COMPFUNC, OPENSSL_LH_HASHFUNC, OPENSSL_LH_DOALL_FUNC, LHASH_DOALL_ARG_FN_TYPE, IMPLEMENT_LHASH_HASH_FN, IMPLEMENT_LHASH_COMP_FN, lh_TYPE_new, lh_TYPE_free, lh_TYPE_insert, lh_TYPE_delete, lh_TYPE_retrieve, lh_TYPE_doall, lh_TYPE_doall_arg, lh_TYPE_error \- dynamic hash table +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& DECLARE_LHASH_OF(TYPE); +\& +\& LHASH *lh_TYPE_new(OPENSSL_LH_HASHFUNC hash, OPENSSL_LH_COMPFUNC compare); +\& void lh_TYPE_free(LHASH_OF(TYPE) *table); +\& +\& TYPE *lh_TYPE_insert(LHASH_OF(TYPE) *table, TYPE *data); +\& TYPE *lh_TYPE_delete(LHASH_OF(TYPE) *table, TYPE *data); +\& TYPE *lh_retrieve(LHASH_OF(TYPE) *table, TYPE *data); +\& +\& void lh_TYPE_doall(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNC func); +\& void lh_TYPE_doall_arg(LHASH_OF(TYPE) *table, OPENSSL_LH_DOALL_FUNCARG func, +\& TYPE *arg); +\& +\& int lh_TYPE_error(LHASH_OF(TYPE) *table); +\& +\& typedef int (*OPENSSL_LH_COMPFUNC)(const void *, const void *); +\& typedef unsigned long (*OPENSSL_LH_HASHFUNC)(const void *); +\& typedef void (*OPENSSL_LH_DOALL_FUNC)(const void *); +\& typedef void (*LHASH_DOALL_ARG_FN_TYPE)(const void *, const void *); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This library implements type-checked dynamic hash tables. The hash +table entries can be arbitrary structures. Usually they consist of key +and value fields. In the description here, \fI\s-1TYPE\s0\fR is used a placeholder +for any of the OpenSSL datatypes, such as \fI\s-1SSL_SESSION\s0\fR. +.PP +\&\fIlh_TYPE_new()\fR creates a new \fB\s-1LHASH_OF\s0(\s-1TYPE\s0)\fR structure to store +arbitrary data entries, and specifies the 'hash' and 'compare' +callbacks to be used in organising the table's entries. The \fBhash\fR +callback takes a pointer to a table entry as its argument and returns +an unsigned long hash value for its key field. The hash value is +normally truncated to a power of 2, so make sure that your hash +function returns well mixed low order bits. The \fBcompare\fR callback +takes two arguments (pointers to two hash table entries), and returns +0 if their keys are equal, non-zero otherwise. +.PP +If your hash table +will contain items of some particular type and the \fBhash\fR and +\&\fBcompare\fR callbacks hash/compare these types, then the +\&\fB\s-1IMPLEMENT_LHASH_HASH_FN\s0\fR and \fB\s-1IMPLEMENT_LHASH_COMP_FN\s0\fR macros can be +used to create callback wrappers of the prototypes required by +\&\fIlh_TYPE_new()\fR as shown in this example: +.PP +.Vb 11 +\& /* +\& * Implement the hash and compare functions; "stuff" can be any word. +\& */ +\& static unsigned long stuff_hash(const TYPE *a) +\& { +\& ... +\& } +\& static int stuff_cmp(const TYPE *a, const TYPE *b) +\& { +\& ... +\& } +\& +\& /* +\& * Implement the wrapper functions. +\& */ +\& static IMPLEMENT_LHASH_HASH_FN(stuff, TYPE) +\& static IMPLEMENT_LHASH_COMP_FN(stuff, TYPE) +.Ve +.PP +If the type is going to be used in several places, the following macros +can be used in a common header file to declare the function wrappers: +.PP +.Vb 2 +\& DECLARE_LHASH_HASH_FN(stuff, TYPE) +\& DECLARE_LHASH_COMP_FN(stuff, TYPE) +.Ve +.PP +Then a hash table of \s-1TYPE\s0 objects can be created using this: +.PP +.Vb 1 +\& LHASH_OF(TYPE) *htable; +\& +\& htable = lh_TYPE_new(LHASH_HASH_FN(stuff), LHASH_COMP_FN(stuff)); +.Ve +.PP +\&\fIlh_TYPE_free()\fR frees the \fB\s-1LHASH_OF\s0(\s-1TYPE\s0)\fR structure +\&\fBtable\fR. Allocated hash table entries will not be freed; consider +using \fIlh_TYPE_doall()\fR to deallocate any remaining entries in the +hash table (see below). +.PP +\&\fIlh_TYPE_insert()\fR inserts the structure pointed to by \fBdata\fR into +\&\fBtable\fR. If there already is an entry with the same key, the old +value is replaced. Note that \fIlh_TYPE_insert()\fR stores pointers, the +data are not copied. +.PP +\&\fIlh_TYPE_delete()\fR deletes an entry from \fBtable\fR. +.PP +\&\fIlh_TYPE_retrieve()\fR looks up an entry in \fBtable\fR. Normally, \fBdata\fR +is a structure with the key field(s) set; the function will return a +pointer to a fully populated structure. +.PP +\&\fIlh_TYPE_doall()\fR will, for every entry in the hash table, call +\&\fBfunc\fR with the data item as its parameter. +For example: +.PP +.Vb 2 +\& /* Cleans up resources belonging to \*(Aqa\*(Aq (this is implemented elsewhere) */ +\& void TYPE_cleanup_doall(TYPE *a); +\& +\& /* Implement a prototype\-compatible wrapper for "TYPE_cleanup" */ +\& IMPLEMENT_LHASH_DOALL_FN(TYPE_cleanup, TYPE) +\& +\& /* Call "TYPE_cleanup" against all items in a hash table. */ +\& lh_TYPE_doall(hashtable, LHASH_DOALL_FN(TYPE_cleanup)); +\& +\& /* Then the hash table itself can be deallocated */ +\& lh_TYPE_free(hashtable); +.Ve +.PP +When doing this, be careful if you delete entries from the hash table +in your callbacks: the table may decrease in size, moving the item +that you are currently on down lower in the hash table \- this could +cause some entries to be skipped during the iteration. The second +best solution to this problem is to set hash\->down_load=0 before +you start (which will stop the hash table ever decreasing in size). +The best solution is probably to avoid deleting items from the hash +table inside a \*(L"doall\*(R" callback! +.PP +\&\fIlh_TYPE_doall_arg()\fR is the same as \fIlh_TYPE_doall()\fR except that +\&\fBfunc\fR will be called with \fBarg\fR as the second argument and \fBfunc\fR +should be of type \fB\s-1LHASH_DOALL_ARG_FN_TYPE\s0\fR (a callback prototype +that is passed both the table entry and an extra argument). As with +\&\fIlh_doall()\fR, you can instead choose to declare your callback with a +prototype matching the types you are dealing with and use the +declare/implement macros to create compatible wrappers that cast +variables before calling your type-specific callbacks. An example of +this is demonstrated here (printing all hash table entries to a \s-1BIO\s0 +that is provided by the caller): +.PP +.Vb 2 +\& /* Prints item \*(Aqa\*(Aq to \*(Aqoutput_bio\*(Aq (this is implemented elsewhere) */ +\& void TYPE_print_doall_arg(const TYPE *a, BIO *output_bio); +\& +\& /* Implement a prototype\-compatible wrapper for "TYPE_print" */ +\& static IMPLEMENT_LHASH_DOALL_ARG_FN(TYPE, const TYPE, BIO) +\& +\& /* Print out the entire hashtable to a particular BIO */ +\& lh_TYPE_doall_arg(hashtable, LHASH_DOALL_ARG_FN(TYPE_print), BIO, +\& logging_bio); +.Ve +.PP +\&\fIlh_TYPE_error()\fR can be used to determine if an error occurred in the last +operation. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIlh_TYPE_new()\fR returns \fB\s-1NULL\s0\fR on error, otherwise a pointer to the new +\&\fB\s-1LHASH\s0\fR structure. +.PP +When a hash table entry is replaced, \fIlh_TYPE_insert()\fR returns the value +being replaced. \fB\s-1NULL\s0\fR is returned on normal operation and on error. +.PP +\&\fIlh_TYPE_delete()\fR returns the entry being deleted. \fB\s-1NULL\s0\fR is returned if +there is no such value in the hash table. +.PP +\&\fIlh_TYPE_retrieve()\fR returns the hash table entry if it has been found, +\&\fB\s-1NULL\s0\fR otherwise. +.PP +\&\fIlh_TYPE_error()\fR returns 1 if an error occurred in the last operation, 0 +otherwise. It's meaningful only after non-retrieve operations. +.PP +\&\fIlh_TYPE_free()\fR, \fIlh_TYPE_doall()\fR and \fIlh_TYPE_doall_arg()\fR return no values. +.SH "NOTE" +.IX Header "NOTE" +The \s-1LHASH\s0 code is not thread safe. All updating operations, as well as +lh_TYPE_error call must be performed under a write lock. All retrieve +operations should be performed under a read lock, \fIunless\fR accurate +usage statistics are desired. In which case, a write lock should be used +for retrieve operations as well. For output of the usage statistics, +using the functions from \fIOPENSSL_LH_stats\fR\|(3), a read lock suffices. +.PP +The \s-1LHASH\s0 code regards table entries as constant data. As such, it +internally represents \fIlh_insert()\fR'd items with a \*(L"const void *\*(R" +pointer type. This is why callbacks such as those used by \fIlh_doall()\fR +and \fIlh_doall_arg()\fR declare their prototypes with \*(L"const\*(R", even for the +parameters that pass back the table items' data pointers \- for +consistency, user-provided data is \*(L"const\*(R" at all times as far as the +\&\s-1LHASH\s0 code is concerned. However, as callers are themselves providing +these pointers, they can choose whether they too should be treating +all such parameters as constant. +.PP +As an example, a hash table may be maintained by code that, for +reasons of encapsulation, has only \*(L"const\*(R" access to the data being +indexed in the hash table (ie. it is returned as \*(L"const\*(R" from +elsewhere in their code) \- in this case the \s-1LHASH\s0 prototypes are +appropriate as-is. Conversely, if the caller is responsible for the +life-time of the data in question, then they may well wish to make +modifications to table item passed back in the \fIlh_doall()\fR or +\&\fIlh_doall_arg()\fR callbacks (see the \*(L"TYPE_cleanup\*(R" example above). If +so, the caller can either cast the \*(L"const\*(R" away (if they're providing +the raw callbacks themselves) or use the macros to declare/implement +the wrapper functions without \*(L"const\*(R" types. +.PP +Callers that only have \*(L"const\*(R" access to data they're indexing in a +table, yet declare callbacks without constant types (or cast the +\&\*(L"const\*(R" away themselves), are therefore creating their own risks/bugs +without being encouraged to do so by the \s-1API.\s0 On a related note, +those auditing code should pay special attention to any instances of +DECLARE/IMPLEMENT_LHASH_DOALL_[\s-1ARG_\s0]_FN macros that provide types +without any \*(L"const\*(R" qualifiers. +.SH "BUGS" +.IX Header "BUGS" +\&\fIlh_TYPE_insert()\fR returns \fB\s-1NULL\s0\fR both for success and error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIOPENSSL_LH_stats\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +In OpenSSL 1.0.0, the lhash interface was revamped for better +type checking. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/lh_stats.3 b/secure/lib/libcrypto/man/OPENSSL_LH_stats.3 similarity index 74% rename from secure/lib/libcrypto/man/lh_stats.3 rename to secure/lib/libcrypto/man/OPENSSL_LH_stats.3 index 62dd42f62f06..046ed77c40e2 100644 --- a/secure/lib/libcrypto/man/lh_stats.3 +++ b/secure/lib/libcrypto/man/OPENSSL_LH_stats.3 @@ -128,43 +128,40 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "lh_stats 3" -.TH lh_stats 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OPENSSL_LH_STATS 3" +.TH OPENSSL_LH_STATS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -lh_stats, lh_node_stats, lh_node_usage_stats, lh_stats_bio, -lh_node_stats_bio, lh_node_usage_stats_bio \- LHASH statistics +OPENSSL_LH_stats, OPENSSL_LH_node_stats, OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, OPENSSL_LH_node_stats_bio, OPENSSL_LH_node_usage_stats_bio \- LHASH statistics .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void lh_stats(LHASH *table, FILE *out); -\& void lh_node_stats(LHASH *table, FILE *out); -\& void lh_node_usage_stats(LHASH *table, FILE *out); +\& void OPENSSL_LH_stats(LHASH *table, FILE *out); +\& void OPENSSL_LH_node_stats(LHASH *table, FILE *out); +\& void OPENSSL_LH_node_usage_stats(LHASH *table, FILE *out); \& -\& void lh_stats_bio(LHASH *table, BIO *out); -\& void lh_node_stats_bio(LHASH *table, BIO *out); -\& void lh_node_usage_stats_bio(LHASH *table, BIO *out); +\& void OPENSSL_LH_stats_bio(LHASH *table, BIO *out); +\& void OPENSSL_LH_node_stats_bio(LHASH *table, BIO *out); +\& void OPENSSL_LH_node_usage_stats_bio(LHASH *table, BIO *out); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fB\s-1LHASH\s0\fR structure records statistics about most aspects of -accessing the hash table. This is mostly a legacy of Eric Young -writing this library for the reasons of implementing what looked like -a nice algorithm rather than for a particular software product. +accessing the hash table. .PP -\&\fIlh_stats()\fR prints out statistics on the size of the hash table, how +\&\fIOPENSSL_LH_stats()\fR prints out statistics on the size of the hash table, how many entries are in it, and the number and result of calls to the routines in this library. .PP -\&\fIlh_node_stats()\fR prints the number of entries for each 'bucket' in the +\&\fIOPENSSL_LH_node_stats()\fR prints the number of entries for each 'bucket' in the hash table. .PP -\&\fIlh_node_usage_stats()\fR prints out a short summary of the state of the +\&\fIOPENSSL_LH_node_usage_stats()\fR prints out a short summary of the state of the hash table. It prints the 'load' and the 'actual load'. The load is the average number of data items per 'bucket' in the hash table. The \&'actual load' is the average number of items per 'bucket', but only @@ -173,16 +170,24 @@ average number of searches that will need to find an item in the hash table, while the 'load' is the average number that will be done to record a miss. .PP -\&\fIlh_stats_bio()\fR, \fIlh_node_stats_bio()\fR and \fIlh_node_usage_stats_bio()\fR +\&\fIOPENSSL_LH_stats_bio()\fR, \fIOPENSSL_LH_node_stats_bio()\fR and \fIOPENSSL_LH_node_usage_stats_bio()\fR are the same as the above, except that the output goes to a \fB\s-1BIO\s0\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" These functions do not return values. +.SH "NOTE" +.IX Header "NOTE" +These calls should be made under a read lock. Refer to +\&\*(L"\s-1NOTE\*(R"\s0 in \s-1\fIOPENSSL_LH_COMPFUNC\s0\fR\|(3) for more details about the locks required +when using the \s-1LHASH\s0 data structure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIbio\fR\|(3), \fIlhash\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -These functions are available in all versions of SSLeay and OpenSSL. +\&\fIbio\fR\|(7), \s-1\fIOPENSSL_LH_COMPFUNC\s0\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. .PP -This manpage is derived from the SSLeay documentation. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 b/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 index a6b7c7e0b247..15dd9bb41305 100644 --- a/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 +++ b/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 @@ -129,13 +129,13 @@ .\" ======================================================================== .\" .IX Title "OPENSSL_VERSION_NUMBER 3" -.TH OPENSSL_VERSION_NUMBER 3 "2018-08-14" "1.0.2p" "OpenSSL" +.TH OPENSSL_VERSION_NUMBER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -OPENSSL_VERSION_NUMBER, SSLeay, SSLeay_version \- get OpenSSL version number +OPENSSL_VERSION_NUMBER, OpenSSL_version, OpenSSL_version_num \- get OpenSSL version number .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 2 @@ -143,8 +143,9 @@ OPENSSL_VERSION_NUMBER, SSLeay, SSLeay_version \- get OpenSSL version number \& #define OPENSSL_VERSION_NUMBER 0xnnnnnnnnnL \& \& #include -\& long SSLeay(void); -\& const char *SSLeay_version(int t); +\& +\& unsigned long OpenSSL_version_num(); +\& const char *OpenSSL_version(int t); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -184,44 +185,49 @@ Version 0.9.5a had an interim interpretation that is like the current one, except the patch level got the highest bit set, to keep continuity. The number was therefore 0x0090581f. .PP -For backward compatibility, \s-1SSLEAY_VERSION_NUMBER\s0 is also defined. +\&\fIOpenSSL_version_num()\fR returns the version number. .PP -\&\fISSLeay()\fR returns this number. The return value can be compared to the -macro to make sure that the correct version of the library has been -loaded, especially when using DLLs on Windows systems. -.PP -\&\fISSLeay_version()\fR returns different strings depending on \fBt\fR: -.IP "\s-1SSLEAY_VERSION\s0" 4 -.IX Item "SSLEAY_VERSION" +\&\fIOpenSSL_version()\fR returns different strings depending on \fBt\fR: +.IP "\s-1OPENSSL_VERSION\s0" 4 +.IX Item "OPENSSL_VERSION" The text variant of the version number and the release date. For example, -\&\*(L"OpenSSL 0.9.5a 1 Apr 2000\*(R". -.IP "\s-1SSLEAY_CFLAGS\s0" 4 -.IX Item "SSLEAY_CFLAGS" +\&\*(L"OpenSSL 1.0.1a 15 Oct 2015\*(R". +.IP "\s-1OPENSSL_CFLAGS\s0" 4 +.IX Item "OPENSSL_CFLAGS" The compiler flags set for the compilation process in the form \&\*(L"compiler: ...\*(R" if available or \*(L"compiler: information not available\*(R" otherwise. -.IP "\s-1SSLEAY_BUILT_ON\s0" 4 -.IX Item "SSLEAY_BUILT_ON" +.IP "\s-1OPENSSL_BUILT_ON\s0" 4 +.IX Item "OPENSSL_BUILT_ON" The date of the build process in the form \*(L"built on: ...\*(R" if available or \*(L"built on: date not available\*(R" otherwise. -.IP "\s-1SSLEAY_PLATFORM\s0" 4 -.IX Item "SSLEAY_PLATFORM" +.IP "\s-1OPENSSL_PLATFORM\s0" 4 +.IX Item "OPENSSL_PLATFORM" The \*(L"Configure\*(R" target of the library build in the form \*(L"platform: ...\*(R" if available or \*(L"platform: information not available\*(R" otherwise. -.IP "\s-1SSLEAY_DIR\s0" 4 -.IX Item "SSLEAY_DIR" +.IP "\s-1OPENSSL_DIR\s0" 4 +.IX Item "OPENSSL_DIR" The \*(L"\s-1OPENSSLDIR\*(R"\s0 setting of the library build in the form \*(L"\s-1OPENSSLDIR: \*(R"..."\*(L"\s0 if available or \*(R"\s-1OPENSSLDIR: N/A"\s0 otherwise. +.IP "\s-1OPENSSL_ENGINES_DIR\s0" 4 +.IX Item "OPENSSL_ENGINES_DIR" +The \*(L"\s-1ENGINESDIR\*(R"\s0 setting of the library build in the form \*(L"\s-1ENGINESDIR: \*(R"..."\*(L"\s0 +if available or \*(R"\s-1ENGINESDIR: N/A"\s0 otherwise. .PP For an unknown \fBt\fR, the text \*(L"not available\*(R" is returned. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" -The version number. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOpenSSL_version_num()\fR returns the version number. +.PP +\&\fIOpenSSL_version()\fR returns requested version strings. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fISSLeay()\fR and \s-1SSLEAY_VERSION_NUMBER\s0 are available in all versions of SSLeay and OpenSSL. -\&\s-1OPENSSL_VERSION_NUMBER\s0 is available in all versions of OpenSSL. -\&\fB\s-1SSLEAY_DIR\s0\fR was added in OpenSSL 0.9.7. +\&\fIcrypto\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_config.3 b/secure/lib/libcrypto/man/OPENSSL_config.3 index 7d7fab2e6264..1e204d2513ee 100644 --- a/secure/lib/libcrypto/man/OPENSSL_config.3 +++ b/secure/lib/libcrypto/man/OPENSSL_config.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "OPENSSL_config 3" -.TH OPENSSL_config 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OPENSSL_CONFIG 3" +.TH OPENSSL_CONFIG 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,8 +141,10 @@ OPENSSL_config, OPENSSL_no_config \- simple OpenSSL configuration functions .Vb 1 \& #include \& +\& #if OPENSSL_API_COMPAT < 0x10100000L \& void OPENSSL_config(const char *appname); \& void OPENSSL_no_config(void); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -154,6 +156,10 @@ Multiple calls have no effect. .PP \&\fIOPENSSL_no_config()\fR disables configuration. If called before \fIOPENSSL_config()\fR no configuration takes place. +.PP +If the application is built with \fB\s-1OPENSSL_LOAD_CONF\s0\fR defined, then a +call to \fIOpenSSL_add_all_algorithms()\fR will implicitly call \fIOPENSSL_config()\fR +first. .SH "NOTES" .IX Header "NOTES" The \fIOPENSSL_config()\fR function is designed to be a very simple \*(L"call it and @@ -166,25 +172,35 @@ Applications should instead call \fICONF_modules_load()\fR during initialization (that is before starting any threads). .PP There are several reasons why calling the OpenSSL configuration routines is -advisable. For example new \s-1ENGINE\s0 functionality was added to OpenSSL 0.9.7. -In OpenSSL 0.9.7 control functions can be supported by ENGINEs, this can be -used (among other things) to load dynamic ENGINEs from shared libraries (DSOs). +advisable. For example, to load dynamic ENGINEs from shared libraries (DSOs). However very few applications currently support the control interface and so very few can load and use dynamic ENGINEs. Equally in future more sophisticated ENGINEs will require certain control operations to customize them. If an application calls \fIOPENSSL_config()\fR it doesn't need to know or care about \&\s-1ENGINE\s0 control operations because they can be performed by editing a configuration file. -.PP -Applications should free up configuration at application closedown by calling -\&\fICONF_modules_free()\fR. +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +.IP "\fB\s-1OPENSSL_CONF\s0\fR" 4 +.IX Item "OPENSSL_CONF" +The path to the config file. +Ignored in set-user-ID and set-group-ID programs. .SH "RETURN VALUES" .IX Header "RETURN VALUES" Neither \fIOPENSSL_config()\fR nor \fIOPENSSL_no_config()\fR return a value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIconf\fR\|(5), \fICONF_load_modules_file\fR\|(3), -\&\fICONF_modules_free\fR\|(3) +\&\fIconfig\fR\|(5), +\&\fICONF_modules_load_file\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIOPENSSL_config()\fR and \fIOPENSSL_no_config()\fR first appeared in OpenSSL 0.9.7 +The \fIOPENSSL_no_config()\fR and \fIOPENSSL_config()\fR functions were +deprecated in OpenSSL 1.1.0 by \fIOPENSSL_init_crypto()\fR. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_fork_prepare.3 b/secure/lib/libcrypto/man/OPENSSL_fork_prepare.3 new file mode 100644 index 000000000000..0394250a3492 --- /dev/null +++ b/secure/lib/libcrypto/man/OPENSSL_fork_prepare.3 @@ -0,0 +1,187 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OPENSSL_FORK_PREPARE 3" +.TH OPENSSL_FORK_PREPARE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OPENSSL_fork_prepare, OPENSSL_fork_parent, OPENSSL_fork_child \&\- OpenSSL fork handlers +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void OPENSSL_fork_prepare(void); +\& void OPENSSL_fork_parent(void); +\& void OPENSSL_fork_child(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +OpenSSL has state that should be reset when a process forks. For example, +the entropy pool used to generate random numbers (and therefore encryption +keys) should not be shared across multiple programs. +The \fIOPENSSL_fork_prepare()\fR, \fIOPENSSL_fork_parent()\fR, and \fIOPENSSL_fork_child()\fR +functions are used to reset this internal state. +.PP +Platforms without \fIfork\fR\|(2) will probably not need to use these functions. +Platforms with \fIfork\fR\|(2) but without \fIpthreads_atfork\fR\|(3) will probably need +to call them manually, as described in the following paragraph. Platforms +such as Linux that have both functions will normally not need to call these +functions as the OpenSSL library will do so automatically. +.PP +\&\fIOPENSSL_init_crypto\fR\|(3) will register these functions with the appropriate +handler, when the \fB\s-1OPENSSL_INIT_ATFORK\s0\fR flag is used. For other +applications, these functions can be called directly. They should be used +according to the calling sequence described by the \fIpthreads_atfork\fR\|(3) +documentation, which is summarized here. \fIOPENSSL_fork_prepare()\fR should +be called before a \fIfork()\fR is done. After the \fIfork()\fR returns, the parent +process should call \fIOPENSSL_fork_parent()\fR and the child process should +call \fIOPENSSL_fork_child()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOPENSSL_fork_prepare()\fR, \fIOPENSSL_fork_parent()\fR and \fIOPENSSL_fork_child()\fR do not +return values. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIOPENSSL_init_crypto\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 b/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 index 4bc97e2345bd..c39c75306be0 100644 --- a/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 +++ b/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 @@ -128,30 +128,29 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "OPENSSL_ia32cap 3" -.TH OPENSSL_ia32cap 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OPENSSL_IA32CAP 3" +.TH OPENSSL_IA32CAP 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -OPENSSL_ia32cap, OPENSSL_ia32cap_loc \- the IA\-32 processor capabilities vector +OPENSSL_ia32cap \- the x86[_64] processor capabilities vector .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 -\& unsigned long *OPENSSL_ia32cap_loc(void); -\& #define OPENSSL_ia32cap ((OPENSSL_ia32cap_loc())[0]) +.Vb 1 +\& env OPENSSL_ia32cap=... .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -Value returned by \fIOPENSSL_ia32cap_loc()\fR is address of a variable -containing \s-1IA\-32\s0 processor capabilities bit vector as it appears in -\&\s-1EDX:ECX\s0 register pair after executing \s-1CPUID\s0 instruction with EAX=1 -input value (see Intel Application Note #241618). Naturally it's -meaningful on x86 and x86_64 platforms only. The variable is normally -set up automatically upon toolkit initialization, but can be -manipulated afterwards to modify crypto library behaviour. For the -moment of this writing following bits are significant: +OpenSSL supports a range of x86[_64] instruction set extensions. These +extensions are denoted by individual bits in capability vector returned +by processor in \s-1EDX:ECX\s0 register pair after executing \s-1CPUID\s0 instruction +with EAX=1 input value (see Intel Application Note #241618). This vector +is copied to memory upon toolkit initialization and used to choose +between different code paths to provide optimal performance across wide +range of processors. For the moment of this writing following bits are +significant: .IP "bit #4 denoting presence of Time-Stamp Counter." 4 .IX Item "bit #4 denoting presence of Time-Stamp Counter." .PD 0 @@ -177,8 +176,12 @@ moment of this writing following bits are significant: .IX Item "bit #41 denoting SSSE3, Supplemental SSE3, support;" .IP "bit #43 denoting \s-1AMD XOP\s0 support (forced to zero on non-AMD CPUs);" 4 .IX Item "bit #43 denoting AMD XOP support (forced to zero on non-AMD CPUs);" +.IP "bit #54 denoting availability of \s-1MOVBE\s0 instruction;" 4 +.IX Item "bit #54 denoting availability of MOVBE instruction;" .IP "bit #57 denoting AES-NI instruction set extension;" 4 .IX Item "bit #57 denoting AES-NI instruction set extension;" +.IP "bit #58, \s-1XSAVE\s0 bit, lack of which in combination with \s-1MOVBE\s0 is used to identify Atom Silvermont core;" 4 +.IX Item "bit #58, XSAVE bit, lack of which in combination with MOVBE is used to identify Atom Silvermont core;" .IP "bit #59, \s-1OSXSAVE\s0 bit, denoting availability of \s-1YMM\s0 registers;" 4 .IX Item "bit #59, OSXSAVE bit, denoting availability of YMM registers;" .IP "bit #60 denoting \s-1AVX\s0 extension;" 4 @@ -187,36 +190,102 @@ moment of this writing following bits are significant: .IX Item "bit #62 denoting availability of RDRAND instruction;" .PD .PP -For example, clearing bit #26 at run-time disables high-performance -\&\s-1SSE2\s0 code present in the crypto library, while clearing bit #24 -disables \s-1SSE2\s0 code operating on 128\-bit \s-1XMM\s0 register bank. You might -have to do the latter if target OpenSSL application is executed on \s-1SSE2\s0 -capable \s-1CPU,\s0 but under control of \s-1OS\s0 that does not enable \s-1XMM\s0 -registers. Even though you can manipulate the value programmatically, -you most likely will find it more appropriate to set up an environment -variable with the same name prior starting target application, e.g. on -Intel P4 processor 'env OPENSSL_ia32cap=0x16980010 apps/openssl', or -better yet 'env OPENSSL_ia32cap=~0x1000000 apps/openssl' to achieve same -effect without modifying the application source code. Alternatively you -can reconfigure the toolkit with no\-sse2 option and recompile. +For example, in 32\-bit application context clearing bit #26 at run-time +disables high-performance \s-1SSE2\s0 code present in the crypto library, while +clearing bit #24 disables \s-1SSE2\s0 code operating on 128\-bit \s-1XMM\s0 register +bank. You might have to do the latter if target OpenSSL application is +executed on \s-1SSE2\s0 capable \s-1CPU,\s0 but under control of \s-1OS\s0 that does not +enable \s-1XMM\s0 registers. Historically address of the capability vector copy +was exposed to application through \fIOPENSSL_ia32cap_loc()\fR, but not +anymore. Now the only way to affect the capability detection is to set +OPENSSL_ia32cap environment variable prior target application start. To +give a specific example, on Intel P4 processor 'env +OPENSSL_ia32cap=0x16980010 apps/openssl', or better yet 'env +OPENSSL_ia32cap=~0x1000000 apps/openssl' would achieve the desired +effect. Alternatively you can reconfigure the toolkit with no\-sse2 +option and recompile. .PP -Less intuitive is clearing bit #28. The truth is that it's not copied -from \s-1CPUID\s0 output verbatim, but is adjusted to reflect whether or not -the data cache is actually shared between logical cores. This in turn -affects the decision on whether or not expensive countermeasures -against cache-timing attacks are applied, most notably in \s-1AES\s0 assembler -module. +Less intuitive is clearing bit #28, or ~0x10000000 in the \*(L"environment +variable\*(R" terms. The truth is that it's not copied from \s-1CPUID\s0 output +verbatim, but is adjusted to reflect whether or not the data cache is +actually shared between logical cores. This in turn affects the decision +on whether or not expensive countermeasures against cache-timing attacks +are applied, most notably in \s-1AES\s0 assembler module. .PP -The vector is further extended with \s-1EBX\s0 value returned by \s-1CPUID\s0 with -EAX=7 and ECX=0 as input. Following bits are significant: +The capability vector is further extended with \s-1EBX\s0 value returned by +\&\s-1CPUID\s0 with EAX=7 and ECX=0 as input. Following bits are significant: .IP "bit #64+3 denoting availability of \s-1BMI1\s0 instructions, e.g. \s-1ANDN\s0;" 4 .IX Item "bit #64+3 denoting availability of BMI1 instructions, e.g. ANDN;" .PD 0 .IP "bit #64+5 denoting availability of \s-1AVX2\s0 instructions;" 4 .IX Item "bit #64+5 denoting availability of AVX2 instructions;" -.IP "bit #64+8 denoting availability of \s-1BMI2\s0 instructions, e.g. \s-1MUXL\s0 and \s-1RORX\s0;" 4 -.IX Item "bit #64+8 denoting availability of BMI2 instructions, e.g. MUXL and RORX;" +.IP "bit #64+8 denoting availability of \s-1BMI2\s0 instructions, e.g. \s-1MULX\s0 and \s-1RORX\s0;" 4 +.IX Item "bit #64+8 denoting availability of BMI2 instructions, e.g. MULX and RORX;" +.IP "bit #64+16 denoting availability of \s-1AVX512F\s0 extension;" 4 +.IX Item "bit #64+16 denoting availability of AVX512F extension;" .IP "bit #64+18 denoting availability of \s-1RDSEED\s0 instruction;" 4 .IX Item "bit #64+18 denoting availability of RDSEED instruction;" .IP "bit #64+19 denoting availability of \s-1ADCX\s0 and \s-1ADOX\s0 instructions;" 4 .IX Item "bit #64+19 denoting availability of ADCX and ADOX instructions;" +.IP "bit #64+21 denoting availability of VPMADD52[\s-1LH\s0]UQ instructions, a.k.a. \s-1AVX512IFMA\s0 extension;" 4 +.IX Item "bit #64+21 denoting availability of VPMADD52[LH]UQ instructions, a.k.a. AVX512IFMA extension;" +.IP "bit #64+29 denoting availability of \s-1SHA\s0 extension;" 4 +.IX Item "bit #64+29 denoting availability of SHA extension;" +.IP "bit #64+30 denoting availability of \s-1AVX512BW\s0 extension;" 4 +.IX Item "bit #64+30 denoting availability of AVX512BW extension;" +.IP "bit #64+31 denoting availability of \s-1AVX512VL\s0 extension;" 4 +.IX Item "bit #64+31 denoting availability of AVX512VL extension;" +.IP "bit #64+41 denoting availability of \s-1VAES\s0 extension;" 4 +.IX Item "bit #64+41 denoting availability of VAES extension;" +.IP "bit #64+42 denoting availability of \s-1VPCLMULQDQ\s0 extension;" 4 +.IX Item "bit #64+42 denoting availability of VPCLMULQDQ extension;" +.PD +.PP +To control this extended capability word use ':' as delimiter when +setting up OPENSSL_ia32cap environment variable. For example assigning +\&':~0x20' would disable \s-1AVX2\s0 code paths, and ':0' \- all post-AVX +extensions. +.PP +It should be noted that whether or not some of the most \*(L"fancy\*(R" +extension code paths are actually assembled depends on current assembler +version. Base minimum of \s-1AES\-NI/PCLMULQDQ, SSSE3\s0 and \s-1SHA\s0 extension code +paths are always assembled. Apart from that, minimum assembler version +requirements are summarized in below table: +.PP +.Vb 8 +\& Extension | GNU as | nasm | llvm +\& \-\-\-\-\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\- +\& AVX | 2.19 | 2.09 | 3.0 +\& AVX2 | 2.22 | 2.10 | 3.1 +\& ADCX/ADOX | 2.23 | 2.10 | 3.3 +\& AVX512 | 2.25 | 2.11.8 | see NOTES +\& AVX512IFMA | 2.26 | 2.11.8 | see NOTES +\& VAES | 2.30 | 2.13.3 | +.Ve +.SH "NOTES" +.IX Header "NOTES" +Even though \s-1AVX512\s0 support was implemented in llvm 3.6, compilation of +assembly modules apparently requires explicit \-march flag. But then +compiler generates processor-specific code, which in turn contradicts +the mere idea of run-time switch execution facilitated by the variable +in question. Till the limitation is lifted, it's possible to work around +the problem by making build procedure use following script: +.PP +.Vb 2 +\& #!/bin/sh +\& exec clang \-no\-integrated\-as "$@" +.Ve +.PP +instead of real clang. In which case it doesn't matter which clang +version is used, as it is \s-1GNU\s0 assembler version that will be checked. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Not available. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_init_crypto.3 b/secure/lib/libcrypto/man/OPENSSL_init_crypto.3 new file mode 100644 index 000000000000..867ecbfb99ee --- /dev/null +++ b/secure/lib/libcrypto/man/OPENSSL_init_crypto.3 @@ -0,0 +1,355 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OPENSSL_INIT_CRYPTO 3" +.TH OPENSSL_INIT_CRYPTO 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OPENSSL_INIT_new, OPENSSL_INIT_set_config_appname, OPENSSL_INIT_free, OPENSSL_init_crypto, OPENSSL_cleanup, OPENSSL_atexit, OPENSSL_thread_stop \- OpenSSL initialisation and deinitialisation functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void OPENSSL_cleanup(void); +\& int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); +\& int OPENSSL_atexit(void (*handler)(void)); +\& void OPENSSL_thread_stop(void); +\& +\& OPENSSL_INIT_SETTINGS *OPENSSL_INIT_new(void); +\& int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *init, +\& const char* name); +\& void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *init); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +During normal operation OpenSSL (libcrypto) will allocate various resources at +start up that must, subsequently, be freed on close down of the library. +Additionally some resources are allocated on a per thread basis (if the +application is multi-threaded), and these resources must be freed prior to the +thread closing. +.PP +As of version 1.1.0 OpenSSL will automatically allocate all resources that it +needs so no explicit initialisation is required. Similarly it will also +automatically deinitialise as required. +.PP +However, there way be situations when explicit initialisation is desirable or +needed, for example when some non-default initialisation is required. The +function \fIOPENSSL_init_crypto()\fR can be used for this purpose for +libcrypto (see also \fIOPENSSL_init_ssl\fR\|(3) for the libssl +equivalent). +.PP +Numerous internal OpenSSL functions call \fIOPENSSL_init_crypto()\fR. +Therefore, in order to perform non-default initialisation, +\&\fIOPENSSL_init_crypto()\fR \s-1MUST\s0 be called by application code prior to +any other OpenSSL function calls. +.PP +The \fBopts\fR parameter specifies which aspects of libcrypto should be +initialised. Valid options are: +.IP "\s-1OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS\s0" 4 +.IX Item "OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS" +Suppress automatic loading of the libcrypto error strings. This option is +not a default option. Once selected subsequent calls to +\&\fIOPENSSL_init_crypto()\fR with the option +\&\fB\s-1OPENSSL_INIT_LOAD_CRYPTO_STRINGS\s0\fR will be ignored. +.IP "\s-1OPENSSL_INIT_LOAD_CRYPTO_STRINGS\s0" 4 +.IX Item "OPENSSL_INIT_LOAD_CRYPTO_STRINGS" +Automatic loading of the libcrypto error strings. With this option the +library will automatically load the libcrypto error strings. +This option is a default option. Once selected subsequent calls to +\&\fIOPENSSL_init_crypto()\fR with the option +\&\fB\s-1OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS\s0\fR will be ignored. +.IP "\s-1OPENSSL_INIT_ADD_ALL_CIPHERS\s0" 4 +.IX Item "OPENSSL_INIT_ADD_ALL_CIPHERS" +With this option the library will automatically load and make available all +libcrypto ciphers. This option is a default option. Once selected subsequent +calls to \fIOPENSSL_init_crypto()\fR with the option +\&\fB\s-1OPENSSL_INIT_NO_ADD_ALL_CIPHERS\s0\fR will be ignored. +.IP "\s-1OPENSSL_INIT_ADD_ALL_DIGESTS\s0" 4 +.IX Item "OPENSSL_INIT_ADD_ALL_DIGESTS" +With this option the library will automatically load and make available all +libcrypto digests. This option is a default option. Once selected subsequent +calls to \fIOPENSSL_init_crypto()\fR with the option +\&\fB\s-1OPENSSL_INIT_NO_ADD_ALL_CIPHERS\s0\fR will be ignored. +.IP "\s-1OPENSSL_INIT_NO_ADD_ALL_CIPHERS\s0" 4 +.IX Item "OPENSSL_INIT_NO_ADD_ALL_CIPHERS" +With this option the library will suppress automatic loading of libcrypto +ciphers. This option is not a default option. Once selected subsequent +calls to \fIOPENSSL_init_crypto()\fR with the option +\&\fB\s-1OPENSSL_INIT_ADD_ALL_CIPHERS\s0\fR will be ignored. +.IP "\s-1OPENSSL_INIT_NO_ADD_ALL_DIGESTS\s0" 4 +.IX Item "OPENSSL_INIT_NO_ADD_ALL_DIGESTS" +With this option the library will suppress automatic loading of libcrypto +digests. This option is not a default option. Once selected subsequent +calls to \fIOPENSSL_init_crypto()\fR with the option +\&\fB\s-1OPENSSL_INIT_ADD_ALL_DIGESTS\s0\fR will be ignored. +.IP "\s-1OPENSSL_INIT_LOAD_CONFIG\s0" 4 +.IX Item "OPENSSL_INIT_LOAD_CONFIG" +With this option an OpenSSL configuration file will be automatically loaded and +used by calling \fIOPENSSL_config()\fR. This is not a default option for libcrypto. +From OpenSSL 1.1.1 this is a default option for libssl (see +\&\fIOPENSSL_init_ssl\fR\|(3) for further details about libssl initialisation). See the +description of \fIOPENSSL_INIT_new()\fR, below. +.IP "\s-1OPENSSL_INIT_NO_LOAD_CONFIG\s0" 4 +.IX Item "OPENSSL_INIT_NO_LOAD_CONFIG" +With this option the loading of OpenSSL configuration files will be suppressed. +It is the equivalent of calling \fIOPENSSL_no_config()\fR. This is not a default +option. +.IP "\s-1OPENSSL_INIT_ASYNC\s0" 4 +.IX Item "OPENSSL_INIT_ASYNC" +With this option the library with automatically initialise the libcrypto async +sub-library (see \fIASYNC_start_job\fR\|(3)). This is a default option. +.IP "\s-1OPENSSL_INIT_ENGINE_RDRAND\s0" 4 +.IX Item "OPENSSL_INIT_ENGINE_RDRAND" +With this option the library will automatically load and initialise the +\&\s-1RDRAND\s0 engine (if available). This not a default option. +.IP "\s-1OPENSSL_INIT_ENGINE_DYNAMIC\s0" 4 +.IX Item "OPENSSL_INIT_ENGINE_DYNAMIC" +With this option the library will automatically load and initialise the +dynamic engine. This not a default option. +.IP "\s-1OPENSSL_INIT_ENGINE_OPENSSL\s0" 4 +.IX Item "OPENSSL_INIT_ENGINE_OPENSSL" +With this option the library will automatically load and initialise the +openssl engine. This not a default option. +.IP "\s-1OPENSSL_INIT_ENGINE_CRYPTODEV\s0" 4 +.IX Item "OPENSSL_INIT_ENGINE_CRYPTODEV" +With this option the library will automatically load and initialise the +cryptodev engine (if available). This not a default option. +.IP "\s-1OPENSSL_INIT_ENGINE_CAPI\s0" 4 +.IX Item "OPENSSL_INIT_ENGINE_CAPI" +With this option the library will automatically load and initialise the +\&\s-1CAPI\s0 engine (if available). This not a default option. +.IP "\s-1OPENSSL_INIT_ENGINE_PADLOCK\s0" 4 +.IX Item "OPENSSL_INIT_ENGINE_PADLOCK" +With this option the library will automatically load and initialise the +padlock engine (if available). This not a default option. +.IP "\s-1OPENSSL_INIT_ENGINE_AFALG\s0" 4 +.IX Item "OPENSSL_INIT_ENGINE_AFALG" +With this option the library will automatically load and initialise the +\&\s-1AFALG\s0 engine. This not a default option. +.IP "\s-1OPENSSL_INIT_ENGINE_ALL_BUILTIN\s0" 4 +.IX Item "OPENSSL_INIT_ENGINE_ALL_BUILTIN" +With this option the library will automatically load and initialise all the +built in engines listed above with the exception of the openssl and afalg +engines. This not a default option. +.IP "\s-1OPENSSL_INIT_ATFORK\s0" 4 +.IX Item "OPENSSL_INIT_ATFORK" +With this option the library will register its fork handlers. +See \fIOPENSSL_fork_prepare\fR\|(3) for details. +.PP +Multiple options may be combined together in a single call to +\&\fIOPENSSL_init_crypto()\fR. For example: +.PP +.Vb 2 +\& OPENSSL_init_crypto(OPENSSL_INIT_NO_ADD_ALL_CIPHERS +\& | OPENSSL_INIT_NO_ADD_ALL_DIGESTS, NULL); +.Ve +.PP +The \fIOPENSSL_cleanup()\fR function deinitialises OpenSSL (both libcrypto +and libssl). All resources allocated by OpenSSL are freed. Typically there +should be no need to call this function directly as it is initiated +automatically on application exit. This is done via the standard C library +\&\fIatexit()\fR function. In the event that the application will close in a manner +that will not call the registered \fIatexit()\fR handlers then the application should +call \fIOPENSSL_cleanup()\fR directly. Developers of libraries using OpenSSL +are discouraged from calling this function and should instead, typically, rely +on auto-deinitialisation. This is to avoid error conditions where both an +application and a library it depends on both use OpenSSL, and the library +deinitialises it before the application has finished using it. +.PP +Once \fIOPENSSL_cleanup()\fR has been called the library cannot be reinitialised. +Attempts to call \fIOPENSSL_init_crypto()\fR will fail and an \s-1ERR_R_INIT_FAIL\s0 error +will be added to the error stack. Note that because initialisation has failed +OpenSSL error strings will not be available, only an error code. This code can +be put through the openssl errstr command line application to produce a human +readable error (see \fIerrstr\fR\|(1)). +.PP +The \fIOPENSSL_atexit()\fR function enables the registration of a +function to be called during \fIOPENSSL_cleanup()\fR. Stop handlers are +called after deinitialisation of resources local to a thread, but before other +process wide resources are freed. In the event that multiple stop handlers are +registered, no guarantees are made about the order of execution. +.PP +The \fIOPENSSL_thread_stop()\fR function deallocates resources associated +with the current thread. Typically this function will be called automatically by +the library when the thread exits. This should only be called directly if +resources should be freed at an earlier time, or under the circumstances +described in the \s-1NOTES\s0 section below. +.PP +The \fB\s-1OPENSSL_INIT_LOAD_CONFIG\s0\fR flag will load a default configuration +file. For optional configuration file settings, an \fB\s-1OPENSSL_INIT_SETTINGS\s0\fR +must be created and used. +The routines \fIOPENSSL_init_new()\fR and \fIOPENSSL_INIT_set_config_appname()\fR can +be used to allocate the object and set the application name, and then the +object can be released with \fIOPENSSL_INIT_free()\fR when done. +.SH "NOTES" +.IX Header "NOTES" +Resources local to a thread are deallocated automatically when the thread exits +(e.g. in a pthreads environment, when \fIpthread_exit()\fR is called). On Windows +platforms this is done in response to a \s-1DLL_THREAD_DETACH\s0 message being sent to +the libcrypto32.dll entry point. Some windows functions may cause threads to exit +without sending this message (for example \fIExitProcess()\fR). If the application +uses such functions, then the application must free up OpenSSL resources +directly via a call to \fIOPENSSL_thread_stop()\fR on each thread. Similarly this +message will also not be sent if OpenSSL is linked statically, and therefore +applications using static linking should also call \fIOPENSSL_thread_stop()\fR on each +thread. Additionally if OpenSSL is loaded dynamically via \fILoadLibrary()\fR and the +threads are not destroyed until after \fIFreeLibrary()\fR is called then each thread +should call \fIOPENSSL_thread_stop()\fR prior to the \fIFreeLibrary()\fR call. +.PP +On Linux/Unix where OpenSSL has been loaded via \fIdlopen()\fR and the application is +multi-threaded and if \fIdlclose()\fR is subsequently called prior to the threads +being destroyed then OpenSSL will not be able to deallocate resources associated +with those threads. The application should either call \fIOPENSSL_thread_stop()\fR on +each thread prior to the \fIdlclose()\fR call, or alternatively the original \fIdlopen()\fR +call should use the \s-1RTLD_NODELETE\s0 flag (where available on the platform). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The functions OPENSSL_init_crypto, \fIOPENSSL_atexit()\fR and +\&\fIOPENSSL_INIT_set_config_appname()\fR return 1 on success or 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIOPENSSL_init_ssl\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fIOPENSSL_init_crypto()\fR, \fIOPENSSL_cleanup()\fR, \fIOPENSSL_atexit()\fR, +\&\fIOPENSSL_thread_stop()\fR, \fIOPENSSL_INIT_new()\fR, \fIOPENSSL_INIT_set_config_appname()\fR +and \fIOPENSSL_INIT_free()\fR functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_init_ssl.3 b/secure/lib/libcrypto/man/OPENSSL_init_ssl.3 new file mode 100644 index 000000000000..1773c4e32a8a --- /dev/null +++ b/secure/lib/libcrypto/man/OPENSSL_init_ssl.3 @@ -0,0 +1,205 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OPENSSL_INIT_SSL 3" +.TH OPENSSL_INIT_SSL 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OPENSSL_init_ssl \- OpenSSL (libssl and libcrypto) initialisation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +During normal operation OpenSSL (libssl and libcrypto) will allocate various +resources at start up that must, subsequently, be freed on close down of the +library. Additionally some resources are allocated on a per thread basis (if the +application is multi-threaded), and these resources must be freed prior to the +thread closing. +.PP +As of version 1.1.0 OpenSSL will automatically allocate all resources that it +needs so no explicit initialisation is required. Similarly it will also +automatically deinitialise as required. +.PP +However, there may be situations when explicit initialisation is desirable or +needed, for example when some non-default initialisation is required. The +function \fIOPENSSL_init_ssl()\fR can be used for this purpose. Calling +this function will explicitly initialise \s-1BOTH\s0 libcrypto and libssl. To +explicitly initialise \s-1ONLY\s0 libcrypto see the +\&\fIOPENSSL_init_crypto\fR\|(3) function. +.PP +Numerous internal OpenSSL functions call \fIOPENSSL_init_ssl()\fR. +Therefore, in order to perform non-default initialisation, +\&\fIOPENSSL_init_ssl()\fR \s-1MUST\s0 be called by application code prior to +any other OpenSSL function calls. +.PP +The \fBopts\fR parameter specifies which aspects of libssl and libcrypto should be +initialised. Valid options for libcrypto are described on the +\&\fIOPENSSL_init_crypto\fR\|(3) page. In addition to any libcrypto +specific option the following libssl options can also be used: +.IP "\s-1OPENSSL_INIT_NO_LOAD_SSL_STRINGS\s0" 4 +.IX Item "OPENSSL_INIT_NO_LOAD_SSL_STRINGS" +Suppress automatic loading of the libssl error strings. This option is +not a default option. Once selected subsequent calls to +\&\fIOPENSSL_init_ssl()\fR with the option +\&\fB\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0\fR will be ignored. +.IP "\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0" 4 +.IX Item "OPENSSL_INIT_LOAD_SSL_STRINGS" +Automatic loading of the libssl error strings. This option is a +default option. Once selected subsequent calls to +\&\fIOPENSSL_init_ssl()\fR with the option +\&\fB\s-1OPENSSL_INIT_LOAD_SSL_STRINGS\s0\fR will be ignored. +.PP +\&\fIOPENSSL_init_ssl()\fR takes a \fBsettings\fR parameter which can be used to +set parameter values. See \fIOPENSSL_init_crypto\fR\|(3) for details. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The function \fIOPENSSL_init_ssl()\fR returns 1 on success or 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIOPENSSL_init_crypto\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fIOPENSSL_init_ssl()\fR function was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3 b/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3 index 044de9a56782..adf2c1f98009 100644 --- a/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3 +++ b/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "OPENSSL_instrument_bus 3" -.TH OPENSSL_instrument_bus 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OPENSSL_INSTRUMENT_BUS 3" +.TH OPENSSL_INSTRUMENT_BUS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -140,8 +140,8 @@ OPENSSL_instrument_bus, OPENSSL_instrument_bus2 \- instrument references to memo .IX Header "SYNOPSIS" .Vb 4 \& #ifdef OPENSSL_CPUID_OBJ -\& size_t OPENSSL_instrument_bus (int *vector,size_t num); -\& size_t OPENSSL_instrument_bus2(int *vector,size_t num,size_t max); +\& size_t OPENSSL_instrument_bus(int *vector, size_t num); +\& size_t OPENSSL_instrument_bus2(int *vector, size_t num, size_t max); \& #endif .Ve .SH "DESCRIPTION" @@ -149,26 +149,34 @@ OPENSSL_instrument_bus, OPENSSL_instrument_bus2 \- instrument references to memo It was empirically found that timings of references to primary memory are subject to irregular, apparently non-deterministic variations. The subroutines in question instrument these references for purposes of -gathering entropy for random number generator. In order to make it +gathering randomness for random number generator. In order to make it bus-bound a 'flush cache line' instruction is used between probes. In addition probes are added to \fBvector\fR elements in atomic or interlocked manner, which should contribute additional noise on multi-processor systems. This also means that \fBvector[num]\fR should be zeroed upon invocation (if you want to retrieve actual probe values). .PP -OPENSSL_instrument_bus performs \fBnum\fR probes and records the number of +\&\fIOPENSSL_instrument_bus()\fR performs \fBnum\fR probes and records the number of oscillator cycles every probe took. .PP -OPENSSL_instrument_bus2 on the other hand \fBaccumulates\fR consecutive +\&\fIOPENSSL_instrument_bus2()\fR on the other hand \fBaccumulates\fR consecutive probes with the same value, i.e. in a way it records duration of periods when probe values appeared deterministic. The subroutine performs at most \fBmax\fR probes in attempt to fill the \fBvector[num]\fR, with \fBmax\fR value of 0 meaning \*(L"as many as it takes.\*(R" -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" Return value of 0 indicates that \s-1CPU\s0 is not capable of performing the benchmark, either because oscillator counter or 'flush cache line' is not available on current platform. For reference, on x86 'flush cache line' was introduced with the \s-1SSE2\s0 extensions. .PP Otherwise number of recorded values is returned. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2011\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 b/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 index c38799cd383d..d2ee30558351 100644 --- a/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 +++ b/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "OPENSSL_load_builtin_modules 3" -.TH OPENSSL_load_builtin_modules 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OPENSSL_LOAD_BUILTIN_MODULES 3" +.TH OPENSSL_LOAD_BUILTIN_MODULES 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,7 +143,7 @@ OPENSSL_load_builtin_modules, ASN1_add_oid_module, ENGINE_add_conf_module \- add \& \& void OPENSSL_load_builtin_modules(void); \& void ASN1_add_oid_module(void); -\& ENGINE_add_conf_module(); +\& void ENGINE_add_conf_module(void); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -156,23 +156,28 @@ OpenSSL configuration code. \&\fIENGINE_add_conf_module()\fR adds just the \s-1ENGINE\s0 configuration module. .SH "NOTES" .IX Header "NOTES" -If the simple configuration function \fIOPENSSL_config()\fR is called then +If the simple configuration function \fIOPENSSL_config()\fR is called then \&\fIOPENSSL_load_builtin_modules()\fR is called automatically. .PP Applications which use the configuration functions directly will need to -call \fIOPENSSL_load_builtin_modules()\fR themselves \fIbefore\fR any other +call \fIOPENSSL_load_builtin_modules()\fR themselves \fIbefore\fR any other configuration code. .PP Applications should call \fIOPENSSL_load_builtin_modules()\fR to load all -configuration modules instead of adding modules selectively: otherwise +configuration modules instead of adding modules selectively: otherwise functionality may be missing from the application if an when new modules are added. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" None of the functions return a value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIconf\fR\|(3), \fIOPENSSL_config\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -These functions first appeared in OpenSSL 0.9.7. +\&\fIconfig\fR\|(5), \fIOPENSSL_config\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_malloc.3 b/secure/lib/libcrypto/man/OPENSSL_malloc.3 new file mode 100644 index 000000000000..2b4eb737a8f4 --- /dev/null +++ b/secure/lib/libcrypto/man/OPENSSL_malloc.3 @@ -0,0 +1,369 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OPENSSL_MALLOC 3" +.TH OPENSSL_MALLOC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OPENSSL_malloc_init, OPENSSL_malloc, OPENSSL_zalloc, OPENSSL_realloc, OPENSSL_free, OPENSSL_clear_realloc, OPENSSL_clear_free, OPENSSL_cleanse, CRYPTO_malloc, CRYPTO_zalloc, CRYPTO_realloc, CRYPTO_free, OPENSSL_strdup, OPENSSL_strndup, OPENSSL_memdup, OPENSSL_strlcpy, OPENSSL_strlcat, OPENSSL_hexstr2buf, OPENSSL_buf2hexstr, OPENSSL_hexchar2int, CRYPTO_strdup, CRYPTO_strndup, OPENSSL_mem_debug_push, OPENSSL_mem_debug_pop, CRYPTO_mem_debug_push, CRYPTO_mem_debug_pop, CRYPTO_clear_realloc, CRYPTO_clear_free, CRYPTO_get_mem_functions, CRYPTO_set_mem_functions, CRYPTO_get_alloc_counts, CRYPTO_set_mem_debug, CRYPTO_mem_ctrl, CRYPTO_mem_leaks, CRYPTO_mem_leaks_fp, CRYPTO_mem_leaks_cb, OPENSSL_MALLOC_FAILURES, OPENSSL_MALLOC_FD \&\- Memory allocation functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int OPENSSL_malloc_init(void) +\& +\& void *OPENSSL_malloc(size_t num) +\& void *OPENSSL_zalloc(size_t num) +\& void *OPENSSL_realloc(void *addr, size_t num) +\& void OPENSSL_free(void *addr) +\& char *OPENSSL_strdup(const char *str) +\& char *OPENSSL_strndup(const char *str, size_t s) +\& size_t OPENSSL_strlcat(char *dst, const char *src, size_t size); +\& size_t OPENSSL_strlcpy(char *dst, const char *src, size_t size); +\& void *OPENSSL_memdup(void *data, size_t s) +\& void *OPENSSL_clear_realloc(void *p, size_t old_len, size_t num) +\& void OPENSSL_clear_free(void *str, size_t num) +\& void OPENSSL_cleanse(void *ptr, size_t len); +\& +\& unsigned char *OPENSSL_hexstr2buf(const char *str, long *len); +\& char *OPENSSL_buf2hexstr(const unsigned char *buffer, long len); +\& int OPENSSL_hexchar2int(unsigned char c); +\& +\& void *CRYPTO_malloc(size_t num, const char *file, int line) +\& void *CRYPTO_zalloc(size_t num, const char *file, int line) +\& void *CRYPTO_realloc(void *p, size_t num, const char *file, int line) +\& void CRYPTO_free(void *str, const char *, int) +\& char *CRYPTO_strdup(const char *p, const char *file, int line) +\& char *CRYPTO_strndup(const char *p, size_t num, const char *file, int line) +\& void *CRYPTO_clear_realloc(void *p, size_t old_len, size_t num, +\& const char *file, int line) +\& void CRYPTO_clear_free(void *str, size_t num, const char *, int) +\& +\& void CRYPTO_get_mem_functions( +\& void *(**m)(size_t, const char *, int), +\& void *(**r)(void *, size_t, const char *, int), +\& void (**f)(void *, const char *, int)) +\& int CRYPTO_set_mem_functions( +\& void *(*m)(size_t, const char *, int), +\& void *(*r)(void *, size_t, const char *, int), +\& void (*f)(void *, const char *, int)) +\& +\& void CRYPTO_get_alloc_counts(int *m, int *r, int *f) +\& +\& int CRYPTO_set_mem_debug(int onoff) +\& +\& env OPENSSL_MALLOC_FAILURES=... +\& env OPENSSL_MALLOC_FD=... +\& +\& int CRYPTO_mem_ctrl(int mode); +\& +\& int OPENSSL_mem_debug_push(const char *info) +\& int OPENSSL_mem_debug_pop(void); +\& +\& int CRYPTO_mem_debug_push(const char *info, const char *file, int line); +\& int CRYPTO_mem_debug_pop(void); +\& +\& int CRYPTO_mem_leaks(BIO *b); +\& int CRYPTO_mem_leaks_fp(FILE *fp); +\& int CRYPTO_mem_leaks_cb(int (*cb)(const char *str, size_t len, void *u), +\& void *u); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +OpenSSL memory allocation is handled by the \fBOPENSSL_xxx\fR \s-1API.\s0 These are +generally macro's that add the standard C \fB_\|_FILE_\|_\fR and \fB_\|_LINE_\|_\fR +parameters and call a lower-level \fBCRYPTO_xxx\fR \s-1API.\s0 +Some functions do not add those parameters, but exist for consistency. +.PP +\&\fIOPENSSL_malloc_init()\fR sets the lower-level memory allocation functions +to their default implementation. +It is generally not necessary to call this, except perhaps in certain +shared-library situations. +.PP +\&\fIOPENSSL_malloc()\fR, \fIOPENSSL_realloc()\fR, and \fIOPENSSL_free()\fR are like the +C \fImalloc()\fR, \fIrealloc()\fR, and \fIfree()\fR functions. +\&\fIOPENSSL_zalloc()\fR calls \fImemset()\fR to zero the memory before returning. +.PP +\&\fIOPENSSL_clear_realloc()\fR and \fIOPENSSL_clear_free()\fR should be used +when the buffer at \fBaddr\fR holds sensitive information. +The old buffer is filled with zero's by calling \fIOPENSSL_cleanse()\fR +before ultimately calling \fIOPENSSL_free()\fR. +.PP +\&\fIOPENSSL_cleanse()\fR fills \fBptr\fR of size \fBlen\fR with a string of 0's. +Use \fIOPENSSL_cleanse()\fR with care if the memory is a mapping of a file. +If the storage controller uses write compression, then its possible +that sensitive tail bytes will survive zeroization because the block of +zeros will be compressed. If the storage controller uses wear leveling, +then the old sensitive data will not be overwritten; rather, a block of +0's will be written at a new physical location. +.PP +\&\fIOPENSSL_strdup()\fR, \fIOPENSSL_strndup()\fR and \fIOPENSSL_memdup()\fR are like the +equivalent C functions, except that memory is allocated by calling the +\&\fIOPENSSL_malloc()\fR and should be released by calling \fIOPENSSL_free()\fR. +.PP +\&\fIOPENSSL_strlcpy()\fR, +\&\fIOPENSSL_strlcat()\fR and \fIOPENSSL_strnlen()\fR are equivalents of the common C +library functions and are provided for portability. +.PP +\&\fIOPENSSL_hexstr2buf()\fR parses \fBstr\fR as a hex string and returns a +pointer to the parsed value. The memory is allocated by calling +\&\fIOPENSSL_malloc()\fR and should be released by calling \fIOPENSSL_free()\fR. +If \fBlen\fR is not \s-1NULL,\s0 it is filled in with the output length. +Colons between two-character hex \*(L"bytes\*(R" are ignored. +An odd number of hex digits is an error. +.PP +\&\fIOPENSSL_buf2hexstr()\fR takes the specified buffer and length, and returns +a hex string for value, or \s-1NULL\s0 on error. +\&\fBBuffer\fR cannot be \s-1NULL\s0; if \fBlen\fR is 0 an empty string is returned. +.PP +\&\fIOPENSSL_hexchar2int()\fR converts a character to the hexadecimal equivalent, +or returns \-1 on error. +.PP +If no allocations have been done, it is possible to \*(L"swap out\*(R" the default +implementations for \fIOPENSSL_malloc()\fR, OPENSSL_realloc and \fIOPENSSL_free()\fR +and replace them with alternate versions (hooks). +\&\fICRYPTO_get_mem_functions()\fR function fills in the given arguments with the +function pointers for the current implementations. +With \fICRYPTO_set_mem_functions()\fR, you can specify a different set of functions. +If any of \fBm\fR, \fBr\fR, or \fBf\fR are \s-1NULL,\s0 then the function is not changed. +.PP +The default implementation can include some debugging capability (if enabled +at build-time). +This adds some overhead by keeping a list of all memory allocations, and +removes items from the list when they are free'd. +This is most useful for identifying memory leaks. +\&\fICRYPTO_set_mem_debug()\fR turns this tracking on and off. In order to have +any effect, is must be called before any of the allocation functions +(e.g., \fICRYPTO_malloc()\fR) are called, and is therefore normally one of the +first lines of \fImain()\fR in an application. +\&\fICRYPTO_mem_ctrl()\fR provides fine-grained control of memory leak tracking. +To enable tracking call \fICRYPTO_mem_ctrl()\fR with a \fBmode\fR argument of +the \fB\s-1CRYPTO_MEM_CHECK_ON\s0\fR. +To disable tracking call \fICRYPTO_mem_ctrl()\fR with a \fBmode\fR argument of +the \fB\s-1CRYPTO_MEM_CHECK_OFF\s0\fR. +.PP +While checking memory, it can be useful to store additional context +about what is being done. +For example, identifying the field names when parsing a complicated +data structure. +\&\fIOPENSSL_mem_debug_push()\fR (which calls \fICRYPTO_mem_debug_push()\fR) +attachs an identifying string to the allocation stack. +This must be a global or other static string; it is not copied. +\&\fIOPENSSL_mem_debug_pop()\fR removes identifying state from the stack. +.PP +At the end of the program, calling \fICRYPTO_mem_leaks()\fR or +\&\fICRYPTO_mem_leaks_fp()\fR will report all \*(L"leaked\*(R" memory, writing it +to the specified \s-1BIO\s0 \fBb\fR or \s-1FILE\s0 \fBfp\fR. These functions return 1 if +there are no leaks, 0 if there are leaks and \-1 if an error occurred. +.PP +\&\fICRYPTO_mem_leaks_cb()\fR does the same as \fICRYPTO_mem_leaks()\fR, but instead +of writing to a given \s-1BIO,\s0 the callback function is called for each +output string with the string, length, and userdata \fBu\fR as the callback +parameters. +.PP +If the library is built with the \f(CW\*(C`crypto\-mdebug\*(C'\fR option, then one +function, \fICRYPTO_get_alloc_counts()\fR, and two additional environment +variables, \fB\s-1OPENSSL_MALLOC_FAILURES\s0\fR and \fB\s-1OPENSSL_MALLOC_FD\s0\fR, +are available. +.PP +The function \fICRYPTO_get_alloc_counts()\fR fills in the number of times +each of \fICRYPTO_malloc()\fR, \fICRYPTO_realloc()\fR, and \fICRYPTO_free()\fR have been +called, into the values pointed to by \fBmcount\fR, \fBrcount\fR, and \fBfcount\fR, +respectively. If a pointer is \s-1NULL,\s0 then the corresponding count is not stored. +.PP +The variable +\&\fB\s-1OPENSSL_MALLOC_FAILURES\s0\fR controls how often allocations should fail. +It is a set of fields separated by semicolons, which each field is a count +(defaulting to zero) and an optional atsign and percentage (defaulting +to 100). If the count is zero, then it lasts forever. For example, +\&\f(CW\*(C`100;@25\*(C'\fR or \f(CW\*(C`100@0;0@25\*(C'\fR means the first 100 allocations pass, then all +other allocations (until the program exits or crashes) have a 25% chance of +failing. +.PP +If the variable \fB\s-1OPENSSL_MALLOC_FD\s0\fR is parsed as a positive integer, then +it is taken as an open file descriptor, and a record of all allocations is +written to that descriptor. If an allocation will fail, and the platform +supports it, then a backtrace will be written to the descriptor. This can +be useful because a malloc may fail but not be checked, and problems will +only occur later. The following example in classic shell syntax shows how +to use this (will not work on all platforms): +.PP +.Vb 5 +\& OPENSSL_MALLOC_FAILURES=\*(Aq200;@10\*(Aq +\& export OPENSSL_MALLOC_FAILURES +\& OPENSSL_MALLOC_FD=3 +\& export OPENSSL_MALLOC_FD +\& ...app invocation... 3>/tmp/log$$ +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOPENSSL_malloc_init()\fR, \fIOPENSSL_free()\fR, \fIOPENSSL_clear_free()\fR +\&\fICRYPTO_free()\fR, \fICRYPTO_clear_free()\fR and \fICRYPTO_get_mem_functions()\fR +return no value. +.PP +\&\fICRYPTO_mem_leaks()\fR, \fICRYPTO_mem_leaks_fp()\fR and \fICRYPTO_mem_leaks_cb()\fR return 1 if +there are no leaks, 0 if there are leaks and \-1 if an error occurred. +.PP +\&\fIOPENSSL_malloc()\fR, \fIOPENSSL_zalloc()\fR, \fIOPENSSL_realloc()\fR, +\&\fIOPENSSL_clear_realloc()\fR, +\&\fICRYPTO_malloc()\fR, \fICRYPTO_zalloc()\fR, \fICRYPTO_realloc()\fR, +\&\fICRYPTO_clear_realloc()\fR, +\&\fIOPENSSL_buf2hexstr()\fR, \fIOPENSSL_hexstr2buf()\fR, +\&\fIOPENSSL_strdup()\fR, and \fIOPENSSL_strndup()\fR +return a pointer to allocated memory or \s-1NULL\s0 on error. +.PP +\&\fICRYPTO_set_mem_functions()\fR and \fICRYPTO_set_mem_debug()\fR +return 1 on success or 0 on failure (almost +always because allocations have already happened). +.PP +\&\fICRYPTO_mem_ctrl()\fR returns \-1 if an error occurred, otherwise the +previous value of the mode. +.PP +\&\fIOPENSSL_mem_debug_push()\fR and \fIOPENSSL_mem_debug_pop()\fR +return 1 on success or 0 on failure. +.SH "NOTES" +.IX Header "NOTES" +While it's permitted to swap out only a few and not all the functions +with \fICRYPTO_set_mem_functions()\fR, it's recommended to swap them all out +at once. \fIThis applies specially if OpenSSL was built with the +configuration option\fR \f(CW\*(C`crypto\-mdebug\*(C'\fR \fIenabled. In case, swapping out +only, say, the \fImalloc()\fI implementation is outright dangerous.\fR +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OPENSSL_secure_malloc.3 b/secure/lib/libcrypto/man/OPENSSL_secure_malloc.3 new file mode 100644 index 000000000000..4c4abc2dbf8d --- /dev/null +++ b/secure/lib/libcrypto/man/OPENSSL_secure_malloc.3 @@ -0,0 +1,256 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OPENSSL_SECURE_MALLOC 3" +.TH OPENSSL_SECURE_MALLOC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +CRYPTO_secure_malloc_init, CRYPTO_secure_malloc_initialized, CRYPTO_secure_malloc_done, OPENSSL_secure_malloc, CRYPTO_secure_malloc, OPENSSL_secure_zalloc, CRYPTO_secure_zalloc, OPENSSL_secure_free, CRYPTO_secure_free, OPENSSL_secure_clear_free, CRYPTO_secure_clear_free, OPENSSL_secure_actual_size, CRYPTO_secure_used \- secure heap storage +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int CRYPTO_secure_malloc_init(size_t size, int minsize); +\& +\& int CRYPTO_secure_malloc_initialized(); +\& +\& int CRYPTO_secure_malloc_done(); +\& +\& void *OPENSSL_secure_malloc(size_t num); +\& void *CRYPTO_secure_malloc(size_t num, const char *file, int line); +\& +\& void *OPENSSL_secure_zalloc(size_t num); +\& void *CRYPTO_secure_zalloc(size_t num, const char *file, int line); +\& +\& void OPENSSL_secure_free(void* ptr); +\& void CRYPTO_secure_free(void *ptr, const char *, int); +\& +\& void OPENSSL_secure_clear_free(void* ptr, size_t num); +\& void CRYPTO_secure_clear_free(void *ptr, size_t num, const char *, int); +\& +\& size_t OPENSSL_secure_actual_size(const void *ptr); +\& +\& size_t CRYPTO_secure_used(); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +In order to help protect applications (particularly long-running servers) +from pointer overruns or underruns that could return arbitrary data from +the program's dynamic memory area, where keys and other sensitive +information might be stored, OpenSSL supports the concept of a \*(L"secure heap.\*(R" +The level and type of security guarantees depend on the operating system. +It is a good idea to review the code and see if it addresses your +threat model and concerns. +.PP +If a secure heap is used, then private key \fB\s-1BIGNUM\s0\fR values are stored there. +This protects long-term storage of private keys, but will not necessarily +put all intermediate values and computations there. +.PP +\&\fICRYPTO_secure_malloc_init()\fR creates the secure heap, with the specified +\&\f(CW\*(C`size\*(C'\fR in bytes. The \f(CW\*(C`minsize\*(C'\fR parameter is the minimum size to +allocate from the heap. Both \f(CW\*(C`size\*(C'\fR and \f(CW\*(C`minsize\*(C'\fR must be a power +of two. +.PP +\&\fICRYPTO_secure_malloc_initialized()\fR indicates whether or not the secure +heap as been initialized and is available. +.PP +\&\fICRYPTO_secure_malloc_done()\fR releases the heap and makes the memory unavailable +to the process if all secure memory has been freed. +It can take noticeably long to complete. +.PP +\&\fIOPENSSL_secure_malloc()\fR allocates \f(CW\*(C`num\*(C'\fR bytes from the heap. +If \fICRYPTO_secure_malloc_init()\fR is not called, this is equivalent to +calling \fIOPENSSL_malloc()\fR. +It is a macro that expands to +\&\fICRYPTO_secure_malloc()\fR and adds the \f(CW\*(C`_\|_FILE_\|_\*(C'\fR and \f(CW\*(C`_\|_LINE_\|_\*(C'\fR parameters. +.PP +\&\fIOPENSSL_secure_zalloc()\fR and \fICRYPTO_secure_zalloc()\fR are like +\&\fIOPENSSL_secure_malloc()\fR and \fICRYPTO_secure_malloc()\fR, respectively, +except that they call \fImemset()\fR to zero the memory before returning. +.PP +\&\fIOPENSSL_secure_free()\fR releases the memory at \f(CW\*(C`ptr\*(C'\fR back to the heap. +It must be called with a value previously obtained from +\&\fIOPENSSL_secure_malloc()\fR. +If \fICRYPTO_secure_malloc_init()\fR is not called, this is equivalent to +calling \fIOPENSSL_free()\fR. +It exists for consistency with \fIOPENSSL_secure_malloc()\fR , and +is a macro that expands to \fICRYPTO_secure_free()\fR and adds the \f(CW\*(C`_\|_FILE_\|_\*(C'\fR +and \f(CW\*(C`_\|_LINE_\|_\*(C'\fR parameters.. +.PP +\&\fIOPENSSL_secure_clear_free()\fR is similar to \fIOPENSSL_secure_free()\fR except +that it has an additional \f(CW\*(C`num\*(C'\fR parameter which is used to clear +the memory if it was not allocated from the secure heap. +If \fICRYPTO_secure_malloc_init()\fR is not called, this is equivalent to +calling \fIOPENSSL_clear_free()\fR. +.PP +\&\fIOPENSSL_secure_actual_size()\fR tells the actual size allocated to the +pointer; implementations may allocate more space than initially +requested, in order to \*(L"round up\*(R" and reduce secure heap fragmentation. +.PP +\&\fICRYPTO_secure_used()\fR returns the number of bytes allocated in the +secure heap. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fICRYPTO_secure_malloc_init()\fR returns 0 on failure, 1 if successful, +and 2 if successful but the heap could not be protected by memory +mapping. +.PP +\&\fICRYPTO_secure_malloc_initialized()\fR returns 1 if the secure heap is +available (that is, if \fICRYPTO_secure_malloc_init()\fR has been called, +but \fICRYPTO_secure_malloc_done()\fR has not been called or failed) or 0 if not. +.PP +\&\fIOPENSSL_secure_malloc()\fR and \fIOPENSSL_secure_zalloc()\fR return a pointer into +the secure heap of the requested size, or \f(CW\*(C`NULL\*(C'\fR if memory could not be +allocated. +.PP +\&\fICRYPTO_secure_allocated()\fR returns 1 if the pointer is in the secure heap, or 0 if not. +.PP +\&\fICRYPTO_secure_malloc_done()\fR returns 1 if the secure memory area is released, or 0 if not. +.PP +\&\fIOPENSSL_secure_free()\fR and \fIOPENSSL_secure_clear_free()\fR return no values. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIOPENSSL_malloc\fR\|(3), +\&\fIBN_new\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIOPENSSL_secure_clear_free()\fR was added in OpenSSL 1.1.0g. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OSSL_STORE_INFO.3 b/secure/lib/libcrypto/man/OSSL_STORE_INFO.3 new file mode 100644 index 000000000000..d8122b541876 --- /dev/null +++ b/secure/lib/libcrypto/man/OSSL_STORE_INFO.3 @@ -0,0 +1,310 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OSSL_STORE_INFO 3" +.TH OSSL_STORE_INFO 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OSSL_STORE_INFO, OSSL_STORE_INFO_get_type, OSSL_STORE_INFO_get0_NAME, OSSL_STORE_INFO_get0_NAME_description, OSSL_STORE_INFO_get0_PARAMS, OSSL_STORE_INFO_get0_PKEY, OSSL_STORE_INFO_get0_CERT, OSSL_STORE_INFO_get0_CRL, OSSL_STORE_INFO_get1_NAME, OSSL_STORE_INFO_get1_NAME_description, OSSL_STORE_INFO_get1_PARAMS, OSSL_STORE_INFO_get1_PKEY, OSSL_STORE_INFO_get1_CERT, OSSL_STORE_INFO_get1_CRL, OSSL_STORE_INFO_type_string, OSSL_STORE_INFO_free, OSSL_STORE_INFO_new_NAME, OSSL_STORE_INFO_set0_NAME_description, OSSL_STORE_INFO_new_PARAMS, OSSL_STORE_INFO_new_PKEY, OSSL_STORE_INFO_new_CERT, OSSL_STORE_INFO_new_CRL \- Functions to manipulate OSSL_STORE_INFO objects +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef struct ossl_store_info_st OSSL_STORE_INFO; +\& +\& int OSSL_STORE_INFO_get_type(const OSSL_STORE_INFO *store_info); +\& const char *OSSL_STORE_INFO_get0_NAME(const OSSL_STORE_INFO *store_info); +\& char *OSSL_STORE_INFO_get1_NAME(const OSSL_STORE_INFO *store_info); +\& const char *OSSL_STORE_INFO_get0_NAME_description(const OSSL_STORE_INFO +\& *store_info); +\& char *OSSL_STORE_INFO_get1_NAME_description(const OSSL_STORE_INFO *store_info); +\& EVP_PKEY *OSSL_STORE_INFO_get0_PARAMS(const OSSL_STORE_INFO *store_info); +\& EVP_PKEY *OSSL_STORE_INFO_get1_PARAMS(const OSSL_STORE_INFO *store_info); +\& EVP_PKEY *OSSL_STORE_INFO_get0_PKEY(const OSSL_STORE_INFO *store_info); +\& EVP_PKEY *OSSL_STORE_INFO_get1_PKEY(const OSSL_STORE_INFO *store_info); +\& X509 *OSSL_STORE_INFO_get0_CERT(const OSSL_STORE_INFO *store_info); +\& X509 *OSSL_STORE_INFO_get1_CERT(const OSSL_STORE_INFO *store_info); +\& X509_CRL *OSSL_STORE_INFO_get0_CRL(const OSSL_STORE_INFO *store_info); +\& X509_CRL *OSSL_STORE_INFO_get1_CRL(const OSSL_STORE_INFO *store_info); +\& +\& const char *OSSL_STORE_INFO_type_string(int type); +\& +\& void OSSL_STORE_INFO_free(OSSL_STORE_INFO *store_info); +\& +\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_NAME(char *name); +\& int OSSL_STORE_INFO_set0_NAME_description(OSSL_STORE_INFO *info, char *desc); +\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_PARAMS(DSA *dsa_params); +\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_PKEY(EVP_PKEY *pkey); +\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_CERT(X509 *x509); +\& OSSL_STORE_INFO *OSSL_STORE_INFO_new_CRL(X509_CRL *crl); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions are primarily useful for applications to retrieve +supported objects from \fB\s-1OSSL_STORE_INFO\s0\fR objects and for scheme specific +loaders to create \fB\s-1OSSL_STORE_INFO\s0\fR holders. +.SS "Types" +.IX Subsection "Types" +\&\fB\s-1OSSL_STORE_INFO\s0\fR is an opaque type that's just an intermediary holder for +the objects that have been retrieved by \fIOSSL_STORE_load()\fR and similar +functions. +Supported OpenSSL type object can be extracted using one of +\&\fISTORE_INFO_get0_TYPE()\fR. +The life time of this extracted object is as long as the life time of +the \fB\s-1OSSL_STORE_INFO\s0\fR it was extracted from, so care should be taken not +to free the latter too early. +As an alternative, \fISTORE_INFO_get1_TYPE()\fR extracts a duplicate (or the +same object with its reference count increased), which can be used +after the containing \fB\s-1OSSL_STORE_INFO\s0\fR has been freed. +The object returned by \fISTORE_INFO_get1_TYPE()\fR must be freed separately +by the caller. +See \*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 for more information on the types that are +supported. +.SS "Functions" +.IX Subsection "Functions" +\&\fIOSSL_STORE_INFO_get_type()\fR takes a \fB\s-1OSSL_STORE_INFO\s0\fR and returns the \s-1STORE\s0 +type number for the object inside. +\&\fISTORE_INFO_get_type_string()\fR takes a \s-1STORE\s0 type number and returns a +short string describing it. +.PP +\&\fIOSSL_STORE_INFO_get0_NAME()\fR, \fIOSSL_STORE_INFO_get0_NAME_description()\fR, +\&\fIOSSL_STORE_INFO_get0_PARAMS()\fR, \fIOSSL_STORE_INFO_get0_PKEY()\fR, +\&\fIOSSL_STORE_INFO_get0_CERT()\fR and \fIOSSL_STORE_INFO_get0_CRL()\fR all take a +\&\fB\s-1OSSL_STORE_INFO\s0\fR and return the held object of the appropriate OpenSSL +type provided that's what's held. +.PP +\&\fIOSSL_STORE_INFO_get1_NAME()\fR, \fIOSSL_STORE_INFO_get1_NAME_description()\fR, +\&\fIOSSL_STORE_INFO_get1_PARAMS()\fR, \fIOSSL_STORE_INFO_get1_PKEY()\fR, +\&\fIOSSL_STORE_INFO_get1_CERT()\fR and \fIOSSL_STORE_INFO_get1_CRL()\fR all take a +\&\fB\s-1OSSL_STORE_INFO\s0\fR and return a duplicate of the held object of the +appropriate OpenSSL type provided that's what's held. +.PP +\&\fIOSSL_STORE_INFO_free()\fR frees a \fB\s-1OSSL_STORE_INFO\s0\fR and its contained type. +.PP +\&\fIOSSL_STORE_INFO_new_NAME()\fR , \fIOSSL_STORE_INFO_new_PARAMS()\fR, +\&\fIOSSL_STORE_INFO_new_PKEY()\fR, \fIOSSL_STORE_INFO_new_CERT()\fR and +\&\fIOSSL_STORE_INFO_new_CRL()\fR create a \fB\s-1OSSL_STORE_INFO\s0\fR +object to hold the given input object. +Additionally, for \fB\s-1OSSL_STORE_INFO_NAME\s0\fR` objects, +\&\fIOSSL_STORE_INFO_set0_NAME_description()\fR can be used to add an extra +description. +This description is meant to be human readable and should be used for +information printout. +.SH "SUPPORTED OBJECTS" +.IX Header "SUPPORTED OBJECTS" +Currently supported object types are: +.IP "\s-1OSSL_STORE_INFO_NAME\s0" 4 +.IX Item "OSSL_STORE_INFO_NAME" +A name is exactly that, a name. +It's like a name in a directory, but formatted as a complete \s-1URI.\s0 +For example, the path in \s-1URI\s0 \f(CW\*(C`file:/foo/bar/\*(C'\fR could include a file +named \f(CW\*(C`cookie.pem\*(C'\fR, and in that case, the returned \fB\s-1OSSL_STORE_INFO_NAME\s0\fR +object would have the \s-1URI\s0 \f(CW\*(C`file:/foo/bar/cookie.pem\*(C'\fR, which can be +used by the application to get the objects in that file. +This can be applied to all schemes that can somehow support a listing +of object URIs. +.Sp +For \f(CW\*(C`file:\*(C'\fR URIs that are used without the explicit scheme, the +returned name will be the path of each object, so if \f(CW\*(C`/foo/bar\*(C'\fR was +given and that path has the file \f(CW\*(C`cookie.pem\*(C'\fR, the name +\&\f(CW\*(C`/foo/bar/cookie.pem\*(C'\fR will be returned. +.Sp +The returned \s-1URI\s0 is considered canonical and must be unique and permanent +for the storage where the object (or collection of objects) resides. +Each loader is responsible for ensuring that it only returns canonical +URIs. +However, it's possible that certain schemes allow an object (or collection +thereof) to be reached with alternative URIs; just because one \s-1URI\s0 is +canonical doesn't mean that other variants can't be used. +.Sp +At the discretion of the loader that was used to get these names, an +extra description may be attached as well. +.IP "\s-1OSSL_STORE_INFO_PARAMS\s0" 4 +.IX Item "OSSL_STORE_INFO_PARAMS" +Key parameters. +.IP "\s-1OSSL_STORE_INFO_PKEY\s0" 4 +.IX Item "OSSL_STORE_INFO_PKEY" +A private/public key of some sort. +.IP "\s-1OSSL_STORE_INFO_CERT\s0" 4 +.IX Item "OSSL_STORE_INFO_CERT" +An X.509 certificate. +.IP "\s-1OSSL_STORE_INFO_CRL\s0" 4 +.IX Item "OSSL_STORE_INFO_CRL" +A X.509 certificate revocation list. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOSSL_STORE_INFO_get_type()\fR returns the \s-1STORE\s0 type number of the given +\&\fB\s-1OSSL_STORE_INFO\s0\fR. +There is no error value. +.PP +\&\fIOSSL_STORE_INFO_get0_NAME()\fR, \fIOSSL_STORE_INFO_get0_NAME_description()\fR, +\&\fIOSSL_STORE_INFO_get0_PARAMS()\fR, \fIOSSL_STORE_INFO_get0_PKEY()\fR, +\&\fIOSSL_STORE_INFO_get0_CERT()\fR and \fIOSSL_STORE_INFO_get0_CRL()\fR all return +a pointer to the OpenSSL object on success, \s-1NULL\s0 otherwise. +.PP +\&\fIOSSL_STORE_INFO_get0_NAME()\fR, \fIOSSL_STORE_INFO_get0_NAME_description()\fR, +\&\fIOSSL_STORE_INFO_get0_PARAMS()\fR, \fIOSSL_STORE_INFO_get0_PKEY()\fR, +\&\fIOSSL_STORE_INFO_get0_CERT()\fR and \fIOSSL_STORE_INFO_get0_CRL()\fR all return +a pointer to a duplicate of the OpenSSL object on success, \s-1NULL\s0 otherwise. +.PP +\&\fIOSSL_STORE_INFO_type_string()\fR returns a string on success, or \fB\s-1NULL\s0\fR on +failure. +.PP +\&\fIOSSL_STORE_INFO_new_NAME()\fR, \fIOSSL_STORE_INFO_new_PARAMS()\fR, +\&\fIOSSL_STORE_INFO_new_PKEY()\fR, \fIOSSL_STORE_INFO_new_CERT()\fR and +\&\fIOSSL_STORE_INFO_new_CRL()\fR return a \fB\s-1OSSL_STORE_INFO\s0\fR +pointer on success, or \fB\s-1NULL\s0\fR on failure. +.PP +\&\fIOSSL_STORE_INFO_set0_NAME_description()\fR returns 1 on success, or 0 on +failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIossl_store\fR\|(7), \fIOSSL_STORE_open\fR\|(3), \fIOSSL_STORE_register_loader\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\s-1\fIOSSL_STORE_INFO\s0()\fR, \fIOSSL_STORE_INFO_get_type()\fR, \fIOSSL_STORE_INFO_get0_NAME()\fR, +\&\fIOSSL_STORE_INFO_get0_PARAMS()\fR, \fIOSSL_STORE_INFO_get0_PKEY()\fR, +\&\fIOSSL_STORE_INFO_get0_CERT()\fR, \fIOSSL_STORE_INFO_get0_CRL()\fR, +\&\fIOSSL_STORE_INFO_type_string()\fR, \fIOSSL_STORE_INFO_free()\fR, \fIOSSL_STORE_INFO_new_NAME()\fR, +\&\fIOSSL_STORE_INFO_new_PARAMS()\fR, \fIOSSL_STORE_INFO_new_PKEY()\fR, +\&\fIOSSL_STORE_INFO_new_CERT()\fR and \fIOSSL_STORE_INFO_new_CRL()\fR +were added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OSSL_STORE_LOADER.3 b/secure/lib/libcrypto/man/OSSL_STORE_LOADER.3 new file mode 100644 index 000000000000..e9138440ed17 --- /dev/null +++ b/secure/lib/libcrypto/man/OSSL_STORE_LOADER.3 @@ -0,0 +1,358 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OSSL_STORE_LOADER 3" +.TH OSSL_STORE_LOADER 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OSSL_STORE_LOADER, OSSL_STORE_LOADER_CTX, OSSL_STORE_LOADER_new, OSSL_STORE_LOADER_get0_engine, OSSL_STORE_LOADER_get0_scheme, OSSL_STORE_LOADER_set_open, OSSL_STORE_LOADER_set_ctrl, OSSL_STORE_LOADER_set_expect, OSSL_STORE_LOADER_set_find, OSSL_STORE_LOADER_set_load, OSSL_STORE_LOADER_set_eof, OSSL_STORE_LOADER_set_error, OSSL_STORE_LOADER_set_close, OSSL_STORE_LOADER_free, OSSL_STORE_register_loader, OSSL_STORE_unregister_loader, OSSL_STORE_open_fn, OSSL_STORE_ctrl_fn, OSSL_STORE_expect_fn, OSSL_STORE_find_fn, OSSL_STORE_load_fn, OSSL_STORE_eof_fn, OSSL_STORE_error_fn, OSSL_STORE_close_fn \- Types and functions to manipulate, register and unregister STORE loaders for different URI schemes +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef struct ossl_store_loader_st OSSL_STORE_LOADER; +\& +\& OSSL_STORE_LOADER *OSSL_STORE_LOADER_new(ENGINE *e, const char *scheme); +\& const ENGINE *OSSL_STORE_LOADER_get0_engine(const OSSL_STORE_LOADER +\& *store_loader); +\& const char *OSSL_STORE_LOADER_get0_scheme(const OSSL_STORE_LOADER +\& *store_loader); +\& +\& /* struct ossl_store_loader_ctx_st is defined differently by each loader */ +\& typedef struct ossl_store_loader_ctx_st OSSL_STORE_LOADER_CTX; +\& +\& typedef OSSL_STORE_LOADER_CTX *(*OSSL_STORE_open_fn)(const char *uri, +\& const UI_METHOD *ui_method, +\& void *ui_data); +\& int OSSL_STORE_LOADER_set_open(OSSL_STORE_LOADER *store_loader, +\& OSSL_STORE_open_fn store_open_function); +\& typedef int (*OSSL_STORE_ctrl_fn)(OSSL_STORE_LOADER_CTX *ctx, int cmd, +\& va_list args); +\& int OSSL_STORE_LOADER_set_ctrl(OSSL_STORE_LOADER *store_loader, +\& OSSL_STORE_ctrl_fn store_ctrl_function); +\& typedef int (*OSSL_STORE_expect_fn)(OSSL_STORE_LOADER_CTX *ctx, int expected); +\& int OSSL_STORE_LOADER_set_expect(OSSL_STORE_LOADER *loader, +\& OSSL_STORE_expect_fn expect_function); +\& typedef int (*OSSL_STORE_find_fn)(OSSL_STORE_LOADER_CTX *ctx, +\& OSSL_STORE_SEARCH *criteria); +\& int OSSL_STORE_LOADER_set_find(OSSL_STORE_LOADER *loader, +\& OSSL_STORE_find_fn find_function); +\& typedef OSSL_STORE_INFO *(*OSSL_STORE_load_fn)(OSSL_STORE_LOADER_CTX *ctx, +\& UI_METHOD *ui_method, +\& void *ui_data); +\& int OSSL_STORE_LOADER_set_load(OSSL_STORE_LOADER *store_loader, +\& OSSL_STORE_load_fn store_load_function); +\& typedef int (*OSSL_STORE_eof_fn)(OSSL_STORE_LOADER_CTX *ctx); +\& int OSSL_STORE_LOADER_set_eof(OSSL_STORE_LOADER *store_loader, +\& OSSL_STORE_eof_fn store_eof_function); +\& typedef int (*OSSL_STORE_error_fn)(OSSL_STORE_LOADER_CTX *ctx); +\& int OSSL_STORE_LOADER_set_error(OSSL_STORE_LOADER *store_loader, +\& OSSL_STORE_error_fn store_error_function); +\& typedef int (*OSSL_STORE_close_fn)(OSSL_STORE_LOADER_CTX *ctx); +\& int OSSL_STORE_LOADER_set_close(OSSL_STORE_LOADER *store_loader, +\& OSSL_STORE_close_fn store_close_function); +\& void OSSL_STORE_LOADER_free(OSSL_STORE_LOADER *store_loader); +\& +\& int OSSL_STORE_register_loader(OSSL_STORE_LOADER *loader); +\& OSSL_STORE_LOADER *OSSL_STORE_unregister_loader(const char *scheme); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions help applications and engines to create loaders for +schemes they support. +.SS "Types" +.IX Subsection "Types" +\&\fB\s-1OSSL_STORE_LOADER\s0\fR is the type to hold a loader. +It contains a scheme and the functions needed to implement +\&\fIOSSL_STORE_open()\fR, \fIOSSL_STORE_load()\fR, \fIOSSL_STORE_eof()\fR, \fIOSSL_STORE_error()\fR and +\&\fIOSSL_STORE_close()\fR for this scheme. +.PP +\&\fB\s-1OSSL_STORE_LOADER_CTX\s0\fR is a type template, to be defined by each loader +using \fBstruct ossl_store_loader_ctx_st { ... }\fR. +.PP +\&\fBOSSL_STORE_open_fn\fR, \fBOSSL_STORE_ctrl_fn\fR, \fBOSSL_STORE_expect_fn\fR, +\&\fBOSSL_STORE_find_fn\fR, \fBOSSL_STORE_load_fn\fR, \fBOSSL_STORE_eof_fn\fR, +and \fBOSSL_STORE_close_fn\fR +are the function pointer types used within a \s-1STORE\s0 loader. +The functions pointed at define the functionality of the given loader. +.IP "\fBOSSL_STORE_open_fn\fR" 4 +.IX Item "OSSL_STORE_open_fn" +This function takes a \s-1URI\s0 and is expected to interpret it in the best +manner possible according to the scheme the loader implements, it also +takes a \fB\s-1UI_METHOD\s0\fR and associated data, to be used any time +something needs to be prompted for. +Furthermore, this function is expected to initialize what needs to be +initialized, to create a privata data store (\fB\s-1OSSL_STORE_LOADER_CTX\s0\fR, see +above), and to return it. +If something goes wrong, this function is expected to return \s-1NULL.\s0 +.IP "\fBOSSL_STORE_ctrl_fn\fR" 4 +.IX Item "OSSL_STORE_ctrl_fn" +This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer, a command number +\&\fBcmd\fR and a \fBva_list\fR \fBargs\fR and is used to manipulate loader +specific parameters. +.Sp +Loader specific command numbers must begin at \fB\s-1OSSL_STORE_C_CUSTOM_START\s0\fR. +Any number below that is reserved for future globally known command +numbers. +.Sp +This function is expected to return 1 on success, 0 on error. +.IP "\fBOSSL_STORE_expect_fn\fR" 4 +.IX Item "OSSL_STORE_expect_fn" +This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a \fB\s-1OSSL_STORE_INFO\s0\fR +identity \fBexpected\fR, and is used to tell the loader what object type is +expected. +\&\fBexpected\fR may be zero to signify that no specific object type is expected. +.Sp +This function is expected to return 1 on success, 0 on error. +.IP "\fBOSSL_STORE_find_fn\fR" 4 +.IX Item "OSSL_STORE_find_fn" +This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a +\&\fB\s-1OSSL_STORE_SEARCH\s0\fR search criterion, and is used to tell the loader what +to search for. +.Sp +When called with the loader context being \fB\s-1NULL\s0\fR, this function is expected +to return 1 if the loader supports the criterion, otherwise 0. +.Sp +When called with the loader context being something other than \fB\s-1NULL\s0\fR, this +function is expected to return 1 on success, 0 on error. +.IP "\fBOSSL_STORE_load_fn\fR" 4 +.IX Item "OSSL_STORE_load_fn" +This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and a \fB\s-1UI_METHOD\s0\fR +with associated data. +It's expected to load the next available data, mold it into a data +structure that can be wrapped in a \fB\s-1OSSL_STORE_INFO\s0\fR using one of the +\&\s-1\fIOSSL_STORE_INFO\s0\fR\|(3) functions. +If no more data is available or an error occurs, this function is +expected to return \s-1NULL.\s0 +The \fBOSSL_STORE_eof_fn\fR and \fBOSSL_STORE_error_fn\fR functions must indicate if +it was in fact the end of data or if an error occurred. +.Sp +Note that this function retrieves \fIone\fR data item only. +.IP "\fBOSSL_STORE_eof_fn\fR" 4 +.IX Item "OSSL_STORE_eof_fn" +This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to +return 1 to indicate that the end of available data has been reached. +It is otherwise expected to return 0. +.IP "\fBOSSL_STORE_error_fn\fR" 4 +.IX Item "OSSL_STORE_error_fn" +This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to +return 1 to indicate that an error occurred in a previous call to the +\&\fBOSSL_STORE_load_fn\fR function. +It is otherwise expected to return 0. +.IP "\fBOSSL_STORE_close_fn\fR" 4 +.IX Item "OSSL_STORE_close_fn" +This function takes a \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer and is expected to +close or shut down what needs to be closed, and finally free the +contents of the \fB\s-1OSSL_STORE_LOADER_CTX\s0\fR pointer. +It returns 1 on success and 0 on error. +.SS "Functions" +.IX Subsection "Functions" +\&\fIOSSL_STORE_LOADER_new()\fR creates a new \fB\s-1OSSL_STORE_LOADER\s0\fR. +It takes an \fB\s-1ENGINE\s0\fR \fBe\fR and a string \fBscheme\fR. +\&\fBscheme\fR must \fIalways\fR be set. +Both \fBe\fR and \fBscheme\fR are used as is and must therefore be alive as +long as the created loader is. +.PP +\&\fIOSSL_STORE_LOADER_get0_engine()\fR returns the engine of the \fBstore_loader\fR. +\&\fIOSSL_STORE_LOADER_get0_scheme()\fR returns the scheme of the \fBstore_loader\fR. +.PP +\&\fIOSSL_STORE_LOADER_set_open()\fR sets the opener function for the +\&\fBstore_loader\fR. +.PP +\&\fIOSSL_STORE_LOADER_set_ctrl()\fR sets the control function for the +\&\fBstore_loader\fR. +.PP +\&\fIOSSL_STORE_LOADER_set_expect()\fR sets the expect function for the +\&\fBstore_loader\fR. +.PP +\&\fIOSSL_STORE_LOADER_set_load()\fR sets the loader function for the +\&\fBstore_loader\fR. +.PP +\&\fIOSSL_STORE_LOADER_set_eof()\fR sets the end of file checker function for the +\&\fBstore_loader\fR. +.PP +\&\fIOSSL_STORE_LOADER_set_close()\fR sets the closing function for the +\&\fBstore_loader\fR. +.PP +\&\fIOSSL_STORE_LOADER_free()\fR frees the given \fBstore_loader\fR. +.PP +\&\fIOSSL_STORE_register_loader()\fR register the given \fBstore_loader\fR and thereby +makes it available for use with \fIOSSL_STORE_open()\fR, \fIOSSL_STORE_load()\fR, +\&\fIOSSL_STORE_eof()\fR and \fIOSSL_STORE_close()\fR. +.PP +\&\fIOSSL_STORE_unregister_loader()\fR unregister the store loader for the given +\&\fBscheme\fR. +.SH "NOTES" +.IX Header "NOTES" +The \fBfile:\fR scheme has built in support. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The functions with the types \fBOSSL_STORE_open_fn\fR, \fBOSSL_STORE_ctrl_fn\fR, +\&\fBOSSL_STORE_expect_fn\fR, +\&\fBOSSL_STORE_load_fn\fR, \fBOSSL_STORE_eof_fn\fR and \fBOSSL_STORE_close_fn\fR have the +same return values as \fIOSSL_STORE_open()\fR, \fIOSSL_STORE_ctrl()\fR, \fIOSSL_STORE_expect()\fR, +\&\fIOSSL_STORE_load()\fR, \fIOSSL_STORE_eof()\fR and \fIOSSL_STORE_close()\fR, respectively. +.PP +\&\fIOSSL_STORE_LOADER_new()\fR returns a pointer to a \fB\s-1OSSL_STORE_LOADER\s0\fR on success, +or \fB\s-1NULL\s0\fR on failure. +.PP +\&\fIOSSL_STORE_LOADER_set_open()\fR, \fIOSSL_STORE_LOADER_set_ctrl()\fR, +\&\fIOSSL_STORE_LOADER_set_load()\fR, \fIOSSL_STORE_LOADER_set_eof()\fR and +\&\fIOSSL_STORE_LOADER_set_close()\fR return 1 on success, or 0 on failure. +.PP +\&\fIOSSL_STORE_register_loader()\fR returns 1 on success, or 0 on failure. +.PP +\&\fIOSSL_STORE_unregister_loader()\fR returns the unregistered loader on success, +or \fB\s-1NULL\s0\fR on failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIossl_store\fR\|(7), \fIOSSL_STORE_open\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\s-1\fIOSSL_STORE_LOADER\s0()\fR, \s-1\fIOSSL_STORE_LOADER_CTX\s0()\fR, \fIOSSL_STORE_LOADER_new()\fR, +\&\fIOSSL_STORE_LOADER_set0_scheme()\fR, \fIOSSL_STORE_LOADER_set_open()\fR, +\&\fIOSSL_STORE_LOADER_set_ctrl()\fR, \fIOSSL_STORE_LOADER_set_load()\fR, +\&\fIOSSL_STORE_LOADER_set_eof()\fR, \fIOSSL_STORE_LOADER_set_close()\fR, +\&\fIOSSL_STORE_LOADER_free()\fR, \fIOSSL_STORE_register_loader()\fR, +\&\fIOSSL_STORE_unregister_loader()\fR, \fIOSSL_STORE_open_fn()\fR, \fIOSSL_STORE_ctrl_fn()\fR, +\&\fIOSSL_STORE_load_fn()\fR, \fIOSSL_STORE_eof_fn()\fR and \fIOSSL_STORE_close_fn()\fR +were added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OSSL_STORE_SEARCH.3 b/secure/lib/libcrypto/man/OSSL_STORE_SEARCH.3 new file mode 100644 index 000000000000..bd1a074f9b95 --- /dev/null +++ b/secure/lib/libcrypto/man/OSSL_STORE_SEARCH.3 @@ -0,0 +1,296 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OSSL_STORE_SEARCH 3" +.TH OSSL_STORE_SEARCH 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OSSL_STORE_SEARCH, OSSL_STORE_SEARCH_by_name, OSSL_STORE_SEARCH_by_issuer_serial, OSSL_STORE_SEARCH_by_key_fingerprint, OSSL_STORE_SEARCH_by_alias, OSSL_STORE_SEARCH_free, OSSL_STORE_SEARCH_get_type, OSSL_STORE_SEARCH_get0_name, OSSL_STORE_SEARCH_get0_serial, OSSL_STORE_SEARCH_get0_bytes, OSSL_STORE_SEARCH_get0_string, OSSL_STORE_SEARCH_get0_digest \&\- Type and functions to create OSSL_STORE search criteria +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef struct ossl_store_search_st OSSL_STORE_SEARCH; +\& +\& OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_name(X509_NAME *name); +\& OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_issuer_serial(X509_NAME *name, +\& const ASN1_INTEGER +\& *serial); +\& OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_key_fingerprint(const EVP_MD *digest, +\& const unsigned char +\& *bytes, int len); +\& OSSL_STORE_SEARCH *OSSL_STORE_SEARCH_by_alias(const char *alias); +\& +\& void OSSL_STORE_SEARCH_free(OSSL_STORE_SEARCH *search); +\& +\& int OSSL_STORE_SEARCH_get_type(const OSSL_STORE_SEARCH *criterion); +\& X509_NAME *OSSL_STORE_SEARCH_get0_name(OSSL_STORE_SEARCH *criterion); +\& const ASN1_INTEGER *OSSL_STORE_SEARCH_get0_serial(const OSSL_STORE_SEARCH +\& *criterion); +\& const unsigned char *OSSL_STORE_SEARCH_get0_bytes(const OSSL_STORE_SEARCH +\& *criterion, size_t *length); +\& const char *OSSL_STORE_SEARCH_get0_string(const OSSL_STORE_SEARCH *criterion); +\& const EVP_MD *OSSL_STORE_SEARCH_get0_digest(const OSSL_STORE_SEARCH +\& *criterion); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions are used to specify search criteria to help search for specific +objects through other names than just the \s-1URI\s0 that's given to \fIOSSL_STORE_open()\fR. +For example, this can be useful for an application that has received a \s-1URI\s0 +and then wants to add on search criteria in a uniform and supported manner. +.SS "Types" +.IX Subsection "Types" +\&\fB\s-1OSSL_STORE_SEARCH\s0\fR is an opaque type that holds the constructed search +criterion, and that can be given to an \s-1OSSL_STORE\s0 context with +\&\fIOSSL_STORE_find()\fR. +.PP +The calling application owns the allocation of an \fB\s-1OSSL_STORE_SEARCH\s0\fR at all +times, and should therefore be careful not to deallocate it before +\&\fIOSSL_STORE_close()\fR has been called for the \s-1OSSL_STORE\s0 context it was given +to. +.SS "Application Functions" +.IX Subsection "Application Functions" +\&\fIOSSL_STORE_SEARCH_by_name()\fR, +\&\fIOSSL_STORE_SEARCH_by_issuer_serial()\fR, +\&\fIOSSL_STORE_SEARCH_by_key_fingerprint()\fR, +and \fIOSSL_STORE_SEARCH_by_alias()\fR +are used to create an \fB\s-1OSSL_STORE_SEARCH\s0\fR from a subject name, an issuer name +and serial number pair, a key fingerprint, and an alias (for example a friendly +name). +The parameters that are provided are not copied, only referred to in a +criterion, so they must have at least the same life time as the created +\&\fB\s-1OSSL_STORE_SEARCH\s0\fR. +.PP +\&\fIOSSL_STORE_SEARCH_free()\fR is used to free the \fB\s-1OSSL_STORE_SEARCH\s0\fR. +.SS "Loader Functions" +.IX Subsection "Loader Functions" +\&\fIOSSL_STORE_SEARCH_get_type()\fR returns the criterion type for the given +\&\fB\s-1OSSL_STORE_SEARCH\s0\fR. +.PP +\&\fIOSSL_STORE_SEARCH_get0_name()\fR, \fIOSSL_STORE_SEARCH_get0_serial()\fR, +\&\fIOSSL_STORE_SEARCH_get0_bytes()\fR, \fIOSSL_STORE_SEARCH_get0_string()\fR, +and \fIOSSL_STORE_SEARCH_get0_digest()\fR +are used to retrieve different data from a \fB\s-1OSSL_STORE_SEARCH\s0\fR, as +available for each type. +For more information, see \*(L"\s-1SUPPORTED CRITERION TYPES\*(R"\s0 below. +.SH "SUPPORTED CRITERION TYPES" +.IX Header "SUPPORTED CRITERION TYPES" +Currently supported criterion types are: +.IP "\s-1OSSL_STORE_SEARCH_BY_NAME\s0" 4 +.IX Item "OSSL_STORE_SEARCH_BY_NAME" +This criterion supports a search by exact match of subject name. +The subject name itself is a \fBX509_NAME\fR pointer. +A criterion of this type is created with \fIOSSL_STORE_SEARCH_by_name()\fR, +and the actual subject name is retrieved with \fIOSSL_STORE_SEARCH_get0_name()\fR. +.IP "\s-1OSSL_STORE_SEARCH_BY_ISSUER_SERIAL\s0" 4 +.IX Item "OSSL_STORE_SEARCH_BY_ISSUER_SERIAL" +This criterion supports a search by exact match of both issuer name and serial +number. +The issuer name itself is a \fBX509_NAME\fR pointer, and the serial number is +a \fB\s-1ASN1_INTEGER\s0\fR pointer. +A criterion of this type is created with \fIOSSL_STORE_SEARCH_by_issuer_serial()\fR +and the actual issuer name and serial number are retrieved with +\&\fIOSSL_STORE_SEARCH_get0_name()\fR and \fIOSSL_STORE_SEARCH_get0_serial()\fR. +.IP "\s-1OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT\s0" 4 +.IX Item "OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT" +This criterion supports a search by exact match of key fingerprint. +The key fingerprint in itself is a string of bytes and its length, as +well as the algorithm that was used to compute the fingerprint. +The digest may be left unspecified (\s-1NULL\s0), and in that case, the +loader has to decide on a default digest and compare fingerprints +accordingly. +A criterion of this type is created with \fIOSSL_STORE_SEARCH_by_key_fingerprint()\fR +and the actual fingerprint and its length can be retrieved with +\&\fIOSSL_STORE_SEARCH_get0_bytes()\fR. +The digest can be retrieved with \fIOSSL_STORE_SEARCH_get0_digest()\fR. +.IP "\s-1OSSL_STORE_SEARCH_BY_ALIAS\s0" 4 +.IX Item "OSSL_STORE_SEARCH_BY_ALIAS" +This criterion supports a search by match of an alias of some kind. +The alias in itself is a simple C string. +A criterion of this type is created with \fIOSSL_STORE_SEARCH_by_alias()\fR +and the actual alias is retrieved with \fIOSSL_STORE_SEARCH_get0_string()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOSSL_STORE_SEARCH_by_name()\fR, +\&\fIOSSL_STORE_SEARCH_by_issuer_serial()\fR, +\&\fIOSSL_STORE_SEARCH_by_key_fingerprint()\fR, +and \fIOSSL_STORE_SEARCH_by_alias()\fR +return a \fB\s-1OSSL_STORE_SEARCH\s0\fR pointer on success, or \fB\s-1NULL\s0\fR on failure. +.PP +\&\fIOSSL_STORE_SEARCH_get_type()\fR returns the criterion type of the given +\&\fB\s-1OSSL_STORE_SEARCH\s0\fR. +There is no error value. +.PP +\&\fIOSSL_STORE_SEARCH_get0_name()\fR returns a \fBX509_NAME\fR pointer on success, +or \fB\s-1NULL\s0\fR when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type. +.PP +\&\fIOSSL_STORE_SEARCH_get0_serial()\fR returns a \fB\s-1ASN1_INTEGER\s0\fR pointer on success, +or \fB\s-1NULL\s0\fR when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type. +.PP +\&\fIOSSL_STORE_SEARCH_get0_bytes()\fR returns a \fBconst unsigned char\fR pointer and +sets \fB*length\fR to the strings length on success, or \fB\s-1NULL\s0\fR when the given +\&\fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type. +.PP +\&\fIOSSL_STORE_SEARCH_get0_string()\fR returns a \fBconst char\fR pointer on success, +or \fB\s-1NULL\s0\fR when the given \fB\s-1OSSL_STORE_SEARCH\s0\fR was of a different type. +.PP +\&\fIOSSL_STORE_SEARCH_get0_digest()\fR returns a \fBconst \s-1EVP_MD\s0\fR pointer. +\&\fB\s-1NULL\s0\fR is a valid value and means that the store loader default will +be used when applicable. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIossl_store\fR\|(7), \fIOSSL_STORE_supports_search\fR\|(3), \fIOSSL_STORE_find\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fB\s-1OSSL_STORE_SEARCH\s0\fR, +\&\fIOSSL_STORE_SEARCH_by_name()\fR, +\&\fIOSSL_STORE_SEARCH_by_issuer_serial()\fR, +\&\fIOSSL_STORE_SEARCH_by_key_fingerprint()\fR, +\&\fIOSSL_STORE_SEARCH_by_alias()\fR, +\&\fIOSSL_STORE_SEARCH_free()\fR, +\&\fIOSSL_STORE_SEARCH_get_type()\fR, +\&\fIOSSL_STORE_SEARCH_get0_name()\fR, +\&\fIOSSL_STORE_SEARCH_get0_serial()\fR, +\&\fIOSSL_STORE_SEARCH_get0_bytes()\fR, +and \fIOSSL_STORE_SEARCH_get0_string()\fR +were added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OSSL_STORE_expect.3 b/secure/lib/libcrypto/man/OSSL_STORE_expect.3 new file mode 100644 index 000000000000..ca66429a5a05 --- /dev/null +++ b/secure/lib/libcrypto/man/OSSL_STORE_expect.3 @@ -0,0 +1,202 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OSSL_STORE_EXPECT 3" +.TH OSSL_STORE_EXPECT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OSSL_STORE_expect, OSSL_STORE_supports_search, OSSL_STORE_find \&\- Specify what object type is expected +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int OSSL_STORE_expect(OSSL_STORE_CTX *ctx, int expected_type); +\& +\& int OSSL_STORE_supports_search(OSSL_STORE_CTX *ctx, int criterion_type); +\& +\& int OSSL_STORE_find(OSSL_STORE_CTX *ctx, OSSL_STORE_SEARCH *search); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIOSSL_STORE_expect()\fR helps applications filter what \fIOSSL_STORE_load()\fR returns +by specifying a \fB\s-1OSSL_STORE_INFO\s0\fR type. +For example, if \f(CW\*(C`file:/foo/bar/store.pem\*(C'\fR contains several different objects +and only the certificates are interesting, the application can simply say +that it expects the type \fB\s-1OSSL_STORE_INFO_CERT\s0\fR. +All known object types (see \*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 in \s-1\fIOSSL_STORE_INFO\s0\fR\|(3)) +except for \fB\s-1OSSL_STORE_INFO_NAME\s0\fR are supported. +.PP +\&\fIOSSL_STORE_find()\fR helps applications specify a criterion for a more fine +grained search of objects. +.PP +\&\fIOSSL_STORE_supports_search()\fR checks if the loader of the given \s-1OSSL_STORE\s0 +context supports the given search type. +See \*(L"\s-1SUPPORED CRITERION TYPES\*(R"\s0 in \s-1OSSL_STORE_SEARCH\s0 for information on the +supported search criterion types. +.PP +\&\fIOSSL_STORE_expect()\fR and OSSL_STORE_find \fImust\fR be called before the first +\&\fIOSSL_STORE_load()\fR of a given session, or they will fail. +.SH "NOTES" +.IX Header "NOTES" +If a more elaborate filter is required by the application, a better choice +would be to use a post-processing function. +See \fIOSSL_STORE_open\fR\|(3) for more information. +.PP +However, some loaders may take advantage of the knowledge of an expected type +to make object retrieval more efficient, so if a single type is expected, this +method is usually preferable. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOSSL_STORE_expect()\fR returns 1 on success, or 0 on failure. +.PP +\&\fIOSSL_STORE_supports_search()\fR returns 1 if the criterion is supported, or 0 +otherwise. +.PP +\&\fIOSSL_STORE_find()\fR returns 1 on success, or 0 on failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIossl_store\fR\|(7), \s-1\fIOSSL_STORE_INFO\s0\fR\|(3), \s-1\fIOSSL_STORE_SEARCH\s0\fR\|(3), +\&\fIOSSL_STORE_load\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIOSSL_STORE_expect()\fR, \fIOSSL_STORE_supports_search()\fR and \fIOSSL_STORE_find()\fR +were added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OSSL_STORE_open.3 b/secure/lib/libcrypto/man/OSSL_STORE_open.3 new file mode 100644 index 000000000000..fba9b487bb23 --- /dev/null +++ b/secure/lib/libcrypto/man/OSSL_STORE_open.3 @@ -0,0 +1,277 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "OSSL_STORE_OPEN 3" +.TH OSSL_STORE_OPEN 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +OSSL_STORE_CTX, OSSL_STORE_post_process_info_fn, OSSL_STORE_open, OSSL_STORE_ctrl, OSSL_STORE_load, OSSL_STORE_eof, OSSL_STORE_error, OSSL_STORE_close \- Types and functions to read objects from a URI +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef struct ossl_store_ctx_st OSSL_STORE_CTX; +\& +\& typedef OSSL_STORE_INFO *(*OSSL_STORE_post_process_info_fn)(OSSL_STORE_INFO *, +\& void *); +\& +\& OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, +\& void *ui_data, +\& OSSL_STORE_post_process_info_fn post_process, +\& void *post_process_data); +\& int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ... /* args */); +\& OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx); +\& int OSSL_STORE_eof(OSSL_STORE_CTX *ctx); +\& int OSSL_STORE_error(OSSL_STORE_CTX *ctx); +\& int OSSL_STORE_close(OSSL_STORE_CTX *ctx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions help the application to fetch supported objects (see +\&\*(L"\s-1SUPPORTED OBJECTS\*(R"\s0 in \s-1\fIOSSL_STORE_INFO\s0\fR\|(3) for information on which those are) +from a given \s-1URI\s0 (see \*(L"\s-1SUPPORTED SCHEMES\*(R"\s0 for more information on +the supported \s-1URI\s0 schemes). +The general method to do so is to \*(L"open\*(R" the \s-1URI\s0 using \fIOSSL_STORE_open()\fR, +read each available and supported object using \fIOSSL_STORE_load()\fR as long as +\&\fIOSSL_STORE_eof()\fR hasn't been reached, and finish it off with \fIOSSL_STORE_close()\fR. +.PP +The retrieved information is stored in a \fB\s-1OSSL_STORE_INFO\s0\fR, which is further +described in \s-1\fIOSSL_STORE_INFO\s0\fR\|(3). +.SS "Types" +.IX Subsection "Types" +\&\fB\s-1OSSL_STORE_CTX\s0\fR is a context variable that holds all the internal +information for \fIOSSL_STORE_open()\fR, \fIOSSL_STORE_load()\fR, \fIOSSL_STORE_eof()\fR and +\&\fIOSSL_STORE_close()\fR to work together. +.SS "Functions" +.IX Subsection "Functions" +\&\fIOSSL_STORE_open()\fR takes a uri or path \fBuri\fR, password \s-1UI\s0 method +\&\fBui_method\fR with associated data \fBui_data\fR, and post processing +callback \fBpost_process\fR with associated data \fBpost_process_data\fR, +opens a channel to the data located at that \s-1URI\s0 and returns a +\&\fB\s-1OSSL_STORE_CTX\s0\fR with all necessary internal information. +The given \fBui_method\fR and \fBui_data_data\fR will be reused by all +functions that use \fB\s-1OSSL_STORE_CTX\s0\fR when interaction is needed. +The given \fBpost_process\fR and \fBpost_process_data\fR will be reused by +\&\fIOSSL_STORE_load()\fR to manipulate or drop the value to be returned. +The \fBpost_process\fR function drops values by returning \fB\s-1NULL\s0\fR, which +will cause \fIOSSL_STORE_load()\fR to start its process over with loading +the next object, until \fBpost_process\fR returns something other than +\&\fB\s-1NULL\s0\fR, or the end of data is reached as indicated by \fIOSSL_STORE_eof()\fR. +.PP +\&\fIOSSL_STORE_ctrl()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR, and command number \fBcmd\fR and +more arguments not specified here. +The available loader specific command numbers and arguments they each +take depends on the loader that's used and is documented together with +that loader. +.PP +There are also global controls available: +.IP "\fB\s-1OSSL_STORE_C_USE_SECMEM\s0\fR" 4 +.IX Item "OSSL_STORE_C_USE_SECMEM" +Controls if the loader should attempt to use secure memory for any +allocated \fB\s-1OSSL_STORE_INFO\s0\fR and its contents. +This control expects one argument, a pointer to an \fBint\fR that is expected to +have the value 1 (yes) or 0 (no). +Any other value is an error. +.PP +\&\fIOSSL_STORE_load()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR, tries to load the next available +object and return it wrapped with \fB\s-1OSSL_STORE_INFO\s0\fR. +.PP +\&\fIOSSL_STORE_eof()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR and checks if we've reached the end +of data. +.PP +\&\fIOSSL_STORE_error()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR and checks if an error occurred in +the last \fIOSSL_STORE_load()\fR call. +Note that it may still be meaningful to try and load more objects, unless +\&\fIOSSL_STORE_eof()\fR shows that the end of data has been reached. +.PP +\&\fIOSSL_STORE_close()\fR takes a \fB\s-1OSSL_STORE_CTX\s0\fR, closes the channel that was opened +by \fIOSSL_STORE_open()\fR and frees all other information that was stored in the +\&\fB\s-1OSSL_STORE_CTX\s0\fR, as well as the \fB\s-1OSSL_STORE_CTX\s0\fR itself. +.SH "SUPPORTED SCHEMES" +.IX Header "SUPPORTED SCHEMES" +The basic supported scheme is \fBfile:\fR. +Any other scheme can be added dynamically, using +\&\fIOSSL_STORE_register_loader()\fR. +.SH "NOTES" +.IX Header "NOTES" +A string without a scheme prefix (that is, a non-URI string) is +implicitly interpreted as using the \fIfile:\fR scheme. +.PP +There are some tools that can be used together with +\&\fIOSSL_STORE_open()\fR to determine if any failure is caused by an unparsable +\&\s-1URI,\s0 or if it's a different error (such as memory allocation +failures); if the \s-1URI\s0 was parsable but the scheme unregistered, the +top error will have the reason \f(CW\*(C`OSSL_STORE_R_UNREGISTERED_SCHEME\*(C'\fR. +.PP +These functions make no direct assumption regarding the pass phrase received +from the password callback. +The loaders may make assumptions, however. +For example, the \fBfile:\fR scheme loader inherits the assumptions made by +OpenSSL functionality that handles the different file types; this is mostly +relevant for PKCS#12 objects. +See \fIpassphrase\-encoding\fR\|(7) for further information. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIOSSL_STORE_open()\fR returns a pointer to a \fB\s-1OSSL_STORE_CTX\s0\fR on success, or +\&\fB\s-1NULL\s0\fR on failure. +.PP +\&\fIOSSL_STORE_load()\fR returns a pointer to a \fB\s-1OSSL_STORE_INFO\s0\fR on success, or +\&\fB\s-1NULL\s0\fR on error or when end of data is reached. +Use \fIOSSL_STORE_error()\fR and \fIOSSL_STORE_eof()\fR to determine the meaning of a +returned \fB\s-1NULL\s0\fR. +.PP +\&\fIOSSL_STORE_eof()\fR returns 1 if the end of data has been reached, otherwise +0. +.PP +\&\fIOSSL_STORE_error()\fR returns 1 if an error occurred in an \fIOSSL_STORE_load()\fR call, +otherwise 0. +.PP +\&\fIOSSL_STORE_ctrl()\fR and \fIOSSL_STORE_close()\fR returns 1 on success, or 0 on failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIossl_store\fR\|(7), \s-1\fIOSSL_STORE_INFO\s0\fR\|(3), \fIOSSL_STORE_register_loader\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +\&\s-1\fIOSSL_STORE_CTX\s0()\fR, \fIOSSL_STORE_post_process_info_fn()\fR, \fIOSSL_STORE_open()\fR, +\&\fIOSSL_STORE_ctrl()\fR, \fIOSSL_STORE_load()\fR, \fIOSSL_STORE_eof()\fR and \fIOSSL_STORE_close()\fR +were added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 b/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 index 2f64f902138a..0f25b2c3aa2c 100644 --- a/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 +++ b/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 @@ -128,25 +128,30 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "OpenSSL_add_all_algorithms 3" -.TH OpenSSL_add_all_algorithms 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "OPENSSL_ADD_ALL_ALGORITHMS 3" +.TH OPENSSL_ADD_ALL_ALGORITHMS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -OpenSSL_add_all_algorithms, OpenSSL_add_all_ciphers, OpenSSL_add_all_digests, EVP_cleanup \- -add algorithms to internal table +OpenSSL_add_all_algorithms, OpenSSL_add_all_ciphers, OpenSSL_add_all_digests, EVP_cleanup \- add algorithms to internal table .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include -\& +.Ve +.PP +Deprecated: +.PP +.Vb 4 +\& # if OPENSSL_API_COMPAT < 0x10100000L \& void OpenSSL_add_all_algorithms(void); \& void OpenSSL_add_all_ciphers(void); \& void OpenSSL_add_all_digests(void); \& -\& void EVP_cleanup(void); +\& void EVP_cleanup(void) +\&# endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -161,33 +166,26 @@ ciphers). \&\fIOpenSSL_add_all_ciphers()\fR adds all encryption algorithms to the table including password based encryption algorithms. .PP -\&\fIEVP_cleanup()\fR removes all ciphers and digests from the table. +In versions prior to 1.1.0 \fIEVP_cleanup()\fR removed all ciphers and digests from +the table. It no longer has any effect in OpenSSL 1.1.0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" None of the functions return a value. -.SH "NOTES" -.IX Header "NOTES" -A typical application will call \fIOpenSSL_add_all_algorithms()\fR initially and -\&\fIEVP_cleanup()\fR before exiting. -.PP -An application does not need to add algorithms to use them explicitly, for example -by \fIEVP_sha1()\fR. It just needs to add them if it (or any of the functions it calls) -needs to lookup algorithms. -.PP -The cipher and digest lookup functions are used in many parts of the library. If -the table is not initialized several functions will misbehave and complain they -cannot find algorithms. This includes the \s-1PEM,\s0 PKCS#12, \s-1SSL\s0 and S/MIME libraries. -This is a common query in the OpenSSL mailing lists. -.PP -Calling \fIOpenSSL_add_all_algorithms()\fR links in all algorithms: as a result a -statically linked executable can be quite large. If this is important it is possible -to just add the required ciphers and digests. -.SH "BUGS" -.IX Header "BUGS" -Although the functions do not return error codes it is possible for them to fail. -This will only happen as a result of a memory allocation failure so this is not -too much of a problem in practice. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIevp\fR\|(3), \fIEVP_DigestInit\fR\|(3), +\&\fIevp\fR\|(7), \fIEVP_DigestInit\fR\|(3), \&\fIEVP_EncryptInit\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fIOpenSSL_add_all_algorithms()\fR, \fIOpenSSL_add_all_ciphers()\fR, +\&\fIOpenSSL_add_all_digests()\fR, and \fIEVP_cleanup()\fR, functions +were deprecated in OpenSSL 1.1.0 by \fIOPENSSL_init_crypto()\fR and should +not be used. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PEM_bytes_read_bio.3 b/secure/lib/libcrypto/man/PEM_bytes_read_bio.3 new file mode 100644 index 000000000000..1932fc96895d --- /dev/null +++ b/secure/lib/libcrypto/man/PEM_bytes_read_bio.3 @@ -0,0 +1,212 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PEM_BYTES_READ_BIO 3" +.TH PEM_BYTES_READ_BIO 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +PEM_bytes_read_bio, PEM_bytes_read_bio_secmem \- read a PEM\-encoded data structure from a BIO +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, +\& const char *name, BIO *bp, pem_password_cb *cb, +\& void *u); +\& int PEM_bytes_read_bio_secmem(unsigned char **pdata, long *plen, char **pnm, +\& const char *name, BIO *bp, pem_password_cb *cb, +\& void *u); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIPEM_bytes_read_bio()\fR reads PEM-formatted (\s-1RFC 1421\s0) data from the \s-1BIO\s0 +\&\fIbp\fR for the data type given in \fIname\fR (\s-1RSA PRIVATE KEY, CERTIFICATE,\s0 +etc.). If multiple PEM-encoded data structures are present in the same +stream, \fIPEM_bytes_read_bio()\fR will skip non-matching data types and +continue reading. Non-PEM data present in the stream may cause an +error. +.PP +The \s-1PEM\s0 header may indicate that the following data is encrypted; if so, +the data will be decrypted, waiting on user input to supply a passphrase +if needed. The password callback \fIcb\fR and rock \fIu\fR are used to obtain +the decryption passphrase, if applicable. +.PP +Some data types have compatibility aliases, such as a file containing +X509 \s-1CERTIFICATE\s0 matching a request for the deprecated type \s-1CERTIFICATE.\s0 +The actual type indicated by the file is returned in \fI*pnm\fR if \fIpnm\fR is +non-NULL. The caller must free the storage pointed to by \fI*pnm\fR. +.PP +The returned data is the DER-encoded form of the requested type, in +\&\fI*pdata\fR with length \fI*plen\fR. The caller must free the storage pointed +to by \fI*pdata\fR. +.PP +\&\fIPEM_bytes_read_bio_secmem()\fR is similar to \fIPEM_bytes_read_bio()\fR, but uses +memory from the secure heap for its temporary buffers and the storage +returned in \fI*pdata\fR and \fI*pnm\fR. Accordingly, the caller must use +\&\fIOPENSSL_secure_free()\fR to free that storage. +.SH "NOTES" +.IX Header "NOTES" +\&\fIPEM_bytes_read_bio_secmem()\fR only enforces that the secure heap is used for +storage allocated within the \s-1PEM\s0 processing stack. The \s-1BIO\s0 stack from +which input is read may also use temporary buffers, which are not necessarily +allocated from the secure heap. In cases where it is desirable to ensure +that the contents of the \s-1PEM\s0 file only appears in memory from the secure heap, +care is needed in generating the \s-1BIO\s0 passed as \fIbp\fR. In particular, the +use of \fIBIO_s_file()\fR indicates the use of the operating system stdio +functionality, which includes buffering as a feature; \fIBIO_s_fd()\fR is likely +to be more appropriate in such cases. +.PP +These functions make no assumption regarding the pass phrase received from the +password callback. +It will simply be treated as a byte sequence. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIPEM_bytes_read_bio()\fR and \fIPEM_bytes_read_bio_secmem()\fR return 1 for success or +0 for failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\s-1\fIPEM\s0\fR\|(3), +\&\fIPEM_read_bio_ex\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIPEM_bytes_read_bio_secmem()\fR was introduced in OpenSSL 1.1.1 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PEM_read.3 b/secure/lib/libcrypto/man/PEM_read.3 new file mode 100644 index 000000000000..06629ae79f11 --- /dev/null +++ b/secure/lib/libcrypto/man/PEM_read.3 @@ -0,0 +1,259 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PEM_READ 3" +.TH PEM_READ 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +PEM_write, PEM_write_bio, PEM_read, PEM_read_bio, PEM_do_header, PEM_get_EVP_CIPHER_INFO \&\- PEM encoding routines +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int PEM_write(FILE *fp, const char *name, const char *header, +\& const unsigned char *data, long len) +\& int PEM_write_bio(BIO *bp, const char *name, const char *header, +\& const unsigned char *data, long len) +\& +\& int PEM_read(FILE *fp, char **name, char **header, +\& unsigned char **data, long *len); +\& int PEM_read_bio(BIO *bp, char **name, char **header, +\& unsigned char **data, long *len); +\& +\& int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cinfo); +\& int PEM_do_header(EVP_CIPHER_INFO *cinfo, unsigned char *data, long *len, +\& pem_password_cb *cb, void *u); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions read and write PEM-encoded objects, using the \s-1PEM\s0 +type \fBname\fR, any additional \fBheader\fR information, and the raw +\&\fBdata\fR of length \fBlen\fR. +.PP +\&\s-1PEM\s0 is the term used for binary content encoding first defined in \s-1IETF +RFC 1421.\s0 The content is a series of base64\-encoded lines, surrounded +by begin/end markers each on their own line. For example: +.PP +.Vb 4 +\& \-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\- +\& MIICdg.... +\& ... bhTQ== +\& \-\-\-\-\-END PRIVATE KEY\-\-\-\-\- +.Ve +.PP +Optional header line(s) may appear after the begin line, and their +existence depends on the type of object being written or read. +.PP +\&\fIPEM_write()\fR writes to the file \fBfp\fR, while \fIPEM_write_bio()\fR writes to +the \s-1BIO\s0 \fBbp\fR. The \fBname\fR is the name to use in the marker, the +\&\fBheader\fR is the header value or \s-1NULL,\s0 and \fBdata\fR and \fBlen\fR specify +the data and its length. +.PP +The final \fBdata\fR buffer is typically an \s-1ASN.1\s0 object which can be decoded with +the \fBd2i\fR function appropriate to the type \fBname\fR; see \fId2i_X509\fR\|(3) +for examples. +.PP +\&\fIPEM_read()\fR reads from the file \fBfp\fR, while \fIPEM_read_bio()\fR reads +from the \s-1BIO\s0 \fBbp\fR. +Both skip any non-PEM data that precedes the start of the next \s-1PEM\s0 object. +When an object is successfully retrieved, the type name from the \*(L"\-\-\-\-BEGIN +\-\-\-\-\-\*(R" is returned via the \fBname\fR argument, any encapsulation headers +are returned in \fBheader\fR and the base64\-decoded content and its length are +returned via \fBdata\fR and \fBlen\fR respectively. +The \fBname\fR, \fBheader\fR and \fBdata\fR pointers are allocated via \fIOPENSSL_malloc()\fR +and should be freed by the caller via \fIOPENSSL_free()\fR when no longer needed. +.PP +\&\fIPEM_get_EVP_CIPHER_INFO()\fR can be used to determine the \fBdata\fR returned by +\&\fIPEM_read()\fR or \fIPEM_read_bio()\fR is encrypted and to retrieve the associated cipher +and \s-1IV.\s0 +The caller passes a pointer to structure of type \fB\s-1EVP_CIPHER_INFO\s0\fR via the +\&\fBcinfo\fR argument and the \fBheader\fR returned via \fIPEM_read()\fR or \fIPEM_read_bio()\fR. +If the call is successful 1 is returned and the cipher and \s-1IV\s0 are stored at the +address pointed to by \fBcinfo\fR. +When the header is malformed, or not supported or when the cipher is unknown +or some internal error happens 0 is returned. +This function is deprecated, see \fB\s-1NOTES\s0\fR below. +.PP +\&\fIPEM_do_header()\fR can then be used to decrypt the data if the header +indicates encryption. +The \fBcinfo\fR argument is a pointer to the structure initialized by the previous +call to \fIPEM_get_EVP_CIPHER_INFO()\fR. +The \fBdata\fR and \fBlen\fR arguments are those returned by the previous call to +\&\fIPEM_read()\fR or \fIPEM_read_bio()\fR. +The \fBcb\fR and \fBu\fR arguments make it possible to override the default password +prompt function as described in \fIPEM_read_PrivateKey\fR\|(3). +On successful completion the \fBdata\fR is decrypted in place, and \fBlen\fR is +updated to indicate the plaintext length. +This function is deprecated, see \fB\s-1NOTES\s0\fR below. +.PP +If the data is a priori known to not be encrypted, then neither \fIPEM_do_header()\fR +nor \fIPEM_get_EVP_CIPHER_INFO()\fR need be called. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIPEM_read()\fR and \fIPEM_read_bio()\fR return 1 on success and 0 on failure, the latter +includes the case when no more \s-1PEM\s0 objects remain in the input file. +To distinguish end of file from more serious errors the caller must peek at the +error stack and check for \fB\s-1PEM_R_NO_START_LINE\s0\fR, which indicates that no more +\&\s-1PEM\s0 objects were found. See \fIERR_peek_last_error\fR\|(3), \s-1\fIERR_GET_REASON\s0\fR\|(3). +.PP +\&\fIPEM_get_EVP_CIPHER_INFO()\fR and \fIPEM_do_header()\fR return 1 on success, and 0 on +failure. +The \fBdata\fR is likely meaningless if these functions fail. +.SH "NOTES" +.IX Header "NOTES" +The \fIPEM_get_EVP_CIPHER_INFO()\fR and \fIPEM_do_header()\fR functions are deprecated. +This is because the underlying \s-1PEM\s0 encryption format is obsolete, and should +be avoided. +It uses an encryption format with an OpenSSL-specific key-derivation function, +which employs \s-1MD5\s0 with an iteration count of 1! +Instead, private keys should be stored in PKCS#8 form, with a strong PKCS#5 +v2.0 \s-1PBE.\s0 +See \fIPEM_write_PrivateKey\fR\|(3) and \fId2i_PKCS8PrivateKey_bio\fR\|(3). +.PP +\&\fIPEM_do_header()\fR makes no assumption regarding the pass phrase received from the +password callback. +It will simply be treated as a byte sequence. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIERR_peek_last_error\fR\|(3), \s-1\fIERR_GET_LIB\s0\fR\|(3), +\&\fId2i_PKCS8PrivateKey_bio\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 1998\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PEM_read_CMS.3 b/secure/lib/libcrypto/man/PEM_read_CMS.3 new file mode 100644 index 000000000000..19ddf0abf721 --- /dev/null +++ b/secure/lib/libcrypto/man/PEM_read_CMS.3 @@ -0,0 +1,195 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PEM_READ_CMS 3" +.TH PEM_READ_CMS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DECLARE_PEM_rw, PEM_read_CMS, PEM_read_bio_CMS, PEM_write_CMS, PEM_write_bio_CMS, PEM_write_DHxparams, PEM_write_bio_DHxparams, PEM_read_ECPKParameters, PEM_read_bio_ECPKParameters, PEM_write_ECPKParameters, PEM_write_bio_ECPKParameters, PEM_read_ECPrivateKey, PEM_write_ECPrivateKey, PEM_write_bio_ECPrivateKey, PEM_read_EC_PUBKEY, PEM_read_bio_EC_PUBKEY, PEM_write_EC_PUBKEY, PEM_write_bio_EC_PUBKEY, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_PKCS8, PEM_read_bio_PKCS8, PEM_write_PKCS8, PEM_write_bio_PKCS8, PEM_write_PKCS8_PRIV_KEY_INFO, PEM_read_bio_PKCS8_PRIV_KEY_INFO, PEM_read_PKCS8_PRIV_KEY_INFO, PEM_write_bio_PKCS8_PRIV_KEY_INFO, PEM_read_SSL_SESSION, PEM_read_bio_SSL_SESSION, PEM_write_SSL_SESSION, PEM_write_bio_SSL_SESSION \&\- PEM object encoding routines +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& DECLARE_PEM_rw(name, TYPE) +\& +\& TYPE *PEM_read_TYPE(FILE *fp, TYPE **a, pem_password_cb *cb, void *u); +\& TYPE *PEM_read_bio_TYPE(BIO *bp, TYPE **a, pem_password_cb *cb, void *u); +\& int PEM_write_TYPE(FILE *fp, const TYPE *a); +\& int PEM_write_bio_TYPE(BIO *bp, const TYPE *a); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +In the description below, \fI\s-1TYPE\s0\fR is used +as a placeholder for any of the OpenSSL datatypes, such as \fIX509\fR. +The macro \fBDECLARE_PEM_rw\fR expands to the set of declarations shown in +the next four lines of the synopsis. +.PP +These routines convert between local instances of \s-1ASN1\s0 datatypes and +the \s-1PEM\s0 encoding. For more information on the templates, see +\&\s-1\fIASN1_ITEM\s0\fR\|(3). For more information on the lower-level routines used +by the functions here, see \fIPEM_read\fR\|(3). +.PP +\&\fIPEM_read_TYPE()\fR reads a PEM-encoded object of \fI\s-1TYPE\s0\fR from the file \fBfp\fR +and returns it. The \fBcb\fR and \fBu\fR parameters are as described in +\&\fIpem_password_cb\fR\|(3). +.PP +\&\fIPEM_read_bio_TYPE()\fR is similar to \fIPEM_read_TYPE()\fR but reads from the \s-1BIO\s0 \fBbp\fR. +.PP +\&\fIPEM_write_TYPE()\fR writes the \s-1PEM\s0 encoding of the object \fBa\fR to the file \fBfp\fR. +.PP +\&\fIPEM_write_bio_TYPE()\fR similarly writes to the \s-1BIO\s0 \fBbp\fR. +.SH "NOTES" +.IX Header "NOTES" +These functions make no assumption regarding the pass phrase received from the +password callback. +It will simply be treated as a byte sequence. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIPEM_read_TYPE()\fR and \fIPEM_read_bio_TYPE()\fR return a pointer to an allocated +object, which should be released by calling \fITYPE_free()\fR, or \s-1NULL\s0 on error. +.PP +\&\fIPEM_write_TYPE()\fR and \fIPEM_write_bio_TYPE()\fR return the number of bytes written +or zero on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIPEM_read\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 1998\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/pem.3 b/secure/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 similarity index 66% rename from secure/lib/libcrypto/man/pem.3 rename to secure/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 index 43cca0f292ee..d92e16102802 100644 --- a/secure/lib/libcrypto/man/pem.3 +++ b/secure/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 @@ -128,210 +128,139 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "pem 3" -.TH pem 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PEM_READ_BIO_PRIVATEKEY 3" +.TH PEM_READ_BIO_PRIVATEKEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, -PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, -PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, -PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, -PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, -PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, -PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, -PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, -PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, -PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, -PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, -PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, -PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, -PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, -PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, -PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, -PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, -PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, -PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, -PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, -PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, -PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, -PEM_write_NETSCAPE_CERT_SEQUENCE \- PEM routines +pem_password_cb, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_bio_PrivateKey_traditional, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7 \- PEM routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& typedef int pem_password_cb(char *buf, int size, int rwflag, void *u); +\& \& EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, -\& unsigned char *kstr, int klen, -\& pem_password_cb *cb, void *u); -\& +\& unsigned char *kstr, int klen, +\& pem_password_cb *cb, void *u); +\& int PEM_write_bio_PrivateKey_traditional(BIO *bp, EVP_PKEY *x, +\& const EVP_CIPHER *enc, +\& unsigned char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, -\& unsigned char *kstr, int klen, -\& pem_password_cb *cb, void *u); +\& unsigned char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& \& int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, -\& char *kstr, int klen, -\& pem_password_cb *cb, void *u); -\& +\& char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, -\& char *kstr, int klen, -\& pem_password_cb *cb, void *u); -\& +\& char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid, -\& char *kstr, int klen, -\& pem_password_cb *cb, void *u); -\& +\& char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid, -\& char *kstr, int klen, -\& pem_password_cb *cb, void *u); +\& char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& \& EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x); \& int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x); \& \& RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, -\& unsigned char *kstr, int klen, -\& pem_password_cb *cb, void *u); -\& +\& unsigned char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, -\& unsigned char *kstr, int klen, -\& pem_password_cb *cb, void *u); +\& unsigned char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& \& RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x); -\& \& int PEM_write_RSAPublicKey(FILE *fp, RSA *x); \& \& RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x); -\& \& int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x); \& \& DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, -\& unsigned char *kstr, int klen, -\& pem_password_cb *cb, void *u); -\& +\& unsigned char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, -\& unsigned char *kstr, int klen, -\& pem_password_cb *cb, void *u); +\& unsigned char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& \& DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x); -\& \& int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x); \& \& DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u); -\& \& DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u); -\& \& int PEM_write_bio_DSAparams(BIO *bp, DSA *x); -\& \& int PEM_write_DSAparams(FILE *fp, DSA *x); \& \& DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u); -\& \& DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u); -\& \& int PEM_write_bio_DHparams(BIO *bp, DH *x); -\& \& int PEM_write_DHparams(FILE *fp, DH *x); \& \& X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u); -\& \& X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u); -\& \& int PEM_write_bio_X509(BIO *bp, X509 *x); -\& \& int PEM_write_X509(FILE *fp, X509 *x); \& \& X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u); -\& \& X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u); -\& \& int PEM_write_bio_X509_AUX(BIO *bp, X509 *x); -\& \& int PEM_write_X509_AUX(FILE *fp, X509 *x); \& \& X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x, -\& pem_password_cb *cb, void *u); -\& +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x); -\& \& int PEM_write_X509_REQ(FILE *fp, X509_REQ *x); -\& \& int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x); -\& \& int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x); \& \& X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x, -\& pem_password_cb *cb, void *u); +\& pem_password_cb *cb, void *u); \& X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x, -\& pem_password_cb *cb, void *u); +\& pem_password_cb *cb, void *u); \& int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x); \& int PEM_write_X509_CRL(FILE *fp, X509_CRL *x); \& \& PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u); -\& \& PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u); -\& \& int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x); -\& \& int PEM_write_PKCS7(FILE *fp, PKCS7 *x); -\& -\& NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, -\& NETSCAPE_CERT_SEQUENCE **x, -\& pem_password_cb *cb, void *u); -\& -\& NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp, -\& NETSCAPE_CERT_SEQUENCE **x, -\& pem_password_cb *cb, void *u); -\& -\& int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x); -\& -\& int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -343,23 +272,26 @@ For more details about the meaning of arguments see the \&\fB\s-1PEM FUNCTION ARGUMENTS\s0\fR section. .PP Each operation has four functions associated with it. For -clarity the term "\fBfoobar\fR functions" will be used to collectively -refer to the \fIPEM_read_bio_foobar()\fR, \fIPEM_read_foobar()\fR, -\&\fIPEM_write_bio_foobar()\fR and \fIPEM_write_foobar()\fR functions. +brevity the term "\fB\s-1TYPE\s0\fR functions" will be used below to collectively +refer to the \fIPEM_read_bio_TYPE()\fR, \fIPEM_read_TYPE()\fR, +\&\fIPEM_write_bio_TYPE()\fR, and \fIPEM_write_TYPE()\fR functions. .PP -The \fBPrivateKey\fR functions read or write a private key in -\&\s-1PEM\s0 format using an \s-1EVP_PKEY\s0 structure. The write routines use -\&\*(L"traditional\*(R" private key format and can handle both \s-1RSA\s0 and \s-1DSA\s0 -private keys. The read functions can additionally transparently -handle PKCS#8 format encrypted and unencrypted keys too. +The \fBPrivateKey\fR functions read or write a private key in \s-1PEM\s0 format using an +\&\s-1EVP_PKEY\s0 structure. The write routines use PKCS#8 private key format and are +equivalent to \fIPEM_write_bio_PKCS8PrivateKey()\fR.The read functions transparently +handle traditional and PKCS#8 format encrypted and unencrypted keys. .PP -\&\fIPEM_write_bio_PKCS8PrivateKey()\fR and \fIPEM_write_PKCS8PrivateKey()\fR -write a private key in an \s-1EVP_PKEY\s0 structure in PKCS#8 -EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption -algorithms. The \fBcipher\fR argument specifies the encryption algorithm to -use: unlike all other \s-1PEM\s0 routines the encryption is applied at the -PKCS#8 level and not in the \s-1PEM\s0 headers. If \fBcipher\fR is \s-1NULL\s0 then no -encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead. +\&\fIPEM_write_bio_PrivateKey_traditional()\fR writes out a private key in the +\&\*(L"traditional\*(R" format with a simple private key marker and should only +be used for compatibility with legacy programs. +.PP +\&\fIPEM_write_bio_PKCS8PrivateKey()\fR and \fIPEM_write_PKCS8PrivateKey()\fR write a private +key in an \s-1EVP_PKEY\s0 structure in PKCS#8 EncryptedPrivateKeyInfo format using +PKCS#5 v2.0 password based encryption algorithms. The \fBcipher\fR argument +specifies the encryption algorithm to use: unlike some other \s-1PEM\s0 routines the +encryption is applied at the PKCS#8 level and not in the \s-1PEM\s0 headers. If +\&\fBcipher\fR is \s-1NULL\s0 then no encryption is used and a PKCS#8 PrivateKeyInfo +structure is used instead. .PP \&\fIPEM_write_bio_PKCS8PrivateKey_nid()\fR and \fIPEM_write_PKCS8PrivateKey_nid()\fR also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however @@ -372,7 +304,8 @@ structure. The public key is encoded as a SubjectPublicKeyInfo structure. .PP The \fBRSAPrivateKey\fR functions process an \s-1RSA\s0 private key using an -\&\s-1RSA\s0 structure. It handles the same formats as the \fBPrivateKey\fR +\&\s-1RSA\s0 structure. The write routines uses traditional format. The read +routines handles the same formats as the \fBPrivateKey\fR functions but an error occurs if the private key is not \s-1RSA.\s0 .PP The \fBRSAPublicKey\fR functions process an \s-1RSA\s0 public key using an @@ -385,7 +318,8 @@ SubjectPublicKeyInfo structure and an error occurs if the public key is not \s-1RSA.\s0 .PP The \fBDSAPrivateKey\fR functions process a \s-1DSA\s0 private key using a -\&\s-1DSA\s0 structure. It handles the same formats as the \fBPrivateKey\fR +\&\s-1DSA\s0 structure. The write routines uses traditional format. The read +routines handles the same formats as the \fBPrivateKey\fR functions but an error occurs if the private key is not \s-1DSA.\s0 .PP The \fB\s-1DSA_PUBKEY\s0\fR functions process a \s-1DSA\s0 public key using @@ -420,9 +354,6 @@ structure. .PP The \fB\s-1PKCS7\s0\fR functions process a PKCS#7 ContentInfo using a \s-1PKCS7\s0 structure. -.PP -The \fB\s-1NETSCAPE_CERT_SEQUENCE\s0\fR functions process a Netscape Certificate -Sequence using a \s-1NETSCAPE_CERT_SEQUENCE\s0 structure. .SH "PEM FUNCTION ARGUMENTS" .IX Header "PEM FUNCTION ARGUMENTS" The \s-1PEM\s0 functions have many common arguments. @@ -485,73 +416,53 @@ most of them are set to 0 or \s-1NULL.\s0 .PP Read a certificate in \s-1PEM\s0 format from a \s-1BIO:\s0 .PP -.Vb 5 +.Vb 1 \& X509 *x; +\& \& x = PEM_read_bio_X509(bp, NULL, 0, NULL); -\& if (x == NULL) { +\& if (x == NULL) \& /* Error */ -\& } .Ve .PP Alternative method: .PP -.Vb 4 +.Vb 1 \& X509 *x = NULL; -\& if (!PEM_read_bio_X509(bp, &x, 0, NULL)) { +\& +\& if (!PEM_read_bio_X509(bp, &x, 0, NULL)) \& /* Error */ -\& } .Ve .PP Write a certificate to a \s-1BIO:\s0 .PP -.Vb 3 -\& if (!PEM_write_bio_X509(bp, x)) { +.Vb 2 +\& if (!PEM_write_bio_X509(bp, x)) \& /* Error */ -\& } -.Ve -.PP -Write an unencrypted private key to a \s-1FILE\s0 pointer: -.PP -.Vb 3 -\& if (!PEM_write_PrivateKey(fp, key, NULL, NULL, 0, 0, NULL)) { -\& /* Error */ -\& } .Ve .PP Write a private key (using traditional format) to a \s-1BIO\s0 using triple \s-1DES\s0 encryption, the pass phrase is prompted for: .PP -.Vb 3 -\& if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL)) { +.Vb 2 +\& if (!PEM_write_bio_PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, NULL)) \& /* Error */ -\& } .Ve .PP Write a private key (using PKCS#8 format) to a \s-1BIO\s0 using triple \&\s-1DES\s0 encryption, using the pass phrase \*(L"hello\*(R": .PP .Vb 3 -\& if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(), NULL, 0, 0, "hello")) { +\& if (!PEM_write_bio_PKCS8PrivateKey(bp, key, EVP_des_ede3_cbc(), +\& NULL, 0, 0, "hello")) \& /* Error */ -\& } -.Ve -.PP -Read a private key from a \s-1BIO\s0 using the pass phrase \*(L"hello\*(R": -.PP -.Vb 4 -\& key = PEM_read_bio_PrivateKey(bp, NULL, 0, "hello"); -\& if (key == NULL) { -\& /* Error */ -\& } .Ve .PP Read a private key from a \s-1BIO\s0 using a pass phrase callback: .PP -.Vb 4 +.Vb 3 \& key = PEM_read_bio_PrivateKey(bp, NULL, pass_cb, "My Private Key"); -\& if (key == NULL) { +\& if (key == NULL) \& /* Error */ -\& } .Ve .PP Skeleton pass phrase callback: @@ -561,7 +472,7 @@ Skeleton pass phrase callback: \& { \& \& /* We\*(Aqd probably do something else if \*(Aqrwflag\*(Aq is 1 */ -\& printf("Enter pass phrase for \e"%s\e"\en", u); +\& printf("Enter pass phrase for \e"%s\e"\en", (char *)u); \& \& /* get pass phrase, length \*(Aqlen\*(Aq into \*(Aqtmp\*(Aq */ \& char *tmp = "hello"; @@ -591,16 +502,21 @@ they handle all formats transparently. A frequent cause of problems is attempting to use the \s-1PEM\s0 routines like this: .PP -.Vb 2 +.Vb 1 \& X509 *x; +\& \& PEM_read_bio_X509(bp, &x, 0, NULL); .Ve .PP this is a bug because an attempt will be made to reuse the data at \fBx\fR which is an uninitialised pointer. +.PP +These functions make no assumption regarding the pass phrase received from the +password callback. +It will simply be treated as a byte sequence. .SH "PEM ENCRYPTION FORMAT" .IX Header "PEM ENCRYPTION FORMAT" -This old \fBPrivateKey\fR routines use a non standard technique for encryption. +These old \fBPrivateKey\fR routines use a non standard technique for encryption. .PP The private key (or other data) takes the following form: .PP @@ -613,15 +529,44 @@ The private key (or other data) takes the following form: \& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\- .Ve .PP -The line beginning DEK-Info contains two comma separated pieces of information: -the encryption algorithm name as used by \fIEVP_get_cipherbyname()\fR and an 8 -byte \fBsalt\fR encoded as a set of hexadecimal digits. +The line beginning with \fIProc-Type\fR contains the version and the +protection on the encapsulated data. The line beginning \fIDEK-Info\fR +contains two comma separated values: the encryption algorithm name as +used by \fIEVP_get_cipherbyname()\fR and an initialization vector used by the +cipher encoded as a set of hexadecimal digits. After those two lines is +the base64\-encoded encrypted data. .PP -After this is the base64 encoded encrypted data. +The encryption key is derived using \fIEVP_BytesToKey()\fR. The cipher's +initialization vector is passed to \fIEVP_BytesToKey()\fR as the \fBsalt\fR +parameter. Internally, \fB\s-1PKCS5_SALT_LEN\s0\fR bytes of the salt are used +(regardless of the size of the initialization vector). The user's +password is passed to \fIEVP_BytesToKey()\fR using the \fBdata\fR and \fBdatal\fR +parameters. Finally, the library uses an iteration count of 1 for +\&\fIEVP_BytesToKey()\fR. .PP -The encryption key is determined using \fIEVP_BytesToKey()\fR, using \fBsalt\fR and an -iteration count of 1. The \s-1IV\s0 used is the value of \fBsalt\fR and *not* the \s-1IV\s0 -returned by \fIEVP_BytesToKey()\fR. +The \fBkey\fR derived by \fIEVP_BytesToKey()\fR along with the original initialization +vector is then used to decrypt the encrypted data. The \fBiv\fR produced by +\&\fIEVP_BytesToKey()\fR is not utilized or needed, and \s-1NULL\s0 should be passed to +the function. +.PP +The pseudo code to derive the key would look similar to: +.PP +.Vb 2 +\& EVP_CIPHER* cipher = EVP_des_ede3_cbc(); +\& EVP_MD* md = EVP_md5(); +\& +\& unsigned int nkey = EVP_CIPHER_key_length(cipher); +\& unsigned int niv = EVP_CIPHER_iv_length(cipher); +\& unsigned char key[nkey]; +\& unsigned char iv[niv]; +\& +\& memcpy(iv, HexToBin("3F17F5316E2BAC89"), niv); +\& rc = EVP_BytesToKey(cipher, md, iv /*salt*/, pword, plen, 1, key, NULL /*iv*/); +\& if (rc != nkey) +\& /* Error */ +\& +\& /* On success, use key and iv to initialize the cipher */ +.Ve .SH "BUGS" .IX Header "BUGS" The \s-1PEM\s0 read routines in some versions of OpenSSL will not correctly reuse @@ -639,12 +584,26 @@ where \fBx\fR already contains a valid certificate, may not work, whereas: .Ve .PP is guaranteed to work. -.SH "RETURN CODES" -.IX Header "RETURN CODES" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" The read routines return either a pointer to the structure read or \s-1NULL\s0 if an error occurred. .PP The write routines return 1 for success or 0 for failure. +.SH "HISTORY" +.IX Header "HISTORY" +The old Netscape certificate sequences were no longer documented +in OpenSSL 1.1.0; applications should use the \s-1PKCS7\s0 standard instead +as they will be formally deprecated in a future releases. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIEVP_get_cipherbyname\fR\|(3), \fIEVP_BytesToKey\fR\|(3) +\&\fIEVP_EncryptInit\fR\|(3), \fIEVP_BytesToKey\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_ciphers.3 b/secure/lib/libcrypto/man/PEM_read_bio_ex.3 similarity index 62% rename from secure/lib/libssl/man/SSL_get_ciphers.3 rename to secure/lib/libcrypto/man/PEM_read_bio_ex.3 index 9dabbf700e99..c78039d1e7b8 100644 --- a/secure/lib/libssl/man/SSL_get_ciphers.3 +++ b/secure/lib/libcrypto/man/PEM_read_bio_ex.3 @@ -128,60 +128,68 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_ciphers 3" -.TH SSL_get_ciphers 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PEM_READ_BIO_EX 3" +.TH PEM_READ_BIO_EX 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_get_ciphers, -SSL_get_cipher_list, -SSL_get_shared_ciphers -\&\- get list of available SSL_CIPHERs +PEM_read_bio_ex, PEM_FLAG_SECURE, PEM_FLAG_EAY_COMPATIBLE, PEM_FLAG_ONLY_B64 \- read PEM format files with custom processing .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl); -\& const char *SSL_get_cipher_list(const SSL *ssl, int priority); -\& char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); +\& #define PEM_FLAG_SECURE 0x1 +\& #define PEM_FLAG_EAY_COMPATIBLE 0x2 +\& #define PEM_FLAG_ONLY_B64 0x4 +\& int PEM_read_bio_ex(BIO *in, char **name, char **header, +\& unsigned char **data, long *len, unsigned int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_get_ciphers()\fR returns the stack of available SSL_CIPHERs for \fBssl\fR, -sorted by preference. If \fBssl\fR is \s-1NULL\s0 or no ciphers are available, \s-1NULL\s0 -is returned. +\&\fIPEM_read_bio_ex()\fR reads in \s-1PEM\s0 formatted data from an input \s-1BIO,\s0 outputting +the name of the type of contained data, the header information regarding +the possibly encrypted data, and the binary data payload (after base64 decoding). +It should generally only be used to implement PEM_read_bio_\-family functions +for specific data types or other usage, but is exposed to allow greater flexibility +over how processing is performed, if needed. .PP -\&\fISSL_get_cipher_list()\fR returns a pointer to the name of the \s-1SSL_CIPHER\s0 -listed for \fBssl\fR with \fBpriority\fR. If \fBssl\fR is \s-1NULL,\s0 no ciphers are -available, or there are less ciphers than \fBpriority\fR available, \s-1NULL\s0 -is returned. +If \s-1PEM_FLAG_SECURE\s0 is set, the intermediate buffers used to read in lines of +input are allocated from the secure heap. .PP -\&\fISSL_get_shared_ciphers()\fR creates a colon separated and \s-1NUL\s0 terminated list of -\&\s-1SSL_CIPHER\s0 names that are available in both the client and the server. \fBbuf\fR is -the buffer that should be populated with the list of names and \fBsize\fR is the -size of that buffer. A pointer to \fBbuf\fR is returned on success or \s-1NULL\s0 on -error. If the supplied buffer is not large enough to contain the complete list -of names then a truncated list of names will be returned. Note that just because -a ciphersuite is available (i.e. it is configured in the cipher list) and shared -by both the client and the server it does not mean that it is enabled (for -example some ciphers may not be usable by a server if there is not a suitable -certificate configured). This function will return available shared ciphersuites -whether or not they are enabled. This is a server side function only and must -only be called after the completion of the initial handshake. +If \s-1PEM_FLAG_EAY_COMPATIBLE\s0 is set, a simple algorithm is used to remove whitespace +and control characters from the end of each line, so as to be compatible with +the historical behavior of \fIPEM_read_bio()\fR. +.PP +If \s-1PEM_FLAG_ONLY_B64\s0 is set, all characters are required to be valid base64 +characters (or newlines); non\-base64 characters are treated as end of input. +.PP +If neither \s-1PEM_FLAG_EAY_COMPATIBLE\s0 or \s-1PEM_FLAG_ONLY_B64\s0 is set, control characters +are ignored. +.PP +If both \s-1PEM_FLAG_EAY_COMPATIBLE\s0 and \s-1PEM_FLAG_ONLY_B64\s0 are set, an error is returned; +these options are not compatible with each other. .SH "NOTES" .IX Header "NOTES" -The details of the ciphers obtained by \fISSL_get_ciphers()\fR can be obtained using -the \fISSL_CIPHER_get_name\fR\|(3) family of functions. -.PP -Call \fISSL_get_cipher_list()\fR with \fBpriority\fR starting from 0 to obtain the -sorted list of available ciphers, until \s-1NULL\s0 is returned. +The caller must release the storage allocated for *name, *header, and *data. +If \s-1PEM_FLAG_SECURE\s0 was set, use \fIOPENSSL_secure_free()\fR; otherwise, +\&\fIOPENSSL_free()\fR is used. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -See \s-1DESCRIPTION\s0 +\&\fIPEM_read_bio_ex()\fR returns 1 for success or 0 for failure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_cipher_list\fR\|(3), -\&\fISSL_CIPHER_get_name\fR\|(3) +\&\s-1\fIPEM\s0\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIPEM_read_bio_ex()\fR was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 b/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 index 582c97488ae4..505c82856e0d 100644 --- a/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 +++ b/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 @@ -128,21 +128,18 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PEM_write_bio_CMS_stream 3" -.TH PEM_write_bio_CMS_stream 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PEM_WRITE_BIO_CMS_STREAM 3" +.TH PEM_WRITE_BIO_CMS_STREAM 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& PEM_write_bio_CMS_stream \- output CMS_ContentInfo structure in PEM format. -.Ve +PEM_write_bio_CMS_stream \- output CMS_ContentInfo structure in PEM format .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& \& int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *data, int flags); .Ve @@ -163,8 +160,17 @@ streaming. \&\fIERR_get_error\fR\|(3), \fICMS_sign\fR\|(3), \&\fICMS_verify\fR\|(3), \fICMS_encrypt\fR\|(3) \&\fICMS_decrypt\fR\|(3), +\&\fIPEM_write\fR\|(3), \&\fISMIME_write_CMS\fR\|(3), \&\fIi2d_CMS_bio_stream\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" \&\fIPEM_write_bio_CMS_stream()\fR was added to OpenSSL 1.0.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 b/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 index 44015c0ce818..0a82dbce5e7b 100644 --- a/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 +++ b/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 @@ -128,19 +128,18 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PEM_write_bio_PKCS7_stream 3" -.TH PEM_write_bio_PKCS7_stream 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PEM_WRITE_BIO_PKCS7_STREAM 3" +.TH PEM_WRITE_BIO_PKCS7_STREAM 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -PEM_write_bio_PKCS7_stream \- output PKCS7 structure in PEM format. +PEM_write_bio_PKCS7_stream \- output PKCS7 structure in PEM format .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& \& int PEM_write_bio_PKCS7_stream(BIO *out, PKCS7 *p7, BIO *data, int flags); .Ve @@ -166,3 +165,11 @@ streaming. .SH "HISTORY" .IX Header "HISTORY" \&\fIPEM_write_bio_PKCS7_stream()\fR was added to OpenSSL 1.0.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2007\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS12_create.3 b/secure/lib/libcrypto/man/PKCS12_create.3 index 0e08f8695348..7e7f2e93af3c 100644 --- a/secure/lib/libcrypto/man/PKCS12_create.3 +++ b/secure/lib/libcrypto/man/PKCS12_create.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PKCS12_create 3" -.TH PKCS12_create 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PKCS12_CREATE 3" +.TH PKCS12_CREATE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,20 +141,22 @@ PKCS12_create \- create a PKCS#12 structure .Vb 1 \& #include \& -\& PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, -\& int nid_key, int nid_cert, int iter, int mac_iter, int keytype); +\& PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, +\& X509 *cert, STACK_OF(X509) *ca, +\& int nid_key, int nid_cert, int iter, int mac_iter, int keytype); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIPKCS12_create()\fR creates a PKCS#12 structure. .PP \&\fBpass\fR is the passphrase to use. \fBname\fR is the \fBfriendlyName\fR to use for -the supplied certifictate and key. \fBpkey\fR is the private key to include in +the supplied certificate and key. \fBpkey\fR is the private key to include in the structure and \fBcert\fR its corresponding certificates. \fBca\fR, if not \fB\s-1NULL\s0\fR is an optional set of certificates to also include in the structure. .PP \&\fBnid_key\fR and \fBnid_cert\fR are the encryption algorithms that should be used -for the key and certificate respectively. \fBiter\fR is the encryption algorithm +for the key and certificate respectively. The modes +\&\s-1GCM, CCM, XTS,\s0 and \s-1OCB\s0 are unsupported. \fBiter\fR is the encryption algorithm iteration count to use and \fBmac_iter\fR is the \s-1MAC\s0 iteration count to use. \&\fBkeytype\fR is the type of key. .SH "NOTES" @@ -177,26 +179,35 @@ it can be used for signing and encryption. This option was useful for old export grade software which could use signing only keys of arbitrary size but had restrictions on the permissible sizes of keys which could be used for encryption. -.SH "NEW FUNCTIONALITY IN OPENSSL 0.9.8" -.IX Header "NEW FUNCTIONALITY IN OPENSSL 0.9.8" -Some additional functionality was added to \fIPKCS12_create()\fR in OpenSSL -0.9.8. These extensions are detailed below. .PP If a certificate contains an \fBalias\fR or \fBkeyid\fR then this will be used for the corresponding \fBfriendlyName\fR or \fBlocalKeyID\fR in the \&\s-1PKCS12\s0 structure. .PP Either \fBpkey\fR, \fBcert\fR or both can be \fB\s-1NULL\s0\fR to indicate that no key or -certficate is required. In previous versions both had to be present or +certificate is required. In previous versions both had to be present or a fatal error is returned. .PP \&\fBnid_key\fR or \fBnid_cert\fR can be set to \-1 indicating that no encryption should be used. .PP \&\fBmac_iter\fR can be set to \-1 and the \s-1MAC\s0 will then be omitted entirely. +.PP +\&\fIPKCS12_create()\fR makes assumptions regarding the encoding of the given pass +phrase. +See \fIpassphrase\-encoding\fR\|(7) for more information. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIPKCS12_create()\fR returns a valid \fB\s-1PKCS12\s0\fR structure or \s-1NULL\s0 if an error occurred. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fId2i_PKCS12\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -PKCS12_create was added in OpenSSL 0.9.3 +\&\fId2i_PKCS12\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS12_newpass.3 b/secure/lib/libcrypto/man/PKCS12_newpass.3 new file mode 100644 index 000000000000..a071f4e529dd --- /dev/null +++ b/secure/lib/libcrypto/man/PKCS12_newpass.3 @@ -0,0 +1,242 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PKCS12_NEWPASS 3" +.TH PKCS12_NEWPASS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +PKCS12_newpass \- change the password of a PKCS12 structure +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIPKCS12_newpass()\fR changes the password of a \s-1PKCS12\s0 structure. +.PP +\&\fBp12\fR is a pointer to a \s-1PKCS12\s0 structure. \fBoldpass\fR is the existing password +and \fBnewpass\fR is the new password. +.SH "NOTES" +.IX Header "NOTES" +Each of \fBoldpass\fR and \fBnewpass\fR is independently interpreted as a string in +the \s-1UTF\-8\s0 encoding. If it is not valid \s-1UTF\-8,\s0 it is assumed to be \s-1ISO8859\-1\s0 +instead. +.PP +In particular, this means that passwords in the locale character set +(or code page on Windows) must potentially be converted to \s-1UTF\-8\s0 before +use. This may include passwords from local text files, or input from +the terminal or command line. Refer to the documentation of +\&\fIUI_OpenSSL\fR\|(3), for example. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIPKCS12_newpass()\fR returns 1 on success or 0 on failure. Applications can +retrieve the most recent error from \fIPKCS12_newpass()\fR with \fIERR_get_error()\fR. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +This example loads a PKCS#12 file, changes its password and writes out +the result to a new file. +.PP +.Vb 5 +\& #include +\& #include +\& #include +\& #include +\& #include +\& +\& int main(int argc, char **argv) +\& { +\& FILE *fp; +\& PKCS12 *p12; +\& +\& if (argc != 5) { +\& fprintf(stderr, "Usage: pkread p12file password newpass opfile\en"); +\& return 1; +\& } +\& if ((fp = fopen(argv[1], "rb")) == NULL) { +\& fprintf(stderr, "Error opening file %s\en", argv[1]); +\& return 1; +\& } +\& p12 = d2i_PKCS12_fp(fp, NULL); +\& fclose(fp); +\& if (p12 == NULL) { +\& fprintf(stderr, "Error reading PKCS#12 file\en"); +\& ERR_print_errors_fp(stderr); +\& return 1; +\& } +\& if (PKCS12_newpass(p12, argv[2], argv[3]) == 0) { +\& fprintf(stderr, "Error changing password\en"); +\& ERR_print_errors_fp(stderr); +\& PKCS12_free(p12); +\& return 1; +\& } +\& if ((fp = fopen(argv[4], "wb")) == NULL) { +\& fprintf(stderr, "Error opening file %s\en", argv[4]); +\& PKCS12_free(p12); +\& return 1; +\& } +\& i2d_PKCS12_fp(fp, p12); +\& PKCS12_free(p12); +\& fclose(fp); +\& return 0; +\& } +.Ve +.SH "NOTES" +.IX Header "NOTES" +If the PKCS#12 structure does not have a password, then you must use the empty +string "" for \fBoldpass\fR. Using \s-1NULL\s0 for \fBoldpass\fR will result in a +\&\fIPKCS12_newpass()\fR failure. +.PP +If the wrong password is used for \fBoldpass\fR then the function will fail, +with a \s-1MAC\s0 verification error. In rare cases the \s-1PKCS12\s0 structure does not +contain a \s-1MAC:\s0 in this case it will usually fail with a decryption padding +error. +.SH "BUGS" +.IX Header "BUGS" +The password format is a \s-1NULL\s0 terminated \s-1ASCII\s0 string which is converted to +Unicode form internally. As a result some passwords cannot be supplied to +this function. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIPKCS12_create\fR\|(3), \fIERR_get_error\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS12_parse.3 b/secure/lib/libcrypto/man/PKCS12_parse.3 index 1b496740e443..4c25a06bcc6b 100644 --- a/secure/lib/libcrypto/man/PKCS12_parse.3 +++ b/secure/lib/libcrypto/man/PKCS12_parse.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PKCS12_parse 3" -.TH PKCS12_parse 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PKCS12_PARSE 3" +.TH PKCS12_PARSE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -160,6 +160,15 @@ valid \s-1STACK\s0 in which case additional certificates are appended to \fB*ca\ The \fBfriendlyName\fR and \fBlocalKeyID\fR attributes (if present) on each certificate will be stored in the \fBalias\fR and \fBkeyid\fR attributes of the \&\fBX509\fR structure. +.PP +The parameter \fBpass\fR is interpreted as a string in the \s-1UTF\-8\s0 encoding. If it +is not valid \s-1UTF\-8,\s0 then it is assumed to be \s-1ISO8859\-1\s0 instead. +.PP +In particular, this means that passwords in the locale character set +(or code page on Windows) must potentially be converted to \s-1UTF\-8\s0 before +use. This may include passwords from local text files, or input from +the terminal or command line. Refer to the documentation of +\&\fIUI_OpenSSL\fR\|(3), for example. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIPKCS12_parse()\fR returns 1 for success and zero if an error occurred. @@ -177,7 +186,13 @@ certificates. Other attributes are discarded. Attributes currently cannot be stored in the private key \fB\s-1EVP_PKEY\s0\fR structure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fId2i_PKCS12\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -PKCS12_parse was added in OpenSSL 0.9.3 +\&\fId2i_PKCS12\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 b/secure/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 new file mode 100644 index 000000000000..470059523945 --- /dev/null +++ b/secure/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 @@ -0,0 +1,204 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PKCS5_PBKDF2_HMAC 3" +.TH PKCS5_PBKDF2_HMAC 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +PKCS5_PBKDF2_HMAC, PKCS5_PBKDF2_HMAC_SHA1 \- password based derivation routines with salt and iteration count +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, +\& const unsigned char *salt, int saltlen, int iter, +\& const EVP_MD *digest, +\& int keylen, unsigned char *out); +\& +\& int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, +\& const unsigned char *salt, int saltlen, int iter, +\& int keylen, unsigned char *out); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1\fIPKCS5_PBKDF2_HMAC\s0()\fR derives a key from a password using a salt and iteration count +as specified in \s-1RFC 2898.\s0 +.PP +\&\fBpass\fR is the password used in the derivation of length \fBpasslen\fR. \fBpass\fR +is an optional parameter and can be \s-1NULL.\s0 If \fBpasslen\fR is \-1, then the +function will calculate the length of \fBpass\fR using \fIstrlen()\fR. +.PP +\&\fBsalt\fR is the salt used in the derivation of length \fBsaltlen\fR. If the +\&\fBsalt\fR is \s-1NULL,\s0 then \fBsaltlen\fR must be 0. The function will not +attempt to calculate the length of the \fBsalt\fR because it is not assumed to +be \s-1NULL\s0 terminated. +.PP +\&\fBiter\fR is the iteration count and its value should be greater than or +equal to 1. \s-1RFC 2898\s0 suggests an iteration count of at least 1000. Any +\&\fBiter\fR less than 1 is treated as a single iteration. +.PP +\&\fBdigest\fR is the message digest function used in the derivation. Values include +any of the EVP_* message digests. \s-1\fIPKCS5_PBKDF2_HMAC_SHA1\s0()\fR calls +\&\s-1\fIPKCS5_PBKDF2_HMAC\s0()\fR with \fIEVP_sha1()\fR. +.PP +The derived key will be written to \fBout\fR. The size of the \fBout\fR buffer +is specified via \fBkeylen\fR. +.SH "NOTES" +.IX Header "NOTES" +A typical application of this function is to derive keying material for an +encryption algorithm from a password in the \fBpass\fR, a salt in \fBsalt\fR, +and an iteration count. +.PP +Increasing the \fBiter\fR parameter slows down the algorithm which makes it +harder for an attacker to perform a brute force attack using a large number +of candidate passwords. +.PP +These functions make no assumption regarding the given password. +It will simply be treated as a byte sequence. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\s-1\fIPKCS5_PBKDF2_HMAC\s0()\fR and \s-1\fIPBKCS5_PBKDF2_HMAC_SHA1\s0()\fR return 1 on success or 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIevp\fR\|(7), \fIRAND_bytes\fR\|(3), +\&\fIEVP_BytesToKey\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2014\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS7_decrypt.3 b/secure/lib/libcrypto/man/PKCS7_decrypt.3 index e53f22300bda..f19550300964 100644 --- a/secure/lib/libcrypto/man/PKCS7_decrypt.3 +++ b/secure/lib/libcrypto/man/PKCS7_decrypt.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PKCS7_decrypt 3" -.TH PKCS7_decrypt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PKCS7_DECRYPT 3" +.TH PKCS7_DECRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -151,9 +151,6 @@ recipients certificate, \fBdata\fR is a \s-1BIO\s0 to write the content to and \&\fBflags\fR is an optional set of flags. .SH "NOTES" .IX Header "NOTES" -\&\fIOpenSSL_add_all_algorithms()\fR (or equivalent) should be called before using this -function or errors about unknown algorithms will occur. -.PP Although the recipients certificate is not needed to decrypt the data it is needed to locate the appropriate (of possible several) recipients in the PKCS#7 structure. .PP @@ -176,6 +173,11 @@ mentioned in \fIPKCS7_sign()\fR also applies to \fIPKCS7_verify()\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fIPKCS7_encrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIPKCS7_decrypt()\fR was added to OpenSSL 0.9.5 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS7_encrypt.3 b/secure/lib/libcrypto/man/PKCS7_encrypt.3 index ecc9d5f0de1f..4c9d21a377cc 100644 --- a/secure/lib/libcrypto/man/PKCS7_encrypt.3 +++ b/secure/lib/libcrypto/man/PKCS7_encrypt.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PKCS7_encrypt 3" -.TH PKCS7_encrypt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PKCS7_ENCRYPT 3" +.TH PKCS7_ENCRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +141,8 @@ PKCS7_encrypt \- create a PKCS#7 envelopedData structure .Vb 1 \& #include \& -\& PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags); +\& PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, +\& int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -186,7 +187,7 @@ suitable for streaming I/O: no data is read from the \s-1BIO\s0 \fBin\fR. .IX Header "NOTES" If the flag \fB\s-1PKCS7_STREAM\s0\fR is set the returned \fB\s-1PKCS7\s0\fR structure is \fBnot\fR complete and outputting its contents via a function that does not -properly finalize the \fB\s-1PKCS7\s0\fR structure will give unpredictable +properly finalize the \fB\s-1PKCS7\s0\fR structure will give unpredictable results. .PP Several functions including \fISMIME_write_PKCS7()\fR, \fIi2d_PKCS7_bio_stream()\fR, @@ -202,5 +203,12 @@ The error can be obtained from \fIERR_get_error\fR\|(3). \&\fIERR_get_error\fR\|(3), \fIPKCS7_decrypt\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIPKCS7_decrypt()\fR was added to OpenSSL 0.9.5 -The \fB\s-1PKCS7_STREAM\s0\fR flag was first supported in OpenSSL 1.0.0. +The \fB\s-1PKCS7_STREAM\s0\fR flag was added in OpenSSL 1.0.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS7_sign.3 b/secure/lib/libcrypto/man/PKCS7_sign.3 index da8c79aecbf9..7f5ec452c7b4 100644 --- a/secure/lib/libcrypto/man/PKCS7_sign.3 +++ b/secure/lib/libcrypto/man/PKCS7_sign.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PKCS7_sign 3" -.TH PKCS7_sign 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PKCS7_SIGN 3" +.TH PKCS7_SIGN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,12 +141,13 @@ PKCS7_sign \- create a PKCS#7 signedData structure .Vb 1 \& #include \& -\& PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags); +\& PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, +\& BIO *data, int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIPKCS7_sign()\fR creates and returns a PKCS#7 signedData structure. \fBsigncert\fR is -the certificate to sign with, \fBpkey\fR is the corresponsding private key. +the certificate to sign with, \fBpkey\fR is the corresponding private key. \&\fBcerts\fR is an optional additional set of certificates to include in the PKCS#7 structure (for example any intermediate CAs in the chain). .PP @@ -178,7 +179,7 @@ required by the S/MIME specifications) if \fB\s-1PKCS7_BINARY\s0\fR is set no tr occurs. This option should be used if the supplied data is in binary format otherwise the translation will corrupt it. .PP -The signedData structure includes several PKCS#7 autenticatedAttributes +The signedData structure includes several PKCS#7 authenticatedAttributes including the signing time, the PKCS#7 content type and the supported list of ciphers in an SMIMECapabilities attribute. If \fB\s-1PKCS7_NOATTR\s0\fR is set then no authenticatedAttributes will be used. If \fB\s-1PKCS7_NOSMIMECAP\s0\fR is set then just @@ -210,13 +211,13 @@ can be performed by obtaining the streaming \s-1ASN1\s0 \fB\s-1BIO\s0\fR directl If a signer is specified it will use the default digest for the signing algorithm. This is \fB\s-1SHA1\s0\fR for both \s-1RSA\s0 and \s-1DSA\s0 keys. .PP -In OpenSSL 1.0.0 the \fBcerts\fR, \fBsigncert\fR and \fBpkey\fR parameters can all be +The \fBcerts\fR, \fBsigncert\fR and \fBpkey\fR parameters can all be \&\fB\s-1NULL\s0\fR if the \fB\s-1PKCS7_PARTIAL\s0\fR flag is set. One or more signers can be added -using the function \fB\f(BIPKCS7_sign_add_signer()\fB\fR. \fB\f(BIPKCS7_final()\fB\fR must also be +using the function \fIPKCS7_sign_add_signer()\fR. \fIPKCS7_final()\fR must also be called to finalize the structure if streaming is not enabled. Alternative signing digests can also be specified using this method. .PP -In OpenSSL 1.0.0 if \fBsigncert\fR and \fBpkey\fR are \s-1NULL\s0 then a certificates only +If \fBsigncert\fR and \fBpkey\fR are \s-1NULL\s0 then a certificates only PKCS#7 structure is output. .PP In versions of OpenSSL before 1.0.0 the \fBsigncert\fR and \fBpkey\fR parameters must @@ -233,8 +234,15 @@ occurred. The error can be obtained from \fIERR_get_error\fR\|(3). \&\fIERR_get_error\fR\|(3), \fIPKCS7_verify\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIPKCS7_sign()\fR was added to OpenSSL 0.9.5 -.PP -The \fB\s-1PKCS7_PARTIAL\s0\fR flag was added in OpenSSL 1.0.0 +The \fB\s-1PKCS7_PARTIAL\s0\fR flag, and the ability for \fBcerts\fR, \fBsigncert\fR, +and \fBpkey\fR parameters to be \fB\s-1NULL\s0\fR to be was added in OpenSSL 1.0.0 .PP The \fB\s-1PKCS7_STREAM\s0\fR flag was added in OpenSSL 1.0.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 b/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 index 1efdcb46f386..cf409349f5eb 100644 --- a/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 +++ b/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 @@ -128,20 +128,21 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PKCS7_sign_add_signer 3" -.TH PKCS7_sign_add_signer 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PKCS7_SIGN_ADD_SIGNER 3" +.TH PKCS7_SIGN_ADD_SIGNER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -PKCS7_sign_add_signer \- add a signer PKCS7 signed data structure. +PKCS7_sign_add_signer \- add a signer PKCS7 signed data structure .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, int flags); +\& PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, +\& EVP_PKEY *pkey, const EVP_MD *md, int flags); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -170,11 +171,11 @@ Any of the following flags (ored together) can be passed in the \fBflags\fR parameter. .PP If \fB\s-1PKCS7_REUSE_DIGEST\s0\fR is set then an attempt is made to copy the content -digest value from the \s-1PKCS7\s0 struture: to add a signer to an existing structure. +digest value from the \s-1PKCS7\s0 structure: to add a signer to an existing structure. An error occurs if a matching digest value cannot be found to copy. The returned \s-1PKCS7\s0 structure will be valid and finalized when this flag is set. .PP -If \fB\s-1PKCS7_PARTIAL\s0\fR is set in addition to \fB\s-1PKCS7_REUSE_DIGEST\s0\fR then the +If \fB\s-1PKCS7_PARTIAL\s0\fR is set in addition to \fB\s-1PKCS7_REUSE_DIGEST\s0\fR then the \&\fB\s-1PKCS7_SIGNER_INO\s0\fR structure will not be finalized so additional attributes can be added. In this case an explicit call to \fIPKCS7_SIGNER_INFO_sign()\fR is needed to finalize it. @@ -185,7 +186,7 @@ If \fB\s-1PKCS7_NOCERTS\s0\fR is set the signer's certificate will not be includ signers certificate can be obtained by other means: for example a previously signed message. .PP -The signedData structure includes several PKCS#7 autenticatedAttributes +The signedData structure includes several PKCS#7 authenticatedAttributes including the signing time, the PKCS#7 content type and the supported list of ciphers in an SMIMECapabilities attribute. If \fB\s-1PKCS7_NOATTR\s0\fR is set then no authenticatedAttributes will be used. If \fB\s-1PKCS7_NOSMIMECAP\s0\fR is set then just @@ -196,7 +197,7 @@ algorithms: triple \s-1DES, 128\s0 bit \s-1RC2, 64\s0 bit \s-1RC2, DES\s0 and 40 these algorithms is disabled then it will not be included. .PP \&\fIPKCS7_sign_add_signers()\fR returns an internal pointer to the \s-1PKCS7_SIGNER_INFO\s0 -structure just added, this can be used to set additional attributes +structure just added, this can be used to set additional attributes before it is finalized. .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -209,3 +210,11 @@ structure just added or \s-1NULL\s0 if an error occurs. .SH "HISTORY" .IX Header "HISTORY" \&\fIPPKCS7_sign_add_signer()\fR was added to OpenSSL 1.0.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2007\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/PKCS7_verify.3 b/secure/lib/libcrypto/man/PKCS7_verify.3 index 7e5da4a5b2e3..232a5ce4ec52 100644 --- a/secure/lib/libcrypto/man/PKCS7_verify.3 +++ b/secure/lib/libcrypto/man/PKCS7_verify.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "PKCS7_verify 3" -.TH PKCS7_verify 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "PKCS7_VERIFY 3" +.TH PKCS7_VERIFY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +141,8 @@ PKCS7_verify, PKCS7_get0_signers \- verify a PKCS#7 signedData structure .Vb 1 \& #include \& -\& int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags); +\& int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, +\& BIO *indata, BIO *out, int flags); \& \& STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags); .Ve @@ -149,7 +150,7 @@ PKCS7_verify, PKCS7_get0_signers \- verify a PKCS#7 signedData structure .IX Header "DESCRIPTION" \&\fIPKCS7_verify()\fR verifies a PKCS#7 signedData structure. \fBp7\fR is the \s-1PKCS7\s0 structure to verify. \fBcerts\fR is a set of certificates in which to search for -the signer's certificate. \fBstore\fR is a trusted certficate store (used for +the signer's certificate. \fBstore\fR is a trusted certificate store (used for chain verification). \fBindata\fR is the signed data if the content is not present in \fBp7\fR (that is it is detached). The content is written to \fBout\fR if it is not \s-1NULL.\s0 @@ -166,7 +167,12 @@ Normally the verify process proceeds as follows. .PP Initially some sanity checks are performed on \fBp7\fR. The type of \fBp7\fR must be signedData. There must be at least one signature on the data and if -the content is detached \fBindata\fR cannot be \fB\s-1NULL\s0\fR. +the content is detached \fBindata\fR cannot be \fB\s-1NULL\s0\fR. If the content is +not detached and \fBindata\fR is not \fB\s-1NULL\s0\fR, then the structure has both +embedded and external content. To treat this as an error, use the flag +\&\fB\s-1PKCS7_NO_DUAL_CONTENT\s0\fR. +The default behavior allows this, for compatibility with older +versions of OpenSSL. .PP An attempt is made to locate all the signer's certificates, first looking in the \fBcerts\fR parameter (if it is not \fB\s-1NULL\s0\fR) and then looking in any certificates @@ -186,7 +192,7 @@ Any of the following flags (ored together) can be passed in the \fBflags\fR para to change the default verify behaviour. Only the flag \fB\s-1PKCS7_NOINTERN\s0\fR is meaningful to \fIPKCS7_get0_signers()\fR. .PP -If \fB\s-1PKCS7_NOINTERN\s0\fR is set the certificates in the message itself are not +If \fB\s-1PKCS7_NOINTERN\s0\fR is set the certificates in the message itself are not searched when locating the signer's certificate. This means that all the signers certificates must be in the \fBcerts\fR parameter. .PP @@ -210,7 +216,7 @@ certificates supplied in \fBcerts\fR then the verify will fail because the signer cannot be found. .PP Care should be taken when modifying the default verify behaviour, for example -setting \fBPKCS7_NOVERIFY|PKCS7_NOSIGS\fR will totally disable all verification +setting \fBPKCS7_NOVERIFY|PKCS7_NOSIGS\fR will totally disable all verification and any signed message will be considered valid. This combination is however useful if one merely wishes to write the content to \fBout\fR and its validity is not considered important. @@ -238,6 +244,11 @@ mentioned in \fIPKCS7_sign()\fR also applies to \fIPKCS7_verify()\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fIPKCS7_sign\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIPKCS7_verify()\fR was added to OpenSSL 0.9.5 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_DRBG_generate.3 b/secure/lib/libcrypto/man/RAND_DRBG_generate.3 new file mode 100644 index 000000000000..dabf2b31a960 --- /dev/null +++ b/secure/lib/libcrypto/man/RAND_DRBG_generate.3 @@ -0,0 +1,210 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RAND_DRBG_GENERATE 3" +.TH RAND_DRBG_GENERATE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +RAND_DRBG_generate, RAND_DRBG_bytes \&\- generate random bytes using the given drbg instance +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int RAND_DRBG_generate(RAND_DRBG *drbg, +\& unsigned char *out, size_t outlen, +\& int prediction_resistance, +\& const unsigned char *adin, size_t adinlen); +\& +\& int RAND_DRBG_bytes(RAND_DRBG *drbg, +\& unsigned char *out, size_t outlen); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIRAND_DRBG_generate()\fR generates \fBoutlen\fR random bytes using the given +\&\s-1DRBG\s0 instance \fBdrbg\fR and stores them in the buffer at \fBout\fR. +.PP +Before generating the output, the \s-1DRBG\s0 instance checks whether the maximum +number of generate requests (\fIreseed interval\fR) or the maximum timespan +(\fIreseed time interval\fR) since its last seeding have been reached. +If this is the case, the \s-1DRBG\s0 reseeds automatically. +Additionally, an immediate reseeding can be requested by setting the +\&\fBprediction_resistance\fR flag to 1. See \s-1NOTES\s0 section for more details. +.PP +The caller can optionally provide additional data to be used for reseeding +by passing a pointer \fBadin\fR to a buffer of length \fBadinlen\fR. +This additional data is mixed into the internal state of the random +generator but does not contribute to the entropy count. +The additional data can be omitted by setting \fBadin\fR to \s-1NULL\s0 and +\&\fBadinlen\fR to 0; +.PP +\&\fIRAND_DRBG_bytes()\fR generates \fBoutlen\fR random bytes using the given +\&\s-1DRBG\s0 instance \fBdrbg\fR and stores them in the buffer at \fBout\fR. +This function is a wrapper around the \fIRAND_DRBG_generate()\fR call, +which collects some additional data from low entropy sources +(e.g., a high resolution timer) and calls +RAND_DRBG_generate(drbg, out, outlen, 0, adin, adinlen). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRAND_DRBG_generate()\fR and \fIRAND_DRBG_bytes()\fR return 1 on success, +and 0 on failure. +.SH "NOTES" +.IX Header "NOTES" +The \fIreseed interval\fR and \fIreseed time interval\fR of the \fBdrbg\fR are set to +reasonable default values, which in general do not have to be adjusted. +If necessary, they can be changed using \fIRAND_DRBG_set_reseed_interval\fR\|(3) +and \fIRAND_DRBG_set_reseed_time_interval\fR\|(3), respectively. +.PP +A request for prediction resistance can only be satisfied by pulling fresh +entropy from one of the approved entropy sources listed in section 5.5.2 of +[\s-1NIST SP 800\-90C\s0]. +Since the default \s-1DRBG\s0 implementation does not have access to such an approved +entropy source, a request for prediction resistance will always fail. +In other words, prediction resistance is currently not supported yet by the \s-1DRBG.\s0 +.SH "HISTORY" +.IX Header "HISTORY" +The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRAND_bytes\fR\|(3), +\&\fIRAND_DRBG_set_reseed_interval\fR\|(3), +\&\fIRAND_DRBG_set_reseed_time_interval\fR\|(3), +\&\s-1\fIRAND_DRBG\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_DRBG_get0_master.3 b/secure/lib/libcrypto/man/RAND_DRBG_get0_master.3 new file mode 100644 index 000000000000..c7bf5705f836 --- /dev/null +++ b/secure/lib/libcrypto/man/RAND_DRBG_get0_master.3 @@ -0,0 +1,200 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RAND_DRBG_GET0_MASTER 3" +.TH RAND_DRBG_GET0_MASTER 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +RAND_DRBG_get0_master, RAND_DRBG_get0_public, RAND_DRBG_get0_private \&\- get access to the global RAND_DRBG instances +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& RAND_DRBG *RAND_DRBG_get0_master(void); +\& RAND_DRBG *RAND_DRBG_get0_public(void); +\& RAND_DRBG *RAND_DRBG_get0_private(void); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The default \s-1RAND API\s0 implementation (\fIRAND_OpenSSL()\fR) utilizes three +shared \s-1DRBG\s0 instances which are accessed via the \s-1RAND API:\s0 +.PP +The and \s-1DRBG\s0 are thread-local instances, which are used +by \fIRAND_bytes()\fR and \fIRAND_priv_bytes()\fR, respectively. +The \s-1DRBG\s0 is a global instance, which is not intended to be used +directly, but is used internally to reseed the other two instances. +.PP +These functions here provide access to the shared \s-1DRBG\s0 instances. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRAND_DRBG_get0_master()\fR returns a pointer to the \s-1DRBG\s0 instance. +.PP +\&\fIRAND_DRBG_get0_public()\fR returns a pointer to the \s-1DRBG\s0 instance. +.PP +\&\fIRAND_DRBG_get0_private()\fR returns a pointer to the \s-1DRBG\s0 instance. +.SH "NOTES" +.IX Header "NOTES" +It is not thread-safe to access the \s-1DRBG\s0 instance. +The and \s-1DRBG\s0 instance can be accessed safely, because +they are thread-local. Note however, that changes to these two instances +apply only to the current thread. +.PP +For that reason it is recommended not to change the settings of these +three instances directly. +Instead, an application should change the default settings for new \s-1DRBG\s0 instances +at initialization time, before creating additional threads. +.PP +During initialization, it is possible to change the reseed interval +and reseed time interval. +It is also possible to exchange the reseeding callbacks entirely. +.SH "HISTORY" +.IX Header "HISTORY" +The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRAND_DRBG_set_callbacks\fR\|(3), +\&\fIRAND_DRBG_set_reseed_defaults\fR\|(3), +\&\fIRAND_DRBG_set_reseed_interval\fR\|(3), +\&\fIRAND_DRBG_set_reseed_time_interval\fR\|(3), +\&\fIRAND_DRBG_set_callbacks\fR\|(3), +\&\fIRAND_DRBG_generate\fR\|(3), +\&\s-1\fIRAND_DRBG\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_DRBG_new.3 b/secure/lib/libcrypto/man/RAND_DRBG_new.3 new file mode 100644 index 000000000000..6ec4442a0055 --- /dev/null +++ b/secure/lib/libcrypto/man/RAND_DRBG_new.3 @@ -0,0 +1,243 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RAND_DRBG_NEW 3" +.TH RAND_DRBG_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +RAND_DRBG_new, RAND_DRBG_secure_new, RAND_DRBG_set, RAND_DRBG_set_defaults, RAND_DRBG_instantiate, RAND_DRBG_uninstantiate, RAND_DRBG_free \&\- initialize and cleanup a RAND_DRBG instance +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& +\& RAND_DRBG *RAND_DRBG_new(int type, +\& unsigned int flags, +\& RAND_DRBG *parent); +\& +\& RAND_DRBG *RAND_DRBG_secure_new(int type, +\& unsigned int flags, +\& RAND_DRBG *parent); +\& +\& int RAND_DRBG_set(RAND_DRBG *drbg, +\& int type, unsigned int flags); +\& +\& int RAND_DRBG_set_defaults(int type, unsigned int flags); +\& +\& int RAND_DRBG_instantiate(RAND_DRBG *drbg, +\& const unsigned char *pers, size_t perslen); +\& +\& int RAND_DRBG_uninstantiate(RAND_DRBG *drbg); +\& +\& void RAND_DRBG_free(RAND_DRBG *drbg); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIRAND_DRBG_new()\fR and \fIRAND_DRBG_secure_new()\fR +create a new \s-1DRBG\s0 instance of the given \fBtype\fR, allocated from the heap resp. +the secure heap +(using \fIOPENSSL_zalloc()\fR resp. \fIOPENSSL_secure_zalloc()\fR). +.PP +\&\fIRAND_DRBG_set()\fR initializes the \fBdrbg\fR with the given \fBtype\fR and \fBflags\fR. +.PP +\&\fIRAND_DRBG_set_defaults()\fR sets the default \fBtype\fR and \fBflags\fR for new \s-1DRBG\s0 +instances. +.PP +Currently, all \s-1DRBG\s0 types are based on AES-CTR, so \fBtype\fR can be one of the +following values: NID_aes_128_ctr, NID_aes_192_ctr, NID_aes_256_ctr. +Before the \s-1DRBG\s0 can be used to generate random bits, it is necessary to set +its type and to instantiate it. +.PP +The optional \fBflags\fR argument specifies a set of bit flags which can be +joined using the | operator. Currently, the only flag is +\&\s-1RAND_DRBG_FLAG_CTR_NO_DF,\s0 which disables the use of a the derivation function +ctr_df. For an explanation, see [\s-1NIST SP 800\-90A\s0 Rev. 1]. +.PP +If a \fBparent\fR instance is specified then this will be used instead of +the default entropy source for reseeding the \fBdrbg\fR. It is said that the +\&\fBdrbg\fR is \fIchained\fR to its \fBparent\fR. +For more information, see the \s-1NOTES\s0 section. +.PP +\&\fIRAND_DRBG_instantiate()\fR +seeds the \fBdrbg\fR instance using random input from trusted entropy sources. +Optionally, a personalization string \fBpers\fR of length \fBperslen\fR can be +specified. +To omit the personalization string, set \fBpers\fR=NULL and \fBperslen\fR=0; +.PP +\&\fIRAND_DRBG_uninstantiate()\fR +clears the internal state of the \fBdrbg\fR and puts it back in the +uninstantiated state. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRAND_DRBG_new()\fR and \fIRAND_DRBG_secure_new()\fR return a pointer to a \s-1DRBG\s0 +instance allocated on the heap, resp. secure heap. +.PP +\&\fIRAND_DRBG_set()\fR, +\&\fIRAND_DRBG_instantiate()\fR, and +\&\fIRAND_DRBG_uninstantiate()\fR +return 1 on success, and 0 on failure. +.PP +\&\fIRAND_DRBG_free()\fR does not return a value. +.SH "NOTES" +.IX Header "NOTES" +The \s-1DRBG\s0 design supports \fIchaining\fR, which means that a \s-1DRBG\s0 instance can +use another \fBparent\fR \s-1DRBG\s0 instance instead of the default entropy source +to obtain fresh random input for reseeding, provided that \fBparent\fR \s-1DRBG\s0 +instance was properly instantiated, either from a trusted entropy source, +or from yet another parent \s-1DRBG\s0 instance. +For a detailed description of the reseeding process, see \s-1\fIRAND_DRBG\s0\fR\|(7). +.PP +The default \s-1DRBG\s0 type and flags are applied only during creation of a \s-1DRBG\s0 +instance. +To ensure that they are applied to the global and thread-local \s-1DRBG\s0 instances +(, resp. and ), it is necessary to call +\&\fIRAND_DRBG_set_defaults()\fR before creating any thread and before calling any +cryptographic routines that obtain random data directly or indirectly. +.SH "HISTORY" +.IX Header "HISTORY" +The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIOPENSSL_zalloc\fR\|(3), +\&\fIOPENSSL_secure_zalloc\fR\|(3), +\&\fIRAND_DRBG_generate\fR\|(3), +\&\s-1\fIRAND_DRBG\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_DRBG_reseed.3 b/secure/lib/libcrypto/man/RAND_DRBG_reseed.3 new file mode 100644 index 000000000000..9051034cb74e --- /dev/null +++ b/secure/lib/libcrypto/man/RAND_DRBG_reseed.3 @@ -0,0 +1,230 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RAND_DRBG_RESEED 3" +.TH RAND_DRBG_RESEED 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +RAND_DRBG_reseed, RAND_DRBG_set_reseed_interval, RAND_DRBG_set_reseed_time_interval, RAND_DRBG_set_reseed_defaults \&\- reseed a RAND_DRBG instance +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int RAND_DRBG_reseed(RAND_DRBG *drbg, +\& const unsigned char *adin, size_t adinlen); +\& +\& int RAND_DRBG_set_reseed_interval(RAND_DRBG *drbg, +\& unsigned int interval); +\& +\& int RAND_DRBG_set_reseed_time_interval(RAND_DRBG *drbg, +\& time_t interval); +\& +\& int RAND_DRBG_set_reseed_defaults( +\& unsigned int master_reseed_interval, +\& unsigned int slave_reseed_interval, +\& time_t master_reseed_time_interval, +\& time_t slave_reseed_time_interval +\& ); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIRAND_DRBG_reseed()\fR +reseeds the given \fBdrbg\fR, obtaining entropy input from its entropy source +and mixing in the specified additional data provided in the buffer \fBadin\fR +of length \fBadinlen\fR. +The additional data can be omitted by setting \fBadin\fR to \s-1NULL\s0 and \fBadinlen\fR +to 0. +.PP +\&\fIRAND_DRBG_set_reseed_interval()\fR +sets the reseed interval of the \fBdrbg\fR, which is the maximum allowed number +of generate requests between consecutive reseedings. +If \fBinterval\fR > 0, then the \fBdrbg\fR will reseed automatically whenever the +number of generate requests since its last seeding exceeds the given reseed +interval. +If \fBinterval\fR == 0, then this feature is disabled. +.PP +\&\fIRAND_DRBG_set_reseed_time_interval()\fR +sets the reseed time interval of the \fBdrbg\fR, which is the maximum allowed +number of seconds between consecutive reseedings. +If \fBinterval\fR > 0, then the \fBdrbg\fR will reseed automatically whenever the +elapsed time since its last reseeding exceeds the given reseed time interval. +If \fBinterval\fR == 0, then this feature is disabled. +.PP +\&\fIRAND_DRBG_set_reseed_defaults()\fR sets the default values for the reseed interval +(\fBmaster_reseed_interval\fR and \fBslave_reseed_interval\fR) +and the reseed time interval +(\fBmaster_reseed_time_interval\fR and \fBslave_reseed_tme_interval\fR) +of \s-1DRBG\s0 instances. +The default values are set independently for master \s-1DRBG\s0 instances (which don't +have a parent) and slave \s-1DRBG\s0 instances (which are chained to a parent \s-1DRBG\s0). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRAND_DRBG_reseed()\fR, +\&\fIRAND_DRBG_set_reseed_interval()\fR, and +\&\fIRAND_DRBG_set_reseed_time_interval()\fR, +return 1 on success, 0 on failure. +.SH "NOTES" +.IX Header "NOTES" +The default OpenSSL random generator is already set up for automatic reseeding, +so in general it is not necessary to reseed it explicitly, or to modify +its reseeding thresholds. +.PP +Normally, the entropy input for seeding a \s-1DRBG\s0 is either obtained from a +trusted os entropy source or from a parent \s-1DRBG\s0 instance, which was seeded +(directly or indirectly) from a trusted os entropy source. +In exceptional cases it is possible to replace the reseeding mechanism entirely +by providing application defined callbacks using \fIRAND_DRBG_set_callbacks()\fR. +.PP +The reseeding default values are applied only during creation of a \s-1DRBG\s0 instance. +To ensure that they are applied to the global and thread-local \s-1DRBG\s0 instances +(, resp. and ), it is necessary to call +\&\fIRAND_DRBG_set_reseed_defaults()\fR before creating any thread and before calling any + cryptographic routines that obtain random data directly or indirectly. +.SH "HISTORY" +.IX Header "HISTORY" +The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRAND_DRBG_generate\fR\|(3), +\&\fIRAND_DRBG_bytes\fR\|(3), +\&\fIRAND_DRBG_set_callbacks\fR\|(3). +\&\s-1\fIRAND_DRBG\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_DRBG_set_callbacks.3 b/secure/lib/libcrypto/man/RAND_DRBG_set_callbacks.3 new file mode 100644 index 000000000000..72ea7fe627d8 --- /dev/null +++ b/secure/lib/libcrypto/man/RAND_DRBG_set_callbacks.3 @@ -0,0 +1,264 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RAND_DRBG_SET_CALLBACKS 3" +.TH RAND_DRBG_SET_CALLBACKS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +RAND_DRBG_set_callbacks, RAND_DRBG_get_entropy_fn, RAND_DRBG_cleanup_entropy_fn, RAND_DRBG_get_nonce_fn, RAND_DRBG_cleanup_nonce_fn \&\- set callbacks for reseeding +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& +\& int RAND_DRBG_set_callbacks(RAND_DRBG *drbg, +\& RAND_DRBG_get_entropy_fn get_entropy, +\& RAND_DRBG_cleanup_entropy_fn cleanup_entropy, +\& RAND_DRBG_get_nonce_fn get_nonce, +\& RAND_DRBG_cleanup_nonce_fn cleanup_nonce); +.Ve +.SS "Callback Functions" +.IX Subsection "Callback Functions" +.Vb 6 +\& typedef size_t (*RAND_DRBG_get_entropy_fn)( +\& RAND_DRBG *drbg, +\& unsigned char **pout, +\& int entropy, +\& size_t min_len, size_t max_len, +\& int prediction_resistance); +\& +\& typedef void (*RAND_DRBG_cleanup_entropy_fn)( +\& RAND_DRBG *drbg, +\& unsigned char *out, size_t outlen); +\& +\& typedef size_t (*RAND_DRBG_get_nonce_fn)( +\& RAND_DRBG *drbg, +\& unsigned char **pout, +\& int entropy, +\& size_t min_len, size_t max_len); +\& +\& typedef void (*RAND_DRBG_cleanup_nonce_fn)( +\& RAND_DRBG *drbg, +\& unsigned char *out, size_t outlen); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIRAND_DRBG_set_callbacks()\fR sets the callbacks for obtaining fresh entropy and +the nonce when reseeding the given \fBdrbg\fR. +The callback functions are implemented and provided by the caller. +Their parameter lists need to match the function prototypes above. +.PP +Setting the callbacks is allowed only if the \s-1DRBG\s0 has not been initialized yet. +Otherwise, the operation will fail. +To change the settings for one of the three shared DRBGs it is necessary to call +\&\fIRAND_DRBG_uninstantiate()\fR first. +.PP +The \fBget_entropy\fR() callback is called by the \fBdrbg\fR when it requests fresh +random input. +It is expected that the callback allocates and fills a random buffer of size +\&\fBmin_len\fR <= size <= \fBmax_len\fR (in bytes) which contains at least \fBentropy\fR +bits of randomness. +The \fBprediction_resistance\fR flag indicates whether the reseeding was +triggered by a prediction resistance request. +.PP +The buffer's address is to be returned in *\fBpout\fR and the number of collected +randomness bytes as return value. +.PP +If the callback fails to acquire at least \fBentropy\fR bits of randomness, +it must indicate an error by returning a buffer length of 0. +.PP +If \fBprediction_resistance\fR was requested and the random source of the \s-1DRBG\s0 +does not satisfy the conditions requested by [\s-1NIST SP 800\-90C\s0], then +it must also indicate an error by returning a buffer length of 0. +See \s-1NOTES\s0 section for more details. +.PP +The \fBcleanup_entropy\fR() callback is called from the \fBdrbg\fR to to clear and +free the buffer allocated previously by \fIget_entropy()\fR. +The values \fBout\fR and \fBoutlen\fR are the random buffer's address and length, +as returned by the \fIget_entropy()\fR callback. +.PP +The \fBget_nonce\fR() and \fBcleanup_nonce\fR() callbacks are used to obtain a nonce +and free it again. A nonce is only required for instantiation (not for reseeding) +and only in the case where the \s-1DRBG\s0 uses a derivation function. +The callbacks are analogous to \fIget_entropy()\fR and \fIcleanup_entropy()\fR, +except for the missing prediction_resistance flag. +.PP +If the derivation function is disabled, then no nonce is used for instantiation, +and the \fBget_nonce\fR() and \fBcleanup_nonce\fR() callbacks can be omitted by +setting them to \s-1NULL.\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRAND_DRBG_set_callbacks()\fR return 1 on success, and 0 on failure +.SH "NOTES" +.IX Header "NOTES" +It is important that \fBcleanup_entropy\fR() and \fBcleanup_nonce\fR() clear the buffer +contents safely before freeing it, in order not to leave sensitive information +about the \s-1DRBG\s0's state in memory. +.PP +A request for prediction resistance can only be satisfied by pulling fresh +entropy from one of the approved entropy sources listed in section 5.5.2 of +[\s-1NIST SP 800\-90C\s0]. +Since the default implementation of the get_entropy callback does not have access +to such an approved entropy source, a request for prediction resistance will +always fail. +In other words, prediction resistance is currently not supported yet by the \s-1DRBG.\s0 +.PP +The derivation function is disabled during initialization by calling the +\&\fIRAND_DRBG_set()\fR function with the \s-1RAND_DRBG_FLAG_CTR_NO_DF\s0 flag. +For more information on the derivation function and when it can be omitted, +see [\s-1NIST SP 800\-90A\s0 Rev. 1]. Roughly speeking it can be omitted if the random +source has \*(L"full entropy\*(R", i.e., contains 8 bits of entropy per byte. +.PP +Even if a nonce is required, the \fBget_nonce\fR() and \fBcleanup_nonce\fR() +callbacks can be omitted by setting them to \s-1NULL.\s0 +In this case the \s-1DRBG\s0 will automatically request an extra amount of entropy +(using the \fBget_entropy\fR() and \fBcleanup_entropy\fR() callbacks) which it will +utilize for the nonce, following the recommendations of [\s-1NIST SP 800\-90A\s0 Rev. 1], +section 8.6.7. +.SH "HISTORY" +.IX Header "HISTORY" +The \s-1RAND_DRBG\s0 functions were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRAND_DRBG_new\fR\|(3), +\&\fIRAND_DRBG_reseed\fR\|(3), +\&\s-1\fIRAND_DRBG\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/secure/lib/libcrypto/man/RAND_DRBG_set_ex_data.3 similarity index 65% rename from secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 rename to secure/lib/libcrypto/man/RAND_DRBG_set_ex_data.3 index a5b7dfc559eb..8c8ffe3c8835 100644 --- a/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 +++ b/secure/lib/libcrypto/man/RAND_DRBG_set_ex_data.3 @@ -128,56 +128,62 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_ex_data_X509_STORE_CTX_idx 3" -.TH SSL_get_ex_data_X509_STORE_CTX_idx 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RAND_DRBG_SET_EX_DATA 3" +.TH RAND_DRBG_SET_EX_DATA 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_get_ex_data_X509_STORE_CTX_idx \- get ex_data index to access SSL structure -from X509_STORE_CTX +RAND_DRBG_set_ex_data, RAND_DRBG_get_ex_data, RAND_DRBG_get_ex_new_index \&\- store and retrieve extra data from the DRBG instance .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& int SSL_get_ex_data_X509_STORE_CTX_idx(void); +\& int RAND_DRBG_set_ex_data(RAND_DRBG *drbg, int idx, void *data); +\& +\& void *RAND_DRBG_get_ex_data(const RAND_DRBG *drbg, int idx); +\& +\& int RAND_DRBG_get_ex_new_index(long argl, void *argp, +\& CRYPTO_EX_new *new_func, +\& CRYPTO_EX_dup *dup_func, +\& CRYPTO_EX_free *free_func); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_get_ex_data_X509_STORE_CTX_idx()\fR returns the index number under which -the pointer to the \s-1SSL\s0 object is stored into the X509_STORE_CTX object. -.SH "NOTES" -.IX Header "NOTES" -Whenever a X509_STORE_CTX object is created for the verification of the -peers certificate during a handshake, a pointer to the \s-1SSL\s0 object is -stored into the X509_STORE_CTX object to identify the connection affected. -To retrieve this pointer the \fIX509_STORE_CTX_get_ex_data()\fR function can -be used with the correct index. This index is globally the same for all -X509_STORE_CTX objects and can be retrieved using -\&\fISSL_get_ex_data_X509_STORE_CTX_idx()\fR. The index value is set when -\&\fISSL_get_ex_data_X509_STORE_CTX_idx()\fR is first called either by the application -program directly or indirectly during other \s-1SSL\s0 setup functions or during -the handshake. +\&\fIRAND_DRBG_set_ex_data()\fR enables an application to store arbitrary application +specific data \fBdata\fR in a \s-1RAND_DRBG\s0 instance \fBdrbg\fR. The index \fBidx\fR should +be a value previously returned from a call to \fIRAND_DRBG_get_ex_new_index()\fR. .PP -The value depends on other index values defined for X509_STORE_CTX objects -before the \s-1SSL\s0 index is created. +\&\fIRAND_DRBG_get_ex_data()\fR retrieves application specific data previously stored +in an \s-1RAND_DRBG\s0 instance \fBdrbg\fR. The \fBidx\fR value should be the same as that +used when originally storing the data. +.PP +For more detailed information see \fICRYPTO_get_ex_data\fR\|(3) and +\&\fICRYPTO_set_ex_data\fR\|(3) which implement these functions and +\&\fICRYPTO_get_ex_new_index\fR\|(3) for generating a unique index. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -.IP ">=0" 4 -.IX Item ">=0" -The index value to access the pointer. -.IP "<0" 4 -.IX Item "<0" -An error occurred, check the error stack for a detailed error message. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -The index returned from \fISSL_get_ex_data_X509_STORE_CTX_idx()\fR allows to -access the \s-1SSL\s0 object for the connection to be accessed during the -\&\fIverify_callback()\fR when checking the peers certificate. Please check -the example in \fISSL_CTX_set_verify\fR\|(3), +\&\fIRAND_DRBG_set_ex_data()\fR returns 1 for success or 0 for failure. +.PP +\&\fIRAND_DRBG_get_ex_data()\fR returns the previously stored value or \s-1NULL\s0 on +failure. \s-1NULL\s0 may also be a valid value. +.SH "NOTES" +.IX Header "NOTES" +RAND_DRBG_get_ex_new_index(...) is implemented as a macro and equivalent to +CRYPTO_get_ex_new_index(\s-1CRYPTO_EX_INDEX_DRBG,...\s0). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_verify\fR\|(3), -\&\fICRYPTO_set_ex_data\fR\|(3) +\&\fICRYPTO_get_ex_data\fR\|(3), +\&\fICRYPTO_set_ex_data\fR\|(3), +\&\fICRYPTO_get_ex_new_index\fR\|(3), +\&\s-1\fIRAND_DRBG\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_add.3 b/secure/lib/libcrypto/man/RAND_add.3 index 325e937992bf..4e83e27e56c2 100644 --- a/secure/lib/libcrypto/man/RAND_add.3 +++ b/secure/lib/libcrypto/man/RAND_add.3 @@ -128,78 +128,104 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RAND_add 3" -.TH RAND_add 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RAND_ADD 3" +.TH RAND_ADD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RAND_add, RAND_seed, RAND_status, RAND_event, RAND_screen \- add -entropy to the PRNG +RAND_add, RAND_poll, RAND_seed, RAND_status, RAND_event, RAND_screen, RAND_keep_random_devices_open \&\- add randomness to the PRNG or get its status .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& int RAND_status(void); +\& int RAND_poll(); +\& +\& void RAND_add(const void *buf, int num, double randomness); \& void RAND_seed(const void *buf, int num); \& -\& void RAND_add(const void *buf, int num, double entropy); -\& -\& int RAND_status(void); -\& -\& int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam); +\& void RAND_keep_random_devices_open(int keep); +.Ve +.PP +Deprecated: +.PP +.Vb 4 +\& #if OPENSSL_API_COMPAT < 0x10100000L +\& int RAND_event(UINT iMsg, WPARAM wParam, LPARAM lParam); \& void RAND_screen(void); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIRAND_add()\fR mixes the \fBnum\fR bytes at \fBbuf\fR into the \s-1PRNG\s0 state. Thus, -if the data at \fBbuf\fR are unpredictable to an adversary, this -increases the uncertainty about the state and makes the \s-1PRNG\s0 output -less predictable. Suitable input comes from user interaction (random -key presses, mouse movements) and certain hardware events. The -\&\fBentropy\fR argument is (the lower bound of) an estimate of how much -randomness is contained in \fBbuf\fR, measured in bytes. Details about -sources of randomness and how to estimate their entropy can be found -in the literature, e.g. \s-1RFC 1750.\s0 +These functions can be used to seed the random generator and to check its +seeded state. +In general, manual (re\-)seeding of the default OpenSSL random generator +(\fIRAND_OpenSSL\fR\|(3)) is not necessary (but allowed), since it does (re\-)seed +itself automatically using trusted system entropy sources. +This holds unless the default \s-1RAND_METHOD\s0 has been replaced or OpenSSL was +built with automatic reseeding disabled, see \s-1\fIRAND\s0\fR\|(7) for more details. .PP -\&\fIRAND_add()\fR may be called with sensitive data such as user entered -passwords. The seed values cannot be recovered from the \s-1PRNG\s0 output. +\&\fIRAND_status()\fR indicates whether or not the random generator has been sufficiently +seeded. If not, functions such as \fIRAND_bytes\fR\|(3) will fail. .PP -OpenSSL makes sure that the \s-1PRNG\s0 state is unique for each thread. On -systems that provide \f(CW\*(C`/dev/urandom\*(C'\fR, the randomness device is used -to seed the \s-1PRNG\s0 transparently. However, on all other systems, the -application is responsible for seeding the \s-1PRNG\s0 by calling \fIRAND_add()\fR, -\&\fIRAND_egd\fR\|(3) -or \fIRAND_load_file\fR\|(3). +\&\fIRAND_poll()\fR uses the system's capabilities to seed the random generator using +random input obtained from polling various trusted entropy sources. +The default choice of the entropy source can be modified at build time, +see \s-1\fIRAND\s0\fR\|(7) for more details. .PP -\&\fIRAND_seed()\fR is equivalent to \fIRAND_add()\fR when \fBnum == entropy\fR. +\&\fIRAND_add()\fR mixes the \fBnum\fR bytes at \fBbuf\fR into the internal state +of the random generator. +This function will not normally be needed, as mentioned above. +The \fBrandomness\fR argument is an estimate of how much randomness is +contained in +\&\fBbuf\fR, in bytes, and should be a number between zero and \fBnum\fR. +Details about sources of randomness and how to estimate their randomness +can be found in the literature; for example [\s-1NIST SP 800\-90B\s0]. +The content of \fBbuf\fR cannot be recovered from subsequent random generator output. +Applications that intend to save and restore random state in an external file +should consider using \fIRAND_load_file\fR\|(3) instead. .PP -\&\fIRAND_event()\fR collects the entropy from Windows events such as mouse -movements and other user interaction. It should be called with the -\&\fBiMsg\fR, \fBwParam\fR and \fBlParam\fR arguments of \fIall\fR messages sent to -the window procedure. It will estimate the entropy contained in the -event message (if any), and add it to the \s-1PRNG.\s0 The program can then -process the messages as usual. +\&\fIRAND_seed()\fR is equivalent to \fIRAND_add()\fR with \fBrandomness\fR set to \fBnum\fR. .PP -The \fIRAND_screen()\fR function is available for the convenience of Windows -programmers. It adds the current contents of the screen to the \s-1PRNG.\s0 -For applications that can catch Windows events, seeding the \s-1PRNG\s0 by -calling \fIRAND_event()\fR is a significantly better source of -randomness. It should be noted that both methods cannot be used on -servers that run without user interaction. +\&\fIRAND_keep_random_devices_open()\fR is used to control file descriptor +usage by the random seed sources. Some seed sources maintain open file +descriptors by default, which allows such sources to operate in a +\&\fIchroot\fR\|(2) jail without the associated device nodes being available. When +the \fBkeep\fR argument is zero, this call disables the retention of file +descriptors. Conversely, a non-zero argument enables the retention of +file descriptors. This function is usually called during initialization +and it takes effect immediately. +.PP +\&\fIRAND_event()\fR and \fIRAND_screen()\fR are equivalent to \fIRAND_poll()\fR and exist +for compatibility reasons only. See \s-1HISTORY\s0 section below. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIRAND_status()\fR and \fIRAND_event()\fR return 1 if the \s-1PRNG\s0 has been seeded +\&\fIRAND_status()\fR returns 1 if the random generator has been seeded with enough data, 0 otherwise. .PP +\&\fIRAND_poll()\fR returns 1 if it generated seed data, 0 otherwise. +.PP +\&\fIRAND_event()\fR returns \fIRAND_status()\fR. +.PP The other functions do not return values. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrand\fR\|(3), \fIRAND_egd\fR\|(3), -\&\fIRAND_load_file\fR\|(3), \fIRAND_cleanup\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIRAND_seed()\fR and \fIRAND_screen()\fR are available in all versions of SSLeay -and OpenSSL. \fIRAND_add()\fR and \fIRAND_status()\fR have been added in OpenSSL -0.9.5, \fIRAND_event()\fR in OpenSSL 0.9.5a. +\&\fIRAND_event()\fR and \fIRAND_screen()\fR were deprecated in OpenSSL 1.1.0 and should +not be used. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRAND_bytes\fR\|(3), +\&\fIRAND_egd\fR\|(3), +\&\fIRAND_load_file\fR\|(3), +\&\s-1\fIRAND\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_bytes.3 b/secure/lib/libcrypto/man/RAND_bytes.3 index 4316b507579a..31d105e41d25 100644 --- a/secure/lib/libcrypto/man/RAND_bytes.3 +++ b/secure/lib/libcrypto/man/RAND_bytes.3 @@ -128,51 +128,72 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RAND_bytes 3" -.TH RAND_bytes 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RAND_BYTES 3" +.TH RAND_BYTES 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RAND_bytes, RAND_pseudo_bytes \- generate random data +RAND_bytes, RAND_priv_bytes, RAND_pseudo_bytes \- generate random data .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int RAND_bytes(unsigned char *buf, int num); -\& +\& int RAND_priv_bytes(unsigned char *buf, int num); +.Ve +.PP +Deprecated: +.PP +.Vb 3 +\& #if OPENSSL_API_COMPAT < 0x10100000L \& int RAND_pseudo_bytes(unsigned char *buf, int num); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIRAND_bytes()\fR puts \fBnum\fR cryptographically strong pseudo-random bytes -into \fBbuf\fR. An error occurs if the \s-1PRNG\s0 has not been seeded with -enough randomness to ensure an unpredictable byte sequence. +into \fBbuf\fR. .PP -\&\fIRAND_pseudo_bytes()\fR puts \fBnum\fR pseudo-random bytes into \fBbuf\fR. -Pseudo-random byte sequences generated by \fIRAND_pseudo_bytes()\fR will be -unique if they are of sufficient length, but are not necessarily -unpredictable. They can be used for non-cryptographic purposes and for -certain purposes in cryptographic protocols, but usually not for key -generation etc. -.PP -The contents of \fBbuf\fR is mixed into the entropy pool before retrieving -the new pseudo-random bytes unless disabled at compile time (see \s-1FAQ\s0). +\&\fIRAND_priv_bytes()\fR has the same semantics as \fIRAND_bytes()\fR. It is intended to +be used for generating values that should remain private. If using the +default \s-1RAND_METHOD,\s0 this function uses a separate \*(L"private\*(R" \s-1PRNG\s0 +instance so that a compromise of the \*(L"public\*(R" \s-1PRNG\s0 instance will not +affect the secrecy of these private values, as described in \s-1\fIRAND\s0\fR\|(7) +and \s-1\fIRAND_DRBG\s0\fR\|(7). +.SH "NOTES" +.IX Header "NOTES" +Always check the error return value of \fIRAND_bytes()\fR and +\&\fIRAND_priv_bytes()\fR and do not take randomness for granted: an error occurs +if the \s-1CSPRNG\s0 has not been seeded with enough randomness to ensure an +unpredictable byte sequence. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIRAND_bytes()\fR returns 1 on success, 0 otherwise. The error code can be -obtained by \fIERR_get_error\fR\|(3). \fIRAND_pseudo_bytes()\fR returns 1 if the -bytes generated are cryptographically strong, 0 otherwise. Both -functions return \-1 if they are not supported by the current \s-1RAND\s0 -method. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrand\fR\|(3), \fIERR_get_error\fR\|(3), -\&\fIRAND_add\fR\|(3) +\&\fIRAND_bytes()\fR and \fIRAND_priv_bytes()\fR +return 1 on success, \-1 if not supported by the current +\&\s-1RAND\s0 method, or 0 on other failure. The error code can be +obtained by \fIERR_get_error\fR\|(3). .SH "HISTORY" .IX Header "HISTORY" -\&\fIRAND_bytes()\fR is available in all versions of SSLeay and OpenSSL. It -has a return value since OpenSSL 0.9.5. \fIRAND_pseudo_bytes()\fR was added -in OpenSSL 0.9.5. +.IP "\(bu" 2 +\&\fIRAND_pseudo_bytes()\fR was deprecated in OpenSSL 1.1.0; use \fIRAND_bytes()\fR instead. +.IP "\(bu" 2 +\&\fIRAND_priv_bytes()\fR was added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRAND_add\fR\|(3), +\&\fIRAND_bytes\fR\|(3), +\&\fIRAND_priv_bytes\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\s-1\fIRAND\s0\fR\|(7), +\&\s-1\fIRAND_DRBG\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_cleanup.3 b/secure/lib/libcrypto/man/RAND_cleanup.3 index ac866e9ad589..4eb523011e9d 100644 --- a/secure/lib/libcrypto/man/RAND_cleanup.3 +++ b/secure/lib/libcrypto/man/RAND_cleanup.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RAND_cleanup 3" -.TH RAND_cleanup 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RAND_CLEANUP 3" +.TH RAND_CLEANUP 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,17 +141,31 @@ RAND_cleanup \- erase the PRNG state .Vb 1 \& #include \& -\& void RAND_cleanup(void); +\& #if OPENSSL_API_COMPAT < 0x10100000L +\& void RAND_cleanup(void) +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIRAND_cleanup()\fR erases the memory used by the \s-1PRNG.\s0 -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +Prior to OpenSSL 1.1.0, \fIRAND_cleanup()\fR released all resources used by +the \s-1PRNG.\s0 As of version 1.1.0, it does nothing and should not be called, +since no explicit initialisation or de-initialisation is necessary. See +\&\fIOPENSSL_init_crypto\fR\|(3). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" \&\fIRAND_cleanup()\fR returns no value. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrand\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIRAND_cleanup()\fR is available in all versions of SSLeay and OpenSSL. +\&\fIRAND_cleanup()\fR was deprecated in OpenSSL 1.1.0; do not use it. +See \fIOPENSSL_init_crypto\fR\|(3) +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\s-1\fIRAND\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_egd.3 b/secure/lib/libcrypto/man/RAND_egd.3 index cd4d91a80d6c..15971f5edd22 100644 --- a/secure/lib/libcrypto/man/RAND_egd.3 +++ b/secure/lib/libcrypto/man/RAND_egd.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RAND_egd 3" -.TH RAND_egd 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RAND_EGD 3" +.TH RAND_EGD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,75 +141,49 @@ RAND_egd, RAND_egd_bytes, RAND_query_egd_bytes \- query entropy gathering daemon .Vb 1 \& #include \& +\& int RAND_egd_bytes(const char *path, int num); \& int RAND_egd(const char *path); -\& int RAND_egd_bytes(const char *path, int bytes); \& -\& int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes); +\& int RAND_query_egd_bytes(const char *path, unsigned char *buf, int num); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIRAND_egd()\fR queries the entropy gathering daemon \s-1EGD\s0 on socket \fBpath\fR. -It queries 255 bytes and uses \fIRAND_add\fR\|(3) to seed the -OpenSSL built-in \s-1PRNG.\s0 RAND_egd(path) is a wrapper for -RAND_egd_bytes(path, 255); +On older platforms without a good source of randomness such as \f(CW\*(C`/dev/urandom\*(C'\fR, +it is possible to query an Entropy Gathering Daemon (\s-1EGD\s0) over a local +socket to obtain randomness and seed the OpenSSL \s-1RNG.\s0 +The protocol used is defined by the EGDs available at + or . .PP -\&\fIRAND_egd_bytes()\fR queries the entropy gathering daemon \s-1EGD\s0 on socket \fBpath\fR. -It queries \fBbytes\fR bytes and uses \fIRAND_add\fR\|(3) to seed the -OpenSSL built-in \s-1PRNG.\s0 -This function is more flexible than \fIRAND_egd()\fR. -When only one secret key must -be generated, it is not necessary to request the full amount 255 bytes from -the \s-1EGD\s0 socket. This can be advantageous, since the amount of entropy -that can be retrieved from \s-1EGD\s0 over time is limited. +\&\fIRAND_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an \s-1EGD\s0 at the +specified socket \fBpath\fR, and passes the data it receives into \fIRAND_add()\fR. +\&\fIRAND_egd()\fR is equivalent to \fIRAND_egd_bytes()\fR with \fBnum\fR set to 255. .PP -\&\fIRAND_query_egd_bytes()\fR performs the actual query of the \s-1EGD\s0 daemon on socket -\&\fBpath\fR. If \fBbuf\fR is given, \fBbytes\fR bytes are queried and written into -\&\fBbuf\fR. If \fBbuf\fR is \s-1NULL,\s0 \fBbytes\fR bytes are queried and used to seed the -OpenSSL built-in \s-1PRNG\s0 using \fIRAND_add\fR\|(3). -.SH "NOTES" -.IX Header "NOTES" -On systems without /dev/*random devices providing entropy from the kernel, -the \s-1EGD\s0 entropy gathering daemon can be used to collect entropy. It provides -a socket interface through which entropy can be gathered in chunks up to -255 bytes. Several chunks can be queried during one connection. +\&\fIRAND_query_egd_bytes()\fR requests \fBnum\fR bytes of randomness from an \s-1EGD\s0 at +the specified socket \fBpath\fR, where \fBnum\fR must be less than 256. +If \fBbuf\fR is \fB\s-1NULL\s0\fR, it is equivalent to \fIRAND_egd_bytes()\fR. +If \fBbuf\fR is not \fB\s-1NULL\s0\fR, then the data is copied to the buffer and +\&\fIRAND_add()\fR is not called. .PP -\&\s-1EGD\s0 is available from http://www.lothar.com/tech/crypto/ (\f(CW\*(C`perl -Makefile.PL; make; make install\*(C'\fR to install). It is run as \fBegd\fR -\&\fIpath\fR, where \fIpath\fR is an absolute path designating a socket. When -\&\fIRAND_egd()\fR is called with that path as an argument, it tries to read -random bytes that \s-1EGD\s0 has collected. \fIRAND_egd()\fR retrieves entropy from the -daemon using the daemon's \*(L"non-blocking read\*(R" command which shall -be answered immediately by the daemon without waiting for additional -entropy to be collected. The write and read socket operations in the -communication are blocking. -.PP -Alternatively, the EGD-interface compatible daemon \s-1PRNGD\s0 can be used. It is -available from -http://prngd.sourceforge.net/ . -\&\s-1PRNGD\s0 does employ an internal \s-1PRNG\s0 itself and can therefore never run -out of entropy. -.PP -OpenSSL automatically queries \s-1EGD\s0 when entropy is requested via \fIRAND_bytes()\fR -or the status is checked via \fIRAND_status()\fR for the first time, if the socket -is located at /var/run/egd\-pool, /dev/egd\-pool or /etc/egd\-pool. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +OpenSSL can be configured at build time to try to use the \s-1EGD\s0 for seeding +automatically. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" \&\fIRAND_egd()\fR and \fIRAND_egd_bytes()\fR return the number of bytes read from the -daemon on success, and \-1 if the connection failed or the daemon did not +daemon on success, or \-1 if the connection failed or the daemon did not return enough data to fully seed the \s-1PRNG.\s0 .PP \&\fIRAND_query_egd_bytes()\fR returns the number of bytes read from the daemon on -success, and \-1 if the connection failed. The \s-1PRNG\s0 state is not considered. +success, or \-1 if the connection failed. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrand\fR\|(3), \fIRAND_add\fR\|(3), -\&\fIRAND_cleanup\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRAND_egd()\fR is available since OpenSSL 0.9.5. +\&\fIRAND_add\fR\|(3), +\&\fIRAND_bytes\fR\|(3), +\&\s-1\fIRAND\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIRAND_egd_bytes()\fR is available since OpenSSL 0.9.6. -.PP -\&\fIRAND_query_egd_bytes()\fR is available since OpenSSL 0.9.7. -.PP -The automatic query of /var/run/egd\-pool et al was added in OpenSSL 0.9.7. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_load_file.3 b/secure/lib/libcrypto/man/RAND_load_file.3 index b99e2f78282d..aa464b4a3b12 100644 --- a/secure/lib/libcrypto/man/RAND_load_file.3 +++ b/secure/lib/libcrypto/man/RAND_load_file.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RAND_load_file 3" -.TH RAND_load_file 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RAND_LOAD_FILE 3" +.TH RAND_LOAD_FILE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,41 +141,74 @@ RAND_load_file, RAND_write_file, RAND_file_name \- PRNG seed file .Vb 1 \& #include \& -\& const char *RAND_file_name(char *buf, size_t num); -\& \& int RAND_load_file(const char *filename, long max_bytes); \& \& int RAND_write_file(const char *filename); +\& +\& const char *RAND_file_name(char *buf, size_t num); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIRAND_file_name()\fR generates a default path for the random seed -file. \fBbuf\fR points to a buffer of size \fBnum\fR in which to store the -filename. The seed file is \f(CW$RANDFILE\fR if that environment variable is -set, \f(CW$HOME\fR/.rnd otherwise. If \f(CW$HOME\fR is not set either, or \fBnum\fR is -too small for the path name, an error occurs. -.PP \&\fIRAND_load_file()\fR reads a number of bytes from file \fBfilename\fR and adds them to the \s-1PRNG.\s0 If \fBmax_bytes\fR is non-negative, -up to to \fBmax_bytes\fR are read; starting with OpenSSL 0.9.5, +up to \fBmax_bytes\fR are read; if \fBmax_bytes\fR is \-1, the complete file is read. +Do not load the same file multiple times unless its contents have +been updated by \fIRAND_write_file()\fR between reads. +Also, note that \fBfilename\fR should be adequately protected so that an +attacker cannot replace or examine the contents. +If \fBfilename\fR is not a regular file, then user is considered to be +responsible for any side effects, e.g. non-anticipated blocking or +capture of controlling terminal. .PP -\&\fIRAND_write_file()\fR writes a number of random bytes (currently 1024) to +\&\fIRAND_write_file()\fR writes a number of random bytes (currently 128) to file \fBfilename\fR which can be used to initialize the \s-1PRNG\s0 by calling \&\fIRAND_load_file()\fR in a later session. +.PP +\&\fIRAND_file_name()\fR generates a default path for the random seed +file. \fBbuf\fR points to a buffer of size \fBnum\fR in which to store the +filename. +.PP +On all systems, if the environment variable \fB\s-1RANDFILE\s0\fR is set, its +value will be used as the seed file name. +Otherwise, the file is called \f(CW\*(C`.rnd\*(C'\fR, found in platform dependent locations: +.IP "On Windows (in order of preference)" 4 +.IX Item "On Windows (in order of preference)" +.Vb 1 +\& %HOME%, %USERPROFILE%, %SYSTEMROOT%, C:\e +.Ve +.IP "On \s-1VMS\s0" 4 +.IX Item "On VMS" +.Vb 1 +\& SYS$LOGIN: +.Ve +.IP "On all other systems" 4 +.IX Item "On all other systems" +.Vb 1 +\& $HOME +.Ve +.PP +If \f(CW$HOME\fR (on non-Windows and non-VMS system) is not set either, or +\&\fBnum\fR is too small for the path name, an error occurs. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIRAND_load_file()\fR returns the number of bytes read. +\&\fIRAND_load_file()\fR returns the number of bytes read or \-1 on error. .PP -\&\fIRAND_write_file()\fR returns the number of bytes written, and \-1 if the -bytes written were generated without appropriate seed. +\&\fIRAND_write_file()\fR returns the number of bytes written, or \-1 if the +bytes written were generated without appropriate seeding. .PP \&\fIRAND_file_name()\fR returns a pointer to \fBbuf\fR on success, and \s-1NULL\s0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrand\fR\|(3), \fIRAND_add\fR\|(3), \fIRAND_cleanup\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRAND_load_file()\fR, \fIRAND_write_file()\fR and \fIRAND_file_name()\fR are available in -all versions of SSLeay and OpenSSL. +\&\fIRAND_add\fR\|(3), +\&\fIRAND_bytes\fR\|(3), +\&\s-1\fIRAND\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RAND_set_rand_method.3 b/secure/lib/libcrypto/man/RAND_set_rand_method.3 index a91cfad32f44..6f9519751fb8 100644 --- a/secure/lib/libcrypto/man/RAND_set_rand_method.3 +++ b/secure/lib/libcrypto/man/RAND_set_rand_method.3 @@ -128,84 +128,71 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RAND_set_rand_method 3" -.TH RAND_set_rand_method 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RAND_SET_RAND_METHOD 3" +.TH RAND_SET_RAND_METHOD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RAND_set_rand_method, RAND_get_rand_method, RAND_SSLeay \- select RAND method +RAND_set_rand_method, RAND_get_rand_method, RAND_OpenSSL \- select RAND method .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& RAND_METHOD *RAND_OpenSSL(void); +\& \& void RAND_set_rand_method(const RAND_METHOD *meth); \& \& const RAND_METHOD *RAND_get_rand_method(void); -\& -\& RAND_METHOD *RAND_SSLeay(void); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" A \fB\s-1RAND_METHOD\s0\fR specifies the functions that OpenSSL uses for random number -generation. By modifying the method, alternative implementations such as -hardware RNGs may be used. \s-1IMPORTANT:\s0 See the \s-1NOTES\s0 section for important -information about how these \s-1RAND API\s0 functions are affected by the use of -\&\fB\s-1ENGINE\s0\fR \s-1API\s0 calls. +generation. .PP -Initially, the default \s-1RAND_METHOD\s0 is the OpenSSL internal implementation, as -returned by \fIRAND_SSLeay()\fR. +\&\fIRAND_OpenSSL()\fR returns the default \fB\s-1RAND_METHOD\s0\fR implementation by OpenSSL. +This implementation ensures that the \s-1PRNG\s0 state is unique for each thread. .PP -\&\fIRAND_set_default_method()\fR makes \fBmeth\fR the method for \s-1PRNG\s0 use. \fB\s-1NB\s0\fR: This is -true only whilst no \s-1ENGINE\s0 has been set as a default for \s-1RAND,\s0 so this function -is no longer recommended. +If an \fB\s-1ENGINE\s0\fR is loaded that provides the \s-1RAND API,\s0 however, it will +be used instead of the method returned by \fIRAND_OpenSSL()\fR. .PP -\&\fIRAND_get_default_method()\fR returns a pointer to the current \s-1RAND_METHOD.\s0 -However, the meaningfulness of this result is dependent on whether the \s-1ENGINE -API\s0 is being used, so this function is no longer recommended. +\&\fIRAND_set_rand_method()\fR makes \fBmeth\fR the method for \s-1PRNG\s0 use. If an +\&\s-1ENGINE\s0 was providing the method, it will be released first. +.PP +\&\fIRAND_get_rand_method()\fR returns a pointer to the current \fB\s-1RAND_METHOD\s0\fR. .SH "THE RAND_METHOD STRUCTURE" .IX Header "THE RAND_METHOD STRUCTURE" -.Vb 9 -\& typedef struct rand_meth_st -\& { -\& void (*seed)(const void *buf, int num); -\& int (*bytes)(unsigned char *buf, int num); -\& void (*cleanup)(void); -\& void (*add)(const void *buf, int num, int entropy); -\& int (*pseudorand)(unsigned char *buf, int num); -\& int (*status)(void); +.Vb 8 +\& typedef struct rand_meth_st { +\& void (*seed)(const void *buf, int num); +\& int (*bytes)(unsigned char *buf, int num); +\& void (*cleanup)(void); +\& void (*add)(const void *buf, int num, int randomness); +\& int (*pseudorand)(unsigned char *buf, int num); +\& int (*status)(void); \& } RAND_METHOD; .Ve .PP -The components point to the implementation of \fIRAND_seed()\fR, -\&\fIRAND_bytes()\fR, \fIRAND_cleanup()\fR, \fIRAND_add()\fR, \fIRAND_pseudo_rand()\fR +The fields point to functions that are used by, in order, +\&\fIRAND_seed()\fR, \fIRAND_bytes()\fR, internal \s-1RAND\s0 cleanup, \fIRAND_add()\fR, \fIRAND_pseudo_rand()\fR and \fIRAND_status()\fR. -Each component may be \s-1NULL\s0 if the function is not implemented. +Each pointer may be \s-1NULL\s0 if the function is not implemented. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIRAND_set_rand_method()\fR returns no value. \fIRAND_get_rand_method()\fR and -\&\fIRAND_SSLeay()\fR return pointers to the respective methods. -.SH "NOTES" -.IX Header "NOTES" -As of version 0.9.7, \s-1RAND_METHOD\s0 implementations are grouped together with other -algorithmic APIs (eg. \s-1RSA_METHOD, EVP_CIPHER,\s0 etc) in \fB\s-1ENGINE\s0\fR modules. If a -default \s-1ENGINE\s0 is specified for \s-1RAND\s0 functionality using an \s-1ENGINE API\s0 function, -that will override any \s-1RAND\s0 defaults set using the \s-1RAND API\s0 (ie. -\&\fIRAND_set_rand_method()\fR). For this reason, the \s-1ENGINE API\s0 is the recommended way -to control default implementations for use in \s-1RAND\s0 and other cryptographic -algorithms. +\&\fIRAND_OpenSSL()\fR return pointers to the respective methods. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrand\fR\|(3), \fIengine\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRAND_set_rand_method()\fR, \fIRAND_get_rand_method()\fR and \fIRAND_SSLeay()\fR are -available in all versions of OpenSSL. +\&\fIRAND_bytes\fR\|(3), +\&\fIENGINE_by_id\fR\|(3), +\&\s-1\fIRAND\s0\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -In the engine version of version 0.9.6, \fIRAND_set_rand_method()\fR was altered to -take an \s-1ENGINE\s0 pointer as its argument. As of version 0.9.7, that has been -reverted as the \s-1ENGINE API\s0 transparently overrides \s-1RAND\s0 defaults if used, -otherwise \s-1RAND API\s0 functions work as before. \fIRAND_set_rand_engine()\fR was also -introduced in version 0.9.7. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/rc4.3 b/secure/lib/libcrypto/man/RC4_set_key.3 similarity index 89% rename from secure/lib/libcrypto/man/rc4.3 rename to secure/lib/libcrypto/man/RC4_set_key.3 index ca4d86785496..fd2ffe802b9d 100644 --- a/secure/lib/libcrypto/man/rc4.3 +++ b/secure/lib/libcrypto/man/RC4_set_key.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "rc4 3" -.TH rc4 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RC4_SET_KEY 3" +.TH RC4_SET_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -169,21 +169,25 @@ the same \fBkey\fR yield a continuous key stream. Since \s-1RC4\s0 is a stream cipher (the input is XORed with a pseudo-random key stream to produce the output), decryption uses the same function calls as encryption. -.PP -Applications should use the higher level functions -\&\fIEVP_EncryptInit\fR\|(3) -etc. instead of calling the \s-1RC4\s0 functions directly. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIRC4_set_key()\fR and \s-1\fIRC4\s0()\fR do not return values. .SH "NOTE" .IX Header "NOTE" -Certain conditions have to be observed to securely use stream ciphers. -It is not permissible to perform multiple encryptions using the same -key stream. +Applications should use the higher level functions +\&\fIEVP_EncryptInit\fR\|(3) etc. instead of calling these +functions directly. +.PP +It is difficult to securely use stream ciphers. For example, do not perform +multiple encryptions using the same key stream. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIblowfish\fR\|(3), \fIdes\fR\|(3), \fIrc2\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRC4_set_key()\fR and \s-1\fIRC4\s0()\fR are available in all versions of SSLeay and OpenSSL. +\&\fIEVP_EncryptInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ripemd.3 b/secure/lib/libcrypto/man/RIPEMD160_Init.3 similarity index 86% rename from secure/lib/libcrypto/man/ripemd.3 rename to secure/lib/libcrypto/man/RIPEMD160_Init.3 index 3a0a195c192d..6bc90df40ef0 100644 --- a/secure/lib/libcrypto/man/ripemd.3 +++ b/secure/lib/libcrypto/man/RIPEMD160_Init.3 @@ -128,26 +128,24 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ripemd 3" -.TH ripemd 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RIPEMD160_INIT 3" +.TH RIPEMD160_INIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final \- -RIPEMD\-160 hash function +RIPEMD160, RIPEMD160_Init, RIPEMD160_Update, RIPEMD160_Final \- RIPEMD\-160 hash function .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& unsigned char *RIPEMD160(const unsigned char *d, unsigned long n, -\& unsigned char *md); +\& unsigned char *md); \& \& int RIPEMD160_Init(RIPEMD160_CTX *c); -\& int RIPEMD160_Update(RIPEMD_CTX *c, const void *data, -\& unsigned long len); +\& int RIPEMD160_Update(RIPEMD_CTX *c, const void *data, unsigned long len); \& int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c); .Ve .SH "DESCRIPTION" @@ -171,23 +169,28 @@ be hashed (\fBlen\fR bytes at \fBdata\fR). \&\fIRIPEMD160_Final()\fR places the message digest in \fBmd\fR, which must have space for \s-1RIPEMD160_DIGEST_LENGTH\s0 == 20 bytes of output, and erases the \fB\s-1RIPEMD160_CTX\s0\fR. -.PP -Applications should use the higher level functions -\&\fIEVP_DigestInit\fR\|(3) etc. instead of calling the -hash functions directly. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\s-1\fIRIPEMD160\s0()\fR returns a pointer to the hash value. .PP \&\fIRIPEMD160_Init()\fR, \fIRIPEMD160_Update()\fR and \fIRIPEMD160_Final()\fR return 1 for success, 0 otherwise. +.SH "NOTE" +.IX Header "NOTE" +Applications should use the higher level functions +\&\fIEVP_DigestInit\fR\|(3) etc. instead of calling these +functions directly. .SH "CONFORMING TO" .IX Header "CONFORMING TO" -\&\s-1ISO/IEC 10118\-3\s0 (draft) (??) +\&\s-1ISO/IEC 10118\-3:2016\s0 Dedicated Hash-Function 1 (\s-1RIPEMD\-160\s0). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIsha\fR\|(3), \fIhmac\fR\|(3), \fIEVP_DigestInit\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1\fIRIPEMD160\s0()\fR, \fIRIPEMD160_Init()\fR, \fIRIPEMD160_Update()\fR and -\&\fIRIPEMD160_Final()\fR are available since SSLeay 0.9.0. +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_blinding_on.3 b/secure/lib/libcrypto/man/RSA_blinding_on.3 index 540e99b2fb7c..585d04b217ca 100644 --- a/secure/lib/libcrypto/man/RSA_blinding_on.3 +++ b/secure/lib/libcrypto/man/RSA_blinding_on.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_blinding_on 3" -.TH RSA_blinding_on 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_BLINDING_ON 3" +.TH RSA_BLINDING_ON 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -163,9 +163,11 @@ the blinding factor. \&\fIRSA_blinding_on()\fR returns 1 on success, and 0 if an error occurred. .PP \&\fIRSA_blinding_off()\fR returns no value. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrsa\fR\|(3), \fIrand\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRSA_blinding_on()\fR and \fIRSA_blinding_off()\fR appeared in SSLeay 0.9.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_check_key.3 b/secure/lib/libcrypto/man/RSA_check_key.3 index 020ea4736e74..fa672b34c02d 100644 --- a/secure/lib/libcrypto/man/RSA_check_key.3 +++ b/secure/lib/libcrypto/man/RSA_check_key.3 @@ -128,46 +128,53 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_check_key 3" -.TH RSA_check_key 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_CHECK_KEY 3" +.TH RSA_CHECK_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RSA_check_key \- validate private RSA keys +RSA_check_key_ex, RSA_check_key \- validate private RSA keys .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& int RSA_check_key_ex(RSA *rsa, BN_GENCB *cb); +\& \& int RSA_check_key(RSA *rsa); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -This function validates \s-1RSA\s0 keys. It checks that \fBp\fR and \fBq\fR are +\&\fIRSA_check_key_ex()\fR function validates \s-1RSA\s0 keys. +It checks that \fBp\fR and \fBq\fR are in fact prime, and that \fBn = p*q\fR. .PP +It does not work on \s-1RSA\s0 public keys that have only the modulus +and public exponent elements populated. It also checks that \fBd*e = 1 mod (p\-1*q\-1)\fR, and that \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR are set correctly or are \fB\s-1NULL\s0\fR. +It performs integrity checks on all +the \s-1RSA\s0 key material, so the \s-1RSA\s0 key structure must contain all the private +key data too. +Therefore, it cannot be used with any arbitrary \s-1RSA\s0 key object, +even if it is otherwise fit for regular \s-1RSA\s0 operation. .PP -As such, this function can not be used with any arbitrary \s-1RSA\s0 key object, -even if it is otherwise fit for regular \s-1RSA\s0 operation. See \fB\s-1NOTES\s0\fR for more -information. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" -\&\fIRSA_check_key()\fR returns 1 if \fBrsa\fR is a valid \s-1RSA\s0 key, and 0 otherwise. -\&\-1 is returned if an error occurs while checking the key. +The \fBcb\fR parameter is a callback that will be invoked in the same +manner as \fIBN_is_prime_ex\fR\|(3). +.PP +\&\fIRSA_check_key()\fR is equivalent to \fIRSA_check_key_ex()\fR with a \s-1NULL\s0 \fBcb\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRSA_check_key_ex()\fR and \fIRSA_check_key()\fR +return 1 if \fBrsa\fR is a valid \s-1RSA\s0 key, and 0 otherwise. +They return \-1 if an error occurs while checking the key. .PP If the key is invalid or an error occurred, the reason code can be obtained using \fIERR_get_error\fR\|(3). .SH "NOTES" .IX Header "NOTES" -This function does not work on \s-1RSA\s0 public keys that have only the modulus -and public exponent elements populated. It performs integrity checks on all -the \s-1RSA\s0 key material, so the \s-1RSA\s0 key structure must contain all the private -key data too. -.PP Unlike most other \s-1RSA\s0 functions, this function does \fBnot\fR work transparently with any underlying \s-1ENGINE\s0 implementation because it uses the key data in the \s-1RSA\s0 structure directly. An \s-1ENGINE\s0 implementation can @@ -187,7 +194,16 @@ The best fix will probably be to introduce a \*(L"\fIcheck_key()\fR\*(R" handler provide their own verifiers. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrsa\fR\|(3), \fIERR_get_error\fR\|(3) +\&\fIBN_is_prime_ex\fR\|(3), +\&\fIERR_get_error\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIRSA_check_key()\fR appeared in OpenSSL 0.9.4. +\&\fIRSA_check_key_ex()\fR appeared after OpenSSL 1.0.2. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_generate_key.3 b/secure/lib/libcrypto/man/RSA_generate_key.3 index 5a5eb1eac768..318f71f0f621 100644 --- a/secure/lib/libcrypto/man/RSA_generate_key.3 +++ b/secure/lib/libcrypto/man/RSA_generate_key.3 @@ -128,72 +128,99 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_generate_key 3" -.TH RSA_generate_key 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_GENERATE_KEY 3" +.TH RSA_GENERATE_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RSA_generate_key_ex, RSA_generate_key \- generate RSA key pair +RSA_generate_key_ex, RSA_generate_key, RSA_generate_multi_prime_key \- generate RSA key pair .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); +\& int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, BIGNUM *e, BN_GENCB *cb); .Ve .PP Deprecated: .PP -.Vb 2 +.Vb 4 +\& #if OPENSSL_API_COMPAT < 0x00908000L \& RSA *RSA_generate_key(int num, unsigned long e, -\& void (*callback)(int,int,void *), void *cb_arg); +\& void (*callback)(int, int, void *), void *cb_arg); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIRSA_generate_key_ex()\fR generates a key pair and stores it in the \fB\s-1RSA\s0\fR -structure provided in \fBrsa\fR. The pseudo-random number generator must +\&\fIRSA_generate_key_ex()\fR generates a 2\-prime \s-1RSA\s0 key pair and stores it in the +\&\fB\s-1RSA\s0\fR structure provided in \fBrsa\fR. The pseudo-random number generator must be seeded prior to calling \fIRSA_generate_key_ex()\fR. .PP -The modulus size will be of length \fBbits\fR, and the public exponent will be -\&\fBe\fR. Key sizes with \fBnum\fR < 1024 should be considered insecure. -The exponent is an odd number, typically 3, 17 or 65537. +\&\fIRSA_generate_multi_prime_key()\fR generates a multi-prime \s-1RSA\s0 key pair and stores +it in the \fB\s-1RSA\s0\fR structure provided in \fBrsa\fR. The number of primes is given by +the \fBprimes\fR parameter. The pseudo-random number generator must be seeded prior +to calling \fIRSA_generate_multi_prime_key()\fR. +.PP +The modulus size will be of length \fBbits\fR, the number of primes to form the +modulus will be \fBprimes\fR, and the public exponent will be \fBe\fR. Key sizes +with \fBnum\fR < 1024 should be considered insecure. The exponent is an odd +number, typically 3, 17 or 65537. +.PP +In order to maintain adequate security level, the maximum number of permitted +\&\fBprimes\fR depends on modulus bit length: +.PP +.Vb 3 +\& <1024 | >=1024 | >=4096 | >=8192 +\& \-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\- +\& 2 | 3 | 4 | 5 +.Ve .PP A callback function may be used to provide feedback about the progress of the key generation. If \fBcb\fR is not \fB\s-1NULL\s0\fR, it will be called as follows using the \fIBN_GENCB_call()\fR function described on the \fIBN_generate_prime\fR\|(3) page. -.IP "\(bu" 4 +.PP +\&\fIRSA_generate_prime()\fR is similar to \fIRSA_generate_prime_ex()\fR but +expects an old-style callback function; see +\&\fIBN_generate_prime\fR\|(3) for information on the old-style callback. +.IP "\(bu" 2 While a random prime number is generated, it is called as described in \fIBN_generate_prime\fR\|(3). -.IP "\(bu" 4 +.IP "\(bu" 2 When the n\-th randomly generated prime is rejected as not suitable for the key, \fBBN_GENCB_call(cb, 2, n)\fR is called. -.IP "\(bu" 4 +.IP "\(bu" 2 When a random p has been found with p\-1 relatively prime to \fBe\fR, it is called as \fBBN_GENCB_call(cb, 3, 0)\fR. .PP -The process is then repeated for prime q with \fBBN_GENCB_call(cb, 3, 1)\fR. -.PP -RSA_generate_key is deprecated (new applications should use -RSA_generate_key_ex instead). RSA_generate_key works in the same way as -RSA_generate_key_ex except it uses \*(L"old style\*(R" call backs. See -\&\fIBN_generate_prime\fR\|(3) for further details. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" -If key generation fails, \fIRSA_generate_key()\fR returns \fB\s-1NULL\s0\fR. -.PP +The process is then repeated for prime q and other primes (if any) +with \fBBN_GENCB_call(cb, 3, i)\fR where \fBi\fR indicates the i\-th prime. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRSA_generate_multi_prime_key()\fR returns 1 on success or 0 on error. +\&\fIRSA_generate_key_ex()\fR returns 1 on success or 0 on error. The error codes can be obtained by \fIERR_get_error\fR\|(3). +.PP +\&\fIRSA_generate_key()\fR returns a pointer to the \s-1RSA\s0 structure or +\&\fB\s-1NULL\s0\fR if the key generation fails. .SH "BUGS" .IX Header "BUGS" \&\fBBN_GENCB_call(cb, 2, x)\fR is used with two different meanings. -.PP -\&\fIRSA_generate_key()\fR goes into an infinite loop for illegal input values. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fIrand\fR\|(3), \fIrsa\fR\|(3), -\&\fIRSA_free\fR\|(3), \fIBN_generate_prime\fR\|(3) +\&\fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3), \fIBN_generate_prime\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -The \fBcb_arg\fR argument was added in SSLeay 0.9.0. +\&\fIRSA_generate_key()\fR was deprecated in OpenSSL 0.9.8; use +\&\fIRSA_generate_key_ex()\fR instead. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_get0_key.3 b/secure/lib/libcrypto/man/RSA_get0_key.3 new file mode 100644 index 000000000000..606759847089 --- /dev/null +++ b/secure/lib/libcrypto/man/RSA_get0_key.3 @@ -0,0 +1,293 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RSA_GET0_KEY 3" +.TH RSA_GET0_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, RSA_get0_key, RSA_get0_factors, RSA_get0_crt_params, RSA_get0_n, RSA_get0_e, RSA_get0_d, RSA_get0_p, RSA_get0_q, RSA_get0_dmp1, RSA_get0_dmq1, RSA_get0_iqmp, RSA_clear_flags, RSA_test_flags, RSA_set_flags, RSA_get0_engine, RSA_get_multi_prime_extra_count, RSA_get0_multi_prime_factors, RSA_get0_multi_prime_crt_params, RSA_set0_multi_prime_params, RSA_get_version \&\- Routines for getting and setting data in an RSA object +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); +\& int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); +\& int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); +\& void RSA_get0_key(const RSA *r, +\& const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); +\& void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); +\& void RSA_get0_crt_params(const RSA *r, +\& const BIGNUM **dmp1, const BIGNUM **dmq1, +\& const BIGNUM **iqmp); +\& const BIGNUM *RSA_get0_n(const RSA *d); +\& const BIGNUM *RSA_get0_e(const RSA *d); +\& const BIGNUM *RSA_get0_d(const RSA *d); +\& const BIGNUM *RSA_get0_p(const RSA *d); +\& const BIGNUM *RSA_get0_q(const RSA *d); +\& const BIGNUM *RSA_get0_dmp1(const RSA *r); +\& const BIGNUM *RSA_get0_dmq1(const RSA *r); +\& const BIGNUM *RSA_get0_iqmp(const RSA *r); +\& void RSA_clear_flags(RSA *r, int flags); +\& int RSA_test_flags(const RSA *r, int flags); +\& void RSA_set_flags(RSA *r, int flags); +\& ENGINE *RSA_get0_engine(RSA *r); +\& int RSA_get_multi_prime_extra_count(const RSA *r); +\& int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[]); +\& int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[], +\& const BIGNUM *coeffs[]); +\& int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[], +\& BIGNUM *coeffs[], int pnum); +\& int RSA_get_version(RSA *r); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +An \s-1RSA\s0 object contains the components for the public and private key, +\&\fBn\fR, \fBe\fR, \fBd\fR, \fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR. \fBn\fR is +the modulus common to both public and private key, \fBe\fR is the public +exponent and \fBd\fR is the private exponent. \fBp\fR, \fBq\fR, \fBdmp1\fR, +\&\fBdmq1\fR and \fBiqmp\fR are the factors for the second representation of a +private key (see PKCS#1 section 3 Key Types), where \fBp\fR and \fBq\fR are +the first and second factor of \fBn\fR and \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR +are the exponents and coefficient for \s-1CRT\s0 calculations. +.PP +For multi-prime \s-1RSA\s0 (defined in \s-1RFC 8017\s0), there are also one or more +\&'triplet' in an \s-1RSA\s0 object. A triplet contains three members, \fBr\fR, \fBd\fR +and \fBt\fR. \fBr\fR is the additional prime besides \fBp\fR and \fBq\fR. \fBd\fR and +\&\fBt\fR are the exponent and coefficient for \s-1CRT\s0 calculations. +.PP +The \fBn\fR, \fBe\fR and \fBd\fR parameters can be obtained by calling +\&\fIRSA_get0_key()\fR. If they have not been set yet, then \fB*n\fR, \fB*e\fR and +\&\fB*d\fR will be set to \s-1NULL.\s0 Otherwise, they are set to pointers to +their respective values. These point directly to the internal +representations of the values and therefore should not be freed +by the caller. +.PP +The \fBn\fR, \fBe\fR and \fBd\fR parameter values can be set by calling +\&\fIRSA_set0_key()\fR and passing the new values for \fBn\fR, \fBe\fR and \fBd\fR as +parameters to the function. The values \fBn\fR and \fBe\fR must be non-NULL +the first time this function is called on a given \s-1RSA\s0 object. The +value \fBd\fR may be \s-1NULL.\s0 On subsequent calls any of these values may be +\&\s-1NULL\s0 which means the corresponding \s-1RSA\s0 field is left untouched. +Calling this function transfers the memory management of the values to +the \s-1RSA\s0 object, and therefore the values that have been passed in +should not be freed by the caller after this function has been called. +.PP +In a similar fashion, the \fBp\fR and \fBq\fR parameters can be obtained and +set with \fIRSA_get0_factors()\fR and \fIRSA_set0_factors()\fR, and the \fBdmp1\fR, +\&\fBdmq1\fR and \fBiqmp\fR parameters can be obtained and set with +\&\fIRSA_get0_crt_params()\fR and \fIRSA_set0_crt_params()\fR. +.PP +For \fIRSA_get0_key()\fR, \fIRSA_get0_factors()\fR, and \fIRSA_get0_crt_params()\fR, +\&\s-1NULL\s0 value \s-1BIGNUM\s0 ** output parameters are permitted. The functions +ignore \s-1NULL\s0 parameters but return values for other, non-NULL, parameters. +.PP +For multi-prime \s-1RSA,\s0 \fIRSA_get0_multi_prime_factors()\fR and \fIRSA_get0_multi_prime_params()\fR +can be used to obtain other primes and related \s-1CRT\s0 parameters. The +return values are stored in an array of \fB\s-1BIGNUM\s0 *\fR. \fIRSA_set0_multi_prime_params()\fR +sets a collect of multi-prime 'triplet' members (prime, exponent and coefficient) +into an \s-1RSA\s0 object. +.PP +Any of the values \fBn\fR, \fBe\fR, \fBd\fR, \fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR, and \fBiqmp\fR can also be +retrieved separately by the corresponding function +\&\fIRSA_get0_n()\fR, \fIRSA_get0_e()\fR, \fIRSA_get0_d()\fR, \fIRSA_get0_p()\fR, \fIRSA_get0_q()\fR, +\&\fIRSA_get0_dmp1()\fR, \fIRSA_get0_dmq1()\fR, and \fIRSA_get0_iqmp()\fR, respectively. +.PP +\&\fIRSA_set_flags()\fR sets the flags in the \fBflags\fR parameter on the \s-1RSA\s0 +object. Multiple flags can be passed in one go (bitwise ORed together). +Any flags that are already set are left set. \fIRSA_test_flags()\fR tests to +see whether the flags passed in the \fBflags\fR parameter are currently +set in the \s-1RSA\s0 object. Multiple flags can be tested in one go. All +flags that are currently set are returned, or zero if none of the +flags are set. \fIRSA_clear_flags()\fR clears the specified flags within the +\&\s-1RSA\s0 object. +.PP +\&\fIRSA_get0_engine()\fR returns a handle to the \s-1ENGINE\s0 that has been set for +this \s-1RSA\s0 object, or \s-1NULL\s0 if no such \s-1ENGINE\s0 has been set. +.PP +\&\fIRSA_get_version()\fR returns the version of an \s-1RSA\s0 object \fBr\fR. +.SH "NOTES" +.IX Header "NOTES" +Values retrieved with \fIRSA_get0_key()\fR are owned by the \s-1RSA\s0 object used +in the call and may therefore \fInot\fR be passed to \fIRSA_set0_key()\fR. If +needed, duplicate the received value using \fIBN_dup()\fR and pass the +duplicate. The same applies to \fIRSA_get0_factors()\fR and \fIRSA_set0_factors()\fR +as well as \fIRSA_get0_crt_params()\fR and \fIRSA_set0_crt_params()\fR. +.PP +The caller should obtain the size by calling \fIRSA_get_multi_prime_extra_count()\fR +in advance and allocate sufficient buffer to store the return values before +calling \fIRSA_get0_multi_prime_factors()\fR and \fIRSA_get0_multi_prime_params()\fR. +.PP +\&\fIRSA_set0_multi_prime_params()\fR always clears the original multi-prime +triplets in \s-1RSA\s0 object \fBr\fR and assign the new set of triplets into it. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRSA_set0_key()\fR, \fIRSA_set0_factors()\fR, \fIRSA_set0_crt_params()\fR and +\&\fIRSA_set0_multi_prime_params()\fR return 1 on success or 0 on failure. +.PP +\&\fIRSA_get0_n()\fR, \fIRSA_get0_e()\fR, \fIRSA_get0_d()\fR, \fIRSA_get0_p()\fR, \fIRSA_get0_q()\fR, +\&\fIRSA_get0_dmp1()\fR, \fIRSA_get0_dmq1()\fR, and \fIRSA_get0_iqmp()\fR +return the respective value. +.PP +\&\fIRSA_get0_multi_prime_factors()\fR and \fIRSA_get0_multi_prime_crt_params()\fR return +1 on success or 0 on failure. +.PP +\&\fIRSA_get_multi_prime_extra_count()\fR returns two less than the number of primes +in use, which is 0 for traditional \s-1RSA\s0 and the number of extra primes for +multi-prime \s-1RSA.\s0 +.PP +\&\fIRSA_get_version()\fR returns \fB\s-1RSA_ASN1_VERSION_MULTI\s0\fR for multi-prime \s-1RSA\s0 and +\&\fB\s-1RSA_ASN1_VERSION_DEFAULT\s0\fR for normal two-prime \s-1RSA,\s0 as defined in \s-1RFC 8017.\s0 +.PP +\&\fIRSA_test_flags()\fR returns the current state of the flags in the \s-1RSA\s0 object. +.PP +\&\fIRSA_get0_engine()\fR returns the \s-1ENGINE\s0 set for the \s-1RSA\s0 object or \s-1NULL\s0 if no +\&\s-1ENGINE\s0 has been set. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRSA_new\fR\|(3), \fIRSA_size\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIRSA_get_multi_prime_extra_count()\fR, \fIRSA_get0_multi_prime_factors()\fR, +\&\fIRSA_get0_multi_prime_crt_params()\fR, \fIRSA_set0_multi_prime_params()\fR, +and \fIRSA_get_version()\fR functions were added in OpenSSL 1.1.1. +.PP +Other functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 b/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 deleted file mode 100644 index 615065da7eeb..000000000000 --- a/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 +++ /dev/null @@ -1,247 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "RSA_get_ex_new_index 3" -.TH RSA_get_ex_new_index 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -RSA_get_ex_new_index, RSA_set_ex_data, RSA_get_ex_data \- add application specific data to RSA structures -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int RSA_get_ex_new_index(long argl, void *argp, -\& CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, -\& CRYPTO_EX_free *free_func); -\& -\& int RSA_set_ex_data(RSA *r, int idx, void *arg); -\& -\& void *RSA_get_ex_data(RSA *r, int idx); -\& -\& typedef int CRYPTO_EX_new(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -\& int idx, long argl, void *argp); -\& typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -\& int idx, long argl, void *argp); -\& typedef int CRYPTO_EX_dup(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, -\& int idx, long argl, void *argp); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -Several OpenSSL structures can have application specific data attached to them. -This has several potential uses, it can be used to cache data associated with -a structure (for example the hash of some part of the structure) or some -additional data (for example a handle to the data in an external library). -.PP -Since the application data can be anything at all it is passed and retrieved -as a \fBvoid *\fR type. -.PP -The \fB\f(BIRSA_get_ex_new_index()\fB\fR function is initially called to \*(L"register\*(R" some -new application specific data. It takes three optional function pointers which -are called when the parent structure (in this case an \s-1RSA\s0 structure) is -initially created, when it is copied and when it is freed up. If any or all of -these function pointer arguments are not used they should be set to \s-1NULL.\s0 The -precise manner in which these function pointers are called is described in more -detail below. \fB\f(BIRSA_get_ex_new_index()\fB\fR also takes additional long and pointer -parameters which will be passed to the supplied functions but which otherwise -have no special meaning. It returns an \fBindex\fR which should be stored -(typically in a static variable) and passed used in the \fBidx\fR parameter in -the remaining functions. Each successful call to \fB\f(BIRSA_get_ex_new_index()\fB\fR -will return an index greater than any previously returned, this is important -because the optional functions are called in order of increasing index value. -.PP -\&\fB\f(BIRSA_set_ex_data()\fB\fR is used to set application specific data, the data is -supplied in the \fBarg\fR parameter and its precise meaning is up to the -application. -.PP -\&\fB\f(BIRSA_get_ex_data()\fB\fR is used to retrieve application specific data. The data -is returned to the application, this will be the same value as supplied to -a previous \fB\f(BIRSA_set_ex_data()\fB\fR call. -.PP -\&\fB\f(BInew_func()\fB\fR is called when a structure is initially allocated (for example -with \fB\f(BIRSA_new()\fB\fR. The parent structure members will not have any meaningful -values at this point. This function will typically be used to allocate any -application specific structure. -.PP -\&\fB\f(BIfree_func()\fB\fR is called when a structure is being freed up. The dynamic parent -structure members should not be accessed because they will be freed up when -this function is called. -.PP -\&\fB\f(BInew_func()\fB\fR and \fB\f(BIfree_func()\fB\fR take the same parameters. \fBparent\fR is a -pointer to the parent \s-1RSA\s0 structure. \fBptr\fR is a the application specific data -(this wont be of much use in \fB\f(BInew_func()\fB\fR. \fBad\fR is a pointer to the -\&\fB\s-1CRYPTO_EX_DATA\s0\fR structure from the parent \s-1RSA\s0 structure: the functions -\&\fB\f(BICRYPTO_get_ex_data()\fB\fR and \fB\f(BICRYPTO_set_ex_data()\fB\fR can be called to manipulate -it. The \fBidx\fR parameter is the index: this will be the same value returned by -\&\fB\f(BIRSA_get_ex_new_index()\fB\fR when the functions were initially registered. Finally -the \fBargl\fR and \fBargp\fR parameters are the values originally passed to the same -corresponding parameters when \fB\f(BIRSA_get_ex_new_index()\fB\fR was called. -.PP -\&\fB\f(BIdup_func()\fB\fR is called when a structure is being copied. Pointers to the -destination and source \fB\s-1CRYPTO_EX_DATA\s0\fR structures are passed in the \fBto\fR and -\&\fBfrom\fR parameters respectively. The \fBfrom_d\fR parameter is passed a pointer to -the source application data when the function is called, when the function returns -the value is copied to the destination: the application can thus modify the data -pointed to by \fBfrom_d\fR and have different values in the source and destination. -The \fBidx\fR, \fBargl\fR and \fBargp\fR parameters are the same as those in \fB\f(BInew_func()\fB\fR -and \fB\f(BIfree_func()\fB\fR. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\fB\f(BIRSA_get_ex_new_index()\fB\fR returns a new index or \-1 on failure (note 0 is a valid -index value). -.PP -\&\fB\f(BIRSA_set_ex_data()\fB\fR returns 1 on success or 0 on failure. -.PP -\&\fB\f(BIRSA_get_ex_data()\fB\fR returns the application data or 0 on failure. 0 may also -be valid application data but currently it can only fail if given an invalid \fBidx\fR -parameter. -.PP -\&\fB\f(BInew_func()\fB\fR and \fB\f(BIdup_func()\fB\fR should return 0 for failure and 1 for success. -.PP -On failure an error code can be obtained from \fIERR_get_error\fR\|(3). -.SH "BUGS" -.IX Header "BUGS" -\&\fB\f(BIdup_func()\fB\fR is currently never called. -.PP -The return value of \fB\f(BInew_func()\fB\fR is ignored. -.PP -The \fB\f(BInew_func()\fB\fR function isn't very useful because no meaningful values are -present in the parent \s-1RSA\s0 structure when it is called. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrsa\fR\|(3), \fICRYPTO_set_ex_data\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRSA_get_ex_new_index()\fR, \fIRSA_set_ex_data()\fR and \fIRSA_get_ex_data()\fR are -available since SSLeay 0.9.0. diff --git a/secure/lib/libcrypto/man/RSA_meth_new.3 b/secure/lib/libcrypto/man/RSA_meth_new.3 new file mode 100644 index 000000000000..b5e3cf95bd8d --- /dev/null +++ b/secure/lib/libcrypto/man/RSA_meth_new.3 @@ -0,0 +1,378 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "RSA_METH_NEW 3" +.TH RSA_METH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +RSA_meth_get0_app_data, RSA_meth_set0_app_data, RSA_meth_new, RSA_meth_free, RSA_meth_dup, RSA_meth_get0_name, RSA_meth_set1_name, RSA_meth_get_flags, RSA_meth_set_flags, RSA_meth_get_pub_enc, RSA_meth_set_pub_enc, RSA_meth_get_pub_dec, RSA_meth_set_pub_dec, RSA_meth_get_priv_enc, RSA_meth_set_priv_enc, RSA_meth_get_priv_dec, RSA_meth_set_priv_dec, RSA_meth_get_mod_exp, RSA_meth_set_mod_exp, RSA_meth_get_bn_mod_exp, RSA_meth_set_bn_mod_exp, RSA_meth_get_init, RSA_meth_set_init, RSA_meth_get_finish, RSA_meth_set_finish, RSA_meth_get_sign, RSA_meth_set_sign, RSA_meth_get_verify, RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen, RSA_meth_get_multi_prime_keygen, RSA_meth_set_multi_prime_keygen \&\- Routines to build up RSA methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& RSA_METHOD *RSA_meth_new(const char *name, int flags); +\& void RSA_meth_free(RSA_METHOD *meth); +\& +\& RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); +\& +\& const char *RSA_meth_get0_name(const RSA_METHOD *meth); +\& int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); +\& +\& int RSA_meth_get_flags(const RSA_METHOD *meth); +\& int RSA_meth_set_flags(RSA_METHOD *meth, int flags); +\& +\& void *RSA_meth_get0_app_data(const RSA_METHOD *meth); +\& int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data); +\& +\& int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))(int flen, const unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); +\& int RSA_meth_set_pub_enc(RSA_METHOD *rsa, +\& int (*pub_enc)(int flen, const unsigned char *from, +\& unsigned char *to, RSA *rsa, +\& int padding)); +\& +\& int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth)) +\& (int flen, const unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); +\& int RSA_meth_set_pub_dec(RSA_METHOD *rsa, +\& int (*pub_dec)(int flen, const unsigned char *from, +\& unsigned char *to, RSA *rsa, +\& int padding)); +\& +\& int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))(int flen, const unsigned char *from, +\& unsigned char *to, RSA *rsa, +\& int padding); +\& int RSA_meth_set_priv_enc(RSA_METHOD *rsa, +\& int (*priv_enc)(int flen, const unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding)); +\& +\& int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))(int flen, const unsigned char *from, +\& unsigned char *to, RSA *rsa, +\& int padding); +\& int RSA_meth_set_priv_dec(RSA_METHOD *rsa, +\& int (*priv_dec)(int flen, const unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding)); +\& +\& /* Can be null */ +\& int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *I, +\& RSA *rsa, BN_CTX *ctx); +\& int RSA_meth_set_mod_exp(RSA_METHOD *rsa, +\& int (*mod_exp)(BIGNUM *r0, const BIGNUM *I, RSA *rsa, +\& BN_CTX *ctx)); +\& +\& /* Can be null */ +\& int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))(BIGNUM *r, const BIGNUM *a, +\& const BIGNUM *p, const BIGNUM *m, +\& BN_CTX *ctx, BN_MONT_CTX *m_ctx); +\& int RSA_meth_set_bn_mod_exp(RSA_METHOD *rsa, +\& int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, +\& const BIGNUM *p, const BIGNUM *m, +\& BN_CTX *ctx, BN_MONT_CTX *m_ctx)); +\& +\& /* called at new */ +\& int (*RSA_meth_get_init(const RSA_METHOD *meth) (RSA *rsa); +\& int RSA_meth_set_init(RSA_METHOD *rsa, int (*init (RSA *rsa)); +\& +\& /* called at free */ +\& int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa); +\& int RSA_meth_set_finish(RSA_METHOD *rsa, int (*finish)(RSA *rsa)); +\& +\& int (*RSA_meth_get_sign(const RSA_METHOD *meth))(int type, const unsigned char *m, +\& unsigned int m_length, +\& unsigned char *sigret, +\& unsigned int *siglen, const RSA *rsa); +\& int RSA_meth_set_sign(RSA_METHOD *rsa, +\& int (*sign)(int type, const unsigned char *m, +\& unsigned int m_length, unsigned char *sigret, +\& unsigned int *siglen, const RSA *rsa)); +\& +\& int (*RSA_meth_get_verify(const RSA_METHOD *meth))(int dtype, const unsigned char *m, +\& unsigned int m_length, +\& const unsigned char *sigbuf, +\& unsigned int siglen, const RSA *rsa); +\& int RSA_meth_set_verify(RSA_METHOD *rsa, +\& int (*verify)(int dtype, const unsigned char *m, +\& unsigned int m_length, +\& const unsigned char *sigbuf, +\& unsigned int siglen, const RSA *rsa)); +\& +\& int (*RSA_meth_get_keygen(const RSA_METHOD *meth))(RSA *rsa, int bits, BIGNUM *e, +\& BN_GENCB *cb); +\& int RSA_meth_set_keygen(RSA_METHOD *rsa, +\& int (*keygen)(RSA *rsa, int bits, BIGNUM *e, +\& BN_GENCB *cb)); +\& +\& int (*RSA_meth_get_multi_prime_keygen(const RSA_METHOD *meth))(RSA *rsa, int bits, +\& int primes, BIGNUM *e, +\& BN_GENCB *cb); +\& +\& int RSA_meth_set_multi_prime_keygen(RSA_METHOD *meth, +\& int (*keygen) (RSA *rsa, int bits, +\& int primes, BIGNUM *e, +\& BN_GENCB *cb)); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1RSA_METHOD\s0\fR type is a structure used for the provision of custom +\&\s-1RSA\s0 implementations. It provides a set of functions used by OpenSSL +for the implementation of the various \s-1RSA\s0 capabilities. See the rsa +page for more information. +.PP +\&\fIRSA_meth_new()\fR creates a new \fB\s-1RSA_METHOD\s0\fR structure. It should be +given a unique \fBname\fR and a set of \fBflags\fR. The \fBname\fR should be a +\&\s-1NULL\s0 terminated string, which will be duplicated and stored in the +\&\fB\s-1RSA_METHOD\s0\fR object. It is the callers responsibility to free the +original string. The flags will be used during the construction of a +new \fB\s-1RSA\s0\fR object based on this \fB\s-1RSA_METHOD\s0\fR. Any new \fB\s-1RSA\s0\fR object +will have those flags set by default. +.PP +\&\fIRSA_meth_dup()\fR creates a duplicate copy of the \fB\s-1RSA_METHOD\s0\fR object +passed as a parameter. This might be useful for creating a new +\&\fB\s-1RSA_METHOD\s0\fR based on an existing one, but with some differences. +.PP +\&\fIRSA_meth_free()\fR destroys an \fB\s-1RSA_METHOD\s0\fR structure and frees up any +memory associated with it. +.PP +\&\fIRSA_meth_get0_name()\fR will return a pointer to the name of this +\&\s-1RSA_METHOD.\s0 This is a pointer to the internal name string and so +should not be freed by the caller. \fIRSA_meth_set1_name()\fR sets the name +of the \s-1RSA_METHOD\s0 to \fBname\fR. The string is duplicated and the copy is +stored in the \s-1RSA_METHOD\s0 structure, so the caller remains responsible +for freeing the memory associated with the name. +.PP +\&\fIRSA_meth_get_flags()\fR returns the current value of the flags associated +with this \s-1RSA_METHOD.\s0 \fIRSA_meth_set_flags()\fR provides the ability to set +these flags. +.PP +The functions \fIRSA_meth_get0_app_data()\fR and \fIRSA_meth_set0_app_data()\fR +provide the ability to associate implementation specific data with the +\&\s-1RSA_METHOD.\s0 It is the application's responsibility to free this data +before the \s-1RSA_METHOD\s0 is freed via a call to \fIRSA_meth_free()\fR. +.PP +\&\fIRSA_meth_get_sign()\fR and \fIRSA_meth_set_sign()\fR get and set the function +used for creating an \s-1RSA\s0 signature respectively. This function will be +called in response to the application calling \fIRSA_sign()\fR. The +parameters for the function have the same meaning as for \fIRSA_sign()\fR. +.PP +\&\fIRSA_meth_get_verify()\fR and \fIRSA_meth_set_verify()\fR get and set the +function used for verifying an \s-1RSA\s0 signature respectively. This +function will be called in response to the application calling +\&\fIRSA_verify()\fR. The parameters for the function have the same meaning as +for \fIRSA_verify()\fR. +.PP +\&\fIRSA_meth_get_mod_exp()\fR and \fIRSA_meth_set_mod_exp()\fR get and set the +function used for \s-1CRT\s0 computations. +.PP +\&\fIRSA_meth_get_bn_mod_exp()\fR and \fIRSA_meth_set_bn_mod_exp()\fR get and set +the function used for \s-1CRT\s0 computations, specifically the following +value: +.PP +.Vb 1 +\& r = a ^ p mod m +.Ve +.PP +Both the \fImod_exp()\fR and \fIbn_mod_exp()\fR functions are called by the +default OpenSSL method during encryption, decryption, signing and +verification. +.PP +\&\fIRSA_meth_get_init()\fR and \fIRSA_meth_set_init()\fR get and set the function +used for creating a new \s-1RSA\s0 instance respectively. This function will +be called in response to the application calling \fIRSA_new()\fR (if the +current default \s-1RSA_METHOD\s0 is this one) or \fIRSA_new_method()\fR. The +\&\fIRSA_new()\fR and \fIRSA_new_method()\fR functions will allocate the memory for +the new \s-1RSA\s0 object, and a pointer to this newly allocated structure +will be passed as a parameter to the function. This function may be +\&\s-1NULL.\s0 +.PP +\&\fIRSA_meth_get_finish()\fR and \fIRSA_meth_set_finish()\fR get and set the +function used for destroying an instance of an \s-1RSA\s0 object respectively. +This function will be called in response to the application calling +\&\fIRSA_free()\fR. A pointer to the \s-1RSA\s0 to be destroyed is passed as a +parameter. The destroy function should be used for \s-1RSA\s0 implementation +specific clean up. The memory for the \s-1RSA\s0 itself should not be freed +by this function. This function may be \s-1NULL.\s0 +.PP +\&\fIRSA_meth_get_keygen()\fR and \fIRSA_meth_set_keygen()\fR get and set the +function used for generating a new \s-1RSA\s0 key pair respectively. This +function will be called in response to the application calling +\&\fIRSA_generate_key_ex()\fR. The parameter for the function has the same +meaning as for \fIRSA_generate_key_ex()\fR. +.PP +\&\fIRSA_meth_get_multi_prime_keygen()\fR and \fIRSA_meth_set_multi_prime_keygen()\fR get +and set the function used for generating a new multi-prime \s-1RSA\s0 key pair +respectively. This function will be called in response to the application calling +\&\fIRSA_generate_multi_prime_key()\fR. The parameter for the function has the same +meaning as for \fIRSA_generate_multi_prime_key()\fR. +.PP +\&\fIRSA_meth_get_pub_enc()\fR, \fIRSA_meth_set_pub_enc()\fR, +\&\fIRSA_meth_get_pub_dec()\fR, \fIRSA_meth_set_pub_dec()\fR, +\&\fIRSA_meth_get_priv_enc()\fR, \fIRSA_meth_set_priv_enc()\fR, +\&\fIRSA_meth_get_priv_dec()\fR, \fIRSA_meth_set_priv_dec()\fR get and set the +functions used for public and private key encryption and decryption. +These functions will be called in response to the application calling +\&\fIRSA_public_encrypt()\fR, \fIRSA_private_decrypt()\fR, \fIRSA_private_encrypt()\fR and +\&\fIRSA_public_decrypt()\fR and take the same parameters as those. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRSA_meth_new()\fR and \fIRSA_meth_dup()\fR return the newly allocated +\&\s-1RSA_METHOD\s0 object or \s-1NULL\s0 on failure. +.PP +\&\fIRSA_meth_get0_name()\fR and \fIRSA_meth_get_flags()\fR return the name and +flags associated with the \s-1RSA_METHOD\s0 respectively. +.PP +All other RSA_meth_get_*() functions return the appropriate function +pointer that has been set in the \s-1RSA_METHOD,\s0 or \s-1NULL\s0 if no such +pointer has yet been set. +.PP +RSA_meth_set1_name and all RSA_meth_set_*() functions return 1 on +success or 0 on failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIRSA_new\fR\|(3), \fIRSA_generate_key_ex\fR\|(3), \fIRSA_sign\fR\|(3), +\&\fIRSA_set_method\fR\|(3), \fIRSA_size\fR\|(3), \fIRSA_get0_key\fR\|(3), +\&\fIRSA_generate_multi_prime_key\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIRSA_meth_get_multi_prime_keygen()\fR and \fIRSA_meth_set_multi_prime_keygen()\fR were +added in OpenSSL 1.1.1. +.PP +Other functions described here were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_new.3 b/secure/lib/libcrypto/man/RSA_new.3 index 1e2137a54019..7acaf4648323 100644 --- a/secure/lib/libcrypto/man/RSA_new.3 +++ b/secure/lib/libcrypto/man/RSA_new.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_new 3" -.TH RSA_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_NEW 3" +.TH RSA_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +141,7 @@ RSA_new, RSA_free \- allocate and free RSA objects .Vb 1 \& #include \& -\& RSA * RSA_new(void); +\& RSA *RSA_new(void); \& \& void RSA_free(RSA *rsa); .Ve @@ -152,6 +152,7 @@ calling RSA_new_method(\s-1NULL\s0). .PP \&\fIRSA_free()\fR frees the \fB\s-1RSA\s0\fR structure and its components. The key is erased before the memory is returned to the system. +If \fBrsa\fR is \s-1NULL\s0 nothing is done. .SH "RETURN VALUES" .IX Header "RETURN VALUES" If the allocation fails, \fIRSA_new()\fR returns \fB\s-1NULL\s0\fR and sets an error @@ -161,9 +162,14 @@ a pointer to the newly allocated structure. \&\fIRSA_free()\fR returns no value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fIrsa\fR\|(3), +\&\fIERR_get_error\fR\|(3), \&\fIRSA_generate_key\fR\|(3), \&\fIRSA_new_method\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRSA_new()\fR and \fIRSA_free()\fR are available in all versions of SSLeay and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 b/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 index a89b86c6e240..b1367e10a0fd 100644 --- a/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 +++ b/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 @@ -128,53 +128,49 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_padding_add_PKCS1_type_1 3" -.TH RSA_padding_add_PKCS1_type_1 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_PADDING_ADD_PKCS1_TYPE_1 3" +.TH RSA_PADDING_ADD_PKCS1_TYPE_1 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1, -RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2, -RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP, -RSA_padding_add_SSLv23, RSA_padding_check_SSLv23, -RSA_padding_add_none, RSA_padding_check_none \- asymmetric encryption -padding +RSA_padding_add_PKCS1_type_1, RSA_padding_check_PKCS1_type_1, RSA_padding_add_PKCS1_type_2, RSA_padding_check_PKCS1_type_2, RSA_padding_add_PKCS1_OAEP, RSA_padding_check_PKCS1_OAEP, RSA_padding_add_SSLv23, RSA_padding_check_SSLv23, RSA_padding_add_none, RSA_padding_check_none \- asymmetric encryption padding .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, -\& unsigned char *f, int fl); +\& unsigned char *f, int fl); \& \& int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen, -\& unsigned char *f, int fl, int rsa_len); +\& unsigned char *f, int fl, int rsa_len); \& \& int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen, -\& unsigned char *f, int fl); +\& unsigned char *f, int fl); \& \& int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, -\& unsigned char *f, int fl, int rsa_len); +\& unsigned char *f, int fl, int rsa_len); \& \& int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, -\& unsigned char *f, int fl, unsigned char *p, int pl); +\& unsigned char *f, int fl, unsigned char *p, int pl); \& \& int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, -\& unsigned char *f, int fl, int rsa_len, unsigned char *p, int pl); +\& unsigned char *f, int fl, int rsa_len, +\& unsigned char *p, int pl); \& \& int RSA_padding_add_SSLv23(unsigned char *to, int tlen, -\& unsigned char *f, int fl); +\& unsigned char *f, int fl); \& \& int RSA_padding_check_SSLv23(unsigned char *to, int tlen, -\& unsigned char *f, int fl, int rsa_len); +\& unsigned char *f, int fl, int rsa_len); \& \& int RSA_padding_add_none(unsigned char *to, int tlen, -\& unsigned char *f, int fl); +\& unsigned char *f, int fl); \& \& int RSA_padding_check_none(unsigned char *to, int tlen, -\& unsigned char *f, int fl, int rsa_len); +\& unsigned char *f, int fl, int rsa_len); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -237,13 +233,11 @@ v1.5 padding design. Prefer \s-1PKCS1_OAEP\s0 padding. \&\fIRSA_public_encrypt\fR\|(3), \&\fIRSA_private_decrypt\fR\|(3), \&\fIRSA_sign\fR\|(3), \fIRSA_verify\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRSA_padding_add_PKCS1_type_1()\fR, \fIRSA_padding_check_PKCS1_type_1()\fR, -\&\fIRSA_padding_add_PKCS1_type_2()\fR, \fIRSA_padding_check_PKCS1_type_2()\fR, -\&\fIRSA_padding_add_SSLv23()\fR, \fIRSA_padding_check_SSLv23()\fR, -\&\fIRSA_padding_add_none()\fR and \fIRSA_padding_check_none()\fR appeared in -SSLeay 0.9.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIRSA_padding_add_PKCS1_OAEP()\fR and \fIRSA_padding_check_PKCS1_OAEP()\fR were -added in OpenSSL 0.9.2b. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_print.3 b/secure/lib/libcrypto/man/RSA_print.3 index f2b0a3196ce3..2c3eeb18729a 100644 --- a/secure/lib/libcrypto/man/RSA_print.3 +++ b/secure/lib/libcrypto/man/RSA_print.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_print 3" -.TH RSA_print 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_PRINT 3" +.TH RSA_PRINT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RSA_print, RSA_print_fp, -DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp, -DHparams_print, DHparams_print_fp \- print cryptographic parameters +RSA_print, RSA_print_fp, DSAparams_print, DSAparams_print_fp, DSA_print, DSA_print_fp, DHparams_print, DHparams_print_fp \- print cryptographic parameters .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -169,9 +167,12 @@ The output lines are indented by \fBoffset\fR spaces. These functions return 1 on success, 0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIdh\fR\|(3), \fIdsa\fR\|(3), \fIrsa\fR\|(3), \fIBN_bn2bin\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRSA_print()\fR, \fIRSA_print_fp()\fR, \fIDSA_print()\fR, \fIDSA_print_fp()\fR, \fIDH_print()\fR, -\&\fIDH_print_fp()\fR are available in all versions of SSLeay and OpenSSL. -\&\fIDSAparams_print()\fR and \fIDSAparams_print_fp()\fR were added in SSLeay 0.8. +\&\fIBN_bn2bin\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_private_encrypt.3 b/secure/lib/libcrypto/man/RSA_private_encrypt.3 index 5c2a4628e496..76cbc67fefad 100644 --- a/secure/lib/libcrypto/man/RSA_private_encrypt.3 +++ b/secure/lib/libcrypto/man/RSA_private_encrypt.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_private_encrypt 3" -.TH RSA_private_encrypt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_PRIVATE_ENCRYPT 3" +.TH RSA_PRIVATE_ENCRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,11 +141,11 @@ RSA_private_encrypt, RSA_public_decrypt \- low level signature operations .Vb 1 \& #include \& -\& int RSA_private_encrypt(int flen, const unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); +\& int RSA_private_encrypt(int flen, unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); \& -\& int RSA_public_decrypt(int flen, const unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); +\& int RSA_public_decrypt(int flen, unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -184,9 +184,13 @@ On error, \-1 is returned; the error codes can be obtained by \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fIrsa\fR\|(3), +\&\fIERR_get_error\fR\|(3), \&\fIRSA_sign\fR\|(3), \fIRSA_verify\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -The \fBpadding\fR argument was added in SSLeay 0.8. \s-1RSA_NO_PADDING\s0 is -available since SSLeay 0.9.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_public_encrypt.3 b/secure/lib/libcrypto/man/RSA_public_encrypt.3 index fa8a6a3eee75..7cc0df4a73f9 100644 --- a/secure/lib/libcrypto/man/RSA_public_encrypt.3 +++ b/secure/lib/libcrypto/man/RSA_public_encrypt.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_public_encrypt 3" -.TH RSA_public_encrypt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_PUBLIC_ENCRYPT 3" +.TH RSA_PUBLIC_ENCRYPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,11 +141,11 @@ RSA_public_encrypt, RSA_private_decrypt \- RSA public key cryptography .Vb 1 \& #include \& -\& int RSA_public_encrypt(int flen, const unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); +\& int RSA_public_encrypt(int flen, unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); \& -\& int RSA_private_decrypt(int flen, const unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); +\& int RSA_private_decrypt(int flen, unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -201,9 +201,13 @@ design. Prefer \s-1RSA_PKCS1_OAEP_PADDING.\s0 \&\s-1SSL, PKCS\s0 #1 v2.0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fIrand\fR\|(3), \fIrsa\fR\|(3), +\&\fIERR_get_error\fR\|(3), \fIRAND_bytes\fR\|(3), \&\fIRSA_size\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -The \fBpadding\fR argument was added in SSLeay 0.8. \s-1RSA_NO_PADDING\s0 is -available since SSLeay 0.9.0, \s-1OAEP\s0 was added in OpenSSL 0.9.2b. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_set_method.3 b/secure/lib/libcrypto/man/RSA_set_method.3 index aa897d199570..296566a07d0d 100644 --- a/secure/lib/libcrypto/man/RSA_set_method.3 +++ b/secure/lib/libcrypto/man/RSA_set_method.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_set_method 3" -.TH RSA_set_method 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_SET_METHOD 3" +.TH RSA_SET_METHOD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RSA_set_default_method, RSA_get_default_method, RSA_set_method, -RSA_get_method, RSA_PKCS1_SSLeay, RSA_null_method, RSA_flags, -RSA_new_method \- select RSA method +RSA_set_default_method, RSA_get_default_method, RSA_set_method, RSA_get_method, RSA_PKCS1_OpenSSL, RSA_flags, RSA_new_method \- select RSA method .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -151,13 +149,11 @@ RSA_new_method \- select RSA method \& \& RSA_METHOD *RSA_get_method(const RSA *rsa); \& -\& RSA_METHOD *RSA_PKCS1_SSLeay(void); -\& -\& RSA_METHOD *RSA_null_method(void); +\& RSA_METHOD *RSA_PKCS1_OpenSSL(void); \& \& int RSA_flags(const RSA *rsa); \& -\& RSA *RSA_new_method(RSA_METHOD *method); +\& RSA *RSA_new_method(ENGINE *engine); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -168,15 +164,18 @@ important information about how these \s-1RSA API\s0 functions are affected by t use of \fB\s-1ENGINE\s0\fR \s-1API\s0 calls. .PP Initially, the default \s-1RSA_METHOD\s0 is the OpenSSL internal implementation, -as returned by \fIRSA_PKCS1_SSLeay()\fR. +as returned by \fIRSA_PKCS1_OpenSSL()\fR. .PP \&\fIRSA_set_default_method()\fR makes \fBmeth\fR the default method for all \s-1RSA\s0 -structures created later. \fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has +structures created later. +\&\fB\s-1NB\s0\fR: This is true only whilst no \s-1ENGINE\s0 has been set as a default for \s-1RSA,\s0 so this function is no longer recommended. +This function is not thread-safe and should not be called at the same time +as other OpenSSL functions. .PP \&\fIRSA_get_default_method()\fR returns a pointer to the current default \&\s-1RSA_METHOD.\s0 However, the meaningfulness of this result is dependent on -whether the \s-1ENGINE API\s0 is being used, so this function is no longer +whether the \s-1ENGINE API\s0 is being used, so this function is no longer recommended. .PP \&\fIRSA_set_method()\fR selects \fBmeth\fR to perform all operations using the key @@ -213,69 +212,62 @@ the default method is used. \& typedef struct rsa_meth_st \& { \& /* name of the implementation */ -\& const char *name; +\& const char *name; \& \& /* encrypt */ -\& int (*rsa_pub_enc)(int flen, unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); +\& int (*rsa_pub_enc)(int flen, unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); \& \& /* verify arbitrary data */ -\& int (*rsa_pub_dec)(int flen, unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); +\& int (*rsa_pub_dec)(int flen, unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); \& \& /* sign arbitrary data */ -\& int (*rsa_priv_enc)(int flen, unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); +\& int (*rsa_priv_enc)(int flen, unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); \& \& /* decrypt */ -\& int (*rsa_priv_dec)(int flen, unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); +\& int (*rsa_priv_dec)(int flen, unsigned char *from, +\& unsigned char *to, RSA *rsa, int padding); \& -\& /* compute r0 = r0 ^ I mod rsa\->n (May be NULL for some -\& implementations) */ -\& int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa); +\& /* compute r0 = r0 ^ I mod rsa\->n (May be NULL for some implementations) */ +\& int (*rsa_mod_exp)(BIGNUM *r0, BIGNUM *I, RSA *rsa); \& \& /* compute r = a ^ p mod m (May be NULL for some implementations) */ -\& int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p, -\& const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); +\& int (*bn_mod_exp)(BIGNUM *r, BIGNUM *a, const BIGNUM *p, +\& const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); \& \& /* called at RSA_new */ -\& int (*init)(RSA *rsa); +\& int (*init)(RSA *rsa); \& \& /* called at RSA_free */ -\& int (*finish)(RSA *rsa); +\& int (*finish)(RSA *rsa); \& -\& /* RSA_FLAG_EXT_PKEY \- rsa_mod_exp is called for private key +\& /* +\& * RSA_FLAG_EXT_PKEY \- rsa_mod_exp is called for private key \& * operations, even if p,q,dmp1,dmq1,iqmp \& * are NULL -\& * RSA_FLAG_SIGN_VER \- enable rsa_sign and rsa_verify \& * RSA_METHOD_FLAG_NO_CHECK \- don\*(Aqt check pub/private match \& */ -\& int flags; +\& int flags; \& -\& char *app_data; /* ?? */ +\& char *app_data; /* ?? */ \& -\& /* sign. For backward compatibility, this is used only -\& * if (flags & RSA_FLAG_SIGN_VER) -\& */ -\& int (*rsa_sign)(int type, -\& const unsigned char *m, unsigned int m_length, -\& unsigned char *sigret, unsigned int *siglen, const RSA *rsa); -\& /* verify. For backward compatibility, this is used only -\& * if (flags & RSA_FLAG_SIGN_VER) -\& */ -\& int (*rsa_verify)(int dtype, -\& const unsigned char *m, unsigned int m_length, -\& const unsigned char *sigbuf, unsigned int siglen, -\& const RSA *rsa); +\& int (*rsa_sign)(int type, +\& const unsigned char *m, unsigned int m_length, +\& unsigned char *sigret, unsigned int *siglen, const RSA *rsa); +\& int (*rsa_verify)(int dtype, +\& const unsigned char *m, unsigned int m_length, +\& const unsigned char *sigbuf, unsigned int siglen, +\& const RSA *rsa); \& /* keygen. If NULL builtin RSA key generation will be used */ -\& int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); +\& int (*rsa_keygen)(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb); \& \& } RSA_METHOD; .Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIRSA_PKCS1_SSLeay()\fR, \fIRSA_PKCS1_null_method()\fR, \fIRSA_get_default_method()\fR +\&\fIRSA_PKCS1_OpenSSL()\fR, \fIRSA_PKCS1_null_method()\fR, \fIRSA_get_default_method()\fR and \fIRSA_get_method()\fR return pointers to the respective RSA_METHODs. .PP \&\fIRSA_set_default_method()\fR returns no value. @@ -291,15 +283,6 @@ declaration in a future release. \&\fIRSA_new_method()\fR returns \s-1NULL\s0 and sets an error code that can be obtained by \fIERR_get_error\fR\|(3) if the allocation fails. Otherwise it returns a pointer to the newly allocated structure. -.SH "NOTES" -.IX Header "NOTES" -As of version 0.9.7, \s-1RSA_METHOD\s0 implementations are grouped together with -other algorithmic APIs (eg. \s-1DSA_METHOD, EVP_CIPHER,\s0 etc) into \fB\s-1ENGINE\s0\fR -modules. If a default \s-1ENGINE\s0 is specified for \s-1RSA\s0 functionality using an -\&\s-1ENGINE API\s0 function, that will override any \s-1RSA\s0 defaults set using the \s-1RSA -API\s0 (ie. \fIRSA_set_default_method()\fR). For this reason, the \s-1ENGINE API\s0 is the -recommended way to control default implementations for use in \s-1RSA\s0 and other -cryptographic algorithms. .SH "BUGS" .IX Header "BUGS" The behaviour of \fIRSA_flags()\fR is a mis-feature that is left as-is for now @@ -313,21 +296,16 @@ be reflected in the return value of the \fIRSA_flags()\fR function \- in effect not currently exist). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrsa\fR\|(3), \fIRSA_new\fR\|(3) +\&\fIRSA_new\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIRSA_new_method()\fR and \fIRSA_set_default_method()\fR appeared in SSLeay 0.8. -\&\fIRSA_get_default_method()\fR, \fIRSA_set_method()\fR and \fIRSA_get_method()\fR as -well as the rsa_sign and rsa_verify components of \s-1RSA_METHOD\s0 were -added in OpenSSL 0.9.4. +The \fIRSA_null_method()\fR, which was a partial attempt to avoid patent issues, +was replaced to always return \s-1NULL\s0 in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fIRSA_set_default_openssl_method()\fR and \fIRSA_get_default_openssl_method()\fR -replaced \fIRSA_set_default_method()\fR and \fIRSA_get_default_method()\fR -respectively, and \fIRSA_set_method()\fR and \fIRSA_new_method()\fR were altered to use -\&\fB\s-1ENGINE\s0\fRs rather than \fB\s-1RSA_METHOD\s0\fRs during development of the engine -version of OpenSSL 0.9.6. For 0.9.7, the handling of defaults in the \s-1ENGINE -API\s0 was restructured so that this change was reversed, and behaviour of the -other functions resembled more closely the previous behaviour. The -behaviour of defaults in the \s-1ENGINE API\s0 now transparently overrides the -behaviour of defaults in the \s-1RSA API\s0 without requiring changing these -function prototypes. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_sign.3 b/secure/lib/libcrypto/man/RSA_sign.3 index 9acb4c58777b..be0e26fbbd0f 100644 --- a/secure/lib/libcrypto/man/RSA_sign.3 +++ b/secure/lib/libcrypto/man/RSA_sign.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_sign 3" -.TH RSA_sign 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_SIGN 3" +.TH RSA_SIGN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,25 +142,25 @@ RSA_sign, RSA_verify \- RSA signatures \& #include \& \& int RSA_sign(int type, const unsigned char *m, unsigned int m_len, -\& unsigned char *sigret, unsigned int *siglen, RSA *rsa); +\& unsigned char *sigret, unsigned int *siglen, RSA *rsa); \& \& int RSA_verify(int type, const unsigned char *m, unsigned int m_len, -\& unsigned char *sigbuf, unsigned int siglen, RSA *rsa); +\& unsigned char *sigbuf, unsigned int siglen, RSA *rsa); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIRSA_sign()\fR signs the message digest \fBm\fR of size \fBm_len\fR using the -private key \fBrsa\fR as specified in \s-1PKCS\s0 #1 v2.0. It stores the -signature in \fBsigret\fR and the signature size in \fBsiglen\fR. \fBsigret\fR -must point to RSA_size(\fBrsa\fR) bytes of memory. +private key \fBrsa\fR using RSASSA\-PKCS1\-v1_5 as specified in \s-1RFC 3447.\s0 It +stores the signature in \fBsigret\fR and the signature size in \fBsiglen\fR. +\&\fBsigret\fR must point to RSA_size(\fBrsa\fR) bytes of memory. Note that \s-1PKCS\s0 #1 adds meta-data, placing limits on the size of the key that can be used. See \fIRSA_private_encrypt\fR\|(3) for lower-level operations. .PP \&\fBtype\fR denotes the message digest algorithm that was used to generate -\&\fBm\fR. It usually is one of \fBNID_sha1\fR, \fBNID_ripemd160\fR and \fBNID_md5\fR; -see \fIobjects\fR\|(3) for details. If \fBtype\fR is \fBNID_md5_sha1\fR, +\&\fBm\fR. +If \fBtype\fR is \fBNID_md5_sha1\fR, an \s-1SSL\s0 signature (\s-1MD5\s0 and \s-1SHA1\s0 message digests with \s-1PKCS\s0 #1 padding and no algorithm identifier) is created. .PP @@ -170,23 +170,23 @@ the message digest algorithm that was used to generate the signature. \&\fBrsa\fR is the signer's public key. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIRSA_sign()\fR returns 1 on success, 0 otherwise. \fIRSA_verify()\fR returns 1 -on successful verification, 0 otherwise. +\&\fIRSA_sign()\fR returns 1 on success. +\&\fIRSA_verify()\fR returns 1 on successful verification. .PP The error codes can be obtained by \fIERR_get_error\fR\|(3). -.SH "BUGS" -.IX Header "BUGS" -Certain signatures with an improper algorithm identifier are accepted -for compatibility with SSLeay 0.4.5 :\-) .SH "CONFORMING TO" .IX Header "CONFORMING TO" \&\s-1SSL, PKCS\s0 #1 v2.0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fIobjects\fR\|(3), -\&\fIrsa\fR\|(3), \fIRSA_private_encrypt\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIRSA_private_encrypt\fR\|(3), \&\fIRSA_public_decrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRSA_sign()\fR and \fIRSA_verify()\fR are available in all versions of SSLeay -and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 b/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 index 144e54461e2b..214f1666b1ea 100644 --- a/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 +++ b/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_sign_ASN1_OCTET_STRING 3" -.TH RSA_sign_ASN1_OCTET_STRING 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_SIGN_ASN1_OCTET_STRING 3" +.TH RSA_SIGN_ASN1_OCTET_STRING 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,12 +142,12 @@ RSA_sign_ASN1_OCTET_STRING, RSA_verify_ASN1_OCTET_STRING \- RSA signatures \& #include \& \& int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m, -\& unsigned int m_len, unsigned char *sigret, unsigned int *siglen, -\& RSA *rsa); +\& unsigned int m_len, unsigned char *sigret, +\& unsigned int *siglen, RSA *rsa); \& \& int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m, -\& unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, -\& RSA *rsa); +\& unsigned int m_len, unsigned char *sigbuf, +\& unsigned int siglen, RSA *rsa); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -177,10 +177,14 @@ The error codes can be obtained by \fIERR_get_error\fR\|(3). These functions serve no recognizable purpose. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fIobjects\fR\|(3), -\&\fIrand\fR\|(3), \fIrsa\fR\|(3), \fIRSA_sign\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIRAND_bytes\fR\|(3), \fIRSA_sign\fR\|(3), \&\fIRSA_verify\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIRSA_sign_ASN1_OCTET_STRING()\fR and \fIRSA_verify_ASN1_OCTET_STRING()\fR were -added in SSLeay 0.8. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/RSA_size.3 b/secure/lib/libcrypto/man/RSA_size.3 index 8e7b22871a0d..3cd8cce07433 100644 --- a/secure/lib/libcrypto/man/RSA_size.3 +++ b/secure/lib/libcrypto/man/RSA_size.3 @@ -128,34 +128,55 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "RSA_size 3" -.TH RSA_size 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "RSA_SIZE 3" +.TH RSA_SIZE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -RSA_size \- get RSA modulus size +RSA_size, RSA_bits, RSA_security_bits \- get RSA modulus size or security bits .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int RSA_size(const RSA *rsa); +\& +\& int RSA_bits(const RSA *rsa); +\& +\& int RSA_security_bits(const RSA *rsa) .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -This function returns the \s-1RSA\s0 modulus size in bytes. It can be used to +\&\fIRSA_size()\fR returns the \s-1RSA\s0 modulus size in bytes. It can be used to determine how much memory must be allocated for an \s-1RSA\s0 encrypted value. .PP -\&\fBrsa\->n\fR must not be \fB\s-1NULL\s0\fR. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" -The size in bytes. +\&\fIRSA_bits()\fR returns the number of significant bits. +.PP +\&\fBrsa\fR and \fBrsa\->n\fR must not be \fB\s-1NULL\s0\fR. +.PP +\&\fIRSA_security_bits()\fR returns the number of security bits of the given \fBrsa\fR +key. See \fIBN_security_bits\fR\|(3). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIRSA_size()\fR returns the size of modulus in bytes. +.PP +\&\fIDSA_bits()\fR returns the number of bits in the key. +.PP +\&\fIRSA_security_bits()\fR returns the number of security bits. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIrsa\fR\|(3) +\&\fIBN_num_bits\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIRSA_size()\fR is available in all versions of SSLeay and OpenSSL. +\&\fIRSA_bits()\fR was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SCT_new.3 b/secure/lib/libcrypto/man/SCT_new.3 new file mode 100644 index 000000000000..0f6978ec860f --- /dev/null +++ b/secure/lib/libcrypto/man/SCT_new.3 @@ -0,0 +1,302 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SCT_NEW 3" +.TH SCT_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SCT_new, SCT_new_from_base64, SCT_free, SCT_LIST_free, SCT_get_version, SCT_set_version, SCT_get_log_entry_type, SCT_set_log_entry_type, SCT_get0_log_id, SCT_set0_log_id, SCT_set1_log_id, SCT_get_timestamp, SCT_set_timestamp, SCT_get_signature_nid, SCT_set_signature_nid, SCT_get0_signature, SCT_set0_signature, SCT_set1_signature, SCT_get0_extensions, SCT_set0_extensions, SCT_set1_extensions, SCT_get_source, SCT_set_source \&\- A Certificate Transparency Signed Certificate Timestamp +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef enum { +\& CT_LOG_ENTRY_TYPE_NOT_SET = \-1, +\& CT_LOG_ENTRY_TYPE_X509 = 0, +\& CT_LOG_ENTRY_TYPE_PRECERT = 1 +\& } ct_log_entry_type_t; +\& +\& typedef enum { +\& SCT_VERSION_NOT_SET = \-1, +\& SCT_VERSION_V1 = 0 +\& } sct_version_t; +\& +\& typedef enum { +\& SCT_SOURCE_UNKNOWN, +\& SCT_SOURCE_TLS_EXTENSION, +\& SCT_SOURCE_X509V3_EXTENSION, +\& SCT_SOURCE_OCSP_STAPLED_RESPONSE +\& } sct_source_t; +\& +\& SCT *SCT_new(void); +\& SCT *SCT_new_from_base64(unsigned char version, +\& const char *logid_base64, +\& ct_log_entry_type_t entry_type, +\& uint64_t timestamp, +\& const char *extensions_base64, +\& const char *signature_base64); +\& +\& void SCT_free(SCT *sct); +\& void SCT_LIST_free(STACK_OF(SCT) *a); +\& +\& sct_version_t SCT_get_version(const SCT *sct); +\& int SCT_set_version(SCT *sct, sct_version_t version); +\& +\& ct_log_entry_type_t SCT_get_log_entry_type(const SCT *sct); +\& int SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type); +\& +\& size_t SCT_get0_log_id(const SCT *sct, unsigned char **log_id); +\& int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len); +\& int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len); +\& +\& uint64_t SCT_get_timestamp(const SCT *sct); +\& void SCT_set_timestamp(SCT *sct, uint64_t timestamp); +\& +\& int SCT_get_signature_nid(const SCT *sct); +\& int SCT_set_signature_nid(SCT *sct, int nid); +\& +\& size_t SCT_get0_signature(const SCT *sct, unsigned char **sig); +\& void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len); +\& int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len); +\& +\& size_t SCT_get0_extensions(const SCT *sct, unsigned char **ext); +\& void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len); +\& int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len); +\& +\& sct_source_t SCT_get_source(const SCT *sct); +\& int SCT_set_source(SCT *sct, sct_source_t source); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Signed Certificate Timestamps (SCTs) are defined by \s-1RFC 6962,\s0 Section 3.2. +They constitute a promise by a Certificate Transparency (\s-1CT\s0) log to publicly +record a certificate. By cryptographically verifying that a log did indeed issue +an \s-1SCT,\s0 some confidence can be gained that the certificate is publicly known. +.PP +An internal representation of an \s-1SCT\s0 can be created in one of two ways. +The first option is to create a blank \s-1SCT,\s0 using \fISCT_new()\fR, and then populate +it using: +.IP "\(bu" 2 +\&\fISCT_set_version()\fR to set the \s-1SCT\s0 version. +.Sp +Only \s-1SCT_VERSION_V1\s0 is currently supported. +.IP "\(bu" 2 +\&\fISCT_set_log_entry_type()\fR to set the type of certificate the \s-1SCT\s0 was issued for: +.Sp +\&\fB\s-1CT_LOG_ENTRY_TYPE_X509\s0\fR for a normal certificate. +\&\fB\s-1CT_LOG_ENTRY_TYPE_PRECERT\s0\fR for a pre-certificate. +.IP "\(bu" 2 +\&\fISCT_set0_log_id()\fR or \fISCT_set1_log_id()\fR to set the LogID of the \s-1CT\s0 log that the \s-1SCT\s0 came from. +.Sp +The former takes ownership, whereas the latter makes a copy. +See \s-1RFC 6962,\s0 Section 3.2 for the definition of LogID. +.IP "\(bu" 2 +\&\fISCT_set_timestamp()\fR to set the time the \s-1SCT\s0 was issued (epoch time in milliseconds). +.IP "\(bu" 2 +\&\fISCT_set_signature_nid()\fR to set the \s-1NID\s0 of the signature. +.IP "\(bu" 2 +\&\fISCT_set0_signature()\fR or \fISCT_set1_signature()\fR to set the raw signature value. +.Sp +The former takes ownership, whereas the latter makes a copy. +.IP "\(bu" 2 +\&\fISCT_set0_extensions()\fR or \fBSCT_set1_extensions\fR to provide \s-1SCT\s0 extensions. +.Sp +The former takes ownership, whereas the latter makes a copy. +.PP +Alternatively, the \s-1SCT\s0 can be pre-populated from the following data using +\&\fISCT_new_from_base64()\fR: +.IP "\(bu" 2 +The \s-1SCT\s0 version (only \s-1SCT_VERSION_V1\s0 is currently supported). +.IP "\(bu" 2 +The LogID (see \s-1RFC 6962,\s0 Section 3.2), base64 encoded. +.IP "\(bu" 2 +The type of certificate the \s-1SCT\s0 was issued for: +\&\fB\s-1CT_LOG_ENTRY_TYPE_X509\s0\fR for a normal certificate. +\&\fB\s-1CT_LOG_ENTRY_TYPE_PRECERT\s0\fR for a pre-certificate. +.IP "\(bu" 2 +The time that the \s-1SCT\s0 was issued (epoch time in milliseconds). +.IP "\(bu" 2 +The \s-1SCT\s0 extensions, base64 encoded. +.IP "\(bu" 2 +The \s-1SCT\s0 signature, base64 encoded. +.PP +\&\fISCT_set_source()\fR can be used to record where the \s-1SCT\s0 was found +(\s-1TLS\s0 extension, X.509 certificate extension or \s-1OCSP\s0 response). This is not +required for verifying the \s-1SCT.\s0 +.SH "NOTES" +.IX Header "NOTES" +Some of the setters return int, instead of void. These will all return 1 on +success, 0 on failure. They will not make changes on failure. +.PP +All of the setters will reset the validation status of the \s-1SCT\s0 to +\&\s-1SCT_VALIDATION_STATUS_NOT_SET\s0 (see \fISCT_validate\fR\|(3)). +.PP +\&\fISCT_set_source()\fR will call \fISCT_set_log_entry_type()\fR if the type of +certificate the \s-1SCT\s0 was issued for can be inferred from where the \s-1SCT\s0 was found. +For example, an \s-1SCT\s0 found in an X.509 extension must have been issued for a pre\- +certificate. +.PP +\&\fISCT_set_source()\fR will not refuse unknown values. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISCT_set_version()\fR returns 1 if the specified version is supported, 0 otherwise. +.PP +\&\fISCT_set_log_entry_type()\fR returns 1 if the specified log entry type is supported, 0 otherwise. +.PP +\&\fISCT_set0_log_id()\fR and \fBSCT_set1_log_id\fR return 1 if the specified LogID is a +valid \s-1SHA\-256\s0 hash, 0 otherwise. Additionally, \fBSCT_set1_log_id\fR returns 0 if +malloc fails. +.PP +\&\fBSCT_set_signature_nid\fR returns 1 if the specified \s-1NID\s0 is supported, 0 otherwise. +.PP +\&\fBSCT_set1_extensions\fR and \fBSCT_set1_signature\fR return 1 if the supplied buffer +is copied successfully, 0 otherwise (i.e. if malloc fails). +.PP +\&\fBSCT_set_source\fR returns 1 on success, 0 otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIct\fR\|(7), +\&\fISCT_validate\fR\|(3), +\&\fIOBJ_nid2obj\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SCT_print.3 b/secure/lib/libcrypto/man/SCT_print.3 new file mode 100644 index 000000000000..f8b44dfe440b --- /dev/null +++ b/secure/lib/libcrypto/man/SCT_print.3 @@ -0,0 +1,183 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SCT_PRINT 3" +.TH SCT_PRINT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SCT_print, SCT_LIST_print, SCT_validation_status_string \- Prints Signed Certificate Timestamps in a human\-readable way +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void SCT_print(const SCT *sct, BIO *out, int indent, const CTLOG_STORE *logs); +\& void SCT_LIST_print(const STACK_OF(SCT) *sct_list, BIO *out, int indent, +\& const char *separator, const CTLOG_STORE *logs); +\& const char *SCT_validation_status_string(const SCT *sct); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISCT_print()\fR prints a single Signed Certificate Timestamp (\s-1SCT\s0) to a bio in +a human-readable format. \fISCT_LIST_print()\fR prints an entire list of SCTs in a +similar way. A separator can be specified to delimit each \s-1SCT\s0 in the output. +.PP +The output can be indented by a specified number of spaces. If a \fB\s-1CTLOG_STORE\s0\fR +is provided, it will be used to print the description of the \s-1CT\s0 log that issued +each \s-1SCT\s0 (if that log is in the \s-1CTLOG_STORE\s0). Alternatively, \s-1NULL\s0 can be passed +as the \s-1CTLOG_STORE\s0 parameter to disable this feature. +.PP +\&\fISCT_validation_status_string()\fR will return the validation status of an \s-1SCT\s0 as +a human-readable string. Call \fISCT_validate()\fR or \fISCT_LIST_validate()\fR +beforehand in order to set the validation status of an \s-1SCT\s0 first. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISCT_validation_status_string()\fR returns a null-terminated string representing +the validation status of an \fB\s-1SCT\s0\fR object. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIct\fR\|(7), +\&\fIbio\fR\|(7), +\&\fICTLOG_STORE_new\fR\|(3), +\&\fISCT_validate\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SCT_validate.3 b/secure/lib/libcrypto/man/SCT_validate.3 new file mode 100644 index 000000000000..ef0676f1c543 --- /dev/null +++ b/secure/lib/libcrypto/man/SCT_validate.3 @@ -0,0 +1,219 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SCT_VALIDATE 3" +.TH SCT_VALIDATE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SCT_validate, SCT_LIST_validate, SCT_get_validation_status \- checks Signed Certificate Timestamps (SCTs) are valid +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef enum { +\& SCT_VALIDATION_STATUS_NOT_SET, +\& SCT_VALIDATION_STATUS_UNKNOWN_LOG, +\& SCT_VALIDATION_STATUS_VALID, +\& SCT_VALIDATION_STATUS_INVALID, +\& SCT_VALIDATION_STATUS_UNVERIFIED, +\& SCT_VALIDATION_STATUS_UNKNOWN_VERSION +\& } sct_validation_status_t; +\& +\& int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx); +\& int SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx); +\& sct_validation_status_t SCT_get_validation_status(const SCT *sct); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISCT_validate()\fR will check that an \s-1SCT\s0 is valid and verify its signature. +\&\fISCT_LIST_validate()\fR performs the same checks on an entire stack of SCTs. +The result of the validation checks can be obtained by passing the \s-1SCT\s0 to +\&\fISCT_get_validation_status()\fR. +.PP +A \s-1CT_POLICY_EVAL_CTX\s0 must be provided that specifies: +.IP "\(bu" 2 +The certificate the \s-1SCT\s0 was issued for. +.Sp +Failure to provide the certificate will result in the validation status being +\&\s-1SCT_VALIDATION_STATUS_UNVERIFIED.\s0 +.IP "\(bu" 2 +The issuer of that certificate. +.Sp +This is only required if the \s-1SCT\s0 was issued for a pre-certificate +(see \s-1RFC 6962\s0). If it is required but not provided, the validation status will +be \s-1SCT_VALIDATION_STATUS_UNVERIFIED.\s0 +.IP "\(bu" 2 +A \s-1CTLOG_STORE\s0 that contains the \s-1CT\s0 log that issued this \s-1SCT.\s0 +.Sp +If the \s-1SCT\s0 was issued by a log that is not in this \s-1CTLOG_STORE,\s0 the validation +status will be \s-1SCT_VALIDATION_STATUS_UNKNOWN_LOG.\s0 +.PP +If the \s-1SCT\s0 is of an unsupported version (only v1 is currently supported), the +validation status will be \s-1SCT_VALIDATION_STATUS_UNKNOWN_VERSION.\s0 +.PP +If the \s-1SCT\s0's signature is incorrect, its timestamp is in the future (relative to +the time in \s-1CT_POLICY_EVAL_CTX\s0), or if it is otherwise invalid, the validation +status will be \s-1SCT_VALIDATION_STATUS_INVALID.\s0 +.PP +If all checks pass, the validation status will be \s-1SCT_VALIDATION_STATUS_VALID.\s0 +.SH "NOTES" +.IX Header "NOTES" +A return value of 0 from \fISCT_LIST_validate()\fR should not be interpreted as a +failure. At a minimum, only one valid \s-1SCT\s0 may provide sufficient confidence +that a certificate has been publicly logged. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISCT_validate()\fR returns a negative integer if an internal error occurs, 0 if the +\&\s-1SCT\s0 fails validation, or 1 if the \s-1SCT\s0 passes validation. +.PP +\&\fISCT_LIST_validate()\fR returns a negative integer if an internal error occurs, 0 +if any of SCTs fails validation, or 1 if they all pass validation. +.PP +\&\fISCT_get_validation_status()\fR returns the validation status of the \s-1SCT.\s0 +If \fISCT_validate()\fR or \fISCT_LIST_validate()\fR have not been passed that \s-1SCT,\s0 the +returned value will be \s-1SCT_VALIDATION_STATUS_NOT_SET.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIct\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/sha.3 b/secure/lib/libcrypto/man/SHA256_Init.3 similarity index 89% rename from secure/lib/libcrypto/man/sha.3 rename to secure/lib/libcrypto/man/SHA256_Init.3 index 3c634647581b..4e6ab489dcc4 100644 --- a/secure/lib/libcrypto/man/sha.3 +++ b/secure/lib/libcrypto/man/SHA256_Init.3 @@ -128,17 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "sha 3" -.TH sha 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SHA256_INIT 3" +.TH SHA256_INIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SHA1, SHA1_Init, SHA1_Update, SHA1_Final, SHA224, SHA224_Init, SHA224_Update, -SHA224_Final, SHA256, SHA256_Init, SHA256_Update, SHA256_Final, SHA384, -SHA384_Init, SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update, -SHA512_Final \- Secure Hash Algorithm +SHA1, SHA1_Init, SHA1_Update, SHA1_Final, SHA224, SHA224_Init, SHA224_Update, SHA224_Final, SHA256, SHA256_Init, SHA256_Update, SHA256_Final, SHA384, SHA384_Init, SHA384_Update, SHA384_Final, SHA512, SHA512_Init, SHA512_Update, SHA512_Final \- Secure Hash Algorithm .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -148,31 +145,31 @@ SHA512_Final \- Secure Hash Algorithm \& int SHA1_Update(SHA_CTX *c, const void *data, size_t len); \& int SHA1_Final(unsigned char *md, SHA_CTX *c); \& unsigned char *SHA1(const unsigned char *d, size_t n, -\& unsigned char *md); +\& unsigned char *md); \& \& int SHA224_Init(SHA256_CTX *c); \& int SHA224_Update(SHA256_CTX *c, const void *data, size_t len); \& int SHA224_Final(unsigned char *md, SHA256_CTX *c); \& unsigned char *SHA224(const unsigned char *d, size_t n, -\& unsigned char *md); +\& unsigned char *md); \& \& int SHA256_Init(SHA256_CTX *c); \& int SHA256_Update(SHA256_CTX *c, const void *data, size_t len); \& int SHA256_Final(unsigned char *md, SHA256_CTX *c); \& unsigned char *SHA256(const unsigned char *d, size_t n, -\& unsigned char *md); +\& unsigned char *md); \& \& int SHA384_Init(SHA512_CTX *c); \& int SHA384_Update(SHA512_CTX *c, const void *data, size_t len); \& int SHA384_Final(unsigned char *md, SHA512_CTX *c); \& unsigned char *SHA384(const unsigned char *d, size_t n, -\& unsigned char *md); +\& unsigned char *md); \& \& int SHA512_Init(SHA512_CTX *c); \& int SHA512_Update(SHA512_CTX *c, const void *data, size_t len); \& int SHA512_Final(unsigned char *md, SHA512_CTX *c); \& unsigned char *SHA512(const unsigned char *d, size_t n, -\& unsigned char *md); +\& unsigned char *md); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -224,8 +221,12 @@ Standard), \&\s-1ANSI X9.30\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIripemd\fR\|(3), \fIhmac\fR\|(3), \fIEVP_DigestInit\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1\fISHA1\s0()\fR, \fISHA1_Init()\fR, \fISHA1_Update()\fR and \fISHA1_Final()\fR are available in all -versions of SSLeay and OpenSSL. +\&\fIEVP_DigestInit\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SMIME_read_CMS.3 b/secure/lib/libcrypto/man/SMIME_read_CMS.3 index 5cd707020612..560d5b2d1aeb 100644 --- a/secure/lib/libcrypto/man/SMIME_read_CMS.3 +++ b/secure/lib/libcrypto/man/SMIME_read_CMS.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SMIME_read_CMS 3" -.TH SMIME_read_CMS 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SMIME_READ_CMS 3" +.TH SMIME_READ_CMS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& SMIME_read_CMS \- parse S/MIME message. -.Ve +SMIME_read_CMS \- parse S/MIME message .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -191,10 +189,15 @@ should be available. if an error occurred. The error can be obtained from \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fICMS_type\fR\|(3) +\&\fIERR_get_error\fR\|(3), \fICMS_type\fR\|(3), \&\fISMIME_read_CMS\fR\|(3), \fICMS_sign\fR\|(3), -\&\fICMS_verify\fR\|(3), \fICMS_encrypt\fR\|(3) +\&\fICMS_verify\fR\|(3), \fICMS_encrypt\fR\|(3), \&\fICMS_decrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fISMIME_read_CMS()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 b/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 index 3f461ae9a5c5..3df09a1d1326 100644 --- a/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 +++ b/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SMIME_read_PKCS7 3" -.TH SMIME_read_PKCS7 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SMIME_READ_PKCS7 3" +.TH SMIME_READ_PKCS7 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SMIME_read_PKCS7 \- parse S/MIME message. +SMIME_read_PKCS7 \- parse S/MIME message .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -162,7 +162,7 @@ signed. \fB*bcont\fR can then be passed to \fIPKCS7_verify()\fR with the \fB\s-1PKCS7_DETACHED\s0\fR flag set. .PP Otherwise the type of the returned structure can be determined -using \fIPKCS7_type()\fR. +using \fIPKCS7_type_is_enveloped()\fR, etc. .PP To support future functionality if \fBbcont\fR is not \fB\s-1NULL\s0\fR \&\fB*bcont\fR should be initialized to \fB\s-1NULL\s0\fR. For example: @@ -192,10 +192,15 @@ streaming single pass option should be available. if an error occurred. The error can be obtained from \fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fIPKCS7_type\fR\|(3) +\&\fIERR_get_error\fR\|(3), \&\fISMIME_read_PKCS7\fR\|(3), \fIPKCS7_sign\fR\|(3), \&\fIPKCS7_verify\fR\|(3), \fIPKCS7_encrypt\fR\|(3) \&\fIPKCS7_decrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fISMIME_read_PKCS7()\fR was added to OpenSSL 0.9.5 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SMIME_write_CMS.3 b/secure/lib/libcrypto/man/SMIME_write_CMS.3 index ab5ce7ff2918..062bbf08405b 100644 --- a/secure/lib/libcrypto/man/SMIME_write_CMS.3 +++ b/secure/lib/libcrypto/man/SMIME_write_CMS.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SMIME_write_CMS 3" -.TH SMIME_write_CMS 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SMIME_WRITE_CMS 3" +.TH SMIME_WRITE_CMS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& SMIME_write_CMS \- convert CMS structure to S/MIME format. -.Ve +SMIME_write_CMS \- convert CMS structure to S/MIME format .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -187,6 +185,11 @@ option to disable this. \&\fIERR_get_error\fR\|(3), \fICMS_sign\fR\|(3), \&\fICMS_verify\fR\|(3), \fICMS_encrypt\fR\|(3) \&\fICMS_decrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fISMIME_write_CMS()\fR was added to OpenSSL 0.9.8 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 b/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 index 6d3b2e00a7c3..71d3fecdd42c 100644 --- a/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 +++ b/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SMIME_write_PKCS7 3" -.TH SMIME_write_PKCS7 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SMIME_WRITE_PKCS7 3" +.TH SMIME_WRITE_PKCS7 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SMIME_write_PKCS7 \- convert PKCS#7 structure to S/MIME format. +SMIME_write_PKCS7 \- convert PKCS#7 structure to S/MIME format .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -165,14 +165,14 @@ is also set. .PP If the \fB\s-1PKCS7_STREAM\s0\fR flag is set streaming is performed. This flag should only be set if \fB\s-1PKCS7_STREAM\s0\fR was also set in the previous call to -\&\fIPKCS7_sign()\fR or \fB\f(BIPKCS7_encrypt()\fB\fR. +\&\fIPKCS7_sign()\fR or \fIPKCS7_encrypt()\fR. .PP If cleartext signing is being used and \fB\s-1PKCS7_STREAM\s0\fR not set then the data must be read twice: once to compute the signature in \fIPKCS7_sign()\fR and once to output the S/MIME message. .PP If streaming is performed the content is output in \s-1BER\s0 format using indefinite -length constructuted encoding except in the case of signed data with detached +length constructed encoding except in the case of signed data with detached content where the content is absent and \s-1DER\s0 format is used. .SH "BUGS" .IX Header "BUGS" @@ -186,6 +186,11 @@ should be an option to disable this. \&\fIERR_get_error\fR\|(3), \fIPKCS7_sign\fR\|(3), \&\fIPKCS7_verify\fR\|(3), \fIPKCS7_encrypt\fR\|(3) \&\fIPKCS7_decrypt\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fISMIME_write_PKCS7()\fR was added to OpenSSL 0.9.5 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CIPHER_get_name.3 b/secure/lib/libcrypto/man/SSL_CIPHER_get_name.3 new file mode 100644 index 000000000000..e9dd4e26e91b --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CIPHER_get_name.3 @@ -0,0 +1,318 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CIPHER_GET_NAME 3" +.TH SSL_CIPHER_GET_NAME 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CIPHER_get_name, SSL_CIPHER_standard_name, OPENSSL_cipher_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description, SSL_CIPHER_get_cipher_nid, SSL_CIPHER_get_digest_nid, SSL_CIPHER_get_handshake_digest, SSL_CIPHER_get_kx_nid, SSL_CIPHER_get_auth_nid, SSL_CIPHER_is_aead, SSL_CIPHER_find, SSL_CIPHER_get_id, SSL_CIPHER_get_protocol_id \&\- get SSL_CIPHER properties +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher); +\& const char *SSL_CIPHER_standard_name(const SSL_CIPHER *cipher); +\& const char *OPENSSL_cipher_name(const char *stdname); +\& int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits); +\& char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); +\& char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size); +\& int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c); +\& int SSL_CIPHER_get_digest_nid(const SSL_CIPHER *c); +\& const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c); +\& int SSL_CIPHER_get_kx_nid(const SSL_CIPHER *c); +\& int SSL_CIPHER_get_auth_nid(const SSL_CIPHER *c); +\& int SSL_CIPHER_is_aead(const SSL_CIPHER *c); +\& const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr); +\& uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *c); +\& uint32_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *c); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CIPHER_get_name()\fR returns a pointer to the name of \fBcipher\fR. If the +\&\fBcipher\fR is \s-1NULL,\s0 it returns \*(L"(\s-1NONE\s0)\*(R". +.PP +\&\fISSL_CIPHER_standard_name()\fR returns a pointer to the standard \s-1RFC\s0 name of +\&\fBcipher\fR. If the \fBcipher\fR is \s-1NULL,\s0 it returns \*(L"(\s-1NONE\s0)\*(R". If the \fBcipher\fR +has no standard name, it returns \fB\s-1NULL\s0\fR. If \fBcipher\fR was defined in both +SSLv3 and \s-1TLS,\s0 it returns the \s-1TLS\s0 name. +.PP +\&\fIOPENSSL_cipher_name()\fR returns a pointer to the OpenSSL name of \fBstdname\fR. +If the \fBstdname\fR is \s-1NULL,\s0 or \fBstdname\fR has no corresponding OpenSSL name, +it returns \*(L"(\s-1NONE\s0)\*(R". Where both exist, \fBstdname\fR should be the \s-1TLS\s0 name rather +than the SSLv3 name. +.PP +\&\fISSL_CIPHER_get_bits()\fR returns the number of secret bits used for \fBcipher\fR. +If \fBcipher\fR is \s-1NULL, 0\s0 is returned. +.PP +\&\fISSL_CIPHER_get_version()\fR returns string which indicates the \s-1SSL/TLS\s0 protocol +version that first defined the cipher. It returns \*(L"(\s-1NONE\s0)\*(R" if \fBcipher\fR is \s-1NULL.\s0 +.PP +\&\fISSL_CIPHER_get_cipher_nid()\fR returns the cipher \s-1NID\s0 corresponding to \fBc\fR. +If there is no cipher (e.g. for cipher suites with no encryption) then +\&\fBNID_undef\fR is returned. +.PP +\&\fISSL_CIPHER_get_digest_nid()\fR returns the digest \s-1NID\s0 corresponding to the \s-1MAC\s0 +used by \fBc\fR during record encryption/decryption. If there is no digest (e.g. +for \s-1AEAD\s0 cipher suites) then \fBNID_undef\fR is returned. +.PP +\&\fISSL_CIPHER_get_handshake_digest()\fR returns an \s-1EVP_MD\s0 for the digest used during +the \s-1SSL/TLS\s0 handshake when using the \s-1SSL_CIPHER\s0 \fBc\fR. Note that this may be +different to the digest used to calculate the \s-1MAC\s0 for encrypted records. +.PP +\&\fISSL_CIPHER_get_kx_nid()\fR returns the key exchange \s-1NID\s0 corresponding to the method +used by \fBc\fR. If there is no key exchange, then \fBNID_undef\fR is returned. +If any appropriate key exchange algorithm can be used (as in the case of \s-1TLS 1.3\s0 +cipher suites) \fBNID_kx_any\fR is returned. Examples (not comprehensive): +.PP +.Vb 4 +\& NID_kx_rsa +\& NID_kx_ecdhe +\& NID_kx_dhe +\& NID_kx_psk +.Ve +.PP +\&\fISSL_CIPHER_get_auth_nid()\fR returns the authentication \s-1NID\s0 corresponding to the method +used by \fBc\fR. If there is no authentication, then \fBNID_undef\fR is returned. +If any appropriate authentication algorithm can be used (as in the case of +\&\s-1TLS 1.3\s0 cipher suites) \fBNID_auth_any\fR is returned. Examples (not comprehensive): +.PP +.Vb 3 +\& NID_auth_rsa +\& NID_auth_ecdsa +\& NID_auth_psk +.Ve +.PP +\&\fISSL_CIPHER_is_aead()\fR returns 1 if the cipher \fBc\fR is \s-1AEAD\s0 (e.g. \s-1GCM\s0 or +ChaCha20/Poly1305), and 0 if it is not \s-1AEAD.\s0 +.PP +\&\fISSL_CIPHER_find()\fR returns a \fB\s-1SSL_CIPHER\s0\fR structure which has the cipher \s-1ID\s0 stored +in \fBptr\fR. The \fBptr\fR parameter is a two element array of \fBchar\fR, which stores the +two-byte \s-1TLS\s0 cipher \s-1ID\s0 (as allocated by \s-1IANA\s0) in network byte order. This parameter +is usually retrieved from a \s-1TLS\s0 packet by using functions like +\&\fISSL_client_hello_get0_ciphers\fR\|(3). \fISSL_CIPHER_find()\fR returns \s-1NULL\s0 if an +error occurs or the indicated cipher is not found. +.PP +\&\fISSL_CIPHER_get_id()\fR returns the OpenSSL-specific \s-1ID\s0 of the given cipher \fBc\fR. That \s-1ID\s0 is +not the same as the IANA-specific \s-1ID.\s0 +.PP +\&\fISSL_CIPHER_get_protocol_id()\fR returns the two-byte \s-1ID\s0 used in the \s-1TLS\s0 protocol of the given +cipher \fBc\fR. +.PP +\&\fISSL_CIPHER_description()\fR returns a textual description of the cipher used +into the buffer \fBbuf\fR of length \fBlen\fR provided. If \fBbuf\fR is provided, it +must be at least 128 bytes, otherwise a buffer will be allocated using +\&\fIOPENSSL_malloc()\fR. If the provided buffer is too small, or the allocation fails, +\&\fB\s-1NULL\s0\fR is returned. +.PP +The string returned by \fISSL_CIPHER_description()\fR consists of several fields +separated by whitespace: +.IP "" 4 +.IX Item "" +Textual representation of the cipher name. +.IP "" 4 +.IX Item "" +Protocol version, such as \fBTLSv1.2\fR, when the cipher was first defined. +.IP "Kx=" 4 +.IX Item "Kx=" +Key exchange method such as \fB\s-1RSA\s0\fR, \fB\s-1ECDHE\s0\fR, etc. +.IP "Au=" 4 +.IX Item "Au=" +Authentication method such as \fB\s-1RSA\s0\fR, \fBNone\fR, etc.. None is the +representation of anonymous ciphers. +.IP "Enc=" 4 +.IX Item "Enc=" +Encryption method, with number of secret bits, such as \fB\s-1AESGCM\s0(128)\fR. +.IP "Mac=" 4 +.IX Item "Mac=" +Message digest, such as \fB\s-1SHA256\s0\fR. +.PP +Some examples for the output of \fISSL_CIPHER_description()\fR: +.PP +.Vb 2 +\& ECDHE\-RSA\-AES256\-GCM\-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD +\& RSA\-PSK\-AES256\-CBC\-SHA384 TLSv1.0 Kx=RSAPSK Au=RSA Enc=AES(256) Mac=SHA384 +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CIPHER_get_name()\fR, \fISSL_CIPHER_standard_name()\fR, \fIOPENSSL_cipher_name()\fR, +\&\fISSL_CIPHER_get_version()\fR and \fISSL_CIPHER_description()\fR return the corresponding +value in a null-terminated string for a specific cipher or \*(L"(\s-1NONE\s0)\*(R" +if the cipher is not found. +.PP +\&\fISSL_CIPHER_get_bits()\fR returns a positive integer representing the number of +secret bits or 0 if an error occurred. +.PP +\&\fISSL_CIPHER_get_cipher_nid()\fR, \fISSL_CIPHER_get_digest_nid()\fR, +\&\fISSL_CIPHER_get_kx_nid()\fR and \fISSL_CIPHER_get_auth_nid()\fR return the \s-1NID\s0 value or +\&\fBNID_undef\fR if an error occurred. +.PP +\&\fISSL_CIPHER_get_handshake_digest()\fR returns a valid \fB\s-1EVP_MD\s0\fR structure or \s-1NULL\s0 +if an error occurred. +.PP +\&\fISSL_CIPHER_is_aead()\fR returns 1 if the cipher is \s-1AEAD\s0 or 0 otherwise. +.PP +\&\fISSL_CIPHER_find()\fR returns a valid \fB\s-1SSL_CIPHER\s0\fR structure or \s-1NULL\s0 if an error +occurred. +.PP +\&\fISSL_CIPHER_get_id()\fR returns a 4\-byte integer representing the OpenSSL-specific \s-1ID.\s0 +.PP +\&\fISSL_CIPHER_get_protocol_id()\fR returns a 2\-byte integer representing the \s-1TLS\s0 +protocol-specific \s-1ID.\s0 +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_CIPHER_get_version()\fR was updated to always return the correct protocol +string in OpenSSL 1.1.0. +.PP +\&\fISSL_CIPHER_description()\fR was changed to return \fB\s-1NULL\s0\fR on error, +rather than a fixed string, in OpenSSL 1.1.0. +.PP +\&\fISSL_CIPHER_get_handshake_digest()\fR was added in OpenSSL 1.1.1. +.PP +\&\fISSL_CIPHER_standard_name()\fR was globally available in OpenSSL 1.1.1. Before +OpenSSL 1.1.1, tracing (\fBenable-ssl-trace\fR argument to Configure) was +required to enable this function. +.PP +\&\fIOPENSSL_cipher_name()\fR was added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_get_current_cipher\fR\|(3), +\&\fISSL_get_ciphers\fR\|(3), \fIciphers\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 b/secure/lib/libcrypto/man/SSL_COMP_add_compression_method.3 similarity index 75% rename from secure/lib/libssl/man/SSL_COMP_add_compression_method.3 rename to secure/lib/libcrypto/man/SSL_COMP_add_compression_method.3 index 3d7126ae5e89..0b887ecf51de 100644 --- a/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 +++ b/secure/lib/libcrypto/man/SSL_COMP_add_compression_method.3 @@ -128,22 +128,31 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_COMP_add_compression_method 3" -.TH SSL_COMP_add_compression_method 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_COMP_ADD_COMPRESSION_METHOD 3" +.TH SSL_COMP_ADD_COMPRESSION_METHOD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_COMP_add_compression_method, SSL_COMP_free_compression_methods \- handle SSL/TLS integrated compression methods +SSL_COMP_add_compression_method, SSL_COMP_get_compression_methods, SSL_COMP_get0_name, SSL_COMP_get_id, SSL_COMP_free_compression_methods \&\- handle SSL/TLS integrated compression methods .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm); -\& -\& +void SSL_COMP_free_compression_methods(void); +\& STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void); +\& const char *SSL_COMP_get0_name(const SSL_COMP *comp); +\& int SSL_COMP_get_id(const SSL_COMP *comp); +.Ve +.PP +Deprecated: +.PP +.Vb 3 +\& #if OPENSSL_API_COMPAT < 0x10100000L +\& void SSL_COMP_free_compression_methods(void) +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -152,9 +161,15 @@ the identifier \fBid\fR to the list of available compression methods. This list is globally maintained for all \s-1SSL\s0 operations within this application. It cannot be set for specific \s-1SSL_CTX\s0 or \s-1SSL\s0 objects. .PP -\&\fISSL_COMP_free_compression_methods()\fR frees the internal table of -compression methods that were built internally, and possibly -augmented by adding \fISSL_COMP_add_compression_method()\fR. +\&\fISSL_COMP_get_compression_methods()\fR returns a stack of all of the available +compression methods or \s-1NULL\s0 on error. +.PP +\&\fISSL_COMP_get0_name()\fR returns the name of the compression method \fBcomp\fR. +.PP +\&\fISSL_COMP_get_id()\fR returns the id of the compression method \fBcomp\fR. +.PP +\&\fISSL_COMP_free_compression_methods()\fR releases any resources acquired to +maintain the internal table of compression methods. .SH "NOTES" .IX Header "NOTES" The \s-1TLS\s0 standard (or SSLv3) allows the integration of compression methods @@ -178,11 +193,6 @@ of compression methods supported on a per connection basis. .PP If enabled during compilation, the OpenSSL library will have the \&\fICOMP_zlib()\fR compression method available. -.SH "WARNINGS" -.IX Header "WARNINGS" -Once the identities of the compression methods for the \s-1TLS\s0 protocol have -been standardized, the compression \s-1API\s0 will most likely be changed. Using -it in the current state is not recommended. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_COMP_add_compression_method()\fR may return the following values: @@ -191,6 +201,26 @@ The operation succeeded. .IP "1" 4 .IX Item "1" The operation failed. Check the error queue to find out the reason. +.PP +\&\fISSL_COMP_get_compression_methods()\fR returns the stack of compressions methods or +\&\s-1NULL\s0 on error. +.PP +\&\fISSL_COMP_get0_name()\fR returns the name of the compression method or \s-1NULL\s0 on error. +.PP +\&\fISSL_COMP_get_id()\fR returns the name of the compression method or \-1 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_COMP_free_compression_methods()\fR was deprecated in OpenSSL 1.1.0; +do not use it. +\&\fISSL_COMP_get0_name()\fR and \fISSL_comp_get_id()\fR were added in OpenSSL 1.1.0d. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CONF_CTX_new.3 b/secure/lib/libcrypto/man/SSL_CONF_CTX_new.3 similarity index 90% rename from secure/lib/libssl/man/SSL_CONF_CTX_new.3 rename to secure/lib/libcrypto/man/SSL_CONF_CTX_new.3 index 946df6798f40..2b4699141b5d 100644 --- a/secure/lib/libssl/man/SSL_CONF_CTX_new.3 +++ b/secure/lib/libcrypto/man/SSL_CONF_CTX_new.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CONF_CTX_new 3" -.TH SSL_CONF_CTX_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CONF_CTX_NEW 3" +.TH SSL_CONF_CTX_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -150,6 +150,7 @@ The function \fISSL_CONF_CTX_new()\fR allocates and initialises an \fB\s-1SSL_CO structure for use with the \s-1SSL_CONF\s0 functions. .PP The function \fISSL_CONF_CTX_free()\fR frees up the context \fBcctx\fR. +If \fBcctx\fR is \s-1NULL\s0 nothing is done. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_CONF_CTX_new()\fR returns either the newly allocated \fB\s-1SSL_CONF_CTX\s0\fR structure @@ -166,3 +167,11 @@ or \fB\s-1NULL\s0\fR if an error occurs. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.2 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3 b/secure/lib/libcrypto/man/SSL_CONF_CTX_set1_prefix.3 similarity index 91% rename from secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3 rename to secure/lib/libcrypto/man/SSL_CONF_CTX_set1_prefix.3 index 0e4ee71660f5..11e63ea14e7a 100644 --- a/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3 +++ b/secure/lib/libcrypto/man/SSL_CONF_CTX_set1_prefix.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CONF_CTX_set1_prefix 3" -.TH SSL_CONF_CTX_set1_prefix 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CONF_CTX_SET1_PREFIX 3" +.TH SSL_CONF_CTX_SET1_PREFIX 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -149,10 +149,10 @@ The function \fISSL_CONF_CTX_set1_prefix()\fR sets the command prefix of \fBcctx to \fBprefix\fR. If \fBprefix\fR is \fB\s-1NULL\s0\fR it is restored to the default value. .SH "NOTES" .IX Header "NOTES" -Command prefixes alter the commands recognised by subsequent \fISSL_CTX_cmd()\fR +Command prefixes alter the commands recognised by subsequent \fISSL_CONF_cmd()\fR calls. For example for files, if the prefix \*(L"\s-1SSL\*(R"\s0 is set then command names such as \*(L"SSLProtocol\*(R", \*(L"SSLOptions\*(R" etc. are recognised instead of \*(L"Protocol\*(R" -and \*(L"Options\*(R". Similarly for command lines if the prefix is \*(L"\-\-ssl\-\*(R" then +and \*(L"Options\*(R". Similarly for command lines if the prefix is \*(L"\-\-ssl\-\*(R" then \&\*(L"\-\-ssl\-no_tls1_2\*(R" is recognised instead of \*(L"\-no_tls1_2\*(R". .PP If the \fB\s-1SSL_CONF_FLAG_CMDLINE\s0\fR flag is set then prefix checks are case @@ -174,3 +174,11 @@ insensitive and no prefix is the default. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.2 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3 b/secure/lib/libcrypto/man/SSL_CONF_CTX_set_flags.3 similarity index 87% rename from secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3 rename to secure/lib/libcrypto/man/SSL_CONF_CTX_set_flags.3 index 8ced6e9c2ea2..2cdf6f4c54a5 100644 --- a/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3 +++ b/secure/lib/libcrypto/man/SSL_CONF_CTX_set_flags.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CONF_CTX_set_flags 3" -.TH SSL_CONF_CTX_set_flags 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CONF_CTX_SET_FLAGS 3" +.TH SSL_CONF_CTX_SET_FLAGS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CONF_CTX_set_flags, SSL_CONF_CTX_clear_flags \- Set of clear SSL configuration context flags +SSL_CONF_CTX_set_flags, SSL_CONF_CTX_clear_flags \- Set or clear SSL configuration context flags .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -166,6 +166,12 @@ both of these flags must be set. .IP "\s-1SSL_CONF_FLAG_CERTIFICATE\s0" 4 .IX Item "SSL_CONF_FLAG_CERTIFICATE" recognise certificate and private key options. +.IP "\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0" 4 +.IX Item "SSL_CONF_FLAG_REQUIRE_PRIVATE" +If this option is set then if a private key is not specified for a certificate +it will attempt to load a private key from the certificate file when +\&\fISSL_CONF_CTX_finish()\fR is called. If a key cannot be loaded from the certificate +file an error occurs. .IP "\s-1SSL_CONF_FLAG_SHOW_ERRORS\s0" 4 .IX Item "SSL_CONF_FLAG_SHOW_ERRORS" indicate errors relating to unrecognised options or missing arguments in @@ -185,3 +191,11 @@ value after setting or clearing flags. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.2 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3 b/secure/lib/libcrypto/man/SSL_CONF_CTX_set_ssl_ctx.3 similarity index 91% rename from secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3 rename to secure/lib/libcrypto/man/SSL_CONF_CTX_set_ssl_ctx.3 index 0724893149e4..6aa4cc6c4de2 100644 --- a/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3 +++ b/secure/lib/libcrypto/man/SSL_CONF_CTX_set_ssl_ctx.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CONF_CTX_set_ssl_ctx 3" -.TH SSL_CONF_CTX_set_ssl_ctx 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CONF_CTX_SET_SSL_CTX 3" +.TH SSL_CONF_CTX_SET_SSL_CTX 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -172,3 +172,11 @@ syntax checking of commands is performed, where possible. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.2 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CONF_cmd.3 b/secure/lib/libcrypto/man/SSL_CONF_cmd.3 new file mode 100644 index 000000000000..13cfaf4df528 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CONF_cmd.3 @@ -0,0 +1,774 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CONF_CMD 3" +.TH SSL_CONF_CMD 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CONF_cmd_value_type, SSL_CONF_cmd \- send configuration command +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); +\& int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The function \fISSL_CONF_cmd()\fR performs configuration operation \fBcmd\fR with +optional parameter \fBvalue\fR on \fBctx\fR. Its purpose is to simplify application +configuration of \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structures by providing a common +framework for command line options or configuration files. +.PP +\&\fISSL_CONF_cmd_value_type()\fR returns the type of value that \fBcmd\fR refers to. +.SH "SUPPORTED COMMAND LINE COMMANDS" +.IX Header "SUPPORTED COMMAND LINE COMMANDS" +Currently supported \fBcmd\fR names for command lines (i.e. when the +flag \fB\s-1SSL_CONF_CMDLINE\s0\fR is set) are listed below. Note: all \fBcmd\fR names +are case sensitive. Unless otherwise stated commands can be used by +both clients and servers and the \fBvalue\fR parameter is not used. The default +prefix for command line commands is \fB\-\fR and that is reflected below. +.IP "\fB\-sigalgs\fR" 4 +.IX Item "-sigalgs" +This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. +For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. +.Sp +The \fBvalue\fR argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form \fBalgorithm+hash\fR or +\&\fBsignature_scheme\fR. \fBalgorithm\fR +is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and \fBhash\fR is a supported algorithm +\&\s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR, \fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR of \fB\s-1SHA512\s0\fR. +Note: algorithm and hash names are case sensitive. +\&\fBsignature_scheme\fR is one of the signature schemes defined in TLSv1.3, +specified using the \s-1IETF\s0 name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR, +or \fBrsa_pss_pss_sha256\fR. +.Sp +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. +.Sp +Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by +using \fB\s-1RSA\s0\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR +identifiers) are ignored in TLSv1.3 and will not be negotiated. +.IP "\fB\-client_sigalgs\fR" 4 +.IX Item "-client_sigalgs" +This sets the supported signature algorithms associated with client +authentication for TLSv1.2 and TLSv1.3. +For servers the value is used in the +\&\fBsignature_algorithms\fR field of a \fBCertificateRequest\fR message. +For clients it is +used to determine which signature algorithm to use with the client certificate. +If a server does not request a certificate this option has no effect. +.Sp +The syntax of \fBvalue\fR is identical to \fB\-sigalgs\fR. If not set then +the value set for \fB\-sigalgs\fR will be used instead. +.IP "\fB\-groups\fR" 4 +.IX Item "-groups" +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for +signatures (in TLSv1.2 and earlier) and key exchange. The first group listed +will also be used for the \fBkey_share\fR sent by a client in a TLSv1.3 +\&\fBClientHello\fR. +.Sp +The \fBvalue\fR argument is a colon separated list of groups. The group can be +either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR), some other commonly used name where +applicable (e.g. \fBX25519\fR) or an OpenSSL \s-1OID\s0 name (e.g \fBprime256v1\fR). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. +.IP "\fB\-curves\fR" 4 +.IX Item "-curves" +This is a synonym for the \*(L"\-groups\*(R" command. +.IP "\fB\-named_curve\fR" 4 +.IX Item "-named_curve" +This sets the temporary curve used for ephemeral \s-1ECDH\s0 modes. Only used by +servers +.Sp +The \fBvalue\fR argument is a curve name or the special value \fBauto\fR which +picks an appropriate curve based on client and server preferences. The curve +can be either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR) or an OpenSSL \s-1OID\s0 name +(e.g \fBprime256v1\fR). Curve names are case sensitive. +.IP "\fB\-cipher\fR" 4 +.IX Item "-cipher" +Sets the TLSv1.2 and below ciphersuite list to \fBvalue\fR. This list will be +combined with any configured TLSv1.3 ciphersuites. Note: syntax checking +of \fBvalue\fR is currently not performed unless a \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR structure is +associated with \fBcctx\fR. +.IP "\fB\-ciphersuites\fR" 4 +.IX Item "-ciphersuites" +Sets the available ciphersuites for TLSv1.3 to value. This is a simple colon +(\*(L":\*(R") separated list of TLSv1.3 ciphersuite names in order of preference. This +list will be combined any configured TLSv1.2 and below ciphersuites. +See \fIciphers\fR\|(1) for more information. +.IP "\fB\-cert\fR" 4 +.IX Item "-cert" +Attempts to use the file \fBvalue\fR as the certificate for the appropriate +context. It currently uses \fISSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR +structure is set or \fISSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an \fB\s-1SSL\s0\fR +structure is set. This option is only supported if certificate operations +are permitted. +.IP "\fB\-key\fR" 4 +.IX Item "-key" +Attempts to use the file \fBvalue\fR as the private key for the appropriate +context. This option is only supported if certificate operations +are permitted. Note: if no \fB\-key\fR option is set then a private key is +not loaded unless the flag \fB\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0\fR is set. +.IP "\fB\-dhparam\fR" 4 +.IX Item "-dhparam" +Attempts to use the file \fBvalue\fR as the set of temporary \s-1DH\s0 parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. +.IP "\fB\-record_padding\fR" 4 +.IX Item "-record_padding" +Attempts to pad TLSv1.3 records so that they are a multiple of \fBvalue\fR in +length on send. A \fBvalue\fR of 0 or 1 turns off padding. Otherwise, the +\&\fBvalue\fR must be >1 or <=16384. +.IP "\fB\-no_renegotiation\fR" 4 +.IX Item "-no_renegotiation" +Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting +\&\fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR. +.IP "\fB\-min_protocol\fR, \fB\-max_protocol\fR" 4 +.IX Item "-min_protocol, -max_protocol" +Sets the minimum and maximum supported protocol. +Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, +\&\fBTLSv1.1\fR, \fBTLSv1.2\fR, \fBTLSv1.3\fR for \s-1TLS\s0 and \fBDTLSv1\fR, \fBDTLSv1.2\fR for \s-1DTLS,\s0 +and \fBNone\fR for no limit. +If either bound is not specified then only the other bound applies, +if specified. +To restrict the supported protocol versions use these commands rather +than the deprecated alternative commands below. +.IP "\fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4 +.IX Item "-no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3" +Disables protocol support for SSLv3, TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 by +setting the corresponding options \fBSSL_OP_NO_SSLv3\fR, \fBSSL_OP_NO_TLSv1\fR, +\&\fBSSL_OP_NO_TLSv1_1\fR, \fBSSL_OP_NO_TLSv1_2\fR and \fBSSL_OP_NO_TLSv1_3\fR +respectively. These options are deprecated, instead use \fB\-min_protocol\fR and +\&\fB\-max_protocol\fR. +.IP "\fB\-bugs\fR" 4 +.IX Item "-bugs" +Various bug workarounds are set, same as setting \fB\s-1SSL_OP_ALL\s0\fR. +.IP "\fB\-comp\fR" 4 +.IX Item "-comp" +Enables support for \s-1SSL/TLS\s0 compression, same as clearing +\&\fB\s-1SSL_OP_NO_COMPRESSION\s0\fR. +This command was introduced in OpenSSL 1.1.0. +As of OpenSSL 1.1.0, compression is off by default. +.IP "\fB\-no_comp\fR" 4 +.IX Item "-no_comp" +Disables support for \s-1SSL/TLS\s0 compression, same as setting +\&\fB\s-1SSL_OP_NO_COMPRESSION\s0\fR. +As of OpenSSL 1.1.0, compression is off by default. +.IP "\fB\-no_ticket\fR" 4 +.IX Item "-no_ticket" +Disables support for session tickets, same as setting \fB\s-1SSL_OP_NO_TICKET\s0\fR. +.IP "\fB\-serverpref\fR" 4 +.IX Item "-serverpref" +Use server and not client preference order when determining which cipher suite, +signature algorithm or elliptic curve to use for an incoming connection. +Equivalent to \fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers. +.IP "\fB\-prioritize_chacha\fR" 4 +.IX Item "-prioritize_chacha" +Prioritize ChaCha ciphers when the client has a ChaCha20 cipher at the top of +its preference list. This usually indicates a client without \s-1AES\s0 hardware +acceleration (e.g. mobile) is in use. Equivalent to \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR. +Only used by servers. Requires \fB\-serverpref\fR. +.IP "\fB\-no_resumption_on_reneg\fR" 4 +.IX Item "-no_resumption_on_reneg" +set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag. Only used by servers. +.IP "\fB\-legacyrenegotiation\fR" 4 +.IX Item "-legacyrenegotiation" +permits the use of unsafe legacy renegotiation. Equivalent to setting +\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR. +.IP "\fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR" 4 +.IX Item "-legacy_server_connect, -no_legacy_server_connect" +permits or prohibits the use of unsafe legacy renegotiation for OpenSSL +clients only. Equivalent to setting or clearing \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR. +Set by default. +.IP "\fB\-allow_no_dhe_kex\fR" 4 +.IX Item "-allow_no_dhe_kex" +In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on resumption. This means +that there will be no forward secrecy for the resumed session. +.IP "\fB\-strict\fR" 4 +.IX Item "-strict" +enables strict mode protocol handling. Equivalent to setting +\&\fB\s-1SSL_CERT_FLAG_TLS_STRICT\s0\fR. +.IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4 +.IX Item "-anti_replay, -no_anti_replay" +Switches replay protection, on or off respectively. With replay protection on, +OpenSSL will automatically detect if a session ticket has been used more than +once, TLSv1.3 has been negotiated, and early data is enabled on the server. A +full handshake is forced if a session ticket is used a second or subsequent +time. Anti-Replay is on by default unless overridden by a configuration file and +is only used by servers. Anti-replay measures are required for compliance with +the TLSv1.3 specification. Some applications may be able to mitigate the replay +risks in other ways and in such cases the built-in OpenSSL functionality is not +required. Switching off anti-replay is equivalent to \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR. +.SH "SUPPORTED CONFIGURATION FILE COMMANDS" +.IX Header "SUPPORTED CONFIGURATION FILE COMMANDS" +Currently supported \fBcmd\fR names for configuration files (i.e. when the +flag \fB\s-1SSL_CONF_FLAG_FILE\s0\fR is set) are listed below. All configuration file +\&\fBcmd\fR names are case insensitive so \fBsignaturealgorithms\fR is recognised +as well as \fBSignatureAlgorithms\fR. Unless otherwise stated the \fBvalue\fR names +are also case insensitive. +.PP +Note: the command prefix (if set) alters the recognised \fBcmd\fR values. +.IP "\fBCipherString\fR" 4 +.IX Item "CipherString" +Sets the ciphersuite list for TLSv1.2 and below to \fBvalue\fR. This list will be +combined with any configured TLSv1.3 ciphersuites. Note: syntax +checking of \fBvalue\fR is currently not performed unless an \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR +structure is associated with \fBcctx\fR. +.IP "\fBCiphersuites\fR" 4 +.IX Item "Ciphersuites" +Sets the available ciphersuites for TLSv1.3 to \fBvalue\fR. This is a simple colon +(\*(L":\*(R") separated list of TLSv1.3 ciphersuite names in order of preference. This +list will be combined any configured TLSv1.2 and below ciphersuites. +See \fIciphers\fR\|(1) for more information. +.IP "\fBCertificate\fR" 4 +.IX Item "Certificate" +Attempts to use the file \fBvalue\fR as the certificate for the appropriate +context. It currently uses \fISSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR +structure is set or \fISSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an \fB\s-1SSL\s0\fR +structure is set. This option is only supported if certificate operations +are permitted. +.IP "\fBPrivateKey\fR" 4 +.IX Item "PrivateKey" +Attempts to use the file \fBvalue\fR as the private key for the appropriate +context. This option is only supported if certificate operations +are permitted. Note: if no \fBPrivateKey\fR option is set then a private key is +not loaded unless the \fB\s-1SSL_CONF_FLAG_REQUIRE_PRIVATE\s0\fR is set. +.IP "\fBChainCAFile\fR, \fBChainCAPath\fR, \fBVerifyCAFile\fR, \fBVerifyCAPath\fR" 4 +.IX Item "ChainCAFile, ChainCAPath, VerifyCAFile, VerifyCAPath" +These options indicate a file or directory used for building certificate +chains or verifying certificate chains. These options are only supported +if certificate operations are permitted. +.IP "\fBRequestCAFile\fR" 4 +.IX Item "RequestCAFile" +This option indicates a file containing a set of certificates in \s-1PEM\s0 form. +The subject names of the certificates are sent to the peer in the +\&\fBcertificate_authorities\fR extension for \s-1TLS 1.3\s0 (in ClientHello or +CertificateRequest) or in a certificate request for previous versions or +\&\s-1TLS.\s0 +.IP "\fBServerInfoFile\fR" 4 +.IX Item "ServerInfoFile" +Attempts to use the file \fBvalue\fR in the \*(L"serverinfo\*(R" extension using the +function SSL_CTX_use_serverinfo_file. +.IP "\fBDHParameters\fR" 4 +.IX Item "DHParameters" +Attempts to use the file \fBvalue\fR as the set of temporary \s-1DH\s0 parameters for +the appropriate context. This option is only supported if certificate +operations are permitted. +.IP "\fBRecordPadding\fR" 4 +.IX Item "RecordPadding" +Attempts to pad TLSv1.3 records so that they are a multiple of \fBvalue\fR in +length on send. A \fBvalue\fR of 0 or 1 turns off padding. Otherwise, the +\&\fBvalue\fR must be >1 or <=16384. +.IP "\fBNoRenegotiation\fR" 4 +.IX Item "NoRenegotiation" +Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting +\&\fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR. +.IP "\fBSignatureAlgorithms\fR" 4 +.IX Item "SignatureAlgorithms" +This sets the supported signature algorithms for TLSv1.2 and TLSv1.3. +For clients this +value is used directly for the supported signature algorithms extension. For +servers it is used to determine which signature algorithms to support. +.Sp +The \fBvalue\fR argument should be a colon separated list of signature algorithms +in order of decreasing preference of the form \fBalgorithm+hash\fR or +\&\fBsignature_scheme\fR. \fBalgorithm\fR +is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and \fBhash\fR is a supported algorithm +\&\s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR, \fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR of \fB\s-1SHA512\s0\fR. +Note: algorithm and hash names are case sensitive. +\&\fBsignature_scheme\fR is one of the signature schemes defined in TLSv1.3, +specified using the \s-1IETF\s0 name, e.g., \fBecdsa_secp256r1_sha256\fR, \fBed25519\fR, +or \fBrsa_pss_pss_sha256\fR. +.Sp +If this option is not set then all signature algorithms supported by the +OpenSSL library are permissible. +.Sp +Note: algorithms which specify a PKCS#1 v1.5 signature scheme (either by +using \fB\s-1RSA\s0\fR as the \fBalgorithm\fR or by using one of the \fBrsa_pkcs1_*\fR +identifiers) are ignored in TLSv1.3 and will not be negotiated. +.IP "\fBClientSignatureAlgorithms\fR" 4 +.IX Item "ClientSignatureAlgorithms" +This sets the supported signature algorithms associated with client +authentication for TLSv1.2 and TLSv1.3. +For servers the value is used in the +\&\fBsignature_algorithms\fR field of a \fBCertificateRequest\fR message. +For clients it is +used to determine which signature algorithm to use with the client certificate. +If a server does not request a certificate this option has no effect. +.Sp +The syntax of \fBvalue\fR is identical to \fBSignatureAlgorithms\fR. If not set then +the value set for \fBSignatureAlgorithms\fR will be used instead. +.IP "\fBGroups\fR" 4 +.IX Item "Groups" +This sets the supported groups. For clients, the groups are +sent using the supported groups extension. For servers, it is used +to determine which group to use. This setting affects groups used for +signatures (in TLSv1.2 and earlier) and key exchange. The first group listed +will also be used for the \fBkey_share\fR sent by a client in a TLSv1.3 +\&\fBClientHello\fR. +.Sp +The \fBvalue\fR argument is a colon separated list of groups. The group can be +either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR), some other commonly used name where +applicable (e.g. \fBX25519\fR) or an OpenSSL \s-1OID\s0 name (e.g \fBprime256v1\fR). Group +names are case sensitive. The list should be in order of preference with the +most preferred group first. +.IP "\fBCurves\fR" 4 +.IX Item "Curves" +This is a synonym for the \*(L"Groups\*(R" command. +.IP "\fBMinProtocol\fR" 4 +.IX Item "MinProtocol" +This sets the minimum supported \s-1SSL, TLS\s0 or \s-1DTLS\s0 version. +.Sp +Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, +\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. +The value \fBNone\fR will disable the limit. +.IP "\fBMaxProtocol\fR" 4 +.IX Item "MaxProtocol" +This sets the maximum supported \s-1SSL, TLS\s0 or \s-1DTLS\s0 version. +.Sp +Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, +\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. +The value \fBNone\fR will disable the limit. +.IP "\fBProtocol\fR" 4 +.IX Item "Protocol" +This can be used to enable or disable certain versions of the \s-1SSL, +TLS\s0 or \s-1DTLS\s0 protocol. +.Sp +The \fBvalue\fR argument is a comma separated list of supported protocols +to enable or disable. +If a protocol is preceded by \fB\-\fR that version is disabled. +.Sp +All protocol versions are enabled by default. +You need to disable at least one protocol version for this setting have any +effect. +Only enabling some protocol versions does not disable the other protocol +versions. +.Sp +Currently supported protocol values are \fBSSLv3\fR, \fBTLSv1\fR, \fBTLSv1.1\fR, +\&\fBTLSv1.2\fR, \fBTLSv1.3\fR, \fBDTLSv1\fR and \fBDTLSv1.2\fR. +The special value \fB\s-1ALL\s0\fR refers to all supported versions. +.Sp +This can't enable protocols that are disabled using \fBMinProtocol\fR +or \fBMaxProtocol\fR, but can disable protocols that are still allowed +by them. +.Sp +The \fBProtocol\fR command is fragile and deprecated; do not use it. +Use \fBMinProtocol\fR and \fBMaxProtocol\fR instead. +If you do use \fBProtocol\fR, make sure that the resulting range of enabled +protocols has no \*(L"holes\*(R", e.g. if \s-1TLS 1.0\s0 and \s-1TLS 1.2\s0 are both enabled, make +sure to also leave \s-1TLS 1.1\s0 enabled. +.IP "\fBOptions\fR" 4 +.IX Item "Options" +The \fBvalue\fR argument is a comma separated list of various flags to set. +If a flag string is preceded \fB\-\fR it is disabled. +See the \fISSL_CTX_set_options\fR\|(3) function for more details of +individual options. +.Sp +Each option is listed below. Where an operation is enabled by default +the \fB\-flag\fR syntax is needed to disable it. +.Sp +\&\fBSessionTicket\fR: session ticket support, enabled by default. Inverse of +\&\fB\s-1SSL_OP_NO_TICKET\s0\fR: that is \fB\-SessionTicket\fR is the same as setting +\&\fB\s-1SSL_OP_NO_TICKET\s0\fR. +.Sp +\&\fBCompression\fR: \s-1SSL/TLS\s0 compression support, enabled by default. Inverse +of \fB\s-1SSL_OP_NO_COMPRESSION\s0\fR. +.Sp +\&\fBEmptyFragments\fR: use empty fragments as a countermeasure against a +\&\s-1SSL 3.0/TLS 1.0\s0 protocol vulnerability affecting \s-1CBC\s0 ciphers. It +is set by default. Inverse of \fB\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0\fR. +.Sp +\&\fBBugs\fR: enable various bug workarounds. Same as \fB\s-1SSL_OP_ALL\s0\fR. +.Sp +\&\fBDHSingle\fR: enable single use \s-1DH\s0 keys, set by default. Inverse of +\&\fB\s-1SSL_OP_DH_SINGLE\s0\fR. Only used by servers. +.Sp +\&\fBECDHSingle\fR: enable single use \s-1ECDH\s0 keys, set by default. Inverse of +\&\fB\s-1SSL_OP_ECDH_SINGLE\s0\fR. Only used by servers. +.Sp +\&\fBServerPreference\fR: use server and not client preference order when +determining which cipher suite, signature algorithm or elliptic curve +to use for an incoming connection. Equivalent to +\&\fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers. +.Sp +\&\fBPrioritizeChaCha\fR: prioritizes ChaCha ciphers when the client has a +ChaCha20 cipher at the top of its preference list. This usually indicates +a mobile client is in use. Equivalent to \fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR. +Only used by servers. +.Sp +\&\fBNoResumptionOnRenegotiation\fR: set +\&\fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR flag. Only used by servers. +.Sp +\&\fBUnsafeLegacyRenegotiation\fR: permits the use of unsafe legacy renegotiation. +Equivalent to \fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR. +.Sp +\&\fBUnsafeLegacyServerConnect\fR: permits the use of unsafe legacy renegotiation +for OpenSSL clients only. Equivalent to \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR. +Set by default. +.Sp +\&\fBEncryptThenMac\fR: use encrypt-then-mac extension, enabled by +default. Inverse of \fB\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0\fR: that is, +\&\fB\-EncryptThenMac\fR is the same as setting \fB\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0\fR. +.Sp +\&\fBAllowNoDHEKEX\fR: In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on +resumption. This means that there will be no forward secrecy for the resumed +session. Equivalent to \fB\s-1SSL_OP_ALLOW_NO_DHE_KEX\s0\fR. +.Sp +\&\fBMiddleboxCompat\fR: If set then dummy Change Cipher Spec (\s-1CCS\s0) messages are sent +in TLSv1.3. This has the effect of making TLSv1.3 look more like TLSv1.2 so that +middleboxes that do not understand TLSv1.3 will not drop the connection. This +option is set by default. A future version of OpenSSL may not set this by +default. Equivalent to \fB\s-1SSL_OP_ENABLE_MIDDLEBOX_COMPAT\s0\fR. +.Sp +\&\fBAntiReplay\fR: If set then OpenSSL will automatically detect if a session ticket +has been used more than once, TLSv1.3 has been negotiated, and early data is +enabled on the server. A full handshake is forced if a session ticket is used a +second or subsequent time. This option is set by default and is only used by +servers. Anti-replay measures are required to comply with the TLSv1.3 +specification. Some applications may be able to mitigate the replay risks in +other ways and in such cases the built-in OpenSSL functionality is not required. +Disabling anti-replay is equivalent to setting \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR. +.IP "\fBVerifyMode\fR" 4 +.IX Item "VerifyMode" +The \fBvalue\fR argument is a comma separated list of flags to set. +.Sp +\&\fBPeer\fR enables peer verification: for clients only. +.Sp +\&\fBRequest\fR requests but does not require a certificate from the client. +Servers only. +.Sp +\&\fBRequire\fR requests and requires a certificate from the client: an error +occurs if the client does not present a certificate. Servers only. +.Sp +\&\fBOnce\fR requests a certificate from a client only on the initial connection: +not when renegotiating. Servers only. +.Sp +\&\fBRequestPostHandshake\fR configures the connection to support requests but does +not require a certificate from the client post-handshake. A certificate will +not be requested during the initial handshake. The server application must +provide a mechanism to request a certificate post-handshake. Servers only. +TLSv1.3 only. +.Sp +\&\fBRequiresPostHandshake\fR configures the connection to support requests and +requires a certificate from the client post-handshake: an error occurs if the +client does not present a certificate. A certificate will not be requested +during the initial handshake. The server application must provide a mechanism +to request a certificate post-handshake. Servers only. TLSv1.3 only. +.IP "\fBClientCAFile\fR, \fBClientCAPath\fR" 4 +.IX Item "ClientCAFile, ClientCAPath" +A file or directory of certificates in \s-1PEM\s0 format whose names are used as the +set of acceptable names for client CAs. Servers only. This option is only +supported if certificate operations are permitted. +.SH "SUPPORTED COMMAND TYPES" +.IX Header "SUPPORTED COMMAND TYPES" +The function \fISSL_CONF_cmd_value_type()\fR currently returns one of the following +types: +.IP "\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR" 4 +.IX Item "SSL_CONF_TYPE_UNKNOWN" +The \fBcmd\fR string is unrecognised, this return value can be use to flag +syntax errors. +.IP "\fB\s-1SSL_CONF_TYPE_STRING\s0\fR" 4 +.IX Item "SSL_CONF_TYPE_STRING" +The value is a string without any specific structure. +.IP "\fB\s-1SSL_CONF_TYPE_FILE\s0\fR" 4 +.IX Item "SSL_CONF_TYPE_FILE" +The value is a file name. +.IP "\fB\s-1SSL_CONF_TYPE_DIR\s0\fR" 4 +.IX Item "SSL_CONF_TYPE_DIR" +The value is a directory name. +.IP "\fB\s-1SSL_CONF_TYPE_NONE\s0\fR" 4 +.IX Item "SSL_CONF_TYPE_NONE" +The value string is not used e.g. a command line option which doesn't take an +argument. +.SH "NOTES" +.IX Header "NOTES" +The order of operations is significant. This can be used to set either defaults +or values which cannot be overridden. For example if an application calls: +.PP +.Vb 2 +\& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3"); +\& SSL_CONF_cmd(ctx, userparam, uservalue); +.Ve +.PP +it will disable SSLv3 support by default but the user can override it. If +however the call sequence is: +.PP +.Vb 2 +\& SSL_CONF_cmd(ctx, userparam, uservalue); +\& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3"); +.Ve +.PP +SSLv3 is \fBalways\fR disabled and attempt to override this by the user are +ignored. +.PP +By checking the return code of \fISSL_CONF_cmd()\fR it is possible to query if a +given \fBcmd\fR is recognised, this is useful if \fISSL_CONF_cmd()\fR values are +mixed with additional application specific operations. +.PP +For example an application might call \fISSL_CONF_cmd()\fR and if it returns +\&\-2 (unrecognised command) continue with processing of application specific +commands. +.PP +Applications can also use \fISSL_CONF_cmd()\fR to process command lines though the +utility function \fISSL_CONF_cmd_argv()\fR is normally used instead. One way +to do this is to set the prefix to an appropriate value using +\&\fISSL_CONF_CTX_set1_prefix()\fR, pass the current argument to \fBcmd\fR and the +following argument to \fBvalue\fR (which may be \s-1NULL\s0). +.PP +In this case if the return value is positive then it is used to skip that +number of arguments as they have been processed by \fISSL_CONF_cmd()\fR. If \-2 is +returned then \fBcmd\fR is not recognised and application specific arguments +can be checked instead. If \-3 is returned a required argument is missing +and an error is indicated. If 0 is returned some other error occurred and +this can be reported back to the user. +.PP +The function \fISSL_CONF_cmd_value_type()\fR can be used by applications to +check for the existence of a command or to perform additional syntax +checking or translation of the command value. For example if the return +value is \fB\s-1SSL_CONF_TYPE_FILE\s0\fR an application could translate a relative +pathname to an absolute pathname. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Set supported signature algorithms: +.PP +.Vb 1 +\& SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); +.Ve +.PP +There are various ways to select the supported protocols. +.PP +This set the minimum protocol version to TLSv1, and so disables SSLv3. +This is the recommended way to disable protocols. +.PP +.Vb 1 +\& SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1"); +.Ve +.PP +The following also disables SSLv3: +.PP +.Vb 1 +\& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3"); +.Ve +.PP +The following will first enable all protocols, and then disable +SSLv3. +If no protocol versions were disabled before this has the same effect as +\&\*(L"\-SSLv3\*(R", but if some versions were disables this will re-enable them before +disabling SSLv3. +.PP +.Vb 1 +\& SSL_CONF_cmd(ctx, "Protocol", "ALL,\-SSLv3"); +.Ve +.PP +Only enable TLSv1.2: +.PP +.Vb 2 +\& SSL_CONF_cmd(ctx, "MinProtocol", "TLSv1.2"); +\& SSL_CONF_cmd(ctx, "MaxProtocol", "TLSv1.2"); +.Ve +.PP +This also only enables TLSv1.2: +.PP +.Vb 1 +\& SSL_CONF_cmd(ctx, "Protocol", "\-ALL,TLSv1.2"); +.Ve +.PP +Disable \s-1TLS\s0 session tickets: +.PP +.Vb 1 +\& SSL_CONF_cmd(ctx, "Options", "\-SessionTicket"); +.Ve +.PP +Enable compression: +.PP +.Vb 1 +\& SSL_CONF_cmd(ctx, "Options", "Compression"); +.Ve +.PP +Set supported curves to P\-256, P\-384: +.PP +.Vb 1 +\& SSL_CONF_cmd(ctx, "Curves", "P\-256:P\-384"); +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CONF_cmd()\fR returns 1 if the value of \fBcmd\fR is recognised and \fBvalue\fR is +\&\fB\s-1NOT\s0\fR used and 2 if both \fBcmd\fR and \fBvalue\fR are used. In other words it +returns the number of arguments processed. This is useful when processing +command lines. +.PP +A return value of \-2 means \fBcmd\fR is not recognised. +.PP +A return value of \-3 means \fBcmd\fR is recognised and the command requires a +value but \fBvalue\fR is \s-1NULL.\s0 +.PP +A return code of 0 indicates that both \fBcmd\fR and \fBvalue\fR are valid but an +error occurred attempting to perform the operation: for example due to an +error in the syntax of \fBvalue\fR in this case the error queue may provide +additional information. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_CONF_CTX_new\fR\|(3), +\&\fISSL_CONF_CTX_set_flags\fR\|(3), +\&\fISSL_CONF_CTX_set1_prefix\fR\|(3), +\&\fISSL_CONF_CTX_set_ssl_ctx\fR\|(3), +\&\fISSL_CONF_cmd_argv\fR\|(3), +\&\fISSL_CTX_set_options\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_CONF_cmd()\fR was first added to OpenSSL 1.0.2 +.PP +\&\fB\s-1SSL_OP_NO_SSL2\s0\fR doesn't have effect since 1.1.0, but the macro is retained +for backwards compatibility. +.PP +\&\fB\s-1SSL_CONF_TYPE_NONE\s0\fR was first added to OpenSSL 1.1.0. In earlier versions of +OpenSSL passing a command which didn't take an argument would return +\&\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR. +.PP +\&\fBMinProtocol\fR and \fBMaxProtocol\fR where added in OpenSSL 1.1.0. +.PP +\&\fBAllowNoDHEKEX\fR and \fBPrioritizeChaCha\fR were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2012\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CONF_cmd_argv.3 b/secure/lib/libcrypto/man/SSL_CONF_cmd_argv.3 similarity index 89% rename from secure/lib/libssl/man/SSL_CONF_cmd_argv.3 rename to secure/lib/libcrypto/man/SSL_CONF_cmd_argv.3 index 3d8441d99d49..2f7e743c6bc2 100644 --- a/secure/lib/libssl/man/SSL_CONF_cmd_argv.3 +++ b/secure/lib/libcrypto/man/SSL_CONF_cmd_argv.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CONF_cmd_argv 3" -.TH SSL_CONF_cmd_argv 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CONF_CMD_ARGV 3" +.TH SSL_CONF_CMD_ARGV 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CONF_cmd_argv \- SSL configuration command line processing. +SSL_CONF_cmd_argv \- SSL configuration command line processing .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -148,7 +148,7 @@ SSL_CONF_cmd_argv \- SSL configuration command line processing. The function \fISSL_CONF_cmd_argv()\fR processes at most two command line arguments from \fBpargv\fR and \fBpargc\fR. The values of \fBpargv\fR and \fBpargc\fR are updated to reflect the number of command options processed. The \fBpargc\fR -argument can be set to \fB\s-1NULL\s0\fR is it is not used. +argument can be set to \fB\s-1NULL\s0\fR if it is not used. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_CONF_cmd_argv()\fR returns the number of command arguments processed: 0, 1, 2 @@ -168,3 +168,11 @@ to an error: for example a syntax error in the argument. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.2 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2012\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/secure/lib/libcrypto/man/SSL_CTX_add1_chain_cert.3 similarity index 91% rename from secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3 rename to secure/lib/libcrypto/man/SSL_CTX_add1_chain_cert.3 index cdea1166e020..7fbcfcd53b59 100644 --- a/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_add1_chain_cert.3 @@ -128,20 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_add1_chain_cert 3" -.TH SSL_CTX_add1_chain_cert 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_ADD1_CHAIN_CERT 3" +.TH SSL_CTX_ADD1_CHAIN_CERT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set0_chain, SSL_CTX_set1_chain, SSL_CTX_add0_chain_cert, -SSL_CTX_add1_chain_cert, SSL_CTX_get0_chain_certs, SSL_CTX_clear_chain_certs, -SSL_set0_chain, SSL_set1_chain, SSL_add0_chain_cert, SSL_add1_chain_cert, -SSL_get0_chain_certs, SSL_clear_chain_certs, SSL_CTX_build_cert_chain, -SSL_build_cert_chain, SSL_CTX_select_current_cert, -SSL_select_current_cert, SSL_CTX_set_current_cert, SSL_set_current_cert \- extra -chain certificate processing +SSL_CTX_set0_chain, SSL_CTX_set1_chain, SSL_CTX_add0_chain_cert, SSL_CTX_add1_chain_cert, SSL_CTX_get0_chain_certs, SSL_CTX_clear_chain_certs, SSL_set0_chain, SSL_set1_chain, SSL_add0_chain_cert, SSL_add1_chain_cert, SSL_get0_chain_certs, SSL_clear_chain_certs, SSL_CTX_build_cert_chain, SSL_build_cert_chain, SSL_CTX_select_current_cert, SSL_select_current_cert, SSL_CTX_set_current_cert, SSL_set_current_cert \- extra chain certificate processing .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -219,7 +213,7 @@ used to iterate over all certificates in an \fB\s-1SSL_CTX\s0\fR structure. \&\fISSL_set_current_cert()\fR also supports the option \fB\s-1SSL_CERT_SET_SERVER\s0\fR. If \fBssl\fR is a server and has sent a certificate to a connected client this option sets that certificate to the current certificate and returns 1. -If the negotiated ciphersuite is anonymous (and thus no certificate will +If the negotiated cipher suite is anonymous (and thus no certificate will be sent) 2 is returned and the current certificate is unchanged. If \fBssl\fR is not a server or a certificate has not been sent 0 is returned and the current certificate is unchanged. @@ -260,7 +254,7 @@ using \fISSL_CTX_add_extra_chain_cert()\fR will be used. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_set_current_cert()\fR with \fB\s-1SSL_CERT_SET_SERVER\s0\fR return 1 for success, 2 if -no server certificate is used because the ciphersuites is anonymous and 0 +no server certificate is used because the cipher suites is anonymous and 0 for failure. .PP \&\fISSL_CTX_build_cert_chain()\fR and \fISSL_build_cert_chain()\fR return 1 for success @@ -274,3 +268,11 @@ All other functions return 1 for success and 0 for failure. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.2. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/secure/lib/libcrypto/man/SSL_CTX_add_extra_chain_cert.3 similarity index 92% rename from secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 rename to secure/lib/libcrypto/man/SSL_CTX_add_extra_chain_cert.3 index c2c27f69b85b..55f3385ed928 100644 --- a/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_add_extra_chain_cert.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_add_extra_chain_cert 3" -.TH SSL_CTX_add_extra_chain_cert 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_ADD_EXTRA_CHAIN_CERT 3" +.TH SSL_CTX_ADD_EXTRA_CHAIN_CERT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs \- add or clear -extra chain certificates +SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs \- add or clear extra chain certificates .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -182,7 +181,7 @@ be used instead. reason for failure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_use_certificate\fR\|(3), \&\fISSL_CTX_set_client_cert_cb\fR\|(3), \&\fISSL_CTX_load_verify_locations\fR\|(3) @@ -196,3 +195,11 @@ reason for failure. \&\fISSL_add1_chain_cert\fR\|(3) \&\fISSL_CTX_build_cert_chain\fR\|(3) \&\fISSL_build_cert_chain\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_add_session.3 b/secure/lib/libcrypto/man/SSL_CTX_add_session.3 similarity index 86% rename from secure/lib/libssl/man/SSL_CTX_add_session.3 rename to secure/lib/libcrypto/man/SSL_CTX_add_session.3 index 8458a65c858f..dc84e47bec6d 100644 --- a/secure/lib/libssl/man/SSL_CTX_add_session.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_add_session.3 @@ -128,24 +128,22 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_add_session 3" -.TH SSL_CTX_add_session 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_ADD_SESSION 3" +.TH SSL_CTX_ADD_SESSION 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_add_session, SSL_add_session, SSL_CTX_remove_session, SSL_remove_session \- manipulate session cache +SSL_CTX_add_session, SSL_CTX_remove_session \- manipulate session cache .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c); -\& int SSL_add_session(SSL_CTX *ctx, SSL_SESSION *c); \& \& int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c); -\& int SSL_remove_session(SSL_CTX *ctx, SSL_SESSION *c); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -154,11 +152,8 @@ reference count for session \fBc\fR is incremented by 1. If a session with the same session id already exists, the old session is removed by calling \&\fISSL_SESSION_free\fR\|(3). .PP -\&\fISSL_CTX_remove_session()\fR removes the session \fBc\fR from the context \fBctx\fR. -\&\fISSL_SESSION_free\fR\|(3) is called once for \fBc\fR. -.PP -\&\fISSL_add_session()\fR and \fISSL_remove_session()\fR are synonyms for their -SSL_CTX_*() counterparts. +\&\fISSL_CTX_remove_session()\fR removes the session \fBc\fR from the context \fBctx\fR and +marks it as non-resumable. \fISSL_SESSION_free\fR\|(3) is called once for \fBc\fR. .SH "NOTES" .IX Header "NOTES" When adding a new session to the internal session cache, it is examined @@ -180,18 +175,22 @@ over the sessions that can be resumed if desired. .IX Header "RETURN VALUES" The following values are returned by all functions: .IP "0" 4 -.Vb 3 -\& The operation failed. In case of the add operation, it was tried to add -\& the same (identical) session twice. In case of the remove operation, the -\& session was not found in the cache. -.Ve +The operation failed. In case of the add operation, it was tried to add +the same (identical) session twice. In case of the remove operation, the +session was not found in the cache. .IP "1" 4 .IX Item "1" -.Vb 1 -\& The operation succeeded. -.Ve +The operation succeeded. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_session_cache_mode\fR\|(3), \&\fISSL_SESSION_free\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_config.3 b/secure/lib/libcrypto/man/SSL_CTX_config.3 new file mode 100644 index 000000000000..a91b29fa7895 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_config.3 @@ -0,0 +1,220 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_CONFIG 3" +.TH SSL_CTX_CONFIG 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_config, SSL_config \- configure SSL_CTX or SSL structure +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_CTX_config(SSL_CTX *ctx, const char *name); +\& int SSL_config(SSL *s, const char *name); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The functions \fISSL_CTX_config()\fR and \fISSL_config()\fR configure an \fB\s-1SSL_CTX\s0\fR or +\&\fB\s-1SSL\s0\fR structure using the configuration \fBname\fR. +.SH "NOTES" +.IX Header "NOTES" +By calling \fISSL_CTX_config()\fR or \fISSL_config()\fR an application can perform many +complex tasks based on the contents of the configuration file: greatly +simplifying application configuration code. A degree of future proofing +can also be achieved: an application can support configuration features +in newer versions of OpenSSL automatically. +.PP +A configuration file must have been previously loaded, for example using +\&\fICONF_modules_load_file()\fR. See \fIconfig\fR\|(5) for details of the configuration +file syntax. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_config()\fR and \fISSL_config()\fR return 1 for success or 0 if an error +occurred. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +If the file \*(L"config.cnf\*(R" contains the following: +.PP +.Vb 1 +\& testapp = test_sect +\& +\& [test_sect] +\& # list of configuration modules +\& +\& ssl_conf = ssl_sect +\& +\& [ssl_sect] +\& server = server_section +\& +\& [server_section] +\& RSA.Certificate = server\-rsa.pem +\& ECDSA.Certificate = server\-ecdsa.pem +\& Ciphers = ALL:!RC4 +.Ve +.PP +An application could call: +.PP +.Vb 4 +\& if (CONF_modules_load_file("config.cnf", "testapp", 0) <= 0) { +\& fprintf(stderr, "Error processing config file\en"); +\& goto err; +\& } +\& +\& ctx = SSL_CTX_new(TLS_server_method()); +\& +\& if (SSL_CTX_config(ctx, "server") == 0) { +\& fprintf(stderr, "Error configuring server.\en"); +\& goto err; +\& } +.Ve +.PP +In this example two certificates and the cipher list are configured without +the need for any additional application code. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIconfig\fR\|(5), +\&\fISSL_CONF_cmd\fR\|(3), +\&\fICONF_modules_load_file\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_CTX_config()\fR and \fISSL_config()\fR were first added to OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_ctrl.3 b/secure/lib/libcrypto/man/SSL_CTX_ctrl.3 similarity index 91% rename from secure/lib/libssl/man/SSL_CTX_ctrl.3 rename to secure/lib/libcrypto/man/SSL_CTX_ctrl.3 index 90dc89fe19a9..7828110afdd5 100644 --- a/secure/lib/libssl/man/SSL_CTX_ctrl.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_ctrl.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_ctrl 3" -.TH SSL_CTX_ctrl 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_CTRL 3" +.TH SSL_CTX_CTRL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -160,4 +160,12 @@ The return values of the SSL*\fI_ctrl()\fR functions depend on the command supplied via the \fBcmd\fR parameter. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_dane_enable.3 b/secure/lib/libcrypto/man/SSL_CTX_dane_enable.3 new file mode 100644 index 000000000000..6d202193c53b --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_dane_enable.3 @@ -0,0 +1,504 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_DANE_ENABLE 3" +.TH SSL_CTX_DANE_ENABLE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_dane_enable, SSL_CTX_dane_mtype_set, SSL_dane_enable, SSL_dane_tlsa_add, SSL_get0_dane_authority, SSL_get0_dane_tlsa, SSL_CTX_dane_set_flags, SSL_CTX_dane_clear_flags, SSL_dane_set_flags, SSL_dane_clear_flags \&\- enable DANE TLS authentication of the remote TLS server in the local TLS client +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_CTX_dane_enable(SSL_CTX *ctx); +\& int SSL_CTX_dane_mtype_set(SSL_CTX *ctx, const EVP_MD *md, +\& uint8_t mtype, uint8_t ord); +\& int SSL_dane_enable(SSL *s, const char *basedomain); +\& int SSL_dane_tlsa_add(SSL *s, uint8_t usage, uint8_t selector, +\& uint8_t mtype, unsigned const char *data, size_t dlen); +\& int SSL_get0_dane_authority(SSL *s, X509 **mcert, EVP_PKEY **mspki); +\& int SSL_get0_dane_tlsa(SSL *s, uint8_t *usage, uint8_t *selector, +\& uint8_t *mtype, unsigned const char **data, +\& size_t *dlen); +\& unsigned long SSL_CTX_dane_set_flags(SSL_CTX *ctx, unsigned long flags); +\& unsigned long SSL_CTX_dane_clear_flags(SSL_CTX *ctx, unsigned long flags); +\& unsigned long SSL_dane_set_flags(SSL *ssl, unsigned long flags); +\& unsigned long SSL_dane_clear_flags(SSL *ssl, unsigned long flags); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions implement support for \s-1DANE TLSA\s0 (\s-1RFC6698\s0 and \s-1RFC7671\s0) +peer authentication. +.PP +\&\fISSL_CTX_dane_enable()\fR must be called first to initialize the shared state +required for \s-1DANE\s0 support. +Individual connections associated with the context can then enable +per-connection \s-1DANE\s0 support as appropriate. +\&\s-1DANE\s0 authentication is implemented in the \fIX509_verify_cert\fR\|(3) function, and +applications that override \fIX509_verify_cert\fR\|(3) via +\&\fISSL_CTX_set_cert_verify_callback\fR\|(3) are responsible to authenticate the peer +chain in whatever manner they see fit. +.PP +\&\fISSL_CTX_dane_mtype_set()\fR may then be called zero or more times to adjust the +supported digest algorithms. +This must be done before any \s-1SSL\s0 handles are created for the context. +.PP +The \fBmtype\fR argument specifies a \s-1DANE TLSA\s0 matching type and the \fBmd\fR +argument specifies the associated digest algorithm handle. +The \fBord\fR argument specifies a strength ordinal. +Algorithms with a larger strength ordinal are considered more secure. +Strength ordinals are used to implement \s-1RFC7671\s0 digest algorithm agility. +Specifying a \fB\s-1NULL\s0\fR digest algorithm for a matching type disables +support for that matching type. +Matching type \fIFull\fR\|(0) cannot be modified or disabled. +.PP +By default, matching type \f(CW\*(C`SHA2\-256(1)\*(C'\fR (see \s-1RFC7218\s0 for definitions +of the \s-1DANE TLSA\s0 parameter acronyms) is mapped to \f(CW\*(C`EVP_sha256()\*(C'\fR +with a strength ordinal of \f(CW1\fR and matching type \f(CW\*(C`SHA2\-512(2)\*(C'\fR +is mapped to \f(CW\*(C`EVP_sha512()\*(C'\fR with a strength ordinal of \f(CW2\fR. +.PP +\&\fISSL_dane_enable()\fR must be called before the \s-1SSL\s0 handshake is initiated with +\&\fISSL_connect\fR\|(3) if (and only if) you want to enable \s-1DANE\s0 for that connection. +(The connection must be associated with a DANE-enabled \s-1SSL\s0 context). +The \fBbasedomain\fR argument specifies the \s-1RFC7671 TLSA\s0 base domain, +which will be the primary peer reference identifier for certificate +name checks. +Additional server names can be specified via \fISSL_add1_host\fR\|(3). +The \fBbasedomain\fR is used as the default \s-1SNI\s0 hint if none has yet been +specified via \fISSL_set_tlsext_host_name\fR\|(3). +.PP +\&\fISSL_dane_tlsa_add()\fR may then be called one or more times, to load each of the +\&\s-1TLSA\s0 records that apply to the remote \s-1TLS\s0 peer. +(This too must be done prior to the beginning of the \s-1SSL\s0 handshake). +The arguments specify the fields of the \s-1TLSA\s0 record. +The \fBdata\fR field is provided in binary (wire \s-1RDATA\s0) form, not the hexadecimal +\&\s-1ASCII\s0 presentation form, with an explicit length passed via \fBdlen\fR. +The library takes a copy of the \fBdata\fR buffer contents and the caller may +free the original \fBdata\fR buffer when convenient. +A return value of 0 indicates that \*(L"unusable\*(R" \s-1TLSA\s0 records (with invalid or +unsupported parameters) were provided. +A negative return value indicates an internal error in processing the record. +.PP +The caller is expected to check the return value of each \fISSL_dane_tlsa_add()\fR +call and take appropriate action if none are usable or an internal error +is encountered in processing some records. +.PP +If no \s-1TLSA\s0 records are added successfully, \s-1DANE\s0 authentication is not enabled, +and authentication will be based on any configured traditional trust-anchors; +authentication success in this case does not mean that the peer was +DANE-authenticated. +.PP +\&\fISSL_get0_dane_authority()\fR can be used to get more detailed information about +the matched \s-1DANE\s0 trust-anchor after successful connection completion. +The return value is negative if \s-1DANE\s0 verification failed (or was not enabled), +0 if an \s-1EE TLSA\s0 record directly matched the leaf certificate, or a positive +number indicating the depth at which a \s-1TA\s0 record matched an issuer certificate. +The complete verified chain can be retrieved via \fISSL_get0_verified_chain\fR\|(3). +The return value is an index into this verified chain, rather than the list of +certificates sent by the peer as returned by \fISSL_get_peer_cert_chain\fR\|(3). +.PP +If the \fBmcert\fR argument is not \fB\s-1NULL\s0\fR and a \s-1TLSA\s0 record matched a chain +certificate, a pointer to the matching certificate is returned via \fBmcert\fR. +The returned address is a short-term internal reference to the certificate and +must not be freed by the application. +Applications that want to retain access to the certificate can call +\&\fIX509_up_ref\fR\|(3) to obtain a long-term reference which must then be freed via +\&\fIX509_free\fR\|(3) once no longer needed. +.PP +If no \s-1TLSA\s0 records directly matched any elements of the certificate chain, but +a \s-1\fIDANE\-TA\s0\fR\|(2) \s-1\fISPKI\s0\fR\|(1) \fIFull\fR\|(0) record provided the public key that signed an +element of the chain, then that key is returned via \fBmspki\fR argument (if not +\&\s-1NULL\s0). +In this case the return value is the depth of the top-most element of the +validated certificate chain. +As with \fBmcert\fR this is a short-term internal reference, and +\&\fIEVP_PKEY_up_ref\fR\|(3) and \fIEVP_PKEY_free\fR\|(3) can be used to acquire and +release long-term references respectively. +.PP +\&\fISSL_get0_dane_tlsa()\fR can be used to retrieve the fields of the \s-1TLSA\s0 record that +matched the peer certificate chain. +The return value indicates the match depth or failure to match just as with +\&\fISSL_get0_dane_authority()\fR. +When the return value is non-negative, the storage pointed to by the \fBusage\fR, +\&\fBselector\fR, \fBmtype\fR and \fBdata\fR parameters is updated to the corresponding +\&\s-1TLSA\s0 record fields. +The \fBdata\fR field is in binary wire form, and is therefore not NUL-terminated, +its length is returned via the \fBdlen\fR parameter. +If any of these parameters is \s-1NULL,\s0 the corresponding field is not returned. +The \fBdata\fR parameter is set to a short-term internal-copy of the associated +data field and must not be freed by the application. +Applications that need long-term access to this field need to copy the content. +.PP +\&\fISSL_CTX_dane_set_flags()\fR and \fISSL_dane_set_flags()\fR can be used to enable +optional \s-1DANE\s0 verification features. +\&\fISSL_CTX_dane_clear_flags()\fR and \fISSL_dane_clear_flags()\fR can be used to disable +the same features. +The \fBflags\fR argument is a bitmask of the features to enable or disable. +The \fBflags\fR set for an \fB\s-1SSL_CTX\s0\fR context are copied to each \fB\s-1SSL\s0\fR handle +associated with that context at the time the handle is created. +Subsequent changes in the context's \fBflags\fR have no effect on the \fBflags\fR set +for the handle. +.PP +At present, the only available option is \fB\s-1DANE_FLAG_NO_DANE_EE_NAMECHECKS\s0\fR +which can be used to disable server name checks when authenticating via +\&\s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records. +For some applications, primarily web browsers, it is not safe to disable name +checks due to \*(L"unknown key share\*(R" attacks, in which a malicious server can +convince a client that a connection to a victim server is instead a secure +connection to the malicious server. +The malicious server may then be able to violate cross-origin scripting +restrictions. +Thus, despite the text of \s-1RFC7671,\s0 name checks are by default enabled for +\&\s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records, and can be disabled in applications where it is safe +to do so. +In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-1SRV\s0 and \s-1MX\s0 +records already make it possible for a remote domain to redirect client +connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients +do not execute scripts downloaded from remote servers. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The functions \fISSL_CTX_dane_enable()\fR, \fISSL_CTX_dane_mtype_set()\fR, +\&\fISSL_dane_enable()\fR and \fISSL_dane_tlsa_add()\fR return a positive value on success. +Negative return values indicate resource problems (out of memory, etc.) in the +\&\s-1SSL\s0 library, while a return value of \fB0\fR indicates incorrect usage or invalid +input, such as an unsupported \s-1TLSA\s0 record certificate usage, selector or +matching type. +Invalid input also includes malformed data, either a digest length that does +not match the digest algorithm, or a \f(CWFull(0)\fR (binary \s-1ASN.1 DER\s0 form) +certificate or a public key that fails to parse. +.PP +The functions \fISSL_get0_dane_authority()\fR and \fISSL_get0_dane_tlsa()\fR return a +negative value when \s-1DANE\s0 authentication failed or was not enabled, a +non-negative value indicates the chain depth at which the \s-1TLSA\s0 record matched a +chain certificate, or the depth of the top-most certificate, when the \s-1TLSA\s0 +record is a full public key that is its signer. +.PP +The functions \fISSL_CTX_dane_set_flags()\fR, \fISSL_CTX_dane_clear_flags()\fR, +\&\fISSL_dane_set_flags()\fR and \fISSL_dane_clear_flags()\fR return the \fBflags\fR in effect +before they were called. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +Suppose \*(L"smtp.example.com\*(R" is the \s-1MX\s0 host of the domain \*(L"example.com\*(R", and has +DNSSEC-validated \s-1TLSA\s0 records. +The calls below will perform \s-1DANE\s0 authentication and arrange to match either +the \s-1MX\s0 hostname or the destination domain name in the \s-1SMTP\s0 server certificate. +Wildcards are supported, but must match the entire label. +The actual name matched in the certificate (which might be a wildcard) is +retrieved, and must be copied by the application if it is to be retained beyond +the lifetime of the \s-1SSL\s0 connection. +.PP +.Vb 7 +\& SSL_CTX *ctx; +\& SSL *ssl; +\& int (*verify_cb)(int ok, X509_STORE_CTX *sctx) = NULL; +\& int num_usable = 0; +\& const char *nexthop_domain = "example.com"; +\& const char *dane_tlsa_domain = "smtp.example.com"; +\& uint8_t usage, selector, mtype; +\& +\& if ((ctx = SSL_CTX_new(TLS_client_method())) == NULL) +\& /* error */ +\& if (SSL_CTX_dane_enable(ctx) <= 0) +\& /* error */ +\& if ((ssl = SSL_new(ctx)) == NULL) +\& /* error */ +\& if (SSL_dane_enable(ssl, dane_tlsa_domain) <= 0) +\& /* error */ +\& +\& /* +\& * For many applications it is safe to skip DANE\-EE(3) namechecks. Do not +\& * disable the checks unless "unknown key share" attacks pose no risk for +\& * your application. +\& */ +\& SSL_dane_set_flags(ssl, DANE_FLAG_NO_DANE_EE_NAMECHECKS); +\& +\& if (!SSL_add1_host(ssl, nexthop_domain)) +\& /* error */ +\& SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); +\& +\& for (... each TLSA record ...) { +\& unsigned char *data; +\& size_t len; +\& int ret; +\& +\& /* set usage, selector, mtype, data, len */ +\& +\& /* +\& * Opportunistic DANE TLS clients support only DANE\-TA(2) or DANE\-EE(3). +\& * They treat all other certificate usages, and in particular PKIX\-TA(0) +\& * and PKIX\-EE(1), as unusable. +\& */ +\& switch (usage) { +\& default: +\& case 0: /* PKIX\-TA(0) */ +\& case 1: /* PKIX\-EE(1) */ +\& continue; +\& case 2: /* DANE\-TA(2) */ +\& case 3: /* DANE\-EE(3) */ +\& break; +\& } +\& +\& ret = SSL_dane_tlsa_add(ssl, usage, selector, mtype, data, len); +\& /* free data as appropriate */ +\& +\& if (ret < 0) +\& /* handle SSL library internal error */ +\& else if (ret == 0) +\& /* handle unusable TLSA record */ +\& else +\& ++num_usable; +\& } +\& +\& /* +\& * At this point, the verification mode is still the default SSL_VERIFY_NONE. +\& * Opportunistic DANE clients use unauthenticated TLS when all TLSA records +\& * are unusable, so continue the handshake even if authentication fails. +\& */ +\& if (num_usable == 0) { +\& /* Log all records unusable? */ +\& +\& /* Optionally set verify_cb to a suitable non\-NULL callback. */ +\& SSL_set_verify(ssl, SSL_VERIFY_NONE, verify_cb); +\& } else { +\& /* At least one usable record. We expect to verify the peer */ +\& +\& /* Optionally set verify_cb to a suitable non\-NULL callback. */ +\& +\& /* +\& * Below we elect to fail the handshake when peer verification fails. +\& * Alternatively, use the permissive SSL_VERIFY_NONE verification mode, +\& * complete the handshake, check the verification status, and if not +\& * verified disconnect gracefully at the application layer, especially if +\& * application protocol supports informing the server that authentication +\& * failed. +\& */ +\& SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb); +\& } +\& +\& /* +\& * Load any saved session for resumption, making sure that the previous +\& * session applied the same security and authentication requirements that +\& * would be expected of a fresh connection. +\& */ +\& +\& /* Perform SSL_connect() handshake and handle errors here */ +\& +\& if (SSL_session_reused(ssl)) { +\& if (SSL_get_verify_result(ssl) == X509_V_OK) { +\& /* +\& * Resumed session was originally verified, this connection is +\& * authenticated. +\& */ +\& } else { +\& /* +\& * Resumed session was not originally verified, this connection is not +\& * authenticated. +\& */ +\& } +\& } else if (SSL_get_verify_result(ssl) == X509_V_OK) { +\& const char *peername = SSL_get0_peername(ssl); +\& EVP_PKEY *mspki = NULL; +\& +\& int depth = SSL_get0_dane_authority(ssl, NULL, &mspki); +\& if (depth >= 0) { +\& (void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL); +\& printf("DANE TLSA %d %d %d %s at depth %d\en", usage, selector, mtype, +\& (mspki != NULL) ? "TA public key verified certificate" : +\& depth ? "matched TA certificate" : "matched EE certificate", +\& depth); +\& } +\& if (peername != NULL) { +\& /* Name checks were in scope and matched the peername */ +\& printf("Verified peername: %s\en", peername); +\& } +\& } else { +\& /* +\& * Not authenticated, presumably all TLSA rrs unusable, but possibly a +\& * callback suppressed connection termination despite the presence of +\& * usable TLSA RRs none of which matched. Do whatever is appropriate for +\& * fresh unauthenticated connections. +\& */ +\& } +.Ve +.SH "NOTES" +.IX Header "NOTES" +It is expected that the majority of clients employing \s-1DANE TLS\s0 will be doing +\&\*(L"opportunistic \s-1DANE TLS\*(R"\s0 in the sense of \s-1RFC7672\s0 and \s-1RFC7435.\s0 +That is, they will use \s-1DANE\s0 authentication when DNSSEC-validated \s-1TLSA\s0 records +are published for a given peer, and otherwise will use unauthenticated \s-1TLS\s0 or +even cleartext. +.PP +Such applications should generally treat any \s-1TLSA\s0 records published by the peer +with usages \s-1\fIPKIX\-TA\s0\fR\|(0) and \s-1\fIPKIX\-EE\s0\fR\|(1) as \*(L"unusable\*(R", and should not include +them among the \s-1TLSA\s0 records used to authenticate peer connections. +In addition, some \s-1TLSA\s0 records with supported usages may be \*(L"unusable\*(R" as a +result of invalid or unsupported parameters. +.PP +When a peer has \s-1TLSA\s0 records, but none are \*(L"usable\*(R", an opportunistic +application must avoid cleartext, but cannot authenticate the peer, +and so should generally proceed with an unauthenticated connection. +Opportunistic applications need to note the return value of each +call to \fISSL_dane_tlsa_add()\fR, and if all return 0 (due to invalid +or unsupported parameters) disable peer authentication by calling +\&\fISSL_set_verify\fR\|(3) with \fBmode\fR equal to \fB\s-1SSL_VERIFY_NONE\s0\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_new\fR\|(3), +\&\fISSL_add1_host\fR\|(3), +\&\fISSL_set_hostflags\fR\|(3), +\&\fISSL_set_tlsext_host_name\fR\|(3), +\&\fISSL_set_verify\fR\|(3), +\&\fISSL_CTX_set_cert_verify_callback\fR\|(3), +\&\fISSL_get0_verified_chain\fR\|(3), +\&\fISSL_get_peer_cert_chain\fR\|(3), +\&\fISSL_get_verify_result\fR\|(3), +\&\fISSL_connect\fR\|(3), +\&\fISSL_get0_peername\fR\|(3), +\&\fIX509_verify_cert\fR\|(3), +\&\fIX509_up_ref\fR\|(3), +\&\fIX509_free\fR\|(3), +\&\fIEVP_get_digestbyname\fR\|(3), +\&\fIEVP_PKEY_up_ref\fR\|(3), +\&\fIEVP_PKEY_free\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were first added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 b/secure/lib/libcrypto/man/SSL_CTX_flush_sessions.3 similarity index 88% rename from secure/lib/libssl/man/SSL_CTX_flush_sessions.3 rename to secure/lib/libcrypto/man/SSL_CTX_flush_sessions.3 index 24ce6bece32e..801f3a5c1052 100644 --- a/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_flush_sessions.3 @@ -128,35 +128,32 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_flush_sessions 3" -.TH SSL_CTX_flush_sessions 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_FLUSH_SESSIONS 3" +.TH SSL_CTX_FLUSH_SESSIONS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_flush_sessions, SSL_flush_sessions \- remove expired sessions +SSL_CTX_flush_sessions \- remove expired sessions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& void SSL_CTX_flush_sessions(SSL_CTX *ctx, long tm); -\& void SSL_flush_sessions(SSL_CTX *ctx, long tm); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fISSL_CTX_flush_sessions()\fR causes a run through the session cache of \&\fBctx\fR to remove sessions expired at time \fBtm\fR. -.PP -\&\fISSL_flush_sessions()\fR is a synonym for \fISSL_CTX_flush_sessions()\fR. .SH "NOTES" .IX Header "NOTES" If enabled, the internal session cache will collect all sessions established up to the specified maximum number (see \fISSL_CTX_sess_set_cache_size()\fR). As sessions will not be reused ones they are expired, they should be removed from the cache to save resources. This can either be done - automatically whenever 255 new sessions were established (see +automatically whenever 255 new sessions were established (see \&\fISSL_CTX_set_session_cache_mode\fR\|(3)) or manually by calling \fISSL_CTX_flush_sessions()\fR. .PP @@ -170,9 +167,18 @@ called to synchronize with the external cache (see \&\fISSL_CTX_sess_set_get_cb\fR\|(3)). .SH "RETURN VALUES" .IX Header "RETURN VALUES" +\&\fISSL_CTX_flush_sessions()\fR does not return a value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_session_cache_mode\fR\|(3), \&\fISSL_CTX_set_timeout\fR\|(3), \&\fISSL_CTX_sess_set_get_cb\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_free.3 b/secure/lib/libcrypto/man/SSL_CTX_free.3 similarity index 89% rename from secure/lib/libssl/man/SSL_CTX_free.3 rename to secure/lib/libcrypto/man/SSL_CTX_free.3 index c260f1055a28..6ee95bb2f406 100644 --- a/secure/lib/libssl/man/SSL_CTX_free.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_free.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_free 3" -.TH SSL_CTX_free 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_FREE 3" +.TH SSL_CTX_FREE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -146,12 +146,13 @@ SSL_CTX_free \- free an allocated SSL_CTX object .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fISSL_CTX_free()\fR decrements the reference count of \fBctx\fR, and removes the -\&\s-1SSL_CTX\s0 object pointed to by \fBctx\fR and frees up the allocated memory if the -the reference count has reached 0. +\&\s-1SSL_CTX\s0 object pointed to by \fBctx\fR and frees up the allocated memory if the reference count has reached 0. .PP It also calls the \fIfree()\fRing procedures for indirectly affected items, if applicable: the session cache, the list of ciphers, the list of Client CAs, the certificates and keys. +.PP +If \fBctx\fR is \s-1NULL\s0 nothing is done. .SH "WARNINGS" .IX Header "WARNINGS" If a session-remove callback is set (\fISSL_CTX_sess_set_remove_cb()\fR), this @@ -165,5 +166,13 @@ SSL_CTX_sess_set_remove_cb(\fBctx\fR, \s-1NULL\s0) prior to calling \fISSL_CTX_f \&\fISSL_CTX_free()\fR does not provide diagnostic information. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_CTX_new\fR\|(3), \fIssl\fR\|(3), +\&\fISSL_CTX_new\fR\|(3), \fIssl\fR\|(7), \&\fISSL_CTX_sess_set_get_cb\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_get0_param.3 b/secure/lib/libcrypto/man/SSL_CTX_get0_param.3 similarity index 91% rename from secure/lib/libssl/man/SSL_CTX_get0_param.3 rename to secure/lib/libcrypto/man/SSL_CTX_get0_param.3 index 3704b6cac12b..4c432b051d2c 100644 --- a/secure/lib/libssl/man/SSL_CTX_get0_param.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_get0_param.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_get0_param 3" -.TH SSL_CTX_get0_param 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_GET0_PARAM 3" +.TH SSL_CTX_GET0_PARAM 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_get0_param, SSL_get0_param, SSL_CTX_set1_param, SSL_set1_param \- -get and set verification parameters +SSL_CTX_get0_param, SSL_get0_param, SSL_CTX_set1_param, SSL_set1_param \- get and set verification parameters .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -181,3 +180,11 @@ for failure. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.2. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/secure/lib/libcrypto/man/SSL_CTX_get_verify_mode.3 similarity index 91% rename from secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 rename to secure/lib/libcrypto/man/SSL_CTX_get_verify_mode.3 index 1709214b8847..58712af30ebe 100644 --- a/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_get_verify_mode.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_get_verify_mode 3" -.TH SSL_CTX_get_verify_mode 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_GET_VERIFY_MODE 3" +.TH SSL_CTX_GET_VERIFY_MODE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -176,4 +176,12 @@ callback currently set in \fBssl\fR. If no callback was explicitly set, the See \s-1DESCRIPTION\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_verify\fR\|(3) +\&\fIssl\fR\|(7), \fISSL_CTX_set_verify\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_set_bio.3 b/secure/lib/libcrypto/man/SSL_CTX_has_client_custom_ext.3 similarity index 81% rename from secure/lib/libssl/man/SSL_set_bio.3 rename to secure/lib/libcrypto/man/SSL_CTX_has_client_custom_ext.3 index 1f7fba072ed9..4919f7c677b2 100644 --- a/secure/lib/libssl/man/SSL_set_bio.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_has_client_custom_ext.3 @@ -128,36 +128,37 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_set_bio 3" -.TH SSL_set_bio 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3" +.TH SSL_CTX_HAS_CLIENT_CUSTOM_EXT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_set_bio \- connect the SSL object with a BIO +SSL_CTX_has_client_custom_ext \- check whether a handler exists for a particular client extension type .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio); +\& int SSL_CTX_has_client_custom_ext(const SSL_CTX *ctx, unsigned int ext_type); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_set_bio()\fR connects the BIOs \fBrbio\fR and \fBwbio\fR for the read and write -operations of the \s-1TLS/SSL\s0 (encrypted) side of \fBssl\fR. -.PP -The \s-1SSL\s0 engine inherits the behaviour of \fBrbio\fR and \fBwbio\fR, respectively. -If a \s-1BIO\s0 is non-blocking, the \fBssl\fR will also have non-blocking behaviour. -.PP -If there was already a \s-1BIO\s0 connected to \fBssl\fR, \fIBIO_free()\fR will be called -(for both the reading and writing side, if different). +\&\fISSL_CTX_has_client_custom_ext()\fR checks whether a handler has been set for a +client extension of type \fBext_type\fR using \fISSL_CTX_add_client_custom_ext()\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fISSL_set_bio()\fR cannot fail. +Returns 1 if a handler has been set, 0 otherwise. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_get_rbio\fR\|(3), -\&\fISSL_connect\fR\|(3), \fISSL_accept\fR\|(3), -\&\fISSL_shutdown\fR\|(3), \fIssl\fR\|(3), \fIbio\fR\|(3) +\&\fIssl\fR\|(7), +\&\fISSL_CTX_add_client_custom_ext\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/secure/lib/libcrypto/man/SSL_CTX_load_verify_locations.3 similarity index 78% rename from secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 rename to secure/lib/libcrypto/man/SSL_CTX_load_verify_locations.3 index ad256ddb736d..84ce4a7a06c2 100644 --- a/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_load_verify_locations.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_load_verify_locations 3" -.TH SSL_CTX_load_verify_locations 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_LOAD_VERIFY_LOCATIONS 3" +.TH SSL_CTX_LOAD_VERIFY_LOCATIONS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_load_verify_locations \- set default locations for trusted CA -certificates +SSL_CTX_load_verify_locations, SSL_CTX_set_default_verify_paths, SSL_CTX_set_default_verify_dir, SSL_CTX_set_default_verify_file \- set default locations for trusted CA certificates .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -144,12 +143,34 @@ certificates \& \& int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, \& const char *CApath); +\& +\& int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); +\& +\& int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx); +\& +\& int SSL_CTX_set_default_verify_file(SSL_CTX *ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fISSL_CTX_load_verify_locations()\fR specifies the locations for \fBctx\fR, at which \s-1CA\s0 certificates for verification purposes are located. The certificates available via \fBCAfile\fR and \fBCApath\fR are trusted. +.PP +\&\fISSL_CTX_set_default_verify_paths()\fR specifies that the default locations from +which \s-1CA\s0 certificates are loaded should be used. There is one default directory +and one default file. The default \s-1CA\s0 certificates directory is called \*(L"certs\*(R" in +the default OpenSSL directory. Alternatively the \s-1SSL_CERT_DIR\s0 environment +variable can be defined to override this location. The default \s-1CA\s0 certificates +file is called \*(L"cert.pem\*(R" in the default OpenSSL directory. Alternatively the +\&\s-1SSL_CERT_FILE\s0 environment variable can be defined to override this location. +.PP +\&\fISSL_CTX_set_default_verify_dir()\fR is similar to +\&\fISSL_CTX_set_default_verify_paths()\fR except that just the default directory is +used. +.PP +\&\fISSL_CTX_set_default_verify_file()\fR is similar to +\&\fISSL_CTX_set_default_verify_paths()\fR except that just the default file is +used. .SH "NOTES" .IX Header "NOTES" If \fBCAfile\fR is not \s-1NULL,\s0 it points to a file of \s-1CA\s0 certificates in \s-1PEM\s0 @@ -218,7 +239,7 @@ ca1.pem ca2.pem ca3.pem: \& #!/bin/sh \& rm CAfile.pem \& for i in ca1.pem ca2.pem ca3.pem ; do -\& openssl x509 \-in $i \-text >> CAfile.pem +\& openssl x509 \-in $i \-text >> CAfile.pem \& done .Ve .PP @@ -231,7 +252,7 @@ for use as \fBCApath\fR: .Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The following return values can occur: +For SSL_CTX_load_verify_locations the following return values can occur: .IP "0" 4 The operation failed because \fBCAfile\fR and \fBCApath\fR are \s-1NULL\s0 or the processing at one of the locations specified failed. Check the error @@ -239,11 +260,24 @@ stack to find out the reason. .IP "1" 4 .IX Item "1" The operation succeeded. +.PP +\&\fISSL_CTX_set_default_verify_paths()\fR, \fISSL_CTX_set_default_verify_dir()\fR and +\&\fISSL_CTX_set_default_verify_file()\fR all return 1 on success or 0 on failure. A +missing default location is still treated as a success. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_client_CA_list\fR\|(3), \&\fISSL_get_client_CA_list\fR\|(3), \&\fISSL_CTX_use_certificate\fR\|(3), \&\fISSL_CTX_add_extra_chain_cert\fR\|(3), -\&\fISSL_CTX_set_cert_store\fR\|(3) +\&\fISSL_CTX_set_cert_store\fR\|(3), +\&\fISSL_CTX_set_client_CA_list\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_new.3 b/secure/lib/libcrypto/man/SSL_CTX_new.3 similarity index 60% rename from secure/lib/libssl/man/SSL_CTX_new.3 rename to secure/lib/libcrypto/man/SSL_CTX_new.3 index 0d64929318c5..1c19dfefeda1 100644 --- a/secure/lib/libssl/man/SSL_CTX_new.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_new.3 @@ -128,135 +128,119 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_new 3" -.TH SSL_CTX_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_NEW 3" +.TH SSL_CTX_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_new, -SSLv23_method, SSLv23_server_method, SSLv23_client_method, -TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method, -TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, -TLSv1_method, TLSv1_server_method, TLSv1_client_method, -SSLv3_method, SSLv3_server_method, SSLv3_client_method, -SSLv2_method, SSLv2_server_method, SSLv2_client_method, -DTLS_method, DTLS_server_method, DTLS_client_method, -DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method, -DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method \- -create a new SSL_CTX object as framework for TLS/SSL enabled functions +TLSv1_2_method, TLSv1_2_server_method, TLSv1_2_client_method, SSL_CTX_new, SSL_CTX_up_ref, SSLv3_method, SSLv3_server_method, SSLv3_client_method, TLSv1_method, TLSv1_server_method, TLSv1_client_method, TLSv1_1_method, TLSv1_1_server_method, TLSv1_1_client_method, TLS_method, TLS_server_method, TLS_client_method, SSLv23_method, SSLv23_server_method, SSLv23_client_method, DTLS_method, DTLS_server_method, DTLS_client_method, DTLSv1_method, DTLSv1_server_method, DTLSv1_client_method, DTLSv1_2_method, DTLSv1_2_server_method, DTLSv1_2_client_method \&\- create a new SSL_CTX object as framework for TLS/SSL or DTLS enabled functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& SSL_CTX *SSL_CTX_new(const SSL_METHOD *method); +\& int SSL_CTX_up_ref(SSL_CTX *ctx); +\& +\& const SSL_METHOD *TLS_method(void); +\& const SSL_METHOD *TLS_server_method(void); +\& const SSL_METHOD *TLS_client_method(void); +\& \& const SSL_METHOD *SSLv23_method(void); \& const SSL_METHOD *SSLv23_server_method(void); \& const SSL_METHOD *SSLv23_client_method(void); -\& const SSL_METHOD *TLSv1_2_method(void); -\& const SSL_METHOD *TLSv1_2_server_method(void); -\& const SSL_METHOD *TLSv1_2_client_method(void); -\& const SSL_METHOD *TLSv1_1_method(void); -\& const SSL_METHOD *TLSv1_1_server_method(void); -\& const SSL_METHOD *TLSv1_1_client_method(void); -\& const SSL_METHOD *TLSv1_method(void); -\& const SSL_METHOD *TLSv1_server_method(void); -\& const SSL_METHOD *TLSv1_client_method(void); +\& \& #ifndef OPENSSL_NO_SSL3_METHOD \& const SSL_METHOD *SSLv3_method(void); \& const SSL_METHOD *SSLv3_server_method(void); \& const SSL_METHOD *SSLv3_client_method(void); \& #endif -\& #ifndef OPENSSL_NO_SSL2 -\& const SSL_METHOD *SSLv2_method(void); -\& const SSL_METHOD *SSLv2_server_method(void); -\& const SSL_METHOD *SSLv2_client_method(void); +\& +\& #ifndef OPENSSL_NO_TLS1_METHOD +\& const SSL_METHOD *TLSv1_method(void); +\& const SSL_METHOD *TLSv1_server_method(void); +\& const SSL_METHOD *TLSv1_client_method(void); +\& #endif +\& +\& #ifndef OPENSSL_NO_TLS1_1_METHOD +\& const SSL_METHOD *TLSv1_1_method(void); +\& const SSL_METHOD *TLSv1_1_server_method(void); +\& const SSL_METHOD *TLSv1_1_client_method(void); +\& #endif +\& +\& #ifndef OPENSSL_NO_TLS1_2_METHOD +\& const SSL_METHOD *TLSv1_2_method(void); +\& const SSL_METHOD *TLSv1_2_server_method(void); +\& const SSL_METHOD *TLSv1_2_client_method(void); \& #endif \& \& const SSL_METHOD *DTLS_method(void); \& const SSL_METHOD *DTLS_server_method(void); \& const SSL_METHOD *DTLS_client_method(void); -\& const SSL_METHOD *DTLSv1_2_method(void); -\& const SSL_METHOD *DTLSv1_2_server_method(void); -\& const SSL_METHOD *DTLSv1_2_client_method(void); +\& +\& #ifndef OPENSSL_NO_DTLS1_METHOD \& const SSL_METHOD *DTLSv1_method(void); \& const SSL_METHOD *DTLSv1_server_method(void); \& const SSL_METHOD *DTLSv1_client_method(void); +\& #endif +\& +\& #ifndef OPENSSL_NO_DTLS1_2_METHOD +\& const SSL_METHOD *DTLSv1_2_method(void); +\& const SSL_METHOD *DTLSv1_2_server_method(void); +\& const SSL_METHOD *DTLSv1_2_client_method(void); +\& #endif .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_CTX_new()\fR creates a new \fB\s-1SSL_CTX\s0\fR object as framework to establish -\&\s-1TLS/SSL\s0 enabled connections. +\&\fISSL_CTX_new()\fR creates a new \fB\s-1SSL_CTX\s0\fR object as framework to +establish \s-1TLS/SSL\s0 or \s-1DTLS\s0 enabled connections. An \fB\s-1SSL_CTX\s0\fR object is +reference counted. Creating an \fB\s-1SSL_CTX\s0\fR object for the first time increments +the reference count. Freeing it (using SSL_CTX_free) decrements it. When the +reference count drops to zero, any memory or resources allocated to the +\&\fB\s-1SSL_CTX\s0\fR object are freed. \fISSL_CTX_up_ref()\fR increments the reference count for +an existing \fB\s-1SSL_CTX\s0\fR structure. .SH "NOTES" .IX Header "NOTES" -The \s-1SSL_CTX\s0 object uses \fBmethod\fR as connection method. The methods exist -in a generic type (for client and server use), a server only type, and a -client only type. \fBmethod\fR can be of the following types: -.IP "\fISSLv23_method()\fR, \fISSLv23_server_method()\fR, \fISSLv23_client_method()\fR" 4 -.IX Item "SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()" +The \s-1SSL_CTX\s0 object uses \fBmethod\fR as connection method. +The methods exist in a generic type (for client and server use), a server only +type, and a client only type. +\&\fBmethod\fR can be of the following types: +.IP "\fITLS_method()\fR, \fITLS_server_method()\fR, \fITLS_client_method()\fR" 4 +.IX Item "TLS_method(), TLS_server_method(), TLS_client_method()" These are the general-purpose \fIversion-flexible\fR \s-1SSL/TLS\s0 methods. The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. -The supported protocols are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2. -Most applications should use these method, and avoid the version specific +The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. +Applications should use these methods, and avoid the version-specific methods described below. -.Sp -The list of protocols available can be further limited using the -\&\fBSSL_OP_NO_SSLv2\fR, \fBSSL_OP_NO_SSLv3\fR, \fBSSL_OP_NO_TLSv1\fR, -\&\fBSSL_OP_NO_TLSv1_1\fR and \fBSSL_OP_NO_TLSv1_2\fR options of the -\&\fISSL_CTX_set_options\fR\|(3) or \fISSL_set_options\fR\|(3) functions. -Clients should avoid creating \*(L"holes\*(R" in the set of protocols they support, -when disabling a protocol, make sure that you also disable either all previous -or all subsequent protocol versions. -In clients, when a protocol version is disabled without disabling \fIall\fR -previous protocol versions, the effect is to also disable all subsequent -protocol versions. -.Sp -The SSLv2 and SSLv3 protocols are deprecated and should generally not be used. -Applications should typically use \fISSL_CTX_set_options\fR\|(3) in combination with -the \fBSSL_OP_NO_SSLv3\fR flag to disable negotiation of SSLv3 via the above -\&\fIversion-flexible\fR \s-1SSL/TLS\s0 methods. -The \fBSSL_OP_NO_SSLv2\fR option is set by default, and would need to be cleared -via \fISSL_CTX_clear_options\fR\|(3) in order to enable negotiation of SSLv2. +.IP "\fISSLv23_method()\fR, \fISSLv23_server_method()\fR, \fISSLv23_client_method()\fR" 4 +.IX Item "SSLv23_method(), SSLv23_server_method(), SSLv23_client_method()" +Use of these functions is deprecated. They have been replaced with the above +\&\fITLS_method()\fR, \fITLS_server_method()\fR and \fITLS_client_method()\fR respectively. New +code should use those functions instead. .IP "\fITLSv1_2_method()\fR, \fITLSv1_2_server_method()\fR, \fITLSv1_2_client_method()\fR" 4 .IX Item "TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method()" A \s-1TLS/SSL\s0 connection established with these methods will only understand the -TLSv1.2 protocol. A client will send out TLSv1.2 client hello messages and -will also indicate that it only understand TLSv1.2. A server will only -understand TLSv1.2 client hello messages. +TLSv1.2 protocol. .IP "\fITLSv1_1_method()\fR, \fITLSv1_1_server_method()\fR, \fITLSv1_1_client_method()\fR" 4 .IX Item "TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method()" A \s-1TLS/SSL\s0 connection established with these methods will only understand the -TLSv1.1 protocol. A client will send out TLSv1.1 client hello messages and -will also indicate that it only understand TLSv1.1. A server will only -understand TLSv1.1 client hello messages. +TLSv1.1 protocol. .IP "\fITLSv1_method()\fR, \fITLSv1_server_method()\fR, \fITLSv1_client_method()\fR" 4 .IX Item "TLSv1_method(), TLSv1_server_method(), TLSv1_client_method()" A \s-1TLS/SSL\s0 connection established with these methods will only understand the -TLSv1 protocol. A client will send out TLSv1 client hello messages and will -indicate that it only understands TLSv1. A server will only understand TLSv1 -client hello messages. +TLSv1 protocol. .IP "\fISSLv3_method()\fR, \fISSLv3_server_method()\fR, \fISSLv3_client_method()\fR" 4 .IX Item "SSLv3_method(), SSLv3_server_method(), SSLv3_client_method()" A \s-1TLS/SSL\s0 connection established with these methods will only understand the -SSLv3 protocol. A client will send out SSLv3 client hello messages and will -indicate that it only understands SSLv3. A server will only understand SSLv3 -client hello messages. The SSLv3 protocol is deprecated and should not be -used. -.IP "\fISSLv2_method()\fR, \fISSLv2_server_method()\fR, \fISSLv2_client_method()\fR" 4 -.IX Item "SSLv2_method(), SSLv2_server_method(), SSLv2_client_method()" -A \s-1TLS/SSL\s0 connection established with these methods will only understand the -SSLv2 protocol. A client will send out SSLv2 client hello messages and will -also indicate that it only understand SSLv2. A server will only understand -SSLv2 client hello messages. The SSLv2 protocol offers little to no security -and should not be used. -As of OpenSSL 1.0.2g, \s-1EXPORT\s0 ciphers and 56\-bit \s-1DES\s0 are no longer available -with SSLv2. +SSLv3 protocol. +The SSLv3 protocol is deprecated and should not be used. .IP "\fIDTLS_method()\fR, \fIDTLS_server_method()\fR, \fIDTLS_client_method()\fR" 4 .IX Item "DTLS_method(), DTLS_server_method(), DTLS_client_method()" These are the version-flexible \s-1DTLS\s0 methods. +Currently supported protocols are \s-1DTLS 1.0\s0 and \s-1DTLS 1.2.\s0 .IP "\fIDTLSv1_2_method()\fR, \fIDTLSv1_2_server_method()\fR, \fIDTLSv1_2_client_method()\fR" 4 .IX Item "DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method()" These are the version-specific methods for DTLSv1.2. @@ -265,7 +249,37 @@ These are the version-specific methods for DTLSv1.2. These are the version-specific methods for DTLSv1. .PP \&\fISSL_CTX_new()\fR initializes the list of ciphers, the session cache setting, the -callbacks, the keys and certificates and the options to its default values. +callbacks, the keys and certificates and the options to their default values. +.PP +\&\fITLS_method()\fR, \fITLS_server_method()\fR, \fITLS_client_method()\fR, \fIDTLS_method()\fR, +\&\fIDTLS_server_method()\fR and \fIDTLS_client_method()\fR are the \fIversion-flexible\fR +methods. +All other methods only support one specific protocol version. +Use the \fIversion-flexible\fR methods instead of the version specific methods. +.PP +If you want to limit the supported protocols for the version flexible +methods you can use \fISSL_CTX_set_min_proto_version\fR\|(3), +\&\fISSL_set_min_proto_version\fR\|(3), \fISSL_CTX_set_max_proto_version\fR\|(3) and +\&\fISSL_set_max_proto_version\fR\|(3) functions. +Using these functions it is possible to choose e.g. \fITLS_server_method()\fR +and be able to negotiate with all possible clients, but to only +allow newer protocols like \s-1TLS 1.0, TLS 1.1, TLS 1.2\s0 or \s-1TLS 1.3.\s0 +.PP +The list of protocols available can also be limited using the +\&\fBSSL_OP_NO_SSLv3\fR, \fBSSL_OP_NO_TLSv1\fR, \fBSSL_OP_NO_TLSv1_1\fR, +\&\fBSSL_OP_NO_TLSv1_3\fR, \fBSSL_OP_NO_TLSv1_2\fR and \fBSSL_OP_NO_TLSv1_3\fR +options of the +\&\fISSL_CTX_set_options\fR\|(3) or \fISSL_set_options\fR\|(3) functions, but this approach +is not recommended. Clients should avoid creating \*(L"holes\*(R" in the set of +protocols they support. When disabling a protocol, make sure that you also +disable either all previous or all subsequent protocol versions. +In clients, when a protocol version is disabled without disabling \fIall\fR +previous protocol versions, the effect is to also disable all subsequent +protocol versions. +.PP +The SSLv3 protocol is deprecated and should generally not be used. +Applications should typically use \fISSL_CTX_set_min_proto_version\fR\|(3) to set +the minimum protocol to at least \fB\s-1TLS1_VERSION\s0\fR. .SH "RETURN VALUES" .IX Header "RETURN VALUES" The following return values can occur: @@ -276,8 +290,28 @@ the reason. .IP "Pointer to an \s-1SSL_CTX\s0 object" 4 .IX Item "Pointer to an SSL_CTX object" The return value points to an allocated \s-1SSL_CTX\s0 object. +.Sp +\&\fISSL_CTX_up_ref()\fR returns 1 for success and 0 for failure. +.SH "HISTORY" +.IX Header "HISTORY" +Support for SSLv2 and the corresponding \fISSLv2_method()\fR, +\&\fISSLv2_server_method()\fR and \fISSLv2_client_method()\fR functions where +removed in OpenSSL 1.1.0. +.PP +\&\fISSLv23_method()\fR, \fISSLv23_server_method()\fR and \fISSLv23_client_method()\fR +were deprecated and the preferred \fITLS_method()\fR, \fITLS_server_method()\fR +and \fITLS_client_method()\fR functions were introduced in OpenSSL 1.1.0. +.PP +All version-specific methods were deprecated in OpenSSL 1.1.0. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_CTX_set_options\fR\|(3), \fISSL_CTX_clear_options\fR\|(3), \fISSL_set_options\fR\|(3), -\&\fISSL_CTX_free\fR\|(3), \fISSL_accept\fR\|(3), -\&\fIssl\fR\|(3), \fISSL_set_connect_state\fR\|(3) +\&\fISSL_CTX_set_options\fR\|(3), \fISSL_CTX_free\fR\|(3), \fISSL_accept\fR\|(3), +\&\fISSL_CTX_set_min_proto_version\fR\|(3), \fIssl\fR\|(7), \fISSL_set_connect_state\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_sess_number.3 b/secure/lib/libcrypto/man/SSL_CTX_sess_number.3 similarity index 92% rename from secure/lib/libssl/man/SSL_CTX_sess_number.3 rename to secure/lib/libcrypto/man/SSL_CTX_sess_number.3 index c2f87feaf5fd..fa42c623dfcf 100644 --- a/secure/lib/libssl/man/SSL_CTX_sess_number.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_sess_number.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_sess_number 3" -.TH SSL_CTX_sess_number 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SESS_NUMBER 3" +.TH SSL_CTX_SESS_NUMBER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -165,7 +165,7 @@ client mode. \&\fISSL_CTX_sess_connect_good()\fR returns the number of successfully established \&\s-1SSL/TLS\s0 sessions in client mode. .PP -\&\fISSL_CTX_sess_connect_renegotiate()\fR returns the number of start renegotiations +\&\fISSL_CTX_sess_connect_renegotiate()\fR returns the number of started renegotiations in client mode. .PP \&\fISSL_CTX_sess_accept()\fR returns the number of started \s-1SSL/TLS\s0 handshakes in @@ -174,7 +174,7 @@ server mode. \&\fISSL_CTX_sess_accept_good()\fR returns the number of successfully established \&\s-1SSL/TLS\s0 sessions in server mode. .PP -\&\fISSL_CTX_sess_accept_renegotiate()\fR returns the number of start renegotiations +\&\fISSL_CTX_sess_accept_renegotiate()\fR returns the number of started renegotiations in server mode. .PP \&\fISSL_CTX_sess_hits()\fR returns the number of successfully reused sessions. @@ -200,6 +200,14 @@ because the maximum session cache size was exceeded. The functions return the values indicated in the \s-1DESCRIPTION\s0 section. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_set_session\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_set_session\fR\|(3), \&\fISSL_CTX_set_session_cache_mode\fR\|(3) \&\fISSL_CTX_sess_set_cache_size\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/secure/lib/libcrypto/man/SSL_CTX_sess_set_cache_size.3 similarity index 91% rename from secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 rename to secure/lib/libcrypto/man/SSL_CTX_sess_set_cache_size.3 index b9a59a167da6..73c3082d128e 100644 --- a/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_sess_set_cache_size.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_sess_set_cache_size 3" -.TH SSL_CTX_sess_set_cache_size 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SESS_SET_CACHE_SIZE 3" +.TH SSL_CTX_SESS_SET_CACHE_SIZE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -175,7 +175,15 @@ expiration of sessions. \&\fISSL_CTX_sess_get_cache_size()\fR returns the currently valid size. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_session_cache_mode\fR\|(3), \&\fISSL_CTX_sess_number\fR\|(3), \&\fISSL_CTX_flush_sessions\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_sess_set_get_cb.3 similarity index 74% rename from secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 rename to secure/lib/libcrypto/man/SSL_CTX_sess_set_get_cb.3 index f5d88b2615c9..d316e9dbd1b0 100644 --- a/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_sess_set_get_cb.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_sess_set_get_cb 3" -.TH SSL_CTX_sess_set_get_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SESS_SET_GET_CB 3" +.TH SSL_CTX_SESS_SET_GET_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -144,18 +144,20 @@ SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SS \& void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, \& int (*new_session_cb)(SSL *, SSL_SESSION *)); \& void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, -\& void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); +\& void (*remove_session_cb)(SSL_CTX *ctx, +\& SSL_SESSION *)); \& void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, -\& SSL_SESSION (*get_session_cb)(SSL *, unsigned char *, int, int *)); +\& SSL_SESSION (*get_session_cb)(SSL *, +\& const unsigned char *, +\& int, int *)); \& -\& int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); -\& void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); -\& SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, unsigned char *data, int len, int *copy); -\& -\& int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); -\& void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); -\& SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, -\& int len, int *copy); +\& int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, +\& SSL_SESSION *sess); +\& void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, +\& SSL_SESSION *sess); +\& SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, +\& const unsigned char *data, +\& int len, int *copy); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -174,9 +176,9 @@ could not be found in the internal session cache (see (\s-1SSL/TLS\s0 server only.) .PP \&\fISSL_CTX_sess_get_new_cb()\fR, \fISSL_CTX_sess_get_remove_cb()\fR, and -\&\fISSL_CTX_sess_get_get_cb()\fR allow to retrieve the function pointers of the -provided callback functions. If a callback function has not been set, -the \s-1NULL\s0 pointer is returned. +\&\fISSL_CTX_sess_get_get_cb()\fR retrieve the function pointers set by the +corresponding set callback functions. If a callback function has not been +set, the \s-1NULL\s0 pointer is returned. .SH "NOTES" .IX Header "NOTES" In order to allow external session caching, synchronization with the internal @@ -189,7 +191,18 @@ and session caching is enabled (see \&\fISSL_CTX_set_session_cache_mode\fR\|(3)). The \fInew_session_cb()\fR is passed the \fBssl\fR connection and the ssl session \&\fBsess\fR. If the callback returns \fB0\fR, the session will be immediately -removed again. +removed again. Note that in TLSv1.3, sessions are established after the main +handshake has completed. The server decides when to send the client the session +information and this may occur some time after the end of the handshake (or not +at all). This means that applications should expect the \fInew_session_cb()\fR +function to be invoked during the handshake (for <= TLSv1.2) or after the +handshake (for TLSv1.3). It is also possible in TLSv1.3 for multiple sessions to +be established with a single connection. In these case the \fInew_session_cb()\fR +function will be invoked multiple times. +.PP +In TLSv1.3 it is recommended that each \s-1SSL_SESSION\s0 object is only used for +resumption once. One way of enforcing that is for applications to call +\&\fISSL_CTX_remove_session\fR\|(3) after a session has been used. .PP The \fIremove_session_cb()\fR is called, whenever the \s-1SSL\s0 engine removes a session from the internal cache. This happens when the session is removed because @@ -207,10 +220,22 @@ session caching was disabled. The \fIget_session_cb()\fR is passed the Normally the reference count is not incremented and therefore the session must not be explicitly freed with \&\fISSL_SESSION_free\fR\|(3). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_sess_get_new_cb()\fR, \fISSL_CTX_sess_get_remove_cb()\fR and \fISSL_CTX_sess_get_get_cb()\fR +return different callback function pointers respectively. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fId2i_SSL_SESSION\fR\|(3), +\&\fIssl\fR\|(7), \fId2i_SSL_SESSION\fR\|(3), \&\fISSL_CTX_set_session_cache_mode\fR\|(3), \&\fISSL_CTX_flush_sessions\fR\|(3), \&\fISSL_SESSION_free\fR\|(3), \&\fISSL_CTX_free\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_sessions.3 b/secure/lib/libcrypto/man/SSL_CTX_sessions.3 similarity index 85% rename from secure/lib/libssl/man/SSL_CTX_sessions.3 rename to secure/lib/libcrypto/man/SSL_CTX_sessions.3 index 031f7f40d7e9..3b2fe65f2786 100644 --- a/secure/lib/libssl/man/SSL_CTX_sessions.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_sessions.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_sessions 3" -.TH SSL_CTX_sessions 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SESSIONS 3" +.TH SSL_CTX_SESSIONS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -150,14 +150,25 @@ internal session cache for \fBctx\fR. .SH "NOTES" .IX Header "NOTES" The sessions in the internal session cache are kept in an -\&\fIlhash\fR\|(3) type database. It is possible to directly +\&\s-1\fILHASH\s0\fR\|(3) type database. It is possible to directly access this database e.g. for searching. In parallel, the sessions form a linked list which is maintained separately from the -\&\fIlhash\fR\|(3) operations, so that the database must not be +\&\s-1\fILHASH\s0\fR\|(3) operations, so that the database must not be modified directly but by using the \&\fISSL_CTX_add_session\fR\|(3) family of functions. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_sessions()\fR returns a pointer to the lhash of \fB\s-1SSL_SESSION\s0\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fIlhash\fR\|(3), +\&\fIssl\fR\|(7), \s-1\fILHASH\s0\fR\|(3), \&\fISSL_CTX_add_session\fR\|(3), \&\fISSL_CTX_set_session_cache_mode\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set0_CA_list.3 b/secure/lib/libcrypto/man/SSL_CTX_set0_CA_list.3 new file mode 100644 index 000000000000..f27981bca0c3 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set0_CA_list.3 @@ -0,0 +1,217 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET0_CA_LIST 3" +.TH SSL_CTX_SET0_CA_LIST 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_set0_CA_list, SSL_CTX_set0_CA_list, SSL_get0_CA_list, SSL_CTX_get0_CA_list, SSL_add1_to_CA_list, SSL_CTX_add1_to_CA_list, SSL_get0_peer_CA_list \- get or set CA list +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void SSL_CTX_set0_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list); +\& void SSL_set0_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list); +\& const STACK_OF(X509_NAME) *SSL_CTX_get0_CA_list(const SSL_CTX *ctx); +\& const STACK_OF(X509_NAME) *SSL_get0_CA_list(const SSL *s); +\& int SSL_CTX_add1_to_CA_list(SSL_CTX *ctx, const X509 *x); +\& int SSL_add1_to_CA_list(SSL *ssl, const X509 *x); +\& +\& const STACK_OF(X509_NAME) *SSL_get0_peer_CA_list(const SSL *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set0_CA_list()\fR sets the list of CAs to be sent to the peer to +\&\fBname_list\fR. Ownership of \fBname_list\fR is transferred to \fBctx\fR and +it should not be freed by the caller. +.PP +\&\fISSL_set0_CA_list()\fR sets the list of CAs to be sent to the peer to \fBname_list\fR +overriding any list set in the parent \fB\s-1SSL_CTX\s0\fR of \fBs\fR. Ownership of +\&\fBname_list\fR is transferred to \fBs\fR and it should not be freed by the caller. +.PP +\&\fISSL_CTX_get0_CA_list()\fR retrieves any previously set list of CAs set for +\&\fBctx\fR. +.PP +\&\fISSL_CTX_get0_CA_list()\fR retrieves any previously set list of CAs set for +\&\fBs\fR or if none are set the list from the parent \fB\s-1SSL_CTX\s0\fR is retrieved. +.PP +\&\fISSL_CTX_add1_to_CA_list()\fR appends the \s-1CA\s0 subject name extracted from \fBx\fR to the +list of CAs sent to peer for \fBctx\fR. +.PP +\&\fISSL_add1_to_CA_list()\fR appends the \s-1CA\s0 subject name extracted from \fBx\fR to the +list of CAs sent to the peer for \fBs\fR, overriding the setting in the parent +\&\fB\s-1SSL_CTX\s0\fR. +.PP +\&\fISSL_get0_peer_CA_list()\fR retrieves the list of \s-1CA\s0 names (if any) the peer +has sent. +.SH "NOTES" +.IX Header "NOTES" +These functions are generalised versions of the client authentication +\&\s-1CA\s0 list functions such as \fISSL_CTX_set_client_CA_list\fR\|(3). +.PP +For \s-1TLS\s0 versions before 1.3 the list of \s-1CA\s0 names is only sent from the server +to client when requesting a client certificate. So any list of \s-1CA\s0 names set +is never sent from client to server and the list of \s-1CA\s0 names retrieved by +\&\fISSL_get0_peer_CA_list()\fR is always \fB\s-1NULL\s0\fR. +.PP +For \s-1TLS 1.3\s0 the list of \s-1CA\s0 names is sent using the \fBcertificate_authorities\fR +extension and will be sent by a client (in the ClientHello message) or by +a server (when requesting a certificate). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_set0_CA_list()\fR and \fISSL_set0_CA_list()\fR do not return a value. +.PP +\&\fISSL_CTX_get0_CA_list()\fR and \fISSL_get0_CA_list()\fR return a stack of \s-1CA\s0 names +or \fB\s-1NULL\s0\fR is no \s-1CA\s0 names are set. +.PP +\&\fISSL_CTX_add1_to_CA_list()\fR and \fISSL_add1_to_CA_list()\fR return 1 for success and 0 +for failure. +.PP +\&\fISSL_get0_peer_CA_list()\fR returns a stack of \s-1CA\s0 names sent by the peer or +\&\fB\s-1NULL\s0\fR or an empty stack if no list was sent. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fISSL_CTX_set_client_CA_list\fR\|(3), +\&\fISSL_get_client_CA_list\fR\|(3), +\&\fISSL_load_client_CA_file\fR\|(3), +\&\fISSL_CTX_load_verify_locations\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set1_curves.3 b/secure/lib/libcrypto/man/SSL_CTX_set1_curves.3 similarity index 63% rename from secure/lib/libssl/man/SSL_CTX_set1_curves.3 rename to secure/lib/libcrypto/man/SSL_CTX_set1_curves.3 index 0a78666c4785..ae67ceea65a4 100644 --- a/secure/lib/libssl/man/SSL_CTX_set1_curves.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set1_curves.3 @@ -128,21 +128,28 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set1_curves 3" -.TH SSL_CTX_set1_curves 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET1_CURVES 3" +.TH SSL_CTX_SET1_CURVES 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set1_curves, SSL_CTX_set1_curves_list, SSL_set1_curves, -SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve, -SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto \- EC supported curve functions +SSL_CTX_set1_groups, SSL_CTX_set1_groups_list, SSL_set1_groups, SSL_set1_groups_list, SSL_get1_groups, SSL_get_shared_group, SSL_CTX_set1_curves, SSL_CTX_set1_curves_list, SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve \&\- EC supported curve functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& int SSL_CTX_set1_groups(SSL_CTX *ctx, int *glist, int glistlen); +\& int SSL_CTX_set1_groups_list(SSL_CTX *ctx, char *list); +\& +\& int SSL_set1_groups(SSL *ssl, int *glist, int glistlen); +\& int SSL_set1_groups_list(SSL *ssl, char *list); +\& +\& int SSL_get1_groups(SSL *ssl, int *groups); +\& int SSL_get_shared_group(SSL *s, int n); +\& \& int SSL_CTX_set1_curves(SSL_CTX *ctx, int *clist, int clistlen); \& int SSL_CTX_set1_curves_list(SSL_CTX *ctx, char *list); \& @@ -151,82 +158,74 @@ SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto \- EC supported curve functions \& \& int SSL_get1_curves(SSL *ssl, int *curves); \& int SSL_get_shared_curve(SSL *s, int n); -\& -\& int SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int onoff); -\& int SSL_set_ecdh_auto(SSL *s, int onoff); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_CTX_set1_curves()\fR sets the supported curves for \fBctx\fR to \fBclistlen\fR -curves in the array \fBclist\fR. The array consist of all NIDs of curves in -preference order. For a \s-1TLS\s0 client the curves are used directly in the -supported curves extension. For a \s-1TLS\s0 server the curves are used to -determine the set of shared curves. +\&\fISSL_CTX_set1_groups()\fR sets the supported groups for \fBctx\fR to \fBglistlen\fR +groups in the array \fBglist\fR. The array consist of all NIDs of groups in +preference order. For a \s-1TLS\s0 client the groups are used directly in the +supported groups extension. For a \s-1TLS\s0 server the groups are used to +determine the set of shared groups. .PP -\&\fISSL_CTX_set1_curves_list()\fR sets the supported curves for \fBctx\fR to -string \fBlist\fR. The string is a colon separated list of curve NIDs or +\&\fISSL_CTX_set1_groups_list()\fR sets the supported groups for \fBctx\fR to +string \fBlist\fR. The string is a colon separated list of group NIDs or names, for example \*(L"P\-521:P\-384:P\-256\*(R". .PP -\&\fISSL_set1_curves()\fR and \fISSL_set1_curves_list()\fR are similar except they set -supported curves for the \s-1SSL\s0 structure \fBssl\fR. +\&\fISSL_set1_groups()\fR and \fISSL_set1_groups_list()\fR are similar except they set +supported groups for the \s-1SSL\s0 structure \fBssl\fR. .PP -\&\fISSL_get1_curves()\fR returns the set of supported curves sent by a client -in the supported curves extension. It returns the total number of -supported curves. The \fBcurves\fR parameter can be \fB\s-1NULL\s0\fR to simply -return the number of curves for memory allocation purposes. The -\&\fBcurves\fR array is in the form of a set of curve NIDs in preference -order. It can return zero if the client did not send a supported curves +\&\fISSL_get1_groups()\fR returns the set of supported groups sent by a client +in the supported groups extension. It returns the total number of +supported groups. The \fBgroups\fR parameter can be \fB\s-1NULL\s0\fR to simply +return the number of groups for memory allocation purposes. The +\&\fBgroups\fR array is in the form of a set of group NIDs in preference +order. It can return zero if the client did not send a supported groups extension. .PP -\&\fISSL_get_shared_curve()\fR returns shared curve \fBn\fR for a server-side -\&\s-1SSL\s0 \fBssl\fR. If \fBn\fR is \-1 then the total number of shared curves is +\&\fISSL_get_shared_group()\fR returns shared group \fBn\fR for a server-side +\&\s-1SSL\s0 \fBssl\fR. If \fBn\fR is \-1 then the total number of shared groups is returned, which may be zero. Other than for diagnostic purposes, -most applications will only be interested in the first shared curve +most applications will only be interested in the first shared group so \fBn\fR is normally set to zero. If the value \fBn\fR is out of range, NID_undef is returned. .PP -\&\fISSL_CTX_set_ecdh_auto()\fR and \fISSL_set_ecdh_auto()\fR set automatic curve -selection for server \fBctx\fR or \fBssl\fR to \fBonoff\fR. If \fBonoff\fR is 1 then -the highest preference curve is automatically used for \s-1ECDH\s0 temporary -keys used during key exchange. -.PP All these functions are implemented as macros. +.PP +The curve functions are synonyms for the equivalently named group functions and +are identical in every respect. They exist because, prior to \s-1TLS1.3,\s0 there was +only the concept of supported curves. In \s-1TLS1.3\s0 this was renamed to supported +groups, and extended to include Diffie Hellman groups. The group functions +should be used in preference. .SH "NOTES" .IX Header "NOTES" If an application wishes to make use of several of these functions for configuration purposes either on a command line or in a file it should consider using the \s-1SSL_CONF\s0 interface instead of manually parsing options. -.PP -The functions \fISSL_CTX_set_ecdh_auto()\fR and \fISSL_set_ecdh_auto()\fR can be used to -make a server always choose the most appropriate curve for a client. If set -it will override any temporary \s-1ECDH\s0 parameters set by a server. Previous -versions of OpenSSL could effectively only use a single \s-1ECDH\s0 curve set -using a function such as \fISSL_CTX_set_ecdh_tmp()\fR. Newer applications should -just call: -.PP -.Vb 1 -\& SSL_CTX_set_ecdh_auto(ctx, 1); -.Ve -.PP -and they will automatically support \s-1ECDH\s0 using the most appropriate shared -curve. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fISSL_CTX_set1_curves()\fR, \fISSL_CTX_set1_curves_list()\fR, \fISSL_set1_curves()\fR, -\&\fISSL_set1_curves_list()\fR, \fISSL_CTX_set_ecdh_auto()\fR and \fISSL_set_ecdh_auto()\fR -return 1 for success and 0 for failure. +\&\fISSL_CTX_set1_groups()\fR, \fISSL_CTX_set1_groups_list()\fR, \fISSL_set1_groups()\fR and +\&\fISSL_set1_groups_list()\fR, return 1 for success and 0 for failure. .PP -\&\fISSL_get1_curves()\fR returns the number of curves, which may be zero. +\&\fISSL_get1_groups()\fR returns the number of groups, which may be zero. .PP -\&\fISSL_get_shared_curve()\fR returns the \s-1NID\s0 of shared curve \fBn\fR or NID_undef if there -is no shared curve \fBn\fR; or the total number of shared curves if \fBn\fR +\&\fISSL_get_shared_group()\fR returns the \s-1NID\s0 of shared group \fBn\fR or NID_undef if there +is no shared group \fBn\fR; or the total number of shared groups if \fBn\fR is \-1. .PP -When called on a client \fBssl\fR, \fISSL_get_shared_curve()\fR has no meaning and +When called on a client \fBssl\fR, \fISSL_get_shared_group()\fR has no meaning and returns \-1. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_CTX_add_extra_chain_cert\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -These functions were first added to OpenSSL 1.0.2. +The curve functions were first added to OpenSSL 1.0.2. The equivalent group +functions were first added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set1_sigalgs.3 b/secure/lib/libcrypto/man/SSL_CTX_set1_sigalgs.3 new file mode 100644 index 000000000000..0d4aff0ad72c --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set1_sigalgs.3 @@ -0,0 +1,245 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET1_SIGALGS 3" +.TH SSL_CTX_SET1_SIGALGS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set1_sigalgs, SSL_set1_sigalgs, SSL_CTX_set1_sigalgs_list, SSL_set1_sigalgs_list, SSL_CTX_set1_client_sigalgs, SSL_set1_client_sigalgs, SSL_CTX_set1_client_sigalgs_list, SSL_set1_client_sigalgs_list \- set supported signature algorithms +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& long SSL_CTX_set1_sigalgs(SSL_CTX *ctx, const int *slist, long slistlen); +\& long SSL_set1_sigalgs(SSL *ssl, const int *slist, long slistlen); +\& long SSL_CTX_set1_sigalgs_list(SSL_CTX *ctx, const char *str); +\& long SSL_set1_sigalgs_list(SSL *ssl, const char *str); +\& +\& long SSL_CTX_set1_client_sigalgs(SSL_CTX *ctx, const int *slist, long slistlen); +\& long SSL_set1_client_sigalgs(SSL *ssl, const int *slist, long slistlen); +\& long SSL_CTX_set1_client_sigalgs_list(SSL_CTX *ctx, const char *str); +\& long SSL_set1_client_sigalgs_list(SSL *ssl, const char *str); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set1_sigalgs()\fR and \fISSL_set1_sigalgs()\fR set the supported signature +algorithms for \fBctx\fR or \fBssl\fR. The array \fBslist\fR of length \fBslistlen\fR +must consist of pairs of NIDs corresponding to digest and public key +algorithms. +.PP +\&\fISSL_CTX_set1_sigalgs_list()\fR and \fISSL_set1_sigalgs_list()\fR set the supported +signature algorithms for \fBctx\fR or \fBssl\fR. The \fBstr\fR parameter +must be a null terminated string consisting of a colon separated list of +elements, where each element is either a combination of a public key +algorithm and a digest separated by \fB+\fR, or a \s-1TLS 1\s0.3\-style named +SignatureScheme such as rsa_pss_pss_sha256. +.PP +\&\fISSL_CTX_set1_client_sigalgs()\fR, \fISSL_set1_client_sigalgs()\fR, +\&\fISSL_CTX_set1_client_sigalgs_list()\fR and \fISSL_set1_client_sigalgs_list()\fR set +signature algorithms related to client authentication, otherwise they are +identical to \fISSL_CTX_set1_sigalgs()\fR, \fISSL_set1_sigalgs()\fR, +\&\fISSL_CTX_set1_sigalgs_list()\fR and \fISSL_set1_sigalgs_list()\fR. +.PP +All these functions are implemented as macros. The signature algorithm +parameter (integer array or string) is not freed: the application should +free it, if necessary. +.SH "NOTES" +.IX Header "NOTES" +If an application wishes to allow the setting of signature algorithms +as one of many user configurable options it should consider using the more +flexible \s-1SSL_CONF API\s0 instead. +.PP +The signature algorithms set by a client are used directly in the supported +signature algorithm in the client hello message. +.PP +The supported signature algorithms set by a server are not sent to the +client but are used to determine the set of shared signature algorithms +and (if server preferences are set with \s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0) +their order. +.PP +The client authentication signature algorithms set by a server are sent +in a certificate request message if client authentication is enabled, +otherwise they are unused. +.PP +Similarly client authentication signature algorithms set by a client are +used to determined the set of client authentication shared signature +algorithms. +.PP +Signature algorithms will neither be advertised nor used if the security level +prohibits them (for example \s-1SHA1\s0 if the security level is 4 or more). +.PP +Currently the NID_md5, NID_sha1, NID_sha224, NID_sha256, NID_sha384 and +NID_sha512 digest NIDs are supported and the public key algorithm NIDs +\&\s-1EVP_PKEY_RSA, EVP_PKEY_RSA_PSS, EVP_PKEY_DSA\s0 and \s-1EVP_PKEY_EC.\s0 +.PP +The short or long name values for digests can be used in a string (for +example \*(L"\s-1MD5\*(R", \*(L"SHA1\*(R", \*(L"SHA224\*(R", \*(L"SHA256\*(R", \*(L"SHA384\*(R", \*(L"SHA512\*(R"\s0) and +the public key algorithm strings \*(L"\s-1RSA\*(R",\s0 \*(L"RSA-PSS\*(R", \*(L"\s-1DSA\*(R"\s0 or \*(L"\s-1ECDSA\*(R".\s0 +.PP +The \s-1TLS 1.3\s0 signature scheme names (such as \*(L"rsa_pss_pss_sha256\*(R") can also +be used with the \fB_list\fR forms of the \s-1API.\s0 +.PP +The use of \s-1MD5\s0 as a digest is strongly discouraged due to security weaknesses. +.SH "EXAMPLES" +.IX Header "EXAMPLES" +Set supported signature algorithms to \s-1SHA256\s0 with \s-1ECDSA\s0 and \s-1SHA256\s0 with \s-1RSA\s0 +using an array: +.PP +.Vb 1 +\& const int slist[] = {NID_sha256, EVP_PKEY_EC, NID_sha256, EVP_PKEY_RSA}; +\& +\& SSL_CTX_set1_sigalgs(ctx, slist, 4); +.Ve +.PP +Set supported signature algorithms to \s-1SHA256\s0 with \s-1ECDSA\s0 and \s-1SHA256\s0 with \s-1RSA\s0 +using a string: +.PP +.Vb 1 +\& SSL_CTX_set1_sigalgs_list(ctx, "ECDSA+SHA256:RSA+SHA256"); +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All these functions return 1 for success and 0 for failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_get_shared_sigalgs\fR\|(3), +\&\fISSL_CONF_CTX_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3 b/secure/lib/libcrypto/man/SSL_CTX_set1_verify_cert_store.3 similarity index 89% rename from secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3 rename to secure/lib/libcrypto/man/SSL_CTX_set1_verify_cert_store.3 index 52b02fce0cd9..d73f901026e0 100644 --- a/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set1_verify_cert_store.3 @@ -128,18 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set1_verify_cert_store 3" -.TH SSL_CTX_set1_verify_cert_store 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET1_VERIFY_CERT_STORE 3" +.TH SSL_CTX_SET1_VERIFY_CERT_STORE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set0_verify_cert_store, SSL_CTX_set1_verify_cert_store, -SSL_CTX_set0_chain_cert_store, SSL_CTX_set1_chain_cert_store, -SSL_set0_verify_cert_store, SSL_set1_verify_cert_store, -SSL_set0_chain_cert_store, SSL_set1_chain_cert_store \- set certificate -verification or chain store +SSL_CTX_set0_verify_cert_store, SSL_CTX_set1_verify_cert_store, SSL_CTX_set0_chain_cert_store, SSL_CTX_set1_chain_cert_store, SSL_set0_verify_cert_store, SSL_set1_verify_cert_store, SSL_set0_chain_cert_store, SSL_set1_chain_cert_store \- set certificate verification or chain store .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -186,7 +182,7 @@ any client certificate chain. The chain store is used to build the certificate chain. .PP If the mode \fB\s-1SSL_MODE_NO_AUTO_CHAIN\s0\fR is set or a certificate chain is -configured already (for example using the functions such as +configured already (for example using the functions such as \&\fISSL_CTX_add1_chain_cert\fR\|(3) or \&\fISSL_CTX_add_extra_chain_cert\fR\|(3)) then automatic chain building is disabled. @@ -216,3 +212,11 @@ All these functions return 1 for success and 0 for failure. .SH "HISTORY" .IX Header "HISTORY" These functions were first added to OpenSSL 1.0.2. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_alpn_select_cb.3 similarity index 66% rename from secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_alpn_select_cb.3 index e9baad15ed92..592d338f552b 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_alpn_select_cb.3 @@ -128,25 +128,23 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_alpn_select_cb 3" -.TH SSL_CTX_set_alpn_select_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_ALPN_SELECT_CB 3" +.TH SSL_CTX_SET_ALPN_SELECT_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_alpn_protos, SSL_set_alpn_protos, SSL_CTX_set_alpn_select_cb, -SSL_select_next_proto, SSL_get0_alpn_selected \- handle application layer -protocol negotiation (ALPN) +SSL_CTX_set_alpn_protos, SSL_set_alpn_protos, SSL_CTX_set_alpn_select_cb, SSL_CTX_set_next_proto_select_cb, SSL_CTX_set_next_protos_advertised_cb, SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated \&\- handle application layer protocol negotiation (ALPN) .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, -\& unsigned protos_len); +\& unsigned int protos_len); \& int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos, -\& unsigned protos_len); +\& unsigned int protos_len); \& void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, \& int (*cb) (SSL *ssl, \& const unsigned char **out, @@ -154,13 +152,30 @@ protocol negotiation (ALPN) \& const unsigned char *in, \& unsigned int inlen, \& void *arg), void *arg); +\& void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, +\& unsigned int *len); +\& +\& void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx, +\& int (*cb)(SSL *ssl, +\& const unsigned char **out, +\& unsigned int *outlen, +\& void *arg), +\& void *arg); +\& void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx, +\& int (*cb)(SSL *s, +\& unsigned char **out, +\& unsigned char *outlen, +\& const unsigned char *in, +\& unsigned int inlen, +\& void *arg), +\& void *arg); \& int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, \& const unsigned char *server, \& unsigned int server_len, \& const unsigned char *client, \& unsigned int client_len) -\& void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, -\& unsigned int *len); +\& void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, +\& unsigned *len); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -177,7 +192,8 @@ the application callback. \&\fBcb\fR is the application defined callback. The \fBin\fR, \fBinlen\fR parameters are a vector in protocol-list format. The value of the \fBout\fR, \fBoutlen\fR vector should be set to the value of a single protocol selected from the \fBin\fR, -\&\fBinlen\fR vector. The \fBarg\fR parameter is the pointer set via +\&\fBinlen\fR vector. The \fBout\fR buffer may point directly into \fBin\fR, or to a +buffer that outlives the handshake. The \fBarg\fR parameter is the pointer set via \&\fISSL_CTX_set_alpn_select_cb()\fR. .PP \&\fISSL_select_next_proto()\fR is a helper function used to select protocols. It @@ -191,9 +207,39 @@ in \fBout\fR, \fBoutlen\fR. The \fBout\fR value will point into either \fBserver item in \fBclient\fR, \fBclient_len\fR is returned in \fBout\fR, \fBoutlen\fR. This function can also be used in the \s-1NPN\s0 callback. .PP +\&\fISSL_CTX_set_next_proto_select_cb()\fR sets a callback \fBcb\fR that is called when a +client needs to select a protocol from the server's provided list, and a +user-defined pointer argument \fBarg\fR which will be passed to this callback. +For the callback itself, \fBout\fR +must be set to point to the selected protocol (which may be within \fBin\fR). +The length of the protocol name must be written into \fBoutlen\fR. The +server's advertised protocols are provided in \fBin\fR and \fBinlen\fR. The +callback can assume that \fBin\fR is syntactically valid. The client must +select a protocol. It is fatal to the connection if this callback returns +a value other than \fB\s-1SSL_TLSEXT_ERR_OK\s0\fR. The \fBarg\fR parameter is the pointer +set via \fISSL_CTX_set_next_proto_select_cb()\fR. +.PP +\&\fISSL_CTX_set_next_protos_advertised_cb()\fR sets a callback \fBcb\fR that is called +when a \s-1TLS\s0 server needs a list of supported protocols for Next Protocol +Negotiation. The returned list must be in protocol-list format, described +below. The list is +returned by setting \fBout\fR to point to it and \fBoutlen\fR to its length. This +memory will not be modified, but the \fB\s-1SSL\s0\fR does keep a +reference to it. The callback should return \fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if it +wishes to advertise. Otherwise, no such extension will be included in the +ServerHello. +.PP \&\fISSL_get0_alpn_selected()\fR returns a pointer to the selected protocol in \fBdata\fR with length \fBlen\fR. It is not NUL-terminated. \fBdata\fR is set to \s-1NULL\s0 and \fBlen\fR is set to 0 if no protocol has been selected. \fBdata\fR must not be freed. +.PP +\&\fISSL_get0_next_proto_negotiated()\fR sets \fBdata\fR and \fBlen\fR to point to the +client's requested protocol for this connection. If the client did not +request any protocol or \s-1NPN\s0 is not enabled, then \fBdata\fR is set to \s-1NULL\s0 and +\&\fBlen\fR to 0. Note that +the client can request any protocol it chooses. The value returned from +this function need not be a member of the list of supported protocols +provided by the callback. .SH "NOTES" .IX Header "NOTES" The protocol-lists must be in wire-format, which is defined as a vector of @@ -235,10 +281,30 @@ The \s-1ALPN\s0 select callback \fBcb\fR, must return one of the following: .IP "\s-1SSL_TLSEXT_ERR_OK\s0" 4 .IX Item "SSL_TLSEXT_ERR_OK" \&\s-1ALPN\s0 protocol selected. +.IP "\s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0" 4 +.IX Item "SSL_TLSEXT_ERR_ALERT_FATAL" +There was no overlap between the client's supplied list and the server +configuration. .IP "\s-1SSL_TLSEXT_ERR_NOACK\s0" 4 .IX Item "SSL_TLSEXT_ERR_NOACK" -\&\s-1ALPN\s0 protocol not selected. +\&\s-1ALPN\s0 protocol not selected, e.g., because no \s-1ALPN\s0 protocols are configured for +this connection. +.PP +The callback set using \fISSL_CTX_set_next_proto_select_cb()\fR should return +\&\fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if successful. Any other value is fatal to the connection. +.PP +The callback set using \fISSL_CTX_set_next_protos_advertised_cb()\fR should return +\&\fB\s-1SSL_TLSEXT_ERR_OK\s0\fR if it wishes to advertise. Otherwise, no such extension +will be included in the ServerHello. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_tlsext_servername_callback\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_CTX_set_tlsext_servername_callback\fR\|(3), \&\fISSL_CTX_set_tlsext_servername_arg\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_cert_cb.3 similarity index 85% rename from secure/lib/libssl/man/SSL_CTX_set_cert_cb.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_cert_cb.3 index accf7b16c331..aa6e6f9c7096 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_cert_cb.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_cert_cb 3" -.TH SSL_CTX_set_cert_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_CERT_CB 3" +.TH SSL_CTX_SET_CERT_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,17 +141,18 @@ SSL_CTX_set_cert_cb, SSL_set_cert_cb \- handle certificate callback function .Vb 1 \& #include \& -\& void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), void *arg); +\& void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cert_cb)(SSL *ssl, void *arg), +\& void *arg); \& void SSL_set_cert_cb(SSL *s, int (*cert_cb)(SSL *ssl, void *arg), void *arg); \& \& int (*cert_cb)(SSL *ssl, void *arg); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_CTX_set_cert_cb()\fR and \fISSL_set_cert_cb()\fR sets the \fB\f(BIcert_cb()\fB\fR callback, +\&\fISSL_CTX_set_cert_cb()\fR and \fISSL_set_cert_cb()\fR sets the \fIcert_cb()\fR callback, \&\fBarg\fR value is pointer which is passed to the application callback. .PP -When \fB\f(BIcert_cb()\fB\fR is \s-1NULL,\s0 no callback function is used. +When \fIcert_cb()\fR is \s-1NULL,\s0 no callback function is used. .PP \&\fIcert_cb()\fR is the application defined callback. It is called before a certificate will be used by a client or server. The callback can then inspect @@ -175,23 +176,34 @@ It can add intermediate and optionally the root \s-1CA\s0 certificates using It might also call \fISSL_certs_clear()\fR to delete any certificates associated with the \fB\s-1SSL\s0\fR object. .PP -The certificate callback functionality supercedes the (largely broken) +The certificate callback functionality supersedes the (largely broken) functionality provided by the old client certificate callback interface. It is \fBalways\fR called even is a certificate is already set so the callback can modify or delete the existing certificate. .PP A more advanced callback might examine the handshake parameters and set whatever chain is appropriate. For example a legacy client supporting only -\&\s-1TLS\s0 v1.0 might receive a certificate chain signed using \s-1SHA1\s0 whereas a -\&\s-1TLS\s0 v1.2 client which advertises support for \s-1SHA256\s0 could receive a chain -using \s-1SHA256.\s0 +TLSv1.0 might receive a certificate chain signed using \s-1SHA1\s0 whereas a +TLSv1.2 or later client which advertises support for \s-1SHA256\s0 could receive a +chain using \s-1SHA256.\s0 .PP Normal server sanity checks are performed on any certificates set by the callback. So if an \s-1EC\s0 chain is set for a curve the client does not support it will \fBnot\fR be used. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_set_cert_cb()\fR and \fISSL_set_cert_cb()\fR do not return values. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_use_certificate\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_use_certificate\fR\|(3), \&\fISSL_add1_chain_cert\fR\|(3), \&\fISSL_get_client_CA_list\fR\|(3), \&\fISSL_clear\fR\|(3), \fISSL_free\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2014\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 b/secure/lib/libcrypto/man/SSL_CTX_set_cert_store.3 similarity index 80% rename from secure/lib/libssl/man/SSL_CTX_set_cert_store.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_cert_store.3 index 881931afba82..33a77e09dc5c 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_cert_store.3 @@ -128,20 +128,21 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_cert_store 3" -.TH SSL_CTX_set_cert_store 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_CERT_STORE 3" +.TH SSL_CTX_SET_CERT_STORE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_cert_store, SSL_CTX_get_cert_store \- manipulate X509 certificate verification storage +SSL_CTX_set_cert_store, SSL_CTX_set1_cert_store, SSL_CTX_get_cert_store \- manipulate X509 certificate verification storage .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store); +\& void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store); \& X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx); .Ve .SH "DESCRIPTION" @@ -150,6 +151,10 @@ SSL_CTX_set_cert_store, SSL_CTX_get_cert_store \- manipulate X509 certificate ve of \fBctx\fR to/with \fBstore\fR. If another X509_STORE object is currently set in \fBctx\fR, it will be \fIX509_STORE_free()\fRed. .PP +\&\fISSL_CTX_set1_cert_store()\fR sets/replaces the certificate verification storage +of \fBctx\fR to/with \fBstore\fR. The \fBstore\fR's reference count is incremented. +If another X509_STORE object is currently set in \fBctx\fR, it will be \fIX509_STORE_free()\fRed. +.PP \&\fISSL_CTX_get_cert_store()\fR returns a pointer to the current certificate verification storage. .SH "NOTES" @@ -173,19 +178,38 @@ overridden with the \fIverify_callback()\fR set via the \&\fISSL_CTX_set_verify\fR\|(3) family of functions. This document must therefore be updated when documentation about the X509_STORE object and its handling becomes available. +.PP +\&\fISSL_CTX_set_cert_store()\fR does not increment the \fBstore\fR's reference +count, so it should not be used to assign an X509_STORE that is owned +by another \s-1SSL_CTX.\s0 +.PP +To share X509_STOREs between two SSL_CTXs, use \fISSL_CTX_get_cert_store()\fR +to get the X509_STORE from the first \s-1SSL_CTX,\s0 and then use +\&\fISSL_CTX_set1_cert_store()\fR to assign to the second \s-1SSL_CTX\s0 and +increment the reference count of the X509_STORE. .SH "RESTRICTIONS" .IX Header "RESTRICTIONS" The X509_STORE structure used by an \s-1SSL_CTX\s0 is used for verifying peer certificates and building certificate chains, it is also shared by -every child \s-1SSL\s0 structure. Applications wanting finer control can use +every child \s-1SSL\s0 structure. Applications wanting finer control can use functions such as \fISSL_CTX_set1_verify_cert_store()\fR instead. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_CTX_set_cert_store()\fR does not return diagnostic output. .PP +\&\fISSL_CTX_set1_cert_store()\fR does not return diagnostic output. +.PP \&\fISSL_CTX_get_cert_store()\fR returns the current setting. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_load_verify_locations\fR\|(3), \&\fISSL_CTX_set_verify\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_cert_verify_callback.3 similarity index 84% rename from secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_cert_verify_callback.3 index bd2f30df9ac2..8f4bf77068ea 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_cert_verify_callback.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_cert_verify_callback 3" -.TH SSL_CTX_set_cert_verify_callback 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_CERT_VERIFY_CALLBACK 3" +.TH SSL_CTX_SET_CERT_VERIFY_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,7 +141,9 @@ SSL_CTX_set_cert_verify_callback \- set peer certificate verification procedure .Vb 1 \& #include \& -\& void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg); +\& void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, +\& int (*callback)(X509_STORE_CTX *, void *), +\& void *arg); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -158,19 +160,22 @@ If a verification callback \fIcallback\fR is specified via instead. By setting \fIcallback\fR to \s-1NULL,\s0 the default behaviour is restored. .PP When the verification must be performed, \fIcallback\fR will be called with -the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The +the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The argument \fIarg\fR is specified by the application when setting \fIcallback\fR. .PP \&\fIcallback\fR should return 1 to indicate verification success and 0 to indicate verification failure. If \s-1SSL_VERIFY_PEER\s0 is set and \fIcallback\fR returns 0, the handshake will fail. As the verification procedure may -allow to continue the connection in case of failure (by always returning 1) -the verification result must be set in any case using the \fBerror\fR -member of \fIx509_store_ctx\fR so that the calling application will be informed -about the detailed result of the verification procedure! +allow the connection to continue in the case of failure (by always +returning 1) the verification result must be set in any case using the +\&\fBerror\fR member of \fIx509_store_ctx\fR so that the calling application +will be informed about the detailed result of the verification procedure! .PP Within \fIx509_store_ctx\fR, \fIcallback\fR has access to the \fIverify_callback\fR function set using \fISSL_CTX_set_verify\fR\|(3). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_set_cert_verify_callback()\fR does not return a value. .SH "WARNINGS" .IX Header "WARNINGS" Do not mix the verification callback described in this function with the @@ -184,18 +189,17 @@ and in most cases it should be sufficient to modify its behaviour using the \fBverify_callback\fR function. .SH "BUGS" .IX Header "BUGS" -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" \&\fISSL_CTX_set_cert_verify_callback()\fR does not provide diagnostic information. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_verify\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_CTX_set_verify\fR\|(3), \&\fISSL_get_verify_result\fR\|(3), \&\fISSL_CTX_load_verify_locations\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -Previous to OpenSSL 0.9.7, the \fIarg\fR argument to \fBSSL_CTX_set_cert_verify_callback\fR -was ignored, and \fIcallback\fR was called simply as - int (*callback)(X509_STORE_CTX *) -To compile software written for previous versions of OpenSSL, a dummy -argument will have to be added to \fIcallback\fR. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/secure/lib/libcrypto/man/SSL_CTX_set_cipher_list.3 similarity index 67% rename from secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_cipher_list.3 index 8e4aa55f877c..71b455494d1f 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_cipher_list.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_cipher_list 3" -.TH SSL_CTX_set_cipher_list 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_CIPHER_LIST 3" +.TH SSL_CTX_SET_CIPHER_LIST 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_cipher_list, SSL_set_cipher_list \- choose list of available SSL_CIPHERs +SSL_CTX_set_cipher_list, SSL_set_cipher_list, SSL_CTX_set_ciphersuites, SSL_set_ciphersuites \&\- choose list of available SSL_CIPHERs .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,18 +143,47 @@ SSL_CTX_set_cipher_list, SSL_set_cipher_list \- choose list of available SSL_CIP \& \& int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str); \& int SSL_set_cipher_list(SSL *ssl, const char *str); +\& +\& int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str); +\& int SSL_set_ciphersuites(SSL *s, const char *str); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_CTX_set_cipher_list()\fR sets the list of available ciphers for \fBctx\fR -using the control string \fBstr\fR. The format of the string is described +\&\fISSL_CTX_set_cipher_list()\fR sets the list of available ciphers (TLSv1.2 and below) +for \fBctx\fR using the control string \fBstr\fR. The format of the string is described in \fIciphers\fR\|(1). The list of ciphers is inherited by all -\&\fBssl\fR objects created from \fBctx\fR. +\&\fBssl\fR objects created from \fBctx\fR. This function does not impact TLSv1.3 +ciphersuites. Use \fISSL_CTX_set_ciphersuites()\fR to configure those. .PP -\&\fISSL_set_cipher_list()\fR sets the list of ciphers only for \fBssl\fR. +\&\fISSL_set_cipher_list()\fR sets the list of ciphers (TLSv1.2 and below) only for +\&\fBssl\fR. +.PP +\&\fISSL_CTX_set_ciphersuites()\fR is used to configure the available TLSv1.3 +ciphersuites for \fBctx\fR. This is a simple colon (\*(L":\*(R") separated list of TLSv1.3 +ciphersuite names in order of perference. Valid TLSv1.3 ciphersuite names are: +.IP "\s-1TLS_AES_128_GCM_SHA256\s0" 4 +.IX Item "TLS_AES_128_GCM_SHA256" +.PD 0 +.IP "\s-1TLS_AES_256_GCM_SHA384\s0" 4 +.IX Item "TLS_AES_256_GCM_SHA384" +.IP "\s-1TLS_CHACHA20_POLY1305_SHA256\s0" 4 +.IX Item "TLS_CHACHA20_POLY1305_SHA256" +.IP "\s-1TLS_AES_128_CCM_SHA256\s0" 4 +.IX Item "TLS_AES_128_CCM_SHA256" +.IP "\s-1TLS_AES_128_CCM_8_SHA256\s0" 4 +.IX Item "TLS_AES_128_CCM_8_SHA256" +.PD +.PP +An empty list is permissible. The default value for the this setting is: +.PP +\&\*(L"\s-1TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256\*(R"\s0 +.PP +\&\fISSL_set_ciphersuites()\fR is the same as \fISSL_CTX_set_ciphersuites()\fR except it +configures the ciphersuites for \fBssl\fR. .SH "NOTES" .IX Header "NOTES" -The control string \fBstr\fR should be universally usable and not depend +The control string \fBstr\fR for \fISSL_CTX_set_cipher_list()\fR and +\&\fISSL_set_cipher_list()\fR should be universally usable and not depend on details of the library configuration (ciphers compiled in). Thus no syntax checking takes place. Items that are not recognized, because the corresponding ciphers are not compiled in or because they are mistyped, @@ -163,16 +192,12 @@ at all. .PP It should be noted, that inclusion of a cipher to be used into the list is a necessary condition. On the client side, the inclusion into the list is -also sufficient. On the server side, additional restrictions apply. All ciphers -have additional requirements. \s-1ADH\s0 ciphers don't need a certificate, but -DH-parameters must have been set. All other ciphers need a corresponding -certificate and key. +also sufficient unless the security level excludes it. On the server side, +additional restrictions apply. All ciphers have additional requirements. +\&\s-1ADH\s0 ciphers don't need a certificate, but DH-parameters must have been set. +All other ciphers need a corresponding certificate and key. .PP A \s-1RSA\s0 cipher can only be chosen, when a \s-1RSA\s0 certificate is available. -\&\s-1RSA\s0 export ciphers with a keylength of 512 bits for the \s-1RSA\s0 key require -a temporary 512 bit \s-1RSA\s0 key, as typically the supplied key has a length -of 1024 bit (see -\&\fISSL_CTX_set_tmp_rsa_callback\fR\|(3)). \&\s-1RSA\s0 ciphers using \s-1DHE\s0 need a certificate and key and additional DH-parameters (see \fISSL_CTX_set_tmp_dh_callback\fR\|(3)). .PP @@ -181,22 +206,28 @@ A \s-1DSA\s0 cipher can only be chosen, when a \s-1DSA\s0 certificate is availab (see \fISSL_CTX_set_tmp_dh_callback\fR\|(3)). .PP When these conditions are not met for any cipher in the list (e.g. a -client only supports export \s-1RSA\s0 ciphers with a asymmetric key length +client only supports export \s-1RSA\s0 ciphers with an asymmetric key length of 512 bits and the server is not configured to use temporary \s-1RSA\s0 keys), the \*(L"no shared cipher\*(R" (\s-1SSL_R_NO_SHARED_CIPHER\s0) error is generated and the handshake will fail. -.PP -If the cipher list does not contain any SSLv2 cipher suites (this is the -default) then SSLv2 is effectively disabled and neither clients nor servers -will attempt to use SSLv2. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_CTX_set_cipher_list()\fR and \fISSL_set_cipher_list()\fR return 1 if any cipher could be selected and 0 on complete failure. +.PP +\&\fISSL_CTX_set_ciphersuites()\fR and \fISSL_set_ciphersuites()\fR return 1 if the requested +ciphersuite list was configured, and 0 otherwise. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_get_ciphers\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_get_ciphers\fR\|(3), \&\fISSL_CTX_use_certificate\fR\|(3), -\&\fISSL_CTX_set_tmp_rsa_callback\fR\|(3), \&\fISSL_CTX_set_tmp_dh_callback\fR\|(3), \&\fIciphers\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/secure/lib/libcrypto/man/SSL_CTX_set_client_CA_list.3 similarity index 90% rename from secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_client_CA_list.3 index 3e1cbaea8708..f9cf7a9b1350 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_client_CA_list.3 @@ -128,21 +128,19 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_client_CA_list 3" -.TH SSL_CTX_set_client_CA_list 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_CLIENT_CA_LIST 3" +.TH SSL_CTX_SET_CLIENT_CA_LIST 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, -SSL_add_client_CA \- set list of CAs sent to the client when requesting a -client certificate +SSL_CTX_set_client_CA_list, SSL_set_client_CA_list, SSL_CTX_add_client_CA, SSL_add_client_CA \- set list of CAs sent to the client when requesting a client certificate .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include -\& +\& \& void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); \& void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); \& int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); @@ -174,7 +172,7 @@ This list must explicitly be set using \fISSL_CTX_set_client_CA_list()\fR for \&\fBctx\fR and \fISSL_set_client_CA_list()\fR for the specific \fBssl\fR. The list specified overrides the previous setting. The CAs listed do not become trusted (\fBlist\fR only contains the names, not the complete certificates); use -\&\fISSL_CTX_load_verify_locations\fR\|(3) +\&\fISSL_CTX_load_verify_locations\fR\|(3) to additionally load them for verification. .PP If the list of acceptable CAs is compiled in a file, the @@ -206,11 +204,19 @@ The operation succeeded. Scan all certificates in \fBCAfile\fR and list them as acceptable CAs: .PP .Vb 1 -\& SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); +\& SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_get_client_CA_list\fR\|(3), \&\fISSL_load_client_CA_file\fR\|(3), \&\fISSL_CTX_load_verify_locations\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_client_cert_cb.3 similarity index 87% rename from secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_client_cert_cb.3 index 37dac5a05d40..05aa821ad9c7 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_client_cert_cb.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_client_cert_cb 3" -.TH SSL_CTX_set_client_cert_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_CLIENT_CERT_CB 3" +.TH SSL_CTX_SET_CLIENT_CERT_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -141,17 +141,20 @@ SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb \- handle client certific .Vb 1 \& #include \& -\& void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); -\& int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); +\& void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, +\& int (*client_cert_cb)(SSL *ssl, X509 **x509, +\& EVP_PKEY **pkey)); +\& int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, +\& EVP_PKEY **pkey); \& int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_CTX_set_client_cert_cb()\fR sets the \fB\f(BIclient_cert_cb()\fB\fR callback, that is +\&\fISSL_CTX_set_client_cert_cb()\fR sets the \fIclient_cert_cb()\fR callback, that is called when a client certificate is requested by a server and no certificate was yet set for the \s-1SSL\s0 object. .PP -When \fB\f(BIclient_cert_cb()\fB\fR is \s-1NULL,\s0 no callback function is used. +When \fIclient_cert_cb()\fR is \s-1NULL,\s0 no callback function is used. .PP \&\fISSL_CTX_get_client_cert_cb()\fR returns a pointer to the currently set callback function. @@ -191,6 +194,10 @@ Thus it will permanently install the certificate and key for this \s-1SSL\s0 object. It will not be reset by calling \fISSL_clear\fR\|(3). If the callback returns no certificate, the OpenSSL library will not send a certificate. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_get_client_cert_cb()\fR returns function pointer of \fIclient_cert_cb()\fR or +\&\s-1NULL\s0 if the callback is not set. .SH "BUGS" .IX Header "BUGS" The \fIclient_cert_cb()\fR cannot return a complete certificate chain, it can @@ -216,7 +223,15 @@ mandatory to destroy the \s-1SSL\s0 object using \fISSL_free\fR\|(3) and create a new one to return to the previous state. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_use_certificate\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_CTX_use_certificate\fR\|(3), \&\fISSL_CTX_add_extra_chain_cert\fR\|(3), \&\fISSL_get_client_CA_list\fR\|(3), \&\fISSL_clear\fR\|(3), \fISSL_free\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_client_hello_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_client_hello_cb.3 new file mode 100644 index 000000000000..0dc09c98502d --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_client_hello_cb.3 @@ -0,0 +1,256 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_CLIENT_HELLO_CB 3" +.TH SSL_CTX_SET_CLIENT_HELLO_CB 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_client_hello_cb, SSL_client_hello_cb_fn, SSL_client_hello_isv2, SSL_client_hello_get0_legacy_version, SSL_client_hello_get0_random, SSL_client_hello_get0_session_id, SSL_client_hello_get0_ciphers, SSL_client_hello_get0_compression_methods, SSL_client_hello_get1_extensions_present, SSL_client_hello_get0_ext \- callback functions for early server\-side ClientHello processing +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 10 +\& typedef int (*SSL_client_hello_cb_fn)(SSL *s, int *al, void *arg); +\& void SSL_CTX_set_client_hello_cb(SSL_CTX *c, SSL_client_hello_cb_fn *f, +\& void *arg); +\& int SSL_client_hello_isv2(SSL *s); +\& unsigned int SSL_client_hello_get0_legacy_version(SSL *s); +\& size_t SSL_client_hello_get0_random(SSL *s, const unsigned char **out); +\& size_t SSL_client_hello_get0_session_id(SSL *s, const unsigned char **out); +\& size_t SSL_client_hello_get0_ciphers(SSL *s, const unsigned char **out); +\& size_t SSL_client_hello_get0_compression_methods(SSL *s, +\& const unsigned char **out); +\& int SSL_client_hello_get1_extensions_present(SSL *s, int **out, +\& size_t *outlen); +\& int SSL_client_hello_get0_ext(SSL *s, int type, const unsigned char **out, +\& size_t *outlen); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set_client_hello_cb()\fR sets the callback function, which is automatically +called during the early stages of ClientHello processing on the server. +The argument supplied when setting the callback is passed back to the +callback at runtime. A callback that returns failure (0) will cause the +connection to terminate, and callbacks returning failure should indicate +what alert value is to be sent in the \fBal\fR parameter. A callback may +also return a negative value to suspend the handshake, and the handshake +function will return immediately. \fISSL_get_error\fR\|(3) will return +\&\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0 to indicate that the handshake was suspended. +It is the job of the ClientHello callback to store information about the state +of the last call if needed to continue. On the next call into the handshake +function, the ClientHello callback will be called again, and, if it returns +success, normal handshake processing will continue from that point. +.PP +\&\fISSL_client_hello_isv2()\fR indicates whether the ClientHello was carried in a +SSLv2 record and is in the SSLv2 format. The SSLv2 format has substantial +differences from the normal SSLv3 format, including using three bytes per +cipher suite, and not allowing extensions. Additionally, the SSLv2 format +\&'challenge' field is exposed via \fISSL_client_hello_get0_random()\fR, padded to +\&\s-1SSL3_RANDOM_SIZE\s0 bytes with zeros if needed. For SSLv2 format ClientHellos, +\&\fISSL_client_hello_get0_compression_methods()\fR returns a dummy list that only includes +the null compression method, since the SSLv2 format does not include a +mechanism by which to negotiate compression. +.PP +\&\fISSL_client_hello_get0_random()\fR, \fISSL_client_hello_get0_session_id()\fR, +\&\fISSL_client_hello_get0_ciphers()\fR, and +\&\fISSL_client_hello_get0_compression_methods()\fR provide access to the corresponding +ClientHello fields, returning the field length and optionally setting an out +pointer to the octets of that field. +.PP +Similarly, \fISSL_client_hello_get0_ext()\fR provides access to individual extensions +from the ClientHello on a per-extension basis. For the provided wire +protocol extension type value, the extension value and length are returned +in the output parameters (if present). +.PP +\&\fISSL_client_hello_get1_extensions_present()\fR can be used prior to +\&\fISSL_client_hello_get0_ext()\fR, to determine which extensions are present in the +ClientHello before querying for them. The \fBout\fR and \fBoutlen\fR parameters are +both required, and on success the caller must release the storage allocated for +\&\fB*out\fR using \fIOPENSSL_free()\fR. The contents of \fB*out\fR is an array of integers +holding the numerical value of the \s-1TLS\s0 extension types in the order they appear +in the ClientHello. \fB*outlen\fR contains the number of elements in the array. +.SH "NOTES" +.IX Header "NOTES" +The ClientHello callback provides a vast window of possibilities for application +code to affect the \s-1TLS\s0 handshake. A primary use of the callback is to +allow the server to examine the server name indication extension provided +by the client in order to select an appropriate certificate to present, +and make other configuration adjustments relevant to that server name +and its configuration. Such configuration changes can include swapping out +the associated \s-1SSL_CTX\s0 pointer, modifying the server's list of permitted \s-1TLS\s0 +versions, changing the server's cipher list in response to the client's +cipher list, etc. +.PP +It is also recommended that applications utilize a ClientHello callback and +not use a servername callback, in order to avoid unexpected behavior that +occurs due to the relative order of processing between things like session +resumption and the historical servername callback. +.PP +The SSL_client_hello_* family of functions may only be called from code executing +within a ClientHello callback. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The application's supplied ClientHello callback returns +\&\s-1SSL_CLIENT_HELLO_SUCCESS\s0 on success, \s-1SSL_CLIENT_HELLO_ERROR\s0 on failure, and +\&\s-1SSL_CLIENT_HELLO_RETRY\s0 to suspend processing. +.PP +\&\fISSL_client_hello_isv2()\fR returns 1 for SSLv2\-format ClientHellos and 0 otherwise. +.PP +\&\fISSL_client_hello_get0_random()\fR, \fISSL_client_hello_get0_session_id()\fR, +\&\fISSL_client_hello_get0_ciphers()\fR, and +\&\fISSL_client_hello_get0_compression_methods()\fR return the length of the +corresponding ClientHello fields. If zero is returned, the output pointer +should not be assumed to be valid. +.PP +\&\fISSL_client_hello_get0_ext()\fR returns 1 if the extension of type 'type' is present, and +0 otherwise. +.PP +\&\fISSL_client_hello_get1_extensions_present()\fR returns 1 on success and 0 on failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_CTX_set_tlsext_servername_callback\fR\|(3), +SSL_bytes_to_cipher_list +.SH "HISTORY" +.IX Header "HISTORY" +The \s-1SSL\s0 ClientHello callback, \fISSL_client_hello_isv2()\fR, +\&\fISSL_client_hello_get0_random()\fR, \fISSL_client_hello_get0_session_id()\fR, +\&\fISSL_client_hello_get0_ciphers()\fR, \fISSL_client_hello_get0_compression_methods()\fR, +\&\fISSL_client_hello_get0_ext()\fR, and \fISSL_client_hello_get1_extensions_present()\fR +were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3 new file mode 100644 index 000000000000..16c7ea97037d --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_ct_validation_callback.3 @@ -0,0 +1,267 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_CT_VALIDATION_CALLBACK 3" +.TH SSL_CTX_SET_CT_VALIDATION_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +ssl_ct_validation_cb, SSL_enable_ct, SSL_CTX_enable_ct, SSL_disable_ct, SSL_CTX_disable_ct, SSL_set_ct_validation_callback, SSL_CTX_set_ct_validation_callback, SSL_ct_is_enabled, SSL_CTX_ct_is_enabled \- control Certificate Transparency policy +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef int (*ssl_ct_validation_cb)(const CT_POLICY_EVAL_CTX *ctx, +\& const STACK_OF(SCT) *scts, void *arg); +\& +\& int SSL_enable_ct(SSL *s, int validation_mode); +\& int SSL_CTX_enable_ct(SSL_CTX *ctx, int validation_mode); +\& int SSL_set_ct_validation_callback(SSL *s, ssl_ct_validation_cb callback, +\& void *arg); +\& int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, +\& ssl_ct_validation_cb callback, +\& void *arg); +\& void SSL_disable_ct(SSL *s); +\& void SSL_CTX_disable_ct(SSL_CTX *ctx); +\& int SSL_ct_is_enabled(const SSL *s); +\& int SSL_CTX_ct_is_enabled(const SSL_CTX *ctx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_enable_ct()\fR and \fISSL_CTX_enable_ct()\fR enable the processing of signed +certificate timestamps (SCTs) either for a given \s-1SSL\s0 connection or for all +connections that share the given \s-1SSL\s0 context, respectively. +This is accomplished by setting a built-in \s-1CT\s0 validation callback. +The behaviour of the callback is determined by the \fBvalidation_mode\fR argument, +which can be either of \fB\s-1SSL_CT_VALIDATION_PERMISSIVE\s0\fR or +\&\fB\s-1SSL_CT_VALIDATION_STRICT\s0\fR as described below. +.PP +If \fBvalidation_mode\fR is equal to \fB\s-1SSL_CT_VALIDATION_STRICT\s0\fR, then in a full +\&\s-1TLS\s0 handshake with the verification mode set to \fB\s-1SSL_VERIFY_PEER\s0\fR, if the peer +presents no valid SCTs the handshake will be aborted. +If the verification mode is \fB\s-1SSL_VERIFY_NONE\s0\fR, the handshake will continue +despite lack of valid SCTs. +However, in that case if the verification status before the built-in callback +was \fBX509_V_OK\fR it will be set to \fBX509_V_ERR_NO_VALID_SCTS\fR after the +callback. +Applications can call \fISSL_get_verify_result\fR\|(3) to check the status at +handshake completion, even after session resumption since the verification +status is part of the saved session state. +See \fISSL_set_verify\fR\|(3), <\fISSL_get_verify_result\fR\|(3)>, \fISSL_session_reused\fR\|(3). +.PP +If \fBvalidation_mode\fR is equal to \fB\s-1SSL_CT_VALIDATION_PERMISSIVE\s0\fR, then the +handshake continues, and the verification status is not modified, regardless of +the validation status of any SCTs. +The application can still inspect the validation status of the SCTs at +handshake completion. +Note that with session resumption there will not be any SCTs presented during +the handshake. +Therefore, in applications that delay \s-1SCT\s0 policy enforcement until after +handshake completion, such delayed \s-1SCT\s0 checks should only be performed when the +session is not resumed. +.PP +\&\fISSL_set_ct_validation_callback()\fR and \fISSL_CTX_set_ct_validation_callback()\fR +register a custom callback that may implement a different policy than either of +the above. +This callback can examine the peer's SCTs and determine whether they are +sufficient to allow the connection to continue. +The \s-1TLS\s0 handshake is aborted if the verification mode is not \fB\s-1SSL_VERIFY_NONE\s0\fR +and the callback returns a non-positive result. +.PP +An arbitrary callback context argument, \fBarg\fR, can be passed in when setting +the callback. +This will be passed to the callback whenever it is invoked. +Ownership of this context remains with the caller. +.PP +If no callback is set, SCTs will not be requested and Certificate Transparency +validation will not occur. +.PP +No callback will be invoked when the peer presents no certificate, e.g. by +employing an anonymous (aNULL) cipher suite. +In that case the handshake continues as it would had no callback been +requested. +Callbacks are also not invoked when the peer certificate chain is invalid or +validated via \s-1\fIDANE\-TA\s0\fR\|(2) or \s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records which use a private X.509 +\&\s-1PKI,\s0 or no X.509 \s-1PKI\s0 at all, respectively. +Clients that require SCTs are expected to not have enabled any aNULL ciphers +nor to have specified server verification via \s-1\fIDANE\-TA\s0\fR\|(2) or \s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 +records. +.PP +\&\fISSL_disable_ct()\fR and \fISSL_CTX_disable_ct()\fR turn off \s-1CT\s0 processing, whether +enabled via the built-in or the custom callbacks, by setting a \s-1NULL\s0 callback. +These may be implemented as macros. +.PP +\&\fISSL_ct_is_enabled()\fR and \fISSL_CTX_ct_is_enabled()\fR return 1 if \s-1CT\s0 processing is +enabled via either \fISSL_enable_ct()\fR or a non-null custom callback, and 0 +otherwise. +.SH "NOTES" +.IX Header "NOTES" +When \s-1SCT\s0 processing is enabled, \s-1OCSP\s0 stapling will be enabled. This is because +one possible source of SCTs is the \s-1OCSP\s0 response from a server. +.PP +The time returned by \fISSL_SESSION_get_time()\fR will be used to evaluate whether any +presented SCTs have timestamps that are in the future (and therefore invalid). +.SH "RESTRICTIONS" +.IX Header "RESTRICTIONS" +Certificate Transparency validation cannot be enabled and so a callback cannot +be set if a custom client extension handler has been registered to handle \s-1SCT\s0 +extensions (\fBTLSEXT_TYPE_signed_certificate_timestamp\fR). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_enable_ct()\fR, \fISSL_CTX_enable_ct()\fR, \fISSL_CTX_set_ct_validation_callback()\fR and +\&\fISSL_set_ct_validation_callback()\fR return 1 if the \fBcallback\fR is successfully +set. +They return 0 if an error occurs, e.g. a custom client extension handler has +been setup to handle SCTs. +.PP +\&\fISSL_disable_ct()\fR and \fISSL_CTX_disable_ct()\fR do not return a result. +.PP +\&\fISSL_CTX_ct_is_enabled()\fR and \fISSL_ct_is_enabled()\fR return a 1 if a non-null \s-1CT\s0 +validation callback is set, or 0 if no callback (or equivalently a \s-1NULL\s0 +callback) is set. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +<\fISSL_get_verify_result\fR\|(3)>, +\&\fISSL_session_reused\fR\|(3), +\&\fISSL_set_verify\fR\|(3), +\&\fISSL_CTX_set_verify\fR\|(3), +\&\fISSL_SESSION_get_time\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3 b/secure/lib/libcrypto/man/SSL_CTX_set_ctlog_list_file.3 similarity index 70% rename from secure/lib/libssl/man/SSL_CTX_set_read_ahead.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_ctlog_list_file.3 index 6ce551b55493..a201c00dead4 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_ctlog_list_file.3 @@ -128,52 +128,52 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_read_ahead 3" -.TH SSL_CTX_set_read_ahead 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_CTLOG_LIST_FILE 3" +.TH SSL_CTX_SET_CTLOG_LIST_FILE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_read_ahead, SSL_CTX_set_default_read_ahead, SSL_CTX_get_read_ahead, -SSL_CTX_get_default_read_ahead, SSL_set_read_ahead, SSL_get_read_ahead -\&\- manage whether to read as many input bytes as possible +SSL_CTX_set_default_ctlog_list_file, SSL_CTX_set_ctlog_list_file \- load a Certificate Transparency log list from a file .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int SSL_get_read_ahead(const SSL *s); -\& void SSL_set_read_ahead(SSL *s, int yes); -\& -\& #define SSL_CTX_get_default_read_ahead(ctx) -\& #define SSL_CTX_set_default_read_ahead(ctx,m) -\& #define SSL_CTX_get_read_ahead(ctx) -\& #define SSL_CTX_set_read_ahead(ctx,m) +\& int SSL_CTX_set_default_ctlog_list_file(SSL_CTX *ctx); +\& int SSL_CTX_set_ctlog_list_file(SSL_CTX *ctx, const char *path); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_CTX_set_read_ahead()\fR and \fISSL_set_read_ahead()\fR set whether we should read as -many input bytes as possible (for non-blocking reads) or not. For example if -\&\fBx\fR bytes are currently required by OpenSSL, but \fBy\fR bytes are available from -the underlying \s-1BIO\s0 (where \fBy\fR > \fBx\fR), then OpenSSL will read all \fBy\fR bytes -into its buffer (providing that the buffer is large enough) if reading ahead is -on, or \fBx\fR bytes otherwise. The parameter \fByes\fR or \fBm\fR should be 0 to ensure -reading ahead is off, or non zero otherwise. +\&\fISSL_CTX_set_default_ctlog_list_file()\fR loads a list of Certificate Transparency +(\s-1CT\s0) logs from the default file location, \*(L"ct_log_list.cnf\*(R", found in the +directory where OpenSSL is installed. .PP -SSL_CTX_set_default_read_ahead is a synonym for SSL_CTX_set_read_ahead, and -SSL_CTX_get_default_read_ahead is a synonym for SSL_CTX_get_read_ahead. -.PP -\&\fISSL_CTX_get_read_ahead()\fR and \fISSL_get_read_ahead()\fR indicate whether reading -ahead has been set or not. +\&\fISSL_CTX_set_ctlog_list_file()\fR loads a list of \s-1CT\s0 logs from a specific path. +See \fICTLOG_STORE_new\fR\|(3) for the file format. .SH "NOTES" .IX Header "NOTES" -These functions have no impact when used with \s-1DTLS.\s0 The return values for -\&\fISSL_CTX_get_read_head()\fR and \fISSL_get_read_ahead()\fR are undefined for \s-1DTLS.\s0 +These functions will not clear the existing \s-1CT\s0 log list \- it will be appended +to. To replace the existing list, use SSL_CTX_set0_ctlog_store first. +.PP +If an error occurs whilst parsing a particular log entry in the file, that log +entry will be skipped. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -SSL_get_read_ahead and SSL_CTX_get_read_ahead return 0 if reading ahead is off, -and non zero otherwise. +\&\fISSL_CTX_set_default_ctlog_list_file()\fR and \fISSL_CTX_set_ctlog_list_file()\fR +return 1 if the log list is successfully loaded, and 0 if an error occurs. In +the case of an error, the log list may have been partially loaded. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7), +\&\fISSL_CTX_set_ct_validation_callback\fR\|(3), +\&\fICTLOG_STORE_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_default_passwd_cb.3 similarity index 66% rename from secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_default_passwd_cb.3 index 2f5385d45ff1..3dfda71dbc79 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_default_passwd_cb.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_default_passwd_cb 3" -.TH SSL_CTX_set_default_passwd_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_DEFAULT_PASSWD_CB 3" +.TH SSL_CTX_SET_DEFAULT_PASSWD_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata \- set passwd callback for encrypted PEM file handling +SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata, SSL_CTX_get_default_passwd_cb, SSL_CTX_get_default_passwd_cb_userdata, SSL_set_default_passwd_cb, SSL_set_default_passwd_cb_userdata, SSL_get_default_passwd_cb, SSL_get_default_passwd_cb_userdata \- set or get passwd callback for encrypted PEM file handling .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,36 +143,55 @@ SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata \- set pas \& \& void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); \& void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); +\& pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx); +\& void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx); \& -\& int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata); +\& void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb); +\& void SSL_set_default_passwd_cb_userdata(SSL *s, void *u); +\& pem_password_cb *SSL_get_default_passwd_cb(SSL *s); +\& void *SSL_get_default_passwd_cb_userdata(SSL *s); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fISSL_CTX_set_default_passwd_cb()\fR sets the default password callback called when loading/storing a \s-1PEM\s0 certificate with encryption. .PP -\&\fISSL_CTX_set_default_passwd_cb_userdata()\fR sets a pointer to \fBuserdata\fR which -will be provided to the password callback on invocation. +\&\fISSL_CTX_set_default_passwd_cb_userdata()\fR sets a pointer to userdata, \fBu\fR, +which will be provided to the password callback on invocation. .PP -The \fIpem_passwd_cb()\fR, which must be provided by the application, hands back the -password to be used during decryption. On invocation a pointer to \fBuserdata\fR -is provided. The pem_passwd_cb must write the password into the provided buffer +\&\fISSL_CTX_get_default_passwd_cb()\fR returns a function pointer to the password +callback currently set in \fBctx\fR. If no callback was explicitly set, the +\&\s-1NULL\s0 pointer is returned. +.PP +\&\fISSL_CTX_get_default_passwd_cb_userdata()\fR returns a pointer to the userdata +currently set in \fBctx\fR. If no userdata was explicitly set, the \s-1NULL\s0 pointer +is returned. +.PP +\&\fISSL_set_default_passwd_cb()\fR, \fISSL_set_default_passwd_cb_userdata()\fR, +\&\fISSL_get_default_passwd_cb()\fR and \fISSL_get_default_passwd_cb_userdata()\fR perform +the same function as their \s-1SSL_CTX\s0 counterparts, but using an \s-1SSL\s0 object. +.PP +The password callback, which must be provided by the application, hands back the +password to be used during decryption. +On invocation a pointer to userdata +is provided. The function must store the password into the provided buffer \&\fBbuf\fR which is of size \fBsize\fR. The actual length of the password must be returned to the calling function. \fBrwflag\fR indicates whether the callback is used for reading/decryption (rwflag=0) or writing/encryption (rwflag=1). +For more details, see \fIpem_password_cb\fR\|(3). .SH "NOTES" .IX Header "NOTES" When loading or storing private keys, a password might be supplied to protect the private key. The way this password can be supplied may depend on the application. If only one private key is handled, it can be practical -to have \fIpem_passwd_cb()\fR handle the password dialog interactively. If several +to have the callback handle the password dialog interactively. If several keys have to be handled, it can be practical to ask for the password once, then keep it in memory and use it several times. In the last case, the -password could be stored into the \fBuserdata\fR storage and the -\&\fIpem_passwd_cb()\fR only returns the password already stored. +password could be stored into the userdata storage and the +callback only returns the password already stored. .PP -When asking for the password interactively, \fIpem_passwd_cb()\fR can use +When asking for the password interactively, the callback can use \&\fBrwflag\fR to check, whether an item shall be encrypted (rwflag=1). In this case the password dialog may ask for the same password twice for comparison in order to catch typos, that would make decryption @@ -182,24 +201,36 @@ Other items in \s-1PEM\s0 formatting (certificates) can also be encrypted, it is however not usual, as certificate information is considered public. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fISSL_CTX_set_default_passwd_cb()\fR and \fISSL_CTX_set_default_passwd_cb_userdata()\fR -do not provide diagnostic information. +These functions do not provide diagnostic information. .SH "EXAMPLES" .IX Header "EXAMPLES" -The following example returns the password provided as \fBuserdata\fR to the +The following example returns the password provided as userdata to the calling function. The password is considered to be a '\e0' terminated string. If the password does not fit into the buffer, the password is truncated. .PP .Vb 6 -\& int pem_passwd_cb(char *buf, int size, int rwflag, void *password) +\& int my_cb(char *buf, int size, int rwflag, void *u) \& { -\& strncpy(buf, (char *)(password), size); -\& buf[size \- 1] = \*(Aq\e0\*(Aq; -\& return(strlen(buf)); +\& strncpy(buf, (char *)u, size); +\& buf[size \- 1] = \*(Aq\e0\*(Aq; +\& return strlen(buf); \& } .Ve +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_CTX_get_default_passwd_cb()\fR, \fISSL_CTX_get_default_passwd_cb_userdata()\fR, +\&\fISSL_set_default_passwd_cb()\fR and \fISSL_set_default_passwd_cb_userdata()\fR were +first added to OpenSSL 1.1.0 .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_use_certificate\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_ex_data.3 b/secure/lib/libcrypto/man/SSL_CTX_set_ex_data.3 new file mode 100644 index 000000000000..171181250f36 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_ex_data.3 @@ -0,0 +1,178 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_EX_DATA 3" +.TH SSL_CTX_SET_EX_DATA 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_get_ex_data, SSL_CTX_set_ex_data, SSL_get_ex_data, SSL_set_ex_data \&\- Store and retrieve extra data from the SSL_CTX, SSL or SSL_SESSION +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx); +\& +\& int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg); +\& +\& void *SSL_get_ex_data(const SSL *s, int idx); +\& +\& int SSL_set_ex_data(SSL *s, int idx, void *arg); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +SSL*\fI_set_ex_data()\fR functions can be used to store arbitrary user data into the +\&\fB\s-1SSL_CTX\s0\fR, or \fB\s-1SSL\s0\fR object. The user must supply a unique index +which they can subsequently use to retrieve the data using SSL*\fI_get_ex_data()\fR. +.PP +For more detailed information see \fICRYPTO_get_ex_data\fR\|(3) and +\&\fICRYPTO_set_ex_data\fR\|(3) which implement these functions and +\&\fICRYPTO_get_ex_new_index\fR\|(3) for generating a unique index. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The SSL*\fI_set_ex_data()\fR functions return 1 if the item is successfully stored +and 0 if it is not. +The SSL*\fI_get_ex_data()\fR functions return the ex_data pointer if successful, +otherwise \s-1NULL.\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fICRYPTO_get_ex_data\fR\|(3), \fICRYPTO_set_ex_data\fR\|(3), +\&\fICRYPTO_get_ex_new_index\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/secure/lib/libcrypto/man/SSL_CTX_set_generate_session_id.3 similarity index 76% rename from secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_generate_session_id.3 index e69efb583087..dd275fbe0833 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_generate_session_id.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_generate_session_id 3" -.TH SSL_CTX_set_generate_session_id 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_GENERATE_SESSION_ID 3" +.TH SSL_CTX_SET_GENERATE_SESSION_ID 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_session_id \- manipulate generation of SSL session IDs (server only) +SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_session_id, GEN_SESSION_CB \&\- manipulate generation of SSL session IDs (server only) .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -164,9 +164,8 @@ of the parent context of \fBssl\fR. .IX Header "NOTES" When a new session is established between client and server, the server generates a session id. The session id is an arbitrary sequence of bytes. -The length of the session id is 16 bytes for SSLv2 sessions and between -1 and 32 bytes for SSLv3/TLSv1. The session id is not security critical -but must be unique for the server. Additionally, the session id is +The length of the session id is between 1 and 32 bytes. The session id is not +security critical but must be unique for the server. Additionally, the session id is transmitted in the clear when reusing the session so it must not contain sensitive information. .PP @@ -183,21 +182,14 @@ The callback is only allowed to generate a shorter id and reduce \fBid_len\fR; the callback \fBmust never\fR increase \fBid_len\fR or write to the location \&\fBid\fR exceeding the given limit. .PP -If a SSLv2 session id is generated and \fBid_len\fR is reduced, it will be -restored after the callback has finished and the session id will be padded -with 0x00. It is not recommended to change the \fBid_len\fR for SSLv2 sessions. -The callback can use the \fISSL_get_version\fR\|(3) function -to check, whether the session is of type SSLv2. -.PP The location \fBid\fR is filled with 0x00 before the callback is called, so the callback may only fill part of the possible length and leave \fBid_len\fR untouched while maintaining reproducibility. .PP Since the sessions must be distinguished, session ids must be unique. Without the callback a random number is used, so that the probability -of generating the same session id is extremely small (2^128 possible ids -for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the -uniqueness of the generated session id, the callback must call +of generating the same session id is extremely small (2^256 for SSLv3/TLSv1). +In order to assure the uniqueness of the generated session id, the callback must call \&\fISSL_has_matching_session_id()\fR and generate another id if a conflict occurs. If an id conflict is not resolved, the handshake will fail. If the application codes e.g. a unique host id, a unique process number, and @@ -217,10 +209,6 @@ Collisions can also occur when using an external session cache, since the external cache is not tested with \fISSL_has_matching_session_id()\fR and the same race condition applies. .PP -When calling \fISSL_has_matching_session_id()\fR for an SSLv2 session with -reduced \fBid_len\fR, the match operation will be performed using the -fixed length required and with a 0x00 padded id. -.PP The callback must return 0 if it cannot generate a session id for whatever reason and return 1 on success. .SH "EXAMPLES" @@ -233,32 +221,27 @@ server id given, and will fill the rest with pseudo random bytes: \& \& #define MAX_SESSION_ID_ATTEMPTS 10 \& static int generate_session_id(const SSL *ssl, unsigned char *id, -\& unsigned int *id_len) -\& { -\& unsigned int count = 0; -\& const char *version; +\& unsigned int *id_len) +\& { +\& unsigned int count = 0; \& -\& version = SSL_get_version(ssl); -\& if (!strcmp(version, "SSLv2")) -\& /* we must not change id_len */; -\& -\& do { -\& RAND_pseudo_bytes(id, *id_len); -\& /* Prefix the session_id with the required prefix. NB: If our -\& * prefix is too long, clip it \- but there will be worse effects -\& * anyway, eg. the server could only possibly create 1 session -\& * ID (ie. the prefix!) so all future session negotiations will -\& * fail due to conflicts. */ -\& memcpy(id, session_id_prefix, -\& (strlen(session_id_prefix) < *id_len) ? -\& strlen(session_id_prefix) : *id_len); -\& } -\& while(SSL_has_matching_session_id(ssl, id, *id_len) && -\& (++count < MAX_SESSION_ID_ATTEMPTS)); -\& if(count >= MAX_SESSION_ID_ATTEMPTS) -\& return 0; -\& return 1; -\& } +\& do { +\& RAND_pseudo_bytes(id, *id_len); +\& /* +\& * Prefix the session_id with the required prefix. NB: If our +\& * prefix is too long, clip it \- but there will be worse effects +\& * anyway, eg. the server could only possibly create 1 session +\& * ID (ie. the prefix!) so all future session negotiations will +\& * fail due to conflicts. +\& */ +\& memcpy(id, session_id_prefix, strlen(session_id_prefix) < *id_len ? +\& strlen(session_id_prefix) : *id_len); +\& } while (SSL_has_matching_session_id(ssl, id, *id_len) +\& && ++count < MAX_SESSION_ID_ATTEMPTS); +\& if (count >= MAX_SESSION_ID_ATTEMPTS) +\& return 0; +\& return 1; +\& } .Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -269,9 +252,12 @@ always return 1. same id is already in the cache. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_get_version\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fISSL_CTX_set_generate_session_id()\fR, \fISSL_set_generate_session_id()\fR -and \fISSL_has_matching_session_id()\fR have been introduced in -OpenSSL 0.9.7. +\&\fIssl\fR\|(7), \fISSL_get_version\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_info_callback.3 similarity index 74% rename from secure/lib/libssl/man/SSL_CTX_set_info_callback.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_info_callback.3 index 4b9821efc57c..1e288996ee6c 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_info_callback.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_info_callback 3" -.TH SSL_CTX_set_info_callback 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_INFO_CALLBACK 3" +.TH SSL_CTX_SET_INFO_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL_get_info_callback \- handle information callback for SSL connections +SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL_get_info_callback \&\- handle information callback for SSL connections .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -153,7 +153,7 @@ SSL_CTX_set_info_callback, SSL_CTX_get_info_callback, SSL_set_info_callback, SSL obtain state information for \s-1SSL\s0 objects created from \fBctx\fR during connection setup and use. The setting for \fBctx\fR is overridden from the setting for a specific \s-1SSL\s0 object, if specified. -When \fBcallback\fR is \s-1NULL,\s0 not callback function is used. +When \fBcallback\fR is \s-1NULL,\s0 no callback function is used. .PP \&\fISSL_set_info_callback()\fR sets the \fBcallback\fR function, that can be used to obtain state information for \fBssl\fR during connection setup and use. @@ -169,7 +169,8 @@ callback function for \fBssl\fR. .IX Header "NOTES" When setting up a connection and during use, it is possible to obtain state information from the \s-1SSL/TLS\s0 engine. When set, an information callback function -is called whenever the state changes, an alert appears, or an error occurs. +is called whenever a significant event occurs such as: the state changes, +an alert appears, or an error occurs. .PP The callback function is called as \fBcallback(\s-1SSL\s0 *ssl, int where, int ret)\fR. The \fBwhere\fR argument specifies information about where (in which context) @@ -180,11 +181,14 @@ information. \&\fBwhere\fR is a bitmask made up of the following bits: .IP "\s-1SSL_CB_LOOP\s0" 4 .IX Item "SSL_CB_LOOP" -Callback has been called to indicate state change inside a loop. +Callback has been called to indicate state change or some other significant +state machine event. This may mean that the callback gets invoked more than once +per state in some situations. .IP "\s-1SSL_CB_EXIT\s0" 4 .IX Item "SSL_CB_EXIT" -Callback has been called to indicate error exit of a handshake function. -(May be soft error with retry option for non-blocking setups.) +Callback has been called to indicate exit of a handshake function. This will +happen after the end of a handshake, but may happen at other times too such as +on error or when \s-1IO\s0 might otherwise block and non-blocking is being used. .IP "\s-1SSL_CB_READ\s0" 4 .IX Item "SSL_CB_READ" Callback has been called during read operation. @@ -210,10 +214,16 @@ Callback has been called due to an alert being sent or received. .IP "\s-1SSL_CB_HANDSHAKE_START\s0" 4 .IX Item "SSL_CB_HANDSHAKE_START" .PD -Callback has been called because a new handshake is started. +Callback has been called because a new handshake is started. In TLSv1.3 this is +also used for the start of post-handshake message exchanges such as for the +exchange of session tickets, or for key updates. It also occurs when resuming a +handshake following a pause to handle early data. .IP "\s-1SSL_CB_HANDSHAKE_DONE\s0 0x20" 4 .IX Item "SSL_CB_HANDSHAKE_DONE 0x20" -Callback has been called because a handshake is finished. +Callback has been called because a handshake is finished. In TLSv1.3 this is +also used at the end of an exchange of post-handshake messages such as for +session tickets or key updates. It also occurs if the handshake is paused to +allow the exchange of early data. .PP The current state information can be obtained using the \&\fISSL_state_string\fR\|(3) family of functions. @@ -232,42 +242,44 @@ about alerts being handled and error messages to the \fBbio_err\fR \s-1BIO.\s0 .PP .Vb 4 \& void apps_ssl_info_callback(SSL *s, int where, int ret) -\& { -\& const char *str; -\& int w; +\& { +\& const char *str; +\& int w = where & ~SSL_ST_MASK; \& -\& w=where& ~SSL_ST_MASK; +\& if (w & SSL_ST_CONNECT) +\& str = "SSL_connect"; +\& else if (w & SSL_ST_ACCEPT) +\& str = "SSL_accept"; +\& else +\& str = "undefined"; \& -\& if (w & SSL_ST_CONNECT) str="SSL_connect"; -\& else if (w & SSL_ST_ACCEPT) str="SSL_accept"; -\& else str="undefined"; -\& -\& if (where & SSL_CB_LOOP) -\& { -\& BIO_printf(bio_err,"%s:%s\en",str,SSL_state_string_long(s)); -\& } -\& else if (where & SSL_CB_ALERT) -\& { -\& str=(where & SSL_CB_READ)?"read":"write"; -\& BIO_printf(bio_err,"SSL3 alert %s:%s:%s\en", -\& str, -\& SSL_alert_type_string_long(ret), -\& SSL_alert_desc_string_long(ret)); -\& } -\& else if (where & SSL_CB_EXIT) -\& { -\& if (ret == 0) -\& BIO_printf(bio_err,"%s:failed in %s\en", -\& str,SSL_state_string_long(s)); -\& else if (ret < 0) -\& { -\& BIO_printf(bio_err,"%s:error in %s\en", -\& str,SSL_state_string_long(s)); -\& } -\& } -\& } +\& if (where & SSL_CB_LOOP) { +\& BIO_printf(bio_err, "%s:%s\en", str, SSL_state_string_long(s)); +\& } else if (where & SSL_CB_ALERT) { +\& str = (where & SSL_CB_READ) ? "read" : "write"; +\& BIO_printf(bio_err, "SSL3 alert %s:%s:%s\en", str, +\& SSL_alert_type_string_long(ret), +\& SSL_alert_desc_string_long(ret)); +\& } else if (where & SSL_CB_EXIT) { +\& if (ret == 0) { +\& BIO_printf(bio_err, "%s:failed in %s\en", +\& str, SSL_state_string_long(s)); +\& } else if (ret < 0) { +\& BIO_printf(bio_err, "%s:error in %s\en", +\& str, SSL_state_string_long(s)); +\& } +\& } +\& } .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_state_string\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_state_string\fR\|(3), \&\fISSL_alert_type_string\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_keylog_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_keylog_callback.3 new file mode 100644 index 000000000000..7ce90e02b640 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_keylog_callback.3 @@ -0,0 +1,179 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_KEYLOG_CALLBACK 3" +.TH SSL_CTX_SET_KEYLOG_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_keylog_callback, SSL_CTX_get_keylog_callback, SSL_CTX_keylog_cb_func \- logging TLS key material +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef void (*SSL_CTX_keylog_cb_func)(const SSL *ssl, const char *line); +\& +\& void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb); +\& SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set_keylog_callback()\fR sets the \s-1TLS\s0 key logging callback. This callback +is called whenever \s-1TLS\s0 key material is generated or received, in order to allow +applications to store this keying material for debugging purposes. +.PP +\&\fISSL_CTX_get_keylog_callback()\fR retrieves the previously set \s-1TLS\s0 key logging +callback. If no callback has been set, this will return \s-1NULL.\s0 When there is no +key logging callback, or if SSL_CTX_set_keylog_callback is called with \s-1NULL\s0 as +the value of cb, no logging of key material will be done. +.PP +The key logging callback is called with two items: the \fBssl\fR object associated +with the connection, and \fBline\fR, a string containing the key material in the +format used by \s-1NSS\s0 for its \fB\s-1SSLKEYLOGFILE\s0\fR debugging output. To recreate that +file, the key logging callback should log \fBline\fR, followed by a newline. +\&\fBline\fR will always be a NULL-terminated string. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_get_keylog_callback()\fR returns a pointer to \fBSSL_CTX_keylog_cb_func\fR or +\&\s-1NULL\s0 if the callback is not set. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/secure/lib/libcrypto/man/SSL_CTX_set_max_cert_list.3 similarity index 91% rename from secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_max_cert_list.3 index 651033b5cedb..54e66e65095d 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_max_cert_list.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_max_cert_list 3" -.TH SSL_CTX_set_max_cert_list 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_MAX_CERT_LIST 3" +.TH SSL_CTX_SET_MAX_CERT_LIST 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list, \- manipulate allowed for the peer's certificate chain +SSL_CTX_set_max_cert_list, SSL_CTX_get_max_cert_list, SSL_set_max_cert_list, SSL_get_max_cert_list \- manipulate allowed size for the peer's certificate chain .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -197,8 +197,13 @@ set value. set value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_new\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_new\fR\|(3), \&\fISSL_CTX_set_verify\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -SSL*_set/\fIget_max_cert_list()\fR have been introduced in OpenSSL 0.9.7. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_min_proto_version.3 b/secure/lib/libcrypto/man/SSL_CTX_set_min_proto_version.3 new file mode 100644 index 000000000000..88187d718e06 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_min_proto_version.3 @@ -0,0 +1,195 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_MIN_PROTO_VERSION 3" +.TH SSL_CTX_SET_MIN_PROTO_VERSION 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_min_proto_version, SSL_CTX_set_max_proto_version, SSL_CTX_get_min_proto_version, SSL_CTX_get_max_proto_version, SSL_set_min_proto_version, SSL_set_max_proto_version, SSL_get_min_proto_version, SSL_get_max_proto_version \- Get and set minimum and maximum supported protocol version +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version); +\& int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version); +\& int SSL_CTX_get_min_proto_version(SSL_CTX *ctx); +\& int SSL_CTX_get_max_proto_version(SSL_CTX *ctx); +\& +\& int SSL_set_min_proto_version(SSL *ssl, int version); +\& int SSL_set_max_proto_version(SSL *ssl, int version); +\& int SSL_get_min_proto_version(SSL *ssl); +\& int SSL_get_max_proto_version(SSL *ssl); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The functions get or set the minimum and maximum supported protocol versions +for the \fBctx\fR or \fBssl\fR. +This works in combination with the options set via +\&\fISSL_CTX_set_options\fR\|(3) that also make it possible to disable +specific protocol versions. +Use these functions instead of disabling specific protocol versions. +.PP +Setting the minimum or maximum version to 0, will enable protocol +versions down to the lowest version, or up to the highest version +supported by the library, respectively. +.PP +Getters return 0 in case \fBctx\fR or \fBssl\fR have been configured to +automatically use the lowest or highest version supported by the library. +.PP +Currently supported versions are \fB\s-1SSL3_VERSION\s0\fR, \fB\s-1TLS1_VERSION\s0\fR, +\&\fB\s-1TLS1_1_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR, \fB\s-1TLS1_3_VERSION\s0\fR for \s-1TLS\s0 and +\&\fB\s-1DTLS1_VERSION\s0\fR, \fB\s-1DTLS1_2_VERSION\s0\fR for \s-1DTLS.\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These setter functions return 1 on success and 0 on failure. The getter +functions return the configured version or 0 for auto-configuration of +lowest or highest protocol, respectively. +.SH "NOTES" +.IX Header "NOTES" +All these functions are implemented using macros. +.SH "HISTORY" +.IX Header "HISTORY" +The setter functions were added in OpenSSL 1.1.0. The getter functions +were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_CTX_set_options\fR\|(3), \fISSL_CONF_cmd\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_mode.3 b/secure/lib/libcrypto/man/SSL_CTX_set_mode.3 similarity index 62% rename from secure/lib/libssl/man/SSL_CTX_set_mode.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_mode.3 index b04d0ef094d7..13b8c7c4fde6 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_mode.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_mode.3 @@ -128,21 +128,23 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_mode 3" -.TH SSL_CTX_set_mode 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_MODE 3" +.TH SSL_CTX_SET_MODE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_mode, SSL_set_mode, SSL_CTX_get_mode, SSL_get_mode \- manipulate SSL engine mode +SSL_CTX_set_mode, SSL_CTX_clear_mode, SSL_set_mode, SSL_clear_mode, SSL_CTX_get_mode, SSL_get_mode \- manipulate SSL engine mode .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& long SSL_CTX_set_mode(SSL_CTX *ctx, long mode); +\& long SSL_CTX_clear_mode(SSL_CTX *ctx, long mode); \& long SSL_set_mode(SSL *ssl, long mode); +\& long SSL_clear_mode(SSL *ssl, long mode); \& \& long SSL_CTX_get_mode(SSL_CTX *ctx); \& long SSL_get_mode(SSL *ssl); @@ -151,9 +153,11 @@ SSL_CTX_set_mode, SSL_set_mode, SSL_CTX_get_mode, SSL_get_mode \- manipulate SSL .IX Header "DESCRIPTION" \&\fISSL_CTX_set_mode()\fR adds the mode set via bitmask in \fBmode\fR to \fBctx\fR. Options already set before are not cleared. +\&\fISSL_CTX_clear_mode()\fR removes the mode set via bitmask in \fBmode\fR from \fBctx\fR. .PP \&\fISSL_set_mode()\fR adds the mode set via bitmask in \fBmode\fR to \fBssl\fR. Options already set before are not cleared. +\&\fISSL_clear_mode()\fR removes the mode set via bitmask in \fBmode\fR from \fBssl\fR. .PP \&\fISSL_CTX_get_mode()\fR returns the mode set for \fBctx\fR. .PP @@ -163,37 +167,51 @@ Options already set before are not cleared. The following mode changes are available: .IP "\s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0" 4 .IX Item "SSL_MODE_ENABLE_PARTIAL_WRITE" -Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success -when just a single record has been written). When not set (the default), -\&\fISSL_write()\fR will only report success once the complete chunk was written. -Once \fISSL_write()\fR returns with r, r bytes have been successfully written -and the next call to \fISSL_write()\fR must only send the n\-r bytes left, -imitating the behaviour of \fIwrite()\fR. +Allow SSL_write_ex(..., n, &r) to return with 0 < r < n (i.e. report success +when just a single record has been written). This works in a similar way for +\&\fISSL_write()\fR. When not set (the default), \fISSL_write_ex()\fR or \fISSL_write()\fR will only +report success once the complete chunk was written. Once \fISSL_write_ex()\fR or +\&\fISSL_write()\fR returns successful, \fBr\fR bytes have been written and the next call +to \fISSL_write_ex()\fR or \fISSL_write()\fR must only send the n\-r bytes left, imitating +the behaviour of \fIwrite()\fR. .IP "\s-1SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\s0" 4 .IX Item "SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER" -Make it possible to retry \fISSL_write()\fR with changed buffer location -(the buffer contents must stay the same). This is not the default to avoid -the misconception that non-blocking \fISSL_write()\fR behaves like +Make it possible to retry \fISSL_write_ex()\fR or \fISSL_write()\fR with changed buffer +location (the buffer contents must stay the same). This is not the default to +avoid the misconception that non-blocking \fISSL_write()\fR behaves like non-blocking \fIwrite()\fR. .IP "\s-1SSL_MODE_AUTO_RETRY\s0" 4 .IX Item "SSL_MODE_AUTO_RETRY" -Never bother the application with retries if the transport is blocking. -If a renegotiation take place during normal operation, a -\&\fISSL_read\fR\|(3) or \fISSL_write\fR\|(3) would return -with \-1 and indicate the need to retry with \s-1SSL_ERROR_WANT_READ.\s0 +During normal operations, non-application data records might need to be sent or +received that the application is not aware of. +If a non-application data record was processed, +\&\fISSL_read_ex\fR\|(3) and \fISSL_read\fR\|(3) can return with a failure and indicate the +need to retry with \fB\s-1SSL_ERROR_WANT_READ\s0\fR. +If such a non-application data record was processed, the flag +\&\fB\s-1SSL_MODE_AUTO_RETRY\s0\fR causes it to try to process the next record instead of +returning. +.Sp In a non-blocking environment applications must be prepared to handle incomplete read/write operations. +Setting \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR for a non-blocking \fB\s-1BIO\s0\fR will process +non-application data records until either no more data is available or +an application data record has been processed. +.Sp In a blocking environment, applications are not always prepared to -deal with read/write operations returning without success report. The -flag \s-1SSL_MODE_AUTO_RETRY\s0 will cause read/write operations to only -return after the handshake and successful completion. +deal with the functions returning intermediate reports such as retry +requests, and setting the \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR flag will cause the functions +to only return after successfully processing an application data record or a +failure. +.Sp +Turning off \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR can be useful with blocking \fB\s-1BIO\s0\fRs in case +they are used in combination with something like \fIselect()\fR or \fIpoll()\fR. +Otherwise the call to \fISSL_read()\fR or \fISSL_read_ex()\fR might hang when a +non-application record was sent and no application data was sent. .IP "\s-1SSL_MODE_RELEASE_BUFFERS\s0" 4 .IX Item "SSL_MODE_RELEASE_BUFFERS" When we no longer need a read buffer or a write buffer for a given \s-1SSL,\s0 -then release the memory we were using to hold it. Released memory is -either appended to a list of unused \s-1RAM\s0 chunks on the \s-1SSL_CTX,\s0 or simply -freed if the list of unused chunks would become longer than -\&\s-1SSL_CTX\-\s0>freelist_max_len, which defaults to 32. Using this flag can +then release the memory we were using to hold it. +Using this flag can save around 34k per idle \s-1SSL\s0 connection. This flag has no effect on \s-1SSL\s0 v2 connections, or on \s-1DTLS\s0 connections. .IP "\s-1SSL_MODE_SEND_FALLBACK_SCSV\s0" 4 @@ -205,6 +223,14 @@ version; see draft\-ietf\-tls\-downgrade\-scsv\-00 for details. \&\s-1DO NOT ENABLE THIS\s0 if your application attempts a normal handshake. Only use this in explicit fallback retries, following the guidance in draft\-ietf\-tls\-downgrade\-scsv\-00. +.IP "\s-1SSL_MODE_ASYNC\s0" 4 +.IX Item "SSL_MODE_ASYNC" +Enable asynchronous processing. \s-1TLS I/O\s0 operations may indicate a retry with +\&\s-1SSL_ERROR_WANT_ASYNC\s0 with this mode set if an asynchronous capable engine is +used to perform cryptographic operations. See \fISSL_get_error\fR\|(3). +.PP +All modes are off by default except for \s-1SSL_MODE_AUTO_RETRY\s0 which is on by +default since 1.1.1. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_CTX_set_mode()\fR and \fISSL_set_mode()\fR return the new mode bitmask @@ -213,7 +239,16 @@ after adding \fBmode\fR. \&\fISSL_CTX_get_mode()\fR and \fISSL_get_mode()\fR return the current bitmask. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_read\fR\|(3), \fISSL_write\fR\|(3) +\&\fIssl\fR\|(7), \fISSL_read_ex\fR\|(3), \fISSL_read\fR\|(3), \fISSL_write_ex\fR\|(3) or +\&\fISSL_write\fR\|(3), \fISSL_get_error\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\s-1SSL_MODE_AUTO_RETRY\s0 as been added in OpenSSL 0.9.6. +\&\s-1SSL_MODE_ASYNC\s0 was first added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_msg_callback.3 similarity index 65% rename from secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_msg_callback.3 index 1fc3819b71fa..4195640db177 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_msg_callback.3 @@ -128,23 +128,29 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_msg_callback 3" -.TH SSL_CTX_set_msg_callback 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_MSG_CALLBACK 3" +.TH SSL_CTX_SET_MSG_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_msg_callback, SSL_CTX_set_msg_callback_arg, SSL_set_msg_callback, SSL_get_msg_callback_arg \- install callback for observing protocol messages +SSL_CTX_set_msg_callback, SSL_CTX_set_msg_callback_arg, SSL_set_msg_callback, SSL_set_msg_callback_arg \&\- install callback for observing protocol messages .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); +\& void SSL_CTX_set_msg_callback(SSL_CTX *ctx, +\& void (*cb)(int write_p, int version, +\& int content_type, const void *buf, +\& size_t len, SSL *ssl, void *arg)); \& void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg); \& -\& void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)); +\& void SSL_set_msg_callback(SSL *ssl, +\& void (*cb)(int write_p, int version, +\& int content_type, const void *buf, +\& size_t len, SSL *ssl, void *arg)); \& void SSL_set_msg_callback_arg(SSL *ssl, void *arg); .Ve .SH "DESCRIPTION" @@ -152,7 +158,8 @@ SSL_CTX_set_msg_callback, SSL_CTX_set_msg_callback_arg, SSL_set_msg_callback, SS \&\fISSL_CTX_set_msg_callback()\fR or \fISSL_set_msg_callback()\fR can be used to define a message callback function \fIcb\fR for observing all \s-1SSL/TLS\s0 protocol messages (such as handshake messages) that are received or -sent. \fISSL_CTX_set_msg_callback_arg()\fR and \fISSL_set_msg_callback_arg()\fR +sent, as well as other events that occur during processing. +\&\fISSL_CTX_set_msg_callback_arg()\fR and \fISSL_set_msg_callback_arg()\fR can be used to set argument \fIarg\fR to the callback function, which is available for arbitrary application use. .PP @@ -160,10 +167,10 @@ available for arbitrary application use. default settings that will be copied to new \fB\s-1SSL\s0\fR objects by \&\fISSL_new\fR\|(3). \fISSL_set_msg_callback()\fR and \&\fISSL_set_msg_callback_arg()\fR modify the actual settings of an \fB\s-1SSL\s0\fR -object. Using a \fB0\fR pointer for \fIcb\fR disables the message callback. +object. Using a \fB\s-1NULL\s0\fR pointer for \fIcb\fR disables the message callback. .PP -When \fIcb\fR is called by the \s-1SSL/TLS\s0 library for a protocol message, -the function arguments have the following meaning: +When \fIcb\fR is called by the \s-1SSL/TLS\s0 library the function arguments have the +following meaning: .IP "\fIwrite_p\fR" 4 .IX Item "write_p" This flag is \fB0\fR when a protocol message has been received and \fB1\fR @@ -171,21 +178,21 @@ when a protocol message has been sent. .IP "\fIversion\fR" 4 .IX Item "version" The protocol version according to which the protocol message is -interpreted by the library. Currently, this is one of -\&\fB\s-1SSL2_VERSION\s0\fR, \fB\s-1SSL3_VERSION\s0\fR and \fB\s-1TLS1_VERSION\s0\fR (for \s-1SSL 2.0, SSL -3.0\s0 and \s-1TLS 1.0,\s0 respectively). +interpreted by the library such as \fB\s-1TLS1_3_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR etc. +This is set to 0 for the \s-1SSL3_RT_HEADER\s0 pseudo content type (see \s-1NOTES\s0 below). .IP "\fIcontent_type\fR" 4 .IX Item "content_type" -In the case of \s-1SSL 2.0,\s0 this is always \fB0\fR. In the case of \s-1SSL 3.0\s0 -or \s-1TLS 1.0,\s0 this is one of the \fBContentType\fR values defined in the -protocol specification (\fBchange_cipher_spec(20)\fR, \fBalert(21)\fR, -\&\fBhandshake(22)\fR; but never \fBapplication_data(23)\fR because the -callback will only be called for protocol messages). +This is one of the content type values defined in the protocol specification +(\fB\s-1SSL3_RT_CHANGE_CIPHER_SPEC\s0\fR, \fB\s-1SSL3_RT_ALERT\s0\fR, \fB\s-1SSL3_RT_HANDSHAKE\s0\fR; but never +\&\fB\s-1SSL3_RT_APPLICATION_DATA\s0\fR because the callback will only be called for protocol +messages). Alternatively it may be a \*(L"pseudo\*(R" content type. These pseudo +content types are used to signal some other event in the processing of data (see +\&\s-1NOTES\s0 below). .IP "\fIbuf\fR, \fIlen\fR" 4 .IX Item "buf, len" -\&\fIbuf\fR points to a buffer containing the protocol message, which -consists of \fIlen\fR bytes. The buffer is no longer valid after the -callback function has returned. +\&\fIbuf\fR points to a buffer containing the protocol message or other data (in the +case of pseudo content types), which consists of \fIlen\fR bytes. The buffer is no +longer valid after the callback function has returned. .IP "\fIssl\fR" 4 .IX Item "ssl" The \fB\s-1SSL\s0\fR object that received or sent the message. @@ -208,10 +215,35 @@ Due to automatic protocol version negotiation, \fIversion\fR is not necessarily the protocol version used by the sender of the message: If a \s-1TLS 1.0\s0 ClientHello message is received by an \s-1SSL 3\s0.0\-only server, \&\fIversion\fR will be \fB\s-1SSL3_VERSION\s0\fR. +.PP +Pseudo content type values may be sent at various points during the processing +of data. The following pseudo content types are currently defined: +.IP "\fB\s-1SSL3_RT_HEADER\s0\fR" 4 +.IX Item "SSL3_RT_HEADER" +Used when a record is sent or received. The \fBbuf\fR contains the record header +bytes only. +.IP "\fB\s-1SSL3_RT_INNER_CONTENT_TYPE\s0\fR" 4 +.IX Item "SSL3_RT_INNER_CONTENT_TYPE" +Used when an encrypted TLSv1.3 record is sent or received. In encrypted TLSv1.3 +records the content type in the record header is always +\&\s-1SSL3_RT_APPLICATION_DATA.\s0 The real content type for the record is contained in +an \*(L"inner\*(R" content type. \fBbuf\fR contains the encoded \*(L"inner\*(R" content type byte. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_set_msg_callback()\fR, \fISSL_CTX_set_msg_callback_arg()\fR, \fISSL_set_msg_callback()\fR +and \fISSL_set_msg_callback_arg()\fR do not return values. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_new\fR\|(3) +\&\fIssl\fR\|(7), \fISSL_new\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fISSL_CTX_set_msg_callback()\fR, \fISSL_CTX_set_msg_callback_arg()\fR, -\&\fISSL_set_msg_callback()\fR and \fISSL_get_msg_callback_arg()\fR were added in OpenSSL 0.9.7. +The pseudo content type \fB\s-1SSL3_RT_INNER_CONTENT_TYPE\s0\fR was added in OpenSSL +1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_num_tickets.3 b/secure/lib/libcrypto/man/SSL_CTX_set_num_tickets.3 new file mode 100644 index 000000000000..f907dd05cf0b --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_num_tickets.3 @@ -0,0 +1,192 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_NUM_TICKETS 3" +.TH SSL_CTX_SET_NUM_TICKETS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_set_num_tickets, SSL_get_num_tickets, SSL_CTX_set_num_tickets, SSL_CTX_get_num_tickets \&\- control the number of TLSv1.3 session tickets that are issued +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_set_num_tickets(SSL *s, size_t num_tickets); +\& size_t SSL_get_num_tickets(SSL *s); +\& int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets); +\& size_t SSL_CTX_get_num_tickets(SSL_CTX *ctx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set_num_tickets()\fR and \fISSL_set_num_tickets()\fR can be called for a server +application and set the number of session tickets that will be sent to the +client after a full handshake. Set the desired value (which could be 0) in the +\&\fBnum_tickets\fR argument. Typically these functions should be called before the +start of the handshake. +.PP +The default number of tickets is 2; the default number of tickets sent following +a resumption handshake is 1 but this cannot be changed using these functions. +The number of tickets following a resumption handshake can be reduced to 0 using +custom session ticket callbacks (see \fISSL_CTX_set_session_ticket_cb\fR\|(3)). +.PP +Tickets are also issued on receipt of a post-handshake certificate from the +client following a request by the server using +\&\fISSL_verify_client_post_handshake\fR\|(3). These new tickets will be associated +with the updated client identity (i.e. including their certificate and +verification status). The number of tickets issued will normally be the same as +was used for the initial handshake. If the initial handshake was a full +handshake then \fISSL_set_num_tickets()\fR can be called again prior to calling +\&\fISSL_verify_client_post_handshake()\fR to update the number of tickets that will be +sent. +.PP +\&\fISSL_CTX_get_num_tickets()\fR and \fISSL_get_num_tickets()\fR return the number of +tickets set by a previous call to \fISSL_CTX_set_num_tickets()\fR or +\&\fISSL_set_num_tickets()\fR, or 2 if no such call has been made. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_set_num_tickets()\fR and \fISSL_set_num_tickets()\fR return 1 on success or 0 on +failure. +.PP +\&\fISSL_CTX_get_num_tickets()\fR and \fISSL_get_num_tickets()\fR return the number of tickets +that have been previously set. +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_options.3 b/secure/lib/libcrypto/man/SSL_CTX_set_options.3 similarity index 66% rename from secure/lib/libssl/man/SSL_CTX_set_options.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_options.3 index 2bee9032bd59..223d2c498df3 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_options.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_options.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_options 3" -.TH SSL_CTX_set_options 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_OPTIONS 3" +.TH SSL_CTX_SET_OPTIONS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -154,8 +154,6 @@ SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -Note: all these functions are implemented using macros. -.PP \&\fISSL_CTX_set_options()\fR adds the options set via bitmask in \fBoptions\fR to \fBctx\fR. Options already set before are not cleared! .PP @@ -173,10 +171,11 @@ to \fBctx\fR. .PP \&\fISSL_get_secure_renegotiation_support()\fR indicates whether the peer supports secure renegotiation. +Note, this is implemented via a macro. .SH "NOTES" .IX Header "NOTES" The behaviour of the \s-1SSL\s0 library can be changed by setting several options. -The options are coded as bitmasks and can be combined by a logical \fBor\fR +The options are coded as bitmasks and can be combined by a bitwise \fBor\fR operation (|). .PP \&\fISSL_CTX_set_options()\fR and \fISSL_set_options()\fR affect the (external) @@ -190,41 +189,10 @@ option setting is copied. Changes to \fBctx\fR do not affect already created \&\s-1SSL\s0 objects. \fISSL_clear()\fR does not affect the settings. .PP The following \fBbug workaround\fR options are available: -.IP "\s-1SSL_OP_MICROSOFT_SESS_ID_BUG\s0" 4 -.IX Item "SSL_OP_MICROSOFT_SESS_ID_BUG" -www.microsoft.com \- when talking SSLv2, if session-id reuse is -performed, the session-id passed back in the server-finished message -is different from the one decided upon. -.IP "\s-1SSL_OP_NETSCAPE_CHALLENGE_BUG\s0" 4 -.IX Item "SSL_OP_NETSCAPE_CHALLENGE_BUG" -Netscape\-Commerce/1.12, when talking SSLv2, accepts a 32 byte -challenge but then appears to only use 16 bytes when generating the -encryption keys. Using 16 bytes is ok but it should be ok to use 32. -According to the SSLv3 spec, one should use 32 bytes for the challenge -when operating in SSLv2/v3 compatibility mode, but as mentioned above, -this breaks this server so 16 bytes is the way to go. -.IP "\s-1SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\s0" 4 -.IX Item "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG" -As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. -.IP "\s-1SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG\s0" 4 -.IX Item "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG" -\&... -.IP "\s-1SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER\s0" 4 -.IX Item "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER" -\&... .IP "\s-1SSL_OP_SAFARI_ECDHE_ECDSA_BUG\s0" 4 .IX Item "SSL_OP_SAFARI_ECDHE_ECDSA_BUG" Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on \s-1OS X. OS X 10.8..10.8.3\s0 has broken support for ECDHE-ECDSA ciphers. -.IP "\s-1SSL_OP_SSLEAY_080_CLIENT_DH_BUG\s0" 4 -.IX Item "SSL_OP_SSLEAY_080_CLIENT_DH_BUG" -\&... -.IP "\s-1SSL_OP_TLS_D5_BUG\s0" 4 -.IX Item "SSL_OP_TLS_D5_BUG" -\&... -.IP "\s-1SSL_OP_TLS_BLOCK_PADDING_BUG\s0" 4 -.IX Item "SSL_OP_TLS_BLOCK_PADDING_BUG" -\&... .IP "\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0" 4 .IX Item "SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS" Disables a countermeasure against a \s-1SSL 3.0/TLS 1.0\s0 protocol @@ -238,7 +206,8 @@ Adds a padding extension to ensure the ClientHello size is never between implementations. .IP "\s-1SSL_OP_ALL\s0" 4 .IX Item "SSL_OP_ALL" -All of the above bug workarounds. +All of the above bug workarounds plus \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR as +mentioned below. .PP It is usually safe to use \fB\s-1SSL_OP_ALL\s0\fR to enable the bug workaround options if compatibility with somewhat broken implementations is @@ -256,70 +225,70 @@ the client sends a SSLv2 hello and accepts up to SSLv3.1=TLSv1, the server only understands up to SSLv3. In this case the client must still use the same SSLv3.1=TLSv1 announcement. Some clients step down to SSLv3 with respect to the server's answer and violate the version rollback protection.) -.IP "\s-1SSL_OP_SINGLE_DH_USE\s0" 4 -.IX Item "SSL_OP_SINGLE_DH_USE" -Always create a new key when using temporary/ephemeral \s-1DH\s0 parameters -(see \fISSL_CTX_set_tmp_dh_callback\fR\|(3)). -This option must be used to prevent small subgroup attacks, when -the \s-1DH\s0 parameters were not generated using \*(L"strong\*(R" primes -(e.g. when using DSA-parameters, see \fIdhparam\fR\|(1)). -If \*(L"strong\*(R" primes were used, it is not strictly necessary to generate -a new \s-1DH\s0 key during each handshake but it is also recommended. -\&\fB\s-1SSL_OP_SINGLE_DH_USE\s0\fR should therefore be enabled whenever -temporary/ephemeral \s-1DH\s0 parameters are used. -.IP "\s-1SSL_OP_EPHEMERAL_RSA\s0" 4 -.IX Item "SSL_OP_EPHEMERAL_RSA" -This option is no longer implemented and is treated as no op. .IP "\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0" 4 .IX Item "SSL_OP_CIPHER_SERVER_PREFERENCE" When choosing a cipher, use the server's preferences instead of the client preferences. When not set, the \s-1SSL\s0 server will always follow the clients -preferences. When set, the SSLv3/TLSv1 server will choose following its -own preferences. Because of the different protocol, for SSLv2 the server -will send its list of preferences to the client and the client chooses. -.IP "\s-1SSL_OP_PKCS1_CHECK_1\s0" 4 -.IX Item "SSL_OP_PKCS1_CHECK_1" -\&... -.IP "\s-1SSL_OP_PKCS1_CHECK_2\s0" 4 -.IX Item "SSL_OP_PKCS1_CHECK_2" -\&... -.IP "\s-1SSL_OP_NETSCAPE_CA_DN_BUG\s0" 4 -.IX Item "SSL_OP_NETSCAPE_CA_DN_BUG" -If we accept a netscape connection, demand a client cert, have a -non-self-signed \s-1CA\s0 which does not have its \s-1CA\s0 in netscape, and the -browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta -.IP "\s-1SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG\s0" 4 -.IX Item "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG" -\&... -.IP "SSL_OP_NO_SSLv2" 4 -.IX Item "SSL_OP_NO_SSLv2" -Do not use the SSLv2 protocol. -As of OpenSSL 1.0.2g the \fBSSL_OP_NO_SSLv2\fR option is set by default. -.IP "SSL_OP_NO_SSLv3" 4 -.IX Item "SSL_OP_NO_SSLv3" -Do not use the SSLv3 protocol. -It is recommended that applications should set this option. -.IP "SSL_OP_NO_TLSv1" 4 -.IX Item "SSL_OP_NO_TLSv1" -Do not use the TLSv1 protocol. -.IP "SSL_OP_NO_TLSv1_1" 4 -.IX Item "SSL_OP_NO_TLSv1_1" -Do not use the TLSv1.1 protocol. -.IP "SSL_OP_NO_TLSv1_2" 4 -.IX Item "SSL_OP_NO_TLSv1_2" -Do not use the TLSv1.2 protocol. +preferences. When set, the \s-1SSL/TLS\s0 server will choose following its +own preferences. +.IP "SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2" 4 +.IX Item "SSL_OP_NO_SSLv3, SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2, SSL_OP_NO_TLSv1_3, SSL_OP_NO_DTLSv1, SSL_OP_NO_DTLSv1_2" +These options turn off the SSLv3, TLSv1, TLSv1.1, TLSv1.2 or TLSv1.3 protocol +versions with \s-1TLS\s0 or the DTLSv1, DTLSv1.2 versions with \s-1DTLS,\s0 +respectively. +As of OpenSSL 1.1.0, these options are deprecated, use +\&\fISSL_CTX_set_min_proto_version\fR\|(3) and +\&\fISSL_CTX_set_max_proto_version\fR\|(3) instead. .IP "\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0" 4 .IX Item "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION" When performing renegotiation as a server, always start a new session (i.e., session resumption requests are only accepted in the initial handshake). This option is not needed for clients. +.IP "\s-1SSL_OP_NO_COMPRESSION\s0" 4 +.IX Item "SSL_OP_NO_COMPRESSION" +Do not use compression even if it is supported. +.IP "\s-1SSL_OP_NO_QUERY_MTU\s0" 4 +.IX Item "SSL_OP_NO_QUERY_MTU" +Do not query the \s-1MTU.\s0 Only affects \s-1DTLS\s0 connections. +.IP "\s-1SSL_OP_COOKIE_EXCHANGE\s0" 4 +.IX Item "SSL_OP_COOKIE_EXCHANGE" +Turn on Cookie Exchange as described in \s-1RFC4347\s0 Section 4.2.1. Only affects +\&\s-1DTLS\s0 connections. .IP "\s-1SSL_OP_NO_TICKET\s0" 4 .IX Item "SSL_OP_NO_TICKET" -Normally clients and servers will, where possible, transparently make use -of RFC4507bis tickets for stateless session resumption. +\&\s-1SSL/TLS\s0 supports two mechanisms for resuming sessions: session ids and stateless +session tickets. .Sp -If this option is set this functionality is disabled and tickets will -not be used by clients or servers. +When using session ids a copy of the session information is +cached on the server and a unique id is sent to the client. When the client +wishes to resume it provides the unique id so that the server can retrieve the +session information from its cache. +.Sp +When using stateless session tickets the server uses a session ticket encryption +key to encrypt the session information. This encrypted data is sent to the +client as a \*(L"ticket\*(R". When the client wishes to resume it sends the encrypted +data back to the server. The server uses its key to decrypt the data and resume +the session. In this way the server can operate statelessly \- no session +information needs to be cached locally. +.Sp +The TLSv1.3 protocol only supports tickets and does not directly support session +ids. However OpenSSL allows two modes of ticket operation in TLSv1.3: stateful +and stateless. Stateless tickets work the same way as in TLSv1.2 and below. +Stateful tickets mimic the session id behaviour available in TLSv1.2 and below. +The session information is cached on the server and the session id is wrapped up +in a ticket and sent back to the client. When the client wishes to resume, it +presents a ticket in the same way as for stateless tickets. The server can then +extract the session id from the ticket and retrieve the session information from +its cache. +.Sp +By default OpenSSL will use stateless tickets. The \s-1SSL_OP_NO_TICKET\s0 option will +cause stateless tickets to not be issued. In TLSv1.2 and below this means no +ticket gets sent to the client at all. In TLSv1.3 a stateful ticket will be +sent. This is a server-side option only. +.Sp +In TLSv1.3 it is possible to suppress all tickets (stateful and stateless) from +being sent by calling \fISSL_CTX_set_num_tickets\fR\|(3) or +\&\fISSL_set_num_tickets\fR\|(3). .IP "\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0" 4 .IX Item "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION" Allow legacy insecure renegotiation between OpenSSL and unpatched clients or @@ -329,15 +298,86 @@ servers. See the \fB\s-1SECURE RENEGOTIATION\s0\fR section for more details. Allow legacy insecure renegotiation between OpenSSL and unpatched servers \&\fBonly\fR: this option is currently set by default. See the \&\fB\s-1SECURE RENEGOTIATION\s0\fR section for more details. +.IP "\s-1SSL_OP_NO_ENCRYPT_THEN_MAC\s0" 4 +.IX Item "SSL_OP_NO_ENCRYPT_THEN_MAC" +Normally clients and servers will transparently attempt to negotiate the +\&\s-1RFC7366\s0 Encrypt-then-MAC option on \s-1TLS\s0 and \s-1DTLS\s0 connection. +.Sp +If this option is set, Encrypt-then-MAC is disabled. Clients will not +propose, and servers will not accept the extension. +.IP "\s-1SSL_OP_NO_RENEGOTIATION\s0" 4 +.IX Item "SSL_OP_NO_RENEGOTIATION" +Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest +messages, and ignore renegotiation requests via ClientHello. +.IP "\s-1SSL_OP_ALLOW_NO_DHE_KEX\s0" 4 +.IX Item "SSL_OP_ALLOW_NO_DHE_KEX" +In TLSv1.3 allow a non\-(ec)dhe based key exchange mode on resumption. This means +that there will be no forward secrecy for the resumed session. +.IP "\s-1SSL_OP_PRIORITIZE_CHACHA\s0" 4 +.IX Item "SSL_OP_PRIORITIZE_CHACHA" +When \s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0 is set, temporarily reprioritize +ChaCha20\-Poly1305 ciphers to the top of the server cipher list if a +ChaCha20\-Poly1305 cipher is at the top of the client cipher list. This helps +those clients (e.g. mobile) use ChaCha20\-Poly1305 if that cipher is anywhere +in the server cipher list; but still allows other clients to use \s-1AES\s0 and other +ciphers. Requires \fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. +.IP "\s-1SSL_OP_ENABLE_MIDDLEBOX_COMPAT\s0" 4 +.IX Item "SSL_OP_ENABLE_MIDDLEBOX_COMPAT" +If set then dummy Change Cipher Spec (\s-1CCS\s0) messages are sent in TLSv1.3. This +has the effect of making TLSv1.3 look more like TLSv1.2 so that middleboxes that +do not understand TLSv1.3 will not drop the connection. Regardless of whether +this option is set or not \s-1CCS\s0 messages received from the peer will always be +ignored in TLSv1.3. This option is set by default. To switch it off use +\&\fISSL_clear_options()\fR. A future version of OpenSSL may not set this by default. +.IP "\s-1SSL_OP_NO_ANTI_REPLAY\s0" 4 +.IX Item "SSL_OP_NO_ANTI_REPLAY" +By default, when a server is configured for early data (i.e., max_early_data > 0), +OpenSSL will switch on replay protection. See \fISSL_read_early_data\fR\|(3) for a +description of the replay protection feature. Anti-replay measures are required +to comply with the TLSv1.3 specification. Some applications may be able to +mitigate the replay risks in other ways and in such cases the built in OpenSSL +functionality is not required. Those applications can turn this feature off by +setting this option. This is a server-side opton only. It is ignored by +clients. +.PP +The following options no longer have any effect but their identifiers are +retained for compatibility purposes: +.IP "\s-1SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG\s0" 4 +.IX Item "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG" +.PD 0 +.IP "\s-1SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER\s0" 4 +.IX Item "SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER" +.IP "\s-1SSL_OP_SSLEAY_080_CLIENT_DH_BUG\s0" 4 +.IX Item "SSL_OP_SSLEAY_080_CLIENT_DH_BUG" +.IP "\s-1SSL_OP_TLS_D5_BUG\s0" 4 +.IX Item "SSL_OP_TLS_D5_BUG" +.IP "\s-1SSL_OP_TLS_BLOCK_PADDING_BUG\s0" 4 +.IX Item "SSL_OP_TLS_BLOCK_PADDING_BUG" +.IP "\s-1SSL_OP_MSIE_SSLV2_RSA_PADDING\s0" 4 +.IX Item "SSL_OP_MSIE_SSLV2_RSA_PADDING" +.IP "\s-1SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG\s0" 4 +.IX Item "SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG" +.IP "\s-1SSL_OP_MICROSOFT_SESS_ID_BUG\s0" 4 +.IX Item "SSL_OP_MICROSOFT_SESS_ID_BUG" +.IP "\s-1SSL_OP_NETSCAPE_CHALLENGE_BUG\s0" 4 +.IX Item "SSL_OP_NETSCAPE_CHALLENGE_BUG" +.IP "\s-1SSL_OP_PKCS1_CHECK_1\s0" 4 +.IX Item "SSL_OP_PKCS1_CHECK_1" +.IP "\s-1SSL_OP_PKCS1_CHECK_2\s0" 4 +.IX Item "SSL_OP_PKCS1_CHECK_2" +.IP "\s-1SSL_OP_SINGLE_DH_USE\s0" 4 +.IX Item "SSL_OP_SINGLE_DH_USE" +.IP "\s-1SSL_OP_SINGLE_ECDH_USE\s0" 4 +.IX Item "SSL_OP_SINGLE_ECDH_USE" +.IP "\s-1SSL_OP_EPHEMERAL_RSA\s0" 4 +.IX Item "SSL_OP_EPHEMERAL_RSA" +.PD .SH "SECURE RENEGOTIATION" .IX Header "SECURE RENEGOTIATION" -OpenSSL 0.9.8m and later always attempts to use secure renegotiation as +OpenSSL always attempts to use secure renegotiation as described in \s-1RFC5746.\s0 This counters the prefix attack described in \&\s-1CVE\-2009\-3555\s0 and elsewhere. .PP -The deprecated and highly broken SSLv2 protocol does not support -renegotiation at all: its use is \fBstrongly\fR discouraged. -.PP This attack has far reaching consequences which application writers should be aware of. In the description below an implementation supporting secure renegotiation is referred to as \fIpatched\fR. A server not supporting secure @@ -360,14 +400,6 @@ unaware of the unpatched nature of the client. .PP If the option \fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR is set then renegotiation \fBalways\fR succeeds. -.PP -\&\fB\s-1NB:\s0\fR a bug in OpenSSL clients earlier than 0.9.8m (all of which are -unpatched) will result in the connection hanging if it receives a -\&\fBno_renegotiation\fR alert. OpenSSL versions 0.9.8m and later will regard -a \fBno_renegotiation\fR alert as fatal and respond with a fatal -\&\fBhandshake_failure\fR alert. This is because the OpenSSL \s-1API\s0 currently has -no provision to indicate to an application that a renegotiation attempt -was refused. .SS "Patched OpenSSL client and unpatched server." .IX Subsection "Patched OpenSSL client and unpatched server." If the option \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR or @@ -414,28 +446,22 @@ after clearing \fBoptions\fR. secure renegotiation and 0 if it does not. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_new\fR\|(3), \fISSL_clear\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_new\fR\|(3), \fISSL_clear\fR\|(3), \&\fISSL_CTX_set_tmp_dh_callback\fR\|(3), -\&\fISSL_CTX_set_tmp_rsa_callback\fR\|(3), +\&\fISSL_CTX_set_min_proto_version\fR\|(3), \&\fIdhparam\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -\&\fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR and -\&\fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR have been added in -OpenSSL 0.9.7. +The attempt to always try to use secure renegotiation was added in +Openssl 0.9.8m. .PP -\&\fB\s-1SSL_OP_TLS_ROLLBACK_BUG\s0\fR has been added in OpenSSL 0.9.6 and was automatically -enabled with \fB\s-1SSL_OP_ALL\s0\fR. As of 0.9.7, it is no longer included in \fB\s-1SSL_OP_ALL\s0\fR -and must be explicitly set. +\&\fB\s-1SSL_OP_PRIORITIZE_CHACHA\s0\fR and \fB\s-1SSL_OP_NO_RENEGOTIATION\s0\fR were added in +OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fB\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0\fR has been added in OpenSSL 0.9.6e. -Versions up to OpenSSL 0.9.6c do not include the countermeasure that -can be disabled with this option (in OpenSSL 0.9.6d, it was always -enabled). -.PP -\&\fISSL_CTX_clear_options()\fR and \fISSL_clear_options()\fR were first added in OpenSSL -0.9.8m. -.PP -\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR, \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR -and the function \fISSL_get_secure_renegotiation_support()\fR were first added in -OpenSSL 0.9.8m. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_psk_client_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_psk_client_callback.3 new file mode 100644 index 000000000000..5a8e887f71ef --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_psk_client_callback.3 @@ -0,0 +1,288 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_PSK_CLIENT_CALLBACK 3" +.TH SSL_CTX_SET_PSK_CLIENT_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_psk_client_cb_func, SSL_psk_use_session_cb_func, SSL_CTX_set_psk_client_callback, SSL_set_psk_client_callback, SSL_CTX_set_psk_use_session_callback, SSL_set_psk_use_session_callback \&\- set PSK client callback +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef int (*SSL_psk_use_session_cb_func)(SSL *ssl, const EVP_MD *md, +\& const unsigned char **id, +\& size_t *idlen, +\& SSL_SESSION **sess); +\& +\& +\& void SSL_CTX_set_psk_use_session_callback(SSL_CTX *ctx, +\& SSL_psk_use_session_cb_func cb); +\& void SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb); +\& +\& +\& typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl, +\& const char *hint, +\& char *identity, +\& unsigned int max_identity_len, +\& unsigned char *psk, +\& unsigned int max_psk_len); +\& +\& void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb); +\& void SSL_set_psk_client_callback(SSL *ssl, SSL_psk_client_cb_func cb); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A client application wishing to use TLSv1.3 PSKs should use either +\&\fISSL_CTX_set_psk_use_session_callback()\fR or \fISSL_set_psk_use_session_callback()\fR as +appropriate. These functions cannot be used for TLSv1.2 and below PSKs. +.PP +The callback function is given a pointer to the \s-1SSL\s0 connection in \fBssl\fR. +.PP +The first time the callback is called for a connection the \fBmd\fR parameter is +\&\s-1NULL.\s0 In some circumstances the callback will be called a second time. In that +case the server will have specified a ciphersuite to use already and the \s-1PSK\s0 +must be compatible with the digest for that ciphersuite. The digest will be +given in \fBmd\fR. The \s-1PSK\s0 returned by the callback is allowed to be different +between the first and second time it is called. +.PP +On successful completion the callback must store a pointer to an identifier for +the \s-1PSK\s0 in \fB*id\fR. The identifier length in bytes should be stored in \fB*idlen\fR. +The memory pointed to by \fB*id\fR remains owned by the application and should +be freed by it as required at any point after the handshake is complete. +.PP +Additionally the callback should store a pointer to an \s-1SSL_SESSION\s0 object in +\&\fB*sess\fR. This is used as the basis for the \s-1PSK,\s0 and should, at a minimum, have +the following fields set: +.IP "The master key" 4 +.IX Item "The master key" +This can be set via a call to \fISSL_SESSION_set1_master_key\fR\|(3). +.IP "A ciphersuite" 4 +.IX Item "A ciphersuite" +Only the handshake digest associated with the ciphersuite is relevant for the +\&\s-1PSK\s0 (the server may go on to negotiate any ciphersuite which is compatible with +the digest). The application can use any TLSv1.3 ciphersuite. If \fBmd\fR is +not \s-1NULL\s0 the handshake digest for the ciphersuite should be the same. +The ciphersuite can be set via a call to <\fISSL_SESSION_set_cipher\fR\|(3)>. The +handshake digest of an \s-1SSL_CIPHER\s0 object can be checked using +<\fISSL_CIPHER_get_handshake_digest\fR\|(3)>. +.IP "The protocol version" 4 +.IX Item "The protocol version" +This can be set via a call to \fISSL_SESSION_set_protocol_version\fR\|(3) and should +be \s-1TLS1_3_VERSION.\s0 +.PP +Additionally the maximum early data value should be set via a call to +\&\fISSL_SESSION_set_max_early_data\fR\|(3) if the \s-1PSK\s0 will be used for sending early +data. +.PP +Alternatively an \s-1SSL_SESSION\s0 created from a previous non-PSK handshake may also +be used as the basis for a \s-1PSK.\s0 +.PP +Ownership of the \s-1SSL_SESSION\s0 object is passed to the OpenSSL library and so it +should not be freed by the application. +.PP +It is also possible for the callback to succeed but not supply a \s-1PSK.\s0 In this +case no \s-1PSK\s0 will be sent to the server but the handshake will continue. To do +this the callback should return successfully and ensure that \fB*sess\fR is +\&\s-1NULL.\s0 The contents of \fB*id\fR and \fB*idlen\fR will be ignored. +.PP +A client application wishing to use \s-1PSK\s0 ciphersuites for TLSv1.2 and below must +provide a different callback function. This function will be called when the +client is sending the ClientKeyExchange message to the server. +.PP +The purpose of the callback function is to select the \s-1PSK\s0 identity and +the pre-shared key to use during the connection setup phase. +.PP +The callback is set using functions \fISSL_CTX_set_psk_client_callback()\fR +or \fISSL_set_psk_client_callback()\fR. The callback function is given the +connection in parameter \fBssl\fR, a \fB\s-1NULL\s0\fR\-terminated \s-1PSK\s0 identity hint +sent by the server in parameter \fBhint\fR, a buffer \fBidentity\fR of +length \fBmax_identity_len\fR bytes where the resulting +\&\fB\s-1NUL\s0\fR\-terminated identity is to be stored, and a buffer \fBpsk\fR of +length \fBmax_psk_len\fR bytes where the resulting pre-shared key is to +be stored. +.PP +The callback for use in TLSv1.2 will also work in TLSv1.3 although it is +recommended to use \fISSL_CTX_set_psk_use_session_callback()\fR +or \fISSL_set_psk_use_session_callback()\fR for this purpose instead. If TLSv1.3 has +been negotiated then OpenSSL will first check to see if a callback has been set +via \fISSL_CTX_set_psk_use_session_callback()\fR or \fISSL_set_psk_use_session_callback()\fR +and it will use that in preference. If no such callback is present then it will +check to see if a callback has been set via \fISSL_CTX_set_psk_client_callback()\fR or +\&\fISSL_set_psk_client_callback()\fR and use that. In this case the \fBhint\fR value will +always be \s-1NULL\s0 and the handshake digest will default to \s-1SHA\-256\s0 for any returned +\&\s-1PSK.\s0 +.SH "NOTES" +.IX Header "NOTES" +Note that parameter \fBhint\fR given to the callback may be \fB\s-1NULL\s0\fR. +.PP +A connection established via a TLSv1.3 \s-1PSK\s0 will appear as if session resumption +has occurred so that \fISSL_session_reused\fR\|(3) will return true. +.PP +There are no known security issues with sharing the same \s-1PSK\s0 between TLSv1.2 (or +below) and TLSv1.3. However the \s-1RFC\s0 has this note of caution: +.PP +\&\*(L"While there is no known way in which the same \s-1PSK\s0 might produce related output +in both versions, only limited analysis has been done. Implementations can +ensure safety from cross-protocol related output by not reusing PSKs between +\&\s-1TLS 1.3\s0 and \s-1TLS 1.2.\*(R"\s0 +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Return values from the \fBSSL_psk_client_cb_func\fR callback are interpreted as +follows: +.PP +On success (callback found a \s-1PSK\s0 identity and a pre-shared key to use) +the length (> 0) of \fBpsk\fR in bytes is returned. +.PP +Otherwise or on errors the callback should return 0. In this case +the connection setup fails. +.PP +The SSL_psk_use_session_cb_func callback should return 1 on success or 0 on +failure. In the event of failure the connection setup fails. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_CTX_set_psk_find_session_callback\fR\|(3), +\&\fISSL_set_psk_find_session_callback\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_CTX_set_psk_use_session_callback()\fR and \fISSL_set_psk_use_session_callback()\fR +were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/secure/lib/libcrypto/man/SSL_CTX_set_quiet_shutdown.3 similarity index 92% rename from secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_quiet_shutdown.3 index 9895011cc820..c7d22107d57e 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_quiet_shutdown.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_quiet_shutdown 3" -.TH SSL_CTX_set_quiet_shutdown 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_QUIET_SHUTDOWN 3" +.TH SSL_CTX_SET_QUIET_SHUTDOWN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -186,6 +186,14 @@ diagnostic information. setting. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_shutdown\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_shutdown\fR\|(3), \&\fISSL_set_shutdown\fR\|(3), \fISSL_new\fR\|(3), \&\fISSL_clear\fR\|(3), \fISSL_free\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_read_ahead.3 b/secure/lib/libcrypto/man/SSL_CTX_set_read_ahead.3 new file mode 100644 index 000000000000..df38d918a4ae --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_read_ahead.3 @@ -0,0 +1,198 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_READ_AHEAD 3" +.TH SSL_CTX_SET_READ_AHEAD 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_read_ahead, SSL_CTX_get_read_ahead, SSL_set_read_ahead, SSL_get_read_ahead, SSL_CTX_get_default_read_ahead \&\- manage whether to read as many input bytes as possible +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void SSL_set_read_ahead(SSL *s, int yes); +\& int SSL_get_read_ahead(const SSL *s); +\& +\& SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes); +\& long SSL_CTX_get_read_ahead(SSL_CTX *ctx); +\& long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set_read_ahead()\fR and \fISSL_set_read_ahead()\fR set whether we should read as +many input bytes as possible (for non-blocking reads) or not. For example if +\&\fBx\fR bytes are currently required by OpenSSL, but \fBy\fR bytes are available from +the underlying \s-1BIO\s0 (where \fBy\fR > \fBx\fR), then OpenSSL will read all \fBy\fR bytes +into its buffer (providing that the buffer is large enough) if reading ahead is +on, or \fBx\fR bytes otherwise. +Setting the parameter \fByes\fR to 0 turns reading ahead is off, other values turn +it on. +\&\fISSL_CTX_set_default_read_ahead()\fR is identical to \fISSL_CTX_set_read_ahead()\fR. +.PP +\&\fISSL_CTX_get_read_ahead()\fR and \fISSL_get_read_ahead()\fR indicate whether reading +ahead has been set or not. +\&\fISSL_CTX_get_default_read_ahead()\fR is identical to \fISSL_CTX_get_read_ahead()\fR. +.SH "NOTES" +.IX Header "NOTES" +These functions have no impact when used with \s-1DTLS.\s0 The return values for +\&\fISSL_CTX_get_read_head()\fR and \fISSL_get_read_ahead()\fR are undefined for \s-1DTLS.\s0 Setting +\&\fBread_ahead\fR can impact the behaviour of the \fISSL_pending()\fR function +(see \fISSL_pending\fR\|(3)). +.PP +Since \fISSL_read()\fR can return \fB\s-1SSL_ERROR_WANT_READ\s0\fR for non-application data +records, and \fISSL_has_pending()\fR can't tell the difference between processed and +unprocessed data, it's recommended that if read ahead is turned on that +\&\fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is not turned off using \fISSL_CTX_clear_mode()\fR. +That will prevent getting \fB\s-1SSL_ERROR_WANT_READ\s0\fR when there is still a complete +record availale that hasn't been processed. +.PP +If the application wants to continue to use the underlying transport (e.g. \s-1TCP\s0 +connection) after the \s-1SSL\s0 connection is finished using \fISSL_shutdown()\fR reading +ahead should be turned off. +Otherwise the \s-1SSL\s0 structure might read data that it shouldn't. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_get_read_ahead()\fR and \fISSL_CTX_get_read_ahead()\fR return 0 if reading ahead is off, +and non zero otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_pending\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_record_padding_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_record_padding_callback.3 new file mode 100644 index 000000000000..ccc1aaa50886 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_record_padding_callback.3 @@ -0,0 +1,215 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_RECORD_PADDING_CALLBACK 3" +.TH SSL_CTX_SET_RECORD_PADDING_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_record_padding_callback, SSL_set_record_padding_callback, SSL_CTX_set_record_padding_callback_arg, SSL_set_record_padding_callback_arg, SSL_CTX_get_record_padding_callback_arg, SSL_get_record_padding_callback_arg, SSL_CTX_set_block_padding, SSL_set_block_padding \- install callback to specify TLS 1.3 record padding +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void SSL_CTX_set_record_padding_callback(SSL_CTX *ctx, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); +\& void SSL_set_record_padding_callback(SSL *ssl, size_t (*cb)(SSL *s, int type, size_t len, void *arg)); +\& +\& void SSL_CTX_set_record_padding_callback_arg(SSL_CTX *ctx, void *arg); +\& void *SSL_CTX_get_record_padding_callback_arg(SSL_CTX *ctx); +\& +\& void SSL_set_record_padding_callback_arg(SSL *ssl, void *arg); +\& void *SSL_get_record_padding_callback_arg(SSL *ssl); +\& +\& int SSL_CTX_set_block_padding(SSL_CTX *ctx, size_t block_size); +\& int SSL_set_block_padding(SSL *ssl, size_t block_size); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set_record_padding_callback()\fR or \fISSL_set_record_padding_callback()\fR +can be used to assign a callback function \fIcb\fR to specify the padding +for \s-1TLS 1.3\s0 records. The value set in \fBctx\fR is copied to a new \s-1SSL\s0 by \fISSL_new()\fR. +.PP +\&\fISSL_CTX_set_record_padding_callback_arg()\fR and \fISSL_set_record_padding_callback_arg()\fR +assign a value \fBarg\fR that is passed to the callback when it is invoked. The value +set in \fBctx\fR is copied to a new \s-1SSL\s0 by \fISSL_new()\fR. +.PP +\&\fISSL_CTX_get_record_padding_callback_arg()\fR and \fISSL_get_record_padding_callback_arg()\fR +retrieve the \fBarg\fR value that is passed to the callback. +.PP +\&\fISSL_CTX_set_block_padding()\fR and \fISSL_set_block_padding()\fR pads the record to a multiple +of the \fBblock_size\fR. A \fBblock_size\fR of 0 or 1 disables block padding. The limit of +\&\fBblock_size\fR is \s-1SSL3_RT_MAX_PLAIN_LENGTH.\s0 +.PP +The callback is invoked for every record before encryption. +The \fBtype\fR parameter is the \s-1TLS\s0 record type that is being processed; may be +one of \s-1SSL3_RT_APPLICATION_DATA, SSL3_RT_HANDSHAKE,\s0 or \s-1SSL3_RT_ALERT.\s0 +The \fBlen\fR parameter is the current plaintext length of the record before encryption. +The \fBarg\fR parameter is the value set via \fISSL_CTX_set_record_padding_callback_arg()\fR +or \fISSL_set_record_padding_callback_arg()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The \fISSL_CTX_get_record_padding_callback_arg()\fR and \fISSL_get_record_padding_callback_arg()\fR +functions return the \fBarg\fR value assigned in the corresponding set functions. +.PP +The \fISSL_CTX_set_block_padding()\fR and \fISSL_set_block_padding()\fR functions return 1 on success +or 0 if \fBblock_size\fR is too large. +.PP +The \fBcb\fR returns the number of padding bytes to add to the record. A return of 0 +indicates no padding will be added. A return value that causes the record to +exceed the maximum record size (\s-1SSL3_RT_MAX_PLAIN_LENGTH\s0) will pad out to the +maximum record size. +.SH "NOTES" +.IX Header "NOTES" +The default behavior is to add no padding to the record. +.PP +A user-supplied padding callback function will override the behavior set by +\&\fISSL_set_block_padding()\fR or \fISSL_CTX_set_block_padding()\fR. Setting the user-supplied +callback to \s-1NULL\s0 will restore the configured block padding behavior. +.PP +These functions only apply to \s-1TLS 1.3\s0 records being written. +.PP +Padding bytes are not added in constant-time. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_new\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The record padding \s-1API\s0 was added for \s-1TLS 1.3\s0 support in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_security_level.3 b/secure/lib/libcrypto/man/SSL_CTX_set_security_level.3 new file mode 100644 index 000000000000..bf79e4c86599 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_security_level.3 @@ -0,0 +1,305 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_SECURITY_LEVEL 3" +.TH SSL_CTX_SET_SECURITY_LEVEL 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_security_level, SSL_set_security_level, SSL_CTX_get_security_level, SSL_get_security_level, SSL_CTX_set_security_callback, SSL_set_security_callback, SSL_CTX_get_security_callback, SSL_get_security_callback, SSL_CTX_set0_security_ex_data, SSL_set0_security_ex_data, SSL_CTX_get0_security_ex_data, SSL_get0_security_ex_data \- SSL/TLS security framework +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void SSL_CTX_set_security_level(SSL_CTX *ctx, int level); +\& void SSL_set_security_level(SSL *s, int level); +\& +\& int SSL_CTX_get_security_level(const SSL_CTX *ctx); +\& int SSL_get_security_level(const SSL *s); +\& +\& void SSL_CTX_set_security_callback(SSL_CTX *ctx, +\& int (*cb)(SSL *s, SSL_CTX *ctx, int op, +\& int bits, int nid, +\& void *other, void *ex)); +\& +\& void SSL_set_security_callback(SSL *s, int (*cb)(SSL *s, SSL_CTX *ctx, int op, +\& int bits, int nid, +\& void *other, void *ex)); +\& +\& int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(SSL *s, SSL_CTX *ctx, int op, +\& int bits, int nid, void *other, +\& void *ex); +\& int (*SSL_get_security_callback(const SSL *s))(SSL *s, SSL_CTX *ctx, int op, +\& int bits, int nid, void *other, +\& void *ex); +\& +\& void SSL_CTX_set0_security_ex_data(SSL_CTX *ctx, void *ex); +\& void SSL_set0_security_ex_data(SSL *s, void *ex); +\& +\& void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx); +\& void *SSL_get0_security_ex_data(const SSL *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The functions \fISSL_CTX_set_security_level()\fR and \fISSL_set_security_level()\fR set +the security level to \fBlevel\fR. If not set the library default security level +is used. +.PP +The functions \fISSL_CTX_get_security_level()\fR and \fISSL_get_security_level()\fR +retrieve the current security level. +.PP +\&\fISSL_CTX_set_security_callback()\fR, \fISSL_set_security_callback()\fR, +\&\fISSL_CTX_get_security_callback()\fR and \fISSL_get_security_callback()\fR get or set +the security callback associated with \fBctx\fR or \fBs\fR. If not set a default +security callback is used. The meaning of the parameters and the behaviour +of the default callbacks is described below. +.PP +\&\fISSL_CTX_set0_security_ex_data()\fR, \fISSL_set0_security_ex_data()\fR, +\&\fISSL_CTX_get0_security_ex_data()\fR and \fISSL_get0_security_ex_data()\fR set the +extra data pointer passed to the \fBex\fR parameter of the callback. This +value is passed to the callback verbatim and can be set to any convenient +application specific value. +.SH "DEFAULT CALLBACK BEHAVIOUR" +.IX Header "DEFAULT CALLBACK BEHAVIOUR" +If an application doesn't set its own security callback the default +callback is used. It is intended to provide sane defaults. The meaning +of each level is described below. +.IP "\fBLevel 0\fR" 4 +.IX Item "Level 0" +Everything is permitted. This retains compatibility with previous versions of +OpenSSL. +.IP "\fBLevel 1\fR" 4 +.IX Item "Level 1" +The security level corresponds to a minimum of 80 bits of security. Any +parameters offering below 80 bits of security are excluded. As a result \s-1RSA, +DSA\s0 and \s-1DH\s0 keys shorter than 1024 bits and \s-1ECC\s0 keys shorter than 160 bits +are prohibited. All export cipher suites are prohibited since they all offer +less than 80 bits of security. \s-1SSL\s0 version 2 is prohibited. Any cipher suite +using \s-1MD5\s0 for the \s-1MAC\s0 is also prohibited. +.IP "\fBLevel 2\fR" 4 +.IX Item "Level 2" +Security level set to 112 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys +shorter than 2048 bits and \s-1ECC\s0 keys shorter than 224 bits are prohibited. +In addition to the level 1 exclusions any cipher suite using \s-1RC4\s0 is also +prohibited. \s-1SSL\s0 version 3 is also not allowed. Compression is disabled. +.IP "\fBLevel 3\fR" 4 +.IX Item "Level 3" +Security level set to 128 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys +shorter than 3072 bits and \s-1ECC\s0 keys shorter than 256 bits are prohibited. +In addition to the level 2 exclusions cipher suites not offering forward +secrecy are prohibited. \s-1TLS\s0 versions below 1.1 are not permitted. Session +tickets are disabled. +.IP "\fBLevel 4\fR" 4 +.IX Item "Level 4" +Security level set to 192 bits of security. As a result \s-1RSA, DSA\s0 and +\&\s-1DH\s0 keys shorter than 7680 bits and \s-1ECC\s0 keys shorter than 384 bits are +prohibited. Cipher suites using \s-1SHA1\s0 for the \s-1MAC\s0 are prohibited. \s-1TLS\s0 +versions below 1.2 are not permitted. +.IP "\fBLevel 5\fR" 4 +.IX Item "Level 5" +Security level set to 256 bits of security. As a result \s-1RSA, DSA\s0 and \s-1DH\s0 keys +shorter than 15360 bits and \s-1ECC\s0 keys shorter than 512 bits are prohibited. +.SH "APPLICATION DEFINED SECURITY CALLBACKS" +.IX Header "APPLICATION DEFINED SECURITY CALLBACKS" +\&\fIDocumentation to be provided.\fR +.SH "NOTES" +.IX Header "NOTES" +\&\fB\s-1WARNING\s0\fR at this time setting the security level higher than 1 for +general internet use is likely to cause \fBconsiderable\fR interoperability +issues and is not recommended. This is because the \fB\s-1SHA1\s0\fR algorithm +is very widely used in certificates and will be rejected at levels +higher than 1 because it only offers 80 bits of security. +.PP +The default security level can be configured when OpenSSL is compiled by +setting \fB\-DOPENSSL_TLS_SECURITY_LEVEL=level\fR. If not set then 1 is used. +.PP +The security framework disables or reject parameters inconsistent with the +set security level. In the past this was difficult as applications had to set +a number of distinct parameters (supported ciphers, supported curves supported +signature algorithms) to achieve this end and some cases (\s-1DH\s0 parameter size +for example) could not be checked at all. +.PP +By setting an appropriate security level much of this complexity can be +avoided. +.PP +The bits of security limits affect all relevant parameters including +cipher suite encryption algorithms, supported \s-1ECC\s0 curves, supported +signature algorithms, \s-1DH\s0 parameter sizes, certificate key sizes and +signature algorithms. This limit applies no matter what other custom +settings an application has set: so if the cipher suite is set to \fB\s-1ALL\s0\fR +then only cipher suites consistent with the security level are permissible. +.PP +See \s-1SP800\-57\s0 for how the security limits are related to individual +algorithms. +.PP +Some security levels require large key sizes for non-ECC public key +algorithms which can severely degrade performance. For example 256 bits +of security requires the use of \s-1RSA\s0 keys of at least 15360 bits in size. +.PP +Some restrictions can be gracefully handled: for example cipher suites +offering insufficient security are not sent by the client and will not +be selected by the server. Other restrictions such as the peer certificate +key size or the \s-1DH\s0 parameter size will abort the handshake with a fatal +alert. +.PP +Attempts to set certificates or parameters with insufficient security are +also blocked. For example trying to set a certificate using a 512 bit \s-1RSA\s0 +key using \fISSL_CTX_use_certificate()\fR at level 1. Applications which do not +check the return values for errors will misbehave: for example it might +appear that a certificate is not set at all because it had been rejected. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_set_security_level()\fR and \fISSL_set_security_level()\fR do not return values. +.PP +\&\fISSL_CTX_get_security_level()\fR and \fISSL_get_security_level()\fR return a integer that +represents the security level with \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR, respectively. +.PP +\&\fISSL_CTX_set_security_callback()\fR and \fISSL_set_security_callback()\fR do not return +values. +.PP +\&\fISSL_CTX_get_security_callback()\fR and \fISSL_get_security_callback()\fR return the pointer +to the security callback or \s-1NULL\s0 if the callback is not set. +.PP +\&\fISSL_CTX_get0_security_ex_data()\fR and \fISSL_get0_security_ex_data()\fR return the extra +data pointer or \s-1NULL\s0 if the ex data is not set. +.SH "HISTORY" +.IX Header "HISTORY" +These functions were first added to OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2014\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/secure/lib/libcrypto/man/SSL_CTX_set_session_cache_mode.3 similarity index 94% rename from secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_session_cache_mode.3 index 24e5aba183b0..311fd74333e4 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_session_cache_mode.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_session_cache_mode 3" -.TH SSL_CTX_set_session_cache_mode 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_SESSION_CACHE_MODE 3" +.TH SSL_CTX_SET_SESSION_CACHE_MODE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -158,7 +158,7 @@ The sessions can be held in memory for each \fBctx\fR, if more than one object. .PP In order to reuse a session, a client must send the session's id to the -server. It can only send exactly one id. The server then either +server. It can only send exactly one id. The server then either agrees to reuse the session or it starts a full handshake (to create a new session). .PP @@ -235,7 +235,7 @@ The default mode is \s-1SSL_SESS_CACHE_SERVER.\s0 \&\fISSL_CTX_get_session_cache_mode()\fR returns the currently set cache mode. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_set_session\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_set_session\fR\|(3), \&\fISSL_session_reused\fR\|(3), \&\fISSL_CTX_add_session\fR\|(3), \&\fISSL_CTX_sess_number\fR\|(3), @@ -244,7 +244,11 @@ The default mode is \s-1SSL_SESS_CACHE_SERVER.\s0 \&\fISSL_CTX_set_session_id_context\fR\|(3), \&\fISSL_CTX_set_timeout\fR\|(3), \&\fISSL_CTX_flush_sessions\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1SSL_SESS_CACHE_NO_INTERNAL_STORE\s0 and \s-1SSL_SESS_CACHE_NO_INTERNAL\s0 -were introduced in OpenSSL 0.9.6h. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/secure/lib/libcrypto/man/SSL_CTX_set_session_id_context.3 similarity index 93% rename from secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_session_id_context.3 index 1c210d823736..dedebbae75ba 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_session_id_context.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_session_id_context 3" -.TH SSL_CTX_set_session_id_context 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_SESSION_ID_CONTEXT 3" +.TH SSL_CTX_SET_SESSION_ID_CONTEXT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -200,4 +200,12 @@ is logged to the error stack. The operation succeeded. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_session_ticket_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_session_ticket_cb.3 new file mode 100644 index 000000000000..e5382409fc53 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_session_ticket_cb.3 @@ -0,0 +1,297 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_SESSION_TICKET_CB 3" +.TH SSL_CTX_SET_SESSION_TICKET_CB 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_session_ticket_cb, SSL_SESSION_get0_ticket_appdata, SSL_SESSION_set1_ticket_appdata, SSL_CTX_generate_session_ticket_fn, SSL_CTX_decrypt_session_ticket_fn \- manage session ticket application data +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef int (*SSL_CTX_generate_session_ticket_fn)(SSL *s, void *arg); +\& typedef SSL_TICKET_RETURN (*SSL_CTX_decrypt_session_ticket_fn)(SSL *s, SSL_SESSION *ss, +\& const unsigned char *keyname, +\& size_t keyname_len, +\& SSL_TICKET_STATUS status, +\& void *arg); +\& int SSL_CTX_set_session_ticket_cb(SSL_CTX *ctx, +\& SSL_CTX_generate_session_ticket_fn gen_cb, +\& SSL_CTX_decrypt_session_ticket_fn dec_cb, +\& void *arg); +\& int SSL_SESSION_set1_ticket_appdata(SSL_SESSION *ss, const void *data, size_t len); +\& int SSL_SESSION_get0_ticket_appdata(SSL_SESSION *ss, void **data, size_t *len); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set_set_session_ticket_cb()\fR sets the application callbacks \fBgen_cb\fR +and \fBdec_cb\fR that are used by a server to set and get application data stored +with a session, and placed into a session ticket. Either callback function may +be set to \s-1NULL.\s0 The value of \fBarg\fR is passed to the callbacks. +.PP +\&\fBgen_cb\fR is the application defined callback invoked when a session ticket is +about to be created. The application can call \fISSL_SESSION_set1_ticket_appdata()\fR +at this time to add application data to the session ticket. The value of \fBarg\fR +is the same as that given to \fISSL_CTX_set_session_ticket_cb()\fR. The \fBgen_cb\fR +callback is defined as type \fBSSL_CTX_generate_session_ticket_fn\fR. +.PP +\&\fBdec_cb\fR is the application defined callback invoked after session ticket +decryption has been attempted and any session ticket application data is +available. If ticket decryption was successful then the \fBss\fR argument contains +the session data. The \fBkeyname\fR and \fBkeyname_len\fR arguments identify the key +used to decrypt the session ticket. The \fBstatus\fR argument is the result of the +ticket decryption. See the \s-1NOTES\s0 section below for further details. The value +of \fBarg\fR is the same as that given to \fISSL_CTX_set_session_ticket_cb()\fR. The +\&\fBdec_cb\fR callback is defined as type \fBSSL_CTX_decrypt_session_ticket_fn\fR. +.PP +\&\fISSL_SESSION_set1_ticket_appdata()\fR sets the application data specified by +\&\fBdata\fR and \fBlen\fR into \fBss\fR which is then placed into any generated session +tickets. It can be called at any time before a session ticket is created to +update the data placed into the session ticket. However, given that sessions +and tickets are created by the handshake, the \fBgen_cb\fR is provided to notify +the application that a session ticket is about to be generated. +.PP +\&\fISSL_SESSION_get0_ticket_appdata()\fR assigns \fBdata\fR to the session ticket +application data and assigns \fBlen\fR to the length of the session ticket +application data from \fBss\fR. The application data can be set via +\&\fISSL_SESSION_set1_ticket_appdata()\fR or by a session ticket. \s-1NULL\s0 will be assigned +to \fBdata\fR and 0 will be assigned to \fBlen\fR if there is no session ticket +application data. \fISSL_SESSION_get0_ticket_appdata()\fR can be called any time +after a session has been created. The \fBdec_cb\fR is provided to notify the +application that a session ticket has just been decrypted. +.SH "NOTES" +.IX Header "NOTES" +When the \fBdec_cb\fR callback is invoked, the \s-1SSL_SESSION\s0 \fBss\fR has not yet been +assigned to the \s-1SSL\s0 \fBs\fR. The \fBstatus\fR indicates the result of the ticket +decryption. The callback must check the \fBstatus\fR value before performing any +action, as it is called even if ticket decryption fails. +.PP +The \fBkeyname\fR and \fBkeyname_len\fR arguments to \fBdec_cb\fR may be used to identify +the key that was used to encrypt the session ticket. +.PP +The \fBstatus\fR argument can be any of these values: +.IP "\s-1SSL_TICKET_EMPTY\s0" 4 +.IX Item "SSL_TICKET_EMPTY" +Empty ticket present. No ticket data will be used and a new ticket should be +sent to the client. This only occurs in TLSv1.2 or below. In TLSv1.3 it is not +valid for a client to send an empty ticket. +.IP "\s-1SSL_TICKET_NO_DECRYPT\s0" 4 +.IX Item "SSL_TICKET_NO_DECRYPT" +The ticket couldn't be decrypted. No ticket data will be used and a new ticket +should be sent to the client. +.IP "\s-1SSL_TICKET_SUCCESS\s0" 4 +.IX Item "SSL_TICKET_SUCCESS" +A ticket was successfully decrypted, any session ticket application data should +be available. A new ticket should not be sent to the client. +.IP "\s-1SSL_TICKET_SUCCESS_RENEW\s0" 4 +.IX Item "SSL_TICKET_SUCCESS_RENEW" +Same as \fB\s-1SSL_TICKET_SUCCESS\s0\fR, but a new ticket should be sent to the client. +.PP +The return value can be any of these values: +.IP "\s-1SSL_TICKET_RETURN_ABORT\s0" 4 +.IX Item "SSL_TICKET_RETURN_ABORT" +The handshake should be aborted, either because of an error or because of some +policy. Note that in TLSv1.3 a client may send more than one ticket in a single +handshake. Therefore just because one ticket is unacceptable it does not mean +that all of them are. For this reason this option should be used with caution. +.IP "\s-1SSL_TICKET_RETURN_IGNORE\s0" 4 +.IX Item "SSL_TICKET_RETURN_IGNORE" +Do not use a ticket (if one was available). Do not send a renewed ticket to the +client. +.IP "\s-1SSL_TICKET_RETURN_IGNORE_RENEW\s0" 4 +.IX Item "SSL_TICKET_RETURN_IGNORE_RENEW" +Do not use a ticket (if one was available). Send a renewed ticket to the client. +.Sp +If the callback does not wish to change the default ticket behaviour then it +should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_EMPTY\s0\fR or +\&\fB\s-1SSL_TICKET_NO_DECRYPT\s0\fR. +.IP "\s-1SSL_TICKET_RETURN_USE\s0" 4 +.IX Item "SSL_TICKET_RETURN_USE" +Use the ticket. Do not send a renewed ticket to the client. It is an error for +the callback to return this value if \fBstatus\fR has a value other than +\&\fB\s-1SSL_TICKET_SUCCESS\s0\fR or \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR. +.Sp +If the callback does not wish to change the default ticket behaviour then it +should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_SUCCESS\s0\fR. +.IP "\s-1SSL_TICKET_RETURN_USE_RENEW\s0" 4 +.IX Item "SSL_TICKET_RETURN_USE_RENEW" +Use the ticket. Send a renewed ticket to the client. It is an error for the +callback to return this value if \fBstatus\fR has a value other than +\&\fB\s-1SSL_TICKET_SUCCESS\s0\fR or \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR. +.Sp +If the callback does not wish to change the default ticket behaviour then it +should return this value if \fBstatus\fR is \fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR. +.PP +If \fBstatus\fR has the value \fB\s-1SSL_TICKET_EMPTY\s0\fR or \fB\s-1SSL_TICKET_NO_DECRYPT\s0\fR then +no session data will be available and the callback must not use the \fBss\fR +argument. If \fBstatus\fR has the value \fB\s-1SSL_TICKET_SUCCESS\s0\fR or +\&\fB\s-1SSL_TICKET_SUCCESS_RENEW\s0\fR then the application can call +\&\fISSL_SESSION_get0_ticket_appdata()\fR using the session provided in the \fBss\fR +argument to retrieve the application data. +.PP +When the \fBgen_cb\fR callback is invoked, the \fISSL_get_session()\fR function can be +used to retrieve the \s-1SSL_SESSION\s0 for \fISSL_SESSION_set1_ticket_appdata()\fR. +.PP +By default, in TLSv1.2 and below, a new session ticket is not issued on a +successful resumption and therefore \fBgen_cb\fR will not be called. In TLSv1.3 the +default behaviour is to always issue a new ticket on resumption. In both cases +this behaviour can be changed if a ticket key callback is in use (see +\&\fISSL_CTX_set_tlsext_ticket_key_cb\fR\|(3)). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The \fISSL_CTX_set_session_ticket_cb()\fR, \fISSL_SESSION_set1_ticket_appdata()\fR and +\&\fISSL_SESSION_get0_ticket_appdata()\fR functions return 1 on success and 0 on +failure. +.PP +The \fBgen_cb\fR callback must return 1 to continue the connection. A return of 0 +will terminate the connection with an \s-1INTERNAL_ERROR\s0 alert. +.PP +The \fBdec_cb\fR callback must return a value as described in \s-1NOTES\s0 above. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fISSL_get_session\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_CTX_set_session_ticket_cb()\fR, \fISSSL_SESSION_set1_ticket_appdata()\fR and +\&\fISSL_SESSION_get_ticket_appdata()\fR were added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_split_send_fragment.3 b/secure/lib/libcrypto/man/SSL_CTX_set_split_send_fragment.3 new file mode 100644 index 000000000000..3324a73842d3 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_split_send_fragment.3 @@ -0,0 +1,299 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3" +.TH SSL_CTX_SET_SPLIT_SEND_FRAGMENT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_max_send_fragment, SSL_set_max_send_fragment, SSL_CTX_set_split_send_fragment, SSL_set_split_send_fragment, SSL_CTX_set_max_pipelines, SSL_set_max_pipelines, SSL_CTX_set_default_read_buffer_len, SSL_set_default_read_buffer_len, SSL_CTX_set_tlsext_max_fragment_length, SSL_set_tlsext_max_fragment_length, SSL_SESSION_get_max_fragment_length \- Control fragment size settings and pipelining operations +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& long SSL_CTX_set_max_send_fragment(SSL_CTX *ctx, long); +\& long SSL_set_max_send_fragment(SSL *ssl, long m); +\& +\& long SSL_CTX_set_max_pipelines(SSL_CTX *ctx, long m); +\& long SSL_set_max_pipelines(SSL_CTX *ssl, long m); +\& +\& long SSL_CTX_set_split_send_fragment(SSL_CTX *ctx, long m); +\& long SSL_set_split_send_fragment(SSL *ssl, long m); +\& +\& void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len); +\& void SSL_set_default_read_buffer_len(SSL *s, size_t len); +\& +\& int SSL_CTX_set_tlsext_max_fragment_length(SSL_CTX *ctx, uint8_t mode); +\& int SSL_set_tlsext_max_fragment_length(SSL *ssl, uint8_t mode); +\& uint8_t SSL_SESSION_get_max_fragment_length(SSL_SESSION *session); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Some engines are able to process multiple simultaneous crypto operations. This +capability could be utilised to parallelise the processing of a single +connection. For example a single write can be split into multiple records and +each one encrypted independently and in parallel. Note: this will only work in +\&\s-1TLS1.1+.\s0 There is no support in SSLv3, TLSv1.0 or \s-1DTLS\s0 (any version). This +capability is known as \*(L"pipelining\*(R" within OpenSSL. +.PP +In order to benefit from the pipelining capability. You need to have an engine +that provides ciphers that support this. The OpenSSL \*(L"dasync\*(R" engine provides +\&\s-1AES128\-SHA\s0 based ciphers that have this capability. However these are for +development and test purposes only. +.PP +\&\fISSL_CTX_set_max_send_fragment()\fR and \fISSL_set_max_send_fragment()\fR set the +\&\fBmax_send_fragment\fR parameter for \s-1SSL_CTX\s0 and \s-1SSL\s0 objects respectively. This +value restricts the amount of plaintext bytes that will be sent in any one +\&\s-1SSL/TLS\s0 record. By default its value is \s-1SSL3_RT_MAX_PLAIN_LENGTH\s0 (16384). These +functions will only accept a value in the range 512 \- \s-1SSL3_RT_MAX_PLAIN_LENGTH.\s0 +.PP +\&\fISSL_CTX_set_max_pipelines()\fR and \fISSL_set_max_pipelines()\fR set the maximum number +of pipelines that will be used at any one time. This value applies to both +\&\*(L"read\*(R" pipelining and \*(L"write\*(R" pipelining. By default only one pipeline will be +used (i.e. normal non-parallel operation). The number of pipelines set must be +in the range 1 \- \s-1SSL_MAX_PIPELINES\s0 (32). Setting this to a value > 1 will also +automatically turn on \*(L"read_ahead\*(R" (see \fISSL_CTX_set_read_ahead\fR\|(3)). This is +explained further below. OpenSSL will only every use more than one pipeline if +a cipher suite is negotiated that uses a pipeline capable cipher provided by an +engine. +.PP +Pipelining operates slightly differently for reading encrypted data compared to +writing encrypted data. \fISSL_CTX_set_split_send_fragment()\fR and +\&\fISSL_set_split_send_fragment()\fR define how data is split up into pipelines when +writing encrypted data. The number of pipelines used will be determined by the +amount of data provided to the \fISSL_write_ex()\fR or \fISSL_write()\fR call divided by +\&\fBsplit_send_fragment\fR. +.PP +For example if \fBsplit_send_fragment\fR is set to 2000 and \fBmax_pipelines\fR is 4 +then: +.PP +SSL_write/SSL_write_ex called with 0\-2000 bytes == 1 pipeline used +.PP +SSL_write/SSL_write_ex called with 2001\-4000 bytes == 2 pipelines used +.PP +SSL_write/SSL_write_ex called with 4001\-6000 bytes == 3 pipelines used +.PP +SSL_write/SSL_write_ex called with 6001+ bytes == 4 pipelines used +.PP +\&\fBsplit_send_fragment\fR must always be less than or equal to +\&\fBmax_send_fragment\fR. By default it is set to be equal to \fBmax_send_fragment\fR. +This will mean that the same number of records will always be created as would +have been created in the non-parallel case, although the data will be +apportioned differently. In the parallel case data will be spread equally +between the pipelines. +.PP +Read pipelining is controlled in a slightly different way than with write +pipelining. While reading we are constrained by the number of records that the +peer (and the network) can provide to us in one go. The more records we can get +in one go the more opportunity we have to parallelise the processing. As noted +above when setting \fBmax_pipelines\fR to a value greater than one, \fBread_ahead\fR +is automatically set. The \fBread_ahead\fR parameter causes OpenSSL to attempt to +read as much data into the read buffer as the network can provide and will fit +into the buffer. Without this set data is read into the read buffer one record +at a time. The more data that can be read, the more opportunity there is for +parallelising the processing at the cost of increased memory overhead per +connection. Setting \fBread_ahead\fR can impact the behaviour of the \fISSL_pending()\fR +function (see \fISSL_pending\fR\|(3)). +.PP +The \fISSL_CTX_set_default_read_buffer_len()\fR and \fISSL_set_default_read_buffer_len()\fR +functions control the size of the read buffer that will be used. The \fBlen\fR +parameter sets the size of the buffer. The value will only be used if it is +greater than the default that would have been used anyway. The normal default +value depends on a number of factors but it will be at least +\&\s-1SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD\s0 (16704) bytes. +.PP +\&\fISSL_CTX_set_tlsext_max_fragment_length()\fR sets the default maximum fragment +length negotiation mode via value \fBmode\fR to \fBctx\fR. +This setting affects only \s-1SSL\s0 instances created after this function is called. +It affects the client-side as only its side may initiate this extension use. +.PP +\&\fISSL_set_tlsext_max_fragment_length()\fR sets the maximum fragment length +negotiation mode via value \fBmode\fR to \fBssl\fR. +This setting will be used during a handshake when extensions are exchanged +between client and server. +So it only affects \s-1SSL\s0 sessions created after this function is called. +It affects the client-side as only its side may initiate this extension use. +.PP +\&\fISSL_SESSION_get_max_fragment_length()\fR gets the maximum fragment length +negotiated in \fBsession\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All non-void functions return 1 on success and 0 on failure. +.SH "NOTES" +.IX Header "NOTES" +The Maximum Fragment Length extension support is optional on the server side. +If the server does not support this extension then +\&\fISSL_SESSION_get_max_fragment_length()\fR will return: +TLSEXT_max_fragment_length_DISABLED. +.PP +The following modes are available: +.IP "TLSEXT_max_fragment_length_DISABLED" 4 +.IX Item "TLSEXT_max_fragment_length_DISABLED" +Disables Maximum Fragment Length Negotiation (default). +.IP "TLSEXT_max_fragment_length_512" 4 +.IX Item "TLSEXT_max_fragment_length_512" +Sets Maximum Fragment Length to 512 bytes. +.IP "TLSEXT_max_fragment_length_1024" 4 +.IX Item "TLSEXT_max_fragment_length_1024" +Sets Maximum Fragment Length to 1024. +.IP "TLSEXT_max_fragment_length_2048" 4 +.IX Item "TLSEXT_max_fragment_length_2048" +Sets Maximum Fragment Length to 2048. +.IP "TLSEXT_max_fragment_length_4096" 4 +.IX Item "TLSEXT_max_fragment_length_4096" +Sets Maximum Fragment Length to 4096. +.PP +With the exception of \fISSL_CTX_set_default_read_buffer_len()\fR +\&\fISSL_set_default_read_buffer_len()\fR, \fISSL_CTX_set_tlsext_max_fragment_length()\fR, +\&\fISSL_set_tlsext_max_fragment_length()\fR and \fISSL_SESSION_get_max_fragment_length()\fR +all these functions are implemented using macros. +.SH "HISTORY" +.IX Header "HISTORY" +The \fISSL_CTX_set_max_pipelines()\fR, \fISSL_set_max_pipelines()\fR, +\&\fISSL_CTX_set_split_send_fragment()\fR, \fISSL_set_split_send_fragment()\fR, +\&\fISSL_CTX_set_default_read_buffer_len()\fR and \fISSL_set_default_read_buffer_len()\fR +functions were added in OpenSSL 1.1.0. +.PP +\&\fISSL_CTX_set_tlsext_max_fragment_length()\fR, \fISSL_set_tlsext_max_fragment_length()\fR +and \fISSL_SESSION_get_max_fragment_length()\fR were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_CTX_set_read_ahead\fR\|(3), \fISSL_pending\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/secure/lib/libcrypto/man/SSL_CTX_set_ssl_version.3 similarity index 90% rename from secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_ssl_version.3 index 1dd0d91c3deb..61722d0af7e5 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_ssl_version.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_ssl_version 3" -.TH SSL_CTX_set_ssl_version 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_SSL_VERSION 3" +.TH SSL_CTX_SET_SSL_VERSION 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method -\&\- choose a new TLS/SSL method +SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method \&\- choose a new TLS/SSL method .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -178,5 +177,13 @@ The operation succeeded. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_CTX_new\fR\|(3), \fISSL_new\fR\|(3), -\&\fISSL_clear\fR\|(3), \fIssl\fR\|(3), +\&\fISSL_clear\fR\|(3), \fIssl\fR\|(7), \&\fISSL_set_connect_state\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_stateless_cookie_generate_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_stateless_cookie_generate_cb.3 new file mode 100644 index 000000000000..66c969aceb79 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_stateless_cookie_generate_cb.3 @@ -0,0 +1,184 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3" +.TH SSL_CTX_SET_STATELESS_COOKIE_GENERATE_CB 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_stateless_cookie_generate_cb, SSL_CTX_set_stateless_cookie_verify_cb \&\- Callback functions for stateless TLS1.3 cookies +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void SSL_CTX_set_stateless_cookie_generate_cb( +\& SSL_CTX *ctx, +\& int (*gen_stateless_cookie_cb) (SSL *ssl, +\& unsigned char *cookie, +\& size_t *cookie_len)); +\& void SSL_CTX_set_stateless_cookie_verify_cb( +\& SSL_CTX *ctx, +\& int (*verify_stateless_cookie_cb) (SSL *ssl, +\& const unsigned char *cookie, +\& size_t cookie_len)); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_set_cookie_generate_cb()\fR sets the callback used by \fISSL_stateless\fR\|(3) +to generate the application-controlled portion of the cookie provided to clients +in the HelloRetryRequest transmitted as a response to a ClientHello with a +missing or invalid cookie. \fIgen_stateless_cookie_cb()\fR must write at most +\&\s-1SSL_COOKIE_LENGTH\s0 bytes into \fBcookie\fR, and must write the number of bytes +written to \fBcookie_len\fR. If a cookie cannot be generated, a zero return value +can be used to abort the handshake. +.PP +\&\fISSL_CTX_set_cookie_verify_cb()\fR sets the callback used by \fISSL_stateless\fR\|(3) to +determine whether the application-controlled portion of a ClientHello cookie is +valid. A nonzero return value from \fIapp_verify_cookie_cb()\fR communicates that the +cookie is valid. The integrity of the entire cookie, including the +application-controlled portion, is automatically verified by \s-1HMAC\s0 before +\&\fIverify_stateless_cookie_cb()\fR is called. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Neither function returns a value. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_stateless\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_timeout.3 b/secure/lib/libcrypto/man/SSL_CTX_set_timeout.3 similarity index 92% rename from secure/lib/libssl/man/SSL_CTX_set_timeout.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_timeout.3 index 998e2ea1f269..2d2bd9a8b440 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_timeout.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_timeout.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_timeout 3" -.TH SSL_CTX_set_timeout 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_TIMEOUT 3" +.TH SSL_CTX_SET_TIMEOUT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -180,8 +180,16 @@ of 300 seconds. \&\fISSL_CTX_get_timeout()\fR returns the currently set timeout value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_session_cache_mode\fR\|(3), \&\fISSL_SESSION_get_time\fR\|(3), \&\fISSL_CTX_flush_sessions\fR\|(3), \&\fISSL_get_default_timeout\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_servername_callback.3 similarity index 81% rename from secure/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_tlsext_servername_callback.3 index 74cdf5e1332d..d77411f6c1a1 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_servername_callback.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_tlsext_servername_callback 3" -.TH SSL_CTX_set_tlsext_servername_callback 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3" +.TH SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg, -SSL_get_servername_type, SSL_get_servername \- handle server name indication -(SNI) +SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg, SSL_get_servername_type, SSL_get_servername, SSL_set_tlsext_host_name \- handle server name indication (SNI) .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -149,9 +147,15 @@ SSL_get_servername_type, SSL_get_servername \- handle server name indication \& \& const char *SSL_get_servername(const SSL *s, const int type); \& int SSL_get_servername_type(const SSL *s); +\& +\& int SSL_set_tlsext_host_name(const SSL *s, const char *name); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" +The functionality provided by the servername callback is superseded by the +ClientHello callback, which can be set using \fISSL_CTX_set_client_hello_cb()\fR. +The servername callback is retained for historical compatibility. +.PP \&\fISSL_CTX_set_tlsext_servername_callback()\fR sets the application callback \fBcb\fR used by a server to perform any actions or configuration required based on the servername extension received in the incoming connection. When \fBcb\fR @@ -167,18 +171,27 @@ type if provided in the Client Hello or \s-1NULL.\s0 \&\fISSL_get_servername_type()\fR returns the servername type or \-1 if no servername is present. Currently the only supported type (defined in \s-1RFC3546\s0) is \&\fBTLSEXT_NAMETYPE_host_name\fR. +.PP +\&\fISSL_set_tlsext_host_name()\fR sets the server name indication ClientHello extension +to contain the value \fBname\fR. The type of server name indication extension is set +to \fBTLSEXT_NAMETYPE_host_name\fR (defined in \s-1RFC3546\s0). .SH "NOTES" .IX Header "NOTES" -The \s-1ALPN\s0 and \s-1SNI\s0 callbacks are both executed during Client Hello processing. -The servername callback is executed first, followed by the \s-1ALPN\s0 callback. +Several callbacks are executed during ClientHello processing, including +the ClientHello, \s-1ALPN,\s0 and servername callbacks. The ClientHello callback is +executed first, then the servername callback, followed by the \s-1ALPN\s0 callback. +.PP +The \fISSL_set_tlsext_host_name()\fR function should only be called on \s-1SSL\s0 objects +that will act as clients; otherwise the configured \fBname\fR will be ignored. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_CTX_set_tlsext_servername_callback()\fR and \&\fISSL_CTX_set_tlsext_servername_arg()\fR both always return 1 indicating success. +\&\fISSL_set_tlsext_host_name()\fR returns 1 on success, 0 in case of error. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIssl\fR\|(7), \fISSL_CTX_set_alpn_select_cb\fR\|(3), -\&\fISSL_get0_alpn_selected\fR\|(3) +\&\fISSL_get0_alpn_selected\fR\|(3), \fISSL_CTX_set_client_hello_cb\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_status_cb.3 similarity index 63% rename from secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_tlsext_status_cb.3 index c7ab174a177d..4582ebc7b3b3 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_status_cb.3 @@ -128,26 +128,30 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_tlsext_status_cb 3" -.TH SSL_CTX_set_tlsext_status_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_TLSEXT_STATUS_CB 3" +.TH SSL_CTX_SET_TLSEXT_STATUS_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg, -SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp, -SSL_set_tlsext_status_ocsp_resp \- OCSP Certificate Status Request functions +SSL_CTX_set_tlsext_status_cb, SSL_CTX_get_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg, SSL_CTX_get_tlsext_status_arg, SSL_CTX_set_tlsext_status_type, SSL_CTX_get_tlsext_status_type, SSL_set_tlsext_status_type, SSL_get_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp, SSL_set_tlsext_status_ocsp_resp \&\- OCSP Certificate Status Request functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, -\& int (*callback)(SSL *, void *)); +\& long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, int (*callback)(SSL *, void *)); +\& long SSL_CTX_get_tlsext_status_cb(SSL_CTX *ctx, int (**callback)(SSL *, void *)); +\& \& long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg); +\& long SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg); +\& +\& long SSL_CTX_set_tlsext_status_type(SSL_CTX *ctx, int type); +\& long SSL_CTX_get_tlsext_status_type(SSL_CTX *ctx); \& \& long SSL_set_tlsext_status_type(SSL *s, int type); +\& long SSL_get_tlsext_status_type(SSL *s); \& \& long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp); \& long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len); @@ -156,16 +160,31 @@ SSL_set_tlsext_status_ocsp_resp \- OCSP Certificate Status Request functions .IX Header "DESCRIPTION" A client application may request that a server send back an \s-1OCSP\s0 status response (also known as \s-1OCSP\s0 stapling). To do so the client should call the -\&\fISSL_set_tlsext_status_type()\fR function prior to the start of the handshake. +\&\fISSL_CTX_set_tlsext_status_type()\fR function prior to the creation of any \s-1SSL\s0 +objects. Alternatively an application can call the \fISSL_set_tlsext_status_type()\fR +function on an individual \s-1SSL\s0 object prior to the start of the handshake. Currently the only supported type is \fBTLSEXT_STATUSTYPE_ocsp\fR. This value -should be passed in the \fBtype\fR argument. The client should additionally provide -a callback function to decide what to do with the returned \s-1OCSP\s0 response by -calling \fISSL_CTX_set_tlsext_status_cb()\fR. The callback function should determine -whether the returned \s-1OCSP\s0 response is acceptable or not. The callback will be -passed as an argument the value previously set via a call to -\&\fISSL_CTX_set_tlsext_status_arg()\fR. Note that the callback will not be called in -the event of a handshake where session resumption occurs (because there are no -Certificates exchanged in such a handshake). +should be passed in the \fBtype\fR argument. Calling +\&\fISSL_CTX_get_tlsext_status_type()\fR will return the type \fBTLSEXT_STATUSTYPE_ocsp\fR +previously set via \fISSL_CTX_set_tlsext_status_type()\fR or \-1 if not set. +.PP +The client should additionally provide a callback function to decide what to do +with the returned \s-1OCSP\s0 response by calling \fISSL_CTX_set_tlsext_status_cb()\fR. The +callback function should determine whether the returned \s-1OCSP\s0 response is +acceptable or not. The callback will be passed as an argument the value +previously set via a call to \fISSL_CTX_set_tlsext_status_arg()\fR. Note that the +callback will not be called in the event of a handshake where session resumption +occurs (because there are no Certificates exchanged in such a handshake). +The callback previously set via \fISSL_CTX_set_tlsext_status_cb()\fR can be retrieved +by calling \fISSL_CTX_get_tlsext_status_cb()\fR, and the argument by calling +\&\fISSL_CTX_get_tlsext_status_arg()\fR. +.PP +On the client side \fISSL_get_tlsext_status_type()\fR can be used to determine whether +the client has previously called \fISSL_set_tlsext_status_type()\fR. It will return +\&\fBTLSEXT_STATUSTYPE_ocsp\fR if it has been called or \-1 otherwise. On the server +side \fISSL_get_tlsext_status_type()\fR can be used to determine whether the client +requested \s-1OCSP\s0 stapling. If the client requested it then this function will +return \fBTLSEXT_STATUSTYPE_ocsp\fR, or \-1 otherwise. .PP The response returned by the server can be obtained via a call to \&\fISSL_get_tlsext_status_ocsp_resp()\fR. The value \fB*resp\fR will be updated to point @@ -196,8 +215,27 @@ returned) or \s-1SSL_TLSEXT_ERR_ALERT_FATAL\s0 (meaning that a fatal error has occurred). .PP \&\fISSL_CTX_set_tlsext_status_cb()\fR, \fISSL_CTX_set_tlsext_status_arg()\fR, -\&\fISSL_set_tlsext_status_type()\fR and \fISSL_set_tlsext_status_ocsp_resp()\fR return 0 on -error or 1 on success. +\&\fISSL_CTX_set_tlsext_status_type()\fR, \fISSL_set_tlsext_status_type()\fR and +\&\fISSL_set_tlsext_status_ocsp_resp()\fR return 0 on error or 1 on success. +.PP +\&\fISSL_CTX_get_tlsext_status_type()\fR returns the value previously set by +\&\fISSL_CTX_set_tlsext_status_type()\fR, or \-1 if not set. .PP \&\fISSL_get_tlsext_status_ocsp_resp()\fR returns the length of the \s-1OCSP\s0 response data or \-1 if there is no \s-1OCSP\s0 response data. +.PP +\&\fISSL_get_tlsext_status_type()\fR returns \fBTLSEXT_STATUSTYPE_ocsp\fR on the client +side if \fISSL_set_tlsext_status_type()\fR was previously called, or on the server +side if the client requested \s-1OCSP\s0 stapling. Otherwise \-1 is returned. +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_get_tlsext_status_type()\fR, \fISSL_CTX_get_tlsext_status_type()\fR and +\&\fISSL_CTX_set_tlsext_status_type()\fR were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_ticket_key_cb.3 similarity index 69% rename from secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_tlsext_ticket_key_cb.3 index b8ce770c1362..f582aa99d9d9 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_ticket_key_cb.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_tlsext_ticket_key_cb 3" -.TH SSL_CTX_set_tlsext_ticket_key_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3" +.TH SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,29 +142,26 @@ SSL_CTX_set_tlsext_ticket_key_cb \- set a callback for session ticket processing \& #include \& \& long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx, -\& int (*cb)(SSL *s, unsigned char key_name[16], -\& unsigned char iv[EVP_MAX_IV_LENGTH], -\& EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); +\& int (*cb)(SSL *s, unsigned char key_name[16], +\& unsigned char iv[EVP_MAX_IV_LENGTH], +\& EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_CTX_set_tlsext_ticket_key_cb()\fR sets a callback fuction \fIcb\fR for handling -session tickets for the ssl context \fIsslctx\fR. Session tickets, defined in +\&\fISSL_CTX_set_tlsext_ticket_key_cb()\fR sets a callback function \fIcb\fR for handling +session tickets for the ssl context \fIsslctx\fR. Session tickets, defined in \&\s-1RFC5077\s0 provide an enhanced session resumption capability where the server implementation is not required to maintain per session state. It only applies to \s-1TLS\s0 and there is no SSLv3 implementation. .PP -The callback is available when the OpenSSL library was built without -\&\fI\s-1OPENSSL_NO_TLSEXT\s0\fR being defined. -.PP The callback function \fIcb\fR will be called for every client instigated \s-1TLS\s0 session when session ticket extension is presented in the \s-1TLS\s0 hello message. It is the responsibility of this function to create or retrieve the cryptographic parameters and to maintain their state. .PP -The OpenSSL library uses your callback function to help implement a common \s-1TLS\s0 +The OpenSSL library uses your callback function to help implement a common \s-1TLS\s0 ticket construction state according to \s-1RFC5077\s0 Section 4 such that per session -state is unnecessary and a small set of cryptographic variables needs to be +state is unnecessary and a small set of cryptographic variables needs to be maintained by the callback function implementation. .PP In order to reuse a session, a \s-1TLS\s0 client must send the a session ticket @@ -173,53 +170,54 @@ The server, through the callback function, either agrees to reuse the session ticket information or it starts a full \s-1TLS\s0 handshake to create a new session ticket. .PP -Before the callback function is started \fIctx\fR and \fIhctx\fR have been +Before the callback function is started \fIctx\fR and \fIhctx\fR have been initialised with EVP_CIPHER_CTX_init and HMAC_CTX_init respectively. .PP For new sessions tickets, when the client doesn't present a session ticket, or -an attempted retreival of the ticket failed, or a renew option was indicated, +an attempted retrieval of the ticket failed, or a renew option was indicated, the callback function will be called with \fIenc\fR equal to 1. The OpenSSL -library expects that the function will set an arbitary \fIname\fR, initialize +library expects that the function will set an arbitrary \fIname\fR, initialize \&\fIiv\fR, and set the cipher context \fIctx\fR and the hash context \fIhctx\fR. .PP The \fIname\fR is 16 characters long and is used as a key identifier. .PP The \fIiv\fR length is the length of the \s-1IV\s0 of the corresponding cipher. The -maximum \s-1IV\s0 length is \s-1EVP_MAX_IV_LENGTH\s0 bytes defined in \fBevp.h\fR. +maximum \s-1IV\s0 length is \fB\s-1EVP_MAX_IV_LENGTH\s0\fR bytes defined in \fBevp.h\fR. .PP -The initialization vector \fIiv\fR should be a random value. The cipher context -\&\fIctx\fR should use the initialisation vector \fIiv\fR. The cipher context can be -set using EVP_EncryptInit_ex. The hmac context can be set using HMAC_Init_ex. +The initialization vector \fIiv\fR should be a random value. The cipher context +\&\fIctx\fR should use the initialisation vector \fIiv\fR. The cipher context can be +set using \fIEVP_EncryptInit_ex\fR\|(3). The hmac context can be set using +\&\fIHMAC_Init_ex\fR\|(3). .PP -When the client presents a session ticket, the callback function with be called -with \fIenc\fR set to 0 indicating that the \fIcb\fR function should retreive a set +When the client presents a session ticket, the callback function with be called +with \fIenc\fR set to 0 indicating that the \fIcb\fR function should retrieve a set of parameters. In this case \fIname\fR and \fIiv\fR have already been parsed out of the session ticket. The OpenSSL library expects that the \fIname\fR will be used to retrieve a cryptographic parameters and that the cryptographic context -\&\fIctx\fR will be set with the retreived parameters and the initialization vector -\&\fIiv\fR. using a function like EVP_DecryptInit_ex. The \fIhctx\fR needs to be set -using HMAC_Init_ex. +\&\fIctx\fR will be set with the retrieved parameters and the initialization vector +\&\fIiv\fR. using a function like \fIEVP_DecryptInit_ex\fR\|(3). The \fIhctx\fR needs to be +set using \fIHMAC_Init_ex\fR\|(3). .PP If the \fIname\fR is still valid but a renewal of the ticket is required the callback function should return 2. The library will call the callback again -with an arguement of enc equal to 1 to set the new ticket. +with an argument of enc equal to 1 to set the new ticket. .PP The return value of the \fIcb\fR function is used by OpenSSL to determine what further processing will occur. The following return values have meaning: .IP "2" 4 .IX Item "2" -This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can +This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can continue on those parameters. Additionally it indicates that the session ticket is in a renewal period and should be replaced. The OpenSSL library will call \fIcb\fR again with an enc argument of 1 to set the new ticket (see \s-1RFC5077 3.3\s0 paragraph 2). .IP "1" 4 .IX Item "1" -This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can +This indicates that the \fIctx\fR and \fIhctx\fR have been set and the session can continue on those parameters. .IP "0" 4 -This indicates that it was not possible to set/retrieve a session ticket and -the \s-1SSL/TLS\s0 session will continue by by negiotationing a set of cryptographic +This indicates that it was not possible to set/retrieve a session ticket and +the \s-1SSL/TLS\s0 session will continue by negotiating a set of cryptographic parameters or using the alternate \s-1SSL/TLS\s0 resumption mechanism, session ids. .Sp If called with enc equal to 0 the library will call the \fIcb\fR again to get @@ -230,83 +228,92 @@ This indicates an error. .SH "NOTES" .IX Header "NOTES" Session resumption shortcuts the \s-1TLS\s0 so that the client certificate -negiotation don't occur. It makes up for this by storing client certificate +negotiation don't occur. It makes up for this by storing client certificate an all other negotiated state information encrypted within the ticket. In a resumed session the applications will have all this state information available -exactly as if a full negiotation had occured. +exactly as if a full negotiation had occurred. .PP If an attacker can obtain the key used to encrypt a session ticket, they can obtain the master secret for any ticket using that key and decrypt any traffic -using that session: even if the ciphersuite supports forward secrecy. As +using that session: even if the cipher suite supports forward secrecy. As a result applications may wish to use multiple keys and avoid using long term keys stored in files. .PP Applications can use longer keys to maintain a consistent level of security. -For example if a ciphersuite uses 256 bit ciphers but only a 128 bit ticket key +For example if a cipher suite uses 256 bit ciphers but only a 128 bit ticket key the overall security is only 128 bits because breaking the ticket key will enable an attacker to obtain the session keys. .SH "EXAMPLES" .IX Header "EXAMPLES" -Reference Implemention: - SSL_CTX_set_tlsext_ticket_key_cb(\s-1SSL\s0,ssl_tlsext_ticket_key_cb); - .... +Reference Implementation: .PP -.Vb 6 -\& static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc) -\& { -\& if (enc) { /* create new session */ -\& if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) { -\& return \-1; /* insufficient random */ -\& } -\& -\& key = currentkey(); /* something that you need to implement */ -\& if ( !key ) { -\& /* current key doesn\*(Aqt exist or isn\*(Aqt valid */ -\& key = createkey(); /* something that you need to implement. -\& * createkey needs to initialise, a name, -\& * an aes_key, a hmac_key and optionally -\& * an expire time. */ -\& if ( !key ) { /* key couldn\*(Aqt be created */ -\& return 0; -\& } -\& } -\& memcpy(key_name, key\->name, 16); -\& -\& EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key\->aes_key, iv); -\& HMAC_Init_ex(&hctx, key\->hmac_key, 16, EVP_sha256(), NULL); -\& -\& return 1; -\& -\& } else { /* retrieve session */ -\& key = findkey(name); -\& -\& if (!key || key\->expire < now() ) { -\& return 0; -\& } -\& -\& HMAC_Init_ex(&hctx, key\->hmac_key, 16, EVP_sha256(), NULL); -\& EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key\->aes_key, iv ); +.Vb 2 +\& SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb); +\& ... \& -\& if (key\->expire < ( now() \- RENEW_TIME ) ) { -\& /* return 2 \- this session will get a new ticket even though the current is still valid */ -\& return 2; -\& } -\& return 1; -\& -\& } -\& } +\& static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16], +\& unsigned char *iv, EVP_CIPHER_CTX *ctx, +\& HMAC_CTX *hctx, int enc) +\& { +\& if (enc) { /* create new session */ +\& if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0) +\& return \-1; /* insufficient random */ +\& +\& key = currentkey(); /* something that you need to implement */ +\& if (key == NULL) { +\& /* current key doesn\*(Aqt exist or isn\*(Aqt valid */ +\& key = createkey(); /* +\& * Something that you need to implement. +\& * createkey needs to initialise a name, +\& * an aes_key, a hmac_key and optionally +\& * an expire time. +\& */ +\& if (key == NULL) /* key couldn\*(Aqt be created */ +\& return 0; +\& } +\& memcpy(key_name, key\->name, 16); +\& +\& EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key\->aes_key, iv); +\& HMAC_Init_ex(&hctx, key\->hmac_key, 16, EVP_sha256(), NULL); +\& +\& return 1; +\& +\& } else { /* retrieve session */ +\& key = findkey(name); +\& +\& if (key == NULL || key\->expire < now()) +\& return 0; +\& +\& HMAC_Init_ex(&hctx, key\->hmac_key, 16, EVP_sha256(), NULL); +\& EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key\->aes_key, iv); +\& +\& if (key\->expire < now() \- RENEW_TIME) { +\& /* +\& * return 2 \- This session will get a new ticket even though the +\& * current one is still valid. +\& */ +\& return 2; +\& } +\& return 1; +\& } +\& } .Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" returns 0 to indicate the callback function was set. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_set_session\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_set_session\fR\|(3), \&\fISSL_session_reused\fR\|(3), \&\fISSL_CTX_add_session\fR\|(3), \&\fISSL_CTX_sess_number\fR\|(3), \&\fISSL_CTX_sess_set_get_cb\fR\|(3), \&\fISSL_CTX_set_session_id_context\fR\|(3), -.SH "HISTORY" -.IX Header "HISTORY" -This function was introduced in OpenSSL 0.9.8h +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2014\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_use_srtp.3 b/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_use_srtp.3 new file mode 100644 index 000000000000..477970131cef --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_set_tlsext_use_srtp.3 @@ -0,0 +1,227 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_SET_TLSEXT_USE_SRTP 3" +.TH SSL_CTX_SET_TLSEXT_USE_SRTP 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_CTX_set_tlsext_use_srtp, SSL_set_tlsext_use_srtp, SSL_get_srtp_profiles, SSL_get_selected_srtp_profile \&\- Configure and query SRTP support +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles); +\& int SSL_set_tlsext_use_srtp(SSL *ssl, const char *profiles); +\& +\& STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl); +\& SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\s-1SRTP\s0 is the Secure Real-Time Transport Protocol. OpenSSL implements support for +the \*(L"use_srtp\*(R" \s-1DTLS\s0 extension defined in \s-1RFC5764.\s0 This provides a mechanism for +establishing \s-1SRTP\s0 keying material, algorithms and parameters using \s-1DTLS.\s0 This +capability may be used as part of an implementation that conforms to \s-1RFC5763.\s0 +OpenSSL does not implement \s-1SRTP\s0 itself or \s-1RFC5763.\s0 Note that OpenSSL does not +support the use of \s-1SRTP\s0 Master Key Identifiers (MKIs). Also note that this +extension is only supported in \s-1DTLS.\s0 Any \s-1SRTP\s0 configuration will be ignored if a +\&\s-1TLS\s0 connection is attempted. +.PP +An OpenSSL client wishing to send the \*(L"use_srtp\*(R" extension should call +\&\fISSL_CTX_set_tlsext_use_srtp()\fR to set its use for all \s-1SSL\s0 objects subsequently +created from an \s-1SSL_CTX.\s0 Alternatively a client may call +\&\fISSL_set_tlsext_use_srtp()\fR to set its use for an individual \s-1SSL\s0 object. The +\&\fBprofiles\fR parameters should point to a NUL-terminated, colon delimited list of +\&\s-1SRTP\s0 protection profile names. +.PP +The currently supported protection profile names are: +.IP "\s-1SRTP_AES128_CM_SHA1_80\s0" 4 +.IX Item "SRTP_AES128_CM_SHA1_80" +This corresponds to \s-1SRTP_AES128_CM_HMAC_SHA1_80\s0 defined in \s-1RFC5764.\s0 +.IP "\s-1SRTP_AES128_CM_SHA1_32\s0" 4 +.IX Item "SRTP_AES128_CM_SHA1_32" +This corresponds to \s-1SRTP_AES128_CM_HMAC_SHA1_32\s0 defined in \s-1RFC5764.\s0 +.IP "\s-1SRTP_AEAD_AES_128_GCM\s0" 4 +.IX Item "SRTP_AEAD_AES_128_GCM" +This corresponds to the profile of the same name defined in \s-1RFC7714.\s0 +.IP "\s-1SRTP_AEAD_AES_256_GCM\s0" 4 +.IX Item "SRTP_AEAD_AES_256_GCM" +This corresponds to the profile of the same name defined in \s-1RFC7714.\s0 +.PP +Supplying an unrecognised protection profile name will result in an error. +.PP +An OpenSSL server wishing to support the \*(L"use_srtp\*(R" extension should also call +\&\fISSL_CTX_set_tlsext_use_srtp()\fR or \fISSL_set_tlsext_use_srtp()\fR to indicate the +protection profiles that it is willing to negotiate. +.PP +The currently configured list of protection profiles for either a client or a +server can be obtained by calling \fISSL_get_srtp_profiles()\fR. This returns a stack +of \s-1SRTP_PROTECTION_PROFILE\s0 objects. The memory pointed to in the return value of +this function should not be freed by the caller. +.PP +After a handshake has been completed the negotiated \s-1SRTP\s0 protection profile (if +any) can be obtained (on the client or the server) by calling +\&\fISSL_get_selected_srtp_profile()\fR. This function will return \s-1NULL\s0 if no \s-1SRTP\s0 +protection profile was negotiated. The memory returned from this function should +not be freed by the caller. +.PP +If an \s-1SRTP\s0 protection profile has been successfully negotiated then the \s-1SRTP\s0 +keying material (on both the client and server) should be obtained via a call to +\&\fISSL_export_keying_material\fR\|(3). This call should provide a label value of +\&\*(L"EXTRACTOR\-dtls_srtp\*(R" and a \s-1NULL\s0 context value (use_context is 0). The total +length of keying material obtained should be equal to two times the sum of the +master key length and the salt length as defined for the protection profile in +use. This provides the client write master key, the server write master key, the +client write master salt and the server write master salt in that order. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_set_tlsext_use_srtp()\fR and \fISSL_set_tlsext_use_srtp()\fR return 0 on success +or 1 on error. +.PP +\&\fISSL_get_srtp_profiles()\fR returns a stack of \s-1SRTP_PROTECTION_PROFILE\s0 objects on +success or \s-1NULL\s0 on error or if no protection profiles have been configured. +.PP +\&\fISSL_get_selected_srtp_profile()\fR returns a pointer to an \s-1SRTP_PROTECTION_PROFILE\s0 +object if one has been negotiated or \s-1NULL\s0 otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_export_keying_material\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/secure/lib/libcrypto/man/SSL_CTX_set_tmp_dh_callback.3 similarity index 84% rename from secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_tmp_dh_callback.3 index aabf07fcc59d..61364e138f62 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_tmp_dh_callback.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_tmp_dh_callback 3" -.TH SSL_CTX_set_tmp_dh_callback 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_TMP_DH_CALLBACK 3" +.TH SSL_CTX_SET_TMP_DH_CALLBACK 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -142,11 +142,13 @@ SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_se \& #include \& \& void SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, -\& DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); +\& DH *(*tmp_dh_callback)(SSL *ssl, int is_export, +\& int keylength)); \& long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh); \& \& void SSL_set_tmp_dh_callback(SSL *ctx, -\& DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); +\& DH *(*tmp_dh_callback)(SSL *ssl, int is_export, +\& int keylength)); \& long SSL_set_tmp_dh(SSL *ssl, DH *dh) .Ve .SH "DESCRIPTION" @@ -198,16 +200,15 @@ which use safe primes and were generated verifiably pseudo-randomly. These files can be converted into C code using the \fB\-C\fR option of the \&\fIdhparam\fR\|(1) application. Generation of custom \s-1DH\s0 parameters during installation should still be preferred to stop an -attacker from specializing on a commonly used group. Files dh1024.pem -and dh512.pem contain old parameters that must not be used by -applications. +attacker from specializing on a commonly used group. File dh1024.pem +contains old parameters that must not be used by applications. .PP An application may either directly specify the \s-1DH\s0 parameters or can supply the \s-1DH\s0 parameters via a callback function. .PP Previous versions of the callback used \fBis_export\fR and \fBkeylength\fR parameters to control parameter generation for export and non-export -cipher suites. Modern servers that do not support export ciphersuites +cipher suites. Modern servers that do not support export cipher suites are advised to either use \fISSL_CTX_set_tmp_dh()\fR or alternatively, use the callback but ignore \fBkeylength\fR and \fBis_export\fR and simply supply at least 2048\-bit parameters in the callback. @@ -216,32 +217,30 @@ supply at least 2048\-bit parameters in the callback. Setup \s-1DH\s0 parameters with a key length of 2048 bits. (Error handling partly left out.) .PP -.Vb 2 -\& Command\-line parameter generation: +Command-line parameter generation: +.PP +.Vb 1 \& $ openssl dhparam \-out dh_param_2048.pem 2048 -\& -\& Code for setting up parameters during server initialization: -\& -\& ... +.Ve +.PP +Code for setting up parameters during server initialization: +.PP +.Vb 1 \& SSL_CTX ctx = SSL_CTX_new(); -\& ... \& -\& /* Set up ephemeral DH parameters. */ \& DH *dh_2048 = NULL; -\& FILE *paramfile; -\& paramfile = fopen("dh_param_2048.pem", "r"); +\& FILE *paramfile = fopen("dh_param_2048.pem", "r"); +\& \& if (paramfile) { -\& dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); -\& fclose(paramfile); +\& dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); +\& fclose(paramfile); \& } else { -\& /* Error. */ -\& } -\& if (dh_2048 == NULL) { -\& /* Error. */ -\& } -\& if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { -\& /* Error. */ +\& /* Error. */ \& } +\& if (dh_2048 == NULL) +\& /* Error. */ +\& if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) +\& /* Error. */ \& ... .Ve .SH "RETURN VALUES" @@ -253,7 +252,14 @@ diagnostic output. on failure. Check the error queue to find out the reason of failure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_cipher_list\fR\|(3), -\&\fISSL_CTX_set_tmp_rsa_callback\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_CTX_set_cipher_list\fR\|(3), \&\fISSL_CTX_set_options\fR\|(3), \&\fIciphers\fR\|(1), \fIdhparam\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_set_verify.3 b/secure/lib/libcrypto/man/SSL_CTX_set_verify.3 similarity index 60% rename from secure/lib/libssl/man/SSL_CTX_set_verify.3 rename to secure/lib/libcrypto/man/SSL_CTX_set_verify.3 index 56999d630d56..5418893c0cb9 100644 --- a/secure/lib/libssl/man/SSL_CTX_set_verify.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_set_verify.3 @@ -128,27 +128,31 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_set_verify 3" -.TH SSL_CTX_set_verify 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_SET_VERIFY 3" +.TH SSL_CTX_SET_VERIFY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth \- set peer certificate verification parameters +SSL_get_ex_data_X509_STORE_CTX_idx, SSL_CTX_set_verify, SSL_set_verify, SSL_CTX_set_verify_depth, SSL_set_verify_depth, SSL_verify_cb, SSL_verify_client_post_handshake, SSL_set_post_handshake_auth, SSL_CTX_set_post_handshake_auth \&\- set peer certificate verification parameters .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, -\& int (*verify_callback)(int, X509_STORE_CTX *)); -\& void SSL_set_verify(SSL *s, int mode, -\& int (*verify_callback)(int, X509_STORE_CTX *)); -\& void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); -\& void SSL_set_verify_depth(SSL *s, int depth); +\& typedef int (*SSL_verify_cb)(int preverify_ok, X509_STORE_CTX *x509_ctx); \& -\& int verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx); +\& void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, SSL_verify_cb verify_callback); +\& void SSL_set_verify(SSL *ssl, int mode, SSL_verify_cb verify_callback); +\& SSL_get_ex_data_X509_STORE_CTX_idx(void); +\& +\& void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth); +\& void SSL_set_verify_depth(SSL *ssl, int depth); +\& +\& int SSL_verify_client_post_handshake(SSL *ssl); +\& void SSL_CTX_set_post_handshake_auth(SSL_CTX *ctx, int val); +\& void SSL_set_post_handshake_auth(SSL *ssl, int val); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -162,13 +166,26 @@ shall be specified, the \s-1NULL\s0 pointer can be used for \fBverify_callback\f this case last \fBverify_callback\fR set specifically for this \fBssl\fR remains. If no special \fBcallback\fR was set before, the default callback for the underlying \&\fBctx\fR is used, that was valid at the time \fBssl\fR was created with -\&\fISSL_new\fR\|(3). +\&\fISSL_new\fR\|(3). Within the callback function, +\&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR can be called to get the data index +of the current \s-1SSL\s0 object that is doing the verification. .PP \&\fISSL_CTX_set_verify_depth()\fR sets the maximum \fBdepth\fR for the certificate chain -verification that shall be allowed for \fBctx\fR. (See the \s-1BUGS\s0 section.) +verification that shall be allowed for \fBctx\fR. .PP \&\fISSL_set_verify_depth()\fR sets the maximum \fBdepth\fR for the certificate chain -verification that shall be allowed for \fBssl\fR. (See the \s-1BUGS\s0 section.) +verification that shall be allowed for \fBssl\fR. +.PP +\&\fISSL_CTX_set_post_handshake_auth()\fR and \fISSL_set_post_handshake_auth()\fR enable the +Post-Handshake Authentication extension to be added to the ClientHello such that +post-handshake authentication can be requested by the server. If \fBval\fR is 0 +then the extension is not sent, otherwise it is. By default the extension is not +sent. A certificate callback will need to be set via +\&\fISSL_CTX_set_client_cert_cb()\fR if no certificate is provided at initialization. +.PP +\&\fISSL_verify_client_post_handshake()\fR causes a CertificateRequest message to be +sent by a server on the given \fBssl\fR connection. The \s-1SSL_VERIFY_PEER\s0 flag must +be set; the \s-1SSL_VERIFY_POST_HANDSHAKE\s0 flag is optional. .SH "NOTES" .IX Header "NOTES" The verification of certificates can be controlled by a set of logically @@ -191,7 +208,8 @@ fails, the \s-1TLS/SSL\s0 handshake is immediately terminated with an alert message containing the reason for the verification failure. The behaviour can be controlled by the additional -\&\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT\s0 and \s-1SSL_VERIFY_CLIENT_ONCE\s0 flags. +\&\s-1SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_VERIFY_CLIENT_ONCE\s0 and +\&\s-1SSL_VERIFY_POST_HANDSHAKE\s0 flags. .Sp \&\fBClient mode:\fR the server certificate is verified. If the verification process fails, the \s-1TLS/SSL\s0 handshake is @@ -207,14 +225,25 @@ This flag must be used together with \s-1SSL_VERIFY_PEER.\s0 \&\fBClient mode:\fR ignored .IP "\s-1SSL_VERIFY_CLIENT_ONCE\s0" 4 .IX Item "SSL_VERIFY_CLIENT_ONCE" -\&\fBServer mode:\fR only request a client certificate on the initial \s-1TLS/SSL\s0 -handshake. Do not ask for a client certificate again in case of a -renegotiation. This flag must be used together with \s-1SSL_VERIFY_PEER.\s0 +\&\fBServer mode:\fR only request a client certificate once during the +connection. Do not ask for a client certificate again during +renegotiation or post-authentication if a certificate was requested +during the initial handshake. This flag must be used together with +\&\s-1SSL_VERIFY_PEER.\s0 +.Sp +\&\fBClient mode:\fR ignored +.IP "\s-1SSL_VERIFY_POST_HANDSHAKE\s0" 4 +.IX Item "SSL_VERIFY_POST_HANDSHAKE" +\&\fBServer mode:\fR the server will not send a client certificate request +during the initial handshake, but will send the request via +\&\fISSL_verify_client_post_handshake()\fR. This allows the \s-1SSL_CTX\s0 or \s-1SSL\s0 +to be configured for post-handshake peer verification before the +handshake occurs. This flag must be used together with +\&\s-1SSL_VERIFY_PEER.\s0 TLSv1.3 only; no effect on pre\-TLSv1.3 connections. .Sp \&\fBClient mode:\fR ignored .PP -Exactly one of the \fBmode\fR flags \s-1SSL_VERIFY_NONE\s0 and \s-1SSL_VERIFY_PEER\s0 must be -set at any time. +If the \fBmode\fR is \s-1SSL_VERIFY_NONE\s0 none of the other flags may be set. .PP The actual verification procedure is performed either using the built-in verification procedure or using another application provided verification @@ -225,16 +254,19 @@ application provided procedure also has access to the verify depth information and the \fIverify_callback()\fR function, but the way this information is used may be different. .PP -\&\fISSL_CTX_set_verify_depth()\fR and \fISSL_set_verify_depth()\fR set the limit up -to which depth certificates in a chain are used during the verification -procedure. If the certificate chain is longer than allowed, the certificates -above the limit are ignored. Error messages are generated as if these -certificates would not be present, most likely a -X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY will be issued. +\&\fISSL_CTX_set_verify_depth()\fR and \fISSL_set_verify_depth()\fR set a limit on the +number of certificates between the end-entity and trust-anchor certificates. +Neither the +end-entity nor the trust-anchor certificates count against \fBdepth\fR. If the +certificate chain needed to reach a trusted issuer is longer than \fBdepth+2\fR, +X509_V_ERR_CERT_CHAIN_TOO_LONG will be issued. The depth count is \*(L"level 0:peer certificate\*(R", \*(L"level 1: \s-1CA\s0 certificate\*(R", \&\*(L"level 2: higher level \s-1CA\s0 certificate\*(R", and so on. Setting the maximum -depth to 2 allows the levels 0, 1, and 2. The default depth limit is 100, -allowing for the peer certificate and additional 100 \s-1CA\s0 certificates. +depth to 2 allows the levels 0, 1, 2 and 3 (0 being the end-entity and 3 the +trust-anchor). +The default depth limit is 100, +allowing for the peer certificate, at most 100 intermediate \s-1CA\s0 certificates and +a final trust anchor certificate. .PP The \fBverify_callback\fR function is used to control the behaviour when the \&\s-1SSL_VERIFY_PEER\s0 flag is set. It must be supplied by the application and @@ -269,20 +301,33 @@ If no \fBverify_callback\fR is specified, the default callback will be used. Its return value is identical to \fBpreverify_ok\fR, so that any verification failure will lead to a termination of the \s-1TLS/SSL\s0 handshake with an alert message, if \s-1SSL_VERIFY_PEER\s0 is set. +.PP +After calling \fISSL_set_post_handshake_auth()\fR, the client will need to add a +certificate or certificate callback to its configuration before it can +successfully authenticate. This must be called before \fISSL_connect()\fR. +.PP +\&\fISSL_verify_client_post_handshake()\fR requires that verify flags have been +previously set, and that a client sent the post-handshake authentication +extension. When the client returns a certificate the verify callback will be +invoked. A write operation must take place for the Certificate Request to be +sent to the client, this can be done with \fISSL_do_handshake()\fR or \fISSL_write_ex()\fR. +Only one certificate request may be outstanding at any time. +.PP +When post-handshake authentication occurs, a refreshed NewSessionTicket +message is sent to the client. .SH "BUGS" .IX Header "BUGS" In client mode, it is not checked whether the \s-1SSL_VERIFY_PEER\s0 flag -is set, but whether \s-1SSL_VERIFY_NONE\s0 is not set. This can lead to -unexpected behaviour, if the \s-1SSL_VERIFY_PEER\s0 and \s-1SSL_VERIFY_NONE\s0 are not -used as required (exactly one must be set at any time). -.PP -The certificate verification depth set with SSL[_CTX]\fI_verify_depth()\fR -stops the verification at a certain depth. The error message produced -will be that of an incomplete certificate chain and not -X509_V_ERR_CERT_CHAIN_TOO_LONG as may be expected. +is set, but whether any flags are set. This can lead to +unexpected behaviour if \s-1SSL_VERIFY_PEER\s0 and other flags are not used as +required. .SH "RETURN VALUES" .IX Header "RETURN VALUES" The SSL*_set_verify*() functions do not provide diagnostic information. +.PP +The \fISSL_verify_client_post_handshake()\fR function returns 1 if the request +succeeded, and 0 if the request failed. The error stack can be examined +to determine the failure reason. .SH "EXAMPLES" .IX Header "EXAMPLES" The following code sequence realizes an example \fBverify_callback\fR function @@ -297,10 +342,10 @@ certificates. .PP The example makes use of the ex_data technique to store application data into/retrieve application data from the \s-1SSL\s0 structure -(see \fISSL_get_ex_new_index\fR\|(3), +(see \fICRYPTO_get_ex_new_index\fR\|(3), \&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3)). .PP -.Vb 10 +.Vb 7 \& ... \& typedef struct { \& int verbose_mode; @@ -308,65 +353,63 @@ into/retrieve application data from the \s-1SSL\s0 structure \& int always_continue; \& } mydata_t; \& int mydata_index; +\& \& ... \& static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) \& { -\& char buf[256]; -\& X509 *err_cert; -\& int err, depth; -\& SSL *ssl; -\& mydata_t *mydata; +\& char buf[256]; +\& X509 *err_cert; +\& int err, depth; +\& SSL *ssl; +\& mydata_t *mydata; \& -\& err_cert = X509_STORE_CTX_get_current_cert(ctx); -\& err = X509_STORE_CTX_get_error(ctx); -\& depth = X509_STORE_CTX_get_error_depth(ctx); +\& err_cert = X509_STORE_CTX_get_current_cert(ctx); +\& err = X509_STORE_CTX_get_error(ctx); +\& depth = X509_STORE_CTX_get_error_depth(ctx); \& -\& /* -\& * Retrieve the pointer to the SSL of the connection currently treated -\& * and the application specific data stored into the SSL object. -\& */ -\& ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); -\& mydata = SSL_get_ex_data(ssl, mydata_index); +\& /* +\& * Retrieve the pointer to the SSL of the connection currently treated +\& * and the application specific data stored into the SSL object. +\& */ +\& ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); +\& mydata = SSL_get_ex_data(ssl, mydata_index); \& -\& X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); +\& X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); \& -\& /* -\& * Catch a too long certificate chain. The depth limit set using -\& * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so -\& * that whenever the "depth>verify_depth" condition is met, we -\& * have violated the limit and want to log this error condition. -\& * We must do it here, because the CHAIN_TOO_LONG error would not -\& * be found explicitly; only errors introduced by cutting off the -\& * additional certificates would be logged. -\& */ -\& if (depth > mydata\->verify_depth) { -\& preverify_ok = 0; -\& err = X509_V_ERR_CERT_CHAIN_TOO_LONG; -\& X509_STORE_CTX_set_error(ctx, err); -\& } -\& if (!preverify_ok) { -\& printf("verify error:num=%d:%s:depth=%d:%s\en", err, -\& X509_verify_cert_error_string(err), depth, buf); -\& } -\& else if (mydata\->verbose_mode) -\& { -\& printf("depth=%d:%s\en", depth, buf); -\& } +\& /* +\& * Catch a too long certificate chain. The depth limit set using +\& * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so +\& * that whenever the "depth>verify_depth" condition is met, we +\& * have violated the limit and want to log this error condition. +\& * We must do it here, because the CHAIN_TOO_LONG error would not +\& * be found explicitly; only errors introduced by cutting off the +\& * additional certificates would be logged. +\& */ +\& if (depth > mydata\->verify_depth) { +\& preverify_ok = 0; +\& err = X509_V_ERR_CERT_CHAIN_TOO_LONG; +\& X509_STORE_CTX_set_error(ctx, err); +\& } +\& if (!preverify_ok) { +\& printf("verify error:num=%d:%s:depth=%d:%s\en", err, +\& X509_verify_cert_error_string(err), depth, buf); +\& } else if (mydata\->verbose_mode) { +\& printf("depth=%d:%s\en", depth, buf); +\& } \& -\& /* -\& * At this point, err contains the last verification error. We can use -\& * it for something special -\& */ -\& if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) -\& { -\& X509_NAME_oneline(X509_get_issuer_name(ctx\->current_cert), buf, 256); -\& printf("issuer= %s\en", buf); -\& } +\& /* +\& * At this point, err contains the last verification error. We can use +\& * it for something special +\& */ +\& if (!preverify_ok && (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) { +\& X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, 256); +\& printf("issuer= %s\en", buf); +\& } \& -\& if (mydata\->always_continue) -\& return 1; -\& else -\& return preverify_ok; +\& if (mydata\->always_continue) +\& return 1; +\& else +\& return preverify_ok; \& } \& ... \& @@ -376,7 +419,7 @@ into/retrieve application data from the \s-1SSL\s0 structure \& mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); \& \& ... -\& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, +\& SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, \& verify_callback); \& \& /* @@ -391,24 +434,35 @@ into/retrieve application data from the \s-1SSL\s0 structure \& */ \& mydata.verify_depth = verify_depth; ... \& SSL_set_ex_data(ssl, mydata_index, &mydata); -\& +\& \& ... \& SSL_accept(ssl); /* check of success left out for clarity */ -\& if (peer = SSL_get_peer_certificate(ssl)) -\& { -\& if (SSL_get_verify_result(ssl) == X509_V_OK) -\& { -\& /* The client sent a certificate which verified OK */ -\& } +\& if (peer = SSL_get_peer_certificate(ssl)) { +\& if (SSL_get_verify_result(ssl) == X509_V_OK) { +\& /* The client sent a certificate which verified OK */ +\& } \& } .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_new\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_new\fR\|(3), \&\fISSL_CTX_get_verify_mode\fR\|(3), \&\fISSL_get_verify_result\fR\|(3), \&\fISSL_CTX_load_verify_locations\fR\|(3), \&\fISSL_get_peer_certificate\fR\|(3), \&\fISSL_CTX_set_cert_verify_callback\fR\|(3), \&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3), -\&\fISSL_get_ex_new_index\fR\|(3) +\&\fISSL_CTX_set_client_cert_cb\fR\|(3), +\&\fICRYPTO_get_ex_new_index\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \s-1SSL_VERIFY_POST_HANDSHAKE\s0 option, and the \fISSL_verify_client_post_handshake()\fR +and \fISSL_set_post_handshake_auth()\fR functions were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_use_certificate.3 b/secure/lib/libcrypto/man/SSL_CTX_use_certificate.3 similarity index 81% rename from secure/lib/libssl/man/SSL_CTX_use_certificate.3 rename to secure/lib/libcrypto/man/SSL_CTX_use_certificate.3 index fd7c35f74123..1d30bbd85497 100644 --- a/secure/lib/libssl/man/SSL_CTX_use_certificate.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_use_certificate.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_use_certificate 3" -.TH SSL_CTX_use_certificate 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_USE_CERTIFICATE 3" +.TH SSL_CTX_USE_CERTIFICATE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1, SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file, SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1, SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file, SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key \- load certificate and key data +SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_file, SSL_use_certificate, SSL_use_certificate_ASN1, SSL_use_certificate_file, SSL_CTX_use_certificate_chain_file, SSL_use_certificate_chain_file, SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file, SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1, SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file, SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey, SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file, SSL_CTX_check_private_key, SSL_check_private_key, SSL_CTX_use_cert_and_key, SSL_use_cert_and_key \&\- load certificate and key data .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -149,6 +149,7 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f \& int SSL_use_certificate_file(SSL *ssl, const char *file, int type); \& \& int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); +\& int SSL_use_certificate_chain_file(SSL *ssl, const char *file); \& \& int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); \& int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, @@ -158,7 +159,7 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f \& int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); \& int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type); \& int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); -\& int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long len); +\& int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, unsigned char *d, long len); \& int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type); \& int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); \& int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); @@ -166,6 +167,9 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f \& \& int SSL_CTX_check_private_key(const SSL_CTX *ctx); \& int SSL_check_private_key(const SSL *ssl); +\& +\& int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override); +\& int SSL_use_cert_and_key(SSL *ssl, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -199,12 +203,12 @@ from the known types \s-1SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.\s0 See the \s-1NOTES\s0 section on why \fISSL_CTX_use_certificate_chain_file()\fR should be preferred. .PP -\&\fISSL_CTX_use_certificate_chain_file()\fR loads a certificate chain from +\&\fISSL_CTX_use_certificate_chain_file()\fR loads a certificate chain from \&\fBfile\fR into \fBctx\fR. The certificates must be in \s-1PEM\s0 format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate \s-1CA\s0 certificates if applicable, and -ending at the highest level (root) \s-1CA.\s0 -There is no corresponding function working on a single \s-1SSL\s0 object. +ending at the highest level (root) \s-1CA.\s0 \fISSL_use_certificate_chain_file()\fR is +similar except it loads the certificate chain into \fBssl\fR. .PP \&\fISSL_CTX_use_PrivateKey()\fR adds \fBpkey\fR as private key to \fBctx\fR. \&\fISSL_CTX_use_RSAPrivateKey()\fR adds the private key \fBrsa\fR of type \s-1RSA\s0 @@ -216,6 +220,20 @@ key pair the new certificate needs to be set with \fISSL_use_certificate()\fR or \fISSL_CTX_use_certificate()\fR before setting the private key with \&\fISSL_CTX_use_PrivateKey()\fR or \fISSL_use_PrivateKey()\fR. .PP +\&\fISSL_CTX_use_cert_and_key()\fR and \fISSL_use_cert_and_key()\fR assign the X.509 +certificate \fBx\fR, private key \fBkey\fR, and certificate \fBchain\fR onto the +corresponding \fBssl\fR or \fBctx\fR. The \fBpkey\fR argument must be the private +key of the X.509 certificate \fBx\fR. If the \fBoverride\fR argument is 0, then +\&\fBx\fR, \fBpkey\fR and \fBchain\fR are set only if all were not previously set. +If \fBoverride\fR is non\-0, then the certificate, private key and chain certs +are always set. If \fBpkey\fR is \s-1NULL,\s0 then the public key of \fBx\fR is used as +the private key. This is intended to be used with hardware (via the \s-1ENGINE\s0 +interface) that stores the private key securely, such that it cannot be +accessed by OpenSSL. The reference count of the public key is incremented +(twice if there is no private key); it is not copied nor duplicated. This +allows all private key validations checks to succeed without an actual +private key being assigned via \fISSL_CTX_use_PrivateKey()\fR, etc. +.PP \&\fISSL_CTX_use_PrivateKey_ASN1()\fR adds the private key of type \fBpk\fR stored at memory location \fBd\fR (length \fBlen\fR) to \fBctx\fR. \&\fISSL_CTX_use_RSAPrivateKey_ASN1()\fR adds the private key of type \s-1RSA\s0 @@ -224,7 +242,7 @@ stored at memory location \fBd\fR (length \fBlen\fR) to \fBctx\fR. key to \fBssl\fR. .PP \&\fISSL_CTX_use_PrivateKey_file()\fR adds the first private key found in -\&\fBfile\fR to \fBctx\fR. The formatting \fBtype\fR of the certificate must be specified +\&\fBfile\fR to \fBctx\fR. The formatting \fBtype\fR of the private key must be specified from the known types \s-1SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.\s0 \&\fISSL_CTX_use_RSAPrivateKey_file()\fR adds the first private \s-1RSA\s0 key found in \&\fBfile\fR to \fBctx\fR. \fISSL_use_PrivateKey_file()\fR adds the first private key found @@ -246,7 +264,7 @@ cipher selected, see also \fISSL_CTX_set_cipher_list\fR\|(3). .PP When reading certificates and private keys from file, files of type \&\s-1SSL_FILETYPE_ASN1\s0 (also known as \fB\s-1DER\s0\fR, binary encoding) can only contain -one certificate or private key, consequently +one certificate or private key, consequently \&\fISSL_CTX_use_certificate_chain_file()\fR is only applicable to \s-1PEM\s0 formatting. Files of type \s-1SSL_FILETYPE_PEM\s0 can contain more than one item. .PP @@ -254,7 +272,7 @@ Files of type \s-1SSL_FILETYPE_PEM\s0 can contain more than one item. in the file to the certificate store. The other certificates are added to the store of chain certificates using \fISSL_CTX_add1_chain_cert\fR\|(3). Note: versions of OpenSSL before 1.0.2 only had a single certificate chain store for all certificate types, OpenSSL 1.0.2 and later -have a separate chain store for each type. \fISSL_CTX_use_certificate_chain_file()\fR +have a separate chain store for each type. \fISSL_CTX_use_certificate_chain_file()\fR should be used instead of the \fISSL_CTX_use_certificate_file()\fR function in order to allow the use of complete certificate chains even when no trusted \s-1CA\s0 storage is used or when the \s-1CA\s0 issuing the certificate shall not be added to @@ -285,14 +303,18 @@ On success, the functions return 1. Otherwise check out the error stack to find out the reason. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_new\fR\|(3), \fISSL_clear\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_new\fR\|(3), \fISSL_clear\fR\|(3), \&\fISSL_CTX_load_verify_locations\fR\|(3), \&\fISSL_CTX_set_default_passwd_cb\fR\|(3), \&\fISSL_CTX_set_cipher_list\fR\|(3), +\&\fISSL_CTX_set_client_CA_list\fR\|(3), \&\fISSL_CTX_set_client_cert_cb\fR\|(3), \&\fISSL_CTX_add_extra_chain_cert\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -Support for \s-1DER\s0 encoded private keys (\s-1SSL_FILETYPE_ASN1\s0) in -\&\fISSL_CTX_use_PrivateKey_file()\fR and \fISSL_use_PrivateKey_file()\fR was added -in 0.9.8 . +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_CTX_use_psk_identity_hint.3 b/secure/lib/libcrypto/man/SSL_CTX_use_psk_identity_hint.3 new file mode 100644 index 000000000000..c5361be508f5 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_CTX_use_psk_identity_hint.3 @@ -0,0 +1,265 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_CTX_USE_PSK_IDENTITY_HINT 3" +.TH SSL_CTX_USE_PSK_IDENTITY_HINT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_psk_server_cb_func, SSL_psk_find_session_cb_func, SSL_CTX_use_psk_identity_hint, SSL_use_psk_identity_hint, SSL_CTX_set_psk_server_callback, SSL_set_psk_server_callback, SSL_CTX_set_psk_find_session_callback, SSL_set_psk_find_session_callback \&\- set PSK identity hint to use +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef int (*SSL_psk_find_session_cb_func)(SSL *ssl, +\& const unsigned char *identity, +\& size_t identity_len, +\& SSL_SESSION **sess); +\& +\& +\& void SSL_CTX_set_psk_find_session_callback(SSL_CTX *ctx, +\& SSL_psk_find_session_cb_func cb); +\& void SSL_set_psk_find_session_callback(SSL *s, SSL_psk_find_session_cb_func cb); +\& +\& typedef unsigned int (*SSL_psk_server_cb_func)(SSL *ssl, +\& const char *identity, +\& unsigned char *psk, +\& unsigned int max_psk_len); +\& +\& int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint); +\& int SSL_use_psk_identity_hint(SSL *ssl, const char *hint); +\& +\& void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, SSL_psk_server_cb_func cb); +\& void SSL_set_psk_server_callback(SSL *ssl, SSL_psk_server_cb_func cb); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A client application wishing to use TLSv1.3 PSKs should set a callback +using either \fISSL_CTX_set_psk_use_session_callback()\fR or +\&\fISSL_set_psk_use_session_callback()\fR as appropriate. +.PP +The callback function is given a pointer to the \s-1SSL\s0 connection in \fBssl\fR and +an identity in \fBidentity\fR of length \fBidentity_len\fR. The callback function +should identify an \s-1SSL_SESSION\s0 object that provides the \s-1PSK\s0 details and store it +in \fB*sess\fR. The \s-1SSL_SESSION\s0 object should, as a minimum, set the master key, +the ciphersuite and the protocol version. See +\&\fISSL_CTX_set_psk_use_session_callback\fR\|(3) for details. +.PP +It is also possible for the callback to succeed but not supply a \s-1PSK.\s0 In this +case no \s-1PSK\s0 will be used but the handshake will continue. To do this the +callback should return successfully and ensure that \fB*sess\fR is +\&\s-1NULL.\s0 +.PP +Identity hints are not relevant for TLSv1.3. A server application wishing to use +\&\s-1PSK\s0 ciphersuites for TLSv1.2 and below may call \fISSL_CTX_use_psk_identity_hint()\fR +to set the given \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0 identity hint \fBhint\fR for \s-1SSL\s0 context +object \fBctx\fR. \fISSL_use_psk_identity_hint()\fR sets the given \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0 +identity hint \fBhint\fR for the \s-1SSL\s0 connection object \fBssl\fR. If \fBhint\fR is +\&\fB\s-1NULL\s0\fR the current hint from \fBctx\fR or \fBssl\fR is deleted. +.PP +In the case where \s-1PSK\s0 identity hint is \fB\s-1NULL\s0\fR, the server does not send the +ServerKeyExchange message to the client. +.PP +A server application wishing to use PSKs for TLSv1.2 and below must provide a +callback function which is called when the server receives the +ClientKeyExchange message from the client. The purpose of the callback function +is to validate the received \s-1PSK\s0 identity and to fetch the pre-shared key used +during the connection setup phase. The callback is set using the functions +\&\fISSL_CTX_set_psk_server_callback()\fR or \fISSL_set_psk_server_callback()\fR. The callback +function is given the connection in parameter \fBssl\fR, \fB\s-1NUL\s0\fR\-terminated \s-1PSK\s0 +identity sent by the client in parameter \fBidentity\fR, and a buffer \fBpsk\fR of +length \fBmax_psk_len\fR bytes where the pre-shared key is to be stored. +.PP +The callback for use in TLSv1.2 will also work in TLSv1.3 although it is +recommended to use \fISSL_CTX_set_psk_find_session_callback()\fR +or \fISSL_set_psk_find_session_callback()\fR for this purpose instead. If TLSv1.3 has +been negotiated then OpenSSL will first check to see if a callback has been set +via \fISSL_CTX_set_psk_find_session_callback()\fR or \fISSL_set_psk_find_session_callback()\fR +and it will use that in preference. If no such callback is present then it will +check to see if a callback has been set via \fISSL_CTX_set_psk_server_callback()\fR or +\&\fISSL_set_psk_server_callback()\fR and use that. In this case the handshake digest +will default to \s-1SHA\-256\s0 for any returned \s-1PSK.\s0 +.SH "NOTES" +.IX Header "NOTES" +A connection established via a TLSv1.3 \s-1PSK\s0 will appear as if session resumption +has occurred so that \fISSL_session_reused\fR\|(3) will return true. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fB\f(BISSL_CTX_use_psk_identity_hint()\fB\fR and \fB\f(BISSL_use_psk_identity_hint()\fB\fR return +1 on success, 0 otherwise. +.PP +Return values from the TLSv1.2 and below server callback are interpreted as +follows: +.IP "0" 4 +\&\s-1PSK\s0 identity was not found. An \*(L"unknown_psk_identity\*(R" alert message +will be sent and the connection setup fails. +.IP ">0" 4 +.IX Item ">0" +\&\s-1PSK\s0 identity was found and the server callback has provided the \s-1PSK\s0 +successfully in parameter \fBpsk\fR. Return value is the length of +\&\fBpsk\fR in bytes. It is an error to return a value greater than +\&\fBmax_psk_len\fR. +.Sp +If the \s-1PSK\s0 identity was not found but the callback instructs the +protocol to continue anyway, the callback must provide some random +data to \fBpsk\fR and return the length of the random data, so the +connection will fail with decryption_error before it will be finished +completely. +.PP +The \fBSSL_psk_find_session_cb_func\fR callback should return 1 on success or 0 on +failure. In the event of failure the connection setup fails. +.SH "NOTES" +.IX Header "NOTES" +There are no known security issues with sharing the same \s-1PSK\s0 between TLSv1.2 (or +below) and TLSv1.3. However the \s-1RFC\s0 has this note of caution: +.PP +\&\*(L"While there is no known way in which the same \s-1PSK\s0 might produce related output +in both versions, only limited analysis has been done. Implementations can +ensure safety from cross-protocol related output by not reusing PSKs between +\&\s-1TLS 1.3\s0 and \s-1TLS 1.2.\*(R"\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_CTX_set_psk_use_session_callback\fR\|(3), +\&\fISSL_set_psk_use_session_callback\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_CTX_set_psk_find_session_callback()\fR and \fISSL_set_psk_find_session_callback()\fR +were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/secure/lib/libcrypto/man/SSL_CTX_use_serverinfo.3 similarity index 52% rename from secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 rename to secure/lib/libcrypto/man/SSL_CTX_use_serverinfo.3 index 25b6dbd0e131..4233bc0714da 100644 --- a/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 +++ b/secure/lib/libcrypto/man/SSL_CTX_use_serverinfo.3 @@ -128,63 +128,84 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_SESSION_get_ex_new_index 3" -.TH SSL_SESSION_get_ex_new_index 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CTX_USE_SERVERINFO 3" +.TH SSL_CTX_USE_SERVERINFO 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_SESSION_get_ex_new_index, SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data \- internal application specific data functions +SSL_CTX_use_serverinfo_ex, SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file \&\- use serverinfo extension .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int SSL_SESSION_get_ex_new_index(long argl, void *argp, -\& CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, -\& CRYPTO_EX_free *free_func); +\& int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version, +\& const unsigned char *serverinfo, +\& size_t serverinfo_length); \& -\& int SSL_SESSION_set_ex_data(SSL_SESSION *session, int idx, void *arg); +\& int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, +\& size_t serverinfo_length); \& -\& void *SSL_SESSION_get_ex_data(const SSL_SESSION *session, int idx); -\& -\& typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -\& int idx, long argl, void *argp); -\& typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -\& int idx, long argl, void *argp); -\& typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, -\& int idx, long argl, void *argp); +\& int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -Several OpenSSL structures can have application specific data attached to them. -These functions are used internally by OpenSSL to manipulate application -specific data attached to a specific structure. +These functions load \*(L"serverinfo\*(R" \s-1TLS\s0 extensions into the \s-1SSL_CTX. A\s0 +\&\*(L"serverinfo\*(R" extension is returned in response to an empty ClientHello +Extension. .PP -\&\fISSL_SESSION_get_ex_new_index()\fR is used to register a new index for application -specific data. +\&\fISSL_CTX_use_serverinfo_ex()\fR loads one or more serverinfo extensions from +a byte array into \fBctx\fR. The \fBversion\fR parameter specifies the format of the +byte array provided in \fB*serverinfo\fR which is of length \fBserverinfo_length\fR. .PP -\&\fISSL_SESSION_set_ex_data()\fR is used to store application data at \fBarg\fR for \fBidx\fR -into the \fBsession\fR object. +If \fBversion\fR is \fB\s-1SSL_SERVERINFOV2\s0\fR then the extensions in the array must +consist of a 4\-byte context, a 2\-byte Extension Type, a 2\-byte length, and then +length bytes of extension_data. The context and type values have the same +meaning as for \fISSL_CTX_add_custom_ext\fR\|(3). If serverinfo is being loaded for +extensions to be added to a Certificate message, then the extension will only +be added for the first certificate in the message (which is always the +end-entity certificate). .PP -\&\fISSL_SESSION_get_ex_data()\fR is used to retrieve the information for \fBidx\fR from -\&\fBsession\fR. +If \fBversion\fR is \fB\s-1SSL_SERVERINFOV1\s0\fR then the extensions in the array must +consist of a 2\-byte Extension Type, a 2\-byte length, and then length bytes of +extension_data. The type value has the same meaning as for +\&\fISSL_CTX_add_custom_ext\fR\|(3). The following default context value will be used +in this case: .PP -A detailed description for the \fB*\f(BI_get_ex_new_index()\fB\fR functionality -can be found in \fIRSA_get_ex_new_index\fR\|(3). -The \fB*\f(BI_get_ex_data()\fB\fR and \fB*\f(BI_set_ex_data()\fB\fR functionality is described in -\&\fICRYPTO_set_ex_data\fR\|(3). -.SH "WARNINGS" -.IX Header "WARNINGS" -The application data is only maintained for sessions held in memory. The -application data is not included when dumping the session with -\&\fIi2d_SSL_SESSION()\fR (and all functions indirectly calling the dump functions -like \fIPEM_write_SSL_SESSION()\fR and \fIPEM_write_bio_SSL_SESSION()\fR) and can -therefore not be restored. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIssl\fR\|(3), -\&\fIRSA_get_ex_new_index\fR\|(3), -\&\fICRYPTO_set_ex_data\fR\|(3) +.Vb 2 +\& SSL_EXT_TLS1_2_AND_BELOW_ONLY | SSL_EXT_CLIENT_HELLO +\& | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_IGNORE_ON_RESUMPTION +.Ve +.PP +\&\fISSL_CTX_use_serverinfo()\fR does the same thing as \fISSL_CTX_use_serverinfo_ex()\fR +except that there is no \fBversion\fR parameter so a default version of +\&\s-1SSL_SERVERINFOV1\s0 is used instead. +.PP +\&\fISSL_CTX_use_serverinfo_file()\fR loads one or more serverinfo extensions from +\&\fBfile\fR into \fBctx\fR. The extensions must be in \s-1PEM\s0 format. Each extension +must be in a format as described above for \fISSL_CTX_use_serverinfo_ex()\fR. Each +\&\s-1PEM\s0 extension name must begin with the phrase \*(L"\s-1BEGIN SERVERINFOV2 FOR \*(R"\s0 for +\&\s-1SSL_SERVERINFOV2\s0 data or \*(L"\s-1BEGIN SERVERINFO FOR \*(R"\s0 for \s-1SSL_SERVERINFOV1\s0 data. +.PP +If more than one certificate (\s-1RSA/DSA\s0) is installed using +\&\fISSL_CTX_use_certificate()\fR, the serverinfo extension will be loaded into the +last certificate installed. If e.g. the last item was a \s-1RSA\s0 certificate, the +loaded serverinfo extension data will be loaded for that certificate. To +use the serverinfo extension for multiple certificates, +\&\fISSL_CTX_use_serverinfo()\fR needs to be called multiple times, once \fBafter\fR +each time a certificate is loaded via a call to \fISSL_CTX_use_certificate()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +On success, the functions return 1. +On failure, the functions return 0. Check out the error stack to find out +the reason. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2013\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_SESSION_free.3 b/secure/lib/libcrypto/man/SSL_SESSION_free.3 similarity index 80% rename from secure/lib/libssl/man/SSL_SESSION_free.3 rename to secure/lib/libcrypto/man/SSL_SESSION_free.3 index 587ba96f8704..d6d4998a85cf 100644 --- a/secure/lib/libssl/man/SSL_SESSION_free.3 +++ b/secure/lib/libcrypto/man/SSL_SESSION_free.3 @@ -128,26 +128,39 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_SESSION_free 3" -.TH SSL_SESSION_free 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SESSION_FREE 3" +.TH SSL_SESSION_FREE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_SESSION_free \- free an allocated SSL_SESSION structure +SSL_SESSION_new, SSL_SESSION_dup, SSL_SESSION_up_ref, SSL_SESSION_free \- create, free and manage SSL_SESSION structures .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& SSL_SESSION *SSL_SESSION_new(void); +\& SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src); +\& int SSL_SESSION_up_ref(SSL_SESSION *ses); \& void SSL_SESSION_free(SSL_SESSION *session); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" +\&\fISSL_SESSION_new()\fR creates a new \s-1SSL_SESSION\s0 structure and returns a pointer to +it. +.PP +\&\fISSL_SESSION_dup()\fR copies the contents of the \s-1SSL_SESSION\s0 structure in \fBsrc\fR +and returns a pointer to it. +.PP +\&\fISSL_SESSION_up_ref()\fR increments the reference count on the given \s-1SSL_SESSION\s0 +structure. +.PP \&\fISSL_SESSION_free()\fR decrements the reference count of \fBsession\fR and removes the \fB\s-1SSL_SESSION\s0\fR structure pointed to by \fBsession\fR and frees up the allocated memory, if the reference count has reached 0. +If \fBsession\fR is \s-1NULL\s0 nothing is done. .SH "NOTES" .IX Header "NOTES" \&\s-1SSL_SESSION\s0 objects are allocated, when a \s-1TLS/SSL\s0 handshake operation @@ -174,10 +187,24 @@ It must not be called on other \s-1SSL_SESSION\s0 objects, as this would cause incorrect reference counts and therefore program failures. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fISSL_SESSION_free()\fR does not provide diagnostic information. +SSL_SESSION_new returns a pointer to the newly allocated \s-1SSL_SESSION\s0 structure +or \s-1NULL\s0 on error. +.PP +SSL_SESSION_up_ref returns 1 on success or 0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_get_session\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_get_session\fR\|(3), \&\fISSL_CTX_set_session_cache_mode\fR\|(3), \&\fISSL_CTX_flush_sessions\fR\|(3), - \fId2i_SSL_SESSION\fR\|(3) +\&\fId2i_SSL_SESSION\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_SESSION_dup()\fR was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_X509_NAME.3 b/secure/lib/libcrypto/man/SSL_SESSION_get0_cipher.3 similarity index 69% rename from secure/lib/libcrypto/man/d2i_X509_NAME.3 rename to secure/lib/libcrypto/man/SSL_SESSION_get0_cipher.3 index 12496c211177..6883279e6863 100644 --- a/secure/lib/libcrypto/man/d2i_X509_NAME.3 +++ b/secure/lib/libcrypto/man/SSL_SESSION_get0_cipher.3 @@ -128,33 +128,56 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_X509_NAME 3" -.TH d2i_X509_NAME 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SESSION_GET0_CIPHER 3" +.TH SSL_SESSION_GET0_CIPHER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_X509_NAME, i2d_X509_NAME \- X509_NAME encoding functions +SSL_SESSION_get0_cipher, SSL_SESSION_set_cipher \&\- set and retrieve the SSL cipher associated with a session .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& X509_NAME *d2i_X509_NAME(X509_NAME **a, unsigned char **pp, long length); -\& int i2d_X509_NAME(X509_NAME *a, unsigned char **pp); +\& const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s); +\& int SSL_SESSION_set_cipher(SSL_SESSION *s, const SSL_CIPHER *cipher); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions decode and encode an \fBX509_NAME\fR structure which is the -same as the \fBName\fR type defined in \s-1RFC2459\s0 (and elsewhere) and used -for example in certificate subject and issuer names. +\&\fISSL_SESSION_get0_cipher()\fR retrieves the cipher that was used by the +connection when the session was created, or \s-1NULL\s0 if it cannot be determined. .PP -Othewise the functions behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR -described in the \fId2i_X509\fR\|(3) manual page. +The value returned is a pointer to an object maintained within \fBs\fR and +should not be released. +.PP +\&\fISSL_SESSION_set_cipher()\fR can be used to set the ciphersuite associated with the +\&\s-1SSL_SESSION\s0 \fBs\fR to \fBcipher\fR. For example, this could be used to set up a +session based \s-1PSK\s0 (see \fISSL_CTX_set_psk_use_session_callback\fR\|(3)). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_get0_cipher()\fR returns the \s-1SSL_CIPHER\s0 associated with the \s-1SSL_SESSION\s0 +or \s-1NULL\s0 if it cannot be determined. +.PP +\&\fISSL_SESSION_set_cipher()\fR returns 1 on success or 0 on failure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fId2i_X509\fR\|(3) +\&\fIssl\fR\|(7), +\&\fId2i_SSL_SESSION\fR\|(3), +\&\fISSL_SESSION_get_time\fR\|(3), +\&\fISSL_SESSION_get0_hostname\fR\|(3), +\&\fISSL_SESSION_free\fR\|(3), +\&\fISSL_CTX_set_psk_use_session_callback\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\s-1TBA\s0 +\&\fISSL_SESSION_get0_cipher()\fR was first added to OpenSSL 1.1.0. +\&\fISSL_SESSION_set_cipher()\fR was first added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_SESSION_get0_hostname.3 b/secure/lib/libcrypto/man/SSL_SESSION_get0_hostname.3 new file mode 100644 index 000000000000..194e0c514435 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_SESSION_get0_hostname.3 @@ -0,0 +1,197 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SESSION_GET0_HOSTNAME 3" +.TH SSL_SESSION_GET0_HOSTNAME 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_SESSION_get0_hostname, SSL_SESSION_set1_hostname, SSL_SESSION_get0_alpn_selected, SSL_SESSION_set1_alpn_selected \&\- get and set SNI and ALPN data ssociated with a session +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s); +\& int SSL_SESSION_set1_hostname(SSL_SESSION *s, const char *hostname); +\& +\& void SSL_SESSION_get0_alpn_selected(const SSL_SESSION *s, +\& const unsigned char **alpn, +\& size_t *len); +\& int SSL_SESSION_set1_alpn_selected(SSL_SESSION *s, const unsigned char *alpn, +\& size_t len); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_SESSION_get0_hostname()\fR retrieves the \s-1SNI\s0 value that was sent by the +client when the session was created, or \s-1NULL\s0 if no value was sent. +.PP +The value returned is a pointer to memory maintained within \fBs\fR and +should not be free'd. +.PP +\&\fISSL_SESSION_set1_hostname()\fR sets the \s-1SNI\s0 value for the hostname to a copy of +the string provided in hostname. +.PP +\&\fISSL_SESSION_get0_alpn_selected()\fR retrieves the selected \s-1ALPN\s0 protocol for this +session and its associated length in bytes. The returned value of \fB*alpn\fR is a +pointer to memory maintained within \fBs\fR and should not be free'd. +.PP +\&\fISSL_SESSION_set1_alpn_selected()\fR sets the \s-1ALPN\s0 protocol for this session to the +value in \fBalpn\fR which should be of length \fBlen\fR bytes. A copy of the input +value is made, and the caller retains ownership of the memory pointed to by +\&\fBalpn\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_get0_hostname()\fR returns either a string or \s-1NULL\s0 based on if there +is the \s-1SNI\s0 value sent by client. +.PP +\&\fISSL_SESSION_set1_hostname()\fR returns 1 on success or 0 on error. +.PP +\&\fISSL_SESSION_set1_alpn_selected()\fR returns 1 on success or 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fId2i_SSL_SESSION\fR\|(3), +\&\fISSL_SESSION_get_time\fR\|(3), +\&\fISSL_SESSION_free\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_SESSION_set1_hostname()\fR, \fISSL_SESSION_get0_alpn_selected()\fR and +\&\fISSL_SESSION_set1_alpn_selected()\fR were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 b/secure/lib/libcrypto/man/SSL_SESSION_get0_id_context.3 similarity index 69% rename from secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 rename to secure/lib/libcrypto/man/SSL_SESSION_get0_id_context.3 index 8e27589af58b..8cad143c0b9b 100644 --- a/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 +++ b/secure/lib/libcrypto/man/SSL_SESSION_get0_id_context.3 @@ -128,54 +128,54 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "CRYPTO_set_ex_data 3" -.TH CRYPTO_set_ex_data 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SESSION_GET0_ID_CONTEXT 3" +.TH SSL_SESSION_GET0_ID_CONTEXT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -CRYPTO_set_ex_data, CRYPTO_get_ex_data \- internal application specific data functions +SSL_SESSION_get0_id_context, SSL_SESSION_set1_id_context \&\- get and set the SSL ID context associated with a session .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& -\& int CRYPTO_set_ex_data(CRYPTO_EX_DATA *r, int idx, void *arg); -\& -\& void *CRYPTO_get_ex_data(CRYPTO_EX_DATA *r, int idx); +\& const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s, +\& unsigned int *len) +\& int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, +\& unsigned int sid_ctx_len); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -Several OpenSSL structures can have application specific data attached to them. -These functions are used internally by OpenSSL to manipulate application -specific data attached to a specific structure. +See \fISSL_CTX_set_session_id_context\fR\|(3) for further details on session \s-1ID\s0 +contexts. .PP -These functions should only be used by applications to manipulate -\&\fB\s-1CRYPTO_EX_DATA\s0\fR structures passed to the \fB\f(BInew_func()\fB\fR, \fB\f(BIfree_func()\fB\fR and -\&\fB\f(BIdup_func()\fB\fR callbacks: as passed to \fB\f(BIRSA_get_ex_new_index()\fB\fR for example. +\&\fISSL_SESSION_get0_id_context()\fR returns the \s-1ID\s0 context associated with +the \s-1SSL/TLS\s0 session \fBs\fR. The length of the \s-1ID\s0 context is written to +\&\fB*len\fR if \fBlen\fR is not \s-1NULL.\s0 .PP -\&\fB\f(BICRYPTO_set_ex_data()\fB\fR is used to set application specific data, the data is -supplied in the \fBarg\fR parameter and its precise meaning is up to the -application. +The value returned is a pointer to an object maintained within \fBs\fR and +should not be released. .PP -\&\fB\f(BICRYPTO_get_ex_data()\fB\fR is used to retrieve application specific data. The data -is returned to the application, this will be the same value as supplied to -a previous \fB\f(BICRYPTO_set_ex_data()\fB\fR call. +\&\fISSL_SESSION_set1_id_context()\fR takes a copy of the provided \s-1ID\s0 context given in +\&\fBsid_ctx\fR and associates it with the session \fBs\fR. The length of the \s-1ID\s0 context +is given by \fBsid_ctx_len\fR which must not exceed \s-1SSL_MAX_SID_CTX_LENGTH\s0 bytes. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fB\f(BICRYPTO_set_ex_data()\fB\fR returns 1 on success or 0 on failure. -.PP -\&\fB\f(BICRYPTO_get_ex_data()\fB\fR returns the application data or 0 on failure. 0 may also -be valid application data but currently it can only fail if given an invalid \fBidx\fR -parameter. -.PP -On failure an error code can be obtained from \fIERR_get_error\fR\|(3). +\&\fISSL_SESSION_set1_id_context()\fR returns 1 on success or 0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIRSA_get_ex_new_index\fR\|(3), -\&\fIDSA_get_ex_new_index\fR\|(3), -\&\fIDH_get_ex_new_index\fR\|(3) +\&\fIssl\fR\|(7), +\&\fISSL_set_session_id_context\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fICRYPTO_set_ex_data()\fR and \fICRYPTO_get_ex_data()\fR have been available since SSLeay 0.9.0. +\&\fISSL_SESSION_get0_id_context()\fR was first added to OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_SESSION_get0_peer.3 b/secure/lib/libcrypto/man/SSL_SESSION_get0_peer.3 new file mode 100644 index 000000000000..1454d4f56369 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_SESSION_get0_peer.3 @@ -0,0 +1,165 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SESSION_GET0_PEER 3" +.TH SSL_SESSION_GET0_PEER 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_SESSION_get0_peer \&\- get details about peer's certificate for a session +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509 *SSL_SESSION_get0_peer(SSL_SESSION *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_SESSION_get0_peer()\fR returns the peer certificate associated with the session +\&\fBs\fR or \s-1NULL\s0 if no peer certificate is available. The caller should not free the +returned value (unless \fIX509_up_ref\fR\|(3) has also been called). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_get0_peer()\fR returns a pointer to the peer certificate or \s-1NULL\s0 if +no peer certificate is available. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_SESSION_get_compress_id.3 b/secure/lib/libcrypto/man/SSL_SESSION_get_compress_id.3 new file mode 100644 index 000000000000..61c990bda140 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_SESSION_get_compress_id.3 @@ -0,0 +1,166 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SESSION_GET_COMPRESS_ID 3" +.TH SSL_SESSION_GET_COMPRESS_ID 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_SESSION_get_compress_id \&\- get details about the compression associated with a session +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +If compression has been negotiated for an ssl session then +\&\fISSL_SESSION_get_compress_id()\fR will return the id for the compression method or +0 otherwise. The only built-in supported compression method is zlib which has an +id of 1. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_get_compress_id()\fR returns the id of the compression method or 0 if +none. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_SESSION_get_ex_data.3 b/secure/lib/libcrypto/man/SSL_SESSION_get_ex_data.3 new file mode 100644 index 000000000000..9734f458a938 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_SESSION_get_ex_data.3 @@ -0,0 +1,173 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SESSION_GET_EX_DATA 3" +.TH SSL_SESSION_GET_EX_DATA 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_SESSION_set_ex_data, SSL_SESSION_get_ex_data \&\- get and set application specific data on a session +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_SESSION_set_ex_data(SSL_SESSION *ss, int idx, void *data); +\& void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_SESSION_set_ex_data()\fR enables an application to store arbitrary application +specific data \fBdata\fR in an \s-1SSL_SESSION\s0 structure \fBss\fR. The index \fBidx\fR should +be a value previously returned from a call to \fICRYPTO_get_ex_new_index\fR\|(3). +.PP +\&\fISSL_SESSION_get_ex_data()\fR retrieves application specific data previously stored +in an \s-1SSL_SESSION\s0 structure \fBs\fR. The \fBidx\fR value should be the same as that +used when originally storing the data. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_set_ex_data()\fR returns 1 for success or 0 for failure. +.PP +\&\fISSL_SESSION_get_ex_data()\fR returns the previously stored value or \s-1NULL\s0 on +failure. \s-1NULL\s0 may also be a valid value. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fICRYPTO_get_ex_new_index\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3 b/secure/lib/libcrypto/man/SSL_SESSION_get_protocol_version.3 similarity index 68% rename from secure/lib/libssl/man/SSL_CTX_use_serverinfo.3 rename to secure/lib/libcrypto/man/SSL_SESSION_get_protocol_version.3 index fa42e6b75d08..bc22d91fe162 100644 --- a/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3 +++ b/secure/lib/libcrypto/man/SSL_SESSION_get_protocol_version.3 @@ -128,56 +128,54 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_use_serverinfo 3" -.TH SSL_CTX_use_serverinfo 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SESSION_GET_PROTOCOL_VERSION 3" +.TH SSL_SESSION_GET_PROTOCOL_VERSION 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file \- use serverinfo extension +SSL_SESSION_get_protocol_version, SSL_SESSION_set_protocol_version \&\- get and set the session protocol version .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int SSL_CTX_use_serverinfo(SSL_CTX *ctx, const unsigned char *serverinfo, -\& size_t serverinfo_length); -\& -\& int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file); +\& int SSL_SESSION_get_protocol_version(const SSL_SESSION *s); +\& int SSL_SESSION_set_protocol_version(SSL_SESSION *s, int version); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions load \*(L"serverinfo\*(R" \s-1TLS\s0 ServerHello Extensions into the \s-1SSL_CTX. -A\s0 \*(L"serverinfo\*(R" extension is returned in response to an empty ClientHello -Extension. +\&\fISSL_SESSION_get_protocol_version()\fR returns the protocol version number used +by session \fBs\fR. .PP -\&\fISSL_CTX_use_serverinfo()\fR loads one or more serverinfo extensions from -a byte array into \fBctx\fR. The extensions must be concatenated into a -sequence of bytes. Each extension must consist of a 2\-byte Extension Type, -a 2\-byte length, and then length bytes of extension_data. -.PP -\&\fISSL_CTX_use_serverinfo_file()\fR loads one or more serverinfo extensions from -\&\fBfile\fR into \fBctx\fR. The extensions must be in \s-1PEM\s0 format. Each extension -must consist of a 2\-byte Extension Type, a 2\-byte length, and then length -bytes of extension_data. Each \s-1PEM\s0 extension name must begin with the phrase -\&\*(L"\s-1BEGIN SERVERINFO FOR \*(R".\s0 -.PP -If more than one certificate (\s-1RSA/DSA\s0) is installed using -\&\fISSL_CTX_use_certificate()\fR, the serverinfo extension will be loaded into the -last certificate installed. If e.g. the last item was a \s-1RSA\s0 certificate, the -loaded serverinfo extension data will be loaded for that certificate. To -use the serverinfo extension for multiple certificates, -\&\fISSL_CTX_use_serverinfo()\fR needs to be called multiple times, once \fBafter\fR -each time a certificate is loaded. -.SH "NOTES" -.IX Header "NOTES" +\&\fISSL_SESSION_set_protocol_version()\fR sets the protocol version associated with the +\&\s-1SSL_SESSION\s0 object \fBs\fR to the value \fBversion\fR. This value should be a version +constant such as \fB\s-1TLS1_3_VERSION\s0\fR etc. For example, this could be used to set +up a session based \s-1PSK\s0 (see \fISSL_CTX_set_psk_use_session_callback\fR\|(3)). .SH "RETURN VALUES" .IX Header "RETURN VALUES" -On success, the functions return 1. -On failure, the functions return 0. Check out the error stack to find out -the reason. +\&\fISSL_SESSION_get_protocol_version()\fR returns a number indicating the protocol +version used for the session; this number matches the constants \fIe.g.\fR +\&\fB\s-1TLS1_VERSION\s0\fR, \fB\s-1TLS1_2_VERSION\s0\fR or \fB\s-1TLS1_3_VERSION\s0\fR. +.PP +Note that the \fISSL_SESSION_get_protocol_version()\fR function +does \fBnot\fR perform a null check on the provided session \fBs\fR pointer. +.PP +\&\fISSL_SESSION_set_protocol_version()\fR returns 1 on success or 0 on failure. .SH "SEE ALSO" .IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fISSL_CTX_set_psk_use_session_callback\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" +\&\fISSL_SESSION_get_protocol_version()\fR was first added to OpenSSL 1.1.0. +\&\fISSL_SESSION_set_protocol_version()\fR was first added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_SESSION_get_time.3 b/secure/lib/libcrypto/man/SSL_SESSION_get_time.3 similarity index 90% rename from secure/lib/libssl/man/SSL_SESSION_get_time.3 rename to secure/lib/libcrypto/man/SSL_SESSION_get_time.3 index 1e8180745ddc..e2d8a5936c82 100644 --- a/secure/lib/libssl/man/SSL_SESSION_get_time.3 +++ b/secure/lib/libcrypto/man/SSL_SESSION_get_time.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_SESSION_get_time 3" -.TH SSL_SESSION_get_time 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SESSION_GET_TIME 3" +.TH SSL_SESSION_GET_TIME 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_set_timeout \- retrieve and manipulate session time and timeout settings +SSL_SESSION_get_time, SSL_SESSION_set_time, SSL_SESSION_get_timeout, SSL_SESSION_set_timeout, SSL_get_time, SSL_set_time, SSL_get_timeout, SSL_set_timeout \&\- retrieve and manipulate session time and timeout settings .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -183,10 +183,18 @@ valid values. .PP \&\fISSL_SESSION_set_time()\fR and \fISSL_SESSION_set_timeout()\fR return 1 on success. .PP -If any of the function is passed the \s-1NULL\s0 pointer for the session \fBs\fR, +If any of the function is passed the \s-1NULL\s0 pointer for the session \fBs\fR, 0 is returned. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_timeout\fR\|(3), \&\fISSL_get_default_timeout\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_SESSION_has_ticket.3 b/secure/lib/libcrypto/man/SSL_SESSION_has_ticket.3 new file mode 100644 index 000000000000..20c319f67352 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_SESSION_has_ticket.3 @@ -0,0 +1,184 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SESSION_HAS_TICKET 3" +.TH SSL_SESSION_HAS_TICKET 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_SESSION_get0_ticket, SSL_SESSION_has_ticket, SSL_SESSION_get_ticket_lifetime_hint \&\- get details about the ticket associated with a session +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_SESSION_has_ticket(const SSL_SESSION *s); +\& unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s); +\& void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick, +\& size_t *len); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_SESSION_has_ticket()\fR returns 1 if there is a Session Ticket associated with +this session, and 0 otherwise. +.PP +SSL_SESSION_get_ticket_lifetime_hint returns the lifetime hint in seconds +associated with the session ticket. +.PP +SSL_SESSION_get0_ticket obtains a pointer to the ticket associated with a +session. The length of the ticket is written to \fB*len\fR. If \fBtick\fR is non +\&\s-1NULL\s0 then a pointer to the ticket is written to \fB*tick\fR. The pointer is only +valid while the connection is in use. The session (and hence the ticket pointer) +may also become invalid as a result of a call to \fISSL_CTX_flush_sessions()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_has_ticket()\fR returns 1 if session ticket exists or 0 otherwise. +.PP +\&\fISSL_SESSION_get_ticket_lifetime_hint()\fR returns the number of seconds. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fId2i_SSL_SESSION\fR\|(3), +\&\fISSL_SESSION_get_time\fR\|(3), +\&\fISSL_SESSION_free\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +SSL_SESSION_has_ticket, SSL_SESSION_get_ticket_lifetime_hint and +SSL_SESSION_get0_ticket were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_SESSION_is_resumable.3 b/secure/lib/libcrypto/man/SSL_SESSION_is_resumable.3 new file mode 100644 index 000000000000..36492389f9c5 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_SESSION_is_resumable.3 @@ -0,0 +1,170 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SESSION_IS_RESUMABLE 3" +.TH SSL_SESSION_IS_RESUMABLE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_SESSION_is_resumable \&\- determine whether an SSL_SESSION object can be used for resumption +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_SESSION_is_resumable(const SSL_SESSION *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_SESSION_is_resumable()\fR determines whether an \s-1SSL_SESSION\s0 object can be used +to resume a session or not. Returns 1 if it can or 0 if not. Note that +attempting to resume with a non-resumable session will result in a full +handshake. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_is_resumable()\fR returns 1 if the session is resumable or 0 otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fISSL_get_session\fR\|(3), +\&\fISSL_CTX_sess_set_new_cb\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_SESSION_is_resumable()\fR was first added to OpenSSL 1.1.1 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_SESSION_print.3 b/secure/lib/libcrypto/man/SSL_SESSION_print.3 new file mode 100644 index 000000000000..d6b200a9ad28 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_SESSION_print.3 @@ -0,0 +1,172 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SESSION_PRINT 3" +.TH SSL_SESSION_PRINT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_SESSION_print, SSL_SESSION_print_fp, SSL_SESSION_print_keylog \&\- printf information about a session +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses); +\& int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *ses); +\& int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_SESSION_print()\fR prints summary information about the session provided in +\&\fBses\fR to the \s-1BIO\s0 \fBfp\fR. +.PP +\&\fISSL_SESSION_print_fp()\fR does the same as \fISSL_SESSION_print()\fR except it prints it +to the \s-1FILE\s0 \fBfp\fR. +.PP +\&\fISSL_SESSION_print_keylog()\fR prints session information to the provided \s-1BIO\s0 +in \s-1NSS\s0 keylog format. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_print()\fR, \fISSL_SESSION_print_fp()\fR and SSL_SESSION_print_keylog return +1 on success or 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_SESSION_set1_id.3 b/secure/lib/libcrypto/man/SSL_SESSION_set1_id.3 new file mode 100644 index 000000000000..637cfab6bea5 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_SESSION_set1_id.3 @@ -0,0 +1,175 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SESSION_SET1_ID 3" +.TH SSL_SESSION_SET1_ID 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_SESSION_get_id, SSL_SESSION_set1_id \&\- get and set the SSL session ID +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, +\& unsigned int *len) +\& int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, +\& unsigned int sid_len); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_SESSION_get_id()\fR returns a pointer to the internal session id value for the +session \fBs\fR. The length of the id in bytes is stored in \fB*len\fR. The length may +be 0. The caller should not free the returned pointer directly. +.PP +\&\fISSL_SESSION_set1_id()\fR sets the session \s-1ID\s0 for the \fBssl\fR \s-1SSL/TLS\s0 session +to \fBsid\fR of length \fBsid_len\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_get_id()\fR returns a pointer to the session id value. +\&\fISSL_SESSION_set1_id()\fR returns 1 for success and 0 for failure, for example +if the supplied session \s-1ID\s0 length exceeds \fB\s-1SSL_MAX_SSL_SESSION_ID_LENGTH\s0\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_SESSION_set1_id()\fR was first added to OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_accept.3 b/secure/lib/libcrypto/man/SSL_accept.3 similarity index 92% rename from secure/lib/libssl/man/SSL_accept.3 rename to secure/lib/libcrypto/man/SSL_accept.3 index 11c09120d5e4..d1ad26d70337 100644 --- a/secure/lib/libssl/man/SSL_accept.3 +++ b/secure/lib/libcrypto/man/SSL_accept.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_accept 3" -.TH SSL_accept 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_ACCEPT 3" +.TH SSL_ACCEPT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -187,7 +187,15 @@ to find out the reason. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_get_error\fR\|(3), \fISSL_connect\fR\|(3), -\&\fISSL_shutdown\fR\|(3), \fIssl\fR\|(3), \fIbio\fR\|(3), +\&\fISSL_shutdown\fR\|(3), \fIssl\fR\|(7), \fIbio\fR\|(7), \&\fISSL_set_connect_state\fR\|(3), \&\fISSL_do_handshake\fR\|(3), \&\fISSL_CTX_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_alert_type_string.3 b/secure/lib/libcrypto/man/SSL_alert_type_string.3 similarity index 96% rename from secure/lib/libssl/man/SSL_alert_type_string.3 rename to secure/lib/libcrypto/man/SSL_alert_type_string.3 index 037dca60afb2..eed150a989d8 100644 --- a/secure/lib/libssl/man/SSL_alert_type_string.3 +++ b/secure/lib/libcrypto/man/SSL_alert_type_string.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_alert_type_string 3" -.TH SSL_alert_type_string 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_ALERT_TYPE_STRING 3" +.TH SSL_ALERT_TYPE_STRING 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -354,4 +354,12 @@ This indicates that no description is available for this alert type. Probably \fBvalue\fR does not contain a correct alert message. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_info_callback\fR\|(3) +\&\fIssl\fR\|(7), \fISSL_CTX_set_info_callback\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_alloc_buffers.3 b/secure/lib/libcrypto/man/SSL_alloc_buffers.3 new file mode 100644 index 000000000000..7b451ef2984a --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_alloc_buffers.3 @@ -0,0 +1,189 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_ALLOC_BUFFERS 3" +.TH SSL_ALLOC_BUFFERS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_free_buffers, SSL_alloc_buffers \- manage SSL structure buffers +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_free_buffers(SSL *ssl); +\& int SSL_alloc_buffers(SSL *ssl); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_free_buffers()\fR frees the read and write buffers of the given \fBssl\fR. +\&\fISSL_alloc_buffers()\fR allocates the read and write buffers of the given \fBssl\fR. +.PP +The \fB\s-1SSL_MODE_RELEASE_BUFFERS\s0\fR mode releases read or write buffers whenever +the buffers have been drained. These functions allow applications to manually +control when buffers are freed and allocated. +.PP +After freeing the buffers, the buffers are automatically reallocated upon a +new read or write. The \fISSL_alloc_buffers()\fR does not need to be called, but +can be used to make sure the buffers are pre-allocated. This can be used to +avoid allocation during data processing or with \fICRYPTO_set_mem_functions()\fR +to control where and how buffers are allocated. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The following return values can occur: +.IP "0 (Failure)" 4 +.IX Item "0 (Failure)" +The \fISSL_free_buffers()\fR function returns 0 when there is pending data to be +read or written. The \fISSL_alloc_buffers()\fR function returns 0 when there is +an allocation failure. +.IP "1 (Success)" 4 +.IX Item "1 (Success)" +The \fISSL_free_buffers()\fR function returns 1 if the buffers have been freed. This +value is also returned if the buffers had been freed before calling +\&\fISSL_free_buffers()\fR. +The \fISSL_alloc_buffers()\fR function returns 1 if the buffers have been allocated. +This value is also returned if the buffers had been allocated before calling +\&\fISSL_alloc_buffers()\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_free\fR\|(3), \fISSL_clear\fR\|(3), +\&\fISSL_new\fR\|(3), \fISSL_CTX_set_mode\fR\|(3), +CRYPTO_set_mem_functions +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_check_chain.3 b/secure/lib/libcrypto/man/SSL_check_chain.3 similarity index 91% rename from secure/lib/libssl/man/SSL_check_chain.3 rename to secure/lib/libcrypto/man/SSL_check_chain.3 index 70e1c6cc8725..61f3576b3286 100644 --- a/secure/lib/libssl/man/SSL_check_chain.3 +++ b/secure/lib/libcrypto/man/SSL_check_chain.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_check_chain 3" -.TH SSL_check_chain 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CHECK_CHAIN 3" +.TH SSL_CHECK_CHAIN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -203,11 +203,19 @@ The validity of a chain is determined by checking if it matches a supported signature algorithm, supported curves and in the case of client authentication certificate types and issuer names. .PP -Since the supported signature algorithms extension is only used in \s-1TLS 1.2\s0 -and \s-1DTLS 1.2\s0 the results for earlier versions of \s-1TLS\s0 and \s-1DTLS\s0 may not be -very useful. Applications may wish to specify a different \*(L"legacy\*(R" chain +Since the supported signature algorithms extension is only used in \s-1TLS 1.2, +TLS 1.3\s0 and \s-1DTLS 1.2\s0 the results for earlier versions of \s-1TLS\s0 and \s-1DTLS\s0 may not +be very useful. Applications may wish to specify a different \*(L"legacy\*(R" chain for earlier versions of \s-1TLS\s0 or \s-1DTLS.\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_CTX_set_cert_cb\fR\|(3), -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_clear.3 b/secure/lib/libcrypto/man/SSL_clear.3 similarity index 91% rename from secure/lib/libssl/man/SSL_clear.3 rename to secure/lib/libcrypto/man/SSL_clear.3 index 3ecff9437704..1aaef2090e65 100644 --- a/secure/lib/libssl/man/SSL_clear.3 +++ b/secure/lib/libcrypto/man/SSL_clear.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_clear 3" -.TH SSL_clear 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CLEAR 3" +.TH SSL_CLEAR 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -162,7 +162,7 @@ settings corresponding. This explicitly means, that e.g. the special method used during the session will be kept for the next handshake. So if the session was a TLSv1 session, a \s-1SSL\s0 client object will use a TLSv1 client method for the next handshake and a \s-1SSL\s0 server object will use a TLSv1 -server method, even if SSLv23_*_methods were chosen on startup. This +server method, even if TLS_*_methods were chosen on startup. This will might lead to connection failures (see \fISSL_new\fR\|(3)) for a description of the method's properties. .SH "WARNINGS" @@ -192,5 +192,13 @@ The \fISSL_clear()\fR operation was successful. .PP \&\fISSL_new\fR\|(3), \fISSL_free\fR\|(3), \&\fISSL_shutdown\fR\|(3), \fISSL_set_shutdown\fR\|(3), -\&\fISSL_CTX_set_options\fR\|(3), \fIssl\fR\|(3), +\&\fISSL_CTX_set_options\fR\|(3), \fIssl\fR\|(7), \&\fISSL_CTX_set_client_cert_cb\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_connect.3 b/secure/lib/libcrypto/man/SSL_connect.3 similarity index 81% rename from secure/lib/libssl/man/SSL_connect.3 rename to secure/lib/libcrypto/man/SSL_connect.3 index 0ad7fce7b6e7..76fb22584731 100644 --- a/secure/lib/libssl/man/SSL_connect.3 +++ b/secure/lib/libcrypto/man/SSL_connect.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_connect 3" -.TH SSL_connect 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_CONNECT 3" +.TH SSL_CONNECT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -166,6 +166,21 @@ The action depends on the underlying \s-1BIO.\s0 When using a non-blocking socke nothing is to be done, but \fIselect()\fR can be used to check for the required condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written into or retrieved out of the \s-1BIO\s0 before being able to continue. +.PP +Many systems implement Nagle's algorithm by default which means that it will +buffer outgoing \s-1TCP\s0 data if a \s-1TCP\s0 packet has already been sent for which no +corresponding \s-1ACK\s0 has been received yet from the peer. This can have performance +impacts after a successful TLSv1.3 handshake or a successful TLSv1.2 (or below) +resumption handshake, because the last peer to communicate in the handshake is +the client. If the client is also the first to send application data (as is +typical for many protocols) then this data could be buffered until an \s-1ACK\s0 has +been received for the final handshake message. +.PP +The \fB\s-1TCP_NODELAY\s0\fR socket option is often available to disable Nagle's +algorithm. If an application opts to disable Nagle's algorithm consideration +should be given to turning it back on again later if appropriate. The helper +function \fIBIO_set_tcp_ndelay()\fR can be used to turn on or off the \fB\s-1TCP_NODELAY\s0\fR +option. .SH "RETURN VALUES" .IX Header "RETURN VALUES" The following return values can occur: @@ -187,7 +202,15 @@ to find out the reason. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_get_error\fR\|(3), \fISSL_accept\fR\|(3), -\&\fISSL_shutdown\fR\|(3), \fIssl\fR\|(3), \fIbio\fR\|(3), +\&\fISSL_shutdown\fR\|(3), \fIssl\fR\|(7), \fIbio\fR\|(7), \&\fISSL_set_connect_state\fR\|(3), \&\fISSL_do_handshake\fR\|(3), \&\fISSL_CTX_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_do_handshake.3 b/secure/lib/libcrypto/man/SSL_do_handshake.3 similarity index 92% rename from secure/lib/libssl/man/SSL_do_handshake.3 rename to secure/lib/libcrypto/man/SSL_do_handshake.3 index e5b72e316cef..61ce16e5a39d 100644 --- a/secure/lib/libssl/man/SSL_do_handshake.3 +++ b/secure/lib/libcrypto/man/SSL_do_handshake.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_do_handshake 3" -.TH SSL_do_handshake 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_DO_HANDSHAKE 3" +.TH SSL_DO_HANDSHAKE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -188,5 +188,13 @@ to find out the reason. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_get_error\fR\|(3), \fISSL_connect\fR\|(3), -\&\fISSL_accept\fR\|(3), \fIssl\fR\|(3), \fIbio\fR\|(3), +\&\fISSL_accept\fR\|(3), \fIssl\fR\|(7), \fIbio\fR\|(7), \&\fISSL_set_connect_state\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_export_keying_material.3 b/secure/lib/libcrypto/man/SSL_export_keying_material.3 similarity index 76% rename from secure/lib/libssl/man/SSL_export_keying_material.3 rename to secure/lib/libcrypto/man/SSL_export_keying_material.3 index 62e8c11d92a1..621e5d39d500 100644 --- a/secure/lib/libssl/man/SSL_export_keying_material.3 +++ b/secure/lib/libcrypto/man/SSL_export_keying_material.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_export_keying_material 3" -.TH SSL_export_keying_material 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_EXPORT_KEYING_MATERIAL 3" +.TH SSL_EXPORT_KEYING_MATERIAL 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_export_keying_material \- obtain keying material for application use +SSL_export_keying_material, SSL_export_keying_material_early \&\- obtain keying material for application use .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -145,13 +145,28 @@ SSL_export_keying_material \- obtain keying material for application use \& const char *label, size_t llen, \& const unsigned char *context, \& size_t contextlen, int use_context); +\& +\& int SSL_export_keying_material_early(SSL *s, unsigned char *out, size_t olen, +\& const char *label, size_t llen, +\& const unsigned char *context, +\& size_t contextlen); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" During the creation of a \s-1TLS\s0 or \s-1DTLS\s0 connection shared keying material is -established between the two endpoints. The function \fISSL_export_keying_material()\fR -enables an application to use some of this keying material for its own purposes -in accordance with \s-1RFC5705.\s0 +established between the two endpoints. The functions +\&\fISSL_export_keying_material()\fR and \fISSL_export_keying_material_early()\fR enable an +application to use some of this keying material for its own purposes in +accordance with \s-1RFC5705\s0 (for TLSv1.2 and below) or \s-1RFC8446\s0 (for TLSv1.3). +.PP +\&\fISSL_export_keying_material()\fR derives keying material using +the \fIexporter_master_secret\fR established in the handshake. +.PP +\&\fISSL_export_keying_material_early()\fR is only usable with TLSv1.3, and derives +keying material using the \fIearly_exporter_master_secret\fR (as defined in the +\&\s-1TLS 1.3 RFC\s0). For the client, the \fIearly_exporter_master_secret\fR is only +available when the client attempts to send 0\-RTT data. For the server, it is +only available when the server accepts 0\-RTT data. .PP An application may need to securely establish the context within which this keying material will be used. For example this may include identifiers for the @@ -165,8 +180,10 @@ pointed to by \fBcontext\fR and should be \fBcontextlen\fR bytes long. Provision a context is optional. If the context should be omitted entirely then \&\fBuse_context\fR should be set to 0. Otherwise it should be any other value. If \&\fBuse_context\fR is 0 then the values of \fBcontext\fR and \fBcontextlen\fR are ignored. -Note that a zero length context is treated differently to no context at all, and -will result in different keying material being returned. +Note that in TLSv1.2 and below a zero length context is treated differently from +no context at all, and will result in different keying material being returned. +In TLSv1.3 a zero length context is that same as no context at all and will +result in the same keying material being returned. .PP An application specific label should be provided in the location pointed to by \&\fBlabel\fR and should be \fBllen\fR bytes long. Typically this will be a value from @@ -180,9 +197,14 @@ above. Attempting to use it in SSLv3 will result in an error. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_export_keying_material()\fR returns 0 or \-1 on failure or 1 on success. +.PP +\&\fISSL_export_keying_material_early()\fR returns 0 on failure or 1 on success. +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_export_keying_material_early()\fR was first added in OpenSSL 1.1.1. .SH "COPYRIGHT" .IX Header "COPYRIGHT" -Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/SSL_extension_supported.3 b/secure/lib/libcrypto/man/SSL_extension_supported.3 new file mode 100644 index 000000000000..6e6778d9162c --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_extension_supported.3 @@ -0,0 +1,395 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_EXTENSION_SUPPORTED 3" +.TH SSL_EXTENSION_SUPPORTED 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_extension_supported, SSL_CTX_add_custom_ext, SSL_CTX_add_client_custom_ext, SSL_CTX_add_server_custom_ext, custom_ext_add_cb, custom_ext_free_cb, custom_ext_parse_cb \&\- custom TLS extension handling +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef int (*SSL_custom_ext_add_cb_ex) (SSL *s, unsigned int ext_type, +\& unsigned int context, +\& const unsigned char **out, +\& size_t *outlen, X509 *x, +\& size_t chainidx, int *al, +\& void *add_arg); +\& +\& typedef void (*SSL_custom_ext_free_cb_ex) (SSL *s, unsigned int ext_type, +\& unsigned int context, +\& const unsigned char *out, +\& void *add_arg); +\& +\& typedef int (*SSL_custom_ext_parse_cb_ex) (SSL *s, unsigned int ext_type, +\& unsigned int context, +\& const unsigned char *in, +\& size_t inlen, X509 *x, +\& size_t chainidx, int *al, +\& void *parse_arg); +\& +\& int SSL_CTX_add_custom_ext(SSL_CTX *ctx, unsigned int ext_type, +\& unsigned int context, +\& SSL_custom_ext_add_cb_ex add_cb, +\& SSL_custom_ext_free_cb_ex free_cb, +\& void *add_arg, +\& SSL_custom_ext_parse_cb_ex parse_cb, +\& void *parse_arg); +\& +\& typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type, +\& const unsigned char **out, +\& size_t *outlen, int *al, +\& void *add_arg); +\& +\& typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type, +\& const unsigned char *out, +\& void *add_arg); +\& +\& typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type, +\& const unsigned char *in, +\& size_t inlen, int *al, +\& void *parse_arg); +\& +\& int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, +\& custom_ext_add_cb add_cb, +\& custom_ext_free_cb free_cb, void *add_arg, +\& custom_ext_parse_cb parse_cb, +\& void *parse_arg); +\& +\& int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, +\& custom_ext_add_cb add_cb, +\& custom_ext_free_cb free_cb, void *add_arg, +\& custom_ext_parse_cb parse_cb, +\& void *parse_arg); +\& +\& int SSL_extension_supported(unsigned int ext_type); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_CTX_add_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 client or server +for all supported protocol versions with extension type \fBext_type\fR and +callbacks \fBadd_cb\fR, \fBfree_cb\fR and \fBparse_cb\fR (see the +\&\*(L"\s-1EXTENSION CALLBACKS\*(R"\s0 section below). The \fBcontext\fR value determines +which messages and under what conditions the extension will be added/parsed (see +the \*(L"\s-1EXTENSION CONTEXTS\*(R"\s0 section below). +.PP +\&\fISSL_CTX_add_client_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 client +with extension type \fBext_type\fR and callbacks \fBadd_cb\fR, \fBfree_cb\fR and +\&\fBparse_cb\fR. This function is similar to \fISSL_CTX_add_custom_ext()\fR except it only +applies to clients, uses the older style of callbacks, and implicitly sets the +\&\fBcontext\fR value to: +.PP +.Vb 2 +\& SSL_EXT_TLS1_2_AND_BELOW_ONLY | SSL_EXT_CLIENT_HELLO +\& | SSL_EXT_TLS1_2_SERVER_HELLO | SSL_EXT_IGNORE_ON_RESUMPTION +.Ve +.PP +\&\fISSL_CTX_add_server_custom_ext()\fR adds a custom extension for a \s-1TLS/DTLS\s0 server +with extension type \fBext_type\fR and callbacks \fBadd_cb\fR, \fBfree_cb\fR and +\&\fBparse_cb\fR. This function is similar to \fISSL_CTX_add_custom_ext()\fR except it +only applies to servers, uses the older style of callbacks, and implicitly sets +the \fBcontext\fR value to the same as for \fISSL_CTX_add_client_custom_ext()\fR above. +.PP +The \fBext_type\fR parameter corresponds to the \fBextension_type\fR field of +\&\s-1RFC5246\s0 et al. It is \fBnot\fR a \s-1NID.\s0 In all cases the extension type must not be +handled by OpenSSL internally or an error occurs. +.PP +\&\fISSL_extension_supported()\fR returns 1 if the extension \fBext_type\fR is handled +internally by OpenSSL and 0 otherwise. +.SH "EXTENSION CALLBACKS" +.IX Header "EXTENSION CALLBACKS" +The callback \fBadd_cb\fR is called to send custom extension data to be +included in various \s-1TLS\s0 messages. The \fBext_type\fR parameter is set to the +extension type which will be added and \fBadd_arg\fR to the value set when the +extension handler was added. When using the new style callbacks the \fBcontext\fR +parameter will indicate which message is currently being constructed e.g. for +the ClientHello it will be set to \fB\s-1SSL_EXT_CLIENT_HELLO\s0\fR. +.PP +If the application wishes to include the extension \fBext_type\fR it should +set \fB*out\fR to the extension data, set \fB*outlen\fR to the length of the +extension data and return 1. +.PP +If the \fBadd_cb\fR does not wish to include the extension it must return 0. +.PP +If \fBadd_cb\fR returns \-1 a fatal handshake error occurs using the \s-1TLS\s0 +alert value specified in \fB*al\fR. +.PP +When constructing the ClientHello, if \fBadd_cb\fR is set to \s-1NULL\s0 a zero length +extension is added for \fBext_type\fR. For all other messages if \fBadd_cb\fR is set +to \s-1NULL\s0 then no extension is added. +.PP +When constructing a Certificate message the callback will be called for each +certificate in the message. The \fBx\fR parameter will indicate the +current certificate and the \fBchainidx\fR parameter will indicate the position +of the certificate in the message. The first certificate is always the end +entity certificate and has a \fBchainidx\fR value of 0. The certificates are in the +order that they were received in the Certificate message. +.PP +For all messages except the ServerHello and EncryptedExtensions every +registered \fBadd_cb\fR is always called to see if the application wishes to add an +extension (as long as all requirements of the specified \fBcontext\fR are met). +.PP +For the ServerHello and EncryptedExtension messages every registered \fBadd_cb\fR +is called once if and only if the requirements of the specified \fBcontext\fR are +met and the corresponding extension was received in the ClientHello. That is, if +no corresponding extension was received in the ClientHello then \fBadd_cb\fR will +not be called. +.PP +If an extension is added (that is \fBadd_cb\fR returns 1) \fBfree_cb\fR is called +(if it is set) with the value of \fBout\fR set by the add callback. It can be +used to free up any dynamic extension data set by \fBadd_cb\fR. Since \fBout\fR is +constant (to permit use of constant data in \fBadd_cb\fR) applications may need to +cast away const to free the data. +.PP +The callback \fBparse_cb\fR receives data for \s-1TLS\s0 extensions. The callback is only +called if the extension is present and relevant for the context (see +\&\*(L"\s-1EXTENSION CONTEXTS\*(R"\s0 below). +.PP +The extension data consists of \fBinlen\fR bytes in the buffer \fBin\fR for the +extension \fBext_type\fR. +.PP +If the message being parsed is a TLSv1.3 compatible Certificate message then +\&\fBparse_cb\fR will be called for each certificate contained within the message. +The \fBx\fR parameter will indicate the current certificate and the \fBchainidx\fR +parameter will indicate the position of the certificate in the message. The +first certificate is always the end entity certificate and has a \fBchainidx\fR +value of 0. +.PP +If the \fBparse_cb\fR considers the extension data acceptable it must return +1. If it returns 0 or a negative value a fatal handshake error occurs +using the \s-1TLS\s0 alert value specified in \fB*al\fR. +.PP +The buffer \fBin\fR is a temporary internal buffer which will not be valid after +the callback returns. +.SH "EXTENSION CONTEXTS" +.IX Header "EXTENSION CONTEXTS" +An extension context defines which messages and under which conditions an +extension should be added or expected. The context is built up by performing +a bitwise \s-1OR\s0 of multiple pre-defined values together. The valid context values +are: +.IP "\s-1SSL_EXT_TLS_ONLY\s0" 4 +.IX Item "SSL_EXT_TLS_ONLY" +The extension is only allowed in \s-1TLS\s0 +.IP "\s-1SSL_EXT_DTLS_ONLY\s0" 4 +.IX Item "SSL_EXT_DTLS_ONLY" +The extension is only allowed in \s-1DTLS\s0 +.IP "\s-1SSL_EXT_TLS_IMPLEMENTATION_ONLY\s0" 4 +.IX Item "SSL_EXT_TLS_IMPLEMENTATION_ONLY" +The extension is allowed in \s-1DTLS,\s0 but there is only a \s-1TLS\s0 implementation +available (so it is ignored in \s-1DTLS\s0). +.IP "\s-1SSL_EXT_SSL3_ALLOWED\s0" 4 +.IX Item "SSL_EXT_SSL3_ALLOWED" +Extensions are not typically defined for SSLv3. Setting this value will allow +the extension in SSLv3. Applications will not typically need to use this. +.IP "\s-1SSL_EXT_TLS1_2_AND_BELOW_ONLY\s0" 4 +.IX Item "SSL_EXT_TLS1_2_AND_BELOW_ONLY" +The extension is only defined for TLSv1.2/DTLSv1.2 and below. Servers will +ignore this extension if it is present in the ClientHello and TLSv1.3 is +negotiated. +.IP "\s-1SSL_EXT_TLS1_3_ONLY\s0" 4 +.IX Item "SSL_EXT_TLS1_3_ONLY" +The extension is only defined for \s-1TLS1.3\s0 and above. Servers will ignore this +extension if it is present in the ClientHello and TLSv1.2 or below is +negotiated. +.IP "\s-1SSL_EXT_IGNORE_ON_RESUMPTION\s0" 4 +.IX Item "SSL_EXT_IGNORE_ON_RESUMPTION" +The extension will be ignored during parsing if a previous session is being +successfully resumed. +.IP "\s-1SSL_EXT_CLIENT_HELLO\s0" 4 +.IX Item "SSL_EXT_CLIENT_HELLO" +The extension may be present in the ClientHello message. +.IP "\s-1SSL_EXT_TLS1_2_SERVER_HELLO\s0" 4 +.IX Item "SSL_EXT_TLS1_2_SERVER_HELLO" +The extension may be present in a TLSv1.2 or below compatible ServerHello +message. +.IP "\s-1SSL_EXT_TLS1_3_SERVER_HELLO\s0" 4 +.IX Item "SSL_EXT_TLS1_3_SERVER_HELLO" +The extension may be present in a TLSv1.3 compatible ServerHello message. +.IP "\s-1SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS\s0" 4 +.IX Item "SSL_EXT_TLS1_3_ENCRYPTED_EXTENSIONS" +The extension may be present in an EncryptedExtensions message. +.IP "\s-1SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST\s0" 4 +.IX Item "SSL_EXT_TLS1_3_HELLO_RETRY_REQUEST" +The extension may be present in a HelloRetryRequest message. +.IP "\s-1SSL_EXT_TLS1_3_CERTIFICATE\s0" 4 +.IX Item "SSL_EXT_TLS1_3_CERTIFICATE" +The extension may be present in a TLSv1.3 compatible Certificate message. +.IP "\s-1SSL_EXT_TLS1_3_NEW_SESSION_TICKET\s0" 4 +.IX Item "SSL_EXT_TLS1_3_NEW_SESSION_TICKET" +The extension may be present in a TLSv1.3 compatible NewSessionTicket message. +.IP "\s-1SSL_EXT_TLS1_3_CERTIFICATE_REQUEST\s0" 4 +.IX Item "SSL_EXT_TLS1_3_CERTIFICATE_REQUEST" +The extension may be present in a TLSv1.3 compatible CertificateRequest message. +.PP +The context must include at least one message value (otherwise the extension +will never be used). +.SH "NOTES" +.IX Header "NOTES" +The \fBadd_arg\fR and \fBparse_arg\fR parameters can be set to arbitrary values +which will be passed to the corresponding callbacks. They can, for example, +be used to store the extension data received in a convenient structure or +pass the extension data to be added or freed when adding extensions. +.PP +If the same custom extension type is received multiple times a fatal +\&\fBdecode_error\fR alert is sent and the handshake aborts. If a custom extension +is received in a ServerHello/EncryptedExtensions message which was not sent in +the ClientHello a fatal \fBunsupported_extension\fR alert is sent and the +handshake is aborted. The ServerHello/EncryptedExtensions \fBadd_cb\fR callback is +only called if the corresponding extension was received in the ClientHello. This +is compliant with the \s-1TLS\s0 specifications. This behaviour ensures that each +callback is called at most once and that an application can never send +unsolicited extensions. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_CTX_add_custom_ext()\fR, \fISSL_CTX_add_client_custom_ext()\fR and +\&\fISSL_CTX_add_server_custom_ext()\fR return 1 for success and 0 for failure. A +failure can occur if an attempt is made to add the same \fBext_type\fR more than +once, if an attempt is made to use an extension type handled internally by +OpenSSL or if an internal error occurs (for example a memory allocation +failure). +.PP +\&\fISSL_extension_supported()\fR returns 1 if the extension \fBext_type\fR is handled +internally by OpenSSL and 0 otherwise. +.SH "HISTORY" +.IX Header "HISTORY" +The function \fISSL_CTX_add_custom_ext()\fR was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2014\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_free.3 b/secure/lib/libcrypto/man/SSL_free.3 similarity index 91% rename from secure/lib/libssl/man/SSL_free.3 rename to secure/lib/libcrypto/man/SSL_free.3 index fa86762a84e6..cbeca9eb5a1a 100644 --- a/secure/lib/libssl/man/SSL_free.3 +++ b/secure/lib/libcrypto/man/SSL_free.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_free 3" -.TH SSL_free 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_FREE 3" +.TH SSL_FREE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -148,6 +148,7 @@ SSL_free \- free an allocated SSL structure \&\fISSL_free()\fR decrements the reference count of \fBssl\fR, and removes the \s-1SSL\s0 structure pointed to by \fBssl\fR and frees up the allocated memory if the reference count has reached 0. +If \fBssl\fR is \s-1NULL\s0 nothing is done. .SH "NOTES" .IX Header "NOTES" \&\fISSL_free()\fR also calls the \fIfree()\fRing procedures for indirectly affected items, if @@ -170,4 +171,12 @@ from the session cache as required by \s-1RFC2246.\s0 .PP \&\fISSL_new\fR\|(3), \fISSL_clear\fR\|(3), \&\fISSL_shutdown\fR\|(3), \fISSL_set_shutdown\fR\|(3), -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 b/secure/lib/libcrypto/man/SSL_get0_peer_scts.3 similarity index 74% rename from secure/lib/libssl/man/SSL_get_peer_cert_chain.3 rename to secure/lib/libcrypto/man/SSL_get0_peer_scts.3 index acbed28f0631..552c75e62a7e 100644 --- a/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 +++ b/secure/lib/libcrypto/man/SSL_get0_peer_scts.3 @@ -128,47 +128,45 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_peer_cert_chain 3" -.TH SSL_get_peer_cert_chain 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET0_PEER_SCTS 3" +.TH SSL_GET0_PEER_SCTS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_get_peer_cert_chain \- get the X509 certificate chain of the peer +SSL_get0_peer_scts \- get SCTs received .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl); +\& const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_get_peer_cert_chain()\fR returns a pointer to \s-1STACK_OF\s0(X509) certificates -forming the certificate chain of the peer. If called on the client side, -the stack also contains the peer's certificate; if called on the server -side, the peer's certificate must be obtained separately using -\&\fISSL_get_peer_certificate\fR\|(3). -If the peer did not present a certificate, \s-1NULL\s0 is returned. -.SH "NOTES" -.IX Header "NOTES" -The peer certificate chain is not necessarily available after reusing -a session, in which case a \s-1NULL\s0 pointer is returned. -.PP -The reference count of the \s-1STACK_OF\s0(X509) object is not incremented. -If the corresponding session is freed, the pointer must not be used -any longer. +\&\fISSL_get0_peer_scts()\fR returns the signed certificate timestamps (SCTs) that have +been received. If this is the first time that this function has been called for +a given \fB\s-1SSL\s0\fR instance, it will examine the \s-1TLS\s0 extensions, \s-1OCSP\s0 response and +the peer's certificate for SCTs. Future calls will return the same SCTs. +.SH "RESTRICTIONS" +.IX Header "RESTRICTIONS" +If no Certificate Transparency validation callback has been set (using +\&\fBSSL_CTX_set_ct_validation_callback\fR or \fBSSL_set_ct_validation_callback\fR), +this function is not guaranteed to return all of the SCTs that the peer is +capable of sending. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The following return values can occur: -.IP "\s-1NULL\s0" 4 -.IX Item "NULL" -No certificate was presented by the peer or no connection was established -or the certificate chain is no longer available when a session is reused. -.IP "Pointer to a \s-1STACK_OF\s0(X509)" 4 -.IX Item "Pointer to a STACK_OF(X509)" -The return value points to the certificate chain presented by the peer. +\&\fISSL_get0_peer_scts()\fR returns a list of SCTs found, or \s-1NULL\s0 if an error occurs. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_get_peer_certificate\fR\|(3) +\&\fIssl\fR\|(7), +\&\fISSL_CTX_set_ct_validation_callback\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_SSL_CTX.3 b/secure/lib/libcrypto/man/SSL_get_SSL_CTX.3 similarity index 89% rename from secure/lib/libssl/man/SSL_get_SSL_CTX.3 rename to secure/lib/libcrypto/man/SSL_get_SSL_CTX.3 index 0d829d11be1c..5d119d615847 100644 --- a/secure/lib/libssl/man/SSL_get_SSL_CTX.3 +++ b/secure/lib/libcrypto/man/SSL_get_SSL_CTX.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_SSL_CTX 3" -.TH SSL_get_SSL_CTX 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_SSL_CTX 3" +.TH SSL_GET_SSL_CTX 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -152,4 +152,12 @@ SSL_get_SSL_CTX \- get the SSL_CTX from which an SSL is created The pointer to the \s-1SSL_CTX\s0 object is returned. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_new\fR\|(3) +\&\fIssl\fR\|(7), \fISSL_new\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_all_async_fds.3 b/secure/lib/libcrypto/man/SSL_get_all_async_fds.3 new file mode 100644 index 000000000000..0b54625762f2 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_all_async_fds.3 @@ -0,0 +1,209 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_ALL_ASYNC_FDS 3" +.TH SSL_GET_ALL_ASYNC_FDS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_waiting_for_async, SSL_get_all_async_fds, SSL_get_changed_async_fds \&\- manage asynchronous operations +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 2 +\& #include +\& #include +\& +\& int SSL_waiting_for_async(SSL *s); +\& int SSL_get_all_async_fds(SSL *s, OSSL_ASYNC_FD *fd, size_t *numfds); +\& int SSL_get_changed_async_fds(SSL *s, OSSL_ASYNC_FD *addfd, size_t *numaddfds, +\& OSSL_ASYNC_FD *delfd, size_t *numdelfds); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_waiting_for_async()\fR determines whether an \s-1SSL\s0 connection is currently +waiting for asynchronous operations to complete (see the \s-1SSL_MODE_ASYNC\s0 mode in +\&\fISSL_CTX_set_mode\fR\|(3)). +.PP +\&\fISSL_get_all_async_fds()\fR returns a list of file descriptor which can be used in a +call to \fIselect()\fR or \fIpoll()\fR to determine whether the current asynchronous +operation has completed or not. A completed operation will result in data +appearing as \*(L"read ready\*(R" on the file descriptor (no actual data should be read +from the file descriptor). This function should only be called if the \s-1SSL\s0 object +is currently waiting for asynchronous work to complete (i.e. +\&\s-1SSL_ERROR_WANT_ASYNC\s0 has been received \- see \fISSL_get_error\fR\|(3)). Typically the +list will only contain one file descriptor. However if multiple asynchronous +capable engines are in use then more than one is possible. The number of file +descriptors returned is stored in \fB*numfds\fR and the file descriptors themselves +are in \fB*fds\fR. The \fBfds\fR parameter may be \s-1NULL\s0 in which case no file +descriptors are returned but \fB*numfds\fR is still populated. It is the callers +responsibility to ensure sufficient memory is allocated at \fB*fds\fR so typically +this function is called twice (once with a \s-1NULL\s0 \fBfds\fR parameter and once +without). +.PP +\&\fISSL_get_changed_async_fds()\fR returns a list of the asynchronous file descriptors +that have been added and a list that have been deleted since the last +\&\s-1SSL_ERROR_WANT_ASYNC\s0 was received (or since the \s-1SSL\s0 object was created if no +\&\s-1SSL_ERROR_WANT_ASYNC\s0 has been received). Similar to \fISSL_get_all_async_fds()\fR it +is the callers responsibility to ensure that \fB*addfd\fR and \fB*delfd\fR have +sufficient memory allocated, although they may be \s-1NULL.\s0 The number of added fds +and the number of deleted fds are stored in \fB*numaddfds\fR and \fB*numdelfds\fR +respectively. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_waiting_for_async()\fR will return 1 if the current \s-1SSL\s0 operation is waiting +for an async operation to complete and 0 otherwise. +.PP +\&\fISSL_get_all_async_fds()\fR and \fISSL_get_changed_async_fds()\fR return 1 on success or +0 on error. +.SH "NOTES" +.IX Header "NOTES" +On Windows platforms the openssl/async.h header is dependent on some +of the types customarily made available by including windows.h. The +application developer is likely to require control over when the latter +is included, commonly as one of the first included headers. Therefore +it is defined as an application developer's responsibility to include +windows.h prior to async.h. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_get_error\fR\|(3), \fISSL_CTX_set_mode\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_waiting_for_async()\fR, \fISSL_get_all_async_fds()\fR and \fISSL_get_changed_async_fds()\fR +were first added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_ciphers.3 b/secure/lib/libcrypto/man/SSL_get_ciphers.3 new file mode 100644 index 000000000000..0b1a3b86a847 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_ciphers.3 @@ -0,0 +1,237 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_CIPHERS 3" +.TH SSL_GET_CIPHERS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_get1_supported_ciphers, SSL_get_client_ciphers, SSL_get_ciphers, SSL_CTX_get_ciphers, SSL_bytes_to_cipher_list, SSL_get_cipher_list, SSL_get_shared_ciphers \&\- get list of available SSL_CIPHERs +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *ssl); +\& STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); +\& STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s); +\& STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *ssl); +\& int SSL_bytes_to_cipher_list(SSL *s, const unsigned char *bytes, size_t len, +\& int isv2format, STACK_OF(SSL_CIPHER) **sk, +\& STACK_OF(SSL_CIPHER) **scsvs); +\& const char *SSL_get_cipher_list(const SSL *ssl, int priority); +\& char *SSL_get_shared_ciphers(const SSL *s, char *buf, int size); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_get_ciphers()\fR returns the stack of available SSL_CIPHERs for \fBssl\fR, +sorted by preference. If \fBssl\fR is \s-1NULL\s0 or no ciphers are available, \s-1NULL\s0 +is returned. +.PP +\&\fISSL_CTX_get_ciphers()\fR returns the stack of available SSL_CIPHERs for \fBctx\fR. +.PP +\&\fISSL_get1_supported_ciphers()\fR returns the stack of enabled SSL_CIPHERs for +\&\fBssl\fR as would be sent in a ClientHello (that is, sorted by preference). +The list depends on settings like the cipher list, the supported protocol +versions, the security level, and the enabled signature algorithms. +\&\s-1SRP\s0 and \s-1PSK\s0 ciphers are only enabled if the appropriate callbacks or settings +have been applied. +The list of ciphers that would be sent in a ClientHello can differ from +the list of ciphers that would be acceptable when acting as a server. +For example, additional ciphers may be usable by a server if there is +a gap in the list of supported protocols, and some ciphers may not be +usable by a server if there is not a suitable certificate configured. +If \fBssl\fR is \s-1NULL\s0 or no ciphers are available, \s-1NULL\s0 is returned. +.PP +\&\fISSL_get_client_ciphers()\fR returns the stack of available SSL_CIPHERs matching the +list received from the client on \fBssl\fR. If \fBssl\fR is \s-1NULL,\s0 no ciphers are +available, or \fBssl\fR is not operating in server mode, \s-1NULL\s0 is returned. +.PP +\&\fISSL_bytes_to_cipher_list()\fR treats the supplied \fBlen\fR octets in \fBbytes\fR +as a wire-protocol cipher suite specification (in the three-octet-per-cipher +SSLv2 wire format if \fBisv2format\fR is nonzero; otherwise the two-octet +SSLv3/TLS wire format), and parses the cipher suites supported by the library +into the returned stacks of \s-1SSL_CIPHER\s0 objects sk and Signalling Cipher-Suite +Values scsvs. Unsupported cipher suites are ignored. Returns 1 on success +and 0 on failure. +.PP +\&\fISSL_get_cipher_list()\fR returns a pointer to the name of the \s-1SSL_CIPHER\s0 +listed for \fBssl\fR with \fBpriority\fR. If \fBssl\fR is \s-1NULL,\s0 no ciphers are +available, or there are less ciphers than \fBpriority\fR available, \s-1NULL\s0 +is returned. +.PP +\&\fISSL_get_shared_ciphers()\fR creates a colon separated and \s-1NUL\s0 terminated list of +\&\s-1SSL_CIPHER\s0 names that are available in both the client and the server. \fBbuf\fR is +the buffer that should be populated with the list of names and \fBsize\fR is the +size of that buffer. A pointer to \fBbuf\fR is returned on success or \s-1NULL\s0 on +error. If the supplied buffer is not large enough to contain the complete list +of names then a truncated list of names will be returned. Note that just because +a ciphersuite is available (i.e. it is configured in the cipher list) and shared +by both the client and the server it does not mean that it is enabled (see the +description of \fISSL_get1_supported_ciphers()\fR above). This function will return +available shared ciphersuites whether or not they are enabled. This is a server +side function only and must only be called after the completion of the initial +handshake. +.SH "NOTES" +.IX Header "NOTES" +The details of the ciphers obtained by \fISSL_get_ciphers()\fR, \fISSL_CTX_get_ciphers()\fR +\&\fISSL_get1_supported_ciphers()\fR and \fISSL_get_client_ciphers()\fR can be obtained using +the \fISSL_CIPHER_get_name\fR\|(3) family of functions. +.PP +Call \fISSL_get_cipher_list()\fR with \fBpriority\fR starting from 0 to obtain the +sorted list of available ciphers, until \s-1NULL\s0 is returned. +.PP +Note: \fISSL_get_ciphers()\fR, \fISSL_CTX_get_ciphers()\fR and \fISSL_get_client_ciphers()\fR +return a pointer to an internal cipher stack, which will be freed later on when +the \s-1SSL\s0 or \s-1SSL_SESSION\s0 object is freed. Therefore, the calling code \fB\s-1MUST NOT\s0\fR +free the return value itself. +.PP +The stack returned by \fISSL_get1_supported_ciphers()\fR should be freed using +\&\fIsk_SSL_CIPHER_free()\fR. +.PP +The stacks returned by \fISSL_bytes_to_cipher_list()\fR should be freed using +\&\fIsk_SSL_CIPHER_free()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +See \s-1DESCRIPTION\s0 +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_CTX_set_cipher_list\fR\|(3), +\&\fISSL_CIPHER_get_name\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_client_CA_list.3 b/secure/lib/libcrypto/man/SSL_get_client_CA_list.3 similarity index 91% rename from secure/lib/libssl/man/SSL_get_client_CA_list.3 rename to secure/lib/libcrypto/man/SSL_get_client_CA_list.3 index 38beb0437ca6..52f1ab7573a6 100644 --- a/secure/lib/libssl/man/SSL_get_client_CA_list.3 +++ b/secure/lib/libcrypto/man/SSL_get_client_CA_list.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_client_CA_list 3" -.TH SSL_get_client_CA_list 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_CLIENT_CA_LIST 3" +.TH SSL_GET_CLIENT_CA_LIST 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -171,6 +171,14 @@ No client \s-1CA\s0 list was explicitly set (for \fBctx\fR or in server mode) or the server did not send a list of CAs (client mode). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_client_CA_list\fR\|(3), \&\fISSL_CTX_set_client_cert_cb\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_client_random.3 b/secure/lib/libcrypto/man/SSL_get_client_random.3 new file mode 100644 index 000000000000..18b4d40d9d6a --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_client_random.3 @@ -0,0 +1,225 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_CLIENT_RANDOM 3" +.TH SSL_GET_CLIENT_RANDOM 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_get_client_random, SSL_get_server_random, SSL_SESSION_get_master_key, SSL_SESSION_set1_master_key \&\- get internal TLS/SSL random values and get/set master key +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, size_t outlen); +\& size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, size_t outlen); +\& size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, +\& unsigned char *out, size_t outlen); +\& int SSL_SESSION_set1_master_key(SSL_SESSION *sess, const unsigned char *in, +\& size_t len); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_get_client_random()\fR extracts the random value sent from the client +to the server during the initial \s-1SSL/TLS\s0 handshake. It copies as many +bytes as it can of this value into the buffer provided in \fBout\fR, +which must have at least \fBoutlen\fR bytes available. It returns the +total number of bytes that were actually copied. If \fBoutlen\fR is +zero, \fISSL_get_client_random()\fR copies nothing, and returns the +total size of the client_random value. +.PP +\&\fISSL_get_server_random()\fR behaves the same, but extracts the random value +sent from the server to the client during the initial \s-1SSL/TLS\s0 handshake. +.PP +\&\fISSL_SESSION_get_master_key()\fR behaves the same, but extracts the master +secret used to guarantee the security of the \s-1SSL/TLS\s0 session. This one +can be dangerous if misused; see \s-1NOTES\s0 below. +.PP +\&\fISSL_SESSION_set1_master_key()\fR sets the master key value associated with the +\&\s-1SSL_SESSION\s0 \fBsess\fR. For example, this could be used to set up a session based +\&\s-1PSK\s0 (see \fISSL_CTX_set_psk_use_session_callback\fR\|(3)). The master key of length +\&\fBlen\fR should be provided at \fBin\fR. The supplied master key is copied by the +function, so the caller is responsible for freeing and cleaning any memory +associated with \fBin\fR. The caller must ensure that the length of the key is +suitable for the ciphersuite associated with the \s-1SSL_SESSION.\s0 +.SH "NOTES" +.IX Header "NOTES" +You probably shouldn't use these functions. +.PP +These functions expose internal values from the \s-1TLS\s0 handshake, for +use in low-level protocols. You probably should not use them, unless +you are implementing something that needs access to the internal protocol +details. +.PP +Despite the names of \fISSL_get_client_random()\fR and \fISSL_get_server_random()\fR, they +\&\s-1ARE NOT\s0 random number generators. Instead, they return the mostly-random values that +were already generated and used in the \s-1TLS\s0 protocol. Using them +in place of \fIRAND_bytes()\fR would be grossly foolish. +.PP +The security of your \s-1TLS\s0 session depends on keeping the master key secret: +do not expose it, or any information about it, to anybody. +If you need to calculate another secret value that depends on the master +secret, you should probably use \fISSL_export_keying_material()\fR instead, and +forget that you ever saw these functions. +.PP +In current versions of the \s-1TLS\s0 protocols, the length of client_random +(and also server_random) is always \s-1SSL3_RANDOM_SIZE\s0 bytes. Support for +other outlen arguments to the SSL_get_*\fI_random()\fR functions is provided +in case of the unlikely event that a future version or variant of \s-1TLS\s0 +uses some other length there. +.PP +Finally, though the \*(L"client_random\*(R" and \*(L"server_random\*(R" values are called +\&\*(L"random\*(R", many \s-1TLS\s0 implementations will generate four bytes of those +values based on their view of the current time. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_SESSION_set1_master_key()\fR returns 1 on success or 0 on failure. +.PP +For the other functions, if \fBoutlen\fR is greater than 0 then these functions +return the number of bytes actually copied, which will be less than or equal to +\&\fBoutlen\fR. If \fBoutlen\fR is 0 then these functions return the maximum number +of bytes they would copy \*(-- that is, the length of the underlying field. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fIRAND_bytes\fR\|(3), +\&\fISSL_export_keying_material\fR\|(3), +\&\fISSL_CTX_set_psk_use_session_callback\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_current_cipher.3 b/secure/lib/libcrypto/man/SSL_get_current_cipher.3 new file mode 100644 index 000000000000..7351ca66f8a1 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_current_cipher.3 @@ -0,0 +1,196 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_CURRENT_CIPHER 3" +.TH SSL_GET_CURRENT_CIPHER 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_get_current_cipher, SSL_get_cipher_name, SSL_get_cipher, SSL_get_cipher_bits, SSL_get_cipher_version, SSL_get_pending_cipher \- get SSL_CIPHER of a connection +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& SSL_CIPHER *SSL_get_current_cipher(const SSL *ssl); +\& SSL_CIPHER *SSL_get_pending_cipher(const SSL *ssl); +\& +\& const char *SSL_get_cipher_name(const SSL *s); +\& const char *SSL_get_cipher(const SSL *s); +\& int SSL_get_cipher_bits(const SSL *s, int *np); +\& const char *SSL_get_cipher_version(const SSL *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_get_current_cipher()\fR returns a pointer to an \s-1SSL_CIPHER\s0 object containing +the description of the actually used cipher of a connection established with +the \fBssl\fR object. +See \fISSL_CIPHER_get_name\fR\|(3) for more details. +.PP +\&\fISSL_get_cipher_name()\fR obtains the +name of the currently used cipher. +\&\fISSL_get_cipher()\fR is identical to \fISSL_get_cipher_name()\fR. +\&\fISSL_get_cipher_bits()\fR is a +macro to obtain the number of secret/algorithm bits used and +\&\fISSL_get_cipher_version()\fR returns the protocol name. +.PP +\&\fISSL_get_pending_cipher()\fR returns a pointer to an \s-1SSL_CIPHER\s0 object containing +the description of the cipher (if any) that has been negotiated for future use +on the connection established with the \fBssl\fR object, but is not yet in use. +This may be the case during handshake processing, when control flow can be +returned to the application via any of several callback methods. The internal +sequencing of handshake processing and callback invocation is not guaranteed +to be stable from release to release, and at present only the callback set +by \fISSL_CTX_set_alpn_select_cb()\fR is guaranteed to have a non-NULL return value. +Other callbacks may be added to this list over time. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_get_current_cipher()\fR returns the cipher actually used, or \s-1NULL\s0 if +no session has been established. +.PP +\&\fISSL_get_pending_cipher()\fR returns the cipher to be used at the next change +of cipher suite, or \s-1NULL\s0 if no such cipher is known. +.SH "NOTES" +.IX Header "NOTES" +SSL_get_cipher, SSL_get_cipher_bits, SSL_get_cipher_version, and +SSL_get_cipher_name are implemented as macros. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_CIPHER_get_name\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_default_timeout.3 b/secure/lib/libcrypto/man/SSL_get_default_timeout.3 similarity index 90% rename from secure/lib/libssl/man/SSL_get_default_timeout.3 rename to secure/lib/libcrypto/man/SSL_get_default_timeout.3 index 00795e172879..063759f00a94 100644 --- a/secure/lib/libssl/man/SSL_get_default_timeout.3 +++ b/secure/lib/libcrypto/man/SSL_get_default_timeout.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_default_timeout 3" -.TH SSL_get_default_timeout 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_DEFAULT_TIMEOUT 3" +.TH SSL_GET_DEFAULT_TIMEOUT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -156,14 +156,22 @@ value was not explicitly set using timeout for the protocol will be used. .PP \&\fISSL_get_default_timeout()\fR return this hardcoded value, which is 300 seconds -for all currently supported protocols (SSLv2, SSLv3, and TLSv1). +for all currently supported protocols. .SH "RETURN VALUES" .IX Header "RETURN VALUES" See description. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_session_cache_mode\fR\|(3), \&\fISSL_SESSION_get_time\fR\|(3), \&\fISSL_CTX_flush_sessions\fR\|(3), \&\fISSL_get_default_timeout\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_error.3 b/secure/lib/libcrypto/man/SSL_get_error.3 similarity index 60% rename from secure/lib/libssl/man/SSL_get_error.3 rename to secure/lib/libcrypto/man/SSL_get_error.3 index 966d4fa91fb6..07b149f766d5 100644 --- a/secure/lib/libssl/man/SSL_get_error.3 +++ b/secure/lib/libcrypto/man/SSL_get_error.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_error 3" -.TH SSL_get_error 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_ERROR 3" +.TH SSL_GET_ERROR 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -147,9 +147,9 @@ SSL_get_error \- obtain result code for TLS/SSL I/O operation .IX Header "DESCRIPTION" \&\fISSL_get_error()\fR returns a result code (suitable for the C \*(L"switch\*(R" statement) for a preceding call to \fISSL_connect()\fR, \fISSL_accept()\fR, \fISSL_do_handshake()\fR, -\&\fISSL_read()\fR, \fISSL_peek()\fR, or \fISSL_write()\fR on \fBssl\fR. The value returned by -that \s-1TLS/SSL I/O\s0 function must be passed to \fISSL_get_error()\fR in parameter -\&\fBret\fR. +\&\fISSL_read_ex()\fR, \fISSL_read()\fR, \fISSL_peek_ex()\fR, \fISSL_peek()\fR, \fISSL_write_ex()\fR or +\&\fISSL_write()\fR on \fBssl\fR. The value returned by that \s-1TLS/SSL I/O\s0 function must be +passed to \fISSL_get_error()\fR in parameter \fBret\fR. .PP In addition to \fBssl\fR and \fBret\fR, \fISSL_get_error()\fR inspects the current thread's OpenSSL error queue. Thus, \fISSL_get_error()\fR must be @@ -166,35 +166,55 @@ The \s-1TLS/SSL I/O\s0 operation completed. This result code is returned if and only if \fBret > 0\fR. .IP "\s-1SSL_ERROR_ZERO_RETURN\s0" 4 .IX Item "SSL_ERROR_ZERO_RETURN" -The \s-1TLS/SSL\s0 connection has been closed. -If the protocol version is \s-1SSL 3.0\s0 or higher, this result code is returned only -if a closure alert has occurred in the protocol, i.e. if the connection has been -closed cleanly. -Note that in this case \fB\s-1SSL_ERROR_ZERO_RETURN\s0\fR does not necessarily +The \s-1TLS/SSL\s0 peer has closed the connection for writing by sending the +\&\*(L"close notify\*(R" alert. +No more data can be read. +Note that \fB\s-1SSL_ERROR_ZERO_RETURN\s0\fR does not necessarily indicate that the underlying transport has been closed. .IP "\s-1SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE\s0" 4 .IX Item "SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE" -The operation did not complete; the same \s-1TLS/SSL I/O\s0 function should be -called again later. If, by then, the underlying \fB\s-1BIO\s0\fR has data -available for reading (if the result code is \fB\s-1SSL_ERROR_WANT_READ\s0\fR) -or allows writing data (\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR), then some \s-1TLS/SSL\s0 -protocol progress will take place, i.e. at least part of an \s-1TLS/SSL\s0 -record will be read or written. Note that the retry may again lead to -a \fB\s-1SSL_ERROR_WANT_READ\s0\fR or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR condition. +The operation did not complete and can be retried later. +.Sp +\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR is returned when the last operation was a read +operation from a non-blocking \fB\s-1BIO\s0\fR. +It means that not enough data was available at this time to complete the +operation. +If at a later time the underlying \fB\s-1BIO\s0\fR has data available for reading the same +function can be called again. +.Sp +\&\fISSL_read()\fR and \fISSL_read_ex()\fR can also set \fB\s-1SSL_ERROR_WANT_READ\s0\fR when there is +still unprocessed data available at either the \fB\s-1SSL\s0\fR or the \fB\s-1BIO\s0\fR layer, even +for a blocking \fB\s-1BIO\s0\fR. +See \fISSL_read\fR\|(3) for more information. +.Sp +\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR is returned when the last operation was a write +to a non-blocking \fB\s-1BIO\s0\fR and it was unable to sent all data to the \fB\s-1BIO\s0\fR. +When the \fB\s-1BIO\s0\fR is writeable again, the same function can be called again. +.Sp +Note that the retry may again lead to an \fB\s-1SSL_ERROR_WANT_READ\s0\fR or +\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR condition. There is no fixed upper limit for the number of iterations that may be necessary until progress becomes visible at application protocol level. .Sp +It is safe to call \fISSL_read()\fR or \fISSL_read_ex()\fR when more data is available +even when the call that set this error was an \fISSL_write()\fR or \fISSL_write_ex()\fR. +However if the call was an \fISSL_write()\fR or \fISSL_write_ex()\fR, it should be called +again to continue sending the application data. +.Sp For socket \fB\s-1BIO\s0\fRs (e.g. when \fISSL_set_fd()\fR was used), \fIselect()\fR or \&\fIpoll()\fR on the underlying socket can be used to find out when the \&\s-1TLS/SSL I/O\s0 function should be retried. .Sp Caveat: Any \s-1TLS/SSL I/O\s0 function can lead to either of -\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR and \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. In particular, -\&\fISSL_read()\fR or \fISSL_peek()\fR may want to write data and \fISSL_write()\fR may want -to read data. This is mainly because \s-1TLS/SSL\s0 handshakes may occur at any -time during the protocol (initiated by either the client or the server); -\&\fISSL_read()\fR, \fISSL_peek()\fR, and \fISSL_write()\fR will handle any pending handshakes. +\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR and \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. +In particular, +\&\fISSL_read_ex()\fR, \fISSL_read()\fR, \fISSL_peek_ex()\fR, or \fISSL_peek()\fR may want to write data +and \fISSL_write()\fR or \fISSL_write_ex()\fR may want to read data. +This is mainly because +\&\s-1TLS/SSL\s0 handshakes may occur at any time during the protocol (initiated by +either the client or the server); \fISSL_read_ex()\fR, \fISSL_read()\fR, \fISSL_peek_ex()\fR, +\&\fISSL_peek()\fR, \fISSL_write_ex()\fR, and \fISSL_write()\fR will handle any pending handshakes. .IP "\s-1SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT\s0" 4 .IX Item "SSL_ERROR_WANT_CONNECT, SSL_ERROR_WANT_ACCEPT" The operation did not complete; the same \s-1TLS/SSL I/O\s0 function should be @@ -211,18 +231,56 @@ The operation did not complete because an application callback set by \&\fISSL_CTX_set_client_cert_cb()\fR has asked to be called again. The \s-1TLS/SSL I/O\s0 function should be called again later. Details depend on the application. +.IP "\s-1SSL_ERROR_WANT_ASYNC\s0" 4 +.IX Item "SSL_ERROR_WANT_ASYNC" +The operation did not complete because an asynchronous engine is still +processing data. This will only occur if the mode has been set to \s-1SSL_MODE_ASYNC\s0 +using \fISSL_CTX_set_mode\fR\|(3) or \fISSL_set_mode\fR\|(3) and an asynchronous capable +engine is being used. An application can determine whether the engine has +completed its processing using \fIselect()\fR or \fIpoll()\fR on the asynchronous wait file +descriptor. This file descriptor is available by calling +\&\fISSL_get_all_async_fds\fR\|(3) or \fISSL_get_changed_async_fds\fR\|(3). The \s-1TLS/SSL I/O\s0 +function should be called again later. The function \fBmust\fR be called from the +same thread that the original call was made from. +.IP "\s-1SSL_ERROR_WANT_ASYNC_JOB\s0" 4 +.IX Item "SSL_ERROR_WANT_ASYNC_JOB" +The asynchronous job could not be started because there were no async jobs +available in the pool (see \fIASYNC_init_thread\fR\|(3)). This will only occur if the +mode has been set to \s-1SSL_MODE_ASYNC\s0 using \fISSL_CTX_set_mode\fR\|(3) or +\&\fISSL_set_mode\fR\|(3) and a maximum limit has been set on the async job pool +through a call to \fIASYNC_init_thread\fR\|(3). The application should retry the +operation after a currently executing asynchronous operation for the current +thread has completed. +.IP "\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0" 4 +.IX Item "SSL_ERROR_WANT_CLIENT_HELLO_CB" +The operation did not complete because an application callback set by +\&\fISSL_CTX_set_client_hello_cb()\fR has asked to be called again. +The \s-1TLS/SSL I/O\s0 function should be called again later. +Details depend on the application. .IP "\s-1SSL_ERROR_SYSCALL\s0" 4 .IX Item "SSL_ERROR_SYSCALL" Some non-recoverable I/O error occurred. The OpenSSL error queue may contain more information on the error. For socket I/O on Unix systems, consult \fBerrno\fR for details. +.Sp +This value can also be returned for other errors, check the error queue for +details. .IP "\s-1SSL_ERROR_SSL\s0" 4 .IX Item "SSL_ERROR_SSL" A failure in the \s-1SSL\s0 library occurred, usually a protocol error. The OpenSSL error queue contains more information on the error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fIerr\fR\|(3) +\&\fIssl\fR\|(7) .SH "HISTORY" .IX Header "HISTORY" -\&\fISSL_get_error()\fR was added in SSLeay 0.8. +\&\s-1SSL_ERROR_WANT_ASYNC\s0 was added in OpenSSL 1.1.0. +\&\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB\s0 was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_version.3 b/secure/lib/libcrypto/man/SSL_get_extms_support.3 similarity index 80% rename from secure/lib/libssl/man/SSL_get_version.3 rename to secure/lib/libcrypto/man/SSL_get_extms_support.3 index 41f325315123..270bdd67c9e6 100644 --- a/secure/lib/libssl/man/SSL_get_version.3 +++ b/secure/lib/libcrypto/man/SSL_get_extms_support.3 @@ -128,48 +128,41 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_version 3" -.TH SSL_get_version 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_EXTMS_SUPPORT 3" +.TH SSL_GET_EXTMS_SUPPORT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_get_version \- get the protocol version of a connection. +SSL_get_extms_support \- extended master secret support .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& const char *SSL_get_version(const SSL *ssl); +\& int SSL_get_extms_support(SSL *ssl); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_get_version()\fR returns the name of the protocol used for the -connection \fBssl\fR. It should only be called after the initial handshake has been -completed. Prior to that the results returned from this function may be -unreliable. +\&\fISSL_get_extms_support()\fR indicates whether the current session used extended +master secret. +.PP +This function is implemented as a macro. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The following strings can be returned: -.IP "SSLv2" 4 -.IX Item "SSLv2" -The connection uses the SSLv2 protocol. -.IP "SSLv3" 4 -.IX Item "SSLv3" -The connection uses the SSLv3 protocol. -.IP "TLSv1" 4 -.IX Item "TLSv1" -The connection uses the TLSv1.0 protocol. -.IP "TLSv1.1" 4 -.IX Item "TLSv1.1" -The connection uses the TLSv1.1 protocol. -.IP "TLSv1.2" 4 -.IX Item "TLSv1.2" -The connection uses the TLSv1.2 protocol. -.IP "unknown" 4 -.IX Item "unknown" -This indicates an unknown protocol version. +\&\fISSL_get_extms_support()\fR returns 1 if the current session used extended +master secret, 0 if it did not and \-1 if a handshake is currently in +progress i.e. it is not possible to determine if extended master secret +was used. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_fd.3 b/secure/lib/libcrypto/man/SSL_get_fd.3 similarity index 88% rename from secure/lib/libssl/man/SSL_get_fd.3 rename to secure/lib/libcrypto/man/SSL_get_fd.3 index cc725cb6f48b..f1b2864d97ea 100644 --- a/secure/lib/libssl/man/SSL_get_fd.3 +++ b/secure/lib/libcrypto/man/SSL_get_fd.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_fd 3" -.TH SSL_get_fd 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_FD 3" +.TH SSL_GET_FD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_get_fd \- get file descriptor linked to an SSL object +SSL_get_fd, SSL_get_rfd, SSL_get_wfd \- get file descriptor linked to an SSL object .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -164,4 +164,12 @@ The operation failed, because the underlying \s-1BIO\s0 is not of the correct ty The file descriptor linked to \fBssl\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_set_fd\fR\|(3), \fIssl\fR\|(3) , \fIbio\fR\|(3) +\&\fISSL_set_fd\fR\|(3), \fIssl\fR\|(7) , \fIbio\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_peer_cert_chain.3 b/secure/lib/libcrypto/man/SSL_get_peer_cert_chain.3 new file mode 100644 index 000000000000..e0063a6252a9 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_peer_cert_chain.3 @@ -0,0 +1,197 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_PEER_CERT_CHAIN 3" +.TH SSL_GET_PEER_CERT_CHAIN 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_get_peer_cert_chain, SSL_get0_verified_chain \- get the X509 certificate chain of the peer +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl); +\& STACK_OF(X509) *SSL_get0_verified_chain(const SSL *ssl); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_get_peer_cert_chain()\fR returns a pointer to \s-1STACK_OF\s0(X509) certificates +forming the certificate chain sent by the peer. If called on the client side, +the stack also contains the peer's certificate; if called on the server +side, the peer's certificate must be obtained separately using +\&\fISSL_get_peer_certificate\fR\|(3). +If the peer did not present a certificate, \s-1NULL\s0 is returned. +.PP +\&\s-1NB:\s0 \fISSL_get_peer_cert_chain()\fR returns the peer chain as sent by the peer: it +only consists of certificates the peer has sent (in the order the peer +has sent them) it is \fBnot\fR a verified chain. +.PP +\&\fISSL_get0_verified_chain()\fR returns the \fBverified\fR certificate chain +of the peer including the peer's end entity certificate. It must be called +after a session has been successfully established. If peer verification was +not successful (as indicated by \fISSL_get_verify_result()\fR not returning +X509_V_OK) the chain may be incomplete or invalid. +.SH "NOTES" +.IX Header "NOTES" +If the session is resumed peers do not send certificates so a \s-1NULL\s0 pointer +is returned by these functions. Applications can call \fISSL_session_reused()\fR +to determine whether a session is resumed. +.PP +The reference count of each certificate in the returned \s-1STACK_OF\s0(X509) object +is not incremented and the returned stack may be invalidated by renegotiation. +If applications wish to use any certificates in the returned chain +indefinitely they must increase the reference counts using \fIX509_up_ref()\fR or +obtain a copy of the whole chain with \fIX509_chain_up_ref()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The following return values can occur: +.IP "\s-1NULL\s0" 4 +.IX Item "NULL" +No certificate was presented by the peer or no connection was established +or the certificate chain is no longer available when a session is reused. +.IP "Pointer to a \s-1STACK_OF\s0(X509)" 4 +.IX Item "Pointer to a STACK_OF(X509)" +The return value points to the certificate chain presented by the peer. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_get_peer_certificate\fR\|(3), \fIX509_up_ref\fR\|(3), +\&\fIX509_chain_up_ref\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_peer_certificate.3 b/secure/lib/libcrypto/man/SSL_get_peer_certificate.3 similarity index 91% rename from secure/lib/libssl/man/SSL_get_peer_certificate.3 rename to secure/lib/libcrypto/man/SSL_get_peer_certificate.3 index 9ae89f9d9e52..bfd55e6df930 100644 --- a/secure/lib/libssl/man/SSL_get_peer_certificate.3 +++ b/secure/lib/libcrypto/man/SSL_get_peer_certificate.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_peer_certificate 3" -.TH SSL_get_peer_certificate 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_PEER_CERTIFICATE 3" +.TH SSL_GET_PEER_CERTIFICATE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -173,5 +173,13 @@ No certificate was presented by the peer or no connection was established. The return value points to the certificate presented by the peer. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_get_verify_result\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_get_verify_result\fR\|(3), \&\fISSL_CTX_set_verify\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_peer_signature_nid.3 b/secure/lib/libcrypto/man/SSL_get_peer_signature_nid.3 new file mode 100644 index 000000000000..c7a75c2d65cd --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_peer_signature_nid.3 @@ -0,0 +1,174 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_PEER_SIGNATURE_NID 3" +.TH SSL_GET_PEER_SIGNATURE_NID 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_get_peer_signature_nid, SSL_get_peer_signature_type_nid \- get TLS message signing types +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_get_peer_signature_nid(SSL *ssl, int *psig_nid); +\& int SSL_get_peer_signature_type_nid(const SSL *ssl, int *psigtype_nid); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_get_peer_signature_nid()\fR sets \fB*psig_nid\fR to the \s-1NID\s0 of the digest used +by the peer to sign \s-1TLS\s0 messages. It is implemented as a macro. +.PP +\&\fISSL_get_peer_signature_type_nid()\fR sets \fB*psigtype_nid\fR to the signature +type used by the peer to sign \s-1TLS\s0 messages. Currently the signature type +is the \s-1NID\s0 of the public key type used for signing except for \s-1PSS\s0 signing +where it is \fB\s-1EVP_PKEY_RSA_PSS\s0\fR. To differentiate between +\&\fBrsa_pss_rsae_*\fR and \fBrsa_pss_pss_*\fR signatures, it's necessary to check +the type of public key in the peer's certificate. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +These functions return 1 for success and 0 for failure. There are several +possible reasons for failure: the cipher suite has no signature (e.g. it +uses \s-1RSA\s0 key exchange or is anonymous), the \s-1TLS\s0 version is below 1.2 or +the functions were called before the peer signed a message. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_get_peer_certificate\fR\|(3), +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_psk_identity.3 b/secure/lib/libcrypto/man/SSL_get_psk_identity.3 similarity index 91% rename from secure/lib/libssl/man/SSL_get_psk_identity.3 rename to secure/lib/libcrypto/man/SSL_get_psk_identity.3 index cd6f8b23740d..490a6bc98a8e 100644 --- a/secure/lib/libssl/man/SSL_get_psk_identity.3 +++ b/secure/lib/libcrypto/man/SSL_get_psk_identity.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_psk_identity 3" -.TH SSL_get_psk_identity 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_PSK_IDENTITY 3" +.TH SSL_GET_PSK_IDENTITY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -159,3 +159,11 @@ no \s-1PSK\s0 identity hint was used during the connection setup. .PP Note that the return value is valid only during the lifetime of the \&\s-1SSL\s0 object \fBssl\fR. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_rbio.3 b/secure/lib/libcrypto/man/SSL_get_rbio.3 similarity index 88% rename from secure/lib/libssl/man/SSL_get_rbio.3 rename to secure/lib/libcrypto/man/SSL_get_rbio.3 index f6b94cf7b746..baa19ab6adbe 100644 --- a/secure/lib/libssl/man/SSL_get_rbio.3 +++ b/secure/lib/libcrypto/man/SSL_get_rbio.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_rbio 3" -.TH SSL_get_rbio 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_RBIO 3" +.TH SSL_GET_RBIO 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_get_rbio \- get BIO linked to an SSL object +SSL_get_rbio, SSL_get_wbio \- get BIO linked to an SSL object .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -160,4 +160,12 @@ No \s-1BIO\s0 was connected to the \s-1SSL\s0 object The \s-1BIO\s0 linked to \fBssl\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_set_bio\fR\|(3), \fIssl\fR\|(3) , \fIbio\fR\|(3) +\&\fISSL_set_bio\fR\|(3), \fIssl\fR\|(7) , \fIbio\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_server_tmp_key.3 b/secure/lib/libcrypto/man/SSL_get_server_tmp_key.3 new file mode 100644 index 000000000000..691c2ab678fd --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_server_tmp_key.3 @@ -0,0 +1,169 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_SERVER_TMP_KEY 3" +.TH SSL_GET_SERVER_TMP_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_get_server_tmp_key \- get information about the server's temporary key used during a handshake +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& long SSL_get_server_tmp_key(SSL *ssl, EVP_PKEY **key); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_get_server_tmp_key()\fR returns the temporary key provided by the server and +used during key exchange. For example, if \s-1ECDHE\s0 is in use, then this represents +the server's public \s-1ECDHE\s0 key. On success a pointer to the key is stored in +\&\fB*key\fR. It is the caller's responsibility to free this key after use using +\&\fIEVP_PKEY_free\fR\|(3). This function may only be called by the client. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_get_server_tmp_key()\fR returns 1 on success or 0 otherwise. +.SH "NOTES" +.IX Header "NOTES" +This function is implemented as a macro. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fIEVP_PKEY_free\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_session.3 b/secure/lib/libcrypto/man/SSL_get_session.3 similarity index 74% rename from secure/lib/libssl/man/SSL_get_session.3 rename to secure/lib/libcrypto/man/SSL_get_session.3 index 92ea05c491a6..b02b4c5c4fc6 100644 --- a/secure/lib/libssl/man/SSL_get_session.3 +++ b/secure/lib/libcrypto/man/SSL_get_session.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_session 3" -.TH SSL_get_session 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_SESSION 3" +.TH SSL_GET_SESSION 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_get_session \- retrieve TLS/SSL session data +SSL_get_session, SSL_get0_session, SSL_get1_session \- retrieve TLS/SSL session data .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -158,13 +158,36 @@ count of the \fB\s-1SSL_SESSION\s0\fR is incremented by one. .SH "NOTES" .IX Header "NOTES" The ssl session contains all information required to re-establish the -connection without a new handshake. +connection without a full handshake for \s-1SSL\s0 versions up to and including +TLSv1.2. In TLSv1.3 the same is true, but sessions are established after the +main handshake has occurred. The server will send the session information to the +client at a time of its choosing, which may be some while after the initial +connection is established (or never). Calling these functions on the client side +in TLSv1.3 before the session has been established will still return an +\&\s-1SSL_SESSION\s0 object but that object cannot be used for resuming the session. See +\&\fISSL_SESSION_is_resumable\fR\|(3) for information on how to determine whether an +\&\s-1SSL_SESSION\s0 object can be used for resumption or not. +.PP +Additionally, in TLSv1.3, a server can send multiple messages that establish a +session for a single connection. In that case the above functions will only +return information on the last session that was received. +.PP +The preferred way for applications to obtain a resumable \s-1SSL_SESSION\s0 object is +to use a new session callback as described in \fISSL_CTX_sess_set_new_cb\fR\|(3). +The new session callback is only invoked when a session is actually established, +so this avoids the problem described above where an application obtains an +\&\s-1SSL_SESSION\s0 object that cannot be used for resumption in TLSv1.3. It also +enables applications to obtain information about all sessions sent by the +server. .PP A session will be automatically removed from the session cache and marked as non-resumable if the connection is not closed down cleanly, e.g. if a fatal error occurs on the connection or \fISSL_shutdown\fR\|(3) is not called prior to \&\fISSL_free\fR\|(3). .PP +In TLSv1.3 it is recommended that each \s-1SSL_SESSION\s0 object is only used for +resumption once. +.PP \&\fISSL_get0_session()\fR returns a pointer to the actual session. As the reference counter is not incremented, the pointer is only valid while the connection is in use. If \fISSL_clear\fR\|(3) or @@ -190,11 +213,19 @@ The following return values can occur: .IP "\s-1NULL\s0" 4 .IX Item "NULL" There is no session available in \fBssl\fR. -.IP "Pointer to an \s-1SSL\s0" 4 -.IX Item "Pointer to an SSL" +.IP "Pointer to an \s-1SSL_SESSION\s0" 4 +.IX Item "Pointer to an SSL_SESSION" The return value points to the data of an \s-1SSL\s0 session. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_free\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_free\fR\|(3), \&\fISSL_clear\fR\|(3), \&\fISSL_SESSION_free\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_shared_sigalgs.3 b/secure/lib/libcrypto/man/SSL_get_shared_sigalgs.3 new file mode 100644 index 000000000000..2cd31de2fa8d --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_shared_sigalgs.3 @@ -0,0 +1,215 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_SHARED_SIGALGS 3" +.TH SSL_GET_SHARED_SIGALGS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_get_shared_sigalgs, SSL_get_sigalgs \- get supported signature algorithms +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_get_shared_sigalgs(SSL *s, int idx, +\& int *psign, int *phash, int *psignhash, +\& unsigned char *rsig, unsigned char *rhash); +\& +\& int SSL_get_sigalgs(SSL *s, int idx, +\& int *psign, int *phash, int *psignhash, +\& unsigned char *rsig, unsigned char *rhash); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_get_shared_sigalgs()\fR returns information about the shared signature +algorithms supported by peer \fBs\fR. The parameter \fBidx\fR indicates the index +of the shared signature algorithm to return starting from zero. The signature +algorithm \s-1NID\s0 is written to \fB*psign\fR, the hash \s-1NID\s0 to \fB*phash\fR and the +sign and hash \s-1NID\s0 to \fB*psignhash\fR. The raw signature and hash values +are written to \fB*rsig\fR and \fB*rhash\fR. +.PP +\&\fISSL_get_sigalgs()\fR is similar to \fISSL_get_shared_sigalgs()\fR except it returns +information about all signature algorithms supported by \fBs\fR in the order +they were sent by the peer. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_get_shared_sigalgs()\fR and \fISSL_get_sigalgs()\fR return the number of +signature algorithms or \fB0\fR if the \fBidx\fR parameter is out of range. +.SH "NOTES" +.IX Header "NOTES" +These functions are typically called for debugging purposes (to report +the peer's preferences) or where an application wants finer control over +certificate selection. Most applications will rely on internal handling +and will not need to call them. +.PP +If an application is only interested in the highest preference shared +signature algorithm it can just set \fBidx\fR to zero. +.PP +Any or all of the parameters \fBpsign\fR, \fBphash\fR, \fBpsignhash\fR, \fBrsig\fR or +\&\fBrhash\fR can be set to \fB\s-1NULL\s0\fR if the value is not required. By setting +them all to \fB\s-1NULL\s0\fR and setting \fBidx\fR to zero the total number of +signature algorithms can be determined: which can be zero. +.PP +These functions must be called after the peer has sent a list of supported +signature algorithms: after a client hello (for servers) or a certificate +request (for clients). They can (for example) be called in the certificate +callback. +.PP +Only \s-1TLS 1.2, TLS 1.3\s0 and \s-1DTLS 1.2\s0 currently support signature algorithms. +If these +functions are called on an earlier version of \s-1TLS\s0 or \s-1DTLS\s0 zero is returned. +.PP +The shared signature algorithms returned by \fISSL_get_shared_sigalgs()\fR are +ordered according to configuration and peer preferences. +.PP +The raw values correspond to the on the wire form as defined by \s-1RFC5246\s0 et al. +The NIDs are OpenSSL equivalents. For example if the peer sent \fIsha256\fR\|(4) and +\&\fIrsa\fR\|(1) then \fB*rhash\fR would be 4, \fB*rsign\fR 1, \fB*phash\fR NID_sha256, \fB*psig\fR +NID_rsaEncryption and \fB*psighash\fR NID_sha256WithRSAEncryption. +.PP +If a signature algorithm is not recognised the corresponding NIDs +will be set to \fBNID_undef\fR. This may be because the value is not supported, +is not an appropriate combination (for example \s-1MD5\s0 and \s-1DSA\s0) or the +signature algorithm does not use a hash (for example Ed25519). +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_CTX_set_cert_cb\fR\|(3), +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_get_verify_result.3 b/secure/lib/libcrypto/man/SSL_get_verify_result.3 similarity index 91% rename from secure/lib/libssl/man/SSL_get_verify_result.3 rename to secure/lib/libcrypto/man/SSL_get_verify_result.3 index 9e4bfcd949f6..720517831714 100644 --- a/secure/lib/libssl/man/SSL_get_verify_result.3 +++ b/secure/lib/libcrypto/man/SSL_get_verify_result.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_get_verify_result 3" -.TH SSL_get_verify_result 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_GET_VERIFY_RESULT 3" +.TH SSL_GET_VERIFY_RESULT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -173,6 +173,14 @@ The verification succeeded or no peer certificate was presented. Documented in \fIverify\fR\|(1). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_set_verify_result\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_set_verify_result\fR\|(3), \&\fISSL_get_peer_certificate\fR\|(3), \&\fIverify\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_get_version.3 b/secure/lib/libcrypto/man/SSL_get_version.3 new file mode 100644 index 000000000000..415bd277852d --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_get_version.3 @@ -0,0 +1,217 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_GET_VERSION 3" +.TH SSL_GET_VERSION 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_client_version, SSL_get_version, SSL_is_dtls, SSL_version \- get the protocol information of a connection +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_client_version(const SSL *s); +\& +\& const char *SSL_get_version(const SSL *ssl); +\& +\& int SSL_is_dtls(const SSL *ssl); +\& +\& int SSL_version(const SSL *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_client_version()\fR returns the numeric protocol version advertised by the +client in the legacy_version field of the ClientHello when initiating the +connection. Note that, for \s-1TLS,\s0 this value will never indicate a version greater +than TLSv1.2 even if TLSv1.3 is subsequently negotiated. \fISSL_get_version()\fR +returns the name of the protocol used for the connection. \fISSL_version()\fR returns +the numeric protocol version used for the connection. They should only be called +after the initial handshake has been completed. Prior to that the results +returned from these functions may be unreliable. +.PP +\&\fISSL_is_dtls()\fR returns one if the connection is using \s-1DTLS,\s0 zero if not. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_get_version()\fR returns one of the following strings: +.IP "SSLv3" 4 +.IX Item "SSLv3" +The connection uses the SSLv3 protocol. +.IP "TLSv1" 4 +.IX Item "TLSv1" +The connection uses the TLSv1.0 protocol. +.IP "TLSv1.1" 4 +.IX Item "TLSv1.1" +The connection uses the TLSv1.1 protocol. +.IP "TLSv1.2" 4 +.IX Item "TLSv1.2" +The connection uses the TLSv1.2 protocol. +.IP "TLSv1.3" 4 +.IX Item "TLSv1.3" +The connection uses the TLSv1.3 protocol. +.IP "unknown" 4 +.IX Item "unknown" +This indicates an unknown protocol version. +.PP +\&\fISSL_version()\fR and \fISSL_client_version()\fR return an integer which could include any +of the following: +.IP "\s-1SSL3_VERSION\s0" 4 +.IX Item "SSL3_VERSION" +The connection uses the SSLv3 protocol. +.IP "\s-1TLS1_VERSION\s0" 4 +.IX Item "TLS1_VERSION" +The connection uses the TLSv1.0 protocol. +.IP "\s-1TLS1_1_VERSION\s0" 4 +.IX Item "TLS1_1_VERSION" +The connection uses the TLSv1.1 protocol. +.IP "\s-1TLS1_2_VERSION\s0" 4 +.IX Item "TLS1_2_VERSION" +The connection uses the TLSv1.2 protocol. +.IP "\s-1TLS1_3_VERSION\s0" 4 +.IX Item "TLS1_3_VERSION" +The connection uses the TLSv1.3 protocol (never returned for +\&\fISSL_client_version()\fR). +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_is_dtls()\fR was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_in_init.3 b/secure/lib/libcrypto/man/SSL_in_init.3 new file mode 100644 index 000000000000..32e5b194378a --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_in_init.3 @@ -0,0 +1,223 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_IN_INIT 3" +.TH SSL_IN_INIT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_in_before, SSL_in_init, SSL_is_init_finished, SSL_in_connect_init, SSL_in_accept_init, SSL_get_state \&\- retrieve information about the handshake state machine +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_in_init(const SSL *s); +\& int SSL_in_before(const SSL *s); +\& int SSL_is_init_finished(const SSL *s); +\& +\& int SSL_in_connect_init(SSL *s); +\& int SSL_in_accept_init(SSL *s); +\& +\& OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_in_init()\fR returns 1 if the \s-1SSL/TLS\s0 state machine is currently processing or +awaiting handshake messages, or 0 otherwise. +.PP +\&\fISSL_in_before()\fR returns 1 if no \s-1SSL/TLS\s0 handshake has yet been initiated, or 0 +otherwise. +.PP +\&\fISSL_is_init_finished()\fR returns 1 if the \s-1SSL/TLS\s0 connection is in a state where +fully protected application data can be transferred or 0 otherwise. +.PP +Note that in some circumstances (such as when early data is being transferred) +\&\fISSL_in_init()\fR, \fISSL_in_before()\fR and \fISSL_is_init_finished()\fR can all return 0. +.PP +\&\fISSL_in_connect_init()\fR returns 1 if \fBs\fR is acting as a client and \fISSL_in_init()\fR +would return 1, or 0 otherwise. +.PP +\&\fISSL_in_accept_init()\fR returns 1 if \fBs\fR is acting as a server and \fISSL_in_init()\fR +would return 1, or 0 otherwise. +.PP +\&\fISSL_in_connect_init()\fR and \fISSL_in_accept_init()\fR are implemented as macros. +.PP +\&\fISSL_get_state()\fR returns a value indicating the current state of the handshake +state machine. \s-1OSSL_HANDSHAKE_STATE\s0 is an enumerated type where each value +indicates a discrete state machine state. Note that future versions of OpenSSL +may define more states so applications should expect to receive unrecognised +state values. The naming format is made up of a number of elements as follows: +.PP +\&\fBprotocol\fR_ST_\fBrole\fR_\fBmessage\fR +.PP +\&\fBprotocol\fR is one of \s-1TLS\s0 or \s-1DTLS. DTLS\s0 is used where a state is specific to the +\&\s-1DTLS\s0 protocol. Otherwise \s-1TLS\s0 is used. +.PP +\&\fBrole\fR is one of \s-1CR, CW, SR\s0 or \s-1SW\s0 to indicate \*(L"client reading\*(R", +\&\*(L"client writing\*(R", \*(L"server reading\*(R" or \*(L"server writing\*(R" respectively. +.PP +\&\fBmessage\fR is the name of a handshake message that is being or has been sent, or +is being or has been processed. +.PP +Additionally there are some special states that do not conform to the above +format. These are: +.IP "\s-1TLS_ST_BEFORE\s0" 4 +.IX Item "TLS_ST_BEFORE" +No handshake messages have yet been been sent or received. +.IP "\s-1TLS_ST_OK\s0" 4 +.IX Item "TLS_ST_OK" +Handshake message sending/processing has completed. +.IP "\s-1TLS_ST_EARLY_DATA\s0" 4 +.IX Item "TLS_ST_EARLY_DATA" +Early data is being processed +.IP "\s-1TLS_ST_PENDING_EARLY_DATA_END\s0" 4 +.IX Item "TLS_ST_PENDING_EARLY_DATA_END" +Awaiting the end of early data processing +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_in_init()\fR, \fISSL_in_before()\fR, \fISSL_is_init_finished()\fR, \fISSL_in_connect_init()\fR +and \fISSL_in_accept_init()\fR return values as indicated above. +.PP +\&\fISSL_get_state()\fR returns the current handshake state. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), +\&\fISSL_read_early_data\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_key_update.3 b/secure/lib/libcrypto/man/SSL_key_update.3 new file mode 100644 index 000000000000..d1a367f248fa --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_key_update.3 @@ -0,0 +1,232 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_KEY_UPDATE 3" +.TH SSL_KEY_UPDATE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_key_update, SSL_get_key_update_type, SSL_renegotiate, SSL_renegotiate_abbreviated, SSL_renegotiate_pending \&\- initiate and obtain information about updating connection keys +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_key_update(SSL *s, int updatetype); +\& int SSL_get_key_update_type(SSL *s); +\& +\& int SSL_renegotiate(SSL *s); +\& int SSL_renegotiate_abbreviated(SSL *s); +\& int SSL_renegotiate_pending(SSL *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_key_update()\fR schedules an update of the keys for the current \s-1TLS\s0 connection. +If the \fBupdatetype\fR parameter is set to \fB\s-1SSL_KEY_UPDATE_NOT_REQUESTED\s0\fR then +the sending keys for this connection will be updated and the peer will be +informed of the change. If the \fBupdatetype\fR parameter is set to +\&\fB\s-1SSL_KEY_UPDATE_REQUESTED\s0\fR then the sending keys for this connection will be +updated and the peer will be informed of the change along with a request for the +peer to additionally update its sending keys. It is an error if \fBupdatetype\fR is +set to \fB\s-1SSL_KEY_UPDATE_NONE\s0\fR. +.PP +\&\fISSL_key_update()\fR must only be called after the initial handshake has been +completed and TLSv1.3 has been negotiated. The key update will not take place +until the next time an \s-1IO\s0 operation such as \fISSL_read_ex()\fR or \fISSL_write_ex()\fR +takes place on the connection. Alternatively \fISSL_do_handshake()\fR can be called to +force the update to take place immediately. +.PP +\&\fISSL_get_key_update_type()\fR can be used to determine whether a key update +operation has been scheduled but not yet performed. The type of the pending key +update operation will be returned if there is one, or \s-1SSL_KEY_UPDATE_NONE\s0 +otherwise. +.PP +\&\fISSL_renegotiate()\fR and \fISSL_renegotiate_abbreviated()\fR should only be called for +connections that have negotiated TLSv1.2 or less. Calling them on any other +connection will result in an error. +.PP +When called from the client side, \fISSL_renegotiate()\fR schedules a completely new +handshake over an existing \s-1SSL/TLS\s0 connection. The next time an \s-1IO\s0 operation +such as \fISSL_read_ex()\fR or \fISSL_write_ex()\fR takes place on the connection a check +will be performed to confirm that it is a suitable time to start a +renegotiation. If so, then it will be initiated immediately. OpenSSL will not +attempt to resume any session associated with the connection in the new +handshake. +.PP +When called from the client side, \fISSL_renegotiate_abbreviated()\fR works in the +same was as \fISSL_renegotiate()\fR except that OpenSSL will attempt to resume the +session associated with the current connection in the new handshake. +.PP +When called from the server side, \fISSL_renegotiate()\fR and +\&\fISSL_renegotiate_abbreviated()\fR behave identically. They both schedule a request +for a new handshake to be sent to the client. The next time an \s-1IO\s0 operation is +performed then the same checks as on the client side are performed and then, if +appropriate, the request is sent. The client may or may not respond with a new +handshake and it may or may not attempt to resume an existing session. If +a new handshake is started then this will be handled transparently by calling +any OpenSSL \s-1IO\s0 function. +.PP +If an OpenSSL client receives a renegotiation request from a server then again +this will be handled transparently through calling any OpenSSL \s-1IO\s0 function. For +a \s-1TLS\s0 connection the client will attempt to resume the current session in the +new handshake. For historical reasons, \s-1DTLS\s0 clients will not attempt to resume +the session in the new handshake. +.PP +The \fISSL_renegotiate_pending()\fR function returns 1 if a renegotiation or +renegotiation request has been scheduled but not yet acted on, or 0 otherwise. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_key_update()\fR, \fISSL_renegotiate()\fR and \fISSL_renegotiate_abbreviated()\fR return 1 +on success or 0 on error. +.PP +\&\fISSL_get_key_update_type()\fR returns the update type of the pending key update +operation or \s-1SSL_KEY_UPDATE_NONE\s0 if there is none. +.PP +\&\fISSL_renegotiate_pending()\fR returns 1 if a renegotiation or renegotiation request +has been scheduled but not yet acted on, or 0 otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_read_ex\fR\|(3), +\&\fISSL_write_ex\fR\|(3), +\&\fISSL_do_handshake\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fISSL_key_update()\fR and \fISSL_get_key_update_type()\fR functions were added in +OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_library_init.3 b/secure/lib/libcrypto/man/SSL_library_init.3 similarity index 80% rename from secure/lib/libssl/man/SSL_library_init.3 rename to secure/lib/libcrypto/man/SSL_library_init.3 index 05cf16761df7..ebd515ae8483 100644 --- a/secure/lib/libssl/man/SSL_library_init.3 +++ b/secure/lib/libcrypto/man/SSL_library_init.3 @@ -128,30 +128,29 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_library_init 3" -.TH SSL_library_init 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_LIBRARY_INIT 3" +.TH SSL_LIBRARY_INIT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_library_init, OpenSSL_add_ssl_algorithms, SSLeay_add_ssl_algorithms -\&\- initialize SSL library by registering algorithms +SSL_library_init, OpenSSL_add_ssl_algorithms \&\- initialize SSL library by registering algorithms .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& int SSL_library_init(void); -\& #define OpenSSL_add_ssl_algorithms() SSL_library_init() -\& #define SSLeay_add_ssl_algorithms() SSL_library_init() +\& +\& int OpenSSL_add_ssl_algorithms(void); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fISSL_library_init()\fR registers the available \s-1SSL/TLS\s0 ciphers and digests. .PP -\&\fIOpenSSL_add_ssl_algorithms()\fR and \fISSLeay_add_ssl_algorithms()\fR are synonyms -for \fISSL_library_init()\fR. +\&\fIOpenSSL_add_ssl_algorithms()\fR is a synonym for \fISSL_library_init()\fR and is +implemented as a macro. .SH "NOTES" .IX Header "NOTES" \&\fISSL_library_init()\fR must be called before any other action takes place. @@ -160,25 +159,23 @@ for \fISSL_library_init()\fR. .IX Header "WARNING" \&\fISSL_library_init()\fR adds ciphers and digests used directly and indirectly by \&\s-1SSL/TLS.\s0 -.SH "EXAMPLES" -.IX Header "EXAMPLES" -A typical \s-1TLS/SSL\s0 application will start with the library initialization, -and provide readable error messages. -.PP -.Vb 2 -\& SSL_load_error_strings(); /* readable error messages */ -\& SSL_library_init(); /* initialize library */ -.Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_library_init()\fR always returns \*(L"1\*(R", so it is safe to discard the return value. -.SH "NOTES" -.IX Header "NOTES" -OpenSSL 0.9.8o and 1.0.0a and later added \s-1SHA2\s0 algorithms to \fISSL_library_init()\fR. -Applications which need to use \s-1SHA2\s0 in earlier versions of OpenSSL should call -\&\fIOpenSSL_add_all_algorithms()\fR as well. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_load_error_strings\fR\|(3), +\&\fIssl\fR\|(7), \&\fIRAND_add\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fISSL_library_init()\fR and \fIOpenSSL_add_ssl_algorithms()\fR functions were +deprecated in OpenSSL 1.1.0 by \fIOPENSSL_init_ssl()\fR. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_load_client_CA_file.3 b/secure/lib/libcrypto/man/SSL_load_client_CA_file.3 similarity index 90% rename from secure/lib/libssl/man/SSL_load_client_CA_file.3 rename to secure/lib/libcrypto/man/SSL_load_client_CA_file.3 index 86d4a4b838b1..f275bce51be0 100644 --- a/secure/lib/libssl/man/SSL_load_client_CA_file.3 +++ b/secure/lib/libcrypto/man/SSL_load_client_CA_file.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_load_client_CA_file 3" -.TH SSL_load_client_CA_file 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_LOAD_CLIENT_CA_FILE 3" +.TH SSL_LOAD_CLIENT_CA_FILE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -162,12 +162,12 @@ Load names of CAs from file and use it as a client \s-1CA\s0 list: \& SSL_CTX *ctx; \& STACK_OF(X509_NAME) *cert_names; \& -\& ... +\& ... \& cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); \& if (cert_names != NULL) -\& SSL_CTX_set_client_CA_list(ctx, cert_names); +\& SSL_CTX_set_client_CA_list(ctx, cert_names); \& else -\& error_handling(); +\& /* error */ \& ... .Ve .SH "RETURN VALUES" @@ -181,5 +181,13 @@ The operation failed, check out the error stack for the reason. Pointer to the subject names of the successfully read certificates. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), +\&\fIssl\fR\|(7), \&\fISSL_CTX_set_client_CA_list\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_new.3 b/secure/lib/libcrypto/man/SSL_new.3 similarity index 75% rename from secure/lib/libssl/man/SSL_new.3 rename to secure/lib/libcrypto/man/SSL_new.3 index d2cde832c5c7..2ce4a4ca89b9 100644 --- a/secure/lib/libssl/man/SSL_new.3 +++ b/secure/lib/libcrypto/man/SSL_new.3 @@ -128,27 +128,41 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_new 3" -.TH SSL_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_NEW 3" +.TH SSL_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_new \- create a new SSL structure for a connection +SSL_dup, SSL_new, SSL_up_ref \- create an SSL structure for a connection .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& SSL *SSL_dup(SSL *s); \& SSL *SSL_new(SSL_CTX *ctx); +\& int SSL_up_ref(SSL *s); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fISSL_new()\fR creates a new \fB\s-1SSL\s0\fR structure which is needed to hold the data for a \s-1TLS/SSL\s0 connection. The new structure inherits the settings -of the underlying context \fBctx\fR: connection method (SSLv2/v3/TLSv1), -options, verification settings, timeout settings. +of the underlying context \fBctx\fR: connection method, +options, verification settings, timeout settings. An \fB\s-1SSL\s0\fR structure is +reference counted. Creating an \fB\s-1SSL\s0\fR structure for the first time increments +the reference count. Freeing it (using SSL_free) decrements it. When the +reference count drops to zero, any memory or resources allocated to the \fB\s-1SSL\s0\fR +structure are freed. +.PP +\&\fISSL_up_ref()\fR increments the reference count for an +existing \fB\s-1SSL\s0\fR structure. +.PP +\&\fISSL_dup()\fR duplicates an existing \fB\s-1SSL\s0\fR structure into a new allocated one. All +settings are inherited from the original \fB\s-1SSL\s0\fR structure. Dynamic data (i.e. +existing connection details) are not copied, the new \fB\s-1SSL\s0\fR is set into an +initial accept (server) or connect (client) state. .SH "RETURN VALUES" .IX Header "RETURN VALUES" The following return values can occur: @@ -159,9 +173,19 @@ find out the reason. .IP "Pointer to an \s-1SSL\s0 structure" 4 .IX Item "Pointer to an SSL structure" The return value points to an allocated \s-1SSL\s0 structure. +.Sp +\&\fISSL_up_ref()\fR returns 1 for success and 0 for failure. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_free\fR\|(3), \fISSL_clear\fR\|(3), \&\fISSL_CTX_set_options\fR\|(3), \&\fISSL_get_SSL_CTX\fR\|(3), -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_pending.3 b/secure/lib/libcrypto/man/SSL_pending.3 new file mode 100644 index 000000000000..ec5f32fc46c2 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_pending.3 @@ -0,0 +1,195 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_PENDING 3" +.TH SSL_PENDING 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_pending, SSL_has_pending \- check for readable bytes buffered in an SSL object +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_pending(const SSL *ssl); +\& int SSL_has_pending(const SSL *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +Data is received in whole blocks known as records from the peer. A whole record +is processed (e.g. decrypted) in one go and is buffered by OpenSSL until it is +read by the application via a call to \fISSL_read_ex\fR\|(3) or \fISSL_read\fR\|(3). +.PP +\&\fISSL_pending()\fR returns the number of bytes which have been processed, buffered +and are available inside \fBssl\fR for immediate read. +.PP +If the \fB\s-1SSL\s0\fR object's \fIread_ahead\fR flag is set (see +\&\fISSL_CTX_set_read_ahead\fR\|(3)), additional protocol bytes (beyond the current +record) may have been read containing more \s-1TLS/SSL\s0 records. This also applies to +\&\s-1DTLS\s0 and pipelining (see \fISSL_CTX_set_split_send_fragment\fR\|(3)). These +additional bytes will be buffered by OpenSSL but will remain unprocessed until +they are needed. As these bytes are still in an unprocessed state \fISSL_pending()\fR +will ignore them. Therefore it is possible for no more bytes to be readable from +the underlying \s-1BIO\s0 (because OpenSSL has already read them) and for \fISSL_pending()\fR +to return 0, even though readable application data bytes are available (because +the data is in unprocessed buffered records). +.PP +\&\fISSL_has_pending()\fR returns 1 if \fBs\fR has buffered data (whether processed or +unprocessed) and 0 otherwise. Note that it is possible for \fISSL_has_pending()\fR to +return 1, and then a subsequent call to \fISSL_read_ex()\fR or \fISSL_read()\fR to return no +data because the unprocessed buffered data when processed yielded no application +data (for example this can happen during renegotiation). It is also possible in +this scenario for \fISSL_has_pending()\fR to continue to return 1 even after an +\&\fISSL_read_ex()\fR or \fISSL_read()\fR call because the buffered and unprocessed data is +not yet processable (e.g. because OpenSSL has only received a partial record so +far). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_pending()\fR returns the number of buffered and processed application data +bytes that are pending and are available for immediate read. \fISSL_has_pending()\fR +returns 1 if there is buffered record data in the \s-1SSL\s0 object and 0 otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_read_ex\fR\|(3), \fISSL_read\fR\|(3), \fISSL_CTX_set_read_ahead\fR\|(3), +\&\fISSL_CTX_set_split_send_fragment\fR\|(3), \fIssl\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +The \fISSL_has_pending()\fR function was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_read.3 b/secure/lib/libcrypto/man/SSL_read.3 new file mode 100644 index 000000000000..32519b574dae --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_read.3 @@ -0,0 +1,271 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_READ 3" +.TH SSL_READ 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_read_ex, SSL_read, SSL_peek_ex, SSL_peek \&\- read bytes from a TLS/SSL connection +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); +\& int SSL_read(SSL *ssl, void *buf, int num); +\& +\& int SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes); +\& int SSL_peek(SSL *ssl, void *buf, int num); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_read_ex()\fR and \fISSL_read()\fR try to read \fBnum\fR bytes from the specified \fBssl\fR +into the buffer \fBbuf\fR. On success \fISSL_read_ex()\fR will store the number of bytes +actually read in \fB*readbytes\fR. +.PP +\&\fISSL_peek_ex()\fR and \fISSL_peek()\fR are identical to \fISSL_read_ex()\fR and \fISSL_read()\fR +respectively except no bytes are actually removed from the underlying \s-1BIO\s0 during +the read, so that a subsequent call to \fISSL_read_ex()\fR or \fISSL_read()\fR will yield +at least the same bytes. +.SH "NOTES" +.IX Header "NOTES" +In the paragraphs below a \*(L"read function\*(R" is defined as one of \fISSL_read_ex()\fR, +\&\fISSL_read()\fR, \fISSL_peek_ex()\fR or \fISSL_peek()\fR. +.PP +If necessary, a read function will negotiate a \s-1TLS/SSL\s0 session, if not already +explicitly performed by \fISSL_connect\fR\|(3) or \fISSL_accept\fR\|(3). If the +peer requests a re-negotiation, it will be performed transparently during +the read function operation. The behaviour of the read functions depends on the +underlying \s-1BIO.\s0 +.PP +For the transparent negotiation to succeed, the \fBssl\fR must have been +initialized to client or server mode. This is being done by calling +\&\fISSL_set_connect_state\fR\|(3) or \fISSL_set_accept_state()\fR before the first +invocation of a read function. +.PP +The read functions work based on the \s-1SSL/TLS\s0 records. The data are received in +records (with a maximum record size of 16kB). Only when a record has been +completely received, can it be processed (decryption and check of integrity). +Therefore data that was not retrieved at the last read call can still be +buffered inside the \s-1SSL\s0 layer and will be retrieved on the next read +call. If \fBnum\fR is higher than the number of bytes buffered then the read +functions will return with the bytes buffered. If no more bytes are in the +buffer, the read functions will trigger the processing of the next record. +Only when the record has been received and processed completely will the read +functions return reporting success. At most the contents of one record will +be returned. As the size of an \s-1SSL/TLS\s0 record may exceed the maximum packet size +of the underlying transport (e.g. \s-1TCP\s0), it may be necessary to read several +packets from the transport layer before the record is complete and the read call +can succeed. +.PP +If \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR has been switched off and a non-application data +record has been processed, the read function can return and set the error to +\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR. +In this case there might still be unprocessed data available in the \fB\s-1BIO\s0\fR. +If read ahead was set using \fISSL_CTX_set_read_ahead\fR\|(3), there might also still +be unprocessed data available in the \fB\s-1SSL\s0\fR. +This behaviour can be controlled using the \fISSL_CTX_set_mode\fR\|(3) call. +.PP +If the underlying \s-1BIO\s0 is \fBblocking\fR, a read function will only return once the +read operation has been finished or an error occurred, except when a +non-application data record has been processed and \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is +not set. +Note that if \fB\s-1SSL_MODE_AUTO_RETRY\s0\fR is set and only non-application data is +available the call will hang. +.PP +If the underlying \s-1BIO\s0 is \fBnon-blocking\fR, a read function will also return when +the underlying \s-1BIO\s0 could not satisfy the needs of the function to continue the +operation. +In this case a call to \fISSL_get_error\fR\|(3) with the +return value of the read function will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or +\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. +As at any time it's possible that non-application data needs to be sent, +a read function can also cause write operations. +The calling process then must repeat the call after taking appropriate action +to satisfy the needs of the read function. +The action depends on the underlying \s-1BIO.\s0 +When using a non-blocking socket, nothing is to be done, but \fIselect()\fR can be +used to check for the required condition. +When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written into or +retrieved out of the \s-1BIO\s0 before being able to continue. +.PP +\&\fISSL_pending\fR\|(3) can be used to find out whether there +are buffered bytes available for immediate retrieval. +In this case the read function can be called without blocking or actually +receiving new data from the underlying socket. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_read_ex()\fR and \fISSL_peek_ex()\fR will return 1 for success or 0 for failure. +Success means that 1 or more application data bytes have been read from the \s-1SSL\s0 +connection. +Failure means that no bytes could be read from the \s-1SSL\s0 connection. +Failures can be retryable (e.g. we are waiting for more bytes to +be delivered by the network) or non-retryable (e.g. a fatal network error). +In the event of a failure call \fISSL_get_error\fR\|(3) to find out the reason which +indicates whether the call is retryable or not. +.PP +For \fISSL_read()\fR and \fISSL_peek()\fR the following return values can occur: +.IP "> 0" 4 +.IX Item "> 0" +The read operation was successful. +The return value is the number of bytes actually read from the \s-1TLS/SSL\s0 +connection. +.IP "<= 0" 4 +.IX Item "<= 0" +The read operation was not successful, because either the connection was closed, +an error occurred or action must be taken by the calling process. +Call \fISSL_get_error\fR\|(3) with the return value \fBret\fR to find out the reason. +.Sp +Old documentation indicated a difference between 0 and \-1, and that \-1 was +retryable. +You should instead call \fISSL_get_error()\fR to find out if it's retryable. +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_read_ex()\fR and \fISSL_peek_ex()\fR were added in OpenSSL 1.1.1. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_get_error\fR\|(3), \fISSL_write_ex\fR\|(3), +\&\fISSL_CTX_set_mode\fR\|(3), \fISSL_CTX_new\fR\|(3), +\&\fISSL_connect\fR\|(3), \fISSL_accept\fR\|(3) +\&\fISSL_set_connect_state\fR\|(3), +\&\fISSL_pending\fR\|(3), +\&\fISSL_shutdown\fR\|(3), \fISSL_set_shutdown\fR\|(3), +\&\fIssl\fR\|(7), \fIbio\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_read_early_data.3 b/secure/lib/libcrypto/man/SSL_read_early_data.3 new file mode 100644 index 000000000000..e97e46ef0abf --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_read_early_data.3 @@ -0,0 +1,476 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_READ_EARLY_DATA 3" +.TH SSL_READ_EARLY_DATA 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_set_max_early_data, SSL_CTX_set_max_early_data, SSL_get_max_early_data, SSL_CTX_get_max_early_data, SSL_set_recv_max_early_data, SSL_CTX_set_recv_max_early_data, SSL_get_recv_max_early_data, SSL_CTX_get_recv_max_early_data, SSL_SESSION_get_max_early_data, SSL_SESSION_set_max_early_data, SSL_write_early_data, SSL_read_early_data, SSL_get_early_data_status, SSL_allow_early_data_cb_fn, SSL_CTX_set_allow_early_data_cb, SSL_set_allow_early_data_cb \&\- functions for sending and receiving early data +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data); +\& uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx); +\& int SSL_set_max_early_data(SSL *s, uint32_t max_early_data); +\& uint32_t SSL_get_max_early_data(const SSL *s); +\& +\& int SSL_CTX_set_recv_max_early_data(SSL_CTX *ctx, uint32_t recv_max_early_data); +\& uint32_t SSL_CTX_get_recv_max_early_data(const SSL_CTX *ctx); +\& int SSL_set_recv_max_early_data(SSL *s, uint32_t recv_max_early_data); +\& uint32_t SSL_get_recv_max_early_data(const SSL *s); +\& +\& uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *s); +\& int SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data); +\& +\& int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written); +\& +\& int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes); +\& +\& int SSL_get_early_data_status(const SSL *s); +\& +\& +\& typedef int (*SSL_allow_early_data_cb_fn)(SSL *s, void *arg); +\& +\& void SSL_CTX_set_allow_early_data_cb(SSL_CTX *ctx, +\& SSL_allow_early_data_cb_fn cb, +\& void *arg); +\& void SSL_set_allow_early_data_cb(SSL *s, +\& SSL_allow_early_data_cb_fn cb, +\& void *arg); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions are used to send and receive early data where TLSv1.3 has been +negotiated. Early data can be sent by the client immediately after its initial +ClientHello without having to wait for the server to complete the handshake. +Early data can only be sent if a session has previously been established with +the server, and the server is known to support it. Additionally these functions +can be used to send data from the server to the client when the client has not +yet completed the authentication stage of the handshake. +.PP +Early data has weaker security properties than other data sent over an \s-1SSL/TLS\s0 +connection. In particular the data does not have forward secrecy. There are also +additional considerations around replay attacks (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0 +below). For these reasons extreme care should be exercised when using early +data. For specific details, consult the \s-1TLS 1.3\s0 specification. +.PP +When a server receives early data it may opt to immediately respond by sending +application data back to the client. Data sent by the server at this stage is +done before the full handshake has been completed. Specifically the client's +authentication messages have not yet been received, i.e. the client is +unauthenticated at this point and care should be taken when using this +capability. +.PP +A server or client can determine whether the full handshake has been completed +or not by calling \fISSL_is_init_finished\fR\|(3). +.PP +On the client side, the function \fISSL_SESSION_get_max_early_data()\fR can be used to +determine if a session established with a server can be used to send early data. +If the session cannot be used then this function will return 0. Otherwise it +will return the maximum number of early data bytes that can be sent. +.PP +The function \fISSL_SESSION_set_max_early_data()\fR sets the maximum number of early +data bytes that can be sent for a session. This would typically be used when +creating a \s-1PSK\s0 session file (see \fISSL_CTX_set_psk_use_session_callback\fR\|(3)). If +using a ticket based \s-1PSK\s0 then this is set automatically to the value provided by +the server. +.PP +A client uses the function \fISSL_write_early_data()\fR to send early data. This +function is similar to the \fISSL_write_ex\fR\|(3) function, but with the following +differences. See \fISSL_write_ex\fR\|(3) for information on how to write bytes to +the underlying connection, and how to handle any errors that may arise. This +page describes the differences between \fISSL_write_early_data()\fR and +\&\fISSL_write_ex\fR\|(3). +.PP +When called by a client, \fISSL_write_early_data()\fR must be the first \s-1IO\s0 function +called on a new connection, i.e. it must occur before any calls to +\&\fISSL_write_ex\fR\|(3), \fISSL_read_ex\fR\|(3), \fISSL_connect\fR\|(3), \fISSL_do_handshake\fR\|(3) +or other similar functions. It may be called multiple times to stream data to +the server, but the total number of bytes written must not exceed the value +returned from \fISSL_SESSION_get_max_early_data()\fR. Once the initial +\&\fISSL_write_early_data()\fR call has completed successfully the client may interleave +calls to \fISSL_read_ex\fR\|(3) and \fISSL_read\fR\|(3) with calls to +\&\fISSL_write_early_data()\fR as required. +.PP +If \fISSL_write_early_data()\fR fails you should call \fISSL_get_error\fR\|(3) to determine +the correct course of action, as for \fISSL_write_ex\fR\|(3). +.PP +When the client no longer wishes to send any more early data then it should +complete the handshake by calling a function such as \fISSL_connect\fR\|(3) or +\&\fISSL_do_handshake\fR\|(3). Alternatively you can call a standard write function +such as \fISSL_write_ex\fR\|(3), which will transparently complete the connection and +write the requested data. +.PP +A server may choose to ignore early data that has been sent to it. Once the +connection has been completed you can determine whether the server accepted or +rejected the early data by calling \fISSL_get_early_data_status()\fR. This will return +\&\s-1SSL_EARLY_DATA_ACCEPTED\s0 if the data was accepted, \s-1SSL_EARLY_DATA_REJECTED\s0 if it +was rejected or \s-1SSL_EARLY_DATA_NOT_SENT\s0 if no early data was sent. This function +may be called by either the client or the server. +.PP +A server uses the \fISSL_read_early_data()\fR function to receive early data on a +connection for which early data has been enabled using +\&\fISSL_CTX_set_max_early_data()\fR or \fISSL_set_max_early_data()\fR. As for +\&\fISSL_write_early_data()\fR, this must be the first \s-1IO\s0 function +called on a connection, i.e. it must occur before any calls to +\&\fISSL_write_ex\fR\|(3), \fISSL_read_ex\fR\|(3), \fISSL_accept\fR\|(3), \fISSL_do_handshake\fR\|(3), +or other similar functions. +.PP +\&\fISSL_read_early_data()\fR is similar to \fISSL_read_ex\fR\|(3) with the following +differences. Refer to \fISSL_read_ex\fR\|(3) for full details. +.PP +\&\fISSL_read_early_data()\fR may return 3 possible values: +.IP "\s-1SSL_READ_EARLY_DATA_ERROR\s0" 4 +.IX Item "SSL_READ_EARLY_DATA_ERROR" +This indicates an \s-1IO\s0 or some other error occurred. This should be treated in the +same way as a 0 return value from \fISSL_read_ex\fR\|(3). +.IP "\s-1SSL_READ_EARLY_DATA_SUCCESS\s0" 4 +.IX Item "SSL_READ_EARLY_DATA_SUCCESS" +This indicates that early data was successfully read. This should be treated in +the same way as a 1 return value from \fISSL_read_ex\fR\|(3). You should continue to +call \fISSL_read_early_data()\fR to read more data. +.IP "\s-1SSL_READ_EARLY_DATA_FINISH\s0" 4 +.IX Item "SSL_READ_EARLY_DATA_FINISH" +This indicates that no more early data can be read. It may be returned on the +first call to \fISSL_read_early_data()\fR if the client has not sent any early data, +or if the early data was rejected. +.PP +Once the initial \fISSL_read_early_data()\fR call has completed successfully (i.e. it +has returned \s-1SSL_READ_EARLY_DATA_SUCCESS\s0 or \s-1SSL_READ_EARLY_DATA_FINISH\s0) then the +server may choose to write data immediately to the unauthenticated client using +\&\fISSL_write_early_data()\fR. If \fISSL_read_early_data()\fR returned +\&\s-1SSL_READ_EARLY_DATA_FINISH\s0 then in some situations (e.g. if the client only +supports TLSv1.2) the handshake may have already been completed and calls +to \fISSL_write_early_data()\fR are not allowed. Call \fISSL_is_init_finished\fR\|(3) to +determine whether the handshake has completed or not. If the handshake is still +in progress then the server may interleave calls to \fISSL_write_early_data()\fR with +calls to \fISSL_read_early_data()\fR as required. +.PP +Servers must not call \fISSL_read_ex\fR\|(3), \fISSL_read\fR\|(3), \fISSL_write_ex\fR\|(3) or +\&\fISSL_write\fR\|(3) until \fISSL_read_early_data()\fR has returned with +\&\s-1SSL_READ_EARLY_DATA_FINISH.\s0 Once it has done so the connection to the client +still needs to be completed. Complete the connection by calling a function such +as \fISSL_accept\fR\|(3) or \fISSL_do_handshake\fR\|(3). Alternatively you can call a +standard read function such as \fISSL_read_ex\fR\|(3), which will transparently +complete the connection and read the requested data. Note that it is an error to +attempt to complete the connection before \fISSL_read_early_data()\fR has returned +\&\s-1SSL_READ_EARLY_DATA_FINISH.\s0 +.PP +Only servers may call \fISSL_read_early_data()\fR. +.PP +Calls to \fISSL_read_early_data()\fR may, in certain circumstances, complete the +connection immediately without further need to call a function such as +\&\fISSL_accept\fR\|(3). This can happen if the client is using a protocol version less +than TLSv1.3. Applications can test for this by calling +\&\fISSL_is_init_finished\fR\|(3). Alternatively, applications may choose to call +\&\fISSL_accept\fR\|(3) anyway. Such a call will successfully return immediately with no +further action taken. +.PP +When a session is created between a server and a client the server will specify +the maximum amount of any early data that it will accept on any future +connection attempt. By default the server does not accept early data; a +server may indicate support for early data by calling +\&\fISSL_CTX_set_max_early_data()\fR or +\&\fISSL_set_max_early_data()\fR to set it for the whole \s-1SSL_CTX\s0 or an individual \s-1SSL\s0 +object respectively. The \fBmax_early_data\fR parameter specifies the maximum +amount of early data in bytes that is permitted to be sent on a single +connection. Similarly the \fISSL_CTX_get_max_early_data()\fR and +\&\fISSL_get_max_early_data()\fR functions can be used to obtain the current maximum +early data settings for the \s-1SSL_CTX\s0 and \s-1SSL\s0 objects respectively. Generally a +server application will either use both of \fISSL_read_early_data()\fR and +\&\fISSL_CTX_set_max_early_data()\fR (or \fISSL_set_max_early_data()\fR), or neither of them, +since there is no practical benefit from using only one of them. If the maximum +early data setting for a server is non-zero then replay protection is +automatically enabled (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0 below). +.PP +If the server rejects the early data sent by a client then it will skip over +the data that is sent. The maximum amount of received early data that is skipped +is controlled by the recv_max_early_data setting. If a client sends more than +this then the connection will abort. This value can be set by calling +\&\fISSL_CTX_set_recv_max_early_data()\fR or \fISSL_set_recv_max_early_data()\fR. The current +value for this setting can be obtained by calling +\&\fISSL_CTX_get_recv_max_early_data()\fR or \fISSL_get_recv_max_early_data()\fR. The default +value for this setting is 16,384 bytes. +.PP +The recv_max_early_data value also has an impact on early data that is accepted. +The amount of data that is accepted will always be the lower of the +max_early_data for the session and the recv_max_early_data setting for the +server. If a client sends more data than this then the connection will abort. +.PP +The configured value for max_early_data on a server may change over time as +required. However clients may have tickets containing the previously configured +max_early_data value. The recv_max_early_data should always be equal to or +higher than any recently configured max_early_data value in order to avoid +aborted connections. The recv_max_early_data should never be set to less than +the current configured max_early_data value. +.PP +Some server applications may wish to have more control over whether early data +is accepted or not, for example to mitigate replay risks (see \*(L"\s-1REPLAY PROTECTION\*(R"\s0 +below) or to decline early_data when the server is heavily loaded. The functions +\&\fISSL_CTX_set_allow_early_data_cb()\fR and \fISSL_set_allow_early_data_cb()\fR set a +callback which is called at a point in the handshake immediately before a +decision is made to accept or reject early data. The callback is provided with a +pointer to the user data argument that was provided when the callback was first +set. Returning 1 from the callback will allow early data and returning 0 will +reject it. Note that the OpenSSL library may reject early data for other reasons +in which case this callback will not get called. Notably, the built-in replay +protection feature will still be used even if a callback is present unless it +has been explicitly disabled using the \s-1SSL_OP_NO_ANTI_REPLAY\s0 option. See +\&\*(L"\s-1REPLAY PROTECTION\*(R"\s0 below. +.SH "NOTES" +.IX Header "NOTES" +The whole purpose of early data is to enable a client to start sending data to +the server before a full round trip of network traffic has occurred. Application +developers should ensure they consider optimisation of the underlying \s-1TCP\s0 socket +to obtain a performant solution. For example Nagle's algorithm is commonly used +by operating systems in an attempt to avoid lots of small \s-1TCP\s0 packets. In many +scenarios this is beneficial for performance, but it does not work well with the +early data solution as implemented in OpenSSL. In Nagle's algorithm the \s-1OS\s0 will +buffer outgoing \s-1TCP\s0 data if a \s-1TCP\s0 packet has already been sent which we have not +yet received an \s-1ACK\s0 for from the peer. The buffered data will only be +transmitted if enough data to fill an entire \s-1TCP\s0 packet is accumulated, or if +the \s-1ACK\s0 is received from the peer. The initial ClientHello will be sent in the +first \s-1TCP\s0 packet along with any data from the first call to +\&\fISSL_write_early_data()\fR. If the amount of data written will exceed the size of a +single \s-1TCP\s0 packet, or if there are more calls to \fISSL_write_early_data()\fR then +that additional data will be sent in subsequent \s-1TCP\s0 packets which will be +buffered by the \s-1OS\s0 and not sent until an \s-1ACK\s0 is received for the first packet +containing the ClientHello. This means the early data is not actually +sent until a complete round trip with the server has occurred which defeats the +objective of early data. +.PP +In many operating systems the \s-1TCP_NODELAY\s0 socket option is available to disable +Nagle's algorithm. If an application opts to disable Nagle's algorithm +consideration should be given to turning it back on again after the handshake is +complete if appropriate. +.PP +In rare circumstances, it may be possible for a client to have a session that +reports a max early data value greater than 0, but where the server does not +support this. For example, this can occur if a server has had its configuration +changed to accept a lower max early data value such as by calling +\&\fISSL_CTX_set_recv_max_early_data()\fR. Another example is if a server used to +support TLSv1.3 but was later downgraded to TLSv1.2. Sending early data to such +a server will cause the connection to abort. Clients that encounter an aborted +connection while sending early data may want to retry the connection without +sending early data as this does not happen automatically. A client will have to +establish a new transport layer connection to the server and attempt the \s-1SSL/TLS\s0 +connection again but without sending early data. Note that it is inadvisable to +retry with a lower maximum protocol version. +.SH "REPLAY PROTECTION" +.IX Header "REPLAY PROTECTION" +When early data is in use the \s-1TLS\s0 protocol provides no security guarantees that +the same early data was not replayed across multiple connections. As a +mitigation for this issue OpenSSL automatically enables replay protection if the +server is configured with a non-zero max early data value. With replay +protection enabled sessions are forced to be single use only. If a client +attempts to reuse a session ticket more than once, then the second and +subsequent attempts will fall back to a full handshake (and any early data that +was submitted will be ignored). Note that single use tickets are enforced even +if a client does not send any early data. +.PP +The replay protection mechanism relies on the internal OpenSSL server session +cache (see \fISSL_CTX_set_session_cache_mode\fR\|(3)). When replay protection is +being used the server will operate as if the \s-1SSL_OP_NO_TICKET\s0 option had been +selected (see \fISSL_CTX_set_options\fR\|(3)). Sessions will be added to the cache +whenever a session ticket is issued. When a client attempts to resume the +session, OpenSSL will check for its presence in the internal cache. If it exists +then the resumption is allowed and the session is removed from the cache. If it +does not exist then the resumption is not allowed and a full handshake will +occur. +.PP +Note that some applications may maintain an external cache of sessions (see +\&\fISSL_CTX_sess_set_new_cb\fR\|(3) and similar functions). It is the application's +responsibility to ensure that any sessions in the external cache are also +populated in the internal cache and that once removed from the internal cache +they are similarly removed from the external cache. Failing to do this could +result in an application becoming vulnerable to replay attacks. Note that +OpenSSL will lock the internal cache while a session is removed but that lock is +not held when the remove session callback (see \fISSL_CTX_sess_set_remove_cb\fR\|(3)) +is called. This could result in a small amount of time where the session has +been removed from the internal cache but is still available in the external +cache. Applications should be designed with this in mind in order to minimise +the possibility of replay attacks. +.PP +The OpenSSL replay protection does not apply to external Pre Shared Keys (PSKs) +(e.g. see \fISSL_CTX_set_psk_find_session_callback\fR\|(3)). Therefore extreme caution +should be applied when combining external PSKs with early data. +.PP +Some applications may mitigate the replay risks in other ways. For those +applications it is possible to turn off the built-in replay protection feature +using the \fB\s-1SSL_OP_NO_ANTI_REPLAY\s0\fR option. See \fISSL_CTX_set_options\fR\|(3) for +details. Applications can also set a callback to make decisions about accepting +early data or not. See \fISSL_CTX_set_allow_early_data_cb()\fR above for details. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_write_early_data()\fR returns 1 for success or 0 for failure. In the event of a +failure call \fISSL_get_error\fR\|(3) to determine the correct course of action. +.PP +\&\fISSL_read_early_data()\fR returns \s-1SSL_READ_EARLY_DATA_ERROR\s0 for failure, +\&\s-1SSL_READ_EARLY_DATA_SUCCESS\s0 for success with more data to read and +\&\s-1SSL_READ_EARLY_DATA_FINISH\s0 for success with no more to data be read. In the +event of a failure call \fISSL_get_error\fR\|(3) to determine the correct course of +action. +.PP +\&\fISSL_get_max_early_data()\fR, \fISSL_CTX_get_max_early_data()\fR and +\&\fISSL_SESSION_get_max_early_data()\fR return the maximum number of early data bytes +that may be sent. +.PP +\&\fISSL_set_max_early_data()\fR, \fISSL_CTX_set_max_early_data()\fR and +\&\fISSL_SESSION_set_max_early_data()\fR return 1 for success or 0 for failure. +.PP +\&\fISSL_get_early_data_status()\fR returns \s-1SSL_EARLY_DATA_ACCEPTED\s0 if early data was +accepted by the server, \s-1SSL_EARLY_DATA_REJECTED\s0 if early data was rejected by +the server, or \s-1SSL_EARLY_DATA_NOT_SENT\s0 if no early data was sent. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_get_error\fR\|(3), +\&\fISSL_write_ex\fR\|(3), +\&\fISSL_read_ex\fR\|(3), +\&\fISSL_connect\fR\|(3), +\&\fISSL_accept\fR\|(3), +\&\fISSL_do_handshake\fR\|(3), +\&\fISSL_CTX_set_psk_use_session_callback\fR\|(3), +\&\fIssl\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +All of the functions described above were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_rstate_string.3 b/secure/lib/libcrypto/man/SSL_rstate_string.3 similarity index 92% rename from secure/lib/libssl/man/SSL_rstate_string.3 rename to secure/lib/libcrypto/man/SSL_rstate_string.3 index b39fb8fde4f4..aea9c6fc2a8d 100644 --- a/secure/lib/libssl/man/SSL_rstate_string.3 +++ b/secure/lib/libcrypto/man/SSL_rstate_string.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_rstate_string 3" -.TH SSL_rstate_string 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_RSTATE_STRING 3" +.TH SSL_RSTATE_STRING 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -180,4 +180,12 @@ The record has been completely processed. The read state is unknown. This should never happen. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3) +\&\fIssl\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_session_reused.3 b/secure/lib/libcrypto/man/SSL_session_reused.3 similarity index 90% rename from secure/lib/libssl/man/SSL_session_reused.3 rename to secure/lib/libcrypto/man/SSL_session_reused.3 index 59bf2418e903..03db6f6a4b09 100644 --- a/secure/lib/libssl/man/SSL_session_reused.3 +++ b/secure/lib/libcrypto/man/SSL_session_reused.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_session_reused 3" -.TH SSL_session_reused 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SESSION_REUSED 3" +.TH SSL_SESSION_REUSED 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -162,5 +162,13 @@ A new session was negotiated. A session was reused. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_set_session\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_set_session\fR\|(3), \&\fISSL_CTX_set_session_cache_mode\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_set1_host.3 b/secure/lib/libcrypto/man/SSL_set1_host.3 new file mode 100644 index 000000000000..164345ae46e8 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_set1_host.3 @@ -0,0 +1,245 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SET1_HOST 3" +.TH SSL_SET1_HOST 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername \- SSL server verification parameters +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int SSL_set1_host(SSL *s, const char *hostname); +\& int SSL_add1_host(SSL *s, const char *hostname); +\& void SSL_set_hostflags(SSL *s, unsigned int flags); +\& const char *SSL_get0_peername(SSL *s); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions configure server hostname checks in the \s-1SSL\s0 client. +.PP +\&\fISSL_set1_host()\fR sets the expected \s-1DNS\s0 hostname to \fBname\fR clearing +any previously specified host name or names. If \fBname\fR is \s-1NULL,\s0 +or the empty string the list of hostnames is cleared, and name +checks are not performed on the peer certificate. When a non-empty +\&\fBname\fR is specified, certificate verification automatically checks +the peer hostname via \fIX509_check_host\fR\|(3) with \fBflags\fR as specified +via \fISSL_set_hostflags()\fR. Clients that enable \s-1DANE TLSA\s0 authentication +via \fISSL_dane_enable\fR\|(3) should leave it to that function to set +the primary reference identifier of the peer, and should not call +\&\fISSL_set1_host()\fR. +.PP +\&\fISSL_add1_host()\fR adds \fBname\fR as an additional reference identifier +that can match the peer's certificate. Any previous names set via +\&\fISSL_set1_host()\fR or \fISSL_add1_host()\fR are retained, no change is made +if \fBname\fR is \s-1NULL\s0 or empty. When multiple names are configured, +the peer is considered verified when any name matches. This function +is required for \s-1DANE TLSA\s0 in the presence of service name indirection +via \s-1CNAME, MX\s0 or \s-1SRV\s0 records as specified in \s-1RFC7671, RFC7672\s0 or +\&\s-1RFC7673.\s0 +.PP +\&\fISSL_set_hostflags()\fR sets the \fBflags\fR that will be passed to +\&\fIX509_check_host\fR\|(3) when name checks are applicable, by default +the \fBflags\fR value is 0. See \fIX509_check_host\fR\|(3) for the list +of available flags and their meaning. +.PP +\&\fISSL_get0_peername()\fR returns the \s-1DNS\s0 hostname or subject CommonName +from the peer certificate that matched one of the reference +identifiers. When wildcard matching is not disabled, the name +matched in the peer certificate may be a wildcard name. When one +of the reference identifiers configured via \fISSL_set1_host()\fR or +\&\fISSL_add1_host()\fR starts with \*(L".\*(R", which indicates a parent domain prefix +rather than a fixed name, the matched peer name may be a sub-domain +of the reference identifier. The returned string is allocated by +the library and is no longer valid once the associated \fBssl\fR handle +is cleared or freed, or a renegotiation takes place. Applications +must not free the return value. +.PP +\&\s-1SSL\s0 clients are advised to use these functions in preference to +explicitly calling \fIX509_check_host\fR\|(3). Hostname checks may be out +of scope with the \s-1RFC7671 \fIDANE\-EE\s0\fR\|(3) certificate usage, and the +internal check will be suppressed as appropriate when \s-1DANE\s0 is +enabled. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_set1_host()\fR and \fISSL_add1_host()\fR return 1 for success and 0 for +failure. +.PP +\&\fISSL_get0_peername()\fR returns \s-1NULL\s0 if peername verification is not +applicable (as with \s-1RFC7671 \fIDANE\-EE\s0\fR\|(3)), or no trusted peername was +matched. Otherwise, it returns the matched peername. To determine +whether verification succeeded call \fISSL_get_verify_result\fR\|(3). +.SH "EXAMPLE" +.IX Header "EXAMPLE" +Suppose \*(L"smtp.example.com\*(R" is the \s-1MX\s0 host of the domain \*(L"example.com\*(R". +The calls below will arrange to match either the \s-1MX\s0 hostname or the +destination domain name in the \s-1SMTP\s0 server certificate. Wildcards +are supported, but must match the entire label. The actual name +matched in the certificate (which might be a wildcard) is retrieved, +and must be copied by the application if it is to be retained beyond +the lifetime of the \s-1SSL\s0 connection. +.PP +.Vb 5 +\& SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); +\& if (!SSL_set1_host(ssl, "smtp.example.com")) +\& /* error */ +\& if (!SSL_add1_host(ssl, "example.com")) +\& /* error */ +\& +\& /* XXX: Perform SSL_connect() handshake and handle errors here */ +\& +\& if (SSL_get_verify_result(ssl) == X509_V_OK) { +\& const char *peername = SSL_get0_peername(ssl); +\& +\& if (peername != NULL) +\& /* Name checks were in scope and matched the peername */ +\& } +.Ve +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_check_host\fR\|(3), +\&\fISSL_get_verify_result\fR\|(3). +\&\fISSL_dane_enable\fR\|(3). +.SH "HISTORY" +.IX Header "HISTORY" +These functions were first added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/SSL_set_bio.3 b/secure/lib/libcrypto/man/SSL_set_bio.3 new file mode 100644 index 000000000000..1fdcb5909602 --- /dev/null +++ b/secure/lib/libcrypto/man/SSL_set_bio.3 @@ -0,0 +1,223 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "SSL_SET_BIO 3" +.TH SSL_SET_BIO 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +SSL_set_bio, SSL_set0_rbio, SSL_set0_wbio \- connect the SSL object with a BIO +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio); +\& void SSL_set0_rbio(SSL *s, BIO *rbio); +\& void SSL_set0_wbio(SSL *s, BIO *wbio); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fISSL_set0_rbio()\fR connects the \s-1BIO\s0 \fBrbio\fR for the read operations of the \fBssl\fR +object. The \s-1SSL\s0 engine inherits the behaviour of \fBrbio\fR. If the \s-1BIO\s0 is +non-blocking then the \fBssl\fR object will also have non-blocking behaviour. This +function transfers ownership of \fBrbio\fR to \fBssl\fR. It will be automatically +freed using \fIBIO_free_all\fR\|(3) when the \fBssl\fR is freed. On calling this +function, any existing \fBrbio\fR that was previously set will also be freed via a +call to \fIBIO_free_all\fR\|(3) (this includes the case where the \fBrbio\fR is set to +the same value as previously). +.PP +\&\fISSL_set0_wbio()\fR works in the same as \fISSL_set0_rbio()\fR except that it connects +the \s-1BIO\s0 \fBwbio\fR for the write operations of the \fBssl\fR object. Note that if the +rbio and wbio are the same then \fISSL_set0_rbio()\fR and \fISSL_set0_wbio()\fR each take +ownership of one reference. Therefore it may be necessary to increment the +number of references available using \fIBIO_up_ref\fR\|(3) before calling the set0 +functions. +.PP +\&\fISSL_set_bio()\fR is similar to \fISSL_set0_rbio()\fR and \fISSL_set0_wbio()\fR except +that it connects both the \fBrbio\fR and the \fBwbio\fR at the same time, and +transfers the ownership of \fBrbio\fR and \fBwbio\fR to \fBssl\fR according to +the following set of rules: +.IP "\(bu" 2 +If neither the \fBrbio\fR or \fBwbio\fR have changed from their previous values +then nothing is done. +.IP "\(bu" 2 +If the \fBrbio\fR and \fBwbio\fR parameters are different and both are different +to their +previously set values then one reference is consumed for the rbio and one +reference is consumed for the wbio. +.IP "\(bu" 2 +If the \fBrbio\fR and \fBwbio\fR parameters are the same and the \fBrbio\fR is not +the same as the previously set value then one reference is consumed. +.IP "\(bu" 2 +If the \fBrbio\fR and \fBwbio\fR parameters are the same and the \fBrbio\fR is the +same as the previously set value, then no additional references are consumed. +.IP "\(bu" 2 +If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBrbio\fR is the +same as the +previously set value then one reference is consumed for the \fBwbio\fR and no +references are consumed for the \fBrbio\fR. +.IP "\(bu" 2 +If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBwbio\fR is the +same as the previously set value and the old \fBrbio\fR and \fBwbio\fR values +were the same as each other then one reference is consumed for the \fBrbio\fR +and no references are consumed for the \fBwbio\fR. +.IP "\(bu" 2 +If the \fBrbio\fR and \fBwbio\fR parameters are different and the \fBwbio\fR +is the same as the +previously set value and the old \fBrbio\fR and \fBwbio\fR values were different +to each +other then one reference is consumed for the \fBrbio\fR and one reference +is consumed +for the \fBwbio\fR. +.PP +Because of this complexity, this function should be avoided; +use \fISSL_set0_rbio()\fR and \fISSL_set0_wbio()\fR instead. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fISSL_set_bio()\fR, \fISSL_set_rbio()\fR and \fISSL_set_wbio()\fR cannot fail. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fISSL_get_rbio\fR\|(3), +\&\fISSL_connect\fR\|(3), \fISSL_accept\fR\|(3), +\&\fISSL_shutdown\fR\|(3), \fIssl\fR\|(7), \fIbio\fR\|(7) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_set0_rbio()\fR and \fISSL_set0_wbio()\fR were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_set_connect_state.3 b/secure/lib/libcrypto/man/SSL_set_connect_state.3 similarity index 77% rename from secure/lib/libssl/man/SSL_set_connect_state.3 rename to secure/lib/libcrypto/man/SSL_set_connect_state.3 index 3ea6a058e99b..8553289d929d 100644 --- a/secure/lib/libssl/man/SSL_set_connect_state.3 +++ b/secure/lib/libcrypto/man/SSL_set_connect_state.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_set_connect_state 3" -.TH SSL_set_connect_state 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SET_CONNECT_STATE 3" +.TH SSL_SET_CONNECT_STATE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_set_connect_state, SSL_get_accept_state \- prepare SSL object to work in client or server mode +SSL_set_connect_state, SSL_set_accept_state, SSL_is_server \&\- functions for manipulating and examining the client or server mode of an SSL object .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -144,12 +144,16 @@ SSL_set_connect_state, SSL_get_accept_state \- prepare SSL object to work in cli \& void SSL_set_connect_state(SSL *ssl); \& \& void SSL_set_accept_state(SSL *ssl); +\& +\& int SSL_is_server(const SSL *ssl); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fISSL_set_connect_state()\fR sets \fBssl\fR to work in client mode. .PP \&\fISSL_set_accept_state()\fR sets \fBssl\fR to work in server mode. +.PP +\&\fISSL_is_server()\fR checks if \fBssl\fR is working in server mode. .SH "NOTES" .IX Header "NOTES" When the \s-1SSL_CTX\s0 object was created with \fISSL_CTX_new\fR\|(3), @@ -167,17 +171,33 @@ requested, the handshake routines must be explicitly set. When using the \fISSL_connect\fR\|(3) or \&\fISSL_accept\fR\|(3) routines, the correct handshake routines are automatically set. When performing a transparent negotiation -using \fISSL_write\fR\|(3) or \fISSL_read\fR\|(3), the -handshake routines must be explicitly set in advance using either +using \fISSL_write_ex\fR\|(3), \fISSL_write\fR\|(3), \fISSL_read_ex\fR\|(3), or \fISSL_read\fR\|(3), +the handshake routines must be explicitly set in advance using either \&\fISSL_set_connect_state()\fR or \fISSL_set_accept_state()\fR. +.PP +If \fISSL_is_server()\fR is called before \fISSL_set_connect_state()\fR or +\&\fISSL_set_accept_state()\fR is called (either automatically or explicitly), +the result depends on what method was used when \s-1SSL_CTX\s0 was created with +\&\fISSL_CTX_new\fR\|(3). If a generic method or a dedicated server method was +passed to \fISSL_CTX_new\fR\|(3), \fISSL_is_server()\fR returns 1; otherwise, it returns 0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fISSL_set_connect_state()\fR and \fISSL_set_accept_state()\fR do not return diagnostic information. +.PP +\&\fISSL_is_server()\fR returns 1 if \fBssl\fR is working in server mode or 0 for client mode. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_new\fR\|(3), \fISSL_CTX_new\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_new\fR\|(3), \fISSL_CTX_new\fR\|(3), \&\fISSL_connect\fR\|(3), \fISSL_accept\fR\|(3), -\&\fISSL_write\fR\|(3), \fISSL_read\fR\|(3), +\&\fISSL_write_ex\fR\|(3), \fISSL_write\fR\|(3), \fISSL_read_ex\fR\|(3), \fISSL_read\fR\|(3), \&\fISSL_do_handshake\fR\|(3), \&\fISSL_CTX_set_ssl_version\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_set_fd.3 b/secure/lib/libcrypto/man/SSL_set_fd.3 similarity index 89% rename from secure/lib/libssl/man/SSL_set_fd.3 rename to secure/lib/libcrypto/man/SSL_set_fd.3 index ebd43303cdb8..5f560b18f83b 100644 --- a/secure/lib/libssl/man/SSL_set_fd.3 +++ b/secure/lib/libcrypto/man/SSL_set_fd.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_set_fd 3" -.TH SSL_set_fd 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SET_FD 3" +.TH SSL_SET_FD 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_set_fd \- connect the SSL object with a file descriptor +SSL_set_fd, SSL_set_rfd, SSL_set_wfd \- connect the SSL object with a file descriptor .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -173,4 +173,12 @@ The operation succeeded. .IX Header "SEE ALSO" \&\fISSL_get_fd\fR\|(3), \fISSL_set_bio\fR\|(3), \&\fISSL_connect\fR\|(3), \fISSL_accept\fR\|(3), -\&\fISSL_shutdown\fR\|(3), \fIssl\fR\|(3) , \fIbio\fR\|(3) +\&\fISSL_shutdown\fR\|(3), \fIssl\fR\|(7) , \fIbio\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_set_session.3 b/secure/lib/libcrypto/man/SSL_set_session.3 similarity index 87% rename from secure/lib/libssl/man/SSL_set_session.3 rename to secure/lib/libcrypto/man/SSL_set_session.3 index 72648fe41365..a8e531fba47c 100644 --- a/secure/lib/libssl/man/SSL_set_session.3 +++ b/secure/lib/libcrypto/man/SSL_set_session.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_set_session 3" -.TH SSL_set_session 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SET_SESSION 3" +.TH SSL_SET_SESSION 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -154,7 +154,11 @@ with the \fISSL_session_reused\fR\|(3) call. .PP If there is already a session set inside \fBssl\fR (because it was set with \&\fISSL_set_session()\fR before or because the same \fBssl\fR was already used for -a connection), \fISSL_SESSION_free()\fR will be called for that session. +a connection), \fISSL_SESSION_free()\fR will be called for that session. If that old +session is still \fBopen\fR, it is considered bad and will be removed from the +session cache (if used). A session is considered open, if \fISSL_shutdown\fR\|(3) was +not called for the connection (or at least \fISSL_set_shutdown\fR\|(3) was used to +set the \s-1SSL_SENT_SHUTDOWN\s0 state). .SH "NOTES" .IX Header "NOTES" \&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache @@ -172,7 +176,15 @@ The operation failed; check the error stack to find out the reason. The operation succeeded. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_SESSION_free\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_SESSION_free\fR\|(3), \&\fISSL_get_session\fR\|(3), \&\fISSL_session_reused\fR\|(3), \&\fISSL_CTX_set_session_cache_mode\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_set_shutdown.3 b/secure/lib/libcrypto/man/SSL_set_shutdown.3 similarity index 92% rename from secure/lib/libssl/man/SSL_set_shutdown.3 rename to secure/lib/libcrypto/man/SSL_set_shutdown.3 index be4320da5325..de9cd3e9001e 100644 --- a/secure/lib/libssl/man/SSL_set_shutdown.3 +++ b/secure/lib/libcrypto/man/SSL_set_shutdown.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_set_shutdown 3" -.TH SSL_set_shutdown 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SET_SHUTDOWN 3" +.TH SSL_SET_SHUTDOWN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -187,6 +187,14 @@ for setting \s-1SSL_SENT_SHUTDOWN\s0 the application must however still call \&\fISSL_get_shutdown()\fR returns the current setting. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_shutdown\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_shutdown\fR\|(3), \&\fISSL_CTX_set_quiet_shutdown\fR\|(3), \&\fISSL_clear\fR\|(3), \fISSL_free\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_set_verify_result.3 b/secure/lib/libcrypto/man/SSL_set_verify_result.3 similarity index 90% rename from secure/lib/libssl/man/SSL_set_verify_result.3 rename to secure/lib/libcrypto/man/SSL_set_verify_result.3 index f407cec3ff7a..f410b2282665 100644 --- a/secure/lib/libssl/man/SSL_set_verify_result.3 +++ b/secure/lib/libcrypto/man/SSL_set_verify_result.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_set_verify_result 3" -.TH SSL_set_verify_result 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SET_VERIFY_RESULT 3" +.TH SSL_SET_VERIFY_RESULT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -161,6 +161,14 @@ The valid codes for \fBverify_result\fR are documented in \fIverify\fR\|(1). \&\fISSL_set_verify_result()\fR does not provide a return value. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_get_verify_result\fR\|(3), +\&\fIssl\fR\|(7), \fISSL_get_verify_result\fR\|(3), \&\fISSL_get_peer_certificate\fR\|(3), \&\fIverify\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_shutdown.3 b/secure/lib/libcrypto/man/SSL_shutdown.3 similarity index 62% rename from secure/lib/libssl/man/SSL_shutdown.3 rename to secure/lib/libcrypto/man/SSL_shutdown.3 index e81075efd4a7..eea343e7370c 100644 --- a/secure/lib/libssl/man/SSL_shutdown.3 +++ b/secure/lib/libcrypto/man/SSL_shutdown.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_shutdown 3" -.TH SSL_shutdown 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_SHUTDOWN 3" +.TH SSL_SHUTDOWN 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -145,7 +145,7 @@ SSL_shutdown \- shut down a TLS/SSL connection .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_shutdown()\fR shuts down an active \s-1TLS/SSL\s0 connection. It sends the +\&\fISSL_shutdown()\fR shuts down an active \s-1TLS/SSL\s0 connection. It sends the \&\*(L"close notify\*(R" shutdown alert to the peer. .SH "NOTES" .IX Header "NOTES" @@ -166,23 +166,50 @@ performed, so that the peers stay synchronized. .PP \&\fISSL_shutdown()\fR supports both uni\- and bidirectional shutdown by its 2 step behaviour. -.ie n .IP "When the application is the first party to send the ""close notify"" alert, \fISSL_shutdown()\fR will only send the alert and then set the \s-1SSL_SENT_SHUTDOWN\s0 flag (so that the session is considered good and will be kept in cache). \fISSL_shutdown()\fR will then return with 0. If a unidirectional shutdown is enough (the underlying connection shall be closed anyway), this first call to \fISSL_shutdown()\fR is sufficient. In order to complete the bidirectional shutdown handshake, \fISSL_shutdown()\fR must be called again. The second call will make \fISSL_shutdown()\fR wait for the peer's ""close notify"" shutdown alert. On success, the second call to \fISSL_shutdown()\fR will return with 1." 4 -.el .IP "When the application is the first party to send the ``close notify'' alert, \fISSL_shutdown()\fR will only send the alert and then set the \s-1SSL_SENT_SHUTDOWN\s0 flag (so that the session is considered good and will be kept in cache). \fISSL_shutdown()\fR will then return with 0. If a unidirectional shutdown is enough (the underlying connection shall be closed anyway), this first call to \fISSL_shutdown()\fR is sufficient. In order to complete the bidirectional shutdown handshake, \fISSL_shutdown()\fR must be called again. The second call will make \fISSL_shutdown()\fR wait for the peer's ``close notify'' shutdown alert. On success, the second call to \fISSL_shutdown()\fR will return with 1." 4 -.IX Item "When the application is the first party to send the close notify alert, SSL_shutdown() will only send the alert and then set the SSL_SENT_SHUTDOWN flag (so that the session is considered good and will be kept in cache). SSL_shutdown() will then return with 0. If a unidirectional shutdown is enough (the underlying connection shall be closed anyway), this first call to SSL_shutdown() is sufficient. In order to complete the bidirectional shutdown handshake, SSL_shutdown() must be called again. The second call will make SSL_shutdown() wait for the peer's close notify shutdown alert. On success, the second call to SSL_shutdown() will return with 1." -.PD 0 -.ie n .IP "If the peer already sent the ""close notify"" alert \fBand\fR it was already processed implicitly inside another function (\fISSL_read\fR\|(3)), the \s-1SSL_RECEIVED_SHUTDOWN\s0 flag is set. \fISSL_shutdown()\fR will send the ""close notify"" alert, set the \s-1SSL_SENT_SHUTDOWN\s0 flag and will immediately return with 1. Whether \s-1SSL_RECEIVED_SHUTDOWN\s0 is already set can be checked using the \fISSL_get_shutdown()\fR (see also \fISSL_set_shutdown\fR\|(3) call." 4 -.el .IP "If the peer already sent the ``close notify'' alert \fBand\fR it was already processed implicitly inside another function (\fISSL_read\fR\|(3)), the \s-1SSL_RECEIVED_SHUTDOWN\s0 flag is set. \fISSL_shutdown()\fR will send the ``close notify'' alert, set the \s-1SSL_SENT_SHUTDOWN\s0 flag and will immediately return with 1. Whether \s-1SSL_RECEIVED_SHUTDOWN\s0 is already set can be checked using the \fISSL_get_shutdown()\fR (see also \fISSL_set_shutdown\fR\|(3) call." 4 -.IX Item "If the peer already sent the close notify alert and it was already processed implicitly inside another function (SSL_read), the SSL_RECEIVED_SHUTDOWN flag is set. SSL_shutdown() will send the close notify alert, set the SSL_SENT_SHUTDOWN flag and will immediately return with 1. Whether SSL_RECEIVED_SHUTDOWN is already set can be checked using the SSL_get_shutdown() (see also SSL_set_shutdown call." -.PD .PP -It is therefore recommended, to check the return value of \fISSL_shutdown()\fR -and call \fISSL_shutdown()\fR again, if the bidirectional shutdown is not yet -complete (return value of the first call is 0). As the shutdown is not -specially handled in the SSLv2 protocol, \fISSL_shutdown()\fR will succeed on -the first call. +\&\fISSL_shutdown()\fR only closes the write direction. +It is not possible to call \fISSL_write()\fR after calling \fISSL_shutdown()\fR. +The read direction is closed by the peer. +.SS "First to close the connection" +.IX Subsection "First to close the connection" +When the application is the first party to send the \*(L"close notify\*(R" +alert, \fISSL_shutdown()\fR will only send the alert and then set the +\&\s-1SSL_SENT_SHUTDOWN\s0 flag (so that the session is considered good and will +be kept in the cache). +\&\fISSL_shutdown()\fR will then return with 0. +If a unidirectional shutdown is enough (the underlying connection shall be +closed anyway), this first call to \fISSL_shutdown()\fR is sufficient. +.PP +In order to complete the bidirectional shutdown handshake, the peer needs +to send back a \*(L"close notify\*(R" alert. +The \s-1SSL_RECEIVED_SHUTDOWN\s0 flag will be set after receiving and processing +it. +\&\fISSL_shutdown()\fR will return 1 when it has been received. +.PP +The peer is still allowed to send data after receiving the \*(L"close notify\*(R" +event. +If the peer did send data it needs to be processed by calling \fISSL_read()\fR +before calling \fISSL_shutdown()\fR a second time. +\&\fISSL_read()\fR will indicate the end of the peer data by returning <= 0 +and \fISSL_get_error()\fR returning \s-1SSL_ERROR_ZERO_RETURN.\s0 +It is recommended to call \fISSL_read()\fR between \fISSL_shutdown()\fR calls. +.SS "Peer closes the connection" +.IX Subsection "Peer closes the connection" +If the peer already sent the \*(L"close notify\*(R" alert \fBand\fR it was +already processed implicitly inside another function +(\fISSL_read\fR\|(3)), the \s-1SSL_RECEIVED_SHUTDOWN\s0 flag is set. +\&\fISSL_read()\fR will return <= 0 in that case, and \fISSL_get_error()\fR will return +\&\s-1SSL_ERROR_ZERO_RETURN.\s0 +\&\fISSL_shutdown()\fR will send the \*(L"close notify\*(R" alert, set the \s-1SSL_SENT_SHUTDOWN\s0 +flag and will immediately return with 1. +Whether \s-1SSL_RECEIVED_SHUTDOWN\s0 is already set can be checked using the +\&\fISSL_get_shutdown()\fR (see also \fISSL_set_shutdown\fR\|(3) call. +.SH "NOTES" +.IX Header "NOTES" +It is recommended to do a bidirectional shutdown by checking the return value +of \fISSL_shutdown()\fR and call it again until it returns 1 or a fatal error. .PP The behaviour of \fISSL_shutdown()\fR additionally depends on the underlying \s-1BIO.\s0 -.PP If the underlying \s-1BIO\s0 is \fBblocking\fR, \fISSL_shutdown()\fR will only return once the handshake step has been finished or an error occurred. .PP @@ -206,8 +233,9 @@ and return 1. .IX Header "RETURN VALUES" The following return values can occur: .IP "0" 4 -The shutdown is not yet finished. Call \fISSL_shutdown()\fR for a second time, -if a bidirectional shutdown shall be performed. +The shutdown is not yet finished: the \*(L"close notify\*(R" was send but the peer +did not send it back yet. +Call \fISSL_shutdown()\fR again to do a bidirectional shutdown. The output of \fISSL_get_error\fR\|(3) may be misleading, as an erroneous \s-1SSL_ERROR_SYSCALL\s0 may be flagged even though no error occurred. .IP "1" 4 @@ -216,15 +244,24 @@ The shutdown was successfully completed. The \*(L"close notify\*(R" alert was se and the peer's \*(L"close notify\*(R" alert was received. .IP "<0" 4 .IX Item "<0" -The shutdown was not successful because a fatal error occurred either -at the protocol level or a connection failure occurred. It can also occur if -action is need to continue the operation for non-blocking BIOs. -Call \fISSL_get_error\fR\|(3) with the return value \fBret\fR -to find out the reason. +The shutdown was not successful. +Call \fISSL_get_error\fR\|(3) with the return value \fBret\fR to find out the reason. +It can occur if an action is needed to continue the operation for non-blocking +BIOs. +.Sp +It can also occur when not all data was read using \fISSL_read()\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_get_error\fR\|(3), \fISSL_connect\fR\|(3), \&\fISSL_accept\fR\|(3), \fISSL_set_shutdown\fR\|(3), \&\fISSL_CTX_set_quiet_shutdown\fR\|(3), \&\fISSL_clear\fR\|(3), \fISSL_free\fR\|(3), -\&\fIssl\fR\|(3), \fIbio\fR\|(3) +\&\fIssl\fR\|(7), \fIbio\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_state_string.3 b/secure/lib/libcrypto/man/SSL_state_string.3 similarity index 91% rename from secure/lib/libssl/man/SSL_state_string.3 rename to secure/lib/libcrypto/man/SSL_state_string.3 index ccafe5df56ed..443e0ab29a8b 100644 --- a/secure/lib/libssl/man/SSL_state_string.3 +++ b/secure/lib/libcrypto/man/SSL_state_string.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_state_string 3" -.TH SSL_state_string 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_STATE_STRING 3" +.TH SSL_STATE_STRING 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -170,4 +170,12 @@ can be used within the info_callback function set with the Detailed description of possible states to be included later. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_info_callback\fR\|(3) +\&\fIssl\fR\|(7), \fISSL_CTX_set_info_callback\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_want.3 b/secure/lib/libcrypto/man/SSL_want.3 similarity index 76% rename from secure/lib/libssl/man/SSL_want.3 rename to secure/lib/libcrypto/man/SSL_want.3 index c9477ba8b85a..138ffcc82939 100644 --- a/secure/lib/libssl/man/SSL_want.3 +++ b/secure/lib/libcrypto/man/SSL_want.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_want 3" -.TH SSL_want 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_WANT 3" +.TH SSL_WANT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup \- obtain state information TLS/SSL I/O operation +SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup, SSL_want_async, SSL_want_async_job, SSL_want_client_hello_cb \- obtain state information TLS/SSL I/O operation .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -146,6 +146,9 @@ SSL_want, SSL_want_nothing, SSL_want_read, SSL_want_write, SSL_want_x509_lookup \& int SSL_want_read(const SSL *ssl); \& int SSL_want_write(const SSL *ssl); \& int SSL_want_x509_lookup(const SSL *ssl); +\& int SSL_want_async(const SSL *ssl); +\& int SSL_want_async_job(const SSL *ssl); +\& int SSL_want_client_hello_cb(const SSL *ssl); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -189,9 +192,37 @@ The operation did not complete because an application callback set by \&\fISSL_CTX_set_client_cert_cb()\fR has asked to be called again. A call to \fISSL_get_error\fR\|(3) should return \&\s-1SSL_ERROR_WANT_X509_LOOKUP.\s0 +.IP "\s-1SSL_ASYNC_PAUSED\s0" 4 +.IX Item "SSL_ASYNC_PAUSED" +An asynchronous operation partially completed and was then paused. See +\&\fISSL_get_all_async_fds\fR\|(3). A call to \fISSL_get_error\fR\|(3) should return +\&\s-1SSL_ERROR_WANT_ASYNC.\s0 +.IP "\s-1SSL_ASYNC_NO_JOBS\s0" 4 +.IX Item "SSL_ASYNC_NO_JOBS" +The asynchronous job could not be started because there were no async jobs +available in the pool (see \fIASYNC_init_thread\fR\|(3)). A call to \fISSL_get_error\fR\|(3) +should return \s-1SSL_ERROR_WANT_ASYNC_JOB.\s0 +.IP "\s-1SSL_CLIENT_HELLO_CB\s0" 4 +.IX Item "SSL_CLIENT_HELLO_CB" +The operation did not complete because an application callback set by +\&\fISSL_CTX_set_client_hello_cb()\fR has asked to be called again. +A call to \fISSL_get_error\fR\|(3) should return +\&\s-1SSL_ERROR_WANT_CLIENT_HELLO_CB.\s0 .PP -\&\fISSL_want_nothing()\fR, \fISSL_want_read()\fR, \fISSL_want_write()\fR, \fISSL_want_x509_lookup()\fR -return 1, when the corresponding condition is true or 0 otherwise. +\&\fISSL_want_nothing()\fR, \fISSL_want_read()\fR, \fISSL_want_write()\fR, \fISSL_want_x509_lookup()\fR, +\&\fISSL_want_async()\fR, \fISSL_want_async_job()\fR, and \fISSL_want_client_hello_cb()\fR return +1, when the corresponding condition is true or 0 otherwise. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fIerr\fR\|(3), \fISSL_get_error\fR\|(3) +\&\fIssl\fR\|(7), \fISSL_get_error\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_want_client_hello_cb()\fR and \s-1SSL_CLIENT_HELLO_CB\s0 were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_write.3 b/secure/lib/libcrypto/man/SSL_write.3 similarity index 55% rename from secure/lib/libssl/man/SSL_write.3 rename to secure/lib/libcrypto/man/SSL_write.3 index b57f9dcd5727..8a1edb850137 100644 --- a/secure/lib/libssl/man/SSL_write.3 +++ b/secure/lib/libcrypto/man/SSL_write.3 @@ -128,79 +128,92 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_write 3" -.TH SSL_write 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SSL_WRITE 3" +.TH SSL_WRITE 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_write \- write bytes to a TLS/SSL connection. +SSL_write_ex, SSL_write \- write bytes to a TLS/SSL connection .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& int SSL_write_ex(SSL *s, const void *buf, size_t num, size_t *written); \& int SSL_write(SSL *ssl, const void *buf, int num); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fISSL_write()\fR writes \fBnum\fR bytes from the buffer \fBbuf\fR into the specified -\&\fBssl\fR connection. +\&\fISSL_write_ex()\fR and \fISSL_write()\fR write \fBnum\fR bytes from the buffer \fBbuf\fR into +the specified \fBssl\fR connection. On success \fISSL_write_ex()\fR will store the number +of bytes written in \fB*written\fR. .SH "NOTES" .IX Header "NOTES" -If necessary, \fISSL_write()\fR will negotiate a \s-1TLS/SSL\s0 session, if -not already explicitly performed by \fISSL_connect\fR\|(3) or -\&\fISSL_accept\fR\|(3). If the -peer requests a re-negotiation, it will be performed transparently during -the \fISSL_write()\fR operation. The behaviour of \fISSL_write()\fR depends on the +In the paragraphs below a \*(L"write function\*(R" is defined as one of either +\&\fISSL_write_ex()\fR, or \fISSL_write()\fR. +.PP +If necessary, a write function will negotiate a \s-1TLS/SSL\s0 session, if not already +explicitly performed by \fISSL_connect\fR\|(3) or \fISSL_accept\fR\|(3). If the peer +requests a re-negotiation, it will be performed transparently during +the write function operation. The behaviour of the write functions depends on the underlying \s-1BIO.\s0 .PP For the transparent negotiation to succeed, the \fBssl\fR must have been initialized to client or server mode. This is being done by calling \&\fISSL_set_connect_state\fR\|(3) or \fISSL_set_accept_state()\fR -before the first call to an \fISSL_read\fR\|(3) or \fISSL_write()\fR function. +before the first call to a write function. .PP -If the underlying \s-1BIO\s0 is \fBblocking\fR, \fISSL_write()\fR will only return, once the -write operation has been finished or an error occurred, except when a -renegotiation take place, in which case a \s-1SSL_ERROR_WANT_READ\s0 may occur. -This behaviour can be controlled with the \s-1SSL_MODE_AUTO_RETRY\s0 flag of the -\&\fISSL_CTX_set_mode\fR\|(3) call. +If the underlying \s-1BIO\s0 is \fBblocking\fR, the write functions will only return, once +the write operation has been finished or an error occurred. .PP -If the underlying \s-1BIO\s0 is \fBnon-blocking\fR, \fISSL_write()\fR will also return, -when the underlying \s-1BIO\s0 could not satisfy the needs of \fISSL_write()\fR -to continue the operation. In this case a call to -\&\fISSL_get_error\fR\|(3) with the -return value of \fISSL_write()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or -\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. As at any time a re-negotiation is possible, a -call to \fISSL_write()\fR can also cause read operations! The calling process -then must repeat the call after taking appropriate action to satisfy the -needs of \fISSL_write()\fR. The action depends on the underlying \s-1BIO.\s0 When using a +If the underlying \s-1BIO\s0 is \fBnon-blocking\fR the write functions will also return +when the underlying \s-1BIO\s0 could not satisfy the needs of the function to continue +the operation. In this case a call to \fISSL_get_error\fR\|(3) with the +return value of the write function will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR +or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. As at any time a re-negotiation is possible, a +call to a write function can also cause read operations! The calling process +then must repeat the call after taking appropriate action to satisfy the needs +of the write function. The action depends on the underlying \s-1BIO.\s0 When using a non-blocking socket, nothing is to be done, but \fIselect()\fR can be used to check for the required condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data must be written into or retrieved out of the \s-1BIO\s0 before being able to continue. .PP -\&\fISSL_write()\fR will only return with success, when the complete contents -of \fBbuf\fR of length \fBnum\fR has been written. This default behaviour -can be changed with the \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 option of -\&\fISSL_CTX_set_mode\fR\|(3). When this flag is set, -\&\fISSL_write()\fR will also return with success, when a partial write has been -successfully completed. In this case the \fISSL_write()\fR operation is considered -completed. The bytes are sent and a new \fISSL_write()\fR operation with a new -buffer (with the already sent bytes removed) must be started. -A partial write is performed with the size of a message block, which is -16kB for SSLv3/TLSv1. +The write functions will only return with success when the complete contents of +\&\fBbuf\fR of length \fBnum\fR has been written. This default behaviour can be changed +with the \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 option of \fISSL_CTX_set_mode\fR\|(3). When +this flag is set the write functions will also return with success when a +partial write has been successfully completed. In this case the write function +operation is considered completed. The bytes are sent and a new write call with +a new buffer (with the already sent bytes removed) must be started. A partial +write is performed with the size of a message block, which is 16kB. .SH "WARNING" .IX Header "WARNING" -When an \fISSL_write()\fR operation has to be repeated because of -\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR, it must be repeated +When a write function call has to be repeated because \fISSL_get_error\fR\|(3) +returned \fB\s-1SSL_ERROR_WANT_READ\s0\fR or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR, it must be repeated with the same arguments. +The data that was passed might have been partially processed. +When \fB\s-1SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER\s0\fR was set using \fISSL_CTX_set_mode\fR\|(3) +the pointer can be different, but the data and length should still be the same. .PP -When calling \fISSL_write()\fR with num=0 bytes to be sent the behaviour is -undefined. +You should not call \fISSL_write()\fR with num=0, it will return an error. +\&\fISSL_write_ex()\fR can be called with num=0, but will not send application data to +the peer. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -The following return values can occur: +\&\fISSL_write_ex()\fR will return 1 for success or 0 for failure. Success means that +all requested application data bytes have been written to the \s-1SSL\s0 connection or, +if \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is in use, at least 1 application data byte has +been written to the \s-1SSL\s0 connection. Failure means that not all the requested +bytes have been written yet (if \s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is not in use) or +no bytes could be written to the \s-1SSL\s0 connection (if +\&\s-1SSL_MODE_ENABLE_PARTIAL_WRITE\s0 is in use). Failures can be retryable (e.g. the +network write buffer has temporarily filled up) or non-retryable (e.g. a fatal +network error). In the event of a failure call \fISSL_get_error\fR\|(3) to find out +the reason which indicates whether the call is retryable or not. +.PP +For \fISSL_write()\fR the following return values can occur: .IP "> 0" 4 .IX Item "> 0" The write operation was successful, the return value is the number of @@ -211,17 +224,24 @@ The write operation was not successful, because either the connection was closed, an error occurred or action must be taken by the calling process. Call \fISSL_get_error()\fR with the return value \fBret\fR to find out the reason. .Sp -SSLv2 (deprecated) does not support a shutdown alert protocol, so it can -only be detected, whether the underlying connection was closed. It cannot -be checked, why the closure happened. -.Sp Old documentation indicated a difference between 0 and \-1, and that \-1 was retryable. You should instead call \fISSL_get_error()\fR to find out if it's retryable. +.SH "HISTORY" +.IX Header "HISTORY" +\&\fISSL_write_ex()\fR was added in OpenSSL 1.1.1. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fISSL_get_error\fR\|(3), \fISSL_read\fR\|(3), +\&\fISSL_get_error\fR\|(3), \fISSL_read_ex\fR\|(3), \fISSL_read\fR\|(3) \&\fISSL_CTX_set_mode\fR\|(3), \fISSL_CTX_new\fR\|(3), \&\fISSL_connect\fR\|(3), \fISSL_accept\fR\|(3) \&\fISSL_set_connect_state\fR\|(3), -\&\fIssl\fR\|(3), \fIbio\fR\|(3) +\&\fIssl\fR\|(7), \fIbio\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/UI_STRING.3 b/secure/lib/libcrypto/man/UI_STRING.3 new file mode 100644 index 000000000000..07bb3a5dd1a2 --- /dev/null +++ b/secure/lib/libcrypto/man/UI_STRING.3 @@ -0,0 +1,270 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "UI_STRING 3" +.TH UI_STRING 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +UI_STRING, UI_string_types, UI_get_string_type, UI_get_input_flags, UI_get0_output_string, UI_get0_action_string, UI_get0_result_string, UI_get_result_string_length, UI_get0_test_string, UI_get_result_minsize, UI_get_result_maxsize, UI_set_result, UI_set_result_ex \&\- User interface string parsing +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef struct ui_string_st UI_STRING; +\& +\& enum UI_string_types { +\& UIT_NONE = 0, +\& UIT_PROMPT, /* Prompt for a string */ +\& UIT_VERIFY, /* Prompt for a string and verify */ +\& UIT_BOOLEAN, /* Prompt for a yes/no response */ +\& UIT_INFO, /* Send info to the user */ +\& UIT_ERROR /* Send an error message to the user */ +\& }; +\& +\& enum UI_string_types UI_get_string_type(UI_STRING *uis); +\& int UI_get_input_flags(UI_STRING *uis); +\& const char *UI_get0_output_string(UI_STRING *uis); +\& const char *UI_get0_action_string(UI_STRING *uis); +\& const char *UI_get0_result_string(UI_STRING *uis); +\& int UI_get_result_string_length(UI_STRING *uis); +\& const char *UI_get0_test_string(UI_STRING *uis); +\& int UI_get_result_minsize(UI_STRING *uis); +\& int UI_get_result_maxsize(UI_STRING *uis); +\& int UI_set_result(UI *ui, UI_STRING *uis, const char *result); +\& int UI_set_result_ex(UI *ui, UI_STRING *uis, const char *result, int len); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fB\s-1UI_STRING\s0\fR gets created internally and added to a \fB\s-1UI\s0\fR whenever +one of the functions \fIUI_add_input_string()\fR, \fIUI_dup_input_string()\fR, +\&\fIUI_add_verify_string()\fR, \fIUI_dup_verify_string()\fR, +\&\fIUI_add_input_boolean()\fR, \fIUI_dup_input_boolean()\fR, \fIUI_add_info_string()\fR, +\&\fIUI_dup_info_string()\fR, \fIUI_add_error_string()\fR or \fIUI_dup_error_string()\fR +is called. +For a \fB\s-1UI_METHOD\s0\fR user, there's no need to know more. +For a \fB\s-1UI_METHOD\s0\fR creator, it is of interest to fetch text from these +\&\fB\s-1UI_STRING\s0\fR objects as well as adding results to some of them. +.PP +\&\fIUI_get_string_type()\fR is used to retrieve the type of the given +\&\fB\s-1UI_STRING\s0\fR. +.PP +\&\fIUI_get_input_flags()\fR is used to retrieve the flags associated with the +given \fB\s-1UI_STRING\s0\fR. +.PP +\&\fIUI_get0_output_string()\fR is used to retrieve the actual string to +output (prompt, info, error, ...). +.PP +\&\fIUI_get0_action_string()\fR is used to retrieve the action description +associated with a \fB\s-1UIT_BOOLEAN\s0\fR type \fB\s-1UI_STRING\s0\fR. +For all other \fB\s-1UI_STRING\s0\fR types, \s-1NULL\s0 is returned. +See \fIUI_add_input_boolean\fR\|(3). +.PP +\&\fIUI_get0_result_string()\fR and \fIUI_get_result_string_length()\fR are used to +retrieve the result of a prompt and its length. +This is only useful for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings. +For all other \fB\s-1UI_STRING\s0\fR types, \fIUI_get0_result_string()\fR returns \s-1NULL\s0 +and \fIUI_get_result_string_length()\fR returns \-1. +.PP +\&\fIUI_get0_test_string()\fR is used to retrieve the string to compare the +prompt result with. +This is only useful for \fB\s-1UIT_VERIFY\s0\fR type strings. +For all other \fB\s-1UI_STRING\s0\fR types, \s-1NULL\s0 is returned. +.PP +\&\fIUI_get_result_minsize()\fR and \fIUI_get_result_maxsize()\fR are used to +retrieve the minimum and maximum required size of the result. +This is only useful for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings. +For all other \fB\s-1UI_STRING\s0\fR types, \-1 is returned. +.PP +\&\fIUI_set_result_ex()\fR is used to set the result value of a prompt and its length. +For \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, this sets the +result retrievable with \fIUI_get0_result_string()\fR by copying the +contents of \fBresult\fR if its length fits the minimum and maximum size +requirements. +For \fB\s-1UIT_BOOLEAN\s0\fR type \s-1UI\s0 strings, this sets the first character of +the result retrievable with \fIUI_get0_result_string()\fR to the first +\&\fBok_char\fR given with \fIUI_add_input_boolean()\fR or \fIUI_dup_input_boolean()\fR +if the \fBresult\fR matched any of them, or the first of the +\&\fBcancel_chars\fR if the \fBresult\fR matched any of them, otherwise it's +set to the \s-1NUL\s0 char \f(CW\*(C`\e0\*(C'\fR. +See \fIUI_add_input_boolean\fR\|(3) for more information on \fBok_chars\fR and +\&\fBcancel_chars\fR. +.PP +\&\fIUI_set_result()\fR does the same thing as \fIUI_set_result_ex()\fR, but calculates +its length internally. +It expects the string to be terminated with a \s-1NUL\s0 byte, and is therefore +only useful with normal C strings. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIUI_get_string_type()\fR returns the \s-1UI\s0 string type. +.PP +\&\fIUI_get_input_flags()\fR returns the \s-1UI\s0 string flags. +.PP +\&\fIUI_get0_output_string()\fR returns the \s-1UI\s0 string output string. +.PP +\&\fIUI_get0_action_string()\fR returns the \s-1UI\s0 string action description +string for \fB\s-1UIT_BOOLEAN\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other type. +.PP +\&\fIUI_get0_result_string()\fR returns the \s-1UI\s0 string result buffer for +\&\fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other +type. +.PP +\&\fIUI_get_result_string_length()\fR returns the \s-1UI\s0 string result buffer's +content length for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, +\&\-1 for any other type. +.PP +\&\fIUI_get0_test_string()\fR returns the \s-1UI\s0 string action description +string for \fB\s-1UIT_VERIFY\s0\fR type \s-1UI\s0 strings, \s-1NULL\s0 for any other type. +.PP +\&\fIUI_get_result_minsize()\fR returns the minimum allowed result size for +the \s-1UI\s0 string for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings, +\&\-1 for any other type. +.PP +\&\fIUI_get_result_maxsize()\fR returns the minimum allowed result size for +the \s-1UI\s0 string for \fB\s-1UIT_PROMPT\s0\fR and \fB\s-1UIT_VERIFY\s0\fR type strings, +\&\-1 for any other type. +.PP +\&\fIUI_set_result()\fR returns 0 on success or when the \s-1UI\s0 string is of any +type other than \fB\s-1UIT_PROMPT\s0\fR, \fB\s-1UIT_VERIFY\s0\fR or \fB\s-1UIT_BOOLEAN\s0\fR, \-1 on +error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\s-1\fIUI\s0\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/UI_UTIL_read_pw.3 b/secure/lib/libcrypto/man/UI_UTIL_read_pw.3 new file mode 100644 index 000000000000..cbcb9c48bd6b --- /dev/null +++ b/secure/lib/libcrypto/man/UI_UTIL_read_pw.3 @@ -0,0 +1,198 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "UI_UTIL_READ_PW 3" +.TH UI_UTIL_READ_PW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +UI_UTIL_read_pw_string, UI_UTIL_read_pw, UI_UTIL_wrap_read_pem_callback \- user interface utilities +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, +\& int verify); +\& int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, +\& int verify); +\& UI_METHOD *UI_UTIL_wrap_read_pem_callback(pem_password_cb *cb, int rwflag); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIUI_UTIL_read_pw_string()\fR asks for a passphrase, using \fBprompt\fR as a +prompt, and stores it in \fBbuf\fR. +The maximum allowed size is given with \fBlength\fR, including the +terminating \s-1NUL\s0 byte. +If \fBverify\fR is non-zero, the password will be verified as well. +.PP +\&\fIUI_UTIL_read_pw()\fR does the same as \fIUI_UTIL_read_pw_string()\fR, the +difference is that you can give it an external buffer \fBbuff\fR for the +verification passphrase. +.PP +\&\fIUI_UTIL_wrap_read_pem_callback()\fR can be used to create a temporary +\&\fB\s-1UI_METHOD\s0\fR that wraps a given \s-1PEM\s0 password callback \fBcb\fR. +\&\fBrwflag\fR is used to specify if this method will be used for +passphrase entry without (0) or with (1) verification. +When not used any more, the returned method should be freed with +\&\fIUI_destroy_method()\fR. +.SH "NOTES" +.IX Header "NOTES" +\&\fIUI_UTIL_read_pw_string()\fR and \fIUI_UTIL_read_pw()\fR use default +\&\fB\s-1UI_METHOD\s0\fR. +See \fIUI_get_default_method\fR\|(3) and friends for more information. +.PP +The result from the \fB\s-1UI_METHOD\s0\fR created by +\&\fIUI_UTIL_wrap_read_pem_callback()\fR will generate password strings in the +encoding that the given password callback generates. +The default password prompting functions (apart from +\&\fIUI_UTIL_read_pw_string()\fR and \fIUI_UTIL_read_pw()\fR, there is +\&\fIPEM_def_callback()\fR, \fIEVP_read_pw_string()\fR and \fIEVP_read_pw_string_min()\fR) +all use the default \fB\s-1UI_METHOD\s0\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIUI_UTIL_read_pw_string()\fR and \fIUI_UTIL_read_pw()\fR return 0 on success or a negative +value on error. +.PP +\&\fIUI_UTIL_wrap_read_pem_callback()\fR returns a valid \fB\s-1UI_METHOD\s0\fR structure or \s-1NULL\s0 +if an error occurred. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIUI_get_default_method\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/UI_create_method.3 b/secure/lib/libcrypto/man/UI_create_method.3 new file mode 100644 index 000000000000..a5055ce5be0e --- /dev/null +++ b/secure/lib/libcrypto/man/UI_create_method.3 @@ -0,0 +1,316 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "UI_CREATE_METHOD 3" +.TH UI_CREATE_METHOD 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +UI_METHOD, UI_create_method, UI_destroy_method, UI_method_set_opener, UI_method_set_writer, UI_method_set_flusher, UI_method_set_reader, UI_method_set_closer, UI_method_set_data_duplicator, UI_method_set_prompt_constructor, UI_method_set_ex_data, UI_method_get_opener, UI_method_get_writer, UI_method_get_flusher, UI_method_get_reader, UI_method_get_closer, UI_method_get_data_duplicator, UI_method_get_data_destructor, UI_method_get_prompt_constructor, UI_method_get_ex_data \- user interface method creation and destruction +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& typedef struct ui_method_st UI_METHOD; +\& +\& UI_METHOD *UI_create_method(const char *name); +\& void UI_destroy_method(UI_METHOD *ui_method); +\& int UI_method_set_opener(UI_METHOD *method, int (*opener) (UI *ui)); +\& int UI_method_set_writer(UI_METHOD *method, +\& int (*writer) (UI *ui, UI_STRING *uis)); +\& int UI_method_set_flusher(UI_METHOD *method, int (*flusher) (UI *ui)); +\& int UI_method_set_reader(UI_METHOD *method, +\& int (*reader) (UI *ui, UI_STRING *uis)); +\& int UI_method_set_closer(UI_METHOD *method, int (*closer) (UI *ui)); +\& int UI_method_set_data_duplicator(UI_METHOD *method, +\& void *(*duplicator) (UI *ui, void *ui_data), +\& void (*destructor)(UI *ui, void *ui_data)); +\& int UI_method_set_prompt_constructor(UI_METHOD *method, +\& char *(*prompt_constructor) (UI *ui, +\& const char +\& *object_desc, +\& const char +\& *object_name)); +\& int UI_method_set_ex_data(UI_METHOD *method, int idx, void *data); +\& int (*UI_method_get_opener(const UI_METHOD *method)) (UI *); +\& int (*UI_method_get_writer(const UI_METHOD *method)) (UI *, UI_STRING *); +\& int (*UI_method_get_flusher(const UI_METHOD *method)) (UI *); +\& int (*UI_method_get_reader(const UI_METHOD *method)) (UI *, UI_STRING *); +\& int (*UI_method_get_closer(const UI_METHOD *method)) (UI *); +\& char *(*UI_method_get_prompt_constructor(const UI_METHOD *method)) +\& (UI *, const char *, const char *); +\& void *(*UI_method_get_data_duplicator(const UI_METHOD *method)) (UI *, void *); +\& void (*UI_method_get_data_destructor(const UI_METHOD *method)) (UI *, void *); +\& const void *UI_method_get_ex_data(const UI_METHOD *method, int idx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +A method contains a few functions that implement the low level of the +User Interface. +These functions are: +.IP "an opener" 4 +.IX Item "an opener" +This function takes a reference to a \s-1UI\s0 and starts a session, for +example by opening a channel to a tty, or by creating a dialog box. +.IP "a writer" 4 +.IX Item "a writer" +This function takes a reference to a \s-1UI\s0 and a \s-1UI\s0 String, and writes +the string where appropriate, maybe to the tty, maybe added as a field +label in a dialog box. +Note that this gets fed all strings associated with a \s-1UI,\s0 one after +the other, so care must be taken which ones it actually uses. +.IP "a flusher" 4 +.IX Item "a flusher" +This function takes a reference to a \s-1UI,\s0 and flushes everything that +has been output so far. +For example, if the method builds up a dialog box, this can be used to +actually display it and accepting input ended with a pressed button. +.IP "a reader" 4 +.IX Item "a reader" +This function takes a reference to a \s-1UI\s0 and a \s-1UI\s0 string and reads off +the given prompt, maybe from the tty, maybe from a field in a dialog +box. +Note that this gets fed all strings associated with a \s-1UI,\s0 one after +the other, so care must be taken which ones it actually uses. +.IP "a closer" 4 +.IX Item "a closer" +This function takes a reference to a \s-1UI,\s0 and closes the session, maybe +by closing the channel to the tty, maybe by destroying a dialog box. +.PP +All of these functions are expected to return 0 on error, 1 on +success, or \-1 on out-off-band events, for example if some prompting +has been cancelled (by pressing Ctrl-C, for example). +Only the flusher or the reader are expected to return \-1. +If returned by another of the functions, it's treated as if 0 was +returned. +.PP +Regarding the writer and the reader, don't assume the former should +only write and don't assume the latter should only read. +This depends on the needs of the method. +.PP +For example, a typical tty reader wouldn't write the prompts in the +write, but would rather do so in the reader, because of the sequential +nature of prompting on a tty. +This is how the \fIUI_OpenSSL()\fR method does it. +.PP +In contrast, a method that builds up a dialog box would add all prompt +text in the writer, have all input read in the flusher and store the +results in some temporary buffer, and finally have the reader just +fetch those results. +.PP +The central function that uses these method functions is \fIUI_process()\fR, +and it does it in five steps: +.IP "1." 4 +Open the session using the opener function if that one's defined. +If an error occurs, jump to 5. +.IP "2." 4 +For every \s-1UI\s0 String associated with the \s-1UI,\s0 call the writer function +if that one's defined. +If an error occurs, jump to 5. +.IP "3." 4 +Flush everything using the flusher function if that one's defined. +If an error occurs, jump to 5. +.IP "4." 4 +For every \s-1UI\s0 String associated with the \s-1UI,\s0 call the reader function +if that one's defined. +If an error occurs, jump to 5. +.IP "5." 4 +Close the session using the closer function if that one's defined. +.PP +\&\fIUI_create_method()\fR creates a new \s-1UI\s0 method with a given \fBname\fR. +.PP +\&\fIUI_destroy_method()\fR destroys the given \s-1UI\s0 method \fBui_method\fR. +.PP +\&\fIUI_method_set_opener()\fR, \fIUI_method_set_writer()\fR, +\&\fIUI_method_set_flusher()\fR, \fIUI_method_set_reader()\fR and +\&\fIUI_method_set_closer()\fR set the five main method function to the given +function pointer. +.PP +\&\fIUI_method_set_data_duplicator()\fR sets the user data duplicator and destructor. +See \fIUI_dup_user_data\fR\|(3). +.PP +\&\fIUI_method_set_prompt_constructor()\fR sets the prompt constructor. +See \fIUI_construct_prompt\fR\|(3). +.PP +\&\fIUI_method_set_ex_data()\fR sets application specific data with a given +\&\s-1EX_DATA\s0 index. +See \fICRYPTO_get_ex_new_index\fR\|(3) for general information on how to +get that index. +.PP +\&\fIUI_method_get_opener()\fR, \fIUI_method_get_writer()\fR, +\&\fIUI_method_get_flusher()\fR, \fIUI_method_get_reader()\fR, +\&\fIUI_method_get_closer()\fR, \fIUI_method_get_data_duplicator()\fR, +\&\fIUI_method_get_data_destructor()\fR and \fIUI_method_get_prompt_constructor()\fR +return the different method functions. +.PP +\&\fIUI_method_get_ex_data()\fR returns the application data previously stored +with \fIUI_method_set_ex_data()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIUI_create_method()\fR returns a \s-1UI_METHOD\s0 pointer on success, \s-1NULL\s0 on +error. +.PP +\&\fIUI_method_set_opener()\fR, \fIUI_method_set_writer()\fR, +\&\fIUI_method_set_flusher()\fR, \fIUI_method_set_reader()\fR, +\&\fIUI_method_set_closer()\fR, \fIUI_method_set_data_duplicator()\fR and +\&\fIUI_method_set_prompt_constructor()\fR +return 0 on success, \-1 if the given \fBmethod\fR is \s-1NULL.\s0 +.PP +\&\fIUI_method_set_ex_data()\fR returns 1 on success and 0 on error (because +\&\fICRYPTO_set_ex_data()\fR does so). +.PP +\&\fIUI_method_get_opener()\fR, \fIUI_method_get_writer()\fR, +\&\fIUI_method_get_flusher()\fR, \fIUI_method_get_reader()\fR, +\&\fIUI_method_get_closer()\fR, \fIUI_method_get_data_duplicator()\fR, +\&\fIUI_method_get_data_destructor()\fR and \fIUI_method_get_prompt_constructor()\fR +return the requested function pointer if it's set in the method, +otherwise \s-1NULL.\s0 +.PP +\&\fIUI_method_get_ex_data()\fR returns a pointer to the application specific +data associated with the method. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\s-1\fIUI\s0\fR\|(3), \fICRYPTO_get_ex_data\fR\|(3), \s-1\fIUI_STRING\s0\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIUI_method_set_data_duplicator()\fR, \fIUI_method_get_data_duplicator()\fR and +\&\fIUI_method_get_data_destructor()\fR +were added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/ui.3 b/secure/lib/libcrypto/man/UI_new.3 similarity index 63% rename from secure/lib/libcrypto/man/ui.3 rename to secure/lib/libcrypto/man/UI_new.3 index b8b962acd65d..d46b65e58a86 100644 --- a/secure/lib/libcrypto/man/ui.3 +++ b/secure/lib/libcrypto/man/UI_new.3 @@ -128,68 +128,59 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "ui 3" -.TH ui 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "UI_NEW 3" +.TH UI_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string, -UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean, -UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string, -UI_add_error_string, UI_dup_error_string, UI_construct_prompt, -UI_add_user_data, UI_get0_user_data, UI_get0_result, UI_process, -UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method, -UI_set_method, UI_OpenSSL, ERR_load_UI_strings \- New User Interface +UI, UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string, UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean, UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string, UI_add_error_string, UI_dup_error_string, UI_construct_prompt, UI_add_user_data, UI_dup_user_data, UI_get0_user_data, UI_get0_result, UI_get_result_length, UI_process, UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method, UI_set_method, UI_OpenSSL, UI_null \- user interface .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& \& typedef struct ui_st UI; -\& typedef struct ui_method_st UI_METHOD; \& \& UI *UI_new(void); \& UI *UI_new_method(const UI_METHOD *method); \& void UI_free(UI *ui); \& \& int UI_add_input_string(UI *ui, const char *prompt, int flags, -\& char *result_buf, int minsize, int maxsize); +\& char *result_buf, int minsize, int maxsize); \& int UI_dup_input_string(UI *ui, const char *prompt, int flags, -\& char *result_buf, int minsize, int maxsize); +\& char *result_buf, int minsize, int maxsize); \& int UI_add_verify_string(UI *ui, const char *prompt, int flags, -\& char *result_buf, int minsize, int maxsize, const char *test_buf); +\& char *result_buf, int minsize, int maxsize, +\& const char *test_buf); \& int UI_dup_verify_string(UI *ui, const char *prompt, int flags, -\& char *result_buf, int minsize, int maxsize, const char *test_buf); +\& char *result_buf, int minsize, int maxsize, +\& const char *test_buf); \& int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc, -\& const char *ok_chars, const char *cancel_chars, -\& int flags, char *result_buf); +\& const char *ok_chars, const char *cancel_chars, +\& int flags, char *result_buf); \& int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, -\& const char *ok_chars, const char *cancel_chars, -\& int flags, char *result_buf); +\& const char *ok_chars, const char *cancel_chars, +\& int flags, char *result_buf); \& int UI_add_info_string(UI *ui, const char *text); \& int UI_dup_info_string(UI *ui, const char *text); \& int UI_add_error_string(UI *ui, const char *text); \& int UI_dup_error_string(UI *ui, const char *text); \& -\& /* These are the possible flags. They can be or\*(Aqed together. */ -\& #define UI_INPUT_FLAG_ECHO 0x01 -\& #define UI_INPUT_FLAG_DEFAULT_PWD 0x02 -\& \& char *UI_construct_prompt(UI *ui_method, \& const char *object_desc, const char *object_name); \& \& void *UI_add_user_data(UI *ui, void *user_data); +\& int UI_dup_user_data(UI *ui, void *user_data); \& void *UI_get0_user_data(UI *ui); \& \& const char *UI_get0_result(UI *ui, int i); +\& int UI_get_result_length(UI *ui, int i); \& \& int UI_process(UI *ui); \& \& int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)()); -\& #define UI_CTRL_PRINT_ERRORS 1 -\& #define UI_CTRL_IS_REDOABLE 2 \& \& void UI_set_default_method(const UI_METHOD *meth); \& const UI_METHOD *UI_get_default_method(void); @@ -197,12 +188,13 @@ UI_set_method, UI_OpenSSL, ERR_load_UI_strings \- New User Interface \& const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth); \& \& UI_METHOD *UI_OpenSSL(void); +\& const UI_METHOD *UI_null(void); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\s-1UI\s0 stands for User Interface, and is general purpose set of routines to prompt the user for text-based information. Through user-written methods -(see \fIui_create\fR\|(3)), prompting can be done in any way +(see \fIUI_create_method\fR\|(3)), prompting can be done in any way imaginable, be it plain text prompting, through dialog boxes or from a cell phone. .PP @@ -214,15 +206,18 @@ carry out the actual prompting. The first thing to do is to create a \s-1UI\s0 with \fIUI_new()\fR or \fIUI_new_method()\fR, then add information to it with the UI_add or UI_dup functions. Also, user-defined random data can be passed down to the underlying method -through calls to UI_add_user_data. The default \s-1UI\s0 method doesn't care -about these data, but other methods might. Finally, use \fIUI_process()\fR -to actually perform the prompting and \fIUI_get0_result()\fR to find the result -to the prompt. +through calls to \fIUI_add_user_data()\fR or \fIUI_dup_user_data()\fR. The default +\&\s-1UI\s0 method doesn't care about these data, but other methods might. Finally, +use \fIUI_process()\fR to actually perform the prompting and \fIUI_get0_result()\fR +and \fIUI_get_result_length()\fR to find the result to the prompt and its length. .PP A \s-1UI\s0 can contain more than one prompt, which are performed in the given sequence. Each prompt gets an index number which is returned by the UI_add and UI_dup functions, and has to be used to get the corresponding -result with \fIUI_get0_result()\fR. +result with \fIUI_get0_result()\fR and \fIUI_get_result_length()\fR. +.PP +\&\fIUI_process()\fR can be called more than once on the same \s-1UI,\s0 thereby allowing +a \s-1UI\s0 to have a long lifetime, but can just as well have a short lifetime. .PP The functions are as follows: .PP @@ -232,13 +227,17 @@ this \s-1UI,\s0 it should be freed using \fIUI_free()\fR. \&\fIUI_new_method()\fR creates a new \s-1UI\s0 using the given \s-1UI\s0 method. When done with this \s-1UI,\s0 it should be freed using \fIUI_free()\fR. .PP -\&\fIUI_OpenSSL()\fR returns the built-in \s-1UI\s0 method (note: not the default one, -since the default can be changed. See further on). This method is the -most machine/OS dependent part of OpenSSL and normally generates the -most problems when porting. +\&\fIUI_OpenSSL()\fR returns the built-in \s-1UI\s0 method (note: not necessarily the +default one, since the default can be changed. See further on). This +method is the most machine/OS dependent part of OpenSSL and normally +generates the most problems when porting. +.PP +\&\fIUI_null()\fR returns a \s-1UI\s0 method that does nothing. Its use is to avoid +getting internal defaults for passed \s-1UI_METHOD\s0 pointers. .PP \&\fIUI_free()\fR removes a \s-1UI\s0 from memory, along with all other pieces of memory that's connected to it, like duplicated input strings, results and others. +If \fBui\fR is \s-1NULL\s0 nothing is done. .PP \&\fIUI_add_input_string()\fR and \fIUI_add_verify_string()\fR add a prompt to the \s-1UI,\s0 as well as flags and a result buffer and the desired minimum and maximum @@ -262,10 +261,10 @@ The difference between the two is only conceptual. With the builtin method, there's no technical difference between them. Other methods may make a difference between them, however. .PP -The flags currently supported are \s-1UI_INPUT_FLAG_ECHO,\s0 which is relevant for +The flags currently supported are \fB\s-1UI_INPUT_FLAG_ECHO\s0\fR, which is relevant for \&\fIUI_add_input_string()\fR and will have the users response be echoed (when prompting for a password, this flag should obviously not be used, and -\&\s-1UI_INPUT_FLAG_DEFAULT_PWD,\s0 which means that a default password of some +\&\fB\s-1UI_INPUT_FLAG_DEFAULT_PWD\s0\fR, which means that a default password of some sort will be used (completely depending on the application and the \s-1UI\s0 method). .PP @@ -283,40 +282,92 @@ description \*(R"pass phrase\*(L" and the file name \*(R"foo.key\*(L", that beco string and may include encodings that will be processed by the other method functions. .PP -\&\fIUI_add_user_data()\fR adds a piece of memory for the method to use at any +\&\fIUI_add_user_data()\fR adds a user data pointer for the method to use at any time. The builtin \s-1UI\s0 method doesn't care about this info. Note that several calls to this function doesn't add data, it replaces the previous blob with the one given as argument. .PP +\&\fIUI_dup_user_data()\fR duplicates the user data and works as an alternative +to \fIUI_add_user_data()\fR when the user data needs to be preserved for a longer +duration, perhaps even the lifetime of the application. The \s-1UI\s0 object takes +ownership of this duplicate and will free it whenever it gets replaced or +the \s-1UI\s0 is destroyed. \fIUI_dup_user_data()\fR returns 0 on success, or \-1 on memory +allocation failure or if the method doesn't have a duplicator function. +.PP \&\fIUI_get0_user_data()\fR retrieves the data that has last been given to the -\&\s-1UI\s0 with \fIUI_add_user_data()\fR. +\&\s-1UI\s0 with \fIUI_add_user_data()\fR or UI_dup_user_data. .PP \&\fIUI_get0_result()\fR returns a pointer to the result buffer associated with the information indexed by \fIi\fR. .PP +\&\fIUI_get_result_length()\fR returns the length of the result buffer associated with +the information indexed by \fIi\fR. +.PP \&\fIUI_process()\fR goes through the information given so far, does all the printing -and prompting and returns. +and prompting and returns the final status, which is \-2 on out-of-band events +(Interrupt, Cancel, ...), \-1 on error and 0 on success. .PP \&\fIUI_ctrl()\fR adds extra control for the application author. For now, it -understands two commands: \s-1UI_CTRL_PRINT_ERRORS,\s0 which makes \fIUI_process()\fR +understands two commands: \fB\s-1UI_CTRL_PRINT_ERRORS\s0\fR, which makes \fIUI_process()\fR print the OpenSSL error stack as part of processing the \s-1UI,\s0 and -\&\s-1UI_CTRL_IS_REDOABLE,\s0 which returns a flag saying if the used \s-1UI\s0 can +\&\fB\s-1UI_CTRL_IS_REDOABLE\s0\fR, which returns a flag saying if the used \s-1UI\s0 can be used again or not. .PP \&\fIUI_set_default_method()\fR changes the default \s-1UI\s0 method to the one given. +This function is not thread-safe and should not be called at the same time +as other OpenSSL functions. .PP \&\fIUI_get_default_method()\fR returns a pointer to the current default \s-1UI\s0 method. .PP \&\fIUI_get_method()\fR returns the \s-1UI\s0 method associated with a given \s-1UI.\s0 .PP \&\fIUI_set_method()\fR changes the \s-1UI\s0 method associated with a given \s-1UI.\s0 -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIui_create\fR\|(3), \fIui_compat\fR\|(3) +.SH "NOTES" +.IX Header "NOTES" +The resulting strings that the built in method \fIUI_OpenSSL()\fR generate +are assumed to be encoded according to the current locale or (for +Windows) code page. +For applications having different demands, these strings need to be +converted appropriately by the caller. +For Windows, if the \s-1OPENSSL_WIN32_UTF8\s0 environment variable is set, +the built-in method \fIUI_OpenSSL()\fR will produce \s-1UTF\-8\s0 encoded strings +instead. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIUI_new()\fR and \fIUI_new_method()\fR return a valid \fB\s-1UI\s0\fR structure or \s-1NULL\s0 if an error +occurred. +.PP +\&\fIUI_add_input_string()\fR, \fIUI_dup_input_string()\fR, \fIUI_add_verify_string()\fR, +\&\fIUI_dup_verify_string()\fR, \fIUI_add_input_boolean()\fR, \fIUI_dup_input_boolean()\fR, +\&\fIUI_add_info_string()\fR, \fIUI_dup_info_string()\fR, \fIUI_add_error_string()\fR +and \fIUI_dup_error_string()\fR return a positive number on success or a value which +is less than or equal to 0 otherwise. +.PP +\&\fIUI_construct_prompt()\fR returns a string or \s-1NULL\s0 if an error occurred. +.PP +\&\fIUI_dup_user_data()\fR returns 0 on success or \-1 on error. +.PP +\&\fIUI_get0_result()\fR returns a string or \s-1NULL\s0 on error. +.PP +\&\fIUI_get_result_length()\fR returns a positive integer or 0 on success; otherwise it +returns \-1 on error. +.PP +\&\fIUI_process()\fR returns 0 on success or a negative value on error. +.PP +\&\fIUI_ctrl()\fR returns a mask on success or \-1 on error. +.PP +\&\fIUI_get_default_method()\fR, \fIUI_get_method()\fR, \fIUI_Openssl()\fR, \fIUI_null()\fR and +\&\fIUI_set_method()\fR return either a valid \fB\s-1UI_METHOD\s0\fR structure or \s-1NULL\s0 +respectively. .SH "HISTORY" .IX Header "HISTORY" -The \s-1UI\s0 section was first introduced in OpenSSL 0.9.7. -.SH "AUTHOR" -.IX Header "AUTHOR" -Richard Levitte (richard@levitte.org) for the OpenSSL project -(http://www.openssl.org). +\&\fIUI_dup_user_data()\fR +was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509V3_get_d2i.3 b/secure/lib/libcrypto/man/X509V3_get_d2i.3 new file mode 100644 index 000000000000..542542b9bb2e --- /dev/null +++ b/secure/lib/libcrypto/man/X509V3_get_d2i.3 @@ -0,0 +1,371 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509V3_GET_D2I 3" +.TH X509V3_GET_D2I 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_get0_extensions, X509_CRL_get0_extensions, X509_REVOKED_get0_extensions, X509V3_get_d2i, X509V3_add1_i2d, X509V3_EXT_d2i, X509V3_EXT_i2d, X509_get_ext_d2i, X509_add1_ext_i2d, X509_CRL_get_ext_d2i, X509_CRL_add1_ext_i2d, X509_REVOKED_get_ext_d2i, X509_REVOKED_add1_ext_i2d \- X509 extension decode and encode functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, +\& int *idx); +\& int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, +\& int crit, unsigned long flags); +\& +\& void *X509V3_EXT_d2i(X509_EXTENSION *ext); +\& X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext); +\& +\& void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx); +\& int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, +\& unsigned long flags); +\& +\& void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *crit, int *idx); +\& int X509_CRL_add1_ext_i2d(X509_CRL *crl, int nid, void *value, int crit, +\& unsigned long flags); +\& +\& void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *r, int nid, int *crit, int *idx); +\& int X509_REVOKED_add1_ext_i2d(X509_REVOKED *r, int nid, void *value, int crit, +\& unsigned long flags); +\& +\& const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); +\& const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); +\& const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions(const X509_REVOKED *r); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509V3_get_ext_d2i()\fR looks for an extension with \s-1OID\s0 \fBnid\fR in the extensions +\&\fBx\fR and, if found, decodes it. If \fBidx\fR is \fB\s-1NULL\s0\fR then only one +occurrence of an extension is permissible otherwise the first extension after +index \fB*idx\fR is returned and \fB*idx\fR updated to the location of the extension. +If \fBcrit\fR is not \fB\s-1NULL\s0\fR then \fB*crit\fR is set to a status value: \-2 if the +extension occurs multiple times (this is only returned if \fBidx\fR is \fB\s-1NULL\s0\fR), +\&\-1 if the extension could not be found, 0 if the extension is found and is +not critical and 1 if critical. A pointer to an extension specific structure +or \fB\s-1NULL\s0\fR is returned. +.PP +\&\fIX509V3_add1_i2d()\fR adds extension \fBvalue\fR to \s-1STACK\s0 \fB*x\fR (allocating a new +\&\s-1STACK\s0 if necessary) using \s-1OID\s0 \fBnid\fR and criticality \fBcrit\fR according +to \fBflags\fR. +.PP +\&\fIX509V3_EXT_d2i()\fR attempts to decode the \s-1ASN.1\s0 data contained in extension +\&\fBext\fR and returns a pointer to an extension specific structure or \fB\s-1NULL\s0\fR +if the extension could not be decoded (invalid syntax or not supported). +.PP +\&\fIX509V3_EXT_i2d()\fR encodes the extension specific structure \fBext\fR +with \s-1OID\s0 \fBext_nid\fR and criticality \fBcrit\fR. +.PP +\&\fIX509_get_ext_d2i()\fR and \fIX509_add1_ext_i2d()\fR operate on the extensions of +certificate \fBx\fR, they are otherwise identical to \fIX509V3_get_d2i()\fR and +\&\fIX509V3_add_i2d()\fR. +.PP +\&\fIX509_CRL_get_ext_d2i()\fR and \fIX509_CRL_add1_ext_i2d()\fR operate on the extensions +of \s-1CRL\s0 \fBcrl\fR, they are otherwise identical to \fIX509V3_get_d2i()\fR and +\&\fIX509V3_add_i2d()\fR. +.PP +\&\fIX509_REVOKED_get_ext_d2i()\fR and \fIX509_REVOKED_add1_ext_i2d()\fR operate on the +extensions of \fBX509_REVOKED\fR structure \fBr\fR (i.e for \s-1CRL\s0 entry extensions), +they are otherwise identical to \fIX509V3_get_d2i()\fR and \fIX509V3_add_i2d()\fR. +.PP +\&\fIX509_get0_extensions()\fR, \fIX509_CRL_get0_extensions()\fR and +\&\fIX509_REVOKED_get0_extensions()\fR return a stack of all the extensions +of a certificate a \s-1CRL\s0 or a \s-1CRL\s0 entry respectively. +.SH "NOTES" +.IX Header "NOTES" +In almost all cases an extension can occur at most once and multiple +occurrences is an error. Therefore the \fBidx\fR parameter is usually \fB\s-1NULL\s0\fR. +.PP +The \fBflags\fR parameter may be one of the following values. +.PP +\&\fBX509V3_ADD_DEFAULT\fR appends a new extension only if the extension does +not already exist. An error is returned if the extension does already +exist. +.PP +\&\fBX509V3_ADD_APPEND\fR appends a new extension, ignoring whether the extension +already exists. +.PP +\&\fBX509V3_ADD_REPLACE\fR replaces an extension if it exists otherwise appends +a new extension. +.PP +\&\fBX509V3_ADD_REPLACE_EXISTING\fR replaces an existing extension if it exists +otherwise returns an error. +.PP +\&\fBX509V3_ADD_KEEP_EXISTING\fR appends a new extension only if the extension does +not already exist. An error \fBis not\fR returned if the extension does already +exist. +.PP +\&\fBX509V3_ADD_DELETE\fR extension \fBnid\fR is deleted: no new extension is added. +.PP +If \fBX509V3_ADD_SILENT\fR is ored with \fBflags\fR: any error returned will not +be added to the error queue. +.PP +The function \fIX509V3_get_d2i()\fR will return \fB\s-1NULL\s0\fR if the extension is not +found, occurs multiple times or cannot be decoded. It is possible to +determine the precise reason by checking the value of \fB*crit\fR. +.SH "SUPPORTED EXTENSIONS" +.IX Header "SUPPORTED EXTENSIONS" +The following sections contain a list of all supported extensions +including their name and \s-1NID.\s0 +.SS "\s-1PKIX\s0 Certificate Extensions" +.IX Subsection "PKIX Certificate Extensions" +The following certificate extensions are defined in \s-1PKIX\s0 standards such as +\&\s-1RFC5280.\s0 +.PP +.Vb 3 +\& Basic Constraints NID_basic_constraints +\& Key Usage NID_key_usage +\& Extended Key Usage NID_ext_key_usage +\& +\& Subject Key Identifier NID_subject_key_identifier +\& Authority Key Identifier NID_authority_key_identifier +\& +\& Private Key Usage Period NID_private_key_usage_period +\& +\& Subject Alternative Name NID_subject_alt_name +\& Issuer Alternative Name NID_issuer_alt_name +\& +\& Authority Information Access NID_info_access +\& Subject Information Access NID_sinfo_access +\& +\& Name Constraints NID_name_constraints +\& +\& Certificate Policies NID_certificate_policies +\& Policy Mappings NID_policy_mappings +\& Policy Constraints NID_policy_constraints +\& Inhibit Any Policy NID_inhibit_any_policy +\& +\& TLS Feature NID_tlsfeature +.Ve +.SS "Netscape Certificate Extensions" +.IX Subsection "Netscape Certificate Extensions" +The following are (largely obsolete) Netscape certificate extensions. +.PP +.Vb 8 +\& Netscape Cert Type NID_netscape_cert_type +\& Netscape Base Url NID_netscape_base_url +\& Netscape Revocation Url NID_netscape_revocation_url +\& Netscape CA Revocation Url NID_netscape_ca_revocation_url +\& Netscape Renewal Url NID_netscape_renewal_url +\& Netscape CA Policy Url NID_netscape_ca_policy_url +\& Netscape SSL Server Name NID_netscape_ssl_server_name +\& Netscape Comment NID_netscape_comment +.Ve +.SS "Miscellaneous Certificate Extensions" +.IX Subsection "Miscellaneous Certificate Extensions" +.Vb 2 +\& Strong Extranet ID NID_sxnet +\& Proxy Certificate Information NID_proxyCertInfo +.Ve +.SS "\s-1PKIX CRL\s0 Extensions" +.IX Subsection "PKIX CRL Extensions" +The following are \s-1CRL\s0 extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0 +.PP +.Vb 6 +\& CRL Number NID_crl_number +\& CRL Distribution Points NID_crl_distribution_points +\& Delta CRL Indicator NID_delta_crl +\& Freshest CRL NID_freshest_crl +\& Invalidity Date NID_invalidity_date +\& Issuing Distribution Point NID_issuing_distribution_point +.Ve +.PP +The following are \s-1CRL\s0 entry extensions from \s-1PKIX\s0 standards such as \s-1RFC5280.\s0 +.PP +.Vb 2 +\& CRL Reason Code NID_crl_reason +\& Certificate Issuer NID_certificate_issuer +.Ve +.SS "\s-1OCSP\s0 Extensions" +.IX Subsection "OCSP Extensions" +.Vb 7 +\& OCSP Nonce NID_id_pkix_OCSP_Nonce +\& OCSP CRL ID NID_id_pkix_OCSP_CrlID +\& Acceptable OCSP Responses NID_id_pkix_OCSP_acceptableResponses +\& OCSP No Check NID_id_pkix_OCSP_noCheck +\& OCSP Archive Cutoff NID_id_pkix_OCSP_archiveCutoff +\& OCSP Service Locator NID_id_pkix_OCSP_serviceLocator +\& Hold Instruction Code NID_hold_instruction_code +.Ve +.SS "Certificate Transparency Extensions" +.IX Subsection "Certificate Transparency Extensions" +The following extensions are used by certificate transparency, \s-1RFC6962\s0 +.PP +.Vb 2 +\& CT Precertificate SCTs NID_ct_precert_scts +\& CT Certificate SCTs NID_ct_cert_scts +.Ve +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509V3_EXT_d2i()\fR and *\fIX509V3_get_d2i()\fR return a pointer to an extension +specific structure of \fB\s-1NULL\s0\fR if an error occurs. +.PP +\&\fIX509V3_EXT_i2d()\fR returns a pointer to an \fBX509_EXTENSION\fR structure +or \fB\s-1NULL\s0\fR if an error occurs. +.PP +\&\fIX509V3_add1_i2d()\fR returns 1 if the operation is successful and 0 if it +fails due to a non-fatal error (extension not found, already exists, +cannot be encoded) or \-1 due to a fatal error such as a memory allocation +failure. +.PP +\&\fIX509_get0_extensions()\fR, \fIX509_CRL_get0_extensions()\fR and +\&\fIX509_REVOKED_get0_extensions()\fR return a stack of extensions. They return +\&\s-1NULL\s0 if no extensions are present. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_get_version\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_ALGOR_dup.3 b/secure/lib/libcrypto/man/X509_ALGOR_dup.3 new file mode 100644 index 000000000000..70a3dce599b5 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_ALGOR_dup.3 @@ -0,0 +1,189 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_ALGOR_DUP 3" +.TH X509_ALGOR_DUP 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_ALGOR_dup, X509_ALGOR_set0, X509_ALGOR_get0, X509_ALGOR_set_md, X509_ALGOR_cmp \- AlgorithmIdentifier functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *alg); +\& int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval); +\& void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype, +\& const void **ppval, const X509_ALGOR *alg); +\& void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); +\& int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_ALGOR_dup()\fR returns a copy of \fBalg\fR. +.PP +\&\fIX509_ALGOR_set0()\fR sets the algorithm \s-1OID\s0 of \fBalg\fR to \fBaobj\fR and the +associated parameter type to \fBptype\fR with value \fBpval\fR. If \fBptype\fR is +\&\fBV_ASN1_UNDEF\fR the parameter is omitted, otherwise \fBptype\fR and \fBpval\fR have +the same meaning as the \fBtype\fR and \fBvalue\fR parameters to \fIASN1_TYPE_set()\fR. +All the supplied parameters are used internally so must \fB\s-1NOT\s0\fR be freed after +this call. +.PP +\&\fIX509_ALGOR_get0()\fR is the inverse of \fIX509_ALGOR_set0()\fR: it returns the +algorithm \s-1OID\s0 in \fB*paobj\fR and the associated parameter in \fB*pptype\fR +and \fB*ppval\fR from the \fBAlgorithmIdentifier\fR \fBalg\fR. +.PP +\&\fIX509_ALGOR_set_md()\fR sets the \fBAlgorithmIdentifier\fR \fBalg\fR to appropriate +values for the message digest \fBmd\fR. +.PP +\&\fIX509_ALGOR_cmp()\fR compares \fBa\fR and \fBb\fR and returns 0 if they have identical +encodings and non-zero otherwise. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_ALGOR_dup()\fR returns a valid \fBX509_ALGOR\fR structure or \s-1NULL\s0 if an error +occurred. +.PP +\&\fIX509_ALGOR_set0()\fR returns 1 on success or 0 on error. +.PP +\&\fIX509_ALGOR_get0()\fR and \fIX509_ALGOR_set_md()\fR return no values. +.PP +\&\fIX509_ALGOR_cmp()\fR returns 0 if the two parameters have identical encodings and +non-zero otherwise. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_CRL_get0_by_serial.3 b/secure/lib/libcrypto/man/X509_CRL_get0_by_serial.3 new file mode 100644 index 000000000000..42068c46adb7 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_CRL_get0_by_serial.3 @@ -0,0 +1,238 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_CRL_GET0_BY_SERIAL 3" +.TH X509_CRL_GET0_BY_SERIAL 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_CRL_get0_by_serial, X509_CRL_get0_by_cert, X509_CRL_get_REVOKED, X509_REVOKED_get0_serialNumber, X509_REVOKED_get0_revocationDate, X509_REVOKED_set_serialNumber, X509_REVOKED_set_revocationDate, X509_CRL_add0_revoked, X509_CRL_sort \- CRL revoked entry utility functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int X509_CRL_get0_by_serial(X509_CRL *crl, +\& X509_REVOKED **ret, ASN1_INTEGER *serial); +\& int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x); +\& +\& STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); +\& +\& const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *r); +\& const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *r); +\& +\& int X509_REVOKED_set_serialNumber(X509_REVOKED *r, ASN1_INTEGER *serial); +\& int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm); +\& +\& int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); +\& +\& int X509_CRL_sort(X509_CRL *crl); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_CRL_get0_by_serial()\fR attempts to find a revoked entry in \fBcrl\fR for +serial number \fBserial\fR. If it is successful it sets \fB*ret\fR to the internal +pointer of the matching entry, as a result \fB*ret\fR must not be freed up +after the call. +.PP +\&\fIX509_CRL_get0_by_cert()\fR is similar to \fIX509_get0_by_serial()\fR except it +looks for a revoked entry using the serial number of certificate \fBx\fR. +.PP +\&\fIX509_CRL_get_REVOKED()\fR returns an internal pointer to a stack of all +revoked entries for \fBcrl\fR. +.PP +\&\fIX509_REVOKED_get0_serialNumber()\fR returns an internal pointer to the +serial number of \fBr\fR. +.PP +\&\fIX509_REVOKED_get0_revocationDate()\fR returns an internal pointer to the +revocation date of \fBr\fR. +.PP +\&\fIX509_REVOKED_set_serialNumber()\fR sets the serial number of \fBr\fR to \fBserial\fR. +The supplied \fBserial\fR pointer is not used internally so it should be +freed up after use. +.PP +\&\fIX509_REVOKED_set_revocationDate()\fR sets the revocation date of \fBr\fR to +\&\fBtm\fR. The supplied \fBtm\fR pointer is not used internally so it should be +freed up after use. +.PP +\&\fIX509_CRL_add0_revoked()\fR appends revoked entry \fBrev\fR to \s-1CRL\s0 \fBcrl\fR. The +pointer \fBrev\fR is used internally so it must not be freed up after the call: +it is freed when the parent \s-1CRL\s0 is freed. +.PP +\&\fIX509_CRL_sort()\fR sorts the revoked entries of \fBcrl\fR into ascending serial +number order. +.SH "NOTES" +.IX Header "NOTES" +Applications can determine the number of revoked entries returned by +\&\fIX509_CRL_get_revoked()\fR using \fIsk_X509_REVOKED_num()\fR and examine each one +in turn using \fIsk_X509_REVOKED_value()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_CRL_get0_by_serial()\fR and \fIX509_CRL_get0_by_cert()\fR return 0 for failure, +1 on success except if the revoked entry has the reason \f(CW\*(C`removeFromCRL\*(C'\fR (8), +in which case 2 is returned. +.PP +\&\fIX509_REVOKED_set_serialNumber()\fR, \fIX509_REVOKED_set_revocationDate()\fR, +\&\fIX509_CRL_add0_revoked()\fR and \fIX509_CRL_sort()\fR return 1 for success and 0 for +failure. +.PP +\&\fIX509_REVOKED_get0_serialNumber()\fR returns an \fB\s-1ASN1_INTEGER\s0\fR pointer. +.PP +\&\fIX509_REVOKED_get0_revocationDate()\fR returns an \fB\s-1ASN1_TIME\s0\fR value. +.PP +\&\fIX509_CRL_get_REVOKED()\fR returns a \s-1STACK\s0 of revoked entries. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_get_version\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/secure/lib/libcrypto/man/X509_EXTENSION_set_object.3 new file mode 100644 index 000000000000..e497abc0e8c4 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_EXTENSION_set_object.3 @@ -0,0 +1,219 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_EXTENSION_SET_OBJECT 3" +.TH X509_EXTENSION_SET_OBJECT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_EXTENSION_set_object, X509_EXTENSION_set_critical, X509_EXTENSION_set_data, X509_EXTENSION_create_by_NID, X509_EXTENSION_create_by_OBJ, X509_EXTENSION_get_object, X509_EXTENSION_get_critical, X509_EXTENSION_get_data \- extension utility functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 3 +\& int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj); +\& int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit); +\& int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data); +\& +\& X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, +\& int nid, int crit, +\& ASN1_OCTET_STRING *data); +\& X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, +\& const ASN1_OBJECT *obj, int crit, +\& ASN1_OCTET_STRING *data); +\& +\& ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex); +\& int X509_EXTENSION_get_critical(const X509_EXTENSION *ex); +\& ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_EXTENSION_set_object()\fR sets the extension type of \fBex\fR to \fBobj\fR. The +\&\fBobj\fR pointer is duplicated internally so \fBobj\fR should be freed up after use. +.PP +\&\fIX509_EXTENSION_set_critical()\fR sets the criticality of \fBex\fR to \fBcrit\fR. If +\&\fBcrit\fR is zero the extension in non-critical otherwise it is critical. +.PP +\&\fIX509_EXTENSION_set_data()\fR sets the data in extension \fBex\fR to \fBdata\fR. The +\&\fBdata\fR pointer is duplicated internally. +.PP +\&\fIX509_EXTENSION_create_by_NID()\fR creates an extension of type \fBnid\fR, +criticality \fBcrit\fR using data \fBdata\fR. The created extension is returned and +written to \fB*ex\fR reusing or allocating a new extension if necessary so \fB*ex\fR +should either be \fB\s-1NULL\s0\fR or a valid \fBX509_EXTENSION\fR structure it must +\&\fBnot\fR be an uninitialised pointer. +.PP +\&\fIX509_EXTENSION_create_by_OBJ()\fR is identical to \fIX509_EXTENSION_create_by_NID()\fR +except it creates and extension using \fBobj\fR instead of a \s-1NID.\s0 +.PP +\&\fIX509_EXTENSION_get_object()\fR returns the extension type of \fBex\fR as an +\&\fB\s-1ASN1_OBJECT\s0\fR pointer. The returned pointer is an internal value which must +not be freed up. +.PP +\&\fIX509_EXTENSION_get_critical()\fR returns the criticality of extension \fBex\fR it +returns \fB1\fR for critical and \fB0\fR for non-critical. +.PP +\&\fIX509_EXTENSION_get_data()\fR returns the data of extension \fBex\fR. The returned +pointer is an internal value which must not be freed up. +.SH "NOTES" +.IX Header "NOTES" +These functions manipulate the contents of an extension directly. Most +applications will want to parse or encode and add an extension: they should +use the extension encode and decode functions instead such as +\&\fIX509_add1_ext_i2d()\fR and \fIX509_get_ext_d2i()\fR. +.PP +The \fBdata\fR associated with an extension is the extension encoding in an +\&\fB\s-1ASN1_OCTET_STRING\s0\fR structure. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_EXTENSION_set_object()\fR \fIX509_EXTENSION_set_critical()\fR and +\&\fIX509_EXTENSION_set_data()\fR return \fB1\fR for success and \fB0\fR for failure. +.PP +\&\fIX509_EXTENSION_create_by_NID()\fR and \fIX509_EXTENSION_create_by_OBJ()\fR return +an \fBX509_EXTENSION\fR pointer or \fB\s-1NULL\s0\fR if an error occurs. +.PP +\&\fIX509_EXTENSION_get_object()\fR returns an \fB\s-1ASN1_OBJECT\s0\fR pointer. +.PP +\&\fIX509_EXTENSION_get_critical()\fR returns \fB0\fR for non-critical and \fB1\fR for +critical. +.PP +\&\fIX509_EXTENSION_get_data()\fR returns an \fB\s-1ASN1_OCTET_STRING\s0\fR pointer. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509V3_get_d2i\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 b/secure/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 new file mode 100644 index 000000000000..e1013802f1ed --- /dev/null +++ b/secure/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 @@ -0,0 +1,260 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_LOOKUP_HASH_DIR 3" +.TH X509_LOOKUP_HASH_DIR 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_LOOKUP_hash_dir, X509_LOOKUP_file, X509_load_cert_file, X509_load_crl_file, X509_load_cert_crl_file \- Default OpenSSL certificate lookup methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); +\& X509_LOOKUP_METHOD *X509_LOOKUP_file(void); +\& +\& int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type); +\& int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type); +\& int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fBX509_LOOKUP_hash_dir\fR and \fBX509_LOOKUP_file\fR are two certificate +lookup methods to use with \fBX509_STORE\fR, provided by OpenSSL library. +.PP +Users of the library typically do not need to create instances of these +methods manually, they would be created automatically by +\&\fIX509_STORE_load_locations\fR\|(3) or +\&\fISSL_CTX_load_verify_locations\fR\|(3) +functions. +.PP +Internally loading of certificates and CRLs is implemented via functions +\&\fBX509_load_cert_crl_file\fR, \fBX509_load_cert_file\fR and +\&\fBX509_load_crl_file\fR. These functions support parameter \fItype\fR, which +can be one of constants \fB\s-1FILETYPE_PEM\s0\fR, \fB\s-1FILETYPE_ASN1\s0\fR and +\&\fB\s-1FILETYPE_DEFAULT\s0\fR. They load certificates and/or CRLs from specified +file into memory cache of \fBX509_STORE\fR objects which given \fBctx\fR +parameter is associated with. +.PP +Functions \fBX509_load_cert_file\fR and +\&\fBX509_load_crl_file\fR can load both \s-1PEM\s0 and \s-1DER\s0 formats depending of +type value. Because \s-1DER\s0 format cannot contain more than one certificate +or \s-1CRL\s0 object (while \s-1PEM\s0 can contain several concatenated \s-1PEM\s0 objects) +\&\fBX509_load_cert_crl_file\fR with \fB\s-1FILETYPE_ASN1\s0\fR is equivalent to +\&\fBX509_load_cert_file\fR. +.PP +Constant \fB\s-1FILETYPE_DEFAULT\s0\fR with \s-1NULL\s0 filename causes these functions +to load default certificate store file (see +\&\fIX509_STORE_set_default_paths\fR\|(3). +.PP +Functions return number of objects loaded from file or 0 in case of +error. +.PP +Both methods support adding several certificate locations into one +\&\fBX509_STORE\fR. +.PP +This page documents certificate store formats used by these methods and +caching policy. +.SS "File Method" +.IX Subsection "File Method" +The \fBX509_LOOKUP_file\fR method loads all the certificates or CRLs +present in a file into memory at the time the file is added as a +lookup source. +.PP +File format is \s-1ASCII\s0 text which contains concatenated \s-1PEM\s0 certificates +and CRLs. +.PP +This method should be used by applications which work with a small +set of CAs. +.SS "Hashed Directory Method" +.IX Subsection "Hashed Directory Method" +\&\fBX509_LOOKUP_hash_dir\fR is a more advanced method, which loads +certificates and CRLs on demand, and caches them in memory once +they are loaded. As of OpenSSL 1.0.0, it also checks for newer CRLs +upon each lookup, so that newer CRLs are as soon as they appear in +the directory. +.PP +The directory should contain one certificate or \s-1CRL\s0 per file in \s-1PEM\s0 format, +with a file name of the form \fIhash\fR.\fIN\fR for a certificate, or +\&\fIhash\fR.\fBr\fR\fIN\fR for a \s-1CRL.\s0 +The \fIhash\fR is the value returned by the \fIX509_NAME_hash\fR\|(3) function applied +to the subject name for certificates or issuer name for CRLs. +The hash can also be obtained via the \fB\-hash\fR option of the \fIx509\fR\|(1) or +\&\fIcrl\fR\|(1) commands. +.PP +The .\fIN\fR or .\fBr\fR\fIN\fR suffix is a sequence number that starts at zero, and is +incremented consecutively for each certificate or \s-1CRL\s0 with the same \fIhash\fR +value. +Gaps in the sequence numbers are not supported, it is assumed that there are no +more objects with the same hash beyond the first missing number in the +sequence. +.PP +Sequence numbers make it possible for the directory to contain multiple +certificates with same subject name hash value. +For example, it is possible to have in the store several certificates with same +subject or several CRLs with same issuer (and, for example, different validity +period). +.PP +When checking for new CRLs once one \s-1CRL\s0 for given hash value is +loaded, hash_dir lookup method checks only for certificates with +sequence number greater than that of the already cached \s-1CRL.\s0 +.PP +Note that the hash algorithm used for subject name hashing changed in OpenSSL +1.0.0, and all certificate stores have to be rehashed when moving from OpenSSL +0.9.8 to 1.0.0. +.PP +OpenSSL includes a \fIrehash\fR\|(1) utility which creates symlinks with correct +hashed names for all files with .pem suffix in a given directory. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_LOOKUP_hash_dir()\fR and \fIX509_LOOKUP_file()\fR always return a valid +\&\fBX509_LOOKUP_METHOD\fR structure. +.PP +\&\fIX509_load_cert_file()\fR, \fIX509_load_crl_file()\fR and \fIX509_load_cert_crl_file()\fR return +the number of loaded objects or 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIPEM_read_PrivateKey\fR\|(3), +\&\fIX509_STORE_load_locations\fR\|(3), +\&\fIX509_store_add_lookup\fR\|(3), +\&\fISSL_CTX_load_verify_locations\fR\|(3), +\&\fIX509_LOOKUP_meth_new\fR\|(3), +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_LOOKUP_meth_new.3 b/secure/lib/libcrypto/man/X509_LOOKUP_meth_new.3 new file mode 100644 index 000000000000..5ed16761a333 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_LOOKUP_meth_new.3 @@ -0,0 +1,299 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_LOOKUP_METH_NEW 3" +.TH X509_LOOKUP_METH_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_LOOKUP_meth_new, X509_LOOKUP_meth_free, X509_LOOKUP_meth_set_new_item, X509_LOOKUP_meth_get_new_item, X509_LOOKUP_meth_set_free, X509_LOOKUP_meth_get_free, X509_LOOKUP_meth_set_init, X509_LOOKUP_meth_get_init, X509_LOOKUP_meth_set_shutdown, X509_LOOKUP_meth_get_shutdown, X509_LOOKUP_ctrl_fn, X509_LOOKUP_meth_set_ctrl, X509_LOOKUP_meth_get_ctrl, X509_LOOKUP_get_by_subject_fn, X509_LOOKUP_meth_set_get_by_subject, X509_LOOKUP_meth_get_get_by_subject, X509_LOOKUP_get_by_issuer_serial_fn, X509_LOOKUP_meth_set_get_by_issuer_serial, X509_LOOKUP_meth_get_get_by_issuer_serial, X509_LOOKUP_get_by_fingerprint_fn, X509_LOOKUP_meth_set_get_by_fingerprint, X509_LOOKUP_meth_get_get_by_fingerprint, X509_LOOKUP_get_by_alias_fn, X509_LOOKUP_meth_set_get_by_alias, X509_LOOKUP_meth_get_get_by_alias, X509_LOOKUP_set_method_data, X509_LOOKUP_get_method_data, X509_LOOKUP_get_store, X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL \&\- Routines to build up X509_LOOKUP methods +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name); +\& void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method); +\& +\& int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, +\& int (*new_item) (X509_LOOKUP *ctx)); +\& int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) +\& (X509_LOOKUP *ctx); +\& +\& int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, +\& void (*free) (X509_LOOKUP *ctx)); +\& void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) +\& (X509_LOOKUP *ctx); +\& +\& int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, +\& int (*init) (X509_LOOKUP *ctx)); +\& int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) +\& (X509_LOOKUP *ctx); +\& +\& int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method, +\& int (*shutdown) (X509_LOOKUP *ctx)); +\& int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) +\& (X509_LOOKUP *ctx); +\& +\& typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc, +\& long argl, char **ret); +\& int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method, +\& X509_LOOKUP_ctrl_fn ctrl_fn); +\& X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method); +\& +\& typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx, +\& X509_LOOKUP_TYPE type, +\& X509_NAME *name, +\& X509_OBJECT *ret); +\& int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, +\& X509_LOOKUP_get_by_subject_fn fn); +\& X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( +\& const X509_LOOKUP_METHOD *method); +\& +\& typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx, +\& X509_LOOKUP_TYPE type, +\& X509_NAME *name, +\& ASN1_INTEGER *serial, +\& X509_OBJECT *ret); +\& int X509_LOOKUP_meth_set_get_by_issuer_serial( +\& X509_LOOKUP_METHOD *method, X509_LOOKUP_get_by_issuer_serial_fn fn); +\& X509_LOOKUP_get_by_issuer_serial_fn X509_LOOKUP_meth_get_get_by_issuer_serial( +\& const X509_LOOKUP_METHOD *method); +\& +\& typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx, +\& X509_LOOKUP_TYPE type, +\& const unsigned char* bytes, +\& int len, +\& X509_OBJECT *ret); +\& int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method, +\& X509_LOOKUP_get_by_fingerprint_fn fn); +\& X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( +\& const X509_LOOKUP_METHOD *method); +\& +\& typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx, +\& X509_LOOKUP_TYPE type, +\& const char *str, +\& int len, +\& X509_OBJECT *ret); +\& int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, +\& X509_LOOKUP_get_by_alias_fn fn); +\& X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( +\& const X509_LOOKUP_METHOD *method); +\& +\& int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); +\& void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); +\& +\& X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); +\& +\& int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj); +\& int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBX509_LOOKUP_METHOD\fR type is a structure used for the implementation of new +X509_LOOKUP types. It provides a set of functions used by OpenSSL for the +implementation of various X509 and X509_CRL lookup capabilities. One instance +of an X509_LOOKUP_METHOD can be associated to many instantiations of an +\&\fBX509_LOOKUP\fR structure. +.PP +\&\fIX509_LOOKUP_meth_new()\fR creates a new \fBX509_LOOKUP_METHOD\fR structure. It should +be given a human-readable string containing a brief description of the lookup +method. +.PP +\&\fIX509_LOOKUP_meth_free()\fR destroys a \fBX509_LOOKUP_METHOD\fR structure. +.PP +\&\fIX509_LOOKUP_get_new_item()\fR and \fIX509_LOOKUP_set_new_item()\fR get and set the +function that is called when an \fBX509_LOOKUP\fR object is created with +\&\fIX509_LOOKUP_new()\fR. If an X509_LOOKUP_METHOD requires any per\-X509_LOOKUP +specific data, the supplied new_item function should allocate this data and +invoke \fIX509_LOOKUP_set_method_data()\fR. +.PP +\&\fIX509_LOOKUP_get_free()\fR and \fIX509_LOOKUP_set_free()\fR get and set the function +that is used to free any method data that was allocated and set from within +new_item function. +.PP +\&\fIX509_LOOKUP_meth_get_init()\fR and \fIX509_LOOKUP_meth_set_init()\fR get and set the +function that is used to initialize the method data that was set with +\&\fIX509_LOOKUP_set_method_data()\fR as part of the new_item routine. +.PP +\&\fIX509_LOOKUP_meth_get_shutdown()\fR and \fIX509_LOOKUP_meth_set_shutdown()\fR get and set +the function that is used to shut down the method data whose state was +previously initialized in the init function. +.PP +\&\fIX509_LOOKUP_meth_get_ctrl()\fR and \fIX509_LOOKUP_meth_set_ctrl()\fR get and set a +function to be used to handle arbitrary control commands issued by +\&\fIX509_LOOKUP_ctrl()\fR. The control function is given the X509_LOOKUP +\&\fBctx\fR, along with the arguments passed by X509_LOOKUP_ctrl. \fBcmd\fR is +an arbitrary integer that defines some operation. \fBargc\fR is a pointer +to an array of characters. \fBargl\fR is an integer. \fBret\fR, if set, +points to a location where any return data should be written to. How +\&\fBargc\fR and \fBargl\fR are used depends entirely on the control function. +.PP +\&\fIX509_LOOKUP_set_get_by_subject()\fR, \fIX509_LOOKUP_set_get_by_issuer_serial()\fR, +\&\fIX509_LOOKUP_set_get_by_fingerprint()\fR, \fIX509_LOOKUP_set_get_by_alias()\fR set +the functions used to retrieve an X509 or X509_CRL object by the object's +subject, issuer, fingerprint, and alias respectively. These functions are given +the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters +related to the lookup, and an X509_OBJECT that will receive the requested +object. +.PP +Implementations should use either \fIX509_OBJECT_set1_X509()\fR or +\&\fIX509_OBJECT_set1_X509_CRL()\fR to set the result. Any method data that was +created as a result of the new_item function set by +\&\fIX509_LOOKUP_meth_set_new_item()\fR can be accessed with +\&\fIX509_LOOKUP_get_method_data()\fR. The \fBX509_STORE\fR object that owns the +X509_LOOKUP may be accessed with \fIX509_LOOKUP_get_store()\fR. Successful lookups +should return 1, and unsuccessful lookups should return 0. +.PP +\&\fIX509_LOOKUP_get_get_by_subject()\fR, \fIX509_LOOKUP_get_get_by_issuer_serial()\fR, +\&\fIX509_LOOKUP_get_get_by_fingerprint()\fR, \fIX509_LOOKUP_get_get_by_alias()\fR retrieve +the function set by the corresponding setter. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The \fBX509_LOOKUP_meth_set\fR functions return 1 on success or 0 on error. +.PP +The \fBX509_LOOKUP_meth_get\fR functions return the corresponding function +pointers. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_STORE_new\fR\|(3), \fISSL_CTX_set_cert_store\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The functions described here were added in OpenSSL 1.1.0i. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 b/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 index bef40f0d6a57..6457de353011 100644 --- a/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 +++ b/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 @@ -128,31 +128,35 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_NAME_ENTRY_get_object 3" -.TH X509_NAME_ENTRY_get_object 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_NAME_ENTRY_GET_OBJECT 3" +.TH X509_NAME_ENTRY_GET_OBJECT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_NAME_ENTRY_get_object, X509_NAME_ENTRY_get_data, -X509_NAME_ENTRY_set_object, X509_NAME_ENTRY_set_data, -X509_NAME_ENTRY_create_by_txt, X509_NAME_ENTRY_create_by_NID, -X509_NAME_ENTRY_create_by_OBJ \- X509_NAME_ENTRY utility functions +X509_NAME_ENTRY_get_object, X509_NAME_ENTRY_get_data, X509_NAME_ENTRY_set_object, X509_NAME_ENTRY_set_data, X509_NAME_ENTRY_create_by_txt, X509_NAME_ENTRY_create_by_NID, X509_NAME_ENTRY_create_by_OBJ \- X509_NAME_ENTRY utility functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); -\& ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); +\& ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne); +\& ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne); \& -\& int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj); -\& int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len); +\& int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj); +\& int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, +\& const unsigned char *bytes, int len); \& -\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len); -\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len); -\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len); +\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, +\& int type, const unsigned char *bytes, +\& int len); +\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, +\& int type, const unsigned char *bytes, +\& int len); +\& X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, +\& const ASN1_OBJECT *obj, int type, +\& const unsigned char *bytes, int len); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -168,12 +172,12 @@ and \fB\s-1ASN1_STRING\s0\fR structure. \&\fBtype\fR and value determined by \fBbytes\fR and \fBlen\fR. .PP \&\fIX509_NAME_ENTRY_create_by_txt()\fR, \fIX509_NAME_ENTRY_create_by_NID()\fR -and \fIX509_NAME_ENTRY_create_by_OBJ()\fR create and return an +and \fIX509_NAME_ENTRY_create_by_OBJ()\fR create and return an \&\fBX509_NAME_ENTRY\fR structure. .SH "NOTES" .IX Header "NOTES" \&\fIX509_NAME_ENTRY_get_object()\fR and \fIX509_NAME_ENTRY_get_data()\fR can be -used to examine an \fBX509_NAME_ENTRY\fR function as returned by +used to examine an \fBX509_NAME_ENTRY\fR function as returned by \&\fIX509_NAME_get_entry()\fR for example. .PP \&\fIX509_NAME_ENTRY_create_by_txt()\fR, \fIX509_NAME_ENTRY_create_by_NID()\fR, @@ -193,10 +197,27 @@ named ones of the corresponding \fBX509_NAME\fR functions such as set first so the relevant field information can be looked up internally. .SH "RETURN VALUES" .IX Header "RETURN VALUES" +\&\fIX509_NAME_ENTRY_get_object()\fR returns a valid \fB\s-1ASN1_OBJECT\s0\fR structure if it is +set or \s-1NULL\s0 if an error occurred. +.PP +\&\fIX509_NAME_ENTRY_get_data()\fR returns a valid \fB\s-1ASN1_STRING\s0\fR structure if it is set +or \s-1NULL\s0 if an error occurred. +.PP +\&\fIX509_NAME_ENTRY_set_object()\fR and \fIX509_NAME_ENTRY_set_data()\fR return 1 on success +or 0 on error. +.PP +\&\fIX509_NAME_ENTRY_create_by_txt()\fR, \fIX509_NAME_ENTRY_create_by_NID()\fR and +\&\fIX509_NAME_ENTRY_create_by_OBJ()\fR return a valid \fBX509_NAME_ENTRY\fR on success or +\&\s-1NULL\s0 if an error occurred. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fId2i_X509_NAME\fR\|(3), \&\fIOBJ_nid2obj\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 b/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 index 5ea00180b71f..6ea996bb5464 100644 --- a/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 +++ b/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 @@ -128,27 +128,29 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_NAME_add_entry_by_txt 3" -.TH X509_NAME_add_entry_by_txt 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_NAME_ADD_ENTRY_BY_TXT 3" +.TH X509_NAME_ADD_ENTRY_BY_TXT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, -X509_NAME_add_entry, X509_NAME_delete_entry \- X509_NAME modification functions +X509_NAME_add_entry_by_txt, X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, X509_NAME_add_entry, X509_NAME_delete_entry \- X509_NAME modification functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set); +\& int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, +\& const unsigned char *bytes, int len, int loc, int set); \& -\& int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set); +\& int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, +\& const unsigned char *bytes, int len, int loc, int set); \& -\& int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set); +\& int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, +\& const unsigned char *bytes, int len, int loc, int set); \& -\& int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set); +\& int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, int set); \& \& X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); .Ve @@ -208,20 +210,21 @@ Create an \fBX509_NAME\fR structure: .PP \&\*(L"C=UK, O=Disorganized Organization, CN=Joe Bloggs\*(R" .PP -.Vb 10 +.Vb 1 \& X509_NAME *nm; +\& \& nm = X509_NAME_new(); \& if (nm == NULL) -\& /* Some error */ -\& if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC, -\& "UK", \-1, \-1, 0)) -\& /* Error */ +\& /* Some error */ +\& if (!X509_NAME_add_entry_by_txt(nm, "C", MBSTRING_ASC, +\& "UK", \-1, \-1, 0)) +\& /* Error */ \& if (!X509_NAME_add_entry_by_txt(nm, "O", MBSTRING_ASC, -\& "Disorganized Organization", \-1, \-1, 0)) -\& /* Error */ +\& "Disorganized Organization", \-1, \-1, 0)) +\& /* Error */ \& if (!X509_NAME_add_entry_by_txt(nm, "CN", MBSTRING_ASC, -\& "Joe Bloggs", \-1, \-1, 0)) -\& /* Error */ +\& "Joe Bloggs", \-1, \-1, 0)) +\& /* Error */ .Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -240,5 +243,11 @@ can result in invalid field types its use is strongly discouraged. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fId2i_X509_NAME\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_X509_SIG.3 b/secure/lib/libcrypto/man/X509_NAME_get0_der.3 similarity index 79% rename from secure/lib/libcrypto/man/d2i_X509_SIG.3 rename to secure/lib/libcrypto/man/X509_NAME_get0_der.3 index fdc4522884df..e1a30b8e89f9 100644 --- a/secure/lib/libcrypto/man/d2i_X509_SIG.3 +++ b/secure/lib/libcrypto/man/X509_NAME_get0_der.3 @@ -128,32 +128,40 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_X509_SIG 3" -.TH d2i_X509_SIG 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_NAME_GET0_DER 3" +.TH X509_NAME_GET0_DER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_X509_SIG, i2d_X509_SIG \- DigestInfo functions. +X509_NAME_get0_der \- get X509_NAME DER encoding .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length); -\& int i2d_X509_SIG(X509_SIG *a, unsigned char **pp); +\& int X509_NAME_get0_der(X509_NAME *nm, const unsigned char **pder, +\& size_t *pderlen) .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions decode and encode an X509_SIG structure which is -equivalent to the \fBDigestInfo\fR structure defined in PKCS#1 and PKCS#7. -.PP -Othewise these behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR -described in the \fId2i_X509\fR\|(3) manual page. +The function \fIX509_NAME_get0_der()\fR returns an internal pointer to the +encoding of an \fBX509_NAME\fR structure in \fB*pder\fR and consisting of +\&\fB*pderlen\fR bytes. It is useful for applications that wish to examine +the encoding of an \fBX509_NAME\fR structure without copying it. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +The function \fIX509_NAME_get0_der()\fR returns 1 for success and 0 if an error +occurred. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fId2i_X509\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 b/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 index 599078d6c5e1..7a9e5a0e9830 100644 --- a/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 +++ b/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 @@ -128,29 +128,27 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_NAME_get_index_by_NID 3" -.TH X509_NAME_get_index_by_NID 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_NAME_GET_INDEX_BY_NID 3" +.TH X509_NAME_GET_INDEX_BY_NID 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_NAME_get_index_by_NID, X509_NAME_get_index_by_OBJ, X509_NAME_get_entry, -X509_NAME_entry_count, X509_NAME_get_text_by_NID, X509_NAME_get_text_by_OBJ \- -X509_NAME lookup and enumeration functions +X509_NAME_get_index_by_NID, X509_NAME_get_index_by_OBJ, X509_NAME_get_entry, X509_NAME_entry_count, X509_NAME_get_text_by_NID, X509_NAME_get_text_by_OBJ \- X509_NAME lookup and enumeration functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos); -\& int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj, int lastpos); +\& int X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos); +\& int X509_NAME_get_index_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int lastpos); \& -\& int X509_NAME_entry_count(X509_NAME *name); -\& X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc); +\& int X509_NAME_entry_count(const X509_NAME *name); +\& X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc); \& -\& int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf,int len); -\& int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,int len); +\& int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len); +\& int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, int len); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -180,11 +178,12 @@ excluding the terminating null. If \fBbuf\fR is <\s-1NULL\s0> then the amount of space needed in \fBbuf\fR (excluding the final null) is returned. .SH "NOTES" .IX Header "NOTES" -\&\fIX509_NAME_get_text_by_NID()\fR and \fIX509_NAME_get_text_by_OBJ()\fR are -legacy functions which have various limitations which make them +\&\fIX509_NAME_get_text_by_NID()\fR and \fIX509_NAME_get_text_by_OBJ()\fR should be +considered deprecated because they +have various limitations which make them of minimal use in practice. They can only find the first matching entry and will copy the contents of the field verbatim: this can -be highly confusing if the target is a muticharacter string type +be highly confusing if the target is a multicharacter string type like a BMPString or a UTF8String. .PP For a more general solution \fIX509_NAME_get_index_by_NID()\fR or @@ -207,11 +206,10 @@ Process all entries: \& int i; \& X509_NAME_ENTRY *e; \& -\& for (i = 0; i < X509_NAME_entry_count(nm); i++) -\& { -\& e = X509_NAME_get_entry(nm, i); -\& /* Do something with e */ -\& } +\& for (i = 0; i < X509_NAME_entry_count(nm); i++) { +\& e = X509_NAME_get_entry(nm, i); +\& /* Do something with e */ +\& } .Ve .PP Process all commonName entries: @@ -220,14 +218,13 @@ Process all commonName entries: \& int lastpos = \-1; \& X509_NAME_ENTRY *e; \& -\& for (;;) -\& { -\& lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); -\& if (lastpos == \-1) -\& break; -\& e = X509_NAME_get_entry(nm, lastpos); -\& /* Do something with e */ -\& } +\& for (;;) { +\& lastpos = X509_NAME_get_index_by_NID(nm, NID_commonName, lastpos); +\& if (lastpos == \-1) +\& break; +\& e = X509_NAME_get_entry(nm, lastpos); +\& /* Do something with e */ +\& } .Ve .SH "RETURN VALUES" .IX Header "RETURN VALUES" @@ -243,6 +240,11 @@ requested entry or \fB\s-1NULL\s0\fR if the index is invalid. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIERR_get_error\fR\|(3), \fId2i_X509_NAME\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_NAME_print_ex.3 b/secure/lib/libcrypto/man/X509_NAME_print_ex.3 index 9b7046492bca..583894b37e75 100644 --- a/secure/lib/libcrypto/man/X509_NAME_print_ex.3 +++ b/secure/lib/libcrypto/man/X509_NAME_print_ex.3 @@ -128,24 +128,23 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_NAME_print_ex 3" -.TH X509_NAME_print_ex 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_NAME_PRINT_EX 3" +.TH X509_NAME_PRINT_EX 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_NAME_print_ex, X509_NAME_print_ex_fp, X509_NAME_print, -X509_NAME_oneline \- X509_NAME printing routines. +X509_NAME_print_ex, X509_NAME_print_ex_fp, X509_NAME_print, X509_NAME_oneline \- X509_NAME printing routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags); -\& int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags); -\& char * X509_NAME_oneline(X509_NAME *a,char *buf,int size); -\& int X509_NAME_print(BIO *bp, X509_NAME *name, int obase); +\& int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, unsigned long flags); +\& int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent, unsigned long flags); +\& char *X509_NAME_oneline(const X509_NAME *a, char *buf, int size); +\& int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -162,15 +161,16 @@ If \fBbuf\fR is \fB\s-1NULL\s0\fR then a buffer is dynamically allocated and ret Otherwise, at most \fBsize\fR bytes will be written, including the ending '\e0', and \fBbuf\fR is returned. .PP -\&\fIX509_NAME_print()\fR prints out \fBname\fR to \fBbp\fR indenting each line by \fBobase\fR +\&\fIX509_NAME_print()\fR prints out \fBname\fR to \fBbp\fR indenting each line by \fBobase\fR characters. Multiple lines are used if the output (including indent) exceeds 80 characters. .SH "NOTES" .IX Header "NOTES" -The functions \fIX509_NAME_oneline()\fR and \fIX509_NAME_print()\fR are legacy functions which +The functions \fIX509_NAME_oneline()\fR and \fIX509_NAME_print()\fR produce a non standard output form, they don't handle multi character fields and -have various quirks and inconsistencies. Their use is strongly discouraged in new -applications. +have various quirks and inconsistencies. +Their use is strongly discouraged in new applications and they could +be deprecated in a future release. .PP Although there are a large number of possible flags for most purposes \&\fB\s-1XN_FLAG_ONELINE\s0\fR, \fB\s-1XN_FLAG_MULTILINE\s0\fR or \fB\s-1XN_FLAG_RFC2253\s0\fR will suffice. @@ -210,7 +210,7 @@ printed instead of the values. If \fB\s-1XN_FLAG_FN_ALIGN\s0\fR is set then field names are padded to 20 characters: this is only of use for multiline format. .PP -Additionally all the options supported by \fIASN1_STRING_print_ex()\fR can be used to +Additionally all the options supported by \fIASN1_STRING_print_ex()\fR can be used to control how each field value is displayed. .PP In addition a number options can be set for commonly used formats. @@ -226,9 +226,23 @@ is equivalent to: \fB\s-1ASN1_STRFLGS_ESC_CTRL\s0 | \s-1ASN1_STRFLGS_ESC_MSB\s0 | \s-1XN_FLAG_SEP_MULTILINE\s0 | \s-1XN_FLAG_SPC_EQ\s0 | \s-1XN_FLAG_FN_LN\s0 | \s-1XN_FLAG_FN_ALIGN\s0\fR .PP \&\fB\s-1XN_FLAG_COMPAT\s0\fR uses a format identical to \fIX509_NAME_print()\fR: in fact it calls \fIX509_NAME_print()\fR internally. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_NAME_oneline()\fR returns a valid string on success or \s-1NULL\s0 on error. +.PP +\&\fIX509_NAME_print()\fR returns 1 on success or 0 on error. +.PP +\&\fIX509_NAME_print_ex()\fR and \fIX509_NAME_print_ex_fp()\fR return 1 on success or 0 on error +if the \fB\s-1XN_FLAG_COMPAT\s0\fR is set, which is the same as \fIX509_NAME_print()\fR. Otherwise, +it returns \-1 on error or other values on success. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIASN1_STRING_print_ex\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_PUBKEY_new.3 b/secure/lib/libcrypto/man/X509_PUBKEY_new.3 new file mode 100644 index 000000000000..d502609ba53a --- /dev/null +++ b/secure/lib/libcrypto/man/X509_PUBKEY_new.3 @@ -0,0 +1,244 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_PUBKEY_NEW 3" +.TH X509_PUBKEY_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_PUBKEY_new, X509_PUBKEY_free, X509_PUBKEY_set, X509_PUBKEY_get0, X509_PUBKEY_get, d2i_PUBKEY, i2d_PUBKEY, d2i_PUBKEY_bio, d2i_PUBKEY_fp, i2d_PUBKEY_fp, i2d_PUBKEY_bio, X509_PUBKEY_set0_param, X509_PUBKEY_get0_param \- SubjectPublicKeyInfo public key functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509_PUBKEY *X509_PUBKEY_new(void); +\& void X509_PUBKEY_free(X509_PUBKEY *a); +\& +\& int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); +\& EVP_PKEY *X509_PUBKEY_get0(X509_PUBKEY *key); +\& EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key); +\& +\& EVP_PKEY *d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp, long length); +\& int i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp); +\& +\& EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); +\& EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); +\& +\& int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey); +\& int i2d_PUBKEY_bio(BIO *bp, EVP_PKEY *pkey); +\& +\& int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, +\& int ptype, void *pval, +\& unsigned char *penc, int penclen); +\& int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, +\& const unsigned char **pk, int *ppklen, +\& X509_ALGOR **pa, X509_PUBKEY *pub); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBX509_PUBKEY\fR structure represents the \s-1ASN.1\s0 \fBSubjectPublicKeyInfo\fR +structure defined in \s-1RFC5280\s0 and used in certificates and certificate requests. +.PP +\&\fIX509_PUBKEY_new()\fR allocates and initializes an \fBX509_PUBKEY\fR structure. +.PP +\&\fIX509_PUBKEY_free()\fR frees up \fBX509_PUBKEY\fR structure \fBa\fR. If \fBa\fR is \s-1NULL\s0 +nothing is done. +.PP +\&\fIX509_PUBKEY_set()\fR sets the public key in \fB*x\fR to the public key contained +in the \fB\s-1EVP_PKEY\s0\fR structure \fBpkey\fR. If \fB*x\fR is not \s-1NULL\s0 any existing +public key structure will be freed. +.PP +\&\fIX509_PUBKEY_get0()\fR returns the public key contained in \fBkey\fR. The returned +value is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed after use. +.PP +\&\fIX509_PUBKEY_get()\fR is similar to \fIX509_PUBKEY_get0()\fR except the reference +count on the returned key is incremented so it \fB\s-1MUST\s0\fR be freed using +\&\fIEVP_PKEY_free()\fR after use. +.PP +\&\fId2i_PUBKEY()\fR and \fIi2d_PUBKEY()\fR decode and encode an \fB\s-1EVP_PKEY\s0\fR structure +using \fBSubjectPublicKeyInfo\fR format. They otherwise follow the conventions of +other \s-1ASN.1\s0 functions such as \fId2i_X509()\fR. +.PP +\&\fId2i_PUBKEY_bio()\fR, \fId2i_PUBKEY_fp()\fR, \fIi2d_PUBKEY_bio()\fR and \fIi2d_PUBKEY_fp()\fR are +similar to \fId2i_PUBKEY()\fR and \fIi2d_PUBKEY()\fR except they decode or encode using a +\&\fB\s-1BIO\s0\fR or \fB\s-1FILE\s0\fR pointer. +.PP +\&\fIX509_PUBKEY_set0_param()\fR sets the public key parameters of \fBpub\fR. The +\&\s-1OID\s0 associated with the algorithm is set to \fBaobj\fR. The type of the +algorithm parameters is set to \fBtype\fR using the structure \fBpval\fR. +The encoding of the public key itself is set to the \fBpenclen\fR +bytes contained in buffer \fBpenc\fR. On success ownership of all the supplied +parameters is passed to \fBpub\fR so they must not be freed after the +call. +.PP +\&\fIX509_PUBKEY_get0_param()\fR retrieves the public key parameters from \fBpub\fR, +\&\fB*ppkalg\fR is set to the associated \s-1OID\s0 and the encoding consists of +\&\fB*ppklen\fR bytes at \fB*pk\fR, \fB*pa\fR is set to the associated +AlgorithmIdentifier for the public key. If the value of any of these +parameters is not required it can be set to \fB\s-1NULL\s0\fR. All of the +retrieved pointers are internal and must not be freed after the +call. +.SH "NOTES" +.IX Header "NOTES" +The \fBX509_PUBKEY\fR functions can be used to encode and decode public keys +in a standard format. +.PP +In many cases applications will not call the \fBX509_PUBKEY\fR functions +directly: they will instead call wrapper functions such as \fIX509_get0_pubkey()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +If the allocation fails, \fIX509_PUBKEY_new()\fR returns \fB\s-1NULL\s0\fR and sets an error +code that can be obtained by \fIERR_get_error\fR\|(3). +.PP +Otherwise it returns a pointer to the newly allocated structure. +.PP +\&\fIX509_PUBKEY_free()\fR does not return a value. +.PP +\&\fIX509_PUBKEY_get0()\fR and \fIX509_PUBKEY_get()\fR return a pointer to an \fB\s-1EVP_PKEY\s0\fR +structure or \fB\s-1NULL\s0\fR if an error occurs. +.PP +\&\fIX509_PUBKEY_set()\fR, \fIX509_PUBKEY_set0_param()\fR and \fIX509_PUBKEY_get0_param()\fR +return 1 for success and 0 if an error occurred. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_X509_CRL.3 b/secure/lib/libcrypto/man/X509_SIG_get0.3 similarity index 78% rename from secure/lib/libcrypto/man/d2i_X509_CRL.3 rename to secure/lib/libcrypto/man/X509_SIG_get0.3 index c6c862fb7964..ec35e5f27ece 100644 --- a/secure/lib/libcrypto/man/d2i_X509_CRL.3 +++ b/secure/lib/libcrypto/man/X509_SIG_get0.3 @@ -128,39 +128,41 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_X509_CRL 3" -.TH d2i_X509_CRL 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_SIG_GET0 3" +.TH X509_SIG_GET0 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_X509_CRL, i2d_X509_CRL, d2i_X509_CRL_bio, d2i_X509_CRL_fp, -i2d_X509_CRL_bio, i2d_X509_CRL_fp \- PKCS#10 certificate request functions. +X509_SIG_get0, X509_SIG_getm \- DigestInfo functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& X509_CRL *d2i_X509_CRL(X509_CRL **a, const unsigned char **pp, long length); -\& int i2d_X509_CRL(X509_CRL *a, unsigned char **pp); -\& -\& X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **x); -\& X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **x); -\& -\& int i2d_X509_CRL_bio(BIO *bp, X509_CRL *x); -\& int i2d_X509_CRL_fp(FILE *fp, X509_CRL *x); +\& void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **palg, +\& const ASN1_OCTET_STRING **pdigest); +\& void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg, +\& ASN1_OCTET_STRING **pdigest, .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions decode and encode an X509 \s-1CRL\s0 (certificate revocation -list). -.PP -Othewise the functions behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR -described in the \fId2i_X509\fR\|(3) manual page. +\&\fIX509_SIG_get0()\fR returns pointers to the algorithm identifier and digest +value in \fBsig\fR. \fIX509_SIG_getm()\fR is identical to \fIX509_SIG_get0()\fR +except the pointers returned are not constant and can be modified: +for example to initialise them. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_SIG_get0()\fR and \fIX509_SIG_getm()\fR return no values. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fId2i_X509\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 index fec1e6341fbc..cfa3d0d6a714 100644 --- a/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 +++ b/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 @@ -128,24 +128,26 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_STORE_CTX_get_error 3" -.TH X509_STORE_CTX_get_error 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_STORE_CTX_GET_ERROR 3" +.TH X509_STORE_CTX_GET_ERROR 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string \- get or set certificate verification status information +X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_set_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_set_current_cert, X509_STORE_CTX_get0_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string \- get or set certificate verification status information .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 +.Vb 1 \& #include -\& #include \& -\& int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); -\& void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s); -\& int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); -\& X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); +\& int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); +\& void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s); +\& int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); +\& void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth); +\& X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); +\& void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x); +\& X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx); \& \& STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); \& @@ -168,9 +170,28 @@ non-negative integer representing where in the certificate chain the error occurred. If it is zero it occurred in the end entity certificate, one if it is the certificate which signed the end entity certificate and so on. .PP +\&\fIX509_STORE_CTX_set_error_depth()\fR sets the error \fBdepth\fR. +This can be used in combination with \fIX509_STORE_CTX_set_error()\fR to set the +depth at which an error condition was detected. +.PP \&\fIX509_STORE_CTX_get_current_cert()\fR returns the certificate in \fBctx\fR which caused the error or \fB\s-1NULL\s0\fR if no certificate is relevant. .PP +\&\fIX509_STORE_CTX_set_current_cert()\fR sets the certificate \fBx\fR in \fBctx\fR which +caused the error. +This value is not intended to remain valid for very long, and remains owned by +the caller. +It may be examined by a verification callback invoked to handle each error +encountered during chain verification and is no longer required after such a +callback. +If a callback wishes the save the certificate for use after it returns, it +needs to increment its reference count via \fIX509_up_ref\fR\|(3). +Once such a \fIsaved\fR certificate is no longer needed it can be freed with +\&\fIX509_free\fR\|(3). +.PP +\&\fIX509_STORE_CTX_get0_cert()\fR retrieves an internal pointer to the +certificate being verified by the \fBctx\fR. +.PP \&\fIX509_STORE_CTX_get1_chain()\fR returns a complete validate chain if a previous call to \fIX509_verify_cert()\fR is successful. If the call to \fIX509_verify_cert()\fR is \fBnot\fR successful the returned chain may be incomplete or invalid. The @@ -178,7 +199,7 @@ returned chain persists after the \fBctx\fR structure is freed, when it is no longer needed it should be free up using: .PP .Vb 1 -\& sk_X509_pop_free(chain, X509_free); +\& sk_X509_pop_free(chain, X509_free); .Ve .PP \&\fIX509_verify_cert_error_string()\fR returns a human readable error string for @@ -189,7 +210,7 @@ verification error \fBn\fR. .PP \&\fIX509_STORE_CTX_get_error_depth()\fR returns a non-negative error depth. .PP -\&\fIX509_STORE_CTX_get_current_cert()\fR returns the cerificate which caused the +\&\fIX509_STORE_CTX_get_current_cert()\fR returns the certificate which caused the error or \fB\s-1NULL\s0\fR if no certificate is relevant to the error. .PP \&\fIX509_verify_cert_error_string()\fR returns a human readable error string for @@ -283,7 +304,7 @@ a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensio consistent with the supplied purpose. .IP "\fBX509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4 .IX Item "X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded" -the basicConstraints pathlength parameter has been exceeded. +the basicConstraints path-length parameter has been exceeded. .IP "\fBX509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4 .IX Item "X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose" the supplied certificate cannot be used for the specified purpose. @@ -378,7 +399,14 @@ numerical value of the unknown code is returned in a static buffer. This is not thread safe but will never happen unless an invalid code is passed. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIX509_verify_cert\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +\&\fIX509_verify_cert\fR\|(3), +\&\fIX509_up_ref\fR\|(3), +\&\fIX509_free\fR\|(3). +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2009\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 index aebd2ee84017..cf61a7d4787c 100644 --- a/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 +++ b/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_STORE_CTX_new 3" -.TH X509_STORE_CTX_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_STORE_CTX_NEW 3" +.TH X509_STORE_CTX_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set_chain, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_set_default \- X509_STORE_CTX initialisation +X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_init, X509_STORE_CTX_set0_trusted_stack, X509_STORE_CTX_set_cert, X509_STORE_CTX_set0_crls, X509_STORE_CTX_get0_chain, X509_STORE_CTX_set0_verified_chain, X509_STORE_CTX_get0_param, X509_STORE_CTX_set0_param, X509_STORE_CTX_get0_untrusted, X509_STORE_CTX_set0_untrusted, X509_STORE_CTX_get_num_untrusted, X509_STORE_CTX_set_default, X509_STORE_CTX_set_verify, X509_STORE_CTX_verify_fn \&\- X509_STORE_CTX initialisation .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -148,15 +148,24 @@ X509_STORE_CTX_new, X509_STORE_CTX_cleanup, X509_STORE_CTX_free, X509_STORE_CTX_ \& int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, \& X509 *x509, STACK_OF(X509) *chain); \& -\& void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); +\& void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); \& -\& void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx,X509 *x); -\& void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx,STACK_OF(X509) *sk); -\& void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk); +\& void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x); +\& STACK_OF(X509) *X509_STORE_CTX_get0_chain(X609_STORE_CTX *ctx); +\& void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *chain); +\& void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk); \& \& X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx); \& void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param); \& int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name); +\& +\& STACK_OF(X509)* X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx); +\& void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); +\& +\& int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx); +\& +\& typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *); +\& void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, X509_STORE_CTX_verify_fn verify); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -170,6 +179,7 @@ The context can then be reused with an new call to \fIX509_STORE_CTX_init()\fR. .PP \&\fIX509_STORE_CTX_free()\fR completely frees up \fBctx\fR. After this call \fBctx\fR is no longer valid. +If \fBctx\fR is \s-1NULL\s0 nothing is done. .PP \&\fIX509_STORE_CTX_init()\fR sets up \fBctx\fR for a subsequent verification operation. It must be called before each call to \fIX509_verify_cert()\fR, i.e. a \fBctx\fR is only @@ -182,15 +192,19 @@ certificates (which will be untrusted but may be used to build the chain) in \&\fBchain\fR. Any or all of the \fBstore\fR, \fBx509\fR and \fBchain\fR parameters can be \&\fB\s-1NULL\s0\fR. .PP -\&\fIX509_STORE_CTX_trusted_stack()\fR sets the set of trusted certificates of \fBctx\fR -to \fBsk\fR. This is an alternative way of specifying trusted certificates +\&\fIX509_STORE_CTX_set0_trusted_stack()\fR sets the set of trusted certificates of +\&\fBctx\fR to \fBsk\fR. This is an alternative way of specifying trusted certificates instead of using an \fBX509_STORE\fR. .PP -\&\fIX509_STORE_CTX_set_cert()\fR sets the certificate to be vertified in \fBctx\fR to +\&\fIX509_STORE_CTX_set_cert()\fR sets the certificate to be verified in \fBctx\fR to \&\fBx\fR. .PP -\&\fIX509_STORE_CTX_set_chain()\fR sets the additional certificate chain used by \fBctx\fR -to \fBsk\fR. +\&\fIX509_STORE_CTX_set0_verified_chain()\fR sets the validated chain used +by \fBctx\fR to be \fBchain\fR. +Ownership of the chain is transferred to \fBctx\fR and should not be +free'd by the caller. +\&\fIX509_STORE_CTX_get0_chain()\fR returns a the internal pointer used by the +\&\fBctx\fR that contains the validated chain. .PP \&\fIX509_STORE_CTX_set0_crls()\fR sets a set of CRLs to use to aid certificate verification to \fBsk\fR. These CRLs will only be used if \s-1CRL\s0 verification is @@ -198,35 +212,42 @@ enabled in the associated \fBX509_VERIFY_PARAM\fR structure. This might be used where additional \*(L"useful\*(R" CRLs are supplied as part of a protocol, for example in a PKCS#7 structure. .PP -X509_VERIFY_PARAM *\fIX509_STORE_CTX_get0_param()\fR retrieves an intenal pointer +\&\fIX509_STORE_CTX_get0_param()\fR retrieves an internal pointer to the verification parameters associated with \fBctx\fR. .PP -\&\fIX509_STORE_CTX_set0_param()\fR sets the intenal verification parameter pointer +\&\fIX509_STORE_CTX_get0_untrusted()\fR retrieves an internal pointer to the +stack of untrusted certificates associated with \fBctx\fR. +.PP +\&\fIX509_STORE_CTX_set0_untrusted()\fR sets the internal point to the stack +of untrusted certificates associated with \fBctx\fR to \fBsk\fR. +.PP +\&\fIX509_STORE_CTX_set0_param()\fR sets the internal verification parameter pointer to \fBparam\fR. After this call \fBparam\fR should not be used. .PP \&\fIX509_STORE_CTX_set_default()\fR looks up and sets the default verification method to \fBname\fR. This uses the function \fIX509_VERIFY_PARAM_lookup()\fR to find an appropriate set of parameters from \fBname\fR. +.PP +\&\fIX509_STORE_CTX_get_num_untrusted()\fR returns the number of untrusted certificates +that were used in building the chain following a call to \fIX509_verify_cert()\fR. +.PP +\&\fIX509_STORE_CTX_set_verify()\fR provides the capability for overriding the default +verify function. This function is responsible for verifying chain signatures and +expiration times. +.PP +A verify function is defined as an X509_STORE_CTX_verify type which has the +following signature: +.PP +.Vb 1 +\& int (*verify)(X509_STORE_CTX *); +.Ve +.PP +This function should receive the current X509_STORE_CTX as a parameter and +return 1 on success or 0 on failure. .SH "NOTES" .IX Header "NOTES" The certificates and CRLs in a store are used internally and should \fBnot\fR -be freed up until after the associated \fBX509_STORE_CTX\fR is freed. Legacy -applications might implicitly use an \fBX509_STORE_CTX\fR like this: -.PP -.Vb 2 -\& X509_STORE_CTX ctx; -\& X509_STORE_CTX_init(&ctx, store, cert, chain); -.Ve -.PP -this is \fBnot\fR recommended in new applications they should instead do: -.PP -.Vb 5 -\& X509_STORE_CTX *ctx; -\& ctx = X509_STORE_CTX_new(); -\& if (ctx == NULL) -\& /* Bad error */ -\& X509_STORE_CTX_init(ctx, store, cert, chain); -.Ve +be freed up until after the associated \fBX509_STORE_CTX\fR is freed. .SH "BUGS" .IX Header "BUGS" The certificates and CRLs in a context are used internally and should \fBnot\fR @@ -242,12 +263,16 @@ error occurred. \&\fIX509_STORE_CTX_get0_param()\fR returns a pointer to an \fBX509_VERIFY_PARAM\fR structure or \fB\s-1NULL\s0\fR if an error occurred. .PP -\&\fIX509_STORE_CTX_cleanup()\fR, \fIX509_STORE_CTX_free()\fR, \fIX509_STORE_CTX_trusted_stack()\fR, -\&\fIX509_STORE_CTX_set_cert()\fR, \fIX509_STORE_CTX_set_chain()\fR, +\&\fIX509_STORE_CTX_cleanup()\fR, \fIX509_STORE_CTX_free()\fR, +\&\fIX509_STORE_CTX_set0_trusted_stack()\fR, +\&\fIX509_STORE_CTX_set_cert()\fR, \&\fIX509_STORE_CTX_set0_crls()\fR and \fIX509_STORE_CTX_set0_param()\fR do not return values. .PP \&\fIX509_STORE_CTX_set_default()\fR returns 1 for success or 0 if an error occurred. +.PP +\&\fIX509_STORE_CTX_get_num_untrusted()\fR returns the number of untrusted certificates +used. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIX509_verify_cert\fR\|(3) @@ -255,3 +280,12 @@ values. .SH "HISTORY" .IX Header "HISTORY" \&\fIX509_STORE_CTX_set0_crls()\fR was first added to OpenSSL 1.0.0 +\&\fIX509_STORE_CTX_get_num_untrusted()\fR was first added to OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2009\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 index 9a6570b2ba90..ad66efab3d10 100644 --- a/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 +++ b/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 @@ -128,21 +128,36 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_STORE_CTX_set_verify_cb 3" -.TH X509_STORE_CTX_set_verify_cb 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_STORE_CTX_SET_VERIFY_CB 3" +.TH X509_STORE_CTX_SET_VERIFY_CB 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_STORE_CTX_set_verify_cb \- set verification callback +X509_STORE_CTX_get_cleanup, X509_STORE_CTX_get_lookup_crls, X509_STORE_CTX_get_lookup_certs, X509_STORE_CTX_get_check_policy, X509_STORE_CTX_get_cert_crl, X509_STORE_CTX_get_check_crl, X509_STORE_CTX_get_get_crl, X509_STORE_CTX_get_check_revocation, X509_STORE_CTX_get_check_issued, X509_STORE_CTX_get_get_issuer, X509_STORE_CTX_get_verify_cb, X509_STORE_CTX_set_verify_cb, X509_STORE_CTX_verify_cb \&\- get and set verification callback .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& +\& typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); +\& +\& X509_STORE_CTX_verify_cb X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx); +\& \& void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, -\& int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); +\& X509_STORE_CTX_verify_cb verify_cb); +\& +\& X509_STORE_CTX_get_issuer_fn X509_STORE_CTX_get_get_issuer(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_check_issued_fn X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_check_revocation_fn X509_STORE_CTX_get_check_revocation(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_get_crl_fn X509_STORE_CTX_get_get_crl(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_check_crl_fn X509_STORE_CTX_get_check_crl(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_cert_crl_fn X509_STORE_CTX_get_cert_crl(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_check_policy_fn X509_STORE_CTX_get_check_policy(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_lookup_certs_fn X509_STORE_CTX_get_lookup_certs(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_lookup_crls_fn X509_STORE_CTX_get_lookup_crls(X509_STORE_CTX *ctx); +\& X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -157,7 +172,7 @@ However a verification callback is \fBnot\fR essential and the default operation is often sufficient. .PP The \fBok\fR parameter to the callback indicates the value the callback should -return to retain the default behaviour. If it is zero then and error condition +return to retain the default behaviour. If it is zero then an error condition is indicated. If it is 1 then no error occurred. If the flag \&\fBX509_V_FLAG_NOTIFY_POLICY\fR is set then \fBok\fR is set to 2 to indicate the policy checking is complete. @@ -167,6 +182,18 @@ is performing the verification operation. A callback can examine this structure and receive additional information about the error, for example by calling \fIX509_STORE_CTX_get_current_cert()\fR. Additional application data can be passed to the callback via the \fBex_data\fR mechanism. +.PP +\&\fIX509_STORE_CTX_get_verify_cb()\fR returns the value of the current callback +for the specific \fBctx\fR. +.PP +\&\fIX509_STORE_CTX_get_get_issuer()\fR, +\&\fIX509_STORE_CTX_get_check_issued()\fR, \fIX509_STORE_CTX_get_check_revocation()\fR, +\&\fIX509_STORE_CTX_get_get_crl()\fR, \fIX509_STORE_CTX_get_check_crl()\fR, +\&\fIX509_STORE_CTX_get_cert_crl()\fR, \fIX509_STORE_CTX_get_check_policy()\fR, +\&\fIX509_STORE_CTX_get_lookup_certs()\fR, \fIX509_STORE_CTX_get_lookup_crls()\fR +and \fIX509_STORE_CTX_get_cleanup()\fR return the function pointers cached +from the corresponding \fBX509_STORE\fR, please see +\&\fIX509_STORE_set_verify\fR\|(3) for more information. .SH "WARNING" .IX Header "WARNING" In general a verification callback should \fB\s-1NOT\s0\fR unconditionally return 1 in @@ -188,42 +215,40 @@ associated \fBX509_STORE\fR. .IX Header "EXAMPLES" Default callback operation: .PP -.Vb 4 -\& int verify_callback(int ok, X509_STORE_CTX *ctx) -\& { -\& return ok; -\& } +.Vb 3 +\& int verify_callback(int ok, X509_STORE_CTX *ctx) { +\& return ok; +\& } .Ve .PP Simple example, suppose a certificate in the chain is expired and we wish to continue after this error: .PP -.Vb 8 -\& int verify_callback(int ok, X509_STORE_CTX *ctx) -\& { -\& /* Tolerate certificate expiration */ -\& if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) -\& return 1; -\& /* Otherwise don\*(Aqt override */ -\& return ok; -\& } +.Vb 7 +\& int verify_callback(int ok, X509_STORE_CTX *ctx) { +\& /* Tolerate certificate expiration */ +\& if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_CERT_HAS_EXPIRED) +\& return 1; +\& /* Otherwise don\*(Aqt override */ +\& return ok; +\& } .Ve .PP More complex example, we don't wish to continue after \fBany\fR certificate has expired just one specific case: .PP -.Vb 11 +.Vb 4 \& int verify_callback(int ok, X509_STORE_CTX *ctx) -\& { -\& int err = X509_STORE_CTX_get_error(ctx); -\& X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); -\& if (err == X509_V_ERR_CERT_HAS_EXPIRED) -\& { -\& if (check_is_acceptable_expired_cert(err_cert) -\& return 1; -\& } -\& return ok; -\& } +\& { +\& int err = X509_STORE_CTX_get_error(ctx); +\& X509 *err_cert = X509_STORE_CTX_get_current_cert(ctx); +\& +\& if (err == X509_V_ERR_CERT_HAS_EXPIRED) { +\& if (check_is_acceptable_expired_cert(err_cert) +\& return 1; +\& } +\& return ok; +\& } .Ve .PP Full featured logging callback. In this case the \fBbio_err\fR is assumed to be @@ -232,56 +257,54 @@ a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in .PP .Vb 4 \& int verify_callback(int ok, X509_STORE_CTX *ctx) -\& { -\& X509 *err_cert; -\& int err,depth; +\& { +\& X509 *err_cert; +\& int err, depth; \& -\& err_cert = X509_STORE_CTX_get_current_cert(ctx); -\& err = X509_STORE_CTX_get_error(ctx); -\& depth = X509_STORE_CTX_get_error_depth(ctx); +\& err_cert = X509_STORE_CTX_get_current_cert(ctx); +\& err = X509_STORE_CTX_get_error(ctx); +\& depth = X509_STORE_CTX_get_error_depth(ctx); \& -\& BIO_printf(bio_err,"depth=%d ",depth); -\& if (err_cert) -\& { -\& X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), -\& 0, XN_FLAG_ONELINE); -\& BIO_puts(bio_err, "\en"); -\& } -\& else -\& BIO_puts(bio_err, "\en"); -\& if (!ok) -\& BIO_printf(bio_err,"verify error:num=%d:%s\en",err, -\& X509_verify_cert_error_string(err)); -\& switch (err) -\& { -\& case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: -\& BIO_puts(bio_err,"issuer= "); -\& X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), -\& 0, XN_FLAG_ONELINE); -\& BIO_puts(bio_err, "\en"); -\& break; -\& case X509_V_ERR_CERT_NOT_YET_VALID: -\& case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: -\& BIO_printf(bio_err,"notBefore="); -\& ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert)); -\& BIO_printf(bio_err,"\en"); -\& break; -\& case X509_V_ERR_CERT_HAS_EXPIRED: -\& case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: -\& BIO_printf(bio_err,"notAfter="); -\& ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert)); -\& BIO_printf(bio_err,"\en"); -\& break; -\& case X509_V_ERR_NO_EXPLICIT_POLICY: -\& policies_print(bio_err, ctx); -\& break; -\& } -\& if (err == X509_V_OK && ok == 2) -\& /* print out policies */ +\& BIO_printf(bio_err, "depth=%d ", depth); +\& if (err_cert) { +\& X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), +\& 0, XN_FLAG_ONELINE); +\& BIO_puts(bio_err, "\en"); +\& } +\& else +\& BIO_puts(bio_err, "\en"); +\& if (!ok) +\& BIO_printf(bio_err, "verify error:num=%d:%s\en", err, +\& X509_verify_cert_error_string(err)); +\& switch (err) { +\& case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: +\& BIO_puts(bio_err, "issuer= "); +\& X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), +\& 0, XN_FLAG_ONELINE); +\& BIO_puts(bio_err, "\en"); +\& break; +\& case X509_V_ERR_CERT_NOT_YET_VALID: +\& case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: +\& BIO_printf(bio_err, "notBefore="); +\& ASN1_TIME_print(bio_err, X509_get_notBefore(err_cert)); +\& BIO_printf(bio_err, "\en"); +\& break; +\& case X509_V_ERR_CERT_HAS_EXPIRED: +\& case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: +\& BIO_printf(bio_err, "notAfter="); +\& ASN1_TIME_print(bio_err, X509_get_notAfter(err_cert)); +\& BIO_printf(bio_err, "\en"); +\& break; +\& case X509_V_ERR_NO_EXPLICIT_POLICY: +\& policies_print(bio_err, ctx); +\& break; +\& } +\& if (err == X509_V_OK && ok == 2) +\& /* print out policies */ \& -\& BIO_printf(bio_err,"verify return:%d\en",ok); -\& return(ok); -\& } +\& BIO_printf(bio_err, "verify return:%d\en", ok); +\& return(ok); +\& } .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" @@ -290,5 +313,17 @@ a global logging \fB\s-1BIO\s0\fR, an alternative would to store a \s-1BIO\s0 in \&\fIX509_STORE_CTX_get_ex_new_index\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIX509_STORE_CTX_set_verify_cb()\fR is available in all versions of SSLeay and -OpenSSL. +\&\fIX509_STORE_CTX_get_get_issuer()\fR, +\&\fIX509_STORE_CTX_get_check_issued()\fR, \fIX509_STORE_CTX_get_check_revocation()\fR, +\&\fIX509_STORE_CTX_get_get_crl()\fR, \fIX509_STORE_CTX_get_check_crl()\fR, +\&\fIX509_STORE_CTX_get_cert_crl()\fR, \fIX509_STORE_CTX_get_check_policy()\fR, +\&\fIX509_STORE_CTX_get_lookup_certs()\fR, \fIX509_STORE_CTX_get_lookup_crls()\fR +and \fIX509_STORE_CTX_get_cleanup()\fR were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2009\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_STORE_add_cert.3 b/secure/lib/libcrypto/man/X509_STORE_add_cert.3 new file mode 100644 index 000000000000..334ca133a962 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_STORE_add_cert.3 @@ -0,0 +1,224 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_STORE_ADD_CERT 3" +.TH X509_STORE_ADD_CERT 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_STORE_add_cert, X509_STORE_add_crl, X509_STORE_set_depth, X509_STORE_set_flags, X509_STORE_set_purpose, X509_STORE_set_trust, X509_STORE_load_locations, X509_STORE_set_default_paths \&\- X509_STORE manipulation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int X509_STORE_add_cert(X509_STORE *ctx, X509 *x); +\& int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x); +\& int X509_STORE_set_depth(X509_STORE *store, int depth); +\& int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags); +\& int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); +\& int X509_STORE_set_trust(X509_STORE *ctx, int trust); +\& +\& int X509_STORE_load_locations(X509_STORE *ctx, +\& const char *file, const char *dir); +\& int X509_STORE_set_default_paths(X509_STORE *ctx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBX509_STORE\fR structure is intended to be a consolidated mechanism for +holding information about X.509 certificates and CRLs, and constructing +and validating chains of certificates terminating in trusted roots. +It admits multiple lookup mechanisms and efficient scaling performance +with large numbers of certificates, and a great deal of flexibility in +how validation and policy checks are performed. +.PP +\&\fIX509_STORE_new\fR\|(3) creates an empty \fBX509_STORE\fR structure, which contains +no information about trusted certificates or where such certificates +are located on disk, and is generally not usable. Normally, trusted +certificates will be added to the \fBX509_STORE\fR to prepare it for use, +via mechanisms such as \fIX509_STORE_add_lookup()\fR and \fIX509_LOOKUP_file()\fR, or +\&\fIPEM_read_bio_X509_AUX()\fR and \fIX509_STORE_add_cert()\fR. CRLs can also be added, +and many behaviors configured as desired. +.PP +Once the \fBX509_STORE\fR is suitably configured, \fIX509_STORE_CTX_new()\fR is +used to instantiate a single-use \fBX509_STORE_CTX\fR for each chain-building +and verification operation. That process includes providing the end-entity +certificate to be verified and an additional set of untrusted certificates +that may be used in chain-building. As such, it is expected that the +certificates included in the \fBX509_STORE\fR are certificates that represent +trusted entities such as root certificate authorities (CAs). +OpenSSL represents these trusted certificates internally as \fBX509\fR objects +with an associated \fBX509_CERT_AUX\fR, as are produced by +\&\fIPEM_read_bio_X509_AUX()\fR and similar routines that refer to X509_AUX. +The public interfaces that operate on such trusted certificates still +operate on pointers to \fBX509\fR objects, though. +.PP +\&\fIX509_STORE_add_cert()\fR and \fIX509_STORE_add_crl()\fR add the respective object +to the \fBX509_STORE\fR's local storage. Untrusted objects should not be +added in this way. +.PP +\&\fIX509_STORE_set_depth()\fR, \fIX509_STORE_set_flags()\fR, \fIX509_STORE_set_purpose()\fR, +\&\fIX509_STORE_set_trust()\fR, and \fIX509_STORE_set1_param()\fR set the default values +for the corresponding values used in certificate chain validation. Their +behavior is documented in the corresponding \fBX509_VERIFY_PARAM\fR manual +pages, e.g., \fIX509_VERIFY_PARAM_set_depth\fR\|(3). +.PP +\&\fIX509_STORE_load_locations()\fR loads trusted certificate(s) into an +\&\fBX509_STORE\fR from a given file and/or directory path. It is permitted +to specify just a file, just a directory, or both paths. The certificates +in the directory must be in hashed form, as documented in +\&\fIX509_LOOKUP_hash_dir\fR\|(3). +.PP +\&\fIX509_STORE_set_default_paths()\fR is somewhat misnamed, in that it does not +set what default paths should be used for loading certificates. Instead, +it loads certificates into the \fBX509_STORE\fR from the hardcoded default +paths. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_STORE_add_cert()\fR, \fIX509_STORE_add_crl()\fR, \fIX509_STORE_set_depth()\fR, +\&\fIX509_STORE_set_flags()\fR, \fIX509_STORE_set_purpose()\fR, +\&\fIX509_STORE_set_trust()\fR, \fIX509_STORE_load_locations()\fR, and +\&\fIX509_STORE_set_default_paths()\fR return 1 on success or 0 on failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_LOOKUP_hash_dir\fR\|(3). +\&\fIX509_VERIFY_PARAM_set_depth\fR\|(3). +\&\fIX509_STORE_new\fR\|(3), +\&\fIX509_STORE_get0_param\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_STORE_get0_param.3 b/secure/lib/libcrypto/man/X509_STORE_get0_param.3 new file mode 100644 index 000000000000..2fa0c003dc9b --- /dev/null +++ b/secure/lib/libcrypto/man/X509_STORE_get0_param.3 @@ -0,0 +1,182 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_STORE_GET0_PARAM 3" +.TH X509_STORE_GET0_PARAM 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_STORE_get0_param, X509_STORE_set1_param, X509_STORE_get0_objects \- X509_STORE setter and getter functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx); +\& int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *pm); +\& STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *ctx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_STORE_set1_param()\fR sets the verification parameters +to \fBpm\fR for \fBctx\fR. +.PP +\&\fIX509_STORE_get0_param()\fR retrieves an internal pointer to the verification +parameters for \fBctx\fR. The returned pointer must not be freed by the +calling application +.PP +\&\fIX509_STORE_get0_objects()\fR retrieve an internal pointer to the store's +X509 object cache. The cache contains \fBX509\fR and \fBX509_CRL\fR objects. The +returned pointer must not be freed by the calling application. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_STORE_get0_param()\fR returns a pointer to an +\&\fBX509_VERIFY_PARAM\fR structure. +.PP +\&\fIX509_STORE_set1_param()\fR returns 1 for success and 0 for failure. +.PP +\&\fIX509_STORE_get0_objects()\fR returns a pointer to a stack of \fBX509_OBJECT\fR. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_STORE_new\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fBX509_STORE_get0_param\fR and \fBX509_STORE_get0_objects\fR were added in +OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_STORE_new.3 b/secure/lib/libcrypto/man/X509_STORE_new.3 new file mode 100644 index 000000000000..8a64f912701d --- /dev/null +++ b/secure/lib/libcrypto/man/X509_STORE_new.3 @@ -0,0 +1,184 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_STORE_NEW 3" +.TH X509_STORE_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_STORE_new, X509_STORE_up_ref, X509_STORE_free, X509_STORE_lock, X509_STORE_unlock \- X509_STORE allocation, freeing and locking functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509_STORE *X509_STORE_new(void); +\& void X509_STORE_free(X509_STORE *v); +\& int X509_STORE_lock(X509_STORE *v); +\& int X509_STORE_unlock(X509_STORE *v); +\& int X509_STORE_up_ref(X509_STORE *v); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fIX509_STORE_new()\fR function returns a new X509_STORE. +.PP +\&\fIX509_STORE_up_ref()\fR increments the reference count associated with the +X509_STORE object. +.PP +\&\fIX509_STORE_lock()\fR locks the store from modification by other threads, +\&\fIX509_STORE_unlock()\fR locks it. +.PP +\&\fIX509_STORE_free()\fR frees up a single X509_STORE object. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_STORE_new()\fR returns a newly created X509_STORE or \s-1NULL\s0 if the call fails. +.PP +\&\fIX509_STORE_up_ref()\fR, \fIX509_STORE_lock()\fR and \fIX509_STORE_unlock()\fR return +1 for success and 0 for failure. +.PP +\&\fIX509_STORE_free()\fR does not return values. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_STORE_set_verify_cb_func\fR\|(3) +\&\fIX509_STORE_get0_param\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +The \fIX509_STORE_up_ref()\fR, \fIX509_STORE_lock()\fR and \fIX509_STORE_unlock()\fR +functions were added in OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 b/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 index a02ac6290949..3a92af5cf370 100644 --- a/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 +++ b/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 @@ -128,53 +128,232 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_STORE_set_verify_cb_func 3" -.TH X509_STORE_set_verify_cb_func 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_STORE_SET_VERIFY_CB_FUNC 3" +.TH X509_STORE_SET_VERIFY_CB_FUNC 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb \- set verification callback +X509_STORE_set_lookup_crls_cb, X509_STORE_set_verify_func, X509_STORE_get_cleanup, X509_STORE_set_cleanup, X509_STORE_get_lookup_crls, X509_STORE_set_lookup_crls, X509_STORE_get_lookup_certs, X509_STORE_set_lookup_certs, X509_STORE_get_check_policy, X509_STORE_set_check_policy, X509_STORE_get_cert_crl, X509_STORE_set_cert_crl, X509_STORE_get_check_crl, X509_STORE_set_check_crl, X509_STORE_get_get_crl, X509_STORE_set_get_crl, X509_STORE_get_check_revocation, X509_STORE_set_check_revocation, X509_STORE_get_check_issued, X509_STORE_set_check_issued, X509_STORE_get_get_issuer, X509_STORE_set_get_issuer, X509_STORE_CTX_get_verify, X509_STORE_set_verify, X509_STORE_get_verify_cb, X509_STORE_set_verify_cb_func, X509_STORE_set_verify_cb, X509_STORE_CTX_cert_crl_fn, X509_STORE_CTX_check_crl_fn, X509_STORE_CTX_check_issued_fn, X509_STORE_CTX_check_policy_fn, X509_STORE_CTX_check_revocation_fn, X509_STORE_CTX_cleanup_fn, X509_STORE_CTX_get_crl_fn, X509_STORE_CTX_get_issuer_fn, X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn \&\- set verification callback .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& void X509_STORE_set_verify_cb(X509_STORE *st, -\& int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); +\& typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer, +\& X509_STORE_CTX *ctx, X509 *x); +\& typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, +\& X509 *x, X509 *issuer); +\& typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); +\& typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, +\& X509_CRL **crl, X509 *x); +\& typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl); +\& typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx, +\& X509_CRL *crl, X509 *x); +\& typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx); +\& typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx, +\& X509_NAME *nm); +\& typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(X509_STORE_CTX *ctx, +\& X509_NAME *nm); +\& typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx); \& +\& void X509_STORE_set_verify_cb(X509_STORE *ctx, +\& X509_STORE_CTX_verify_cb verify_cb); +\& X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_verify(X509_STORE *ctx, X509_STORE_CTX_verify_fn verify); +\& X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_get_issuer(X509_STORE *ctx, +\& X509_STORE_CTX_get_issuer_fn get_issuer); +\& X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_check_issued(X509_STORE *ctx, +\& X509_STORE_CTX_check_issued_fn check_issued); +\& X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_check_revocation(X509_STORE *ctx, +\& X509_STORE_CTX_check_revocation_fn check_revocation); +\& X509_STORE_CTX_check_revocation_fn X509_STORE_get_check_revocation(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_get_crl(X509_STORE *ctx, +\& X509_STORE_CTX_get_crl_fn get_crl); +\& X509_STORE_CTX_get_crl_fn X509_STORE_get_get_crl(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_check_crl(X509_STORE *ctx, +\& X509_STORE_CTX_check_crl_fn check_crl); +\& X509_STORE_CTX_check_crl_fn X509_STORE_get_check_crl(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_cert_crl(X509_STORE *ctx, +\& X509_STORE_CTX_cert_crl_fn cert_crl); +\& X509_STORE_CTX_cert_crl_fn X509_STORE_get_cert_crl(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_check_policy(X509_STORE *ctx, +\& X509_STORE_CTX_check_policy_fn check_policy); +\& X509_STORE_CTX_check_policy_fn X509_STORE_get_check_policy(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_lookup_certs(X509_STORE *ctx, +\& X509_STORE_CTX_lookup_certs_fn lookup_certs); +\& X509_STORE_CTX_lookup_certs_fn X509_STORE_get_lookup_certs(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_lookup_crls(X509_STORE *ctx, +\& X509_STORE_CTX_lookup_crls_fn lookup_crls); +\& X509_STORE_CTX_lookup_crls_fn X509_STORE_get_lookup_crls(X509_STORE_CTX *ctx); +\& +\& void X509_STORE_set_cleanup(X509_STORE *ctx, +\& X509_STORE_CTX_cleanup_fn cleanup); +\& X509_STORE_CTX_cleanup_fn X509_STORE_get_cleanup(X509_STORE_CTX *ctx); +\& +\& /* Aliases */ \& void X509_STORE_set_verify_cb_func(X509_STORE *st, -\& int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); +\& X509_STORE_CTX_verify_cb verify_cb); +\& void X509_STORE_set_verify_func(X509_STORE *ctx, +\& X509_STORE_CTX_verify_fn verify); +\& void X509_STORE_set_lookup_crls_cb(X509_STORE *ctx, +\& X509_STORE_CTX_lookup_crls_fn lookup_crls); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fIX509_STORE_set_verify_cb()\fR sets the verification callback of \fBctx\fR to -\&\fBverify_cb\fR overwriting any existing callback. +\&\fBverify_cb\fR overwriting the previous callback. +The callback assigned with this function becomes a default for the one +that can be assigned directly to the corresponding \fBX509_STORE_CTX\fR, +please see \fIX509_STORE_CTX_set_verify_cb\fR\|(3) for further information. .PP -\&\fIX509_STORE_set_verify_cb_func()\fR also sets the verification callback but it -is implemented as a macro. +\&\fIX509_STORE_set_verify()\fR sets the final chain verification function for +\&\fBctx\fR to \fBverify\fR. +Its purpose is to go through the chain of certificates and check that +all signatures are valid and that the current time is within the +limits of each certificate's first and last validity time. +The final chain verification functions must return 0 on failure and 1 +on success. +\&\fIIf no chain verification function is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_get_issuer()\fR sets the function to get the issuer +certificate that verifies the given certificate \fBx\fR. +When found, the issuer certificate must be assigned to \fB*issuer\fR. +This function must return 0 on failure and 1 on success. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_check_issued()\fR sets the function to check that a given +certificate \fBx\fR is issued with the issuer certificate \fBissuer\fR. +This function must return 0 on failure (among others if \fBx\fR hasn't +been issued with \fBissuer\fR) and 1 on success. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_check_revocation()\fR sets the revocation checking +function. +Its purpose is to look through the final chain and check the +revocation status for each certificate. +It must return 0 on failure and 1 on success. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_get_crl()\fR sets the function to get the crl for a given +certificate \fBx\fR. +When found, the crl must be assigned to \fB*crl\fR. +This function must return 0 on failure and 1 on success. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_check_crl()\fR sets the function to check the validity of +the given \fBcrl\fR. +This function must return 0 on failure and 1 on success. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_cert_crl()\fR sets the function to check the revocation +status of the given certificate \fBx\fR against the given \fBcrl\fR. +This function must return 0 on failure and 1 on success. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_check_policy()\fR sets the function to check the policies +of all the certificates in the final chain.. +This function must return 0 on failure and 1 on success. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_lookup_certs()\fR and \fIX509_STORE_set_lookup_crls()\fR set the +functions to look up all the certs or all the CRLs that match the +given name \fBnm\fR. +These functions return \s-1NULL\s0 on failure and a pointer to a stack of +certificates (\fBX509\fR) or to a stack of CRLs (\fBX509_CRL\fR) on +success. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_set_cleanup()\fR sets the final cleanup function, which is +called when the context (\fBX509_STORE_CTX\fR) is being torn down. +This function doesn't return any value. +\&\fIIf no function to get the issuer is provided, the internal default +function will be used instead.\fR +.PP +\&\fIX509_STORE_get_verify_cb()\fR, \fIX509_STORE_CTX_get_verify()\fR, +\&\fIX509_STORE_get_get_issuer()\fR, \fIX509_STORE_get_check_issued()\fR, +\&\fIX509_STORE_get_check_revocation()\fR, \fIX509_STORE_get_get_crl()\fR, +\&\fIX509_STORE_get_check_crl()\fR, \fIX509_STORE_set_verify()\fR, +\&\fIX509_STORE_set_get_issuer()\fR, \fIX509_STORE_get_cert_crl()\fR, +\&\fIX509_STORE_get_check_policy()\fR, \fIX509_STORE_get_lookup_certs()\fR, +\&\fIX509_STORE_get_lookup_crls()\fR and \fIX509_STORE_get_cleanup()\fR all return +the function pointer assigned with \fIX509_STORE_set_check_issued()\fR, +\&\fIX509_STORE_set_check_revocation()\fR, \fIX509_STORE_set_get_crl()\fR, +\&\fIX509_STORE_set_check_crl()\fR, \fIX509_STORE_set_cert_crl()\fR, +\&\fIX509_STORE_set_check_policy()\fR, \fIX509_STORE_set_lookup_certs()\fR, +\&\fIX509_STORE_set_lookup_crls()\fR and \fIX509_STORE_set_cleanup()\fR, or \s-1NULL\s0 if +no assignment has been made. +.PP +\&\fIX509_STORE_set_verify_cb_func()\fR, \fIX509_STORE_set_verify_func()\fR and +\&\fIX509_STORE_set_lookup_crls_cb()\fR are aliases for +\&\fIX509_STORE_set_verify_cb()\fR, \fIX509_STORE_set_verify()\fR and +X509_STORE_set_lookup_crls, available as macros for backward +compatibility. .SH "NOTES" .IX Header "NOTES" -The verification callback from an \fBX509_STORE\fR is inherited by -the corresponding \fBX509_STORE_CTX\fR structure when it is initialized. This can -be used to set the verification callback when the \fBX509_STORE_CTX\fR is -otherwise inaccessible (for example during S/MIME verification). +All the callbacks from a \fBX509_STORE\fR are inherited by the +corresponding \fBX509_STORE_CTX\fR structure when it is initialized. +See \fIX509_STORE_CTX_set_verify_cb\fR\|(3) for further details. .SH "BUGS" .IX Header "BUGS" -The macro version of this function was the only one available before +The macro version of this function was the only one available before OpenSSL 1.0.0. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIX509_STORE_set_verify_cb()\fR and \fIX509_STORE_set_verify_cb_func()\fR do not return -a value. +The X509_STORE_set_*() functions do not return a value. +.PP +The X509_STORE_get_*() functions return a pointer of the appropriate +function type. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIX509_STORE_CTX_set_verify_cb\fR\|(3) +\&\fIX509_STORE_CTX_set_verify_cb\fR\|(3), \fIX509_STORE_CTX_get0_chain\fR\|(3), +\&\fIX509_STORE_CTX_verify_cb\fR\|(3), \fIX509_STORE_CTX_verify_fn\fR\|(3), \&\fICMS_verify\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\fIX509_STORE_set_verify_cb_func()\fR is available in all versions of SSLeay and -OpenSSL. -.PP \&\fIX509_STORE_set_verify_cb()\fR was added to OpenSSL 1.0.0. +.PP +\&\fIX509_STORE_set_verify_cb()\fR, \fIX509_STORE_get_verify_cb()\fR, +\&\fIX509_STORE_set_verify()\fR, \fIX509_STORE_CTX_get_verify()\fR, +\&\fIX509_STORE_set_get_issuer()\fR, \fIX509_STORE_get_get_issuer()\fR, +\&\fIX509_STORE_set_check_issued()\fR, \fIX509_STORE_get_check_issued()\fR, +\&\fIX509_STORE_set_check_revocation()\fR, \fIX509_STORE_get_check_revocation()\fR, +\&\fIX509_STORE_set_get_crl()\fR, \fIX509_STORE_get_get_crl()\fR, +\&\fIX509_STORE_set_check_crl()\fR, \fIX509_STORE_get_check_crl()\fR, +\&\fIX509_STORE_set_cert_crl()\fR, \fIX509_STORE_get_cert_crl()\fR, +\&\fIX509_STORE_set_check_policy()\fR, \fIX509_STORE_get_check_policy()\fR, +\&\fIX509_STORE_set_lookup_certs()\fR, \fIX509_STORE_get_lookup_certs()\fR, +\&\fIX509_STORE_set_lookup_crls()\fR, \fIX509_STORE_get_lookup_crls()\fR, +\&\fIX509_STORE_set_cleanup()\fR and \fIX509_STORE_get_cleanup()\fR were added in +OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2009\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index 6e57c8a77809..bb6de74daef9 100644 --- a/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 @@ -128,46 +128,57 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_VERIFY_PARAM_set_flags 3" -.TH X509_VERIFY_PARAM_set_flags 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_VERIFY_PARAM_SET_FLAGS 3" +.TH X509_VERIFY_PARAM_SET_FLAGS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc \- X509 verification parameters +X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_get_inh_flags, X509_VERIFY_PARAM_set_inh_flags, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_auth_level, X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_get_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get_hostflags, X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc \&\- X509 verification parameters .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include \& -\& int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); +\& int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, +\& unsigned long flags); \& int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, -\& unsigned long flags); +\& unsigned long flags); \& unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); \& +\& int X509_VERIFY_PARAM_set_inh_flags(X509_VERIFY_PARAM *param, +\& uint32_t flags); +\& uint32_t X509_VERIFY_PARAM_get_inh_flags(const X509_VERIFY_PARAM *param); +\& \& int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); \& int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); \& \& void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); +\& time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param); \& \& int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, -\& ASN1_OBJECT *policy); -\& int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, -\& STACK_OF(ASN1_OBJECT) *policies); +\& ASN1_OBJECT *policy); +\& int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, +\& STACK_OF(ASN1_OBJECT) *policies); \& \& void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); \& int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); \& +\& void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, +\& int auth_level); +\& int X509_VERIFY_PARAM_get_auth_level(const X509_VERIFY_PARAM *param); +\& \& int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, \& const char *name, size_t namelen); \& int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, \& const char *name, size_t namelen); \& void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, \& unsigned int flags); +\& unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); \& char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); \& int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, -\& const char *email, size_t emaillen); +\& const char *email, size_t emaillen); \& int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, \& const unsigned char *ip, size_t iplen); \& int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); @@ -183,13 +194,18 @@ description of values the \fBflags\fR parameter can take. .PP \&\fIX509_VERIFY_PARAM_get_flags()\fR returns the flags in \fBparam\fR. .PP +\&\fIX509_VERIFY_PARAM_get_inh_flags()\fR returns the inheritance flags in \fBparam\fR +which specifies how verification flags are copied from one structure to +another. \fIX509_VERIFY_PARAM_set_inh_flags()\fR sets the inheritance flags. +See the \fB\s-1INHERITANCE FLAGS\s0\fR section for a description of these bits. +.PP \&\fIX509_VERIFY_PARAM_clear_flags()\fR clears the flags \fBflags\fR in \fBparam\fR. .PP \&\fIX509_VERIFY_PARAM_set_purpose()\fR sets the verification purpose in \fBparam\fR to \fBpurpose\fR. This determines the acceptable purpose of the certificate chain, for example \s-1SSL\s0 client or \s-1SSL\s0 server. .PP -\&\fIX509_VERIFY_PARAM_set_trust()\fR sets the trust setting in \fBparam\fR to +\&\fIX509_VERIFY_PARAM_set_trust()\fR sets the trust setting in \fBparam\fR to \&\fBtrust\fR. .PP \&\fIX509_VERIFY_PARAM_set_time()\fR sets the verification time in \fBparam\fR to @@ -204,25 +220,67 @@ policy set is cleared. The \fBpolicies\fR parameter can be \fB\s-1NULL\s0\fR to an existing policy set. .PP \&\fIX509_VERIFY_PARAM_set_depth()\fR sets the maximum verification depth to \fBdepth\fR. -That is the maximum number of untrusted \s-1CA\s0 certificates that can appear in a +That is the maximum number of intermediate \s-1CA\s0 certificates that can appear in a chain. +A maximal depth chain contains 2 more certificates than the limit, since +neither the end-entity certificate nor the trust-anchor count against this +limit. +Thus a \fBdepth\fR limit of 0 only allows the end-entity certificate to be signed +directly by the trust-anchor, while with a \fBdepth\fR limit of 1 there can be one +intermediate \s-1CA\s0 certificate between the trust-anchor and the end-entity +certificate. +.PP +\&\fIX509_VERIFY_PARAM_set_auth_level()\fR sets the authentication security level to +\&\fBauth_level\fR. +The authentication security level determines the acceptable signature and public +key strength when verifying certificate chains. +For a certificate chain to validate, the public keys of all the certificates +must meet the specified security level. +The signature algorithm security level is not enforced for the chain's \fItrust +anchor\fR certificate, which is either directly trusted or validated by means other +than its signature. +See \fISSL_CTX_set_security_level\fR\|(3) for the definitions of the available +levels. +The default security level is \-1, or \*(L"not set\*(R". +At security level 0 or lower all algorithms are acceptable. +Security level 1 requires at least 80\-bit\-equivalent security and is broadly +interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0 keys +shorter than 1024 bits. .PP \&\fIX509_VERIFY_PARAM_set1_host()\fR sets the expected \s-1DNS\s0 hostname to \&\fBname\fR clearing any previously specified host name or names. If \&\fBname\fR is \s-1NULL,\s0 or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If \fBname\fR is NUL-terminated, \fBnamelen\fR may be zero, otherwise \fBnamelen\fR -must be set to the length of \fBname\fR. When a hostname is specified, +must be set to the length of \fBname\fR. +.PP +When a hostname is specified, certificate verification automatically invokes \fIX509_check_host\fR\|(3) with flags equal to the \fBflags\fR argument given to -\&\fB\f(BIX509_VERIFY_PARAM_set_hostflags()\fB\fR (default zero). Applications +\&\fIX509_VERIFY_PARAM_set_hostflags()\fR (default zero). Applications are strongly advised to use this interface in preference to explicitly -calling \fIX509_check_host\fR\|(3), hostname checks are out of scope +calling \fIX509_check_host\fR\|(3), hostname checks may be out of scope with the \s-1\fIDANE\-EE\s0\fR\|(3) certificate usage, and the internal check will -be suppressed as appropriate when \s-1DANE\s0 support is added to OpenSSL. +be suppressed as appropriate when \s-1DANE\s0 verification is enabled. +.PP +When the subject CommonName will not be ignored, whether as a result of the +\&\fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR host flag, or because no \s-1DNS\s0 subject +alternative names are present in the certificate, any \s-1DNS\s0 name constraints in +issuer certificates apply to the subject CommonName as well as the subject +alternative name extension. +.PP +When the subject CommonName will be ignored, whether as a result of the +\&\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR host flag, or because some \s-1DNS\s0 subject +alternative names are present in the certificate, \s-1DNS\s0 name constraints in +issuer certificates will not be applied to the subject \s-1DN.\s0 +As described in \fIX509_check_host\fR\|(3) the \fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR +flag takes precedence over the \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR flag. +.PP +\&\fIX509_VERIFY_PARAM_get_hostflags()\fR returns any host flags previously set via a +call to \fIX509_VERIFY_PARAM_set_hostflags()\fR. .PP \&\fIX509_VERIFY_PARAM_add1_host()\fR adds \fBname\fR as an additional reference -identifer that can match the peer's certificate. Any previous names +identifier that can match the peer's certificate. Any previous names set via \fIX509_VERIFY_PARAM_set1_host()\fR or \fIX509_VERIFY_PARAM_add1_host()\fR are retained, no change is made if \fBname\fR is \s-1NULL\s0 or empty. When multiple names are configured, the peer is considered verified when @@ -257,19 +315,27 @@ IPv6. The condensed \*(L"::\*(R" notation is supported for IPv6 addresses. .SH "RETURN VALUES" .IX Header "RETURN VALUES" \&\fIX509_VERIFY_PARAM_set_flags()\fR, \fIX509_VERIFY_PARAM_clear_flags()\fR, +\&\fIX509_VERIFY_PARAM_set_inh_flags()\fR, \&\fIX509_VERIFY_PARAM_set_purpose()\fR, \fIX509_VERIFY_PARAM_set_trust()\fR, \&\fIX509_VERIFY_PARAM_add0_policy()\fR \fIX509_VERIFY_PARAM_set1_policies()\fR, -\&\fIX509_VERIFY_PARAM_set1_host()\fR, \fIX509_VERIFY_PARAM_set_hostflags()\fR, +\&\fIX509_VERIFY_PARAM_set1_host()\fR, \fIX509_VERIFY_PARAM_add1_host()\fR, \&\fIX509_VERIFY_PARAM_set1_email()\fR, \fIX509_VERIFY_PARAM_set1_ip()\fR and \&\fIX509_VERIFY_PARAM_set1_ip_asc()\fR return 1 for success and 0 for failure. .PP \&\fIX509_VERIFY_PARAM_get_flags()\fR returns the current verification flags. .PP +\&\fIX509_VERIFY_PARAM_get_hostflags()\fR returns any current host flags. +.PP +\&\fIX509_VERIFY_PARAM_get_inh_flags()\fR returns the current inheritance flags. +.PP \&\fIX509_VERIFY_PARAM_set_time()\fR and \fIX509_VERIFY_PARAM_set_depth()\fR do not return values. .PP \&\fIX509_VERIFY_PARAM_get_depth()\fR returns the current verification depth. +.PP +\&\fIX509_VERIFY_PARAM_get_auth_level()\fR returns the current authentication security +level. .SH "VERIFICATION FLAGS" .IX Header "VERIFICATION FLAGS" The verification flags consists of zero or more of the following flags @@ -288,13 +354,13 @@ ignored. \fB\s-1WARNING\s0\fR setting this option for anything other than debugg purposes can be a security risk. Finer control over which extensions are supported can be performed in the verification callback. .PP -THe \fBX509_V_FLAG_X509_STRICT\fR flag disables workarounds for some broken +The \fBX509_V_FLAG_X509_STRICT\fR flag disables workarounds for some broken certificates and makes the verification strictly apply \fBX509\fR rules. .PP \&\fBX509_V_FLAG_ALLOW_PROXY_CERTS\fR enables proxy certificate verification. .PP \&\fBX509_V_FLAG_POLICY_CHECK\fR enables certificate policy checking, by default -no policy checking is peformed. Additional information is sent to the +no policy checking is performed. Additional information is sent to the verification callback relating to policy checking. .PP \&\fBX509_V_FLAG_EXPLICIT_POLICY\fR, \fBX509_V_FLAG_INHIBIT_ANY\fR and @@ -312,57 +378,82 @@ By default some additional features such as indirect CRLs and CRLs signed by different keys are disabled. If \fBX509_V_FLAG_EXTENDED_CRL_SUPPORT\fR is set they are enabled. .PP -If \fBX509_V_FLAG_USE_DELTAS\fR ise set delta CRLs (if present) are used to +If \fBX509_V_FLAG_USE_DELTAS\fR is set delta CRLs (if present) are used to determine certificate status. If not set deltas are ignored. .PP \&\fBX509_V_FLAG_CHECK_SS_SIGNATURE\fR enables checking of the root \s-1CA\s0 self signed -cerificate signature. By default this check is disabled because it doesn't +certificate signature. By default this check is disabled because it doesn't add any additional security but in some cases applications might want to check the signature anyway. A side effect of not checking the root \s-1CA\s0 signature is that disabled or unsupported message digests on the root \s-1CA\s0 are not treated as fatal errors. .PP -The \fBX509_V_FLAG_CB_ISSUER_CHECK\fR flag enables debugging of certificate -issuer checks. It is \fBnot\fR needed unless you are logging certificate -verification. If this flag is set then additional status codes will be sent -to the verification callback and it \fBmust\fR be prepared to handle such cases -without assuming they are hard errors. -.PP -The \fBX509_V_FLAG_NO_ALT_CHAINS\fR flag suppresses checking for alternative -chains. By default, when building a certificate chain, if the first certificate -chain found is not trusted, then OpenSSL will continue to check to see if an -alternative chain can be found that is trusted. With this flag set the behaviour -will match that of OpenSSL versions prior to 1.0.2b. -.PP -The \fBX509_V_FLAG_TRUSTED_FIRST\fR flag causes chain construction to look for -issuers in the trust store before looking at the untrusted certificates -provided as part of the the peer chain. -Though it is not on by default in OpenSSL 1.0.2, applications should generally -set this flag. +When \fBX509_V_FLAG_TRUSTED_FIRST\fR is set, construction of the certificate chain +in \fIX509_verify_cert\fR\|(3) will search the trust store for issuer certificates +before searching the provided untrusted certificates. Local issuer certificates are often more likely to satisfy local security requirements and lead to a locally trusted root. -This is especially important When some certificates in the trust store have +This is especially important when some certificates in the trust store have explicit trust settings (see \*(L"\s-1TRUST SETTINGS\*(R"\s0 in \fIx509\fR\|(1)). +As of OpenSSL 1.1.0 this option is on by default. +.PP +The \fBX509_V_FLAG_NO_ALT_CHAINS\fR flag suppresses checking for alternative +chains. +By default, unless \fBX509_V_FLAG_TRUSTED_FIRST\fR is set, when building a +certificate chain, if the first certificate chain found is not trusted, then +OpenSSL will attempt to replace untrusted certificates supplied by the peer +with certificates from the trust store to see if an alternative chain can be +found that is trusted. +As of OpenSSL 1.1.0, with \fBX509_V_FLAG_TRUSTED_FIRST\fR always set, this option +has no effect. .PP The \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag causes intermediate certificates in the trust store to be treated as trust-anchors, in the same way as the self-signed root \s-1CA\s0 certificates. This makes it possible to trust certificates issued by an intermediate \s-1CA\s0 without having to trust its ancestor root \s-1CA.\s0 -With OpenSSL 1.0.2, chain construction continues as long as there are -additional trusted issuers in the trust store, and the last trusted issuer -becomes the trust-anchor. -Thus, even when an intermediate certificate is found in the trust store, the -verified chain passed to callbacks may still be anchored by a root \s-1CA.\s0 +With OpenSSL 1.1.0 and later and set, chain +construction stops as soon as the first certificate from the trust store is +added to the chain, whether that certificate is a self-signed \*(L"root\*(R" +certificate or a not self-signed intermediate certificate. +Thus, when an intermediate certificate is found in the trust store, the +verified chain passed to callbacks may be shorter than it otherwise would +be without the \fBX509_V_FLAG_PARTIAL_CHAIN\fR flag. +.PP +The \fBX509_V_FLAG_NO_CHECK_TIME\fR flag suppresses checking the validity period +of certificates and CRLs against the current time. If \fIX509_VERIFY_PARAM_set_time()\fR +is used to specify a verification time, the check is not suppressed. +.SH "INHERITANCE FLAGS" +.IX Header "INHERITANCE FLAGS" +These flags specify how parameters are \*(L"inherited\*(R" from one structure to +another. +.PP +If \fBX509_VP_FLAG_ONCE\fR is set then the current setting is zeroed +after the next call. +.PP +If \fBX509_VP_FLAG_LOCKED\fR is set then no values are copied. This overrides +all of the following flags. +.PP +If \fBX509_VP_FLAG_DEFAULT\fR is set then anything set in the source is copied +to the destination. Effectively the values in \*(L"to\*(R" become default values +which will be used only if nothing new is set in \*(L"from\*(R". This is the +default. +.PP +If \fBX509_VP_FLAG_OVERWRITE\fR is set then all value are copied across whether +they are set or not. Flags is still Ored though. +.PP +If \fBX509_VP_FLAG_RESET_FLAGS\fR is set then the flags value is copied instead +of ORed. .SH "NOTES" .IX Header "NOTES" The above functions should be used to manipulate verification parameters -instead of legacy functions which work in specific structures such as -\&\fIX509_STORE_CTX_set_flags()\fR. +instead of functions which work in specific structures such as +\&\fIX509_STORE_CTX_set_flags()\fR which are likely to be deprecated in a future +release. .SH "BUGS" .IX Header "BUGS" Delta \s-1CRL\s0 checking is currently primitive. Only a single delta can be used and -(partly due to limitations of \fBX509_STORE\fR) constructed CRLs are not +(partly due to limitations of \fBX509_STORE\fR) constructed CRLs are not maintained. .PP If CRLs checking is enable CRLs are expected to be available in the @@ -370,15 +461,16 @@ corresponding \fBX509_STORE\fR structure. No attempt is made to download CRLs from the \s-1CRL\s0 distribution points extension. .SH "EXAMPLE" .IX Header "EXAMPLE" -Enable \s-1CRL\s0 checking when performing certificate verification during \s-1SSL\s0 +Enable \s-1CRL\s0 checking when performing certificate verification during \s-1SSL\s0 connections associated with an \fB\s-1SSL_CTX\s0\fR structure \fBctx\fR: .PP -.Vb 5 -\& X509_VERIFY_PARAM *param; -\& param = X509_VERIFY_PARAM_new(); -\& X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); -\& SSL_CTX_set1_param(ctx, param); -\& X509_VERIFY_PARAM_free(param); +.Vb 1 +\& X509_VERIFY_PARAM *param; +\& +\& param = X509_VERIFY_PARAM_new(); +\& X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK); +\& SSL_CTX_set1_param(ctx, param); +\& X509_VERIFY_PARAM_free(param); .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" @@ -389,4 +481,16 @@ connections associated with an \fB\s-1SSL_CTX\s0\fR structure \fBctx\fR: \&\fIx509\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -The \fBX509_V_FLAG_NO_ALT_CHAINS\fR flag was added in OpenSSL 1.0.2b +The \fBX509_V_FLAG_NO_ALT_CHAINS\fR flag was added in OpenSSL 1.1.0 +The flag \fBX509_V_FLAG_CB_ISSUER_CHECK\fR was deprecated in +OpenSSL 1.1.0, and has no effect. +.PP +\&\fIX509_VERIFY_PARAM_get_hostflags()\fR was added in OpenSSL 1.1.0i. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2009\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_check_ca.3 b/secure/lib/libcrypto/man/X509_check_ca.3 new file mode 100644 index 000000000000..db5796e6f56b --- /dev/null +++ b/secure/lib/libcrypto/man/X509_check_ca.3 @@ -0,0 +1,173 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_CHECK_CA 3" +.TH X509_CHECK_CA 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_check_ca \- check if given certificate is CA certificate +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int X509_check_ca(X509 *cert); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This function checks if given certificate is \s-1CA\s0 certificate (can be used +to sign other certificates). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Function return 0, if it is not \s-1CA\s0 certificate, 1 if it is proper X509v3 +\&\s-1CA\s0 certificate with \fBbasicConstraints\fR extension \s-1CA:TRUE, +3,\s0 if it is self-signed X509 v1 certificate, 4, if it is certificate with +\&\fBkeyUsage\fR extension with bit \fBkeyCertSign\fR set, but without +\&\fBbasicConstraints\fR, and 5 if it has outdated Netscape Certificate Type +extension telling that it is \s-1CA\s0 certificate. +.PP +Actually, any non-zero value means that this certificate could have been +used to sign other certificates. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_verify_cert\fR\|(3), +\&\fIX509_check_issued\fR\|(3), +\&\fIX509_check_purpose\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_check_host.3 b/secure/lib/libcrypto/man/X509_check_host.3 index 80c0da6c2099..9f985d0ec6a4 100644 --- a/secure/lib/libcrypto/man/X509_check_host.3 +++ b/secure/lib/libcrypto/man/X509_check_host.3 @@ -128,8 +128,8 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_check_host 3" -.TH X509_check_host 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_CHECK_HOST 3" +.TH X509_CHECK_HOST 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -139,7 +139,7 @@ X509_check_host, X509_check_email, X509_check_ip, X509_check_ip_asc \- X.509 cer .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 -\& #include +\& #include \& \& int X509_check_host(X509 *, const char *name, size_t namelen, \& unsigned int flags, char **peername); @@ -201,6 +201,8 @@ flags: .IP "\fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR," 4 .IX Item "X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT," .PD 0 +.IP "\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR," 4 +.IX Item "X509_CHECK_FLAG_NEVER_CHECK_SUBJECT," .IP "\fBX509_CHECK_FLAG_NO_WILDCARDS\fR," 4 .IX Item "X509_CHECK_FLAG_NO_WILDCARDS," .IP "\fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR," 4 @@ -217,12 +219,21 @@ one subject alternative name of the right type (\s-1DNS\s0 name or email address as appropriate); the default is to ignore the subject \s-1DN\s0 when at least one corresponding subject alternative names is present. .PP +The \fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR flag causes the function to never +consider the subject \s-1DN\s0 even if the certificate contains no subject alternative +names of the right type (\s-1DNS\s0 name or email address as appropriate); the default +is to use the subject \s-1DN\s0 when no corresponding subject alternative names are +present. +If both \fBX509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT\fR and +\&\fBX509_CHECK_FLAG_NEVER_CHECK_SUBJECT\fR are specified, the latter takes +precedence and the subject \s-1DN\s0 is not checked for matching names. +.PP If set, \fBX509_CHECK_FLAG_NO_WILDCARDS\fR disables wildcard expansion; this only applies to \fBX509_check_host\fR. .PP If set, \fBX509_CHECK_FLAG_NO_PARTIAL_WILDCARDS\fR suppresses support for \*(L"*\*(R" as wildcard pattern in labels that have a prefix or suffix, -such as: \*(L"www*\*(R" or \*(L"*www\*(R"; this only aplies to \fBX509_check_host\fR. +such as: \*(L"www*\*(R" or \*(L"*www\*(R"; this only applies to \fBX509_check_host\fR. .PP If set, \fBX509_CHECK_FLAG_MULTI_LABEL_WILDCARDS\fR allows a \*(L"*\*(R" that constitutes the complete label of a \s-1DNS\s0 name (e.g. \*(L"*.example.com\*(R") @@ -249,9 +260,9 @@ NULs. .IX Header "NOTES" Applications are encouraged to use \fIX509_VERIFY_PARAM_set1_host()\fR rather than explicitly calling \fIX509_check_host\fR\|(3). Host name -checks are out of scope with the \s-1\fIDANE\-EE\s0\fR\|(3) certificate usage, +checks may be out of scope with the \s-1\fIDANE\-EE\s0\fR\|(3) certificate usage, and the internal checks will be suppressed as appropriate when -\&\s-1DANE\s0 support is added to OpenSSL. +\&\s-1DANE\s0 support is enabled. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fISSL_get_verify_result\fR\|(3), @@ -263,3 +274,11 @@ and the internal checks will be suppressed as appropriate when .SH "HISTORY" .IX Header "HISTORY" These functions were added in OpenSSL 1.0.2. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2012\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_check_issued.3 b/secure/lib/libcrypto/man/X509_check_issued.3 new file mode 100644 index 000000000000..5ea2f52cd009 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_check_issued.3 @@ -0,0 +1,171 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_CHECK_ISSUED 3" +.TH X509_CHECK_ISSUED 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_check_issued \- checks if certificate is issued by another certificate +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int X509_check_issued(X509 *issuer, X509 *subject); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +This function checks if certificate \fIsubject\fR was issued using \s-1CA\s0 +certificate \fIissuer\fR. This function takes into account not only +matching of issuer field of \fIsubject\fR with subject field of \fIissuer\fR, +but also compares \fBauthorityKeyIdentifier\fR extension of \fIsubject\fR with +\&\fBsubjectKeyIdentifier\fR of \fIissuer\fR if \fBauthorityKeyIdentifier\fR +present in the \fIsubject\fR certificate and checks \fBkeyUsage\fR field of +\&\fIissuer\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +Function return \fBX509_V_OK\fR if certificate \fIsubject\fR is issued by +\&\fIissuer\fR or some \fBX509_V_ERR*\fR constant to indicate an error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_verify_cert\fR\|(3), +\&\fIX509_check_ca\fR\|(3), +\&\fIverify\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_check_private_key.3 b/secure/lib/libcrypto/man/X509_check_private_key.3 index c00e27e895ba..2963dd49cbcc 100644 --- a/secure/lib/libcrypto/man/X509_check_private_key.3 +++ b/secure/lib/libcrypto/man/X509_check_private_key.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_check_private_key 3" -.TH X509_check_private_key 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_CHECK_PRIVATE_KEY 3" +.TH X509_CHECK_PRIVATE_KEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_check_private_key, X509_REQ_check_private_key \- check the consistency -of a private key with the public key in an X509 certificate or certificate -request +X509_check_private_key, X509_REQ_check_private_key \- check the consistency of a private key with the public key in an X509 certificate or certificate request .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -154,8 +152,8 @@ key \fBk\fR with the public key in \fBx\fR. .PP \&\fIX509_REQ_check_private_key()\fR is equivalent to \fIX509_check_private_key()\fR except that \fBx\fR represents a certificate request of structure \fBX509_REQ\fR. -.SH "RETURN VALUE" -.IX Header "RETURN VALUE" +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" \&\fIX509_check_private_key()\fR and \fIX509_REQ_check_private_key()\fR return 1 if the keys match each other, and 0 if not. .PP @@ -173,7 +171,7 @@ return success. \&\fIERR_get_error\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" -Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/X509_cmp_time.3 b/secure/lib/libcrypto/man/X509_cmp_time.3 index 6934ffc4f4e7..f5f2d5173408 100644 --- a/secure/lib/libcrypto/man/X509_cmp_time.3 +++ b/secure/lib/libcrypto/man/X509_cmp_time.3 @@ -128,35 +128,56 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_cmp_time 3" -.TH X509_cmp_time 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_CMP_TIME 3" +.TH X509_CMP_TIME 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_cmp_time \- X509 time functions +X509_cmp_time, X509_cmp_current_time, X509_time_adj, X509_time_adj_ex \&\- X509 time functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 1 -\& X509_cmp_time(const ASN1_TIME *asn1_time, time_t *cmp_time); +.Vb 5 +\& int X509_cmp_time(const ASN1_TIME *asn1_time, time_t *in_tm); +\& int X509_cmp_current_time(const ASN1_TIME *asn1_time); +\& ASN1_TIME *X509_time_adj(ASN1_TIME *asn1_time, long offset_sec, time_t *in_tm); +\& ASN1_TIME *X509_time_adj_ex(ASN1_TIME *asn1_time, int offset_day, long +\& offset_sec, time_t *in_tm); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fIX509_cmp_time()\fR compares the \s-1ASN1_TIME\s0 in \fBasn1_time\fR with the time in -. +\&\fIX509_cmp_time()\fR compares the \s-1ASN1_TIME\s0 in \fBasn1_time\fR with the time +in . \fIX509_cmp_current_time()\fR compares the \s-1ASN1_TIME\s0 in +\&\fBasn1_time\fR with the current time, expressed as time_t. \fBasn1_time\fR +must satisfy the \s-1ASN1_TIME\s0 format mandated by \s-1RFC 5280,\s0 i.e., its +format must be either \s-1YYMMDDHHMMSSZ\s0 or \s-1YYYYMMDDHHMMSSZ.\s0 .PP -\&\fBasn1_time\fR must satisfy the \s-1ASN1_TIME\s0 format mandated by \s-1RFC 5280,\s0 i.e., -its format must be either \s-1YYMMDDHHMMSSZ\s0 or \s-1YYYYMMDDHHMMSSZ.\s0 +\&\fIX509_time_adj_ex()\fR sets the \s-1ASN1_TIME\s0 structure \fBasn1_time\fR to the time +\&\fBoffset_day\fR and \fBoffset_sec\fR after \fBin_tm\fR. .PP -If \fBcmp_time\fR is \s-1NULL\s0 the current time is used. +\&\fIX509_time_adj()\fR sets the \s-1ASN1_TIME\s0 structure \fBasn1_time\fR to the time +\&\fBoffset_sec\fR after \fBin_tm\fR. This method can only handle second +offsets up to the capacity of long, so the newer \fIX509_time_adj_ex()\fR +\&\s-1API\s0 should be preferred. +.PP +In both methods, if \fBasn1_time\fR is \s-1NULL,\s0 a new \s-1ASN1_TIME\s0 structure +is allocated and returned. +.PP +In all methods, if \fBin_tm\fR is \s-1NULL,\s0 the current time, expressed as +time_t, is used. .SH "BUGS" .IX Header "BUGS" -Unlike many standard comparison functions, X509_cmp_time returns 0 on error. +Unlike many standard comparison functions, \fIX509_cmp_time()\fR and +\&\fIX509_cmp_current_time()\fR return 0 on error. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fIX509_cmp_time()\fR returns \-1 if \fBasn1_time\fR is earlier than, or equal to, -\&\fBcmp_time\fR, and 1 otherwise. It returns 0 on error. +\&\fIX509_cmp_time()\fR and \fIX509_cmp_current_time()\fR return \-1 if \fBasn1_time\fR +is earlier than, or equal to, \fBcmp_time\fR (resp. current time), and 1 +otherwise. These methods return 0 on error. +.PP +\&\fIX509_time_adj()\fR and \fIX509_time_adj_ex()\fR return a pointer to the updated +\&\s-1ASN1_TIME\s0 structure, and \s-1NULL\s0 on error. .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. diff --git a/secure/lib/libcrypto/man/X509_digest.3 b/secure/lib/libcrypto/man/X509_digest.3 new file mode 100644 index 000000000000..9a5e8d512e27 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_digest.3 @@ -0,0 +1,190 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_DIGEST 3" +.TH X509_DIGEST 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_digest, X509_CRL_digest, X509_pubkey_digest, X509_NAME_digest, X509_REQ_digest, PKCS7_ISSUER_AND_SERIAL_digest \&\- get digest of various objects +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, +\& unsigned int *len); +\& +\& int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, +\& unsigned int *len); +\& +\& int X509_pubkey_digest(const X509 *data, const EVP_MD *type, +\& unsigned char *md, unsigned int *len); +\& +\& int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, +\& unsigned char *md, unsigned int *len); +\& +\& int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, +\& unsigned char *md, unsigned int *len); +\& +\& #include +\& +\& int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, +\& const EVP_MD *type, unsigned char *md, +\& unsigned int *len); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_pubkey_digest()\fR returns a digest of the \s-1DER\s0 representation of the public +key in the specified X509 \fBdata\fR object. +All other functions described here return a digest of the \s-1DER\s0 representation +of their entire \fBdata\fR objects. +.PP +The \fBtype\fR parameter specifies the digest to +be used, such as \fIEVP_sha1()\fR. The \fBmd\fR is a pointer to the buffer where the +digest will be copied and is assumed to be large enough; the constant +\&\fB\s-1EVP_MAX_MD_SIZE\s0\fR is suggested. The \fBlen\fR parameter, if not \s-1NULL,\s0 points +to a place where the digest size will be stored. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All functions described here return 1 for success and 0 for failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIEVP_sha1\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_dup.3 b/secure/lib/libcrypto/man/X509_dup.3 new file mode 100644 index 000000000000..16287a55f60d --- /dev/null +++ b/secure/lib/libcrypto/man/X509_dup.3 @@ -0,0 +1,198 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_DUP 3" +.TH X509_DUP 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +DECLARE_ASN1_FUNCTIONS, IMPLEMENT_ASN1_FUNCTIONS, ASN1_ITEM, ACCESS_DESCRIPTION_free, ACCESS_DESCRIPTION_new, ADMISSIONS_free, ADMISSIONS_new, ADMISSION_SYNTAX_free, ADMISSION_SYNTAX_new, ASIdOrRange_free, ASIdOrRange_new, ASIdentifierChoice_free, ASIdentifierChoice_new, ASIdentifiers_free, ASIdentifiers_new, ASRange_free, ASRange_new, AUTHORITY_INFO_ACCESS_free, AUTHORITY_INFO_ACCESS_new, AUTHORITY_KEYID_free, AUTHORITY_KEYID_new, BASIC_CONSTRAINTS_free, BASIC_CONSTRAINTS_new, CERTIFICATEPOLICIES_free, CERTIFICATEPOLICIES_new, CMS_ContentInfo_free, CMS_ContentInfo_new, CMS_ContentInfo_print_ctx, CMS_ReceiptRequest_free, CMS_ReceiptRequest_new, CRL_DIST_POINTS_free, CRL_DIST_POINTS_new, DIRECTORYSTRING_free, DIRECTORYSTRING_new, DISPLAYTEXT_free, DISPLAYTEXT_new, DIST_POINT_NAME_free, DIST_POINT_NAME_new, DIST_POINT_free, DIST_POINT_new, DSAparams_dup, ECPARAMETERS_free, ECPARAMETERS_new, ECPKPARAMETERS_free, ECPKPARAMETERS_new, EDIPARTYNAME_free, EDIPARTYNAME_new, ESS_CERT_ID_dup, ESS_CERT_ID_free, ESS_CERT_ID_new, ESS_ISSUER_SERIAL_dup, ESS_ISSUER_SERIAL_free, ESS_ISSUER_SERIAL_new, ESS_SIGNING_CERT_dup, ESS_SIGNING_CERT_free, ESS_SIGNING_CERT_new, EXTENDED_KEY_USAGE_free, EXTENDED_KEY_USAGE_new, GENERAL_NAMES_free, GENERAL_NAMES_new, GENERAL_NAME_dup, GENERAL_NAME_free, GENERAL_NAME_new, GENERAL_SUBTREE_free, GENERAL_SUBTREE_new, IPAddressChoice_free, IPAddressChoice_new, IPAddressFamily_free, IPAddressFamily_new, IPAddressOrRange_free, IPAddressOrRange_new, IPAddressRange_free, IPAddressRange_new, ISSUING_DIST_POINT_free, ISSUING_DIST_POINT_new, NAME_CONSTRAINTS_free, NAME_CONSTRAINTS_new, NAMING_AUTHORITY_free, NAMING_AUTHORITY_new, NETSCAPE_CERT_SEQUENCE_free, NETSCAPE_CERT_SEQUENCE_new, NETSCAPE_SPKAC_free, NETSCAPE_SPKAC_new, NETSCAPE_SPKI_free, NETSCAPE_SPKI_new, NOTICEREF_free, NOTICEREF_new, OCSP_BASICRESP_free, OCSP_BASICRESP_new, OCSP_CERTID_dup, OCSP_CERTID_new, OCSP_CERTSTATUS_free, OCSP_CERTSTATUS_new, OCSP_CRLID_free, OCSP_CRLID_new, OCSP_ONEREQ_free, OCSP_ONEREQ_new, OCSP_REQINFO_free, OCSP_REQINFO_new, OCSP_RESPBYTES_free, OCSP_RESPBYTES_new, OCSP_RESPDATA_free, OCSP_RESPDATA_new, OCSP_RESPID_free, OCSP_RESPID_new, OCSP_RESPONSE_new, OCSP_REVOKEDINFO_free, OCSP_REVOKEDINFO_new, OCSP_SERVICELOC_free, OCSP_SERVICELOC_new, OCSP_SIGNATURE_free, OCSP_SIGNATURE_new, OCSP_SINGLERESP_free, OCSP_SINGLERESP_new, OTHERNAME_free, OTHERNAME_new, PBE2PARAM_free, PBE2PARAM_new, PBEPARAM_free, PBEPARAM_new, PBKDF2PARAM_free, PBKDF2PARAM_new, PKCS12_BAGS_free, PKCS12_BAGS_new, PKCS12_MAC_DATA_free, PKCS12_MAC_DATA_new, PKCS12_SAFEBAG_free, PKCS12_SAFEBAG_new, PKCS12_free, PKCS12_new, PKCS7_DIGEST_free, PKCS7_DIGEST_new, PKCS7_ENCRYPT_free, PKCS7_ENCRYPT_new, PKCS7_ENC_CONTENT_free, PKCS7_ENC_CONTENT_new, PKCS7_ENVELOPE_free, PKCS7_ENVELOPE_new, PKCS7_ISSUER_AND_SERIAL_free, PKCS7_ISSUER_AND_SERIAL_new, PKCS7_RECIP_INFO_free, PKCS7_RECIP_INFO_new, PKCS7_SIGNED_free, PKCS7_SIGNED_new, PKCS7_SIGNER_INFO_free, PKCS7_SIGNER_INFO_new, PKCS7_SIGN_ENVELOPE_free, PKCS7_SIGN_ENVELOPE_new, PKCS7_dup, PKCS7_free, PKCS7_new, PKCS7_print_ctx, PKCS8_PRIV_KEY_INFO_free, PKCS8_PRIV_KEY_INFO_new, PKEY_USAGE_PERIOD_free, PKEY_USAGE_PERIOD_new, POLICYINFO_free, POLICYINFO_new, POLICYQUALINFO_free, POLICYQUALINFO_new, POLICY_CONSTRAINTS_free, POLICY_CONSTRAINTS_new, POLICY_MAPPING_free, POLICY_MAPPING_new, PROFESSION_INFO_free, PROFESSION_INFO_new, PROFESSION_INFOS_free, PROFESSION_INFOS_new, PROXY_CERT_INFO_EXTENSION_free, PROXY_CERT_INFO_EXTENSION_new, PROXY_POLICY_free, PROXY_POLICY_new, RSAPrivateKey_dup, RSAPublicKey_dup, RSA_OAEP_PARAMS_free, RSA_OAEP_PARAMS_new, RSA_PSS_PARAMS_free, RSA_PSS_PARAMS_new, SCRYPT_PARAMS_free, SCRYPT_PARAMS_new, SXNETID_free, SXNETID_new, SXNET_free, SXNET_new, TLS_FEATURE_free, TLS_FEATURE_new, TS_ACCURACY_dup, TS_ACCURACY_free, TS_ACCURACY_new, TS_MSG_IMPRINT_dup, TS_MSG_IMPRINT_free, TS_MSG_IMPRINT_new, TS_REQ_dup, TS_REQ_free, TS_REQ_new, TS_RESP_dup, TS_RESP_free, TS_RESP_new, TS_STATUS_INFO_dup, TS_STATUS_INFO_free, TS_STATUS_INFO_new, TS_TST_INFO_dup, TS_TST_INFO_free, TS_TST_INFO_new, USERNOTICE_free, USERNOTICE_new, X509_ALGOR_free, X509_ALGOR_new, X509_ATTRIBUTE_dup, X509_ATTRIBUTE_free, X509_ATTRIBUTE_new, X509_CERT_AUX_free, X509_CERT_AUX_new, X509_CINF_free, X509_CINF_new, X509_CRL_INFO_free, X509_CRL_INFO_new, X509_CRL_dup, X509_CRL_free, X509_CRL_new, X509_EXTENSION_dup, X509_EXTENSION_free, X509_EXTENSION_new, X509_NAME_ENTRY_dup, X509_NAME_ENTRY_free, X509_NAME_ENTRY_new, X509_NAME_dup, X509_NAME_free, X509_NAME_new, X509_REQ_INFO_free, X509_REQ_INFO_new, X509_REQ_dup, X509_REQ_free, X509_REQ_new, X509_REVOKED_dup, X509_REVOKED_free, X509_REVOKED_new, X509_SIG_free, X509_SIG_new, X509_VAL_free, X509_VAL_new, X509_dup, \&\- ASN1 object utilities +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& DECLARE_ASN1_FUNCTIONS(type) +\& IMPLEMENT_ASN1_FUNCTIONS(stname) +\& +\& typedef struct ASN1_ITEM_st ASN1_ITEM; +\& +\& extern const ASN1_ITEM TYPE_it; +\& TYPE *TYPE_new(void); +\& TYPE *TYPE_dup(TYPE *a); +\& void TYPE_free(TYPE *a); +\& int TYPE_print_ctx(BIO *out, TYPE *a, int indent, const ASN1_PCTX *pctx); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +In the description below, \fI\s-1TYPE\s0\fR is used +as a placeholder for any of the OpenSSL datatypes, such as \fIX509\fR. +.PP +The OpenSSL \s-1ASN1\s0 parsing library templates are like a data-driven bytecode +interpreter. +Every \s-1ASN1\s0 object as a global variable, TYPE_it, that describes the item +such as its fields. (On systems which cannot export variables from shared +libraries, the global is instead a function which returns a pointer to a +static variable. +.PP +The macro \s-1\fIDECLARE_ASN1_FUNCTIONS\s0()\fR is typically used in header files +to generate the function declarations. +.PP +The macro \s-1\fIIMPLEMENT_ASN1_FUNCTIONS\s0()\fR is used once in a source file +to generate the function bodies. +.PP +\&\fITYPE_new()\fR allocates an empty object of the indicated type. +The object returned must be released by calling \fITYPE_free()\fR. +.PP +\&\fITYPE_dup()\fR copies an existing object. +.PP +\&\fITYPE_free()\fR releases the object and all pointers and sub-objects +within it. +.PP +\&\fITYPE_print_ctx()\fR prints the object \fBa\fR on the specified \s-1BIO\s0 \fBout\fR. +Each line will be prefixed with \fBindent\fR spaces. +The \fBpctx\fR specifies the printing context and is for internal +use; use \s-1NULL\s0 to get the default behavior. If a print function is +user-defined, then pass in any \fBpctx\fR down to any nested calls. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fITYPE_new()\fR and \fITYPE_dup()\fR return a pointer to the object or \s-1NULL\s0 on failure. +.PP +\&\fITYPE_print_ctx()\fR returns 1 on success or zero on failure. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_get0_notBefore.3 b/secure/lib/libcrypto/man/X509_get0_notBefore.3 new file mode 100644 index 000000000000..f878ca6fb527 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_get0_notBefore.3 @@ -0,0 +1,227 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_GET0_NOTBEFORE 3" +.TH X509_GET0_NOTBEFORE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_get0_notBefore, X509_getm_notBefore, X509_get0_notAfter, X509_getm_notAfter, X509_set1_notBefore, X509_set1_notAfter, X509_CRL_get0_lastUpdate, X509_CRL_get0_nextUpdate, X509_CRL_set1_lastUpdate, X509_CRL_set1_nextUpdate \- get or set certificate or CRL dates +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& const ASN1_TIME *X509_get0_notBefore(const X509 *x); +\& const ASN1_TIME *X509_get0_notAfter(const X509 *x); +\& +\& ASN1_TIME *X509_getm_notBefore(const X509 *x); +\& ASN1_TIME *X509_getm_notAfter(const X509 *x); +\& +\& int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm); +\& int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm); +\& +\& const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); +\& const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); +\& +\& int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm); +\& int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_get0_notBefore()\fR and \fIX509_get0_notAfter()\fR return the \fBnotBefore\fR +and \fBnotAfter\fR fields of certificate \fBx\fR respectively. The value +returned is an internal pointer which must not be freed up after +the call. +.PP +\&\fIX509_getm_notBefore()\fR and \fIX509_getm_notAfter()\fR are similar to +\&\fIX509_get0_notBefore()\fR and \fIX509_get0_notAfter()\fR except they return +non-constant mutable references to the associated date field of +the certificate. +.PP +\&\fIX509_set1_notBefore()\fR and \fIX509_set1_notAfter()\fR set the \fBnotBefore\fR +and \fBnotAfter\fR fields of \fBx\fR to \fBtm\fR. Ownership of the passed +parameter \fBtm\fR is not transferred by these functions so it must +be freed up after the call. +.PP +\&\fIX509_CRL_get0_lastUpdate()\fR and \fIX509_CRL_get0_nextUpdate()\fR return the +\&\fBlastUpdate\fR and \fBnextUpdate\fR fields of \fBcrl\fR. The value +returned is an internal pointer which must not be freed up after +the call. If the \fBnextUpdate\fR field is absent from \fBcrl\fR then +\&\fB\s-1NULL\s0\fR is returned. +.PP +\&\fIX509_CRL_set1_lastUpdate()\fR and \fIX509_CRL_set1_nextUpdate()\fR set the \fBlastUpdate\fR +and \fBnextUpdate\fR fields of \fBcrl\fR to \fBtm\fR. Ownership of the passed parameter +\&\fBtm\fR is not transferred by these functions so it must be freed up after the +call. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_get0_notBefore()\fR, \fIX509_get0_notAfter()\fR and \fIX509_CRL_get0_lastUpdate()\fR +return a pointer to an \fB\s-1ASN1_TIME\s0\fR structure. +.PP +\&\fIX509_CRL_get0_lastUpdate()\fR return a pointer to an \fB\s-1ASN1_TIME\s0\fR structure +or \s-1NULL\s0 if the \fBlastUpdate\fR field is absent. +.PP +\&\fIX509_set1_notBefore()\fR, \fIX509_set1_notAfter()\fR, \fIX509_CRL_set1_lastUpdate()\fR and +\&\fIX509_CRL_set1_nextUpdate()\fR return 1 for success or 0 for failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +These functions are available in all versions of OpenSSL. +.PP +\&\fIX509_get_notBefore()\fR and \fIX509_get_notAfter()\fR were deprecated in OpenSSL +1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_get0_signature.3 b/secure/lib/libcrypto/man/X509_get0_signature.3 new file mode 100644 index 000000000000..e20c0b0b5637 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_get0_signature.3 @@ -0,0 +1,251 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_GET0_SIGNATURE 3" +.TH X509_GET0_SIGNATURE 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_get0_signature, X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature, X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid, X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set \- signature information +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void X509_get0_signature(const ASN1_BIT_STRING **psig, +\& const X509_ALGOR **palg, +\& const X509 *x); +\& int X509_get_signature_nid(const X509 *x); +\& const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x); +\& +\& void X509_REQ_get0_signature(const X509_REQ *crl, +\& const ASN1_BIT_STRING **psig, +\& const X509_ALGOR **palg); +\& int X509_REQ_get_signature_nid(const X509_REQ *crl); +\& +\& void X509_CRL_get0_signature(const X509_CRL *crl, +\& const ASN1_BIT_STRING **psig, +\& const X509_ALGOR **palg); +\& int X509_CRL_get_signature_nid(const X509_CRL *crl); +\& +\& int X509_get_signature_info(X509 *x, int *mdnid, int *pknid, int *secbits, +\& uint32_t *flags); +\& +\& int X509_SIG_INFO_get(const X509_SIG_INFO *siginf, int *mdnid, int *pknid, +\& int *secbits, uint32_t *flags); +\& void X509_SIG_INFO_set(X509_SIG_INFO *siginf, int mdnid, int pknid, +\& int secbits, uint32_t flags); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_get0_signature()\fR sets \fB*psig\fR to the signature of \fBx\fR and \fB*palg\fR +to the signature algorithm of \fBx\fR. The values returned are internal +pointers which \fB\s-1MUST NOT\s0\fR be freed up after the call. +.PP +\&\fIX509_get0_tbs_sigalg()\fR returns the signature algorithm in the signed +portion of \fBx\fR. +.PP +\&\fIX509_get_signature_nid()\fR returns the \s-1NID\s0 corresponding to the signature +algorithm of \fBx\fR. +.PP +\&\fIX509_REQ_get0_signature()\fR, \fIX509_REQ_get_signature_nid()\fR +\&\fIX509_CRL_get0_signature()\fR and \fIX509_CRL_get_signature_nid()\fR perform the +same function for certificate requests and CRLs. +.PP +\&\fIX509_get_signature_info()\fR retrieves information about the signature of +certificate \fBx\fR. The \s-1NID\s0 of the signing digest is written to \fB*mdnid\fR, +the public key algorithm to \fB*pknid\fR, the effective security bits to +\&\fB*secbits\fR and flag details to \fB*flags\fR. Any of the parameters can +be set to \fB\s-1NULL\s0\fR if the information is not required. +.PP +\&\fIX509_SIG_INFO_get()\fR and \fIX509_SIG_INFO_set()\fR get and set information +about a signature in an \fBX509_SIG_INFO\fR structure. They are only +used by implementations of algorithms which need to set custom +signature information: most applications will never need to call +them. +.SH "NOTES" +.IX Header "NOTES" +These functions provide lower level access to signatures in certificates +where an application wishes to analyse or generate a signature in a form +where \fIX509_sign()\fR et al is not appropriate (for example a non standard +or unsupported format). +.PP +The security bits returned by \fIX509_get_signature_info()\fR refers to information +available from the certificate signature (such as the signing digest). In some +cases the actual security of the signature is less because the signing +key is less secure: for example a certificate signed using \s-1SHA\-512\s0 and a +1024 bit \s-1RSA\s0 key. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_get_signature_nid()\fR, \fIX509_REQ_get_signature_nid()\fR and +\&\fIX509_CRL_get_signature_nid()\fR return a \s-1NID.\s0 +.PP +\&\fIX509_get0_signature()\fR, \fIX509_REQ_get0_signature()\fR and +\&\fIX509_CRL_get0_signature()\fR do not return values. +.PP +\&\fIX509_get_signature_info()\fR returns 1 if the signature information +returned is valid or 0 if the information is not available (e.g. +unknown algorithms or malformed parameters). +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_get_version\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIX509_get0_signature()\fR and \fIX509_get_signature_nid()\fR were first added to +OpenSSL 1.0.2. +.PP +\&\fIX509_REQ_get0_signature()\fR, \fIX509_REQ_get_signature_nid()\fR, +\&\fIX509_CRL_get0_signature()\fR and \fIX509_CRL_get_signature_nid()\fR were first added +to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_get0_uids.3 b/secure/lib/libcrypto/man/X509_get0_uids.3 new file mode 100644 index 000000000000..95ce3721b564 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_get0_uids.3 @@ -0,0 +1,184 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_GET0_UIDS 3" +.TH X509_GET0_UIDS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_get0_uids \- get certificate unique identifiers +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid, +\& const ASN1_BIT_STRING **psuid); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_get0_uids()\fR sets \fB*piuid\fR and \fB*psuid\fR to the issuer and subject unique +identifiers of certificate \fBx\fR or \s-1NULL\s0 if the fields are not present. +.SH "NOTES" +.IX Header "NOTES" +The issuer and subject unique identifier fields are very rarely encountered in +practice outside test cases. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_get0_uids()\fR does not return a value. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_get_version\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_get_extension_flags.3 b/secure/lib/libcrypto/man/X509_get_extension_flags.3 new file mode 100644 index 000000000000..dc9e3ee7e367 --- /dev/null +++ b/secure/lib/libcrypto/man/X509_get_extension_flags.3 @@ -0,0 +1,284 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_GET_EXTENSION_FLAGS 3" +.TH X509_GET_EXTENSION_FLAGS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_get0_subject_key_id, X509_get0_authority_key_id, X509_get_pathlen, X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage, X509_set_proxy_flag, X509_set_proxy_pathlen, X509_get_proxy_pathlen \- retrieve certificate extension data +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& long X509_get_pathlen(X509 *x); +\& uint32_t X509_get_extension_flags(X509 *x); +\& uint32_t X509_get_key_usage(X509 *x); +\& uint32_t X509_get_extended_key_usage(X509 *x); +\& const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x); +\& const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x); +\& void X509_set_proxy_flag(X509 *x); +\& void X509_set_proxy_pathlen(int l); +\& long X509_get_proxy_pathlen(X509 *x); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions retrieve information related to commonly used certificate extensions. +.PP +\&\fIX509_get_pathlen()\fR retrieves the path length extension from a certificate. +This extension is used to limit the length of a cert chain that may be +issued from that \s-1CA.\s0 +.PP +\&\fIX509_get_extension_flags()\fR retrieves general information about a certificate, +it will return one or more of the following flags ored together. +.IP "\fB\s-1EXFLAG_V1\s0\fR" 4 +.IX Item "EXFLAG_V1" +The certificate is an obsolete version 1 certificate. +.IP "\fB\s-1EXFLAG_BCONS\s0\fR" 4 +.IX Item "EXFLAG_BCONS" +The certificate contains a basic constraints extension. +.IP "\fB\s-1EXFLAG_CA\s0\fR" 4 +.IX Item "EXFLAG_CA" +The certificate contains basic constraints and asserts the \s-1CA\s0 flag. +.IP "\fB\s-1EXFLAG_PROXY\s0\fR" 4 +.IX Item "EXFLAG_PROXY" +The certificate is a valid proxy certificate. +.IP "\fB\s-1EXFLAG_SI\s0\fR" 4 +.IX Item "EXFLAG_SI" +The certificate is self issued (that is subject and issuer names match). +.IP "\fB\s-1EXFLAG_SS\s0\fR" 4 +.IX Item "EXFLAG_SS" +The subject and issuer names match and extension values imply it is self +signed. +.IP "\fB\s-1EXFLAG_FRESHEST\s0\fR" 4 +.IX Item "EXFLAG_FRESHEST" +The freshest \s-1CRL\s0 extension is present in the certificate. +.IP "\fB\s-1EXFLAG_CRITICAL\s0\fR" 4 +.IX Item "EXFLAG_CRITICAL" +The certificate contains an unhandled critical extension. +.IP "\fB\s-1EXFLAG_INVALID\s0\fR" 4 +.IX Item "EXFLAG_INVALID" +Some certificate extension values are invalid or inconsistent. The +certificate should be rejected. +.IP "\fB\s-1EXFLAG_KUSAGE\s0\fR" 4 +.IX Item "EXFLAG_KUSAGE" +The certificate contains a key usage extension. The value can be retrieved +using \fIX509_get_key_usage()\fR. +.IP "\fB\s-1EXFLAG_XKUSAGE\s0\fR" 4 +.IX Item "EXFLAG_XKUSAGE" +The certificate contains an extended key usage extension. The value can be +retrieved using \fIX509_get_extended_key_usage()\fR. +.PP +\&\fIX509_get_key_usage()\fR returns the value of the key usage extension. If key +usage is present will return zero or more of the flags: +\&\fB\s-1KU_DIGITAL_SIGNATURE\s0\fR, \fB\s-1KU_NON_REPUDIATION\s0\fR, \fB\s-1KU_KEY_ENCIPHERMENT\s0\fR, +\&\fB\s-1KU_DATA_ENCIPHERMENT\s0\fR, \fB\s-1KU_KEY_AGREEMENT\s0\fR, \fB\s-1KU_KEY_CERT_SIGN\s0\fR, +\&\fB\s-1KU_CRL_SIGN\s0\fR, \fB\s-1KU_ENCIPHER_ONLY\s0\fR or \fB\s-1KU_DECIPHER_ONLY\s0\fR corresponding to +individual key usage bits. If key usage is absent then \fB\s-1UINT32_MAX\s0\fR is +returned. +.PP +\&\fIX509_get_extended_key_usage()\fR returns the value of the extended key usage +extension. If extended key usage is present it will return zero or more of the +flags: \fB\s-1XKU_SSL_SERVER\s0\fR, \fB\s-1XKU_SSL_CLIENT\s0\fR, \fB\s-1XKU_SMIME\s0\fR, \fB\s-1XKU_CODE_SIGN\s0\fR +\&\fB\s-1XKU_OCSP_SIGN\s0\fR, \fB\s-1XKU_TIMESTAMP\s0\fR, \fB\s-1XKU_DVCS\s0\fR or \fB\s-1XKU_ANYEKU\s0\fR. These +correspond to the OIDs \fBid-kp-serverAuth\fR, \fBid-kp-clientAuth\fR, +\&\fBid-kp-emailProtection\fR, \fBid-kp-codeSigning\fR, \fBid-kp-OCSPSigning\fR, +\&\fBid-kp-timeStamping\fR, \fBid-kp-dvcs\fR and \fBanyExtendedKeyUsage\fR respectively. +Additionally \fB\s-1XKU_SGC\s0\fR is set if either Netscape or Microsoft \s-1SGC\s0 OIDs are +present. +.PP +\&\fIX509_get0_subject_key_id()\fR returns an internal pointer to the subject key +identifier of \fBx\fR as an \fB\s-1ASN1_OCTET_STRING\s0\fR or \fB\s-1NULL\s0\fR if the extension +is not present or cannot be parsed. +.PP +\&\fIX509_get0_authority_key_id()\fR returns an internal pointer to the authority key +identifier of \fBx\fR as an \fB\s-1ASN1_OCTET_STRING\s0\fR or \fB\s-1NULL\s0\fR if the extension +is not present or cannot be parsed. +.PP +\&\fIX509_set_proxy_flag()\fR marks the certificate with the \fB\s-1EXFLAG_PROXY\s0\fR flag. +This is for the users who need to mark non\-RFC3820 proxy certificates as +such, as OpenSSL only detects \s-1RFC3820\s0 compliant ones. +.PP +\&\fIX509_set_proxy_pathlen()\fR sets the proxy certificate path length for the given +certificate \fBx\fR. This is for the users who need to mark non\-RFC3820 proxy +certificates as such, as OpenSSL only detects \s-1RFC3820\s0 compliant ones. +.PP +\&\fIX509_get_proxy_pathlen()\fR returns the proxy certificate path length for the +given certificate \fBx\fR if it is a proxy certificate. +.SH "NOTES" +.IX Header "NOTES" +The value of the flags correspond to extension values which are cached +in the \fBX509\fR structure. If the flags returned do not provide sufficient +information an application should examine extension values directly +for example using \fIX509_get_ext_d2i()\fR. +.PP +If the key usage or extended key usage extension is absent then typically usage +is unrestricted. For this reason \fIX509_get_key_usage()\fR and +\&\fIX509_get_extended_key_usage()\fR return \fB\s-1UINT32_MAX\s0\fR when the corresponding +extension is absent. Applications can additionally check the return value of +\&\fIX509_get_extension_flags()\fR and take appropriate action is an extension is +absent. +.PP +If \fIX509_get0_subject_key_id()\fR returns \fB\s-1NULL\s0\fR then the extension may be +absent or malformed. Applications can determine the precise reason using +\&\fIX509_get_ext_d2i()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_get_pathlen()\fR returns the path length value, or \-1 if the extension +is not present. +.PP +\&\fIX509_get_extension_flags()\fR, \fIX509_get_key_usage()\fR and +\&\fIX509_get_extended_key_usage()\fR return sets of flags corresponding to the +certificate extension values. +.PP +\&\fIX509_get0_subject_key_id()\fR returns the subject key identifier as a +pointer to an \fB\s-1ASN1_OCTET_STRING\s0\fR structure or \fB\s-1NULL\s0\fR if the extension +is absent or an error occurred during parsing. +.PP +\&\fIX509_get_proxy_pathlen()\fR returns the path length value if the given +certificate is a proxy one and has a path length set, and \-1 otherwise. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509_check_purpose\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIX509_get_pathlen()\fR, \fIX509_set_proxy_flag()\fR, \fIX509_set_proxy_pathlen()\fR and +\&\fIX509_get_proxy_pathlen()\fR were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_get_pubkey.3 b/secure/lib/libcrypto/man/X509_get_pubkey.3 new file mode 100644 index 000000000000..6153e38f8cff --- /dev/null +++ b/secure/lib/libcrypto/man/X509_get_pubkey.3 @@ -0,0 +1,211 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_GET_PUBKEY 3" +.TH X509_GET_PUBKEY 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_get_pubkey, X509_get0_pubkey, X509_set_pubkey, X509_get_X509_PUBKEY, X509_REQ_get_pubkey, X509_REQ_get0_pubkey, X509_REQ_set_pubkey, X509_REQ_get_X509_PUBKEY \- get or set certificate or certificate request public key +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& EVP_PKEY *X509_get_pubkey(X509 *x); +\& EVP_PKEY *X509_get0_pubkey(const X509 *x); +\& int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); +\& X509_PUBKEY *X509_get_X509_PUBKEY(X509 *x); +\& +\& EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); +\& EVP_PKEY *X509_REQ_get0_pubkey(X509_REQ *req); +\& int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey); +\& X509_PUBKEY *X509_REQ_get_X509_PUBKEY(X509_REQ *x); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_get_pubkey()\fR attempts to decode the public key for certificate \fBx\fR. If +successful it returns the public key as an \fB\s-1EVP_PKEY\s0\fR pointer with its +reference count incremented: this means the returned key must be freed up +after use. \fIX509_get0_pubkey()\fR is similar except it does \fBnot\fR increment +the reference count of the returned \fB\s-1EVP_PKEY\s0\fR so it must not be freed up +after use. +.PP +\&\fIX509_get_X509_PUBKEY()\fR returns an internal pointer to the \fBX509_PUBKEY\fR +structure which encodes the certificate of \fBx\fR. The returned value +must not be freed up after use. +.PP +\&\fIX509_set_pubkey()\fR attempts to set the public key for certificate \fBx\fR to +\&\fBpkey\fR. The key \fBpkey\fR should be freed up after use. +.PP +\&\fIX509_REQ_get_pubkey()\fR, \fIX509_REQ_get0_pubkey()\fR, \fIX509_REQ_set_pubkey()\fR and +\&\fIX509_REQ_get_X509_PUBKEY()\fR are similar but operate on certificate request \fBreq\fR. +.SH "NOTES" +.IX Header "NOTES" +The first time a public key is decoded the \fB\s-1EVP_PKEY\s0\fR structure is +cached in the certificate or certificate request itself. Subsequent calls +return the cached structure with its reference count incremented to +improve performance. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_get_pubkey()\fR, \fIX509_get0_pubkey()\fR, \fIX509_get_X509_PUBKEY()\fR, +\&\fIX509_REQ_get_pubkey()\fR and \fIX509_REQ_get_X509_PUBKEY()\fR return a public key or +\&\fB\s-1NULL\s0\fR if an error occurred. +.PP +\&\fIX509_set_pubkey()\fR and \fIX509_REQ_set_pubkey()\fR return 1 for success and 0 +for failure. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_get_version\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/x509.3 b/secure/lib/libcrypto/man/X509_get_serialNumber.3 similarity index 65% rename from secure/lib/libcrypto/man/x509.3 rename to secure/lib/libcrypto/man/X509_get_serialNumber.3 index e1279cad0b00..ba967d364800 100644 --- a/secure/lib/libcrypto/man/x509.3 +++ b/secure/lib/libcrypto/man/X509_get_serialNumber.3 @@ -128,67 +128,68 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "x509 3" -.TH x509 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_GET_SERIALNUMBER 3" +.TH X509_GET_SERIALNUMBER 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -x509 \- X.509 certificate handling +X509_get_serialNumber, X509_get0_serialNumber, X509_set_serialNumber \&\- get or set certificate serial number .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include +\& +\& ASN1_INTEGER *X509_get_serialNumber(X509 *x); +\& const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x); +\& int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -A X.509 certificate is a structured grouping of information about -an individual, a device, or anything one can imagine. A X.509 \s-1CRL\s0 -(certificate revocation list) is a tool to help determine if a -certificate is still valid. The exact definition of those can be -found in the X.509 document from ITU-T, or in \s-1RFC3280\s0 from \s-1PKIX.\s0 -In OpenSSL, the type X509 is used to express such a certificate, and -the type X509_CRL is used to express a \s-1CRL.\s0 +\&\fIX509_get_serialNumber()\fR returns the serial number of certificate \fBx\fR as an +\&\fB\s-1ASN1_INTEGER\s0\fR structure which can be examined or initialised. The value +returned is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed up after the call. .PP -A related structure is a certificate request, defined in PKCS#10 from -\&\s-1RSA\s0 Security, Inc, also reflected in \s-1RFC2896.\s0 In OpenSSL, the type -X509_REQ is used to express such a certificate request. +\&\fIX509_get0_serialNumber()\fR is the same as \fIX509_get_serialNumber()\fR except it +accepts a const parameter and returns a const result. .PP -To handle some complex parts of a certificate, there are the types -X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express -a certificate attributes), X509_EXTENSION (to express a certificate -extension) and a few more. +\&\fIX509_set_serialNumber()\fR sets the serial number of certificate \fBx\fR to +\&\fBserial\fR. A copy of the serial number is used internally so \fBserial\fR should +be freed up after use. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_get_serialNumber()\fR and \fIX509_get0_serialNumber()\fR return an \fB\s-1ASN1_INTEGER\s0\fR +structure. .PP -Finally, there's the supertype X509_INFO, which can contain a \s-1CRL,\s0 a -certificate and a corresponding private key. -.PP -\&\fBX509_\fR\fI...\fR, \fBd2i_X509_\fR\fI...\fR and \fBi2d_X509_\fR\fI...\fR handle X.509 -certificates, with some exceptions, shown below. -.PP -\&\fBX509_CRL_\fR\fI...\fR, \fBd2i_X509_CRL_\fR\fI...\fR and \fBi2d_X509_CRL_\fR\fI...\fR -handle X.509 CRLs. -.PP -\&\fBX509_REQ_\fR\fI...\fR, \fBd2i_X509_REQ_\fR\fI...\fR and \fBi2d_X509_REQ_\fR\fI...\fR -handle PKCS#10 certificate requests. -.PP -\&\fBX509_NAME_\fR\fI...\fR handle certificate names. -.PP -\&\fBX509_ATTRIBUTE_\fR\fI...\fR handle certificate attributes. -.PP -\&\fBX509_EXTENSION_\fR\fI...\fR handle certificate extensions. +\&\fIX509_set_serialNumber()\fR returns 1 for success and 0 for failure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIX509_NAME_ENTRY_get_object\fR\|(3), -\&\fIX509_NAME_add_entry_by_txt\fR\|(3), -\&\fIX509_NAME_add_entry_by_NID\fR\|(3), -\&\fIX509_NAME_print_ex\fR\|(3), -\&\fIX509_NAME_new\fR\|(3), \&\fId2i_X509\fR\|(3), -\&\fId2i_X509_ALGOR\fR\|(3), -\&\fId2i_X509_CRL\fR\|(3), -\&\fId2i_X509_NAME\fR\|(3), -\&\fId2i_X509_REQ\fR\|(3), -\&\fId2i_X509_SIG\fR\|(3), -\&\fIcrypto\fR\|(3), -\&\fIx509v3\fR\|(3) +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIX509_get_serialNumber()\fR and \fIX509_set_serialNumber()\fR are available in +all versions of OpenSSL. \fIX509_get0_serialNumber()\fR was added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_get_subject_name.3 b/secure/lib/libcrypto/man/X509_get_subject_name.3 new file mode 100644 index 000000000000..aeddc0f3c36b --- /dev/null +++ b/secure/lib/libcrypto/man/X509_get_subject_name.3 @@ -0,0 +1,210 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_GET_SUBJECT_NAME 3" +.TH X509_GET_SUBJECT_NAME 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_get_subject_name, X509_set_subject_name, X509_get_issuer_name, X509_set_issuer_name, X509_REQ_get_subject_name, X509_REQ_set_subject_name, X509_CRL_get_issuer, X509_CRL_set_issuer_name \- get and set issuer or subject names +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509_NAME *X509_get_subject_name(const X509 *x); +\& int X509_set_subject_name(X509 *x, X509_NAME *name); +\& +\& X509_NAME *X509_get_issuer_name(const X509 *x); +\& int X509_set_issuer_name(X509 *x, X509_NAME *name); +\& +\& X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); +\& int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name); +\& +\& X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); +\& int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_get_subject_name()\fR returns the subject name of certificate \fBx\fR. The +returned value is an internal pointer which \fB\s-1MUST NOT\s0\fR be freed. +.PP +\&\fIX509_set_subject_name()\fR sets the issuer name of certificate \fBx\fR to +\&\fBname\fR. The \fBname\fR parameter is copied internally and should be freed +up when it is no longer needed. +.PP +\&\fIX509_get_issuer_name()\fR and \fIX509_set_issuer_name()\fR are identical to +\&\fIX509_get_subject_name()\fR and \fIX509_set_subject_name()\fR except the get and +set the issuer name of \fBx\fR. +.PP +Similarly \fIX509_REQ_get_subject_name()\fR, \fIX509_REQ_set_subject_name()\fR, +\&\fIX509_CRL_get_issuer()\fR and \fIX509_CRL_set_issuer_name()\fR get or set the subject +or issuer names of certificate requests of CRLs respectively. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_get_subject_name()\fR, \fIX509_get_issuer_name()\fR, \fIX509_REQ_get_subject_name()\fR +and \fIX509_CRL_get_issuer()\fR return an \fBX509_NAME\fR pointer. +.PP +\&\fIX509_set_subject_name()\fR, \fIX509_set_issuer_name()\fR, \fIX509_REQ_set_subject_name()\fR +and \fIX509_CRL_set_issuer_name()\fR return 1 for success and 0 for failure. +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIX509_REQ_get_subject_name()\fR is a function in OpenSSL 1.1.0 and a macro in +earlier versions. +.PP +\&\fIX509_CRL_get_issuer()\fR is a function in OpenSSL 1.1.0. It was first added +to OpenSSL 1.0.0 as a macro. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), \fId2i_X509\fR\|(3) +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 b/secure/lib/libcrypto/man/X509_get_version.3 similarity index 59% rename from secure/lib/libcrypto/man/d2i_RSAPublicKey.3 rename to secure/lib/libcrypto/man/X509_get_version.3 index d944cf90fdaf..9397b4c8c702 100644 --- a/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 +++ b/secure/lib/libcrypto/man/X509_get_version.3 @@ -128,68 +128,80 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_RSAPublicKey 3" -.TH d2i_RSAPublicKey 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_GET_VERSION 3" +.TH X509_GET_VERSION 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_RSAPublicKey, i2d_RSAPublicKey, d2i_RSAPrivateKey, i2d_RSAPrivateKey, -d2i_RSA_PUBKEY, i2d_RSA_PUBKEY, i2d_Netscape_RSA, -d2i_Netscape_RSA \- RSA public and private key encoding functions. +X509_get_version, X509_set_version, X509_REQ_get_version, X509_REQ_set_version, X509_CRL_get_version, X509_CRL_set_version \- get or set certificate, certificate request or CRL version .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 2 -\& #include +.Vb 1 \& #include \& -\& RSA * d2i_RSAPublicKey(RSA **a, const unsigned char **pp, long length); +\& long X509_get_version(const X509 *x); +\& int X509_set_version(X509 *x, long version); \& -\& int i2d_RSAPublicKey(RSA *a, unsigned char **pp); +\& long X509_REQ_get_version(const X509_REQ *req); +\& int X509_REQ_set_version(X509_REQ *x, long version); \& -\& RSA * d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp, long length); -\& -\& int i2d_RSA_PUBKEY(RSA *a, unsigned char **pp); -\& -\& RSA * d2i_RSAPrivateKey(RSA **a, const unsigned char **pp, long length); -\& -\& int i2d_RSAPrivateKey(RSA *a, unsigned char **pp); -\& -\& int i2d_Netscape_RSA(RSA *a, unsigned char **pp, int (*cb)()); -\& -\& RSA * d2i_Netscape_RSA(RSA **a, const unsigned char **pp, long length, int (*cb)()); +\& long X509_CRL_get_version(const X509_CRL *crl); +\& int X509_CRL_set_version(X509_CRL *x, long version); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -\&\fId2i_RSAPublicKey()\fR and \fIi2d_RSAPublicKey()\fR decode and encode a PKCS#1 RSAPublicKey -structure. +\&\fIX509_get_version()\fR returns the numerical value of the version field of +certificate \fBx\fR. Note: this is defined by standards (X.509 et al) to be one +less than the certificate version. So a version 3 certificate will return 2 and +a version 1 certificate will return 0. .PP -\&\fId2i_RSA_PUBKEY()\fR and \fIi2d_RSA_PUBKEY()\fR decode and encode an \s-1RSA\s0 public key using -a SubjectPublicKeyInfo (certificate public key) structure. +\&\fIX509_set_version()\fR sets the numerical value of the version field of certificate +\&\fBx\fR to \fBversion\fR. .PP -\&\fId2i_RSAPrivateKey()\fR, \fIi2d_RSAPrivateKey()\fR decode and encode a PKCS#1 RSAPrivateKey -structure. -.PP -\&\fId2i_Netscape_RSA()\fR, \fIi2d_Netscape_RSA()\fR decode and encode an \s-1RSA\s0 private key in -\&\s-1NET\s0 format. -.PP -The usage of all of these functions is similar to the \fId2i_X509()\fR and -\&\fIi2d_X509()\fR described in the \fId2i_X509\fR\|(3) manual page. +Similarly \fIX509_REQ_get_version()\fR, \fIX509_REQ_set_version()\fR, +\&\fIX509_CRL_get_version()\fR and \fIX509_CRL_set_version()\fR get and set the version +number of certificate requests and CRLs. .SH "NOTES" .IX Header "NOTES" -The \fB\s-1RSA\s0\fR structure passed to the private key encoding functions should have -all the PKCS#1 private key components present. +The version field of certificates, certificate requests and CRLs has a +\&\s-1DEFAULT\s0 value of \fB\f(BIv1\fB\|(0)\fR meaning the field should be omitted for version +1. This is handled transparently by these functions. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_get_version()\fR, \fIX509_REQ_get_version()\fR and \fIX509_CRL_get_version()\fR +return the numerical value of the version field. .PP -The data encoded by the private key functions is unencrypted and therefore -offers no private key security. -.PP -The \s-1NET\s0 format functions are present to provide compatibility with certain very -old software. This format has some severe security weaknesses and should be -avoided if possible. +\&\fIX509_set_version()\fR, \fIX509_REQ_set_version()\fR and \fIX509_CRL_set_version()\fR +return 1 for success and 0 for failure. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fId2i_X509\fR\|(3) +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -\&\s-1TBA\s0 +\&\fIX509_get_version()\fR, \fIX509_REQ_get_version()\fR and \fIX509_CRL_get_version()\fR are +functions in OpenSSL 1.1.0, in previous versions they were macros. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_new.3 b/secure/lib/libcrypto/man/X509_new.3 index 36a246af15c7..1f44f70fd4cb 100644 --- a/secure/lib/libcrypto/man/X509_new.3 +++ b/secure/lib/libcrypto/man/X509_new.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_new 3" -.TH X509_new 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_NEW 3" +.TH X509_NEW 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_new, X509_free \- X509 certificate ASN1 allocation functions +X509_chain_up_ref, X509_new, X509_free, X509_up_ref \- X509 certificate ASN1 allocation functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -143,25 +143,67 @@ X509_new, X509_free \- X509 certificate ASN1 allocation functions \& \& X509 *X509_new(void); \& void X509_free(X509 *a); +\& int X509_up_ref(X509 *a); +\& STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *x); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The X509 \s-1ASN1\s0 allocation routines, allocate and free an X509 structure, which represents an X509 certificate. .PP -\&\fIX509_new()\fR allocates and initializes a X509 structure. +\&\fIX509_new()\fR allocates and initializes a X509 structure with reference count +\&\fB1\fR. .PP -\&\fIX509_free()\fR frees up the \fBX509\fR structure \fBa\fR. +\&\fIX509_free()\fR decrements the reference count of \fBX509\fR structure \fBa\fR and +frees it up if the reference count is zero. If \fBa\fR is \s-1NULL\s0 nothing is done. +.PP +\&\fIX509_up_ref()\fR increments the reference count of \fBa\fR. +.PP +\&\fIX509_chain_up_ref()\fR increases the reference count of all certificates in +chain \fBx\fR and returns a copy of the stack. +.SH "NOTES" +.IX Header "NOTES" +The function \fIX509_up_ref()\fR if useful if a certificate structure is being +used by several different operations each of which will free it up after +use: this avoids the need to duplicate the entire certificate structure. +.PP +The function \fIX509_chain_up_ref()\fR doesn't just up the reference count of +each certificate it also returns a copy of the stack, using \fIsk_X509_dup()\fR, +but it serves a similar purpose: the returned chain persists after the +original has been freed. .SH "RETURN VALUES" .IX Header "RETURN VALUES" If the allocation fails, \fIX509_new()\fR returns \fB\s-1NULL\s0\fR and sets an error code that can be obtained by \fIERR_get_error\fR\|(3). Otherwise it returns a pointer to the newly allocated structure. .PP -\&\fIX509_free()\fR returns no value. +\&\fIX509_up_ref()\fR returns 1 for success and 0 for failure. +.PP +\&\fIX509_chain_up_ref()\fR returns a copy of the stack or \fB\s-1NULL\s0\fR if an error +occurred. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3), \fId2i_X509\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIX509_new()\fR and \fIX509_free()\fR are available in all versions of SSLeay and OpenSSL. +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_get_version\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_sign.3 b/secure/lib/libcrypto/man/X509_sign.3 new file mode 100644 index 000000000000..7ec94661862b --- /dev/null +++ b/secure/lib/libcrypto/man/X509_sign.3 @@ -0,0 +1,223 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509_SIGN 3" +.TH X509_SIGN 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509_sign, X509_sign_ctx, X509_verify, X509_REQ_sign, X509_REQ_sign_ctx, X509_REQ_verify, X509_CRL_sign, X509_CRL_sign_ctx, X509_CRL_verify \- sign or verify certificate, certificate request or CRL signature +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); +\& int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx); +\& int X509_verify(X509 *a, EVP_PKEY *r); +\& +\& int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md); +\& int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx); +\& int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r); +\& +\& int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md); +\& int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx); +\& int X509_CRL_verify(X509_CRL *a, EVP_PKEY *r); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509_sign()\fR signs certificate \fBx\fR using private key \fBpkey\fR and message +digest \fBmd\fR and sets the signature in \fBx\fR. \fIX509_sign_ctx()\fR also signs +certificate \fBx\fR but uses the parameters contained in digest context \fBctx\fR. +.PP +\&\fIX509_verify()\fR verifies the signature of certificate \fBx\fR using public key +\&\fBpkey\fR. Only the signature is checked: no other checks (such as certificate +chain validity) are performed. +.PP +\&\fIX509_REQ_sign()\fR, \fIX509_REQ_sign_ctx()\fR, \fIX509_REQ_verify()\fR, +\&\fIX509_CRL_sign()\fR, \fIX509_CRL_sign_ctx()\fR and \fIX509_CRL_verify()\fR sign and verify +certificate requests and CRLs respectively. +.SH "NOTES" +.IX Header "NOTES" +\&\fIX509_sign_ctx()\fR is used where the default parameters for the corresponding +public key and digest are not suitable. It can be used to sign keys using +RSA-PSS for example. +.PP +For efficiency reasons and to work around \s-1ASN.1\s0 encoding issues the encoding +of the signed portion of a certificate, certificate request and \s-1CRL\s0 is cached +internally. If the signed portion of the structure is modified the encoding +is not always updated meaning a stale version is sometimes used. This is not +normally a problem because modifying the signed portion will invalidate the +signature and signing will always update the encoding. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509_sign()\fR, \fIX509_sign_ctx()\fR, \fIX509_REQ_sign()\fR, \fIX509_REQ_sign_ctx()\fR, +\&\fIX509_CRL_sign()\fR and \fIX509_CRL_sign_ctx()\fR return the size of the signature +in bytes for success and zero for failure. +.PP +\&\fIX509_verify()\fR, \fIX509_REQ_verify()\fR and \fIX509_CRL_verify()\fR return 1 if the +signature is valid and 0 if the signature check fails. If the signature +could not be checked at all because it was invalid or some other error +occurred then \-1 is returned. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fId2i_X509\fR\|(3), +\&\fIERR_get_error\fR\|(3), +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_get_version\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +\&\fIX509_sign()\fR, \fIX509_REQ_sign()\fR and \fIX509_CRL_sign()\fR are available in all +versions of OpenSSL. +.PP +\&\fIX509_sign_ctx()\fR, \fIX509_REQ_sign_ctx()\fR and \fIX509_CRL_sign_ctx()\fR were first added +to OpenSSL 1.0.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509_verify_cert.3 b/secure/lib/libcrypto/man/X509_verify_cert.3 index c69e39b75464..7780519d72a2 100644 --- a/secure/lib/libcrypto/man/X509_verify_cert.3 +++ b/secure/lib/libcrypto/man/X509_verify_cert.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "X509_verify_cert 3" -.TH X509_verify_cert 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "X509_VERIFY_CERT 3" +.TH X509_VERIFY_CERT 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -X509_verify_cert \- discover and verify X509 certificte chain +X509_verify_cert \- discover and verify X509 certificate chain .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -172,10 +172,15 @@ Applications must check for <= 0 return value on error. .SH "BUGS" .IX Header "BUGS" This function uses the header \fBx509.h\fR as opposed to most chain verification -functiosn which use \fBx509_vfy.h\fR. +functions which use \fBx509_vfy.h\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIX509_STORE_CTX_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fIX509_verify_cert()\fR is available in all versions of SSLeay and OpenSSL. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2009\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/X509v3_get_ext_by_NID.3 b/secure/lib/libcrypto/man/X509v3_get_ext_by_NID.3 new file mode 100644 index 000000000000..e4aad4140b62 --- /dev/null +++ b/secure/lib/libcrypto/man/X509v3_get_ext_by_NID.3 @@ -0,0 +1,260 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "X509V3_GET_EXT_BY_NID 3" +.TH X509V3_GET_EXT_BY_NID 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +X509v3_get_ext_count, X509v3_get_ext, X509v3_get_ext_by_NID, X509v3_get_ext_by_OBJ, X509v3_get_ext_by_critical, X509v3_delete_ext, X509v3_add_ext, X509_get_ext_count, X509_get_ext, X509_get_ext_by_NID, X509_get_ext_by_OBJ, X509_get_ext_by_critical, X509_delete_ext, X509_add_ext, X509_CRL_get_ext_count, X509_CRL_get_ext, X509_CRL_get_ext_by_NID, X509_CRL_get_ext_by_OBJ, X509_CRL_get_ext_by_critical, X509_CRL_delete_ext, X509_CRL_add_ext, X509_REVOKED_get_ext_count, X509_REVOKED_get_ext, X509_REVOKED_get_ext_by_NID, X509_REVOKED_get_ext_by_OBJ, X509_REVOKED_get_ext_by_critical, X509_REVOKED_delete_ext, X509_REVOKED_add_ext \- extension stack utility functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); +\& X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc); +\& +\& int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, +\& int nid, int lastpos); +\& int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x, +\& const ASN1_OBJECT *obj, int lastpos); +\& int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x, +\& int crit, int lastpos); +\& X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc); +\& STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, +\& X509_EXTENSION *ex, int loc); +\& +\& int X509_get_ext_count(const X509 *x); +\& X509_EXTENSION *X509_get_ext(const X509 *x, int loc); +\& int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos); +\& int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos); +\& int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos); +\& X509_EXTENSION *X509_delete_ext(X509 *x, int loc); +\& int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); +\& +\& int X509_CRL_get_ext_count(const X509_CRL *x); +\& X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc); +\& int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos); +\& int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj, int lastpos); +\& int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos); +\& X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); +\& int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc); +\& +\& int X509_REVOKED_get_ext_count(const X509_REVOKED *x); +\& X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc); +\& int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos); +\& int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj, +\& int lastpos); +\& int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, int lastpos); +\& X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc); +\& int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +\&\fIX509v3_get_ext_count()\fR retrieves the number of extensions in \fBx\fR. +.PP +\&\fIX509v3_get_ext()\fR retrieves extension \fBloc\fR from \fBx\fR. The index \fBloc\fR +can take any value from \fB0\fR to X509_get_ext_count(x) \- 1. The returned +extension is an internal pointer which \fBmust not\fR be freed up by the +application. +.PP +\&\fIX509v3_get_ext_by_NID()\fR and \fIX509v3_get_ext_by_OBJ()\fR look for an extension +with \fBnid\fR or \fBobj\fR from extension stack \fBx\fR. The search starts from the +extension after \fBlastpos\fR or from the beginning if is \fB\-1\fR. If +the extension is found its index is returned otherwise \fB\-1\fR is returned. +.PP +\&\fIX509v3_get_ext_by_critical()\fR is similar to \fIX509v3_get_ext_by_NID()\fR except it +looks for an extension of criticality \fBcrit\fR. A zero value for \fBcrit\fR +looks for a non-critical extension a non-zero value looks for a critical +extension. +.PP +\&\fIX509v3_delete_ext()\fR deletes the extension with index \fBloc\fR from \fBx\fR. The +deleted extension is returned and must be freed by the caller. If \fBloc\fR +is in invalid index value \fB\s-1NULL\s0\fR is returned. +.PP +\&\fIX509v3_add_ext()\fR adds extension \fBex\fR to stack \fB*x\fR at position \fBloc\fR. If +\&\fBloc\fR is \fB\-1\fR the new extension is added to the end. If \fB*x\fR is \fB\s-1NULL\s0\fR +a new stack will be allocated. The passed extension \fBex\fR is duplicated +internally so it must be freed after use. +.PP +\&\fIX509_get_ext_count()\fR, \fIX509_get_ext()\fR, \fIX509_get_ext_by_NID()\fR, +\&\fIX509_get_ext_by_OBJ()\fR, \fIX509_get_ext_by_critical()\fR, \fIX509_delete_ext()\fR +and \fIX509_add_ext()\fR operate on the extensions of certificate \fBx\fR they are +otherwise identical to the X509v3 functions. +.PP +\&\fIX509_CRL_get_ext_count()\fR, \fIX509_CRL_get_ext()\fR, \fIX509_CRL_get_ext_by_NID()\fR, +\&\fIX509_CRL_get_ext_by_OBJ()\fR, \fIX509_CRL_get_ext_by_critical()\fR, +\&\fIX509_CRL_delete_ext()\fR and \fIX509_CRL_add_ext()\fR operate on the extensions of +\&\s-1CRL\s0 \fBx\fR they are otherwise identical to the X509v3 functions. +.PP +\&\fIX509_REVOKED_get_ext_count()\fR, \fIX509_REVOKED_get_ext()\fR, +\&\fIX509_REVOKED_get_ext_by_NID()\fR, \fIX509_REVOKED_get_ext_by_OBJ()\fR, +\&\fIX509_REVOKED_get_ext_by_critical()\fR, \fIX509_REVOKED_delete_ext()\fR and +\&\fIX509_REVOKED_add_ext()\fR operate on the extensions of \s-1CRL\s0 entry \fBx\fR +they are otherwise identical to the X509v3 functions. +.SH "NOTES" +.IX Header "NOTES" +These functions are used to examine stacks of extensions directly. Many +applications will want to parse or encode and add an extension: they should +use the extension encode and decode functions instead such as +\&\fIX509_add1_ext_i2d()\fR and \fIX509_get_ext_d2i()\fR. +.PP +Extension indices start from zero, so a zero index return value is \fBnot\fR an +error. These search functions start from the extension \fBafter\fR the \fBlastpos\fR +parameter so it should initially be set to \fB\-1\fR, if it is set to zero the +initial extension will not be checked. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fIX509v3_get_ext_count()\fR returns the extension count. +.PP +\&\fIX509v3_get_ext()\fR, \fIX509v3_delete_ext()\fR and \fIX509_delete_ext()\fR return an +\&\fBX509_EXTENSION\fR pointer or \fB\s-1NULL\s0\fR if an error occurs. +.PP +\&\fIX509v3_get_ext_by_NID()\fR \fIX509v3_get_ext_by_OBJ()\fR and +\&\fIX509v3_get_ext_by_critical()\fR return the an extension index or \fB\-1\fR if an +error occurs. +.PP +\&\fIX509v3_add_ext()\fR returns a stack of extensions or \fB\s-1NULL\s0\fR on error. +.PP +\&\fIX509_add_ext()\fR returns 1 on success and 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIX509V3_get_d2i\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2015\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/bio.3 b/secure/lib/libcrypto/man/bio.3 deleted file mode 100644 index 43fe8a32efb3..000000000000 --- a/secure/lib/libcrypto/man/bio.3 +++ /dev/null @@ -1,185 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "bio 3" -.TH bio 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -bio \- I/O abstraction -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -.Ve -.PP -\&\s-1TBA\s0 -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -A \s-1BIO\s0 is an I/O abstraction, it hides many of the underlying I/O -details from an application. If an application uses a \s-1BIO\s0 for its -I/O it can transparently handle \s-1SSL\s0 connections, unencrypted network -connections and file I/O. -.PP -There are two type of \s-1BIO,\s0 a source/sink \s-1BIO\s0 and a filter \s-1BIO.\s0 -.PP -As its name implies a source/sink \s-1BIO\s0 is a source and/or sink of data, -examples include a socket \s-1BIO\s0 and a file \s-1BIO.\s0 -.PP -A filter \s-1BIO\s0 takes data from one \s-1BIO\s0 and passes it through to -another, or the application. The data may be left unmodified (for -example a message digest \s-1BIO\s0) or translated (for example an -encryption \s-1BIO\s0). The effect of a filter \s-1BIO\s0 may change according -to the I/O operation it is performing: for example an encryption -\&\s-1BIO\s0 will encrypt data if it is being written to and decrypt data -if it is being read from. -.PP -BIOs can be joined together to form a chain (a single \s-1BIO\s0 is a chain -with one component). A chain normally consist of one source/sink -\&\s-1BIO\s0 and one or more filter BIOs. Data read from or written to the -first \s-1BIO\s0 then traverses the chain to the end (normally a source/sink -\&\s-1BIO\s0). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIBIO_ctrl\fR\|(3), -\&\fIBIO_f_base64\fR\|(3), \fIBIO_f_buffer\fR\|(3), -\&\fIBIO_f_cipher\fR\|(3), \fIBIO_f_md\fR\|(3), -\&\fIBIO_f_null\fR\|(3), \fIBIO_f_ssl\fR\|(3), -\&\fIBIO_find_type\fR\|(3), \fIBIO_new\fR\|(3), -\&\fIBIO_new_bio_pair\fR\|(3), -\&\fIBIO_push\fR\|(3), \fIBIO_read\fR\|(3), -\&\fIBIO_s_accept\fR\|(3), \fIBIO_s_bio\fR\|(3), -\&\fIBIO_s_connect\fR\|(3), \fIBIO_s_fd\fR\|(3), -\&\fIBIO_s_file\fR\|(3), \fIBIO_s_mem\fR\|(3), -\&\fIBIO_s_null\fR\|(3), \fIBIO_s_socket\fR\|(3), -\&\fIBIO_set_callback\fR\|(3), -\&\fIBIO_should_retry\fR\|(3) diff --git a/secure/lib/libcrypto/man/bn.3 b/secure/lib/libcrypto/man/bn.3 deleted file mode 100644 index d8c1e8e21a05..000000000000 --- a/secure/lib/libcrypto/man/bn.3 +++ /dev/null @@ -1,311 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "bn 3" -.TH bn 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -bn \- multiprecision integer arithmetics -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& BIGNUM *BN_new(void); -\& void BN_free(BIGNUM *a); -\& void BN_init(BIGNUM *); -\& void BN_clear(BIGNUM *a); -\& void BN_clear_free(BIGNUM *a); -\& -\& BN_CTX *BN_CTX_new(void); -\& void BN_CTX_init(BN_CTX *c); -\& void BN_CTX_free(BN_CTX *c); -\& -\& BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b); -\& BIGNUM *BN_dup(const BIGNUM *a); -\& -\& BIGNUM *BN_swap(BIGNUM *a, BIGNUM *b); -\& -\& int BN_num_bytes(const BIGNUM *a); -\& int BN_num_bits(const BIGNUM *a); -\& int BN_num_bits_word(BN_ULONG w); -\& -\& void BN_set_negative(BIGNUM *a, int n); -\& int BN_is_negative(const BIGNUM *a); -\& -\& int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -\& int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -\& int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); -\& int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx); -\& int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d, -\& BN_CTX *ctx); -\& int BN_mod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -\& int BN_nnmod(BIGNUM *rem, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -\& int BN_mod_add(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, -\& BN_CTX *ctx); -\& int BN_mod_sub(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, -\& BN_CTX *ctx); -\& int BN_mod_mul(BIGNUM *ret, BIGNUM *a, BIGNUM *b, const BIGNUM *m, -\& BN_CTX *ctx); -\& int BN_mod_sqr(BIGNUM *ret, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -\& int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); -\& int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, -\& const BIGNUM *m, BN_CTX *ctx); -\& int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); -\& -\& int BN_add_word(BIGNUM *a, BN_ULONG w); -\& int BN_sub_word(BIGNUM *a, BN_ULONG w); -\& int BN_mul_word(BIGNUM *a, BN_ULONG w); -\& BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w); -\& BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w); -\& -\& int BN_cmp(BIGNUM *a, BIGNUM *b); -\& int BN_ucmp(BIGNUM *a, BIGNUM *b); -\& int BN_is_zero(BIGNUM *a); -\& int BN_is_one(BIGNUM *a); -\& int BN_is_word(BIGNUM *a, BN_ULONG w); -\& int BN_is_odd(BIGNUM *a); -\& -\& int BN_zero(BIGNUM *a); -\& int BN_one(BIGNUM *a); -\& const BIGNUM *BN_value_one(void); -\& int BN_set_word(BIGNUM *a, unsigned long w); -\& unsigned long BN_get_word(BIGNUM *a); -\& -\& int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); -\& int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); -\& int BN_rand_range(BIGNUM *rnd, BIGNUM *range); -\& int BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range); -\& -\& BIGNUM *BN_generate_prime(BIGNUM *ret, int bits,int safe, BIGNUM *add, -\& BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); -\& int BN_is_prime(const BIGNUM *p, int nchecks, -\& void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg); -\& -\& int BN_set_bit(BIGNUM *a, int n); -\& int BN_clear_bit(BIGNUM *a, int n); -\& int BN_is_bit_set(const BIGNUM *a, int n); -\& int BN_mask_bits(BIGNUM *a, int n); -\& int BN_lshift(BIGNUM *r, const BIGNUM *a, int n); -\& int BN_lshift1(BIGNUM *r, BIGNUM *a); -\& int BN_rshift(BIGNUM *r, BIGNUM *a, int n); -\& int BN_rshift1(BIGNUM *r, BIGNUM *a); -\& -\& int BN_bn2bin(const BIGNUM *a, unsigned char *to); -\& BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret); -\& char *BN_bn2hex(const BIGNUM *a); -\& char *BN_bn2dec(const BIGNUM *a); -\& int BN_hex2bn(BIGNUM **a, const char *str); -\& int BN_dec2bn(BIGNUM **a, const char *str); -\& int BN_print(BIO *fp, const BIGNUM *a); -\& int BN_print_fp(FILE *fp, const BIGNUM *a); -\& int BN_bn2mpi(const BIGNUM *a, unsigned char *to); -\& BIGNUM *BN_mpi2bn(unsigned char *s, int len, BIGNUM *ret); -\& -\& BIGNUM *BN_mod_inverse(BIGNUM *r, BIGNUM *a, const BIGNUM *n, -\& BN_CTX *ctx); -\& -\& BN_RECP_CTX *BN_RECP_CTX_new(void); -\& void BN_RECP_CTX_init(BN_RECP_CTX *recp); -\& void BN_RECP_CTX_free(BN_RECP_CTX *recp); -\& int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *m, BN_CTX *ctx); -\& int BN_mod_mul_reciprocal(BIGNUM *r, BIGNUM *a, BIGNUM *b, -\& BN_RECP_CTX *recp, BN_CTX *ctx); -\& -\& BN_MONT_CTX *BN_MONT_CTX_new(void); -\& void BN_MONT_CTX_init(BN_MONT_CTX *ctx); -\& void BN_MONT_CTX_free(BN_MONT_CTX *mont); -\& int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *m, BN_CTX *ctx); -\& BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from); -\& int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b, -\& BN_MONT_CTX *mont, BN_CTX *ctx); -\& int BN_from_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont, -\& BN_CTX *ctx); -\& int BN_to_montgomery(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mont, -\& BN_CTX *ctx); -\& -\& BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, -\& BIGNUM *mod); -\& void BN_BLINDING_free(BN_BLINDING *b); -\& int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx); -\& int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); -\& int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); -\& int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, -\& BN_CTX *ctx); -\& int BN_BLINDING_invert_ex(BIGNUM *n,const BIGNUM *r,BN_BLINDING *b, -\& BN_CTX *ctx); -\& unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); -\& void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); -\& unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); -\& void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); -\& BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, -\& const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, -\& int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -\& const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), -\& BN_MONT_CTX *m_ctx); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This library performs arithmetic operations on integers of arbitrary -size. It was written for use in public key cryptography, such as \s-1RSA\s0 -and Diffie-Hellman. -.PP -It uses dynamic memory allocation for storing its data structures. -That means that there is no limit on the size of the numbers -manipulated by these functions, but return values must always be -checked in case a memory allocation error has occurred. -.PP -The basic object in this library is a \fB\s-1BIGNUM\s0\fR. It is used to hold a -single large integer. This type should be considered opaque and fields -should not be modified or accessed directly. -.PP -The creation of \fB\s-1BIGNUM\s0\fR objects is described in \fIBN_new\fR\|(3); -\&\fIBN_add\fR\|(3) describes most of the arithmetic operations. -Comparison is described in \fIBN_cmp\fR\|(3); \fIBN_zero\fR\|(3) -describes certain assignments, \fIBN_rand\fR\|(3) the generation of -random numbers, \fIBN_generate_prime\fR\|(3) deals with prime -numbers and \fIBN_set_bit\fR\|(3) with bit operations. The conversion -of \fB\s-1BIGNUM\s0\fRs to external formats is described in \fIBN_bn2bin\fR\|(3). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIbn_internal\fR\|(3), -\&\fIdh\fR\|(3), \fIerr\fR\|(3), \fIrand\fR\|(3), \fIrsa\fR\|(3), -\&\fIBN_new\fR\|(3), \fIBN_CTX_new\fR\|(3), -\&\fIBN_copy\fR\|(3), \fIBN_swap\fR\|(3), \fIBN_num_bytes\fR\|(3), -\&\fIBN_add\fR\|(3), \fIBN_add_word\fR\|(3), -\&\fIBN_cmp\fR\|(3), \fIBN_zero\fR\|(3), \fIBN_rand\fR\|(3), -\&\fIBN_generate_prime\fR\|(3), \fIBN_set_bit\fR\|(3), -\&\fIBN_bn2bin\fR\|(3), \fIBN_mod_inverse\fR\|(3), -\&\fIBN_mod_mul_reciprocal\fR\|(3), -\&\fIBN_mod_mul_montgomery\fR\|(3), -\&\fIBN_BLINDING_new\fR\|(3) diff --git a/secure/lib/libcrypto/man/bn_internal.3 b/secure/lib/libcrypto/man/bn_internal.3 deleted file mode 100644 index 73cc04dd564a..000000000000 --- a/secure/lib/libcrypto/man/bn_internal.3 +++ /dev/null @@ -1,365 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "bn_internal 3" -.TH bn_internal 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -bn_mul_words, bn_mul_add_words, bn_sqr_words, bn_div_words, -bn_add_words, bn_sub_words, bn_mul_comba4, bn_mul_comba8, -bn_sqr_comba4, bn_sqr_comba8, bn_cmp_words, bn_mul_normal, -bn_mul_low_normal, bn_mul_recursive, bn_mul_part_recursive, -bn_mul_low_recursive, bn_mul_high, bn_sqr_normal, bn_sqr_recursive, -bn_expand, bn_wexpand, bn_expand2, bn_fix_top, bn_check_top, -bn_print, bn_dump, bn_set_max, bn_set_high, bn_set_low \- BIGNUM -library internal functions -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w); -\& BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, -\& BN_ULONG w); -\& void bn_sqr_words(BN_ULONG *rp, BN_ULONG *ap, int num); -\& BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d); -\& BN_ULONG bn_add_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp, -\& int num); -\& BN_ULONG bn_sub_words(BN_ULONG *rp, BN_ULONG *ap, BN_ULONG *bp, -\& int num); -\& -\& void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); -\& void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); -\& void bn_sqr_comba4(BN_ULONG *r, BN_ULONG *a); -\& void bn_sqr_comba8(BN_ULONG *r, BN_ULONG *a); -\& -\& int bn_cmp_words(BN_ULONG *a, BN_ULONG *b, int n); -\& -\& void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, -\& int nb); -\& void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n); -\& void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, -\& int dna,int dnb,BN_ULONG *tmp); -\& void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, -\& int n, int tna,int tnb, BN_ULONG *tmp); -\& void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, -\& int n2, BN_ULONG *tmp); -\& void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, -\& int n2, BN_ULONG *tmp); -\& -\& void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp); -\& void bn_sqr_recursive(BN_ULONG *r, BN_ULONG *a, int n2, BN_ULONG *tmp); -\& -\& void mul(BN_ULONG r, BN_ULONG a, BN_ULONG w, BN_ULONG c); -\& void mul_add(BN_ULONG r, BN_ULONG a, BN_ULONG w, BN_ULONG c); -\& void sqr(BN_ULONG r0, BN_ULONG r1, BN_ULONG a); -\& -\& BIGNUM *bn_expand(BIGNUM *a, int bits); -\& BIGNUM *bn_wexpand(BIGNUM *a, int n); -\& BIGNUM *bn_expand2(BIGNUM *a, int n); -\& void bn_fix_top(BIGNUM *a); -\& -\& void bn_check_top(BIGNUM *a); -\& void bn_print(BIGNUM *a); -\& void bn_dump(BN_ULONG *d, int n); -\& void bn_set_max(BIGNUM *a); -\& void bn_set_high(BIGNUM *r, BIGNUM *a, int n); -\& void bn_set_low(BIGNUM *r, BIGNUM *a, int n); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This page documents the internal functions used by the OpenSSL -\&\fB\s-1BIGNUM\s0\fR implementation. They are described here to facilitate -debugging and extending the library. They are \fInot\fR to be used by -applications. -.SS "The \s-1BIGNUM\s0 structure" -.IX Subsection "The BIGNUM structure" -.Vb 1 -\& typedef struct bignum_st BIGNUM; -\& -\& struct bignum_st -\& { -\& BN_ULONG *d; /* Pointer to an array of \*(AqBN_BITS2\*(Aq bit chunks. */ -\& int top; /* Index of last used d +1. */ -\& /* The next are internal book keeping for bn_expand. */ -\& int dmax; /* Size of the d array. */ -\& int neg; /* one if the number is negative */ -\& int flags; -\& }; -.Ve -.PP -The integer value is stored in \fBd\fR, a \fImalloc()\fRed array of words (\fB\s-1BN_ULONG\s0\fR), -least significant word first. A \fB\s-1BN_ULONG\s0\fR can be either 16, 32 or 64 bits -in size, depending on the 'number of bits' (\fB\s-1BITS2\s0\fR) specified in -\&\f(CW\*(C`openssl/bn.h\*(C'\fR. -.PP -\&\fBdmax\fR is the size of the \fBd\fR array that has been allocated. \fBtop\fR -is the number of words being used, so for a value of 4, bn.d[0]=4 and -bn.top=1. \fBneg\fR is 1 if the number is negative. When a \fB\s-1BIGNUM\s0\fR is -\&\fB0\fR, the \fBd\fR field can be \fB\s-1NULL\s0\fR and \fBtop\fR == \fB0\fR. -.PP -\&\fBflags\fR is a bit field of flags which are defined in \f(CW\*(C`openssl/bn.h\*(C'\fR. The -flags begin with \fB\s-1BN_FLG_\s0\fR. The macros BN_set_flags(b,n) and -BN_get_flags(b,n) exist to enable or fetch flag(s) \fBn\fR from \fB\s-1BIGNUM\s0\fR -structure \fBb\fR. -.PP -Various routines in this library require the use of temporary -\&\fB\s-1BIGNUM\s0\fR variables during their execution. Since dynamic memory -allocation to create \fB\s-1BIGNUM\s0\fRs is rather expensive when used in -conjunction with repeated subroutine calls, the \fB\s-1BN_CTX\s0\fR structure is -used. This structure contains \fB\s-1BN_CTX_NUM\s0\fR \fB\s-1BIGNUM\s0\fRs, see -\&\fIBN_CTX_start\fR\|(3). -.SS "Low-level arithmetic operations" -.IX Subsection "Low-level arithmetic operations" -These functions are implemented in C and for several platforms in -assembly language: -.PP -bn_mul_words(\fBrp\fR, \fBap\fR, \fBnum\fR, \fBw\fR) operates on the \fBnum\fR word -arrays \fBrp\fR and \fBap\fR. It computes \fBap\fR * \fBw\fR, places the result -in \fBrp\fR, and returns the high word (carry). -.PP -bn_mul_add_words(\fBrp\fR, \fBap\fR, \fBnum\fR, \fBw\fR) operates on the \fBnum\fR -word arrays \fBrp\fR and \fBap\fR. It computes \fBap\fR * \fBw\fR + \fBrp\fR, places -the result in \fBrp\fR, and returns the high word (carry). -.PP -bn_sqr_words(\fBrp\fR, \fBap\fR, \fBn\fR) operates on the \fBnum\fR word array -\&\fBap\fR and the 2*\fBnum\fR word array \fBap\fR. It computes \fBap\fR * \fBap\fR -word-wise, and places the low and high bytes of the result in \fBrp\fR. -.PP -bn_div_words(\fBh\fR, \fBl\fR, \fBd\fR) divides the two word number (\fBh\fR,\fBl\fR) -by \fBd\fR and returns the result. -.PP -bn_add_words(\fBrp\fR, \fBap\fR, \fBbp\fR, \fBnum\fR) operates on the \fBnum\fR word -arrays \fBap\fR, \fBbp\fR and \fBrp\fR. It computes \fBap\fR + \fBbp\fR, places the -result in \fBrp\fR, and returns the high word (carry). -.PP -bn_sub_words(\fBrp\fR, \fBap\fR, \fBbp\fR, \fBnum\fR) operates on the \fBnum\fR word -arrays \fBap\fR, \fBbp\fR and \fBrp\fR. It computes \fBap\fR \- \fBbp\fR, places the -result in \fBrp\fR, and returns the carry (1 if \fBbp\fR > \fBap\fR, 0 -otherwise). -.PP -bn_mul_comba4(\fBr\fR, \fBa\fR, \fBb\fR) operates on the 4 word arrays \fBa\fR and -\&\fBb\fR and the 8 word array \fBr\fR. It computes \fBa\fR*\fBb\fR and places the -result in \fBr\fR. -.PP -bn_mul_comba8(\fBr\fR, \fBa\fR, \fBb\fR) operates on the 8 word arrays \fBa\fR and -\&\fBb\fR and the 16 word array \fBr\fR. It computes \fBa\fR*\fBb\fR and places the -result in \fBr\fR. -.PP -bn_sqr_comba4(\fBr\fR, \fBa\fR, \fBb\fR) operates on the 4 word arrays \fBa\fR and -\&\fBb\fR and the 8 word array \fBr\fR. -.PP -bn_sqr_comba8(\fBr\fR, \fBa\fR, \fBb\fR) operates on the 8 word arrays \fBa\fR and -\&\fBb\fR and the 16 word array \fBr\fR. -.PP -The following functions are implemented in C: -.PP -bn_cmp_words(\fBa\fR, \fBb\fR, \fBn\fR) operates on the \fBn\fR word arrays \fBa\fR -and \fBb\fR. It returns 1, 0 and \-1 if \fBa\fR is greater than, equal and -less than \fBb\fR. -.PP -bn_mul_normal(\fBr\fR, \fBa\fR, \fBna\fR, \fBb\fR, \fBnb\fR) operates on the \fBna\fR -word array \fBa\fR, the \fBnb\fR word array \fBb\fR and the \fBna\fR+\fBnb\fR word -array \fBr\fR. It computes \fBa\fR*\fBb\fR and places the result in \fBr\fR. -.PP -bn_mul_low_normal(\fBr\fR, \fBa\fR, \fBb\fR, \fBn\fR) operates on the \fBn\fR word -arrays \fBr\fR, \fBa\fR and \fBb\fR. It computes the \fBn\fR low words of -\&\fBa\fR*\fBb\fR and places the result in \fBr\fR. -.PP -bn_mul_recursive(\fBr\fR, \fBa\fR, \fBb\fR, \fBn2\fR, \fBdna\fR, \fBdnb\fR, \fBt\fR) operates -on the word arrays \fBa\fR and \fBb\fR of length \fBn2\fR+\fBdna\fR and \fBn2\fR+\fBdnb\fR -(\fBdna\fR and \fBdnb\fR are currently allowed to be 0 or negative) and the 2*\fBn2\fR -word arrays \fBr\fR and \fBt\fR. \fBn2\fR must be a power of 2. It computes -\&\fBa\fR*\fBb\fR and places the result in \fBr\fR. -.PP -bn_mul_part_recursive(\fBr\fR, \fBa\fR, \fBb\fR, \fBn\fR, \fBtna\fR, \fBtnb\fR, \fBtmp\fR) -operates on the word arrays \fBa\fR and \fBb\fR of length \fBn\fR+\fBtna\fR and -\&\fBn\fR+\fBtnb\fR and the 4*\fBn\fR word arrays \fBr\fR and \fBtmp\fR. -.PP -bn_mul_low_recursive(\fBr\fR, \fBa\fR, \fBb\fR, \fBn2\fR, \fBtmp\fR) operates on the -\&\fBn2\fR word arrays \fBr\fR and \fBtmp\fR and the \fBn2\fR/2 word arrays \fBa\fR -and \fBb\fR. -.PP -bn_mul_high(\fBr\fR, \fBa\fR, \fBb\fR, \fBl\fR, \fBn2\fR, \fBtmp\fR) operates on the -\&\fBn2\fR word arrays \fBr\fR, \fBa\fR, \fBb\fR and \fBl\fR (?) and the 3*\fBn2\fR word -array \fBtmp\fR. -.PP -\&\fIBN_mul()\fR calls \fIbn_mul_normal()\fR, or an optimized implementation if the -factors have the same size: \fIbn_mul_comba8()\fR is used if they are 8 -words long, \fIbn_mul_recursive()\fR if they are larger than -\&\fB\s-1BN_MULL_SIZE_NORMAL\s0\fR and the size is an exact multiple of the word -size, and \fIbn_mul_part_recursive()\fR for others that are larger than -\&\fB\s-1BN_MULL_SIZE_NORMAL\s0\fR. -.PP -bn_sqr_normal(\fBr\fR, \fBa\fR, \fBn\fR, \fBtmp\fR) operates on the \fBn\fR word array -\&\fBa\fR and the 2*\fBn\fR word arrays \fBtmp\fR and \fBr\fR. -.PP -The implementations use the following macros which, depending on the -architecture, may use \*(L"long long\*(R" C operations or inline assembler. -They are defined in \f(CW\*(C`bn_lcl.h\*(C'\fR. -.PP -mul(\fBr\fR, \fBa\fR, \fBw\fR, \fBc\fR) computes \fBw\fR*\fBa\fR+\fBc\fR and places the -low word of the result in \fBr\fR and the high word in \fBc\fR. -.PP -mul_add(\fBr\fR, \fBa\fR, \fBw\fR, \fBc\fR) computes \fBw\fR*\fBa\fR+\fBr\fR+\fBc\fR and -places the low word of the result in \fBr\fR and the high word in \fBc\fR. -.PP -sqr(\fBr0\fR, \fBr1\fR, \fBa\fR) computes \fBa\fR*\fBa\fR and places the low word -of the result in \fBr0\fR and the high word in \fBr1\fR. -.SS "Size changes" -.IX Subsection "Size changes" -\&\fIbn_expand()\fR ensures that \fBb\fR has enough space for a \fBbits\fR bit -number. \fIbn_wexpand()\fR ensures that \fBb\fR has enough space for an -\&\fBn\fR word number. If the number has to be expanded, both macros -call \fIbn_expand2()\fR, which allocates a new \fBd\fR array and copies the -data. They return \fB\s-1NULL\s0\fR on error, \fBb\fR otherwise. -.PP -The \fIbn_fix_top()\fR macro reduces \fBa\->top\fR to point to the most -significant non-zero word plus one when \fBa\fR has shrunk. -.SS "Debugging" -.IX Subsection "Debugging" -\&\fIbn_check_top()\fR verifies that \f(CW\*(C`((a)\->top >= 0 && (a)\->top -<= (a)\->dmax)\*(C'\fR. A violation will cause the program to abort. -.PP -\&\fIbn_print()\fR prints \fBa\fR to stderr. \fIbn_dump()\fR prints \fBn\fR words at \fBd\fR -(in reverse order, i.e. most significant word first) to stderr. -.PP -\&\fIbn_set_max()\fR makes \fBa\fR a static number with a \fBdmax\fR of its current size. -This is used by \fIbn_set_low()\fR and \fIbn_set_high()\fR to make \fBr\fR a read-only -\&\fB\s-1BIGNUM\s0\fR that contains the \fBn\fR low or high words of \fBa\fR. -.PP -If \fB\s-1BN_DEBUG\s0\fR is not defined, \fIbn_check_top()\fR, \fIbn_print()\fR, \fIbn_dump()\fR -and \fIbn_set_max()\fR are defined as empty macros. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIbn\fR\|(3) diff --git a/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3 b/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3 deleted file mode 100644 index c1faf1fb6325..000000000000 --- a/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3 +++ /dev/null @@ -1,158 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "d2i_CMS_ContentInfo 3" -.TH d2i_CMS_ContentInfo 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -d2i_CMS_ContentInfo, i2d_CMS_ContentInfo \- CMS ContentInfo functions -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, unsigned char **pp, long length); -\& int i2d_CMS_ContentInfo(CMS_ContentInfo *a, unsigned char **pp); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -These functions decode and encode an \s-1CMS\s0 ContentInfo structure. -.PP -Otherwise they behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR -described in the \fId2i_X509\fR\|(3) manual page. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fId2i_X509\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -These functions were first added to OpenSSL 0.9.8 diff --git a/secure/lib/libcrypto/man/d2i_DHparams.3 b/secure/lib/libcrypto/man/d2i_DHparams.3 index 882a5301aed1..5b298057bc26 100644 --- a/secure/lib/libcrypto/man/d2i_DHparams.3 +++ b/secure/lib/libcrypto/man/d2i_DHparams.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_DHparams 3" -.TH d2i_DHparams 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "D2I_DHPARAMS 3" +.TH D2I_DHPARAMS 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_DHparams, i2d_DHparams \- PKCS#3 DH parameter functions. +d2i_DHparams, i2d_DHparams \- PKCS#3 DH parameter functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -149,11 +149,22 @@ d2i_DHparams, i2d_DHparams \- PKCS#3 DH parameter functions. These functions decode and encode PKCS#3 \s-1DH\s0 parameters using the DHparameter structure described in PKCS#3. .PP -Othewise these behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR +Otherwise these behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR described in the \fId2i_X509\fR\|(3) manual page. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fId2i_DHparams()\fR returns a valid \fB\s-1DH\s0\fR structure or \s-1NULL\s0 if an error occurred. +.PP +\&\fIi2d_DHparams()\fR returns the length of encoded data on success or a value which +is less than or equal to 0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fId2i_X509\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 b/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 deleted file mode 100644 index 82d27e6b0200..000000000000 --- a/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 +++ /dev/null @@ -1,211 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "d2i_DSAPublicKey 3" -.TH d2i_DSAPublicKey 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -d2i_DSAPublicKey, i2d_DSAPublicKey, d2i_DSAPrivateKey, i2d_DSAPrivateKey, -d2i_DSA_PUBKEY, i2d_DSA_PUBKEY, d2i_DSAparams, i2d_DSAparams, d2i_DSA_SIG, i2d_DSA_SIG \- DSA key encoding -and parsing functions. -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 2 -\& #include -\& #include -\& -\& DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length); -\& -\& int i2d_DSAPublicKey(const DSA *a, unsigned char **pp); -\& -\& DSA * d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length); -\& -\& int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp); -\& -\& DSA * d2i_DSAPrivateKey(DSA **a, const unsigned char **pp, long length); -\& -\& int i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); -\& -\& DSA * d2i_DSAparams(DSA **a, const unsigned char **pp, long length); -\& -\& int i2d_DSAparams(const DSA *a, unsigned char **pp); -\& -\& DSA * d2i_DSA_SIG(DSA_SIG **a, const unsigned char **pp, long length); -\& -\& int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fId2i_DSAPublicKey()\fR and \fIi2d_DSAPublicKey()\fR decode and encode the \s-1DSA\s0 public key -components structure. -.PP -\&\fId2i_DSA_PUBKEY()\fR and \fIi2d_DSA_PUBKEY()\fR decode and encode an \s-1DSA\s0 public key using -a SubjectPublicKeyInfo (certificate public key) structure. -.PP -\&\fId2i_DSAPrivateKey()\fR, \fIi2d_DSAPrivateKey()\fR decode and encode the \s-1DSA\s0 private key -components. -.PP -\&\fId2i_DSAparams()\fR, \fIi2d_DSAparams()\fR decode and encode the \s-1DSA\s0 parameters using -a \fBDss-Parms\fR structure as defined in \s-1RFC2459.\s0 -.PP -\&\fId2i_DSA_SIG()\fR, \fIi2d_DSA_SIG()\fR decode and encode a \s-1DSA\s0 signature using a -\&\fBDss-Sig-Value\fR structure as defined in \s-1RFC2459.\s0 -.PP -The usage of all of these functions is similar to the \fId2i_X509()\fR and -\&\fIi2d_X509()\fR described in the \fId2i_X509\fR\|(3) manual page. -.SH "NOTES" -.IX Header "NOTES" -The \fB\s-1DSA\s0\fR structure passed to the private key encoding functions should have -all the private key components present. -.PP -The data encoded by the private key functions is unencrypted and therefore -offers no private key security. -.PP -The \fB\s-1DSA_PUBKEY\s0\fR functions should be used in preference to the \fBDSAPublicKey\fR -functions when encoding public keys because they use a standard format. -.PP -The \fBDSAPublicKey\fR functions use an non standard format the actual data encoded -depends on the value of the \fBwrite_params\fR field of the \fBa\fR key parameter. -If \fBwrite_params\fR is zero then only the \fBpub_key\fR field is encoded as an -\&\fB\s-1INTEGER\s0\fR. If \fBwrite_params\fR is 1 then a \fB\s-1SEQUENCE\s0\fR consisting of the -\&\fBp\fR, \fBq\fR, \fBg\fR and \fBpub_key\fR respectively fields are encoded. -.PP -The \fBDSAPrivateKey\fR functions also use a non standard structure consiting -consisting of a \s-1SEQUENCE\s0 containing the \fBp\fR, \fBq\fR, \fBg\fR and \fBpub_key\fR and -\&\fBpriv_key\fR fields respectively. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fId2i_X509\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 diff --git a/secure/lib/libcrypto/man/d2i_ECPKParameters.3 b/secure/lib/libcrypto/man/d2i_ECPKParameters.3 deleted file mode 100644 index a2b9849f0866..000000000000 --- a/secure/lib/libcrypto/man/d2i_ECPKParameters.3 +++ /dev/null @@ -1,212 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "d2i_ECPKParameters 3" -.TH d2i_ECPKParameters 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -d2i_ECPKParameters, i2d_ECPKParameters, d2i_ECPKParameters_bio, i2d_ECPKParameters_bio, d2i_ECPKParameters_fp, i2d_ECPKParameters_fp, ECPKParameters_print, ECPKParameters_print_fp \- Functions for decoding and encoding ASN1 representations of elliptic curve entities -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& EC_GROUP *d2i_ECPKParameters(EC_GROUP **px, const unsigned char **in, long len); -\& int i2d_ECPKParameters(const EC_GROUP *x, unsigned char **out); -\& #define d2i_ECPKParameters_bio(bp,x) ASN1_d2i_bio_of(EC_GROUP,NULL,d2i_ECPKParameters,bp,x) -\& #define i2d_ECPKParameters_bio(bp,x) ASN1_i2d_bio_of_const(EC_GROUP,i2d_ECPKParameters,bp,x) -\& #define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \e -\& (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x)) -\& #define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \e -\& (unsigned char *)(x)) -\& int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off); -\& int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The ECPKParameters encode and decode routines encode and parse the public parameters for an -\&\fB\s-1EC_GROUP\s0\fR structure, which represents a curve. -.PP -\&\fId2i_ECPKParameters()\fR attempts to decode \fBlen\fR bytes at \fB*in\fR. If -successful a pointer to the \fB\s-1EC_GROUP\s0\fR structure is returned. If an error -occurred then \fB\s-1NULL\s0\fR is returned. If \fBpx\fR is not \fB\s-1NULL\s0\fR then the -returned structure is written to \fB*px\fR. If \fB*px\fR is not \fB\s-1NULL\s0\fR -then it is assumed that \fB*px\fR contains a valid \fB\s-1EC_GROUP\s0\fR -structure and an attempt is made to reuse it. If the call is -successful \fB*in\fR is incremented to the byte following the -parsed data. -.PP -\&\fIi2d_ECPKParameters()\fR encodes the structure pointed to by \fBx\fR into \s-1DER\s0 format. -If \fBout\fR is not \fB\s-1NULL\s0\fR is writes the \s-1DER\s0 encoded data to the buffer -at \fB*out\fR, and increments it to point after the data just written. -If the return value is negative an error occurred, otherwise it -returns the length of the encoded data. -.PP -If \fB*out\fR is \fB\s-1NULL\s0\fR memory will be allocated for a buffer and the encoded -data written to it. In this case \fB*out\fR is not incremented and it points to -the start of the data just written. -.PP -\&\fId2i_ECPKParameters_bio()\fR is similar to \fId2i_ECPKParameters()\fR except it attempts -to parse data from \s-1BIO\s0 \fBbp\fR. -.PP -\&\fId2i_ECPKParameters_fp()\fR is similar to \fId2i_ECPKParameters()\fR except it attempts -to parse data from \s-1FILE\s0 pointer \fBfp\fR. -.PP -\&\fIi2d_ECPKParameters_bio()\fR is similar to \fIi2d_ECPKParameters()\fR except it writes -the encoding of the structure \fBx\fR to \s-1BIO\s0 \fBbp\fR and it -returns 1 for success and 0 for failure. -.PP -\&\fIi2d_ECPKParameters_fp()\fR is similar to \fIi2d_ECPKParameters()\fR except it writes -the encoding of the structure \fBx\fR to \s-1BIO\s0 \fBbp\fR and it -returns 1 for success and 0 for failure. -.PP -These functions are very similar to the X509 functions described in \fId2i_X509\fR\|(3), -where further notes and examples are available. -.PP -The ECPKParameters_print and ECPKParameters_print_fp functions print a human-readable output -of the public parameters of the \s-1EC_GROUP\s0 to \fBbp\fR or \fBfp\fR. The output lines are indented by \fBoff\fR spaces. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\fId2i_ECPKParameters()\fR, \fId2i_ECPKParameters_bio()\fR and \fId2i_ECPKParameters_fp()\fR return a valid \fB\s-1EC_GROUP\s0\fR structure -or \fB\s-1NULL\s0\fR if an error occurs. -.PP -\&\fIi2d_ECPKParameters()\fR returns the number of bytes successfully encoded or a negative -value if an error occurs. -.PP -\&\fIi2d_ECPKParameters_bio()\fR, \fIi2d_ECPKParameters_fp()\fR, ECPKParameters_print and ECPKParameters_print_fp -return 1 for success and 0 if an error occurs. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIec\fR\|(3), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), -\&\fIEC_POINT_new\fR\|(3), \fIEC_POINT_add\fR\|(3), \fIEC_KEY_new\fR\|(3), -\&\fIEC_GFp_simple_method\fR\|(3), \fId2i_X509\fR\|(3) diff --git a/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 b/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 similarity index 73% rename from secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 rename to secure/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 index 7801c63d5bf0..01e93c6a69dd 100644 --- a/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 +++ b/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_PKCS8PrivateKey 3" -.TH d2i_PKCS8PrivateKey 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "D2I_PKCS8PRIVATEKEY_BIO 3" +.TH D2I_PKCS8PRIVATEKEY_BIO 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp, -i2d_PKCS8PrivateKey_bio, i2d_PKCS8PrivateKey_fp, -i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp \- PKCS#8 format private key functions +d2i_PKCS8PrivateKey_bio, d2i_PKCS8PrivateKey_fp, i2d_PKCS8PrivateKey_bio, i2d_PKCS8PrivateKey_fp, i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp \- PKCS#8 format private key functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -147,20 +145,20 @@ i2d_PKCS8PrivateKey_nid_bio, i2d_PKCS8PrivateKey_nid_fp \- PKCS#8 format private \& EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); \& \& int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, -\& char *kstr, int klen, -\& pem_password_cb *cb, void *u); +\& char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& \& int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, -\& char *kstr, int klen, -\& pem_password_cb *cb, void *u); +\& char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& \& int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid, -\& char *kstr, int klen, -\& pem_password_cb *cb, void *u); +\& char *kstr, int klen, +\& pem_password_cb *cb, void *u); \& \& int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid, -\& char *kstr, int klen, -\& pem_password_cb *cb, void *u); +\& char *kstr, int klen, +\& pem_password_cb *cb, void *u); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -168,18 +166,34 @@ The PKCS#8 functions encode and decode private keys in PKCS#8 format using both PKCS#5 v1.5 and PKCS#5 v2.0 password based encryption algorithms. .PP Other than the use of \s-1DER\s0 as opposed to \s-1PEM\s0 these functions are identical to the -corresponding \fB\s-1PEM\s0\fR function as described in the \fIpem\fR\|(3) manual page. +corresponding \fB\s-1PEM\s0\fR function as described in \fIPEM_read_PrivateKey\fR\|(3). .SH "NOTES" .IX Header "NOTES" -Before using these functions \fIOpenSSL_add_all_algorithms\fR\|(3) -should be called to initialize the internal algorithm lookup tables otherwise errors about -unknown algorithms will occur if an attempt is made to decrypt a private key. -.PP These functions are currently the only way to store encrypted private keys using \s-1DER\s0 format. .PP Currently all the functions use BIOs or \s-1FILE\s0 pointers, there are no functions which work directly on memory: this can be readily worked around by converting the buffers to memory BIOs, see \fIBIO_s_mem\fR\|(3) for details. +.PP +These functions make no assumption regarding the pass phrase received from the +password callback. +It will simply be treated as a byte sequence. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fId2i_PKCS8PrivateKey_bio()\fR and \fId2i_PKCS8PrivateKey_fp()\fR return a valid \fB\s-1EVP_PKEY\s0\fR +structure or \s-1NULL\s0 if an error occurred. +.PP +\&\fIi2d_PKCS8PrivateKey_bio()\fR, \fIi2d_PKCS8PrivateKey_fp()\fR, \fIi2d_PKCS8PrivateKey_nid_bio()\fR +and \fIi2d_PKCS8PrivateKey_nid_fp()\fR return 1 on success or 0 on error. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIpem\fR\|(3) +\&\fIPEM_read_PrivateKey\fR\|(3), +\&\fIpassphrase\-encoding\fR\|(7) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_PrivateKey.3 b/secure/lib/libcrypto/man/d2i_PrivateKey.3 index 2bc89cc26406..0eac8647bf4c 100644 --- a/secure/lib/libcrypto/man/d2i_PrivateKey.3 +++ b/secure/lib/libcrypto/man/d2i_PrivateKey.3 @@ -128,15 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_PrivateKey 3" -.TH d2i_PrivateKey 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "D2I_PRIVATEKEY 3" +.TH D2I_PRIVATEKEY 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_Private_key, d2i_AutoPrivateKey, i2d_PrivateKey \- decode and encode -functions for reading and saving EVP_PKEY structures. +d2i_PrivateKey, d2i_PublicKey, d2i_AutoPrivateKey, i2d_PrivateKey, i2d_PublicKey, d2i_PrivateKey_bio, d2i_PrivateKey_fp \&\- decode and encode functions for reading and saving EVP_PKEY structures .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -144,9 +143,15 @@ functions for reading and saving EVP_PKEY structures. \& \& EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, \& long length); +\& EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, +\& long length); \& EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **a, const unsigned char **pp, \& long length); \& int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp); +\& int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp); +\& +\& EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); +\& EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a) .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -154,20 +159,21 @@ functions for reading and saving EVP_PKEY structures. use any key specific format or PKCS#8 unencrypted PrivateKeyInfo format. The \&\fBtype\fR parameter should be a public key algorithm constant such as \&\fB\s-1EVP_PKEY_RSA\s0\fR. An error occurs if the decoded key does not match \fBtype\fR. +\&\fId2i_PublicKey()\fR does the same for public keys. .PP \&\fId2i_AutoPrivateKey()\fR is similar to \fId2i_PrivateKey()\fR except it attempts to automatically detect the private key format. .PP \&\fIi2d_PrivateKey()\fR encodes \fBkey\fR. It uses a key specific format or, if none is defined for that key type, PKCS#8 unencrypted PrivateKeyInfo format. +\&\fIi2d_PublicKey()\fR does the same for public keys. .PP -These functions are similar to the \fId2i_X509()\fR functions, and you should refer to -that page for a detailed description (see \fId2i_X509\fR\|(3)). +These functions are similar to the \fId2i_X509()\fR functions; see \fId2i_X509\fR\|(3). .SH "NOTES" .IX Header "NOTES" All these functions use \s-1DER\s0 format and unencrypted keys. Applications wishing to encrypt or decrypt private keys should use other functions such as -\&\fId2i_PKC8PrivateKey()\fR instead. +\&\fId2i_PKCS8PrivateKey()\fR instead. .PP If the \fB*a\fR is not \s-1NULL\s0 when calling \fId2i_PrivateKey()\fR or \fId2i_AutoPrivateKey()\fR (i.e. an existing structure is being reused) and the key format is PKCS#8 @@ -183,5 +189,13 @@ negative value if an error occurs. The error code can be obtained by calling \&\fIERR_get_error\fR\|(3). .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), -\&\fId2i_PKCS8PrivateKey\fR\|(3) +\&\fIcrypto\fR\|(7), +\&\fId2i_PKCS8PrivateKey_bio\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_SSL_SESSION.3 b/secure/lib/libcrypto/man/d2i_SSL_SESSION.3 new file mode 100644 index 000000000000..fd1ff1303b4e --- /dev/null +++ b/secure/lib/libcrypto/man/d2i_SSL_SESSION.3 @@ -0,0 +1,178 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "D2I_SSL_SESSION 3" +.TH D2I_SSL_SESSION 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +d2i_SSL_SESSION, i2d_SSL_SESSION \- convert SSL_SESSION object from/to ASN1 representation +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, +\& long length); +\& int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +These functions decode and encode an \s-1SSL_SESSION\s0 object. +For encoding details see \fId2i_X509\fR\|(3). +.PP +\&\s-1SSL_SESSION\s0 objects keep internal link information about the session cache +list, when being inserted into one \s-1SSL_CTX\s0 object's session cache. +One \s-1SSL_SESSION\s0 object, regardless of its reference count, must therefore +only be used with one \s-1SSL_CTX\s0 object (and the \s-1SSL\s0 objects created +from this \s-1SSL_CTX\s0 object). +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fId2i_SSL_SESSION()\fR returns a pointer to the newly allocated \s-1SSL_SESSION\s0 +object. In case of failure the NULL-pointer is returned and the error message +can be retrieved from the error stack. +.PP +\&\fIi2d_SSL_SESSION()\fR returns the size of the \s-1ASN1\s0 representation in bytes. +When the session is not valid, \fB0\fR is returned and no operation is performed. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIssl\fR\|(7), \fISSL_SESSION_free\fR\|(3), +\&\fISSL_CTX_sess_set_get_cb\fR\|(3), +\&\fId2i_X509\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/d2i_X509.3 b/secure/lib/libcrypto/man/d2i_X509.3 index e08c629c11a2..dcfd42bf6672 100644 --- a/secure/lib/libcrypto/man/d2i_X509.3 +++ b/secure/lib/libcrypto/man/d2i_X509.3 @@ -128,189 +128,178 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_X509 3" -.TH d2i_X509 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "D2I_X509 3" +.TH D2I_X509 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio, -i2d_X509_fp \- X509 encode and decode functions +d2i_ACCESS_DESCRIPTION, d2i_ADMISSIONS, d2i_ADMISSION_SYNTAX, d2i_ASIdOrRange, d2i_ASIdentifierChoice, d2i_ASIdentifiers, d2i_ASN1_BIT_STRING, d2i_ASN1_BMPSTRING, d2i_ASN1_ENUMERATED, d2i_ASN1_GENERALIZEDTIME, d2i_ASN1_GENERALSTRING, d2i_ASN1_IA5STRING, d2i_ASN1_INTEGER, d2i_ASN1_NULL, d2i_ASN1_OBJECT, d2i_ASN1_OCTET_STRING, d2i_ASN1_PRINTABLE, d2i_ASN1_PRINTABLESTRING, d2i_ASN1_SEQUENCE_ANY, d2i_ASN1_SET_ANY, d2i_ASN1_T61STRING, d2i_ASN1_TIME, d2i_ASN1_TYPE, d2i_ASN1_UINTEGER, d2i_ASN1_UNIVERSALSTRING, d2i_ASN1_UTCTIME, d2i_ASN1_UTF8STRING, d2i_ASN1_VISIBLESTRING, d2i_ASRange, d2i_AUTHORITY_INFO_ACCESS, d2i_AUTHORITY_KEYID, d2i_BASIC_CONSTRAINTS, d2i_CERTIFICATEPOLICIES, d2i_CMS_ContentInfo, d2i_CMS_ReceiptRequest, d2i_CMS_bio, d2i_CRL_DIST_POINTS, d2i_DHxparams, d2i_DIRECTORYSTRING, d2i_DISPLAYTEXT, d2i_DIST_POINT, d2i_DIST_POINT_NAME, d2i_DSAPrivateKey, d2i_DSAPrivateKey_bio, d2i_DSAPrivateKey_fp, d2i_DSAPublicKey, d2i_DSA_PUBKEY, d2i_DSA_PUBKEY_bio, d2i_DSA_PUBKEY_fp, d2i_DSA_SIG, d2i_DSAparams, d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio, d2i_ECPrivateKey_fp, d2i_EC_PUBKEY, d2i_EC_PUBKEY_bio, d2i_EC_PUBKEY_fp, d2i_EDIPARTYNAME, d2i_ESS_CERT_ID, d2i_ESS_ISSUER_SERIAL, d2i_ESS_SIGNING_CERT, d2i_EXTENDED_KEY_USAGE, d2i_GENERAL_NAME, d2i_GENERAL_NAMES, d2i_IPAddressChoice, d2i_IPAddressFamily, d2i_IPAddressOrRange, d2i_IPAddressRange, d2i_ISSUING_DIST_POINT, d2i_NAMING_AUTHORITY, d2i_NETSCAPE_CERT_SEQUENCE, d2i_NETSCAPE_SPKAC, d2i_NETSCAPE_SPKI, d2i_NOTICEREF, d2i_OCSP_BASICRESP, d2i_OCSP_CERTID, d2i_OCSP_CERTSTATUS, d2i_OCSP_CRLID, d2i_OCSP_ONEREQ, d2i_OCSP_REQINFO, d2i_OCSP_REQUEST, d2i_OCSP_RESPBYTES, d2i_OCSP_RESPDATA, d2i_OCSP_RESPID, d2i_OCSP_RESPONSE, d2i_OCSP_REVOKEDINFO, d2i_OCSP_SERVICELOC, d2i_OCSP_SIGNATURE, d2i_OCSP_SINGLERESP, d2i_OTHERNAME, d2i_PBE2PARAM, d2i_PBEPARAM, d2i_PBKDF2PARAM, d2i_PKCS12, d2i_PKCS12_BAGS, d2i_PKCS12_MAC_DATA, d2i_PKCS12_SAFEBAG, d2i_PKCS12_bio, d2i_PKCS12_fp, d2i_PKCS7, d2i_PKCS7_DIGEST, d2i_PKCS7_ENCRYPT, d2i_PKCS7_ENC_CONTENT, d2i_PKCS7_ENVELOPE, d2i_PKCS7_ISSUER_AND_SERIAL, d2i_PKCS7_RECIP_INFO, d2i_PKCS7_SIGNED, d2i_PKCS7_SIGNER_INFO, d2i_PKCS7_SIGN_ENVELOPE, d2i_PKCS7_bio, d2i_PKCS7_fp, d2i_PKCS8_PRIV_KEY_INFO, d2i_PKCS8_PRIV_KEY_INFO_bio, d2i_PKCS8_PRIV_KEY_INFO_fp, d2i_PKCS8_bio, d2i_PKCS8_fp, d2i_PKEY_USAGE_PERIOD, d2i_POLICYINFO, d2i_POLICYQUALINFO, d2i_PROFESSION_INFO, d2i_PROXY_CERT_INFO_EXTENSION, d2i_PROXY_POLICY, d2i_RSAPrivateKey, d2i_RSAPrivateKey_bio, d2i_RSAPrivateKey_fp, d2i_RSAPublicKey, d2i_RSAPublicKey_bio, d2i_RSAPublicKey_fp, d2i_RSA_OAEP_PARAMS, d2i_RSA_PSS_PARAMS, d2i_RSA_PUBKEY, d2i_RSA_PUBKEY_bio, d2i_RSA_PUBKEY_fp, d2i_SCRYPT_PARAMS, d2i_SCT_LIST, d2i_SXNET, d2i_SXNETID, d2i_TS_ACCURACY, d2i_TS_MSG_IMPRINT, d2i_TS_MSG_IMPRINT_bio, d2i_TS_MSG_IMPRINT_fp, d2i_TS_REQ, d2i_TS_REQ_bio, d2i_TS_REQ_fp, d2i_TS_RESP, d2i_TS_RESP_bio, d2i_TS_RESP_fp, d2i_TS_STATUS_INFO, d2i_TS_TST_INFO, d2i_TS_TST_INFO_bio, d2i_TS_TST_INFO_fp, d2i_USERNOTICE, d2i_X509, d2i_X509_ALGOR, d2i_X509_ALGORS, d2i_X509_ATTRIBUTE, d2i_X509_CERT_AUX, d2i_X509_CINF, d2i_X509_CRL, d2i_X509_CRL_INFO, d2i_X509_CRL_bio, d2i_X509_CRL_fp, d2i_X509_EXTENSION, d2i_X509_EXTENSIONS, d2i_X509_NAME, d2i_X509_NAME_ENTRY, d2i_X509_PUBKEY, d2i_X509_REQ, d2i_X509_REQ_INFO, d2i_X509_REQ_bio, d2i_X509_REQ_fp, d2i_X509_REVOKED, d2i_X509_SIG, d2i_X509_VAL, i2d_ACCESS_DESCRIPTION, i2d_ADMISSIONS, i2d_ADMISSION_SYNTAX, i2d_ASIdOrRange, i2d_ASIdentifierChoice, i2d_ASIdentifiers, i2d_ASN1_BIT_STRING, i2d_ASN1_BMPSTRING, i2d_ASN1_ENUMERATED, i2d_ASN1_GENERALIZEDTIME, i2d_ASN1_GENERALSTRING, i2d_ASN1_IA5STRING, i2d_ASN1_INTEGER, i2d_ASN1_NULL, i2d_ASN1_OBJECT, i2d_ASN1_OCTET_STRING, i2d_ASN1_PRINTABLE, i2d_ASN1_PRINTABLESTRING, i2d_ASN1_SEQUENCE_ANY, i2d_ASN1_SET_ANY, i2d_ASN1_T61STRING, i2d_ASN1_TIME, i2d_ASN1_TYPE, i2d_ASN1_UNIVERSALSTRING, i2d_ASN1_UTCTIME, i2d_ASN1_UTF8STRING, i2d_ASN1_VISIBLESTRING, i2d_ASN1_bio_stream, i2d_ASRange, i2d_AUTHORITY_INFO_ACCESS, i2d_AUTHORITY_KEYID, i2d_BASIC_CONSTRAINTS, i2d_CERTIFICATEPOLICIES, i2d_CMS_ContentInfo, i2d_CMS_ReceiptRequest, i2d_CMS_bio, i2d_CRL_DIST_POINTS, i2d_DHxparams, i2d_DIRECTORYSTRING, i2d_DISPLAYTEXT, i2d_DIST_POINT, i2d_DIST_POINT_NAME, i2d_DSAPrivateKey, i2d_DSAPrivateKey_bio, i2d_DSAPrivateKey_fp, i2d_DSAPublicKey, i2d_DSA_PUBKEY, i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY_fp, i2d_DSA_SIG, i2d_DSAparams, i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, i2d_ECPrivateKey_bio, i2d_ECPrivateKey_fp, i2d_EC_PUBKEY, i2d_EC_PUBKEY_bio, i2d_EC_PUBKEY_fp, i2d_EDIPARTYNAME, i2d_ESS_CERT_ID, i2d_ESS_ISSUER_SERIAL, i2d_ESS_SIGNING_CERT, i2d_EXTENDED_KEY_USAGE, i2d_GENERAL_NAME, i2d_GENERAL_NAMES, i2d_IPAddressChoice, i2d_IPAddressFamily, i2d_IPAddressOrRange, i2d_IPAddressRange, i2d_ISSUING_DIST_POINT, i2d_NAMING_AUTHORITY, i2d_NETSCAPE_CERT_SEQUENCE, i2d_NETSCAPE_SPKAC, i2d_NETSCAPE_SPKI, i2d_NOTICEREF, i2d_OCSP_BASICRESP, i2d_OCSP_CERTID, i2d_OCSP_CERTSTATUS, i2d_OCSP_CRLID, i2d_OCSP_ONEREQ, i2d_OCSP_REQINFO, i2d_OCSP_REQUEST, i2d_OCSP_RESPBYTES, i2d_OCSP_RESPDATA, i2d_OCSP_RESPID, i2d_OCSP_RESPONSE, i2d_OCSP_REVOKEDINFO, i2d_OCSP_SERVICELOC, i2d_OCSP_SIGNATURE, i2d_OCSP_SINGLERESP, i2d_OTHERNAME, i2d_PBE2PARAM, i2d_PBEPARAM, i2d_PBKDF2PARAM, i2d_PKCS12, i2d_PKCS12_BAGS, i2d_PKCS12_MAC_DATA, i2d_PKCS12_SAFEBAG, i2d_PKCS12_bio, i2d_PKCS12_fp, i2d_PKCS7, i2d_PKCS7_DIGEST, i2d_PKCS7_ENCRYPT, i2d_PKCS7_ENC_CONTENT, i2d_PKCS7_ENVELOPE, i2d_PKCS7_ISSUER_AND_SERIAL, i2d_PKCS7_NDEF, i2d_PKCS7_RECIP_INFO, i2d_PKCS7_SIGNED, i2d_PKCS7_SIGNER_INFO, i2d_PKCS7_SIGN_ENVELOPE, i2d_PKCS7_bio, i2d_PKCS7_fp, i2d_PKCS8PrivateKeyInfo_bio, i2d_PKCS8PrivateKeyInfo_fp, i2d_PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO_bio, i2d_PKCS8_PRIV_KEY_INFO_fp, i2d_PKCS8_bio, i2d_PKCS8_fp, i2d_PKEY_USAGE_PERIOD, i2d_POLICYINFO, i2d_POLICYQUALINFO, i2d_PROFESSION_INFO, i2d_PROXY_CERT_INFO_EXTENSION, i2d_PROXY_POLICY, i2d_PublicKey, i2d_RSAPrivateKey, i2d_RSAPrivateKey_bio, i2d_RSAPrivateKey_fp, i2d_RSAPublicKey, i2d_RSAPublicKey_bio, i2d_RSAPublicKey_fp, i2d_RSA_OAEP_PARAMS, i2d_RSA_PSS_PARAMS, i2d_RSA_PUBKEY, i2d_RSA_PUBKEY_bio, i2d_RSA_PUBKEY_fp, i2d_SCRYPT_PARAMS, i2d_SCT_LIST, i2d_SXNET, i2d_SXNETID, i2d_TS_ACCURACY, i2d_TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT_bio, i2d_TS_MSG_IMPRINT_fp, i2d_TS_REQ, i2d_TS_REQ_bio, i2d_TS_REQ_fp, i2d_TS_RESP, i2d_TS_RESP_bio, i2d_TS_RESP_fp, i2d_TS_STATUS_INFO, i2d_TS_TST_INFO, i2d_TS_TST_INFO_bio, i2d_TS_TST_INFO_fp, i2d_USERNOTICE, i2d_X509, i2d_X509_ALGOR, i2d_X509_ALGORS, i2d_X509_ATTRIBUTE, i2d_X509_CERT_AUX, i2d_X509_CINF, i2d_X509_CRL, i2d_X509_CRL_INFO, i2d_X509_CRL_bio, i2d_X509_CRL_fp, i2d_X509_EXTENSION, i2d_X509_EXTENSIONS, i2d_X509_NAME, i2d_X509_NAME_ENTRY, i2d_X509_PUBKEY, i2d_X509_REQ, i2d_X509_REQ_INFO, i2d_X509_REQ_bio, i2d_X509_REQ_fp, i2d_X509_REVOKED, i2d_X509_SIG, i2d_X509_VAL, \&\- convert objects from/to ASN.1/DER representation .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 1 -\& #include +.Vb 3 +\& TYPE *d2i_TYPE(TYPE **a, unsigned char **ppin, long length); +\& TYPE *d2i_TYPE_bio(BIO *bp, TYPE **a); +\& TYPE *d2i_TYPE_fp(FILE *fp, TYPE **a); \& -\& X509 *d2i_X509(X509 **px, const unsigned char **in, long len); -\& X509 *d2i_X509_AUX(X509 **px, const unsigned char **in, long len); -\& int i2d_X509(X509 *x, unsigned char **out); -\& int i2d_X509_AUX(X509 *x, unsigned char **out); -\& -\& X509 *d2i_X509_bio(BIO *bp, X509 **x); -\& X509 *d2i_X509_fp(FILE *fp, X509 **x); -\& -\& int i2d_X509_bio(BIO *bp, X509 *x); -\& int i2d_X509_fp(FILE *fp, X509 *x); -\& -\& int i2d_re_X509_tbs(X509 *x, unsigned char **out); +\& int i2d_TYPE(TYPE *a, unsigned char **ppout); +\& int i2d_TYPE_fp(FILE *fp, TYPE *a); +\& int i2d_TYPE_bio(BIO *bp, TYPE *a); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The X509 encode and decode routines encode and parse an -\&\fBX509\fR structure, which represents an X509 certificate. +In the description here, \fI\s-1TYPE\s0\fR is used a placeholder +for any of the OpenSSL datatypes, such as \fIX509_CRL\fR. +The function parameters \fIppin\fR and \fIppout\fR are generally +either both named \fIpp\fR in the headers, or \fIin\fR and \fIout\fR. .PP -\&\fId2i_X509()\fR attempts to decode \fBlen\fR bytes at \fB*in\fR. If -successful a pointer to the \fBX509\fR structure is returned. If an error -occurred then \fB\s-1NULL\s0\fR is returned. If \fBpx\fR is not \fB\s-1NULL\s0\fR then the -returned structure is written to \fB*px\fR. If \fB*px\fR is not \fB\s-1NULL\s0\fR -then it is assumed that \fB*px\fR contains a valid \fBX509\fR -structure and an attempt is made to reuse it. This \*(L"reuse\*(R" capability is present -for historical compatibility but its use is \fBstrongly discouraged\fR (see \s-1BUGS\s0 -below, and the discussion in the \s-1RETURN VALUES\s0 section). +These functions convert OpenSSL objects to and from their \s-1ASN.1/DER\s0 +encoding. Unlike the C structures which can have pointers to sub-objects +within, the \s-1DER\s0 is a serialized encoding, suitable for sending over the +network, writing to a file, and so on. .PP -If the call is successful \fB*in\fR is incremented to the byte following the -parsed data. +\&\fId2i_TYPE()\fR attempts to decode \fBlen\fR bytes at \fB*ppin\fR. If successful a +pointer to the \fB\s-1TYPE\s0\fR structure is returned and \fB*ppin\fR is incremented to +the byte following the parsed data. If \fBa\fR is not \fB\s-1NULL\s0\fR then a pointer +to the returned structure is also written to \fB*a\fR. If an error occurred +then \fB\s-1NULL\s0\fR is returned. .PP -\&\fId2i_X509_AUX()\fR is similar to \fId2i_X509()\fR but the input is expected to consist of -an X509 certificate followed by auxiliary trust information. -This is used by the \s-1PEM\s0 routines to read \*(L"\s-1TRUSTED CERTIFICATE\*(R"\s0 objects. -This function should not be called on untrusted input. +On a successful return, if \fB*a\fR is not \fB\s-1NULL\s0\fR then it is assumed that \fB*a\fR +contains a valid \fB\s-1TYPE\s0\fR structure and an attempt is made to reuse it. This +\&\*(L"reuse\*(R" capability is present for historical compatibility but its use is +\&\fBstrongly discouraged\fR (see \s-1BUGS\s0 below, and the discussion in the \s-1RETURN +VALUES\s0 section). .PP -\&\fIi2d_X509()\fR encodes the structure pointed to by \fBx\fR into \s-1DER\s0 format. -If \fBout\fR is not \fB\s-1NULL\s0\fR is writes the \s-1DER\s0 encoded data to the buffer -at \fB*out\fR, and increments it to point after the data just written. +\&\fId2i_TYPE_bio()\fR is similar to \fId2i_TYPE()\fR except it attempts +to parse data from \s-1BIO\s0 \fBbp\fR. +.PP +\&\fId2i_TYPE_fp()\fR is similar to \fId2i_TYPE()\fR except it attempts +to parse data from \s-1FILE\s0 pointer \fBfp\fR. +.PP +\&\fIi2d_TYPE()\fR encodes the structure pointed to by \fBa\fR into \s-1DER\s0 format. +If \fBppout\fR is not \fB\s-1NULL\s0\fR, it writes the \s-1DER\s0 encoded data to the buffer +at \fB*ppout\fR, and increments it to point after the data just written. If the return value is negative an error occurred, otherwise it returns the length of the encoded data. .PP -For OpenSSL 0.9.7 and later if \fB*out\fR is \fB\s-1NULL\s0\fR memory will be -allocated for a buffer and the encoded data written to it. In this -case \fB*out\fR is not incremented and it points to the start of the -data just written. +If \fB*ppout\fR is \fB\s-1NULL\s0\fR memory will be allocated for a buffer and the encoded +data written to it. In this case \fB*ppout\fR is not incremented and it points +to the start of the data just written. .PP -\&\fIi2d_X509_AUX()\fR is similar to \fIi2d_X509()\fR, but the encoded output contains both -the certificate and any auxiliary trust information. -This is used by the \s-1PEM\s0 routines to write \*(L"\s-1TRUSTED CERTIFICATE\*(R"\s0 objects. -Note, this is a non-standard OpenSSL-specific data format. -.PP -\&\fId2i_X509_bio()\fR is similar to \fId2i_X509()\fR except it attempts -to parse data from \s-1BIO\s0 \fBbp\fR. -.PP -\&\fId2i_X509_fp()\fR is similar to \fId2i_X509()\fR except it attempts -to parse data from \s-1FILE\s0 pointer \fBfp\fR. -.PP -\&\fIi2d_X509_bio()\fR is similar to \fIi2d_X509()\fR except it writes -the encoding of the structure \fBx\fR to \s-1BIO\s0 \fBbp\fR and it +\&\fIi2d_TYPE_bio()\fR is similar to \fIi2d_TYPE()\fR except it writes +the encoding of the structure \fBa\fR to \s-1BIO\s0 \fBbp\fR and it returns 1 for success and 0 for failure. .PP -\&\fIi2d_X509_fp()\fR is similar to \fIi2d_X509()\fR except it writes -the encoding of the structure \fBx\fR to \s-1BIO\s0 \fBbp\fR and it +\&\fIi2d_TYPE_fp()\fR is similar to \fIi2d_TYPE()\fR except it writes +the encoding of the structure \fBa\fR to \s-1BIO\s0 \fBbp\fR and it returns 1 for success and 0 for failure. .PP -\&\fIi2d_re_X509_tbs()\fR is similar to \fIi2d_X509()\fR except it encodes -only the TBSCertificate portion of the certificate. +These routines do not encrypt private keys and therefore offer no +security; use \fIPEM_write_PrivateKey\fR\|(3) or similar for writing to files. .SH "NOTES" .IX Header "NOTES" -The letters \fBi\fR and \fBd\fR in for example \fBi2d_X509\fR stand for -\&\*(L"internal\*(R" (that is an internal C structure) and \*(L"\s-1DER\*(R".\s0 So -\&\fBi2d_X509\fR converts from internal to \s-1DER.\s0 The \*(L"re\*(R" in -\&\fBi2d_re_X509_tbs\fR stands for \*(L"re-encode\*(R", and ensures that a fresh -encoding is generated in case the object has been modified after -creation (see the \s-1BUGS\s0 section). +The letters \fBi\fR and \fBd\fR in \fBi2d_TYPE\fR stand for +\&\*(L"internal\*(R" (that is, an internal C structure) and \*(L"\s-1DER\*(R"\s0 respectively. +So \fBi2d_TYPE\fR converts from internal to \s-1DER.\s0 .PP The functions can also understand \fB\s-1BER\s0\fR forms. .PP -The actual X509 structure passed to \fIi2d_X509()\fR must be a valid -populated \fBX509\fR structure it can \fBnot\fR simply be fed with an -empty structure such as that returned by \fIX509_new()\fR. +The actual \s-1TYPE\s0 structure passed to \fIi2d_TYPE()\fR must be a valid +populated \fB\s-1TYPE\s0\fR structure \*(-- it \fBcannot\fR simply be fed with an +empty structure such as that returned by \fITYPE_new()\fR. .PP The encoded data is in binary form and may contain embedded zeroes. Therefore any \s-1FILE\s0 pointers or BIOs should be opened in binary mode. -Functions such as \fB\f(BIstrlen()\fB\fR will \fBnot\fR return the correct length +Functions such as \fIstrlen()\fR will \fBnot\fR return the correct length of the encoded structure. .PP -The ways that \fB*in\fR and \fB*out\fR are incremented after the operation +The ways that \fB*ppin\fR and \fB*ppout\fR are incremented after the operation can trap the unwary. See the \fB\s-1WARNINGS\s0\fR section for some common errors. -.PP -The reason for the auto increment behaviour is to reflect a typical +The reason for this-auto increment behaviour is to reflect a typical usage of \s-1ASN1\s0 functions: after one structure is encoded or decoded -another will processed after it. +another will be processed after it. +.PP +The following points about the data types might be useful: +.IP "\fB\s-1ASN1_OBJECT\s0\fR" 4 +.IX Item "ASN1_OBJECT" +Represents an \s-1ASN1 OBJECT IDENTIFIER.\s0 +.IP "\fBDHparams\fR" 4 +.IX Item "DHparams" +Represents a PKCS#3 \s-1DH\s0 parameters structure. +.IP "\fBDHparamx\fR" 4 +.IX Item "DHparamx" +Represents an \s-1ANSI X9.42 DH\s0 parameters structure. +.IP "\fB\s-1DSA_PUBKEY\s0\fR" 4 +.IX Item "DSA_PUBKEY" +Represents a \s-1DSA\s0 public key using a \fBSubjectPublicKeyInfo\fR structure. +.IP "\fBDSAPublicKey, DSAPrivateKey\fR" 4 +.IX Item "DSAPublicKey, DSAPrivateKey" +Use a non-standard OpenSSL format and should be avoided; use \fB\s-1DSA_PUBKEY\s0\fR, +\&\fB\f(BIPEM_write_PrivateKey\fB\|(3)\fR, or similar instead. +.IP "\fBRSAPublicKey\fR" 4 +.IX Item "RSAPublicKey" +Represents a PKCS#1 \s-1RSA\s0 public key structure. +.IP "\fBX509_ALGOR\fR" 4 +.IX Item "X509_ALGOR" +Represents an \fBAlgorithmIdentifier\fR structure as used in \s-1IETF RFC 6960\s0 and +elsewhere. +.IP "\fBX509_Name\fR" 4 +.IX Item "X509_Name" +Represents a \fBName\fR type as used for subject and issuer names in +\&\s-1IETF RFC 6960\s0 and elsewhere. +.IP "\fBX509_REQ\fR" 4 +.IX Item "X509_REQ" +Represents a PKCS#10 certificate request. +.IP "\fBX509_SIG\fR" 4 +.IX Item "X509_SIG" +Represents the \fBDigestInfo\fR structure defined in PKCS#1 and PKCS#7. .SH "EXAMPLES" .IX Header "EXAMPLES" Allocate and encode the \s-1DER\s0 encoding of an X509 structure: .PP .Vb 2 \& int len; -\& unsigned char *buf, *p; -\& -\& len = i2d_X509(x, NULL); -\& -\& buf = OPENSSL_malloc(len); -\& -\& if (buf == NULL) -\& /* error */ -\& -\& p = buf; -\& -\& i2d_X509(x, &p); -.Ve -.PP -If you are using OpenSSL 0.9.7 or later then this can be -simplified to: -.PP -.Vb 2 -\& int len; \& unsigned char *buf; \& \& buf = NULL; -\& \& len = i2d_X509(x, &buf); -\& \& if (len < 0) -\& /* error */ +\& /* error */ .Ve .PP Attempt to decode a buffer: .PP -.Vb 1 +.Vb 3 \& X509 *x; -\& \& unsigned char *buf, *p; -\& \& int len; \& -\& /* Something to setup buf and len */ -\& +\& /* Set up buf and len to point to the input buffer. */ \& p = buf; -\& \& x = d2i_X509(NULL, &p, len); -\& \& if (x == NULL) -\& /* Some error */ +\& /* error */ .Ve .PP Alternative technique: .PP -.Vb 1 +.Vb 3 \& X509 *x; -\& \& unsigned char *buf, *p; -\& \& int len; \& -\& /* Something to setup buf and len */ -\& +\& /* Set up buf and len to point to the input buffer. */ \& p = buf; -\& \& x = NULL; \& -\& if(!d2i_X509(&x, &p, len)) -\& /* Some error */ +\& if (d2i_X509(&x, &p, len) == NULL) +\& /* error */ .Ve .SH "WARNINGS" .IX Header "WARNINGS" -The use of temporary variable is mandatory. A common +Using a temporary variable is mandatory. A common mistake is to attempt to use a buffer directly as follows: .PP .Vb 2 @@ -318,89 +307,68 @@ mistake is to attempt to use a buffer directly as follows: \& unsigned char *buf; \& \& len = i2d_X509(x, NULL); -\& \& buf = OPENSSL_malloc(len); -\& -\& if (buf == NULL) -\& /* error */ -\& +\& ... \& i2d_X509(x, &buf); -\& -\& /* Other stuff ... */ -\& +\& ... \& OPENSSL_free(buf); .Ve .PP This code will result in \fBbuf\fR apparently containing garbage because it was incremented after the call to point after the data just written. -Also \fBbuf\fR will no longer contain the pointer allocated by \fB\f(BIOPENSSL_malloc()\fB\fR -and the subsequent call to \fB\f(BIOPENSSL_free()\fB\fR may well crash. +Also \fBbuf\fR will no longer contain the pointer allocated by \fIOPENSSL_malloc()\fR +and the subsequent call to \fIOPENSSL_free()\fR is likely to crash. .PP -The auto allocation feature (setting buf to \s-1NULL\s0) only works on OpenSSL -0.9.7 and later. Attempts to use it on earlier versions will typically -cause a segmentation violation. -.PP -Another trap to avoid is misuse of the \fBxp\fR argument to \fB\f(BId2i_X509()\fB\fR: +Another trap to avoid is misuse of the \fBa\fR argument to \fId2i_TYPE()\fR: .PP .Vb 1 \& X509 *x; \& -\& if (!d2i_X509(&x, &p, len)) -\& /* Some error */ +\& if (d2i_X509(&x, &p, len) == NULL) +\& /* error */ .Ve .PP -This will probably crash somewhere in \fB\f(BId2i_X509()\fB\fR. The reason for this +This will probably crash somewhere in \fId2i_X509()\fR. The reason for this is that the variable \fBx\fR is uninitialized and an attempt will be made to interpret its (invalid) value as an \fBX509\fR structure, typically causing a segmentation violation. If \fBx\fR is set to \s-1NULL\s0 first then this will not happen. .SH "BUGS" .IX Header "BUGS" -In some versions of OpenSSL the \*(L"reuse\*(R" behaviour of \fId2i_X509()\fR when +In some versions of OpenSSL the \*(L"reuse\*(R" behaviour of \fId2i_TYPE()\fR when \&\fB*px\fR is valid is broken and some parts of the reused structure may persist if they are not present in the new one. As a result the use of this \*(L"reuse\*(R" behaviour is strongly discouraged. .PP -\&\fIi2d_X509()\fR will not return an error in many versions of OpenSSL, +\&\fIi2d_TYPE()\fR will not return an error in many versions of OpenSSL, if mandatory fields are not initialized due to a programming error then the encoded structure may contain invalid data or omit the -fields entirely and will not be parsed by \fId2i_X509()\fR. This may be -fixed in future so code should not assume that \fIi2d_X509()\fR will +fields entirely and will not be parsed by \fId2i_TYPE()\fR. This may be +fixed in future so code should not assume that \fIi2d_TYPE()\fR will always succeed. .PP -The encoding of the TBSCertificate portion of a certificate is cached -in the \fBX509\fR structure internally to improve encoding performance -and to ensure certificate signatures are verified correctly in some -certificates with broken (non-DER) encodings. -.PP -Any function which encodes an X509 structure such as \fIi2d_X509()\fR, -\&\fIi2d_X509_fp()\fR or \fIi2d_X509_bio()\fR may return a stale encoding if the -\&\fBX509\fR structure has been modified after deserialization or previous -serialization. -.PP -If, after modification, the \fBX509\fR object is re-signed with \fIX509_sign()\fR, -the encoding is automatically renewed. Otherwise, the encoding of the -TBSCertificate portion of the \fBX509\fR can be manually renewed by calling -\&\fIi2d_re_X509_tbs()\fR. +Any function which encodes a structure (\fIi2d_TYPE()\fR, +\&\fIi2d_TYPE()\fR or \fIi2d_TYPE()\fR) may return a stale encoding if the +structure has been modified after deserialization or previous +serialization. This is because some objects cache the encoding for +efficiency reasons. .SH "RETURN VALUES" .IX Header "RETURN VALUES" -\&\fId2i_X509()\fR, \fId2i_X509_bio()\fR and \fId2i_X509_fp()\fR return a valid \fBX509\fR structure -or \fB\s-1NULL\s0\fR if an error occurs. The error code that can be obtained by -\&\fIERR_get_error\fR\|(3). If the \*(L"reuse\*(R" capability has been used -with a valid X509 structure being passed in via \fBpx\fR then the object is not -freed in the event of error but may be in a potentially invalid or inconsistent -state. +\&\fId2i_TYPE()\fR, \fId2i_TYPE_bio()\fR and \fId2i_TYPE_fp()\fR return a valid \fB\s-1TYPE\s0\fR structure +or \fB\s-1NULL\s0\fR if an error occurs. If the \*(L"reuse\*(R" capability has been used with +a valid structure being passed in via \fBa\fR, then the object is not freed in +the event of error but may be in a potentially invalid or inconsistent state. .PP -\&\fIi2d_X509()\fR returns the number of bytes successfully encoded or a negative -value if an error occurs. The error code can be obtained by -\&\fIERR_get_error\fR\|(3). +\&\fIi2d_TYPE()\fR returns the number of bytes successfully encoded or a negative +value if an error occurs. .PP -\&\fIi2d_X509_bio()\fR and \fIi2d_X509_fp()\fR return 1 for success and 0 if an error -occurs The error code can be obtained by \fIERR_get_error\fR\|(3). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIERR_get_error\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -d2i_X509, i2d_X509, d2i_X509_bio, d2i_X509_fp, i2d_X509_bio and i2d_X509_fp -are available in all versions of SSLeay and OpenSSL. +\&\fIi2d_TYPE_bio()\fR and \fIi2d_TYPE_fp()\fR return 1 for success and 0 if an error +occurs. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 1998\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/dh.3 b/secure/lib/libcrypto/man/dh.3 deleted file mode 100644 index 3c7cfcbbb8e0..000000000000 --- a/secure/lib/libcrypto/man/dh.3 +++ /dev/null @@ -1,210 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "dh 3" -.TH dh 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -dh \- Diffie\-Hellman key agreement -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 2 -\& #include -\& #include -\& -\& DH * DH_new(void); -\& void DH_free(DH *dh); -\& -\& int DH_size(const DH *dh); -\& -\& DH * DH_generate_parameters(int prime_len, int generator, -\& void (*callback)(int, int, void *), void *cb_arg); -\& int DH_check(const DH *dh, int *codes); -\& -\& int DH_generate_key(DH *dh); -\& int DH_compute_key(unsigned char *key, BIGNUM *pub_key, DH *dh); -\& -\& void DH_set_default_method(const DH_METHOD *meth); -\& const DH_METHOD *DH_get_default_method(void); -\& int DH_set_method(DH *dh, const DH_METHOD *meth); -\& DH *DH_new_method(ENGINE *engine); -\& const DH_METHOD *DH_OpenSSL(void); -\& -\& int DH_get_ex_new_index(long argl, char *argp, int (*new_func)(), -\& int (*dup_func)(), void (*free_func)()); -\& int DH_set_ex_data(DH *d, int idx, char *arg); -\& char *DH_get_ex_data(DH *d, int idx); -\& -\& DH * d2i_DHparams(DH **a, unsigned char **pp, long length); -\& int i2d_DHparams(const DH *a, unsigned char **pp); -\& -\& int DHparams_print_fp(FILE *fp, const DH *x); -\& int DHparams_print(BIO *bp, const DH *x); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -These functions implement the Diffie-Hellman key agreement protocol. -The generation of shared \s-1DH\s0 parameters is described in -\&\fIDH_generate_parameters\fR\|(3); \fIDH_generate_key\fR\|(3) describes how -to perform a key agreement. -.PP -The \fB\s-1DH\s0\fR structure consists of several \s-1BIGNUM\s0 components. -.PP -.Vb 9 -\& struct -\& { -\& BIGNUM *p; // prime number (shared) -\& BIGNUM *g; // generator of Z_p (shared) -\& BIGNUM *priv_key; // private DH value x -\& BIGNUM *pub_key; // public DH value g^x -\& // ... -\& }; -\& DH -.Ve -.PP -Note that \s-1DH\s0 keys may use non-standard \fB\s-1DH_METHOD\s0\fR implementations, -either directly or by the use of \fB\s-1ENGINE\s0\fR modules. In some cases (eg. an -\&\s-1ENGINE\s0 providing support for hardware-embedded keys), these \s-1BIGNUM\s0 values -will not be used by the implementation or may be used for alternative data -storage. For this reason, applications should generally avoid using \s-1DH\s0 -structure elements directly and instead use \s-1API\s0 functions to query or -modify keys. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIdhparam\fR\|(1), \fIbn\fR\|(3), \fIdsa\fR\|(3), \fIerr\fR\|(3), -\&\fIrand\fR\|(3), \fIrsa\fR\|(3), \fIengine\fR\|(3), -\&\fIDH_set_method\fR\|(3), \fIDH_new\fR\|(3), -\&\fIDH_get_ex_new_index\fR\|(3), -\&\fIDH_generate_parameters\fR\|(3), -\&\fIDH_compute_key\fR\|(3), \fId2i_DHparams\fR\|(3), -\&\fIRSA_print\fR\|(3) diff --git a/secure/lib/libcrypto/man/dsa.3 b/secure/lib/libcrypto/man/dsa.3 deleted file mode 100644 index 284da7820806..000000000000 --- a/secure/lib/libcrypto/man/dsa.3 +++ /dev/null @@ -1,245 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "dsa 3" -.TH dsa 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -dsa \- Digital Signature Algorithm -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 2 -\& #include -\& #include -\& -\& DSA * DSA_new(void); -\& void DSA_free(DSA *dsa); -\& -\& int DSA_size(const DSA *dsa); -\& -\& DSA * DSA_generate_parameters(int bits, unsigned char *seed, -\& int seed_len, int *counter_ret, unsigned long *h_ret, -\& void (*callback)(int, int, void *), void *cb_arg); -\& -\& DH * DSA_dup_DH(const DSA *r); -\& -\& int DSA_generate_key(DSA *dsa); -\& -\& int DSA_sign(int dummy, const unsigned char *dgst, int len, -\& unsigned char *sigret, unsigned int *siglen, DSA *dsa); -\& int DSA_sign_setup(DSA *dsa, BN_CTX *ctx, BIGNUM **kinvp, -\& BIGNUM **rp); -\& int DSA_verify(int dummy, const unsigned char *dgst, int len, -\& const unsigned char *sigbuf, int siglen, DSA *dsa); -\& -\& void DSA_set_default_method(const DSA_METHOD *meth); -\& const DSA_METHOD *DSA_get_default_method(void); -\& int DSA_set_method(DSA *dsa, const DSA_METHOD *meth); -\& DSA *DSA_new_method(ENGINE *engine); -\& const DSA_METHOD *DSA_OpenSSL(void); -\& -\& int DSA_get_ex_new_index(long argl, char *argp, int (*new_func)(), -\& int (*dup_func)(), void (*free_func)()); -\& int DSA_set_ex_data(DSA *d, int idx, char *arg); -\& char *DSA_get_ex_data(DSA *d, int idx); -\& -\& DSA_SIG *DSA_SIG_new(void); -\& void DSA_SIG_free(DSA_SIG *a); -\& int i2d_DSA_SIG(const DSA_SIG *a, unsigned char **pp); -\& DSA_SIG *d2i_DSA_SIG(DSA_SIG **v, unsigned char **pp, long length); -\& -\& DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); -\& int DSA_do_verify(const unsigned char *dgst, int dgst_len, -\& DSA_SIG *sig, DSA *dsa); -\& -\& DSA * d2i_DSAPublicKey(DSA **a, unsigned char **pp, long length); -\& DSA * d2i_DSAPrivateKey(DSA **a, unsigned char **pp, long length); -\& DSA * d2i_DSAparams(DSA **a, unsigned char **pp, long length); -\& int i2d_DSAPublicKey(const DSA *a, unsigned char **pp); -\& int i2d_DSAPrivateKey(const DSA *a, unsigned char **pp); -\& int i2d_DSAparams(const DSA *a,unsigned char **pp); -\& -\& int DSAparams_print(BIO *bp, const DSA *x); -\& int DSAparams_print_fp(FILE *fp, const DSA *x); -\& int DSA_print(BIO *bp, const DSA *x, int off); -\& int DSA_print_fp(FILE *bp, const DSA *x, int off); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -These functions implement the Digital Signature Algorithm (\s-1DSA\s0). The -generation of shared \s-1DSA\s0 parameters is described in -\&\fIDSA_generate_parameters\fR\|(3); -\&\fIDSA_generate_key\fR\|(3) describes how to -generate a signature key. Signature generation and verification are -described in \fIDSA_sign\fR\|(3). -.PP -The \fB\s-1DSA\s0\fR structure consists of several \s-1BIGNUM\s0 components. -.PP -.Vb 10 -\& struct -\& { -\& BIGNUM *p; // prime number (public) -\& BIGNUM *q; // 160\-bit subprime, q | p\-1 (public) -\& BIGNUM *g; // generator of subgroup (public) -\& BIGNUM *priv_key; // private key x -\& BIGNUM *pub_key; // public key y = g^x -\& // ... -\& } -\& DSA; -.Ve -.PP -In public keys, \fBpriv_key\fR is \s-1NULL.\s0 -.PP -Note that \s-1DSA\s0 keys may use non-standard \fB\s-1DSA_METHOD\s0\fR implementations, -either directly or by the use of \fB\s-1ENGINE\s0\fR modules. In some cases (eg. an -\&\s-1ENGINE\s0 providing support for hardware-embedded keys), these \s-1BIGNUM\s0 values -will not be used by the implementation or may be used for alternative data -storage. For this reason, applications should generally avoid using \s-1DSA\s0 -structure elements directly and instead use \s-1API\s0 functions to query or -modify keys. -.SH "CONFORMING TO" -.IX Header "CONFORMING TO" -\&\s-1US\s0 Federal Information Processing Standard \s-1FIPS 186\s0 (Digital Signature -Standard, \s-1DSS\s0), \s-1ANSI X9.30\s0 -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIbn\fR\|(3), \fIdh\fR\|(3), \fIerr\fR\|(3), \fIrand\fR\|(3), -\&\fIrsa\fR\|(3), \fIsha\fR\|(3), \fIengine\fR\|(3), -\&\fIDSA_new\fR\|(3), -\&\fIDSA_size\fR\|(3), -\&\fIDSA_generate_parameters\fR\|(3), -\&\fIDSA_dup_DH\fR\|(3), -\&\fIDSA_generate_key\fR\|(3), -\&\fIDSA_sign\fR\|(3), \fIDSA_set_method\fR\|(3), -\&\fIDSA_get_ex_new_index\fR\|(3), -\&\fIRSA_print\fR\|(3) diff --git a/secure/lib/libcrypto/man/ec.3 b/secure/lib/libcrypto/man/ec.3 deleted file mode 100644 index bf05df4ebca0..000000000000 --- a/secure/lib/libcrypto/man/ec.3 +++ /dev/null @@ -1,329 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "ec 3" -.TH ec 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -ec \- Elliptic Curve functions -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 2 -\& #include -\& #include -\& -\& const EC_METHOD *EC_GFp_simple_method(void); -\& const EC_METHOD *EC_GFp_mont_method(void); -\& const EC_METHOD *EC_GFp_nist_method(void); -\& const EC_METHOD *EC_GFp_nistp224_method(void); -\& const EC_METHOD *EC_GFp_nistp256_method(void); -\& const EC_METHOD *EC_GFp_nistp521_method(void); -\& -\& const EC_METHOD *EC_GF2m_simple_method(void); -\& -\& EC_GROUP *EC_GROUP_new(const EC_METHOD *meth); -\& void EC_GROUP_free(EC_GROUP *group); -\& void EC_GROUP_clear_free(EC_GROUP *group); -\& int EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src); -\& EC_GROUP *EC_GROUP_dup(const EC_GROUP *src); -\& const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group); -\& int EC_METHOD_get_field_type(const EC_METHOD *meth); -\& int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor); -\& const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group); -\& int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx); -\& int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx); -\& void EC_GROUP_set_curve_name(EC_GROUP *group, int nid); -\& int EC_GROUP_get_curve_name(const EC_GROUP *group); -\& void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); -\& int EC_GROUP_get_asn1_flag(const EC_GROUP *group); -\& void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form); -\& point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *); -\& unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x); -\& size_t EC_GROUP_get_seed_len(const EC_GROUP *); -\& size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len); -\& int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -\& int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); -\& int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -\& int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); -\& int EC_GROUP_get_degree(const EC_GROUP *group); -\& int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx); -\& int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx); -\& int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx); -\& EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -\& EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -\& EC_GROUP *EC_GROUP_new_by_curve_name(int nid); -\& -\& size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems); -\& -\& EC_POINT *EC_POINT_new(const EC_GROUP *group); -\& void EC_POINT_free(EC_POINT *point); -\& void EC_POINT_clear_free(EC_POINT *point); -\& int EC_POINT_copy(EC_POINT *dst, const EC_POINT *src); -\& EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group); -\& const EC_METHOD *EC_POINT_method_of(const EC_POINT *point); -\& int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point); -\& int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); -\& int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, -\& const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); -\& int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); -\& int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, -\& const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -\& int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, int y_bit, BN_CTX *ctx); -\& int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); -\& int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, -\& const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -\& int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, -\& const BIGNUM *x, int y_bit, BN_CTX *ctx); -\& size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p, -\& point_conversion_form_t form, -\& unsigned char *buf, size_t len, BN_CTX *ctx); -\& int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *p, -\& const unsigned char *buf, size_t len, BN_CTX *ctx); -\& BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *, -\& point_conversion_form_t form, BIGNUM *, BN_CTX *); -\& EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *, -\& EC_POINT *, BN_CTX *); -\& char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *, -\& point_conversion_form_t form, BN_CTX *); -\& EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *, -\& EC_POINT *, BN_CTX *); -\& -\& int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); -\& int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx); -\& int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx); -\& int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *p); -\& int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx); -\& int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); -\& int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx); -\& int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx); -\& int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, size_t num, const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx); -\& int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx); -\& int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -\& int EC_GROUP_have_precompute_mult(const EC_GROUP *group); -\& -\& int EC_GROUP_get_basis_type(const EC_GROUP *); -\& int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k); -\& int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, -\& unsigned int *k2, unsigned int *k3); -\& EC_GROUP *d2i_ECPKParameters(EC_GROUP **, const unsigned char **in, long len); -\& int i2d_ECPKParameters(const EC_GROUP *, unsigned char **out); -\& #define d2i_ECPKParameters_bio(bp,x) ASN1_d2i_bio_of(EC_GROUP,NULL,d2i_ECPKParameters,bp,x) -\& #define i2d_ECPKParameters_bio(bp,x) ASN1_i2d_bio_of_const(EC_GROUP,i2d_ECPKParameters,bp,x) -\& #define d2i_ECPKParameters_fp(fp,x) (EC_GROUP *)ASN1_d2i_fp(NULL, \e -\& (char *(*)())d2i_ECPKParameters,(fp),(unsigned char **)(x)) -\& #define i2d_ECPKParameters_fp(fp,x) ASN1_i2d_fp(i2d_ECPKParameters,(fp), \e -\& (unsigned char *)(x)) -\& int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off); -\& int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off); -\& -\& EC_KEY *EC_KEY_new(void); -\& int EC_KEY_get_flags(const EC_KEY *key); -\& void EC_KEY_set_flags(EC_KEY *key, int flags); -\& void EC_KEY_clear_flags(EC_KEY *key, int flags); -\& EC_KEY *EC_KEY_new_by_curve_name(int nid); -\& void EC_KEY_free(EC_KEY *key); -\& EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src); -\& EC_KEY *EC_KEY_dup(const EC_KEY *src); -\& int EC_KEY_up_ref(EC_KEY *key); -\& const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key); -\& int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group); -\& const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key); -\& int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv); -\& const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key); -\& int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); -\& unsigned EC_KEY_get_enc_flags(const EC_KEY *key); -\& void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags); -\& point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); -\& void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform); -\& void *EC_KEY_get_key_method_data(EC_KEY *key, -\& void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -\& void EC_KEY_insert_key_method_data(EC_KEY *key, void *data, -\& void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -\& void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag); -\& int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx); -\& int EC_KEY_generate_key(EC_KEY *key); -\& int EC_KEY_check_key(const EC_KEY *key); -\& int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y); -\& -\& EC_KEY *d2i_ECPrivateKey(EC_KEY **key, const unsigned char **in, long len); -\& int i2d_ECPrivateKey(EC_KEY *key, unsigned char **out); -\& -\& EC_KEY *d2i_ECParameters(EC_KEY **key, const unsigned char **in, long len); -\& int i2d_ECParameters(EC_KEY *key, unsigned char **out); -\& -\& EC_KEY *o2i_ECPublicKey(EC_KEY **key, const unsigned char **in, long len); -\& int i2o_ECPublicKey(EC_KEY *key, unsigned char **out); -\& int ECParameters_print(BIO *bp, const EC_KEY *key); -\& int EC_KEY_print(BIO *bp, const EC_KEY *key, int off); -\& int ECParameters_print_fp(FILE *fp, const EC_KEY *key); -\& int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off); -\& #define ECParameters_dup(x) ASN1_dup_of(EC_KEY,i2d_ECParameters,d2i_ECParameters,x) -\& #define EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid) \e -\& EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_PARAMGEN, \e -\& EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL) -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This library provides an extensive set of functions for performing operations on elliptic curves over finite fields. -In general an elliptic curve is one with an equation of the form: -.PP -y^2 = x^3 + ax + b -.PP -An \fB\s-1EC_GROUP\s0\fR structure is used to represent the definition of an elliptic curve. Points on a curve are stored using an -\&\fB\s-1EC_POINT\s0\fR structure. An \fB\s-1EC_KEY\s0\fR is used to hold a private/public key pair, where a private key is simply a \s-1BIGNUM\s0 and a -public key is a point on a curve (represented by an \fB\s-1EC_POINT\s0\fR). -.PP -The library contains a number of alternative implementations of the different functions. Each implementation is optimised -for different scenarios. No matter which implementation is being used, the interface remains the same. The library -handles calling the correct implementation when an interface function is invoked. An implementation is represented by -an \fB\s-1EC_METHOD\s0\fR structure. -.PP -The creation and destruction of \fB\s-1EC_GROUP\s0\fR objects is described in \fIEC_GROUP_new\fR\|(3). Functions for -manipulating \fB\s-1EC_GROUP\s0\fR objects are described in \fIEC_GROUP_copy\fR\|(3). -.PP -Functions for creating, destroying and manipulating \fB\s-1EC_POINT\s0\fR objects are explained in \fIEC_POINT_new\fR\|(3), -whilst functions for performing mathematical operations and tests on \fBEC_POINTs\fR are coverd in \fIEC_POINT_add\fR\|(3). -.PP -For working with private and public keys refer to \fIEC_KEY_new\fR\|(3). Implementations are covered in -\&\fIEC_GFp_simple_method\fR\|(3). -.PP -For information on encoding and decoding curve parameters to and from \s-1ASN1\s0 see \fId2i_ECPKParameters\fR\|(3). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3), \fIEC_GROUP_new\fR\|(3), \fIEC_GROUP_copy\fR\|(3), -\&\fIEC_POINT_new\fR\|(3), \fIEC_POINT_add\fR\|(3), \fIEC_KEY_new\fR\|(3), -\&\fIEC_GFp_simple_method\fR\|(3), \fId2i_ECPKParameters\fR\|(3) diff --git a/secure/lib/libcrypto/man/ecdsa.3 b/secure/lib/libcrypto/man/ecdsa.3 deleted file mode 100644 index 8e226fdf32bd..000000000000 --- a/secure/lib/libcrypto/man/ecdsa.3 +++ /dev/null @@ -1,347 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "ecdsa 3" -.TH ecdsa 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -ECDSA_SIG_new, ECDSA_SIG_free, i2d_ECDSA_SIG, d2i_ECDSA_SIG, ECDSA_size, ECDSA_sign_setup, ECDSA_sign, ECDSA_sign_ex, ECDSA_verify, ECDSA_do_sign, ECDSA_do_sign_ex, ECDSA_do_verify \- Elliptic Curve Digital Signature Algorithm -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& ECDSA_SIG* ECDSA_SIG_new(void); -\& void ECDSA_SIG_free(ECDSA_SIG *sig); -\& int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp); -\& ECDSA_SIG* d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, -\& long len); -\& -\& ECDSA_SIG* ECDSA_do_sign(const unsigned char *dgst, int dgst_len, -\& EC_KEY *eckey); -\& ECDSA_SIG* ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, -\& const BIGNUM *kinv, const BIGNUM *rp, -\& EC_KEY *eckey); -\& int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, -\& const ECDSA_SIG *sig, EC_KEY* eckey); -\& int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx, -\& BIGNUM **kinv, BIGNUM **rp); -\& int ECDSA_sign(int type, const unsigned char *dgst, -\& int dgstlen, unsigned char *sig, -\& unsigned int *siglen, EC_KEY *eckey); -\& int ECDSA_sign_ex(int type, const unsigned char *dgst, -\& int dgstlen, unsigned char *sig, -\& unsigned int *siglen, const BIGNUM *kinv, -\& const BIGNUM *rp, EC_KEY *eckey); -\& int ECDSA_verify(int type, const unsigned char *dgst, -\& int dgstlen, const unsigned char *sig, -\& int siglen, EC_KEY *eckey); -\& int ECDSA_size(const EC_KEY *eckey); -\& -\& const ECDSA_METHOD* ECDSA_OpenSSL(void); -\& void ECDSA_set_default_method(const ECDSA_METHOD *meth); -\& const ECDSA_METHOD* ECDSA_get_default_method(void); -\& int ECDSA_set_method(EC_KEY *eckey,const ECDSA_METHOD *meth); -\& -\& int ECDSA_get_ex_new_index(long argl, void *argp, -\& CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, -\& CRYPTO_EX_free *free_func); -\& int ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg); -\& void* ECDSA_get_ex_data(EC_KEY *d, int idx); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \fB\s-1ECDSA_SIG\s0\fR structure consists of two BIGNUMs for the -r and s value of a \s-1ECDSA\s0 signature (see X9.62 or \s-1FIPS 186\-2\s0). -.PP -.Vb 5 -\& struct -\& { -\& BIGNUM *r; -\& BIGNUM *s; -\& } ECDSA_SIG; -.Ve -.PP -\&\fIECDSA_SIG_new()\fR allocates a new \fB\s-1ECDSA_SIG\s0\fR structure (note: this -function also allocates the BIGNUMs) and initialize it. -.PP -\&\fIECDSA_SIG_free()\fR frees the \fB\s-1ECDSA_SIG\s0\fR structure \fBsig\fR. -.PP -\&\fIi2d_ECDSA_SIG()\fR creates the \s-1DER\s0 encoding of the \s-1ECDSA\s0 signature -\&\fBsig\fR and writes the encoded signature to \fB*pp\fR (note: if \fBpp\fR -is \s-1NULL\s0 \fBi2d_ECDSA_SIG\fR returns the expected length in bytes of -the \s-1DER\s0 encoded signature). \fBi2d_ECDSA_SIG\fR returns the length -of the \s-1DER\s0 encoded signature (or 0 on error). -.PP -\&\fId2i_ECDSA_SIG()\fR decodes a \s-1DER\s0 encoded \s-1ECDSA\s0 signature and returns -the decoded signature in a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure. -\&\fB*sig\fR points to the buffer containing the \s-1DER\s0 encoded signature -of size \fBlen\fR. -.PP -\&\fIECDSA_size()\fR returns the maximum length of a \s-1DER\s0 encoded -\&\s-1ECDSA\s0 signature created with the private \s-1EC\s0 key \fBeckey\fR. -.PP -\&\fIECDSA_sign_setup()\fR may be used to precompute parts of the -signing operation. \fBeckey\fR is the private \s-1EC\s0 key and \fBctx\fR -is a pointer to \fB\s-1BN_CTX\s0\fR structure (or \s-1NULL\s0). The precomputed -values or returned in \fBkinv\fR and \fBrp\fR and can be used in a -later call to \fBECDSA_sign_ex\fR or \fBECDSA_do_sign_ex\fR. -.PP -\&\fIECDSA_sign()\fR is wrapper function for ECDSA_sign_ex with \fBkinv\fR -and \fBrp\fR set to \s-1NULL.\s0 -.PP -\&\fIECDSA_sign_ex()\fR computes a digital signature of the \fBdgstlen\fR bytes -hash value \fBdgst\fR using the private \s-1EC\s0 key \fBeckey\fR and the optional -pre-computed values \fBkinv\fR and \fBrp\fR. The \s-1DER\s0 encoded signatures is -stored in \fBsig\fR and it's length is returned in \fBsig_len\fR. Note: \fBsig\fR -must point to \fBECDSA_size\fR bytes of memory. The parameter \fBtype\fR -is ignored. -.PP -\&\fIECDSA_verify()\fR verifies that the signature in \fBsig\fR of size -\&\fBsiglen\fR is a valid \s-1ECDSA\s0 signature of the hash value -\&\fBdgst\fR of size \fBdgstlen\fR using the public key \fBeckey\fR. -The parameter \fBtype\fR is ignored. -.PP -\&\fIECDSA_do_sign()\fR is wrapper function for ECDSA_do_sign_ex with \fBkinv\fR -and \fBrp\fR set to \s-1NULL.\s0 -.PP -\&\fIECDSA_do_sign_ex()\fR computes a digital signature of the \fBdgst_len\fR -bytes hash value \fBdgst\fR using the private key \fBeckey\fR and the -optional pre-computed values \fBkinv\fR and \fBrp\fR. The signature is -returned in a newly allocated \fB\s-1ECDSA_SIG\s0\fR structure (or \s-1NULL\s0 on error). -.PP -\&\fIECDSA_do_verify()\fR verifies that the signature \fBsig\fR is a valid -\&\s-1ECDSA\s0 signature of the hash value \fBdgst\fR of size \fBdgst_len\fR -using the public key \fBeckey\fR. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\fIECDSA_SIG_new()\fR returns \s-1NULL\s0 if the allocation fails. -.PP -\&\fIECDSA_size()\fR returns the maximum length signature or 0 on error. -.PP -\&\fIECDSA_sign_setup()\fR and \fIECDSA_sign()\fR return 1 if successful or 0 -on error. -.PP -\&\fIECDSA_verify()\fR and \fIECDSA_do_verify()\fR return 1 for a valid -signature, 0 for an invalid signature and \-1 on error. -The error codes can be obtained by \fIERR_get_error\fR\|(3). -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Creating a \s-1ECDSA\s0 signature of given \s-1SHA\-1\s0 hash value using the -named curve secp192k1. -.PP -First step: create a \s-1EC_KEY\s0 object (note: this part is \fBnot\fR \s-1ECDSA\s0 -specific) -.PP -.Vb 12 -\& int ret; -\& ECDSA_SIG *sig; -\& EC_KEY *eckey; -\& eckey = EC_KEY_new_by_curve_name(NID_secp192k1); -\& if (eckey == NULL) -\& { -\& /* error */ -\& } -\& if (!EC_KEY_generate_key(eckey)) -\& { -\& /* error */ -\& } -.Ve -.PP -Second step: compute the \s-1ECDSA\s0 signature of a \s-1SHA\-1\s0 hash value -using \fBECDSA_do_sign\fR -.PP -.Vb 5 -\& sig = ECDSA_do_sign(digest, 20, eckey); -\& if (sig == NULL) -\& { -\& /* error */ -\& } -.Ve -.PP -or using \fBECDSA_sign\fR -.PP -.Vb 9 -\& unsigned char *buffer, *pp; -\& int buf_len; -\& buf_len = ECDSA_size(eckey); -\& buffer = OPENSSL_malloc(buf_len); -\& pp = buffer; -\& if (!ECDSA_sign(0, dgst, dgstlen, pp, &buf_len, eckey); -\& { -\& /* error */ -\& } -.Ve -.PP -Third step: verify the created \s-1ECDSA\s0 signature using \fBECDSA_do_verify\fR -.PP -.Vb 1 -\& ret = ECDSA_do_verify(digest, 20, sig, eckey); -.Ve -.PP -or using \fBECDSA_verify\fR -.PP -.Vb 1 -\& ret = ECDSA_verify(0, digest, 20, buffer, buf_len, eckey); -.Ve -.PP -and finally evaluate the return value: -.PP -.Vb 12 -\& if (ret == \-1) -\& { -\& /* error */ -\& } -\& else if (ret == 0) -\& { -\& /* incorrect signature */ -\& } -\& else /* ret == 1 */ -\& { -\& /* signature ok */ -\& } -.Ve -.SH "CONFORMING TO" -.IX Header "CONFORMING TO" -\&\s-1ANSI X9.62, US\s0 Federal Information Processing Standard \s-1FIPS 186\-2\s0 -(Digital Signature Standard, \s-1DSS\s0) -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIdsa\fR\|(3), \fIrsa\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -The ecdsa implementation was first introduced in OpenSSL 0.9.8 -.SH "AUTHOR" -.IX Header "AUTHOR" -Nils Larsch for the OpenSSL project (http://www.openssl.org). diff --git a/secure/lib/libcrypto/man/err.3 b/secure/lib/libcrypto/man/err.3 deleted file mode 100644 index eecd7747abf5..000000000000 --- a/secure/lib/libcrypto/man/err.3 +++ /dev/null @@ -1,317 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "err 3" -.TH err 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -err \- error codes -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& unsigned long ERR_get_error(void); -\& unsigned long ERR_peek_error(void); -\& unsigned long ERR_get_error_line(const char **file, int *line); -\& unsigned long ERR_peek_error_line(const char **file, int *line); -\& unsigned long ERR_get_error_line_data(const char **file, int *line, -\& const char **data, int *flags); -\& unsigned long ERR_peek_error_line_data(const char **file, int *line, -\& const char **data, int *flags); -\& -\& int ERR_GET_LIB(unsigned long e); -\& int ERR_GET_FUNC(unsigned long e); -\& int ERR_GET_REASON(unsigned long e); -\& -\& void ERR_clear_error(void); -\& -\& char *ERR_error_string(unsigned long e, char *buf); -\& const char *ERR_lib_error_string(unsigned long e); -\& const char *ERR_func_error_string(unsigned long e); -\& const char *ERR_reason_error_string(unsigned long e); -\& -\& void ERR_print_errors(BIO *bp); -\& void ERR_print_errors_fp(FILE *fp); -\& -\& void ERR_load_crypto_strings(void); -\& void ERR_free_strings(void); -\& -\& void ERR_remove_state(unsigned long pid); -\& -\& void ERR_put_error(int lib, int func, int reason, const char *file, -\& int line); -\& void ERR_add_error_data(int num, ...); -\& -\& void ERR_load_strings(int lib,ERR_STRING_DATA str[]); -\& unsigned long ERR_PACK(int lib, int func, int reason); -\& int ERR_get_next_error_library(void); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -When a call to the OpenSSL library fails, this is usually signalled -by the return value, and an error code is stored in an error queue -associated with the current thread. The \fBerr\fR library provides -functions to obtain these error codes and textual error messages. -.PP -The \fIERR_get_error\fR\|(3) manpage describes how to -access error codes. -.PP -Error codes contain information about where the error occurred, and -what went wrong. \s-1\fIERR_GET_LIB\s0\fR\|(3) describes how to -extract this information. A method to obtain human-readable error -messages is described in \fIERR_error_string\fR\|(3). -.PP -\&\fIERR_clear_error\fR\|(3) can be used to clear the -error queue. -.PP -Note that \fIERR_remove_state\fR\|(3) should be used to -avoid memory leaks when threads are terminated. -.SH "ADDING NEW ERROR CODES TO OPENSSL" -.IX Header "ADDING NEW ERROR CODES TO OPENSSL" -See \fIERR_put_error\fR\|(3) if you want to record error codes in the -OpenSSL error system from within your application. -.PP -The remainder of this section is of interest only if you want to add -new error codes to OpenSSL or add error codes from external libraries. -.SS "Reporting errors" -.IX Subsection "Reporting errors" -Each sub-library has a specific macro \fIXXXerr()\fR that is used to report -errors. Its first argument is a function code \fB\s-1XXX_F_...\s0\fR, the second -argument is a reason code \fB\s-1XXX_R_...\s0\fR. Function codes are derived -from the function names; reason codes consist of textual error -descriptions. For example, the function \fIssl23_read()\fR reports a -\&\*(L"handshake failure\*(R" as follows: -.PP -.Vb 1 -\& SSLerr(SSL_F_SSL23_READ, SSL_R_SSL_HANDSHAKE_FAILURE); -.Ve -.PP -Function and reason codes should consist of upper case characters, -numbers and underscores only. The error file generation script translates -function codes into function names by looking in the header files -for an appropriate function name, if none is found it just uses -the capitalized form such as \*(L"\s-1SSL23_READ\*(R"\s0 in the above example. -.PP -The trailing section of a reason code (after the \*(L"_R_\*(R") is translated -into lower case and underscores changed to spaces. -.PP -When you are using new function or reason codes, run \fBmake errors\fR. -The necessary \fB#define\fRs will then automatically be added to the -sub-library's header file. -.PP -Although a library will normally report errors using its own specific -XXXerr macro, another library's macro can be used. This is normally -only done when a library wants to include \s-1ASN1\s0 code which must use -the \fIASN1err()\fR macro. -.SS "Adding new libraries" -.IX Subsection "Adding new libraries" -When adding a new sub-library to OpenSSL, assign it a library number -\&\fB\s-1ERR_LIB_XXX\s0\fR, define a macro \fIXXXerr()\fR (both in \fBerr.h\fR), add its -name to \fBERR_str_libraries[]\fR (in \fBcrypto/err/err.c\fR), and add -\&\f(CW\*(C`ERR_load_XXX_strings()\*(C'\fR to the \fIERR_load_crypto_strings()\fR function -(in \fBcrypto/err/err_all.c\fR). Finally, add an entry -.PP -.Vb 1 -\& L XXX xxx.h xxx_err.c -.Ve -.PP -to \fBcrypto/err/openssl.ec\fR, and add \fBxxx_err.c\fR to the Makefile. -Running \fBmake errors\fR will then generate a file \fBxxx_err.c\fR, and -add all error codes used in the library to \fBxxx.h\fR. -.PP -Additionally the library include file must have a certain form. -Typically it will initially look like this: -.PP -.Vb 2 -\& #ifndef HEADER_XXX_H -\& #define HEADER_XXX_H -\& -\& #ifdef _\|_cplusplus -\& extern "C" { -\& #endif -\& -\& /* Include files */ -\& -\& #include -\& #include -\& -\& /* Macros, structures and function prototypes */ -\& -\& -\& /* BEGIN ERROR CODES */ -.Ve -.PP -The \fB\s-1BEGIN ERROR CODES\s0\fR sequence is used by the error code -generation script as the point to place new error codes, any text -after this point will be overwritten when \fBmake errors\fR is run. -The closing #endif etc will be automatically added by the script. -.PP -The generated C error code file \fBxxx_err.c\fR will load the header -files \fBstdio.h\fR, \fBopenssl/err.h\fR and \fBopenssl/xxx.h\fR so the -header file must load any additional header files containing any -definitions it uses. -.SH "USING ERROR CODES IN EXTERNAL LIBRARIES" -.IX Header "USING ERROR CODES IN EXTERNAL LIBRARIES" -It is also possible to use OpenSSL's error code scheme in external -libraries. The library needs to load its own codes and call the OpenSSL -error code insertion script \fBmkerr.pl\fR explicitly to add codes to -the header file and generate the C error code file. This will normally -be done if the external library needs to generate new \s-1ASN1\s0 structures -but it can also be used to add more general purpose error code handling. -.PP -\&\s-1TBA\s0 more details -.SH "INTERNALS" -.IX Header "INTERNALS" -The error queues are stored in a hash table with one \fB\s-1ERR_STATE\s0\fR -entry for each pid. \fIERR_get_state()\fR returns the current thread's -\&\fB\s-1ERR_STATE\s0\fR. An \fB\s-1ERR_STATE\s0\fR can hold up to \fB\s-1ERR_NUM_ERRORS\s0\fR error -codes. When more error codes are added, the old ones are overwritten, -on the assumption that the most recent errors are most important. -.PP -Error strings are also stored in hash table. The hash tables can -be obtained by calling ERR_get_err_state_table(void) and -ERR_get_string_table(void) respectively. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fICRYPTO_set_locking_callback\fR\|(3), -\&\fIERR_get_error\fR\|(3), -\&\s-1\fIERR_GET_LIB\s0\fR\|(3), -\&\fIERR_clear_error\fR\|(3), -\&\fIERR_error_string\fR\|(3), -\&\fIERR_print_errors\fR\|(3), -\&\fIERR_load_crypto_strings\fR\|(3), -\&\fIERR_remove_state\fR\|(3), -\&\fIERR_put_error\fR\|(3), -\&\fIERR_load_strings\fR\|(3), -\&\fISSL_get_error\fR\|(3) diff --git a/secure/lib/libcrypto/man/evp.3 b/secure/lib/libcrypto/man/evp.3 deleted file mode 100644 index 9be7c8e779b9..000000000000 --- a/secure/lib/libcrypto/man/evp.3 +++ /dev/null @@ -1,227 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "evp 3" -.TH evp 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -evp \- high\-level cryptographic functions -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \s-1EVP\s0 library provides a high-level interface to cryptographic -functions. -.PP -\&\fBEVP_Seal\fR\fI...\fR and \fBEVP_Open\fR\fI...\fR -provide public key encryption and decryption to implement digital \*(L"envelopes\*(R". -.PP -The \fBEVP_DigestSign\fR\fI...\fR and -\&\fBEVP_DigestVerify\fR\fI...\fR functions implement -digital signatures and Message Authentication Codes (MACs). Also see the older -\&\fBEVP_Sign\fR\fI...\fR and \fBEVP_Verify\fR\fI...\fR -functions. -.PP -Symmetric encryption is available with the \fBEVP_Encrypt\fR\fI...\fR -functions. The \fBEVP_Digest\fR\fI...\fR functions provide message digests. -.PP -The \fB\s-1EVP_PKEY\s0\fR\fI...\fR functions provide a high level interface to -asymmetric algorithms. To create a new \s-1EVP_PKEY\s0 see -\&\fIEVP_PKEY_new\fR\|(3). EVP_PKEYs can be associated -with a private key of a particular algorithm by using the functions -described on the \fIEVP_PKEY_set1_RSA\fR\|(3) page, or -new keys can be generated using \fIEVP_PKEY_keygen\fR\|(3). -EVP_PKEYs can be compared using \fIEVP_PKEY_cmp\fR\|(3), or printed using -\&\fIEVP_PKEY_print_private\fR\|(3). -.PP -The \s-1EVP_PKEY\s0 functions support the full range of asymmetric algorithm operations: -.IP "For key agreement see \fIEVP_PKEY_derive\fR\|(3)" 4 -.IX Item "For key agreement see EVP_PKEY_derive" -.PD 0 -.IP "For signing and verifying see \fIEVP_PKEY_sign\fR\|(3), \fIEVP_PKEY_verify\fR\|(3) and \fIEVP_PKEY_verify_recover\fR\|(3). However, note that these functions do not perform a digest of the data to be signed. Therefore normally you would use the \fBEVP_DigestSign\fR\fI...\fR functions for this purpose." 4 -.IX Item "For signing and verifying see EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover. However, note that these functions do not perform a digest of the data to be signed. Therefore normally you would use the EVP_DigestSign... functions for this purpose." -.ie n .IP "For encryption and decryption see \fIEVP_PKEY_encrypt\fR\|(3) and \fIEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ""digital envelope"" using the \fBEVP_Seal\fR\fI...\fR and \fBEVP_Open\fR\fI...\fR functions." 4 -.el .IP "For encryption and decryption see \fIEVP_PKEY_encrypt\fR\|(3) and \fIEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ``digital envelope'' using the \fBEVP_Seal\fR\fI...\fR and \fBEVP_Open\fR\fI...\fR functions." 4 -.IX Item "For encryption and decryption see EVP_PKEY_encrypt and EVP_PKEY_decrypt respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a digital envelope using the EVP_Seal... and EVP_Open... functions." -.PD -.PP -The \fIEVP_BytesToKey\fR\|(3) function provides some limited support for password -based encryption. Careful selection of the parameters will provide a PKCS#5 \s-1PBKDF1\s0 compatible -implementation. However, new applications should not typically use this (preferring, for example, -\&\s-1PBKDF2\s0 from PCKS#5). -.PP -The \fBEVP_Encode\fR\fI...\fR and -\&\fBEVP_Decode\fR\fI...\fR functions implement base 64 encoding -and decoding. -.PP -Algorithms are loaded with \fIOpenSSL_add_all_algorithms\fR\|(3). -.PP -All the symmetric algorithms (ciphers), digests and asymmetric algorithms -(public key algorithms) can be replaced by \s-1ENGINE\s0 modules providing alternative -implementations. If \s-1ENGINE\s0 implementations of ciphers or digests are registered -as defaults, then the various \s-1EVP\s0 functions will automatically use those -implementations automatically in preference to built in software -implementations. For more information, consult the \fIengine\fR\|(3) man page. -.PP -Although low level algorithm specific functions exist for many algorithms -their use is discouraged. They cannot be used with an \s-1ENGINE\s0 and \s-1ENGINE\s0 -versions of new algorithms cannot be accessed using the low level functions. -Also makes code harder to adapt to new algorithms and some options are not -cleanly supported at the low level and some operations are more efficient -using the high level interface. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIEVP_DigestInit\fR\|(3), -\&\fIEVP_EncryptInit\fR\|(3), -\&\fIEVP_OpenInit\fR\|(3), -\&\fIEVP_SealInit\fR\|(3), -\&\fIEVP_DigestSignInit\fR\|(3), -\&\fIEVP_SignInit\fR\|(3), -\&\fIEVP_VerifyInit\fR\|(3), -\&\fIEVP_EncodeInit\fR\|(3), -\&\fIEVP_PKEY_new\fR\|(3), -\&\fIEVP_PKEY_set1_RSA\fR\|(3), -\&\fIEVP_PKEY_keygen\fR\|(3), -\&\fIEVP_PKEY_print_private\fR\|(3), -\&\fIEVP_PKEY_decrypt\fR\|(3), -\&\fIEVP_PKEY_encrypt\fR\|(3), -\&\fIEVP_PKEY_sign\fR\|(3), -\&\fIEVP_PKEY_verify\fR\|(3), -\&\fIEVP_PKEY_verify_recover\fR\|(3), -\&\fIEVP_PKEY_derive\fR\|(3), -\&\fIEVP_BytesToKey\fR\|(3), -\&\fIOpenSSL_add_all_algorithms\fR\|(3), -\&\fIengine\fR\|(3) diff --git a/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 b/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 index 63bf732093bb..fd0d24658dc2 100644 --- a/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 +++ b/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 @@ -128,16 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "i2d_CMS_bio_stream 3" -.TH i2d_CMS_bio_stream 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "I2D_CMS_BIO_STREAM 3" +.TH I2D_CMS_BIO_STREAM 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -.Vb 1 -\& i2d_CMS_bio_stream \- output CMS_ContentInfo structure in BER format. -.Ve +i2d_CMS_bio_stream \- output CMS_ContentInfo structure in BER format .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -170,3 +168,11 @@ The prefix \*(L"i2d\*(R" is arguably wrong because the function outputs \s-1BER\ .SH "HISTORY" .IX Header "HISTORY" \&\fIi2d_CMS_bio_stream()\fR was added to OpenSSL 1.0.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 b/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 index d4f92ef1856a..f7dfb73fb434 100644 --- a/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 +++ b/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 @@ -128,14 +128,14 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "i2d_PKCS7_bio_stream 3" -.TH i2d_PKCS7_bio_stream 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "I2D_PKCS7_BIO_STREAM 3" +.TH I2D_PKCS7_BIO_STREAM 3 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -i2d_PKCS7_bio_stream \- output PKCS7 structure in BER format. +i2d_PKCS7_bio_stream \- output PKCS7 structure in BER format .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 @@ -168,3 +168,11 @@ The prefix \*(L"i2d\*(R" is arguably wrong because the function outputs \s-1BER\ .SH "HISTORY" .IX Header "HISTORY" \&\fIi2d_PKCS7_bio_stream()\fR was added to OpenSSL 1.0.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/i2d_re_X509_tbs.3 b/secure/lib/libcrypto/man/i2d_re_X509_tbs.3 new file mode 100644 index 000000000000..bf489906d502 --- /dev/null +++ b/secure/lib/libcrypto/man/i2d_re_X509_tbs.3 @@ -0,0 +1,214 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "I2D_RE_X509_TBS 3" +.TH I2D_RE_X509_TBS 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +d2i_X509_AUX, i2d_X509_AUX, i2d_re_X509_tbs, i2d_re_X509_CRL_tbs, i2d_re_X509_REQ_tbs \&\- X509 encode and decode functions +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& X509 *d2i_X509_AUX(X509 **px, const unsigned char **in, long len); +\& int i2d_X509_AUX(X509 *x, unsigned char **out); +\& int i2d_re_X509_tbs(X509 *x, unsigned char **out); +\& int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp); +\& int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The X509 encode and decode routines encode and parse an +\&\fBX509\fR structure, which represents an X509 certificate. +.PP +\&\fId2i_X509_AUX()\fR is similar to \fId2i_X509\fR\|(3) but the input is expected to +consist of an X509 certificate followed by auxiliary trust information. +This is used by the \s-1PEM\s0 routines to read \*(L"\s-1TRUSTED CERTIFICATE\*(R"\s0 objects. +This function should not be called on untrusted input. +.PP +\&\fIi2d_X509_AUX()\fR is similar to \fIi2d_X509\fR\|(3), but the encoded output +contains both the certificate and any auxiliary trust information. +This is used by the \s-1PEM\s0 routines to write \*(L"\s-1TRUSTED CERTIFICATE\*(R"\s0 objects. +Note that this is a non-standard OpenSSL-specific data format. +.PP +\&\fIi2d_re_X509_tbs()\fR is similar to \fIi2d_X509\fR\|(3) except it encodes only +the TBSCertificate portion of the certificate. \fIi2d_re_X509_CRL_tbs()\fR +and \fIi2d_re_X509_REQ_tbs()\fR are analogous for \s-1CRL\s0 and certificate request, +respectively. The \*(L"re\*(R" in \fBi2d_re_X509_tbs\fR stands for \*(L"re-encode\*(R", +and ensures that a fresh encoding is generated in case the object has been +modified after creation (see the \s-1BUGS\s0 section). +.PP +The encoding of the TBSCertificate portion of a certificate is cached +in the \fBX509\fR structure internally to improve encoding performance +and to ensure certificate signatures are verified correctly in some +certificates with broken (non-DER) encodings. +.PP +If, after modification, the \fBX509\fR object is re-signed with \fIX509_sign()\fR, +the encoding is automatically renewed. Otherwise, the encoding of the +TBSCertificate portion of the \fBX509\fR can be manually renewed by calling +\&\fIi2d_re_X509_tbs()\fR. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +\&\fId2i_X509_AUX()\fR returns a valid \fBX509\fR structure or \s-1NULL\s0 if an error occurred. +.PP +\&\fIi2d_X509_AUX()\fR returns the length of encoded data or \-1 on error. +.PP +\&\fIi2d_re_X509_tbs()\fR, \fIi2d_re_X509_CRL_tbs()\fR and \fIi2d_re_X509_REQ_tbs()\fR return the +length of encoded data or 0 on error. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIERR_get_error\fR\|(3) +\&\fIX509_CRL_get0_by_serial\fR\|(3), +\&\fIX509_get0_signature\fR\|(3), +\&\fIX509_get_ext_d2i\fR\|(3), +\&\fIX509_get_extension_flags\fR\|(3), +\&\fIX509_get_pubkey\fR\|(3), +\&\fIX509_get_subject_name\fR\|(3), +\&\fIX509_get_version\fR\|(3), +\&\fIX509_NAME_add_entry_by_txt\fR\|(3), +\&\fIX509_NAME_ENTRY_get_object\fR\|(3), +\&\fIX509_NAME_get_index_by_NID\fR\|(3), +\&\fIX509_NAME_print_ex\fR\|(3), +\&\fIX509_new\fR\|(3), +\&\fIX509_sign\fR\|(3), +\&\fIX509V3_get_d2i\fR\|(3), +\&\fIX509_verify_cert\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2002\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/lhash.3 b/secure/lib/libcrypto/man/lhash.3 deleted file mode 100644 index af5c3caa9b92..000000000000 --- a/secure/lib/libcrypto/man/lhash.3 +++ /dev/null @@ -1,435 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "lhash 3" -.TH lhash 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -lh_new, lh_free, lh_insert, lh_delete, lh_retrieve, lh_doall, lh_doall_arg, lh_error \- dynamic hash table -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& DECLARE_LHASH_OF(); -\& -\& LHASH *lh__new(); -\& void lh__free(LHASH_OF( *table); -\& -\& *lh__insert(LHASH_OF( *table, *data); -\& *lh__delete(LHASH_OF( *table, *data); -\& *lh_retrieve(LHASH_OF *table, *data); -\& -\& void lh__doall(LHASH_OF( *table, LHASH_DOALL_FN_TYPE func); -\& void lh__doall_arg(LHASH_OF( *table, LHASH_DOALL_ARG_FN_TYPE func, -\& , *arg); -\& -\& int lh__error(LHASH_OF( *table); -\& -\& typedef int (*LHASH_COMP_FN_TYPE)(const void *, const void *); -\& typedef unsigned long (*LHASH_HASH_FN_TYPE)(const void *); -\& typedef void (*LHASH_DOALL_FN_TYPE)(const void *); -\& typedef void (*LHASH_DOALL_ARG_FN_TYPE)(const void *, const void *); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -This library implements type-checked dynamic hash tables. The hash -table entries can be arbitrary structures. Usually they consist of key -and value fields. -.PP -lh_\fI_new()\fR creates a new \fB\s-1LHASH_OF\s0( structure to store -arbitrary data entries, and provides the 'hash' and 'compare' -callbacks to be used in organising the table's entries. The \fBhash\fR -callback takes a pointer to a table entry as its argument and returns -an unsigned long hash value for its key field. The hash value is -normally truncated to a power of 2, so make sure that your hash -function returns well mixed low order bits. The \fBcompare\fR callback -takes two arguments (pointers to two hash table entries), and returns -0 if their keys are equal, non-zero otherwise. If your hash table -will contain items of some particular type and the \fBhash\fR and -\&\fBcompare\fR callbacks hash/compare these types, then the -\&\fB\s-1DECLARE_LHASH_HASH_FN\s0\fR and \fB\s-1IMPLEMENT_LHASH_COMP_FN\s0\fR macros can be -used to create callback wrappers of the prototypes required by -lh_\fI_new()\fR. These provide per-variable casts before calling the -type-specific callbacks written by the application author. These -macros, as well as those used for the \*(L"doall\*(R" callbacks, are defined -as; -.PP -.Vb 7 -\& #define DECLARE_LHASH_HASH_FN(name, o_type) \e -\& unsigned long name##_LHASH_HASH(const void *); -\& #define IMPLEMENT_LHASH_HASH_FN(name, o_type) \e -\& unsigned long name##_LHASH_HASH(const void *arg) { \e -\& const o_type *a = arg; \e -\& return name##_hash(a); } -\& #define LHASH_HASH_FN(name) name##_LHASH_HASH -\& -\& #define DECLARE_LHASH_COMP_FN(name, o_type) \e -\& int name##_LHASH_COMP(const void *, const void *); -\& #define IMPLEMENT_LHASH_COMP_FN(name, o_type) \e -\& int name##_LHASH_COMP(const void *arg1, const void *arg2) { \e -\& const o_type *a = arg1; \e -\& const o_type *b = arg2; \e -\& return name##_cmp(a,b); } -\& #define LHASH_COMP_FN(name) name##_LHASH_COMP -\& -\& #define DECLARE_LHASH_DOALL_FN(name, o_type) \e -\& void name##_LHASH_DOALL(void *); -\& #define IMPLEMENT_LHASH_DOALL_FN(name, o_type) \e -\& void name##_LHASH_DOALL(void *arg) { \e -\& o_type *a = arg; \e -\& name##_doall(a); } -\& #define LHASH_DOALL_FN(name) name##_LHASH_DOALL -\& -\& #define DECLARE_LHASH_DOALL_ARG_FN(name, o_type, a_type) \e -\& void name##_LHASH_DOALL_ARG(void *, void *); -\& #define IMPLEMENT_LHASH_DOALL_ARG_FN(name, o_type, a_type) \e -\& void name##_LHASH_DOALL_ARG(void *arg1, void *arg2) { \e -\& o_type *a = arg1; \e -\& a_type *b = arg2; \e -\& name##_doall_arg(a, b); } -\& #define LHASH_DOALL_ARG_FN(name) name##_LHASH_DOALL_ARG -\& -\& An example of a hash table storing (pointers to) structures of type \*(AqSTUFF\*(Aq -\& could be defined as follows; -\& -\& /* Calculates the hash value of \*(Aqtohash\*(Aq (implemented elsewhere) */ -\& unsigned long STUFF_hash(const STUFF *tohash); -\& /* Orders \*(Aqarg1\*(Aq and \*(Aqarg2\*(Aq (implemented elsewhere) */ -\& int stuff_cmp(const STUFF *arg1, const STUFF *arg2); -\& /* Create the type\-safe wrapper functions for use in the LHASH internals */ -\& static IMPLEMENT_LHASH_HASH_FN(stuff, STUFF); -\& static IMPLEMENT_LHASH_COMP_FN(stuff, STUFF); -\& /* ... */ -\& int main(int argc, char *argv[]) { -\& /* Create the new hash table using the hash/compare wrappers */ -\& LHASH_OF(STUFF) *hashtable = lh_STUFF_new(LHASH_HASH_FN(STUFF_hash), -\& LHASH_COMP_FN(STUFF_cmp)); -\& /* ... */ -\& } -.Ve -.PP -lh_\fI_free()\fR frees the \fB\s-1LHASH_OF\s0( structure -\&\fBtable\fR. Allocated hash table entries will not be freed; consider -using lh_\fI_doall()\fR to deallocate any remaining entries in the -hash table (see below). -.PP -lh_\fI_insert()\fR inserts the structure pointed to by \fBdata\fR into -\&\fBtable\fR. If there already is an entry with the same key, the old -value is replaced. Note that lh_\fI_insert()\fR stores pointers, the -data are not copied. -.PP -lh_\fI_delete()\fR deletes an entry from \fBtable\fR. -.PP -lh_\fI_retrieve()\fR looks up an entry in \fBtable\fR. Normally, \fBdata\fR -is a structure with the key field(s) set; the function will return a -pointer to a fully populated structure. -.PP -lh_\fI_doall()\fR will, for every entry in the hash table, call -\&\fBfunc\fR with the data item as its parameter. For lh_\fI_doall()\fR -and lh_\fI_doall_arg()\fR, function pointer casting should be avoided -in the callbacks (see \fB\s-1NOTE\s0\fR) \- instead use the declare/implement -macros to create type-checked wrappers that cast variables prior to -calling your type-specific callbacks. An example of this is -illustrated here where the callback is used to cleanup resources for -items in the hash table prior to the hashtable itself being -deallocated: -.PP -.Vb 9 -\& /* Cleans up resources belonging to \*(Aqa\*(Aq (this is implemented elsewhere) */ -\& void STUFF_cleanup_doall(STUFF *a); -\& /* Implement a prototype\-compatible wrapper for "STUFF_cleanup" */ -\& IMPLEMENT_LHASH_DOALL_FN(STUFF_cleanup, STUFF) -\& /* ... then later in the code ... */ -\& /* So to run "STUFF_cleanup" against all items in a hash table ... */ -\& lh_STUFF_doall(hashtable, LHASH_DOALL_FN(STUFF_cleanup)); -\& /* Then the hash table itself can be deallocated */ -\& lh_STUFF_free(hashtable); -.Ve -.PP -When doing this, be careful if you delete entries from the hash table -in your callbacks: the table may decrease in size, moving the item -that you are currently on down lower in the hash table \- this could -cause some entries to be skipped during the iteration. The second -best solution to this problem is to set hash\->down_load=0 before -you start (which will stop the hash table ever decreasing in size). -The best solution is probably to avoid deleting items from the hash -table inside a \*(L"doall\*(R" callback! -.PP -lh_\fI_doall_arg()\fR is the same as lh_\fI_doall()\fR except that -\&\fBfunc\fR will be called with \fBarg\fR as the second argument and \fBfunc\fR -should be of type \fB\s-1LHASH_DOALL_ARG_FN_TYPE\s0\fR (a callback prototype -that is passed both the table entry and an extra argument). As with -\&\fIlh_doall()\fR, you can instead choose to declare your callback with a -prototype matching the types you are dealing with and use the -declare/implement macros to create compatible wrappers that cast -variables before calling your type-specific callbacks. An example of -this is demonstrated here (printing all hash table entries to a \s-1BIO\s0 -that is provided by the caller): -.PP -.Vb 8 -\& /* Prints item \*(Aqa\*(Aq to \*(Aqoutput_bio\*(Aq (this is implemented elsewhere) */ -\& void STUFF_print_doall_arg(const STUFF *a, BIO *output_bio); -\& /* Implement a prototype\-compatible wrapper for "STUFF_print" */ -\& static IMPLEMENT_LHASH_DOALL_ARG_FN(STUFF, const STUFF, BIO) -\& /* ... then later in the code ... */ -\& /* Print out the entire hashtable to a particular BIO */ -\& lh_STUFF_doall_arg(hashtable, LHASH_DOALL_ARG_FN(STUFF_print), BIO, -\& logging_bio); -.Ve -.PP -lh_\fI_error()\fR can be used to determine if an error occurred in the last -operation. lh_\fI_error()\fR is a macro. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -lh_\fI_new()\fR returns \fB\s-1NULL\s0\fR on error, otherwise a pointer to the new -\&\fB\s-1LHASH\s0\fR structure. -.PP -When a hash table entry is replaced, lh_\fI_insert()\fR returns the value -being replaced. \fB\s-1NULL\s0\fR is returned on normal operation and on error. -.PP -lh_\fI_delete()\fR returns the entry being deleted. \fB\s-1NULL\s0\fR is returned if -there is no such value in the hash table. -.PP -lh_\fI_retrieve()\fR returns the hash table entry if it has been found, -\&\fB\s-1NULL\s0\fR otherwise. -.PP -lh_\fI_error()\fR returns 1 if an error occurred in the last operation, 0 -otherwise. -.PP -lh_\fI_free()\fR, lh_\fI_doall()\fR and lh_\fI_doall_arg()\fR return no values. -.SH "NOTE" -.IX Header "NOTE" -The various \s-1LHASH\s0 macros and callback types exist to make it possible -to write type-checked code without resorting to function-prototype -casting \- an evil that makes application code much harder to -audit/verify and also opens the window of opportunity for stack -corruption and other hard-to-find bugs. It also, apparently, violates -ANSI-C. -.PP -The \s-1LHASH\s0 code regards table entries as constant data. As such, it -internally represents \fIlh_insert()\fR'd items with a \*(L"const void *\*(R" -pointer type. This is why callbacks such as those used by \fIlh_doall()\fR -and \fIlh_doall_arg()\fR declare their prototypes with \*(L"const\*(R", even for the -parameters that pass back the table items' data pointers \- for -consistency, user-provided data is \*(L"const\*(R" at all times as far as the -\&\s-1LHASH\s0 code is concerned. However, as callers are themselves providing -these pointers, they can choose whether they too should be treating -all such parameters as constant. -.PP -As an example, a hash table may be maintained by code that, for -reasons of encapsulation, has only \*(L"const\*(R" access to the data being -indexed in the hash table (ie. it is returned as \*(L"const\*(R" from -elsewhere in their code) \- in this case the \s-1LHASH\s0 prototypes are -appropriate as-is. Conversely, if the caller is responsible for the -life-time of the data in question, then they may well wish to make -modifications to table item passed back in the \fIlh_doall()\fR or -\&\fIlh_doall_arg()\fR callbacks (see the \*(L"STUFF_cleanup\*(R" example above). If -so, the caller can either cast the \*(L"const\*(R" away (if they're providing -the raw callbacks themselves) or use the macros to declare/implement -the wrapper functions without \*(L"const\*(R" types. -.PP -Callers that only have \*(L"const\*(R" access to data they're indexing in a -table, yet declare callbacks without constant types (or cast the -\&\*(L"const\*(R" away themselves), are therefore creating their own risks/bugs -without being encouraged to do so by the \s-1API.\s0 On a related note, -those auditing code should pay special attention to any instances of -DECLARE/IMPLEMENT_LHASH_DOALL_[\s-1ARG_\s0]_FN macros that provide types -without any \*(L"const\*(R" qualifiers. -.SH "BUGS" -.IX Header "BUGS" -lh_\fI_insert()\fR returns \fB\s-1NULL\s0\fR both for success and error. -.SH "INTERNALS" -.IX Header "INTERNALS" -The following description is based on the SSLeay documentation: -.PP -The \fBlhash\fR library implements a hash table described in the -\&\fICommunications of the \s-1ACM\s0\fR in 1991. What makes this hash table -different is that as the table fills, the hash table is increased (or -decreased) in size via \fIOPENSSL_realloc()\fR. When a 'resize' is done, instead of -all hashes being redistributed over twice as many 'buckets', one -bucket is split. So when an 'expand' is done, there is only a minimal -cost to redistribute some values. Subsequent inserts will cause more -single 'bucket' redistributions but there will never be a sudden large -cost due to redistributing all the 'buckets'. -.PP -The state for a particular hash table is kept in the \fB\s-1LHASH\s0\fR structure. -The decision to increase or decrease the hash table size is made -depending on the 'load' of the hash table. The load is the number of -items in the hash table divided by the size of the hash table. The -default values are as follows. If (hash\->up_load < load) => -expand. if (hash\->down_load > load) => contract. The -\&\fBup_load\fR has a default value of 1 and \fBdown_load\fR has a default value -of 2. These numbers can be modified by the application by just -playing with the \fBup_load\fR and \fBdown_load\fR variables. The 'load' is -kept in a form which is multiplied by 256. So -hash\->up_load=8*256; will cause a load of 8 to be set. -.PP -If you are interested in performance the field to watch is -num_comp_calls. The hash library keeps track of the 'hash' value for -each item so when a lookup is done, the 'hashes' are compared, if -there is a match, then a full compare is done, and -hash\->num_comp_calls is incremented. If num_comp_calls is not equal -to num_delete plus num_retrieve it means that your hash function is -generating hashes that are the same for different values. It is -probably worth changing your hash function if this is the case because -even if your hash table has 10 items in a 'bucket', it can be searched -with 10 \fBunsigned long\fR compares and 10 linked list traverses. This -will be much less expensive that 10 calls to your compare function. -.PP -\&\fIlh_strhash()\fR is a demo string hashing function: -.PP -.Vb 1 -\& unsigned long lh_strhash(const char *c); -.Ve -.PP -Since the \fB\s-1LHASH\s0\fR routines would normally be passed structures, this -routine would not normally be passed to lh_\fI_new()\fR, rather it would be -used in the function passed to lh_\fI_new()\fR. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIlh_stats\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -The \fBlhash\fR library is available in all versions of SSLeay and OpenSSL. -\&\fIlh_error()\fR was added in SSLeay 0.9.1b. -.PP -This manpage is derived from the SSLeay documentation. -.PP -In OpenSSL 0.9.7, all lhash functions that were passed function pointers -were changed for better type safety, and the function types \s-1LHASH_COMP_FN_TYPE, -LHASH_HASH_FN_TYPE, LHASH_DOALL_FN_TYPE\s0 and \s-1LHASH_DOALL_ARG_FN_TYPE\s0 -became available. -.PP -In OpenSSL 1.0.0, the lhash interface was revamped for even better -type checking. diff --git a/secure/lib/libcrypto/man/o2i_SCT_LIST.3 b/secure/lib/libcrypto/man/o2i_SCT_LIST.3 new file mode 100644 index 000000000000..f98a663ed0ba --- /dev/null +++ b/secure/lib/libcrypto/man/o2i_SCT_LIST.3 @@ -0,0 +1,175 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "O2I_SCT_LIST 3" +.TH O2I_SCT_LIST 3 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +o2i_SCT_LIST, i2o_SCT_LIST, o2i_SCT, i2o_SCT \- decode and encode Signed Certificate Timestamp lists in TLS wire format +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +.Vb 1 +\& #include +\& +\& STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp, +\& size_t len); +\& int i2o_SCT_LIST(const STACK_OF(SCT) *a, unsigned char **pp); +\& SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len); +\& int i2o_SCT(const SCT *sct, unsigned char **out); +.Ve +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \s-1SCT_LIST\s0 and \s-1SCT\s0 functions are very similar to the i2d and d2i family of +functions, except that they convert to and from \s-1TLS\s0 wire format, as described in +\&\s-1RFC 6962.\s0 See d2i_SCT_LIST for more information about how the parameters are +treated and the return values. +.SH "RETURN VALUES" +.IX Header "RETURN VALUES" +All of the functions have return values consistent with those stated for +d2i_SCT_LIST and i2d_SCT_LIST. +.SH "SEE ALSO" +.IX Header "SEE ALSO" +\&\fIct\fR\|(7), +\&\fId2i_SCT_LIST\fR\|(3), +\&\fIi2d_SCT_LIST\fR\|(3) +.SH "HISTORY" +.IX Header "HISTORY" +These functions were added in OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/rand.3 b/secure/lib/libcrypto/man/rand.3 deleted file mode 100644 index dabbb601c50e..000000000000 --- a/secure/lib/libcrypto/man/rand.3 +++ /dev/null @@ -1,286 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "rand 3" -.TH rand 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -rand \- pseudo\-random number generator -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int RAND_set_rand_engine(ENGINE *engine); -\& -\& int RAND_bytes(unsigned char *buf, int num); -\& int RAND_pseudo_bytes(unsigned char *buf, int num); -\& -\& void RAND_seed(const void *buf, int num); -\& void RAND_add(const void *buf, int num, double entropy); -\& int RAND_status(void); -\& -\& int RAND_load_file(const char *file, long max_bytes); -\& int RAND_write_file(const char *file); -\& const char *RAND_file_name(char *file, size_t num); -\& -\& int RAND_egd(const char *path); -\& -\& void RAND_set_rand_method(const RAND_METHOD *meth); -\& const RAND_METHOD *RAND_get_rand_method(void); -\& RAND_METHOD *RAND_SSLeay(void); -\& -\& void RAND_cleanup(void); -\& -\& /* For Win32 only */ -\& void RAND_screen(void); -\& int RAND_event(UINT, WPARAM, LPARAM); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -Since the introduction of the \s-1ENGINE API,\s0 the recommended way of controlling -default implementations is by using the \s-1ENGINE API\s0 functions. The default -\&\fB\s-1RAND_METHOD\s0\fR, as set by \fIRAND_set_rand_method()\fR and returned by -\&\fIRAND_get_rand_method()\fR, is only used if no \s-1ENGINE\s0 has been set as the default -\&\*(L"rand\*(R" implementation. Hence, these two functions are no longer the recommended -way to control defaults. -.PP -If an alternative \fB\s-1RAND_METHOD\s0\fR implementation is being used (either set -directly or as provided by an \s-1ENGINE\s0 module), then it is entirely responsible -for the generation and management of a cryptographically secure \s-1PRNG\s0 stream. The -mechanisms described below relate solely to the software \s-1PRNG\s0 implementation -built in to OpenSSL and used by default. -.PP -These functions implement a cryptographically secure pseudo-random -number generator (\s-1PRNG\s0). It is used by other library functions for -example to generate random keys, and applications can use it when they -need randomness. -.PP -A cryptographic \s-1PRNG\s0 must be seeded with unpredictable data such as -mouse movements or keys pressed at random by the user. This is -described in \fIRAND_add\fR\|(3). Its state can be saved in a seed file -(see \fIRAND_load_file\fR\|(3)) to avoid having to go through the -seeding process whenever the application is started. -.PP -\&\fIRAND_bytes\fR\|(3) describes how to obtain random data from the -\&\s-1PRNG.\s0 -.SH "INTERNALS" -.IX Header "INTERNALS" -The \fIRAND_SSLeay()\fR method implements a \s-1PRNG\s0 based on a cryptographic -hash function. -.PP -The following description of its design is based on the SSLeay -documentation: -.PP -First up I will state the things I believe I need for a good \s-1RNG.\s0 -.IP "1." 4 -A good hashing algorithm to mix things up and to convert the \s-1RNG\s0 'state' -to random numbers. -.IP "2." 4 -An initial source of random 'state'. -.IP "3." 4 -The state should be very large. If the \s-1RNG\s0 is being used to generate -4096 bit \s-1RSA\s0 keys, 2 2048 bit random strings are required (at a minimum). -If your \s-1RNG\s0 state only has 128 bits, you are obviously limiting the -search space to 128 bits, not 2048. I'm probably getting a little -carried away on this last point but it does indicate that it may not be -a bad idea to keep quite a lot of \s-1RNG\s0 state. It should be easier to -break a cipher than guess the \s-1RNG\s0 seed data. -.IP "4." 4 -Any \s-1RNG\s0 seed data should influence all subsequent random numbers -generated. This implies that any random seed data entered will have -an influence on all subsequent random numbers generated. -.IP "5." 4 -When using data to seed the \s-1RNG\s0 state, the data used should not be -extractable from the \s-1RNG\s0 state. I believe this should be a -requirement because one possible source of 'secret' semi random -data would be a private key or a password. This data must -not be disclosed by either subsequent random numbers or a -\&'core' dump left by a program crash. -.IP "6." 4 -Given the same initial 'state', 2 systems should deviate in their \s-1RNG\s0 state -(and hence the random numbers generated) over time if at all possible. -.IP "7." 4 -Given the random number output stream, it should not be possible to determine -the \s-1RNG\s0 state or the next random number. -.PP -The algorithm is as follows. -.PP -There is global state made up of a 1023 byte buffer (the 'state'), a -working hash value ('md'), and a counter ('count'). -.PP -Whenever seed data is added, it is inserted into the 'state' as -follows. -.PP -The input is chopped up into units of 20 bytes (or less for -the last block). Each of these blocks is run through the hash -function as follows: The data passed to the hash function -is the current 'md', the same number of bytes from the 'state' -(the location determined by in incremented looping index) as -the current 'block', the new key data 'block', and 'count' -(which is incremented after each use). -The result of this is kept in 'md' and also xored into the -\&'state' at the same locations that were used as input into the -hash function. I -believe this system addresses points 1 (hash function; currently -\&\s-1SHA\-1\s0), 3 (the 'state'), 4 (via the 'md'), 5 (by the use of a hash -function and xor). -.PP -When bytes are extracted from the \s-1RNG,\s0 the following process is used. -For each group of 10 bytes (or less), we do the following: -.PP -Input into the hash function the local 'md' (which is initialized from -the global 'md' before any bytes are generated), the bytes that are to -be overwritten by the random bytes, and bytes from the 'state' -(incrementing looping index). From this digest output (which is kept -in 'md'), the top (up to) 10 bytes are returned to the caller and the -bottom 10 bytes are xored into the 'state'. -.PP -Finally, after we have finished 'num' random bytes for the caller, -\&'count' (which is incremented) and the local and global 'md' are fed -into the hash function and the results are kept in the global 'md'. -.PP -I believe the above addressed points 1 (use of \s-1SHA\-1\s0), 6 (by hashing -into the 'state' the 'old' data from the caller that is about to be -overwritten) and 7 (by not using the 10 bytes given to the caller to -update the 'state', but they are used to update 'md'). -.PP -So of the points raised, only 2 is not addressed (but see -\&\fIRAND_add\fR\|(3)). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIBN_rand\fR\|(3), \fIRAND_add\fR\|(3), -\&\fIRAND_load_file\fR\|(3), \fIRAND_egd\fR\|(3), -\&\fIRAND_bytes\fR\|(3), -\&\fIRAND_set_rand_method\fR\|(3), -\&\fIRAND_cleanup\fR\|(3) diff --git a/secure/lib/libcrypto/man/rsa.3 b/secure/lib/libcrypto/man/rsa.3 deleted file mode 100644 index 4471d50008b9..000000000000 --- a/secure/lib/libcrypto/man/rsa.3 +++ /dev/null @@ -1,253 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "rsa 3" -.TH rsa 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -rsa \- RSA public key cryptosystem -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 2 -\& #include -\& #include -\& -\& RSA * RSA_new(void); -\& void RSA_free(RSA *rsa); -\& -\& int RSA_public_encrypt(int flen, unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); -\& int RSA_private_decrypt(int flen, unsigned char *from, -\& unsigned char *to, RSA *rsa, int padding); -\& int RSA_private_encrypt(int flen, unsigned char *from, -\& unsigned char *to, RSA *rsa,int padding); -\& int RSA_public_decrypt(int flen, unsigned char *from, -\& unsigned char *to, RSA *rsa,int padding); -\& -\& int RSA_sign(int type, unsigned char *m, unsigned int m_len, -\& unsigned char *sigret, unsigned int *siglen, RSA *rsa); -\& int RSA_verify(int type, unsigned char *m, unsigned int m_len, -\& unsigned char *sigbuf, unsigned int siglen, RSA *rsa); -\& -\& int RSA_size(const RSA *rsa); -\& -\& RSA *RSA_generate_key(int num, unsigned long e, -\& void (*callback)(int,int,void *), void *cb_arg); -\& -\& int RSA_check_key(RSA *rsa); -\& -\& int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); -\& void RSA_blinding_off(RSA *rsa); -\& -\& void RSA_set_default_method(const RSA_METHOD *meth); -\& const RSA_METHOD *RSA_get_default_method(void); -\& int RSA_set_method(RSA *rsa, const RSA_METHOD *meth); -\& const RSA_METHOD *RSA_get_method(const RSA *rsa); -\& RSA_METHOD *RSA_PKCS1_SSLeay(void); -\& RSA_METHOD *RSA_null_method(void); -\& int RSA_flags(const RSA *rsa); -\& RSA *RSA_new_method(ENGINE *engine); -\& -\& int RSA_print(BIO *bp, RSA *x, int offset); -\& int RSA_print_fp(FILE *fp, RSA *x, int offset); -\& -\& int RSA_get_ex_new_index(long argl, char *argp, int (*new_func)(), -\& int (*dup_func)(), void (*free_func)()); -\& int RSA_set_ex_data(RSA *r,int idx,char *arg); -\& char *RSA_get_ex_data(RSA *r, int idx); -\& -\& int RSA_sign_ASN1_OCTET_STRING(int dummy, unsigned char *m, -\& unsigned int m_len, unsigned char *sigret, unsigned int *siglen, -\& RSA *rsa); -\& int RSA_verify_ASN1_OCTET_STRING(int dummy, unsigned char *m, -\& unsigned int m_len, unsigned char *sigbuf, unsigned int siglen, -\& RSA *rsa); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -These functions implement \s-1RSA\s0 public key encryption and signatures -as defined in \s-1PKCS\s0 #1 v2.0 [\s-1RFC 2437\s0]. -.PP -The \fB\s-1RSA\s0\fR structure consists of several \s-1BIGNUM\s0 components. It can -contain public as well as private \s-1RSA\s0 keys: -.PP -.Vb 10 -\& struct -\& { -\& BIGNUM *n; // public modulus -\& BIGNUM *e; // public exponent -\& BIGNUM *d; // private exponent -\& BIGNUM *p; // secret prime factor -\& BIGNUM *q; // secret prime factor -\& BIGNUM *dmp1; // d mod (p\-1) -\& BIGNUM *dmq1; // d mod (q\-1) -\& BIGNUM *iqmp; // q^\-1 mod p -\& // ... -\& }; -\& RSA -.Ve -.PP -In public keys, the private exponent and the related secret values are -\&\fB\s-1NULL\s0\fR. -.PP -\&\fBp\fR, \fBq\fR, \fBdmp1\fR, \fBdmq1\fR and \fBiqmp\fR may be \fB\s-1NULL\s0\fR in private -keys, but the \s-1RSA\s0 operations are much faster when these values are -available. -.PP -Note that \s-1RSA\s0 keys may use non-standard \fB\s-1RSA_METHOD\s0\fR implementations, -either directly or by the use of \fB\s-1ENGINE\s0\fR modules. In some cases (eg. an -\&\s-1ENGINE\s0 providing support for hardware-embedded keys), these \s-1BIGNUM\s0 values -will not be used by the implementation or may be used for alternative data -storage. For this reason, applications should generally avoid using \s-1RSA\s0 -structure elements directly and instead use \s-1API\s0 functions to query or -modify keys. -.SH "CONFORMING TO" -.IX Header "CONFORMING TO" -\&\s-1SSL, PKCS\s0 #1 v2.0 -.SH "PATENTS" -.IX Header "PATENTS" -\&\s-1RSA\s0 was covered by a \s-1US\s0 patent which expired in September 2000. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIrsa\fR\|(1), \fIbn\fR\|(3), \fIdsa\fR\|(3), \fIdh\fR\|(3), -\&\fIrand\fR\|(3), \fIengine\fR\|(3), \fIRSA_new\fR\|(3), -\&\fIRSA_public_encrypt\fR\|(3), -\&\fIRSA_sign\fR\|(3), \fIRSA_size\fR\|(3), -\&\fIRSA_generate_key\fR\|(3), -\&\fIRSA_check_key\fR\|(3), -\&\fIRSA_blinding_on\fR\|(3), -\&\fIRSA_set_method\fR\|(3), \fIRSA_print\fR\|(3), -\&\fIRSA_get_ex_new_index\fR\|(3), -\&\fIRSA_private_encrypt\fR\|(3), -\&\fIRSA_sign_ASN1_OCTET_STRING\fR\|(3), -\&\fIRSA_padding_add_PKCS1_type_1\fR\|(3) diff --git a/secure/lib/libcrypto/man/threads.3 b/secure/lib/libcrypto/man/threads.3 deleted file mode 100644 index b9e9ef2c93a2..000000000000 --- a/secure/lib/libcrypto/man/threads.3 +++ /dev/null @@ -1,330 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "threads 3" -.TH threads 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -CRYPTO_THREADID_set_callback, CRYPTO_THREADID_get_callback, -CRYPTO_THREADID_current, CRYPTO_THREADID_cmp, CRYPTO_THREADID_cpy, -CRYPTO_THREADID_hash, CRYPTO_set_locking_callback, CRYPTO_num_locks, -CRYPTO_set_dynlock_create_callback, CRYPTO_set_dynlock_lock_callback, -CRYPTO_set_dynlock_destroy_callback, CRYPTO_get_new_dynlockid, -CRYPTO_destroy_dynlockid, CRYPTO_lock \- OpenSSL thread support -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& /* Don\*(Aqt use this structure directly. */ -\& typedef struct crypto_threadid_st -\& { -\& void *ptr; -\& unsigned long val; -\& } CRYPTO_THREADID; -\& /* Only use CRYPTO_THREADID_set_[numeric|pointer]() within callbacks */ -\& void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val); -\& void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr); -\& int CRYPTO_THREADID_set_callback(void (*threadid_func)(CRYPTO_THREADID *)); -\& void (*CRYPTO_THREADID_get_callback(void))(CRYPTO_THREADID *); -\& void CRYPTO_THREADID_current(CRYPTO_THREADID *id); -\& int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, -\& const CRYPTO_THREADID *b); -\& void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, -\& const CRYPTO_THREADID *src); -\& unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id); -\& -\& int CRYPTO_num_locks(void); -\& -\& /* struct CRYPTO_dynlock_value needs to be defined by the user */ -\& struct CRYPTO_dynlock_value; -\& -\& void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value * -\& (*dyn_create_function)(char *file, int line)); -\& void CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function) -\& (int mode, struct CRYPTO_dynlock_value *l, -\& const char *file, int line)); -\& void CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function) -\& (struct CRYPTO_dynlock_value *l, const char *file, int line)); -\& -\& int CRYPTO_get_new_dynlockid(void); -\& -\& void CRYPTO_destroy_dynlockid(int i); -\& -\& void CRYPTO_lock(int mode, int n, const char *file, int line); -\& -\& #define CRYPTO_w_lock(type) \e -\& CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,_\|_FILE_\|_,_\|_LINE_\|_) -\& #define CRYPTO_w_unlock(type) \e -\& CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,_\|_FILE_\|_,_\|_LINE_\|_) -\& #define CRYPTO_r_lock(type) \e -\& CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,_\|_FILE_\|_,_\|_LINE_\|_) -\& #define CRYPTO_r_unlock(type) \e -\& CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,_\|_FILE_\|_,_\|_LINE_\|_) -\& #define CRYPTO_add(addr,amount,type) \e -\& CRYPTO_add_lock(addr,amount,type,_\|_FILE_\|_,_\|_LINE_\|_) -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -OpenSSL can generally be used safely in multi-threaded applications provided -that at least two callback functions are set, the locking_function and -threadid_func. -Note that OpenSSL is not completely thread-safe, and unfortunately not all -global resources have the necessary locks. -Further, the thread-safety does not extend to things like multiple threads -using the same \fB\s-1SSL\s0\fR object at the same time. -.PP -locking_function(int mode, int n, const char *file, int line) is -needed to perform locking on shared data structures. -(Note that OpenSSL uses a number of global data structures that -will be implicitly shared whenever multiple threads use OpenSSL.) -Multi-threaded applications will crash at random if it is not set. -.PP -\&\fIlocking_function()\fR must be able to handle up to \fICRYPTO_num_locks()\fR -different mutex locks. It sets the \fBn\fR\-th lock if \fBmode\fR & -\&\fB\s-1CRYPTO_LOCK\s0\fR, and releases it otherwise. -.PP -\&\fBfile\fR and \fBline\fR are the file number of the function setting the -lock. They can be useful for debugging. -.PP -threadid_func(\s-1CRYPTO_THREADID\s0 *id) is needed to record the currently-executing -thread's identifier into \fBid\fR. The implementation of this callback should not -fill in \fBid\fR directly, but should use \fICRYPTO_THREADID_set_numeric()\fR if thread -IDs are numeric, or \fICRYPTO_THREADID_set_pointer()\fR if they are pointer-based. -If the application does not register such a callback using -\&\fICRYPTO_THREADID_set_callback()\fR, then a default implementation is used \- on -Windows and BeOS this uses the system's default thread identifying APIs, and on -all other platforms it uses the address of \fBerrno\fR. The latter is satisfactory -for thread-safety if and only if the platform has a thread-local error number -facility. -.PP -Once \fIthreadid_func()\fR is registered, or if the built-in default implementation is -to be used; -.IP "\(bu" 4 -\&\fICRYPTO_THREADID_current()\fR records the currently-executing thread \s-1ID\s0 into the -given \fBid\fR object. -.IP "\(bu" 4 -\&\fICRYPTO_THREADID_cmp()\fR compares two thread IDs (returning zero for equality, ie. -the same semantics as \fImemcmp()\fR). -.IP "\(bu" 4 -\&\fICRYPTO_THREADID_cpy()\fR duplicates a thread \s-1ID\s0 value, -.IP "\(bu" 4 -\&\fICRYPTO_THREADID_hash()\fR returns a numeric value usable as a hash-table key. This -is usually the exact numeric or pointer-based thread \s-1ID\s0 used internally, however -this also handles the unusual case where pointers are larger than 'long' -variables and the platform's thread IDs are pointer-based \- in this case, mixing -is done to attempt to produce a unique numeric value even though it is not as -wide as the platform's true thread IDs. -.PP -Additionally, OpenSSL supports dynamic locks, and sometimes, some parts -of OpenSSL need it for better performance. To enable this, the following -is required: -.IP "\(bu" 4 -Three additional callback function, dyn_create_function, dyn_lock_function -and dyn_destroy_function. -.IP "\(bu" 4 -A structure defined with the data that each lock needs to handle. -.PP -struct CRYPTO_dynlock_value has to be defined to contain whatever structure -is needed to handle locks. -.PP -dyn_create_function(const char *file, int line) is needed to create a -lock. Multi-threaded applications might crash at random if it is not set. -.PP -dyn_lock_function(int mode, CRYPTO_dynlock *l, const char *file, int line) -is needed to perform locking off dynamic lock numbered n. Multi-threaded -applications might crash at random if it is not set. -.PP -dyn_destroy_function(CRYPTO_dynlock *l, const char *file, int line) is -needed to destroy the lock l. Multi-threaded applications might crash at -random if it is not set. -.PP -\&\fICRYPTO_get_new_dynlockid()\fR is used to create locks. It will call -dyn_create_function for the actual creation. -.PP -\&\fICRYPTO_destroy_dynlockid()\fR is used to destroy locks. It will call -dyn_destroy_function for the actual destruction. -.PP -\&\fICRYPTO_lock()\fR is used to lock and unlock the locks. mode is a bitfield -describing what should be done with the lock. n is the number of the -lock as returned from \fICRYPTO_get_new_dynlockid()\fR. mode can be combined -from the following values. These values are pairwise exclusive, with -undefined behaviour if misused (for example, \s-1CRYPTO_READ\s0 and \s-1CRYPTO_WRITE\s0 -should not be used together): -.PP -.Vb 4 -\& CRYPTO_LOCK 0x01 -\& CRYPTO_UNLOCK 0x02 -\& CRYPTO_READ 0x04 -\& CRYPTO_WRITE 0x08 -.Ve -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\fICRYPTO_num_locks()\fR returns the required number of locks. -.PP -\&\fICRYPTO_get_new_dynlockid()\fR returns the index to the newly created lock. -.PP -The other functions return no values. -.SH "NOTES" -.IX Header "NOTES" -You can find out if OpenSSL was configured with thread support: -.PP -.Vb 7 -\& #define OPENSSL_THREAD_DEFINES -\& #include -\& #if defined(OPENSSL_THREADS) -\& // thread support enabled -\& #else -\& // no thread support -\& #endif -.Ve -.PP -Also, dynamic locks are currently not used internally by OpenSSL, but -may do so in the future. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -\&\fBcrypto/threads/mttest.c\fR shows examples of the callback functions on -Solaris, Irix and Win32. -.SH "HISTORY" -.IX Header "HISTORY" -\&\fICRYPTO_set_locking_callback()\fR is -available in all versions of SSLeay and OpenSSL. -\&\fICRYPTO_num_locks()\fR was added in OpenSSL 0.9.4. -All functions dealing with dynamic locks were added in OpenSSL 0.9.5b\-dev. -\&\fB\s-1CRYPTO_THREADID\s0\fR and associated functions were introduced in OpenSSL 1.0.0 -to replace (actually, deprecate) the previous \fICRYPTO_set_id_callback()\fR, -\&\fICRYPTO_get_id_callback()\fR, and \fICRYPTO_thread_id()\fR functions which assumed -thread IDs to always be represented by 'unsigned long'. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIcrypto\fR\|(3) diff --git a/secure/lib/libcrypto/man/ui_compat.3 b/secure/lib/libcrypto/man/ui_compat.3 deleted file mode 100644 index 11ceeca01b20..000000000000 --- a/secure/lib/libcrypto/man/ui_compat.3 +++ /dev/null @@ -1,185 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "ui_compat 3" -.TH ui_compat 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -des_read_password, des_read_2passwords, des_read_pw_string, des_read_pw \- -Compatibility user interface functions -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int des_read_password(DES_cblock *key,const char *prompt,int verify); -\& int des_read_2passwords(DES_cblock *key1,DES_cblock *key2, -\& const char *prompt,int verify); -\& -\& int des_read_pw_string(char *buf,int length,const char *prompt,int verify); -\& int des_read_pw(char *buf,char *buff,int size,const char *prompt,int verify); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The \s-1DES\s0 library contained a few routines to prompt for passwords. These -aren't necessarely dependent on \s-1DES,\s0 and have therefore become part of the -\&\s-1UI\s0 compatibility library. -.PP -\&\fIdes_read_pw()\fR writes the string specified by \fIprompt\fR to standard output -turns echo off and reads an input string from the terminal. The string is -returned in \fIbuf\fR, which must have spac for at least \fIsize\fR bytes. -If \fIverify\fR is set, the user is asked for the password twice and unless -the two copies match, an error is returned. The second password is stored -in \fIbuff\fR, which must therefore also be at least \fIsize\fR bytes. A return -code of \-1 indicates a system error, 1 failure due to use interaction, and -0 is success. All other functions described here use \fIdes_read_pw()\fR to do -the work. -.PP -\&\fIdes_read_pw_string()\fR is a variant of \fIdes_read_pw()\fR that provides a buffer -for you if \fIverify\fR is set. -.PP -\&\fIdes_read_password()\fR calls \fIdes_read_pw()\fR and converts the password to a -\&\s-1DES\s0 key by calling \fIDES_string_to_key()\fR; \fIdes_read_2password()\fR operates in -the same way as \fIdes_read_password()\fR except that it generates two keys -by using the \fIDES_string_to_2key()\fR function. -.SH "NOTES" -.IX Header "NOTES" -\&\fIdes_read_pw_string()\fR is available in the \s-1MIT\s0 Kerberos library as well, and -is also available under the name \fIEVP_read_pw_string()\fR. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIui\fR\|(3), \fIui_create\fR\|(3) -.SH "AUTHOR" -.IX Header "AUTHOR" -Richard Levitte (richard@levitte.org) for the OpenSSL project -(http://www.openssl.org). diff --git a/secure/lib/libssl/Makefile.man b/secure/lib/libssl/Makefile.man deleted file mode 100644 index 252cc9929d83..000000000000 --- a/secure/lib/libssl/Makefile.man +++ /dev/null @@ -1,324 +0,0 @@ -# $FreeBSD$ -# DO NOT EDIT: generated from man-makefile-update target -MAN+= SSL_CIPHER_get_name.3 -MAN+= SSL_COMP_add_compression_method.3 -MAN+= SSL_CONF_CTX_new.3 -MAN+= SSL_CONF_CTX_set1_prefix.3 -MAN+= SSL_CONF_CTX_set_flags.3 -MAN+= SSL_CONF_CTX_set_ssl_ctx.3 -MAN+= SSL_CONF_cmd.3 -MAN+= SSL_CONF_cmd_argv.3 -MAN+= SSL_CTX_add1_chain_cert.3 -MAN+= SSL_CTX_add_extra_chain_cert.3 -MAN+= SSL_CTX_add_session.3 -MAN+= SSL_CTX_ctrl.3 -MAN+= SSL_CTX_flush_sessions.3 -MAN+= SSL_CTX_free.3 -MAN+= SSL_CTX_get0_param.3 -MAN+= SSL_CTX_get_ex_new_index.3 -MAN+= SSL_CTX_get_verify_mode.3 -MAN+= SSL_CTX_load_verify_locations.3 -MAN+= SSL_CTX_new.3 -MAN+= SSL_CTX_sess_number.3 -MAN+= SSL_CTX_sess_set_cache_size.3 -MAN+= SSL_CTX_sess_set_get_cb.3 -MAN+= SSL_CTX_sessions.3 -MAN+= SSL_CTX_set1_curves.3 -MAN+= SSL_CTX_set1_verify_cert_store.3 -MAN+= SSL_CTX_set_alpn_select_cb.3 -MAN+= SSL_CTX_set_cert_cb.3 -MAN+= SSL_CTX_set_cert_store.3 -MAN+= SSL_CTX_set_cert_verify_callback.3 -MAN+= SSL_CTX_set_cipher_list.3 -MAN+= SSL_CTX_set_client_CA_list.3 -MAN+= SSL_CTX_set_client_cert_cb.3 -MAN+= SSL_CTX_set_custom_cli_ext.3 -MAN+= SSL_CTX_set_default_passwd_cb.3 -MAN+= SSL_CTX_set_generate_session_id.3 -MAN+= SSL_CTX_set_info_callback.3 -MAN+= SSL_CTX_set_max_cert_list.3 -MAN+= SSL_CTX_set_mode.3 -MAN+= SSL_CTX_set_msg_callback.3 -MAN+= SSL_CTX_set_options.3 -MAN+= SSL_CTX_set_psk_client_callback.3 -MAN+= SSL_CTX_set_quiet_shutdown.3 -MAN+= SSL_CTX_set_read_ahead.3 -MAN+= SSL_CTX_set_session_cache_mode.3 -MAN+= SSL_CTX_set_session_id_context.3 -MAN+= SSL_CTX_set_ssl_version.3 -MAN+= SSL_CTX_set_timeout.3 -MAN+= SSL_CTX_set_tlsext_servername_callback.3 -MAN+= SSL_CTX_set_tlsext_status_cb.3 -MAN+= SSL_CTX_set_tlsext_ticket_key_cb.3 -MAN+= SSL_CTX_set_tmp_dh_callback.3 -MAN+= SSL_CTX_set_tmp_rsa_callback.3 -MAN+= SSL_CTX_set_verify.3 -MAN+= SSL_CTX_use_certificate.3 -MAN+= SSL_CTX_use_psk_identity_hint.3 -MAN+= SSL_CTX_use_serverinfo.3 -MAN+= SSL_SESSION_free.3 -MAN+= SSL_SESSION_get_ex_new_index.3 -MAN+= SSL_SESSION_get_time.3 -MAN+= SSL_accept.3 -MAN+= SSL_alert_type_string.3 -MAN+= SSL_check_chain.3 -MAN+= SSL_clear.3 -MAN+= SSL_connect.3 -MAN+= SSL_do_handshake.3 -MAN+= SSL_export_keying_material.3 -MAN+= SSL_free.3 -MAN+= SSL_get_SSL_CTX.3 -MAN+= SSL_get_ciphers.3 -MAN+= SSL_get_client_CA_list.3 -MAN+= SSL_get_current_cipher.3 -MAN+= SSL_get_default_timeout.3 -MAN+= SSL_get_error.3 -MAN+= SSL_get_ex_data_X509_STORE_CTX_idx.3 -MAN+= SSL_get_ex_new_index.3 -MAN+= SSL_get_fd.3 -MAN+= SSL_get_peer_cert_chain.3 -MAN+= SSL_get_peer_certificate.3 -MAN+= SSL_get_psk_identity.3 -MAN+= SSL_get_rbio.3 -MAN+= SSL_get_session.3 -MAN+= SSL_get_verify_result.3 -MAN+= SSL_get_version.3 -MAN+= SSL_library_init.3 -MAN+= SSL_load_client_CA_file.3 -MAN+= SSL_new.3 -MAN+= SSL_pending.3 -MAN+= SSL_read.3 -MAN+= SSL_rstate_string.3 -MAN+= SSL_session_reused.3 -MAN+= SSL_set_bio.3 -MAN+= SSL_set_connect_state.3 -MAN+= SSL_set_fd.3 -MAN+= SSL_set_session.3 -MAN+= SSL_set_shutdown.3 -MAN+= SSL_set_verify_result.3 -MAN+= SSL_shutdown.3 -MAN+= SSL_state_string.3 -MAN+= SSL_want.3 -MAN+= SSL_write.3 -MAN+= d2i_SSL_SESSION.3 -MAN+= ssl.3 -MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_description.3 -MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_bits.3 -MLINKS+= SSL_CIPHER_get_name.3 SSL_CIPHER_get_version.3 -MLINKS+= SSL_COMP_add_compression_method.3 SSL_COMP_free_compression_methods.3 -MLINKS+= SSL_CONF_CTX_new.3 SSL_CONF_CTX_free.3 -MLINKS+= SSL_CONF_CTX_set_flags.3 SSL_CONF_CTX_clear_flags.3 -MLINKS+= SSL_CONF_CTX_set_ssl_ctx.3 SSL_CONF_CTX_set_ssl.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_add0_chain_cert.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_build_cert_chain.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_clear_chain_certs.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_get0_chain_certs.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_select_current_cert.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set0_chain.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set1_chain.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_CTX_set_current_cert.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_add0_chain_cert.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_add1_chain_cert.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_build_cert_chain.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_clear_chain_certs.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_get0_chain_certs.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_select_current_cert.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set0_chain.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set1_chain.3 -MLINKS+= SSL_CTX_add1_chain_cert.3 SSL_set_current_cert.3 -MLINKS+= SSL_CTX_add_extra_chain_cert.3 SSL_CTX_clear_extra_chain_certs.3 -MLINKS+= SSL_CTX_add_session.3 SSL_CTX_remove_session.3 -MLINKS+= SSL_CTX_add_session.3 SSL_add_session.3 -MLINKS+= SSL_CTX_add_session.3 SSL_remove_session.3 -MLINKS+= SSL_CTX_ctrl.3 SSL_CTX_callback_ctrl.3 -MLINKS+= SSL_CTX_ctrl.3 SSL_callback_ctrl.3 -MLINKS+= SSL_CTX_ctrl.3 SSL_ctrl.3 -MLINKS+= SSL_CTX_flush_sessions.3 SSL_flush_sessions.3 -MLINKS+= SSL_CTX_get0_param.3 SSL_CTX_set1_param.3 -MLINKS+= SSL_CTX_get0_param.3 SSL_get0_param.3 -MLINKS+= SSL_CTX_get0_param.3 SSL_set1_param.3 -MLINKS+= SSL_CTX_get_ex_new_index.3 SSL_CTX_get_ex_data.3 -MLINKS+= SSL_CTX_get_ex_new_index.3 SSL_CTX_set_ex_data.3 -MLINKS+= SSL_CTX_get_verify_mode.3 SSL_CTX_get_verify_callback.3 -MLINKS+= SSL_CTX_get_verify_mode.3 SSL_CTX_get_verify_depth.3 -MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_callback.3 -MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_depth.3 -MLINKS+= SSL_CTX_get_verify_mode.3 SSL_get_verify_mode.3 -MLINKS+= SSL_CTX_new.3 DTLS_client_method.3 -MLINKS+= SSL_CTX_new.3 DTLS_method.3 -MLINKS+= SSL_CTX_new.3 DTLS_server_method.3 -MLINKS+= SSL_CTX_new.3 DTLSv1_2_client_method.3 -MLINKS+= SSL_CTX_new.3 DTLSv1_2_method.3 -MLINKS+= SSL_CTX_new.3 DTLSv1_2_server_method.3 -MLINKS+= SSL_CTX_new.3 DTLSv1_client_method.3 -MLINKS+= SSL_CTX_new.3 DTLSv1_method.3 -MLINKS+= SSL_CTX_new.3 DTLSv1_server_method.3 -MLINKS+= SSL_CTX_new.3 SSLv23_client_method.3 -MLINKS+= SSL_CTX_new.3 SSLv23_method.3 -MLINKS+= SSL_CTX_new.3 SSLv23_server_method.3 -MLINKS+= SSL_CTX_new.3 SSLv2_client_method.3 -MLINKS+= SSL_CTX_new.3 SSLv2_method.3 -MLINKS+= SSL_CTX_new.3 SSLv2_server_method.3 -MLINKS+= SSL_CTX_new.3 SSLv3_client_method.3 -MLINKS+= SSL_CTX_new.3 SSLv3_method.3 -MLINKS+= SSL_CTX_new.3 SSLv3_server_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_1_client_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_1_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_1_server_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_2_client_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_2_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_2_server_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_client_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_method.3 -MLINKS+= SSL_CTX_new.3 TLSv1_server_method.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept_good.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_accept_renegotiate.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_cache_full.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_cb_hits.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect_good.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_connect_renegotiate.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_hits.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_misses.3 -MLINKS+= SSL_CTX_sess_number.3 SSL_CTX_sess_timeouts.3 -MLINKS+= SSL_CTX_sess_set_cache_size.3 SSL_CTX_sess_get_cache_size.3 -MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_get_cb.3 -MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_new_cb.3 -MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_get_remove_cb.3 -MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_set_new_cb.3 -MLINKS+= SSL_CTX_sess_set_get_cb.3 SSL_CTX_sess_set_remove_cb.3 -MLINKS+= SSL_CTX_set1_curves.3 SSL_CTX_set1_curves_list.3 -MLINKS+= SSL_CTX_set1_curves.3 SSL_CTX_set_ecdh_auto.3 -MLINKS+= SSL_CTX_set1_curves.3 SSL_get1_curves.3 -MLINKS+= SSL_CTX_set1_curves.3 SSL_get_shared_curve.3 -MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_curves.3 -MLINKS+= SSL_CTX_set1_curves.3 SSL_set1_curves_list.3 -MLINKS+= SSL_CTX_set1_curves.3 SSL_set_ecdh_auto.3 -MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set0_chain_cert_store.3 -MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set0_verify_cert_store.3 -MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_CTX_set1_chain_cert_store.3 -MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set0_chain_cert_store.3 -MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set0_verify_cert_store.3 -MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set1_chain_cert_store.3 -MLINKS+= SSL_CTX_set1_verify_cert_store.3 SSL_set1_verify_cert_store.3 -MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_CTX_set_alpn_protos.3 -MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_get0_alpn_selected.3 -MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_select_next_proto.3 -MLINKS+= SSL_CTX_set_alpn_select_cb.3 SSL_set_alpn_protos.3 -MLINKS+= SSL_CTX_set_cert_cb.3 SSL_set_cert_cb.3 -MLINKS+= SSL_CTX_set_cert_store.3 SSL_CTX_get_cert_store.3 -MLINKS+= SSL_CTX_set_cipher_list.3 SSL_set_cipher_list.3 -MLINKS+= SSL_CTX_set_client_CA_list.3 SSL_CTX_add_client_CA.3 -MLINKS+= SSL_CTX_set_client_CA_list.3 SSL_add_client_CA.3 -MLINKS+= SSL_CTX_set_client_CA_list.3 SSL_set_client_CA_list.3 -MLINKS+= SSL_CTX_set_client_cert_cb.3 SSL_CTX_get_client_cert_cb.3 -MLINKS+= SSL_CTX_set_custom_cli_ext.3 SSL_CTX_add_client_custom_ext.3 -MLINKS+= SSL_CTX_set_custom_cli_ext.3 SSL_CTX_add_server_custom_ext.3 -MLINKS+= SSL_CTX_set_default_passwd_cb.3 SSL_CTX_set_default_passwd_cb_userdata.3 -MLINKS+= SSL_CTX_set_generate_session_id.3 SSL_has_matching_session_id.3 -MLINKS+= SSL_CTX_set_generate_session_id.3 SSL_set_generate_session_id.3 -MLINKS+= SSL_CTX_set_info_callback.3 SSL_CTX_get_info_callback.3 -MLINKS+= SSL_CTX_set_info_callback.3 SSL_get_info_callback.3 -MLINKS+= SSL_CTX_set_info_callback.3 SSL_set_info_callback.3 -MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_CTX_get_max_cert_list.3 -MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_get_max_cert_list.3 -MLINKS+= SSL_CTX_set_max_cert_list.3 SSL_set_max_cert_list.3 -MLINKS+= SSL_CTX_set_mode.3 SSL_CTX_get_mode.3 -MLINKS+= SSL_CTX_set_mode.3 SSL_get_mode.3 -MLINKS+= SSL_CTX_set_mode.3 SSL_set_mode.3 -MLINKS+= SSL_CTX_set_msg_callback.3 SSL_CTX_set_msg_callback_arg.3 -MLINKS+= SSL_CTX_set_msg_callback.3 SSL_get_msg_callback_arg.3 -MLINKS+= SSL_CTX_set_msg_callback.3 SSL_set_msg_callback.3 -MLINKS+= SSL_CTX_set_options.3 SSL_CTX_clear_options.3 -MLINKS+= SSL_CTX_set_options.3 SSL_CTX_get_options.3 -MLINKS+= SSL_CTX_set_options.3 SSL_clear_options.3 -MLINKS+= SSL_CTX_set_options.3 SSL_get_options.3 -MLINKS+= SSL_CTX_set_options.3 SSL_get_secure_renegotiation_support.3 -MLINKS+= SSL_CTX_set_options.3 SSL_set_options.3 -MLINKS+= SSL_CTX_set_psk_client_callback.3 SSL_set_psk_client_callback.3 -MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_CTX_get_quiet_shutdown.3 -MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_get_quiet_shutdown.3 -MLINKS+= SSL_CTX_set_quiet_shutdown.3 SSL_set_quiet_shutdown.3 -MLINKS+= SSL_CTX_set_read_ahead.3 SSL_CTX_get_default_read_ahead.3 -MLINKS+= SSL_CTX_set_read_ahead.3 SSL_CTX_get_read_ahead.3 -MLINKS+= SSL_CTX_set_read_ahead.3 SSL_CTX_set_default_read_ahead.3 -MLINKS+= SSL_CTX_set_read_ahead.3 SSL_get_read_ahead.3 -MLINKS+= SSL_CTX_set_read_ahead.3 SSL_set_read_ahead.3 -MLINKS+= SSL_CTX_set_session_cache_mode.3 SSL_CTX_get_session_cache_mode.3 -MLINKS+= SSL_CTX_set_session_id_context.3 SSL_set_session_id_context.3 -MLINKS+= SSL_CTX_set_ssl_version.3 SSL_get_ssl_method.3 -MLINKS+= SSL_CTX_set_ssl_version.3 SSL_set_ssl_method.3 -MLINKS+= SSL_CTX_set_timeout.3 SSL_CTX_get_timeout.3 -MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_CTX_set_tlsext_servername_arg.3 -MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_get_servername.3 -MLINKS+= SSL_CTX_set_tlsext_servername_callback.3 SSL_get_servername_type.3 -MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_CTX_set_tlsext_status_arg.3 -MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_get_tlsext_status_ocsp_resp.3 -MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_set_tlsext_status_ocsp_resp.3 -MLINKS+= SSL_CTX_set_tlsext_status_cb.3 SSL_set_tlsext_status_type.3 -MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_CTX_set_tmp_dh.3 -MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_set_tmp_dh.3 -MLINKS+= SSL_CTX_set_tmp_dh_callback.3 SSL_set_tmp_dh_callback.3 -MLINKS+= SSL_CTX_set_tmp_rsa_callback.3 SSL_CTX_need_tmp_rsa.3 -MLINKS+= SSL_CTX_set_tmp_rsa_callback.3 SSL_CTX_set_tmp_rsa.3 -MLINKS+= SSL_CTX_set_tmp_rsa_callback.3 SSL_need_tmp_rsa.3 -MLINKS+= SSL_CTX_set_tmp_rsa_callback.3 SSL_set_tmp_rsa.3 -MLINKS+= SSL_CTX_set_tmp_rsa_callback.3 SSL_set_tmp_rsa_callback.3 -MLINKS+= SSL_CTX_set_verify.3 SSL_CTX_set_verify_depth.3 -MLINKS+= SSL_CTX_set_verify.3 SSL_set_verify.3 -MLINKS+= SSL_CTX_set_verify.3 SSL_set_verify_depth.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_check_private_key.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey_ASN1.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_PrivateKey_file.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey_ASN1.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_RSAPrivateKey_file.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_ASN1.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_chain_file.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_CTX_use_certificate_file.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_check_private_key.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey_ASN1.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_PrivateKey_file.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey_ASN1.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_RSAPrivateKey_file.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate_ASN1.3 -MLINKS+= SSL_CTX_use_certificate.3 SSL_use_certificate_file.3 -MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_CTX_set_psk_server_callback.3 -MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_set_psk_server_callback.3 -MLINKS+= SSL_CTX_use_psk_identity_hint.3 SSL_use_psk_identity_hint.3 -MLINKS+= SSL_CTX_use_serverinfo.3 SSL_CTX_use_serverinfo_file.3 -MLINKS+= SSL_SESSION_get_ex_new_index.3 SSL_SESSION_get_ex_data.3 -MLINKS+= SSL_SESSION_get_ex_new_index.3 SSL_SESSION_set_ex_data.3 -MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_get_timeout.3 -MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_set_time.3 -MLINKS+= SSL_SESSION_get_time.3 SSL_SESSION_set_timeout.3 -MLINKS+= SSL_alert_type_string.3 SSL_alert_desc_string.3 -MLINKS+= SSL_alert_type_string.3 SSL_alert_desc_string_long.3 -MLINKS+= SSL_alert_type_string.3 SSL_alert_type_string_long.3 -MLINKS+= SSL_get_ciphers.3 SSL_get_cipher_list.3 -MLINKS+= SSL_get_ciphers.3 SSL_get_shared_ciphers.3 -MLINKS+= SSL_get_client_CA_list.3 SSL_CTX_get_client_CA_list.3 -MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher.3 -MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_bits.3 -MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_name.3 -MLINKS+= SSL_get_current_cipher.3 SSL_get_cipher_version.3 -MLINKS+= SSL_get_ex_new_index.3 SSL_get_ex_data.3 -MLINKS+= SSL_get_ex_new_index.3 SSL_set_ex_data.3 -MLINKS+= SSL_get_psk_identity.3 SSL_get_psk_identity_hint.3 -MLINKS+= SSL_library_init.3 OpenSSL_add_ssl_algorithms.3 -MLINKS+= SSL_library_init.3 SSLeay_add_ssl_algorithms.3 -MLINKS+= SSL_rstate_string.3 SSL_rstate_string_long.3 -MLINKS+= SSL_set_connect_state.3 SSL_get_accept_state.3 -MLINKS+= SSL_set_shutdown.3 SSL_get_shutdown.3 -MLINKS+= SSL_state_string.3 SSL_state_string_long.3 -MLINKS+= SSL_want.3 SSL_want_nothing.3 -MLINKS+= SSL_want.3 SSL_want_read.3 -MLINKS+= SSL_want.3 SSL_want_write.3 -MLINKS+= SSL_want.3 SSL_want_x509_lookup.3 -MLINKS+= d2i_SSL_SESSION.3 i2d_SSL_SESSION.3 -MLINKS+= ssl.3 SSL.3 diff --git a/secure/lib/libssl/man/SSL_CIPHER_get_name.3 b/secure/lib/libssl/man/SSL_CIPHER_get_name.3 deleted file mode 100644 index d1728d5467d2..000000000000 --- a/secure/lib/libssl/man/SSL_CIPHER_get_name.3 +++ /dev/null @@ -1,251 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SSL_CIPHER_get_name 3" -.TH SSL_CIPHER_get_name 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_description \- get SSL_CIPHER properties -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher); -\& int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits); -\& char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher); -\& char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fISSL_CIPHER_get_name()\fR returns a pointer to the name of \fBcipher\fR. If the -argument is the \s-1NULL\s0 pointer, a pointer to the constant value \*(L"\s-1NONE\*(R"\s0 is -returned. -.PP -\&\fISSL_CIPHER_get_bits()\fR returns the number of secret bits used for \fBcipher\fR. If -\&\fBalg_bits\fR is not \s-1NULL,\s0 it contains the number of bits processed by the -chosen algorithm. If \fBcipher\fR is \s-1NULL, 0\s0 is returned. -.PP -\&\fISSL_CIPHER_get_version()\fR returns string which indicates the \s-1SSL/TLS\s0 protocol -version that first defined the cipher. -This is currently \fBSSLv2\fR or \fBTLSv1/SSLv3\fR. -In some cases it should possibly return \*(L"TLSv1.2\*(R" but does not; -use \fISSL_CIPHER_description()\fR instead. -If \fBcipher\fR is \s-1NULL, \*(L"\s0(\s-1NONE\s0)\*(R" is returned. -.PP -\&\fISSL_CIPHER_description()\fR returns a textual description of the cipher used -into the buffer \fBbuf\fR of length \fBlen\fR provided. \fBlen\fR must be at least -128 bytes, otherwise a pointer to the string \*(L"Buffer too small\*(R" is -returned. If \fBbuf\fR is \s-1NULL,\s0 a buffer of 128 bytes is allocated using -\&\fIOPENSSL_malloc()\fR. If the allocation fails, a pointer to the string -\&\*(L"OPENSSL_malloc Error\*(R" is returned. -.SH "NOTES" -.IX Header "NOTES" -The number of bits processed can be different from the secret bits. An -export cipher like e.g. \s-1EXP\-RC4\-MD5\s0 has only 40 secret bits. The algorithm -does use the full 128 bits (which would be returned for \fBalg_bits\fR), of -which however 88bits are fixed. The search space is hence only 40 bits. -.PP -The string returned by \fISSL_CIPHER_description()\fR in case of success consists -of cleartext information separated by one or more blanks in the following -sequence: -.IP "" 4 -.IX Item "" -Textual representation of the cipher name. -.IP "" 4 -.IX Item "" -Protocol version: \fBSSLv2\fR, \fBSSLv3\fR, \fBTLSv1.2\fR. The TLSv1.0 ciphers are -flagged with SSLv3. No new ciphers were added by TLSv1.1. -.IP "Kx=" 4 -.IX Item "Kx=" -Key exchange method: \fB\s-1RSA\s0\fR (for export ciphers as \fB\s-1RSA\s0(512)\fR or -\&\fB\s-1RSA\s0(1024)\fR), \fB\s-1DH\s0\fR (for export ciphers as \fB\s-1DH\s0(512)\fR or \fB\s-1DH\s0(1024)\fR), -\&\fB\s-1DH/RSA\s0\fR, \fB\s-1DH/DSS\s0\fR, \fBFortezza\fR. -.IP "Au=" 4 -.IX Item "Au=" -Authentication method: \fB\s-1RSA\s0\fR, \fB\s-1DSS\s0\fR, \fB\s-1DH\s0\fR, \fBNone\fR. None is the -representation of anonymous ciphers. -.IP "Enc=" 4 -.IX Item "Enc=" -Encryption method with number of secret bits: \fB\s-1DES\s0(40)\fR, \fB\s-1DES\s0(56)\fR, -\&\fB3DES(168)\fR, \fB\s-1RC4\s0(40)\fR, \fB\s-1RC4\s0(56)\fR, \fB\s-1RC4\s0(64)\fR, \fB\s-1RC4\s0(128)\fR, -\&\fB\s-1RC2\s0(40)\fR, \fB\s-1RC2\s0(56)\fR, \fB\s-1RC2\s0(128)\fR, \fB\s-1IDEA\s0(128)\fR, \fBFortezza\fR, \fBNone\fR. -.IP "Mac=" 4 -.IX Item "Mac=" -Message digest: \fB\s-1MD5\s0\fR, \fB\s-1SHA1\s0\fR. -.IP "" 4 -.IX Item "" -If the cipher is flagged exportable with respect to old \s-1US\s0 crypto -regulations, the word "\fBexport\fR" is printed. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Some examples for the output of \fISSL_CIPHER_description()\fR: -.PP -.Vb 4 -\& EDH\-RSA\-DES\-CBC3\-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1 -\& EDH\-DSS\-DES\-CBC3\-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1 -\& RC4\-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 -\& EXP\-RC4\-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export -.Ve -.PP -A comp[lete list can be retrieved by invoking the following command: -.PP -.Vb 1 -\& openssl ciphers \-v ALL -.Ve -.SH "BUGS" -.IX Header "BUGS" -If \fISSL_CIPHER_description()\fR is called with \fBcipher\fR being \s-1NULL,\s0 the -library crashes. -.PP -If \fISSL_CIPHER_description()\fR cannot handle a built-in cipher, the according -description of the cipher property is \fBunknown\fR. This case should not -occur. -.PP -The standard terminology for ephemeral Diffie-Hellman schemes is \s-1DHE\s0 -(finite field) or \s-1ECDHE\s0 (elliptic curve). This version of OpenSSL -idiosyncratically reports these schemes as \s-1EDH\s0 and \s-1EECDH,\s0 even though -it also accepts the standard terminology. -.PP -It is recommended to use the standard terminology (\s-1DHE\s0 and \s-1ECDHE\s0) -during configuration (e.g. via SSL_CTX_set_cipher_list) for clarity of -configuration. OpenSSL versions after 1.0.2 will report the standard -terms via SSL_CIPHER_get_name and SSL_CIPHER_description. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -See \s-1DESCRIPTION\s0 -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_get_current_cipher\fR\|(3), -\&\fISSL_get_ciphers\fR\|(3), \fIciphers\fR\|(1), -\&\fISSL_CTX_set_cipher_list\fR\|(3) diff --git a/secure/lib/libssl/man/SSL_CONF_cmd.3 b/secure/lib/libssl/man/SSL_CONF_cmd.3 deleted file mode 100644 index 0121bfe7c8dc..000000000000 --- a/secure/lib/libssl/man/SSL_CONF_cmd.3 +++ /dev/null @@ -1,533 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SSL_CONF_cmd 3" -.TH SSL_CONF_cmd 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL_CONF_cmd \- send configuration command -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int SSL_CONF_cmd(SSL_CONF_CTX *cctx, const char *cmd, const char *value); -\& int SSL_CONF_cmd_value_type(SSL_CONF_CTX *cctx, const char *cmd); -\& int SSL_CONF_finish(SSL_CONF_CTX *cctx); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The function \fISSL_CONF_cmd()\fR performs configuration operation \fBcmd\fR with -optional parameter \fBvalue\fR on \fBctx\fR. Its purpose is to simplify application -configuration of \fB\s-1SSL_CTX\s0\fR or \fB\s-1SSL\s0\fR structures by providing a common -framework for command line options or configuration files. -.PP -\&\fISSL_CONF_cmd_value_type()\fR returns the type of value that \fBcmd\fR refers to. -.PP -The function \fISSL_CONF_finish()\fR must be called after all configuration -operations have been completed. It is used to finalise any operations -or to process defaults. -.SH "SUPPORTED COMMAND LINE COMMANDS" -.IX Header "SUPPORTED COMMAND LINE COMMANDS" -Currently supported \fBcmd\fR names for command lines (i.e. when the -flag \fB\s-1SSL_CONF_CMDLINE\s0\fR is set) are listed below. Note: all \fBcmd\fR names -are case sensitive. Unless otherwise stated commands can be used by -both clients and servers and the \fBvalue\fR parameter is not used. The default -prefix for command line commands is \fB\-\fR and that is reflected below. -.IP "\fB\-sigalgs\fR" 4 -.IX Item "-sigalgs" -This sets the supported signature algorithms for \s-1TLS\s0 v1.2. For clients this -value is used directly for the supported signature algorithms extension. For -servers it is used to determine which signature algorithms to support. -.Sp -The \fBvalue\fR argument should be a colon separated list of signature algorithms -in order of decreasing preference of the form \fBalgorithm+hash\fR. \fBalgorithm\fR -is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and \fBhash\fR is a supported algorithm -\&\s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR, \fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR of \fB\s-1SHA512\s0\fR. -Note: algorithm and hash names are case sensitive. -.Sp -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. -.IP "\fB\-client_sigalgs\fR" 4 -.IX Item "-client_sigalgs" -This sets the supported signature algorithms associated with client -authentication for \s-1TLS\s0 v1.2. For servers the value is used in the supported -signature algorithms field of a certificate request. For clients it is -used to determine which signature algorithm to with the client certificate. -If a server does not request a certificate this option has no effect. -.Sp -The syntax of \fBvalue\fR is identical to \fB\-sigalgs\fR. If not set then -the value set for \fB\-sigalgs\fR will be used instead. -.IP "\fB\-curves\fR" 4 -.IX Item "-curves" -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. -.Sp -The \fBvalue\fR argument is a colon separated list of curves. The curve can be -either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR) or an OpenSSL \s-1OID\s0 name (e.g -\&\fBprime256v1\fR). Curve names are case sensitive. -.IP "\fB\-named_curve\fR" 4 -.IX Item "-named_curve" -This sets the temporary curve used for ephemeral \s-1ECDH\s0 modes. Only used by -servers -.Sp -The \fBvalue\fR argument is a curve name or the special value \fBauto\fR which -picks an appropriate curve based on client and server preferences. The curve -can be either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR) or an OpenSSL \s-1OID\s0 name -(e.g \fBprime256v1\fR). Curve names are case sensitive. -.IP "\fB\-cipher\fR" 4 -.IX Item "-cipher" -Sets the cipher suite list to \fBvalue\fR. Note: syntax checking of \fBvalue\fR is -currently not performed unless a \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR structure is -associated with \fBcctx\fR. -.IP "\fB\-cert\fR" 4 -.IX Item "-cert" -Attempts to use the file \fBvalue\fR as the certificate for the appropriate -context. It currently uses \fISSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR -structure is set or \fISSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an \fB\s-1SSL\s0\fR -structure is set. This option is only supported if certificate operations -are permitted. -.IP "\fB\-key\fR" 4 -.IX Item "-key" -Attempts to use the file \fBvalue\fR as the private key for the appropriate -context. This option is only supported if certificate operations -are permitted. Note: if no \fB\-key\fR option is set then a private key is -not loaded: it does not currently use the \fB\-cert\fR file. -.IP "\fB\-dhparam\fR" 4 -.IX Item "-dhparam" -Attempts to use the file \fBvalue\fR as the set of temporary \s-1DH\s0 parameters for -the appropriate context. This option is only supported if certificate -operations are permitted. -.IP "\fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4 -.IX Item "-no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2" -Disables protocol support for SSLv2, SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2 -by setting the corresponding options \fBSSL_OP_NO_SSLv2\fR, \fBSSL_OP_NO_SSLv3\fR, -\&\fBSSL_OP_NO_TLSv1\fR, \fBSSL_OP_NO_TLSv1_1\fR and \fBSSL_OP_NO_TLSv1_2\fR respectively. -.IP "\fB\-bugs\fR" 4 -.IX Item "-bugs" -Various bug workarounds are set, same as setting \fB\s-1SSL_OP_ALL\s0\fR. -.IP "\fB\-no_comp\fR" 4 -.IX Item "-no_comp" -Disables support for \s-1SSL/TLS\s0 compression, same as setting \fB\s-1SSL_OP_NO_COMPRESS\s0\fR. -.IP "\fB\-no_ticket\fR" 4 -.IX Item "-no_ticket" -Disables support for session tickets, same as setting \fB\s-1SSL_OP_NO_TICKET\s0\fR. -.IP "\fB\-serverpref\fR" 4 -.IX Item "-serverpref" -Use server and not client preference order when determining which cipher suite, -signature algorithm or elliptic curve to use for an incoming connection. -Equivalent to \fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers. -.IP "\fB\-no_resumption_on_reneg\fR" 4 -.IX Item "-no_resumption_on_reneg" -set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag. Only used by servers. -.IP "\fB\-legacyrenegotiation\fR" 4 -.IX Item "-legacyrenegotiation" -permits the use of unsafe legacy renegotiation. Equivalent to setting -\&\fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR. -.IP "\fB\-legacy_server_connect\fR, \fB\-no_legacy_server_connect\fR" 4 -.IX Item "-legacy_server_connect, -no_legacy_server_connect" -permits or prohibits the use of unsafe legacy renegotiation for OpenSSL -clients only. Equivalent to setting or clearing \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR. -Set by default. -.IP "\fB\-strict\fR" 4 -.IX Item "-strict" -enables strict mode protocol handling. Equivalent to setting -\&\fB\s-1SSL_CERT_FLAG_TLS_STRICT\s0\fR. -.IP "\fB\-debug_broken_protocol\fR" 4 -.IX Item "-debug_broken_protocol" -disables various checks and permits several kinds of broken protocol behaviour -for testing purposes: it should \fB\s-1NEVER\s0\fR be used in anything other than a test -environment. Only supported if OpenSSL is configured with -\&\fB\-DOPENSSL_SSL_DEBUG_BROKEN_PROTOCOL\fR. -.SH "SUPPORTED CONFIGURATION FILE COMMANDS" -.IX Header "SUPPORTED CONFIGURATION FILE COMMANDS" -Currently supported \fBcmd\fR names for configuration files (i.e. when the -flag \fB\s-1SSL_CONF_FLAG_FILE\s0\fR is set) are listed below. All configuration file -\&\fBcmd\fR names and are case insensitive so \fBsignaturealgorithms\fR is recognised -as well as \fBSignatureAlgorithms\fR. Unless otherwise stated the \fBvalue\fR names -are also case insensitive. -.PP -Note: the command prefix (if set) alters the recognised \fBcmd\fR values. -.IP "\fBCipherString\fR" 4 -.IX Item "CipherString" -Sets the cipher suite list to \fBvalue\fR. Note: syntax checking of \fBvalue\fR is -currently not performed unless an \fB\s-1SSL\s0\fR or \fB\s-1SSL_CTX\s0\fR structure is -associated with \fBcctx\fR. -.IP "\fBCertificate\fR" 4 -.IX Item "Certificate" -Attempts to use the file \fBvalue\fR as the certificate for the appropriate -context. It currently uses \fISSL_CTX_use_certificate_chain_file()\fR if an \fB\s-1SSL_CTX\s0\fR -structure is set or \fISSL_use_certificate_file()\fR with filetype \s-1PEM\s0 if an \fB\s-1SSL\s0\fR -structure is set. This option is only supported if certificate operations -are permitted. -.IP "\fBPrivateKey\fR" 4 -.IX Item "PrivateKey" -Attempts to use the file \fBvalue\fR as the private key for the appropriate -context. This option is only supported if certificate operations -are permitted. Note: if no \fB\-key\fR option is set then a private key is -not loaded: it does not currently use the \fBCertificate\fR file. -.IP "\fBServerInfoFile\fR" 4 -.IX Item "ServerInfoFile" -Attempts to use the file \fBvalue\fR in the \*(L"serverinfo\*(R" extension using the -function SSL_CTX_use_serverinfo_file. -.IP "\fBDHParameters\fR" 4 -.IX Item "DHParameters" -Attempts to use the file \fBvalue\fR as the set of temporary \s-1DH\s0 parameters for -the appropriate context. This option is only supported if certificate -operations are permitted. -.IP "\fBSignatureAlgorithms\fR" 4 -.IX Item "SignatureAlgorithms" -This sets the supported signature algorithms for \s-1TLS\s0 v1.2. For clients this -value is used directly for the supported signature algorithms extension. For -servers it is used to determine which signature algorithms to support. -.Sp -The \fBvalue\fR argument should be a colon separated list of signature algorithms -in order of decreasing preference of the form \fBalgorithm+hash\fR. \fBalgorithm\fR -is one of \fB\s-1RSA\s0\fR, \fB\s-1DSA\s0\fR or \fB\s-1ECDSA\s0\fR and \fBhash\fR is a supported algorithm -\&\s-1OID\s0 short name such as \fB\s-1SHA1\s0\fR, \fB\s-1SHA224\s0\fR, \fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR of \fB\s-1SHA512\s0\fR. -Note: algorithm and hash names are case sensitive. -.Sp -If this option is not set then all signature algorithms supported by the -OpenSSL library are permissible. -.IP "\fBClientSignatureAlgorithms\fR" 4 -.IX Item "ClientSignatureAlgorithms" -This sets the supported signature algorithms associated with client -authentication for \s-1TLS\s0 v1.2. For servers the value is used in the supported -signature algorithms field of a certificate request. For clients it is -used to determine which signature algorithm to with the client certificate. -.Sp -The syntax of \fBvalue\fR is identical to \fBSignatureAlgorithms\fR. If not set then -the value set for \fBSignatureAlgorithms\fR will be used instead. -.IP "\fBCurves\fR" 4 -.IX Item "Curves" -This sets the supported elliptic curves. For clients the curves are -sent using the supported curves extension. For servers it is used -to determine which curve to use. This setting affects curves used for both -signatures and key exchange, if applicable. -.Sp -The \fBvalue\fR argument is a colon separated list of curves. The curve can be -either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR) or an OpenSSL \s-1OID\s0 name (e.g -\&\fBprime256v1\fR). Curve names are case sensitive. -.IP "\fBECDHParameters\fR" 4 -.IX Item "ECDHParameters" -This sets the temporary curve used for ephemeral \s-1ECDH\s0 modes. Only used by -servers -.Sp -The \fBvalue\fR argument is a curve name or the special value \fBAutomatic\fR which -picks an appropriate curve based on client and server preferences. The curve -can be either the \fB\s-1NIST\s0\fR name (e.g. \fBP\-256\fR) or an OpenSSL \s-1OID\s0 name -(e.g \fBprime256v1\fR). Curve names are case sensitive. -.IP "\fBProtocol\fR" 4 -.IX Item "Protocol" -The supported versions of the \s-1SSL\s0 or \s-1TLS\s0 protocol. -.Sp -The \fBvalue\fR argument is a comma separated list of supported protocols to -enable or disable. If an protocol is preceded by \fB\-\fR that version is disabled. -Currently supported protocol values are \fBSSLv2\fR, \fBSSLv3\fR, \fBTLSv1\fR, -\&\fBTLSv1.1\fR and \fBTLSv1.2\fR. -All protocol versions other than \fBSSLv2\fR are enabled by default. -To avoid inadvertent enabling of \fBSSLv2\fR, when SSLv2 is disabled, it is not -possible to enable it via the \fBProtocol\fR command. -.IP "\fBOptions\fR" 4 -.IX Item "Options" -The \fBvalue\fR argument is a comma separated list of various flags to set. -If a flag string is preceded \fB\-\fR it is disabled. See the -\&\fBSSL_CTX_set_options\fR function for more details of individual options. -.Sp -Each option is listed below. Where an operation is enabled by default -the \fB\-flag\fR syntax is needed to disable it. -.Sp -\&\fBSessionTicket\fR: session ticket support, enabled by default. Inverse of -\&\fB\s-1SSL_OP_NO_TICKET\s0\fR: that is \fB\-SessionTicket\fR is the same as setting -\&\fB\s-1SSL_OP_NO_TICKET\s0\fR. -.Sp -\&\fBCompression\fR: \s-1SSL/TLS\s0 compression support, enabled by default. Inverse -of \fB\s-1SSL_OP_NO_COMPRESSION\s0\fR. -.Sp -\&\fBEmptyFragments\fR: use empty fragments as a countermeasure against a -\&\s-1SSL 3.0/TLS 1.0\s0 protocol vulnerability affecting \s-1CBC\s0 ciphers. It -is set by default. Inverse of \fB\s-1SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS\s0\fR. -.Sp -\&\fBBugs\fR: enable various bug workarounds. Same as \fB\s-1SSL_OP_ALL\s0\fR. -.Sp -\&\fBDHSingle\fR: enable single use \s-1DH\s0 keys, set by default. Inverse of -\&\fB\s-1SSL_OP_DH_SINGLE\s0\fR. Only used by servers. -.Sp -\&\fBECDHSingle\fR enable single use \s-1ECDH\s0 keys, set by default. Inverse of -\&\fB\s-1SSL_OP_ECDH_SINGLE\s0\fR. Only used by servers. -.Sp -\&\fBServerPreference\fR use server and not client preference order when -determining which cipher suite, signature algorithm or elliptic curve -to use for an incoming connection. Equivalent to -\&\fB\s-1SSL_OP_CIPHER_SERVER_PREFERENCE\s0\fR. Only used by servers. -.Sp -\&\fBNoResumptionOnRenegotiation\fR set -\&\fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR flag. Only used by servers. -.Sp -\&\fBUnsafeLegacyRenegotiation\fR permits the use of unsafe legacy renegotiation. -Equivalent to \fB\s-1SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION\s0\fR. -.Sp -\&\fBUnsafeLegacyServerConnect\fR permits the use of unsafe legacy renegotiation -for OpenSSL clients only. Equivalent to \fB\s-1SSL_OP_LEGACY_SERVER_CONNECT\s0\fR. -Set by default. -.SH "SUPPORTED COMMAND TYPES" -.IX Header "SUPPORTED COMMAND TYPES" -The function \fISSL_CONF_cmd_value_type()\fR currently returns one of the following -types: -.IP "\fB\s-1SSL_CONF_TYPE_UNKNOWN\s0\fR" 4 -.IX Item "SSL_CONF_TYPE_UNKNOWN" -The \fBcmd\fR string is unrecognised, this return value can be use to flag -syntax errors. -.IP "\fB\s-1SSL_CONF_TYPE_STRING\s0\fR" 4 -.IX Item "SSL_CONF_TYPE_STRING" -The value is a string without any specific structure. -.IP "\fB\s-1SSL_CONF_TYPE_FILE\s0\fR" 4 -.IX Item "SSL_CONF_TYPE_FILE" -The value is a file name. -.IP "\fB\s-1SSL_CONF_TYPE_DIR\s0\fR" 4 -.IX Item "SSL_CONF_TYPE_DIR" -The value is a directory name. -.SH "NOTES" -.IX Header "NOTES" -The order of operations is significant. This can be used to set either defaults -or values which cannot be overridden. For example if an application calls: -.PP -.Vb 2 -\& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3"); -\& SSL_CONF_cmd(ctx, userparam, uservalue); -.Ve -.PP -it will disable SSLv3 support by default but the user can override it. If -however the call sequence is: -.PP -.Vb 2 -\& SSL_CONF_cmd(ctx, userparam, uservalue); -\& SSL_CONF_cmd(ctx, "Protocol", "\-SSLv3"); -.Ve -.PP -then SSLv3 is \fBalways\fR disabled and attempt to override this by the user are -ignored. -.PP -By checking the return code of \fISSL_CTX_cmd()\fR it is possible to query if a -given \fBcmd\fR is recognised, this is useful is \fISSL_CTX_cmd()\fR values are -mixed with additional application specific operations. -.PP -For example an application might call \fISSL_CTX_cmd()\fR and if it returns -\&\-2 (unrecognised command) continue with processing of application specific -commands. -.PP -Applications can also use \fISSL_CTX_cmd()\fR to process command lines though the -utility function \fISSL_CTX_cmd_argv()\fR is normally used instead. One way -to do this is to set the prefix to an appropriate value using -\&\fISSL_CONF_CTX_set1_prefix()\fR, pass the current argument to \fBcmd\fR and the -following argument to \fBvalue\fR (which may be \s-1NULL\s0). -.PP -In this case if the return value is positive then it is used to skip that -number of arguments as they have been processed by \fISSL_CTX_cmd()\fR. If \-2 is -returned then \fBcmd\fR is not recognised and application specific arguments -can be checked instead. If \-3 is returned a required argument is missing -and an error is indicated. If 0 is returned some other error occurred and -this can be reported back to the user. -.PP -The function \fISSL_CONF_cmd_value_type()\fR can be used by applications to -check for the existence of a command or to perform additional syntax -checking or translation of the command value. For example if the return -value is \fB\s-1SSL_CONF_TYPE_FILE\s0\fR an application could translate a relative -pathname to an absolute pathname. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Set supported signature algorithms: -.PP -.Vb 1 -\& SSL_CONF_cmd(ctx, "SignatureAlgorithms", "ECDSA+SHA256:RSA+SHA256:DSA+SHA256"); -.Ve -.PP -Enable all protocols except SSLv3 and SSLv2: -.PP -.Vb 1 -\& SSL_CONF_cmd(ctx, "Protocol", "ALL,\-SSLv3,\-SSLv2"); -.Ve -.PP -Only enable TLSv1.2: -.PP -.Vb 1 -\& SSL_CONF_cmd(ctx, "Protocol", "\-ALL,TLSv1.2"); -.Ve -.PP -Disable \s-1TLS\s0 session tickets: -.PP -.Vb 1 -\& SSL_CONF_cmd(ctx, "Options", "\-SessionTicket"); -.Ve -.PP -Set supported curves to P\-256, P\-384: -.PP -.Vb 1 -\& SSL_CONF_cmd(ctx, "Curves", "P\-256:P\-384"); -.Ve -.PP -Set automatic support for any elliptic curve for key exchange: -.PP -.Vb 1 -\& SSL_CONF_cmd(ctx, "ECDHParameters", "Automatic"); -.Ve -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\fISSL_CONF_cmd()\fR returns 1 if the value of \fBcmd\fR is recognised and \fBvalue\fR is -\&\fB\s-1NOT\s0\fR used and 2 if both \fBcmd\fR and \fBvalue\fR are used. In other words it -returns the number of arguments processed. This is useful when processing -command lines. -.PP -A return value of \-2 means \fBcmd\fR is not recognised. -.PP -A return value of \-3 means \fBcmd\fR is recognised and the command requires a -value but \fBvalue\fR is \s-1NULL.\s0 -.PP -A return code of 0 indicates that both \fBcmd\fR and \fBvalue\fR are valid but an -error occurred attempting to perform the operation: for example due to an -error in the syntax of \fBvalue\fR in this case the error queue may provide -additional information. -.PP -\&\fISSL_CONF_finish()\fR returns 1 for success and 0 for failure. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fISSL_CONF_CTX_new\fR\|(3), -\&\fISSL_CONF_CTX_set_flags\fR\|(3), -\&\fISSL_CONF_CTX_set1_prefix\fR\|(3), -\&\fISSL_CONF_CTX_set_ssl_ctx\fR\|(3), -\&\fISSL_CONF_cmd_argv\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\fISSL_CONF_cmd()\fR was first added to OpenSSL 1.0.2 diff --git a/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3 b/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3 deleted file mode 100644 index 8196ab6e8057..000000000000 --- a/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3 +++ /dev/null @@ -1,260 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SSL_CTX_set_custom_cli_ext 3" -.TH SSL_CTX_set_custom_cli_ext 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL_CTX_add_client_custom_ext, SSL_CTX_add_server_custom_ext \- custom TLS extension handling -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, -\& custom_ext_add_cb add_cb, -\& custom_ext_free_cb free_cb, void *add_arg, -\& custom_ext_parse_cb parse_cb, -\& void *parse_arg); -\& -\& int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, -\& custom_ext_add_cb add_cb, -\& custom_ext_free_cb free_cb, void *add_arg, -\& custom_ext_parse_cb parse_cb, -\& void *parse_arg); -\& -\& int SSL_extension_supported(unsigned int ext_type); -\& -\& typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type, -\& const unsigned char **out, -\& size_t *outlen, int *al, -\& void *add_arg); -\& -\& typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type, -\& const unsigned char *out, -\& void *add_arg); -\& -\& typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type, -\& const unsigned char *in, -\& size_t inlen, int *al, -\& void *parse_arg); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fISSL_CTX_add_client_custom_ext()\fR adds a custom extension for a \s-1TLS\s0 client -with extension type \fBext_type\fR and callbacks \fBadd_cb\fR, \fBfree_cb\fR and -\&\fBparse_cb\fR. -.PP -\&\fISSL_CTX_add_server_custom_ext()\fR adds a custom extension for a \s-1TLS\s0 server -with extension type \fBext_type\fR and callbacks \fBadd_cb\fR, \fBfree_cb\fR and -\&\fBparse_cb\fR. -.PP -In both cases the extension type must not be handled by OpenSSL internally -or an error occurs. -.PP -\&\fISSL_extension_supported()\fR returns 1 if the extension \fBext_type\fR is handled -internally by OpenSSL and 0 otherwise. -.SH "EXTENSION CALLBACKS" -.IX Header "EXTENSION CALLBACKS" -The callback \fBadd_cb\fR is called to send custom extension data to be -included in ClientHello for \s-1TLS\s0 clients or ServerHello for servers. The -\&\fBext_type\fR parameter is set to the extension type which will be added and -\&\fBadd_arg\fR to the value set when the extension handler was added. -.PP -If the application wishes to include the extension \fBext_type\fR it should -set \fB*out\fR to the extension data, set \fB*outlen\fR to the length of the -extension data and return 1. -.PP -If the \fBadd_cb\fR does not wish to include the extension it must return 0. -.PP -If \fBadd_cb\fR returns \-1 a fatal handshake error occurs using the \s-1TLS\s0 -alert value specified in \fB*al\fR. -.PP -For clients (but not servers) if \fBadd_cb\fR is set to \s-1NULL\s0 a zero length -extension is added for \fBext_type\fR. -.PP -For clients every registered \fBadd_cb\fR is always called to see if the -application wishes to add an extension to ClientHello. -.PP -For servers every registered \fBadd_cb\fR is called once if and only if the -corresponding extension was received in ClientHello to see if the application -wishes to add the extension to ServerHello. That is, if no corresponding extension -was received in ClientHello then \fBadd_cb\fR will not be called. -.PP -If an extension is added (that is \fBadd_cb\fR returns 1) \fBfree_cb\fR is called -(if it is set) with the value of \fBout\fR set by the add callback. It can be -used to free up any dynamic extension data set by \fBadd_cb\fR. Since \fBout\fR is -constant (to permit use of constant data in \fBadd_cb\fR) applications may need to -cast away const to free the data. -.PP -The callback \fBparse_cb\fR receives data for \s-1TLS\s0 extensions. For \s-1TLS\s0 clients -the extension data will come from ServerHello and for \s-1TLS\s0 servers it will -come from ClientHello. -.PP -The extension data consists of \fBinlen\fR bytes in the buffer \fBin\fR for the -extension \fBextension_type\fR. -.PP -If the \fBparse_cb\fR considers the extension data acceptable it must return -1. If it returns 0 or a negative value a fatal handshake error occurs -using the \s-1TLS\s0 alert value specified in \fB*al\fR. -.PP -The buffer \fBin\fR is a temporary internal buffer which will not be valid after -the callback returns. -.SH "NOTES" -.IX Header "NOTES" -The \fBadd_arg\fR and \fBparse_arg\fR parameters can be set to arbitrary values -which will be passed to the corresponding callbacks. They can, for example, -be used to store the extension data received in a convenient structure or -pass the extension data to be added or freed when adding extensions. -.PP -The \fBext_type\fR parameter corresponds to the \fBextension_type\fR field of -\&\s-1RFC5246\s0 et al. It is \fBnot\fR a \s-1NID.\s0 -.PP -If the same custom extension type is received multiple times a fatal -\&\fBdecode_error\fR alert is sent and the handshake aborts. If a custom extension -is received in ServerHello which was not sent in ClientHello a fatal -\&\fBunsupported_extension\fR alert is sent and the handshake is aborted. The -ServerHello \fBadd_cb\fR callback is only called if the corresponding extension -was received in ClientHello. This is compliant with the \s-1TLS\s0 specifications. -This behaviour ensures that each callback is called at most once and that -an application can never send unsolicited extensions. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\fISSL_CTX_add_client_custom_ext()\fR and \fISSL_CTX_add_server_custom_ext()\fR return 1 for -success and 0 for failure. A failure can occur if an attempt is made to -add the same \fBext_type\fR more than once, if an attempt is made to use an -extension type handled internally by OpenSSL or if an internal error occurs -(for example a memory allocation failure). -.PP -\&\fISSL_extension_supported()\fR returns 1 if the extension \fBext_type\fR is handled -internally by OpenSSL and 0 otherwise. diff --git a/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 deleted file mode 100644 index c8a1b9a501cf..000000000000 --- a/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 +++ /dev/null @@ -1,180 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SSL_CTX_set_psk_client_callback 3" -.TH SSL_CTX_set_psk_client_callback 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL_CTX_set_psk_client_callback, SSL_set_psk_client_callback \- set PSK client callback -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, -\& unsigned int (*callback)(SSL *ssl, const char *hint, -\& char *identity, unsigned int max_identity_len, -\& unsigned char *psk, unsigned int max_psk_len)); -\& void SSL_set_psk_client_callback(SSL *ssl, -\& unsigned int (*callback)(SSL *ssl, const char *hint, -\& char *identity, unsigned int max_identity_len, -\& unsigned char *psk, unsigned int max_psk_len)); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -A client application must provide a callback function which is called -when the client is sending the ClientKeyExchange message to the server. -.PP -The purpose of the callback function is to select the \s-1PSK\s0 identity and -the pre-shared key to use during the connection setup phase. -.PP -The callback is set using functions \fISSL_CTX_set_psk_client_callback()\fR -or \fISSL_set_psk_client_callback()\fR. The callback function is given the -connection in parameter \fBssl\fR, a \fB\s-1NULL\s0\fR\-terminated \s-1PSK\s0 identity hint -sent by the server in parameter \fBhint\fR, a buffer \fBidentity\fR of -length \fBmax_identity_len\fR bytes where the resulting -\&\fB\s-1NULL\s0\fR\-terminated identity is to be stored, and a buffer \fBpsk\fR of -length \fBmax_psk_len\fR bytes where the resulting pre-shared key is to -be stored. -.SH "NOTES" -.IX Header "NOTES" -Note that parameter \fBhint\fR given to the callback may be \fB\s-1NULL\s0\fR. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -Return values from the client callback are interpreted as follows: -.PP -On success (callback found a \s-1PSK\s0 identity and a pre-shared key to use) -the length (> 0) of \fBpsk\fR in bytes is returned. -.PP -Otherwise or on errors callback should return 0. In this case -the connection setup fails. diff --git a/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 deleted file mode 100644 index 140fe58da284..000000000000 --- a/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 +++ /dev/null @@ -1,288 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SSL_CTX_set_tmp_rsa_callback 3" -.TH SSL_CTX_set_tmp_rsa_callback 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL_CTX_set_tmp_rsa_callback, SSL_CTX_set_tmp_rsa, SSL_CTX_need_tmp_rsa, SSL_set_tmp_rsa_callback, SSL_set_tmp_rsa, SSL_need_tmp_rsa \- handle RSA keys for ephemeral key exchange -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& void SSL_CTX_set_tmp_rsa_callback(SSL_CTX *ctx, -\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); -\& long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa); -\& long SSL_CTX_need_tmp_rsa(SSL_CTX *ctx); -\& -\& void SSL_set_tmp_rsa_callback(SSL_CTX *ctx, -\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)); -\& long SSL_set_tmp_rsa(SSL *ssl, RSA *rsa) -\& long SSL_need_tmp_rsa(SSL *ssl) -\& -\& RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fISSL_CTX_set_tmp_rsa_callback()\fR sets the callback function for \fBctx\fR to be -used when a temporary/ephemeral \s-1RSA\s0 key is required to \fBtmp_rsa_callback\fR. -The callback is inherited by all \s-1SSL\s0 objects newly created from \fBctx\fR -with <\fISSL_new\fR\|(3)|\fISSL_new\fR\|(3)>. Already created \s-1SSL\s0 objects are not affected. -.PP -\&\fISSL_CTX_set_tmp_rsa()\fR sets the temporary/ephemeral \s-1RSA\s0 key to be used to be -\&\fBrsa\fR. The key is inherited by all \s-1SSL\s0 objects newly created from \fBctx\fR -with <\fISSL_new\fR\|(3)|\fISSL_new\fR\|(3)>. Already created \s-1SSL\s0 objects are not affected. -.PP -\&\fISSL_CTX_need_tmp_rsa()\fR returns 1, if a temporary/ephemeral \s-1RSA\s0 key is needed -for RSA-based strength-limited 'exportable' ciphersuites because a \s-1RSA\s0 key -with a keysize larger than 512 bits is installed. -.PP -\&\fISSL_set_tmp_rsa_callback()\fR sets the callback only for \fBssl\fR. -.PP -\&\fISSL_set_tmp_rsa()\fR sets the key only for \fBssl\fR. -.PP -\&\fISSL_need_tmp_rsa()\fR returns 1, if a temporary/ephemeral \s-1RSA\s0 key is needed, -for RSA-based strength-limited 'exportable' ciphersuites because a \s-1RSA\s0 key -with a keysize larger than 512 bits is installed. -.PP -These functions apply to \s-1SSL/TLS\s0 servers only. -.SH "NOTES" -.IX Header "NOTES" -When using a cipher with \s-1RSA\s0 authentication, an ephemeral \s-1RSA\s0 key exchange -can take place. In this case the session data are negotiated using the -ephemeral/temporary \s-1RSA\s0 key and the \s-1RSA\s0 key supplied and certified -by the certificate chain is only used for signing. -.PP -Under previous export restrictions, ciphers with \s-1RSA\s0 keys shorter (512 bits) -than the usual key length of 1024 bits were created. To use these ciphers -with \s-1RSA\s0 keys of usual length, an ephemeral key exchange must be performed, -as the normal (certified) key cannot be directly used. -.PP -Using ephemeral \s-1RSA\s0 key exchange yields forward secrecy, as the connection -can only be decrypted, when the \s-1RSA\s0 key is known. By generating a temporary -\&\s-1RSA\s0 key inside the server application that is lost when the application -is left, it becomes impossible for an attacker to decrypt past sessions, -even if he gets hold of the normal (certified) \s-1RSA\s0 key, as this key was -used for signing only. The downside is that creating a \s-1RSA\s0 key is -computationally expensive. -.PP -Additionally, the use of ephemeral \s-1RSA\s0 key exchange is only allowed in -the \s-1TLS\s0 standard, when the \s-1RSA\s0 key can be used for signing only, that is -for export ciphers. Using ephemeral \s-1RSA\s0 key exchange for other purposes -violates the standard and can break interoperability with clients. -It is therefore strongly recommended to not use ephemeral \s-1RSA\s0 key -exchange and use \s-1DHE\s0 (Ephemeral Diffie-Hellman) key exchange instead -in order to achieve forward secrecy (see -\&\fISSL_CTX_set_tmp_dh_callback\fR\|(3)). -.PP -An application may either directly specify the key or can supply the key via a -callback function. The callback approach has the advantage, that the callback -may generate the key only in case it is actually needed. As the generation of a -\&\s-1RSA\s0 key is however costly, it will lead to a significant delay in the handshake -procedure. Another advantage of the callback function is that it can supply -keys of different size while the explicit setting of the key is only useful for -key size of 512 bits to satisfy the export restricted ciphers and does give -away key length if a longer key would be allowed. -.PP -The \fBtmp_rsa_callback\fR is called with the \fBkeylength\fR needed and -the \fBis_export\fR information. The \fBis_export\fR flag is set, when the -ephemeral \s-1RSA\s0 key exchange is performed with an export cipher. -.SH "EXAMPLES" -.IX Header "EXAMPLES" -Generate temporary \s-1RSA\s0 keys to prepare ephemeral \s-1RSA\s0 key exchange. As the -generation of a \s-1RSA\s0 key costs a lot of computer time, they saved for later -reuse. For demonstration purposes, two keys for 512 bits and 1024 bits -respectively are generated. -.PP -.Vb 4 -\& ... -\& /* Set up ephemeral RSA stuff */ -\& RSA *rsa_512 = NULL; -\& RSA *rsa_1024 = NULL; -\& -\& rsa_512 = RSA_generate_key(512,RSA_F4,NULL,NULL); -\& if (rsa_512 == NULL) -\& evaluate_error_queue(); -\& -\& rsa_1024 = RSA_generate_key(1024,RSA_F4,NULL,NULL); -\& if (rsa_1024 == NULL) -\& evaluate_error_queue(); -\& -\& ... -\& -\& RSA *tmp_rsa_callback(SSL *s, int is_export, int keylength) -\& { -\& RSA *rsa_tmp=NULL; -\& -\& switch (keylength) { -\& case 512: -\& if (rsa_512) -\& rsa_tmp = rsa_512; -\& else { /* generate on the fly, should not happen in this example */ -\& rsa_tmp = RSA_generate_key(keylength,RSA_F4,NULL,NULL); -\& rsa_512 = rsa_tmp; /* Remember for later reuse */ -\& } -\& break; -\& case 1024: -\& if (rsa_1024) -\& rsa_tmp=rsa_1024; -\& else -\& should_not_happen_in_this_example(); -\& break; -\& default: -\& /* Generating a key on the fly is very costly, so use what is there */ -\& if (rsa_1024) -\& rsa_tmp=rsa_1024; -\& else -\& rsa_tmp=rsa_512; /* Use at least a shorter key */ -\& } -\& return(rsa_tmp); -\& } -.Ve -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\fISSL_CTX_set_tmp_rsa_callback()\fR and \fISSL_set_tmp_rsa_callback()\fR do not return -diagnostic output. -.PP -\&\fISSL_CTX_set_tmp_rsa()\fR and \fISSL_set_tmp_rsa()\fR do return 1 on success and 0 -on failure. Check the error queue to find out the reason of failure. -.PP -\&\fISSL_CTX_need_tmp_rsa()\fR and \fISSL_need_tmp_rsa()\fR return 1 if a temporary -\&\s-1RSA\s0 key is needed and 0 otherwise. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIssl\fR\|(3), \fISSL_CTX_set_cipher_list\fR\|(3), -\&\fISSL_CTX_set_options\fR\|(3), -\&\fISSL_CTX_set_tmp_dh_callback\fR\|(3), -\&\fISSL_new\fR\|(3), \fIciphers\fR\|(1) diff --git a/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 b/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 deleted file mode 100644 index 49f15ba4343b..000000000000 --- a/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 +++ /dev/null @@ -1,197 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SSL_CTX_use_psk_identity_hint 3" -.TH SSL_CTX_use_psk_identity_hint 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL_CTX_use_psk_identity_hint, SSL_use_psk_identity_hint, -SSL_CTX_set_psk_server_callback, SSL_set_psk_server_callback \- set PSK -identity hint to use -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint); -\& int SSL_use_psk_identity_hint(SSL *ssl, const char *hint); -\& -\& void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, -\& unsigned int (*callback)(SSL *ssl, const char *identity, -\& unsigned char *psk, int max_psk_len)); -\& void SSL_set_psk_server_callback(SSL *ssl, -\& unsigned int (*callback)(SSL *ssl, const char *identity, -\& unsigned char *psk, int max_psk_len)); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fISSL_CTX_use_psk_identity_hint()\fR sets the given \fB\s-1NULL\s0\fR\-terminated \s-1PSK\s0 -identity hint \fBhint\fR to \s-1SSL\s0 context object -\&\fBctx\fR. \fISSL_use_psk_identity_hint()\fR sets the given \fB\s-1NULL\s0\fR\-terminated -\&\s-1PSK\s0 identity hint \fBhint\fR to \s-1SSL\s0 connection object \fBssl\fR. If \fBhint\fR -is \fB\s-1NULL\s0\fR the current hint from \fBctx\fR or \fBssl\fR is deleted. -.PP -In the case where \s-1PSK\s0 identity hint is \fB\s-1NULL\s0\fR, the server -does not send the ServerKeyExchange message to the client. -.PP -A server application must provide a callback function which is called -when the server receives the ClientKeyExchange message from the -client. The purpose of the callback function is to validate the -received \s-1PSK\s0 identity and to fetch the pre-shared key used during the -connection setup phase. The callback is set using functions -\&\fISSL_CTX_set_psk_server_callback()\fR or -\&\fISSL_set_psk_server_callback()\fR. The callback function is given the -connection in parameter \fBssl\fR, \fB\s-1NULL\s0\fR\-terminated \s-1PSK\s0 identity sent -by the client in parameter \fBidentity\fR, and a buffer \fBpsk\fR of length -\&\fBmax_psk_len\fR bytes where the pre-shared key is to be stored. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -\&\fISSL_CTX_use_psk_identity_hint()\fR and \fISSL_use_psk_identity_hint()\fR return -1 on success, 0 otherwise. -.PP -Return values from the server callback are interpreted as follows: -.IP "0" 4 -\&\s-1PSK\s0 identity was not found. An \*(L"unknown_psk_identity\*(R" alert message -will be sent and the connection setup fails. -.IP ">0" 4 -.IX Item ">0" -\&\s-1PSK\s0 identity was found and the server callback has provided the \s-1PSK\s0 -successfully in parameter \fBpsk\fR. Return value is the length of -\&\fBpsk\fR in bytes. It is an error to return a value greater than -\&\fBmax_psk_len\fR. -.Sp -If the \s-1PSK\s0 identity was not found but the callback instructs the -protocol to continue anyway, the callback must provide some random -data to \fBpsk\fR and return the length of the random data, so the -connection will fail with decryption_error before it will be finished -completely. diff --git a/secure/lib/libssl/man/SSL_get_ex_new_index.3 b/secure/lib/libssl/man/SSL_get_ex_new_index.3 deleted file mode 100644 index 28838a5bbeff..000000000000 --- a/secure/lib/libssl/man/SSL_get_ex_new_index.3 +++ /dev/null @@ -1,188 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SSL_get_ex_new_index 3" -.TH SSL_get_ex_new_index 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL_get_ex_new_index, SSL_set_ex_data, SSL_get_ex_data \- internal application specific data functions -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int SSL_get_ex_new_index(long argl, void *argp, -\& CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, -\& CRYPTO_EX_free *free_func); -\& -\& int SSL_set_ex_data(SSL *ssl, int idx, void *arg); -\& -\& void *SSL_get_ex_data(const SSL *ssl, int idx); -\& -\& typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -\& int idx, long argl, void *argp); -\& typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -\& int idx, long argl, void *argp); -\& typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, -\& int idx, long argl, void *argp); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -Several OpenSSL structures can have application specific data attached to them. -These functions are used internally by OpenSSL to manipulate application -specific data attached to a specific structure. -.PP -\&\fISSL_get_ex_new_index()\fR is used to register a new index for application -specific data. -.PP -\&\fISSL_set_ex_data()\fR is used to store application data at \fBarg\fR for \fBidx\fR into -the \fBssl\fR object. -.PP -\&\fISSL_get_ex_data()\fR is used to retrieve the information for \fBidx\fR from -\&\fBssl\fR. -.PP -A detailed description for the \fB*\f(BI_get_ex_new_index()\fB\fR functionality -can be found in \fIRSA_get_ex_new_index\fR\|(3). -The \fB*\f(BI_get_ex_data()\fB\fR and \fB*\f(BI_set_ex_data()\fB\fR functionality is described in -\&\fICRYPTO_set_ex_data\fR\|(3). -.SH "EXAMPLES" -.IX Header "EXAMPLES" -An example on how to use the functionality is included in the example -\&\fIverify_callback()\fR in \fISSL_CTX_set_verify\fR\|(3). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIssl\fR\|(3), -\&\fIRSA_get_ex_new_index\fR\|(3), -\&\fICRYPTO_set_ex_data\fR\|(3), -\&\fISSL_CTX_set_verify\fR\|(3) diff --git a/secure/lib/libssl/man/SSL_read.3 b/secure/lib/libssl/man/SSL_read.3 deleted file mode 100644 index 26371dd112a3..000000000000 --- a/secure/lib/libssl/man/SSL_read.3 +++ /dev/null @@ -1,242 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "SSL_read 3" -.TH SSL_read 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL_read \- read bytes from a TLS/SSL connection. -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int SSL_read(SSL *ssl, void *buf, int num); -.Ve -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -\&\fISSL_read()\fR tries to read \fBnum\fR bytes from the specified \fBssl\fR into the -buffer \fBbuf\fR. -.SH "NOTES" -.IX Header "NOTES" -If necessary, \fISSL_read()\fR will negotiate a \s-1TLS/SSL\s0 session, if -not already explicitly performed by \fISSL_connect\fR\|(3) or -\&\fISSL_accept\fR\|(3). If the -peer requests a re-negotiation, it will be performed transparently during -the \fISSL_read()\fR operation. The behaviour of \fISSL_read()\fR depends on the -underlying \s-1BIO.\s0 -.PP -For the transparent negotiation to succeed, the \fBssl\fR must have been -initialized to client or server mode. This is being done by calling -\&\fISSL_set_connect_state\fR\|(3) or \fISSL_set_accept_state()\fR -before the first call to an \fISSL_read()\fR or \fISSL_write\fR\|(3) -function. -.PP -\&\fISSL_read()\fR works based on the \s-1SSL/TLS\s0 records. The data are received in -records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a -record has been completely received, it can be processed (decryption and -check of integrity). Therefore data that was not retrieved at the last -call of \fISSL_read()\fR can still be buffered inside the \s-1SSL\s0 layer and will be -retrieved on the next call to \fISSL_read()\fR. If \fBnum\fR is higher than the -number of bytes buffered, \fISSL_read()\fR will return with the bytes buffered. -If no more bytes are in the buffer, \fISSL_read()\fR will trigger the processing -of the next record. Only when the record has been received and processed -completely, \fISSL_read()\fR will return reporting success. At most the contents -of the record will be returned. As the size of an \s-1SSL/TLS\s0 record may exceed -the maximum packet size of the underlying transport (e.g. \s-1TCP\s0), it may -be necessary to read several packets from the transport layer before the -record is complete and \fISSL_read()\fR can succeed. -.PP -If the underlying \s-1BIO\s0 is \fBblocking\fR, \fISSL_read()\fR will only return, once the -read operation has been finished or an error occurred, except when a -renegotiation take place, in which case a \s-1SSL_ERROR_WANT_READ\s0 may occur. -This behaviour can be controlled with the \s-1SSL_MODE_AUTO_RETRY\s0 flag of the -\&\fISSL_CTX_set_mode\fR\|(3) call. -.PP -If the underlying \s-1BIO\s0 is \fBnon-blocking\fR, \fISSL_read()\fR will also return -when the underlying \s-1BIO\s0 could not satisfy the needs of \fISSL_read()\fR -to continue the operation. In this case a call to -\&\fISSL_get_error\fR\|(3) with the -return value of \fISSL_read()\fR will yield \fB\s-1SSL_ERROR_WANT_READ\s0\fR or -\&\fB\s-1SSL_ERROR_WANT_WRITE\s0\fR. As at any time a re-negotiation is possible, a -call to \fISSL_read()\fR can also cause write operations! The calling process -then must repeat the call after taking appropriate action to satisfy the -needs of \fISSL_read()\fR. The action depends on the underlying \s-1BIO.\s0 When using a -non-blocking socket, nothing is to be done, but \fIselect()\fR can be used to check -for the required condition. When using a buffering \s-1BIO,\s0 like a \s-1BIO\s0 pair, data -must be written into or retrieved out of the \s-1BIO\s0 before being able to continue. -.PP -\&\fISSL_pending\fR\|(3) can be used to find out whether there -are buffered bytes available for immediate retrieval. In this case -\&\fISSL_read()\fR can be called without blocking or actually receiving new -data from the underlying socket. -.SH "WARNING" -.IX Header "WARNING" -When an \fISSL_read()\fR operation has to be repeated because of -\&\fB\s-1SSL_ERROR_WANT_READ\s0\fR or \fB\s-1SSL_ERROR_WANT_WRITE\s0\fR, it must be repeated -with the same arguments. -.SH "RETURN VALUES" -.IX Header "RETURN VALUES" -The following return values can occur: -.IP "> 0" 4 -.IX Item "> 0" -The read operation was successful. -The return value is the number of bytes actually read from the \s-1TLS/SSL\s0 -connection. -.IP "<= 0" 4 -.IX Item "<= 0" -.PD 0 -.IP "<0" 4 -.IX Item "<0" -.PD -The read operation was not successful, because either the connection was closed, -an error occurred or action must be taken by the calling process. -Call \fISSL_get_error\fR\|(3) with the return value \fBret\fR to find out the reason. -.Sp -SSLv2 (deprecated) does not support a shutdown alert protocol, so it can -only be detected, whether the underlying connection was closed. It cannot -be checked, whether the closure was initiated by the peer or by something -else. -.Sp -Old documentation indicated a difference between 0 and \-1, and that \-1 was -retryable. -You should instead call \fISSL_get_error()\fR to find out if it's retryable. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fISSL_get_error\fR\|(3), \fISSL_write\fR\|(3), -\&\fISSL_CTX_set_mode\fR\|(3), \fISSL_CTX_new\fR\|(3), -\&\fISSL_connect\fR\|(3), \fISSL_accept\fR\|(3) -\&\fISSL_set_connect_state\fR\|(3), -\&\fISSL_pending\fR\|(3), -\&\fISSL_shutdown\fR\|(3), \fISSL_set_shutdown\fR\|(3), -\&\fIssl\fR\|(3), \fIbio\fR\|(3) diff --git a/secure/lib/libssl/man/ssl.3 b/secure/lib/libssl/man/ssl.3 deleted file mode 100644 index 73655f63fbd1..000000000000 --- a/secure/lib/libssl/man/ssl.3 +++ /dev/null @@ -1,874 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "ssl 3" -.TH ssl 3 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -SSL \- OpenSSL SSL/TLS library -.SH "SYNOPSIS" -.IX Header "SYNOPSIS" -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -The OpenSSL \fBssl\fR library implements the Secure Sockets Layer (\s-1SSL\s0 v2/v3) and -Transport Layer Security (\s-1TLS\s0 v1) protocols. It provides a rich \s-1API\s0 which is -documented here. -.PP -At first the library must be initialized; see -\&\fISSL_library_init\fR\|(3). -.PP -Then an \fB\s-1SSL_CTX\s0\fR object is created as a framework to establish -\&\s-1TLS/SSL\s0 enabled connections (see \fISSL_CTX_new\fR\|(3)). -Various options regarding certificates, algorithms etc. can be set -in this object. -.PP -When a network connection has been created, it can be assigned to an -\&\fB\s-1SSL\s0\fR object. After the \fB\s-1SSL\s0\fR object has been created using -\&\fISSL_new\fR\|(3), \fISSL_set_fd\fR\|(3) or -\&\fISSL_set_bio\fR\|(3) can be used to associate the network -connection with the object. -.PP -Then the \s-1TLS/SSL\s0 handshake is performed using -\&\fISSL_accept\fR\|(3) or \fISSL_connect\fR\|(3) -respectively. -\&\fISSL_read\fR\|(3) and \fISSL_write\fR\|(3) are used -to read and write data on the \s-1TLS/SSL\s0 connection. -\&\fISSL_shutdown\fR\|(3) can be used to shut down the -\&\s-1TLS/SSL\s0 connection. -.SH "DATA STRUCTURES" -.IX Header "DATA STRUCTURES" -Currently the OpenSSL \fBssl\fR library functions deals with the following data -structures: -.IP "\fB\s-1SSL_METHOD\s0\fR (\s-1SSL\s0 Method)" 4 -.IX Item "SSL_METHOD (SSL Method)" -That's a dispatch structure describing the internal \fBssl\fR library -methods/functions which implement the various protocol versions (SSLv1, SSLv2 -and TLSv1). It's needed to create an \fB\s-1SSL_CTX\s0\fR. -.IP "\fB\s-1SSL_CIPHER\s0\fR (\s-1SSL\s0 Cipher)" 4 -.IX Item "SSL_CIPHER (SSL Cipher)" -This structure holds the algorithm information for a particular cipher which -are a core part of the \s-1SSL/TLS\s0 protocol. The available ciphers are configured -on a \fB\s-1SSL_CTX\s0\fR basis and the actually used ones are then part of the -\&\fB\s-1SSL_SESSION\s0\fR. -.IP "\fB\s-1SSL_CTX\s0\fR (\s-1SSL\s0 Context)" 4 -.IX Item "SSL_CTX (SSL Context)" -That's the global context structure which is created by a server or client -once per program life-time and which holds mainly default values for the -\&\fB\s-1SSL\s0\fR structures which are later created for the connections. -.IP "\fB\s-1SSL_SESSION\s0\fR (\s-1SSL\s0 Session)" 4 -.IX Item "SSL_SESSION (SSL Session)" -This is a structure containing the current \s-1TLS/SSL\s0 session details for a -connection: \fB\s-1SSL_CIPHER\s0\fRs, client and server certificates, keys, etc. -.IP "\fB\s-1SSL\s0\fR (\s-1SSL\s0 Connection)" 4 -.IX Item "SSL (SSL Connection)" -That's the main \s-1SSL/TLS\s0 structure which is created by a server or client per -established connection. This actually is the core structure in the \s-1SSL API.\s0 -Under run-time the application usually deals with this structure which has -links to mostly all other structures. -.SH "HEADER FILES" -.IX Header "HEADER FILES" -Currently the OpenSSL \fBssl\fR library provides the following C header files -containing the prototypes for the data structures and and functions: -.IP "\fBssl.h\fR" 4 -.IX Item "ssl.h" -That's the common header file for the \s-1SSL/TLS API.\s0 Include it into your -program to make the \s-1API\s0 of the \fBssl\fR library available. It internally -includes both more private \s-1SSL\s0 headers and headers from the \fBcrypto\fR library. -Whenever you need hard-core details on the internals of the \s-1SSL API,\s0 look -inside this header file. -.IP "\fBssl2.h\fR" 4 -.IX Item "ssl2.h" -That's the sub header file dealing with the SSLv2 protocol only. -\&\fIUsually you don't have to include it explicitly because -it's already included by ssl.h\fR. -.IP "\fBssl3.h\fR" 4 -.IX Item "ssl3.h" -That's the sub header file dealing with the SSLv3 protocol only. -\&\fIUsually you don't have to include it explicitly because -it's already included by ssl.h\fR. -.IP "\fBssl23.h\fR" 4 -.IX Item "ssl23.h" -That's the sub header file dealing with the combined use of the SSLv2 and -SSLv3 protocols. -\&\fIUsually you don't have to include it explicitly because -it's already included by ssl.h\fR. -.IP "\fBtls1.h\fR" 4 -.IX Item "tls1.h" -That's the sub header file dealing with the TLSv1 protocol only. -\&\fIUsually you don't have to include it explicitly because -it's already included by ssl.h\fR. -.SH "API FUNCTIONS" -.IX Header "API FUNCTIONS" -Currently the OpenSSL \fBssl\fR library exports 214 \s-1API\s0 functions. -They are documented in the following: -.SS "\s-1DEALING WITH PROTOCOL METHODS\s0" -.IX Subsection "DEALING WITH PROTOCOL METHODS" -Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 -protocol methods defined in \fB\s-1SSL_METHOD\s0\fR structures. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv23_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv23_method(void);" -Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for -clients, servers or both. -See \fISSL_CTX_new\fR\|(3) for details. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv23_client_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv23_client_method(void);" -Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for -clients. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv23_client_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv23_client_method(void);" -Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for -servers. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_2_method(void);" -Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for clients, servers -or both. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_client_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_2_client_method(void);" -Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for clients. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_server_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_2_server_method(void);" -Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for servers. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_1_method(void);" -Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for clients, servers -or both. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_client_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_1_client_method(void);" -Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for clients. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_server_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_1_server_method(void);" -Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for servers. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_method(void);" -Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for clients, servers -or both. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_client_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_client_method(void);" -Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for clients. -.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_server_method\fR(void);" 4 -.IX Item "const SSL_METHOD *TLSv1_server_method(void);" -Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for servers. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv3_method(void);" -Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for clients, servers -or both. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_client_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv3_client_method(void);" -Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for clients. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_server_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv3_server_method(void);" -Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for servers. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv2_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv2_method(void);" -Constructor for the SSLv2 \s-1SSL_METHOD\s0 structure for clients, servers -or both. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv2_client_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv2_client_method(void);" -Constructor for the SSLv2 \s-1SSL_METHOD\s0 structure for clients. -.IP "const \s-1SSL_METHOD\s0 *\fBSSLv2_server_method\fR(void);" 4 -.IX Item "const SSL_METHOD *SSLv2_server_method(void);" -Constructor for the SSLv2 \s-1SSL_METHOD\s0 structure for servers. -.SS "\s-1DEALING WITH CIPHERS\s0" -.IX Subsection "DEALING WITH CIPHERS" -Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 -ciphers defined in \fB\s-1SSL_CIPHER\s0\fR structures. -.IP "char *\fBSSL_CIPHER_description\fR(\s-1SSL_CIPHER\s0 *cipher, char *buf, int len);" 4 -.IX Item "char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);" -Write a string to \fIbuf\fR (with a maximum size of \fIlen\fR) containing a human -readable description of \fIcipher\fR. Returns \fIbuf\fR. -.IP "int \fBSSL_CIPHER_get_bits\fR(\s-1SSL_CIPHER\s0 *cipher, int *alg_bits);" 4 -.IX Item "int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);" -Determine the number of bits in \fIcipher\fR. Because of export crippled ciphers -there are two bits: The bits the algorithm supports in general (stored to -\&\fIalg_bits\fR) and the bits which are actually used (the return value). -.IP "const char *\fBSSL_CIPHER_get_name\fR(\s-1SSL_CIPHER\s0 *cipher);" 4 -.IX Item "const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);" -Return the internal name of \fIcipher\fR as a string. These are the various -strings defined by the \fISSL2_TXT_xxx\fR, \fISSL3_TXT_xxx\fR and \fITLS1_TXT_xxx\fR -definitions in the header files. -.IP "char *\fBSSL_CIPHER_get_version\fR(\s-1SSL_CIPHER\s0 *cipher);" 4 -.IX Item "char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);" -Returns a string like "\f(CW\*(C`TLSv1/SSLv3\*(C'\fR\*(L" or \*(R"\f(CW\*(C`SSLv2\*(C'\fR" which indicates the -\&\s-1SSL/TLS\s0 protocol version to which \fIcipher\fR belongs (i.e. where it was defined -in the specification the first time). -.SS "\s-1DEALING WITH PROTOCOL CONTEXTS\s0" -.IX Subsection "DEALING WITH PROTOCOL CONTEXTS" -Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 -protocol context defined in the \fB\s-1SSL_CTX\s0\fR structure. -.IP "int \fBSSL_CTX_add_client_CA\fR(\s-1SSL_CTX\s0 *ctx, X509 *x);" 4 -.IX Item "int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);" -.PD 0 -.IP "long \fBSSL_CTX_add_extra_chain_cert\fR(\s-1SSL_CTX\s0 *ctx, X509 *x509);" 4 -.IX Item "long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);" -.IP "int \fBSSL_CTX_add_session\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *c);" 4 -.IX Item "int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c);" -.IP "int \fBSSL_CTX_check_private_key\fR(const \s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_check_private_key(const SSL_CTX *ctx);" -.IP "long \fBSSL_CTX_ctrl\fR(\s-1SSL_CTX\s0 *ctx, int cmd, long larg, char *parg);" 4 -.IX Item "long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);" -.IP "void \fBSSL_CTX_flush_sessions\fR(\s-1SSL_CTX\s0 *s, long t);" 4 -.IX Item "void SSL_CTX_flush_sessions(SSL_CTX *s, long t);" -.IP "void \fBSSL_CTX_free\fR(\s-1SSL_CTX\s0 *a);" 4 -.IX Item "void SSL_CTX_free(SSL_CTX *a);" -.IP "char *\fBSSL_CTX_get_app_data\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "char *SSL_CTX_get_app_data(SSL_CTX *ctx);" -.IP "X509_STORE *\fBSSL_CTX_get_cert_store\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);" -.IP "\s-1STACK\s0 *\fBSSL_CTX_get_client_CA_list\fR(const \s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "STACK *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);" -.IP "int (*\fBSSL_CTX_get_client_cert_cb\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, X509 **x509, \s-1EVP_PKEY\s0 **pkey);" 4 -.IX Item "int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);" -.IP "void \fBSSL_CTX_get_default_read_ahead\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "void SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);" -.IP "char *\fBSSL_CTX_get_ex_data\fR(const \s-1SSL_CTX\s0 *s, int idx);" 4 -.IX Item "char *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx);" -.IP "int \fBSSL_CTX_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 -.IX Item "int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" -.IP "void (*\fBSSL_CTX_get_info_callback\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, int cb, int ret);" 4 -.IX Item "void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);" -.IP "int \fBSSL_CTX_get_quiet_shutdown\fR(const \s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);" -.IP "void \fBSSL_CTX_get_read_ahead\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "void SSL_CTX_get_read_ahead(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_get_session_cache_mode\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_get_session_cache_mode(SSL_CTX *ctx);" -.IP "long \fBSSL_CTX_get_timeout\fR(const \s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "long SSL_CTX_get_timeout(const SSL_CTX *ctx);" -.IP "int (*\fBSSL_CTX_get_verify_callback\fR(const \s-1SSL_CTX\s0 *ctx))(int ok, X509_STORE_CTX *ctx);" 4 -.IX Item "int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);" -.IP "int \fBSSL_CTX_get_verify_mode\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_get_verify_mode(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_load_verify_locations\fR(\s-1SSL_CTX\s0 *ctx, char *CAfile, char *CApath);" 4 -.IX Item "int SSL_CTX_load_verify_locations(SSL_CTX *ctx, char *CAfile, char *CApath);" -.IP "long \fBSSL_CTX_need_tmp_RSA\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "long SSL_CTX_need_tmp_RSA(SSL_CTX *ctx);" -.IP "\s-1SSL_CTX\s0 *\fBSSL_CTX_new\fR(const \s-1SSL_METHOD\s0 *meth);" 4 -.IX Item "SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);" -.IP "int \fBSSL_CTX_remove_session\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *c);" 4 -.IX Item "int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);" -.IP "int \fBSSL_CTX_sess_accept\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_accept(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_accept_good\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_accept_good(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_accept_renegotiate\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_cache_full\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_cache_full(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_cb_hits\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_cb_hits(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_connect\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_connect(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_connect_good\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_connect_good(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_connect_renegotiate\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_get_cache_size\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);" -.IP "\s-1SSL_SESSION\s0 *(*\fBSSL_CTX_sess_get_get_cb\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, unsigned char *data, int len, int *copy);" 4 -.IX Item "SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy);" -.IP "int (*\fBSSL_CTX_sess_get_new_cb\fR(\s-1SSL_CTX\s0 *ctx)(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *sess);" 4 -.IX Item "int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)(SSL *ssl, SSL_SESSION *sess);" -.IP "void (*\fBSSL_CTX_sess_get_remove_cb\fR(\s-1SSL_CTX\s0 *ctx)(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *sess);" 4 -.IX Item "void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)(SSL_CTX *ctx, SSL_SESSION *sess);" -.IP "int \fBSSL_CTX_sess_hits\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_hits(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_misses\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_misses(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_sess_number\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_number(SSL_CTX *ctx);" -.IP "void \fBSSL_CTX_sess_set_cache_size\fR(\s-1SSL_CTX\s0 *ctx,t);" 4 -.IX Item "void SSL_CTX_sess_set_cache_size(SSL_CTX *ctx,t);" -.IP "void \fBSSL_CTX_sess_set_get_cb\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *(*cb)(\s-1SSL\s0 *ssl, unsigned char *data, int len, int *copy));" 4 -.IX Item "void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(SSL *ssl, unsigned char *data, int len, int *copy));" -.IP "void \fBSSL_CTX_sess_set_new_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *sess));" 4 -.IX Item "void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, SSL_SESSION *sess));" -.IP "void \fBSSL_CTX_sess_set_remove_cb\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *sess));" 4 -.IX Item "void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess));" -.IP "int \fBSSL_CTX_sess_timeouts\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_sess_timeouts(SSL_CTX *ctx);" -.IP "\s-1LHASH\s0 *\fBSSL_CTX_sessions\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "LHASH *SSL_CTX_sessions(SSL_CTX *ctx);" -.IP "void \fBSSL_CTX_set_app_data\fR(\s-1SSL_CTX\s0 *ctx, void *arg);" 4 -.IX Item "void SSL_CTX_set_app_data(SSL_CTX *ctx, void *arg);" -.IP "void \fBSSL_CTX_set_cert_store\fR(\s-1SSL_CTX\s0 *ctx, X509_STORE *cs);" 4 -.IX Item "void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);" -.IP "void \fBSSL_CTX_set_cert_verify_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(), char *arg)" 4 -.IX Item "void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(), char *arg)" -.IP "int \fBSSL_CTX_set_cipher_list\fR(\s-1SSL_CTX\s0 *ctx, char *str);" 4 -.IX Item "int SSL_CTX_set_cipher_list(SSL_CTX *ctx, char *str);" -.IP "void \fBSSL_CTX_set_client_CA_list\fR(\s-1SSL_CTX\s0 *ctx, \s-1STACK\s0 *list);" 4 -.IX Item "void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK *list);" -.IP "void \fBSSL_CTX_set_client_cert_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(\s-1SSL\s0 *ssl, X509 **x509, \s-1EVP_PKEY\s0 **pkey));" 4 -.IX Item "void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));" -.IP "void \fBSSL_CTX_set_default_passwd_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb);(void))" 4 -.IX Item "void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, int (*cb);(void))" -.IP "void \fBSSL_CTX_set_default_read_ahead\fR(\s-1SSL_CTX\s0 *ctx, int m);" 4 -.IX Item "void SSL_CTX_set_default_read_ahead(SSL_CTX *ctx, int m);" -.IP "int \fBSSL_CTX_set_default_verify_paths\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);" -.IP "int \fBSSL_CTX_set_ex_data\fR(\s-1SSL_CTX\s0 *s, int idx, char *arg);" 4 -.IX Item "int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, char *arg);" -.IP "void \fBSSL_CTX_set_info_callback\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(\s-1SSL\s0 *ssl, int cb, int ret));" 4 -.IX Item "void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));" -.IP "void \fBSSL_CTX_set_msg_callback\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, \s-1SSL\s0 *ssl, void *arg));" 4 -.IX Item "void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));" -.IP "void \fBSSL_CTX_set_msg_callback_arg\fR(\s-1SSL_CTX\s0 *ctx, void *arg);" 4 -.IX Item "void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);" -.IP "void \fBSSL_CTX_set_options\fR(\s-1SSL_CTX\s0 *ctx, unsigned long op);" 4 -.IX Item "void SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);" -.IP "void \fBSSL_CTX_set_quiet_shutdown\fR(\s-1SSL_CTX\s0 *ctx, int mode);" 4 -.IX Item "void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);" -.IP "void \fBSSL_CTX_set_read_ahead\fR(\s-1SSL_CTX\s0 *ctx, int m);" 4 -.IX Item "void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int m);" -.IP "void \fBSSL_CTX_set_session_cache_mode\fR(\s-1SSL_CTX\s0 *ctx, int mode);" 4 -.IX Item "void SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);" -.IP "int \fBSSL_CTX_set_ssl_version\fR(\s-1SSL_CTX\s0 *ctx, const \s-1SSL_METHOD\s0 *meth);" 4 -.IX Item "int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);" -.IP "void \fBSSL_CTX_set_timeout\fR(\s-1SSL_CTX\s0 *ctx, long t);" 4 -.IX Item "void SSL_CTX_set_timeout(SSL_CTX *ctx, long t);" -.IP "long \fBSSL_CTX_set_tmp_dh\fR(SSL_CTX* ctx, \s-1DH\s0 *dh);" 4 -.IX Item "long SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH *dh);" -.IP "long \fBSSL_CTX_set_tmp_dh_callback\fR(\s-1SSL_CTX\s0 *ctx, \s-1DH\s0 *(*cb)(void));" 4 -.IX Item "long SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*cb)(void));" -.IP "long \fBSSL_CTX_set_tmp_rsa\fR(\s-1SSL_CTX\s0 *ctx, \s-1RSA\s0 *rsa);" 4 -.IX Item "long SSL_CTX_set_tmp_rsa(SSL_CTX *ctx, RSA *rsa);" -.IP "SSL_CTX_set_tmp_rsa_callback" 4 -.IX Item "SSL_CTX_set_tmp_rsa_callback" -.PD -\&\f(CW\*(C`long \f(CBSSL_CTX_set_tmp_rsa_callback\f(CW(SSL_CTX *\f(CBctx\f(CW, RSA *(*\f(CBcb\f(CW)(SSL *\f(CBssl\f(CW, int \f(CBexport\f(CW, int \f(CBkeylength\f(CW));\*(C'\fR -.Sp -Sets the callback which will be called when a temporary private key is -required. The \fB\f(CB\*(C`export\*(C'\fB\fR flag will be set if the reason for needing -a temp key is that an export ciphersuite is in use, in which case, -\&\fB\f(CB\*(C`keylength\*(C'\fB\fR will contain the required keylength in bits. Generate a key of -appropriate size (using ???) and return it. -.IP "SSL_set_tmp_rsa_callback" 4 -.IX Item "SSL_set_tmp_rsa_callback" -long \fBSSL_set_tmp_rsa_callback\fR(\s-1SSL\s0 *ssl, \s-1RSA\s0 *(*cb)(\s-1SSL\s0 *ssl, int export, int keylength)); -.Sp -The same as \fBSSL_CTX_set_tmp_rsa_callback\fR, except it operates on an \s-1SSL\s0 -session instead of a context. -.IP "void \fBSSL_CTX_set_verify\fR(\s-1SSL_CTX\s0 *ctx, int mode, int (*cb);(void))" 4 -.IX Item "void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb);(void))" -.PD 0 -.IP "int \fBSSL_CTX_use_PrivateKey\fR(\s-1SSL_CTX\s0 *ctx, \s-1EVP_PKEY\s0 *pkey);" 4 -.IX Item "int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);" -.IP "int \fBSSL_CTX_use_PrivateKey_ASN1\fR(int type, \s-1SSL_CTX\s0 *ctx, unsigned char *d, long len);" 4 -.IX Item "int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, long len);" -.IP "int \fBSSL_CTX_use_PrivateKey_file\fR(\s-1SSL_CTX\s0 *ctx, char *file, int type);" 4 -.IX Item "int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, char *file, int type);" -.IP "int \fBSSL_CTX_use_RSAPrivateKey\fR(\s-1SSL_CTX\s0 *ctx, \s-1RSA\s0 *rsa);" 4 -.IX Item "int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);" -.IP "int \fBSSL_CTX_use_RSAPrivateKey_ASN1\fR(\s-1SSL_CTX\s0 *ctx, unsigned char *d, long len);" 4 -.IX Item "int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);" -.IP "int \fBSSL_CTX_use_RSAPrivateKey_file\fR(\s-1SSL_CTX\s0 *ctx, char *file, int type);" 4 -.IX Item "int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, char *file, int type);" -.IP "int \fBSSL_CTX_use_certificate\fR(\s-1SSL_CTX\s0 *ctx, X509 *x);" 4 -.IX Item "int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);" -.IP "int \fBSSL_CTX_use_certificate_ASN1\fR(\s-1SSL_CTX\s0 *ctx, int len, unsigned char *d);" 4 -.IX Item "int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);" -.IP "int \fBSSL_CTX_use_certificate_file\fR(\s-1SSL_CTX\s0 *ctx, char *file, int type);" 4 -.IX Item "int SSL_CTX_use_certificate_file(SSL_CTX *ctx, char *file, int type);" -.IP "X509 *\fBSSL_CTX_get0_certificate\fR(const \s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);" -.IP "\s-1EVP_PKEY\s0 *\fBSSL_CTX_get0_privatekey\fR(const \s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);" -.IP "void \fBSSL_CTX_set_psk_client_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" 4 -.IX Item "void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" -.IP "int \fBSSL_CTX_use_psk_identity_hint\fR(\s-1SSL_CTX\s0 *ctx, const char *hint);" 4 -.IX Item "int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);" -.IP "void \fBSSL_CTX_set_psk_server_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4 -.IX Item "void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));" -.PD -.SS "\s-1DEALING WITH SESSIONS\s0" -.IX Subsection "DEALING WITH SESSIONS" -Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 -sessions defined in the \fB\s-1SSL_SESSION\s0\fR structures. -.IP "int \fBSSL_SESSION_cmp\fR(const \s-1SSL_SESSION\s0 *a, const \s-1SSL_SESSION\s0 *b);" 4 -.IX Item "int SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b);" -.PD 0 -.IP "void \fBSSL_SESSION_free\fR(\s-1SSL_SESSION\s0 *ss);" 4 -.IX Item "void SSL_SESSION_free(SSL_SESSION *ss);" -.IP "char *\fBSSL_SESSION_get_app_data\fR(\s-1SSL_SESSION\s0 *s);" 4 -.IX Item "char *SSL_SESSION_get_app_data(SSL_SESSION *s);" -.IP "char *\fBSSL_SESSION_get_ex_data\fR(const \s-1SSL_SESSION\s0 *s, int idx);" 4 -.IX Item "char *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx);" -.IP "int \fBSSL_SESSION_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 -.IX Item "int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" -.IP "long \fBSSL_SESSION_get_time\fR(const \s-1SSL_SESSION\s0 *s);" 4 -.IX Item "long SSL_SESSION_get_time(const SSL_SESSION *s);" -.IP "long \fBSSL_SESSION_get_timeout\fR(const \s-1SSL_SESSION\s0 *s);" 4 -.IX Item "long SSL_SESSION_get_timeout(const SSL_SESSION *s);" -.IP "unsigned long \fBSSL_SESSION_hash\fR(const \s-1SSL_SESSION\s0 *a);" 4 -.IX Item "unsigned long SSL_SESSION_hash(const SSL_SESSION *a);" -.IP "\s-1SSL_SESSION\s0 *\fBSSL_SESSION_new\fR(void);" 4 -.IX Item "SSL_SESSION *SSL_SESSION_new(void);" -.IP "int \fBSSL_SESSION_print\fR(\s-1BIO\s0 *bp, const \s-1SSL_SESSION\s0 *x);" 4 -.IX Item "int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x);" -.IP "int \fBSSL_SESSION_print_fp\fR(\s-1FILE\s0 *fp, const \s-1SSL_SESSION\s0 *x);" 4 -.IX Item "int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x);" -.IP "void \fBSSL_SESSION_set_app_data\fR(\s-1SSL_SESSION\s0 *s, char *a);" 4 -.IX Item "void SSL_SESSION_set_app_data(SSL_SESSION *s, char *a);" -.IP "int \fBSSL_SESSION_set_ex_data\fR(\s-1SSL_SESSION\s0 *s, int idx, char *arg);" 4 -.IX Item "int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, char *arg);" -.IP "long \fBSSL_SESSION_set_time\fR(\s-1SSL_SESSION\s0 *s, long t);" 4 -.IX Item "long SSL_SESSION_set_time(SSL_SESSION *s, long t);" -.IP "long \fBSSL_SESSION_set_timeout\fR(\s-1SSL_SESSION\s0 *s, long t);" 4 -.IX Item "long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);" -.PD -.SS "\s-1DEALING WITH CONNECTIONS\s0" -.IX Subsection "DEALING WITH CONNECTIONS" -Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 -connection defined in the \fB\s-1SSL\s0\fR structure. -.IP "int \fBSSL_accept\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_accept(SSL *ssl);" -.PD 0 -.IP "int \fBSSL_add_dir_cert_subjects_to_stack\fR(\s-1STACK\s0 *stack, const char *dir);" 4 -.IX Item "int SSL_add_dir_cert_subjects_to_stack(STACK *stack, const char *dir);" -.IP "int \fBSSL_add_file_cert_subjects_to_stack\fR(\s-1STACK\s0 *stack, const char *file);" 4 -.IX Item "int SSL_add_file_cert_subjects_to_stack(STACK *stack, const char *file);" -.IP "int \fBSSL_add_client_CA\fR(\s-1SSL\s0 *ssl, X509 *x);" 4 -.IX Item "int SSL_add_client_CA(SSL *ssl, X509 *x);" -.IP "char *\fBSSL_alert_desc_string\fR(int value);" 4 -.IX Item "char *SSL_alert_desc_string(int value);" -.IP "char *\fBSSL_alert_desc_string_long\fR(int value);" 4 -.IX Item "char *SSL_alert_desc_string_long(int value);" -.IP "char *\fBSSL_alert_type_string\fR(int value);" 4 -.IX Item "char *SSL_alert_type_string(int value);" -.IP "char *\fBSSL_alert_type_string_long\fR(int value);" 4 -.IX Item "char *SSL_alert_type_string_long(int value);" -.IP "int \fBSSL_check_private_key\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_check_private_key(const SSL *ssl);" -.IP "void \fBSSL_clear\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "void SSL_clear(SSL *ssl);" -.IP "long \fBSSL_clear_num_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "long SSL_clear_num_renegotiations(SSL *ssl);" -.IP "int \fBSSL_connect\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_connect(SSL *ssl);" -.IP "void \fBSSL_copy_session_id\fR(\s-1SSL\s0 *t, const \s-1SSL\s0 *f);" 4 -.IX Item "void SSL_copy_session_id(SSL *t, const SSL *f);" -.IP "long \fBSSL_ctrl\fR(\s-1SSL\s0 *ssl, int cmd, long larg, char *parg);" 4 -.IX Item "long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg);" -.IP "int \fBSSL_do_handshake\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_do_handshake(SSL *ssl);" -.IP "\s-1SSL\s0 *\fBSSL_dup\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "SSL *SSL_dup(SSL *ssl);" -.IP "\s-1STACK\s0 *\fBSSL_dup_CA_list\fR(\s-1STACK\s0 *sk);" 4 -.IX Item "STACK *SSL_dup_CA_list(STACK *sk);" -.IP "void \fBSSL_free\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "void SSL_free(SSL *ssl);" -.IP "\s-1SSL_CTX\s0 *\fBSSL_get_SSL_CTX\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);" -.IP "char *\fBSSL_get_app_data\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "char *SSL_get_app_data(SSL *ssl);" -.IP "X509 *\fBSSL_get_certificate\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "X509 *SSL_get_certificate(const SSL *ssl);" -.IP "const char *\fBSSL_get_cipher\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "const char *SSL_get_cipher(const SSL *ssl);" -.IP "int \fBSSL_get_cipher_bits\fR(const \s-1SSL\s0 *ssl, int *alg_bits);" 4 -.IX Item "int SSL_get_cipher_bits(const SSL *ssl, int *alg_bits);" -.IP "char *\fBSSL_get_cipher_list\fR(const \s-1SSL\s0 *ssl, int n);" 4 -.IX Item "char *SSL_get_cipher_list(const SSL *ssl, int n);" -.IP "char *\fBSSL_get_cipher_name\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "char *SSL_get_cipher_name(const SSL *ssl);" -.IP "char *\fBSSL_get_cipher_version\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "char *SSL_get_cipher_version(const SSL *ssl);" -.IP "\s-1STACK\s0 *\fBSSL_get_ciphers\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "STACK *SSL_get_ciphers(const SSL *ssl);" -.IP "\s-1STACK\s0 *\fBSSL_get_client_CA_list\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "STACK *SSL_get_client_CA_list(const SSL *ssl);" -.IP "\s-1SSL_CIPHER\s0 *\fBSSL_get_current_cipher\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);" -.IP "long \fBSSL_get_default_timeout\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "long SSL_get_default_timeout(const SSL *ssl);" -.IP "int \fBSSL_get_error\fR(const \s-1SSL\s0 *ssl, int i);" 4 -.IX Item "int SSL_get_error(const SSL *ssl, int i);" -.IP "char *\fBSSL_get_ex_data\fR(const \s-1SSL\s0 *ssl, int idx);" 4 -.IX Item "char *SSL_get_ex_data(const SSL *ssl, int idx);" -.IP "int \fBSSL_get_ex_data_X509_STORE_CTX_idx\fR(void);" 4 -.IX Item "int SSL_get_ex_data_X509_STORE_CTX_idx(void);" -.IP "int \fBSSL_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 -.IX Item "int SSL_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" -.IP "int \fBSSL_get_fd\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_get_fd(const SSL *ssl);" -.IP "void (*\fBSSL_get_info_callback\fR(const \s-1SSL\s0 *ssl);)()" 4 -.IX Item "void (*SSL_get_info_callback(const SSL *ssl);)()" -.IP "\s-1STACK\s0 *\fBSSL_get_peer_cert_chain\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "STACK *SSL_get_peer_cert_chain(const SSL *ssl);" -.IP "X509 *\fBSSL_get_peer_certificate\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "X509 *SSL_get_peer_certificate(const SSL *ssl);" -.IP "\s-1EVP_PKEY\s0 *\fBSSL_get_privatekey\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "EVP_PKEY *SSL_get_privatekey(const SSL *ssl);" -.IP "int \fBSSL_get_quiet_shutdown\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_get_quiet_shutdown(const SSL *ssl);" -.IP "\s-1BIO\s0 *\fBSSL_get_rbio\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "BIO *SSL_get_rbio(const SSL *ssl);" -.IP "int \fBSSL_get_read_ahead\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_get_read_ahead(const SSL *ssl);" -.IP "\s-1SSL_SESSION\s0 *\fBSSL_get_session\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "SSL_SESSION *SSL_get_session(const SSL *ssl);" -.IP "char *\fBSSL_get_shared_ciphers\fR(const \s-1SSL\s0 *ssl, char *buf, int size);" 4 -.IX Item "char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int size);" -.IP "int \fBSSL_get_shutdown\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_get_shutdown(const SSL *ssl);" -.IP "const \s-1SSL_METHOD\s0 *\fBSSL_get_ssl_method\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);" -.IP "int \fBSSL_get_state\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_get_state(const SSL *ssl);" -.IP "long \fBSSL_get_time\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "long SSL_get_time(const SSL *ssl);" -.IP "long \fBSSL_get_timeout\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "long SSL_get_timeout(const SSL *ssl);" -.IP "int (*\fBSSL_get_verify_callback\fR(const \s-1SSL\s0 *ssl))(int,X509_STORE_CTX *)" 4 -.IX Item "int (*SSL_get_verify_callback(const SSL *ssl))(int,X509_STORE_CTX *)" -.IP "int \fBSSL_get_verify_mode\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_get_verify_mode(const SSL *ssl);" -.IP "long \fBSSL_get_verify_result\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "long SSL_get_verify_result(const SSL *ssl);" -.IP "char *\fBSSL_get_version\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "char *SSL_get_version(const SSL *ssl);" -.IP "\s-1BIO\s0 *\fBSSL_get_wbio\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "BIO *SSL_get_wbio(const SSL *ssl);" -.IP "int \fBSSL_in_accept_init\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_in_accept_init(SSL *ssl);" -.IP "int \fBSSL_in_before\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_in_before(SSL *ssl);" -.IP "int \fBSSL_in_connect_init\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_in_connect_init(SSL *ssl);" -.IP "int \fBSSL_in_init\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_in_init(SSL *ssl);" -.IP "int \fBSSL_is_init_finished\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_is_init_finished(SSL *ssl);" -.IP "\s-1STACK\s0 *\fBSSL_load_client_CA_file\fR(char *file);" 4 -.IX Item "STACK *SSL_load_client_CA_file(char *file);" -.IP "void \fBSSL_load_error_strings\fR(void);" 4 -.IX Item "void SSL_load_error_strings(void);" -.IP "\s-1SSL\s0 *\fBSSL_new\fR(\s-1SSL_CTX\s0 *ctx);" 4 -.IX Item "SSL *SSL_new(SSL_CTX *ctx);" -.IP "long \fBSSL_num_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "long SSL_num_renegotiations(SSL *ssl);" -.IP "int \fBSSL_peek\fR(\s-1SSL\s0 *ssl, void *buf, int num);" 4 -.IX Item "int SSL_peek(SSL *ssl, void *buf, int num);" -.IP "int \fBSSL_pending\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_pending(const SSL *ssl);" -.IP "int \fBSSL_read\fR(\s-1SSL\s0 *ssl, void *buf, int num);" 4 -.IX Item "int SSL_read(SSL *ssl, void *buf, int num);" -.IP "int \fBSSL_renegotiate\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_renegotiate(SSL *ssl);" -.IP "char *\fBSSL_rstate_string\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "char *SSL_rstate_string(SSL *ssl);" -.IP "char *\fBSSL_rstate_string_long\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "char *SSL_rstate_string_long(SSL *ssl);" -.IP "long \fBSSL_session_reused\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "long SSL_session_reused(SSL *ssl);" -.IP "void \fBSSL_set_accept_state\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "void SSL_set_accept_state(SSL *ssl);" -.IP "void \fBSSL_set_app_data\fR(\s-1SSL\s0 *ssl, char *arg);" 4 -.IX Item "void SSL_set_app_data(SSL *ssl, char *arg);" -.IP "void \fBSSL_set_bio\fR(\s-1SSL\s0 *ssl, \s-1BIO\s0 *rbio, \s-1BIO\s0 *wbio);" 4 -.IX Item "void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);" -.IP "int \fBSSL_set_cipher_list\fR(\s-1SSL\s0 *ssl, char *str);" 4 -.IX Item "int SSL_set_cipher_list(SSL *ssl, char *str);" -.IP "void \fBSSL_set_client_CA_list\fR(\s-1SSL\s0 *ssl, \s-1STACK\s0 *list);" 4 -.IX Item "void SSL_set_client_CA_list(SSL *ssl, STACK *list);" -.IP "void \fBSSL_set_connect_state\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "void SSL_set_connect_state(SSL *ssl);" -.IP "int \fBSSL_set_ex_data\fR(\s-1SSL\s0 *ssl, int idx, char *arg);" 4 -.IX Item "int SSL_set_ex_data(SSL *ssl, int idx, char *arg);" -.IP "int \fBSSL_set_fd\fR(\s-1SSL\s0 *ssl, int fd);" 4 -.IX Item "int SSL_set_fd(SSL *ssl, int fd);" -.IP "void \fBSSL_set_info_callback\fR(\s-1SSL\s0 *ssl, void (*cb);(void))" 4 -.IX Item "void SSL_set_info_callback(SSL *ssl, void (*cb);(void))" -.IP "void \fBSSL_set_msg_callback\fR(\s-1SSL\s0 *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, \s-1SSL\s0 *ssl, void *arg));" 4 -.IX Item "void SSL_set_msg_callback(SSL *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));" -.IP "void \fBSSL_set_msg_callback_arg\fR(\s-1SSL\s0 *ctx, void *arg);" 4 -.IX Item "void SSL_set_msg_callback_arg(SSL *ctx, void *arg);" -.IP "void \fBSSL_set_options\fR(\s-1SSL\s0 *ssl, unsigned long op);" 4 -.IX Item "void SSL_set_options(SSL *ssl, unsigned long op);" -.IP "void \fBSSL_set_quiet_shutdown\fR(\s-1SSL\s0 *ssl, int mode);" 4 -.IX Item "void SSL_set_quiet_shutdown(SSL *ssl, int mode);" -.IP "void \fBSSL_set_read_ahead\fR(\s-1SSL\s0 *ssl, int yes);" 4 -.IX Item "void SSL_set_read_ahead(SSL *ssl, int yes);" -.IP "int \fBSSL_set_rfd\fR(\s-1SSL\s0 *ssl, int fd);" 4 -.IX Item "int SSL_set_rfd(SSL *ssl, int fd);" -.IP "int \fBSSL_set_session\fR(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *session);" 4 -.IX Item "int SSL_set_session(SSL *ssl, SSL_SESSION *session);" -.IP "void \fBSSL_set_shutdown\fR(\s-1SSL\s0 *ssl, int mode);" 4 -.IX Item "void SSL_set_shutdown(SSL *ssl, int mode);" -.IP "int \fBSSL_set_ssl_method\fR(\s-1SSL\s0 *ssl, const \s-1SSL_METHOD\s0 *meth);" 4 -.IX Item "int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *meth);" -.IP "void \fBSSL_set_time\fR(\s-1SSL\s0 *ssl, long t);" 4 -.IX Item "void SSL_set_time(SSL *ssl, long t);" -.IP "void \fBSSL_set_timeout\fR(\s-1SSL\s0 *ssl, long t);" 4 -.IX Item "void SSL_set_timeout(SSL *ssl, long t);" -.IP "void \fBSSL_set_verify\fR(\s-1SSL\s0 *ssl, int mode, int (*callback);(void))" 4 -.IX Item "void SSL_set_verify(SSL *ssl, int mode, int (*callback);(void))" -.IP "void \fBSSL_set_verify_result\fR(\s-1SSL\s0 *ssl, long arg);" 4 -.IX Item "void SSL_set_verify_result(SSL *ssl, long arg);" -.IP "int \fBSSL_set_wfd\fR(\s-1SSL\s0 *ssl, int fd);" 4 -.IX Item "int SSL_set_wfd(SSL *ssl, int fd);" -.IP "int \fBSSL_shutdown\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_shutdown(SSL *ssl);" -.IP "int \fBSSL_state\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_state(const SSL *ssl);" -.IP "char *\fBSSL_state_string\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "char *SSL_state_string(const SSL *ssl);" -.IP "char *\fBSSL_state_string_long\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "char *SSL_state_string_long(const SSL *ssl);" -.IP "long \fBSSL_total_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "long SSL_total_renegotiations(SSL *ssl);" -.IP "int \fBSSL_use_PrivateKey\fR(\s-1SSL\s0 *ssl, \s-1EVP_PKEY\s0 *pkey);" 4 -.IX Item "int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);" -.IP "int \fBSSL_use_PrivateKey_ASN1\fR(int type, \s-1SSL\s0 *ssl, unsigned char *d, long len);" 4 -.IX Item "int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len);" -.IP "int \fBSSL_use_PrivateKey_file\fR(\s-1SSL\s0 *ssl, char *file, int type);" 4 -.IX Item "int SSL_use_PrivateKey_file(SSL *ssl, char *file, int type);" -.IP "int \fBSSL_use_RSAPrivateKey\fR(\s-1SSL\s0 *ssl, \s-1RSA\s0 *rsa);" 4 -.IX Item "int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);" -.IP "int \fBSSL_use_RSAPrivateKey_ASN1\fR(\s-1SSL\s0 *ssl, unsigned char *d, long len);" 4 -.IX Item "int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);" -.IP "int \fBSSL_use_RSAPrivateKey_file\fR(\s-1SSL\s0 *ssl, char *file, int type);" 4 -.IX Item "int SSL_use_RSAPrivateKey_file(SSL *ssl, char *file, int type);" -.IP "int \fBSSL_use_certificate\fR(\s-1SSL\s0 *ssl, X509 *x);" 4 -.IX Item "int SSL_use_certificate(SSL *ssl, X509 *x);" -.IP "int \fBSSL_use_certificate_ASN1\fR(\s-1SSL\s0 *ssl, int len, unsigned char *d);" 4 -.IX Item "int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);" -.IP "int \fBSSL_use_certificate_file\fR(\s-1SSL\s0 *ssl, char *file, int type);" 4 -.IX Item "int SSL_use_certificate_file(SSL *ssl, char *file, int type);" -.IP "int \fBSSL_version\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_version(const SSL *ssl);" -.IP "int \fBSSL_want\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_want(const SSL *ssl);" -.IP "int \fBSSL_want_nothing\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_want_nothing(const SSL *ssl);" -.IP "int \fBSSL_want_read\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_want_read(const SSL *ssl);" -.IP "int \fBSSL_want_write\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_want_write(const SSL *ssl);" -.IP "int \fBSSL_want_x509_lookup\fR(const \s-1SSL\s0 *ssl);" 4 -.IX Item "int SSL_want_x509_lookup(const SSL *ssl);" -.IP "int \fBSSL_write\fR(\s-1SSL\s0 *ssl, const void *buf, int num);" 4 -.IX Item "int SSL_write(SSL *ssl, const void *buf, int num);" -.IP "void \fBSSL_set_psk_client_callback\fR(\s-1SSL\s0 *ssl, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" 4 -.IX Item "void SSL_set_psk_client_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" -.IP "int \fBSSL_use_psk_identity_hint\fR(\s-1SSL\s0 *ssl, const char *hint);" 4 -.IX Item "int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);" -.IP "void \fBSSL_set_psk_server_callback\fR(\s-1SSL\s0 *ssl, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4 -.IX Item "void SSL_set_psk_server_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));" -.IP "const char *\fBSSL_get_psk_identity_hint\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "const char *SSL_get_psk_identity_hint(SSL *ssl);" -.IP "const char *\fBSSL_get_psk_identity\fR(\s-1SSL\s0 *ssl);" 4 -.IX Item "const char *SSL_get_psk_identity(SSL *ssl);" -.PD -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIopenssl\fR\|(1), \fIcrypto\fR\|(3), -\&\fISSL_accept\fR\|(3), \fISSL_clear\fR\|(3), -\&\fISSL_connect\fR\|(3), -\&\fISSL_CIPHER_get_name\fR\|(3), -\&\fISSL_COMP_add_compression_method\fR\|(3), -\&\fISSL_CTX_add_extra_chain_cert\fR\|(3), -\&\fISSL_CTX_add_session\fR\|(3), -\&\fISSL_CTX_ctrl\fR\|(3), -\&\fISSL_CTX_flush_sessions\fR\|(3), -\&\fISSL_CTX_get_ex_new_index\fR\|(3), -\&\fISSL_CTX_get_verify_mode\fR\|(3), -\&\fISSL_CTX_load_verify_locations\fR\|(3) -\&\fISSL_CTX_new\fR\|(3), -\&\fISSL_CTX_sess_number\fR\|(3), -\&\fISSL_CTX_sess_set_cache_size\fR\|(3), -\&\fISSL_CTX_sess_set_get_cb\fR\|(3), -\&\fISSL_CTX_sessions\fR\|(3), -\&\fISSL_CTX_set_cert_store\fR\|(3), -\&\fISSL_CTX_set_cert_verify_callback\fR\|(3), -\&\fISSL_CTX_set_cipher_list\fR\|(3), -\&\fISSL_CTX_set_client_CA_list\fR\|(3), -\&\fISSL_CTX_set_client_cert_cb\fR\|(3), -\&\fISSL_CTX_set_default_passwd_cb\fR\|(3), -\&\fISSL_CTX_set_generate_session_id\fR\|(3), -\&\fISSL_CTX_set_info_callback\fR\|(3), -\&\fISSL_CTX_set_max_cert_list\fR\|(3), -\&\fISSL_CTX_set_mode\fR\|(3), -\&\fISSL_CTX_set_msg_callback\fR\|(3), -\&\fISSL_CTX_set_options\fR\|(3), -\&\fISSL_CTX_set_quiet_shutdown\fR\|(3), -\&\fISSL_CTX_set_read_ahead\fR\|(3), -\&\fISSL_CTX_set_session_cache_mode\fR\|(3), -\&\fISSL_CTX_set_session_id_context\fR\|(3), -\&\fISSL_CTX_set_ssl_version\fR\|(3), -\&\fISSL_CTX_set_timeout\fR\|(3), -\&\fISSL_CTX_set_tmp_rsa_callback\fR\|(3), -\&\fISSL_CTX_set_tmp_dh_callback\fR\|(3), -\&\fISSL_CTX_set_verify\fR\|(3), -\&\fISSL_CTX_use_certificate\fR\|(3), -\&\fISSL_alert_type_string\fR\|(3), -\&\fISSL_do_handshake\fR\|(3), -\&\fISSL_get_SSL_CTX\fR\|(3), -\&\fISSL_get_ciphers\fR\|(3), -\&\fISSL_get_client_CA_list\fR\|(3), -\&\fISSL_get_default_timeout\fR\|(3), -\&\fISSL_get_error\fR\|(3), -\&\fISSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3), -\&\fISSL_get_ex_new_index\fR\|(3), -\&\fISSL_get_fd\fR\|(3), -\&\fISSL_get_peer_cert_chain\fR\|(3), -\&\fISSL_get_rbio\fR\|(3), -\&\fISSL_get_session\fR\|(3), -\&\fISSL_get_verify_result\fR\|(3), -\&\fISSL_get_version\fR\|(3), -\&\fISSL_library_init\fR\|(3), -\&\fISSL_load_client_CA_file\fR\|(3), -\&\fISSL_new\fR\|(3), -\&\fISSL_pending\fR\|(3), -\&\fISSL_read\fR\|(3), -\&\fISSL_rstate_string\fR\|(3), -\&\fISSL_session_reused\fR\|(3), -\&\fISSL_set_bio\fR\|(3), -\&\fISSL_set_connect_state\fR\|(3), -\&\fISSL_set_fd\fR\|(3), -\&\fISSL_set_session\fR\|(3), -\&\fISSL_set_shutdown\fR\|(3), -\&\fISSL_shutdown\fR\|(3), -\&\fISSL_state_string\fR\|(3), -\&\fISSL_want\fR\|(3), -\&\fISSL_write\fR\|(3), -\&\fISSL_SESSION_free\fR\|(3), -\&\fISSL_SESSION_get_ex_new_index\fR\|(3), -\&\fISSL_SESSION_get_time\fR\|(3), -\&\fId2i_SSL_SESSION\fR\|(3), -\&\fISSL_CTX_set_psk_client_callback\fR\|(3), -\&\fISSL_CTX_use_psk_identity_hint\fR\|(3), -\&\fISSL_get_psk_identity\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -The \fIssl\fR\|(3) document appeared in OpenSSL 0.9.2 diff --git a/secure/usr.bin/openssl/Makefile.man b/secure/usr.bin/openssl/Makefile.man index 02267c37387e..34951d63abb1 100644 --- a/secure/usr.bin/openssl/Makefile.man +++ b/secure/usr.bin/openssl/Makefile.man @@ -1,5 +1,4 @@ # $FreeBSD$ -# DO NOT EDIT: generated from man-makefile-update target MAN+= CA.pl.1 MAN+= asn1parse.1 MAN+= ca.1 @@ -14,10 +13,12 @@ MAN+= dsaparam.1 MAN+= ec.1 MAN+= ecparam.1 MAN+= enc.1 +MAN+= engine.1 MAN+= errstr.1 MAN+= gendsa.1 MAN+= genpkey.1 MAN+= genrsa.1 +MAN+= list.1 MAN+= nseq.1 MAN+= ocsp.1 MAN+= openssl.1 @@ -28,6 +29,7 @@ MAN+= pkcs8.1 MAN+= pkey.1 MAN+= pkeyparam.1 MAN+= pkeyutl.1 +MAN+= prime.1 MAN+= rand.1 MAN+= req.1 MAN+= rsa.1 @@ -39,41 +41,32 @@ MAN+= sess_id.1 MAN+= smime.1 MAN+= speed.1 MAN+= spkac.1 +MAN+= srp.1 +MAN+= storeutl.1 MAN+= ts.1 MAN+= tsget.1 MAN+= verify.1 MAN+= version.1 MAN+= x509.1 -MAN+= x509v3_config.1 MLINKS+= asn1parse.1 openssl-asn1parse.1 MLINKS+= ca.1 openssl-ca.1 MLINKS+= ciphers.1 openssl-ciphers.1 MLINKS+= cms.1 openssl-cms.1 MLINKS+= crl.1 openssl-crl.1 MLINKS+= crl2pkcs7.1 openssl-crl2pkcs7.1 -MLINKS+= dgst.1 dss1.1 -MLINKS+= dgst.1 md2.1 -MLINKS+= dgst.1 md4.1 -MLINKS+= dgst.1 md5.1 -MLINKS+= dgst.1 mdc2.1 MLINKS+= dgst.1 openssl-dgst.1 -MLINKS+= dgst.1 ripemd160.1 -MLINKS+= dgst.1 sha.1 -MLINKS+= dgst.1 sha1.1 -MLINKS+= dgst.1 sha224.1 -MLINKS+= dgst.1 sha256.1 -MLINKS+= dgst.1 sha384.1 -MLINKS+= dgst.1 sha512.1 MLINKS+= dhparam.1 openssl-dhparam.1 MLINKS+= dsa.1 openssl-dsa.1 MLINKS+= dsaparam.1 openssl-dsaparam.1 MLINKS+= ec.1 openssl-ec.1 MLINKS+= ecparam.1 openssl-ecparam.1 MLINKS+= enc.1 openssl-enc.1 +MLINKS+= engine.1 openssl-engine.1 MLINKS+= errstr.1 openssl-errstr.1 MLINKS+= gendsa.1 openssl-gendsa.1 MLINKS+= genpkey.1 openssl-genpkey.1 MLINKS+= genrsa.1 openssl-genrsa.1 +MLINKS+= list.1 openssl-list.1 MLINKS+= nseq.1 openssl-nseq.1 MLINKS+= ocsp.1 openssl-ocsp.1 MLINKS+= passwd.1 openssl-passwd.1 @@ -83,6 +76,7 @@ MLINKS+= pkcs8.1 openssl-pkcs8.1 MLINKS+= pkey.1 openssl-pkey.1 MLINKS+= pkeyparam.1 openssl-pkeyparam.1 MLINKS+= pkeyutl.1 openssl-pkeyutl.1 +MLINKS+= prime.1 openssl-prime.1 MLINKS+= rand.1 openssl-rand.1 MLINKS+= req.1 openssl-req.1 MLINKS+= rsa.1 openssl-rsa.1 @@ -94,6 +88,8 @@ MLINKS+= sess_id.1 openssl-sess_id.1 MLINKS+= smime.1 openssl-smime.1 MLINKS+= speed.1 openssl-speed.1 MLINKS+= spkac.1 openssl-spkac.1 +MLINKS+= srp.1 openssl-srp.1 +MLINKS+= storeutl.1 openssl-storeutl.1 MLINKS+= ts.1 openssl-ts.1 MLINKS+= tsget.1 openssl-tsget.1 MLINKS+= verify.1 openssl-verify.1 diff --git a/secure/usr.bin/openssl/man/CA.pl.1 b/secure/usr.bin/openssl/man/CA.pl.1 index 348189f76080..0eecd9ac0b5e 100644 --- a/secure/usr.bin/openssl/man/CA.pl.1 +++ b/secure/usr.bin/openssl/man/CA.pl.1 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "CA.PL 1" -.TH CA.PL 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH CA.PL 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -139,51 +139,63 @@ CA.pl \- friendlier interface for OpenSSL certificate programs .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fB\s-1CA\s0.pl\fR -[\fB\-?\fR] -[\fB\-h\fR] -[\fB\-help\fR] -[\fB\-newcert\fR] -[\fB\-newreq\fR] -[\fB\-newreq\-nodes\fR] -[\fB\-newca\fR] -[\fB\-xsign\fR] -[\fB\-sign\fR] -[\fB\-signreq\fR] -[\fB\-signcert\fR] -[\fB\-verify\fR] -[\fBfiles\fR] +\&\fB\-?\fR | +\&\fB\-h\fR | +\&\fB\-help\fR +.PP +\&\fB\s-1CA\s0.pl\fR +\&\fB\-newcert\fR | +\&\fB\-newreq\fR | +\&\fB\-newreq\-nodes\fR | +\&\fB\-xsign\fR | +\&\fB\-sign\fR | +\&\fB\-signCA\fR | +\&\fB\-signcert\fR | +\&\fB\-crl\fR | +\&\fB\-newca\fR +[\fB\-extra\-cmd\fR extra\-params] +.PP +\&\fB\s-1CA\s0.pl\fR \fB\-pkcs12\fR [\fB\-extra\-pkcs12\fR extra\-params] [\fBcertname\fR] +.PP +\&\fB\s-1CA\s0.pl\fR \fB\-verify\fR [\fB\-extra\-verify\fR extra\-params] \fBcertfile\fR... +.PP +\&\fB\s-1CA\s0.pl\fR \fB\-revoke\fR [\fB\-extra\-ca\fR extra\-params] \fBcertfile\fR [\fBreason\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fB\s-1CA\s0.pl\fR script is a perl script that supplies the relevant command line arguments to the \fBopenssl\fR command for some common certificate operations. It is intended to simplify the process of certificate creation and management by the use of some simple options. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" .IP "\fB?\fR, \fB\-h\fR, \fB\-help\fR" 4 .IX Item "?, -h, -help" -prints a usage message. +Prints a usage message. .IP "\fB\-newcert\fR" 4 .IX Item "-newcert" -creates a new self signed certificate. The private key is written to the file +Creates a new self signed certificate. The private key is written to the file \&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R". +This argument invokes \fBopenssl req\fR command. .IP "\fB\-newreq\fR" 4 .IX Item "-newreq" -creates a new certificate request. The private key is written to the file +Creates a new certificate request. The private key is written to the file \&\*(L"newkey.pem\*(R" and the request written to the file \*(L"newreq.pem\*(R". +Executes \fBopenssl req\fR command below the hood. .IP "\fB\-newreq\-nodes\fR" 4 .IX Item "-newreq-nodes" -is like \fB\-newreq\fR except that the private key will not be encrypted. +Is like \fB\-newreq\fR except that the private key will not be encrypted. +Uses \fBopenssl req\fR command. .IP "\fB\-newca\fR" 4 .IX Item "-newca" -creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR +Creates a new \s-1CA\s0 hierarchy for use with the \fBca\fR program (or the \fB\-signcert\fR and \fB\-xsign\fR options). The user is prompted to enter the filename of the \s-1CA\s0 certificates (which should also contain the private key) or by hitting \s-1ENTER\s0 details of the \s-1CA\s0 will be prompted for. The relevant files and directories are created in a directory called \*(L"demoCA\*(R" in the current directory. +\&\fBopenssl req\fR and \fBopenssl ca\fR commands are get invoked. .IP "\fB\-pkcs12\fR" 4 .IX Item "-pkcs12" -create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0 +Create a PKCS#12 file containing the user certificate, private key and \s-1CA\s0 certificate. It expects the user certificate and private key to be in the file \*(L"newcert.pem\*(R" and the \s-1CA\s0 certificate to be in the file demoCA/cacert.pem, it creates a file \*(L"newcert.p12\*(R". This command can thus be called after the @@ -191,28 +203,48 @@ it creates a file \*(L"newcert.p12\*(R". This command can thus be called after t If there is an additional argument on the command line it will be used as the \&\*(L"friendly name\*(R" for the certificate (which is typically displayed in the browser list box), otherwise the name \*(L"My Certificate\*(R" is used. -.IP "\fB\-sign\fR, \fB\-signreq\fR, \fB\-xsign\fR" 4 -.IX Item "-sign, -signreq, -xsign" -calls the \fBca\fR program to sign a certificate request. It expects the request +Delegates work to \fBopenssl pkcs12\fR command. +.IP "\fB\-sign\fR, \fB\-signcert\fR, \fB\-xsign\fR" 4 +.IX Item "-sign, -signcert, -xsign" +Calls the \fBca\fR program to sign a certificate request. It expects the request to be in the file \*(L"newreq.pem\*(R". The new certificate is written to the file \&\*(L"newcert.pem\*(R" except in the case of the \fB\-xsign\fR option when it is written -to standard output. +to standard output. Leverages \fBopenssl ca\fR command. .IP "\fB\-signCA\fR" 4 .IX Item "-signCA" -this option is the same as the \fB\-signreq\fR option except it uses the configuration -file section \fBv3_ca\fR and so makes the signed request a valid \s-1CA\s0 certificate. This -is useful when creating intermediate \s-1CA\s0 from a root \s-1CA.\s0 +This option is the same as the \fB\-signreq\fR option except it uses the +configuration file section \fBv3_ca\fR and so makes the signed request a +valid \s-1CA\s0 certificate. This is useful when creating intermediate \s-1CA\s0 from +a root \s-1CA.\s0 Extra params are passed on to \fBopenssl ca\fR command. .IP "\fB\-signcert\fR" 4 .IX Item "-signcert" -this option is the same as \fB\-sign\fR except it expects a self signed certificate +This option is the same as \fB\-sign\fR except it expects a self signed certificate to be present in the file \*(L"newreq.pem\*(R". +Extra params are passed on to \fBopenssl x509\fR and \fBopenssl ca\fR commands. +.IP "\fB\-crl\fR" 4 +.IX Item "-crl" +Generate a \s-1CRL.\s0 Executes \fBopenssl ca\fR command. +.IP "\fB\-revoke certfile [reason]\fR" 4 +.IX Item "-revoke certfile [reason]" +Revoke the certificate contained in the specified \fBcertfile\fR. An optional +reason may be specified, and must be one of: \fBunspecified\fR, +\&\fBkeyCompromise\fR, \fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, +\&\fBcessationOfOperation\fR, \fBcertificateHold\fR, or \fBremoveFromCRL\fR. +Leverages \fBopenssl ca\fR command. .IP "\fB\-verify\fR" 4 .IX Item "-verify" -verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no certificates -are specified on the command line it tries to verify the file \*(L"newcert.pem\*(R". -.IP "\fBfiles\fR" 4 -.IX Item "files" -one or more optional certificate file names for use with the \fB\-verify\fR command. +Verifies certificates against the \s-1CA\s0 certificate for \*(L"demoCA\*(R". If no +certificates are specified on the command line it tries to verify the file +\&\*(L"newcert.pem\*(R". Invokes \fBopenssl verify\fR command. +.IP "\fB\-extra\-req\fR | \fB\-extra\-ca\fR | \fB\-extra\-pkcs12\fR | \fB\-extra\-x509\fR | \fB\-extra\-verify\fR " 4 +.IX Item "-extra-req | -extra-ca | -extra-pkcs12 | -extra-x509 | -extra-verify " +The purpose of these parameters is to allow optional parameters to be supplied +to \fBopenssl\fR that this command executes. The \fB\-extra\-cmd\fR are specific to the +option being used and the \fBopenssl\fR command getting invoked. For example +when this command invokes \fBopenssl req\fR extra parameters can be passed on +with the \fB\-extra\-req\fR parameter. The +\&\fBopenssl\fR commands being invoked per option are documented below. +Users should consult \fBopenssl\fR command documentation for more information. .SH "EXAMPLES" .IX Header "EXAMPLES" Create a \s-1CA\s0 hierarchy: @@ -285,18 +317,21 @@ be wrong. In this case the command: \& perl \-S CA.pl .Ve .PP -can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to -the correct path of the configuration file \*(L"openssl.cnf\*(R". +can be used and the \fB\s-1OPENSSL_CONF\s0\fR environment variable changed to point to +the correct path of the configuration file. .PP The script is intended as a simple front end for the \fBopenssl\fR program for use by a beginner. Its behaviour isn't always what is wanted. For more control over the behaviour of the certificate commands call the \fBopenssl\fR command directly. -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration -file location to be specified, it should contain the full path to the -configuration file, not just its directory. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIx509\fR\|(1), \fIca\fR\|(1), \fIreq\fR\|(1), \fIpkcs12\fR\|(1), \&\fIconfig\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/asn1parse.1 b/secure/usr.bin/openssl/man/asn1parse.1 index 4641fc96bd87..a62ec132cf5a 100644 --- a/secure/usr.bin/openssl/man/asn1parse.1 +++ b/secure/usr.bin/openssl/man/asn1parse.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "ASN1PARSE 1" -.TH ASN1PARSE 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH ASN1PARSE 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-asn1parse, -asn1parse \- ASN.1 parsing tool +openssl\-asn1parse, asn1parse \- ASN.1 parsing tool .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBasn1parse\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] [\fB\-in filename\fR] [\fB\-out filename\fR] @@ -153,60 +153,76 @@ asn1parse \- ASN.1 parsing tool [\fB\-strparse offset\fR] [\fB\-genstr string\fR] [\fB\-genconf file\fR] +[\fB\-strictpem\fR] +[\fB\-item name\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBasn1parse\fR command is a diagnostic utility that can parse \s-1ASN.1\s0 structures. It can also be used to extract data from \s-1ASN.1\s0 formatted data. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform\fR \fBDER|PEM\fR" 4 .IX Item "-inform DER|PEM" -the input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64 +The input format. \fB\s-1DER\s0\fR is binary format and \fB\s-1PEM\s0\fR (the default) is base64 encoded. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" -the input file, default is standard input +The input file, default is standard input. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -output file to place the \s-1DER\s0 encoded data into. If this +Output file to place the \s-1DER\s0 encoded data into. If this option is not present then no data will be output. This is most useful when combined with the \fB\-strparse\fR option. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -don't output the parsed version of the input file. +Don't output the parsed version of the input file. .IP "\fB\-offset number\fR" 4 .IX Item "-offset number" -starting offset to begin parsing, default is start of file. +Starting offset to begin parsing, default is start of file. .IP "\fB\-length number\fR" 4 .IX Item "-length number" -number of bytes to parse, default is until end of file. +Number of bytes to parse, default is until end of file. .IP "\fB\-i\fR" 4 .IX Item "-i" -indents the output according to the \*(L"depth\*(R" of the structures. +Indents the output according to the \*(L"depth\*(R" of the structures. .IP "\fB\-oid filename\fR" 4 .IX Item "-oid filename" -a file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this +A file containing additional \s-1OBJECT\s0 IDENTIFIERs (OIDs). The format of this file is described in the \s-1NOTES\s0 section below. .IP "\fB\-dump\fR" 4 .IX Item "-dump" -dump unknown data in hex format. +Dump unknown data in hex format. .IP "\fB\-dlimit num\fR" 4 .IX Item "-dlimit num" -like \fB\-dump\fR, but only the first \fBnum\fR bytes are output. +Like \fB\-dump\fR, but only the first \fBnum\fR bytes are output. .IP "\fB\-strparse offset\fR" 4 .IX Item "-strparse offset" -parse the contents octets of the \s-1ASN.1\s0 object starting at \fBoffset\fR. This +Parse the contents octets of the \s-1ASN.1\s0 object starting at \fBoffset\fR. This option can be used multiple times to \*(L"drill down\*(R" into a nested structure. .IP "\fB\-genstr string\fR, \fB\-genconf file\fR" 4 .IX Item "-genstr string, -genconf file" -generate encoded data based on \fBstring\fR, \fBfile\fR or both using +Generate encoded data based on \fBstring\fR, \fBfile\fR or both using \&\fIASN1_generate_nconf\fR\|(3) format. If \fBfile\fR only is present then the string is obtained from the default section using the name \&\fBasn1\fR. The encoded data is passed through the \s-1ASN1\s0 parser and printed out as though it came from a file, the contents can thus be examined and written to a file using the \fBout\fR option. -.SS "\s-1OUTPUT\s0" -.IX Subsection "OUTPUT" +.IP "\fB\-strictpem\fR" 4 +.IX Item "-strictpem" +If this option is used then \fB\-inform\fR will be ignored. Without this option any +data in a \s-1PEM\s0 format input file will be treated as being base64 encoded and +processed whether it has the normal \s-1PEM BEGIN\s0 and \s-1END\s0 markers or not. This +option will ignore any data prior to the start of the \s-1BEGIN\s0 marker, or after an +\&\s-1END\s0 marker in a \s-1PEM\s0 file. +.IP "\fB\-item name\fR" 4 +.IX Item "-item name" +Attempt to decode and print the data as \fB\s-1ASN1_ITEM\s0 name\fR. This can be used to +print out the fields of any supported \s-1ASN.1\s0 structure if the type is known. +.SS "Output" +.IX Subsection "Output" The output will typically contain lines like this: .PP .Vb 1 @@ -216,21 +232,21 @@ The output will typically contain lines like this: \&..... .PP .Vb 10 -\& 229:d=3 hl=3 l= 141 prim: BIT STRING -\& 373:d=2 hl=3 l= 162 cons: cont [ 3 ] -\& 376:d=3 hl=3 l= 159 cons: SEQUENCE -\& 379:d=4 hl=2 l= 29 cons: SEQUENCE +\& 229:d=3 hl=3 l= 141 prim: BIT STRING +\& 373:d=2 hl=3 l= 162 cons: cont [ 3 ] +\& 376:d=3 hl=3 l= 159 cons: SEQUENCE +\& 379:d=4 hl=2 l= 29 cons: SEQUENCE \& 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier -\& 386:d=5 hl=2 l= 22 prim: OCTET STRING -\& 410:d=4 hl=2 l= 112 cons: SEQUENCE +\& 386:d=5 hl=2 l= 22 prim: OCTET STRING +\& 410:d=4 hl=2 l= 112 cons: SEQUENCE \& 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier -\& 417:d=5 hl=2 l= 105 prim: OCTET STRING +\& 417:d=5 hl=2 l= 105 prim: OCTET STRING \& 524:d=4 hl=2 l= 12 cons: SEQUENCE .Ve .PP \&..... .PP -This example is part of a self signed certificate. Each line starts with the +This example is part of a self-signed certificate. Each line starts with the offset in decimal. \fBd=XX\fR specifies the current depth. The depth is increased within the scope of any \s-1SET\s0 or \s-1SEQUENCE.\s0 \fBhl=XX\fR gives the header length (tag and length octets) of the current type. \fBl=XX\fR gives the length of @@ -245,21 +261,21 @@ The contents octets of this will contain the public key information. This can be examined using the option \fB\-strparse 229\fR to yield: .PP .Vb 3 -\& 0:d=0 hl=3 l= 137 cons: SEQUENCE +\& 0:d=0 hl=3 l= 137 cons: SEQUENCE \& 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 \& 135:d=1 hl=2 l= 3 prim: INTEGER :010001 .Ve .SH "NOTES" .IX Header "NOTES" If an \s-1OID\s0 is not part of OpenSSL's internal table it will be represented in -numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option +numerical form (for example 1.2.3.4). The file passed to the \fB\-oid\fR option allows additional OIDs to be included. Each line consists of three columns, the first column is the \s-1OID\s0 in numerical format and should be followed by white space. The second column is the \*(L"short name\*(R" which is a single word followed by white space. The final column is the rest of the line and is the \&\*(L"long name\*(R". \fBasn1parse\fR displays the long name. Example: .PP -\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR +\&\f(CW\*(C`1.2.3.4 shortName A long name\*(C'\fR .SH "EXAMPLES" .IX Header "EXAMPLES" Parse a file: @@ -309,3 +325,11 @@ There should be options to change the format of output lines. The output of some .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIASN1_generate_nconf\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/ca.1 b/secure/usr.bin/openssl/man/ca.1 index dd25df487f63..110d21a109e9 100644 --- a/secure/usr.bin/openssl/man/ca.1 +++ b/secure/usr.bin/openssl/man/ca.1 @@ -129,22 +129,23 @@ .\" ======================================================================== .\" .IX Title "CA 1" -.TH CA 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH CA 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-ca, -ca \- sample minimal CA application +openssl\-ca, ca \- sample minimal CA application .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBca\fR +[\fB\-help\fR] [\fB\-verbose\fR] [\fB\-config filename\fR] [\fB\-name section\fR] [\fB\-gencrl\fR] [\fB\-revoke file\fR] +[\fB\-valid file\fR] [\fB\-status serial\fR] [\fB\-updatedb\fR] [\fB\-crl_reason reason\fR] @@ -181,7 +182,11 @@ ca \- sample minimal CA application [\fB\-engine id\fR] [\fB\-subj arg\fR] [\fB\-utf8\fR] +[\fB\-create_serial\fR] +[\fB\-rand_serial\fR] [\fB\-multivalue\-rdn\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBca\fR command is a minimal \s-1CA\s0 application. It can be used @@ -190,61 +195,69 @@ CRLs it also maintains a text database of issued certificates and their status. .PP The options descriptions will be divided into each purpose. -.SH "CA OPTIONS" -.IX Header "CA OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-verbose\fR" 4 +.IX Item "-verbose" +This prints extra details about the operations being performed. .IP "\fB\-config filename\fR" 4 .IX Item "-config filename" -specifies the configuration file to use. +Specifies the configuration file to use. +Optional; for a description of the default value, +see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fIopenssl\fR\|(1). .IP "\fB\-name section\fR" 4 .IX Item "-name section" -specifies the configuration file section to use (overrides +Specifies the configuration file section to use (overrides \&\fBdefault_ca\fR in the \fBca\fR section). .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" -an input filename containing a single certificate request to be +An input filename containing a single certificate request to be signed by the \s-1CA.\s0 .IP "\fB\-ss_cert filename\fR" 4 .IX Item "-ss_cert filename" -a single self signed certificate to be signed by the \s-1CA.\s0 +A single self-signed certificate to be signed by the \s-1CA.\s0 .IP "\fB\-spkac filename\fR" 4 .IX Item "-spkac filename" -a file containing a single Netscape signed public key and challenge +A file containing a single Netscape signed public key and challenge and additional field values to be signed by the \s-1CA.\s0 See the \fB\s-1SPKAC FORMAT\s0\fR section for information on the required input and output format. .IP "\fB\-infiles\fR" 4 .IX Item "-infiles" -if present this should be the last option, all subsequent arguments -are assumed to be the names of files containing certificate requests. +If present this should be the last option, all subsequent arguments +are taken as the names of files containing certificate requests. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -the output file to output certificates to. The default is standard +The output file to output certificates to. The default is standard output. The certificate details will also be printed out to this file in \s-1PEM\s0 format (except that \fB\-spkac\fR outputs \s-1DER\s0 format). .IP "\fB\-outdir directory\fR" 4 .IX Item "-outdir directory" -the directory to output certificates to. The certificate will be +The directory to output certificates to. The certificate will be written to a filename consisting of the serial number in hex with \&\*(L".pem\*(R" appended. .IP "\fB\-cert\fR" 4 .IX Item "-cert" -the \s-1CA\s0 certificate file. +The \s-1CA\s0 certificate file. .IP "\fB\-keyfile filename\fR" 4 .IX Item "-keyfile filename" -the private key to sign requests with. +The private key to sign requests with. .IP "\fB\-keyform PEM|DER\fR" 4 .IX Item "-keyform PEM|DER" -the format of the data in the private key file. +The format of the data in the private key file. The default is \s-1PEM.\s0 .IP "\fB\-key password\fR" 4 .IX Item "-key password" -the password used to encrypt the private key. Since on some +The password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g. Unix with the 'ps' utility) this option should be used with caution. .IP "\fB\-selfsign\fR" 4 .IX Item "-selfsign" -indicates the issued certificates are to be signed with the key +Indicates the issued certificates are to be signed with the key the certificate requests were signed with (given with \fB\-keyfile\fR). -Cerificate requests signed with a different key are ignored. If +Certificate requests signed with a different key are ignored. If \&\fB\-spkac\fR, \fB\-ss_cert\fR or \fB\-gencrl\fR are given, \fB\-selfsign\fR is ignored. .Sp @@ -255,46 +268,48 @@ serial number counter as all other certificates sign with the self-signed certificate. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the key password source. For more information about the format of \fBarg\fR +The key password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-verbose\fR" 4 -.IX Item "-verbose" -this prints extra details about the operations being performed. .IP "\fB\-notext\fR" 4 .IX Item "-notext" -don't output the text form of a certificate to the output file. +Don't output the text form of a certificate to the output file. .IP "\fB\-startdate date\fR" 4 .IX Item "-startdate date" -this allows the start date to be explicitly set. The format of the -date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure). +This allows the start date to be explicitly set. The format of the +date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or +\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In +both formats, seconds \s-1SS\s0 and timezone Z must be present. .IP "\fB\-enddate date\fR" 4 .IX Item "-enddate date" -this allows the expiry date to be explicitly set. The format of the -date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure). +This allows the expiry date to be explicitly set. The format of the +date is \s-1YYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 UTCTime structure), or +\&\s-1YYYYMMDDHHMMSSZ\s0 (the same as an \s-1ASN1\s0 GeneralizedTime structure). In +both formats, seconds \s-1SS\s0 and timezone Z must be present. .IP "\fB\-days arg\fR" 4 .IX Item "-days arg" -the number of days to certify the certificate for. +The number of days to certify the certificate for. .IP "\fB\-md alg\fR" 4 .IX Item "-md alg" -the message digest to use. Possible values include md5, sha1 and mdc2. -This option also applies to CRLs. +The message digest to use. +Any digest supported by the OpenSSL \fBdgst\fR command can be used. For signing +algorithms that do not support a digest (i.e. Ed25519 and Ed448) any message +digest that is set is ignored. This option also applies to CRLs. .IP "\fB\-policy arg\fR" 4 .IX Item "-policy arg" -this option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in +This option defines the \s-1CA\s0 \*(L"policy\*(R" to use. This is a section in the configuration file which decides which fields should be mandatory or match the \s-1CA\s0 certificate. Check out the \fB\s-1POLICY FORMAT\s0\fR section for more information. .IP "\fB\-msie_hack\fR" 4 .IX Item "-msie_hack" -this is a legacy option to make \fBca\fR work with very old versions of +This is a deprecated option to make \fBca\fR work with very old versions of the \s-1IE\s0 certificate enrollment control \*(L"certenr3\*(R". It used UniversalStrings for almost everything. Since the old control has various security bugs -its use is strongly discouraged. The newer control \*(L"Xenroll\*(R" does not -need this option. +its use is strongly discouraged. .IP "\fB\-preserveDN\fR" 4 .IX Item "-preserveDN" Normally the \s-1DN\s0 order of a certificate is the same as the order of the -fields in the relevant policy section. When this option is set the order +fields in the relevant policy section. When this option is set the order is the same as the request. This is largely for compatibility with the older \s-1IE\s0 enrollment control which would only accept certificates if their DNs match the order of the request. This is not needed for Xenroll. @@ -308,11 +323,11 @@ the, eventually present, extensions. The \fBemail_in_dn\fR keyword can be used in the configuration file to enable this behaviour. .IP "\fB\-batch\fR" 4 .IX Item "-batch" -this sets the batch mode. In this mode no questions will be asked +This sets the batch mode. In this mode no questions will be asked and all certificates will be certified automatically. .IP "\fB\-extensions section\fR" 4 .IX Item "-extensions section" -the section of the configuration file containing certificate extensions +The section of the configuration file containing certificate extensions to be added when a certificate is issued (defaults to \fBx509_extensions\fR unless the \fB\-extfile\fR option is used). If no extension section is present then, a V1 certificate is created. If the extension section @@ -321,64 +336,89 @@ is present (even if it is empty), then a V3 certificate is created. See the:w extension section format. .IP "\fB\-extfile file\fR" 4 .IX Item "-extfile file" -an additional configuration file to read certificate extensions from +An additional configuration file to read certificate extensions from (using the default section unless the \fB\-extensions\fR option is also used). .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBca\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBca\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. .IP "\fB\-subj arg\fR" 4 .IX Item "-subj arg" -supersedes subject name given in the request. +Supersedes subject name given in the request. The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, characters may be escaped by \e (backslash), no spaces are skipped. .IP "\fB\-utf8\fR" 4 .IX Item "-utf8" -this option causes field values to be interpreted as \s-1UTF8\s0 strings, by +This option causes field values to be interpreted as \s-1UTF8\s0 strings, by default they are interpreted as \s-1ASCII.\s0 This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid \s-1UTF8\s0 strings. +.IP "\fB\-create_serial\fR" 4 +.IX Item "-create_serial" +If reading serial from the text file as specified in the configuration +fails, specifying this option creates a new random serial to be used as next +serial number. +To get random serial numbers, use the \fB\-rand_serial\fR flag instead; this +should only be used for simple error-recovery. +.IP "\fB\-rand_serial\fR" 4 +.IX Item "-rand_serial" +Generate a large random number to use as the serial number. +This overrides any option or configuration to use a serial number file. .IP "\fB\-multivalue\-rdn\fR" 4 .IX Item "-multivalue-rdn" -this option causes the \-subj argument to be interpretedt with full +This option causes the \-subj argument to be interpreted with full support for multivalued RDNs. Example: .Sp \&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR .Sp If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .SH "CRL OPTIONS" .IX Header "CRL OPTIONS" .IP "\fB\-gencrl\fR" 4 .IX Item "-gencrl" -this option generates a \s-1CRL\s0 based on information in the index file. +This option generates a \s-1CRL\s0 based on information in the index file. .IP "\fB\-crldays num\fR" 4 .IX Item "-crldays num" -the number of days before the next \s-1CRL\s0 is due. That is the days from +The number of days before the next \s-1CRL\s0 is due. That is the days from now to place in the \s-1CRL\s0 nextUpdate field. .IP "\fB\-crlhours num\fR" 4 .IX Item "-crlhours num" -the number of hours before the next \s-1CRL\s0 is due. +The number of hours before the next \s-1CRL\s0 is due. .IP "\fB\-revoke filename\fR" 4 .IX Item "-revoke filename" -a filename containing a certificate to revoke. +A filename containing a certificate to revoke. +.IP "\fB\-valid filename\fR" 4 +.IX Item "-valid filename" +A filename containing a certificate to add a Valid certificate entry. .IP "\fB\-status serial\fR" 4 .IX Item "-status serial" -displays the revocation status of the certificate with the specified +Displays the revocation status of the certificate with the specified serial number and exits. .IP "\fB\-updatedb\fR" 4 .IX Item "-updatedb" Updates the database index to purge expired certificates. .IP "\fB\-crl_reason reason\fR" 4 .IX Item "-crl_reason reason" -revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR, +Revocation reason, where \fBreason\fR is one of: \fBunspecified\fR, \fBkeyCompromise\fR, \&\fBCACompromise\fR, \fBaffiliationChanged\fR, \fBsuperseded\fR, \fBcessationOfOperation\fR, \&\fBcertificateHold\fR or \fBremoveFromCRL\fR. The matching of \fBreason\fR is case insensitive. Setting any revocation reason will make the \s-1CRL\s0 v2. .Sp -In practive \fBremoveFromCRL\fR is not particularly useful because it is only used +In practice \fBremoveFromCRL\fR is not particularly useful because it is only used in delta CRLs which are not currently implemented. .IP "\fB\-crl_hold instruction\fR" 4 .IX Item "-crl_hold instruction" @@ -396,7 +436,7 @@ This is the same as \fBcrl_compromise\fR except the revocation reason is set to \&\fBCACompromise\fR. .IP "\fB\-crlexts section\fR" 4 .IX Item "-crlexts section" -the section of the configuration file containing \s-1CRL\s0 extensions to +The section of the configuration file containing \s-1CRL\s0 extensions to include. If no \s-1CRL\s0 extension section is present then a V1 \s-1CRL\s0 is created, if the \s-1CRL\s0 extension section is present (even if it is empty) then a V2 \s-1CRL\s0 is created. The \s-1CRL\s0 extensions specified are @@ -439,48 +479,49 @@ object identifier followed by \fB=\fR and the numerical form. The short and long names are the same when this option is used. .IP "\fBnew_certs_dir\fR" 4 .IX Item "new_certs_dir" -the same as the \fB\-outdir\fR command line option. It specifies +The same as the \fB\-outdir\fR command line option. It specifies the directory where new certificates will be placed. Mandatory. .IP "\fBcertificate\fR" 4 .IX Item "certificate" -the same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0 +The same as \fB\-cert\fR. It gives the file containing the \s-1CA\s0 certificate. Mandatory. .IP "\fBprivate_key\fR" 4 .IX Item "private_key" -same as the \fB\-keyfile\fR option. The file containing the +Same as the \fB\-keyfile\fR option. The file containing the \&\s-1CA\s0 private key. Mandatory. .IP "\fB\s-1RANDFILE\s0\fR" 4 .IX Item "RANDFILE" -a file used to read and write random number seed information, or -an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). +At startup the specified file is loaded into the random number generator, +and at exit 256 bytes will be written to it. .IP "\fBdefault_days\fR" 4 .IX Item "default_days" -the same as the \fB\-days\fR option. The number of days to certify +The same as the \fB\-days\fR option. The number of days to certify a certificate for. .IP "\fBdefault_startdate\fR" 4 .IX Item "default_startdate" -the same as the \fB\-startdate\fR option. The start date to certify +The same as the \fB\-startdate\fR option. The start date to certify a certificate for. If not set the current time is used. .IP "\fBdefault_enddate\fR" 4 .IX Item "default_enddate" -the same as the \fB\-enddate\fR option. Either this option or +The same as the \fB\-enddate\fR option. Either this option or \&\fBdefault_days\fR (or the command line equivalents) must be present. .IP "\fBdefault_crl_hours default_crl_days\fR" 4 .IX Item "default_crl_hours default_crl_days" -the same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These +The same as the \fB\-crlhours\fR and the \fB\-crldays\fR options. These will only be used if neither command line option is present. At least one of these must be present to generate a \s-1CRL.\s0 .IP "\fBdefault_md\fR" 4 .IX Item "default_md" -the same as the \fB\-md\fR option. The message digest to use. Mandatory. +The same as the \fB\-md\fR option. Mandatory except where the signing algorithm does +not require a digest (i.e. Ed25519 and Ed448). .IP "\fBdatabase\fR" 4 .IX Item "database" -the text database file to use. Mandatory. This file must be present +The text database file to use. Mandatory. This file must be present though initially it will be empty. .IP "\fBunique_subject\fR" 4 .IX Item "unique_subject" -if the value \fByes\fR is given, the valid certificate entries in the +If the value \fByes\fR is given, the valid certificate entries in the database must have unique subjects. if the value \fBno\fR is given, several valid certificate entries may have the exact same subject. The default value is \fByes\fR, to be compatible with older (pre 0.9.8) @@ -493,37 +534,37 @@ without any subject. In the case where there are multiple certificates without subjects this does not count as a duplicate. .IP "\fBserial\fR" 4 .IX Item "serial" -a text file containing the next serial number to use in hex. Mandatory. +A text file containing the next serial number to use in hex. Mandatory. This file must be present and contain a valid serial number. .IP "\fBcrlnumber\fR" 4 .IX Item "crlnumber" -a text file containing the next \s-1CRL\s0 number to use in hex. The crl number +A text file containing the next \s-1CRL\s0 number to use in hex. The crl number will be inserted in the CRLs only if this file exists. If this file is present, it must contain a valid \s-1CRL\s0 number. .IP "\fBx509_extensions\fR" 4 .IX Item "x509_extensions" -the same as \fB\-extensions\fR. +The same as \fB\-extensions\fR. .IP "\fBcrl_extensions\fR" 4 .IX Item "crl_extensions" -the same as \fB\-crlexts\fR. +The same as \fB\-crlexts\fR. .IP "\fBpreserve\fR" 4 .IX Item "preserve" -the same as \fB\-preserveDN\fR +The same as \fB\-preserveDN\fR .IP "\fBemail_in_dn\fR" 4 .IX Item "email_in_dn" -the same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed +The same as \fB\-noemailDN\fR. If you want the \s-1EMAIL\s0 field to be removed from the \s-1DN\s0 of the certificate simply set this to 'no'. If not present the default is to allow for the \s-1EMAIL\s0 filed in the certificate's \s-1DN.\s0 .IP "\fBmsie_hack\fR" 4 .IX Item "msie_hack" -the same as \fB\-msie_hack\fR +The same as \fB\-msie_hack\fR .IP "\fBpolicy\fR" 4 .IX Item "policy" -the same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section +The same as \fB\-policy\fR. Mandatory. See the \fB\s-1POLICY FORMAT\s0\fR section for more information. .IP "\fBname_opt\fR, \fBcert_opt\fR" 4 .IX Item "name_opt, cert_opt" -these options allow the format used to display the certificate details +These options allow the format used to display the certificate details when asking the user to confirm signing. All the options supported by the \fBx509\fR utilities \fB\-nameopt\fR and \fB\-certopt\fR switches can be used here, except the \fBno_signame\fR and \fBno_sigdump\fR are permanently set @@ -539,7 +580,7 @@ it only displays fields mentioned in the \fBpolicy\fR section, mishandles multicharacter string types and does not display extensions. .IP "\fBcopy_extensions\fR" 4 .IX Item "copy_extensions" -determines how extensions in certificate requests should be handled. +Determines how extensions in certificate requests should be handled. If set to \fBnone\fR or this option is not present then extensions are ignored and not copied to the certificate. If set to \fBcopy\fR then any extensions present in the request that are not already present are copied @@ -563,7 +604,7 @@ this can be regarded more of a quirk than intended behaviour. .IX Header "SPKAC FORMAT" The input to the \fB\-spkac\fR command line option is a Netscape signed public key and challenge. This will usually come from -the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key. +the \fB\s-1KEYGEN\s0\fR tag in an \s-1HTML\s0 form to create a new private key. It is however possible to create SPKACs using the \fBspkac\fR utility. .PP The file should contain the variable \s-1SPKAC\s0 set to the value of @@ -634,18 +675,19 @@ A sample configuration file with the relevant sections for \fBca\fR: .Vb 2 \& [ ca ] \& default_ca = CA_default # The default ca section -\& +\& \& [ CA_default ] \& \& dir = ./demoCA # top dir \& database = $dir/index.txt # index file. \& new_certs_dir = $dir/newcerts # new certs dir -\& +\& \& certificate = $dir/cacert.pem # The CA cert \& serial = $dir/serial # serial no file +\& #rand_serial = yes # for random serial#\*(Aqs \& private_key = $dir/private/cakey.pem# CA private key \& RANDFILE = $dir/private/.rand # random number file -\& +\& \& default_days = 365 # how long to certify for \& default_crl_days= 30 # how long before next CRL \& default_md = md5 # md to use @@ -683,13 +725,9 @@ The values below reflect the default values. \& ./demoCA/certs \- certificate output file \& ./demoCA/.rnd \- CA random seed information .Ve -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -\&\fB\s-1OPENSSL_CONF\s0\fR reflects the location of master configuration file it can -be overridden by the \fB\-config\fR command line option. .SH "RESTRICTIONS" .IX Header "RESTRICTIONS" -The text database index file is a critical part of the process and +The text database index file is a critical part of the process and if corrupted it can be difficult to fix. It is theoretically possible to rebuild the index file from all the issued certificates and a current \&\s-1CRL:\s0 however there is no option to do this. @@ -697,17 +735,17 @@ to rebuild the index file from all the issued certificates and a current V2 \s-1CRL\s0 features like delta CRLs are not currently supported. .PP Although several requests can be input and handled at once it is only -possible to include one \s-1SPKAC\s0 or self signed certificate. +possible to include one \s-1SPKAC\s0 or self-signed certificate. .SH "BUGS" .IX Header "BUGS" -The use of an in memory text database can cause problems when large +The use of an in-memory text database can cause problems when large numbers of certificates are present because, as the name implies the database has to be kept in memory. .PP The \fBca\fR command really needs rewriting or the required functionality exposed at either a command or interface level so a more friendly utility -(perl script or \s-1GUI\s0) can handle things properly. The scripts \fB\s-1CA\s0.sh\fR and -\&\fB\s-1CA\s0.pl\fR help a little but not very much. +(perl script or \s-1GUI\s0) can handle things properly. The script +\&\fB\s-1CA\s0.pl\fR helps a little but not very much. .PP Any fields in a request that are not present in a policy are silently deleted. This does not happen if the \fB\-preserveDN\fR option is used. To @@ -716,7 +754,7 @@ RFCs, regardless the contents of the request' subject the \fB\-noemailDN\fR option can be used. The behaviour should be more friendly and configurable. .PP -Cancelling some commands by refusing to certify a certificate can +Canceling some commands by refusing to certify a certificate can create an empty file. .SH "WARNINGS" .IX Header "WARNINGS" @@ -734,7 +772,7 @@ The \fBcopy_extensions\fR option should be used with caution. If care is not taken then it can be a security risk. For example if a certificate request contains a basicConstraints extension with \s-1CA:TRUE\s0 and the \&\fBcopy_extensions\fR value is set to \fBcopyall\fR and the user does not spot -this when the certificate is displayed then this will hand the requestor +this when the certificate is displayed then this will hand the requester a valid \s-1CA\s0 certificate. .PP This situation can be avoided by setting \fBcopy_extensions\fR to \fBcopy\fR @@ -753,7 +791,22 @@ For example if the \s-1CA\s0 certificate has: .Ve .PP then even if a certificate is issued with \s-1CA:TRUE\s0 it will not be valid. +.SH "HISTORY" +.IX Header "HISTORY" +Since OpenSSL 1.1.1, the program follows \s-1RFC5280.\s0 Specifically, +certificate validity period (specified by any of \fB\-startdate\fR, +\&\fB\-enddate\fR and \fB\-days\fR) will be encoded as UTCTime if the dates are +earlier than year 2049 (included), and as GeneralizedTime if the dates +are in year 2050 or later. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIreq\fR\|(1), \fIspkac\fR\|(1), \fIx509\fR\|(1), \s-1\fICA\s0.pl\fR\|(1), \&\fIconfig\fR\|(5), \fIx509v3_config\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/ciphers.1 b/secure/usr.bin/openssl/man/ciphers.1 index 322381635569..f9b56e902ce0 100644 --- a/secure/usr.bin/openssl/man/ciphers.1 +++ b/secure/usr.bin/openssl/man/ciphers.1 @@ -129,55 +129,99 @@ .\" ======================================================================== .\" .IX Title "CIPHERS 1" -.TH CIPHERS 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH CIPHERS 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-ciphers, -ciphers \- SSL cipher display and cipher list tool. +openssl\-ciphers, ciphers \- SSL cipher display and cipher list tool .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBciphers\fR +[\fB\-help\fR] +[\fB\-s\fR] [\fB\-v\fR] [\fB\-V\fR] -[\fB\-ssl2\fR] [\fB\-ssl3\fR] [\fB\-tls1\fR] +[\fB\-tls1_1\fR] +[\fB\-tls1_2\fR] +[\fB\-tls1_3\fR] +[\fB\-s\fR] +[\fB\-psk\fR] +[\fB\-srp\fR] +[\fB\-stdname\fR] +[\fB\-convert name\fR] +[\fB\-ciphersuites val\fR] [\fBcipherlist\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBciphers\fR command converts textual OpenSSL cipher lists into ordered \&\s-1SSL\s0 cipher preference lists. It can be used as a test tool to determine the appropriate cipherlist. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print a usage message. +.IP "\fB\-s\fR" 4 +.IX Item "-s" +Only list supported ciphers: those consistent with the security level, and +minimum and maximum protocol version. This is closer to the actual cipher list +an application will support. +.Sp +\&\s-1PSK\s0 and \s-1SRP\s0 ciphers are not enabled by default: they require \fB\-psk\fR or \fB\-srp\fR +to enable them. +.Sp +It also does not change the default list of supported signature algorithms. +.Sp +On a server the list of supported ciphers might also exclude other ciphers +depending on the configured certificates and presence of \s-1DH\s0 parameters. +.Sp +If this option is not used then all ciphers that match the cipherlist will be +listed. +.IP "\fB\-psk\fR" 4 +.IX Item "-psk" +When combined with \fB\-s\fR includes cipher suites which require \s-1PSK.\s0 +.IP "\fB\-srp\fR" 4 +.IX Item "-srp" +When combined with \fB\-s\fR includes cipher suites which require \s-1SRP.\s0 .IP "\fB\-v\fR" 4 .IX Item "-v" -Verbose option. List ciphers with a complete description of -protocol version (SSLv2 or SSLv3; the latter includes \s-1TLS\s0), key exchange, -authentication, encryption and mac algorithms used along with any key size -restrictions and whether the algorithm is classed as an \*(L"export\*(R" cipher. -Note that without the \fB\-v\fR option, ciphers may seem to appear twice -in a cipher list; this is when similar ciphers are available for -\&\s-1SSL\s0 v2 and for \s-1SSL\s0 v3/TLS v1. +Verbose output: For each cipher suite, list details as provided by +\&\fISSL_CIPHER_description\fR\|(3). .IP "\fB\-V\fR" 4 .IX Item "-V" -Like \fB\-v\fR, but include cipher suite codes in output (hex format). -.IP "\fB\-ssl3\fR, \fB\-tls1\fR" 4 -.IX Item "-ssl3, -tls1" -This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2. -.IP "\fB\-ssl2\fR" 4 -.IX Item "-ssl2" -Only include SSLv2 ciphers. -.IP "\fB\-h\fR, \fB\-?\fR" 4 -.IX Item "-h, -?" -Print a brief usage message. +Like \fB\-v\fR, but include the official cipher suite values in hex. +.IP "\fB\-tls1_3\fR, \fB\-tls1_2\fR, \fB\-tls1_1\fR, \fB\-tls1\fR, \fB\-ssl3\fR" 4 +.IX Item "-tls1_3, -tls1_2, -tls1_1, -tls1, -ssl3" +In combination with the \fB\-s\fR option, list the ciphers which could be used if +the specified protocol were negotiated. +Note that not all protocols and flags may be available, depending on how +OpenSSL was built. +.IP "\fB\-stdname\fR" 4 +.IX Item "-stdname" +Precede each cipher suite by its standard name. +.IP "\fB\-convert name\fR" 4 +.IX Item "-convert name" +Convert a standard cipher \fBname\fR to its OpenSSL name. +.IP "\fB\-ciphersuites val\fR" 4 +.IX Item "-ciphersuites val" +Sets the list of TLSv1.3 ciphersuites. This list will be combined with any +TLSv1.2 and below ciphersuites that have been configured. The format for this +list is a simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. By +default this value is: +.Sp +.Vb 1 +\& TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 +.Ve .IP "\fBcipherlist\fR" 4 .IX Item "cipherlist" -A cipher list to convert to a cipher preference list. If it is not included -then the default cipher list will be used. The format is described below. +A cipher list of TLSv1.2 and below ciphersuites to convert to a cipher +preference list. This list will be combined with any TLSv1.3 ciphersuites that +have been configured. If it is not included then the default cipher list will be +used. The format is described below. .SH "CIPHER LIST FORMAT" .IX Header "CIPHER LIST FORMAT" The cipher list consists of one or more \fIcipher strings\fR separated by colons. @@ -215,287 +259,261 @@ as a list of ciphers to be appended to the current preference list. If the list includes any ciphers already present they will be ignored: that is they will not moved to the end of the list. .PP -Additionally the cipher string \fB\f(CB@STRENGTH\fB\fR can be used at any point to sort -the current cipher list in order of encryption algorithm key length. +The cipher string \fB\f(CB@STRENGTH\fB\fR can be used at any point to sort the current +cipher list in order of encryption algorithm key length. +.PP +The cipher string \fB\f(CB@SECLEVEL\fB=n\fR can be used at any point to set the security +level to \fBn\fR, which should be a number between zero and five, inclusive. +See SSL_CTX_set_security_level for a description of what each level means. +.PP +The cipher list can be prefixed with the \fB\s-1DEFAULT\s0\fR keyword, which enables +the default cipher list as defined below. Unlike cipher strings, +this prefix may not be combined with other strings using \fB+\fR character. +For example, \fB\s-1DEFAULT+DES\s0\fR is not valid. +.PP +The content of the default list is determined at compile time and normally +corresponds to \fB\s-1ALL:\s0!COMPLEMENTOFDEFAULT:!eNULL\fR. .SH "CIPHER STRINGS" .IX Header "CIPHER STRINGS" The following is a list of all permitted cipher strings and their meanings. -.IP "\fB\s-1DEFAULT\s0\fR" 4 -.IX Item "DEFAULT" -The default cipher list. -This is determined at compile time and is normally -\&\fB\s-1ALL:\s0!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2\fR. -When used, this must be the first cipherstring specified. .IP "\fB\s-1COMPLEMENTOFDEFAULT\s0\fR" 4 .IX Item "COMPLEMENTOFDEFAULT" -the ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently -this is \fB\s-1ADH\s0\fR and \fB\s-1AECDH\s0\fR. Note that this rule does not cover \fBeNULL\fR, -which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if necessary). +The ciphers included in \fB\s-1ALL\s0\fR, but not enabled by default. Currently +this includes all \s-1RC4\s0 and anonymous ciphers. Note that this rule does +not cover \fBeNULL\fR, which is not included by \fB\s-1ALL\s0\fR (use \fB\s-1COMPLEMENTOFALL\s0\fR if +necessary). Note that \s-1RC4\s0 based cipher suites are not built into OpenSSL by +default (see the enable-weak-ssl-ciphers option to Configure). .IP "\fB\s-1ALL\s0\fR" 4 .IX Item "ALL" -all cipher suites except the \fBeNULL\fR ciphers which must be explicitly enabled; -as of OpenSSL, the \fB\s-1ALL\s0\fR cipher suites are reasonably ordered by default +All cipher suites except the \fBeNULL\fR ciphers (which must be explicitly enabled +if needed). +As of OpenSSL 1.0.0, the \fB\s-1ALL\s0\fR cipher suites are sensibly ordered by default. .IP "\fB\s-1COMPLEMENTOFALL\s0\fR" 4 .IX Item "COMPLEMENTOFALL" -the cipher suites not enabled by \fB\s-1ALL\s0\fR, currently being \fBeNULL\fR. +The cipher suites not enabled by \fB\s-1ALL\s0\fR, currently \fBeNULL\fR. .IP "\fB\s-1HIGH\s0\fR" 4 .IX Item "HIGH" -\&\*(L"high\*(R" encryption cipher suites. This currently means those with key lengths larger -than 128 bits, and some cipher suites with 128\-bit keys. +\&\*(L"High\*(R" encryption cipher suites. This currently means those with key lengths +larger than 128 bits, and some cipher suites with 128\-bit keys. .IP "\fB\s-1MEDIUM\s0\fR" 4 .IX Item "MEDIUM" -\&\*(L"medium\*(R" encryption cipher suites, currently some of those using 128 bit encryption. +\&\*(L"Medium\*(R" encryption cipher suites, currently some of those using 128 bit +encryption. .IP "\fB\s-1LOW\s0\fR" 4 .IX Item "LOW" -Low strength encryption cipher suites, currently those using 64 or 56 bit -encryption algorithms but excluding export cipher suites. -As of OpenSSL 1.0.2g, these are disabled in default builds. -.IP "\fB\s-1EXP\s0\fR, \fB\s-1EXPORT\s0\fR" 4 -.IX Item "EXP, EXPORT" -Export strength encryption algorithms. Including 40 and 56 bits algorithms. -As of OpenSSL 1.0.2g, these are disabled in default builds. -.IP "\fB\s-1EXPORT40\s0\fR" 4 -.IX Item "EXPORT40" -40\-bit export encryption algorithms -As of OpenSSL 1.0.2g, these are disabled in default builds. -.IP "\fB\s-1EXPORT56\s0\fR" 4 -.IX Item "EXPORT56" -56\-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of -56 bit export ciphers is empty unless OpenSSL has been explicitly configured -with support for experimental ciphers. -As of OpenSSL 1.0.2g, these are disabled in default builds. +\&\*(L"Low\*(R" encryption cipher suites, currently those using 64 or 56 bit +encryption algorithms but excluding export cipher suites. All these +cipher suites have been removed as of OpenSSL 1.1.0. .IP "\fBeNULL\fR, \fB\s-1NULL\s0\fR" 4 .IX Item "eNULL, NULL" The \*(L"\s-1NULL\*(R"\s0 ciphers that is those offering no encryption. Because these offer no encryption at all and are a security risk they are not enabled via either the \&\fB\s-1DEFAULT\s0\fR or \fB\s-1ALL\s0\fR cipher strings. Be careful when building cipherlists out of lower-level primitives such as -\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. -When in doubt, include \fB!eNULL\fR in your cipherlist. +\&\fBkRSA\fR or \fBaECDSA\fR as these do overlap with the \fBeNULL\fR ciphers. When in +doubt, include \fB!eNULL\fR in your cipherlist. .IP "\fBaNULL\fR" 4 .IX Item "aNULL" The cipher suites offering no authentication. This is currently the anonymous \&\s-1DH\s0 algorithms and anonymous \s-1ECDH\s0 algorithms. These cipher suites are vulnerable -to a \*(L"man in the middle\*(R" attack and so their use is normally discouraged. +to \*(L"man in the middle\*(R" attacks and so their use is discouraged. These are excluded from the \fB\s-1DEFAULT\s0\fR ciphers, but included in the \fB\s-1ALL\s0\fR ciphers. Be careful when building cipherlists out of lower-level primitives such as \&\fBkDHE\fR or \fB\s-1AES\s0\fR as these do overlap with the \fBaNULL\fR ciphers. When in doubt, include \fB!aNULL\fR in your cipherlist. -.IP "\fBkRSA\fR, \fB\s-1RSA\s0\fR" 4 -.IX Item "kRSA, RSA" -cipher suites using \s-1RSA\s0 key exchange or authentication. \fB\s-1RSA\s0\fR is an alias for +.IP "\fBkRSA\fR, \fBaRSA\fR, \fB\s-1RSA\s0\fR" 4 +.IX Item "kRSA, aRSA, RSA" +Cipher suites using \s-1RSA\s0 key exchange or authentication. \fB\s-1RSA\s0\fR is an alias for \&\fBkRSA\fR. .IP "\fBkDHr\fR, \fBkDHd\fR, \fBkDH\fR" 4 .IX Item "kDHr, kDHd, kDH" -cipher suites using \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs with \s-1RSA\s0 -and \s-1DSS\s0 keys or either respectively. -.IP "\fBkDHE\fR, \fBkEDH\fR" 4 -.IX Item "kDHE, kEDH" -cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher +Cipher suites using static \s-1DH\s0 key agreement and \s-1DH\s0 certificates signed by CAs +with \s-1RSA\s0 and \s-1DSS\s0 keys or either respectively. +All these cipher suites have been removed in OpenSSL 1.1.0. +.IP "\fBkDHE\fR, \fBkEDH\fR, \fB\s-1DH\s0\fR" 4 +.IX Item "kDHE, kEDH, DH" +Cipher suites using ephemeral \s-1DH\s0 key agreement, including anonymous cipher suites. .IP "\fB\s-1DHE\s0\fR, \fB\s-1EDH\s0\fR" 4 .IX Item "DHE, EDH" -cipher suites using authenticated ephemeral \s-1DH\s0 key agreement. +Cipher suites using authenticated ephemeral \s-1DH\s0 key agreement. .IP "\fB\s-1ADH\s0\fR" 4 .IX Item "ADH" -anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic +Anonymous \s-1DH\s0 cipher suites, note that this does not include anonymous Elliptic Curve \s-1DH\s0 (\s-1ECDH\s0) cipher suites. -.IP "\fB\s-1DH\s0\fR" 4 -.IX Item "DH" -cipher suites using \s-1DH,\s0 including anonymous \s-1DH,\s0 ephemeral \s-1DH\s0 and fixed \s-1DH.\s0 -.IP "\fBkECDHr\fR, \fBkECDHe\fR, \fBkECDH\fR" 4 -.IX Item "kECDHr, kECDHe, kECDH" -cipher suites using fixed \s-1ECDH\s0 key agreement signed by CAs with \s-1RSA\s0 and \s-1ECDSA\s0 -keys or either respectively. -.IP "\fBkECDHE\fR, \fBkEECDH\fR" 4 -.IX Item "kECDHE, kEECDH" -cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous +.IP "\fBkEECDH\fR, \fBkECDHE\fR, \fB\s-1ECDH\s0\fR" 4 +.IX Item "kEECDH, kECDHE, ECDH" +Cipher suites using ephemeral \s-1ECDH\s0 key agreement, including anonymous cipher suites. .IP "\fB\s-1ECDHE\s0\fR, \fB\s-1EECDH\s0\fR" 4 .IX Item "ECDHE, EECDH" -cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement. +Cipher suites using authenticated ephemeral \s-1ECDH\s0 key agreement. .IP "\fB\s-1AECDH\s0\fR" 4 .IX Item "AECDH" -anonymous Elliptic Curve Diffie Hellman cipher suites. -.IP "\fB\s-1ECDH\s0\fR" 4 -.IX Item "ECDH" -cipher suites using \s-1ECDH\s0 key exchange, including anonymous, ephemeral and -fixed \s-1ECDH.\s0 -.IP "\fBaRSA\fR" 4 -.IX Item "aRSA" -cipher suites using \s-1RSA\s0 authentication, i.e. the certificates carry \s-1RSA\s0 keys. +Anonymous Elliptic Curve Diffie-Hellman cipher suites. .IP "\fBaDSS\fR, \fB\s-1DSS\s0\fR" 4 .IX Item "aDSS, DSS" -cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys. +Cipher suites using \s-1DSS\s0 authentication, i.e. the certificates carry \s-1DSS\s0 keys. .IP "\fBaDH\fR" 4 .IX Item "aDH" -cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry +Cipher suites effectively using \s-1DH\s0 authentication, i.e. the certificates carry \&\s-1DH\s0 keys. -.IP "\fBaECDH\fR" 4 -.IX Item "aECDH" -cipher suites effectively using \s-1ECDH\s0 authentication, i.e. the certificates -carry \s-1ECDH\s0 keys. +All these cipher suites have been removed in OpenSSL 1.1.0. .IP "\fBaECDSA\fR, \fB\s-1ECDSA\s0\fR" 4 .IX Item "aECDSA, ECDSA" -cipher suites using \s-1ECDSA\s0 authentication, i.e. the certificates carry \s-1ECDSA\s0 +Cipher suites using \s-1ECDSA\s0 authentication, i.e. the certificates carry \s-1ECDSA\s0 keys. -.IP "\fBkFZA\fR, \fBaFZA\fR, \fBeFZA\fR, \fB\s-1FZA\s0\fR" 4 -.IX Item "kFZA, aFZA, eFZA, FZA" -ciphers suites using \s-1FORTEZZA\s0 key exchange, authentication, encryption or all -\&\s-1FORTEZZA\s0 algorithms. Not implemented. -.IP "\fBTLSv1.2\fR, \fBTLSv1\fR, \fBSSLv3\fR, \fBSSLv2\fR" 4 -.IX Item "TLSv1.2, TLSv1, SSLv3, SSLv2" -\&\s-1TLS\s0 v1.2, \s-1TLS\s0 v1.0, \s-1SSL\s0 v3.0 or \s-1SSL\s0 v2.0 cipher suites respectively. Note: -there are no ciphersuites specific to \s-1TLS\s0 v1.1. +.IP "\fBTLSv1.2\fR, \fBTLSv1.0\fR, \fBSSLv3\fR" 4 +.IX Item "TLSv1.2, TLSv1.0, SSLv3" +Lists cipher suites which are only supported in at least \s-1TLS\s0 v1.2, \s-1TLS\s0 v1.0 or +\&\s-1SSL\s0 v3.0 respectively. +Note: there are no cipher suites specific to \s-1TLS\s0 v1.1. +Since this is only the minimum version, if, for example, TLSv1.0 is negotiated +then both TLSv1.0 and SSLv3.0 cipher suites are available. +.Sp +Note: these cipher strings \fBdo not\fR change the negotiated version of \s-1SSL\s0 or +\&\s-1TLS,\s0 they only affect the list of available cipher suites. .IP "\fB\s-1AES128\s0\fR, \fB\s-1AES256\s0\fR, \fB\s-1AES\s0\fR" 4 .IX Item "AES128, AES256, AES" cipher suites using 128 bit \s-1AES, 256\s0 bit \s-1AES\s0 or either 128 or 256 bit \s-1AES.\s0 .IP "\fB\s-1AESGCM\s0\fR" 4 .IX Item "AESGCM" -\&\s-1AES\s0 in Galois Counter Mode (\s-1GCM\s0): these ciphersuites are only supported +\&\s-1AES\s0 in Galois Counter Mode (\s-1GCM\s0): these cipher suites are only supported in \s-1TLS\s0 v1.2. +.IP "\fB\s-1AESCCM\s0\fR, \fB\s-1AESCCM8\s0\fR" 4 +.IX Item "AESCCM, AESCCM8" +\&\s-1AES\s0 in Cipher Block Chaining \- Message Authentication Mode (\s-1CCM\s0): these +cipher suites are only supported in \s-1TLS\s0 v1.2. \fB\s-1AESCCM\s0\fR references \s-1CCM\s0 +cipher suites using both 16 and 8 octet Integrity Check Value (\s-1ICV\s0) +while \fB\s-1AESCCM8\s0\fR only references 8 octet \s-1ICV.\s0 +.IP "\fB\s-1ARIA128\s0\fR, \fB\s-1ARIA256\s0\fR, \fB\s-1ARIA\s0\fR" 4 +.IX Item "ARIA128, ARIA256, ARIA" +Cipher suites using 128 bit \s-1ARIA, 256\s0 bit \s-1ARIA\s0 or either 128 or 256 bit +\&\s-1ARIA.\s0 .IP "\fB\s-1CAMELLIA128\s0\fR, \fB\s-1CAMELLIA256\s0\fR, \fB\s-1CAMELLIA\s0\fR" 4 .IX Item "CAMELLIA128, CAMELLIA256, CAMELLIA" -cipher suites using 128 bit \s-1CAMELLIA, 256\s0 bit \s-1CAMELLIA\s0 or either 128 or 256 bit +Cipher suites using 128 bit \s-1CAMELLIA, 256\s0 bit \s-1CAMELLIA\s0 or either 128 or 256 bit \&\s-1CAMELLIA.\s0 +.IP "\fB\s-1CHACHA20\s0\fR" 4 +.IX Item "CHACHA20" +Cipher suites using ChaCha20. .IP "\fB3DES\fR" 4 .IX Item "3DES" -cipher suites using triple \s-1DES.\s0 +Cipher suites using triple \s-1DES.\s0 .IP "\fB\s-1DES\s0\fR" 4 .IX Item "DES" -cipher suites using \s-1DES\s0 (not triple \s-1DES\s0). +Cipher suites using \s-1DES\s0 (not triple \s-1DES\s0). +All these cipher suites have been removed in OpenSSL 1.1.0. .IP "\fB\s-1RC4\s0\fR" 4 .IX Item "RC4" -cipher suites using \s-1RC4.\s0 +Cipher suites using \s-1RC4.\s0 .IP "\fB\s-1RC2\s0\fR" 4 .IX Item "RC2" -cipher suites using \s-1RC2.\s0 +Cipher suites using \s-1RC2.\s0 .IP "\fB\s-1IDEA\s0\fR" 4 .IX Item "IDEA" -cipher suites using \s-1IDEA.\s0 +Cipher suites using \s-1IDEA.\s0 .IP "\fB\s-1SEED\s0\fR" 4 .IX Item "SEED" -cipher suites using \s-1SEED.\s0 +Cipher suites using \s-1SEED.\s0 .IP "\fB\s-1MD5\s0\fR" 4 .IX Item "MD5" -cipher suites using \s-1MD5.\s0 +Cipher suites using \s-1MD5.\s0 .IP "\fB\s-1SHA1\s0\fR, \fB\s-1SHA\s0\fR" 4 .IX Item "SHA1, SHA" -cipher suites using \s-1SHA1.\s0 +Cipher suites using \s-1SHA1.\s0 .IP "\fB\s-1SHA256\s0\fR, \fB\s-1SHA384\s0\fR" 4 .IX Item "SHA256, SHA384" -ciphersuites using \s-1SHA256\s0 or \s-1SHA384.\s0 +Cipher suites using \s-1SHA256\s0 or \s-1SHA384.\s0 .IP "\fBaGOST\fR" 4 .IX Item "aGOST" -cipher suites using \s-1GOST R 34.10\s0 (either 2001 or 94) for authenticaction +Cipher suites using \s-1GOST R 34.10\s0 (either 2001 or 94) for authentication (needs an engine supporting \s-1GOST\s0 algorithms). .IP "\fBaGOST01\fR" 4 .IX Item "aGOST01" -cipher suites using \s-1GOST R 34.10\-2001\s0 authentication. -.IP "\fBaGOST94\fR" 4 -.IX Item "aGOST94" -cipher suites using \s-1GOST R 34.10\-94\s0 authentication (note that R 34.10\-94 -standard has been expired so use \s-1GOST R 34.10\-2001\s0) +Cipher suites using \s-1GOST R 34.10\-2001\s0 authentication. .IP "\fBkGOST\fR" 4 .IX Item "kGOST" -cipher suites, using \s-1VKO 34.10\s0 key exchange, specified in the \s-1RFC 4357.\s0 +Cipher suites, using \s-1VKO 34.10\s0 key exchange, specified in the \s-1RFC 4357.\s0 .IP "\fB\s-1GOST94\s0\fR" 4 .IX Item "GOST94" -cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0 +Cipher suites, using \s-1HMAC\s0 based on \s-1GOST R 34.11\-94.\s0 .IP "\fB\s-1GOST89MAC\s0\fR" 4 .IX Item "GOST89MAC" -cipher suites using \s-1GOST 28147\-89 MAC\s0 \fBinstead of\fR \s-1HMAC.\s0 +Cipher suites using \s-1GOST 28147\-89 MAC\s0 \fBinstead of\fR \s-1HMAC.\s0 .IP "\fB\s-1PSK\s0\fR" 4 .IX Item "PSK" -cipher suites using pre-shared keys (\s-1PSK\s0). +All cipher suites using pre-shared keys (\s-1PSK\s0). +.IP "\fBkPSK\fR, \fBkECDHEPSK\fR, \fBkDHEPSK\fR, \fBkRSAPSK\fR" 4 +.IX Item "kPSK, kECDHEPSK, kDHEPSK, kRSAPSK" +Cipher suites using \s-1PSK\s0 key exchange, \s-1ECDHE_PSK, DHE_PSK\s0 or \s-1RSA_PSK.\s0 +.IP "\fBaPSK\fR" 4 +.IX Item "aPSK" +Cipher suites using \s-1PSK\s0 authentication (currently all \s-1PSK\s0 modes apart from +\&\s-1RSA_PSK\s0). .IP "\fB\s-1SUITEB128\s0\fR, \fB\s-1SUITEB128ONLY\s0\fR, \fB\s-1SUITEB192\s0\fR" 4 .IX Item "SUITEB128, SUITEB128ONLY, SUITEB192" -enables suite B mode operation using 128 (permitting 192 bit mode by peer) +Enables suite B mode of operation using 128 (permitting 192 bit mode by peer) 128 bit (not permitting 192 bit by peer) or 192 bit level of security -respectively. If used these cipherstrings should appear first in the cipher -list and anything after them is ignored. Setting Suite B mode has additional -consequences required to comply with \s-1RFC6460.\s0 In particular the supported -signature algorithms is reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0 -only the elliptic curves P\-256 and P\-384 can be used and only the two suite B -compliant ciphersuites (\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and -\&\s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are permissible. +respectively. +If used these cipherstrings should appear first in the cipher +list and anything after them is ignored. +Setting Suite B mode has additional consequences required to comply with +\&\s-1RFC6460.\s0 +In particular the supported signature algorithms is reduced to support only +\&\s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384,\s0 only the elliptic curves P\-256 and P\-384 can be +used and only the two suite B compliant cipher suites +(\s-1ECDHE\-ECDSA\-AES128\-GCM\-SHA256\s0 and \s-1ECDHE\-ECDSA\-AES256\-GCM\-SHA384\s0) are +permissible. .SH "CIPHER SUITE NAMES" .IX Header "CIPHER SUITE NAMES" The following lists give the \s-1SSL\s0 or \s-1TLS\s0 cipher suites names from the relevant specification and their OpenSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. -.SS "\s-1SSL\s0 v3.0 cipher suites." -.IX Subsection "SSL v3.0 cipher suites." -.Vb 10 +.SS "\s-1SSL\s0 v3.0 cipher suites" +.IX Subsection "SSL v3.0 cipher suites" +.Vb 6 \& SSL_RSA_WITH_NULL_MD5 NULL\-MD5 \& SSL_RSA_WITH_NULL_SHA NULL\-SHA -\& SSL_RSA_EXPORT_WITH_RC4_40_MD5 EXP\-RC4\-MD5 \& SSL_RSA_WITH_RC4_128_MD5 RC4\-MD5 \& SSL_RSA_WITH_RC4_128_SHA RC4\-SHA -\& SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP\-RC2\-CBC\-MD5 \& SSL_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA -\& SSL_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-DES\-CBC\-SHA -\& SSL_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA \& SSL_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA \& -\& SSL_DH_DSS_WITH_DES_CBC_SHA DH\-DSS\-DES\-CBC\-SHA \& SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA DH\-DSS\-DES\-CBC3\-SHA -\& SSL_DH_RSA_WITH_DES_CBC_SHA DH\-RSA\-DES\-CBC\-SHA \& SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA DH\-RSA\-DES\-CBC3\-SHA -\& SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA -\& SSL_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA -\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA -\& SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-RSA\-DES\-CBC\-SHA -\& SSL_DHE_RSA_WITH_DES_CBC_SHA EDH\-RSA\-DES\-CBC\-SHA -\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA +\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA +\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA \& -\& SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP\-ADH\-RC4\-MD5 \& SSL_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5 -\& SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP\-ADH\-DES\-CBC\-SHA -\& SSL_DH_anon_WITH_DES_CBC_SHA ADH\-DES\-CBC\-SHA \& SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA \& \& SSL_FORTEZZA_KEA_WITH_NULL_SHA Not implemented. \& SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA Not implemented. \& SSL_FORTEZZA_KEA_WITH_RC4_128_SHA Not implemented. .Ve -.SS "\s-1TLS\s0 v1.0 cipher suites." -.IX Subsection "TLS v1.0 cipher suites." -.Vb 10 +.SS "\s-1TLS\s0 v1.0 cipher suites" +.IX Subsection "TLS v1.0 cipher suites" +.Vb 6 \& TLS_RSA_WITH_NULL_MD5 NULL\-MD5 \& TLS_RSA_WITH_NULL_SHA NULL\-SHA -\& TLS_RSA_EXPORT_WITH_RC4_40_MD5 EXP\-RC4\-MD5 \& TLS_RSA_WITH_RC4_128_MD5 RC4\-MD5 \& TLS_RSA_WITH_RC4_128_SHA RC4\-SHA -\& TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 EXP\-RC2\-CBC\-MD5 \& TLS_RSA_WITH_IDEA_CBC_SHA IDEA\-CBC\-SHA -\& TLS_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-DES\-CBC\-SHA -\& TLS_RSA_WITH_DES_CBC_SHA DES\-CBC\-SHA \& TLS_RSA_WITH_3DES_EDE_CBC_SHA DES\-CBC3\-SHA \& -\& TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA Not implemented. -\& TLS_DH_DSS_WITH_DES_CBC_SHA Not implemented. \& TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented. -\& TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA Not implemented. -\& TLS_DH_RSA_WITH_DES_CBC_SHA Not implemented. \& TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA Not implemented. -\& TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-DSS\-DES\-CBC\-SHA -\& TLS_DHE_DSS_WITH_DES_CBC_SHA EDH\-DSS\-CBC\-SHA -\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA -\& TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA EXP\-EDH\-RSA\-DES\-CBC\-SHA -\& TLS_DHE_RSA_WITH_DES_CBC_SHA EDH\-RSA\-DES\-CBC\-SHA -\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA +\& TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE\-DSS\-DES\-CBC3\-SHA +\& TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DHE\-RSA\-DES\-CBC3\-SHA \& -\& TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 EXP\-ADH\-RC4\-MD5 \& TLS_DH_anon_WITH_RC4_128_MD5 ADH\-RC4\-MD5 -\& TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA EXP\-ADH\-DES\-CBC\-SHA -\& TLS_DH_anon_WITH_DES_CBC_SHA ADH\-DES\-CBC\-SHA \& TLS_DH_anon_WITH_3DES_EDE_CBC_SHA ADH\-DES\-CBC3\-SHA .Ve -.SS "\s-1AES\s0 ciphersuites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0" -.IX Subsection "AES ciphersuites from RFC3268, extending TLS v1.0" +.SS "\s-1AES\s0 cipher suites from \s-1RFC3268,\s0 extending \s-1TLS\s0 v1.0" +.IX Subsection "AES cipher suites from RFC3268, extending TLS v1.0" .Vb 2 \& TLS_RSA_WITH_AES_128_CBC_SHA AES128\-SHA \& TLS_RSA_WITH_AES_256_CBC_SHA AES256\-SHA @@ -513,8 +531,8 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. \& TLS_DH_anon_WITH_AES_128_CBC_SHA ADH\-AES128\-SHA \& TLS_DH_anon_WITH_AES_256_CBC_SHA ADH\-AES256\-SHA .Ve -.SS "Camellia ciphersuites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0" -.IX Subsection "Camellia ciphersuites from RFC4132, extending TLS v1.0" +.SS "Camellia cipher suites from \s-1RFC4132,\s0 extending \s-1TLS\s0 v1.0" +.IX Subsection "Camellia cipher suites from RFC4132, extending TLS v1.0" .Vb 2 \& TLS_RSA_WITH_CAMELLIA_128_CBC_SHA CAMELLIA128\-SHA \& TLS_RSA_WITH_CAMELLIA_256_CBC_SHA CAMELLIA256\-SHA @@ -532,8 +550,8 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. \& TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA ADH\-CAMELLIA128\-SHA \& TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA ADH\-CAMELLIA256\-SHA .Ve -.SS "\s-1SEED\s0 ciphersuites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0" -.IX Subsection "SEED ciphersuites from RFC4162, extending TLS v1.0" +.SS "\s-1SEED\s0 cipher suites from \s-1RFC4162,\s0 extending \s-1TLS\s0 v1.0" +.IX Subsection "SEED cipher suites from RFC4162, extending TLS v1.0" .Vb 1 \& TLS_RSA_WITH_SEED_CBC_SHA SEED\-SHA \& @@ -545,8 +563,8 @@ e.g. \s-1DES\-CBC3\-SHA.\s0 In these cases, \s-1RSA\s0 authentication is used. \& \& TLS_DH_anon_WITH_SEED_CBC_SHA ADH\-SEED\-SHA .Ve -.SS "\s-1GOST\s0 ciphersuites from draft-chudov-cryptopro-cptls, extending \s-1TLS\s0 v1.0" -.IX Subsection "GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0" +.SS "\s-1GOST\s0 cipher suites from draft-chudov-cryptopro-cptls, extending \s-1TLS\s0 v1.0" +.IX Subsection "GOST cipher suites from draft-chudov-cryptopro-cptls, extending TLS v1.0" Note: these ciphers require an engine which including \s-1GOST\s0 cryptographic algorithms, such as the \fBccgost\fR engine, included in the OpenSSL distribution. .PP @@ -560,28 +578,12 @@ algorithms, such as the \fBccgost\fR engine, included in the OpenSSL distributio .IX Subsection "Additional Export 1024 and other cipher suites" Note: these ciphers can also be used in \s-1SSL\s0 v3. .PP -.Vb 5 -\& TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA EXP1024\-DES\-CBC\-SHA -\& TLS_RSA_EXPORT1024_WITH_RC4_56_SHA EXP1024\-RC4\-SHA -\& TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA EXP1024\-DHE\-DSS\-DES\-CBC\-SHA -\& TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024\-DHE\-DSS\-RC4\-SHA +.Vb 1 \& TLS_DHE_DSS_WITH_RC4_128_SHA DHE\-DSS\-RC4\-SHA .Ve .SS "Elliptic curve cipher suites." .IX Subsection "Elliptic curve cipher suites." .Vb 5 -\& TLS_ECDH_RSA_WITH_NULL_SHA ECDH\-RSA\-NULL\-SHA -\& TLS_ECDH_RSA_WITH_RC4_128_SHA ECDH\-RSA\-RC4\-SHA -\& TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ECDH\-RSA\-DES\-CBC3\-SHA -\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH\-RSA\-AES128\-SHA -\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH\-RSA\-AES256\-SHA -\& -\& TLS_ECDH_ECDSA_WITH_NULL_SHA ECDH\-ECDSA\-NULL\-SHA -\& TLS_ECDH_ECDSA_WITH_RC4_128_SHA ECDH\-ECDSA\-RC4\-SHA -\& TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH\-ECDSA\-DES\-CBC3\-SHA -\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH\-ECDSA\-AES128\-SHA -\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH\-ECDSA\-AES256\-SHA -\& \& TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE\-RSA\-NULL\-SHA \& TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE\-RSA\-RC4\-SHA \& TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE\-RSA\-DES\-CBC3\-SHA @@ -630,16 +632,6 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3. \& TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE\-DSS\-AES128\-GCM\-SHA256 \& TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE\-DSS\-AES256\-GCM\-SHA384 \& -\& TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH\-RSA\-AES128\-SHA256 -\& TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH\-RSA\-AES256\-SHA384 -\& TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH\-RSA\-AES128\-GCM\-SHA256 -\& TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH\-RSA\-AES256\-GCM\-SHA384 -\& -\& TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH\-ECDSA\-AES128\-SHA256 -\& TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH\-ECDSA\-AES256\-SHA384 -\& TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH\-ECDSA\-AES128\-GCM\-SHA256 -\& TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH\-ECDSA\-AES256\-GCM\-SHA384 -\& \& TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE\-RSA\-AES128\-SHA256 \& TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE\-RSA\-AES256\-SHA384 \& TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE\-RSA\-AES128\-GCM\-SHA256 @@ -654,25 +646,152 @@ Note: these ciphers can also be used in \s-1SSL\s0 v3. \& TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH\-AES256\-SHA256 \& TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH\-AES128\-GCM\-SHA256 \& TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH\-AES256\-GCM\-SHA384 +\& +\& RSA_WITH_AES_128_CCM AES128\-CCM +\& RSA_WITH_AES_256_CCM AES256\-CCM +\& DHE_RSA_WITH_AES_128_CCM DHE\-RSA\-AES128\-CCM +\& DHE_RSA_WITH_AES_256_CCM DHE\-RSA\-AES256\-CCM +\& RSA_WITH_AES_128_CCM_8 AES128\-CCM8 +\& RSA_WITH_AES_256_CCM_8 AES256\-CCM8 +\& DHE_RSA_WITH_AES_128_CCM_8 DHE\-RSA\-AES128\-CCM8 +\& DHE_RSA_WITH_AES_256_CCM_8 DHE\-RSA\-AES256\-CCM8 +\& ECDHE_ECDSA_WITH_AES_128_CCM ECDHE\-ECDSA\-AES128\-CCM +\& ECDHE_ECDSA_WITH_AES_256_CCM ECDHE\-ECDSA\-AES256\-CCM +\& ECDHE_ECDSA_WITH_AES_128_CCM_8 ECDHE\-ECDSA\-AES128\-CCM8 +\& ECDHE_ECDSA_WITH_AES_256_CCM_8 ECDHE\-ECDSA\-AES256\-CCM8 .Ve -.SS "Pre shared keying (\s-1PSK\s0) cipheruites" -.IX Subsection "Pre shared keying (PSK) cipheruites" +.SS "\s-1ARIA\s0 cipher suites from \s-1RFC6209,\s0 extending \s-1TLS\s0 v1.2" +.IX Subsection "ARIA cipher suites from RFC6209, extending TLS v1.2" +Note: the \s-1CBC\s0 modes mentioned in this \s-1RFC\s0 are not supported. +.PP +.Vb 10 +\& TLS_RSA_WITH_ARIA_128_GCM_SHA256 ARIA128\-GCM\-SHA256 +\& TLS_RSA_WITH_ARIA_256_GCM_SHA384 ARIA256\-GCM\-SHA384 +\& TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 DHE\-RSA\-ARIA128\-GCM\-SHA256 +\& TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 DHE\-RSA\-ARIA256\-GCM\-SHA384 +\& TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 DHE\-DSS\-ARIA128\-GCM\-SHA256 +\& TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 DHE\-DSS\-ARIA256\-GCM\-SHA384 +\& TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ECDSA\-ARIA128\-GCM\-SHA256 +\& TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ECDSA\-ARIA256\-GCM\-SHA384 +\& TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 ECDHE\-ARIA128\-GCM\-SHA256 +\& TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 ECDHE\-ARIA256\-GCM\-SHA384 +\& TLS_PSK_WITH_ARIA_128_GCM_SHA256 PSK\-ARIA128\-GCM\-SHA256 +\& TLS_PSK_WITH_ARIA_256_GCM_SHA384 PSK\-ARIA256\-GCM\-SHA384 +\& TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 DHE\-PSK\-ARIA128\-GCM\-SHA256 +\& TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 DHE\-PSK\-ARIA256\-GCM\-SHA384 +\& TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 RSA\-PSK\-ARIA128\-GCM\-SHA256 +\& TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 RSA\-PSK\-ARIA256\-GCM\-SHA384 +.Ve +.SS "Camellia HMAC-Based cipher suites from \s-1RFC6367,\s0 extending \s-1TLS\s0 v1.2" +.IX Subsection "Camellia HMAC-Based cipher suites from RFC6367, extending TLS v1.2" .Vb 4 -\& TLS_PSK_WITH_RC4_128_SHA PSK\-RC4\-SHA -\& TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK\-3DES\-EDE\-CBC\-SHA -\& TLS_PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA -\& TLS_PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA +\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-ECDSA\-CAMELLIA128\-SHA256 +\& TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-ECDSA\-CAMELLIA256\-SHA384 +\& TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-RSA\-CAMELLIA128\-SHA256 +\& TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-RSA\-CAMELLIA256\-SHA384 .Ve -.SS "Deprecated \s-1SSL\s0 v2.0 cipher suites." -.IX Subsection "Deprecated SSL v2.0 cipher suites." +.SS "Pre-shared keying (\s-1PSK\s0) cipher suites" +.IX Subsection "Pre-shared keying (PSK) cipher suites" +.Vb 3 +\& PSK_WITH_NULL_SHA PSK\-NULL\-SHA +\& DHE_PSK_WITH_NULL_SHA DHE\-PSK\-NULL\-SHA +\& RSA_PSK_WITH_NULL_SHA RSA\-PSK\-NULL\-SHA +\& +\& PSK_WITH_RC4_128_SHA PSK\-RC4\-SHA +\& PSK_WITH_3DES_EDE_CBC_SHA PSK\-3DES\-EDE\-CBC\-SHA +\& PSK_WITH_AES_128_CBC_SHA PSK\-AES128\-CBC\-SHA +\& PSK_WITH_AES_256_CBC_SHA PSK\-AES256\-CBC\-SHA +\& +\& DHE_PSK_WITH_RC4_128_SHA DHE\-PSK\-RC4\-SHA +\& DHE_PSK_WITH_3DES_EDE_CBC_SHA DHE\-PSK\-3DES\-EDE\-CBC\-SHA +\& DHE_PSK_WITH_AES_128_CBC_SHA DHE\-PSK\-AES128\-CBC\-SHA +\& DHE_PSK_WITH_AES_256_CBC_SHA DHE\-PSK\-AES256\-CBC\-SHA +\& +\& RSA_PSK_WITH_RC4_128_SHA RSA\-PSK\-RC4\-SHA +\& RSA_PSK_WITH_3DES_EDE_CBC_SHA RSA\-PSK\-3DES\-EDE\-CBC\-SHA +\& RSA_PSK_WITH_AES_128_CBC_SHA RSA\-PSK\-AES128\-CBC\-SHA +\& RSA_PSK_WITH_AES_256_CBC_SHA RSA\-PSK\-AES256\-CBC\-SHA +\& +\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256 +\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384 +\& DHE_PSK_WITH_AES_128_GCM_SHA256 DHE\-PSK\-AES128\-GCM\-SHA256 +\& DHE_PSK_WITH_AES_256_GCM_SHA384 DHE\-PSK\-AES256\-GCM\-SHA384 +\& RSA_PSK_WITH_AES_128_GCM_SHA256 RSA\-PSK\-AES128\-GCM\-SHA256 +\& RSA_PSK_WITH_AES_256_GCM_SHA384 RSA\-PSK\-AES256\-GCM\-SHA384 +\& +\& PSK_WITH_AES_128_CBC_SHA256 PSK\-AES128\-CBC\-SHA256 +\& PSK_WITH_AES_256_CBC_SHA384 PSK\-AES256\-CBC\-SHA384 +\& PSK_WITH_NULL_SHA256 PSK\-NULL\-SHA256 +\& PSK_WITH_NULL_SHA384 PSK\-NULL\-SHA384 +\& DHE_PSK_WITH_AES_128_CBC_SHA256 DHE\-PSK\-AES128\-CBC\-SHA256 +\& DHE_PSK_WITH_AES_256_CBC_SHA384 DHE\-PSK\-AES256\-CBC\-SHA384 +\& DHE_PSK_WITH_NULL_SHA256 DHE\-PSK\-NULL\-SHA256 +\& DHE_PSK_WITH_NULL_SHA384 DHE\-PSK\-NULL\-SHA384 +\& RSA_PSK_WITH_AES_128_CBC_SHA256 RSA\-PSK\-AES128\-CBC\-SHA256 +\& RSA_PSK_WITH_AES_256_CBC_SHA384 RSA\-PSK\-AES256\-CBC\-SHA384 +\& RSA_PSK_WITH_NULL_SHA256 RSA\-PSK\-NULL\-SHA256 +\& RSA_PSK_WITH_NULL_SHA384 RSA\-PSK\-NULL\-SHA384 +\& PSK_WITH_AES_128_GCM_SHA256 PSK\-AES128\-GCM\-SHA256 +\& PSK_WITH_AES_256_GCM_SHA384 PSK\-AES256\-GCM\-SHA384 +\& +\& ECDHE_PSK_WITH_RC4_128_SHA ECDHE\-PSK\-RC4\-SHA +\& ECDHE_PSK_WITH_3DES_EDE_CBC_SHA ECDHE\-PSK\-3DES\-EDE\-CBC\-SHA +\& ECDHE_PSK_WITH_AES_128_CBC_SHA ECDHE\-PSK\-AES128\-CBC\-SHA +\& ECDHE_PSK_WITH_AES_256_CBC_SHA ECDHE\-PSK\-AES256\-CBC\-SHA +\& ECDHE_PSK_WITH_AES_128_CBC_SHA256 ECDHE\-PSK\-AES128\-CBC\-SHA256 +\& ECDHE_PSK_WITH_AES_256_CBC_SHA384 ECDHE\-PSK\-AES256\-CBC\-SHA384 +\& ECDHE_PSK_WITH_NULL_SHA ECDHE\-PSK\-NULL\-SHA +\& ECDHE_PSK_WITH_NULL_SHA256 ECDHE\-PSK\-NULL\-SHA256 +\& ECDHE_PSK_WITH_NULL_SHA384 ECDHE\-PSK\-NULL\-SHA384 +\& +\& PSK_WITH_CAMELLIA_128_CBC_SHA256 PSK\-CAMELLIA128\-SHA256 +\& PSK_WITH_CAMELLIA_256_CBC_SHA384 PSK\-CAMELLIA256\-SHA384 +\& +\& DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 DHE\-PSK\-CAMELLIA128\-SHA256 +\& DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 DHE\-PSK\-CAMELLIA256\-SHA384 +\& +\& RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 RSA\-PSK\-CAMELLIA128\-SHA256 +\& RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 RSA\-PSK\-CAMELLIA256\-SHA384 +\& +\& ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 ECDHE\-PSK\-CAMELLIA128\-SHA256 +\& ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 ECDHE\-PSK\-CAMELLIA256\-SHA384 +\& +\& PSK_WITH_AES_128_CCM PSK\-AES128\-CCM +\& PSK_WITH_AES_256_CCM PSK\-AES256\-CCM +\& DHE_PSK_WITH_AES_128_CCM DHE\-PSK\-AES128\-CCM +\& DHE_PSK_WITH_AES_256_CCM DHE\-PSK\-AES256\-CCM +\& PSK_WITH_AES_128_CCM_8 PSK\-AES128\-CCM8 +\& PSK_WITH_AES_256_CCM_8 PSK\-AES256\-CCM8 +\& DHE_PSK_WITH_AES_128_CCM_8 DHE\-PSK\-AES128\-CCM8 +\& DHE_PSK_WITH_AES_256_CCM_8 DHE\-PSK\-AES256\-CCM8 +.Ve +.SS "ChaCha20\-Poly1305 cipher suites, extending \s-1TLS\s0 v1.2" +.IX Subsection "ChaCha20-Poly1305 cipher suites, extending TLS v1.2" .Vb 7 -\& SSL_CK_RC4_128_WITH_MD5 RC4\-MD5 -\& SSL_CK_RC4_128_EXPORT40_WITH_MD5 Not implemented. -\& SSL_CK_RC2_128_CBC_WITH_MD5 RC2\-CBC\-MD5 -\& SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 Not implemented. -\& SSL_CK_IDEA_128_CBC_WITH_MD5 IDEA\-CBC\-MD5 -\& SSL_CK_DES_64_CBC_WITH_MD5 Not implemented. -\& SSL_CK_DES_192_EDE3_CBC_WITH_MD5 DES\-CBC3\-MD5 +\& TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-RSA\-CHACHA20\-POLY1305 +\& TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-ECDSA\-CHACHA20\-POLY1305 +\& TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 DHE\-RSA\-CHACHA20\-POLY1305 +\& TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 PSK\-CHACHA20\-POLY1305 +\& TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 ECDHE\-PSK\-CHACHA20\-POLY1305 +\& TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 DHE\-PSK\-CHACHA20\-POLY1305 +\& TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 RSA\-PSK\-CHACHA20\-POLY1305 +.Ve +.SS "\s-1TLS\s0 v1.3 cipher suites" +.IX Subsection "TLS v1.3 cipher suites" +.Vb 5 +\& TLS_AES_128_GCM_SHA256 TLS_AES_128_GCM_SHA256 +\& TLS_AES_256_GCM_SHA384 TLS_AES_256_GCM_SHA384 +\& TLS_CHACHA20_POLY1305_SHA256 TLS_CHACHA20_POLY1305_SHA256 +\& TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_SHA256 +\& TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_8_SHA256 +.Ve +.SS "Older names used by OpenSSL" +.IX Subsection "Older names used by OpenSSL" +The following names are accepted by older releases: +.PP +.Vb 2 +\& SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA EDH\-RSA\-DES\-CBC3\-SHA (DHE\-RSA\-DES\-CBC3\-SHA) +\& SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA EDH\-DSS\-DES\-CBC3\-SHA (DHE\-DSS\-DES\-CBC3\-SHA) .Ve .SH "NOTES" .IX Header "NOTES" @@ -712,17 +831,34 @@ Include all \s-1RC4\s0 ciphers but leave out those without authentication: \& openssl ciphers \-v \*(AqRC4:!COMPLEMENTOFDEFAULT\*(Aq .Ve .PP -Include all chiphers with \s-1RSA\s0 authentication but leave out ciphers without +Include all ciphers with \s-1RSA\s0 authentication but leave out ciphers without encryption. .PP .Vb 1 \& openssl ciphers \-v \*(AqRSA:!COMPLEMENTOFALL\*(Aq .Ve +.PP +Set security level to 2 and display all ciphers consistent with level 2: +.PP +.Vb 1 +\& openssl ciphers \-s \-v \*(AqALL:@SECLEVEL=2\*(Aq +.Ve .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(3) +\&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIssl\fR\|(7) .SH "HISTORY" .IX Header "HISTORY" -The \fB\s-1COMPLENTOFALL\s0\fR and \fB\s-1COMPLEMENTOFDEFAULT\s0\fR selection options -for cipherlist strings were added in OpenSSL 0.9.7. The \fB\-V\fR option for the \fBciphers\fR command was added in OpenSSL 1.0.0. +.PP +The \fB\-stdname\fR is only available if OpenSSL is built with tracing enabled +(\fBenable-ssl-trace\fR argument to Configure) before OpenSSL 1.1.1. +.PP +The \fB\-convert\fR was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/cms.1 b/secure/usr.bin/openssl/man/cms.1 index fe2bb714a92c..7f29de61d0ea 100644 --- a/secure/usr.bin/openssl/man/cms.1 +++ b/secure/usr.bin/openssl/man/cms.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "CMS 1" -.TH CMS 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH CMS 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-cms, -cms \- CMS utility +openssl\-cms, cms \- CMS utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBcms\fR +[\fB\-help\fR] [\fB\-encrypt\fR] [\fB\-decrypt\fR] [\fB\-sign\fR] @@ -168,22 +168,54 @@ cms \- CMS utility [\fB\-print\fR] [\fB\-CAfile file\fR] [\fB\-CApath dir\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-no_check_time\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] [\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level num\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-x509_strict\fR] [\fB\-md digest\fR] -[\fB\-[cipher]\fR] +[\fB\-\f(BIcipher\fB\fR] [\fB\-nointern\fR] -[\fB\-no_signer_cert_verify\fR] +[\fB\-noverify\fR] [\fB\-nocerts\fR] [\fB\-noattr\fR] [\fB\-nosmimecap\fR] [\fB\-binary\fR] +[\fB\-crlfeol\fR] +[\fB\-asciicrlf\fR] [\fB\-nodetach\fR] [\fB\-certfile file\fR] [\fB\-certsout file\fR] [\fB\-signer file\fR] [\fB\-recip file\fR] [\fB\-keyid\fR] -[\fB\-receipt_request_all \-receipt_request_first\fR] +[\fB\-receipt_request_all\fR] +[\fB\-receipt_request_first\fR] [\fB\-receipt_request_from emailaddress\fR] [\fB\-receipt_request_to emailaddress\fR] [\fB\-receipt_request_print\fR] @@ -193,7 +225,8 @@ cms \- CMS utility [\fB\-inkey file\fR] [\fB\-keyopt name:parameter\fR] [\fB\-passin arg\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fBcert.pem...\fR] [\fB\-to addr\fR] [\fB\-from addr\fR] @@ -203,14 +236,17 @@ cms \- CMS utility .IX Header "DESCRIPTION" The \fBcms\fR command handles S/MIME v3.1 mail. It can encrypt, decrypt, sign and verify, compress and uncompress S/MIME messages. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" There are fourteen operation options that set the type of operation to be performed. The meaning of the other options varies according to the operation type. +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-encrypt\fR" 4 .IX Item "-encrypt" -encrypt mail for the given recipient certificates. Input file is the message +Encrypt mail for the given recipient certificates. Input file is the message to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. The actual \s-1CMS\s0 type is EnvelopedData. .Sp @@ -218,28 +254,28 @@ Note that no revocation check is done for the recipient cert, so if that key has been compromised, others may be able to decrypt the text. .IP "\fB\-decrypt\fR" 4 .IX Item "-decrypt" -decrypt mail using the supplied certificate and private key. Expects an +Decrypt mail using the supplied certificate and private key. Expects an encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail is written to the output file. .IP "\fB\-debug_decrypt\fR" 4 .IX Item "-debug_decrypt" -this option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used +This option sets the \fB\s-1CMS_DEBUG_DECRYPT\s0\fR flag. This option should be used with caution: see the notes section below. .IP "\fB\-sign\fR" 4 .IX Item "-sign" -sign mail using the supplied certificate and private key. Input file is +Sign mail using the supplied certificate and private key. Input file is the message to be signed. The signed message in \s-1MIME\s0 format is written to the output file. .IP "\fB\-verify\fR" 4 .IX Item "-verify" -verify signed mail. Expects a signed mail message on input and outputs +Verify signed mail. Expects a signed mail message on input and outputs the signed data. Both clear text and opaque signing is supported. .IP "\fB\-cmsout\fR" 4 .IX Item "-cmsout" -takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure. +Takes an input message and writes out a \s-1PEM\s0 encoded \s-1CMS\s0 structure. .IP "\fB\-resign\fR" 4 .IX Item "-resign" -resign a message: take an existing message and one or more new signers. +Resign a message: take an existing message and one or more new signers. .IP "\fB\-data_create\fR" 4 .IX Item "-data_create" Create a \s-1CMS\s0 \fBData\fR type. @@ -264,24 +300,24 @@ output an error. .IP "\fB\-EncryptedData_encrypt\fR" 4 .IX Item "-EncryptedData_encrypt" Encrypt content using supplied symmetric key and algorithm using a \s-1CMS\s0 -\&\fBEncrytedData\fR type and output the content. +\&\fBEncryptedData\fR type and output the content. .IP "\fB\-sign_receipt\fR" 4 .IX Item "-sign_receipt" -Generate and output a signed receipt for the supplied message. The input +Generate and output a signed receipt for the supplied message. The input message \fBmust\fR contain a signed receipt request. Functionality is otherwise similar to the \fB\-sign\fR operation. .IP "\fB\-verify_receipt receipt\fR" 4 .IX Item "-verify_receipt receipt" -Verify a signed receipt in filename \fBreceipt\fR. The input message \fBmust\fR +Verify a signed receipt in filename \fBreceipt\fR. The input message \fBmust\fR contain the original receipt request. Functionality is otherwise similar to the \fB\-verify\fR operation. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" -the input message to be encrypted or signed or the message to be decrypted +The input message to be encrypted or signed or the message to be decrypted or verified. .IP "\fB\-inform SMIME|PEM|DER\fR" 4 .IX Item "-inform SMIME|PEM|DER" -this specifies the input format for the \s-1CMS\s0 structure. The default +This specifies the input format for the \s-1CMS\s0 structure. The default is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR format change this to expect \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures instead. This currently only affects the input format of the \s-1CMS\s0 @@ -289,15 +325,15 @@ structure, if no \s-1CMS\s0 structure is being input (for example with \&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. .IP "\fB\-rctform SMIME|PEM|DER\fR" 4 .IX Item "-rctform SMIME|PEM|DER" -specify the format for a signed receipt for use with the \fB\-receipt_verify\fR +Specify the format for a signed receipt for use with the \fB\-receipt_verify\fR operation. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -the message text that has been decrypted or verified or the output \s-1MIME\s0 +The message text that has been decrypted or verified or the output \s-1MIME\s0 format message that has been signed or verified. .IP "\fB\-outform SMIME|PEM|DER\fR" 4 .IX Item "-outform SMIME|PEM|DER" -this specifies the output format for the \s-1CMS\s0 structure. The default +This specifies the output format for the \s-1CMS\s0 structure. The default is \fB\s-1SMIME\s0\fR which writes an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR format change this to write \s-1PEM\s0 and \s-1DER\s0 format \s-1CMS\s0 structures instead. This currently only affects the output format of the \s-1CMS\s0 @@ -305,7 +341,7 @@ structure, if no \s-1CMS\s0 structure is being output (for example with \&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. .IP "\fB\-stream \-indef \-noindef\fR" 4 .IX Item "-stream -indef -noindef" -the \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O +The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O for encoding operations. This permits single pass processing of data without the need to hold the entire contents in memory, potentially supporting very large files. Streaming is automatically set for S/MIME signing with detached @@ -313,7 +349,7 @@ data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default f other operations. .IP "\fB\-noindef\fR" 4 .IX Item "-noindef" -disable streaming I/O where it would produce and indefinite length constructed +Disable streaming I/O where it would produce and indefinite length constructed encoding. This option currently has no effect. In future streaming will be enabled by default on all relevant operations and this option will disable it. .IP "\fB\-content filename\fR" 4 @@ -325,95 +361,113 @@ not included. This option will override any content if the input format is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. .IP "\fB\-text\fR" 4 .IX Item "-text" -this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied +This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied message if encrypting or signing. If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of \s-1MIME\s0 +off text headers: if the decrypted or verified message is not of \s-1MIME\s0 type text/plain then an error occurs. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -for the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure. This +For the \fB\-cmsout\fR operation do not output the parsed \s-1CMS\s0 structure. This is useful when combined with the \fB\-print\fR option or if the syntax of the \s-1CMS\s0 structure is being checked. .IP "\fB\-print\fR" 4 .IX Item "-print" -for the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure. This +For the \fB\-cmsout\fR operation print out all fields of the \s-1CMS\s0 structure. This is mainly useful for testing purposes. .IP "\fB\-CAfile file\fR" 4 .IX Item "-CAfile file" -a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. +A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. .IP "\fB\-CApath dir\fR" 4 .IX Item "-CApath dir" -a directory containing trusted \s-1CA\s0 certificates, only used with +A directory containing trusted \s-1CA\s0 certificates, only used with \&\fB\-verify\fR. This directory must be a standard certificate directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be linked to each certificate. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location .IP "\fB\-md digest\fR" 4 .IX Item "-md digest" -digest algorithm to use when signing or resigning. If not present then the +Digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually \s-1SHA1\s0). -.IP "\fB\-[cipher]\fR" 4 -.IX Item "-[cipher]" -the encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR +.IP "\fB\-\f(BIcipher\fB\fR" 4 +.IX Item "-cipher" +The encryption algorithm to use. For example triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR or 256 bit \s-1AES\s0 \- \fB\-aes256\fR. Any standard algorithm name (as used by the -\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for -example \fB\-aes_128_cbc\fR. See \fBenc\fR for a list of ciphers +\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for +example \fB\-aes\-128\-cbc\fR. See \fIenc\fR\|(1) for a list of ciphers supported by your version of OpenSSL. .Sp -If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR and +If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR and \&\fB\-EncryptedData_create\fR commands. .IP "\fB\-nointern\fR" 4 .IX Item "-nointern" -when verifying a message normally certificates (if any) included in +When verifying a message normally certificates (if any) included in the message are searched for the signing certificate. With this option only the certificates specified in the \fB\-certfile\fR option are used. The supplied certificates can still be used as untrusted CAs however. -.IP "\fB\-no_signer_cert_verify\fR" 4 -.IX Item "-no_signer_cert_verify" -do not verify the signers certificate of a signed message. +.IP "\fB\-noverify\fR" 4 +.IX Item "-noverify" +Do not verify the signers certificate of a signed message. .IP "\fB\-nocerts\fR" 4 .IX Item "-nocerts" -when signing a message the signer's certificate is normally included +When signing a message the signer's certificate is normally included with this option it is excluded. This will reduce the size of the signed message but the verifier must have a copy of the signers certificate available locally (passed using the \fB\-certfile\fR option for example). .IP "\fB\-noattr\fR" 4 .IX Item "-noattr" -normally when a message is signed a set of attributes are included which +Normally when a message is signed a set of attributes are included which include the signing time and supported symmetric algorithms. With this option they are not included. .IP "\fB\-nosmimecap\fR" 4 .IX Item "-nosmimecap" -exclude the list of supported algorithms from signed attributes, other options +Exclude the list of supported algorithms from signed attributes, other options such as signing time and content type are still included. .IP "\fB\-binary\fR" 4 .IX Item "-binary" -normally the input message is converted to \*(L"canonical\*(R" format which is +Normally the input message is converted to \*(L"canonical\*(R" format which is effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME specification. When this option is present no translation occurs. This is useful when handling binary data which may not be in \s-1MIME\s0 format. +.IP "\fB\-crlfeol\fR" 4 +.IX Item "-crlfeol" +Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this +option is present \fB\s-1CRLF\s0\fR is used instead. +.IP "\fB\-asciicrlf\fR" 4 +.IX Item "-asciicrlf" +When signing use \s-1ASCII CRLF\s0 format canonicalisation. This strips trailing +whitespace from all lines, deletes trailing blank lines at \s-1EOF\s0 and sets +the encapsulated content type. This option is normally used with detached +content and an output signature format of \s-1DER.\s0 This option is not normally +needed when verifying as it is enabled automatically if the encapsulated +content format is detected. .IP "\fB\-nodetach\fR" 4 .IX Item "-nodetach" -when signing a message use opaque signing: this form is more resistant +When signing a message use opaque signing: this form is more resistant to translation by mail relays but it cannot be read by mail agents that do not support S/MIME. Without this option cleartext signing with the \s-1MIME\s0 type multipart/signed is used. .IP "\fB\-certfile file\fR" 4 .IX Item "-certfile file" -allows additional certificates to be specified. When signing these will +Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. The certificates should be in \s-1PEM\s0 format. .IP "\fB\-certsout file\fR" 4 .IX Item "-certsout file" -any certificates contained in the message are written to \fBfile\fR. +Any certificates contained in the message are written to \fBfile\fR. .IP "\fB\-signer file\fR" 4 .IX Item "-signer file" -a signing certificate when signing or resigning a message, this option can be +A signing certificate when signing or resigning a message, this option can be used multiple times if more than one signer is required. If a message is being verified then the signers certificates will be written to this file if the verification was successful. .IP "\fB\-recip file\fR" 4 .IX Item "-recip file" -when decrypting a message this specifies the recipients certificate. The +When decrypting a message this specifies the recipients certificate. The certificate must match one of the recipients of the message or an error occurs. .Sp @@ -425,21 +479,21 @@ Only certificates carrying \s-1RSA,\s0 Diffie-Hellman or \s-1EC\s0 keys are supp option. .IP "\fB\-keyid\fR" 4 .IX Item "-keyid" -use subject key identifier to identify certificates instead of issuer name and +Use subject key identifier to identify certificates instead of issuer name and serial number. The supplied certificate \fBmust\fR include a subject key identifier extension. Supported by \fB\-sign\fR and \fB\-encrypt\fR options. -.IP "\fB\-receipt_request_all \-receipt_request_first\fR" 4 -.IX Item "-receipt_request_all -receipt_request_first" -for \fB\-sign\fR option include a signed receipt request. Indicate requests should -be provided by all receipient or first tier recipients (those mailed directly +.IP "\fB\-receipt_request_all\fR, \fB\-receipt_request_first\fR" 4 +.IX Item "-receipt_request_all, -receipt_request_first" +For \fB\-sign\fR option include a signed receipt request. Indicate requests should +be provided by all recipient or first tier recipients (those mailed directly and not from a mailing list). Ignored it \fB\-receipt_request_from\fR is included. .IP "\fB\-receipt_request_from emailaddress\fR" 4 .IX Item "-receipt_request_from emailaddress" -for \fB\-sign\fR option include a signed receipt request. Add an explicit email +For \fB\-sign\fR option include a signed receipt request. Add an explicit email address where receipts should be supplied. .IP "\fB\-receipt_request_to emailaddress\fR" 4 .IX Item "-receipt_request_to emailaddress" -Add an explicit email address where signed receipts should be sent to. This +Add an explicit email address where signed receipts should be sent to. This option \fBmust\fR but supplied if a signed receipt it requested. .IP "\fB\-receipt_request_print\fR" 4 .IX Item "-receipt_request_print" @@ -447,61 +501,65 @@ For the \fB\-verify\fR operation print out the contents of any signed receipt requests. .IP "\fB\-secretkey key\fR" 4 .IX Item "-secretkey key" -specify symmetric key to use. The key must be supplied in hex format and be +Specify symmetric key to use. The key must be supplied in hex format and be consistent with the algorithm used. Supported by the \fB\-EncryptedData_encrypt\fR -\&\fB\-EncrryptedData_decrypt\fR, \fB\-encrypt\fR and \fB\-decrypt\fR options. When used +\&\fB\-EncryptedData_decrypt\fR, \fB\-encrypt\fR and \fB\-decrypt\fR options. When used with \fB\-encrypt\fR or \fB\-decrypt\fR the supplied key is used to wrap or unwrap the content encryption key using an \s-1AES\s0 key in the \fBKEKRecipientInfo\fR type. .IP "\fB\-secretkeyid id\fR" 4 .IX Item "-secretkeyid id" -the key identifier for the supplied symmetric key for \fBKEKRecipientInfo\fR type. +The key identifier for the supplied symmetric key for \fBKEKRecipientInfo\fR type. This option \fBmust\fR be present if the \fB\-secretkey\fR option is used with \&\fB\-encrypt\fR. With \fB\-decrypt\fR operations the \fBid\fR is used to locate the relevant key if it is not supplied then an attempt is used to decrypt any \&\fBKEKRecipientInfo\fR structures. .IP "\fB\-econtent_type type\fR" 4 .IX Item "-econtent_type type" -set the encapsulated content type to \fBtype\fR if not supplied the \fBData\fR type +Set the encapsulated content type to \fBtype\fR if not supplied the \fBData\fR type is used. The \fBtype\fR argument can be any valid \s-1OID\s0 name in either text or numerical format. .IP "\fB\-inkey file\fR" 4 .IX Item "-inkey file" -the private key to use when signing or decrypting. This must match the +The private key to use when signing or decrypting. This must match the corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used multiple times to specify successive keys. .IP "\fB\-keyopt name:opt\fR" 4 .IX Item "-keyopt name:opt" -for signing and encryption this option can be used multiple times to +For signing and encryption this option can be used multiple times to set customised parameters for the preceding key or certificate. It can currently be used to set RSA-PSS for signing, RSA-OAEP for encryption or to modify default parameters for \s-1ECDH.\s0 .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the private key password source. For more information about the format of \fBarg\fR +The private key password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fBcert.pem...\fR" 4 .IX Item "cert.pem..." -one or more certificates of message recipients: used when encrypting +One or more certificates of message recipients: used when encrypting a message. .IP "\fB\-to, \-from, \-subject\fR" 4 .IX Item "-to, -from, -subject" -the relevant mail headers. These are included outside the signed +The relevant mail headers. These are included outside the signed portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig \-no_alt_chains\fR" 4 -.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains" -Set various certificate chain valiadition option. See the -\&\fBverify\fR manual page for details. +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set various certificate chain validation options. See the +\&\fIverify\fR\|(1) manual page for details. .SH "NOTES" .IX Header "NOTES" The \s-1MIME\s0 message must be sent without any blank lines between the @@ -510,7 +568,7 @@ a blank line. Piping the mail directly to sendmail is one way to achieve the correct format. .PP The supplied message to be signed or encrypted must include the -necessary \s-1MIME\s0 headers or many S/MIME clients wont display it +necessary \s-1MIME\s0 headers or many S/MIME clients won't display it properly (if at all). You can use the \fB\-text\fR option to automatically add plain text headers. .PP @@ -531,7 +589,7 @@ The \fB\-resign\fR option uses an existing message digest when adding a new signer. This means that attributes must be present in at least one existing signer using the same message digest or this operation will fail. .PP -The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support. +The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support. As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the \&\fB\-sign\fR operation if the content is not detached. @@ -545,30 +603,30 @@ attempt is made to locate the recipient by trying each potential recipient in turn using the supplied private key. To thwart the \s-1MMA\s0 attack (Bleichenbacher's attack on \s-1PKCS\s0 #1 v1.5 \s-1RSA\s0 padding) all recipients are tried whether they succeed or not and if no recipients match the message -is \*(L"decrypted\*(R" using a random key which will typically output garbage. +is \*(L"decrypted\*(R" using a random key which will typically output garbage. The \fB\-debug_decrypt\fR option can be used to disable the \s-1MMA\s0 attack protection and return an error if no recipient can be found: this option should be used with caution. For a fuller description see \fICMS_decrypt\fR\|(3)). .SH "EXIT CODES" .IX Header "EXIT CODES" .IP "0" 4 -the operation was completely successfully. +The operation was completely successfully. .IP "1" 4 .IX Item "1" -an error occurred parsing the command options. +An error occurred parsing the command options. .IP "2" 4 .IX Item "2" -one of the input files could not be read. +One of the input files could not be read. .IP "3" 4 .IX Item "3" -an error occurred creating the \s-1CMS\s0 file or when reading the \s-1MIME\s0 +An error occurred creating the \s-1CMS\s0 file or when reading the \s-1MIME\s0 message. .IP "4" 4 .IX Item "4" -an error occurred decrypting or verifying the message. +An error occurred decrypting or verifying the message. .IP "5" 4 .IX Item "5" -the message was verified correctly but an error occurred writing out +The message was verified correctly but an error occurred writing out the signers certificates. .SH "COMPATIBILITY WITH PKCS#7 format." .IX Header "COMPATIBILITY WITH PKCS#7 format." @@ -748,3 +806,11 @@ The use of non-RSA keys with \fB\-encrypt\fR and \fB\-decrypt\fR was first added to OpenSSL 1.0.2. .PP The \-no_alt_chains options was first added to OpenSSL 1.0.2b. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2008\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/crl.1 b/secure/usr.bin/openssl/man/crl.1 index 18a1a2edcbc7..c584a6054592 100644 --- a/secure/usr.bin/openssl/man/crl.1 +++ b/secure/usr.bin/openssl/man/crl.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "CRL 1" -.TH CRL 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH CRL 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-crl, -crl \- CRL utility +openssl\-crl, crl \- CRL utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBcrl\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] [\fB\-outform PEM|DER\fR] [\fB\-text\fR] @@ -156,8 +156,11 @@ crl \- CRL utility .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBcrl\fR command processes \s-1CRL\s0 files in \s-1DER\s0 or \s-1PEM\s0 format. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0 @@ -165,50 +168,50 @@ structure. \fB\s-1PEM\s0\fR (the default) is a base64 encoded version of the \s-1DER\s0 form with header and footer lines. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read from or standard input if this option is not specified. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -specifies the output filename to write to or standard output by +Specifies the output filename to write to or standard output by default. .IP "\fB\-text\fR" 4 .IX Item "-text" -print out the \s-1CRL\s0 in text form. +Print out the \s-1CRL\s0 in text form. .IP "\fB\-nameopt option\fR" 4 .IX Item "-nameopt option" -option which determines how the subject or issuer names are displayed. See +Option which determines how the subject or issuer names are displayed. See the description of \fB\-nameopt\fR in \fIx509\fR\|(1). .IP "\fB\-noout\fR" 4 .IX Item "-noout" -don't output the encoded version of the \s-1CRL.\s0 +Don't output the encoded version of the \s-1CRL.\s0 .IP "\fB\-hash\fR" 4 .IX Item "-hash" -output a hash of the issuer name. This can be use to lookup CRLs in +Output a hash of the issuer name. This can be use to lookup CRLs in a directory by issuer name. .IP "\fB\-hash_old\fR" 4 .IX Item "-hash_old" -outputs the \*(L"hash\*(R" of the \s-1CRL\s0 issuer name using the older algorithm -as used by OpenSSL versions before 1.0.0. +Outputs the \*(L"hash\*(R" of the \s-1CRL\s0 issuer name using the older algorithm +as used by OpenSSL before version 1.0.0. .IP "\fB\-issuer\fR" 4 .IX Item "-issuer" -output the issuer name. +Output the issuer name. .IP "\fB\-lastupdate\fR" 4 .IX Item "-lastupdate" -output the lastUpdate field. +Output the lastUpdate field. .IP "\fB\-nextupdate\fR" 4 .IX Item "-nextupdate" -output the nextUpdate field. +Output the nextUpdate field. .IP "\fB\-CAfile file\fR" 4 .IX Item "-CAfile file" -verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in -\&\fBfile\fR +Verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in +\&\fBfile\fR. .IP "\fB\-CApath dir\fR" 4 .IX Item "-CApath dir" -verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in +Verify the signature on a \s-1CRL\s0 by looking up the issuing certificate in \&\fBdir\fR. This directory must be a standard certificate directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be linked to each certificate. @@ -231,7 +234,7 @@ Convert a \s-1CRL\s0 file from \s-1PEM\s0 to \s-1DER:\s0 Output the text form of a \s-1DER\s0 encoded certificate: .PP .Vb 1 -\& openssl crl \-in crl.der \-text \-noout +\& openssl crl \-in crl.der \-inform DER \-text \-noout .Ve .SH "BUGS" .IX Header "BUGS" @@ -240,3 +243,11 @@ and files too. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIcrl2pkcs7\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/crl2pkcs7.1 b/secure/usr.bin/openssl/man/crl2pkcs7.1 index c1ae08dde2b3..12102f2304d6 100644 --- a/secure/usr.bin/openssl/man/crl2pkcs7.1 +++ b/secure/usr.bin/openssl/man/crl2pkcs7.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "CRL2PKCS7 1" -.TH CRL2PKCS7 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH CRL2PKCS7 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-crl2pkcs7, -crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates. +openssl\-crl2pkcs7, crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBcrl2pkcs7\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] [\fB\-outform PEM|DER\fR] [\fB\-in filename\fR] @@ -151,35 +151,38 @@ crl2pkcs7 \- Create a PKCS#7 structure from a CRL and certificates. The \fBcrl2pkcs7\fR command takes an optional \s-1CRL\s0 and one or more certificates and converts them into a PKCS#7 degenerate \*(L"certificates only\*(R" structure. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the \s-1CRL\s0 input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded \s-1CRL\s0 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of -the \s-1DER\s0 form with header and footer lines. +the \s-1DER\s0 form with header and footer lines. The default format is \s-1PEM.\s0 .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" This specifies the PKCS#7 structure output format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of -the \s-1DER\s0 form with header and footer lines. +the \s-1DER\s0 form with header and footer lines. The default format is \s-1PEM.\s0 .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read a \s-1CRL\s0 from or standard input if this option is not specified. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -specifies the output filename to write the PKCS#7 structure to or standard +Specifies the output filename to write the PKCS#7 structure to or standard output by default. .IP "\fB\-certfile filename\fR" 4 .IX Item "-certfile filename" -specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format. +Specifies a filename containing one or more certificates in \fB\s-1PEM\s0\fR format. All certificates in the file will be added to the PKCS#7 structure. This option can be used more than once to read certificates form multiple files. .IP "\fB\-nocrl\fR" 4 .IX Item "-nocrl" -normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is +Normally a \s-1CRL\s0 is included in the output file. With this option no \s-1CRL\s0 is included in the output file and a \s-1CRL\s0 is not read from the input file. .SH "EXAMPLES" .IX Header "EXAMPLES" @@ -193,7 +196,7 @@ Creates a PKCS#7 structure in \s-1DER\s0 format with no \s-1CRL\s0 from several different certificates: .PP .Vb 2 -\& openssl crl2pkcs7 \-nocrl \-certfile newcert.pem +\& openssl crl2pkcs7 \-nocrl \-certfile newcert.pem \& \-certfile demoCA/cacert.pem \-outform DER \-out p7.der .Ve .SH "NOTES" @@ -210,3 +213,11 @@ install user certificates and CAs in \s-1MSIE\s0 using the Xenroll control. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIpkcs7\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/dgst.1 b/secure/usr.bin/openssl/man/dgst.1 index eaddb0852226..846e01c0d007 100644 --- a/secure/usr.bin/openssl/man/dgst.1 +++ b/secure/usr.bin/openssl/man/dgst.1 @@ -129,24 +129,23 @@ .\" ======================================================================== .\" .IX Title "DGST 1" -.TH DGST 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH DGST 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-dgst, -dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, dss1 \- message digests +openssl\-dgst, dgst \- perform digest operations .SH "SYNOPSIS" .IX Header "SYNOPSIS" -\&\fBopenssl\fR \fBdgst\fR -[\fB\-sha|\-sha1|\-mdc2|\-ripemd160|\-sha224|\-sha256|\-sha384|\-sha512|\-md2|\-md4|\-md5|\-dss1\fR] +\&\fBopenssl dgst\fR +[\fB\-\f(BIdigest\fB\fR] +[\fB\-help\fR] [\fB\-c\fR] [\fB\-d\fR] [\fB\-hex\fR] [\fB\-binary\fR] [\fB\-r\fR] -[\fB\-non\-fips\-allow\fR] [\fB\-out filename\fR] [\fB\-sign filename\fR] [\fB\-keyform arg\fR] @@ -155,81 +154,88 @@ dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md2, md4, md5, [\fB\-prverify filename\fR] [\fB\-signature filename\fR] [\fB\-hmac key\fR] -[\fB\-non\-fips\-allow\fR] [\fB\-fips\-fingerprint\fR] +[\fB\-rand file...\fR] +[\fB\-engine id\fR] +[\fB\-engine_impl\fR] [\fBfile...\fR] .PP -\&\fBopenssl\fR -[\fIdigest\fR] -[\fB...\fR] +\&\fBopenssl\fR \fIdigest\fR [\fB...\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The digest functions output the message digest of a supplied file or files in hexadecimal. The digest functions also generate and verify digital signatures using message digests. +.PP +The generic name, \fBdgst\fR, may be used with an option specifying the +algorithm to be used. +The default digest is \fIsha256\fR. +A supported \fIdigest\fR name may also be used as the command name. +To see the list of supported algorithms, use the \fIlist \-\-digest\-commands\fR +command. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +Specifies name of a supported digest to be used. To see the list of +supported digests, use the command \fIlist \-\-digest\-commands\fR. .IP "\fB\-c\fR" 4 .IX Item "-c" -print out the digest in two digit groups separated by colons, only relevant if +Print out the digest in two digit groups separated by colons, only relevant if \&\fBhex\fR format output is used. .IP "\fB\-d\fR" 4 .IX Item "-d" -print out \s-1BIO\s0 debugging information. +Print out \s-1BIO\s0 debugging information. .IP "\fB\-hex\fR" 4 .IX Item "-hex" -digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R" +Digest is to be output as a hex dump. This is the default case for a \*(L"normal\*(R" digest as opposed to a digital signature. See \s-1NOTES\s0 below for digital signatures using \fB\-hex\fR. .IP "\fB\-binary\fR" 4 .IX Item "-binary" -output the digest or signature in binary form. +Output the digest or signature in binary form. .IP "\fB\-r\fR" 4 .IX Item "-r" -output the digest in the \*(L"coreutils\*(R" format used by programs like \fBsha1sum\fR. -.IP "\fB\-non\-fips\-allow\fR" 4 -.IX Item "-non-fips-allow" -Allow use of non \s-1FIPS\s0 digest when in \s-1FIPS\s0 mode. This has no effect when not in -\&\s-1FIPS\s0 mode. +Output the digest in the \*(L"coreutils\*(R" format used by programs like \fBsha1sum\fR. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -filename to output to, or standard output by default. +Filename to output to, or standard output by default. .IP "\fB\-sign filename\fR" 4 .IX Item "-sign filename" -digitally sign the digest using the private key in \*(L"filename\*(R". +Digitally sign the digest using the private key in \*(L"filename\*(R". Note this option +does not support Ed25519 or Ed448 private keys. Use the \fBpkeyutl\fR command +instead for this. .IP "\fB\-keyform arg\fR" 4 .IX Item "-keyform arg" Specifies the key format to sign digest with. The \s-1DER, PEM, P12,\s0 and \s-1ENGINE\s0 formats are supported. -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -Use engine \fBid\fR for operations (including private key storage). -This engine is not used as source for digest algorithms, unless it is -also specified in the configuration file. .IP "\fB\-sigopt nm:v\fR" 4 .IX Item "-sigopt nm:v" Pass options to the signature algorithm during sign or verify operations. Names and values of these options are algorithm-specific. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the private key password source. For more information about the format of \fBarg\fR +The private key password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-verify filename\fR" 4 .IX Item "-verify filename" -verify the signature using the public key in \*(L"filename\*(R". +Verify the signature using the public key in \*(L"filename\*(R". The output is either \*(L"Verification \s-1OK\*(R"\s0 or \*(L"Verification Failure\*(R". .IP "\fB\-prverify filename\fR" 4 .IX Item "-prverify filename" -verify the signature using the private key in \*(L"filename\*(R". +Verify the signature using the private key in \*(L"filename\*(R". .IP "\fB\-signature filename\fR" 4 .IX Item "-signature filename" -the actual signature to verify. +The actual signature to verify. .IP "\fB\-hmac key\fR" 4 .IX Item "-hmac key" -create a hashed \s-1MAC\s0 using \*(L"key\*(R". +Create a hashed \s-1MAC\s0 using \*(L"key\*(R". .IP "\fB\-mac alg\fR" 4 .IX Item "-mac alg" -create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0 +Create \s-1MAC\s0 (keyed Message Authentication Code). The most popular \s-1MAC\s0 algorithm is \s-1HMAC\s0 (hash-based \s-1MAC\s0), but there are other \s-1MAC\s0 algorithms which are not based on hash, for instance \fBgost-mac\fR algorithm, supported by \fBccgost\fR engine. \s-1MAC\s0 keys and other options should be set @@ -239,12 +245,12 @@ via \fB\-macopt\fR parameter. Passes options to \s-1MAC\s0 algorithm, specified by \fB\-mac\fR key. Following options are supported by both by \fB\s-1HMAC\s0\fR and \fBgost-mac\fR: .RS 4 -.IP "\fBkey:string\fR" 8 +.IP "\fBkey:string\fR" 4 .IX Item "key:string" -Specifies \s-1MAC\s0 key as alphnumeric string (use if key contain printable +Specifies \s-1MAC\s0 key as alphanumeric string (use if key contain printable characters only). String length must conform to any restrictions of the \s-1MAC\s0 algorithm for example exactly 32 chars for gost-mac. -.IP "\fBhexkey:string\fR" 8 +.IP "\fBhexkey:string\fR" 4 .IX Item "hexkey:string" Specifies \s-1MAC\s0 key in hexadecimal form (two hex digits per byte). Key length must conform to any restrictions of the \s-1MAC\s0 algorithm @@ -252,23 +258,33 @@ for example exactly 32 chars for gost-mac. .RE .RS 4 .RE -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. -.IP "\fB\-non\-fips\-allow\fR" 4 -.IX Item "-non-fips-allow" -enable use of non-FIPS algorithms such as \s-1MD5\s0 even in \s-1FIPS\s0 mode. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-fips\-fingerprint\fR" 4 .IX Item "-fips-fingerprint" -compute \s-1HMAC\s0 using a specific key -for certain OpenSSL-FIPS operations. +Compute \s-1HMAC\s0 using a specific key for certain OpenSSL-FIPS operations. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Use engine \fBid\fR for operations (including private key storage). +This engine is not used as source for digest algorithms, unless it is +also specified in the configuration file or \fB\-engine_impl\fR is also +specified. +.IP "\fB\-engine_impl\fR" 4 +.IX Item "-engine_impl" +When used with the \fB\-engine\fR option, it specifies to also use +engine \fBid\fR for digest operations. .IP "\fBfile...\fR" 4 .IX Item "file..." -file or files to digest. If no files are specified then standard input is +File or files to digest. If no files are specified then standard input is used. .SH "EXAMPLES" .IX Header "EXAMPLES" @@ -284,8 +300,13 @@ To verify a signature: file.txt .SH "NOTES" .IX Header "NOTES" -The digest of choice for all new applications is \s-1SHA1.\s0 Other digests are -however still widely used. +The digest mechanisms that are available will depend on the options +used when building OpenSSL. +The \fBlist digest-commands\fR command can be used to list them. +.PP +New or agile applications should use probably use \s-1SHA\-256.\s0 Other digests, +particularly \s-1SHA\-1\s0 and \s-1MD5,\s0 are still widely used for interoperating +with existing formats and protocols. .PP When signing a file, \fBdgst\fR will automatically determine the algorithm (\s-1RSA, ECC,\s0 etc) to use for signing based on the private key's \s-1ASN.1\s0 info. @@ -302,3 +323,15 @@ being signed or verified. Hex signatures cannot be verified using \fBopenssl\fR. Instead, use \*(L"xxd \-r\*(R" or similar program to transform the hex signature into a binary signature prior to verification. +.SH "HISTORY" +.IX Header "HISTORY" +The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in OpenSSL 1.1.0 +The FIPS-related options were removed in OpenSSL 1.1.0 +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/dhparam.1 b/secure/usr.bin/openssl/man/dhparam.1 index 33d01cdd00ac..95514740d747 100644 --- a/secure/usr.bin/openssl/man/dhparam.1 +++ b/secure/usr.bin/openssl/man/dhparam.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "DHPARAM 1" -.TH DHPARAM 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH DHPARAM 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-dhparam, -dhparam \- DH parameter manipulation and generation +openssl\-dhparam, dhparam \- DH parameter manipulation and generation .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl dhparam\fR +[\fB\-help\fR] [\fB\-inform DER|PEM\fR] [\fB\-outform DER|PEM\fR] [\fB\-in\fR \fIfilename\fR] @@ -151,7 +151,8 @@ dhparam \- DH parameter manipulation and generation [\fB\-C\fR] [\fB\-2\fR] [\fB\-5\fR] -[\fB\-rand\fR \fIfile(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-engine id\fR] [\fInumbits\fR] .SH "DESCRIPTION" @@ -159,6 +160,9 @@ dhparam \- DH parameter manipulation and generation This command is used to manipulate \s-1DH\s0 parameter files. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded @@ -167,8 +171,8 @@ default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in\fR \fIfilename\fR" 4 .IX Item "-in filename" This specifies the input filename to read parameters from or standard input if @@ -191,48 +195,53 @@ parameters, a fresh \s-1DH\s0 key should be created for each use to avoid small-subgroup attacks that may be possible otherwise. .IP "\fB\-check\fR" 4 .IX Item "-check" -check if the parameters are valid primes and generator. +Performs numerous checks to see if the supplied parameters are valid and +displays a warning if not. .IP "\fB\-2\fR, \fB\-5\fR" 4 .IX Item "-2, -5" The generator to use, either 2 or 5. If present then the input file is ignored and parameters are generated instead. If not present but \fBnumbits\fR is present, parameters are generated with the default generator 2. -.IP "\fB\-rand\fR \fIfile(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fInumbits\fR" 4 .IX Item "numbits" -this option specifies that a parameter set should be generated of size +This option specifies that a parameter set should be generated of size \&\fInumbits\fR. It must be the last option. If this option is present then the input file is ignored and parameters are generated instead. If this option is not present but a generator (\fB\-2\fR or \fB\-5\fR) is present, parameters are generated with a default length of 2048 bits. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option inhibits the output of the encoded version of the parameters. +This option inhibits the output of the encoded version of the parameters. .IP "\fB\-text\fR" 4 .IX Item "-text" -this option prints out the \s-1DH\s0 parameters in human readable form. +This option prints out the \s-1DH\s0 parameters in human readable form. .IP "\fB\-C\fR" 4 .IX Item "-C" -this option converts the parameters into C code. The parameters can then -be loaded by calling the \fBget_dh\fR\fInumbits\fR\fB()\fR function. +This option converts the parameters into C code. The parameters can then +be loaded by calling the \fIget_dhNNNN()\fR function. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBdhparam\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBdhparam\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. .SH "WARNINGS" .IX Header "WARNINGS" The program \fBdhparam\fR combines the functionality of the programs \fBdh\fR and -\&\fBgendh\fR in previous versions of OpenSSL and SSLeay. The \fBdh\fR and \fBgendh\fR -programs are retained for now but may have different purposes in future +\&\fBgendh\fR in previous versions of OpenSSL. The \fBdh\fR and \fBgendh\fR +programs are retained for now but may have different purposes in future versions of OpenSSL. .SH "NOTES" .IX Header "NOTES" @@ -253,7 +262,11 @@ There should be a way to generate and manipulate \s-1DH\s0 keys. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIdsaparam\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The \fBdhparam\fR command was added in OpenSSL 0.9.5. -The \fB\-dsaparam\fR option was added in OpenSSL 0.9.6. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/dsa.1 b/secure/usr.bin/openssl/man/dsa.1 index ff600983c912..5f860ac6c859 100644 --- a/secure/usr.bin/openssl/man/dsa.1 +++ b/secure/usr.bin/openssl/man/dsa.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "DSA 1" -.TH DSA 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH DSA 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-dsa, -dsa \- DSA key processing +openssl\-dsa, dsa \- DSA key processing .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBdsa\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] [\fB\-outform PEM|DER\fR] [\fB\-in filename\fR] @@ -149,6 +149,9 @@ dsa \- DSA key processing [\fB\-aes128\fR] [\fB\-aes192\fR] [\fB\-aes256\fR] +[\fB\-aria128\fR] +[\fB\-aria192\fR] +[\fB\-aria256\fR] [\fB\-camellia128\fR] [\fB\-camellia192\fR] [\fB\-camellia256\fR] @@ -167,8 +170,11 @@ The \fBdsa\fR command processes \s-1DSA\s0 keys. They can be converted between v forms and their components printed out. \fBNote\fR This command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the \fBpkcs8\fR -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses @@ -182,8 +188,8 @@ encoded with additional header and footer lines. In the case of a private key PKCS#8 format is also accepted. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read a key from or standard input if this @@ -191,7 +197,7 @@ option is not specified. If the key is encrypted a pass phrase will be prompted for. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR +The input file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" @@ -201,10 +207,10 @@ prompted for. The output filename should \fBnot\fR be the same as the input filename. .IP "\fB\-passout arg\fR" 4 .IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR +The output file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4 -.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea" +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4 +.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea" These options encrypt the private key with the specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This @@ -214,25 +220,25 @@ setting the encryption options it can be use to add or change the pass phrase. These options can only be used with \s-1PEM\s0 format output files. .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out the public, private key components and parameters. +Prints out the public, private key components and parameters. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option prevents output of the encoded version of the key. +This option prevents output of the encoded version of the key. .IP "\fB\-modulus\fR" 4 .IX Item "-modulus" -this option prints out the value of the public key component of the key. +This option prints out the value of the public key component of the key. .IP "\fB\-pubin\fR" 4 .IX Item "-pubin" -by default a private key is read from the input file: with this option a +By default, a private key is read from the input file. With this option a public key is read instead. .IP "\fB\-pubout\fR" 4 .IX Item "-pubout" -by default a private key is output. With this option a public +By default, a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBdsa\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBdsa\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -286,3 +292,11 @@ To just output the public part of a private key: .IX Header "SEE ALSO" \&\fIdsaparam\fR\|(1), \fIgendsa\fR\|(1), \fIrsa\fR\|(1), \&\fIgenrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/dsaparam.1 b/secure/usr.bin/openssl/man/dsaparam.1 index 57a597d547f2..33b6cfb0c103 100644 --- a/secure/usr.bin/openssl/man/dsaparam.1 +++ b/secure/usr.bin/openssl/man/dsaparam.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "DSAPARAM 1" -.TH DSAPARAM 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH DSAPARAM 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-dsaparam, -dsaparam \- DSA parameter manipulation and generation +openssl\-dsaparam, dsaparam \- DSA parameter manipulation and generation .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl dsaparam\fR +[\fB\-help\fR] [\fB\-inform DER|PEM\fR] [\fB\-outform DER|PEM\fR] [\fB\-in filename\fR] @@ -147,7 +147,8 @@ dsaparam \- DSA parameter manipulation and generation [\fB\-noout\fR] [\fB\-text\fR] [\fB\-C\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-genkey\fR] [\fB\-engine id\fR] [\fBnumbits\fR] @@ -156,6 +157,9 @@ dsaparam \- DSA parameter manipulation and generation This command is used to manipulate or generate \s-1DSA\s0 parameter files. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded @@ -164,8 +168,8 @@ of p, q and g respectively. The \s-1PEM\s0 form is the default format: it consis of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read parameters from or standard input if @@ -178,33 +182,37 @@ if this option is not present. The output filename should \fBnot\fR be the same as the input filename. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option inhibits the output of the encoded version of the parameters. +This option inhibits the output of the encoded version of the parameters. .IP "\fB\-text\fR" 4 .IX Item "-text" -this option prints out the \s-1DSA\s0 parameters in human readable form. +This option prints out the \s-1DSA\s0 parameters in human readable form. .IP "\fB\-C\fR" 4 .IX Item "-C" -this option converts the parameters into C code. The parameters can then -be loaded by calling the \fB\f(BIget_dsaXXX()\fB\fR function. +This option converts the parameters into C code. The parameters can then +be loaded by calling the \fIget_dsaXXX()\fR function. .IP "\fB\-genkey\fR" 4 .IX Item "-genkey" -this option will generate a \s-1DSA\s0 either using the specified or generated +This option will generate a \s-1DSA\s0 either using the specified or generated parameters. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fBnumbits\fR" 4 .IX Item "numbits" -this option specifies that a parameter set should be generated of size +This option specifies that a parameter set should be generated of size \&\fBnumbits\fR. It must be the last option. If this option is included then the input file (if any) is ignored. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBdsaparam\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBdsaparam\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -223,3 +231,11 @@ for all available algorithms. .IX Header "SEE ALSO" \&\fIgendsa\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \&\fIrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/ec.1 b/secure/usr.bin/openssl/man/ec.1 index ae749d1a2d7b..1a752538bf74 100644 --- a/secure/usr.bin/openssl/man/ec.1 +++ b/secure/usr.bin/openssl/man/ec.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "EC 1" -.TH EC 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH EC 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-ec, -ec \- EC key processing +openssl\-ec, ec \- EC key processing .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBec\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] [\fB\-outform PEM|DER\fR] [\fB\-in filename\fR] @@ -156,16 +156,21 @@ ec \- EC key processing [\fB\-pubout\fR] [\fB\-conv_form arg\fR] [\fB\-param_enc arg\fR] +[\fB\-no_public\fR] +[\fB\-check\fR] [\fB\-engine id\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBec\fR command processes \s-1EC\s0 keys. They can be converted between various -forms and their components printed out. \fBNote\fR OpenSSL uses the +forms and their components printed out. \fBNote\fR OpenSSL uses the private key format specified in '\s-1SEC 1:\s0 Elliptic Curve Cryptography' -(http://www.secg.org/). To convert a OpenSSL \s-1EC\s0 private key into the +(http://www.secg.org/). To convert an OpenSSL \s-1EC\s0 private key into the PKCS#8 private key format use the \fBpkcs8\fR command. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. The \fB\s-1DER\s0\fR option with a private key uses @@ -176,8 +181,8 @@ encoded with additional header and footer lines. In the case of a private key PKCS#8 format is also accepted. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read a key from or standard input if this @@ -185,7 +190,7 @@ option is not specified. If the key is encrypted a pass phrase will be prompted for. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR +The input file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" @@ -195,11 +200,11 @@ prompted for. The output filename should \fBnot\fR be the same as the input filename. .IP "\fB\-passout arg\fR" 4 .IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR +The output file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-des|\-des3|\-idea\fR" 4 .IX Item "-des|-des3|-idea" -These options encrypt the private key with the \s-1DES,\s0 triple \s-1DES, IDEA\s0 or +These options encrypt the private key with the \s-1DES,\s0 triple \s-1DES, IDEA\s0 or any other cipher supported by OpenSSL before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This @@ -209,20 +214,20 @@ setting the encryption options it can be use to add or change the pass phrase. These options can only be used with \s-1PEM\s0 format output files. .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out the public, private key components and parameters. +Prints out the public, private key components and parameters. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option prevents output of the encoded version of the key. +This option prevents output of the encoded version of the key. .IP "\fB\-modulus\fR" 4 .IX Item "-modulus" -this option prints out the value of the public key component of the key. +This option prints out the value of the public key component of the key. .IP "\fB\-pubin\fR" 4 .IX Item "-pubin" -by default a private key is read from the input file: with this option a +By default, a private key is read from the input file. With this option a public key is read instead. .IP "\fB\-pubout\fR" 4 .IX Item "-pubout" -by default a private key is output. With this option a public +By default a private key is output. With this option a public key will be output instead. This option is automatically set if the input is a public key. .IP "\fB\-conv_form\fR" 4 @@ -238,14 +243,20 @@ the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time. .IX Item "-param_enc arg" This specifies how the elliptic curve parameters are encoded. Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are -specified by a \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are -explicitly given (see \s-1RFC 3279\s0 for the definition of the +specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are +explicitly given (see \s-1RFC 3279\s0 for the definition of the \&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR. -\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC 3279,\s0 +\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0 is currently not implemented in OpenSSL. +.IP "\fB\-no_public\fR" 4 +.IX Item "-no_public" +This option omits the public key components from the private key output. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +This option checks the consistency of an \s-1EC\s0 private or public key. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBec\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBec\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -304,9 +315,11 @@ To change the point conversion form to \fBcompressed\fR: .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIecparam\fR\|(1), \fIdsa\fR\|(1), \fIrsa\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The ec command was first introduced in OpenSSL 0.9.8. -.SH "AUTHOR" -.IX Header "AUTHOR" -Nils Larsch for the OpenSSL project (http://www.openssl.org). +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2003\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/ecparam.1 b/secure/usr.bin/openssl/man/ecparam.1 index 88c004c9dca1..9157c6314a41 100644 --- a/secure/usr.bin/openssl/man/ecparam.1 +++ b/secure/usr.bin/openssl/man/ecparam.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "ECPARAM 1" -.TH ECPARAM 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH ECPARAM 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-ecparam, -ecparam \- EC parameter manipulation and generation +openssl\-ecparam, ecparam \- EC parameter manipulation and generation .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl ecparam\fR +[\fB\-help\fR] [\fB\-inform DER|PEM\fR] [\fB\-outform DER|PEM\fR] [\fB\-in filename\fR] @@ -153,7 +153,8 @@ ecparam \- EC parameter manipulation and generation [\fB\-conv_form arg\fR] [\fB\-param_enc arg\fR] [\fB\-no_seed\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-genkey\fR] [\fB\-engine id\fR] .SH "DESCRIPTION" @@ -161,16 +162,19 @@ ecparam \- EC parameter manipulation and generation This command is used to manipulate or generate \s-1EC\s0 parameter files. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN.1 DER\s0 encoded form compatible with \s-1RFC 3279\s0 EcpkParameters. The \s-1PEM\s0 form is the default -format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional +format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read parameters from or standard input if @@ -189,7 +193,7 @@ This option prints out the \s-1EC\s0 parameters in human readable form. .IP "\fB\-C\fR" 4 .IX Item "-C" This option converts the \s-1EC\s0 parameters into C code. The parameters can then -be loaded by calling the \fB\f(BIget_ec_group_XXX()\fB\fR function. +be loaded by calling the \fIget_ec_group_XXX()\fR function. .IP "\fB\-check\fR" 4 .IX Item "-check" Validate the elliptic curve parameters. @@ -214,10 +218,10 @@ the preprocessor macro \fB\s-1OPENSSL_EC_BIN_PT_COMP\s0\fR at compile time. .IX Item "-param_enc arg" This specifies how the elliptic curve parameters are encoded. Possible value are: \fBnamed_curve\fR, i.e. the ec parameters are -specified by a \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are -explicitly given (see \s-1RFC 3279\s0 for the definition of the +specified by an \s-1OID,\s0 or \fBexplicit\fR where the ec parameters are +explicitly given (see \s-1RFC 3279\s0 for the definition of the \&\s-1EC\s0 parameters structures). The default value is \fBnamed_curve\fR. -\&\fBNote\fR the \fBimplicitlyCA\fR alternative ,as specified in \s-1RFC 3279,\s0 +\&\fBNote\fR the \fBimplicitlyCA\fR alternative, as specified in \s-1RFC 3279,\s0 is currently not implemented in OpenSSL. .IP "\fB\-no_seed\fR" 4 .IX Item "-no_seed" @@ -225,17 +229,21 @@ This option inhibits that the 'seed' for the parameter generation is included in the ECParameters structure (see \s-1RFC 3279\s0). .IP "\fB\-genkey\fR" 4 .IX Item "-genkey" -This option will generate a \s-1EC\s0 private key using the specified parameters. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +This option will generate an \s-1EC\s0 private key using the specified parameters. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBecparam\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBecparam\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -290,9 +298,11 @@ To print out the \s-1EC\s0 parameters to standard output: .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIec\fR\|(1), \fIdsaparam\fR\|(1) -.SH "HISTORY" -.IX Header "HISTORY" -The ecparam command was first introduced in OpenSSL 0.9.8. -.SH "AUTHOR" -.IX Header "AUTHOR" -Nils Larsch for the OpenSSL project (http://www.openssl.org) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2003\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/enc.1 b/secure/usr.bin/openssl/man/enc.1 index aff72b88afa4..a3a27af063ea 100644 --- a/secure/usr.bin/openssl/man/enc.1 +++ b/secure/usr.bin/openssl/man/enc.1 @@ -129,23 +129,25 @@ .\" ======================================================================== .\" .IX Title "ENC 1" -.TH ENC 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH ENC 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-enc, -enc \- symmetric cipher routines +openssl\-enc, enc \- symmetric cipher routines .SH "SYNOPSIS" .IX Header "SYNOPSIS" -\&\fBopenssl enc \-ciphername\fR +\&\fBopenssl enc \-\f(BIcipher\fB\fR +[\fB\-help\fR] +[\fB\-ciphers\fR] [\fB\-in filename\fR] [\fB\-out filename\fR] [\fB\-pass arg\fR] [\fB\-e\fR] [\fB\-d\fR] -[\fB\-a/\-base64\fR] +[\fB\-a\fR] +[\fB\-base64\fR] [\fB\-A\fR] [\fB\-k password\fR] [\fB\-kfile filename\fR] @@ -155,14 +157,20 @@ enc \- symmetric cipher routines [\fB\-salt\fR] [\fB\-nosalt\fR] [\fB\-z\fR] -[\fB\-md\fR] +[\fB\-md digest\fR] +[\fB\-iter count\fR] +[\fB\-pbkdf2\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-bufsize number\fR] [\fB\-nopad\fR] [\fB\-debug\fR] [\fB\-none\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-engine id\fR] +.PP +\&\fBopenssl\fR \fI[cipher]\fR [\fB...\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The symmetric cipher commands allow data to be encrypted or decrypted @@ -171,90 +179,102 @@ or explicitly provided. Base64 encoding or decoding can also be performed either by itself or in addition to the encryption or decryption. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-ciphers\fR" 4 +.IX Item "-ciphers" +List all supported ciphers. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" -the input filename, standard input by default. +The input filename, standard input by default. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -the output filename, standard output by default. +The output filename, standard output by default. .IP "\fB\-pass arg\fR" 4 .IX Item "-pass arg" -the password source. For more information about the format of \fBarg\fR +The password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-salt\fR" 4 -.IX Item "-salt" -use a salt in the key derivation routines. This is the default. -.IP "\fB\-nosalt\fR" 4 -.IX Item "-nosalt" -don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be -used except for test purposes or compatibility with ancient versions of OpenSSL -and SSLeay. .IP "\fB\-e\fR" 4 .IX Item "-e" -encrypt the input data: this is the default. +Encrypt the input data: this is the default. .IP "\fB\-d\fR" 4 .IX Item "-d" -decrypt the input data. +Decrypt the input data. .IP "\fB\-a\fR" 4 .IX Item "-a" -base64 process the data. This means that if encryption is taking place +Base64 process the data. This means that if encryption is taking place the data is base64 encoded after encryption. If decryption is set then the input data is base64 decoded before being decrypted. .IP "\fB\-base64\fR" 4 .IX Item "-base64" -same as \fB\-a\fR +Same as \fB\-a\fR .IP "\fB\-A\fR" 4 .IX Item "-A" -if the \fB\-a\fR option is set then base64 process the data on one line. +If the \fB\-a\fR option is set then base64 process the data on one line. .IP "\fB\-k password\fR" 4 .IX Item "-k password" -the password to derive the key from. This is for compatibility with previous +The password to derive the key from. This is for compatibility with previous versions of OpenSSL. Superseded by the \fB\-pass\fR argument. .IP "\fB\-kfile filename\fR" 4 .IX Item "-kfile filename" -read the password to derive the key from the first line of \fBfilename\fR. +Read the password to derive the key from the first line of \fBfilename\fR. This is for compatibility with previous versions of OpenSSL. Superseded by the \fB\-pass\fR argument. +.IP "\fB\-md digest\fR" 4 +.IX Item "-md digest" +Use the specified digest to create the key from the passphrase. +The default algorithm is sha\-256. +.IP "\fB\-iter count\fR" 4 +.IX Item "-iter count" +Use a given number of iterations on the password in deriving the encryption key. +High values increase the time required to brute-force the resulting file. +This option enables the use of \s-1PBKDF2\s0 algorithm to derive the key. +.IP "\fB\-pbkdf2\fR" 4 +.IX Item "-pbkdf2" +Use \s-1PBKDF2\s0 algorithm with default iteration count unless otherwise specified. .IP "\fB\-nosalt\fR" 4 .IX Item "-nosalt" -do not use a salt +Don't use a salt in the key derivation routines. This option \fB\s-1SHOULD NOT\s0\fR be +used except for test purposes or compatibility with ancient versions of +OpenSSL. .IP "\fB\-salt\fR" 4 .IX Item "-salt" -use salt (randomly generated or provide with \fB\-S\fR option) when -encrypting (this is the default). +Use salt (randomly generated or provide with \fB\-S\fR option) when +encrypting, this is the default. .IP "\fB\-S salt\fR" 4 .IX Item "-S salt" -the actual salt to use: this must be represented as a string of hex digits. +The actual salt to use: this must be represented as a string of hex digits. .IP "\fB\-K key\fR" 4 .IX Item "-K key" -the actual key to use: this must be represented as a string comprised only +The actual key to use: this must be represented as a string comprised only of hex digits. If only the key is specified, the \s-1IV\s0 must additionally specified using the \fB\-iv\fR option. When both a key and a password are specified, the key given with the \fB\-K\fR option will be used and the \s-1IV\s0 generated from the -password will be taken. It probably does not make much sense to specify -both key and password. +password will be taken. It does not make much sense to specify both key +and password. .IP "\fB\-iv \s-1IV\s0\fR" 4 .IX Item "-iv IV" -the actual \s-1IV\s0 to use: this must be represented as a string comprised only +The actual \s-1IV\s0 to use: this must be represented as a string comprised only of hex digits. When only the key is specified using the \fB\-K\fR option, the \&\s-1IV\s0 must explicitly be defined. When a password is being specified using one of the other options, the \s-1IV\s0 is generated from this password. .IP "\fB\-p\fR" 4 .IX Item "-p" -print out the key and \s-1IV\s0 used. +Print out the key and \s-1IV\s0 used. .IP "\fB\-P\fR" 4 .IX Item "-P" -print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption +Print out the key and \s-1IV\s0 used then immediately exit: don't do any encryption or decryption. .IP "\fB\-bufsize number\fR" 4 .IX Item "-bufsize number" -set the buffer size for I/O +Set the buffer size for I/O. .IP "\fB\-nopad\fR" 4 .IX Item "-nopad" -disable standard block padding +Disable standard block padding. .IP "\fB\-debug\fR" 4 .IX Item "-debug" -debug the BIOs used for I/O. +Debug the BIOs used for I/O. .IP "\fB\-z\fR" 4 .IX Item "-z" Compress or decompress clear text using zlib before encryption or after @@ -263,28 +283,40 @@ or zlib-dynamic option. .IP "\fB\-none\fR" 4 .IX Item "-none" Use \s-1NULL\s0 cipher (no encryption or decryption of input). +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .SH "NOTES" .IX Header "NOTES" -The program can be called either as \fBopenssl ciphername\fR or -\&\fBopenssl enc \-ciphername\fR. But the first form doesn't work with +The program can be called either as \fBopenssl cipher\fR or +\&\fBopenssl enc \-cipher\fR. The first form doesn't work with engine-provided ciphers, because this form is processed before the configuration file is read and any ENGINEs loaded. +Use the \fBlist\fR command to get a list of supported ciphers. .PP -Engines which provide entirely new encryption algorithms (such as ccgost +Engines which provide entirely new encryption algorithms (such as the ccgost engine which provides gost89 algorithm) should be configured in the -configuration file. Engines, specified in the command line using \-engine -options can only be used for hadrware-assisted implementations of -ciphers, which are supported by OpenSSL core or other engine, specified +configuration file. Engines specified on the command line using \-engine +options can only be used for hardware-assisted implementations of +ciphers which are supported by the OpenSSL core or another engine specified in the configuration file. .PP -When enc command lists supported ciphers, ciphers provided by engines, +When the enc command lists supported ciphers, ciphers provided by engines, specified in the configuration files are listed too. .PP A password will be prompted for to derive the key and \s-1IV\s0 if necessary. .PP The \fB\-salt\fR option should \fB\s-1ALWAYS\s0\fR be used if the key is being derived from a password unless you want compatibility with previous versions of -OpenSSL and SSLeay. +OpenSSL. .PP Without the \fB\-salt\fR option it is possible to perform efficient dictionary attacks on the password and to attack stream cipher encrypted data. The reason @@ -295,12 +327,12 @@ encrypting a file and read from the encrypted file when it is decrypted. .PP Some of the ciphers do not have large keys and others have security implications if not used correctly. A beginner is advised to just use -a strong block cipher in \s-1CBC\s0 mode such as bf or des3. +a strong block cipher, such as \s-1AES,\s0 in \s-1CBC\s0 mode. .PP -All the block ciphers normally use PKCS#5 padding also known as standard block -padding: this allows a rudimentary integrity or password check to be -performed. However since the chance of random data passing the test is -better than 1 in 256 it isn't a very good test. +All the block ciphers normally use PKCS#5 padding, also known as standard +block padding. This allows a rudimentary integrity or password check to +be performed. However since the chance of random data passing the test +is better than 1 in 256 it isn't a very good test. .PP If padding is disabled then the input data must be a multiple of the cipher block length. @@ -313,13 +345,27 @@ Blowfish and \s-1RC5\s0 algorithms use a 128 bit key. Note that some of these ciphers can be disabled at compile time and some are available only if an appropriate engine is configured in the configuration file. The output of the \fBenc\fR command run with -unsupported options (for example \fBopenssl enc \-help\fR) includes a -list of ciphers, supported by your versesion of OpenSSL, including +the \fB\-ciphers\fR option (that is \fBopenssl enc \-ciphers\fR) produces a +list of ciphers, supported by your version of OpenSSL, including ones provided by configured engines. .PP The \fBenc\fR program does not support authenticated encryption modes -like \s-1CCM\s0 and \s-1GCM.\s0 The utility does not store or retrieve the -authentication tag. +like \s-1CCM\s0 and \s-1GCM,\s0 and will not support such modes in the future. +The \fBenc\fR interface by necessity must begin streaming output (e.g., +to standard output when \fB\-out\fR is not used before the authentication +tag could be validated, leading to the usage of \fBenc\fR in pipelines +that begin processing untrusted data and are not capable of rolling +back upon authentication failure. The \s-1AEAD\s0 modes currently in common +use also suffer from catastrophic failure of confidentiality and/or +integrity upon reuse of key/iv/nonce, and since \fBenc\fR places the +entire burden of key/iv/nonce management upon the user, the risk of +exposing \s-1AEAD\s0 modes is too great to allow. These key/iv/nonce +management issues also affect other modes currently exposed in \fBenc\fR, +but the failure modes are less extreme in these cases, and the +functionality cannot be removed with a stable release branch. +For bulk encryption of data, whether using authenticated encryption +modes or other modes, \fIcms\fR\|(1) is recommended, as it provides a +standard data format and performs the needed key/iv/nonce management. .PP .Vb 1 \& base64 Base 64 @@ -339,7 +385,7 @@ authentication tag. \& \& des\-cbc DES in CBC mode \& des Alias for des\-cbc -\& des\-cfb DES in CBC mode +\& des\-cfb DES in CFB mode \& des\-ofb DES in OFB mode \& des\-ecb DES in ECB mode \& @@ -357,7 +403,7 @@ authentication tag. \& desx DESX algorithm. \& \& gost89 GOST 28147\-89 in CFB mode (provided by ccgost engine) -\& gost89\-cnt \`GOST 28147\-89 in CNT mode (provided by ccgost engine) +\& gost89\-cnt \`GOST 28147\-89 in CNT mode (provided by ccgost engine) \& \& idea\-cbc IDEA algorithm in CBC mode \& idea same as idea\-cbc @@ -384,12 +430,22 @@ authentication tag. \& rc5\-ofb RC5 cipher in OFB mode \& \& aes\-[128|192|256]\-cbc 128/192/256 bit AES in CBC mode -\& aes\-[128|192|256] Alias for aes\-[128|192|256]\-cbc +\& aes[128|192|256] Alias for aes\-[128|192|256]\-cbc \& aes\-[128|192|256]\-cfb 128/192/256 bit AES in 128 bit CFB mode \& aes\-[128|192|256]\-cfb1 128/192/256 bit AES in 1 bit CFB mode \& aes\-[128|192|256]\-cfb8 128/192/256 bit AES in 8 bit CFB mode +\& aes\-[128|192|256]\-ctr 128/192/256 bit AES in CTR mode \& aes\-[128|192|256]\-ecb 128/192/256 bit AES in ECB mode \& aes\-[128|192|256]\-ofb 128/192/256 bit AES in OFB mode +\& +\& camellia\-[128|192|256]\-cbc 128/192/256 bit Camellia in CBC mode +\& camellia[128|192|256] Alias for camellia\-[128|192|256]\-cbc +\& camellia\-[128|192|256]\-cfb 128/192/256 bit Camellia in 128 bit CFB mode +\& camellia\-[128|192|256]\-cfb1 128/192/256 bit Camellia in 1 bit CFB mode +\& camellia\-[128|192|256]\-cfb8 128/192/256 bit Camellia in 8 bit CFB mode +\& camellia\-[128|192|256]\-ctr 128/192/256 bit Camellia in CTR mode +\& camellia\-[128|192|256]\-ecb 128/192/256 bit Camellia in ECB mode +\& camellia\-[128|192|256]\-ofb 128/192/256 bit Camellia in OFB mode .Ve .SH "EXAMPLES" .IX Header "EXAMPLES" @@ -439,8 +495,17 @@ Decrypt some data using a supplied 40 bit \s-1RC4\s0 key: .IX Header "BUGS" The \fB\-A\fR option when used with large files doesn't work properly. .PP -There should be an option to allow an iteration count to be included. -.PP The \fBenc\fR program only supports a fixed number of algorithms with certain parameters. So if, for example, you want to use \s-1RC2\s0 with a 76 bit key or \s-1RC4\s0 with an 84 bit key you can't use this program. +.SH "HISTORY" +.IX Header "HISTORY" +The default digest was changed from \s-1MD5\s0 to \s-1SHA256\s0 in Openssl 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/crypto.3 b/secure/usr.bin/openssl/man/engine.1 similarity index 54% rename from secure/lib/libcrypto/man/crypto.3 rename to secure/usr.bin/openssl/man/engine.1 index 1f1cab260278..fe9591ca396f 100644 --- a/secure/lib/libcrypto/man/crypto.3 +++ b/secure/usr.bin/openssl/man/engine.1 @@ -128,76 +128,109 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "crypto 3" -.TH crypto 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "ENGINE 1" +.TH ENGINE 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -crypto \- OpenSSL cryptographic library +openssl\-engine, engine \- load and query engines .SH "SYNOPSIS" .IX Header "SYNOPSIS" +\&\fBopenssl engine\fR +[ \fIengine...\fR ] +[\fB\-v\fR] +[\fB\-vv\fR] +[\fB\-vvv\fR] +[\fB\-vvv\fR] +[\fB\-vvv\fR] +[\fB\-c\fR] +[\fB\-t\fR] +[\fB\-tt\fR] +[\fB\-pre\fR \fIcommand\fR] +[\fB\-post\fR \fIcommand\fR] +[ \fIengine...\fR ] .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The OpenSSL \fBcrypto\fR library implements a wide range of cryptographic -algorithms used in various Internet standards. The services provided -by this library are used by the OpenSSL implementations of \s-1SSL, TLS\s0 -and S/MIME, and they have also been used to implement \s-1SSH,\s0 OpenPGP, and -other cryptographic standards. -.SH "OVERVIEW" -.IX Header "OVERVIEW" -\&\fBlibcrypto\fR consists of a number of sub-libraries that implement the -individual algorithms. +The \fBengine\fR command is used to query the status and capabilities +of the specified \fBengine\fR's. +Engines may be specified before and after all other command-line flags. +Only those specified are queried. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-v\fR \fB\-vv\fR \fB\-vvv\fR \fB\-vvvv\fR" 4 +.IX Item "-v -vv -vvv -vvvv" +Provides information about each specified engine. The first flag lists +all the possible run-time control commands; the second adds a +description of each command; the third adds the input flags, and the +final option adds the internal input flags. +.IP "\fB\-c\fR" 4 +.IX Item "-c" +Lists the capabilities of each engine. +.IP "\fB\-t\fR" 4 +.IX Item "-t" +Tests if each specified engine is available, and displays the answer. +.IP "\fB\-tt\fR" 4 +.IX Item "-tt" +Displays an error trace for any unavailable engine. +.IP "\fB\-pre\fR \fIcommand\fR" 4 +.IX Item "-pre command" +.PD 0 +.IP "\fB\-post\fR \fIcommand\fR" 4 +.IX Item "-post command" +.PD +Command-line configuration of engines. +The \fB\-pre\fR command is given to the engine before it is loaded and +the \fB\-post\fR command is given after the engine is loaded. +The \fIcommand\fR is of the form \fIcmd:val\fR where \fIcmd\fR is the command, +and \fIval\fR is the value for the command. +See the example below. +.SH "EXAMPLE" +.IX Header "EXAMPLE" +To list all the commands available to a dynamic engine: .PP -The functionality includes symmetric encryption, public key -cryptography and key agreement, certificate handling, cryptographic -hash functions and a cryptographic pseudo-random number generator. -.IP "\s-1SYMMETRIC CIPHERS\s0" 4 -.IX Item "SYMMETRIC CIPHERS" -\&\fIblowfish\fR\|(3), \fIcast\fR\|(3), \fIdes\fR\|(3), -\&\fIidea\fR\|(3), \fIrc2\fR\|(3), \fIrc4\fR\|(3), \fIrc5\fR\|(3) -.IP "\s-1PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT\s0" 4 -.IX Item "PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT" -\&\fIdsa\fR\|(3), \fIdh\fR\|(3), \fIrsa\fR\|(3) -.IP "\s-1CERTIFICATES\s0" 4 -.IX Item "CERTIFICATES" -\&\fIx509\fR\|(3), \fIx509v3\fR\|(3) -.IP "\s-1AUTHENTICATION CODES, HASH FUNCTIONS\s0" 4 -.IX Item "AUTHENTICATION CODES, HASH FUNCTIONS" -\&\fIhmac\fR\|(3), \fImd2\fR\|(3), \fImd4\fR\|(3), -\&\fImd5\fR\|(3), \fImdc2\fR\|(3), \fIripemd\fR\|(3), -\&\fIsha\fR\|(3) -.IP "\s-1AUXILIARY FUNCTIONS\s0" 4 -.IX Item "AUXILIARY FUNCTIONS" -\&\fIerr\fR\|(3), \fIthreads\fR\|(3), \fIrand\fR\|(3), -\&\s-1\fIOPENSSL_VERSION_NUMBER\s0\fR\|(3) -.IP "\s-1INPUT/OUTPUT, DATA ENCODING\s0" 4 -.IX Item "INPUT/OUTPUT, DATA ENCODING" -\&\fIasn1\fR\|(3), \fIbio\fR\|(3), \fIevp\fR\|(3), \fIpem\fR\|(3), -\&\fIpkcs7\fR\|(3), \fIpkcs12\fR\|(3) -.IP "\s-1INTERNAL FUNCTIONS\s0" 4 -.IX Item "INTERNAL FUNCTIONS" -\&\fIbn\fR\|(3), \fIbuffer\fR\|(3), \fIec\fR\|(3), \fIlhash\fR\|(3), -\&\fIobjects\fR\|(3), \fIstack\fR\|(3), -\&\fItxt_db\fR\|(3) -.SH "NOTES" -.IX Header "NOTES" -Some of the newer functions follow a naming convention using the numbers -\&\fB0\fR and \fB1\fR. For example the functions: -.PP -.Vb 2 -\& int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); -\& int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); +.Vb 10 +\& $ openssl engine \-t \-tt \-vvvv dynamic +\& (dynamic) Dynamic engine loading support +\& [ unavailable ] +\& SO_PATH: Specifies the path to the new ENGINE shared library +\& (input flags): STRING +\& NO_VCHECK: Specifies to continue even if version checking fails (boolean) +\& (input flags): NUMERIC +\& ID: Specifies an ENGINE id name for loading +\& (input flags): STRING +\& LIST_ADD: Whether to add a loaded ENGINE to the internal list (0=no,1=yes,2=mandatory) +\& (input flags): NUMERIC +\& DIR_LOAD: Specifies whether to load from \*(AqDIR_ADD\*(Aq directories (0=no,1=yes,2=mandatory) +\& (input flags): NUMERIC +\& DIR_ADD: Adds a directory from which ENGINEs can be loaded +\& (input flags): STRING +\& LOAD: Load up the ENGINE specified by other settings +\& (input flags): NO_INPUT .Ve .PP -The \fB0\fR version uses the supplied structure pointer directly -in the parent and it will be freed up when the parent is freed. -In the above example \fBcrl\fR would be freed but \fBrev\fR would not. +To list the capabilities of the \fIrsax\fR engine: .PP -The \fB1\fR function uses a copy of the supplied structure pointer -(or in some cases increases its link count) in the parent and -so both (\fBx\fR and \fBobj\fR above) should be freed up. +.Vb 4 +\& $ openssl engine \-c +\& (rsax) RSAX engine support +\& [RSA] +\& (dynamic) Dynamic engine loading support +.Ve +.SH "ENVIRONMENT" +.IX Header "ENVIRONMENT" +.IP "\fB\s-1OPENSSL_ENGINES\s0\fR" 4 +.IX Item "OPENSSL_ENGINES" +The path to the engines directory. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIopenssl\fR\|(1), \fIssl\fR\|(3) +\&\fIconfig\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/errstr.1 b/secure/usr.bin/openssl/man/errstr.1 index dec3c719aed8..2debaab43215 100644 --- a/secure/usr.bin/openssl/man/errstr.1 +++ b/secure/usr.bin/openssl/man/errstr.1 @@ -129,23 +129,25 @@ .\" ======================================================================== .\" .IX Title "ERRSTR 1" -.TH ERRSTR 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH ERRSTR 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-errstr, -errstr \- lookup error codes +openssl\-errstr, errstr \- lookup error codes .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl errstr error_code\fR .SH "DESCRIPTION" .IX Header "DESCRIPTION" Sometimes an application will not load error message and only -numerical forms will be available. The \fBerrstr\fR utility can be used to +numerical forms will be available. The \fBerrstr\fR utility can be used to display the meaning of the hex code. The hex code is the hex digits after the second colon. +.SH "OPTIONS" +.IX Header "OPTIONS" +None. .SH "EXAMPLE" .IX Header "EXAMPLE" The error code: @@ -165,8 +167,11 @@ to produce the error message: .Vb 1 \& error:2006D080:BIO routines:BIO_new_file:no such file .Ve -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIerr\fR\|(3), -\&\fIERR_load_crypto_strings\fR\|(3), -\&\fISSL_load_error_strings\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/gendsa.1 b/secure/usr.bin/openssl/man/gendsa.1 index 33f91e533856..14d9fd9261fb 100644 --- a/secure/usr.bin/openssl/man/gendsa.1 +++ b/secure/usr.bin/openssl/man/gendsa.1 @@ -129,28 +129,32 @@ .\" ======================================================================== .\" .IX Title "GENDSA 1" -.TH GENDSA 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH GENDSA 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-gendsa, -gendsa \- generate a DSA private key from a set of parameters +openssl\-gendsa, gendsa \- generate a DSA private key from a set of parameters .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBgendsa\fR +[\fB\-help\fR] [\fB\-out filename\fR] [\fB\-aes128\fR] [\fB\-aes192\fR] [\fB\-aes256\fR] +[\fB\-aria128\fR] +[\fB\-aria192\fR] +[\fB\-aria256\fR] [\fB\-camellia128\fR] [\fB\-camellia192\fR] [\fB\-camellia256\fR] [\fB\-des\fR] [\fB\-des3\fR] [\fB\-idea\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-engine id\fR] [\fBparamfile\fR] .SH "DESCRIPTION" @@ -159,21 +163,32 @@ The \fBgendsa\fR command generates a \s-1DSA\s0 private key from a \s-1DSA\s0 pa (which will be typically generated by the \fBopenssl dsaparam\fR command). .SH "OPTIONS" .IX Header "OPTIONS" -.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4 -.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +Output the key to the specified file. If this argument is not specified then +standard output is used. +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4 +.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea" These options encrypt the private key with specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified no encryption is used. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBgendsa\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBgendsa\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -190,3 +205,11 @@ much quicker that \s-1RSA\s0 key generation for example. .IX Header "SEE ALSO" \&\fIdsaparam\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \&\fIrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/genpkey.1 b/secure/usr.bin/openssl/man/genpkey.1 index ddc58bb64b03..cbfda8622c75 100644 --- a/secure/usr.bin/openssl/man/genpkey.1 +++ b/secure/usr.bin/openssl/man/genpkey.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "GENPKEY 1" -.TH GENPKEY 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH GENPKEY 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-genpkey, -genpkey \- generate a private key +openssl\-genpkey, genpkey \- generate a private key .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBgenpkey\fR +[\fB\-help\fR] [\fB\-out filename\fR] [\fB\-outform PEM|DER\fR] [\fB\-pass arg\fR] @@ -155,10 +155,13 @@ genpkey \- generate a private key The \fBgenpkey\fR command generates a private key. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -the output filename. If this argument is not specified then standard output is -used. +Output the key to the specified file. If this argument is not specified then +standard output is used. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" This specifies the output format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0 @@ -184,7 +187,8 @@ precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algo are mutually exclusive. Engines may add algorithms in addition to the standard built-in ones. .Sp -Valid built-in algorithm names for private key generation are \s-1RSA\s0 and \s-1EC.\s0 +Valid built-in algorithm names for private key generation are \s-1RSA,\s0 RSA-PSS, \s-1EC, +X25519, X448, ED25519\s0 and \s-1ED448.\s0 .Sp Valid built-in algorithm names for parameter generation (see the \fB\-genparam\fR option) are \s-1DH, DSA\s0 and \s-1EC.\s0 @@ -209,7 +213,7 @@ precede any \fB\-algorithm\fR, \fB\-paramfile\fR or \fB\-pkeyopt\fR options. Some public key algorithms generate a private key based on a set of parameters. They can be supplied using this option. If this option is used the public key algorithm used is determined by the parameters. If used this option must -precede and \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR +precede any \fB\-pkeyopt\fR options. The options \fB\-paramfile\fR and \fB\-algorithm\fR are mutually exclusive. .IP "\fB\-text\fR" 4 .IX Item "-text" @@ -217,18 +221,38 @@ Print an (unencrypted) text representation of private and public keys and parameters along with the \s-1PEM\s0 or \s-1DER\s0 structure. .SH "KEY GENERATION OPTIONS" .IX Header "KEY GENERATION OPTIONS" -The options supported by each algorith and indeed each implementation of an +The options supported by each algorithm and indeed each implementation of an algorithm can vary. The options for the OpenSSL implementations are detailed -below. +below. There are no key generation options defined for the X25519, X448, \s-1ED25519\s0 +or \s-1ED448\s0 algorithms. .SS "\s-1RSA\s0 Key Generation Options" .IX Subsection "RSA Key Generation Options" .IP "\fBrsa_keygen_bits:numbits\fR" 4 .IX Item "rsa_keygen_bits:numbits" The number of bits in the generated key. If not specified 1024 is used. +.IP "\fBrsa_keygen_primes:numprimes\fR" 4 +.IX Item "rsa_keygen_primes:numprimes" +The number of primes in the generated key. If not specified 2 is used. .IP "\fBrsa_keygen_pubexp:value\fR" 4 .IX Item "rsa_keygen_pubexp:value" The \s-1RSA\s0 public exponent value. This can be a large decimal or hexadecimal value if preceded by \fB0x\fR. Default value is 65537. +.SS "RSA-PSS Key Generation Options" +.IX Subsection "RSA-PSS Key Generation Options" +Note: by default an \fBRSA-PSS\fR key has no parameter restrictions. +.IP "\fBrsa_keygen_bits:numbits\fR, \fBrsa_keygen_primes:numprimes\fR, \fBrsa_keygen_pubexp:value\fR" 4 +.IX Item "rsa_keygen_bits:numbits, rsa_keygen_primes:numprimes, rsa_keygen_pubexp:value" +These options have the same meaning as the \fB\s-1RSA\s0\fR algorithm. +.IP "\fBrsa_pss_keygen_md:digest\fR" 4 +.IX Item "rsa_pss_keygen_md:digest" +If set the key is restricted and can only use \fBdigest\fR for signing. +.IP "\fBrsa_pss_keygen_mgf1_md:digest\fR" 4 +.IX Item "rsa_pss_keygen_mgf1_md:digest" +If set the key is restricted and can only use \fBdigest\fR as it's \s-1MGF1\s0 +parameter. +.IP "\fBrsa_pss_keygen_saltlen:len\fR" 4 +.IX Item "rsa_pss_keygen_saltlen:len" +If set the key is restricted and \fBlen\fR specifies the minimum salt length. .SS "\s-1EC\s0 Key Generation Options" .IX Subsection "EC Key Generation Options" The \s-1EC\s0 key generation options can also be used for parameter generation. @@ -291,31 +315,6 @@ options. .IX Subsection "EC Parameter Generation Options" The \s-1EC\s0 parameter generation options are the same as for key generation. See \&\*(L"\s-1EC\s0 Key Generation Options\*(R" above. -.SH "GOST2001 KEY GENERATION AND PARAMETER OPTIONS" -.IX Header "GOST2001 KEY GENERATION AND PARAMETER OPTIONS" -Gost 2001 support is not enabled by default. To enable this algorithm, -one should load the ccgost engine in the OpenSSL configuration file. -See \s-1README\s0.gost file in the engines/ccgost directiry of the source -distribution for more details. -.PP -Use of a parameter file for the \s-1GOST R 34.10\s0 algorithm is optional. -Parameters can be specified during key generation directly as well as -during generation of parameter file. -.IP "\fBparamset:name\fR" 4 -.IX Item "paramset:name" -Specifies \s-1GOST R 34.10\-2001\s0 parameter set according to \s-1RFC 4357.\s0 -Parameter set can be specified using abbreviated name, object short name or -numeric \s-1OID.\s0 Following parameter sets are supported: -.Sp -.Vb 7 -\& paramset OID Usage -\& A 1.2.643.2.2.35.1 Signature -\& B 1.2.643.2.2.35.2 Signature -\& C 1.2.643.2.2.35.3 Signature -\& XA 1.2.643.2.2.36.0 Key exchange -\& XB 1.2.643.2.2.36.1 Key exchange -\& test 1.2.643.2.2.35.0 Test purposes -.Ve .SH "NOTES" .IX Header "NOTES" The use of the genpkey program is encouraged over the algorithm specific @@ -338,15 +337,15 @@ Encrypt output private key using 128 bit \s-1AES\s0 and the passphrase \*(L"hell Generate a 2048 bit \s-1RSA\s0 key using 3 as the public exponent: .PP .Vb 2 -\& openssl genpkey \-algorithm RSA \-out key.pem \-pkeyopt rsa_keygen_bits:2048 \e -\& \-pkeyopt rsa_keygen_pubexp:3 +\& openssl genpkey \-algorithm RSA \-out key.pem \e +\& \-pkeyopt rsa_keygen_bits:2048 \-pkeyopt rsa_keygen_pubexp:3 .Ve .PP Generate 2048 bit \s-1DSA\s0 parameters: .PP .Vb 2 \& openssl genpkey \-genparam \-algorithm DSA \-out dsap.pem \e -\& \-pkeyopt dsa_paramgen_bits:2048 +\& \-pkeyopt dsa_paramgen_bits:2048 .Ve .PP Generate \s-1DSA\s0 key from parameters: @@ -359,15 +358,15 @@ Generate 2048 bit \s-1DH\s0 parameters: .PP .Vb 2 \& openssl genpkey \-genparam \-algorithm DH \-out dhp.pem \e -\& \-pkeyopt dh_paramgen_prime_len:2048 +\& \-pkeyopt dh_paramgen_prime_len:2048 .Ve .PP Generate 2048 bit X9.42 \s-1DH\s0 parameters: .PP .Vb 3 \& openssl genpkey \-genparam \-algorithm DH \-out dhpx.pem \e -\& \-pkeyopt dh_paramgen_prime_len:2048 \e -\& \-pkeyopt dh_paramgen_type:1 +\& \-pkeyopt dh_paramgen_prime_len:2048 \e +\& \-pkeyopt dh_paramgen_type:1 .Ve .PP Output \s-1RFC5114 2048\s0 bit \s-1DH\s0 parameters with 224 bit subgroup: @@ -382,6 +381,20 @@ Generate \s-1DH\s0 key from parameters: \& openssl genpkey \-paramfile dhp.pem \-out dhkey.pem .Ve .PP +Generate \s-1EC\s0 parameters: +.PP +.Vb 3 +\& openssl genpkey \-genparam \-algorithm EC \-out ecp.pem \e +\& \-pkeyopt ec_paramgen_curve:secp384r1 \e +\& \-pkeyopt ec_param_enc:named_curve +.Ve +.PP +Generate \s-1EC\s0 key from parameters: +.PP +.Vb 1 +\& openssl genpkey \-paramfile ecp.pem \-out eckey.pem +.Ve +.PP Generate \s-1EC\s0 key directly: .PP .Vb 3 @@ -389,7 +402,29 @@ Generate \s-1EC\s0 key directly: \& \-pkeyopt ec_paramgen_curve:P\-384 \e \& \-pkeyopt ec_param_enc:named_curve .Ve +.PP +Generate an X25519 private key: +.PP +.Vb 1 +\& openssl genpkey \-algorithm X25519 \-out xkey.pem +.Ve +.PP +Generate an \s-1ED448\s0 private key: +.PP +.Vb 1 +\& openssl genpkey \-algorithm ED448 \-out xkey.pem +.Ve .SH "HISTORY" .IX Header "HISTORY" The ability to use \s-1NIST\s0 curve names, and to generate an \s-1EC\s0 key directly, -were added in OpenSSL 1.0.2. +were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in +OpenSSL 1.1.0. The ability to generate X448, \s-1ED25519\s0 and \s-1ED448\s0 keys was added in +OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/genrsa.1 b/secure/usr.bin/openssl/man/genrsa.1 index 06b9833fde51..5500dd79dace 100644 --- a/secure/usr.bin/openssl/man/genrsa.1 +++ b/secure/usr.bin/openssl/man/genrsa.1 @@ -129,14 +129,13 @@ .\" ======================================================================== .\" .IX Title "GENRSA 1" -.TH GENRSA 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH GENRSA 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-genrsa, -genrsa \- generate an RSA private key +openssl\-genrsa, genrsa \- generate an RSA private key .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBgenrsa\fR @@ -157,8 +156,10 @@ genrsa \- generate an RSA private key [\fB\-idea\fR] [\fB\-f4\fR] [\fB\-3\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-engine id\fR] +[\fB\-primes num\fR] [\fBnumbits\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -174,57 +175,63 @@ Output the key to the specified file. If this argument is not specified then standard output is used. .IP "\fB\-passout arg\fR" 4 .IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR -see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-aes128|\-aes192|\-aes256|\-aria128|\-aria192|\-aria256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4 -.IX Item "-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea" +The output file password source. For more information about the format +of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4 +.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea" These options encrypt the private key with specified cipher before outputting it. If none of these options is specified no encryption is used. If encryption is used a pass phrase is prompted for if it is not supplied via the \fB\-passout\fR argument. .IP "\fB\-F4|\-3\fR" 4 .IX Item "-F4|-3" -the public exponent to use, either 65537 or 3. The default is 65537. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). +The public exponent to use, either 65537 or 3. The default is 65537. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBgenrsa\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBgenrsa\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +.IP "\fB\-primes num\fR" 4 +.IX Item "-primes num" +Specify the number of primes to use while generating the \s-1RSA\s0 key. The \fBnum\fR +parameter must be a positive integer that is greater than 1 and less than 16. +If \fBnum\fR is greater than 2, then the generated key is called a 'multi\-prime' +\&\s-1RSA\s0 key, which is defined in \s-1RFC 8017.\s0 .IP "\fBnumbits\fR" 4 .IX Item "numbits" -the size of the private key to generate in bits. This must be the last option -specified. The default is 2048. +The size of the private key to generate in bits. This must be the last option +specified. The default is 2048 and values less than 512 are not allowed. .SH "NOTES" .IX Header "NOTES" -\&\s-1RSA\s0 private key generation essentially involves the generation of two prime -numbers. When generating a private key various symbols will be output to +\&\s-1RSA\s0 private key generation essentially involves the generation of two or more +prime numbers. When generating a private key various symbols will be output to indicate the progress of the generation. A \fB.\fR represents each number which has passed an initial sieve test, \fB+\fR means a number has passed a single -round of the Miller-Rabin primality test. A newline means that the number has -passed all the prime tests (the actual number depends on the key size). +round of the Miller-Rabin primality test, \fB*\fR means the current prime starts +a regenerating progress due to some failed tests. A newline means that the number +has passed all the prime tests (the actual number depends on the key size). .PP Because key generation is a random process the time taken to generate a key -may vary somewhat. -.SH "BUGS" -.IX Header "BUGS" -A quirk of the prime generation algorithm is that it cannot generate small -primes. Therefore the number of bits should not be less that 64. For typical -private keys this will not matter because for security reasons they will -be much larger (typically 1024 bits). +may vary somewhat. But in general, more primes lead to less generation time +of a key. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIgendsa\fR\|(1) .SH "COPYRIGHT" .IX Header "COPYRIGHT" -Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 b/secure/usr.bin/openssl/man/list.1 similarity index 60% rename from secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 rename to secure/usr.bin/openssl/man/list.1 index 6b9f553f8c62..a64ec72c1e86 100644 --- a/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 +++ b/secure/usr.bin/openssl/man/list.1 @@ -128,31 +128,80 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "d2i_ASN1_OBJECT 3" -.TH d2i_ASN1_OBJECT 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "LIST 1" +.TH LIST 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -d2i_ASN1_OBJECT, i2d_ASN1_OBJECT \- ASN1 OBJECT IDENTIFIER functions +openssl\-list, list \- list algorithms and features .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp, long length); -\& int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp); -.Ve +\&\fBopenssl list\fR +[\fB\-help\fR] +[\fB\-1\fR] +[\fB\-commands\fR] +[\fB\-digest\-commands\fR] +[\fB\-digest\-algorithms\fR] +[\fB\-cipher\-commands\fR] +[\fB\-cipher\-algorithms\fR] +[\fB\-public\-key\-algorithms\fR] +[\fB\-public\-key\-methods\fR] +[\fB\-disabled\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions decode and encode an \s-1ASN1 OBJECT IDENTIFIER.\s0 +This command is used to generate list of algorithms or disabled +features. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Display a usage message. +.IP "\fB\-1\fR" 4 +.IX Item "-1" +List the commands, digest-commands, or cipher-commands in a single column. +If used, this option must be given first. +.IP "\fB\-commands\fR" 4 +.IX Item "-commands" +Display a list of standard commands. +.IP "\fB\-digest\-commands\fR" 4 +.IX Item "-digest-commands" +Display a list of message digest commands, which are typically used +as input to the \fIdgst\fR\|(1) or \fIspeed\fR\|(1) commands. +.IP "\fB\-digest\-algorithms\fR" 4 +.IX Item "-digest-algorithms" +Display a list of message digest algorithms. +If a line is of the form + foo => bar +then \fBfoo\fR is an alias for the official algorithm name, \fBbar\fR. +.IP "\fB\-cipher\-commands\fR" 4 +.IX Item "-cipher-commands" +Display a list of cipher commands, which are typically used as input +to the \fIdgst\fR\|(1) or \fIspeed\fR\|(1) commands. +.IP "\fB\-cipher\-algorithms\fR" 4 +.IX Item "-cipher-algorithms" +Display a list of cipher algorithms. +If a line is of the form + foo => bar +then \fBfoo\fR is an alias for the official algorithm name, \fBbar\fR. +.IP "\fB\-public\-key\-algorithms\fR" 4 +.IX Item "-public-key-algorithms" +Display a list of public key algorithms, with each algorithm as +a block of multiple lines, all but the first are indented. +.IP "\fB\-public\-key\-methods\fR" 4 +.IX Item "-public-key-methods" +Display a list of public key method OIDs: this also includes public key methods +without an associated \s-1ASN.1\s0 method, for example, \s-1KDF\s0 algorithms. +.IP "\fB\-disabled\fR" 4 +.IX Item "-disabled" +Display a list of disabled features, those that were compiled out +of the installation. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. .PP -Othewise these behave in a similar way to \fId2i_X509()\fR and \fIi2d_X509()\fR -described in the \fId2i_X509\fR\|(3) manual page. -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fId2i_X509\fR\|(3) -.SH "HISTORY" -.IX Header "HISTORY" -\&\s-1TBA\s0 +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/nseq.1 b/secure/usr.bin/openssl/man/nseq.1 index d29c7f501eda..eb7629438308 100644 --- a/secure/usr.bin/openssl/man/nseq.1 +++ b/secure/usr.bin/openssl/man/nseq.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "NSEQ 1" -.TH NSEQ 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH NSEQ 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-nseq, -nseq \- create or examine a netscape certificate sequence +openssl\-nseq, nseq \- create or examine a Netscape certificate sequence .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBnseq\fR +[\fB\-help\fR] [\fB\-in filename\fR] [\fB\-out filename\fR] [\fB\-toseq\fR] @@ -149,18 +149,21 @@ The \fBnseq\fR command takes a file containing a Netscape certificate sequence and prints out the certificates contained in it or takes a file of certificates and converts it into a Netscape certificate sequence. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read or standard input if this option is not specified. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -specifies the output filename or standard output by default. +Specifies the output filename or standard output by default. .IP "\fB\-toseq\fR" 4 .IX Item "-toseq" -normally a Netscape certificate sequence will be input and the output +Normally a Netscape certificate sequence will be input and the output is the certificates contained in it. With the \fB\-toseq\fR option the situation is reversed: a Netscape certificate sequence is created from a file of certificates. @@ -186,7 +189,7 @@ The \fB\s-1PEM\s0\fR encoded form uses the same headers and footers as a certifi \& \-\-\-\-\-END CERTIFICATE\-\-\-\-\- .Ve .PP -A Netscape certificate sequence is a Netscape specific form that can be sent +A Netscape certificate sequence is a Netscape specific format that can be sent to browsers as an alternative to the standard PKCS#7 format when several certificates are sent to the browser: for example during certificate enrollment. It is used by Netscape certificate server for example. @@ -194,3 +197,11 @@ It is used by Netscape certificate server for example. .IX Header "BUGS" This program needs a few more options: like allowing \s-1DER\s0 or \s-1PEM\s0 input and output files and allowing multiple certificate files to be used. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/ocsp.1 b/secure/usr.bin/openssl/man/ocsp.1 index 74d822041e58..2ce141bc6b2b 100644 --- a/secure/usr.bin/openssl/man/ocsp.1 +++ b/secure/usr.bin/openssl/man/ocsp.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "OCSP 1" -.TH OCSP 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH OCSP 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-ocsp, -ocsp \- Online Certificate Status Protocol utility +openssl\-ocsp, ocsp \- Online Certificate Status Protocol utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBocsp\fR +[\fB\-help\fR] [\fB\-out file\fR] [\fB\-issuer file\fR] [\fB\-cert file\fR] @@ -158,12 +158,42 @@ ocsp \- Online Certificate Status Protocol utility [\fB\-nonce\fR] [\fB\-no_nonce\fR] [\fB\-url \s-1URL\s0\fR] -[\fB\-host host:n\fR] -[\fB\-header name value\fR] +[\fB\-host host:port\fR] +[\fB\-multi process-count\fR] +[\fB\-header\fR] [\fB\-path\fR] [\fB\-CApath dir\fR] [\fB\-CAfile file\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-no_check_time\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] [\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level num\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-x509_strict\fR] [\fB\-VAfile file\fR] [\fB\-validity_period n\fR] [\fB\-status_age n\fR] @@ -177,17 +207,19 @@ ocsp \- Online Certificate Status Protocol utility [\fB\-no_cert_checks\fR] [\fB\-no_explicit\fR] [\fB\-port num\fR] +[\fB\-ignore_err\fR] [\fB\-index file\fR] [\fB\-CA file\fR] [\fB\-rsigner file\fR] [\fB\-rkey file\fR] [\fB\-rother file\fR] +[\fB\-rsigopt nm:v\fR] [\fB\-resp_no_certs\fR] [\fB\-nmin n\fR] [\fB\-ndays n\fR] [\fB\-resp_key_id\fR] [\fB\-nrequest n\fR] -[\fB\-md5|\-sha1|...\fR] +[\fB\-\f(BIdigest\fB\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The Online Certificate Status Protocol (\s-1OCSP\s0) enables applications to @@ -196,8 +228,15 @@ determine the (revocation) state of an identified certificate (\s-1RFC 2560\s0). The \fBocsp\fR command performs many common \s-1OCSP\s0 tasks. It can be used to print out requests and responses, create requests and send queries to an \s-1OCSP\s0 responder and behave like a mini \s-1OCSP\s0 server itself. -.SH "OCSP CLIENT OPTIONS" -.IX Header "OCSP CLIENT OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +This command operates as either a client or a server. +The options are described below, divided into those two modes. +.SS "\s-1OCSP\s0 Client Options" +.IX Subsection "OCSP Client Options" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" specify output filename, default is standard output. @@ -230,126 +269,151 @@ Additional certificates to include in the signed request. .IP "\fB\-nonce\fR, \fB\-no_nonce\fR" 4 .IX Item "-nonce, -no_nonce" Add an \s-1OCSP\s0 nonce extension to a request or disable \s-1OCSP\s0 nonce addition. -Normally if an \s-1OCSP\s0 request is input using the \fBrespin\fR option no +Normally if an \s-1OCSP\s0 request is input using the \fBreqin\fR option no nonce is added: using the \fBnonce\fR option will force addition of a nonce. If an \s-1OCSP\s0 request is being created (using \fBcert\fR and \fBserial\fR options) a nonce is automatically added specifying \fBno_nonce\fR overrides this. .IP "\fB\-req_text\fR, \fB\-resp_text\fR, \fB\-text\fR" 4 .IX Item "-req_text, -resp_text, -text" -print out the text form of the \s-1OCSP\s0 request, response or both respectively. +Print out the text form of the \s-1OCSP\s0 request, response or both respectively. .IP "\fB\-reqout file\fR, \fB\-respout file\fR" 4 .IX Item "-reqout file, -respout file" -write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR. +Write out the \s-1DER\s0 encoded certificate request or response to \fBfile\fR. .IP "\fB\-reqin file\fR, \fB\-respin file\fR" 4 .IX Item "-reqin file, -respin file" -read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored +Read \s-1OCSP\s0 request or response file from \fBfile\fR. These option are ignored if \s-1OCSP\s0 request or response creation is implied by other options (for example with \fBserial\fR, \fBcert\fR and \fBhost\fR options). .IP "\fB\-url responder_url\fR" 4 .IX Item "-url responder_url" -specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified. +Specify the responder \s-1URL.\s0 Both \s-1HTTP\s0 and \s-1HTTPS\s0 (\s-1SSL/TLS\s0) URLs can be specified. .IP "\fB\-host hostname:port\fR, \fB\-path pathname\fR" 4 .IX Item "-host hostname:port, -path pathname" -if the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host +If the \fBhost\fR option is present then the \s-1OCSP\s0 request is sent to the host \&\fBhostname\fR on port \fBport\fR. \fBpath\fR specifies the \s-1HTTP\s0 path name to use -or \*(L"/\*(R" by default. -.IP "\fB\-header name value\fR" 4 -.IX Item "-header name value" -If sending a request to an \s-1OCSP\s0 server, then the specified header name and -value are added to the \s-1HTTP\s0 request. Note that the \fBname\fR and \fBvalue\fR must -be specified as two separate parameters, not as a single quoted string, and -that the header name does not have the trailing colon. -Some \s-1OCSP\s0 responders require a Host header; use this flag to provide it. +or \*(L"/\*(R" by default. This is equivalent to specifying \fB\-url\fR with scheme +http:// and the given hostname, port, and pathname. +.IP "\fB\-header name=value\fR" 4 +.IX Item "-header name=value" +Adds the header \fBname\fR with the specified \fBvalue\fR to the \s-1OCSP\s0 request +that is sent to the responder. +This may be repeated. .IP "\fB\-timeout seconds\fR" 4 .IX Item "-timeout seconds" -connection timeout to the \s-1OCSP\s0 responder in seconds +Connection timeout to the \s-1OCSP\s0 responder in seconds. +On \s-1POSIX\s0 systems, when running as an \s-1OCSP\s0 responder, this option also limits +the time that the responder is willing to wait for the client request. +This time is measured from the time the responder accepts the connection until +the complete request is received. +.IP "\fB\-multi process-count\fR" 4 +.IX Item "-multi process-count" +Run the specified number of \s-1OCSP\s0 responder child processes, with the parent +process respawning child processes as needed. +Child processes will detect changes in the \s-1CA\s0 index file and automatically +reload it. +When running as a responder \fB\-timeout\fR option is recommended to limit the time +each child is willing to wait for the client's \s-1OCSP\s0 response. +This option is available on \s-1POSIX\s0 systems (that support the \fIfork()\fR and other +required unix system-calls). .IP "\fB\-CAfile file\fR, \fB\-CApath pathname\fR" 4 .IX Item "-CAfile file, -CApath pathname" -file or pathname containing trusted \s-1CA\s0 certificates. These are used to verify +File or pathname containing trusted \s-1CA\s0 certificates. These are used to verify the signature on the \s-1OCSP\s0 response. -.IP "\fB\-no_alt_chains\fR" 4 -.IX Item "-no_alt_chains" -See \fBverify\fR manual page for details. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set different certificate verification options. +See \fIverify\fR\|(1) manual page for details. .IP "\fB\-verify_other file\fR" 4 .IX Item "-verify_other file" -file containing additional certificates to search when attempting to locate +File containing additional certificates to search when attempting to locate the \s-1OCSP\s0 response signing certificate. Some responders omit the actual signer's certificate from the response: this option can be used to supply the necessary certificate in such cases. .IP "\fB\-trust_other\fR" 4 .IX Item "-trust_other" -the certificates specified by the \fB\-verify_other\fR option should be explicitly +The certificates specified by the \fB\-verify_other\fR option should be explicitly trusted and no additional checks will be performed on them. This is useful when the complete responder certificate chain is not available or trusting a root \s-1CA\s0 is not appropriate. .IP "\fB\-VAfile file\fR" 4 .IX Item "-VAfile file" -file containing explicitly trusted responder certificates. Equivalent to the +File containing explicitly trusted responder certificates. Equivalent to the \&\fB\-verify_other\fR and \fB\-trust_other\fR options. .IP "\fB\-noverify\fR" 4 .IX Item "-noverify" -don't attempt to verify the \s-1OCSP\s0 response signature or the nonce values. This -option will normally only be used for debugging since it disables all verification -of the responders certificate. +Don't attempt to verify the \s-1OCSP\s0 response signature or the nonce +values. This option will normally only be used for debugging since it +disables all verification of the responders certificate. .IP "\fB\-no_intern\fR" 4 .IX Item "-no_intern" -ignore certificates contained in the \s-1OCSP\s0 response when searching for the +Ignore certificates contained in the \s-1OCSP\s0 response when searching for the signers certificate. With this option the signers certificate must be specified with either the \fB\-verify_other\fR or \fB\-VAfile\fR options. .IP "\fB\-no_signature_verify\fR" 4 .IX Item "-no_signature_verify" -don't check the signature on the \s-1OCSP\s0 response. Since this option tolerates invalid -signatures on \s-1OCSP\s0 responses it will normally only be used for testing purposes. +Don't check the signature on the \s-1OCSP\s0 response. Since this option +tolerates invalid signatures on \s-1OCSP\s0 responses it will normally only be +used for testing purposes. .IP "\fB\-no_cert_verify\fR" 4 .IX Item "-no_cert_verify" -don't verify the \s-1OCSP\s0 response signers certificate at all. Since this option allows -the \s-1OCSP\s0 response to be signed by any certificate it should only be used for -testing purposes. +Don't verify the \s-1OCSP\s0 response signers certificate at all. Since this +option allows the \s-1OCSP\s0 response to be signed by any certificate it should +only be used for testing purposes. .IP "\fB\-no_chain\fR" 4 .IX Item "-no_chain" -do not use certificates in the response as additional untrusted \s-1CA\s0 +Do not use certificates in the response as additional untrusted \s-1CA\s0 certificates. .IP "\fB\-no_explicit\fR" 4 .IX Item "-no_explicit" -do not explicitly trust the root \s-1CA\s0 if it is set to be trusted for \s-1OCSP\s0 signing. +Do not explicitly trust the root \s-1CA\s0 if it is set to be trusted for \s-1OCSP\s0 signing. .IP "\fB\-no_cert_checks\fR" 4 .IX Item "-no_cert_checks" -don't perform any additional checks on the \s-1OCSP\s0 response signers certificate. +Don't perform any additional checks on the \s-1OCSP\s0 response signers certificate. That is do not make any checks to see if the signers certificate is authorised to provide the necessary status information: as a result this option should only be used for testing purposes. .IP "\fB\-validity_period nsec\fR, \fB\-status_age age\fR" 4 .IX Item "-validity_period nsec, -status_age age" -these options specify the range of times, in seconds, which will be tolerated -in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR time and -an optional \fBnotAfter\fR time. The current time should fall between these two values, but -the interval between the two times may be only a few seconds. In practice the \s-1OCSP\s0 -responder and clients clocks may not be precisely synchronised and so such a check -may fail. To avoid this the \fB\-validity_period\fR option can be used to specify an -acceptable error range in seconds, the default value is 5 minutes. +These options specify the range of times, in seconds, which will be tolerated +in an \s-1OCSP\s0 response. Each certificate status response includes a \fBnotBefore\fR +time and an optional \fBnotAfter\fR time. The current time should fall between +these two values, but the interval between the two times may be only a few +seconds. In practice the \s-1OCSP\s0 responder and clients clocks may not be precisely +synchronised and so such a check may fail. To avoid this the +\&\fB\-validity_period\fR option can be used to specify an acceptable error range in +seconds, the default value is 5 minutes. .Sp -If the \fBnotAfter\fR time is omitted from a response then this means that new status -information is immediately available. In this case the age of the \fBnotBefore\fR field -is checked to see it is not older than \fBage\fR seconds old. By default this additional -check is not performed. -.IP "\fB\-md5|\-sha1|\-sha256|\-ripemod160|...\fR" 4 -.IX Item "-md5|-sha1|-sha256|-ripemod160|..." -this option sets digest algorithm to use for certificate identification -in the \s-1OCSP\s0 request. By default \s-1SHA\-1\s0 is used. -.SH "OCSP SERVER OPTIONS" -.IX Header "OCSP SERVER OPTIONS" +If the \fBnotAfter\fR time is omitted from a response then this means that new +status information is immediately available. In this case the age of the +\&\fBnotBefore\fR field is checked to see it is not older than \fBage\fR seconds old. +By default this additional check is not performed. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +This option sets digest algorithm to use for certificate identification in the +\&\s-1OCSP\s0 request. Any digest supported by the OpenSSL \fBdgst\fR command can be used. +The default is \s-1SHA\-1.\s0 This option may be used multiple times to specify the +digest used by subsequent certificate identifiers. +.SS "\s-1OCSP\s0 Server Options" +.IX Subsection "OCSP Server Options" .IP "\fB\-index indexfile\fR" 4 .IX Item "-index indexfile" -\&\fBindexfile\fR is a text index file in \fBca\fR format containing certificate revocation -information. +The \fBindexfile\fR parameter is the name of a text index file in \fBca\fR +format containing certificate revocation information. .Sp -If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder mode, otherwise -it is in client mode. The request(s) the responder processes can be either specified on -the command line (using \fBissuer\fR and \fBserial\fR options), supplied in a file (using the -\&\fBrespin\fR option) or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified). +If the \fBindex\fR option is specified the \fBocsp\fR utility is in responder +mode, otherwise it is in client mode. The request(s) the responder +processes can be either specified on the command line (using \fBissuer\fR +and \fBserial\fR options), supplied in a file (using the \fBreqin\fR option) +or via external \s-1OCSP\s0 clients (if \fBport\fR or \fBurl\fR is specified). .Sp -If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options must also be -present. +If the \fBindex\fR option is present then the \fB\s-1CA\s0\fR and \fBrsigner\fR options +must also be present. .IP "\fB\-CA file\fR" 4 .IX Item "-CA file" \&\s-1CA\s0 certificate corresponding to the revocation information in \fBindexfile\fR. @@ -364,23 +428,34 @@ Additional certificates to include in the \s-1OCSP\s0 response. Don't include any certificates in the \s-1OCSP\s0 response. .IP "\fB\-resp_key_id\fR" 4 .IX Item "-resp_key_id" -Identify the signer certificate using the key \s-1ID,\s0 default is to use the subject name. +Identify the signer certificate using the key \s-1ID,\s0 default is to use the +subject name. .IP "\fB\-rkey file\fR" 4 .IX Item "-rkey file" -The private key to sign \s-1OCSP\s0 responses with: if not present the file specified in the -\&\fBrsigner\fR option is used. +The private key to sign \s-1OCSP\s0 responses with: if not present the file +specified in the \fBrsigner\fR option is used. +.IP "\fB\-rsigopt nm:v\fR" 4 +.IX Item "-rsigopt nm:v" +Pass options to the signature algorithm when signing \s-1OCSP\s0 responses. +Names and values of these options are algorithm-specific. .IP "\fB\-port portnum\fR" 4 .IX Item "-port portnum" -Port to listen for \s-1OCSP\s0 requests on. The port may also be specified using the \fBurl\fR -option. +Port to listen for \s-1OCSP\s0 requests on. The port may also be specified +using the \fBurl\fR option. +.IP "\fB\-ignore_err\fR" 4 +.IX Item "-ignore_err" +Ignore malformed requests or responses: When acting as an \s-1OCSP\s0 client, retry if +a malformed response is received. When acting as an \s-1OCSP\s0 responder, continue +running instead of terminating upon receiving a malformed request. .IP "\fB\-nrequest number\fR" 4 .IX Item "-nrequest number" The \s-1OCSP\s0 server will exit after receiving \fBnumber\fR requests, default unlimited. .IP "\fB\-nmin minutes\fR, \fB\-ndays days\fR" 4 .IX Item "-nmin minutes, -ndays days" -Number of minutes or days when fresh revocation information is available: used in the -\&\fBnextUpdate\fR field. If neither option is present then the \fBnextUpdate\fR field is -omitted meaning fresh revocation information is immediately available. +Number of minutes or days when fresh revocation information is available: +used in the \fBnextUpdate\fR field. If neither option is present then the +\&\fBnextUpdate\fR field is omitted meaning fresh revocation information is +immediately available. .SH "OCSP Response verification." .IX Header "OCSP Response verification." \&\s-1OCSP\s0 Response follows the rules specified in \s-1RFC2560.\s0 @@ -440,7 +515,7 @@ format of revocation is also inefficient for large quantities of revocation data. .PP It is possible to run the \fBocsp\fR application in responder mode via a \s-1CGI\s0 -script using the \fBrespin\fR and \fBrespout\fR options. +script using the \fBreqin\fR and \fBrespout\fR options. .SH "EXAMPLES" .IX Header "EXAMPLES" Create an \s-1OCSP\s0 request and write it to a file: @@ -449,8 +524,8 @@ Create an \s-1OCSP\s0 request and write it to a file: \& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \-reqout req.der .Ve .PP -Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the -response to a file and print it out in text form +Send a query to an \s-1OCSP\s0 responder with \s-1URL\s0 http://ocsp.myhost.com/ save the +response to a file, print it out in text form, and verify the response: .PP .Vb 2 \& openssl ocsp \-issuer issuer.pem \-cert c1.pem \-cert c2.pem \e @@ -460,7 +535,7 @@ response to a file and print it out in text form Read in an \s-1OCSP\s0 response and print out text form: .PP .Vb 1 -\& openssl ocsp \-respin resp.der \-text +\& openssl ocsp \-respin resp.der \-text \-noverify .Ve .PP \&\s-1OCSP\s0 server on port 8888 using a standard \fBca\fR configuration, and a separate @@ -478,15 +553,15 @@ As above but exit after processing one request: \& \-nrequest 1 .Ve .PP -Query status information using internally generated request: +Query status information using an internally generated request: .PP .Vb 2 \& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem \& \-issuer demoCA/cacert.pem \-serial 1 .Ve .PP -Query status information using request read from a file, write response to a -second file. +Query status information using request read from a file, and write the response +to a second file. .PP .Vb 2 \& openssl ocsp \-index demoCA/index.txt \-rsigner rcert.pem \-CA demoCA/cacert.pem @@ -494,4 +569,12 @@ second file. .Ve .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. +The \-no_alt_chains options was first added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2001\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/openssl.1 b/secure/usr.bin/openssl/man/openssl.1 index f0b6837a3f36..e45cd31fc43d 100644 --- a/secure/usr.bin/openssl/man/openssl.1 +++ b/secure/usr.bin/openssl/man/openssl.1 @@ -129,7 +129,7 @@ .\" ======================================================================== .\" .IX Title "OPENSSL 1" -.TH OPENSSL 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH OPENSSL 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l @@ -143,7 +143,7 @@ openssl \- OpenSSL command line tool [ \fIcommand_opts\fR ] [ \fIcommand_args\fR ] .PP -\&\fBopenssl\fR [ \fBlist-standard-commands\fR | \fBlist-message-digest-commands\fR | \fBlist-cipher-commands\fR | \fBlist-cipher-algorithms\fR | \fBlist-message-digest-algorithms\fR | \fBlist-public-key-algorithms\fR] +\&\fBopenssl\fR \fBlist\fR [ \fBstandard-commands\fR | \fBdigest-commands\fR | \fBcipher-commands\fR | \fBcipher-algorithms\fR | \fBdigest-algorithms\fR | \fBpublic-key-algorithms\fR] .PP \&\fBopenssl\fR \fBno\-\fR\fI\s-1XXX\s0\fR [ \fIarbitrary options\fR ] .SH "DESCRIPTION" @@ -153,13 +153,13 @@ v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) network protocols and relate cryptography standards required by them. .PP The \fBopenssl\fR program is a command line tool for using the various -cryptography functions of OpenSSL's \fBcrypto\fR library from the shell. +cryptography functions of OpenSSL's \fBcrypto\fR library from the shell. It can be used for .PP .Vb 8 \& o Creation and management of private keys, public keys and parameters \& o Public key cryptographic operations -\& o Creation of X.509 certificates, CSRs and CRLs +\& o Creation of X.509 certificates, CSRs and CRLs \& o Calculation of Message Digests \& o Encryption and Decryption with Ciphers \& o SSL/TLS Client and Server Tests @@ -172,22 +172,31 @@ The \fBopenssl\fR program provides a rich variety of commands (\fIcommand\fR in \&\s-1SYNOPSIS\s0 above), each of which often has a wealth of options and arguments (\fIcommand_opts\fR and \fIcommand_args\fR in the \s-1SYNOPSIS\s0). .PP -The pseudo-commands \fBlist-standard-commands\fR, \fBlist-message-digest-commands\fR, -and \fBlist-cipher-commands\fR output a list (one entry per line) of the names +Many commands use an external configuration file for some or all of their +arguments and have a \fB\-config\fR option to specify that file. +The environment variable \fB\s-1OPENSSL_CONF\s0\fR can be used to specify +the location of the file. +If the environment variable is not specified, then the file is named +\&\fBopenssl.cnf\fR in the default certificate storage area, whose value +depends on the configuration flags specified when the OpenSSL +was built. +.PP +The list parameters \fBstandard-commands\fR, \fBdigest-commands\fR, +and \fBcipher-commands\fR output a list (one entry per line) of the names of all standard commands, message digest commands, or cipher commands, respectively, that are available in the present \fBopenssl\fR utility. .PP -The pseudo-commands \fBlist-cipher-algorithms\fR and -\&\fBlist-message-digest-algorithms\fR list all cipher and message digest names, one entry per line. Aliases are listed as: +The list parameters \fBcipher-algorithms\fR and +\&\fBdigest-algorithms\fR list all cipher and message digest names, one entry per line. Aliases are listed as: .PP .Vb 1 \& from => to .Ve .PP -The pseudo-command \fBlist-public-key-algorithms\fR lists all supported public +The list parameter \fBpublic-key-algorithms\fR lists all supported public key algorithms. .PP -The pseudo-command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the +The command \fBno\-\fR\fI\s-1XXX\s0\fR tests whether a command of the specified name is available. If no command named \fI\s-1XXX\s0\fR exists, it returns 0 (success) and prints \fBno\-\fR\fI\s-1XXX\s0\fR; otherwise it returns 1 and prints \fI\s-1XXX\s0\fR. In both cases, the output goes to \fBstdout\fR and @@ -196,118 +205,127 @@ are always ignored. Since for each cipher there is a command of the same name, this provides an easy way for shell scripts to test for the availability of ciphers in the \fBopenssl\fR program. (\fBno\-\fR\fI\s-1XXX\s0\fR is not able to detect pseudo-commands such as \fBquit\fR, -\&\fBlist\-\fR\fI...\fR\fB\-commands\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.) -.SS "\s-1STANDARD COMMANDS\s0" -.IX Subsection "STANDARD COMMANDS" -.IP "\fBasn1parse\fR" 10 +\&\fBlist\fR, or \fBno\-\fR\fI\s-1XXX\s0\fR itself.) +.SS "Standard Commands" +.IX Subsection "Standard Commands" +.IP "\fBasn1parse\fR" 4 .IX Item "asn1parse" Parse an \s-1ASN.1\s0 sequence. -.IP "\fBca\fR" 10 +.IP "\fBca\fR" 4 .IX Item "ca" Certificate Authority (\s-1CA\s0) Management. -.IP "\fBciphers\fR" 10 +.IP "\fBciphers\fR" 4 .IX Item "ciphers" Cipher Suite Description Determination. -.IP "\fBcms\fR" 10 +.IP "\fBcms\fR" 4 .IX Item "cms" -\&\s-1CMS\s0 (Cryptographic Message Syntax) utility -.IP "\fBcrl\fR" 10 +\&\s-1CMS\s0 (Cryptographic Message Syntax) utility. +.IP "\fBcrl\fR" 4 .IX Item "crl" Certificate Revocation List (\s-1CRL\s0) Management. -.IP "\fBcrl2pkcs7\fR" 10 +.IP "\fBcrl2pkcs7\fR" 4 .IX Item "crl2pkcs7" \&\s-1CRL\s0 to PKCS#7 Conversion. -.IP "\fBdgst\fR" 10 +.IP "\fBdgst\fR" 4 .IX Item "dgst" Message Digest Calculation. -.IP "\fBdh\fR" 10 +.IP "\fBdh\fR" 4 .IX Item "dh" Diffie-Hellman Parameter Management. -Obsoleted by \fBdhparam\fR. -.IP "\fBdhparam\fR" 10 +Obsoleted by \fIdhparam\fR\|(1). +.IP "\fBdhparam\fR" 4 .IX Item "dhparam" -Generation and Management of Diffie-Hellman Parameters. Superseded by -\&\fBgenpkey\fR and \fBpkeyparam\fR -.IP "\fBdsa\fR" 10 +Generation and Management of Diffie-Hellman Parameters. Superseded by +\&\fIgenpkey\fR\|(1) and \fIpkeyparam\fR\|(1). +.IP "\fBdsa\fR" 4 .IX Item "dsa" \&\s-1DSA\s0 Data Management. -.IP "\fBdsaparam\fR" 10 +.IP "\fBdsaparam\fR" 4 .IX Item "dsaparam" -\&\s-1DSA\s0 Parameter Generation and Management. Superseded by -\&\fBgenpkey\fR and \fBpkeyparam\fR -.IP "\fBec\fR" 10 +\&\s-1DSA\s0 Parameter Generation and Management. Superseded by +\&\fIgenpkey\fR\|(1) and \fIpkeyparam\fR\|(1). +.IP "\fBec\fR" 4 .IX Item "ec" -\&\s-1EC\s0 (Elliptic curve) key processing -.IP "\fBecparam\fR" 10 +\&\s-1EC\s0 (Elliptic curve) key processing. +.IP "\fBecparam\fR" 4 .IX Item "ecparam" -\&\s-1EC\s0 parameter manipulation and generation -.IP "\fBenc\fR" 10 +\&\s-1EC\s0 parameter manipulation and generation. +.IP "\fBenc\fR" 4 .IX Item "enc" Encoding with Ciphers. -.IP "\fBengine\fR" 10 +.IP "\fBengine\fR" 4 .IX Item "engine" -Engine (loadble module) information and manipulation. -.IP "\fBerrstr\fR" 10 +Engine (loadable module) information and manipulation. +.IP "\fBerrstr\fR" 4 .IX Item "errstr" Error Number to Error String Conversion. -.IP "\fBgendh\fR" 10 +.IP "\fBgendh\fR" 4 .IX Item "gendh" Generation of Diffie-Hellman Parameters. -Obsoleted by \fBdhparam\fR. -.IP "\fBgendsa\fR" 10 +Obsoleted by \fIdhparam\fR\|(1). +.IP "\fBgendsa\fR" 4 .IX Item "gendsa" -Generation of \s-1DSA\s0 Private Key from Parameters. Superseded by -\&\fBgenpkey\fR and \fBpkey\fR -.IP "\fBgenpkey\fR" 10 +Generation of \s-1DSA\s0 Private Key from Parameters. Superseded by +\&\fIgenpkey\fR\|(1) and \fIpkey\fR\|(1). +.IP "\fBgenpkey\fR" 4 .IX Item "genpkey" Generation of Private Key or Parameters. -.IP "\fBgenrsa\fR" 10 +.IP "\fBgenrsa\fR" 4 .IX Item "genrsa" -Generation of \s-1RSA\s0 Private Key. Superceded by \fBgenpkey\fR. -.IP "\fBnseq\fR" 10 +Generation of \s-1RSA\s0 Private Key. Superseded by \fIgenpkey\fR\|(1). +.IP "\fBnseq\fR" 4 .IX Item "nseq" -Create or examine a netscape certificate sequence -.IP "\fBocsp\fR" 10 +Create or examine a Netscape certificate sequence. +.IP "\fBocsp\fR" 4 .IX Item "ocsp" Online Certificate Status Protocol utility. -.IP "\fBpasswd\fR" 10 +.IP "\fBpasswd\fR" 4 .IX Item "passwd" Generation of hashed passwords. -.IP "\fBpkcs12\fR" 10 +.IP "\fBpkcs12\fR" 4 .IX Item "pkcs12" PKCS#12 Data Management. -.IP "\fBpkcs7\fR" 10 +.IP "\fBpkcs7\fR" 4 .IX Item "pkcs7" PKCS#7 Data Management. -.IP "\fBpkey\fR" 10 +.IP "\fBpkcs8\fR" 4 +.IX Item "pkcs8" +PKCS#8 format private key conversion tool. +.IP "\fBpkey\fR" 4 .IX Item "pkey" Public and private key management. -.IP "\fBpkeyparam\fR" 10 +.IP "\fBpkeyparam\fR" 4 .IX Item "pkeyparam" Public key algorithm parameter management. -.IP "\fBpkeyutl\fR" 10 +.IP "\fBpkeyutl\fR" 4 .IX Item "pkeyutl" Public key algorithm cryptographic operation utility. -.IP "\fBrand\fR" 10 +.IP "\fBprime\fR" 4 +.IX Item "prime" +Compute prime numbers. +.IP "\fBrand\fR" 4 .IX Item "rand" Generate pseudo-random bytes. -.IP "\fBreq\fR" 10 +.IP "\fBrehash\fR" 4 +.IX Item "rehash" +Create symbolic links to certificate and \s-1CRL\s0 files named by the hash values. +.IP "\fBreq\fR" 4 .IX Item "req" PKCS#10 X.509 Certificate Signing Request (\s-1CSR\s0) Management. -.IP "\fBrsa\fR" 10 +.IP "\fBrsa\fR" 4 .IX Item "rsa" \&\s-1RSA\s0 key management. -.IP "\fBrsautl\fR" 10 +.IP "\fBrsautl\fR" 4 .IX Item "rsautl" \&\s-1RSA\s0 utility for signing, verification, encryption, and decryption. Superseded -by \fBpkeyutl\fR -.IP "\fBs_client\fR" 10 +by \fIpkeyutl\fR\|(1). +.IP "\fBs_client\fR" 4 .IX Item "s_client" This implements a generic \s-1SSL/TLS\s0 client which can establish a transparent connection to a remote server speaking \s-1SSL/TLS.\s0 It's intended for testing purposes only and provides only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL \fBssl\fR library. -.IP "\fBs_server\fR" 10 +.IP "\fBs_server\fR" 4 .IX Item "s_server" This implements a generic \s-1SSL/TLS\s0 server which accepts connections from remote clients speaking \s-1SSL/TLS.\s0 It's intended for testing purposes only and provides @@ -315,99 +333,141 @@ only rudimentary interface functionality but internally uses mostly all functionality of the OpenSSL \fBssl\fR library. It provides both an own command line oriented protocol for testing \s-1SSL\s0 functions and a simple \s-1HTTP\s0 response facility to emulate an SSL/TLS\-aware webserver. -.IP "\fBs_time\fR" 10 +.IP "\fBs_time\fR" 4 .IX Item "s_time" \&\s-1SSL\s0 Connection Timer. -.IP "\fBsess_id\fR" 10 +.IP "\fBsess_id\fR" 4 .IX Item "sess_id" \&\s-1SSL\s0 Session Data Management. -.IP "\fBsmime\fR" 10 +.IP "\fBsmime\fR" 4 .IX Item "smime" S/MIME mail processing. -.IP "\fBspeed\fR" 10 +.IP "\fBspeed\fR" 4 .IX Item "speed" Algorithm Speed Measurement. -.IP "\fBspkac\fR" 10 +.IP "\fBspkac\fR" 4 .IX Item "spkac" -\&\s-1SPKAC\s0 printing and generating utility -.IP "\fBts\fR" 10 +\&\s-1SPKAC\s0 printing and generating utility. +.IP "\fBsrp\fR" 4 +.IX Item "srp" +Maintain \s-1SRP\s0 password file. +.IP "\fBstoreutl\fR" 4 +.IX Item "storeutl" +Utility to list and display certificates, keys, CRLs, etc. +.IP "\fBts\fR" 4 .IX Item "ts" -Time Stamping Authority tool (client/server) -.IP "\fBverify\fR" 10 +Time Stamping Authority tool (client/server). +.IP "\fBverify\fR" 4 .IX Item "verify" X.509 Certificate Verification. -.IP "\fBversion\fR" 10 +.IP "\fBversion\fR" 4 .IX Item "version" OpenSSL Version Information. -.IP "\fBx509\fR" 10 +.IP "\fBx509\fR" 4 .IX Item "x509" X.509 Certificate Data Management. -.SS "\s-1MESSAGE DIGEST COMMANDS\s0" -.IX Subsection "MESSAGE DIGEST COMMANDS" -.IP "\fBmd2\fR" 10 +.SS "Message Digest Commands" +.IX Subsection "Message Digest Commands" +.IP "\fBblake2b512\fR" 4 +.IX Item "blake2b512" +BLAKE2b\-512 Digest +.IP "\fBblake2s256\fR" 4 +.IX Item "blake2s256" +BLAKE2s\-256 Digest +.IP "\fBmd2\fR" 4 .IX Item "md2" \&\s-1MD2\s0 Digest -.IP "\fBmd5\fR" 10 +.IP "\fBmd4\fR" 4 +.IX Item "md4" +\&\s-1MD4\s0 Digest +.IP "\fBmd5\fR" 4 .IX Item "md5" \&\s-1MD5\s0 Digest -.IP "\fBmdc2\fR" 10 +.IP "\fBmdc2\fR" 4 .IX Item "mdc2" \&\s-1MDC2\s0 Digest -.IP "\fBrmd160\fR" 10 +.IP "\fBrmd160\fR" 4 .IX Item "rmd160" \&\s-1RMD\-160\s0 Digest -.IP "\fBsha\fR" 10 -.IX Item "sha" -\&\s-1SHA\s0 Digest -.IP "\fBsha1\fR" 10 +.IP "\fBsha1\fR" 4 .IX Item "sha1" \&\s-1SHA\-1\s0 Digest -.IP "\fBsha224\fR" 10 +.IP "\fBsha224\fR" 4 .IX Item "sha224" -\&\s-1SHA\-224\s0 Digest -.IP "\fBsha256\fR" 10 +\&\s-1SHA\-2 224\s0 Digest +.IP "\fBsha256\fR" 4 .IX Item "sha256" -\&\s-1SHA\-256\s0 Digest -.IP "\fBsha384\fR" 10 +\&\s-1SHA\-2 256\s0 Digest +.IP "\fBsha384\fR" 4 .IX Item "sha384" -\&\s-1SHA\-384\s0 Digest -.IP "\fBsha512\fR" 10 +\&\s-1SHA\-2 384\s0 Digest +.IP "\fBsha512\fR" 4 .IX Item "sha512" -\&\s-1SHA\-512\s0 Digest -.SS "\s-1ENCODING AND CIPHER COMMANDS\s0" -.IX Subsection "ENCODING AND CIPHER COMMANDS" -.IP "\fBbase64\fR" 10 +\&\s-1SHA\-2 512\s0 Digest +.IP "\fBsha3\-224\fR" 4 +.IX Item "sha3-224" +\&\s-1SHA\-3 224\s0 Digest +.IP "\fBsha3\-256\fR" 4 +.IX Item "sha3-256" +\&\s-1SHA\-3 256\s0 Digest +.IP "\fBsha3\-384\fR" 4 +.IX Item "sha3-384" +\&\s-1SHA\-3 384\s0 Digest +.IP "\fBsha3\-512\fR" 4 +.IX Item "sha3-512" +\&\s-1SHA\-3 512\s0 Digest +.IP "\fBshake128\fR" 4 +.IX Item "shake128" +\&\s-1SHA\-3 SHAKE128\s0 Digest +.IP "\fBshake256\fR" 4 +.IX Item "shake256" +\&\s-1SHA\-3 SHAKE256\s0 Digest +.IP "\fBsm3\fR" 4 +.IX Item "sm3" +\&\s-1SM3\s0 Digest +.SS "Encoding and Cipher Commands" +.IX Subsection "Encoding and Cipher Commands" +.IP "\fBbase64\fR" 4 .IX Item "base64" Base64 Encoding -.IP "\fBbf bf-cbc bf-cfb bf-ecb bf-ofb\fR" 10 -.IX Item "bf bf-cbc bf-cfb bf-ecb bf-ofb" +.IP "\fBbf\fR, \fBbf-cbc\fR, \fBbf-cfb\fR, \fBbf-ecb\fR, \fBbf-ofb\fR" 4 +.IX Item "bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb" Blowfish Cipher -.IP "\fBcast cast-cbc\fR" 10 -.IX Item "cast cast-cbc" +.IP "\fBcast\fR, \fBcast-cbc\fR" 4 +.IX Item "cast, cast-cbc" \&\s-1CAST\s0 Cipher -.IP "\fBcast5\-cbc cast5\-cfb cast5\-ecb cast5\-ofb\fR" 10 -.IX Item "cast5-cbc cast5-cfb cast5-ecb cast5-ofb" +.IP "\fBcast5\-cbc\fR, \fBcast5\-cfb\fR, \fBcast5\-ecb\fR, \fBcast5\-ofb\fR" 4 +.IX Item "cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb" \&\s-1CAST5\s0 Cipher -.IP "\fBdes des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb\fR" 10 -.IX Item "des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ofb" +.IP "\fBdes\fR, \fBdes-cbc\fR, \fBdes-cfb\fR, \fBdes-ecb\fR, \fBdes-ede\fR, \fBdes-ede-cbc\fR, \fBdes-ede-cfb\fR, \fBdes-ede-ofb\fR, \fBdes-ofb\fR" 4 +.IX Item "des, des-cbc, des-cfb, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ofb" \&\s-1DES\s0 Cipher -.IP "\fBdes3 desx des\-ede3 des\-ede3\-cbc des\-ede3\-cfb des\-ede3\-ofb\fR" 10 -.IX Item "des3 desx des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb" +.IP "\fBdes3\fR, \fBdesx\fR, \fBdes\-ede3\fR, \fBdes\-ede3\-cbc\fR, \fBdes\-ede3\-cfb\fR, \fBdes\-ede3\-ofb\fR" 4 +.IX Item "des3, desx, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb" Triple-DES Cipher -.IP "\fBidea idea-cbc idea-cfb idea-ecb idea-ofb\fR" 10 -.IX Item "idea idea-cbc idea-cfb idea-ecb idea-ofb" +.IP "\fBidea\fR, \fBidea-cbc\fR, \fBidea-cfb\fR, \fBidea-ecb\fR, \fBidea-ofb\fR" 4 +.IX Item "idea, idea-cbc, idea-cfb, idea-ecb, idea-ofb" \&\s-1IDEA\s0 Cipher -.IP "\fBrc2 rc2\-cbc rc2\-cfb rc2\-ecb rc2\-ofb\fR" 10 -.IX Item "rc2 rc2-cbc rc2-cfb rc2-ecb rc2-ofb" +.IP "\fBrc2\fR, \fBrc2\-cbc\fR, \fBrc2\-cfb\fR, \fBrc2\-ecb\fR, \fBrc2\-ofb\fR" 4 +.IX Item "rc2, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb" \&\s-1RC2\s0 Cipher -.IP "\fBrc4\fR" 10 +.IP "\fBrc4\fR" 4 .IX Item "rc4" \&\s-1RC4\s0 Cipher -.IP "\fBrc5 rc5\-cbc rc5\-cfb rc5\-ecb rc5\-ofb\fR" 10 -.IX Item "rc5 rc5-cbc rc5-cfb rc5-ecb rc5-ofb" +.IP "\fBrc5\fR, \fBrc5\-cbc\fR, \fBrc5\-cfb\fR, \fBrc5\-ecb\fR, \fBrc5\-ofb\fR" 4 +.IX Item "rc5, rc5-cbc, rc5-cfb, rc5-ecb, rc5-ofb" \&\s-1RC5\s0 Cipher -.SH "PASS PHRASE ARGUMENTS" -.IX Header "PASS PHRASE ARGUMENTS" +.SH "OPTIONS" +.IX Header "OPTIONS" +Details of which options are available depend on the specific command. +This section describes some common options with common behavior. +.SS "Common Options" +.IX Subsection "Common Options" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Provides a terse summary of all options. +.SS "Pass Phrase Options" +.IX Subsection "Pass Phrase Options" Several commands accept password arguments, typically using \fB\-passin\fR and \fB\-passout\fR for input and output passwords respectively. These allow the password to be obtained from a variety of sources. Both of these @@ -415,50 +475,61 @@ options take a single argument whose format is described below. If no password argument is given and a password is required then the user is prompted to enter one: this will typically be read from the current terminal with echoing turned off. -.IP "\fBpass:password\fR" 10 +.PP +Note that character encoding may be relevant, please see +\&\fIpassphrase\-encoding\fR\|(7). +.IP "\fBpass:password\fR" 4 .IX Item "pass:password" -the actual password is \fBpassword\fR. Since the password is visible +The actual password is \fBpassword\fR. Since the password is visible to utilities (like 'ps' under Unix) this form should only be used where security is not important. -.IP "\fBenv:var\fR" 10 +.IP "\fBenv:var\fR" 4 .IX Item "env:var" -obtain the password from the environment variable \fBvar\fR. Since +Obtain the password from the environment variable \fBvar\fR. Since the environment of other processes is visible on certain platforms (e.g. ps under certain Unix OSes) this option should be used with caution. -.IP "\fBfile:pathname\fR" 10 +.IP "\fBfile:pathname\fR" 4 .IX Item "file:pathname" -the first line of \fBpathname\fR is the password. If the same \fBpathname\fR +The first line of \fBpathname\fR is the password. If the same \fBpathname\fR argument is supplied to \fB\-passin\fR and \fB\-passout\fR arguments then the first line will be used for the input password and the next line for the output password. \fBpathname\fR need not refer to a regular file: it could for example refer to a device or named pipe. -.IP "\fBfd:number\fR" 10 +.IP "\fBfd:number\fR" 4 .IX Item "fd:number" -read the password from the file descriptor \fBnumber\fR. This can be used to +Read the password from the file descriptor \fBnumber\fR. This can be used to send the data via a pipe for example. -.IP "\fBstdin\fR" 10 +.IP "\fBstdin\fR" 4 .IX Item "stdin" -read the password from standard input. +Read the password from standard input. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIasn1parse\fR\|(1), \fIca\fR\|(1), \fIconfig\fR\|(5), +\&\fIasn1parse\fR\|(1), \fIca\fR\|(1), \fIciphers\fR\|(1), \fIcms\fR\|(1), \fIconfig\fR\|(5), \&\fIcrl\fR\|(1), \fIcrl2pkcs7\fR\|(1), \fIdgst\fR\|(1), \&\fIdhparam\fR\|(1), \fIdsa\fR\|(1), \fIdsaparam\fR\|(1), -\&\fIenc\fR\|(1), \fIgendsa\fR\|(1), \fIgenpkey\fR\|(1), -\&\fIgenrsa\fR\|(1), \fInseq\fR\|(1), \fIopenssl\fR\|(1), +\&\fIec\fR\|(1), \fIecparam\fR\|(1), +\&\fIenc\fR\|(1), \fIengine\fR\|(1), \fIerrstr\fR\|(1), \fIgendsa\fR\|(1), \fIgenpkey\fR\|(1), +\&\fIgenrsa\fR\|(1), \fInseq\fR\|(1), \fIocsp\fR\|(1), \&\fIpasswd\fR\|(1), \&\fIpkcs12\fR\|(1), \fIpkcs7\fR\|(1), \fIpkcs8\fR\|(1), -\&\fIrand\fR\|(1), \fIreq\fR\|(1), \fIrsa\fR\|(1), +\&\fIpkey\fR\|(1), \fIpkeyparam\fR\|(1), \fIpkeyutl\fR\|(1), \fIprime\fR\|(1), +\&\fIrand\fR\|(1), \fIrehash\fR\|(1), \fIreq\fR\|(1), \fIrsa\fR\|(1), \&\fIrsautl\fR\|(1), \fIs_client\fR\|(1), -\&\fIs_server\fR\|(1), \fIs_time\fR\|(1), -\&\fIsmime\fR\|(1), \fIspkac\fR\|(1), +\&\fIs_server\fR\|(1), \fIs_time\fR\|(1), \fIsess_id\fR\|(1), +\&\fIsmime\fR\|(1), \fIspeed\fR\|(1), \fIspkac\fR\|(1), \fIsrp\fR\|(1), \fIstoreutl\fR\|(1), +\&\fIts\fR\|(1), \&\fIverify\fR\|(1), \fIversion\fR\|(1), \fIx509\fR\|(1), -\&\fIcrypto\fR\|(3), \fIssl\fR\|(3), \fIx509v3_config\fR\|(5) +\&\fIcrypto\fR\|(7), \fIssl\fR\|(7), \fIx509v3_config\fR\|(5) .SH "HISTORY" .IX Header "HISTORY" -The \fIopenssl\fR\|(1) document appeared in OpenSSL 0.9.2. -The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-commands\fR pseudo-commands were added in OpenSSL 0.9.3; The \fBlist\-\fR\fI\s-1XXX\s0\fR\fB\-algorithms\fR pseudo-commands were added in OpenSSL 1.0.0; -the \fBno\-\fR\fI\s-1XXX\s0\fR pseudo-commands were added in OpenSSL 0.9.5a. For notes on the availability of other commands, see their individual manual pages. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/passwd.1 b/secure/usr.bin/openssl/man/passwd.1 index c0419b1af5be..a01d9e4d28e8 100644 --- a/secure/usr.bin/openssl/man/passwd.1 +++ b/secure/usr.bin/openssl/man/passwd.1 @@ -129,26 +129,31 @@ .\" ======================================================================== .\" .IX Title "PASSWD 1" -.TH PASSWD 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH PASSWD 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-passwd, -passwd \- compute password hashes +openssl\-passwd, passwd \- compute password hashes .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl passwd\fR +[\fB\-help\fR] [\fB\-crypt\fR] [\fB\-1\fR] [\fB\-apr1\fR] +[\fB\-aixmd5\fR] +[\fB\-5\fR] +[\fB\-6\fR] [\fB\-salt\fR \fIstring\fR] [\fB\-in\fR \fIfile\fR] [\fB\-stdin\fR] [\fB\-noverify\fR] [\fB\-quiet\fR] [\fB\-table\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] {\fIpassword\fR} .SH "DESCRIPTION" .IX Header "DESCRIPTION" @@ -157,9 +162,12 @@ run-time or the hash of each password in a list. The password list is taken from the named file for option \fB\-in file\fR, from stdin for option \fB\-stdin\fR, or from the command line, or from the terminal otherwise. The Unix standard algorithm \fBcrypt\fR and the MD5\-based \s-1BSD\s0 password -algorithm \fB1\fR and its Apache variant \fBapr1\fR are available. +algorithm \fB1\fR, its Apache variant \fBapr1\fR, and its \s-1AIX\s0 variant are available. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-crypt\fR" 4 .IX Item "-crypt" Use the \fBcrypt\fR algorithm (default). @@ -169,6 +177,17 @@ Use the \s-1MD5\s0 based \s-1BSD\s0 password algorithm \fB1\fR. .IP "\fB\-apr1\fR" 4 .IX Item "-apr1" Use the \fBapr1\fR algorithm (Apache variant of the \s-1BSD\s0 algorithm). +.IP "\fB\-aixmd5\fR" 4 +.IX Item "-aixmd5" +Use the \fB\s-1AIX MD5\s0\fR algorithm (\s-1AIX\s0 variant of the \s-1BSD\s0 algorithm). +.IP "\fB\-5\fR" 4 +.IX Item "-5" +.PD 0 +.IP "\fB\-6\fR" 4 +.IX Item "-6" +.PD +Use the \fB\s-1SHA256\s0\fR / \fB\s-1SHA512\s0\fR based algorithms defined by Ulrich Drepper. +See . .IP "\fB\-salt\fR \fIstring\fR" 4 .IX Item "-salt string" Use the specified salt. @@ -189,10 +208,37 @@ Don't output warnings when passwords given at the command line are truncated. .IX Item "-table" In the output list, prepend the cleartext password and a \s-1TAB\s0 character to each password hash. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .SH "EXAMPLES" .IX Header "EXAMPLES" -\&\fBopenssl passwd \-crypt \-salt xx password\fR prints \fBxxj31ZMTZzkVA\fR. +.Vb 2 +\& % openssl passwd \-crypt \-salt xx password +\& xxj31ZMTZzkVA +\& +\& % openssl passwd \-1 \-salt xxxxxxxx password +\& $1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a. +\& +\& % openssl passwd \-apr1 \-salt xxxxxxxx password +\& $apr1$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0 +\& +\& % openssl passwd \-aixmd5 \-salt xxxxxxxx password +\& xxxxxxxx$8Oaipk/GPKhC64w/YVeFD/ +.Ve +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP -\&\fBopenssl passwd \-1 \-salt xxxxxxxx password\fR prints \fB\f(CB$1\fB$xxxxxxxx$UYCIxa628.9qXjpQCjM4a.\fR. -.PP -\&\fBopenssl passwd \-apr1 \-salt xxxxxxxx password\fR prints \fB\f(CB$apr1\fB$xxxxxxxx$dxHfLAsjHkDRmG83UXe8K0\fR. +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/pkcs12.1 b/secure/usr.bin/openssl/man/pkcs12.1 index d6b6851df98a..34d4f5559866 100644 --- a/secure/usr.bin/openssl/man/pkcs12.1 +++ b/secure/usr.bin/openssl/man/pkcs12.1 @@ -129,20 +129,20 @@ .\" ======================================================================== .\" .IX Title "PKCS12 1" -.TH PKCS12 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH PKCS12 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-pkcs12, -pkcs12 \- PKCS#12 file utility +openssl\-pkcs12, pkcs12 \- PKCS#12 file utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBpkcs12\fR +[\fB\-help\fR] [\fB\-export\fR] [\fB\-chain\fR] -[\fB\-inkey filename\fR] +[\fB\-inkey file_or_id\fR] [\fB\-certfile filename\fR] [\fB\-name name\fR] [\fB\-caname name\fR] @@ -155,7 +155,7 @@ pkcs12 \- PKCS#12 file utility [\fB\-cacerts\fR] [\fB\-nokeys\fR] [\fB\-info\fR] -[\fB\-des | \-des3 | \-idea | \-aes128 | \-aes192 | \-aes256 | \-camellia128 | \-camellia192 | \-camellia256 | \-nodes\fR] +[\fB\-des | \-des3 | \-idea | \-aes128 | \-aes192 | \-aes256 | \-aria128 | \-aria192 | \-aria256 | \-camellia128 | \-camellia192 | \-camellia256 | \-nodes\fR] [\fB\-noiter\fR] [\fB\-maciter | \-nomaciter | \-nomac\fR] [\fB\-twopass\fR] @@ -168,22 +168,28 @@ pkcs12 \- PKCS#12 file utility [\fB\-password arg\fR] [\fB\-passin arg\fR] [\fB\-passout arg\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-CAfile file\fR] [\fB\-CApath dir\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] [\fB\-CSP name\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBpkcs12\fR command allows PKCS#12 files (sometimes referred to as \&\s-1PFX\s0 files) to be created and parsed. PKCS#12 files are used by several programs including Netscape, \s-1MSIE\s0 and \s-1MS\s0 Outlook. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" There are a lot of options the meaning of some depends of whether a PKCS#12 file is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 file can be created by using the \fB\-export\fR option (see below). .SH "PARSING OPTIONS" .IX Header "PARSING OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies filename of the PKCS#12 file to be parsed. Standard input is used @@ -194,12 +200,12 @@ The filename to write certificates and private keys to, standard output by default. They are all written in \s-1PEM\s0 format. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the PKCS#12 file (i.e. input file) password source. For more information about +The PKCS#12 file (i.e. input file) password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \&\fIopenssl\fR\|(1). .IP "\fB\-passout arg\fR" 4 .IX Item "-passout arg" -pass phrase source to encrypt any outputted private keys with. For more +Pass phrase source to encrypt any outputted private keys with. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-password arg\fR" 4 @@ -208,48 +214,51 @@ With \-export, \-password is equivalent to \-passout. Otherwise, \-password is equivalent to \-passin. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option inhibits output of the keys and certificates to the output file +This option inhibits output of the keys and certificates to the output file version of the PKCS#12 file. .IP "\fB\-clcerts\fR" 4 .IX Item "-clcerts" -only output client certificates (not \s-1CA\s0 certificates). +Only output client certificates (not \s-1CA\s0 certificates). .IP "\fB\-cacerts\fR" 4 .IX Item "-cacerts" -only output \s-1CA\s0 certificates (not client certificates). +Only output \s-1CA\s0 certificates (not client certificates). .IP "\fB\-nocerts\fR" 4 .IX Item "-nocerts" -no certificates at all will be output. +No certificates at all will be output. .IP "\fB\-nokeys\fR" 4 .IX Item "-nokeys" -no private keys will be output. +No private keys will be output. .IP "\fB\-info\fR" 4 .IX Item "-info" -output additional information about the PKCS#12 file structure, algorithms used and -iteration counts. +Output additional information about the PKCS#12 file structure, algorithms +used and iteration counts. .IP "\fB\-des\fR" 4 .IX Item "-des" -use \s-1DES\s0 to encrypt private keys before outputting. +Use \s-1DES\s0 to encrypt private keys before outputting. .IP "\fB\-des3\fR" 4 .IX Item "-des3" -use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default. +Use triple \s-1DES\s0 to encrypt private keys before outputting, this is the default. .IP "\fB\-idea\fR" 4 .IX Item "-idea" -use \s-1IDEA\s0 to encrypt private keys before outputting. +Use \s-1IDEA\s0 to encrypt private keys before outputting. .IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR" 4 .IX Item "-aes128, -aes192, -aes256" -use \s-1AES\s0 to encrypt private keys before outputting. +Use \s-1AES\s0 to encrypt private keys before outputting. +.IP "\fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR" 4 +.IX Item "-aria128, -aria192, -aria256" +Use \s-1ARIA\s0 to encrypt private keys before outputting. .IP "\fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR" 4 .IX Item "-camellia128, -camellia192, -camellia256" -use Camellia to encrypt private keys before outputting. +Use Camellia to encrypt private keys before outputting. .IP "\fB\-nodes\fR" 4 .IX Item "-nodes" -don't encrypt the private keys at all. +Don't encrypt the private keys at all. .IP "\fB\-nomacver\fR" 4 .IX Item "-nomacver" -don't attempt to verify the integrity \s-1MAC\s0 before reading the file. +Don't attempt to verify the integrity \s-1MAC\s0 before reading the file. .IP "\fB\-twopass\fR" 4 .IX Item "-twopass" -prompt for separate integrity and encryption passwords: most software +Prompt for separate integrity and encryption passwords: most software always assumes these are the same so this option will render such PKCS#12 files unreadable. .SH "FILE CREATION OPTIONS" @@ -268,10 +277,12 @@ The filename to read certificates and private keys from, standard input by default. They must all be in \s-1PEM\s0 format. The order doesn't matter but one private key and its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 file. -.IP "\fB\-inkey filename\fR" 4 -.IX Item "-inkey filename" -file to read private key from. If not present then a private key must be present +.IP "\fB\-inkey file_or_id\fR" 4 +.IX Item "-inkey file_or_id" +File to read private key from. If not present then a private key must be present in the input file. +If no engine is used, the argument is taken as a file; if an engine is +specified, the argument is given to the engine as a key identifier. .IP "\fB\-name friendlyname\fR" 4 .IX Item "-name friendlyname" This specifies the \*(L"friendly name\*(R" for the certificate and private key. This @@ -287,27 +298,27 @@ appear. Netscape ignores friendly names on other certificates whereas \s-1MSIE\s displays them. .IP "\fB\-pass arg\fR, \fB\-passout arg\fR" 4 .IX Item "-pass arg, -passout arg" -the PKCS#12 file (i.e. output file) password source. For more information about +The PKCS#12 file (i.e. output file) password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \&\fIopenssl\fR\|(1). .IP "\fB\-passin password\fR" 4 .IX Item "-passin password" -pass phrase source to decrypt any input private keys with. For more information +Pass phrase source to decrypt any input private keys with. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \&\fIopenssl\fR\|(1). .IP "\fB\-chain\fR" 4 .IX Item "-chain" -if this option is present then an attempt is made to include the entire +If this option is present then an attempt is made to include the entire certificate chain of the user certificate. The standard \s-1CA\s0 store is used for this search. If the search fails it is considered a fatal error. .IP "\fB\-descert\fR" 4 .IX Item "-descert" -encrypt the certificate using triple \s-1DES,\s0 this may render the PKCS#12 +Encrypt the certificate using triple \s-1DES,\s0 this may render the PKCS#12 file unreadable by some \*(L"export grade\*(R" software. By default the private key is encrypted using triple \s-1DES\s0 and the certificate using 40 bit \s-1RC2.\s0 .IP "\fB\-keypbe alg\fR, \fB\-certpbe alg\fR" 4 .IX Item "-keypbe alg, -certpbe alg" -these options allow the algorithm used to encrypt the private key and +These options allow the algorithm used to encrypt the private key and certificates to be selected. Any PKCS#5 v1.5 or PKCS#12 \s-1PBE\s0 algorithm name can be used (see \fB\s-1NOTES\s0\fR section for more information). If a cipher name (as output by the \fBlist-cipher-algorithms\fR command is specified then it @@ -315,7 +326,7 @@ is used with PKCS#5 v2.0. For interoperability reasons it is advisable to only use PKCS#12 algorithms. .IP "\fB\-keyex|\-keysig\fR" 4 .IX Item "-keyex|-keysig" -specifies that the private key is to be used for key exchange or just signing. +Specifies that the private key is to be used for key exchange or just signing. This option is only interpreted by \s-1MSIE\s0 and similar \s-1MS\s0 software. Normally \&\*(L"export grade\*(R" software will only allow 512 bit \s-1RSA\s0 keys to be used for encryption purposes but arbitrary length keys for signing. The \fB\-keysig\fR @@ -325,10 +336,10 @@ authentication, however due to a bug only \s-1MSIE 5.0\s0 and later support the use of signing only keys for \s-1SSL\s0 client authentication. .IP "\fB\-macalg digest\fR" 4 .IX Item "-macalg digest" -specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will be used. +Specify the \s-1MAC\s0 digest algorithm. If not included them \s-1SHA1\s0 will be used. .IP "\fB\-nomaciter\fR, \fB\-noiter\fR" 4 .IX Item "-nomaciter, -noiter" -these options affect the iteration counts on the \s-1MAC\s0 and key algorithms. +These options affect the iteration counts on the \s-1MAC\s0 and key algorithms. Unless you wish to produce files compatible with \s-1MSIE 4.0\s0 you should leave these options alone. .Sp @@ -349,14 +360,18 @@ This option is included for compatibility with previous versions, it used to be needed to use \s-1MAC\s0 iterations counts but they are now used by default. .IP "\fB\-nomac\fR" 4 .IX Item "-nomac" -don't attempt to provide the \s-1MAC\s0 integrity. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +Don't attempt to provide the \s-1MAC\s0 integrity. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-CAfile file\fR" 4 .IX Item "-CAfile file" \&\s-1CA\s0 storage as a file. @@ -365,9 +380,15 @@ all others. \&\s-1CA\s0 storage as a directory. This directory must be a standard certificate directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be linked to each certificate. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location. +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location. .IP "\fB\-CSP name\fR" 4 .IX Item "-CSP name" -write \fBname\fR as a Microsoft \s-1CSP\s0 name. +Write \fBname\fR as a Microsoft \s-1CSP\s0 name. .SH "NOTES" .IX Header "NOTES" Although there are a large number of options most of them are very rarely @@ -391,6 +412,16 @@ the defaults are fine but occasionally software can't handle triple \s-1DES\s0 encrypted private keys, then the option \fB\-keypbe \s-1PBE\-SHA1\-RC2\-40\s0\fR can be used to reduce the private key encryption to 40 bit \s-1RC2. A\s0 complete description of all algorithms is contained in the \fBpkcs8\fR manual page. +.PP +Prior 1.1 release passwords containing non-ASCII characters were encoded +in non-compliant manner, which limited interoperability, in first hand +with Windows. But switching to standard-compliant password encoding +poses problem accessing old data protected with broken encoding. For +this reason even legacy encodings is attempted when reading the +data. If you use PKCS#12 files in production application you are advised +to convert the data, because implemented heuristic approach is not +MT-safe, its sole goal is to facilitate the data upgrade with this +utility. .SH "EXAMPLES" .IX Header "EXAMPLES" Parse a PKCS#12 file and output it to a file: @@ -429,31 +460,14 @@ Include some extra certificates: \& openssl pkcs12 \-export \-in file.pem \-out file.p12 \-name "My Certificate" \e \& \-certfile othercerts.pem .Ve -.SH "BUGS" -.IX Header "BUGS" -Some would argue that the PKCS#12 standard is one big bug :\-) -.PP -Versions of OpenSSL before 0.9.6a had a bug in the PKCS#12 key generation -routines. Under rare circumstances this could produce a PKCS#12 file encrypted -with an invalid key. As a result some PKCS#12 files which triggered this bug -from other implementations (\s-1MSIE\s0 or Netscape) could not be decrypted -by OpenSSL and similarly OpenSSL could produce PKCS#12 files which could -not be decrypted by other implementations. The chances of producing such -a file are relatively small: less than 1 in 256. -.PP -A side effect of fixing this bug is that any old invalidly encrypted PKCS#12 -files cannot no longer be parsed by the fixed version. Under such circumstances -the \fBpkcs12\fR utility will report that the \s-1MAC\s0 is \s-1OK\s0 but fail with a decryption -error when extracting private keys. -.PP -This problem can be resolved by extracting the private keys and certificates -from the PKCS#12 file using an older version of OpenSSL and recreating the PKCS#12 -file from the keys and certificates using a newer version of OpenSSL. For example: -.PP -.Vb 2 -\& old\-openssl \-in bad.p12 \-out keycerts.pem -\& openssl \-in keycerts.pem \-export \-name "My PKCS#12 file" \-out fixed.p12 -.Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIpkcs8\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/pkcs7.1 b/secure/usr.bin/openssl/man/pkcs7.1 index 3e0fcee9f20e..0b2be258a231 100644 --- a/secure/usr.bin/openssl/man/pkcs7.1 +++ b/secure/usr.bin/openssl/man/pkcs7.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "PKCS7 1" -.TH PKCS7 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH PKCS7 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-pkcs7, -pkcs7 \- PKCS#7 utility +openssl\-pkcs7, pkcs7 \- PKCS#7 utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBpkcs7\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] [\fB\-outform PEM|DER\fR] [\fB\-in filename\fR] @@ -151,8 +151,11 @@ pkcs7 \- PKCS#7 utility .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBpkcs7\fR command processes PKCS#7 files in \s-1DER\s0 or \s-1PEM\s0 format. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. \fB\s-1DER\s0\fR format is \s-1DER\s0 encoded PKCS#7 @@ -160,31 +163,31 @@ v1.5 structure.\fB\s-1PEM\s0\fR (the default) is a base64 encoded version of the \s-1DER\s0 form with header and footer lines. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read from or standard input if this option is not specified. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -specifies the output filename to write to or standard output by +Specifies the output filename to write to or standard output by default. .IP "\fB\-print_certs\fR" 4 .IX Item "-print_certs" -prints out any certificates or CRLs contained in the file. They are +Prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format. .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out certificates details in full rather than just subject and +Prints out certificates details in full rather than just subject and issuer names. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -don't output the encoded version of the PKCS#7 structure (or certificates +Don't output the encoded version of the PKCS#7 structure (or certificates is \fB\-print_certs\fR is set). .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs7\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs7\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -220,8 +223,16 @@ For compatibility with some CAs it will also accept: .IX Header "RESTRICTIONS" There is no option to print out all the fields of a PKCS#7 file. .PP -This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they +This PKCS#7 routines only understand PKCS#7 v 1.5 as specified in \s-1RFC2315\s0 they cannot currently parse, for example, the new \s-1CMS\s0 as described in \s-1RFC2630.\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIcrl2pkcs7\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/pkcs8.1 b/secure/usr.bin/openssl/man/pkcs8.1 index 9a74c124ce34..da5edfc5b9ca 100644 --- a/secure/usr.bin/openssl/man/pkcs8.1 +++ b/secure/usr.bin/openssl/man/pkcs8.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "PKCS8 1" -.TH PKCS8 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH PKCS8 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-pkcs8, -pkcs8 \- PKCS#8 format private key conversion tool +openssl\-pkcs8, pkcs8 \- PKCS#8 format private key conversion tool .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBpkcs8\fR +[\fB\-help\fR] [\fB\-topk8\fR] [\fB\-inform PEM|DER\fR] [\fB\-outform PEM|DER\fR] @@ -147,38 +147,47 @@ pkcs8 \- PKCS#8 format private key conversion tool [\fB\-passin arg\fR] [\fB\-out filename\fR] [\fB\-passout arg\fR] +[\fB\-iter count\fR] [\fB\-noiter\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-nocrypt\fR] -[\fB\-nooct\fR] -[\fB\-embed\fR] -[\fB\-nsdb\fR] +[\fB\-traditional\fR] [\fB\-v2 alg\fR] [\fB\-v2prf alg\fR] [\fB\-v1 alg\fR] [\fB\-engine id\fR] +[\fB\-scrypt\fR] +[\fB\-scrypt_N N\fR] +[\fB\-scrypt_r r\fR] +[\fB\-scrypt_p p\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBpkcs8\fR command processes private keys in PKCS#8 format. It can handle both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-topk8\fR" 4 .IX Item "-topk8" -Normally a PKCS#8 private key is expected on input and a traditional format -private key will be written. With the \fB\-topk8\fR option the situation is -reversed: it reads a traditional format private key and writes a PKCS#8 -format key. +Normally a PKCS#8 private key is expected on input and a private key will be +written to the output file. With the \fB\-topk8\fR option the situation is +reversed: it reads a private key and writes a PKCS#8 format key. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" -This specifies the input format. If a PKCS#8 format key is expected on input -then either a \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR encoded version of a PKCS#8 key will be -expected. Otherwise the \fB\s-1DER\s0\fR or \fB\s-1PEM\s0\fR format of the traditional format -private key is used. +This specifies the input format: see \*(L"\s-1KEY FORMATS\*(R"\s0 for more details. The default +format is \s-1PEM.\s0 .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format: see \*(L"\s-1KEY FORMATS\*(R"\s0 for more details. The default +format is \s-1PEM.\s0 +.IP "\fB\-traditional\fR" 4 +.IX Item "-traditional" +When this option is present and \fB\-topk8\fR is not a traditional format private +key is written. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read a key from or standard input if this @@ -186,7 +195,7 @@ option is not specified. If the key is encrypted a pass phrase will be prompted for. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR +The input file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" @@ -196,8 +205,13 @@ prompted for. The output filename should \fBnot\fR be the same as the input filename. .IP "\fB\-passout arg\fR" 4 .IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR +The output file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-iter count\fR" 4 +.IX Item "-iter count" +When creating new PKCS#8 containers, use a given number of iterations on +the password in deriving the encryption key for the PKCS#8 output. +High values increase the time required to brute-force a PKCS#8 container. .IP "\fB\-nocrypt\fR" 4 .IX Item "-nocrypt" PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo @@ -206,53 +220,81 @@ this option an unencrypted PrivateKeyInfo structure is expected or output. This option does not encrypt private keys at all and should only be used when absolutely necessary. Certain software such as some versions of Java code signing software used unencrypted private keys. -.IP "\fB\-nooct\fR" 4 -.IX Item "-nooct" -This option generates \s-1RSA\s0 private keys in a broken format that some software -uses. Specifically the private key should be enclosed in a \s-1OCTET STRING\s0 -but some software just includes the structure itself without the -surrounding \s-1OCTET STRING.\s0 -.IP "\fB\-embed\fR" 4 -.IX Item "-embed" -This option generates \s-1DSA\s0 keys in a broken format. The \s-1DSA\s0 parameters are -embedded inside the PrivateKey structure. In this form the \s-1OCTET STRING\s0 -contains an \s-1ASN1 SEQUENCE\s0 consisting of two structures: a \s-1SEQUENCE\s0 containing -the parameters and an \s-1ASN1 INTEGER\s0 containing the private key. -.IP "\fB\-nsdb\fR" 4 -.IX Item "-nsdb" -This option generates \s-1DSA\s0 keys in a broken format compatible with Netscape -private key databases. The PrivateKey contains a \s-1SEQUENCE\s0 consisting of -the public and private keys respectively. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-v2 alg\fR" 4 .IX Item "-v2 alg" -This option enables the use of PKCS#5 v2.0 algorithms. Normally PKCS#8 -private keys are encrypted with the password based encryption algorithm -called \fBpbeWithMD5AndDES\-CBC\fR this uses 56 bit \s-1DES\s0 encryption but it -was the strongest encryption algorithm supported in PKCS#5 v1.5. Using -the \fB\-v2\fR option PKCS#5 v2.0 algorithms are used which can use any -encryption algorithm such as 168 bit triple \s-1DES\s0 or 128 bit \s-1RC2\s0 however -not many implementations support PKCS#5 v2.0 yet. If you are just using -private keys with OpenSSL then this doesn't matter. +This option sets the PKCS#5 v2.0 algorithm. .Sp The \fBalg\fR argument is the encryption algorithm to use, valid values include -\&\fBdes\fR, \fBdes3\fR and \fBrc2\fR. It is recommended that \fBdes3\fR is used. +\&\fBaes128\fR, \fBaes256\fR and \fBdes3\fR. If this option isn't specified then \fBaes256\fR +is used. .IP "\fB\-v2prf alg\fR" 4 .IX Item "-v2prf alg" This option sets the \s-1PRF\s0 algorithm to use with PKCS#5 v2.0. A typical value -values would be \fBhmacWithSHA256\fR. If this option isn't set then the default -for the cipher is used or \fBhmacWithSHA1\fR if there is no default. +value would be \fBhmacWithSHA256\fR. If this option isn't set then the default +for the cipher is used or \fBhmacWithSHA256\fR if there is no default. +.Sp +Some implementations may not support custom \s-1PRF\s0 algorithms and may require +the \fBhmacWithSHA1\fR option to work. .IP "\fB\-v1 alg\fR" 4 .IX Item "-v1 alg" -This option specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use. A complete -list of possible algorithms is included below. +This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some +older implementations may not support PKCS#5 v2.0 and may require this option. +If not specified PKCS#5 v2.0 form is used. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs8\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkcs8\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +.IP "\fB\-scrypt\fR" 4 +.IX Item "-scrypt" +Uses the \fBscrypt\fR algorithm for private key encryption using default +parameters: currently N=16384, r=8 and p=1 and \s-1AES\s0 in \s-1CBC\s0 mode with a 256 bit +key. These parameters can be modified using the \fB\-scrypt_N\fR, \fB\-scrypt_r\fR, +\&\fB\-scrypt_p\fR and \fB\-v2\fR options. +.IP "\fB\-scrypt_N N\fR \fB\-scrypt_r r\fR \fB\-scrypt_p p\fR" 4 +.IX Item "-scrypt_N N -scrypt_r r -scrypt_p p" +Sets the scrypt \fBN\fR, \fBr\fR or \fBp\fR parameters. +.SH "KEY FORMATS" +.IX Header "KEY FORMATS" +Various different formats are used by the pkcs8 utility. These are detailed +below. +.PP +If a key is being converted from PKCS#8 form (i.e. the \fB\-topk8\fR option is +not used) then the input file must be in PKCS#8 format. An encrypted +key is expected unless \fB\-nocrypt\fR is included. +.PP +If \fB\-topk8\fR is not used and \fB\s-1PEM\s0\fR mode is set the output file will be an +unencrypted private key in PKCS#8 format. If the \fB\-traditional\fR option is +used then a traditional format private key is written instead. +.PP +If \fB\-topk8\fR is not used and \fB\s-1DER\s0\fR mode is set the output file will be an +unencrypted private key in traditional \s-1DER\s0 format. +.PP +If \fB\-topk8\fR is used then any supported private key can be used for the input +file in a format specified by \fB\-inform\fR. The output file will be encrypted +PKCS#8 format using the specified encryption parameters unless \fB\-nocrypt\fR +is included. .SH "NOTES" .IX Header "NOTES" +By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit +\&\s-1AES\s0 with \s-1HMAC\s0 and \s-1SHA256\s0 is used. +.PP +Some older implementations do not support PKCS#5 v2.0 format and require +the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak +encryption algorithms such as 56 bit \s-1DES.\s0 +.PP The encrypted form of a \s-1PEM\s0 encode PKCS#8 files uses the following headers and footers: .PP @@ -273,13 +315,6 @@ counts are more secure that those encrypted using the traditional SSLeay compatible formats. So if additional security is considered important the keys should be converted. .PP -The default encryption is only 56 bits because this is the encryption -that most current implementations of PKCS#8 will support. -.PP -Some software may use PKCS#12 password based encryption algorithms -with PKCS#8 format private keys: these are handled automatically -but there is no option to produce them. -.PP It is possible to write out \s-1DER\s0 encoded encrypted private keys in PKCS#8 format because the encryption details are included at an \s-1ASN1\s0 level whereas the traditional format includes them at a \s-1PEM\s0 level. @@ -292,37 +327,49 @@ below. .IX Item "PBE-MD2-DES PBE-MD5-DES" These algorithms were included in the original PKCS#5 v1.5 specification. They only offer 56 bits of protection since they both use \s-1DES.\s0 -.IP "\fB\s-1PBE\-SHA1\-RC2\-64 PBE\-MD2\-RC2\-64 PBE\-MD5\-RC2\-64 PBE\-SHA1\-DES\s0\fR" 4 -.IX Item "PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES" +.IP "\fB\s-1PBE\-SHA1\-RC2\-64\s0\fR, \fB\s-1PBE\-MD2\-RC2\-64\s0\fR, \fB\s-1PBE\-MD5\-RC2\-64\s0\fR, \fB\s-1PBE\-SHA1\-DES\s0\fR" 4 +.IX Item "PBE-SHA1-RC2-64, PBE-MD2-RC2-64, PBE-MD5-RC2-64, PBE-SHA1-DES" These algorithms are not mentioned in the original PKCS#5 v1.5 specification but they use the same key derivation algorithm and are supported by some software. They are mentioned in PKCS#5 v2.0. They use either 64 bit \s-1RC2\s0 or 56 bit \s-1DES.\s0 -.IP "\fB\s-1PBE\-SHA1\-RC4\-128 PBE\-SHA1\-RC4\-40 PBE\-SHA1\-3DES PBE\-SHA1\-2DES PBE\-SHA1\-RC2\-128 PBE\-SHA1\-RC2\-40\s0\fR" 4 -.IX Item "PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40" +.IP "\fB\s-1PBE\-SHA1\-RC4\-128\s0\fR, \fB\s-1PBE\-SHA1\-RC4\-40\s0\fR, \fB\s-1PBE\-SHA1\-3DES\s0\fR, \fB\s-1PBE\-SHA1\-2DES\s0\fR, \fB\s-1PBE\-SHA1\-RC2\-128\s0\fR, \fB\s-1PBE\-SHA1\-RC2\-40\s0\fR" 4 +.IX Item "PBE-SHA1-RC4-128, PBE-SHA1-RC4-40, PBE-SHA1-3DES, PBE-SHA1-2DES, PBE-SHA1-RC2-128, PBE-SHA1-RC2-40" These algorithms use the PKCS#12 password based encryption algorithm and allow strong encryption algorithms like triple \s-1DES\s0 or 128 bit \s-1RC2\s0 to be used. .SH "EXAMPLES" .IX Header "EXAMPLES" -Convert a private from traditional to PKCS#5 v2.0 format using triple -\&\s-1DES:\s0 +Convert a private key to PKCS#8 format using default parameters (\s-1AES\s0 with +256 bit key and \fBhmacWithSHA256\fR): +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem +.Ve +.PP +Convert a private key to PKCS#8 unencrypted format: +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-nocrypt \-out enckey.pem +.Ve +.PP +Convert a private key to PKCS#5 v2.0 format using triple \s-1DES:\s0 .PP .Vb 1 \& openssl pkcs8 \-in key.pem \-topk8 \-v2 des3 \-out enckey.pem .Ve .PP -Convert a private from traditional to PKCS#5 v2.0 format using \s-1AES\s0 with -256 bits in \s-1CBC\s0 mode and \fBhmacWithSHA256\fR \s-1PRF:\s0 +Convert a private key to PKCS#5 v2.0 format using \s-1AES\s0 with 256 bits in \s-1CBC\s0 +mode and \fBhmacWithSHA512\fR \s-1PRF:\s0 .PP .Vb 1 -\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA256 \-out enckey.pem +\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-v2prf hmacWithSHA512 \-out enckey.pem .Ve .PP Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm (\s-1DES\s0): .PP .Vb 1 -\& openssl pkcs8 \-in key.pem \-topk8 \-out enckey.pem +\& openssl pkcs8 \-in key.pem \-topk8 \-v1 PBE\-MD5\-DES \-out enckey.pem .Ve .PP Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm @@ -338,10 +385,17 @@ Read a \s-1DER\s0 unencrypted PKCS#8 format private key: \& openssl pkcs8 \-inform DER \-nocrypt \-in key.der \-out key.pem .Ve .PP -Convert a private key from any PKCS#8 format to traditional format: +Convert a private key from any PKCS#8 encrypted format to traditional format: .PP .Vb 1 -\& openssl pkcs8 \-in pk8.pem \-out key.pem +\& openssl pkcs8 \-in pk8.pem \-traditional \-out key.pem +.Ve +.PP +Convert a private key to PKCS#8 format, encrypting with \s-1AES\-256\s0 and with +one million iterations of the password: +.PP +.Vb 1 +\& openssl pkcs8 \-in key.pem \-topk8 \-v2 aes\-256\-cbc \-iter 1000000 \-out pk8.pem .Ve .SH "STANDARDS" .IX Header "STANDARDS" @@ -359,11 +413,18 @@ PKCS#8 private key format complies with this standard. .IX Header "BUGS" There should be an option that prints out the encryption algorithm in use and other details such as the iteration count. -.PP -PKCS#8 using triple \s-1DES\s0 and PKCS#5 v2.0 should be the default private -key format for OpenSSL: for compatibility several of the utilities use -the old format at present. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIdsa\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1), \&\fIgendsa\fR\|(1) +.SH "HISTORY" +.IX Header "HISTORY" +The \fB\-iter\fR option was added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/pkey.1 b/secure/usr.bin/openssl/man/pkey.1 index 797329601894..c5d6ce0e139f 100644 --- a/secure/usr.bin/openssl/man/pkey.1 +++ b/secure/usr.bin/openssl/man/pkey.1 @@ -129,43 +129,49 @@ .\" ======================================================================== .\" .IX Title "PKEY 1" -.TH PKEY 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH PKEY 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-pkey, -pkey \- public or private key processing tool +openssl\-pkey, pkey \- public or private key processing tool .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBpkey\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] [\fB\-outform PEM|DER\fR] [\fB\-in filename\fR] [\fB\-passin arg\fR] [\fB\-out filename\fR] [\fB\-passout arg\fR] -[\fB\-cipher\fR] +[\fB\-traditional\fR] +[\fB\-\f(BIcipher\fB\fR] [\fB\-text\fR] [\fB\-text_pub\fR] [\fB\-noout\fR] [\fB\-pubin\fR] [\fB\-pubout\fR] [\fB\-engine id\fR] +[\fB\-check\fR] +[\fB\-pubcheck\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBpkey\fR command processes public or private keys. They can be converted between various forms and their components printed out. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" -This specifies the input format \s-1DER\s0 or \s-1PEM.\s0 +This specifies the input format \s-1DER\s0 or \s-1PEM.\s0 The default format is \s-1PEM.\s0 .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read a key from or standard input if this @@ -173,7 +179,7 @@ option is not specified. If the key is encrypted a pass phrase will be prompted for. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR +The input file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" @@ -183,37 +189,50 @@ will be prompted for. The output filename should \fBnot\fR be the same as the in filename. .IP "\fB\-passout password\fR" 4 .IX Item "-passout password" -the output file password source. For more information about the format of \fBarg\fR +The output file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-cipher\fR" 4 +.IP "\fB\-traditional\fR" 4 +.IX Item "-traditional" +Normally a private key is written using standard format: this is PKCS#8 form +with the appropriate encryption algorithm (if any). If the \fB\-traditional\fR +option is specified then the older \*(L"traditional\*(R" format is used instead. +.IP "\fB\-\f(BIcipher\fB\fR" 4 .IX Item "-cipher" These options encrypt the private key with the supplied cipher. Any algorithm name accepted by \fIEVP_get_cipherbyname()\fR is acceptable such as \fBdes3\fR. .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out the various public or private key components in +Prints out the various public or private key components in plain text in addition to the encoded version. .IP "\fB\-text_pub\fR" 4 .IX Item "-text_pub" -print out only public key components even if a private key is being processed. +Print out only public key components even if a private key is being processed. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -do not output the encoded version of the key. +Do not output the encoded version of the key. .IP "\fB\-pubin\fR" 4 .IX Item "-pubin" -by default a private key is read from the input file: with this +By default a private key is read from the input file: with this option a public key is read instead. .IP "\fB\-pubout\fR" 4 .IX Item "-pubout" -by default a private key is output: with this option a public +By default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkey\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkey\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +This option checks the consistency of a key pair for both public and private +components. +.IP "\fB\-pubcheck\fR" 4 +.IX Item "-pubcheck" +This option checks the correctness of either a public key or the public component +of a key pair. .SH "EXAMPLES" .IX Header "EXAMPLES" To remove the pass phrase on an \s-1RSA\s0 private key: @@ -255,3 +274,11 @@ To just output the public part of a private key: .IX Header "SEE ALSO" \&\fIgenpkey\fR\|(1), \fIrsa\fR\|(1), \fIpkcs8\fR\|(1), \&\fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \fIgendsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/pkeyparam.1 b/secure/usr.bin/openssl/man/pkeyparam.1 index f93976eb16fa..e4ee8bd9a013 100644 --- a/secure/usr.bin/openssl/man/pkeyparam.1 +++ b/secure/usr.bin/openssl/man/pkeyparam.1 @@ -129,28 +129,32 @@ .\" ======================================================================== .\" .IX Title "PKEYPARAM 1" -.TH PKEYPARAM 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH PKEYPARAM 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-pkeyparam, -pkeyparam \- public key algorithm parameter processing tool +openssl\-pkeyparam, pkeyparam \- public key algorithm parameter processing tool .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBpkeyparam\fR +[\fB\-help\fR] [\fB\-in filename\fR] [\fB\-out filename\fR] [\fB\-text\fR] [\fB\-noout\fR] [\fB\-engine id\fR] +[\fB\-check\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The \fBpkey\fR command processes public or private keys. They can be converted -between various forms and their components printed out. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +The \fBpkeyparam\fR command processes public key algorithm parameters. +They can be checked for correctness and their components printed out. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read parameters from or standard input if @@ -161,16 +165,19 @@ This specifies the output filename to write parameters to or standard output if this option is not specified. .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out the parameters in plain text in addition to the encoded version. +Prints out the parameters in plain text in addition to the encoded version. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -do not output the encoded version of the parameters. +Do not output the encoded version of the parameters. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyparam\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyparam\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +.IP "\fB\-check\fR" 4 +.IX Item "-check" +This option checks the correctness of parameters. .SH "EXAMPLE" .IX Header "EXAMPLE" Print out text version of parameters: @@ -186,3 +193,11 @@ There are no \fB\-inform\fR or \fB\-outform\fR options for this command because .IX Header "SEE ALSO" \&\fIgenpkey\fR\|(1), \fIrsa\fR\|(1), \fIpkcs8\fR\|(1), \&\fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \fIgendsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/pkeyutl.1 b/secure/usr.bin/openssl/man/pkeyutl.1 index c51a1170cbf3..bd5bbde52353 100644 --- a/secure/usr.bin/openssl/man/pkeyutl.1 +++ b/secure/usr.bin/openssl/man/pkeyutl.1 @@ -129,25 +129,25 @@ .\" ======================================================================== .\" .IX Title "PKEYUTL 1" -.TH PKEYUTL 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH PKEYUTL 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-pkeyutl, -pkeyutl \- public key algorithm utility +openssl\-pkeyutl, pkeyutl \- public key algorithm utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBpkeyutl\fR +[\fB\-help\fR] [\fB\-in file\fR] [\fB\-out file\fR] [\fB\-sigfile file\fR] [\fB\-inkey file\fR] -[\fB\-keyform PEM|DER\fR] +[\fB\-keyform PEM|DER|ENGINE\fR] [\fB\-passin arg\fR] [\fB\-peerkey file\fR] -[\fB\-peerform PEM|DER\fR] +[\fB\-peerform PEM|DER|ENGINE\fR] [\fB\-pubin\fR] [\fB\-certin\fR] [\fB\-rev\fR] @@ -157,83 +157,123 @@ pkeyutl \- public key algorithm utility [\fB\-encrypt\fR] [\fB\-decrypt\fR] [\fB\-derive\fR] +[\fB\-kdf algorithm\fR] +[\fB\-kdflen length\fR] [\fB\-pkeyopt opt:value\fR] [\fB\-hexdump\fR] [\fB\-asn1parse\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-engine id\fR] +[\fB\-engine_impl\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" -The \fBpkeyutl\fR command can be used to perform public key operations using -any supported algorithm. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +The \fBpkeyutl\fR command can be used to perform low level public key operations +using any supported algorithm. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read data from or standard input if this option is not specified. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -specifies the output filename to write to or standard output by +Specifies the output filename to write to or standard output by default. +.IP "\fB\-sigfile file\fR" 4 +.IX Item "-sigfile file" +Signature file, required for \fBverify\fR operations only .IP "\fB\-inkey file\fR" 4 .IX Item "-inkey file" -the input key file, by default it should be a private key. -.IP "\fB\-keyform PEM|DER\fR" 4 -.IX Item "-keyform PEM|DER" -the key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 +The input key file, by default it should be a private key. +.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4 +.IX Item "-keyform PEM|DER|ENGINE" +The key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 Default is \s-1PEM.\s0 .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the input key password source. For more information about the format of \fBarg\fR +The input key password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-peerkey file\fR" 4 .IX Item "-peerkey file" -the peer key file, used by key derivation (agreement) operations. -.IP "\fB\-peerform PEM|DER\fR" 4 -.IX Item "-peerform PEM|DER" -the peer key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyutl\fR -to attempt to obtain a functional reference to the specified engine, -thus initialising it if needed. The engine will then be set as the default -for all available algorithms. +The peer key file, used by key derivation (agreement) operations. +.IP "\fB\-peerform PEM|DER|ENGINE\fR" 4 +.IX Item "-peerform PEM|DER|ENGINE" +The peer key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 Default is \s-1PEM.\s0 .IP "\fB\-pubin\fR" 4 .IX Item "-pubin" -the input file is a public key. +The input file is a public key. .IP "\fB\-certin\fR" 4 .IX Item "-certin" -the input is a certificate containing a public key. +The input is a certificate containing a public key. .IP "\fB\-rev\fR" 4 .IX Item "-rev" -reverse the order of the input buffer. This is useful for some libraries +Reverse the order of the input buffer. This is useful for some libraries (such as CryptoAPI) which represent the buffer in little endian format. .IP "\fB\-sign\fR" 4 .IX Item "-sign" -sign the input data and output the signed result. This requires -a private key. +Sign the input data (which must be a hash) and output the signed result. This +requires a private key. .IP "\fB\-verify\fR" 4 .IX Item "-verify" -verify the input data against the signature file and indicate if the -verification succeeded or failed. +Verify the input data (which must be a hash) against the signature file and +indicate if the verification succeeded or failed. .IP "\fB\-verifyrecover\fR" 4 .IX Item "-verifyrecover" -verify the input data and output the recovered data. +Verify the input data (which must be a hash) and output the recovered data. .IP "\fB\-encrypt\fR" 4 .IX Item "-encrypt" -encrypt the input data using a public key. +Encrypt the input data using a public key. .IP "\fB\-decrypt\fR" 4 .IX Item "-decrypt" -decrypt the input data using a private key. +Decrypt the input data using a private key. .IP "\fB\-derive\fR" 4 .IX Item "-derive" -derive a shared secret using the peer key. +Derive a shared secret using the peer key. +.IP "\fB\-kdf algorithm\fR" 4 +.IX Item "-kdf algorithm" +Use key derivation function \fBalgorithm\fR. The supported algorithms are +at present \fB\s-1TLS1\-PRF\s0\fR and \fB\s-1HKDF\s0\fR. +Note: additional parameters and the \s-1KDF\s0 output length will normally have to be +set for this to work. +See \fIEVP_PKEY_CTX_set_hkdf_md\fR\|(3) and \fIEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3) +for the supported string parameters of each algorithm. +.IP "\fB\-kdflen length\fR" 4 +.IX Item "-kdflen length" +Set the output length for \s-1KDF.\s0 +.IP "\fB\-pkeyopt opt:value\fR" 4 +.IX Item "-pkeyopt opt:value" +Public key options specified as opt:value. See \s-1NOTES\s0 below for more details. .IP "\fB\-hexdump\fR" 4 .IX Item "-hexdump" hex dump the output data. .IP "\fB\-asn1parse\fR" 4 .IX Item "-asn1parse" -asn1parse the output data, this is useful when combined with the +Parse the \s-1ASN.1\s0 output data, this is useful when combined with the \&\fB\-verifyrecover\fR option when an \s-1ASN1\s0 structure is signed. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine (by its unique \fBid\fR string) will cause \fBpkeyutl\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. +.IP "\fB\-engine_impl\fR" 4 +.IX Item "-engine_impl" +When used with the \fB\-engine\fR option, it specifies to also use +engine \fBid\fR for crypto operations. .SH "NOTES" .IX Header "NOTES" The operations and options supported vary according to the key algorithm @@ -242,37 +282,43 @@ and its implementation. The OpenSSL operations and options are indicated below. Unless otherwise mentioned all algorithms support the \fBdigest:alg\fR option which specifies the digest in use for sign, verify and verifyrecover operations. The value \fBalg\fR should represent a digest name as used in the -\&\fIEVP_get_digestbyname()\fR function for example \fBsha1\fR. -This value is used only for sanity-checking the lengths of data passed in to -the \fBpkeyutl\fR and for creating the structures that make up the signature -(e.g. \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures). -In case of \s-1RSA, ECDSA\s0 and \s-1DSA\s0 signatures, this utility -will not perform hashing on input data but rather use the data directly as -input of signature algorithm. Depending on key type, signature type and mode -of padding, the maximum acceptable lengths of input data differ. In general, -with \s-1RSA\s0 the signed data can't be longer than the key modulus, in case of \s-1ECDSA\s0 -and \s-1DSA\s0 the data shouldn't be longer than field size, otherwise it will be -silently truncated to field size. +\&\fIEVP_get_digestbyname()\fR function for example \fBsha1\fR. This value is not used to +hash the input data. It is used (by some algorithms) for sanity-checking the +lengths of data passed in to the \fBpkeyutl\fR and for creating the structures that +make up the signature (e.g. \fBDigestInfo\fR in \s-1RSASSA\s0 PKCS#1 v1.5 signatures). .PP -In other words, if the value of digest is \fBsha1\fR the input should be 20 bytes -long binary encoding of \s-1SHA\-1\s0 hash function output. +This utility does not hash the input data but rather it will use the data +directly as input to the signature algorithm. Depending on the key type, +signature type, and mode of padding, the maximum acceptable lengths of input +data differ. The signed data can't be longer than the key modulus with \s-1RSA.\s0 In +case of \s-1ECDSA\s0 and \s-1DSA\s0 the data shouldn't be longer than the field +size, otherwise it will be silently truncated to the field size. In any event +the input size must not be larger than the largest supported digest size. +.PP +In other words, if the value of digest is \fBsha1\fR the input should be the 20 +bytes long binary encoding of the \s-1SHA\-1\s0 hash function output. +.PP +The Ed25519 and Ed448 signature algorithms are not supported by this utility. +They accept non-hashed input, but this utility can only be used to sign hashed +input. .SH "RSA ALGORITHM" .IX Header "RSA ALGORITHM" -The \s-1RSA\s0 algorithm supports encrypt, decrypt, sign, verify and verifyrecover -operations in general. Some padding modes only support some of these -operations however. -.IP "\-\fBrsa_padding_mode:mode\fR" 4 -.IX Item "-rsa_padding_mode:mode" +The \s-1RSA\s0 algorithm generally supports the encrypt, decrypt, sign, +verify and verifyrecover operations. However, some padding modes +support only a subset of these operations. The following additional +\&\fBpkeyopt\fR values are supported: +.IP "\fBrsa_padding_mode:mode\fR" 4 +.IX Item "rsa_padding_mode:mode" This sets the \s-1RSA\s0 padding mode. Acceptable values for \fBmode\fR are \fBpkcs1\fR for PKCS#1 padding, \fBsslv23\fR for SSLv23 padding, \fBnone\fR for no padding, \fBoaep\fR for \fB\s-1OAEP\s0\fR mode, \fBx931\fR for X9.31 mode and \fBpss\fR for \s-1PSS.\s0 .Sp -In PKCS#1 padding if the message digest is not set then the supplied data is +In PKCS#1 padding if the message digest is not set then the supplied data is signed or verified directly instead of using a \fBDigestInfo\fR structure. If a digest is set then the a \fBDigestInfo\fR structure is used and its the length must correspond to the digest type. .Sp -For \fBoeap\fR mode only encryption and decryption is supported. +For \fBoaep\fR mode only encryption and decryption is supported. .Sp For \fBx931\fR if the digest type is set it is used to format the block data otherwise the first byte is used to specify the X9.31 digest \s-1ID.\s0 Sign, @@ -282,11 +328,30 @@ For \fBpss\fR mode only sign and verify are supported and the digest type must b specified. .IP "\fBrsa_pss_saltlen:len\fR" 4 .IX Item "rsa_pss_saltlen:len" -For \fBpss\fR mode only this option specifies the salt length. Two special values -are supported: \-1 sets the salt length to the digest length. When signing \-2 -sets the salt length to the maximum permissible value. When verifying \-2 causes -the salt length to be automatically determined based on the \fB\s-1PSS\s0\fR block -structure. +For \fBpss\fR mode only this option specifies the salt length. Three special +values are supported: \*(L"digest\*(R" sets the salt length to the digest length, +\&\*(L"max\*(R" sets the salt length to the maximum permissible value. When verifying +\&\*(L"auto\*(R" causes the salt length to be automatically determined based on the +\&\fB\s-1PSS\s0\fR block structure. +.IP "\fBrsa_mgf1_md:digest\fR" 4 +.IX Item "rsa_mgf1_md:digest" +For \s-1PSS\s0 and \s-1OAEP\s0 padding sets the \s-1MGF1\s0 digest. If the \s-1MGF1\s0 digest is not +explicitly set in \s-1PSS\s0 mode then the signing digest is used. +.SH "RSA-PSS ALGORITHM" +.IX Header "RSA-PSS ALGORITHM" +The RSA-PSS algorithm is a restricted version of the \s-1RSA\s0 algorithm which only +supports the sign and verify operations with \s-1PSS\s0 padding. The following +additional \fBpkeyopt\fR values are supported: +.IP "\fBrsa_padding_mode:mode\fR, \fBrsa_pss_saltlen:len\fR, \fBrsa_mgf1_md:digest\fR" 4 +.IX Item "rsa_padding_mode:mode, rsa_pss_saltlen:len, rsa_mgf1_md:digest" +These have the same meaning as the \fB\s-1RSA\s0\fR algorithm with some additional +restrictions. The padding mode can only be set to \fBpss\fR which is the +default value. +.Sp +If the key has parameter restrictions than the digest, \s-1MGF1\s0 +digest and salt length are set to the values specified in the parameters. +The digest and \s-1MG\s0 cannot be changed and the salt length cannot be set to a +value less than the minimum restriction. .SH "DSA ALGORITHM" .IX Header "DSA ALGORITHM" The \s-1DSA\s0 algorithm supports signing and verification operations only. Currently @@ -302,6 +367,10 @@ The \s-1EC\s0 algorithm supports sign, verify and derive operations. The sign an verify operations use \s-1ECDSA\s0 and derive uses \s-1ECDH.\s0 Currently there are no additional options other than \fBdigest\fR. Only the \s-1SHA1\s0 digest can be used and this digest is assumed by default. +.SH "X25519 and X448 ALGORITHMS" +.IX Header "X25519 and X448 ALGORITHMS" +The X25519 and X448 algorithms support key derivation only. Currently there are +no additional options. .SH "EXAMPLES" .IX Header "EXAMPLES" Sign some data using a private key: @@ -333,7 +402,24 @@ Derive a shared secret value: .Vb 1 \& openssl pkeyutl \-derive \-inkey key.pem \-peerkey pubkey.pem \-out secret .Ve +.PP +Hexdump 48 bytes of \s-1TLS1 PRF\s0 using digest \fB\s-1SHA256\s0\fR and shared secret and +seed consisting of the single byte 0xFF: +.PP +.Vb 2 +\& openssl pkeyutl \-kdf TLS1\-PRF \-kdflen 48 \-pkeyopt md:SHA256 \e +\& \-pkeyopt hexsecret:ff \-pkeyopt hexseed:ff \-hexdump +.Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIgenpkey\fR\|(1), \fIpkey\fR\|(1), \fIrsautl\fR\|(1) -\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1) +\&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1), +\&\fIEVP_PKEY_CTX_set_hkdf_md\fR\|(3), \fIEVP_PKEY_CTX_set_tls1_prf_md\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/prime.1 b/secure/usr.bin/openssl/man/prime.1 new file mode 100644 index 000000000000..0a073a027128 --- /dev/null +++ b/secure/usr.bin/openssl/man/prime.1 @@ -0,0 +1,185 @@ +.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) +.\" +.\" Standard preamble: +.\" ======================================================================== +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +. ds C` +. ds C' +'br\} +.\" +.\" Escape single quotes in literal strings from groff's Unicode transform. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" +.\" If the F register is >0, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.\" +.\" Avoid warning from groff about undefined register 'F'. +.de IX +.. +.if !\nF .nr F 0 +.if \nF>0 \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. if !\nF==2 \{\ +. nr % 0 +. nr F 2 +. \} +.\} +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "PRIME 1" +.TH PRIME 1 "2018-09-11" "1.1.1" "OpenSSL" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.if n .ad l +.nh +.SH "NAME" +openssl\-prime, prime \- compute prime numbers +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" +\&\fBopenssl prime\fR +[\fB\-help\fR] +[\fB\-hex\fR] +[\fB\-generate\fR] +[\fB\-bits\fR] +[\fB\-safe\fR] +[\fB\-checks\fR] +[\fInumber...\fR] +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" +The \fBprime\fR command checks if the specified numbers are prime. +.PP +If no numbers are given on the command line, the \fB\-generate\fR flag should +be used to generate primes according to the requirements specified by the +rest of the flags. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "[\fB\-help\fR]" 4 +.IX Item "[-help]" +Display an option summary. +.IP "[\fB\-hex\fR]" 4 +.IX Item "[-hex]" +Generate hex output. +.IP "[\fB\-generate\fR]" 4 +.IX Item "[-generate]" +Generate a prime number. +.IP "[\fB\-bits num\fR]" 4 +.IX Item "[-bits num]" +Generate a prime with \fBnum\fR bits. +.IP "[\fB\-safe\fR]" 4 +.IX Item "[-safe]" +When used with \fB\-generate\fR, generates a \*(L"safe\*(R" prime. If the number +generated is \fBn\fR, then check that \fB(n\-1)/2\fR is also prime. +.IP "[\fB\-checks num\fR]" 4 +.IX Item "[-checks num]" +Perform the checks \fBnum\fR times to see that the generated number +is prime. The default is 20. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/rand.1 b/secure/usr.bin/openssl/man/rand.1 index b3ce4d20b719..c2c1191737cd 100644 --- a/secure/usr.bin/openssl/man/rand.1 +++ b/secure/usr.bin/openssl/man/rand.1 @@ -129,19 +129,20 @@ .\" ======================================================================== .\" .IX Title "RAND 1" -.TH RAND 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH RAND 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-rand, -rand \- generate pseudo\-random bytes +openssl\-rand, rand \- generate pseudo\-random bytes .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl rand\fR +[\fB\-help\fR] [\fB\-out\fR \fIfile\fR] -[\fB\-rand\fR \fIfile(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-base64\fR] [\fB\-hex\fR] \&\fInum\fR @@ -155,16 +156,23 @@ in addition to the files given in the \fB\-rand\fR option. A new seeding was obtained from these sources. .SH "OPTIONS" .IX Header "OPTIONS" -.IP "\fB\-out\fR \fIfile\fR" 4 +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out file\fR" 4 .IX Item "-out file" Write to \fIfile\fR instead of standard output. -.IP "\fB\-rand\fR \fIfile(s)\fR" 4 -.IX Item "-rand file(s)" -Use specified file or files or \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)) -for seeding the random number generator. -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-base64\fR" 4 .IX Item "-base64" Perform base64 encoding on the output. @@ -174,3 +182,11 @@ Show the output as a hex string. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIRAND_bytes\fR\|(3) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/req.1 b/secure/usr.bin/openssl/man/req.1 index a2e8660a86a4..afc45dce57a4 100644 --- a/secure/usr.bin/openssl/man/req.1 +++ b/secure/usr.bin/openssl/man/req.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "REQ 1" -.TH REQ 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH REQ 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-req, -req \- PKCS#10 certificate request and certificate generating utility. +openssl\-req, req \- PKCS#10 certificate request and certificate generating utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBreq\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] [\fB\-outform PEM|DER\fR] [\fB\-in filename\fR] @@ -152,7 +152,8 @@ req \- PKCS#10 certificate request and certificate generating utility. [\fB\-verify\fR] [\fB\-modulus\fR] [\fB\-new\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-newkey rsa:bits\fR] [\fB\-newkey alg:file\fR] [\fB\-nodes\fR] @@ -160,17 +161,17 @@ req \- PKCS#10 certificate request and certificate generating utility. [\fB\-keyform PEM|DER\fR] [\fB\-keyout filename\fR] [\fB\-keygen_engine id\fR] -[\fB\-[digest]\fR] +[\fB\-\f(BIdigest\fB\fR] [\fB\-config filename\fR] [\fB\-multivalue\-rdn\fR] [\fB\-x509\fR] [\fB\-days n\fR] [\fB\-set_serial n\fR] -[\fB\-asn1\-kludge\fR] -[\fB\-no\-asn1\-kludge\fR] [\fB\-newhdr\fR] +[\fB\-addext ext\fR] [\fB\-extensions section\fR] [\fB\-reqexts section\fR] +[\fB\-precert\fR] [\fB\-utf8\fR] [\fB\-nameopt\fR] [\fB\-reqopt\fR] @@ -184,8 +185,11 @@ req \- PKCS#10 certificate request and certificate generating utility. The \fBreq\fR command primarily creates and processes certificate requests in PKCS#10 format. It can additionally create self signed certificates for use as root CAs for example. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded @@ -194,8 +198,8 @@ consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header an footer lines. .IP "\fB\-outform DER|PEM\fR" 4 .IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read a request from or standard input @@ -203,7 +207,7 @@ if this option is not specified. A request is only read if the creation options (\fB\-new\fR and \fB\-newkey\fR) are not specified. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR +The input file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" @@ -211,53 +215,51 @@ This specifies the output filename to write to or standard output by default. .IP "\fB\-passout arg\fR" 4 .IX Item "-passout arg" -the output file password source. For more information about the format of \fBarg\fR +The output file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out the certificate request in text form. +Prints out the certificate request in text form. .IP "\fB\-subject\fR" 4 .IX Item "-subject" -prints out the request subject (or certificate subject if \fB\-x509\fR is +Prints out the request subject (or certificate subject if \fB\-x509\fR is specified) .IP "\fB\-pubkey\fR" 4 .IX Item "-pubkey" -outputs the public key. +Outputs the public key. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option prevents output of the encoded version of the request. +This option prevents output of the encoded version of the request. .IP "\fB\-modulus\fR" 4 .IX Item "-modulus" -this option prints out the value of the modulus of the public key +This option prints out the value of the modulus of the public key contained in the request. .IP "\fB\-verify\fR" 4 .IX Item "-verify" -verifies the signature on the request. +Verifies the signature on the request. .IP "\fB\-new\fR" 4 .IX Item "-new" -this option generates a new certificate request. It will prompt +This option generates a new certificate request. It will prompt the user for the relevant field values. The actual fields prompted for and their maximum and minimum sizes are specified in the configuration file and any requested extensions. .Sp If the \fB\-key\fR option is not used it will generate a new \s-1RSA\s0 private key using information specified in the configuration file. -.IP "\fB\-subj arg\fR" 4 -.IX Item "-subj arg" -Replaces subject field of input request with specified data and outputs -modified request. The arg must be formatted as -\&\fI/type0=value0/type1=value1/type2=...\fR, -characters may be escaped by \e (backslash), no spaces are skipped. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-newkey arg\fR" 4 .IX Item "-newkey arg" -this option creates a new certificate request and a new private +This option creates a new certificate request and a new private key. The argument takes one of several forms. \fBrsa:nbits\fR, where \&\fBnbits\fR is the number of bits, generates an \s-1RSA\s0 key \fBnbits\fR in size. If \fBnbits\fR is omitted, i.e. \fB\-newkey rsa\fR specified, @@ -265,13 +267,13 @@ the default key size, specified in the configuration file is used. .Sp All other algorithms support the \fB\-newkey alg:file\fR form, where file may be an algorithm parameter file, created by the \fBgenpkey \-genparam\fR command -or and X.509 certificate for a key with approriate algorithm. +or and X.509 certificate for a key with appropriate algorithm. .Sp \&\fBparam:file\fR generates a key using the parameter file or certificate \fBfile\fR, the algorithm is determined by the parameters. \fBalgname:file\fR use algorithm \&\fBalgname\fR and parameter file \fBfile\fR: the two algorithms must match or an error occurs. \fBalgname\fR just uses algorithm \fBalgname\fR, and parameters, -if neccessary should be specified via \fB\-pkeyopt\fR parameter. +if necessary should be specified via \fB\-pkeyopt\fR parameter. .Sp \&\fBdsa:filename\fR generates a \s-1DSA\s0 key using the parameters in the file \fBfilename\fR. \fBec:filename\fR generates \s-1EC\s0 key (usable both with @@ -281,7 +283,7 @@ file). If just \fBgost2001\fR is specified a parameter set should be specified by \fB\-pkeyopt paramset:X\fR .IP "\fB\-pkeyopt opt:value\fR" 4 .IX Item "-pkeyopt opt:value" -set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of +Set the public key algorithm option \fBopt\fR to \fBvalue\fR. The precise set of options supported depends on the public key algorithm used and its implementation. See \fB\s-1KEY GENERATION OPTIONS\s0\fR in the \fBgenpkey\fR manual page for more details. @@ -291,40 +293,41 @@ This specifies the file to read the private key from. It also accepts PKCS#8 format private keys for \s-1PEM\s0 format files. .IP "\fB\-keyform PEM|DER\fR" 4 .IX Item "-keyform PEM|DER" -the format of the private key file specified in the \fB\-key\fR +The format of the private key file specified in the \fB\-key\fR argument. \s-1PEM\s0 is the default. .IP "\fB\-keyout filename\fR" 4 .IX Item "-keyout filename" -this gives the filename to write the newly created private key to. +This gives the filename to write the newly created private key to. If this option is not specified then the filename present in the configuration file is used. .IP "\fB\-nodes\fR" 4 .IX Item "-nodes" -if this option is specified then if a private key is created it +If this option is specified then if a private key is created it will not be encrypted. -.IP "\fB\-[digest]\fR" 4 -.IX Item "-[digest]" -this specifies the message digest to sign the request with (such as -\&\fB\-md5\fR, \fB\-sha1\fR). This overrides the digest algorithm specified in +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +This specifies the message digest to sign the request. +Any digest supported by the OpenSSL \fBdgst\fR command can be used. +This overrides the digest algorithm specified in the configuration file. .Sp Some public key algorithms may override this choice. For instance, \s-1DSA\s0 signatures always use \s-1SHA1, GOST R 34.10\s0 signatures always use -\&\s-1GOST R 34.11\-94\s0 (\fB\-md_gost94\fR). +\&\s-1GOST R 34.11\-94\s0 (\fB\-md_gost94\fR), Ed25519 and Ed448 never use any digest. .IP "\fB\-config filename\fR" 4 .IX Item "-config filename" -this allows an alternative configuration file to be specified, -this overrides the compile time filename or any specified in -the \fB\s-1OPENSSL_CONF\s0\fR environment variable. +This allows an alternative configuration file to be specified. +Optional; for a description of the default value, +see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fIopenssl\fR\|(1). .IP "\fB\-subj arg\fR" 4 .IX Item "-subj arg" -sets subject name for new request or supersedes the subject name +Sets subject name for new request or supersedes the subject name when processing a request. The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, characters may be escaped by \e (backslash), no spaces are skipped. .IP "\fB\-multivalue\-rdn\fR" 4 .IX Item "-multivalue-rdn" -this option causes the \-subj argument to be interpreted with full +This option causes the \-subj argument to be interpreted with full support for multivalued RDNs. Example: .Sp \&\fI/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=John Doe\fR @@ -332,7 +335,7 @@ support for multivalued RDNs. Example: If \-multi\-rdn is not used then the \s-1UID\s0 value is \fI123456+CN=John Doe\fR. .IP "\fB\-x509\fR" 4 .IX Item "-x509" -this option outputs a self signed certificate instead of a certificate +This option outputs a self signed certificate instead of a certificate request. This is typically used to generate a test certificate or a self signed root \s-1CA.\s0 The extensions added to the certificate (if any) are specified in the configuration file. Unless specified @@ -343,79 +346,78 @@ If existing request is specified with the \fB\-in\fR option, it is converted to the self signed certificate otherwise new request is created. .IP "\fB\-days n\fR" 4 .IX Item "-days n" -when the \fB\-x509\fR option is being used this specifies the number of -days to certify the certificate for. The default is 30 days. +When the \fB\-x509\fR option is being used this specifies the number of +days to certify the certificate for, otherwise it is ignored. \fBn\fR should +be a positive integer. The default is 30 days. .IP "\fB\-set_serial n\fR" 4 .IX Item "-set_serial n" -serial number to use when outputting a self signed certificate. This +Serial number to use when outputting a self signed certificate. This may be specified as a decimal value or a hex value if preceded by \fB0x\fR. -It is possible to use negative serial numbers but this is not recommended. +.IP "\fB\-addext ext\fR" 4 +.IX Item "-addext ext" +Add a specific extension to the certificate (if the \fB\-x509\fR option is +present) or certificate request. The argument must have the form of +a key=value pair as it would appear in a config file. +.Sp +This option can be given multiple times. .IP "\fB\-extensions section\fR" 4 .IX Item "-extensions section" .PD 0 .IP "\fB\-reqexts section\fR" 4 .IX Item "-reqexts section" .PD -these options specify alternative sections to include certificate +These options specify alternative sections to include certificate extensions (if the \fB\-x509\fR option is present) or certificate request extensions. This allows several different sections to be used in the same configuration file to specify requests for a variety of purposes. +.IP "\fB\-precert\fR" 4 +.IX Item "-precert" +A poison extension will be added to the certificate, making it a +\&\*(L"pre-certificate\*(R" (see \s-1RFC6962\s0). This can be submitted to Certificate +Transparency logs in order to obtain signed certificate timestamps (SCTs). +These SCTs can then be embedded into the pre-certificate as an extension, before +removing the poison and signing the certificate. +.Sp +This implies the \fB\-new\fR flag. .IP "\fB\-utf8\fR" 4 .IX Item "-utf8" -this option causes field values to be interpreted as \s-1UTF8\s0 strings, by +This option causes field values to be interpreted as \s-1UTF8\s0 strings, by default they are interpreted as \s-1ASCII.\s0 This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid \s-1UTF8\s0 strings. .IP "\fB\-nameopt option\fR" 4 .IX Item "-nameopt option" -option which determines how the subject or issuer names are displayed. The +Option which determines how the subject or issuer names are displayed. The \&\fBoption\fR argument can be a single option or multiple options separated by commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to set multiple options. See the \fIx509\fR\|(1) manual page for details. .IP "\fB\-reqopt\fR" 4 .IX Item "-reqopt" -customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be +Customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be a single option or multiple options separated by commas. .Sp -See discission of the \fB\-certopt\fR parameter in the \fBx509\fR +See discussion of the \fB\-certopt\fR parameter in the \fIx509\fR\|(1) command. -.IP "\fB\-asn1\-kludge\fR" 4 -.IX Item "-asn1-kludge" -by default the \fBreq\fR command outputs certificate requests containing -no attributes in the correct PKCS#10 format. However certain CAs will only -accept requests containing no attributes in an invalid form: this -option produces this invalid format. -.Sp -More precisely the \fBAttributes\fR in a PKCS#10 certificate request -are defined as a \fB\s-1SET OF\s0 Attribute\fR. They are \fBnot \s-1OPTIONAL\s0\fR so -if no attributes are present then they should be encoded as an -empty \fB\s-1SET OF\s0\fR. The invalid form does not include the empty -\&\fB\s-1SET OF\s0\fR whereas the correct form does. -.Sp -It should be noted that very few CAs still require the use of this option. -.IP "\fB\-no\-asn1\-kludge\fR" 4 -.IX Item "-no-asn1-kludge" -Reverses effect of \fB\-asn1\-kludge\fR .IP "\fB\-newhdr\fR" 4 .IX Item "-newhdr" Adds the word \fB\s-1NEW\s0\fR to the \s-1PEM\s0 file header and footer lines on the outputted request. Some software (Netscape certificate server) and some CAs need this. .IP "\fB\-batch\fR" 4 .IX Item "-batch" -non-interactive mode. +Non-interactive mode. .IP "\fB\-verbose\fR" 4 .IX Item "-verbose" -print extra details about the operations being performed. +Print extra details about the operations being performed. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBreq\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBreq\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. .IP "\fB\-keygen_engine id\fR" 4 .IX Item "-keygen_engine id" -specifies an engine (by its unique \fBid\fR string) which would be used +Specifies an engine (by its unique \fBid\fR string) which would be used for key generation operations. .SH "CONFIGURATION FILE FORMAT" .IX Header "CONFIGURATION FILE FORMAT" @@ -458,8 +460,8 @@ object identifier followed by \fB=\fR and the numerical form. The short and long names are the same when this option is used. .IP "\fB\s-1RANDFILE\s0\fR" 4 .IX Item "RANDFILE" -This specifies a filename in which random number seed information is -placed and read from, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). +At startup the specified file is loaded into the random number generator, +and at exit 256 bytes will be written to it. It is used for private key generation. .IP "\fBencrypt_key\fR" 4 .IX Item "encrypt_key" @@ -468,16 +470,17 @@ If this is set to \fBno\fR then if a private key is generated it is option. For compatibility \fBencrypt_rsa_key\fR is an equivalent option. .IP "\fBdefault_md\fR" 4 .IX Item "default_md" -This option specifies the digest algorithm to use. Possible values -include \fBmd5 sha1 mdc2\fR. If not present then \s-1MD5\s0 is used. This -option can be overridden on the command line. +This option specifies the digest algorithm to use. Any digest supported by the +OpenSSL \fBdgst\fR command can be used. This option can be overridden on the +command line. Certain signing algorithms (i.e. Ed25519 and Ed448) will ignore +any digest that has been set. .IP "\fBstring_mask\fR" 4 .IX Item "string_mask" This option masks out the use of certain string types in certain fields. Most users will not need to change this option. .Sp It can be set to several values \fBdefault\fR which is also the default -option uses PrintableStrings, T61Strings and BMPStrings if the +option uses PrintableStrings, T61Strings and BMPStrings if the \&\fBpkix\fR value is used then only PrintableStrings and BMPStrings will be used. This follows the \s-1PKIX\s0 recommendation in \s-1RFC2459.\s0 If the \&\fButf8only\fR option is used then only UTF8Strings will be used: this @@ -486,30 +489,30 @@ option just uses PrintableStrings and T61Strings: certain software has problems with BMPStrings and UTF8Strings: in particular Netscape. .IP "\fBreq_extensions\fR" 4 .IX Item "req_extensions" -this specifies the configuration file section containing a list of +This specifies the configuration file section containing a list of extensions to add to the certificate request. It can be overridden -by the \fB\-reqexts\fR command line switch. See the +by the \fB\-reqexts\fR command line switch. See the \&\fIx509v3_config\fR\|(5) manual page for details of the extension section format. .IP "\fBx509_extensions\fR" 4 .IX Item "x509_extensions" -this specifies the configuration file section containing a list of +This specifies the configuration file section containing a list of extensions to add to certificate generated when the \fB\-x509\fR switch is used. It can be overridden by the \fB\-extensions\fR command line switch. .IP "\fBprompt\fR" 4 .IX Item "prompt" -if set to the value \fBno\fR this disables prompting of certificate fields +If set to the value \fBno\fR this disables prompting of certificate fields and just takes values from the config file directly. It also changes the expected format of the \fBdistinguished_name\fR and \fBattributes\fR sections. .IP "\fButf8\fR" 4 .IX Item "utf8" -if set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0 +If set to the value \fByes\fR then field values to be interpreted as \s-1UTF8\s0 strings, by default they are interpreted as \s-1ASCII.\s0 This means that the field values, whether prompted from a terminal or obtained from a configuration file, must be valid \s-1UTF8\s0 strings. .IP "\fBattributes\fR" 4 .IX Item "attributes" -this specifies the section containing any request attributes: its format +This specifies the section containing any request attributes: its format is the same as \fBdistinguished_name\fR. Typically these may contain the challengePassword or unstructuredName types. They are currently ignored by OpenSSL's request signing utilities but some CAs might want them. @@ -622,7 +625,7 @@ Sample configuration file prompting for field values: \& default_keyfile = privkey.pem \& distinguished_name = req_distinguished_name \& attributes = req_attributes -\& x509_extensions = v3_ca +\& req_extensions = v3_ca \& \& dirstring_type = nobmp \& @@ -651,7 +654,7 @@ Sample configuration file prompting for field values: \& \& subjectKeyIdentifier=hash \& authorityKeyIdentifier=keyid:always,issuer:always -\& basicConstraints = CA:true +\& basicConstraints = critical, CA:true .Ve .PP Sample configuration containing all field values: @@ -679,6 +682,16 @@ Sample configuration containing all field values: \& [ req_attributes ] \& challengePassword = A challenge password .Ve +.PP +Example of giving the most common attributes (subject and extensions) +on the command line: +.PP +.Vb 4 +\& openssl req \-new \-subj "/C=GB/CN=foo" \e +\& \-addext "subjectAltName = DNS:foo.co.uk" \e +\& \-addext "certificatePolicies = 1.2.3.4" \e +\& \-newkey rsa:2048 \-keyout key.pem \-out req.pem +.Ve .SH "NOTES" .IX Header "NOTES" The header and footer lines in the \fB\s-1PEM\s0\fR format are normally: @@ -742,12 +755,6 @@ the correct empty \fB\s-1SET OF\s0\fR structure (the \s-1DER\s0 encoding of whic then the \fB\s-1SET OF\s0\fR is missing and the encoding is technically invalid (but it is tolerated). See the description of the command line option \fB\-asn1\-kludge\fR for more information. -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -The variable \fB\s-1OPENSSL_CONF\s0\fR if defined allows an alternative configuration -file location to be specified, it will be overridden by the \fB\-config\fR command -line switch if it is present. For compatibility reasons the \fB\s-1SSLEAY_CONF\s0\fR -environment variable serves the same purpose but its use is discouraged. .SH "BUGS" .IX Header "BUGS" OpenSSL's handling of T61Strings (aka TeletexStrings) is broken: it effectively @@ -769,3 +776,11 @@ address in subjectAltName should be input by the user. \&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), \&\fIgendsa\fR\|(1), \fIconfig\fR\|(5), \&\fIx509v3_config\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/rsa.1 b/secure/usr.bin/openssl/man/rsa.1 index 59adddec669f..1f1c8644f3bb 100644 --- a/secure/usr.bin/openssl/man/rsa.1 +++ b/secure/usr.bin/openssl/man/rsa.1 @@ -129,27 +129,29 @@ .\" ======================================================================== .\" .IX Title "RSA 1" -.TH RSA 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH RSA 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-rsa, -rsa \- RSA key processing tool +openssl\-rsa, rsa \- RSA key processing tool .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBrsa\fR +[\fB\-help\fR] [\fB\-inform PEM|NET|DER\fR] [\fB\-outform PEM|NET|DER\fR] [\fB\-in filename\fR] [\fB\-passin arg\fR] [\fB\-out filename\fR] [\fB\-passout arg\fR] -[\fB\-sgckey\fR] [\fB\-aes128\fR] [\fB\-aes192\fR] [\fB\-aes256\fR] +[\fB\-aria128\fR] +[\fB\-aria192\fR] +[\fB\-aria256\fR] [\fB\-camellia128\fR] [\fB\-camellia192\fR] [\fB\-camellia256\fR] @@ -172,8 +174,11 @@ forms and their components printed out. \fBNote\fR this command uses the traditional SSLeay compatible format for private key encryption: newer applications should use the more secure PKCS#8 format using the \fBpkcs8\fR utility. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|NET|PEM\fR" 4 .IX Item "-inform DER|NET|PEM" This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded @@ -184,8 +189,8 @@ keys are also accepted. The \fB\s-1NET\s0\fR form is a format is described in th section. .IP "\fB\-outform DER|NET|PEM\fR" 4 .IX Item "-outform DER|NET|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read a key from or standard input if this @@ -193,7 +198,7 @@ option is not specified. If the key is encrypted a pass phrase will be prompted for. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the input file password source. For more information about the format of \fBarg\fR +The input file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" @@ -203,14 +208,10 @@ will be prompted for. The output filename should \fBnot\fR be the same as the in filename. .IP "\fB\-passout password\fR" 4 .IX Item "-passout password" -the output file password source. For more information about the format of \fBarg\fR +The output file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-sgckey\fR" 4 -.IX Item "-sgckey" -use the modified \s-1NET\s0 algorithm used with some versions of Microsoft \s-1IIS\s0 and \s-1SGC\s0 -keys. -.IP "\fB\-aes128|\-aes192|\-aes256|\-camellia128|\-camellia192|\-camellia256|\-des|\-des3|\-idea\fR" 4 -.IX Item "-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea" +.IP "\fB\-aes128\fR, \fB\-aes192\fR, \fB\-aes256\fR, \fB\-aria128\fR, \fB\-aria192\fR, \fB\-aria256\fR, \fB\-camellia128\fR, \fB\-camellia192\fR, \fB\-camellia256\fR, \fB\-des\fR, \fB\-des3\fR, \fB\-idea\fR" 4 +.IX Item "-aes128, -aes192, -aes256, -aria128, -aria192, -aria256, -camellia128, -camellia192, -camellia256, -des, -des3, -idea" These options encrypt the private key with the specified cipher before outputting it. A pass phrase is prompted for. If none of these options is specified the key is written in plain text. This @@ -220,32 +221,32 @@ setting the encryption options it can be use to add or change the pass phrase. These options can only be used with \s-1PEM\s0 format output files. .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out the various public or private key components in +Prints out the various public or private key components in plain text in addition to the encoded version. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option prevents output of the encoded version of the key. +This option prevents output of the encoded version of the key. .IP "\fB\-modulus\fR" 4 .IX Item "-modulus" -this option prints out the value of the modulus of the key. +This option prints out the value of the modulus of the key. .IP "\fB\-check\fR" 4 .IX Item "-check" -this option checks the consistency of an \s-1RSA\s0 private key. +This option checks the consistency of an \s-1RSA\s0 private key. .IP "\fB\-pubin\fR" 4 .IX Item "-pubin" -by default a private key is read from the input file: with this +By default a private key is read from the input file: with this option a public key is read instead. .IP "\fB\-pubout\fR" 4 .IX Item "-pubout" -by default a private key is output: with this option a public +By default a private key is output: with this option a public key will be output instead. This option is automatically set if the input is a public key. .IP "\fB\-RSAPublicKey_in\fR, \fB\-RSAPublicKey_out\fR" 4 .IX Item "-RSAPublicKey_in, -RSAPublicKey_out" -like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead. +Like \fB\-pubin\fR and \fB\-pubout\fR except \fBRSAPublicKey\fR format is used instead. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBrsa\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBrsa\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -281,8 +282,7 @@ files. To use these with the utility, view the file with a binary editor and look for the string \*(L"private-key\*(R", then trace back to the byte sequence 0x30, 0x82 (this is an \s-1ASN1 SEQUENCE\s0). Copy all the data from this point onwards to another file and use that as the input -to the \fBrsa\fR utility with the \fB\-inform \s-1NET\s0\fR option. If you get -an error after entering the password try the \fB\-sgckey\fR option. +to the \fBrsa\fR utility with the \fB\-inform \s-1NET\s0\fR option. .SH "EXAMPLES" .IX Header "EXAMPLES" To remove the pass phrase on an \s-1RSA\s0 private key: @@ -331,3 +331,11 @@ without having to manually edit them. .IX Header "SEE ALSO" \&\fIpkcs8\fR\|(1), \fIdsa\fR\|(1), \fIgenrsa\fR\|(1), \&\fIgendsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/rsautl.1 b/secure/usr.bin/openssl/man/rsautl.1 index fc1a0da59a7e..9a2183296025 100644 --- a/secure/usr.bin/openssl/man/rsautl.1 +++ b/secure/usr.bin/openssl/man/rsautl.1 @@ -129,26 +129,29 @@ .\" ======================================================================== .\" .IX Title "RSAUTL 1" -.TH RSAUTL 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH RSAUTL 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-rsautl, -rsautl \- RSA utility +openssl\-rsautl, rsautl \- RSA utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBrsautl\fR +[\fB\-help\fR] [\fB\-in file\fR] [\fB\-out file\fR] [\fB\-inkey file\fR] +[\fB\-keyform PEM|DER|ENGINE\fR] [\fB\-pubin\fR] [\fB\-certin\fR] [\fB\-sign\fR] [\fB\-verify\fR] [\fB\-encrypt\fR] [\fB\-decrypt\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-pkcs\fR] [\fB\-ssl\fR] [\fB\-raw\fR] @@ -158,50 +161,67 @@ rsautl \- RSA utility .IX Header "DESCRIPTION" The \fBrsautl\fR command can be used to sign, verify, encrypt and decrypt data using the \s-1RSA\s0 algorithm. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read data from or standard input if this option is not specified. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -specifies the output filename to write to or standard output by +Specifies the output filename to write to or standard output by default. .IP "\fB\-inkey file\fR" 4 .IX Item "-inkey file" -the input key file, by default it should be an \s-1RSA\s0 private key. +The input key file, by default it should be an \s-1RSA\s0 private key. +.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4 +.IX Item "-keyform PEM|DER|ENGINE" +The key format \s-1PEM, DER\s0 or \s-1ENGINE.\s0 .IP "\fB\-pubin\fR" 4 .IX Item "-pubin" -the input file is an \s-1RSA\s0 public key. +The input file is an \s-1RSA\s0 public key. .IP "\fB\-certin\fR" 4 .IX Item "-certin" -the input is a certificate containing an \s-1RSA\s0 public key. +The input is a certificate containing an \s-1RSA\s0 public key. .IP "\fB\-sign\fR" 4 .IX Item "-sign" -sign the input data and output the signed result. This requires -and \s-1RSA\s0 private key. +Sign the input data and output the signed result. This requires +an \s-1RSA\s0 private key. .IP "\fB\-verify\fR" 4 .IX Item "-verify" -verify the input data and output the recovered data. +Verify the input data and output the recovered data. .IP "\fB\-encrypt\fR" 4 .IX Item "-encrypt" -encrypt the input data using an \s-1RSA\s0 public key. +Encrypt the input data using an \s-1RSA\s0 public key. .IP "\fB\-decrypt\fR" 4 .IX Item "-decrypt" -decrypt the input data using an \s-1RSA\s0 private key. +Decrypt the input data using an \s-1RSA\s0 private key. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-pkcs, \-oaep, \-ssl, \-raw\fR" 4 .IX Item "-pkcs, -oaep, -ssl, -raw" -the padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,\s0 +The padding to use: PKCS#1 v1.5 (the default), PKCS#1 \s-1OAEP,\s0 special padding used in \s-1SSL\s0 v2 backwards compatible handshakes, or no padding, respectively. For signatures, only \fB\-pkcs\fR and \fB\-raw\fR can be used. .IP "\fB\-hexdump\fR" 4 .IX Item "-hexdump" -hex dump the output data. +Hex dump the output data. .IP "\fB\-asn1parse\fR" 4 .IX Item "-asn1parse" -asn1parse the output data, this is useful when combined with the +Parse the \s-1ASN.1\s0 output data, this is useful when combined with the \&\fB\-verify\fR option. .SH "NOTES" .IX Header "NOTES" @@ -247,23 +267,23 @@ example in certs/pca\-cert.pem . Running \fBasn1parse\fR as follows yields: .Vb 1 \& openssl asn1parse \-in pca\-cert.pem \& -\& 0:d=0 hl=4 l= 742 cons: SEQUENCE -\& 4:d=1 hl=4 l= 591 cons: SEQUENCE -\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ] +\& 0:d=0 hl=4 l= 742 cons: SEQUENCE +\& 4:d=1 hl=4 l= 591 cons: SEQUENCE +\& 8:d=2 hl=2 l= 3 cons: cont [ 0 ] \& 10:d=3 hl=2 l= 1 prim: INTEGER :02 \& 13:d=2 hl=2 l= 1 prim: INTEGER :00 -\& 16:d=2 hl=2 l= 13 cons: SEQUENCE +\& 16:d=2 hl=2 l= 13 cons: SEQUENCE \& 18:d=3 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption -\& 29:d=3 hl=2 l= 0 prim: NULL -\& 31:d=2 hl=2 l= 92 cons: SEQUENCE -\& 33:d=3 hl=2 l= 11 cons: SET -\& 35:d=4 hl=2 l= 9 cons: SEQUENCE +\& 29:d=3 hl=2 l= 0 prim: NULL +\& 31:d=2 hl=2 l= 92 cons: SEQUENCE +\& 33:d=3 hl=2 l= 11 cons: SET +\& 35:d=4 hl=2 l= 9 cons: SEQUENCE \& 37:d=5 hl=2 l= 3 prim: OBJECT :countryName \& 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU \& .... -\& 599:d=1 hl=2 l= 13 cons: SEQUENCE +\& 599:d=1 hl=2 l= 13 cons: SEQUENCE \& 601:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption -\& 612:d=2 hl=2 l= 0 prim: NULL +\& 612:d=2 hl=2 l= 0 prim: NULL \& 614:d=1 hl=3 l= 129 prim: BIT STRING .Ve .PP @@ -284,11 +304,11 @@ The signature can be analysed with: .Vb 1 \& openssl rsautl \-in sig \-verify \-asn1parse \-inkey pubkey.pem \-pubin \& -\& 0:d=0 hl=2 l= 32 cons: SEQUENCE -\& 2:d=1 hl=2 l= 12 cons: SEQUENCE +\& 0:d=0 hl=2 l= 32 cons: SEQUENCE +\& 2:d=1 hl=2 l= 12 cons: SEQUENCE \& 4:d=2 hl=2 l= 8 prim: OBJECT :md5 -\& 14:d=2 hl=2 l= 0 prim: NULL -\& 16:d=1 hl=2 l= 16 prim: OCTET STRING +\& 14:d=2 hl=2 l= 0 prim: NULL +\& 16:d=1 hl=2 l= 16 prim: OCTET STRING \& 0000 \- f3 46 9e aa 1a 4a 73 c9\-37 ea 93 00 48 25 08 b5 .F...Js.7...H%.. .Ve .PP @@ -311,3 +331,11 @@ which it can be seen agrees with the recovered value above. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIdgst\fR\|(1), \fIrsa\fR\|(1), \fIgenrsa\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/s_client.1 b/secure/usr.bin/openssl/man/s_client.1 index a02eab0c33a1..79283319546f 100644 --- a/secure/usr.bin/openssl/man/s_client.1 +++ b/secure/usr.bin/openssl/man/s_client.1 @@ -129,31 +129,81 @@ .\" ======================================================================== .\" .IX Title "S_CLIENT 1" -.TH S_CLIENT 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH S_CLIENT 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-s_client, -s_client \- SSL/TLS client program +openssl\-s_client, s_client \- SSL/TLS client program .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBs_client\fR +[\fB\-help\fR] [\fB\-connect host:port\fR] +[\fB\-bind host:port\fR] +[\fB\-proxy host:port\fR] +[\fB\-unix path\fR] +[\fB\-4\fR] +[\fB\-6\fR] [\fB\-servername name\fR] +[\fB\-noservername\fR] [\fB\-verify depth\fR] [\fB\-verify_return_error\fR] [\fB\-cert filename\fR] [\fB\-certform DER|PEM\fR] [\fB\-key filename\fR] [\fB\-keyform DER|PEM\fR] +[\fB\-cert_chain filename\fR] +[\fB\-build_chain\fR] +[\fB\-xkey\fR] +[\fB\-xcert\fR] +[\fB\-xchain\fR] +[\fB\-xchain_build\fR] +[\fB\-xcertform PEM|DER\fR] +[\fB\-xkeyform PEM|DER\fR] [\fB\-pass arg\fR] [\fB\-CApath directory\fR] [\fB\-CAfile filename\fR] +[\fB\-chainCApath directory\fR] +[\fB\-chainCAfile filename\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-requestCAfile filename\fR] +[\fB\-dane_tlsa_domain domain\fR] +[\fB\-dane_tlsa_rrdata rrdata\fR] +[\fB\-dane_ee_no_namechecks\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-no_check_time\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] [\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level num\fR] +[\fB\-nameopt option\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-build_chain\fR] +[\fB\-x509_strict\fR] [\fB\-reconnect\fR] -[\fB\-pause\fR] [\fB\-showcerts\fR] [\fB\-debug\fR] [\fB\-msg\fR] @@ -163,32 +213,60 @@ s_client \- SSL/TLS client program [\fB\-crlf\fR] [\fB\-ign_eof\fR] [\fB\-no_ign_eof\fR] +[\fB\-psk_identity identity\fR] +[\fB\-psk key\fR] +[\fB\-psk_session file\fR] [\fB\-quiet\fR] -[\fB\-ssl2\fR] [\fB\-ssl3\fR] [\fB\-tls1\fR] -[\fB\-no_ssl2\fR] +[\fB\-tls1_1\fR] +[\fB\-tls1_2\fR] +[\fB\-tls1_3\fR] [\fB\-no_ssl3\fR] [\fB\-no_tls1\fR] [\fB\-no_tls1_1\fR] [\fB\-no_tls1_2\fR] +[\fB\-no_tls1_3\fR] +[\fB\-dtls\fR] +[\fB\-dtls1\fR] +[\fB\-dtls1_2\fR] +[\fB\-sctp\fR] [\fB\-fallback_scsv\fR] +[\fB\-async\fR] +[\fB\-max_send_frag\fR] +[\fB\-split_send_frag\fR] +[\fB\-max_pipelines\fR] +[\fB\-read_buf\fR] [\fB\-bugs\fR] +[\fB\-comp\fR] +[\fB\-no_comp\fR] +[\fB\-allow_no_dhe_kex\fR] [\fB\-sigalgs sigalglist\fR] [\fB\-curves curvelist\fR] [\fB\-cipher cipherlist\fR] +[\fB\-ciphersuites val\fR] [\fB\-serverpref\fR] [\fB\-starttls protocol\fR] +[\fB\-xmpphost hostname\fR] +[\fB\-name hostname\fR] [\fB\-engine id\fR] [\fB\-tlsextdebug\fR] [\fB\-no_ticket\fR] [\fB\-sess_out filename\fR] [\fB\-sess_in filename\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-serverinfo types\fR] [\fB\-status\fR] [\fB\-alpn protocols\fR] [\fB\-nextprotoneg protocols\fR] +[\fB\-ct\fR] +[\fB\-noct\fR] +[\fB\-ctlogfile\fR] +[\fB\-keylogfile file\fR] +[\fB\-early_data file\fR] +[\fB\-enable_pha\fR] +[\fBtarget\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBs_client\fR command implements a generic \s-1SSL/TLS\s0 client which connects @@ -196,13 +274,54 @@ to a remote host using \s-1SSL/TLS.\s0 It is a \fIvery\fR useful diagnostic tool \&\s-1SSL\s0 servers. .SH "OPTIONS" .IX Header "OPTIONS" +In addition to the options below the \fBs_client\fR utility also supports the +common and client only options documented in the +in the \*(L"Supported Command Line Commands\*(R" section of the \fISSL_CONF_cmd\fR\|(3) +manual page. +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-connect host:port\fR" 4 .IX Item "-connect host:port" -This specifies the host and optional port to connect to. If not specified -then an attempt is made to connect to the local host on port 4433. +This specifies the host and optional port to connect to. It is possible to +select the host and port using the optional target positional argument instead. +If neither this nor the target positional argument are specified then an attempt +is made to connect to the local host on port 4433. +.IP "\fB\-bind host:port\fR]" 4 +.IX Item "-bind host:port]" +This specifies the host address and or port to bind as the source for the +connection. For Unix-domain sockets the port is ignored and the host is +used as the source socket address. +.IP "\fB\-proxy host:port\fR" 4 +.IX Item "-proxy host:port" +When used with the \fB\-connect\fR flag, the program uses the host and port +specified with this flag and issues an \s-1HTTP CONNECT\s0 command to connect +to the desired server. +.IP "\fB\-unix path\fR" 4 +.IX Item "-unix path" +Connect over the specified Unix-domain socket. +.IP "\fB\-4\fR" 4 +.IX Item "-4" +Use IPv4 only. +.IP "\fB\-6\fR" 4 +.IX Item "-6" +Use IPv6 only. .IP "\fB\-servername name\fR" 4 .IX Item "-servername name" -Set the \s-1TLS SNI\s0 (Server Name Indication) extension in the ClientHello message. +Set the \s-1TLS SNI\s0 (Server Name Indication) extension in the ClientHello message to +the given value. If both this option and the \fB\-noservername\fR are not given, the +\&\s-1TLS SNI\s0 extension is still set to the hostname provided to the \fB\-connect\fR option, +or \*(L"localhost\*(R" if \fB\-connect\fR has not been supplied. This is default since OpenSSL +1.1.1. +.Sp +Even though \s-1SNI\s0 name should normally be a \s-1DNS\s0 name and not an \s-1IP\s0 address, this +option will not make the distinction when parsing \fB\-connect\fR and will send +\&\s-1IP\s0 address if one passed. +.IP "\fB\-noservername\fR" 4 +.IX Item "-noservername" +Suppresses sending of the \s-1SNI\s0 (Server Name Indication) extension in the +ClientHello message. Cannot be used in conjunction with the \fB\-servername\fR or +<\-dane_tlsa_domain> options. .IP "\fB\-cert certname\fR" 4 .IX Item "-cert certname" The certificate to use, if one is requested by the server. The default is @@ -217,6 +336,29 @@ be used. .IP "\fB\-keyform format\fR" 4 .IX Item "-keyform format" The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. +.IP "\fB\-cert_chain\fR" 4 +.IX Item "-cert_chain" +A file containing trusted certificates to use when attempting to build the +client/server certificate chain related to the certificate specified via the +\&\fB\-cert\fR option. +.IP "\fB\-build_chain\fR" 4 +.IX Item "-build_chain" +Specify whether the application should build the certificate chain to be +provided to the server. +.IP "\fB\-xkey infile\fR, \fB\-xcert infile\fR, \fB\-xchain\fR" 4 +.IX Item "-xkey infile, -xcert infile, -xchain" +Specify an extra certificate, private key and certificate chain. These behave +in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When +specified, the callback returning the first valid chain will be in use by the +client. +.IP "\fB\-xchain_build\fR" 4 +.IX Item "-xchain_build" +Specify whether the application should build the certificate chain to be +provided to the server for the extra certificates provided via \fB\-xkey infile\fR, +\&\fB\-xcert infile\fR, \fB\-xchain\fR options. +.IP "\fB\-xcertform PEM|DER\fR, \fB\-xkeyform PEM|DER\fR" 4 +.IX Item "-xcertform PEM|DER, -xkeyform PEM|DER" +Extra certificate and private key format respectively. .IP "\fB\-pass arg\fR" 4 .IX Item "-pass arg" the private key password source. For more information about the format of \fBarg\fR @@ -232,26 +374,103 @@ will never fail due to a server certificate verify failure. .IX Item "-verify_return_error" Return verification errors instead of continuing. This will typically abort the handshake with a fatal error. +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. .IP "\fB\-CApath directory\fR" 4 .IX Item "-CApath directory" The directory to use for server certificate verification. This directory -must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are +must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. These are also used when building the client certificate chain. .IP "\fB\-CAfile file\fR" 4 .IX Item "-CAfile file" A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig \-no_alt_chains\fR" 4 -.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains" -Set various certificate chain valiadition option. See the -\&\fBverify\fR manual page for details. +.IP "\fB\-chainCApath directory\fR" 4 +.IX Item "-chainCApath directory" +The directory to use for building the chain provided to the server. This +directory must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. +.IP "\fB\-chainCAfile file\fR" 4 +.IX Item "-chainCAfile file" +A file containing trusted certificates to use when attempting to build the +client certificate chain. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location +.IP "\fB\-requestCAfile file\fR" 4 +.IX Item "-requestCAfile file" +A file containing a list of certificates whose subject names will be sent +to the server in the \fBcertificate_authorities\fR extension. Only supported +for \s-1TLS 1.3\s0 +.IP "\fB\-dane_tlsa_domain domain\fR" 4 +.IX Item "-dane_tlsa_domain domain" +Enable \s-1RFC6698/RFC7671 DANE TLSA\s0 authentication and specify the +\&\s-1TLSA\s0 base domain which becomes the default \s-1SNI\s0 hint and the primary +reference identifier for hostname checks. This must be used in +combination with at least one instance of the \fB\-dane_tlsa_rrdata\fR +option below. +.Sp +When \s-1DANE\s0 authentication succeeds, the diagnostic output will include +the lowest (closest to 0) depth at which a \s-1TLSA\s0 record authenticated +a chain certificate. When that \s-1TLSA\s0 record is a \*(L"2 1 0\*(R" trust +anchor public key that signed (rather than matched) the top-most +certificate of the chain, the result is reported as \*(L"\s-1TA\s0 public key +verified\*(R". Otherwise, either the \s-1TLSA\s0 record \*(L"matched \s-1TA\s0 certificate\*(R" +at a positive depth or else \*(L"matched \s-1EE\s0 certificate\*(R" at depth 0. +.IP "\fB\-dane_tlsa_rrdata rrdata\fR" 4 +.IX Item "-dane_tlsa_rrdata rrdata" +Use one or more times to specify the \s-1RRDATA\s0 fields of the \s-1DANE TLSA\s0 +RRset associated with the target service. The \fBrrdata\fR value is +specied in \*(L"presentation form\*(R", that is four whitespace separated +fields that specify the usage, selector, matching type and associated +data, with the last of these encoded in hexadecimal. Optional +whitespace is ignored in the associated data field. For example: +.Sp +.Vb 12 +\& $ openssl s_client \-brief \-starttls smtp \e +\& \-connect smtp.example.com:25 \e +\& \-dane_tlsa_domain smtp.example.com \e +\& \-dane_tlsa_rrdata "2 1 1 +\& B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B" \e +\& \-dane_tlsa_rrdata "2 1 1 +\& 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18" +\& ... +\& Verification: OK +\& Verified peername: smtp.example.com +\& DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1 +\& ... +.Ve +.IP "\fB\-dane_ee_no_namechecks\fR" 4 +.IX Item "-dane_ee_no_namechecks" +This disables server name checks when authenticating via \s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 +records. +For some applications, primarily web browsers, it is not safe to disable name +checks due to \*(L"unknown key share\*(R" attacks, in which a malicious server can +convince a client that a connection to a victim server is instead a secure +connection to the malicious server. +The malicious server may then be able to violate cross-origin scripting +restrictions. +Thus, despite the text of \s-1RFC7671,\s0 name checks are by default enabled for +\&\s-1\fIDANE\-EE\s0\fR\|(3) \s-1TLSA\s0 records, and can be disabled in applications where it is safe +to do so. +In particular, \s-1SMTP\s0 and \s-1XMPP\s0 clients should set this option as \s-1SRV\s0 and \s-1MX\s0 +records already make it possible for a remote domain to redirect client +connections to any server of its choice, and in any case \s-1SMTP\s0 and \s-1XMPP\s0 clients +do not execute scripts downloaded from remote servers. +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set various certificate chain validation options. See the +\&\fIverify\fR\|(1) manual page for details. .IP "\fB\-reconnect\fR" 4 .IX Item "-reconnect" -reconnects to the same server 5 times using the same session \s-1ID,\s0 this can +Reconnects to the same server 5 times using the same session \s-1ID,\s0 this can be used as a test that session caching is working. -.IP "\fB\-pause\fR" 4 -.IX Item "-pause" -pauses 1 second between each read and write call. .IP "\fB\-showcerts\fR" 4 .IX Item "-showcerts" Displays the server certificate list as sent by the server: it only consists of @@ -259,7 +478,7 @@ certificates the server has sent (in the order the server has sent them). It is \&\fBnot\fR a verified chain. .IP "\fB\-prexit\fR" 4 .IX Item "-prexit" -print session information when the program exits. This will always attempt +Print session information when the program exits. This will always attempt to print out information even if the connection fails. Normally information will only be printed out once if the connection succeeds. This option is useful because the cipher in use may be renegotiated or the connection may fail @@ -269,34 +488,41 @@ option is not always accurate because a connection might never have been established. .IP "\fB\-state\fR" 4 .IX Item "-state" -prints out the \s-1SSL\s0 session states. +Prints out the \s-1SSL\s0 session states. .IP "\fB\-debug\fR" 4 .IX Item "-debug" -print extensive debugging information including a hex dump of all traffic. +Print extensive debugging information including a hex dump of all traffic. .IP "\fB\-msg\fR" 4 .IX Item "-msg" -show all protocol messages with hex dump. +Show all protocol messages with hex dump. +.IP "\fB\-trace\fR" 4 +.IX Item "-trace" +Show verbose trace output of protocol messages. OpenSSL needs to be compiled +with \fBenable-ssl-trace\fR for this option to work. +.IP "\fB\-msgfile\fR" 4 +.IX Item "-msgfile" +File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output. .IP "\fB\-nbio_test\fR" 4 .IX Item "-nbio_test" -tests non-blocking I/O +Tests non-blocking I/O .IP "\fB\-nbio\fR" 4 .IX Item "-nbio" -turns on non-blocking I/O +Turns on non-blocking I/O .IP "\fB\-crlf\fR" 4 .IX Item "-crlf" -this option translated a line feed from the terminal into \s-1CR+LF\s0 as required +This option translated a line feed from the terminal into \s-1CR+LF\s0 as required by some servers. .IP "\fB\-ign_eof\fR" 4 .IX Item "-ign_eof" -inhibit shutting down the connection when end of file is reached in the +Inhibit shutting down the connection when end of file is reached in the input. .IP "\fB\-quiet\fR" 4 .IX Item "-quiet" -inhibit printing of session and certificate information. This implicitly +Inhibit printing of session and certificate information. This implicitly turns on \fB\-ign_eof\fR as well. .IP "\fB\-no_ign_eof\fR" 4 .IX Item "-no_ign_eof" -shut down the connection when end of file is reached in the input. +Shut down the connection when end of file is reached in the input. Can be used to override the implicit \fB\-ign_eof\fR after \fB\-quiet\fR. .IP "\fB\-psk_identity identity\fR" 4 .IX Item "-psk_identity identity" @@ -308,18 +534,82 @@ Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key i given as a hexadecimal number without leading 0x, for example \-psk 1a2b3c4d. This option must be provided in order to use a \s-1PSK\s0 cipher. -.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4 -.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2" +.IP "\fB\-psk_session file\fR" 4 +.IX Item "-psk_session file" +Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fBfile\fR as the basis of a \s-1PSK.\s0 +Note that this will only work if TLSv1.3 is negotiated. +.IP "\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4 +.IX Item "-ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3" These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols. -By default the initial handshake uses a \fIversion-flexible\fR method which will -negotiate the highest mutually supported protocol version. +By default \fBs_client\fR will negotiate the highest mutually supported protocol +version. +When a specific \s-1TLS\s0 version is required, only that version will be offered to +and accepted from the server. +Note that not all protocols and flags may be available, depending on how +OpenSSL was built. +.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4 +.IX Item "-dtls, -dtls1, -dtls1_2" +These options make \fBs_client\fR use \s-1DTLS\s0 protocols instead of \s-1TLS.\s0 +With \fB\-dtls\fR, \fBs_client\fR will negotiate any supported \s-1DTLS\s0 protocol version, +whilst \fB\-dtls1\fR and \fB\-dtls1_2\fR will only support \s-1DTLS1.0\s0 and \s-1DTLS1.2\s0 +respectively. +.IP "\fB\-sctp\fR" 4 +.IX Item "-sctp" +Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in +conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only +available where OpenSSL has support for \s-1SCTP\s0 enabled. .IP "\fB\-fallback_scsv\fR" 4 .IX Item "-fallback_scsv" Send \s-1TLS_FALLBACK_SCSV\s0 in the ClientHello. +.IP "\fB\-async\fR" 4 +.IX Item "-async" +Switch on asynchronous mode. Cryptographic operations will be performed +asynchronously. This will only have an effect if an asynchronous capable engine +is also used via the \fB\-engine\fR option. For test purposes the dummy async engine +(dasync) can be used (if available). +.IP "\fB\-max_send_frag int\fR" 4 +.IX Item "-max_send_frag int" +The maximum size of data fragment to send. +See \fISSL_CTX_set_max_send_fragment\fR\|(3) for further information. +.IP "\fB\-split_send_frag int\fR" 4 +.IX Item "-split_send_frag int" +The size used to split data for encrypt pipelines. If more data is written in +one go than this value then it will be split into multiple pipelines, up to the +maximum number of pipelines defined by max_pipelines. This only has an effect if +a suitable cipher suite has been negotiated, an engine that supports pipelining +has been loaded, and max_pipelines is greater than 1. See +\&\fISSL_CTX_set_split_send_fragment\fR\|(3) for further information. +.IP "\fB\-max_pipelines int\fR" 4 +.IX Item "-max_pipelines int" +The maximum number of encrypt/decrypt pipelines to be used. This will only have +an effect if an engine has been loaded that supports pipelining (e.g. the dasync +engine) and a suitable cipher suite has been negotiated. The default value is 1. +See \fISSL_CTX_set_max_pipelines\fR\|(3) for further information. +.IP "\fB\-read_buf int\fR" 4 +.IX Item "-read_buf int" +The default read buffer size to be used for connections. This will only have an +effect if the buffer size is larger than the size that would otherwise be used +and pipelining is in use (see \fISSL_CTX_set_default_read_buffer_len\fR\|(3) for +further information). .IP "\fB\-bugs\fR" 4 .IX Item "-bugs" -there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +There are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this option enables various workarounds. +.IP "\fB\-comp\fR" 4 +.IX Item "-comp" +Enables support for \s-1SSL/TLS\s0 compression. +This option was introduced in OpenSSL 1.1.0. +\&\s-1TLS\s0 compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP "\fB\-no_comp\fR" 4 +.IX Item "-no_comp" +Disables support for \s-1SSL/TLS\s0 compression. +\&\s-1TLS\s0 compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP "\fB\-brief\fR" 4 +.IX Item "-brief" +Only provide a brief summary of connection parameters instead of the +normal verbose output. .IP "\fB\-sigalgs sigalglist\fR" 4 .IX Item "-sigalgs sigalglist" Specifies the list of signature algorithms that are sent by the client. @@ -328,83 +618,162 @@ For example strings, see \fISSL_CTX_set1_sigalgs\fR\|(3) .IP "\fB\-curves curvelist\fR" 4 .IX Item "-curves curvelist" Specifies the list of supported curves to be sent by the client. The curve is -is ultimately selected by the server. For a list of all curves, use: +ultimately selected by the server. For a list of all curves, use: .Sp .Vb 1 \& $ openssl ecparam \-list_curves .Ve .IP "\fB\-cipher cipherlist\fR" 4 .IX Item "-cipher cipherlist" -this allows the cipher list sent by the client to be modified. Although -the server determines which cipher suite is used it should take the first -supported cipher in the list sent by the client. See the \fBciphers\fR -command for more information. -.IP "\fB\-serverpref\fR" 4 -.IX Item "-serverpref" -use the server's cipher preferences; only used for \s-1SSLV2.\s0 +This allows the TLSv1.2 and below cipher list sent by the client to be modified. +This list will be combined with any TLSv1.3 ciphersuites that have been +configured. Although the server determines which ciphersuite is used it should +take the first supported cipher in the list sent by the client. See the +\&\fBciphers\fR command for more information. +.IP "\fB\-ciphersuites val\fR" 4 +.IX Item "-ciphersuites val" +This allows the TLSv1.3 ciphersuites sent by the client to be modified. This +list will be combined with any TLSv1.2 and below ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See the +\&\fBciphers\fR command for more information. The format for this list is a simple +colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. .IP "\fB\-starttls protocol\fR" 4 .IX Item "-starttls protocol" -send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication. +Send the protocol-specific message(s) to switch to \s-1TLS\s0 for communication. \&\fBprotocol\fR is a keyword for the intended protocol. Currently, the only -supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R" and \*(L"xmpp\*(R". +supported keywords are \*(L"smtp\*(R", \*(L"pop3\*(R", \*(L"imap\*(R", \*(L"ftp\*(R", \*(L"xmpp\*(R", \*(L"xmpp-server\*(R", +\&\*(L"irc\*(R", \*(L"postgres\*(R", \*(L"mysql\*(R", \*(L"lmtp\*(R", \*(L"nntp\*(R", \*(L"sieve\*(R" and \*(L"ldap\*(R". +.IP "\fB\-xmpphost hostname\fR" 4 +.IX Item "-xmpphost hostname" +This option, when used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R", +specifies the host for the \*(L"to\*(R" attribute of the stream element. +If this option is not specified, then the host specified with \*(L"\-connect\*(R" +will be used. +.Sp +This option is an alias of the \fB\-name\fR option for \*(L"xmpp\*(R" and \*(L"xmpp-server\*(R". +.IP "\fB\-name hostname\fR" 4 +.IX Item "-name hostname" +This option is used to specify hostname information for various protocols +used with \fB\-starttls\fR option. Currently only \*(L"xmpp\*(R", \*(L"xmpp-server\*(R", +\&\*(L"smtp\*(R" and \*(L"lmtp\*(R" can utilize this \fB\-name\fR option. +.Sp +If this option is used with \*(L"\-starttls xmpp\*(R" or \*(L"\-starttls xmpp-server\*(R", +if specifies the host for the \*(L"to\*(R" attribute of the stream element. If this +option is not specified, then the host specified with \*(L"\-connect\*(R" will be used. +.Sp +If this option is used with \*(L"\-starttls lmtp\*(R" or \*(L"\-starttls smtp\*(R", it specifies +the name to use in the \*(L"\s-1LMTP LHLO\*(R"\s0 or \*(L"\s-1SMTP EHLO\*(R"\s0 message, respectively. If +this option is not specified, then \*(L"mail.example.com\*(R" will be used. .IP "\fB\-tlsextdebug\fR" 4 .IX Item "-tlsextdebug" -print out a hex dump of any \s-1TLS\s0 extensions received from the server. +Print out a hex dump of any \s-1TLS\s0 extensions received from the server. .IP "\fB\-no_ticket\fR" 4 .IX Item "-no_ticket" -disable RFC4507bis session ticket support. +Disable RFC4507bis session ticket support. .IP "\fB\-sess_out filename\fR" 4 .IX Item "-sess_out filename" -output \s-1SSL\s0 session to \fBfilename\fR +Output \s-1SSL\s0 session to \fBfilename\fR. .IP "\fB\-sess_in sess.pem\fR" 4 .IX Item "-sess_in sess.pem" -load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a +Load \s-1SSL\s0 session from \fBfilename\fR. The client will attempt to resume a connection from this session. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBs_client\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBs_client\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-serverinfo types\fR" 4 .IX Item "-serverinfo types" -a list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and +A list of comma-separated \s-1TLS\s0 Extension Types (numbers between 0 and 65535). Each type will be sent as an empty ClientHello \s-1TLS\s0 Extension. The server's response (if any) will be encoded and displayed as a \s-1PEM\s0 file. .IP "\fB\-status\fR" 4 .IX Item "-status" -sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server +Sends a certificate status request to the server (\s-1OCSP\s0 stapling). The server response (if any) is printed out. .IP "\fB\-alpn protocols\fR, \fB\-nextprotoneg protocols\fR" 4 .IX Item "-alpn protocols, -nextprotoneg protocols" -these flags enable the -Enable the Application-Layer Protocol Negotiation or Next Protocol -Negotiation extension, respectively. \s-1ALPN\s0 is the \s-1IETF\s0 standard and -replaces \s-1NPN.\s0 -The \fBprotocols\fR list is a -comma-separated protocol names that the client should advertise -support for. The list should contain most wanted protocols first. -Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or -\&\*(L"spdy/3\*(R". -Empty list of protocols is treated specially and will cause the client to -advertise support for the \s-1TLS\s0 extension but disconnect just after -reciving ServerHello with a list of server supported protocols. +These flags enable the Enable the Application-Layer Protocol Negotiation +or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the +\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0 +The \fBprotocols\fR list is a comma-separated list of protocol names that +the client should advertise support for. The list should contain the most +desirable protocols first. Protocol names are printable \s-1ASCII\s0 strings, +for example \*(L"http/1.1\*(R" or \*(L"spdy/3\*(R". +An empty list of protocols is treated specially and will cause the +client to advertise support for the \s-1TLS\s0 extension but disconnect just +after receiving ServerHello with a list of server supported protocols. +The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used. +.IP "\fB\-ct\fR, \fB\-noct\fR" 4 +.IX Item "-ct, -noct" +Use one of these two options to control whether Certificate Transparency (\s-1CT\s0) +is enabled (\fB\-ct\fR) or disabled (\fB\-noct\fR). +If \s-1CT\s0 is enabled, signed certificate timestamps (SCTs) will be requested from +the server and reported at handshake completion. +.Sp +Enabling \s-1CT\s0 also enables \s-1OCSP\s0 stapling, as this is one possible delivery method +for SCTs. +.IP "\fB\-ctlogfile\fR" 4 +.IX Item "-ctlogfile" +A file containing a list of known Certificate Transparency logs. See +\&\fISSL_CTX_set_ctlog_list_file\fR\|(3) for the expected file format. +.IP "\fB\-keylogfile file\fR" 4 +.IX Item "-keylogfile file" +Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs +(like Wireshark) can decrypt \s-1TLS\s0 connections. +.IP "\fB\-early_data file\fR" 4 +.IX Item "-early_data file" +Reads the contents of the specified file and attempts to send it as early data +to the server. This will only work with resumed sessions that support early +data and when the server accepts the early data. +.IP "\fB\-enable_pha\fR" 4 +.IX Item "-enable_pha" +For TLSv1.3 only, send the Post-Handshake Authentication extension. This will +happen whether or not a certificate has been provided via \fB\-cert\fR. +.IP "\fB[target]\fR" 4 +.IX Item "[target]" +Rather than providing \fB\-connect\fR, the target hostname and optional port may +be provided as a single positional argument after all options. If neither this +nor \fB\-connect\fR are provided, falls back to attempting to connect to localhost +on port 4433. .SH "CONNECTED COMMANDS" .IX Header "CONNECTED COMMANDS" If a connection is established with an \s-1SSL\s0 server then any data received from the server is displayed and any key presses will be sent to the -server. When used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR -have been given), the session will be renegotiated if the line begins with an -\&\fBR\fR, and if the line begins with a \fBQ\fR or if end of file is reached, the -connection will be closed down. +server. If end of file is reached then the connection will be closed down. When +used interactively (which means neither \fB\-quiet\fR nor \fB\-ign_eof\fR have been +given), then certain commands are also recognized which perform special +operations. These commands are a letter which must appear at the start of a +line. They are listed below. +.IP "\fBQ\fR" 4 +.IX Item "Q" +End the current \s-1SSL\s0 connection and exit. +.IP "\fBR\fR" 4 +.IX Item "R" +Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only). +.IP "\fBB\fR" 4 +.IX Item "B" +Send a heartbeat message to the server (\s-1DTLS\s0 only) +.IP "\fBk\fR" 4 +.IX Item "k" +Send a key update message to the server (TLSv1.3 only) +.IP "\fBK\fR" 4 +.IX Item "K" +Send a key update message to the server and request one back (TLSv1.3 only) .SH "NOTES" .IX Header "NOTES" \&\fBs_client\fR can be used to debug \s-1SSL\s0 servers. To connect to an \s-1SSL HTTP\s0 @@ -418,8 +787,8 @@ would typically be used (https uses port 443). If the connection succeeds then an \s-1HTTP\s0 command can be given such as \*(L"\s-1GET /\*(R"\s0 to retrieve a web page. .PP If the handshake fails then there are several possible causes, if it is -nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR, -\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried +nothing obvious like no client certificate then the \fB\-bugs\fR, +\&\fB\-ssl3\fR, \fB\-tls1\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR options can be tried in case it is a buggy server. In particular you should play with these options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. .PP @@ -442,28 +811,38 @@ If there are problems verifying a server certificate then the \&\fB\-showcerts\fR option can be used to show all the certificates sent by the server. .PP -Since the SSLv23 client hello cannot include compression methods or extensions -these will only be supported if its use is disabled, for example by using the -\&\fB\-no_sslv2\fR option. -.PP The \fBs_client\fR utility is a test tool and is designed to continue the handshake after any certificate verification errors. As a result it will accept any certificate chain (trusted or not) sent by the peer. None test applications should \fBnot\fR do this as it makes them vulnerable to a \s-1MITM\s0 attack. This behaviour can be changed by with the \fB\-verify_return_error\fR option: any verify errors are then returned aborting the handshake. +.PP +The \fB\-bind\fR option may be useful if the server or a firewall requires +connections to come from some particular address and or port. .SH "BUGS" .IX Header "BUGS" -Because this program has a lot of options and also because some of -the techniques used are rather old, the C source of s_client is rather -hard to read and not a model of how things should be done. A typical -\&\s-1SSL\s0 client program would be much simpler. +Because this program has a lot of options and also because some of the +techniques used are rather old, the C source of \fBs_client\fR is rather hard to +read and not a model of how things should be done. +A typical \s-1SSL\s0 client program would be much simpler. .PP The \fB\-prexit\fR option is a bit of a hack. We should really report information whenever a session is renegotiated. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1) +\&\fISSL_CONF_cmd\fR\|(3), \fIsess_id\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1), +\&\fISSL_CTX_set_max_send_fragment\fR\|(3), \fISSL_CTX_set_split_send_fragment\fR\|(3), +\&\fISSL_CTX_set_max_pipelines\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. +The \fB\-no_alt_chains\fR option was first added to OpenSSL 1.1.0. +The \fB\-name\fR option was added in OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/s_server.1 b/secure/usr.bin/openssl/man/s_server.1 index 9e3198ad82a9..109d65719f85 100644 --- a/secure/usr.bin/openssl/man/s_server.1 +++ b/secure/usr.bin/openssl/man/s_server.1 @@ -129,111 +129,284 @@ .\" ======================================================================== .\" .IX Title "S_SERVER 1" -.TH S_SERVER 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH S_SERVER 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-s_server, -s_server \- SSL/TLS server program +openssl\-s_server, s_server \- SSL/TLS server program .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBs_server\fR -[\fB\-accept port\fR] -[\fB\-context id\fR] -[\fB\-verify depth\fR] -[\fB\-Verify depth\fR] -[\fB\-crl_check\fR] -[\fB\-crl_check_all\fR] -[\fB\-cert filename\fR] -[\fB\-certform DER|PEM\fR] -[\fB\-key keyfile\fR] -[\fB\-keyform DER|PEM\fR] -[\fB\-pass arg\fR] -[\fB\-dcert filename\fR] -[\fB\-dcertform DER|PEM\fR] -[\fB\-dkey keyfile\fR] -[\fB\-dkeyform DER|PEM\fR] -[\fB\-dpass arg\fR] -[\fB\-dhparam filename\fR] -[\fB\-nbio\fR] +[\fB\-help\fR] +[\fB\-port +int\fR] +[\fB\-accept val\fR] +[\fB\-unix val\fR] +[\fB\-4\fR] +[\fB\-6\fR] +[\fB\-unlink\fR] +[\fB\-context val\fR] +[\fB\-verify int\fR] +[\fB\-Verify int\fR] +[\fB\-cert infile\fR] +[\fB\-nameopt val\fR] +[\fB\-naccept +int\fR] +[\fB\-serverinfo val\fR] +[\fB\-certform PEM|DER\fR] +[\fB\-key infile\fR] +[\fB\-keyform format\fR] +[\fB\-pass val\fR] +[\fB\-dcert infile\fR] +[\fB\-dcertform PEM|DER\fR] +[\fB\-dkey infile\fR] +[\fB\-dkeyform PEM|DER\fR] +[\fB\-dpass val\fR] [\fB\-nbio_test\fR] [\fB\-crlf\fR] [\fB\-debug\fR] [\fB\-msg\fR] +[\fB\-msgfile outfile\fR] [\fB\-state\fR] -[\fB\-CApath directory\fR] -[\fB\-CAfile filename\fR] -[\fB\-no_alt_chains\fR] +[\fB\-CAfile infile\fR] +[\fB\-CApath dir\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] [\fB\-nocert\fR] -[\fB\-client_sigalgs sigalglist\fR] -[\fB\-named_curve curve\fR] -[\fB\-cipher cipherlist\fR] -[\fB\-serverpref\fR] [\fB\-quiet\fR] -[\fB\-no_tmp_rsa\fR] -[\fB\-ssl2\fR] -[\fB\-ssl3\fR] -[\fB\-tls1\fR] -[\fB\-no_ssl2\fR] -[\fB\-no_ssl3\fR] -[\fB\-no_tls1\fR] -[\fB\-no_dhe\fR] -[\fB\-bugs\fR] -[\fB\-hack\fR] +[\fB\-no_resume_ephemeral\fR] [\fB\-www\fR] [\fB\-WWW\fR] -[\fB\-HTTP\fR] -[\fB\-engine id\fR] +[\fB\-servername\fR] +[\fB\-servername_fatal\fR] +[\fB\-cert2 infile\fR] +[\fB\-key2 infile\fR] [\fB\-tlsextdebug\fR] -[\fB\-no_ticket\fR] -[\fB\-id_prefix arg\fR] -[\fB\-rand file(s)\fR] -[\fB\-serverinfo file\fR] -[\fB\-no_resumption_on_reneg\fR] +[\fB\-HTTP\fR] +[\fB\-id_prefix val\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-keymatexport val\fR] +[\fB\-keymatexportlen +int\fR] +[\fB\-CRL infile\fR] +[\fB\-crl_download\fR] +[\fB\-cert_chain infile\fR] +[\fB\-dcert_chain infile\fR] +[\fB\-chainCApath dir\fR] +[\fB\-verifyCApath dir\fR] +[\fB\-no_cache\fR] +[\fB\-ext_cache\fR] +[\fB\-CRLform PEM|DER\fR] +[\fB\-verify_return_error\fR] +[\fB\-verify_quiet\fR] +[\fB\-build_chain\fR] +[\fB\-chainCAfile infile\fR] +[\fB\-verifyCAfile infile\fR] +[\fB\-ign_eof\fR] +[\fB\-no_ign_eof\fR] [\fB\-status\fR] [\fB\-status_verbose\fR] -[\fB\-status_timeout nsec\fR] -[\fB\-status_url url\fR] -[\fB\-alpn protocols\fR] -[\fB\-nextprotoneg protocols\fR] +[\fB\-status_timeout int\fR] +[\fB\-status_url val\fR] +[\fB\-status_file infile\fR] +[\fB\-trace\fR] +[\fB\-security_debug\fR] +[\fB\-security_debug_verbose\fR] +[\fB\-brief\fR] +[\fB\-rev\fR] +[\fB\-async\fR] +[\fB\-ssl_config val\fR] +[\fB\-max_send_frag +int\fR] +[\fB\-split_send_frag +int\fR] +[\fB\-max_pipelines +int\fR] +[\fB\-read_buf +int\fR] +[\fB\-no_ssl3\fR] +[\fB\-no_tls1\fR] +[\fB\-no_tls1_1\fR] +[\fB\-no_tls1_2\fR] +[\fB\-no_tls1_3\fR] +[\fB\-bugs\fR] +[\fB\-no_comp\fR] +[\fB\-comp\fR] +[\fB\-no_ticket\fR] +[\fB\-serverpref\fR] +[\fB\-legacy_renegotiation\fR] +[\fB\-no_renegotiation\fR] +[\fB\-legacy_server_connect\fR] +[\fB\-no_resumption_on_reneg\fR] +[\fB\-no_legacy_server_connect\fR] +[\fB\-allow_no_dhe_kex\fR] +[\fB\-prioritize_chacha\fR] +[\fB\-strict\fR] +[\fB\-sigalgs val\fR] +[\fB\-client_sigalgs val\fR] +[\fB\-groups val\fR] +[\fB\-curves val\fR] +[\fB\-named_curve val\fR] +[\fB\-cipher val\fR] +[\fB\-ciphersuites val\fR] +[\fB\-dhparam infile\fR] +[\fB\-record_padding val\fR] +[\fB\-debug_broken_protocol\fR] +[\fB\-policy val\fR] +[\fB\-purpose val\fR] +[\fB\-verify_name val\fR] +[\fB\-verify_depth int\fR] +[\fB\-auth_level int\fR] +[\fB\-attime intmax\fR] +[\fB\-verify_hostname val\fR] +[\fB\-verify_email val\fR] +[\fB\-verify_ip\fR] +[\fB\-ignore_critical\fR] +[\fB\-issuer_checks\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-policy_check\fR] +[\fB\-explicit_policy\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-x509_strict\fR] +[\fB\-extended_crl\fR] +[\fB\-use_deltas\fR] +[\fB\-policy_print\fR] +[\fB\-check_ss_sig\fR] +[\fB\-trusted_first\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_192\fR] +[\fB\-partial_chain\fR] +[\fB\-no_alt_chains\fR] +[\fB\-no_check_time\fR] +[\fB\-allow_proxy_certs\fR] +[\fB\-xkey\fR] +[\fB\-xcert\fR] +[\fB\-xchain\fR] +[\fB\-xchain_build\fR] +[\fB\-xcertform PEM|DER\fR] +[\fB\-xkeyform PEM|DER\fR] +[\fB\-nbio\fR] +[\fB\-psk_identity val\fR] +[\fB\-psk_hint val\fR] +[\fB\-psk val\fR] +[\fB\-psk_session file\fR] +[\fB\-srpvfile infile\fR] +[\fB\-srpuserseed val\fR] +[\fB\-ssl3\fR] +[\fB\-tls1\fR] +[\fB\-tls1_1\fR] +[\fB\-tls1_2\fR] +[\fB\-tls1_3\fR] +[\fB\-dtls\fR] +[\fB\-timeout\fR] +[\fB\-mtu +int\fR] +[\fB\-listen\fR] +[\fB\-dtls1\fR] +[\fB\-dtls1_2\fR] +[\fB\-sctp\fR] +[\fB\-no_dhe\fR] +[\fB\-nextprotoneg val\fR] +[\fB\-use_srtp val\fR] +[\fB\-alpn val\fR] +[\fB\-engine val\fR] +[\fB\-keylogfile outfile\fR] +[\fB\-max_early_data int\fR] +[\fB\-early_data\fR] +[\fB\-anti_replay\fR] +[\fB\-no_anti_replay\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBs_server\fR command implements a generic \s-1SSL/TLS\s0 server which listens for connections on a given port using \s-1SSL/TLS.\s0 .SH "OPTIONS" .IX Header "OPTIONS" -.IP "\fB\-accept port\fR" 4 -.IX Item "-accept port" -the \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used. -.IP "\fB\-context id\fR" 4 -.IX Item "-context id" -sets the \s-1SSL\s0 context id. It can be given any string value. If this option +In addition to the options below the \fBs_server\fR utility also supports the +common and server only options documented in the +in the \*(L"Supported Command Line Commands\*(R" section of the \fISSL_CONF_cmd\fR\|(3) +manual page. +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-port +int\fR" 4 +.IX Item "-port +int" +The \s-1TCP\s0 port to listen on for connections. If not specified 4433 is used. +.IP "\fB\-accept val\fR" 4 +.IX Item "-accept val" +The optional \s-1TCP\s0 host and port to listen on for connections. If not specified, *:4433 is used. +.IP "\fB\-unix val\fR" 4 +.IX Item "-unix val" +Unix domain socket to accept on. +.IP "\fB\-4\fR" 4 +.IX Item "-4" +Use IPv4 only. +.IP "\fB\-6\fR" 4 +.IX Item "-6" +Use IPv6 only. +.IP "\fB\-unlink\fR" 4 +.IX Item "-unlink" +For \-unix, unlink any existing socket first. +.IP "\fB\-context val\fR" 4 +.IX Item "-context val" +Sets the \s-1SSL\s0 context id. It can be given any string value. If this option is not present a default value will be used. -.IP "\fB\-cert certname\fR" 4 -.IX Item "-cert certname" +.IP "\fB\-verify int\fR, \fB\-Verify int\fR" 4 +.IX Item "-verify int, -Verify int" +The verify depth to use. This specifies the maximum length of the +client certificate chain and makes the server request a certificate from +the client. With the \fB\-verify\fR option a certificate is requested but the +client does not have to send one, with the \fB\-Verify\fR option the client +must supply a certificate or an error occurs. +.Sp +If the cipher suite cannot request a client certificate (for example an +anonymous cipher suite or \s-1PSK\s0) this option has no effect. +.IP "\fB\-cert infile\fR" 4 +.IX Item "-cert infile" The certificate to use, most servers cipher suites require the use of a certificate and some require a certificate with a certain public key type: for example the \s-1DSS\s0 cipher suites require a certificate containing a \s-1DSS\s0 (\s-1DSA\s0) key. If not specified then the filename \*(L"server.pem\*(R" will be used. -.IP "\fB\-certform format\fR" 4 -.IX Item "-certform format" +.IP "\fB\-cert_chain\fR" 4 +.IX Item "-cert_chain" +A file containing trusted certificates to use when attempting to build the +client/server certificate chain related to the certificate specified via the +\&\fB\-cert\fR option. +.IP "\fB\-build_chain\fR" 4 +.IX Item "-build_chain" +Specify whether the application should build the certificate chain to be +provided to the client. +.IP "\fB\-nameopt val\fR" 4 +.IX Item "-nameopt val" +Option which determines how the subject or issuer names are displayed. The +\&\fBval\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. +.IP "\fB\-naccept +int\fR" 4 +.IX Item "-naccept +int" +The server will exit after receiving the specified number of connections, +default unlimited. +.IP "\fB\-serverinfo val\fR" 4 +.IX Item "-serverinfo val" +A file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block +must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length, +followed by \*(L"length\*(R" bytes of extension data). If the client sends +an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding +ServerHello extension will be returned. +.IP "\fB\-certform PEM|DER\fR" 4 +.IX Item "-certform PEM|DER" The certificate format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. -.IP "\fB\-key keyfile\fR" 4 -.IX Item "-key keyfile" +.IP "\fB\-key infile\fR" 4 +.IX Item "-key infile" The private key to use. If not specified then the certificate file will be used. .IP "\fB\-keyform format\fR" 4 .IX Item "-keyform format" The private format to use: \s-1DER\s0 or \s-1PEM. PEM\s0 is the default. -.IP "\fB\-pass arg\fR" 4 -.IX Item "-pass arg" -the private key password source. For more information about the format of \fBarg\fR +.IP "\fB\-pass val\fR" 4 +.IX Item "-pass val" +The private key password source. For more information about the format of \fBval\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-dcert filename\fR, \fB\-dkey keyname\fR" 4 -.IX Item "-dcert filename, -dkey keyname" -specify an additional certificate and private key, these behave in the +.IP "\fB\-dcert infile\fR, \fB\-dkey infile\fR" 4 +.IX Item "-dcert infile, -dkey infile" +Specify an additional certificate and private key, these behave in the same manner as the \fB\-cert\fR and \fB\-key\fR options except there is no default if they are not specified (no additional certificate and key is used). As noted above some cipher suites require a certificate containing a key of @@ -241,228 +414,387 @@ a certain type. Some cipher suites need a certificate carrying an \s-1RSA\s0 key and some a \s-1DSS\s0 (\s-1DSA\s0) key. By using \s-1RSA\s0 and \s-1DSS\s0 certificates and keys a server can support clients which only support \s-1RSA\s0 or \s-1DSS\s0 cipher suites by using an appropriate certificate. -.IP "\fB\-dcertform format\fR, \fB\-dkeyform format\fR, \fB\-dpass arg\fR" 4 -.IX Item "-dcertform format, -dkeyform format, -dpass arg" -additional certificate and private key format and passphrase respectively. -.IP "\fB\-nocert\fR" 4 -.IX Item "-nocert" -if this option is set then no certificate is used. This restricts the -cipher suites available to the anonymous ones (currently just anonymous -\&\s-1DH\s0). -.IP "\fB\-dhparam filename\fR" 4 -.IX Item "-dhparam filename" -the \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys -using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to -load the parameters from the server certificate file. If this fails then -a static set of parameters hard coded into the s_server program will be used. -.IP "\fB\-no_dhe\fR" 4 -.IX Item "-no_dhe" -if this option is set then no \s-1DH\s0 parameters will be loaded effectively -disabling the ephemeral \s-1DH\s0 cipher suites. -.IP "\fB\-no_tmp_rsa\fR" 4 -.IX Item "-no_tmp_rsa" -certain export cipher suites sometimes use a temporary \s-1RSA\s0 key, this option -disables temporary \s-1RSA\s0 key generation. -.IP "\fB\-verify depth\fR, \fB\-Verify depth\fR" 4 -.IX Item "-verify depth, -Verify depth" -The verify depth to use. This specifies the maximum length of the -client certificate chain and makes the server request a certificate from -the client. With the \fB\-verify\fR option a certificate is requested but the -client does not have to send one, with the \fB\-Verify\fR option the client -must supply a certificate or an error occurs. -.Sp -If the ciphersuite cannot request a client certificate (for example an -anonymous ciphersuite or \s-1PSK\s0) this option has no effect. -.IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4 -.IX Item "-crl_check, -crl_check_all" -Check the peer certificate has not been revoked by its \s-1CA.\s0 -The \s-1CRL\s0(s) are appended to the certificate file. With the \fB\-crl_check_all\fR -option all CRLs of all CAs in the chain are checked. -.IP "\fB\-CApath directory\fR" 4 -.IX Item "-CApath directory" -The directory to use for client certificate verification. This directory -must be in \*(L"hash format\*(R", see \fBverify\fR for more information. These are -also used when building the server certificate chain. -.IP "\fB\-CAfile file\fR" 4 -.IX Item "-CAfile file" +.IP "\fB\-dcert_chain\fR" 4 +.IX Item "-dcert_chain" +A file containing trusted certificates to use when attempting to build the +server certificate chain when a certificate specified via the \fB\-dcert\fR option +is in use. +.IP "\fB\-dcertform PEM|DER\fR, \fB\-dkeyform PEM|DER\fR, \fB\-dpass val\fR" 4 +.IX Item "-dcertform PEM|DER, -dkeyform PEM|DER, -dpass val" +Additional certificate and private key format and passphrase respectively. +.IP "\fB\-xkey infile\fR, \fB\-xcert infile\fR, \fB\-xchain\fR" 4 +.IX Item "-xkey infile, -xcert infile, -xchain" +Specify an extra certificate, private key and certificate chain. These behave +in the same manner as the \fB\-cert\fR, \fB\-key\fR and \fB\-cert_chain\fR options. When +specified, the callback returning the first valid chain will be in use by +the server. +.IP "\fB\-xchain_build\fR" 4 +.IX Item "-xchain_build" +Specify whether the application should build the certificate chain to be +provided to the client for the extra certificates provided via \fB\-xkey infile\fR, +\&\fB\-xcert infile\fR, \fB\-xchain\fR options. +.IP "\fB\-xcertform PEM|DER\fR, \fB\-xkeyform PEM|DER\fR" 4 +.IX Item "-xcertform PEM|DER, -xkeyform PEM|DER" +Extra certificate and private key format respectively. +.IP "\fB\-nbio_test\fR" 4 +.IX Item "-nbio_test" +Tests non blocking I/O. +.IP "\fB\-crlf\fR" 4 +.IX Item "-crlf" +This option translated a line feed from the terminal into \s-1CR+LF.\s0 +.IP "\fB\-debug\fR" 4 +.IX Item "-debug" +Print extensive debugging information including a hex dump of all traffic. +.IP "\fB\-msg\fR" 4 +.IX Item "-msg" +Show all protocol messages with hex dump. +.IP "\fB\-msgfile outfile\fR" 4 +.IX Item "-msgfile outfile" +File to send output of \fB\-msg\fR or \fB\-trace\fR to, default standard output. +.IP "\fB\-state\fR" 4 +.IX Item "-state" +Prints the \s-1SSL\s0 session states. +.IP "\fB\-CAfile infile\fR" 4 +.IX Item "-CAfile infile" A file containing trusted certificates to use during client authentication and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. -.IP "\fB\-no_alt_chains\fR" 4 -.IX Item "-no_alt_chains" -See the \fBverify\fR manual page for details. -.IP "\fB\-state\fR" 4 -.IX Item "-state" -prints out the \s-1SSL\s0 session states. -.IP "\fB\-debug\fR" 4 -.IX Item "-debug" -print extensive debugging information including a hex dump of all traffic. -.IP "\fB\-msg\fR" 4 -.IX Item "-msg" -show all protocol messages with hex dump. -.IP "\fB\-nbio_test\fR" 4 -.IX Item "-nbio_test" -tests non blocking I/O -.IP "\fB\-nbio\fR" 4 -.IX Item "-nbio" -turns on non blocking I/O -.IP "\fB\-crlf\fR" 4 -.IX Item "-crlf" -this option translated a line feed from the terminal into \s-1CR+LF.\s0 +.IP "\fB\-CApath dir\fR" 4 +.IX Item "-CApath dir" +The directory to use for client certificate verification. This directory +must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. These are +also used when building the server certificate chain. +.IP "\fB\-chainCApath dir\fR" 4 +.IX Item "-chainCApath dir" +The directory to use for building the chain provided to the client. This +directory must be in \*(L"hash format\*(R", see \fIverify\fR\|(1) for more information. +.IP "\fB\-chainCAfile file\fR" 4 +.IX Item "-chainCAfile file" +A file containing trusted certificates to use when attempting to build the +server certificate chain. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location. +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location. +.IP "\fB\-nocert\fR" 4 +.IX Item "-nocert" +If this option is set then no certificate is used. This restricts the +cipher suites available to the anonymous ones (currently just anonymous +\&\s-1DH\s0). .IP "\fB\-quiet\fR" 4 .IX Item "-quiet" -inhibit printing of session and certificate information. -.IP "\fB\-psk_hint hint\fR" 4 -.IX Item "-psk_hint hint" -Use the \s-1PSK\s0 identity hint \fBhint\fR when using a \s-1PSK\s0 cipher suite. -.IP "\fB\-psk key\fR" 4 -.IX Item "-psk key" -Use the \s-1PSK\s0 key \fBkey\fR when using a \s-1PSK\s0 cipher suite. The key is -given as a hexadecimal number without leading 0x, for example \-psk -1a2b3c4d. -This option must be provided in order to use a \s-1PSK\s0 cipher. -.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR" 4 -.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2" +Inhibit printing of session and certificate information. +.IP "\fB\-www\fR" 4 +.IX Item "-www" +Sends a status message back to the client when it connects. This includes +information about the ciphers used and various session parameters. +The output is in \s-1HTML\s0 format so this option will normally be used with a +web browser. +.IP "\fB\-WWW\fR" 4 +.IX Item "-WWW" +Emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the \s-1URL\s0 https://myhost/page.html is +requested the file ./page.html will be loaded. +.IP "\fB\-tlsextdebug\fR" 4 +.IX Item "-tlsextdebug" +Print a hex dump of any \s-1TLS\s0 extensions received from the server. +.IP "\fB\-HTTP\fR" 4 +.IX Item "-HTTP" +Emulates a simple web server. Pages will be resolved relative to the +current directory, for example if the \s-1URL\s0 https://myhost/page.html is +requested the file ./page.html will be loaded. The files loaded are +assumed to contain a complete and correct \s-1HTTP\s0 response (lines that +are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0). +.IP "\fB\-id_prefix val\fR" 4 +.IX Item "-id_prefix val" +Generate \s-1SSL/TLS\s0 session IDs prefixed by \fBval\fR. This is mostly useful +for testing any \s-1SSL/TLS\s0 code (eg. proxies) that wish to deal with multiple +servers, when each of which might be generating a unique range of session +IDs (eg. with a certain prefix). +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-verify_return_error\fR" 4 +.IX Item "-verify_return_error" +Verification errors normally just print a message but allow the +connection to continue, for debugging purposes. +If this option is used, then verification errors close the connection. +.IP "\fB\-status\fR" 4 +.IX Item "-status" +Enables certificate status request support (aka \s-1OCSP\s0 stapling). +.IP "\fB\-status_verbose\fR" 4 +.IX Item "-status_verbose" +Enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives +a verbose printout of the \s-1OCSP\s0 response. +.IP "\fB\-status_timeout int\fR" 4 +.IX Item "-status_timeout int" +Sets the timeout for \s-1OCSP\s0 response to \fBint\fR seconds. +.IP "\fB\-status_url val\fR" 4 +.IX Item "-status_url val" +Sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the +server certificate. Without this option an error is returned if the server +certificate does not contain a responder address. +.IP "\fB\-status_file infile\fR" 4 +.IX Item "-status_file infile" +Overrides any \s-1OCSP\s0 responder URLs from the certificate and always provides the +\&\s-1OCSP\s0 Response stored in the file. The file must be in \s-1DER\s0 format. +.IP "\fB\-trace\fR" 4 +.IX Item "-trace" +Show verbose trace output of protocol messages. OpenSSL needs to be compiled +with \fBenable-ssl-trace\fR for this option to work. +.IP "\fB\-brief\fR" 4 +.IX Item "-brief" +Provide a brief summary of connection parameters instead of the normal verbose +output. +.IP "\fB\-rev\fR" 4 +.IX Item "-rev" +Simple test server which just reverses the text received from the client +and sends it back to the server. Also sets \fB\-brief\fR. +.IP "\fB\-async\fR" 4 +.IX Item "-async" +Switch on asynchronous mode. Cryptographic operations will be performed +asynchronously. This will only have an effect if an asynchronous capable engine +is also used via the \fB\-engine\fR option. For test purposes the dummy async engine +(dasync) can be used (if available). +.IP "\fB\-max_send_frag +int\fR" 4 +.IX Item "-max_send_frag +int" +The maximum size of data fragment to send. +See \fISSL_CTX_set_max_send_fragment\fR\|(3) for further information. +.IP "\fB\-split_send_frag +int\fR" 4 +.IX Item "-split_send_frag +int" +The size used to split data for encrypt pipelines. If more data is written in +one go than this value then it will be split into multiple pipelines, up to the +maximum number of pipelines defined by max_pipelines. This only has an effect if +a suitable cipher suite has been negotiated, an engine that supports pipelining +has been loaded, and max_pipelines is greater than 1. See +\&\fISSL_CTX_set_split_send_fragment\fR\|(3) for further information. +.IP "\fB\-max_pipelines +int\fR" 4 +.IX Item "-max_pipelines +int" +The maximum number of encrypt/decrypt pipelines to be used. This will only have +an effect if an engine has been loaded that supports pipelining (e.g. the dasync +engine) and a suitable cipher suite has been negotiated. The default value is 1. +See \fISSL_CTX_set_max_pipelines\fR\|(3) for further information. +.IP "\fB\-read_buf +int\fR" 4 +.IX Item "-read_buf +int" +The default read buffer size to be used for connections. This will only have an +effect if the buffer size is larger than the size that would otherwise be used +and pipelining is in use (see \fISSL_CTX_set_default_read_buffer_len\fR\|(3) for +further information). +.IP "\fB\-ssl2\fR, \fB\-ssl3\fR, \fB\-tls1\fR, \fB\-tls1_1\fR, \fB\-tls1_2\fR, \fB\-tls1_3\fR, \fB\-no_ssl2\fR, \fB\-no_ssl3\fR, \fB\-no_tls1\fR, \fB\-no_tls1_1\fR, \fB\-no_tls1_2\fR, \fB\-no_tls1_3\fR" 4 +.IX Item "-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -tls1_3, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3" These options require or disable the use of the specified \s-1SSL\s0 or \s-1TLS\s0 protocols. -By default the initial handshake uses a \fIversion-flexible\fR method which will -negotiate the highest mutually supported protocol version. +By default \fBs_server\fR will negotiate the highest mutually supported protocol +version. +When a specific \s-1TLS\s0 version is required, only that version will be accepted +from the client. +Note that not all protocols and flags may be available, depending on how +OpenSSL was built. .IP "\fB\-bugs\fR" 4 .IX Item "-bugs" -there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +There are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this option enables various workarounds. -.IP "\fB\-hack\fR" 4 -.IX Item "-hack" -this option enables a further workaround for some some early Netscape -\&\s-1SSL\s0 code (?). -.IP "\fB\-client_sigalgs sigalglist\fR" 4 -.IX Item "-client_sigalgs sigalglist" +.IP "\fB\-no_comp\fR" 4 +.IX Item "-no_comp" +Disable negotiation of \s-1TLS\s0 compression. +\&\s-1TLS\s0 compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP "\fB\-comp\fR" 4 +.IX Item "-comp" +Enable negotiation of \s-1TLS\s0 compression. +This option was introduced in OpenSSL 1.1.0. +\&\s-1TLS\s0 compression is not recommended and is off by default as of +OpenSSL 1.1.0. +.IP "\fB\-no_ticket\fR" 4 +.IX Item "-no_ticket" +Disable RFC4507bis session ticket support. +.IP "\fB\-serverpref\fR" 4 +.IX Item "-serverpref" +Use the server's cipher preferences, rather than the client's preferences. +.IP "\fB\-prioritize_chacha\fR" 4 +.IX Item "-prioritize_chacha" +Prioritize ChaCha ciphers when preferred by clients. Requires \fB\-serverpref\fR. +.IP "\fB\-no_resumption_on_reneg\fR" 4 +.IX Item "-no_resumption_on_reneg" +Set the \fB\s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0\fR option. +.IP "\fB\-client_sigalgs val\fR" 4 +.IX Item "-client_sigalgs val" Signature algorithms to support for client certificate authentication -(colon-separated list) -.IP "\fB\-named_curve curve\fR" 4 -.IX Item "-named_curve curve" +(colon-separated list). +.IP "\fB\-named_curve val\fR" 4 +.IX Item "-named_curve val" Specifies the elliptic curve to use. \s-1NOTE:\s0 this is single curve, not a list. For a list of all possible curves, use: .Sp .Vb 1 \& $ openssl ecparam \-list_curves .Ve -.IP "\fB\-cipher cipherlist\fR" 4 -.IX Item "-cipher cipherlist" -this allows the cipher list used by the server to be modified. When -the client sends a list of supported ciphers the first client cipher -also included in the server list is used. Because the client specifies -the preference order, the order of the server cipherlist irrelevant. See +.IP "\fB\-cipher val\fR" 4 +.IX Item "-cipher val" +This allows the list of TLSv1.2 and below ciphersuites used by the server to be +modified. This list is combined with any TLSv1.3 ciphersuites that have been +configured. When the client sends a list of supported ciphers the first client +cipher also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist is irrelevant. See the \fBciphers\fR command for more information. -.IP "\fB\-serverpref\fR" 4 -.IX Item "-serverpref" -use the server's cipher preferences, rather than the client's preferences. -.IP "\fB\-tlsextdebug\fR" 4 -.IX Item "-tlsextdebug" -print out a hex dump of any \s-1TLS\s0 extensions received from the server. -.IP "\fB\-no_ticket\fR" 4 -.IX Item "-no_ticket" -disable RFC4507bis session ticket support. -.IP "\fB\-www\fR" 4 -.IX Item "-www" -sends a status message back to the client when it connects. This includes -lots of information about the ciphers used and various session parameters. -The output is in \s-1HTML\s0 format so this option will normally be used with a -web browser. -.IP "\fB\-WWW\fR" 4 -.IX Item "-WWW" -emulates a simple web server. Pages will be resolved relative to the -current directory, for example if the \s-1URL\s0 https://myhost/page.html is -requested the file ./page.html will be loaded. -.IP "\fB\-HTTP\fR" 4 -.IX Item "-HTTP" -emulates a simple web server. Pages will be resolved relative to the -current directory, for example if the \s-1URL\s0 https://myhost/page.html is -requested the file ./page.html will be loaded. The files loaded are -assumed to contain a complete and correct \s-1HTTP\s0 response (lines that -are part of the \s-1HTTP\s0 response line and headers must end with \s-1CRLF\s0). -.IP "\fB\-engine id\fR" 4 -.IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBs_server\fR +.IP "\fB\-ciphersuites val\fR" 4 +.IX Item "-ciphersuites val" +This allows the list of TLSv1.3 ciphersuites used by the server to be modified. +This list is combined with any TLSv1.2 and below ciphersuites that have been +configured. When the client sends a list of supported ciphers the first client +cipher also included in the server list is used. Because the client specifies +the preference order, the order of the server cipherlist is irrelevant. See +the \fBciphers\fR command for more information. The format for this list is a +simple colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. +.IP "\fB\-dhparam infile\fR" 4 +.IX Item "-dhparam infile" +The \s-1DH\s0 parameter file to use. The ephemeral \s-1DH\s0 cipher suites generate keys +using a set of \s-1DH\s0 parameters. If not specified then an attempt is made to +load the parameters from the server certificate file. +If this fails then a static set of parameters hard coded into the \fBs_server\fR +program will be used. +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -no_check_time, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" +Set different peer certificate verification options. +See the \fIverify\fR\|(1) manual page for details. +.IP "\fB\-crl_check\fR, \fB\-crl_check_all\fR" 4 +.IX Item "-crl_check, -crl_check_all" +Check the peer certificate has not been revoked by its \s-1CA.\s0 +The \s-1CRL\s0(s) are appended to the certificate file. With the \fB\-crl_check_all\fR +option all CRLs of all CAs in the chain are checked. +.IP "\fB\-nbio\fR" 4 +.IX Item "-nbio" +Turns on non blocking I/O. +.IP "\fB\-psk_identity val\fR" 4 +.IX Item "-psk_identity val" +Expect the client to send \s-1PSK\s0 identity \fBval\fR when using a \s-1PSK\s0 +cipher suite, and warn if they do not. By default, the expected \s-1PSK\s0 +identity is the string \*(L"Client_identity\*(R". +.IP "\fB\-psk_hint val\fR" 4 +.IX Item "-psk_hint val" +Use the \s-1PSK\s0 identity hint \fBval\fR when using a \s-1PSK\s0 cipher suite. +.IP "\fB\-psk val\fR" 4 +.IX Item "-psk val" +Use the \s-1PSK\s0 key \fBval\fR when using a \s-1PSK\s0 cipher suite. The key is +given as a hexadecimal number without leading 0x, for example \-psk +1a2b3c4d. +This option must be provided in order to use a \s-1PSK\s0 cipher. +.IP "\fB\-psk_session file\fR" 4 +.IX Item "-psk_session file" +Use the pem encoded \s-1SSL_SESSION\s0 data stored in \fBfile\fR as the basis of a \s-1PSK.\s0 +Note that this will only work if TLSv1.3 is negotiated. +.IP "\fB\-listen\fR" 4 +.IX Item "-listen" +This option can only be used in conjunction with one of the \s-1DTLS\s0 options above. +With this option \fBs_server\fR will listen on a \s-1UDP\s0 port for incoming connections. +Any ClientHellos that arrive will be checked to see if they have a cookie in +them or not. +Any without a cookie will be responded to with a HelloVerifyRequest. +If a ClientHello with a cookie is received then \fBs_server\fR will connect to +that peer and complete the handshake. +.IP "\fB\-dtls\fR, \fB\-dtls1\fR, \fB\-dtls1_2\fR" 4 +.IX Item "-dtls, -dtls1, -dtls1_2" +These options make \fBs_server\fR use \s-1DTLS\s0 protocols instead of \s-1TLS.\s0 +With \fB\-dtls\fR, \fBs_server\fR will negotiate any supported \s-1DTLS\s0 protocol version, +whilst \fB\-dtls1\fR and \fB\-dtls1_2\fR will only support DTLSv1.0 and DTLSv1.2 +respectively. +.IP "\fB\-sctp\fR" 4 +.IX Item "-sctp" +Use \s-1SCTP\s0 for the transport protocol instead of \s-1UDP\s0 in \s-1DTLS.\s0 Must be used in +conjunction with \fB\-dtls\fR, \fB\-dtls1\fR or \fB\-dtls1_2\fR. This option is only +available where OpenSSL has support for \s-1SCTP\s0 enabled. +.IP "\fB\-no_dhe\fR" 4 +.IX Item "-no_dhe" +If this option is set then no \s-1DH\s0 parameters will be loaded effectively +disabling the ephemeral \s-1DH\s0 cipher suites. +.IP "\fB\-alpn val\fR, \fB\-nextprotoneg val\fR" 4 +.IX Item "-alpn val, -nextprotoneg val" +These flags enable the Enable the Application-Layer Protocol Negotiation +or Next Protocol Negotiation (\s-1NPN\s0) extension, respectively. \s-1ALPN\s0 is the +\&\s-1IETF\s0 standard and replaces \s-1NPN.\s0 +The \fBval\fR list is a comma-separated list of supported protocol +names. The list should contain the most desirable protocols first. +Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or +\&\*(L"spdy/3\*(R". +The flag \fB\-nextprotoneg\fR cannot be specified if \fB\-tls1_3\fR is used. +.IP "\fB\-engine val\fR" 4 +.IX Item "-engine val" +Specifying an engine (by its unique id string in \fBval\fR) will cause \fBs_server\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. -.IP "\fB\-id_prefix arg\fR" 4 -.IX Item "-id_prefix arg" -generate \s-1SSL/TLS\s0 session IDs prefixed by \fBarg\fR. This is mostly useful -for testing any \s-1SSL/TLS\s0 code (eg. proxies) that wish to deal with multiple -servers, when each of which might be generating a unique range of session -IDs (eg. with a certain prefix). -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. -The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for -all others. -.IP "\fB\-serverinfo file\fR" 4 -.IX Item "-serverinfo file" -a file containing one or more blocks of \s-1PEM\s0 data. Each \s-1PEM\s0 block -must encode a \s-1TLS\s0 ServerHello extension (2 bytes type, 2 bytes length, -followed by \*(L"length\*(R" bytes of extension data). If the client sends -an empty \s-1TLS\s0 ClientHello extension matching the type, the corresponding -ServerHello extension will be returned. -.IP "\fB\-no_resumption_on_reneg\fR" 4 -.IX Item "-no_resumption_on_reneg" -set \s-1SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION\s0 flag. -.IP "\fB\-status\fR" 4 -.IX Item "-status" -enables certificate status request support (aka \s-1OCSP\s0 stapling). -.IP "\fB\-status_verbose\fR" 4 -.IX Item "-status_verbose" -enables certificate status request support (aka \s-1OCSP\s0 stapling) and gives -a verbose printout of the \s-1OCSP\s0 response. -.IP "\fB\-status_timeout nsec\fR" 4 -.IX Item "-status_timeout nsec" -sets the timeout for \s-1OCSP\s0 response to \fBnsec\fR seconds. -.IP "\fB\-status_url url\fR" 4 -.IX Item "-status_url url" -sets a fallback responder \s-1URL\s0 to use if no responder \s-1URL\s0 is present in the -server certificate. Without this option an error is returned if the server -certificate does not contain a responder address. -.IP "\fB\-alpn protocols\fR, \fB\-nextprotoneg protocols\fR" 4 -.IX Item "-alpn protocols, -nextprotoneg protocols" -these flags enable the -Enable the Application-Layer Protocol Negotiation or Next Protocol -Negotiation extension, respectively. \s-1ALPN\s0 is the \s-1IETF\s0 standard and -replaces \s-1NPN.\s0 -The \fBprotocols\fR list is a -comma-separated list of supported protocol names. -The list should contain most wanted protocols first. -Protocol names are printable \s-1ASCII\s0 strings, for example \*(L"http/1.1\*(R" or -\&\*(L"spdy/3\*(R". +.IP "\fB\-keylogfile outfile\fR" 4 +.IX Item "-keylogfile outfile" +Appends \s-1TLS\s0 secrets to the specified keylog file such that external programs +(like Wireshark) can decrypt \s-1TLS\s0 connections. +.IP "\fB\-max_early_data int\fR" 4 +.IX Item "-max_early_data int" +Change the default maximum early data bytes that are specified for new sessions +and any incoming early data (when used in conjunction with the \fB\-early_data\fR +flag). The default value is approximately 16k. The argument must be an integer +greater than or equal to 0. +.IP "\fB\-early_data\fR" 4 +.IX Item "-early_data" +Accept early data where possible. +.IP "\fB\-anti_replay\fR, \fB\-no_anti_replay\fR" 4 +.IX Item "-anti_replay, -no_anti_replay" +Switches replay protection on or off, respectively. Replay protection is on by +default unless overridden by a configuration file. When it is on, OpenSSL will +automatically detect if a session ticket has been used more than once, TLSv1.3 +has been negotiated, and early data is enabled on the server. A full handshake +is forced if a session ticket is used a second or subsequent time. Any early +data that was sent will be rejected. .SH "CONNECTED COMMANDS" .IX Header "CONNECTED COMMANDS" If a connection request is established with an \s-1SSL\s0 client and neither the \&\fB\-www\fR nor the \fB\-WWW\fR option has been used then normally any data received from the client is displayed and any key presses will be sent to the client. .PP -Certain single letter commands are also recognized which perform special -operations: these are listed below. +Certain commands are also recognized which perform special operations. These +commands are a letter which must appear at the start of a line. They are listed +below. .IP "\fBq\fR" 4 .IX Item "q" -end the current \s-1SSL\s0 connection but still accept new connections. +End the current \s-1SSL\s0 connection but still accept new connections. .IP "\fBQ\fR" 4 .IX Item "Q" -end the current \s-1SSL\s0 connection and exit. +End the current \s-1SSL\s0 connection and exit. .IP "\fBr\fR" 4 .IX Item "r" -renegotiate the \s-1SSL\s0 session. +Renegotiate the \s-1SSL\s0 session (TLSv1.2 and below only). .IP "\fBR\fR" 4 .IX Item "R" -renegotiate the \s-1SSL\s0 session and request a client certificate. +Renegotiate the \s-1SSL\s0 session and request a client certificate (TLSv1.2 and below +only). .IP "\fBP\fR" 4 .IX Item "P" -send some plain text down the underlying \s-1TCP\s0 connection: this should +Send some plain text down the underlying \s-1TCP\s0 connection: this should cause the client to disconnect due to a protocol violation. .IP "\fBS\fR" 4 .IX Item "S" -print out some session cache status information. +Print out some session cache status information. +.IP "\fBB\fR" 4 +.IX Item "B" +Send a heartbeat message to the client (\s-1DTLS\s0 only) +.IP "\fBk\fR" 4 +.IX Item "k" +Send a key update message to the client (TLSv1.3 only) +.IP "\fBK\fR" 4 +.IX Item "K" +Send a key update message to the client and request one back (TLSv1.3 only) +.IP "\fBc\fR" 4 +.IX Item "c" +Send a certificate request to the client (TLSv1.3 only) .SH "NOTES" .IX Header "NOTES" \&\fBs_server\fR can be used to debug \s-1SSL\s0 clients. To accept connections from @@ -481,10 +813,10 @@ mean any \s-1CA\s0 is acceptable. This is useful for debugging purposes. The session parameters can printed out using the \fBsess_id\fR program. .SH "BUGS" .IX Header "BUGS" -Because this program has a lot of options and also because some of -the techniques used are rather old, the C source of s_server is rather -hard to read and not a model of how things should be done. A typical -\&\s-1SSL\s0 server program would be much simpler. +Because this program has a lot of options and also because some of the +techniques used are rather old, the C source of \fBs_server\fR is rather hard to +read and not a model of how things should be done. +A typical \s-1SSL\s0 server program would be much simpler. .PP The output of common ciphers is wrong: it just gives the list of ciphers that OpenSSL recognizes and the client supports. @@ -493,7 +825,21 @@ There should be a way for the \fBs_server\fR program to print out details of any unknown cipher suites a client says it supports. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1) +\&\fISSL_CONF_cmd\fR\|(3), \fIsess_id\fR\|(1), \fIs_client\fR\|(1), \fIciphers\fR\|(1) +\&\fISSL_CTX_set_max_send_fragment\fR\|(3), +\&\fISSL_CTX_set_split_send_fragment\fR\|(3), +\&\fISSL_CTX_set_max_pipelines\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. +The \-no_alt_chains option was first added to OpenSSL 1.1.0. +.PP +The \-allow\-no\-dhe\-kex and \-prioritize_chacha options were first added to +OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/s_time.1 b/secure/usr.bin/openssl/man/s_time.1 index dace18071052..220b5e4b4486 100644 --- a/secure/usr.bin/openssl/man/s_time.1 +++ b/secure/usr.bin/openssl/man/s_time.1 @@ -129,32 +129,34 @@ .\" ======================================================================== .\" .IX Title "S_TIME 1" -.TH S_TIME 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH S_TIME 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-s_time, -s_time \- SSL/TLS performance timing program +openssl\-s_time, s_time \- SSL/TLS performance timing program .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBs_time\fR +[\fB\-help\fR] [\fB\-connect host:port\fR] [\fB\-www page\fR] [\fB\-cert filename\fR] [\fB\-key filename\fR] [\fB\-CApath directory\fR] -[\fB\-CAfile filename\fR] +[\fB\-cafile filename\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] [\fB\-reuse\fR] [\fB\-new\fR] [\fB\-verify depth\fR] -[\fB\-nbio\fR] +[\fB\-nameopt option\fR] [\fB\-time seconds\fR] -[\fB\-ssl2\fR] [\fB\-ssl3\fR] [\fB\-bugs\fR] [\fB\-cipher cipherlist\fR] +[\fB\-ciphersuites val\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBs_time\fR command implements a generic \s-1SSL/TLS\s0 client which connects to a @@ -164,6 +166,9 @@ the number of connections within a given timeframe, the amount of data transferred (if any), and calculates the average time spent for one connection. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-connect host:port\fR" 4 .IX Item "-connect host:port" This specifies the host and optional port to connect to. @@ -188,6 +193,12 @@ server certificate chain and turns on server certificate verification. Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. .IP "\fB\-CApath directory\fR" 4 .IX Item "-CApath directory" The directory to use for server certificate verification. This directory @@ -197,44 +208,58 @@ also used when building the client certificate chain. .IX Item "-CAfile file" A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location .IP "\fB\-new\fR" 4 .IX Item "-new" -performs the timing test using a new session \s-1ID\s0 for each connection. +Performs the timing test using a new session \s-1ID\s0 for each connection. If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default and executed in sequence. .IP "\fB\-reuse\fR" 4 .IX Item "-reuse" -performs the timing test using the same session \s-1ID\s0; this can be used as a test +Performs the timing test using the same session \s-1ID\s0; this can be used as a test that session caching is working. If neither \fB\-new\fR nor \fB\-reuse\fR are specified, they are both on by default and executed in sequence. -.IP "\fB\-nbio\fR" 4 -.IX Item "-nbio" -turns on non-blocking I/O. -.IP "\fB\-ssl2\fR, \fB\-ssl3\fR" 4 -.IX Item "-ssl2, -ssl3" -these options disable the use of certain \s-1SSL\s0 or \s-1TLS\s0 protocols. By default +.IP "\fB\-ssl3\fR" 4 +.IX Item "-ssl3" +This option disables the use of \s-1SSL\s0 version 3. By default the initial handshake uses a method which should be compatible with all -servers and permit them to use \s-1SSL\s0 v3, \s-1SSL\s0 v2 or \s-1TLS\s0 as appropriate. +servers and permit them to use \s-1SSL\s0 v3 or \s-1TLS\s0 as appropriate. +.Sp The timing program is not as rich in options to turn protocols on and off as the \fIs_client\fR\|(1) program and may not connect to all servers. -.Sp Unfortunately there are a lot of ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only -work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option; others -will only support \s-1SSL\s0 v2 and may need the \fB\-ssl2\fR option. +work if \s-1TLS\s0 is turned off with the \fB\-ssl3\fR option. +.Sp +Note that this option may not be available, depending on how +OpenSSL was built. .IP "\fB\-bugs\fR" 4 .IX Item "-bugs" -there are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this +There are several known bug in \s-1SSL\s0 and \s-1TLS\s0 implementations. Adding this option enables various workarounds. .IP "\fB\-cipher cipherlist\fR" 4 .IX Item "-cipher cipherlist" -this allows the cipher list sent by the client to be modified. Although -the server determines which cipher suite is used it should take the first -supported cipher in the list sent by the client. -See the \fIciphers\fR\|(1) command for more information. +This allows the TLSv1.2 and below cipher list sent by the client to be modified. +This list will be combined with any TLSv1.3 ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See +\&\fIciphers\fR\|(1) for more information. +.IP "\fB\-ciphersuites val\fR" 4 +.IX Item "-ciphersuites val" +This allows the TLSv1.3 ciphersuites sent by the client to be modified. This +list will be combined with any TLSv1.2 and below ciphersuites that have been +configured. Although the server determines which cipher suite is used it should +take the first supported cipher in the list sent by the client. See +\&\fIciphers\fR\|(1) for more information. The format for this list is a simple +colon (\*(L":\*(R") separated list of TLSv1.3 ciphersuite names. .IP "\fB\-time length\fR" 4 .IX Item "-time length" -specifies how long (in seconds) \fBs_time\fR should establish connections and +Specifies how long (in seconds) \fBs_time\fR should establish connections and optionally transfer payload data from a server. Server and client performance and the link speed determine how many connections \fBs_time\fR can establish. .SH "NOTES" @@ -251,7 +276,7 @@ which both client and server can agree, see the \fIciphers\fR\|(1) command for details. .PP If the handshake fails then there are several possible causes, if it is -nothing obvious like no client certificate then the \fB\-bugs\fR, \fB\-ssl2\fR, +nothing obvious like no client certificate then the \fB\-bugs\fR and \&\fB\-ssl3\fR options can be tried in case it is a buggy server. In particular you should play with these options \fBbefore\fR submitting a bug report to an OpenSSL mailing list. @@ -281,3 +306,11 @@ fails. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIs_client\fR\|(1), \fIs_server\fR\|(1), \fIciphers\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2004\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/sess_id.1 b/secure/usr.bin/openssl/man/sess_id.1 index 55e577da5e15..e13d2bea8639 100644 --- a/secure/usr.bin/openssl/man/sess_id.1 +++ b/secure/usr.bin/openssl/man/sess_id.1 @@ -129,19 +129,19 @@ .\" ======================================================================== .\" .IX Title "SESS_ID 1" -.TH SESS_ID 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH SESS_ID 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-sess_id, -sess_id \- SSL/TLS session handling utility +openssl\-sess_id, sess_id \- SSL/TLS session handling utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBsess_id\fR +[\fB\-help\fR] [\fB\-inform PEM|DER\fR] -[\fB\-outform PEM|DER\fR] +[\fB\-outform PEM|DER|NSS\fR] [\fB\-in filename\fR] [\fB\-out filename\fR] [\fB\-text\fR] @@ -154,16 +154,22 @@ and optionally prints out \s-1SSL\s0 session details (for example the \s-1SSL\s0 master key) in human readable format. Since this is a diagnostic tool that needs some knowledge of the \s-1SSL\s0 protocol to use properly, most users will not need to use it. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM\fR" 4 .IX Item "-inform DER|PEM" This specifies the input format. The \fB\s-1DER\s0\fR option uses an \s-1ASN1 DER\s0 encoded format containing session details. The precise format can vary from one version to the next. The \fB\s-1PEM\s0\fR form is the default format: it consists of the \fB\s-1DER\s0\fR format base64 encoded with additional header and footer lines. -.IP "\fB\-outform DER|PEM\fR" 4 -.IX Item "-outform DER|PEM" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +.IP "\fB\-outform DER|PEM|NSS\fR" 4 +.IX Item "-outform DER|PEM|NSS" +This specifies the output format. The \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR options have the same meaning +and default as the \fB\-inform\fR option. The \fB\s-1NSS\s0\fR option outputs the session id and +the master key in \s-1NSS\s0 keylog format. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read session information from or standard @@ -174,19 +180,19 @@ This specifies the output filename to write session information to or standard output if this option is not specified. .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out the various public or private key components in +Prints out the various public or private key components in plain text in addition to the encoded version. .IP "\fB\-cert\fR" 4 .IX Item "-cert" -if a certificate is present in the session it will be output using this option, +If a certificate is present in the session it will be output using this option, if the \fB\-text\fR option is also present then it will be printed out in text form. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option prevents output of the encoded version of the session. +This option prevents output of the encoded version of the session. .IP "\fB\-context \s-1ID\s0\fR" 4 .IX Item "-context ID" -this option can set the session id so the output session information uses the -supplied \s-1ID.\s0 The \s-1ID\s0 can be any string of characters. This option wont normally +This option can set the session id so the output session information uses the +supplied \s-1ID.\s0 The \s-1ID\s0 can be any string of characters. This option won't normally be used. .SH "OUTPUT" .IX Header "OUTPUT" @@ -208,32 +214,30 @@ Typical output: Theses are described below in more detail. .IP "\fBProtocol\fR" 4 .IX Item "Protocol" -this is the protocol in use TLSv1, SSLv3 or SSLv2. +This is the protocol in use TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 or SSLv3. .IP "\fBCipher\fR" 4 .IX Item "Cipher" -the cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0 +The cipher used this is the actual raw \s-1SSL\s0 or \s-1TLS\s0 cipher code, see the \s-1SSL\s0 or \s-1TLS\s0 specifications for more information. .IP "\fBSession-ID\fR" 4 .IX Item "Session-ID" -the \s-1SSL\s0 session \s-1ID\s0 in hex format. +The \s-1SSL\s0 session \s-1ID\s0 in hex format. .IP "\fBSession-ID-ctx\fR" 4 .IX Item "Session-ID-ctx" -the session \s-1ID\s0 context in hex format. +The session \s-1ID\s0 context in hex format. .IP "\fBMaster-Key\fR" 4 .IX Item "Master-Key" -this is the \s-1SSL\s0 session master key. -.IP "\fBKey-Arg\fR" 4 -.IX Item "Key-Arg" -the key argument, this is only used in \s-1SSL\s0 v2. +This is the \s-1SSL\s0 session master key. .IP "\fBStart Time\fR" 4 .IX Item "Start Time" -this is the session start time represented as an integer in standard Unix format. +This is the session start time represented as an integer in standard +Unix format. .IP "\fBTimeout\fR" 4 .IX Item "Timeout" -the timeout in seconds. +The timeout in seconds. .IP "\fBVerify return code\fR" 4 .IX Item "Verify return code" -this is the return code when an \s-1SSL\s0 client certificate is verified. +This is the return code when an \s-1SSL\s0 client certificate is verified. .SH "NOTES" .IX Header "NOTES" The \s-1PEM\s0 encoded session format uses the header and footer lines: @@ -243,13 +247,22 @@ The \s-1PEM\s0 encoded session format uses the header and footer lines: \& \-\-\-\-\-END SSL SESSION PARAMETERS\-\-\-\-\- .Ve .PP -Since the \s-1SSL\s0 session output contains the master key it is possible to read the contents -of an encrypted session using this information. Therefore appropriate security precautions -should be taken if the information is being output by a \*(L"real\*(R" application. This is -however strongly discouraged and should only be used for debugging purposes. +Since the \s-1SSL\s0 session output contains the master key it is +possible to read the contents of an encrypted session using this +information. Therefore appropriate security precautions should be taken if +the information is being output by a \*(L"real\*(R" application. This is however +strongly discouraged and should only be used for debugging purposes. .SH "BUGS" .IX Header "BUGS" The cipher and start time should be printed out in human readable form. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIciphers\fR\|(1), \fIs_server\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/smime.1 b/secure/usr.bin/openssl/man/smime.1 index d7d1423917d5..80dc532af552 100644 --- a/secure/usr.bin/openssl/man/smime.1 +++ b/secure/usr.bin/openssl/man/smime.1 @@ -129,32 +129,64 @@ .\" ======================================================================== .\" .IX Title "SMIME 1" -.TH SMIME 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH SMIME 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-smime, -smime \- S/MIME utility +openssl\-smime, smime \- S/MIME utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBsmime\fR +[\fB\-help\fR] [\fB\-encrypt\fR] [\fB\-decrypt\fR] [\fB\-sign\fR] [\fB\-resign\fR] [\fB\-verify\fR] [\fB\-pk7out\fR] -[\fB\-[cipher]\fR] +[\fB\-binary\fR] +[\fB\-crlfeol\fR] +[\fB\-\f(BIcipher\fB\fR] [\fB\-in file\fR] +[\fB\-CAfile file\fR] +[\fB\-CApath dir\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-attime timestamp\fR] +[\fB\-check_ss_sig\fR] +[\fB\-crl_check\fR] +[\fB\-crl_check_all\fR] +[\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] +[\fB\-inhibit_any\fR] +[\fB\-inhibit_map\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] +[\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] [\fB\-no_alt_chains\fR] +[\fB\-use_deltas\fR] +[\fB\-auth_level num\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-x509_strict\fR] [\fB\-certfile file\fR] [\fB\-signer file\fR] [\fB\-recip file\fR] [\fB\-inform SMIME|PEM|DER\fR] [\fB\-passin arg\fR] -[\fB\-inkey file\fR] +[\fB\-inkey file_or_id\fR] [\fB\-out file\fR] [\fB\-outform SMIME|PEM|DER\fR] [\fB\-content file\fR] @@ -165,51 +197,55 @@ smime \- S/MIME utility [\fB\-indef\fR] [\fB\-noindef\fR] [\fB\-stream\fR] -[\fB\-rand file(s)\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-md digest\fR] [cert.pem]... .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBsmime\fR command handles S/MIME mail. It can encrypt, decrypt, sign and verify S/MIME messages. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" There are six operation options that set the type of operation to be performed. The meaning of the other options varies according to the operation type. +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-encrypt\fR" 4 .IX Item "-encrypt" -encrypt mail for the given recipient certificates. Input file is the message +Encrypt mail for the given recipient certificates. Input file is the message to be encrypted. The output file is the encrypted mail in \s-1MIME\s0 format. .Sp Note that no revocation check is done for the recipient cert, so if that key has been compromised, others may be able to decrypt the text. .IP "\fB\-decrypt\fR" 4 .IX Item "-decrypt" -decrypt mail using the supplied certificate and private key. Expects an +Decrypt mail using the supplied certificate and private key. Expects an encrypted mail message in \s-1MIME\s0 format for the input file. The decrypted mail is written to the output file. .IP "\fB\-sign\fR" 4 .IX Item "-sign" -sign mail using the supplied certificate and private key. Input file is +Sign mail using the supplied certificate and private key. Input file is the message to be signed. The signed message in \s-1MIME\s0 format is written to the output file. .IP "\fB\-verify\fR" 4 .IX Item "-verify" -verify signed mail. Expects a signed mail message on input and outputs +Verify signed mail. Expects a signed mail message on input and outputs the signed data. Both clear text and opaque signing is supported. .IP "\fB\-pk7out\fR" 4 .IX Item "-pk7out" -takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure. +Takes an input message and writes out a \s-1PEM\s0 encoded PKCS#7 structure. .IP "\fB\-resign\fR" 4 .IX Item "-resign" -resign a message: take an existing message and one or more new signers. +Resign a message: take an existing message and one or more new signers. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" -the input message to be encrypted or signed or the \s-1MIME\s0 message to +The input message to be encrypted or signed or the \s-1MIME\s0 message to be decrypted or verified. .IP "\fB\-inform SMIME|PEM|DER\fR" 4 .IX Item "-inform SMIME|PEM|DER" -this specifies the input format for the PKCS#7 structure. The default +This specifies the input format for the PKCS#7 structure. The default is \fB\s-1SMIME\s0\fR which reads an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR format change this to expect \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures instead. This currently only affects the input format of the PKCS#7 @@ -217,11 +253,11 @@ structure, if no PKCS#7 structure is being input (for example with \&\fB\-encrypt\fR or \fB\-sign\fR) this option has no effect. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -the message text that has been decrypted or verified or the output \s-1MIME\s0 +The message text that has been decrypted or verified or the output \s-1MIME\s0 format message that has been signed or verified. .IP "\fB\-outform SMIME|PEM|DER\fR" 4 .IX Item "-outform SMIME|PEM|DER" -this specifies the output format for the PKCS#7 structure. The default +This specifies the output format for the PKCS#7 structure. The default is \fB\s-1SMIME\s0\fR which write an S/MIME format message. \fB\s-1PEM\s0\fR and \fB\s-1DER\s0\fR format change this to write \s-1PEM\s0 and \s-1DER\s0 format PKCS#7 structures instead. This currently only affects the output format of the PKCS#7 @@ -229,7 +265,7 @@ structure, if no PKCS#7 structure is being output (for example with \&\fB\-verify\fR or \fB\-decrypt\fR) this option has no effect. .IP "\fB\-stream \-indef \-noindef\fR" 4 .IX Item "-stream -indef -noindef" -the \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O +The \fB\-stream\fR and \fB\-indef\fR options are equivalent and enable streaming I/O for encoding operations. This permits single pass processing of data without the need to hold the entire contents in memory, potentially supporting very large files. Streaming is automatically set for S/MIME signing with detached @@ -237,7 +273,7 @@ data if the output format is \fB\s-1SMIME\s0\fR it is currently off by default f other operations. .IP "\fB\-noindef\fR" 4 .IX Item "-noindef" -disable streaming I/O where it would produce and indefinite length constructed +Disable streaming I/O where it would produce and indefinite length constructed encoding. This option currently has no effect. In future streaming will be enabled by default on all relevant operations and this option will disable it. .IP "\fB\-content filename\fR" 4 @@ -249,118 +285,134 @@ not included. This option will override any content if the input format is S/MIME and it uses the multipart/signed \s-1MIME\s0 content type. .IP "\fB\-text\fR" 4 .IX Item "-text" -this option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied +This option adds plain text (text/plain) \s-1MIME\s0 headers to the supplied message if encrypting or signing. If decrypting or verifying it strips -off text headers: if the decrypted or verified message is not of \s-1MIME\s0 +off text headers: if the decrypted or verified message is not of \s-1MIME\s0 type text/plain then an error occurs. .IP "\fB\-CAfile file\fR" 4 .IX Item "-CAfile file" -a file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. +A file containing trusted \s-1CA\s0 certificates, only used with \fB\-verify\fR. .IP "\fB\-CApath dir\fR" 4 .IX Item "-CApath dir" -a directory containing trusted \s-1CA\s0 certificates, only used with +A directory containing trusted \s-1CA\s0 certificates, only used with \&\fB\-verify\fR. This directory must be a standard certificate directory: that is a hash of each subject name (using \fBx509 \-hash\fR) should be linked to each certificate. +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location. +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location. .IP "\fB\-md digest\fR" 4 .IX Item "-md digest" -digest algorithm to use when signing or resigning. If not present then the +Digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually \s-1SHA1\s0). -.IP "\fB\-[cipher]\fR" 4 -.IX Item "-[cipher]" -the encryption algorithm to use. For example \s-1DES\s0 (56 bits) \- \fB\-des\fR, +.IP "\fB\-\f(BIcipher\fB\fR" 4 +.IX Item "-cipher" +The encryption algorithm to use. For example \s-1DES\s0 (56 bits) \- \fB\-des\fR, triple \s-1DES\s0 (168 bits) \- \fB\-des3\fR, -\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for -example \fB\-aes_128_cbc\fR. See \fBenc\fR for list of ciphers +\&\fIEVP_get_cipherbyname()\fR function) can also be used preceded by a dash, for +example \fB\-aes\-128\-cbc\fR. See \fBenc\fR for list of ciphers supported by your version of OpenSSL. .Sp If not specified triple \s-1DES\s0 is used. Only used with \fB\-encrypt\fR. .IP "\fB\-nointern\fR" 4 .IX Item "-nointern" -when verifying a message normally certificates (if any) included in +When verifying a message normally certificates (if any) included in the message are searched for the signing certificate. With this option only the certificates specified in the \fB\-certfile\fR option are used. The supplied certificates can still be used as untrusted CAs however. .IP "\fB\-noverify\fR" 4 .IX Item "-noverify" -do not verify the signers certificate of a signed message. +Do not verify the signers certificate of a signed message. .IP "\fB\-nochain\fR" 4 .IX Item "-nochain" -do not do chain verification of signers certificates: that is don't +Do not do chain verification of signers certificates: that is don't use the certificates in the signed message as untrusted CAs. .IP "\fB\-nosigs\fR" 4 .IX Item "-nosigs" -don't try to verify the signatures on the message. +Don't try to verify the signatures on the message. .IP "\fB\-nocerts\fR" 4 .IX Item "-nocerts" -when signing a message the signer's certificate is normally included +When signing a message the signer's certificate is normally included with this option it is excluded. This will reduce the size of the signed message but the verifier must have a copy of the signers certificate available locally (passed using the \fB\-certfile\fR option for example). .IP "\fB\-noattr\fR" 4 .IX Item "-noattr" -normally when a message is signed a set of attributes are included which +Normally when a message is signed a set of attributes are included which include the signing time and supported symmetric algorithms. With this option they are not included. .IP "\fB\-binary\fR" 4 .IX Item "-binary" -normally the input message is converted to \*(L"canonical\*(R" format which is +Normally the input message is converted to \*(L"canonical\*(R" format which is effectively using \s-1CR\s0 and \s-1LF\s0 as end of line: as required by the S/MIME specification. When this option is present no translation occurs. This is useful when handling binary data which may not be in \s-1MIME\s0 format. +.IP "\fB\-crlfeol\fR" 4 +.IX Item "-crlfeol" +Normally the output file uses a single \fB\s-1LF\s0\fR as end of line. When this +option is present \fB\s-1CRLF\s0\fR is used instead. .IP "\fB\-nodetach\fR" 4 .IX Item "-nodetach" -when signing a message use opaque signing: this form is more resistant +When signing a message use opaque signing: this form is more resistant to translation by mail relays but it cannot be read by mail agents that do not support S/MIME. Without this option cleartext signing with the \s-1MIME\s0 type multipart/signed is used. .IP "\fB\-certfile file\fR" 4 .IX Item "-certfile file" -allows additional certificates to be specified. When signing these will +Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. The certificates should be in \s-1PEM\s0 format. .IP "\fB\-signer file\fR" 4 .IX Item "-signer file" -a signing certificate when signing or resigning a message, this option can be +A signing certificate when signing or resigning a message, this option can be used multiple times if more than one signer is required. If a message is being verified then the signers certificates will be written to this file if the verification was successful. .IP "\fB\-recip file\fR" 4 .IX Item "-recip file" -the recipients certificate when decrypting a message. This certificate +The recipients certificate when decrypting a message. This certificate must match one of the recipients of the message or an error occurs. -.IP "\fB\-inkey file\fR" 4 -.IX Item "-inkey file" -the private key to use when signing or decrypting. This must match the +.IP "\fB\-inkey file_or_id\fR" 4 +.IX Item "-inkey file_or_id" +The private key to use when signing or decrypting. This must match the corresponding certificate. If this option is not specified then the private key must be included in the certificate file specified with the \fB\-recip\fR or \fB\-signer\fR file. When signing this option can be used multiple times to specify successive keys. +If no engine is used, the argument is taken as a file; if an engine is +specified, the argument is given to the engine as a key identifier. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the private key password source. For more information about the format of \fBarg\fR +The private key password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). -.IP "\fB\-rand file(s)\fR" 4 -.IX Item "-rand file(s)" -a file or files containing random data used to seed the random number -generator, or an \s-1EGD\s0 socket (see \fIRAND_egd\fR\|(3)). -Multiple files can be specified separated by a OS-dependent character. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fBcert.pem...\fR" 4 .IX Item "cert.pem..." -one or more certificates of message recipients: used when encrypting +One or more certificates of message recipients: used when encrypting a message. .IP "\fB\-to, \-from, \-subject\fR" 4 .IX Item "-to, -from, -subject" -the relevant mail headers. These are included outside the signed +The relevant mail headers. These are included outside the signed portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -.IP "\fB\-purpose, \-ignore_critical, \-issuer_checks, \-crl_check, \-crl_check_all, \-policy_check, \-extended_crl, \-x509_strict, \-policy \-check_ss_sig \-no_alt_chains\fR" 4 -.IX Item "-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains" +.IP "\fB\-attime\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, \fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, \fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-no_alt_chains\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, \fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, \fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, \fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, \fB\-verify_name\fR, \fB\-x509_strict\fR" 4 +.IX Item "-attime, -check_ss_sig, -crl_check, -crl_check_all, -explicit_policy, -extended_crl, -ignore_critical, -inhibit_any, -inhibit_map, -no_alt_chains, -partial_chain, -policy, -policy_check, -policy_print, -purpose, -suiteB_128, -suiteB_128_only, -suiteB_192, -trusted_first, -use_deltas, -auth_level, -verify_depth, -verify_email, -verify_hostname, -verify_ip, -verify_name, -x509_strict" Set various options of certificate chain verification. See -\&\fBverify\fR manual page for details. +\&\fIverify\fR\|(1) manual page for details. .SH "NOTES" .IX Header "NOTES" The \s-1MIME\s0 message must be sent without any blank lines between the @@ -369,7 +421,7 @@ a blank line. Piping the mail directly to sendmail is one way to achieve the correct format. .PP The supplied message to be signed or encrypted must include the -necessary \s-1MIME\s0 headers or many S/MIME clients wont display it +necessary \s-1MIME\s0 headers or many S/MIME clients won't display it properly (if at all). You can use the \fB\-text\fR option to automatically add plain text headers. .PP @@ -390,7 +442,7 @@ The \fB\-resign\fR option uses an existing message digest when adding a new signer. This means that attributes must be present in at least one existing signer using the same message digest or this operation will fail. .PP -The \fB\-stream\fR and \fB\-indef\fR options enable experimental streaming I/O support. +The \fB\-stream\fR and \fB\-indef\fR options enable streaming I/O support. As a result the encoding is \s-1BER\s0 using indefinite length constructed encoding and no longer \s-1DER.\s0 Streaming is supported for the \fB\-encrypt\fR operation and the \&\fB\-sign\fR operation if the content is not detached. @@ -401,23 +453,23 @@ remains \s-1DER.\s0 .SH "EXIT CODES" .IX Header "EXIT CODES" .IP "0" 4 -the operation was completely successfully. +The operation was completely successfully. .IP "1" 4 .IX Item "1" -an error occurred parsing the command options. +An error occurred parsing the command options. .IP "2" 4 .IX Item "2" -one of the input files could not be read. +One of the input files could not be read. .IP "3" 4 .IX Item "3" -an error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0 +An error occurred creating the PKCS#7 file or when reading the \s-1MIME\s0 message. .IP "4" 4 .IX Item "4" -an error occurred decrypting or verifying the message. +An error occurred decrypting or verifying the message. .IP "5" 4 .IX Item "5" -the message was verified correctly but an error occurred writing out +The message was verified correctly but an error occurred writing out the signers certificates. .SH "EXAMPLES" .IX Header "EXAMPLES" @@ -550,4 +602,12 @@ structures may cause parsing errors. The use of multiple \fB\-signer\fR options and the \fB\-resign\fR command were first added in OpenSSL 1.0.0 .PP -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. +The \-no_alt_chains options was first added to OpenSSL 1.1.0. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/speed.1 b/secure/usr.bin/openssl/man/speed.1 index d249db4ab7e1..1a20ee8b9c07 100644 --- a/secure/usr.bin/openssl/man/speed.1 +++ b/secure/usr.bin/openssl/man/speed.1 @@ -129,55 +129,88 @@ .\" ======================================================================== .\" .IX Title "SPEED 1" -.TH SPEED 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH SPEED 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-speed, -speed \- test library performance +openssl\-speed, speed \- test library performance .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl speed\fR +[\fB\-help\fR] [\fB\-engine id\fR] -[\fBmd2\fR] -[\fBmdc2\fR] -[\fBmd5\fR] -[\fBhmac\fR] -[\fBsha1\fR] -[\fBrmd160\fR] -[\fBidea-cbc\fR] -[\fBrc2\-cbc\fR] -[\fBrc5\-cbc\fR] -[\fBbf-cbc\fR] -[\fBdes-cbc\fR] -[\fBdes\-ede3\fR] -[\fBrc4\fR] -[\fBrsa512\fR] -[\fBrsa1024\fR] -[\fBrsa2048\fR] -[\fBrsa4096\fR] -[\fBdsa512\fR] -[\fBdsa1024\fR] -[\fBdsa2048\fR] -[\fBidea\fR] -[\fBrc2\fR] -[\fBdes\fR] -[\fBrsa\fR] -[\fBblowfish\fR] +[\fB\-elapsed\fR] +[\fB\-evp algo\fR] +[\fB\-decrypt\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] +[\fB\-primes num\fR] +[\fB\-seconds num\fR] +[\fB\-bytes num\fR] +[\fBalgorithm...\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" This command is used to test the performance of cryptographic algorithms. +To see the list of supported algorithms, use the \fIlist \-\-digest\-commands\fR +or \fIlist \-\-cipher\-commands\fR command. The global \s-1CSPRNG\s0 is denoted by +the \fIrand\fR algorithm name. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBspeed\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBspeed\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. +.IP "\fB\-elapsed\fR" 4 +.IX Item "-elapsed" +When calculating operations\- or bytes-per-second, use wall-clock time +instead of \s-1CPU\s0 user time as divisor. It can be useful when testing speed +of hardware engines. +.IP "\fB\-evp algo\fR" 4 +.IX Item "-evp algo" +Use the specified cipher or message digest algorithm via the \s-1EVP\s0 interface. +If \fBalgo\fR is an \s-1AEAD\s0 cipher, then you can pass <\-aead> to benchmark a +TLS-like sequence. And if \fBalgo\fR is a multi-buffer capable cipher, e.g. +aes\-128\-cbc\-hmac\-sha1, then \fB\-mb\fR will time multi-buffer operation. +.IP "\fB\-decrypt\fR" 4 +.IX Item "-decrypt" +Time the decryption instead of encryption. Affects only the \s-1EVP\s0 testing. +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. +.IP "\fB\-primes num\fR" 4 +.IX Item "-primes num" +Generate a \fBnum\fR\-prime \s-1RSA\s0 key and use it to run the benchmarks. This option +is only effective if \s-1RSA\s0 algorithm is specified to test. +.IP "\fB\-seconds num\fR" 4 +.IX Item "-seconds num" +Run benchmarks for \fBnum\fR seconds. +.IP "\fB\-bytes num\fR" 4 +.IX Item "-bytes num" +Run benchmarks on \fBnum\fR\-byte buffers. Affects ciphers, digests and the \s-1CSPRNG.\s0 .IP "\fB[zero or more test algorithms]\fR" 4 .IX Item "[zero or more test algorithms]" -If any options are given, \fBspeed\fR tests those algorithms, otherwise all of -the above are tested. +If any options are given, \fBspeed\fR tests those algorithms, otherwise a +pre-compiled grand selection is tested. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/spkac.1 b/secure/usr.bin/openssl/man/spkac.1 index 762b8a222540..cbd60d3f8b5f 100644 --- a/secure/usr.bin/openssl/man/spkac.1 +++ b/secure/usr.bin/openssl/man/spkac.1 @@ -129,20 +129,21 @@ .\" ======================================================================== .\" .IX Title "SPKAC 1" -.TH SPKAC 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH SPKAC 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-spkac, -spkac \- SPKAC printing and generating utility +openssl\-spkac, spkac \- SPKAC printing and generating utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBspkac\fR +[\fB\-help\fR] [\fB\-in filename\fR] [\fB\-out filename\fR] [\fB\-key keyfile\fR] +[\fB\-keyform PEM|DER|ENGINE\fR] [\fB\-passin arg\fR] [\fB\-challenge string\fR] [\fB\-pubkey\fR] @@ -156,51 +157,58 @@ spkac \- SPKAC printing and generating utility The \fBspkac\fR command processes Netscape signed public key and challenge (\s-1SPKAC\s0) files. It can print out their contents, verify the signature and produce its own SPKACs from a supplied private key. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read from or standard input if this option is not specified. Ignored if the \fB\-key\fR option is used. .IP "\fB\-out filename\fR" 4 .IX Item "-out filename" -specifies the output filename to write to or standard output by +Specifies the output filename to write to or standard output by default. .IP "\fB\-key keyfile\fR" 4 .IX Item "-key keyfile" -create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The +Create an \s-1SPKAC\s0 file using the private key in \fBkeyfile\fR. The \&\fB\-in\fR, \fB\-noout\fR, \fB\-spksect\fR and \fB\-verify\fR options are ignored if present. +.IP "\fB\-keyform PEM|DER|ENGINE\fR" 4 +.IX Item "-keyform PEM|DER|ENGINE" +Whether the key format is \s-1PEM, DER,\s0 or an engine-backed key. +The default is \s-1PEM.\s0 .IP "\fB\-passin password\fR" 4 .IX Item "-passin password" -the input file password source. For more information about the format of \fBarg\fR +The input file password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-challenge string\fR" 4 .IX Item "-challenge string" -specifies the challenge string if an \s-1SPKAC\s0 is being created. +Specifies the challenge string if an \s-1SPKAC\s0 is being created. .IP "\fB\-spkac spkacname\fR" 4 .IX Item "-spkac spkacname" -allows an alternative name form the variable containing the +Allows an alternative name form the variable containing the \&\s-1SPKAC.\s0 The default is \*(L"\s-1SPKAC\*(R".\s0 This option affects both generated and input \s-1SPKAC\s0 files. .IP "\fB\-spksect section\fR" 4 .IX Item "-spksect section" -allows an alternative name form the section containing the +Allows an alternative name form the section containing the \&\s-1SPKAC.\s0 The default is the default section. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -don't output the text version of the \s-1SPKAC\s0 (not used if an +Don't output the text version of the \s-1SPKAC\s0 (not used if an \&\s-1SPKAC\s0 is being created). .IP "\fB\-pubkey\fR" 4 .IX Item "-pubkey" -output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is +Output the public key of an \s-1SPKAC\s0 (not used if an \s-1SPKAC\s0 is being created). .IP "\fB\-verify\fR" 4 .IX Item "-verify" -verifies the digital signature on the supplied \s-1SPKAC.\s0 +Verifies the digital signature on the supplied \s-1SPKAC.\s0 .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBspkac\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. @@ -226,12 +234,13 @@ Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R": .PP Example of an \s-1SPKAC,\s0 (long lines split up for clarity): .PP -.Vb 5 -\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e -\& PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e -\& PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e -\& 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e -\& 4= +.Vb 6 +\& SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA\e +\& 1cCoq2Wa3Ixs47uI7FPVwHVIPDx5yso105Y6zpozam135a\e +\& 8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03uPFoQIDAQAB\e +\& FgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJ\e +\& h1bEIYuc2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnD\e +\& dq+NQ3F+X4deMx9AaEglZtULwV4= .Ve .SH "NOTES" .IX Header "NOTES" @@ -251,3 +260,11 @@ to be used in a \*(L"replay attack\*(R". .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIca\fR\|(1) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/secure/usr.bin/openssl/man/srp.1 similarity index 66% rename from secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 rename to secure/usr.bin/openssl/man/srp.1 index 8dd9b4ac4a00..e328b09ccf78 100644 --- a/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 +++ b/secure/usr.bin/openssl/man/srp.1 @@ -128,56 +128,67 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "SSL_CTX_get_ex_new_index 3" -.TH SSL_CTX_get_ex_new_index 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "SRP 1" +.TH SRP 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -SSL_CTX_get_ex_new_index, SSL_CTX_set_ex_data, SSL_CTX_get_ex_data \- internal application specific data functions +openssl\-srp, srp \- maintain SRP password file .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int SSL_CTX_get_ex_new_index(long argl, void *argp, -\& CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, -\& CRYPTO_EX_free *free_func); -\& -\& int SSL_CTX_set_ex_data(SSL_CTX *ctx, int idx, void *arg); -\& -\& void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx); -\& -\& typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -\& int idx, long argl, void *argp); -\& typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, -\& int idx, long argl, void *argp); -\& typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, -\& int idx, long argl, void *argp); -.Ve +\&\fBopenssl srp\fR +[\fB\-help\fR] +[\fB\-verbose\fR] +[\fB\-add\fR] +[\fB\-modify\fR] +[\fB\-delete\fR] +[\fB\-list\fR] +[\fB\-name section\fR] +[\fB\-config file\fR] +[\fB\-srpvfile file\fR] +[\fB\-gn identifier\fR] +[\fB\-userinfo text...\fR] +[\fB\-passin arg\fR] +[\fB\-passout arg\fR] +[\fIuser...\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" -Several OpenSSL structures can have application specific data attached to them. -These functions are used internally by OpenSSL to manipulate application -specific data attached to a specific structure. +The \fBsrp\fR command is user to maintain an \s-1SRP\s0 (secure remote password) +file. +At most one of the \fB\-add\fR, \fB\-modify\fR, \fB\-delete\fR, and \fB\-list\fR options +can be specified. +These options take zero or more usernames as parameters and perform the +appropriate operation on the \s-1SRP\s0 file. +For \fB\-list\fR, if no \fBuser\fR is given then all users are displayed. .PP -\&\fISSL_CTX_get_ex_new_index()\fR is used to register a new index for application -specific data. +The configuration file to use, and the section within the file, can be +specified with the \fB\-config\fR and \fB\-name\fR flags, respectively. +If the config file is not specified, the \fB\-srpvfile\fR can be used to +just specify the file to operate on. .PP -\&\fISSL_CTX_set_ex_data()\fR is used to store application data at \fBarg\fR for \fBidx\fR -into the \fBctx\fR object. +The \fB\-userinfo\fR option specifies additional information to add when +adding or modifying a user. .PP -\&\fISSL_CTX_get_ex_data()\fR is used to retrieve the information for \fBidx\fR from -\&\fBctx\fR. +The \fB\-gn\fR flag specifies the \fBg\fR and \fBN\fR values, using one of +the strengths defined in \s-1IETF RFC 5054.\s0 .PP -A detailed description for the \fB*\f(BI_get_ex_new_index()\fB\fR functionality -can be found in \fIRSA_get_ex_new_index\fR\|(3). -The \fB*\f(BI_get_ex_data()\fB\fR and \fB*\f(BI_set_ex_data()\fB\fR functionality is described in -\&\fICRYPTO_set_ex_data\fR\|(3). -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIssl\fR\|(3), -\&\fIRSA_get_ex_new_index\fR\|(3), -\&\fICRYPTO_set_ex_data\fR\|(3) +The \fB\-passin\fR and \fB\-passout\fR arguments are parsed as described in +the \fIopenssl\fR\|(1) command. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "[\fB\-help\fR]" 4 +.IX Item "[-help]" +Display an option summary. +.IP "[\fB\-verbose\fR]" 4 +.IX Item "[-verbose]" +Generate verbose output while processing. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/lib/libcrypto/man/DH_get_ex_new_index.3 b/secure/usr.bin/openssl/man/storeutl.1 similarity index 53% rename from secure/lib/libcrypto/man/DH_get_ex_new_index.3 rename to secure/usr.bin/openssl/man/storeutl.1 index 67c50e959c87..8c7f9b2d147f 100644 --- a/secure/lib/libcrypto/man/DH_get_ex_new_index.3 +++ b/secure/usr.bin/openssl/man/storeutl.1 @@ -128,38 +128,115 @@ .rm #[ #] #H #V #F C .\" ======================================================================== .\" -.IX Title "DH_get_ex_new_index 3" -.TH DH_get_ex_new_index 3 "2018-08-14" "1.0.2p" "OpenSSL" +.IX Title "STOREUTL 1" +.TH STOREUTL 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data \- add application specific data to DH structures +openssl\-storeutl, storeutl \- STORE utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" -.Vb 1 -\& #include -\& -\& int DH_get_ex_new_index(long argl, void *argp, -\& CRYPTO_EX_new *new_func, -\& CRYPTO_EX_dup *dup_func, -\& CRYPTO_EX_free *free_func); -\& -\& int DH_set_ex_data(DH *d, int idx, void *arg); -\& -\& char *DH_get_ex_data(DH *d, int idx); -.Ve +\&\fBopenssl\fR \fBstoreutl\fR +[\fB\-help\fR] +[\fB\-out file\fR] +[\fB\-noout\fR] +[\fB\-passin arg\fR] +[\fB\-text arg\fR] +[\fB\-engine id\fR] +[\fB\-r\fR] +[\fB\-certs\fR] +[\fB\-keys\fR] +[\fB\-crls\fR] +[\fB\-subject arg\fR] +[\fB\-issuer arg\fR] +[\fB\-serial arg\fR] +[\fB\-alias arg\fR] +[\fB\-fingerprint arg\fR] +[\fB\-\f(BIdigest\fB\fR] +\&\fBuri\fR ... .SH "DESCRIPTION" .IX Header "DESCRIPTION" -These functions handle application specific data in \s-1DH\s0 -structures. Their usage is identical to that of -\&\fIRSA_get_ex_new_index()\fR, \fIRSA_set_ex_data()\fR and \fIRSA_get_ex_data()\fR -as described in \fIRSA_get_ex_new_index\fR\|(3). +The \fBstoreutl\fR command can be used to display the contents (after decryption +as the case may be) fetched from the given URIs. +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-out filename\fR" 4 +.IX Item "-out filename" +specifies the output filename to write to or standard output by +default. +.IP "\fB\-noout\fR" 4 +.IX Item "-noout" +this option prevents output of the \s-1PEM\s0 data. +.IP "\fB\-passin arg\fR" 4 +.IX Item "-passin arg" +the key password source. For more information about the format of \fBarg\fR +see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). +.IP "\fB\-text\fR" 4 +.IX Item "-text" +Prints out the objects in text form, similarly to the \fB\-text\fR output from +\&\fBopenssl x509\fR, \fBopenssl pkey\fR, etc. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +specifying an engine (by its unique \fBid\fR string) will cause \fBstoreutl\fR +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. +The engine will then be set as the default for all available algorithms. +.IP "\fB\-r\fR" 4 +.IX Item "-r" +Fetch objects recursively when possible. +.IP "\fB\-certs\fR" 4 +.IX Item "-certs" +.PD 0 +.IP "\fB\-keys\fR" 4 +.IX Item "-keys" +.IP "\fB\-crls\fR" 4 +.IX Item "-crls" +.PD +Only select the certificates, keys or CRLs from the given \s-1URI.\s0 +However, if this \s-1URI\s0 would return a set of names (URIs), those are always +returned. +.IP "\fB\-subject arg\fR" 4 +.IX Item "-subject arg" +Search for an object having the subject name \fBarg\fR. +The arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, +characters may be escaped by \e (backslash), no spaces are skipped. +.IP "\fB\-issuer arg\fR" 4 +.IX Item "-issuer arg" +.PD 0 +.IP "\fB\-serial arg\fR" 4 +.IX Item "-serial arg" +.PD +Search for an object having the given issuer name and serial number. +These two options \fImust\fR be used together. +The issuer arg must be formatted as \fI/type0=value0/type1=value1/type2=...\fR, +characters may be escaped by \e (backslash), no spaces are skipped. +The serial arg may be specified as a decimal value or a hex value if preceded +by \fB0x\fR. +.IP "\fB\-alias arg\fR" 4 +.IX Item "-alias arg" +Search for an object having the given alias. +.IP "\fB\-fingerprint arg\fR" 4 +.IX Item "-fingerprint arg" +Search for an object having the given fingerprint. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +The digest that was used to compute the fingerprint given with \fB\-fingerprint\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIRSA_get_ex_new_index\fR\|(3), \fIdh\fR\|(3) +\&\fIopenssl\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -\&\fIDH_get_ex_new_index()\fR, \fIDH_set_ex_data()\fR and \fIDH_get_ex_data()\fR are -available since OpenSSL 0.9.5. +\&\fBopenssl\fR \fBstoreutl\fR was added to OpenSSL 1.1.1. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2016\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/ts.1 b/secure/usr.bin/openssl/man/ts.1 index 34c30ebffa6f..7b597e4b42e8 100644 --- a/secure/usr.bin/openssl/man/ts.1 +++ b/secure/usr.bin/openssl/man/ts.1 @@ -129,24 +129,24 @@ .\" ======================================================================== .\" .IX Title "TS 1" -.TH TS 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH TS 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-ts, -ts \- Time Stamping Authority tool (client/server) +openssl\-ts, ts \- Time Stamping Authority tool (client/server) .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBts\fR \&\fB\-query\fR -[\fB\-rand\fR file:file...] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-config\fR configfile] [\fB\-data\fR file_to_hash] [\fB\-digest\fR digest_bytes] -[\fB\-md2\fR|\fB\-md4\fR|\fB\-md5\fR|\fB\-sha\fR|\fB\-sha1\fR|\fB\-mdc2\fR|\fB\-ripemd160\fR|\fB...\fR] -[\fB\-policy\fR object_id] +[\fB\-\f(BIdigest\fB\fR] +[\fB\-tspolicy\fR object_id] [\fB\-no_nonce\fR] [\fB\-cert\fR] [\fB\-in\fR request.tsq] @@ -160,9 +160,10 @@ ts \- Time Stamping Authority tool (client/server) [\fB\-queryfile\fR request.tsq] [\fB\-passin\fR password_src] [\fB\-signer\fR tsa_cert.pem] -[\fB\-inkey\fR private.pem] +[\fB\-inkey\fR file_or_id] +[\fB\-\f(BIdigest\fB\fR] [\fB\-chain\fR certs_file.pem] -[\fB\-policy\fR object_id] +[\fB\-tspolicy\fR object_id] [\fB\-in\fR response.tsr] [\fB\-token_in\fR] [\fB\-out\fR response.tsr] @@ -180,6 +181,38 @@ ts \- Time Stamping Authority tool (client/server) [\fB\-CApath\fR trusted_cert_path] [\fB\-CAfile\fR trusted_certs.pem] [\fB\-untrusted\fR cert_file.pem] +[\fIverify options\fR] +.PP +\&\fIverify options:\fR +[\-attime timestamp] +[\-check_ss_sig] +[\-crl_check] +[\-crl_check_all] +[\-explicit_policy] +[\-extended_crl] +[\-ignore_critical] +[\-inhibit_any] +[\-inhibit_map] +[\-issuer_checks] +[\-no_alt_chains] +[\-no_check_time] +[\-partial_chain] +[\-policy arg] +[\-policy_check] +[\-policy_print] +[\-purpose purpose] +[\-suiteB_128] +[\-suiteB_128_only] +[\-suiteB_192] +[\-trusted_first] +[\-use_deltas] +[\-auth_level num] +[\-verify_depth num] +[\-verify_email email] +[\-verify_hostname hostname] +[\-verify_ip ip] +[\-verify_name name] +[\-x509_strict] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBts\fR command is a basic Time Stamping Authority (\s-1TSA\s0) client and server @@ -216,16 +249,22 @@ requests either by ftp or e\-mail. .IX Subsection "Time Stamp Request generation" The \fB\-query\fR switch can be used for creating and printing a time stamp request with the following options: -.IP "\fB\-rand\fR file:file..." 4 -.IX Item "-rand file:file..." -The files containing random data for seeding the random number -generator. Multiple files can be specified, the separator is \fB;\fR for -MS-Windows, \fB,\fR for \s-1VMS\s0 and \fB:\fR for all other platforms. (Optional) +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-config\fR configfile" 4 .IX Item "-config configfile" -The configuration file to use, this option overrides the -\&\fB\s-1OPENSSL_CONF\s0\fR environment variable. Only the \s-1OID\s0 section -of the config file is used with the \fB\-query\fR command. (Optional) +The configuration file to use. +Optional; for a description of the default value, +see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fIopenssl\fR\|(1). .IP "\fB\-data\fR file_to_hash" 4 .IX Item "-data file_to_hash" The data file for which the time stamp request needs to be @@ -236,15 +275,15 @@ parameter is specified. (Optional) It is possible to specify the message imprint explicitly without the data file. The imprint must be specified in a hexadecimal format, two characters per byte, the bytes optionally separated by colons (e.g. 1A:F6:01:... or -1AF601...). The number of bytes must match the message digest algorithm +1AF601...). The number of bytes must match the message digest algorithm in use. (Optional) -.IP "\fB\-md2\fR|\fB\-md4\fR|\fB\-md5\fR|\fB\-sha\fR|\fB\-sha1\fR|\fB\-mdc2\fR|\fB\-ripemd160\fR|\fB...\fR" 4 -.IX Item "-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160|..." -The message digest to apply to the data file, it supports all the message -digest algorithms that are supported by the openssl \fBdgst\fR command. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +The message digest to apply to the data file. +Any digest supported by the OpenSSL \fBdgst\fR command can be used. The default is \s-1SHA\-1.\s0 (Optional) -.IP "\fB\-policy\fR object_id" 4 -.IX Item "-policy object_id" +.IP "\fB\-tspolicy\fR object_id" 4 +.IX Item "-tspolicy object_id" The policy that the client expects the \s-1TSA\s0 to use for creating the time stamp token. Either the dotted \s-1OID\s0 notation or \s-1OID\s0 names defined in the config file can be used. If no policy is requested the \s-1TSA\s0 will @@ -264,7 +303,6 @@ response. (Optional) This option specifies a previously created time stamp request in \s-1DER\s0 format that will be printed into the output file. Useful when you need to examine the content of a request in human-readable -.Sp format. (Optional) .IP "\fB\-out\fR request.tsq" 4 .IX Item "-out request.tsq" @@ -285,12 +323,13 @@ specified the output is always a time stamp response (TimeStampResp), otherwise it is a time stamp token (ContentInfo). .IP "\fB\-config\fR configfile" 4 .IX Item "-config configfile" -The configuration file to use, this option overrides the -\&\fB\s-1OPENSSL_CONF\s0\fR environment variable. See \fB\s-1CONFIGURATION FILE -OPTIONS\s0\fR for configurable variables. (Optional) +The configuration file to use. +Optional; for a description of the default value, +see \*(L"\s-1COMMAND SUMMARY\*(R"\s0 in \fIopenssl\fR\|(1). +See \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for configurable variables. .IP "\fB\-section\fR tsa_section" 4 .IX Item "-section tsa_section" -The name of the config file section conatining the settings for the +The name of the config file section containing the settings for the response generation. If not specified the default \s-1TSA\s0 section is used, see \fB\s-1CONFIGURATION FILE OPTIONS\s0\fR for details. (Optional) .IP "\fB\-queryfile\fR request.tsq" 4 @@ -307,10 +346,16 @@ certificate must have exactly one extended key usage assigned to it: timeStamping. The extended key usage must also be critical, otherwise the certificate is going to be refused. Overrides the \fBsigner_cert\fR variable of the config file. (Optional) -.IP "\fB\-inkey\fR private.pem" 4 -.IX Item "-inkey private.pem" +.IP "\fB\-inkey\fR file_or_id" 4 +.IX Item "-inkey file_or_id" The signer private key of the \s-1TSA\s0 in \s-1PEM\s0 format. Overrides the \&\fBsigner_key\fR config file option. (Optional) +If no engine is used, the argument is taken as a file; if an engine is +specified, the argument is given to the engine as a key identifier. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +Signing digest to use. Overrides the \fBsigner_digest\fR config file +option. (Optional) .IP "\fB\-chain\fR certs_file.pem" 4 .IX Item "-chain certs_file.pem" The collection of certificates in \s-1PEM\s0 format that will all @@ -319,8 +364,8 @@ the \fB\-cert\fR option was used for the request. This file is supposed to contain the certificate chain for the signer certificate from its issuer upwards. The \fB\-reply\fR command does not build a certificate chain automatically. (Optional) -.IP "\fB\-policy\fR object_id" 4 -.IX Item "-policy object_id" +.IP "\fB\-tspolicy\fR object_id" 4 +.IX Item "-tspolicy object_id" The default policy to use for the response unless the client explicitly requires a particular \s-1TSA\s0 policy. The \s-1OID\s0 can be specified either in dotted notation or with its name. Overrides the @@ -366,7 +411,7 @@ data file. The \fB\-verify\fR command does not use the configuration file. .IP "\fB\-data\fR file_to_hash" 4 .IX Item "-data file_to_hash" The response or token must be verified against file_to_hash. The file -is hashed with the message digest algorithm specified in the token. +is hashed with the message digest algorithm specified in the token. The \fB\-digest\fR and \fB\-queryfile\fR options must not be specified with this one. (Optional) .IP "\fB\-digest\fR digest_bytes" 4 @@ -389,14 +434,14 @@ that the input is a \s-1DER\s0 encoded time stamp token (ContentInfo) instead of a time stamp response (TimeStampResp). (Optional) .IP "\fB\-CApath\fR trusted_cert_path" 4 .IX Item "-CApath trusted_cert_path" -The name of the directory containing the trused \s-1CA\s0 certificates of the +The name of the directory containing the trusted \s-1CA\s0 certificates of the client. See the similar option of \fIverify\fR\|(1) for additional details. Either this option or \fB\-CAfile\fR must be specified. (Optional) .IP "\fB\-CAfile\fR trusted_certs.pem" 4 .IX Item "-CAfile trusted_certs.pem" -The name of the file containing a set of trusted self-signed \s-1CA\s0 -certificates in \s-1PEM\s0 format. See the similar option of -\&\fIverify\fR\|(1) for additional details. Either this option +The name of the file containing a set of trusted self-signed \s-1CA\s0 +certificates in \s-1PEM\s0 format. See the similar option of +\&\fIverify\fR\|(1) for additional details. Either this option or \fB\-CApath\fR must be specified. (Optional) .IP "\fB\-untrusted\fR cert_file.pem" 4 @@ -406,10 +451,21 @@ needed when building the certificate chain for the \s-1TSA\s0's signing certificate. This file must contain the \s-1TSA\s0 signing certificate and all intermediate \s-1CA\s0 certificates unless the response includes them. (Optional) +.IP "\fIverify options\fR" 4 +.IX Item "verify options" +The options \fB\-attime timestamp\fR, \fB\-check_ss_sig\fR, \fB\-crl_check\fR, +\&\fB\-crl_check_all\fR, \fB\-explicit_policy\fR, \fB\-extended_crl\fR, \fB\-ignore_critical\fR, +\&\fB\-inhibit_any\fR, \fB\-inhibit_map\fR, \fB\-issuer_checks\fR, \fB\-no_alt_chains\fR, +\&\fB\-no_check_time\fR, \fB\-partial_chain\fR, \fB\-policy\fR, \fB\-policy_check\fR, +\&\fB\-policy_print\fR, \fB\-purpose\fR, \fB\-suiteB_128\fR, \fB\-suiteB_128_only\fR, +\&\fB\-suiteB_192\fR, \fB\-trusted_first\fR, \fB\-use_deltas\fR, \fB\-auth_level\fR, +\&\fB\-verify_depth\fR, \fB\-verify_email\fR, \fB\-verify_hostname\fR, \fB\-verify_ip\fR, +\&\fB\-verify_name\fR, and \fB\-x509_strict\fR can be used to control timestamp +verification. See \fIverify\fR\|(1). .SH "CONFIGURATION FILE OPTIONS" .IX Header "CONFIGURATION FILE OPTIONS" -The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file -defined by the \fB\s-1OPENSSL_CONF\s0\fR environment variable. See \fIconfig\fR\|(5) +The \fB\-query\fR and \fB\-reply\fR commands make use of a configuration file. +See \fIconfig\fR\|(5) for a general description of the syntax of the config file. The \&\fB\-query\fR command uses only the symbolic \s-1OID\s0 names section and it can work without it. However, the \fB\-reply\fR command needs the @@ -439,8 +495,8 @@ each response. If the file does not exist at the time of response generation a new file is created with serial number 1. (Mandatory) .IP "\fBcrypto_device\fR" 4 .IX Item "crypto_device" -Specifies the OpenSSL engine that will be set as the default for -all available algorithms. The default value is builtin, you can specify +Specifies the OpenSSL engine that will be set as the default for +all available algorithms. The default value is builtin, you can specify any other engines supported by OpenSSL (e.g. use chil for the NCipher \s-1HSM\s0). (Optional) .IP "\fBsigner_cert\fR" 4 @@ -456,10 +512,14 @@ option. (Optional) .IX Item "signer_key" The private key of the \s-1TSA\s0 in \s-1PEM\s0 format. The same as the \fB\-inkey\fR command line option. (Optional) +.IP "\fBsigner_digest\fR" 4 +.IX Item "signer_digest" +Signing digest to use. The same as the +\&\fB\-\f(BIdigest\fB\fR command line option. (Optional) .IP "\fBdefault_policy\fR" 4 .IX Item "default_policy" The default policy to use when the request does not mandate any -policy. The same as the \fB\-policy\fR command line option. (Optional) +policy. The same as the \fB\-tspolicy\fR command line option. (Optional) .IP "\fBother_policies\fR" 4 .IX Item "other_policies" Comma separated list of policies that are also acceptable by the \s-1TSA\s0 @@ -475,7 +535,7 @@ and microseconds. E.g. secs:1, millisecs:500, microsecs:100. If any of the components is missing zero is assumed for that field. (Optional) .IP "\fBclock_precision_digits\fR" 4 .IX Item "clock_precision_digits" -Specifies the maximum number of digits, which represent the fraction of +Specifies the maximum number of digits, which represent the fraction of seconds, that need to be included in the time field. The trailing zeroes must be removed from the time, so there might actually be fewer digits, or no fraction of seconds at all. Supported only on \s-1UNIX\s0 platforms. @@ -500,18 +560,18 @@ is specified then the certificate identifiers of the chain will also be included in the SigningCertificate signed attribute. If this variable is set to no, only the signing certificate identifier is included. Default is no. (Optional) -.SH "ENVIRONMENT VARIABLES" -.IX Header "ENVIRONMENT VARIABLES" -\&\fB\s-1OPENSSL_CONF\s0\fR contains the path of the configuration file and can be -overridden by the \fB\-config\fR command line option. +.IP "\fBess_cert_id_alg\fR" 4 +.IX Item "ess_cert_id_alg" +This option specifies the hash function to be used to calculate the \s-1TSA\s0's +public key certificate identifier. Default is sha1. (Optional) .SH "EXAMPLES" .IX Header "EXAMPLES" All the examples below presume that \fB\s-1OPENSSL_CONF\s0\fR is set to a proper -configuration file, e.g. the example configuration file +configuration file, e.g. the example configuration file openssl/apps/openssl.cnf will do. .SS "Time Stamp Request" .IX Subsection "Time Stamp Request" -To create a time stamp request for design1.txt with \s-1SHA\-1\s0 +To create a time stamp request for design1.txt with \s-1SHA\-1\s0 without nonce and policy and no certificate is required in the response: .PP .Vb 2 @@ -533,23 +593,27 @@ To print the content of the previous request in human readable format: \& openssl ts \-query \-in design1.tsq \-text .Ve .PP -To create a time stamp request which includes the \s-1MD\-5\s0 digest +To create a time stamp request which includes the \s-1MD\-5\s0 digest of design2.txt, requests the signer certificate and nonce, specifies a policy id (assuming the tsa_policy1 name is defined in the \&\s-1OID\s0 section of the config file): .PP .Vb 2 \& openssl ts \-query \-data design2.txt \-md5 \e -\& \-policy tsa_policy1 \-cert \-out design2.tsq +\& \-tspolicy tsa_policy1 \-cert \-out design2.tsq .Ve .SS "Time Stamp Response" .IX Subsection "Time Stamp Response" Before generating a response a signing certificate must be created for the \s-1TSA\s0 that contains the \fBtimeStamping\fR critical extended key usage extension -without any other key usage extensions. You can add the -\&'extendedKeyUsage = critical,timeStamping' line to the user certificate section -of the config file to generate a proper certificate. See \fIreq\fR\|(1), -\&\fIca\fR\|(1), \fIx509\fR\|(1) for instructions. The examples +without any other key usage extensions. You can add this line to the +user certificate section of the config file to generate a proper certificate; +.PP +.Vb 1 +\& extendedKeyUsage = critical,timeStamping +.Ve +.PP +See \fIreq\fR\|(1), \fIca\fR\|(1), and \fIx509\fR\|(1) for instructions. The examples below assume that cacert.pem contains the certificate of the \s-1CA,\s0 tsacert.pem is the signing certificate issued by cacert.pem and tsakey.pem is the private key of the \s-1TSA.\s0 @@ -615,41 +679,44 @@ To verify a time stamp reply that includes the certificate chain: .PP To verify a time stamp token against the original data file: openssl ts \-verify \-data design2.txt \-in design2.tsr \e - \-CAfile cacert.pem + \-CAfile cacert.pem .PP To verify a time stamp token against a message imprint: openssl ts \-verify \-digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \e - \-in design2.tsr \-CAfile cacert.pem + \-in design2.tsr \-CAfile cacert.pem .PP You could also look at the 'test' directory for more examples. .SH "BUGS" .IX Header "BUGS" -If you find any bugs or you have suggestions please write to -Zoltan Glozik . Known issues: -.IP "\(bu" 4 +.IP "\(bu" 2 No support for time stamps over \s-1SMTP,\s0 though it is quite easy -to implement an automatic e\-mail based \s-1TSA\s0 with \fIprocmail\fR\|(1) -and \fIperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of +to implement an automatic e\-mail based \s-1TSA\s0 with \fIprocmail\fR\|(1) +and \fIperl\fR\|(1). \s-1HTTP\s0 server support is provided in the form of a separate apache module. \s-1HTTP\s0 client support is provided by \&\fItsget\fR\|(1). Pure \s-1TCP/IP\s0 protocol is not supported. -.IP "\(bu" 4 +.IP "\(bu" 2 The file containing the last serial number of the \s-1TSA\s0 is not locked when being read or written. This is a problem if more than one instance of \fIopenssl\fR\|(1) is trying to create a time stamp response at the same time. This is not an issue when using the apache server module, it does proper locking. -.IP "\(bu" 4 +.IP "\(bu" 2 Look for the \s-1FIXME\s0 word in the source files. -.IP "\(bu" 4 +.IP "\(bu" 2 The source code should really be reviewed by somebody else, too. -.IP "\(bu" 4 +.IP "\(bu" 2 More testing is needed, I have done only some basic tests (see test/testtsa). -.SH "AUTHOR" -.IX Header "AUTHOR" -Zoltan Glozik , OpenTSA project (http://www.opentsa.org) .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fItsget\fR\|(1), \fIopenssl\fR\|(1), \fIreq\fR\|(1), -\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), +\&\fItsget\fR\|(1), \fIopenssl\fR\|(1), \fIreq\fR\|(1), +\&\fIx509\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), \&\fIconfig\fR\|(5) +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/tsget.1 b/secure/usr.bin/openssl/man/tsget.1 index a04cc9594b20..a0c6201f2427 100644 --- a/secure/usr.bin/openssl/man/tsget.1 +++ b/secure/usr.bin/openssl/man/tsget.1 @@ -129,14 +129,13 @@ .\" ======================================================================== .\" .IX Title "TSGET 1" -.TH TSGET 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH TSGET 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-tsget, -tsget \- Time Stamping HTTP/HTTPS client +openssl\-tsget, tsget \- Time Stamping HTTP/HTTPS client .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBtsget\fR @@ -257,7 +256,7 @@ time stamp requests, tsa.opentsa.org listens at port 8080 for \s-1HTTP\s0 reques and at port 8443 for \s-1HTTPS\s0 requests, the \s-1TSA\s0 service is available at the /tsa absolute path. .PP -Get a time stamp response for file1.tsq over \s-1HTTP,\s0 output is written to +Get a time stamp response for file1.tsq over \s-1HTTP,\s0 output is written to file1.tsr: .PP .Vb 1 @@ -308,10 +307,15 @@ example: \& export TSGET \& tsget file1.tsq .Ve -.SH "AUTHOR" -.IX Header "AUTHOR" -Zoltan Glozik , OpenTSA project (http://www.opentsa.org) .SH "SEE ALSO" .IX Header "SEE ALSO" -\&\fIopenssl\fR\|(1), \fIts\fR\|(1), \fIcurl\fR\|(1), +\&\fIopenssl\fR\|(1), \fIts\fR\|(1), \fIcurl\fR\|(1), \&\fB\s-1RFC 3161\s0\fR +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2006\-2016 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/verify.1 b/secure/usr.bin/openssl/man/verify.1 index 60649b8a6c8f..f36841d8a99e 100644 --- a/secure/usr.bin/openssl/man/verify.1 +++ b/secure/usr.bin/openssl/man/verify.1 @@ -129,50 +129,72 @@ .\" ======================================================================== .\" .IX Title "VERIFY 1" -.TH VERIFY 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH VERIFY 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-verify, -verify \- Utility to verify certificates. +openssl\-verify, verify \- Utility to verify certificates .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBverify\fR -[\fB\-CApath directory\fR] +[\fB\-help\fR] [\fB\-CAfile file\fR] -[\fB\-purpose purpose\fR] -[\fB\-policy arg\fR] -[\fB\-ignore_critical\fR] +[\fB\-CApath directory\fR] +[\fB\-no\-CAfile\fR] +[\fB\-no\-CApath\fR] +[\fB\-allow_proxy_certs\fR] [\fB\-attime timestamp\fR] [\fB\-check_ss_sig\fR] [\fB\-CRLfile file\fR] [\fB\-crl_download\fR] [\fB\-crl_check\fR] [\fB\-crl_check_all\fR] -[\fB\-policy_check\fR] +[\fB\-engine id\fR] [\fB\-explicit_policy\fR] +[\fB\-extended_crl\fR] +[\fB\-ignore_critical\fR] [\fB\-inhibit_any\fR] [\fB\-inhibit_map\fR] -[\fB\-x509_strict\fR] -[\fB\-extended_crl\fR] -[\fB\-use_deltas\fR] +[\fB\-nameopt option\fR] +[\fB\-no_check_time\fR] +[\fB\-partial_chain\fR] +[\fB\-policy arg\fR] +[\fB\-policy_check\fR] [\fB\-policy_print\fR] +[\fB\-purpose purpose\fR] +[\fB\-suiteB_128\fR] +[\fB\-suiteB_128_only\fR] +[\fB\-suiteB_192\fR] +[\fB\-trusted_first\fR] [\fB\-no_alt_chains\fR] -[\fB\-allow_proxy_certs\fR] [\fB\-untrusted file\fR] -[\fB\-help\fR] -[\fB\-issuer_checks\fR] [\fB\-trusted file\fR] +[\fB\-use_deltas\fR] [\fB\-verbose\fR] +[\fB\-auth_level level\fR] +[\fB\-verify_depth num\fR] +[\fB\-verify_email email\fR] +[\fB\-verify_hostname hostname\fR] +[\fB\-verify_ip ip\fR] +[\fB\-verify_name name\fR] +[\fB\-x509_strict\fR] +[\fB\-show_chain\fR] [\fB\-\fR] [certificates] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBverify\fR command verifies certificate chains. -.SH "COMMAND OPTIONS" -.IX Header "COMMAND OPTIONS" +.SH "OPTIONS" +.IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. +.IP "\fB\-CAfile file\fR" 4 +.IX Item "-CAfile file" +A \fBfile\fR of trusted certificates. +The file should contain one or more certificates in \s-1PEM\s0 format. .IP "\fB\-CApath directory\fR" 4 .IX Item "-CApath directory" A directory of trusted certificates. The certificates should have names @@ -180,12 +202,17 @@ of the form: hash.0 or have symbolic links to them of this form (\*(L"hash\*(R" is the hashed certificate subject name: see the \fB\-hash\fR option of the \fBx509\fR utility). Under Unix the \fBc_rehash\fR script will automatically create symbolic links to a directory of certificates. -.IP "\fB\-CAfile file\fR A file of trusted certificates. The file should contain multiple certificates in \s-1PEM\s0 format concatenated together." 4 -.IX Item "-CAfile file A file of trusted certificates. The file should contain multiple certificates in PEM format concatenated together." -.PD 0 +.IP "\fB\-no\-CAfile\fR" 4 +.IX Item "-no-CAfile" +Do not load the trusted \s-1CA\s0 certificates from the default file location. +.IP "\fB\-no\-CApath\fR" 4 +.IX Item "-no-CApath" +Do not load the trusted \s-1CA\s0 certificates from the default directory location. +.IP "\fB\-allow_proxy_certs\fR" 4 +.IX Item "-allow_proxy_certs" +Allow the verification of proxy certificates. .IP "\fB\-attime timestamp\fR" 4 .IX Item "-attime timestamp" -.PD Perform validation checks using time specified by \fBtimestamp\fR and not current system time. \fBtimestamp\fR is the number of seconds since 01.01.1970 (\s-1UNIX\s0 time). @@ -195,7 +222,9 @@ Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by defa because it doesn't add any security. .IP "\fB\-CRLfile file\fR" 4 .IX Item "-CRLfile file" -File containing one or more \s-1CRL\s0's (in \s-1PEM\s0 format) to load. +The \fBfile\fR should contain one or more CRLs in \s-1PEM\s0 format. +This option can be specified more than once to include CRLs from multiple +\&\fBfiles\fR. .IP "\fB\-crl_download\fR" 4 .IX Item "-crl_download" Attempt to download \s-1CRL\s0 information for this certificate. @@ -203,92 +232,177 @@ Attempt to download \s-1CRL\s0 information for this certificate. .IX Item "-crl_check" Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0 If a valid \s-1CRL\s0 cannot be found an error occurs. -.IP "\fB\-untrusted file\fR" 4 -.IX Item "-untrusted file" -A file of untrusted certificates. The file should contain multiple certificates -in \s-1PEM\s0 format concatenated together. -.IP "\fB\-purpose purpose\fR" 4 -.IX Item "-purpose purpose" -The intended use for the certificate. If this option is not specified, -\&\fBverify\fR will not consider certificate purpose during chain verification. -Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR, -\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more -information. -.IP "\fB\-help\fR" 4 -.IX Item "-help" -Print out a usage message. -.IP "\fB\-verbose\fR" 4 -.IX Item "-verbose" -Print extra information about the operations being performed. -.IP "\fB\-issuer_checks\fR" 4 -.IX Item "-issuer_checks" -Print out diagnostics relating to searches for the issuer certificate of the -current certificate. This shows why each candidate issuer certificate was -rejected. The presence of rejection messages does not itself imply that -anything is wrong; during the normal verification process, several -rejections may take place. -.IP "\fB\-policy arg\fR" 4 -.IX Item "-policy arg" -Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see -\&\s-1RFC5280\s0). The policy \fBarg\fR can be an object name an \s-1OID\s0 in numeric form. -This argument can appear more than once. -.IP "\fB\-policy_check\fR" 4 -.IX Item "-policy_check" -Enables certificate policy processing. -.IP "\fB\-explicit_policy\fR" 4 -.IX Item "-explicit_policy" -Set policy variable require-explicit-policy (see \s-1RFC5280\s0). -.IP "\fB\-inhibit_any\fR" 4 -.IX Item "-inhibit_any" -Set policy variable inhibit-any-policy (see \s-1RFC5280\s0). -.IP "\fB\-inhibit_map\fR" 4 -.IX Item "-inhibit_map" -Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0). -.IP "\fB\-no_alt_chains\fR" 4 -.IX Item "-no_alt_chains" -When building a certificate chain, if the first certificate chain found is not -trusted, then OpenSSL will continue to check to see if an alternative chain can -be found that is trusted. With this option that behaviour is suppressed so that -only the first chain found is ever used. Using this option will force the -behaviour to match that of previous OpenSSL versions. -.IP "\fB\-allow_proxy_certs\fR" 4 -.IX Item "-allow_proxy_certs" -Allow the verification of proxy certificates. -.IP "\fB\-trusted file\fR" 4 -.IX Item "-trusted file" -A file of additional trusted certificates. The file should contain multiple -certificates in \s-1PEM\s0 format concatenated together. -.IP "\fB\-policy_print\fR" 4 -.IX Item "-policy_print" -Print out diagnostics related to policy processing. -.IP "\fB\-crl_check\fR" 4 -.IX Item "-crl_check" -Checks end entity certificate validity by attempting to look up a valid \s-1CRL.\s0 -If a valid \s-1CRL\s0 cannot be found an error occurs. .IP "\fB\-crl_check_all\fR" 4 .IX Item "-crl_check_all" Checks the validity of \fBall\fR certificates in the chain by attempting to look up valid CRLs. +.IP "\fB\-engine id\fR" 4 +.IX Item "-engine id" +Specifying an engine \fBid\fR will cause \fIverify\fR\|(1) to attempt to load the +specified engine. +The engine will then be set as the default for all its supported algorithms. +If you want to load certificates or CRLs that require engine support via any of +the \fB\-trusted\fR, \fB\-untrusted\fR or \fB\-CRLfile\fR options, the \fB\-engine\fR option +must be specified before those options. +.IP "\fB\-explicit_policy\fR" 4 +.IX Item "-explicit_policy" +Set policy variable require-explicit-policy (see \s-1RFC5280\s0). +.IP "\fB\-extended_crl\fR" 4 +.IX Item "-extended_crl" +Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0 +signing keys. .IP "\fB\-ignore_critical\fR" 4 .IX Item "-ignore_critical" Normally if an unhandled critical extension is present which is not supported by OpenSSL the certificate is rejected (as required by \s-1RFC5280\s0). If this option is set critical extensions are ignored. +.IP "\fB\-inhibit_any\fR" 4 +.IX Item "-inhibit_any" +Set policy variable inhibit-any-policy (see \s-1RFC5280\s0). +.IP "\fB\-inhibit_map\fR" 4 +.IX Item "-inhibit_map" +Set policy variable inhibit-policy-mapping (see \s-1RFC5280\s0). +.IP "\fB\-nameopt option\fR" 4 +.IX Item "-nameopt option" +Option which determines how the subject or issuer names are displayed. The +\&\fBoption\fR argument can be a single option or multiple options separated by +commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to +set multiple options. See the \fIx509\fR\|(1) manual page for details. +.IP "\fB\-no_check_time\fR" 4 +.IX Item "-no_check_time" +This option suppresses checking the validity period of certificates and CRLs +against the current time. If option \fB\-attime timestamp\fR is used to specify +a verification time, the check is not suppressed. +.IP "\fB\-partial_chain\fR" 4 +.IX Item "-partial_chain" +Allow verification to succeed even if a \fIcomplete\fR chain cannot be built to a +self-signed trust-anchor, provided it is possible to construct a chain to a +trusted certificate that might not be self-signed. +.IP "\fB\-policy arg\fR" 4 +.IX Item "-policy arg" +Enable policy processing and add \fBarg\fR to the user-initial-policy-set (see +\&\s-1RFC5280\s0). The policy \fBarg\fR can be an object name an \s-1OID\s0 in numeric form. +This argument can appear more than once. +.IP "\fB\-policy_check\fR" 4 +.IX Item "-policy_check" +Enables certificate policy processing. +.IP "\fB\-policy_print\fR" 4 +.IX Item "-policy_print" +Print out diagnostics related to policy processing. +.IP "\fB\-purpose purpose\fR" 4 +.IX Item "-purpose purpose" +The intended use for the certificate. If this option is not specified, +\&\fBverify\fR will not consider certificate purpose during chain verification. +Currently accepted uses are \fBsslclient\fR, \fBsslserver\fR, \fBnssslserver\fR, +\&\fBsmimesign\fR, \fBsmimeencrypt\fR. See the \fB\s-1VERIFY OPERATION\s0\fR section for more +information. +.IP "\fB\-suiteB_128_only\fR, \fB\-suiteB_128\fR, \fB\-suiteB_192\fR" 4 +.IX Item "-suiteB_128_only, -suiteB_128, -suiteB_192" +Enable the Suite B mode operation at 128 bit Level of Security, 128 bit or +192 bit, or only 192 bit Level of Security respectively. +See \s-1RFC6460\s0 for details. In particular the supported signature algorithms are +reduced to support only \s-1ECDSA\s0 and \s-1SHA256\s0 or \s-1SHA384\s0 and only the elliptic curves +P\-256 and P\-384. +.IP "\fB\-trusted_first\fR" 4 +.IX Item "-trusted_first" +When constructing the certificate chain, use the trusted certificates specified +via \fB\-CAfile\fR, \fB\-CApath\fR or \fB\-trusted\fR before any certificates specified via +\&\fB\-untrusted\fR. +This can be useful in environments with Bridge or Cross-Certified CAs. +As of OpenSSL 1.1.0 this option is on by default and cannot be disabled. +.IP "\fB\-no_alt_chains\fR" 4 +.IX Item "-no_alt_chains" +By default, unless \fB\-trusted_first\fR is specified, when building a certificate +chain, if the first certificate chain found is not trusted, then OpenSSL will +attempt to replace untrusted issuer certificates with certificates from the +trust store to see if an alternative chain can be found that is trusted. +As of OpenSSL 1.1.0, with \fB\-trusted_first\fR always on, this option has no +effect. +.IP "\fB\-untrusted file\fR" 4 +.IX Item "-untrusted file" +A \fBfile\fR of additional untrusted certificates (intermediate issuer CAs) used +to construct a certificate chain from the subject certificate to a trust-anchor. +The \fBfile\fR should contain one or more certificates in \s-1PEM\s0 format. +This option can be specified more than once to include untrusted certificates +from multiple \fBfiles\fR. +.IP "\fB\-trusted file\fR" 4 +.IX Item "-trusted file" +A \fBfile\fR of trusted certificates, which must be self-signed, unless the +\&\fB\-partial_chain\fR option is specified. +The \fBfile\fR contains one or more certificates in \s-1PEM\s0 format. +With this option, no additional (e.g., default) certificate lists are +consulted. +That is, the only trust-anchors are those listed in \fBfile\fR. +This option can be specified more than once to include trusted certificates +from multiple \fBfiles\fR. +This option implies the \fB\-no\-CAfile\fR and \fB\-no\-CApath\fR options. +This option cannot be used in combination with either of the \fB\-CAfile\fR or +\&\fB\-CApath\fR options. +.IP "\fB\-use_deltas\fR" 4 +.IX Item "-use_deltas" +Enable support for delta CRLs. +.IP "\fB\-verbose\fR" 4 +.IX Item "-verbose" +Print extra information about the operations being performed. +.IP "\fB\-auth_level level\fR" 4 +.IX Item "-auth_level level" +Set the certificate chain authentication security level to \fBlevel\fR. +The authentication security level determines the acceptable signature and +public key strength when verifying certificate chains. +For a certificate chain to validate, the public keys of all the certificates +must meet the specified security \fBlevel\fR. +The signature algorithm security level is enforced for all the certificates in +the chain except for the chain's \fItrust anchor\fR, which is either directly +trusted or validated by means other than its signature. +See \fISSL_CTX_set_security_level\fR\|(3) for the definitions of the available +levels. +The default security level is \-1, or \*(L"not set\*(R". +At security level 0 or lower all algorithms are acceptable. +Security level 1 requires at least 80\-bit\-equivalent security and is broadly +interoperable, though it will, for example, reject \s-1MD5\s0 signatures or \s-1RSA\s0 keys +shorter than 1024 bits. +.IP "\fB\-verify_depth num\fR" 4 +.IX Item "-verify_depth num" +Limit the certificate chain to \fBnum\fR intermediate \s-1CA\s0 certificates. +A maximal depth chain can have up to \fBnum+2\fR certificates, since neither the +end-entity certificate nor the trust-anchor certificate count against the +\&\fB\-verify_depth\fR limit. +.IP "\fB\-verify_email email\fR" 4 +.IX Item "-verify_email email" +Verify if the \fBemail\fR matches the email address in Subject Alternative Name or +the email in the subject Distinguished Name. +.IP "\fB\-verify_hostname hostname\fR" 4 +.IX Item "-verify_hostname hostname" +Verify if the \fBhostname\fR matches \s-1DNS\s0 name in Subject Alternative Name or +Common Name in the subject certificate. +.IP "\fB\-verify_ip ip\fR" 4 +.IX Item "-verify_ip ip" +Verify if the \fBip\fR matches the \s-1IP\s0 address in Subject Alternative Name of +the subject certificate. +.IP "\fB\-verify_name name\fR" 4 +.IX Item "-verify_name name" +Use default verification policies like trust model and required certificate +policies identified by \fBname\fR. +The trust model determines which auxiliary trust or reject OIDs are applicable +to verifying the given certificate chain. +See the \fB\-addtrust\fR and \fB\-addreject\fR options of the \fIx509\fR\|(1) command-line +utility. +Supported policy names include: \fBdefault\fR, \fBpkcs7\fR, \fBsmime_sign\fR, +\&\fBssl_client\fR, \fBssl_server\fR. +These mimics the combinations of purpose and trust settings used in \s-1SSL, CMS\s0 +and S/MIME. +As of OpenSSL 1.1.0, the trust model is inferred from the purpose when not +specified, so the \fB\-verify_name\fR options are functionally equivalent to the +corresponding \fB\-purpose\fR settings. .IP "\fB\-x509_strict\fR" 4 .IX Item "-x509_strict" For strict X.509 compliance, disable non-compliant workarounds for broken certificates. -.IP "\fB\-extended_crl\fR" 4 -.IX Item "-extended_crl" -Enable extended \s-1CRL\s0 features such as indirect CRLs and alternate \s-1CRL\s0 -signing keys. -.IP "\fB\-use_deltas\fR" 4 -.IX Item "-use_deltas" -Enable support for delta CRLs. -.IP "\fB\-check_ss_sig\fR" 4 -.IX Item "-check_ss_sig" -Verify the signature on the self-signed root \s-1CA.\s0 This is disabled by default -because it doesn't add any security. +.IP "\fB\-show_chain\fR" 4 +.IX Item "-show_chain" +Display information about the certificate chain that has been built (if +successful). Certificates in the chain that came from the untrusted list will be +flagged as \*(L"untrusted\*(R". .IP "\fB\-\fR" 4 .IX Item "-" Indicates the last option. All arguments following this are assumed to be @@ -314,21 +428,21 @@ determined. The verify operation consists of a number of separate steps. .PP Firstly a certificate chain is built up starting from the supplied certificate -and ending in the root \s-1CA.\s0 It is an error if the whole chain cannot be built -up. The chain is built up by looking up the issuers certificate of the current -certificate. If a certificate is found which is its own issuer it is assumed -to be the root \s-1CA.\s0 +and ending in the root \s-1CA.\s0 +It is an error if the whole chain cannot be built up. +The chain is built up by looking up the issuers certificate of the current +certificate. +If a certificate is found which is its own issuer it is assumed to be the root +\&\s-1CA.\s0 .PP -The process of 'looking up the issuers certificate' itself involves a number -of steps. In versions of OpenSSL before 0.9.5a the first certificate whose -subject name matched the issuer of the current certificate was assumed to be -the issuers certificate. In OpenSSL 0.9.6 and later all certificates -whose subject name matches the issuer name of the current certificate are -subject to further tests. The relevant authority key identifier components -of the current certificate (if present) must match the subject key identifier -(if present) and issuer and serial number of the candidate issuer, in addition -the keyUsage extension of the candidate issuer (if present) must permit -certificate signing. +The process of 'looking up the issuers certificate' itself involves a number of +steps. +After all certificates whose subject name matches the issuer name of the current +certificate are subject to further tests. +The relevant authority key identifier components of the current certificate (if +present) must match the subject key identifier (if present) and issuer and +serial number of the candidate issuer, in addition the keyUsage extension of +the candidate issuer (if present) must permit certificate signing. .PP The lookup first looks in the list of untrusted certificates and if no match is found the remaining lookups are from the trusted certificates. The root \s-1CA\s0 @@ -343,10 +457,10 @@ compatible with the supplied purpose and all other certificates must also be val \&\s-1CA\s0 certificates. The precise extensions required are described in more detail in the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section of the \fBx509\fR utility. .PP -The third operation is to check the trust settings on the root \s-1CA.\s0 The root -\&\s-1CA\s0 should be trusted for the supplied purpose. For compatibility with previous -versions of SSLeay and OpenSSL a certificate with no trust settings is considered -to be valid for all purposes. +The third operation is to check the trust settings on the root \s-1CA.\s0 The root \s-1CA\s0 +should be trusted for the supplied purpose. +For compatibility with previous versions of OpenSSL, a certificate with no +trust settings is considered to be valid for all purposes. .PP The final operation is to check the validity of the certificate chain. The validity period is checked against the current system time and the notBefore and notAfter @@ -372,142 +486,291 @@ problem was detected starting with zero for the certificate being verified itsel then 1 for the \s-1CA\s0 that signed the certificate and so on. Finally a text version of the error number is presented. .PP -An exhaustive list of the error codes and messages is shown below, this also +A partial list of the error codes and messages is shown below, this also includes the name of the error code as defined in the header file x509_vfy.h Some of the error codes are defined but never returned: these are described as \*(L"unused\*(R". -.IP "\fB0 X509_V_OK: ok\fR" 4 -.IX Item "0 X509_V_OK: ok" -the operation was successful. -.IP "\fB2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate\fR" 4 -.IX Item "2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate" -the issuer certificate of a looked up certificate could not be found. This +.IP "\fBX509_V_OK\fR" 4 +.IX Item "X509_V_OK" +The operation was successful. +.IP "\fBX509_V_ERR_UNSPECIFIED\fR" 4 +.IX Item "X509_V_ERR_UNSPECIFIED" +Unspecified error; should not happen. +.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT" +The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete. -.IP "\fB3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate \s-1CRL\s0\fR" 4 -.IX Item "3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL" -the \s-1CRL\s0 of a certificate could not be found. -.IP "\fB4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature\fR" 4 -.IX Item "4 X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature" -the certificate signature could not be decrypted. This means that the actual signature value -could not be determined rather than it not matching the expected value, this is only -meaningful for \s-1RSA\s0 keys. -.IP "\fB5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt \s-1CRL\s0's signature\fR" 4 -.IX Item "5 X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature" -the \s-1CRL\s0 signature could not be decrypted: this means that the actual signature value -could not be determined rather than it not matching the expected value. Unused. -.IP "\fB6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key\fR" 4 -.IX Item "6 X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key" -the public key in the certificate SubjectPublicKeyInfo could not be read. -.IP "\fB7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure\fR" 4 -.IX Item "7 X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure" -the signature of the certificate is invalid. -.IP "\fB8 X509_V_ERR_CRL_SIGNATURE_FAILURE: \s-1CRL\s0 signature failure\fR" 4 -.IX Item "8 X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure" -the signature of the certificate is invalid. -.IP "\fB9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid\fR" 4 -.IX Item "9 X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid" -the certificate is not yet valid: the notBefore date is after the current time. -.IP "\fB10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired\fR" 4 -.IX Item "10 X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired" -the certificate has expired: that is the notAfter date is before the current time. -.IP "\fB11 X509_V_ERR_CRL_NOT_YET_VALID: \s-1CRL\s0 is not yet valid\fR" 4 -.IX Item "11 X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid" -the \s-1CRL\s0 is not yet valid. -.IP "\fB12 X509_V_ERR_CRL_HAS_EXPIRED: \s-1CRL\s0 has expired\fR" 4 -.IX Item "12 X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired" -the \s-1CRL\s0 has expired. -.IP "\fB13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field\fR" 4 -.IX Item "13 X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field" -the certificate notBefore field contains an invalid time. -.IP "\fB14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field\fR" 4 -.IX Item "14 X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field" -the certificate notAfter field contains an invalid time. -.IP "\fB15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in \s-1CRL\s0's lastUpdate field\fR" 4 -.IX Item "15 X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field" -the \s-1CRL\s0 lastUpdate field contains an invalid time. -.IP "\fB16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in \s-1CRL\s0's nextUpdate field\fR" 4 -.IX Item "16 X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field" -the \s-1CRL\s0 nextUpdate field contains an invalid time. -.IP "\fB17 X509_V_ERR_OUT_OF_MEM: out of memory\fR" 4 -.IX Item "17 X509_V_ERR_OUT_OF_MEM: out of memory" -an error occurred trying to allocate memory. This should never happen. -.IP "\fB18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate\fR" 4 -.IX Item "18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate" -the passed certificate is self signed and the same certificate cannot be found in the list of -trusted certificates. -.IP "\fB19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain\fR" 4 -.IX Item "19 X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain" -the certificate chain could be built up using the untrusted certificates but the root could not -be found locally. -.IP "\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate\fR" 4 -.IX Item "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate" -the issuer certificate could not be found: this occurs if the issuer +.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL" +The \s-1CRL\s0 of a certificate could not be found. +.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE" +The certificate signature could not be decrypted. This means that the +actual signature value could not be determined rather than it not matching +the expected value, this is only meaningful for \s-1RSA\s0 keys. +.IP "\fBX509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE" +The \s-1CRL\s0 signature could not be decrypted: this means that the actual +signature value could not be determined rather than it not matching the +expected value. Unused. +.IP "\fBX509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY" +The public key in the certificate SubjectPublicKeyInfo could not be read. +.IP "\fBX509_V_ERR_CERT_SIGNATURE_FAILURE\fR" 4 +.IX Item "X509_V_ERR_CERT_SIGNATURE_FAILURE" +The signature of the certificate is invalid. +.IP "\fBX509_V_ERR_CRL_SIGNATURE_FAILURE\fR" 4 +.IX Item "X509_V_ERR_CRL_SIGNATURE_FAILURE" +The signature of the certificate is invalid. +.IP "\fBX509_V_ERR_CERT_NOT_YET_VALID\fR" 4 +.IX Item "X509_V_ERR_CERT_NOT_YET_VALID" +The certificate is not yet valid: the notBefore date is after the +current time. +.IP "\fBX509_V_ERR_CERT_HAS_EXPIRED\fR" 4 +.IX Item "X509_V_ERR_CERT_HAS_EXPIRED" +The certificate has expired: that is the notAfter date is before the +current time. +.IP "\fBX509_V_ERR_CRL_NOT_YET_VALID\fR" 4 +.IX Item "X509_V_ERR_CRL_NOT_YET_VALID" +The \s-1CRL\s0 is not yet valid. +.IP "\fBX509_V_ERR_CRL_HAS_EXPIRED\fR" 4 +.IX Item "X509_V_ERR_CRL_HAS_EXPIRED" +The \s-1CRL\s0 has expired. +.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD\fR" 4 +.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD" +The certificate notBefore field contains an invalid time. +.IP "\fBX509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD\fR" 4 +.IX Item "X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD" +The certificate notAfter field contains an invalid time. +.IP "\fBX509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD\fR" 4 +.IX Item "X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD" +The \s-1CRL\s0 lastUpdate field contains an invalid time. +.IP "\fBX509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD\fR" 4 +.IX Item "X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD" +The \s-1CRL\s0 nextUpdate field contains an invalid time. +.IP "\fBX509_V_ERR_OUT_OF_MEM\fR" 4 +.IX Item "X509_V_ERR_OUT_OF_MEM" +An error occurred trying to allocate memory. This should never happen. +.IP "\fBX509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT\fR" 4 +.IX Item "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT" +The passed certificate is self-signed and the same certificate cannot +be found in the list of trusted certificates. +.IP "\fBX509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN\fR" 4 +.IX Item "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN" +The certificate chain could be built up using the untrusted certificates +but the root could not be found locally. +.IP "\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" +The issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found. -.IP "\fB21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate\fR" 4 -.IX Item "21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate" -no signatures could be verified because the chain contains only one certificate and it is not -self signed. -.IP "\fB22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long\fR" 4 -.IX Item "22 X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long" -the certificate chain length is greater than the supplied maximum depth. Unused. -.IP "\fB23 X509_V_ERR_CERT_REVOKED: certificate revoked\fR" 4 -.IX Item "23 X509_V_ERR_CERT_REVOKED: certificate revoked" -the certificate has been revoked. -.IP "\fB24 X509_V_ERR_INVALID_CA: invalid \s-1CA\s0 certificate\fR" 4 -.IX Item "24 X509_V_ERR_INVALID_CA: invalid CA certificate" -a \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions are not consistent -with the supplied purpose. -.IP "\fB25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded\fR" 4 -.IX Item "25 X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded" -the basicConstraints pathlength parameter has been exceeded. -.IP "\fB26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose\fR" 4 -.IX Item "26 X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose" -the supplied certificate cannot be used for the specified purpose. -.IP "\fB27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted\fR" 4 -.IX Item "27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted" -the root \s-1CA\s0 is not marked as trusted for the specified purpose. -.IP "\fB28 X509_V_ERR_CERT_REJECTED: certificate rejected\fR" 4 -.IX Item "28 X509_V_ERR_CERT_REJECTED: certificate rejected" -the root \s-1CA\s0 is marked to reject the specified purpose. -.IP "\fB29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch\fR" 4 -.IX Item "29 X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch" -the current candidate issuer certificate was rejected because its subject name -did not match the issuer name of the current certificate. Only displayed when -the \fB\-issuer_checks\fR option is set. -.IP "\fB30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch\fR" 4 -.IX Item "30 X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch" -the current candidate issuer certificate was rejected because its subject key -identifier was present and did not match the authority key identifier current -certificate. Only displayed when the \fB\-issuer_checks\fR option is set. -.IP "\fB31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch\fR" 4 -.IX Item "31 X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch" -the current candidate issuer certificate was rejected because its issuer name -and serial number was present and did not match the authority key identifier -of the current certificate. Only displayed when the \fB\-issuer_checks\fR option is set. -.IP "\fB32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing\fR" 4 -.IX Item "32 X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing" -the current candidate issuer certificate was rejected because its keyUsage extension -does not permit certificate signing. -.IP "\fB50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure\fR" 4 -.IX Item "50 X509_V_ERR_APPLICATION_VERIFICATION: application verification failure" -an application specific error. Unused. +.IP "\fBX509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" +No signatures could be verified because the chain contains only one +certificate and it is not self signed. +.IP "\fBX509_V_ERR_CERT_CHAIN_TOO_LONG\fR" 4 +.IX Item "X509_V_ERR_CERT_CHAIN_TOO_LONG" +The certificate chain length is greater than the supplied maximum +depth. Unused. +.IP "\fBX509_V_ERR_CERT_REVOKED\fR" 4 +.IX Item "X509_V_ERR_CERT_REVOKED" +The certificate has been revoked. +.IP "\fBX509_V_ERR_INVALID_CA\fR" 4 +.IX Item "X509_V_ERR_INVALID_CA" +A \s-1CA\s0 certificate is invalid. Either it is not a \s-1CA\s0 or its extensions +are not consistent with the supplied purpose. +.IP "\fBX509_V_ERR_PATH_LENGTH_EXCEEDED\fR" 4 +.IX Item "X509_V_ERR_PATH_LENGTH_EXCEEDED" +The basicConstraints pathlength parameter has been exceeded. +.IP "\fBX509_V_ERR_INVALID_PURPOSE\fR" 4 +.IX Item "X509_V_ERR_INVALID_PURPOSE" +The supplied certificate cannot be used for the specified purpose. +.IP "\fBX509_V_ERR_CERT_UNTRUSTED\fR" 4 +.IX Item "X509_V_ERR_CERT_UNTRUSTED" +The root \s-1CA\s0 is not marked as trusted for the specified purpose. +.IP "\fBX509_V_ERR_CERT_REJECTED\fR" 4 +.IX Item "X509_V_ERR_CERT_REJECTED" +The root \s-1CA\s0 is marked to reject the specified purpose. +.IP "\fBX509_V_ERR_SUBJECT_ISSUER_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_SUBJECT_ISSUER_MISMATCH" +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +\&\fB\-issuer_checks\fR option. +.IP "\fBX509_V_ERR_AKID_SKID_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_AKID_SKID_MISMATCH" +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +\&\fB\-issuer_checks\fR option. +.IP "\fBX509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH" +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +\&\fB\-issuer_checks\fR option. +.IP "\fBX509_V_ERR_KEYUSAGE_NO_CERTSIGN\fR" 4 +.IX Item "X509_V_ERR_KEYUSAGE_NO_CERTSIGN" +Not used as of OpenSSL 1.1.0 as a result of the deprecation of the +\&\fB\-issuer_checks\fR option. +.IP "\fBX509_V_ERR_UNABLE_TO_GET_CRL_ISSUER\fR" 4 +.IX Item "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER" +Unable to get \s-1CRL\s0 issuer certificate. +.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_EXTENSION\fR" 4 +.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION" +Unhandled critical extension. +.IP "\fBX509_V_ERR_KEYUSAGE_NO_CRL_SIGN\fR" 4 +.IX Item "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN" +Key usage does not include \s-1CRL\s0 signing. +.IP "\fBX509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION\fR" 4 +.IX Item "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION" +Unhandled critical \s-1CRL\s0 extension. +.IP "\fBX509_V_ERR_INVALID_NON_CA\fR" 4 +.IX Item "X509_V_ERR_INVALID_NON_CA" +Invalid non-CA certificate has \s-1CA\s0 markings. +.IP "\fBX509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED\fR" 4 +.IX Item "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED" +Proxy path length constraint exceeded. +.IP "\fBX509_V_ERR_PROXY_SUBJECT_INVALID\fR" 4 +.IX Item "X509_V_ERR_PROXY_SUBJECT_INVALID" +Proxy certificate subject is invalid. It \s-1MUST\s0 be the same as the issuer +with a single \s-1CN\s0 component added. +.IP "\fBX509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE\fR" 4 +.IX Item "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE" +Key usage does not include digital signature. +.IP "\fBX509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED\fR" 4 +.IX Item "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED" +Proxy certificates not allowed, please use \fB\-allow_proxy_certs\fR. +.IP "\fBX509_V_ERR_INVALID_EXTENSION\fR" 4 +.IX Item "X509_V_ERR_INVALID_EXTENSION" +Invalid or inconsistent certificate extension. +.IP "\fBX509_V_ERR_INVALID_POLICY_EXTENSION\fR" 4 +.IX Item "X509_V_ERR_INVALID_POLICY_EXTENSION" +Invalid or inconsistent certificate policy extension. +.IP "\fBX509_V_ERR_NO_EXPLICIT_POLICY\fR" 4 +.IX Item "X509_V_ERR_NO_EXPLICIT_POLICY" +No explicit policy. +.IP "\fBX509_V_ERR_DIFFERENT_CRL_SCOPE\fR" 4 +.IX Item "X509_V_ERR_DIFFERENT_CRL_SCOPE" +Different \s-1CRL\s0 scope. +.IP "\fBX509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE\fR" 4 +.IX Item "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE" +Unsupported extension feature. +.IP "\fBX509_V_ERR_UNNESTED_RESOURCE\fR" 4 +.IX Item "X509_V_ERR_UNNESTED_RESOURCE" +\&\s-1RFC 3779\s0 resource not subset of parent's resources. +.IP "\fBX509_V_ERR_PERMITTED_VIOLATION\fR" 4 +.IX Item "X509_V_ERR_PERMITTED_VIOLATION" +Permitted subtree violation. +.IP "\fBX509_V_ERR_EXCLUDED_VIOLATION\fR" 4 +.IX Item "X509_V_ERR_EXCLUDED_VIOLATION" +Excluded subtree violation. +.IP "\fBX509_V_ERR_SUBTREE_MINMAX\fR" 4 +.IX Item "X509_V_ERR_SUBTREE_MINMAX" +Name constraints minimum and maximum not supported. +.IP "\fBX509_V_ERR_APPLICATION_VERIFICATION\fR" 4 +.IX Item "X509_V_ERR_APPLICATION_VERIFICATION" +Application verification failure. Unused. +.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE\fR" 4 +.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE" +Unsupported name constraint type. +.IP "\fBX509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX\fR" 4 +.IX Item "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX" +Unsupported or invalid name constraint syntax. +.IP "\fBX509_V_ERR_UNSUPPORTED_NAME_SYNTAX\fR" 4 +.IX Item "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX" +Unsupported or invalid name syntax. +.IP "\fBX509_V_ERR_CRL_PATH_VALIDATION_ERROR\fR" 4 +.IX Item "X509_V_ERR_CRL_PATH_VALIDATION_ERROR" +\&\s-1CRL\s0 path validation error. +.IP "\fBX509_V_ERR_PATH_LOOP\fR" 4 +.IX Item "X509_V_ERR_PATH_LOOP" +Path loop. +.IP "\fBX509_V_ERR_SUITE_B_INVALID_VERSION\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_INVALID_VERSION" +Suite B: certificate version invalid. +.IP "\fBX509_V_ERR_SUITE_B_INVALID_ALGORITHM\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_INVALID_ALGORITHM" +Suite B: invalid public key algorithm. +.IP "\fBX509_V_ERR_SUITE_B_INVALID_CURVE\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_INVALID_CURVE" +Suite B: invalid \s-1ECC\s0 curve. +.IP "\fBX509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM" +Suite B: invalid signature algorithm. +.IP "\fBX509_V_ERR_SUITE_B_LOS_NOT_ALLOWED\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED" +Suite B: curve not allowed for this \s-1LOS.\s0 +.IP "\fBX509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256\fR" 4 +.IX Item "X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256" +Suite B: cannot sign P\-384 with P\-256. +.IP "\fBX509_V_ERR_HOSTNAME_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_HOSTNAME_MISMATCH" +Hostname mismatch. +.IP "\fBX509_V_ERR_EMAIL_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_EMAIL_MISMATCH" +Email address mismatch. +.IP "\fBX509_V_ERR_IP_ADDRESS_MISMATCH\fR" 4 +.IX Item "X509_V_ERR_IP_ADDRESS_MISMATCH" +\&\s-1IP\s0 address mismatch. +.IP "\fBX509_V_ERR_DANE_NO_MATCH\fR" 4 +.IX Item "X509_V_ERR_DANE_NO_MATCH" +\&\s-1DANE TLSA\s0 authentication is enabled, but no \s-1TLSA\s0 records matched the +certificate chain. +This error is only possible in \fIs_client\fR\|(1). +.IP "\fBX509_V_ERR_EE_KEY_TOO_SMALL\fR" 4 +.IX Item "X509_V_ERR_EE_KEY_TOO_SMALL" +\&\s-1EE\s0 certificate key too weak. +.IP "\fBX509_ERR_CA_KEY_TOO_SMALL\fR" 4 +.IX Item "X509_ERR_CA_KEY_TOO_SMALL" +\&\s-1CA\s0 certificate key too weak. +.IP "\fBX509_ERR_CA_MD_TOO_WEAK\fR" 4 +.IX Item "X509_ERR_CA_MD_TOO_WEAK" +\&\s-1CA\s0 signature digest algorithm too weak. +.IP "\fBX509_V_ERR_INVALID_CALL\fR" 4 +.IX Item "X509_V_ERR_INVALID_CALL" +nvalid certificate verification context. +.IP "\fBX509_V_ERR_STORE_LOOKUP\fR" 4 +.IX Item "X509_V_ERR_STORE_LOOKUP" +Issuer certificate lookup error. +.IP "\fBX509_V_ERR_NO_VALID_SCTS\fR" 4 +.IX Item "X509_V_ERR_NO_VALID_SCTS" +Certificate Transparency required, but no valid SCTs found. +.IP "\fBX509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION\fR" 4 +.IX Item "X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION" +Proxy subject name violation. +.IP "\fBX509_V_ERR_OCSP_VERIFY_NEEDED\fR" 4 +.IX Item "X509_V_ERR_OCSP_VERIFY_NEEDED" +Returned by the verify callback to indicate an \s-1OCSP\s0 verification is needed. +.IP "\fBX509_V_ERR_OCSP_VERIFY_FAILED\fR" 4 +.IX Item "X509_V_ERR_OCSP_VERIFY_FAILED" +Returned by the verify callback to indicate \s-1OCSP\s0 verification failed. +.IP "\fBX509_V_ERR_OCSP_CERT_UNKNOWN\fR" 4 +.IX Item "X509_V_ERR_OCSP_CERT_UNKNOWN" +Returned by the verify callback to indicate that the certificate is not recognized +by the \s-1OCSP\s0 responder. .SH "BUGS" .IX Header "BUGS" -Although the issuer checks are a considerable improvement over the old technique they still -suffer from limitations in the underlying X509_LOOKUP \s-1API.\s0 One consequence of this is that -trusted certificates with matching subject name must either appear in a file (as specified by the -\&\fB\-CAfile\fR option) or a directory (as specified by \fB\-CApath\fR. If they occur in both then only -the certificates in the file will be recognised. +Although the issuer checks are a considerable improvement over the old +technique they still suffer from limitations in the underlying X509_LOOKUP +\&\s-1API.\s0 One consequence of this is that trusted certificates with matching +subject name must either appear in a file (as specified by the \fB\-CAfile\fR +option) or a directory (as specified by \fB\-CApath\fR). If they occur in +both then only the certificates in the file will be recognised. .PP -Previous versions of OpenSSL assume certificates with matching subject name are identical and -mishandled them. +Previous versions of OpenSSL assume certificates with matching subject +name are identical and mishandled them. .PP Previous versions of this documentation swapped the meaning of the \&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT\fR and -\&\fB20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR error codes. +\&\fBX509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\fR error codes. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIx509\fR\|(1) .SH "HISTORY" .IX Header "HISTORY" -The \-no_alt_chains options was first added to OpenSSL 1.0.2b. +The \fB\-show_chain\fR option was first added to OpenSSL 1.1.0. +.PP +The \fB\-issuer_checks\fR option is deprecated as of OpenSSL 1.1.0 and +is silently ignored. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/version.1 b/secure/usr.bin/openssl/man/version.1 index df5ab0084033..f2f60adb8b68 100644 --- a/secure/usr.bin/openssl/man/version.1 +++ b/secure/usr.bin/openssl/man/version.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "VERSION 1" -.TH VERSION 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH VERSION 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-version, -version \- print OpenSSL version information +openssl\-version, version \- print OpenSSL version information .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl version\fR +[\fB\-help\fR] [\fB\-a\fR] [\fB\-v\fR] [\fB\-b\fR] @@ -147,36 +147,48 @@ version \- print OpenSSL version information [\fB\-f\fR] [\fB\-p\fR] [\fB\-d\fR] +[\fB\-e\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" This command is used to print out version information about OpenSSL. .SH "OPTIONS" .IX Header "OPTIONS" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-a\fR" 4 .IX Item "-a" -all information, this is the same as setting all the other flags. +All information, this is the same as setting all the other flags. .IP "\fB\-v\fR" 4 .IX Item "-v" -the current OpenSSL version. +The current OpenSSL version. .IP "\fB\-b\fR" 4 .IX Item "-b" -the date the current version of OpenSSL was built. +The date the current version of OpenSSL was built. .IP "\fB\-o\fR" 4 .IX Item "-o" -option information: various options set when the library was built. +Option information: various options set when the library was built. .IP "\fB\-f\fR" 4 .IX Item "-f" -compilation flags. +Compilation flags. .IP "\fB\-p\fR" 4 .IX Item "-p" -platform setting. +Platform setting. .IP "\fB\-d\fR" 4 .IX Item "-d" \&\s-1OPENSSLDIR\s0 setting. +.IP "\fB\-e\fR" 4 +.IX Item "-e" +\&\s-1ENGINESDIR\s0 setting. .SH "NOTES" .IX Header "NOTES" The output of \fBopenssl version \-a\fR would typically be used when sending in a bug report. -.SH "HISTORY" -.IX Header "HISTORY" -The \fB\-d\fR option was added in OpenSSL 0.9.7. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/x509.1 b/secure/usr.bin/openssl/man/x509.1 index df969c81ed3f..8a657bf02173 100644 --- a/secure/usr.bin/openssl/man/x509.1 +++ b/secure/usr.bin/openssl/man/x509.1 @@ -129,17 +129,17 @@ .\" ======================================================================== .\" .IX Title "X509 1" -.TH X509 1 "2018-08-14" "1.0.2p" "OpenSSL" +.TH X509 1 "2018-09-11" "1.1.1" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" -openssl\-x509, -x509 \- Certificate display and signing utility +openssl\-x509, x509 \- Certificate display and signing utility .SH "SYNOPSIS" .IX Header "SYNOPSIS" \&\fBopenssl\fR \fBx509\fR +[\fB\-help\fR] [\fB\-inform DER|PEM|NET\fR] [\fB\-outform DER|PEM|NET\fR] [\fB\-keyform DER|PEM\fR] @@ -185,13 +185,17 @@ x509 \- Certificate display and signing utility [\fB\-CAserial filename\fR] [\fB\-force_pubkey key\fR] [\fB\-text\fR] +[\fB\-ext extensions\fR] [\fB\-certopt option\fR] [\fB\-C\fR] -[\fB\-md2|\-md5|\-sha1|\-mdc2\fR] +[\fB\-\f(BIdigest\fB\fR] [\fB\-clrext\fR] [\fB\-extfile filename\fR] [\fB\-extensions section\fR] +[\fB\-rand file...\fR] +[\fB\-writerand file\fR] [\fB\-engine id\fR] +[\fB\-preserve_dates\fR] .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBx509\fR command is a multi purpose certificate utility. It can be @@ -203,8 +207,11 @@ Since there are a large number of options they will split up into various sections. .SH "OPTIONS" .IX Header "OPTIONS" -.SS "\s-1INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS\s0" -.IX Subsection "INPUT, OUTPUT AND GENERAL PURPOSE OPTIONS" +.SS "Input, Output, and General Purpose Options" +.IX Subsection "Input, Output, and General Purpose Options" +.IP "\fB\-help\fR" 4 +.IX Item "-help" +Print out a usage message. .IP "\fB\-inform DER|PEM|NET\fR" 4 .IX Item "-inform DER|PEM|NET" This specifies the input format normally the command will expect an X509 @@ -212,11 +219,11 @@ certificate but this can change if other options such as \fB\-req\fR are present. The \s-1DER\s0 format is the \s-1DER\s0 encoding of the certificate and \s-1PEM\s0 is the base64 encoding of the \s-1DER\s0 encoding with header and footer lines added. The \s-1NET\s0 option is an obscure Netscape server format that is now -obsolete. +obsolete. The default format is \s-1PEM.\s0 .IP "\fB\-outform DER|PEM|NET\fR" 4 .IX Item "-outform DER|PEM|NET" -This specifies the output format, the options have the same meaning as the -\&\fB\-inform\fR option. +This specifies the output format, the options have the same meaning and default +as the \fB\-inform\fR option. .IP "\fB\-in filename\fR" 4 .IX Item "-in filename" This specifies the input filename to read a certificate from or standard input @@ -225,98 +232,120 @@ if this option is not specified. .IX Item "-out filename" This specifies the output filename to write to or standard output by default. -.IP "\fB\-md2|\-md5|\-sha1|\-mdc2\fR" 4 -.IX Item "-md2|-md5|-sha1|-mdc2" -the digest to use. This affects any signing or display option that uses a message -digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. If not -specified then \s-1SHA1\s0 is used. If the key being used to sign with is a \s-1DSA\s0 key -then this option has no effect: \s-1SHA1\s0 is always used with \s-1DSA\s0 keys. +.IP "\fB\-\f(BIdigest\fB\fR" 4 +.IX Item "-digest" +The digest to use. +This affects any signing or display option that uses a message +digest, such as the \fB\-fingerprint\fR, \fB\-signkey\fR and \fB\-CA\fR options. +Any digest supported by the OpenSSL \fBdgst\fR command can be used. +If not specified then \s-1SHA1\s0 is used with \fB\-fingerprint\fR or +the default digest for the signing algorithm is used, typically \s-1SHA256.\s0 +.IP "\fB\-rand file...\fR" 4 +.IX Item "-rand file..." +A file or files containing random data used to seed the random number +generator. +Multiple files can be specified separated by an OS-dependent character. +The separator is \fB;\fR for MS-Windows, \fB,\fR for OpenVMS, and \fB:\fR for +all others. +.IP "[\fB\-writerand file\fR]" 4 +.IX Item "[-writerand file]" +Writes random data to the specified \fIfile\fR upon exit. +This can be used with a subsequent \fB\-rand\fR flag. .IP "\fB\-engine id\fR" 4 .IX Item "-engine id" -specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR +Specifying an engine (by its unique \fBid\fR string) will cause \fBx509\fR to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. -.SS "\s-1DISPLAY OPTIONS\s0" -.IX Subsection "DISPLAY OPTIONS" +.IP "\fB\-preserve_dates\fR" 4 +.IX Item "-preserve_dates" +When signing a certificate, preserve the \*(L"notBefore\*(R" and \*(L"notAfter\*(R" dates instead +of adjusting them to current time and duration. Cannot be used with the \fB\-days\fR option. +.SS "Display Options" +.IX Subsection "Display Options" Note: the \fB\-alias\fR and \fB\-purpose\fR options are also display options but are described in the \fB\s-1TRUST SETTINGS\s0\fR section. .IP "\fB\-text\fR" 4 .IX Item "-text" -prints out the certificate in text form. Full details are output including the +Prints out the certificate in text form. Full details are output including the public key, signature algorithms, issuer and subject names, serial number any extensions present and any trust settings. +.IP "\fB\-ext extensions\fR" 4 +.IX Item "-ext extensions" +Prints out the certificate extensions in text form. Extensions are specified +with a comma separated string, e.g., \*(L"subjectAltName,subjectKeyIdentifier\*(R". +See the \fIx509v3_config\fR\|(5) manual page for the extension names. .IP "\fB\-certopt option\fR" 4 .IX Item "-certopt option" -customise the output format used with \fB\-text\fR. The \fBoption\fR argument can be -a single option or multiple options separated by commas. The \fB\-certopt\fR switch -may be also be used more than once to set multiple options. See the \fB\s-1TEXT OPTIONS\s0\fR -section for more information. +Customise the output format used with \fB\-text\fR. The \fBoption\fR argument +can be a single option or multiple options separated by commas. The +\&\fB\-certopt\fR switch may be also be used more than once to set multiple +options. See the \fB\s-1TEXT OPTIONS\s0\fR section for more information. .IP "\fB\-noout\fR" 4 .IX Item "-noout" -this option prevents output of the encoded version of the request. +This option prevents output of the encoded version of the request. .IP "\fB\-pubkey\fR" 4 .IX Item "-pubkey" -outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format. +Outputs the certificate's SubjectPublicKeyInfo block in \s-1PEM\s0 format. .IP "\fB\-modulus\fR" 4 .IX Item "-modulus" -this option prints out the value of the modulus of the public key +This option prints out the value of the modulus of the public key contained in the certificate. .IP "\fB\-serial\fR" 4 .IX Item "-serial" -outputs the certificate serial number. +Outputs the certificate serial number. .IP "\fB\-subject_hash\fR" 4 .IX Item "-subject_hash" -outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to +Outputs the \*(L"hash\*(R" of the certificate subject name. This is used in OpenSSL to form an index to allow certificates in a directory to be looked up by subject name. .IP "\fB\-issuer_hash\fR" 4 .IX Item "-issuer_hash" -outputs the \*(L"hash\*(R" of the certificate issuer name. +Outputs the \*(L"hash\*(R" of the certificate issuer name. .IP "\fB\-ocspid\fR" 4 .IX Item "-ocspid" -outputs the \s-1OCSP\s0 hash values for the subject name and public key. +Outputs the \s-1OCSP\s0 hash values for the subject name and public key. .IP "\fB\-hash\fR" 4 .IX Item "-hash" -synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons. +Synonym for \*(L"\-subject_hash\*(R" for backward compatibility reasons. .IP "\fB\-subject_hash_old\fR" 4 .IX Item "-subject_hash_old" -outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm -as used by OpenSSL versions before 1.0.0. +Outputs the \*(L"hash\*(R" of the certificate subject name using the older algorithm +as used by OpenSSL before version 1.0.0. .IP "\fB\-issuer_hash_old\fR" 4 .IX Item "-issuer_hash_old" -outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm -as used by OpenSSL versions before 1.0.0. +Outputs the \*(L"hash\*(R" of the certificate issuer name using the older algorithm +as used by OpenSSL before version 1.0.0. .IP "\fB\-subject\fR" 4 .IX Item "-subject" -outputs the subject name. +Outputs the subject name. .IP "\fB\-issuer\fR" 4 .IX Item "-issuer" -outputs the issuer name. +Outputs the issuer name. .IP "\fB\-nameopt option\fR" 4 .IX Item "-nameopt option" -option which determines how the subject or issuer names are displayed. The +Option which determines how the subject or issuer names are displayed. The \&\fBoption\fR argument can be a single option or multiple options separated by commas. Alternatively the \fB\-nameopt\fR switch may be used more than once to set multiple options. See the \fB\s-1NAME OPTIONS\s0\fR section for more information. .IP "\fB\-email\fR" 4 .IX Item "-email" -outputs the email address(es) if any. +Outputs the email address(es) if any. .IP "\fB\-ocsp_uri\fR" 4 .IX Item "-ocsp_uri" -outputs the \s-1OCSP\s0 responder address(es) if any. +Outputs the \s-1OCSP\s0 responder address(es) if any. .IP "\fB\-startdate\fR" 4 .IX Item "-startdate" -prints out the start date of the certificate, that is the notBefore date. +Prints out the start date of the certificate, that is the notBefore date. .IP "\fB\-enddate\fR" 4 .IX Item "-enddate" -prints out the expiry date of the certificate, that is the notAfter date. +Prints out the expiry date of the certificate, that is the notAfter date. .IP "\fB\-dates\fR" 4 .IX Item "-dates" -prints out the start and expiry dates of a certificate. +Prints out the start and expiry dates of a certificate. .IP "\fB\-checkend arg\fR" 4 .IX Item "-checkend arg" -checks if the certificate expires within the next \fBarg\fR seconds and exits +Checks if the certificate expires within the next \fBarg\fR seconds and exits non-zero if yes it will expire or zero if not. .IP "\fB\-fingerprint\fR" 4 .IX Item "-fingerprint" @@ -327,11 +356,9 @@ digests, the fingerprint of a certificate is unique to that certificate and two certificates with the same fingerprint can be considered to be the same. .IP "\fB\-C\fR" 4 .IX Item "-C" -this outputs the certificate in the form of a C source file. -.SS "\s-1TRUST SETTINGS\s0" -.IX Subsection "TRUST SETTINGS" -Please note these options are currently experimental and may well change. -.PP +This outputs the certificate in the form of a C source file. +.SS "Trust Settings" +.IX Subsection "Trust Settings" A \fBtrusted certificate\fR is an ordinary certificate which has several additional pieces of information attached to it such as the permitted and prohibited uses of the certificate and an \*(L"alias\*(R". @@ -352,46 +379,49 @@ Future versions of OpenSSL will recognize trust settings on any certificate: not just root CAs. .IP "\fB\-trustout\fR" 4 .IX Item "-trustout" -this causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary +This causes \fBx509\fR to output a \fBtrusted\fR certificate. An ordinary or trusted certificate can be input but by default an ordinary certificate is output and any trust settings are discarded. With the \&\fB\-trustout\fR option a trusted certificate is output. A trusted certificate is automatically output if any trust settings are modified. .IP "\fB\-setalias arg\fR" 4 .IX Item "-setalias arg" -sets the alias of the certificate. This will allow the certificate +Sets the alias of the certificate. This will allow the certificate to be referred to using a nickname for example \*(L"Steve's Certificate\*(R". .IP "\fB\-alias\fR" 4 .IX Item "-alias" -outputs the certificate alias, if any. +Outputs the certificate alias, if any. .IP "\fB\-clrtrust\fR" 4 .IX Item "-clrtrust" -clears all the permitted or trusted uses of the certificate. +Clears all the permitted or trusted uses of the certificate. .IP "\fB\-clrreject\fR" 4 .IX Item "-clrreject" -clears all the prohibited or rejected uses of the certificate. +Clears all the prohibited or rejected uses of the certificate. .IP "\fB\-addtrust arg\fR" 4 .IX Item "-addtrust arg" -adds a trusted certificate use. Any object name can be used here -but currently only \fBclientAuth\fR (\s-1SSL\s0 client use), \fBserverAuth\fR -(\s-1SSL\s0 server use) and \fBemailProtection\fR (S/MIME email) are used. +Adds a trusted certificate use. +Any object name can be used here but currently only \fBclientAuth\fR (\s-1SSL\s0 client +use), \fBserverAuth\fR (\s-1SSL\s0 server use), \fBemailProtection\fR (S/MIME email) and +\&\fBanyExtendedKeyUsage\fR are used. +As of OpenSSL 1.1.0, the last of these blocks all purposes when rejected or +enables all purposes when trusted. Other OpenSSL applications may define additional uses. .IP "\fB\-addreject arg\fR" 4 .IX Item "-addreject arg" -adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR +Adds a prohibited use. It accepts the same values as the \fB\-addtrust\fR option. .IP "\fB\-purpose\fR" 4 .IX Item "-purpose" -this option performs tests on the certificate extensions and outputs +This option performs tests on the certificate extensions and outputs the results. For a more complete description see the \fB\s-1CERTIFICATE EXTENSIONS\s0\fR section. -.SS "\s-1SIGNING OPTIONS\s0" -.IX Subsection "SIGNING OPTIONS" +.SS "Signing Options" +.IX Subsection "Signing Options" The \fBx509\fR utility can be used to sign certificates and requests: it can thus behave like a \*(L"mini \s-1CA\*(R".\s0 .IP "\fB\-signkey filename\fR" 4 .IX Item "-signkey filename" -this option causes the input file to be self signed using the supplied +This option causes the input file to be self signed using the supplied private key. .Sp If the input file is a certificate it sets the issuer name to the @@ -399,49 +429,49 @@ subject name (i.e. makes it self signed) changes the public key to the supplied value and changes the start and end dates. The start date is set to the current time and the end date is set to a value determined by the \fB\-days\fR option. Any certificate extensions are retained unless -the \fB\-clrext\fR option is supplied. +the \fB\-clrext\fR option is supplied; this includes, for example, any existing +key identifier extensions. .Sp If the input is a certificate request then a self signed certificate is created using the supplied private key using the subject name in the request. .IP "\fB\-passin arg\fR" 4 .IX Item "-passin arg" -the key password source. For more information about the format of \fBarg\fR +The key password source. For more information about the format of \fBarg\fR see the \fB\s-1PASS PHRASE ARGUMENTS\s0\fR section in \fIopenssl\fR\|(1). .IP "\fB\-clrext\fR" 4 .IX Item "-clrext" -delete any extensions from a certificate. This option is used when a +Delete any extensions from a certificate. This option is used when a certificate is being created from another certificate (for example with the \fB\-signkey\fR or the \fB\-CA\fR options). Normally all extensions are retained. .IP "\fB\-keyform PEM|DER\fR" 4 .IX Item "-keyform PEM|DER" -specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the +Specifies the format (\s-1DER\s0 or \s-1PEM\s0) of the private key file used in the \&\fB\-signkey\fR option. .IP "\fB\-days arg\fR" 4 .IX Item "-days arg" -specifies the number of days to make a certificate valid for. The default -is 30 days. +Specifies the number of days to make a certificate valid for. The default +is 30 days. Cannot be used with the \fB\-preserve_dates\fR option. .IP "\fB\-x509toreq\fR" 4 .IX Item "-x509toreq" -converts a certificate into a certificate request. The \fB\-signkey\fR option +Converts a certificate into a certificate request. The \fB\-signkey\fR option is used to pass the required private key. .IP "\fB\-req\fR" 4 .IX Item "-req" -by default a certificate is expected on input. With this option a +By default a certificate is expected on input. With this option a certificate request is expected instead. .IP "\fB\-set_serial n\fR" 4 .IX Item "-set_serial n" -specifies the serial number to use. This option can be used with either +Specifies the serial number to use. This option can be used with either the \fB\-signkey\fR or \fB\-CA\fR options. If used in conjunction with the \fB\-CA\fR option the serial number file (as specified by the \fB\-CAserial\fR or \&\fB\-CAcreateserial\fR options) is not used. .Sp -The serial number can be decimal or hex (if preceded by \fB0x\fR). Negative -serial numbers can also be specified but their use is not recommended. +The serial number can be decimal or hex (if preceded by \fB0x\fR). .IP "\fB\-CA filename\fR" 4 .IX Item "-CA filename" -specifies the \s-1CA\s0 certificate to be used for signing. When this option is +Specifies the \s-1CA\s0 certificate to be used for signing. When this option is present \fBx509\fR behaves like a \*(L"mini \s-1CA\*(R".\s0 The input file is signed by this \&\s-1CA\s0 using this option: that is its issuer name is set to the subject name of the \s-1CA\s0 and it is digitally signed using the CAs private key. @@ -450,34 +480,35 @@ This option is normally combined with the \fB\-req\fR option. Without the \&\fB\-req\fR option the input is a certificate which must be self signed. .IP "\fB\-CAkey filename\fR" 4 .IX Item "-CAkey filename" -sets the \s-1CA\s0 private key to sign a certificate with. If this option is +Sets the \s-1CA\s0 private key to sign a certificate with. If this option is not specified then it is assumed that the \s-1CA\s0 private key is present in the \s-1CA\s0 certificate file. .IP "\fB\-CAserial filename\fR" 4 .IX Item "-CAserial filename" -sets the \s-1CA\s0 serial number file to use. +Sets the \s-1CA\s0 serial number file to use. .Sp When the \fB\-CA\fR option is used to sign a certificate it uses a serial -number specified in a file. This file consist of one line containing +number specified in a file. This file consists of one line containing an even number of hex digits with the serial number to use. After each use the serial number is incremented and written out to the file again. .Sp The default filename consists of the \s-1CA\s0 certificate file base name with -\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called +\&\*(L".srl\*(R" appended. For example if the \s-1CA\s0 certificate file is called \&\*(L"mycacert.pem\*(R" it expects to find a serial number file called \*(L"mycacert.srl\*(R". .IP "\fB\-CAcreateserial\fR" 4 .IX Item "-CAcreateserial" -with this option the \s-1CA\s0 serial number file is created if it does not exist: +With this option the \s-1CA\s0 serial number file is created if it does not exist: it will contain the serial number \*(L"02\*(R" and the certificate being signed will -have the 1 as its serial number. Normally if the \fB\-CA\fR option is specified -and the serial number file does not exist it is an error. +have the 1 as its serial number. If the \fB\-CA\fR option is specified +and the serial number file does not exist a random number is generated; +this is the recommended practice. .IP "\fB\-extfile filename\fR" 4 .IX Item "-extfile filename" -file containing certificate extensions to use. If not specified then +File containing certificate extensions to use. If not specified then no extensions are added to the certificate. .IP "\fB\-extensions section\fR" 4 .IX Item "-extensions section" -the section to add certificate extensions from. If this option is not +The section to add certificate extensions from. If this option is not specified then the extensions should either be contained in the unnamed (default) section or the default section should contain a variable called \&\*(L"extensions\*(R" which contains the section to use. See the @@ -485,14 +516,14 @@ specified then the extensions should either be contained in the unnamed extension section format. .IP "\fB\-force_pubkey key\fR" 4 .IX Item "-force_pubkey key" -when a certificate is created set its public key to \fBkey\fR instead of the +When a certificate is created set its public key to \fBkey\fR instead of the key in the certificate or certificate request. This option is useful for creating certificates where the algorithm can't normally sign requests, for example \s-1DH.\s0 .Sp The format or \fBkey\fR can be specified using the \fB\-keyform\fR option. -.SS "\s-1NAME OPTIONS\s0" -.IX Subsection "NAME OPTIONS" +.SS "Name Options" +.IX Subsection "Name Options" The \fBnameopt\fR command line switch determines how the subject and issuer names are displayed. If no \fBnameopt\fR switch is present the default \*(L"oneline\*(R" format is used which is compatible with previous versions of OpenSSL. @@ -500,44 +531,48 @@ Each option is described in detail below, all options can be preceded by a \fB\-\fR to turn the option off. Only the first four will normally be used. .IP "\fBcompat\fR" 4 .IX Item "compat" -use the old format. This is equivalent to specifying no name options at all. +Use the old format. .IP "\fB\s-1RFC2253\s0\fR" 4 .IX Item "RFC2253" -displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, +Displays names compatible with \s-1RFC2253\s0 equivalent to \fBesc_2253\fR, \fBesc_ctrl\fR, \&\fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \fBdump_unknown\fR, \fBdump_der\fR, \&\fBsep_comma_plus\fR, \fBdn_rev\fR and \fBsname\fR. .IP "\fBoneline\fR" 4 .IX Item "oneline" -a oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to +A oneline format which is more readable than \s-1RFC2253.\s0 It is equivalent to specifying the \fBesc_2253\fR, \fBesc_ctrl\fR, \fBesc_msb\fR, \fButf8\fR, \fBdump_nostr\fR, \&\fBdump_der\fR, \fBuse_quote\fR, \fBsep_comma_plus_space\fR, \fBspace_eq\fR and \fBsname\fR -options. +options. This is the \fIdefault\fR of no name options are given explicitly. .IP "\fBmultiline\fR" 4 .IX Item "multiline" -a multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, +A multiline format. It is equivalent \fBesc_ctrl\fR, \fBesc_msb\fR, \fBsep_multiline\fR, \&\fBspace_eq\fR, \fBlname\fR and \fBalign\fR. .IP "\fBesc_2253\fR" 4 .IX Item "esc_2253" -escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field That is +Escape the \*(L"special\*(R" characters required by \s-1RFC2253\s0 in a field. That is \&\fB,+"<>;\fR. Additionally \fB#\fR is escaped at the beginning of a string and a space character at the beginning or end of a string. +.IP "\fBesc_2254\fR" 4 +.IX Item "esc_2254" +Escape the \*(L"special\*(R" characters required by \s-1RFC2254\s0 in a field. That is +the \fB\s-1NUL\s0\fR character as well as and \fB()*\fR. .IP "\fBesc_ctrl\fR" 4 .IX Item "esc_ctrl" -escape control characters. That is those with \s-1ASCII\s0 values less than +Escape control characters. That is those with \s-1ASCII\s0 values less than 0x20 (space) and the delete (0x7f) character. They are escaped using the \&\s-1RFC2253\s0 \eXX notation (where \s-1XX\s0 are two hex digits representing the character value). .IP "\fBesc_msb\fR" 4 .IX Item "esc_msb" -escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than +Escape characters with the \s-1MSB\s0 set, that is with \s-1ASCII\s0 values larger than 127. .IP "\fBuse_quote\fR" 4 .IX Item "use_quote" -escapes some characters by surrounding the whole string with \fB"\fR characters, +Escapes some characters by surrounding the whole string with \fB"\fR characters, without the option all escaping is done with the \fB\e\fR character. .IP "\fButf8\fR" 4 .IX Item "utf8" -convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If +Convert all strings to \s-1UTF8\s0 format first. This is required by \s-1RFC2253.\s0 If you are lucky enough to have a \s-1UTF8\s0 compatible terminal then the use of this option (and \fBnot\fR setting \fBesc_msb\fR) may result in the correct display of multibyte (international) characters. Is this option is not @@ -547,35 +582,35 @@ Also if this option is off any UTF8Strings will be converted to their character form first. .IP "\fBignore_type\fR" 4 .IX Item "ignore_type" -this option does not attempt to interpret multibyte characters in any +This option does not attempt to interpret multibyte characters in any way. That is their content octets are merely dumped as though one octet represents each character. This is useful for diagnostic purposes but will result in rather odd looking output. .IP "\fBshow_type\fR" 4 .IX Item "show_type" -show the type of the \s-1ASN1\s0 character string. The type precedes the +Show the type of the \s-1ASN1\s0 character string. The type precedes the field contents. For example \*(L"\s-1BMPSTRING:\s0 Hello World\*(R". .IP "\fBdump_der\fR" 4 .IX Item "dump_der" -when this option is set any fields that need to be hexdumped will +When this option is set any fields that need to be hexdumped will be dumped using the \s-1DER\s0 encoding of the field. Otherwise just the content octets will be displayed. Both options use the \s-1RFC2253\s0 \&\fB#XXXX...\fR format. .IP "\fBdump_nostr\fR" 4 .IX Item "dump_nostr" -dump non character string types (for example \s-1OCTET STRING\s0) if this +Dump non character string types (for example \s-1OCTET STRING\s0) if this option is not set then non character string types will be displayed as though each content octet represents a single character. .IP "\fBdump_all\fR" 4 .IX Item "dump_all" -dump all fields. This option when used with \fBdump_der\fR allows the +Dump all fields. This option when used with \fBdump_der\fR allows the \&\s-1DER\s0 encoding of the structure to be unambiguously determined. .IP "\fBdump_unknown\fR" 4 .IX Item "dump_unknown" -dump any field whose \s-1OID\s0 is not recognised by OpenSSL. +Dump any field whose \s-1OID\s0 is not recognised by OpenSSL. .IP "\fBsep_comma_plus\fR, \fBsep_comma_plus_space\fR, \fBsep_semi_plus_space\fR, \fBsep_multiline\fR" 4 .IX Item "sep_comma_plus, sep_comma_plus_space, sep_semi_plus_space, sep_multiline" -these options determine the field separators. The first character is +These options determine the field separators. The first character is between RDNs and the second between multiple AVAs (multiple AVAs are very rare and their use is discouraged). The options ending in \&\*(L"space\*(R" additionally place a space after the separator to make it @@ -585,80 +620,82 @@ indents the fields by four characters. If no field separator is specified then \fBsep_comma_plus_space\fR is used by default. .IP "\fBdn_rev\fR" 4 .IX Item "dn_rev" -reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side +Reverse the fields of the \s-1DN.\s0 This is required by \s-1RFC2253.\s0 As a side effect this also reverses the order of multiple AVAs but this is permissible. .IP "\fBnofname\fR, \fBsname\fR, \fBlname\fR, \fBoid\fR" 4 .IX Item "nofname, sname, lname, oid" -these options alter how the field name is displayed. \fBnofname\fR does +These options alter how the field name is displayed. \fBnofname\fR does not display the field at all. \fBsname\fR uses the \*(L"short name\*(R" form (\s-1CN\s0 for commonName for example). \fBlname\fR uses the long form. \&\fBoid\fR represents the \s-1OID\s0 in numerical form and is useful for diagnostic purpose. .IP "\fBalign\fR" 4 .IX Item "align" -align field values for a more readable output. Only usable with +Align field values for a more readable output. Only usable with \&\fBsep_multiline\fR. .IP "\fBspace_eq\fR" 4 .IX Item "space_eq" -places spaces round the \fB=\fR character which follows the field +Places spaces round the \fB=\fR character which follows the field name. -.SS "\s-1TEXT OPTIONS\s0" -.IX Subsection "TEXT OPTIONS" +.SS "Text Options" +.IX Subsection "Text Options" As well as customising the name output format, it is also possible to customise the actual fields printed using the \fBcertopt\fR options when the \fBtext\fR option is present. The default behaviour is to print all fields. .IP "\fBcompatible\fR" 4 .IX Item "compatible" -use the old format. This is equivalent to specifying no output options at all. +Use the old format. This is equivalent to specifying no output options at all. .IP "\fBno_header\fR" 4 .IX Item "no_header" -don't print header information: that is the lines saying \*(L"Certificate\*(R" and \*(L"Data\*(R". +Don't print header information: that is the lines saying \*(L"Certificate\*(R" +and \*(L"Data\*(R". .IP "\fBno_version\fR" 4 .IX Item "no_version" -don't print out the version number. +Don't print out the version number. .IP "\fBno_serial\fR" 4 .IX Item "no_serial" -don't print out the serial number. +Don't print out the serial number. .IP "\fBno_signame\fR" 4 .IX Item "no_signame" -don't print out the signature algorithm used. +Don't print out the signature algorithm used. .IP "\fBno_validity\fR" 4 .IX Item "no_validity" -don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields. +Don't print the validity, that is the \fBnotBefore\fR and \fBnotAfter\fR fields. .IP "\fBno_subject\fR" 4 .IX Item "no_subject" -don't print out the subject name. +Don't print out the subject name. .IP "\fBno_issuer\fR" 4 .IX Item "no_issuer" -don't print out the issuer name. +Don't print out the issuer name. .IP "\fBno_pubkey\fR" 4 .IX Item "no_pubkey" -don't print out the public key. +Don't print out the public key. .IP "\fBno_sigdump\fR" 4 .IX Item "no_sigdump" -don't give a hexadecimal dump of the certificate signature. +Don't give a hexadecimal dump of the certificate signature. .IP "\fBno_aux\fR" 4 .IX Item "no_aux" -don't print out certificate trust information. +Don't print out certificate trust information. .IP "\fBno_extensions\fR" 4 .IX Item "no_extensions" -don't print out any X509V3 extensions. +Don't print out any X509V3 extensions. .IP "\fBext_default\fR" 4 .IX Item "ext_default" -retain default extension behaviour: attempt to print out unsupported certificate extensions. +Retain default extension behaviour: attempt to print out unsupported +certificate extensions. .IP "\fBext_error\fR" 4 .IX Item "ext_error" -print an error message for unsupported certificate extensions. +Print an error message for unsupported certificate extensions. .IP "\fBext_parse\fR" 4 .IX Item "ext_parse" \&\s-1ASN1\s0 parse unsupported extensions. .IP "\fBext_dump\fR" 4 .IX Item "ext_dump" -hex dump unsupported extensions. +Hex dump unsupported extensions. .IP "\fBca_default\fR" 4 .IX Item "ca_default" -the value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, +The value used by the \fBca\fR utility, equivalent to \fBno_issuer\fR, \fBno_pubkey\fR, \&\fBno_header\fR, and \fBno_version\fR. .SH "EXAMPLES" .IX Header "EXAMPLES" @@ -671,6 +708,18 @@ Display the contents of a certificate: \& openssl x509 \-in cert.pem \-noout \-text .Ve .PP +Display the \*(L"Subject Alternative Name\*(R" extension of a certificate: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName +.Ve +.PP +Display more extensions of a certificate: +.PP +.Vb 1 +\& openssl x509 \-in cert.pem \-noout \-ext subjectAltName,nsCertType +.Ve +.PP Display the certificate serial number: .PP .Vb 1 @@ -839,13 +888,13 @@ Otherwise it is the same as a normal \s-1SSL\s0 server. .IX Item "Common S/MIME Client Tests" The extended key usage extension must be absent or include the \*(L"email protection\*(R" \s-1OID.\s0 Netscape certificate type must be absent or should have the -S/MIME bit set. If the S/MIME bit is not set in netscape certificate type +S/MIME bit set. If the S/MIME bit is not set in Netscape certificate type then the \s-1SSL\s0 client bit is tolerated as an alternative but a warning is shown: this is because some Verisign certificates don't set the S/MIME bit. .IP "\fBS/MIME Signing\fR" 4 .IX Item "S/MIME Signing" -In addition to the common S/MIME client tests the digitalSignature bit must -be set if the keyUsage extension is present. +In addition to the common S/MIME client tests the digitalSignature bit or +the nonRepudiation bit must be set if the keyUsage extension is present. .IP "\fBS/MIME Encryption\fR" 4 .IX Item "S/MIME Encryption" In addition to the common S/MIME tests the keyEncipherment bit must be set @@ -875,11 +924,6 @@ be checked. .PP There should be options to explicitly set such things as start and end dates rather than an offset from the current time. -.PP -The code to implement the verify behaviour described in the \fB\s-1TRUST SETTINGS\s0\fR -is currently being developed. It thus describes the intended behaviour rather -than the current behaviour. It is hoped that it will represent reality in -OpenSSL 0.9.5 and later. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIreq\fR\|(1), \fIca\fR\|(1), \fIgenrsa\fR\|(1), @@ -887,10 +931,16 @@ OpenSSL 0.9.5 and later. \&\fIx509v3_config\fR\|(5) .SH "HISTORY" .IX Header "HISTORY" -Before OpenSSL 0.9.8, the default digest for \s-1RSA\s0 keys was \s-1MD5.\s0 -.PP The hash algorithm used in the \fB\-subject_hash\fR and \fB\-issuer_hash\fR options before OpenSSL 1.0.0 was based on the deprecated \s-1MD5\s0 algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the \s-1DN\s0 using \s-1SHA1.\s0 This means that any directories using the old form must have their links rebuilt using \fBc_rehash\fR or similar. +.SH "COPYRIGHT" +.IX Header "COPYRIGHT" +Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. +.PP +Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file \s-1LICENSE\s0 in the source distribution or at +. diff --git a/secure/usr.bin/openssl/man/x509v3_config.1 b/secure/usr.bin/openssl/man/x509v3_config.1 deleted file mode 100644 index ab46f48c8a03..000000000000 --- a/secure/usr.bin/openssl/man/x509v3_config.1 +++ /dev/null @@ -1,679 +0,0 @@ -.\" Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" Set up some character translations and predefined strings. \*(-- will -.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left -.\" double quote, and \*(R" will give a right double quote. \*(C+ will -.\" give a nicer C++. Capital omega is used to do unbreakable dashes and -.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, -.\" nothing in troff, for use with C<>. -.tr \(*W- -.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' -.ie n \{\ -. ds -- \(*W- -. ds PI pi -. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch -. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch -. ds L" "" -. ds R" "" -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds -- \|\(em\| -. ds PI \(*p -. ds L" `` -. ds R" '' -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.if !\nF .nr F 0 -.if \nF>0 \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -.\} -.\" -.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). -.\" Fear. Run. Save yourself. No user-serviceable parts. -. \" fudge factors for nroff and troff -.if n \{\ -. ds #H 0 -. ds #V .8m -. ds #F .3m -. ds #[ \f1 -. ds #] \fP -.\} -.if t \{\ -. ds #H ((1u-(\\\\n(.fu%2u))*.13m) -. ds #V .6m -. ds #F 0 -. ds #[ \& -. ds #] \& -.\} -. \" simple accents for nroff and troff -.if n \{\ -. ds ' \& -. ds ` \& -. ds ^ \& -. ds , \& -. ds ~ ~ -. ds / -.\} -.if t \{\ -. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" -. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' -. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' -. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' -. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' -. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' -.\} -. \" troff and (daisy-wheel) nroff accents -.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' -.ds 8 \h'\*(#H'\(*b\h'-\*(#H' -.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] -.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' -.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' -.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] -.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] -.ds ae a\h'-(\w'a'u*4/10)'e -.ds Ae A\h'-(\w'A'u*4/10)'E -. \" corrections for vroff -.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' -.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' -. \" for low resolution devices (crt and lpr) -.if \n(.H>23 .if \n(.V>19 \ -\{\ -. ds : e -. ds 8 ss -. ds o a -. ds d- d\h'-1'\(ga -. ds D- D\h'-1'\(hy -. ds th \o'bp' -. ds Th \o'LP' -. ds ae ae -. ds Ae AE -.\} -.rm #[ #] #H #V #F C -.\" ======================================================================== -.\" -.IX Title "X509V3_CONFIG 1" -.TH X509V3_CONFIG 1 "2018-08-14" "1.0.2p" "OpenSSL" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. -.if n .ad l -.nh -.SH "NAME" -x509v3_config \- X509 V3 certificate extension configuration format -.SH "DESCRIPTION" -.IX Header "DESCRIPTION" -Several of the OpenSSL utilities can add extensions to a certificate or -certificate request based on the contents of a configuration file. -.PP -Typically the application will contain an option to point to an extension -section. Each line of the extension section takes the form: -.PP -.Vb 1 -\& extension_name=[critical,] extension_options -.Ve -.PP -If \fBcritical\fR is present then the extension will be critical. -.PP -The format of \fBextension_options\fR depends on the value of \fBextension_name\fR. -.PP -There are four main types of extension: \fIstring\fR extensions, \fImulti-valued\fR -extensions, \fIraw\fR and \fIarbitrary\fR extensions. -.PP -String extensions simply have a string which contains either the value itself -or how it is obtained. -.PP -For example: -.PP -.Vb 1 -\& nsComment="This is a Comment" -.Ve -.PP -Multi-valued extensions have a short form and a long form. The short form -is a list of names and values: -.PP -.Vb 1 -\& basicConstraints=critical,CA:true,pathlen:1 -.Ve -.PP -The long form allows the values to be placed in a separate section: -.PP -.Vb 1 -\& basicConstraints=critical,@bs_section -\& -\& [bs_section] -\& -\& CA=true -\& pathlen=1 -.Ve -.PP -Both forms are equivalent. -.PP -The syntax of raw extensions is governed by the extension code: it can -for example contain data in multiple sections. The correct syntax to -use is defined by the extension code itself: check out the certificate -policies extension for an example. -.PP -If an extension type is unsupported then the \fIarbitrary\fR extension syntax -must be used, see the \s-1ARBITRARY EXTENSIONS\s0 section for more details. -.SH "STANDARD EXTENSIONS" -.IX Header "STANDARD EXTENSIONS" -The following sections describe each supported extension in detail. -.SS "Basic Constraints." -.IX Subsection "Basic Constraints." -This is a multi valued extension which indicates whether a certificate is -a \s-1CA\s0 certificate. The first (mandatory) name is \fB\s-1CA\s0\fR followed by \fB\s-1TRUE\s0\fR or -\&\fB\s-1FALSE\s0\fR. If \fB\s-1CA\s0\fR is \fB\s-1TRUE\s0\fR then an optional \fBpathlen\fR name followed by an -non-negative value can be included. -.PP -For example: -.PP -.Vb 1 -\& basicConstraints=CA:TRUE -\& -\& basicConstraints=CA:FALSE -\& -\& basicConstraints=critical,CA:TRUE, pathlen:0 -.Ve -.PP -A \s-1CA\s0 certificate \fBmust\fR include the basicConstraints value with the \s-1CA\s0 field -set to \s-1TRUE.\s0 An end user certificate must either set \s-1CA\s0 to \s-1FALSE\s0 or exclude the -extension entirely. Some software may require the inclusion of basicConstraints -with \s-1CA\s0 set to \s-1FALSE\s0 for end entity certificates. -.PP -The pathlen parameter indicates the maximum number of CAs that can appear -below this one in a chain. So if you have a \s-1CA\s0 with a pathlen of zero it can -only be used to sign end user certificates and not further CAs. -.SS "Key Usage." -.IX Subsection "Key Usage." -Key usage is a multi valued extension consisting of a list of names of the -permitted key usages. -.PP -The supporte names are: digitalSignature, nonRepudiation, keyEncipherment, -dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly -and decipherOnly. -.PP -Examples: -.PP -.Vb 1 -\& keyUsage=digitalSignature, nonRepudiation -\& -\& keyUsage=critical, keyCertSign -.Ve -.SS "Extended Key Usage." -.IX Subsection "Extended Key Usage." -This extensions consists of a list of usages indicating purposes for which -the certificate public key can be used for, -.PP -These can either be object short names or the dotted numerical form of OIDs. -While any \s-1OID\s0 can be used only certain values make sense. In particular the -following \s-1PKIX, NS\s0 and \s-1MS\s0 values are meaningful: -.PP -.Vb 10 -\& Value Meaning -\& \-\-\-\-\- \-\-\-\-\-\-\- -\& serverAuth SSL/TLS Web Server Authentication. -\& clientAuth SSL/TLS Web Client Authentication. -\& codeSigning Code signing. -\& emailProtection E\-mail Protection (S/MIME). -\& timeStamping Trusted Timestamping -\& msCodeInd Microsoft Individual Code Signing (authenticode) -\& msCodeCom Microsoft Commercial Code Signing (authenticode) -\& msCTLSign Microsoft Trust List Signing -\& msSGC Microsoft Server Gated Crypto -\& msEFS Microsoft Encrypted File System -\& nsSGC Netscape Server Gated Crypto -.Ve -.PP -Examples: -.PP -.Vb 2 -\& extendedKeyUsage=critical,codeSigning,1.2.3.4 -\& extendedKeyUsage=nsSGC,msSGC -.Ve -.SS "Subject Key Identifier." -.IX Subsection "Subject Key Identifier." -This is really a string extension and can take two possible values. Either -the word \fBhash\fR which will automatically follow the guidelines in \s-1RFC3280\s0 -or a hex string giving the extension value to include. The use of the hex -string is strongly discouraged. -.PP -Example: -.PP -.Vb 1 -\& subjectKeyIdentifier=hash -.Ve -.SS "Authority Key Identifier." -.IX Subsection "Authority Key Identifier." -The authority key identifier extension permits two options. keyid and issuer: -both can take the optional value \*(L"always\*(R". -.PP -If the keyid option is present an attempt is made to copy the subject key -identifier from the parent certificate. If the value \*(L"always\*(R" is present -then an error is returned if the option fails. -.PP -The issuer option copies the issuer and serial number from the issuer -certificate. This will only be done if the keyid option fails or -is not included unless the \*(L"always\*(R" flag will always include the value. -.PP -Example: -.PP -.Vb 1 -\& authorityKeyIdentifier=keyid,issuer -.Ve -.SS "Subject Alternative Name." -.IX Subsection "Subject Alternative Name." -The subject alternative name extension allows various literal values to be -included in the configuration file. These include \fBemail\fR (an email address) -\&\fB\s-1URI\s0\fR a uniform resource indicator, \fB\s-1DNS\s0\fR (a \s-1DNS\s0 domain name), \fB\s-1RID\s0\fR (a -registered \s-1ID: OBJECT IDENTIFIER\s0), \fB\s-1IP\s0\fR (an \s-1IP\s0 address), \fBdirName\fR -(a distinguished name) and otherName. -.PP -The email option include a special 'copy' value. This will automatically -include and email addresses contained in the certificate subject name in -the extension. -.PP -The \s-1IP\s0 address used in the \fB\s-1IP\s0\fR options can be in either IPv4 or IPv6 format. -.PP -The value of \fBdirName\fR should point to a section containing the distinguished -name to use as a set of name value pairs. Multi values AVAs can be formed by -prefacing the name with a \fB+\fR character. -.PP -otherName can include arbitrary data associated with an \s-1OID:\s0 the value -should be the \s-1OID\s0 followed by a semicolon and the content in standard -\&\fIASN1_generate_nconf\fR\|(3) format. -.PP -Examples: -.PP -.Vb 5 -\& subjectAltName=email:copy,email:my@other.address,URI:http://my.url.here/ -\& subjectAltName=IP:192.168.7.1 -\& subjectAltName=IP:13::17 -\& subjectAltName=email:my@other.address,RID:1.2.3.4 -\& subjectAltName=otherName:1.2.3.4;UTF8:some other identifier -\& -\& subjectAltName=dirName:dir_sect -\& -\& [dir_sect] -\& C=UK -\& O=My Organization -\& OU=My Unit -\& CN=My Name -.Ve -.SS "Issuer Alternative Name." -.IX Subsection "Issuer Alternative Name." -The issuer alternative name option supports all the literal options of -subject alternative name. It does \fBnot\fR support the email:copy option because -that would not make sense. It does support an additional issuer:copy option -that will copy all the subject alternative name values from the issuer -certificate (if possible). -.PP -Example: -.PP -.Vb 1 -\& issuserAltName = issuer:copy -.Ve -.SS "Authority Info Access." -.IX Subsection "Authority Info Access." -The authority information access extension gives details about how to access -certain information relating to the \s-1CA.\s0 Its syntax is accessOID;location -where \fIlocation\fR has the same syntax as subject alternative name (except -that email:copy is not supported). accessOID can be any valid \s-1OID\s0 but only -certain values are meaningful, for example \s-1OCSP\s0 and caIssuers. -.PP -Example: -.PP -.Vb 2 -\& authorityInfoAccess = OCSP;URI:http://ocsp.my.host/ -\& authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html -.Ve -.SS "\s-1CRL\s0 distribution points." -.IX Subsection "CRL distribution points." -This is a multi-valued extension whose options can be either in name:value pair -using the same form as subject alternative name or a single value representing -a section name containing all the distribution point fields. -.PP -For a name:value pair a new DistributionPoint with the fullName field set to -the given value both the cRLissuer and reasons fields are omitted in this case. -.PP -In the single option case the section indicated contains values for each -field. In this section: -.PP -If the name is \*(L"fullname\*(R" the value field should contain the full name -of the distribution point in the same format as subject alternative name. -.PP -If the name is \*(L"relativename\*(R" then the value field should contain a section -name whose contents represent a \s-1DN\s0 fragment to be placed in this field. -.PP -The name \*(L"CRLIssuer\*(R" if present should contain a value for this field in -subject alternative name format. -.PP -If the name is \*(L"reasons\*(R" the value field should consist of a comma -separated field containing the reasons. Valid reasons are: \*(L"keyCompromise\*(R", -\&\*(L"CACompromise\*(R", \*(L"affiliationChanged\*(R", \*(L"superseded\*(R", \*(L"cessationOfOperation\*(R", -\&\*(L"certificateHold\*(R", \*(L"privilegeWithdrawn\*(R" and \*(L"AACompromise\*(R". -.PP -Simple examples: -.PP -.Vb 2 -\& crlDistributionPoints=URI:http://myhost.com/myca.crl -\& crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl -.Ve -.PP -Full distribution point example: -.PP -.Vb 1 -\& crlDistributionPoints=crldp1_section -\& -\& [crldp1_section] -\& -\& fullname=URI:http://myhost.com/myca.crl -\& CRLissuer=dirName:issuer_sect -\& reasons=keyCompromise, CACompromise -\& -\& [issuer_sect] -\& C=UK -\& O=Organisation -\& CN=Some Name -.Ve -.SS "Issuing Distribution Point" -.IX Subsection "Issuing Distribution Point" -This extension should only appear in CRLs. It is a multi valued extension -whose syntax is similar to the \*(L"section\*(R" pointed to by the \s-1CRL\s0 distribution -points extension with a few differences. -.PP -The names \*(L"reasons\*(R" and \*(L"CRLissuer\*(R" are not recognized. -.PP -The name \*(L"onlysomereasons\*(R" is accepted which sets this field. The value is -in the same format as the \s-1CRL\s0 distribution point \*(L"reasons\*(R" field. -.PP -The names \*(L"onlyuser\*(R", \*(L"onlyCA\*(R", \*(L"onlyAA\*(R" and \*(L"indirectCRL\*(R" are also accepted -the values should be a boolean value (\s-1TRUE\s0 or \s-1FALSE\s0) to indicate the value of -the corresponding field. -.PP -Example: -.PP -.Vb 1 -\& issuingDistributionPoint=critical, @idp_section -\& -\& [idp_section] -\& -\& fullname=URI:http://myhost.com/myca.crl -\& indirectCRL=TRUE -\& onlysomereasons=keyCompromise, CACompromise -\& -\& [issuer_sect] -\& C=UK -\& O=Organisation -\& CN=Some Name -.Ve -.SS "Certificate Policies." -.IX Subsection "Certificate Policies." -This is a \fIraw\fR extension. All the fields of this extension can be set by -using the appropriate syntax. -.PP -If you follow the \s-1PKIX\s0 recommendations and just using one \s-1OID\s0 then you just -include the value of that \s-1OID.\s0 Multiple OIDs can be set separated by commas, -for example: -.PP -.Vb 1 -\& certificatePolicies= 1.2.4.5, 1.1.3.4 -.Ve -.PP -If you wish to include qualifiers then the policy \s-1OID\s0 and qualifiers need to -be specified in a separate section: this is done by using the \f(CW@section\fR syntax -instead of a literal \s-1OID\s0 value. -.PP -The section referred to must include the policy \s-1OID\s0 using the name -policyIdentifier, cPSuri qualifiers can be included using the syntax: -.PP -.Vb 1 -\& CPS.nnn=value -.Ve -.PP -userNotice qualifiers can be set using the syntax: -.PP -.Vb 1 -\& userNotice.nnn=@notice -.Ve -.PP -The value of the userNotice qualifier is specified in the relevant section. -This section can include explicitText, organization and noticeNumbers -options. explicitText and organization are text strings, noticeNumbers is a -comma separated list of numbers. The organization and noticeNumbers options -(if included) must \s-1BOTH\s0 be present. If you use the userNotice option with \s-1IE5\s0 -then you need the 'ia5org' option at the top level to modify the encoding: -otherwise it will not be interpreted properly. -.PP -Example: -.PP -.Vb 1 -\& certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect -\& -\& [polsect] -\& -\& policyIdentifier = 1.3.5.8 -\& CPS.1="http://my.host.name/" -\& CPS.2="http://my.your.name/" -\& userNotice.1=@notice -\& -\& [notice] -\& -\& explicitText="Explicit Text Here" -\& organization="Organisation Name" -\& noticeNumbers=1,2,3,4 -.Ve -.PP -The \fBia5org\fR option changes the type of the \fIorganization\fR field. In \s-1RFC2459\s0 -it can only be of type DisplayText. In \s-1RFC3280\s0 IA5Strring is also permissible. -Some software (for example some versions of \s-1MSIE\s0) may require ia5org. -.SS "Policy Constraints" -.IX Subsection "Policy Constraints" -This is a multi-valued extension which consisting of the names -\&\fBrequireExplicitPolicy\fR or \fBinhibitPolicyMapping\fR and a non negative intger -value. At least one component must be present. -.PP -Example: -.PP -.Vb 1 -\& policyConstraints = requireExplicitPolicy:3 -.Ve -.SS "Inhibit Any Policy" -.IX Subsection "Inhibit Any Policy" -This is a string extension whose value must be a non negative integer. -.PP -Example: -.PP -.Vb 1 -\& inhibitAnyPolicy = 2 -.Ve -.SS "Name Constraints" -.IX Subsection "Name Constraints" -The name constraints extension is a multi-valued extension. The name should -begin with the word \fBpermitted\fR or \fBexcluded\fR followed by a \fB;\fR. The rest of -the name and the value follows the syntax of subjectAltName except email:copy -is not supported and the \fB\s-1IP\s0\fR form should consist of an \s-1IP\s0 addresses and -subnet mask separated by a \fB/\fR. -.PP -Examples: -.PP -.Vb 1 -\& nameConstraints=permitted;IP:192.168.0.0/255.255.0.0 -\& -\& nameConstraints=permitted;email:.somedomain.com -\& -\& nameConstraints=excluded;email:.com -.Ve -.SS "\s-1OCSP\s0 No Check" -.IX Subsection "OCSP No Check" -The \s-1OCSP\s0 No Check extension is a string extension but its value is ignored. -.PP -Example: -.PP -.Vb 1 -\& noCheck = ignored -.Ve -.SH "DEPRECATED EXTENSIONS" -.IX Header "DEPRECATED EXTENSIONS" -The following extensions are non standard, Netscape specific and largely -obsolete. Their use in new applications is discouraged. -.SS "Netscape String extensions." -.IX Subsection "Netscape String extensions." -Netscape Comment (\fBnsComment\fR) is a string extension containing a comment -which will be displayed when the certificate is viewed in some browsers. -.PP -Example: -.PP -.Vb 1 -\& nsComment = "Some Random Comment" -.Ve -.PP -Other supported extensions in this category are: \fBnsBaseUrl\fR, -\&\fBnsRevocationUrl\fR, \fBnsCaRevocationUrl\fR, \fBnsRenewalUrl\fR, \fBnsCaPolicyUrl\fR -and \fBnsSslServerName\fR. -.SS "Netscape Certificate Type" -.IX Subsection "Netscape Certificate Type" -This is a multi-valued extensions which consists of a list of flags to be -included. It was used to indicate the purposes for which a certificate could -be used. The basicConstraints, keyUsage and extended key usage extensions are -now used instead. -.PP -Acceptable values for nsCertType are: \fBclient\fR, \fBserver\fR, \fBemail\fR, -\&\fBobjsign\fR, \fBreserved\fR, \fBsslCA\fR, \fBemailCA\fR, \fBobjCA\fR. -.SH "ARBITRARY EXTENSIONS" -.IX Header "ARBITRARY EXTENSIONS" -If an extension is not supported by the OpenSSL code then it must be encoded -using the arbitrary extension format. It is also possible to use the arbitrary -format for supported extensions. Extreme care should be taken to ensure that -the data is formatted correctly for the given extension type. -.PP -There are two ways to encode arbitrary extensions. -.PP -The first way is to use the word \s-1ASN1\s0 followed by the extension content -using the same syntax as \fIASN1_generate_nconf\fR\|(3). -For example: -.PP -.Vb 1 -\& 1.2.3.4=critical,ASN1:UTF8String:Some random data -\& -\& 1.2.3.4=ASN1:SEQUENCE:seq_sect -\& -\& [seq_sect] -\& -\& field1 = UTF8:field1 -\& field2 = UTF8:field2 -.Ve -.PP -It is also possible to use the word \s-1DER\s0 to include the raw encoded data in any -extension. -.PP -.Vb 2 -\& 1.2.3.4=critical,DER:01:02:03:04 -\& 1.2.3.4=DER:01020304 -.Ve -.PP -The value following \s-1DER\s0 is a hex dump of the \s-1DER\s0 encoding of the extension -Any extension can be placed in this form to override the default behaviour. -For example: -.PP -.Vb 1 -\& basicConstraints=critical,DER:00:01:02:03 -.Ve -.SH "WARNING" -.IX Header "WARNING" -There is no guarantee that a specific implementation will process a given -extension. It may therefore be sometimes possible to use certificates for -purposes prohibited by their extensions because a specific application does -not recognize or honour the values of the relevant extensions. -.PP -The \s-1DER\s0 and \s-1ASN1\s0 options should be used with caution. It is possible to create -totally invalid extensions if they are not used carefully. -.SH "NOTES" -.IX Header "NOTES" -If an extension is multi-value and a field value must contain a comma the long -form must be used otherwise the comma would be misinterpreted as a field -separator. For example: -.PP -.Vb 1 -\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar -.Ve -.PP -will produce an error but the equivalent form: -.PP -.Vb 1 -\& subjectAltName=@subject_alt_section -\& -\& [subject_alt_section] -\& subjectAltName=URI:ldap://somehost.com/CN=foo,OU=bar -.Ve -.PP -is valid. -.PP -Due to the behaviour of the OpenSSL \fBconf\fR library the same field name -can only occur once in a section. This means that: -.PP -.Vb 1 -\& subjectAltName=@alt_section -\& -\& [alt_section] -\& -\& email=steve@here -\& email=steve@there -.Ve -.PP -will only recognize the last value. This can be worked around by using the form: -.PP -.Vb 1 -\& [alt_section] -\& -\& email.1=steve@here -\& email.2=steve@there -.Ve -.SH "HISTORY" -.IX Header "HISTORY" -The X509v3 extension code was first added to OpenSSL 0.9.2. -.PP -Policy mappings, inhibit any policy and name constraints support was added in -OpenSSL 0.9.8 -.PP -The \fBdirectoryName\fR and \fBotherName\fR option as well as the \fB\s-1ASN1\s0\fR option -for arbitrary extensions was added in OpenSSL 0.9.8 -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fIreq\fR\|(1), \fIca\fR\|(1), \fIx509\fR\|(1), -\&\fIASN1_generate_nconf\fR\|(3)