diff options
Diffstat (limited to 'deps/openssl/openssl/doc/crypto')
6 files changed, 52 insertions, 23 deletions
diff --git a/deps/openssl/openssl/doc/crypto/ASN1_STRING_length.pod b/deps/openssl/openssl/doc/crypto/ASN1_STRING_length.pod index f651e4f2ae..4ea6e8c226 100644 --- a/deps/openssl/openssl/doc/crypto/ASN1_STRING_length.pod +++ b/deps/openssl/openssl/doc/crypto/ASN1_STRING_length.pod @@ -66,8 +66,8 @@ utility functions should be used instead. In general it cannot be assumed that the data returned by ASN1_STRING_data() is null terminated or does not contain embedded nulls. The actual format of the data will depend on the actual string type itself: for example -for and IA5String the data will be ASCII, for a BMPString two bytes per -character in big endian format, UTF8String will be in UTF8 format. +for an IA5String the data will be ASCII, for a BMPString two bytes per +character in big endian format, and for an UTF8String it will be in UTF8 format. Similar care should be take to ensure the data is in the correct format when calling ASN1_STRING_set(). diff --git a/deps/openssl/openssl/doc/crypto/BIO_s_mem.pod b/deps/openssl/openssl/doc/crypto/BIO_s_mem.pod index 9f239648d7..7663d8bf5f 100644 --- a/deps/openssl/openssl/doc/crypto/BIO_s_mem.pod +++ b/deps/openssl/openssl/doc/crypto/BIO_s_mem.pod @@ -50,14 +50,14 @@ zero then it will return B<v> when it is empty and it will set the read retry flag (that is BIO_read_retry(b) is true). To avoid ambiguity with a normal positive return value B<v> should be set to a negative value, typically -1. -BIO_get_mem_data() sets B<pp> to a pointer to the start of the memory BIOs data +BIO_get_mem_data() sets *B<pp> to a pointer to the start of the memory BIOs data and returns the total amount of data available. It is implemented as a macro. BIO_set_mem_buf() sets the internal BUF_MEM structure to B<bm> and sets the close flag to B<c>, that is B<c> should be either BIO_CLOSE or BIO_NOCLOSE. It is a macro. -BIO_get_mem_ptr() places the underlying BUF_MEM structure in B<pp>. It is +BIO_get_mem_ptr() places the underlying BUF_MEM structure in *B<pp>. It is a macro. BIO_new_mem_buf() creates a memory BIO using B<len> bytes of data at B<buf>, diff --git a/deps/openssl/openssl/doc/crypto/BN_zero.pod b/deps/openssl/openssl/doc/crypto/BN_zero.pod index b555ec3988..8aa9c142b7 100644 --- a/deps/openssl/openssl/doc/crypto/BN_zero.pod +++ b/deps/openssl/openssl/doc/crypto/BN_zero.pod @@ -14,34 +14,37 @@ operations const BIGNUM *BN_value_one(void); - int BN_set_word(BIGNUM *a, unsigned long w); - unsigned long BN_get_word(BIGNUM *a); + int BN_set_word(BIGNUM *a, BN_ULONG w); + BN_ULONG BN_get_word(BIGNUM *a); =head1 DESCRIPTION +B<BN_ULONG> is a macro that will be an unsigned integral type optimied +for the most efficient implementation on the local platform. + BN_zero(), BN_one() and BN_set_word() set B<a> to the values 0, 1 and B<w> respectively. BN_zero() and BN_one() are macros. BN_value_one() returns a B<BIGNUM> constant of value 1. This constant is useful for use in comparisons and assignment. -BN_get_word() returns B<a>, if it can be represented as an unsigned -long. +BN_get_word() returns B<a>, if it can be represented as a B<BN_ULONG>. =head1 RETURN VALUES -BN_get_word() returns the value B<a>, and 0xffffffffL if B<a> cannot -be represented as an unsigned long. +BN_get_word() returns the value B<a>, or all-bits-set if B<a> cannot +be represented as a B<BN_ULONG>. BN_zero(), BN_one() and BN_set_word() return 1 on success, 0 otherwise. BN_value_one() returns the constant. =head1 BUGS -Someone might change the constant. +If a B<BIGNUM> is equal to the value of all-bits-set, it will collide +with the error condition returned by BN_get_word() which uses that +as an error value. -If a B<BIGNUM> is equal to 0xffffffffL it can be represented as an -unsigned long but this value is also returned on error. +B<BN_ULONG> should probably be a typedef. =head1 SEE ALSO diff --git a/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod b/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod index 4cd24d7e01..4973f0a23b 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod @@ -38,38 +38,38 @@ EVP_aes_128_cbc_hmac_sha256, EVP_aes_256_cbc_hmac_sha256 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, - ENGINE *impl, unsigned char *key, unsigned char *iv); + ENGINE *impl, const unsigned char *key, const unsigned char *iv); int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, - ENGINE *impl, unsigned char *key, unsigned char *iv); + ENGINE *impl, const unsigned char *key, const unsigned char *iv); int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, - ENGINE *impl, unsigned char *key, unsigned char *iv, int enc); + ENGINE *impl, const unsigned char *key, const unsigned char *iv, int enc); int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, - int *outl, unsigned char *in, int inl); + int *outl, const unsigned char *in, int inl); int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, - unsigned char *key, unsigned char *iv); + const unsigned char *key, const unsigned char *iv); int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, - unsigned char *key, unsigned char *iv); + const unsigned char *key, const unsigned char *iv); int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, - unsigned char *key, unsigned char *iv, int enc); + const unsigned char *key, const unsigned char *iv, int enc); int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, int *outl); diff --git a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 44792f91a1..10399ecbaf 100644 --- a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -203,6 +203,27 @@ chain found is not trusted, then OpenSSL will continue to check to see if an alternative chain can be found that is trusted. With this flag set the behaviour will match that of OpenSSL versions prior to 1.0.2b. +The B<X509_V_FLAG_TRUSTED_FIRST> flag causes chain construction to look for +issuers in the trust store before looking at the untrusted certificates +provided as part of the the peer chain. +Though it is not on by default in OpenSSL 1.0.2, applications should generally +set this flag. +Local issuer certificates are often more likely to satisfy local security +requirements and lead to a locally trusted root. +This is especially important When some certificates in the trust store have +explicit trust settings (see "TRUST SETTINGS" in L<x509(1)>). + +The B<X509_V_FLAG_PARTIAL_CHAIN> flag causes intermediate certificates in the +trust store to be treated as trust-anchors, in the same way as the self-signed +root CA certificates. +This makes it possible to trust certificates issued by an intermediate CA +without having to trust its ancestor root CA. +With OpenSSL 1.0.2, chain construction continues as long as there are +additional trusted issuers in the trust store, and the last trusted issuer +becomes the trust-anchor. +Thus, even when an intermediate certificate is found in the trust store, the +verified chain passed to callbacks may still be anchored by a root CA. + =head1 NOTES The above functions should be used to manipulate verification parameters @@ -235,7 +256,8 @@ connections associated with an B<SSL_CTX> structure B<ctx>: L<X509_verify_cert(3)|X509_verify_cert(3)>, L<X509_check_host(3)|X509_check_host(3)>, L<X509_check_email(3)|X509_check_email(3)>, -L<X509_check_ip(3)|X509_check_ip(3)> +L<X509_check_ip(3)|X509_check_ip(3)>, +L<x509(1)|x509(1)> =head1 HISTORY diff --git a/deps/openssl/openssl/doc/crypto/threads.pod b/deps/openssl/openssl/doc/crypto/threads.pod index dc0e9391dc..30c19b815f 100644 --- a/deps/openssl/openssl/doc/crypto/threads.pod +++ b/deps/openssl/openssl/doc/crypto/threads.pod @@ -63,9 +63,13 @@ CRYPTO_destroy_dynlockid, CRYPTO_lock - OpenSSL thread support =head1 DESCRIPTION -OpenSSL can safely be used in multi-threaded applications provided -that at least two callback functions are set, locking_function and +OpenSSL can generally be used safely in multi-threaded applications provided +that at least two callback functions are set, the locking_function and threadid_func. +Note that OpenSSL is not completely thread-safe, and unfortunately not all +global resources have the necessary locks. +Further, the thread-safety does not extend to things like multiple threads +using the same B<SSL> object at the same time. locking_function(int mode, int n, const char *file, int line) is needed to perform locking on shared data structures. |