diff options
| author | Shigeki Ohtsu <ohtsu@ohtsu.org> | 2018-08-14 23:11:54 +0900 |
|---|---|---|
| committer | Rod Vagg <rod@vagg.org> | 2018-08-16 11:52:37 +1000 |
| commit | 6090e1f54d8e6e8c4ba18091e19faf46c0b09ece (patch) | |
| tree | a2d2fb7b4b4a5e365ac4b6515cf4d7a5c8262d23 /deps/openssl/openssl/doc/crypto | |
| parent | 32902d09b43e9d7f19eb6178ef5db835652d97c1 (diff) | |
| download | android-node-v8-6090e1f54d8e6e8c4ba18091e19faf46c0b09ece.tar.gz android-node-v8-6090e1f54d8e6e8c4ba18091e19faf46c0b09ece.tar.bz2 android-node-v8-6090e1f54d8e6e8c4ba18091e19faf46c0b09ece.zip | |
deps: upgrade openssl sources to 1.1.0i
This updates all sources in deps/openssl/openssl with openssl-1.1.0i.
PR-URL: https://github.com/nodejs/node/pull/22318
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Diffstat (limited to 'deps/openssl/openssl/doc/crypto')
32 files changed, 466 insertions, 87 deletions
diff --git a/deps/openssl/openssl/doc/crypto/ASN1_INTEGER_get_int64.pod b/deps/openssl/openssl/doc/crypto/ASN1_INTEGER_get_int64.pod index f61268d6ac..d0a6a3c810 100644 --- a/deps/openssl/openssl/doc/crypto/ASN1_INTEGER_get_int64.pod +++ b/deps/openssl/openssl/doc/crypto/ASN1_INTEGER_get_int64.pod @@ -11,10 +11,10 @@ ASN1_INTEGER_get_int64, ASN1_INTEGER_get, ASN1_INTEGER_set_int64, ASN1_INTEGER_s #include <openssl/asn1.h> int ASN1_INTEGER_get_int64(int64_t *pr, const ASN1_INTEGER *a); - int ASN1_INTEGER_get(const ASN1_INTEGER *a, long v); + long ASN1_INTEGER_get(const ASN1_INTEGER *a); int ASN1_INTEGER_set_int64(ASN1_INTEGER *a, int64_t r); - long ASN1_INTEGER_set(const ASN1_INTEGER *a); + int ASN1_INTEGER_set(const ASN1_INTEGER *a, long v); int ASN1_INTEGER_get_uint64(uint64_t *pr, const ASN1_INTEGER *a); int ASN1_INTEGER_set_uint64(ASN1_INTEGER *a, uint64_t r); @@ -123,7 +123,7 @@ were added to OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/BIO_meth_new.pod b/deps/openssl/openssl/doc/crypto/BIO_meth_new.pod index f682c37d17..89179a46e7 100644 --- a/deps/openssl/openssl/doc/crypto/BIO_meth_new.pod +++ b/deps/openssl/openssl/doc/crypto/BIO_meth_new.pod @@ -17,26 +17,26 @@ BIO_meth_set_callback_ctrl - Routines to build up BIO methods int BIO_get_new_index(void); BIO_METHOD *BIO_meth_new(int type, const char *name); void BIO_meth_free(BIO_METHOD *biom); - int (*BIO_meth_get_write(BIO_METHOD *biom)) (BIO *, const char *, int); + int (*BIO_meth_get_write(const BIO_METHOD *biom)) (BIO *, const char *, int); int BIO_meth_set_write(BIO_METHOD *biom, int (*write) (BIO *, const char *, int)); - int (*BIO_meth_get_read(BIO_METHOD *biom)) (BIO *, char *, int); + int (*BIO_meth_get_read(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_read(BIO_METHOD *biom, int (*read) (BIO *, char *, int)); - int (*BIO_meth_get_puts(BIO_METHOD *biom)) (BIO *, const char *); + int (*BIO_meth_get_puts(const BIO_METHOD *biom)) (BIO *, const char *); int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts) (BIO *, const char *)); - int (*BIO_meth_get_gets(BIO_METHOD *biom)) (BIO *, char *, int); + int (*BIO_meth_get_gets(const BIO_METHOD *biom)) (BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, int (*gets) (BIO *, char *, int)); - long (*BIO_meth_get_ctrl(BIO_METHOD *biom)) (BIO *, int, long, void *); + long (*BIO_meth_get_ctrl(const BIO_METHOD *biom)) (BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl) (BIO *, int, long, void *)); - int (*BIO_meth_get_create(BIO_METHOD *bion)) (BIO *); + int (*BIO_meth_get_create(const BIO_METHOD *bion)) (BIO *); int BIO_meth_set_create(BIO_METHOD *biom, int (*create) (BIO *)); - int (*BIO_meth_get_destroy(BIO_METHOD *biom)) (BIO *); + int (*BIO_meth_get_destroy(const BIO_METHOD *biom)) (BIO *); int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy) (BIO *)); - long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom)) + long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom)) (BIO *, int, BIO_info_cb *); int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, long (*callback_ctrl) (BIO *, int, @@ -121,7 +121,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/BN_add.pod b/deps/openssl/openssl/doc/crypto/BN_add.pod index db3b0d45b4..b2c5dd2cc5 100644 --- a/deps/openssl/openssl/doc/crypto/BN_add.pod +++ b/deps/openssl/openssl/doc/crypto/BN_add.pod @@ -92,7 +92,9 @@ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r> BN_mul(). BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p % -m>). This function uses less time and space than BN_exp(). +m>). This function uses less time and space than BN_exp(). Do not call this +function when B<m> is even and any of the parameters have the +B<BN_FLG_CONSTTIME> flag set. BN_gcd() computes the greatest common divisor of I<a> and I<b> and places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or @@ -117,7 +119,7 @@ L<BN_add_word(3)>, L<BN_set_bit(3)> =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/BN_bn2bin.pod b/deps/openssl/openssl/doc/crypto/BN_bn2bin.pod index ac46948477..c9ca33fd13 100644 --- a/deps/openssl/openssl/doc/crypto/BN_bn2bin.pod +++ b/deps/openssl/openssl/doc/crypto/BN_bn2bin.pod @@ -55,8 +55,8 @@ freed later using OPENSSL_free(). BN_hex2bn() takes as many characters as possible from the string B<str>, including the leading character '-' which means negative, to form a valid hexadecimal number representation and converts them to a B<BIGNUM> and -stores it in **B<bn>. If *B<bn> is NULL, a new B<BIGNUM> is created. If -B<bn> is NULL, it only computes the length of valid representation. +stores it in **B<a>. If *B<a> is NULL, a new B<BIGNUM> is created. If +B<a> is NULL, it only computes the length of valid representation. A "negative zero" is converted to zero. BN_dec2bn() is the same using the decimal system. @@ -106,7 +106,7 @@ L<BN_num_bytes(3)> =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/BN_generate_prime.pod b/deps/openssl/openssl/doc/crypto/BN_generate_prime.pod index c97536b5c4..4cd667e2e3 100644 --- a/deps/openssl/openssl/doc/crypto/BN_generate_prime.pod +++ b/deps/openssl/openssl/doc/crypto/BN_generate_prime.pod @@ -100,7 +100,17 @@ If B<do_trial_division == 0>, this test is skipped. Both BN_is_prime_ex() and BN_is_prime_fasttest_ex() perform a Miller-Rabin probabilistic primality test with B<nchecks> iterations. If B<nchecks == BN_prime_checks>, a number of iterations is used that -yields a false positive rate of at most 2^-80 for random input. +yields a false positive rate of at most 2^-64 for random input. +The error rate depends on the size of the prime and goes down for bigger primes. +The rate is 2^-80 starting at 308 bits, 2^-112 at 852 bits, 2^-128 at 1080 bits, +2^-192 at 3747 bits and 2^-256 at 6394 bits. + +When the source of the prime is not random or not trusted, the number +of checks needs to be much higher to reach the same level of assurance: +It should equal half of the targeted security level in bits (rounded up to the +next integer if necessary). +For instance, to reach the 128 bit security level, B<nchecks> should be set to +64. If B<cb> is not B<NULL>, B<BN_GENCB_call(cb, 1, j)> is called after the j-th iteration (j = 0, 1, ...). B<ctx> is a @@ -184,7 +194,7 @@ and BN_GENCB_get_arg() were added in OpenSSL 1.1.0 =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/CMS_encrypt.pod b/deps/openssl/openssl/doc/crypto/CMS_encrypt.pod index 0ed42628c3..cbd5a21353 100644 --- a/deps/openssl/openssl/doc/crypto/CMS_encrypt.pod +++ b/deps/openssl/openssl/doc/crypto/CMS_encrypt.pod @@ -18,9 +18,8 @@ B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags. =head1 NOTES -Only certificates carrying RSA keys are supported so the recipient certificates -supplied to this function must all contain RSA public keys, though they do not -have to be signed using the RSA algorithm. +Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this +function. EVP_des_ede3_cbc() (triple DES) is the algorithm of choice for S/MIME use because most clients will support it. @@ -94,7 +93,7 @@ The B<CMS_STREAM> flag was first supported in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/CMS_get0_SignerInfos.pod b/deps/openssl/openssl/doc/crypto/CMS_get0_SignerInfos.pod index e5532c96f4..cea088857a 100644 --- a/deps/openssl/openssl/doc/crypto/CMS_get0_SignerInfos.pod +++ b/deps/openssl/openssl/doc/crypto/CMS_get0_SignerInfos.pod @@ -54,7 +54,7 @@ CMS_SignerInfo_set1_signer_cert(). Once all signer certificates have been set CMS_verify() can be used. -Although CMS_get0_SignerInfos() can return NULL is an error occur B<or> if +Although CMS_get0_SignerInfos() can return NULL if an error occurs B<or> if there are no signers this is not a problem in practice because the only error which can occur is if the B<cms> structure is not of type signedData due to application error. @@ -79,7 +79,7 @@ L<ERR_get_error(3)>, L<CMS_verify(3)> =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod b/deps/openssl/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod index 79f5f4232d..cb961be797 100644 --- a/deps/openssl/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod +++ b/deps/openssl/openssl/doc/crypto/CMS_get1_ReceiptRequest.pod @@ -48,7 +48,7 @@ CMS_verify(). CMS_ReceiptRequest_create0() returns a signed receipt request structure or NULL if an error occurred. -CMS_add1_ReceiptRequest() returns 1 for success or 0 is an error occurred. +CMS_add1_ReceiptRequest() returns 1 for success or 0 if an error occurred. CMS_get1_ReceiptRequest() returns 1 is a signed receipt request is found and decoded. It returns 0 if a signed receipt request is not present and -1 if @@ -62,7 +62,7 @@ L<CMS_verify_receipt(3)> =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/DH_meth_new.pod b/deps/openssl/openssl/doc/crypto/DH_meth_new.pod index d768da8c6e..ef0a80b195 100644 --- a/deps/openssl/openssl/doc/crypto/DH_meth_new.pod +++ b/deps/openssl/openssl/doc/crypto/DH_meth_new.pod @@ -19,7 +19,7 @@ DH_meth_set_generate_params - Routines to build up DH methods DH_METHOD *DH_meth_dup(const DH_METHOD *dhm); const char *DH_meth_get0_name(const DH_METHOD *dhm); int DH_meth_set1_name(DH_METHOD *dhm, const char *name); - int DH_meth_get_flags(DH_METHOD *dhm); + int DH_meth_get_flags(const DH_METHOD *dhm); int DH_meth_set_flags(DH_METHOD *dhm, int flags); void *DH_meth_get0_app_data(const DH_METHOD *dhm); int DH_meth_set0_app_data(DH_METHOD *dhm, void *app_data); @@ -146,7 +146,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/DSA_meth_new.pod b/deps/openssl/openssl/doc/crypto/DSA_meth_new.pod index 948ab29b58..8ebf7ab6bc 100644 --- a/deps/openssl/openssl/doc/crypto/DSA_meth_new.pod +++ b/deps/openssl/openssl/doc/crypto/DSA_meth_new.pod @@ -21,7 +21,7 @@ DSA_meth_set_keygen - Routines to build up DSA methods DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth); const char *DSA_meth_get0_name(const DSA_METHOD *dsam); int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name); - int DSA_meth_get_flags(DSA_METHOD *dsam); + int DSA_meth_get_flags(const DSA_METHOD *dsam); int DSA_meth_set_flags(DSA_METHOD *dsam, int flags); void *DSA_meth_get0_app_data(const DSA_METHOD *dsam); int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data); @@ -183,7 +183,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/DSA_sign.pod b/deps/openssl/openssl/doc/crypto/DSA_sign.pod index ba0f6b863e..b91f89f073 100644 --- a/deps/openssl/openssl/doc/crypto/DSA_sign.pod +++ b/deps/openssl/openssl/doc/crypto/DSA_sign.pod @@ -24,13 +24,12 @@ digest B<dgst> using the private key B<dsa> and places its ASN.1 DER encoding at B<sigret>. The length of the signature is places in *B<siglen>. B<sigret> must point to DSA_size(B<dsa>) bytes of memory. -DSA_sign_setup() may be used to precompute part of the signing -operation in case signature generation is time-critical. It expects -B<dsa> to contain DSA parameters. It places the precomputed values -in newly allocated B<BIGNUM>s at *B<kinvp> and *B<rp>, after freeing -the old ones unless *B<kinvp> and *B<rp> are NULL. These values may -be passed to DSA_sign() in B<dsa-E<gt>kinv> and B<dsa-E<gt>r>. -B<ctx> is a pre-allocated B<BN_CTX> or NULL. +DSA_sign_setup() is defined only for backward binary compatibility and +should not be used. +Since OpenSSL 1.1.0 the DSA type is opaque and the output of +DSA_sign_setup() cannot be used anyway: calling this function will only +cause overhead, and does not affect the actual signature +(pre-)computation. DSA_verify() verifies that the signature B<sigbuf> of size B<siglen> matches a given message digest B<dgst> of size B<len>. @@ -60,7 +59,7 @@ L<DSA_do_sign(3)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/ECDSA_SIG_new.pod b/deps/openssl/openssl/doc/crypto/ECDSA_SIG_new.pod index 9e1f662c62..f544ccbb32 100644 --- a/deps/openssl/openssl/doc/crypto/ECDSA_SIG_new.pod +++ b/deps/openssl/openssl/doc/crypto/ECDSA_SIG_new.pod @@ -114,6 +114,8 @@ returned as a newly allocated B<ECDSA_SIG> structure (or NULL on error). =head1 RETURN VALUES +ECDSA_SIG_new() returns NULL if the allocation fails. + ECDSA_SIG_set0() returns 1 on success or 0 on failure. ECDSA_size() returns the maximum length signature or 0 on error. @@ -197,7 +199,7 @@ L<EVP_DigestVerifyInit(3)> =head1 COPYRIGHT -Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod b/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod index bb7ef7a28f..1dc76cbdf8 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod @@ -3,11 +3,12 @@ =head1 NAME EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy_ex, +EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestInit, EVP_DigestFinal, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, -EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_md_null, EVP_md2, EVP_md5, EVP_sha1, -EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_mdc2, +EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_MD_CTX_md_data, EVP_md_null, EVP_md2, +EVP_md5, EVP_sha1, EVP_sha224, EVP_sha256, EVP_sha384, EVP_sha512, EVP_mdc2, EVP_ripemd160, EVP_blake2b512, EVP_blake2s256, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines @@ -18,6 +19,9 @@ EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines EVP_MD_CTX *EVP_MD_CTX_new(void); int EVP_MD_CTX_reset(EVP_MD_CTX *ctx); void EVP_MD_CTX_free(EVP_MD_CTX *ctx); + void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); + void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); + int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags); int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); @@ -41,6 +45,7 @@ EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines int EVP_MD_CTX_size(const EVP_MD *ctx); int EVP_MD_CTX_block_size(const EVP_MD *ctx); int EVP_MD_CTX_type(const EVP_MD *ctx); + void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); const EVP_MD *EVP_md_null(void); const EVP_MD *EVP_md2(void); @@ -73,6 +78,9 @@ to reuse an already existing context. EVP_MD_CTX_free() cleans up digest context B<ctx> and frees up the space allocated to it. +EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags() +sets, clears and tests B<ctx> flags. See L</FLAGS> below for more information. + EVP_DigestInit_ex() sets up digest context B<ctx> to use a digest B<type> from ENGINE B<impl>. B<ctx> must be initialized before calling this function. B<type> will typically be supplied by a function such as EVP_sha1(). @@ -117,6 +125,11 @@ representing the given message digest when passed an B<EVP_MD> structure. For example EVP_MD_type(EVP_sha1()) returns B<NID_sha1>. This function is normally used when setting ASN1 OIDs. +EVP_MD_CTX_md_data() return the digest method private data for the passed +B<EVP_MD_CTX>. +The space is allocated by OpenSSL and has the size originally set with +EVP_MD_meth_set_app_datasize(). + EVP_MD_CTX_md() returns the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>. @@ -139,6 +152,38 @@ EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj() return an B<EVP_MD> structure when passed a digest name, a digest NID or an ASN1_OBJECT structure respectively. +=head1 FLAGS + +EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags() +can be used the manipulate and test these B<EVP_MD_CTX> flags: + +=over 4 + +=item EVP_MD_CTX_FLAG_ONESHOT + +This flag instructs the digest to optimize for one update only, if possible. + +=for comment EVP_MD_CTX_FLAG_CLEANED is internal, don't mention it + +=for comment EVP_MD_CTX_FLAG_REUSE is internal, don't mention it + +=for comment We currently avoid documenting flags that are only bit holder: +EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, EVP_MD_CTX_FLAGS_PAD_* + +=item EVP_MD_CTX_FLAG_NO_INIT + +This flag instructs EVP_DigestInit() and similar not to initialise the +implementation specific data. + +=item EVP_MD_CTX_FLAG_FINALISE + +Some functions such as EVP_DigestSign only finalise copies of internal +contexts so additional data can be included after the finalisation call. +This is inefficient if this functionality is not required, and can be +disabled with this flag. + +=back + =head1 RETURN VALUES EVP_DigestInit_ex(), EVP_DigestUpdate() and EVP_DigestFinal_ex() return 1 for @@ -249,7 +294,7 @@ was removed in OpenSSL 1.1.0 =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod b/deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod index 7ec06b7a27..5fadc82e6a 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod @@ -21,7 +21,48 @@ EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from ENGINE B<impl> and private key B<pkey>. B<ctx> must be created with EVP_MD_CTX_new() before calling this function. If B<pctx> is not NULL the EVP_PKEY_CTX of the signing operation will be written to B<*pctx>: this can -be used to set alternative signing options. +be used to set alternative signing options. The digest B<type> may be NULL if +the signing algorithm supports it. + +Only EVP_PKEY types that support signing can be used with these functions. This +includes MAC algorithms where the MAC generation is considered as a form of +"signing." Built-in EVP_PKEY types supported by these functions are CMAC, DSA, +ECDSA, HMAC and RSA. + +Not all digests can be used for all key types. The following combinations apply. + +=over 4 + +=item DSA + +Supports SHA1, SHA224, SHA256, SHA384 and SHA512 + +=item ECDSA + +Supports SHA1, SHA224, SHA256, SHA384 and SHA512 + +=item RSA with no padding + +Supports no digests (the digest B<type> must be NULL) + +=item RSA with X931 padding + +Supports SHA1, SHA256, SHA384 and SHA512 + +=item All other RSA padding types + +Support SHA1, SHA224, SHA256, SHA384, SHA512, MD5, MD5_SHA1, MD2, MD4, MDC2, +RIPEMD160 + +=item HMAC + +Supports any digest + +=item CMAC + +Will ignore any digest provided. + +=back EVP_DigestSignUpdate() hashes B<cnt> bytes of data at B<d> into the signature context B<ctx>. This function can be called several times on the @@ -86,7 +127,7 @@ were first added to OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod index 61e0eec528..459e7a02ff 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_hkdf_md.pod @@ -59,7 +59,7 @@ All these functions are implemented as macros. A context for HKDF can be obtained by calling: - EVP_PKEY_CTX *pctx = EVP_PKEY_new_id(EVP_PKEY_HKDF, NULL); + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL); The digest, key, salt and info values must be set before a key is derived or an error occurs. @@ -118,7 +118,7 @@ L<EVP_PKEY_derive(3)> =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod index f1f0ae4fbe..fe35a5ece8 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod @@ -50,7 +50,7 @@ All these functions are implemented as macros. A context for the TLS PRF can be obtained by calling: - EVP_PKEY_CTX *pctx = EVP_PKEY_new_id(EVP_PKEY_TLS1_PRF, NULL); + EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL); The digest, secret value and seed must be set before a key is derived or an error occurs. @@ -98,7 +98,7 @@ L<EVP_PKEY_derive(3)> =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_asn1_get_count.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_asn1_get_count.pod index a190f5e9ab..9ad2daed4f 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_asn1_get_count.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_asn1_get_count.pod @@ -48,7 +48,7 @@ engine that implements it. EVP_PKEY_asn1_get0_info() returns the public key ID, base public key ID (both NIDs), any flags, the method description and PEM type string -associated with the public key ASN.1 method B<*ameth>. +associated with the public key ASN.1 method B<*ameth>. EVP_PKEY_asn1_count(), EVP_PKEY_asn1_get0(), EVP_PKEY_asn1_find() and EVP_PKEY_asn1_find_str() are not thread safe, but as long as all diff --git a/deps/openssl/openssl/doc/crypto/OBJ_nid2obj.pod b/deps/openssl/openssl/doc/crypto/OBJ_nid2obj.pod index 3ada6679cf..c84adb2e46 100644 --- a/deps/openssl/openssl/doc/crypto/OBJ_nid2obj.pod +++ b/deps/openssl/openssl/doc/crypto/OBJ_nid2obj.pod @@ -54,7 +54,7 @@ constants. OBJ_nid2obj(), OBJ_nid2ln() and OBJ_nid2sn() convert the NID B<n> to an ASN1_OBJECT structure, its long name and its short name respectively, -or B<NULL> is an error occurred. +or B<NULL> if an error occurred. OBJ_obj2nid(), OBJ_ln2nid(), OBJ_sn2nid() return the corresponding NID for the object B<o>, the long name <ln> or the short name <sn> respectively @@ -188,7 +188,7 @@ OBJ_cleanup() was deprecated in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/OCSP_resp_find_status.pod b/deps/openssl/openssl/doc/crypto/OCSP_resp_find_status.pod index 5123f0ad6d..e014df500b 100644 --- a/deps/openssl/openssl/doc/crypto/OCSP_resp_find_status.pod +++ b/deps/openssl/openssl/doc/crypto/OCSP_resp_find_status.pod @@ -7,7 +7,8 @@ OCSP_resp_get0_signer, OCSP_resp_get0_id, OCSP_resp_get0_produced_at, OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find, -OCSP_single_get0_status, OCSP_check_validity +OCSP_single_get0_status, OCSP_check_validity, +OCSP_basic_verify - OCSP response utility functions =head1 SYNOPSIS @@ -44,6 +45,9 @@ OCSP_single_get0_status, OCSP_check_validity ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); + int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags); + =head1 DESCRIPTION OCSP_resp_find_status() searches B<bs> for an OCSP response for B<id>. If it is @@ -93,6 +97,27 @@ OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds leeway should be allowed in the check. If B<maxsec> is positive it indicates the maximum age of B<thisupd> in seconds. +OCSP_basic_verify() checks that the basic response message B<bs> is correctly +signed and that the signer certificate can be validated. It takes B<st> as +the trusted store and B<certs> as a set of untrusted intermediate certificates. +The function first tries to find the signer certificate of the response +in <certs>. It also searches the certificates the responder may have included +in B<bs> unless the B<flags> contain B<OCSP_NOINTERN>. +It fails if the signer certificate cannot be found. +Next, the function checks the signature of B<bs> and fails on error +unless the B<flags> contain B<OCSP_NOSIGS>. Then the function already returns +success if the B<flags> contain B<OCSP_NOVERIFY> or if the signer certificate +was found in B<certs> and the B<flags> contain B<OCSP_TRUSTOTHER>. +Otherwise the function continues by validating the signer certificate. +To this end, all certificates in B<cert> and in B<bs> are considered as +untrusted certificates for the construction of the validation path for the +signer certificate unless the B<OCSP_NOCHAIN> flag is set. After successful path +validation the function returns success if the B<OCSP_NOCHECKS> flag is set. +Otherwise it verifies that the signer certificate meets the OCSP issuer +criteria including potential delegation. If this does not succeed and the +B<flags> do not contain B<OCSP_NOEXPLICIT> the function checks for explicit +trust for OCSP signing in the root CA certificate. + =head1 RETURN VALUES OCSP_resp_find_status() returns 1 if B<id> is found in B<bs> and 0 otherwise. @@ -112,6 +137,9 @@ occurred. OCSP_resp_get0_signer() returns 1 if the signing certificate was located, or 0 on error. +OCSP_basic_verify() returns 1 on success, 0 on error, or -1 on fatal error such +as malloc failure. + =head1 NOTES Applications will typically call OCSP_resp_find_status() using the certificate @@ -142,7 +170,7 @@ L<OCSP_sendreq_new(3)> =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/deps/openssl/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod index f50faec772..f5429d217e 100644 --- a/deps/openssl/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/deps/openssl/openssl/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -47,11 +47,6 @@ number was therefore 0x0090581f. OpenSSL_version_num() returns the version number. -The macro OPENSSL_VERSION_AT_LEAST(major,minor) can be used at compile -time test if the current version is at least as new as the version provided. -The arguments major, minor and fix correspond to the version information -as given above. - OpenSSL_version() returns different strings depending on B<t>: =over 4 diff --git a/deps/openssl/openssl/doc/crypto/OPENSSL_init_crypto.pod b/deps/openssl/openssl/doc/crypto/OPENSSL_init_crypto.pod index f0b3c8aa8d..f9664ee352 100644 --- a/deps/openssl/openssl/doc/crypto/OPENSSL_init_crypto.pod +++ b/deps/openssl/openssl/doc/crypto/OPENSSL_init_crypto.pod @@ -190,10 +190,10 @@ resources should be freed at an earlier time, or under the circumstances described in the NOTES section below. The B<OPENSSL_INIT_LOAD_CONFIG> flag will load a default configuration -file. To specify a different file, an B<OPENSSL_INIT_SETTINGS> must -be created and used. The routines -OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can be used to -allocate the object and set the application name, and then the +file. For optional configuration file settings, an B<OPENSSL_INIT_SETTINGS> +must be created and used. +The routines OPENSSL_init_new() and OPENSSL_INIT_set_config_appname() can +be used to allocate the object and set the application name, and then the object can be released with OPENSSL_INIT_free() when done. =head1 NOTES @@ -235,7 +235,7 @@ and OPENSSL_INIT_free() functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/OPENSSL_malloc.pod b/deps/openssl/openssl/doc/crypto/OPENSSL_malloc.pod index 2104f43108..ba5dc1069f 100644 --- a/deps/openssl/openssl/doc/crypto/OPENSSL_malloc.pod +++ b/deps/openssl/openssl/doc/crypto/OPENSSL_malloc.pod @@ -68,8 +68,8 @@ CRYPTO_mem_leaks, CRYPTO_mem_leaks_fp - Memory allocation functions int CRYPTO_mem_debug_push(const char *info, const char *file, int line); int CRYPTO_mem_debug_pop(void); - void CRYPTO_mem_leaks(BIO *b); - void CRYPTO_mem_leaks_fp(FILE *fp); + int CRYPTO_mem_leaks(BIO *b); + int CRYPTO_mem_leaks_fp(FILE *fp); =head1 DESCRIPTION @@ -197,7 +197,7 @@ only, say, the malloc() implementation is outright dangerous.> =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/PEM_read_bio_PrivateKey.pod b/deps/openssl/openssl/doc/crypto/PEM_read_bio_PrivateKey.pod index 6b3006ef35..b0ba62a3b3 100644 --- a/deps/openssl/openssl/doc/crypto/PEM_read_bio_PrivateKey.pod +++ b/deps/openssl/openssl/doc/crypto/PEM_read_bio_PrivateKey.pod @@ -294,7 +294,7 @@ for it twice) if B<rwflag> is 1. The B<u> parameter has the same value as the B<u> parameter passed to the PEM routine. It allows arbitrary data to be passed to the callback by the application (for example a window handle in a GUI application). The callback -B<must> return the number of characters in the passphrase or 0 if +B<must> return the number of characters in the passphrase or -1 if an error occurred. =head1 EXAMPLES @@ -348,17 +348,16 @@ Skeleton pass phrase callback: int pass_cb(char *buf, int size, int rwflag, void *u) { - int len; - char *tmp; /* We'd probably do something else if 'rwflag' is 1 */ printf("Enter pass phrase for \"%s\"\n", (char *)u); /* get pass phrase, length 'len' into 'tmp' */ - tmp = "hello"; - len = strlen(tmp); - if (len <= 0) - return 0; + char *tmp = "hello"; + if (tmp == NULL) /* An error occurred */ + return -1; + + size_t len = strlen(tmp); if (len > size) len = size; @@ -471,7 +470,7 @@ L<EVP_EncryptInit(3)>, L<EVP_BytesToKey(3)> =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/RSA_meth_new.pod b/deps/openssl/openssl/doc/crypto/RSA_meth_new.pod index 9970aa6b73..9c89426a9a 100644 --- a/deps/openssl/openssl/doc/crypto/RSA_meth_new.pod +++ b/deps/openssl/openssl/doc/crypto/RSA_meth_new.pod @@ -24,7 +24,7 @@ RSA_meth_set_verify, RSA_meth_get_keygen, RSA_meth_set_keygen RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); const char *RSA_meth_get0_name(const RSA_METHOD *meth); int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); - int RSA_meth_get_flags(RSA_METHOD *meth); + int RSA_meth_get_flags(const RSA_METHOD *meth); int RSA_meth_set_flags(RSA_METHOD *meth, int flags); void *RSA_meth_get0_app_data(const RSA_METHOD *meth); int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data); @@ -225,7 +225,7 @@ The functions described here were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/SMIME_read_PKCS7.pod b/deps/openssl/openssl/doc/crypto/SMIME_read_PKCS7.pod index 3eb8bbc9a0..c11090891a 100644 --- a/deps/openssl/openssl/doc/crypto/SMIME_read_PKCS7.pod +++ b/deps/openssl/openssl/doc/crypto/SMIME_read_PKCS7.pod @@ -57,7 +57,7 @@ streaming single pass option should be available. =head1 RETURN VALUES SMIME_read_PKCS7() returns a valid B<PKCS7> structure or B<NULL> -is an error occurred. The error can be obtained from ERR_get_error(3). +if an error occurred. The error can be obtained from ERR_get_error(3). =head1 SEE ALSO @@ -68,7 +68,7 @@ L<PKCS7_decrypt(3)> =head1 COPYRIGHT -Copyright 2002-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/UI_STRING.pod b/deps/openssl/openssl/doc/crypto/UI_STRING.pod index 8a0d9f2d25..340d9b2ae2 100644 --- a/deps/openssl/openssl/doc/crypto/UI_STRING.pod +++ b/deps/openssl/openssl/doc/crypto/UI_STRING.pod @@ -132,3 +132,4 @@ in the file LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>. =cut + diff --git a/deps/openssl/openssl/doc/crypto/X509_LOOKUP_hash_dir.pod b/deps/openssl/openssl/doc/crypto/X509_LOOKUP_hash_dir.pod index 5f8dfa93b0..4f2768d4f4 100644 --- a/deps/openssl/openssl/doc/crypto/X509_LOOKUP_hash_dir.pod +++ b/deps/openssl/openssl/doc/crypto/X509_LOOKUP_hash_dir.pod @@ -117,10 +117,11 @@ L<PEM_read_PrivateKey(3)>, L<X509_STORE_load_locations(3)>, L<X509_store_add_lookup(3)>, L<SSL_CTX_load_verify_locations(3)>, +L<X509_LOOKUP_meth_new(3)>, =head1 COPYRIGHT -Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/X509_LOOKUP_meth_new.pod b/deps/openssl/openssl/doc/crypto/X509_LOOKUP_meth_new.pod new file mode 100644 index 0000000000..fb165fd6ad --- /dev/null +++ b/deps/openssl/openssl/doc/crypto/X509_LOOKUP_meth_new.pod @@ -0,0 +1,189 @@ +=pod + +=head1 NAME + +X509_LOOKUP_meth_new, X509_LOOKUP_meth_free, X509_LOOKUP_meth_set_new_item, +X509_LOOKUP_meth_get_new_item, X509_LOOKUP_meth_set_free, +X509_LOOKUP_meth_get_free, X509_LOOKUP_meth_set_init, +X509_LOOKUP_meth_get_init, X509_LOOKUP_meth_set_shutdown, +X509_LOOKUP_meth_get_shutdown, +X509_LOOKUP_ctrl_fn, X509_LOOKUP_meth_set_ctrl, X509_LOOKUP_meth_get_ctrl, +X509_LOOKUP_get_by_subject_fn, X509_LOOKUP_meth_set_get_by_subject, +X509_LOOKUP_meth_get_get_by_subject, +X509_LOOKUP_get_by_issuer_serial_fn, X509_LOOKUP_meth_set_get_by_issuer_serial, +X509_LOOKUP_meth_get_get_by_issuer_serial, +X509_LOOKUP_get_by_fingerprint_fn, X509_LOOKUP_meth_set_get_by_fingerprint, +X509_LOOKUP_meth_get_get_by_fingerprint, +X509_LOOKUP_get_by_alias_fn, X509_LOOKUP_meth_set_get_by_alias, +X509_LOOKUP_meth_get_get_by_alias, +X509_LOOKUP_set_method_data, X509_LOOKUP_get_method_data, +X509_LOOKUP_get_store, X509_OBJECT_set1_X509, X509_OBJECT_set1_X509_CRL +- Routines to build up X509_LOOKUP methods + +=head1 SYNOPSIS + + #include <openssl/x509_vfy.h> + + X509_LOOKUP_METHOD *X509_LOOKUP_meth_new(const char *name); + void X509_LOOKUP_meth_free(X509_LOOKUP_METHOD *method); + + int X509_LOOKUP_meth_set_new_item(X509_LOOKUP_METHOD *method, + int (*new_item) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_new_item(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_free(X509_LOOKUP_METHOD *method, + void (*free) (X509_LOOKUP *ctx)); + void (*X509_LOOKUP_meth_get_free(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_init(X509_LOOKUP_METHOD *method, + int (*init) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_init(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + int X509_LOOKUP_meth_set_shutdown(X509_LOOKUP_METHOD *method, + int (*shutdown) (X509_LOOKUP *ctx)); + int (*X509_LOOKUP_meth_get_shutdown(const X509_LOOKUP_METHOD* method)) + (X509_LOOKUP *ctx); + + typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc, + long argl, char **ret); + int X509_LOOKUP_meth_set_ctrl(X509_LOOKUP_METHOD *method, + X509_LOOKUP_ctrl_fn ctrl_fn); + X509_LOOKUP_ctrl_fn X509_LOOKUP_meth_get_ctrl(const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_subject_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_subject(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_subject_fn fn); + X509_LOOKUP_get_by_subject_fn X509_LOOKUP_meth_get_get_by_subject( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_issuer_serial_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + X509_NAME *name, + ASN1_INTEGER *serial, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_issuer_serial( + X509_LOOKUP_METHOD *method, X509_LOOKUP_get_by_issuer_serial_fn fn); + X509_LOOKUP_get_by_issuer_serial_fn X509_LOOKUP_meth_get_get_by_issuer_serial( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_fingerprint_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const unsigned char* bytes, + int len, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_fingerprint(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_fingerprint_fn fn); + X509_LOOKUP_get_by_fingerprint_fn X509_LOOKUP_meth_get_get_by_fingerprint( + const X509_LOOKUP_METHOD *method); + + typedef int (*X509_LOOKUP_get_by_alias_fn)(X509_LOOKUP *ctx, + X509_LOOKUP_TYPE type, + const char *str, + int len, + X509_OBJECT *ret); + int X509_LOOKUP_meth_set_get_by_alias(X509_LOOKUP_METHOD *method, + X509_LOOKUP_get_by_alias_fn fn); + X509_LOOKUP_get_by_alias_fn X509_LOOKUP_meth_get_get_by_alias( + const X509_LOOKUP_METHOD *method); + + int X509_LOOKUP_set_method_data(X509_LOOKUP *ctx, void *data); + void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx); + + X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx); + + int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj); + int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj); + +=head1 DESCRIPTION + +The B<X509_LOOKUP_METHOD> type is a structure used for the implementation of new +X509_LOOKUP types. It provides a set of functions used by OpenSSL for the +implementation of various X509 and X509_CRL lookup capabilities. One instance +of an X509_LOOKUP_METHOD can be associated to many instantiations of an +B<X509_LOOKUP> structure. + +X509_LOOKUP_meth_new() creates a new B<X509_LOOKUP_METHOD> structure. It should +be given a human-readable string containing a brief description of the lookup +method. + +X509_LOOKUP_meth_free() destroys a B<X509_LOOKUP_METHOD> structure. + +X509_LOOKUP_get_new_item() and X509_LOOKUP_set_new_item() get and set the +function that is called when an B<X509_LOOKUP> object is created with +X509_LOOKUP_new(). If an X509_LOOKUP_METHOD requires any per-X509_LOOKUP +specific data, the supplied new_item function should allocate this data and +invoke X509_LOOKUP_set_method_data(). + +X509_LOOKUP_get_free() and X509_LOOKUP_set_free() get and set the function +that is used to free any method data that was allocated and set from within +new_item function. + +X509_LOOKUP_meth_get_init() and X509_LOOKUP_meth_set_init() get and set the +function that is used to initialize the method data that was set with +X509_LOOKUP_set_method_data() as part of the new_item routine. + +X509_LOOKUP_meth_get_shutdown() and X509_LOOKUP_meth_set_shutdown() get and set +the function that is used to shut down the method data whose state was +previously initialized in the init function. + +X509_LOOKUP_meth_get_ctrl() and X509_LOOKUP_meth_set_ctrl() get and set a +function to be used to handle arbitrary control commands issued by +X509_LOOKUP_ctrl(). The control function is given the X509_LOOKUP +B<ctx>, along with the arguments passed by X509_LOOKUP_ctrl. B<cmd> is +an arbitrary integer that defines some operation. B<argc> is a pointer +to an array of characters. B<argl> is an integer. B<ret>, if set, +points to a location where any return data should be written to. How +B<argc> and B<argl> are used depends entirely on the control function. + + +X509_LOOKUP_set_get_by_subject(), X509_LOOKUP_set_get_by_issuer_serial(), +X509_LOOKUP_set_get_by_fingerprint(), X509_LOOKUP_set_get_by_alias() set +the functions used to retrieve an X509 or X509_CRL object by the object's +subject, issuer, fingerprint, and alias respectively. These functions are given +the X509_LOOKUP context, the type of the X509_OBJECT being requested, parameters +related to the lookup, and an X509_OBJECT that will receive the requested +object. + +Implementations should use either X509_OBJECT_set1_X509() or +X509_OBJECT_set1_X509_CRL() to set the result. Any method data that was +created as a result of the new_item function set by +X509_LOOKUP_meth_set_new_item() can be accessed with +X509_LOOKUP_get_method_data(). The B<X509_STORE> object that owns the +X509_LOOKUP may be accessed with X509_LOOKUP_get_store(). Successful lookups +should return 1, and unsuccessful lookups should return 0. + +X509_LOOKUP_get_get_by_subject(), X509_LOOKUP_get_get_by_issuer_serial(), +X509_LOOKUP_get_get_by_fingerprint(), X509_LOOKUP_get_get_by_alias() retrieve +the function set by the corresponding setter. + +=head1 RETURN VALUES + +The B<X509_LOOKUP_meth_set> functions return 1 on success or 0 on error. + +The B<X509_LOOKUP_meth_get> functions return the corresponding function +pointers. + +=head1 SEE ALSO + +L<X509_STORE_new(3)>, L<SSL_CTX_set_cert_store(3)> + +=head1 HISTORY + +The functions described here were added in OpenSSL 1.1.0i. + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 5263facfd4..320b258a85 100644 --- a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -11,7 +11,9 @@ X509_VERIFY_PARAM_get_auth_level, X509_VERIFY_PARAM_set_time, X509_VERIFY_PARAM_get_time, X509_VERIFY_PARAM_add0_policy, X509_VERIFY_PARAM_set1_policies, X509_VERIFY_PARAM_set1_host, X509_VERIFY_PARAM_add1_host, -X509_VERIFY_PARAM_set_hostflags, X509_VERIFY_PARAM_get0_peername, +X509_VERIFY_PARAM_set_hostflags, +X509_VERIFY_PARAM_get_hostflags, +X509_VERIFY_PARAM_get0_peername, X509_VERIFY_PARAM_set1_email, X509_VERIFY_PARAM_set1_ip, X509_VERIFY_PARAM_set1_ip_asc - X509 verification parameters @@ -54,6 +56,7 @@ X509_VERIFY_PARAM_set1_ip_asc const char *name, size_t namelen); void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); + unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param); char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t emaillen); @@ -130,14 +133,32 @@ B<name> clearing any previously specified host name or names. If B<name> is NULL, or empty the list of hostnames is cleared, and name checks are not performed on the peer certificate. If B<name> is NUL-terminated, B<namelen> may be zero, otherwise B<namelen> -must be set to the length of B<name>. When a hostname is specified, +must be set to the length of B<name>. + +When a hostname is specified, certificate verification automatically invokes L<X509_check_host(3)> with flags equal to the B<flags> argument given to X509_VERIFY_PARAM_set_hostflags() (default zero). Applications are strongly advised to use this interface in preference to explicitly -calling L<X509_check_host(3)>, hostname checks are out of scope +calling L<X509_check_host(3)>, hostname checks may be out of scope with the DANE-EE(3) certificate usage, and the internal check will -be suppressed as appropriate when DANE support is added to OpenSSL. +be suppressed as appropriate when DANE verification is enabled. + +When the subject CommonName will not be ignored, whether as a result of the +B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> host flag, or because no DNS subject +alternative names are present in the certificate, any DNS name constraints in +issuer certificates apply to the subject CommonName as well as the subject +alternative name extension. + +When the subject CommonName will be ignored, whether as a result of the +B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> host flag, or because some DNS subject +alternative names are present in the certificate, DNS name constraints in +issuer certificates will not be applied to the subject DN. +As described in X509_check_host(3) the B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> +flag takes precendence over the B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> flag. + +X509_VERIFY_PARAM_get_hostflags() returns any host flags previously set via a +call to X509_VERIFY_PARAM_set_hostflags(). X509_VERIFY_PARAM_add1_host() adds B<name> as an additional reference identifier that can match the peer's certificate. Any previous names @@ -186,6 +207,8 @@ failure. X509_VERIFY_PARAM_get_flags() returns the current verification flags. +X509_VERIFY_PARAM_get_hostflags() returns any current host flags. + X509_VERIFY_PARAM_get_inh_flags() returns the current inheritance flags. X509_VERIFY_PARAM_set_time() and X509_VERIFY_PARAM_set_depth() do not return @@ -347,6 +370,8 @@ The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.1.0 The legacy B<X509_V_FLAG_CB_ISSUER_CHECK> flag is deprecated as of OpenSSL 1.1.0, and has no effect. +X509_VERIFY_PARAM_get_hostflags() was added in OpenSSL 1.1.0i. + =head1 COPYRIGHT Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved. diff --git a/deps/openssl/openssl/doc/crypto/X509_check_host.pod b/deps/openssl/openssl/doc/crypto/X509_check_host.pod index 93848152b5..fb9f6a64ec 100644 --- a/deps/openssl/openssl/doc/crypto/X509_check_host.pod +++ b/deps/openssl/openssl/doc/crypto/X509_check_host.pod @@ -93,6 +93,9 @@ consider the subject DN even if the certificate contains no subject alternative names of the right type (DNS name or email address as appropriate); the default is to use the subject DN when no corresponding subject alternative names are present. +If both B<X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT> and +B<X509_CHECK_FLAG_NEVER_CHECK_SUBJECT> are specified, the latter takes +precedence and the subject DN is not checked for matching names. If set, B<X509_CHECK_FLAG_NO_WILDCARDS> disables wildcard expansion; this only applies to B<X509_check_host>. @@ -128,9 +131,9 @@ NULs. Applications are encouraged to use X509_VERIFY_PARAM_set1_host() rather than explicitly calling L<X509_check_host(3)>. Host name -checks are out of scope with the DANE-EE(3) certificate usage, +checks may be out of scope with the DANE-EE(3) certificate usage, and the internal checks will be suppressed as appropriate when -DANE support is added to OpenSSL. +DANE support is enabled. =head1 SEE ALSO @@ -147,7 +150,7 @@ These functions were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/crypto/X509_cmp_time.pod b/deps/openssl/openssl/doc/crypto/X509_cmp_time.pod new file mode 100644 index 0000000000..5bf5111451 --- /dev/null +++ b/deps/openssl/openssl/doc/crypto/X509_cmp_time.pod @@ -0,0 +1,39 @@ +=pod + +=head1 NAME + +X509_cmp_time - X509 time functions + +=head1 SYNOPSIS + + X509_cmp_time(const ASN1_TIME *asn1_time, time_t *cmp_time); + +=head1 DESCRIPTION + +X509_cmp_time() compares the ASN1_TIME in B<asn1_time> with the time in +<cmp_time>. + +B<asn1_time> must satisfy the ASN1_TIME format mandated by RFC 5280, i.e., +its format must be either YYMMDDHHMMSSZ or YYYYMMDDHHMMSSZ. + +If B<cmp_time> is NULL the current time is used. + +=head1 BUGS + +Unlike many standard comparison functions, X509_cmp_time returns 0 on error. + +=head1 RETURN VALUES + +X509_cmp_time() returns -1 if B<asn1_time> is earlier than, or equal to, +B<cmp_time>, and 1 otherwise. It returns 0 on error. + +=head1 COPYRIGHT + +Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/deps/openssl/openssl/doc/crypto/bio.pod b/deps/openssl/openssl/doc/crypto/bio.pod index 7be3121fd1..1e1dd02106 100644 --- a/deps/openssl/openssl/doc/crypto/bio.pod +++ b/deps/openssl/openssl/doc/crypto/bio.pod @@ -87,3 +87,4 @@ in the file LICENSE in the source distribution or at L<https://www.openssl.org/source/license.html>. =cut + |