diff options
85 files changed, 408 insertions, 324 deletions
diff --git a/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod b/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod index fbf9a1f1412..70ac9b84888 100644 --- a/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod +++ b/lib/libssl/src/doc/crypto/ASN1_STRING_print_ex.pod @@ -30,8 +30,8 @@ with '.'. ASN1_STRING_print() is a legacy function which should be avoided in new applications. -Although there are a large number of options frequently B<ASN1_STRFLAGS_RFC2253> is -suitable, or on UTF8 terminals B<ASN1_STRFLAGS_RFC2253 & ~ASN1_STRFLAGS_ESC_MSB>. +Although there are a large number of options frequently B<ASN1_STRFLGS_RFC2253> is +suitable, or on UTF8 terminals B<ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB>. The complete set of supported options for B<flags> is listed below. @@ -43,9 +43,9 @@ interprets UTF8 sequences. Escaping takes several forms. -If the character being escaped is a 16 bit character then the form "\WXXXX" is used +If the character being escaped is a 16 bit character then the form "\UXXXX" is used using exactly four characters for the hex representation. If it is 32 bits then -"\UXXXXXXXX" is used using eight characters of its hex representation. These forms +"\WXXXXXXXX" is used using eight characters of its hex representation. These forms will only be used if UTF8 conversion is not set (see below). Printable characters are normally escaped using the backslash '\' character. If @@ -72,10 +72,10 @@ octet. If B<ASN1_STRFLGS_DUMP_ALL> is set then any type is dumped. Normally non character string types (such as OCTET STRING) are assumed to be -one byte per character, if B<ASN1_STRFLAGS_DUMP_UNKNOWN> is set then they will +one byte per character, if B<ASN1_STRFLGS_DUMP_UNKNOWN> is set then they will be dumped instead. -When a type is dumped normally just the content octets are printed, if +When a type is dumped normally just the content octets are printed, if B<ASN1_STRFLGS_DUMP_DER> is set then the complete encoding is dumped instead (including tag and length octets). diff --git a/lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod b/lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod index 1157cff510d..fee7398bd4b 100644 --- a/lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod +++ b/lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod @@ -6,6 +6,8 @@ ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions =head1 SYNOPSIS + #include <openssl/asn1.h> + ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf); ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf); @@ -50,7 +52,7 @@ only the B<ASCII> format is permissible. This encodes a boolean type. The B<value> string is mandatory and should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>, B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no> -are acceptable. +are acceptable. =item B<NULL> @@ -76,12 +78,12 @@ a short name, a long name or numerical format. =item B<UTCTIME>, B<UTC> Encodes an ASN1 B<UTCTime> structure, the value should be in -the format B<YYMMDDHHMMSSZ>. +the format B<YYMMDDHHMMSSZ>. =item B<GENERALIZEDTIME>, B<GENTIME> Encodes an ASN1 B<GeneralizedTime> structure, the value should be in -the format B<YYYYMMDDHHMMSSZ>. +the format B<YYYYMMDDHHMMSSZ>. =item B<OCTETSTRING>, B<OCT> @@ -101,7 +103,8 @@ bits is set to zero. =item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>, B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>, B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>, -B<T61STRING>, B<TELETEXSTRING>, B<GeneralString> +B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>, B<NUMERICSTRING>, +B<NUMERIC> These encode the corresponding string types. B<value> represents the contents of this structure. The format can be B<ASCII> or B<UTF8>. @@ -175,7 +178,7 @@ An IA5String explicitly tagged using APPLICATION tagging: A BITSTRING with bits 1 and 5 set and all others zero: - FORMAT=BITLIST,BITSTRING:1,5 + FORMAT:BITLIST,BITSTRING:1,5 A more complex example using a config file to produce a SEQUENCE consiting of a BOOL an OID and a UTF8String: diff --git a/lib/libssl/src/doc/crypto/BF_set_key.pod b/lib/libssl/src/doc/crypto/BF_set_key.pod index 5b2d274c15f..08cba3e25cc 100644 --- a/lib/libssl/src/doc/crypto/BF_set_key.pod +++ b/lib/libssl/src/doc/crypto/BF_set_key.pod @@ -52,7 +52,7 @@ everything after the first 64 bits is ignored. The mode functions BF_cbc_encrypt(), BF_cfb64_encrypt() and BF_ofb64_encrypt() all operate on variable length data. They all take an initialization vector -B<ivec> which needs to be passed along into the next call of the same function +B<ivec> which needs to be passed along into the next call of the same function for the same message. B<ivec> may be initialized with anything, but the recipient needs to know what it was initialized with, or it won't be able to decrypt. Some programs and protocols simplify this, like SSH, where diff --git a/lib/libssl/src/doc/crypto/BIO_ctrl.pod b/lib/libssl/src/doc/crypto/BIO_ctrl.pod index 722e8b8f46c..cf203eeb962 100644 --- a/lib/libssl/src/doc/crypto/BIO_ctrl.pod +++ b/lib/libssl/src/doc/crypto/BIO_ctrl.pod @@ -94,7 +94,7 @@ return the amount of pending data. =head1 NOTES BIO_flush(), because it can write data may return 0 or -1 indicating -that the call should be retried later in a similar manner to BIO_write(). +that the call should be retried later in a similar manner to BIO_write(). The BIO_should_retry() call should be used and appropriate action taken is the call fails. @@ -121,7 +121,7 @@ operation. Some of the return values are ambiguous and care should be taken. In particular a return value of 0 can be returned if an operation is not supported, if an error occurred, if EOF has not been reached and in -the case of BIO_seek() on a file BIO for a successful operation. +the case of BIO_seek() on a file BIO for a successful operation. =head1 SEE ALSO diff --git a/lib/libssl/src/doc/crypto/BIO_f_base64.pod b/lib/libssl/src/doc/crypto/BIO_f_base64.pod index 438af3b6b66..aee09bae583 100644 --- a/lib/libssl/src/doc/crypto/BIO_f_base64.pod +++ b/lib/libssl/src/doc/crypto/BIO_f_base64.pod @@ -17,7 +17,7 @@ BIO_f_base64() returns the base64 BIO method. This is a filter BIO that base64 encodes any data written through it and decodes any data read through it. -Base64 BIOs do not support BIO_gets() or BIO_puts(). +Base64 BIOs do not support BIO_gets() or BIO_puts(). BIO_flush() on a base64 BIO that is being written through is used to signal that no more data is to be encoded: this is used @@ -63,7 +63,7 @@ data to standard output: bio = BIO_new_fp(stdin, BIO_NOCLOSE); bio_out = BIO_new_fp(stdout, BIO_NOCLOSE); bio = BIO_push(b64, bio); - while((inlen = BIO_read(bio, inbuf, 512)) > 0) + while((inlen = BIO_read(bio, inbuf, 512)) > 0) BIO_write(bio_out, inbuf, inlen); BIO_free_all(bio); diff --git a/lib/libssl/src/doc/crypto/BIO_f_cipher.pod b/lib/libssl/src/doc/crypto/BIO_f_cipher.pod index 02439cea94a..c0b23c680c6 100644 --- a/lib/libssl/src/doc/crypto/BIO_f_cipher.pod +++ b/lib/libssl/src/doc/crypto/BIO_f_cipher.pod @@ -22,7 +22,7 @@ BIO that encrypts any data written through it, and decrypts any data read from it. It is a BIO wrapper for the cipher routines EVP_CipherInit(), EVP_CipherUpdate() and EVP_CipherFinal(). -Cipher BIOs do not support BIO_gets() or BIO_puts(). +Cipher BIOs do not support BIO_gets() or BIO_puts(). BIO_flush() on an encryption BIO that is being written through is used to signal that no more data is to be encrypted: this is used diff --git a/lib/libssl/src/doc/crypto/BIO_s_accept.pod b/lib/libssl/src/doc/crypto/BIO_s_accept.pod index 7b63e4621b6..2414559372f 100644 --- a/lib/libssl/src/doc/crypto/BIO_s_accept.pod +++ b/lib/libssl/src/doc/crypto/BIO_s_accept.pod @@ -74,7 +74,7 @@ BIO_set_nbio_accept() sets the accept socket to blocking mode BIO_set_accept_bios() can be used to set a chain of BIOs which will be duplicated and prepended to the chain when an incoming -connection is received. This is useful if, for example, a +connection is received. This is useful if, for example, a buffering or SSL BIO is required for each connection. The chain of BIOs must not be freed after this call, they will be automatically freed when the accept BIO is freed. @@ -158,14 +158,14 @@ down each and finally closes both down. if(BIO_do_accept(abio) <= 0) { fprintf(stderr, "Error setting up accept\n"); ERR_print_errors_fp(stderr); - exit(0); + exit(0); } /* Wait for incoming connection */ if(BIO_do_accept(abio) <= 0) { fprintf(stderr, "Error accepting connection\n"); ERR_print_errors_fp(stderr); - exit(0); + exit(0); } fprintf(stderr, "Connection 1 established\n"); /* Retrieve BIO for connection */ @@ -176,7 +176,7 @@ down each and finally closes both down. if(BIO_do_accept(abio) <= 0) { fprintf(stderr, "Error accepting connection\n"); ERR_print_errors_fp(stderr); - exit(0); + exit(0); } fprintf(stderr, "Connection 2 established\n"); /* Close accept BIO to refuse further connections */ diff --git a/lib/libssl/src/doc/crypto/BIO_s_bio.pod b/lib/libssl/src/doc/crypto/BIO_s_bio.pod index 38271f34486..39ae79fd309 100644 --- a/lib/libssl/src/doc/crypto/BIO_s_bio.pod +++ b/lib/libssl/src/doc/crypto/BIO_s_bio.pod @@ -2,7 +2,7 @@ =head1 NAME -BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr, +BIO_s_bio, BIO_make_bio_pair, BIO_destroy_bio_pair, BIO_shutdown_wr, BIO_set_write_buf_size, BIO_get_write_buf_size, BIO_new_bio_pair, BIO_get_write_guarantee, BIO_ctrl_get_write_guarantee, BIO_get_read_request, BIO_ctrl_get_read_request, BIO_ctrl_reset_read_request - BIO pair BIO @@ -65,7 +65,7 @@ up any half of the pair will automatically destroy the association. BIO_shutdown_wr() is used to close down a BIO B<b>. After this call no further writes on BIO B<b> are allowed (they will return an error). Reads on the other half of the pair will return any pending data or EOF when all pending data has -been read. +been read. BIO_set_write_buf_size() sets the write buffer size of BIO B<b> to B<size>. If the size is not initialized a default value is used. This is currently diff --git a/lib/libssl/src/doc/crypto/BIO_s_connect.pod b/lib/libssl/src/doc/crypto/BIO_s_connect.pod index bcf7d8dcac7..0743c8849fd 100644 --- a/lib/libssl/src/doc/crypto/BIO_s_connect.pod +++ b/lib/libssl/src/doc/crypto/BIO_s_connect.pod @@ -86,7 +86,7 @@ BIO_get_conn_int_port() returns the port as an int. BIO_set_nbio() sets the non blocking I/O flag to B<n>. If B<n> is zero then blocking I/O is set. If B<n> is 1 then non blocking I/O is set. Blocking I/O is the default. The call to BIO_set_nbio() -should be made before the connection is established because +should be made before the connection is established because non blocking I/O is set during the connect process. BIO_new_connect() combines BIO_new() and BIO_set_conn_hostname() into @@ -178,7 +178,7 @@ to retrieve a page and copy the result to standard output. /* whatever ... */ } BIO_puts(cbio, "GET / HTTP/1.0\n\n"); - for(;;) { + for(;;) { len = BIO_read(cbio, tmpbuf, 1024); if(len <= 0) break; BIO_write(out, tmpbuf, len); diff --git a/lib/libssl/src/doc/crypto/BIO_s_fd.pod b/lib/libssl/src/doc/crypto/BIO_s_fd.pod index b1de1d10154..9bbac29f100 100644 --- a/lib/libssl/src/doc/crypto/BIO_s_fd.pod +++ b/lib/libssl/src/doc/crypto/BIO_s_fd.pod @@ -46,7 +46,7 @@ BIO_new_fd() returns a file descriptor BIO using B<fd> and B<close_flag>. =head1 NOTES The behaviour of BIO_read() and BIO_write() depends on the behavior of the -platforms read() and write() calls on the descriptor. If the underlying +platforms read() and write() calls on the descriptor. If the underlying file descriptor is in a non blocking mode then the BIO will behave in the manner described in the L<BIO_read(3)|BIO_read(3)> and L<BIO_should_retry(3)|BIO_should_retry(3)> manual pages. diff --git a/lib/libssl/src/doc/crypto/BIO_s_mem.pod b/lib/libssl/src/doc/crypto/BIO_s_mem.pod index 8f85e0dceeb..76f244caf16 100644 --- a/lib/libssl/src/doc/crypto/BIO_s_mem.pod +++ b/lib/libssl/src/doc/crypto/BIO_s_mem.pod @@ -20,7 +20,7 @@ BIO_get_mem_ptr, BIO_new_mem_buf - memory BIO =head1 DESCRIPTION -BIO_s_mem() return the memory BIO method function. +BIO_s_mem() return the memory BIO method function. A memory BIO is a source/sink BIO which uses memory for its I/O. Data written to a memory BIO is stored in a BUF_MEM structure which is extended @@ -94,7 +94,7 @@ to improve efficiency. Create a memory BIO and write some data to it: BIO *mem = BIO_new(BIO_s_mem()); - BIO_puts(mem, "Hello World\n"); + BIO_puts(mem, "Hello World\n"); Create a read only memory BIO: @@ -108,7 +108,7 @@ Extract the BUF_MEM structure from a memory BIO and then free up the BIO: BIO_get_mem_ptr(mem, &bptr); BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */ BIO_free(mem); - + =head1 SEE ALSO diff --git a/lib/libssl/src/doc/crypto/BIO_should_retry.pod b/lib/libssl/src/doc/crypto/BIO_should_retry.pod index b6d51f719d4..143221ad330 100644 --- a/lib/libssl/src/doc/crypto/BIO_should_retry.pod +++ b/lib/libssl/src/doc/crypto/BIO_should_retry.pod @@ -51,7 +51,7 @@ B<BIO_FLAGS_IO_SPECIAL> though current BIO types will only set one of these. BIO_get_retry_BIO() determines the precise reason for the special -condition, it returns the BIO that caused this condition and if +condition, it returns the BIO that caused this condition and if B<reason> is not NULL it contains the reason code. The meaning of the reason code and the action that should be taken depends on the type of BIO that resulted in this condition. @@ -94,7 +94,7 @@ available and then retry the BIO operation. By combining the retry conditions of several non blocking BIOs in a single select() call it is possible to service several BIOs in a single thread, though the performance may be poor if SSL BIOs are present because long delays -can occur during the initial handshake process. +can occur during the initial handshake process. It is possible for a BIO to block indefinitely if the underlying I/O structure cannot process or return any data. This depends on the behaviour of diff --git a/lib/libssl/src/doc/crypto/BN_BLINDING_new.pod b/lib/libssl/src/doc/crypto/BN_BLINDING_new.pod index 7b087f7288f..3e783ff8ac1 100644 --- a/lib/libssl/src/doc/crypto/BN_BLINDING_new.pod +++ b/lib/libssl/src/doc/crypto/BN_BLINDING_new.pod @@ -2,8 +2,8 @@ =head1 NAME -BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, -BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, +BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, +BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_get_flags, BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM functions. @@ -22,8 +22,11 @@ functions. BN_CTX *ctx); int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx); + #ifndef OPENSSL_NO_DEPRECATED unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); + #endif + CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, @@ -45,7 +48,7 @@ necessary parameters are set, by re-creating the blinding parameters. BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>. If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be -returned in B<r> (this is useful if a B<RSA> object is shared amoung +returned in B<r> (this is useful if a B<RSA> object is shared among several threads). BN_BLINDING_invert_ex() multiplies B<n> with the inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as the inverse blinding. @@ -54,11 +57,11 @@ BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() with B<r> set to NULL. -BN_BLINDING_set_thread_id() and BN_BLINDING_get_thread_id() -set and get the "thread id" value of the B<BN_BLINDING> structure, -a field provided to users of B<BN_BLINDING> structure to help them -provide proper locking if needed for multi-threaded use. The -"thread id" of a newly allocated B<BN_BLINDING> structure is zero. +BN_BLINDING_thread_id() provides access to the B<CRYPTO_THREADID> +object within the B<BN_BLINDING> structure. This is to help users +provide proper locking if needed for multi-threaded use. The "thread +id" object of a newly allocated B<BN_BLINDING> structure is +initialised to the thread id in which BN_BLINDING_new() was called. BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently there are two supported flags: B<BN_BLINDING_NO_UPDATE> and @@ -83,13 +86,13 @@ BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(), BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on success and 0 if an error occured. -BN_BLINDING_get_thread_id() returns the thread id (a B<unsigned long> -value) or 0 if not set. +BN_BLINDING_thread_id() returns a pointer to the thread id object +within a B<BN_BLINDING> object. BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags (a B<unsigned long> value). -BN_BLINDING_create_param() returns the newly created B<BN_BLINDING> +BN_BLINDING_create_param() returns the newly created B<BN_BLINDING> parameters or NULL on error. =head1 SEE ALSO @@ -98,6 +101,9 @@ L<bn(3)|bn(3)> =head1 HISTORY +BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it +deprecates BN_BLINDING_set_thread_id and BN_BLINDING_get_thread_id. + BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8 diff --git a/lib/libssl/src/doc/crypto/BN_generate_prime.pod b/lib/libssl/src/doc/crypto/BN_generate_prime.pod index 7dccacbc1e5..6f28a635173 100644 --- a/lib/libssl/src/doc/crypto/BN_generate_prime.pod +++ b/lib/libssl/src/doc/crypto/BN_generate_prime.pod @@ -11,7 +11,7 @@ BN_generate_prime, BN_is_prime, BN_is_prime_fasttest - generate primes and test BIGNUM *BN_generate_prime(BIGNUM *ret, int num, int safe, BIGNUM *add, BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg); - int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, + int BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg); int BN_is_prime_fasttest(const BIGNUM *a, int checks, diff --git a/lib/libssl/src/doc/crypto/CMS_add0_cert.pod b/lib/libssl/src/doc/crypto/CMS_add0_cert.pod index 9c13f488f61..78095948b9c 100644 --- a/lib/libssl/src/doc/crypto/CMS_add0_cert.pod +++ b/lib/libssl/src/doc/crypto/CMS_add0_cert.pod @@ -20,7 +20,7 @@ =head1 DESCRIPTION CMS_add0_cert() and CMS_add1_cert() add certificate B<cert> to B<cms>. -must be of type signed data or enveloped data. +must be of type signed data or enveloped data. CMS_get1_certs() returns all certificates in B<cms>. @@ -46,7 +46,7 @@ than once. =head1 RETURN VALUES CMS_add0_cert(), CMS_add1_cert() and CMS_add0_crl() and CMS_add1_crl() return -1 for success and 0 for failure. +1 for success and 0 for failure. CMS_get1_certs() and CMS_get1_crls() return the STACK of certificates or CRLs or NULL if there are none or an error occurs. The only error which will occur diff --git a/lib/libssl/src/doc/crypto/CMS_encrypt.pod b/lib/libssl/src/doc/crypto/CMS_encrypt.pod index 1ee5b275ec8..01100a6df63 100644 --- a/lib/libssl/src/doc/crypto/CMS_encrypt.pod +++ b/lib/libssl/src/doc/crypto/CMS_encrypt.pod @@ -26,7 +26,7 @@ EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because most clients will support it. The algorithm passed in the B<cipher> parameter must support ASN1 encoding of -its parameters. +its parameters. Many browsers implement a "sign and encrypt" option which is simply an S/MIME envelopedData containing an S/MIME signed message. This can be readily produced diff --git a/lib/libssl/src/doc/crypto/CMS_final.pod b/lib/libssl/src/doc/crypto/CMS_final.pod index 36cf96b8a0b..beacc531ee3 100644 --- a/lib/libssl/src/doc/crypto/CMS_final.pod +++ b/lib/libssl/src/doc/crypto/CMS_final.pod @@ -14,7 +14,7 @@ CMS_final() finalises the structure B<cms>. It's purpose is to perform any operations necessary on B<cms> (digest computation for example) and set the -appropriate fields. The parameter B<data> contains the content to be +appropriate fields. The parameter B<data> contains the content to be processed. The B<dcont> parameter contains a BIO to write content to after processing: this is only used with detached data and will usually be set to NULL. diff --git a/lib/libssl/src/doc/crypto/CMS_get0_RecipientInfos.pod b/lib/libssl/src/doc/crypto/CMS_get0_RecipientInfos.pod index e0355423e6d..ba16e97b557 100644 --- a/lib/libssl/src/doc/crypto/CMS_get0_RecipientInfos.pod +++ b/lib/libssl/src/doc/crypto/CMS_get0_RecipientInfos.pod @@ -33,7 +33,7 @@ CMS_RECIPINFO_KEK, CMS_RECIPINFO_PASS, or CMS_RECIPINFO_OTHER. CMS_RecipientInfo_ktri_get0_signer_id() retrieves the certificate recipient identifier associated with a specific CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_TRANS. Either the keyidentifier will be set in -B<keyid> or B<both> issuer name and serial number in B<issuer> and B<sno>. +B<keyid> or B<both> issuer name and serial number in B<issuer> and B<sno>. CMS_RecipientInfo_ktri_cert_cmp() compares the certificate B<cert> against the CMS_RecipientInfo structure B<ri>, which must be of type CMS_RECIPINFO_TRANS. diff --git a/lib/libssl/src/doc/crypto/CMS_get1_ReceiptRequest.pod b/lib/libssl/src/doc/crypto/CMS_get1_ReceiptRequest.pod index f546376a1e6..50c2b9b9ab4 100644 --- a/lib/libssl/src/doc/crypto/CMS_get1_ReceiptRequest.pod +++ b/lib/libssl/src/doc/crypto/CMS_get1_ReceiptRequest.pod @@ -45,7 +45,7 @@ CMS_verify(). =head1 RETURN VALUES -CMS_ReceiptRequest_create0() returns a signed receipt request structure or +CMS_ReceiptRequest_create0() returns a signed receipt request structure or NULL if an error occurred. CMS_add1_ReceiptRequest() returns 1 for success or 0 is an error occurred. diff --git a/lib/libssl/src/doc/crypto/CMS_sign.pod b/lib/libssl/src/doc/crypto/CMS_sign.pod index 2cc72de3272..6b58ba3bddb 100644 --- a/lib/libssl/src/doc/crypto/CMS_sign.pod +++ b/lib/libssl/src/doc/crypto/CMS_sign.pod @@ -96,7 +96,7 @@ B<certs>, B<signcert> and B<pkey> parameters can all be B<NULL> and the B<CMS_PARTIAL> flag set. Then one or more signers can be added using the function CMS_sign_add1_signer(), non default digests can be used and custom attributes added. B<CMS_final()> must then be called to finalize the -structure if streaming is not enabled. +structure if streaming is not enabled. =head1 BUGS diff --git a/lib/libssl/src/doc/crypto/CMS_sign_add1_signer.pod b/lib/libssl/src/doc/crypto/CMS_sign_add1_signer.pod index bda3ca2adbd..215e994b543 100644 --- a/lib/libssl/src/doc/crypto/CMS_sign_add1_signer.pod +++ b/lib/libssl/src/doc/crypto/CMS_sign_add1_signer.pod @@ -52,7 +52,7 @@ structure. An error occurs if a matching digest value cannot be found to copy. The returned CMS_ContentInfo structure will be valid and finalized when this flag is set. -If B<CMS_PARTIAL> is set in addition to B<CMS_REUSE_DIGEST> then the +If B<CMS_PARTIAL> is set in addition to B<CMS_REUSE_DIGEST> then the CMS_SignerInfo structure will not be finalized so additional attributes can be added. In this case an explicit call to CMS_SignerInfo_sign() is needed to finalize it. @@ -81,7 +81,7 @@ If any of these algorithms is not available then it will not be included: for ex not loaded. CMS_sign_add1_signer() returns an internal pointer to the CMS_SignerInfo -structure just added, this can be used to set additional attributes +structure just added, this can be used to set additional attributes before it is finalized. =head1 RETURN VALUES diff --git a/lib/libssl/src/doc/crypto/CMS_verify.pod b/lib/libssl/src/doc/crypto/CMS_verify.pod index 8f26fdab093..4a6b3bfc97d 100644 --- a/lib/libssl/src/doc/crypto/CMS_verify.pod +++ b/lib/libssl/src/doc/crypto/CMS_verify.pod @@ -67,7 +67,7 @@ returned. If B<CMS_NO_SIGNER_CERT_VERIFY> is set the signing certificates are not verified. -If B<CMS_NO_ATTR_VERIFY> is set the signed attributes signature is not +If B<CMS_NO_ATTR_VERIFY> is set the signed attributes signature is not verified. If B<CMS_NO_CONTENT_VERIFY> is set then the content digest is not checked. @@ -81,13 +81,13 @@ certificates supplied in B<certs> then the verify will fail because the signer cannot be found. In some cases the standard techniques for looking up and validating -certificates are not appropriate: for example an application may wish to +certificates are not appropriate: for example an application may wish to lookup certificates in a database or perform customised verification. This -can be achieved by setting and verifying the signers certificates manually +can be achieved by setting and verifying the signers certificates manually using the signed data utility functions. Care should be taken when modifying the default verify behaviour, for example -setting B<CMS_NO_CONTENT_VERIFY> will totally disable all content verification +setting B<CMS_NO_CONTENT_VERIFY> will totally disable all content verification and any modified content will be considered valid. This combination is however useful if one merely wishes to write the content to B<out> and its validity is not considered important. diff --git a/lib/libssl/src/doc/crypto/CMS_verify_receipt.pod b/lib/libssl/src/doc/crypto/CMS_verify_receipt.pod index 9283e0e04b8..573e725ec14 100644 --- a/lib/libssl/src/doc/crypto/CMS_verify_receipt.pod +++ b/lib/libssl/src/doc/crypto/CMS_verify_receipt.pod @@ -16,7 +16,7 @@ CMS_verify_receipt() verifies a CMS signed receipt. B<rcms> is the signed receipt to verify. B<ocms> is the original SignedData structure containing the receipt request. B<certs> is a set of certificates in which to search for the signing certificate. B<store> is a trusted certificate store (used for chain -verification). +verification). B<flags> is an optional set of flags, which can be used to modify the verify operation. diff --git a/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod b/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod index 9965d69bf2e..64e81272808 100644 --- a/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod +++ b/lib/libssl/src/doc/crypto/CONF_modules_load_file.pod @@ -22,7 +22,7 @@ NULL the standard OpenSSL application name B<openssl_conf> is used. The behaviour can be cutomized using B<flags>. CONF_modules_load() is idential to CONF_modules_load_file() except it -read configuration information from B<cnf>. +read configuration information from B<cnf>. =head1 NOTES diff --git a/lib/libssl/src/doc/crypto/CRYPTO_set_locking_callback.pod b/lib/libssl/src/doc/crypto/CRYPTO_set_locking_callback.pod index dc0e9391dc2..8f4cf4cb2d8 100644 --- a/lib/libssl/src/doc/crypto/CRYPTO_set_locking_callback.pod +++ b/lib/libssl/src/doc/crypto/CRYPTO_set_locking_callback.pod @@ -68,7 +68,7 @@ that at least two callback functions are set, locking_function and threadid_func. locking_function(int mode, int n, const char *file, int line) is -needed to perform locking on shared data structures. +needed to perform locking on shared data structures. (Note that OpenSSL uses a number of global data structures that will be implicitly shared whenever multiple threads use OpenSSL.) Multi-threaded applications will crash at random if it is not set. diff --git a/lib/libssl/src/doc/crypto/DES_set_key.pod b/lib/libssl/src/doc/crypto/DES_set_key.pod index 6f0cf1cc5e5..b49545877ac 100644 --- a/lib/libssl/src/doc/crypto/DES_set_key.pod +++ b/lib/libssl/src/doc/crypto/DES_set_key.pod @@ -28,16 +28,16 @@ DES_fcrypt, DES_crypt, DES_enc_read, DES_enc_write - DES encryption void DES_set_odd_parity(DES_cblock *key); int DES_is_weak_key(const_DES_cblock *key); - void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, + void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks, int enc); - void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output, + void DES_ecb2_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks1, DES_key_schedule *ks2, int enc); - void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, - DES_key_schedule *ks1, DES_key_schedule *ks2, + void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, + DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, int enc); - void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output, - long length, DES_key_schedule *schedule, DES_cblock *ivec, + void DES_ncbc_encrypt(const unsigned char *input, unsigned char *output, + long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc); void DES_cfb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, @@ -45,8 +45,8 @@ DES_fcrypt, DES_crypt, DES_enc_read, DES_enc_write - DES encryption void DES_ofb_encrypt(const unsigned char *in, unsigned char *out, int numbits, long length, DES_key_schedule *schedule, DES_cblock *ivec); - void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output, - long length, DES_key_schedule *schedule, DES_cblock *ivec, + void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output, + long length, DES_key_schedule *schedule, DES_cblock *ivec, int enc); void DES_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *schedule, DES_cblock *ivec, @@ -55,8 +55,8 @@ DES_fcrypt, DES_crypt, DES_enc_read, DES_enc_write - DES encryption long length, DES_key_schedule *schedule, DES_cblock *ivec, int *num); - void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output, - long length, DES_key_schedule *schedule, DES_cblock *ivec, + void DES_xcbc_encrypt(const unsigned char *input, unsigned char *output, + long length, DES_key_schedule *schedule, DES_cblock *ivec, const_DES_cblock *inw, const_DES_cblock *outw, int enc); void DES_ede2_cbc_encrypt(const unsigned char *input, @@ -73,22 +73,22 @@ DES_fcrypt, DES_crypt, DES_enc_read, DES_enc_write - DES encryption unsigned char *output, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int enc); - void DES_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, - long length, DES_key_schedule *ks1, DES_key_schedule *ks2, - DES_key_schedule *ks3, DES_cblock *ivec1, DES_cblock *ivec2, + void DES_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, + long length, DES_key_schedule *ks1, DES_key_schedule *ks2, + DES_key_schedule *ks3, DES_cblock *ivec1, DES_cblock *ivec2, int enc); - void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, + void DES_ede3_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int *num, int enc); - void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, - long length, DES_key_schedule *ks1, - DES_key_schedule *ks2, DES_key_schedule *ks3, + void DES_ede3_ofb64_encrypt(const unsigned char *in, unsigned char *out, + long length, DES_key_schedule *ks1, + DES_key_schedule *ks2, DES_key_schedule *ks3, DES_cblock *ivec, int *num); - DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output, - long length, DES_key_schedule *schedule, + DES_LONG DES_cbc_cksum(const unsigned char *input, DES_cblock *output, + long length, DES_key_schedule *schedule, const_DES_cblock *ivec); - DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[], + DES_LONG DES_quad_cksum(const unsigned char *input, DES_cblock output[], long length, int out_count, DES_cblock *seed); void DES_string_to_key(const char *str, DES_cblock *key); void DES_string_to_2keys(const char *str, DES_cblock *key1, diff --git a/lib/libssl/src/doc/crypto/DH_generate_parameters.pod b/lib/libssl/src/doc/crypto/DH_generate_parameters.pod index 9081e9ea7cf..862aa0c39ac 100644 --- a/lib/libssl/src/doc/crypto/DH_generate_parameters.pod +++ b/lib/libssl/src/doc/crypto/DH_generate_parameters.pod @@ -21,7 +21,7 @@ allocated B<DH> structure. The pseudo-random number generator must be seeded prior to calling DH_generate_parameters(). B<prime_len> is the length in bits of the safe prime to be generated. -B<generator> is a small number E<gt> 1, typically 2 or 5. +B<generator> is a small number E<gt> 1, typically 2 or 5. A callback function may be used to provide feedback about the progress of the key generation. If B<callback> is not B<NULL>, it will be diff --git a/lib/libssl/src/doc/crypto/DSA_set_method.pod b/lib/libssl/src/doc/crypto/DSA_set_method.pod index 9c1434bd8d4..5ad7362f589 100644 --- a/lib/libssl/src/doc/crypto/DSA_set_method.pod +++ b/lib/libssl/src/doc/crypto/DSA_set_method.pod @@ -37,7 +37,7 @@ been set as a default for DSA, so this function is no longer recommended. DSA_get_default_method() returns a pointer to the current default DSA_METHOD. However, the meaningfulness of this result is dependent on -whether the ENGINE API is being used, so this function is no longer +whether the ENGINE API is being used, so this function is no longer recommended. DSA_set_method() selects B<meth> to perform all operations using the key diff --git a/lib/libssl/src/doc/crypto/ERR_get_error.pod b/lib/libssl/src/doc/crypto/ERR_get_error.pod index 828ecf529b2..1a765f7affb 100644 --- a/lib/libssl/src/doc/crypto/ERR_get_error.pod +++ b/lib/libssl/src/doc/crypto/ERR_get_error.pod @@ -52,7 +52,7 @@ ERR_get_error_line_data(), ERR_peek_error_line_data() and ERR_get_last_error_line_data() store additional data and flags associated with the error code in *B<data> and *B<flags>, unless these are B<NULL>. *B<data> contains a string -if *B<flags>&B<ERR_TXT_STRING> is true. +if *B<flags>&B<ERR_TXT_STRING> is true. An application B<MUST NOT> free the *B<data> pointer (or any other pointers returned by these functions) with OPENSSL_free() as freeing is handled diff --git a/lib/libssl/src/doc/crypto/EVP_DigestInit.pod b/lib/libssl/src/doc/crypto/EVP_DigestInit.pod index 367691cc7ae..dcc5d73f690 100644 --- a/lib/libssl/src/doc/crypto/EVP_DigestInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_DigestInit.pod @@ -26,18 +26,18 @@ EVP digest routines int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); - int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in); + int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out,const EVP_MD_CTX *in); int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); - int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); + int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); #define EVP_MAX_MD_SIZE 64 /* SHA512 */ int EVP_MD_type(const EVP_MD *md); - int EVP_MD_pkey_type(const EVP_MD *md); + int EVP_MD_pkey_type(const EVP_MD *md); int EVP_MD_size(const EVP_MD *md); int EVP_MD_block_size(const EVP_MD *md); @@ -136,10 +136,10 @@ reasons. EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(), EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2 -and RIPEMD160 digest algorithms respectively. +and RIPEMD160 digest algorithms respectively. EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest -algorithms but using DSS (DSA) for the signature algorithm. Note: there is +algorithms but using DSS (DSA) for the signature algorithm. Note: there is no need to use these pseudo-digests in OpenSSL 1.0.0 and later, they are however retained for compatibility. @@ -178,21 +178,21 @@ The B<EVP> interface to message digests should almost always be used in preference to the low level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. -New applications should use the SHA2 digest algorithms such as SHA256. +New applications should use the SHA2 digest algorithms such as SHA256. The other digest algorithms are still in common use. For most applications the B<impl> parameter to EVP_DigestInit_ex() will be set to NULL to use the default digest implementation. -The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are +The functions EVP_DigestInit(), EVP_DigestFinal() and EVP_MD_CTX_copy() are obsolete but are retained to maintain compatibility with existing code. New -applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and +applications should use EVP_DigestInit_ex(), EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex() because they can efficiently reuse a digest context instead of initializing and cleaning it up on each call and allow non default implementations of digests to be specified. In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use -memory leaks will occur. +memory leaks will occur. Stack allocation of EVP_MD_CTX structures is common, for example: diff --git a/lib/libssl/src/doc/crypto/EVP_DigestSignInit.pod b/lib/libssl/src/doc/crypto/EVP_DigestSignInit.pod index 37d960e3b22..11e8f6f9370 100644 --- a/lib/libssl/src/doc/crypto/EVP_DigestSignInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_DigestSignInit.pod @@ -56,7 +56,7 @@ needed to be used to sign using SHA1 and DSA. This is no longer necessary and the use of clone digest is now discouraged. For some key types and parameters the random number generator must be seeded -or the operation will fail. +or the operation will fail. The call to EVP_DigestSignFinal() internally finalizes a copy of the digest context. This means that calls to EVP_DigestSignUpdate() and @@ -81,7 +81,7 @@ L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)> =head1 HISTORY -EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal() +EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal() were first added to OpenSSL 1.0.0. =cut diff --git a/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod b/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod index f2244889783..819e0d4b9fb 100644 --- a/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_DigestVerifyInit.pod @@ -56,7 +56,7 @@ needed to be used to sign using SHA1 and DSA. This is no longer necessary and the use of clone digest is now discouraged. For some key types and parameters the random number generator must be seeded -or the operation will fail. +or the operation will fail. The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest context. This means that calls to EVP_VerifyUpdate() and EVP_VerifyFinal() can @@ -76,7 +76,7 @@ L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)> =head1 HISTORY -EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal() +EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and EVP_DigestVerifyFinal() were first added to OpenSSL 1.0.0. =cut diff --git a/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod b/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod index 1c4bf184a1b..84875e0fe09 100644 --- a/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_EncryptInit.pod @@ -128,7 +128,7 @@ calls to EVP_EncryptUpdate() should be made. If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more data and it will return an error if any data remains in a partial block: -that is if the total data length is not a multiple of the block size. +that is if the total data length is not a multiple of the block size. EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the corresponding decryption operations. EVP_DecryptFinal() will return an @@ -157,7 +157,7 @@ initialized and they always use the default cipher implementation. EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a similar way to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and -EVP_CipherFinal_ex() except B<ctx> is automatically cleaned up +EVP_CipherFinal_ex() except B<ctx> is automatically cleaned up after the call. EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() @@ -268,7 +268,7 @@ OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER. EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure. -EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for +EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for success or zero for failure. =head1 CIPHER LISTING @@ -283,7 +283,7 @@ Null cipher: does nothing. =item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void) -DES in CBC, ECB, CFB and OFB modes respectively. +DES in CBC, ECB, CFB and OFB modes respectively. =item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void), EVP_des_ede_cfb(void) @@ -346,7 +346,7 @@ Where possible the B<EVP> interface to symmetric ciphers should be used in preference to the low level interfaces. This is because the code then becomes transparent to the cipher used and much more flexible. -PKCS padding works by adding B<n> padding bytes of value B<n> to make the total +PKCS padding works by adding B<n> padding bytes of value B<n> to make the total length of the encrypted data a multiple of the block size. Padding is always added so if the data is already a multiple of the block size B<n> will equal the block size. For example if the block size is 8 and 11 bytes are to be @@ -376,7 +376,7 @@ a limitation of the current RC5 code rather than the EVP interface. EVP_MAX_KEY_LENGTH and EVP_MAX_IV_LENGTH only refer to the internal ciphers with default key lengths. If custom ciphers exceed these values the results are -unpredictable. This is because it has become standard practice to define a +unpredictable. This is because it has become standard practice to define a generic key as a fixed unsigned char array containing EVP_MAX_KEY_LENGTH bytes. The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested @@ -449,7 +449,7 @@ Encrypt a string using blowfish: The ciphertext from the above example can be decrypted using the B<openssl> utility with the command line: - + S<openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d> General encryption, decryption function example using FILE I/O and RC2 with an @@ -472,7 +472,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an /* We finished modifying parameters so now we can set key and IV */ EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt); - for(;;) + for(;;) { inlen = fread(inbuf, 1, 1024, in); if(inlen <= 0) break; diff --git a/lib/libssl/src/doc/crypto/EVP_OpenInit.pod b/lib/libssl/src/doc/crypto/EVP_OpenInit.pod index 2e710da945b..1aa2a9cd6e4 100644 --- a/lib/libssl/src/doc/crypto/EVP_OpenInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_OpenInit.pod @@ -27,7 +27,7 @@ B<ekl> bytes passed in the B<ek> parameter using the private key B<priv>. The IV is supplied in the B<iv> parameter. EVP_OpenUpdate() and EVP_OpenFinal() have exactly the same properties -as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as +as the EVP_DecryptUpdate() and EVP_DecryptFinal() routines, as documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual page. diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_ctrl.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_ctrl.pod index f2f455990f5..e8d1ddda75a 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_ctrl.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_CTX_ctrl.pod @@ -62,7 +62,7 @@ The macro EVP_PKEY_CTX_set_rsa_padding() sets the RSA padding mode for B<ctx>. The B<pad> parameter can take the value RSA_PKCS1_PADDING for PKCS#1 padding, RSA_SSLV23_PADDING for SSLv23 padding, RSA_NO_PADDING for no padding, RSA_PKCS1_OAEP_PADDING for OAEP padding (encrypt and decrypt only), -RSA_X931_PADDING for X9.31 padding (signature operations only) and +RSA_X931_PADDING for X9.31 padding (signature operations only) and RSA_PKCS1_PSS_PADDING (sign and verify only). Two RSA padding modes behave differently if EVP_PKEY_CTX_set_signature_md() @@ -87,7 +87,7 @@ RSA key genration to B<bits>. If not specified 1024 bits is used. The EVP_PKEY_CTX_set_rsa_keygen_pubexp() macro sets the public exponent value for RSA key generation to B<pubexp> currently it should be an odd integer. The -B<pubexp> pointer is used internally by this function so it should not be +B<pubexp> pointer is used internally by this function so it should not be modified or free after the call. If this macro is not called then 65537 is used. The macro EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used @@ -117,9 +117,9 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, -L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> -L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> +L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> +L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_cmp.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_cmp.pod index 4f8185e36cd..41452452992 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_cmp.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_cmp.pod @@ -56,6 +56,6 @@ keys match, 0 if they don't match, -1 if the key types are different and =head1 SEE ALSO L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, -L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> +L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> =cut diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_decrypt.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_decrypt.pod index 42b2a8c44ed..197878eff73 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_decrypt.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_decrypt.pod @@ -50,7 +50,7 @@ Decrypt data using OAEP (for RSA keys): EVP_PKEY_CTX *ctx; unsigned char *out, *in; - size_t outlen, inlen; + size_t outlen, inlen; EVP_PKEY *key; /* NB: assumes key in, inlen are already set up * and that key is an RSA private key @@ -71,7 +71,7 @@ Decrypt data using OAEP (for RSA keys): if (!out) /* malloc failure */ - + if (EVP_PKEY_decrypt(ctx, out, &outlen, in, inlen) <= 0) /* Error */ @@ -83,8 +83,8 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, -L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> +L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_derive.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_derive.pod index d9d6d76c721..de877ead1a0 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_derive.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_derive.pod @@ -71,7 +71,7 @@ Derive shared secret (for example DH or EC keys): if (!skey) /* malloc failure */ - + if (EVP_PKEY_derive(ctx, skey, &skeylen) <= 0) /* Error */ @@ -84,7 +84,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, +L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_encrypt.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_encrypt.pod index 91c9c5d0a5d..f7969c296ff 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_encrypt.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_encrypt.pod @@ -50,7 +50,7 @@ Encrypt data using OAEP (for RSA keys): EVP_PKEY_CTX *ctx; unsigned char *out, *in; - size_t outlen, inlen; + size_t outlen, inlen; EVP_PKEY *key; /* NB: assumes key in, inlen are already set up * and that key is an RSA public key @@ -71,7 +71,7 @@ Encrypt data using OAEP (for RSA keys): if (!out) /* malloc failure */ - + if (EVP_PKEY_encrypt(ctx, out, &outlen, in, inlen) <= 0) /* Error */ @@ -83,8 +83,8 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, -L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> +L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_keygen.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_keygen.pod index 37c6fe95030..b6102da036c 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_keygen.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_keygen.pod @@ -28,7 +28,7 @@ EVP_PKEY_keygen_init, EVP_PKEY_keygen, EVP_PKEY_paramgen_init, EVP_PKEY_paramgen The EVP_PKEY_keygen_init() function initializes a public key algorithm context using key B<pkey> for a key genration operation. -The EVP_PKEY_keygen() function performs a key generation operation, the +The EVP_PKEY_keygen() function performs a key generation operation, the generated key is written to B<ppkey>. The functions EVP_PKEY_paramgen_init() and EVP_PKEY_paramgen() are similar @@ -151,8 +151,8 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, -L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> +L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_new.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_new.pod index 10687e458db..11512249e40 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_new.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_new.pod @@ -14,7 +14,7 @@ EVP_PKEY_new, EVP_PKEY_free - private key allocation functions. =head1 DESCRIPTION -The EVP_PKEY_new() function allocates an empty B<EVP_PKEY> +The EVP_PKEY_new() function allocates an empty B<EVP_PKEY> structure which is used by OpenSSL to store private keys. EVP_PKEY_free() frees up the private key B<key>. diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_print_private.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_print_private.pod index ce9d70d7a7a..c9b7a898217 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_print_private.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_print_private.pod @@ -28,7 +28,7 @@ be used. =head1 NOTES -Currently no public key algorithms include any options in the B<pctx> parameter +Currently no public key algorithms include any options in the B<pctx> parameter parameter. If the key does not include all the components indicated by the function then @@ -44,7 +44,7 @@ the public key algorithm. =head1 SEE ALSO L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, -L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> +L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod index 2db692e2719..8afb1b22e18 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_set1_RSA.pod @@ -63,7 +63,7 @@ EVP_PKEY_set1_RSA(), EVP_PKEY_set1_DSA(), EVP_PKEY_set1_DH() and EVP_PKEY_set1_EC_KEY() return 1 for success or 0 for failure. EVP_PKEY_get1_RSA(), EVP_PKEY_get1_DSA(), EVP_PKEY_get1_DH() and -EVP_PKEY_get1_EC_KEY() return the referenced key or B<NULL> if +EVP_PKEY_get1_EC_KEY() return the referenced key or B<NULL> if an error occurred. EVP_PKEY_assign_RSA() EVP_PKEY_assign_DSA(), EVP_PKEY_assign_DH() diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_sign.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_sign.pod index 2fb52c34863..fb8e61cf299 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_sign.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_sign.pod @@ -50,7 +50,7 @@ Sign data using RSA with PKCS#1 padding and SHA256 digest: EVP_PKEY_CTX *ctx; unsigned char *md, *sig; - size_t mdlen, siglen; + size_t mdlen, siglen; EVP_PKEY *signing_key; /* NB: assumes signing_key, md and mdlen are already set up * and that signing_key is an RSA private key @@ -73,7 +73,7 @@ Sign data using RSA with PKCS#1 padding and SHA256 digest: if (!sig) /* malloc failure */ - + if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0) /* Error */ @@ -86,8 +86,8 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, -L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> +L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_verify.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_verify.pod index 10633da3f23..f7ae4f9ebe7 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_verify.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_verify.pod @@ -53,7 +53,7 @@ Verify signature using PKCS#1 and SHA256 digest: EVP_PKEY_CTX *ctx; unsigned char *md, *sig; - size_t mdlen, siglen; + size_t mdlen, siglen; EVP_PKEY *verify_key; /* NB: assumes verify_key, sig, siglen md and mdlen are already set up * and that verify_key is an RSA public key @@ -69,7 +69,7 @@ Verify signature using PKCS#1 and SHA256 digest: /* Error */ /* Perform operation */ - ret = EVP_PKEY_verify(ctx, md, mdlen, sig, siglen); + ret = EVP_PKEY_verify(ctx, sig, siglen, md, mdlen); /* ret == 1 indicates success, 0 verify failure and < 0 for some * other error. @@ -81,8 +81,8 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, -L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, -L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> +L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_PKEY_verify_recover.pod b/lib/libssl/src/doc/crypto/EVP_PKEY_verify_recover.pod index 23a28a9c43e..00d53db783a 100644 --- a/lib/libssl/src/doc/crypto/EVP_PKEY_verify_recover.pod +++ b/lib/libssl/src/doc/crypto/EVP_PKEY_verify_recover.pod @@ -29,7 +29,7 @@ B<rout> and the amount of data written to B<routlen>. =head1 NOTES Normally an application is only interested in whether a signature verification -operation is successful in those cases the EVP_verify() function should be +operation is successful in those cases the EVP_verify() function should be used. Sometimes however it is useful to obtain the data originally signed using a @@ -58,7 +58,7 @@ Recover digest originally signed using PKCS#1 and SHA256 digest: EVP_PKEY_CTX *ctx; unsigned char *rout, *sig; - size_t routlen, siglen; + size_t routlen, siglen; EVP_PKEY *verify_key; /* NB: assumes verify_key, sig and siglen are already set up * and that verify_key is an RSA public key @@ -81,7 +81,7 @@ Recover digest originally signed using PKCS#1 and SHA256 digest: if (!rout) /* malloc failure */ - + if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0) /* Error */ @@ -94,7 +94,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> +L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/EVP_SealInit.pod b/lib/libssl/src/doc/crypto/EVP_SealInit.pod index 7d793e19ef7..172f210c64f 100644 --- a/lib/libssl/src/doc/crypto/EVP_SealInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_SealInit.pod @@ -42,9 +42,9 @@ If the cipher does not require an IV then the B<iv> parameter is ignored and can be B<NULL>. EVP_SealUpdate() and EVP_SealFinal() have exactly the same properties -as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as +as the EVP_EncryptUpdate() and EVP_EncryptFinal() routines, as documented on the L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> manual -page. +page. =head1 RETURN VALUES diff --git a/lib/libssl/src/doc/crypto/EVP_SignInit.pod b/lib/libssl/src/doc/crypto/EVP_SignInit.pod index 620a623ab62..682724b1577 100644 --- a/lib/libssl/src/doc/crypto/EVP_SignInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_SignInit.pod @@ -32,7 +32,7 @@ same B<ctx> to include additional data. EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and places the signature in B<sig>. The number of bytes of data written (i.e. the length of the signature) will be written to the integer at B<s>, at most -EVP_PKEY_size(pkey) bytes will be written. +EVP_PKEY_size(pkey) bytes will be written. EVP_SignInit() initializes a signing context B<ctx> to use the default implementation of digest B<type>. @@ -57,7 +57,7 @@ transparent to the algorithm used and much more flexible. Due to the link between message digests and public key algorithms the correct digest algorithm must be used with the correct public key type. A list of -algorithms and associated public key algorithms appears in +algorithms and associated public key algorithms appears in L<EVP_DigestInit(3)|EVP_DigestInit(3)>. When signing with DSA private keys the random number generator must be seeded @@ -74,7 +74,7 @@ will occur. =head1 BUGS -Older versions of this documentation wrongly stated that calls to +Older versions of this documentation wrongly stated that calls to EVP_SignUpdate() could not be made after calling EVP_SignFinal(). Since the private key is passed in the call to EVP_SignFinal() any error diff --git a/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod b/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod index 9097f094105..0ffb0a80775 100644 --- a/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod +++ b/lib/libssl/src/doc/crypto/EVP_VerifyInit.pod @@ -51,7 +51,7 @@ transparent to the algorithm used and much more flexible. Due to the link between message digests and public key algorithms the correct digest algorithm must be used with the correct public key type. A list of -algorithms and associated public key algorithms appears in +algorithms and associated public key algorithms appears in L<EVP_DigestInit(3)|EVP_DigestInit(3)>. The call to EVP_VerifyFinal() internally finalizes a copy of the digest context. @@ -64,7 +64,7 @@ will occur. =head1 BUGS -Older versions of this documentation wrongly stated that calls to +Older versions of this documentation wrongly stated that calls to EVP_VerifyUpdate() could not be made after calling EVP_VerifyFinal(). Since the public key is passed in the call to EVP_SignFinal() any error diff --git a/lib/libssl/src/doc/crypto/MD5.pod b/lib/libssl/src/doc/crypto/MD5.pod index d11d5c32cbf..b0edd5416f7 100644 --- a/lib/libssl/src/doc/crypto/MD5.pod +++ b/lib/libssl/src/doc/crypto/MD5.pod @@ -75,7 +75,7 @@ preferred. =head1 RETURN VALUES -MD2(), MD4(), and MD5() return pointers to the hash value. +MD2(), MD4(), and MD5() return pointers to the hash value. MD2_Init(), MD2_Update(), MD2_Final(), MD4_Init(), MD4_Update(), MD4_Final(), MD5_Init(), MD5_Update(), and MD5_Final() return 1 for diff --git a/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod b/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod index 7dcc07923ff..458ef025f07 100644 --- a/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod +++ b/lib/libssl/src/doc/crypto/OBJ_nid2obj.pod @@ -8,6 +8,8 @@ functions =head1 SYNOPSIS + #include <openssl/objects.h> + ASN1_OBJECT * OBJ_nid2obj(int n); const char * OBJ_nid2ln(int n); const char * OBJ_nid2sn(int n); @@ -32,7 +34,7 @@ functions The ASN1 object utility functions process ASN1_OBJECT structures which are a representation of the ASN1 OBJECT IDENTIFIER (OID) type. -OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B<n> to +OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B<n> to an ASN1_OBJECT structure, its long name and its short name respectively, or B<NULL> is an error occurred. @@ -60,7 +62,7 @@ OBJ_cmp() compares B<a> to B<b>. If the two are identical 0 is returned. OBJ_dup() returns a copy of B<o>. -OBJ_create() adds a new object to the internal table. B<oid> is the +OBJ_create() adds a new object to the internal table. B<oid> is the numerical form of the object, B<sn> the short name and B<ln> the long name. A new NID is returned for the created object. @@ -113,14 +115,14 @@ Create a new NID and initialize an object from it: new_nid = OBJ_create("1.2.3.4", "NewOID", "New Object Identifier"); obj = OBJ_nid2obj(new_nid); - + Create a new object directly: obj = OBJ_txt2obj("1.2.3.4", 1); =head1 BUGS -OBJ_obj2txt() is awkward and messy to use: it doesn't follow the +OBJ_obj2txt() is awkward and messy to use: it doesn't follow the convention of other OpenSSL functions where the buffer can be set to B<NULL> to determine the amount of data that should be written. Instead B<buf> must point to a valid buffer and B<buf_len> should diff --git a/lib/libssl/src/doc/crypto/OPENSSL_config.pod b/lib/libssl/src/doc/crypto/OPENSSL_config.pod index 16600620ccf..552ed956abe 100644 --- a/lib/libssl/src/doc/crypto/OPENSSL_config.pod +++ b/lib/libssl/src/doc/crypto/OPENSSL_config.pod @@ -35,9 +35,9 @@ calls OPENSSL_add_all_algorithms() by compiling an application with the preprocessor symbol B<OPENSSL_LOAD_CONF> #define'd. In this way configuration can be added without source changes. -The environment variable B<OPENSSL_CONFIG> can be set to specify the location +The environment variable B<OPENSSL_CONF> can be set to specify the location of the configuration file. - + Currently ASN1 OBJECTs and ENGINE configuration can be performed future versions of OpenSSL will add new configuration options. diff --git a/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod b/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod index f14dfaf005d..6c991701972 100644 --- a/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod +++ b/lib/libssl/src/doc/crypto/OPENSSL_load_builtin_modules.pod @@ -24,15 +24,15 @@ ENGINE_add_conf_module() adds just the ENGINE configuration module. =head1 NOTES -If the simple configuration function OPENSSL_config() is called then +If the simple configuration function OPENSSL_config() is called then OPENSSL_load_builtin_modules() is called automatically. Applications which use the configuration functions directly will need to -call OPENSSL_load_builtin_modules() themselves I<before> any other +call OPENSSL_load_builtin_modules() themselves I<before> any other configuration code. Applications should call OPENSSL_load_builtin_modules() to load all -configuration modules instead of adding modules selectively: otherwise +configuration modules instead of adding modules selectively: otherwise functionality may be missing from the application if an when new modules are added. diff --git a/lib/libssl/src/doc/crypto/PEM_read_bio_PrivateKey.pod b/lib/libssl/src/doc/crypto/PEM_read_bio_PrivateKey.pod index 54414a3f6f3..e196bf14986 100644 --- a/lib/libssl/src/doc/crypto/PEM_read_bio_PrivateKey.pod +++ b/lib/libssl/src/doc/crypto/PEM_read_bio_PrivateKey.pod @@ -250,7 +250,7 @@ structure. They will also process a trusted X509 certificate but any trust settings are discarded. The B<X509_AUX> functions process a trusted X509 certificate using -an X509 structure. +an X509 structure. The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10 certificate request using an X509_REQ structure. The B<X509_REQ> @@ -435,7 +435,7 @@ which is an uninitialised pointer. This old B<PrivateKey> routines use a non standard technique for encryption. -The private key (or other data) takes the following form: +The private key (or other data) takes the following form: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED @@ -461,7 +461,7 @@ an existing structure. Therefore the following: PEM_read_bio_X509(bp, &x, 0, NULL); -where B<x> already contains a valid certificate, may not work, whereas: +where B<x> already contains a valid certificate, may not work, whereas: X509_free(x); x = PEM_read_bio_X509(bp, NULL, 0, NULL); diff --git a/lib/libssl/src/doc/crypto/PKCS12_create.pod b/lib/libssl/src/doc/crypto/PKCS12_create.pod index 48f3bb8cb8e..0a1e460cf11 100644 --- a/lib/libssl/src/doc/crypto/PKCS12_create.pod +++ b/lib/libssl/src/doc/crypto/PKCS12_create.pod @@ -46,6 +46,24 @@ export grade software which could use signing only keys of arbitrary size but had restrictions on the permissible sizes of keys which could be used for encryption. +=head1 NEW FUNCTIONALITY IN OPENSSL 0.9.8 + +Some additional functionality was added to PKCS12_create() in OpenSSL +0.9.8. These extensions are detailed below. + +If a certificate contains an B<alias> or B<keyid> then this will be +used for the corresponding B<friendlyName> or B<localKeyID> in the +PKCS12 structure. + +Either B<pkey>, B<cert> or both can be B<NULL> to indicate that no key or +certficate is required. In previous versions both had to be present or +a fatal error is returned. + +B<nid_key> or B<nid_cert> can be set to -1 indicating that no encryption +should be used. + +B<mac_iter> can be set to -1 and the MAC will then be omitted entirely. + =head1 SEE ALSO L<d2i_PKCS12(3)|d2i_PKCS12(3)> diff --git a/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod b/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod index 1a507b22a29..e2066843846 100644 --- a/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod +++ b/lib/libssl/src/doc/crypto/PKCS7_encrypt.pod @@ -6,7 +6,9 @@ PKCS7_encrypt - create a PKCS#7 envelopedData structure =head1 SYNOPSIS -PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags); + #include <openssl/pkcs7.h> + + PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags); =head1 DESCRIPTION @@ -16,43 +18,55 @@ B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags. =head1 NOTES -Only RSA keys are supported in PKCS#7 and envelopedData so the recipient certificates -supplied to this function must all contain RSA public keys, though they do not have to -be signed using the RSA algorithm. +Only RSA keys are supported in PKCS#7 and envelopedData so the recipient +certificates supplied to this function must all contain RSA public keys, though +they do not have to be signed using the RSA algorithm. -EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because -most clients will support it. +EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use +because most clients will support it. -Some old "export grade" clients may only support weak encryption using 40 or 64 bit -RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() respectively. +Some old "export grade" clients may only support weak encryption using 40 or 64 +bit RC2. These can be used by passing EVP_rc2_40_cbc() and EVP_rc2_64_cbc() +respectively. -The algorithm passed in the B<cipher> parameter must support ASN1 encoding of its -parameters. +The algorithm passed in the B<cipher> parameter must support ASN1 encoding of +its parameters. -Many browsers implement a "sign and encrypt" option which is simply an S/MIME +Many browsers implement a "sign and encrypt" option which is simply an S/MIME envelopedData containing an S/MIME signed message. This can be readily produced by storing the S/MIME signed message in a memory BIO and passing it to PKCS7_encrypt(). The following flags can be passed in the B<flags> parameter. -If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended -to the data. +If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are +prepended to the data. -Normally the supplied content is translated into MIME canonical format (as required -by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation occurs. This -option should be used if the supplied data is in binary format otherwise the translation -will corrupt it. If B<PKCS7_BINARY> is set then B<PKCS7_TEXT> is ignored. +Normally the supplied content is translated into MIME canonical format (as +required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation +occurs. This option should be used if the supplied data is in binary format +otherwise the translation will corrupt it. If B<PKCS7_BINARY> is set then +B<PKCS7_TEXT> is ignored. -=head1 RETURN VALUES +If the B<PKCS7_STREAM> flag is set a partial B<PKCS7> structure is output +suitable for streaming I/O: no data is read from the BIO B<in>. -PKCS7_encrypt() returns either a valid PKCS7 structure or NULL if an error occurred. -The error can be obtained from ERR_get_error(3). +=head1 NOTES -=head1 BUGS +If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not> +complete and outputting its contents via a function that does not +properly finalize the B<PKCS7> structure will give unpredictable +results. -The lack of single pass processing and need to hold all data in memory as -mentioned in PKCS7_sign() also applies to PKCS7_verify(). +Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(), +PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization +can be performed by obtaining the streaming ASN1 B<BIO> directly using +BIO_new_PKCS7(). + +=head1 RETURN VALUES + +PKCS7_encrypt() returns either a PKCS7 structure or NULL if an error occurred. +The error can be obtained from ERR_get_error(3). =head1 SEE ALSO @@ -61,5 +75,6 @@ L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_decrypt(3)|PKCS7_decrypt(3)> =head1 HISTORY PKCS7_decrypt() was added to OpenSSL 0.9.5 +The B<PKCS7_STREAM> flag was first supported in OpenSSL 1.0.0. =cut diff --git a/lib/libssl/src/doc/crypto/PKCS7_sign.pod b/lib/libssl/src/doc/crypto/PKCS7_sign.pod index fc7e649b341..9a4f5b173ee 100644 --- a/lib/libssl/src/doc/crypto/PKCS7_sign.pod +++ b/lib/libssl/src/doc/crypto/PKCS7_sign.pod @@ -6,14 +6,16 @@ PKCS7_sign - create a PKCS#7 signedData structure =head1 SYNOPSIS -PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags); + #include <openssl/pkcs7.h> + + PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags); =head1 DESCRIPTION -PKCS7_sign() creates and returns a PKCS#7 signedData structure. B<signcert> -is the certificate to sign with, B<pkey> is the corresponsding private key. -B<certs> is an optional additional set of certificates to include in the -PKCS#7 structure (for example any intermediate CAs in the chain). +PKCS7_sign() creates and returns a PKCS#7 signedData structure. B<signcert> is +the certificate to sign with, B<pkey> is the corresponsding private key. +B<certs> is an optional additional set of certificates to include in the PKCS#7 +structure (for example any intermediate CAs in the chain). The data to be signed is read from BIO B<data>. @@ -21,58 +23,83 @@ B<flags> is an optional set of flags. =head1 NOTES -Any of the following flags (ored together) can be passed in the B<flags> parameter. +Any of the following flags (ored together) can be passed in the B<flags> +parameter. Many S/MIME clients expect the signed content to include valid MIME headers. If the B<PKCS7_TEXT> flag is set MIME headers for type B<text/plain> are prepended to the data. If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the -PKCS7 structure, the signer's certificate must still be supplied in the B<signcert> -parameter though. This can reduce the size of the signature if the signers certificate -can be obtained by other means: for example a previously signed message. +PKCS7 structure, the signer's certificate must still be supplied in the +B<signcert> parameter though. This can reduce the size of the signature if the +signers certificate can be obtained by other means: for example a previously +signed message. + +The data being signed is included in the PKCS7 structure, unless +B<PKCS7_DETACHED> is set in which case it is omitted. This is used for PKCS7 +detached signatures which are used in S/MIME plaintext signed messages for +example. + +Normally the supplied content is translated into MIME canonical format (as +required by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation +occurs. This option should be used if the supplied data is in binary format +otherwise the translation will corrupt it. + +The signedData structure includes several PKCS#7 autenticatedAttributes +including the signing time, the PKCS#7 content type and the supported list of +ciphers in an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no +authenticatedAttributes will be used. If B<PKCS7_NOSMIMECAP> is set then just +the SMIMECapabilities are omitted. -The data being signed is included in the PKCS7 structure, unless B<PKCS7_DETACHED> -is set in which case it is omitted. This is used for PKCS7 detached signatures -which are used in S/MIME plaintext signed messages for example. +If present the SMIMECapabilities attribute indicates support for the following +algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of +these algorithms is disabled then it will not be included. -Normally the supplied content is translated into MIME canonical format (as required -by the S/MIME specifications) if B<PKCS7_BINARY> is set no translation occurs. This -option should be used if the supplied data is in binary format otherwise the translation -will corrupt it. +If the flags B<PKCS7_STREAM> is set then the returned B<PKCS7> structure is +just initialized ready to perform the signing operation. The signing is however +B<not> performed and the data to be signed is not read from the B<data> +parameter. Signing is deferred until after the data has been written. In this +way data can be signed in a single pass. -The signedData structure includes several PKCS#7 autenticatedAttributes including -the signing time, the PKCS#7 content type and the supported list of ciphers in -an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no authenticatedAttributes -will be used. If B<PKCS7_NOSMIMECAP> is set then just the SMIMECapabilities are -omitted. +If the B<PKCS7_PARTIAL> flag is set a partial B<PKCS7> structure is output to +which additional signers and capabilities can be added before finalization. -If present the SMIMECapabilities attribute indicates support for the following -algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any -of these algorithms is disabled then it will not be included. -=head1 BUGS +=head1 NOTES + +If the flag B<PKCS7_STREAM> is set the returned B<PKCS7> structure is B<not> +complete and outputting its contents via a function that does not properly +finalize the B<PKCS7> structure will give unpredictable results. -PKCS7_sign() is somewhat limited. It does not support multiple signers, some -advanced attributes such as counter signatures are not supported. +Several functions including SMIME_write_PKCS7(), i2d_PKCS7_bio_stream(), +PEM_write_bio_PKCS7_stream() finalize the structure. Alternatively finalization +can be performed by obtaining the streaming ASN1 B<BIO> directly using +BIO_new_PKCS7(). -The SHA1 digest algorithm is currently always used. +If a signer is specified it will use the default digest for the signing +algorithm. This is B<SHA1> for both RSA and DSA keys. -When the signed data is not detached it will be stored in memory within the -B<PKCS7> structure. This effectively limits the size of messages which can be -signed due to memory restraints. There should be a way to sign data without -having to hold it all in memory, this would however require fairly major -revisions of the OpenSSL ASN1 code. +In OpenSSL 1.0.0 the B<certs>, B<signcert> and B<pkey> parameters can all be +B<NULL> if the B<PKCS7_PARTIAL> flag is set. One or more signers can be added +using the function B<PKCS7_sign_add_signer()>. B<PKCS7_final()> must also be +called to finalize the structure if streaming is not enabled. Alternative +signing digests can also be specified using this method. -Clear text signing does not store the content in memory but the way PKCS7_sign() -operates means that two passes of the data must typically be made: one to compute -the signatures and a second to output the data along with the signature. There -should be a way to process the data with only a single pass. +In OpenSSL 1.0.0 if B<signcert> and B<pkey> are NULL then a certificates only +PKCS#7 structure is output. + +In versions of OpenSSL before 1.0.0 the B<signcert> and B<pkey> parameters must +B<NOT> be NULL. + +=head1 BUGS + +Some advanced attributes such as counter signatures are not supported. =head1 RETURN VALUES -PKCS7_sign() returns either a valid PKCS7 structure or NULL if an error occurred. -The error can be obtained from ERR_get_error(3). +PKCS7_sign() returns either a valid PKCS7 structure or NULL if an error +occurred. The error can be obtained from ERR_get_error(3). =head1 SEE ALSO @@ -82,4 +109,8 @@ L<ERR_get_error(3)|ERR_get_error(3)>, L<PKCS7_verify(3)|PKCS7_verify(3)> PKCS7_sign() was added to OpenSSL 0.9.5 +The B<PKCS7_PARTIAL> flag was added in OpenSSL 1.0.0 + +The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0 + =cut diff --git a/lib/libssl/src/doc/crypto/PKCS7_sign_add_signer.pod b/lib/libssl/src/doc/crypto/PKCS7_sign_add_signer.pod index ebec4d57dea..afe8ad97cd4 100644 --- a/lib/libssl/src/doc/crypto/PKCS7_sign_add_signer.pod +++ b/lib/libssl/src/doc/crypto/PKCS7_sign_add_signer.pod @@ -44,7 +44,7 @@ digest value from the PKCS7 struture: to add a signer to an existing structure. An error occurs if a matching digest value cannot be found to copy. The returned PKCS7 structure will be valid and finalized when this flag is set. -If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the +If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the B<PKCS7_SIGNER_INO> structure will not be finalized so additional attributes can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is needed to finalize it. @@ -67,7 +67,7 @@ these algorithms is disabled then it will not be included. PKCS7_sign_add_signers() returns an internal pointer to the PKCS7_SIGNER_INFO -structure just added, this can be used to set additional attributes +structure just added, this can be used to set additional attributes before it is finalized. =head1 RETURN VALUES diff --git a/lib/libssl/src/doc/crypto/PKCS7_verify.pod b/lib/libssl/src/doc/crypto/PKCS7_verify.pod index 07c9fdad402..51ada03f2d9 100644 --- a/lib/libssl/src/doc/crypto/PKCS7_verify.pod +++ b/lib/libssl/src/doc/crypto/PKCS7_verify.pod @@ -6,9 +6,11 @@ PKCS7_verify - verify a PKCS#7 signedData structure =head1 SYNOPSIS -int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags); + #include <openssl/pkcs7.h> -int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags); + int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags); + + STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags); =head1 DESCRIPTION @@ -52,7 +54,7 @@ Any of the following flags (ored together) can be passed in the B<flags> paramet to change the default verify behaviour. Only the flag B<PKCS7_NOINTERN> is meaningful to PKCS7_get0_signers(). -If B<PKCS7_NOINTERN> is set the certificates in the message itself are not +If B<PKCS7_NOINTERN> is set the certificates in the message itself are not searched when locating the signer's certificate. This means that all the signers certificates must be in the B<certs> parameter. @@ -77,7 +79,7 @@ certificates supplied in B<certs> then the verify will fail because the signer cannot be found. Care should be taken when modifying the default verify behaviour, for example -setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification +setting B<PKCS7_NOVERIFY|PKCS7_NOSIGS> will totally disable all verification and any signed message will be considered valid. This combination is however useful if one merely wishes to write the content to B<out> and its validity is not considered important. diff --git a/lib/libssl/src/doc/crypto/RAND.pod b/lib/libssl/src/doc/crypto/RAND.pod index e460c1653e2..8f803f33eb3 100644 --- a/lib/libssl/src/doc/crypto/RAND.pod +++ b/lib/libssl/src/doc/crypto/RAND.pod @@ -54,7 +54,7 @@ described in L<RAND_add(3)|RAND_add(3)>. Its state can be saved in a seed file seeding process whenever the application is started. L<RAND_bytes(3)|RAND_bytes(3)> describes how to obtain random data from the -PRNG. +PRNG. =head1 INTERNALS @@ -67,6 +67,6 @@ L<BN_rand(3)|BN_rand(3)>, L<RAND_add(3)|RAND_add(3)>, L<RAND_load_file(3)|RAND_load_file(3)>, L<RAND_bytes(3)|RAND_bytes(3)>, L<RAND_set_rand_method(3)|RAND_set_rand_method(3)>, -L<RAND_cleanup(3)|RAND_cleanup(3)> +L<RAND_cleanup(3)|RAND_cleanup(3)> =cut diff --git a/lib/libssl/src/doc/crypto/RIPEMD160.pod b/lib/libssl/src/doc/crypto/RIPEMD160.pod index 264bb99ae79..f66fb02ed2b 100644 --- a/lib/libssl/src/doc/crypto/RIPEMD160.pod +++ b/lib/libssl/src/doc/crypto/RIPEMD160.pod @@ -45,7 +45,7 @@ hash functions directly. =head1 RETURN VALUES -RIPEMD160() returns a pointer to the hash value. +RIPEMD160() returns a pointer to the hash value. RIPEMD160_Init(), RIPEMD160_Update() and RIPEMD160_Final() return 1 for success, 0 otherwise. diff --git a/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod b/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod index 746a80c79ea..4c4d1311721 100644 --- a/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod +++ b/lib/libssl/src/doc/crypto/RSA_private_encrypt.pod @@ -11,7 +11,7 @@ RSA_private_encrypt, RSA_public_decrypt - low level signature operations int RSA_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); - int RSA_public_decrypt(int flen, unsigned char *from, + int RSA_public_decrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding); =head1 DESCRIPTION diff --git a/lib/libssl/src/doc/crypto/RSA_set_method.pod b/lib/libssl/src/doc/crypto/RSA_set_method.pod index 2c963d7e5bb..eb0913c1060 100644 --- a/lib/libssl/src/doc/crypto/RSA_set_method.pod +++ b/lib/libssl/src/doc/crypto/RSA_set_method.pod @@ -43,7 +43,7 @@ been set as a default for RSA, so this function is no longer recommended. RSA_get_default_method() returns a pointer to the current default RSA_METHOD. However, the meaningfulness of this result is dependent on -whether the ENGINE API is being used, so this function is no longer +whether the ENGINE API is being used, so this function is no longer recommended. RSA_set_method() selects B<meth> to perform all operations using the key diff --git a/lib/libssl/src/doc/crypto/RSA_sign.pod b/lib/libssl/src/doc/crypto/RSA_sign.pod index 8553be8e99b..061c0e24372 100644 --- a/lib/libssl/src/doc/crypto/RSA_sign.pod +++ b/lib/libssl/src/doc/crypto/RSA_sign.pod @@ -52,7 +52,7 @@ SSL, PKCS #1 v2.0 L<ERR_get_error(3)|ERR_get_error(3)>, L<objects(3)|objects(3)>, L<rsa(3)|rsa(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>, -L<RSA_public_decrypt(3)|RSA_public_decrypt(3)> +L<RSA_public_decrypt(3)|RSA_public_decrypt(3)> =head1 HISTORY diff --git a/lib/libssl/src/doc/crypto/SHA1.pod b/lib/libssl/src/doc/crypto/SHA1.pod index 94ab7bc7241..232af9227e4 100644 --- a/lib/libssl/src/doc/crypto/SHA1.pod +++ b/lib/libssl/src/doc/crypto/SHA1.pod @@ -46,7 +46,7 @@ used only when backward compatibility is required. =head1 RETURN VALUES -SHA1() returns a pointer to the hash value. +SHA1() returns a pointer to the hash value. SHA1_Init(), SHA1_Update() and SHA1_Final() return 1 for success, 0 otherwise. diff --git a/lib/libssl/src/doc/crypto/X509_NAME_ENTRY_get_object.pod b/lib/libssl/src/doc/crypto/X509_NAME_ENTRY_get_object.pod index d287c18564b..ad0d7965351 100644 --- a/lib/libssl/src/doc/crypto/X509_NAME_ENTRY_get_object.pod +++ b/lib/libssl/src/doc/crypto/X509_NAME_ENTRY_get_object.pod @@ -9,15 +9,17 @@ X509_NAME_ENTRY_create_by_OBJ - X509_NAME_ENTRY utility functions =head1 SYNOPSIS -ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); -ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); + #include <openssl/x509.h> -int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj); -int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, unsigned char *bytes, int len); + ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); + ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); -X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, char *field, int type, unsigned char *bytes, int len); -X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len); -X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type,unsigned char *bytes, int len); + int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj); + int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len); + + X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len); + X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type,unsigned char *bytes, int len); + X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, const unsigned char *bytes, int len); =head1 DESCRIPTION @@ -33,17 +35,17 @@ X509_NAME_ENTRY_set_data() sets the field value of B<ne> to string type B<type> and value determined by B<bytes> and B<len>. X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID() -and X509_NAME_ENTRY_create_by_OBJ() create and return an +and X509_NAME_ENTRY_create_by_OBJ() create and return an B<X509_NAME_ENTRY> structure. =head1 NOTES X509_NAME_ENTRY_get_object() and X509_NAME_ENTRY_get_data() can be -used to examine an B<X509_NAME_ENTRY> function as returned by +used to examine an B<X509_NAME_ENTRY> function as returned by X509_NAME_get_entry() for example. X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_NID(), -and X509_NAME_ENTRY_create_by_OBJ() create and return an +and X509_NAME_ENTRY_create_by_OBJ() create and return an X509_NAME_ENTRY_create_by_txt(), X509_NAME_ENTRY_create_by_OBJ(), X509_NAME_ENTRY_create_by_NID() and X509_NAME_ENTRY_set_data() diff --git a/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod b/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod index 4472a1c5cf7..5b9e81b922d 100644 --- a/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod +++ b/lib/libssl/src/doc/crypto/X509_NAME_add_entry_by_txt.pod @@ -7,11 +7,17 @@ X509_NAME_add_entry, X509_NAME_delete_entry - X509_NAME modification functions =head1 SYNOPSIS -int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type, unsigned char *bytes, int len, int loc, int set); -int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set); -int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set); -int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set); -X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); + #include <openssl/x509.h> + + int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set); + + int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, unsigned char *bytes, int len, int loc, int set); + + int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, unsigned char *bytes, int len, int loc, int set); + + int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, int loc, int set); + + X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); =head1 DESCRIPTION @@ -55,7 +61,7 @@ to 0. This adds a new entry to the end of B<name> as a single valued RelativeDistinguishedName (RDN). B<loc> actually determines the index where the new entry is inserted: -if it is -1 it is appended. +if it is -1 it is appended. B<set> determines how the new type is added. If it is zero a new RDN is created. diff --git a/lib/libssl/src/doc/crypto/X509_NAME_get_index_by_NID.pod b/lib/libssl/src/doc/crypto/X509_NAME_get_index_by_NID.pod index 333323d734e..7da92617fb1 100644 --- a/lib/libssl/src/doc/crypto/X509_NAME_get_index_by_NID.pod +++ b/lib/libssl/src/doc/crypto/X509_NAME_get_index_by_NID.pod @@ -8,14 +8,16 @@ X509_NAME lookup and enumeration functions =head1 SYNOPSIS -int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos); -int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj, int lastpos); + #include <openssl/x509.h> -int X509_NAME_entry_count(X509_NAME *name); -X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc); + int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos); + int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj, int lastpos); -int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf,int len); -int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,int len); + int X509_NAME_entry_count(X509_NAME *name); + X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc); + + int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf,int len); + int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf,int len); =head1 DESCRIPTION @@ -41,7 +43,7 @@ B<obj>, if no such entry exists -1 is returned. At most B<len> bytes will be written and the text written to B<buf> will be null terminated. The length of the output string written is returned excluding the terminating null. If B<buf> is <NULL> then the amount -of space needed in B<buf> (excluding the final null) is returned. +of space needed in B<buf> (excluding the final null) is returned. =head1 NOTES diff --git a/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod b/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod index 907c04f684f..b2d86d4ddb9 100644 --- a/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod +++ b/lib/libssl/src/doc/crypto/X509_NAME_print_ex.pod @@ -27,7 +27,7 @@ X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>. At most B<size> bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically allocated and returned, otherwise B<buf> is returned. -X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase> +X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase> characters. Multiple lines are used if the output (including indent) exceeds 80 characters. @@ -41,8 +41,8 @@ applications. Although there are a large number of possible flags for most purposes B<XN_FLAG_ONELINE>, B<XN_FLAG_MULTILINE> or B<XN_FLAG_RFC2253> will suffice. As noted on the L<ASN1_STRING_print_ex(3)|ASN1_STRING_print_ex(3)> manual page -for UTF8 terminals the B<ASN1_STRFLAGS_ESC_MSB> should be unset: so for example -B<XN_FLAG_ONELINE & ~ASN1_STRFLAGS_ESC_MSB> would be used. +for UTF8 terminals the B<ASN1_STRFLGS_ESC_MSB> should be unset: so for example +B<XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB> would be used. The complete set of the flags supported by X509_NAME_print_ex() is listed below. @@ -76,7 +76,7 @@ printed instead of the values. If B<XN_FLAG_FN_ALIGN> is set then field names are padded to 20 characters: this is only of use for multiline format. -Additionally all the options supported by ASN1_STRING_print_ex() can be used to +Additionally all the options supported by ASN1_STRING_print_ex() can be used to control how each field value is displayed. In addition a number options can be set for commonly used formats. @@ -86,10 +86,10 @@ is equivalent to: B<ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | XN_FLAG_FN_SN | XN_FLAG_DUMP_UNKNOWN_FIELDS> -B<XN_FLAG_ONELINE> is a more readable one line format it is the same as: +B<XN_FLAG_ONELINE> is a more readable one line format which is the same as: B<ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_SPC_EQ | XN_FLAG_FN_SN> -B<XN_FLAG_MULTILINE> is a multiline format is is the same as: +B<XN_FLAG_MULTILINE> is a multiline format which is the same as: B<ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN> B<XN_FLAG_COMPAT> uses a format identical to X509_NAME_print(): in fact it calls X509_NAME_print() internally. diff --git a/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod b/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod index 8d6b9dda47e..1b75967ccd6 100644 --- a/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod +++ b/lib/libssl/src/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod @@ -27,7 +27,7 @@ and RSA_get_ex_data() as described in L<RSA_get_ex_new_index(3)>. This mechanism is used internally by the B<ssl> library to store the B<SSL> structure associated with a verification operation in an B<X509_STORE_CTX> -structure. +structure. =head1 SEE ALSO diff --git a/lib/libssl/src/doc/crypto/X509_STORE_CTX_new.pod b/lib/libssl/src/doc/crypto/X509_STORE_CTX_new.pod index b17888f149e..1c55236aa29 100644 --- a/lib/libssl/src/doc/crypto/X509_STORE_CTX_new.pod +++ b/lib/libssl/src/doc/crypto/X509_STORE_CTX_new.pod @@ -45,7 +45,7 @@ will be untrusted but may be used to build the chain) in B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>. X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx> -to B<sk>. This is an alternative way of specifying trusted certificates +to B<sk>. This is an alternative way of specifying trusted certificates instead of using an B<X509_STORE>. X509_STORE_CTX_set_cert() sets the certificate to be vertified in B<ctx> to diff --git a/lib/libssl/src/doc/crypto/X509_STORE_CTX_set_verify_cb.pod b/lib/libssl/src/doc/crypto/X509_STORE_CTX_set_verify_cb.pod index b9787a6ca6f..86d988eee05 100644 --- a/lib/libssl/src/doc/crypto/X509_STORE_CTX_set_verify_cb.pod +++ b/lib/libssl/src/doc/crypto/X509_STORE_CTX_set_verify_cb.pod @@ -94,7 +94,7 @@ expired just one specific case: Full featured logging callback. In this case the B<bio_err> is assumed to be a global logging B<BIO>, an alternative would to store a BIO in B<ctx> using B<ex_data>. - + int verify_callback(int ok, X509_STORE_CTX *ctx) { X509 *err_cert; diff --git a/lib/libssl/src/doc/crypto/X509_STORE_set_verify_cb_func.pod b/lib/libssl/src/doc/crypto/X509_STORE_set_verify_cb_func.pod index 29e3bbe3bce..012f2d2c757 100644 --- a/lib/libssl/src/doc/crypto/X509_STORE_set_verify_cb_func.pod +++ b/lib/libssl/src/doc/crypto/X509_STORE_set_verify_cb_func.pod @@ -24,14 +24,14 @@ is implemented as a macro. =head1 NOTES -The verification callback from an B<X509_STORE> is inherited by +The verification callback from an B<X509_STORE> is inherited by the corresponding B<X509_STORE_CTX> structure when it is initialized. This can -be used to set the verification callback when the B<X509_STORE_CTX> is +be used to set the verification callback when the B<X509_STORE_CTX> is otherwise inaccessible (for example during S/MIME verification). =head1 BUGS -The macro version of this function was the only one available before +The macro version of this function was the only one available before OpenSSL 1.0.0. =head1 RETURN VALUES diff --git a/lib/libssl/src/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/lib/libssl/src/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index b68eece0338..e5da5bec085 100644 --- a/lib/libssl/src/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/lib/libssl/src/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -2,7 +2,7 @@ =head1 NAME -X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509 verification parameters +X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_get_flags, X509_VERIFY_PARAM_set_purpose, X509_VERIFY_PARAM_set_trust, X509_VERIFY_PARAM_set_depth, X509_VERIFY_PARAM_get_depth, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies - X509 verification parameters =head1 SYNOPSIS @@ -20,7 +20,7 @@ X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_ge int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy); - int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, + int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies); void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); @@ -29,7 +29,7 @@ X509_VERIFY_PARAM_set_flags, X509_VERIFY_PARAM_clear_flags, X509_VERIFY_PARAM_ge =head1 DESCRIPTION These functions manipulate the B<X509_VERIFY_PARAM> structure associated with -a certificate verification operation. +a certificate verification operation. The X509_VERIFY_PARAM_set_flags() function sets the flags in B<param> by oring it with B<flags>. See the B<VERIFICATION FLAGS> section for a complete @@ -43,7 +43,7 @@ X509_VERIFY_PARAM_set_purpose() sets the verification purpose in B<param> to B<purpose>. This determines the acceptable purpose of the certificate chain, for example SSL client or SSL server. -X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to +X509_VERIFY_PARAM_set_trust() sets the trust setting in B<param> to B<trust>. X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to @@ -63,10 +63,10 @@ chain. =head1 RETURN VALUES -X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), +X509_VERIFY_PARAM_set_flags(), X509_VERIFY_PARAM_clear_flags(), X509_VERIFY_PARAM_set_purpose(), X509_VERIFY_PARAM_set_trust(), X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies() return 1 -for success and 0 for failure. +for success and 0 for failure. X509_VERIFY_PARAM_get_flags() returns the current verification flags. @@ -81,7 +81,7 @@ The verification flags consists of zero or more of the following flags ored together. B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf -certificate. An error occurs if a suitable CRL cannot be found. +certificate. An error occurs if a suitable CRL cannot be found. B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate chain. @@ -99,7 +99,7 @@ certificates and makes the verification strictly apply B<X509> rules. B<X509_V_FLAG_ALLOW_PROXY_CERTS> enables proxy certificate verification. B<X509_V_FLAG_POLICY_CHECK> enables certificate policy checking, by default -no policy checking is peformed. Additional information is sent to the +no policy checking is peformed. Additional information is sent to the verification callback relating to policy checking. B<X509_V_FLAG_EXPLICIT_POLICY>, B<X509_V_FLAG_INHIBIT_ANY> and @@ -113,7 +113,7 @@ a special status code is set to the verification callback. This permits it to examine the valid policy tree and perform additional checks or simply log it for debugging purposes. -By default some addtional features such as indirect CRLs and CRLs signed by +By default some additional features such as indirect CRLs and CRLs signed by different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set they are enabled. @@ -142,7 +142,7 @@ X509_STORE_CTX_set_flags(). =head1 BUGS Delta CRL checking is currently primitive. Only a single delta can be used and -(partly due to limitations of B<X509_STORE>) constructed CRLs are not +(partly due to limitations of B<X509_STORE>) constructed CRLs are not maintained. If CRLs checking is enable CRLs are expected to be available in the @@ -151,7 +151,7 @@ CRLs from the CRL distribution points extension. =head1 EXAMPLE -Enable CRL checking when performing certificate verification during SSL +Enable CRL checking when performing certificate verification during SSL connections associated with an B<SSL_CTX> structure B<ctx>: X509_VERIFY_PARAM *param; diff --git a/lib/libssl/src/doc/crypto/bn_internal.pod b/lib/libssl/src/doc/crypto/bn_internal.pod index 91840b0f0d6..7d4dac9ccf6 100644 --- a/lib/libssl/src/doc/crypto/bn_internal.pod +++ b/lib/libssl/src/doc/crypto/bn_internal.pod @@ -95,8 +95,8 @@ is the number of words being used, so for a value of 4, bn.d[0]=4 and bn.top=1. B<neg> is 1 if the number is negative. When a B<BIGNUM> is B<0>, the B<d> field can be B<NULL> and B<top> == B<0>. -B<flags> is a bit field of flags which are defined in C<openssl/bn.h>. The -flags begin with B<BN_FLG_>. The macros BN_set_flags(b,n) and +B<flags> is a bit field of flags which are defined in C<openssl/bn.h>. The +flags begin with B<BN_FLG_>. The macros BN_set_flags(b,n) and BN_get_flags(b,n) exist to enable or fetch flag(s) B<n> from B<BIGNUM> structure B<b>. diff --git a/lib/libssl/src/doc/crypto/crypto.pod b/lib/libssl/src/doc/crypto/crypto.pod index 7a527992bb5..3c4a07d9068 100644 --- a/lib/libssl/src/doc/crypto/crypto.pod +++ b/lib/libssl/src/doc/crypto/crypto.pod @@ -28,7 +28,7 @@ hash functions and a cryptographic pseudo-random number generator. =item SYMMETRIC CIPHERS L<blowfish(3)|blowfish(3)>, L<cast(3)|cast(3)>, L<des(3)|des(3)>, -L<idea(3)|idea(3)>, L<rc2(3)|rc2(3)>, L<rc4(3)|rc4(3)>, L<rc5(3)|rc5(3)> +L<idea(3)|idea(3)>, L<rc2(3)|rc2(3)>, L<rc4(3)|rc4(3)>, L<rc5(3)|rc5(3)> =item PUBLIC KEY CRYPTOGRAPHY AND KEY AGREEMENT @@ -52,13 +52,13 @@ L<OPENSSL_VERSION_NUMBER(3)|OPENSSL_VERSION_NUMBER(3)> =item INPUT/OUTPUT, DATA ENCODING L<asn1(3)|asn1(3)>, L<bio(3)|bio(3)>, L<evp(3)|evp(3)>, L<pem(3)|pem(3)>, -L<pkcs7(3)|pkcs7(3)>, L<pkcs12(3)|pkcs12(3)> +L<pkcs7(3)|pkcs7(3)>, L<pkcs12(3)|pkcs12(3)> =item INTERNAL FUNCTIONS L<bn(3)|bn(3)>, L<buffer(3)|buffer(3)>, L<lhash(3)|lhash(3)>, L<objects(3)|objects(3)>, L<stack(3)|stack(3)>, -L<txt_db(3)|txt_db(3)> +L<txt_db(3)|txt_db(3)> =back diff --git a/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod b/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod index 6ebd30427b8..c80e311d044 100644 --- a/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod +++ b/lib/libssl/src/doc/crypto/d2i_DSAPublicKey.pod @@ -9,6 +9,7 @@ and parsing functions. =head1 SYNOPSIS #include <openssl/dsa.h> + #include <openssl/x509.h> DSA * d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length); @@ -35,8 +36,8 @@ and parsing functions. d2i_DSAPublicKey() and i2d_DSAPublicKey() decode and encode the DSA public key components structure. -d2i_DSA_PUKEY() and i2d_DSA_PUKEY() decode and encode an DSA public key using a -SubjectPublicKeyInfo (certificate public key) structure. +d2i_DSA_PUBKEY() and i2d_DSA_PUBKEY() decode and encode an DSA public key using +a SubjectPublicKeyInfo (certificate public key) structure. d2i_DSAPrivateKey(), i2d_DSAPrivateKey() decode and encode the DSA private key components. @@ -55,7 +56,7 @@ i2d_X509() described in the L<d2i_X509(3)|d2i_X509(3)> manual page. The B<DSA> structure passed to the private key encoding functions should have all the private key components present. -The data encoded by the private key functions is unencrypted and therefore +The data encoded by the private key functions is unencrypted and therefore offers no private key security. The B<DSA_PUBKEY> functions should be used in preference to the B<DSAPublicKey> diff --git a/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod b/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod index a54b7790884..466f99ab421 100644 --- a/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod +++ b/lib/libssl/src/doc/crypto/d2i_PKCS8PrivateKey.pod @@ -41,7 +41,7 @@ corresponding B<PEM> function as described in the L<pem(3)|pem(3)> manual page. Before using these functions L<OpenSSL_add_all_algorithms(3)|OpenSSL_add_all_algorithms(3)> should be called to initialize the internal algorithm lookup tables otherwise errors about -unknown algorithms will occur if an attempt is made to decrypt a private key. +unknown algorithms will occur if an attempt is made to decrypt a private key. These functions are currently the only way to store encrypted private keys using DER format. diff --git a/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod b/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod index aa6078bcf6b..1711dc038fd 100644 --- a/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod +++ b/lib/libssl/src/doc/crypto/d2i_RSAPublicKey.pod @@ -49,8 +49,8 @@ i2d_X509() described in the L<d2i_X509(3)|d2i_X509(3)> manual page. The B<RSA> structure passed to the private key encoding functions should have all the PKCS#1 private key components present. -The data encoded by the private key functions is unencrypted and therefore -offers no private key security. +The data encoded by the private key functions is unencrypted and therefore +offers no private key security. The NET format functions are present to provide compatibility with certain very old software. This format has some severe security weaknesses and should be diff --git a/lib/libssl/src/doc/crypto/d2i_X509.pod b/lib/libssl/src/doc/crypto/d2i_X509.pod index 5e3c3d09857..e212014ac8e 100644 --- a/lib/libssl/src/doc/crypto/d2i_X509.pod +++ b/lib/libssl/src/doc/crypto/d2i_X509.pod @@ -9,34 +9,34 @@ i2d_X509_fp - X509 encode and decode functions #include <openssl/x509.h> - X509 *d2i_X509(X509 **px, unsigned char **in, int len); + X509 *d2i_X509(X509 **px, const unsigned char **in, int len); int i2d_X509(X509 *x, unsigned char **out); X509 *d2i_X509_bio(BIO *bp, X509 **x); X509 *d2i_X509_fp(FILE *fp, X509 **x); - int i2d_X509_bio(X509 *x, BIO *bp); - int i2d_X509_fp(X509 *x, FILE *fp); + int i2d_X509_bio(BIO *bp, X509 *x); + int i2d_X509_fp(FILE *fp, X509 *x); =head1 DESCRIPTION The X509 encode and decode routines encode and parse an B<X509> structure, which represents an X509 certificate. -d2i_X509() attempts to decode B<len> bytes at B<*out>. If +d2i_X509() attempts to decode B<len> bytes at B<*in>. If successful a pointer to the B<X509> structure is returned. If an error occurred then B<NULL> is returned. If B<px> is not B<NULL> then the returned structure is written to B<*px>. If B<*px> is not B<NULL> then it is assumed that B<*px> contains a valid B<X509> structure and an attempt is made to reuse it. If the call is -successful B<*out> is incremented to the byte following the +successful B<*in> is incremented to the byte following the parsed data. i2d_X509() encodes the structure pointed to by B<x> into DER format. If B<out> is not B<NULL> is writes the DER encoded data to the buffer at B<*out>, and increments it to point after the data just written. If the return value is negative an error occurred, otherwise it -returns the length of the encoded data. +returns the length of the encoded data. For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be allocated for a buffer and the encoded data written to it. In this @@ -194,7 +194,7 @@ happen. =head1 BUGS -In some versions of OpenSSL the "reuse" behaviour of d2i_X509() when +In some versions of OpenSSL the "reuse" behaviour of d2i_X509() when B<*px> is valid is broken and some parts of the reused structure may persist if they are not present in the new one. As a result the use of this "reuse" behaviour is strongly discouraged. @@ -210,14 +210,14 @@ always succeed. d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure or B<NULL> if an error occurs. The error code that can be obtained by -L<ERR_get_error(3)|ERR_get_error(3)>. +L<ERR_get_error(3)|ERR_get_error(3)>. -i2d_X509(), i2d_X509_bio() and i2d_X509_fp() return a the number of bytes -successfully encoded or a negative value if an error occurs. The error code -can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. +i2d_X509() returns the number of bytes successfully encoded or a negative +value if an error occurs. The error code can be obtained by +L<ERR_get_error(3)|ERR_get_error(3)>. -i2d_X509_bio() and i2d_X509_fp() returns 1 for success and 0 if an error -occurs The error code can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. +i2d_X509_bio() and i2d_X509_fp() return 1 for success and 0 if an error +occurs The error code can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. =head1 SEE ALSO diff --git a/lib/libssl/src/doc/crypto/dh.pod b/lib/libssl/src/doc/crypto/dh.pod index c3ccd062078..97aaa75731e 100644 --- a/lib/libssl/src/doc/crypto/dh.pod +++ b/lib/libssl/src/doc/crypto/dh.pod @@ -73,6 +73,6 @@ L<DH_set_method(3)|DH_set_method(3)>, L<DH_new(3)|DH_new(3)>, L<DH_get_ex_new_index(3)|DH_get_ex_new_index(3)>, L<DH_generate_parameters(3)|DH_generate_parameters(3)>, L<DH_compute_key(3)|DH_compute_key(3)>, L<d2i_DHparams(3)|d2i_DHparams(3)>, -L<RSA_print(3)|RSA_print(3)> +L<RSA_print(3)|RSA_print(3)> =cut diff --git a/lib/libssl/src/doc/crypto/ecdsa.pod b/lib/libssl/src/doc/crypto/ecdsa.pod index 49b10f22499..92c3f4fa048 100644 --- a/lib/libssl/src/doc/crypto/ecdsa.pod +++ b/lib/libssl/src/doc/crypto/ecdsa.pod @@ -11,12 +11,12 @@ ecdsa - Elliptic Curve Digital Signature Algorithm ECDSA_SIG* ECDSA_SIG_new(void); void ECDSA_SIG_free(ECDSA_SIG *sig); int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp); - ECDSA_SIG* d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, + ECDSA_SIG* d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, long len); ECDSA_SIG* ECDSA_do_sign(const unsigned char *dgst, int dgst_len, EC_KEY *eckey); - ECDSA_SIG* ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, + ECDSA_SIG* ECDSA_do_sign_ex(const unsigned char *dgst, int dgstlen, const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey); int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, @@ -28,7 +28,7 @@ ecdsa - Elliptic Curve Digital Signature Algorithm unsigned int *siglen, EC_KEY *eckey); int ECDSA_sign_ex(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, - unsigned int *siglen, const BIGNUM *kinv, + unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey); int ECDSA_verify(int type, const unsigned char *dgst, int dgstlen, const unsigned char *sig, @@ -65,7 +65,7 @@ ECDSA_SIG_free() frees the B<ECDSA_SIG> structure B<sig>. i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature B<sig> and writes the encoded signature to B<*pp> (note: if B<pp> -is NULL B<i2d_ECDSA_SIG> returns the expected length in bytes of +is NULL B<i2d_ECDSA_SIG> returns the expected length in bytes of the DER encoded signature). B<i2d_ECDSA_SIG> returns the length of the DER encoded signature (or 0 on error). @@ -95,7 +95,7 @@ is ignored. ECDSA_verify() verifies that the signature in B<sig> of size B<siglen> is a valid ECDSA signature of the hash value -value B<dgst> of size B<dgstlen> using the public key B<eckey>. +B<dgst> of size B<dgstlen> using the public key B<eckey>. The parameter B<type> is ignored. ECDSA_do_sign() is wrapper function for ECDSA_do_sign_ex with B<kinv> @@ -114,7 +114,7 @@ using the public key B<eckey>. ECDSA_size() returns the maximum length signature or 0 on error. -ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1 +ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or 0 on error. ECDSA_verify() and ECDSA_do_verify() return 1 for a valid @@ -131,23 +131,19 @@ specific) int ret; ECDSA_SIG *sig; - EC_KEY *eckey = EC_KEY_new(); + EC_KEY *eckey; + eckey = EC_KEY_new_by_curve_name(NID_secp192k1); if (eckey == NULL) { /* error */ } - key->group = EC_GROUP_new_by_nid(NID_secp192k1); - if (key->group == NULL) - { - /* error */ - } if (!EC_KEY_generate_key(eckey)) { /* error */ } -Second step: compute the ECDSA signature of a SHA-1 hash value -using B<ECDSA_do_sign> +Second step: compute the ECDSA signature of a SHA-1 hash value +using B<ECDSA_do_sign> sig = ECDSA_do_sign(digest, 20, eckey); if (sig == NULL) diff --git a/lib/libssl/src/doc/crypto/evp.pod b/lib/libssl/src/doc/crypto/evp.pod index 9faa349243a..33ce7cb6d67 100644 --- a/lib/libssl/src/doc/crypto/evp.pod +++ b/lib/libssl/src/doc/crypto/evp.pod @@ -37,7 +37,7 @@ implementations. For more information, consult the engine(3) man page. Although low level algorithm specific functions exist for many algorithms their use is discouraged. They cannot be used with an ENGINE and ENGINE versions of new algorithms cannot be accessed using the low level functions. -Also makes code harder to adapt to new algorithms and some options are not +Also makes code harder to adapt to new algorithms and some options are not cleanly supported at the low level and some operations are more efficient using the high level interface. diff --git a/lib/libssl/src/doc/crypto/lhash.pod b/lib/libssl/src/doc/crypto/lhash.pod index 73a19b6c7e5..b5c8a102825 100644 --- a/lib/libssl/src/doc/crypto/lhash.pod +++ b/lib/libssl/src/doc/crypto/lhash.pod @@ -168,7 +168,7 @@ that is provided by the caller): /* Print out the entire hashtable to a particular BIO */ lh_STUFF_doall_arg(hashtable, LHASH_DOALL_ARG_FN(STUFF_print), BIO, logging_bio); - + lh_<type>_error() can be used to determine if an error occurred in the last operation. lh_<type>_error() is a macro. @@ -293,7 +293,7 @@ This manpage is derived from the SSLeay documentation. In OpenSSL 0.9.7, all lhash functions that were passed function pointers were changed for better type safety, and the function types LHASH_COMP_FN_TYPE, -LHASH_HASH_FN_TYPE, LHASH_DOALL_FN_TYPE and LHASH_DOALL_ARG_FN_TYPE +LHASH_HASH_FN_TYPE, LHASH_DOALL_FN_TYPE and LHASH_DOALL_ARG_FN_TYPE became available. In OpenSSL 1.0.0, the lhash interface was revamped for even better diff --git a/lib/libssl/src/doc/crypto/rsa.pod b/lib/libssl/src/doc/crypto/rsa.pod index 45ac53ffc14..829ce24701d 100644 --- a/lib/libssl/src/doc/crypto/rsa.pod +++ b/lib/libssl/src/doc/crypto/rsa.pod @@ -18,7 +18,7 @@ rsa - RSA public key cryptosystem unsigned char *to, RSA *rsa, int padding); int RSA_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa,int padding); - int RSA_public_decrypt(int flen, unsigned char *from, + int RSA_public_decrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa,int padding); int RSA_sign(int type, unsigned char *m, unsigned int m_len, @@ -118,6 +118,6 @@ L<RSA_set_method(3)|RSA_set_method(3)>, L<RSA_print(3)|RSA_print(3)>, L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>, L<RSA_private_encrypt(3)|RSA_private_encrypt(3)>, L<RSA_sign_ASN1_OCTET_STRING(3)|RSA_sign_ASN1_OCTET_STRING(3)>, -L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> +L<RSA_padding_add_PKCS1_type_1(3)|RSA_padding_add_PKCS1_type_1(3)> =cut |