diff options
author | Daniel Bevenius <daniel.bevenius@gmail.com> | 2017-05-26 07:27:45 +0200 |
---|---|---|
committer | Shigeki Ohtsu <ohtsu@ohtsu.org> | 2017-06-03 00:41:47 +0900 |
commit | bd4a53493b4d130e39955a2497995707666cffd4 (patch) | |
tree | ca6d428d3eca9528608af14f0d969f8999e87c64 /deps/openssl/openssl/doc | |
parent | a235e670a820107210be27e0cd266164763fb014 (diff) | |
download | android-node-v8-bd4a53493b4d130e39955a2497995707666cffd4.tar.gz android-node-v8-bd4a53493b4d130e39955a2497995707666cffd4.tar.bz2 android-node-v8-bd4a53493b4d130e39955a2497995707666cffd4.zip |
deps: upgrade openssl sources to 1.0.2l
This replaces all sources of openssl-1.0.2l.tar.gz into
deps/openssl/openssl
Fixes: https://github.com/nodejs/node/issues/13161
PR-URL: https://github.com/nodejs/node/pull/13233
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Diffstat (limited to 'deps/openssl/openssl/doc')
-rw-r--r-- | deps/openssl/openssl/doc/apps/ciphers.pod | 3 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/apps/config.pod | 3 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/apps/genrsa.pod | 34 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/apps/req.pod | 3 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/apps/s_client.pod | 15 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/apps/s_server.pod | 14 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod | 11 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod | 4 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod | 4 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod | 2 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/crypto/des.pod | 2 | ||||
-rw-r--r-- | deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod | 62 |
12 files changed, 135 insertions, 22 deletions
diff --git a/deps/openssl/openssl/doc/apps/ciphers.pod b/deps/openssl/openssl/doc/apps/ciphers.pod index 9224557255..35d40bbf27 100644 --- a/deps/openssl/openssl/doc/apps/ciphers.pod +++ b/deps/openssl/openssl/doc/apps/ciphers.pod @@ -179,7 +179,8 @@ When in doubt, include B<!aNULL> in your cipherlist. =item B<kRSA>, B<RSA> -cipher suites using RSA key exchange. +cipher suites using RSA key exchange or authentication. B<RSA> is an alias for +B<kRSA>. =item B<kDHr>, B<kDHd>, B<kDH> diff --git a/deps/openssl/openssl/doc/apps/config.pod b/deps/openssl/openssl/doc/apps/config.pod index e12591528c..3f607d3b5f 100644 --- a/deps/openssl/openssl/doc/apps/config.pod +++ b/deps/openssl/openssl/doc/apps/config.pod @@ -47,7 +47,8 @@ or B<${section::name}>. By using the form B<$ENV::name> environment variables can be substituted. It is also possible to assign values to environment variables by using the name B<ENV::name>, this will work if the program looks up environment variables using the B<CONF> library -instead of calling B<getenv()> directly. +instead of calling B<getenv()> directly. The value string must not exceed 64k in +length after variable expansion. Otherwise an error will occur. It is possible to escape certain characters by using any kind of quote or the B<\> character. By making the last character of a line a B<\> diff --git a/deps/openssl/openssl/doc/apps/genrsa.pod b/deps/openssl/openssl/doc/apps/genrsa.pod index 3dc9870f34..f4ed9593ae 100644 --- a/deps/openssl/openssl/doc/apps/genrsa.pod +++ b/deps/openssl/openssl/doc/apps/genrsa.pod @@ -7,11 +7,15 @@ genrsa - generate an RSA private key =head1 SYNOPSIS B<openssl> B<genrsa> +[B<-help>] [B<-out filename>] [B<-passout arg>] [B<-aes128>] [B<-aes192>] [B<-aes256>] +[B<-aria128>] +[B<-aria192>] +[B<-aria256>] [B<-camellia128>] [B<-camellia192>] [B<-camellia256>] @@ -32,17 +36,21 @@ The B<genrsa> command generates an RSA private key. =over 4 +=item B<-help> + +Print out a usage message. + =item B<-out filename> -the output filename. If this argument is not specified then standard output is -used. +Output the key to the specified file. If this argument is not specified then +standard output is used. =item B<-passout arg> the output file password source. For more information about the format of B<arg> -see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>. -=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> +=item B<-aes128|-aes192|-aes256|-aria128|-aria192|-aria256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea> These options encrypt the private key with specified cipher before outputting it. If none of these options is @@ -56,8 +64,8 @@ the public exponent to use, either 65537 or 3. The default is 65537. =item B<-rand file(s)> a file or files containing random data used to seed the random number -generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). -Multiple files can be specified separated by a OS-dependent character. +generator, or an EGD socket (see L<RAND_egd(3)>). +Multiple files can be specified separated by an OS-dependent character. The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for all others. @@ -71,7 +79,7 @@ for all available algorithms. =item B<numbits> the size of the private key to generate in bits. This must be the last option -specified. The default is 512. +specified. The default is 2048. =back @@ -96,7 +104,15 @@ be much larger (typically 1024 bits). =head1 SEE ALSO -L<gendsa(1)|gendsa(1)> +L<gendsa(1)> -=cut +=head1 COPYRIGHT +Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/deps/openssl/openssl/doc/apps/req.pod b/deps/openssl/openssl/doc/apps/req.pod index 30653e5093..1682ba5143 100644 --- a/deps/openssl/openssl/doc/apps/req.pod +++ b/deps/openssl/openssl/doc/apps/req.pod @@ -237,6 +237,9 @@ a self signed root CA. The extensions added to the certificate using the B<set_serial> option, a large random number will be used for the serial number. +If existing request is specified with the B<-in> option, it is converted +to the self signed certificate otherwise new request is created. + =item B<-days n> when the B<-x509> option is being used this specifies the number of diff --git a/deps/openssl/openssl/doc/apps/s_client.pod b/deps/openssl/openssl/doc/apps/s_client.pod index 29675dd213..b45acbc5e3 100644 --- a/deps/openssl/openssl/doc/apps/s_client.pod +++ b/deps/openssl/openssl/doc/apps/s_client.pod @@ -42,6 +42,8 @@ B<openssl> B<s_client> [B<-no_tls1_2>] [B<-fallback_scsv>] [B<-bugs>] +[B<-sigalgs sigalglist>] +[B<-curves curvelist>] [B<-cipher cipherlist>] [B<-serverpref>] [B<-starttls protocol>] @@ -217,6 +219,19 @@ Send TLS_FALLBACK_SCSV in the ClientHello. there are several known bug in SSL and TLS implementations. Adding this option enables various workarounds. +=item B<-sigalgs sigalglist> + +Specifies the list of signature algorithms that are sent by the client. +The server selects one entry in the list based on its preferences. +For example strings, see L<SSL_CTX_set1_sigalgs(3)> + +=item B<-curves curvelist> + +Specifies the list of supported curves to be sent by the client. The curve is +is ultimately selected by the server. For a list of all curves, use: + + $ openssl ecparam -list_curves + =item B<-cipher cipherlist> this allows the cipher list sent by the client to be modified. Although diff --git a/deps/openssl/openssl/doc/apps/s_server.pod b/deps/openssl/openssl/doc/apps/s_server.pod index fa17488d91..1fe93ddfbe 100644 --- a/deps/openssl/openssl/doc/apps/s_server.pod +++ b/deps/openssl/openssl/doc/apps/s_server.pod @@ -35,6 +35,8 @@ B<openssl> B<s_server> [B<-CAfile filename>] [B<-no_alt_chains>] [B<-nocert>] +[B<-client_sigalgs sigalglist>] +[B<-named_curve curve>] [B<-cipher cipherlist>] [B<-serverpref>] [B<-quiet>] @@ -234,6 +236,18 @@ option enables various workarounds. this option enables a further workaround for some some early Netscape SSL code (?). +=item B<-client_sigalgs sigalglist> + +Signature algorithms to support for client certificate authentication +(colon-separated list) + +=item B<-named_curve curve> + +Specifies the elliptic curve to use. NOTE: this is single curve, not a list. +For a list of all possible curves, use: + + $ openssl ecparam -list_curves + =item B<-cipher cipherlist> this allows the cipher list used by the server to be modified. When diff --git a/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod b/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod index d9513338d8..0c0a30c1ff 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod @@ -19,14 +19,17 @@ EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param, EVP_CIPHER_CTX_set_padding, EVP_enc_null, EVP_des_cbc, EVP_des_ecb, EVP_des_cfb, EVP_des_ofb, EVP_des_ede_cbc, EVP_des_ede, EVP_des_ede_ofb, EVP_des_ede_cfb, EVP_des_ede3_cbc, EVP_des_ede3, EVP_des_ede3_ofb, -EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_idea_cbc, -EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_idea_cbc, EVP_rc2_cbc, +EVP_des_ede3_cfb, EVP_desx_cbc, EVP_rc4, EVP_rc4_40, EVP_rc4_hmac_md5, +EVP_idea_cbc, EVP_idea_ecb, EVP_idea_cfb, EVP_idea_ofb, EVP_rc2_cbc, EVP_rc2_ecb, EVP_rc2_cfb, EVP_rc2_ofb, EVP_rc2_40_cbc, EVP_rc2_64_cbc, EVP_bf_cbc, EVP_bf_ecb, EVP_bf_cfb, EVP_bf_ofb, EVP_cast5_cbc, EVP_cast5_ecb, EVP_cast5_cfb, EVP_cast5_ofb, EVP_rc5_32_12_16_cbc, EVP_rc5_32_12_16_ecb, EVP_rc5_32_12_16_cfb, EVP_rc5_32_12_16_ofb, EVP_aes_128_gcm, EVP_aes_192_gcm, EVP_aes_256_gcm, EVP_aes_128_ccm, -EVP_aes_192_ccm, EVP_aes_256_ccm - EVP cipher routines +EVP_aes_192_ccm, EVP_aes_256_ccm, +EVP_aes_128_cbc_hmac_sha1, EVP_aes_256_cbc_hmac_sha1, +EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256 +- EVP cipher routines =head1 SYNOPSIS @@ -395,8 +398,6 @@ Sets the expected tag to B<taglen> bytes from B<tag>. This call is only legal when decrypting data and must be made B<before> any data is processed (e.g. before any EVP_DecryptUpdate() call). -See L<EXAMPLES> below for an example of the use of GCM mode. - =head1 CCM Mode The behaviour of CCM mode ciphers is similar to CCM mode but with a few diff --git a/deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod b/deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod index 746a80c79e..3e1f895c5a 100644 --- a/deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod +++ b/deps/openssl/openssl/doc/crypto/RSA_private_encrypt.pod @@ -8,10 +8,10 @@ RSA_private_encrypt, RSA_public_decrypt - low level signature operations #include <openssl/rsa.h> - int RSA_private_encrypt(int flen, unsigned char *from, + int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); - int RSA_public_decrypt(int flen, unsigned char *from, + int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); =head1 DESCRIPTION diff --git a/deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod b/deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod index ab0fe3b2cd..0541f348b3 100644 --- a/deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod +++ b/deps/openssl/openssl/doc/crypto/RSA_public_encrypt.pod @@ -8,10 +8,10 @@ RSA_public_encrypt, RSA_private_decrypt - RSA public key cryptography #include <openssl/rsa.h> - int RSA_public_encrypt(int flen, unsigned char *from, + int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); - int RSA_private_decrypt(int flen, unsigned char *from, + int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); =head1 DESCRIPTION diff --git a/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod b/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod index eb38b0a109..1aee117268 100644 --- a/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod +++ b/deps/openssl/openssl/doc/crypto/X509_STORE_CTX_new.pod @@ -41,7 +41,7 @@ is no longer valid. X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation. It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only good for one call to X509_verify_cert(); if you want to verify a second -certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup() +certificate with the same B<ctx> then you must call X509_STORE_CTX_cleanup() and then X509_STORE_CTX_init() again before the second call to X509_verify_cert(). The trusted certificate store is set to B<store>, the end entity certificate to be verified is set to B<x509> and a set of additional diff --git a/deps/openssl/openssl/doc/crypto/des.pod b/deps/openssl/openssl/doc/crypto/des.pod index e1add56b5e..339617aab0 100644 --- a/deps/openssl/openssl/doc/crypto/des.pod +++ b/deps/openssl/openssl/doc/crypto/des.pod @@ -123,7 +123,7 @@ architecture dependent I<DES_key_schedule> via the DES_set_key_checked() or DES_set_key_unchecked() function. DES_set_key_checked() will check that the key passed is of odd parity -and is not a week or semi-weak key. If the parity is wrong, then -1 +and is not a weak or semi-weak key. If the parity is wrong, then -1 is returned. If the key is a weak key, then -2 is returned. If an error is returned, the key schedule is not generated. diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod new file mode 100644 index 0000000000..3b0a50956d --- /dev/null +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_tlsext_servername_callback.pod @@ -0,0 +1,62 @@ +=pod + +=head1 NAME + +SSL_CTX_set_tlsext_servername_callback, SSL_CTX_set_tlsext_servername_arg, +SSL_get_servername_type, SSL_get_servername - handle server name indication +(SNI) + +=head1 SYNOPSIS + + #include <openssl/ssl.h> + + long SSL_CTX_set_tlsext_servername_callback(SSL_CTX *ctx, + int (*cb)(SSL *, int *, void *)); + long SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg); + + const char *SSL_get_servername(const SSL *s, const int type); + int SSL_get_servername_type(const SSL *s); + +=head1 DESCRIPTION + +SSL_CTX_set_tlsext_servername_callback() sets the application callback B<cb> +used by a server to perform any actions or configuration required based on +the servername extension received in the incoming connection. When B<cb> +is NULL, SNI is not used. The B<arg> value is a pointer which is passed to +the application callback. + +SSL_CTX_set_tlsext_servername_arg() sets a context-specific argument to be +passed into the callback for this B<SSL_CTX>. + +SSL_get_servername() returns a servername extension value of the specified +type if provided in the Client Hello or NULL. + +SSL_get_servername_type() returns the servername type or -1 if no servername +is present. Currently the only supported type (defined in RFC3546) is +B<TLSEXT_NAMETYPE_host_name>. + +=head1 NOTES + +The ALPN and SNI callbacks are both executed during Client Hello processing. +The servername callback is executed first, followed by the ALPN callback. + +=head1 RETURN VALUES + +SSL_CTX_set_tlsext_servername_callback() and +SSL_CTX_set_tlsext_servername_arg() both always return 1 indicating success. + +=head1 SEE ALSO + +L<ssl(7)>, L<SSL_CTX_set_alpn_select_cb(3)>, +L<SSL_get0_alpn_selected(3)> + +=head1 COPYRIGHT + +Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut |