diff options
Diffstat (limited to 'deps/openssl/openssl/doc')
17 files changed, 69 insertions, 101 deletions
diff --git a/deps/openssl/openssl/doc/HOWTO/proxy_certificates.txt b/deps/openssl/openssl/doc/HOWTO/proxy_certificates.txt index f98ec36076..3d36b02f6b 100644 --- a/deps/openssl/openssl/doc/HOWTO/proxy_certificates.txt +++ b/deps/openssl/openssl/doc/HOWTO/proxy_certificates.txt @@ -57,7 +57,7 @@ following methods: - in all other cases, proxy certificate validation can be enabled before starting the application by setting the envirnoment variable - OPENSSL_ALLOW_PROXY_CERTS with some non-empty value. + OPENSSL_ALLOW_PROXY with some non-empty value. There are thoughts to allow proxy certificates with a line in the default openssl.cnf, but that's still in the future. diff --git a/deps/openssl/openssl/doc/apps/CA.pl.pod b/deps/openssl/openssl/doc/apps/CA.pl.pod index d326101cde..ed69952f37 100644 --- a/deps/openssl/openssl/doc/apps/CA.pl.pod +++ b/deps/openssl/openssl/doc/apps/CA.pl.pod @@ -39,13 +39,13 @@ prints a usage message. =item B<-newcert> -creates a new self signed certificate. The private key is written to the file -"newkey.pem" and the request written to the file "newreq.pem". +creates a new self signed certificate. The private key and certificate are +written to the file "newreq.pem". =item B<-newreq> -creates a new certificate request. The private key is written to the file -"newkey.pem" and the request written to the file "newreq.pem". +creates a new certificate request. The private key and request are +written to the file "newreq.pem". =item B<-newreq-nodes> diff --git a/deps/openssl/openssl/doc/apps/genpkey.pod b/deps/openssl/openssl/doc/apps/genpkey.pod index c74d097fb3..1611b5ca78 100644 --- a/deps/openssl/openssl/doc/apps/genpkey.pod +++ b/deps/openssl/openssl/doc/apps/genpkey.pod @@ -114,8 +114,6 @@ hexadecimal value if preceded by B<0x>. Default value is 65537. The number of bits in the generated parameters. If not specified 1024 is used. -=back - =head1 DH PARAMETER GENERATION OPTIONS =over 4 diff --git a/deps/openssl/openssl/doc/apps/openssl.pod b/deps/openssl/openssl/doc/apps/openssl.pod index 64a160c20a..738142e9ff 100644 --- a/deps/openssl/openssl/doc/apps/openssl.pod +++ b/deps/openssl/openssl/doc/apps/openssl.pod @@ -287,6 +287,8 @@ SHA Digest SHA-1 Digest +=back + =item B<sha224> SHA-224 Digest @@ -303,8 +305,6 @@ SHA-384 Digest SHA-512 Digest -=back - =head2 ENCODING AND CIPHER COMMANDS =over 10 diff --git a/deps/openssl/openssl/doc/apps/verify.pod b/deps/openssl/openssl/doc/apps/verify.pod index da683004bd..336098f1e3 100644 --- a/deps/openssl/openssl/doc/apps/verify.pod +++ b/deps/openssl/openssl/doc/apps/verify.pod @@ -54,37 +54,35 @@ in PEM format concatenated together. =item B<-untrusted file> A file of untrusted certificates. The file should contain multiple certificates -in PEM format concatenated together. =item B<-purpose purpose> -The intended use for the certificate. If this option is not specified, -B<verify> will not consider certificate purpose during chain verification. -Currently accepted uses are B<sslclient>, B<sslserver>, B<nssslserver>, -B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> section for more -information. +the intended use for the certificate. Without this option no chain verification +will be done. Currently accepted uses are B<sslclient>, B<sslserver>, +B<nssslserver>, B<smimesign>, B<smimeencrypt>. See the B<VERIFY OPERATION> +section for more information. =item B<-help> -Print out a usage message. +prints out a usage message. =item B<-verbose> -Print extra information about the operations being performed. +print extra information about the operations being performed. =item B<-issuer_checks> -Print out diagnostics relating to searches for the issuer certificate of the -current certificate. This shows why each candidate issuer certificate was -rejected. The presence of rejection messages does not itself imply that -anything is wrong; during the normal verification process, several -rejections may take place. +print out diagnostics relating to searches for the issuer certificate +of the current certificate. This shows why each candidate issuer +certificate was rejected. However the presence of rejection messages +does not itself imply that anything is wrong: during the normal +verify process several rejections may take place. =item B<-policy arg> -Enable policy processing and add B<arg> to the user-initial-policy-set (see -RFC5280). The policy B<arg> can be an object name an OID in numeric form. -This argument can appear more than once. +Enable policy processing and add B<arg> to the user-initial-policy-set +(see RFC3280 et al). The policy B<arg> can be an object name an OID in numeric +form. This argument can appear more than once. =item B<-policy_check> @@ -92,40 +90,41 @@ Enables certificate policy processing. =item B<-explicit_policy> -Set policy variable require-explicit-policy (see RFC5280). +Set policy variable require-explicit-policy (see RFC3280 et al). =item B<-inhibit_any> -Set policy variable inhibit-any-policy (see RFC5280). +Set policy variable inhibit-any-policy (see RFC3280 et al). =item B<-inhibit_map> -Set policy variable inhibit-policy-mapping (see RFC5280). +Set policy variable inhibit-policy-mapping (see RFC3280 et al). =item B<-policy_print> -Print out diagnostics related to policy processing. +Print out diagnostics, related to policy checking =item B<-crl_check> -Checks end entity certificate validity by attempting to look up a valid CRL. +Checks end entity certificate validity by attempting to lookup a valid CRL. If a valid CRL cannot be found an error occurs. =item B<-crl_check_all> Checks the validity of B<all> certificates in the chain by attempting -to look up valid CRLs. +to lookup valid CRLs. =item B<-ignore_critical> Normally if an unhandled critical extension is present which is not -supported by OpenSSL the certificate is rejected (as required by RFC5280). -If this option is set critical extensions are ignored. +supported by OpenSSL the certificate is rejected (as required by +RFC3280 et al). If this option is set critical extensions are +ignored. =item B<-x509_strict> -For strict X.509 compliance, disable non-compliant workarounds for broken -certificates. +Disable workarounds for broken certificates which have to be disabled +for strict X.509 compliance. =item B<-extended_crl> @@ -143,15 +142,16 @@ because it doesn't add any security. =item B<-> -Indicates the last option. All arguments following this are assumed to be +marks the last option. All arguments following this are assumed to be certificate files. This is useful if the first certificate filename begins with a B<->. =item B<certificates> -One or more certificates to verify. If no certificates are given, B<verify> -will attempt to read a certificate from standard input. Certificates must be -in PEM format. +one or more certificates to verify. If no certificate filenames are included +then an attempt is made to read a certificate from standard input. They should +all be in PEM format. + =back diff --git a/deps/openssl/openssl/doc/apps/x509.pod b/deps/openssl/openssl/doc/apps/x509.pod index d2d9eb812a..3002b08123 100644 --- a/deps/openssl/openssl/doc/apps/x509.pod +++ b/deps/openssl/openssl/doc/apps/x509.pod @@ -29,7 +29,6 @@ B<openssl> B<x509> [B<-purpose>] [B<-dates>] [B<-modulus>] -[B<-pubkey>] [B<-fingerprint>] [B<-alias>] [B<-noout>] @@ -136,10 +135,6 @@ section for more information. this option prevents output of the encoded version of the request. -=item B<-pubkey> - -outputs the the certificate's SubjectPublicKeyInfo block in PEM format. - =item B<-modulus> this option prints out the value of the modulus of the public key diff --git a/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod b/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod index 367691cc7a..5b477ac6ec 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod @@ -6,8 +6,7 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, -EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224, EVP_sha256, -EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2, +EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines @@ -34,15 +33,16 @@ EVP digest routines int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); - #define EVP_MAX_MD_SIZE 64 /* SHA512 */ + #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */ - int EVP_MD_type(const EVP_MD *md); - int EVP_MD_pkey_type(const EVP_MD *md); - int EVP_MD_size(const EVP_MD *md); - int EVP_MD_block_size(const EVP_MD *md); - const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); - #define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) + #define EVP_MD_type(e) ((e)->type) + #define EVP_MD_pkey_type(e) ((e)->pkey_type) + #define EVP_MD_size(e) ((e)->md_size) + #define EVP_MD_block_size(e) ((e)->block_size) + + #define EVP_MD_CTX_md(e) (e)->digest) + #define EVP_MD_CTX_size(e) EVP_MD_size((e)->digest) #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest) #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) @@ -56,11 +56,6 @@ EVP digest routines const EVP_MD *EVP_mdc2(void); const EVP_MD *EVP_ripemd160(void); - const EVP_MD *EVP_sha224(void); - const EVP_MD *EVP_sha256(void); - const EVP_MD *EVP_sha384(void); - const EVP_MD *EVP_sha512(void); - const EVP_MD *EVP_get_digestbyname(const char *name); #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a)) @@ -129,14 +124,12 @@ B<EVP_MD_CTX>. EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated with this digest. For example EVP_sha1() is associated with RSA so this will -return B<NID_sha1WithRSAEncryption>. Since digests and signature algorithms -are no longer linked this function is only retained for compatibility -reasons. +return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature +algorithms may not be retained in future versions of OpenSSL. -EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(), -EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD> -structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2 -and RIPEMD160 digest algorithms respectively. +EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160() +return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest +algorithms respectively. The associated signature algorithm is RSA in each case. EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest algorithms but using DSS (DSA) for the signature algorithm. Note: there is @@ -178,8 +171,8 @@ The B<EVP> interface to message digests should almost always be used in preference to the low level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. -New applications should use the SHA2 digest algorithms such as SHA256. -The other digest algorithms are still in common use. +SHA1 is the digest of choice for new applications. The other digest algorithms +are still in common use. For most applications the B<impl> parameter to EVP_DigestInit_ex() will be set to NULL to use the default digest implementation. @@ -194,19 +187,6 @@ implementations of digests to be specified. In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use memory leaks will occur. -Stack allocation of EVP_MD_CTX structures is common, for example: - - EVP_MD_CTX mctx; - EVP_MD_CTX_init(&mctx); - -This will cause binary compatibility issues if the size of EVP_MD_CTX -structure changes (this will only happen with a major release of OpenSSL). -Applications wishing to avoid this should use EVP_MD_CTX_create() instead: - - EVP_MD_CTX *mctx; - mctx = EVP_MD_CTX_create(); - - =head1 EXAMPLE This example digests the data "Test Message\n" and "Hello World\n", using the @@ -217,7 +197,7 @@ digest name passed on the command line. main(int argc, char *argv[]) { - EVP_MD_CTX *mdctx; + EVP_MD_CTX mdctx; const EVP_MD *md; char mess1[] = "Test Message\n"; char mess2[] = "Hello World\n"; @@ -238,12 +218,12 @@ digest name passed on the command line. exit(1); } - mdctx = EVP_MD_CTX_create(); - EVP_DigestInit_ex(mdctx, md, NULL); - EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); - EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); - EVP_DigestFinal_ex(mdctx, md_value, &md_len); - EVP_MD_CTX_destroy(mdctx); + EVP_MD_CTX_init(&mdctx); + EVP_DigestInit_ex(&mdctx, md, NULL); + EVP_DigestUpdate(&mdctx, mess1, strlen(mess1)); + EVP_DigestUpdate(&mdctx, mess2, strlen(mess2)); + EVP_DigestFinal_ex(&mdctx, md_value, &md_len); + EVP_MD_CTX_cleanup(&mdctx); printf("Digest is: "); for(i = 0; i < md_len; i++) printf("%02x", md_value[i]); diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_ctrl.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_ctrl.pod index 13b91f1e6e..f2f455990f 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_ctrl.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_CTX_ctrl.pod @@ -117,7 +117,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_decrypt.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_decrypt.pod index 847983237b..42b2a8c44e 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_decrypt.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_decrypt.pod @@ -83,7 +83,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_derive.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_derive.pod index 27464be571..d9d6d76c72 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_derive.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_derive.pod @@ -84,7 +84,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, =head1 HISTORY diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_encrypt.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_encrypt.pod index e495a81242..91c9c5d0a5 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_encrypt.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_encrypt.pod @@ -83,7 +83,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_get_default_digest.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_get_default_digest.pod index 8ff597d44a..1a9c7954c5 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_get_default_digest.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_get_default_digest.pod @@ -32,7 +32,7 @@ public key algorithm. L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, =head1 HISTORY diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_keygen.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_keygen.pod index fd431ace6d..37c6fe9503 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_keygen.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_keygen.pod @@ -151,7 +151,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_sign.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_sign.pod index a044f2c131..2fb52c3486 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_sign.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_sign.pod @@ -86,7 +86,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, -L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/deps/openssl/openssl/doc/crypto/EVP_PKEY_verify.pod b/deps/openssl/openssl/doc/crypto/EVP_PKEY_verify.pod index 90612ba2f0..f93e5fc6c3 100644 --- a/deps/openssl/openssl/doc/crypto/EVP_PKEY_verify.pod +++ b/deps/openssl/openssl/doc/crypto/EVP_PKEY_verify.pod @@ -81,7 +81,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, -L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>, +L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> =head1 HISTORY diff --git a/deps/openssl/openssl/doc/crypto/ecdsa.pod b/deps/openssl/openssl/doc/crypto/ecdsa.pod index 20edff97ff..49b10f2249 100644 --- a/deps/openssl/openssl/doc/crypto/ecdsa.pod +++ b/deps/openssl/openssl/doc/crypto/ecdsa.pod @@ -114,7 +114,7 @@ using the public key B<eckey>. ECDSA_size() returns the maximum length signature or 0 on error. -ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or 0 +ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1 on error. ECDSA_verify() and ECDSA_do_verify() return 1 for a valid diff --git a/deps/openssl/openssl/doc/ssl/SSL_alert_type_string.pod b/deps/openssl/openssl/doc/ssl/SSL_alert_type_string.pod index 0329c34869..94e28cc307 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_alert_type_string.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_alert_type_string.pod @@ -214,11 +214,6 @@ satisfy a request; the process might receive security parameters difficult to communicate changes to these parameters after that point. This message is always a warning. -=item "UP"/"unknown PSK identity" - -Sent by the server to indicate that it does not recognize a PSK -identity or an SRP identity. - =item "UK"/"unknown" This indicates that no description is available for this alert type. |