diff options
Diffstat (limited to 'deps/openssl/openssl/doc')
86 files changed, 464 insertions, 259 deletions
diff --git a/deps/openssl/openssl/doc/HOWTO/proxy_certificates.txt b/deps/openssl/openssl/doc/HOWTO/proxy_certificates.txt index 2936cd6e51..3c42349261 100644 --- a/deps/openssl/openssl/doc/HOWTO/proxy_certificates.txt +++ b/deps/openssl/openssl/doc/HOWTO/proxy_certificates.txt @@ -255,7 +255,7 @@ Here is some skeleton code you can fill in: /* * process_rights() is supposed to be a procedure - * that takes a string and it's length, interprets + * that takes a string and its length, interprets * it and sets the bits in the YOUR_RIGHTS pointed * at by the third argument. */ diff --git a/deps/openssl/openssl/doc/man1/engine.pod b/deps/openssl/openssl/doc/man1/engine.pod index 24f1b32cdb..d49f04292b 100644 --- a/deps/openssl/openssl/doc/man1/engine.pod +++ b/deps/openssl/openssl/doc/man1/engine.pod @@ -64,7 +64,7 @@ See the example below. =back -=head1 EXAMPLE +=head1 EXAMPLES To list all the commands available to a dynamic engine: @@ -109,7 +109,7 @@ L<config(5)> =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/errstr.pod b/deps/openssl/openssl/doc/man1/errstr.pod index 3c89b8f5cf..94198c123e 100644 --- a/deps/openssl/openssl/doc/man1/errstr.pod +++ b/deps/openssl/openssl/doc/man1/errstr.pod @@ -20,7 +20,7 @@ second colon. None. -=head1 EXAMPLE +=head1 EXAMPLES The error code: @@ -36,7 +36,7 @@ to produce the error message: =head1 COPYRIGHT -Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/pkcs12.pod b/deps/openssl/openssl/doc/man1/pkcs12.pod index 6f890c120f..da887a4699 100644 --- a/deps/openssl/openssl/doc/man1/pkcs12.pod +++ b/deps/openssl/openssl/doc/man1/pkcs12.pod @@ -225,7 +225,8 @@ for this search. If the search fails it is considered a fatal error. Encrypt the certificate using triple DES, this may render the PKCS#12 file unreadable by some "export grade" software. By default the private -key is encrypted using triple DES and the certificate using 40 bit RC2. +key is encrypted using triple DES and the certificate using 40 bit RC2 +unless RC2 is disabled in which case triple DES is used. =item B<-keypbe alg>, B<-certpbe alg> diff --git a/deps/openssl/openssl/doc/man1/pkeyparam.pod b/deps/openssl/openssl/doc/man1/pkeyparam.pod index 50949657c8..bddabc2707 100644 --- a/deps/openssl/openssl/doc/man1/pkeyparam.pod +++ b/deps/openssl/openssl/doc/man1/pkeyparam.pod @@ -60,7 +60,7 @@ This option checks the correctness of parameters. =back -=head1 EXAMPLE +=head1 EXAMPLES Print out text version of parameters: @@ -78,7 +78,7 @@ L<dsa(1)>, L<genrsa(1)>, L<gendsa(1)> =head1 COPYRIGHT -Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man1/s_client.pod b/deps/openssl/openssl/doc/man1/s_client.pod index cf8153572a..2f19aac1dc 100644 --- a/deps/openssl/openssl/doc/man1/s_client.pod +++ b/deps/openssl/openssl/doc/man1/s_client.pod @@ -147,7 +147,7 @@ SSL servers. =head1 OPTIONS In addition to the options below the B<s_client> utility also supports the -common and client only options documented in the +common and client only options documented in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)> manual page. diff --git a/deps/openssl/openssl/doc/man1/s_server.pod b/deps/openssl/openssl/doc/man1/s_server.pod index 768789633e..7fa382a8ae 100644 --- a/deps/openssl/openssl/doc/man1/s_server.pod +++ b/deps/openssl/openssl/doc/man1/s_server.pod @@ -193,7 +193,7 @@ for connections on a given port using SSL/TLS. =head1 OPTIONS In addition to the options below the B<s_server> utility also supports the -common and server only options documented in the +common and server only options documented in the "Supported Command Line Commands" section of the L<SSL_CONF_cmd(3)> manual page. diff --git a/deps/openssl/openssl/doc/man3/ADMISSIONS.pod b/deps/openssl/openssl/doc/man3/ADMISSIONS.pod index 5dcf72e201..eaf63b2197 100644 --- a/deps/openssl/openssl/doc/man3/ADMISSIONS.pod +++ b/deps/openssl/openssl/doc/man3/ADMISSIONS.pod @@ -130,7 +130,7 @@ ADMISSION_SYNTAX_set0_contentsOfAdmissions() functions free any existing value and set the pointer to the specified value. The B<ADMISSION> type has an authority name, authority object, and a -stack of B<PROFSSION_INFO> items. +stack of B<PROFESSION_INFO> items. The ADMISSIONS_get0_admissionAuthority(), ADMISSIONS_get0_namingAuthority(), and ADMISSIONS_get0_professionInfos() functions return pointers to those values within the object. @@ -169,7 +169,7 @@ L<d2i_X509(3)>, =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ASYNC_start_job.pod b/deps/openssl/openssl/doc/man3/ASYNC_start_job.pod index 9bd1044b26..b06db76708 100644 --- a/deps/openssl/openssl/doc/man3/ASYNC_start_job.pod +++ b/deps/openssl/openssl/doc/man3/ASYNC_start_job.pod @@ -170,7 +170,7 @@ is included, commonly as one of the first included headers. Therefore it is defined as an application developer's responsibility to include windows.h prior to async.h. -=head1 EXAMPLE +=head1 EXAMPLES The following example demonstrates how to use most of the core async APIs: @@ -321,7 +321,7 @@ added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_connect.pod b/deps/openssl/openssl/doc/man3/BIO_connect.pod index 2766c3d6c5..853315aa46 100644 --- a/deps/openssl/openssl/doc/man3/BIO_connect.pod +++ b/deps/openssl/openssl/doc/man3/BIO_connect.pod @@ -24,7 +24,7 @@ but is present for future use. BIO_bind() binds the source address and service to a socket and may be useful before calling BIO_connect(). The options may include -B<BIO_SOCK_REUSADDR>, which is described in L</FLAGS> below. +B<BIO_SOCK_REUSEADDR>, which is described in L</FLAGS> below. BIO_connect() connects B<sock> to the address and service given by B<addr>. Connection B<options> may be zero or any combination of diff --git a/deps/openssl/openssl/doc/man3/BIO_f_ssl.pod b/deps/openssl/openssl/doc/man3/BIO_f_ssl.pod index e069594fd1..59cccbd4e5 100644 --- a/deps/openssl/openssl/doc/man3/BIO_f_ssl.pod +++ b/deps/openssl/openssl/doc/man3/BIO_f_ssl.pod @@ -129,9 +129,25 @@ BIO_set_ssl(), BIO_get_ssl(), BIO_set_ssl_mode(), BIO_set_ssl_renegotiate_bytes(), BIO_set_ssl_renegotiate_timeout(), BIO_get_num_renegotiates(), and BIO_do_handshake() are implemented as macros. -=head1 EXAMPLE +=head1 RETURN VALUES + +BIO_f_ssl() returns the SSL B<BIO_METHOD> structure. + +BIO_set_ssl(), BIO_get_ssl(), BIO_set_ssl_mode(), BIO_set_ssl_renegotiate_bytes(), +BIO_set_ssl_renegotiate_timeout() and BIO_get_num_renegotiates() return 1 on +success or a value which is less than or equal to 0 if an error occurred. + +BIO_new_ssl(), BIO_new_ssl_connect() and BIO_new_buffer_ssl_connect() return +a valid B<BIO> structure on success or B<NULL> if an error occurred. + +BIO_ssl_copy_session_id() returns 1 on success or 0 on error. + +BIO_do_handshake() returns 1 if the connection was established successfully. +A zero or negative value is returned if the connection could not be established. + +=head1 EXAMPLES -This SSL/TLS client example, attempts to retrieve a page from an +This SSL/TLS client example attempts to retrieve a page from an SSL/TLS web server. The I/O routines are identical to those of the unencrypted example in L<BIO_s_connect(3)>. @@ -271,22 +287,6 @@ a client and also echoes the request to standard output. BIO_flush(sbio); BIO_free_all(sbio); -=head1 RETURN VALUES - -BIO_f_ssl() returns the SSL B<BIO_METHOD> structure. - -BIO_set_ssl(), BIO_get_ssl(), BIO_set_ssl_mode(), BIO_set_ssl_renegotiate_bytes(), -BIO_set_ssl_renegotiate_timeout() and BIO_get_num_renegotiates() return 1 on -success or a value which is less than or equal to 0 if an error occurred. - -BIO_new_ssl(), BIO_new_ssl_connect() and BIO_new_buffer_ssl_connect() return -a valid B<BIO> structure on success or B<NULL> if an error occurred. - -BIO_ssl_copy_session_id() returns 1 on success or 0 on error. - -BIO_do_handshake() returns 1 if the connection was established successfully. -A zero or negative value is returned if the connection could not be established. - =head1 HISTORY In OpenSSL before 1.0.0 the BIO_pop() call was handled incorrectly, @@ -298,7 +298,7 @@ be modified to handle this fix or they may free up an already freed BIO. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_find_type.pod b/deps/openssl/openssl/doc/man3/BIO_find_type.pod index b8171942ef..b18b615a33 100644 --- a/deps/openssl/openssl/doc/man3/BIO_find_type.pod +++ b/deps/openssl/openssl/doc/man3/BIO_find_type.pod @@ -40,7 +40,7 @@ BIO_next() returns the next BIO in a chain. BIO_method_type() returns the type of the BIO B<b>. -=head1 EXAMPLE +=head1 EXAMPLES Traverse a chain looking for digest BIOs: @@ -60,7 +60,7 @@ Traverse a chain looking for digest BIOs: =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_new.pod b/deps/openssl/openssl/doc/man3/BIO_new.pod index 2712be0dab..c33eb9d02e 100644 --- a/deps/openssl/openssl/doc/man3/BIO_new.pod +++ b/deps/openssl/openssl/doc/man3/BIO_new.pod @@ -53,7 +53,7 @@ on it other than the discarded return value. BIO_set() was removed in OpenSSL 1.1.0 as BIO type is now opaque. -=head1 EXAMPLE +=head1 EXAMPLES Create a memory BIO: @@ -61,7 +61,7 @@ Create a memory BIO: =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_s_accept.pod b/deps/openssl/openssl/doc/man3/BIO_s_accept.pod index 45b864e5e6..37b6f4d839 100644 --- a/deps/openssl/openssl/doc/man3/BIO_s_accept.pod +++ b/deps/openssl/openssl/doc/man3/BIO_s_accept.pod @@ -174,7 +174,7 @@ BIO_get_bind_mode() returns the set of B<BIO_BIND> flags, or -1 on failure. BIO_new_accept() returns a BIO or NULL on error. -=head1 EXAMPLE +=head1 EXAMPLES This example accepts two connections on port 4444, sends messages down each and finally closes both down. @@ -224,7 +224,7 @@ down each and finally closes both down. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_s_bio.pod b/deps/openssl/openssl/doc/man3/BIO_s_bio.pod index dfafa351e4..f78fe13489 100644 --- a/deps/openssl/openssl/doc/man3/BIO_s_bio.pod +++ b/deps/openssl/openssl/doc/man3/BIO_s_bio.pod @@ -133,7 +133,7 @@ locations for B<bio1> and B<bio2>. Check the error stack for more information. [XXXXX: More return values need to be added here] -=head1 EXAMPLE +=head1 EXAMPLES The BIO pair can be used to have full control over the network access of an application. The application can call select() on the socket as required @@ -176,7 +176,7 @@ and must be transferred to the network. Use BIO_ctrl_get_read_request() to find out, how many bytes must be written into the buffer before the SSL_operation() can successfully be continued. -=head1 WARNING +=head1 WARNINGS As the data is buffered, SSL_operation() may return with an ERROR_SSL_WANT_READ condition, but there is still data in the write buffer. An application must @@ -191,7 +191,7 @@ L<BIO_should_retry(3)>, L<BIO_read_ex(3)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_s_connect.pod b/deps/openssl/openssl/doc/man3/BIO_s_connect.pod index d5cc553f25..4f145297c5 100644 --- a/deps/openssl/openssl/doc/man3/BIO_s_connect.pod +++ b/deps/openssl/openssl/doc/man3/BIO_s_connect.pod @@ -163,7 +163,7 @@ BIO_set_nbio() always returns 1. BIO_do_connect() returns 1 if the connection was successfully established and 0 or -1 if the connection failed. -=head1 EXAMPLE +=head1 EXAMPLES This is example connects to a webserver on the local host and attempts to retrieve a page and copy the result to standard output. @@ -203,7 +203,7 @@ Use BIO_set_conn_address() and BIO_get_conn_address() instead. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_s_fd.pod b/deps/openssl/openssl/doc/man3/BIO_s_fd.pod index 8ebf563cf6..6291373cf3 100644 --- a/deps/openssl/openssl/doc/man3/BIO_s_fd.pod +++ b/deps/openssl/openssl/doc/man3/BIO_s_fd.pod @@ -68,7 +68,7 @@ been initialized. BIO_new_fd() returns the newly allocated BIO or NULL is an error occurred. -=head1 EXAMPLE +=head1 EXAMPLES This is a file descriptor BIO version of "Hello World": @@ -88,7 +88,7 @@ L<BIO_set_close(3)>, L<BIO_get_close(3)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BIO_s_mem.pod b/deps/openssl/openssl/doc/man3/BIO_s_mem.pod index 2a5d423648..9d3ae21615 100644 --- a/deps/openssl/openssl/doc/man3/BIO_s_mem.pod +++ b/deps/openssl/openssl/doc/man3/BIO_s_mem.pod @@ -41,9 +41,10 @@ If the BIO_CLOSE flag is set when a memory BIO is freed then the underlying BUF_MEM structure is also freed. Calling BIO_reset() on a read write memory BIO clears any data in it if the -flag BIO_FLAGS_NONCLEAR_RST is not set. On a read only BIO or if the flag -BIO_FLAGS_NONCLEAR_RST is set it restores the BIO to its original state and -the data can be read again. +flag BIO_FLAGS_NONCLEAR_RST is not set, otherwise it just restores the read +pointer to the state it was just after the last write was performed and the +data can be read again. On a read only BIO it similarly restores the BIO to +its original state and the read only data can be read again. BIO_eof() is true if no data is in the BIO. @@ -79,11 +80,11 @@ first, so the supplied area of memory must be unchanged until the BIO is freed. Writes to memory BIOs will always succeed if memory is available: that is their size can grow indefinitely. -Every read from a read write memory BIO will remove the data just read with -an internal copy operation, if a BIO contains a lot of data and it is -read in small chunks the operation can be very slow. The use of a read only -memory BIO avoids this problem. If the BIO must be read write then adding -a buffering BIO to the chain will speed up the process. +Every write after partial read (not all data in the memory buffer was read) +to a read write memory BIO will have to move the unread data with an internal +copy operation, if a BIO contains a lot of data and it is read in small +chunks intertwined with writes the operation can be very slow. Adding +a buffering BIO to the chain can speed up the process. Calling BIO_set_mem_buf() on a BIO created with BIO_new_secmem() will give undefined results, including perhaps a program crash. @@ -104,11 +105,32 @@ BIO is set to BIO_NOCLOSE, before freeing the BUF_MEM the data pointer in it must be set to NULL as the data pointer does not point to an allocated memory. +Calling BIO_reset() on a read write memory BIO with BIO_FLAGS_NONCLEAR_RST +flag set can have unexpected outcome when the reads and writes to the +BIO are intertwined. As documented above the BIO will be reset to the +state after the last completed write operation. The effects of reads +preceding that write operation cannot be undone. + +Calling BIO_get_mem_ptr() prior to a BIO_reset() call with +BIO_FLAGS_NONCLEAR_RST set has the same effect as a write operation. + =head1 BUGS There should be an option to set the maximum size of a memory BIO. -=head1 EXAMPLE +=head1 RETURN VALUES + +BIO_s_mem() and BIO_s_secmem() return a valid memory B<BIO_METHOD> structure. + +BIO_set_mem_eof_return(), BIO_set_mem_buf() and BIO_get_mem_ptr() +return 1 on success or a value which is less than or equal to 0 if an error occurred. + +BIO_get_mem_data() returns the total number of bytes available on success, +0 if b is NULL, or a negative value in case of other errors. + +BIO_new_mem_buf() returns a valid B<BIO> structure on success or NULL on error. + +=head1 EXAMPLES Create a memory BIO and write some data to it: @@ -129,14 +151,6 @@ Extract the BUF_MEM structure from a memory BIO and then free up the BIO: BIO_set_close(mem, BIO_NOCLOSE); /* So BIO_free() leaves BUF_MEM alone */ BIO_free(mem); -=head1 RETURN VALUES - -BIO_s_mem() and BIO_s_secmem() return a valid memory B<BIO_METHOD> structure. - -BIO_set_mem_eof_return(), BIO_get_mem_data(), BIO_set_mem_buf() and BIO_get_mem_ptr() -return 1 on success or a value which is less than or equal to 0 if an error occurred. - -BIO_new_mem_buf() returns a valid B<BIO> structure on success or NULL on error. =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man3/BIO_set_callback.pod b/deps/openssl/openssl/doc/man3/BIO_set_callback.pod index 0a9b6edb65..291456baa4 100644 --- a/deps/openssl/openssl/doc/man3/BIO_set_callback.pod +++ b/deps/openssl/openssl/doc/man3/BIO_set_callback.pod @@ -211,11 +211,6 @@ the actual call parameter, see B<BIO_callback_ctrl>. =back -=head1 EXAMPLE - -The BIO_debug_callback() function is a good example, its source is -in crypto/bio/bio_cb.c - =head1 RETURN VALUES BIO_get_callback_ex() and BIO_get_callback() return the callback function @@ -228,9 +223,14 @@ via a call to BIO_set_callback_arg(). BIO_debug_callback() returns 1 or B<ret> if it's called after specific BIO operations. +=head1 EXAMPLES + +The BIO_debug_callback() function is a good example, its source is +in crypto/bio/bio_cb.c + =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BN_generate_prime.pod b/deps/openssl/openssl/doc/man3/BN_generate_prime.pod index b6e9145106..31fbc1ffa1 100644 --- a/deps/openssl/openssl/doc/man3/BN_generate_prime.pod +++ b/deps/openssl/openssl/doc/man3/BN_generate_prime.pod @@ -51,7 +51,9 @@ Deprecated: =head1 DESCRIPTION BN_generate_prime_ex() generates a pseudo-random prime number of -at least bit length B<bits>. +at least bit length B<bits>. The returned number is probably prime +with a negligible error. + If B<ret> is not B<NULL>, it will be used to store the number. If B<cb> is not B<NULL>, it is used as follows: @@ -89,8 +91,9 @@ generator. If B<safe> is true, it will be a safe prime (i.e. a prime p so that (p-1)/2 is also prime). -The PRNG must be seeded prior to calling BN_generate_prime_ex(). -The prime number generation has a negligible error probability. +The random generator must be seeded prior to calling BN_generate_prime_ex(). +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. BN_is_prime_ex() and BN_is_prime_fasttest_ex() test if the number B<p> is prime. The following tests are performed until one of them shows that @@ -193,7 +196,8 @@ Instead applications should create a BN_GENCB structure using BN_GENCB_new: =head1 SEE ALSO L<DH_generate_parameters(3)>, L<DSA_generate_parameters(3)>, -L<RSA_generate_key(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)> +L<RSA_generate_key(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>, +L<RAND(7)> =head1 HISTORY @@ -202,7 +206,7 @@ and BN_GENCB_get_arg() functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BN_mod_mul_montgomery.pod b/deps/openssl/openssl/doc/man3/BN_mod_mul_montgomery.pod index 4dfcb21d9a..7f47e94c2b 100644 --- a/deps/openssl/openssl/doc/man3/BN_mod_mul_montgomery.pod +++ b/deps/openssl/openssl/doc/man3/BN_mod_mul_montgomery.pod @@ -64,7 +64,7 @@ BN_MONT_CTX_free() has no return value. For the other functions, 1 is returned for success, 0 on error. The error codes can be obtained by L<ERR_get_error(3)>. -=head1 WARNING +=head1 WARNINGS The inputs must be reduced modulo B<m>, otherwise the result will be outside the expected range. @@ -80,7 +80,7 @@ BN_MONT_CTX_init() was removed in OpenSSL 1.1.0 =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/BN_new.pod b/deps/openssl/openssl/doc/man3/BN_new.pod index 1fab6d26eb..7f0f6514bc 100644 --- a/deps/openssl/openssl/doc/man3/BN_new.pod +++ b/deps/openssl/openssl/doc/man3/BN_new.pod @@ -22,7 +22,7 @@ BN_new, BN_secure_new, BN_clear, BN_free, BN_clear_free - allocate and free BIGN BN_new() allocates and initializes a B<BIGNUM> structure. BN_secure_new() does the same except that the secure heap -OPENSSL_secure_malloc(3) is used to store the value. +L<OPENSSL_secure_malloc(3)> is used to store the value. BN_clear() is used to destroy sensitive data such as keys when they are no longer needed. It erases the memory used by B<a> and sets it @@ -46,7 +46,7 @@ BN_clear(), BN_free() and BN_clear_free() have no return values. =head1 SEE ALSO -L<ERR_get_error(3)> +L<ERR_get_error(3)>, L<OPENSSL_secure_malloc(3)> =head1 HISTORY diff --git a/deps/openssl/openssl/doc/man3/CMS_final.pod b/deps/openssl/openssl/doc/man3/CMS_final.pod index 264fe7bc3b..15fd15a68c 100644 --- a/deps/openssl/openssl/doc/man3/CMS_final.pod +++ b/deps/openssl/openssl/doc/man3/CMS_final.pod @@ -12,7 +12,7 @@ CMS_final - finalise a CMS_ContentInfo structure =head1 DESCRIPTION -CMS_final() finalises the structure B<cms>. It's purpose is to perform any +CMS_final() finalises the structure B<cms>. Its purpose is to perform any operations necessary on B<cms> (digest computation for example) and set the appropriate fields. The parameter B<data> contains the content to be processed. The B<dcont> parameter contains a BIO to write content to after @@ -36,7 +36,7 @@ L<CMS_encrypt(3)> =head1 COPYRIGHT -Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/CRYPTO_THREAD_run_once.pod b/deps/openssl/openssl/doc/man3/CRYPTO_THREAD_run_once.pod index 3277613193..b919e2e478 100644 --- a/deps/openssl/openssl/doc/man3/CRYPTO_THREAD_run_once.pod +++ b/deps/openssl/openssl/doc/man3/CRYPTO_THREAD_run_once.pod @@ -97,7 +97,7 @@ one of the first included headers. Therefore it is defined as an application developer's responsibility to include windows.h prior to crypto.h where use of CRYPTO_THREAD_* types and functions is required. -=head1 EXAMPLE +=head1 EXAMPLES This example safely initializes and uses a lock. @@ -161,7 +161,7 @@ L<crypto(7)> =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/CRYPTO_memcmp.pod b/deps/openssl/openssl/doc/man3/CRYPTO_memcmp.pod new file mode 100644 index 0000000000..9182d00796 --- /dev/null +++ b/deps/openssl/openssl/doc/man3/CRYPTO_memcmp.pod @@ -0,0 +1,39 @@ +=pod + +=head1 NAME + +CRYPTO_memcmp - Constant time memory comparison + +=head1 SYNOPSIS + + #include <openssl/crypto.h> + + int CRYPTO_memcmp(const void *a, const void *b, size_t len); + +=head1 DESCRIPTION + +The CRYPTO_memcmp function compares the B<len> bytes pointed to by B<a> and B<b> +for equality. +It takes an amount of time dependent on B<len>, but independent of the +contents of the memory regions pointed to by B<a> and B<b>. + +=head1 RETURN VALUES + +CRYPTO_memcmp() returns 0 if the memory regions are equal and non-zero +otherwise. + +=head1 NOTES + +Unlike memcmp(2), this function cannot be used to order the two memory regions +as the return value when they differ is undefined, other than being non-zero. + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/deps/openssl/openssl/doc/man3/DES_random_key.pod b/deps/openssl/openssl/doc/man3/DES_random_key.pod index bd4bd9750c..04df6ec0df 100644 --- a/deps/openssl/openssl/doc/man3/DES_random_key.pod +++ b/deps/openssl/openssl/doc/man3/DES_random_key.pod @@ -104,9 +104,11 @@ consists of 8 bytes with odd parity. The least significant bit in each byte is the parity bit. The key schedule is an expanded form of the key; it is used to speed the encryption process. -DES_random_key() generates a random key. The PRNG must be seeded -prior to using this function (see L<RAND_bytes(3)>). If the PRNG -could not generate a secure key, 0 is returned. +DES_random_key() generates a random key. The random generator must be +seeded when calling this function. +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. +If the function fails, 0 is returned. Before a DES key can be used, it must be converted into the architecture dependent I<DES_key_schedule> via the diff --git a/deps/openssl/openssl/doc/man3/DSA_generate_key.pod b/deps/openssl/openssl/doc/man3/DSA_generate_key.pod index 9ff7553352..bb1bb36690 100644 --- a/deps/openssl/openssl/doc/man3/DSA_generate_key.pod +++ b/deps/openssl/openssl/doc/man3/DSA_generate_key.pod @@ -15,7 +15,9 @@ DSA_generate_key - generate DSA key pair DSA_generate_key() expects B<a> to contain DSA parameters. It generates a new key pair and stores it in B<a-E<gt>pub_key> and B<a-E<gt>priv_key>. -The PRNG must be seeded prior to calling DSA_generate_key(). +The random generator must be seeded prior to calling DSA_generate_key(). +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. =head1 RETURN VALUES @@ -29,7 +31,7 @@ L<DSA_generate_parameters_ex(3)> =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/DSA_sign.pod b/deps/openssl/openssl/doc/man3/DSA_sign.pod index 889c7a1e07..0d76b8c3f9 100644 --- a/deps/openssl/openssl/doc/man3/DSA_sign.pod +++ b/deps/openssl/openssl/doc/man3/DSA_sign.pod @@ -36,8 +36,10 @@ B<dsa> is the signer's public key. The B<type> parameter is ignored. -The PRNG must be seeded before DSA_sign() (or DSA_sign_setup()) +The random generator must be seeded when DSA_sign() (or DSA_sign_setup()) is called. +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. =head1 RETURN VALUES @@ -54,11 +56,12 @@ Standard, DSS), ANSI X9.30 =head1 SEE ALSO L<DSA_new(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>, -L<DSA_do_sign(3)> +L<DSA_do_sign(3)>, +L<RAND(7)> =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod b/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod index 8d6cda5e7a..6a7d107079 100644 --- a/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod +++ b/deps/openssl/openssl/doc/man3/ECDSA_SIG_new.pod @@ -3,10 +3,10 @@ =head1 NAME ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0, -ECDSA_SIG_new, ECDSA_SIG_free, i2d_ECDSA_SIG, d2i_ECDSA_SIG, ECDSA_size, -ECDSA_sign, ECDSA_do_sign, ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, -ECDSA_sign_ex, ECDSA_do_sign_ex - low level elliptic curve digital signature -algorithm (ECDSA) functions +ECDSA_SIG_new, ECDSA_SIG_free, ECDSA_size, ECDSA_sign, ECDSA_do_sign, +ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex, +ECDSA_do_sign_ex - low level elliptic curve digital signature algorithm (ECDSA) +functions =head1 SYNOPSIS @@ -18,8 +18,6 @@ algorithm (ECDSA) functions const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig); const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig); int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); - int i2d_ECDSA_SIG(const ECDSA_SIG *sig, unsigned char **pp); - ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **sig, const unsigned char **pp, long len); int ECDSA_size(const EC_KEY *eckey); int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, @@ -68,15 +66,8 @@ function transfers the memory management of the values to the ECDSA_SIG object, and therefore the values that have been passed in should not be freed directly after this function has been called. -i2d_ECDSA_SIG() creates the DER encoding of the ECDSA signature B<sig> and -writes the encoded signature to B<*pp> (note: if B<pp> is NULL i2d_ECDSA_SIG() -returns the expected length in bytes of the DER encoded signature). -i2d_ECDSA_SIG() returns the length of the DER encoded signature (or 0 on -error). - -d2i_ECDSA_SIG() decodes a DER encoded ECDSA signature and returns the decoded -signature in a newly allocated B<ECDSA_SIG> structure. B<*sig> points to the -buffer containing the DER encoded signature of size B<len>. +See L<i2d_ECDSA_SIG(3)> and L<d2i_ECDSA_SIG(3)> for information about encoding +and decoding ECDSA signatures to/from DER. ECDSA_size() returns the maximum length of a DER encoded ECDSA signature created with the private EC key B<eckey>. @@ -202,7 +193,9 @@ ANSI X9.62, US Federal Information Processing Standard FIPS 186-2 L<EC_KEY_new(3)>, L<EVP_DigestSignInit(3)>, -L<EVP_DigestVerifyInit(3)> +L<EVP_DigestVerifyInit(3)>, +L<i2d_ECDSA_SIG(3)>, +L<d2i_ECDSA_SIG(3)> =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod index 37bc10d380..3e3e342297 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestInit.pod @@ -304,7 +304,7 @@ macros. EVP_MD_CTX_ctrl() sends commands to message digests for additional configuration or control. -=head1 EXAMPLE +=head1 EXAMPLES This example digests the data "Test Message\n" and "Hello World\n", using the digest name passed on the command line. @@ -381,7 +381,7 @@ The EVP_MD_CTX_set_pkey_ctx() function was added in 1.1.1. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod index 7b74a23cbc..0bbc3d0ff8 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestSignInit.pod @@ -35,7 +35,7 @@ EVP_MD_CTX is freed). The digest B<type> may be NULL if the signing algorithm supports it. -No B<EVP_PKEY_CTX> will be created by EVP_DigsetSignInit() if the passed B<ctx> +No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx> has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also L<SM2(7)>. Only EVP_PKEY types that support signing can be used with these functions. This @@ -125,8 +125,9 @@ and public key algorithms. This meant that "clone" digests such as EVP_dss1() needed to be used to sign using SHA1 and DSA. This is no longer necessary and the use of clone digest is now discouraged. -For some key types and parameters the random number generator must be seeded -or the operation will fail. +For some key types and parameters the random number generator must be seeded. +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. The call to EVP_DigestSignFinal() internally finalizes a copy of the digest context. This means that calls to EVP_DigestSignUpdate() and @@ -147,7 +148,8 @@ L<EVP_DigestVerifyInit(3)>, L<EVP_DigestInit(3)>, L<evp(7)>, L<HMAC(3)>, L<MD2(3)>, L<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>, -L<SHA1(3)>, L<dgst(1)> +L<SHA1(3)>, L<dgst(1)>, +L<RAND(7)> =head1 HISTORY @@ -156,7 +158,7 @@ were added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod b/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod index 592a7508dc..05b99bb913 100644 --- a/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_DigestVerifyInit.pod @@ -32,7 +32,7 @@ being passed to EVP_DigestVerifyInit() (which means the EVP_PKEY_CTX is created inside EVP_DigestVerifyInit() and it will be freed automatically when the EVP_MD_CTX is freed). -No B<EVP_PKEY_CTX> will be created by EVP_DigsetSignInit() if the passed B<ctx> +No B<EVP_PKEY_CTX> will be created by EVP_DigestSignInit() if the passed B<ctx> has already been assigned one via L<EVP_MD_CTX_set_ctx(3)>. See also L<SM2(7)>. EVP_DigestVerifyUpdate() hashes B<cnt> bytes of data at B<d> into the @@ -76,8 +76,9 @@ and public key algorithms. This meant that "clone" digests such as EVP_dss1() needed to be used to sign using SHA1 and DSA. This is no longer necessary and the use of clone digest is now discouraged. -For some key types and parameters the random number generator must be seeded -or the operation will fail. +For some key types and parameters the random number generator must be seeded. +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. The call to EVP_DigestVerifyFinal() internally finalizes a copy of the digest context. This means that EVP_VerifyUpdate() and EVP_VerifyFinal() can @@ -93,7 +94,8 @@ L<EVP_DigestSignInit(3)>, L<EVP_DigestInit(3)>, L<evp(7)>, L<HMAC(3)>, L<MD2(3)>, L<MD5(3)>, L<MDC2(3)>, L<RIPEMD160(3)>, -L<SHA1(3)>, L<dgst(1)> +L<SHA1(3)>, L<dgst(1)>, +L<RAND(7)> =head1 HISTORY diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod index e8f19cfc99..974bbed9b9 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod @@ -121,7 +121,7 @@ All these functions return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. -=head1 EXAMPLE +=head1 EXAMPLES This example derives 10 bytes using SHA-256 with the secret key "secret", salt value "salt" and info value "label": @@ -156,7 +156,7 @@ L<EVP_PKEY_derive(3)> =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_tls1_prf_md.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_tls1_prf_md.pod index 30e50bc63e..9a8d7a8875 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_tls1_prf_md.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_CTX_set_tls1_prf_md.pod @@ -70,7 +70,7 @@ All these functions return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. -=head1 EXAMPLE +=head1 EXAMPLES This example derives 10 bytes using SHA-256 with the secret key "secret" and seed value "seed": @@ -99,7 +99,7 @@ L<EVP_PKEY_derive(3)> =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_decrypt.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_decrypt.pod index 2e3d266541..08d0ec32bd 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_decrypt.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_decrypt.pod @@ -41,7 +41,7 @@ EVP_PKEY_decrypt_init() and EVP_PKEY_decrypt() return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. -=head1 EXAMPLE +=head1 EXAMPLES Decrypt data using OAEP (for RSA keys): @@ -95,7 +95,7 @@ These functions were added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_derive.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_derive.pod index a74065e31f..76b3c3986b 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_derive.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_derive.pod @@ -42,7 +42,7 @@ EVP_PKEY_derive_init() and EVP_PKEY_derive() return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. -=head1 EXAMPLE +=head1 EXAMPLES Derive shared secret (for example DH or EC keys): @@ -93,7 +93,7 @@ These functions were added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_encrypt.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_encrypt.pod index 3718910464..2a3bf2a097 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_encrypt.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_encrypt.pod @@ -41,7 +41,7 @@ EVP_PKEY_encrypt_init() and EVP_PKEY_encrypt() return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. -=head1 EXAMPLE +=head1 EXAMPLES Encrypt data using OAEP (for RSA keys). See also L<PEM_read_PUBKEY(3)> or L<d2i_X509(3)> for means to load a public key. You may also simply @@ -100,7 +100,7 @@ These functions were added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_sign.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_sign.pod index 1672831ff0..175aeed584 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_sign.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_sign.pod @@ -46,7 +46,7 @@ EVP_PKEY_sign_init() and EVP_PKEY_sign() return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. -=head1 EXAMPLE +=head1 EXAMPLES Sign data using RSA with PKCS#1 padding and SHA256 digest: @@ -105,7 +105,7 @@ These functions were added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_verify.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_verify.pod index cdbb80b99d..616fd5577f 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_verify.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_verify.pod @@ -44,7 +44,7 @@ A negative value indicates an error other that signature verification failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. -=head1 EXAMPLE +=head1 EXAMPLES Verify signature using PKCS#1 and SHA256 digest: @@ -93,7 +93,7 @@ These functions were added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_PKEY_verify_recover.pod b/deps/openssl/openssl/doc/man3/EVP_PKEY_verify_recover.pod index 2513606561..a3a7818d79 100644 --- a/deps/openssl/openssl/doc/man3/EVP_PKEY_verify_recover.pod +++ b/deps/openssl/openssl/doc/man3/EVP_PKEY_verify_recover.pod @@ -49,7 +49,7 @@ EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for succes and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. -=head1 EXAMPLE +=head1 EXAMPLES Recover digest originally signed using PKCS#1 and SHA256 digest: @@ -104,7 +104,7 @@ These functions were added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_SealInit.pod b/deps/openssl/openssl/doc/man3/EVP_SealInit.pod index 29d89c3052..2c2c89a71b 100644 --- a/deps/openssl/openssl/doc/man3/EVP_SealInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_SealInit.pod @@ -55,7 +55,9 @@ failure. =head1 NOTES Because a random secret key is generated the random number generator -must be seeded before calling EVP_SealInit(). +must be seeded when EVP_SealInit() is called. +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. The public key must be RSA because it is the only OpenSSL public key algorithm that supports key transport. @@ -75,11 +77,12 @@ with B<type> set to NULL. L<evp(7)>, L<RAND_bytes(3)>, L<EVP_EncryptInit(3)>, -L<EVP_OpenInit(3)> +L<EVP_OpenInit(3)>, +L<RAND(7)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_SignInit.pod b/deps/openssl/openssl/doc/man3/EVP_SignInit.pod index 86fec82fb0..c26b7f7d5d 100644 --- a/deps/openssl/openssl/doc/man3/EVP_SignInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_SignInit.pod @@ -66,9 +66,10 @@ The B<EVP> interface to digital signatures should almost always be used in preference to the low level interfaces. This is because the code then becomes transparent to the algorithm used and much more flexible. -When signing with DSA private keys the random number generator must be seeded -or the operation will fail. The random number generator does not need to be -seeded for RSA signatures. +When signing with DSA private keys the random number generator must be seeded. +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. +This requirement does not hold for RSA signatures. The call to EVP_SignFinal() internally finalizes a copy of the digest context. This means that calls to EVP_SignUpdate() and EVP_SignFinal() can be called @@ -102,7 +103,7 @@ L<SHA1(3)>, L<dgst(1)> =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_VerifyInit.pod b/deps/openssl/openssl/doc/man3/EVP_VerifyInit.pod index f86825849b..647c99bceb 100644 --- a/deps/openssl/openssl/doc/man3/EVP_VerifyInit.pod +++ b/deps/openssl/openssl/doc/man3/EVP_VerifyInit.pod @@ -72,7 +72,7 @@ data have been passed through EVP_SignUpdate(). It is not possible to change the signing parameters using these function. -The previous two bugs are fixed in the newer EVP_VerifyDigest*() function. +The previous two bugs are fixed in the newer EVP_DigestVerify*() function. =head1 SEE ALSO @@ -85,7 +85,7 @@ L<SHA1(3)>, L<dgst(1)> =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_aria.pod b/deps/openssl/openssl/doc/man3/EVP_aria.pod index fbb7918754..c30ff9929c 100644 --- a/deps/openssl/openssl/doc/man3/EVP_aria.pod +++ b/deps/openssl/openssl/doc/man3/EVP_aria.pod @@ -32,7 +32,7 @@ EVP_aria_256_ccm, EVP_aria_128_gcm, EVP_aria_192_gcm, EVP_aria_256_gcm, -- EVP AES cipher +- EVP ARIA cipher =head1 SYNOPSIS @@ -106,7 +106,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_md5.pod b/deps/openssl/openssl/doc/man3/EVP_md5.pod index 725fcbf5e2..ed0f99c99d 100644 --- a/deps/openssl/openssl/doc/man3/EVP_md5.pod +++ b/deps/openssl/openssl/doc/man3/EVP_md5.pod @@ -29,7 +29,7 @@ The MD5 algorithm which produces a 128-bit output from a given input. =item EVP_md5_sha1() -A hash algorithm of SSL v3 that combines MD5 with SHA-1 as decirbed in RFC +A hash algorithm of SSL v3 that combines MD5 with SHA-1 as described in RFC 6101. WARNING: this algorithm is not intended for non-SSL usage. @@ -54,7 +54,7 @@ L<EVP_DigestInit(3)> =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/EVP_rc5_32_12_16_cbc.pod b/deps/openssl/openssl/doc/man3/EVP_rc5_32_12_16_cbc.pod index 442a114ea9..9eb8bd9dc3 100644 --- a/deps/openssl/openssl/doc/man3/EVP_rc5_32_12_16_cbc.pod +++ b/deps/openssl/openssl/doc/man3/EVP_rc5_32_12_16_cbc.pod @@ -33,7 +33,26 @@ EVP_rc5_32_12_16_ofb() RC5 encryption algorithm in CBC, CFB, ECB and OFB modes respectively. This is a variable key length cipher with an additional "number of rounds" parameter. By -default the key length is set to 128 bits and 12 rounds. +default the key length is set to 128 bits and 12 rounds. Alternative key lengths +can be set using L<EVP_CIPHER_CTX_set_key_length(3)>. The maximum key length is +2040 bits. + +The following rc5 specific I<ctrl>s are supported (see +L<EVP_CIPHER_CTX_ctrl(3)>). + +=over 4 + +=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, rounds, NULL) + +Sets the number of rounds to B<rounds>. This must be one of RC5_8_ROUNDS, +RC5_12_ROUNDS or RC5_16_ROUNDS. + +=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &rounds) + +Stores the number of rounds currently configured in B<*rounds> where B<*rounds> +is an int. + +=back =back @@ -43,10 +62,6 @@ These functions return an B<EVP_CIPHER> structure that contains the implementation of the symmetric cipher. See L<EVP_CIPHER_meth_new(3)> for details of the B<EVP_CIPHER> structure. -=head1 BUGS - -Currently the number of rounds in RC5 can only be set to 8, 12 or 16. -This is a limitation of the current RC5 code rather than the EVP interface. =head1 SEE ALSO @@ -56,7 +71,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OCSP_REQUEST_new.pod b/deps/openssl/openssl/doc/man3/OCSP_REQUEST_new.pod index a382b16ed3..283c226bc4 100644 --- a/deps/openssl/openssl/doc/man3/OCSP_REQUEST_new.pod +++ b/deps/openssl/openssl/doc/man3/OCSP_REQUEST_new.pod @@ -75,7 +75,7 @@ corresponding to each certificate. OCSP_request_onereq_count() and OCSP_request_onereq_get0() are mainly used by OCSP responders. -=head1 EXAMPLE +=head1 EXAMPLES Create an B<OCSP_REQUEST> structure for certificate B<cert> with issuer B<issuer>: @@ -108,7 +108,7 @@ L<OCSP_sendreq_new(3)> =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OPENSSL_fork_prepare.pod b/deps/openssl/openssl/doc/man3/OPENSSL_fork_prepare.pod index 7c4eb1dbfd..a47a07a390 100644 --- a/deps/openssl/openssl/doc/man3/OPENSSL_fork_prepare.pod +++ b/deps/openssl/openssl/doc/man3/OPENSSL_fork_prepare.pod @@ -24,7 +24,7 @@ The OPENSSL_fork_prepare(), OPENSSL_fork_parent(), and OPENSSL_fork_child() functions are used to reset this internal state. Platforms without fork(2) will probably not need to use these functions. -Platforms with fork(2) but without pthreads_atfork(3) will probably need +Platforms with fork(2) but without pthread_atfork(3) will probably need to call them manually, as described in the following paragraph. Platforms such as Linux that have both functions will normally not need to call these functions as the OpenSSL library will do so automatically. @@ -32,7 +32,7 @@ functions as the OpenSSL library will do so automatically. L<OPENSSL_init_crypto(3)> will register these functions with the appropriate handler, when the B<OPENSSL_INIT_ATFORK> flag is used. For other applications, these functions can be called directly. They should be used -according to the calling sequence described by the pthreads_atfork(3) +according to the calling sequence described by the pthread_atfork(3) documentation, which is summarized here. OPENSSL_fork_prepare() should be called before a fork() is done. After the fork() returns, the parent process should call OPENSSL_fork_parent() and the child process should @@ -53,7 +53,7 @@ These functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OSSL_STORE_LOADER.pod b/deps/openssl/openssl/doc/man3/OSSL_STORE_LOADER.pod index 1503754114..b0c15b01c3 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_STORE_LOADER.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_STORE_LOADER.pod @@ -95,7 +95,7 @@ manner possible according to the scheme the loader implements, it also takes a B<UI_METHOD> and associated data, to be used any time something needs to be prompted for. Furthermore, this function is expected to initialize what needs to be -initialized, to create a privata data store (B<OSSL_STORE_LOADER_CTX>, see +initialized, to create a private data store (B<OSSL_STORE_LOADER_CTX>, see above), and to return it. If something goes wrong, this function is expected to return NULL. @@ -254,7 +254,7 @@ were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/OSSL_STORE_expect.pod b/deps/openssl/openssl/doc/man3/OSSL_STORE_expect.pod index 154472a76b..ff3fb2a69d 100644 --- a/deps/openssl/openssl/doc/man3/OSSL_STORE_expect.pod +++ b/deps/openssl/openssl/doc/man3/OSSL_STORE_expect.pod @@ -32,7 +32,7 @@ grained search of objects. OSSL_STORE_supports_search() checks if the loader of the given OSSL_STORE context supports the given search type. -See L<OSSL_STORE_SEARCH/SUPPORED CRITERION TYPES> for information on the +See L<OSSL_STORE_SEARCH/SUPPORTED CRITERION TYPES> for information on the supported search criterion types. OSSL_STORE_expect() and OSSL_STORE_find I<must> be called before the first @@ -69,7 +69,7 @@ were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/PKCS12_newpass.pod b/deps/openssl/openssl/doc/man3/PKCS12_newpass.pod index 1c34ee5449..5fc041bfbd 100644 --- a/deps/openssl/openssl/doc/man3/PKCS12_newpass.pod +++ b/deps/openssl/openssl/doc/man3/PKCS12_newpass.pod @@ -34,7 +34,7 @@ L<UI_OpenSSL(3)>, for example. PKCS12_newpass() returns 1 on success or 0 on failure. Applications can retrieve the most recent error from PKCS12_newpass() with ERR_get_error(). -=head1 EXAMPLE +=head1 EXAMPLES This example loads a PKCS#12 file, changes its password and writes out the result to a new file. @@ -107,7 +107,7 @@ L<passphrase-encoding(7)> =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RAND_DRBG_set_callbacks.pod b/deps/openssl/openssl/doc/man3/RAND_DRBG_set_callbacks.pod index 3da051e696..55e9a8b7af 100644 --- a/deps/openssl/openssl/doc/man3/RAND_DRBG_set_callbacks.pod +++ b/deps/openssl/openssl/doc/man3/RAND_DRBG_set_callbacks.pod @@ -114,7 +114,7 @@ In other words, prediction resistance is currently not supported yet by the DRBG The derivation function is disabled during initialization by calling the RAND_DRBG_set() function with the RAND_DRBG_FLAG_CTR_NO_DF flag. For more information on the derivation function and when it can be omitted, -see [NIST SP 800-90A Rev. 1]. Roughly speeking it can be omitted if the random +see [NIST SP 800-90A Rev. 1]. Roughly speaking it can be omitted if the random source has "full entropy", i.e., contains 8 bits of entropy per byte. Even if a nonce is required, the B<get_nonce>() and B<cleanup_nonce>() diff --git a/deps/openssl/openssl/doc/man3/RAND_set_rand_method.pod b/deps/openssl/openssl/doc/man3/RAND_set_rand_method.pod index d4b65b91fd..83a6cac17a 100644 --- a/deps/openssl/openssl/doc/man3/RAND_set_rand_method.pod +++ b/deps/openssl/openssl/doc/man3/RAND_set_rand_method.pod @@ -10,7 +10,7 @@ RAND_set_rand_method, RAND_get_rand_method, RAND_OpenSSL - select RAND method RAND_METHOD *RAND_OpenSSL(void); - void RAND_set_rand_method(const RAND_METHOD *meth); + int RAND_set_rand_method(const RAND_METHOD *meth); const RAND_METHOD *RAND_get_rand_method(void); @@ -48,8 +48,9 @@ Each pointer may be NULL if the function is not implemented. =head1 RETURN VALUES -RAND_set_rand_method() returns no value. RAND_get_rand_method() and -RAND_OpenSSL() return pointers to the respective methods. +RAND_set_rand_method() returns 1 on success and 0 on failue. +RAND_get_rand_method() and RAND_OpenSSL() return pointers to the respective +methods. =head1 SEE ALSO @@ -59,7 +60,7 @@ L<RAND(7)> =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_blinding_on.pod b/deps/openssl/openssl/doc/man3/RSA_blinding_on.pod index 33d49d3720..5db127f16e 100644 --- a/deps/openssl/openssl/doc/man3/RSA_blinding_on.pod +++ b/deps/openssl/openssl/doc/man3/RSA_blinding_on.pod @@ -20,8 +20,7 @@ must be used to protect the RSA operation from that attack. RSA_blinding_on() turns blinding on for key B<rsa> and generates a random blinding factor. B<ctx> is B<NULL> or a pre-allocated and -initialized B<BN_CTX>. The random number generator must be seeded -prior to calling RSA_blinding_on(). +initialized B<BN_CTX>. RSA_blinding_off() turns blinding off and frees the memory used for the blinding factor. @@ -34,7 +33,7 @@ RSA_blinding_off() returns no value. =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_generate_key.pod b/deps/openssl/openssl/doc/man3/RSA_generate_key.pod index a4c078a4b0..491ba41e50 100644 --- a/deps/openssl/openssl/doc/man3/RSA_generate_key.pod +++ b/deps/openssl/openssl/doc/man3/RSA_generate_key.pod @@ -15,7 +15,7 @@ RSA_generate_multi_prime_key - generate RSA key pair Deprecated: #if OPENSSL_API_COMPAT < 0x00908000L - RSA *RSA_generate_key(int num, unsigned long e, + RSA *RSA_generate_key(int bits, unsigned long e, void (*callback)(int, int, void *), void *cb_arg); #endif @@ -27,8 +27,10 @@ be seeded prior to calling RSA_generate_key_ex(). RSA_generate_multi_prime_key() generates a multi-prime RSA key pair and stores it in the B<RSA> structure provided in B<rsa>. The number of primes is given by -the B<primes> parameter. The pseudo-random number generator must be seeded prior -to calling RSA_generate_multi_prime_key(). +the B<primes> parameter. The random number generator must be seeded when +calling RSA_generate_multi_prime_key(). +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. The modulus size will be of length B<bits>, the number of primes to form the modulus will be B<primes>, and the public exponent will be B<e>. Key sizes @@ -47,7 +49,7 @@ progress of the key generation. If B<cb> is not B<NULL>, it will be called as follows using the BN_GENCB_call() function described on the L<BN_generate_prime(3)> page. -RSA_generate_prime() is similar to RSA_generate_prime_ex() but +RSA_generate_key() is similar to RSA_generate_key_ex() but expects an old-style callback function; see L<BN_generate_prime(3)> for information on the old-style callback. @@ -88,7 +90,8 @@ B<BN_GENCB_call(cb, 2, x)> is used with two different meanings. =head1 SEE ALSO -L<ERR_get_error(3)>, L<RAND_bytes(3)>, L<BN_generate_prime(3)> +L<ERR_get_error(3)>, L<RAND_bytes(3)>, L<BN_generate_prime(3)>, +L<RAND(7)> =head1 HISTORY @@ -97,7 +100,7 @@ RSA_generate_key_ex() instead. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/deps/openssl/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod index 20926003d8..d0d42ce265 100644 --- a/deps/openssl/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod +++ b/deps/openssl/openssl/doc/man3/RSA_padding_add_PKCS1_type_1.pod @@ -100,6 +100,8 @@ simply copy the data The random number generator must be seeded prior to calling RSA_padding_add_xxx(). +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. RSA_padding_check_xxx() verifies that the B<fl> bytes at B<f> contain a valid encoding for a B<rsa_len> byte RSA key in the respective @@ -121,7 +123,7 @@ The RSA_padding_check_xxx() functions return the length of the recovered data, -1 on error. Error codes can be obtained by calling L<ERR_get_error(3)>. -=head1 WARNING +=head1 WARNINGS The result of RSA_padding_check_PKCS1_type_2() is a very sensitive information which can potentially be used to mount a Bleichenbacher @@ -143,7 +145,8 @@ including PKCS1_OAEP. L<RSA_public_encrypt(3)>, L<RSA_private_decrypt(3)>, -L<RSA_sign(3)>, L<RSA_verify(3)> +L<RSA_sign(3)>, L<RSA_verify(3)>, +L<RAND(7)> =head1 COPYRIGHT diff --git a/deps/openssl/openssl/doc/man3/RSA_public_encrypt.pod b/deps/openssl/openssl/doc/man3/RSA_public_encrypt.pod index d91c6884b1..384c4823cb 100644 --- a/deps/openssl/openssl/doc/man3/RSA_public_encrypt.pod +++ b/deps/openssl/openssl/doc/man3/RSA_public_encrypt.pod @@ -81,7 +81,7 @@ means only that the plaintext was empty. On error, -1 is returned; the error codes can be obtained by L<ERR_get_error(3)>. -=head1 WARNING +=head1 WARNINGS Decryption failures in the RSA_PKCS1_PADDING mode leak information which can potentially be used to mount a Bleichenbacher padding oracle diff --git a/deps/openssl/openssl/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod b/deps/openssl/openssl/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod index f577e153d6..6e8a53b53e 100644 --- a/deps/openssl/openssl/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod +++ b/deps/openssl/openssl/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod @@ -26,7 +26,10 @@ memory. B<dummy> is ignored. -The random number generator must be seeded prior to calling RSA_sign_ASN1_OCTET_STRING(). +The random number generator must be seeded when calling +RSA_sign_ASN1_OCTET_STRING(). +If the automatic seeding or reseeding of the OpenSSL CSPRNG fails due to +external circumstances (see L<RAND(7)>), the operation will fail. RSA_verify_ASN1_OCTET_STRING() verifies that the signature B<sigbuf> of size B<siglen> is the DER representation of a given octet string @@ -49,11 +52,12 @@ These functions serve no recognizable purpose. L<ERR_get_error(3)>, L<RAND_bytes(3)>, L<RSA_sign(3)>, -L<RSA_verify(3)> +L<RSA_verify(3)>, +L<RAND(7)> =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_config.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_config.pod index 90d86746ce..76c4d3238c 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_config.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_config.pod @@ -33,7 +33,7 @@ file syntax. SSL_CTX_config() and SSL_config() return 1 for success or 0 if an error occurred. -=head1 EXAMPLE +=head1 EXAMPLES If the file "config.cnf" contains the following: @@ -81,7 +81,7 @@ The SSL_CTX_config() and SSL_config() functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_dane_enable.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_dane_enable.pod index d1b3c1aad7..7168bd64fd 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_dane_enable.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_dane_enable.pod @@ -181,7 +181,7 @@ The functions SSL_CTX_dane_set_flags(), SSL_CTX_dane_clear_flags(), SSL_dane_set_flags() and SSL_dane_clear_flags() return the B<flags> in effect before they were called. -=head1 EXAMPLE +=head1 EXAMPLES Suppose "smtp.example.com" is the MX host of the domain "example.com", and has DNSSEC-validated TLSA records. @@ -372,7 +372,7 @@ These functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_get0_param.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_get0_param.pod index 8b99dc330a..55cddfded6 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_get0_param.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_get0_param.pod @@ -29,13 +29,6 @@ Typically parameters are retrieved from an B<SSL_CTX> or B<SSL> structure using SSL_CTX_get0_param() or SSL_get0_param() and an application modifies them to suit its needs: for example to add a hostname check. -=head1 EXAMPLE - -Check hostname matches "www.foo.com" in peer certificate: - - X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl); - X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com", 0); - =head1 RETURN VALUES SSL_CTX_get0_param() and SSL_get0_param() return a pointer to an @@ -44,6 +37,13 @@ B<X509_VERIFY_PARAM> structure. SSL_CTX_set1_param() and SSL_set1_param() return 1 for success and 0 for failure. +=head1 EXAMPLES + +Check hostname matches "www.foo.com" in peer certificate: + + X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl); + X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com", 0); + =head1 SEE ALSO L<X509_VERIFY_PARAM_set_flags(3)> @@ -54,7 +54,7 @@ These functions were added in OpenSSL 1.0.2. =head1 COPYRIGHT -Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_new.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_new.pod index df25a6f657..a6c036c365 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_new.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_new.pod @@ -94,28 +94,31 @@ The actual protocol version used will be negotiated to the highest version mutually supported by the client and the server. The supported protocols are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. Applications should use these methods, and avoid the version-specific -methods described below. +methods described below, which are deprecated. =item SSLv23_method(), SSLv23_server_method(), SSLv23_client_method() -Use of these functions is deprecated. They have been replaced with the above -TLS_method(), TLS_server_method() and TLS_client_method() respectively. New -code should use those functions instead. +These functions do not exist anymore, they have been renamed to +TLS_method(), TLS_server_method() and TLS_client_method() respectively. +Currently, the old function calls are renamed to the corresponding new +ones by preprocessor macros, to ensure that existing code which uses the +old function names still compiles. However, using the old function names +is deprecated and new code should call the new functions instead. =item TLSv1_2_method(), TLSv1_2_server_method(), TLSv1_2_client_method() A TLS/SSL connection established with these methods will only understand the -TLSv1.2 protocol. +TLSv1.2 protocol. These methods are deprecated. =item TLSv1_1_method(), TLSv1_1_server_method(), TLSv1_1_client_method() A TLS/SSL connection established with these methods will only understand the -TLSv1.1 protocol. +TLSv1.1 protocol. These methods are deprecated. =item TLSv1_method(), TLSv1_server_method(), TLSv1_client_method() A TLS/SSL connection established with these methods will only understand the -TLSv1 protocol. +TLSv1 protocol. These methods are deprecated. =item SSLv3_method(), SSLv3_server_method(), SSLv3_client_method() @@ -131,10 +134,12 @@ Currently supported protocols are DTLS 1.0 and DTLS 1.2. =item DTLSv1_2_method(), DTLSv1_2_server_method(), DTLSv1_2_client_method() These are the version-specific methods for DTLSv1.2. +These methods are deprecated. =item DTLSv1_method(), DTLSv1_server_method(), DTLSv1_client_method() These are the version-specific methods for DTLSv1. +These methods are deprecated. =back diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_cipher_list.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_cipher_list.pod index 59c6b4bdc9..66ade10283 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_cipher_list.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_cipher_list.pod @@ -31,7 +31,7 @@ B<ssl>. SSL_CTX_set_ciphersuites() is used to configure the available TLSv1.3 ciphersuites for B<ctx>. This is a simple colon (":") separated list of TLSv1.3 -ciphersuite names in order of perference. Valid TLSv1.3 ciphersuite names are: +ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are: =over 4 @@ -102,7 +102,7 @@ L<ciphers(1)> =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod index dab5637508..1735c6271b 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_generate_session_id.pod @@ -10,7 +10,7 @@ SSL_has_matching_session_id, GEN_SESSION_CB #include <openssl/ssl.h> - typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id, + typedef int (*GEN_SESSION_CB)(SSL *ssl, unsigned char *id, unsigned int *id_len); int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb); @@ -98,7 +98,7 @@ server id given, and will fill the rest with pseudo random bytes: const char session_id_prefix = "www-18"; #define MAX_SESSION_ID_ATTEMPTS 10 - static int generate_session_id(const SSL *ssl, unsigned char *id, + static int generate_session_id(SSL *ssl, unsigned char *id, unsigned int *id_len) { unsigned int count = 0; diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_session_id_context.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_session_id_context.pod index d83235091c..4036d3c7b3 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_session_id_context.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_session_id_context.pod @@ -42,7 +42,7 @@ OpenSSL clients will check the session id context returned by the server when reusing a session. The maximum length of the B<sid_ctx> is limited to -B<SSL_MAX_SSL_SESSION_ID_LENGTH>. +B<SSL_MAX_SID_CTX_LENGTH>. =head1 WARNINGS @@ -67,7 +67,7 @@ return the following values: =item Z<>0 The length B<sid_ctx_len> of the session id context B<sid_ctx> exceeded -the maximum allowed length of B<SSL_MAX_SSL_SESSION_ID_LENGTH>. The error +the maximum allowed length of B<SSL_MAX_SID_CTX_LENGTH>. The error is logged to the error stack. =item Z<>1 @@ -82,7 +82,7 @@ L<ssl(7)> =head1 COPYRIGHT -Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_CTX_set_verify.pod b/deps/openssl/openssl/doc/man3/SSL_CTX_set_verify.pod index 21d9ae1018..1e759c3de0 100644 --- a/deps/openssl/openssl/doc/man3/SSL_CTX_set_verify.pod +++ b/deps/openssl/openssl/doc/man3/SSL_CTX_set_verify.pod @@ -102,7 +102,7 @@ B<Server mode:> if the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a "handshake failure" alert. This flag must be used together with SSL_VERIFY_PEER. -B<Client mode:> ignored +B<Client mode:> ignored (see BUGS) =item SSL_VERIFY_CLIENT_ONCE @@ -112,7 +112,7 @@ renegotiation or post-authentication if a certificate was requested during the initial handshake. This flag must be used together with SSL_VERIFY_PEER. -B<Client mode:> ignored +B<Client mode:> ignored (see BUGS) =item SSL_VERIFY_POST_HANDSHAKE @@ -123,7 +123,7 @@ to be configured for post-handshake peer verification before the handshake occurs. This flag must be used together with SSL_VERIFY_PEER. TLSv1.3 only; no effect on pre-TLSv1.3 connections. -B<Client mode:> ignored +B<Client mode:> ignored (see BUGS) =back @@ -203,8 +203,8 @@ message is sent to the client. =head1 BUGS In client mode, it is not checked whether the SSL_VERIFY_PEER flag -is set, but whether any flags are set. This can lead to -unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as +is set, but whether any flags other than SSL_VERIFY_NONE are set. This can +lead to unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as required. =head1 RETURN VALUES @@ -348,7 +348,7 @@ and SSL_set_post_handshake_auth() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_SESSION_get0_hostname.pod b/deps/openssl/openssl/doc/man3/SSL_SESSION_get0_hostname.pod index 989c997882..475f700a88 100644 --- a/deps/openssl/openssl/doc/man3/SSL_SESSION_get0_hostname.pod +++ b/deps/openssl/openssl/doc/man3/SSL_SESSION_get0_hostname.pod @@ -6,7 +6,7 @@ SSL_SESSION_get0_hostname, SSL_SESSION_set1_hostname, SSL_SESSION_get0_alpn_selected, SSL_SESSION_set1_alpn_selected -- get and set SNI and ALPN data ssociated with a session +- get and set SNI and ALPN data associated with a session =head1 SYNOPSIS @@ -64,7 +64,7 @@ SSL_SESSION_set1_alpn_selected() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_get_error.pod b/deps/openssl/openssl/doc/man3/SSL_get_error.pod index 32668a036d..97320a6c15 100644 --- a/deps/openssl/openssl/doc/man3/SSL_get_error.pod +++ b/deps/openssl/openssl/doc/man3/SSL_get_error.pod @@ -14,9 +14,9 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation SSL_get_error() returns a result code (suitable for the C "switch" statement) for a preceding call to SSL_connect(), SSL_accept(), SSL_do_handshake(), -SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_write_ex() or -SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O function must be -passed to SSL_get_error() in parameter B<ret>. +SSL_read_ex(), SSL_read(), SSL_peek_ex(), SSL_peek(), SSL_shutdown(), +SSL_write_ex() or SSL_write() on B<ssl>. The value returned by that TLS/SSL I/O +function must be passed to SSL_get_error() in parameter B<ret>. In addition to B<ssl> and B<ret>, SSL_get_error() inspects the current thread's OpenSSL error queue. Thus, SSL_get_error() must be diff --git a/deps/openssl/openssl/doc/man3/SSL_library_init.pod b/deps/openssl/openssl/doc/man3/SSL_library_init.pod index 85768a1028..e486fae89d 100644 --- a/deps/openssl/openssl/doc/man3/SSL_library_init.pod +++ b/deps/openssl/openssl/doc/man3/SSL_library_init.pod @@ -25,7 +25,7 @@ implemented as a macro. SSL_library_init() must be called before any other action takes place. SSL_library_init() is not reentrant. -=head1 WARNING +=head1 WARNINGS SSL_library_init() adds ciphers and digests used directly and indirectly by SSL/TLS. @@ -47,7 +47,7 @@ deprecated in OpenSSL 1.1.0 by OPENSSL_init_ssl(). =head1 COPYRIGHT -Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_set1_host.pod b/deps/openssl/openssl/doc/man3/SSL_set1_host.pod index a2c9f133ee..4ae9f6e7f3 100644 --- a/deps/openssl/openssl/doc/man3/SSL_set1_host.pod +++ b/deps/openssl/openssl/doc/man3/SSL_set1_host.pod @@ -71,7 +71,7 @@ applicable (as with RFC7671 DANE-EE(3)), or no trusted peername was matched. Otherwise, it returns the matched peername. To determine whether verification succeeded call L<SSL_get_verify_result(3)>. -=head1 EXAMPLE +=head1 EXAMPLES Suppose "smtp.example.com" is the MX host of the domain "example.com". The calls below will arrange to match either the MX hostname or the @@ -108,7 +108,7 @@ These functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/SSL_write.pod b/deps/openssl/openssl/doc/man3/SSL_write.pod index 84eb948cc6..a76ffbb8fd 100644 --- a/deps/openssl/openssl/doc/man3/SSL_write.pod +++ b/deps/openssl/openssl/doc/man3/SSL_write.pod @@ -57,7 +57,7 @@ operation is considered completed. The bytes are sent and a new write call with a new buffer (with the already sent bytes removed) must be started. A partial write is performed with the size of a message block, which is 16kB. -=head1 WARNING +=head1 WARNINGS When a write function call has to be repeated because L<SSL_get_error(3)> returned B<SSL_ERROR_WANT_READ> or B<SSL_ERROR_WANT_WRITE>, it must be repeated diff --git a/deps/openssl/openssl/doc/man3/X509_STORE_CTX_get_error.pod b/deps/openssl/openssl/doc/man3/X509_STORE_CTX_get_error.pod index f166b0832d..bdbf86ae96 100644 --- a/deps/openssl/openssl/doc/man3/X509_STORE_CTX_get_error.pod +++ b/deps/openssl/openssl/doc/man3/X509_STORE_CTX_get_error.pod @@ -101,8 +101,8 @@ the operation was successful. =item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate> -the issuer certificate could not be found: this occurs if the issuer certificate -of an untrusted certificate cannot be found. +the issuer certificate of a locally looked up certificate could not be found. +This normally means the list of trusted certificates is not complete. =item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL> @@ -180,8 +180,8 @@ the root could not be found locally. =item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate> -the issuer certificate of a locally looked up certificate could not be found. -This normally means the list of trusted certificates is not complete. +the issuer certificate could not be found: this occurs if the issuer certificate +of an untrusted certificate cannot be found. =item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate> @@ -328,7 +328,7 @@ L<X509_free(3)>. =head1 COPYRIGHT -Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_STORE_CTX_set_verify_cb.pod b/deps/openssl/openssl/doc/man3/X509_STORE_CTX_set_verify_cb.pod index 647ed2f174..7cd661f215 100644 --- a/deps/openssl/openssl/doc/man3/X509_STORE_CTX_set_verify_cb.pod +++ b/deps/openssl/openssl/doc/man3/X509_STORE_CTX_set_verify_cb.pod @@ -76,7 +76,7 @@ from the corresponding B<X509_STORE>, please see L<X509_STORE_set_verify(3)> for more information. -=head1 WARNING +=head1 WARNINGS In general a verification callback should B<NOT> unconditionally return 1 in all circumstances because this will allow verification to succeed no matter @@ -202,7 +202,7 @@ and X509_STORE_CTX_get_cleanup() functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_STORE_add_cert.pod b/deps/openssl/openssl/doc/man3/X509_STORE_add_cert.pod index 8ac9729bc3..3ea5b8b127 100644 --- a/deps/openssl/openssl/doc/man3/X509_STORE_add_cert.pod +++ b/deps/openssl/openssl/doc/man3/X509_STORE_add_cert.pod @@ -55,7 +55,9 @@ operate on pointers to B<X509> objects, though. X509_STORE_add_cert() and X509_STORE_add_crl() add the respective object to the B<X509_STORE>'s local storage. Untrusted objects should not be -added in this way. +added in this way. The added object's reference count is incremented by one, +hence the caller retains ownership of the object and needs to free it when it +is no longer needed. X509_STORE_set_depth(), X509_STORE_set_flags(), X509_STORE_set_purpose(), X509_STORE_set_trust(), and X509_STORE_set1_param() set the default values @@ -90,7 +92,7 @@ L<X509_STORE_get0_param(3)> =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_STORE_new.pod b/deps/openssl/openssl/doc/man3/X509_STORE_new.pod index b3bc96e20b..a28c8a20a8 100644 --- a/deps/openssl/openssl/doc/man3/X509_STORE_new.pod +++ b/deps/openssl/openssl/doc/man3/X509_STORE_new.pod @@ -23,7 +23,7 @@ X509_STORE_up_ref() increments the reference count associated with the X509_STORE object. X509_STORE_lock() locks the store from modification by other threads, -X509_STORE_unlock() locks it. +X509_STORE_unlock() unlocks it. X509_STORE_free() frees up a single X509_STORE object. @@ -48,7 +48,7 @@ functions were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod index f45467cace..7593dea7da 100644 --- a/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/deps/openssl/openssl/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -346,7 +346,7 @@ If CRLs checking is enable CRLs are expected to be available in the corresponding B<X509_STORE> structure. No attempt is made to download CRLs from the CRL distribution points extension. -=head1 EXAMPLE +=head1 EXAMPLES Enable CRL checking when performing certificate verification during SSL connections associated with an B<SSL_CTX> structure B<ctx>: @@ -376,7 +376,7 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. =head1 COPYRIGHT -Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/X509_cmp.pod b/deps/openssl/openssl/doc/man3/X509_cmp.pod new file mode 100644 index 0000000000..3cb16b2a81 --- /dev/null +++ b/deps/openssl/openssl/doc/man3/X509_cmp.pod @@ -0,0 +1,80 @@ +=pod + +=head1 NAME + +X509_cmp, X509_NAME_cmp, +X509_issuer_and_serial_cmp, X509_issuer_name_cmp, X509_subject_name_cmp, +X509_CRL_cmp, X509_CRL_match +- compare X509 certificates and related values + +=head1 SYNOPSIS + + #include <openssl/x509.h> + + int X509_cmp(const X509 *a, const X509 *b); + int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); + int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b); + int X509_issuer_name_cmp(const X509 *a, const X509 *b); + int X509_subject_name_cmp(const X509 *a, const X509 *b); + int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); + int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); + +=head1 DESCRIPTION + +This set of functions are used to compare X509 objects, including X509 +certificates, X509 CRL objects and various values in an X509 certificate. + +The X509_cmp() function compares two B<X509> objects indicated by parameters +B<a> and B<b>. The comparison is based on the B<memcmp> result of the hash +values of two B<X509> objects and the canonical (DER) encoding values. + +The X509_NAME_cmp() function compares two B<X509_NAME> objects indicated by +parameters B<a> and B<b>. The comparison is based on the B<memcmp> result of +the canonical (DER) encoding values of the two objects. L<i2d_X509_NAME(3)> +has a more detailed description of the DER encoding of the B<X509_NAME> structure. + +The X509_issuer_and_serial_cmp() function compares the serial number and issuer +values in the given B<X509> objects B<a> and B<b>. + +The X509_issuer_name_cmp(), X509_subject_name_cmp() and X509_CRL_cmp() functions +are effectively wrappers of the X509_NAME_cmp() function. These functions compare +issuer names and subject names of the X<509> objects, or issuers of B<X509_CRL> +objects, respectively. + +The X509_CRL_match() function compares two B<X509_CRL> objects. Unlike the +X509_CRL_cmp() function, this function compares the whole CRL content instead +of just the issuer name. + +=head1 RETURN VALUES + +Like common memory comparison functions, the B<X509> comparison functions return +an integer less than, equal to, or greater than zero if object B<a> is found to +be less than, to match, or be greater than object B<b>, respectively. + +X509_NAME_cmp(), X509_issuer_and_serial_cmp(), X509_issuer_name_cmp(), +X509_subject_name_cmp() and X509_CRL_cmp() may return B<-2> to indicate an error. + +=head1 NOTES + +These functions in fact utilize the underlying B<memcmp> of the C library to do +the comparison job. Data to be compared varies from DER encoding data, hash +value or B<ASN1_STRING>. The sign of the comparison can be used to order the +objects but it does not have a special meaning in some cases. + +X509_NAME_cmp() and wrappers utilize the value B<-2> to indicate errors in some +circumstances, which could cause confusion for the applications. + +=head1 SEE ALSO + +L<i2d_X509_NAME(3)>, L<i2d_X509(3)> + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/deps/openssl/openssl/doc/man3/X509_get_extension_flags.pod b/deps/openssl/openssl/doc/man3/X509_get_extension_flags.pod index fc4ebbb31d..2dfe2ef372 100644 --- a/deps/openssl/openssl/doc/man3/X509_get_extension_flags.pod +++ b/deps/openssl/openssl/doc/man3/X509_get_extension_flags.pod @@ -4,6 +4,8 @@ X509_get0_subject_key_id, X509_get0_authority_key_id, +X509_get0_authority_issuer, +X509_get0_authority_serial, X509_get_pathlen, X509_get_extension_flags, X509_get_key_usage, @@ -22,6 +24,8 @@ X509_get_proxy_pathlen - retrieve certificate extension data uint32_t X509_get_extended_key_usage(X509 *x); const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x); const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x); + const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x); + const ASN1_INTEGER *X509_get0_authority_serial(X509 *x); void X509_set_proxy_flag(X509 *x); void X509_set_proxy_pathlen(int l); long X509_get_proxy_pathlen(X509 *x); @@ -115,6 +119,14 @@ X509_get0_authority_key_id() returns an internal pointer to the authority key identifier of B<x> as an B<ASN1_OCTET_STRING> or B<NULL> if the extension is not present or cannot be parsed. +X509_get0_authority_issuer() returns an internal pointer to the authority +certificate issuer of B<x> as a stack of B<GENERAL_NAME> structures or +B<NULL> if the extension is not present or cannot be parsed. + +X509_get0_authority_serial() returns an internal pointer to the authority +certificate serial number of B<x> as an B<ASN1_INTEGER> or B<NULL> if the +extension is not present or cannot be parsed. + X509_set_proxy_flag() marks the certificate with the B<EXFLAG_PROXY> flag. This is for the users who need to mark non-RFC3820 proxy certificates as such, as OpenSSL only detects RFC3820 compliant ones. @@ -171,7 +183,7 @@ X509_get_proxy_pathlen() were added in OpenSSL 1.1.0. =head1 COPYRIGHT -Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man3/d2i_X509.pod b/deps/openssl/openssl/doc/man3/d2i_X509.pod index 3d50f5d908..e36270f739 100644 --- a/deps/openssl/openssl/doc/man3/d2i_X509.pod +++ b/deps/openssl/openssl/doc/man3/d2i_X509.pod @@ -53,6 +53,7 @@ d2i_DSA_PUBKEY_bio, d2i_DSA_PUBKEY_fp, d2i_DSA_SIG, d2i_DSAparams, +d2i_ECDSA_SIG, d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, @@ -229,6 +230,7 @@ i2d_DSA_PUBKEY_bio, i2d_DSA_PUBKEY_fp, i2d_DSA_SIG, i2d_DSAparams, +i2d_ECDSA_SIG, i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, @@ -472,6 +474,10 @@ Represents a DSA public key using a B<SubjectPublicKeyInfo> structure. Use a non-standard OpenSSL format and should be avoided; use B<DSA_PUBKEY>, B<PEM_write_PrivateKey(3)>, or similar instead. +=item B<ECDSA_SIG> + +Represents an ECDSA signature. + =item B<RSAPublicKey> Represents a PKCS#1 RSA public key structure. @@ -500,8 +506,8 @@ Represents the B<DigestInfo> structure defined in PKCS#1 and PKCS#7. d2i_TYPE(), d2i_TYPE_bio() and d2i_TYPE_fp() return a valid B<TYPE> structure or B<NULL> if an error occurs. If the "reuse" capability has been used with -a valid structure being passed in via B<a>, then the object is not freed in -the event of error but may be in a potentially invalid or inconsistent state. +a valid structure being passed in via B<a>, then the object is freed in +the event of error and B<*a> is set to NULL. i2d_TYPE() returns the number of bytes successfully encoded or a negative value if an error occurs. @@ -582,9 +588,13 @@ happen. =head1 BUGS In some versions of OpenSSL the "reuse" behaviour of d2i_TYPE() when -B<*px> is valid is broken and some parts of the reused structure may -persist if they are not present in the new one. As a result the use -of this "reuse" behaviour is strongly discouraged. +B<*a> is valid is broken and some parts of the reused structure may +persist if they are not present in the new one. Additionally, in versions of +OpenSSL prior to 1.1.0, when the "reuse" behaviour is used and an error occurs +the behaviour is inconsistent. Some functions behaved as described here, while +some did not free B<*a> on error and did not set B<*a> to NULL. + +As a result of the above issues the "reuse" behaviour is strongly discouraged. i2d_TYPE() will not return an error in many versions of OpenSSL, if mandatory fields are not initialized due to a programming error diff --git a/deps/openssl/openssl/doc/man5/x509v3_config.pod b/deps/openssl/openssl/doc/man5/x509v3_config.pod index a35b4ccfff..803b12b3ed 100644 --- a/deps/openssl/openssl/doc/man5/x509v3_config.pod +++ b/deps/openssl/openssl/doc/man5/x509v3_config.pod @@ -483,7 +483,7 @@ For example: basicConstraints=critical,DER:00:01:02:03 -=head1 WARNING +=head1 WARNINGS There is no guarantee that a specific implementation will process a given extension. It may therefore be sometimes possible to use certificates for @@ -493,7 +493,6 @@ not recognize or honour the values of the relevant extensions. The DER and ASN1 options should be used with caution. It is possible to create totally invalid extensions if they are not used carefully. - =head1 NOTES If an extension is multi-value and a field value must contain a comma the long @@ -535,7 +534,7 @@ L<ASN1_generate_nconf(3)> =head1 COPYRIGHT -Copyright 2004-2016 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/Ed25519.pod b/deps/openssl/openssl/doc/man7/Ed25519.pod index 3f54217918..6442e0ea43 100644 --- a/deps/openssl/openssl/doc/man7/Ed25519.pod +++ b/deps/openssl/openssl/doc/man7/Ed25519.pod @@ -53,7 +53,7 @@ Ed25519 and Ed448 can be tested within L<speed(1)> application since version 1.1 Valid algorithm names are B<ed25519>, B<ed448> and B<eddsa>. If B<eddsa> is specified, then both Ed25519 and Ed448 are benchmarked. -=head1 EXAMPLE +=head1 EXAMPLES This example generates an B<ED25519> private key and writes it to standard output in PEM format: @@ -77,7 +77,7 @@ L<EVP_DigestVerifyInit(3)>, =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/RAND.pod b/deps/openssl/openssl/doc/man7/RAND.pod index 971b3cdb16..7ce44ad9b6 100644 --- a/deps/openssl/openssl/doc/man7/RAND.pod +++ b/deps/openssl/openssl/doc/man7/RAND.pod @@ -28,6 +28,12 @@ As a normal application developer, you do not have to worry about any details, just use L<RAND_bytes(3)> to obtain random data. Having said that, there is one important rule to obey: Always check the error return value of L<RAND_bytes(3)> and do not take randomness for granted. +Although (re-)seeding is automatic, it can fail because no trusted random source +is available or the trusted source(s) temporarily fail to provide sufficient +random seed material. +In this case the CSPRNG enters an error state and ceases to provide output, +until it is able to recover from the error by reseeding itself. +For more details on reseeding and error recovery, see L<RAND_DRBG(7)>. For values that should remain secret, you can use L<RAND_priv_bytes(3)> instead. @@ -71,7 +77,7 @@ L<RAND_DRBG(7)> =head1 COPYRIGHT -Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/SM2.pod b/deps/openssl/openssl/doc/man7/SM2.pod index 029dc736cb..c8fceffa1c 100644 --- a/deps/openssl/openssl/doc/man7/SM2.pod +++ b/deps/openssl/openssl/doc/man7/SM2.pod @@ -41,7 +41,7 @@ done by calling: And normally there is no need to pass a B<pctx> parameter to EVP_DigestSignInit() or EVP_DigestVerifyInit() in such a scenario. -=head1 EXAMPLE +=head1 EXAMPLES This example demonstrates the calling sequence for using an B<EVP_PKEY> to verify a message with the SM2 signature algorithm and the SM3 hash algorithm: @@ -69,7 +69,7 @@ L<EVP_MD_CTX_set_pkey_ctx(3)> =head1 COPYRIGHT -Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/X25519.pod b/deps/openssl/openssl/doc/man7/X25519.pod index 7cb6ff6b3b..4851f8a1d9 100644 --- a/deps/openssl/openssl/doc/man7/X25519.pod +++ b/deps/openssl/openssl/doc/man7/X25519.pod @@ -37,7 +37,7 @@ X25519 or X448 public keys can be set directly using L<EVP_PKEY_new_raw_public_key(3)> or loaded from a SubjectPublicKeyInfo structure in a PEM file using L<PEM_read_bio_PUBKEY(3)> (or similar function). -=head1 EXAMPLE +=head1 EXAMPLES This example generates an B<X25519> private key and writes it to standard output in PEM format: @@ -64,7 +64,7 @@ L<EVP_PKEY_derive_set_peer(3)> =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/bio.pod b/deps/openssl/openssl/doc/man7/bio.pod index 45ef2f7704..23b231b44e 100644 --- a/deps/openssl/openssl/doc/man7/bio.pod +++ b/deps/openssl/openssl/doc/man7/bio.pod @@ -52,7 +52,7 @@ pointer to a BIO_METHOD. There is a naming convention for such functions: a source/sink BIO is normally called BIO_s_*() and a filter BIO BIO_f_*(); -=head1 EXAMPLE +=head1 EXAMPLES Create a memory BIO: @@ -76,7 +76,7 @@ L<BIO_should_retry(3)> =head1 COPYRIGHT -Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/deps/openssl/openssl/doc/man7/scrypt.pod b/deps/openssl/openssl/doc/man7/scrypt.pod index 94ff3ab53f..a005133747 100644 --- a/deps/openssl/openssl/doc/man7/scrypt.pod +++ b/deps/openssl/openssl/doc/man7/scrypt.pod @@ -38,7 +38,7 @@ A context for scrypt can be obtained by calling: The output length of an scrypt key derivation is specified via the length parameter to the L<EVP_PKEY_derive(3)> function. -=head1 EXAMPLE +=head1 EXAMPLES This example derives a 64-byte long test vector using scrypt using the password "password", salt "NaCl" and N = 1024, r = 8, p = 16. @@ -105,7 +105,7 @@ L<EVP_PKEY_derive(3)> =head1 COPYRIGHT -Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy |